[Freeipa-users] Query IPA for group membership

Simo Sorce simo at redhat.com
Fri Oct 5 18:24:54 UTC 2012


On Fri, 2012-10-05 at 20:13 +0200, Fred van Zwieten wrote:
> You are completely right :-)
> 
> 
> Both IPA server and client are RHEL6.3 x86_64 boxes.
> 
> 
> On the OpenVPN server (which is an IPA client), I have 2 OpenVPN
> instances running, because different users must end up in different
> subnets.
> 
> 
> OpenVPN instance 1 listens on port 50000
> OpenVPN instance 2 listens on port 50001
> 
> 
> Users for subnet 1 must connect and authenticate on instance 1 (and
> get an IP in subnet 1)
> Users for subnet 2 must connect and authenticate on instance 2 (and
> get an IP in subnet 2)
> 
> 
> Both OpenVPN instances use the login pam module.
> 
> 
> In this setup I can not prevent users for subnet 2 to connect and
> authenticate successfully on OpenVPN instance 1.
> 
> 
> So, I would like to put the users for OpenVPN instance 1 in group
> OpenVPN1 and users for OpenVPN instance 2 in group OpenVPN2 on IPA.
> 
> 
> Next, the OpenVPN daemon must be able to check a user for membership.
> If it is not a member, false is returned, and the OpenVPN
> authentication fails.
> 
> 
> Documentation for the openvpn_auth_pam is here. 
> 

Fred, what you can do is to use different PAM service names (if openvpn
allows you to do that).
Create 2 services, openvpn1 and openvpn2, and then use HBAC to assign
appropriate access control to those services for the openvpn
concentrator.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
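Simo's suggestion worked through as an added example (this is not code from the thread, from FreeIPA or from OpenVPN): one IPA group, one HBAC service and one HBAC rule per OpenVPN instance, plus the PAM stack for each service name. It assumes an admin Kerberos ticket for the ipa CLI, a concentrator enrolled as vpn.example.com, and OpenVPN loading openvpn-auth-pam with the service name as its argument ("plugin openvpn-auth-pam.so openvpn1"); the host name, the ipa binary and the PAM directory are overridable so the script can be dry-run.

```shell
#!/bin/sh
# Added example: per-instance HBAC for two OpenVPN PAM services.
# Override for a dry run, e.g. IPA=echo PAMDIR=/tmp/pam sh openvpn_hbac.sh apply
IPA=${IPA:-ipa}
PAMDIR=${PAMDIR:-/etc/pam.d}
VPN_HOST=${VPN_HOST:-vpn.example.com}   # assumed host name of the concentrator

# Group, HBAC service and rule for one instance (argument: 1 or 2).
# The rule is bound to the concentrator only, so the group gains nothing
# on other enrolled hosts.
define_instance() {
  n=$1
  "$IPA" group-add "openvpn${n}_users" --desc="Users allowed on OpenVPN instance $n"
  "$IPA" hbacsvc-add "openvpn$n" --desc="PAM service of OpenVPN instance $n"
  "$IPA" hbacrule-add "allow_openvpn$n" --desc="openvpn${n}_users on $VPN_HOST"
  "$IPA" hbacrule-add-user "allow_openvpn$n" --groups="openvpn${n}_users"
  "$IPA" hbacrule-add-host "allow_openvpn$n" --hosts="$VPN_HOST"
  "$IPA" hbacrule-add-service "allow_openvpn$n" --hbacsvcs="openvpn$n"
}

# PAM stack for one instance on the concentrator: pam_sss checks the password
# (auth) and then evaluates the HBAC rules for this service name (account).
write_pam_service() {
  n=$1
  cat > "$PAMDIR/openvpn$n" <<EOF
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
}

# Ask IPA what it would decide for a user on one service, without a VPN login.
check_access() {
  "$IPA" hbactest --user="$1" --host="$VPN_HOST" --service="$2"
}

setup() {
  define_instance 1
  define_instance 2
  write_pam_service 1
  write_pam_service 2
  # The stock allow_all rule admits every user on every service; while it is
  # enabled the per-instance rules restrict nothing.
  "$IPA" hbacrule-disable allow_all
}

if [ "${1:-}" = apply ]; then setup; fi
```

Disabling allow_all applies to every enrolled host, so rules for sshd and the other PAM services in the domain must exist before that step; check_access with a user from each group confirms that openvpn2_users is denied on openvpn1 before changing OpenVPN itself.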
