Rob Crittenden via FreeIPA-users <[email protected]> writes:
> Sina Owolabi via FreeIPA-users wrote:
>> Hi List
>>
>> I’ve been struggling with this for a while and I would really appreciate
>> some advice.
>> I have an openvpn server using freeIPA to authenticate users logging
>> into the office VPN.
>> Currently all users have access to all services on the OpenVPN server.
>> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
>> them to have access to anything else?
> ...
> What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> configured for auth.

To elaborate that somewhat more: It depends on how you authenticate your
users. The most simple way is to enable PAM authentication in your server
config:

,----
| plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
`----

Then you create a file /etc/pam.d/openvpn and can use sssd there. Your HBAC
rule needs to allow the openvpn service for the users.

You could also authenticate against LDAP or RADIUS and juggle with groups,
but PAM is really easier.

Jochen
--
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
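The PAM-plus-SSSD setup Jochen describes, as an added worked example that is not part of the thread and not FreeIPA's or OpenVPN's own code. It stages the three pieces that have to agree on one name (the last argument of the plugin line, the file under /etc/pam.d, and the HBAC service), and checks that agreement, because a mismatch silently leaves the rule unused. The plugin path is the Debian one from the mail; the group `vpn-users`, the host `vpn.example.com`, the rule name `allow_vpn_users` and the file `/etc/openvpn/server/auth.conf` are assumptions for illustration. Two points the thread does not spell out: SSSD evaluates HBAC in the PAM `account` phase, so the pam.d file needs an `account` line for `pam_sss.so`, not only `auth`; and a fresh FreeIPA install has the `allow_all` HBAC rule enabled, which makes any narrower rule moot until it is disabled.

```shell
#!/bin/sh
# Added example: stage the OpenVPN PAM/SSSD configuration into a root
# directory (pass "/" on a real server, a temp dir to dry-run) and verify
# the PAM service name is consistent end to end.

PAM_SERVICE="openvpn"   # must match /etc/pam.d/<name> and the HBAC service

write_openvpn_pam() {   # $1 = root directory
  root="${1:-/}"
  mkdir -p "$root/etc/pam.d" "$root/etc/openvpn/server"
  # auth asks SSSD for the password; account is where SSSD applies HBAC
  cat > "$root/etc/pam.d/$PAM_SERVICE" <<'EOF'
# /etc/pam.d/openvpn -- authenticate and authorize VPN users via SSSD/FreeIPA
auth     required  pam_sss.so
account  required  pam_sss.so
EOF
  # file name/location is an assumption; include it from the main server config
  cat > "$root/etc/openvpn/server/auth.conf" <<EOF
# the last argument is the PAM service name; it must match /etc/pam.d/<name>
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so $PAM_SERVICE
EOF
}

# The FreeIPA side, printed rather than executed so it can be reviewed first.
# Group, host and rule names are placeholders. hbacsvc-add fails harmlessly
# if the service already exists.
hbac_commands() {
  cat <<EOF
ipa hbacsvc-add $PAM_SERVICE --desc="OpenVPN PAM service"
ipa hbacrule-add allow_vpn_users
ipa hbacrule-add-service allow_vpn_users --hbacsvcs=$PAM_SERVICE
ipa hbacrule-add-user allow_vpn_users --groups=vpn-users
ipa hbacrule-add-host allow_vpn_users --hosts=vpn.example.com
ipa hbacrule-disable allow_all
EOF
}

# Returns 0 when the plugin's PAM service name has a matching pam.d file that
# runs pam_sss in the account phase; non-zero codes say which piece is missing.
check_pam_consistency() {   # $1 = root directory
  root="${1:-/}"
  svc=$(awk '/openvpn-plugin-auth-pam/ {print $NF}' "$root/etc/openvpn/server/auth.conf")
  [ -n "$svc" ] || return 1                      # no plugin line found
  [ -f "$root/etc/pam.d/$svc" ] || return 2      # pam.d file name does not match
  grep -Eq '^account[[:space:]]+required[[:space:]]+pam_sss\.so' \
      "$root/etc/pam.d/$svc" || return 3         # HBAC would never be evaluated
  return 0
}
```

Run `write_openvpn_pam /` on the VPN host, apply the printed `ipa` commands from an admin host, then `check_pam_consistency /` before restarting OpenVPN. After that, `ipa hbactest --user=<someone> --host=vpn.example.com --service=openvpn` shows whether the rule grants or denies a given user without logging in.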
