-rw-r--r--etc/inc/auth.inc556
-rwxr-xr-xetc/inc/openvpn.auth-ldap.php155
-rwxr-xr-xetc/inc/openvpn.auth-radius.php86
-rwxr-xr-xetc/inc/openvpn.auth-user.php19
-rw-r--r--etc/inc/openvpn.inc22
-rw-r--r--etc/inc/system.inc11
-rwxr-xr-xusr/local/www/guiconfig.inc4
-rw-r--r--usr/local/www/system_authservers.php31
-rw-r--r--usr/local/www/system_usermanager_settings_ldapacpicker.php35
-rw-r--r--usr/local/www/vpn_openvpn_server.php10
10 files changed, 474 insertions, 455 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 4c0ed0a..339994d 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -461,79 +461,193 @@ function local_group_del($group) {
}
-function ldap_test_connection() {
+function ldap_test_connection($authcfg = NULL) {
global $debug, $config, $g;
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ }
- if (!($ldap = ldap_connect($ldapserver)))
- return false;
+ /* first check if there is even an LDAP server populated */
+ if(!$ldapserver)
+ return false;
+
+ /* connect and see if server is up */
+ putenv('LDAPTLS_REQCERT=never');
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+ return false;
+ }
return true;
}
-function ldap_test_bind() {
+function ldap_test_bind($authcfg = NULL) {
global $debug, $config, $g;
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
-
- if (!($ldap = ldap_connect($ldapserver)))
- return false;
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbndun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapver = 3;
+ $ldapanon = false;
+ }
+
+ /* first check if there is even an LDAP server populated */
+ if(!$ldapserver)
+ return false;
+
+ /* connect and see if server is up */
+ putenv('LDAPTLS_REQCERT=never');
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+ return false;
+ }
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
-
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw)))
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap)))
+ return false;
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw)))
return false;
+ $ldap_unbind($ldap);
+
return true;
}
-function ldap_get_user_ous($show_complete_ou=true) {
+function ldap_get_user_ous($show_complete_ou=true, $authcfg = NULL) {
global $debug, $config, $g;
if(!function_exists("ldap_connect"))
return;
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapsearchbase = "{$config['system']['webgui']['ldapsearchbase']}";
- $ldaptype = $config['system']['webgui']['backend'];
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbindun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapport = "";
+ $ldapbasedn = $config['system']['webgui']['ldapsearchbase'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapver = 3;
+ $ldapanon = false;
+ $ldapname = "system-settings";
+ $ldapfallback = true;
+ $ldapscope = "all";
+ }
- $ldapfilter = "(ou=*)";
- putenv('LDAPTLS_REQCERT=never');
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
- }
+ $ous = array();
+
+ /* first check if there is even an LDAP server populated */
+ if(!$ldapserver) {
+ log_error("ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined.");
+ return $ous;
+ }
+
+ /* connect and see if server is up */
+ putenv('LDAPTLS_REQCERT=never');
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+ return $ous;
+ }
+
+ $ldapfilter = "(|(ou=*)(cn=Users))";
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap))) {
+ log_error("ERROR! ldap_get_user_ous() could not bind to server {$ldapname}.");
+ return $ous;
+ }
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error("ERROR! ldap_get_user_ous() could not bind to server {$ldapname}.");
+ return $ous;
}
- $search = ldap_search($ldap, $ldapsearchbase, $ldapfilter);
+ if ($ldapscope == "one")
+ $ldapfunc = "ldap_list";
+ else
+ $ldapfunc = "ldap_search";
+ $search = $ldapfunc($ldap, $ldapbasedn, $ldapfilter);
$info = ldap_get_entries($ldap, $search);
- $ous = array();
-
if (is_array($info)) {
foreach ($info as $inf) {
if (!$show_complete_ou) {
$inf_split = split(",", $inf['dn']);
$ou = $inf_split[0];
$ou = str_replace("OU=","", $ou);
+ $ou = str_replace("CN=","", $ou);
} else
if($inf['dn'])
$ou = $inf['dn'];
@@ -542,14 +656,10 @@ function ldap_get_user_ous($show_complete_ou=true) {
}
}
- //Tack on the default Users container for AD since its non-standard
- if($ldaptype == 'ldap')
- $ous[] = "CN=Users,".$ldapsearchbase;
-
return $ous;
}
-function ldap_get_groups($username) {
+function ldap_get_groups($username, $authcfg = NULL) {
global $debug, $config;
if(!function_exists("ldap_connect"))
@@ -569,45 +679,90 @@ function ldap_get_groups($username) {
}
//log_error("Getting LDAP groups for {$username}.");
-
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapfilter = $config['system']['webgui']['ldapfilter'];
- $ldapfilter = str_replace("\$username", $username, $ldapfilter);
- $ldapgroupattribute = $config['system']['webgui']['ldapgroupattribute'];
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ $ldapauthcont = $authcfg['ldap_authcn'];
+ $ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
+ $ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ $ldaptype = "";
+ $ldapver = $authcfg['ldap_protver'];
+ if (empty($ldapbindun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapport = "";
+ $ldapbasedn = $config['system']['webgui']['ldapsearchbase'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapfilter = $config['system']['webgui']['ldapfilter'];
+ $ldapfilter = str_replace("_username_", $username, $ldapfilter);
+ $ldapgroupattribute = $config['system']['webgui']['ldapgroupattribute'];
+ $ldapver = 3;
+ $ldapanon = false;
+ $ldapname = "system-settings";
+ $ldapfallback = true;
+ $ldapscope = "all";
+ }
+
$ldapdn = $_SESSION['ldapdn'];
-
+
/*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
$ldapgroupattribute = strtolower($ldapgroupattribute);
+ $memberof = array();
/* connect and see if server is up */
putenv('LDAPTLS_REQCERT=never');
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_get_groups() could not connect to server {$ldapserver}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
- }
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ log_error("ERROR! ldap_get_groups() Could not connect to server {$ldapname}.");
+ return memberof;
+ }
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
/* bind as user that has rights to read group attributes */
- if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_get_groups() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap)))
+ return false;
+ } else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
+ log_error("ERROR! ldap_get_groups() could not bind to server {$ldapname}.");
+ return memberof;
}
/* get groups from DN found */
/* use ldap_read instead of search so we don't have to do a bunch of extra work */
/* since we know the DN is in $_SESSION['ldapdn'] */
//$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute));
- $search = ldap_read($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
+ if ($ldapscope == "one")
+ $ldapfunc = "ldap_list";
+ else
+ $ldapfunc = "ldap_search";
+
+ $search = $ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
$info = ldap_get_entries($ldap, $search);
$countem = $info["count"];
- $memberof = array();
if(is_array($info[0][$ldapgroupattribute])) {
/* Iterate through the groups and throw them into an array */
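Review bot: `return memberof;` on both the connect-failure and the bind-failure path drops the `$`, so the function returns the bare string "memberof" (an undefined-constant notice, a fatal error on newer PHP) instead of the empty `$memberof` array it just initialised; both lines should read `return $memberof;`. The anonymous-bind branch just above returns `false` with no log line, unlike its credentialed sibling, so callers get a third return type for the same failure. `$ldapfilter = "({$ldapnameattribute}={$username})"` interpolates the supplied username straight into the search filter; characters such as `*`, `(`, `)` and `\` change the filter's meaning, so the value should be escaped per RFC 4515 before use (`ldap_escape($username, '', LDAP_ESCAPE_FILTER)` where the PHP version has it, otherwise a small helper that backslash-hex-encodes those characters). The same unescaped filter is built in ldap_backed in a later hunk of this file.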
@@ -620,7 +775,7 @@ function ldap_get_groups($username) {
}
/* Time to close LDAP connection */
- ldap_close($ldap);
+ ldap_unbind($ldap);
$groups = print_r($memberof,true);
@@ -629,7 +784,7 @@ function ldap_get_groups($username) {
return $memberof;
}
-function ldap_backed($username, $passwd) {
+function ldap_backed($username, $passwd, $authcfg = NULL) {
global $debug, $config;
if(!$username)
@@ -649,46 +804,101 @@ function ldap_backed($username, $passwd) {
$username = $username_split[0];
}
- $ldapserver = $config['system']['webgui']['ldapserver'];
- $ldapbindun = $config['system']['webgui']['ldapbindun'];
- $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
- $ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
- $ldapnameattribute = $config['system']['webgui']['ldapnameattribute'];
- $ldapfilter = $config['system']['webgui']['ldapfilter'];
- $ldaptype = $config['system']['webgui']['backend'];
- $ldapfilter = str_replace("_username_", $username, $ldapfilter);
+ if ($authcfg) {
+ if (strstr($authcfg['ldap_urltype'], "Standard"))
+ $ldapproto = "ldap";
+ else
+ $ldapproto = "ldaps";
+ $ldapserver = "{$ldapproto}://{$authcfg['host']}";
+ $ldapport = $authcfg['ldap_port'];
+ $ldapbasedn = $authcfg['ldap_basedn'];
+ $ldapbindun = $authcfg['ldap_binddn'];
+ $ldapbindpw = $authcfg['ldap_bindpw'];
+ if (empty($ldapbindun) || empty($ldapbindpw))
+ $ldapanon = true;
+ else
+ $ldapanon = false;
+ $ldapauthcont = $authcfg['ldap_authcn'];
+ $ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ $ldaptype = "";
+ $ldapver = $authcfg['ldap_protver'];
+ $ldapname = $authcfg['name'];
+ $ldapfallback = false;
+ $ldapscope = $authcfg['ldap_scope'];
+ } else {
+ $ldapserver = $config['system']['webgui']['ldapserver'];
+ $ldapport = "";
+ $ldapbasedn = $config['system']['webgui']['ldapsearchbase'];
+ $ldapbindun = $config['system']['webgui']['ldapbindun'];
+ $ldapbindpw = $config['system']['webgui']['ldapbindpw'];
+ $ldapauthcont = $config['system']['webgui']['ldapauthcontainers'];
+ $ldapnameattribute = $config['system']['webgui']['ldapnameattribute'];
+ $ldapfilter = $config['system']['webgui']['ldapfilter'];
+ $ldaptype = $config['system']['webgui']['backend'];
+ $ldapver = 3;
+ $ldapfilter = str_replace("_username_", $username, $ldapfilter);
+ $ldapanon = false;
+ $ldapname = "system-settings";
+ $ldapfallback = true;
+ $ldapscope = "all";
+ }
+
/* first check if there is even an LDAP server populated */
if(!$ldapserver) {
- log_error("ERROR! ldap_backed() backed selected with no LDAP authentication server defined. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapfallback) {
+ log_error("ERROR! ldap_backed() called with no LDAP authentication server defined. Defaulting to local user database. Visit System -> User Manager.");
+ return local_backed($username, $passwd);
+ } else
+ log_error("ERROR! ldap_backed() called with no LDAP authentication server defined.");
+
+ return false;
}
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
/* Make sure we can connect to LDAP */
putenv('LDAPTLS_REQCERT=never');
- if (!($ldap = ldap_connect($ldapserver))) {
- log_error("ERROR! ldap_backed() could not connect to server {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
- $status = local_backed($username, $passwd);
- return $status;
+ $error = false;
+ if (empty($ldapport)) {
+ if (!($ldap = ldap_connect($ldapserver)))
+ $error = true;
+ } else if (!($ldap = ldap_connect($ldapserver, $ldapport)))
+ $error = true;
+
+ if ($error == true) {
+ if ($ldapfallback) {
+ log_error("ERROR! Could not connect to server {$ldapname}. Defaulting to built-in local user database. Visit System -> User Manager for correcting it.");
+ return local_backed($username, $passwd);
+ } else
+ log_error("ERROR! Could not connect to server {$ldapname}.");
+
+ return false;
}
+
/* ok, its up. now, lets bind as the bind user so we can search it */
- if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ $error = false;
+ if ($ldapanon == true) {
+ if (!($res = @ldap_bind($ldap)))
+ $error = true;
+ } else if (!($res = ldap_bind($ldap, $ldapbindun, $ldapbindpw)))
+ $error = true;
+
+ if ($error == true) {
ldap_close($ldap);
- $status = local_backed($username, $passwd);
- return $status;
+ if ($ldapfallback) {
+ log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$ldapfilter}. Defaulting to built-in local_backed()");
+ return local_backed($username, $passwd);
+ } else
+ log_error("ERROR! Could not bind to server {$ldapname}.");
+
+ return false;
}
/* Get LDAP Authcontainers and split em up. */
- $ldac_split = split(";", $ldapauthcont);
-
- /* now count how many there are */
- $containers = count($ldac_split);
- log_error("Number of Authentication Containers to search for $username is {$containers}");
+ $ldac_splits = split(";", $ldapauthcont);
/* setup the usercount so we think we havn't found anyone yet */
$usercount = 0;
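Review bot: `ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);` is applied before `$ldap` exists, since ldap_connect() only runs several lines later, so neither the protocol version nor the referrals setting reaches the real handle and the `$ldapver` this commit introduces has no effect in ldap_backed. Move both ldap_set_option lines to just after the connect-error check, which is the order ldap_get_groups already uses. The bind step also mixes `@ldap_bind($ldap)` for the anonymous branch with an unsuppressed `ldap_bind(...)` for the credentialed one; either both should be suppressed and the reason logged through ldap_error(), or neither. ldap_backed begins before this hunk.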
@@ -710,100 +920,81 @@ function ldap_backed($username, $passwd) {
/* Person. To later be used by ldap_get_groups. */
/* that way we don't have to search twice. */
/*****************************************************************/
- if ($ldaptype == 'ldap'){
- log_error("Now Searching for {$username} in Active directory.");
- /* Iterate through the user containers for search */
- for ($i=0;$i<$containers;$i++){
- /* Make sure we just use the first user we find */
- log_error("Now Searching in {$ldac_split[$i]} for {$ldapfilter}.");
- $search = ldap_search($ldap,$ldac_split[$i],$ldapfilter);
- $info = ldap_get_entries($ldap,$search);
- $matches = $info['count'];
- log_error("Matches Found = {$matches}");
- if ($matches == 1){
- $_SESSION['ldapdn'] = $info[0]['dn'];
- $_SESSION['ldapou'] = $ldac_split[$i];
- $_SESSION['ldapon'] = "true";
- $ldapdn = $_SESSION['ldapdn'];
- $userou = $_SESSION['ldapou'];
- break;
- }
+ log_error("Now Searching for {$username} in directory.");
+ /* Iterate through the user containers for search */
+ foreach ($ldac_splits as $i => $ldac_split) {
+ /* Make sure we just use the first user we find */
+ log_error("Now Searching in server {$ldapname}, container {$ldac_split} with filter {$ldapfilter}.");
+ if ($ldapscope == "one")
+ $ldapfunc = "ldap_list";
+ else
+ $ldapfunc = "ldap_search";
+ /* Support legacy auth container specification. */
+ if (stristr($ldac_split, "DC="))
+ $search = $ldapfunc($ldap,$ldac_split,$ldapfilter);
+ else
+ $search = $ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
+ if (!$search) {
+ log_error("Search resulted in error: " . ldap_error($ldap));
+ continue;
}
-
+ $info = ldap_get_entries($ldap,$search);
+ $matches = $info['count'];
if ($matches == 1){
- $binduser = $adbindas;
- log_error("Going to login as {$username} - DN = {$_SESSION['ldapdn']}");
- }
- if ($matches != 1){
- log_error("ERROR! Either LDAP search failed, or multiple users were found");
- $status = local_backed($username, $passwd);
- $_SESSION['ldapon'] = "false";
- ldap_close($ldap);
- return $status;
+ $userdn = $_SESSION['ldapdn'] = $info[0]['dn'];
+ $_SESSION['ldapou'] = $ldac_split[$i];
+ $_SESSION['ldapon'] = "true";
+ $usercount = 1;
+ break;
}
}
- /*****************************************************************/
- /* Now LDAP other. eDirectory or Netscape or Sunone or OpenLDAP */
- /*****************************************************************/
- /* We First find the user based on username and filter */
- /* Then, once we find the first occurance of that person */
- /* We set seesion variables to ponit to the OU and DN of the */
- /* Person. To later be used by ldap_get_groups. */
- /* that way we don't have to search twice. */
- /*****************************************************************/
- if ($ldaptype == 'ldapother'){
- log_error("Now Searching for {$username} in LDAP.");
- /* Iterate through the user containers for search */
- for ($i=0;$i<$containers;$i++){
- /* Make sure we just use the first user we find */
- log_error("Now searching in {$ldac_split[$i]} for {$ldapfilter}.");
- $search = ldap_search($ldap,$ldac_split[$i],$ldapfilter);
- $info = ldap_get_entries($ldap,$search);
- $matches = $info['count'];
- log_error("Matches Found = {$matches}.");
-
- if ($matches == 1){
- $_SESSION['ldapdn'] = $info[0]['dn'];
- $_SESSION['ldapou'] = $ldac_split[$i];
- $_SESSION['ldapon'] = "true";
- $ldapdn = $_SESSION['ldapdn'];
- $userou = $_SESSION['ldapou'];
- break;
- }
- }
- if($matches == 1){
- $binduser = $ldapnameattribute."=".$username.",".$userou;
- log_error("Going to login as {$username} - DN = {$_SESSION['ldapdn']}");
- }
- if($matches != 1){
- log_error("ERROR! Either LDAP search failed, or multiple users were found");
+ if ($usercount != 1){
+ ldap_unbind($ldap);
+ if ($ldapfallback) {
+ log_error("ERROR! Either LDAP search failed, or multiple users were found. Falling back to local user database.");
$status = local_backed($username, $passwd);
- ldap_close($ldap);
$_SESSION['ldapon'] = "false";
- return $status;
- }
+ return $status;
+ } else
+ log_error("ERROR! Either LDAP search failed, or multiple users were found.");
+ return false;
}
-
+
/* Now lets bind as the user we found */
- if (!($res = @ldap_bind($ldap, $binduser, $passwd))) {
- log_error("ERROR! ldap_backed() could not bind to {$ldapserver} - {$username}. Defaulting to built-in local_backed(). Visit System -> User Manager -> Settings.");
- $status = local_backed($username, $passwd);
- return $status;
+ if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
+ if ($ldapfallback) {
+ log_error("ERROR! Could not login to server {$ldapname} as user {$username}. Defaulting to local user database. Visit System -> User Manager.");
+ $status = local_backed($username, $passwd);
+ $_SESSION['ldapon'] = "false";
+ return $status;
+ } else
+ log_error("ERROR! Could not login to server {$ldapname} as user {$username}.");
+
+ return false;
}
- log_error("$binduser succesfully logged in via LDAP.");
+ log_error("Logged in succesfully as {$username} via LDAP server {$ldapname} with DN = {$userdn}.");
+
+ /* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
+ ldap_unbind($ldap);
- /* At this point we are bound to LDAP so the user was auth'd okay. */
return true;
}
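Review bot: `$_SESSION['ldapou'] = $ldac_split[$i];` was carried over from the old index loop, but `$ldac_split` is now the container string from `foreach ($ldac_splits as $i => $ldac_split)`, so this stores a single character of the container rather than the container DN; it should be `$_SESSION['ldapou'] = $ldac_split;`. The user bind `@ldap_bind($ldap, $userdn, $passwd)` has no guard against an empty `$passwd`: a bind with a DN and an empty password is treated by LDAP servers as an unauthenticated bind and reported as success, which would let the function return true without a password, unless a check above this hunk already rejects it (the function starts before the hunk and the only guard visible is on `$username`). An `if (empty($passwd)) { ldap_unbind($ldap); return false; }` before that bind closes the gap regardless.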
-function radius_backed($username, $passwd){
+function radius_backed($username, $passwd, $authcfg = NULL){
global $debug, $config;
$ret = false;
- $radiusservers = $config['system']['radius']['servers'];
$rauth = new Auth_RADIUS_PAP($username, $passwd);
+ if ($authcfg) {
+ $radiusservers = array();
+ $radiusservers[0]['ipaddr'] = $authcfg['host'];
+ $radiusservers[0]['port'] = $authcfg['radius_auth_port'];
+ $radiusservers[0]['sharedsecret'] = $authcfg['radius_secret'];
+ } else
+ $radiusservers = $config['system']['radius']['servers'];
+
/* Add a new servers to our instance */
foreach ($radiusservers as $radsrv)
$rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret']);
@@ -865,6 +1056,43 @@ function is_account_disabled($username) {
return false;
}
+function auth_get_authserver($name) {
+ global $config;
+
+ if (is_array($config['system']['authserver'])) {
+ foreach ($config['system']['authserver'] as $authcfg) {
+ if ($authcfg['name'] == $name)
+ return $authcfg;
+ }
+ }
+}
+
+function authenticate_user($username, $password, $authcfg = NULL) {
+
+ if (!$authcfg) {
+ return local_backed($username, $password);
+ }
+
+ $authenticated = false;
+ switch($authcfg['type']) {
+ case 'ldap':
+ if (ldap_backed($username, $password, $authcfg))
+ $authenticated = true;
+ break;
+ case 'radius':
+ if (radius_backed($username, $password, $authcfg))
+ $authenticated = true;
+ break;
+ default:
+ /* lookup user object by name */
+ if (local_backed($username, $password))
+ $authenticated = true;
+ break;
+ }
+
+ return $authenticated;
+}
+
function session_auth($backing) {
global $debug, $HTTP_SERVER_VARS, $config, $_SESSION, $page;
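Review bot: The `default:` arm of authenticate_user silently authenticates against the local user database for any `type` it does not recognise, so a typo or an unsupported backend in an auth-server entry downgrades to local accounts without a trace in the log; better to log the unknown type and leave `$authenticated` false, keeping the explicit no-`$authcfg` path as the only local fallback. `if ($authcfg['name'] == $name)` in auth_get_authserver uses a loose comparison; `===` avoids numeric-string coercion on names. auth_get_authserver also returns null implicitly when nothing matches, which callers rely on (`if (!$authcfg) continue;` in openvpn.auth-user.php); an explicit `return NULL;` after the loop would document that contract.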
diff --git a/etc/inc/openvpn.auth-ldap.php b/etc/inc/openvpn.auth-ldap.php
deleted file mode 100755
index e84bfdc..0000000
--- a/etc/inc/openvpn.auth-ldap.php
+++ /dev/null
@@ -1,155 +0,0 @@
-#!/usr/local/bin/php -f
-<?php
-/* $Id$ */
-/*
- openvpn.auth-ldap.php
-
- Copyright (C) 2010 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_BUILDER_BINARIES:
- pfSense_MODULE: openvpn
-*/
-require_once("config.inc");
-require_once("system.inc");
-
-/* setup syslog logging */
-openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-
-/* read data from environment */
-$username = getenv("username");
-$password = getenv("password");
-
-if (empty($username) || empty($password)) {
- syslog(LOG_ERR, "invalid user authentication environment");
- exit(-1);
-}
-
-/* Replaced by a sed with propper variables used below(ldap parameters). */
-//<template>
-
-$authcfg = system_get_authserver($authmode);
-$basednsplit = explode(",", $authcfg['ldap_basedn']);
-$ldapbasedn = "";
-foreach ($basednsplit as $basedn) {
- $dn = explode("=", $basedn);
- if (strtoupper($dn[0]) == "DC") {
- if ($first > 0)
- $ldapbasedn .= ".";
- $first = 1;
- $ldapbasedn .= $dn[1];
- }
-}
-$ldapcfgou="{$authcfg['ldap_basedn']}";
-$ldapport="{$authcfg['ldap_port']}";
-if (strstr($authcfg['ldap_urltype'], "Standard"))
- $ldapproto = "ldap";
-else
- $ldapproto = "ldaps";
-$ldaphost="{$ldapproto}://{$authcfg['host']}";
-if (!empty($ldapbasedn))
- $ldapbasedn="@{$ldapbasedn}";
-else
- $ldapbasedn="{$ldapbasedn}";
-$ldapver="{$authcfg['ldap_protver']}";
-$ldapnameattr=strtolower($authcfg['ldap_attr_user']);
-$ldapfilter="({$ldapnameattr}={$username})";
-if (!$authcfg['ldap_binddn'] || !$authcfg['ldap_bindpw'])
- $ldapanon=true;
-else {
- $ldapanon=false;
- $ldapusername="{$authcfg['ldap_binddn']}";
- $ldappassword="{$authcfg['ldap_bindpw']}";
-}
-
-/* Make sure we can connect to LDAP */
-putenv('LDAPTLS_REQCERT=never');
-if (!($ldap = @ldap_connect($ldaphost, $ldapport))) {
- syslog(LOG_ERROR, "ERROR! Could not connect to server {$ldaphost}.");
- exit(-2);
-}
-
-ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
-ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
-
-/* ok, its up. now, lets bind as the bind user so we can search it */
-if ($ldapanon == true) {
- if (!($res = @ldap_bind($ldap))) {
- syslog(LOG_WARNING, "user {$username} could not bind anonymously\n");
- ldap_close($ldap);
- exit(-3);
- }
-} else if (!($res = @ldap_bind($ldap, $ldapusername, $ldappassword))) {
- syslog(LOG_WARNING, "user {$username} could not authenticate with bind credentials\n");
- ldap_close($ldap);
- exit(-3);
-}
-
-$ldapous = explode(";", $ldapcfgou);
-$founddn = false;
-foreach ($ldapous as $ldapou) {
- if (!($search = ldap_search($ldap, $ldapou, $ldapfilter))) {
- syslog(LOG_WARNING, "Could not search the {$ldapou} in directory for user: {$username}");
- continue;
- }
-
- $userinfo = ldap_get_entries($ldap, $search);
- if ($userinfo['count'] < 1) {
- syslog(LOG_WARNING, "{$username} does not exist in {$ldapou}.");
- continue;
- } else if ($userinfo['count'] > 1) {
- syslog(LOG_WARNING, "{$username} matches more than one entry in {$ldapou}.");
- ldap_unbind($ldap);
- exit(-5);
- }
- $founddn = true;
- break;
-}
-
-if ($founddn == false) {
- syslog(LOG_WARNING, "{$username} could not authenticate.");
- ldap_unbind($ldap);
- exit(-4);
-}
-
-$usernamedn = $username;
-if (!strstr($username, "@") && !strstr($username, "\\"))
- $usernamedn .= $ldapbasedn;
-
-if (!($res = @ldap_bind($ldap, $username, $password)) &&
- !($res = @ldap_bind($ldap, $usernamedn, $password)) &&
- !($res = @ldap_bind($ldap, "{$ldapnameattr}={$username},{$ldapou}", $password))) {
- syslog(LOG_WARNING, "{$username} could not authenticate in {$ldapou}.");
- ldap_unbind($ldap);
- exit(-6);
-}
-
-syslog(LOG_WARNING, "user {$username} authenticated\n");
-
-ldap_unbind($ldap);
-
-exit(0);
-
-?>
diff --git a/etc/inc/openvpn.auth-radius.php b/etc/inc/openvpn.auth-radius.php
deleted file mode 100755
index 77f45da..0000000
--- a/etc/inc/openvpn.auth-radius.php
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/local/bin/php -f
-<?php
-/* $Id$ */
-/*
- openvpn.auth-radius.php
-
- Copyright (C) 2010 Ermal Luçi
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- pfSense_BUILDER_BINARIES:
- pfSense_MODULE: openvpn
-*/
-
-require_once("config.inc");
-require_once("system.inc");
-require_once("radius.inc");
-
-/* setup syslog logging */
-openlog("openvpn", LOG_ODELAY, LOG_AUTH);
-
-/* read data from environment */
-$username = getenv("username");
-$password = getenv("password");
-
-if (empty($username) || empty($password)) {
- syslog(LOG_ERR, "invalid user authentication environment");
- exit(-1);
-}
-
-/* Replaced by a sed with propper variables used below(server parameters). */
-//<template>
-
-$authcfg = system_get_authserver($authmode);
-$radsrv="{$authcfg['host']}";
-$radport="{$authcfg['radius_auth_port']}";
-$radsecret="{$authcfg['radius_secret']}";
-
-$rauth = new Auth_RADIUS_PAP($username, $password);
-/* Add server to our instance */
-$rauth->addServer($radsrv, $radport, $radsecret);
-
-if (!$rauth->start()) {
- syslog(LOG_ERROR, "ERROR! " . $rauth->getError());
- exit(-2);
-}
-
-/* Send request */
-$result = $rauth->send();
-if (PEAR::isError($result)) {
- syslog(LOG_WARNING, "Something went wrong trying to authenticate {$username}: " . $result->getMessage() . " \n");
- exit(-1);
-} else if ($result === true) {
- syslog(LOG_WARNING, "user {$username} authenticated\n");
-} else {
- syslog(LOG_WARNING, "user {$username} could not authenticate. \n");
- exit(-3);
-}
-
-// close OO RADIUS_AUTHENTICATION
-$rauth->close();
-
-exit(0);
-
-?>
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index 725b807..ecde6b6 100755
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -55,10 +55,21 @@ if (!$username || !$password) {
exit(-1);
}
-/* lookup user object by name */
-if (!local_backed($username, $password)) {
- syslog(LOG_WARNING, "user {$username} supplied an invalid password\n");
- exit(-2);
+/* Replaced by a sed with propper variables used below(ldap parameters). */
+//<template>
+
+$authenticated = false;
+foreach ($authmodes as $authmode) {
+ $authcfg = auth_get_authserver($authmode);
+ if (!$authcfg)
+ continue;
+
+ $authenticated = authenticate_user($username, $password, $authcfg);
+}
+
+if ($authenticated == false) {
+ syslog(LOG_WARNING, "user {$username} could not authenticate.\n");
+ exit(-1);
}
syslog(LOG_WARNING, "user {$username} authenticated\n");
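Review bot: The loop at `$authenticated = authenticate_user($username, $password, $authcfg);` overwrites the result on every iteration, so a user accepted by an earlier backend in `$authmodes` is rejected if a later backend says no, and a backend skipped by the `continue` silently keeps the previous iteration's verdict. Stop on the first success instead: `if (authenticate_user($username, $password, $authcfg)) { $authenticated = true; break; }`. The check `if ($authenticated == false)` should be `if (!$authenticated)` (or `=== false`), since authenticate_user's return type is not visible in this diff and a loose comparison would also treat `0`, `''` or `null` as failure only by accident. `$authmodes` only exists if the caller substitutes the `//<template>` marker; if that substitution fails the foreach runs on an undefined variable, emits a notice and the script exits `-1`, which at least fails closed.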
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index a62e01a..081e109 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -49,6 +49,7 @@
require_once('config.inc');
require_once("certs.inc");
require_once('pfsense-utils.inc');
+require_once("auth.inc");
$openvpn_prots = array("UDP", "TCP");
@@ -379,16 +380,19 @@ function openvpn_reconfigure($mode,& $settings) {
$conf .= "client-cert-not-required\n";
case 'server_tls_user':
$conf .= "username-as-common-name\n";
- if ($settings['authmode'] == "local")
- $conf .= "auth-user-pass-verify /etc/inc/openvpn.auth-user.php via-env\n";
- else {
- $authcfg = system_get_authserver($settings['authmode']);
- if ($authcfg) {
- mwexec("/bin/cat /etc/inc/openvpn.auth-{$authcfg['type']}.php | /usr/bin/sed 's/\/\/<template>/\$authmode=\"{$authcfg['name']}\";/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
- mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
- $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
- }
+ $authcfgs = explode(",", $settings['authmode']);
+ $sed = "\$authmodes=array(";
+ $firstsed = 0;
+ foreach ($authcfgs as $authcfg) {
+ if ($firstsed > 0)
+ $sed .= ",";
+ $firstsed = 1;
+ $sed .= "\"{$authcfg}\"";
}
+ $sed .= ");";
+ mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > {$g['varetc_path']}/openvpn/{$mode_id}.php");
+ mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
+ $conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn//{$mode_id}.php via-env\n";
break;
}
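Review bot: The `mwexec("/bin/cat ... | /usr/bin/sed 's/\/\/<template>/{$sed}/g' > ...")` line interpolates `$sed`, which is built from the auth server names in `$settings['authmode']`, into a single-quoted sed expression inside a shell command; a server name containing `'`, `/` or `&` (the names are set in the GUI and only checked elsewhere, if at all) breaks the sed pattern or escapes the shell quoting, and the generated verifier script then fails or runs with a different `$authmodes` than intended. Generating the file in PHP removes the shell round-trip entirely: `$tpl = file_get_contents("/etc/inc/openvpn.auth-user.php");`, `file_put_contents("{$g['varetc_path']}/openvpn/{$mode_id}.php", str_replace("//<template>", $sed, $tpl));`, `chmod("{$g['varetc_path']}/openvpn/{$mode_id}.php", 0755);`. The `$firstsed` loop that assembles `$sed` can be `$sed = '$authmodes=array("' . implode('","', $authcfgs) . '");'`, though the names should still be restricted to a safe character set before being written into PHP source. The `auth-user-pass-verify {$g['varetc_path']}/openvpn//{$mode_id}.php` path carries a stray double slash that the chmod line above it does not. openvpn_reconfigure begins outside this hunk.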
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 9a9598c..800abaa 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -1355,15 +1355,4 @@ function enable_watchdog() {
exec("/usr/sbin/watchdogd");
}
}
-
-function system_get_authserver($name) {
- global $config;
-
- if (is_array($config['system']['authserver'])) {
- foreach ($config['system']['authserver'] as $authcfg) {
- if ($authcfg['name'] == $name)
- return $authcfg;
- }
- }
-}
?>
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 8906d56..b7966d4 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -134,9 +134,9 @@ $ldap_templates = array(
'msad' => array(
'desc' => "Microsoft AD",
- 'attr_user' => "samAccountNAme",
+ 'attr_user' => "samAccountName",
'attr_group' => "cn",
- 'attr_member' => "member"),
+ 'attr_member' => "memberOf"),
'edir' => array(
'desc' => "Novell eDirectory",
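Review bot: Changing the MS AD template's `attr_member` from `member` to `memberOf` inverts which entry holds the attribute: `member` is read from the group entry and lists its users, `memberOf` is read from the user entry and lists its groups. The code that consumes `attr_member` is not in this diff, so whether it now queries the user object rather than the group object cannot be confirmed here; if it still searches group entries for `memberOf`, group lookups for AD will return nothing. The remaining entries in `$ldap_templates` should be checked for the same attribute direction so that one consumer handles all templates consistently.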
diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php
index edf2e0a..461328a 100644
--- a/usr/local/www/system_authservers.php
+++ b/usr/local/www/system_authservers.php
@@ -81,6 +81,7 @@ if ($act == "edit") {
$pconfig['ldap_protver'] = $a_server[$id]['ldap_protver'];
$pconfig['ldap_scope'] = $a_server[$id]['ldap_scope'];
$pconfig['ldap_basedn'] = $a_server[$id]['ldap_basedn'];
+ $pconfig['ldap_authcn'] = $a_server[$id]['ldap_authcn'];
$pconfig['ldap_binddn'] = $a_server[$id]['ldap_binddn'];
$pconfig['ldap_bindpw'] = $a_server[$id]['ldap_bindpw'];
$pconfig['ldap_attr_user'] = $a_server[$id]['ldap_attr_user'];
@@ -135,11 +136,11 @@ if ($_POST) {
if ($pconfig['type'] == "ldap") {
$reqdfields = explode(" ", "name type ldap_host ldap_port ".
"ldap_urltype ldap_protver ldap_scope ldap_basedn ".
- "ldap_attr_user ldap_attr_group ldap_attr_member");
+ "ldap_attr_user ldap_attr_group ldap_attr_member ldapauthcontainers");
$reqdfieldsn = explode(",", "Descriptive name,Type,Hostname or IP,".
"Port value,Transport,Protocol version,Search level,".
"Search Base DN,User naming Attribute,".
- "Group naming Attribute,Group member attribute");
+ "Group naming Attribute,Group member attribute,Authentication container");
if (!$pconfig['ldap_anon']) {
$reqdfields[] = "ldap_binddn";
@@ -200,6 +201,7 @@ if ($_POST) {
$server['ldap_protver'] = $pconfig['ldap_protver'];
$server['ldap_scope'] = $pconfig['ldap_scope'];
$server['ldap_basedn'] = $pconfig['ldap_basedn'];
+ $server['ldap_authcn'] = $pconfig['ldapauthcontainers'];
$server['ldap_attr_user'] = $pconfig['ldap_attr_user'];
$server['ldap_attr_group'] = $pconfig['ldap_attr_group'];
$server['ldap_attr_member'] = $pconfig['ldap_attr_member'];
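Review bot: The new setting is stored under two names: the edit path at the first hunk fills `$pconfig['ldap_authcn']`, while the save line `$server['ldap_authcn'] = $pconfig['ldapauthcontainers'];` and the `ldapauthcontainers` entry added to `$reqdfields` read the POST field name. If `$pconfig` is simply `$_POST` on submit, as is the convention elsewhere in these pages, a validation failure redisplays the form with `value="<?=htmlspecialchars($pconfig['ldap_authcn']);?>"` empty and the containers the user typed are lost. Either name the input `ldap_authcn` throughout (including `$reqdfields` and the picker's `opener.document.forms[0].ldapauthcontainers`), or copy it once before validation: `$pconfig['ldap_authcn'] = $pconfig['ldapauthcontainers'];`.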
@@ -469,6 +471,24 @@ function radius_srvcschange(){
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Authentication containers");?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="2">
+ <tr>
+ <td>Containers: &nbsp;</td>
+ <td>
+ <input name="ldapauthcontainers" type="text" class="formfld unknown" id="ldapauthcontainers" size="40" value="<?=htmlspecialchars($pconfig['ldap_authcn']);?>"/>
+ <input type="button" onClick="javascript:if(openwindow('system_usermanager_settings_ldapacpicker.php') == false) alert('Popup blocker detected. Action aborted.');" value="Select">
+ <br />NOTE: Semi-Colon separated. This will be prepended to the search base dn above or you can specify full container path.
+ <br />EXAMPLE: CN=Users;DC=example
+ <br />EXAMPLE: CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com
+ </td>
+ </tr>
+ </table>
+
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Bind credentials");?></td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="2">
@@ -658,6 +678,13 @@ function radius_srvcschange(){
<?php include("fend.inc");?>
<script type="text/javascript">
<!--
+function openwindow(url) {
+ var oWin = window.open(url,"pfSensePop","width=620,height=400,top=150,left=150");
+ if (oWin==null || typeof(oWin)=="undefined")
+ return false;
+ else
+ return true;
+}
server_typechange('<?=$pconfig['type'];?>');
<?php if (!isset($id) || $pconfig['type'] == "ldap"): ?>
ldap_bindchange();
diff --git a/usr/local/www/system_usermanager_settings_ldapacpicker.php b/usr/local/www/system_usermanager_settings_ldapacpicker.php
index 52953b0..891b146 100644
--- a/usr/local/www/system_usermanager_settings_ldapacpicker.php
+++ b/usr/local/www/system_usermanager_settings_ldapacpicker.php
@@ -36,24 +36,23 @@ require("priv.defs.inc");
require("priv.inc");
if($_POST) {
- print_r($_POST);
- $ous = ldap_get_user_ous(true);
- $values = "";
- $isfirst = true;
- foreach($ous as $ou) {
- if(in_array($ou, $_POST['ou'])) {
- if($isfirst == false)
- $values .= ";";
- $isfirst = false;
- $values .= $ou;
- }
- }
- echo "<script language=\"JavaScript\">\n";
- echo "<!--\n";
- echo " opener.document.forms[0].ldapauthcontainers.value='$values'\n";
- echo " this.close();\n";
- echo "-->\n";
- echo "</script>\n";
+ $ous = ldap_get_user_ous(true);
+ $values = "";
+ $isfirst = true;
+ foreach($ous as $ou) {
+ if(in_array($ou, $_POST['ou'])) {
+ if($isfirst == false)
+ $values .= ";";
+ $isfirst = false;
+ $values .= $ou;
+ }
+ }
+ echo "<script language=\"JavaScript\">\n";
+ echo "<!--\n";
+ echo " opener.document.forms[0].ldapauthcontainers.value='$values'\n";
+ echo " this.close();\n";
+ echo "-->\n";
+ echo "</script>\n";
}
?>
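Review bot: `in_array($ou, $_POST['ou'])` assumes the `ou` parameter is an array; submitting the picker with nothing checked (or with a scalar `ou`) makes in_array emit a warning on every iteration, and the loose comparison should pass `true` as the third argument. The selected OUs are then written into a single-quoted JavaScript literal via `'$values'`; a DN containing `'` or `\` (both legal in DNs, and `$ou` comes from whatever ldap_get_user_ous returns from the directory, not from this page) breaks the script or changes what is assigned to the opener's field. Encode the value instead: `echo " opener.document.forms[0].ldapauthcontainers.value=" . json_encode($values) . "\n";`, and guard the input with `$chosen = isset($_POST['ou']) && is_array($_POST['ou']) ? $_POST['ou'] : array();` before the loop. The rest of this hunk is re-indentation plus the removal of the `print_r($_POST)` debug output.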
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index c58942f..87328e0 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -265,7 +265,7 @@ if ($_POST) {
if ($_POST['disable'] == "yes")
$server['disable'] = true;
$server['mode'] = $pconfig['mode'];
- $server['authmode'] = $pconfig['authmode'];
+ $server['authmode'] = implode(",", $pconfig['authmode']);
$server['protocol'] = $pconfig['protocol'];
list($server['interface'], $server['ipaddr']) = explode ("|",$pconfig['interface']);
$server['local_port'] = $pconfig['local_port'];
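Review bot: `$server['authmode'] = implode(",", $pconfig['authmode']);` assumes the multi-select posted an array; when nothing is selected the field is absent from the POST, implode is called on null and an empty `authmode` is saved, after which openvpn.inc generates a verifier with `$authmodes=array("")` for a server that requires username authentication. The same assumption is made by `$pconfig['authmode'] = implode(",", $pconfig['authmode']);` in the second hunk. Add a validation step in the POST handler for the modes that use `auth-user-pass-verify` (`server_tls_user` is visible in openvpn.inc; the others are not in this diff), e.g. `if (!is_array($pconfig['authmode']) || count($pconfig['authmode']) == 0) $input_errors[] = gettext("Select at least one authentication backend.");`, using the page's existing input-error array. In the third hunk the two `in_array(...)` calls on `$authmodes` should pass `true` as the strict flag, and `multiple="true"` is not a valid attribute value; use `multiple="multiple"`.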
@@ -338,6 +338,7 @@ if ($_POST) {
header("Location: vpn_openvpn_server.php");
exit;
}
+ $pconfig['authmode'] = implode(",", $pconfig['authmode']);
}
include("head.inc");
@@ -545,12 +546,13 @@ function netbios_change() {
<tr id="authmodetr" style="display:none">
<td width="22%" valign="top" class="vncellreq"><?=gettext("Backend for authentication");?></td>
<td width="78%" class="vtable">
- <select name='authmode' id='authmode' class="formselect">
- <option value="local" <?php if ($pconfig['authmode'] == "local") echo "selected";?>>Local authentication database</option>
+ <select name='authmode[]' id='authmode' class="formselect" multiple="true" size="<?php echo count($auth_servers) + 1; ?>">
+ <?php $authmodes = explode(",", $pconfig['authmode']); ?>
+ <option value="local" <?php if (in_array("local", $authmodes)) echo "selected";?>>Local authentication database</option>
<?php
foreach ($auth_servers as $auth_server):
$selected = "";
- if ($pconfig['authmode'] == $auth_server['name'])
+ if (in_array($auth_server['name'], $authmodes))
$selected = "selected";
?>
<option value="<?=$auth_server['name'];?>" <?=$selected;?>><?=$auth_server['name'];?></option>