What is the best way to implement different authentication requirements
depending on the client certificate:
- most clients need auth-user-pass in addition to the right certificates
  (best verified with openvpn-auth-pam.so module)
- some clients, depending on their common_name in the certificate,
  do not need to give a username/password.
It seems that loading the pam module cannot be done inside the ccd
dir. Thus loading openvpn-auth-pam results in everyone needing to give
a username/password.
Alternatively, if I could configure the pam to allow access for
a short list of common_names, that would be fine as well, e.g.
with pam_listfile. But how do I get access to the common_name in a
pam-module config?
Or do I need to drop the pam module and use the auth-user-pass-verify
script only, where I can get common_name from the environment?
Or should I run two servers listening on different ports or on a
different ip-number aliased to the same interface?
--
Paul Bijnens, xplanation Technology Services Tel +32 16 397.511
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
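
An added example, not part of the original post: a sketch of the auth-user-pass-verify option raised in the question, where the script reads common_name from the environment, lets a short list of certificates in without credentials, and checks a username/password for everyone else. The script path, the exempt names and the account are constructed; the PBKDF2 table stands in for whatever credential backend is actually used.

```python
#!/usr/bin/env python3
# Server side (the script path is an assumed location):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/verify_cn.py via-file
#   auth-user-pass-optional   # clients without credentials reach the script with empty strings
import hashlib
import hmac
import os
import sys

ITERATIONS = 200_000

def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample policy and account, for illustration only.
EXEMPT_CNS = {"monitor01", "backup-gw"}   # certificates allowed without a password
SALT = b"constructed-salt"
USERS = {"alice": (SALT, derive("correct horse", SALT))}

def read_credentials(path):
    """via-file: OpenVPN writes the username on line 1, the password on line 2."""
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().split("\n")
    except OSError:
        return "", ""
    lines += ["", ""]
    return lines[0], lines[1]

def decide(common_name, username, password):
    if not common_name:                   # no verified certificate name: reject
        return False
    if common_name in EXEMPT_CNS:         # certificate alone is sufficient
        return True
    if not username or not password:      # everyone else must present credentials
        return False
    salt, expected = USERS.get(username, (SALT, b"\x00" * 32))
    # Always derive and compare, so unknown users cost the same as known ones.
    return hmac.compare_digest(derive(password, salt), expected) and username in USERS

def main(argv, env):
    username, password = read_credentials(argv[1]) if len(argv) > 1 else ("", "")
    return 0 if decide(env.get("common_name", ""), username, password) else 1  # 0 = accept

if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Because the exemption rests on the certificate alone, the exempt list should stay short and those certificates should be covered by the CRL.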