
I have OpenVPN installed on Ubuntu 19.04 and I am using the plugin "openvpn-auth-ldap.so" for authentication. I can authenticate users from an Organizational Unit in my Active Directory on Windows Server 2012, but trying to further restrict access to only one group is not possible. The configuration used in the file "auth-ldap.conf" is as follows:

<Authorization>
        BaseDN          "OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(CN=%u)"
        RequireGroup    true
        <Group>
                BaseDN  "OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=<mydomain>,DC=<local>"
                SearchFilter  "(&(objectClass=top;group)(memberOf=CN=<NameofMyGroupVPNUsers> ,OU=<MyOUWhereisMyGroupWithVPNUsers>,DC=mydomain,DC=local))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

Any idea how this configuration should go? I just want a group defined in my Active Directory to have access to my OpenVPN server, not an entire OU.

  • So right now, under that configuration, users can successfully log onto the VPN, but removing them from the *NameofMyGroupVPNUsers* results in them continuing to have access to the VPN, correct? – T-Heron Jul 26 '20 at 13:57
  • For that to work I have to change SearchFilter to "(samaccountname=%u)" and change RequireGroup to false; the problem is when I try to restrict access by group in my AD. – Arturo Díaz Jul 26 '20 at 23:01
  • This is unclear. Please edit your question to show the working configuration, and the non-working configuration and clearly label both of these. – T-Heron Jul 26 '20 at 23:52

2 Answers

I think you misunderstood how the LDAP configuration works.

The first section allows you to search for the users; the second allows you to further filter the users based on their group membership.

So you should be able to do what you want with either of these two configurations:

<Authorization>
        BaseDN          "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(&(samaccountname=%u)(memberOf=<DN_of_the_group>))"
        RequireGroup    false
</Authorization>

or

<Authorization>
        BaseDN          "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(samaccountname=%u)"
        RequireGroup    true
        <Group>
                BaseDN  "<FULL DN OF YOUR GROUP>"
                SearchFilter  "(objectClass=group)"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

If the second doesn't work, try this:

<Authorization>
        BaseDN          "OU=<where_users_accounts_are>,DC=<mydomain>,DC=<local>"
        SearchFilter    "(samaccountname=%u)"
        RequireGroup    true
        <Group>
                BaseDN  "OU=<where_group_vpn_is>,DC=<mydomain>,DC=<local>"
                SearchFilter  "(&(objectClass=group)(cn=<CN_OF_THE_GROUP>))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

The problem was in the connection to LDAP: I had to specify port 3268 and not the default.

The full file looks like this:

<LDAP>
        URL             ldap://myip:3268
        BindDN          "CN=myuser,OU=MyOU,DC=my,DC=domain"
        Password        myuserpass
        Timeout         30
        TLSEnable       no
        FollowReferrals yes
</LDAP>

<Authorization>
        BaseDN          "DC=my,DC=domain"
        SearchFilter    "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        RequireGroup    true
        <Group>
                BaseDN          "OU=MyOU,DC=my,DC=domain"
                SearchFilter    "(cn=NameofGroupwithAccess)"
                MemberAttribute "member"
        </Group>
</Authorization>
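Both answers rely on the same two-stage check: the `<Authorization>` SearchFilter (with `%u` replaced by the login name) must find the user, and, when RequireGroup is true, the `<Group>` section must find the group and the group's MemberAttribute must list that user. The script below is an added, offline model of that logic written for this page; it is not the plugin's code and not taken from either answer. It implements a small evaluator for just the filter features the configurations above use (`&`, `!`, equality, and the bitwise-AND matching rule 1.2.840.113556.1.4.803) and runs it over a constructed directory snapshot (made-up domain example.local, users alice/bob/carol, group VPNUsers). Modelling assumptions: the group stage compares MemberAttribute values against the user's DN, the login name is RFC 4515-escaped before substitution, and attribute names and DNs compare case-insensitively. It shows why the accepted answer's userAccountControl clause drops disabled accounts, why MemberAttribute has to be `member` rather than `uniqueMember` for Active Directory groups, and that the first answer's single-stage `memberOf` filter reaches the same decision for enabled users.

```python
# Added offline model of the two-stage auth-ldap authorization; constructed data, not the plugin's code.

ACCOUNTDISABLE = 0x2                       # userAccountControl bit set on disabled accounts
BIT_AND_RULE = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
GROUP_DN = "CN=VPNUsers,OU=Groups,DC=example,DC=local"

DIRECTORY = {  # constructed snapshot (domain example.local); every attribute is multi-valued
    "CN=alice,OU=Users,DC=example,DC=local": {"objectClass": ["top", "person", "user"],
        "sAMAccountName": ["alice"], "userAccountControl": ["512"], "memberOf": [GROUP_DN]},
    "CN=bob,OU=Users,DC=example,DC=local": {"objectClass": ["top", "person", "user"],
        "sAMAccountName": ["bob"], "userAccountControl": ["512"], "memberOf": []},
    "CN=carol,OU=Users,DC=example,DC=local": {"objectClass": ["top", "person", "user"],
        "sAMAccountName": ["carol"], "userAccountControl": [str(512 | ACCOUNTDISABLE)],
        "memberOf": [GROUP_DN]},                    # disabled, but still listed in the group
    GROUP_DN: {"objectClass": ["top", "group"], "cn": ["VPNUsers"],
        # AD groups hold their members in "member"; they have no "uniqueMember".
        "member": ["CN=alice,OU=Users,DC=example,DC=local",
                   "CN=carol,OU=Users,DC=example,DC=local"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at pos; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if text[pos] == "&":                                # (&(...)(...))
        pos, items = pos + 1, []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            items.append(node)
        return ("&", items), pos + 1
    if text[pos] == "!":                                # (!(...))
        node, pos = parse_filter(text, pos + 1)
        return ("!", node), pos + 1
    end = text.index(")", pos)                          # (attr=value) or (attr:rule:=value)
    lhs, _, value = text[pos:end].partition("=")
    rule = None
    if lhs.endswith(":"):
        lhs, rule = lhs[:-1].split(":", 1)
    return ("=", lhs, rule, value), end + 1

def attr_values(entry, name):
    return [v for k, vs in entry.items() if k.lower() == name.lower() for v in vs]  # names are case-insensitive

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    values = attr_values(entry, attr)
    if rule == BIT_AND_RULE:                            # true when every bit of value is set
        return any((int(v) & int(value)) == int(value) for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return any(v.lower() == value.lower() for v in values)

def search(base_dn, filter_text):
    node, _ = parse_filter(filter_text)                 # subtree search under base_dn
    base = base_dn.lower()
    return [dn for dn, entry in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(node, entry)]

def authorize(username, conf):
    """Return (allowed, reason) for one login under an auth-ldap style config dict."""
    users = search(conf["BaseDN"], conf["SearchFilter"].replace("%u", escape_filter_value(username)))
    if len(users) != 1:                                 # stage 1: exactly one user entry
        return False, "user lookup matched %d entries" % len(users)
    if not conf.get("RequireGroup", False):
        return True, "user found; no group check configured"
    group = conf["Group"]                               # stage 2: user DN listed in MemberAttribute
    for group_dn in search(group["BaseDN"], group["SearchFilter"]):
        if users[0].lower() in [m.lower() for m in attr_values(DIRECTORY[group_dn], group["MemberAttribute"])]:
            return True, "listed in %s of %s" % (group["MemberAttribute"], group_dn)
    return False, "not listed in %s of any matching group" % group["MemberAttribute"]

# Second answer's config on the constructed domain: exclude disabled accounts, then check "member".
CONF_GROUP_MEMBER = {
    "BaseDN": "DC=example,DC=local",
    "SearchFilter": "(&(sAMAccountName=%u)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "RequireGroup": True,
    "Group": {"BaseDN": "OU=Groups,DC=example,DC=local", "SearchFilter": "(cn=VPNUsers)",
              "MemberAttribute": "member"},
}
# Same, but with the question's MemberAttribute: AD groups have no uniqueMember, so nobody passes.
CONF_GROUP_UNIQUEMEMBER = dict(CONF_GROUP_MEMBER,
                               Group=dict(CONF_GROUP_MEMBER["Group"], MemberAttribute="uniqueMember"))
# First answer's single-stage variant: group membership tested inside the user filter.
CONF_MEMBEROF = {"BaseDN": "OU=Users,DC=example,DC=local", "RequireGroup": False,
                 "SearchFilter": "(&(sAMAccountName=%u)(memberOf=" + GROUP_DN + "))"}

if __name__ == "__main__":                              # stand-alone demo
    for name in ("alice", "bob", "carol"):
        print(name, authorize(name, CONF_GROUP_MEMBER), authorize(name, CONF_MEMBEROF))
```

Running it, alice is allowed under both configurations, bob is refused in stage 2 (found, but not in `member`), and carol never reaches stage 2 because the `!(userAccountControl:1.2.840.113556.1.4.803:=2)` clause removes her at stage 1 even though the group still lists her. Swapping `member` for `uniqueMember` refuses everyone, which is the failure mode the question's configuration would produce against AD.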