HI. I have a freeIPA server, on the server I have a group 'ovpn-users' which is designed to be a group to allow access to our OpenVPN server and to enforce OTP when connecting to the VPN. My current setup works 'fine' - however it is allowing any user from any group access to the VPN, as soon as I enable RequireGroup True I cannot login at all. I have tried every combination I can think of and altered the Group BaseDN, whatever I try doesn't work. My workaround/hack to get this to work is to leave 'RequireGroup False' and change the user search filter to SearchFilter "(uid=ovpn-%u)" As all VPN usernames start with prefix ovpn- i.e ovpn-user1 Which means when they login to VPN then omit the prefix ovpn- (i.e in above case use = user1) Can anyone help get 'RequireGroup' working ? With ldapsearch I can see ovpn-users user uid's using (I have omitted domain/user names) --- # ldapsearch -Y gssapi -b cn=groups,cn=accounts,dc=xxxx,dc=xxxx '(cn=ovpn-users)' SASL/GSSAPI authentication started SASL username: xxxx(a)xxxx.xxxx SASL SSF: 256 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <cn=groups,cn=accounts,dc=xxxx,dc=xxxx> with scope subtree # filter: (cn=ovpn-users) # requesting: ALL # # ovpn-users, groups, accounts, xxxx.xxxx dn: cn=ovpn-users,cn=groups,cn=accounts,dc=xxxx,dc=xxxx member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx memberOf: ipaUniqueID=d1fbb816-1071-11ea-ab30-063361404bd4,cn=hbac,dc=xxxx,dc= xxxx cn: ovpn-users description: OpenVPN users objectClass: top objectClass: groupofnames objectClass: nestedgroup objectClass: ipausergroup objectClass: ipaobject objectClass: posixgroup ipaUniqueID: e6415bdc-1071-11ea-814c-063361404bd4 gidNumber: 1928600030 # search result search: 4 result: 0 Success # numResponses: 2 # numEntries: 1 --- And I have tried in the config --- <Group> BaseDN "cn=groups,cn=accounts,dc=xxxx,dc=xxxx" SearchFilter "(cn=ovpn-users)" MemberAttribute member # Add group members to a PF table (disabled) #PFTable ips_vpn_eng </Group> -- I have also tried replacing the 'MemberAttribute' field with - member - memberUid - memberOF And have tried (probably over 100) different values in Group and user BaseDN [1] Has anyone got RequireGroup to work ? Also I have these oquestions .. [2] Also : What can I do about RHEL8 ? with the auth-ldap package ? There is no package on rhel/centos8 and you cannot compile it as objective C support is removed from rhel8 [3] Are there going to be changes to IPA and PAM so I can use openvpn+IPA+OTP without need for auth-ldap? Thanks ---