openvpn LDAP authentication with Group


I have openvpn installed on Ubuntu 19.04 and I am using the plugin "openvpn-auth-ldap.so" for authentication. I can authenticate users from an Organizational Unit in my Active Directory on Windows Server 2012, but restricting access further to only one group is not possible. The configuration used in the file "auth-ldap.conf" is as follows:

<Authorization>
        BaseDN          "OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(CN=%u)"
        RequireGroup    true
        <Group>
                BaseDN  "OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=<mydomain>,DC=<local>"
                SearchFilter  "(&(objectClass=top;group)(memberOf=CN=<NameofMyGroupVPNUsers> ,OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=mydomain,DC=local))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

Any idea how this configuration should go? I just want a group defined in my Active Directory to have access to my OpenVPN server and not an entire OU.

There are 2 answers

Esteban (best answer):

I think you misunderstood how the ldap configuration works.

The first section allows you to search for the users, the second allows you to further filter on the users based on the group membership.

So you should be able to do what you want with either of these two configurations:

<Authorization>
        BaseDN          "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(&(samaccountname=%u)(memberOf=<DN_of_the_group>))"
        RequireGroup    false
</Authorization>

or

<Authorization>
        BaseDN          "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(samaccountname=%u)"
        RequireGroup    true
        <Group>
                BaseDN  "<FULL DN OF YOUR GROUP>"
                SearchFilter  "(objectClass=group)"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

If the second doesn't work, try like this:

<Authorization>
        BaseDN          "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(samaccountname=%u)"
        RequireGroup    true
        <Group>
                BaseDN  "OU=<where_group_vpn_is>,DC=<mydomain>,DC=<local>"
                SearchFilter  "(&(objectClass=group)(cn=<CN_OF_THE_GROUP>))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

Arturo Díaz:

The problem was in the connection to LDAP: I had to specify port 3268 and not the default.

The full file looks like this:

<LDAP>
        URL             ldap://myip:3268
        BindDN          "CN=myuser,OU=MyOU,DC=my,DC=domain"
        Password        myuserpass
        Timeout         30
        TLSEnable       no
        FollowReferrals yes
</LDAP>

<Authorization>
        BaseDN "DC=my,DC=domain"
        SearchFilter "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        RequireGroup    true
        <Group>
                BaseDN "OU=MyOU,DC=my,DC=domain"
                SearchFilter "(cn=NameofGroupwithAccess)"
                MemberAttribute        "member"
        </Group>
</Authorization>
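As an added illustration (not part of either answer or of the openvpn-auth-ldap plugin), the Python below evaluates the search filters from the answers against constructed directory entries: it shows why the `userAccountControl` bit-AND clause rejects disabled accounts, why an AD group is matched through `member` rather than `uniqueMember`, and why the question's `(objectClass=top;group)` filter can never match. The RFC 4515 escaping of `%u` is the example's own precaution for any code that builds a filter from user input, not a statement about what the plugin does internally.

```python
"""Evaluate auth-ldap.conf search filters against constructed AD-style entries.
Added example; the entries and DNs below are made up, not from a real directory."""
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: (attribute & value) != 0
USER_FILTER = "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

# Constructed entries: alice is enabled (512), bob has ACCOUNTDISABLE (bit 2) set.
ALICE = {"samaccountname": ["alice"], "useraccountcontrol": ["512"]}
BOB = {"samaccountname": ["bob"], "useraccountcontrol": ["514"]}
VPN_GROUP = {"cn": ["VPN-Users"], "objectclass": ["top", "group"],
             "member": ["CN=alice,OU=MyOU,DC=my,DC=domain"]}

def escape(value):
    """RFC 4515 escaping so a username can never alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(s, i=0):
    """Minimal RFC 4515 parser: and/or/not, equality, extensible (bit) match."""
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, val = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), unescape(val)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry {attr_lowercase: [values]}."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    attr, val = node[1], node[2]
    if attr.endswith(":" + BIT_AND + ":"):  # e.g. useraccountcontrol:<oid>:=2
        attr = attr.split(":")[0]
        return any(int(v) & int(val) for v in entry.get(attr, []))
    return any(v.lower() == val.lower() for v in entry.get(attr, []))

def ldap_match(filter_template, entry, username):
    """Substitute %u (escaped here), then evaluate the filter against one entry."""
    return matches(parse(filter_template.replace("%u", escape(username)))[0], entry)

def in_group(group_entry, member_attribute, user_dn):
    """The RequireGroup step: the configured MemberAttribute must list the user's DN."""
    return user_dn in group_entry.get(member_attribute.lower(), [])
```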