On Fri, 2012-10-05 at 20:13 +0200, Fred van Zwieten wrote:
> You are completely right :-)
>
> Both IPA server and client are RHEL6.3 x86_64 boxes.
>
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN
> instances running, because different users must end up in different
> subnets.
>
> OpenVPN instance 1 listens on port 50000
> OpenVPN instance 2 listens on port 50001
>
> Users for subnet 1 must connect and authenticate on instance 1 (and
> get an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and
> get an IP in subnet 2)
>
> Both OpenVPN instances use the login PAM module.
>
> In this setup I cannot prevent users for subnet 2 from connecting and
> authenticating successfully on OpenVPN instance 1.
>
> So, I would like to put the users for OpenVPN instance 1 in group
> OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
>
> Next, the OpenVPN daemon must be able to check a user for membership.
> If it is not a member, false is returned, and the OpenVPN
> authentication fails.
>
> Documentation for the openvpn_auth_pam is here.
Fred,
what you can do is to use different PAM service names (if OpenVPN allows you to do that). Create 2 services, openvpn1 and openvpn2, and then use HBAC to assign appropriate access control to those services for the OpenVPN concentrator.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
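The setup Simo sketches, written out as an added example (not part of either message in the thread, and not FreeIPA or OpenVPN project code): each OpenVPN instance loads the auth-pam plugin with its own PAM service name, each PAM service file authenticates through pam_sss so that SSSD enforces IPA HBAC in the account phase, and one HBAC rule per service grants the matching IPA group (OpenVPN1 / OpenVPN2 from Fred's message) access on the concentrator host. The plugin path, the host name vpn.example.com and the rule names allow_openvpn1 / allow_openvpn2 are assumptions; DESTDIR defaults to a scratch directory so the script only generates files and prints the ipa commands rather than changing a live system.

```shell
#!/bin/sh
# Added example: two OpenVPN instances, two PAM service names, two IPA HBAC rules.
# Nothing here touches /etc or the IPA server unless you set DESTDIR=/ and run
# the printed ipa commands yourself.
set -eu

# Where generated PAM files go (defaults to a scratch directory).
DESTDIR="${DESTDIR:-$(mktemp -d)}"
# Assumed plugin path; adjust to where your OpenVPN package installs it.
PLUGIN="${PLUGIN:-/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so}"
# Assumed FQDN of the OpenVPN concentrator as enrolled in IPA.
VPN_HOST="${VPN_HOST:-vpn.example.com}"

# Write /etc/pam.d/<service>. openvpn-auth-pam runs both the auth and the
# account stack; pam_sss evaluates IPA HBAC rules for this service name in
# the account stage, so a user outside the permitted group is rejected even
# with a correct password.
write_pam_service() {
    svc="$1"
    mkdir -p "$DESTDIR/etc/pam.d"
    cat > "$DESTDIR/etc/pam.d/$svc" <<EOF
#%PAM-1.0
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
}

# The server-side OpenVPN directive that binds one instance to one PAM service.
# The first plugin argument is the PAM service name.
openvpn_plugin_line() {
    printf 'plugin %s %s\n' "$PLUGIN" "$1"
}

# ipa(1) commands creating the HBAC service and a rule that lets one group
# use that service on the concentrator host only.
hbac_commands() {
    svc="$1"; group="$2"; host="$3"
    cat <<EOF
ipa hbacsvc-add $svc --desc="OpenVPN instance using PAM service $svc"
ipa hbacrule-add allow_$svc
ipa hbacrule-add-user allow_$svc --groups=$group
ipa hbacrule-add-host allow_$svc --hosts=$host
ipa hbacrule-add-service allow_$svc --hbacsvcs=$svc
EOF
}

main() {
    for i in 1 2; do
        write_pam_service "openvpn$i"
        echo "# add to the server config of OpenVPN instance $i:"
        openvpn_plugin_line "openvpn$i"
        echo "# run on an IPA admin host:"
        hbac_commands "openvpn$i" "OpenVPN$i" "$VPN_HOST"
        echo
    done
    # HBAC only restricts access once the default allow_all rule is off;
    # test the result for a user in OpenVPN2 against instance 1 before cutover.
    echo "ipa hbacrule-disable allow_all"
    echo "ipa hbactest --user=<subnet2-user> --host=$VPN_HOST --service=openvpn1"
    echo "PAM files written under $DESTDIR/etc/pam.d"
}

main "$@"
```

Two things to check after applying this for real: `ipa hbactest` should report the rule as not matched for a subnet 2 user against `openvpn1`, and `/var/log/secure` on the concentrator should show pam_sss denying the account stage for that user, which is the detection signal that the separation is actually enforced and not just configured.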