[Patch included] Active Directory group membership checking for 2.0.1
-
Hi all,
Here is the updated patch for 2.0.1 for enabling ldap group membership checking when using active directory.
It is working for OUs, builtin groups and groups.
It does not support nested groups; users must be in the group you are using as authentication container.

Download the file "auth.inc.adgroup.patch.txt" and rename it to "auth.inc.adgroup.patch", then patch the auth.inc file (located in /etc/inc) with "patch -i auth.inc.adgroup.patch".

For example, if your domain is "MYDOMAIN.PRIVATE" and users allowed to connect remotely through openvpn are members of the group named "OpenVPN-RAS" in the OU named "Security", your configuration should look like the attached screenshot.
-
You are so awesome it hurts.
-
I'm trying to patch this file but am not having much luck. First I tried using WinSCP to copy the file, however the file system is read-only.
I then used the Diagnostics - Command Prompt screen to upload the file. It put it in the /tmp folder. I ran a command from the same screen to move it to /etc/inc. Finally I ran the following through the same screen to patch it: 'patch -i /etc/inc/auth.inc.adgroup.patch'. By checking the date modified on the auth.inc file I can see it hasn't changed.
Can you tell me how to apply this patch correctly?
-
I've not tested the patch. But the first thing which you have to do is to make the filesystem writeable.
Login with ssh and type this in:
/etc/rc.conf_mount_rw
If you reboot, or type this command in:
/etc/rc.conf_mount_ro
your system is read-only again.
-
Hey, I have been trying to use your patch and can't work out what I'm doing wrong. I applied the patch OK and created a new entry in 'System: Authentication Servers', then configured the OpenVPN server to use it. Any help would be great.
The System: Authentication Servers entry:

System: Authentication Servers
Descriptive name: OpenVPNUsers
Type: LDAP

LDAP Server Settings
------------------------------------------------------
Hostname or IP address: 10.10.10.10
Port value: 389
Transport: TCP
Peer Certificate Authority: internal-ca
Protocol version: 3
Search scope
  Level: Entire Subtree
  Base DN: DC=domain,DC=com,DC=au
Authentication containers
  Containers: CN=OpenVPN Users,OU=Users,DC=domain,DC=com,DC=au
Bind credentials
  User DN: readonlyuser
  Password: password
User naming attribute: samAccountName
Group naming attribute: cn
Group member attribute: memberOf

OpenVPN Log:
Jun 6 15:51:24 openvpn[45763]: 49.176.33.77:19534 [] Peer Connection Initiated with [AF_INET]49.176.33.77:19534
Jun 6 15:53:55 openvpn[45763]: 49.176.33.77:19534 Re-using SSL/TLS context
Jun 6 15:53:55 openvpn[45763]: 49.176.33.77:19534 LZO compression initialized
Jun 6 15:53:58 openvpn: : Now Searching for janedoe in directory.
Jun 6 15:53:58 openvpn: : The container string contains at least one group, we need to find user DN now
Jun 6 15:53:58 openvpn: : User found
Jun 6 15:53:58 openvpn: : Now Searching in server OpenVPNUsers, container CN=TechNet OpenVPN Users,OU=Users with filter (samaccountname=janedoe).
Jun 6 15:53:58 openvpn: : Search resulted in error: Success
Jun 6 15:53:58 openvpn: : ERROR! Either LDAP search failed, or multiple users were found.
Jun 6 15:53:58 openvpn: user janedoe could not authenticate.
Jun 6 15:53:58 openvpn[45763]: 49.176.33.77:19534 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
Jun 6 15:53:58 openvpn[45763]: 49.176.33.77:19534 TLS Auth Error: Auth Username/Password verification failed for peer
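To make the behaviour described in the first post and the failure shown in this log concrete, here is an offline model of the check, written for this thread rather than taken from the posted PHP patch or pfSense's auth.inc. The directory entries, account names and the MYDOMAIN.PRIVATE base DN are constructed; it models OU containers as a DN-suffix test, group containers as a direct memberOf test (no nesting, as the author states), and the "exactly one user" requirement that produced the "Either LDAP search failed, or multiple users were found" line above.

```python
"""Offline model of the AD group-membership check discussed in the thread.

Constructed example, not pfSense's auth.inc or the posted patch (which is PHP).
The list of dicts stands in for LDAP search results; all names are made up.
"""

BASE_DN = "DC=MYDOMAIN,DC=PRIVATE"

# Constructed directory. "Helpdesk" is itself nested inside OpenVPN-RAS in this
# scenario, which a direct-membership check (no nesting) will not see.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Users,DC=MYDOMAIN,DC=PRIVATE", "sAMAccountName": "janedoe",
     "memberOf": ["CN=Helpdesk,OU=Security,DC=MYDOMAIN,DC=PRIVATE"]},
    {"dn": "CN=John Roe,OU=Security,DC=MYDOMAIN,DC=PRIVATE", "sAMAccountName": "johnroe",
     "memberOf": ["CN=OpenVPN-RAS,OU=Security,DC=MYDOMAIN,DC=PRIVATE"]},
    # Two objects with the same sAMAccountName: the search returns 2 entries.
    {"dn": "CN=Svc A,OU=Service,DC=MYDOMAIN,DC=PRIVATE", "sAMAccountName": "svc", "memberOf": []},
    {"dn": "CN=Svc B,OU=Service,DC=MYDOMAIN,DC=PRIVATE", "sAMAccountName": "svc", "memberOf": []},
]


def norm_dn(dn):
    """Case- and whitespace-insensitive DN comparison key (ignores RFC 4514 escaping)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def search_user(directory, base_dn, account):
    """Model of the search in the log: filter (sAMAccountName=<account>) under base_dn."""
    base = norm_dn(base_dn)
    return [e for e in directory
            if e["sAMAccountName"].lower() == account.lower()
            and norm_dn(e["dn"]).endswith(base)]


def check_access(directory, base_dn, containers, account):
    """Return (allowed, reason). Containers are OU DNs or group DNs, like the
    'Authentication containers' field; users must be DIRECT members of a group."""
    hits = search_user(directory, base_dn, account)
    if len(hits) != 1:  # the log's "Either LDAP search failed, or multiple users were found"
        return False, "search returned %d entries, expected exactly 1" % len(hits)
    user_dn = norm_dn(hits[0]["dn"])
    groups = {norm_dn(g) for g in hits[0]["memberOf"]}
    for container in containers:
        c = norm_dn(container)
        if c.startswith("ou=") and user_dn.endswith("," + c):
            return True, "user object is located under OU " + container
        if c.startswith("cn=") and c in groups:
            return True, "user is a direct member of " + container
    return False, "user is not a direct member of any configured group or OU"
```

Running `check_access(DIRECTORY, BASE_DN, ["CN=OpenVPN-RAS,OU=Security,DC=MYDOMAIN,DC=PRIVATE"], "janedoe")` is denied even though Helpdesk sits inside OpenVPN-RAS, which is the nested-group limitation the author points out.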