Hi.
I have a freeIPA server, on the server I have a group 'ovpn-users' which is designed to be a group to allow access to our OpenVPN server and to enforce OTP when connecting to the VPN.
My current setup works 'fine' - however it is allowing any user from any group access to the VPN, as soon as I enable
RequireGroup True
I cannot login at all.
I have tried every combination I can think of and altered the Group BaseDN, whatever I try doesn't work.
My workaround/hack to get this to work is to leave 'RequireGroup False' and change the user search filter to
SearchFilter "(uid=ovpn-%u)"
As all VPN usernames start with the prefix ovpn-
i.e.
ovpn-user1
Which means when they log in to the VPN they omit the prefix ovpn- (i.e. in the above case use user1).
Can anyone help get 'RequireGroup' working?
With ldapsearch I can see the ovpn-users members' uids using the following (I have omitted domain/user names):
---
# ldapsearch -Y gssapi -b cn=groups,cn=accounts,dc=xxxx,dc=xxxx '(cn=ovpn-users)'
SASL/GSSAPI authentication started
SASL username: xxxx@xxxx.xxxx
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=groups,cn=accounts,dc=xxxx,dc=xxxx> with scope subtree
# filter: (cn=ovpn-users)
# requesting: ALL
#

# ovpn-users, groups, accounts, xxxx.xxxx
dn: cn=ovpn-users,cn=groups,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-xxxxx,cn=users,cn=accounts,dc=xxxx,dc=xxxx
memberOf: ipaUniqueID=d1fbb816-1071-11ea-ab30-063361404bd4,cn=hbac,dc=xxxx,dc=xxxx
cn: ovpn-users
description: OpenVPN users
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
ipaUniqueID: e6415bdc-1071-11ea-814c-063361404bd4
gidNumber: 1928600030

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
---
And I have tried in the config
---
<Group>
    BaseDN "cn=groups,cn=accounts,dc=xxxx,dc=xxxx"
    SearchFilter "(cn=ovpn-users)"
    MemberAttribute member
    # Add group members to a PF table (disabled)
    #PFTable ips_vpn_eng
</Group>
---
I have also tried replacing the 'MemberAttribute' field with
- member
- memberUid
- memberOf
And have tried (probably over 100) different values in Group and user BaseDN
[1] Has anyone got RequireGroup to work?
Also I have these questions:
[2] Also: what can I do about RHEL 8 with the auth-ldap package? There is no package on RHEL/CentOS 8 and you cannot compile it, as Objective-C support is removed from RHEL 8.
[3] Are there going to be changes to IPA and PAM so I can use OpenVPN + IPA + OTP without the need for auth-ldap?
Thanks
---
On Fri, 29 Nov 2019, Morgan Cox via FreeIPA-users wrote:
Hi.
I have a freeIPA server, on the server I have a group 'ovpn-users' which is designed to be a group to allow access to our OpenVPN server and to enforce OTP when connecting to the VPN.
My current setup works 'fine' - however it is allowing any user from any group access to the VPN, as soon as I enable
RequireGroup True
I cannot login at all.
I have tried every combination I can think of and altered the Group BaseDN, whatever I try doesn't work.
My workaround/hack to get this to work is to leave 'RequireGroup False' and change the user search filter to
SearchFilter "(uid=ovpn-%u)"
As all VPN usernames start with the prefix ovpn-
i.e.
ovpn-user1
Which means when they log in to the VPN they omit the prefix ovpn- (i.e. in the above case use user1).
Can anyone help get 'RequireGroup' working?
Are you binding to LDAP for these searches anonymously? Access to the member attribute is only provided for authenticated connections.
Frankly, I would rather use HBAC rules and configure OpenVPN to ask PAM to do authorization, like we discussed some time ago in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
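The decision RequireGroup makes, and why an unreadable member attribute turns into "cannot login at all", worked through as an added example. This is my own Python, not openvpn-auth-ldap's code: it re-implements the check the plugin performs with RequireGroup True (the user's DN found by the <Authorization> search must appear in the group entry's MemberAttribute) and runs it over LDIF modelled on the ldapsearch output above. The two LDIF entries, the user names alice, bob and carol, and the user-DN construction from the "(uid=ovpn-%u)" filter are constructed for this example; that an anonymous bind returns the group without its member values follows the reply above and is an assumption here, to be confirmed with an `ldapsearch -x` against your own server.

```python
"""Simulated RequireGroup evaluation against two views of the same FreeIPA group.

Constructed example, not openvpn-auth-ldap's code. It re-implements the
decision the plugin makes with RequireGroup True (the user's DN must appear
in the group entry's MemberAttribute) and runs it over LDIF modelled on the
ldapsearch output in the thread, anonymised the same way.
"""
from typing import Dict, List, Tuple

USER_BASE = "cn=users,cn=accounts,dc=xxxx,dc=xxxx"

# Constructed: what the authenticated (GSSAPI) search in the thread returned.
LDIF_AUTHENTICATED = """\
# ovpn-users, groups, accounts, xxxx.xxxx
dn: cn=ovpn-users,cn=groups,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-alice,cn=users,cn=accounts,dc=xxxx,dc=xxxx
member: uid=ovpn-bob,cn=users,cn=accounts,dc=xxxx,dc=xxxx
cn: ovpn-users
description: OpenVPN users
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
gidNumber: 1928600030
"""

# Constructed: the same entry as an anonymous bind sees when the member
# attribute is not readable without authentication (assumption taken from the
# reply in the thread; verify with `ldapsearch -x` against your own server).
LDIF_ANONYMOUS = """\
dn: cn=ovpn-users,cn=groups,cn=accounts,dc=xxxx,dc=xxxx
cn: ovpn-users
description: OpenVPN users
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
gidNumber: 1928600030
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Handles comment lines and RFC 2849 folded continuation lines (leading
    space), which is how ldapsearch wraps long values such as the memberOf
    DN in the thread.
    """
    entry: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            entry[last_attr][-1] += line[1:]  # folded continuation
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip().lower()
        entry.setdefault(last_attr, []).append(value.strip())
    return entry


def user_dn_for(vpn_login: str) -> str:
    """Mirror the thread's <Authorization> SearchFilter "(uid=ovpn-%u)":
    the VPN login 'user1' resolves to the IPA account uid=ovpn-user1."""
    return f"uid=ovpn-{vpn_login},{USER_BASE}"


def require_group(entry: Dict[str, List[str]], user_dn: str,
                  member_attribute: str = "member") -> Tuple[bool, str]:
    """RequireGroup decision. Returns (allowed, reason).

    The check is a DN comparison against MemberAttribute, so:
      * the attribute must hold full DNs (FreeIPA's `member` does; it does
        not populate `memberUid`, and `memberOf` lives on the user entry);
      * if the attribute is absent from what the bind can read, no user can
        ever match, which is the "cannot login at all" symptom.
    Only case is normalised here; a real DN comparison normalises more.
    """
    values = entry.get(member_attribute.lower())
    if not values:
        return False, f"{member_attribute} not returned for {entry.get('dn', ['?'])[0]}"
    members = {v.lower() for v in values}
    if user_dn.lower() in members:
        return True, "member of group"
    return False, "not a member of group"


def decide(ldif_text: str, vpn_login: str,
           member_attribute: str = "member") -> Tuple[bool, str]:
    """Full path: parse the group entry, derive the user DN, apply RequireGroup."""
    return require_group(parse_ldif_entry(ldif_text), user_dn_for(vpn_login),
                         member_attribute)


if __name__ == "__main__":
    for label, ldif in (("authenticated bind", LDIF_AUTHENTICATED),
                        ("anonymous bind", LDIF_ANONYMOUS)):
        for login in ("alice", "carol"):
            allowed, why = decide(ldif, login)
            print(f"{label:18} {login:6} -> {'ALLOW' if allowed else 'DENY':5} ({why})")
    # memberUid is never present on this entry, so it denies even when authenticated.
    print("memberUid:", decide(LDIF_AUTHENTICATED, "alice", "memberUid"))
```

If the anonymous view is what the plugin sees, the fix belongs in the <LDAP> section rather than in <Group>: set BindDN and Password to a dedicated FreeIPA system account (conventionally created under cn=sysaccounts,cn=etc,<suffix>; that DN is an example, not something from the thread) so the member values are readable, and keep MemberAttribute as member, since FreeIPA stores full DNs there and does not populate memberUid.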
In my auth-ldap config I haven't put a password, so I assume it's anonymous?
Will HBAC rules work when using OTP also? My understanding was that pam_sss is hardcoded and only works with sshd?
i.e.
https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_toke...
On Fri, 29 Nov 2019, Morgan Cox via FreeIPA-users wrote:
In my auth-ldap config I haven't put a password, so I assume it's anonymous?
Will HBAC rules work when using OTP also? My understanding was that pam_sss is hardcoded and only works with sshd?
There is a change: https://pagure.io/SSSD/sssd/issue/3264. As Sumit said in https://pagure.io/SSSD/sssd/issue/3438,
"The "alternative approach" is already available.
If there is no reply to the second prompt (resp[1].resp == NULL || *(resp[1].resp) == '\0') then this code path is taken as well.
The special handling of sshd is not about putting password and OTP in a single value but the behavior of the conversation callback of sshd to put the single input from the user into every reply.
But there is one thing to keep in mind. pam_sss will send the data to SSSD flagged as password. If the user is configured for 2FA then the backend will assume the input is a password and OTP in a single string. But if the user is configured for both 2FA and 1FA then this input will only be used for the password (1FA) authentication. There will be no fallback to 2FA, because one of the original principles of SSSD was that the credentials will only be used once and not tried again as long as an authentication method is successful.
There is a more general ticket https://pagure.io/SSSD/sssd/issue/3264."
It is released in SSSD 2.2.0, so it is part of RHEL 8.1.0.
I haven't seen any release of SSSD 1.16 that includes the fixes yet, but the backport was done upstream to the 1.16 branch.
So you might want to try with RHEL 8.1 or Fedora 31.
Thank you, I can attempt to use RHEL 8.1 and test that.
One other thing: I note the master branch of openvpn-auth-pam -> https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam
now has
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
(this isn't in the latest stable 2.4.x)
In order to use it you have to add 'static-challenge' to the OpenVPN client config.
Will this work with sssd?
On Fri, 29 Nov 2019, Morgan Cox via FreeIPA-users wrote:
Thank you, I can attempt to use RHEL 8.1 and test that.
One other thing: I note the master branch of openvpn-auth-pam -> https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam
now has
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
(this isn't in the latest stable 2.4.x)
In order to use it you have to add 'static-challenge' to the OpenVPN client config.
Will this work with sssd?
Looking at the code, it should work. I haven't tried that myself, though, so it is purely theoretical.
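The plugin line and the static-challenge requirement from the last two messages, worked through as an added example in Python. This is constructed code of my own, not OpenVPN's or SSSD's: it models the static-challenge wire format, SCRV1:base64(password):base64(response), in which a client with `static-challenge` delivers password and OTP in the single password field, and the way an auth-pam argument string such as "login login USERNAME password PASSWORD pin OTP" (first token the PAM service, then prompt-prefix/value pairs) is used to answer PAM prompts. The matching rule used here, skip leading non-alphanumeric characters and then compare the prefix case-insensitively, is my reading of the plugin's name_value_match() and should be checked against the source at the GitHub URL above; the prompt strings "login: ", "Password: ", "PIN: ", "First Factor: " and "Second Factor: " are constructed for the example, not captured from pam_sss, and the second argument string is hypothetical.

```python
"""Simulated auth-pam prompt answering for an OpenVPN static-challenge login.

Constructed example; not code from the OpenVPN or SSSD projects. It models:
  1. the static-challenge wire format SCRV1:base64(password):base64(response),
     which a client with `static-challenge` sends in the password field;
  2. how a plugin argument string such as
     "login login USERNAME password PASSWORD pin OTP" turns PAM prompts into
     replies (first token: PAM service; then prompt-prefix/value pairs).
The matching rule (skip leading non-alphanumerics, then case-insensitive
prefix comparison) is an assumption from my reading of name_value_match().
The PAM prompt strings below are constructed, not captured from pam_sss.
"""
import base64
import shlex
from typing import Dict, List, Optional, Tuple

Pairs = List[Tuple[str, str]]


def encode_scrv1(password: str, otp: str) -> str:
    """Build the password field an OpenVPN client sends with static-challenge."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(otp)}"


def split_scrv1(field: str) -> Tuple[str, str]:
    """Split the SCRV1 field back into (password, response).
    A plain password (no SCRV1: prefix) yields an empty response."""
    if not field.startswith("SCRV1:"):
        return field, ""
    _, pw_b64, resp_b64 = field.split(":", 2)
    return base64.b64decode(pw_b64).decode(), base64.b64decode(resp_b64).decode()


def parse_plugin_args(argstring: str) -> Tuple[str, Pairs]:
    """'login login USERNAME password PASSWORD pin OTP' ->
    ('login', [('login', 'USERNAME'), ('password', 'PASSWORD'), ('pin', 'OTP')])"""
    tokens = shlex.split(argstring)
    service, rest = tokens[0], tokens[1:]
    if len(rest) % 2:
        raise ValueError("prompt/value list must come in pairs")
    return service, list(zip(rest[0::2], rest[1::2]))


def name_value_match(prompt: str, name: str) -> bool:
    """Assumed rule: ignore leading punctuation and whitespace, then compare
    the prompt's prefix against the configured name, case-insensitively."""
    i = 0
    while i < len(prompt) and not prompt[i].isalnum():
        i += 1
    if i == len(prompt):
        return False
    return prompt[i:i + len(name)].lower() == name.lower()


def answer_prompts(prompts: List[str], pairs: Pairs, username: str,
                   password_field: str) -> Dict[str, Optional[str]]:
    """Reply to each PAM prompt using the first matching pair.

    USERNAME/PASSWORD/OTP are substituted from the login; any other value is
    sent literally. None means no pair matched the prompt: a mapping gap, so
    the PAM module never receives an answer for it.
    """
    password, response = split_scrv1(password_field)
    subst = {"USERNAME": username, "PASSWORD": password, "OTP": response}
    answers: Dict[str, Optional[str]] = {}
    for prompt in prompts:
        answers[prompt] = None
        for name, value in pairs:
            if name_value_match(prompt, name):
                answers[prompt] = subst.get(value, value)
                break
    return answers


def simulate(argstring: str, prompts: List[str], username: str,
             password_field: str) -> Dict[str, Optional[str]]:
    """Parse the plugin arguments and answer the given prompts."""
    _service, pairs = parse_plugin_args(argstring)
    return answer_prompts(prompts, pairs, username, password_field)


# Constructed inputs: the argument string quoted in the thread, a login, and
# hypothetical prompt sets (none captured from a real pam_sss).
THREAD_ARGS = "login login USERNAME password PASSWORD pin OTP"
FIELD = encode_scrv1("s3cret", "123456")  # client had static-challenge set

if __name__ == "__main__":
    print(FIELD)
    # Prompts that start with the configured words are answered.
    print(simulate(THREAD_ARGS, ["login: ", "Password: ", "PIN: "], "user1", FIELD))
    # Prompts that start with anything else are not; both come back None.
    print(simulate(THREAD_ARGS, ["First Factor: ", "Second Factor: "], "user1", FIELD))
    # A mapping written for those prompt texts (hypothetical) answers them.
    print(simulate("login first PASSWORD second OTP",
                   ["First Factor: ", "Second Factor: "], "user1", FIELD))
```

The point to check on a real box is the prompt text pam_sss actually emits: the "pin OTP" pair only fires for prompts beginning with "pin", and the OTP reply is empty when the client did not send an SCRV1 field, which is the empty-second-reply case Sumit's quoted comment describes.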