[Freeipa-users] Query IPA for group membership

Dmitri Pal dpal at redhat.com
Fri Oct 5 18:23:56 UTC 2012


On 10/05/2012 02:13 PM, Fred van Zwieten wrote:
> You are completely right :-)
>
> Both IPA server and client are RHEL6.3 x86_64 boxes.
>
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN
> instances running, because different users must end up in different
> subnets.
>
> OpenVPN instance 1 listens on port 50000
> OpenVPN instance 2 listens on port 50001
>
> Users for subnet 1 must connect and authenticate on instance 1 (and
> get an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and
> get an IP in subnet 2)
>
> Both OpenVPN instances use the login pam module.
>
> In this setup I can not prevent users for subnet 2 to connect and
> authenticate successfully on OpenVPN instance 1.
>
> So, I would like to put the users for OpenVPN instance 1 in group
> OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
>
> Next, the OpenVPN daemon must be able to check a user for membership.
> If it is not a member, false is returned, and the OpenVPN
> authentication fails.
>
> Documentation for the openvpn_auth_pam is here
> <https://community.openvpn.net/openvpn/browser/plugin/auth-pam/README?rev=6cfada268122fe54ce6d211d96c744e91d41248c>.
>

OK, makes sense.
What does your PAM configuration look like?
Especially the accounting part? What modules do you have there?
Could it be that the PAM module you are using expects some value that needs to be
configured in the openvpn_auth_pam config?

> Fred
>
>
> On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 10/05/2012 01:36 PM, Fred van Zwieten wrote:
>>     Hello,
>>
>>     I have an IPA server running. This server has users who are members
>>     of various groups. I want to query the IPA server from an IPA
>>     client to know whether a user is a member of a group.
>>
>>     I want to do this from the OpenVPN service using the
>>     openvpn_auth_pam.so. Normally one uses this like this:
>>
>>     openvpn_auth_pam.so login
>>
>>     This queries PAM login (and thus IPA) to check whether the
>>     username/password from openvpn is valid. The "login" is
>>     /etc/pam.d/login. OpenVPN docs say you could use other modules
>>     instead of login.
>>
>>     So, I would like to add the next line:
>>
>>     openvpn_auth_pam.so group <username> "openvpn"
>>
>>     Where a /etc/pam.d/group file would check whether the user is a
>>     member of the group "openvpn". If not, false is returned and the
>>     login attempt (through openvpn) fails.
>>
>>     Is this possible? If not is there a better way?
>>
>>     Fred
>
>
>     Can you step up from the implementation and explain what you want
>     to accomplish?
>     It seems that you want to use OpenVPN and do some access control
>     checks when user connects to OpenVPN. Right?
>     If you can describe the flow of operations we might be able to guide
>     you to the right solution.
>
>     It would also be nice to understand what OS OpenVPN is running on.
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
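The thread asks how the PAM stack behind openvpn_auth_pam.so can refuse a user who authenticates correctly but is not in the group for that OpenVPN instance. Dmitri's hint is the account part of the PAM configuration, and the usual way to express it is a dedicated PAM service file per instance whose account stack tests group membership before SSSD's own account checks. The script below is an added example, not part of the thread and not OpenVPN or FreeIPA project code. It assumes the IPA client is enrolled with SSSD (pam_sss.so), that OpenVPN1 and OpenVPN2 are POSIX groups in IPA so that `getent group OpenVPN1` resolves on the client, that the PAM service names openvpn1 and openvpn2 are free, and that the plugin lives at the path shown (the path varies by package; take it from your openvpn install). The plugin's only argument is the PAM service name, so each instance's server config points at its own service file.

```shell
#!/bin/sh
# Added example (not from the thread): one PAM service file per OpenVPN
# instance, so the auth-pam plugin can enforce IPA group membership in the
# PAM "account" stack. Assumes SSSD (pam_sss.so) on the IPA client and that
# OpenVPN1/OpenVPN2 are POSIX groups in IPA, so pam_succeed_if's
# "user ingroup" test can resolve them through NSS.
set -eu

# write_pam_service DIR SERVICE GROUP
# Writes DIR/SERVICE (DIR is /etc/pam.d in real use) with a stack that
# authenticates via SSSD and then rejects anyone outside GROUP.
write_pam_service() {
    dir=$1; service=$2; group=$3
    cat > "$dir/$service" <<EOF
#%PAM-1.0
# PAM service for OpenVPN instance "$service": members of IPA group "$group" only.
auth     required   pam_env.so
auth     sufficient pam_sss.so
auth     required   pam_deny.so
# The group test runs first, so a user with a correct password who is not
# in $group is still refused at the account stage.
account  required   pam_succeed_if.so user ingroup $group quiet_success
account  required   pam_sss.so
# OpenVPN never changes passwords through this service.
password required   pam_deny.so
session  required   pam_permit.so
EOF
    chmod 0644 "$dir/$service"
}

# openvpn_plugin_line SERVICE
# Prints the server.conf line that hands authentication to PAM service SERVICE.
# The plugin path is an assumption; use the path from your openvpn package.
openvpn_plugin_line() {
    printf 'plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so %s\n' "$1"
}

main() {
    pamdir=$1
    write_pam_service "$pamdir" openvpn1 OpenVPN1
    write_pam_service "$pamdir" openvpn2 OpenVPN2
    echo "Instance 1 (port 50000): $(openvpn_plugin_line openvpn1)"
    echo "Instance 2 (port 50001): $(openvpn_plugin_line openvpn2)"
}

# Usage: sh openvpn-pam.sh /etc/pam.d   (as root; no argument = do nothing)
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two points worth checking after installing the files: `id <user>` on the OpenVPN host must list the IPA group, otherwise pam_succeed_if fails closed for everyone, and the failure shows up in /var/log/secure as an account-stage denial rather than a bad password, which is the signal to watch for when a user is on the wrong instance. Because each instance has its own PAM service name, the same separation can alternatively be enforced centrally with IPA HBAC rules keyed on the service name, which keeps the group policy in IPA instead of in files on the VPN host.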




