openvpn
DuD, 2017-11-19 21:10:32

Is it possible to configure OpenVPN authentication by certificate+ldap?

Configured OpenVPN for login and password authentication via ldap.
Now there is a problem: a client with the certificate e.g. "test1" can authenticate to LDAP as "test2".
That is, OpenVPN does not check whether the Common Name of the certificate matches the login the user enters. Is it possible to fix this?
OpenVPN 2.3.10
+ openvpn-auth-ldap plugin


2 answer(s)
mureevms, 2017-11-19

As far as I know, you can't. But this is not a shortcoming that needs fixing; it is a feature, since the key name is needed so that the authorization and user-identification center can identify this key. Since you delegate the second of these to the LDAP server, it makes no sense to have a key for each user. Usually there isn't one. It is more convenient to issue one key and distribute it to all users, and manage access with groups on the LDAP side.

younghacker, 2017-11-20

Never solved such a problem, but I would move in the direction of the authentication script.
You need to find or write a simple shell script that will compare the LDAP name and the CommonName.
In case of a mismatch, it returns an error. While you are at it, you can log the event and send an alert to the VPN administrator.
Perhaps openvpn-auth-ldap will need to be disabled, with the user login validated and checked against the CommonName in their certificate on the script side.
--auth-user-pass-verify /etc/openvpn/scripts/scriptname.sh via-file
--tmp-dir /dev/shm
I would carefully consider what the --username-as-common-name option does. Will it help solve everything at once?
I think that your problem can be solved this way.
Or you can make a patch for openvpn-auth-ldap and add an option to the config.
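The script the answer above describes, as an added example that is not from the thread or from OpenVPN itself: an --auth-user-pass-verify via-file hook that denies the login when the username differs from the certificate CN. It relies on OpenVPN's real behaviour of writing username and password to a temp file ($1) and exporting the client certificate CN as the environment variable common_name (--script-security 2 must be enabled for any script to run); the script path /etc/openvpn/scripts/verify-cn.sh, the function names and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example: /etc/openvpn/scripts/verify-cn.sh (path is an assumption).
# Server config:  auth-user-pass-verify /etc/openvpn/scripts/verify-cn.sh via-file
#                 tmp-dir /dev/shm
#                 script-security 2
# OpenVPN passes the credentials file as $1 (line 1 = username, line 2 = password)
# and sets $common_name to the CN of the client certificate that passed TLS.

# Exact, case-sensitive comparison. Returns 0 on match, 1 otherwise.
# Empty values never match: a missing CN or username must fail closed.
cn_matches_username() {
    user="$1"
    cn="$2"
    [ -n "$user" ] && [ -n "$cn" ] && [ "$user" = "$cn" ]
}

# Username is the first line of the via-file credentials file.
username_from_file() {
    head -n 1 "$1"
}

# Returns 0 (allow) or 1 (deny) and logs the decision to syslog when
# logger is available. The password on line 2 is intentionally never read
# here; if openvpn-auth-ldap is disabled, the LDAP bind would be performed
# after this check passes, by a separate step (not shown).
verify_login() {
    credfile="$1"
    cn="${common_name:-}"
    user="$(username_from_file "$credfile")"
    if cn_matches_username "$user" "$cn"; then
        logger -t openvpn-cn-check "ALLOW user=$user cn=$cn" 2>/dev/null || true
        return 0
    fi
    logger -t openvpn-cn-check "DENY user=$user cn=$cn (mismatch)" 2>/dev/null || true
    return 1
}

# Entry point when OpenVPN invokes the script with the credentials file.
if [ $# -ge 1 ]; then
    verify_login "$1"
    exit $?
fi
```

Note that --username-as-common-name replaces the certificate CN with the authenticated username after authentication succeeds; it does not compare the two, so the comparison still has to be made in a hook like this one.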
