Thanks everyone, I'm sorry, I should have been much clearer, I apologize. Yes, I use PAM with openvpn to authenticate user clients:

    plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers is a --servicecat=all:

    Rule name: allowvpnusers
    Service category: all
    Enabled: TRUE
    User Groups: vpnusers
    Hosts: vpn.internaldom.com

What I wanted to know is what specific services I can allow for the vpnusers, instead of granting them full access to the server.

On Mon, Sep 17, 2018 at 4:49 PM Jochen Hein <[email protected]> wrote:
>
> Rob Crittenden via FreeIPA-users <[email protected]>
> writes:
>
> > Sina Owolabi via FreeIPA-users wrote:
> >> Hi List
> >>
> >> I’ve been struggling with this for a while and I would really appreciate
> >> some advice.
> >> I have an openvpn server using freeIPA to authenticate users logging
> >> into the office VPN.
> >> Currently all users have access to all services on the OpenVPN server.
> >> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
> >> them to have access to anything else?
> >
> > ...
> > What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> > configured for auth.
>
> To elaborate that somewhat more: It depends how you authenticate your
> users. The most simple way is to enable PAM authentication in your
> server config:
>
> ,----
> | plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
> `----
>
> Then you create a file /etc/pam.d/openvpn and can use sssd there. Your
> HBAC rule needs to allow the openvpn service for the users.
>
> You could also authenticate against LDAP or RADIUS and juggle with
> groups, but PAM is really easier.
>
> Jochen
>
> --
> This space is intentionally left blank.

FreeIPA-users mailing list -- [email protected]
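An added example, not part of the thread, that carries Jochen's suggestion through as a small POSIX shell script: a /etc/pam.d/openvpn that hands both the auth and account phases to pam_sss, a check that the file really does so, the ipa commands that turn the existing "Service category: all" rule into one that allows only an `openvpn` HBAC service, and an `ipa hbactest` run to confirm the result. It goes a little beyond the thread by also checking the default `allow_all` rule, which, if still enabled, grants every service regardless of the narrower rule. The rule, group and host names are the ones from Sina's message, and `openvpn` as the PAM service name is the argument on Jochen's plugin line (Sina's config passes `login` instead, which is why sssd evaluates the `login` HBAC service there); the function names and the exact pam.d lines are my own assumptions.

```shell
# Added example (not from the thread): restrict OpenVPN PAM logins to a
# dedicated FreeIPA HBAC service instead of "Service category: all".
# Assumed: rule "allowvpnusers", group "vpnusers", host vpn.internaldom.com
# (from Sina's message), PAM service name "openvpn" (from Jochen's line).

# 1. PAM service file, used when the server config says:
#      plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
#    The plugin argument is the PAM service name; pam_sss passes that name
#    to sssd, which then looks for HBAC rules granting a service "openvpn".
write_openvpn_pam_config() {
    pam_file="$1"   # normally /etc/pam.d/openvpn
    cat > "$pam_file" <<'EOF'
# auth phase: the password is checked against FreeIPA through sssd
auth     required   pam_sss.so
# account phase: sssd evaluates HBAC here for the PAM service "openvpn"
account  required   pam_sss.so
EOF
}

# 2. Sanity check: both phases must hand off to pam_sss.so, otherwise HBAC
#    is never consulted for this service. Returns 0 when the file is right.
check_openvpn_pam_config() {
    pam_file="$1"
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_sss\.so' "$pam_file" &&
    grep -Eq '^account[[:space:]]+required[[:space:]]+pam_sss\.so' "$pam_file"
}

# 3. Narrow the existing HBAC rule. Needs the ipa client tools and an
#    admin Kerberos ticket (kinit admin); defined here but not executed.
restrict_hbac_rule_to_openvpn() {
    rule="$1"; group="$2"; host="$3"
    ipa hbacsvc-add openvpn --desc="OpenVPN PAM service" || true  # may already exist
    ipa hbacrule-mod "$rule" --servicecat=''        # clear "Service category: all"
    ipa hbacrule-add-service "$rule" --hbacsvcs=openvpn
    ipa hbacrule-add-user "$rule" --groups="$group" || true   # already a member is fine
    ipa hbacrule-add-host "$rule" --hosts="$host" || true
    # If the default allow_all rule is still enabled, every service is
    # still granted and the narrowed rule changes nothing. Inspect it.
    ipa hbacrule-show allow_all
}

# 4. Prove the rule before trusting it: openvpn allowed, any other
#    service (sshd as the obvious case) denied. Run sss_cache on the
#    VPN host so the client-side cache picks up the changed rule.
verify_hbac_rule() {
    user="$1"; host="$2"
    ipa hbactest --user="$user" --host="$host" --service=openvpn | grep -q 'Access granted: True'
    ipa hbactest --user="$user" --host="$host" --service=sshd    | grep -q 'Access granted: False'
    sss_cache -E
}
```

Usage on the IPA client that runs OpenVPN, after `kinit admin`: `write_openvpn_pam_config /etc/pam.d/openvpn`, `restrict_hbac_rule_to_openvpn allowvpnusers vpnusers vpn.internaldom.com`, then `verify_hbac_rule someuser vpn.internaldom.com`. Keeping the HBAC service name equal to the plugin argument is the whole trick: the rule only matches if the PAM service name the plugin presents and the `hbacsvc` name in IPA are the same string.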
