diff --git a/oas_clients/VPN_SETUP_GUIDE.pdf b/oas_attachments/VPN_SETUP_GUIDE.pdf
similarity index 100%
rename from oas_clients/VPN_SETUP_GUIDE.pdf
rename to oas_attachments/VPN_SETUP_GUIDE.pdf
diff --git a/ovpn-ad-sync.sh b/ovpn-ad-sync.sh
index e92a0df..a994690 100755
--- a/ovpn-ad-sync.sh
+++ b/ovpn-ad-sync.sh
@@ -28,7 +28,7 @@ OAS_OVPNTPL="${OAS_USERDIR}/template.ovpn" # Template file to use f
OAS_MAILSUBJ="Example Company - VPN Information" # Subject line of email
OAS_MAILFROM="admin@example.com" # This will appear as the "From" address
OAS_MAILADMIN="admin@example.com" # Email to copy all configs and errors to
-OAS_USERGUIDE="${OAS_USERDIR}/VPN_SETUP_GUIDE.pdf" # File guide to attach
+OAS_ATTACHMENTS="/etc/openvpn/oas_attachments/*" # File guide to attach (path to dir plus /* at end)!!!
OAS_ORGNAME="Example Company, Inc." # Company name
# MAIN SCRIPT
@@ -54,55 +54,55 @@ cd ${OAS_USERDIR}
log "Beginning user creation run"
# ldapsearch returns an array of user principals in the for loop. for each
# principal in the vpn group, we want to get the users name, guid, and email
-for i in $(
+for s_user in $(
ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP}))" | grep sAMAccountName | awk '{print $2}'
); do
# now we are in a loop - the following row(s) are run on each user in group
# is there already a dir? for right now we assume that if a directory exists we are good with that user
- log "Checking user directory for ${i}..."
- if [ -d "${OAS_USERDIR}/${i}" ]; then
- log "User directory for ${i} already already exists, no need to modify"
+ log "Checking user directory for ${s_user}..."
+ if [ -d "${OAS_USERDIR}/${s_user}" ]; then
+ log "User directory for ${s_user} already already exists, no need to modify"
# if not, lets notify and make one and do the vpn thingie
else
- log "User directory for ${i} does not exist - this must be a new user in the group"
- log "Getting user details for ${i} from directory service..."
- OAS_USRMAIL="$(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${i}))" | grep mail | awk '{print $2}')"
- OAS_USRGUID="$(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${i}))" | grep UID | awk '{print $2}')"
- OAS_USRFNAME="$(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${i}))" | grep displayName | awk '{print $(NF-1) " " $NF}')"
+ log "User directory for ${s_user} does not exist - this must be a new user in the group"
+ log "Getting user details for ${s_user} from directory service..."
+ OAS_USRMAIL="$(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${s_user}))" | grep mail | awk '{print $2}')"
+ OAS_USRGUID="$(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${s_user}))" | grep UID | awk '{print $2}')"
+ OAS_USRFNAME="$(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${s_user}))" | grep displayName | awk '{print $(NF-1) " " $NF}')"
#run another loop to see if email field is valid, if not, we have to error out!
- if [[ -n $(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${i}))" | grep mail | awk '{print $2}') ]]; then
- log "User details for ${i} pulled successfully..."
+ if [[ -n $(ldapsearch -x -D "${OAS_ADUSR}" -H "${OAS_ADURI}" -w "${OAS_ADPWD}" -s sub -b "${OAS_ADBASE}" "(&(objectCategory=user)(memberOf=${OAS_VPNGRP})(sAMAccountName=${s_user}))" | grep mail | awk '{print $2}') ]]; then
+ log "User details for ${s_user} pulled successfully..."
log "Creating user certificates..."
export KEY_NAME="${OAS_USRFNAME}"
export KEY_EMAIL="${OAS_USRMAIL}"
cd ${OAS_RSADIR}
- ${OAS_RSADIR}/pkitool ${i}
- log "Certificates created for ${i}, now starting configuration and file generation..."
- mkdir ${OAS_USERDIR}/${i}
- cp ${OAS_RSADIR}/keys/${i}.crt ${OAS_USERDIR}/${i}
- cp ${OAS_RSADIR}/keys/${i}.key ${OAS_USERDIR}/${i}
- cp ${OAS_RSADIR}/keys/ca.crt ${OAS_USERDIR}/${i}
- cp ${OAS_RSADIR}/keys/dh2048.pem ${OAS_USERDIR}/${i}
+ ${OAS_RSADIR}/pkitool ${s_user}
+ log "Certificates created for ${s_user}, now starting configuration and file generation..."
+ mkdir ${OAS_USERDIR}/${s_user}
+ cp ${OAS_RSADIR}/keys/${s_user}.crt ${OAS_USERDIR}/${s_user}
+ cp ${OAS_RSADIR}/keys/${s_user}.key ${OAS_USERDIR}/${s_user}
+ cp ${OAS_RSADIR}/keys/ca.crt ${OAS_USERDIR}/${s_user}
+ cp ${OAS_RSADIR}/keys/dh2048.pem ${OAS_USERDIR}/${s_user}
# now we need to make a config file... let's try using a template as a header and adding certs
- cat ${OAS_OVPNTPL} > ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
- cat ${OAS_USERDIR}/${i}/ca.crt >> ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
- cat ${OAS_USERDIR}/${i}/dh2048.pem >> ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
- cat ${OAS_USERDIR}/${i}/${i}.crt >> ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
- cat ${OAS_USERDIR}/${i}/${i}.key >> ${OAS_USERDIR}/${i}/${i}.ovpn
- echo '' >> ${OAS_USERDIR}/${i}/${i}.ovpn
+ cat ${OAS_OVPNTPL} > ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ cat ${OAS_USERDIR}/${s_user}/ca.crt >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ cat ${OAS_USERDIR}/${s_user}/dh2048.pem >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ cat ${OAS_USERDIR}/${s_user}/${s_user}.crt >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ cat ${OAS_USERDIR}/${s_user}/${s_user}.key >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
+ echo '' >> ${OAS_USERDIR}/${s_user}/${s_user}.ovpn
log "Configuration created, now trying to email configuration file to the user"
- echo -e "to: ${OAS_USRMAIL}\ncc: ${OAS_MAILADMIN}\nsubject: ${OAS_MAILSUBJ}\nHello,\nThis email is from ${OAS_ORGNAME} You are receiving it because your account has been granted remote access privileges via a secure VPN client.\nPlease review the attached PDF user guide and contact your support personell with any questions or problems. You will also need to download and save the attached .ovpn file.\nIMPORTANT! Please do NOT share the information contained in this email or the attached key file with anyone! This file identifies your computer to the network, and any other use opens the company network for hacking or other malicious behaviour.\nNOTE: You will be prompted for a user name and password when connecting to the VPN client. Your username will be your domain login (${i}) and your password is the same as your domain password.\n" | (cat - && uuencode ${OAS_USERDIR}/${i}/${i}.ovpn ${i}.ovpn && uuencode ${OAS_USERGUIDE} VPN_SETUP_GUIDE.pdf) | /usr/sbin/sendmail -t -F ${OAS_MAILFROM}
+ echo -e "to: ${OAS_USRMAIL}\ncc: ${OAS_MAILADMIN}\nsubject: ${OAS_MAILSUBJ}\nHello ${OAS_USRFNAME},\n\nThis email is from ${OAS_ORGNAME} You are receiving it because your account has been granted remote access privileges via a secure VPN client.\n\nThere should be multiple attachments to this email. One is your OpenVPN configuration file (${s_user}.ovpn), and at least one User Guide document, though your administrator may have attached additional documents specific to your network. Please review the attached guides before contacting your support personell if you have any questions or problems.\n\nIMPORTANT! Please do NOT share the information contained in this email or the attached key file with anyone! This file identifies your computer to the network, and any other use opens the company network for hacking or other malicious behaviour.\n\nNOTE: You will be prompted for a user name and password when connecting to the VPN client. Your username will be your domain login name (${s_user}) and your password is the same as your domain password.\n" | (cat - && uuencode ${OAS_USERDIR}/${s_user}/${s_user}.ovpn ${s_user}.ovpn && for s_file in ${OAS_ATTACHMENTS}; do uuencode "${s_file}" "$(basename "${s_file}")"; done) | /usr/sbin/sendmail -t -F ${OAS_MAILFROM}
log "Emailed configuration file to user email address ${OAS_USRMAIL}"
log "If they do not receive their email, just copy and paste the file from the server or re-run"
else
- log "ERROR - no email address stored in directory for user ${i}. You must set an email address!"
+ log "ERROR - no email address stored in directory for user ${s_user}. You must set an email address!"
fi
# go back to user dir!!!
cd ${OAS_USERDIR}