OpenVPN + PrivacyIdea + LDAP

we have OpenVPN, PrivacyIdea and LDAP on seperate VMs and trying to configure OpenVPN to work with PrivacyIdea and had no luck.
The LDAP is connect and when we test the connection we get the users. So PrivacyIdea and LDAP are corectly configurated. Now is just a problem with OpenVPN. Becasuse the docs are outdated we can’t follow them but any way we tried with this

auth    [success=1 default=ignore]
    /path/to/ url=https://your.privacyidea.server
auth    requisite 
auth    required  
session sufficient
account sufficient

and before that we installed the PAM following the readme of this repository GitHub - privacyidea/privacyidea-pam: Module for Linux PAM stack to authenticate users against privacyIDEA
and also try downloading the pam from archive repository GitHub - privacyidea/pam_python: Add two factor authentication to PAM via privacyIDEA
and had no luck.

If anyone make this work can you maybe share the config files so we can have an up to date example on how to make it work.

Dont mix things up.

you do not need pam_python, when using the new C based privacyidea pam.

Forget about pam_python and
Use the C based one:

Release: Releases · privacyidea/privacyidea-pam · GitHub
or compile yourself.
privacyidea-pam/ at main · privacyidea/privacyidea-pam · GitHub

Take a look at the examples here:

Thanks for replay and if I understand this correctly the pam should look like this

# /etc/pam.d/privacyidea-auth - authentication settings for services that should use 2FA with privacyIDEA
# This config can be used to soley authenticate against privacyIDEA
# It comes with no warranty.
auth   [success=1 default=ignore] url=https://server_ip
# fallback if privacyidea fails
auth	requisite
auth	required
auth	optional 

so I don’t need to specify the path for to /lib64/security/

and one more question, do I need to have the otp created or is this working just fine with ldap realm and ldap credentials. For start I just want to go slow and test to see if the basics works.

Depends on your Linux distro. Test it.

This depends on your privacyIDEA configuration. Authenitcation policies.
Yes, you can have it this way e.g. by using a passthru policy.

Note: The user (loginname) also needs to exist (or needs to be found) on the system, where you are logging in. (However, this is out of scope of privacyidea)

I just tried with the sample config and still not working I searched for logs and found this in journalctl pam

openvpn[371]: PAM unable to dlopen(/lib64/security/ /lib64/security/ undefined symbol: pam_get_user
openvpn[371]: PAM adding faulty module: /lib64/security/

What do you think this error could mean?
What does it actually say?

“undefined symbol: pam_get_user”

Hint: This is a compiled and linked C module, that is calling that can not be found “undefined symbol”. This has nothing to do with privacyIDEA/the module itself, but with the fact, that it does not run on your distribution. Either you are missing dependencies or you need to compile it yourself, anew.
I can not tell. Only you can, since you know your system.

I googled and no solution. I fixed the “undefined symbol: pam_get_user” by building from source from github. I followed the instruction to install all libraries and copy that one file into includes and compile, but now there is another of this thing called “curl_easy_perform” and I search the google with no luck even found someone who asked in this forums still got no answer or solution. So we are unable to make this happen on openvpn with privacyidea.

I checked all the thinks he did Issue with module and libcurl dependency

openvpn[140]: PAM unable to dlopen(/lib64/security/ /lib64/security/ undefined symbol: curl_easy_perform
openvpn[140]: PAM adding faulty module: /lib64/security/

If this is not the right place to ask this question can you maybe provide a forum name or site that I can solve this issue.
And sorry for my lack of knowledge in the this situation, but I can’t find any answers on google

Compiling C code always comes with a lot of dependencies. You are only telling here one line of error. Usually (this is not only the case with privacyIDEA but with all C code on the world) you would need a magic glass ball to know reasons.

The reasons are hidden in the versions of your libraries which are usually determined by the version of the linux distro you are running. So for startes it would be a good idea, to look at this.

This is a place where you can ask. On the other hand, you could also ask in a C forum “How do I debug compiling source code step by step”.

OK, I try using the compiled pam file from the github (Release v1.0.0 · privacyidea/privacyidea-pam · GitHub) and the curl error is gone but now I get the new one “undefined symbol: pam_get_user” and when I do

ldd -r

I get even more undefined symbols

I don’t know where to look for solutions cuz there is no information on google about this and I can’t even find and blogs that anyone even try the new pam from privacyidea