Alexander Littell wrote:
> How difficult would it be to program the openvpn-status.log to show
> usernames instead of common names? Or maybe both. Any thoughts on how to
> do this?
>
> I could be wrong, but I would guess that most OpenVPN administrators are
> using username/password pairs instead of certificates to authenticate their
> clients. Well, I do anyway. :)

I'm assuming "openvpn-status.log" is the file created by the status
directive (different folks can call it different things -- and it has
two different formats available). I believe that already *will* show
usernames if you have username-as-common-name specified; is this
understanding incorrect?

In any event, while I request both usernames and certificates, the
certificates are more useful in logs (as our certificates specify an
individual machine as well as the user who owns that machine, whereas
the usernames specify only the individual who owns the machine but not
the specific host).

Are you using username-as-common-name? How about duplicate-cn? (It's
much better to have unique certificates -- but if you're authenticating
by username and aren't using certificates properly, using
username-as-common-name and not duplicate-cn should give you more
management control than using duplicate-cn and leaving off
username-as-common-name, as in this latter case you can't identify
individual clients for disconnect commands or such).

I think that this subthread belongs in openvpn-users rather than
openvpn-devel. I'm sending it to both; please reply only in openvpn-users.
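
The point in the reply about duplicate-cn leaving clients indistinguishable can be checked against the status file itself. The following is an added example, not part of the original message or of OpenVPN's own code: it assumes `status-version 2` output, where a `HEADER,CLIENT_LIST` line names the columns, and it runs on a constructed sample that includes a `Username` column; the function names are hypothetical.

```python
import csv
from collections import defaultdict

# Constructed sample of `status-version 2` output (not from the thread).
# Two sessions share one common name, as happens with duplicate-cn.
SAMPLE_STATUS = """\
TITLE,OpenVPN (constructed sample)
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
CLIENT_LIST,shared-cert,198.51.100.7:41000,10.8.0.6,1200,3400,Mon Jan  1 10:00:00 2024,1704103200,alice
CLIENT_LIST,shared-cert,203.0.113.9:52000,10.8.0.10,800,900,Mon Jan  1 10:05:00 2024,1704103500,bob
CLIENT_LIST,carol-laptop,192.0.2.44:33000,10.8.0.14,500,700,Mon Jan  1 10:07:00 2024,1704103620,carol
END
"""


def parse_clients(text):
    """Return one dict per CLIENT_LIST row, keyed by the HEADER column names."""
    columns, clients = [], []
    for row in csv.reader(text.splitlines()):
        if row[:2] == ["HEADER", "CLIENT_LIST"]:
            columns = row[2:]  # column names follow the two tag fields
        elif row and row[0] == "CLIENT_LIST" and columns:
            clients.append(dict(zip(columns, row[1:])))
    return clients


def ambiguous_common_names(clients):
    """Map each common name held by more than one session to those sessions."""
    by_cn = defaultdict(list)
    for c in clients:
        # Username is empty when the status layout has no such column.
        by_cn[c["Common Name"]].append(
            (c["Real Address"], c.get("Username", "")))
    return {cn: s for cn, s in by_cn.items() if len(s) > 1}


if __name__ == "__main__":
    found = ambiguous_common_names(parse_clients(SAMPLE_STATUS))
    for cn, sessions in found.items():
        print(f"{cn}: {len(sessions)} sessions share this name: {sessions}")
```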