VPN connection for LDAP users without sudo

Ubuntu Version: 22.04 LTS
Desktop Environment (if applicable): GNOME
Problem Description:
Authenticated users (Windows AD) are unable to connect to the VPN without the local admin password.

What needs to be done for AD users to initiate a VPN connection from the GUI without the local admin password?

Thanks in advance,

Relevant System Information:

  • Ubuntu desktop is integrated with a Windows AD server (using winbind).
  • AD users are not given sudo privileges.
  • skel environment is used for uniformity.
  • Authenticated users are able to login to Ubuntu Desktop with their AD credentials.
  • openconnect and openforti-gui are installed, with a VPN connection configured for Fortinet SSL VPN and “All users may connect to this network” enabled in the Network Connections settings by the local admin user.
  • The local admin can connect to the VPN using openconnect or openforti-gui.
  • This desktop system is used for remote support and only one user will be using at a time.

Screenshots or Error Messages:
No GUI errors, it simply would not connect.

You can configure sudo to give them access to be able to run just the commands that need admin (sudo access) and nothing else. Sudo is very granular. It’s not all or nothing. It can also integrate with AD so you can grant AD groups the ability to do things with sudo and run a small subset of commands. Very common (We do it where I work).
Is this what you mean, or have I read this wrong?

We don’t want AD users to install any software or modify system configurations, except for allowing VPN connection/disconnection.

Since the VPN connection is initiated from the Network Manager GUI, how can this be set up just for networking?

Is there any method to bypass PolicyKit for AD-authenticated users so they can control Network Manager without credentials and without granting sudo privileges to the AD group?

In a nut shell this should still work:
https://askubuntu.com/questions/708261/how-do-i-set-the-policy-for-users-to-modify-the-network-state-and-connections

And before any changes made to the production machine, I’ll test first in a VM.

Identity=unix-user:foo

Assuming “foo” is the local user mentioned in the solution.

The challenge with AD is that we cannot specify a user, as anyone in the group should be able to log in to the system and initiate a VPN connection.

And what Identity should be given for an AD group in “Identity=ad-group???:xxxx”?

Apart from the above issues, what is the default PolicyKit rule location on Ubuntu 22 LTS?

  1. /etc/polkit-1/rules.d/
  2. /etc/NetworkManager/conf.d
  3. somewhere else?

Different blogs/forums provide different solutions.

Trust me, I know I went through a handful of them before landing on my solution.
I have no need for AD any longer and it’s so much nicer. :wink:

There are links in a search that address that much better, and I’ll try to find them in my notes just give me a beat.

In my notes I used this location, /var/lib/polkit-1, but I can’t find the rules that were used on 22.04.

Roughly and PLEASE NOTE this is a very rough guess:

# Create the local-authority directory if it is missing, then write the .pkla file.
# NetworkManager's networking on/off action is "enable-disable-network" (there is no "settings." prefix on it).
sudo mkdir -p /var/lib/polkit-1/localauthority/50-local.d
sudo tee /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla > /dev/null <<'EOF'
[Allow AD users to modify network settings]
Identity=unix-group:your_ad_group
Action=org.freedesktop.NetworkManager.settings.modify.system
ResultAny=yes
ResultInactive=yes
ResultActive=yes

[Allow AD users to enable/disable networking]
Identity=unix-group:your_ad_group
Action=org.freedesktop.NetworkManager.enable-disable-network
ResultAny=yes
ResultInactive=yes
ResultActive=yes
EOF

Replace your_ad_group with the name of your AD group.

That’s just a starting point.

Also check if the rule is added in /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla file.
Test the Configuration:

Will test and update here.

@1fallen, I tried your suggestion - /var/lib/polkit-1/localauthority/50-local.d/10-network-manager.pkla

And I also tried the following rules in /usr/share/polkit-1/rules.d/org.freedesktop.NetworkManager.rules, commenting out the default rule.

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("domain users")) {
    return polkit.Result.YES;
  }
});

and even with (action.id.indexOf("org.freedesktop.NetworkManager.settings.modify.system")

Both settings keep on asking for the local admin password.

It seems disabling polkit is the only option, or I’m missing something. Disabling polkit results in users accidentally disabling the wired LAN or creating, deleting or modifying existing configurations, which we don’t want.

/etc/NetworkManager/conf.d/any-user.conf

[main]
auth-polkit=false
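An added example for the approach discussed in this thread (it is not code from any of the posters): a least-privilege polkit Local Authority (.pkla) rule for Ubuntu 22.04 together with the checks to run from the AD user's session when the GUI still prompts. Two facts it relies on: Ubuntu 22.04 ships polkit 0.105, which reads .pkla files from /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority and does not evaluate the JavaScript .rules files (that backend arrived in polkit 0.106), so edits under /usr/share/polkit-1/rules.d have no effect on that release; and NetworkManager gates activating or deactivating a connection on org.freedesktop.NetworkManager.network-control, while editing, adding or deleting connections is settings.modify.system and switching networking off is enable-disable-network. Granting only network-control therefore lets the group bring the VPN up and down without letting it change or delete connections or disable networking. Polkit is per-action, not per-connection, so network-control does still allow `nmcli connection down` on the wired connection, which is also what the default policy already allows an active local user. Assumptions, not stated in the thread: the group name is "domain users" exactly as `id -Gn` prints it for a logged-in AD user (winbind may prefix it with the domain), the VPN connection was saved with "All users may connect", and the file path /etc/polkit-1/localauthority/50-local.d/10-ad-vpn-control.pkla is just a chosen name.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a .pkla rule granting only
# org.freedesktop.NetworkManager.network-control to one group, and provides
# a check to run from the AD user's desktop session.
#
# Assumptions (hypothetical): group name as printed by `id -Gn`, and the
# file name below is simply a chosen name under 50-local.d.

PKLA_DIR=/etc/polkit-1/localauthority/50-local.d
PKLA_FILE="$PKLA_DIR/10-ad-vpn-control.pkla"

# Render the .pkla text for one group. ResultAny and ResultInactive stay "no",
# so remote (SSH) or idle sessions keep the default (admin authentication);
# only an active local session gets network-control without a prompt.
# settings.modify.system and enable-disable-network are deliberately not
# mentioned, so the group cannot edit, add or delete connections or turn
# networking off.
render_pkla() {
    group="$1"
    cat <<EOF
[Let AD group $group activate and deactivate connections]
Identity=unix-group:$group
Action=org.freedesktop.NetworkManager.network-control
ResultAny=no
ResultInactive=no
ResultActive=yes
EOF
}

# Write the rule to dest (defaults to the real path, which needs root).
install_pkla() {
    group="$1"
    dest="${2:-$PKLA_FILE}"
    mkdir -p "$(dirname "$dest")" || return 1
    render_pkla "$group" > "$dest" || return 1
    chmod 0644 "$dest"
}

# Run this as the AD user after logging in on the desktop. ResultActive only
# applies when logind sees the session as active, so "Active=yes" and
# "State=active" are what we want to see; pkcheck then asks polkit the exact
# question NetworkManager asks and exits 0 only if no prompt would appear.
check_vpn_control() {
    echo "groups: $(id -Gn)"
    loginctl show-session "${XDG_SESSION_ID:-self}" -p State -p Active 2>/dev/null
    pkcheck --action-id org.freedesktop.NetworkManager.network-control \
            --process "$$"
}

# Usage (as root):      install_pkla "domain users"
# Then, as the AD user: check_vpn_control && nmcli connection up "<vpn name>"
```

If `id -Gn` shows the group with a domain prefix, spell it exactly that way in the Identity line; if `loginctl` reports the session as inactive or missing, the prompt comes from the session not being registered with logind rather than from the rule, and the rule will not help until that is fixed.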

Life is kicking my behind these past weeks. Give me a day or two, so i can lay this out myself.

I also have to revisit this 2-week-old thread. :wink:
My Senior Mind collects a lot of information in that time span… be back.

I’m going to be very tied up for a month (the end of April)

But in talking with a few friends they have pointed me to this link.

https://openvpn.net/as-docs/tutorials/tutorial--active-directory-ldap.html#tutorial--set-up-access-server-with-active-directory-via-ldap-for-vpn-integration

You might have to alter a thing or two but it should be helpful.
Best of Luck. :slight_smile:

@1fallen, No worries and thanks for your time.

The openvpn link you shared is for openvpn server authenticating against AD server.

My requirement is to allow LDAP-authenticated Linux users to connect/disconnect specific (VPN) Network Manager connections without providing the local admin password.

I’ll dig deeper into the options for NM rules and figure out whether this is possible or not, or whether an even better method exists without compromising default security.

/usr/share/polkit-1/rules.d/org.freedesktop.NetworkManager.rules


If you do succeed at this please share; I have been told this is all but impossible… by developers. (None of which are Ubuntu devs.)
