AD permissions required for LDAP Bind account?

Posted: Sun Jan 02, 2022 8:31 pm
by kiyomaka
Greetings everyone,
My OpenVPN server has been collecting dust for a while as I've been working from home and have not had need to leverage it.

I have the server configured to use Google 2FA, LDAP and an additional LDAP requirement.

I had everything working when I last tested it about 16 months ago, however some point between then and now the Additional LDAP Requirement stopped working and I'm unable to sign in.

Attempting to sign in via the auth CLI throws an error like this:

API METHOD: authenticate
AUTH_RETURN
status : FAIL
reason : user not found that meets specified requirements: memberOf=CN=OpenVPNUsers,CN=Users,DC=XX,DC=XXXX,DC=XXX
user : xxxx.xxxxx

Authentication does work if I blank out the Additional LDAP Requirement: (Advanced) line.

As a (Shitty) test I temporarily made the bind account a member of the Domain Admins group, and sure enough it was able to successfully auth, which tells me that this is something permission related preventing the group membership from being read, perhaps related to a Microsoft patch installed on the DCs.

I'm currently running OpenVPN Access Server v2.8.5.

What specific permissions should I delegate to the bind account?

Re: AD permissions required for LDAP Bind account?

Posted: Sun Jan 02, 2022 11:12 pm
by openvpn_inc
Hello Kiyomaka,

The bind account is so that only an authenticated user can see objects in the LDAP directory. Anonymous access to that is usually turned off. So the bind account needs to have enough permissions to allow objects to be visible. In other terms, the account needs to be able to enumerate the user accounts. You might want to use a tool like ldaptools on Linux to 'see' what the LDAP account can see.

Kind regards,
Johan

Re: AD permissions required for LDAP Bind account?

Posted: Mon Jan 03, 2022 2:14 am
by kiyomaka
openvpn_inc wrote:
Sun Jan 02, 2022 11:12 pm
Hello Kiyomaka,

The bind account is so that only an authenticated user can see objects in the LDAP directory. Anonymous access to that is usually turned off. So the bind account needs to have enough permissions to allow objects to be visible. In other terms, the account needs to be able to enumerate the user accounts. You might want to use a tool like ldaptools on Linux to 'see' what the LDAP account can see.

Kind regards,
Johan
Would I be installing ldap tools on the Microsoft AD Domain Controller or the OpenVPN server itself?
By enumerate do you mean it should have enough access to view the properties and attributes of the user accounts signing into OpenVPN and any associated group dependencies?

Re: AD permissions required for LDAP Bind account?

Posted: Thu Jan 06, 2022 1:31 pm
by openvpn_inc
Hello kiyomaka,

The ldaptools package can be installed on a Linux system, like on Access Server itself. You don't specifically have to use that one. There are also other tools that can let you browse an LDAP directory.

You would need to be able to list users and some of their attributes, yes.

This page I Googled might be helpful to get you going with ldapsearch, which is part of ldaptools:
https://www.seei.biz/using-ldapsearch-t ... directory/

Kind regards,
Johan
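
As an added example (not part of the thread or of Access Server itself), the POSIX shell helper below runs the same lookup the Additional LDAP Requirement performs, but bound as the service account instead of an admin, and tells apart the cases a Domain Admins workaround hides: user not visible at all, user visible but memberOf not readable, or user visible but not in the group. The URI, bind DN and base DN are placeholders (the DC components mirror the masked ones in the error message), and the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): re-run the Access Server
# "Additional LDAP Requirement" lookup as the bind account itself.
# All values below are placeholders; the DC components mirror the
# masked ones in the error message.
LDAP_URI="${LDAP_URI:-ldaps://dc01.example.invalid}"
BIND_DN="${BIND_DN:-CN=svc-openvpn,CN=Users,DC=XX,DC=XXXX,DC=XXX}"
BASE_DN="${BASE_DN:-DC=XX,DC=XXXX,DC=XXX}"
REQ_DN="${REQ_DN:-CN=OpenVPNUsers,CN=Users,DC=XX,DC=XXXX,DC=XXX}"

# Fetch the user entry and its memberOf values while bound as the
# service account (-W prompts for its password); -o ldif-wrap=no keeps
# long DNs on one line so they can be compared verbatim.
search_user() {
  ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -W \
    -b "$BASE_DN" "(sAMAccountName=$1)" sAMAccountName memberOf
}

# Classify the LDIF returned for one user against the required group DN
# (DN comparison is case-insensitive, as in AD):
#   ok               entry visible and carries the required memberOf
#   not-member       entry and memberOf visible, group not among them
#   memberof-hidden  entry visible but no memberOf at all (attribute
#                    read denied to the bind account, or no groups)
#   user-not-visible nothing returned (bind account cannot list the user)
classify_ldif() {
  ldif="$1"; req="$2"
  if printf '%s\n' "$ldif" | grep -i '^memberOf: ' | cut -d' ' -f2- \
       | grep -qixF -- "$req"; then
    echo ok
  elif printf '%s\n' "$ldif" | grep -qi '^memberOf: '; then
    echo not-member
  elif printf '%s\n' "$ldif" | grep -qi '^dn: '; then
    echo memberof-hidden
  else
    echo user-not-visible
  fi
}

# Usage: ./ldapcheck.sh <sAMAccountName>   (hypothetical script name)
if [ "$#" -ge 1 ]; then
  classify_ldif "$(search_user "$1")" "$REQ_DN"
fi
```

If the result is memberof-hidden while the same query as an admin returns memberOf, the bind account is the one missing read access to that attribute; if it is user-not-visible, it cannot list the user object at all.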