basic ldap auth algorithm
83
openvpn.go
83
openvpn.go
@@ -18,6 +18,7 @@ type OpenVpnMgt struct {
|
||||
connected bool
|
||||
m sync.RWMutex
|
||||
ret chan []string
|
||||
ldap map[string]ldapConfig
|
||||
authCa string
|
||||
vpnlogUrl string
|
||||
mailRelay string
|
||||
@@ -36,6 +37,7 @@ func NewVPNServer(port string) *OpenVpnMgt {
|
||||
return &OpenVpnMgt{
|
||||
Port: port,
|
||||
ret: make(chan []string),
|
||||
ldap: make(map[string]ldapConfig),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -66,6 +68,77 @@ func (s *OpenVpnMgt) Run() {
|
||||
}
|
||||
}
|
||||
|
||||
func (s *OpenVpnMgt) TokenPassword(c *vpnSession) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
func (s *OpenVpnMgt) Auth(c *vpnSession) (error, bool) {
|
||||
// an empty password is not good
|
||||
if c.password == "" {
|
||||
return nil, false
|
||||
}
|
||||
|
||||
// check if the password is a valid token validated for TOTP 2FA
|
||||
tokenPassword := s.TokenPassword(c)
|
||||
// If this is the case, empty the password to avoid checking it against the
|
||||
// ldap server
|
||||
if tokenPassword {
|
||||
c.password = ""
|
||||
}
|
||||
|
||||
c.Profile = ""
|
||||
login := []string{c.Login}
|
||||
pass := c.password
|
||||
|
||||
for {
|
||||
n := c.Profile
|
||||
for k, ldap := range s.ldap {
|
||||
if ldap.upgradeFrom != c.Profile {
|
||||
continue
|
||||
}
|
||||
log.Printf("try %s with login %s\n", k, login)
|
||||
|
||||
err, userOk, passOk, secondary := ldap.Auth(login, pass)
|
||||
|
||||
// if there is an error, try the other configurations
|
||||
if err != nil {
|
||||
log.Println(err)
|
||||
continue
|
||||
}
|
||||
|
||||
// we did find a valid User
|
||||
if userOk {
|
||||
// the login for the new auth level is given by the current one
|
||||
login = secondary
|
||||
|
||||
if c.Mail == "" {
|
||||
c.Mail = secondary[0]
|
||||
}
|
||||
|
||||
if passOk && c.Profile != "" {
|
||||
// it's at least the second auth level, and we have a valid
|
||||
// password on 2 different auth system. It's a dupplicate
|
||||
// password, let's log it
|
||||
log.Printf("User %s has a dupplicate password\n", c.Login)
|
||||
}
|
||||
|
||||
// we have either a positive auth ok a previous valid one
|
||||
if passOk || c.Profile != "" || tokenPassword {
|
||||
c.Profile = k
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if n == c.Profile {
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
log.Println(c)
|
||||
log.Println(s.ldap[c.Profile])
|
||||
return nil, false
|
||||
}
|
||||
|
||||
func (s *OpenVpnMgt) sendCommand(msg []string) (error, []string) {
|
||||
if !s.connected {
|
||||
return errors.New("No openvpn server present"), nil
|
||||
@@ -115,6 +188,16 @@ func (s *OpenVpnMgt) ClientConnect(line string) {
|
||||
|
||||
client.ParseEnv(&infos)
|
||||
|
||||
err, ok := s.Auth(client)
|
||||
|
||||
if err != nil {
|
||||
log.Println(err)
|
||||
}
|
||||
|
||||
if ok {
|
||||
log.Println("auth ok")
|
||||
}
|
||||
|
||||
// err, msg := s.sendCommand([]string{fmt.Sprintf("client-deny %d %d \"Need OTP\" \"CRV1:R:blabla:eC5oZW5uZXI=:OTP Code \"", client.cID, client.kID)})
|
||||
// if err != nil {
|
||||
// return
|
||||
|
||||
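Review bot: `log.Println(c)` at the end of Auth writes the whole vpnSession to the log, and unless TokenPassword returned true `c.password` still holds the user's cleartext password at that point, so every connection attempt leaks credentials into the server log; the `log.Println(s.ldap[c.Profile])` beside it dumps the ldapConfig, which presumably carries the bind credentials for that directory. Replace both with a redacted line such as `log.Printf("auth %q: profile=%q mail=%q", c.Login, c.Profile, c.Mail)`. Related: when tokenPassword is true the password is blanked but `ldap.Auth(login, pass)` is still called with the empty string, so unless ldap.Auth itself refuses an empty password the directory may perform an unauthenticated simple bind and report passOk; making the caller skip the bind when `pass == ""` would match what the comment says the blanking is for. Finally, `c.Mail = secondary[0]` will panic if ldap.Auth returns an empty secondary slice, so guard it with `len(secondary) > 0`.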