Welcome, Guest. Please login or register.
Did you miss your activation email?
Saturday 02 November 2024, 06:35:34 am

Login with username, password and session length

Download the latest community FREE version  HERE
14248 Posts in 4376 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  VPN Support
| | |-+  OpenVPN authenticate against Windows Server 2008 Active Directory
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: OpenVPN authenticate against Windows Server 2008 Active Directory  (Read 22445 times)
wdupreez
Full Member
***
Offline Offline

Posts: 12


« on: Wednesday 03 November 2010, 08:07:42 pm »

I thought I'd share my experience after battling to get this to work for a long time.

To get OpenVPN to authenticate against Windows Server 2008 Active Directory, follow the KB article (kb.endian.com/entry/64), but with the following exceptions:

1. In the LDAP_USER_SEARCHFILTER value, substitute "uid" with "sAMAccountName", and remove the "loginShell" filter, eg.

Code:
LDAP_USER_SEARCHFILTER=(&(sAMAccountName=%(u)s))

2. In the LDAP_GROUP_MEMBERATTRIBUTE value, substitute "uniqueMember" with "member", eg.

Code:
LDAP_GROUP_MEMBERATTRIBUTE=member

My final configuration looks something like this:

Code:
AUTH_TYPE=certpsk
CLIENT_TO_CLIENT=on
DOMAIN=corp.mydomain.com
DROP_DHCP=on
GLOBAL_DNS=192.168.1.20
OPENVPN_ENABLED=on
PURPLECLIENT_BEGIN_DEVICE=tap2
PURPLE_DEVICE=tap0
PURPLE_IP_BEGIN=192.168.1.200
PURPLE_IP_END=192.168.1.210
PUSH_DOMAIN=on
PUSH_GLOBAL_DNS=on
PUSH_GLOBAL_NETWORKS=
AUTHENTICATION_STACK=ldap,local
LDAP_URI=ldap://192.168.1.20
LDAP_BIND_DN=cn=MyAccount,ou=UserAccounts,dc=corp,dc=mydomain,dc=com
LDAP_BIND_PASSWORD=123456
LDAP_USER_BASEDN=ou=UserAccounts,dc=corp,dc=mydomain,dc=com
LDAP_USER_SEARCHFILTER=(&(sAMAccountName=%(u)s)(objectCategory=person)(objectClass=user))
LDAP_REQUIRE_GROUP=on
LDAP_GROUP_BASEDN=ou=UserAccounts,dc=corp,dc=mydomain,dc=com
LDAP_GROUP_SEARCHFILTER=(cn=VPN Users)
LDAP_GROUP_MEMBERATTRIBUTE=member

Logged
leso
Jr. Member
*
Offline Offline

Posts: 5


« Reply #1 on: Wednesday 15 December 2010, 08:48:45 am »

Thank you for your feedback , did you use endian community ver 2.4.1?

Logged
wdupreez
Full Member
***
Offline Offline

Posts: 12


« Reply #2 on: Wednesday 15 December 2010, 08:08:28 pm »

I use 2.4 - IMO there are way too many issues outstanding on 2.4.1 to use it in a production environment.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #3 on: Thursday 16 December 2010, 09:23:46 am »

The LDAP_BIND_DN user what priviliges must have?
Logged
wdupreez
Full Member
***
Offline Offline

Posts: 12


« Reply #4 on: Thursday 16 December 2010, 07:22:04 pm »

The LDAP_BIND_DN user what priviliges must have?

The only requirement is that the LDAP_BIND_DN user must be able to read user information from AD. Using an account that is part of the "Domain Administrators" security group ("super-user" as per the KB article) is one option, but I won't recommended it, unless you are in a test environment.

What I did was to create a user account in AD and then delegate the "Reading all user information" task to the account. Very simple.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.047 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com