Doesn't really address the core issue, but wanted to chime in that we
ended up having to manually configure our Debian 8 instances to work
with our RHEL IPA servers.
We use Ansible to automate the entire process; the playbook contents
below should be descriptive enough to know what is being
We use OpenVPN's "auth-user-pass-verify" option to call a Perl script
that queries PAM.
I can't provide all of it since it has sensitive/corporate information,
but essentially OpenVPN will provide the password used during client
negotiation as an environment variable, and the Perl script sends
Yup, we do it on several of our web servers... It's actually really cut
and dry; that last section of that page you referenced is accurate and
it's dead simple.
On 08/11/2017 03:01 PM, William Muriithi via FreeIPA-users wrote:
Afternoon,
I am attempting to add redundancy to a system that we
We run almost the exact same setup... which is sufficient, but not as
great as it could be (basically the password changing issues you've
noted). We've also noticed that a single bad login attempt gets counted
multiple times on the IPA server, so you can get locked accounts quicker
than