ocserv: user group not assigned when using certificate authentication
sskaje
sskaje at gmail.com
Thu Aug 28 01:22:11 PDT 2014
Nikos,
I have these in my config file:
# grep group /opt/ocserv/etc/config |grep -v '^#'
cert-group-oid = 2.5.4.11
run-as-group = daemon
config-per-group = /opt/ocserv/etc/config-per-group/
default-group-config = /opt/ocserv/etc/defaults/group.conf
select-group = vpn
select-group = dnsonly
default-select-group = vpn
auto-select-group = false
gnutls template files:
$ cat ~/Work/CA/RSA/gnutls/ocserv_clients/dnsonly/dnsonly.tmpl
cn = "dnsonly"
unit = "dnsonly"
serial = 5000
expiration_days = 365
signing_key
tls_www_client
$ cat ~/Work/CA/RSA/gnutls/ocserv_clients/vpn/sskaje.tmpl
cn = "sskaje"
unit = "vpn"
serial = 1000
expiration_days = 365
signing_key
tls_www_client
Group vpn is selected by default, and for both connections the group selection prompt is shown.
I changed the group manually to dnsonly: cn="dnsonly" works, but for cn="sskaje" a different error is shown:
ocserv[21191]: worker: xxx:31667 Groups ret: 0
ocserv[21191]: worker: xxx:31667 Groupname: dnsonly
ocserv[21191]: worker: xxx:31667 groupname=dnsonly, ws->config->default_select_group: vpn, ws->groupname=
ocserv[21191]: worker: xxx:31667 Groupname in cmp: dnsonly
ocserv[21191]: worker: xxx:31667 no certificate provided for authentication
sskaje
http://sskaje.me
sskaje at gmail.com
On Aug 28, 2014, at 16:10, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> On Thu, Aug 28, 2014 at 6:06 AM, sskaje <sskaje at gmail.com> wrote:
>> It's a long mail with lots of code and logs, for short:
>> Issue 1: a case-insensitive match should be used in parse_reply() from src/worker-auth.c
>> Issue 2: the groups read from the cert are not assigned to ws->groupname, which makes the group selection message prompt all the time.
>
> Thanks for reporting that. About issue 1, I've committed a fix which
> should do the trick.
>
> About issue 2. Could you elaborate on your use-case? Did you select
> the group that was set with select-default-group? I found an issue in
> that case and committed a fix and a test case.
>
> regards,
> Nikos
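As an added illustration (not ocserv's code, and not from either poster), the following is a simplified model of how the settings in the report above are meant to fit together: the subject attribute named by cert-group-oid (2.5.4.11, organizationalUnitName) grants the client its groups, the client may only pick among the select-group entries its certificate grants, matching is case-insensitive (issue 1), and default-select-group only applies when the certificate actually grants it. The subject DN is passed in as a constructed {oid: [values]} map rather than parsed from a real certificate.

```python
"""Hypothetical model of ocserv's cert-group-oid / select-group interaction.
Not ocserv's implementation; assumes the semantics described in the report."""
from __future__ import annotations

# Constructed excerpt mirroring the config quoted in the mail above.
CONFIG_TEXT = """
cert-group-oid = 2.5.4.11
select-group = vpn
select-group = dnsonly
default-select-group = vpn
auto-select-group = false
"""

OU_OID = "2.5.4.11"  # X.520 organizationalUnitName (the 'unit' in the certtool templates)


def parse_config(text: str) -> dict:
    """Minimal key = value parser; select-group is repeatable, so it becomes a list."""
    cfg: dict = {"select-group": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "select-group":
            cfg["select-group"].append(value)
        else:
            cfg[key] = value
    return cfg


def groups_from_subject(subject: dict, cfg: dict) -> list:
    """Groups the certificate grants: the values of the configured OID in its subject."""
    return list(subject.get(cfg.get("cert-group-oid", OU_OID), []))


def resolve_group(cfg: dict, cert_groups: list, requested: str | None) -> str:
    """Effective group for a session. A client can only select a group its
    certificate grants; comparisons are case-insensitive; with no explicit
    request, default-select-group is used only if granted, else a sole
    granted group is taken, else the client must be prompted."""
    allowed = [g for g in cfg["select-group"]
               if any(g.lower() == c.lower() for c in cert_groups)]
    if not allowed:
        raise PermissionError("certificate grants no configured group")
    if requested is None:
        default = cfg.get("default-select-group", "")
        if default.lower() in {g.lower() for g in allowed}:
            requested = default
        elif len(allowed) == 1:
            requested = allowed[0]
        else:
            raise ValueError("group selection required: " + ", ".join(allowed))
    for g in allowed:
        if g.lower() == requested.lower():
            return g  # return the canonical spelling from the config
    raise PermissionError(f"group {requested!r} not granted by certificate")
```

With this model, the cn="sskaje" certificate (unit = "vpn") is refused when it asks for dnsonly, while the cn="dnsonly" certificate gets dnsonly without any prompt because it is the only group its OU grants.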