Hi,

On Fri, Jul 09, 2021 at 06:17:14PM +0100, Duarte Rocha wrote:
> I'm loading the openvpn-auth-ldap.so for user validation and then
> loading the duo plugin for 2FA. It works, except it has an unwanted
> behaviour: if a user is not on the allowed groups in LDAP, the
> openvpn-auth-ldap.so will fail but will still trigger the push
> notification. Shouldn't the 2nd plugin not be called if the previous
> ends with error?

Just came across this old thread.

Sorry for not responding in a more timely fashion - we discussed
your findings, and a subsequently discovered security issue with
multiple plugins running in "deferred" mode (not your case), and
fixed the latter one first.

The "should plugins be executed always, all of them" (current behaviour)
or "should it be short-circuited, with authentication stopping the moment
the first plugin returns ERROR" is currently under discussion, and I
expect to see some code in the next few weeks (so, 2.5.7 might address
this).

Please follow the openvpn-devel list for discussions on code and
behavioural changes.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
