On 27/07/17 15:56, saidireddy ranabothu wrote:
> Hello,
> 
> Please can help me how to integrate openvpn with FIPA SSSD?

With FIPA, I presume you mean FreeIPA (as you also talk about SSSD).
I've done a test setup which works quite well though; I even wanted to
write a blog article about it - but never had the time for it yet.  Most
of this is taken from memory and has not been tested in a while, so
subtle errors might be present.

Basically you need to do:

1.  Create an 'openvpn' service in FreeIPA.
    - In the webUI, go to "Policy" -> "Host Based Access Control" and
      choose "HBAC Services"
    - Click "+ Add", and put "openvpn" in the "Service name" field.

2.  Create HBAC Rules defining which users and hosts can use the
    OpenVPN service.
    - In the webUI, go to "Policy" -> "Host Based Access Control" and
      choose "HBAC Rules".
    - Click "+ Add" and put "openvpn_access" in the "Rule name" field
      and click on "Add and Edit".
    - Add users/user groups who may use the OpenVPN service (or choose
      "Anyone")
    - Add the OpenVPN servers under the "Accessing" block
    - Add the "openvpn" service in the "Via Service" block

3.  Add the PAM service definition on the VPN servers
    - Create the file /etc/pam.d/openvpn ... it only needs to contain
      something like this:

   auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
   auth        sufficient    pam_sss.so otp_in_password
   auth        required      pam_deny.so
   account     [default=bad success=ok user_unknown=ignore] pam_sss.so
   account     required      pam_permit.so

      (Take those lines with a large pinch of salt, it can probably be
       further improved!)

4.  Configure OpenVPN to use PAM authentication, using the openvpn
    PAM "module".
    - Add the following line to your OpenVPN configuration:

   plugin openvpn-plugin-auth-pam.so openvpn


Normally these four steps should be enough.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
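The four steps above, as an added example that is not part of the original message: the same FreeIPA HBAC service and rule created with the ipa CLI instead of the web UI, the PAM stack written to /etc/pam.d/openvpn, the plugin line appended to the OpenVPN server config, and an 'ipa hbactest' check of the resulting rule. The rule name openvpn_access comes from the message; the group vpn-users, the host vpn1.example.test and the config path /etc/openvpn/server.conf are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): the four steps via the ipa CLI.
set -eu
RULE_NAME="openvpn_access"      # rule name from the message
VPN_GROUP="vpn-users"           # assumed IPA group allowed to use the VPN
VPN_HOST="vpn1.example.test"    # assumed FQDN of the OpenVPN server (an IPA client)

# Steps 1 and 2: HBAC service plus a rule binding users, hosts and that service.
# Needs an admin Kerberos ticket (kinit admin) on an IPA-enrolled host.
ipa_hbac_setup() {
    ipa hbacsvc-add openvpn --desc="OpenVPN PAM authentication" || true  # ok if it exists
    ipa hbacrule-add "$RULE_NAME" --desc="Who may log in via OpenVPN" || true
    ipa hbacrule-add-user "$RULE_NAME" --groups="$VPN_GROUP"
    ipa hbacrule-add-host "$RULE_NAME" --hosts="$VPN_HOST"
    ipa hbacrule-add-service "$RULE_NAME" --hbacsvcs=openvpn
}

# Ask the IPA server whether SSSD would allow user $1 through the openvpn
# service, before touching the VPN host at all.
hbac_check() {
    ipa hbactest --user="$1" --host="$VPN_HOST" --service=openvpn
}

# Step 3: the PAM stack from the message, kept in one function so it can be
# reviewed and tested before it reaches /etc/pam.d.
openvpn_pam_stack() {
    cat <<'EOF'
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so otp_in_password
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF
}
install_pam_service() {   # $1 = destination path (default /etc/pam.d/openvpn)
    openvpn_pam_stack > "${1:-/etc/pam.d/openvpn}"
    chmod 0644 "${1:-/etc/pam.d/openvpn}"
}

# Step 4: append the plugin line exactly once; some distributions need the full
# path to openvpn-plugin-auth-pam.so here instead of the bare file name.
enable_openvpn_pam_plugin() {   # $1 = OpenVPN server config path
    line="plugin openvpn-plugin-auth-pam.so openvpn"
    grep -qxF "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

case "${1:-}" in
    apply) ipa_hbac_setup; install_pam_service; enable_openvpn_pam_plugin /etc/openvpn/server.conf ;;
    check) hbac_check "$2" ;;
esac
```

Run it with `apply` on the enrolled VPN server while holding an admin ticket, then `check <user>` to confirm the HBAC rule matches before restarting OpenVPN.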

