I'm not sure if this is a limitation with PAM/RADIUS or if it's something OpenVPN does not handle well. I am deploying this in a corporate environment, and I have employees' passwords expire every X. Now when they log on, there is currently no mechanism for OpenVPN to pass the "password is expiring" notice to the client (A: this would be nice at a minimum), so the client doesn't know their AD password is about to expire. So they continue like this, never really logging into the network except for OpenVPN (using their AD password (AD = Active Directory), which is accessed by OpenVPN via PAM RADIUS (and IAS on the MS side)).

The best possible scenario would be to allow the client to see the password expiring option and thus allow the user to change their password on the Domain (AD), through OpenVPN. Not secure? AD requires one to know the old password and one has to already have the user's cert; if they have both of these, they are already in.

Not sure if it's clear (most password discussions are about the new GUI key pass change (not a fan) and not about having OpenVPN + PAM play nicer with Windows passwords (AD)).

Thanks
Tory

PS Without this, users are being locked out of the VPN until they contact IT and have a temporary password set for them. Having a secondary VPN device (non-OpenVPN) for them to use to reset password is a lame option.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users