Quote from: deajan on February 22, 2024, 06:37:08 PM
Okay, I actually retried my whole config.
Automagic user creation from LDAP when connecting to OpenVPN works, unless you set "Enforce local group" in OpenVPN config like I did.
So this is basically a security issue, since if I remove an LDAP user from a group, let's call it "VPN GROUP", on the LDAP server, the user can still connect, since the user already exists on OPNsense.
I have set up an extended query like `&(memberOf:1.2.840.113556.1.4.1941:=CN=VPN GROUP,DC=domain,DC=local)(objectCategory=person)`, but the user can still connect to OpenVPN once I've removed them from the LDAP "VPN GROUP".
[EDIT] After removing the recursive LDAP attribute for memberOf, adding / removing users from VPN GROUP limits their ability to connect to the VPN like it should. [/EDIT]
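The stale-account problem described in the quoted post (a local user auto-created at first OpenVPN login outlives the LDAP group membership that justified it) can be audited with a reconciliation check. The following is an added example, not code from the thread or from OPNsense; the local user list and directory snapshot are constructed inline, and the `transitive` flag mimics the difference between a plain `memberOf` comparison and the `1.2.840.113556.1.4.1941` matching-rule-in-chain filter quoted above.

```python
"""Reconcile auto-created local VPN users against LDAP group membership.

Constructed sample data only; in practice the local accounts would come from
the firewall's user database and the entries from an LDAP search."""

VPN_GROUP_DN = "CN=VPN GROUP,DC=domain,DC=local"

# Constructed directory snapshot: entry DN -> memberOf attribute values.
LDAP_ENTRIES = {
    "CN=alice,OU=Users,DC=domain,DC=local": [VPN_GROUP_DN],
    "CN=bob,OU=Users,DC=domain,DC=local": ["CN=Contractors,DC=domain,DC=local"],
    "CN=carol,OU=Users,DC=domain,DC=local": [],  # removed from every group
    "CN=Contractors,DC=domain,DC=local": [VPN_GROUP_DN],  # nested group
}

# Constructed: local accounts that were auto-created at first OpenVPN login.
LOCAL_USERS = {
    "alice": "CN=alice,OU=Users,DC=domain,DC=local",
    "bob": "CN=bob,OU=Users,DC=domain,DC=local",
    "carol": "CN=carol,OU=Users,DC=domain,DC=local",
}


def is_member(entry_dn, group_dn, entries, transitive=True, _seen=None):
    """True if entry_dn belongs to group_dn.

    transitive=True follows nested groups, as the matching-rule-in-chain
    filter does; transitive=False is the plain memberOf comparison.
    _seen guards against membership cycles in the directory."""
    _seen = _seen if _seen is not None else set()
    if entry_dn in _seen:
        return False
    _seen.add(entry_dn)
    for parent in entries.get(entry_dn, []):
        if parent == group_dn:
            return True
        if transitive and is_member(parent, group_dn, entries, True, _seen):
            return True
    return False


def stale_local_users(local_users, entries, group_dn, transitive=True):
    """Usernames that still exist locally but no longer resolve to group_dn."""
    return sorted(user for user, dn in local_users.items()
                  if not is_member(dn, group_dn, entries, transitive))


if __name__ == "__main__":
    print("stale (transitive):", stale_local_users(LOCAL_USERS, LDAP_ENTRIES, VPN_GROUP_DN))
    print("stale (plain memberOf):", stale_local_users(LOCAL_USERS, LDAP_ENTRIES, VPN_GROUP_DN, False))
```

Accounts the check reports are the ones to disable or remove locally, since the firewall will otherwise keep accepting them regardless of the directory.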
How do you authorize the creation of a user on OpenVPN?
Do you have a password for the account? And the .ovpn configuration itself must be from that user.