Group selection and certificates

jvi v8kjvi0j6 at gmail.com
Sun Jul 3 09:26:45 PDT 2016


I wish to define routing depending on selected group, i.e. using
plaintext password auth this works so: a user connects, is a member of
several groups, and is hence able to select a group which they want to
connect with, e.g. 'default' (being default) or 'tor' (getting routed
through Tor network in an isolated manner). This works just fine,
settings in the conf:

auto-select-group = false
#default-select-group = default
select-group = default
select-group = magical
select-group = ipv6_broken
select-group = tor
config-per-user = <ocserv's dir>/users
config-per-group = <ocserv's dir>groups
default-group-config = <ocserv's dir>groups/default

so basically I am defining groups visible to users by hand. Everything
works just fine. That's what I want.

Now I'd like to replicate the same behavior using certificate
authentication, so a user connects, auth via cert, and is able to
select which group they want. It so far only worked for either no
group record present, or with default group explicitly defined in the
config file.

So basically what's above with addition of
cert-user-oid = 2.5.4.3
default-select-group = default
#cert-group-oid = 2.5.4.11

This way a user connects and gets auto-selected the 'default' group.
That's okay. Works.

Now, though, the problem is that if I uncomment cert-group-oid and
start defining a list of groups under OU, e.g. "default, tor" so a
user could select on connect which group they want, it stops working
and auth fails. It also fails when I comment out default-select-group.
In any case in the debug log I can only see:

ocserv[12008]: sec-mod: using 'certificate' authentication to authenticate user (session: j8dSq0)
ocserv[12008]: sec-mod: user '' requested group 'default' but is not included on his certificate groups
ocserv[12008]: sec-mod: could not accept group.
ocserv[12008]: sec-mod: error processing data for 'sm: auth init' command (-1)
ocserv[12011]: worker: 192.168.1.4 worker-auth.c:680: error receiving auth reply message
ocserv[12011]: worker: 192.168.1.4 worker-auth.c:1520: failed authentication for ''

Note that the user record is empty.

1st question
What is the proper syntax to define a list of available groups in the
certificate (so under the OU record)? "group1, group2" or something else?
Am I defining it incorrectly? Example (using UID instead of CN for
username):

Subject:
            organizationName          = AnyConnect
            organizationalUnitName    = default, tor
            userId                    = test1


2nd question
Is it possible to authenticate with a certificate and be able to
select a particular group on connect at all, i.e. to replicate how
this works using plaintext auth? This is what I want.

Summarizing,

no group records in the certificate AND/OR default-select-group = works fine
group records in the certificate AND default-select-group defined = works, but group records are ignored, the default group is chosen
group records in the certificate AND no default-select-group defined = fails

Thanks for the help. Seems something is wrong.

jvi
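An added example (not from the post or from ocserv) for checking what a client certificate actually carries for cert-group-oid = 2.5.4.11 (OU) and cert-user-oid = 2.5.4.3 (CN): it assumes the openssl CLI is available and, as my reading of ocserv rather than anything stated above, that each occurrence of the group OID is taken as one separate group, so a single OU holding "default, tor" is one group with that literal name, while two OU attributes are two groups.

```shell
#!/bin/sh
# Added example, not from the post or from ocserv: list the group values a
# certificate carries for cert-group-oid = 2.5.4.11 (OU), and the value that
# cert-user-oid = 2.5.4.3 (CN) would select for the username.
# Assumption (my reading of ocserv, not stated in the post): every occurrence
# of the cert-group-oid attribute counts as one group.
set -eu

# One OU value per line, in certificate order.
cert_groups() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *organizationalUnitName *= //p'
}

# The CN value; empty when the subject has no CN, which is what an
# empty user '' in the sec-mod log corresponds to with cert-user-oid = 2.5.4.3.
cert_user_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= //p'
}

# Build a throwaway self-signed client cert with the given subject
# (constructed test data, not a real deployment certificate).
# $1 = output PEM path, $2 = subject in openssl -subj form
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "${1%.pem}.key" -out "$1" -subj "$2" 2>/dev/null
}

# Human-readable report for one certificate file.
inspect_cert() {
    printf 'user (CN): "%s"\n' "$(cert_user_cn "$1")"
    printf 'groups (OU):\n'
    cert_groups "$1" | sed 's/^/  - /'
}
```

Run `inspect_cert client.pem` on a real client certificate to compare the OU list with the select-group entries in ocserv.conf; a single OU of "default, tor" shows up as one group, two OU attributes as two.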
