Is it possible to configure that the commonName of the certificate has to be equal to the LDAP login name?
Posted: Wed Jun 21, 2023 3:38 pm
Sorry if this is a simple question, but I couldn't find the solution.
I use the following lines to let the server check for a valid SSL certificate AND a valid OpenLDAP authentication:
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/auth-ldap.conf
verify-client-cert require
username-as-common-name
It works fine, the OpenVPN server only allows clients with a valid certificate and a valid LDAP account.
But OpenVPN does not stop the connection if the commonName of the certificate is different from the OpenLDAP login name.
So for example Alice can use the certificate from Bob and use her login alice to start the connection.
On the server there are messages like:
... alice/10.11.12.13:12345 MULTI: bad source address from client [10.11.12.13:], packet dropped
but the connection is still active.
Is there any way to make OpenVPN stop connections when the commonName of the certificate is not equal to the LDAP login name?
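One way to enforce the check the post asks for, as an added example that is not part of the original post and not code from the OpenVPN project or the openvpn-auth-ldap plugin: a server-side auth-user-pass-verify script that compares the username the client sent with the CN of the client certificate and fails the login when they differ. It assumes the script is installed at a hypothetical path /etc/openvpn/cn-matches-user.sh and wired in with `script-security 2` and `auth-user-pass-verify /etc/openvpn/cn-matches-user.sh via-file` next to the existing plugin line; with via-file OpenVPN passes the username on line 1 and the password on line 2 of a temporary file whose path is `$1`, and sets the certificate CN in the `common_name` environment variable (the username-as-common-name substitution is only applied after authentication has succeeded, so the script still sees the certificate CN). When both a plugin and a script are configured, the login succeeds only if both accept it.

```shell
#!/bin/sh
# cn-matches-user.sh: added example, not from the forum post, OpenVPN or openvpn-auth-ldap.
# Rejects the login unless the LDAP username sent by the client equals the CN of the
# client certificate. Assumed (hypothetical) server.conf additions:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/cn-matches-user.sh via-file
# OpenVPN runs both the LDAP plugin and this script; the login succeeds only if both do.

# Read the username from the via-file temp file (line 1 = username, line 2 = password).
read_username_from_file() {
    # Only the first line is needed; the password is never read into a variable here.
    head -n 1 "$1"
}

# Return 0 when the username equals the certificate CN, 1 otherwise.
# Empty values are rejected so a missing CN can never "match" an empty login.
check_user_matches_cert() {
    user=$1
    cn=$2
    if [ -z "$user" ] || [ -z "$cn" ]; then
        echo "cn-check: empty username or certificate CN, rejecting" >&2
        return 1
    fi
    if [ "$user" != "$cn" ]; then
        echo "cn-check: username '$user' does not match certificate CN '$cn', rejecting" >&2
        return 1
    fi
    return 0
}

# Entry point when invoked by OpenVPN: $1 is the via-file path and common_name is the
# certificate CN at this point (username-as-common-name replaces it only after auth succeeds).
# Skipped when neither is present, so the functions above can be exercised on their own.
if [ -n "${1:-}" ] && [ -n "${common_name:-}" ]; then
    check_user_matches_cert "$(read_username_from_file "$1")" "$common_name"
    exit $?
fi
```

The comparison is exact and case-sensitive on purpose: the CN is set by the CA when the certificate is issued, so it is the controlled value. If the LDAP directory treats login names case-insensitively and users type them in mixed case, normalise both sides with `tr '[:upper:]' '[:lower:]'` before comparing rather than loosening the check in any other way. In the scenario from the post, Alice presenting Bob's certificate with the login alice would now be rejected at authentication instead of getting a tunnel whose packets are merely dropped.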