Re: [Openvpn-users] Certificate common name & auth-user-pass-verify

[Alon Bar-Lev <alon.barlev@xxxxxxxxx>]

Nuno Marques wrote:
> Hi,
>
> I'm giving a different certificate to each user, and all the
> ceertificates have the correct username in them, but I also need the
> username/password to validate the user in the Active Directory, so it
> can happen that one user have one certificate with common name John Doe,
> but when asked for user/pass to perform validation in the AD puts Robert
> Doe.
>
> If the Robert Doe user exists in the AD and the password entered is
> correct, that user will login with an ID different of the one present in
> the certificate.
>
> Thanks,
>
> Nuno Marques

I still do not understand.
Let's say that you achieve your goal... You forced the user 
to use Certificate+User+Password in order to establish the 
VPN connection.

How do you avoid the user to issue a command like:
NET USE \\xxx\cccc /user:aaaa
And connect to the network using a different user?

There are two layers of access control, network layer and 
application layer, they are independent.

Using a certificate and not username+password is the right 
way to go, since if the user prove that he has access to the 
private key is stronger than if the user knows a password.

You can check if this certificate matches some user in your 
directory... But this is unnecessary if you revoke the 
certificate of users who leave your site.

After said that, have you checked common_name environment 
variable? Looking at the code it should be set to the 
common_name of the client certificate.

Best Regards,
Alon Bar-Lev.


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users