I have a IPA server running. This server has users who are member to
various groups. I want to query the IPA server from an IPA client to know
whether a user is a member to a group.

I want to do this from the OpenVPN service using the openvpn_auth_pam.so.
Normally one uses this like this:

openvpn_auth_pam.so login

This queries the PAM login (and thus IPA) is the username/password from
openvpn is valid. the "login" is /etc/pam.d/login. OpenVPN docs say you
could use other modules instead of login.

So, I would like to add the next line:

openvpn_auth_pam.so group <username> "openvpn"

Where a /etc/pam.d/group file would check whether the user is member of the
group "openvpn". If not, false is returned and the login attempt (thru
openvpn) fails.

Is this possible? If not is there a better way?

Freeipa-users mailing list

Reply via email to