Linking privacyidea to OpenVpn

Greetings ,

I’m testing out privacyidea on the Univention server and i was surprised by
the simplicity of combining this two tools , however i couldn’t find any
guide lines on configuring privacyidea and openvpn together specially with
PAM.

All the guides that i could find online are for openvpn with google
authenticator.

any ideas and suggestions are highly appreciated ,
thanks

Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wZ3Atc2lnbmF0dXJlOyBuYW1lPSJzaWduYXR1cmUu
YXNjIg0KQ29udGVudC1EZXNjcmlwdGlvbjogT3BlblBHUCBkaWdpdGFsIHNpZ25hdHVyZQ0KQ29u
dGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9InNpZ25hdHVyZS5hc2MiDQoN
Ci0tLS0tQkVHSU4gUEdQIFNJR05BVFVSRS0tLS0tDQpWZXJzaW9uOiBHbnVQRyB2MQ0KDQppUUlj
QkFFQkFnQUdCUUpWWGdwREFBb0pFQkJoWkZVdWpZRkpLSlVRQUxGRUR5ZExsYStRS1l1T251TEpK
UXFRDQp4emEvYU9WQmVGRHBsNW5hNTVXRlNVT043V3dnR3FzZ2FDZ3N6YnJYY0tmMGxsSnBUU0Mw
c0JzOWQ5ZER3RXpSDQo5M0NsbnJ1aDVFUEdEd1N5blJIOEw4cnpDM1FDaFByTFU2WnJrN2pQcEIw
NjVxNWlKa0tobE9HMnVVUVVXUXJUDQpaNUdnYmVzQ1hpaHgwOThoUGlXaWhSQnJGdGVTQVBXOGlu
OWNKWXVoV2hYMnhORy9WOUZYVHZFWldGZUMzNTlPDQpja3p0RUMwdSswTVZ0cERsK3liWDhibytD
NnFGOGdqQWoyMVFsNVN5SXBtd0d2cVVGaE5GdEJLaFJOZXkyM3BwDQovYUtTanFkUFNsT0ZBUXE1
UTBXUzJjaGRzMWFxbytYTlV2UUZoVWV3OGpkWktZSis5YnFaZVFzNC9IK1hJZTQvDQpDUCtUcFdn
c2hIcTVISnJzdWRxck1EdDRWZWMveGVCYkNlWFp2ZjlmZGViazV2bHMzMlBuTGhRQjlsbXd6V1p0
DQozNWhrSG1TVzJyajZRNHFLSDFMYlFuakhvM2d6T0RCWlhEVkdzY2FpRjJPYWs5b1RVc0FmOHA5
d2VwaTRpSisrDQo3c3VVOU4wTk1RWWNYc29NYmg0TUdHdURlUHVrV0lSR29JL1FHZ2lLY2xkRWU5
Q1BaY29Ca2RlaEdFZE5qNy9iDQpYT1dleklaWWEyUkMwSk1lZ052OXVKUTlnTm4xd1R4ZnFuOWpK
NkZqYnBwSm9rZU11dlJpbDZISHQ4RmV3QWRuDQphYU9yUFp1eXNSdk82NXdDMUUydXI1bE45T1F0
a2hyS2RxQURnVmhxV0pUUVBGS09jVzh2NXp5M3c2KzNmRnh0DQo4L1VMT1BMQXhKSVlJREVSWVc3
Tg0KPVZyaEoNCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQ0K

Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wZ3Atc2lnbmF0dXJlOyBuYW1lPSJzaWduYXR1cmUu
YXNjIg0KQ29udGVudC1EZXNjcmlwdGlvbjogT3BlblBHUCBkaWdpdGFsIHNpZ25hdHVyZQ0KQ29u
dGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9InNpZ25hdHVyZS5hc2MiDQoN
Ci0tLS0tQkVHSU4gUEdQIFNJR05BVFVSRS0tLS0tDQpWZXJzaW9uOiBHbnVQRyB2MQ0KDQppUUlj
QkFFQkFnQUdCUUpWWHlJQUFBb0pFQkJoWkZVdWpZRkppN3NRQUxlZ0hJUTZxN0VvYUxQa1dqL0Y4
RjN6DQpMdllqc0M3eUI5RWMxMkFLbXhXaXJwRjhhNGtoSUNuOEhkaGVMYUJvMWROYzM1YlBzVUNh
S2dLb0RWSlpnaURYDQpZcTlOeUpvS3NybWJMSHlhK2lGc1NwR0lJS2JFcXM3RHYyNUdlcml6Zkxx
YUFKQUduOG8zRU5lSVNzNjFsNWQxDQorODFhZ20xc2xLUUlDYjVVMnhCNk4zMm1jWnNVVzdvL0pE
aDdpQ1dFOG5SWUxCZEN1MVB4TkNlNlVSZWgvbGMwDQpCbTUzZ2NtNTdmSVczeTJmeG54T3g0ZkR1
bmdxY0NQZGJsTTA3TVZ5YVFML0hTK1lGMUxuejQzNm9kd0I0alFlDQpSaGl4V3RmM1JEWlgvdndE
VnhCWk10cHJMYWkzVWdUTU43R0IvWHlmY0w1V0I2ZWdzYW5QeGI4NWVSTHZpTW51DQpKRmVsLzlN
ZXVmUm5ocDJ1KzJtbzhZZUh6bXRSR045ZkVsSENncWl1YWx3UUhuZlRHaXJUbXpRZGl1WkR6RHVK
DQoyaElveTRONWNSc1ZNT0s5Q1UzV25wODljU1JNdHM5ZG1MRU9hck55RndOVzNGRTJRbEVXQXBC
Z1pTc1hiUFBDDQpVQW5PUW5EM3RXcktqQkxvSDhxTExVK3NGV2JNYlRZZHYxWlFiN3RQZlVjb3Nq
ZjFMeGhXbzNvNWF3TjZYN2dODQpjREtNTVpBTTVGYmZ6TDFDcStkS01WZ29VdmY5Q3FmcmV6Y2tB
N3JVekJpWXFwYm5Tb1FQS3lmQ1dvN0FocGNvDQpjTVZDUXlWbktzVWI3dURBSTY3V1JGVGc4Z1Vj
N2wzenE3d3M2K1prSVgzQ0hvOGgrNUFyakxhK1JpZDd1NHoyDQp1aU52WkJxbUlyQWZMM1NrVE5v
Qg0KPWN6STINCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQ0K

Thanks for the answer i’ve tried configuring my server as the following :
#/etc/pam.d/openvpn-pam:

auth sufficient pam_python.so /root/privacyidea_pam.py url=
https://172.23.0.154/privacyidea prompt=privacyIDEA_Authentication
account sufficient /lib/x86_64-linux-gnu/security/pam_permit.so debug
session sufficient /lib/x86_64-linux-gnu/security/pam_permit.so debug

#etc/openvpn/server.conf

Constant values

dh /etc/openvpn/dh2048.pem
ca /etc/univention/ssl/ucsCA/CAcert.pem
cert /etc/univention/ssl/ucs-6655/cert.pem
key /etc/univention/ssl/ucs-6655/private.key
crl-verify /etc/openvpn/crl.pem
ifconfig-pool-persist ipp.txt
push "route None None"
push "dhcp-option DNS 172.23.0.154"
push "dhcp-option DOMAIN tst.intranet"
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 1
mute 5
status /var/log/openvpn/openvpn-status.log
management /var/run/management-udp unix
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpn-pam
dev tun
topology subnet

Values which can be changed through UDM

port 1194
server 172.23.1.0 255.255.255.0
proto udp
proto udp
push "redirect-gateway"
duplicate-cn

Then i try to login by using a valid username and a password as "pinotp"
but i get the following error in ucs console :

AUTH-PAM: BACKGROUND: user ‘damdoek’ failed to authenticate: Permission
denied

any ideas about this ?Le jeudi 21 mai 2015 16:09:32 UTC+1, zerhouni saad a écrit :

Greetings ,

I’m testing out privacyidea on the Univention server and i was surprised
by the simplicity of combining this two tools , however i couldn’t find any
guide lines on configuring privacyidea and openvpn together specially with
PAM.

All the guides that i could find online are for openvpn with google
authenticator.

any ideas and suggestions are highly appreciated ,
thanks

Ok so i had pam working fine for SSH i forgot to say that before , but
openvpn wasn’t able to connect , so after some few tests i managed to get
it working by using the following configuration :

auth requisite pam_nologin.so

auth sufficient pam_python.so
/root/privacyidea_pam.py url=https://172.23.0.154/privacyidea
prompt=privacyIDEA_Authentication nosslverify

auth sufficient pam_unix.so try_first_pass

account sufficient /lib/x86_64-linux-gnu/security/pam_permit.so debug

session sufficient /lib/x86_64-linux-gnu/security/pam_permit.so debug

auth [success=done new_authtok_reqd=ok user_unknown=ignore
service_err=die authinfo_unavail=die default=ignore]
pam_krb5.so $

auth [success=done new_authtok_reqd=ok user_unknown=die
service_err=die authinfo_unavail=die default=die]
pam_ldap.so use_fi$

and i changed the default realm to my tst.intranet which contains the ldap
users .

thank you for the help and i’m looking forward to get this configuration
automaticly in the future :DLe jeudi 21 mai 2015 16:09:32 UTC+1, zerhouni saad a écrit :

Greetings ,

I’m testing out privacyidea on the Univention server and i was surprised
by the simplicity of combining this two tools , however i couldn’t find any
guide lines on configuring privacyidea and openvpn together specially with
PAM.

All the guides that i could find online are for openvpn with google
authenticator.

any ideas and suggestions are highly appreciated ,
thanks

Q29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi9wZ3Atc2lnbmF0dXJlOyBuYW1lPSJzaWduYXR1cmUu
YXNjIg0KQ29udGVudC1EZXNjcmlwdGlvbjogT3BlblBHUCBkaWdpdGFsIHNpZ25hdHVyZQ0KQ29u
dGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9InNpZ25hdHVyZS5hc2MiDQoN
Ci0tLS0tQkVHSU4gUEdQIFNJR05BVFVSRS0tLS0tDQpWZXJzaW9uOiBHbnVQRyB2MQ0KDQppUUlj
QkFFQkFnQUdCUUpWWHd3NEFBb0pFQkJoWkZVdWpZRkpLcWdRQUtLckFmNnlpWXNJRnh6YzhRWFlC
dElpDQpFRzNIMXJ5Z1JsM09yelI2SDQweWVTUWdSUzB2d3ZTcnFWUXh1OGFEd3hkUGREZkhBWFFZ
cUE0cEpKOG9Gd0d0DQpQaXJTUThydm5CbkVpVHo4OVgxb0IrdTlocmJ5aWtEdXlpRkRuVFlSck9a
aVlhUUs4aTNWa2lUTm1pUDJlM291DQpwVWZaeUJhRUFJM0FaSGM0TytiWUtwUm5Yc0g2MDR1UlhO
cnAxWnRFdDZSTm9JMWpjRlNKaWJwNkJNM2JGckgyDQpRdEZSNFNOMXAwVzYwcjJwaWdHOFE0cnlI
ekRlZlQzM1pSeHM4N3Vyd2grNEEzbFFDRUt3eHVaZ2pvUnlaN1NTDQpGWERvaGUvN1BySnFkTy90
VXFUVUZTMVNiMkEvWWNnTCtOd0RxeXA5V1ZscEVmUHBscGkxNVQ3dVNXRzJaUHdVDQpoZDVXUHdp
Tjk4NGVmU1hRbzRvY2hkb1VtdmlCMm9saGlIRkZsa1V2VXRJWTFXWFVaVncraFlLWStwS3NUWlcy
DQpXZ3pKSVljOVRlaFNLcE9NWHh5WjBhRHhNY2dxcVFQcDJ4ckRtYzArWWw2RndTb1NMV253RnpC
WElFcytkRlZnDQpiaURkem1iQ2dKS2trTUM0UjBQRVI1ZGQ5UmplWVlPQVZKK2toaWRIRU1Bakhz
UmZMbGNtbkFPMnA5S2xkVUlFDQpxaTFhaE9yZk8ybWIvMHdFQnJFVWVIdE1tYlA2Zit1TXJxM2F0
ZlZuSVl0V3RDRHB0Q3JLNG03cW9XU1EwSyt5DQpOMW1nd0xtbHR1K3hBZUdiYzZlbkVyWVhUQk5p
VCswUVFtU1B6RHByM1crWkJvdWpSWW52NGdJZi9TSlBmNEgxDQpZKzZyeDU5WW1HQ2oxdFl5SXB0
aQ0KPS9ZWG4NCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQ0K