[Freeipa-users] Query IPA for group membership
Simo Sorce
simo at redhat.com
Sat Oct 6 18:45:25 UTC 2012
On Sat, 2012-10-06 at 08:12 +0200, Fred van Zwieten wrote:
> Hang on..I don't see how this can work (I haven't tried it btw).
>
>
> If I simply copy login to openvpn1 and call openvpn_auth_pam with that
> file as a parameter, how can it magically know to query IPA for the
> openvpn1 service as opposed to username/password? Must I not change
> the openvpn1 file to have it check for the service?
This is how it normally works with PAM enabled applications.
Openvpn opens the PAM stack and tells it that 'openvpn1' is the name of
the service performing an auth request.
The PAM stack then opens the openvpn1 file to find what is the sepcific
service configuration.
The service name is passed in to all pam modules.
In the PAM 'account' stack (which is run after the auth stack where the
normal username/password can be used), the PAM framework will call
pam_sss to check the account validity. This is where the pam_sss service
will contact the sssd_pam daemon and tell it that service openvpn1 is
trying to auth userX.
The sssd_pam module checks the HBAC rules and tries to match
user,machine,service to a rule. The rules will determine if the account
is allowed on the machine for the specific service.
If not pam_sss will return a suitable error in the account phase and
openvpn should return an authentication error.
HTH,
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list