Hi.
First of all, we ask for your understanding that you are using a translator to speak English incorrectly.
As the title suggests, I am wondering if it is possible to limit the expiration date for user accounts that access through the server after the access server is built.
Even if you look for a method, we do not have a separate guide, so we will contact you, so please advise if anyone knows.
Thank you.
Is it possible to set the expiration date for the access account?
-
seirian
- OpenVpn Newbie
- Posts: 1
- Joined: Thu May 20, 2021 1:55 am
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Is it possible to set the expiration date for the access account?
Hi There,
Can you please elaborate on the details of your inquiry?
What do you mean by setting an expiration date for the access account?
Are you pertaining to the inactivity timeout?
Please provide more details for your inquiry. Thank you!
Crowley
Can you please elaborate on the details of your inquiry?
What do you mean by setting an expiration date for the access account?
Are you pertaining to the inactivity timeout?
Please provide more details for your inquiry. Thank you!
Regards,seirian wrote: ↑Thu May 20, 2021 2:00 amHi.
First of all, we ask for your understanding that you are using a translator to speak English incorrectly.
As the title suggests, I am wondering if it is possible to limit the expiration date for user accounts that access through the server after the access server is built.
Even if you look for a method, we do not have a separate guide, so we will contact you, so please advise if anyone knows.
Thank you.
Crowley
OpenVPN Inc.Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
chilinux
- OpenVPN Power User
- Posts: 156
- Joined: Thu Mar 28, 2013 8:31 am
Re: Is it possible to set the expiration date for the access account?
I think he is asking if he can set an account/certificate expiration similar to how Linux has "usermod --expiredate" or how Active Directory has "Account Expires."
The answer is this is not provided directly in the web administration portal right now.
If you are using an external authenticaion source such as LDAP and the account has expired on that then the user will no longer be able to login. However, their existing VPN user certificate will still be valid and existing VPN connections will still continue.
OpenVPN AS does have expirations applied to the certificates issued but all of them are set to be valid for 3,650 days with no option for the administration to change the length.
But an expiration can still be applied using the sacli script by establishing a Linux "at" job.
For example, if you need OpenVPN AS user "consultant" expired after 1 week, you can do the following over ssh to the OpenVPN AS server:
The answer is this is not provided directly in the web administration portal right now.
If you are using an external authenticaion source such as LDAP and the account has expired on that then the user will no longer be able to login. However, their existing VPN user certificate will still be valid and existing VPN connections will still continue.
OpenVPN AS does have expirations applied to the certificates issued but all of them are set to be valid for 3,650 days with no option for the administration to change the length.
But an expiration can still be applied using the sacli script by establishing a Linux "at" job.
For example, if you need OpenVPN AS user "consultant" expired after 1 week, you can do the following over ssh to the OpenVPN AS server:
Code: Select all
at now + 1 week << EOF
SACLI=/usr/local/openvpn_as/scripts/sacli
ID=consultant
$SACLI --user $ID --key prop_deny --value true UserPropPut
$SACLI --user $ID RevokeUser
$SACLI --user $ID DisconnectUser
EOF