lemana-vpn/.agents/skills/lemana-vpn-sso-autofill/SKILL.md

---
name: lemana-vpn-sso-autofill
description: Use when touching Lemana VPN Bitwarden, Keychain, TOTP, openconnect-lite runtime patches, Keycloak SSO, auto-fill, manual mode, hidden browser mode, or authentication troubleshooting.
---

# Lemana VPN SSO And Autofill

## Overview

The connection path is: Bitwarden or existing Keychain -> openconnect-lite credentials -> patched Keycloak browser flow -> Cisco/openconnect tunnel -> status JSON/logs/DNS cleanup. Be precise about which credential source (Bitwarden or Keychain) is active at any step.

## Credential Flow

With Bitwarden enabled, `bin/vpn-lemanapro.sh` unlocks `bw`, reads the item `LM LDAP`, extracts the LDAP password and the permanent TOTP seed, then writes both to the macOS Keychain for openconnect-lite.

Without Bitwarden, the connection can still work if the Keychain already has:

- service `openconnect-lite`, account `<LDAP username>` for the LDAP password;
- service `openconnect-lite`, account `totp/<LDAP username>` for the permanent TOTP seed.

The Bitwarden master password unlocks the vault. It is not the corporate LDAP password. The TOTP seed is not the current 6-digit authenticator code.

If a GUI/no-tty path has incomplete Keychain credentials, do not invent an invisible prompt. Tell the user to run:

```sh
vpn --configure-keychain
```
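The Keychain-only precheck described above, as an added example that is not part of the Lemana VPN project's scripts. It uses the service and account names the skill lists and the real macOS `security find-generic-password` command; the 16-character base32 minimum used to tell a permanent TOTP seed apart from a 6-digit authenticator code, and the `require_keychain_or_instruct` helper name, are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not project code): check whether the macOS Keychain already
# holds what openconnect-lite needs, without ever printing the secrets.
# Assumption: service/account names as listed in the skill; the 16-char
# base32 threshold for a TOTP seed is this example's own sanity check.

KEYCHAIN_SERVICE="openconnect-lite"

# Thin wrapper around the real macOS CLI; tests replace it with a stub.
keychain_lookup() {
  security find-generic-password -s "$1" -a "$2" -w 2>/dev/null
}

# A permanent TOTP seed is base32 (A-Z, 2-7, optional '=' padding), never
# the 6-digit code an authenticator app currently displays.
looks_like_totp_seed() {
  printf '%s' "$1" | grep -Eq '^[A-Z2-7]{16,}=*$'
}

# Prints the missing or suspicious pieces and returns 1 when the connection
# cannot proceed on Keychain alone; prints nothing and returns 0 otherwise.
check_keychain_credentials() {
  user=$1
  missing=""
  if ! pw=$(keychain_lookup "$KEYCHAIN_SERVICE" "$user") || [ -z "$pw" ]; then
    missing="$missing ldap-password"
  fi
  if ! seed=$(keychain_lookup "$KEYCHAIN_SERVICE" "totp/$user") || [ -z "$seed" ]; then
    missing="$missing totp-seed"
  elif ! looks_like_totp_seed "$seed"; then
    missing="$missing totp-seed-looks-like-code"
  fi
  if [ -n "$missing" ]; then
    printf '%s\n' "${missing# }"
    return 1
  fi
  return 0
}

# GUI/no-tty behaviour: report what is wrong and point at the interactive
# tool instead of waiting on stdin for a prompt nobody can see.
require_keychain_or_instruct() {
  if problems=$(check_keychain_credentials "$1"); then
    return 0
  fi
  echo "Keychain incomplete for $1: $problems" >&2
  echo "Run in a terminal: vpn --configure-keychain" >&2
  return 1
}

if [ $# -gt 0 ]; then
  require_keychain_or_instruct "$1"
fi
```

Run it as `./check-keychain.sh <LDAP username>`; a non-zero exit with the `vpn --configure-keychain` hint is the expected outcome on a fresh machine, and the seed check catches the common mistake of storing the current code instead of the seed.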

## Runtime Patches

`vpn-lemanapro.sh` patches openconnect-lite before connection. The expected behavior includes:

- Qt hidden browser mode uses `offscreen`, not `minimal`.
- Keycloak fields keep direct `elem.value = ...`, plus `input` and `change` DOM events.
- Autofill stays in `ApplicationWorld`; do not reintroduce `MainWorld`, native setters, or stateful click guards unless there is fresh evidence.
- URL guard prevents Keycloak selectors from clicking Cisco ACS pages.
- Auth redirect reads the 302 `Location` from `vpn.lemanapro.ru` without following a TLS-reset-prone final headend GET.
- `LEMANA_VPN_AUTOFILL_CLICK=0` disables submit for manual mode.
- `LEMANA_VPN_AUTOFILL_DISABLE=1` disables autofill for low-level diagnosis.

Apply patches without connecting:

```sh
vpn-lemanapro.sh --patch-only
```

## Modes

- `vpn` / `vpn-auto`: hidden browser, autofill, auto-submit.
- `vpn --manual` / `vpn-manual`: visible browser, autofill, no submit.
- `vpn --manual-full` / `vpn-manual-full`: visible browser, no autofill, no submit.
- `vpn-debug`: visible browser and raw logs.

When diagnosing SSO, use manual mode first. Do not repeatedly start automatic mode if a connection attempt is already in progress.

## Testing

For any SSO/autofill patch:

```sh
bash -n bin/vpn-lemanapro.sh
tests/smoke.sh
```

If live behavior must be checked:

```sh
vpn --status
vpn --manual
vpn --manual-full
tail -f ~/Library/Logs/LemanaVPN-openconnect-lite.log
```

Skip live reconnect when VPN is already connected unless the user explicitly approves disrupting the current session.

## Troubleshooting Signals

- Looping on `employee.auth.lemanapro.ru/.../login-actions/authenticate`: check autofill events and Keycloak selectors.
- `SSLEOFError` / `UNEXPECTED_EOF_WHILE_READING` on `sslvpna` or `sslvpnb`: check the auth redirect patch.
- Menu-bar app shows credential failure without a prompt: use terminal `vpn --configure-keychain`; GUI should not wait for stdin.
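The two log-visible signals above, turned into a small triage function as an added example (not part of the Lemana VPN project). The log path and the hostnames are the ones the skill names; the sample log lines, the loop threshold of three `login-actions/authenticate` hits and the signal names are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not project code): triage the openconnect-lite log for the
# two signals the skill lists. Hostnames and log path come from the skill;
# the loop threshold and the sample lines are constructed for this example.

LOG_FILE="${LOG_FILE:-$HOME/Library/Logs/LemanaVPN-openconnect-lite.log}"
LOOP_THRESHOLD=3

# Writes constructed sample lines so the triage can be exercised offline.
write_sample_log() {
  cat > "$1" <<'EOF'
2024-01-01T09:00:01 GET https://employee.auth.lemanapro.ru/.../login-actions/authenticate
2024-01-01T09:00:02 autofill: fields set, submit click suppressed
2024-01-01T09:00:03 GET https://employee.auth.lemanapro.ru/.../login-actions/authenticate
2024-01-01T09:00:04 GET https://employee.auth.lemanapro.ru/.../login-actions/authenticate
2024-01-01T09:00:05 headend sslvpna: SSLEOFError UNEXPECTED_EOF_WHILE_READING
EOF
}

# Prints the matched signals space-separated, or "clean"; returns 1 when any
# signal is present so a caller can branch on it.
triage_vpn_log() {
  log=$1
  signals=""
  # grep -c prints 0 and exits 1 on no match; keep the 0 and ignore the status
  auth_hits=$(grep -c 'login-actions/authenticate' "$log" || true)
  if [ "$auth_hits" -ge "$LOOP_THRESHOLD" ]; then
    signals="$signals keycloak-loop"
  fi
  # EOF errors only count when they are attributed to the sslvpna/sslvpnb headends
  if grep -E 'sslvpn[ab]' "$log" | grep -Eq 'SSLEOFError|UNEXPECTED_EOF_WHILE_READING'; then
    signals="$signals auth-redirect-eof"
  fi
  if [ -z "$signals" ]; then
    echo clean
    return 0
  fi
  printf '%s\n' "${signals# }"
  return 1
}

# Maps each signal to the check the skill prescribes.
explain_signal() {
  case "$1" in
    keycloak-loop) echo "Keycloak login loop: check autofill events and Keycloak selectors; use vpn --manual first" ;;
    auth-redirect-eof) echo "TLS EOF on headend: check the auth redirect patch (302 Location handling)" ;;
    clean) echo "no known SSO/redirect signal in the log" ;;
    *) echo "unknown signal: $1"; return 1 ;;
  esac
}

if [ $# -gt 0 ]; then
  for s in $(triage_vpn_log "${1:-$LOG_FILE}"); do explain_signal "$s"; done
fi
```

Point it at the live log (`./triage.sh ~/Library/Logs/LemanaVPN-openconnect-lite.log`) after a failed `vpn --manual` run; the explanation lines tell you which patch area to look at before touching anything.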