I'm looking to deploy openvpn as a linux RAS server (rather than site-to-site) and I'd like to use two factor authentication, specifically the use of ssl certificates and passwords tied into an ntlm domain or ldap server.
Is this even possible? I'm really struggling to dig up information on doing such a thing so I'm starting to doubt it a little. If anyone has done this it'd be good to know (or knows of an open source way to do such a thing), or even better has the openvpn server config needed to pull this off.
edit: I know an ssl cert isn't an ideal factor. :)
From the client side you need the following option to prompt the user for username/password
On the server side you need the following option to verify the username/password
scriptname is a script or program that openvpn will execute in order to verify the user/pass. If the script's return code is true (0), the user gets logged in, otherwise invalidated. method is the way user and pass parameters are passed to the scriptname. So you need to have a script/program to validate users based on an ldap server and you're done.
Edit: related documentation Using alternative authentication methods
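A minimal verify script for the mechanism this answer describes, as an added example (not the answerer's code): it implements the via-file contract of OpenVPN's auth-user-pass-verify directive (username on line 1, password on line 2 of the file named in argv[1]; exit 0 accepts, anything else rejects), binds to AD over LDAPS with the third-party ldap3 package, and additionally requires the client certificate's common name (exported by OpenVPN as the common_name environment variable) to match the username, so the two factors must belong to the same account. The script path, AD host, domain and length bound are placeholders.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify script, via-file method.

Assumed server config:
    script-security 2
    auth-user-pass-verify /etc/openvpn/ldap-auth.py via-file
"""
import os
import sys

MAX_LEN = 128  # hypothetical bound on username/password length


def parse_credentials(text):
    """Parse the via-file body. Returns (user, password) or None if malformed."""
    lines = text.split("\n")
    if len(lines) < 2:
        return None
    user, password = lines[0], lines[1]
    if not user or not password or len(user) > MAX_LEN or len(password) > MAX_LEN:
        return None
    # Reject control characters: the username ends up in the LDAP bind identity.
    if any(ord(c) < 32 for c in user + password):
        return None
    return user, password


def ldap_bind(user, password, host="dc.example.com", domain="EXAMPLE.COM"):
    """Simple bind to AD as user@domain over LDAPS (placeholder host/domain)."""
    import ldap3  # third-party package, assumed installed
    from ldap3.core.exceptions import LDAPException
    server = ldap3.Server(host, use_ssl=True, get_info=ldap3.NONE)
    try:
        conn = ldap3.Connection(server, user=f"{user}@{domain}",
                                password=password, auto_bind=True)
    except LDAPException:
        return False
    conn.unbind()
    return True


def verify(text, common_name, authenticate=ldap_bind):
    """Return the exit code: 0 accepts the client, 1 rejects it."""
    creds = parse_credentials(text)
    if creds is None:
        return 1
    user, password = creds
    # Tie the certificate factor to the password factor before touching LDAP.
    if common_name is None or common_name.lower() != user.lower():
        return 1
    return 0 if authenticate(user, password) else 1


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(1)
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        body = f.read()
    sys.exit(verify(body, os.environ.get("common_name")))
```

Prefer via-file over via-env: with via-env the password sits in the process environment, and any failure path should still never write the password to logs.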
I have a friend who is doing exactly that: OpenVPN with SSL certificates used to authenticate each endpoint, then a username/password prompt appears and the user's credentials are authenticated off an AD server via LDAP before the OpenVPN connection will come up. I know that's what he's doing, as I have on occasion had credentials to use it, and thus logged in myself. So yes, it's possible, but I don't have the configs; sorry.
Have you tried to follow http://openvpn.net/index.php/open-source/documentation/howto.html#security and use the openvpn-auth-pam?
Have not done it myself, but would go the path described in https://help.ubuntu.com/community/ActiveDirectoryHowto#Pam to setup pam against AD. After that's done, telling openvpn to use pam shouldn't be hard.
I use OpenVPN as a RAS server on Ubuntu and for two-fold authentication I have a Deepnet Authentication Server which generates One Time Passwords to be used in conjunction with static passwords - which in turn authenticates the VPN users to AD.