I've been struggling for a while with setting up OpenVPN authentication against FreeIPA user accounts.
I have 2 servers:
1. FreeIPA main server (CentOS 7)
2. OpenVPN server (Ubuntu 16.04), with freeipa-client configured via:

Code:
# ipa-client-install

Both services work out of the box; in this case I'm able to log in as a FreeIPA user locally (e.g. su - freeipauser).

Code:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh3072.pem
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 217.31.204.130"
push "dhcp-option DNS 193.29.206.206"
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA384
comp-lzo yes
max-clients 30
user openvpn_server
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

Code:
auth required pam_unix.so shadow nodelay
auth requisite pam_succeed_if.so uid >=1000 quiet
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
account required pam_unix.so

Code:
auth-user-pass

The question is how to modify the PAM module configuration to authenticate against FreeIPA users rather than local users (on Ubuntu). Could you give me any hint please?
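The stack posted above only consults pam_unix.so, which reads /etc/shadow; a FreeIPA user has no entry there, so a `required` pam_unix line fails the whole stack before SSSD is ever asked. Below is an added example of a /etc/pam.d/openvpn that authenticates FreeIPA users only (it is not the poster's file or anything from the FreeIPA or OpenVPN projects). It assumes ipa-client-install has already set up SSSD so that pam_sss.so is installed and `getent passwd freeipauser` resolves; the service name "openvpn" is taken from the second argument of the plugin line in the server config.

```conf
# /etc/pam.d/openvpn  (added example, assumes SSSD configured by ipa-client-install)
# Service name "openvpn" matches the 2nd argument of:
#   plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# Keep system/service accounts (UID < 1000) out of the VPN; FreeIPA UIDs are
# resolved through NSS (sss), so the check works for directory users too.
auth     requisite   pam_succeed_if.so uid >= 1000 quiet

# Lockout counter before the real authentication module so failures are counted.
auth     required    pam_tally2.so deny=4 even_deny_root unlock_time=1200

# Authenticate against FreeIPA via SSSD; "sufficient" ends the stack on success.
auth     sufficient  pam_sss.so

# Nothing else may authenticate: no pam_unix, so local users are rejected here.
auth     required    pam_deny.so

# Account phase: SSSD enforces FreeIPA HBAC rules for the "openvpn" service and
# rejects expired or disabled accounts; pam_tally2 resets the counter on success.
account  required    pam_sss.so
account  required    pam_tally2.so
```

Two checks worth doing after installing this: make sure an HBAC rule in FreeIPA allows the PAM service "openvpn" for the VPN host (or that the default allow_all rule is still enabled), otherwise the account phase will deny every user even though the password was accepted; and when a login fails, compare /var/log/auth.log on the VPN server with /var/log/sssd/sssd_pam.log to see whether the rejection came from the auth phase (wrong password, locked account) or the account phase (HBAC). Because the plugin runs PAM in a helper forked before OpenVPN drops to `user openvpn_server`, no extra privileges are needed for pam_sss.so to talk to the SSSD socket.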