Project

General

Profile

Download (4.68 KB) Statistics
| Branch: | Tag: | Revision:
1
#!/usr/local/bin/php -f
2
<?php
3
/* $Id$ */
4
/*
5
    openvpn.auth-user.php
6

    
7
    Copyright (C) 2008 Shrew Soft Inc
8
    Copyright (C) 2010 Ermal Lu?i
9
    All rights reserved.
10

    
11
    Redistribution and use in source and binary forms, with or without
12
    modification, are permitted provided that the following conditions are met:
13

    
14
    1. Redistributions of source code must retain the above copyright notice,
15
       this list of conditions and the following disclaimer.
16

    
17
    2. Redistributions in binary form must reproduce the above copyright
18
       notice, this list of conditions and the following disclaimer in the
19
       documentation and/or other materials provided with the distribution.
20

    
21
    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
22
    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
23
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
25
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30
    POSSIBILITY OF SUCH DAMAGE.
31

    
32
	DISABLE_PHP_LINT_CHECKING
33
*/
34
/*
35
	pfSense_BUILDER_BINARIES:	
36
	pfSense_MODULE:	openvpn
37
*/
38
/*
39
 * OpenVPN calls this script to authenticate a user
40
 * based on a username and password. We lookup these
41
 * in our config.xml file and check the credentials.
42
 */
43

    
44
require_once("globals.inc");
45
require_once("config.inc");
46
require_once("radius.inc");
47
require_once("auth.inc");
48
require_once("interfaces.inc");
49

    
50
/**
51
 * Get the NAS-Identifier
52
 *
53
 * We will use our local hostname to make up the nas_id
54
 */
55
if (!function_exists("getNasID")) {
56
function getNasID()
57
{
58
    global $g;
59

    
60
    $nasId = "";
61
    exec("/bin/hostname", $nasId);
62
    if(!$nasId[0])
63
        $nasId[0] = "{$g['product_name']}";
64
    return $nasId[0];
65
}
66
}
67

    
68
/**
69
 * Get the NAS-IP-Address based on the current wan address
70
 *
71
 * Use functions in interfaces.inc to find this out
72
 *
73
 */
74
if (!function_exists("getNasIP")) {
75
function getNasIP()
76
{
77
    $nasIp = get_interface_ip();
78
    if(!$nasIp)
79
        $nasIp = "0.0.0.0";
80
    return $nasIp;
81
}
82
}
83
/* setup syslog logging */
84
openlog("openvpn", LOG_ODELAY, LOG_AUTH);
85

    
86
/* read data from environment */
87
$username = getenv("username");
88
$password = getenv("password");
89
$common_name = getenv("common_name");
90

    
91
if (!$username || !$password) {
92
	syslog(LOG_ERR, "invalid user authentication environment");
93
	exit(-1);
94
}
95

    
96
/* Replaced by a sed with propper variables used below(ldap parameters). */
97
//<template>
98

    
99
if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) {
100
	putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca");
101
	putenv("LDAPTLS_REQCERT=never");
102
}
103

    
104
$authenticated = false;
105

    
106
if (($strictusercn === true) && ($common_name != $username)) {
107
	syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
108
	exit(1);
109
}
110

    
111
$attributes = array();
112
foreach ($authmodes as $authmode) {
113
	$authcfg = auth_get_authserver($authmode);
114
	if (!$authcfg && $authmode != "local")
115
		continue;
116

    
117
	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
118
	if ($authenticated == true)
119
		break;
120
}
121

    
122
if ($authenticated == false) {
123
	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
124
	exit(-1);
125
}
126

    
127
if (file_exists("/etc/inc/openvpn.attributes.php"))
128
        include_once("/etc/inc/openvpn.attributes.php");
129
        
130
$content = "";
131
if (is_array($attributes['dns-servers'])) {
132
        foreach ($attributes['dns-servers'] as $dnssrv) {
133
                if (is_ipaddr($dnssrv))
134
                        $content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
135
        }
136
}
137
if (is_array($attributes['routes'])) {
138
        foreach ($attributes['routes'] as $route)
139
                        $content .= "push \"route {$route} vpn_gateway\"\n";
140
}
141

    
142
if (isset($attributes['framed_ip'])) {
143
/* XXX: only use when TAP windows driver >= 8.2.x */
144
/*      if (isset($attributes['framed_mask'])) {
145
                $content .= "topology subnet\n";
146
                $content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
147
        } else {
148
*/
149
                $content .= "topology net30\n";
150
                $content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) + 1));
151
//      }
152
}
153
    
154
if (!empty($content))
155
        @file_put_contents("{$g['tmp_path']}/{$username}", $content);
156

    
157
syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
158

    
159
exit(0);
160

    
161
?>
(37-37/68)