Hi,

On Sat, Jan 14, 2017 at 4:16 PM, <selva.n...@gmail.com> wrote:

> From: Selva Nair <selva.n...@gmail.com>
>
> Currently the username unqualified by the domain is used to validate
> a user which fails for domain users. Instead authorize the user
>
> (i) if the built-in admin group or ovpn_admin group is in the process token
> (ii) else if the user's SID is in the built-in admin or ovpn_admin groups
>
> The second check is needed to recognize dynamic updates to group membership
> on the local machine that will not be reflected in the token.
>
> These checks do not require connection to a domain controller and will
> work even when user is logged in with cached credentials.
>
> Resolves Trac: #810
>
> v2: include the token check as described above


Bump :) This addresses a critical issue that I would like to see fixed in
2.4.1.

Thanks,

Selva
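
A portable model of the two-step check described in the quoted commit message, added here as an example and not the patch's code. It makes no Win32 calls: SIDs are plain strings, and the struct names, `authorize`, and every SID except the well-known S-1-5-32-544 and S-1-5-32-545 are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Model only: SIDs are strings, nothing here calls the Windows API. */
#define SID_ADMINS "S-1-5-32-544"                /* well-known BUILTIN\Administrators */
#define SID_OVPN   "S-1-5-21-1111-2222-3333-1005" /* constructed local ovpn_admin group SID */

struct token { const char *user_sid; const char *group_sids[4]; size_t ngroups; };
struct local_group { const char *sid; const char *member_sids[4]; size_t nmembers; };

static int contains(const char *const *list, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i], sid) == 0)
            return 1;
    return 0;
}

/* Returns 1 if allowed by the token, 2 if allowed by current membership, 0 if denied. */
int authorize(const struct token *t, const struct local_group *groups, size_t n)
{
    /* (i) an authorized group is in the token, a snapshot taken at logon */
    for (size_t g = 0; g < n; g++)
        if (contains(t->group_sids, t->ngroups, groups[g].sid))
            return 1;
    /* (ii) the user's SID is a direct member now, e.g. added after logon */
    for (size_t g = 0; g < n; g++)
        if (contains(groups[g].member_sids, groups[g].nmembers, t->user_sid))
            return 2;
    return 0;
}

/* Constructed sample data: local groups as they are at request time. */
static const struct local_group GROUPS[2] = {
    { SID_ADMINS, { "S-1-5-21-9000-9001-9002-512" }, 1 },  /* a domain group */
    { SID_OVPN,   { "S-1-5-21-9000-9001-9002-1104" }, 1 }, /* user added after logon */
};
/* Domain user whose token carries the admin group via the domain group. */
static const struct token IN_TOKEN = { "S-1-5-21-9000-9001-9002-1103",
    { "S-1-5-21-9000-9001-9002-512", SID_ADMINS }, 2 };
/* Domain user added to ovpn_admin after logon: the token is stale. */
static const struct token STALE = { "S-1-5-21-9000-9001-9002-1104", { "S-1-5-32-545" }, 1 };
/* Domain user in neither group. */
static const struct token OTHER = { "S-1-5-21-9000-9001-9002-1105", { "S-1-5-32-545" }, 1 };
```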
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
