Fred,

I suggest you copy the 'login' file into 2 new files: openvpn1 and openvpn2.
Then configure the two instances with: plugin openvpn_auth_pam openvpn1 and
plugin openvpn_auth_pam openvpn2 respectively. Then you can create HBAC rules
in IPA using openvpn1 and openvpn2 as service names.

Simo.

On Fri, 2012-10-05 at 20:58 +0200, Fred van Zwieten wrote:
> Dmitri,
>
> Well, this is, sort of, the point. I have no experience using pam, so
> I have no idea how to set this up.
>
> I have authentication up and running, but, like I said, both OpenVPN
> instances happily authenticate users from both groups of users.
>
> In my openvpn config file I have:
>
>     plugin openvpn_auth_pam login
>
> where login is the /etc/pam.d/login file. I have not adjusted this
> file. This is the standard file for an IPA client.
>
> So, my idea was to do this in the openvpn config file:
>
>     plugin openvpn_auth_pam login (can the user authenticate y/n?)
>     plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is
>     the user a member of OPENVPN1 y/n?)
>
> plugin openvpn_auth_pam is afaik the only way to get OpenVPN to
> authenticate against IPA. I am not sure how this could be set up to
> work with HBAC..
>
> Fred
>
> On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal <d...@redhat.com> wrote:
> > On 10/05/2012 02:13 PM, Fred van Zwieten wrote:
> > > You are completely right :-)
> > >
> > > Both IPA server and client are RHEL6.3 x86_64 boxes.
> > >
> > > On the OpenVPN server (which is an IPA client), I have 2
> > > OpenVPN instances running, because different users must end
> > > up in different subnets.
> > >
> > > OpenVPN instance 1 listens on port 50000
> > > OpenVPN instance 2 listens on port 50001
> > >
> > > Users for subnet 1 must connect and authenticate on instance
> > > 1 (and get an IP in subnet 1)
> > > Users for subnet 2 must connect and authenticate on instance
> > > 2 (and get an IP in subnet 2)
> > >
> > > Both OpenVPN instances use the login pam module.
> > >
> > > In this setup I can not prevent users for subnet 2 from
> > > connecting and authenticating successfully on OpenVPN instance 1.
> > >
> > > So, I would like to put the users for OpenVPN instance 1 in
> > > group OpenVPN1 and users for OpenVPN instance 2 in group
> > > OpenVPN2 on IPA.
> > >
> > > Next, the OpenVPN daemon must be able to check a user for
> > > membership. If it is not a member, false is returned, and
> > > the OpenVPN authentication fails.
> > >
> > > Documentation for the openvpn_auth_pam is here.
> >
> > OK, makes sense.
> > What does your pam configuration look like?
> > Especially the account part? What modules do you have there?
> > Can it be that the PAM module you are using is expecting some value
> > that needs to be configured in the openvpn_auth_pam config?
> >
> > > Fred
> > >
> > > On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <d...@redhat.com> wrote:
> > > > On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
> > > > > Hello,
> > > > >
> > > > > I have an IPA server running. This server has users
> > > > > who are members of various groups. I want to query
> > > > > the IPA server from an IPA client to know whether
> > > > > a user is a member of a group.
> > > > >
> > > > > I want to do this from the OpenVPN service using
> > > > > the openvpn_auth_pam.so. Normally one uses this
> > > > > like this:
> > > > >
> > > > >     openvpn_auth_pam.so login
> > > > >
> > > > > This queries the PAM login (and thus IPA) whether the
> > > > > username/password from openvpn is valid. The
> > > > > "login" is /etc/pam.d/login. OpenVPN docs say you
> > > > > could use other modules instead of login.
> > > > >
> > > > > So, I would like to add the next line:
> > > > >
> > > > >     openvpn_auth_pam.so group <username> "openvpn"
> > > > >
> > > > > Where a /etc/pam.d/group file would check whether
> > > > > the user is a member of the group "openvpn". If not,
> > > > > false is returned and the login attempt (thru
> > > > > openvpn) fails.
> > > > >
> > > > > Is this possible? If not, is there a better way?
> > > > >
> > > > > Fred
> > > >
> > > > Can you step up from the implementation and explain
> > > > what you want to accomplish?
> > > > It seems that you want to use OpenVPN and do some
> > > > access control checks when a user connects to OpenVPN.
> > > > Right?
> > > > If you can describe the flow of operations we might
> > > > be able to guide you to the right solution.
> > > >
> > > > Also it would be nice to understand what OS OpenVPN is
> > > > running on.
> > > >
> > > > > _______________________________________________
> > > > > Freeipa-users mailing list
> > > > > Freeipa-users@redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > >
> > > > --
> > > > Thank you,
> > > > Dmitri Pal
> > > >
> > > > Sr. Engineering Manager for IdM portfolio
> > > > Red Hat Inc.
> > > >
> > > > -------------------------------
> > > > Looking to carve out IT costs?
> > > > www.redhat.com/carveoutcosts/

--
Simo Sorce * Red Hat, Inc * New York
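Simo's suggestion (copy the login stack to per-instance PAM service names, then use those names in HBAC rules) worked through as an added example that is not code from the thread or from FreeIPA itself; VPN_HOST, the rule names, the user group names and the APPLY switch are assumptions, and the IPA commands are printed for review rather than executed:

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders/assumptions: PAM_DIR
# is the PAM config directory, VPN_HOST is the enrolled OpenVPN host, and the
# plugin is referenced exactly as in the thread's config line.
set -eu
PAM_DIR="${PAM_DIR:-/etc/pam.d}"
VPN_HOST="${VPN_HOST:-vpn.example.test}"

# 1. Give each OpenVPN instance its own PAM service name by copying the
#    'login' stack. pam_sss (reached via the included system-auth stack)
#    sends that service name to SSSD, which evaluates the IPA HBAC rules
#    in the account phase, so the two instances become distinguishable.
make_pam_service() {            # $1 = new PAM service name
    cp "$PAM_DIR/login" "$PAM_DIR/$1"
    chmod 0644 "$PAM_DIR/$1"
}

# 2. The line that replaces 'plugin openvpn_auth_pam login' in the
#    instance's openvpn config file.
plugin_line() {                 # $1 = PAM service name
    printf 'plugin openvpn_auth_pam %s\n' "$1"
}

# 3. IPA side: register the service name as an HBAC service and allow only
#    one user group to reach it on the VPN host. Printed, not run, so it
#    can be reviewed; pipe into sh after 'kinit admin'.
hbac_commands() {               # $1 = PAM service name, $2 = IPA user group
    cat <<EOF
ipa hbacsvc-add $1
ipa hbacrule-add allow_$1 --desc="OpenVPN instance via PAM service $1"
ipa hbacrule-add-service allow_$1 --hbacsvcs=$1
ipa hbacrule-add-user allow_$1 --groups=$2
ipa hbacrule-add-host allow_$1 --hosts=$VPN_HOST
EOF
}

# 4. Caveat: IPA ships with an enabled allow_all rule; while it stays on,
#    every user passes HBAC for every service and the rules above change
#    nothing. Disable it, then simulate a user before trusting the setup.
hbac_finish() {                 # $1 = user to simulate, $2 = PAM service name
    cat <<EOF
ipa hbacrule-disable allow_all
ipa hbactest --user=$1 --host=$VPN_HOST --service=$2
EOF
}

if [ "${APPLY:-0}" = 1 ]; then  # side effects only when explicitly requested
    make_pam_service openvpn1; make_pam_service openvpn2
    hbac_commands openvpn1 OPENVPN1; hbac_commands openvpn2 OPENVPN2
    hbac_finish someuser openvpn1
fi
```

Run with APPLY=1 on the OpenVPN host as root to create the PAM files; the printed ipa commands are then run on any enrolled client with an admin ticket.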