Possible to set case insensitive for LDAP lookup?
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon May 09, 2022 12:26 pm
Possible to set case insensitive for LDAP lookup?
I am using LDAP UPN for sign in and some users have a capital first letter in their UPN, some do not. If they type it incorrectly it fails because of the mismatch. Is it possible to sign in using either case?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Possible to set case insensitive for LDAP lookup?
Hello stech4114,
It is up to the LDAP server to deal with case insensitive behavior. On Windows AD servers for example it is quite common that any case is accepted.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon May 09, 2022 12:26 pm
Re: Possible to set case insensitive for LDAP lookup?
openvpn_inc wrote: ↑Tue May 16, 2023 7:32 pm
Hello stech4114,
It is up to the LDAP server to deal with case insensitive behavior. On Windows AD servers for example it is quite common that any case is accepted.
Kind regards,
Johan
That's not the "case" here; from the OpenVPN log this is what happens... also I want to note you can sign into the web portal with EITHER case... but with the OpenVPN Connect client you must use the proper case:
username-only match fail, client username='Thisuser@domain.ext', DB username='thisuser@domain.ext '
-
- OpenVpn Newbie
- Posts: 7
- Joined: Mon May 09, 2022 12:26 pm
Re: Possible to set case insensitive for LDAP lookup?
Any help on this? The error seems to be that the OpenVPN server cares about it, not the LDAP server... it even finishes DUO auth before giving the error:
username-only match fail, client username='Thisuser@domain.ext', DB username='thisuser@domain.ext '
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Possible to set case insensitive for LDAP lookup?
Hello,
I see, there is also a Duo post-auth script involved. That might be a case where the normal logic doesn't work as well.
There is an option under Authentication > LDAP to make authentication case insensitive but not sure if that works in combination with Duo.
You may need to contact our support and send information on how things are set up; there may be a case here where case insensitive behavior is simply not possible due to the interaction between Access Server, LDAP, and the Duo script. We might then make an internal case to see what could be done. Without the Duo script, Access Server sends the credentials to the LDAP server, and the LDAP server then decides to verify that case-sensitive or not. The LDAP server then sends back the exact case as it is in the LDAP directory, and then the Access Server sticks to using that for authentication. But with Duo being in between, that might upset that. The Duo script may be specifically taking the user input and ignoring what the LDAP server reports back, resulting in a possible mismatch in case.
You might want to consider switching to Duo SAML implementation, if possible.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
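A diagnostic sketch for the log line quoted in this thread, added here as an example and not part of any post or of Access Server: it parses `username-only match fail` lines, reports whether the two names differ only by case or surrounding whitespace, and shows the "accept any case, keep the directory's spelling" behaviour described in the last reply. The names `fold`, `classify` and `canonical_username` are hypothetical, and the second sample line is constructed.

```python
import re
import unicodedata

# Format taken from the log line quoted in the thread.
LINE_RE = re.compile(
    r"username-only match fail, client username='(?P<client>[^']*)', "
    r"DB username='(?P<db>[^']*)'"
)

SAMPLE_LOG = [
    # Line as posted in the thread (note the trailing space in the DB value).
    "username-only match fail, client username='Thisuser@domain.ext', "
    "DB username='thisuser@domain.ext '",
    # Constructed line: two genuinely different accounts.
    "username-only match fail, client username='alice@domain.ext', "
    "DB username='bob@domain.ext'",
]

def fold(name: str) -> str:
    """Comparison key: Unicode-normalise, then case-fold."""
    return unicodedata.normalize("NFKC", name).casefold()

def classify(line: str):
    """Return (client, db, reason) for a match-fail line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    client, db = m.group("client"), m.group("db")
    reasons = []
    if client != client.strip() or db != db.strip():
        reasons.append("whitespace")
    if fold(client.strip()) != fold(db.strip()):
        reasons.append("different-user")
    elif client.strip() != db.strip():
        reasons.append("case")
    return client, db, "+".join(reasons) or "identical"

def canonical_username(typed: str, directory_value: str):
    """Hypothetical helper: accept any case, but return the directory's
    spelling so later checks all key on one identity."""
    if fold(typed.strip()) == fold(directory_value.strip()):
        return directory_value.strip()
    return None

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```
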