AD permissions required for LDAP Bind account?

kiyomaka
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 02, 2022 8:19 pm

AD permissions required for LDAP Bind account?

Post by kiyomaka » Sun Jan 02, 2022 8:31 pm

Greetings everyone,
My OpenVPN server has been collecting dust for a while as I've been working from home and have not had need to leverage it.

I have the server configured to use Google 2FA, LDAP and an additional LDAP requirement.

I had everything working when I last tested it about 16 months ago, however some point between then and now the Additional LDAP Requirement stopped working and I'm unable to sign in.

Attempting to sign in via auth CLI throws an error like this.

API METHOD: authenticate
AUTH_RETURN
status : FAIL
reason : user not found that meets specified requirements: memberOf=CN=OpenVPNUsers,CN=Users,DC=XX,DC=XXXX,DC=XXX
user : xxxx.xxxxx

Authentication does work if I blank out the Additional LDAP Requirement: (Advanced) line.

As a (Shitty) test I temporarily made the bind account a member of the Domain Admins group, and sure enough it was able to successfully auth, which tells me that this is something permission related preventing the group membership from being read, perhaps related to a Microsoft patch installed on the DCs.

I'm currently running OpenVPN Access Server v2.8.5.

What specific permissions should I delegate to the bind account?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: AD permissions required for LDAP Bind account?

Post by openvpn_inc » Sun Jan 02, 2022 11:12 pm

Hello Kiyomaka,

The bind account is so only an authenticated user can see objects in the LDAP directory. Anonymous access to that is usually turned off. So the bind account needs to have enough permissions to allow objects to be visible. In other terms the account needs to be able to enumerate the user accounts. You might want to use a tool like ldaptools on Linux to 'see' what the LDAP account can see.

Kind regards,
Johan
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

kiyomaka
OpenVpn Newbie
Posts: 2
Joined: Sun Jan 02, 2022 8:19 pm

Re: AD permissions required for LDAP Bind account?

Post by kiyomaka » Mon Jan 03, 2022 2:14 am

openvpn_inc wrote:
Sun Jan 02, 2022 11:12 pm
Hello Kiyomaka,

The bind account is so only an authenticated user can see objects in the LDAP directory. Anonymous access to that is usually turned off. So the bind account needs to have enough permissions to allow objects to be visible. In other terms the account needs to be able to enumerate the user accounts. You might want to use a tool like ldaptools on Linux to 'see' what the LDAP account can see.

Kind regards,
Johan
Would I be installing ldap tools on the Microsoft AD Domain Controller or the OpenVPN server itself?
By enumerate do you mean it should have enough access to view the properties and attributes of the user accounts signing into OpenVPN and any associated group dependencies?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: AD permissions required for LDAP Bind account?

Post by openvpn_inc » Thu Jan 06, 2022 1:31 pm

Hello kiyomaka,

The ldaptools package can be installed on a Linux system, like on Access Server itself. You don't specifically have to use that one. There are also other tools that can let you browse an LDAP directory.

You would need to be able to list users and some of their attributes yes.

This page I Googled might be helpful to get you going with ldapsearch, which is part of ldaptools:
https://www.seei.biz/using-ldapsearch-t ... directory/

Kind regards,
Johan
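Added example (not from the thread, and not OpenVPN Inc.'s code): a small Python script that builds the ldapsearch query Johan suggests, bound as the service account itself rather than as a Domain Admin, and sorts the LDIF it returns into the cases the "user not found that meets specified requirements" error in the first post lumps together: the user object is not visible to the bind account, the user is visible but no memberOf values come back, the user is in groups but not the required one, or the required group DN is present. The required group DN is the one from the error message above; the server name, bind DN, password and the sample LDIF are constructed placeholders. ldapsearch ships in the ldap-utils package on Debian/Ubuntu.

```python
import base64
import shlex
import subprocess
from typing import Dict, List

# The group DN the Access Server's "Additional LDAP Requirement" demands,
# taken from the error message in the first post of the thread.
REQUIRED_GROUP_DN = "CN=OpenVPNUsers,CN=Users,DC=XX,DC=XXXX,DC=XXX"


def ldapsearch_argv(uri: str, bind_dn: str, bind_pw: str, base_dn: str,
                    sam_account: str) -> List[str]:
    """Build the OpenLDAP ldapsearch command that asks, bound as the service
    account itself, for one user's memberOf attribute.  Flags: -x simple bind,
    -LLL plain LDIF output, -H server URI, -D/-w bind DN and password,
    -b search base.  The filter and attribute list are positional."""
    return ["ldapsearch", "-x", "-LLL", "-H", uri, "-D", bind_dn, "-w", bind_pw,
            "-b", base_dn, f"(sAMAccountName={sam_account})", "memberOf"]


def run_ldapsearch(argv: List[str]) -> str:
    """Run the command built above and return its LDIF output (live use only)."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips
    '#' comments such as the referral lines AD emits for a domain-root base,
    decodes base64 values written as 'attr:: value', and returns one dict of
    lower-cased attribute name -> values per entry."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def diagnose(ldif_text: str, required_group_dn: str) -> str:
    """Classify what the bind account could see for the queried user.
    DN comparison is case-insensitive, as AD treats DNs."""
    entries = [e for e in parse_ldif(ldif_text) if "dn" in e]
    if not entries:
        return "user-not-visible"        # bind account cannot read the user object at all
    member_of = [v.lower() for e in entries for v in e.get("memberof", [])]
    if not member_of:
        # Either the user has no memberships beyond its primary group (which
        # never appears in memberOf), or the bind account is not allowed to
        # read the attribute.  Re-run the same query with an admin bind to
        # tell the two apart.
        return "memberof-empty-or-hidden"
    if required_group_dn.lower() in member_of:
        return "ok"
    return "not-in-required-group"


# Constructed sample LDIF, shaped like ldapsearch -LLL output against AD.
_OTHER_GROUP_B64 = base64.b64encode(
    b"CN=VPN Staff,CN=Users,DC=XX,DC=XXXX,DC=XXX").decode("ascii")
_REFERRAL = "# refldap://ForestDnsZones.xx.xxxx.xxx/DC=ForestDnsZones,DC=XX,DC=XXXX,DC=XXX\n"

SAMPLE_OK = (
    "dn: CN=Jane Doe,CN=Users,DC=XX,DC=XXXX,DC=XXX\n"
    "memberOf: CN=OpenVPNUsers,CN=Users,\n"
    " DC=XX,DC=XXXX,DC=XXX\n"                  # folded continuation line
    f"memberOf:: {_OTHER_GROUP_B64}\n"         # base64 value, as LDIF may emit
    "\n" + _REFERRAL + "\n")
SAMPLE_HIDDEN = "dn: CN=Jane Doe,CN=Users,DC=XX,DC=XXXX,DC=XXX\n\n" + _REFERRAL + "\n"
SAMPLE_WRONG_GROUP = ("dn: CN=Jane Doe,CN=Users,DC=XX,DC=XXXX,DC=XXX\n"
                      f"memberOf:: {_OTHER_GROUP_B64}\n\n")
SAMPLE_NOT_VISIBLE = _REFERRAL + "\n"


if __name__ == "__main__":
    # Placeholder values (assumed, not from the thread): run this as the bind
    # account, not as a Domain Admin, so the result reflects its own rights.
    argv = ldapsearch_argv("ldap://dc01.example.test",
                           "CN=svc-openvpn,CN=Users,DC=XX,DC=XXXX,DC=XXX",
                           "REPLACE_WITH_BIND_PASSWORD", "DC=XX,DC=XXXX,DC=XXX",
                           "jane.doe")
    print("Live query:", shlex.join(argv))
    for name, sample in (("ok", SAMPLE_OK), ("hidden", SAMPLE_HIDDEN),
                         ("wrong group", SAMPLE_WRONG_GROUP),
                         ("not visible", SAMPLE_NOT_VISIBLE)):
        print(f"{name:12s} -> {diagnose(sample, REQUIRED_GROUP_DN)}")
```

For a live check, pipe `run_ldapsearch(argv)` into `diagnose()` once with the bind account and once with an administrative bind; if only the admin bind returns the memberOf values, the missing piece is read access on the user objects (or on the memberOf attribute) for the service account, which is what the Domain Admins test in the first post was really probing. When typing the command by hand, prefer `-W` (prompt for the password) over `-w` so the bind password does not show up in the process list or shell history.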
