On Tue, 4 Oct 2005, Ralf Hildebrandt wrote:

> I'm using openvpn 2.0.2-1 on Debian/unstable
>
> OpenVPN works like a charm, per User configuration stuff also works.
> But there's one thing I cannot get to work on a per-user basis:
>
> If I put:
>
> plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
>
> into /etc/openvpn/server.conf, ALL users have to authenticate using
> what I defined in /etc/pam.d/openvpn as:
>
> ---------------- snip ---------------
> # PAM configuration for OpenVPN
>
> # Read environment variables from /etc/environment and
> # /etc/security/pam_env.conf.
> auth required pam_env.so # [1]
>
> # Supposedly this enforces SecurID
> auth required pam_securid.so debug
> ---------------- snip ---------------
>
> This is the PAM module provided for the RSA SecurID tokens which
> generate an OTP every minute. This works. I enter a wrong
> username/password combination, I'm being rejected. I enter the correct
> data, I'm let in. Life is good.
>
> But now to the problem: If I put this into
> /etc/openvpn/ccd/hildeb.vpn.charite.de:
>
> ------------ snip ------------
> plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
> ifconfig-push 172.28.0.5 172.28.0.6
> ------------ snip ------------
>
> I can enter ANYTHING as authentication data, I'm always let through. I
> would expect the per-User configuration to work that way. OTOH, I do
> get the IP I explicitly assigned.

The 'plugin' directive can't be used in a --client-config-dir file -- it's
a global directive only. You should be getting an error message to that
effect in the server log:

OPTIONS IMPORT: reading client specific options from: ccd/blah-blah
Options error: option 'plugin' cannot be used in this context

After flagging the error in the log file, OpenVPN will essentially ignore
the "plugin" directive and handle the authentication as if the directive
wasn't there.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
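
Added example (not part of the original thread and not OpenVPN project code): a Python check that scans a server log for the two messages quoted in the reply above and reports which client-config-dir file carried a directive that was rejected and ignored. The log lines, the file names and the `AUTH_DIRECTIVES` set are constructed for illustration.

```python
import re

# Message texts as quoted in the reply above. They are matched anywhere in a
# line, so whatever timestamp or client prefix the log carries does not matter.
IMPORT_RE = re.compile(
    r"OPTIONS IMPORT: reading client specific options from: (\S+)")
ERROR_RE = re.compile(
    r"Options error: option '([^']+)' cannot be used in this context")

# Directives whose silent loss changes who gets authenticated.
# Assumption: this set is local policy; 'plugin' is the case from the thread.
AUTH_DIRECTIVES = {"plugin"}

# Constructed sample log (timestamps and ccd file names are made up).
SAMPLE_LOG = """\
Tue Oct  4 10:00:01 2005 OPTIONS IMPORT: reading client specific options from: ccd/client-a.example
Tue Oct  4 10:00:01 2005 Options error: option 'plugin' cannot be used in this context
Tue Oct  4 10:05:12 2005 OPTIONS IMPORT: reading client specific options from: ccd/client-b.example
Tue Oct  4 10:07:30 2005 OPTIONS IMPORT: reading client specific options from: ccd/client-c.example
Tue Oct  4 10:07:30 2005 Options error: option 'port' cannot be used in this context
""".splitlines()


def find_ignored_ccd_options(lines):
    """Return [(ccd_file, option, auth_relevant)] for rejected directives.

    An error is attributed to the most recent OPTIONS IMPORT line, which
    assumes the two messages are adjacent as in the reply above. An error
    seen before any import line is reported against "<unknown>".
    """
    findings = []
    current = None
    for line in lines:
        match = IMPORT_RE.search(line)
        if match:
            current = match.group(1)
            continue
        match = ERROR_RE.search(line)
        if match:
            option = match.group(1)
            findings.append(
                (current or "<unknown>", option, option in AUTH_DIRECTIVES))
    return findings


if __name__ == "__main__":
    for ccd_file, option, auth_relevant in find_ignored_ccd_options(SAMPLE_LOG):
        severity = "AUTH DIRECTIVE IGNORED" if auth_relevant else "ignored"
        print(f"{ccd_file}: option '{option}' {severity}")
```

A finding with `auth_relevant` set means the per-client file was meant to add an authentication step that the server never applied, so the `plugin` line belongs in the global server configuration instead.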