On Thu, Aug 4, 2016 at 11:50 AM, Michael Hicks <michaelhick...@gmail.com> wrote:
> I guess I'll submit a documentation bug to alter the description in the
> docs for "username-as-common-name" to more clearly illustrate this. Maybe
> just changing "For --auth-user-pass-verify authentication..." to
> "After --auth-user-pass-verify authentication..." and a note about this
> affecting the client-(dis)connect and client-config-dir options.
>

Yes, the documentation is poorly worded and could be improved. I think the reference to auth-user-pass-verify itself is confusing, as one could instead use management-client-auth to authenticate users. A description that says this option replaces the common-name by the "authenticated username" without any reference to auth-user-pass-verify may be better. As you wrote, clarifying that this affects ccd etc. is also useful.

> I modified the duo plugin source to use username instead of common_name
> and it works as I expect. I'll also submit a pull request against the
> duo_openvpn plugin source to get that changed upstream and see where it
> goes.
>

More likely to get accepted if you make that configurable --- say, adding an optional arg to the plugin to indicate username should be taken from getenv("username",..) instead of getenv("common-name",..) so that existing use cases are not affected.

That said, I think that plugin could be further improved using the static challenge feature of openvpn so that the usual username/password auth can work along with Duo.

Selva
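
The opt-in switch suggested in the reply above, sketched as an added example (not code from the duo_openvpn plugin or from either poster). The `use_username` argument name and the sample values are assumptions; `username` and `common_name` are the environment variable names OpenVPN passes to plugins.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical optional plugin argument; when absent, legacy behaviour is kept. */
#define ARG_USE_USERNAME "use_username"

/* Look up NAME in an OpenVPN-style envp array of "NAME=value" strings.
 * The '=' check stops "username" from matching e.g. "username_extra=...". */
static const char *get_env(const char *name, const char *envp[])
{
    size_t n = strlen(name);
    if (!envp)
        return NULL;
    for (int i = 0; envp[i]; ++i)
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    return NULL;
}

/* Return 1 if the opt-in argument follows argv[0] (the plugin path). */
static int want_username(const char *argv[])
{
    if (!argv || !argv[0])
        return 0;
    for (int i = 1; argv[i]; ++i)
        if (strcmp(argv[i], ARG_USE_USERNAME) == 0)
            return 1;
    return 0;
}

/* Choose the identity handed to the second factor. Returns NULL when the
 * selected variable is missing or empty, so the caller can fail the auth
 * instead of silently falling back to the other identity source. */
const char *select_identity(const char *argv[], const char *envp[])
{
    const char *key = want_username(argv) ? "username" : "common_name";
    const char *val = get_env(key, envp);
    return (val && *val) ? val : NULL;
}

int main(void)
{
    /* Constructed sample data, not taken from a real deployment. */
    const char *envp[]   = { "common_name=laptop-42", "username=mhicks", NULL };
    const char *legacy[] = { "duo_openvpn.so", NULL };
    const char *optin[]  = { "duo_openvpn.so", ARG_USE_USERNAME, NULL };
    printf("legacy: %s\n", select_identity(legacy, envp));
    printf("opt-in: %s\n", select_identity(optin, envp));
    return 0;
}
```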