---
name: lemana-vpn-sso-autofill
description: Use when touching Lemana VPN Bitwarden, Keychain, TOTP, openconnect-lite runtime patches, Keycloak SSO, auto-fill, manual mode, hidden browser mode, or authentication troubleshooting.
---

# Lemana VPN SSO And Autofill

## Overview

The connection path is: Bitwarden or existing Keychain -> `openconnect-lite` credentials -> patched Keycloak browser flow -> Cisco/openconnect tunnel -> status JSON/logs/DNS cleanup. Be precise about which credential source is active.

## Credential Flow

With Bitwarden enabled, `bin/vpn-lemanapro.sh` unlocks `bw`, reads the item `LM LDAP`, extracts the LDAP password and the permanent TOTP seed, then writes both to the macOS Keychain for `openconnect-lite`.

Without Bitwarden, the connection can still work if the Keychain already holds:

- service `openconnect-lite`, account `<LDAP username>` for the LDAP password;
- service `openconnect-lite`, account `totp/<LDAP username>` for the permanent TOTP seed.

The Bitwarden master password unlocks the vault; it is not the corporate LDAP password. The TOTP seed is not the current 6-digit authenticator code.

If a GUI/no-tty path has incomplete Keychain credentials, do not invent an invisible prompt. Tell the user to run:

```sh
vpn --configure-keychain
```
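The source-selection rule above, written out as an added example (this is not code from the Lemana VPN project). `lookup(service, account)` is an injected function that returns the stored secret or `null`; on macOS it would wrap the real `security find-generic-password -s <service> -a <account> -w` query, whose argv `keychainQueryArgs` builds but never executes. The in-memory table used by `makeLookup` is constructed test data, and the `jdoe` username is a placeholder.

```javascript
// Keychain service name that openconnect-lite reads from (from the page).
const KEYCHAIN_SERVICE = 'openconnect-lite';

// argv for the macOS Keychain query; shown for reference, nothing here runs it.
function keychainQueryArgs(service, account) {
  return ['security', 'find-generic-password', '-s', service, '-a', account, '-w'];
}

// The two Keychain accounts openconnect-lite expects for one LDAP user:
// the password under the bare username, the permanent TOTP seed under totp/<user>.
function requiredAccounts(ldapUser) {
  return [ldapUser, `totp/${ldapUser}`];
}

// Test stand-in for the real Keychain: a constructed "service/account" -> secret table.
function makeLookup(table) {
  return (service, account) => table[`${service}/${account}`] ?? null;
}

// Decide which credential source is active. Never prompts: on an incomplete
// Keychain the only action is to tell the user which command to run.
function resolveCredentialSource({ ldapUser, bitwardenEnabled, lookup }) {
  if (bitwardenEnabled) {
    // bin/vpn-lemanapro.sh unlocks bw, reads "LM LDAP" and writes both secrets
    // to the Keychain itself, so Bitwarden is the source regardless of Keychain state.
    return { source: 'bitwarden', missing: [], action: null };
  }
  const missing = requiredAccounts(ldapUser)
    .filter((account) => lookup(KEYCHAIN_SERVICE, account) === null);
  if (missing.length === 0) {
    return { source: 'keychain', missing, action: null };
  }
  // GUI / no-tty path with incomplete Keychain: report, do not invent a prompt.
  return { source: 'incomplete', missing, action: 'vpn --configure-keychain' };
}

// Stand-alone demonstration with constructed data: password present, TOTP seed absent.
function demo() {
  const lookup = makeLookup({ 'openconnect-lite/jdoe': 'constructed-password' });
  return resolveCredentialSource({ ldapUser: 'jdoe', bitwardenEnabled: false, lookup });
}

console.log(demo());
```

Reporting `missing` by account name (rather than just "credentials failed") is what lets the troubleshooting step distinguish a missing password from a missing TOTP seed without any interactive prompt.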

## Runtime Patches

`vpn-lemanapro.sh` patches `openconnect-lite` before connecting. The expected behavior includes:

- Qt hidden browser mode uses `offscreen`, not `minimal`.
- Keycloak fields keep the direct `elem.value = ...` assignment, plus `input` and `change` DOM events.
- Autofill stays in `ApplicationWorld`; do not reintroduce `MainWorld`, native setters, or stateful click guards unless there is fresh evidence.
- The URL guard prevents Keycloak selectors from clicking on Cisco ACS pages.
- Auth redirect reads the 302 `Location` from `vpn.lemanapro.ru` without following the TLS-reset-prone final headend GET.
- `LEMANA_VPN_AUTOFILL_CLICK=0` disables submit for manual mode.
- `LEMANA_VPN_AUTOFILL_DISABLE=1` disables autofill for low-level diagnosis.

Apply patches without connecting:

```sh
vpn-lemanapro.sh --patch-only
```

## Modes

- `vpn` / `vpn-auto`: hidden browser, autofill, auto-submit.
- `vpn --manual` / `vpn-manual`: visible browser, autofill, no submit.
- `vpn --manual-full` / `vpn-manual-full`: visible browser, no autofill, no submit.
- `vpn-debug`: visible browser and raw logs.
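The autofill behavior described under Runtime Patches and the per-mode settings under Modes, as one added example that runs in Node (this is not the project's own patch code). It combines the URL guard, the direct `elem.value` assignment followed by `input` and `change` events, the `LEMANA_VPN_AUTOFILL_CLICK` / `LEMANA_VPN_AUTOFILL_DISABLE` overrides, and the hidden-browser `offscreen` platform choice. Assumptions: the Keycloak host is taken from the troubleshooting signal on this page and the guard checks the hostname only; the field selectors `#username`, `#password` and `#kc-login` are Keycloak's default login-form ids, not something the page states; `FakeElement`, `makePage` and the constructed URLs and realm name exist only so the code runs without a browser.

```javascript
// Host the Keycloak login lives on (from the troubleshooting signal on this page).
const KEYCLOAK_HOST = 'employee.auth.lemanapro.ru';
// Assumed selectors: Keycloak's default login-form ids, not taken from the page.
const SELECTORS = { username: '#username', password: '#password', submit: '#kc-login' };

// Per-mode behavior from the Modes section.
const MODES = {
  'vpn-auto':        { hiddenBrowser: true,  autofill: true,  submit: true },
  'vpn-manual':      { hiddenBrowser: false, autofill: true,  submit: false },
  'vpn-manual-full': { hiddenBrowser: false, autofill: false, submit: false },
};

// Environment overrides layered on top of the mode, plus the Qt platform choice.
function effectiveSettings(mode, env = {}) {
  const s = { ...MODES[mode] };
  if (env.LEMANA_VPN_AUTOFILL_DISABLE === '1') s.autofill = false;
  if (env.LEMANA_VPN_AUTOFILL_CLICK === '0') s.submit = false;
  s.qtPlatform = s.hiddenBrowser ? 'offscreen' : null; // offscreen, never minimal
  return s;
}

// URL guard: Keycloak selectors may only act on the Keycloak host, so they can
// never click through a Cisco ACS page served from the VPN headend.
function isKeycloakPage(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.protocol === 'https:' && u.hostname === KEYCLOAK_HOST;
}

// Fill a field the way the patch expects: direct value assignment, then
// input and change events so Keycloak's own listeners observe the change.
function setField(elem, value) {
  elem.value = value;
  for (const type of ['input', 'change']) {
    // Real DOM needs an Event instance; fall back to a plain object where Event is absent.
    const ev = typeof Event === 'function' ? new Event(type, { bubbles: true }) : { type };
    elem.dispatchEvent(ev);
  }
}

// `query(selector)` is the injected element lookup (document.querySelector in a browser).
function autofill({ url, mode, env = {}, creds, query }) {
  const settings = effectiveSettings(mode, env);
  if (!isKeycloakPage(url)) return { filled: false, submitted: false, reason: 'url-guard' };
  if (!settings.autofill) return { filled: false, submitted: false, reason: 'autofill-disabled' };
  const user = query(SELECTORS.username);
  const pass = query(SELECTORS.password);
  if (!user || !pass) return { filled: false, submitted: false, reason: 'fields-not-found' };
  setField(user, creds.username);
  setField(pass, creds.password);
  if (!settings.submit) return { filled: true, submitted: false, reason: 'no-submit' };
  const btn = query(SELECTORS.submit);
  if (!btn) return { filled: true, submitted: false, reason: 'submit-button-missing' };
  btn.click();
  return { filled: true, submitted: true, reason: 'submitted' };
}

// Constructed stand-in for a DOM element: records events and clicks.
class FakeElement {
  constructor() { this.value = ''; this.events = []; this.clicks = 0; }
  dispatchEvent(ev) { this.events.push(ev.type); return true; }
  click() { this.clicks += 1; }
}

// Constructed login page with the three assumed fields.
function makePage() {
  const els = {};
  for (const sel of Object.values(SELECTORS)) els[sel] = new FakeElement();
  return { els, query: (sel) => els[sel] ?? null };
}

// Stand-alone demonstration against a constructed Keycloak URL in auto mode.
function demo() {
  const page = makePage();
  const result = autofill({
    url: 'https://employee.auth.lemanapro.ru/auth/realms/example/protocol/openid-connect/auth',
    mode: 'vpn-auto',
    creds: { username: 'jdoe', password: 'constructed-password' },
    query: page.query,
  });
  return { result, passwordEvents: page.els['#password'].events, clicks: page.els['#kc-login'].clicks };
}

console.log(demo());
```

The guard returns before any selector is touched, so a headend page at `vpn.lemanapro.ru` gets neither filled nor clicked even in auto mode; the `reason` field is what to log when the troubleshooting loop on `login-actions/authenticate` needs to be explained.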

When diagnosing SSO, use manual mode first. Do not repeatedly start automatic mode if a connection attempt is already in progress.

## Testing

For any SSO/autofill patch:

```sh
bash -n bin/vpn-lemanapro.sh
tests/smoke.sh
```

If live behavior must be checked:

```sh
vpn --status
vpn --manual
vpn --manual-full
tail -f ~/Library/Logs/LemanaVPN-openconnect-lite.log
```

Skip live reconnect when the VPN is already connected unless the user explicitly approves disrupting the current session.

## Troubleshooting Signals

- Looping on `employee.auth.lemanapro.ru/.../login-actions/authenticate`: check autofill events and Keycloak selectors.
- `SSLEOFError` / `UNEXPECTED_EOF_WHILE_READING` on `sslvpna` or `sslvpnb`: check the auth redirect patch.
- Menu-bar app shows a credential failure without a prompt: run `vpn --configure-keychain` in a terminal; the GUI should not wait for stdin.