Want to use new features? Check out the latest push and read the source file UPGRADE-from-0.0.X.txt

OpenVPN LDAP Auth Plugin


This plugin was tested on OpenVPN 2.1 and might not work against 2.0 until a small change is made (see issue #2).

Also, only start_tls and clear-text connections are supported so far.


Releases can be downloaded from GitHub Repository download page

Source code is accessible via Git@GitHub


Debian Lenny / Ubuntu 9.10

The following packages are required to build this plugin:

  • libldap2-dev
  • libpthread-stubs0-dev
  • libtool
  • automake

To use this plugin you only need the following:

  • libldap-2.4-2
  • libpthread-stubs0


In order to compile and install this plugin you need to run the following:

$ aclocal
$ autoconf
$ libtoolize
$ automake --add-missing
$ ./configure
$ make
$ sudo make install

Alternatively, using the bundled autogen.sh script:
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

Alternatively, if you only ran make (without make install), you can copy the .so files
from src/.libs/ yourself.

Server configuration

In a nutshell, configuring this plugin consists of two steps:

  • Creating a configuration file for this plugin (e.g. /etc/openvpn/ldap-auth-config)
  • Editing the OpenVPN configuration file (e.g. /etc/openvpn/default.conf) to load this plugin and its configuration file automatically

For more information about using alternate authentication methods, see http://openvpn.net/index.php/open-source/documentation/howto.html#auth

LDAP plugin configuration

First copy the example configuration file from tests/config.conf to your OpenVPN configuration directory (e.g. /etc/openvpn). The same file is shown below - note that %u will be replaced by the username provided by the client:


Default values are:


If you're running Debian/Ubuntu and have configured the openvpn init script to launch all VPNs automatically (see /etc/default/openvpn), you should avoid using the *.conf suffix for this LDAP plugin configuration file. Otherwise the init script will try to load it as a VPN configuration which obviously fails.

OpenVPN configuration

Next edit the main OpenVPN config file (e.g. /etc/openvpn/default.conf). If you want to authenticate clients against LDAP only, add


somewhere. You probably want to use this, too:


Next make sure the plugin is loaded by adding something like this to the end:

plugin /etc/openvpn/ldap-auth/libopenvpn-ldap-auth.so -c /etc/openvpn/ldap-auth-config

If you used make install, the .so file is probably in /usr/local/lib. Note that this syntax is the same as the one accepted by the testplugin tool (see below). Also note that LDAP authentication uses OpenVPN's deferred authentication. As such, the plugin (running with low privileges) needs to be able to write to the tmp dir. Adding:

tmp-dir /dev/shm

to your OpenVPN config will allow the plugin to write its file there.

Client configuration

If you use LDAP authentication only, you can safely remove/skip the cert and key directives in the OpenVPN client configuration file. The ca entry is still required, as is the tls-auth directive if the server uses it. If you want users to type in their username/password interactively when the VPN starts, use this directive:


If you want to make VPN launch automatically, you need to put the username and password into a file, e.g. /etc/openvpn/default.pass:


In addition, you need to use auth-user-pass entry like this:

auth-user-pass /etc/openvpn/default.pass

Command line arguments

On top of -c, the following arguments can be passed to the plugin:

  • -H : LDAP URI
  • -D : Bind DN
  • -W : Bind Password
  • -b : Base DN
  • -f : Search filter
  • -t : Timeout
  • -Z : set start_tls to True
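The deployment pitfalls described above (the *.conf suffix that the Debian init script would autostart, the writable tmp-dir that deferred authentication needs, the plugin directive, and the clear-text bind when -Z is not given) collected into one pre-flight script. This is an added example, not part of the plugin's source; the paths are the README's examples and the fourth argument ("yes" when you pass -Z) is an assumption of this script.

```shell
#!/bin/sh
# Pre-flight checks for an OpenVPN + LDAP plugin deployment (added example,
# not part of the plugin). Usage: preflight.sh PLUGIN_SO PLUGIN_CONFIG TMP_DIR STARTTLS
# where STARTTLS is "yes" if -Z is passed to the plugin (argument names assumed).

# The Debian/Ubuntu init script autostarts every /etc/openvpn/*.conf as a VPN,
# so the plugin's own config file must not use that suffix.
ldap_config_name_ok() {
    case "$1" in
        *.conf) return 1 ;;
        *)      return 0 ;;
    esac
}

# Deferred authentication makes the low-privileged plugin write its result
# under tmp-dir, so that directory must exist and be writable.
tmp_dir_ok() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Run every check, print one line per problem, and return the problem count.
# On success, print the two lines to add to the OpenVPN server config.
preflight() {
    so="$1"; cfg="$2"; tmp="$3"; starttls="$4"; problems=0
    [ -f "$so" ] || {
        echo "plugin not found: $so (make install places it under /usr/local/lib)"
        problems=$((problems + 1)); }
    ldap_config_name_ok "$cfg" || {
        echo "rename $cfg: a *.conf file is loaded as a VPN config by the init script"
        problems=$((problems + 1)); }
    tmp_dir_ok "$tmp" || {
        echo "tmp-dir $tmp is missing or not writable; deferred auth will fail"
        problems=$((problems + 1)); }
    # Only start_tls and clear text are supported: without -Z the bind DN's
    # password crosses the network unencrypted. A warning, not a failure.
    [ "$starttls" = "yes" ] || echo "warning: no -Z, LDAP bind is in clear text"
    [ "$problems" -eq 0 ] && printf 'plugin %s -c %s\ntmp-dir %s\n' "$so" "$cfg" "$tmp"
    return "$problems"
}

if [ $# -eq 4 ]; then
    preflight "$@"
fi
```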


Once you have an OpenVPN process running, you can test authentication with the tests/testplugin binary in the source tree. Normally you'd do something like this:

$ cd tests
$ ./testplugin -c /etc/openvpn/ldap-auth-config

The testplugin tool will output lots of useful information, but monitoring the LDAP server logs / console output also helps.