[Freeipa-users] Re: HBAC Rules for OpenVPN Server
Sina Owolabi via FreeIPA-users Tue, 18 Sep 2018 02:03:50 -0700

Ok. Since the name of the pam file I created is /etc/pam.d/openvpn, then this would be "ipa hbacsvc-add --desc="pam Openvpn service" openvpn" ...?

On Tue, Sep 18, 2018 at 9:13 AM Alexander Bokovoy <[email protected]> wrote:
>
> On Tue, 18 Sep 2018, Sina Owolabi via FreeIPA-users wrote:
> >Thanks everyone
> >
> >I'm sorry, I should have been much clearer, I apologize.
> >Yes I use PAM with openvpn to authenticate user clients
> >"plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
> >I'm also running a HBAC controlled IPA environment but the rule for vpnusers
> >is a --servicecat=all:
> >
> >Rule name: allowvpnusers
> >  Service category: all
> >  Enabled: TRUE
> >  User Groups: vpnusers
> >  Hosts: vpn.internaldom.com
> >
> >What I wanted to know, is what specific services can I allow for the
> >vpnusers, instead
> >of granting them full access to the server.
> The name of the pam config file. HBAC service names = names of
> configurations for PAM, in /etc/pam.d/<name>.
>
>
> >
> >On Mon, Sep 17, 2018 at 4:49 PM Jochen Hein <[email protected]> wrote:
> >>
> >> Rob Crittenden via FreeIPA-users <[email protected]>
> >> writes:
> >>
> >> > Sina Owolabi via FreeIPA-users wrote:
> >> >> Hi List
> >> >>
> >> >> I've been struggling with this for a while and I would really appreciate
> >> >> some advice.
> >> >> I have an openvpn server using freeIPA to authenticate users logging
> >> >> into the office VPN.
> >> >> Currently all users have access to all services on the OpenVPN server.
> >> >> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
> >> >> them to have access to anything else?
> >> >
> >> ...
> >> > What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> >> > configured for auth.
> >>
> >> To elaborate that somewhat more: It depends how you authenticate your
> >> users. The most simple way is to enable PAM authentication in your
> >> server config:
> >>
> >> ,----
> >> | plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
> >> `----
> >>
> >> Then you create a file /etc/pam.d/openvpn and can use sssd there. Your
> >> HBAC rule needs to allow the openvpn service for the users.
> >>
> >> You could also authenticate against LDAP or RADIUS and juggle with
> >> groups, but PAM is really easier.
> >>
> >> Jochen
> >>
> >> --
> >> This space is intentionally left blank.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
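The procedure the thread converges on (a PAM stack under /etc/pam.d named after the HBAC service, then narrowing the rule away from "Service category: all"), as an added shell example that is not code from the thread or from the FreeIPA project. The rule name allowvpnusers, the host vpn.internaldom.com and the service name openvpn are taken from the thread; the IPA and PAM_DIR overrides are assumptions that exist only so the script can be dry-run on a machine without an IPA client. The second word of the plugin line is the PAM service name, so the plugin argument, the /etc/pam.d file name and the HBAC service name must all agree: with the plugin line quoted in the thread that ends in "login", sssd would evaluate HBAC for the login service rather than openvpn.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project.
# Assumed overrides: IPA (set IPA=echo to dry-run) and PAM_DIR.
set -eu

IPA=${IPA:-ipa}
PAM_DIR=${PAM_DIR:-/etc/pam.d}
SERVICE=${SERVICE:-openvpn}      # must match the plugin argument in server.conf
RULE=${RULE:-allowvpnusers}      # rule name from the thread

# The plugin line in server.conf is "plugin <path> <pam-service>"; the third
# word is what PAM looks up under /etc/pam.d and what HBAC sees as the service.
pam_service_from_plugin_line() {
    set -- $1
    printf '%s\n' "$3"
}

# Write the PAM stack for the service. HBAC is enforced by pam_sss.so in the
# "account" phase, so an auth-only stack would authenticate but never consult
# the rule.
write_pam_service() {
    svc=$1
    cat > "$PAM_DIR/$svc" <<'EOF'
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
    printf '%s\n' "$PAM_DIR/$svc"
}

# Register the HBAC service, clear "Service category: all" on the rule (IPA
# will not attach explicit services to a rule that still says "all"), then
# allow only the openvpn service.
configure_hbac() {
    svc=$1; rule=$2
    "$IPA" hbacsvc-add "$svc" --desc="PAM service for OpenVPN"
    "$IPA" hbacrule-mod "$rule" --servicecat=""
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs="$svc"
}

# Simulate the access decision server-side before asking sssd on the VPN host.
test_hbac() {
    "$IPA" hbactest --user="$1" --host="$2" --service="$3" --rules="$4"
}

if [ "${1:-}" = "run" ]; then
    write_pam_service "$SERVICE"
    configure_hbac "$SERVICE" "$RULE"
    test_hbac "${2:-someuser}" vpn.internaldom.com "$SERVICE" "$RULE"
fi
```

Run it as `sh hbac-openvpn.sh run <user>` on the VPN host after `kinit admin`; the final `ipa hbactest` shows whether the narrowed rule still matches that user. sssd caches HBAC rules, so after changing the rule run `sss_cache -E` on the VPN host (or wait for the cache to expire) before testing a real VPN login.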
