[Freeipa-users] Query IPA for group membership

Dmitri Pal dpal at redhat.com
Fri Oct 5 17:50:53 UTC 2012


On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
> Hello,
>
> I have an IPA server running. This server has users who are members of
> various groups. I want to query the IPA server from an IPA client to
> know whether a user is a member of a group.
>
> I want to do this from the OpenVPN service using the
> openvpn_auth_pam.so. Normally one uses this like this:
>
> openvpn_auth_pam.so login
>
> This queries the PAM login (and thus IPA) if the username/password
> from openvpn is valid. The "login" is /etc/pam.d/login. OpenVPN docs
> say you could use other modules instead of login.
>
> So, I would like to add the next line:
>
> openvpn_auth_pam.so group <username> "openvpn"
>
> Where a /etc/pam.d/group file would check whether the user is a member
> of the group "openvpn". If not, false is returned and the login
> attempt (thru openvpn) fails.
>
> Is this possible? If not, is there a better way?
>
> Fred


Can you step up from the implementation and explain what you want to
accomplish?
It seems that you want to use OpenVPN and do some access control checks
when a user connects to OpenVPN. Right?
If you can describe the flow of operations we might be able to guide you to
the right solution.

Also would be nice to understand what OS OpenVPN is running on.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

