Enhancement #2294
IPSec: honor VPNClientAccess property
Status: | CLOSED | Start date: |
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | - | % Done: | 100%
Category: | nethserver-ipsec | |
Target version: | v6.5-beta3 | |
Resolution: | | NEEDINFO: | No
Description
The actual implementation allows all users to use the L2TP/IPSec VPN. Only users with VPNClientAccess should be allowed to use the L2TP tunnel.
Related issues
Associated revisions
NethServer::Directory module: added setGroupMembers() method. Refs #2294
Allow L2TP/IPsec access to l2tpusers group members. Refs #2294
The group members list is kept consistent by the nethserver-ipsec-synchronize-l2tpusers action, which selects any user with the VPNClientAccess=yes prop.
History
#1 Updated by Davide Principi over 7 years ago
- Subject changed from IPSec: honor VPNClientAccess peroperty to IPSec: honor VPNClientAccess property
#2 Updated by Davide Principi over 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#3 Updated by Davide Principi over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#4 Updated by Davide Principi over 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case
The old version allows access to any user in the accounts DB. After upgrading to the modified version, only users listed in VPN > Accounts are allowed to connect through the L2TP/IPsec protocols.
l2tpusers must have gid > 500
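The synchronisation described in the associated revision (members of l2tpusers are exactly the users carrying VPNClientAccess=yes) and the gid > 500 requirement from this test case, as an added illustration that is not the nethserver-ipsec action itself. It assumes the e-smith `db accounts print` record layout (`key=type|prop=value|...`) and a `getent group` style line; both inputs are constructed samples.

```python
# Constructed sample of `db accounts print` output (assumed e-smith layout:
# key=type|prop=value|prop=value). Not taken from the issue.
ACCOUNTS_DB = """\
alice=user|FirstName=Alice|VPNClientAccess=yes
bob=user|FirstName=Bob|VPNClientAccess=no
carol=user|FirstName=Carol
dave=user|VPNClientAccess=yes
sales=group|Description=Sales team|VPNClientAccess=yes
"""

# Constructed `getent group l2tpusers` line (same layout as /etc/group).
GROUP_LINE = "l2tpusers:x:507:bob,carol,alice"

MIN_GID = 500  # test case: the l2tpusers group must have gid > 500

def parse_db(text):
    """Return {key: (type, {prop: value})} for each e-smith db record."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, rest = line.partition("=")
        fields = rest.split("|")
        props = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
        records[key] = (fields[0], props)
    return records

def vpn_users(text):
    """User records (groups are ignored) whose VPNClientAccess prop is 'yes'."""
    return {k for k, (typ, props) in parse_db(text).items()
            if typ == "user" and props.get("VPNClientAccess") == "yes"}

def parse_group(line):
    """Return (gid, members) from a getent/etc-group style line."""
    _name, _pw, gid, members = line.split(":")
    return int(gid), {m for m in members.split(",") if m}

def sync_plan(db_text, group_line):
    """Return (to_add, to_remove) that brings the group in line with the DB.
    Refuses to plan changes if the gid is not in the required range."""
    gid, current = parse_group(group_line)
    if gid <= MIN_GID:
        raise ValueError(f"l2tpusers gid {gid} must be > {MIN_GID}")
    wanted = vpn_users(db_text)
    return sorted(wanted - current), sorted(current - wanted)
```

Running the plan against the samples removes bob (VPNClientAccess=no) and carol (prop absent) and adds dave, so membership no longer drifts from the property the UI sets.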
#5 Updated by Davide Principi over 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
- nethserver-directory-1.3.0-17.0git4c775814.ns6.noarch.rpm
- nethserver-ipsec-1.0.0-2.0gitc841ec2b.ns6.noarch.rpm
- nethserver-ipsec-1.0.0-3.0git16a8a53f.ns6.noarch.rpm
#6 Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Giacomo Sanchietti
#7 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
```
dn: cn=l2tpusers,ou=Groups,dc=directory,dc=nh
cn: l2tpusers
gidNumber: 507
objectClass: posixGroup
objectClass: sambaGroupMapping
structuralObjectClass: posixGroup
entryUUID: 0fa87e78-220b-1033-9f64-2b3ff0941e5f
creatorsName: cn=libuser,dc=directory,dc=nh
createTimestamp: 20140204171058Z
sambaSID: S-1-5-21-1081185447-3589350628-2846206084-1001
sambaGroupType: 2
displayName: l2tpusers
description: Unix Group l2tpusers
entryCSN: 20140204171059.104750Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140204171059Z
```
When the user is not enabled for VPN:
```
Feb 4 17:47:24 server pppd[736]: Plugin winbind.so loaded.
Feb 4 17:47:24 server pppd[736]: WINBIND plugin initialized.
Feb 4 17:47:24 server pppd[736]: pppd 2.4.5 started by root, uid 0
Feb 4 17:47:24 server pppd[736]: Using interface ppp0
Feb 4 17:47:24 server pppd[736]: Connect: ppp0 <--> /dev/pts/2
Feb 4 17:47:24 server pppd[736]: Winbind has declined authentication for user!
Feb 4 17:47:24 server pppd[736]: Logon failure
Feb 4 17:47:24 server pppd[736]: Peer MYCOMPANY\\giacomo failed CHAP authentication
Feb 4 17:47:24 server pppd[736]: Connection terminated.
Feb 4 17:47:24 server pppd[736]: Exit.
```
If the user is enabled for VPN, the connection is established correctly.
Marking as VERIFIED.
#8 Updated by Davide Principi over 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in the nethserver/6.5/base repository.