openvpn-auth-ldap authentication against FreeIPA

Hey all you fantastic people..

I recently deployed FreeIPA and am in the process of setting up a new OpenVPN server that auths against the included 389 Directory Server using openvpn-auth-ldap. However, I seem to be having problems when checking a user against a group, i.e. the user group ipausers.

I've tried using the FreeIPA docs telling you how to do this for things like OwnCloud and Jenkins to model the Group Attributes off of, but to no avail... I presume it's specifically how this openvpn-auth-ldap plugin works that it wants these formatted a certain way.

Here is some of what I tried (and really thought would work!). These are the "Authorization" and "Group" blocks that matter out of the auth-ldap.conf file:

    <Authorization>
        # Base DN
        BaseDN "cn=users,cn=accounts,dc=example,dc=com"
        # User Search Filter
        SearchFilter "(uid=%u)"
        # Require Group Membership
        RequireGroup true
        # Add non-group members to a PF table (disabled)
        #PFTable ips_vpn_users
        <Group>
            BaseDN "cn=groups,cn=accounts,dc=example,dc=com"
            SearchFilter "(cn=ipausers)"
            MemberAttribute uniqueMember
            # Add group members to a PF table (disabled)
            #PFTable ips_vpn_eng
        </Group>
    </Authorization>

Alternate lines I've tried are:

    SearchFilter "(|(cn=ipausers))"
    MemberAttribute member
    MemberAttribute memberOf

Note that turning RequireGroup to false sees the plugin authenticate users just fine. I'd really like to be able to lock it down via group(s), though, making it easier for interns or other returning employees to actually maintain an account.

Thanks!

submitted by merry0
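As an added illustration (not part of the post or of the openvpn-auth-ldap project), the script below models the two-step lookup the plugin performs when RequireGroup is true, run offline over a constructed FreeIPA-style tree that reuses the poster's BaseDNs; the entries, attribute names and DN layout are assumptions modelled on how FreeIPA stores group membership (full user DNs in the group's `member` attribute, with `memberOf` living on the user entry, not the group).

```python
# Added example, not code from the original post. Models the check that
# openvpn-auth-ldap does when RequireGroup is true:
#   1. resolve the user's DN under the <Authorization> BaseDN via "(uid=%u)"
#   2. fetch the group under the <Group> BaseDN via "(cn=ipausers)" and test
#      whether that user DN appears in the group's MemberAttribute.
# The directory below is CONSTRUCTED to resemble a FreeIPA tree (assumption).
BASE = "dc=example,dc=com"
USERS_BASE = f"cn=users,cn=accounts,{BASE}"
GROUPS_BASE = f"cn=groups,cn=accounts,{BASE}"

DIRECTORY = {
    f"uid=alice,{USERS_BASE}": {
        "uid": ["alice"],
        # memberOf is on the USER entry; it is not a group attribute
        "memberOf": [f"cn=ipausers,{GROUPS_BASE}"],
    },
    f"uid=bob,{USERS_BASE}": {"uid": ["bob"], "memberOf": []},
    f"cn=ipausers,{GROUPS_BASE}": {
        "cn": ["ipausers"],
        # FreeIPA groups hold full member DNs in `member` (no uniqueMember)
        "member": [f"uid=alice,{USERS_BASE}"],
    },
}


def search(base_dn, attr, value):
    """One-level equality search: DNs under base_dn whose attr holds value.
    Enough to model the filters "(uid=%u)" and "(cn=ipausers)"."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base_dn) and value in entry.get(attr, [])]


def group_allows(username, member_attribute, group_cn="ipausers"):
    """True only if the user's DN is listed in the group's member_attribute."""
    users = search(USERS_BASE, "uid", username)
    if len(users) != 1:
        return False  # unknown or ambiguous user: fail closed
    user_dn = users[0]
    for group_dn in search(GROUPS_BASE, "cn", group_cn):
        if user_dn in DIRECTORY[group_dn].get(member_attribute, []):
            return True
    return False


if __name__ == "__main__":
    for attr in ("uniqueMember", "member", "memberOf"):
        print(f"MemberAttribute {attr}: alice allowed = {group_allows('alice', attr)}")
```

Against this tree only `MemberAttribute member` admits alice, which is the behaviour to verify with an ldapsearch of the real group entry before changing the plugin config.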
