[Freeipa-users] OTP integrations

Andrew Holway andrew.holway at gmail.com
Wed Apr 1 11:15:03 UTC 2015


> It is simple to configure OpenVPN with authentication against FreeIPA in
> Fedora 21, all the heavy lifting is done by SSSD:
>

I have to say that this sssd / pam method is working very very well.

I do however need to get my head around RADIUS. Something for a rainy
Sunday I think :).

>
> # grep plugin /etc/openvpn/server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
>
> # LANG=C ls -l /etc/pam.d/openvpn
> lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
>
> # LANG=C ipa user-show vpnuser
>  User login: vpnuser
>  First name: VPN
>  Last name: TestUser
>  Home directory: /home/vpnuser
>  Login shell: /bin/sh
>  Email address: vpnuser at example.com
>  UID: 1792600005
>  GID: 1792600005
>  Account disabled: False
>  User authentication types: otp
>  Password: True
>  Member of groups: ipausers
>  Kerberos keys available: True
>
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> received command code: 0
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> USER: vpnuser
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> my_conv[0] query='login:' style=2
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> name match found, query/match-string ['login:', 'login'] = 'USERNAME'
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> my_conv[0] query='Password: ' style=1
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
> name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> user=vpnuser
> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth):
> authentication success; logname= uid=0 euid=0 tty= ruser= rhost=
> user=vpnuser
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232
> PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/
> PLUGIN_AUTH_USER_PASS_VERIFY status=0
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS:
> Username/Password authentication succeeded for username 'vpnuser'
>
>
> --
> / Alexander Bokovoy
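An added example, not part of the original thread and not FreeIPA or OpenVPN code: in the quoted journal excerpt, pam_unix logs a failure three seconds before pam_sss logs success for the same process, so alerting on every "authentication failure" line would fire on each successful OTP login. The sketch below groups PAM results per openvpn PID and reports only attempts that no module accepted. It assumes the stack tries pam_unix before pam_sss as alternatives; the function names and the second log entry pair are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines follow the journal excerpt quoted
# above (unwrapped); the last two are an invented failed attempt.
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:02 ipa.example.com openvpn[29801]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:05 ipa.example.com openvpn[29801]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
"""

PAM_LINE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(openvpn:auth\): "
    r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)"
)

def classify_attempts(log_text):
    """Return {(pid, user): verdict}, one verdict per PAM conversation."""
    seen = defaultdict(dict)  # (pid, user) -> {module: result}
    for line in log_text.splitlines():
        m = PAM_LINE.search(line)
        if m:
            seen[(m["pid"], m["user"])][m["module"]] = m["result"]
    verdicts = {}
    for key, modules in seen.items():
        if modules.get("pam_sss") == "success":
            # Assumption: the earlier pam_unix failure is expected here,
            # because the account exists only in IPA, not in /etc/shadow.
            verdicts[key] = "accepted"
        elif "success" in modules.values():
            verdicts[key] = "accepted-local"  # accepted by a non-SSSD module
        else:
            verdicts[key] = "rejected"
    return verdicts

def rejected_users(log_text):
    """Users with at least one attempt that every PAM module refused."""
    return sorted({user for (_, user), verdict
                   in classify_attempts(log_text).items()
                   if verdict == "rejected"})

if __name__ == "__main__":
    for (pid, user), verdict in classify_attempts(SAMPLE_LOG).items():
        print(pid, user, verdict)
```

Journal output pasted from e-mail, like the excerpt above, has to be unwrapped to one entry per line before it is fed to `classify_attempts`.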