Openvpn + pam_module + ubuntu 16.04

Hi everyone.
I’ve installed privacyidea server, configured LDAP integration, enrolled the new token.
Then I tried to configure OTP for OpenVPN but faced an issue.

My config:

root@openvpnubuntu:/etc/openvpn# cat /etc/pam.d/openvpn 
auth    [success=1 default=ignore] /lib/security/ url= prompt=privacyIDEA_Authentication debug
auth    requisite 
auth    required  
session sufficient
account sufficient

root@openvpnubuntu:/etc/openvpn# cat /etc/openvpn/server.conf 
#explicit-exit-notify 1
#conf for privacy idea
reneg-sec 0
plugin /usr/lib/openvpn/ openvpn

I’ve faced the issue that the PAM module didn’t connect to the privacyIDEA server.
I assume that the PAM module does not execute in the proper way.

Could you please help with it?

Take a look into /var/log/auth.log. This will tell you everything that is happening in the PAM stack and you should see the problem immediately.

Hi, Thanks.
I’ve added the ‘nosslverify’ parameter and the PAM module has started checking passwords.

But I’ve faced another issue.
I’ve input the correct token for authorisation. (I checked that it is correct with the privacyIDEA web UI.)

Then, I can see the following logs in auth.log:
Mar 5 12:07:49 openvpnubuntu openvpn: requests > 1.0
Mar 5 12:07:49 openvpnubuntu openvpn: privacyidea_pam: result: {u'status': True, u'value': True}
Mar 5 12:07:49 openvpnubuntu openvpn: privacyidea_pam: detail: {u'message': u'matching 1 tokens', u'type': u'hotp', u'serial': u'OATH000047C9', u'otplen': 6, u'threadid': 140333286156032}
Mar 5 12:07:49 openvpnubuntu openvpn: privacyidea_pam: offline save authitem: None
Mar 5 12:08:49 openvpnubuntu openvpn: PAM (openvpn) illegal module type: login
Mar 5 12:08:49 openvpnubuntu openvpn: PAM pam_parse: expecting return value; [...auth]

But in OpenVPN logs I can see the following errors:
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: my_conv[0] query='privacyIDEA_Authentication: ' style=1
/usr/lib/python2.7/dist-packages/urllib3/ InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See:
AUTH-PAM: BACKGROUND: user 'user1' failed to authenticate: Authentication failure
Tue Mar 5 12:08:49 2019 us=260390 PLUGIN_CALL: POST /usr/lib/openvpn/ status=1
Tue Mar 5 12:08:49 2019 us=260457 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/

And the OpenVPN client tells me that the password is incorrect.

It is all about reading the log files.
You tell me what "illegal module type: login" means when openvpn says this.
I do not know this. So probably your openvpn config is wrong.

The privacyIDEA part was successful as you can see in the logs and in the audit log.
So obviously openvpn does not like your configuration.

Thanks for fast response.
Maybe the issue is caused by the latest OpenVPN server on Ubuntu 16.04 having the following plugin:
/usr/lib/openvpn/ ?

And the documentation for privacyIDEA requires using:

Dear Cornelius,
Thank you very much for hints.
I found the root of the problem.
Some PAM debug configs prevented it from working correctly. (My bad)

Now all works fine.
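
The two PAM messages in the auth.log excerpt earlier in this thread (`illegal module type` and `pam_parse: expecting return value`) are reported by libpam while it parses the service file. As an added example, not part of the thread or of privacyIDEA, here is a small Python linter for `/etc/pam.d/` files that flags both conditions; the sample file and its module paths are constructed placeholders, and `lint_pam` is a hypothetical helper name.

```python
import re

# Constructed sample, not the poster's file; module paths are placeholders.
SAMPLE = """\
auth    [success=1 default=ignore] /path/to/first_module.so debug
login   required   /path/to/second_module.so
auth    [success=1 auth] /path/to/third_module.so
auth    requisite
"""
TYPES = {"auth", "account", "password", "session"}
KEYWORDS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# Return-value names accepted inside a [value=action ...] control (pam.conf(5)).
RETURNS = set("""success open_err symbol_err service_err system_err buf_err
perm_denied auth_err cred_insufficient authinfo_unavail user_unknown maxtries
new_authtok_reqd acct_expired session_err cred_unavail cred_expired cred_err
no_module_data conv_err authtok_err authtok_recover_err authtok_lock_busy
authtok_disable_aging try_again ignore abort authtok_expired module_unknown
bad_item conv_again incomplete default""".split())
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}
LINE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s*(.*)$")

def lint_pam(text):
    """Return (line_number, problem) pairs for a /etc/pam.d/ service file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            findings.append((n, "incomplete line"))
            continue
        mtype, control, rest = m.groups()
        if mtype.lstrip("-").lower() not in TYPES:
            findings.append((n, f"illegal module type: {mtype}"))
        if control.startswith("["):
            if not control.endswith("]"):
                findings.append((n, "unterminated [ ... ] control"))
            for tok in control.strip("[]").split():
                value, _, action = tok.partition("=")
                if value not in RETURNS:
                    findings.append((n, f"expecting return value: {tok}"))
                elif action not in ACTIONS and not action.isdigit():
                    findings.append((n, f"expecting action: {tok}"))
        elif control.lower() not in KEYWORDS:
            findings.append((n, f"unknown control: {control}"))
        if not rest:
            findings.append((n, "missing module path"))
    return findings
```

Running `lint_pam(open("/etc/pam.d/openvpn").read())` on the server lists each offending line number, which can be matched against the messages in `/var/log/auth.log`.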