#!/bin/bash
# 2014-12-01
# Josh North - josh.north@point808.com
#
# ovpn-ad-sync
#
# This script is a very rudimentary hack to fill my purpose. It may or may not
# work for you. It could also be put to use with plain LDAP with minimal
# modification.
# Theory: the script is meant to run on a cron schedule. On each run it
# searches all users in a specified AD group. For each user it checks whether
# a subdirectory already exists; if not, it creates one. It is then meant to
# loop through the directories that have no corresponding user in the AD list
# and delete them (not yet implemented in this version; see the note near the
# end of the script). It does NOT (at this point) revoke access or restart the
# VPN. This is IMPORTANT: in my setup we authenticate against AD anyway as a
# second layer. This is not fully secure but, like I said, it is a major work
# in progress.
#
# requirements:
# sendmail (written for the ssmtp version), uuencode (part of sharutils), ldap-client, etc.

# THE FOLLOWING VARIABLES MUST BE MODIFIED TO MATCH YOUR ENVIRONMENT OR BAD
# THINGS WILL HAPPEN!!!
# --- directory service -------------------------------------------------------
OAS_ADUSR='SYS_OpenVPN@SUPPLIES.LOCAL'   # bind account: user@domain.tld or full DN
# NOTE(review): the bind password sits in this file in clear text ("we will
# change this later"); until then keep the script readable by its owner only.
OAS_ADPWD='whatthefreak!'                # we will change this later
OAS_ADBASE='dc=supplies,dc=local'        # search base
# NOTE(review): a plain ldap:// URI sends the simple-bind password unencrypted;
# prefer ldaps:// where the directory offers it.
OAS_ADURI='ldap://192.168.1.21'          # full URI required
OAS_VPNGRP='cn=OpenVPNUsers,cn=Users,dc=supplies,dc=local'   # full group DN

# --- local paths -------------------------------------------------------------
OAS_USERDIR='/etc/openvpn/oas_clients'   # full path to user configs
OAS_RSADIR='/etc/openvpn/rsa'            # full path to easy-rsa root
OAS_OVPNTPL="${OAS_USERDIR}/template.ovpn"          # template file to use for clients
OAS_USERGUIDE="${OAS_USERDIR}/VPN_SETUP_GUIDE.pdf"  # pdf or other common file guide for users
OAS_LOGFILE='/var/log/oas.log'           # log file
OAS_LOGRET=10                            # lines of old log to keep

# --- mail --------------------------------------------------------------------
OAS_MAILSUBJ='Supplies Unlimited VPN Information'   # subject line of email
OAS_MAILFROM='admin@suppliesunlimited.com'          # email from appearance
OAS_MAILADMIN='admin@point808.com'                  # email to send errors and config cc
OAS_ORGNAME='Supplies Unlimited, Inc.'              # organisation name quoted in the email body

# END OF VARIABLES
# READ, BUT DON'T TOUCH THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING
# AND IF YOU DON'T KNOW WHAT YOU ARE DOING YOU PROBABLY SHOULDN'T BE USING THIS!!!

# easy logger function from http://mostlyunixish.franzoni.eu/
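#######################################
# Trim the log to its last OAS_LOGRET lines (when it exists) and then route
# everything this script prints — stdout and stderr — through tee into it,
# so output still reaches the terminal/cron mail as well as the log file.
# Globals:   OAS_LOGRET (read), OAS_LOGFILE (read, rewritten)
# Arguments: none
# Outputs:   none directly; redirects the caller's stdout/stderr
#######################################
logsetup() {
  local old_log
  # tail fails when the log does not exist yet; that is fine, tee -a creates it
  if old_log=$(tail -n "${OAS_LOGRET}" "${OAS_LOGFILE}" 2>/dev/null); then
    printf '%s\n' "${old_log}" > "${OAS_LOGFILE}"
  fi
  exec > >(tee -a "${OAS_LOGFILE}")
  exec 2>&1
}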
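#######################################
# Print one timestamped log line of the form "[<date>]: <message>".
# printf is used instead of echo so a message starting with "-" is never
# taken as an option and backslashes are printed literally.
# Arguments: $@ - message words, joined with single spaces
# Outputs:   the line on stdout (which logsetup routes into the log file)
#######################################
log() {
  printf '[%s]: %s\n' "$(date)" "$*"
}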
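logsetup

log "Script starting up"

#######################################
# Escape one value for use inside an LDAP search filter (RFC 4515).
# Backslash, '*', '(' and ')' become their \XX hex forms, so a value that was
# read back from the directory cannot change the meaning of the filter it is
# spliced into.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
oas_ldap_escape() {
  local value=$1
  value=${value//\\/\\5c}   # backslash first, so the escapes below are not re-escaped
  value=${value//\*/\\2a}
  value=${value//\(/\\28}
  value=${value//\)/\\29}
  printf '%s' "${value}"
}

#######################################
# Search the configured VPN group.
# Globals:   OAS_ADUSR OAS_ADURI OAS_ADBASE OAS_VPNGRP oas_pwfile (read)
# Arguments: $1 - extra filter clause AND-ed onto the group filter (may be "")
#            $@ - attribute names to return
# Outputs:   LDIF on stdout, without comments (-LLL)
# Returns:   ldapsearch's exit status
#######################################
oas_ldap_query() {
  local extra_filter=$1
  shift
  # The password comes from a file (-y) rather than argv (-w): command lines
  # are readable by every local user through ps.  OAS_VPNGRP is spliced in
  # exactly as the operator wrote it, so give the DN already filter-escaped
  # if it contains ( ) * or \.
  ldapsearch -x -LLL -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -y "${oas_pwfile}" \
    -s sub -b "${OAS_ADBASE}" \
    "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})${extra_filter})" "$@"
}

#######################################
# Print every value of one attribute from LDIF read on stdin, one per line.
# NOTE(review): base64 values ("attr:: ...") and folded continuation lines
# are neither decoded nor joined — only plain "attr: value" lines match;
# confirm the directory never returns mail/displayName that way.
# Arguments: $1 - attribute name, in the case the server returns it
# Outputs:   matching values on stdout
#######################################
oas_ldif_attr() {
  local attr=$1 line
  while IFS= read -r line; do
    if [[ "${line}" == "${attr}: "* ]]; then
      printf '%s\n' "${line#"${attr}: "}"
    fi
  done
}

# The bind password is handed to ldapsearch through an owner-only temp file
# that is removed on every exit path (see oas_ldap_query for why).
oas_pwfile=$(mktemp) || { log "ERROR - cannot create temporary file for the bind password"; exit 1; }
trap 'rm -f -- "${oas_pwfile}"' EXIT
chmod 0600 -- "${oas_pwfile}"
printf '%s' "${OAS_ADPWD}" > "${oas_pwfile}"   # no trailing newline: -y uses the file contents verbatim

# source rsa vars (easy-rsa's KEY_* settings); nothing below works without
# the easy-rsa tree, so a missing directory or vars file is fatal
cd "${OAS_RSADIR}" || { log "ERROR - cannot cd to ${OAS_RSADIR}"; exit 1; }
# shellcheck disable=SC1091
source ./vars || { log "ERROR - cannot source ${OAS_RSADIR}/vars"; exit 1; }

# and back
cd "${OAS_USERDIR}" || { log "ERROR - cannot cd to ${OAS_USERDIR}"; exit 1; }
log "Beginning user creation run"

# One search lists every sAMAccountName in the VPN group.  A failed search is
# fatal rather than "zero users": an empty list must never be mistaken for an
# empty group once directory clean-up is implemented below.
if ! oas_group_ldif=$(oas_ldap_query "" sAMAccountName); then
  log "ERROR - group search against ${OAS_ADURI} failed; check bind credentials and URI"
  exit 1
fi
# Read into an array up front so nothing inside the loop competes for stdin.
mapfile -t oas_users < <(oas_ldif_attr sAMAccountName <<<"${oas_group_ldif}")
log "Found ${#oas_users[@]} account(s) in group ${OAS_VPNGRP}"

for i in "${oas_users[@]}"; do
  # now we are in a loop - the following row(s) are run on each user in group
  # The account name becomes a path component and an easy-rsa key name:
  # refuse anything that could leave OAS_USERDIR or hide as a dotfile.
  if [[ -z "${i}" || "${i}" == */* || "${i}" == .* ]]; then
    log "ERROR - refusing to process account name '${i}' (not safe as a directory name)"
    continue
  fi
  user_dir="${OAS_USERDIR}/${i}"
  ovpn="${user_dir}/${i}.ovpn"

  # is there already a dir? for right now we assume that if a directory exists we are good with that user
  log "Checking user directory for ${i}..."
  if [[ -d "${user_dir}" ]]; then
    log "User directory for ${i} already exists, no need to modify"
    continue
  fi

  # if not, lets notify and make one and do the vpn thingie
  log "User directory for ${i} does not exist - this must be a new user in the group"
  log "Getting user details for ${i} from directory service..."
  # One query per new user; the name is filter-escaped because it came from
  # the directory, not from this script.  Only the first mail/displayName
  # value is used so a multi-valued attribute cannot inject extra lines into
  # the mail headers below.  (objectGUID is not fetched: nothing uses it.)
  user_ldif=$(oas_ldap_query "(sAMAccountName=$(oas_ldap_escape "${i}"))" mail displayName)
  OAS_USRMAIL=$(oas_ldif_attr mail <<<"${user_ldif}" | head -n 1)
  # the whole displayName, so "John A Smith" keeps its first name in the cert
  OAS_USRFNAME=$(oas_ldif_attr displayName <<<"${user_ldif}" | head -n 1)

  # without an email address the config cannot be delivered: error out for this user
  if [[ -z "${OAS_USRMAIL}" ]]; then
    log "ERROR - no email address stored in directory for user ${i}. You must set an email address!"
    continue
  fi
  log "User details for ${i} pulled successfully..."

  log "Creating user certificates..."
  export KEY_NAME="${OAS_USRFNAME}"
  export KEY_EMAIL="${OAS_USRMAIL}"
  # pkitool expects to run from the easy-rsa root; go there, run it, and come
  # straight back so every later path operation happens in OAS_USERDIR.  A
  # failed pkitool must not be followed by a directory, a config or an email.
  cd "${OAS_RSADIR}" || { log "ERROR - cannot cd to ${OAS_RSADIR}"; exit 1; }
  "${OAS_RSADIR}/pkitool" "${i}"
  pkitool_rc=$?
  cd "${OAS_USERDIR}" || { log "ERROR - cannot cd to ${OAS_USERDIR}"; exit 1; }
  if (( pkitool_rc != 0 )); then
    log "ERROR - pkitool failed for ${i} (exit ${pkitool_rc}); no directory, config or email produced"
    continue
  fi
  log "Certificates created for ${i}, now starting configuration and file generation..."

  # the directory will hold the private key: owner-only from the start
  if ! mkdir -m 0700 -- "${user_dir}"; then
    log "ERROR - cannot create ${user_dir}"
    continue
  fi
  if ! cp -- "${OAS_RSADIR}/keys/${i}.crt" "${OAS_RSADIR}/keys/${i}.key" \
           "${OAS_RSADIR}/keys/ca.crt" "${OAS_RSADIR}/keys/dh2048.pem" "${user_dir}/"; then
    log "ERROR - cannot copy key material for ${i} into ${user_dir}"
    continue
  fi

  # now we need to make a config file... let's try using a template as a header and adding certs
  # (one redirection for the whole file instead of one append per line)
  {
    cat -- "${OAS_OVPNTPL}"
    printf '<ca>\n';   cat -- "${user_dir}/ca.crt";     printf '</ca>\n'
    printf '<dh>\n';   cat -- "${user_dir}/dh2048.pem"; printf '</dh>\n'
    printf '<cert>\n'; cat -- "${user_dir}/${i}.crt";   printf '</cert>\n'
    printf '<key>\n';  cat -- "${user_dir}/${i}.key";   printf '</key>\n'
  } > "${ovpn}"
  chmod 0600 -- "${ovpn}" "${user_dir}/${i}.key"

  log "Configuration created, now trying to email configuration file to the user"
  # sendmail -t takes the recipients from the headers.  RFC 5322 requires an
  # empty line between headers and body, hence the extra \n after the
  # subject.  The .ovpn (which contains the private key) and the guide are
  # uuencoded inline after the text.
  if ! {
      printf 'to: %s\ncc: %s\nsubject: %s\n\n' "${OAS_USRMAIL}" "${OAS_MAILADMIN}" "${OAS_MAILSUBJ}"
      printf 'Hello,\nThis email is from %s You are receiving it because your account has been granted remote access privileges via a secure VPN client.\n' "${OAS_ORGNAME}"
      printf 'Please review the attached PDF user guide and contact your support personell with any questions or problems. You will also need to download and save the attached .ovpn file.\n'
      printf 'IMPORTANT! Please do NOT share the information contained in this email or the attached key file with anyone! This file identifies your computer to the network, and any other use opens the company network for hacking or other malicious behaviour.\n'
      printf 'NOTE: You will be prompted for a user name and password when connecting to the VPN client. Your username will be your domain login (%s) and your password is the same as your domain password.\n\n' "${i}"
      uuencode "${ovpn}" "${i}.ovpn"
      uuencode "${OAS_USERGUIDE}" VPN_SETUP_GUIDE.pdf
    } | /usr/sbin/sendmail -t -F "${OAS_MAILFROM}"; then
    log "ERROR - sendmail failed for ${i}; the config is in ${user_dir} and can be delivered by hand"
    continue
  fi
  log "Emailed configuration file to user email address ${OAS_USRMAIL}"
  log "If they do not receive their email, just copy and paste the file from the server or re-run"
  # end of the first looper!
done

# next thing is to check and delete (or recycle) user directories not in directory group
# (not implemented yet: directories for accounts removed from the group are left in place)

log "Script run complete - it may or may not be a success, the log will tell..."
log "Taking a nap before the next run..."
exit 0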