OpenVPN LDAP authentication should not modify mail attribute as login.
Affected version: 2.0 | Affected Architecture:
I have set up an LDAP user directory, using mail as the unique search key (to find users). In the organisation I work for (>100K employees), this is the unique attribute that is the key to all other authentication activities - and that the users use instinctively.
In /etc/inc/auth.inc, around line 902 (which is called when OpenVPN authenticates a user with user auth), if a username is presented with an '@' character, it is split around the '@' to get the left-hand-side value - which means that an LDAP attribute of "mail" cannot be used to authenticate an OpenVPN user. In an example of firstname.lastname@example.org, there may be many "fred"s in the organisation, and the search of (mail=fred) - the resulting query - will always fail.
While I guess the split was there for other reasons, I don't believe it is the right approach for LDAP attributes - particularly those that are used to store email addresses.
#2 Updated by Deon George almost 2 years ago
The HTML (or something) has parsed my "description" and removed the "at" character. So all references to '' (double quote), should be read as quote at quote. :)
#3 Updated by Deon George almost 2 years ago
I've just realised my example is not a good one - in the company that I work for, our email addresses are in the form of email@example.com, where XX is the ISO country code of where fred is located. Thus our uniqueness is a combination of the email ID (left-hand side of the at) and domain name. If there is a firstname.lastname@example.org and an email@example.com, then fred cannot log in, since the code will pick out the "fred" on the left-hand side of the at as the user name (if the query did work in the first place).
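To make both failure cases concrete (the split at '@' from the description, and the two-country "fred" case from comment #3), here is an added Python illustration; it is not pfSense's auth.inc, and the directory entries, function names and the tiny stand-in search are constructed for the example. It also escapes the login per RFC 4515 so the value is matched literally rather than interpreted as filter syntax.

```python
import re

# Characters that RFC 4515 requires to be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login so it is matched literally and cannot alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value (used only by the stand-in search below)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def legacy_search_filter(attr: str, username: str) -> str:
    """Behaviour the report describes: everything after '@' is dropped, so a
    mail-keyed directory is queried with only the local part of the address."""
    login = username.split("@", 1)[0]
    return f"({attr}={escape_filter_value(login)})"


def mail_search_filter(attr: str, username: str) -> str:
    """Proposed behaviour: keep the full login so 'mail' can be the search key."""
    return f"({attr}={escape_filter_value(username)})"


# Constructed sample directory standing in for the LDAP server; two users share
# the local part 'fred' and differ only in the country-coded domain.
DIRECTORY = [
    {"dn": "uid=fred1,ou=people,dc=example,dc=org", "mail": "fred@au.example.org"},
    {"dn": "uid=fred2,ou=people,dc=example,dc=org", "mail": "fred@nz.example.org"},
]


def search(directory, search_filter: str) -> list:
    """Minimal stand-in for an LDAP equality search over '(attr=value)'.
    Values are compared literally after unescaping, so an escaped '*' is a
    plain character rather than a wildcard."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", search_filter)
    if not m:
        raise ValueError(f"unsupported filter: {search_filter}")
    attr, value = m.group(1), unescape_filter_value(m.group(2))
    return [entry["dn"] for entry in directory if entry.get(attr) == value]


if __name__ == "__main__":
    for build in (legacy_search_filter, mail_search_filter):
        f = build("mail", "fred@nz.example.org")
        print(f"{build.__name__}: {f} -> {search(DIRECTORY, f)}")
```

Run stand-alone, the legacy filter collapses to `(mail=fred)` and matches nobody, while the full-login filter returns exactly the New Zealand fred.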