Tutorial: Set Up Access Server with Active Directory via LDAP for VPN Integration
This guide provides information for configuring your Access Server VPN to authenticate against Active Directory (AD) using Lightweight Directory Access Protocol (LDAP).
Overview
Here’s a quick overview of the process of looking up a user:
The user authenticates with Access Server.
Access Server takes the username and looks it up in the LDAP directory.
When found, it then checks the validity of the password.
If valid, the LDAP directory sends some user properties to Access Server and an OK message that the credentials passed.
Access Server checks its User Permissions settings and connects the user with the permissions defined there.
A few helpful notes:
The default setup doesn’t protect the data communication with SSL encryption. You can add this with additional configuration covered in the section on how to enable SSL.
Windows Server doesn’t typically allow anonymous LDAP lookup. We recommend using a bind user.
Once configured, the systems don’t sync users. Access Server uses the LDAP server to look up user objects and check passwords. You can create an advanced integration for this using a post_auth LDAP group mapping script.
The first step is to create a bind user to look up usernames and verify passwords. This bind user only needs limited access.
On your Active Directory server, open Active Directory Users and Computers.
Expand your appropriate domain and right-click Users.
Select New > User.
Enter the details of your new bind user for Access Server LDAP access and click Next.
Set a password, check Password never expires, click Next and Finish.
You’ll use this bind user for Access Server to access the LDAP server. Next, you’ll configure that with Access Server.
Tip
For the following setup steps, we recommend using the openvpn account. Access Server 2.10 and newer sets this up with local authentication, so if you encounter mistakes or issues with the LDAP configuration, the openvpn account can still gain access. In Access Server 2.9 and older, the account uses PAM authentication, and if you’ve disabled the openvpn account by removing its password, you can re-define the password on the command line: passwd openvpn
Use the following steps to configure LDAP settings in Access Server’s Admin Web UI.
Sign in to the Admin Web UI with the openvpn administrative account.
Click Authentication > LDAP.
Enter the address of your LDAP server, the details of your bind user, and the base DN of your LDAP directory.
Set Enable LDAP authentication to Yes.
Primary server: 192.0.2.78 (Active Directory's IP address).
Bind DN: CN=Bind User,CN=Users,DC=domain-name,DC=com (use the distinguishedName of your bind user).
Password: passwordexample (the password for your bind user, set to never expire).
Base DN for User Entries: CN=Users,DC=domain-name,DC=com (typically this is the Bind DN with the leading username component removed).
Username Attribute: sAMAccountName (the username attribute for Active Directory LDAP servers).
Additional LDAP Requirements (Advanced): memberOf=CN=VPN Users,CN=Users,DC=domain-name,DC=com (optional setting to filter by a group such as 'VPN Users').
By default, users found on the LDAP server can authenticate with Access Server without being defined in User Permissions. To restrict VPN access to only those in both the LDAP directory and User Permissions:
Sign in to the Admin Web UI.
Click Authentication > Settings.
Under External User Registration, set Deny access to unlisted accounts by default to Yes.
When you require user permissions records to grant VPN access, you must now add users to the LDAP server and Access Server’s User Permissions table.
If a user who exists on the LDAP server but not in the User Permissions table attempts to sign in, Access Server denies access. Add the account to the User Permissions table to grant the user access, making sure the username is an exact match with the LDAP username.
Using an LDAP group, you can limit access to a specific group. In our example, we have a group in the LDAP directory called VPN Users.
Grant access to Access Server to the VPN Users group only:
Sign in to the Admin Web UI.
Click Authentication > LDAP.
Enter the additional group requirement under Additional LDAP Requirement. For example: memberOf=CN=VPN Users,CN=Users,DC=example,DC=com.
Tip
Ensure you specify the full DN of the group, or the query may fail to find the user in the LDAP directory. Nested groups aren't supported, so you can't satisfy the requirement by making a group a member of another group.
To allow more than one group permission to sign in to Access Server:
Sign in to the Admin Web UI.
Click Authentication > LDAP.
Enter the additional group requirement for multiple groups under Additional LDAP Requirement with the proper syntax:
|(memberOf=CN=VPN Users,CN=Users,DC=example,DC=com)(memberOf=CN=Remote Users,CN=Users,DC=example,DC=com)
Important
Ensure you include the pipe symbol. It's required at the beginning so that the query matches a user in any one of the listed groups.
More than one group now has access using the Additional LDAP Requirement field.
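The lookup flow from the overview, the group requirement field (a single group or the '|' form for several groups) and the Deny access to unlisted accounts setting, exercised together as an added Python example. This is not code from the tutorial or from Access Server itself: the directory entries, names and passwords are constructed, and the way the Additional LDAP Requirement is combined with the username search (wrapped in parentheses and ANDed with the username attribute match) is an assumption that mirrors the syntax the field accepts on this page.

```python
"""Added example (not OpenVPN Access Server code): model the LDAP lookup steps
described in the tutorial against a small constructed in-memory directory."""
import hmac
import re

# Constructed sample directory (DN -> attributes). Not real AD data.
DIRECTORY = {
    "CN=Alice Example,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "alice", "password": "alice-pass",
        "memberOf": ["CN=VPN Users,CN=Users,DC=example,DC=com"]},
    "CN=Bob Example,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "bob", "password": "bob-pass",
        "memberOf": ["CN=Remote Users,CN=Users,DC=example,DC=com"]},
    "CN=Carol Example,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "carol", "password": "carol-pass", "memberOf": []},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter. Without it, a
    username such as 'x)(sAMAccountName=*' would change the filter's meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(username, username_attr="sAMAccountName", additional_requirement=""):
    """(attr=user) ANDed with the Additional LDAP Requirement, if one is set.
    A bare 'memberOf=...' or a '|(...)(...)' disjunction is wrapped in parentheses
    (assumed to match how the field is combined with the username lookup)."""
    parts = ["(%s=%s)" % (username_attr, escape_filter_value(username))]
    req = (additional_requirement or "").strip()
    if req:
        parts.append(req if req.startswith("(") else "(" + req + ")")
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def parse_filter(s, i=0):
    """Tiny parser for the filter subset used here: (attr=value), (&...), (|...)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] != ")":
            node, i = parse_filter(s, i)
            children.append(node)
        return (op, children), i + 1
    end = s.index(")", i)  # escaped values contain no literal ')'
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.strip(), value), end + 1


def _norm(dn):
    # DN comparison is case-insensitive and tolerant of spaces after commas.
    return re.sub(r"\s*,\s*", ",", dn).lower()


def matches(node, entry):
    if node[0] == "=":
        _, attr, value = node
        have = entry.get(attr, [])
        have = [have] if isinstance(have, str) else have
        want = _norm(unescape_filter_value(value))
        return any(_norm(v) == want for v in have)
    op, children = node
    results = [matches(child, entry) for child in children]
    return all(results) if op == "&" else any(results)


def authenticate(username, password, additional_requirement="",
                 deny_unlisted=False, user_permissions=()):
    """Search as the bind user, check the password of the single match, then apply
    the User Permissions gate. Returns (allowed, reason)."""
    flt = build_user_filter(username, "sAMAccountName", additional_requirement)
    tree, _ = parse_filter(flt)
    hits = [(dn, e) for dn, e in DIRECTORY.items() if matches(tree, e)]
    if len(hits) != 1:
        return False, "no unique match for filter %s" % flt
    dn, entry = hits[0]
    # AD verifies the password with a second bind as the user's DN; a
    # constant-time comparison stands in for that step here.
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return False, "wrong password for %s" % dn
    # The User Permissions lookup is an exact string match, as the tutorial notes.
    if deny_unlisted and username not in user_permissions:
        return False, "LDAP user %r is not listed in User Permissions" % username
    return True, dn


if __name__ == "__main__":
    both = ("|(memberOf=CN=VPN Users,CN=Users,DC=example,DC=com)"
            "(memberOf=CN=Remote Users,CN=Users,DC=example,DC=com)")
    print(authenticate("bob", "bob-pass", both))              # allowed via Remote Users
    print(authenticate("bob", "bob-pass", both.lstrip("|")))  # no pipe: both groups required
    print(authenticate("alice)(sAMAccountName=*", "alice-pass"))  # escaped, no match
```

Running the script prints the decision for each case. The case without the leading pipe shows two memberOf clauses becoming an AND rather than an OR, which is why the Important note above insists on the pipe, and the last case shows why the username is escaped before it is placed in the filter.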
You must install an Enterprise Root CA on a domain controller to enable LDAPS for Microsoft Active Directory. If you have this set up, you can enable SSL connectivity with Access Server with these steps:
Sign in to the Admin Web UI.
Click Authentication > LDAP.
Check the toggle to enable Use SSL to connect to LDAP servers.
If you don't have or need an Enterprise Root CA on your server, you can still enable SSL for LDAP by installing a digital certificate on the domain controller specifically for LDAP SSL. In that case, certificate verification can't occur automatically: you must manually import the certificate into Access Server so it can verify that it is connecting to the correct server.
For details on verifying SSL certificates for a secure SSL LDAP connection, refer to the LDAP authentication command tutorial.
We recommend using a bind user for connecting with the LDAP server, as instructed above. If you have a reason to use anonymous binding instead, follow these steps. You must allow anonymous bind and anonymous searches on the Users container.
On the Active Directory server, open the ADSI Edit tool.
Right-click ADSI Edit and click Connect to…
Under Select a well known Naming Context, select Configuration and click OK.
Click Configuration and expand CN=Configuration,… > CN=Services > CN=Windows NT.
Right-click CN=Directory Service and click Properties.
Click dSHeuristics, click Edit, and do one of the following:
If it isn’t set, enter 0000002.
If it’s set, alter the 7th digit to 2.
Open Active Directory Users and Computers.
Click View and enable Advanced Features.
Right-click the object you want to make available to anonymous LDAP bind (such as the Users folder) and click Properties.
Click the Security tab and click Advanced.
Tip
Advanced is only visible if advanced features are enabled.
Click Add, click Select a principal, and enter ANONYMOUS LOGON.
Click OK in all necessary windows.
You’ve now enabled anonymous bind to LDAP and can do anonymous searches on the LDAP directory server contents on the object where you defined anonymous logon read and list permissions.
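The dSHeuristics rule from the ADSI Edit steps above ("enter 0000002 if it isn't set, otherwise change the 7th digit to 2") as an added Python example, not code from the tutorial. It computes the new attribute value without overwriting flags held in the other positions, which is the mistake to avoid when the attribute is already set, and includes a check and a rollback helper; the sample values are constructed.

```python
# Added example (not from the tutorial): compute a dSHeuristics value with the
# 7th character set to '2', preserving whatever is stored in the other positions.

def enable_anonymous_ldap(current):
    """Return the dSHeuristics string with character 7 set to '2'.
    current is the existing attribute value, or None/'' when it isn't set."""
    chars = list(current or "")
    if len(chars) < 7:
        chars.extend("0" * (7 - len(chars)))  # positions that did not exist default to 0
    chars[6] = "2"
    return "".join(chars)


def anonymous_ldap_enabled(value):
    """True when the 7th character, the one the steps above change, is '2'."""
    return len(value or "") >= 7 and value[6] == "2"


def disable_anonymous_ldap(current):
    """Rollback: set character 7 back to '0' and leave everything else untouched."""
    chars = list(current or "")
    if len(chars) >= 7:
        chars[6] = "0"
    return "".join(chars)


if __name__ == "__main__":
    for existing in (None, "0000000", "001", "0000000010"):  # constructed values
        updated = enable_anonymous_ldap(existing)
        print("%r -> %r (enabled: %s)" % (existing, updated, anonymous_ldap_enabled(updated)))
```

The third sample value shows why the padding matters: a short existing value keeps its leading flags and only gains the trailing positions needed to reach the 7th character.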