Morgan Cox via FreeIPA-users wrote:
> Hi.
>
> I have been trying to integrate openvpn with FreeIPA. General
> integration (i.e. using the IPA user password) works fine; my issue is
> connecting it with 2FA (OTP). Without writing an external script it is
> not possible to use OTP + IPA + openvpn, as there is no mechanism to ask
> for the 2nd factor in openvpn and only sshd is set up for a 2nd factor.
> The reasons are explained in this reddit post ->
>
> https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_token_not_working/
>
> I was advised however that openvpn-auth-ldap can be used, as it is set
> up so you can input PASS+OTPTOKEN in the password field.
>
> What I do not understand is what to enter in the
> /etc/openvpn/auth/ldap.conf config. I was advised I could get the data I
> need using ldapsearch with syntax similar to
>
> # ldapsearch -ZZ -W -L ldap://ipa.example.org \
>     -b dc=example,dc=org -D uid=testuser,cn=users,cn=accounts,dc=example,dc=org
TLSEnable is enabled by default on IPA systems in /etc/openldap/ldap.conf.
The first -Z means enable startTLS, which is already enabled. The second -Z
means quit on failure, which it does because startTLS is already enabled.

> However I found using this syntax I just got the error
>
> "ldap_start_tls: Operations error (1), additional info: SSL connection
> already established"
>
> I have found working commands to query LDAP such as
>
> # ldapsearch -LL -Y GSSAPI

It is more or less equivalent, using GSSAPI and your current Kerberos
credentials rather than TLS and simple bind.

> However I am really not sure what info I need to get.

I don't know what you need for this either.

> The config for auth-ldap is at the end of the message. The only parts I
> think I know are
> (btw the ipa server is called ipa1.morgan.kvm)
>
> ---
> URL ldap://ipa1.morgan.kvm
> TLSCACertFile /etc/ipa/ca.crt
> ---
>
> (this may be wrong..) I am unsure about the BaseDN and TLS cert paths, etc.

The basedn for what, users?

You can get the basedn for the server from /etc/ipa/default.conf

The container for users is cn=users,cn=accounts,$BASEDN

Not sure which cert paths you need either but the CA cert chain is in
/etc/ipa/ca.crt as you seem to have configured.

rob

> Can anyone help?
>
> The config is below
>
> --------------
> <LDAP>
>     # LDAP server URL
>     URL ldap://ipa1.morgan.kvm
>
>     # Bind DN (If your LDAP server doesn't support anonymous binds)
>     # BindDN uid=Manager,ou=People,dc=example,dc=com
>
>     # Bind Password
>     # Password SecretPassword
>
>     # Network timeout (in seconds)
>     Timeout 15
>
>     # Enable Start TLS
>     TLSEnable yes
>
>     # Follow LDAP Referrals (anonymously)
>     FollowReferrals yes
>
>     # TLS CA Certificate File
>     TLSCACertFile /etc/ipa/ca.crt
>
>     # TLS CA Certificate Directory
>     TLSCACertDir /etc/ssl/certs
>
>     # Client Certificate and key
>     # If TLS client authentication is required
>     TLSCertFile /usr/local/etc/ssl/client-cert.pem
>     TLSKeyFile /usr/local/etc/ssl/client-key.pem
>
>     # Cipher Suite
>     # The defaults are usually fine here
>     # TLSCipherSuite ALL:!ADH:@STRENGTH
> </LDAP>
>
> <Authorization>
>     # Base DN
>     BaseDN "ou=People,dc=example,dc=com"
>
>     # User Search Filter
>     SearchFilter "(&(uid=%u)(accountStatus=active))"
>
>     # Require Group Membership
>     RequireGroup false
>
>     # Add non-group members to a PF table (disabled)
>     #PFTable ips_vpn_users
>
>     <Group>
>         BaseDN "ou=Groups,dc=example,dc=com"
>         SearchFilter "(|(cn=developers)(cn=artists))"
>         MemberAttribute uniqueMember
>         # Add group members to a PF table (disabled)
>         #PFTable ips_vpn_eng
>     </Group>
> </Authorization>
>
> --------------

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
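The steps Rob points at (read basedn from /etc/ipa/default.conf, users live under cn=users,cn=accounts,$BASEDN, the CA chain is /etc/ipa/ca.crt), carried through as an added example script. This is not code from the thread, from FreeIPA or from openvpn-auth-ldap. The default.conf content is a constructed sample with made-up values, the function names are mine, and the SearchFilter is reduced to (uid=%u) because the accountStatus attribute in the stock template is not an IPA attribute (IPA records lock state in nsAccountLock); that last point is my note, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread or from openvpn-auth-ldap: derive the
# FreeIPA base DN from /etc/ipa/default.conf and render the IPA-specific part
# of an openvpn-auth-ldap config. The sample config, the paths and the
# function names below are constructed for this example.

# Constructed sample of /etc/ipa/default.conf (same shape as the real file,
# made-up values). On an IPA host pass the real path instead.
SAMPLE_DEFAULT_CONF='[global]
basedn = dc=morgan,dc=kvm
realm = MORGAN.KVM
domain = morgan.kvm
server = ipa1.morgan.kvm
host = vpn.morgan.kvm
xmlrpc_uri = https://ipa1.morgan.kvm/ipa/xml
enable_ra = True
'

# ipa_conf_get FILE KEY: print the value of "KEY = value" from the [global]
# section of an IPA default.conf; prints nothing if the key is absent.
ipa_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, i + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# ipa_user_dn FILE UID: the DN of a user in IPA's fixed container
# cn=users,cn=accounts,$BASEDN (the form the ldapsearch -D option wants).
ipa_user_dn() {
    basedn=$(ipa_conf_get "$1" basedn)
    [ -n "$basedn" ] || { echo "basedn not found in $1" >&2; return 1; }
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$2" "$basedn"
}

# render_auth_ldap_fragment FILE: the <LDAP> and <Authorization> settings
# that come from IPA. Settings not shown keep the posted template's values.
render_auth_ldap_fragment() {
    basedn=$(ipa_conf_get "$1" basedn)
    server=$(ipa_conf_get "$1" server)
    if [ -z "$basedn" ] || [ -z "$server" ]; then
        echo "basedn or server missing in $1" >&2
        return 1
    fi
    cat <<EOF
<LDAP>
    URL ldap://$server
    Timeout 15
    TLSEnable yes
    TLSCACertFile /etc/ipa/ca.crt
</LDAP>
<Authorization>
    BaseDN "cn=users,cn=accounts,$basedn"
    # accountStatus from the stock template is not an IPA attribute
    # (IPA keeps lock state in nsAccountLock), so match on uid only.
    SearchFilter "(uid=%u)"
    RequireGroup false
</Authorization>
EOF
}

# Demo on the constructed sample; on a real host use /etc/ipa/default.conf.
demo_conf=$(mktemp)
printf '%s' "$SAMPLE_DEFAULT_CONF" > "$demo_conf"
ipa_user_dn "$demo_conf" testuser
render_auth_ldap_fragment "$demo_conf"
rm -f "$demo_conf"
```

Run it as-is to see the rendered fragment for the sample; with the real default.conf the printed BaseDN is the one to put in the <Authorization> block, and the user DN is what to pass to ldapsearch -D when checking the password with a simple bind.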
