OpenVPN + PrivacyIdea + LDAP

Hi,
we have OpenVPN, PrivacyIdea and LDAP on separate VMs and are trying to configure OpenVPN to work with PrivacyIdea, and have had no luck.
The LDAP is connected and when we test the connection we get the users. So PrivacyIdea and LDAP are correctly configured. Now it is just a problem with OpenVPN. Because the docs are outdated we can’t follow them, but anyway we tried with this

auth    [success=1 default=ignore]      pam_python.so /path/to/privacyidea_pam.py url=https://your.privacyidea.server
auth    requisite           pam_deny.so
auth    required            pam_permit.so
session sufficient          pam_permit.so
account sufficient          pam_permit.so

And before that we installed the PAM following the readme of this repository: GitHub - privacyidea/privacyidea-pam: Module for Linux PAM stack to authenticate users against privacyIDEA
and also tried downloading the pam from the archive repository: GitHub - privacyidea/pam_python: Add two factor authentication to PAM via privacyIDEA
and had no luck.

If anyone has made this work, can you maybe share the config files so we can have an up-to-date example of how to make it work?

Don't mix things up.

You do not need pam_python when using the new C-based privacyidea pam.

Forget about pam_python and privacyidea_pam.py.
Use the C based one:

Release: Releases · privacyidea/privacyidea-pam · GitHub
or compile yourself.
privacyidea-pam/README.md at main · privacyidea/privacyidea-pam · GitHub

Take a look at the examples here:

Thanks for the reply. If I understand this correctly, the pam should look like this:
/etc/pam.d/openvpn

#
# /etc/pam.d/privacyidea-auth - authentication settings for services that should use 2FA with privacyIDEA
#
# This config can be used to solely authenticate against privacyIDEA
#
# It comes with no warranty.
#
auth   [success=1 default=ignore]   pam_privacyidea.so url=https://server_ip
# fallback if privacyidea fails
auth	requisite			pam_deny.so
auth	required			pam_permit.so
auth	optional			pam_cap.so 

So I don’t need to specify the path for pam_privacyidea.so to /lib64/security/pam_privacyidea.so?

And one more question: do I need to have the OTP created, or does this work just fine with the LDAP realm and LDAP credentials? For a start I just want to go slow and test to see if the basics work.

Depends on your Linux distro. Test it.

This depends on your privacyIDEA configuration. Authentication policies.
Yes, you can have it this way e.g. by using a passthru policy.

Note: The user (loginname) also needs to exist (or needs to be found) on the system where you are logging in. (However, this is out of scope of privacyidea.)

I just tried with the sample config and it is still not working. I searched for logs and found this in journalctl pam:

openvpn[371]: PAM unable to dlopen(/lib64/security/pam_privacyidea.so): /lib64/security/pam_privacyidea.so: undefined symbol: pam_get_user
openvpn[371]: PAM adding faulty module: /lib64/security/pam_privacyidea.so

What do you think this error could mean?
What does it actually say?

“undefined symbol: pam_get_user”

Hint: This is a compiled and linked C module that is calling something that cannot be found (“undefined symbol”). This has nothing to do with privacyIDEA/the module itself, but with the fact that it does not run on your distribution. Either you are missing dependencies or you need to compile it yourself, anew.
I cannot tell. Only you can, since you know your system.

I googled and found no solution. I fixed the “undefined symbol: pam_get_user” by building from source from GitHub. I followed the instructions to install all libraries, copied that one file into includes and compiled, but now there is another of these errors, “curl_easy_perform”. I searched Google with no luck; I even found someone who asked in this forum and still got no answer or solution. So we are unable to make this happen on OpenVPN with privacyIDEA.

I checked all the things he did: Issue with pam_privacyidea.so module and libcurl dependency

openvpn[140]: PAM unable to dlopen(/lib64/security/pam_privacyidea.so): /lib64/security/pam_privacyidea.so: undefined symbol: curl_easy_perform
openvpn[140]: PAM adding faulty module: /lib64/security/pam_privacyidea.so

If this is not the right place to ask this question, can you maybe provide a forum name or site where I can solve this issue?
And sorry for my lack of knowledge in this situation, but I can’t find any answers on Google.

Compiling C code always comes with a lot of dependencies. You are only giving one line of the error here. Usually (this is not only the case with privacyIDEA but with all C code in the world) you would need a magic glass ball to know the reasons.

The reasons are hidden in the versions of your libraries, which are usually determined by the version of the Linux distro you are running. So for starters it would be a good idea to look at this.

This is a place where you can ask. On the other hand, you could also ask in a C forum “How do I debug compiling source code step by step”.

OK, I tried using the compiled pam file from GitHub (Release v1.0.0 · privacyidea/privacyidea-pam · GitHub) and the curl error is gone, but now I get the new one, “undefined symbol: pam_get_user”, and when I do

ldd -r pam_privacyidea.so

I get even more undefined symbols

I don’t know where to look for solutions cuz there is no information on Google about this, and I can’t even find any blogs where anyone has even tried the new pam from privacyIDEA.
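
One way to narrow down the dlopen errors quoted in this thread, as an added example (not from any poster or from the privacyIDEA project): compare the module's undefined symbols with the libraries it declares as NEEDED. The `readelf`/`nm` output in `sample_run` is constructed sample input, and the prefix-to-library map is an assumption that covers only the two symbols named above.

```shell
#!/bin/sh
# On a real system (binutils required), produce the two input files with:
#   readelf -d /lib64/security/pam_privacyidea.so > needed.txt
#   nm -D --undefined-only /lib64/security/pam_privacyidea.so > undef.txt
#   unlinked_libs needed.txt undef.txt

# Assumption: symbol prefix -> library, only for the errors seen in the thread.
PREFIX_MAP="pam_:libpam curl_:libcurl"

# unlinked_libs NEEDED_FILE UNDEF_FILE
# Prints "lib count" for each library whose symbols are used but which is
# missing from the module's (NEEDED) dynamic entries.
unlinked_libs() {
    needed_file=$1
    undef_file=$2
    for pair in $PREFIX_MAP; do
        prefix=${pair%%:*}
        lib=${pair##*:}
        # Count undefined ("U") symbols with this prefix, ignoring @VERSION.
        count=$(awk -v p="$prefix" '
            $1 == "U" { sub(/@.*/, "", $2); if (index($2, p) == 1) n++ }
            END { print n + 0 }' "$undef_file")
        [ "$count" -gt 0 ] || continue
        # A linked library shows up as e.g. "(NEEDED) ... [libpam.so.0]".
        if ! grep -F '(NEEDED)' "$needed_file" | grep -q "\[$lib\.so"; then
            echo "$lib $count"
        fi
    done
}

# Constructed sample: libcurl is declared, libpam is not.
sample_run() {
    dir=$(mktemp -d)
    cat > "$dir/needed.txt" <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
EOF
    cat > "$dir/undef.txt" <<'EOF'
                 U curl_easy_perform@CURL_OPENSSL_4
                 U malloc@GLIBC_2.2.5
                 U pam_get_item
                 U pam_get_user
EOF
    unlinked_libs "$dir/needed.txt" "$dir/undef.txt"
    rm -rf "$dir"
}
```

A library printed here is one the module calls into without listing it as a dependency, so its symbols must already be visible in the loading process for `dlopen` to succeed.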