euclide
/
openvpn-mgt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

basic ldap auth algorithm

This commit is contained in:
Xavier Henner 2019-07-09 01:44:18 +02:00
parent dd38706b0b
commit 29efc7be3f
3 changed files with 106 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
main.go
View File

@ -5,14 +5,14 @@ import (
"log" "log"
"log/syslog" "log/syslog"
"os" "os"
"strings"
"github.com/pyke369/golang-support/uconfig" "github.com/pyke369/golang-support/uconfig"
) )
var config *uconfig.UConfig
func main() { func main() {
var err error var err error
var config *uconfig.UConfig
// default configuration file is ./openvpn-dm-mgt-server.conf // default configuration file is ./openvpn-dm-mgt-server.conf
configFile := flag.String("config", "openvpn-dm-mgt-server.conf", "configuration file") configFile := flag.String("config", "openvpn-dm-mgt-server.conf", "configuration file")
logToSyslog := flag.Bool("syslog", false, "Log to syslog") logToSyslog := flag.Bool("syslog", false, "Log to syslog")
@ -47,6 +47,27 @@ func main() {
} }
} }
for _, profile := range config.GetPaths("config.profiles") {
profileName := strings.Split(profile, ".")[2]
ldapConf := ldapConfig{
servers: parseConfigArray(config, profile+".servers"),
baseDN: config.GetString(profile+".baseDN", ""),
bindCn: config.GetString(profile+".bindCn", ""),
bindPw: config.GetString(profile+".bindPw", ""),
searchFilter: config.GetString(profile+".searchFilter", ""),
primaryAttribute: config.GetString(profile+".primaryAttribute", ""),
secondaryAttribute: config.GetString(profile+".secondaryAttribute", ""),
validGroups: parseConfigArray(config, profile+".validGroups"),
otpType: config.GetString(profile+".otp", ""),
certAuth: config.GetString(profile+".cert", "optionnal"),
upgradeFrom: config.GetString(profile+".upgradeFrom", ""),
}
ldapConf.addIPRange(config.GetString(profile+".IPRange", ""))
server.ldap[profileName] = ldapConf
}
// time to start the listeners
go server.Run() go server.Run()
NewHTTPServer( NewHTTPServer(
config.GetString("config.httpPort", "127.0.0.01:8080"), config.GetString("config.httpPort", "127.0.0.01:8080"),

83
openvpn.go
View File

@ -18,6 +18,7 @@ type OpenVpnMgt struct {
connected bool connected bool
m sync.RWMutex m sync.RWMutex
ret chan []string ret chan []string
ldap map[string]ldapConfig
authCa string authCa string
vpnlogUrl string vpnlogUrl string
mailRelay string mailRelay string
@ -36,6 +37,7 @@ func NewVPNServer(port string) *OpenVpnMgt {
return &OpenVpnMgt{ return &OpenVpnMgt{
Port: port, Port: port,
ret: make(chan []string), ret: make(chan []string),
ldap: make(map[string]ldapConfig),
} }
} }
@ -66,6 +68,77 @@ func (s *OpenVpnMgt) Run() {
} }
} }
func (s *OpenVpnMgt) TokenPassword(c *vpnSession) bool {
return false
}
func (s *OpenVpnMgt) Auth(c *vpnSession) (error, bool) {
// an empty password is not good
if c.password == "" {
return nil, false
}
// check if the password is a valid token validated for TOTP 2FA
tokenPassword := s.TokenPassword(c)
// If this is the case, empty the password to avoid checking it against the
// ldap server
if tokenPassword {
c.password = ""
}
c.Profile = ""
login := []string{c.Login}
pass := c.password
for {
n := c.Profile
for k, ldap := range s.ldap {
if ldap.upgradeFrom != c.Profile {
continue
}
log.Printf("try %s with login %s\n", k, login)
err, userOk, passOk, secondary := ldap.Auth(login, pass)
// if there is an error, try the other configurations
if err != nil {
log.Println(err)
continue
}
// we did find a valid User
if userOk {
// the login for the new auth level is given by the current one
login = secondary
if c.Mail == "" {
c.Mail = secondary[0]
}
if passOk && c.Profile != "" {
// it's at least the second auth level, and we have a valid
// password on 2 different auth system. It's a dupplicate
// password, let's log it
log.Printf("User %s has a dupplicate password\n", c.Login)
}
// we have either a positive auth ok a previous valid one
if passOk || c.Profile != "" || tokenPassword {
c.Profile = k
}
}
}
if n == c.Profile {
break
}
}
log.Println(c)
log.Println(s.ldap[c.Profile])
return nil, false
}
func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) { func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) {
if !s.connected { if !s.connected {
return errors.New("No openvpn server present"), nil return errors.New("No openvpn server present"), nil
@ -115,6 +188,16 @@ func (s *OpenVpnMgt) ClientConnect(line string) {
client.ParseEnv(&infos) client.ParseEnv(&infos)
err, ok := s.Auth(client)
if err != nil {
log.Println(err)
}
if ok {
log.Println("auth ok")
}
// err, msg := s.sendCommand([]string{fmt.Sprintf("client-deny %d %d \"Need OTP\" \"CRV1:R:blabla:eC5oZW5uZXI=:OTP Code \"", client.cID, client.kID)}) // err, msg := s.sendCommand([]string{fmt.Sprintf("client-deny %d %d \"Need OTP\" \"CRV1:R:blabla:eC5oZW5uZXI=:OTP Code \"", client.cID, client.kID)})
// if err != nil { // if err != nil {
// return // return

1
vpnsession.go
View File

@ -106,7 +106,6 @@ func (c *vpnSession) ParseEnv(infos *[]string) {
c.dev = p[1] c.dev = p[1]
} }
} }
} }
func (c *vpnSession) String() string { func (c *vpnSession) String() string {