Insecure method used #1

Open. Wants to merge 45 commits into base branch 0.0.X.

Conversation

Ph0enix777

Connection uses SHA1 instead of SHA256

chantra added 30 commits July 19, 2010 19:52
Do not install testplugin openvpn-ldap-search test programs
From ldap_search_ext* man page:
Note that the res parameter of ldap_search_ext_s() and ldap_search_s()
should be freed with ldap_msgfree() regardless of the return value of
these functions.
PF rules are written to pf_file
options available through ccd files are pushed through
OPENVPN_PLUGIN_CLIENT_CONNECT_V2 's return_list
Can now authenticate different profiles
from different sources.

If no pf_rules are found, it will accept everything
PF must be enabled at config level with:
  enable_pf=true

When ldap account profile start_date and/or end_date
differ from 0, check if the user is allowed to
connect at current date.
Install openvpn-ldap-auth-test on make install
Allow defining undef/false/true to be able to handle
PF at profile level

add src/types.h
add helpers in cnf.h
  * int config_is_pf_enabled( config_t *c )
  * config_is_pf_enabled_for_profile( config_t *c, profile_config_t *p )
* move ldapconfprofile functions to ldap_profile.c
* add ldap_profile_handle_allowed_timeframe
  will check if user is allowed to connect now
Will match search_filter syntax
if either default rules for client/subnet is missing,
default to allow all (default openvpn behaviour)
Account profiles need to be defined within
<profile></profile> tags
Initialise result to NULL and only free if not NULL
after search
If enable_pf is defined and either pf_client_default_accept
or pf_subnet_default_accept is UNDEF, write the rule provided in conf

If one of pf_*_default_accept is UNDEF and no default_pf_rules is
defined, allow all traffic
When an OpenVPNAccount has no OvpnProfile and default_profiledn
is defined in config, fetch that info and use it.
Per profile PF rules can be set using:
 * enable_pf
 * default_pf_rules

If no rules found, accept all

config items can have whitespaces in front of them
It used to expect the *ldap_version* parameter instead of *version*
Conflicts:

	Changelog
	src/cnf.c
	src/la_ldap.c
	tests/Makefile.am
Details a bit more what the config can handle.
When an LDAP entry is neither an OpenVPNAccount
or OpenVPNProfile and default_profiledn is defined,
apply its settings
uint8_t was used to hold the size of the string returned by
ldap_account_get_options_to_string.
This can easily be > 256 and was crashing the app.
chantra added 15 commits August 13, 2010 18:50
Remove unused variables...
When the replacement string is part of the needle,
the while loop never exits.
ex: str_replace_all("foobar", "foo", "foo2");

The plugin was not affected as we only replace_all "\\n" by "\n"
Cleaning up debugging and allowing to use syslog while
in daemon mode
works without modifying /etc/ldap/ldap.conf
tls_reqcert=never|allow|try|demand|hard is now
supported in config. Defaults to *never*
In case the -c option is not used, the plugin will use
a default filename to load the config from.

This file must exist even though it might be empty.
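The str_replace_all infinite-loop fix and the uint8_t length truncation described in the commit list above, carried through as an added example in C. This is not the project's code: the function name and signature, the two-pass implementation, and the sample push string are assumptions made here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Replace every occurrence of `needle` in `haystack` with `replacement`.
 * Returns a freshly malloc'd string (caller frees), or NULL on bad input
 * or allocation failure. Hypothetical signature; not the plugin's own.
 *
 * Two points from the commit list are handled here:
 *  - after emitting a replacement, scanning resumes after the matched
 *    needle in the input, never inside the text just written, so a
 *    replacement that contains the needle ("foo" -> "foo2") terminates;
 *  - all lengths are size_t, so a result longer than 255 bytes is not
 *    truncated the way a uint8_t length would be.
 */
char *str_replace_all(const char *haystack, const char *needle,
                      const char *replacement)
{
    if (haystack == NULL || needle == NULL || replacement == NULL ||
        needle[0] == '\0')          /* an empty needle would match everywhere */
        return NULL;

    size_t hlen = strlen(haystack);
    size_t nlen = strlen(needle);
    size_t rlen = strlen(replacement);

    /* Pass 1: count non-overlapping matches to size the output exactly. */
    size_t count = 0;
    for (const char *p = strstr(haystack, needle); p != NULL;
         p = strstr(p + nlen, needle))
        count++;

    size_t outlen = hlen;
    if (rlen >= nlen)
        outlen += count * (rlen - nlen);
    else
        outlen -= count * (nlen - rlen);

    char *out = malloc(outlen + 1);
    if (out == NULL)
        return NULL;

    /* Pass 2: copy, substituting at each match. */
    char *dst = out;
    const char *src = haystack;
    const char *hit;
    while ((hit = strstr(src, needle)) != NULL) {
        size_t pre = (size_t)(hit - src);
        memcpy(dst, src, pre);
        dst += pre;
        memcpy(dst, replacement, rlen);
        dst += rlen;
        src = hit + nlen;           /* resume in the input, past the match */
    }
    strcpy(dst, src);               /* copy the unmatched tail and the NUL */
    return out;
}

/*
 * Exercise the length path a uint8_t size would truncate: 300 bytes of
 * constructed input doubled to 600. Returns the length of the result.
 */
size_t demo_large_replacement(void)
{
    char input[301];
    memset(input, 'a', 300);
    input[300] = '\0';
    char *out = str_replace_all(input, "a", "ab");
    size_t len = out ? strlen(out) : 0;
    free(out);
    return len;
}

int main(void)
{
    /* The case from the commit message: the replacement contains the needle. */
    char *r = str_replace_all("foobar", "foo", "foo2");
    printf("%s\n", r);
    free(r);

    /* The use the commit describes: literal backslash-n becomes a newline.
     * The push lines are constructed sample input. */
    r = str_replace_all("push \"route 10.0.0.0 255.0.0.0\"\\npush \"dhcp-option DNS 10.0.0.1\"",
                        "\\n", "\n");
    printf("%s\n", r);
    free(r);

    printf("%zu\n", demo_large_replacement());
    return 0;
}
```

The two-pass shape (count, then copy into an exactly sized buffer) is what lets the function avoid both the reallocation-in-a-loop pattern that tends to hide the truncation bug and the resume-inside-the-output mistake that caused the infinite loop.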