OpenVPN authentication against FreeIPA, SSSD

ODra
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 14, 2017 6:58 pm


Post by ODra » Tue Mar 14, 2017 8:17 pm

Hello there,

I've been struggling for a while with the OpenVPN setup for authentication against FreeIPA user accounts.
I have 2 servers:
  1. FreeIPA main server (CentOS 7)
  2. OpenVPN server (Ubuntu 16.04), with freeipa-client configured via

     # ipa-client-install

Both services work out of the box; in this case I'm able to log in as a FreeIPA user locally (e.g. su - freeipauser).
The OpenVPN /etc/openvpn/server.conf looks as follows:

port 1194
proto udp
dev tun
# Server certificate chain and DH parameters generated with easy-rsa
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh3072.pem
tls-server
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 217.31.204.130"
push "dhcp-option DNS 193.29.206.206"
keepalive 10 120
# HMAC on the control channel; 0 = server side of the shared key
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# Data channel cipher and HMAC, control channel TLS cipher suite
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA384
comp-lzo yes
max-clients 30
# Drop root privileges after start-up
user openvpn_server
group nogroup
persist-key
persist-tun
status openvpn-status.log
log          /var/log/openvpn.log
verb 3
# Username/password check through PAM; the last argument is the PAM service
# name, i.e. the stack in /etc/pam.d/openvpn
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
My /etc/pam.d/openvpn looks like this:

# Password check against /etc/shadow (local accounts only)
auth    required        pam_unix.so    shadow    nodelay
# Refuse system accounts outright
auth    requisite       pam_succeed_if.so uid >=1000 quiet
# Lock the user out for 20 minutes after 4 consecutive failures
auth    required        pam_tally2.so deny=4 even_deny_root unlock_time=1200
account required        pam_unix.so
# Reset the failure counter on a successful login; without this account
# line the counter only ever grows and every user eventually gets locked out
account required        pam_tally2.so
And besides all the common parameters, I added

auth-user-pass

to the client.ovpn, so that both a TLS certificate and credentials are needed to establish a connection.
The question is how to modify the PAM module to authenticate against FreeIPA users rather than local users (on Ubuntu). Could you give me a hint, please?
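One way to do what the post above asks, as an added example that is not part of this thread or of OpenVPN's own documentation: swap the pam_unix lines for pam_sss.so, the SSSD PAM module that ipa-client-install sets up (it is what already makes "su - freeipauser" work through /etc/pam.d/common-auth). The service name "openvpn" is the argument given to openvpn-plugin-auth-pam.so in server.conf, so this file is the stack that plugin runs. The deny/unlock values are copied from the post; everything else here is an assumption about a standard Ubuntu 16.04 client install.

```conf
# /etc/pam.d/openvpn  (added example; assumes SSSD from ipa-client-install is running)

# Verify the password against FreeIPA through SSSD instead of /etc/shadow.
# "required" rather than "sufficient": if SSSD is unreachable or says no,
# the whole stack fails instead of silently falling through.
auth    required        pam_sss.so
# Only accept IPA users; the default IPA ID range starts well above 1000,
# so root and local system accounts are rejected even with a valid password.
auth    requisite       pam_succeed_if.so uid >= 1000 quiet
# Per-user lockout: 4 consecutive failures lock the account for 20 minutes
auth    required        pam_tally2.so deny=4 even_deny_root unlock_time=1200

# Account phase: SSSD applies IPA account expiry and HBAC rules for the
# service "openvpn", then pam_tally2 resets the failure counter on success.
account required        pam_sss.so
account required        pam_tally2.so
```

Two checks worth doing before pointing clients at it. First, exercise the stack without OpenVPN: `pamtester openvpn freeipauser authenticate` (Debian/Ubuntu package pamtester) prompts for the password and reports the PAM result, and `sssd` logs under /var/log/sssd/ show whether the request reached the IPA server. Second, because the account phase runs through SSSD, an HBAC rule must allow the PAM service "openvpn" for the user on this host; if the default allow_all rule has been disabled, the service has to be registered (`ipa hbacsvc-add openvpn`) and added to a rule that covers the VPN server and the users in question, otherwise the password will verify and the login will still be refused.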

ODra
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 14, 2017 6:58 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by ODra » Thu Mar 16, 2017 9:10 am

*bump*

Guys, seriously, does no one have any idea or a hint on how to do it? :roll:

TinCanTech
OpenVPN Protagonist
Posts: 2830
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by TinCanTech » Thu Mar 16, 2017 12:07 pm

You could try the openvpn-users mailing list...
But to be honest, I don't think OpenVPN are the people to ask.

ODra
OpenVpn Newbie
Posts: 3
Joined: Tue Mar 14, 2017 6:58 pm

Re: OpenVPN authentication against FreeIPA, SSSD

Post by ODra » Sun Mar 19, 2017 9:51 pm

Hey,
thanks for the hint. I'll give it a try. I guess openvpn-users@lists.sourceforge.net is the email address.
I think it's more OpenVPN related than a FreeIPA thing.
