Bug #1613

closed

OpenVPN LDAP authentication should not modify mail attribute as login.

Added by Deon George almost 13 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date: 06/22/2011
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.0
Affected Architecture:

Description

I have set up an LDAP user directory, using mail as the unique search key (to find users). In the organisation I work for (>100K employees), this is the unique attribute that is the key to all other authentication activities - and that the users use instinctively.

In /etc/inc/auth.inc, around line 902 (which is called when openvpn authenticates a user with user auth), if a username is presented with an '@' character, it is split around the '@' to get the left hand side value - which means that an LDAP attribute of "mail" cannot be used to authenticate an OpenVPN user. In an example, of , there may be many "fred"'s in the organisation, and the search of (mail=fred) - the resulting query - will always fail.

While I guess the split was there for other reasons, I don't believe it is the right approach for LDAP attributes - particularly those that are used to store email addresses.
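The following is an added illustration of the failure described in this report; it is not pfSense's auth.inc nor any code from the reporter. It reproduces the two behaviours side by side: a lookup that discards everything after the first '@' before searching, and one that searches on the full presented value. Function names (buildUserFilter, escapeFilterValue, countMatches) and the two-entry sample directory are constructed for the example. The filter value is escaped per RFC 4515 in both cases, since the presented username is attacker-controlled input to the search filter.

```php
<?php
// Added example (not pfSense code). Shows why truncating the username at '@'
// breaks an LDAP lookup keyed on the "mail" attribute. All names are hypothetical.

/** Escape a value for use inside an LDAP search filter (RFC 4515). */
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ]);
}

/**
 * Build the (attr=value) filter used to locate the user.
 * $stripRealm = true reproduces the behaviour the bug report describes:
 * anything from the first '@' onward is discarded before the search.
 */
function buildUserFilter(string $attr, string $username, bool $stripRealm): string
{
    if ($stripRealm && ($at = strpos($username, '@')) !== false) {
        $username = substr($username, 0, $at);
    }
    return sprintf('(%s=%s)', $attr, escapeFilterValue($username));
}

/**
 * Count entries in a constructed in-memory directory that match a simple
 * (attr=value) equality filter. Stands in for an LDAP server here.
 */
function countMatches(array $directory, string $filter): int
{
    if (!preg_match('/^\((\w+)=(.*)\)$/', $filter, $m)) {
        return 0; // not a single equality filter
    }
    [, $attr, $escapedValue] = $m;
    $hits = 0;
    foreach ($directory as $entry) {
        if (isset($entry[$attr]) && escapeFilterValue($entry[$attr]) === $escapedValue) {
            $hits++;
        }
    }
    return $hits;
}

// Constructed sample directory: two distinct users whose local part is "fred".
$directory = [
    ['mail' => 'fred@sales.example.com',   'uid' => 'fsmith'],
    ['mail' => 'fred@support.example.com', 'uid' => 'fjones'],
];

$presented = 'fred@sales.example.com'; // what the OpenVPN client sends

// Reported behaviour: realm stripped, search becomes (mail=fred), no entry matches.
$truncated = buildUserFilter('mail', $presented, true);
printf("%-32s -> %d match(es)\n", $truncated, countMatches($directory, $truncated));

// Full value searched: exactly one entry matches, so authentication can proceed.
$full = buildUserFilter('mail', $presented, false);
printf("%-32s -> %d match(es)\n", $full, countMatches($directory, $full));

// Escaping keeps a crafted username from altering the filter structure.
$crafted = buildUserFilter('mail', 'fred@sales.example.com)(uid=*', false);
printf("%-32s -> %d match(es)\n", $crafted, countMatches($directory, $crafted));
```

Run with `php example.php`. The truncated filter yields zero matches against the constructed directory, exactly the failure the report describes, while the full-value filter finds the single intended entry; the last line shows the escaped form of a malformed username being treated as a literal value rather than as additional filter syntax.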
