How to Authenticate OpenVPN against Active Directory

Written by Veritech Administrator
Thursday, 18 February 2010 09:39
This article describes how to configure the OpenVPN server so that it authenticates users against a Windows Active Directory server as well as the local user database. Note that this process is separate from the Active Directory authentication system included with the Endian Proxy service.
Endian have released an article (http://kb.endian.com/entry/64/) that describes LDAP authentication; however, that article is not specific to Active Directory. The following instructions pertain specifically to using an Active Directory (AD) back-end.
It isn't possible to configure AD authentication through the administration graphical interface. Instead, a file needs to be edited on the command line. First, enable the OpenVPN server on the Endian and ensure it works with local accounts. Then edit the file /var/efw/openvpn/settings (it is advisable to make a backup copy of this file first!) and add the following lines to it:
LDAP_BIND_DN=cn=administrator,cn=Users,dc=domainname,dc=local
This is an authorised user that can query the AD. Administrator works well here. The 'dc' components correspond to the Windows AD domain name. Note: it is possible that your AD tree is different and that users are not in the cn=Users subtree; in that case you will need to adjust this string. A good tool to help determine your tree structure is the Softerra LDAP Browser tool.
LDAP_BIND_PASSWORD=administratorpassword
This is the password for the user specified in LDAP_BIND_DN above.
LDAP_URI=ldap://192.168.1.1
This is the IP address of the Active Directory server.
LDAP_USER_BASEDN=cn=Users,dc=domainname,dc=local
This is the tree in AD where the users reside. Including cn=Users makes the search quicker and locates only the relevant users. The same note applies here: if your users are not in the cn=Users subtree, adjust this string to match your tree.
LDAP_USER_SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(SAMAccountName=%(u)s))
This is the search filter used to locate users. The %(u)s placeholder is replaced with the username supplied by the connecting client, and the password is then checked against the matching account.
Save the 'settings' file. Restart the OpenVPN service (from the GUI) and connect using the OpenVPN client. More details on the file options are available at http://kb.endian.com/entry/64/
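To sanity-check the five settings before restarting the service, here is an added example (not Endian's code) that parses a constructed copy of the lines above, renders the search filter for a login name, and reports problems. The RFC 4515 escaping of the username is an assumption for illustration; the page does not say how the service itself treats special characters in the username.

```python
"""Validate Endian-style OpenVPN LDAP settings and render the AD search filter.
Added example, not Endian's code; the settings text below is constructed."""

# Constructed copy of the lines this article adds to /var/efw/openvpn/settings.
SAMPLE_SETTINGS = """\
LDAP_BIND_DN=cn=administrator,cn=Users,dc=domainname,dc=local
LDAP_BIND_PASSWORD=administratorpassword
LDAP_URI=ldap://192.168.1.1
LDAP_USER_BASEDN=cn=Users,dc=domainname,dc=local
LDAP_USER_SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(SAMAccountName=%(u)s))
"""

REQUIRED = ("LDAP_BIND_DN", "LDAP_BIND_PASSWORD", "LDAP_URI",
            "LDAP_USER_BASEDN", "LDAP_USER_SEARCHFILTER")
PLAINTEXT_WARNING = ("LDAP_URI uses plain ldap://: the bind password and each "
                     "user's credentials cross the network unencrypted")

def parse_settings(text):
    """Parse KEY=VALUE lines, splitting on the first '=' only (DNs contain '=')."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here) so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def render_filter(settings, username):
    """Substitute the client's username for the %(u)s placeholder."""
    return settings["LDAP_USER_SEARCHFILTER"] % {"u": escape_filter_value(username)}

def check_settings(settings):
    """Return problems to fix before restarting OpenVPN; an empty list means OK."""
    problems = ["missing " + key for key in REQUIRED if not settings.get(key)]
    if problems:
        return problems
    if "%(u)s" not in settings["LDAP_USER_SEARCHFILTER"]:
        problems.append("LDAP_USER_SEARCHFILTER has no %(u)s placeholder")
    if settings["LDAP_URI"].lower().startswith("ldap://"):
        problems.append(PLAINTEXT_WARNING)
    return problems

if __name__ == "__main__":
    print(render_filter(parse_settings(SAMPLE_SETTINGS), "jsmith"))
```

The bind password sits in clear text in the settings file and in any backup copy you make, so keep both readable by root only.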
Last Updated on Thursday, 18 February 2010 09:56


