EFW Support

Support => VPN Support => Topic started by: danielcsgomes on Wednesday 11 August 2010, 09:11:42 pm



Title: OpenVPN AD By user in group
Post by: danielcsgomes on Wednesday 11 August 2010, 09:11:42 pm
Hello all, that is my first post here.

It was a hard job to do all the configuration without any background, but with some research and with this forum it happened. But now I have a question: is there any possibility of OpenVPN with LDAP seeing the members associated with a Security Group and only allowing those users to connect through OpenVPN?

Now I am pointing LDAP to the OU where the users are, but I would prefer to point to a Security Group that has associated users; I don't want all members connecting through the VPN to the company, only the specific ones.

Thanks in advance,

Daniel Gomes


Title: Re: OpenVPN AD By user in group
Post by: danielcsgomes on Friday 13 August 2010, 01:12:51 am
So I saw that it is possible, but I tried to implement it and got "auth failed". I will post my configuration:

my /var/ewf/openvpn/settings file:

AUTHENTICATION_STACK=local,ldap
AUTH_TYPE=psk
CLIENT_TO_CLIENT=on
DOMAIN=grupogomes.local
DROP_DHCP=
GLOBAL_DNS=192.168.16.2/24
GLOBAL_NETWORKS=192.168.16.0/24,10.10.10.0/24
LDAP_BIND_DN=cn=Administrador,cn=Users,dc=grupogomes,dc=local
LDAP_BIND_PASSWORD=*****
LDAP_URI=ldap://192.168.16.2
LDAP_USER_BASEDN=ou=Utilizadores,ou=Pinhal Novo,dc=grupogomes,dc=local
LDAP_USER_SEARCHFILTER=(&(objectCategory=person)(objectClass=user)(SAMAccountName=%(u)s))
OPENVPN_ENABLED=on
PURPLECLIENT_BEGIN_DEVICE=tap2
PURPLE_DEVICE=tap0
PURPLE_IP_BEGIN=192.168.16.25
PURPLE_IP_END=192.168.16.38
PUSH_DOMAIN=on
PUSH_GLOBAL_DNS=on
PUSH_GLOBAL_NETWORKS=on

LDAP_REQUIRE_GROUP=on
LDAP_GROUP_BASEDN=ou=Security Groups,ou=Pinhal Novo,dc=grupogomes,dc=local
LDAP_GROUP_SEARCHFILTER=(cn=Poceirão - Cesar Gomes)
LDAP_GROUP_MEMBERATTRIBUTE=member

So I want the username to be able to log in only if it is a member of the "Poceirão - Cesar Gomes" Security Group.

What am I doing wrong?

This is the structure of my AD:

DC=GrupoGomes,DC=local
-CN=Users
---CN=Administrador
-OU=Pinhal Novo
---OU=Security Groups
-----CN=Poceirão - Cesar Gomes (type=group)
-----2 more groups here
---OU=Utilizadores
-----OU=CesarGomes
--------CN=about 5 members on that OU
-----OU=euCasa
--------CN=About more 5 members on that OU
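
The following is an added example, not code from the original post and not Endian's own implementation. It models the two-step check that the LDAP_REQUIRE_GROUP settings above describe: first resolve the login name to exactly one user DN under LDAP_USER_BASEDN with LDAP_USER_SEARCHFILTER, then find the group under LDAP_GROUP_BASEDN with LDAP_GROUP_SEARCHFILTER and test whether that user DN appears in its member attribute. The in-memory directory, the user names (ana, bruno) and all helper function names are constructed for illustration and mirror the tree sketched above; it also shows two practical pitfalls of such a check, case differences in the DNs AD returns in `member`, and a login name that would change the meaning of the search filter if it were not escaped.

```python
"""Model of an LDAP "require group" check for VPN logins (constructed example).
The DIRECTORY below stands in for AD; no real server is contacted."""
import re
from typing import Dict, List, Tuple

# Settings as posted (values are the poster's; the tree below is constructed)
LDAP_USER_BASEDN = "ou=Utilizadores,ou=Pinhal Novo,dc=grupogomes,dc=local"
LDAP_USER_SEARCHFILTER = "(&(objectCategory=person)(objectClass=user)(SAMAccountName=%(u)s))"
LDAP_GROUP_BASEDN = "ou=Security Groups,ou=Pinhal Novo,dc=grupogomes,dc=local"
LDAP_GROUP_SEARCHFILTER = "(cn=Poceirão - Cesar Gomes)"
LDAP_GROUP_MEMBERATTRIBUTE = "member"

# Constructed in-memory directory: DN -> attributes (multi-valued lists).
# Note the group's member value uses the upper-case "CN=/OU=/DC=" form that AD
# commonly returns, while the user entry is keyed in lower case.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=Administrador,cn=Users,dc=grupogomes,dc=local": {
        "objectCategory": ["person"], "objectClass": ["user"],
        "sAMAccountName": ["Administrador"]},
    "cn=Ana,ou=CesarGomes,ou=Utilizadores,ou=Pinhal Novo,dc=grupogomes,dc=local": {
        "objectCategory": ["person"], "objectClass": ["user"], "sAMAccountName": ["ana"]},
    "cn=Bruno,ou=euCasa,ou=Utilizadores,ou=Pinhal Novo,dc=grupogomes,dc=local": {
        "objectCategory": ["person"], "objectClass": ["user"], "sAMAccountName": ["bruno"]},
    "cn=Poceirão - Cesar Gomes,ou=Security Groups,ou=Pinhal Novo,dc=grupogomes,dc=local": {
        "objectClass": ["group"], "cn": ["Poceirão - Cesar Gomes"],
        "member": ["CN=Ana,OU=CesarGomes,OU=Utilizadores,OU=Pinhal Novo,DC=grupogomes,DC=local"]},
}


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around commas; AD DN matching is case-insensitive.
    (Escaped commas inside values are not handled in this toy.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so user-supplied text cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f: str, i: int = 0) -> Tuple[tuple, int]:
    """Minimal LDAP filter parser: &, |, ! and attr=value (or attr=* presence)."""
    assert f[i] == "(", "filter must start with '('"
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # skip closing ')'
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        return ("!", [node]), i + 1
    end = f.index(")", i)                 # literal ')' in values must be escaped as \29
    attr, _, value = f[i:end].partition("=")
    return ("=", attr, value), end + 1


def _match(node: tuple, attrs: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(k, attrs) for k in node[1])
    if kind == "|":
        return any(_match(k, attrs) for k in node[1])
    if kind == "!":
        return not _match(node[1][0], attrs)
    _, attr, value = node
    # Attribute names (SAMAccountName vs sAMAccountName) compare case-insensitively
    vals = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    if value == "*":                      # presence filter
        return bool(vals)
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in vals)


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Subtree search: DNs at or under base_dn whose attributes satisfy the filter."""
    node, _ = _parse(ldap_filter)
    base = normalize_dn(base_dn)
    return [dn for dn, attrs in DIRECTORY.items()
            if (normalize_dn(dn) == base or normalize_dn(dn).endswith("," + base))
            and _match(node, attrs)]


def vpn_user_allowed(username: str) -> bool:
    """True only if the login maps to exactly one user DN under the user base
    AND that DN is listed in the required group's member attribute."""
    user_filter = LDAP_USER_SEARCHFILTER % {"u": escape_filter_value(username)}
    users = search(LDAP_USER_BASEDN, user_filter)
    if len(users) != 1:                   # unknown, outside the base, or ambiguous
        return False
    user_dn = normalize_dn(users[0])
    for group_dn in search(LDAP_GROUP_BASEDN, LDAP_GROUP_SEARCHFILTER):
        members = DIRECTORY[group_dn].get(LDAP_GROUP_MEMBERATTRIBUTE, [])
        if user_dn in {normalize_dn(m) for m in members}:
            return True
    return False


if __name__ == "__main__":
    for name in ("ana", "bruno", "Administrador", "*"):
        print(f"{name!r}: {'allowed' if vpn_user_allowed(name) else 'denied'}")
```

Running it denies `bruno` (a valid user outside the group) and `Administrador` (a valid account outside LDAP_USER_BASEDN), and allows `ana` only because the DN comparison is case-folded; without `normalize_dn` the upper-case `CN=Ana,...` value in `member` would never equal the user's DN and every login would fail with the group requirement on. The `*` case shows why the `%(u)s` substitution must be escaped: unescaped, the user filter would become a presence match that returns several entries.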


Title: Re: OpenVPN AD By user in group
Post by: danielcsgomes on Monday 16 August 2010, 02:05:22 pm
Does no one know how to allow only members of a user group to connect through OpenVPN?


Title: Re: OpenVPN AD By user in group
Post by: wdupreez on Wednesday 03 November 2010, 08:18:41 pm
Hi Daniel, please see my post on authenticating OpenVPN users against AD. I hope it helps.