Re: [Freeipa-users] Keep Samba password in sync with userpassword and kerberos password

2012-10-05 Thread Simo Sorce
On Mon, 2012-10-01 at 17:03 -0400, Qing Chang wrote:
> In a thread on Freeipa-devel titled "freeIPA as a samba backend" there
> is a statement as below:
> =
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords.  
> 389 cannot do this - the functionality that does this is provided by
> an IPA password plugin.  Openldap has a similar plugin, but I 
> think it is "contrib" and not "officially supported".
> ==
> 
> Can someone please point me to where I can find this plugin and
> configured it to keep all passwords listed above in sync?

The plugin is automatically enabled in IPA, it is the only way to change
passwords.

> I am unable to find detailed information on password plugin in IPA 2.2
> doc. 
> 
> My intention is to provide my Windows users (accounts on IPA server)
> IPA web interface only for changing their password. 

If you need to write a tool to change passwords keep in mind you can use
ldappasswd and pass it the old/new user password.

> I am using Samba 3.0.23d as a standalone server because this is a last
> version that does not check for SIDs strictly...
> 
More recent versions of samba can also use the ldappasswd method.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] saslauthd on freeipa machine

2012-10-05 Thread Dmitri Pal
On 10/05/2012 12:16 PM, Stephen Ingram wrote:
> As I typically have saslauthd use kerberos to authenticate users I
> really haven't had the occasion to try before. Since freeipa machines
> use SSSD to help manage users on the system, I thought that saslauthd
> should be able to authenticate users against PAM as well. Unless I
> have somehow misconfigured, this seems not to be the case as each time
> I get:
>
> saslauthd[7342] :do_auth : auth failure: [user=nancy]
> [service=smtp] [realm=] [mech=pam] [reason=PAM acct error]
>
> According to the logs on the freeipa machine, the auth is correct and
> the ticket is issued. Is there some additional client configuration
> required to make this work since SSSD now involved?
This seems relevant:
http://www.howtoforge.com/forums/showthread.php?t=24538


> Steve
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





[Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Hello,

I have an IPA server running. This server has users who are members of
various groups. I want to query the IPA server from an IPA client to know
whether a user is a member of a group.

I want to do this from the OpenVPN service using the openvpn_auth_pam.so.
Normally one uses this like this:

openvpn_auth_pam.so login

This queries the PAM login service (and thus IPA) to check whether the
username/password from openvpn is valid. The "login" is /etc/pam.d/login.
OpenVPN docs say you could use other modules instead of login.

So, I would like to add the next line:

openvpn_auth_pam.so group  "openvpn"

Where a /etc/pam.d/group file would check whether the user is a member of
the group "openvpn". If not, false is returned and the login attempt (through
openvpn) fails.

Is this possible? If not is there a better way?

Fred

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Dmitri Pal
On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
> Hello,
>
> I have an IPA server running. This server has users who are members of
> various groups. I want to query the IPA server from an IPA client to
> know whether a user is a member of a group.
>
> I want to do this from the OpenVPN service using the
> openvpn_auth_pam.so. Normally one uses this like this:
>
> openvpn_auth_pam.so login
>
> This queries the PAM login service (and thus IPA) to check whether the
> username/password from openvpn is valid. The "login" is /etc/pam.d/login.
> OpenVPN docs say you could use other modules instead of login.
>
> So, I would like to add the next line:
>
> openvpn_auth_pam.so group  "openvpn"
>
> Where a /etc/pam.d/group file would check whether the user is a member
> of the group "openvpn". If not, false is returned and the login
> attempt (through openvpn) fails.
>
> Is this possible? If not is there a better way?
>
> Fred


Can you step up from the implementation and explain what you want to
accomplish?
It seems that you want to use OpenVPN and do some access control checks
when a user connects to OpenVPN. Right?
If you can describe the flow of operations we might be able to guide you to
the right solution.

It would also be nice to understand what OS OpenVPN is running on.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
On Fri, 2012-10-05 at 13:50 -0400, Dmitri Pal wrote:
> On 10/05/2012 01:36 PM, Fred van Zwieten wrote: 
> > Hello, 
> > 
> > 
> > I have an IPA server running. This server has users who are members of
> > various groups. I want to query the IPA server from an IPA client to
> > know whether a user is a member of a group.
> > 
> > 
> > I want to do this from the OpenVPN service using the
> > openvpn_auth_pam.so. Normally one uses this like this:
> > 
> > 
> > openvpn_auth_pam.so login
> > 
> > 
> > This queries the PAM login service (and thus IPA) to check whether the
> > username/password from openvpn is valid. The "login" is /etc/pam.d/login.
> > OpenVPN docs say you could use other modules instead of login.
> > 
> > 
> > So, I would like to add the next line:
> > 
> > 
> > openvpn_auth_pam.so group  "openvpn"
> > 
> > 
> > Where a /etc/pam.d/group file would check whether the user is a member
> > of the group "openvpn". If not, false is returned and the login
> > attempt (through openvpn) fails.
> > 
> > 
> > Is this possible? If not is there a better way?
> > 
> > 
> > Fred
> 
> 
> Can you step up from the implementation and explain what you want to
> accomplish?
> It seems that you want to use OpenVPN and do some access control
> checks when a user connects to OpenVPN. Right?
> If you can describe the flow of operations we might be able to guide you
> to the right solution.
> 
> It would also be nice to understand what OS OpenVPN is running on.

If the PAM stack is used fully (account phase at least) then HBAC may be
a better way to do this sort of check.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Dmitri Pal
On 10/05/2012 02:03 PM, Simo Sorce wrote:
> On Fri, 2012-10-05 at 13:50 -0400, Dmitri Pal wrote:
>> On 10/05/2012 01:36 PM, Fred van Zwieten wrote: 
>>> Hello, 
>>>
>>>
>>> I have an IPA server running. This server has users who are members of
>>> various groups. I want to query the IPA server from an IPA client to
>>> know whether a user is a member of a group.
>>>
>>>
>>> I want to do this from the OpenVPN service using the
>>> openvpn_auth_pam.so. Normally one uses this like this:
>>>
>>>
>>> openvpn_auth_pam.so login
>>>
>>>
>>> This queries the PAM login service (and thus IPA) to check whether the
>>> username/password from openvpn is valid. The "login" is /etc/pam.d/login.
>>> OpenVPN docs say you could use other modules instead of login.
>>>
>>>
>>> So, I would like to add the next line:
>>>
>>>
>>> openvpn_auth_pam.so group  "openvpn"
>>>
>>>
>>> Where a /etc/pam.d/group file would check whether the user is a member
>>> of the group "openvpn". If not, false is returned and the login
>>> attempt (through openvpn) fails.
>>>
>>>
>>> Is this possible? If not is there a better way?
>>>
>>>
>>> Fred
>>
>> Can you step up from the implementation and explain what you want to
>> accomplish?
>> It seems that you want to use OpenVPN and do some access control
>> checks when a user connects to OpenVPN. Right?
>> If you can describe the flow of operations we might be able to guide you
>> to the right solution.
>>
>> It would also be nice to understand what OS OpenVPN is running on.
> If the PAM stack is used fully (account phase at least) then HBAC may be
> a better way to do this sort of check.
>
> Simo.
>
Yes, I was thinking about it, but this might be a version of Linux where
SSSD is not available.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.







Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
You are completely right :-)

Both IPA server and client are RHEL6.3 x86_64 boxes.

On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances
running, because different users must end up in different subnets.

OpenVPN instance 1 listens on port 5
OpenVPN instance 2 listens on port 50001

Users for subnet 1 must connect and authenticate on instance 1 (and get an
IP in subnet 1)
Users for subnet 2 must connect and authenticate on instance 2 (and get an
IP in subnet 2)

Both OpenVPN instances use the login pam module.

In this setup I can not prevent users for subnet 2 to connect and
authenticate successfully on OpenVPN instance 1.

So, I would like to put the users for OpenVPN instance 1 in group OpenVPN1
and users for OpenVPN instance 2 in group OpenVPN2 on IPA.

Next, the OpenVPN daemon must be able to check a user for membership. If it
is not a member, false is returned, and the OpenVPN authentication fails.

Documentation for the openvpn_auth_pam is here.

Fred



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
On Fri, 2012-10-05 at 20:13 +0200, Fred van Zwieten wrote:
> You are completely right :-)
> 
> 
> Both IPA server and client are RHEL6.3 x86_64 boxes.
> 
> 
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN
> instances running, because different users must end up in different
> subnets.
> 
> 
> OpenVPN instance 1 listens on port 5
> OpenVPN instance 2 listens on port 50001
> 
> 
> Users for subnet 1 must connect and authenticate on instance 1 (and
> get an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and
> get an IP in subnet 2)
> 
> 
> Both OpenVPN instances use the login pam module.
> 
> 
> In this setup I can not prevent users for subnet 2 to connect and
> authenticate successfully on OpenVPN instance 1.
> 
> 
> So, I would like to put the users for OpenVPN instance 1 in group
> OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
> 
> 
> Next, the OpenVPN daemon must be able to check a user for membership.
> If it is not a member, false is returned, and the OpenVPN
> authentication fails.
> 
> 
> Documentation for the openvpn_auth_pam is here. 
> 

Fred, what you can do is to use different pam service names (if openvpn
allows you to do that).
Create 2 services, openvpn1 and openvpn2, and then use HBAC to assign
appropriate access control to those services for the openvpn
concentrator.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Dmitri Pal
On 10/05/2012 02:13 PM, Fred van Zwieten wrote:
> You are completely right :-)
>
> Both IPA server and client are RHEL6.3 x86_64 boxes.
>
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN
> instances running, because different users must end up in different
> subnets.
>
> OpenVPN instance 1 listens on port 5
> OpenVPN instance 2 listens on port 50001
>
> Users for subnet 1 must connect and authenticate on instance 1 (and
> get an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and
> get an IP in subnet 2)
>
> Both OpenVPN instances use the login pam module.
>
> In this setup I can not prevent users for subnet 2 to connect and
> authenticate successfully on OpenVPN instance 1.
>
> So, I would like to put the users for OpenVPN instance 1 in group
> OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
>
> Next, the OpenVPN daemon must be able to check a user for membership.
> If it is not a member, false is returned, and the OpenVPN
> authentication fails.
>
> Documentation for the openvpn_auth_pam is here.
>  
>

OK, makes sense.
What does your pam configuration look like?
Especially the accounting part? What modules do you have there?
Can it be that the PAM module you are using is expecting some value that
needs to be configured in the openvpn_auth_pam config?



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] saslauthd on freeipa machine

2012-10-05 Thread Stephen Ingram
On Fri, Oct 5, 2012 at 10:03 AM, Dmitri Pal  wrote:
> On 10/05/2012 12:16 PM, Stephen Ingram wrote:
>> As I typically have saslauthd use kerberos to authenticate users I
>> really haven't had the occasion to try before. Since freeipa machines
>> use SSSD to help manage users on the system, I thought that saslauthd
>> should be able to authenticate users against PAM as well. Unless I
>> have somehow misconfigured, this seems not to be the case as each time
>> I get:
>>
>> saslauthd[7342] :do_auth : auth failure: [user=nancy]
>> [service=smtp] [realm=] [mech=pam] [reason=PAM acct error]
>>
>> According to the logs on the freeipa machine, the auth is correct and
>> the ticket is issued. Is there some additional client configuration
>> required to make this work since SSSD now involved?
> This seems relevant:
> http://www.howtoforge.com/forums/showthread.php?t=24538

Thanks. Just to follow up, it does work out of the box. I neglected to
tell IPA HBAC to let me on that host. Needless to say, if you are
going to use IPA, you need to use IPA **correctly**!

Steve



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Dmitri,

Well, this is, sort of, the point. I have no experience using pam, so I
have no idea how to set this up.

I have authentication up and running, but, like I said, both OpenVPN
instances happily authenticate users from both groups of users.

In my openvpn config file I have:

plugin openvpn_auth_pam login

where login is the /etc/pam.d/login file. I have not adjusted this file.
This is the standard file for an IPA client.

So, my idea was to do this in the openvpn config file:

plugin openvpn_auth_pam login (can the user authenticate y/n?)
plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is the
user a member of OPENVPN1 y/n?)

plugin openvpn_auth_pam is afaik the only way to get OpenVPN to
authenticate against IPA. I am not sure how this could be set up to work
with HBAC..

Fred



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce

Fred, I suggest you copy the 'login' file into 2 new files: openvpn1 and
openvpn2

Then configure the two instances with:
plugin openvpn_auth_pam openvpn1
and
plugin openvpn_auth_pam openvpn2
respectively.

Then you can create HBAC rules in IPA using openvpn1 and openvpn2 as
service names.

Simo.

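The service-name-keyed HBAC check Simo describes above (and the "PAM acct error" Stephen hit in the saslauthd thread when no HBAC rule covered his host and service) modelled as a small Python program. This is an added example, not FreeIPA's or SSSD's code: the hostname, user, group and rule names are constructed, and the ipa CLI lines in the docstring are the standard equivalents of what the model does.

```python
"""Simplified model of FreeIPA HBAC evaluation keyed on the PAM service name.

Added illustration, not FreeIPA or SSSD code. In a real deployment the rules
live in IPA, pam_sss evaluates them in the PAM 'account' phase, and the
service name it reports is the name of the file under /etc/pam.d/ that the
calling program opened: 'openvpn1' or 'openvpn2' for openvpn_auth_pam,
'smtp' for saslauthd in the other thread.

Equivalent IPA CLI for one instance (host and group names are constructed):
    ipa hbacsvc-add openvpn1
    ipa hbacrule-add vpn1_access
    ipa hbacrule-add-user vpn1_access --groups=openvpn1
    ipa hbacrule-add-host vpn1_access --hosts=vpn.example.test
    ipa hbacrule-add-service vpn1_access --hbacsvcs=openvpn1
    ipa hbacrule-disable allow_all      # otherwise every other rule is moot
    ipa hbactest --user=bob --host=vpn.example.test --service=openvpn1
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class HbacRule:
    """One HBAC allow rule. A *_all flag models --usercat=all, --hostcat=all
    and --servicecat=all, which is how IPA's default allow_all rule is built."""
    name: str
    enabled: bool = True
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    hosts: FrozenSet[str] = frozenset()
    services: FrozenSet[str] = frozenset()
    users_all: bool = False
    hosts_all: bool = False
    services_all: bool = False

    def matches(self, user: str, user_groups: FrozenSet[str],
                host: str, service: str) -> bool:
        if not self.enabled:
            return False
        user_ok = self.users_all or user in self.users or bool(self.groups & user_groups)
        host_ok = self.hosts_all or host in self.hosts
        svc_ok = self.services_all or service in self.services
        return user_ok and host_ok and svc_ok


def hbac_allowed(rules: List[HbacRule], user: str,
                 membership: Dict[str, FrozenSet[str]],
                 host: str, service: str) -> bool:
    """HBAC rules are allow-only: access passes the account phase iff some
    enabled rule matches on all three dimensions (who, where, which PAM service)."""
    groups = membership.get(user, frozenset())
    return any(r.matches(user, groups, host, service) for r in rules)


def disable_rule(rules: List[HbacRule], name: str) -> List[HbacRule]:
    """Model of `ipa hbacrule-disable <name>`; returns a new rule list."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]


# --- constructed sample data (not from the thread) ---------------------------
VPN_HOST = "vpn.example.test"  # the OpenVPN concentrator, an IPA client
MEMBERSHIP = {
    "alice": frozenset({"openvpn1"}),  # may only use instance 1
    "bob": frozenset({"openvpn2"}),    # may only use instance 2
}

# IPA ships this rule enabled; leaving it on is the usual reason why
# service-specific rules appear not to work.
ALLOW_ALL = HbacRule("allow_all", users_all=True, hosts_all=True, services_all=True)

RULES = [
    ALLOW_ALL,
    HbacRule("vpn1_access", groups=frozenset({"openvpn1"}),
             hosts=frozenset({VPN_HOST}), services=frozenset({"openvpn1"})),
    HbacRule("vpn2_access", groups=frozenset({"openvpn2"}),
             hosts=frozenset({VPN_HOST}), services=frozenset({"openvpn2"})),
]


def access_matrix(rules: List[HbacRule]) -> Dict[Tuple[str, str], bool]:
    """Who can pass the account phase on which OpenVPN instance."""
    return {
        (user, svc): hbac_allowed(rules, user, MEMBERSHIP, VPN_HOST, svc)
        for user in sorted(MEMBERSHIP)
        for svc in ("openvpn1", "openvpn2")
    }


if __name__ == "__main__":
    for label, rules in (("allow_all enabled", RULES),
                         ("allow_all disabled", disable_rule(RULES, "allow_all"))):
        print(label)
        for (user, svc), ok in access_matrix(rules).items():
            print(f"  {user:6s} {svc}: {'allow' if ok else 'deny'}")
```

With allow_all still enabled both users pass on both instances, which is exactly the situation Fred reports; once it is disabled only the rule whose service name matches the /etc/pam.d/ file name lets a user through, and a service with no rule at all (smtp here) fails the account phase.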

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Simo,

That sounds easy enough. I will test it ASAP when I get to work on Monday
and let you know.

Thank you (and Dmitri) so far and have a good weekend.

Fred



Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Hang on..I don't see how this can work (I haven't tried it btw).

If I simply copy login to openvpn1 and call openvpn_auth_pam with that file
as a parameter, how can it magically know to query IPA for the openvpn1
service as opposed to username/password? Must I not change the openvpn1
file to have it check for the service?

Fred
