[Patch included] Active Directory group membership checking for 2.0.1



  • Hi all,

    Here is the updated patch for 2.0.1 for enabling LDAP group membership checking when using Active Directory.
    It is working for OUs, builtin groups and groups.
    It does not support nested groups, users must be in the group you are using as authentication container.

    Download the file "auth.inc.adgroup.patch.txt" and rename it to "auth.inc.adgroup.patch",
    then patch the auth.inc file (located in /etc/inc) with "patch -i auth.inc.adgroup.patch"

    For example, if your domain is "MYDOMAIN.PRIVATE" and users allowed to connect remotely through openvpn are members of the group named "OpenVPN-RAS" in the OU named "Security", your configuration should look like the attached screenshot.



    auth.inc.adgroup.patch.txt



  • You are so awesome it hurts.



  • I'm trying to patch this file but am not having much luck.  First I tried using WinSCP to copy the file; however, the file system is read-only.

    I then used the Diagnostics - Command Prompt screen to Upload the file.  It put it in the /tmp folder.  I ran a command from the same screen to move it to /etc/inc.  Finally I ran the following through the same screen to patch it 'patch -i /etc/inc/auth.inc.adgroup.patch'.  By checking the date modified on the auth.inc file I can see it hasn't changed.

    Can you tell me how to apply this patch correctly?



  • I've not tested the patch. But the first thing you have to do is make the filesystem writable.

    Login with ssh and type this in:

    /etc/rc.conf_mount_rw

    If you reboot or type this command in: /etc/rc.conf_mount_ro

    your system is read-only again.



  • Hey, I have been trying to use your patch and can't work out what I'm doing wrong. I applied the patch OK and created a new entry in 'System: Authentication Servers', then configured the OpenVPN server to use it. Any help would be great.

    The System: Authentication Servers entry:

    System: Authentication Servers
    Descriptive name OpenVPNUsers
    Type LDAP

    LDAP Server Settings
    ------------------------------------------------------
    Hostname or IP address 10.10.10.10
    Port value 389
    Transport TCP
    Peer Certificate Authority internal-ca
    Protocol version 3
    Search scope
    Level:  Entire Subtree
    Base DN:  DC=domain,DC=com,DC=au
    Authentication containers
    Containers:  CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au

    Bind credentials
    User DN:  readonlyuser
    Password:  password
    User naming attribute samAccountName
    Group naming attribute cn
    Group member attribute memberOf

    OpenVPN Log:

    Jun 6 15:51:24 openvpn[45763]: 49.176.33.77:19534 [] Peer Connection Initiated with [AF_INET]49.176.33.77:19534
    Jun 6 15:53:55 openvpn[45763]: 49.176.33.77:19534 Re-using SSL/TLS context
    Jun 6 15:53:55 openvpn[45763]: 49.176.33.77:19534 LZO compression initialized
    Jun 6 15:53:58 openvpn: : Now Searching for janedoe in directory.
    Jun 6 15:53:58 openvpn: : The container string contains at least one group, we need to find user DN now
    Jun 6 15:53:58 openvpn: : User found
    Jun 6 15:53:58 openvpn: : Now Searching in server OpenVPNUsers, container CN=TechNet OpenVPN Users,OU=Users with filter (samaccountname=janedoe).
    Jun 6 15:53:58 openvpn: : Search resulted in error: Success
    Jun 6 15:53:58 openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
    Jun 6 15:53:58 openvpn: user janedoe could not authenticate.
    Jun 6 15:53:58 openvpn[45763]: 49.176.33.77:19534 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
    Jun 6 15:53:58 openvpn[45763]: 49.176.33.77:19534 TLS Auth Error: Auth Username/Password verification failed for peer
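
The following is an added example, not code from the patch or from pfSense, that models the two rules the first post describes (an authentication container may be an OU or a group; group membership is read directly from the user's memberOf attribute, so nested groups are not followed) together with the "exactly one user found" condition that the log above reports on. The directory is a constructed in-memory dict using the domain naming from the posted configuration; the function names (`find_user`, `user_in_container`, `authorize`) are this example's own and do not correspond to anything in auth.inc.

```python
import re

# Constructed sample directory (DN -> attributes). Not real data from the
# thread; the naming follows the configuration posted above.
SAMPLE_DIRECTORY = {
    "CN=janedoe,OU=Users,DC=domain,DC=com,DC=au": {
        "sAMAccountName": "janedoe",
        "memberOf": ["CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au"],
    },
    "CN=bob,OU=Security,DC=domain,DC=com,DC=au": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=Helpdesk,OU=Security,DC=domain,DC=com,DC=au"],
    },
    # carol is only in VPN-Admins, which is itself a member of OpenVPN Users
    # (nested). A direct memberOf check does not see that.
    "CN=carol,OU=Users,DC=domain,DC=com,DC=au": {
        "sAMAccountName": "carol",
        "memberOf": ["CN=VPN-Admins,OU=Security,DC=domain,DC=com,DC=au"],
    },
    "CN=VPN-Admins,OU=Security,DC=domain,DC=com,DC=au": {
        "objectClass": "group",
        "memberOf": ["CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au"],
    },
    # Two accounts sharing a login name: the lookup must refuse to pick one.
    "CN=sam,OU=Users,DC=domain,DC=com,DC=au": {"sAMAccountName": "sam", "memberOf": []},
    "CN=sam,OU=Security,DC=domain,DC=com,DC=au": {"sAMAccountName": "sam", "memberOf": []},
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split a DN on commas that are not escaped


def normalize_dn(dn):
    """Canonical form for comparison: AD DNs are case-insensitive and
    tolerate whitespace around the separators."""
    return ",".join(part.strip().lower() for part in _RDN_SPLIT.split(dn))


def is_under(dn, base_dn):
    """True when dn lies in the subtree rooted at base_dn (base included)."""
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def find_user(directory, base_dn, login, attr="sAMAccountName"):
    """Subtree search for (attr=login) below base_dn. Returns every matching
    DN; the caller must insist on exactly one result."""
    return [
        dn for dn, entry in directory.items()
        if is_under(dn, base_dn) and entry.get(attr, "").lower() == login.lower()
    ]


def is_group_container(container_dn):
    """A container whose first RDN is CN= is treated as a group, OU= as an
    organizational unit."""
    return _RDN_SPLIT.split(container_dn)[0].strip().lower().startswith("cn=")


def user_in_container(user_dn, entry, container_dn):
    """Group container: the user must list it directly in memberOf (nesting
    is not followed). OU container: the user object must sit beneath it."""
    if is_group_container(container_dn):
        wanted = normalize_dn(container_dn)
        return any(normalize_dn(g) == wanted for g in entry.get("memberOf", []))
    return is_under(user_dn, container_dn)


def authorize(directory, base_dn, login, containers):
    """Returns (allowed, reason). Fails closed when the user search does not
    yield exactly one entry, or when no configured container matches."""
    matches = find_user(directory, base_dn, login)
    if len(matches) != 1:
        return False, "user search returned %d entries, expected exactly 1" % len(matches)
    user_dn = matches[0]
    entry = directory[user_dn]
    for container in containers:
        if user_in_container(user_dn, entry, container):
            return True, "matched container %s" % container
    return False, "not a direct member of any configured container"


if __name__ == "__main__":
    base = "DC=domain,DC=com,DC=au"
    group = ["CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au"]
    for login in ("janedoe", "bob", "carol", "sam", "nobody"):
        print(login, authorize(SAMPLE_DIRECTORY, base, login, group))
```

Two points the example makes explicit: the user search is rooted at the base DN and the group check is a separate memberOf comparison, because in AD a user object never sits beneath a group object (a subtree search whose base is the group DN returns no users); and a login name that resolves to zero or several objects is refused rather than guessed at, which is the same class of failure the log reports as "Either LDAP search failed, or multiple users were found".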