PerlMonks  

Pointers required on understanding LDAP Authenticating script for openvpn

by shekarkcb (Beadle)
on Apr 10, 2013 at 09:50 UTC (#1027942=perlquestion)
shekarkcb has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I have a working script which is used to authenticate users for the VPN against LDAP for OpenVPN. The way the script is called is, in the OpenVPN conf file (/etc/openvpn/server.conf):
auth-user-pass-verify /etc/openvpn/ldap_authenticate.pl via-env

The script is as follows,
 cat ldap_authenticate.pl

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# OpenVPN (auth-user-pass-verify ... via-env) passes the client's
# credentials in the environment; nothing is read from STDIN or @ARGV.
my $opt_uri    = "ldap://localhost";
my $opt_user   = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_common = $ENV{'common_name'};
my $opt_group  = "cn=vpnusers,ou=Groups,dc=mycompany,dc=com";

# Refuse missing or empty credentials: a simple bind with an empty
# password is an anonymous bind on many directories and would "succeed".
exit 1 unless defined $opt_user && length $opt_user
          && defined $opt_passwd && length $opt_passwd;

my $opt_binddn = "uid=" . $opt_user . ",ou=People,dc=mycompany,dc=com";

my $ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!");

# Authentication: try ou=People first, then ou=Interns. A non-zero
# result code means the bind (and so the password check) failed.
my $result = $ldap->bind($opt_binddn, password => $opt_passwd);
$result->code and $result = $ldap->bind("uid=" . $opt_user . ",ou=Interns,dc=mycompany,dc=com", password => $opt_passwd);
$result->code and die($result->error);   # die exits non-zero, so OpenVPN rejects the client

# Authorisation: the user must be listed exactly once in the vpnusers group.
$result = $ldap->search(base => $opt_group, filter => "(&(memberUid=$opt_user))");
$result->code and die($result->error);
exit 0 if $result->count == 1;
exit 1;   # no match, or more than one: fail closed
It works perfectly fine for users who are in ou=People.

1). Just wondering how $ENV{'username'} and $ENV{'password'} work? I mean, if I change the script to ask the user for them on the command line, i.e. via <STDIN>, it says
Invalid credentials
and when I print "$result" using Dumper, I can see that resultCode is 49. How do I enter them manually, without using $ENV?

2). If I want to authenticate another CN (in addition to CN=People, say CN=testuserforvpn), how can I do that?

Any pointers are greatly helpful.

Thanks

Re: Pointers required on understanding LDAP Authenticating script for openvpn
by Loops (Curate) on Apr 10, 2013 at 10:57 UTC
    Howdy,

    You don't show the code that you use to read these values in from the command line. It's possible you're just forgetting to chomp the result and a newline is being included as part of the value.

    It's possible to use this script from the command line with no changes, however. Either set those values in the environment before running it, or just:

    username=WHATEVER password=SECRET ./ldap_authenticate.pl
      Thanks for the reply.

      As I explained in the first post, there is no code present that passes the username or password; this script is called from OpenVPN, and the configuration file has this line

      auth-user-pass-verify /etc/openvpn/new_ldap_authenticate.pl via-env

      That's it; I am not sure how OpenVPN is passing the username or password, the configuration file just has the above line.
      I did try manually passing the username and password inside the script, and from STDIN (removed the newline using chomp), and also tried your line, and I am still getting Invalid credentials

      Just wanted to know how the $ENV stuff is passed/called to/from the Perl script.
      And then add the new OU.

      Thanks

        The %ENV variable just holds your environment variables. So you should be able to change those values by setting the "username" and "password" environment variables before running your script. You can usually set them while running a script, like

        username="my_user" password="my_pass" perl script.pl
Re: Pointers required on understanding LDAP Authenticating script for openvpn
by Anonymous Monk on Apr 10, 2013 at 12:08 UTC
    via-environment variables ...
      Thank you all for the replies. I figured out some kind of workable solution. This code may not be the perfect one, but it works for me. Any suggestions/pointers to improve this code are greatly helpful.

      Thanks

#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Credentials arrive from OpenVPN (auth-user-pass-verify ... via-env)
# as environment variables.
my $opt_uri    = "ldap://localhost";
my $opt_user   = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_common = $ENV{'common_name'};

# Both values must be present and non-empty: with "defined $a or defined $b"
# a single missing value slips through, and an empty password would turn
# the simple bind into an anonymous bind on many directories.
unless (defined $opt_user && length $opt_user && defined $opt_passwd && length $opt_passwd) {
    print "OOPS, I haven't received any username/password... Exiting\n";
    exit 1;
}

my $opt_group = "cn=VpnUsers,ou=Groups,dc=mywebsite,dc=com";

# OUs to try, in order. Authenticating another OU is one more list entry.
my @ous = qw(People firstOU secondOU thirdOU fourthOU);

my $ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!");

# Authentication: the first OU where uid=<user> binds with this password wins.
my $result;
my $found_ou;
for my $ou (@ous) {
    $result = $ldap->bind("uid=" . $opt_user . ",ou=$ou,dc=mywebsite,dc=com", password => $opt_passwd);
    if ($result->code) {
        print "THIS PERSON IS NOT PART OF $ou... CHECKING NEXT OU\n";
        next;
    }
    $found_ou = $ou;
    last;
}
die($result->error) unless defined $found_ou;   # non-zero exit: OpenVPN rejects the login
print "THIS PERSON IS IN $found_ou...\n";

# Authorisation: the user must be listed exactly once in the VPN group.
$result = $ldap->search(base => $opt_group, filter => "(&(memberUid=$opt_user))");
$result->code and die($result->error);
if ($result->count == 1) {
    print "FOUND $opt_user IN $opt_group\n";
    exit 0;
}
exit 1;   # not a member (or an ambiguous match): fail closed
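Editor's added example, not code from shekarkcb or from any reply in this thread. It shows the same OU-chain check written for OpenVPN's other delivery mode, via-file, in which OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and passes the file's path as the script's first argument (the OpenVPN manual flags via-env as insecure on platforms that expose a process's environment to other unprivileged processes; running any external script also needs script-security 2 in the server config). The username is escaped before it is spliced into a DN (Net::LDAP::Util::escape_dn_value) and into the search filter (escape_filter_value), empty credentials are refused, and every error path rejects. The URI, base DN, group DN and OU list are placeholders taken from the thread's layout, not a real directory.

```perl
#!/usr/bin/perl
# Assumed server.conf lines (placeholders, not from the original post):
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/ldap_authenticate.pl via-file
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_dn_value escape_filter_value);

# Assumed directory layout, modelled on the thread's example DNs.
my $URI   = 'ldap://localhost';
my $BASE  = 'dc=mycompany,dc=com';
my $GROUP = "cn=vpnusers,ou=Groups,$BASE";
my @OUS   = qw(People Interns);   # add an OU here to authenticate it too

# Read the two-line credential file OpenVPN hands over in via-file mode.
# Returns (user, pass), or an empty list when either line is missing or empty.
sub read_via_file {
    my ($path) = @_;
    open(my $fh, '<', $path) or return ();
    my $user = <$fh>;
    my $pass = <$fh>;
    close($fh);
    return () unless defined $user && defined $pass;
    chomp($user);
    chomp($pass);
    # An empty password would make the simple bind below an anonymous bind.
    return () unless length $user && length $pass;
    return ($user, $pass);
}

# Bind DN with the username escaped as a DN attribute value, so a login of
# "alice,ou=Interns" becomes uid=alice\,ou=Interns and cannot rewrite the DN.
sub bind_dn {
    my ($user, $ou) = @_;
    return 'uid=' . escape_dn_value($user) . ",ou=$ou,$BASE";
}

# Group filter with the username escaped as a filter value, so "*" or
# ")(objectClass=*" are matched literally instead of changing the filter.
sub group_filter {
    my ($user) = @_;
    return '(memberUid=' . escape_filter_value($user) . ')';
}

# Returns the exit status OpenVPN expects: 0 to accept, 1 to reject.
sub verify {
    my ($ldap, $user, $pass) = @_;
    my $bound_ou;
    for my $ou (@OUS) {
        my $r = $ldap->bind(bind_dn($user, $ou), password => $pass);
        if (!$r->code) { $bound_ou = $ou; last; }
    }
    return 1 unless defined $bound_ou;   # password wrong in every OU

    # scope 'base': only the group entry itself is tested against the filter.
    my $s = $ldap->search(base => $GROUP, scope => 'base', filter => group_filter($user));
    return 1 if $s->code;                # search error: fail closed
    return $s->count == 1 ? 0 : 1;       # exactly one match, else reject
}

my ($user, $pass) = read_via_file($ARGV[0] // '');
exit 1 unless defined $user;
my $ldap = Net::LDAP->new($URI) or exit 1;
exit verify($ldap, $user, $pass);
```

To exercise it by hand without OpenVPN, write the two lines to a file and run `perl ldap_authenticate.pl /path/to/creds; echo $?`; with via-env, the equivalent manual call is the `username=... password=... ./script` form shown earlier in the thread. The bind step still decides authentication on its own; the escaping only keeps a crafted username from altering which DN is bound or which entry the membership filter matches.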


Front-paged by Corion