On Tue, 09 Jul 2024, Tinku Goyal via FreeIPA-users wrote:
> My setup includes a set of FreeIPA servers running on version 4.9.2 and
> an OpenVPN configured for the users to connect to VPN.  Previously I was
> using IPA version 4.6.8 on CentOS7 and now installed IPA replica on
> 4.9.2 on OL8 and decommissioned the old one.
>
> I am using openvpn-plugin-auth-pam.so with login pam file to
> authenticate the IPA users logging in to OpenVPN.
>
> When I reset the password of users now, the users are not able
> to log in to OpenVPN with 2FA (password+otp), whereas with otp disabled
> it is working.
>
> For old users whose password has not been reset recently after the change
> in IPA cluster, authentication is working through OpenVPN
> both with and without OTP.
>
> All users (old + users whose password was reset recently) are able to
> log in to linux servers using the password and OTP combination, it's
> just not authenticating in OpenVPN.
>
> I have tried multiple things but still haven't been able to get it to work.

I don't see in openvpn auth-pam.c plugin code any handling of a password
change request during authentication.

Debug logs from SSSD and probably LDAP server for an attempt where a
password change is requested would be needed.
Please look at https://sssd.io/troubleshooting/basics.html for basics on
how to configure debug logs in SSSD.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
