I think I did see that while searching, but did not click on it.  I will now!
Thank you!


On Wednesday, December 6, 2017 2:24 PM, Michael Plemmons via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:



Have you taken a look at this?

https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam


That is a plugin we have on our OpenVPN server which is backed by FreeIPA.

In our OpenVPN server conf file we have a line that looks like this.

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn



(root)>ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 27 Dec 30  2016 /etc/pam.d/openvpn -> /etc/pam.d/password-auth-ac


The PAM module called 'openvpn' looks like this.  As you can see, openvpn is a symlink.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


That may help.

Mike Plemmons | Senior DevOps Engineer | CrossChx

614.427.2411
mike.plemm...@crosschx.com

www.crosschx.com
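As an added example (not code from Mike's post, FreeIPA or the OpenVPN project), here is a small Python checker for a PAM service file in the format quoted above: it parses the stack, including bracketed control values, `\` continuation lines and the `-` optional-module prefix, and confirms that both the auth and account phases reach pam_sss.so, which is where FreeIPA (through SSSD) is actually consulted. The sample stack is constructed from the quoted one; the `check_service` helper and its default paths are assumptions.

```python
import re
from pathlib import Path

# Constructed sample: the password-auth-ac stack quoted in the thread, trimmed to
# a few lines and given a '\' continuation plus a '-' optional-module prefix so
# the parser is exercised on both syntaxes.
SAMPLE_PAM = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok \\
    try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
-session    optional      pam_systemd.so
"""

LINE_RE = re.compile(
    r"^(?P<opt>-?)(?P<type>auth|account|password|session)\s+"
    r"(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_pam(text):
    """Parse pam.d-style text into dicts: type, control, module, args, optional."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continuation lines
        line = raw.split("#", 1)[0].strip()               # drop comments / blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append({"type": m["type"], "control": m["ctrl"],
                        "module": m["module"], "args": " ".join(m["args"].split()),
                        "optional": m["opt"] == "-"})
    return entries

def check_freeipa_stack(entries):
    """Return problems a defender wants fixed before trusting this stack for VPN logins."""
    problems = []
    for phase in ("auth", "account"):
        if not any(e["module"] == "pam_sss.so" for e in entries if e["type"] == phase):
            problems.append(f"{phase} phase never reaches pam_sss.so (FreeIPA/SSSD not consulted)")
    auth = [e for e in entries if e["type"] == "auth"]
    if not auth or auth[-1]["module"] != "pam_deny.so":
        problems.append("auth stack does not end in pam_deny.so")
    return problems

def check_service(name="openvpn", pam_dir="/etc/pam.d"):
    """Assumed helper: read /etc/pam.d/<name> (following the symlink) and check it."""
    return check_freeipa_stack(parse_pam((Path(pam_dir) / name).read_text()))

if __name__ == "__main__":
    print(check_freeipa_stack(parse_pam(SAMPLE_PAM)) or ["sample stack OK"])
```

On a real host, `check_service()` reads the live service file; the account-phase check matters because that is where SSSD evaluates FreeIPA HBAC rules and account lock status.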

On Wed, Dec 6, 2017 at 3:13 PM, Andrew Meyer via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

>Hello,
>I am trying to configure my openvpn setup to authenticate against FreeIPA.  I 
>have OpenVPN configured and it is accepting connections.  The package for 
>ldap_auth is installed and configured.  However, I have tried to set up 
>anonymous LDAP lookups and authenticated LDAP lookups and neither seems to be 
>working.  Every time I change the config to test, openvpn works just fine.  
>However, when I try to connect to the VPN it tells me that the LDAP bind failed 
>w/ invalid credentials.  I have been combing through Google and found that a 
>few people used PAM in the past and still do today.  Is this the proper procedure 
>for setting this up?
>
>Is there a similar pam module that I could copy/link?
>
>Thank you,
>Andrew
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>
