Hi,

As discussed in Trac #810, the service currently does not qualify the
username with domain while checking group membership. This breaks configs
in the user's profile for domain users, so I want to fix it in 2.4.1.

An easy fix is to do what the GUI does -- use DOMAIN\username instead of
just username. This works by asking Windows for a list of groups a
user@domain belongs to and requires access to the domain controller to
resolve the user, which is not ideal [1].

So I suggest to use the user's SID (which is available to the GUI in
the process token, and to the service through the impersonation token)
and compare it with SIDs of all members of the built-in admin group
and ovpn_admin_group [2].

Limitations: (i) indirect membership (e.g., user is member of group A which
is a member of the admin group) will not be checked. It is possible to
recurse, but we have to restrict to checking local groups and not domain
groups to avoid connection to a DC.
(ii) Domain administrators are members of the built-in admin group through
indirect membership in "Domain Admins", but we won't detect that.

I think these are reasonable limitations required to ensure that the
validation can be done using local resources only (i.e. without needing to
consult the AD).

But I would like to hear any suggestions for or against the above.

Thanks.

Selva

[1] In some setups the domain controller may be reachable only through the VPN
and the user may be logging in with cached credentials. Even otherwise,
requiring network access to validate the user's access to the service is best
avoided.
[2] Proposed patch is here
<https://github.com/selvanair/openvpn/commit/7b4342a7b7f1dabd27ad94b2c665fcbe0680cf37>
(pending more tests).
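The SID-based check proposed above, as an added PowerShell example that is neither the posted patch nor OpenVPN code: it calls the same Win32 API a C service would (NetLocalGroupGetMembers at level 0, which returns the SIDs stored in the local SAM and resolves no names, so no domain controller is contacted) and compares the caller's SID with the SID of each direct member. Assumptions: PowerShell 5 or later on Windows, and 'OpenVPN Administrators' as the name of ovpn_admin_group.

```powershell
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    // Level 0 returns LOCALGROUP_MEMBERS_INFO_0: one PSID per member, no name lookups.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetLocalGroupGetMembers(string server, string group, int level,
        out IntPtr buf, int prefMaxLen, out int entriesRead, out int totalEntries, IntPtr resume);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buf);
}
'@

function Get-DirectMemberSids([string]$Group) {
    $buf = [IntPtr]::Zero; $read = 0; $total = 0
    # -1 is MAX_PREFERRED_LENGTH: the API allocates a buffer for the whole list
    $status = [NetApi]::NetLocalGroupGetMembers($null, $Group, 0, [ref]$buf, -1,
                                                [ref]$read, [ref]$total, [IntPtr]::Zero)
    if ($status -ne 0) { return @() }    # e.g. 2220 NERR_GroupNotFound: treat as "no members"
    try {
        $sids = @()
        for ($i = 0; $i -lt $read; $i++) {
            $psid = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf, $i * [IntPtr]::Size)
            $sids += New-Object System.Security.Principal.SecurityIdentifier($psid)
        }
        return $sids
    } finally { [void][NetApi]::NetApiBufferFree($buf) }
}

function Test-DirectLocalAdmin {
    param([System.Security.Principal.SecurityIdentifier]$UserSid,
          [string]$ExtraGroup = 'OpenVPN Administrators')   # assumed name of ovpn_admin_group
    # Find the built-in group by its well-known SID (S-1-5-32-544) rather than a
    # localised name; translating a BUILTIN SID is answered from the local machine.
    $admins = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $adminsName = ($admins.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    foreach ($g in @($adminsName, $ExtraGroup)) {
        foreach ($sid in Get-DirectMemberSids $g) {
            if ($sid -eq $UserSid) { return $true }   # binary SID comparison, as EqualSid does
        }
    }
    # Only direct members are listed: user -> group A -> Administrators, or a
    # domain admin who is in Administrators via "Domain Admins", comes back $false.
    return $false
}
# The service would take the SID from its impersonation token; here it is the caller's.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
'{0} is a direct local admin: {1}' -f $me.Value, (Test-DirectLocalAdmin -UserSid $me)
```

Run it as the user whose profile config the service would load; the result mirrors what the proposed check would decide for that user, including the two limitations listed in the post.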
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
