You are completely right :-) Both IPA server and client are RHEL6.3 x86_64 boxes.
On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances running, because different users must end up in different subnets:

OpenVPN instance 1 listens on port 50000
OpenVPN instance 2 listens on port 50001
Users for subnet 1 must connect and authenticate on instance 1 (and get an IP in subnet 1)
Users for subnet 2 must connect and authenticate on instance 2 (and get an IP in subnet 2)

Both OpenVPN instances use the login pam module. In this setup I can not prevent users for subnet 2 to connect and authenticate successfully on OpenVPN instance 1. So, I would like to put the users for OpenVPN instance 1 in group OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA. Next, the OpenVPN daemon must be able to check a user for membership. If it is not a member, false is returned, and the OpenVPN authentication fails.

Documentation for the openvpn_auth_pam is here: <https://community.openvpn.net/openvpn/browser/plugin/auth-pam/README?rev=6cfada268122fe54ce6d211d96c744e91d41248c>

Fred

On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
> > Hello,
> >
> > I have an IPA server running. This server has users who are member to various groups. I want to query the IPA server from an IPA client to know whether a user is a member to a group.
> >
> > I want to do this from the OpenVPN service using the openvpn_auth_pam.so. Normally one uses this like this:
> >
> > openvpn_auth_pam.so login
> >
> > This queries the PAM login (and thus IPA) if the username/password from openvpn is valid. The "login" is /etc/pam.d/login. OpenVPN docs say you could use other modules instead of login.
> >
> > So, I would like to add the next line:
> >
> > openvpn_auth_pam.so group <username> "openvpn"
> >
> > Where a /etc/pam.d/group file would check whether the user is member of the group "openvpn". If not, false is returned and the login attempt (thru openvpn) fails.
> >
> > Is this possible? If not is there a better way?
> >
> > Fred
> >
>
> Can you step up from the implementation and explain what you want to accomplish?
> It seems that you want to use OpenVPN and do some access control checks when user connects to OpenVPN. Right?
> If you can describe the flow of operations we might be able to guide you to the right solution.
>
> Also would be nice to understand what OS OpenVPN is running on.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
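The setup Fred describes, as an added example that is not part of this thread: a dedicated PAM service per OpenVPN instance, gated on the IPA group with pam_succeed_if, so that a subnet-2 user is refused on instance 1 instead of falling through the shared "login" service. It assumes the RHEL 6 password-auth stack, the service names openvpn1/openvpn2, and the plugin path shown; the IPA group names are the ones from the message.

```shell
#!/bin/sh
# Added example (not from the thread). Renders a dedicated PAM service for one
# OpenVPN instance: pam_succeed_if rejects anyone who is not in the named IPA
# group before the password stack runs. Group membership is resolved through
# NSS, which sssd serves from IPA, so no extra LDAP query or module is needed.
# A rejected non-member is logged by pam_succeed_if ("requirement ... not met"),
# which is the syslog event to watch for subnet-2 users trying instance 1.
render_pam_service() {
    group="$1"
    cat <<EOF
#%PAM-1.0
# Only members of IPA group "$group" may authenticate through this service.
auth     required   pam_succeed_if.so user ingroup $group
auth     include    password-auth
account  required   pam_succeed_if.so user ingroup $group
account  include    password-auth
session  include    password-auth
EOF
}

# Write one service per instance into DIR (normally /etc/pam.d). The service
# names openvpn1/openvpn2 are an assumption; they are what openvpn_auth_pam.so
# is given on the plugin line, and also the PAM service name an IPA HBAC rule
# could match if the policy is later moved into IPA itself.
install_pam_services() {
    dir="$1"
    render_pam_service OpenVPN1 > "$dir/openvpn1"
    render_pam_service OpenVPN2 > "$dir/openvpn2"
    chmod 0644 "$dir/openvpn1" "$dir/openvpn2"
}

# The plugin line for each instance's server config. The plugin path is an
# assumption; use the one the installed package provides.
plugin_line() {
    printf 'plugin /usr/lib64/openvpn/plugin/lib/openvpn_auth_pam.so %s\n' "$1"
}
```

Instance 1 then gets `plugin_line openvpn1` in its config and instance 2 `plugin_line openvpn2`, each checked against its own group.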