author | Ermal <eri@pfsense.org> | 2012-06-05 19:37:45 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2012-06-05 19:37:45 +0000 |
commit | 1492e02cb4f48de3ff33ed4d4db013aac00087d3 (patch) | |
tree | f632662f50022f848ec50239cd84f23d406c5b97 /etc/inc/openvpn.auth-user.php | |
parent | ae5c8d0e05720ace47f57fcbd9478504277efc89 (diff) | |
Import OpenVPN Cisco-style RADIUS attributes, applying policy to logged-in users. Feature #2100
Diffstat (limited to 'etc/inc/openvpn.auth-user.php')
-rwxr-xr-x | etc/inc/openvpn.auth-user.php | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index 0558dbb..92c3b87 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -96,6 +96,11 @@ if (!$username || !$password) {
 /* Replaced by a sed with propper variables used below(ldap parameters). */
 //<template>
+if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) {
+ putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca");
+ putenv("LDAPTLS_REQCERT=never");
+}
+
 $authenticated = false;
 if (($strictusercn === true) && ($common_name != $username)) {
@@ -103,12 +108,13 @@ if (($strictusercn === true) && ($common_name != $username)) {
 exit(1);
 }
+$attributes = array();
 foreach ($authmodes as $authmode) {
 $authcfg = auth_get_authserver($authmode);
 if (!$authcfg && $authmode != "local")
 continue;
- $authenticated = authenticate_user($username, $password, $authcfg);
+ $authenticated = authenticate_user($username, $password, $authcfg, $attributes);
 if ($authenticated == true)
 break;
 }
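Review bot: `putenv("LDAPTLS_REQCERT=never")` in the first hunk switches off verification of the LDAP server certificate, so the CA file exported to `{$g['varetc_path']}/openvpn/{$modeid}.ca` on the line above it is never actually checked against, and an LDAP-over-TLS server presenting any certificate is accepted while this script authenticates VPN users. Since a CA is being provided precisely for this case, `putenv("LDAPTLS_REQCERT=demand");` (the libldap default) keeps the intended trust chain; if `never` is a deliberate accommodation for self-signed servers, that deserves a comment on the line saying so. The `//<template>` region is rewritten by sed per the comment just above, so the effective value should also be confirmed in the generated per-instance script rather than only here.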
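Review bot: `$attributes = array();` in the second hunk is initialised once before the `foreach` over `$authmodes`, yet `authenticate_user()` is called with it once per backend; if a backend that rejects the user can still populate it (cannot be told from here, `authenticate_user` is outside this hunk), values from a failed server would survive into the attempt that succeeds and be applied to the session. Resetting it per attempt, `$attributes = array();` as the first statement of the loop body, keeps the returned attributes tied to the backend that actually authenticated the user.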
@@ -118,6 +124,36 @@ if ($authenticated == false) {
 exit(-1);
 }
+if (file_exists("/etc/inc/openvpn.attributes.php"))
+ include_once("/etc/inc/openvpn.attributes.php");
+
+$content = "";
+if (is_array($attributes['dns-servers'])) {
+ foreach ($attributes['dns-servers'] as $dnssrv) {
+ if (is_ipaddr($dnssrv))
+ $content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
+ }
+}
+if (is_array($attributes['routes'])) {
+ foreach ($attributes['routes'] as $route)
+ $content .= "push \"route {$route} vpn_gateway\"\n";
+}
+
+if (isset($attributes['framed_ip'])) {
+/* XXX: only use when TAP windows driver >= 8.2.x */
+/* if (isset($attributes['framed_mask'])) {
+ $content .= "topology subnet\n";
+ $content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
+ } else {
+*/
+ $content .= "topology net30\n";
+ $content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) + 1));
+// }
+}
+
+if (!empty($content))
+ @file_put_contents("{$g['tmp_path']}/{$username}", $content);
+
 syslog(LOG_NOTICE, "user {$username} authenticated\n");
 exit(0);
|
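Review bot: The new attribute handling validates `dns-servers` with `is_ipaddr()` but pushes `routes` and `framed_ip` into client configuration directives unchecked: each `$route` is interpolated verbatim into `push "route {$route} vpn_gateway"`, and `framed_ip` goes straight into `ip2long()`, which returns `false` for a malformed address so `long2ip(false + 1)` would hand the client `0.0.0.1` as its peer. Guard the address with `if (isset($attributes['framed_ip']) && is_ipaddr($attributes['framed_ip'])) {` and, for each route, split it on whitespace and accept it only when both the network and the netmask pass `is_ipaddr()`, mirroring the DNS branch. The output path `{$g['tmp_path']}/{$username}` embeds the client-supplied username in a filename and the `@` hides any write failure; at minimum log when `file_put_contents()` returns `false`, and unless something upstream already restricts usernames, reject values containing `/` (or apply `basename()`) before building the path. `$attributes['dns-servers']` and `$attributes['routes']` are also read without `isset()`, which raises a notice whenever a backend returns no attributes at all.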