I've been able to successfully authenticate with LDAP using a single group, using the following config...
<Group>
BaseDN "OU=Groups,OU=Users,OU=AD,DC=ad,DC=mydomain,DC=com"
SearchFilter "(CN=VPN Users)"
MemberAttribute member
</Group>
I'm now attempting to set up an admin-specific OpenVPN instance which will require membership in the "Admins" group, in addition to the "VPN Users" group. However, I haven't been able to find the correct syntax to do this.
This is what I've tried...
<Group>
BaseDN "OU=Groups,OU=Users,OU=AD,DC=ad,DC=mydomain,DC=com"
SearchFilter "(&(CN=VPN Users)(CN=Admins))"
MemberAttribute member
</Group>
This failed authentication.
Then I tried including 2 group sections, like this...
<Group>
BaseDN "OU=Groups,OU=Users,OU=AD,DC=ad,DC=mydomain,DC=com"
SearchFilter "(CN=VPN Users)"
MemberAttribute member
</Group>
<Group>
BaseDN "OU=Groups,OU=Users,OU=AD,DC=ad,DC=mydomain,DC=com"
SearchFilter "(CN=Admins)"
MemberAttribute member
</Group>
In this case it authenticated if the user was a member of either of the groups. It didn't require membership in both.
I could potentially just create another group, but that then becomes extra hassle to manage. If possible, I would really like to be able to work with the groups we already have.
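As an added example that is not part of the original post, the small model below runs each of the three configurations above against a constructed in-memory directory, showing why the conjunctive filter matches nothing (the <Group> SearchFilter is evaluated against group objects, and no single group object carries both CN values) and why two <Group> sections act as OR. The directory entries, user DNs and the evaluator itself are assumptions for illustration, not the plugin's own code.

```python
from typing import Dict, List

# Constructed directory fragment modelled on the BaseDN in the post; the
# group objects, members and user DNs below are made up for this example.
BASE_DN = "OU=Groups,OU=Users,OU=AD,DC=ad,DC=mydomain,DC=com"
ALICE = "CN=alice,OU=Staff,DC=ad,DC=mydomain,DC=com"
BOB = "CN=bob,OU=Staff,DC=ad,DC=mydomain,DC=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    f"CN=VPN Users,{BASE_DN}": {"cn": ["VPN Users"], "member": [ALICE, BOB]},
    f"CN=Admins,{BASE_DN}": {"cn": ["Admins"], "member": [ALICE]},
}

def parse(filt: str):
    """Parse the RFC 4515 subset used here: (attr=value), (&...), (|...)."""
    body = filt.strip()[1:-1]
    if body[0] in "&|":
        kids, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:  # a complete child filter ends here
                kids.append(parse(body[start:i + 1]))
                start = i + 1
        return ("and" if body[0] == "&" else "or", kids)
    attr, value = body.split("=", 1)
    return ("eq", attr.lower(), value)

def matches(entry: Dict[str, List[str]], node) -> bool:
    """Evaluate a parsed filter against ONE directory entry."""
    if node[0] == "eq":
        return node[2] in entry.get(node[1], [])
    results = [matches(entry, kid) for kid in node[1]]
    return all(results) if node[0] == "and" else any(results)

def group_section_allows(user_dn: str, search_filter: str,
                         member_attr: str = "member") -> bool:
    """One <Group> section (modelled, not the plugin's code): find group
    objects under BaseDN matching the filter, then pass if the user's DN
    is listed in any matching group's MemberAttribute."""
    node = parse(search_filter)
    groups = [e for dn, e in DIRECTORY.items()
              if dn.endswith(BASE_DN) and matches(e, node)]
    return any(user_dn in g.get(member_attr, []) for g in groups)

def any_section_allows(user_dn: str, filters: List[str]) -> bool:
    """Several <Group> sections behave as OR (what the post observed)."""
    return any(group_section_allows(user_dn, f) for f in filters)
def all_sections_allow(user_dn: str, filters: List[str]) -> bool:
    """The conjunctive check the post is after: member of every group."""
    return all(group_section_allows(user_dn, f) for f in filters)
```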