What configuration can I use to separate LDAP ciphers from OTP?

[ericzhong2010]

I'm considering entering the OTP via the static-challenge parameter, but I still don't know how to do it.
Which big boss knows?

[wheelybird]

Hi. You'd need to clone the repo, modify a couple of files and build your own container to be able to do this.

You'd need to edit files/configuration/create_server_config.sh and modify the line plugin $(dpkg-query -L openvpn | grep openvpn-plugin-auth-pam.so | head -n1) openvpn to something like plugin $(dpkg-query -L openvpn | grep openvpn-plugin-auth-pam.so | head -n1) "openvpn login USERNAME password PASSWORD otp OTP"

Then you'd need to modify files/etc/pam.d/openvpn.with-otp to be something like auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root authtok_prompt=otp forward_pass

I haven't actually tested this, and I'm pretty sure you'll need to fiddle with those settings to get it to work; I'm not sure exactly how pam_ldap.so and pam_google_authenticator.so interact when it comes to a static-challenge.

[ericzhong2010]

I think it is not working. I already tried it.
Anyway, Thank you very much.