Have you taken a look at this?

https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam

That is a plugin we have on our OpenVPN server which is backed by FreeIPA.

In our OpenVPN server conf file we have a line that looks like this.

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

The PAM module called 'openvpn' looks like this.  As you can see openvpn is
a symlink.

(root)>ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 27 Dec 30  2016 /etc/pam.d/openvpn -> /etc/pam.d/password-auth-ac


#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


That may help.
*Mike Plemmons | Senior DevOps Engineer | CrossChx*
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Wed, Dec 6, 2017 at 3:13 PM, Andrew Meyer via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
> I am trying to configure my openvpn setup to authenticate against
> FreeIPA.  I have OpenVPN configured and it is accepting connections.  The
> package for ldap_auth is installed and configured.  However I have tried to
> set up anonymous ldap lookups and authenticated ldap lookups and neither
> seems to be working.  Every time I change the config to test, openvpn works
> just fine.  However, when I try to connect to the VPN it tells me that the
> LDAP bind failed w/ invalid credentials.  I have been combing through
> google and found that a few people used pam in the past and still do
> today.  Is this the proper procedure for setting this up?
>
> Is there a similar pam module that I could copy/link?
>
> Thank you,
> Andrew
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
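The auth-pam plugin hands the VPN username and password to the PAM service named by its first argument (the "openvpn" at the end of the plugin line in Mike's reply), so whatever stack sits in /etc/pam.d/openvpn decides who gets a tunnel. The script below is an added example, not code from the thread, from OpenVPN or from FreeIPA. It parses a file in pam.d syntax (including the [value=action ...] control fields, a leading "-" and backslash-continued lines) and audits the stack Mike posted for three things an operator would want to confirm: that the auth phase fails closed, that pam_sss.so is present in both auth and account so FreeIPA users are checked against sssd and their HBAC rules are enforced, and that pam_unix.so's nullok cannot let a local account with an empty password through. The plugin calls pam_authenticate() and then pam_acct_mgmt(), which is why the checks look only at those two phases; the checks themselves and the finding texts are this example's own policy, not rules from PAM. The posted configuration is embedded as sample input with the mail-wrapped lines rejoined.

```python
"""Audit the PAM stack that openvpn-plugin-auth-pam.so will run.

Added example, not code from the original post, OpenVPN or FreeIPA.
The checks below are this example's own assumptions about what a sane
VPN stack looks like, not rules taken from Linux-PAM.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

GROUPS = ("auth", "account", "password", "session")

# The /etc/pam.d/openvpn -> password-auth-ac stack from the post, with the
# lines the mail client wrapped joined back together (sample input).
POSTED_STACK = """\
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
"""


@dataclass
class Entry:
    group: str             # auth | account | password | session
    control: str           # required, sufficient, or a "[value=action ...]" list
    module: str            # e.g. pam_sss.so
    args: list[str]
    skip_if_missing: bool  # leading '-': PAM stays quiet if the .so is absent


def parse_pam_service(text: str) -> list[Entry]:
    """Parse pam.d syntax: [-]type control module [args]; '\\'-continued lines."""
    entries: list[Entry] = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tokens = line.split()
        group = tokens.pop(0)
        skip_if_missing = group.startswith("-")
        group = group.lstrip("-")
        if group not in GROUPS:
            raise ValueError(f"unknown management group: {raw!r}")
        control = tokens.pop(0)
        # A bracketed control field contains spaces; gather tokens until ']'.
        while control.startswith("[") and not control.endswith("]"):
            control += " " + tokens.pop(0)
        module = tokens.pop(0)
        entries.append(Entry(group, control, module, tokens, skip_if_missing))
    return entries


def audit(entries: list[Entry]) -> list[str]:
    """Return human-readable findings; an empty list means the stack passed."""
    findings: list[str] = []
    stack = {g: [e for e in entries if e.group == g] for g in GROUPS}

    # 1. auth must fail closed: the final line should be an explicit deny so
    #    nothing falls through to an implicit result.
    auth = stack["auth"]
    if not auth or (auth[-1].module, auth[-1].control) != ("pam_deny.so", "required"):
        findings.append("auth: stack does not end in 'required pam_deny.so'")

    # 2. FreeIPA users are only reached through sssd: pam_sss.so must be in
    #    auth (password check) and in account (where sssd evaluates HBAC
    #    rules, so leaving it out means authentication without HBAC).
    for group in ("auth", "account"):
        if not any(e.module == "pam_sss.so" for e in stack[group]):
            findings.append(f"{group}: pam_sss.so missing, FreeIPA users not handled in this phase")

    # 3. nullok lets a local account with an empty password field pass
    #    pam_unix; on a VPN endpoint that is a passwordless login.
    for e in auth:
        if e.module == "pam_unix.so" and "nullok" in e.args:
            findings.append("auth: pam_unix.so has nullok; empty local passwords are accepted")
    return findings


if __name__ == "__main__":
    # Usage: python pam_audit.py [/etc/pam.d/openvpn]; no path audits the posted stack.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_STACK
    for finding in audit(parse_pam_service(text)) or ["no findings"]:
        print(finding)
```

Run as written it reports one finding against the posted stack, the nullok on pam_unix.so in the auth phase, which is inherited from the distribution's password-auth-ac template rather than chosen for the VPN. Since /etc/pam.d/openvpn is a symlink to that auto-generated file (its own header says authconfig will overwrite it), anyone who wants VPN-specific settings such as dropping nullok should copy the file instead of linking it, and re-run the audit after any authconfig run.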
