Auth cleanup, ditch ldap_setup_caenv() in favour of LDAP->setUpCaEnv(), for https://github.com/opnsense/core/issues/3206
This commit is contained in:
parent
7960f2ab77
commit
afcbdee036
@ -685,32 +685,6 @@ function local_group_del($group)
|
||||
mwexecf('/usr/sbin/pw groupdel %s', $group['name']);
|
||||
}
|
||||
|
||||
function ldap_setup_caenv($authcfg)
|
||||
{
|
||||
unset($caref);
|
||||
|
||||
if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
|
||||
putenv('LDAPTLS_REQCERT=never');
|
||||
return;
|
||||
}
|
||||
|
||||
$caref = lookup_ca($authcfg['ldap_caref']);
|
||||
if (!$caref) {
|
||||
log_error(sprintf('LDAP: Could not lookup CA by reference for host %s.', $authcfg['ldap_caref']));
|
||||
/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
|
||||
putenv('LDAPTLS_REQCERT=hard');
|
||||
return;
|
||||
}
|
||||
|
||||
@mkdir("/var/run/certs");
|
||||
@unlink("/var/run/certs/{$caref['refid']}.ca");
|
||||
file_put_contents("/var/run/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
|
||||
@chmod("/var/run/certs/{$caref['refid']}.ca", 0600);
|
||||
putenv('LDAPTLS_REQCERT=hard');
|
||||
/* XXX: Probably even the hashed link should be created for this? */
|
||||
putenv("LDAPTLS_CACERTDIR=/var/run/certs");
|
||||
putenv("LDAPTLS_CACERT=/var/run/certs/{$caref['refid']}.ca");
|
||||
}
|
||||
|
||||
/**
|
||||
* @param $name string name of the authentication system configured on the authentication server page or 'Local Database' for local authentication
|
||||
@ -789,9 +763,6 @@ function get_authenticator($authcfg = NULL)
|
||||
if ($authcfg['type'] == 'local') {
|
||||
// avoid gettext type issues on Local Database, authenticator should always be named "Local Database"
|
||||
$authName = 'Local Database';
|
||||
} elseif ($authcfg['type'] == 'ldap' || $authcfg['type'] == 'ldap-totp') {
|
||||
// temporary fix, ldap handler doesn't do this init yet.
|
||||
ldap_setup_caenv($authcfg);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -28,6 +28,8 @@
|
||||
|
||||
namespace OPNsense\Auth;
|
||||
|
||||
use OPNsense\Core\Config;
|
||||
|
||||
/**
|
||||
* Class LDAP connector
|
||||
* @package OPNsense\Auth
|
||||
@ -240,6 +242,41 @@ class LDAP extends Base implements IAuthConnector
|
||||
if (!empty($config['ldap_port'])) {
|
||||
$this->ldapBindURL .= ":{$config['ldap_port']}";
|
||||
}
|
||||
|
||||
// setup environment
|
||||
if (!empty($config['ldap_caref']) && stristr($config['ldap_urltype'], "standard") === false) {
|
||||
$this->setUpCaEnv($config['ldap_caref']);
|
||||
} else {
|
||||
putenv('LDAPTLS_REQCERT=never');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* setup certificate environment
|
||||
* @param string $caref ca reference
|
||||
*/
|
||||
public function setUpCaEnv($caref)
|
||||
{
|
||||
$ca = null;
|
||||
if (isset(Config::getInstance()->object()->ca)) {
|
||||
foreach (Config::getInstance()->object()->ca as $cert) {
|
||||
if (isset($cert->refid) && (string)$caref == $cert->refid) {
|
||||
$ca = $cert;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
putenv('LDAPTLS_REQCERT=hard');
|
||||
if (!empty($ca)) {
|
||||
@mkdir("/var/run/certs");
|
||||
@unlink("/var/run/certs/{$ca->refid}.ca");
|
||||
file_put_contents("/var/run/certs/{$ca->refid}.ca", base64_decode((string)$ca->crt));
|
||||
@chmod("/var/run/certs/{$ca->refid}.ca", 0600);
|
||||
putenv("LDAPTLS_CACERTDIR=/var/run/certs");
|
||||
putenv("LDAPTLS_CACERT=/var/run/certs/{$ca->refid}.ca");
|
||||
} else {
|
||||
syslog(LOG_ERR, sprintf('LDAP: Could not lookup CA by reference for host %s.', $caref));
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
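Review bot: In setUpCaEnv() the file_put_contents() call that writes the CA bundle ignores its return value, so a failed write (missing or unwritable /var/run/certs, since the preceding @mkdir is also unchecked) leaves LDAPTLS_CACERT pointing at a file that does not exist while LDAPTLS_REQCERT=hard is already exported; the connect then fails verification with nothing in the log to explain it, unlike the lookup-failure branch which does log. I would check the write and log it the same way, as sketched below, keeping the early export of `hard` so the method still fails closed. Separately, every setting here goes through putenv() on the whole process; my understanding is that libldap reads LDAPTLS_* only when it first initialises, so in a long-lived worker that talks to several servers with different CAs later calls may not take effect — worth a `// NOTE: libldap may only honour these on first initialisation; verify` comment above the putenv() calls if that matches your testing.
```php
        if (!empty($ca)) {
            $cafile = "/var/run/certs/{$ca->refid}.ca";
            @mkdir("/var/run/certs");
            @unlink($cafile);
            if (file_put_contents($cafile, base64_decode((string)$ca->crt)) === false) {
                // REQCERT=hard is already exported, so a missing CA file fails closed
                syslog(LOG_ERR, sprintf('LDAP: Could not write CA file %s.', $cafile));
                return;
            }
            @chmod($cafile, 0600);
            putenv("LDAPTLS_CACERTDIR=/var/run/certs");
            putenv("LDAPTLS_CACERT={$cafile}");
        } else {
            // … unchanged: lookup failure log …
```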
@ -50,9 +50,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
||||
if ($authcfg['type'] == 'local') {
|
||||
// avoid gettext type issues on Local Database, authenticator should always be named "Local Database"
|
||||
$authName = 'Local Database';
|
||||
} elseif ($authcfg['type'] == 'ldap' || $authcfg['type'] == 'ldap-totp') {
|
||||
// temporary fix, ldap handler doesn't do this init yet.
|
||||
ldap_setup_caenv($authcfg);
|
||||
}
|
||||
|
||||
$authFactory = new OPNsense\Auth\AuthenticationFactory;
|
||||
|
||||
@ -74,11 +74,12 @@ foreach ($servers as $server) {
|
||||
}
|
||||
|
||||
if ($ldap_server !== null) {
|
||||
// setup peer ca
|
||||
ldap_setup_caenv($ldap_server);
|
||||
|
||||
// connect to ldap server
|
||||
$ldap_auth = new OPNsense\Auth\LDAP($ldap_server['ldap_basedn'], $ldap_server['ldap_protver']);
|
||||
if (!empty($ldap_server['ldap_caref']) && stristr($ldap_server['ldap_urltype'], "standard") === false) {
|
||||
// setup peer ca
|
||||
$ldap_auth->setUpCaEnv($ldap_server['ldap_caref']);
|
||||
}
|
||||
$ldap_is_connected = $ldap_auth->connect($ldap_server['ldap_full_url'], $ldap_server['ldap_binddn'], $ldap_server['ldap_bindpw']);
|
||||
|
||||
if ($ldap_is_connected) {
|
||||
|
||||
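Review bot: The new conditional around `$ldap_auth->setUpCaEnv()` has no else branch, so when `ldap_caref` is empty or the URL type is standard nothing resets LDAPTLS_REQCERT here, whereas the removed ldap_setup_caenv() exported `never` in that case (and the class's own property setup in LDAP.php still does). The variable therefore keeps whatever the process already carries — presumably `hard` if an earlier setUpCaEnv() ran in the same process, or libldap's own default when unset — which can make a test against a second server behave differently from the first. If the old behaviour is intended, add `} else { putenv('LDAPTLS_REQCERT=never'); }` to mirror the class; if the stricter behaviour is intended, a comment saying so would help. The `if ($ldap_server !== null) {` block opened here continues past the end of the hunk.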
@ -33,13 +33,6 @@ require_once("auth.inc");
|
||||
$result = array();
|
||||
|
||||
if (isset($_POST['basedn']) && isset($_POST['host'])) {
|
||||
if (isset($_POST['cert'])) {
|
||||
$authcfg = array();
|
||||
$authcfg['ldap_caref'] = $_POST['cert'];
|
||||
$authcfg['ldap_urltype'] = 'SSL';
|
||||
ldap_setup_caenv($authcfg);
|
||||
}
|
||||
|
||||
$ldap_authcn = isset($_POST['authcn']) ? explode(";", $_POST['authcn']) : array();
|
||||
if (isset($_POST['urltype']) && strstr($_POST['urltype'], "Standard")) {
|
||||
$ldap_full_url = "ldap://";
|
||||
@ -52,6 +45,9 @@ if (isset($_POST['basedn']) && isset($_POST['host'])) {
|
||||
}
|
||||
|
||||
$ldap_auth = new OPNsense\Auth\LDAP($_POST['basedn'], isset($_POST['proto']) ? $_POST['proto'] : 3);
|
||||
if (isset($_POST['cert'])) {
|
||||
$ldap_auth->setUpCaEnv($_POST['cert']);
|
||||
}
|
||||
$ldap_is_connected = $ldap_auth->connect($ldap_full_url
|
||||
, !empty($_POST['binddn']) ? $_POST['binddn'] : null
|
||||
, !empty($_POST['bindpw']) ? $_POST['bindpw'] : null
|
||||
|
||||
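Review bot: `isset($_POST['cert'])` is true for an empty string, so a test submitted with the certificate field blank now calls `setUpCaEnv('')`, which exports LDAPTLS_REQCERT=hard and logs "Could not lookup CA by reference" for an empty reference, while the removed auth.inc path applied `empty()` to the same value and fell back to `never`. Use `if (!empty($_POST['cert'])) {` to keep the form's previous semantics, or deliberately keep `hard` and drop the misleading log for the empty case. As in the other diagnostic script, nothing resets LDAPTLS_REQCERT when no certificate is given, so the value depends on process state. The `$ldap_auth->connect(` call and the enclosing `if (isset($_POST['basedn']) ...)` block continue past the end of the hunk.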