[Patch included] Active Directory group membership checking for 2.0.1
Juve last edited by
Here is the updated patch for 2.0.1 for enabling ldap group memebership checking when using active directory.
It is working for OUs, builtin groups and groups.
It does not support nested groups, users must be in the group you are using as authentication container.
Download the file "auth.inc.adgroup.patch.txt" and rename it to "auth.inc.adgroup.patch",
then patch the auth.inc file (located in /etc/inc) with "patch -i auth.inc.adgroup.patch"
For example, if your domain is "MYDOMAIN.PRIVATE" and users allowed to connect remotely through openvpn are members of the group named "OpenVPN-RAS" in the OU named "Security", your configuration should look like the attached screenshot.
bobwondernut last edited by
You are so awesome it hurts.
rcampbell last edited by
I'm trying to patch this file but am not having much luck. First I tried using WinSCP to copy the file however the file system is read only.
I then used the Diagnostics - Command Prompt screen to Upload the file. It put it in the /tmp folder. I ran a command from the same screen to move it to /etc/inc. Finally I ran the following through the same screen to patch it 'patch -i /etc/inc/auth.inc.adgroup.patch'. By checking the date modified on the auth.inc file I can see it hasn't changed.
Can you tell me how to apply this patch correctly?
PeterP3 last edited by
I've not tested the Patch. But the first thing which you have to do is to make the Filesystem writeable.
Login with ssh and type this in:
if you reboot or type this command in: /etc/rc.conf_mount_ro
your system is readonly again.
donkers last edited by
Hey, I have been trying to use your patch and can't work out what I'm doing wrong. I applied the patch OK and created a new entry in 'System: Authentication Servers' then configured OpenVPN server to uses it. Any help would be great
The System: Authentication Servers entry:
System: Authentication Servers
Descriptive name OpenVPNUsers
LDAP Server Settings
Hostname or IP address 10.10.10.10
Port value 389
Peer Certificate Authority internal-ca
Protocol version 3
Level: Entire Subtree
Base DN: DC=domain,DC=com,DC=au
Containers: CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au
User DN: readonlyuser
User naming attribute samAccountName
Group naming attribute cn
Group member attribute memberOf
Jun 6 15:51:24 openvpn: 18.104.22.168:19534  Peer Connection Initiated with [AF_INET]22.214.171.124:19534
Jun 6 15:53:55 openvpn: 126.96.36.199:19534 Re-using SSL/TLS context
Jun 6 15:53:55 openvpn: 188.8.131.52:19534 LZO compression initialized
Jun 6 15:53:58 openvpn: : Now Searching for janedoe in directory.
Jun 6 15:53:58 openvpn: : The container string contains at least one group, we need to find user DN now
Jun 6 15:53:58 openvpn: : User found
Jun 6 15:53:58 openvpn: : Now Searching in server OpenVPNUsers, container CN=TechNet OpenVPN Users,OU=Users with filter (samaccountname=janedoe).
Jun 6 15:53:58 openvpn: : Search resulted in error: Success
Jun 6 15:53:58 openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
Jun 6 15:53:58 openvpn: user janedoe could not authenticate.
Jun 6 15:53:58 openvpn: 184.108.40.206:19534 WARNING: Failed running command (–auth-user-pass-verify): external program exited with error status: 255
Jun 6 15:53:58 openvpn: 220.127.116.11:19534 TLS Auth Error: Auth Username/Password verification failed for peer