Developers Documentation



301 error for file:

User Tools

Site Tools

Using Ad for Openldap User Authentication

This writeup is to demonstrate the use of Microsoft's Active Directory as an authentication provider for OpenVPN. This guide assumes knowledge of command line functions in a ClearOS terminal environment and familiarity with tools of Active Directory.

Getting Started

You will need the following to configure ClearOS 5.x to use Active Directory as your authentication provider:

  • A ClearOS 5.x server running as your gateway
  • An Active Directory Domain controller on the same subnet as a LAN interface of your ClearOS 5.x server
  • User accounts on your with the exact same name as those configured on Active Directory with OpenVPN selected as one of their valid services.
  • For best practices, your ClearOS server should be using the AD server(s) as its DNS server only.
  • Opened ports on the incoming firewall rules of the ClearOS server for 'OpenVPN' (1194 UDP)

On your ClearOS server, you will need to provision a user that also exists on Active Directory (AD). The reason to maintain this account on ClearOS as well as AD is that ClearOS uses 2-factor authentication by means of security keys. It will NOT matter that the passwords match but doing so will allow you to use other ClearOS services with this user should you choose to do so.


From command line, validate that you can ping the domain controller and that you can get access to the Access Directory. For this scenario, your domain on AD is called 'clearos.lan' and the domain controller resides on and the ClearOS server resides on

Collecting Data

You need to know the Base DN, Bind DN, and password for your connections to AD. This can easily be collected from the “Active Directory Users and Computers” management console on your AD domain controller.

Looking at the image you can see that the base of this directory is clearos.lan which translates to the BaseDN value:


We add on the folder and name of the user to get the BindDN value. The folder being 'Users' and the user being 'Administrator'. So the BindDN would be:


It is important to note that Active Directory will use the CN (canonical name) value to define specific 'builtin' folders where user created folders use the moniker of OU (organization unit). These CN folders include 'Builtin', 'Computers', 'ForeignSecurityPrincipals', and 'Users'. These folders in the “Active Directory Users and Computers” will appear slightly different. CN 'folders' look like blank folders whereas OU folders look like folders with a book inside them. If the administrator account is in a different, user-created folder it may very well look like this: cn=backup administrator,ou=admins,ou=IT,ou=company,dc=clearos,dc=lan


Test connectivity to the AD server from your ClearOS box.


(type CTRL+c to cancel pings)

telnet 389

Telnet to port 389 to validate that you get a SYN packet which will indicate that the service is listening. This will reply with:

[root@system ~]# telnet 389
Connected to
Escape character is '^]'.

Type CTRL+] then type 'quit' and to exit.

telnet> quit
Connection closed.

Next test to see if you can get data from Active Directory with the following (please substitute the host address, domain name, and bind DN with those from your environment):

ldapsearch -x -h -b "dc=clearos,dc=lan" -D "cn=administrator,cn=users,dc=clearos,dc=lan" -W

You will be prompted for a password. Because we used the 'administrator' account, we will supply that password. The result of this will spit out all the objects in Active Directory and their associated values for their attributes.

Setting up the connection

You will want to configure a group within Windows that will allow your Windows Administrators to tell which users may VPN into the network. For our purposes, we will create a group called 'OpenVPNUsers' in the folder 'Users' in our Active Directory.

Now that we can show that ClearOS can connect to AD we can place these values into the configuration located in /etc/openvpn/auth-ldap.

The file will look like this:

# This file is automatically updated by ldapsync -- please do not edit.

	# LDAP server URL
	URL		ldap://

	# Bind DN (If your LDAP server doesn't support anonymous binds)
	BindDN		cn=administrator,cn=users,dc=clearos,dc=lan

	# Bind Password
	Password	password

	# Network timeout (in seconds)
	Timeout		15

	# Enable Start TLS
	TLSEnable	no

	# Follow LDAP Referrals (anonymously)
	FollowReferrals yes

	# TLS CA Certificate File
	TLSCACertFile	/etc/ssl/ca-cert.pem

	# TLS CA Certificate Directory
	TLSCACertDir	/etc/ssl/certs

	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile	/etc/ssl/client-cert.pem
	TLSKeyFile	/etc/ssl/client-key.pem

	# Cipher Suite
	# The defaults are usually fine here

	BaseDN		"cn=users,dc=clearos,dc=lan"
	SearchFilter	"sAMAccountName=%u"
	RequireGroup	true
		BaseDN		"cn=users,dc=clearos,dc=lan"
		SearchFilter	"cn=OpenVPNUsers"
		MemberAttribute	Member

It has not gone unnoticed that the phrase “This file is automatically updated by ldapsync – please do not edit.” exists at the top of this document. Don't worry, we're just testing thusfar.

Let's do this thing

With all the parts in place. Restart the openvpn service and try out the connection. For the purpose of testing whether the account is truly from Active Directory or not, try changing the passwords between the ClearOS server and AD for that particular account.

Set this in stone

Once we are satisfied that this works, we need to change some things to prevent the normal operations of ClearOS from altering our configuration file (vis-a-vis ldapsync).

If everything is copacetic, you can make these changes permanent by updating the /etc/openldap/templates/openvpn.auth-ldap.template file. Use the following script:

mv /etc/openldap/templates/openvpn.auth-ldap.template /etc/openldap/templates/openvpn.auth-ldap.template~
echo "KOLAB_META_START" > /etc/openldap/templates/openvpn.auth-ldap.template
echo "TARGET=/etc/openvpn/auth-ldap" >> /etc/openldap/templates/openvpn.auth-ldap.template
echo "PERMISSIONS=0600" >> /etc/openldap/templates/openvpn.auth-ldap.template
echo "OWNERSHIP=root:root" >> /etc/openldap/templates/openvpn.auth-ldap.template
echo "KOLAB_META_END" >> /etc/openldap/templates/openvpn.auth-ldap.template
cat /etc/openvpn/auth-ldap >> /etc/openldap/templates/openvpn.auth-ldap.template
content/en_us/dev_apps_using_ad_for_openldap_user_authentication.txt · Last modified: 2015/09/17 15:08 (external edit)