Hi,

I have a VPN server (devuan 4) connecting to my ldap server (devuan 4)
using libpam-ldapd, so it's running nslcd and using libpam-ldapd for
the pam_ldap implementation.
This is all working successfully and I am using the 'pam_authz_search'
option in /etc/nslcd.conf to control which users are allowed to login
to the server via console and ssh.

# pam_authz_search in /etc/nslcd.conf
pam_authz_search
(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)(&(host=\\*)(!(|(host=!$hostname)(host=!$fqdn))))))


My problem is that I am setting up OpenVPN on this server and
attempting to use openvpn-plugin-auth-pam.so provided by the openvpn
package to do the vpn username/password and TOTP authentication.

# /etc/openvpn/myserver.conf
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login
USERNAME password PASSWORD"


While the 'pam_authz_search' option in nslcd.conf is working to
restrict users logging in directly to the server, it is also
preventing users from authenticating to the openvpn PAM service.

The openvpn PAM service is defined as:

# /etc/pam.d/openvpn
auth requisite pam_ldap.so minimum_uid=1000
# will be adding pam_google_authenticator.so at a later time here

If I remove the 'pam_authz_search' option from nslcd.conf then the
OpenVPN users can authenticate successfully.

Is there a different configuration I can set up to control users from
logging in to the console/ssh via LDAP host attributes, but also allow
different users to authenticate to openvpn PAM via an LDAP group
membership?

Surprisingly, if I have the 'pam_authz_search' option enabled in
nslcd.conf, I can still run `pamtester openvpn myvpnuser authenticate`
and it authenticates successfully without getting denied. I'm not
sure why that should succeed? Is pamtester bypassing nslcd?


--
Tom