
LDAP Additional Settings..

Posted: Fri Jun 22, 2012 2:04 am
by AllenK
Hello, I'm trying to configure the Additional LDAP Requirement, but it seems there is no way to customize what the search is looking for.
My LDAP server uses posixGroup for the objectClass of my groups (CN=groupname,ou=group,dc=domain,dc=com). The attribute is memberUid for group members.

Since everything I have tried fails, I'm assuming the OpenVPN-AS only looks for the uid attribute in the specified group?

If so, can a feature request be suggested to customize the attribute for the Additional Requirements?

Changing my LDAP server is out of the question.

Thanks !

Re: LDAP Additional Settings..

Posted: Tue Jun 26, 2012 4:28 am
by AllenK
Anybody? Are there any users that have successfully used the Additional LDAP Settings to only allow users in a particular group access to the VPN?

I've tried every combination of queries I can think of, and nothing seems to work. Any hints or pointers would be greatly appreciated. Here's a quick edited export of my LDAP structure. I've tried using posixGroup, organizationalUnits, pretty much every combination of structures and object classes that support uid, memberUid, etc.

Also tried several different combinations of query syntaxes.
Any suggestions would be greatly appreciated. I'm looking at replacing a corporate VPN with OpenVPN, but LDAP support is a requirement with security: just because you're an authenticated user doesn't mean you should have VPN access.


dn: dc=domain,dc=network
objectClass: organization
objectClass: dcObject
objectClass: top
dc: domain
o: domain

dn: ou=People,dc=domain,dc=network
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Group,dc=domain,dc=network
objectClass: organizationalUnit
objectClass: top
ou: Group

dn: cn=regusers,ou=Group,dc=domain,dc=network
objectClass: posixGroup
cn: regusers
memberUid: user1

dn: cn=vpnusers,ou=Group,dc=domain,dc=network
objectClass: posixGroup
cn: vpnusers
memberUid: user3

dn: uid=user1,ou=People,dc=domain,dc=network
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: inetOrgPerson
cn: user1
uid: user1

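The tree posted above, evaluated offline as an added example (not code from the original post or from OpenVPN-AS): a small LDIF parser plus an equality-filter evaluator show which filter actually matches a member of a posixGroup and why a check that looks for a uid attribute on the group entry cannot. It assumes the sample tree is AllenK's LDIF trimmed and extended with a constructed uid=user3 entry (so the group member also exists under ou=People), uses ou=People,dc=domain,dc=network and ou=Group,dc=domain,dc=network as search bases, and adds an RFC 4515 escaping helper (escape_filter_value) so a username typed at login cannot rewrite the filter.

```python
"""Evaluate posixGroup membership filters against a small LDAP tree.

Added example, not code from the original post or from OpenVPN-AS. The LDIF
is AllenK's posted tree, trimmed and extended with a constructed user3 entry.
Only equality terms and an AND list are supported.
"""
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
BASE = "dc=domain,dc=network"

LDIF = """\
dn: cn=regusers,ou=Group,dc=domain,dc=network
objectClass: posixGroup
cn: regusers
memberUid: user1

dn: cn=vpnusers,ou=Group,dc=domain,dc=network
objectClass: posixGroup
cn: vpnusers
memberUid: user3

dn: uid=user1,ou=People,dc=domain,dc=network
objectClass: posixAccount
uid: user1

dn: uid=user3,ou=People,dc=domain,dc=network
objectClass: posixAccount
uid: user3
"""

def parse_ldif(text: str) -> Dict[str, Entry]:
    """Plain 'attr: value' LDIF (no '::' base64, no folded lines) -> {dn: {attr: [values]}}."""
    entries: Dict[str, Entry] = {}
    current: Optional[Entry] = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:                      # blank line ends the current entry
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep or (attr.lower() != "dn" and current is None):
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})   # DN keeps its original case
        else:
            current.setdefault(attr, []).append(value)
    return entries

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username like 'x)(uid=*' cannot rewrite the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

_TERM = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")

def _equal(entry: Entry, attr: str, value: str) -> bool:
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(v.lower() == wanted.lower() for v in entry.get(attr.lower(), []))

def matches(entry: Entry, flt: str) -> bool:
    """Evaluate '(a=v)' or '(&(a=v)(b=w)...)'; names and values compare case-insensitively."""
    flt = flt.strip()
    if flt.startswith("(&") and flt.endswith(")"):
        return all(_equal(entry, a, v) for a, v in _TERM.findall(flt[2:-1]))
    m = _TERM.fullmatch(flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt}")
    return _equal(entry, m.group(1), m.group(2))

def search(entries: Dict[str, Entry], base_dn: str, flt: str) -> List[str]:
    """Subtree search under base_dn; returns matching DNs, sorted."""
    base = base_dn.lower()
    return sorted(dn for dn, e in entries.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(e, flt))

def in_posix_group(entries: Dict[str, Entry], group_cn: str, uid: str) -> bool:
    """The filter that fits this tree: memberUid on the posixGroup entry."""
    flt = (f"(&(objectClass=posixGroup)(cn={escape_filter_value(group_cn)})"
           f"(memberUid={escape_filter_value(uid)}))")
    return bool(search(entries, "ou=Group," + BASE, flt))

def uid_on_group_entry(entries: Dict[str, Entry], group_cn: str, uid: str) -> bool:
    """What AllenK suspects the product does: look for a uid attribute on the
    group entry itself. A posixGroup carries no uid, so this never matches."""
    flt = f"(&(cn={escape_filter_value(group_cn)})(uid={escape_filter_value(uid)}))"
    return bool(search(entries, "ou=Group," + BASE, flt))

def vpn_allowed(entries: Dict[str, Entry], uid: str, group_cn: str = "vpnusers") -> bool:
    """A valid account alone is not enough: the user must also be in the VPN group."""
    exists = search(entries, "ou=People," + BASE, f"(uid={escape_filter_value(uid)})")
    return len(exists) == 1 and in_posix_group(entries, group_cn, uid)

ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    for uid in ("user1", "user3", "user3)(memberUid=*"):
        print(f"{uid!r}: memberUid={in_posix_group(ENTRIES, 'vpnusers', uid)} "
              f"uid-on-group={uid_on_group_entry(ENTRIES, 'vpnusers', uid)} allowed={vpn_allowed(ENTRIES, uid)}")
```

Run it directly to print the three checks for user1, user3 and an injection-shaped username. Written out in full, the filter that matches this tree is (&(objectClass=posixGroup)(cn=vpnusers)(memberUid=<uid>)) under ou=Group; whether the Additional Requirement field accepts an attribute other than uid is exactly the open question of the thread, so this only tells you what to ask the server for, not what the product will send.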
Re: LDAP Additional Settings..

Posted: Wed Aug 01, 2012 8:04 pm
by DenverCoder9
Hello AllenK,

I don't know what kind of LDAP server you are using, but in our Active Directory we had to add a built-in group to the user. We found that with "ldapuser" we could do lookups for the standard things, but once we added any additional settings in OpenVPN it broke. We had another LDAP account that worked correctly with additional settings; the difference ended up being a built-in group in our domain called "Pre-Windows 2000 Compatible Access". Once we made ldapuser a member of that group we were able to get it to go through with additional settings and authenticate properly.

I'm not sure why this worked for us, perhaps openvpn uses some older form of access exclusively for the additional settings.

Good Luck.


Re: LDAP Additional Settings..

Posted: Mon Aug 06, 2012 4:02 pm
by DenverCoder9
For our Active Directory environment we had two different accounts for LDAP lookups. One worked when we specified an additional group in OpenVPN and the other did not (while both could at least authenticate users). We found out the difference between the two was that the working one was a member of a group called "Pre-Windows 2000 Compatible Access". Once we made it a member of that group it could authenticate users and validate whether they were a member of the additional group in question. My guess is that somehow the additional settings do a different kind of lookup, perhaps with a different protocol requiring that group be enabled.

For reference our sanitized Bind DN was this:


cn=lookupaccount, cn=users, dc=example, dc=net
And our sanitized Additional Requirement was:


Good luck.