Hi. I have been trying to integrate openvpn with FreeIPA. General integration (i.e. using the IPA user password) works fine; my issue is connecting it with 2FA (OTP). Without writing an external script it is not possible to use OTP + IPA + openvpn, as there is no mechanism to ask for the 2nd factor in openvpn and only sshd is set up for the 2nd factor. The reasons are explained in this reddit post ->
https://www.reddit.com/r/linuxadmin/comments/5wjqs6/freeipa_openvpn_otp_token_not_working/

I was advised however that openvpn-auth-ldap can be used, as it's set up so you can input PASS+OTPTOKEN as the password field. What I do not understand is what to enter in the /etc/openvpn/auth/ldap.conf config. I was advised I could get the data I need using ldapsearch with syntax similar to

# ldapsearch -ZZ -W -L ldap://ipa.example.org -b dc=example,dc=org -D uid=testuser,cn=users,cn=accounts,dc=example,dc=org

However, I found that using this syntax I just got the error "ldap_start_tls: Operations error (1), additional info: SSL connection already established". I have found working commands to query LDAP such as

# ldapsearch -LL -Y GSSAPI

However I am really not sure what info I need to get. The config for auth-ldap is at the end of the message; the only parts I think I know are (btw the ipa server is called ipa1.morgan.kvm)

---
URL ldap://ipa1.morgan.kvm
TLSCACertFile /etc/ipa/ca.crt
---

(this may be wrong..) I am unsure about the BaseDN and TLS cert paths, etc. Can anyone help?
The config is below
--------------
<LDAP>
	# LDAP server URL
	URL ldap://ipa1.morgan.kvm

	# Bind DN (If your LDAP server doesn't support anonymous binds)
	# BindDN uid=Manager,ou=People,dc=example,dc=com

	# Bind Password
	# Password SecretPassword

	# Network timeout (in seconds)
	Timeout 15

	# Enable Start TLS
	TLSEnable yes

	# Follow LDAP Referrals (anonymously)
	FollowReferrals yes

	# TLS CA Certificate File
	TLSCACertFile /etc/ipa/ca.crt

	# TLS CA Certificate Directory
	TLSCACertDir /etc/ssl/certs

	# Client Certificate and key
	# If TLS client authentication is required
	TLSCertFile /usr/local/etc/ssl/client-cert.pem
	TLSKeyFile /usr/local/etc/ssl/client-key.pem

	# Cipher Suite
	# The defaults are usually fine here
	# TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
	# Base DN
	BaseDN "ou=People,dc=example,dc=com"

	# User Search Filter
	SearchFilter "(&(uid=%u)(accountStatus=active))"

	# Require Group Membership
	RequireGroup false

	# Add non-group members to a PF table (disabled)
	#PFTable ips_vpn_users

	<Group>
		BaseDN "ou=Groups,dc=example,dc=com"
		SearchFilter "(|(cn=developers)(cn=artists))"
		MemberAttribute uniqueMember
		# Add group members to a PF table (disabled)
		#PFTable ips_vpn_eng
	</Group>
</Authorization>
--------------
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
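As an added example (not from the post, nor openvpn-auth-ldap's own code): a POSIX sh helper that derives FreeIPA's user and group containers from the domain, renders the sample ldap.conf above with those values, and wraps the ldapsearch dry run that mirrors what the plugin does at connect time. It assumes the base DN dc=morgan,dc=kvm follows the domain name (verify it against the root DSE's namingContexts) and a hypothetical IPA group cn=vpn-users gating VPN access.

```shell
#!/bin/sh
# Added example, not from the post: adapt openvpn-auth-ldap's sample ldap.conf to FreeIPA's
# directory layout. Assumed: base DN dc=morgan,dc=kvm (derived from the domain; verify against
# the root DSE's namingContexts) and a hypothetical IPA group cn=vpn-users gating VPN access.

# FreeIPA keeps users under cn=users,cn=accounts,<base> and groups under cn=groups,cn=accounts,<base>.
ipa_base_dn() {  # "morgan.kvm" -> "dc=morgan,dc=kvm"
    printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}
ipa_users_dn()  { printf 'cn=users,cn=accounts,%s' "$(ipa_base_dn "$1")"; }
ipa_groups_dn() { printf 'cn=groups,cn=accounts,%s' "$(ipa_base_dn "$1")"; }

# Render ldap.conf with FreeIPA values. User entries are searchable anonymously, so no BindDN
# is needed; the plugin then binds as the matched user DN with the password the VPN client sent,
# and FreeIPA accepts <password><OTP> on a simple bind for OTP-enabled users.
render_auth_ldap_conf() {  # $1 = IPA server FQDN, $2 = domain, $3 = required group cn
    cat <<EOF
<LDAP>
URL ldap://$1
Timeout 15
TLSEnable yes
FollowReferrals no
TLSCACertFile /etc/ipa/ca.crt
</LDAP>
<Authorization>
BaseDN "$(ipa_users_dn "$2")"
# nsAccountLock=TRUE marks a disabled IPA user; a locked account must never be allowed to bind
SearchFilter "(&(uid=%u)(!(nsAccountLock=TRUE)))"
RequireGroup true
<Group>
BaseDN "$(ipa_groups_dn "$2")"
SearchFilter "(cn=$3)"
MemberAttribute member
</Group>
</Authorization>
EOF
}

# Manual dry run of what the plugin does: StartTLS on a plain ldap:// connection, then a simple
# bind as the user with <password><OTP>. -ZZ belongs with ldap://, not ldaps://; sending StartTLS
# over an ldaps:// URI (the one ipa-client-install writes to /etc/openldap/ldap.conf) is what the
# server rejects with "SSL connection already established".
check_ipa_bind() {  # $1 = IPA server FQDN, $2 = domain, $3 = uid; prompts for <password><OTP>
    ldapsearch -ZZ -H "ldap://$1" -x -W -LLL -D "uid=$3,$(ipa_users_dn "$2")" \
        -b "$(ipa_users_dn "$2")" "(uid=$3)" dn memberOf nsAccountLock
}
```

Usage: `render_auth_ldap_conf ipa1.morgan.kvm morgan.kvm vpn-users > /etc/openvpn/auth/ldap.conf`, then `check_ipa_bind ipa1.morgan.kvm morgan.kvm testuser` with the password immediately followed by the OTP digits; a bind that fails here will fail the same way for the plugin.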
