LDAP-based users don't show in User Permissions

Business solution to host your own OpenVPN server with web management interface and bundled clients.
yodakramer
OpenVpn Newbie
Posts: 2
Joined: Thu Jul 09, 2020 4:48 pm


Post by yodakramer » Thu Jul 09, 2020 4:58 pm

I have users successfully authenticating to OpenVPN using LDAP auth.

However, these users also don't have a User Permissions entry so I can't easily change their default group.

Two questions:
  1. Is there an option that creates User Permission entries on login?
  2. Or do I manually add User Permission entries for those that need to be in a different group?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: LDAP-based users don't show in User Permissions

Post by novaflash » Thu Jul 16, 2020 7:50 pm

Hello yodakramer,

In Group Permissions you can set the default group for any user that doesn't have a group set yet. That also means users that have no properties defined in Access Server.

In Access Server, if a user has no properties defined, it just gets assumed default values. Like the default group setting I just mentioned for example. You can also set a default setting to give everyone autologin privileges, for example. That's a little harder to do as it requires a command line blurb to do that. But the idea is simply that if there is nothing specific about a user, it doesn't need to be in User Permissions.

Having said that, what might be useful to you is our post_auth script that, after successful login, can assign a specific group to a user based on that user's group membership in the LDAP server. So if in your LDAP server your LDAP user is part of the LDAP group "Administrators" then you can have the post_auth script recognize this when that LDAP user logs in at your Access Server, and then put that user in an Access Server group like "VPN Admins" or something. You can also rewrite the script very slightly so it always puts all users in a particular group, making the default group setting unnecessary, and has the added advantage that this is now a user-specific property, so this user will show up in the User Permissions panel after first login.

The post_auth script can be found here:
https://openvpn.net/vpn-server-resource ... p-mapping/
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
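
The mapping step described in the reply above, as an added example that is not part of the original posts and is not OpenVPN's post_auth script: it picks an Access Server group from a user's LDAP `memberOf` values with a fixed precedence and a least-privileged fallback. The DNs and group names are constructed, the `memberOf` list stands in for the LDAP lookup, and the `conn_group` property name and the `(authret, proplist_save)` return shape are assumptions about the post_auth hook.

```python
# Added example: LDAP group -> Access Server group decision logic.
# All DNs and group names below are constructed sample values.
import re

# Ordered by precedence: first match wins, so the most privileged mapping goes first.
GROUP_MAP = [
    ("CN=Administrators,OU=Groups,DC=example,DC=com", "VPN Admins"),
    ("CN=Staff,OU=Groups,DC=example,DC=com", "VPN Staff"),
]
DEFAULT_GROUP = "VPN Default"  # least-privileged fallback for unmapped users


def normalize_dn(dn):
    """Lower-case a DN and strip spaces around unescaped ',' and '='."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)


def pick_group(member_of, group_map=GROUP_MAP, default=DEFAULT_GROUP):
    """Return the Access Server group for a user's LDAP memberOf values."""
    memberships = {normalize_dn(dn) for dn in member_of}
    for ldap_dn, as_group in group_map:
        # Compare whole DNs: a CN-only or substring match would also accept
        # a same-named group created in another OU.
        if normalize_dn(ldap_dn) in memberships:
            return as_group
    return default


def apply_group(authret, member_of):
    """Set the group on a post_auth-style result (shape is an assumption)."""
    group = pick_group(member_of)
    authret.setdefault("proplist", {})["conn_group"] = group
    # Assumed: properties returned for saving become user-specific entries.
    proplist_save = {"conn_group": group}
    return authret, proplist_save
```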
