Hang on..I don't see how this can work (I haven't tried it btw).

If I simply copy login to openvpn1 and call openvpn_auth_pam with that file
as a parameter, how can it magically know to query IPA for the openvpn1
service as opposed to username/password? Must I not change the openvpn1
file to have it check for the service?

Fred

>
>
> On Fri, Oct 5, 2012 at 9:09 PM, Simo Sorce <s...@redhat.com> wrote:
>
>>
>> Fred I suggest you copy the 'login' file into 2 new files: openvpn1 and
>> openvn2
>>
>> Then configure the two instance instance with:
>> plugin openvpn_auth_pam openvpn1
>> and
>> plugin openvpn_auth_pam openvpn2
>> respectively.
>>
>> Then you can create HBAC rules in IPA using openvpn1 and openvon2 as
>> service names.
>>
>> Simo.
>>
>> On Fri, 2012-10-05 at 20:58 +0200, Fred van Zwieten wrote:
>> > Dmitri,
>> >
>> >
>> > Well, this is, sort of, the point. I have no experience using pam, so
>> > I have no idea how to set this up.
>> >
>> >
>> > I have authentication up and running, but, like I said, both OpenVPN
>> > instances happily authenticate users from both groups of users.
>> >
>> >
>> > In my openvpn config file i have:
>> >
>> >
>> > plugin openvpn_auth_pam login
>> >
>> >
>> > where login is the /etc/pam.d/login file. I have not adjusted this
>> > file. This is standard file for IPA client.
>> >
>> >
>> > So, my idea was to do this in openvpn config file:
>> >
>> >
>> > plugin openvpn_auth_pam login (can the user authenticate y/n?)
>> > plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is
>> > the user member op OPENVPN1 y/n?)
>> >
>> >
>> > plugin openvpn_auth_pam is afaik the only way to get OpenVPN to
>> > authenticate against IPA. I am not sure how this could be setup to
>> > work with HBAC..
>> >
>> >
>> > Fred
>> >
>> >
>> > On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal <d...@redhat.com> wrote:
>> >         On 10/05/2012 02:13 PM, Fred van Zwieten wrote:
>> >         > You are completely right :-)
>> >         >
>> >         >
>> >         > Both IPA server and client are RHEL6.3 x86_64 boxes.
>> >         >
>> >         >
>> >         > On the OpenVPN server (which is an IPA client), I have 2
>> >         > OpenVPN instances running, because different users must end
>> >         > up in different subnet's
>> >         >
>> >         >
>> >         > OpenVPN instance 1 listens on port 50000
>> >         > OpenVPN instance 2 listens on port 50001
>> >         >
>> >         >
>> >         > Users for subnet 1 must connect and authenticate on instance
>> >         > 1 (and get an IP in subnet 1)
>> >         > Users for subnet 2 must connect and authenticate on instance
>> >         > 2 (and get an IP in subnet 2)
>> >         >
>> >         >
>> >         > Both OpenVPN instances use the login pam module.
>> >         >
>> >         >
>> >         > In this setup I can not prevent users for subnet 2 to
>> >         > connect and authenticate successfully on OpenVPN instance 1.
>> >         >
>> >         >
>> >         > So, I would like to put the users for OpenVPN instance 1 in
>> >         > group OpenVPN1 en users for OpenVPN instance 2 in group
>> >         > OpenVPN2 on IPA.
>> >         >
>> >         >
>> >         > Next, the OpenVPN daemon must be able to check a user for
>> >         > membership. Is it is not a member, false is returned, and
>> >         > the OpenVMN authentication fails.
>> >         >
>> >         >
>> >         > Documentation for the openvpn_auth_pam is here.
>> >         >
>> >         >
>> >
>> >
>> >         OK, makes sense.
>> >         How does you pam configuration look like?
>> >         Especially the accounting part? What modules do you have
>> >         there?
>> >         Can it be PAM module you are using expecting some value that
>> >         need to be configured in openvpn_auth_pam config?
>> >
>> >         > Fred
>> >         >
>> >         >
>> >         > On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <d...@redhat.com>
>> >         > wrote:
>> >         >         On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
>> >         >         > Hello,
>> >         >         >
>> >         >         >
>> >         >         > I have a IPA server running. This server has users
>> >         >         > who are member to various groups. I want to query
>> >         >         > the IPA server from an IPA client to know whether
>> >         >         > a user is a member to a group.
>> >         >         >
>> >         >         >
>> >         >         > I want to do this from the OpenVPN service using
>> >         >         > the openvpn_auth_pam.so. Normally one uses this
>> >         >         > like this:
>> >         >         >
>> >         >         >
>> >         >         > openvpn_auth_pam.so login
>> >         >         >
>> >         >         >
>> >         >         > This queries the PAM login (and thus IPA) is the
>> >         >         > username/password from openvpn is valid. the
>> >         >         > "login" is /etc/pam.d/login. OpenVPN docs say you
>> >         >         > could use other modules instead of login.
>> >         >         >
>> >         >         >
>> >         >         > So, I would like to add the next line:
>> >         >         >
>> >         >         >
>> >         >         > openvpn_auth_pam.so group <username> "openvpn"
>> >         >         >
>> >         >         >
>> >         >         > Where a /etc/pam.d/group file would check whether
>> >         >         > the user is member of the group "openvpn". If not,
>> >         >         > false is returned and the login attempt (thru
>> >         >         > openvpn) fails.
>> >         >         >
>> >         >         >
>> >         >         > Is this possible? If not is there a better way?
>> >         >         >
>> >         >         >
>> >         >         > Fred
>> >         >
>> >         >
>> >         >
>> >         >         Can you step up from the implementation and explain
>> >         >         what you want to accomplish?
>> >         >         It seems that you want to use OpenVPN and do some
>> >         >         access control checks when user connects to OpenVPN.
>> >         >         Right?
>> >         >         If you can describe the flow of operations we might
>> >         >         be able guide you to the right solution.
>> >         >
>> >         >         Also would be nice to understand what OS OpenVPN is
>> >         >         running on.
>> >         >
>> >         >         >
>> >         >         >
>> >         >         >
>> >         >         >
>> >         >         > _______________________________________________
>> >         >         > Freeipa-users mailing list
>> >         >         > Freeipa-users@redhat.com
>> >         >         >
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >         >
>> >         >
>> >         >         --
>> >         >         Thank you,
>> >         >         Dmitri Pal
>> >         >
>> >         >         Sr. Engineering Manager for IdM portfolio
>> >         >         Red Hat Inc.
>> >         >
>> >         >
>> >         >         -------------------------------
>> >         >         Looking to carve out IT costs?
>> >         >         www.redhat.com/carveoutcosts/
>> >         >
>> >         >
>> >         >
>> >         >
>> >         >
>> >         >
>> >         > _______________________________________________
>> >         > Freeipa-users mailing list
>> >         > Freeipa-users@redhat.com
>> >         > https://www.redhat.com/mailman/listinfo/freeipa-users
>> >
>> >
>> >         --
>> >         Thank you,
>> >         Dmitri Pal
>> >
>> >         Sr. Engineering Manager for IdM portfolio
>> >         Red Hat Inc.
>> >
>> >
>> >         -------------------------------
>> >         Looking to carve out IT costs?
>> >         www.redhat.com/carveoutcosts/
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Freeipa-users mailing list
>> > Freeipa-users@redhat.com
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to