Reputation: 23
I have OpenVPN installed on Ubuntu 19.04 and I am using the plugin "openvpn-auth-ldap.so" for authentication. I can authenticate users from an Organizational Unit in my Active Directory on Windows Server 2012, but further restricting access to only one group is not possible. The configuration used in the file "auth-ldap.conf" is as follows:
<Authorization>
BaseDN "OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=<mydomain>,DC=<local>"
SearchFilter "(CN=%u)"
RequireGroup true
<Group>
BaseDN "OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=<mydomain>,DC=<local>"
SearchFilter "(&(objectClass=top;group)(memberOf=CN=<NameofMyGroupVPNUsers> ,OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=mydomain,DC=local))"
MemberAttribute uniqueMember
</Group>
</Authorization>
Any idea how this configuration should go? I just want a group defined in my Active Directory to have access to my OpenVPN server, and not an entire OU.
Upvotes: 0
Views: 2983
Reputation: 23
The problem was in the connection to LDAP: I had to specify port 3268 and not the default.
The full file looks like this:
<LDAP>
URL ldap://myip:3268
BindDN "CN=myuser,OU=MyOU,DC=my,DC=domain"
Password myuserpass
Timeout 30
TLSEnable no
FollowReferrals yes
</LDAP>
<Authorization>
BaseDN "DC=my,DC=domain"
SearchFilter "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
RequireGroup true
<Group>
BaseDN "OU=MyOU,DC=my,DC=domain"
SearchFilter "(cn=NameofGroupwithAccess)"
MemberAttribute "member"
</Group>
</Authorization>
Upvotes: 0
Reputation: 1815
I think you misunderstood how the LDAP configuration works.
The first section allows you to search for the users, the second allows you to further filter on the users based on the group membership.
So you should be able to do what you want with either of these two configurations:
<Authorization>
BaseDN "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
SearchFilter "(&(samaccountname=%u)(memberOf=<DN_of_the_group>))"
RequireGroup false
</Authorization>
or
<Authorization>
BaseDN "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
SearchFilter "(samaccountname=%u)"
RequireGroup true
<Group>
BaseDN "<FULL DN OF YOUR GROUP>"
SearchFilter "(objectClass=group)"
MemberAttribute uniqueMember
</Group>
</Authorization>
If the second doesn't work, try like this:
<Authorization>
BaseDN "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
SearchFilter "(samaccountname=%u)"
RequireGroup true
<Group>
BaseDN "OU=<where_group_vpn_is>,DC=<mydomain>,DC=<local>"
SearchFilter "(&(objectClass=group)(cn=<CN_OF_THE_GROUP>))"
MemberAttribute uniqueMember
</Group>
</Authorization>
Upvotes: 1
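To make the two-phase flow described above concrete, here is an added Python model (not the plugin's own code) of the accepted answer's configuration, run against constructed directory entries: the user search with its disabled-account clause, then the group lookup through MemberAttribute. The entry names, the OU=Staff container and the group name VPNUsers are assumptions.

```python
ACCOUNTDISABLE = 0x2  # userAccountControl bit that marks a disabled account

# Constructed sample directory: DN -> attributes (not real data)
DIRECTORY = {
    "CN=alice,OU=Staff,DC=my,DC=domain": {"sAMAccountName": "alice", "userAccountControl": 512},
    "CN=bob,OU=Staff,DC=my,DC=domain": {"sAMAccountName": "bob", "userAccountControl": 512},
    # 514 = 512 | ACCOUNTDISABLE: carol is a group member but her account is disabled
    "CN=carol,OU=Staff,DC=my,DC=domain": {"sAMAccountName": "carol", "userAccountControl": 514},
    "CN=VPNUsers,OU=MyOU,DC=my,DC=domain": {
        "objectClass": "group",
        # DN case differs from the user entry on purpose: DN comparison must be case-insensitive
        "member": ["CN=alice,OU=Staff,DC=my,DC=domain", "CN=Carol,OU=Staff,DC=my,DC=domain"],
    },
}

def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base_dn):
    """True when dn is the base itself or lies below it."""
    n, b = norm_dn(dn), norm_dn(base_dn)
    return n == b or n.endswith("," + b)

def find_user(username, base_dn="DC=my,DC=domain"):
    """Phase 1, the <Authorization> search:
    (&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    The OID is AD's bitwise-AND matching rule, so the second clause rejects disabled accounts."""
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base_dn) or "sAMAccountName" not in attrs:
            continue
        if attrs["sAMAccountName"].lower() != username.lower():  # AD compares case-insensitively
            continue
        return None if attrs["userAccountControl"] & ACCOUNTDISABLE else dn
    return None

def is_group_member(user_dn, group_cn, base_dn="OU=MyOU,DC=my,DC=domain", member_attr="member"):
    """Phase 2, the <Group> search: (cn=<group>) under the group BaseDN, then check MemberAttribute."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectClass") != "group" or not in_subtree(dn, base_dn):
            continue
        if norm_dn(dn).split(",")[0] != "cn=" + group_cn.lower():
            continue
        return any(norm_dn(m) == norm_dn(user_dn) for m in attrs.get(member_attr, []))
    return False

def authorize(username, group_cn="VPNUsers"):
    """RequireGroup true: the user must be found and enabled, and be a member of the group."""
    user_dn = find_user(username)
    return user_dn is not None and is_group_member(user_dn, group_cn)
```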