Project

General

Profile

Download (4.06 KB) Statistics
| Branch: | Tag: | Revision:
1
#!/usr/local/bin/php -f
2
<?php
3
/*
4
    ipsec.auth-user.php
5

    
6
    Copyright (C) 2008 Shrew Soft Inc
7
    Copyright (C) 2010 Ermal Lu?i
8
    All rights reserved.
9

    
10
    Redistribution and use in source and binary forms, with or without
11
    modification, are permitted provided that the following conditions are met:
12

    
13
    1. Redistributions of source code must retain the above copyright notice,
14
       this list of conditions and the following disclaimer.
15

    
16
    2. Redistributions in binary form must reproduce the above copyright
17
       notice, this list of conditions and the following disclaimer in the
18
       documentation and/or other materials provided with the distribution.
19

    
20
    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
21
    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
22
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
24
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29
    POSSIBILITY OF SUCH DAMAGE.
30

    
31
	DISABLE_PHP_LINT_CHECKING
32
*/
33
/*
34
	pfSense_BUILDER_BINARIES:	
35
	pfSense_MODULE:	openvpn
36
*/
37
/*
38
 * racoon calls this script to authenticate a user
39
 * based on a username and password. We lookup these
40
 * in our config.xml file and check the credentials.
41
 */
42

    
43
require_once("globals.inc");
44
require_once("config.inc");
45
require_once("radius.inc");
46
require_once("auth.inc");
47
require_once("interfaces.inc");
48

    
49
/**
50
 * Get the NAS-Identifier
51
 *
52
 * We will use our local hostname to make up the nas_id
53
 */
54
if (!function_exists("getNasID")) {
55
function getNasID()
56
{
57
    global $g;
58

    
59
    $nasId = "";
60
    exec("/bin/hostname", $nasId);
61
    if(!$nasId[0])
62
        $nasId[0] = "{$g['product_name']}";
63
    return $nasId[0];
64
}
65
}
66

    
67
/**
68
 * Get the NAS-IP-Address based on the current wan address
69
 *
70
 * Use functions in interfaces.inc to find this out
71
 *
72
 */
73
if (!function_exists("getNasIP")) {
74
function getNasIP()
75
{
76
    $nasIp = get_interface_ip();
77
    if(!$nasIp)
78
        $nasIp = "0.0.0.0";
79
    return $nasIp;
80
}
81
}
82
/* setup syslog logging */
83
openlog("racoon", LOG_ODELAY, LOG_AUTH);
84

    
85
/* read data from environment */
86
$username = getenv("username");
87
$password = getenv("password");
88
$common_name = getenv("common_name");
89

    
90
if (!$username || !$password) {
91
	syslog(LOG_ERR, "invalid user authentication environment");
92
	exit(-1);
93
}
94

    
95
/* Replaced by a sed with propper variables used below(ldap parameters). */
96
//<template>
97

    
98
if (file_exists("{$g['varetc_path']}/ipsec/{$modeid}.ca")) {
99
	//putenv("LDAPTLS_CACERT={$g['varetc_path']}/ipsec/{$ikeid}.crt");
100
	putenv("LDAPTLS_CACERTDIR={$g['varetc_path']}/ipsec");
101
	putenv("LDAPTLS_REQCERT=never");
102
}
103

    
104
$authenticated = false;
105

    
106
if (($strictusercn === true) && ($common_name != $username)) {
107
	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
108
	exit(1);
109
}
110

    
111
$attributes = array();
112
foreach ($authmodes as $authmode) {
113
	$authcfg = auth_get_authserver($authmode);
114
	if (!$authcfg && $authmode != "local")
115
		continue;
116

    
117
	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
118
	if ($authenticated == true) {
119
		if (stristr($authmode, "local")) {
120
			$user = getUserEntry($username); 
121
			if (!is_array($user) || !userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
122
				$authenticated = false;
123
				syslog(LOG_WARNING, "user '{$username}' cannot authenticate through IPSec since the required privileges are missing.\n");
124
				continue;
125
			}
126
		}
127
		break;
128
	}
129
}
130

    
131
if ($authenticated == false) {
132
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
133
	exit(-1);
134
}
135

    
136
if (file_exists("/etc/inc/ipsec.attributes.php"))
137
        include_once("/etc/inc/ipsec.attributes.php");
138
        
139
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
140

    
141
exit(0);
142

    
143
?>
(28-28/68)