Description: In Access Server, you can configure a post-authentication script to automate group mapping with LDAP authentication.
Install the post-auth script
Refer to our documentation for the LDAP-group mapping script and follow those steps to download, configure and install the post-auth script on your Access Server.
LDAP post-auth script setup tips
- You can edit the script using nano on your server or a text editor on your computer. We show the steps to use nano on the documentation page.
- Comment out (#) any lines in the script that you don't need, or simply delete them.
- After you've customized the script to map your LDAP group memberships to Access Server groups, the remainder of the script should be good to go.
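As an added example (not the script from the OpenVPN documentation), here is the group-mapping step a post-auth hook performs. Assumptions: the hook signature post_auth(authcred, attributes, authret, info), the memberOf attribute list, and the string status "SUCCEED" (which mirrors what authcli prints; the downloaded script may use a constant) are placeholders to be checked against the script you installed; the group names and DNs are constructed sample values.

```python
# Added example, not the OpenVPN-provided LDAP post-auth script.
# Assumed: hook signature, the attributes["memberOf"] list, and the
# string status "SUCCEED" (authcli prints it this way; the real script
# may compare against a constant). Group names/DNs are constructed.
import re

# Ordered mapping of LDAP group -> Access Server group; first match wins.
GROUP_MAP = [
    ("Security", "security"),
    ("VPN-Users", "users"),
]

# Pull the CN out of a distinguished name such as
# CN=Security,OU=Groups,DC=example,DC=com
_CN_RE = re.compile(r"^\s*cn=([^,]+)", re.IGNORECASE)


def ldap_group_names(member_of):
    """Return plain group names from memberOf values (full DNs or bare names)."""
    names = []
    for value in member_of:
        m = _CN_RE.match(value)
        names.append((m.group(1) if m else value).strip())
    return names


def resolve_conn_group(member_of, group_map=GROUP_MAP):
    """First mapping whose LDAP group the user belongs to (case-insensitive).
    Returns None when nothing matches so the caller leaves conn_group unset."""
    have = {n.lower() for n in ldap_group_names(member_of)}
    for ldap_group, as_group in group_map:
        if ldap_group.lower() in have:
            return as_group
    return None


def post_auth(authcred, attributes, authret, info):
    """Hook body: only touch a successful result, and only set conn_group
    when a mapping exists; otherwise authret is returned unchanged so the
    user keeps the Access Server default group."""
    if authret.get("status") != "SUCCEED":
        return authret
    conn_group = resolve_conn_group(attributes.get("memberOf", []))
    if conn_group is not None:
        authret.setdefault("proplist", {})["conn_group"] = conn_group
    return authret
```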
Test the LDAP script
Use the tips below to test your setup:
Use the authcli tool
Run a test with the authcli tool where username and password are the LDAP user credentials:
sudo su
cd /usr/local/openvpn_as/scripts/
./authcli --user USERNAME --pass PASSWORD
As an example, suppose we have an LDAP user, "brandon," and an LDAP group, "Security," that we expect to be added and mapped to the Access Server group, "security."
- Run these commands with the authcli tool:
sudo su
cd /usr/local/openvpn_as/scripts
./authcli --user brandon --pass br@nd0n!
- The response shows that it succeeded:
API METHOD: authenticate
AUTH_RETURN
status : SUCCEED
user : brandon
reason : LDAP auth succeeded on ldap://XX.XX.XX.XX
proplist : {'prop_autogenerate': 'true', 'prop_force_lzo': 'false', 'prop_autologin': 'true', 'prop_deny': 'false', 'conn_group': 'security'}
session_id : AS_UASWqWaSUlhaxxXwjUoRuw==
expire : 1667064926
The output shows the following:
- It succeeded:
status : SUCCEED
- The user was added to the "security" group:
'conn_group': 'security'
To check user properties, run this command:
./sacli --pfilt <USER_OR_GROUP> UserPropGet
When testing this with the user, "brandon," here's how it looks:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# ./sacli --pfilt brandon UserPropGet
{
  "brandon": {
    "conn_group": "security",
    "type": "user_connect"
  }
}
To check this in the Access Server logs, run this command:
grep "POST_AUTH" /var/log/openvpnas.log
Or you can use a command specific to the user:
egrep 'POST_AUTH|brandon' /var/log/openvpnas.log
The log output for user "brandon" looks like this:
root@openvpn-access-server-Brandon:/usr/local/openvpn_as/scripts# egrep "POST_AUTH|brandon" /var/log/openvpnas.log
2022-10-29T12:27:26-0500 [stdout#info] ***** POST_AUTH: User group mapping found for 'brandon', setting OpenVPN connection group to 'security' ...
If you have additional questions, please submit a ticket.