VPN connection for LDAP users without sudo

Ubuntu Version: 22.04 LTS
Desktop Environment (if applicable): GNOME
Problem Description:
Authenticated users (Windows AD) are unable to connect to the VPN without the local admin password.

What needs to be done for AD users to initiate a VPN connection from the GUI without the local admin password?

Thanks in advance,

Relevant System Information:

  • Ubuntu desktop is integrated with a Windows AD server (using winbind).
  • AD users are not given sudo privileges.
  • A skel environment is used for uniformity.
  • Authenticated users are able to log in to the Ubuntu Desktop with their AD credentials.
  • openconnect and openforti-gui are installed, with a VPN configured for Fortinet SSL VPN and “All users may connect to this network” enabled in the Network Connection settings by the local admin user.
  • The local admin can connect to the VPN using openconnect or openforti-gui.
  • This desktop system is used for remote support and only one user will be using it at a time.

Screenshots or Error Messages:
No GUI errors, it simply would not connect.

You can configure sudo to give them access to be able to run just the commands that need admin (sudo access) and nothing else. Sudo is very granular. It’s not all or nothing. It can also integrate with AD so you can grant AD groups the ability to do things with sudo and run a small subset of commands. Very common (We do it where I work).
Is this what you mean, or have I read this wrong?

We don’t want AD users to install any software or modify system configurations, except for allowing VPN connection/disconnection.

Since the VPN connection is initiated from the Network Manager GUI, how can this be set up just for networking?

Is there any method to omit policy-kit for AD-authenticated users, so they can control Network Manager without credentials and without granting sudo privileges to the AD group?

In a nutshell, this should still work:
https://askubuntu.com/questions/708261/how-do-i-set-the-policy-for-users-to-modify-the-network-state-and-connections

And before any changes made to the production machine, I’ll test first in a VM.

Identity=unix-user:foo

Assuming "foo" is the local user mentioned in the solution.

The challenge with AD is that we cannot specify a user, as anyone in the group should be able to log in to the system and initiate a VPN connection.

And what Identity should be given for an AD group in “Identity=ad-group???:xxxx”?

Apart from the above issues, what is the default policy kit rule location on Ubuntu 22 LTS?

  1. /etc/polkit-1/rules.d/
  2. /etc/NetworkManager/conf.d
  3. somewhere else?

Different blogs/forums provide different solutions.

Trust me, I know I went through a handful of them before landing on my solution.
I have no need for AD any longer and it’s so much nicer. :wink:

There are links in a search that address that much better, and I’ll try to find them in my notes just give me a beat.

In my notes I used this location, /var/lib/polkit-1, but I can’t find the rules that were used on 22.04.

Roughly and PLEASE NOTE this is a very rough guess:

sudo su -c 'printf "[Allow AD users to modify network settings]\nIdentity=unix-group:your_ad_group\nAction=org.freedesktop.NetworkManager.settings.modify.system\nResultAny=yes\nResultInactive=yes\nResultActive=yes\n\n[Allow AD users to enable/disable networking]\nIdentity=unix-group:your_ad_group\nAction=org.freedesktop.NetworkManager.enable-disable-network\nResultAny=yes\nResultInactive=yes\nResultActive=yes\n" > /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla'

Replace your_ad_group with the name of your AD group.

That’s just a starting point.

Also check if the rule is added in /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla file.
Test the Configuration:
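
The same kind of .pkla rule as above, written as a small shell script; this is an added example, not code from anyone in this thread. It assumes the group name and the output directory are passed in as parameters, and it grants NetworkManager's own network-control action (activating and deactivating existing connections, which is what connecting a pre-configured VPN needs) rather than settings.modify.system, so group members cannot edit system connections.

```shell
# Added example, not from the thread. Writes a polkit 0.105 (.pkla) rule that lets
# members of one group activate/deactivate existing NetworkManager connections (the
# VPN included) while leaving system connection settings to the local admin.
# Assumed: GROUP and OUTDIR are parameters; the action id is NetworkManager's
# org.freedesktop.NetworkManager.network-control.
write_nm_pkla() {
  group="$1"   # group as the OS sees it; on a winbind host confirm with: getent group "$group"
  outdir="$2"  # on a live 22.04 host: /var/lib/polkit-1/localauthority/50-local.d
  mkdir -p "$outdir" || return 1
  # Only ResultActive=yes: the grant applies to a user logged in on the local
  # console, not to inactive or remote sessions, which is all the thread's goal needs.
  cat > "$outdir/10-network-manager.pkla" <<EOF
[Let members of ${group} connect and disconnect existing connections]
Identity=unix-group:${group}
Action=org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF
}

# Static check that a written .pkla grants ACTION to GROUP for active sessions.
# On the real host, verify end-to-end as the AD user with:
#   pkcheck --action-id org.freedesktop.NetworkManager.network-control --process $$
pkla_grants_active() {
  file="$1"; group="$2"; action="$3"
  grep -qx "Identity=unix-group:${group}" "$file" &&
  grep -qx "Action=${action}" "$file" &&
  grep -qx "ResultActive=yes" "$file"
}

# Usage on a live host (as root):
#   write_nm_pkla your_ad_group /var/lib/polkit-1/localauthority/50-local.d
```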

Will test and update here.