How to customize and extend your OpenVPN installation.
OpenVpn Newbie
Posts: 16
Joined: Wed Dec 23, 2020 10:12 pm


Post by petrocelli1966 » Tue Jan 12, 2021 3:43 pm

Hi All,
I have been reading and trying in vain for the past few days so I would really appreciate some assistance.
I am trying to get OpenVPN to authenticate to Active Directory which is on Windows 2012.
I run OpenVPN 2.5 on FreeBSD. My config files are below. From the client I am getting wrong credentials.
On the server I get this error:

LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v23f0)
Unable to bind as CN=openvpnquery,CN=Users,DC=mayberryinv,DC=net
LDAP connect failed.
2021-01-12 08:12:51 us=33643 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2021-01-12 08:12:51 us=33686 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-ldap.so
2021-01-12 08:12:51 us=34192 TLS Auth Error: Auth Username/Password verification failed for peer

I am sure the password is correct, however.


auth-ldap.conf

# LDAP server URL
URL             ldap://
BindDN          openvpnquery@domain.com
Password        Password
Timeout         15
TLSEnable       no
FollowReferrals no

BaseDN          "DC=domain,DC=net"
SearchFilter    "sAMAccountName=%u"
RequireGroup    false

Server config

proto udp4
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key # This file should be kept secret
dh /usr/local/etc/openvpn/server/dh.pem
push "route x.x.x.x" # push takes a single quoted argument
push "dhcp-option DNS y.y.y.y"
push "dhcp-option DOMAIN domain.net"
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM
crl-verify /usr/local/etc/openvpn/crl/crl.pem
plugin /usr/local/lib/openvpn-auth-ldap.so "/usr/local/etc/openvpn/server/auth-ldap.conf"
reneg-sec 28800
auth SHA256

Client config

dev tun
;proto tcp
proto udp
remote z.z.z.z
resolv-retry infinite
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-GCM
verb 3
;mute 20
auth SHA256
;redirect-gateway def1
reneg-sec 0
Last edited by Pippin on Tue Jan 12, 2021 4:42 pm, edited 1 time in total.
Reason: Formatting
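The bind failure above carries an Active Directory sub-code ("data 52e") that says more than the generic "Invalid credentials" text: the DC found the bind account but rejected its password, whereas "data 525" would mean the account itself was not found. The following Python script is an added diagnostic example, not part of the openvpn-auth-ldap plugin or of the original post; it decodes that sub-code from OpenVPN server log lines (the sample log is the one quoted in the post) so the bind account problem can be told apart from a user lookup problem before touching BaseDN or SearchFilter.

```python
"""Decode the Active Directory sub-error in an openvpn-auth-ldap bind failure.

Added diagnostic example; not code from the openvpn-auth-ldap plugin.
"""
import re

# Well-known AD "data NNN" sub-codes reported with AcceptSecurityContext
# bind errors (hex, exactly as the domain controller prints them).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, password rejected)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the bind-failure line the plugin writes when the DC refuses a bind.
BIND_ERR_RE = re.compile(
    r"LDAP bind failed: (?P<msg>[^(]+?)\s*\((?P<ldaperr>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)\)"
)


def decode_bind_failure(line: str):
    """Return a dict describing a DC bind error, or None if the line is not one."""
    m = BIND_ERR_RE.search(line)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "ldap_message": m.group("msg").strip(),
        "ldap_error": m.group("ldaperr"),
        "comment": m.group("comment").strip(),
        "ad_subcode": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
        # 525 is the only sub-code that says the bind account was not found.
        "bind_account_exists": data != "525",
    }


def triage(log_text: str):
    """Scan server log text and return one finding per decoded bind failure."""
    return [d for d in (decode_bind_failure(l) for l in log_text.splitlines()) if d]


# Log lines as quoted in the post above.
SAMPLE_LOG = """\
LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v23f0)
Unable to bind as CN=openvpnquery,CN=Users,DC=mayberryinv,DC=net
LDAP connect failed.
2021-01-12 08:12:51 us=33643 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2021-01-12 08:12:51 us=34192 TLS Auth Error: Auth Username/Password verification failed for peer
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['ad_subcode']}: {finding['meaning']} "
              f"(bind account exists: {finding['bind_account_exists']})")
```

Point the script at the real server log (with `verb 3` or higher) rather than the sample; a result other than 52e, such as 775 (locked out) or 532 (password expired), means the bind account itself needs attention on the DC rather than the plugin configuration.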


Re: LDAP-Auth [Solved]

Post by petrocelli1966 » Wed Jan 13, 2021 1:21 pm

Well things have started working now. I had to change the line BaseDN "DC=domain,DC=net" to BaseDN "OU=Units,DC=domain,DC=net" which is the OU the user is in. Not sure why this happened. We have a huge user base in AD. Not sure if it was failing really or just timing out but it was saying auth-fail. Anyway, it is working now so this can be closed. Thanks.
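Narrowing BaseDN to the OU that holds the user changes where the plugin's search starts, and the plugin fills `%u` in SearchFilter with the name the client sent. The following Python script is an added illustration, not code from openvpn-auth-ldap or from the poster; the DNs are constructed, and it assumes the plugin performs a subtree search from BaseDN. It checks whether a user's DN lies under a given BaseDN, with AD's case-insensitive matching, and expands the filter template with RFC 4515 escaping so that the username cannot change the filter's structure.

```python
"""Check user DNs against a BaseDN and expand an LDAP search filter safely.

Added example; not code from the openvpn-auth-ldap plugin. DNs are constructed.
"""


def split_dn(dn: str):
    """Split a DN into (attribute, value) pairs on unescaped commas.

    Attribute types and values are lower-cased and stripped because Active
    Directory compares DNs case-insensitively and ignores spaces after commas.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    out = []
    for p in parts:
        attr, _, val = p.strip().partition("=")
        out.append((attr.strip().lower(), val.strip().lower()))
    return out


def dn_under_base(user_dn: str, base_dn: str) -> bool:
    """True if user_dn is base_dn itself or lies somewhere beneath it."""
    u, b = split_dn(user_dn), split_dn(base_dn)
    return len(b) <= len(u) and u[len(u) - len(b):] == b


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value inserted into a search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def expand_filter(template: str, username: str) -> str:
    """Replace %u in the SearchFilter template with the escaped username."""
    return template.replace("%u", escape_filter_value(username))


def scope_report(base_dn: str, user_dns):
    """Return which of the given user DNs a subtree search from base_dn can reach."""
    return {dn: dn_under_base(dn, base_dn) for dn in user_dns}


# Constructed DNs modelled on the directory layout described in the thread.
USERS = [
    "CN=alice,OU=Units,DC=domain,DC=net",
    "CN=bob,OU=Units,DC=domain,DC=net",
    "CN=openvpnquery,CN=Users,DC=domain,DC=net",
]

if __name__ == "__main__":
    for base in ("DC=domain,DC=net", "OU=Units,DC=domain,DC=net"):
        print(base, scope_report(base, USERS))
    print(expand_filter("sAMAccountName=%u", "bob"))
```

Both BaseDN values in the thread reach the users under OU=Units, so a subtree search should have found them either way; the report makes the scope explicit, and the escaping shows why a filter template should never be expanded by plain string substitution.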
