I wish I could use case-insensitive files in client-config-dir (or lowercase)

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech
lostence
OpenVpn Newbie
Posts: 2
Joined: Tue Oct 17, 2017 7:32 pm

I wish I could use case-insensitive files in client-config-dir (or lowercase)

Post by lostence » Tue Oct 17, 2017 7:50 pm

Hello

I'm currently facing a problem (like some others have through the years, after some web and forum searches) and wish there was an easy solution.

I'm using OpenVPN with LDAP authentication in my AD.
Everything works great but I wanted to begin pushing static IP addresses to specific clients, thus I thought about --client-config-dir.
All is well except that the user login name (email address) is case insensitive at logon time, but due to the Linux filesystem, becomes case sensitive when looking for a client specific config in the ccd directory.

So simply changing some upper/lowercase letter in the login name and the client evades his specific config file in the ccd dir.

It would be so handy to have a parameter like "--ccd-lowercase-filenames" that would only look for lowercase files..

To my knowledge I don't see a way to do a case-sensitive LDAP search in AD.
Also it would be somewhat user-unfriendly if I have to educate users to type their login in a specific case or else it fails.

I guess I could work around the problem by using client scripts instead, which would relay specific config options read from files found after converting whatever commonname is received to lowercase... but yeah.

I wish
Thanks for reading

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: I wish I could use case-insensitive files in client-config-dir (or lowercase)

Post by TinCanTech » Tue Oct 17, 2017 7:57 pm

The common_name (where the file name is derived, unless --username-as-common-name is used) is part of the Certificate, which is controlled by the SSL Library (openssl probably) .. It is case sensitive as is Linux file system.

You could probably craft a reasonably simple --auth-user-pass-verify script (or other script) to transpose whatever the user enters to be all lower case. Linux is quite good for that sort of script ..

lostence
OpenVpn Newbie
Posts: 2
Joined: Tue Oct 17, 2017 7:32 pm

Re: I wish I could use case-insensitive files in client-config-dir (or lowercase)

Post by lostence » Tue Oct 17, 2017 8:19 pm

Thanks for the answer.
I did not specify but I do indeed use --username-as-common-name.

--auth-user-pass-verify looks like it just calls a script to validate the credentials provided by the user, and returns success or failure.
It would not change the filename that will be looked up in the ccd dir, from my understanding.

--client-connect on the other hand looks like it could be used to source a lowercase file from the provided commonname parameter.

I guess I could even put the ccd directory on a case insensitive filesystem but that is a bit of a hassle.

But again, I feel it would be a handy option to have, as the case insensitivity of LDAP auth defeats the security aspect of ccd files and static IPs.

EDIT: I would also happily accept an --lowercase-username-as-common-name
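
The --client-connect workaround discussed in the post above, sketched as an added example (not code from either poster or from the OpenVPN project): the hook lowercases the received common name, refuses names that could escape the directory, and copies the matching file into the temporary file OpenVPN passes as the last argument. The function name `ccd_lower_apply` and the `CCD_LOWER_DIR` path are assumptions, and the directory is assumed to be separate from the one given to --client-config-dir.

```shell
#!/bin/sh
# Added example: --client-connect hook that applies per-client options from a
# file named after the LOWERCASED login. CCD_LOWER_DIR and ccd_lower_apply are
# hypothetical names. Keep this directory separate from --client-config-dir,
# otherwise an exact-case login would receive the same options twice.
CCD_LOWER_DIR="${CCD_LOWER_DIR:-/etc/openvpn/ccd-lower}"

# ccd_lower_apply NAME DIR OUTFILE
# Returns 0 if the options were copied or no file exists for this login,
# 1 if NAME is unusable as a file name.
ccd_lower_apply() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$name" in
        ''|.*|*/*) return 1 ;;   # empty, dot-file or path separator: refuse
    esac
    # Logins without a file simply get no extra options (address from the pool).
    [ -f "$2/$name" ] || return 0
    cat "$2/$name" > "$3"
}

# OpenVPN sets script_type and common_name in the environment and passes the
# temp file for dynamic directives as the last argument.
if [ "${script_type:-}" = "client-connect" ]; then
    out=""
    for out in "$@"; do :; done   # keep only the last argument
    ccd_lower_apply "${common_name:-}" "$CCD_LOWER_DIR" "$out"
    exit $?                       # non-zero status disconnects the client
fi
```

Files in the directory must themselves be named in lowercase, and the server needs a script-security level that permits running external scripts.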
