Bug #1613
closed
OpenVPN LDAP authentication should not modify mail attribute as login.
0%
Description
I have setup an LDAP user directory, using mail as the unique search key (to find users). In the organisation I work for (>100K employees), this is the unique attribute that is the key to all other authentication activities - and that the users use instinctively.
In /etc/inc/auth.inc, around line 902 (which is called when openvpn authenticates a user with user auth), if a username is presented with an '' character, it is split around the '' to get the left hand side value - which means that an LDAP attribute of "mail" cannot be used to authenticate an OpenVPN user. In an example, of fred@example.com, there may be many "fred"'s in the organisation, and the search of (mail=fred) - the resulting query - will always fail.
While I guess the split was there for other reasons, I dont believe it is the right approach for ldap attributes - particularly those that are used to store email addresses.
Updated by Chris Buechler almost 13 years ago
- Category set to OpenVPN
- Affected Version set to 2.0
Updated by Deon George almost 13 years ago
The HTML (or something) has parsed my "description" and removed the "at" character. So all references to '' (double quote), should be read as quote at quote. :)
Updated by Deon George almost 13 years ago
I've just realised my example is not a good one - in the company that I work for, our email addresses are in the form of fred@xx.example.com, where XX is the ISO country code of where fred is located. Thus our uniqueness is a combination of the email id (left hand side of the at) and domain name. If there is a fred@au.example.com, and fred@nz.example.com, then fred cannot login since the code will pick out the "fred" on the left hand side of the at as the user name (if the query did work in the first place).
Updated by Kill Bill over 6 years ago
This has been configurable for ~4 years; fixed.
https://github.com/pfsense/pfsense/commit/a5cd1c5a4286062b84caf32df860f2e2f2e204aa
Updated by