User Guide - Private LDAP Authentication

Overview

OpenVPN Cloud can be configured to use private LDAP authentication. This means that the LDAP server is positioned in your private network, and your users authenticate with the OpenVPN Connect app using their LDAP username and password credentials.

Prerequisites

Before you can set up private LDAP authentication, you must first either configure a network and connector with the same subnet as the LDAP server, or create a host that has a connector that is installed on the LDAP server. Network and host connectors provide an always-on link between the VPN and your network. In this case, a connector allows your users to authenticate with your private LDAP server and sign in to the OpenVPN Connect app.

If you are routing VPN traffic to and from your network to multiple servers and services and not just an LDAP server, you should create a network. If you are only using VPN tunneling for LDAP authentication, you should create a host.

Steps: Create a network

  1. Sign in to the OpenVPN Cloud administration portal at https://cloud.openvpn.com
  2. Access Networks and click Create Network.
  3. Select Connect private and public networks to OpenVPN Cloud and click Next.
  4. Enter the network name.
  5. Using CIDR notation, add the network subnet that your LDAP server is located in.
  6. Mandatory: You must add and launch a connector to allow authentication traffic to flow to and from the LDAP server. For further information on installing a connector, refer to: Connecting Networks to OpenVPN Cloud Using Connectors.

Steps: Create a host

  1. Sign in to the OpenVPN Cloud administration portal at https://cloud.openvpn.com
  2. Access Hosts and click Create Host.
  3. Add a host record, including a name that helps to define its purpose.
  4. Mandatory: You must add and launch a connector to allow authentication traffic to flow to and from the LDAP server. For further information on installing a connector, refer to: Connecting Networks to OpenVPN Cloud Using Connectors.

Steps: Add your LDAP server to OpenVPN Cloud

  1. Sign in to the OpenVPN Cloud administration portal at https://cloud.openvpn.com.
  2. Access Settings > User Authentication and click Edit.
  3. In the Authenticate Users Using section, click Configure under Private LDAP.
  4. Enter your LDAP server parameters, noting that fields marked with an asterisk are mandatory.
     Bind DN: An object that you bind to in the LDAP server that gives you permission to authenticate. In this case, the Bind DN is the user trying to authenticate. The Bind DN is required if anonymous binding is disabled on the LDAP server.
     Password: A password is required if anonymous binding is disabled on the LDAP server.
     Base DN for search: The starting point that an LDAP server uses when searching your directory for users to authenticate.
     Username Attribute: Used for the OpenVPN Cloud account username.
     UserGroup Attribute: Used for the OpenVPN Cloud user group name.
     First Name Attribute: Used as the first name for an OpenVPN Cloud user account.
     Last Name Attribute: Used as the last name for an OpenVPN Cloud user account.
     Email Attribute: Used as the email address for an OpenVPN Cloud user account.
  • If your LDAP server is configured to use anonymous binding, you only need to enter a Base DN. Check your LDAP server to ensure that the ANONYMOUS LOGON built-in security principal has propagated to your user group container (for example, Users) and all of its descendant objects.
  • Note that the Username and UserGroup attributes are required.
WARNING: At the time of publication, OpenVPN Cloud doesn’t support usernames that include a space character. Usernames with a space character are imported into OpenVPN Cloud, but can’t be configured, edited, or deleted.
  5. Specify the IP address or hostname of your LDAP server.
     Primary LDAP Server: The LDAP server IP address or hostname. If connectivity to the LDAP server is being routed through a network, the LDAP server IP address must belong to the same subnet as the network. If connectivity to the LDAP server is being routed through a host, you must enter the host connector VPN IP address.
     LDAP Server Connected To: If you use a hostname for the LDAP server, you must select the network or host from the drop-down list. Note: You must ensure that the LDAP server hostname is correctly resolved by your DNS server.
     Port: LDAP uses its own distinct network port to connect clients and servers. The default port for LDAP is port 389, but LDAPS uses port 636 and establishes TLS/SSL upon connection with a client.
     Public Certificate: SSL certificate. OpenVPN Cloud supports SSL certificates in the PEM format with .crt, .pem, .cer, and .key file extensions.
  6. Click Add Secondary LDAP Server if you are using LDAP server clustering and want to configure an additional LDAP server.
  7. Test your LDAP server connectivity once you have finished the configuration.
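The following is an added example (not code from the guide or from OpenVPN) that checks the server parameters above for the consistency rules the guide states before you click Save: mandatory attributes, Bind DN and password when anonymous binding is off, an IP that belongs to the network subnet when routing through a network, a hostname that has a Connected To selection, and a PEM certificate with an accepted extension. The dictionary keys and the rule that LDAPS on port 636 needs a certificate are assumptions of this example.

```python
import ipaddress

CERT_EXTENSIONS = (".crt", ".pem", ".cer", ".key")  # PEM file extensions the guide lists
REQUIRED = ("base_dn", "username_attribute", "user_group_attribute")

def validate_ldap_settings(cfg):
    """Return a list of problems found in a Private LDAP configuration.

    cfg keys are hypothetical names for the form fields described in this guide."""
    problems = [f"{key} is mandatory" for key in REQUIRED if not cfg.get(key)]
    if not cfg.get("anonymous_bind") and not (cfg.get("bind_dn") and cfg.get("password")):
        problems.append("anonymous binding is disabled: Bind DN and Password are required")
    server = cfg.get("primary_server", "")
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        ip = None  # a hostname; your DNS server must resolve it
    if ip is None:
        if not cfg.get("connected_to"):
            problems.append("hostname used: select the network or host it is connected to")
    elif cfg.get("route") == "network":
        # Routed through a network: the server IP must belong to that network's subnet.
        subnet = ipaddress.ip_network(cfg["network_subnet"], strict=False)
        if ip not in subnet:
            problems.append(f"{ip} is not inside the network subnet {subnet}")
    port = cfg.get("port", 389)  # 389 for LDAP, 636 for LDAPS
    cert = cfg.get("certificate")
    if port == 636 and not cert:
        problems.append("LDAPS on port 636 needs the server's public certificate")
    if cert:
        if not cert["filename"].lower().endswith(CERT_EXTENSIONS):
            problems.append(f"unsupported certificate file extension: {cert['filename']}")
        if "-----BEGIN CERTIFICATE-----" not in cert["data"]:
            problems.append("certificate is not PEM encoded")
    return problems

# Constructed example: LDAPS server reached through a network whose subnet is 10.20.0.0/24.
EXAMPLE = {
    "route": "network", "network_subnet": "10.20.0.0/24",
    "primary_server": "10.20.1.5", "port": 636, "certificate": None,
    "anonymous_bind": False, "bind_dn": "CN=vpn-bind,OU=Service,DC=corp,DC=example",
    "password": "placeholder-password", "base_dn": "DC=corp,DC=example",
    "username_attribute": "sAMAccountName", "user_group_attribute": "memberOf",
}

if __name__ == "__main__":
    for problem in validate_ldap_settings(EXAMPLE):
        print("problem:", problem)
```

Run as-is, the constructed example reports two problems: the server address is outside the network subnet, and LDAPS is selected without a certificate.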

Steps: Set up User Group mapping

After you have completed the LDAP server configuration, you can set up mapping between your LDAP user groups and the user groups in OpenVPN Cloud.

If you enable the LDAP parameter User Group Sync, the User Group value is set according to your LDAP configuration.

Add Rule: You can add a mapping rule to match LDAP user groups to OpenVPN Cloud user groups.
LDAP User Group(s): The user groups in your LDAP directory.
OpenVPN Cloud User Groups: The user groups in your OpenVPN Cloud account.

Any users from your LDAP user groups that aren’t mapped to an OpenVPN Cloud User Group are assigned to the default OpenVPN Cloud user group. You can specify the default OpenVPN Cloud user group with the drop-down list.

Note: At the time of publication, user group mapping is not available for the Microsoft Active Directory Domain Users user group.

Once you have completed the user group mapping configuration, click Save And Enable LDAP Auth to enable user authentication with LDAP.
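As an added example (not the guide's or OpenVPN's own code), the following shows how the attribute settings and the user group mapping above combine: an LDAP entry is turned into the OpenVPN Cloud account fields, its group DNs are matched against mapping rules, unmapped users fall back to the default group, and usernames containing a space are flagged per the warning earlier in this guide. The attribute names, rules, sample entry and the first-match-wins rule order are assumptions of this example.

```python
# Attribute names as entered in Settings > User Authentication (constructed example).
ATTRIBUTES = {"username": "sAMAccountName", "user_group": "memberOf",
              "first_name": "givenName", "last_name": "sn", "email": "mail"}

# User Group mapping rules: LDAP group DN(s) -> OpenVPN Cloud user group (constructed).
MAPPING_RULES = [
    {"ldap_groups": ["CN=VPN Admins,OU=Groups,DC=corp,DC=example"], "cloud_group": "Admins"},
    {"ldap_groups": ["CN=Engineering,OU=Groups,DC=corp,DC=example",
                     "CN=Support,OU=Groups,DC=corp,DC=example"], "cloud_group": "Staff"},
]
DEFAULT_CLOUD_GROUP = "Default"

def map_user_group(ldap_groups, rules=MAPPING_RULES, default=DEFAULT_CLOUD_GROUP):
    """Pick the OpenVPN Cloud user group for a user's LDAP group DNs.

    Assumption (the guide does not say): rules are tried in order and the first match
    wins. A user matching no rule lands in the default group, as the guide states."""
    have = {g.lower() for g in ldap_groups}  # DNs compare case-insensitively
    for rule in rules:
        if any(g.lower() in have for g in rule["ldap_groups"]):
            return rule["cloud_group"]
    return default

def build_account(entry, attrs=ATTRIBUTES):
    """Build the OpenVPN Cloud account fields from one LDAP entry.

    entry maps attribute name -> list of values, as a directory search returns it.
    Returns (account, warnings)."""
    def first(field):
        values = entry.get(attrs[field], [])
        return values[0] if values else None
    username = first("username")
    if username is None:
        raise ValueError(f"entry has no {attrs['username']}; the Username attribute is required")
    warnings = []
    if " " in username:
        # The guide warns that such users import but cannot be configured, edited or deleted.
        warnings.append(f"username {username!r} contains a space")
    account = {"username": username, "first_name": first("first_name"),
               "last_name": first("last_name"), "email": first("email"),
               "user_group": map_user_group(entry.get(attrs["user_group"], []))}
    return account, warnings

# Constructed sample entry, as a search under the Base DN would return it.
SAMPLE_ENTRY = {"sAMAccountName": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
                "mail": ["jdoe@corp.example"],
                "memberOf": ["CN=Support,OU=Groups,DC=corp,DC=example",
                             "CN=Domain Users,CN=Users,DC=corp,DC=example"]}
```

Membership in Domain Users alone yields the default group, which matches the note above that this Active Directory group cannot be mapped.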

Troubleshooting: Error messages during configuration

Cannot resolve domain name. Check your DNS Server configuration.
  • Check that the hostname and DNS server information is correct.
Cannot reach LDAP Server. Check your LDAP Server parameters and that LDAP Server is connected to VPN.
  • Check that the LDAP server port is correct, that it’s not closed on the LDAP server, and that it’s not blocked by a firewall.
The authentication method is not supported by LDAP. Check your LDAP Server anonymous access.
  • Check that anonymous binding has been enabled on the LDAP server.
Credentials are invalid. Check your Bind DN and Password.
  • Check that the LDAP server Bind DN and password information is correct.