From: David S. <op...@sf...> - 2017-07-28 13:13:39
On 27/07/17 15:56, saidireddy ranabothu wrote:
> Hello,
>
> Please can help me how to integrate openvpn with FIPA SSSD?
With FIPA, I presume you mean FreeIPA (as you also talk about SSSD).
I've done a test setup which works quite well though; even wanted to
write a blog article about it - but never had the time for it yet. Most
of this is taken out-of-memory, and has not been tested in a while; so
subtle errors might be present.
Basically you need to do:
1. Create an 'openvpn' service in FreeIPA.
- In the webUI, go to "Policy" -> "Host Based Access Control" and
choose "HBAC Services"
- Click "+ Add", and put "openvpn" in the "Service name" field.
2. Create HBAC Rules for which users and hosts can use the
OpenVPN service.
- In the webUI, go to "Policy" -> "Host Based Access Control" and
choose "HBAC Rules".
- Click "+ Add" and put "openvpn_access" in the "Rule name" field
and click on "Add and Edit".
- Add users/user groups who may use the OpenVPN service (or choose
"Anyone")
- Add the OpenVPN servers under the "Accessing" block
- Add the "openvpn" service in the "Via Service" block
3. Add the PAM service definition on the VPN servers
- Create the file /etc/pam.d/openvpn ... it only needs to contain
something like this:
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so otp_in_password
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
(Take those lines with a large pinch of salt, it can probably be
further improved!)
4. Configure OpenVPN to use PAM authentication, using the openvpn
PAM "module".
- Add the following line to your OpenVPN configuration:
plugin openvpn-plugin-auth-pam.so openvpn
Normally these four steps should be enough.
--
kind regards,
David Sommerseth
OpenVPN Technologies, Inc
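The PAM stack from step 3 can be sanity-checked mechanically. The following is an added example, not code from the post above nor from OpenVPN or FreeIPA: a small Python linter that parses a /etc/pam.d/openvpn file and reports whether the fail-closed pam_deny.so entry, the otp_in_password flag, the uid gate, or the pam_sss.so account check is missing. The stack from the post is embedded as its input; the weakened variant is constructed for contrast.

```python
import re

# Copy of the /etc/pam.d/openvpn stack from the post, used as the input to check.
OPENVPN_PAM = """\
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so otp_in_password
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""

# Constructed weakened variant: no pam_deny.so fallback, no OTP flag, no uid gate.
WEAK_PAM = "auth sufficient pam_sss.so\naccount required pam_sss.so\n"

# type, control (a keyword or a [bracketed action list]), module, optional args
LINE_RE = re.compile(r"^(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")

def parse_pam(text):
    """Return (type, control, module, [args]) tuples, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        entries.append((m["type"], m["control"], m["module"], m["args"].split()))
    return entries

def check_openvpn_stack(text):
    """Return a list of findings; an empty list means the stack has all expected properties."""
    entries = parse_pam(text)
    auth = [e for e in entries if e[0] == "auth"]
    account = [e for e in entries if e[0] == "account"]
    findings = []
    # Fail closed: if pam_sss.so is missing or broken, nothing else may let the login through.
    if not auth or auth[-1][1:3] != ("required", "pam_deny.so"):
        findings.append("auth stack does not end with 'required pam_deny.so'")
    # OpenVPN hands PAM one password string, so the OTP has to be split out of it.
    sss_auth = [e for e in auth if e[2] == "pam_sss.so"]
    if not sss_auth or not all("otp_in_password" in e[3] for e in sss_auth):
        findings.append("pam_sss.so auth entry lacks otp_in_password")
    # Keep local/system accounts (uid < 1000) away from the VPN before pam_sss.so runs.
    if not any(e[1] == "requisite" and e[2] == "pam_succeed_if.so"
               and e[3][:3] == ["uid", ">=", "1000"] for e in auth):
        findings.append("no 'requisite pam_succeed_if.so uid >= 1000' gate in auth stack")
    # The FreeIPA HBAC rule is evaluated by pam_sss.so in the account phase.
    if not any(e[2] == "pam_sss.so" for e in account):
        findings.append("account stack never calls pam_sss.so, so HBAC rules are not enforced")
    return findings

if __name__ == "__main__":
    print("post's stack:", check_openvpn_stack(OPENVPN_PAM) or "OK")
    print("weak stack:", check_openvpn_stack(WEAK_PAM))
```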