authorErmal Luçi <eri@pfsense.org>2010-03-02 17:07:06 +0000
committerErmal Luçi <eri@pfsense.org>2010-03-02 17:07:06 +0000
commitc61e4626269fb099f4b7e9c12ceaeffd163c968f (patch)
treefe99cd1c66aa9e456bc9b16de0f462bfc982c249 /etc/inc/openvpn.inc
parenta13ce628f8a2c1292bf222387ea59cd63e9b9234 (diff)
Allow the GUI auth API to be used for authenticating against the specified authentication servers. Teach OpenVPN to use this API. Allow OpenVPN to authenticate against multiple servers, which can be selected on the server configuration page.
Diffstat (limited to 'etc/inc/openvpn.inc')
-rw-r--r--etc/inc/openvpn.inc22
1 files changed, 13 insertions, 9 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index a62e01a..081e109 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -49,6 +49,7 @@
require_once('config.inc');
require_once("certs.inc");
require_once('pfsense-utils.inc');
+require_once("auth.inc");
$openvpn_prots = array("UDP", "TCP");
@@ -379,16 +380,19 @@ function openvpn_reconfigure($mode,& $settings) {
$conf .= "client-cert-not-required\n";
case 'server_tls_user':
$conf .= "username-as-common-name\n";
- if ($settings['authmode'] == "local")
- $conf .= "auth-user-pass-verify /etc/inc/openvpn.auth-user.php via-env\n";
- else {
- $authcfg = system_get_authserver($settings['authmode']);
- if ($authcfg) {
- mwexec("/bin/cat /etc/inc/openvpn.auth-{$authcfg['type']}.php | /usr/bin/sed 's/\/\/<template>/\$authmode=\"{$authcfg['name']}\";/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
- mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
- $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
- }
+ $authcfgs = explode(",", $settings['authmode']);
+ $sed = "\$authmodes=array(";
+ $firstsed = 0;
+ foreach ($authcfgs as $authcfg) {
+ if ($firstsed > 0)
+ $sed .= ",";
+ $firstsed = 1;
+ $sed .= "\"{$authcfg}\"";
}
+ $sed .= ");";
+ mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
+ mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
+ $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn//{$mode_id}.php via-env\n";
break;
}
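Review bot: The names split out of `$settings['authmode']` are pasted unescaped into the single-quoted sed expression of the `mwexec()` command, and from there into the generated PHP script, so a server name containing `'`, `/`, `&`, `\` or `"` corrupts the shell command, the sed replacement or the `$authmodes=array(...)` literal. The removed code resolved the name with `system_get_authserver()` before using it; the new loop does no lookup, so an unknown or empty entry is written into the script too (`explode()` on an empty setting yields one empty string). I would build the script in PHP with `var_export()` and keep the lookup, as sketched below; whether `"local"` resolves through `system_get_authserver()` is not visible here and needs confirming. The added `auth-user-pass-verify` line also has a doubled slash in `openvpn//{$mode_id}.php`, and `openvpn_reconfigure()` starts and ends outside this hunk.

```php
// … unchanged: $conf .= "username-as-common-name\n"; …
$authmodes = array();
foreach (explode(",", $settings['authmode']) as $authname) {
	// Only names that resolve to a configured backend reach the generated script.
	// NOTE(review): "local" kept as a special case as in the removed code; confirm.
	if ($authname == "local" || system_get_authserver($authname))
		$authmodes[] = $authname;
}
$script = "{$g['varetc_path']}/openvpn/{$mode_id}.php";
$template = file_get_contents("/etc/inc/openvpn.auth-user.php");
// var_export() emits a correctly quoted PHP literal; no shell or sed quoting is involved.
file_put_contents($script, str_replace("//<template>", "\$authmodes=" . var_export($authmodes, true) . ";", $template));
chmod($script, 0755);
$conf .= "auth-user-pass-verify {$script} via-env\n";
// … unchanged: break; …
```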