David, thanks a lot. It started working after doing the changes as per your
above suggestions.
On Fri, Jul 28, 2017 at 6:43 PM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:
> On 27/07/17 15:56, saidireddy ranabothu wrote:
> > Hello,
> >
> > Please can you help me integrate openvpn with FIPA SSSD?
>
> With FIPA, I presume you mean FreeIPA (as you also talk about SSSD).
> I've done a test setup which works quite well though; I even wanted to
> write a blog article about it - but never had the time for it yet. Most
> of this is from memory and has not been tested in a while, so
> subtle errors might be present.
>
> Basically you need to do:
>
> 1. Create an 'openvpn' service in FreeIPA.
> - In the webUI, go to "Policy" -> "Host Based Access Control" and
> choose "HBAC Services"
> - Click "+ Add", and put "openvpn" in the "Service name" field.
>
> 2. Create HBAC Rules for which users and hosts can use the
> OpenVPN service.
> - In the webUI, go to "Policy" -> "Host Based Access Control" and
> choose "HBAC Rules".
> - Click "+ Add" and put "openvpn_access" in the "Rule name" field
> and click on "Add and Edit".
> - Add users/user groups who may use the OpenVPN service (or choose
> "Anyone")
> - Add the OpenVPN servers under the "Accessing" block
> - Add the "openvpn" service in the "Via Service" block
>
> 3. Add the PAM service definition on the VPN servers
> - Create the file /etc/pam.d/openvpn ... it only needs to contain
> something like this:
>
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so otp_in_password
> auth required pam_deny.so
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> (Take those lines with a large pinch of salt, it can probably be
> further improved!)
>
> 4. Configure OpenVPN to use PAM authentication, using the openvpn
> PAM "module".
> - Add the following line to your OpenVPN configuration:
>
> plugin openvpn-plugin-auth-pam.so openvpn
>
>
> Normally these four steps should be enough.
>
>
> --
> kind regards,
>
> David Sommerseth
> OpenVPN Technologies, Inc
>
>
>
--
Thanks,
SaidiReddy
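A small configuration lint for steps 3 and 4 of the reply above, added here as an example; it is not code from the thread, from OpenVPN or from FreeIPA. It parses a pam.d service file, checks the properties a reviewer would want from an OpenVPN+SSSD stack (the auth phase ends in an explicit `required pam_deny.so` terminator, the uid gate runs before `pam_sss.so`, and the account phase consults `pam_sss.so`, which is where SSSD evaluates HBAC rules), and confirms that the OpenVPN config passes the same PAM service name to `openvpn-plugin-auth-pam.so`. The PAM stacks and OpenVPN fragment are constructed samples; the "weak" stack and the finding texts are my assumptions about what is worth flagging, not anything the reply states.

```python
"""Lint an /etc/pam.d/openvpn stack and the matching OpenVPN plugin line.

Added example, not part of the mailing-list thread. The sample inputs are
constructed; the check logic is an assumption about what a reviewer of this
setup wants verified before exposing the VPN.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the stack suggested in the reply.
PAM_OPENVPN_OK = """\
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so otp_in_password
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""

# Constructed weak variant: no explicit deny terminator in the auth phase and
# an account phase that never asks SSSD, so FreeIPA HBAC rules are not applied.
PAM_OPENVPN_WEAK = """\
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so otp_in_password
account required pam_permit.so
"""

# Constructed OpenVPN server fragment with the plugin line from step 4.
OVPN_SERVER_CONF = """\
port 1194
proto udp
dev tun
plugin openvpn-plugin-auth-pam.so openvpn
"""


@dataclass
class PamLine:
    phase: str            # auth / account / password / session
    control: str          # simple keyword or bracketed [..] control
    module: str           # e.g. pam_sss.so
    args: list = field(default_factory=list)


_LINE = re.compile(
    r"^(?P<phase>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text):
    """Parse a pam.d service file into PamLine records, skipping comments."""
    out = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        m = _LINE.match(s)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        out.append(PamLine(m["phase"], m["control"], m["module"], m["args"].split()))
    return out


def lint_pam_stack(text):
    """Return a list of findings; an empty list means the stack looks sane."""
    findings = []
    stack = parse_pam(text)
    auth = [ln for ln in stack if ln.phase == "auth"]
    account = [ln for ln in stack if ln.phase == "account"]
    if not auth:
        findings.append("no auth lines at all")
    else:
        last = auth[-1]
        if not (last.module == "pam_deny.so" and last.control == "required"):
            findings.append("auth phase lacks an explicit 'required pam_deny.so' terminator")
        mods = [ln.module for ln in auth]
        if "pam_sss.so" not in mods:
            findings.append("auth phase never consults pam_sss.so (SSSD/FreeIPA unused)")
        elif "pam_succeed_if.so" in mods and mods.index("pam_succeed_if.so") > mods.index("pam_sss.so"):
            findings.append("pam_succeed_if.so uid gate should run before pam_sss.so")
    if not any(ln.module == "pam_sss.so" for ln in account):
        findings.append("account phase never consults pam_sss.so, so HBAC rules are not enforced")
    return findings


def pam_service_for_openvpn(conf):
    """Return the PAM service name given to openvpn-plugin-auth-pam.so, or None."""
    for raw in conf.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[0] == "plugin" and parts[1].endswith("openvpn-plugin-auth-pam.so"):
            # The argument may be quoted ("openvpn login USERNAME password PASSWORD").
            return parts[2].strip('"').strip("'")
    return None


def check_deployment(pam_text, ovpn_conf, pam_service="openvpn"):
    """Combine both checks: stack findings plus a service-name mismatch, if any."""
    findings = lint_pam_stack(pam_text)
    svc = pam_service_for_openvpn(ovpn_conf)
    if svc != pam_service:
        findings.append(f"OpenVPN plugin line uses PAM service {svc!r}, expected {pam_service!r}")
    return findings


if __name__ == "__main__":
    for name, pam in (("ok", PAM_OPENVPN_OK), ("weak", PAM_OPENVPN_WEAK)):
        print(name, check_deployment(pam, OVPN_SERVER_CONF) or "no findings")
```

Run it against the real files with `check_deployment(open("/etc/pam.d/openvpn").read(), open("/etc/openvpn/server.conf").read())`; the service name must match on both sides, because the plugin's argument selects which pam.d file is used.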
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users