/etc/inc/openvpn.auth-user.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/etc/inc/openvpn.auth-user.php @ 72b4a1e8

1	3c11bd3c	Matthew Grooms	#!/usr/local/bin/php -f
2			<?php
3			/* $Id$ */
4			/*
5			openvpn.auth-user.php
6
7			Copyright (C) 2008 Shrew Soft Inc
8	8a6b0fbe	Ermal Lu?i	Copyright (C) 2010 Ermal Lu?i
9	3c11bd3c	Matthew Grooms	All rights reserved.
10
11			Redistribution and use in source and binary forms, with or without
12			modification, are permitted provided that the following conditions are met:
13
14			1. Redistributions of source code must retain the above copyright notice,
15			this list of conditions and the following disclaimer.
16
17			2. Redistributions in binary form must reproduce the above copyright
18			notice, this list of conditions and the following disclaimer in the
19			documentation and/or other materials provided with the distribution.
20
21			THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
22			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
23			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
24			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
25			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30			POSSIBILITY OF SUCH DAMAGE.
31	1f5309a3	Matthew Grooms
32			DISABLE_PHP_LINT_CHECKING
33	3c11bd3c	Matthew Grooms	*/
34	523855b0	Scott Ullrich	/*
35			pfSense_BUILDER_BINARIES:
36			pfSense_MODULE: openvpn
37			*/
38	3c11bd3c	Matthew Grooms	/*
39			* OpenVPN calls this script to authenticate a user
40			* based on a username and password. We lookup these
41			* in our config.xml file and check the credentials.
42			*/
43
44	befad728	Ermal	require_once("globals.inc");
45	3c11bd3c	Matthew Grooms	require_once("config.inc");
46	cc686d98	Ermal Lu?i	require_once("radius.inc");
47	a13ce628	Ermal Lu?i	require_once("auth.inc");
48	cc686d98	Ermal Lu?i	require_once("interfaces.inc");
49	3c11bd3c	Matthew Grooms
50	cc686d98	Ermal Lu?i	/**
51			* Get the NAS-Identifier
52			*
53			* We will use our local hostname to make up the nas_id
54			*/
55			if (!function_exists("getNasID")) {
56			function getNasID()
57			{
58			global $g;
59
60			$nasId = "";
61			exec("/bin/hostname", $nasId);
62			if(!$nasId[0])
63			$nasId[0] = "{$g['product_name']}";
64			return $nasId[0];
65			}
66			}
67
68			/**
69			* Get the NAS-IP-Address based on the current wan address
70			*
71			* Use functions in interfaces.inc to find this out
72			*
73			*/
74			if (!function_exists("getNasIP")) {
75			function getNasIP()
76			{
77			$nasIp = get_interface_ip();
78			if(!$nasIp)
79			$nasIp = "0.0.0.0";
80			return $nasIp;
81			}
82			}
83	3c11bd3c	Matthew Grooms	/* setup syslog logging */
84			openlog("openvpn", LOG_ODELAY, LOG_AUTH);
85
86	0c8d2763	Chris Buechler	/* read data from environment */
87			$username = getenv("username");
88			$password = getenv("password");
89	8901958c	jim-p	$common_name = getenv("common_name");
90	3c11bd3c	Matthew Grooms
91			if (!$username \|\| !$password) {
92	1f5309a3	Matthew Grooms	syslog(LOG_ERR, "invalid user authentication environment");
93	3c11bd3c	Matthew Grooms	exit(-1);
94			}
95
96	c61e4626	Ermal Lu?i	/* Replaced by a sed with propper variables used below(ldap parameters). */
97			//<template>
98
99	1492e02c	Ermal	if (file_exists("{$g['varetc_path']}/openvpn/{$modeid}.ca")) {
100			putenv("LDAPTLS_CACERT={$g['varetc_path']}/openvpn/{$modeid}.ca");
101			putenv("LDAPTLS_REQCERT=never");
102			}
103
104	c61e4626	Ermal Lu?i	$authenticated = false;
105	8901958c	jim-p
106			if (($strictusercn === true) && ($common_name != $username)) {
107			syslog(LOG_WARNING, "Username does not match certificate common name ({$username} != {$common_name}), access denied.\n");
108			exit(1);
109			}
110
111	1492e02c	Ermal	$attributes = array();
112	c61e4626	Ermal Lu?i	foreach ($authmodes as $authmode) {
113			$authcfg = auth_get_authserver($authmode);
114	006a162f	Ermal Lu?i	if (!$authcfg && $authmode != "local")
115	c61e4626	Ermal Lu?i	continue;
116
117	1492e02c	Ermal	$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
118	006a162f	Ermal Lu?i	if ($authenticated == true)
119			break;
120	c61e4626	Ermal Lu?i	}
121
122			if ($authenticated == false) {
123	3260b82f	Ermal	syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
124	c61e4626	Ermal Lu?i	exit(-1);
125	3c11bd3c	Matthew Grooms	}
126
127	1492e02c	Ermal	if (file_exists("/etc/inc/openvpn.attributes.php"))
128			include_once("/etc/inc/openvpn.attributes.php");
129
130			$content = "";
131			if (is_array($attributes['dns-servers'])) {
132			foreach ($attributes['dns-servers'] as $dnssrv) {
133			if (is_ipaddr($dnssrv))
134			$content .= "push \"dhcp-option DNS {$dnssrv}\"\n";
135			}
136			}
137			if (is_array($attributes['routes'])) {
138			foreach ($attributes['routes'] as $route)
139			$content .= "push \"route {$route} vpn_gateway\"\n";
140			}
141
142			if (isset($attributes['framed_ip'])) {
143			/* XXX: only use when TAP windows driver >= 8.2.x */
144			/* if (isset($attributes['framed_mask'])) {
145			$content .= "topology subnet\n";
146			$content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
147			} else {
148			*/
149			$content .= "topology net30\n";
150			$content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) + 1));
151			// }
152			}
153
154			if (!empty($content))
155			@file_put_contents("{$g['tmp_path']}/{$username}", $content);
156
157	3260b82f	Ermal	syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
158	a13ce628	Ermal Lu?i
159	3c11bd3c	Matthew Grooms	exit(0);
160
161	fe2031ab	Ermal	?>

Project

General

Profile

pfSense