Feature #1260
closed
Allow other Backends for Remote Access ( SSL/TLS + User Auth )
0%
Description
Currently in 2.0 BETA5, only the local user db is allowed for use in a Remote Access ( SSL/TLS + User Auth ) template. Not sure why this limitation exists, but it obviously wouldn't be typical in any OpenVPN implementation outside of pfSense. Is this an oversight in so far as simply a gui limitation, or can this and the 'client-cert-not-required' directive be lifted?
Updated by Jim Pingle about 13 years ago
It's currently done that way because only with Local auth can you manage both the users and the certificates easily in the GUI.
With LDAP or Radius you could make the certificates in the GUI (or elsewhere) but they couldn't be automated or tied in any meaningful way to user accounts. You'd have to manually make certificates for each user you want to connect, and ensure that the common name of the certificate matches the username.
Updated by John Doe about 13 years ago
Ok, I understand but that's a bit pedantic as this is how it is in every other installation outside of pfSense. My vote would still be to relax it:)
Updated by Chris Buechler about 13 years ago
- Target version set to 2.1
We were really overthinking it, it can be as simple as forcing individual certificates to be created. It doesn't have to know about the users, or provide an easy way to create the certs by checking for users that actually exist. It could do that for LDAP in the future, show a list of users so you can easily bulk-create certs, but just showing a list of all certs on the appropriate CA would suffice for a quick fix.
Updated by John Doe about 13 years ago
Jim/Chris,
I plan on getting an important box updated to 2.0rc1 which requires secondary auth via ldap with SSL/TLS. As I see Chris has set the target for 2.1, could you guys point me to the php file I would need to modify to bypass the check and I will hack away at making it work?
Thanks!
Updated by Jim Pingle about 13 years ago
Most likely you're looking at /etc/openvpn.inc and /usr/local/www/vpn_openvpn_server.php - and if you want to fixup the export package to handle it, /usr/local/pkg/openvpn-client-export.inc and /usr/local/www/vpn_openvpn_export.php would need to be fixed to handle the case where the user isn't known, to just list certificates instead of users.
Updated by Jim Pingle almost 13 years ago
- Status changed from New to Feedback
I changed the code around a while back to allow this, didn't realize there was still a ticket hanging out for it. This should be working properly in the GUI and the exporter these days.
Updated by Chris Buechler almost 13 years ago
- Target version changed from 2.1 to 2.0
Updated by Chris Buechler over 12 years ago
- Status changed from Feedback to Resolved