We use openvpn's "auth-user-pass-verify" option to call a perl script that queries PAM.

I can't provide all of it since it has sensitive/corporate information, but essentially OpenVPN will provide the password used during client negotiation as an environment variable, and the perl script sends that to PAM to be validated. Then, based on the results, the script will exit with either 0 (Good/Pass) or 1 (Bad/Fail). OpenVPN will automatically terminate the connection if the script ends with anything other than 0.


We ended up going this route because we also wanted to verify a TOTP token as well as the user/pass, and the perl script allows for that (we obtain the TOTP token by configuring the client ovpn to request "static-challenge", which is also provided to the script via environment variable).
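An added illustration of the hook contract described above, not the poster's perl script: a Python auth-user-pass-verify script (via-env method) that splits OpenVPN's SCRV1 static-challenge packing of password and challenge response, runs both factors through caller-supplied check functions, and exits non-zero on every failure path. The SCRV1 layout and the PAM/TOTP callables are assumptions; the actual PAM call is left to the deployment.

```python
import base64
import os
import sys
from typing import Callable, Optional, Tuple

# Assumed: with --static-challenge the client packs both factors into the
# password field as "SCRV1:<base64 password>:<base64 response>", which
# OpenVPN hands to a via-env script in the "password" variable.
SC_PREFIX = "SCRV1:"
Check = Callable[[str, str], bool]  # (username, secret) -> accepted?

def parse_static_challenge(field: str) -> Tuple[str, Optional[str]]:
    """Split the password field into (password, otp); otp is None when the
    client sent no challenge response. Malformed input raises ValueError."""
    if not field.startswith(SC_PREFIX):
        return field, None
    parts = field[len(SC_PREFIX):].split(":")
    if len(parts) != 2:
        raise ValueError("malformed SCRV1 credential")
    try:
        password = base64.b64decode(parts[0], validate=True).decode("utf-8")
        otp = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 credential") from exc
    return password, otp

def verify(username: str, field: str, pam_check: Check, otp_check: Check) -> int:
    """Return the exit status OpenVPN acts on: 0 accepts, anything else rejects.
    Every error path returns 1, so the hook fails closed."""
    try:
        password, otp = parse_static_challenge(field)
    except ValueError:
        return 1
    if otp is None:  # the challenge is mandatory here; no response, no access
        return 1
    if not pam_check(username, password) or not otp_check(username, otp):
        return 1
    return 0

def main(pam_check: Check, otp_check: Check) -> int:
    # via-env delivery of these variables requires "script-security 3".
    user = os.environ.get("username", "")
    field = os.environ.get("password", "")
    return verify(user, field, pam_check, otp_check) if user and field else 1

if __name__ == "__main__":
    # Hypothetical deny-all checks: wire in a real PAM call (e.g. python-pam)
    # and a TOTP validator before use.
    sys.exit(main(lambda u, p: False, lambda u, o: False))
```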


On 12/06/2017 03:29 PM, Andrew Meyer via FreeIPA-users wrote:
I already had the line in there for the plugin.

On Wednesday, December 6, 2017 2:28 PM, Andrew Meyer <andrewm...@yahoo.com> wrote:



I think I did see that while searching, but did not click on it.  I will now!
Thank you!


On Wednesday, December 6, 2017 2:24 PM, Michael Plemmons via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:



Have you taken a look at this?

https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam


That is a plugin we have on our OpenVPN server which is backed by FreeIPA.

In our OpenVPN server conf file we have a line that looks like this.

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn



(root)>ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 27 Dec 30  2016 /etc/pam.d/openvpn -> /etc/pam.d/password-auth-ac


The PAM module called 'openvpn' looks like this.  As you can see openvpn is a symlink.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass 
use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


That may help.

Mike Plemmons | Senior DevOps Engineer | CrossChx

614.427.2411
mike.plemm...@crosschx.com

www.crosschx.com

On Wed, Dec 6, 2017 at 3:13 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello,
I am trying to configure my openvpn setup to authenticate against FreeIPA.  I have OpenVPN configured and it is accepting connections.  The package for ldap_auth is installed and configured.  However, I have tried to set up anonymous ldap lookups and authenticated ldap lookups and neither seem to be working.  Every time I change the config to test, openvpn works just fine.  However, when I try to connect to the VPN it tells me that the LDAP bind failed w/ invalid credentials.  I have been combing through Google and found that a few people used pam in the past and still do today.  Is this the proper procedure for setting this up?

Is there a similar pam module that I could copy/link?

Thank you,
Andrew
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org