Hi there,
Does anyone know how to create a group via CLI? I can't seem to find a way.
Thanks
Steve.
OpenVPN Access Server Cli Creating a group
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Apr 18, 2016 11:31 am
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: OpenVPN Access Server Cli Creating a group
You can go to /usr/local/openvpn_as/scripts/ and look up the scripts there. For example, if you run ./confdba --help or ./sacli --help, you can see help information on how to use the command line scripts. You should be able to do something like this, for example:
cd /usr/local/openvpn_as/scripts/
./sacli -u GROUP -mk type -v group UserPropPut
./confdba -u --prof GROUP -mk "group_declare" -v "true"
./confdba -u --prof GROUP -mk "type" -v "group"
You may need to run ./sacli start to let the Access Server reload settings. But the group should then exist. There are also other settings like c2s_dest_s and c2s_dest_v and such to set things that are configured on that group. You can find more info at https://docs.openvpn.net/access-server/ in the command line section. Should be some samples in there as well.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Mon Apr 18, 2016 11:31 am
Re: OpenVPN Access Server Cli Creating a group
Thanks Novaflash - but it does not seem to be a straightforward command to create a group - I am trying to script this but it does not seem straightforward.
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: OpenVPN Access Server Cli Creating a group
I don't know what you expect. It's a command line script. The sample provided does exactly what you asked for.
Good luck now.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Nov 10, 2015 1:22 pm
Re: OpenVPN Access Server Cli Creating a group
It took me a while to decipher the answer that novaflash provided, but it is correct.
I had to implement this from the CLI in order to achieve some Google Auth implementation we needed. We wanted to restrict google auth to only a certain group. So, my group will be called googleauth.
The first thing I did to understand what's going on here is I added the group via the web interface, using the name googleauth. Then, via some trial and error, I identified the properties I need to pass to confdba. I need --userdb which says to query the Users' config database. I need --show which just means show me general information. I need --prof to identify which profile (think of profile as username or group name) to show.
So, I issued the command:
Code:
cd /usr/local/openvpn_as/scripts
./confdba --userdb --show --prof googleauth
This produced the following result:
Code:
{
  "googleauth": {
    "c2s_dest_s": "false",
    "c2s_dest_v": "false",
    "group_declare": "true",
    "prop_autologin": "false",
    "prop_deny": "false",
    "prop_google_auth": "true",
    "prop_superuser": "false",
    "type": "group"
  }
}
Now I know that I essentially need to emulate this setup, but from the CLI.
-----------------------------
Step 1. Create the group using sacli.
Code:
cd /usr/local/openvpn_as/scripts
./sacli --user googleauth --key type --value group UserPropPut
The original example provided by novaflash includes a -m parameter, however sacli does not have that option. The above command creates a group named googleauth.
Step 2. Configure the group options to match the JSON above, that was produced by creating the user from the UI
Code:
cd /usr/local/openvpn_as/scripts
./confdba --userdb --prof googleauth --mod --key c2s_dest_s --value false
./confdba --userdb --prof googleauth --mod --key c2s_dest_v --value false
./confdba --userdb --prof googleauth --mod --key group_declare --value true
./confdba --userdb --prof googleauth --mod --key prop_autologin --value false
./confdba --userdb --prof googleauth --mod --key prop_deny --value false
./confdba --userdb --prof googleauth --mod --key prop_google_auth --value true
./confdba --userdb --prof googleauth --mod --key prop_superuser --value false
./confdba --userdb --prof googleauth --mod --key type --value group
Note that the --mod directive is required above.
Step 3. Start sacli
Code:
cd /usr/local/openvpn_as/scripts
./sacli start
-----------------------------
After doing the above steps, I now have a new group that requires Google Authentication.
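The three steps from the post above as one script, added here as an example and not code from the thread or from OpenVPN Inc. It uses only the sacli and confdba options shown in the thread; the variable and function names and the dry-run default are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not OpenVPN Inc. code): the thread's three steps as functions.
# AS_SCRIPTS, DRY_RUN, GROUP_PROPS and the function names are hypothetical.
AS_SCRIPTS="${AS_SCRIPTS:-/usr/local/openvpn_as/scripts}"  # path from the thread
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = also run them

# Target properties, copied from the confdba --show output quoted in the thread.
GROUP_PROPS="c2s_dest_s=false c2s_dest_v=false group_declare=true
prop_autologin=false prop_deny=false prop_google_auth=true
prop_superuser=false type=group"

run() {  # print one command line; execute it only when DRY_RUN=0
  printf '%s\n' "$*"
  [ "$DRY_RUN" = 1 ] || ( cd "$AS_SCRIPTS" && "$@" )
}

create_group() {  # usage: create_group NAME
  local group="${1:-}" kv
  # Reject empty names, names that parse as options, and shell metacharacters.
  case "$group" in
    ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid group name" >&2; return 2 ;;
  esac
  run ./sacli --user "$group" --key type --value group UserPropPut || return 1
  for kv in $GROUP_PROPS; do
    run ./confdba --userdb --prof "$group" --mod \
        --key "${kv%%=*}" --value "${kv#*=}" || return 1
  done
  run ./sacli start
}

# Read `confdba --userdb --show --prof NAME` JSON on stdin and print every
# key whose value is missing or differs from GROUP_PROPS (textual match).
check_group() {
  local json kv bad=""
  json="$(cat)"
  for kv in $GROUP_PROPS; do
    printf '%s\n' "$json" |
      grep -Eq "\"${kv%%=*}\"[[:space:]]*:[[:space:]]*\"${kv#*=}\"" ||
      bad="$bad ${kv%%=*}"
  done
  printf '%s' "${bad# }"
  [ -z "$bad" ]
}

# Stand-alone use: ./script.sh googleauth   (dry run unless DRY_RUN=0)
[ -z "${1:-}" ] || create_group "$1"
```

After the change, pipe `./confdba --userdb --show --prof googleauth` into `check_group`; any key it prints, such as `prop_superuser`, differs from the intended profile.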