OpenVPN Support Forum

Community Support Forum
https://forums.openvpn.net/

Is it possible to set the expiration date for the access account?

https://forums.openvpn.net/viewtopic.php?t=32335

Page 1 of 1

Is it possible to set the expiration date for the access account?

Posted: Thu May 20, 2021 2:00 am
by seirian
Hi.
First of all, we ask for your understanding that you are using a translator to speak English incorrectly.
As the title suggests, I am wondering if it is possible to limit the expiration date for user accounts that access through the server after the access server is built.
Even if you look for a method, we do not have a separate guide, so we will contact you, so please advise if anyone knows.
Thank you.

Re: Is it possible to set the expiration date for the access account?

Posted: Thu May 20, 2021 4:17 pm
by openvpn_inc
Hi There,

Can you please elaborate on the details of your inquiry?
What do you mean by setting an expiration date for the access account?
Are you pertaining to the inactivity timeout?
Please provide more details for your inquiry. Thank you!
seirian wrote:
Thu May 20, 2021 2:00 am
 Hi.
First of all, we ask for your understanding that you are using a translator to speak English incorrectly.
As the title suggests, I am wondering if it is possible to limit the expiration date for user accounts that access through the server after the access server is built.
Even if you look for a method, we do not have a separate guide, so we will contact you, so please advise if anyone knows.
Thank you.
Regards,
Crowley

Re: Is it possible to set the expiration date for the access account?

Posted: Thu May 20, 2021 11:29 pm
by chilinux
I think he is asking if he can set an account/certificate expiration similar to how Linux has "usermod --expiredate" or how Active Directory has "Account Expires."

The answer is this is not provided directly in the web administration portal right now.

If you are using an external authenticaion source such as LDAP and the account has expired on that then the user will no longer be able to login. However, their existing VPN user certificate will still be valid and existing VPN connections will still continue.

OpenVPN AS does have expirations applied to the certificates issued but all of them are set to be valid for 3,650 days with no option for the administration to change the length.

But an expiration can still be applied using the sacli script by establishing a Linux "at" job.

For example, if you need OpenVPN AS user "consultant" expired after 1 week, you can do the following over ssh to the OpenVPN AS server:

Code: Select all

at now + 1 week << EOF
SACLI=/usr/local/openvpn_as/scripts/sacli
ID=consultant
$SACLI --user $ID --key prop_deny --value true UserPropPut
$SACLI --user $ID RevokeUser
$SACLI --user $ID DisconnectUser
EOF
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/