Thanks Alexander. What happens to the passwords? Are they hashed by Kerberos?
On 1 April 2015 at 15:14, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Wed, 01 Apr 2015, Andrew Holway wrote:
>
>> Please could someone explain to me what is happening internally?
>>
>> In my head I have the following process....
>>
>> The openvpn pam module sends the username and password to pam.
>> Pam passes this onto sssd
>> sssd then does the kerberos thing
>> kerberos passes the password to the LDAP
>>
> KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
> binds to IPA LDAP to verify the password
>
>> some LDAP module takes the password from the database, appends on the OTP
>> and actually does the auth...
>>
> Yes, the rest is correct.
>
> http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
> of "the Kerberos thing"
>
>> On 1 April 2015 at 13:15, Andrew Holway <andrew.hol...@gmail.com> wrote:
>>
>>>> It is simple to configure OpenVPN with authentication against FreeIPA in
>>>> Fedora 21, all the heavy lifting is done by SSSD:
>>>>
>>> I have to say that this sssd / pam method is working very very well.
>>>
>>> I do however need to get my head around radius. Something for a rainy
>>> sunday I think :).
>>>
>>>> # grep plugin /etc/openvpn/server.conf
>>>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
>>>>
>>>> # LANG=C ls -l /etc/pam.d/openvpn
>>>> lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
>>>>
>>>> # LANG=C ipa user-show vpnuser
>>>> User login: vpnuser
>>>> First name: VPN
>>>> Last name: TestUser
>>>> Home directory: /home/vpnuser
>>>> Login shell: /bin/sh
>>>> Email address: vpnu...@example.com
>>>> UID: 1792600005
>>>> GID: 1792600005
>>>> Account disabled: False
>>>> User authentication types: otp
>>>> Password: True
>>>> Member of groups: ipausers
>>>> Kerberos keys available: True
>>>>
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>>>>
>
> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
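The journal excerpt Alexander quoted shows the shape of a successful OpenVPN login through the system-auth PAM stack: pam_unix reports an authentication failure first (an IPA user has no local password in /etc/shadow), then pam_sss reports success and OpenVPN logs its own TLS verdict. Anyone reviewing these logs for failed VPN logins needs to treat that pam_unix failure as expected noise rather than an attack indicator. The script below is an added example for this thread, not code from FreeIPA, SSSD or OpenVPN; it folds the per-module PAM lines into attempts, reports the real outcome per user, and cross-checks PAM successes against OpenVPN's "authentication succeeded" lines. The sample log is constructed to mirror the quoted lines, with a second, genuinely failed attempt added; the peer address and the second attempt's timestamps are assumptions.

```python
"""Triage OpenVPN auth-pam log lines of the kind quoted in this thread.

Added example for the thread above; not code from FreeIPA, SSSD or OpenVPN.
SAMPLE_LOG is constructed: the first attempt mirrors Alexander's lines
(pam_unix fails, pam_sss succeeds, OpenVPN accepts), the second is a
genuinely failed attempt where pam_sss also fails.
"""
import re
from collections import defaultdict

# "<ts> <host> openvpn[<pid>]: pam_xxx(openvpn:auth): authentication <result>; ... user=<name>"
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) openvpn\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(openvpn:auth\): authentication (?P<result>success|failure);"
    r".*?\buser=(?P<user>\S*)"
)
# OpenVPN's own verdict after the auth-pam plugin returns status=0
TLS_OK_RE = re.compile(
    r"TLS: Username/Password authentication succeeded for username '(?P<user>[^']*)'"
)

SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: 203.0.113.10:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:30:02 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:30:05 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:30:05 ipa.example.com openvpn[29732]: 203.0.113.10:50240 TLS Auth Error: Auth Username/Password verification failed for peer
"""


def parse_pam_events(text):
    """Return one dict per pam_*(openvpn:auth) line, in log order."""
    return [m.groupdict() for m in map(PAM_RE.search, text.splitlines()) if m]


def group_attempts(events):
    """Fold consecutive module lines for the same helper PID and user into one attempt.

    In the Fedora system-auth stack both pam_unix and pam_sss are 'sufficient',
    so an attempt succeeds as soon as one module succeeds. pam_unix is the first
    module, so a pam_unix line opens a new attempt; its failure for an IPA-only
    user is expected and is flagged as unix_noise when pam_sss then succeeds.
    """
    attempts, current = [], None
    for ev in events:
        key = (ev["pid"], ev["user"])
        if (current is None or current["key"] != key
                or ev["module"] == "pam_unix" or current["result"] == "success"):
            current = {"key": key, "user": ev["user"], "pid": ev["pid"], "ts": ev["ts"],
                       "modules": [], "result": "failure", "unix_noise": False}
            attempts.append(current)
        current["modules"].append((ev["module"], ev["result"]))
        if ev["result"] == "success":
            current["result"] = "success"
    for a in attempts:
        a["unix_noise"] = a["result"] == "success" and ("pam_unix", "failure") in a["modules"]
    return attempts


def summarize(text):
    """Per-user counts of real successes, real failures and pam_unix noise."""
    per_user = defaultdict(lambda: {"success": 0, "failure": 0, "pam_unix_noise": 0})
    for a in group_attempts(parse_pam_events(text)):
        per_user[a["user"]][a["result"]] += 1
        if a["unix_noise"]:
            per_user[a["user"]]["pam_unix_noise"] += 1
    return dict(per_user)


def tls_successes(text):
    """Per-user count of OpenVPN's own 'authentication succeeded' lines."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = TLS_OK_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return dict(counts)


def cross_check(text):
    """True when every PAM-level success is matched by an OpenVPN TLS success."""
    pam = {u: c["success"] for u, c in summarize(text).items() if c["success"]}
    return pam == tls_successes(text)


if __name__ == "__main__":
    for a in group_attempts(parse_pam_events(SAMPLE_LOG)):
        noise = " (pam_unix failure is expected noise)" if a["unix_noise"] else ""
        print(f"{a['ts']} pid={a['pid']} user={a['user']}: {a['result']}{noise}")
    print(summarize(SAMPLE_LOG))
    print("PAM/TLS success counts agree:", cross_check(SAMPLE_LOG))
```

Run against a real journal (`journalctl -u openvpn@server` or the syslog file), the per-attempt view separates the one line that matters, pam_sss's verdict, from the pam_unix failure that precedes every IPA login; only attempts whose result is "failure" deserve a second look.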