Alon Bar-Lev wrote:
> Nuno Marques wrote:
>
>> Hi,
>>
>> I'm giving a different certificate to each user, and all the
>> certificates have the correct username in them, but I also need the
>> username/password to validate the user in the Active Directory, so it
>> can happen that one user has one certificate with common name John Doe,
>> but when asked for user/pass to perform validation in the AD puts Robert
>> Doe.
>>
>> If the Robert Doe user exists in the AD and the password entered is
>> correct, that user will login with an ID different from the one present in
>> the certificate.
>>
>> Thanks,
>>
>> Nuno Marques
>
> I still do not understand.
> Let's say that you achieve your goal... You forced the user to use
> Certificate+User+Password in order to establish the VPN connection.
>
> How do you prevent the user from issuing a command like:
> NET USE \\xxx\cccc /user:aaaa
> And connecting to the network using a different user?
>
> There are two layers of access control, network layer and application
> layer, they are independent.
>
> Using a certificate and not username+password is the right way to go,
> since if the user proves that he has access to the private key it is
> stronger than if the user knows a password.
>
> You can check if this certificate matches some user in your
> directory... But this is unnecessary if you revoke the certificate of
> users who leave your site.
>
> Having said that, have you checked the common_name environment variable?
> Looking at the code it should be set to the common_name of the client
> certificate.
>
> Best Regards,
> Alon Bar-Lev.
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log
> files for problems? Stop! Download the new AJAX search engine that makes
> searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

I understand your point but using this approach (certificate + user/pass) has some advantages:

- Only the users that have a certificate can connect to the VPN
- Even if the certificate is stolen, the thief will only connect if he knows the Active Directory password
- Our AD makes users change their password every 6 months; since the certificates don't have a password, a user that changes the password on AD can connect without having to change certificates
- And more important, most of our users are not used to certificates, but are familiar with using AD, this way they don't even know they are using certificates

Nuno Marques

--
Nuno Marques <nmarques@xxxxxxxxxxx>
Systems Administration DI-FCUL
Faculdade de Ciências da Universidade de Lisboa
Campo Grande - Edificio C6 - Piso 3
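Enforcing the check Alon hints at (OpenVPN's common_name environment variable) as an added example, not code from this thread: an auth-user-pass-verify script that rejects the connection unless the username the client typed matches the certificate's common name, so a "John Doe" certificate can no longer be used with "Robert Doe" AD credentials. It assumes the via-file method and the script-security 2 setting shown in the comments; /etc/openvpn/ad-auth.sh is a placeholder for the site's own AD validation script.

```shell
#!/bin/sh
# Added example. Assumed server.conf lines (not from the thread):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/check-cn.sh via-file
# In via-file mode OpenVPN passes a temp file as $1 (line 1 = username,
# line 2 = password) and exports common_name from the client certificate.

# Succeed (status 0) only when both values are present and equal.
# AD logons are case-insensitive, so the comparison lowercases both sides;
# drop the tr calls if the CNs in your CA are meant to match exactly.
cn_matches_user() {
    cn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    user=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ -n "$user" ] && [ "$cn" = "$user" ]
}

# First line of the credentials file is the username OpenVPN collected.
username_from_file() {
    head -n 1 "$1"
}

# Entry point when OpenVPN runs the script; skipped when no file is given.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ] && [ -f "$1" ]; then
    typed_user=$(username_from_file "$1")
    if cn_matches_user "$common_name" "$typed_user"; then
        # CN and typed username agree: hand the file to the existing AD
        # check. The path below is a placeholder for your own script.
        exec /etc/openvpn/ad-auth.sh "$1"
    fi
    echo "auth rejected: certificate CN '$common_name' != username '$typed_user'" >&2
    exit 1
fi
```

OpenVPN logs the script's stderr, so a mismatch leaves a line naming both identities for later review.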