There is a mistake. pam_ldap must be configured before system-auth.
Here is the correct config example.
vi /etc/pam.d/openvpn
#%PAM-1.0
auth sufficient /lib64/security/pam_ldap.so
account sufficient /lib64/security/pam_ldap.so
password required /lib64/security/pam_ldap.so
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
JWD
From: JWD
Sent: 2016-03-21 09:51
To: openvpn-users
Subject: [Openvpn-users] Re: Is it possible that use multi auth plugin at the same time?
Now I have made it work with PAM, authenticating local and LDAP accounts at the same time.
Here is an example to share with anybody who needs it. I hope it will be helpful.
But the question is still there: can I use 2 auth plugins at the same time?
CentOS 6.5 x64
yum install pam_ldap -y
vi /etc/pam_ldap.conf
host ldap.example.com
base dc=example,dc=com
binddn CN=openvpn,CN=users,DC=example,DC=com
bindpw openvpn-password
scope sub
#pam_groupdn cn=openvpn,ou=groups,dc=example,dc=com
#pam_min_uid 0
#pam_max_uid 0
# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
# Note: do not put quotes around binddn/bindpw, even if they contain spaces
vi /etc/pam.d/openvpn
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
auth sufficient /lib64/security/pam_ldap.so
account sufficient /lib64/security/pam_ldap.so
password required /lib64/security/pam_ldap.so
# Note: both local accounts and LDAP accounts can authenticate
vi /etc/openvpn/vpn-server.conf
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
pkill -HUP openvpn
JWD
From: JWD
Sent: 2016-03-20 20:15
To: openvpn-users; openvpn-users
Subject: [Openvpn-users] Is it possible that use multi auth plugin at the same time?
After auth-pam login failed, user can login by auth-ldap. Is it possible?
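
Added example, not part of the original thread: a simplified Python model of how Linux-PAM evaluates the `required`, `requisite` and `sufficient` control flags, showing why the auth stack with `system-auth` included before `pam_ldap.so` rejects LDAP users while the corrected order accepts both account types. The contents of `system-auth`, the sample user names and the omission of the `pam_securetty.so` line are assumptions made for the illustration.

```python
# Simplified model of a Linux-PAM auth stack walk (added illustration).
# Only required / requisite / sufficient are modelled; pam_securetty.so is omitted.

LOCAL_USERS = {"root", "alice"}   # constructed sample local accounts
LDAP_USERS = {"bob"}              # constructed sample directory account

# Each module maps a user name to True (success) or False (failure).
MODULES = {
    "pam_env.so": lambda user: True,
    "pam_unix.so": lambda user: user in LOCAL_USERS,
    "pam_deny.so": lambda user: False,
    "pam_ldap.so": lambda user: user in LDAP_USERS,
}

# ASSUMPTION: a typical auth section of system-auth; the thread does not show it.
SYSTEM_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]
LDAP = [("sufficient", "pam_ldap.so")]

ORIGINAL_ORDER = SYSTEM_AUTH + LDAP    # system-auth included first
CORRECTED_ORDER = LDAP + SYSTEM_AUTH   # pam_ldap.so listed first


def authenticate(stack, user):
    """Return True if the modelled stack would grant access to `user`."""
    failed = False      # a required/requisite module has failed
    succeeded = False   # a required/requisite module has succeeded
    for control, module in stack:
        ok = MODULES[module](user)
        if control == "sufficient":
            # Success ends the stack only if nothing required failed earlier;
            # a failure of a sufficient module is ignored.
            if ok and not failed:
                return True
            continue
        if ok:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                return False   # requisite failure aborts immediately
    return succeeded and not failed


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_ORDER), ("corrected", CORRECTED_ORDER)):
        for user in ("alice", "bob", "mallory"):
            print(name, user, authenticate(stack, user))
```

In the original order the LDAP-only user reaches `pam_deny.so` before `pam_ldap.so` runs, so the later `sufficient` success cannot override the recorded failure.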