Netgate Discussion Forum

    OpenVPN Auth. per AD Group Membership

    2.0-RC Snapshot Feedback and Problems - RETIRED
    22 Posts 4 Posters 16.8k Views
    vito:

    I am sure I am missing something here.
    I have my Auth. server set up and OpenVPN is working if I point to an OU with user names.

    What I am trying to do is have OpenVPN auth. against the AD group called "AllowedOpenVPNUsers".
    Users in this group will be the only ones allowed to use the VPN.
    That security group is located in a different OU.

    I had this working in 1.2.3 (post below), so I could be missing a setting or two.
    http://forum.pfsense.org/index.php/topic,14946.0.html

    Thanks in advance.

    2.0 Beta 4
    Sep 27 4:12:19

    vito:

    The only thing I found so far is this post.
    http://forum.pfsense.org/index.php/topic,25166.0.html
    Still no luck.

    vito:

    I still cannot seem to get this working.
    Is there something I am missing in the config?
    Any help would be great. :)
    Thanks again.

    2.0-BETA4 (i386)
    built on Mon Oct 18 15:51:06 EDT 2010
    FreeBSD 8.1-RELEASE-p1

    vito:

    Ok,
    I tried everything I could think of.
    I added the group directly to Authentication containers per the example; nothing.
    The users are in this OU (OU=SBSUsers,OU=Users,OU=MyBusiness,….,....)
    The security group is here (CN=AllowedOpenVPNUsers,OU=Security Groups,OU=MyBusiness,...,...)

    Authentication containers does not show the groups in the OU, as this post appears to state: http://forum.pfsense.org/index.php/topic,25166.msg150474.html#msg150474

    It does not appear the group membership is being read from the group AllowedOpenVPNUsers.
    Also, the "Please select which containers to Authenticate against" box allows for multi-selection, yet only one FDN is shown.

    Authenticating to an SBS 2008 server.

    Anyone have this working?
    Should I report it as a bug/feature?
    Any help would be appreciated.

    NOTE: auth directly to the user OU works, but then that allows everyone in the OU access.

    Juve:

    Hi there.

    I made a patch two weeks ago to use AD group membership for my OpenVPN server.

    I use it every day; it still can be improved but works well.

    auth.inc.patch.txt

    vito:

    Juve!!
    Thank you!!!
    So I was not going nuts with this? A stock build does not work with AD groups?
    I had to hack it together in 1.2.3 (see link above), but thought it would be working in 2.0,
    especially with the group attribute being listed.
    Did I miss a bug ticket or something?

    Was your patch submitted for inclusion in 2.0?

    Sorry for asking, but where is this file located in the file system?
    I will be testing today!!! :)
    Thanks!!!

    Juve:

    In the /etc/inc folder.

    Then you will have to supply the DN of the groups you want to check in => for example: CN=myOvpnUserGroup,OU=MyOU,DC=myDomain,DC=Priv

    This patch will not change the directory browser behaviour; it will still show the OUs only.

    Here is the patched file; just rename it to auth.inc.

    auth.inc.txt

    vito:

    So I would still specify the DN of the group under "Authentication Containers" in the GUI?

    Again, thanks!! :)

    Juve:

    Yes, that's it.

    vito:

    Juve,
    this is working for me now! :)

    Did you see a bug report for this?
    Thanks again for your help.

    Juve:

    It's not a bug; I think the default behaviour is to match on OU membership, not group membership.
    It's good to hear it's working :-)

    vito:

    Huh,
    I thought it could be a bug because of this post. Another user was looking for the same thing.
    http://forum.pfsense.org/index.php/topic,25166.msg150474.html#msg150474
    If not a bug, I think a feature request should be added.

    To me, not being able to pick group membership leaves issues due to the different ways admins configure AD.

    With your patch, can an OU still be checked for users and not a group? (I did not test that.)
    (Pretty much the way it was before.) Just so I know.

    Again, thanks; it is appreciated.
    :)

    Juve:

    No problem; the code checks if you are providing an OU DN or a group DN.
    It also checks if you are providing a special known builtin container which is neither an OU nor a group (e.g. cn=users, cn=computers, etc.).

    jimp (Rebel Alliance Developer, Netgate):

    Juve,

    Can you open a ticket on redmine with your patch?

    It could be imported into the base system if enough people test it out and say it works well, so long as it doesn't break other functionality.

                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

    dhudson4god:

    I applied this patch and it worked great.

    Thanks!

    The issue that I still notice is that I can't nest groups within my openvpn-allowed group in Active Directory. When I add a user directly to the group, they are allowed to auth, but when they are in a group (say "Staff") that is in the openvpn-allowed group, they cannot.

    This isn't a big issue for me, but it may affect some users with large domains.

    Thanks again!

    Juve:

    Recursive group membership checking is not yet included.
    It could be added; I'll look as soon as possible at how to add this feature. This feature will be LDAP query intensive, since group nesting will require checking if group members are group objects, and so on.

    @jimp, the ticket is open and assigned to you.

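The following is an added example, not Juve's patch and not pfSense code, that makes three points from this thread concrete against a constructed in-memory directory: telling an OU, a group and an AD builtin container apart from the DN an admin types into "Authentication containers" (Juve's reply above about OU DN vs. group DN vs. cn=users/cn=computers), the stock-style OU match that lets everyone under the OU in (vito's note), and a nested group membership walk that handles dhudson4god's "Staff" inside "openvpn-allowed" case with cycle protection, counting group reads to show why nesting is query intensive. All DNs, group names and users are made up; the dict stands in for LDAP search results.

```python
"""Added example (not pfSense code): container classification, OU match and
nested group membership resolution over a constructed in-memory directory."""

BASE = "DC=example,DC=local"                      # made-up domain
OU_USERS = f"OU=SBSUsers,OU=Users,OU=MyBusiness,{BASE}"
OU_GROUPS = f"OU=Security Groups,OU=MyBusiness,{BASE}"
VPN_GROUP = f"CN=AllowedOpenVPNUsers,{OU_GROUPS}"
STAFF_GROUP = f"CN=Staff,{OU_GROUPS}"
BUILTIN_USERS = f"CN=Users,{BASE}"                # AD builtin container, not an OU
ALICE = f"CN=alice,{OU_USERS}"
BOB = f"CN=bob,{OU_USERS}"
CAROL = f"CN=carol,{OU_USERS}"

# Constructed directory: DN -> attributes, standing in for LDAP search results.
# alice is a direct member of the VPN group, bob only via the nested Staff
# group, carol sits in the same OU but is in neither group.  Staff also lists
# the VPN group as a member, a cycle that a naive recursion would loop on.
DIRECTORY = {
    OU_USERS: {"objectClass": ["top", "organizationalUnit"]},
    OU_GROUPS: {"objectClass": ["top", "organizationalUnit"]},
    BUILTIN_USERS: {"objectClass": ["top", "container"]},
    VPN_GROUP: {"objectClass": ["top", "group"], "member": [ALICE, STAFF_GROUP]},
    STAFF_GROUP: {"objectClass": ["top", "group"], "member": [BOB, VPN_GROUP]},
    ALICE: {"objectClass": ["top", "person", "user"]},
    BOB: {"objectClass": ["top", "person", "user"]},
    CAROL: {"objectClass": ["top", "person", "user"]},
}


def object_classes(dn):
    """objectClass values of one entry (a base-scope LDAP read in real life)."""
    entry = DIRECTORY.get(dn)
    return {c.lower() for c in entry.get("objectClass", [])} if entry else set()


def classify_container(dn):
    """'ou', 'group', 'builtin' or 'unknown' for an Authentication containers DN.
    The leading RDN attribute gives the first cut; objectClass settles CN= entries."""
    rdn_attr = dn.split("=", 1)[0].strip().lower()
    classes = object_classes(dn)
    if rdn_attr == "ou" or "organizationalunit" in classes:
        return "ou"
    if "group" in classes:
        return "group"
    if rdn_attr == "cn" and "container" in classes:
        return "builtin"  # CN=Users, CN=Computers: neither OU nor group
    return "unknown"


def in_container(user_dn, container_dn):
    """OU-style match: the user object sits somewhere under the container.
    Every object below the OU passes, which is the over-broad grant the
    original poster hit when pointing the auth server at the user OU."""
    return user_dn.lower().endswith("," + container_dn.lower())


def is_group_member(user_dn, group_dn, max_depth=10):
    """Return (is_member, group_reads).  Depth-first walk over 'member'
    attributes, descending into members that are themselves groups.  The
    visited set stops cycles and max_depth caps the walk; max_depth=0 means
    direct members only.  group_reads counts group entries read; the per-member
    objectClass check would be further reads against a real directory."""
    target = user_dn.lower()
    stack = [(group_dn, 0)]
    seen = set()
    group_reads = 0
    while stack:
        dn, depth = stack.pop()
        if dn.lower() in seen or depth > max_depth:
            continue
        seen.add(dn.lower())
        group_reads += 1
        entry = DIRECTORY.get(dn)
        if not entry:
            continue
        for member in entry.get("member", []):
            if member.lower() == target:
                return True, group_reads
            if "group" in object_classes(member):
                stack.append((member, depth + 1))
    return False, group_reads


def authorize(user_dn, containers, allow_nested=True):
    """Allow the login if any configured container admits the user, treating
    OU and builtin containers by location and groups by membership."""
    depth = 10 if allow_nested else 0
    for container in containers:
        kind = classify_container(container)
        if kind in ("ou", "builtin") and in_container(user_dn, container):
            return True
        if kind == "group" and is_group_member(user_dn, container, depth)[0]:
            return True
    return False


if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        print(user.split(",")[0], "OU match:", authorize(user, [OU_USERS]),
              "direct group:", authorize(user, [VPN_GROUP], allow_nested=False),
              "nested group:", authorize(user, [VPN_GROUP]))
```

Running it shows carol admitted by the OU match but rejected by the group, and bob admitted only once nesting is resolved, at the cost of one extra group read per nesting level.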
    jimp (Rebel Alliance Developer, Netgate):

    Looks like we need a patch for that instead of a whole file.

    And it will have to wait for 2.1, it looks like, but if you have a patch then others can always patch it in if they want the feature in the meantime.


    vito:

    jimp,
    do you mean recursive group membership checking as a patch for 2.1, or the original patch Juve added?
    Thanks!

    jimp (Rebel Alliance Developer, Netgate):

    The original code for AD group matching.


    vito:

    Thanks jimp.
    Not sure if you saw Juve's patch file on the first page.
    He attached two files to the post.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.