Title: OpenVPN authenticate against Windows Server 2008 Active Directory
Post by: wdupreez on Wednesday 03 November 2010, 08:07:42 pm

I thought I'd share my experience after battling to get this to work for a long time.
To get OpenVPN to authenticate against Windows Server 2008 Active Directory, follow the KB article (kb.endian.com/entry/64), but with the following exceptions:

1. In the LDAP_USER_SEARCHFILTER value, substitute "uid" with "sAMAccountName", and remove the "loginShell" filter, e.g.

Code:
LDAP_USER_SEARCHFILTER=(&(sAMAccountName=%(u)s))

2. In the LDAP_GROUP_MEMBERATTRIBUTE value, substitute "uniqueMember" with "member", e.g.

Code:
LDAP_GROUP_MEMBERATTRIBUTE=member

My final configuration looks something like this:

Code:
AUTH_TYPE=certpsk

Title: Re: OpenVPN authenticate against Windows Server 2008 Active Directory
Post by: leso on Wednesday 15 December 2010, 08:48:45 am

Thank you for your feedback. Did you use Endian Community ver 2.4.1?
Title: Re: OpenVPN authenticate against Windows Server 2008 Active Directory
Post by: wdupreez on Wednesday 15 December 2010, 08:08:28 pm

I use 2.4. IMO there are way too many issues outstanding on 2.4.1 to use it in a production environment.
Title: Re: OpenVPN authenticate against Windows Server 2008 Active Directory
Post by: mrkroket on Thursday 16 December 2010, 09:23:46 am

What privileges must the LDAP_BIND_DN user have?
Title: Re: OpenVPN authenticate against Windows Server 2008 Active Directory
Post by: wdupreez on Thursday 16 December 2010, 07:22:04 pm

Quote: What privileges must the LDAP_BIND_DN user have?

The only requirement is that the LDAP_BIND_DN user must be able to read user information from AD. Using an account that is part of the "Domain Administrators" security group ("super-user" as per the KB article) is one option, but I wouldn't recommend it, unless you are in a test environment. What I did was to create a user account in AD and then delegate the "Reading all user information" task to the account. Very simple.
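The two configuration values from the first post, worked through as an added example (not Endian's code and not from this thread): it substitutes %(u)s into the sAMAccountName filter, looks the user up, then searches groups by the "member" attribute, against a constructed set of AD-style entries that a read-only bind user would see. The group filter shape, the RFC 4515 escaping of the substituted name, and the sample entries are assumptions; how the firewall itself performs these steps is not shown on the page.

```python
import re

# Values from the first post: AD uses sAMAccountName for the login name and
# "member" (holding DNs) for group membership, instead of uid / uniqueMember.
LDAP_USER_SEARCHFILTER = "(&(sAMAccountName=%(u)s))"
LDAP_GROUP_MEMBERATTRIBUTE = "member"

# Constructed sample entries standing in for what the bind user reads from AD.
AD_ENTRIES = [
    {"dn": "CN=Jane Doe,CN=Users,DC=example,DC=local",
     "objectClass": ["user"], "sAMAccountName": ["jdoe"]},
    {"dn": "CN=vpn-users,CN=Users,DC=example,DC=local",
     "objectClass": ["group"],
     "member": ["CN=Jane Doe,CN=Users,DC=example,DC=local"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here): the login name is matched literally,
    so '*', '(' and ')' in it are never read as filter syntax."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def unescape_filter_value(value):
    """Reverse of escape_filter_value, used when evaluating a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_user_filter(username):
    """Substitute %(u)s exactly as the configuration line does, after escaping."""
    return LDAP_USER_SEARCHFILTER % {"u": escape_filter_value(username)}

def build_group_filter(user_dn):
    """Assumed shape of the group lookup: the member attribute holds the user's DN."""
    return "(&(objectClass=group)(%s=%s))" % (
        LDAP_GROUP_MEMBERATTRIBUTE, escape_filter_value(user_dn))

def search(entries, ldap_filter):
    """Evaluate a conjunction of equality assertions, e.g. (&(a=1)(b=2)),
    over the in-memory entries; returns the matching DNs."""
    assertions = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    return [e["dn"] for e in entries
            if all(unescape_filter_value(v) in e.get(a, []) for a, v in assertions)]

def lookup_groups(entries, username):
    """User search followed by group search; None if the name is unknown or ambiguous."""
    users = search(entries, build_user_filter(username))
    if len(users) != 1:
        return None
    return search(entries, build_group_filter(users[0]))
```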