Unable to enable MFA for selective users when using in combination with LDAP for authentication

Business solution to host your own OpenVPN server with web management interface and bundled clients.
sshaikh
OpenVpn Newbie
Posts: 1
Joined: Wed Jul 12, 2017 7:01 pm

Post by sshaikh » Wed Jul 12, 2017 7:22 pm

I am using LDAP for authentication and am trying to use MFA alongside it. Below are my scenarios.
1. When MFA is enabled for everyone under the client settings using the Google Authenticator support, it works fine. I can then selectively disable it for specific users using the steps below:
Q: How to enable Google Authenticator in general, but disable it for certain specific accounts or groups?

A: First, enable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value true ConfigPut
./sacli start
Next, disable for specific users or groups:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value false UserPropPut


2. However, when I try to achieve the reverse, disabling MFA for everyone but a select few users, it does not seem to work. Again I am following the steps below.

Q: How to disable Google Authenticator in general, but enable it for certain specific accounts or groups?

A: First, disable Google Authenticator for all accounts:

./sacli --key vpn.server.google_auth.enable --value false ConfigPut
./sacli start
Next, enable for specific users or groups:

./sacli --user <USER_OR_GROUP> --key prop_google_auth --value true UserPropPut

I have not received any credible help from the OpenVPN support team. Has anyone had this issue? If there is any caveat that I could be missing, please let me know.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Unable to enable MFA for selective users when using in combination with LDAP for authentication

Post by novaflash » Sun Jul 23, 2017 12:12 pm

The information in the documentation is exactly correct and works exactly as specified.

I suggest you try to make sure you are actually applying the settings to the correct users and groups. Spelling of user names with LDAP is very important; the user name as it is known in LDAP is leading. You must use that spelling. Do it differently and it's just not applied.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
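The spelling pitfall raised in this reply, applied to the per-user override from step 2 of the question, as an added example that is not code from either poster or from OpenVPN: a small sh wrapper that refuses to run the UserPropPut unless the name exactly matches (case included) a name as LDAP knows it, so a mismatch fails loudly instead of silently applying to nobody. The LDAP_USERS list is a constructed sample, and SACLI is a hypothetical override variable added for testing.

```shell
#!/bin/sh
# Added example: guard per-user prop_google_auth overrides so they are only
# applied to names spelled exactly as LDAP returns them. Access Server keys
# user properties on that spelling, so "JSmith" vs "jsmith" matches no one.

# Canonical user names as known to LDAP (constructed sample; in practice fill
# this from the directory's username attribute, e.g. via ldapsearch).
LDAP_USERS="jsmith
adoe
mkhan"

# Path to sacli; SACLI is a hypothetical override knob (e.g. SACLI=echo) for
# dry runs and tests.
SACLI="${SACLI:-/usr/local/openvpn_as/scripts/sacli}"

# ldap_user_exists NAME -> 0 only if NAME is exactly one of the LDAP names
ldap_user_exists() {
    printf '%s\n' "$LDAP_USERS" | grep -qx -- "$1"
}

# set_user_mfa NAME true|false
# Applies the prop_google_auth override for an exactly spelled LDAP name;
# returns 1 on an unknown/misspelled name, 2 on a bad value.
set_user_mfa() {
    name=$1
    value=$2
    case $value in
        true|false) ;;
        *) echo "value must be true or false, got '$value'" >&2; return 2 ;;
    esac
    if ! ldap_user_exists "$name"; then
        echo "refusing: '$name' is not a known LDAP user name (check case and spelling)" >&2
        return 1
    fi
    "$SACLI" --user "$name" --key prop_google_auth --value "$value" UserPropPut
}
```

With the server-wide setting disabled, calling `set_user_mfa jsmith true` for each user who should keep MFA gives the per-user enablement described in the question while rejecting names that LDAP would never match.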
