First, log into Foxpass and do the following:
- Primary Server: ldap.foxpass.com
- Secondary Server: (leave blank)
- Enable "Use SSL to connect to LDAP servers"
- Credentials for initial bind: "Use these credentials"
- Bind DN: cn=openvpn,[ your base dn ] (i.e. cn=openvpn,dc=example,dc=com)
- Password: [ binder password from above ]
- Base DN for User Entries: ou=people,[ your base dn ] (i.e. ou=people,dc=example,dc=com)
- Username Attribute: uid
- OPTIONAL: To limit access to a certain group, set Additional LDAP Requirement to memberOf=cn=[ group name ],ou=groups,[ your base dn ] (i.e. memberOf=cn=vpn,ou=groups,dc=example,dc=com)
- OPTIONAL, but highly recommended: Configure OpenVPN to use two-factor authentication using Google Authenticator.
- OPTIONAL, but highly recommended if you have MFA enabled in Foxpass or your delegated authentication method: Increase the timeout that OpenVPN waits for a response from the LDAP server. This is important because it can take some time for a user to respond to an MFA push notification. We recommend increasing the timeout to something long enough for the user to respond to the push notification, like 60 seconds. You can increase the timeout default of 4 seconds by running these commands:
./sacli --key "auth.ldap.0.timeout" --value <SECONDS> ConfigPut ./sacli start
Users will log-in with their username (i.e. 'bob', not 'firstname.lastname@example.org') and their "Foxpass" password. If they haven't set a "Foxpass" password, please direct them to this page to set one.