Since the name of the PAM file I created is /etc/pam.d/openvpn,
then this would be
"ipa hbacsvc-add --desc="pam Openvpn service" openvpn" ...?
On Tue, Sep 18, 2018 at 9:13 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On ti, 18 syys 2018, Sina Owolabi via FreeIPA-users wrote:
> >Thanks everyone
> >I'm sorry, I should have been much clearer, I apologize.
> >Yes I use PAM with openvpn to authenticate user clients
> >"plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login"
> >I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers
> >is --servicecat=all:
> >Rule name: allowvpnusers
> > Service category: all
> > Enabled: TRUE
> > User Groups: vpnusers
> > Hosts: vpn.internaldom.com
> >What I wanted to know, is what specific services can I allow for the
> >vpnusers, instead
> >of granting them full access to the server.
> The name of the pam config file. HBAC service names = names of
> configurations for PAM, in /etc/pam.d/<name>.
> >On Mon, Sep 17, 2018 at 4:49 PM Jochen Hein <jochen(a)jochen.org> wrote:
> >> Rob Crittenden via FreeIPA-users
> >> writes:
> >> > Sina Owolabi via FreeIPA-users wrote:
> >> >> Hi List
> >> >>
> >> >> I’ve been struggling with this for a while and I would really
> >> >> some advice.
> >> >> I have an openvpn server using freeIPA to authenticate users
> >> >> into the office VPN.
> >> >> Currently all users have access to all services on the OpenVPN
> >> >> How do I use HBAC to properly restrict them to just OpenVPN? Do I
> >> >> them to have access to anything else?
> >> >
> >> ...
> >> > What HBAC rules you need for OpenVPN depends on how you have OpenVPN
> >> > configured for auth.
> >> To elaborate that somewhat more: It depends how you authenticate your
> >> users. The most simple way is to enable PAM authentication in your
> >> server config:
> >> ,----
> >> | plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
> >> `----
> >> Then you create a file /etc/pam.d/openvpn and can use sssd there. Your
> >> HBAC rule needs to allow the openvpn service for the users.
> >> You could also authenticate against LDAP or RADIUS and juggle with
> >> groups, but PAM is really easier.
> >> Jochen
> >> --
> >> This space is intentionally left blank.
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
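The procedure the thread converges on (HBAC service name = PAM config file name under /etc/pam.d, then narrow the existing --servicecat=all rule to just that service), written out as an added shell example that is not from any poster in the thread. It assumes an enrolled IPA client with an admin Kerberos ticket; the rule name, host and PAM file come from the thread, while the user name passed to hbactest is a placeholder, and DRY_RUN=1 only prints the ipa commands.

```shell
#!/bin/sh
# Added example (not from the thread). Restrict HBAC rule "allowvpnusers"
# to the PAM service that openvpn-plugin-auth-pam.so actually uses.

PAM_FILE=/etc/pam.d/openvpn
RULE=allowvpnusers
VPN_HOST=vpn.internaldom.com
VPN_USER=${VPN_USER:-someuser}   # placeholder, replace with a real vpnusers member

# The HBAC service name must equal the PAM config file name in /etc/pam.d.
hbac_service_for() { basename "$1"; }

# PAM stack for /etc/pam.d/openvpn: pam_sss handles both the password check
# (auth) and the HBAC decision (account); without the account line HBAC is
# never consulted for this service.
pam_stack() {
  printf '%s\n' \
    'auth     required pam_sss.so' \
    'account  required pam_sss.so'
}

# Print instead of executing when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

restrict_rule() {
  svc=$(hbac_service_for "$PAM_FILE")
  run ipa hbacsvc-add "$svc" --desc="OpenVPN PAM service"
  # "all" category and explicit services are mutually exclusive, so clear
  # the category first, then attach only the openvpn service.
  run ipa hbacrule-mod "$RULE" --servicecat=""
  run ipa hbacrule-add-service "$RULE" --hbacsvcs="$svc"
  # Simulate before trusting it: openvpn should be allowed, sshd should not.
  run ipa hbactest --user="$VPN_USER" --host="$VPN_HOST" --service="$svc"
  run ipa hbactest --user="$VPN_USER" --host="$VPN_HOST" --service=sshd
}

# Usage: DRY_RUN=1 sh this_script.sh   (prints the commands)
#        pam_stack > /etc/pam.d/openvpn && restrict_rule   (applies them)
```

The second hbactest call is the check that the users really lost access to everything except the VPN service on that host.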