Hello,
I use LDAP auth. However, my LDAP (AD) server is on the Gateway Client subnet, therefore I need to establish the vpn connection from this client FIRST, then after that the OpenVPN Access Server can use LDAP auth for the other users. At the moment, the only user that can skip LDAP for that first connection is the admin user "openvpn"...
How can I create another non-admin user that will bypass LDAP ?
Thanks
How to bypass LDAP for one user
-
droujav
- OpenVpn Newbie
- Posts: 10
- Joined: Fri Jul 20, 2018 2:31 am
-
novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: How to bypass LDAP for one user
The 'openvpn' user is a special super admin user that bypasses LDAP authentication on purpose. The idea being that when you enable LDAP and you make a mistake in configuration, you can still log in as an admin user and correct the mistake. Or if your LDAP server has a problem or has changed credentials or something, and you need to log in to the Admin UI and fix things, you can still do so with the openvpn admin account.
It is possible to create multiple such super admin users and they have special access rules. This is not safe however. We advise that you disable the 'openvpn' account when you are finished configuring things and have set up your own admin user. Why is it unsafe to keep using the 'openvpn' account for admin purposes? For one, it bypasses LDAP authentication, so centralized password management for this account just does not work. Also, Google Authenticator is bypassed for this user, again with the idea that if things are messed up you need a way to get in and fix things. So, make your own admin user, and use that, and disable the 'openvpn' account. Instructions are on this page: https://docs.openvpn.net/getting-starte ... tallation/
In any case, while it is possible to create multiple such super admin users that indeed bypass LDAP and go to PAM directly, it is not recommended for security reasons. Also, all such accounts will always have admin rights and this cannot be disabled for these type of accounts. This is probably something you don't want, and we advise against it.
In short though, it is currently not possible to use LDAP authentication, and then have one or two additional users that use local authentication mode. If you need an additional user, then simply add it to your LDAP directory, and use those credentials to log in.
If you really are focused on having this solution anyways, an unsupported option is to switch to PAM authentication, and in PAM set up a module that queries LDAP. This way local PAM accounts and external LDAP accounts through PAM authentication can work.
It is possible to create multiple such super admin users and they have special access rules. This is not safe however. We advise that you disable the 'openvpn' account when you are finished configuring things and have set up your own admin user. Why is it unsafe to keep using the 'openvpn' account for admin purposes? For one, it bypasses LDAP authentication, so centralized password management for this account just does not work. Also, Google Authenticator is bypassed for this user, again with the idea that if things are messed up you need a way to get in and fix things. So, make your own admin user, and use that, and disable the 'openvpn' account. Instructions are on this page: https://docs.openvpn.net/getting-starte ... tallation/
In any case, while it is possible to create multiple such super admin users that indeed bypass LDAP and go to PAM directly, it is not recommended for security reasons. Also, all such accounts will always have admin rights and this cannot be disabled for these type of accounts. This is probably something you don't want, and we advise against it.
In short though, it is currently not possible to use LDAP authentication, and then have one or two additional users that use local authentication mode. If you need an additional user, then simply add it to your LDAP directory, and use those credentials to log in.
If you really are focused on having this solution anyways, an unsupported option is to switch to PAM authentication, and in PAM set up a module that queries LDAP. This way local PAM accounts and external LDAP accounts through PAM authentication can work.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
droujav
- OpenVpn Newbie
- Posts: 10
- Joined: Fri Jul 20, 2018 2:31 am
Re: How to bypass LDAP for one user
Hi, thanks for your reply !
and why is the PAM with LDAP module "unsupported" ?
and why is the PAM with LDAP module "unsupported" ?
-
novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: How to bypass LDAP for one user
The reason for that is that we already provide a means to use LDAP in Access Server. That function we support. Doing it outside of Access Server is your responsibility. If that fails, that's not something we can fix from within Access Server.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
droujav
- OpenVpn Newbie
- Posts: 10
- Joined: Fri Jul 20, 2018 2:31 am
Re: How to bypass LDAP for one user
Hi,
I found a way to bypass LDAP & MFA: use autologin. This, from the OpenVPN console, explains why:
IMPORTANT NOTE: if you are using autologin profiles (selectable on the User Permissions page), bear in mind that they authenticate using a certificate only and will therefore bypass credential-based authentication using the external authentication DBs below.
I found a way to bypass LDAP & MFA: use autologin. This, from the OpenVPN console, explains why:
IMPORTANT NOTE: if you are using autologin profiles (selectable on the User Permissions page), bear in mind that they authenticate using a certificate only and will therefore bypass credential-based authentication using the external authentication DBs below.