Openvpn-auth-ldap and multiple ldap servers

Posted: Thu Apr 06, 2017 8:19 am
by Alex987
Hi everyone!

I configured an OpenVPN server with LDAP authentication using the openvpn-auth-ldap plugin.
It works fine!

Now, I want to use two LDAP servers in order to avoid a single point of failure: if one of my LDAP servers is not reachable by the OpenVPN server for any reason, the OpenVPN server will use the second LDAP server.
My two LDAP servers are Active Directory servers and are synchronized.

I think I need to add a URL line in the configuration file for openvpn-auth-ldap (/etc/openvpn/auth/ldap.conf), but I don't know if it is enough...

So, has someone configured the plugin with two or more LDAP servers?
If yes, how do you handle this? Does it work fine?

# My file /etc/openvpn/auth/ldap.conf

<LDAP>
	# LDAP server URL
	URL		ldap://IP_ldap1
	
	# Bind DN (If your LDAP server doesn't support anonymous binds)
	BindDN		"CN=Bind User,OU=MyOU,DC=mydomain,DC=com"

	# Bind Password
	Password	MyPasswordForBind

	# Network timeout (in seconds)
	Timeout		45 #15

</LDAP>
<Authorization>
	# Base DN
	BaseDN		"DC=mydomain,DC=com"

	# User Search Filter
	SearchFilter "(&(sAMAccountName=%u))"

	# Require Group Membership
	RequireGroup	true

	<Group>
		BaseDN		"dc=mydomain,dc=com"
		SearchFilter	"(cn=Group_OpenVPN)"
		MemberAttribute	"member"
	</Group>
</Authorization>

Re: Openvpn-auth-ldap and multiple ldap servers

Posted: Thu Apr 27, 2017 1:47 pm
by Alex987
Well, I found this link: https://github.com/threerings/openvpn-a ... /issues/29
so I tested with this configuration:
ldap.conf
<LDAP>
# LDAP server URL
URL "ldap://IP_ldap1 ldap://IP_ldap2"

# Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN "CN=Bind User,OU=MyOU,DC=mydomain,DC=com"

# Bind Password
Password MyPasswordForBind

# Network timeout (in seconds)
Timeout 45 #15

</LDAP>
<Authorization>
# Base DN
BaseDN "DC=mydomain,DC=com"

# User Search Filter
SearchFilter "(&(sAMAccountName=%u))"

# Require Group Membership
RequireGroup true

<Group>
BaseDN "dc=mydomain,dc=com"
SearchFilter "(cn=Group_OpenVPN)"
MemberAttribute "member"
</Group>
</Authorization>
I reloaded my OpenVPN with no error.
But when I block access to LDAP1 from the OpenVPN server, the OpenVPN server does not even try to connect to LDAP2 and keeps sending authentication requests to LDAP1.

Any idea to solve the problem?

Re: Openvpn-auth-ldap and multiple ldap servers

Posted: Fri Apr 28, 2017 7:13 am
by TiTex
Have you tried using the domain name for the LDAP URL and not the server's hostname?
So let's say your Active Directory domain is testing.com and you have dc01.testing.com and dc02.testing.com as domain controllers;
just try using URL testing.com and see if that works.

Re: Openvpn-auth-ldap and multiple ldap servers

Posted: Wed May 10, 2017 8:14 am
by Alex987
Thanks for your response :)
I solved the problem: I reduced the timeout.
I defined a timeout of 10s and, with this parameter, the switch between the 2 LDAP servers works well!
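As an added check (example code, not from this thread or the openvpn-auth-ldap project): a small Python script that reads the space-separated URL list and the Timeout value from the <LDAP> block of an ldap.conf and TCP-connects to each server within that timeout, so you can see from the OpenVPN host which backend the failover would reach and how long an unreachable first server would stall each authentication. The sample configuration and its hostnames are constructed placeholders.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample mirroring the second ldap.conf posted in the thread
# (hostnames are placeholders, not real servers).
SAMPLE_CONF = '''
<LDAP>
URL "ldap://IP_ldap1 ldap://IP_ldap2"
Timeout 10 #15
</LDAP>
'''

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_ldap_block(text):
    """Return (urls, timeout) from the <LDAP> section of an ldap.conf."""
    block = re.search(r"<LDAP>(.*?)</LDAP>", text, re.S)
    if not block:
        raise ValueError("no <LDAP> block found")
    urls, timeout = [], None
    for raw in block.group(1).splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        key, value = re.match(r"(\S+)\s*(.*)", line).groups()
        value = value.strip('"')
        if key == "URL":
            urls = value.split()               # space-separated failover list
        elif key == "Timeout":
            timeout = int(value)
    return urls, timeout

def endpoint(url):
    """Map an ldap:// or ldaps:// URL to (host, port)."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]

def check_reachability(urls, timeout):
    """TCP-connect to each server within `timeout`; return {url: bool}."""
    result = {}
    for url in urls:
        host, port = endpoint(url)
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[url] = True
        except OSError:
            result[url] = False
    return result
```

On the OpenVPN host, run it against the real file with `check_reachability(*parse_ldap_block(open("/etc/openvpn/auth/ldap.conf").read()))`; a first URL that reports False is the one that costs a full Timeout before the plugin moves on.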