On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
> I have an IPA server running. This server has users who are members of
> various groups. I want to query the IPA server from an IPA client to
> know whether a user is a member of a group.
> I want to do this from the OpenVPN service using the
> openvpn_auth_pam.so. Normally one uses this like this:
> openvpn_auth_pam.so login
> This queries the PAM login (and thus IPA) if the username/password
> from openvpn is valid. The "login" is /etc/pam.d/login. OpenVPN docs
> say you could use other modules instead of login.
> So, I would like to add the next line:
> openvpn_auth_pam.so group <username> "openvpn"
> Where a /etc/pam.d/group file would check whether the user is a member
> of the group "openvpn". If not, false is returned and the login
> attempt (through openvpn) fails.
> Is this possible? If not, is there a better way?
Can you step up from the implementation and explain what you want to
It seems that you want to use OpenVPN and do some access control checks
when a user connects to OpenVPN. Right?
If you can describe the flow of operations, we might be able to guide you to
the right solution.
It would also be nice to understand what OS OpenVPN is running on.
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.