Comments (13)
pppwaw
commented on June 11, 2024
Second problem:
openvpn_auth_azure_ad/authenticator.py, 386-389 lines
if "common_name" not in client["env"] and accounts:
result = self._app.acquire_token_silent(
self.token_scopes, account=client["env"]["common_name"]
)
if there isn't a "common name" in client["env"], why keep call it at acquire_token_silent ?
from openvpn-auth-azure-ad.
pppwaw
commented on June 11, 2024
I think this code can be changed to this:
accounts = self._app.get_accounts(client["env"]["username"])
if "common_name" not in client["env"] and accounts:
result = self._app.acquire_token_silent(
self.token_scopes, account=accounts[0]
)
elif "common_name" in client["env"]:
result = self._app.acquire_token_silent(
self.token_scopes, account=client["env"]["common_name"]
)
Users with a logged-in account and do not have a common_name use the account to log in. Otherwise, use common_name to log in.
But I am not sure if this is correct, and I hope you can guide me. :)
from openvpn-auth-azure-ad.
jkroepke
commented on June 11, 2024
I guess your openvpn setup does not require client certs. In history, I tested the scenario, but I also set the OpenVPN setting --username-as-common-name. I never thought that common_name can be undefined.
from openvpn-auth-azure-ad.
pppwaw
commented on June 11, 2024
I guess your openvpn setup does not require client certs. In history, I tested the scenario, but I also set the OpenVPN setting
--username-as-common-name. I never thought thatcommon_namecan be undefined.
Yes. I used to use the LDAP authentication plugin. To make a ovpn file available to everyone, I removed the client certificate.
from openvpn-auth-azure-ad.
jkroepke
commented on June 11, 2024
I will take a look on this scenario and PR on weekend/next week.
from openvpn-auth-azure-ad.
jkroepke
commented on June 11, 2024
Hi, if you enable username-as-common-name on your openvpn server, would this resolve your issue?`
from openvpn-auth-azure-ad.
pppwaw
commented on June 11, 2024
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: 2022-08-07 16:57:36,323 ERROR Exception in thread
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: Traceback (most recent call last):
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/util/thread_pool.py", line 24, in _function_wrapper
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: return fn(*args, **kwargs)
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/authenticator.py", line 308, in client_connect
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: self.authenticate_client(client)
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/authenticator.py", line 391, in authenticate_client
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: if util.is_authenticated(result):
Aug 07 16:57:36 debian openvpn-auth-azure-ad[443608]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/util/__init__.py", line 12, in is_authenticated
root@debian:~# cat /etc/openvpn/server.conf
port 1194
proto tcp-server
server 10.77.2.0 255.255.255.0
dh dh2048.pem
dev tun
ca /etc/openvpn/rsa/pki/ca.crt
key /etc/openvpn/rsa/pki/private/server.key
cert /etc/openvpn/rsa/pki/issued/server.crt
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "route 59.192.0.0 255.192.0.0"
duplicate-cn
keepalive 10 120
persist-key
persist-tun
verb 3
username-as-common-name
management 127.0.0.1 1145
management-client-auth
seems no.
from openvpn-auth-azure-ad.
jkroepke
commented on June 11, 2024
I see. Changing the lint to
def is_authenticated(result: dict) -> bool:
return result is not None and "access_token" in result
as you describe it in your PR should resolve it?
from openvpn-auth-azure-ad.
pppwaw
commented on June 11, 2024
error:
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: 2022-08-09 19:40:36,888 INFO [cid: 5]: Received client connect
Aug 09 19:40:36 debian ovpn-server[25190]: 120.229.78.58:20911 peer info: IV_LZO=1
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: 2022-08-09 19:40:36,888 INFO [cid: 5 | 36f6e4dc-5b5e-45c7-bdb7-a8eb6a3d7c86]: {'env': {'n_clients': '0', 'password': 'xxxxxx', 'untrusted_port': '20911', 'untrusted_ip': '120.229.78.58', 'username': '[email protected]', 'IV_SSO': 'openurl', 'IV_GUI_VER': 'OpenVPN_GUI_11', 'IV_TCPNL': '1', 'IV_COMP_STUBv2': '1', 'IV_COMP_STUB': '1', 'IV_LZO': '1', 'IV_LZ4v2': '1', 'IV_LZ4': '1', 'IV_CIPHERS': 'AES-256-GCM:AES-128-GCM', 'IV_NCP': '2', 'IV_PROTO': '6', 'IV_PLAT': 'win', 'IV_VER': '2.5.7', 'remote_port_1': '1194', 'local_port_1': '1194', 'proto_1': 'tcp-server', 'daemon_pid': '25190', 'daemon_start_time': '1660045061', 'daemon_log_redirect': '0', 'daemon': '1', 'verb': '3', 'config': '/etc/openvpn/server.conf', 'ifconfig_local': '10.77.2.1', 'ifconfig_remote': '10.77.2.2', 'route_net_gateway': '120.241.236.1', 'route_vpn_gateway': '10.77.2.2', 'route_network_1': '10.77.2.0', 'route_netmask_1': '255.255.255.0', 'route_gateway_1': '10.77.2.2', 'script_context': 'init', 'tun_mtu': '1500', 'link_mtu': '1623', 'dev': 'tun0', 'dev_type': 'tun', 'redirect_gateway': '0', 'END': ''}, 'reason': 'connect', 'cid': '5', 'kid': '0', 'state_id': '36f6e4dc-5b5e-45c7-bdb7-a8eb6a3d7c86'} [{'home_account_id': 'xxxxxx2', 'environment': 'login.microsoftonline.com', 'username': '[email protected]', 'authority_type': 'MSSTS', 'local_account_id': 'xxxxxx', 'realm': 'xxxxxx'}]
Aug 09 19:40:36 debian ovpn-server[25190]: 120.229.78.58:20911 peer info: IV_COMP_STUB=1
Aug 09 19:40:36 debian ovpn-server[25190]: 120.229.78.58:20911 peer info: IV_COMP_STUBv2=1
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: 2022-08-09 19:40:36,889 ERROR Exception in thread
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: Traceback (most recent call last):
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/util/thread_pool.py", line 24, in _function_wrapper
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: return fn(*args, **kwargs)
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/authenticator.py", line 308, in client_connect
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: self.authenticate_client(client)
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/authenticator.py", line 389, in authenticate_client
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: self.token_scopes, account=client["env"]["common_name"]
Aug 09 19:40:36 debian openvpn-auth-azure-ad[23640]: KeyError: 'common_name'
conf:
port 1194
proto tcp-server
server 10.77.2.0 255.255.255.0
dh dh2048.pem
dev tun
ca /etc/openvpn/rsa/pki/ca.crt
key /etc/openvpn/rsa/pki/private/server.key
cert /etc/openvpn/rsa/pki/issued/server.crt
tls-crypt static.key
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"
push "route 59.192.0.0 255.192.0.0"
duplicate-cn
keepalive 10 120
persist-key
persist-tun
verb 3
username-as-common-name
verify-client-cert none
management 127.0.0.1 1145
management-client-auth
Seems no too.
From this discussion, seems the username-as-common-name is only useful for auth-user-pass-verify? If so, should we try to read the username when the common_name doesn't exist?
from openvpn-auth-azure-ad.
jkroepke
commented on June 11, 2024
Okay thanks for figure this out here.
If so, should we try to read the username when the common_name doesn't exist?
I would not fully agree with this. Instead, using a fallback mechanism, I will introduce a new command line option to exlicit define if common_name or username should be used. This should avoid any new unknown security issues.
from openvpn-auth-azure-ad.
jkroepke
commented on June 11, 2024
I guess #14 should able to fix your issue. I'm currently not able to verify this patch.
from openvpn-auth-azure-ad.
pppwaw
commented on June 11, 2024
It has an error:
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: 2022-08-17 19:56:00,545 ERROR Exception in thread
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: Traceback (most recent call last):
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/util/thread_pool.py", line 24, in _function_wrapper
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: return fn(*args, **kwargs)
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/authenticator.py", line 284, in client_connect
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: self.authenticate_client(client)
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: File "/usr/local/lib/python3.9/dist-packages/openvpn_auth_azure_ad/authenticator.py", line 361, in authenticate_client
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: result = self._app.acquire_token_silent(
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: File "/usr/local/lib/python3.9/dist-packages/msal/application.py", line 1117, in acquire_token_silent
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: result = self.acquire_token_silent_with_error(
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: File "/usr/local/lib/python3.9/dist-packages/msal/application.py", line 1170, in acquire_token_silent_with_error
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: result = self._acquire_token_silent_from_cache_and_possibly_refresh_it(
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: File "/usr/local/lib/python3.9/dist-packages/msal/application.py", line 1225, in _acquire_token_silent_from_cache_and_possibly_refresh_it
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: "home_account_id": (account or {}).get("home_account_id"),
Aug 17 19:56:00 debian openvpn-auth-azure-ad[204445]: AttributeError: 'str' object has no attribute 'get
seems that the account can't pass as a string?
I tried to change the authenticator.py to this
...
if self._remember_user_enabled:
if self._openvpn_identity_key in client["env"]:
accounts = self._app.get_accounts(client["env"][self._openvpn_identity_key])
result = self._app.acquire_token_silent(
self.token_scopes, account=accounts[0] if accounts else None
)
...
and seems it works good.
from openvpn-auth-azure-ad.
github-actions
commented on June 11, 2024
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
from openvpn-auth-azure-ad.
Related Issues (13)
- Authorization flow with AD groups HOT 3
- Frequent disconnections from the OpenVPN server HOT 4
- Can't use unix sockets to talk to openvpn management interface HOT 2
- Version issues HOT 2
- `username-as-common-name` option when using this solution HOT 2
- Add reconnect / connection lost behaivor HOT 1
- openvpn server community edition HOT 1
- Stuck on "PUSH REQUEST" HOT 2
- Move user authentication in a thread
- Add docker-compose file to launch this connector + OpenVPN container HOT 2
- openvpn_auth_azure_ad.util.errors.ConnectError: [Errno 111] Connection refused HOT 8
- client certificate does not match Azure AD user HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openvpn-auth-azure-ad.