Hang on..I don't see how this can work (I haven't tried it btw).<div><br></div><div>If I simply copy login to openvpn1 and call openvpn_auth_pam with that file as a parameter, how can it magically know to query IPA for the openvpn1 service as opposed to username/password? Must I not change the openvpn1 file to have it check for the service?</div>
<div><br>Fred<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">
<div><br><br><div class="gmail_quote">On Fri, Oct 5, 2012 at 9:09 PM, Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Fred I suggest you copy the 'login' file into 2 new files: openvpn1 and<br>
openvn2<br>
<br>
Then configure the two instance instance with:<br>
plugin openvpn_auth_pam openvpn1<br>
and<br>
plugin openvpn_auth_pam openvpn2<br>
respectively.<br>
<br>
Then you can create HBAC rules in IPA using openvpn1 and openvon2 as<br>
service names.<br>
<span><font color="#888888"><br>
Simo.<br>
</font></span><div><div><br>
On Fri, 2012-10-05 at 20:58 +0200, Fred van Zwieten wrote:<br>
> Dmitri,<br>
><br>
><br>
> Well, this is, sort of, the point. I have no experience using pam, so<br>
> I have no idea how to set this up.<br>
><br>
><br>
> I have authentication up and running, but, like I said, both OpenVPN<br>
> instances happily authenticate users from both groups of users.<br>
><br>
><br>
> In my openvpn config file i have:<br>
><br>
><br>
> plugin openvpn_auth_pam login<br>
><br>
><br>
> where login is the /etc/pam.d/login file. I have not adjusted this<br>
> file. This is standard file for IPA client.<br>
><br>
><br>
> So, my idea was to do this in openvpn config file:<br>
><br>
><br>
> plugin openvpn_auth_pam login (can the user authenticate y/n?)<br>
> plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is<br>
> the user member op OPENVPN1 y/n?)<br>
><br>
><br>
> plugin openvpn_auth_pam is afaik the only way to get OpenVPN to<br>
> authenticate against IPA. I am not sure how this could be setup to<br>
> work with HBAC..<br>
><br>
><br>
> Fred<br>
><br>
><br>
> On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> wrote:<br>
> On 10/05/2012 02:13 PM, Fred van Zwieten wrote:<br>
> > You are completely right :-)<br>
> ><br>
> ><br>
> > Both IPA server and client are RHEL6.3 x86_64 boxes.<br>
> ><br>
> ><br>
> > On the OpenVPN server (which is an IPA client), I have 2<br>
> > OpenVPN instances running, because different users must end<br>
> > up in different subnet's<br>
> ><br>
> ><br>
> > OpenVPN instance 1 listens on port 50000<br>
> > OpenVPN instance 2 listens on port 50001<br>
> ><br>
> ><br>
> > Users for subnet 1 must connect and authenticate on instance<br>
> > 1 (and get an IP in subnet 1)<br>
> > Users for subnet 2 must connect and authenticate on instance<br>
> > 2 (and get an IP in subnet 2)<br>
> ><br>
> ><br>
> > Both OpenVPN instances use the login pam module.<br>
> ><br>
> ><br>
> > In this setup I can not prevent users for subnet 2 to<br>
> > connect and authenticate successfully on OpenVPN instance 1.<br>
> ><br>
> ><br>
> > So, I would like to put the users for OpenVPN instance 1 in<br>
> > group OpenVPN1 en users for OpenVPN instance 2 in group<br>
> > OpenVPN2 on IPA.<br>
> ><br>
> ><br>
> > Next, the OpenVPN daemon must be able to check a user for<br>
> > membership. Is it is not a member, false is returned, and<br>
> > the OpenVMN authentication fails.<br>
> ><br>
> ><br>
> > Documentation for the openvpn_auth_pam is here.<br>
> ><br>
> ><br>
><br>
><br>
> OK, makes sense.<br>
> How does you pam configuration look like?<br>
> Especially the accounting part? What modules do you have<br>
> there?<br>
> Can it be PAM module you are using expecting some value that<br>
> need to be configured in openvpn_auth_pam config?<br>
><br>
> > Fred<br>
> ><br>
> ><br>
> > On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>><br>
> > wrote:<br>
> > On 10/05/2012 01:36 PM, Fred van Zwieten wrote:<br>
> > > Hello,<br>
> > ><br>
> > ><br>
> > > I have a IPA server running. This server has users<br>
> > > who are member to various groups. I want to query<br>
> > > the IPA server from an IPA client to know whether<br>
> > > a user is a member to a group.<br>
> > ><br>
> > ><br>
> > > I want to do this from the OpenVPN service using<br>
> > > the openvpn_auth_pam.so. Normally one uses this<br>
> > > like this:<br>
> > ><br>
> > ><br>
> > > openvpn_auth_pam.so login<br>
> > ><br>
> > ><br>
> > > This queries the PAM login (and thus IPA) is the<br>
> > > username/password from openvpn is valid. the<br>
> > > "login" is /etc/pam.d/login. OpenVPN docs say you<br>
> > > could use other modules instead of login.<br>
> > ><br>
> > ><br>
> > > So, I would like to add the next line:<br>
> > ><br>
> > ><br>
> > > openvpn_auth_pam.so group <username> "openvpn"<br>
> > ><br>
> > ><br>
> > > Where a /etc/pam.d/group file would check whether<br>
> > > the user is member of the group "openvpn". If not,<br>
> > > false is returned and the login attempt (thru<br>
> > > openvpn) fails.<br>
> > ><br>
> > ><br>
> > > Is this possible? If not is there a better way?<br>
> > ><br>
> > ><br>
> > > Fred<br>
> ><br>
> ><br>
> ><br>
> > Can you step up from the implementation and explain<br>
> > what you want to accomplish?<br>
> > It seems that you want to use OpenVPN and do some<br>
> > access control checks when user connects to OpenVPN.<br>
> > Right?<br>
> > If you can describe the flow of operations we might<br>
> > be able guide you to the right solution.<br>
> ><br>
> > Also would be nice to understand what OS OpenVPN is<br>
> > running on.<br>
> ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > _______________________________________________<br>
> > > Freeipa-users mailing list<br>
> > > <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> ><br>
> ><br>
> > --<br>
> > Thank you,<br>
> > Dmitri Pal<br>
> ><br>
> > Sr. Engineering Manager for IdM portfolio<br>
> > Red Hat Inc.<br>
> ><br>
> ><br>
> > -------------------------------<br>
> > Looking to carve out IT costs?<br>
> > <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Freeipa-users mailing list<br>
> > <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
><br>
> --<br>
> Thank you,<br>
> Dmitri Pal<br>
><br>
> Sr. Engineering Manager for IdM portfolio<br>
> Red Hat Inc.<br>
><br>
><br>
> -------------------------------<br>
> Looking to carve out IT costs?<br>
> <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a><br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
--<br>
</div></div><div><div>Simo Sorce * Red Hat, Inc * New York<br>
<br>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>