Dmitri,

Well, this is, sort of, the point. I have no experience using PAM, so I have no idea how to set this up.

I have authentication up and running, but, like I said, both OpenVPN instances happily authenticate users from both groups of users. In my openvpn config file I have:

plugin openvpn_auth_pam login

where login is the /etc/pam.d/login file. I have not adjusted this file. This is the standard file for an IPA client.

So, my idea was to do this in the openvpn config file:

plugin openvpn_auth_pam login (can the user authenticate y/n?)
plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is the user a member of OPENVPN1 y/n?)

plugin openvpn_auth_pam is afaik the only way to get OpenVPN to authenticate against IPA. I am not sure how this could be set up to work with HBAC..

Fred

On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 10/05/2012 02:13 PM, Fred van Zwieten wrote:
>
> You are completely right :-)
>
> Both IPA server and client are RHEL6.3 x86_64 boxes.
>
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances running, because different users must end up in different subnets.
>
> OpenVPN instance 1 listens on port 50000
> OpenVPN instance 2 listens on port 50001
>
> Users for subnet 1 must connect and authenticate on instance 1 (and get an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and get an IP in subnet 2)
>
> Both OpenVPN instances use the login PAM module.
>
> In this setup I can not prevent users for subnet 2 to connect and authenticate successfully on OpenVPN instance 1.
>
> So, I would like to put the users for OpenVPN instance 1 in group OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
>
> Next, the OpenVPN daemon must be able to check a user for membership. If it is not a member, false is returned, and the OpenVPN authentication fails.
>
> Documentation for the openvpn_auth_pam is here <https://community.openvpn.net/openvpn/browser/plugin/auth-pam/README?rev=6cfada268122fe54ce6d211d96c744e91d41248c>.
>
>
> OK, makes sense.
> What does your PAM configuration look like?
> Especially the accounting part? What modules do you have there?
> Can it be that the PAM module you are using is expecting some value that needs to be configured in the openvpn_auth_pam config?
>
> Fred
>
>
> On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>> On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
>>
>> Hello,
>>
>> I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to know whether a user is a member of a group.
>>
>> I want to do this from the OpenVPN service using the openvpn_auth_pam.so. Normally one uses this like this:
>>
>> openvpn_auth_pam.so login
>>
>> This queries the PAM login (and thus IPA) whether the username/password from openvpn is valid. The "login" is /etc/pam.d/login. OpenVPN docs say you could use other modules instead of login.
>>
>> So, I would like to add the next line:
>>
>> openvpn_auth_pam.so group <username> "openvpn"
>>
>> Where a /etc/pam.d/group file would check whether the user is a member of the group "openvpn". If not, false is returned and the login attempt (through openvpn) fails.
>>
>> Is this possible? If not, is there a better way?
>>
>> Fred
>>
>>
>> Can you step up from the implementation and explain what you want to accomplish?
>> It seems that you want to use OpenVPN and do some access control checks when a user connects to OpenVPN. Right?
>> If you can describe the flow of operations we might be able to guide you to the right solution.
>>
>> Also it would be nice to understand what OS OpenVPN is running on.
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users
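One way to get the per-instance group check Fred is asking about, as an added example that is not from this thread or from the OpenVPN/FreeIPA projects: give each OpenVPN instance its own PAM service file instead of reusing login, and put a pam_succeed_if group test in front of the normal IPA client stack. The service name openvpn-instance1, the IPA group name openvpn1 and the plugin path are assumptions; pam_succeed_if and its "user ingroup" test are standard Linux-PAM, and system-auth is the stack the IPA client installer configures on RHEL 6 (it contains pam_sss, which does the actual IPA authentication).

```text
# /etc/pam.d/openvpn-instance1   (added example; service name, group name
# and plugin path below are assumptions, not from the thread)
#
# 1. Gate: only members of the IPA POSIX group "openvpn1" get past this line.
#    "requisite" fails the whole auth stack immediately, so the password of a
#    user who is not in the group is never sent to the directory at all.
#    pam_succeed_if resolves the group through NSS (SSSD on an IPA client),
#    so "id <user>" on the VPN host must already show the group; failures are
#    logged to syslog/secure, which is what you want to alert on.
auth     requisite   pam_succeed_if.so user ingroup openvpn1
# 2. Normal IPA client authentication (pam_sss via system-auth).
auth     include     system-auth
# 3. Repeat the gate in the account phase, because that is the phase the
#    auth-pam plugin uses for authorization and where HBAC is enforced.
account  required    pam_succeed_if.so user ingroup openvpn1
account  include     system-auth

# In the server config of OpenVPN instance 1 (port 50000), the second
# argument to the plugin is the PAM service name above. The plugin path is
# an assumption for an RHEL 6 / EPEL build; check the location on your host.
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn-instance1
```

Instance 2 gets a parallel /etc/pam.d/openvpn-instance2 that tests ingroup openvpn2 and is referenced from the second server config, so a user in only openvpn2 is refused by instance 1 before any credential is checked. Because each instance now reports its own PAM service name, the same split can also be expressed server-side as an IPA HBAC service of that name and an HBAC rule granting it to the right group, enforced by pam_sss in the account phase; that keeps the policy in IPA rather than on the VPN host, and the two approaches can be combined.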