[Freeipa-users] Query IPA for group membership

Fred van Zwieten fvzwieten at vxcompany.com
Fri Oct 5 18:58:31 UTC 2012


Dmitri,

Well, this is, sort of, the point. I have no experience using PAM, so I
have no idea how to set this up.

I have authentication up and running, but, like I said, both OpenVPN
instances happily authenticate users from both groups of users.

In my OpenVPN config file I have:

plugin openvpn_auth_pam login

where login is the /etc/pam.d/login file. I have not adjusted this file.
This is the standard file for an IPA client.

So, my idea was to do this in openvpn config file:

plugin openvpn_auth_pam login (can the user authenticate y/n?)
plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is the
user a member of OPENVPN1 y/n?)

plugin openvpn_auth_pam is, AFAIK, the only way to get OpenVPN to
authenticate against IPA. I am not sure how this could be set up to work
with HBAC.

Fred


On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 10/05/2012 02:13 PM, Fred van Zwieten wrote:
>
> You are completely right :-)
>
> Both IPA server and client are RHEL6.3 x86_64 boxes.
>
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN
> instances running, because different users must end up in different subnets.
>
> OpenVPN instance 1 listens on port 50000
> OpenVPN instance 2 listens on port 50001
>
> Users for subnet 1 must connect and authenticate on instance 1 (and get
> an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and get an
> IP in subnet 2)
>
> Both OpenVPN instances use the login PAM module.
>
> In this setup I cannot prevent users for subnet 2 from connecting and
> authenticating successfully on OpenVPN instance 1.
>
> So, I would like to put the users for OpenVPN instance 1 in group
> OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
>
> Next, the OpenVPN daemon must be able to check a user for membership. If
> it is not a member, false is returned, and the OpenVPN authentication fails.
>
> Documentation for the openvpn_auth_pam plugin is here:
> <https://community.openvpn.net/openvpn/browser/plugin/auth-pam/README?rev=6cfada268122fe54ce6d211d96c744e91d41248c>
>
>
> OK, makes sense.
> What does your PAM configuration look like?
> Especially the accounting part? What modules do you have there?
> Can it be that the PAM module you are using is expecting some value that needs
> to be configured in the openvpn_auth_pam config?
>
> Fred
>
>
> On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>   On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
>>
>> Hello,
>>
>> I have an IPA server running. This server has users who are members of
>> various groups. I want to query the IPA server from an IPA client to know
>> whether a user is a member of a group.
>>
>> I want to do this from the OpenVPN service using the
>> openvpn_auth_pam.so. Normally one uses this like this:
>>
>> openvpn_auth_pam.so login
>>
>> This queries PAM login (and thus IPA) whether the username/password from
>> OpenVPN is valid. The "login" is /etc/pam.d/login. The OpenVPN docs say you
>> could use other modules instead of login.
>>
>> So, I would like to add the next line:
>>
>> openvpn_auth_pam.so group <username> "openvpn"
>>
>> Where a /etc/pam.d/group file would check whether the user is a member of
>> the group "openvpn". If not, false is returned and the login attempt (through
>> OpenVPN) fails.
>>
>> Is this possible? If not, is there a better way?
>>
>> Fred
>>
>>
>>
>> Can you step up from the implementation and explain what you want to
>> accomplish?
>> It seems that you want to use OpenVPN and do some access control checks
>> when a user connects to OpenVPN. Right?
>> If you can describe the flow of operations we might be able to guide you to
>> the right solution.
>>
>> It would also be nice to understand what OS OpenVPN is running on.
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>>
>>
>
>
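One way to get the per-instance group check Fred is after, as an added example that is not part of this thread or of the openvpn-auth-pam project: give each OpenVPN instance its own PAM service name instead of reusing `login`, and make that PAM stack require the IPA group. The auth-pam plugin's first argument is the PAM service name, and the plugin runs the account stage as well as the auth stage, so an `account` rule in that stack rejects the connection. The service names `openvpn1`/`openvpn2`, the group names `OPENVPN1`/`OPENVPN2` and the plugin path are assumptions; `pam_sss` and `pam_succeed_if` are the stock modules on an IPA-enrolled RHEL 6 client, and `pam_succeed_if ... user ingroup` resolves group membership through NSS, i.e. through SSSD and therefore IPA.

```shell
#!/bin/sh
# Added example, not code from the thread or from openvpn-auth-pam.
# Assumed names: PAM services openvpn1/openvpn2, IPA groups OPENVPN1/OPENVPN2,
# plugin path /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so.
#
# In each instance's OpenVPN server config, replace "plugin ... login" with:
#   instance 1: plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn1
#   instance 2: plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn2

# Print the /etc/pam.d/<service> stack for one OpenVPN instance.
# pam_sss authenticates the user against IPA via SSSD; pam_succeed_if then
# requires membership in the given IPA group in the account stage, so a
# valid password alone is not enough to connect to this instance.
pam_service_config() {
    group=$1
    cat <<EOF
#%PAM-1.0
auth     required   pam_sss.so
account  required   pam_sss.so
account  required   pam_succeed_if.so user ingroup $group
EOF
}

# Install both instances' PAM services; run as root on the VPN host.
install_pam_services() {
    pam_service_config OPENVPN1 > /etc/pam.d/openvpn1
    pam_service_config OPENVPN2 > /etc/pam.d/openvpn2
}

# user_in_group USER GROUP [GROUPS]
# Exact-name membership check, so OPENVPN1 does not match OPENVPN10.
# GROUPS defaults to the user's resolved group list from id(1), which is the
# same NSS data pam_succeed_if consults; pass it explicitly for offline use.
user_in_group() {
    user=$1; group=$2
    groups=${3:-$(id -nG -- "$user" 2>/dev/null)}
    for g in $groups; do
        [ "$g" = "$group" ] && return 0
    done
    return 1
}
```

Before enabling the stack, `user_in_group alice OPENVPN1` on the VPN host is a quick check that SSSD actually resolves the IPA group for that user (an empty `id -nG` output means the membership check would fail for everyone). Once each instance has its own PAM service name, the same restriction can also be expressed centrally instead of in a local PAM file: `pam_sss` evaluates IPA HBAC rules by the service name it is called with, so an HBAC service `openvpn1` allowed for group OPENVPN1 on the VPN host (created with `ipa hbacsvc-add` / `ipa hbacrule-add` and verified with `ipa hbactest`) achieves the same effect without `pam_succeed_if`, and keeps the policy in IPA where it can be audited.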