Description
When you configure users, you can assign only one group to each user at a time. In some scenarios, however, a user needs to inherit access rules or properties from additional groups. In those cases, the inherit.x directive lets you configure a user to inherit properties from multiple groups at the same time, with no limit on the number of groups the user can inherit.
sacli --user "<USER_GROUP>" --key "inherit.x" --value "GROUP" UserPropPut
sacli start
This article describes common scenarios where you can use this directive to let users inherit properties from multiple groups.
Scenario 1
Suppose you have three groups with access to specific subnets:
group_A has access to 192.0.2.0/24.
group_B has access to 198.51.100.0/24.
group_C has access to 203.0.113.0/24.
One user needs access to 192.0.2.0/24 and 203.0.113.0/24. If the user belongs to group_A, they inherit access to 192.0.2.0/24. Because you can assign only one group to a user, you can use the inherit.x directive to also inherit properties from group_C.
sudo su
sacli --user "openvpn" --key "inherit.0" --value "group_C" UserPropPut
sacli start
After you apply the change, you can confirm it in the user properties.
root@BackupAS:~# sacli --pfilt openvpn userpropget
{
"openvpn": {
"conn_group": "group_A",
"inherit.0": "group_C",
"prop_superuser": "true",
"type": "user_compile"
On the client, you can also confirm that the expected routes are pushed and appear in the routing table.
From client logs in OpenVPN Connect:
IPHelper: add route 100.64.0.0/10 8 172.27.242.1 metric=101
IPHelper: add route 67.207.67.2/32 8 172.27.242.1 metric=101
IPHelper: add route 67.207.67.3/32 8 172.27.242.1 metric=101
IPHelper: add route 192.0.2.0/24 8 172.27.242.1 metric=101 <-- Subnet from group_A
IPHelper: add route 203.0.113.0/24 8 172.27.242.1 metric=101 <-- Subnet from group_C
From the client’s terminal:
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
67.207.67.2 255.255.255.255 172.27.242.1 172.27.242.11 102
67.207.67.3 255.255.255.255 172.27.242.1 172.27.242.11 102
100.64.0.0 255.192.0.0 172.27.242.1 172.27.242.11 102
192.0.2.0 255.255.255.0 172.27.242.1 172.27.242.11 102
203.0.113.0 255.255.255.0 172.27.242.1 172.27.242.11 102
If the user doesn’t belong to group_A, you can still inherit properties from both groups by adding group_A as a secondary inherited group.
sacli --user "openvpn" --key "inherit.0" --value "group_C" UserPropPut
sacli --user "openvpn" --key "inherit.1" --value "group_A" UserPropPut
sacli start
In that case, the user properties show both inherited groups.
root@BackupAS:~# sacli --pfilt openvpn userpropget
{
"openvpn": {
"inherit.0": "group_C",
"inherit.1": "group_A",
"prop_superuser": "true",
"type": "user_compile"
Note: If you need to inherit properties from additional groups, use a new inherit.x index for each group (inherit.0, inherit.1, inherit.2, and so on). Reusing an index overwrites the entry previously stored under it.
Scenario 2
If you need all users who belong to group_A to inherit properties from one or more additional groups, configure group_A to inherit those properties.
sudo su
sacli --user "group_A" --key "inherit.0" --value "group_B" UserPropPut
sacli --user "group_A" --key "inherit.1" --value "group_C" UserPropPut
sacli start
After you apply the change, you can confirm the inherited properties in group_A.
root@BackupAS:~# sacli --pfilt group_A userpropget
{
"group_A": {
"access_to.0": "+NAT:192.0.2.0/24",
"group_declare": "true",
"inherit.0": "group_B",
"inherit.1": "group_C",
"pvt_epoch": "1944675163906932539",
"type": "group"
When a user from group_A connects, you can also confirm the pushed routes in the client logs and routing table.
From client logs in OpenVPN Connect:
IPHelper: add route 100.64.0.0/10 8 172.27.242.1 metric=101
IPHelper: add route 67.207.67.2/32 8 172.27.242.1 metric=101
IPHelper: add route 67.207.67.3/32 8 172.27.242.1 metric=101
IPHelper: add route 192.0.2.0/24 8 172.27.242.1 metric=101 <-- Subnet from group_A
IPHelper: add route 198.51.100.0/24 8 172.27.242.1 metric=101 <-- Subnet from group_B
IPHelper: add route 203.0.113.0/24 8 172.27.242.1 metric=101 <-- Subnet from group_C
From the client’s terminal:
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
67.207.67.2 255.255.255.255 172.27.242.1 172.27.242.11 102
67.207.67.3 255.255.255.255 172.27.242.1 172.27.242.11 102
100.64.0.0 255.192.0.0 172.27.242.1 172.27.242.11 102
192.0.2.0 255.255.255.0 172.27.242.1 172.27.242.11 102
198.51.100.0 255.255.255.0 172.27.242.1 172.27.242.11 102
203.0.113.0 255.255.255.0 172.27.242.1 172.27.242.11 102
These examples cover the most common use cases. If you have additional questions, submit a support ticket.
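Before changing inherit.x entries on a busy server it helps to know which groups and subnets a user already resolves to, and which index is free. The following Python is an added example, not part of this article or of Access Server: it parses a constructed property dump in the shape that sacli userpropget prints, resolves the user's conn_group and inherit.N chain (following group-level inherits as in Scenario 2; it is an assumption that deeper chains resolve the same way on a real server), lists the subnets from the "+NAT:<subnet>" access_to.N values shown above, and generates sacli commands that only use unused inherit.N indexes, which is the overwrite caveat from Scenario 1.

```python
import json

# Constructed sample shaped like `sacli userpropget` output (not captured from a real server):
# user "openvpn" is in group_A and inherits group_C; group_A itself inherits group_B.
SAMPLE_PROPS = json.loads("""{
  "openvpn": {"conn_group": "group_A", "inherit.0": "group_C", "type": "user_compile"},
  "group_A": {"access_to.0": "+NAT:192.0.2.0/24", "group_declare": "true", "inherit.0": "group_B", "type": "group"},
  "group_B": {"access_to.0": "+NAT:198.51.100.0/24", "group_declare": "true", "type": "group"},
  "group_C": {"access_to.0": "+NAT:203.0.113.0/24", "group_declare": "true", "type": "group"}
}""")

def inherit_indexes(props, name):
    """Numeric N of every inherit.N key on an entry, sorted ascending ("inherit." is 8 chars)."""
    return sorted(int(k[8:]) for k in props.get(name, {}) if k.startswith("inherit.") and k[8:].isdigit())

def inherited_groups(props, name):
    """Groups named by inherit.N keys on an entry, in index order."""
    return [props[name][f"inherit.{n}"] for n in inherit_indexes(props, name)]

def effective_groups(props, user):
    """conn_group plus every inherit.N group, followed through group-level inherits (cycle-safe)."""
    entry = props.get(user, {})
    queue = ([entry["conn_group"]] if "conn_group" in entry else []) + inherited_groups(props, user)
    seen = []
    while queue:
        g = queue.pop(0)
        if g not in seen:
            seen.append(g)
            queue.extend(inherited_groups(props, g))
    return seen

def effective_routes(props, user):
    """Subnets the user should be pushed, from access_to.N entries of the form "+NAT:<subnet>"."""
    return [props[g][k].split(":")[-1]
            for g in effective_groups(props, user)
            for k in sorted(props.get(g, {})) if k.startswith("access_to.")]

def next_inherit_index(props, name):
    """One above the highest existing inherit.N, so a new entry never overwrites an older one."""
    return max(inherit_indexes(props, name), default=-1) + 1

def add_inherit_commands(props, name, groups):
    """sacli lines that append the given groups at free inherit.N slots, skipping duplicates."""
    cmds, idx, have = [], next_inherit_index(props, name), set(inherited_groups(props, name))
    for g in groups:
        if g not in have:
            cmds.append(f'sacli --user "{name}" --key "inherit.{idx}" --value "{g}" UserPropPut')
            have.add(g)
            idx += 1
    return cmds + ["sacli start"]
```

On a real server you would feed it the output of sacli --pfilt <name> userpropget for the user and each group it references, then compare effective_routes against the IPHelper lines in the client log.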