[Freeipa-users] Query IPA for group membership

Simo Sorce simo at redhat.com
Fri Oct 5 19:09:15 UTC 2012


Fred, I suggest you copy the 'login' file into 2 new files: openvpn1 and
openvpn2

Then configure the two instances with:
plugin openvpn_auth_pam openvpn1
and
plugin openvpn_auth_pam openvpn2
respectively.

Then you can create HBAC rules in IPA using openvpn1 and openvpn2 as
service names.

Simo.

On Fri, 2012-10-05 at 20:58 +0200, Fred van Zwieten wrote:
> Dmitri,
> 
> 
> Well, this is, sort of, the point. I have no experience using pam, so
> I have no idea how to set this up.
> 
> 
> I have authentication up and running, but, like I said, both OpenVPN
> instances happily authenticate users from both groups of users.
> 
> 
> In my openvpn config file I have:
> 
> 
> plugin openvpn_auth_pam login
> 
> 
> where login is the /etc/pam.d/login file. I have not adjusted this
> file. This is standard file for IPA client.
> 
> 
> So, my idea was to do this in openvpn config file:
> 
> 
> plugin openvpn_auth_pam login (can the user authenticate y/n?)
> plugin openvpn_auth_pam check_group name USERNAME group OPENVPN1 (is
> the user member of OPENVPN1 y/n?)
> 
> 
> plugin openvpn_auth_pam is afaik the only way to get OpenVPN to
> authenticate against IPA. I am not sure how this could be setup to
> work with HBAC..
> 
> 
> Fred
> 
> 
> On Fri, Oct 5, 2012 at 8:23 PM, Dmitri Pal <dpal at redhat.com> wrote:
>         On 10/05/2012 02:13 PM, Fred van Zwieten wrote: 
>         > You are completely right :-) 
>         > 
>         > 
>         > Both IPA server and client are RHEL6.3 x86_64 boxes.
>         > 
>         > 
>         > On the OpenVPN server (which is an IPA client), I have 2
>         > OpenVPN instances running, because different users must end
>         > up in different subnets
>         > 
>         > 
>         > OpenVPN instance 1 listens on port 50000
>         > OpenVPN instance 2 listens on port 50001
>         > 
>         > 
>         > Users for subnet 1 must connect and authenticate on instance
>         > 1 (and get an IP in subnet 1)
>         > Users for subnet 2 must connect and authenticate on instance
>         > 2 (and get an IP in subnet 2)
>         > 
>         > 
>         > Both OpenVPN instances use the login pam module.
>         > 
>         > 
>         > In this setup I cannot prevent users for subnet 2 from
>         > connecting and authenticating successfully on OpenVPN instance 1.
>         > 
>         > 
>         > So, I would like to put the users for OpenVPN instance 1 in
>         > group OpenVPN1 and users for OpenVPN instance 2 in group
>         > OpenVPN2 on IPA.
>         > 
>         > 
>         > Next, the OpenVPN daemon must be able to check a user for
>         > membership. If it is not a member, false is returned, and
>         > the OpenVPN authentication fails.
>         > 
>         > 
>         > Documentation for the openvpn_auth_pam is here. 
>         > 
>         > 
>         
>         
>         OK, makes sense.
>         What does your pam configuration look like?
>         Especially the accounting part? What modules do you have
>         there?
>         Could it be that the PAM module you are using expects some value
>         that needs to be configured in the openvpn_auth_pam config? 
>         
>         > Fred
>         > 
>         > 
>         > On Fri, Oct 5, 2012 at 7:50 PM, Dmitri Pal <dpal at redhat.com>
>         > wrote:
>         >         On 10/05/2012 01:36 PM, Fred van Zwieten wrote: 
>         >         > Hello, 
>         >         > 
>         >         > 
>         >         > I have an IPA server running. This server has users
>         >         > who are members of various groups. I want to query
>         >         > the IPA server from an IPA client to know whether
>         >         > a user is a member of a group.
>         >         > 
>         >         > 
>         >         > I want to do this from the OpenVPN service using
>         >         > the openvpn_auth_pam.so. Normally one uses this
>         >         > like this:
>         >         > 
>         >         > 
>         >         > openvpn_auth_pam.so login
>         >         > 
>         >         > 
>         >         > This queries the PAM login (and thus IPA) whether the
>         >         > username/password from openvpn is valid. The
>         >         > "login" is /etc/pam.d/login. OpenVPN docs say you
>         >         > could use other modules instead of login.
>         >         > 
>         >         > 
>         >         > So, I would like to add the next line:
>         >         > 
>         >         > 
>         >         > openvpn_auth_pam.so group <username> "openvpn"
>         >         > 
>         >         > 
>         >         > Where a /etc/pam.d/group file would check whether
>         >         > the user is member of the group "openvpn". If not,
>         >         > false is returned and the login attempt (thru
>         >         > openvpn) fails.
>         >         > 
>         >         > 
>         >         > Is this possible? If not is there a better way?
>         >         > 
>         >         > 
>         >         > Fred
>         >         
>         >         
>         >         
>         >         Can you step up from the implementation and explain
>         >         what you want to accomplish?
>         >         It seems that you want to use OpenVPN and do some
>         >         access control checks when user connects to OpenVPN.
>         >         Right?
>         >         If you can describe the flow of operations we might
>         >         be able to guide you to the right solution.
>         >         
>         >         Also would be nice to understand what OS OpenVPN is
>         >         running on.
>         >         
>         >         > 
>         >         > 
>         >         > 
>         >         > 
>         >         > _______________________________________________
>         >         > Freeipa-users mailing list
>         >         > Freeipa-users at redhat.com
>         >         > https://www.redhat.com/mailman/listinfo/freeipa-users
>         >         
>         >         
>         >         -- 
>         >         Thank you,
>         >         Dmitri Pal
>         >         
>         >         Sr. Engineering Manager for IdM portfolio
>         >         Red Hat Inc.
>         >         
>         >         
>         >         -------------------------------
>         >         Looking to carve out IT costs?
>         >         www.redhat.com/carveoutcosts/
>         >         
>         >         
>         > 
>         > 
>         > 
>         > 
>         
>         
>         
>         
> 
> 


-- 
Simo Sorce * Red Hat, Inc * New York
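Simo's three steps as a runnable script, added here as an example and not code from the thread or from the FreeIPA project. It assumes the VPN host is vpn.example.com, that IPA user groups openvpn1 and openvpn2 already exist, and that the host is an enrolled IPA client whose PAM stacks use pam_sss (SSSD); the plugin line keeps the form used in the thread.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes an enrolled IPA client with SSSD
# (pam_sss), existing IPA groups openvpn1/openvpn2 and VPN host vpn.example.com.
set -eu

PAM_DIR=${PAM_DIR:-/etc/pam.d}
VPN_HOST=${VPN_HOST:-vpn.example.com}

# One PAM service per OpenVPN instance. SSSD enforces HBAC in the account
# phase keyed on this service name, so it must match the hbacsvc in IPA.
make_pam_service() {   # $1 = new service name, $2 = base stack (default: login)
    local svc=$1 base=${2:-login}
    if [ ! -f "$PAM_DIR/$base" ]; then
        echo "base PAM stack $PAM_DIR/$base is missing" >&2; return 1
    fi
    if [ -e "$PAM_DIR/$svc" ]; then
        echo "$PAM_DIR/$svc already exists, not overwriting" >&2; return 1
    fi
    cp "$PAM_DIR/$base" "$PAM_DIR/$svc"
    # Without pam_sss in the account phase no HBAC check happens at all.
    grep -q 'account.*pam_sss\.so' "$PAM_DIR/$svc" ||
        echo "warning: $svc has no pam_sss.so account line; HBAC not enforced" >&2
}

# Plugin line for that instance's OpenVPN config (same form as in the thread).
openvpn_plugin_line() {   # $1 = PAM service name
    echo "plugin openvpn_auth_pam $1"
}

# Register the service in IPA and allow one group on the VPN host (needs an
# admin ticket). Note the default allow_all HBAC rule keeps granting everyone
# access until it is disabled, which affects every host in the domain.
ipa_hbac_for_instance() {   # $1 = PAM service name, $2 = IPA user group
    local svc=$1 grp=$2 rule="allow_$1"
    ipa hbacsvc-add "$svc" --desc="OpenVPN instance $svc"
    ipa hbacrule-add "$rule" --desc="$grp may use $svc on $VPN_HOST"
    ipa hbacrule-add-user "$rule" --groups="$grp"
    ipa hbacrule-add-host "$rule" --hosts="$VPN_HOST"
    ipa hbacrule-add-service "$rule" --hbacsvcs="$svc"
}

# "apply" performs the changes on the VPN host; otherwise only the plugin
# lines to paste into the two OpenVPN instance configs are printed.
if [ "${1:-}" = "apply" ]; then
    make_pam_service openvpn1; make_pam_service openvpn2
    ipa_hbac_for_instance openvpn1 openvpn1
    ipa_hbac_for_instance openvpn2 openvpn2
else
    openvpn_plugin_line openvpn1; openvpn_plugin_line openvpn2
fi
```

Before disabling the domain-wide default with `ipa hbacrule-disable allow_all`, simulate the outcome for a member of each group with `ipa hbactest --user=USER --host=vpn.example.com --service=openvpn1` (and openvpn2) so a user in the wrong group is denied and nobody else in the domain loses access unexpectedly.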