On 04/01/2015 11:46 AM, Andrew Holway wrote:
Thanks Alexander.
What happens to the passwords? Are they hashed by Kerberos?
Yes. But stored in LDAP.
On 1 April 2015 at 15:14, Alexander Bokovoy <[email protected]> wrote:
On Wed, 01 Apr 2015, Andrew Holway wrote:
Please could someone explain to me what is happening internally?
In my head I have the following process....
The openvpn pam module sends the username and password to pam.
Pam passes this onto sssd
sssd then does the kerberos thing
kerberos passes the password to the LDAP
KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then binds to IPA LDAP to verify the password
some LDAP module takes the password from the database, appends on the OTP and actually does the auth...
Yes, the rest is correct.
http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture from "the Kerberos thing" on.
On 1 April 2015 at 13:15, Andrew Holway <[email protected]> wrote:
It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21, all the heavy lifting is done by SSSD:
I have to say that this sssd / pam method is working very very well.
I do however need to get my head around radius. Something for a rainy Sunday I think :).
# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth
# LANG=C ipa user-show vpnuser
User login: vpnuser
First name: VPN
Last name: TestUser
Home directory: /home/vpnuser
Login shell: /bin/sh
Email address: [email protected]
UID: 1792600005
GID: 1792600005
Account disabled: False
User authentication types: otp
Password: True
Member of groups: ipausers
Kerberos keys available: True
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing
list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
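The log excerpt Alexander posted above shows the pattern an operator sees on every login through this stack: pam_unix reports "authentication failure" (the user has no entry in /etc/passwd) and then pam_sss reports "authentication success", after which OpenVPN's TLS layer accepts the username/password. The interesting case for a reviewer is the inverse one: an OpenVPN success for which pam_sss never reported success, which means some other module in system-auth accepted the credentials and the FreeIPA password+OTP check was not the deciding factor (for example a local account shadowing the IPA user). The script below is an added example written for this thread, not code from the thread, from OpenVPN, from SSSD or from FreeIPA. It parses syslog lines of the shape shown above, pairs each OpenVPN "TLS: Username/Password authentication ..." verdict with the pam_unix/pam_sss results logged for that user since the previous verdict, and classifies the attempt. The sample lines are constructed after the posted ones; the host name, PIDs and the client address 198.51.100.7 are placeholders.

```python
"""Triage OpenVPN auth-pam syslog lines from an SSSD/FreeIPA-backed server.

Added example for the freeipa-users thread; not code from the thread or from
the OpenVPN, SSSD or FreeIPA projects. Only the log formats visible in the
thread are relied on: pam_<module>(openvpn:auth) result lines and OpenVPN's
"TLS: Username/Password authentication succeeded|failed" verdict lines.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (placeholder host, PIDs and client address 198.51.100.7):
#   attempt 1: the normal case from the thread, pam_unix fails, pam_sss succeeds
#   attempt 2: a bad password/OTP, pam_sss rejects and OpenVPN reports failure
#   attempt 3: OpenVPN reports success although pam_sss never reported success
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: 198.51.100.7:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:31:02 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:05 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:05 ipa.example.com openvpn[29732]: 198.51.100.7:50240 TLS: Username/Password authentication failed for username 'vpnuser'
Apr 01 11:40:11 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:40:11 ipa.example.com openvpn[29732]: 198.51.100.7:50251 TLS: Username/Password authentication succeeded for username 'vpnuser'
"""

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})"
# pam_unix / pam_sss result line as logged by the PAM modules.
PAM_RE = re.compile(
    TS + r" \S+ openvpn\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(openvpn:auth\): "
    r"authentication (?P<result>success|failure);.* user=(?P<user>\S+)$"
)
# OpenVPN's own verdict for the username/password exchange.
TLS_RE = re.compile(
    TS + r" \S+ openvpn\[(?P<pid>\d+)\]: (?P<client>\S+) TLS: Username/Password "
    r"authentication (?P<result>succeeded|failed) for username '(?P<user>[^']+)'$"
)


@dataclass
class Attempt:
    ts: str
    user: str
    client: str
    succeeded: bool
    modules: dict      # PAM module name -> "success" | "failure"
    verdict: str = ""


def classify(attempt: Attempt) -> str:
    """Decide whether SSSD (and therefore FreeIPA's password+OTP check) was the
    module that actually decided this login."""
    sss = attempt.modules.get("pam_sss")
    if attempt.succeeded:
        if sss == "success":
            return "ok: authenticated by pam_sss (SSSD/FreeIPA)"
        return ("ALERT: OpenVPN accepted the login but pam_sss did not report "
                "success; another module in the PAM stack authenticated the user")
    if sss == "failure":
        return "failed: pam_sss rejected the credentials (bad password/OTP)"
    return "failed: no pam_sss result logged for this attempt"


def triage(log_text: str) -> list:
    """Pair every OpenVPN verdict with the PAM module results logged for that
    user since the previous verdict. AUTH-PAM: BACKGROUND chatter is ignored."""
    pending = defaultdict(dict)   # user -> {module: result}
    attempts = []
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if m:
            pending[m["user"]][m["module"]] = m["result"]
            continue
        m = TLS_RE.match(line)
        if m:
            mods = pending.pop(m["user"], {})
            a = Attempt(m["ts"], m["user"], m["client"], m["result"] == "succeeded", mods)
            a.verdict = classify(a)
            attempts.append(a)
    return attempts


def alerts(attempts: list) -> list:
    """Only the attempts that warrant a look from an operator."""
    return [a for a in attempts if a.verdict.startswith("ALERT")]


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.ts} {a.user}@{a.client} modules={a.modules} -> {a.verdict}")
```

Run it against `journalctl -u openvpn@server` output instead of SAMPLE_LOG to triage a real server. The pam_unix failure on every attempt is expected noise for directory users and is deliberately not alerted on; the check that matters is the third case, where a success reaches OpenVPN without pam_sss having said yes.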