[Samba] OpenVPN using LDAP Auth and Samba 4 AD

Stefan G. Weichinger lists at xunil.at
Mon Mar 2 10:46:51 UTC 2020

Am 01.03.20 um 12:01 schrieb Paul Littlefield via samba:
> Hello All,
> I would like to use OpenVPN with Samba 4 AD using the LDAP Auth plugin.
> However, my tests come up with the following errors in the OpenVPN...
> LDAP bind failed: Strong(er) authentication required (BindSimple:
> Transport encryption required.)
> Unable to bind as CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM
> LDAP connect failed.
> /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
> PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with
> status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
> TLS Auth Error: Auth Username/Password verification failed for peer
> Has anyone else used OpenVPN with Samba 4 AD and if so, can I see your
> sanitised config please?

I have a working setup with OpenVPN on a pfsense-2.4.4p3 authenticating
against Samba4 AD.

The tricky and important part is to get the certs and hostnames right:

The OpenVPN server contacts the/one AD DC via hostname and the DC
replies with its cert. The hostname contacted must match the hostname in
the cert, etc.

And you have to make openvpn trust that cert.


"ldap server require strong auth = no" helps to work around this, I assume.

But it's safer to do it right, even when it's more hassle ;-)
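The "do it right" route above, as an added example (not from this thread, not the openvpn-auth-ldap project's own code): two preflight checks and the plugin config they validate. The DC name dc1.mydomain.com, the CA bundle path /etc/openvpn/samba-ca.pem and the search base are assumptions; the bind DN is the one from the quoted log. Option names in the rendered config are those documented in the openvpn-auth-ldap README. Samba keeps "ldap server require strong auth = yes" (its default), so a simple bind is only accepted over ldaps:// or ldap:// with StartTLS, and transport_is_encrypted mirrors that rule so a config can be linted before OpenVPN is restarted.

```shell
#!/bin/sh
# Added example, not part of the original thread or of openvpn-auth-ldap.
# Assumed names: DC "dc1.mydomain.com", CA bundle /etc/openvpn/samba-ca.pem,
# base "CN=Users,DC=MYDOMAIN,DC=COM". Bind DN is the one from the quoted log.
set -eu

DC_HOST="${DC_HOST:-dc1.mydomain.com}"
CA_FILE="${CA_FILE:-/etc/openvpn/samba-ca.pem}"
BIND_DN='CN=VPN Connect,CN=Users,DC=MYDOMAIN,DC=COM'

# Samba (ldap server require strong auth = yes) refuses a simple bind unless
# the transport is encrypted: ldaps://, or ldap:// upgraded with StartTLS.
# Usage: transport_is_encrypted URL [TLSENABLE]   -> exit 0 if encrypted
transport_is_encrypted() {
    url="$1"; starttls="${2:-no}"
    case "$url" in
        ldaps://*) return 0 ;;
        ldap://*)  [ "$starttls" = "yes" ] ;;
        *)         return 1 ;;
    esac
}

# Check 1: does the DC present a cert that chains to CA_FILE *and* carries the
# name we connect by?  -verify_hostname compares DC_HOST against the cert's
# SAN/CN, which is exactly what breaks when OpenVPN is pointed at an IP or a
# short name the DC cert does not contain.
check_dc_cert() {
    openssl s_client -connect "$DC_HOST:636" -servername "$DC_HOST" \
        -CAfile "$CA_FILE" -verify_hostname "$DC_HOST" -verify_return_error \
        </dev/null >/dev/null 2>&1 && echo "cert OK for $DC_HOST"
}

# Check 2: can the bind account do a simple bind the way the plugin will?
# -ZZ forces StartTLS and fails if the upgrade does not succeed; LDAPTLS_CACERT
# makes the OpenLDAP client trust the same CA the plugin is given below.
check_bind() {
    LDAPTLS_CACERT="$CA_FILE" ldapwhoami -x -ZZ -H "ldap://$DC_HOST" \
        -D "$BIND_DN" -W
}

# The openvpn-auth-ldap config those two checks validate: StartTLS on 389 and
# the CA the DC cert chains to.  TLSEnable means StartTLS, so it is set for
# ldap:// only; with an ldaps://host:636 URL leave it out.
render_ldap_conf() {
    cat <<EOF
<LDAP>
    URL             ldap://$DC_HOST
    BindDN          "$BIND_DN"
    Password        change-me
    Timeout         15
    TLSEnable       yes
    TLSCACertFile   $CA_FILE
</LDAP>
<Authorization>
    BaseDN          "CN=Users,DC=MYDOMAIN,DC=COM"
    SearchFilter    "(sAMAccountName=%u)"
    RequireGroup    false
</Authorization>
EOF
}

case "${1:-}" in
    lint)  transport_is_encrypted "ldap://$DC_HOST" yes && echo "transport encrypted" ;;
    check) check_dc_cert && check_bind ;;
    conf)  render_ldap_conf ;;
esac
```

Run it as `sh vpn-ldap-preflight.sh check` on the OpenVPN host (the one that will talk to the DC, so DNS and trust store are the ones that matter), then `sh vpn-ldap-preflight.sh conf > /etc/openvpn/auth/ldap.conf` and fill in the real password. If check 1 fails, the fix is on the DC side (a cert whose SAN contains the name you connect by, issued by a CA the OpenVPN host trusts), not "ldap server require strong auth = no".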
