Closed jkroepke closed 7 months ago
Expected behavior
If username-as-common-name is configured I expect that >CLIENT:ENV,username=myself and >CLIENT:ENV,common_name=myself having the same values.
In this case the common_name is set to username only after authentication, so you will not see it in CLIENT:ENV when CLIENT:CONNECT cid kid is received. This command is issued before username and password are verified, and is indeed meant for the management client to do the user/pass authentication.
Subsequent messages like CLIENT:ESTABLISHED should contain the replaced common_name in CLIENT:ENV.
This is explained in the man page of recent versions:

--username-as-common-name
    Use the authenticated username as the common-name, rather than the common-name from the client certificate. Requires that some form of --auth-user-pass verification is in effect. As the replacement happens after --auth-user-pass verification, the verification script or plugin will still receive the common-name from the certificate.
    The common_name environment variable passed to scripts and plugins invoked after authentication (e.g, client-connect script) and filenames parsed in client-config directory will match the username.

Note the usage "authenticated username".
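The ordering described above, seen from the management client's side, as an added example (not code from OpenVPN or from this issue): it groups `>CLIENT:` notifications with their `ENV` lines, takes `username` as the identity for the pre-authentication `CONNECT`/`REAUTH` events, and only relies on `common_name` afterwards. The function names, the `USERS` table and the sample lines are constructed for illustration, and the example assumes the password arrives in `CLIENT:ENV` as it does with management-client-auth.

```python
import hmac

PRE_AUTH = {"CONNECT", "REAUTH"}  # notifications sent before user/pass is verified
USERS = {"myself": "s3cret"}      # constructed credential table for this example

def parse_client_events(lines):
    """Group >CLIENT: notifications with their ENV lines into (kind, ids, env)."""
    events, current = [], None
    for line in lines:
        if not line.startswith(">CLIENT:"):
            continue
        body = line[len(">CLIENT:"):]
        if not body.startswith("ENV,"):
            kind, *ids = body.split(",")
            current = (kind, ids, {})
        elif current is not None:
            if body == "ENV,END":
                events.append(current)
                current = None
            else:
                key, _, value = body[4:].partition("=")
                current[2][key] = value
    return events

def effective_name(kind, env):
    """Pre-auth, OpenVPN has not replaced common_name yet, so mirror
    username-as-common-name here; afterwards use common_name as sent."""
    return env.get("username" if kind in PRE_AUTH else "common_name", "")

def verify(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

def decide(event, allowed):
    """Management command answering a pre-auth event, or None for other events."""
    kind, ids, env = event
    if kind not in PRE_AUTH:
        return None
    name = effective_name(kind, env)
    # The username is only a claim until the password check succeeds.
    if name in allowed and verify(name, env.get("password", "")):
        return f"client-auth-nt {ids[0]} {ids[1]}"
    return f'client-deny {ids[0]} {ids[1]} "auth failed"'

SAMPLE = [  # constructed management-interface output; CONNECT carries no common_name
    ">CLIENT:CONNECT,0,1", ">CLIENT:ENV,username=myself",
    ">CLIENT:ENV,password=s3cret", ">CLIENT:ENV,END",
    ">CLIENT:ESTABLISHED,0", ">CLIENT:ENV,common_name=myself",
    ">CLIENT:ENV,username=myself", ">CLIENT:ENV,END",
]
```
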
Thanks for the clarification.
Describe the bug
If username-as-common-name is configured, I assume that the common name is replaced by the user's username. However the common_name is empty for a management client, if management-client-auth is used.

Example:
Server Configuration:
Management Client:

If the management-client-auth management client does validation based on the common name, it would break if username-as-common-name is configured and no common name is given. In conclusion, the same username-as-common-name logic needs to be replicated.

In case username-as-common-name hits after authentication, a configuration hint from OpenVPN point of view would be nice that the management client receives this info out of the box.

To Reproduce
Expected behavior
If username-as-common-name is configured I expect that >CLIENT:ENV,username=myself and >CLIENT:ENV,common_name=myself having the same values.

Version information (please complete the following information):
Additional context