OpenVPN Access Server Cli Creating a group

steve79
OpenVpn Newbie
Posts: 4
Joined: Mon Apr 18, 2016 11:31 am

OpenVPN Access Server Cli Creating a group

Post by steve79 » Wed May 04, 2016 7:36 am

Hi there,

Does anyone know how to create a group via CLI? I can't seem to find a way.

Thanks

Steve.

novaflash
OpenVPN Expert
Posts: 477
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Access Server Cli Creating a group

Post by novaflash » Wed May 04, 2016 10:13 am

You can go to /usr/local/openvpn_as/scripts/ and look up the scripts there. For example, if you run ./confdba --help or ./sacli --help, you can see help information on how to use the command line scripts. You should be able to do something like this, for example:

cd /usr/local/openvpn_as/scripts/
./sacli -u GROUP -mk type -v group UserPropPut
./confdba -u --prof GROUP -mk "group_declare" -v "true"
./confdba -u --prof GROUP -mk "type" -v "group"

You may need to run ./sacli start to let the Access Server reload settings. But the group should then exist. There are also other settings like c2s_dest_s and c2s_dest_v and such to set things that are configured on that group. You can find more info at https://docs.openvpn.net/access-server/ in the command line section. Should be some samples in there as well.

steve79
OpenVpn Newbie
Posts: 4
Joined: Mon Apr 18, 2016 11:31 am

Re: OpenVPN Access Server Cli Creating a group

Post by steve79 » Thu May 05, 2016 1:39 pm

Thanks Novaflash - but it does not seem to be a straightforward command to create a group - I am trying to script this but it does not seem straightforward.

novaflash
OpenVPN Expert
Posts: 477
Joined: Fri Apr 13, 2012 8:43 pm

Re: OpenVPN Access Server Cli Creating a group

Post by novaflash » Thu May 05, 2016 1:47 pm

I don't know what you expect. It's a command line script. The sample provided does exactly what you asked for.

Good luck now.

astclair
OpenVpn Newbie
Posts: 4
Joined: Tue Nov 10, 2015 1:22 pm

Re: OpenVPN Access Server Cli Creating a group

Post by astclair » Mon Aug 07, 2017 5:45 pm

It took me a while to decipher the answer that novaflash provided, but it is correct.

I had to implement this from the CLI in order to achieve some Google Auth implementation we needed. We wanted to restrict google auth to only a certain group. So, my group will be called googleauth.

The first thing I did to understand what's going on here is I added the group via the web interface, using the name googleauth. Then, via some trial and error, I identified the properties I need to pass to confdba. I need --userdb, which says to query the Users' config database. I need --show, which just means show me general information. I need --prof to identify which profile (think of profile as username or group name) to show.

So, I issued the command:

cd /usr/local/openvpn_as/scripts
./confdba --userdb --show --prof googleauth

This produced the following result:

{
  "googleauth": {
    "c2s_dest_s": "false",
    "c2s_dest_v": "false",
    "group_declare": "true",
    "prop_autologin": "false",
    "prop_deny": "false",
    "prop_google_auth": "true",
    "prop_superuser": "false",
    "type": "group"
  }
}

Now I know that I essentially need to emulate this setup, but from the CLI.

-----------------------------

Step 1. Create the group using sacli.

cd /usr/local/openvpn_as/scripts
./sacli --user googleauth --key type --value group UserPropPut

The original example provided by novaflash includes a -m parameter; however, sacli does not have that option. The above command creates a group named googleauth.

Step 2. Configure the group options to match the JSON above, which was produced by creating the user from the UI.

cd /usr/local/openvpn_as/scripts
./confdba --userdb --prof googleauth --mod --key c2s_dest_s --value false
./confdba --userdb --prof googleauth --mod --key c2s_dest_v --value false
./confdba --userdb --prof googleauth --mod --key group_declare --value true
./confdba --userdb --prof googleauth --mod --key prop_autologin --value false
./confdba --userdb --prof googleauth --mod --key prop_deny --value false
./confdba --userdb --prof googleauth --mod --key prop_google_auth --value true
./confdba --userdb --prof googleauth --mod --key prop_superuser --value false
./confdba --userdb --prof googleauth --mod --key type --value group

Note that the --mod directive is required above.

Step 3. Start sacli

cd /usr/local/openvpn_as/scripts
./sacli start

-----------------------------

After doing the above steps, I now have a new group that requires Google Authentication.
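
The three steps above wrapped into one script with a read-back check, as an added example that is not part of the original posts or OpenVPN's own tooling. SCRIPTS_DIR, DRY_RUN, GROUP_PROPS, the function names and the group-name allow-list are assumptions made for the example; the sacli and confdba options are only the ones shown in this thread.

```shell
#!/bin/sh
# Added example: the thread's three steps as one script. SCRIPTS_DIR, DRY_RUN,
# GROUP_PROPS and the function names are hypothetical, not part of Access Server.
SCRIPTS_DIR="${SCRIPTS_DIR:-/usr/local/openvpn_as/scripts}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them

# Key/value pairs copied from the confdba --show output quoted in the thread.
GROUP_PROPS="c2s_dest_s=false c2s_dest_v=false group_declare=true
prop_autologin=false prop_deny=false prop_google_auth=true
prop_superuser=false type=group"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Assumed conservative allow-list; a leading '-' is rejected so the name
# can never be parsed as an option by sacli or confdba.
valid_group_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

create_group() {
    group="$1"
    valid_group_name "$group" || { echo "invalid group name" >&2; return 2; }
    # Step 1: declare the profile as a group.
    run "$SCRIPTS_DIR/sacli" --user "$group" --key type --value group UserPropPut || return 1
    # Step 2: set each property (--mod is required, as noted in the thread).
    for kv in $GROUP_PROPS; do
        run "$SCRIPTS_DIR/confdba" --userdb --prof "$group" --mod \
            --key "${kv%%=*}" --value "${kv#*=}" || return 1
    done
    # Step 3: have Access Server reload its settings.
    run "$SCRIPTS_DIR/sacli" start
}

# Reads `confdba --userdb --show --prof GROUP` output on stdin and fails if
# any expected property is missing or different (e.g. prop_google_auth off).
verify_group() {
    shown=$(cat)
    for kv in $GROUP_PROPS; do
        printf '%s\n' "$shown" | grep -Eq "\"${kv%%=*}\": *\"${kv#*=}\"" ||
            { echo "mismatch: $kv" >&2; return 1; }
    done
}
```

Source the file, review the printed commands from `create_group googleauth`, then repeat with DRY_RUN=0. Afterwards, pipe `./confdba --userdb --show --prof googleauth` into `verify_group` to confirm the stored properties match.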
