OpenVPN Access Server System Administrator Guide
7 How to authenticate users with Active Directory

OpenVPN Access Server's LDAP authentication feature is general in that it interoperates with
various LDAP servers. A popular specific case is configuring Access Server to authenticate users
against a Windows Active Directory server. You will need to know a few details about your Active
Directory configuration to set this up in Access Server.

Note: "DN" means Distinguished Name, a name made up of several attribute=value pairs, such as
CN=Joan Smith, CN=Users, OU=Finance Group, DC=example, DC=com

What you need to know:

The "Base DN" for User Entries of all users to be authenticated by Access Server.
For an AD domain of "example.net", a typical Base DN for User Entries would be:
CN=Users, DC=example, DC=net

The Full DN and password of a user with administrative privileges in Active Directory.
This user's credentials are used by Access Server to bind to the Active Directory server so
that it can search for a given VPN user's entry in the directory. The bind account only needs
permission to read and search the user container, so a dedicated, minimally privileged service
account is preferable to a domain administrator: its password is stored in the Access Server
configuration, and a domain administrator's credentials should not sit there.
7.1.1 Configuring Access Server LDAP Authentication

On the LDAP page in the Access Server Admin Web UI:

1. Enter the hostname or IP address of the Active Directory server (typically also the Domain
   Controller) for the domain in the Primary Server field. If there is a secondary/backup
   Active Directory server, enter its hostname or IP address in the Secondary Server field.

2. Configure the Base DN for User Entries setting with the Base DN described above.
   Note that all users to be authenticated by Access Server must have full DNs that end with
   the specified Base DN. For example, with a Base DN of
   CN=Users, DC=example, DC=net
   these user DNs are valid:
   CN=David Jones, CN=Users, DC=example, DC=net
   CN=Users, DC=example, DC=net
   However, these user DNs are not valid:
   CN=Fred Murtok, DC=example, DC=net
   CN=Alice Barnes, CN=Users, OU=Eng Group, DC=example, DC=net
   The last example fails even though every component of the Base DN appears in it: the check is
   on the trailing sequence of components, and OU=Eng Group sits between CN=Users and the
   domain components, so the DN does not end with the Base DN as a whole.

3. For the Credentials for Initial Bind: setting, choose Using these credentials:
   Then enter the Full DN and password of the bind user (see above). Note that you
   cannot simply enter "Administrator". The Full DN must be used, such as
   CN=Administrator, CN=Users, DC=example, DC=net

4. Be sure that the Username Attribute setting is set to "sAMAccountName". This is the
   attribute name that Active Directory uses to store a user's logon name (e.g., "abarnes").