On Fri, 2012-10-05 at 13:50 -0400, Dmitri Pal wrote:
> On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
> > Hello,
> >
> > I have an IPA server running. This server has users who are members of
> > various groups. I want to query the IPA server from an IPA client to
> > know whether a user is a member of a group.
> >
> > I want to do this from the OpenVPN service using the
> > openvpn_auth_pam.so. Normally one uses this like this:
> >
> > openvpn_auth_pam.so login
> >
> > This queries the PAM login (and thus IPA) whether the username/password
> > from openvpn is valid. The "login" is /etc/pam.d/login. OpenVPN docs
> > say you could use other modules instead of login.
> >
> > So, I would like to add the next line:
> >
> > openvpn_auth_pam.so group <username> "openvpn"
> >
> > Where a /etc/pam.d/group file would check whether the user is a member
> > of the group "openvpn". If not, false is returned and the login
> > attempt (through openvpn) fails.
> >
> > Is this possible? If not, is there a better way?
> >
> > Fred
>
> Can you step up from the implementation and explain what you want to
> accomplish?
> It seems that you want to use OpenVPN and do some access control
> checks when a user connects to OpenVPN. Right?
> If you can describe the flow of operations we might be able to guide you
> to the right solution.
>
> Also it would be nice to understand what OS OpenVPN is running on.
If the PAM stack is used fully (account phase at least) then HBAC may be a better way to do this sort of check.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
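The point behind Simo's reply is that openvpn_auth_pam.so only proves the password if the PAM service file stops at the auth phase; IPA's HBAC rules are evaluated by SSSD during the account phase, so the service file must include an account line for pam_sss.so, and the HBAC rule must name that PAM service. The following shell script is an added example, not code from the thread, from OpenVPN or from FreeIPA. It writes such a PAM service file, checks an existing one for the account line, and prints (without running) the `ipa` commands that restrict the service to one group. The service name "openvpn", the rule name "allow_openvpn", the group name and the host name are assumptions chosen here; SSSD is assumed to be the IPA client on the OpenVPN host.

```shell
#!/bin/sh
# Added example for the FreeIPA thread above; not from OpenVPN or FreeIPA.
# Assumptions: the OpenVPN host is an IPA client using SSSD (pam_sss.so),
# the PAM service and the HBAC service are both named "openvpn" (they must
# match, because SSSD passes the PAM service name to IPA for HBAC evaluation).

# write_openvpn_pam FILE : write a PAM service file that runs BOTH the auth
# phase (password check) and the account phase (HBAC evaluation) via pam_sss.
# In production FILE would be /etc/pam.d/openvpn, referenced by the OpenVPN
# config line "plugin openvpn-auth-pam.so openvpn".
write_openvpn_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# auth phase: username/password are verified against IPA through SSSD
auth     required   pam_env.so
auth     sufficient pam_sss.so
auth     required   pam_deny.so
# account phase: SSSD asks IPA to evaluate the HBAC rules for service "openvpn";
# without this line a password-only stack lets every IPA user connect
account  required   pam_sss.so
EOF
}

# pam_has_sss_account FILE : exit 0 if FILE runs pam_sss.so in the account
# phase (so HBAC is enforced), 1 otherwise. Comment lines are ignored.
pam_has_sss_account() {
    grep -Eq '^[[:space:]]*account[[:space:]]+.*pam_sss\.so' "$1"
}

# hbac_rule_commands GROUP HOST USER : print the ipa commands that allow only
# members of GROUP to use the PAM service "openvpn" on HOST, plus a hbactest
# call for USER to verify the result. Printed, not executed.
hbac_rule_commands() {
    group="$1"; host="$2"; user="$3"
    cat <<EOF
ipa hbacsvc-add openvpn --desc="OpenVPN PAM service"
ipa hbacrule-add allow_openvpn --desc="VPN access for group ${group}"
ipa hbacrule-add-user allow_openvpn --groups="${group}"
ipa hbacrule-add-host allow_openvpn --hosts="${host}"
ipa hbacrule-add-service allow_openvpn --hbacsvcs=openvpn
ipa hbactest --user="${user}" --host="${host}" --service=openvpn
EOF
}

# Stand-alone usage: generate the PAM file into a scratch path, verify it,
# and show the HBAC commands for a constructed group/host/user.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_openvpn_pam "$tmp"
    pam_has_sss_account "$tmp" && echo "account phase present in $tmp"
    hbac_rule_commands openvpn vpn.example.com fred
    rm -f "$tmp"
fi
```

Two caveats a practitioner should check: the default IPA rule `allow_all` grants every user access to every service on every host, so the new rule only restricts anything once `allow_all` is disabled (`ipa hbacrule-disable allow_all`) or a more specific policy replaces it; and `ipa hbactest` evaluates the rule set server-side, which is the quickest way to confirm that a user outside the group is denied before touching the VPN.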