Netgate Discussion Forum

    [Patch included] Active Directory group membership checking for 2.0.1

    Category: OpenVPN
    5 Posts 5 Posters 4.3k Views
    • Juve

      Hi all,

      Here is the updated patch for 2.0.1 for enabling LDAP group membership checking when using Active Directory.
      It is working for OUs, builtin groups and groups.
      It does not support nested groups; users must be in the group you are using as the authentication container.

      Download the file "auth.inc.adgroup.patch.txt" and rename it to "auth.inc.adgroup.patch",
      then patch the auth.inc file (located in /etc/inc) with "patch -i auth.inc.adgroup.patch"

      For example, if your domain is "MYDOMAIN.PRIVATE" and users allowed to connect remotely through openvpn are members of the group named "OpenVPN-RAS" in the OU named "Security", your configuration should look like the attached screenshot.

      Attachments: ldap.png, auth.inc.adgroup.patch.txt

      • bobwondernut

        You are so awesome it hurts.

        • rcampbell

          I'm trying to patch this file but am not having much luck. First I tried using WinSCP to copy the file; however, the file system is read-only.

          I then used the Diagnostics - Command Prompt screen to Upload the file.  It put it in the /tmp folder.  I ran a command from the same screen to move it to /etc/inc.  Finally I ran the following through the same screen to patch it 'patch -i /etc/inc/auth.inc.adgroup.patch'.  By checking the date modified on the auth.inc file I can see it hasn't changed.

          Can you tell me how to apply this patch correctly?

          • PeterP3

            I've not tested the patch. But the first thing you have to do is make the filesystem writable.

            Log in with SSH and type this in:

            /etc/rc.conf_mount_rw

            If you reboot or type this command in:

            /etc/rc.conf_mount_ro

            your system is read-only again.

            • donkers

              Hey, I have been trying to use your patch and can't work out what I'm doing wrong. I applied the patch OK and created a new entry in 'System: Authentication Servers', then configured the OpenVPN server to use it. Any help would be great.

              The System: Authentication Servers entry:

              Descriptive name: OpenVPNUsers
              Type: LDAP

              LDAP Server Settings
              Hostname or IP address: 10.10.10.10
              Port value: 389
              Transport: TCP
              Peer Certificate Authority: internal-ca
              Protocol version: 3
              Search scope
              Level: Entire Subtree
              Base DN: DC=domain,DC=com,DC=au
              Authentication containers
              Containers: CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au

              Bind credentials
              User DN: readonlyuser
              Password: password
              User naming attribute: samAccountName
              Group naming attribute: cn
              Group member attribute: memberOf

              OpenVPN Log:

              Jun 6 15:51:24 openvpn[45763]: 49.176.33.77:19534 [] Peer Connection Initiated with [AF_INET]49.176.33.77:19534
              Jun 6 15:53:55 openvpn[45763]: 49.176.33.77:19534 Re-using SSL/TLS context
              Jun 6 15:53:55 openvpn[45763]: 49.176.33.77:19534 LZO compression initialized
              Jun 6 15:53:58 openvpn: : Now Searching for janedoe in directory.
              Jun 6 15:53:58 openvpn: : The container string contains at least one group, we need to find user DN now
              Jun 6 15:53:58 openvpn: : User found
              Jun 6 15:53:58 openvpn: : Now Searching in server OpenVPNUsers, container CN=TechNet OpenVPN Users,OU=Users with filter (samaccountname=janedoe).
              Jun 6 15:53:58 openvpn: : Search resulted in error: Success
              Jun 6 15:53:58 openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
              Jun 6 15:53:58 openvpn: user janedoe could not authenticate.
              Jun 6 15:53:58 openvpn[45763]: 49.176.33.77:19534 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
              Jun 6 15:53:58 openvpn[45763]: 49.176.33.77:19534 TLS Auth Error: Auth Username/Password verification failed for peer

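The Python below is an added example, not code from this thread and not pfSense's own auth.inc. It models the check that Juve's first post describes the patch as performing, and that donkers' log walks through: search for the user by sAMAccountName under the base DN, require exactly one hit (zero or several hits is the "Either LDAP search failed, or multiple users were found" path in the log), then test direct membership of a CN= container or location under an OU= container. It runs against a constructed in-memory directory; the entries, BASE_DN, the group names and the relative-container handling in _qualify are all assumptions for illustration. It also shows the caveat from the first post: a user who reaches the group only through a nested group is rejected, because only the user's own memberOf values are consulted.

```python
"""Direct (non-nested) Active Directory group membership check.

Constructed example: the directory entries below are made up for this
demonstration and stand in for a live LDAP server.  Nothing here is taken
from pfSense's auth.inc; it only mirrors the sequence of steps the forum
thread describes (user search -> exactly one result -> container check).
"""

BASE_DN = "DC=domain,DC=com,DC=au"                       # assumption
GROUP_CONTAINER = "CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au"

# Constructed sample directory: DN -> attributes (lower-cased attribute names).
DIRECTORY = {
    "CN=janedoe,OU=Users,DC=domain,DC=com,DC=au": {
        "samaccountname": "janedoe",
        "memberof": ["CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au"],
    },
    # bob is only in "VPN Admins", which is itself nested inside "OpenVPN Users".
    "CN=bob,OU=Staff,DC=domain,DC=com,DC=au": {
        "samaccountname": "bob",
        "memberof": ["CN=VPN Admins,OU=Users,DC=domain,DC=com,DC=au"],
    },
    # Two accounts share a sAMAccountName: the search must reject this case.
    "CN=dupe,OU=Staff,DC=domain,DC=com,DC=au": {"samaccountname": "dupe", "memberof": []},
    "CN=dupe,OU=Contractors,DC=domain,DC=com,DC=au": {"samaccountname": "dupe", "memberof": []},
    # The nested group object itself (no samaccountname in this toy directory).
    "CN=VPN Admins,OU=Users,DC=domain,DC=com,DC=au": {
        "objectclass": "group",
        "memberof": ["CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au"],
    },
}


def _norm(dn):
    """Case-fold a DN and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _qualify(container, base_dn):
    """Append the base DN when the container was written relative to it (assumption)."""
    c, b = _norm(container), _norm(base_dn)
    return c if c.endswith(b) else c + "," + b


def is_group_container(container):
    """A container whose first RDN is CN=... names a group (builtin or not); OU=... is an OU."""
    return _norm(container).split(",", 1)[0].startswith("cn=")


def search_users(directory, base_dn, username):
    """Emulate a subtree search under base_dn with the filter (samaccountname=<username>)."""
    base = _norm(base_dn)
    return [
        dn
        for dn, attrs in directory.items()
        if _norm(dn).endswith("," + base)
        and attrs.get("samaccountname", "").lower() == username.lower()
    ]


def check_membership(directory, base_dn, containers, username):
    """Return (allowed, reason).  `containers` is a ';'-separated list as pfSense stores it."""
    matches = search_users(directory, base_dn, username)
    if len(matches) != 1:
        # Zero hits (wrong base DN, wrong bind, wrong attribute) and duplicate
        # hits are both rejected, which is what the "multiple users" log line reports.
        return False, "ERROR! Either LDAP search failed, or multiple users were found."
    user_dn = matches[0]
    member_of = {_norm(g) for g in directory[user_dn].get("memberof", [])}
    for container in containers.split(";"):
        if not container.strip():
            continue
        target = _qualify(container, base_dn)
        if is_group_container(container):
            # Direct membership only: nested groups are never expanded.
            if target in member_of:
                return True, f"{username} is a direct member of {container.strip()}"
        elif _norm(user_dn).endswith("," + target):
            # OU container: the user's own DN must sit under it.
            return True, f"{username} is located under {container.strip()}"
    return False, f"user {username} could not authenticate."


if __name__ == "__main__":
    for user in ("janedoe", "bob", "dupe", "nobody"):
        print(user, check_membership(DIRECTORY, BASE_DN, GROUP_CONTAINER, user))
```

Running the block prints one line per constructed user: janedoe is accepted through direct membership, bob is refused because his membership is only nested, dupe is refused on the duplicate-hit path, and nobody is refused on the zero-hit path. Passing "OU=Users,DC=domain,DC=com,DC=au" as the container exercises the OU branch instead.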
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.