Pointers required on understanding LDAP Authenticating script for openvpn

shekarkcb has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I have a working script which is used to authenticate users for vpn using ldap for openvpn. The way script called is, in openvpn conf file ( /etc/openvpn/server.conf )
auth-user-pass-verify /etc/openvpn/ldap_authenticate.pl via-env

The script is as follows,
cat ldap_authenticate.pl

#!/usr/bin/perl -w
use Net::LDAP;
use strict;

my $ldap;
my $result;

my $opt_uri = "ldap://localhost";
my $opt_user = $ENV{'username'};
my $opt_passwd = $ENV{'password'};
my $opt_common = $ENV{'common_name'};
my $opt_group = "cn=vpnusers,ou=Groups,dc=mycompany,dc=com";
my $opt_binddn = "uid=".$opt_user.",ou=People,dc=mycompany,dc=com";
$ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!");

$result = $ldap->bind($opt_binddn, password=>$opt_passwd);
$result->code and $result = $ldap->bind("uid=".$opt_user.",ou=Interns,
+dc=mycompany,dc=com", password=>$opt_passwd);
$result->code and die($result->error);
$result = $ldap->search(base=>$opt_group, filter=>"(&(memberUid=$opt_u
+ser))");
$result->code();
if ($result->count == 1) { exit 0; }
unless($result->count){ exit 1; }
[download]

It works perfectly fine for users who are from
ou=People

1). Just wondering how $ENV{'username'} and $ENV{'password'} work? I mean, considering if i call this script on command line by changing them to ask from user i.e <STDIN>, it says
Invalid credentials
and when i printed "$result" using Dumper, i can see that resultCode is 49. - How to enter manually , without using $ENV?

2). If i want to authenticate another CN ( in addition to CN=People, say CN=testuserforvpn, how can i do that?

Any pointers are greatly helpful.

Thanks

Comment on Pointers required on understanding LDAP Authenticating script for openvpn Select or Download Code

Replies are listed 'Best First'.
Re: Pointers required on understanding LDAP Authenticating script for openvpn by Loops (Curate) on Apr 10, 2013 at 10:57 UTC
Howdy, You don't show the code that you use to read these values in from the command line. It's possible you're just forgetting to chomp the result and newline is being included as part of the value It's possible to use this script from the command line with no changes however. Either set those values in the environment before running it, or just: `username=WHATEVER password=SECRET ./ldap_authenticate.pl` [download]	[reply] [d/l]
Re^2: Pointers required on understanding LDAP Authenticating script for openvpn by shekarkcb (Beadle) on Apr 10, 2013 at 12:01 UTC
Thanks for the reply. As i explained in first post, there is nothing code present passing username or password, this script is called from openvpn, the configuration file has this line `auth-user-pass-verify /etc/openvpn/new_ldap_authenticate.pl via-env` [download] That's it, i am not sure how openvpn is passing username or password, that configuration file just says above line. I did tried manually passing username and password inside script, and from STDIN ( removed new line using chomp), and also tried your line, still getting <code> Invalid credentials<code> Just wanted to know how $ENV stuff is passed/called to/from Perl Script. And then add for new OU. Thanks	[reply] [d/l]
Re^3: Pointers required on understanding LDAP Authenticating script for openvpn by influx (Beadle) on Apr 10, 2013 at 15:26 UTC
The %ENV variable just holds your environment variables. So you should be able to change them values by updating the "username" and "password" environment variables before running your script. You can usually set them while running a script, like `username="my_user" password="my_pass" perl script.pl`	[reply] [d/l]
Re: Pointers required on understanding LDAP Authenticating script for openvpn by Anonymous Monk on Apr 10, 2013 at 12:08 UTC
`via-env`ironment variables ...	[reply]
Re^2: Pointers required on understanding LDAP Authenticating script for openvpn by shekarkcb (Beadle) on Apr 12, 2013 at 05:56 UTC
Thank you all for the reply. But i figured out some kind of workable solution. This code may not be the Perfect one, but it works for me. Any suggetion/ pointers to improve this code is greatly helpful. Thanks #!/usr/bin/perl -w use Net::LDAP; use strict; use Data::Dumper; my $ldap; my $result; my $opt_uri = "ldap://localhost"; my $opt_user = $ENV{'username'}; my $opt_passwd = $ENV{'password'}; my $opt_common = $ENV{'common_name'}; unless (defined $opt_user or defined $opt_passwd) { print qq{ OOPS, I haven't recceived any username/password... Exiting \n }; exit 1; } my $opt_group = "cn=VpnUsers,ou=Groups,dc=mywebsite,dc=com"; my $opt_binddn = "uid=".$opt_user.",ou=People,dc=mywebsite,dc=com"; $ldap = Net::LDAP->new($opt_uri) or die("connect $opt_uri failed!"); $result = $ldap->bind( $opt_binddn, password=>$opt_passwd); $result->code and $result = $ldap->bind("uid=".$opt_user.",ou=firstOU, +dc=mywebsite,dc=com", password=>$opt_passwd); if($result->code) { print "got code froom firstOU check, THIS PERSON IS NOT PART OF fi +rstOU... CHECKING IN secondOU\n"; $result = $ldap->bind($opt_binddn, password=>$opt_passwd); $result->code and $result = $ldap->bind("uid=".$opt_user.",ou=seco +ndOU,dc=mywebsite,dc=com", password=>$opt_passwd); if($result->code) { print "got code from secondOU check, THIS PERSON IS NOT PART O +F secondOU. CHECKING IN thirdOU\n"; $result = $ldap->bind($opt_binddn, password=>$opt_passwd); $result->code and $result = $ldap->bind("uid=".$opt_user.",ou= +thirdOU,dc=mywebsite,dc=com", password=>$opt_passwd); if($result->code) { print "got code from thirdOU check, THIS PERSON IS NOT PAR +T OF thirdOU... CHECKING IN fourthOU\n"; $result = $ldap->bind($opt_binddn, password=>$opt_passwd); $result->code and $result = $ldap->bind("uid=".$opt_user." +,ou=fourthOU,dc=mywebsite,dc=com", password=>$opt_passwd); $result->code and die($result->error); $result = $ldap->search(base=>$opt_group, filter=>"(&(memb +erUid=$opt_user))"); if ($result->count == 1) { print "SEARCHIN IN fourthOU for vpnusers\n"; exit 0; } else { exit 1; } } else { $result = $ldap->search(base=>$opt_group, filter=>"(&(memb +erUid=$opt_user))"); if ($result->count == 1) { print "SEARCHIN IN thirdOU for vpnuser access\n"; exit 0; } else { exit 1; } } } else { $result = $ldap->search(base=>$opt_group, filter=>"(&(memberUi +d=$opt_user))"); if ($result->count == 1) { print "SEARCHIN IN secondOU for vpnuser access\n"; exit 0; } else { exit 1; } } } else { print "THIS PERSON IS IN firstOU...\n"; $result->code and die($result->error); $result = $ldap->search(base=>$opt_group, filter=>"(&(memberUid=$o +pt_user))"); $result->code(); if ($result->count == 1) { exit 0; } else { exit 1; } } [download]	[reply] [d/l]