Thanks everyone
I'm sorry, I should have been much clearer; I apologize.
Yes, I use PAM with OpenVPN to authenticate user clients:
"plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers
is a --servicecat=all:
Rule name: allowvpnusers
Service category: all
Enabled: TRUE
User Groups: vpnusers
Hosts:
vpn.internaldom.com
What I wanted to know is what specific services I can allow for the
vpnusers, instead of granting them full access to the server.
On Mon, Sep 17, 2018 at 4:49 PM Jochen Hein <jochen(a)jochen.org> wrote:
>
> Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
> writes:
>
> > Sina Owolabi via FreeIPA-users wrote:
> >> Hi List
> >>
> >> I’ve been struggling with this for a while and I would really appreciate
> >> some advice.
> >> I have an openvpn server using freeIPA to authenticate users logging
> >> into the office VPN.
> >> Currently all users have access to all services on the OpenVPN server.
> >> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
> >> them to have access to anything else?
> >
> ...
> > What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> > configured for auth.
>
> To elaborate that somewhat more: It depends how you authenticate your
> users. The most simple way is to enable PAM authentication in your
> server config:
>
> ,----
> | plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
> `----
>
> Then you create a file /etc/pam.d/openvpn and can use sssd there. Your
> HBAC rule needs to allow the openvpn service for the users.
>
> You could also authenticate against LDAP or RADIUS and juggle with
> groups, but PAM is really easier.
>
> Jochen
>
> --
> This space is intentionally left blank.
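The PAM-plus-HBAC setup Jochen describes, as an added example that is not from the thread: it assumes the OpenVPN plugin line names the PAM service "openvpn" (as in Jochen's config, not the "login" used in the reply above, which would make HBAC see console login rather than a VPN-only service), and the IPA_CMD and PAM_DIR variables are hypothetical overrides so the functions can be dry-run.

```shell
#!/bin/sh
# Added example: restrict an IPA HBAC rule from "Service category: all" to a
# dedicated "openvpn" PAM service. IPA_CMD/PAM_DIR are overrides for dry runs.
IPA_CMD="${IPA_CMD:-ipa}"
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# PAM stack used by openvpn-plugin-auth-pam.so. The file name must equal the
# service name on the "plugin ... openvpn-plugin-auth-pam.so openvpn" line;
# that same name is what sssd reports to IPA as the HBAC service.
# pam_sss.so in the account phase is where HBAC is actually enforced.
write_pam_openvpn() {
    cat > "$PAM_DIR/openvpn" <<'EOF'
#%PAM-1.0
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
}

# $1 = rule name. Register "openvpn" as an HBAC service if missing, drop the
# "all services" category, and attach only openvpn. The rule's existing user
# group and host entries are left untouched.
restrict_vpn_hbac() {
    rule="$1"
    "$IPA_CMD" hbacsvc-show openvpn >/dev/null 2>&1 ||
        "$IPA_CMD" hbacsvc-add openvpn --desc="OpenVPN PAM service"
    "$IPA_CMD" hbacrule-mod "$rule" --servicecat="" &&
    "$IPA_CMD" hbacrule-add-service "$rule" --hbacsvcs=openvpn
}

# $1 = user, $2 = VPN host FQDN. IPA's HBAC simulator should now report the
# user as allowed for openvpn and denied for other services such as sshd.
check_vpn_hbac() {
    user="$1"; host="$2"
    "$IPA_CMD" hbactest --user="$user" --host="$host" --service=openvpn
    "$IPA_CMD" hbactest --user="$user" --host="$host" --service=sshd
}

# Run as: sh restrict_openvpn_hbac.sh apply RULE USER (on the VPN host,
# which must be an enrolled IPA client running sssd).
if [ "${1:-}" = "apply" ]; then
    write_pam_openvpn
    restrict_vpn_hbac "$2"
    check_vpn_hbac "$3" "$(hostname -f)"
fi
```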