OpenVPN on OpenBSD and Auth-LDAP.conf in place. The "LDAP" part is working, but I cannot get the "Authorization" part to work the way I want it to.
I would like to grant users from specific OUs access to the VPN if they are members of the security group "openvpn". I think I need to know how to write the SearchFilter correctly. This is the Authorization part of my Auth-LDAP.conf:
<Authorization>
# Base DN
BaseDN "OU=Users,OU=MyBusiness,DC=danske-seniorer,DC=dk"
Here I would like to select one (or more) BaseDNs and include their sub-DNs. Can this be done?
# User Search Filter
# SearchFilter "(&(cn=%u)(accountStatus=active))"
SearchFilter "(objectClass=*)"
If I use SearchFilter "(&(cn (or uid)=%u)(accountStatus=active))", I am not getting authorized at all. With SearchFilter "(objectClass=*)" I get authenticated if I choose a BaseDN with only one object and log on with this.
# Require Group Membership
RequireGroup false
# Add non-group members to a PF table (disabled)
#PFTable ips_vpn_users
<Group>
BaseDN "OU=Somethings,OU=MyBusiness,DC=santa,DC=claus"
SearchFilter "((cn=openvpn))"
MemberAttribute uniqueMember
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
</Authorization>
How to do things correctly in my case?
Regards, Lars.
Authenticating OpenVPN against Active Directory
Re: Authenticating OpenVPN against Active Directory
What version of openvpn is that?
Re: Authenticating OpenVPN against Active Directory
2.4.1, but it is ported to OpenBSD.
Re: Authenticating OpenVPN against Active Directory
Hmm, it's 2.4.1 for sure?
Re: Authenticating OpenVPN against Active Directory
I think you have to ignore the group stanza, it's used for something else (at least that's how I remember it).
Your filter should look something like (&(samaccountname=%u)(memberOf=CN=group_name,DC=domain,DC=lan)). It has to return a single value, so samaccountname will be equal to your AD username and the user must also be a member of that group, specified by its DN.
The %u variable will be replaced by the username entered on the VPN connection.
The filter has to return a single record, else the authentication will fail.
Check out this article for more information: https://social.technet.microsoft.com/wi ... lters.aspx
Or in PowerShell check out these help topics:
Code:
PS C:\> help *activedirectory*
Name Category Module Synopsis
---- -------- ------ --------
about_ActiveDirectory HelpFile TOPIC
about_ActiveDirectory_Filter HelpFile TOPIC
about_ActiveDirectory_Identity HelpFile TOPIC
about_ActiveDirectory_ObjectModel HelpFile TOPIC
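To make the "single record" rule in that answer concrete, here is an added example (my own, not code from the thread or from the openvpn-auth-ldap plugin): a small Python model that substitutes %u into a SearchFilter, evaluates a subset of RFC 4515 filter syntax against a constructed sample directory, and authorizes only when exactly one entry matches. Escaping the typed username before substitution is this example's own choice; the thread does not say what the plugin does, and the parser does not unescape values.

```python
# Constructed sample directory (AD-style attributes); not real data.
DIRECTORY = [
    {"dn": "CN=Lars,OU=Users,OU=MyBusiness,DC=example,DC=test",
     "sAMAccountName": ["lars"], "objectClass": ["user"],
     "memberOf": ["CN=openvpn,OU=Groups,DC=example,DC=test"]},
    {"dn": "CN=Anna,OU=Users,OU=MyBusiness,DC=example,DC=test",
     "sAMAccountName": ["anna"], "objectClass": ["user"],
     "memberOf": ["CN=staff,OU=Groups,DC=example,DC=test"]},
    {"dn": "CN=openvpn,OU=Groups,DC=example,DC=test",
     "cn": ["openvpn"], "objectClass": ["group"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the filter's logic."""
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)

def parse_filter(text):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value), (attr=*)."""
    def node(pos):
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        if text[pos + 1] in "&|!":                      # compound filter
            op, pos, kids = text[pos + 1], pos + 2, []
            while text[pos] != ")":
                kid, pos = node(pos)
                kids.append(kid)
            return (op, kids), pos + 1
        end = text.index(")", pos)                      # simple attr=value item
        attr, value = text[pos + 1:end].split("=", 1)
        return ("=", attr.lower(), value), end + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters in filter")  # e.g. ((cn=openvpn))
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names and values
    are compared case-insensitively, as AD does for these attributes."""
    if tree[0] == "&": return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|": return any(matches(k, entry) for k in tree[1])
    if tree[0] == "!": return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = [v for k, vs in entry.items() if k.lower() == attr
              for v in (vs if isinstance(vs, list) else [vs])]
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def authorize(search_filter, username, entries=DIRECTORY):
    """Return the matching DN only when the filter selects exactly one entry,
    mirroring the rule that the plugin's SearchFilter must yield a single record."""
    tree = parse_filter(search_filter.replace("%u", escape_filter_value(username)))
    hits = [e["dn"] for e in entries if matches(tree, e)]
    return hits[0] if len(hits) == 1 else None
```

Running authorize with "(objectClass=*)" reproduces the original poster's observation: it succeeds only when the base DN holds a single object, because any larger directory returns more than one record.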