allow worker to access user-profile

Ali alimakki at gmail.com
Sun Dec 3 15:45:40 PST 2017


Hello,

I'm running a server using the following version:

ocserv --version
ocserv 0.11.9

Compiled with: seccomp, tcp-wrappers, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.4.10

I'm trying to get my client to access the profile.xml defined in the
ocserv config; however, I get the following error:

worker[battle.office]: x.x.x.x cannot load config file '/etc/ocserv/profile.xml'

The documentation states:

# Other fields may be used by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot.
# Note that enabling this option is not recommended as it will allow
# the worker processes to open arbitrary files (when isolate-workers is
# set to true).

As I'm not familiar with chroot, how might I go about allowing the
worker access to the file?

My server config looks like the following:

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
enable-auth = "certificate"
tcp-port = 4443
udp-port = 4443
run-as-user = nobody
run-as-group = nogroup
socket-file = /var/run/ocserv-socket
server-cert = /etc/ocserv/server.crt
server-key = /etc/ocserv/server.key
ca-cert = /etc/ocserv/ca.crt
isolate-workers = false
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 2.5.4.3
cert-group-oid = 2.5.4.11
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 300
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
cookie-rekey-time = 14400
deny-roaming = false
rekey-time = 3600
rekey-method = ssl
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
default-domain = example.com
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
ping-leases = false
user-profile = /etc/ocserv/profile.xml
cisco-client-compat = true
max-clients = 6

# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 1

dns = 8.8.8.8
dns = 8.8.4.4

Thank you for your time.

Ali
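The config above drops worker privileges to run-as-user/run-as-group and the quoted documentation says the user-profile file must be reachable from inside the worker's chroot, so the two things worth verifying before touching ocserv are (a) whether the path is read relative to a chroot-dir and (b) whether that user, with only its primary group, can traverse every directory on the path and read the file. The script below is an added example for checking exactly that from the config file; it is not part of this post and not ocserv's own code. It assumes GNU coreutils (`stat -c`, `getent`), that a worker inside `chroot-dir` resolves `user-profile` relative to that directory (so the host-side path is `chroot-dir` + `user-profile`), and that only the primary group counts; the function names `ocserv_conf_get`, `ocserv_effective_profile_path` and `ocserv_check_user_profile` are this example's, not ocserv's.

```shell
#!/bin/sh
# Added example (not ocserv code): predict whether the ocserv worker, after
# dropping to run-as-user/run-as-group and chrooting into chroot-dir (if
# set), can read the file named by user-profile.  Judged purely from mode
# bits of each path component; uid 0 is treated as able to read anything.

# Print the (first) value of "key = value" from an ocserv config, quotes and
# trailing comment stripped.  Commented-out keys are ignored.
ocserv_conf_get() {
    conf=$1; key=$2
    sed -n -E "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"?([^\"#]*[^\"# ])\"?.*$/\1/p" "$conf" | head -n 1
}

# Host-side path of user-profile.  Assumption: with chroot-dir set, the
# worker opens user-profile relative to the chroot, so prefix it.
ocserv_effective_profile_path() {
    conf=$1
    profile=$(ocserv_conf_get "$conf" user-profile)
    [ -n "$profile" ] || return 2
    chroot=$(ocserv_conf_get "$conf" chroot-dir)
    if [ -n "$chroot" ]; then
        printf '%s\n' "${chroot%/}/${profile#/}"
    else
        printf '%s\n' "$profile"
    fi
}

# Return 0 if uid/gid has permission bit $4 (4 = read, 1 = execute/traverse)
# on $1 according to owner/group/other mode bits; setuid/sticky digit ignored.
_ocserv_mode_allows() {
    p=$1; uid=$2; gid=$3; bit=$4
    [ "$uid" -eq 0 ] && return 0
    set -- $(stat -c '%u %g %a' "$p") || return 1
    owner=$1; group=$2
    mode=$(printf '%s' "$3" | tail -c 3)       # last three octal digits
    mode=$(printf '%03d' "$mode")
    if [ "$owner" -eq "$uid" ]; then digit=$(printf '%s' "$mode" | cut -c1)
    elif [ "$group" -eq "$gid" ]; then digit=$(printf '%s' "$mode" | cut -c2)
    else digit=$(printf '%s' "$mode" | cut -c3); fi
    [ $(( digit & bit )) -ne 0 ]
}

# Walk from / down to the profile: every directory needs 'x', the file 'r'.
# Exit 0 = readable, 1 = missing or not readable, 2 = config/user problem.
ocserv_check_user_profile() {
    conf=$1
    path=$(ocserv_effective_profile_path "$conf") || return 2
    case $path in /*) ;; *) echo "user-profile must be absolute: $path"; return 2 ;; esac
    user=$(ocserv_conf_get "$conf" run-as-user)
    group=$(ocserv_conf_get "$conf" run-as-group)
    uid=$(id -u "${user:-root}" 2>/dev/null) || { echo "unknown run-as-user: $user"; return 2; }
    gid=$(getent group "${group:-root}" 2>/dev/null | cut -d: -f3)
    [ -n "$gid" ] || gid=$(id -g "${user:-root}")   # fall back to user's primary group
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    d=$(dirname "$path")
    while :; do
        _ocserv_mode_allows "$d" "$uid" "$gid" 1 \
            || { echo "not traversable by uid $uid gid $gid: $d"; return 1; }
        [ "$d" = "/" ] && break
        d=$(dirname "$d")
    done
    _ocserv_mode_allows "$path" "$uid" "$gid" 4 \
        || { echo "not readable by uid $uid gid $gid: $path"; return 1; }
    echo "ok: $path readable by uid $uid gid $gid"
}

# Usage: ocserv_check_user_profile /etc/ocserv/ocserv.conf
```

Run it against the real config as root; a "not traversable" or "not readable" line names the exact component to fix (typically `chmod o+rx` on the directory or `chmod o+r` on profile.xml, or bind-mounting/copying the file under chroot-dir when one is configured). The walk stops at the first failing component, which is the one the worker would hit first.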



More information about the openconnect-devel mailing list