Hi,

I saw it done at 4755ee48c56dcb672ddcbcba4362f08eecf04a11 :)

Does it support authentication certificate with multi OU?

On Mon, May 19, 2014 at 11:21 PM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> On Mon, May 19, 2014 at 4:59 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>>> Is that really necessary? It could be simply a warning message, as
>>> there are cases where a server may support more groups than the ones
>>> advertised.
>> On Cisco this could be done through a group-url. So instead of
>> entering a bare hostname, the user would enter something like
>> "https://vpn.foo.com/my-group-url". The group-url namespace is
>> separate from the authgroup names used in the dropdown list, and so it
>> can include hidden groups.
>
> That looks like a lot of legacy craft and I'd like to avoid using the
> URL if possible. Even openconnect accepts differently the one type of
> group from the other (as I understand there is --usergroup and
> --authgroup).
>
>> More recently we also saw a case where fields in the client cert were
>> used to select the group.
>
> That is supported in ocserv too.
>
>> These options are described here:
>> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
>> If ocserv asked the user to manually enter an authgroup name that was
>> not listed in the dialog, it would cause trouble for most/all GUI
>> clients.
>
> I see, but I'd like to simplify the group selection by not adding any
> cisco legacy cruft. I'll experiment a bit with that.
>
> regards,
> Nikos
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
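The thread above touches on selecting a VPN group from fields of the client certificate, and on what happens when a certificate carries more than one OU. The following is an added example written for this page; it is not ocserv or openconnect code and does not reflect how either project implements group selection. It assumes the certificate subject arrives in the layout Python's `ssl.SSLSocket.getpeercert()` uses for its `"subject"` key (a tuple of RDNs, each a tuple of attribute/value pairs); the OU-to-group mapping and the sample subjects are constructed for illustration.

```python
# Added example (not ocserv or openconnect code): derive a VPN group from the
# organizationalUnitName (OU) values in a client certificate subject.
#
# Subject layout assumed here is the one returned by
# ssl.SSLSocket.getpeercert()["subject"]: a tuple of RDNs, each RDN being a
# tuple of (attribute_name, value) pairs. An RDN may hold several pairs.

OU_ATTR = "organizationalUnitName"

# Constructed mapping: OU value present in the certificate -> VPN group name.
OU_TO_GROUP = {
    "vpn-admins": "admins",
    "engineering": "eng",
    "contractors": "guests",
}


def certificate_ous(subject):
    """Return every OU value in the subject, in order.

    Walks each RDN and each attribute inside it, so OUs that sit in separate
    RDNs and OUs that share one multi-valued RDN are both collected. Other
    attributes (CN, O, C, ...) are ignored.
    """
    ous = []
    for rdn in subject:
        for attr, value in rdn:
            if attr == OU_ATTR:
                ous.append(value)
    return ous


def select_group(subject, ou_to_group=OU_TO_GROUP, allowed_groups=None):
    """Map a certificate subject to exactly one VPN group, or None.

    All OUs are considered so that a multi-OU certificate is not silently
    reduced to its first OU. OUs without a mapping are ignored. If the mapped
    OUs resolve to more than one distinct group, the result is ambiguous and
    None is returned instead of guessing. If allowed_groups is given, a
    resolved group outside that set is rejected as well.
    """
    groups = {ou_to_group[ou] for ou in certificate_ous(subject) if ou in ou_to_group}
    if len(groups) != 1:
        return None
    (group,) = groups
    if allowed_groups is not None and group not in allowed_groups:
        return None
    return group


# Constructed sample subjects in getpeercert() layout.
SINGLE_OU = (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("organizationalUnitName", "engineering"),),
    (("commonName", "alice"),),
)

# Two OUs in separate RDNs that map to different groups: ambiguous.
MULTI_OU_CONFLICT = (
    (("organizationalUnitName", "vpn-admins"),),
    (("organizationalUnitName", "contractors"),),
    (("commonName", "bob"),),
)

# OU and CN packed into one multi-valued RDN, plus an unmapped OU.
MULTI_VALUED_RDN = (
    (("organizationalUnitName", "engineering"), ("commonName", "carol")),
    (("organizationalUnitName", "site-berlin"),),
)

# No OU at all.
NO_OU = ((("commonName", "dave"),),)


if __name__ == "__main__":
    for name, subject in [
        ("SINGLE_OU", SINGLE_OU),
        ("MULTI_OU_CONFLICT", MULTI_OU_CONFLICT),
        ("MULTI_VALUED_RDN", MULTI_VALUED_RDN),
        ("NO_OU", NO_OU),
    ]:
        print(name, certificate_ous(subject), "->", select_group(subject))
```

The design choice worth noting is the handling of conflicts: when a certificate's OUs point at two different groups, `select_group` refuses rather than picking the first or the most privileged one, so an unexpected extra OU cannot quietly widen access. Whether an unmapped OU should be ignored (as here) or should also cause rejection is a policy decision for the deployment.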