On 27/08/13 14:00, Nikolaos Milas wrote:
> Hello,
> 
> I am using OpenVPN Community openvpn-2.2.2-1.el6.x86_64 on CentOS
> 6.4 x86_64 using two-factor auth, certs and ldap - by calling the
> ldap plugin:
> 
> plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so 
> /etc/openvpn/auth/ldap.conf
> 
> Is there a way to specify (using a ccd file) that a particular
> client will authenticate only using certs, effectively disabling
> the ldap plugin for that client?
> 
> This means that the particular client will use single-factor
> authentication.

I've played a lot with OpenVPN plug-ins, and have even written my own
authentication plug-in [1] to resolve similar issues.  Unfortunately
there are a few things to beware of, as it might open up access in
unexpected ways.

There is no possibility of using CCD to resolve this issue at all.  But
you have the --auth-user-pass-optional option you can use on the
server side.  But you need a slightly more intelligent
--auth-user-pass-verify (or an auth --plugin) which can handle the
username/password fields being empty.  In addition(!), an additional
certificate check should be added, so that you restrict this feature to
only selected certificates.  Otherwise, any client can just remove
--auth-user-pass from their client configs and gain access.

What I would rather recommend is that you use a more static password
on those clients you don't want to have two-factor auth on.  And in
their client configs, use --auth-user-pass $FILE, where $FILE is the
path to a plain text file stored on the client.  The contents of this
file are the username on the first line and the password on the second.

This way, you don't need to do anything special on your server side,
and you still have two-factor auth for all clients.

Otherwise, you need a more clever plug-in to handle that.  With the
latest git code base of my eurephia plug-in, it should be possible to
add a "dummy authentication" which just ignores usernames/passwords
(even empty ones) and authenticates only against the certificate, for
those clients where you only want single-factor auth.

[1] <http://www.eurephia.net/>


-- 
kind regards,

David Sommerseth
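The script below is an added example, not part of the post above and not OpenVPN's or eurephia's own code. It shows the "slightly more intelligent" --auth-user-pass-verify script the reply describes: when the client sends empty credentials (which is what --auth-user-pass-optional allows), it only accepts certificates whose CN is on an explicit allow-list, so that a client cannot simply drop --auth-user-pass from its config and skip the second factor. The server.conf lines, the paths /etc/openvpn/auth/cert-only-clients and /etc/openvpn/auth/ldap-verify.sh, and the CERT_ONLY_LIST and PASSWORD_VERIFIER variables are assumptions for illustration; the existing LDAP check is delegated to whatever command you put behind PASSWORD_VERIFIER.

```shell
#!/bin/sh
# Added example (not from the post, OpenVPN, or eurephia): a hypothetical
# --auth-user-pass-verify script that lets only an explicit allow-list of
# certificate CNs skip the second factor.  Assumed server.conf lines:
#
#   script-security 2
#   auth-user-pass-optional
#   auth-user-pass-verify /etc/openvpn/auth/cert-or-password.sh via-file
#
# With "via-file" OpenVPN passes a temporary file as $1 (username on line 1,
# password on line 2; both lines empty when the client sent no credentials)
# and exports the TLS-verified certificate CN as $common_name.

# Assumed paths: one CN per line in the allow-list; the verifier is any
# command that takes the credentials file and exits 0 on success (e.g. a
# wrapper around your existing LDAP check).
CERT_ONLY_LIST="${CERT_ONLY_LIST:-/etc/openvpn/auth/cert-only-clients}"
PASSWORD_VERIFIER="${PASSWORD_VERIFIER:-/etc/openvpn/auth/ldap-verify.sh}"

# Exit 0 only when the CN is non-empty and matches a whole line of the
# allow-list (-F -x: fixed string, full-line match, so "alice" does not
# match "alice-laptop" or "malice").
cn_is_cert_only() {
    cn=$1
    [ -n "$cn" ] && [ -r "$CERT_ONLY_LIST" ] && grep -Fxq -- "$cn" "$CERT_ONLY_LIST"
}

# verify_client CREDS_FILE COMMON_NAME -> exit 0 (accept) / 1 (reject)
verify_client() {
    creds=$1
    cn=$2
    # An unreadable credentials file must reject, not fall into the
    # "empty credentials" branch below.
    [ -r "$creds" ] || return 1
    user=$(sed -n '1p' "$creds")
    pass=$(sed -n '2p' "$creds")

    if [ -z "$user" ] && [ -z "$pass" ]; then
        # Client sent nothing.  With --auth-user-pass-optional alone OpenVPN
        # still calls us, so this is exactly where any cert holder could
        # bypass the second factor.  Only listed CNs may do so.
        cn_is_cert_only "$cn"
        return $?
    fi

    # Credentials present: the certificate already passed TLS verification,
    # now the password check must succeed as well (two factors).
    "$PASSWORD_VERIFIER" "$creds"
}

# Entry point when OpenVPN runs this script (one argument: the creds file).
if [ $# -eq 1 ]; then
    verify_client "$1" "${common_name:-}"
    exit $?
fi
```

Two things to check before deploying something like this: the allow-list file must be writable only by root (anyone who can append a CN to it turns that certificate into a single-factor credential), and the match must be exact and on the full CN, since a prefix or substring match would let a certificate issued for a similarly named client inherit the exemption.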

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
