> It is simple to configure OpenVPN with authentication against FreeIPA in
> Fedora 21, all the heavy lifting is done by SSSD:

I have to say that this sssd / pam method is working very very well. I do however need to get my head around radius. Something for a rainy Sunday I think :).

> # grep plugin /etc/openvpn/server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
>
> # LANG=C ls -l /etc/pam.d/openvpn
> lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth
>
> # LANG=C ipa user-show vpnuser
>   User login: vpnuser
>   First name: VPN
>   Last name: TestUser
>   Home directory: /home/vpnuser
>   Login shell: /bin/sh
>   Email address: [email protected]
>   UID: 1792600005
>   GID: 1792600005
>   Account disabled: False
>   User authentication types: otp
>   Password: True
>   Member of groups: ipausers
>   Kerberos keys available: True
>
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
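Added example, not part of the original thread: in the quoted journal, the successful IPA login is preceded by a pam_unix failure line for the same user, so counting raw "authentication failure" lines overstates failed VPN logins. This Python sketch collapses the per-module PAM lines into one verdict per attempt; the function names, the 10-second window and the last two sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the pam_* lines of the "openvpn" PAM service as they appear in the quoted journal.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ openvpn\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(openvpn:auth\): authentication (?P<result>success|failure);"
    r".*\buser=(?P<user>\S+)"
)
WINDOW = timedelta(seconds=10)  # assumption: upper bound for one run of the PAM stack

_TAIL = "logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser"
SAMPLE = [
    # First two lines are taken from the thread; the last two are constructed.
    "Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; " + _TAIL,
    "Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; " + _TAIL,
    "Apr 01 11:30:02 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; " + _TAIL,
    "Apr 01 11:30:04 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; " + _TAIL,
]

def parse(line):
    """Return (time, pid, user, module, result) for a PAM auth line, else None."""
    m = PAM_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed one is enough to compute deltas.
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["pid"], m["user"], m["module"], m["result"]

def attempts(lines):
    """Collapse per-module PAM results into one verdict per login attempt."""
    out, pending = [], {}  # pending: (pid, user) -> index in out of a still-failed attempt
    for ts, pid, user, module, result in filter(None, map(parse, lines)):
        key = (pid, user)
        i = pending.get(key)
        # Same attempt: same process and user, inside the window, module not yet seen.
        if i is not None and ts - out[i]["start"] <= WINDOW and module not in out[i]["modules"]:
            out[i]["modules"].append(module)
            if result == "success":
                out[i]["verdict"] = "success"
                del pending[key]
            continue
        out.append({"start": ts, "user": user, "modules": [module], "verdict": result})
        if result == "failure":
            pending[key] = len(out) - 1
        else:
            pending.pop(key, None)
    return out

if __name__ == "__main__":
    for a in attempts(SAMPLE):
        print(a["start"].strftime("%b %d %H:%M:%S"), a["user"], a["verdict"], a["modules"])
```

On the sample, three lines contain "authentication failure" but only the second attempt is a failed login.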
