author | Ermal <eri@pfsense.org> | 2013-12-19 08:53:32 +0000 |
committer | Ermal <eri@pfsense.org> | 2013-12-19 08:53:32 +0000 |
commit | 5e28dad4a34bc3b8da8134b23c85a8f922ebb401 (patch) | |
tree | a307678a095f3044ee0b7149e5bea3df9ea18515 /etc/inc/openvpn.auth-user.php | |
parent | 00e8315b3d5db09870ca93f380f7ba577e90be88 (diff) | |
Migrate openvpn authentication to use fcgicli rather than forking a php process. Maybe we should consider writing a short library to do this.
Diffstat (limited to 'etc/inc/openvpn.auth-user.php')
-rwxr-xr-x | etc/inc/openvpn.auth-user.php | 51 |
1 files changed, 42 insertions, 9 deletions
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index 2ddadca..e76351c 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -83,14 +83,27 @@ function getNasIP()
 /* setup syslog logging */
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-/* read data from environment */
-$username = getenv("username");
-$password = getenv("password");
-$common_name = getenv("common_name");
+if (isset($_GET)) {
+ $authmodes = explode(",", $_GET['authcfg']);
+ $username = $_GET['username'];
+ $password = urldecode($_GET['password']);
+ $common_name = $_GET['cn'];
+ $modeid = $_GET['modeid'];
+ $strictusercn = $_GET['strictcn'] == "false" ? false : true;
+} else {
+ /* read data from environment */
+ $username = getenv("username");
+ $password = getenv("password");
+ $common_name = getenv("common_name");
+}
 if (!$username || !$password) {
 syslog(LOG_ERR, "invalid user authentication environment");
- exit(-1);
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(-1);
 }
 /* Replaced by a sed with propper variables used below(ldap parameters). */
@@ -105,7 +118,20 @@ $authenticated = false;
 if (($strictusercn === true) && ($common_name != $username)) {
 syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
- exit(1);
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(1);
+}
+if (!is_array($authmodes)) {
+ syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(1);
 }
 $attributes = array();
@@ -121,7 +147,11 @@ foreach ($authmodes as $authmode) {
 if ($authenticated == false) {
 syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
- exit(-1);
+ if (isset($_GET)) {
+ echo "FAILED";
+ return;
+ } else
+ exit(-1);
 }
 if (file_exists("/etc/inc/openvpn.attributes.php"))
@@ -136,7 +166,7 @@ if (is_array($attributes['dns-servers'])) {
 }
 if (is_array($attributes['routes'])) {
 foreach ($attributes['routes'] as $route)
- $content .= "push \"route {$route} vpn_gateway\"\n";
+ $content .= "push \"route {$route} vpn_gateway\"\n";
 }
 if (isset($attributes['framed_ip'])) {
@@ -156,6 +186,9 @@ if (!empty($content))
 syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
-exit(0);
+if (isset($_GET))
+ echo "OK";
+else
+ exit(0);
 ?>
|
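Review bot: `isset($_GET)` in the first hunk's new request-parsing branch tests only whether the superglobal is defined, and PHP defines it (as an empty array) under the CLI SAPI as well, so the `else` branch that reads the OpenVPN environment looks unreachable; the same test drives the three new `FAILED` branches here and the `OK` branch of the last hunk on the next line. A check that actually distinguishes the two invocation modes, e.g. `if (!empty($_GET['username']))` or `php_sapi_name() !== 'cli'`, would keep the environment path live. In the second hunk the new `!is_array($authmodes)` guard cannot fire for the fcgi path, because `explode(",", ...)` always returns an array (a missing `authcfg` yields `[""]`), so the authentication loop runs against an empty server name; `$authmodes = array_filter(explode(",", $_GET['authcfg']));` with `empty($authmodes)` in the guard would deny instead. `urldecode($_GET['password'])` decodes a value PHP has already decoded, so a password containing `%` or `+` reaches the backend altered unless the caller double-encodes it, which this diff does not show.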