[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Lee Wiscovitch via FreeIPA-users
We use openvpn's "auth-user-pass-verify" option to call a perl script that 
queries PAM.


I can't provide all of it since it has sensitive/corporate information, 
but essentially OpenVPN will provide the password used during client 
negotiation as an environment variable, and the perl script sends that 
to PAM to be validated. Then, based on the results, the script will 
either end with a 0 (Good/Pass) or 1 (Bad/Fail). OpenVPN will 
automatically terminate the connection if the script ends with anything 
other than 0.


We ended up going this route because we also wanted to verify a TOTP token 
as well as the user/pass, and the perl script allows for that (we obtain 
the TOTP token by configuring the client ovpn to request 
"static-challenge", which is also provided to the script via environment 
variable).



On 12/06/2017 03:29 PM, Andrew Meyer via FreeIPA-users wrote:

I already had the line in there for the plugin.


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
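The flow Lee describes, as an added example in Python (not the Perl script from the post): in `auth-user-pass-verify <script> via-env` mode (which needs `script-security 3`) OpenVPN exports `username` and `password`, and with `static-challenge` the password variable carries `SCRV1:<base64 password>:<base64 response>`, which the script splits, checks, and answers with exit status 0 or 1. The `password_ok` and `lookup_secret` callables are assumptions standing in for the PAM call and for wherever the TOTP seed is stored.

```python
# Added example (Python, not Lee's Perl script): verify password + static-challenge TOTP.
import base64, hashlib, hmac, os, struct, sys, time

def split_static_challenge(field):
    """Return (password, otp). With `static-challenge` OpenVPN sends the
    password field as SCRV1:<b64 password>:<b64 response>; otherwise it is plain."""
    if not field.startswith("SCRV1:"):
        return field, None
    _, b64_pw, b64_otp = field.split(":", 2)
    return base64.b64decode(b64_pw).decode(), base64.b64decode(b64_otp).decode()

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, otp, at=None, skew=1):
    """Accept the current step and +/- `skew` neighbours; constant-time compare."""
    at = time.time() if at is None else at
    return otp is not None and any(
        hmac.compare_digest(totp(secret_b32, at + d * 30), otp)
        for d in range(-skew, skew + 1))

def authenticate(username, field, password_ok, lookup_secret, at=None):
    """Both factors must pass.  `password_ok(user, pw)` is the hypothetical hook
    where the real script asks PAM; `lookup_secret(user)` returns the user's
    base32 TOTP seed, or None for a user with no token, which is a deny."""
    password, otp = split_static_challenge(field)
    if not password_ok(username, password):
        return False
    secret = lookup_secret(username)
    return secret is not None and verify_totp(secret, otp, at)

if __name__ == "__main__":
    # OpenVPN (auth-user-pass-verify <script> via-env, script-security 3) sets
    # these two variables.  The two lambdas are constructed stand-ins: wire them
    # to PAM and to your token store.  Exit 0 = accept, anything else = reject.
    user, field = os.environ.get("username", ""), os.environ.get("password", "")
    ok = authenticate(user, field, password_ok=lambda u, p: False,
                      lookup_secret=lambda u: None)
    sys.exit(0 if ok else 1)
```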


[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
I already had the line in there for the plugin.

On Wednesday, December 6, 2017 2:28 PM, Andrew Meyer wrote:



I think I did see that while searching, but did not click on it.  I will now!
Thank you!




[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Andrew Meyer via FreeIPA-users
I think I did see that while searching, but did not click on it.  I will now!
Thank you!


On Wednesday, December 6, 2017 2:24 PM, Michael Plemmons via FreeIPA-users wrote:



Have you taken a look at this?

https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam




[Freeipa-users] Re: openvpn authenticating to freeipa

2017-12-06 Thread Michael Plemmons via FreeIPA-users
Have you taken a look at this?

https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam

That is a plugin we have on our OpenVPN server which is backed by FreeIPA.

In our OpenVPN server conf file we have a line that looks like this.

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn


(root)>ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 27 Dec 30  2016 /etc/pam.d/openvpn -> /etc/pam.d/password-auth-ac


The PAM module called 'openvpn' looks like this.  As you can see, openvpn is
a symlink.

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
# local accounts continue into pam_unix; anyone else skips it (default=1) and reaches pam_sss
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# pam_sss.so hands the password to SSSD, which is what authenticates against FreeIPA
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


That may help.





*Mike Plemmons | Senior DevOps Engineer | CrossChx*
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Wed, Dec 6, 2017 at 3:13 PM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
> I am trying to configure my openvpn setup to authenticate against
> FreeIPA.  I have OpenVPN configured and it is accepting connections.  The
> package for ldap_auth is installed and configured.  However, I have tried to
> set up anonymous ldap lookups and authenticated ldap lookups and neither
> seems to be working.  Every time I change the config to test, openvpn works
> just fine.  However, when I try to connect to the VPN it tells me that the
> LDAP bind failed w/ invalid credentials.  I have been combing through
> Google and found that a few people used pam in the past and still do
> today.  Is this the proper procedure for setting this up?
>
> Is there a similar pam module that I could copy/link?
>
> Thank you,
> Andrew
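A small checker for the setup Michael describes, added here as an example and not code from the thread: it parses a /etc/pam.d service file (the `openvpn` one, named on the plugin line and symlinked to password-auth-ac on his server) and confirms that the `auth` stack reaches pam_sss.so, the module that hands the password to SSSD and so to FreeIPA. The embedded sample is the auth section from his mail; the function names and the three checks are mine.

```python
# Added example, not code from the thread: parse a /etc/pam.d service file and
# confirm its auth stack reaches pam_sss.so (SSSD), the module that talks to IPA.
import os, shlex

# Auth section Michael posted (plus one `-session` line), embedded here as input.
SAMPLE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
-session    optional      pam_systemd.so
"""

def parse_pam(text):
    """Return [(type, control, module, args, skip_if_missing)] per rule, handling
    the leading `-` (skip silently if the .so is absent) and `[key=action ...]`."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):
            control, rest = rest[1:].split("]", 1)
            control = "[" + " ".join(control.split()) + "]"
        else:
            control, _, rest = rest.partition(" ")
        module, *args = shlex.split(rest)
        rules.append((mtype.lstrip("-"), control, module, args, mtype[0] == "-"))
    return rules

def audit_auth(rules):
    """Checks that matter for an IPA-backed VPN login: SSSD is consulted and the
    stack ends in pam_deny.so, so a user nothing else matched fails closed."""
    auth = [r for r in rules if r[0] == "auth"]
    sss = [r for r in auth if r[2] == "pam_sss.so"]
    return {"reaches_sssd": bool(sss),
            "fails_closed": bool(auth) and auth[-1][2] == "pam_deny.so",
            "forward_pass": any("forward_pass" in r[3] for r in sss)}

if __name__ == "__main__":
    path = "/etc/pam.d/openvpn"   # service name given on the plugin line
    print(path, "->", os.path.realpath(path))
    with open(path) as f:
        print(audit_auth(parse_pam(f.read())))
```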