<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 04/01/2015 11:46 AM, Andrew Holway
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAEiui-u1Zmn9GEDEh912qR2fofxjgU9k=Rc6yBCFa_JR3+mh9Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">Thanks Alexander.
        <div><br>
        </div>
        <div>What happens to the passwords? Are they hashed by Kerberos?</div>
      </div>
    </blockquote>
    <br>
    Yes. But stored in LDAP.<br>
    <br>
    <blockquote
cite="mid:CAEiui-u1Zmn9GEDEh912qR2fofxjgU9k=Rc6yBCFa_JR3+mh9Q@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 1 April 2015 at 15:14, Alexander
          Bokovoy <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
              class="">On Wed, 01 Apr 2015, Andrew Holway wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                Please could someone explain to me what is happening
                internally?<br>
                <br>
                In my head I have the following process....<br>
                <br>
                The openvpn pam module sends the username and password
                to pam.<br>
                Pam passes this onto sssd<br>
                sssd then does the kerberos thing<br>
                kerberos passes the password to the LDAP<br>
              </blockquote>
            </span>
            KDC passes request to ipa-otpd daemon (our RADIUS-like
            proxy) which then<br>
            binds to IPA LDAP to verify the password<span class=""><br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                some LDAP module takes the password from the database,
                appends on the OTP<br>
                and actually does the auth...<br>
              </blockquote>
            </span>
            Yes, the rest is correct.<br>
            <br>
            <a moz-do-not-send="true"
              href="http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png"
              target="_blank">http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png</a>
            is the full picture<br>
            from "the Kerberos thing" on
            <div class="HOEnZb">
              <div class="h5"><br>
                <br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <br>
                  <br>
                  On 1 April 2015 at 13:15, Andrew Holway <<a
                    moz-do-not-send="true"
                    href="mailto:andrew.holway@gmail.com"
                    target="_blank">andrew.holway@gmail.com</a>>
                  wrote:<br>
                  <br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                         It is simple to configure OpenVPN with
                        authentication against FreeIPA in Fedora 21; all
                        the heavy lifting is done by SSSD:<br>
                      </blockquote>
                      <br>
                    </blockquote>
                    <br>
                    I have to say that this sssd / pam method is working
                    very very well.<br>
                    <br>
                    I do however need to get my head around radius.
                    Something for a rainy<br>
                    sunday I think :).<br>
                    <br>
                    <br>
                    <br>
                    <br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <br>
                      # grep plugin /etc/openvpn/server.conf<br>
                      plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"<br>
                      <br>
                      # LANG=C ls -l /etc/pam.d/openvpn<br>
                      lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth<br>
                      <br>
                      # LANG=C ipa user-show vpnuser<br>
                       User login: vpnuser<br>
                       First name: VPN<br>
                       Last name: TestUser<br>
                       Home directory: /home/vpnuser<br>
                       Login shell: /bin/sh<br>
                       Email address: vpnuser@example.com<br>
                       UID: 1792600005<br>
                       GID: 1792600005<br>
                       Account disabled: False<br>
                       User authentication types: otp<br>
                       Password: True<br>
                       Member of groups: ipausers<br>
                       Kerberos keys available: True<br>
                      <br>
                      Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0<br>
                      Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser<br>
                      Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2<br>
                      Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'<br>
                      Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1<br>
                      Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'<br>
                      Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser<br>
                      Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser<br>
                      Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0<br>
                      Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'<br>
                      <br>
                      <br>
                      --<br>
                      / Alexander Bokovoy<br>
                      <br>
                      --<br>
                      Manage your subscription for the Freeipa-users
                      mailing list:<br>
                      <a moz-do-not-send="true"
                        href="https://www.redhat.com/mailman/listinfo/freeipa-users"
                        target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
                      Go to <a moz-do-not-send="true"
                        href="http://freeipa.org" target="_blank">http://freeipa.org</a>
                      for more info on the project<br>
                      <br>
                    </blockquote>
                    <br>
                    <br>
                  </blockquote>
                </blockquote>
                <br>
              </div>
            </div>
            <span class="HOEnZb"><font color="#888888">
                -- <br>
                / Alexander Bokovoy<br>
              </font></span></blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
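    <br>
    Added example, not code from this thread or from the FreeIPA or OpenVPN projects: the journal excerpt quoted above shows pam_unix failing (there is no local entry for vpnuser) before pam_sss succeeds, which is the SSSD path into the KDC, ipa-otpd and LDAP that Alexander describes. The script below parses lines in that format and reports, for every user OpenVPN admitted, which PAM module actually let them in, so that a local /etc/shadow account shadowing an IPA user (and therefore never reaching the password+OTP check) is flagged as "local". The log lines are constructed for the example with a placeholder host, placeholder PIDs and hypothetical "localadmin" and "baduser" accounts; the regexes and the pam_sequence(), admitted_users() and audit() functions are my own assumptions about the log format, not anything FreeIPA or OpenVPN ships.<br>

```python
"""Audit which PAM module admitted each OpenVPN user (added example, not FreeIPA/OpenVPN code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the journal format quoted in the thread. Host, PIDs and
# timestamps are placeholders; the 'localadmin' and 'baduser' lines are
# hypothetical cases added to show a local account being accepted without ever
# reaching SSSD/IPA, and a user rejected by both modules.
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=  user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:30:02 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost=  user=localadmin
Apr 01 11:30:02 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50240 TLS: Username/Password authentication succeeded for username 'localadmin'
Apr 01 11:31:10 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=baduser
Apr 01 11:31:13 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=baduser
"""

# One PAM verdict per module: "<module>(openvpn:auth): authentication <result>; ... user=<name>".
# The \b keeps "ruser=" (always empty here) from being taken for the "user=" field.
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\(openvpn:auth\): authentication (?P<result>success|failure);"
    r".*?\buser=(?P<user>\S+)"
)
# OpenVPN's own line once the auth-pam plugin returned status=0 for the credentials.
TLS_RE = re.compile(
    r"TLS: Username/Password authentication succeeded for username '(?P<user>[^']+)'"
)


def pam_sequence(log: str, user: str) -> List[Tuple[str, str]]:
    """Ordered (module, result) pairs the PAM stack produced for one user."""
    seq = []
    for line in log.splitlines():
        m = PAM_RE.search(line)
        if m and m.group("user") == user:
            seq.append((m.group("module"), m.group("result")))
    return seq


def admitted_users(log: str) -> List[str]:
    """Users for whom OpenVPN logged a successful username/password auth, first-seen order."""
    users: List[str] = []
    for line in log.splitlines():
        m = TLS_RE.search(line)
        if m and m.group("user") not in users:
            users.append(m.group("user"))
    return users


def audit(log: str) -> Dict[str, str]:
    """Map each admitted user to the module that let them in.

    'ipa'   : pam_sss succeeded, i.e. SSSD -> Kerberos -> ipa-otpd -> LDAP was used
    'local' : only pam_unix succeeded, i.e. a local /etc/shadow entry answered and
              the IPA password+OTP path was never consulted; worth investigating
    'none'  : OpenVPN admitted the user but no PAM module logged a success
    """
    verdicts: Dict[str, str] = {}
    for user in admitted_users(log):
        succeeded = {mod for mod, res in pam_sequence(log, user) if res == "success"}
        if "pam_sss" in succeeded:
            verdicts[user] = "ipa"
        elif "pam_unix" in succeeded:
            verdicts[user] = "local"
        else:
            verdicts[user] = "none"
    return verdicts


if __name__ == "__main__":
    for user, how in audit(SAMPLE_LOG).items():
        print(f"{user}: {how}  (pam sequence: {pam_sequence(SAMPLE_LOG, user)})")
```

    Feed it the same lines from the journal on the OpenVPN host. With the system-auth stack quoted above, an IPA user is expected to produce a pam_unix failure followed by a pam_sss success, exactly as vpnuser does in the excerpt; a "local" verdict means pam_unix accepted the credentials from the local account database and, with pam_unix ordered before pam_sss, SSSD and the OTP check were never reached for that login.<br>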
  </body>
</html>