Hi.
I have a FreeIPA server; on the server I have a group 'ovpn-users', which is
designed to allow access to our OpenVPN server and to enforce OTP when
connecting to the VPN.
My current setup works 'fine'; however, it allows any user from any group
access to the VPN. As soon as I enable
RequireGroup True
I cannot log in at all.
I have tried every combination I can think of and altered the Group BaseDN; whatever I try
doesn't work.
My workaround/hack to get this to work is to leave 'RequireGroup False' and change
the user search filter to
SearchFilter "(uid=ovpn-%u)"
as all VPN usernames start with the prefix ovpn-, i.e.
ovpn-user1
which means that when they log in to the VPN they omit the prefix ovpn- (i.e. in the above case use
user1).
Can anyone help get 'RequireGroup' working?
With ldapsearch I can see the ovpn-users members' uids using the following (I have omitted domain/user
names):
---
# ldapsearch -Y gssapi -b cn=groups,cn=accounts,dc=xxxx,dc=xxxx '(cn=ovpn-users)'
SASL/GSSAPI authentication started
SASL username: xxxx(a)xxxx.xxxx
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=xxxx,dc=xxxx> with scope subtree
# filter: (cn=ovpn-users)
# requesting: ALL
#
# ovpn-users, groups, accounts, xxxx.xxxx
dn: cn=ovpn-users,cn=groups,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
memberOf: ipaUniqueID=d1fbb816-1071-11ea-ab30-063361404bd4,cn=hbac,dc=xxxx,dc=xxxx
cn: ovpn-users
description: OpenVPN users
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: e6415bdc-1071-11ea-814c-063361404bd4
gidNumber: 1928600030
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
---
And I have tried the following in the config:
---
<Group>
BaseDN "cn=groups,cn=accounts,dc=xxxx,dc=xxxx"
SearchFilter "(cn=ovpn-users)"
MemberAttribute member
# Add group members to a PF table (disabled)
#PFTable ips_vpn_eng
</Group>
---
I have also tried replacing the 'MemberAttribute' field with
- member
- memberUid
- memberOf
And I have tried (probably over 100) different values for the Group and user BaseDN.
[1] Has anyone got RequireGroup to work?
I also have these questions:
[2] What can I do about RHEL 8 and the auth-ldap package? There is no package on
RHEL/CentOS 8, and you cannot compile it, as Objective-C support is removed from RHEL 8.
[3] Are there going to be changes to IPA and PAM so I can use OpenVPN+IPA+OTP without the need
for auth-ldap?
Thanks
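As an added example for this thread (not code from the poster or from the auth-ldap project), the script below emulates the membership decision an auth-ldap-style RequireGroup check makes, run against an LDIF modelled on the group entry posted above. It parses the entry (unfolding the wrapped memberOf line as RFC 2849 prescribes) and then tries the two ways a plugin can match a user against a group: comparing the user's full DN with the values of 'member' (what the auth-ldap README calls RFC2307bis mode; that the build in use offers the option is an assumption), or comparing the bare login name with 'memberUid'. The entry above carries 'member' values that are full DNs and no 'memberUid' at all, so a login-name-versus-member comparison can never succeed, which is consistent with RequireGroup rejecting everyone. The suffix dc=example,dc=test, the uids ovpn-alice and ovpn-bob, and the compat-tree entry (FreeIPA's cn=compat view of the group as a posixGroup with memberUid) are assumptions standing in for the redacted values. The last function also shows what the '(uid=ovpn-%u)' workaround does: with RequireGroup off, any user who can bind is admitted and group membership is never consulted.

```python
"""Emulate the RequireGroup decision of an auth-ldap-style OpenVPN plugin
against a FreeIPA group entry.  Added example for this thread; not code from
the poster or from the auth-ldap project."""

import re

# Constructed LDIF modelled on the group entry in the post.  Suffix and uids are
# assumptions replacing redacted values.  Note: 'member' holds full DNs and there
# is no 'memberUid'.  The memberOf line is folded as an LDAP server would wrap it.
ACCOUNTS_GROUP_LDIF = """\
dn: cn=ovpn-users,cn=groups,cn=accounts,dc=example,dc=test
member: uid=ovpn-alice,cn=users,cn=accounts,dc=example,dc=test
member: uid=ovpn-bob,cn=users,cn=accounts,dc=example,dc=test
memberOf: ipaUniqueID=d1fbb816-1071-11ea-ab30-063361404bd4,cn=hbac,dc=example,dc=
 test
cn: ovpn-users
objectClass: groupofnames
objectClass: posixgroup
gidNumber: 1928600030
"""

# Constructed entry for the same group as FreeIPA's compat tree presents it
# (assumption: a posixGroup under cn=compat carrying memberUid values).
COMPAT_GROUP_LDIF = """\
dn: cn=ovpn-users,cn=groups,cn=compat,dc=example,dc=test
objectClass: posixGroup
cn: ovpn-users
gidNumber: 1928600030
memberUid: ovpn-alice
memberUid: ovpn-bob
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute lower-cased: [values]}.
    RFC 2849 continuation lines (leading single space) are unfolded first."""
    unfolded = re.sub(r"\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def dn_key(dn):
    """Comparison key for a DN: lower-cased, spaces around RDNs stripped.
    Good enough for this demo; a real implementation follows RFC 4514."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def group_contains_user(group, member_attr, user_dn, login, rfc2307bis):
    """The check RequireGroup hinges on.  rfc2307bis=True: the user's full DN
    must appear in member_attr (groupOfNames/member).  rfc2307bis=False: the
    bare login name must appear there (posixGroup/memberUid)."""
    values = group.get(member_attr.lower(), [])
    if rfc2307bis:
        return any(dn_key(v) == dn_key(user_dn) for v in values)
    return login in values


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (this example's
    own precaution, not a statement about what the plugin does)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(template, login):
    """Expand the %u placeholder of an auth-ldap SearchFilter template."""
    return template.replace("%u", escape_filter_value(login))


def authorize(login, user_dn, group, member_attr, rfc2307bis, require_group):
    """Outcome after a successful bind: with RequireGroup off every bound user
    is admitted; with it on the group check decides."""
    if not require_group:
        return True
    return group_contains_user(group, member_attr, user_dn, login, rfc2307bis)


if __name__ == "__main__":
    accounts = parse_ldif_entry(ACCOUNTS_GROUP_LDIF)
    compat = parse_ldif_entry(COMPAT_GROUP_LDIF)
    alice = "uid=ovpn-alice,cn=users,cn=accounts,dc=example,dc=test"
    cases = [
        ("accounts tree, member, RFC2307bis off", accounts, "member", False),
        ("accounts tree, member, RFC2307bis on", accounts, "member", True),
        ("accounts tree, memberUid", accounts, "memberUid", False),
        ("compat tree, memberUid", compat, "memberUid", False),
    ]
    for label, grp, attr, bis in cases:
        print("%-40s -> %s" % (label, authorize("ovpn-alice", alice, grp, attr, bis, True)))
    print("expanded filter:", user_search_filter("(uid=ovpn-%u)", "user1"))
```

Run it directly to print the four outcomes for ovpn-alice: only the full-DN comparison against 'member', or a memberUid comparison against a compat-tree entry, admits the user. Which of those two routes applies depends on whether the installed plugin build accepts the RFC2307bis option, so check its README or source before relying on either; and if the prefix workaround stays in place, remember that every user whose uid starts with ovpn- is admitted, whether or not they are in ovpn-users.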