<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 10/05/2012 02:13 PM, Fred van Zwieten wrote: <blockquote cite="mid:CALVifsYvc2BdP0wfm7F3BpdNXBbOHPYcqKC6LV3srZ2wnC1i5A@mail.gmail.com" type="cite">You are completely right :-) <div><br> </div> <div>Both IPA server and client are RHEL6.3 x86_64 boxes.</div> <div><br> </div> <div>On the OpenVPN server (which is an IPA client), I have 2 OpenVPN instances running, because different users must end up in different subnet's</div> <div><br> </div> <div>OpenVPN instance 1 listens on port 50000</div> <div>OpenVPN instance 2 listens on port 50001</div> <div><br> </div> <div>Users for subnet 1 must connect and authenticate on instance 1 (and get an IP in subnet 1)</div> <div>Users for subnet 2 must connect and authenticate on instance 2 (and get an IP in subnet 2)</div> <div><br> </div> <div>Both OpenVPN instances use the login pam module.</div> <div><br> </div> <div>In this setup I can not prevent users for subnet 2 to connect and authenticate successfully on OpenVPN instance 1.</div> <div><br> </div> <div>So, I would like to put the users for OpenVPN instance 1 in group OpenVPN1 en users for OpenVPN instance 2 in group OpenVPN2 on IPA.</div> <div><br> </div> <div>Next, the OpenVPN daemon must be able to check a user for membership. Is it is not a member, false is returned, and the OpenVMN authentication fails.</div> <div><br> </div> <div>Documentation for the openvpn_auth_pam is <a moz-do-not-send="true" href="https://community.openvpn.net/openvpn/browser/plugin/auth-pam/README?rev=6cfada268122fe54ce6d211d96c744e91d41248c">here</a>. </div> <div><br> </div> </blockquote> <br> OK, makes sense.<br> How does you pam configuration look like?<br> Especially the accounting part? What modules do you have there?<br> Can it be PAM module you are using expecting some value that need to be configured in openvpn_auth_pam config? <br> <br> <blockquote cite="mid:CALVifsYvc2BdP0wfm7F3BpdNXBbOHPYcqKC6LV3srZ2wnC1i5A@mail.gmail.com" type="cite"> <div> Fred</div> <div><br> <br> <div class="gmail_quote">On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <span dir="ltr"><<a moz-do-not-send="true" href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"> <div> <div class="h5"> On 10/05/2012 01:36 PM, Fred van Zwieten wrote: <blockquote type="cite">Hello, <div><br> </div> <div>I have a IPA server running. This server has users who are member to various groups. I want to query the IPA server from an IPA client to know whether a user is a member to a group.</div> <div><br> </div> <div>I want to do this from the OpenVPN service using the openvpn_auth_pam.so. Normally one uses this like this:</div> <div><br> </div> <div>openvpn_auth_pam.so login</div> <div><br> </div> <div>This queries the PAM login (and thus IPA) is the username/password from openvpn is valid. the "login" is /etc/pam.d/login. OpenVPN docs say you could use other modules instead of login.</div> <div><br> </div> <div>So, I would like to add the next line:</div> <div><br> </div> <div>openvpn_auth_pam.so group <username> "openvpn"</div> <div><br> </div> <div>Where a /etc/pam.d/group file would check whether the user is member of the group "openvpn". If not, false is returned and the login attempt (thru openvpn) fails.</div> <div><br> </div> <div>Is this possible? If not is there a better way?</div> <div><br> </div> <div>Fred</div> </blockquote> <br> <br> </div> </div> Can you step up from the implementation and explain what you want to accomplish?<br> It seems that you want to use OpenVPN and do some access control checks when user connects to OpenVPN. Right?<br> If you can describe the flow of operations we might be able guide you to the right solution.<br> <br> Also would be nice to understand what OS OpenVPN is running on.<br> <br> <blockquote type="cite"> <div><br> </div> <br> <fieldset></fieldset> <br> <pre>_______________________________________________ Freeipa-users mailing list <a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> <span class="HOEnZb"><font color="#888888"> </font></span></blockquote> <span class="HOEnZb"><font color="#888888"> <br> <br> <pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </font></span></div> </blockquote> </div> <br> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>