<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=FR link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi,</p><p class=MsoNormal>Finally, i figured out what to put in this « aclPermissionList » variable .</p><p class=MsoNormal>Here is my configuration :</p><p class=MsoNormal>--------------------------------------------------------------------</p><p class=MsoNormal>/etc/vpn-server-api/config.php</p><p class=MsoNormal>'enableAcl' => true,</p><p class=MsoNormal> 'aclPermissionList' =></p><p class=MsoNormal> array (</p><div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm'><p class=MsoNormal style='border:none;padding:0cm'> 'cn=vpn,ou=groups,dc=myuniversity,dc=fr',</p><p class=MsoNormal style='text-indent:35.4pt;border:none;padding:0cm'>),</p></div><p class=MsoNormal>/etc/vpn-user-portal/config.php</p><p class=MsoNormal>'FormLdapAuthentication' => [</p><p class=MsoNormal> // *** OpenLDAP ***</p><p class=MsoNormal> 'ldapUri' => 'ldap://myldap.mydomain.fr',</p><p class=MsoNormal> 'bindDnTemplate' => 'uid={{UID}},ou=people,dc=myuniversity,dc=fr',</p><p class=MsoNormal> 'permissionAttribute' => 'memberOf',</p><p class=MsoNormal> ],</p><div style='mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm'><p class=MsoNormal style='border:none;padding:0cm'>'adminPermissionList' => ['cn=vpn.admin,ou=groups,dc= myuniversity,dc=fr'],</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Everything is working fine.</p><p class=MsoNormal>Thanks for your help.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards</p><p class=MsoNormal>Rija</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>De : </b><a href="mailto:fkooman@tuxed.net">François Kooman</a><br><b>Envoyé le :</b>lundi 23 mars 2020 20:19<br><b>À : </b><a href="mailto:rija.rasolo@univ-rouen.fr">rasolrij</a>; <a href="mailto:eduvpn-deploy@list.surfnet.nl">eduvpn-deploy@list.surfnet.nl</a><br><b>Objet :</b>Re: [eduVPN-deploy] ACL Profile</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On 3/23/20 8:11 PM, rasolrij wrote:</p><p class=MsoNormal>> Hi,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi Rija,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> I would like to use ACL with LDAP to manage VPN profiles.</p><p class=MsoNormal>> </p><p class=MsoNormal>> LDAP config is working fine (|FormLdapAuthentication| ). I can log to</p><p class=MsoNormal>> eduvpn web interface but no profile filtering.</p><p class=MsoNormal>> </p><p class=MsoNormal>> How do i filter on a Ldap group in aclPermissionList ?</p><p class=MsoNormal>> </p><p class=MsoNormal>> What is the syntax ?</p><p class=MsoNormal>> </p><p class=MsoNormal>> Anyone can help ?</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>There are two documents relevant for this:</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>1. https://github.com/eduvpn/documentation/blob/v2/ACL.md</p><p class=MsoNormal>2. https://github.com/eduvpn/documentation/blob/v2/LDAP.md</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The idea is to set the permissionAttribute in the LDAP configuration in</p><p class=MsoNormal>/etc/vpn-user-portal/config.php to e.g. "memberOf", as in the example.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The the *values* that attribute can have are configured in the</p><p class=MsoNormal>aclPermissionList in /etc/vpn-server-api/config.php. Do not forget to</p><p class=MsoNormal>also set enableAcl to true there.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This should be all that is required. The syntax is explained in the</p><p class=MsoNormal>documentation. You can also check the example configuration files that</p><p class=MsoNormal>contain comments as well [1,2].</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Let me know if it is not clear yet!</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Regards,</p><p class=MsoNormal>François</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>[1]</p><p class=MsoNormal>https://github.com/eduvpn/vpn-user-portal/blob/v2/config/config.php.example</p><p class=MsoNormal>[2]</p><p class=MsoNormal>https://github.com/eduvpn/vpn-server-api/blob/v2/config/config.php.example</p><p class=MsoNormal><o:p> </o:p></p></div><div id="DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2"><br /> <table style="border-top: 1px solid #D3D4DE;">
<tr>
<td style="width: 55px; padding-top: 18px;"><a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" target="_blank"><img src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif" alt="" width="46" height="29" style="width: 46px; height: 29px;" /></a></td>
<td style="width: 470px; padding-top: 17px; color: #41424e; font-size: 13px; font-family: Arial, Helvetica, sans-serif; line-height: 18px;">Garanti sans virus. <a href="https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient" target="_blank" style="color: #4453ea;">www.avast.com</a> </td>
</tr>
</table>
<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1"> </a></div></body></html>