Hello,
I am pretty new to OpenVPN installation - so I may not use appropriate terms in the following description:
I would like to set up an OpenVPN for remote access to a private server (pretty standard so far).
Is there any way of also authenticating users of an application based on the VPN user connected?
If the user "user1" connects to the server through the VPN tunnel, is there any way of knowing, on the application side, that the current user is "user1"?
The application consists of 2 parts: one web-based J2EE application and one industry-specific exchange protocol, but I can change the application to link with an authentication module if needed.
Thanks for your help.
HR
VPN + application authentication SSO
- maikcat
Re: VPN + application authentication SSO
hi there,
if the application server is on a separate server,
i can only think of associating clients ip address with apps usernames (you can make your clients use static ips).
if the application is on the same server with openvpn
you can use some environmental variables that openvpn also uses...
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
Re: VPN + application authentication SSO
I thought of using static IP addresses, but I don't find it to be an elegant solution...
I will go this way if nothing else can work.
My point was that, as the user is authenticated when connecting to the VPN, why not propagate this authentication further to the application layer.
My ideal setup would be:
- link VPN and LDAP (easy)
- link application and LDAP to get authorization rights
- use VPN authentication in application layer
So the only authentication arises at VPN connection. Everything is accessible with appropriate rights.
I don't see it as not feasible (theoretically) but was hoping to find some out-of-the-box solution or ideas to pick building blocks.
- janjust
Re: VPN + application authentication SSO
openvpn can authenticate users against an LDAP database; if you can modify your LDAP database to record the login time then you can use the LDAP database to verify whether a user is logged on or not... this depends largely on your LDAP setup, however.
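Added example, not part of the thread and not OpenVPN project code: one way to build the address-to-user association maikcat suggests, using the environment variables OpenVPN exports to its `client-connect` and `client-disconnect` hooks (`script_type`, `common_name`, `ifconfig_pool_remote_ip`). The session directory and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Hook for OpenVPN's client-connect / client-disconnect directives
# (user-defined scripts need "script-security 2" in the server config).
# Writes one file per tunnel IP holding the authenticated user name, so
# an application can map a peer address back to a VPN user.
# SESSION_DIR is an assumed location, not an OpenVPN default.
SESSION_DIR="${SESSION_DIR:-/var/run/openvpn-sessions}"

# Strict dotted-quad shape: the address becomes a file name, so it must
# not be able to contain "/" or resolve to "." or "..".
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) return 0 ;;
    esac
    return 1
}

# Conservative user-name alphabet: no whitespace, slashes or newlines.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9._@-]*) return 1 ;; esac
}

# record_session USER TUNNEL_IP: write atomically (temp file + rename)
# so a reader never sees a half-written entry.
record_session() {
    valid_ip "$2" && valid_name "$1" || return 1
    mkdir -p "$SESSION_DIR" || return 1
    tmp=$(mktemp "$SESSION_DIR/.tmp.XXXXXX") || return 1
    printf '%s\n' "$1" > "$tmp" && chmod 0644 "$tmp" &&
        mv -f "$tmp" "$SESSION_DIR/$2"
}

# drop_session TUNNEL_IP: forget the mapping when the client leaves.
drop_session() { valid_ip "$1" && rm -f "$SESSION_DIR/$1"; }

# lookup_user PEER_IP: what the application side would call.
lookup_user() {
    valid_ip "$1" && [ -f "$SESSION_DIR/$1" ] && cat "$SESSION_DIR/$1"
}

# Dispatch only when invoked by OpenVPN, which sets script_type.
case "${script_type:-}" in
    client-connect)    record_session "$common_name" "$ifconfig_pool_remote_ip" ;;
    client-disconnect) drop_session "$ifconfig_pool_remote_ip" ;;
esac
```

The mapping is only meaningful for connections that arrive over the tunnel interface; the application should refuse to apply it to traffic from any other interface, and entries left behind by an unclean server stop should be cleared at startup.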