Hi, thanks for the hint. I did this, and below is the related script (I decided to use RADIUS in this case).
Code:

from pyovpn.plugin import *

def post_auth(authcred, attributes, authret, info):
    # Create user prop list, if one does not already exist
    proplist = authret.setdefault('proplist', {})
    # user properties to save
    proplist_save = {}
    # Proceed with post_auth script if the server is using RADIUS, otherwise skip this script
    if info.get('auth_method') == 'radius':
        # Every valid user should be able to connect to the VPN
        authret['proplist']['prop_autogenerate'] = 'true'
        # If user belongs to any groups, set group for that user using priority below
        if 11 in info['radius_reply']:
            print("***** RADIUS-Reply: users groups list:", ''.join(info['radius_reply'].get(11)))
            groups = ''.join(info['radius_reply'].get(11))
            radius_groups = groups.split(";")
            # Adjust these to map the user's radius group membership to an Access Server group.
            # Most privileged group first; the first match wins.
            group = None
            if 'test' in radius_groups:
                group = "test"
            elif 'test1' in radius_groups:
                group = "test1"
            # Only set conn_group when a mapping matched; otherwise 'group' would be unbound
            # and the plugin would raise NameError for users outside the mapped groups.
            if group is not None:
                authret['proplist']['conn_group'] = group
                proplist_save['conn_group'] = group
    return authret, proplist_save
I made it in the same way as done in the script for LDAP: groups attach to a person in strict order from the most powerful to the least privileged.
This solution is quite simple and I think it can be useful for other people using Okta as SSO for OpenVPN Access Server who want to use Okta groups for providing network access permissions.
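The priority-ordered mapping described above, as an added example that is not the poster's script: the RADIUS group parsing and the "most privileged match wins" selection are factored into plain functions so they run and can be tested without the pyovpn module. The group names, the priority list and the shape of the `info` dictionary are assumptions taken from the post, and a user with no mapped group is left on the server's default group rather than crashing the plugin.

```python
# Added example, not the original poster's code. The pyovpn plugin API is only
# mirrored here (same post_auth signature, same authret/info layout as the post).

# Highest-privilege group first, mirroring the post's if/elif chain (assumed names).
GROUP_PRIORITY = ("test", "test1")


def parse_radius_groups(radius_reply):
    """Return the group names carried in RADIUS attribute 11 (Filter-Id).

    Like the post, the attribute's values are joined into one string and split
    on ';', so ["test1;", "test"] and "test1;test" both give ["test1", "test"].
    Empty items and surrounding whitespace are dropped.
    """
    values = radius_reply.get(11)
    if not values:
        return []
    joined = ''.join(values) if isinstance(values, (list, tuple)) else str(values)
    return [g.strip() for g in joined.split(';') if g.strip()]


def choose_group(radius_groups, priority=GROUP_PRIORITY):
    """Pick the most privileged mapped group the user belongs to, or None."""
    members = set(radius_groups)
    for name in priority:          # priority order decides, not membership order
        if name in members:
            return name
    return None


def post_auth(authcred, attributes, authret, info):
    proplist = authret.setdefault('proplist', {})
    proplist_save = {}
    if info.get('auth_method') != 'radius':   # only act for RADIUS logins
        return authret, proplist_save
    proplist['prop_autogenerate'] = 'true'    # every valid user may connect
    group = choose_group(parse_radius_groups(info.get('radius_reply', {})))
    if group is not None:
        proplist['conn_group'] = group
        proplist_save['conn_group'] = group
    # No match: conn_group stays unset, so the user keeps the server's default
    # group instead of the plugin failing with an unbound variable.
    return authret, proplist_save
```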