Use pam_ldap authentication with OpenVPN AS?
Posted: Wed Apr 10, 2013 6:25 pm
I am trying to make OpenVPN AS work with PAM authentication where I have PAM set up to do either pam_ldap or pam_unix authentication. I have PAM configured correctly for this authentication scheme, and have tested it with ssh logins as well as using the 'getent passwd' command. ssh works to authenticate against pam_ldap, and the getent passwd command returns all local and LDAP users, so I know that much at least is working.
OpenVPN, however, refuses to authenticate pam_ldap users. When running nslcd in debug mode, I don't even see it get hit when I try an OpenVPN authentication. I have edited the /etc/pam.d/openvpnas file every which way I can think of, including making it identical to the (working) sshd file, and still not even a blip from nslcd. The error I get is 'PAM auth failed: User not known to the underlying authentication module', which makes sense if it isn't querying the LDAP server.
This is running on CentOS. The steps I followed were:
1) Install pam_ldap via yum
2) Modify the /etc/nslcd.conf and /etc/nsswitch.conf files as per http://arthurdejong.org/nss-pam-ldapd/setup
3) Add the pam_ldap.so lines to the /etc/pam.d/system-auth file as per that page (auth, account, session, and password). The /etc/pam.d/openvpnas file contains the line "include system-auth" for each of these sections as well, so that change should be passed through
4) stop nscd and nslcd, then run nslcd with the -d switch to debug (as per the test and troubleshoot section of the above webpage)
At this point I was able to do ssh and su authentications, and see them hitting nslcd, and nslcd returning the proper LDAP records. However, when I tried an OpenVPN authentication, it did not hit nslcd at all.
What might I be missing here? I tried contacting tech support, but they were useless, aside from the mention that they had "received reports of users using PAM and PAM_LDAP successfully with the Access Server". Perhaps one of those users would be willing to post what they had to do to get it working?
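The post's steps 3 and 4 hinge on one question: does the PAM stack that OpenVPN AS actually evaluates for the "openvpnas" service ever reach pam_ldap.so? Reading /etc/pam.d/openvpnas by eye is error-prone once include/substack directives are involved, so the script below resolves the effective stack and checks for the module. This is an added example, not code from the original post or from OpenVPN AS or nss-pam-ldapd. It assumes Linux-PAM service-file syntax; the pam.d directory is passed in as a parameter so the demo can run against a constructed fixture (modelled on a CentOS system-auth file with the pam_ldap.so lines added) instead of the live /etc/pam.d. The service name "local-only" in the fixture is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenVPN AS.
# Resolves the *effective* PAM stack of a service by following
# include / substack / @include directives, then checks whether a given
# module (here pam_ldap.so) is ever reached. If pam_ldap.so is not in the
# resolved "auth" stack of the service, nslcd will never see the login.
# Assumption: Linux-PAM syntax, all service files in one directory laid
# out like /etc/pam.d (passed as $1 so this also runs on a fixture).

# pam_effective_stack <pam.d dir> <service> <type>
# Emits one "control<TAB>module<TAB>args" line per module of the resolved
# stack for <type> (auth, account, password or session).
pam_effective_stack() {
    [ -r "$1/$2" ] || { echo "pam_effective_stack: cannot read $1/$2" >&2; return 1; }
    awk -v t="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        $1 == "@include" { printf "include\t%s\t\n", $2; next }   # Debian style
        $1 == t || $1 == ("-" t) {                    # "-auth" = optional module
            i = 2; control = $2
            # bracketed controls contain spaces: [success=1 default=ignore]
            if (control ~ /^\[/)
                while (control !~ /\]$/ && i < NF) { i++; control = control " " $i }
            module = $(i + 1); args = ""
            for (j = i + 2; j <= NF; j++) args = args (j > i + 2 ? " " : "") $j
            printf "%s\t%s\t%s\n", control, module, args
        }' "$1/$2" |
    while IFS="$(printf '\t')" read -r control module args; do
        case "$control" in
            include|substack) pam_effective_stack "$1" "$module" "$3" ;;
            *)                printf '%s\t%s\t%s\n' "$control" "$module" "$args" ;;
        esac
    done
}

# pam_reaches_module <pam.d dir> <service> <type> <module.so>
# Exit status 0 if the module appears in the resolved stack, 1 otherwise.
pam_reaches_module() {
    pam_effective_stack "$1" "$2" "$3" |
        awk -F'\t' -v m="$4" '$2 == m { f = 1 } END { exit !f }'
}

# pam_stack_depth <pam.d dir> <service> <type>: number of modules resolved.
pam_stack_depth() {
    pam_effective_stack "$1" "$2" "$3" | awk 'END { print NR }'
}

# pam_make_fixture: writes a constructed pam.d tree (modelled on a CentOS
# system-auth with the pam_ldap.so lines from the nss-pam-ldapd setup page
# added) and prints its path. Sample data, not copied from any real host.
pam_make_fixture() {
    d=$(mktemp -d) || return 1
    cat > "$d/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
EOF
    cat > "$d/openvpnas" <<'EOF'
#%PAM-1.0
auth        include       system-auth
account     include       system-auth
EOF
    # hypothetical service that was never wired to system-auth
    cat > "$d/local-only" <<'EOF'
auth        required      pam_unix.so
account     required      pam_unix.so
EOF
    echo "$d"
}

# Demo against the fixture. On a real box the equivalent is:
#   pam_effective_stack /etc/pam.d openvpnas auth
fixture=$(pam_make_fixture)
for svc in openvpnas local-only; do
    if pam_reaches_module "$fixture" "$svc" auth pam_ldap.so; then
        echo "$svc: auth stack reaches pam_ldap.so, nslcd should see the lookup"
    else
        echo "$svc: auth stack never reaches pam_ldap.so, LDAP users cannot log in"
    fi
    pam_effective_stack "$fixture" "$svc" auth | sed 's/^/    /'
done
rm -rf "$fixture"
```

If the resolved "auth" stack for openvpnas does list pam_ldap.so but nslcd still sees nothing, the problem is not in the text of the PAM files: check which PAM service name the Access Server process really opens (the server's own log, or an strace of the authenticating process looking for the file it opens under /etc/pam.d), that the module path it loads resolves to the installed pam_ldap.so, and that nslcd is actually running and reachable while you test. A live end-to-end check of the stack without involving the VPN client is `pamtester openvpnas <user> authenticate`, if the pamtester package is available on the box.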