1 files changed, 58 insertions, 2 deletions

diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 2ae353e8..5a269b43 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -246,7 +246,7 @@ The required config file may look like:
   # LDAP server URL
   URL             ldap://ldap.example.com
   # Bind DN (If your LDAP server doesn't support anonymous binds)
-  BindDN          cn=Manager,dc=example,dc=com
+  BindDN          cn=LDAPUser,dc=example,dc=com
   # Bind Password password
   Password        S3cr3t
   # Network timeout (in seconds)
@@ -258,10 +258,66 @@ The required config file may look like:
   BaseDN          "ou=people,dc=example,dc=com"
   # User Search Filter
   SearchFilter    "(&(uid=%u)(objectClass=shadowAccount))"
-  # Require Group Membership
+  # Require Group Membership - allow all users
   RequireGroup    false
   </Authorization>
 
+Active Directory
+****************
+
+Despite the fact that AD is a superset of LDAP
+
+.. code-block:: sh
+
+  <LDAP>
+    # LDAP server URL
+    URL ldap://dc01.example.com
+    # Bind DN (If your LDAP server doesn’t support anonymous binds)
+    BindDN CN=LDAPUser,DC=example,DC=com
+    # Bind Password
+    Password mysecretpassword
+    # Network timeout (in seconds)
+    Timeout  15
+    # Enable Start TLS
+    TLSEnable no
+    # Follow LDAP Referrals (anonymously)
+    FollowReferrals no
+  </LDAP>
+
+  <Authorization>
+    # Base DN
+    BaseDN        "DC=example,DC=com"
+    # User Search Filter, user must be a member of the VPN AD group
+    SearchFilter  "(&(sAMAccountName=%u)(memberOf=CN=VPN,OU=Groups,DC=example,DC=com))"
+    # Require Group Membership
+    RequireGroup    false # already handled by SearchFilter
+    <Group>
+      BaseDN        "OU=Groups,DC=example,DC=com"
+      SearchFilter  "(|(cn=VPN))"
+      MemberAttribute  memberOf
+    </Group>
+  </Authorization>
+
+If you only wan't to check if the user account is enabled and can authenticate
+(against the primary group) the following snipped is sufficient:
+
+.. code-block:: sh
+
+  <LDAP>
+    URL ldap://ds0001.gefoekom.de
+    BindDN CN=SA_OPENVPN,OU=ServiceAccounts,OU=GS,OU=GeFoekoM,DC=gefoekom,DC=de
+    Password g7LjfjmlPhhHnvmal75hbfdknms-44
+    Timeout  15
+    TLSEnable no
+    FollowReferrals no
+  </LDAP>
+
+  <Authorization>
+    BaseDN          "OU=GeFoekoM,DC=gefoekom,DC=de"
+    SearchFilter    "sAMAccountName=%u"
+    RequireGroup    false
+  </Authorization>
+
 A complete LDAP auth OpenVPN configuration could look like the following example:
 
 .. code-block:: sh