Hi.
I have been trying to integrate openvpn with FreeIPA. General integration (i.e. using the IPA user password) works fine; my issue is connecting it with 2FA (OTP). Without writing an external script it is not possible to use OTP + IPA + openvpn, as there is no mechanism to ask for the 2nd factor in openvpn and only sshd is set up for a 2nd factor - the reasons are explained in this reddit post ->
https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_toke...
I was advised, however, that openvpn-auth-ldap can be used, as it is set up so you can input PASS+OTPTOKEN in the password field.
What I do not understand is what to enter in the /etc/openvpn/auth/ldap.conf config. I was advised I could get the data I need using ldapsearch with syntax similar to
# ldapsearch -ZZ -W -L -H ldap://ipa.example.org -b dc=example,dc=org -D uid=testuser,cn=users,cn=accounts,dc=example,dc=org
However, using this syntax I just got the error
"ldap_start_tls: Operations error (1), additional info: SSL connection already established"
I have found working commands to query LDAP such as
# ldapsearch -LL -Y GSSAPI
However I am really not sure what info I need to get.
The config for auth-ldap is at the end of the message; the only parts I think I know are (btw the ipa server is called ipa1.morgan.kvm)
---
URL             ldap://ipa1.morgan.kvm
TLSCACertFile   /etc/ipa/ca.crt
---
(this may be wrong..) I am unsure about the BaseDN and TLS cert paths, etc.
Can anyone help ?
The config is below
--------------
<LDAP>
        # LDAP server URL
        URL             ldap://ipa1.morgan.kvm

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        # BindDN        uid=Manager,ou=People,dc=example,dc=com

        # Bind Password
        # Password      SecretPassword

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /etc/ipa/ca.crt

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite    ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=example,dc=com"

        # User Search Filter
        SearchFilter    "(&(uid=%u)(accountStatus=active))"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>
--------------
Morgan Cox via FreeIPA-users wrote:
Hi.
I have been trying to integrate openvpn with FreeIPA. General integration (i.e. using the IPA user password) works fine; my issue is connecting it with 2FA (OTP). Without writing an external script it is not possible to use OTP + IPA + openvpn, as there is no mechanism to ask for the 2nd factor in openvpn and only sshd is set up for a 2nd factor
- the reasons are explained in this reddit post ->
https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_toke...
I was advised, however, that openvpn-auth-ldap can be used, as it is set up so you can input PASS+OTPTOKEN in the password field.
What I do not understand is what to enter in the /etc/openvpn/auth/ldap.conf config. I was advised I could get the data I need using ldapsearch with syntax similar to
# ldapsearch -ZZ -W -L -H ldap://ipa.example.org -b dc=example,dc=org -D uid=testuser,cn=users,cn=accounts,dc=example,dc=org
TLSEnable is enabled by default on IPA systems in /etc/openldap/ldap.conf. The first -Z means enable startTLS which is already enabled. The second -Z means quit on failure which it does because startTLS is already enabled.
However, using this syntax I just got the error
"ldap_start_tls: Operations error (1), additional info: SSL connection already established"
I have found working commands to query LDAP such as
# ldapsearch -LL -Y GSSAPI
It is more or less equivalent, using GSSAPI and your current Kerberos credentials rather than TLS and simple bind.
However I am really not sure what info I need to get.
I don't know what you need for this either.
The config for auth-ldap is at the end of the message; the only parts I think I know are (btw the ipa server is called ipa1.morgan.kvm)
URL             ldap://ipa1.morgan.kvm
TLSCACertFile   /etc/ipa/ca.crt
(this may be wrong..) I am unsure about the BaseDN and TLS cert paths, etc.
The basedn for what, users? You can get the basedn for the server from /etc/ipa/default.conf
The container for users is cn=users,cn=accounts,$BASEDN
Not sure which cert paths you need either but the CA cert chain is in /etc/ipa/ca.crt as you seem to have configured.
rob
Can anyone help ?
The config is below
<LDAP>
        # LDAP server URL
        URL             ldap://ipa1.morgan.kvm

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        # BindDN        uid=Manager,ou=People,dc=example,dc=com

        # Bind Password
        # Password      SecretPassword

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /etc/ipa/ca.crt

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite    ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=example,dc=com"

        # User Search Filter
        SearchFilter    "(&(uid=%u)(accountStatus=active))"

        # Require Group Membership
        RequireGroup    false

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "ou=Groups,dc=example,dc=com"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
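Rob's pointers above (the basedn from /etc/ipa/default.conf, users under cn=users,cn=accounts,$BASEDN, the CA chain in /etc/ipa/ca.crt) can be turned into a complete auth-ldap config mechanically. The script below is an added example written for this thread, not code from the FreeIPA project or from openvpn-auth-ldap: it parses a constructed sample of /etc/ipa/default.conf, derives FreeIPA's fixed containers from the basedn, and renders the <LDAP>/<Authorization> blocks. No BindDN is emitted because FreeIPA allows anonymous searches of user entries by default; the plugin then binds as the user's own DN with the PASS+OTPTOKEN string the client typed, so StartTLS is mandatory. The group name vpnusers is an assumption for the example, as is the sample file's content; cn=groups,cn=accounts (IPA groups are groupOfNames entries whose membership attribute is member) and cn=sysaccounts,cn=etc (where FreeIPA documents service bind accounts) are FreeIPA's standard layout.

```python
import configparser
import textwrap

# Constructed sample of /etc/ipa/default.conf, in the format ipa-client-install
# and ipa-server-install write; the values are made up for this example.
SAMPLE_DEFAULT_CONF = """\
[global]
basedn = dc=morgan,dc=kvm
realm = MORGAN.KVM
domain = morgan.kvm
server = ipa1.morgan.kvm
host = ipa1.morgan.kvm
xmlrpc_uri = https://ipa1.morgan.kvm/ipa/xml
"""


def parse_default_conf(text):
    """Return the [global] section of an /etc/ipa/default.conf as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("global"):
        raise ValueError("default.conf has no [global] section")
    return dict(cp.items("global"))


def ipa_containers(basedn):
    """FreeIPA's fixed DIT layout: users and groups live under cn=accounts,
    service bind accounts under cn=sysaccounts,cn=etc."""
    return {
        "users": f"cn=users,cn=accounts,{basedn}",
        "groups": f"cn=groups,cn=accounts,{basedn}",
        "sysaccounts": f"cn=sysaccounts,cn=etc,{basedn}",
    }


def render_auth_ldap_conf(server, basedn, vpn_group="vpnusers", ca_file="/etc/ipa/ca.crt"):
    """Render an openvpn-auth-ldap config for a FreeIPA back end.

    No BindDN: FreeIPA permits anonymous searches of user entries by default, and
    the plugin then binds as the user's own DN with the password+OTP string the
    client typed. StartTLS is on so that string never crosses the wire in clear.
    vpn_group is an assumed group name for the example."""
    c = ipa_containers(basedn)
    return textwrap.dedent(f"""\
        <LDAP>
            URL             ldap://{server}
            # If anonymous access is disabled on the IPA server, create a system
            # account under {c['sysaccounts']} and set BindDN/Password to it.
            Timeout         15
            TLSEnable       yes
            TLSCACertFile   {ca_file}
        </LDAP>

        <Authorization>
            BaseDN          "{c['users']}"
            SearchFilter    "(uid=%u)"
            RequireGroup    true
            <Group>
                BaseDN          "{c['groups']}"
                SearchFilter    "(cn={vpn_group})"
                MemberAttribute member
            </Group>
        </Authorization>
        """)


def directives(conf):
    """Flatten a rendered config into whitespace-normalised 'Key value' lines
    (comments and section tags dropped) so callers can check what was emitted."""
    out = []
    for line in conf.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and not s.startswith("<"):
            out.append(" ".join(s.split()))
    return out


if __name__ == "__main__":
    # On a real IPA client: open("/etc/ipa/default.conf").read() instead of the sample.
    g = parse_default_conf(SAMPLE_DEFAULT_CONF)
    print(render_auth_ldap_conf(g["server"], g["basedn"]))
```

Run on an IPA-enrolled host with the sample swapped for the real file, the output is a drop-in /etc/openvpn/auth/ldap.conf; the user still has to have OTP enabled in IPA for the concatenated password+token bind to be accepted.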
Hi.
Thank you for taking the time to respond.
I have been playing with the options literally all day and still haven't got it to connect via auth-ldap.
I think it may be the BindDN part I am missing.. Also unsure if I need the BindDN and password set..
Presently my config (/etc/openvpn/auth/ldap.conf) looks like :- (ignore the pass, it's a test server not open to the internet..)
----------------
<LDAP>
        # LDAP server URL
        URL             ldap://ipa1.morgan.kvm

        # Bind DN (If your LDAP server doesn't support anonymous binds)
        #BindDN         dc=morgan,dc=kvm

        # Bind Password
        Password        "test_123"

        # Network timeout (in seconds)
        Timeout         15

        # Enable Start TLS
        TLSEnable       yes

        # Follow LDAP Referrals (anonymously)
        FollowReferrals yes

        # TLS CA Certificate File
        TLSCACertFile   /etc/ipa/ca.crt

        # TLS CA Certificate Directory
        TLSCACertDir    /etc/ssl/certs

        # Client Certificate and key
        # If TLS client authentication is required
        #TLSCertFile    /usr/local/etc/ssl/client-cert.pem
        #TLSKeyFile     /usr/local/etc/ssl/client-key.pem

        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite    ALL:!ADH:@STRENGTH
        #TLSCipherSuite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA2$
</LDAP>

<Authorization>
        # Base DN
        #BaseDN         "cn=users,cn=accounts,dc=morgan,dc=kvm"
        BaseDN          "dc=morgan,dc=kvm"

        # User Search Filter
        SearchFilter    "(uid=%u)"

        # Require Group Membership
        RequireGroup    true

        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users

        <Group>
                BaseDN          "cn=users,cn=accounts,dc=morgan,dc=kvm"
                SearchFilter    "(cn=ipausers)"
                MemberAttribute uniqueMember
                # Add group members to a PF table (disabled)
                #PFTable        ips_vpn_eng
        </Group>
</Authorization>
----------------
Using this method I can see in the openvpn client log
---------
Tue Sep 18 17:26:46 2018 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Tue Sep 18 17:26:46 2018 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Sep 18 17:26:46 2018 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Sep 18 17:26:46 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:46 2018 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Sep 18 17:26:46 2018 UDP link local: (not bound)
Tue Sep 18 17:26:46 2018 UDP link remote: [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:46 2018 TLS: Initial packet from [AF_INET]192.168.122.15:1194, sid=3a69634f 7bb2d4c1
Tue Sep 18 17:26:46 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Sep 18 17:26:46 2018 VERIFY OK: depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:26:46 2018 VERIFY OK: nsCertType=SERVER
Tue Sep 18 17:26:46 2018 VERIFY KU OK
Tue Sep 18 17:26:46 2018 Validating certificate extended key usage
Tue Sep 18 17:26:46 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Sep 18 17:26:46 2018 VERIFY EKU OK
Tue Sep 18 17:26:46 2018 VERIFY OK: depth=0, CN=openvpntest.morgan.kvm
Tue Sep 18 17:26:46 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:26:46 2018 [openvpntest.morgan.kvm] Peer Connection Initiated with [AF_INET]192.168.122.15:1194
Tue Sep 18 17:26:47 2018 SENT CONTROL [openvpntest.morgan.kvm]: 'PUSH_REQUEST' (status=1)
Tue Sep 18 17:26:47 2018 AUTH: Received control message: AUTH_FAILED
Tue Sep 18 17:26:47 2018 SIGTERM[soft,auth-failure] received, process exiting
---------
And in the server log : I note " TLS Auth Error: Auth Username/Password verification failed for peer", which looks like a TLS issue ??
--------------------------
Tue Sep 18 17:46:17 2018 us=534356 MULTI: multi_create_instance called
Tue Sep 18 17:46:17 2018 us=534567 192.168.122.223:54272 Re-using SSL/TLS context
Tue Sep 18 17:46:17 2018 us=534614 192.168.122.223:54272 LZO compression initializing
Tue Sep 18 17:46:17 2018 us=534806 192.168.122.223:54272 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue Sep 18 17:46:17 2018 us=534863 192.168.122.223:54272 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Sep 18 17:46:17 2018 us=534945 192.168.122.223:54272 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Tue Sep 18 17:46:17 2018 us=534973 192.168.122.223:54272 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Tue Sep 18 17:46:17 2018 us=535065 192.168.122.223:54272 TLS: Initial packet from [AF_INET]192.168.122.223:54272, sid=09635563 e216bb99
Tue Sep 18 17:46:17 2018 us=558083 192.168.122.223:54272 VERIFY OK: depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:46:17 2018 us=558234 192.168.122.223:54272 VERIFY KU OK
Tue Sep 18 17:46:17 2018 us=558255 192.168.122.223:54272 Validating certificate extended key usage
Tue Sep 18 17:46:17 2018 us=558266 192.168.122.223:54272 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Tue Sep 18 17:46:17 2018 us=558275 192.168.122.223:54272 VERIFY EKU OK
Tue Sep 18 17:46:17 2018 us=558282 192.168.122.223:54272 VERIFY OK: depth=0, CN=ovpn-client1
Tue Sep 18 17:46:17 2018 us=561418 192.168.122.223:54272 peer info: IV_VER=2.4.6
Tue Sep 18 17:46:17 2018 us=561465 192.168.122.223:54272 peer info: IV_PLAT=linux
Tue Sep 18 17:46:17 2018 us=561477 192.168.122.223:54272 peer info: IV_PROTO=2
Tue Sep 18 17:46:17 2018 us=561486 192.168.122.223:54272 peer info: IV_NCP=2
Tue Sep 18 17:46:17 2018 us=561494 192.168.122.223:54272 peer info: IV_LZ4=1
Tue Sep 18 17:46:17 2018 us=561502 192.168.122.223:54272 peer info: IV_LZ4v2=1
Tue Sep 18 17:46:17 2018 us=561510 192.168.122.223:54272 peer info: IV_LZO=1
Tue Sep 18 17:46:17 2018 us=561519 192.168.122.223:54272 peer info: IV_COMP_STUB=1
Tue Sep 18 17:46:17 2018 us=561538 192.168.122.223:54272 peer info: IV_COMP_STUBv2=1
Tue Sep 18 17:46:17 2018 us=561547 192.168.122.223:54272 peer info: IV_TCPNL=1
Tue Sep 18 17:46:17 2018 us=582461 192.168.122.223:54272 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Sep 18 17:46:17 2018 us=582524 192.168.122.223:54272 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Tue Sep 18 17:46:17 2018 us=582571 192.168.122.223:54272 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 18 17:46:17 2018 us=583059 192.168.122.223:54272 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:46:17 2018 us=583119 192.168.122.223:54272 [ovpn-client1] Peer Connection Initiated with [AF_INET]192.168.122.223:54272
Tue Sep 18 17:46:18 2018 us=806322 192.168.122.223:54272 PUSH: Received control message: 'PUSH_REQUEST'
Tue Sep 18 17:46:18 2018 us=806438 192.168.122.223:54272 Delayed exit in 5 seconds
Tue Sep 18 17:46:18 2018 us=806484 192.168.122.223:54272 SENT CONTROL [ovpn-client1]: 'AUTH_FAILED' (status=1)
Tue Sep 18 17:46:24 2018 us=152743 192.168.122.223:54272 SIGTERM[soft,delayed-exit] received, client-instance exiting
--------------------------
However, if I change the ldap-auth config file to
- uncomment: BindDN dc=morgan,dc=kvm
- change: TLSEnable -> no
This is the openvpn server output - I see "LDAP bind failed: Inappropriate authentication"
----------------
Tue Sep 18 17:49:06 2018 us=496975 MULTI: multi_create_instance called
Tue Sep 18 17:49:06 2018 us=497229 192.168.122.223:34170 Re-using SSL/TLS context
Tue Sep 18 17:49:06 2018 us=497303 192.168.122.223:34170 LZO compression initializing
Tue Sep 18 17:49:06 2018 us=497506 192.168.122.223:34170 Control Channel MTU parms [ L:1622 D:1140 EF:110 EB:0 ET:0 EL:3 ]
Tue Sep 18 17:49:06 2018 us=497578 192.168.122.223:34170 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Tue Sep 18 17:49:06 2018 us=497731 192.168.122.223:34170 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Tue Sep 18 17:49:06 2018 us=497782 192.168.122.223:34170 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Tue Sep 18 17:49:06 2018 us=497855 192.168.122.223:34170 TLS: Initial packet from [AF_INET]192.168.122.223:34170, sid=a5214c27 7611da04
Tue Sep 18 17:49:06 2018 us=526256 192.168.122.223:34170 VERIFY OK: depth=1, CN=openvpntest.morgan.kvm
Tue Sep 18 17:49:06 2018 us=526469 192.168.122.223:34170 VERIFY KU OK
Tue Sep 18 17:49:06 2018 us=526498 192.168.122.223:34170 Validating certificate extended key usage
Tue Sep 18 17:49:06 2018 us=526514 192.168.122.223:34170 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Tue Sep 18 17:49:06 2018 us=526526 192.168.122.223:34170 VERIFY EKU OK
Tue Sep 18 17:49:06 2018 us=526538 192.168.122.223:34170 VERIFY OK: depth=0, CN=ovpn-client1
Tue Sep 18 17:49:06 2018 us=530464 192.168.122.223:34170 peer info: IV_VER=2.4.6
Tue Sep 18 17:49:06 2018 us=530517 192.168.122.223:34170 peer info: IV_PLAT=linux
Tue Sep 18 17:49:06 2018 us=530531 192.168.122.223:34170 peer info: IV_PROTO=2
Tue Sep 18 17:49:06 2018 us=530542 192.168.122.223:34170 peer info: IV_NCP=2
Tue Sep 18 17:49:06 2018 us=530552 192.168.122.223:34170 peer info: IV_LZ4=1
Tue Sep 18 17:49:06 2018 us=530561 192.168.122.223:34170 peer info: IV_LZ4v2=1
Tue Sep 18 17:49:06 2018 us=530571 192.168.122.223:34170 peer info: IV_LZO=1
Tue Sep 18 17:49:06 2018 us=530581 192.168.122.223:34170 peer info: IV_COMP_STUB=1
Tue Sep 18 17:49:06 2018 us=530591 192.168.122.223:34170 peer info: IV_COMP_STUBv2=1
Tue Sep 18 17:49:06 2018 us=530601 192.168.122.223:34170 peer info: IV_TCPNL=1
LDAP bind failed: Inappropriate authentication
Unable to bind as dc=morgan,dc=kvm
LDAP connect failed.
Tue Sep 18 17:49:06 2018 us=533422 192.168.122.223:34170 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Sep 18 17:49:06 2018 us=533448 192.168.122.223:34170 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
Tue Sep 18 17:49:06 2018 us=533486 192.168.122.223:34170 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 18 17:49:06 2018 us=533860 192.168.122.223:34170 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Sep 18 17:49:06 2018 us=533904 192.168.122.223:34170 [ovpn-client1] Peer Connection Initiated with [AF_INET]192.168.122.223:34170
Tue Sep 18 17:49:07 2018 us=545087 192.168.122.223:34170 PUSH: Received control message: 'PUSH_REQUEST'
Tue Sep 18 17:49:07 2018 us=545217 192.168.122.223:34170 Delayed exit in 5 seconds
Tue Sep 18 17:49:07 2018 us=545272 192.168.122.223:34170 SENT CONTROL [ovpn-client1]: 'AUTH_FAILED' (status=1)
Tue Sep 18 17:49:12 2018 us=665108 192.168.122.223:34170 SIGTERM[soft,delayed-exit] received, client-instance exiting
---------------------------
Also on the IPA server (using the above method)
-----------------
[18/Sep/2018:17:49:05.953156501 +0100] conn=689 fd=112 slot=112 connection from 192.168.122.15 to 192.168.122.20
[18/Sep/2018:17:49:05.953488573 +0100] conn=689 op=0 BIND dn="dc=morgan,dc=kvm" method=128 version=3
[18/Sep/2018:17:49:05.953862643 +0100] conn=689 op=0 RESULT err=48 tag=97 nentries=0 etime=0.0000670081
[18/Sep/2018:17:49:05.954298020 +0100] conn=689 op=1 UNBIND
[18/Sep/2018:17:49:05.954317117 +0100] conn=689 op=1 fd=112 closed - U1
------------------
Can anyone help me here - i.e. do I use TLSEnable? do I set a BindDN? and do I need the password? And is my BaseDN set correctly?
Any help would be welcomed....
using auth-pam it works (but not with OTP)
On Mon, 17 Sep 2018 at 18:37, Rob Crittenden rcritten@redhat.com wrote:
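The four questions at the end of the follow-up post (TLSEnable, BindDN, Password, BaseDN) and the err=48 in the IPA access log can all be checked against the config file before restarting OpenVPN again. The script below is an added example for this thread, not part of openvpn-auth-ldap or FreeIPA: it parses the plugin's Apache-style <Section> config into nested dicts and lints it against FreeIPA's directory layout. WEAK_CONF is constructed to mirror the follow-up's second attempt (BindDN set to the suffix, StartTLS off, group search under cn=users with uniqueMember); FIXED_CONF is the same config with each finding addressed. The finding texts state facts about 389 Directory Server and FreeIPA (a simple bind to an entry that cannot authenticate returns LDAP result 48, inappropriateAuthentication; IPA groups carry membership in the member attribute; a suffix-wide (uid=%u) search can also hit compat-tree and preserved-user entries); the sample values themselves are made up.

```python
import re

# Constructed config modelled on the follow-up post in this thread: BindDN is the
# directory suffix, StartTLS is off, and the group block searches under cn=users
# with uniqueMember. Values are made up for the example.
WEAK_CONF = """
<LDAP>
    URL             ldap://ipa1.morgan.kvm
    BindDN          dc=morgan,dc=kvm
    Password        "test_123"
    Timeout         15
    TLSEnable       no
    TLSCACertFile   /etc/ipa/ca.crt
</LDAP>
<Authorization>
    BaseDN          "dc=morgan,dc=kvm"
    SearchFilter    "(uid=%u)"
    RequireGroup    true
    <Group>
        BaseDN          "cn=users,cn=accounts,dc=morgan,dc=kvm"
        SearchFilter    "(cn=ipausers)"
        MemberAttribute uniqueMember
    </Group>
</Authorization>
"""

# The same config with the findings addressed: anonymous search (no BindDN),
# StartTLS on, users and groups containers, and IPA's 'member' attribute.
FIXED_CONF = """
<LDAP>
    URL             ldap://ipa1.morgan.kvm
    Timeout         15
    TLSEnable       yes
    TLSCACertFile   /etc/ipa/ca.crt
</LDAP>
<Authorization>
    BaseDN          "cn=users,cn=accounts,dc=morgan,dc=kvm"
    SearchFilter    "(uid=%u)"
    RequireGroup    true
    <Group>
        BaseDN          "cn=groups,cn=accounts,dc=morgan,dc=kvm"
        SearchFilter    "(cn=ipausers)"
        MemberAttribute member
    </Group>
</Authorization>
"""

_OPEN, _CLOSE = re.compile(r"^<(\w+)>$"), re.compile(r"^</(\w+)>$")


def parse_auth_ldap(text):
    """Parse openvpn-auth-ldap's Apache-style config into nested dicts.
    Comments are stripped, values keep their case, surrounding quotes are removed."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := _OPEN.match(line):
            node = {}
            (stack[-1][1] if stack else root)[m.group(1)] = node
            stack.append((m.group(1), node))
        elif m := _CLOSE.match(line):
            if not stack or stack[-1][0] != m.group(1):
                raise ValueError(f"unbalanced section at: {line}")
            stack.pop()
        else:
            if not stack:
                raise ValueError(f"directive outside any section: {line}")
            parts = line.split(None, 1)
            stack[-1][1][parts[0]] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    if stack:
        raise ValueError(f"unclosed section: {stack[-1][0]}")
    return root


def lint_for_freeipa(cfg, basedn):
    """Return (code, message) findings for a config that should talk to FreeIPA."""
    ldap, auth = cfg.get("LDAP", {}), cfg.get("Authorization", {})
    group = auth.get("Group", {})
    users = f"cn=users,cn=accounts,{basedn}".lower()
    groups = f"cn=groups,cn=accounts,{basedn}".lower()
    out = []
    if ldap.get("TLSEnable", "no").lower() != "yes" and not ldap.get("URL", "").lower().startswith("ldaps://"):
        out.append(("TLS", "StartTLS is off and URL is not ldaps://: the password+OTP the user "
                           "typed would cross the network to IPA in clear text"))
    bind = ldap.get("BindDN", "").lower()
    if bind and bind == basedn.lower():
        out.append(("BINDDN", "BindDN is the directory suffix, not an account; a simple bind to it "
                              "gets err=48 (inappropriate authentication). Leave BindDN unset for an "
                              "anonymous search, or use a system account under cn=sysaccounts,cn=etc"))
    if "Password" in ldap and not bind:
        out.append(("PASSWORD", "Password is set but BindDN is not; the search runs without a bind "
                                "DN and the Password is unused"))
    if auth.get("BaseDN", "").lower() != users:
        out.append(("BASEDN", f"user search base should be {users}; a (uid=%u) search from the "
                              "suffix can also match compat-tree or preserved (deleted) user entries"))
    if auth.get("RequireGroup", "false").lower() == "true" and not group:
        out.append(("GROUP", "RequireGroup is true but no <Group> block is configured"))
    if group and group.get("BaseDN", "").lower() != groups:
        out.append(("GROUP_BASE", f"group search base should be {groups}"))
    if group and group.get("MemberAttribute", "").lower() != "member":
        out.append(("MEMBER_ATTR", "IPA groups are groupOfNames entries: MemberAttribute must be "
                                   "'member', not uniqueMember"))
    return out


if __name__ == "__main__":
    # On the OpenVPN server: open("/etc/openvpn/auth/ldap.conf").read() instead of the sample.
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        findings = lint_for_freeipa(parse_auth_ldap(conf), "dc=morgan,dc=kvm")
        print(f"{name}: {len(findings)} finding(s)")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
```

Run as-is it reports five findings for the weak config (TLS, BINDDN, BASEDN, GROUP_BASE, MEMBER_ATTR) and none for the fixed one; the BINDDN finding is exactly the "BIND dn="dc=morgan,dc=kvm" method=128 ... RESULT err=48" pair the IPA access log shows above, since method=128 is a simple bind and the suffix entry has no password to check.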