Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
Sina Owolabi via FreeIPA-users wrote:
> Hi List
>
> I’ve been struggling with this for a while and I would really appreciate
> some advice.
> I have an openvpn server using freeIPA to authenticate users logging
> into the office VPN.
> Currently all users have access to all services on the OpenVPN server.
> How do I use HBAC to properly restrict them to just OpenVPN? Do I need
> them to have access to anything else?
...
What HBAC rules you need for OpenVPN depends on how you have OpenVPN
configured for auth.
To elaborate on that somewhat more: it depends on how you authenticate your
users. The simplest way is to enable PAM authentication in your
server config:
,----
| plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
`----
Then you create a file /etc/pam.d/openvpn in which you can use sssd. Your
HBAC rule needs to allow the openvpn service for the users.
You could also authenticate against LDAP or RADIUS and juggle with
groups, but PAM is really easier.
Jochen
--
This space is intentionally left blank.
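The three pieces Jochen describes (plugin line in the OpenVPN server config, /etc/pam.d/openvpn using sssd, an HBAC rule for the openvpn service) assembled into one script, as an added example that is not code from the thread, from FreeIPA or from OpenVPN. It assumes the VPN host is already enrolled with ipa-client-install (so SSSD's access provider is ipa), keeps the plugin path from the thread (RHEL/Fedora ship it under /usr/lib64/openvpn/plugins/ instead), and uses vpn.example.com, vpn-users and alice as placeholder names. The point it makes beyond the mail: the last word of the plugin line is the PAM service name, which is also the file name under /etc/pam.d/ and the HBAC service name, and all three must agree; the default allow_all rule has to be disabled or no HBAC rule restricts anything.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA/OpenVPN projects.
# Assumptions: host enrolled with ipa-client-install, plugin path as in the
# thread (RHEL/Fedora: /usr/lib64/openvpn/plugins/), placeholder names below.

PAM_SERVICE=openvpn          # plugin argument == /etc/pam.d/<name> == HBAC service name
VPN_HOST=vpn.example.com     # FQDN of the OpenVPN server as enrolled in IPA (placeholder)
VPN_GROUP=vpn-users          # IPA group allowed to use the VPN (placeholder)
TEST_USER=alice              # placeholder user for ipa hbactest

# 1. OpenVPN server config line. The trailing word is the PAM service name that
#    pam_sss sends to the IPA server, so it is what the HBAC rule must name.
openvpn_plugin_line() {
    printf 'plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so %s\n' "$1"
}

# 2. /etc/pam.d/<service>. "auth" verifies the password against IPA; "account"
#    is where pam_sss applies the HBAC decision, so without it every enrolled
#    user with a correct password gets in regardless of HBAC.
pam_stack() {
    cat <<'EOF'
auth     required   pam_sss.so
account  required   pam_sss.so
EOF
}

# 3. IPA-side commands (run with admin credentials). openvpn is not one of the
#    default HBAC services, so it is created first; the rule is scoped to the
#    VPN host and one user group; allow_all is disabled, otherwise it keeps
#    granting every user every service on every host.
ipa_commands() {
    svc=$1; host=$2; group=$3
    cat <<EOF
ipa hbacsvc-add $svc --desc="OpenVPN PAM service"
ipa hbacrule-add allow_$svc --desc="$group may log in to OpenVPN on $host"
ipa hbacrule-add-service allow_$svc --hbacsvcs=$svc
ipa hbacrule-add-host allow_$svc --hosts=$host
ipa hbacrule-add-user allow_$svc --groups=$group
ipa hbacrule-disable allow_all
EOF
}

# Consistency check that needs no IPA access: pull the PAM service name out of
# an OpenVPN server config so it can be compared with the HBAC service name.
# Exit status 1 when the config has no auth-pam plugin line at all.
pam_service_from_conf() {
    awk '$1 == "plugin" && $2 ~ /openvpn-plugin-auth-pam\.so$/ { print $NF; found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# Dry run by default: print what goes where. APPLY=1 runs the ipa commands and
# then asks the server for the HBAC decision for one user.
echo "# --- append to the OpenVPN server config ---"
openvpn_plugin_line "$PAM_SERVICE"
echo "# --- /etc/pam.d/$PAM_SERVICE ---"
pam_stack
echo "# --- with an admin Kerberos ticket (kinit admin) ---"
ipa_commands "$PAM_SERVICE" "$VPN_HOST" "$VPN_GROUP"
echo "ipa hbactest --user $TEST_USER --host $VPN_HOST --service $PAM_SERVICE"
if [ "${APPLY:-0}" = 1 ]; then
    ipa_commands "$PAM_SERVICE" "$VPN_HOST" "$VPN_GROUP" | sh -e
    ipa hbactest --user "$TEST_USER" --host "$VPN_HOST" --service "$PAM_SERVICE"
fi
```

Run it once as a dry run and compare `pam_service_from_conf /etc/openvpn/server.conf` (path is a placeholder) with the name used in the ipa commands before applying; `ipa hbactest` at the end is the check that the rule actually admits a VPN user and, run with a user outside the group, that it denies one.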