Lots of howto’s tell you to update the standard PAM login service to use ldap, and to have openvpn use that login service for authentication. I expect in most cases you’ll probably just want to have a dedicated vpn server, and not having users logging in on the system wide login. At least, that’s what I needed today to migrate away from that password file based config.

That turned out to be quite easy once you get the pam config right, though I’m still not 100% positive this particular pam config is the most optimal. In the end I just defined a new openvpn pam service by creating /etc/pam.d/openvpn with a very short and simple config.

Here’s the configuration notes which reflect this config update. All users with an ldap account, and member of the remoteaccess group are granted access to openvpn.

--- openvpn_installation_howto.txt 31 Mar 2010 12:37:42 -0000 1.16
+++ openvpn_installation_howto.txt 23 Apr 2010 14:53:23 -0000
@@ -167,6 +167,25 @@
# Server configuration
######################

+## config update to authenticate & authorise through ldap
+aptitude install libpam-ldap
+
+- edit /etc/pam_ldap.conf
+ uri ldaps://ldap.server
+ base dc=division,dc=corp,dc=be
+ ldap_version 3
+ pam_groupdn cn=remoteaccess,ou=groups,dc=division,dc=corp,dc=be
+ pam_member_attribute memberUid
+ pam_password crypt
+ tls_checkpeer no
+- create /etc/pam.d/openvpn
+ auth required pam_ldap.so
+ account required pam_ldap.so
+- edit server-udp.conf and server-tcp.conf
+ #auth-user-pass-verify /etc/openvpn/fileauth.pl via-file
+ plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn


Actually, this was triggered by clicking a mailto: link, whilst I hadn’t fixed Gnome’s default behaviour of launching evolution, so I just closed the mail dialog Window, but evolution seems to insist on staying running persistently.

But I don’t even use this freaky program. I only configure my Google Calendar to have it show up in the date app in gnome-panel. I may have an IMAP account configured too, but I don’t really use that.

I can understand that having an IMAP account with several gigs of data on the server end might trigger some indexing magic, but why evolution insists on permanantly using half of my physicical memory is beyond me.

This behaviour has actually been very persistent since several years/releases. Even deleting al .evolution related data in $HOME doesn’t fix that, so it’s not some left over garbage from an old installation.

How to reproduce? Clean install. Configure a calendar. Configure an imap account. Rince & repeat.

How such a piece of junk manages to stay the default client of choice in Gnome, and hence lots of distributions, is beyond me.