

Merge pull request #26 from wheelybird/active_directory
Fix variable name error and also set the login attribute required by AD
wheelybird authored Jan 10, 2020
2 parents fe6f01d + 3d4b389 commit 162ddcb
Showing 3 changed files with 39 additions and 26 deletions.
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -34,6 +34,8 @@ Configuration is via environmental variables. Here's a list, along with the def
* `LDAP_TLS_VALIDATE_CERT` (true): Set to 'true' to ensure the TLS certificate can be validated. 'false' will ignore certificate issues - you might need this if you're using a self-signed certificate and not passing in the CA certificate.
* `LDAP_TLS_CA_CERT` (_undefined_): The contents of the CA certificate file for the LDAP server. You'll need this to enable TLS if using self-signed certificates.

* `ACTIVE_DIRECTORY_COMPAT_MODE` (false): Sets `LDAP_LOGIN_ATTRIBUTE` to `sAMAccountName` and `LDAP_FILTER` to `(objectClass=user)`, which allows LDAP lookups to work with Active Directory. This will override any value you've manually set for those settings.

* `OVPN_TLS_CIPHERS` (TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA): Determines which ciphers will be set for `tls-cipher` in the openvpn config file.
* `OVPN_PROTOCOL` (udp): The protocol OpenVPN uses. Either `udp` or `tcp`.
* `OVPN_NETWORK` (10.50.50.0 255.255.255.0): The network that will be used the the VPN in `network_address netmask` format.
43 changes: 22 additions & 21 deletions files/configuration/set_defaults.sh
Expand Up @@ -33,27 +33,28 @@ fi

default_tls_ciphers="TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA"

if [ "${OVPN_TLS_CIPHERS}x" == "x" ]; then export OVPN_TLS_CIPHERS=$default_tls_ciphers; fi
if [ "${OVPN_PROTOCOL}x" == "x" ]; then export OVPN_PROTOCOL="udp"; fi
if [ "${OVPN_NETWORK}x" == "x" ]; then export OVPN_NETWORK="10.50.50.0 255.255.255.0"; fi
if [ "${OVPN_VERBOSITY}x" == "x" ]; then export OVPN_VERBOSITY="3"; fi
if [ "${OVPN_NAT}x" == "x" ]; then export OVPN_NAT="true"; fi
if [ "${OVPN_REGISTER_DNS}x" == "x" ]; then export OVPN_REGISTER_DNS="false"; fi
if [ "${OVPN_ENABLE_COMPRESSION}x" == "x" ]; then export OVPN_ENABLE_COMPRESSION="true"; fi
if [ "${REGENERATE_CERTS}x" == "x" ]; then export REGENERATE_CERTS="false"; fi
if [ "${OVPN_MANAGEMENT_ENABLE}x" == "x" ]; then export OVPN_MANAGEMENT_ENABLE="false"; fi
if [ "${OVPN_MANAGEMENT_NOAUTH}x" == "x" ]; then export OVPN_MANAGEMENT_NOAUTH="false"; fi
if [ "${DEBUG}x" == "x" ]; then export DEBUG="false"; fi
if [ "${LOG_TO_STDOUT}x" == "x" ]; then export LOG_TO_STDOUT="true"; fi
if [ "${ENABLE_OTP}x" == "x" ]; then export ENABLE_OTP="false"; fi
if [ "${LDAP_LOGIN_ATTRIBUTE}x" == "x" ]; then export LDAP_LOGIN_ATTRIBUTE="uid"; fi
if [ "${LDAP_TLS}x" == "x" ]; then export LDAP_TLS="false"; fi
if [ "${LDAP_TLS_VALIDATE_CERT}x" == "x" ]; then export LDAP_TLS_VALIDATE_CERT="true"; fi
if [ "${KEY_LENGTH}x" == "x" ]; then export KEY_LENGTH="2048"; fi
if [ "${FAIL2BAN_ENABLED}x" == "x" ]; then export FAIL2BAN_ENABLED="false"; fi
if [ "${FAIL2BAN_MAXRETRIES}x" == "x" ]; then export FAIL2BAN_MAXRETRIES="3"; fi

if [ "$FAIL2BAN_ENABLED" == "true" ]; then LOG_TO_STDOUT="false"; fi
if [ "${OVPN_TLS_CIPHERS}x" == "x" ]; then export OVPN_TLS_CIPHERS=$default_tls_ciphers; fi
if [ "${OVPN_PROTOCOL}x" == "x" ]; then export OVPN_PROTOCOL="udp"; fi
if [ "${OVPN_NETWORK}x" == "x" ]; then export OVPN_NETWORK="10.50.50.0 255.255.255.0"; fi
if [ "${OVPN_VERBOSITY}x" == "x" ]; then export OVPN_VERBOSITY="3"; fi
if [ "${OVPN_NAT}x" == "x" ]; then export OVPN_NAT="true"; fi
if [ "${OVPN_REGISTER_DNS}x" == "x" ]; then export OVPN_REGISTER_DNS="false"; fi
if [ "${OVPN_ENABLE_COMPRESSION}x" == "x" ]; then export OVPN_ENABLE_COMPRESSION="true"; fi
if [ "${REGENERATE_CERTS}x" == "x" ]; then export REGENERATE_CERTS="false"; fi
if [ "${OVPN_MANAGEMENT_ENABLE}x" == "x" ]; then export OVPN_MANAGEMENT_ENABLE="false"; fi
if [ "${OVPN_MANAGEMENT_NOAUTH}x" == "x" ]; then export OVPN_MANAGEMENT_NOAUTH="false"; fi
if [ "${DEBUG}x" == "x" ]; then export DEBUG="false"; fi
if [ "${LOG_TO_STDOUT}x" == "x" ]; then export LOG_TO_STDOUT="true"; fi
if [ "${ENABLE_OTP}x" == "x" ]; then export ENABLE_OTP="false"; fi
if [ "${LDAP_LOGIN_ATTRIBUTE}x" == "x" ]; then export LDAP_LOGIN_ATTRIBUTE="uid"; fi
if [ "${LDAP_TLS}x" == "x" ]; then export LDAP_TLS="false"; fi
if [ "${LDAP_TLS_VALIDATE_CERT}x" == "x" ]; then export LDAP_TLS_VALIDATE_CERT="true"; fi
if [ "${KEY_LENGTH}x" == "x" ]; then export KEY_LENGTH="2048"; fi
if [ "${FAIL2BAN_ENABLED}x" == "x" ]; then export FAIL2BAN_ENABLED="false"; fi
if [ "${FAIL2BAN_MAXRETRIES}x" == "x" ]; then export FAIL2BAN_MAXRETRIES="3"; fi
if [ "${ACTIVE_DIRECTORY_COMPAT_MODE}x" == "x" ]; then export ACTIVE_DIRECTORY_COMPAT_MODE="false"; fi

if [ "$FAIL2BAN_ENABLED" == "true" ]; then export LOG_TO_STDOUT="false"; fi
if [ "$LOG_TO_STDOUT" == "true" ]; then
LOG_FILE="/proc/1/fd/1"
else
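Review bot: The new `ACTIVE_DIRECTORY_COMPAT_MODE` default line only fills in an empty value; nothing rejects a value that is neither `true` nor `false`, and setup_ldap.sh in the same commit compares against the exact string `true`, so a setting such as `True` or `yes` silently takes the non-AD branch and, assuming this file runs first as its name suggests, ends up writing `map passwd uid uid` from the `LDAP_LOGIN_ATTRIBUTE="uid"` default set here. Because this flag decides which directory filter and login attribute are used for authentication, it is worth failing loudly right after the default is applied: `case "${ACTIVE_DIRECTORY_COMPAT_MODE}" in true|false) ;; *) echo "ACTIVE_DIRECTORY_COMPAT_MODE must be 'true' or 'false'" >&2; exit 1 ;; esac` (use `return 1` instead of `exit` if the file is sourced). As a point of style, each of the twenty near-identical `if [ "${X}x" == "x" ]; then export X=...; fi` lines can be written as `: "${X:=default}"; export X`, which would also make the old and new blocks of this hunk easier to compare. The hunk starts mid-file, so any validation done further up is not visible here.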
20 changes: 15 additions & 5 deletions files/configuration/setup_ldap.sh
Expand Up @@ -29,15 +29,25 @@ if [ "${LDAP_TLS_CA_CERT}x" != "x" ] ; then
echo "tls_cacertfile ${OPENVPN_DIR}/ldap-ca.crt" >> $LDAP_CONFIG
fi

if [ "${LDAP_FILTER}x" != "x" ] ; then
echo "filter passwd $LDAP_FILTER" >> $LDAP_CONFIG
fi
if [ "${ACTIVE_DIRECTORY_COMPAT_MODE}" == "true" ]; then

echo "filter passwd (objectClass=user)" >> $LDAP_CONFIG
echo "map passwd uid sAMAccountName" >> $LDAP_CONFIG

else

if [ "${LDAP_FILTER}x" != "x" ]; then
echo "filter passwd $LDAP_FILTER" >> $LDAP_CONFIG
fi

if [ "${LDAP_LOGIN_ATTRIBUTE}x" != "x" ]; then
echo "map passwd uid $LDAP_LOGIN_ATTRIBUTE" >> $LDAP_CONFIG
fi

if [ "${LDAP_LOGIN_ATTRIBUTE}x" != "x" ] ; then
echo "map passwd uid $LDAP_LOGIN_ATTRIBUTE" >> $LDAP_CONFIG
fi

if [ "${LDAP_BIND_USER_DN}x" != "x" ] ; then
echo "binddn $LDAP_BIND_USER_DN" >> $LDAP_CONFIG
echo "bindpw $LDAP_BIND_USER_PASS" >> $LDAP_CONFIG
fi

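Review bot: The compat branch under `if [ "${ACTIVE_DIRECTORY_COMPAT_MODE}" == "true" ]` silently discards an operator-supplied `LDAP_FILTER` and `LDAP_LOGIN_ATTRIBUTE` in favour of `(objectClass=user)` and `sAMAccountName`; for the filter this is a widening, since every user object in the directory then passes the passwd lookup while a narrower filter someone had configured (a group-membership clause, say) is dropped with nothing in the logs to show it. The README hunk does document the override, but because `LDAP_LOGIN_ATTRIBUTE` is given a `uid` default in set_defaults.sh a `${LDAP_FILTER:-...}` fallback would not work for both variables, so the practical fix is to warn when a non-empty value is being ignored, e.g. before the two `echo` lines: `if [ "${LDAP_FILTER}x" != "x" ]; then echo "WARNING: ACTIVE_DIRECTORY_COMPAT_MODE overrides LDAP_FILTER" >&2; fi` and the same for `LDAP_LOGIN_ATTRIBUTE`. The new `echo ... >> $LDAP_CONFIG` lines also keep the redirection target unquoted; `>> "$LDAP_CONFIG"` costs nothing and matches the quoted test expressions on the same lines. The closing `fi` of the new if/else cannot be told apart from the old login-attribute block in this rendering, so the end of the construct may lie outside what is shown.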
