How to bypass LDAP for one user

Post Reply
droujav
OpenVpn Newbie
Posts: 3
Joined: Fri Jul 20, 2018 2:31 am

How to bypass LDAP for one user

Post by droujav » Fri Jul 20, 2018 2:39 am

Hello,
I use LDAP auth. However, my LDAP (AD) server is on the Gateway Client subnet, therefore I need to establish the vpn connection from this client FIRST, then after that the OpenVPN Access Server can use LDAP auth for the other users. At the moment, the only user that can skip LDAP for that first connection is the admin user "openvpn"...
How can I create another non-admin user that will bypass LDAP ?

Thanks

novaflash
I should be on the dev team.
Posts: 720
Joined: Fri Apr 13, 2012 8:43 pm

Re: How to bypass LDAP for one user

Post by novaflash » Fri Jul 20, 2018 7:45 am

The 'openvpn' user is a special super admin user that bypasses LDAP authentication on purpose. The idea being that when you enable LDAP and you make a mistake in configuration, you can still log in as an admin user and correct the mistake. Or if your LDAP server has a problem or has changed credentials or something, and you need to log in to the Admin UI and fix things, you can still do so with the openvpn admin account.

It is possible to create multiple such super admin users and they have special access rules. This is not safe however. We advise that you disable the 'openvpn' account when you are finished configuring things and have set up your own admin user. Why is it unsafe to keep using the 'openvpn' account for admin purposes? For one, it bypasses LDAP authentication, so centralized password management for this account just does not work. Also, Google Authenticator is bypassed for this user, again with the idea that if things are messed up you need a way to get in and fix things. So, make your own admin user, and use that, and disable the 'openvpn' account. Instructions are on this page: https://docs.openvpn.net/getting-starte ... tallation/

In any case, while it is possible to create multiple such super admin users that indeed bypass LDAP and go to PAM directly, it is not recommended for security reasons. Also, all such accounts will always have admin rights and this cannot be disabled for these type of accounts. This is probably something you don't want, and we advise against it.

In short though, it is currently not possible to use LDAP authentication, and then have one or two additional users that use local authentication mode. If you need an additional user, then simply add it to your LDAP directory, and use those credentials to log in.

If you really are focused on having this solution anyways, an unsupported option is to switch to PAM authentication, and in PAM set up a module that queries LDAP. This way local PAM accounts and external LDAP accounts through PAM authentication can work.

droujav
OpenVpn Newbie
Posts: 3
Joined: Fri Jul 20, 2018 2:31 am

Re: How to bypass LDAP for one user

Post by droujav » Fri Jul 20, 2018 10:14 am

Hi, thanks for your reply !
and why is the PAM with LDAP module "unsupported" ?

novaflash
I should be on the dev team.
Posts: 720
Joined: Fri Apr 13, 2012 8:43 pm

Re: How to bypass LDAP for one user

Post by novaflash » Fri Jul 20, 2018 12:09 pm

The reason for that is that we already provide a means to use LDAP in Access Server. That function we support. Doing it outside of Access Server is your responsibility. If that fails, that's not something we can fix from within Access Server.

Post Reply