diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index bca1ddf17..47e18fde4 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -247,7 +247,25 @@ function index_users()
}
return $userindex;
- }
+}
+
+function getUserGroups($username)
+{
+ global $config;
+ $member_groups = array();
+ $user = getUserEntry($username);
+ if ($user !== false) {
+ $allowed_groups = local_user_get_groups($user);
+ if (isset($config['system']['group'])) {
+ foreach ($config['system']['group'] as $group) {
+ if (in_array($group['name'], $allowed_groups)) {
+ $member_groups[] = $group['name'];
+ }
+ }
+ }
+ }
+ return $member_groups;
+}
function &getUserEntry($name)
{
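Review bot: The inner loop in the new getUserGroups appears to be a no-op filter: `local_user_get_groups($user)` already returns names taken from `$config['system']['group']`, so re-walking the same list and keeping the names found in it (with a non-strict `in_array`) should yield the same list in the same order. Either `return $user !== false ? local_user_get_groups($user) : array();` or, if the loop is kept for a reason not visible here, pass `true` as the third argument to `in_array`. Because this function now gates OpenVPN logins, a docblock would help callers, e.g. `/** Names of the local groups $username belongs to; an empty array when no local user entry exists (remote-only accounts). */`. Both auth-user.php and diag_authentication.php rely on that empty-array result for unknown users.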
@@ -309,7 +327,7 @@ function get_user_privileges(&$user)
$privs = $user['priv'];
}
- $names = local_user_get_groups($user, true);
+ $names = local_user_get_groups($user);
foreach ($names as $name) {
$group = getGroupEntry($name);
@@ -518,7 +536,7 @@ function local_user_set_password(&$user, $password = null)
}
}
-function local_user_get_groups($user, $all = false)
+function local_user_get_groups($user)
{
global $config;
@@ -530,7 +548,7 @@ function local_user_get_groups($user, $all = false)
foreach ($config['system']['group'] as $group) {
if (isset($group['member'])) {
- if (in_array($user['uid'], $group['member']) || ($group['name'] == "all" && $all)) {
+ if (in_array($user['uid'], $group['member'])) {
$groups[] = $group['name'];
}
}
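Review bot: Removing the `$all` flag changes what the callers updated in this patch see — get_user_privileges (hunk at -309), local_user_set_groups (-549) and get_user_privdesc in system_usermanager.php: a group named `all` is now returned only when the uid is listed in its `member` array, whereas those callers previously passed `true` and got it unconditionally. If any deployment relies on implicit `all` membership to grant privileges, those privileges silently stop applying after this commit; if `all` is always populated with every uid, nothing changes, but which of the two holds is not visible here and the commit should state it. A one-line comment above the loop would record the intent: `/* membership is explicit: a group applies only when the uid is listed in its 'member' array */`. local_user_get_groups begins in the previous hunk and its end lies outside this one.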
@@ -549,7 +567,7 @@ function local_user_set_groups($user, $new_groups = null)
return;
}
- $cur_groups = local_user_get_groups($user, true);
+ $cur_groups = local_user_get_groups($user);
$mod_groups = array();
if (!is_array($new_groups)) {
diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index 4fac3bd8d..520fea45d 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -686,7 +686,7 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
if ($settings['strictusercn']) {
$strictusercn = "true";
}
- $conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' {$strictusercn} {$mode_id}\" via-env\n";
+ $conf .= "auth-user-pass-verify \"/usr/local/sbin/ovpn_auth_verify user '{$settings['authmode']}' '{$strictusercn}' '{$mode_id}'\" via-env\n";
}
break;
}
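Review bot: The new quoting on the auth-user-pass-verify line fixes the positional shift an empty `$strictusercn` caused — the hunk only assigns it when `$settings['strictusercn']` is set, so if nothing initialises it earlier the third token vanished and `$mode_id` was read as strictusercn — but `{$settings['authmode']}` and `{$mode_id}` are still spliced into single-quoted tokens without any escaping. Both values come from the server configuration rather than from VPN clients, so the exposure is an administrator breaking their own server, yet a name containing a quote would still desynchronise OpenVPN's argument tokenizer and the verify script would receive shifted arguments. Worth confirming that authmode names are constrained at save time, or recording the assumption next to the line: `// authmode/mode_id are admin-configured; a quote in either would split the command differently`. openvpn_reconfigure extends well beyond this hunk.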
diff --git a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
index d6d74937d..7c9a67168 100644
--- a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
+++ b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
@@ -78,8 +78,33 @@ if (!is_array($authmodes)) {
exit(1);
}
+$a_server = null;
+
+if (isset($config['openvpn']['openvpn-server'])) {
+ foreach ($config['openvpn']['openvpn-server'] as $server) {
+ if ($server['vpnid'] == $modeid) {
+ $a_server = $server;
+ break;
+ }
+ }
+}
+
+if ($a_server == null) {
+ syslog(LOG_WARNING, "The server $modeid was not found. Denying authentication for user {$username}");
+ closelog();
+ exit(1);
+}
+
+if (!empty($a_server['local_group']) && !in_array($a_server['local_group'], getUserGroups($username))) {
+ syslog(LOG_WARNING, "The server $modeid requires the local group {$a_server['local_group']}. Denying authentication for user {$username}");
+ closelog();
+ exit(1);
+}
+
foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode);
+
+ /* XXX this doesn't look right... */
if (!$authcfg && $authmode != "local") {
continue;
}
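Review bot: The server lookup uses loose comparisons: `$server['vpnid'] == $modeid` inside the foreach and `$a_server == null` after it. Under PHP 8 numeric-string rules `"1" == "01"` is true and `[] == null` is also true, so an unexpected vpnid form can match the wrong entry and an empty server array is treated as missing; prefer `(string)$server['vpnid'] === (string)$modeid` and `$a_server === null`. The local_group gate runs before any authmode is tried and fails closed, which is the right direction; note, however, that getUserGroups consults only the local user database, so once local_group is set, accounts that exist solely in LDAP/RADIUS are denied regardless of authmode — if that is intended, say so above the check, e.g. `/* local_group is matched against local user groups only; remote-only accounts never satisfy it */`. Where `$modeid` and `$username`, which are logged verbatim, originate is outside this hunk.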
diff --git a/src/www/diag_authentication.php b/src/www/diag_authentication.php
index e109a1e4a..7c85b9c84 100644
--- a/src/www/diag_authentication.php
+++ b/src/www/diag_authentication.php
@@ -31,25 +31,6 @@ require_once("guiconfig.inc");
require_once("PEAR.inc");
require_once("interfaces.inc");
-function getUserGroups($username, $authcfg)
-{
- global $config;
- $member_groups = array();
- $user = getUserEntry($username);
- if ($user !== false) {
- $allowed_groups = local_user_get_groups($user, true);
- if (isset($config['system']['group'])) {
- foreach ($config['system']['group'] as $group) {
- if (in_array($group['name'], $allowed_groups)) {
- $member_groups[] = $group['name'];
- }
- }
- }
- }
- return $member_groups;
-}
-
-
$input_errors = array();
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array("authmode" => "", "username" => "", "password" => "");
@@ -68,7 +49,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if (count($input_errors) == 0) {
if (authenticate_user($_POST['username'], $_POST['password'], $authcfg)) {
$savemsg = gettext("User") . ": " . $_POST['username'] . " " . gettext("authenticated successfully.");
- $groups = getUserGroups($_POST['username'], $authcfg);
+ $groups = getUserGroups($_POST['username']);
$savemsg .= "
" . gettext("This user is a member of these groups") . ":
";
foreach ($groups as $group) {
$savemsg .= "{$group} ";
diff --git a/src/www/system_usermanager.php b/src/www/system_usermanager.php
index 6683a7186..c21f887bc 100644
--- a/src/www/system_usermanager.php
+++ b/src/www/system_usermanager.php
@@ -44,7 +44,7 @@ function get_user_privdesc(& $user)
$user_privs = $user['priv'];
}
- $names = local_user_get_groups($user, true);
+ $names = local_user_get_groups($user);
foreach ($names as $name) {
$group = getGroupEntry($name);
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index 830d40a94..8a271014d 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
@@ -64,7 +64,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
,serverbridge_interface,serverbridge_dhcp_start,serverbridge_dhcp_end
,dns_server1,dns_server2,dns_server3,dns_server4,ntp_server1
,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1
- ,wins_server2,no_tun_ipv6,push_register_dns,dns_domain
+ ,wins_server2,no_tun_ipv6,push_register_dns,dns_domain,local_group
,client_mgmt_port,verbosity_level,caref,crlref,certref,dh_length
,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,reneg-sec,use-common-name";
@@ -332,7 +332,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$copy_fields = "mode,protocol,dev_mode,local_port,description,crypto,digest,engine
,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6
,gwredir,local_network,local_networkv6,maxclients,compression
- ,passtos,client2client,dynamic_ip,pool_enable,topology_subnet
+ ,passtos,client2client,dynamic_ip,pool_enable,topology_subnet,local_group
,serverbridge_dhcp,serverbridge_interface,serverbridge_dhcp_start
,serverbridge_dhcp_end,dns_domain,dns_server1,dns_server2,dns_server3
,dns_server4,push_register_dns,ntp_server1,ntp_server2,netbios_enable
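Review bot: `local_group` is added to the copy_fields list so the posted value is written straight into the server entry, but neither this hunk nor the GET-side list at -64 shows any validation that it names an existing entry in `$config['system']['group']`. Since auth-user.php now denies every login whose groups do not contain the configured value, a typo or a later group rename locks every user out of that server — fail-closed, but surprising to operate. If the input_errors block elsewhere in this file does not already cover it, add a check there, roughly `if (!empty($pconfig['local_group']) && getGroupEntry($pconfig['local_group']) === false) { $input_errors[] = gettext("The selected local group does not exist."); }` — confirm getGroupEntry's return value on a miss first, since only getUserEntry's `!== false` contract is visible in this patch.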
@@ -660,6 +660,24 @@ $( document ).ready(function() {
+