On Tue, 18 Sep 2018, Sina Owolabi via FreeIPA-users wrote:
Thanks everyone

I'm sorry, I should have been much clearer; I apologize.
Yes I use PAM with openvpn to authenticate user clients
"plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers
is a --servicecat=all:

Rule name: allowvpnusers
 Service category: all
 Enabled: TRUE
 User Groups: vpnusers
 Hosts: vpn.internaldom.com

What I wanted to know is which specific services I can allow for the
vpnusers, instead of granting them full access to the server.

The name of the PAM config file. HBAC service names = names of
configurations for PAM, in /etc/pam.d/<name>.


On Mon, Sep 17, 2018 at 4:49 PM Jochen Hein <[email protected]> wrote:

Rob Crittenden via FreeIPA-users <[email protected]>
writes:

> Sina Owolabi via FreeIPA-users wrote:
>> Hi List
>>
>> I’ve been struggling with this for a while and I would really appreciate
>> some advice.
>> I have an openvpn server using freeIPA to authenticate users logging
>> into the office VPN.
>> Currently all users have access to all services on the OpenVPN server.
>> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
>> them to have access to anything else?
>
...
> What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> configured for auth.

To elaborate on that somewhat more: it depends on how you authenticate your
users.  The simplest way is to enable PAM authentication in your
server config:

,----
| plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
`----

Then you create a file /etc/pam.d/openvpn and can use sssd there.  Your
HBAC rule needs to allow the openvpn service for the users.

You could also authenticate against LDAP or RADIUS and juggle with
groups, but PAM is really easier.

Jochen

--
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
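The mapping the two replies above describe (the auth-pam plugin's argument is the PAM service name, the PAM service name is the HBAC service name) and the rule change Sina asked for, as an added worked example that is not from the thread or from the FreeIPA or OpenVPN projects. The rule name allowvpnusers, the group vpnusers and the host vpn.internaldom.com are taken from the thread; the PAM service name "openvpn", the test user "jdoe" and the helper names are assumptions. Applied to Sina's own plugin line, hbac_service_for yields "login", so his current rule could be narrowed to the existing IPA "login" service straight away, or the plugin argument can be changed to a dedicated "openvpn" file as Jochen suggests. The example also carries the caveat a practitioner wants here: SSSD enforces HBAC in the PAM account phase, so the /etc/pam.d file needs an account line, not just an auth line.

```shell
#!/bin/sh
# Added example (not from the thread): map OpenVPN's auth-pam service name
# to the FreeIPA HBAC service that must be allowed, generate the PAM stack
# for it, and emit the ipa commands that narrow a "Service category: all"
# rule down to that one service.
# Assumptions: allowvpnusers / vpnusers / vpn.internaldom.com come from the
# thread; the service name "openvpn" and the user "jdoe" are illustrative.

# The auth-pam plugin takes one argument: the PAM service name, i.e. the
# file /etc/pam.d/<name>. That same name is the HBAC service SSSD asks IPA
# about, so it is what hbacrule-add-service must reference.
hbac_service_for() {   # $1 = the "plugin ... openvpn-plugin-auth-pam.so <name>" line
    case "$1" in
        "plugin "*"openvpn-plugin-auth-pam.so "*) ;;
        *) echo "not an auth-pam plugin line: $1" >&2; return 1 ;;
    esac
    set -- $1          # word-split: plugin <path> <pam-service>
    shift 2
    [ -n "$1" ] || { echo "auth-pam plugin line has no service name" >&2; return 1; }
    printf '%s\n' "$1"
}

# Write the PAM stack for a service name. The 'account' line is what makes
# HBAC bite: pam_sss checks the password in the 'auth' phase but evaluates
# IPA HBAC rules in pam_acct_mgmt(), which the auth-pam plugin calls after
# pam_authenticate(). A stack with only 'auth' lines would accept any IPA
# user with a valid password regardless of HBAC.
write_pam_stack() {    # $1 = PAM service name, $2 = output path
    cat > "$2" <<EOF
#%PAM-1.0
# /etc/pam.d/$1 -- referenced as: plugin .../openvpn-plugin-auth-pam.so $1
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
}

# ipa commands that replace --servicecat=all with a single HBAC service.
# The category has to be cleared before a service can be added to the rule;
# the two hbactest calls then check that the user is allowed through the
# VPN service and denied for anything else (sshd here) on the same host.
hbac_commands() {      # $1 = PAM/HBAC service name
    cat <<EOF
ipa hbacsvc-add $1 --desc="OpenVPN PAM service"
ipa hbacrule-mod allowvpnusers --servicecat=""
ipa hbacrule-add-service allowvpnusers --hbacsvcs=$1
ipa hbactest --user=jdoe --host=vpn.internaldom.com --service=$1
ipa hbactest --user=jdoe --host=vpn.internaldom.com --service=sshd
EOF
}

# Stand-alone run on a constructed server.conf line: nothing is applied to
# IPA, the PAM file goes to a temp path and the commands are only printed.
svc=$(hbac_service_for "plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn")
out="${TMPDIR:-/tmp}/pam.d-$svc.example"
write_pam_stack "$svc" "$out"
cat "$out"
hbac_commands "$svc"
```

Run the printed ipa commands on an enrolled host with an admin ticket; the order matters, because FreeIPA refuses to add a service to a rule whose service category is still "all". Any other service on vpn.internaldom.com (sshd, sudo, su) then falls back to whatever other HBAC rules apply to vpnusers, which in a default deployment with allow_all disabled is nothing.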
