diff mbox series

[Openvpn-devel,v1] Improve documentation for override-username

Message ID 20250324135441.26725-1-gert@greenie.muc.de
State Accepted
Headers show
Series [Openvpn-devel,v1] Improve documentation for override-username | expand

Commit Message

Gert Doering March 24, 2025, 1:54 p.m. UTC 
From: Arne Schwabe <arne@rfc2549.org>

- Mention that pushing auth-token-user only happens when OpenVPN also
  generates the auth-token.
- mention that OpenVPN will only accept the original and overridden username
  from a client
- suggest to use auth-token-user when a user generates the auth-token

Change-Id: Ifc7443974345042ab9945d6a10e1d1b4525e5e05
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/914
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>

Comments

Gert Doering March 24, 2025, 1:59 p.m. UTC | #1 
Documentation-only, nothing to test.  (Stared at the change nonetheless,
as we had discussions on some of the behavioural details - change makes
sense)

Your patch has been applied to the master branch.

commit 5c1c57684b6a1e6bce24605d55fe8dc3d9d3480e
Author: Arne Schwabe
Date:   Mon Mar 24 14:54:33 2025 +0100

     Improve documentation for override-username

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
     Message-Id: <20250324135441.26725-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31210.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
diff mbox series

Patch

diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index e93b04d..ccc1374 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -432,7 +432,12 @@ 
 
   The changed username will be picked up by the status output and also by
   the ``--auth-gen-token`` option. It will also be pushed to the client
-  using ``--auth-token-user``.
+  using ``--auth-token-user`` if ``--auth-gen-token`` is enabled.
+
+  Internally on all subsequent renegotiations the client provided username
+  will be replaced by the username provided by ``--override-username``.
+  If the client changes to a username that is different from both the initial
+  and the overridden username, the client will be rejected.
 
   Special care should be taken that both the initial username of the client
   and the overridden username are handled correctly when using
@@ -444,6 +449,10 @@ 
   can be used for ``--auth-gen-token`` to allow providing a username in
   these scenarios.
 
+  If the ``--auth-token`` directive is pushed by another script/plugin or
+  management interface, consider also generating and pushing
+  ``--auth-token-user``.
+
 --port-share args
   Share OpenVPN TCP with another service