[Freeipa-users] Query IPA for group membership

Dmitri Pal dpal at redhat.com
Fri Oct 5 18:04:39 UTC 2012


On 10/05/2012 02:03 PM, Simo Sorce wrote:
> On Fri, 2012-10-05 at 13:50 -0400, Dmitri Pal wrote:
>> On 10/05/2012 01:36 PM, Fred van Zwieten wrote: 
>>> Hello, 
>>>
>>>
>>> I have an IPA server running. This server has users who are members of
>>> various groups. I want to query the IPA server from an IPA client to
>>> know whether a user is a member of a group.
>>>
>>>
>>> I want to do this from the OpenVPN service using the
>>> openvpn_auth_pam.so. Normally one uses this like this:
>>>
>>>
>>> openvpn_auth_pam.so login
>>>
>>>
>>> This queries the PAM login (and thus IPA) to check whether the
>>> username/password from openvpn is valid. The "login" is
>>> /etc/pam.d/login. OpenVPN docs say you could use other modules instead
>>> of login.
>>>
>>>
>>> So, I would like to add the next line:
>>>
>>>
>>> openvpn_auth_pam.so group <username> "openvpn"
>>>
>>>
>>> Where a /etc/pam.d/group file would check whether the user is a member
>>> of the group "openvpn". If not, false is returned and the login
>>> attempt (thru openvpn) fails.
>>>
>>>
>>> Is this possible? If not is there a better way?
>>>
>>>
>>> Fred
>>
>> Can you step up from the implementation and explain what you want to
>> accomplish?
>> It seems that you want to use OpenVPN and do some access control
>> checks when user connects to OpenVPN. Right?
>> If you can describe the flow of operations we might be able to guide you
>> to the right solution.
>>
>> Also, it would be nice to understand what OS OpenVPN is running on.
> If the PAM stack is used fully (account phase at least) then HBAC may be
> a better way to do this sort of check.
>
> Simo.
>
Yes, I was thinking about it, but this might be a version of Linux where
SSSD is not available.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
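The approach Simo describes, as an added illustration that is not part of the original thread: a dedicated PAM service for the OpenVPN plugin in which pam_sss handles both the auth and account phases, so that the "is this user in the openvpn group" decision lives in an IPA HBAC rule rather than in the PAM file. The service name, plugin path and group name are assumptions; as Simo notes, this only works if the plugin runs the account phase.

```text
# /etc/pam.d/openvpn  (assumed service name; referenced from the OpenVPN
# server config as:  plugin /path/to/openvpn_auth_pam.so openvpn)

# auth phase: validate the username/password against IPA through SSSD
auth     required   pam_sss.so

# account phase: pam_sss evaluates IPA HBAC rules here, matching on this
# host and on an HBAC service named like this PAM service ("openvpn").
# An HBAC rule that allows only the "openvpn" user group for that service
# on this host makes pam_sss reject every other user at this point.
account  required   pam_sss.so

# Fallback for hosts without SSSD (assumed): a plain group check, which
# works only if NSS on this host can resolve IPA group membership.
# account  required   pam_succeed_if.so user ingroup openvpn
```

The HBAC service has to exist in IPA under the same name as the PAM service before the rule can reference it, and the host must be covered by the rule; the commented fallback enforces membership locally instead of centrally.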
