On 02/03/12 15:32, michael-dev wrote:
> Hi,
>
> I've got an openvpn radius authentication plugin (username/password)
> here [1,2]. Though my radius server is really friendly to users (e.g.
> you might add or strip the domain as you like, upper/lower-case does
> not matter, users might have multiple usernames for different
> reasons), I still want each user to connect only once to openvpn in
> order to mitigate sharing credentials. Radius has the
> chargeable-user-identity reply attribute that could be used to set the
> common-name, but I did not find any way in openvpn to do this from
> plugin. Could a patch adding a way to set the common name from radius
> plugin similar to return_list in OPENVPN_PLUGIN_CLIENT_CONNECT_V2 be
> accepted?
>
I'm probably not awake enough to really understand what you try to solve.
But if you want to change the username to become the common-name after
the authentication, I struggle to see what that really solves.
You seem to have users with multiple usernames, but want them to only
connect once - no matter which user name they use.
The username itself is sent from the client and is never really used in
OpenVPN, except being sent further to either --auth-user-pass-verify or
a --plugin which has the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
flag set.
So changing the username from the plug-in would not really make any
difference at all, as a new connection from the same user would still
send the "other" username to the plug-in.
I would rather suggest enhancing your radius plug-in. On each successful
authentication save the chargeable-user-identity response in a
lookup-table.
For each authentication, first check the user name against this
lookup-table. If you get a match, tell OpenVPN to reject the connection
(OPENVPN_PLUGIN_FUNC_ERROR). If there's no match, continue with the
radius authentication, retrieve chargeable-user-identity response and do
another lookup to see if you get a match on this identity instead. If
you do, reject again. If you don't have a match, save this identity and
report OPENVPN_PLUGIN_FUNC_SUCCESS.
You would also need to add an extra plug-in hook,
OPENVPN_PLUGIN_CLIENT_DISCONNECT. This hook needs to remove the user from
this lookup table, to allow the user to connect again later on.
Does this make sense to you?
kind regards,
David Sommerseth
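The lookup-table scheme David sketches above, as an added example in plain C (not code from the radius plugin or from OpenVPN): the RADIUS round trip is replaced by a hypothetical radius_lookup_cui() that only simulates a realm- and case-insensitive server, FUNC_OK/FUNC_ERROR stand in for OPENVPN_PLUGIN_FUNC_SUCCESS/ERROR, and on_auth()/on_disconnect() are the bodies that the AUTH_USER_PASS_VERIFY and CLIENT_DISCONNECT hooks would call.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MAX_SESSIONS 64
#define FUNC_OK    1   /* stands in for OPENVPN_PLUGIN_FUNC_SUCCESS */
#define FUNC_ERROR 0   /* stands in for OPENVPN_PLUGIN_FUNC_ERROR */
/* Active session: username the client sent, CUI that RADIUS returned for it. */
struct session { char user[64]; char cui[64]; int in_use; };
static struct session table[MAX_SESSIONS];

/* Find an active session matching either the username or the CUI. */
static struct session *find_by(const char *user, const char *cui) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!table[i].in_use) continue;
        if (user && strcmp(table[i].user, user) == 0) return &table[i];
        if (cui && strcmp(table[i].cui, cui) == 0) return &table[i];
    }
    return NULL;
}

/* Hypothetical RADIUS stand-in: lower-case the part before '@', as a lenient server would. */
static int radius_lookup_cui(const char *user, char *cui, size_t n) {
    size_t i = 0;
    for (; user[i] && user[i] != '@' && i + 1 < n; i++)
        cui[i] = (char)tolower((unsigned char)user[i]);
    cui[i] = '\0';
    return i > 0;                                      /* 1 = authenticated, CUI filled */
}

/* AUTH_USER_PASS_VERIFY body: reject if this username, or the identity
 * behind it, is already connected; otherwise record the session. */
int on_auth(const char *user) {
    char cui[64];
    if (find_by(user, NULL)) return FUNC_ERROR;        /* same username */
    if (!radius_lookup_cui(user, cui, sizeof cui)) return FUNC_ERROR;
    if (find_by(NULL, cui)) return FUNC_ERROR;         /* same person, other name */
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].in_use) continue;
        snprintf(table[i].user, sizeof table[i].user, "%s", user);
        snprintf(table[i].cui, sizeof table[i].cui, "%s", cui);
        table[i].in_use = 1;
        return FUNC_OK;
    }
    return FUNC_ERROR;                                 /* table full */
}

/* CLIENT_DISCONNECT body: free the slot so the user can connect again. */
void on_disconnect(const char *user) {
    struct session *s = find_by(user, NULL);
    if (s) s->in_use = 0;
}
```

A real plugin would also have to cope with the table surviving a client that drops without a clean disconnect (for example by keying the table on the session rather than the username alone).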