Group Restriction when authenticating via Ldap

Business solution to host your own OpenVPN server with web management interface and bundled clients.
vmachine
OpenVpn Newbie
Posts: 15
Joined: Thu Oct 06, 2011 3:52 pm

Group Restriction when authenticating via Ldap

Post by vmachine » Thu Oct 06, 2011 4:00 pm

How can I apply rules to users in Access Server when I'm authenticating via LDAP? When I use PAM it works, but whenever I use LDAP, authentication fails if I add the user in the GUI and add them to a group.

swg0101
OpenVPN User
Posts: 23
Joined: Fri Sep 23, 2011 7:03 am

Re: Group Restriction when authenticating via Ldap

Post by swg0101 » Mon Oct 10, 2011 9:57 am

Can you clarify your problem?
What exactly are you trying to do (e.g. What kind of rules are you trying to apply)?
--- Sorry, I probably can't help you, so you can stop asking now... ;)

vmachine
OpenVpn Newbie
Posts: 15
Joined: Thu Oct 06, 2011 3:52 pm

Re: Group Restriction when authenticating via Ldap

Post by vmachine » Mon Oct 10, 2011 10:00 am

I have users authenticating via LDAP. I want a user to be restricted to only HTTPS to a specific server, so I added that rule to a group in the AS GUI; however, when I add that user to the group I can no longer log in with that account. Whenever I use local/PAM accounts the group permissions work perfectly, but not when using LDAP.

swg0101
OpenVPN User
Posts: 23
Joined: Fri Sep 23, 2011 7:03 am

Re: Group Restriction when authenticating via Ldap

Post by swg0101 » Mon Oct 10, 2011 10:02 am

Are you seeing any error messages in your Log Reports page?
--- Sorry, I probably can't help you, so you can stop asking now... ;)

vmachine
OpenVpn Newbie
Posts: 15
Joined: Thu Oct 06, 2011 3:52 pm

Re: Group Restriction when authenticating via Ldap

Post by vmachine » Mon Oct 10, 2011 10:10 am

I get "Authentication Failed" on the client, and this appears in the log. My group is called test. Are groups in AS related to groups in AD as well, or are they local?


group assignment failed: referenced group 'Test' either does not exist or does not define group_subnets: omi/auth:454,internet/defer:746,sagent/usersvc:1034,sagent/usersvc:415,sagent/usersvc:179,sagent/usersvc:165,sagent/usersvc:132 (pyovpn.sagent.usersvc.GroupError)

swg0101
OpenVPN User
Posts: 23
Joined: Fri Sep 23, 2011 7:03 am

Re: Group Restriction when authenticating via Ldap

Post by swg0101 » Mon Oct 10, 2011 8:55 pm

In the admin UI, under VPN Settings, do you have anything under Group Default IP Address Network (Optional)?
--- Sorry, I probably can't help you, so you can stop asking now... ;)

vmachine
OpenVpn Newbie
Posts: 15
Joined: Thu Oct 06, 2011 3:52 pm

Re: Group Restriction when authenticating via Ldap

Post by vmachine » Tue Oct 11, 2011 9:54 am

No, I left it empty.

iamkl00t
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 26, 2018 9:31 am

Re: Group Restriction when authenticating via Ldap

Post by iamkl00t » Tue Jun 26, 2018 9:32 am

I know this is an ancient post but I really wish vmachine had posted the solution... Having the same problem.

iamkl00t
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 26, 2018 9:31 am

Re: Group Restriction when authenticating via Ldap

Post by iamkl00t » Tue Jun 26, 2018 10:07 am

For anyone else having this issue here's what I did to get it to work:

VPN Settings
Dynamic IP Address Network - 10.8.0.64/26
Group Default IP Address Network (Optional) - 10.8.0.128/25

Group Permissions
I created a group called "LDAP-CorpVPN Users" (I had to delete this and recreate it)

post_auth script:
if 'CorpVPN Users' in ldap_groups:
    group = "LDAP-CorpVPN Users"


What finally kicked this into working was one of two things:

1. Deleting and recreating the "LDAP-CorpVPN Users" or
2. Deleting and recreating the "LDAP-CorpVPN Users" and NOT clicking on the 'more settings' button - (could clicking this have created empty config files?)

Not sure either way, but it is working, which is all I care about :) Just thought I would be nice and add what fixed this for me, as looking at the post count there are obviously a lot of people arriving here from Google like me.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Group Restriction when authenticating via Ldap

Post by novaflash » Tue Jun 26, 2018 10:11 am

It's really quite simple, the error says it all:

> group assignment failed: referenced group 'Test' either does not exist or does not define group_subnets:

So either the referenced group name didn't exist (test instead of Test, perhaps) in your post-auth script, or there are no subnets defined for groups. You can set a subnet in VPN Settings under group default IP address pool, or with each group individually.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
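As an added illustration of the failure novaflash describes (example code, not from the thread or from OpenVPN Inc.), the check below models how a post_auth-style mapping like iamkl00t's resolves an LDAP group to an Access Server group, and why assignment fails when the name does not match case-exactly or when neither the group nor VPN Settings defines a subnet. The group table, mapping and the post_auth() hook signature are assumptions, not the product's real internals.

```python
# Added example (not code from the thread or from OpenVPN Inc.): a model of the
# group lookup behind the GroupError quoted above. Group names, the mapping and
# the Access Server group table are constructed sample data; post_auth()'s
# signature and authret['proplist']['conn_group'] are assumptions about the hook.

class GroupError(Exception):
    """A mapped group cannot be used for connection assignment."""

def resolve_group(ldap_groups, mapping, as_groups, group_default_pool=None):
    """Return the Access Server group to assign, or None if no mapping matched.
    mapping: LDAP group -> Access Server group; as_groups: AS group -> settings,
    where settings may define 'group_subnets'; group_default_pool is the
    'Group Default IP Address Network' value from VPN Settings, if set."""
    for ldap_group, as_group in mapping.items():
        if ldap_group not in ldap_groups:
            continue
        settings = as_groups.get(as_group)  # exact, case-sensitive lookup
        if settings is None:
            near = [g for g in as_groups if g.lower() == as_group.lower()]
            hint = " (did you mean %r?)" % near[0] if near else ""
            raise GroupError("referenced group %r does not exist%s" % (as_group, hint))
        if not settings.get("group_subnets") and not group_default_pool:
            raise GroupError("referenced group %r does not define group_subnets "
                             "and no group default IP address network is set" % as_group)
        return as_group
    return None

def diagnose(ldap_groups, mapping, as_groups, group_default_pool=None):
    """Pre-flight check: the error text the user would hit, or None if assignment works."""
    try:
        resolve_group(ldap_groups, mapping, as_groups, group_default_pool)
    except GroupError as exc:
        return str(exc)
    return None

# Constructed sample data mirroring the two situations in the thread.
MAPPING = {"CorpVPN Users": "LDAP-CorpVPN Users", "VPN Test": "Test"}
AS_GROUPS = {
    "LDAP-CorpVPN Users": {"group_subnets": ["10.8.0.128/25"]},  # subnet set per group
    "test": {},  # exists, but lower-case and with no subnets defined
}

def post_auth(authcred, attributes, authret, info):
    """Assumed shape of the Access Server post_auth hook (illustrative only)."""
    group = resolve_group(info.get("ldap_groups", []), MAPPING, AS_GROUPS,
                          info.get("group_default_pool"))
    if group:
        authret.setdefault("proplist", {})["conn_group"] = group
    return authret
```

Running diagnose() against your own mapping and group list before enabling the script surfaces both causes named in the error message without a failed login.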

iamkl00t
OpenVpn Newbie
Posts: 3
Joined: Tue Jun 26, 2018 9:31 am

Re: Group Restriction when authenticating via Ldap

Post by iamkl00t » Tue Jun 26, 2018 1:00 pm

Yeah the issue was I had already ruled out both of those. The syntax was right (I never had to change it) and I HAD defined subnets for the group.

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Group Restriction when authenticating via Ldap

Post by novaflash » Tue Jun 26, 2018 1:42 pm

I've known Access Server long enough to know to trust the error. Something was not set up right. Most likely settings were saved but not applied, or some such thing. In any case, your particular case is solved, but from experience, this really is exactly as the error message says.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

tangerinehuge
OpenVpn Newbie
Posts: 1
Joined: Fri Jan 15, 2021 9:53 pm

Re: Group Restriction when authenticating via Ldap

Post by tangerinehuge » Fri Jan 15, 2021 9:56 pm

Updating this old post in case someone runs into this issue. I hit this error when restoring my config from an old system running 2.7.5 to one running a new version (2.8.7) during an upgrade. The solution for me was to delete and recreate the group. I didn't have to touch the subnets, which were empty for my config.
