
[Openvpn-users] how to set auth-user-pass required only for some clients

  • Subject: [Openvpn-users] how to set auth-user-pass required only for some clients
  • From: Paul Bijnens <Paul.Bijnens@xxxxxxxxxxxxxx>
  • Date: Wed, 07 Nov 2007 16:31:46 +0100

What is the best way to implement different authentication requirements
depending on the client certificate:

- most clients need auth-user-pass in addition to the right
  (best verified with openvpn-auth-pam.so module)
- some clients, depending on their common_name in the certificate,
  do not need to give a username/password.

It seems that loading the pam module cannot be done inside the ccd
dir.  Thus loading openvpn-auth-pam results in everyone needing to give
a username/password.

Alternatively, if I could configure the pam to allow access for
a short list of common_names, that would be fine as well, e.g.
with pam_listfile.  But how do I get access to the common_name in a
pam-module config?

Or do I need to drop the pam module and use the auth-user-pass-verify
script only, where I can get common_name from the environment?

Or should I run two servers listening on different ports or on a
different ip-number aliased to the same interface?

Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
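
One of the options raised in the message above, an auth-user-pass-verify script that reads common_name from the environment, is sketched here as an added example; it is not part of the original post and not OpenVPN's own code. EXEMPT_FILE, CHECK_CMD and their paths are hypothetical, and the script assumes it is run in via-env mode.

```shell
#!/bin/sh
# Added sketch of an auth-user-pass-verify script for "via-env" mode, where
# OpenVPN exports common_name, username and password in the environment.
# EXEMPT_FILE and CHECK_CMD (names and paths) are hypothetical.
EXEMPT_FILE="${EXEMPT_FILE:-/etc/openvpn/cn-no-password.txt}"
CHECK_CMD="${CHECK_CMD:-/usr/local/sbin/check-credentials}"

# Succeed only if the CN equals one whole line of the exempt list.
cn_is_exempt() {
    cn="$1"; list="$2"
    [ -n "$cn" ] || return 1       # empty CN is never exempt
    [ -r "$list" ] || return 1     # missing list: nobody is exempt
    grep -Fxq -- "$cn" "$list"     # literal, whole-line match (no regex, no prefix)
}

# Verdict for one client: 0 = accept, non-zero = reject.
verify_client() {
    cn="$1"; user="$2"; pass="$3"
    # Exempt CNs are accepted whatever credentials (if any) were sent.
    if cn_is_exempt "$cn" "$EXEMPT_FILE"; then
        return 0
    fi
    # Everyone else needs non-empty credentials that the backend accepts.
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    command -v "$CHECK_CMD" >/dev/null 2>&1 || return 1   # no checker: reject
    # Hand the password over on stdin so it never shows up in a process list.
    printf '%s\n' "$pass" | "$CHECK_CMD" "$user"
}

# OpenVPN sets script_type before running a script; act only in that case
# so the functions above can also be sourced and exercised on their own.
if [ -n "${script_type:-}" ]; then
    verify_client "${common_name:-}" "${username:-}" "${password:-}"
    exit $?
fi
```

The exempt list is matched as whole literal lines, so a certificate whose common_name merely starts with an exempt name still has to pass the credential check.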