diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/auth.inc | 48 | ||||
| -rwxr-xr-x | etc/inc/openvpn.auth-user.php | 7 |
2 files changed, 44 insertions, 11 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index e284943..e93bf02 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -627,8 +627,10 @@ function ldap_test_connection($authcfg) { if(!$ldapserver) return false; + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -644,6 +646,34 @@ function ldap_test_connection($authcfg) { return true; } +function ldap_setup_caenv($authcfg) { + global $g; + + unset($caref); + if (empty($authcfg['ldap_cacert']) || !strstr($authcfg['ldap_urltype'], "SSL")) { + putenv('LDAPTLS_REQCERT=never'); + return; + } else { + $caref = lookup_ca($authcfg['ldap_cacert']); + if (!$caref) { + log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_cacert'])); + /* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */ + putenv('LDAPTLS_REQCERT=hard'); + return; + } + if (!is_dir("{$g['varrun_path']}/certs")) + @mkdir("{$g['varrun_path']}/certs"); + if (file_exists("{$g['varrun_path']}/certs/{$authcfg['name']}.ca")) + @unlink("{$g['varrun_path']}/certs/{$authcfg['name']}.ca"); + file_put_contents("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", base64_decode($caref['crt'])); + @chmod("{$g['varrun_path']}/certs/{$authcfg['name']}.ca", 0600); + putenv('LDAPTLS_REQCERT=hard'); + /* XXX: Probably even the hashed link should be created for this? */ + putenv("TLS_CACERTDIR={$g['varrun_path']}/certs"); + putenv("TLS_CACERT={$g['varrun_path']}/certs/{$authcfg['name']}.ca"); + } +} + function ldap_test_bind($authcfg) { global $debug, $config, $g; @@ -669,8 +699,10 @@ function ldap_test_bind($authcfg) { if(!$ldapserver) return false; + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -736,8 +768,10 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) { return $ous; } + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -847,8 +881,10 @@ function ldap_get_groups($username, $authcfg) { $ldapgroupattribute = strtolower($ldapgroupattribute); $memberof = array(); + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* connect and see if server is up */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) @@ -967,8 +1003,10 @@ function ldap_backed($username, $passwd, $authcfg) { ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver); + /* Setup CA environment if needed. */ + ldap_setup_caenv($authcfg); + /* Make sure we can connect to LDAP */ - putenv('LDAPTLS_REQCERT=never'); $error = false; if (empty($ldapport)) { if (!($ldap = ldap_connect($ldapserver))) diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php index 35d79cd..d36b5ff 100755 --- a/etc/inc/openvpn.auth-user.php +++ b/etc/inc/openvpn.auth-user.php @@ -96,11 +96,6 @@ if (!$username || !$password) { /* Replaced by a sed with propper variables used below(ldap parameters). */ //<template> -if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) { - putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca"); - putenv("LDAPTLS_REQCERT=never"); -} - $authenticated = false; if (($strictusercn === true) && ($common_name != $username)) { @@ -127,4 +122,4 @@ syslog(LOG_WARNING, "user {$username} authenticated\n"); exit(0); -?>
\ No newline at end of file +?> |
