OpenVPN AS authentication with LDAP, powered by Foxpass.

Here's how to set up OpenVPN AS authentication with LDAP, powered by Foxpass.

First, log into Foxpass and do the following:

  1. Note your Base DN on the dashboard page. Copy/paste it somewhere.
  2. Create an LDAP Binder account with the name 'openvpn' on the LDAP binders page. Copy/paste the generated password! It is only displayed once.

OpenVPN AS LDAP configuration:

  • Primary Server:
  • Secondary Server: (leave blank)
  • Enable "Use SSL to connect to LDAP servers"
  • Credentials for initial bind: "Use these credentials"
  • Bind DN: cn=openvpn,[ your base dn ] (i.e. cn=openvpn,dc=example,dc=com)
  • Password: [ binder password from above ]
  • Base DN for User Entries: ou=people,[ your base dn ] (i.e. ou=people,dc=example,dc=com)
  • Username Attribute: uid
  • OPTIONAL: To limit access to a certain group, set Additional LDAP Requirement to memberOf=cn=[ group name ],ou=groups,[ your base dn ] (i.e. memberOf=cn=vpn,ou=groups,dc=example,dc=com)
  • OPTIONAL, but highly recommended: Configure OpenVPN to use two-factor authentication using Google Authenticator.
  • OPTIONAL, but highly recommended if you have MFA enabled in Foxpass or your delegated authentication method: Increase the timeout that OpenVPN waits for a response from the LDAP server. This is important because it can take some time for a user to respond to an MFA push notification. We recommend increasing the timeout to something long enough for the user to respond to the push notification, like 60 seconds. You can increase the timeout default of 4 seconds by running these commands:
./sacli --key "auth.ldap.0.timeout" --value <SECONDS> ConfigPut
./sacli start

Users will log-in with their username (i.e. 'bob', not '[email protected]') and their "Foxpass" password. If they haven't set a "Foxpass" password, please direct them to this page to set one.