<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
<blockquote
cite="mid:CALVifsZnbGtN34h+q3WEz=cZ-pRdHLES7ptTf2UOL_mAVSyziA@mail.gmail.com"
type="cite">Hello,
<div><br>
</div>
<div>I have an IPA server running. This server has users who are
members of various groups. I want to query the IPA server from an
IPA client to know whether a user is a member of a group.</div>
<div><br>
</div>
<div>I want to do this from the OpenVPN service using the
openvpn_auth_pam.so. Normally one uses this like this:</div>
<div><br>
</div>
<div>openvpn_auth_pam.so login</div>
<div><br>
</div>
<div>This queries the PAM login (and thus IPA) if the
username/password from openvpn is valid. The "login" is
/etc/pam.d/login. OpenVPN docs say you could use other modules
instead of login.</div>
<div><br>
</div>
<div>So, I would like to add the next line:</div>
<div><br>
</div>
<div>openvpn_auth_pam.so group &lt;username&gt; "openvpn"</div>
<div><br>
</div>
<div>Where a /etc/pam.d/group file would check whether the user is
a member of the group "openvpn". If not, false is returned and the
login attempt (through openvpn) fails.</div>
<div><br>
</div>
<div>Is this possible? If not is there a better way?</div>
<div><br>
</div>
<div>Fred</div>
</blockquote>
<br>
<br>
Can you step up from the implementation and explain what you want to
accomplish?<br>
It seems that you want to use OpenVPN and do some access control
checks when user connects to OpenVPN. Right?<br>
If you can describe the flow of operations we might be able to guide
you to the right solution.<br>
<br>
Also, it would be nice to understand what OS OpenVPN is running on.<br>
<br>
<blockquote
cite="mid:CALVifsZnbGtN34h+q3WEz=cZ-pRdHLES7ptTf2UOL_mAVSyziA@mail.gmail.com"
type="cite">
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
</body>
</html>