Help! configuring "openvpn-auth-ldap"

nateriver74
OpenVpn Newbie
Posts: 3
Joined: Thu May 11, 2023 10:47 am

Post by nateriver74 » Tue Jun 20, 2023 11:58 pm

Hi guys,
I have installed and configured "OpenVPN" and "OpenLDAP". In addition, I also have their plugin "openvpn-auth-ldap" installed, and it is precisely with this last one that I have a problem. This is my configuration.

<LDAP>
        # LDAP server URL
        URL             ldap://x.x.x.x:389

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        BindDN          cn=admin,dc=mydomain,dc=com

        # Bind Password
        Password        P@ssw0rd

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       no

        # Follow LDAP Referrals (anonymously)
        FollowReferrals no
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "ou=user,dc=mydomain,dc=com"
        
        # User Search Filter
        SearchFilter    "(uid=%u)"

        # Require Group Membership
        RequireGroup    true
        <Group>
                BaseDN         "ou=group,dc=mydomain,dc=com"
                SearchFilter   "(cn=openVPN)"
                MemberAttribute memberUid
        </Group>
</Authorization>

The error I have is that if I want to authenticate the users who are in groups, it won't let me; it shows me a credential error. But if it is to authenticate only the users, everything is correct.
RequireGroup false => all good
RequireGroup true => all wrong

Help me figure out what I'm doing wrong? :(

Thank you so much!

Lorenamartin4
OpenVpn Newbie
Posts: 2
Joined: Thu Jul 13, 2023 11:10 am

Re: Help! configuring "openvpn-auth-ldap"

Post by Lorenamartin4 » Fri Jul 14, 2023 10:46 am

Try to Verify LDAP Server Configuration: Ensure that the LDAP server URL, in this case "ldap://x.x.x.x:389", is correct and accessible from the machine running OpenVPN. Double-check the BindDN and Bind Password. Make sure they are correct and have appropriate permissions to perform the necessary operations.

Check LDAP BaseDN and SearchFilter: Confirm that the BaseDN for users ("ou=user,dc=mydomain,dc=com") and groups ("ou=group,dc=mydomain,dc=com") are correct and match your LDAP directory structure. Verify the SearchFilter used for users ("(uid=%u)") and groups ("(cn=openVPN)"). Ensure they match the attribute values in your LDAP directory.

Verify Group Membership Attribute: Check that the MemberAttribute value ("memberUid") is correct for your LDAP directory. It should be the attribute that specifies the user's membership in a group.

Debug and Logging: Enable verbose logging in OpenVPN to get more detailed information about the authentication process and any potential errors or warnings. Check the OpenVPN and LDAP server logs for any relevant error messages that might help identify the problem.

Test LDAP Authentication: Use LDAP command-line tools (e.g., ldapsearch) to manually test the LDAP server and verify that users and groups are correctly retrieved using the provided search filters and attributes. Test both user authentication and group membership retrieval separately to isolate the issue.

TLS Configuration: If your LDAP server supports StartTLS, you can try enabling it by setting TLSEnable to "yes" in your OpenVPN configuration. Make sure you have the necessary TLS certificates configured correctly if StartTLS is enabled.
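
The "Verify Group Membership Attribute" and "Test LDAP Authentication" steps above, as an added Python example (not code from either poster or from the openvpn-auth-ldap project): it parses the question's <Authorization> block and, for a group entry shaped like an ldapsearch result, reports whether the configured MemberAttribute lists the user and whether it does so by bare uid or by full DN. The user "alice", both group entries and the assumption that user entries sit directly under BaseDN are constructed for illustration.

```python
import re
# Constructed sample: the <Authorization> block from the question above.
CONF = '''
<Authorization>
    BaseDN          "ou=user,dc=mydomain,dc=com"
    SearchFilter    "(uid=%u)"
    RequireGroup    true
    <Group>
        BaseDN          "ou=group,dc=mydomain,dc=com"
        SearchFilter    "(cn=openVPN)"
        MemberAttribute memberUid
    </Group>
</Authorization>
'''
# Constructed group entries (hypothetical user "alice"), shaped like ldapsearch results.
POSIX_GROUP = {'cn': ['openVPN'], 'memberUid': ['alice', 'bob']}
NAMES_GROUP = {'cn': ['openVPN'], 'member': ['uid=alice,ou=user,dc=mydomain,dc=com']}

def parse_conf(text):
    """Parse auth-ldap.conf style sections into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tag = re.fullmatch(r'<(/?)(\w+)>', line)
        if tag and tag.group(1):
            stack.pop()                       # closing tag ends the section
        elif tag:
            stack.append(stack[-1].setdefault(tag.group(2), {}))
        else:
            key, *rest = line.split(None, 1)
            stack[-1][key] = rest[0].strip('"') if rest else ''
    return stack[0]

def check_group(conf, uid, group_entry):
    """Return (MemberAttribute, form), form being 'dn', 'uid' or 'absent'."""
    auth = conf['Authorization']
    attr = auth['Group']['MemberAttribute']
    user_dn = f"uid={uid},{auth['BaseDN']}".lower()  # assumes users sit directly under BaseDN
    values = [v.lower() for k, vs in group_entry.items()
              if k.lower() == attr.lower() for v in vs]
    if user_dn in values:
        return attr, 'dn'
    return attr, 'uid' if uid.lower() in values else 'absent'

if __name__ == '__main__':
    for entry in (POSIX_GROUP, NAMES_GROUP):
        print(check_group(parse_conf(CONF), 'alice', entry))
```

A result of 'absent' means the attribute named in MemberAttribute does not list the user in that group entry at all; 'uid' or 'dn' shows which form of the user's identity the directory stores there, which is the value the group check has to match.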
