OpenVPN Auth. per AD Group Membership



  • I am sure i am missing something here.
    I have my Auth. server setup and OpenVpn is working if i point to an OU with user names.

    What i am trying to do is have OpenVPN auth. against the AD group called "AllowedOpenVPNUsers"
    users in this group will only be allowed to use the vpn
    That security group is located in a different OU.

    I had this working in 1.2.3 (post below) so i could be missing a setting or two.
    http://forum.pfsense.org/index.php/topic,14946.0.html

    Thanks in advance.

    2.0 Beta 4
    Sep 27 4:12:19



  • Only thing i found so far is this post.
    http://forum.pfsense.org/index.php/topic,25166.0.html
    still no luck.



  • I still can not seem to get this working.
    Is there something i am missing in the config?
    Any help would be great. :)
    Thanks again.

    2.0-BETA4 (i386)
    built on Mon Oct 18 15:51:06 EDT 2010
    FreeBSD 8.1-RELEASE-p1



  • Ok,
    I tried everything i could think of
    I added the group right to Authentication containers per the example, nothing
    the users are in this OU (OU=SBSUsers,OU=Users,OU=MyBusiness,….,....)
    the security group is here (CN=AllowedOpenVPNUsers,OU=Security Groups,OU=MyBusiness,...,...

    Authentication containers does not show the groups in the OU as it apears to state from this post http://forum.pfsense.org/index.php/topic,25166.msg150474.html#msg150474

    It does not appear the group membership is being read from the group AllowedOpenVPNUsers
    Also, the "Please select which containers to Authenticate against" box allows for multi section, yet only one FDN is shown.

    auth to a SBS2008 server

    Anyone have this working?
    Should i report it as a bug/feature?
    Any help would be appreciated

    NOTE: auth right to the use OU works, but then that allows everyone in the OU access.



  • Hi there.

    I made a patch two weeks ago to use AD  group membership for my openvpn server.

    I use it everyday,it still can be improved but works well.

    auth.inc.patch.txt



  • Juve!!
    Thank You!!!
    So i was not going nuts with this? a stock build does not work with AD groups?
    I had to hack it together from 1.2.3 (see link above), but thought it would be working in 2.0.
    Especially with the group attribute being listed.
    Did i miss a bug ticket or something?

    Was your path submitted for inclusion in 2.0?

    Sorry for asking but Where is this file located in the file system?
    I will be testing today!!! :)
    Thanks!!!



  • In the /etc/inc folder.

    Then you will have to supply the DN of the groups you want to check in=> for example : CN=myOvpnUserGroup,OU=MyOU,DC=myDomain,DC=Priv

    This patch will not change the directory browser behaviour, it will still show the OUs only.

    Here is the  patched file, just rename it to auth.inc.

    auth.inc.txt



  • So i would still specify the DN of the group under "Authentication Containers" in the gui?

    again, thanks!! :)



  • Yes, that's it.



  • juve
    This is working for me now! :)

    Did you see a bug report for this?
    Thanks again for your help



  • It's not a bug, I think the default behaviour is to match on OUs membership, not group membership.
    It's good to hear it's working :-)



  • huh,
    I thought it could be a bug because of this post. Another user was looking for the same thing.
    http://forum.pfsense.org/index.php/topic,25166.msg150474.html#msg150474
    If not a bug, I think a feature request should be added.

    To me, not to be able to pick Group Membership leaves issues due to the different ways admin's configure AD.

    With your patch, can an OU still be checked for users and not group? (did not test that)
    (pretty much the way it was before) Just so i know.

    Again thanks. it is appreciated
    :)



  • No problem, the code checks if you are providing an OU DN or a group DN.
    It also checks if you are providing a special known builtin container which is not an OU nor a group (eg: cn=users, cn=computers etc.).


  • Rebel Alliance Developer Netgate

    Juve,

    Can you open a ticket on redmine with your patch?

    It could be imported in to the base system if enough people test it out and say it works well, so long as it doesn't break other functionality.



  • I applied this patch and it worked great.

    Thanks!

    The issue that I still notice is that I can't nest groups within my openvpn-allowed group in Active Directory.  When I add a user directly to the group, they are allowed to auth, but when they are in a group (say "Staff") that is in the openvpn-allowed group, they cannot.

    This isn't a big issue for me, but it may affect some users with large domains.

    Thanks again!



  • Recursive group membership checking is not yet included.
    It could be added, I'll look as soon as possible on how to add this feature. This feature will be LDAP query intensive, since group nesting will require checking if group members are group objects and so on.

    @Jimp, the ticket is open and assigned to you.


  • Rebel Alliance Developer Netgate

    Looks like we need a patch for that instead of a whole file.

    And it will have to wait for 2.1 it looks like, but if you have a patch then others can always patch it in if they want the feature in the meantime.



  • jimp,
    do you mean Recursive group membership checking as a patch for 2.1 or the original patch juve added?
    thanks!


  • Rebel Alliance Developer Netgate

    The original code for AD group matching.



  • thanks jimp
    not sure if you saw juve patch file on the first page.
    he attached two files to the post.


  • Rebel Alliance Developer Netgate

    Yes but the file has changed quite a bit since then, not sure if it still applies cleanly. (It may, I haven't tried)



  • I updated to the latest snap to test the patch file.
    I am not having any luck, but I am not a programmer. :)
    The original auth.inc file that Juve posted does work in the new snap for open VPN, but not sure if anything else is broken since the file was changed allot. (As jimp noted)
    Juve, I hate to ask but have you worked on this with new snaps?  Please let me know if I can help.
    Without group searches, I think this severely hurts the AD lookup function. (IMHO)


Log in to reply