On 04/01/2015 11:46 AM, Andrew Holway wrote:
Thanks Alexander.

What happens to the passwords? Are they hashed by Kerberos?

Yes. But stored in LDAP.


On 1 April 2015 at 15:14, Alexander Bokovoy <aboko...@redhat.com> wrote:

    On Wed, 01 Apr 2015, Andrew Holway wrote:

        Please could someone explain to me what is happening internally?

        In my head I have the following process....

        The openvpn pam module sends the username and password to pam.
        Pam passes this onto sssd
        sssd then does the kerberos thing
        kerberos passes the password to the LDAP

    KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
    binds to IPA LDAP to verify the password

        some LDAP module takes the password from the database, appends
        on the OTP
        and actually does the auth...

    Yes, the rest is correct.

    http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
    on "the Kerberos thing"




        On 1 April 2015 at 13:15, Andrew Holway <andrew.hol...@gmail.com> wrote:

                It is simple to configure OpenVPN with authentication
                against FreeIPA in Fedora 21, all the heavy lifting is
                done by SSSD:

            I have to say that this sssd / pam method is working very
            very well.

            I do however need to get my head around radius. Something
            for a rainy Sunday I think :).





                # grep plugin /etc/openvpn/server.conf
                plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

                # LANG=C ls -l /etc/pam.d/openvpn
                lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth

                # LANG=C ipa user-show vpnuser
                 User login: vpnuser
                 First name: VPN
                 Last name: TestUser
                 Home directory: /home/vpnuser
                 Login shell: /bin/sh
                 Email address: vpnu...@example.com
                 UID: 1792600005
                 GID: 1792600005
                 Account disabled: False
                 User authentication types: otp
                 Password: True
                 Member of groups: ipausers
                 Kerberos keys available: True

                Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
                Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
                Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
                Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
                Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
                Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
                Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
                Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
                Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
                Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'


                --
                / Alexander Bokovoy

                --
                Manage your subscription for the Freeipa-users mailing
                list:
                https://www.redhat.com/mailman/listinfo/freeipa-users
                Go to http://freeipa.org for more info on the project




-- / Alexander Bokovoy




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
