author | Ermal <eri@pfsense.org> | 2011-07-15 13:10:40 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2011-07-15 13:10:40 +0000 |
commit | fe2031ab18b967b31f95d865db07011a39ce6fcc (patch) | |
tree | 06759c005e263b681a21098a8273a84dc473beb1 | |
parent | e6bd231242cb43ad7e8fca8635d6adcb17f38186 (diff) | |
Ticket #1052. Enforce certificates if they are present for authenticating to LDAP. Allow selecting a CA under the LDAP-type authentication backend to be used for this.
-rw-r--r-- | etc/inc/auth.inc | 48 | ||||
-rwxr-xr-x | etc/inc/openvpn.auth-user.php | 7 | ||||
-rw-r--r-- | usr/local/www/system_authservers.php | 30 | ||||
-rw-r--r-- | usr/local/www/system_usermanager_settings_ldapacpicker.php | 1 |
4 files changed, 74 insertions, 12 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index e284943..e93bf02 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -627,8 +627,10 @@ function ldap_test_connection($authcfg) { if(!$ldapserver) return false; + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -644,6 +646,34 @@ function ldap_test_connection($authcfg) { return true; } +function ldap_setup_caenv($authcfg) { + global $g; + + unset($caref); + if (empty($authcfg['ldap_cacert']) || !strstr($authcfg['ldap_urltype'], "SSL")) { + putenv('LDAPTLS_REQCERT=never'); + return; + } else { + $caref = lookup_ca($authcfg['ldap_cacert']); + if (!$caref) { + log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_cacert'])); + /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */ + putenv('LDAPTLS_REQCERT=hard'); + return; + } + if (!is_dir("{$g['varrun_path']}/certs")) + @mkdir("{$g['varrun_path']}/certs"); + if (file_exists("{$g['varrun_path']}/certs/{$authcfg['name']}.ca")) + @unlink("{$g['varrun_path']}/certs/{$authcfg['name']}.ca"); + file_put_contents("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", base64_decode($caref['crt'])); + @chmod("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", 0600); + putenv('LDAPTLS_REQCERT=hard'); + /* XXX: Probably even the hashed link should be created for this? */ + putenv("TLS_CACERTDIR={$g['varrun_path']}/certs"); + putenv("TLS_CACERT={$g['varrun_path']}/certs/{$authcfg['name']}.ca"); + } +} + function ldap_test_bind($authcfg) { global $debug, $config, $g; 
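Review bot: The CA is never actually enforced because `ldap_setup_caenv` reads `$authcfg['ldap_cacert']`, while system_authservers.php and the OU picker in this same commit store the selected CA under `ldap_caref`; with `ldap_cacert` always empty, the first branch sets `LDAPTLS_REQCERT=never` for every server exactly as before. A second problem is on the success path: libldap's environment overrides are `LDAPTLS_CACERT` / `LDAPTLS_CACERTDIR` (the block removed from openvpn.auth-user.php used `LDAPTLS_CACERT`), whereas `TLS_CACERT` is the ldap.conf directive name and, as far as I can tell, is not read from the environment, so once the key is fixed `REQCERT=hard` would run without a trust anchor and every SSL bind would fail closed. The `!$caref` branch also sets `hard` without clearing any `LDAPTLS_CACERT*` left behind by an earlier call in the same process, so which CA is trusted would depend on call order; unsetting them there makes it deterministic. The rewritten lines are below; the file-writing middle of the function is unchanged.
```php
function ldap_setup_caenv($authcfg) {
	global $g;

	unset($caref);
	/* The UI stores the selected CA under 'ldap_caref' (system_authservers.php). */
	if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
		putenv('LDAPTLS_REQCERT=never');
		return;
	}
	$caref = lookup_ca($authcfg['ldap_caref']);
	if (!$caref) {
		log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
		/* Fail closed, and do not inherit a CA path set by an earlier call in this process. */
		putenv('LDAPTLS_CACERT');
		putenv('LDAPTLS_CACERTDIR');
		putenv('LDAPTLS_REQCERT=hard');
		return;
	}
	// … unchanged: write the CA to {$g['varrun_path']}/certs/{name}.ca and chmod 0600 …
	putenv('LDAPTLS_REQCERT=hard');
	/* libldap reads the LDAPTLS_* environment variables, not the ldap.conf directive names. */
	putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
	putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$authcfg['name']}.ca");
}
```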
@@ -669,8 +699,10 @@ function ldap_test_bind($authcfg) { if(!$ldapserver) return false; + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -736,8 +768,10 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) { return $ous; } + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -847,8 +881,10 @@ function ldap_get_groups($username, $authcfg) { $ldapgroupattribute = strtolower($ldapgroupattribute); $memberof = array(); + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -967,8 +1003,10 @@ function ldap_backed($username, $passwd, $authcfg) { ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* Make sure we can connect to LDAP */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php index 35d79cd..d36b5ff 100755 --- a/etc/inc/openvpn.auth-user.php +++ b/etc/inc/openvpn.auth-user.php 
@@ -96,11 +96,6 @@ if (!$username || !$password) { /* Replaced by a sed with propper variables used below(ldap parameters). */ //<template> -if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) { - putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca"); - putenv("LDAPTLS_REQCERT=never"); -} - $authenticated = false; if (($strictusercn === true) && ($common_name != $username)) { @@ -127,4 +122,4 @@ syslog(LOG_WARNING, "user {$username} authenticated\n"); exit(0); -?>
\ No newline at end of file +?> diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php index b6b1097..694bee5 100644 --- a/usr/local/www/system_authservers.php +++ b/usr/local/www/system_authservers.php @@ -54,6 +54,10 @@ $a_servers = auth_get_authserver_list(); foreach ($a_servers as $servers) $a_server[] = $servers; +if (!is_array($config['ca'])) + $config['ca'] = array(); +$a_ca =& $config['ca']; + $act = $_GET['act']; if ($_POST['act']) $act = $_POST['act']; @@ -87,6 +91,7 @@ if ($act == "edit") { $pconfig['name'] = $a_server[$id]['name']; if ($pconfig['type'] == "ldap") { + $pconfig['ldap_caref'] = $a_server[$id]['ldap_caref']; $pconfig['ldap_host'] = $a_server[$id]['host']; $pconfig['ldap_port'] = $a_server[$id]['ldap_port']; $pconfig['ldap_urltype'] = $a_server[$id]['ldap_urltype']; @@ -168,7 +173,6 @@ if ($_POST) { $reqdfieldsn[] = gettext("Bind user DN"); $reqdfieldsn[] = gettext("Bind Password"); } - } if ($pconfig['type'] == "radius") { @@ -222,6 +226,8 @@ if ($_POST) { if ($server['type'] == "ldap") { + if (!empty($pconfig['ldap_caref'])) + $server['ldap_caref'] = $pconfig['ldap_caref']; $server['host'] = $pconfig['ldap_host']; $server['ldap_port'] = $pconfig['ldap_port']; $server['ldap_urltype'] = $pconfig['ldap_urltype']; @@ -389,6 +395,7 @@ function select_clicked() { url += '&urltype=' + document.getElementById("ldap_urltype").value; url += '&proto=' + document.getElementById("ldap_protver").value; url += '&authcn=' + document.getElementById("ldapauthcontainers").value; + url += '&cert=' + document.getElementById("ldap_caref").value; var oWin = window.open(url,"pfSensePop","width=620,height=400,top=150,left=150"); if (oWin==null || typeof(oWin)=="undefined") 
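Review bot: `document.getElementById("ldap_caref")` in `select_clicked` returns null, so the `.value` read throws and the OU picker window is never opened: the CA `<select>` this commit adds is rendered with `name='ldap_caref'` only (no `id`), and it is not rendered at all when no CA is defined. Give the select `id="ldap_caref"` and guard the read, `var ca = document.getElementById("ldap_caref");` / `url += '&cert=' + (ca ? ca.value : '');`. `select_clicked` begins and ends outside this hunk.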
@@ -490,6 +497,27 @@ function select_clicked() { </select> </td> </tr> + <tr id="tls_ca"> + <td width="22%" valign="top" class="vncell"><?=gettext("Peer Certificate Authority"); ?></td> + <td width="78%" class="vtable"> + <?php if (count($a_ca)): ?> + <select name='ldap_caref' class="formselect"> + <?php + foreach ($a_ca as $ca): + $selected = ""; + if ($pconfig['ldap_caref'] == $ca['refid']) + $selected = "selected"; + ?> + <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option> + <?php endforeach; ?> + </select> + <br/><span><?=gettext("This option is used if 'SSL Encrypted' option is choosen.");?> <br/> + <?=gettext("It must match with the CA in the AD otherwise problems will arise.");?></span> + <?php else: ?> + <b>No Certificate Authorities defined.</b> <br/>Create one under <a href="system_camanager.php">System > Cert Manager</a>. + <?php endif; ?> + </td> + </tr> <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("Protocol version");?></td> <td width="78%" class="vtable"> diff --git a/usr/local/www/system_usermanager_settings_ldapacpicker.php b/usr/local/www/system_usermanager_settings_ldapacpicker.php index e6b38c3..91da391 100644 --- a/usr/local/www/system_usermanager_settings_ldapacpicker.php +++ b/usr/local/www/system_usermanager_settings_ldapacpicker.php @@ -47,6 +47,7 @@ if($_GET) { $authcfg['ldap_urltype'] = $_GET['urltype']; $authcfg['ldap_protver'] = $_GET['proto']; $authcfg['ldap_authcn'] = explode(";", $_GET['authcn']); + $authcfg['ldap_caref'] = $_GET['cert']; $ous = ldap_get_user_ous(true, $authcfg); } |
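Review bot: The CA `<select>` has no empty option, so as soon as one CA exists every LDAP server saved from this form receives the first CA's refid — including existing servers re-edited later — and the @@ -222 hunk only stores the field when non-empty, so there is no way to clear it afterwards. If unconditional enforcement is intended, the help text should say so; otherwise add `<option value=""><?=gettext("None");?></option>` before the loop. The option label should also be escaped, `<?=htmlspecialchars($ca['descr']);?>`, since CA descriptions are free text, and "choosen" in the help text is a typo. The surrounding form starts and ends outside this hunk.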
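Review bot: `$_GET['cert']` is copied straight into `$authcfg['ldap_caref']` with no validation; the `lookup_ca` gate in `ldap_setup_caenv` means a bogus value only yields `LDAPTLS_REQCERT=hard`, but note that function reads `ldap_cacert`, not `ldap_caref`, so as committed the picker's CA is ignored entirely. Separately, `ldap_setup_caenv` names the on-disk CA file after `$authcfg['name']`, which is not set in this hunk — if the picker never sets it (I cannot see the rest of the `if($_GET)` block), the file lands at `{$g['varrun_path']}/certs/.ca`; passing the server name through, e.g. `$authcfg['name'] = "ldapacpicker";` or the real name from the form, would avoid that. Validating the value up front, `if (!empty($_GET['cert']) && lookup_ca($_GET['cert'])) $authcfg['ldap_caref'] = $_GET['cert'];`, keeps the failure visible here rather than in the TLS handshake. The enclosing `if($_GET)` block starts before this hunk.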