Re: [Freeipa-users] saslauthd on freeipa machine

2012-10-05 Thread Dmitri Pal
On 10/05/2012 12:16 PM, Stephen Ingram wrote: As I typically have saslauthd use Kerberos to authenticate users I really haven't had the occasion to try before. Since freeipa machines use SSSD to help manage users on the system, I thought that saslauthd should be able to authenticate users

[Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Hello, I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to know whether a user is a member of a group. I want to do this from the OpenVPN service using the openvpn_auth_pam.so. Normally one uses this like this:

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Dmitri Pal
On 10/05/2012 01:36 PM, Fred van Zwieten wrote: Hello, I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to know whether a user is a member of a group. I want to do this from the OpenVPN service using the

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
On Fri, 2012-10-05 at 13:50 -0400, Dmitri Pal wrote: On 10/05/2012 01:36 PM, Fred van Zwieten wrote: Hello, I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to know whether a user is a member of

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Dmitri Pal
On 10/05/2012 02:03 PM, Simo Sorce wrote: On Fri, 2012-10-05 at 13:50 -0400, Dmitri Pal wrote: On 10/05/2012 01:36 PM, Fred van Zwieten wrote: Hello, I have an IPA server running. This server has users who are members of various groups. I want to query the IPA server from an IPA client to

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
You are completely right :-) Both IPA server and client are RHEL6.3 x86_64 boxes. On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances running, because different users must end up in different subnets OpenVPN instance 1 listens on port 5 OpenVPN instance 2 listens on

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
On Fri, 2012-10-05 at 20:13 +0200, Fred van Zwieten wrote: You are completely right :-) Both IPA server and client are RHEL6.3 x86_64 boxes. On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances running, because different users must end up in different subnets

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Dmitri Pal
On 10/05/2012 02:13 PM, Fred van Zwieten wrote: You are completely right :-) Both IPA server and client are RHEL6.3 x86_64 boxes. On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances running, because different users must end up in different subnets OpenVPN instance

Re: [Freeipa-users] saslauthd on freeipa machine

2012-10-05 Thread Stephen Ingram
On Fri, Oct 5, 2012 at 10:03 AM, Dmitri Pal d...@redhat.com wrote: On 10/05/2012 12:16 PM, Stephen Ingram wrote: As I typically have saslauthd use Kerberos to authenticate users I really haven't had the occasion to try before. Since freeipa machines use SSSD to help manage users on the system,

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Simo Sorce
Fred I suggest you copy the 'login' file into 2 new files: openvpn1 and openvpn2 Then configure the two instances with: plugin openvpn_auth_pam openvpn1 and plugin openvpn_auth_pam openvpn2 respectively. Then you can create HBAC rules in IPA using openvpn1 and openvpn2 as service names.

Re: [Freeipa-users] Query IPA for group membership

2012-10-05 Thread Fred van Zwieten
Simo, That sounds easy enough. I will test it asap when I get to work on Monday and let you know. Thank you (and Dmitri) so far and have a good weekend. Fred On Fri, Oct 5, 2012 at 9:09 PM, Simo Sorce s...@redhat.com wrote: Fred I suggest you copy the 'login' file into 2 new files: