My user authenticates fine through OpenVPN AS, using LDAP authentication over FreeIPA.
Now I want to restrict OpenVPN to enforce that they belong to a certain group.
I've created a User Group in FreeIPA, and changed OpenVPN to have an "Additional LDAP Requirement" of "memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk"
But when I try to authenticate now, I get access denied, with this error in openvpn logs:
2019-11-26T09:38:12+0000 [stdout#info] VPN Auth Failed: u"LDAP exception on ldaps://endpoint.free.ipa.internal/ (facility='search (u'cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk', 2, u'(&(uid=myUser)(memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk))')'): **user not found that meets specified requirements**: memberOf=CN=myGroup,CN=groups,CN=accounts,DC=mgmt,DC=company,DC=uk: auth/authldap:178,python2.7/threading:774,python2.7/threading:801,python2.7/threading:754,_threads/_threadworker:46,_threads/_team:190,python/threadpool:250,python/threadpool:266,python/context:122,python/context:85,auth/authldap:138,auth/authldap:178,util/error:67,util/error:48" [None]
If I try (what I think is) the equivalent LDAP Search from command line, it works fine:
ldapsearch -x -D "uid=admin,cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" -W -H ldap://localhost -b "cn=users,cn=accounts,dc=mgmt,dc=company,dc=uk" '(&(uid=myUser)(memberOf=cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk))'
That returns the user, and even lists their memberOf attributes:
...
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
memberOf: cn=myGroup,cn=groups,cn=accounts,dc=mgmt,dc=company,dc=uk
...
So unsure what I've done wrong in OpenLDAP.
I read that memberOf only works retrospectively, so I removed and re-added myUser to myGroup. Still didn't work.
Ah found it.
OpenVPNAS was using anonymous binding to connect to FreeIPA in order to authenticate people. With anonymous binding, it isn't permitted to see group membership!
Fix was to change OpenVPNAS to bind as an admin user. Now it works fine.