diff options
author | jim-p <jimp@pfsense.org> | 2010-10-12 17:21:32 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2010-10-12 17:21:32 -0400 |
commit | 8901958c07478a924b87bff8c0cde56e3a259a8c (patch) | |
tree | 8148693f63086ba55782a4e4620a771297bdb109 /etc/inc/openvpn.auth-user.php | |
parent | bd6f4dccdb9764011bd56eb231db99a272f190db (diff) | |
download | pfsense-8901958c07478a924b87bff8c0cde56e3a259a8c.zip pfsense-8901958c07478a924b87bff8c0cde56e3a259a8c.tar.gz |
Add backend code to verify username against cn on login if set by user. Needs GUI code to set the option yet. Ticket #887
Diffstat (limited to 'etc/inc/openvpn.auth-user.php')
-rwxr-xr-x | etc/inc/openvpn.auth-user.php | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php index a611f8c..544e21f 100755 --- a/etc/inc/openvpn.auth-user.php +++ b/etc/inc/openvpn.auth-user.php @@ -85,6 +85,7 @@ openlog("openvpn", LOG_ODELAY, LOG_AUTH); /* read data from environment */ $username = getenv("username"); $password = getenv("password"); +$common_name = getenv("common_name"); if (!$username || !$password) { syslog(LOG_ERR, "invalid user authentication environment"); @@ -95,6 +96,12 @@ if (!$username || !$password) { //<template> $authenticated = false; + +if (($strictusercn === true) && ($common_name != $username)) { + syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n"); + exit(1); +} + foreach ($authmodes as $authmode) { $authcfg = auth_get_authserver($authmode); if (!$authcfg && $authmode != "local") |