[Sorry about not responding directly to the parent, but it appears not to have been CC'd to the list. Marcos, please try to keep all replies to on-list messages still on-list unless someone explicitly requests that a thread be taken off-list].

Erich Titl wrote:
> Marcos Morais wrote:
>> Let's see if I understood:
>> What you're saying is that OpenVPN doesn't have a native package that
>> allows
>> that kind of authentication, and to have that working on my VPN I should
>> either use a commercial VPN software that has it, or to add a third party
>> plugin that does it for me? Is that what you meant?

How do you set up single-sign-on for systems on your LAN? How would you set up SSO for a laptop which is only occasionally connected to your LAN, and frequently connected elsewhere? Or do you not have single-sign-on at all, in which case we're misunderstanding how your LAN connection is expected to provide authentication or authorization information in the first place?

If you can set up SSO for a laptop which is only occasionally on your LAN, you should be able to set it up for a system which is only occasionally on your VPN.

Frankly, I think part of your problem is that you don't understand how single-sign-on works on your LAN -- to "direct the remote users to an LDAP or NIS server" doesn't give them any kind of permissions in and of itself: Neither LDAP nor NIS provides any way for a server to vouch to another server for a user's authenticated or authorized status, and that's really what you need for single-sign-on to work.

So -- it's not really an addon to OpenVPN you need as much as it is some mechanism to tell a system it should behave as part of your LAN. As soon as you have that, you can plug it in as a hook script, and there you go! Such a script will also be usable with many other VPN clients (with some invocation changes or an outer wrapper hiding the differences between the sites), as just about every sane VPN client supports script invocation.

On Linux using Kerberos, such a script would want to update (or swap out) your krb5.conf, your ldap.conf and your PAM config files; it would probably be simplest just to have a folder with the updated ones, a folder with the disconnected ones, and swap 'em out as-appropriate.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
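
An added example (not part of the original message) of the folder-swap hook described above, written so it can serve as both the OpenVPN `--up` and `--down` script. The `PROFILE_ROOT` location and the `connected`/`disconnected` folder names are assumptions; `script_type` is the environment variable OpenVPN sets when it invokes a hook.

```shell
#!/bin/sh
# Added example: swap krb5.conf, ldap.conf and PAM files on VPN up/down.
# Assumed layout (hypothetical paths):
#   $PROFILE_ROOT/connected/{krb5.conf,ldap.conf,pam.d/*}
#   $PROFILE_ROOT/disconnected/{krb5.conf,ldap.conf,pam.d/*}
PROFILE_ROOT="${PROFILE_ROOT:-/etc/vpn-profiles}"
ETC_ROOT="${ETC_ROOT:-/etc}"

# Copy next to the destination, then rename over it, so a login that
# happens mid-swap never reads a half-written PAM or Kerberos file.
install_file() {
    src=$1
    dst=$2
    tmp="$dst.vpnswap.$$"
    cp -p "$src" "$tmp" && mv -f "$tmp" "$dst"
}

apply_profile() {
    profile_dir="$PROFILE_ROOT/$1"
    [ -d "$profile_dir" ] || { echo "no such profile: $1" >&2; return 1; }
    # Check the whole set first: a mixed connected/disconnected
    # configuration is worse than leaving the old one in place.
    for f in krb5.conf ldap.conf; do
        [ -f "$profile_dir/$f" ] || { echo "missing $f in $1" >&2; return 1; }
    done
    for f in krb5.conf ldap.conf; do
        install_file "$profile_dir/$f" "$ETC_ROOT/$f" || return 1
    done
    if [ -d "$profile_dir/pam.d" ]; then
        for p in "$profile_dir"/pam.d/*; do
            [ -f "$p" ] || continue
            install_file "$p" "$ETC_ROOT/pam.d/$(basename "$p")" || return 1
        done
    fi
}

# OpenVPN exports script_type=up or script_type=down to its hooks.
case "${script_type:-}" in
    up)   apply_profile connected ;;
    down) apply_profile disconnected ;;
esac
```

The script needs write access to the target directory; if OpenVPN is configured to drop privileges after connecting, the down hook runs unprivileged and cannot restore the disconnected files.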