Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Certificate authentication only plus check LDAP attributes
« previous
next »
Print
Pages: [
1
]
Author
Topic: Certificate authentication only plus check LDAP attributes (Read 1055 times)
1zmbl
Newbie
Posts: 1
Karma: 0
Certificate authentication only plus check LDAP attributes
«
on:
August 25, 2022, 01:58:12 pm »
Hi there,
I am trying to set up an OPNsense appliance as VPN gateway. I would like users to be able to authenticate
only
with a certificate from an external CA.
However, not every user with a valid certificate should be able to connect to the VPN. We have set a specific LDAP attribute that states whether a user is allowed to connet to the VPN or not.
Every certificate from that external CA contains the LDAP DN of a user as, I think, "subject name" (
https://en.wikipedia.org/wiki/X.509#Structure_of_a_certificate
) of the certificate.
I would like OPNsense to use that subject name from the certificate to check in LDAP if a user is allowed to connect to the VPN.
Currently, I am using the OpenVPN protocol. I found out, that u can extend a certificate authentication method by your own script by adding "tls-verify" to the OpenVPN server configuration file. Therefore, I am writing a shell script with OpenLDAP client to check the attribute.
Does anyone know if there is a better way to do this? I do not want users to additionally authenticate using their LDAP username and password. I am open to use another VPN protocol.
Are there any risks or issues with my method?
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Certificate authentication only plus check LDAP attributes