jkroepke/openvpn-auth-azure-ad

`username-as-common-name` option when using this solution

LBegnaud opened this issue · 2 comments

I'm testing various connection methods and I've got my head around how it all works, I think. The way we currently use openvpn with client certs, we don't generate a cert for each user, but we recycle them on a tight interval and have users redownload via the self-service portal. While it is possible to generate client certs based on the user downloading it, I'd rather keep the ovpn files able to be distributed and preserve the authentication layer using openvpn-auth-ldap, and just stack this device login workflow on top of it.

Right now the issue I'm having is that it seems openvpn-auth-ldap is forcing a connection reset because it doesn't get the devicelogin response within 5s, which is quite impossible to do.

Works just fine if I use only the management-client-auth directive, so thank you for this streamlined approach to the python script. Hoping you may have guidance on how to best implement these two layers of authentication.

Hi. No idea. And the ovpn ldap auth plugin has no maintenance anymore.

You can use the auth-pam plugin from openvpn and implement the LDAP logic on the PAM side using pam ldap or sssd. No guarantee that it works.

You could fork this plugin and implement the ldap auth on your side. Implementing LDAP auth in Python could be possible, but this is not the scope of this project.

Long term, if OVPN3 is available, webauth and cloud auth only may be the preferred method over local ldap...

Good info, thanks again for everything