Hello, I am trying to configure my OpenVPN setup to authenticate against FreeIPA. I have OpenVPN configured and it is accepting connections. The package for ldap_auth is installed and configured. However, I have tried to set up anonymous LDAP lookups and authenticated LDAP lookups and neither seems to be working. Every time I change the config to test, OpenVPN works just fine. However, when I try to connect to the VPN it tells me that the LDAP bind failed with invalid credentials. I have been combing through Google and found that a few people used PAM in the past and still do today. Is this the proper procedure for setting this up?
Is there a similar pam module that I could copy/link?
Thank you, Andrew
Have you taken a look at this?
https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam
That is a plugin we have on our OpenVPN server which is backed by FreeIPA.
In our OpenVPN server conf file we have a line that looks like this.
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
(root)>ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 27 Dec 30 2016 /etc/pam.d/openvpn -> /etc/pam.d/password-auth-ac
The PAM module called 'openvpn' looks like this. As you can see openvpn is a symlink.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
That may help.
Mike Plemmons | Senior DevOps Engineer | CrossChx
614.427.2411 mike.plemmons@crosschx.com
www.crosschx.com
On Wed, Dec 6, 2017 at 3:13 PM, Andrew Meyer via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
I think I did see that while searching, but did not click on it. I will now! Thank you!
On Wednesday, December 6, 2017 2:24 PM, Michael Plemmons via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I already had the line in there for the plugin.
On Wednesday, December 6, 2017 2:28 PM, Andrew Meyer andrewm659@yahoo.com wrote:
We use openvpn's "auth-user-pass-verify" option to call a perl script that queries PAM.
I can't provide all of it since it has sensitive/corporate information, but essentially OpenVPN will provide the password used during client negotiation as an environment variable, and the Perl script sends that to PAM to be validated. Then, based on the results, the script will exit with either 0 (Good/Pass) or 1 (Bad/Fail). OpenVPN will automatically terminate the connection if the script exits with anything other than 0.
We ended up going this route because we also wanted to verify a TOTP token as well as the user/pass, and the Perl script allows for that (we obtain the TOTP token by configuring the client ovpn to request "static-challenge", which is also provided to the script via environment variable).
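The auth-user-pass-verify flow described in this reply, as an added example that is not the poster's script (and in Python rather than Perl): it assumes the via-env form of the option with script-security 3 and a static-challenge client directive, under which OpenVPN packs the challenge response into the password variable as SCRV1:base64(password):base64(response); the config paths, and the pam_check/totp_check callables that stand in for the real PAM and TOTP lookups, are assumptions.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify script: added example in Python in place of the
list reply's Perl. PAM and TOTP checks are injected callables so it runs offline.
Assumed config:  server  auth-user-pass-verify /etc/openvpn/verify.py via-env
                         script-security 3
                 client  static-challenge "Enter TOTP" 1
With via-env OpenVPN exports `username` and `password`; with static-challenge the
password field is packed as  SCRV1:<base64 password>:<base64 response>.
"""
import base64
import os
import sys


def parse_static_challenge(raw):
    """Split the SCRV1 password field into (password, challenge_response).
    Without static-challenge the field is the plain password: return (raw, None)."""
    if not raw.startswith("SCRV1:"):
        return raw, None
    parts = raw.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 credential")
    password = base64.b64decode(parts[1], validate=True).decode()
    response = base64.b64decode(parts[2], validate=True).decode()
    return password, response


def verify(env, pam_check, totp_check):
    """Return the exit status OpenVPN acts on: 0 = allow, anything else = drop.
    pam_check(user, password) and totp_check(user, code) return True/False; in
    production pam_check would call libpam with the 'openvpn' service, e.g.
    python-pam's pam.pam().authenticate(user, password, service="openvpn").
    A missing field, a malformed credential or any exception is a reject."""
    try:
        user = env["username"]
        password, response = parse_static_challenge(env["password"])
        if not user or not password or response is None:
            return 1  # this server requires the TOTP challenge response
        if not pam_check(user, password):
            return 1
        return 0 if totp_check(user, response) else 1
    except Exception:
        return 1


if __name__ == "__main__":
    # Stub checks that deny everything; wire in PAM and TOTP before deploying.
    sys.exit(verify(os.environ, lambda u, p: False, lambda u, c: False))
```

Because OpenVPN only checks the exit status, every failure path (including a parse error) must end in a non-zero exit; the script never reaches 0 by accident.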
On 12/06/2017 03:29 PM, Andrew Meyer via FreeIPA-users wrote: