I'm following this because I'm having the same issue. Since the OpenVPN client won't prompt twice for the second factor, I know you have to do the whole "password+otp" (without the +), but I keep getting invalid password.
-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hello everyone,
>
> I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled.
>
> FreeIPA Setup:
> CentOS 7.5
> FreeIPA 4.5.4
>
> HBAC Service: openvpn
> HBAC Rule:
> [root@ipa ~]# ipa hbacrule-show openvpn_access
>   Rule name: openvpn_access
>   Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service.
>   Enabled: TRUE
>   Users: <users>
>   Hosts: vpnhost.localdomain.local
>   Services: openvpn
>
> User account:
> [root@ipa ~]# ipa user-show <omitted>
>   User login: <omitted>
>   First name: <omitted>
>   Last name: <omitted>
>   Home directory: /home/<omitted>
>   Login shell: /bin/bash
>   Principal name: <omitted>
>   Principal alias: <omitted>
>   Email address: <omitted>
>   UID: 1909600003
>   GID: 1909600003
>   User authentication types: otp
>   Certificate: <omitted>
>   Account disabled: False
>   Password: True
>   Member of groups: vpn_users
>   Member of HBAC rule: openvpn_access
>   Indirect Member of HBAC rule: user_ipa_access
>   Kerberos keys available: True
>
> OpenVPN server:
> /etc/pam.d/openvpn
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
>
> Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads, some have gotten it to work without posting answers, some have not and have stated openvpn does not support multiple prompts.
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
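Added example (not part of the thread, not FreeIPA or SSSD code): a small simulator of the Linux-PAM control-flag logic, run over the `auth` section of the /etc/pam.d/openvpn stack quoted above, to show which module actually decides the OpenVPN login for a FreeIPA user and why a rejected "password+otp" surfaces as a plain "invalid password". The control words are expanded as pam.conf(5) documents them; the simulator assumes a numeric jump action ("default=1") skips the next N modules and otherwise acts like "ignore", and that a stack no module ever contributed to ends in `perm_denied`. The three user scenarios are constructed, and the per-module results in them are assumptions, not captured output.

```python
import re
from dataclasses import dataclass

# Shorthand control words expanded to their bracket form, as in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The auth section of the /etc/pam.d/openvpn stack quoted in the thread.
OPENVPN_AUTH_STACK = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

@dataclass
class Entry:
    control: dict   # return code -> action (ok, done, bad, die, ignore, or N)
    module: str
    args: str

# control is either one word or a bracketed list that may contain spaces
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_control(spec):
    if spec.startswith("["):
        return dict(kv.split("=", 1) for kv in spec.strip("[]").split())
    return SHORTHAND[spec]

def parse_auth_stack(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(parse_control(m.group(1)), m.group(2), m.group(3)))
    return entries

def run_auth_stack(stack, outcomes):
    """Walk the stack; outcomes maps module -> its return code for this login.
    Returns (final status, module that decided it, human-readable trace)."""
    impression = None          # None = no module has contributed yet
    status, decider, skip, trace = "success", None, 0, []
    for entry in stack:
        if skip:               # jumped over by an earlier "default=N"
            skip -= 1
            trace.append(f"{entry.module}: skipped by jump")
            continue
        retval = outcomes[entry.module]
        action = entry.control.get(retval, entry.control.get("default", "bad"))
        trace.append(f"{entry.module}: returned {retval} -> action {action}")
        if action.isdigit():   # assumption: jump behaves like ignore + skip
            skip = int(action)
            continue
        if action in ("ok", "done"):
            # "ok" only overrides the stack state while it is still positive
            if retval != "ignore" and (impression is None or
                                       (impression == "positive" and status == "success")):
                impression, status, decider = "positive", retval, entry.module
            if action == "done" and impression == "positive":
                decider = entry.module
                break          # sufficient module granted: stop here
        elif action in ("bad", "die"):
            if impression != "negative":   # first failure wins
                impression, status, decider = "negative", retval, entry.module
            if action == "die":
                break
        # "ignore": this module's result does not touch the stack state
    if impression is None:     # assumption: nothing contributed -> denied
        status = "perm_denied"
    return status, decider, trace

# Constructed scenarios (assumed per-module results, not captured output).
IPA_USER_GOOD = {                     # FreeIPA user, correct password+otp as one string
    "pam_env.so": "success", "pam_faildelay.so": "success",
    "pam_succeed_if.so": "success",   # uid >= 1000
    "pam_localuser.so": "perm_denied",# not in /etc/passwd -> jump over pam_unix
    "pam_unix.so": "auth_err",        # never consulted for this user
    "pam_sss.so": "success",
    "pam_deny.so": "auth_err",
}
IPA_USER_BAD_OTP = dict(IPA_USER_GOOD, **{"pam_sss.so": "auth_err"})
LOCAL_USER = dict(IPA_USER_GOOD, **{"pam_localuser.so": "success", "pam_unix.so": "success"})

def report(outcomes):
    status, decider, _ = run_auth_stack(parse_auth_stack(OPENVPN_AUTH_STACK), outcomes)
    return status, decider

if __name__ == "__main__":
    for name, scenario in [("IPA user, good OTP", IPA_USER_GOOD),
                           ("IPA user, bad OTP", IPA_USER_BAD_OTP),
                           ("local user", LOCAL_USER)]:
        status, decider, trace = run_auth_stack(parse_auth_stack(OPENVPN_AUTH_STACK), scenario)
        print(f"== {name}: {status} (decided by {decider})")
        print("   " + "\n   ".join(trace))
```

With this stack a FreeIPA user never reaches pam_unix.so: pam_localuser.so fails, the `default=1` jumps over pam_unix.so, and pam_sss.so with `forward_pass` is the only module that can grant the login. When SSSD rejects the single "password+otp" string, `sufficient` treats that as ignore and the stack falls through to pam_deny.so, which is where the generic "invalid password" comes from; the useful detail about why SSSD rejected it is therefore in the SSSD side, not in what OpenVPN reports.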