author | Ermal Luçi <eri@pfsense.org> | 2010-03-01 19:26:03 +0000 |
committer | Ermal Luçi <eri@pfsense.org> | 2010-03-01 19:26:03 +0000 |
commit | b6d0c86f52d4229444e5b358066fc209b75acc3e (patch) | |
tree | 25ebc7af6db88dc8255d790f2809c871856fed56 /etc | |
parent | 3198b8d356065a64dc093440ad1e0636265e3ffc (diff) | |
download | pfsense-b6d0c86f52d4229444e5b358066fc209b75acc3e.zip pfsense-b6d0c86f52d4229444e5b358066fc209b75acc3e.tar.gz |
Correct script used for OpenVPN authentication to actually work.
Diffstat (limited to 'etc')
-rwxr-xr-x | etc/inc/openvpn.auth-ldap.php | 9 | ||||
-rw-r--r-- | etc/inc/openvpn.inc | 15 |
2 files changed, 18 insertions, 6 deletions
diff --git a/etc/inc/openvpn.auth-ldap.php b/etc/inc/openvpn.auth-ldap.php
index 37063c7..1a84fcf 100755
--- a/etc/inc/openvpn.auth-ldap.php
+++ b/etc/inc/openvpn.auth-ldap.php
@@ -48,6 +48,9 @@ if (empty($username) || empty($password)) {
 /* Replaced by a sed with propper variables used below(ldap parameters). */
 //<template>
+if (!strstr($username, "@") && !strstr($username, "\\"))
+ $username .= $ldapbasedn;
+
 /* Make sure we can connect to LDAP */
 putenv('LDAPTLS_REQCERT=never');
 if (!($ldap = @ldap_connect($ldaphost, $ldapport))) {
@@ -56,16 +59,18 @@ if (!($ldap = @ldap_connect($ldaphost, $ldapport))) {
 }
 ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
-ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
 /* ok, its up. now, lets bind as the bind user so we can search it */
-if (!($res = @ldap_bind($ldap, "{$ldapuserattr}={$username}{$ldapbasedn}", $password))) {
+if (!($res = @ldap_bind($ldap, $username, $password))) {
 syslog(LOG_WARNING, "user {$username} could not authenticate\n");
 ldap_close($ldap);
 exit(-3);
 }
 syslog(LOG_WARNING, "user {$username} authenticated\n");
+ldap_unbind($ldap);
+
 exit(0);
 ?>
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 5bfdb3b..3e2964b 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
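Review bot: The new guard `if (!strstr($username, "@") && !strstr($username, "\\"))` lets the OpenVPN client pick its own realm: a username containing `@` or `\` is handed to the bind untouched, so the configured base DN only constrains bare names, and a caller holding valid credentials for a principal in another domain or in `DOMAIN\user` form will pass if the directory accepts that form. If an explicit realm is meant to be allowed, require that it equals the configured one, e.g. `elseif (substr($username, -strlen($ldapbasedn)) !== $ldapbasedn) exit(-3);` after the existing branch; otherwise drop the condition and always append `$ldapbasedn`. Note also that what gets appended is a `@domain` UPN suffix, which only works against directories that accept UPN binds, and the previous DN-style bind built from `$ldapuserattr` is gone, so servers that need a DN can no longer be used by this script. The block containing the guard starts before this hunk.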
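Review bot: The return value of the rewritten `ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);` is discarded; when the generated `$ldapver` is empty or non-numeric the cast yields 0, the call fails, and the script continues with the library default, so a configuration error surfaces only as a generic bind failure for every user. Check it and bail out before binding: `if (!ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver)) { ldap_close($ldap); exit(-3); }` (or whatever non-zero code the connect-failure branch above the hunk uses). On the same lines, `$res` from the rewritten `ldap_bind` call is never read afterwards, so the assignment can go.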
@@ -386,10 +386,17 @@ function openvpn_reconfigure($mode,& $settings) {
 if ($authcfg) {
 switch ($authcfg['type']) {
 case 'ldap':
- $sed = "\$ldaphost=\"{$authcfg['host']}\";";
- $sed .= "\$ldapport=\"{$authcfg['ldap_port']}\";";
- $sed .= "\$ldapuserattr=\"{$authcfg['ldap_attr_user']}\";";
- $sed .= "\$ldapbasedn=\"{$authcfg['ldap_basedn']}\";";
+ $basednrplc = array("dc=", "DC=");
+ $ldapbasedn = str_replace($basednrplc, "", $authcfg['ldap_basedn']);
+ $ldapbasedn = str_replace(",", ".", $ldapbasedn);
+ $sed = "\$ldapport=\"{$authcfg['ldap_port']}\";";
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $sed .= "\$ldaphost=\"{$ldapproto}:\/\/{$authcfg['host']}\";";
+ $sed .= "\$ldapbasedn=\"@{$ldapbasedn}\";";
+ $sed .= "\$ldapver={$authcfg['ldap_protver']};";
 break;
 case 'radius':
 $sed = "\$radsrv=\"{$authcfg['host']}\";";
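Review bot: The UPN suffix built on the `$basednrplc` / `str_replace` lines is only right for a base DN made solely of `dc=` components; `ou=people,dc=example,dc=com` becomes `@ou=people.example.com`, and mixed-case `Dc=` or spaces after commas are left in place, so every bind then fails. Derive it from the `dc=` components only: `preg_match_all('/dc=([^,]+)/i', $authcfg['ldap_basedn'], $m);` followed by `$ldapbasedn = implode('.', array_map('trim', $m[1]));`. Separately, `\$ldapver={$authcfg['ldap_protver']};` interpolates the version unquoted into generated PHP, so an unset value emits `$ldapver=;`, a parse error that breaks authentication for every user; default it first with `$ldapver = empty($authcfg['ldap_protver']) ? 3 : (int)$authcfg['ldap_protver'];` and emit that. The other `$sed` values are likewise spliced into PHP source without escaping; they appear to be admin-configured, but a stray quote in one would still corrupt the script. openvpn_reconfigure starts before this hunk and continues after it.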