authorErmal Luçi <eri@pfsense.org>2010-03-02 17:07:06 +0000
committerErmal Luçi <eri@pfsense.org>2010-03-02 17:07:06 +0000
commitc61e4626269fb099f4b7e9c12ceaeffd163c968f (patch)
treefe99cd1c66aa9e456bc9b16de0f462bfc982c249 /etc
parenta13ce628f8a2c1292bf222387ea59cd63e9b9234 (diff)
Allow the GUI auth API to be used for doing authentication against the specified authentication servers. Teach OpenVPN to use this API. Allow OpenVPN to authenticate against multiple servers, which can be selected on the server configuration page.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/auth.inc556
-rwxr-xr-xetc/inc/openvpn.auth-ldap.php155
-rwxr-xr-xetc/inc/openvpn.auth-radius.php86
-rwxr-xr-xetc/inc/openvpn.auth-user.php19
-rw-r--r--etc/inc/openvpn.inc22
-rw-r--r--etc/inc/system.inc11
6 files changed, 420 insertions, 429 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 4c0ed0a..339994d 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -461,79 +461,193 @@ function local_group_del($group) {
}
-function ldap_test_connection() {
+function ldap_test_connection($authcfg = NULL) {
global $debug, $config, $g;
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ }
- if (!($ldap = ldap_connect($ldapserver)))
- return false;
+ /* first check if there is even an LDAP server populated */
+ if(!$ldapserver)
+ return false;
+
+ /* connect and see if server is up */
+ putenv('LDAPTLS_REQCERT=never');
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+ return false;
+ }
return true;
}
-function ldap_test_bind() {
+function ldap_test_bind($authcfg = NULL) {
global $debug, $config, $g;
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
-
- if (!($ldap = ldap_connect($ldapserver)))
- return false;
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbndun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapver = 3;
+ $ldapanon = false;
+ }
+
+ /* first check if there is even an LDAP server populated */
+ if(!$ldapserver)
+ return false;
+
+ /* connect and see if server is up */
+ putenv('LDAPTLS_REQCERT=never');
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+ return false;
+ }
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
-
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw)))
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap)))
+ return false;
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw)))
return false;
+ $ldap_unbind($ldap);
+
return true;
}
-function ldap_get_user_ous($show_complete_ou=true) {
+function ldap_get_user_ous($show_complete_ou=true, $authcfg = NULL) {
global $debug, $config, $g;
if(!function_exists("ldap_connect"))
return;
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
- $ldaptype = $config['system']['webgui']['backend'];
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbindun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapport = "";
+ $ldapbasedn = $config['system']['webgui']['ldapsearchbase'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapver = 3;
+ $ldapanon = false;
+ $ldapname = "system-settings";
+ $ldapfallback = true;
+ $ldapscope = "all";
+ }
- $ldapfilter = "(ou=*)";
- putenv('LDAPTLS_REQCERT=never');
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
- }
+ $ous = array();
+
+ /* first check if there is even an LDAP server populated */
+ if(!$ldapserver) {
+ log_error("ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined.");
+ return $ous;
+ }
+
+ /* connect and see if server is up */
+ putenv('LDAPTLS_REQCERT=never');
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+ return $ous;
+ }
+
+ $ldapfilter = "(|(ou=*)(cn=Users))";
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap))) {
+ log_error("ERROR! ldap_get_user_ous() could not bind to server {$ldapname}.");
+ return $ous;
+ }
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error("ERROR! ldap_get_user_ous() could not bind to server {$ldapname}.");
+ return $ous;
}
- $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
+ if ($ldapscope == "one")
+ $ldapfunc = "ldap_list";
+ else
+ $ldapfunc = "ldap_search";
+ $search = $ldapfunc($ldap, $ldapbasedn, $ldapfilter);
$info = ldap_get_entries($ldap, $search);
- $ous = array();
-
if (is_array($info)) {
foreach ($info as $inf) {
if (!$show_complete_ou) {
$inf_split = split(",", $inf['dn']);
$ou = $inf_split[0];
$ou = str_replace("OU=","", $ou);
+ $ou = str_replace("CN=","", $ou);
} else
if($inf['dn'])
$ou = $inf['dn'];
@@ -542,14 +656,10 @@ function ldap_get_user_ous($show_complete_ou=true) {
}
}
- //Tack on the default Users container for AD since its non-standard
- if($ldaptype == 'ldap')
- $ous[] = "CN=Users,".$ldapsearchbase;
-
return $ous;
}
-function ldap_get_groups($username) {
+function ldap_get_groups($username, $authcfg = NULL) {
global $debug, $config;
if(!function_exists("ldap_connect"))
@@ -569,45 +679,90 @@ function ldap_get_groups($username) {
}
//log_error("Getting LDAP groups for {$username}.");
-
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapfilter = $config['system']['webgui']['ldapfilter'];
- $ldapfilter = str_replace("\$username", $username, $ldapfilter);
- $ldapgroupattribute = $config['system']['webgui']['ldapgroupattribute'];
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapauthcont = $authcfg['ldap_authcn'];
+ $ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
+ $ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ $ldaptype = "";
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbindun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapport = "";
+ $ldapbasedn = $config['system']['webgui']['ldapsearchbase'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapfilter = $config['system']['webgui']['ldapfilter'];
+ $ldapfilter = str_replace("_username_", $username, $ldapfilter);
+ $ldapgroupattribute = $config['system']['webgui']['ldapgroupattribute'];
+ $ldapver = 3;
+ $ldapanon = false;
+ $ldapname = "system-settings";
+ $ldapfallback = true;
+ $ldapscope = "all";
+ }
+
$ldapdn = $_SESSION['ldapdn'];
-
+
/*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
$ldapgroupattribute = strtolower($ldapgroupattribute);
+ $memberof = array();
/* connect and see if server is up */
putenv('LDAPTLS_REQCERT=never');
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
- }
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! ldap_get_groups() Could not connect to server {$ldapname}.");
+ return memberof;
+ }
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
/* bind as user that has rights to read group attributes */
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap)))
+ return false;
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error("ERROR! ldap_get_groups() could not bind to server {$ldapname}.");
+ return memberof;
}
/* get groups from DN found */
/* use ldap_read instead of search so we don't have to do a bunch of extra work */
/* since we know the DN is in $_SESSION['ldapdn'] */
//$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute));
- $search = ldap_read($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
+ if ($ldapscope == "one")
+ $ldapfunc = "ldap_list";
+ else
+ $ldapfunc = "ldap_search";
+
+ $search = $ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
$info = ldap_get_entries($ldap, $search);
$countem = $info["count"];
- $memberof = array();
if(is_array($info[0][$ldapgroupattribute])) {
/* Iterate through the groups and throw them into an array */
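Review bot: Both early returns in ldap_get_groups after a failed connect or bind, `return memberof;`, are missing the `$` and hand the caller the bare string "memberof" (an undefined-constant notice) instead of the empty array the function otherwise returns; they should read `return $memberof;`, and the anonymous-bind failure a few lines above should do the same rather than `return false;` with no log line. Replacing `ldap_read($ldap, $ldapdn, ...)` with `$ldapfunc($ldap, $ldapdn, ...)` changes the scope: `ldap_list` (scope "one") excludes the base object from its result, so for a server configured with one-level scope the user's own entry, the only thing this lookup wants, would presumably never be returned; keeping `ldap_read` on the already-known DN matches the comment above it. The new filter `"({$ldapnameattribute}={$username})"` interpolates the login name unescaped; characters that are special in an RFC 4515 filter (`*`, `(`, `)`, `\`, NUL) should be escaped before the value is inserted, here and in the identical line in ldap_backed. The function's body continues outside the hunk.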
@@ -620,7 +775,7 @@ function ldap_get_groups($username) {
}
/* Time to close LDAP connection */
- ldap_close($ldap);
+ ldap_unbind($ldap);
$groups = print_r($memberof,true);
@@ -629,7 +784,7 @@ function ldap_get_groups($username) {
return $memberof;
}
-function ldap_backed($username, $passwd) {
+function ldap_backed($username, $passwd, $authcfg = NULL) {
global $debug, $config;
if(!$username)
@@ -649,46 +804,101 @@ function ldap_backed($username, $passwd) {
$username = $username_split[0];
}
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
- $ldapnameattribute = $config['system']['webgui']['ldapnameattribute'];
- $ldapfilter = $config['system']['webgui']['ldapfilter'];
- $ldaptype = $config['system']['webgui']['backend'];
- $ldapfilter = str_replace("_username_", $username, $ldapfilter);
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ if (empty($ldapbindun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ $ldapauthcont = $authcfg['ldap_authcn'];
+ $ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ $ldaptype = "";
+ $ldapver = $authcfg['ldap_protver'];
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapport = "";
+ $ldapbasedn = $config['system']['webgui']['ldapsearchbase'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
+ $ldapnameattribute = $config['system']['webgui']['ldapnameattribute'];
+ $ldapfilter = $config['system']['webgui']['ldapfilter'];
+ $ldaptype = $config['system']['webgui']['backend'];
+ $ldapver = 3;
+ $ldapfilter = str_replace("_username_", $username, $ldapfilter);
+ $ldapanon = false;
+ $ldapname = "system-settings";
+ $ldapfallback = true;
+ $ldapscope = "all";
+ }
+
/* first check if there is even an LDAP server populated */
if(!$ldapserver) {
- log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapfallback) {
+ log_error("ERROR! ldap_backed() called with no LDAP authentication server defined. Defaulting to local user database. Visit System -> User Manager.");
+ return local_backed($username, $passwd);
+ } else
+ log_error("ERROR! ldap_backed() called with no LDAP authentication server defined.");
+
+ return false;
}
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
/* Make sure we can connect to LDAP */
putenv('LDAPTLS_REQCERT=never');
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
- $status = local_backed($username, $passwd);
- return $status;
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ if ($ldapfallback) {
+ log_error("ERROR! Could not connect to server {$ldapname}. Defaulting to built-in local user database. Visit System -> User Manager for correcting it.");
+ return local_backed($username, $passwd);
+ } else
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+
+ return false;
}
+
/* ok, its up. now, lets bind as the bind user so we can search it */
- if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $error = false;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap)))
+ $error = true;
+ } else if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw)))
+ $error = true;
+
+ if ($error == true) {
ldap_close($ldap);
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapfallback) {
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ return local_backed($username, $passwd);
+ } else
+ log_error("ERROR! Could not bind to server {$ldapname}.");
+
+ return false;
}
/* Get LDAP Authcontainers and split em up. */
- $ldac_split = split(";", $ldapauthcont);
-
- /* now count how many there are */
- $containers = count($ldac_split);
- log_error("Number of Authentication Containers to search for $username is {$containers}");
+ $ldac_splits = split(";", $ldapauthcont);
/* setup the usercount so we think we havn't found anyone yet */
$usercount = 0;
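Review bot: `ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);` and the LDAP_OPT_REFERRALS call above it run before `$ldap` is created by ldap_connect further down, so they act on an undefined value and the real connection keeps the library's default protocol version; both calls should move to just after the `if ($error == true) { ... }` connect-failure block, before the bind. In the non-anonymous bind branch `ldap_bind($ldap, $ldapbindun, $ldapbindpw)` lacks the `@` its anonymous sibling has, so a bad service credential emits a PHP warning on top of the log_error. The fallback log line on bind failure still prints `{$ldapserver} - {$ldapfilter}` where every other message in this function now uses `{$ldapname}`. ldap_backed continues past the end of this hunk.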
@@ -710,100 +920,81 @@ function ldap_backed($username, $passwd) {
/* Person. To later be used by ldap_get_groups. */
/* that way we don't have to search twice. */
/*****************************************************************/
- if ($ldaptype == 'ldap'){
- log_error("Now Searching for {$username} in Active directory.");
- /* Iterate through the user containers for search */
- for ($i=0;$i<$containers;$i++){
- /* Make sure we just use the first user we find */
- log_error("Now Searching in {$ldac_split[$i]} for {$ldapfilter}.");
- $search = ldap_search($ldap,$ldac_split[$i],$ldapfilter);
- $info = ldap_get_entries($ldap,$search);
- $matches = $info['count'];
- log_error("Matches Found = {$matches}");
- if ($matches == 1){
- $_SESSION['ldapdn'] = $info[0]['dn'];
- $_SESSION['ldapou'] = $ldac_split[$i];
- $_SESSION['ldapon'] = "true";
- $ldapdn = $_SESSION['ldapdn'];
- $userou = $_SESSION['ldapou'];
- break;
- }
+ log_error("Now Searching for {$username} in directory.");
+ /* Iterate through the user containers for search */
+ foreach ($ldac_splits as $i => $ldac_split) {
+ /* Make sure we just use the first user we find */
+ log_error("Now Searching in server {$ldapname}, container {$ldac_split} with filter {$ldapfilter}.");
+ if ($ldapscope == "one")
+ $ldapfunc = "ldap_list";
+ else
+ $ldapfunc = "ldap_search";
+ /* Support legacy auth container specification. */
+ if (stristr($ldac_split, "DC="))
+ $search = $ldapfunc($ldap,$ldac_split,$ldapfilter);
+ else
+ $search = $ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
+ if (!$search) {
+ log_error("Search resulted in error: " . ldap_error($ldap));
+ continue;
}
-
+ $info = ldap_get_entries($ldap,$search);
+ $matches = $info['count'];
if ($matches == 1){
- $binduser = $adbindas;
- log_error("Going to login as {$username} - DN = {$_SESSION['ldapdn']}");
- }
- if ($matches != 1){
- log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = local_backed($username, $passwd);
- $_SESSION['ldapon'] = "false";
- ldap_close($ldap);
- return $status;
+ $userdn = $_SESSION['ldapdn'] = $info[0]['dn'];
+ $_SESSION['ldapou'] = $ldac_split[$i];
+ $_SESSION['ldapon'] = "true";
+ $usercount = 1;
+ break;
}
}
- /*****************************************************************/
- /* Now LDAP other. eDirectory or Netscape or Sunone or OpenLDAP */
- /*****************************************************************/
- /* We First find the user based on username and filter */
- /* Then, once we find the first occurance of that person */
- /* We set seesion variables to ponit to the OU and DN of the */
- /* Person. To later be used by ldap_get_groups. */
- /* that way we don't have to search twice. */
- /*****************************************************************/
- if ($ldaptype == 'ldapother'){
- log_error("Now Searching for {$username} in LDAP.");
- /* Iterate through the user containers for search */
- for ($i=0;$i<$containers;$i++){
- /* Make sure we just use the first user we find */
- log_error("Now searching in {$ldac_split[$i]} for {$ldapfilter}.");
- $search = ldap_search($ldap,$ldac_split[$i],$ldapfilter);
- $info = ldap_get_entries($ldap,$search);
- $matches = $info['count'];
- log_error("Matches Found = {$matches}.");
-
- if ($matches == 1){
- $_SESSION['ldapdn'] = $info[0]['dn'];
- $_SESSION['ldapou'] = $ldac_split[$i];
- $_SESSION['ldapon'] = "true";
- $ldapdn = $_SESSION['ldapdn'];
- $userou = $_SESSION['ldapou'];
- break;
- }
- }
- if($matches == 1){
- $binduser = $ldapnameattribute."=".$username.",".$userou;
- log_error("Going to login as {$username} - DN = {$_SESSION['ldapdn']}");
- }
- if($matches != 1){
- log_error("ERROR! Either LDAP search failed, or multiple users were found");
+ if ($usercount != 1){
+ ldap_unbind($ldap);
+ if ($ldapfallback) {
+ log_error("ERROR! Either LDAP search failed, or multiple users were found. Falling back to local user database.");
$status = local_backed($username, $passwd);
- ldap_close($ldap);
$_SESSION['ldapon'] = "false";
- return $status;
- }
+ return $status;
+ } else
+ log_error("ERROR! Either LDAP search failed, or multiple users were found.");
+ return false;
}
-
+
/* Now lets bind as the user we found */
- if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
- $status = local_backed($username, $passwd);
- return $status;
+ if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
+ if ($ldapfallback) {
+ log_error("ERROR! Could not login to server {$ldapname} as user {$username}. Defaulting to local user database. Visit System -> User Manager.");
+ $status = local_backed($username, $passwd);
+ $_SESSION['ldapon'] = "false";
+ return $status;
+ } else
+ log_error("ERROR! Could not login to server {$ldapname} as user {$username}.");
+
+ return false;
}
- log_error("$binduser succesfully logged in via LDAP.");
+ log_error("Logged in succesfully as {$username} via LDAP server {$ldapname} with DN = {$userdn}.");
+
+ /* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
+ ldap_unbind($ldap);
- /* At this point we are bound to LDAP so the user was auth'd okay. */
return true;
}
-function radius_backed($username, $passwd){
+function radius_backed($username, $passwd, $authcfg = NULL){
global $debug, $config;
$ret = false;
- $radiusservers = $config['system']['radius']['servers'];
$rauth = new Auth_RADIUS_PAP($username, $passwd);
+ if ($authcfg) {
+ $radiusservers = array();
+ $radiusservers[0]['ipaddr'] = $authcfg['host'];
+ $radiusservers[0]['port'] = $authcfg['radius_auth_port'];
+ $radiusservers[0]['sharedsecret'] = $authcfg['radius_secret'];
+ } else
+ $radiusservers = $config['system']['radius']['servers'];
+
/* Add a new servers to our instance */
foreach ($radiusservers as $radsrv)
$rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret']);
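Review bot: In the container loop, `$_SESSION['ldapou'] = $ldac_split[$i];` is left over from the old indexed loop; `$ldac_split` is now the container string from `foreach ($ldac_splits as $i => $ldac_split)`, so `[$i]` stores a single character of it, and the line should be `$_SESSION['ldapou'] = $ldac_split;`. The final `@ldap_bind($ldap, $userdn, $passwd)` is the actual credential check, and an empty `$passwd` turns a simple bind into an unauthenticated bind that many directories accept as success, so unless the part of ldap_backed outside this hunk already rejects an empty password, a guard such as `if (empty($passwd)) return false;` belongs before it (the OpenVPN caller checks this, the GUI path is not visible here). The success log line spells "succesfully"; `successfully` in the same message.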
@@ -865,6 +1056,43 @@ function is_account_disabled($username) {
return false;
}
+function auth_get_authserver($name) {
+ global $config;
+
+ if (is_array($config['system']['authserver'])) {
+ foreach ($config['system']['authserver'] as $authcfg) {
+ if ($authcfg['name'] == $name)
+ return $authcfg;
+ }
+ }
+}
+
+function authenticate_user($username, $password, $authcfg = NULL) {
+
+ if (!$authcfg) {
+ return local_backed($username, $password);
+ }
+
+ $authenticated = false;
+ switch($authcfg['type']) {
+ case 'ldap':
+ if (ldap_backed($username, $password, $authcfg))
+ $authenticated = true;
+ break;
+ case 'radius':
+ if (radius_backed($username, $password, $authcfg))
+ $authenticated = true;
+ break;
+ default:
+ /* lookup user object by name */
+ if (local_backed($username, $password))
+ $authenticated = true;
+ break;
+ }
+
+ return $authenticated;
+}
+
function session_auth($backing) {
global $debug, $HTTP_SERVER_VARS, $config, $_SESSION, $page;
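Review bot: auth_get_authserver and authenticate_user are new entry points called from another file but carry no header comment; a docblock on each, stating that auth_get_authserver returns the `$config['system']['authserver']` entry whose `name` matches or null when there is none, and that authenticate_user returns true only when the selected backend accepts the credentials, would help the OpenVPN caller. The `default:` arm of the switch authenticates against the local database for any unrecognised `type`, so a mistyped or future server type silently changes which backend checks the password; an explicit `case 'local':` for the local database plus `default: log_error("authenticate_user(): unknown auth server type {$authcfg['type']}"); break;` leaves `$authenticated` false and makes the misconfiguration visible. `$authcfg['name'] == $name` is a loose comparison; `===` avoids PHP's numeric-string coercion for numeric-looking names.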
diff --git a/etc/inc/openvpn.auth-ldap.php b/etc/inc/openvpn.auth-ldap.php
deleted file mode 100755
index e84bfdc..0000000
--- a/etc/inc/openvpn.auth-ldap.php
+++ /dev/null
@@ -1,155 +0,0 @@
-#!/usr/local/bin/php -f
-<?php
-/* $Id$ */
-/*
- openvpn.auth-ldap.php
-
- Copyright (C) 2010 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_BUILDER_BINARIES:
- pfSense_MODULE: openvpn
-*/
-require_once("config.inc");
-require_once("system.inc");
-
-/* setup syslog logging */
-openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-
-/* read data from environment */
-$username = getenv("username");
-$password = getenv("password");
-
-if (empty($username) || empty($password)) {
- syslog(LOG_ERR, "invalid user authentication environment");
- exit(-1);
-}
-
-/* Replaced by a sed with propper variables used below(ldap parameters). */
-//<template>
-
-$authcfg = system_get_authserver($authmode);
-$basednsplit = explode(",", $authcfg['ldap_basedn']);
-$ldapbasedn = "";
-foreach ($basednsplit as $basedn) {
- $dn = explode("=", $basedn);
- if (strtoupper($dn[0]) == "DC") {
- if ($first > 0)
- $ldapbasedn .= ".";
- $first = 1;
- $ldapbasedn .= $dn[1];
- }
-}
-$ldapcfgou="{$authcfg['ldap_basedn']}";
-$ldapport="{$authcfg['ldap_port']}";
-if (strstr($authcfg['ldap_urltype'], "Standard"))
- $ldapproto = "ldap";
-else
- $ldapproto = "ldaps";
-$ldaphost="{$ldapproto}://{$authcfg['host']}";
-if (!empty($ldapbasedn))
- $ldapbasedn="@{$ldapbasedn}";
-else
- $ldapbasedn="{$ldapbasedn}";
-$ldapver="{$authcfg['ldap_protver']}";
-$ldapnameattr=strtolower($authcfg['ldap_attr_user']);
-$ldapfilter="({$ldapnameattr}={$username})";
-if (!$authcfg['ldap_binddn'] || !$authcfg['ldap_bindpw'])
- $ldapanon=true;
-else {
- $ldapanon=false;
- $ldapusername="{$authcfg['ldap_binddn']}";
- $ldappassword="{$authcfg['ldap_bindpw']}";
-}
-
-/* Make sure we can connect to LDAP */
-putenv('LDAPTLS_REQCERT=never');
-if (!($ldap = @ldap_connect($ldaphost, $ldapport))) {
- syslog(LOG_ERROR, "ERROR! Could not connect to server {$ldaphost}.");
- exit(-2);
-}
-
-ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
-ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
-
-/* ok, its up. now, lets bind as the bind user so we can search it */
-if ($ldapanon == true) {
- if (!($res = @ldap_bind($ldap))) {
- syslog(LOG_WARNING, "user {$username} could not bind anonymously\n");
- ldap_close($ldap);
- exit(-3);
- }
-} else if (!($res = @ldap_bind($ldap, $ldapusername, $ldappassword))) {
- syslog(LOG_WARNING, "user {$username} could not authenticate with bind credentials\n");
- ldap_close($ldap);
- exit(-3);
-}
-
-$ldapous = explode(";", $ldapcfgou);
-$founddn = false;
-foreach ($ldapous as $ldapou) {
- if (!($search = ldap_search($ldap, $ldapou, $ldapfilter))) {
- syslog(LOG_WARNING, "Could not search the {$ldapou} in directory for user: {$username}");
- continue;
- }
-
- $userinfo = ldap_get_entries($ldap, $search);
- if ($userinfo['count'] < 1) {
- syslog(LOG_WARNING, "{$username} does not exist in {$ldapou}.");
- continue;
- } else if ($userinfo['count'] > 1) {
- syslog(LOG_WARNING, "{$username} matches more than one entry in {$ldapou}.");
- ldap_unbind($ldap);
- exit(-5);
- }
- $founddn = true;
- break;
-}
-
-if ($founddn == false) {
- syslog(LOG_WARNING, "{$username} could not authenticate.");
- ldap_unbind($ldap);
- exit(-4);
-}
-
-$usernamedn = $username;
-if (!strstr($username, "@") && !strstr($username, "\\"))
- $usernamedn .= $ldapbasedn;
-
-if (!($res = @ldap_bind($ldap, $username, $password)) &&
- !($res = @ldap_bind($ldap, $usernamedn, $password)) &&
- !($res = @ldap_bind($ldap, "{$ldapnameattr}={$username},{$ldapou}", $password))) {
- syslog(LOG_WARNING, "{$username} could not authenticate in {$ldapou}.");
- ldap_unbind($ldap);
- exit(-6);
-}
-
-syslog(LOG_WARNING, "user {$username} authenticated\n");
-
-ldap_unbind($ldap);
-
-exit(0);
-
-?>
diff --git a/etc/inc/openvpn.auth-radius.php b/etc/inc/openvpn.auth-radius.php
deleted file mode 100755
index 77f45da..0000000
--- a/etc/inc/openvpn.auth-radius.php
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/local/bin/php -f
-<?php
-/* $Id$ */
-/*
- openvpn.auth-radius.php
-
- Copyright (C) 2010 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_BUILDER_BINARIES:
- pfSense_MODULE: openvpn
-*/
-
-require_once("config.inc");
-require_once("system.inc");
-require_once("radius.inc");
-
-/* setup syslog logging */
-openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-
-/* read data from environment */
-$username = getenv("username");
-$password = getenv("password");
-
-if (empty($username) || empty($password)) {
- syslog(LOG_ERR, "invalid user authentication environment");
- exit(-1);
-}
-
-/* Replaced by a sed with propper variables used below(server parameters). */
-//<template>
-
-$authcfg = system_get_authserver($authmode);
-$radsrv="{$authcfg['host']}";
-$radport="{$authcfg['radius_auth_port']}";
-$radsecret="{$authcfg['radius_secret']}";
-
-$rauth = new Auth_RADIUS_PAP($username, $password);
-/* Add server to our instance */
-$rauth->addServer($radsrv, $radport, $radsecret);
-
-if (!$rauth->start()) {
- syslog(LOG_ERROR, "ERROR! " . $rauth->getError());
- exit(-2);
-}
-
-/* Send request */
-$result = $rauth->send();
-if (PEAR::isError($result)) {
- syslog(LOG_WARNING, "Something went wrong trying to authenticate {$username}: " . $result->getMessage() . " \n");
- exit(-1);
-} else if ($result === true) {
- syslog(LOG_WARNING, "user {$username} authenticated\n");
-} else {
- syslog(LOG_WARNING, "user {$username} could not authenticate. \n");
- exit(-3);
-}
-
-// close OO RADIUS_AUTHENTICATION
-$rauth->close();
-
-exit(0);
-
-?>
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index 725b807..ecde6b6 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -55,10 +55,21 @@ if (!$username || !$password) {
exit(-1);
}
-/* lookup user object by name */
-if (!local_backed($username, $password)) {
- syslog(LOG_WARNING, "user {$username} supplied an invalid password\n");
- exit(-2);
+/* Replaced by a sed with propper variables used below(ldap parameters). */
+//<template>
+
+$authenticated = false;
+foreach ($authmodes as $authmode) {
+ $authcfg = auth_get_authserver($authmode);
+ if (!$authcfg)
+ continue;
+
+ $authenticated = authenticate_user($username, $password, $authcfg);
+}
+
+if ($authenticated == false) {
+ syslog(LOG_WARNING, "user {$username} could not authenticate.\n");
+ exit(-1);
}
syslog(LOG_WARNING, "user {$username} authenticated\n");
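Review bot: The loop at the `foreach ($authmodes as $authmode)` line overwrites `$authenticated` on every iteration, so a user accepted by an earlier server is rejected again if the last server in the list fails, and every remaining server is still queried once one has succeeded; add `if ($authenticated) break;` directly after the `authenticate_user(...)` call. The `$authenticated == false` comparison is loose — if `authenticate_user` can return a non-bool, make the grant path require an explicit `=== true` so that only a definite success lets the user in. `$authmodes` only exists once the `//<template>` marker has been substituted by the generator in openvpn.inc; if the unsubstituted file is ever run directly, the `foreach` emits a warning and falls through to the deny branch, which is the safe outcome but deserves a comment such as `/* $authmodes is injected by openvpn_reconfigure(); an undefined list denies access */`. The added comment was copied from the deleted LDAP script and still says "ldap parameters" although the script now receives the list of auth servers; reword it to `/* Replaced by sed in openvpn_reconfigure() with the list of configured auth servers. */`.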
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index a62e01a..081e109 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -49,6 +49,7 @@
require_once('config.inc');
require_once("certs.inc");
require_once('pfsense-utils.inc');
+require_once("auth.inc");
$openvpn_prots = array("UDP", "TCP");
@@ -379,16 +380,19 @@ function openvpn_reconfigure($mode,& $settings) {
$conf .= "client-cert-not-required\n";
case 'server_tls_user':
$conf .= "username-as-common-name\n";
- if ($settings['authmode'] == "local")
- $conf .= "auth-user-pass-verify /etc/inc/openvpn.auth-user.php via-env\n";
- else {
- $authcfg = system_get_authserver($settings['authmode']);
- if ($authcfg) {
- mwexec("/bin/cat /etc/inc/openvpn.auth-{$authcfg['type']}.php | /usr/bin/sed 's/\/\/<template>/\$authmode=\"{$authcfg['name']}\";/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
- mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
- $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
- }
+ $authcfgs = explode(",", $settings['authmode']);
+ $sed = "\$authmodes=array(";
+ $firstsed = 0;
+ foreach ($authcfgs as $authcfg) {
+ if ($firstsed > 0)
+ $sed .= ",";
+ $firstsed = 1;
+ $sed .= "\"{$authcfg}\"";
}
+ $sed .= ");";
+ mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
+ mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
+ $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn//{$mode_id}.php via-env\n";
break;
}
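Review bot: The server names from `$settings['authmode']` are spliced into a sed expression and then into the generated PHP source without any escaping (the `$sed .= "\"{$authcfg}\"";` and `mwexec(... sed ...)` lines), so a name containing `/`, `"`, `'` or `&` breaks the sed substitution or the resulting script, and the old branch's check that the name is actually a configured server has been dropped. The values come from the saved configuration rather than from the VPN client, so this is a robustness rather than an injection concern, but building the array with `var_export()` and writing the file from PHP removes both the shell round-trip and the hand-rolled comma loop. The path on the `auth-user-pass-verify` line has a doubled slash (`openvpn//{$mode_id}.php`) and differs from the path used on the `chmod` line. Whether `auth_get_authserver("local")` still resolves the former `local` special case is not visible here and should be confirmed, because the generated script denies access for any name it cannot resolve. openvpn_reconfigure() starts and ends outside the hunk.
```php
            // … unchanged: case labels and username-as-common-name …
            $authcfgs = array_map('trim', explode(",", $settings['authmode']));
            /* emit a valid PHP array literal regardless of the characters in the names */
            $authlist = '$authmodes=' . var_export($authcfgs, true) . ';';
            $script = str_replace("//<template>", $authlist,
                file_get_contents("/etc/inc/openvpn.auth-user.php"));
            $scriptpath = "{$g['varetc_path']}/openvpn/{$mode_id}.php";
            file_put_contents($scriptpath, $script);
            chmod($scriptpath, 0755);
            $conf .= "auth-user-pass-verify {$scriptpath} via-env\n";
            break;
```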
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 9a9598c..800abaa 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1355,15 +1355,4 @@ function enable_watchdog() {
exec("/usr/sbin/watchdogd");
}
}
-
-function system_get_authserver($name) {
- global $config;
-
- if (is_array($config['system']['authserver'])) {
- foreach ($config['system']['authserver'] as $authcfg) {
- if ($authcfg['name'] == $name)
- return $authcfg;
- }
- }
-}
?>