OpenVPN Support Forum

Hello,
I'm not sure whether I get it right, but even if I have LDAP authentication configured, I have to add users manually? Or can I somehow load them from AD? Thank you..

Hello devlin,

With LDAP authentication configured you can choose one of two operation modes explained below. On modern Access Servers the mode can be selected with the "External user registration" option under Authentication > Settings, in the admin UI. On older Access Servers it was an option at the bottom of the User Permissions page that did the same thing.

Automatic registration disabled: Any user that is valid in LDAP and also already exists in the Access Server (just add the username spelled exactly the same way to User Permissions page) can log in. Any users that are not added by the administrator to Access Server's User Permissions page won't be able to login. This mode is active when you turn "Deny access to unlisted accounts by default" to "Yes".

Automatic registration enabled: Any user that is valid in LDAP, will be allowed to log in, and if they don't exist yet in Access Server, they will be added automatically the first time they log in at the Access Server. This mode is active when you turn "Deny access to unlisted accounts by default" to "No" (this is the default setting, meaning by default all users that have valid credentials on the default authentication backend are allowed to login).

Note that for this to work in your situation, LDAP must be the default authentication method, as this option only applies to the default authentication method. Also, there is no operating mode that copies all users in LDAP in one go into Access Server. It only happens as they log in first time. That of course doesn't make much of a difference for the end-user, but it may make a difference for the administrator if they need to set specific access control rules per user.

Kind regards,
Johan

Great, I understand. Thank you very much for explanation!