OpenVPN LDAP User Group in Windows Active Directory

Submitted by crowbar on Tue, 01/06/2015 - 14:54

Recently I had to setup an OpenVPN server with user account details coming from Windows Server Active Directory (as LDAP). The OpenVPN server would be in Amazon's AWS (EC2). Using the walkthrough (https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon...) on the OpenVPN site got the basic server up very quickly. OpenVPN also has a guide (https://openvpn.net/index.php/access-server/docs/admin-guides/190-how-to...) on setting up LDAP authentication. As soon as I started setting up the LDAP authentication, things divered from the documentation.

The first item was the bind credentials for the OpenVPN server. In the guide it shows "domain\administrator." I found this would not work for me. I was using OpenVPN 2.0.11 (The newest as of Jan 2015). I had to create a new user in Active Directory, make the user a member of the Administrators group and ensure they had a user@domain.org login.

Using the newly created user I was able to authenticate against my AD server. One note here, I tested LDAP to the OpenVPN server by using ldapsearch from a SSH (putty) session. Like this:

ldapsearch -x -h domain-controller.domain.org -D "binduser@domain.org" -W -b "cn=users,dc=domain,dc=org" -s sub "(cn=*)" cn mail sn

When prompted, enter the password for the bind user. You should see a listing of all user accounts in the domain. With this test I knew the OpenVPN server had connectivity to the Windows server and the necessary ports were open for LDAP authentication.

Now that users could authenticate against Windows AD, I wanted to require membership in a specific group to be able to use the VPN. To accomplish I created a new group in AD within the User Groups folder (OU=User Groups). I added each user to my new group (lets call it "VPN Users"). Right in the OpenVPN server configuration it shows an example of:

memberOf=CN=VPN Users, CN=Users, DC=example, DC=net

Changing the DC= parts to the correct information did not work. After much searching and some trial and error, I came up with a line that did work:

memberOf=CN=VPN Users, OU=User Groups, DC=domain, DC=org

WIth this setting in the Advanced LDAP field I can control access to the VPN based on group membership in the "VPN Users" group.

Tags: