Use pam_ldap authentication with OpenVPN AS?

ibrewster
OpenVpn Newbie
Posts: 3
Joined: Mon Mar 05, 2012 8:50 pm

Post by ibrewster » Wed Apr 10, 2013 6:25 pm

I am trying to make OpenVPN AS work with PAM authentication where I have PAM set up to do either pam_ldap or pam_unix authentication. I have PAM configured correctly for this authentication scheme, and have tested it with ssh logins as well as using the 'getent passwd' command. ssh works to authenticate against pam_ldap, and the getent passwd command returns all local and LDAP users, so I know that much at least is working.

OpenVPN, however, refuses to authenticate against pam_ldap users. When running nslcd in debug mode, I don't even see it get hit when I try an OpenVPN authentication. I have edited the /etc/pam.d/openvpnas file every which way I can think of, including making it identical to the (working) sshd file, and still not even a blip from nslcd. The error I get is 'PAM auth failed: User not known to the underlying authentication module', which makes sense if it isn't querying the LDAP server.

This is running on CentOS. The steps I followed were:

1) Install pam_ldap via yum
2) Modify the /etc/nslcd.conf and /etc/nsswitch.conf files as per http://arthurdejong.org/nss-pam-ldapd/setup
3) Add the pam_ldap.so lines to the /etc/pam.d/system-auth file as per that page (auth, account, session, and password). The /etc/pam.d/openvpnas file contains the line "include system-auth" for each of these sections as well, so that change should be passed through
4) stop nscd and nslcd, then run nslcd with the -d switch to debug (as per the test and troubleshoot section of the above webpage)

At this point I was able to do ssh and su authentications, and see them hitting nslcd, and nslcd returning the proper LDAP records. However, when I tried an OpenVPN authentication, it did not hit nslcd at all.

What might I be missing here? I tried contacting tech support, but they were useless, aside from the mention that they had "received reports of users using PAM and PAM_LDAP successfully with the Access Server". Perhaps one of those users would be willing to post what they had to do to get it working?
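
The steps above come down to one question: once every "include system-auth" in /etc/pam.d/openvpnas is expanded, is pam_ldap.so actually reachable in the auth and account stacks, and is nothing in front of it sinking the request? The script below is an added example for this thread, not the poster's configuration and not OpenVPN AS code. It resolves a Linux-PAM service stack (following include, substack and Debian-style @include) and lints it for an LDAP-only login. The two files it ships with are constructed stand-ins for /etc/pam.d/openvpnas and a RHEL/CentOS-style /etc/pam.d/system-auth; the function and file names are the example's own.

```python
"""Resolve a Linux-PAM service stack and lint it for LDAP-backed logins.

Added example for this thread; not the poster's config or OpenVPN AS code.
Assumes Linux-PAM /etc/pam.d syntax. SAMPLE_FILES is a constructed stand-in
for /etc/pam.d/openvpnas and /etc/pam.d/system-auth.
"""
import re
from pathlib import Path

TYPES = ("auth", "account", "password", "session")

# Constructed sample: service file that only includes system-auth, plus an
# authconfig-style system-auth with pam_ldap.so in all four stacks.
SAMPLE_FILES = {
    "openvpnas": """\
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
""",
    "system-auth": """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
""",
}

# type  control-or-[bracketed]  module  args ; leading '-' marks optional modules
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_lines(text):
    """Yield (type, control, module, args) tuples; '@include' is a pseudo-type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            entries.append(("@include", None, line.split()[1], ""))
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append(m.groups())
    return entries


def load_pam_dir(path="/etc/pam.d"):
    """Read a real pam.d directory into the same {name: text} shape as SAMPLE_FILES."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}


def resolve(service, files, depth=0):
    """Return {type: [(control, module, args), ...]} with all includes expanded."""
    if depth > 10:
        raise RecursionError("include loop in PAM config")
    if service not in files:
        raise FileNotFoundError(f"included PAM service {service!r} not found")
    stacks = {t: [] for t in TYPES}
    for typ, control, module, args in parse_lines(files[service]):
        if typ == "@include":                      # splice every stack of the file
            for t, chain in resolve(module, files, depth + 1).items():
                stacks[t].extend(chain)
        elif control in ("include", "substack"):   # splice only this type's stack
            stacks[typ].extend(resolve(module, files, depth + 1)[typ])
        else:
            stacks[typ].append((control, module, args))
    return stacks


def lint_ldap(stacks, ldap_module="pam_ldap.so"):
    """Findings that would keep an LDAP-only user out, as a list of strings."""
    findings = []
    for typ in ("auth", "account"):
        mods = [m for _, m, _ in stacks[typ]]
        if ldap_module not in mods:
            findings.append(f"{typ}: {ldap_module} never reached")
            continue
        if typ != "auth":
            continue
        # A 'required'/'requisite' pam_unix.so ahead of pam_ldap.so in auth fails
        # the stack for anyone without a local password (requisite aborts it).
        for control, module, _ in stacks[typ][: mods.index(ldap_module)]:
            if module == "pam_unix.so" and control in ("required", "requisite"):
                findings.append(f"{typ}: {control} {module} precedes {ldap_module}")
    return findings


def describe(stacks):
    """Flattened stack listing, one resolved line per module."""
    return "\n".join(f"{t:8s} {c:12s} {m} {a}".rstrip()
                     for t in TYPES for c, m, a in stacks[t])


if __name__ == "__main__":
    resolved = resolve("openvpnas", SAMPLE_FILES)
    print(describe(resolved))
    print("findings:", lint_ldap(resolved) or "none")
```

Replace SAMPLE_FILES with load_pam_dir() to inspect a real host. The script only reads configuration: it shows what PAM would evaluate for the service name, not whether the daemon actually calls PAM with that name, so pair it with a live check such as pamtester (pamtester openvpnas someuser authenticate) while nslcd runs with -d, which is the same end-to-end test the post describes for ssh.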
