OpenVPN Cloud can be configured to use private LDAP authentication. This means that the LDAP server is positioned in your private network, and your users authenticate with the OpenVPN Connect app using their LDAP username and password credentials.
Prerequisites
Before you can set up private LDAP authentication, you must first either configure a network and connector with the same subnet as the LDAP server, or create a host that has a connector that is installed on the LDAP server. Network and host connectors provide an always-on link between the VPN and your network. In this case, a connector allows your users to authenticate with your private LDAP server and sign in to the OpenVPN Connect app.
If you are routing VPN traffic to and from your network to multiple servers and services and not just an LDAP server, you should create a network. If you are only using VPN tunneling for LDAP authentication, you should create a host.
To create a network:
1. Select Connect private and public networks to OpenVPN Cloud and click Next.
2. Enter the network name.
3. Using CIDR notation, add the network subnet that your LDAP server is located in.
4. Mandatory: You must add and launch a connector to allow authentication traffic to flow to and from the LDAP server. For further information on installing a connector, refer to: Connecting Networks to OpenVPN Cloud Using Connectors.

To create a host:
1. Add a host record, including a name that helps to define its purpose.
2. Mandatory: You must add and launch a connector to allow authentication traffic to flow to and from the LDAP server. For further information on installing a connector, refer to: Connecting Networks to OpenVPN Cloud Using Connectors.
Access Settings > User Authentication and click Edit.
In the Authenticate Users Using section, click Configure under Private LDAP.
Enter your LDAP server parameters, noting that fields marked with an asterisk are mandatory.
Bind DN
The distinguished name of the object that OpenVPN Cloud binds to on the LDAP server to obtain permission to authenticate. In this case, the Bind DN is the user trying to authenticate. The Bind DN is required if anonymous binding is disabled on the LDAP server.
Password
A password is required if anonymous binding is disabled on the LDAP server.
Base DN for search
The starting point that an LDAP server uses when searching your directory for users to authenticate.
Username Attribute
Used for the OpenVPN Cloud account username.
UserGroup Attribute
Used for the OpenVPN Cloud user group name.
First Name Attribute
Used as a first name for an OpenVPN Cloud user account.
Last Name Attribute
Used as a last name for an OpenVPN Cloud user account.
Email Attribute
Used as an email address for an OpenVPN Cloud user account.
If your LDAP server is configured to use anonymous binding, you only need to enter a Base DN. Check your LDAP server to ensure that the ANONYMOUS LOGON built-in security principal has propagated to your user group container (for example, Users) and all of its descendant objects.
Note that the Username and UserGroup attributes are required.
WARNING: At the time of publication, OpenVPN Cloud doesn’t support usernames that include a space character. Usernames with a space character are imported into OpenVPN Cloud, but can’t be configured, edited, or deleted.
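How these parameters are used during a login, as an added example that is not part of the original page or of OpenVPN Cloud's own code. The in-memory MockDirectory, the attribute names (uid, memberOf, givenName, sn, mail), the example.internal distinguished names and the two-step bind sequence (configured Bind DN first, then the user's own entry) are all assumptions of the example. The part worth keeping from it is escape_filter_value: the login name is placed inside a search filter, and RFC 4515 escaping is what keeps a username containing filter metacharacters from widening the match.

```python
"""Added example (not OpenVPN's code): how the private LDAP parameters drive a
login, against an in-memory directory so it runs offline. Flow: bind with the
Bind DN and Password (or anonymously), search under the Base DN for the one
entry whose Username Attribute equals the login name, verify the user's own
password with a second bind, then fill the OpenVPN Cloud account fields."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]          # attribute name -> values

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    Unescaped, a login name such as "*" or "x)(uid=*" rewrites the filter
    (LDAP injection); escaped, it can only match literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

@dataclass
class LdapConfig:
    base_dn: str                    # Base DN for search
    username_attribute: str         # required
    usergroup_attribute: str        # required
    bind_dn: Optional[str] = None   # needed unless anonymous binding is enabled
    password: Optional[str] = None
    first_name_attribute: str = "givenName"
    last_name_attribute: str = "sn"
    email_attribute: str = "mail"

class MockDirectory:
    """Stand-in for an LDAP server: entries keyed by DN, one password per DN,
    and a single equality filter "(attr=value)" with LDAP-style wildcards."""

    def __init__(self, entries: Dict[str, Entry], passwords: Dict[str, str],
                 anonymous_bind: bool):
        self.entries, self.passwords, self.anonymous_bind = entries, passwords, anonymous_bind

    def bind(self, dn: Optional[str], password: Optional[str]) -> bool:
        if dn is None:                  # anonymous bind request
            return self.anonymous_bind
        # An empty password is never success: real servers may accept it as an
        # "unauthenticated" bind that succeeds without checking anything.
        return bool(password) and self.passwords.get(dn) == password

    def search(self, base_dn: str, ldap_filter: str) -> List[Tuple[str, Entry]]:
        attr, _, raw = ldap_filter.strip("()").partition("=")
        # Filter value -> regex: "*" is a wildcard, "\xx" a hex-escaped literal
        # character, anything else matches itself.
        pattern, i = "", 0
        while i < len(raw):
            if raw[i] == "*":
                pattern, i = pattern + ".*", i + 1
            elif raw[i] == "\\":
                pattern, i = pattern + re.escape(chr(int(raw[i + 1:i + 3], 16))), i + 3
            else:
                pattern, i = pattern + re.escape(raw[i]), i + 1
        regex = re.compile(pattern, re.IGNORECASE)
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and any(regex.fullmatch(v) for v in attrs.get(attr, []))]

def authenticate(directory: MockDirectory, cfg: LdapConfig,
                 login: str, login_password: str) -> Optional[dict]:
    """Return the OpenVPN Cloud account fields for a valid login, else None."""
    # 1. Bind with the Bind DN and Password, or anonymously when the server
    #    allows it (otherwise: "authentication method is not supported").
    if not directory.bind(cfg.bind_dn, cfg.password):
        return None
    # 2. Exactly one entry under the Base DN must match the escaped login name.
    hits = directory.search(
        cfg.base_dn, f"({cfg.username_attribute}={escape_filter_value(login)})")
    if len(hits) != 1:
        return None
    user_dn, attrs = hits[0]
    # 3. Prove the user knows their own password by binding as that entry.
    if not directory.bind(user_dn, login_password):
        return None

    def one(name: str) -> str:          # first value of an attribute, or ""
        return attrs.get(name, [""])[0]
    return {"username": one(cfg.username_attribute),
            "groups": attrs.get(cfg.usergroup_attribute, []),
            "first_name": one(cfg.first_name_attribute),
            "last_name": one(cfg.last_name_attribute),
            "email": one(cfg.email_attribute)}

# Constructed sample directory and configuration; not from any real deployment.
SVC_DN = "cn=svc-openvpn,ou=Service,dc=example,dc=internal"
USERS = "ou=Users,dc=example,dc=internal"
DIRECTORY = MockDirectory(
    entries={SVC_DN: {"cn": ["svc-openvpn"]},
             f"uid=jdoe,{USERS}": {"uid": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
                                   "mail": ["jdoe@example.internal"],
                                   "memberOf": ["cn=vpn-users,ou=Groups,dc=example,dc=internal"]},
             f"uid=asmith,{USERS}": {"uid": ["asmith"], "givenName": ["Al"], "sn": ["Smith"],
                                     "mail": ["asmith@example.internal"], "memberOf": []}},
    passwords={SVC_DN: "svc-secret", f"uid=jdoe,{USERS}": "jdoe-pass",
               f"uid=asmith,{USERS}": "asmith-pass"},
    anonymous_bind=False)
CONFIG = LdapConfig(base_dn=USERS, username_attribute="uid",
                    usergroup_attribute="memberOf", bind_dn=SVC_DN, password="svc-secret")
```

With the sample directory, `authenticate(DIRECTORY, CONFIG, "jdoe", "jdoe-pass")` returns Jane Doe's account fields, a wrong or empty password returns None, and a login of `*` also returns None because the escaped filter `(uid=\2a)` only matches a literal asterisk; the unescaped filter `(uid=*)` would match every entry under the Base DN, which is why the escaping step is not optional. The service account sits outside the Base DN on purpose: the search only ever returns user entries.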
Specify the IP address or hostname of your LDAP Server.
Primary LDAP Server
The LDAP server IP address or hostname. If connectivity to the LDAP server is being routed through a network, the LDAP server IP address must belong to the same subnet as the network. If connectivity to the LDAP server is being routed through a host, you must enter the host connector VPN IP address.
LDAP Server Connected To
If you use a hostname for the LDAP server, you must select the network or host from the drop-down list. Note: You must ensure that the LDAP server hostname is correctly resolved by your DNS server.
Port
LDAP uses its own network port for client-server connections. The default port for plain LDAP is 389; LDAPS uses port 636 and establishes TLS/SSL as soon as a client connects.
Public Certificate
The LDAP server's SSL/TLS certificate, used to secure the connection when LDAPS is in use. OpenVPN Cloud supports SSL certificates in the PEM format with .crt, .pem, .cer, and .key file extensions.
Click Add Secondary LDAP Server if you are using LDAP server clustering and want to configure an additional LDAP server.
Test your LDAP server connectivity once you have finished configuration.
Steps: Set up User Group mapping
After you have completed the LDAP server configuration, you can set up mapping between your LDAP user groups and the user groups in OpenVPN Cloud.
If you enable the LDAP parameter User Group Sync, the User Group value is set according to your LDAP configuration.
Add Rule
You can add a mapping rule to match LDAP user groups and OpenVPN Cloud user groups.
LDAP User Group(s)
The user groups in your LDAP directory.
OpenVPN Cloud User Groups
The user groups in your OpenVPN Cloud account.
Any users from your LDAP user groups that aren’t mapped to an OpenVPN Cloud User Group are assigned to the default OpenVPN Cloud user group. You can specify the default OpenVPN Cloud user group with the drop-down list.
Note: At the time of publication, user group mapping is not available for the Microsoft Active Directory Domain Users user group.
Once you have completed the user group mapping configuration, click Save And Enable LDAP Auth to enable user authentication with LDAP.
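How the mapping rules above resolve a user's group, as an added example that is not OpenVPN Cloud's own code. The rule shape (a list of LDAP group names mapped to one OpenVPN Cloud group), first-matching-rule precedence, case-insensitive comparison and the handling of DN-valued group attributes such as memberOf are assumptions of the example; the page documents only the rule, the default group and the Domain Users exclusion.

```python
"""Added example (not OpenVPN's code): applying user group mapping rules.
Each rule maps one or more LDAP user groups to one OpenVPN Cloud user group.
A user's UserGroup Attribute may carry several values, often full group DNs.
The first rule, in configured order, that names any of the user's groups wins;
users matching no rule get the default group. Precedence, case folding and DN
handling are this example's assumptions, not documented behaviour."""
from typing import Dict, List, Sequence, Tuple

# A rule is (LDAP user group names, OpenVPN Cloud user group name).
Rule = Tuple[Sequence[str], str]

# Per the note above, the Active Directory Domain Users group cannot be mapped.
UNSUPPORTED_GROUPS = {"domain users"}

def group_name(value: str) -> str:
    """Reduce a DN-valued group attribute (cn=vpn-users,ou=Groups,...) to the
    value of its first RDN; a bare group name is returned unchanged."""
    first_rdn = value.split(",", 1)[0]
    return (first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn).strip()

def check_rules(rules: Sequence[Rule]) -> List[str]:
    """Return one warning per rule that names an unsupported LDAP group."""
    return [f"rule for {cloud!r} references unsupported group {g!r}"
            for ldap_groups, cloud in rules for g in ldap_groups
            if g.lower() in UNSUPPORTED_GROUPS]

def map_user_group(ldap_groups: Sequence[str], rules: Sequence[Rule],
                   default_group: str) -> str:
    """Pick the OpenVPN Cloud user group for a user with the given LDAP groups."""
    names = {group_name(g).lower() for g in ldap_groups}
    for ldap_names, cloud_group in rules:
        if any(n.lower() in names and n.lower() not in UNSUPPORTED_GROUPS
               for n in ldap_names):
            return cloud_group
    return default_group          # unmapped users land in the default group

# Constructed sample rules and users; not from any real deployment.
RULES: List[Rule] = [
    (["vpn-admins"], "Administrators"),
    (["vpn-users", "contractors"], "VPN Users"),
]
DEFAULT_GROUP = "Default"
SAMPLE_USERS: Dict[str, List[str]] = {
    "jdoe": ["cn=vpn-users,ou=Groups,dc=example,dc=internal"],
    "admin": ["cn=vpn-admins,ou=Groups,dc=example,dc=internal",
              "cn=vpn-users,ou=Groups,dc=example,dc=internal"],
    "guest": ["CN=Domain Users,CN=Users,DC=example,DC=internal"],
}

def assign_all(users: Dict[str, List[str]] = SAMPLE_USERS,
               rules: Sequence[Rule] = RULES,
               default: str = DEFAULT_GROUP) -> Dict[str, str]:
    """Resolve every sample user to an OpenVPN Cloud user group."""
    return {user: map_user_group(groups, rules, default) for user, groups in users.items()}
```

`assign_all()` places jdoe in VPN Users, the admin user (who is in both groups) in Administrators because that rule is listed first, and the guest, whose only group is Domain Users, in the default group. `check_rules` is the sanity check to run before saving: a rule that names Domain Users will never match, so it is better flagged than silently ignored.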
Troubleshooting: Error messages during configuration
Error message: Cannot resolve domain name. Check your DNS Server configuration.
Resolution: Check that the hostname and DNS server information is correct.

Error message: Cannot reach LDAP Server. Check your LDAP Server parameters and that LDAP Server is connected to VPN.
Resolution: Check that the LDAP server port is correct, that it’s not closed on the LDAP server, and that it’s not blocked by a firewall.

Error message: The authentication method is not supported by LDAP. Check your LDAP Server anonymous access.
Resolution: Check that anonymous binding has been enabled on the LDAP server.

Error message: Credentials are invalid. Check your Bind DN and Password.
Resolution: Check that the LDAP server Bind DN and password information is correct.
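The checks behind the first two error messages, as an added example that is not OpenVPN Cloud's own connectivity test; run it from a machine on the LDAP server's subnet (or on the host connector) to separate a DNS problem from a closed or firewalled port before retrying the configuration test. Only Python's socket and ssl modules are used. The stage names and messages are constructed to line up with the errors above, the assumption that port 636 means LDAPS follows the Port description earlier, and ca_file is assumed to be the PEM public certificate uploaded in the server settings.

```python
"""Added example (not OpenVPN's code): reproduce, from a machine on the LDAP
server's subnet, the checks behind the error messages above. Stages: DNS
resolution of the hostname, a TCP connection to the LDAP port and, for LDAPS,
a TLS handshake validated against the uploaded public certificate (PEM file).
The Bind DN and password stage is not covered here."""
import socket
import ssl
from typing import Dict, Optional, Tuple

def check_ldap_connectivity(host: str, port: int = 389, ca_file: Optional[str] = None,
                            use_tls: Optional[bool] = None,
                            timeout: float = 3.0) -> Tuple[str, str]:
    """Return (stage, detail): stage is "ok" or the first stage that failed
    ("dns", "tcp" or "tls"), in the order the error messages above appear."""
    if use_tls is None:
        use_tls = port == 636          # LDAPS; plain LDAP and StartTLS use 389
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return "dns", f"Cannot resolve domain name {host!r}: {exc}"
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"Cannot reach LDAP Server {ip}:{port}: {exc} (port closed or firewalled?)"
    with sock:
        if not use_tls:
            return "ok", f"TCP connection to {ip}:{port} succeeded"
        # Validate the server certificate against the uploaded public certificate
        # (or the system trust store when ca_file is None) and check the hostname.
        ctx = ssl.create_default_context(cafile=ca_file)
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", f"LDAPS handshake with {host}:{port} succeeded ({tls.version()})"
        except OSError as exc:         # ssl.SSLError is a subclass of OSError
            return "tls", f"TLS handshake with {host}:{port} failed: {exc} (check the public certificate)"

def run_self_check() -> Dict[str, str]:
    """Offline demonstration: a listening local socket reports "ok"; the same
    port reports "tcp" once the listener is closed (connection refused)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))        # OS-assigned free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = check_ldap_connectivity("127.0.0.1", port, use_tls=False)[0]
    listener.close()
    after_close = check_ldap_connectivity("127.0.0.1", port, use_tls=False)[0]
    return {"listening": while_listening, "closed": after_close}

if __name__ == "__main__":
    print(run_self_check())
    # Against a real server: check_ldap_connectivity("ldap.example.internal", 636,
    # ca_file="/path/to/ldap-public-cert.pem")
```

A "dns" result points at the DNS server the connector uses, a "tcp" result at the port or a firewall between the connector and the LDAP server, and a "tls" result at a certificate that does not match the hostname or was not the one uploaded; each of those maps to one of the error messages above, so the stage tells you which part of the configuration to revisit.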