OpenVPN Access Server on Active Directory via LDAP

Introduction

This guide provides information for configuring OpenVPN Access Server to authenticate against Active Directory (AD) using lightweight directory access protocol (LDAP).

Before you begin

A few helpful notes:

  • The default setup doesn’t encrypt the LDAP connection with SSL. You can add this with the additional configuration covered in the section on how to enable SSL.
  • Windows Server doesn’t typically allow anonymous LDAP lookup. We recommend using a bind user.
  • Once configured, the systems don’t sync users. OpenVPN Access Server uses the LDAP server to look up user objects and check the password. You can create an advanced integration for this using a post_auth LDAP group mapping script.

OpenVPN Access Server using LDAP for Active Directory

Here’s a quick overview of the process of looking up a user:

  1. The user authenticates with OpenVPN Access Server.
  2. Access Server takes the username and looks it up in the LDAP directory.
  3. When found, it then checks the validity of the password.
  4. If valid, the LDAP directory sends some user properties to Access Server and an OK message that the credentials passed.
  5. Access Server checks the User Permissions table and connects the user with the permissions defined there.

Create and configure a bind user

The first step is to create a bind user to look up usernames and verify passwords. This bind user only needs limited access.

  1. On your Active Directory server, open Active Directory Users and Computers.
  2. Expand your appropriate domain and right-click Users.
  3. Select New > User.
  4. Enter the details of your new bind user for Access Server LDAP access and click Next.
  5. Set a password, check Password never expires, click Next and Finish.

You’ll use this bind user for Access Server to access the LDAP server. Next, you’ll configure that with Access Server.

Configure Access Server to use LDAP authentication

Note: For the following setup steps, we recommend using the openvpn account. Access Server 2.10 and newer sets this account up with local authentication, so if you make a mistake in the LDAP configuration, the openvpn account can still sign in. In Access Server 2.9 and older, the account uses PAM authentication; if you’ve disabled the openvpn account by removing its password, you can set a new password on the command line with: passwd openvpn

Use the following steps to configure LDAP settings in OpenVPN Access Server’s Admin Web UI.

  1. Sign in to the Admin Web UI with the openvpn administrative account.
  2. Click Authentication > LDAP.
  3. Enter the address of your LDAP server, the details of your bind user, and the base DN of your LDAP directory.
  4. Click Save Settings.
  5. Before you click Update Running Server, click Use LDAP.
  6. Now click Update Running Server.

Note: The following shows an example of the setup with the LDAP fields:

Primary server: 18.123.456.78 (IP address of the Active Directory server)
Bind DN: CN=Bind User,CN=Users,DC=domain-name,DC=com (use the distinguishedName of your bind user)
Password: 123qweasd!@# (the password for your bind user, set to never expire)
Base DN for User Entries: CN=Users, DC=domain-name, DC=com (typically this is the Bind DN with the bind user’s own CN removed)
Username Attribute: sAMAccountName (the username attribute for Active Directory LDAP servers)
Additional LDAP Requirement (Advanced): memberOf=CN=VPN Users, CN=Users, DC=domain-name, DC=com (optional setting to filter by a group such as ‘VPN Users’)

OpenVPN Access Server should now look up users on the LDAP server. Refer to the authentication problems troubleshooting page if you encounter issues.

Limit access to users in LDAP server and OpenVPN Access Server user permissions table (optional)

By default, users found on the LDAP server can authenticate with OpenVPN Access Server without being defined in User Permissions. To restrict VPN access to only those in both the LDAP directory and User Permissions:

  1. Sign in to the Admin Web UI.
  2. Click User Management > User Permissions.
  3. Check Yes for Require user permissions record for VPN access at the bottom of the page.
  4. Click Save Settings and Update Running Server.

When you require user permissions records to grant VPN access, you must add users to both the LDAP server and OpenVPN Access Server’s User Permissions table.

If a user that exists on the LDAP server but not in the User Permissions table then attempts to sign in to OpenVPN Access Server, the user is denied. To grant the user access, add the account to the User Permissions table. Ensure that the username is an exact match.

Only allow users from one specific group to sign in (optional)

“Requiring user permissions record for VPN access” is one way to limit access to a specific group. Another way is to use an LDAP group. In our example, we have a group in the LDAP directory called VPN Users.

Grant access to OpenVPN Access Server to only the VPN Users group:

  1. In the Admin Web UI, click Authentication > LDAP.
  2. Enter the additional group requirement under Additional LDAP Requirement, for example: memberOf=CN=VPN Users, CN=Users, DC=example, DC=com.

Note: Ensure that you specify the full DN, or the query may fail to find the user in the LDAP directory. Nesting groups isn’t supported, so you can’t make a group a member of another group.

Allow more than one group permission to sign in (optional)

To allow more than one group permission to sign in to OpenVPN Access Server:

  1. In the Admin Web UI, click Authentication > LDAP.
  2. Enter the additional group requirement for multiple groups under Additional LDAP Requirement with the proper syntax, for example: |(memberOf=CN=VPN Users,CN=Users,DC=example,DC=com)(memberOf=CN=Remote Users,CN=Users,DC=example,DC=com)

Note: Ensure you include the pipe symbol. It’s required at the beginning.

More than one group now has access using the Additional LDAP Requirement field.
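The lookup process, the Additional LDAP Requirement field and the single- and multi-group filters above, modelled as an added example (not OpenVPN Access Server's own code): it composes the search filter from the Username Attribute, the username and the requirement, escapes the username so it cannot alter the filter, and checks the caveat that each memberOf value must be a full DN.

```python
import re

# Added example, not OpenVPN Access Server code: it models how the user lookup
# described in this guide composes an LDAP search filter from the Username
# Attribute, the username typed at login, and the Additional LDAP Requirement
# field (plain or '|' multi-group form). Escaping the username is an assumption
# about good practice here, not a statement about Access Server's internals.


def escape_filter_value(value):
    """Escape a value per RFC 4515 so it cannot change the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def build_user_filter(username_attr, username, additional_requirement=""):
    """Return '(attr=user)' or, with a requirement, '(&(attr=user)(requirement))'.

    A requirement given as '|(memberOf=A)(memberOf=B)' is wrapped once, yielding
    '(|(memberOf=A)(memberOf=B))', which is why the leading pipe is required.
    """
    clauses = ["(%s=%s)" % (username_attr, escape_filter_value(username))]
    requirement = additional_requirement.strip()
    if requirement:
        if not requirement.startswith("("):
            requirement = "(%s)" % requirement
        clauses.append(requirement)
    if len(clauses) == 1:
        return clauses[0]
    return "(&%s)" % "".join(clauses)


def group_requirement_uses_full_dns(requirement):
    """Check the guide's caveat that each memberOf value must be a full DN.

    A bare 'memberOf=CN=VPN Users' has no DC= components and would not match
    the user, so it is rejected; both the plain and the '|' form are accepted.
    """
    values = re.findall(r"memberOf=([^()]+)", requirement)
    return bool(values) and all(
        re.search(r"\bDC=", v, re.IGNORECASE) for v in values
    )
```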

Enable SSL over the connection (optional)

You must install an Enterprise Root CA on a domain controller to enable LDAPS for Microsoft Active Directory. If you have this set up, you can enable SSL connectivity with OpenVPN Access Server with these steps:

  1. Sign in to the Admin Web UI.
  2. Click Authentication > LDAP.
  3. Check the toggle to enable Use SSL to connect to LDAP servers.
  4. Click Save Settings and Update Running Server.

If you don’t have or need an Enterprise Root CA on your server, you can still enable SSL for LDAP by installing a digital certificate on the domain controller specifically for LDAP SSL. In that case certificate verification can’t happen automatically: you must manually import the certificate into OpenVPN Access Server so it can verify that the connection is with the correct server.

For details on verifying SSL certificates for a secure SSL LDAP connection, refer to Authentication options and command-line configurations and the LDAP authentication commands.

Enable anonymous binding (optional)

We recommend using a bind user for connecting with the LDAP server, as instructed above. If you have a reason you must use anonymous binding, follow these steps. You must allow anonymous bind and anonymous searches in the User container.

  1. On the Active Directory server, open the ADSI Edit tool.
  2. Right-click ADSI Edit and click Connect to…
  3. Under Select a well known Naming Context, select Configuration and click OK.
  4. Click on Configuration and expand CN=Configuration… > CN=Services > CN=Windows NT.
  5. Right-click CN=Directory Service and click Properties.
  6. Click dSHeuristics, click Edit, and do one of the following:
    1. If it isn’t set, enter 0000002.
    2. If it’s set, alter the 7th digit to 2.
  7. Open Active Directory Users and Computers.
  8. Click View and enable Advanced Features.
  9. Right-click the object you want to make available to anonymous LDAP bind (such as the Users folder) and click Properties.
  10. Click the Security tab and click Advanced. (Note: Advanced is only visible if advanced features are enabled.)
  11. Click Add, click Select a principal, and enter ANONYMOUS LOGON.
  12. Click OK in all necessary windows.
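The dSHeuristics edit in step 6, as an added example (not Microsoft or OpenVPN code): it returns the value to enter for both the unset and the already-set case, padding short values, and applies the MS-ADTS rule that position 10 must be ‘1’, position 20 ‘2’, and so on, whenever the value is long enough to include those positions.

```python
# Added example, not Microsoft or OpenVPN code: computes the dSHeuristics value
# for steps 6.1 and 6.2 above. An unset attribute becomes 0000002; an existing
# value keeps every other position and is zero-padded when shorter than seven
# characters. The check on every tenth character follows MS-ADTS, which
# requires position 10 to be '1', position 20 to be '2', and so on.


def dsheuristics_with_anonymous_ldap(current):
    """Return the new dSHeuristics string with its 7th character set to '2'."""
    chars = list((current or "").ljust(7, "0"))
    chars[6] = "2"
    for pos in range(9, len(chars), 10):
        expected = str((pos + 1) // 10)
        if chars[pos] != expected:
            raise ValueError(
                "dSHeuristics position %d must be %r" % (pos + 1, expected)
            )
    return "".join(chars)
```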

You’ve now enabled anonymous bind to LDAP and can run anonymous searches against the objects on which you granted ANONYMOUS LOGON read and list permissions.