[Freeipa-users] Critique
Alexander Bokovoy
abokovoy at redhat.com
Fri Apr 17 07:31:26 UTC 2015
On Fri, 17 Apr 2015, Andrew Holway wrote:
>In an obviously blatant promotion exercise and attempt to build page
>rank....
>
>Please could I have some critique on this article?
>
>http://otternetworks.de/tech/freeipa-technical-brief/
>
>Your feedback would be really appreciated

Thanks for the nice article showing how to enable OpenVPN with
two-factor authentication.

My notes:
- Title is misleading, as the article is about setting up OpenVPN with
  two-factor auth, not really about FreeIPA itself.
- You mention "Using a completely standard client OpenVPN configuration
  with only one addition “auth-user-pass” to prompt for a password we
  are able to use OpenVPN to log into a network using password+OTP."
  However, there is no config example that shows it. I would add that,
  along the lines of using the PAM plugin.
- It would probably be good to mention that by using the PAM authentication
  plugin you also get HBAC rules from FreeIPA to fine-tune which users
  can actually use this VPN concentrator. As it is, any user from your
  system would be able to use the VPN, but most probably you'd want to limit
  them by group membership, and it is better to achieve that by using HBAC
  rules.
--
/ Alexander Bokovoy
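
Added example, not part of the original message or the article under review: a sketch of the setup the reply asks for, with the PAM plugin on the server, `auth-user-pass` on the client, and an HBAC rule restricting the VPN to one group. The service name `openvpn`, group `vpnusers`, host `vpn.example.com`, rule name `allow_vpn` and the plugin path are assumptions.

```shell
#!/bin/sh
# Added example; every name below is an assumption, not from the article.
SVC=openvpn                 # PAM service name, reused as the HBAC service name
GROUP=vpnusers              # hypothetical FreeIPA group allowed to use the VPN
VPN_HOST=vpn.example.com    # hypothetical IPA-enrolled VPN concentrator
RULE=allow_vpn              # hypothetical HBAC rule name
# Plugin path as packaged on Fedora/RHEL-family systems; adjust per distro.
PLUGIN=/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so

# Write the PAM service file and the OpenVPN auth lines under an optional
# staging prefix ($1), so the result can be inspected before installing.
write_vpn_auth_config() {
  root=${1:-}
  mkdir -p "$root/etc/pam.d" "$root/etc/openvpn"
  # auth:    SSSD checks the credentials the client sent against FreeIPA.
  # account: SSSD evaluates HBAC rules for service "$SVC" on this host.
  cat > "$root/etc/pam.d/$SVC" <<EOF
auth     required  pam_sss.so
account  required  pam_sss.so
EOF
  # Server: pass the client's username/password to PAM service "$SVC".
  echo "plugin $PLUGIN $SVC" >> "$root/etc/openvpn/server.conf"
  # Client: the one addition the article mentions.
  echo "auth-user-pass" >> "$root/etc/openvpn/client.conf"
}

# Create the HBAC service and a rule limiting it to $GROUP on $VPN_HOST.
# Set IPA=echo to print the commands instead of running them.
# Note: the default allow_all rule still admits every user until it is
# disabled or narrowed; this function deliberately leaves it alone.
create_hbac_rule() {
  ipa=${IPA:-ipa}
  $ipa hbacsvc-add "$SVC" &&
  $ipa hbacrule-add "$RULE" &&
  $ipa hbacrule-add-user "$RULE" --groups="$GROUP" &&
  $ipa hbacrule-add-host "$RULE" --hosts="$VPN_HOST" &&
  $ipa hbacrule-add-service "$RULE" --hbacsvcs="$SVC"
}

# Ask the IPA server whether user $1 would pass HBAC for the VPN service.
check_hbac() {
  ${IPA:-ipa} hbactest --user="$1" --host="$VPN_HOST" --service="$SVC"
}
```

Stage the files with `write_vpn_auth_config /tmp/stage` and preview the rule with `IPA=echo create_hbac_rule` before applying either to a live host.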