I Fixed it!
The key was using a later version of sssd. In version 2.0.x, authentication prompting configurartion became available – re: https://sssd.io/docs/design_pages/promp ... ation.html
Unfortunately my OpenVPN instance was running on Centos 7.8 which only supports up to version 1.16. So I spun up a Centos 8 VM with sssd version 2.2.3 already loaded. Fedora 29 or higher would also work.
On the Centos 8 VM I installed & configured openVPN and free-ipa-client. I then configured sssd to combine password & OTP token into one value.
Add the following sections to the bottom of the file:
Code: Select all
password_prompt = Please enter LDAP password:
single_prompt = True
first_prompt = Please enter LDAP password + OTP token value:
Change the prompting words as needed. It really only shows up when testing from the cli. But most importantly
I learned after many hours that BOTH
sections are required in the order shown.
Next, configure pam.d by editing the file used for the OpenVPN service – in my case the file is named openvpn
Add the following:
Code: Select all
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
Restart sssd and openvpn
I also followed the steps descibed in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/
to configure FreeIPA.
To test locally:
- Configure a user in FreeIPA to use password only. In my case the user id is test5
- Switch to a local user on the server that does not have sudo privileges
- Now attempt to switch to the ipa user
- You should be prompted - Please enter LDAP password:
- Confirm you can log in with password only and then exit back to testuser
- Now configure the user (test5) in FreeIPA to use password + OTP
- Create a token in FreeIPA for user test5
- Attempt to switch to the ipa user again
- Now you should be prompted - Please enter LDAP password + OTP token value:
- Try logging in with password only. The attempt should fail.
- Attempt to switch to the ipa user once more
- Try logging in again with the password + OTP token value. (I used Google Authenticator to generate the token value). Login should be successful
I next tested from the OpenVPN client – with and without the OTP token.