OpenVPN Support Forum

Is it possible to use LDAP groups (or local groups with LDAP users) to determine access control? This is different from using groups as part of the Additional LDAP Requirement, I'd like to be able to control access to specific subnets based on group membership.

For example:
Admin group with access to all subnets (10.0.0.0/8).
If not in that group, access to subnets based on the contents of the 'Routing' section of the 'Web Server' config (10.0.0.0/24 and 10.0.1.0/24).

I have tried adding an LDAP group using its exact name, similar to adding LDAP users to control access, but this does not work.

I have also tried creating a new local group and adding an LDAP user to it, also without any luck.

Any help would be greatly appreciated.

They are 2 separate groups... you will need to add each user to the groups you create in the UI and base your permission on those.

I'm not sure I understand. I have tried adding an LDAP user to a local group and it doesn't work. In fact I cannot even successfully connect a VPN client, the authentication fails.

you cannot add ldap groups to the groups in Openvpnas it wont work. as the groups are stored in the DB configuration file. its not even the same as groups in linux "/etc/groups". what you need to do is create ur users in ldap have openvpnas authenticate with ldap. create ur groups in openvpnas then add each user from ldap to the openvpn server... then add each user to openvpn groups. again groups in ldap and groups in openvpn cannot be tied together ;hope thats clearer