Problems with using Additional LDAP Requirement

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
clipper
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 04, 2021 9:11 pm

Problems with using Additional LDAP Requirement

Post by clipper » Sun Apr 04, 2021 10:24 pm

Hello there,

so I set up a OpenVPN Access Server for our company a few months ago. All working fine. Now I wanted to use "Additional LDAP Requirement:" with the following input "memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL". I created a security group on our active directory called VPNtesting and put my username into it.

If I try the auth script by OpenVPN the following error appears:

administrator@OAS017:/usr/local/openvpn_as/scripts$ sudo ./authcli -u <myusername> -p <mypassword>
API METHOD: authenticate
AUTH_RETURN
status : FAIL
reason : user not found that meets specified requirements: memberOf=CN=VPNtesting, CN=Users, DC=IT, DC=LOCAL
user : <myusername>

When I change the ad group security group setting to local, global or universal. I still get the same error message. The VPN works tho when I leave the "Additional LDAP Requirement:" blank.

So it has to be a syntax based error. Some additional info: we run a 2012 Windows Server with AD on it.

Can someone help me out here?

clipper
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 04, 2021 9:11 pm

Re: Problems with using Additional LDAP Requirement

Post by clipper » Tue Apr 06, 2021 7:17 am

If I look up the security group VPNtesting in AD, under members my account shows up. But when I look up the user >properties>attribute editor>distinguishedName information of my account in our AD following is listed:

distinguishedName CN=mySurname\, myName, CN=Users, DC=IT, DC=LOCAL

So its missing the "memberOf=VPNtesting" part. I don't know how to solve this since the documentation doesn't contain any information re this and there is no post afaik re this anywhere.

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 312
Joined: Tue Feb 16, 2021 10:41 am

Re: Problems with using Additional LDAP Requirement

Post by openvpn_inc » Tue Apr 06, 2021 10:41 pm

Hi There,

Can you please confirm if you have the bind DN configured properly with the Administrator account that can read the entire Directory?
Most of the time that is the problem. Also, you can check with bad credential dn. It could be that some space had been added in your CN in the credential base dn. etc...

Regrads,
Crowley
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply