I am trying to authenticate LDAP (Active Directory) users of an OpenVPN service that uses PAM, in addition of course to having OTP using google-authenticator-libpam.
I am able to authenticate the users using their LDAP username (sAMAccount) and password, and also using the OTP.
However, the previous authentication works only if each user has a local user with the same username I am using to authenticate, though this local user and its password do not affect the authentication process, so I just need to create a dummy user for my whole authentication to work. Otherwise, the process fails because of the error below (notice the first line is the most interesting error message):
6 PLUGIN AUTH-PAM: BACKGROUND: user 'SOMEUSER' failed to authenticate: User not known to the underlying authentication module
2021-11-06 03:21:56 us=101655 IPADDRESS:50265 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
2021-11-06 03:21:56 us=101683 IPADDRESS:50265 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
2021-11-06 03:21:56 us=101882 IPADDRESS:50265 TLS Auth Error: Auth Username/Password verification failed for peer
Can I somehow change this behavior, so that google-authenticator does not look at the local users at all?
I found this sentence
The user= option can also be useful if you want to authenticate users who do not have traditional UNIX accounts on your system.
but I am not sure how this can be useful for my case to make google-authenticator not look at local users at all.
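The following is an added illustration, not configuration from the post or from the google-authenticator-libpam project, of how the `user=` option quoted above is normally combined with `secret=` so that the OTP module reads secrets from a fixed location owned by one designated local account instead of from the authenticating user's home directory. The service file name `/etc/pam.d/openvpn`, the account name `otp-secrets`, the directory `/var/lib/google-auth` and the use of `pam_ldap.so` for the password step are assumptions; whether this alone removes the local-account requirement in the exact setup described in the post is not confirmed by the post.

```pam
# Added example (not from the post): PAM stack for OpenVPN's auth-pam plugin.
# Assumed file: /etc/pam.d/openvpn (the name must match the service name
# passed to the auth-pam plugin in the OpenVPN server configuration).

# 1. Password step delegated to the directory. pam_ldap.so and its own
#    client configuration (ldap.conf / nslcd) are assumed to be set up.
auth     required  pam_ldap.so

# 2. OTP step. "secret=" uses ${USER}, which google-authenticator-libpam
#    expands to the username OpenVPN passed in, so the secret path no longer
#    depends on the user's $HOME. "user=" names the local account (assumed:
#    otp-secrets) that owns and reads the secret files; each file must be
#    owned by that account with restrictive permissions (the module checks
#    owner and mode by default).
auth     required  pam_google_authenticator.so secret=/var/lib/google-auth/${USER} user=otp-secrets

# 3. The auth-pam plugin also runs the account stack, so give it an account
#    module too, again delegated to the directory.
account  required  pam_ldap.so
```

Without `user=` and `secret=`, the module defaults to `~/.google_authenticator` of the authenticating user, which is the lookup that needs a matching local account. On the OpenVPN side the service name is the argument after the plugin path, e.g. `plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn` using the plugin path shown in the log above.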