Hi, I have a VPN server (devuan 4) connecting to my ldap server (devuan 4) using libpam-ldapd, so it's running nslcd and using libpam-ldapd for the pam_ldap implementation. This is all working successfully and I am using the 'pam_authz_search' option in /etc/nslcd.conf to control which users are allowed to login to the server via console and ssh.
    # pam_authz_search in /etc/nslcd.conf
    pam_authz_search (&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(&(host=\\*)(!(|(host=!$hostname)(host=!$fqdn))))))

My problem is that I am setting up OpenVPN on this server and attempting to use openvpn-plugin-auth-pam.so, provided by the openvpn package, to do the VPN username/password and TOTP authentication.

    # /etc/openvpn/myserver.conf
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

While the 'pam_authz_search' option in nslcd.conf is working to restrict users logging in directly to the server, it is also preventing users from authenticating to the openvpn PAM service. The openvpn PAM service is defined as:

    # /etc/pam.d/openvpn
    auth requisite pam_ldap.so minimum_uid=1000
    # will be adding pam_google_authenticator.so at a later time here

If I remove the 'pam_authz_search' option from nslcd.conf then the OpenVPN users can authenticate successfully. Is there a different configuration I can set up to control which users can log in to the console/ssh via LDAP host attributes, but also allow different users to authenticate to the openvpn PAM service via an LDAP group membership?

Surprisingly, if I have the 'pam_authz_search' option enabled in nslcd.conf, I can still run `pamtester openvpn myvpnuser authenticate` and it authenticates successfully without getting denied. I'm not sure why that should succeed. Is pamtester bypassing nslcd?

-- 
Tom
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
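One way to express both rules in a single filter, as an added example that is not from Tom's post: nslcd also substitutes $service (the PAM service name) into pam_authz_search, so a per-user authorizedService attribute can grant the openvpn service without granting console/ssh, while the host branch from the post is kept as-is. It assumes the ldapns.schema (authorizedServiceObject / authorizedService) is loaded on the LDAP server; the DN, suffix and user name below are constructed placeholders.

```conf
# /etc/nslcd.conf (added example, not from the post)
#
# Access is granted when the user's own entry matches. The host branch
# is unchanged from the post. The extra branch (authorizedService=$service)
# becomes (authorizedService=openvpn) when the openvpn PAM service asks,
# and (authorizedService=sshd) etc. for other services, so a user carrying
# only authorizedService: openvpn matches for the VPN and nothing else.
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(authorizedService=$service)(host=$hostname)(host=$fqdn)(&(host=\\*)(!(|(host=!$hostname)(host=!$fqdn))))))

# Matching user entry (constructed LDIF; requires the authorizedServiceObject
# auxiliary class from ldapns.schema). This user has no host attribute, so the
# host branch never matches and only the openvpn service is authorised.
#
# dn: uid=vpnonlyuser,ou=people,dc=example,dc=org
# objectClass: inetOrgPerson
# objectClass: posixAccount
# objectClass: authorizedServiceObject
# uid: vpnonlyuser
# authorizedService: openvpn

# Check the decision without going through PAM: substitute the values nslcd
# would use and run the same filter with ldapsearch (expect exactly one entry
# for service "openvpn", none for "sshd").
#   ldapsearch -x -b dc=example,dc=org \
#     '(&(objectClass=posixAccount)(uid=vpnonlyuser)(|(authorizedService=openvpn)(host=vpnhost)(host=vpnhost.example.org)(&(host=\\*)(!(|(host=!vpnhost)(host=!vpnhost.example.org))))))' dn
```

The filter is evaluated against the user's own entry, so a group-based variant needs the membership visible there (for example via a memberOf overlay) and still needs a service test of this kind to keep VPN-only users off the console. Users matched by the host branch remain authorised for every PAM service on that host, openvpn included.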