Possible to set case insensitive for LDAP lookup?

stech4114
OpenVpn Newbie
Posts: 7
Joined: Mon May 09, 2022 12:26 pm

Possible to set case insensitive for LDAP lookup?

Post by stech4114 » Tue May 16, 2023 7:03 pm

I am using LDAP UPN for sign in and some users have a capital first letter in their UPN, some do not. If they type it incorrectly it fails because of the mismatch. Is it possible to sign in using either case?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Possible to set case insensitive for LDAP lookup?

Post by openvpn_inc » Tue May 16, 2023 7:32 pm

Hello stech4114,

It is up to the LDAP server to deal with case insensitive behavior. On Windows AD servers for example it is quite common that any case is accepted.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support


Re: Possible to set case insensitive for LDAP lookup?

Post by stech4114 » Tue May 16, 2023 8:23 pm

openvpn_inc wrote:
Tue May 16, 2023 7:32 pm
Hello stech4114,

It is up to the LDAP server to deal with case insensitive behavior. On Windows AD servers for example it is quite common that any case is accepted.

Kind regards,
Johan
That's not the "case" here ;) from the OpenVPN log this is what happens... also I want to note you can sign into the web portal with EITHER case... but with the OpenVPN Connect client you must use the proper case:

username-only match fail, client username='Thisuser@domain.ext', DB username='thisuser@domain.ext '


Re: Possible to set case insensitive for LDAP lookup?

Post by stech4114 » Wed May 17, 2023 4:06 pm

Any help on this? The error seems to be that the OpenVPN server cares about it, not the LDAP server... it even finishes Duo auth before giving the error:

username-only match fail, client username='Thisuser@domain.ext', DB username='thisuser@domain.ext '


Re: Possible to set case insensitive for LDAP lookup?

Post by openvpn_inc » Thu May 18, 2023 6:01 pm

Hello,

I see, there is also a Duo post-auth script involved. That might be a case where the normal logic doesn't work as well.

There is an option under Authentication > LDAP to make authentication case insensitive but not sure if that works in combination with Duo.

You may need to contact our support and send information on how things are set up; there may be a case here where case-insensitive behavior is simply not possible due to the interaction between Access Server, LDAP, and the Duo script. We might then make an internal case to see what could be done. Without the Duo script, Access Server sends the credentials to the LDAP server, and the LDAP server then decides whether to verify them case-sensitively or not. The LDAP server then sends back the exact case as it is in the LDAP directory, and Access Server sticks to using that for authentication. But with Duo being in between, that might upset that. The Duo script may be specifically taking the user input and ignoring what the LDAP server reports back, resulting in a possible mismatch in case.

You might want to consider switching to Duo SAML implementation, if possible.

Kind regards,
Johan
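
Added example, not part of the thread and not OpenVPN code: a small log triage script that takes the "username-only match fail" message format quoted above and reports whether each failure is only a case or whitespace difference or a genuinely different account. The function names and all sample lines except the first are constructed for illustration.

```python
import re

# Message format as quoted in the thread; anything before it on the line is ignored.
FAIL_RE = re.compile(
    r"username-only match fail, client username='(?P<client>[^']*)', "
    r"DB username='(?P<db>[^']*)'"
)

def classify(client: str, db: str) -> str:
    """Say why two usernames that failed an exact match differ."""
    if client == db:
        return "identical"
    if client.casefold() == db.casefold():
        return "case-only"
    if client.strip() == db.strip():
        return "whitespace-only"
    if client.strip().casefold() == db.strip().casefold():
        return "case+whitespace"
    # A real mismatch: this one should keep failing.
    return "different-user"

def triage(lines):
    """Return (client, db, reason) for every match-fail line found."""
    results = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            results.append((m["client"], m["db"], classify(m["client"], m["db"])))
    return results

# Constructed sample input. The first line is the one pasted in the thread
# (including the trailing space in the DB username); the rest are made up.
SAMPLE_LOG = [
    "username-only match fail, client username='Thisuser@domain.ext', DB username='thisuser@domain.ext '",
    "username-only match fail, client username='Alice@domain.ext', DB username='alice@domain.ext'",
    "username-only match fail, client username='bob@domain.ext', DB username='carol@domain.ext'",
    "some unrelated log line",
]

if __name__ == "__main__":
    for client, db, reason in triage(SAMPLE_LOG):
        print(f"{reason:16} client={client!r} db={db!r}")
```

Entries reported as `different-user` are the ones worth a closer look, since the name that passed authentication does not match the stored account even after normalization.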
