Dmitri,<div><br></div><div>Well, this is, sort of, the point. I have no experience using pam, so I have no idea how to set this up.</div><div><br></div><div>I have authentication up and running, but, like I said, both OpenVPN instances happily authenticate users from both groups of users.</div>
<div><br></div><div>In my openvpn config file i have:</div><div><br></div><div>plugin openvpn_auth_pam login</div><div><br></div><div>where login is the /etc/pam.d/login file. I have not adjusted this file. This is standard file for IPA client.</div>
<div><br></div><div>So, my idea was to do this in openvpn config file:</div><div><br></div><div>plugin openvpn_auth_pam login (can the user authenticate y/n?)</div><div>plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is the user member op OPENVPN1 y/n?)</div>
<div><br></div><div>plugin openvpn_auth_pam is afaik the only way to get OpenVPN to authenticate against IPA. I am not sure how this could be setup to work with HBAC..</div><div><br></div><div>Fred<br>
<br><br><div class="gmail_quote">On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
On 10/05/2012 02:13 PM, Fred van Zwieten wrote:
<blockquote type="cite">You are completely right :-)
<div><br>
</div>
<div>Both IPA server and client are RHEL6.3 x86_64 boxes.</div>
<div><br>
</div>
<div>On the OpenVPN server (which is an IPA client), I have 2
OpenVPN instances running, because different users must end up
in different subnet's</div>
<div><br>
</div>
<div>OpenVPN instance 1 listens on port 50000</div>
<div>OpenVPN instance 2 listens on port 50001</div>
<div><br>
</div>
<div>Users for subnet 1 must connect and authenticate on instance
1 (and get an IP in subnet 1)</div>
<div>Users for subnet 2 must connect and authenticate on instance
2 (and get an IP in subnet 2)</div>
<div><br>
</div>
<div>Both OpenVPN instances use the login pam module.</div>
<div><br>
</div>
<div>In this setup I can not prevent users for subnet 2 to connect
and authenticate successfully on OpenVPN instance 1.</div>
<div><br>
</div>
<div>So, I would like to put the users for OpenVPN instance 1 in
group OpenVPN1 en users for OpenVPN instance 2 in group OpenVPN2
on IPA.</div>
<div><br>
</div>
<div>Next, the OpenVPN daemon must be able to check a user for
membership. Is it is not a member, false is returned, and the
OpenVMN authentication fails.</div>
<div><br>
</div>
<div>Documentation for the openvpn_auth_pam is <a href="https://community.openvpn.net/openvpn/browser/plugin/auth-pam/README?rev=6cfada268122fe54ce6d211d96c744e91d41248c" target="_blank">here</a>. </div>
<div><br>
</div>
</blockquote>
<br></div>
OK, makes sense.<br>
How does you pam configuration look like?<br>
Especially the accounting part? What modules do you have there?<br>
Can it be PAM module you are using expecting some value that need to
be configured in openvpn_auth_pam config? <br><div><div class="h5">
<br>
<blockquote type="cite">
<div>
Fred</div>
<div><br>
<br>
<div class="gmail_quote">On Fri, Oct 5, 2012 at 7:50 PM, Dmitri
Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div> On 10/05/2012 01:36 PM, Fred van
Zwieten wrote:
<blockquote type="cite">Hello,
<div><br>
</div>
<div>I have a IPA server running. This server has
users who are member to various groups. I want to
query the IPA server from an IPA client to know
whether a user is a member to a group.</div>
<div><br>
</div>
<div>I want to do this from the OpenVPN service
using the openvpn_auth_pam.so. Normally one uses
this like this:</div>
<div><br>
</div>
<div>openvpn_auth_pam.so login</div>
<div><br>
</div>
<div>This queries the PAM login (and thus IPA) is
the username/password from openvpn is valid. the
"login" is /etc/pam.d/login. OpenVPN docs say you
could use other modules instead of login.</div>
<div><br>
</div>
<div>So, I would like to add the next line:</div>
<div><br>
</div>
<div>openvpn_auth_pam.so group <username>
"openvpn"</div>
<div><br>
</div>
<div>Where a /etc/pam.d/group file would check
whether the user is member of the group "openvpn".
If not, false is returned and the login attempt
(thru openvpn) fails.</div>
<div><br>
</div>
<div>Is this possible? If not is there a better way?</div>
<div><br>
</div>
<div>Fred</div>
</blockquote>
<br>
<br>
</div>
</div>
Can you step up from the implementation and explain what
you want to accomplish?<br>
It seems that you want to use OpenVPN and do some access
control checks when user connects to OpenVPN. Right?<br>
If you can describe the flow of operations we might be
able guide you to the right solution.<br>
<br>
Also would be nice to understand what OS OpenVPN is
running on.<br>
<br>
<blockquote type="cite">
<div><br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div></div></div>
</blockquote></div><br></div>