From e00cc20e931163a965a69f51d2f7a53e12636a05 Mon Sep 17 00:00:00 2001
From: Josh North
Date: Wed, 3 Dec 2014 14:45:54 -0500
Subject: [PATCH] Update ovpn-ad-sync.sh

---
 ovpn-ad-sync.sh | 69 +++++++++++++++++++++----------------------
 1 file changed, 30 insertions(+), 39 deletions(-)

diff --git a/ovpn-ad-sync.sh b/ovpn-ad-sync.sh
index 6fcdf81..e92a0df 100755
--- a/ovpn-ad-sync.sh
+++ b/ovpn-ad-sync.sh
@@ -1,46 +1,37 @@
 #!/bin/bash
-# 2014-12-01
-# Josh North - josh.north@point808.com
-#
-# ovpn-ad-sync.sh
-#
-# This script is a very rudimentary hack to fill my purpose. It may or may not
-# work for you. It could also be put to use with LDAP with minimal
-# modification.
-# Theory: basically, the script should be run on a cron schedule. At run, it
-# searches all users in a specified AD group. It then checks to see if
-# subdirectories exist for the user, if not, it decides to create them. It
-# then loops through to look for directories that do not have a corresponding
-# user in the AD list and deletes them. It technically (at this point) does
-# not revoke access and restart the vpn, this is IMPORTANT, because in my setup
-# we are authenticating against AD anyway as a second layer. This is not fully
-# secure but like I said, it is a major work in progress.
-#
-# requirements:
-# sendmail (written for ssmtp version) uuencode (part of sharutils) ldap-client, etc
-# THE FOLLOWING VARIABLES MUST BE MODIFIED TO MATCH YOUR ENVIRONMENT OR BAD
-# THINGS WILL HAPPEN!!!
-OAS_ADUSR="oas_user@EXAMPLE.COM" # user@domain.tld or full DN
-OAS_ADPWD="oas_user" # we will change this later
-OAS_ADBASE="dc=example,dc=com" # search base
-OAS_ADURI="ldap://192.168.1.21" # full URI required
-OAS_VPNGRP="cn=OpenVPNUsers,cn=Users,dc=example,dc=com" # full group DN
-OAS_USERDIR="/etc/openvpn/oas_clients" # full path to user configs
-OAS_RSADIR="/etc/openvpn/rsa" # full path to easy-rsa root
-OAS_LOGFILE="/var/log/oas.log" # log file
-OAS_LOGRET=10 # lines of old log to keep
-OAS_OVPNTPL="${OAS_USERDIR}/template.ovpn" # template file to use for clients
-OAS_MAILSUBJ="Example Company - VPN Information" # subject line of email
-OAS_MAILFROM="admin@example.com" # email from appearance
-OAS_MAILADMIN="admin@example.com" # email to send errors and config cc
-OAS_USERGUIDE="${OAS_USERDIR}/VPN_SETUP_GUIDE.pdf" # pdf or other common file guide for users
-OAS_ORGNAME="Example Company, Inc."
+# ovpn-ad-sync
+#
+# Description:
+# Script to synchronize AD/LDAP users with OpenVPN config files and email user certificates and a setup guide to end users. This script is a very rudimentary hack to fill my purpose. It may or may not work for you. It could also be put to use with LDAP with minimal modification even though I wrote it for an Active Directory environment.
+# Author:
+# Josh North 2014-12-01
+# josh.north@point808.com
+# Free for use and modification. Credit is appreciated if you do anything with it but nothing is required.
+# Theory:
+# Basically, the script should be run on a cron schedule. At run, it searches all users in a specified AD group. It then checks to see if subdirectories exist for the user, if not, it decides to create them. It then loops through to look for directories that do not have a corresponding user in the AD list and deletes them. It technically (at this point) does not revoke access and restart the vpn, this is IMPORTANT, because in my setup we are authenticating against AD anyway as a second layer. This is not fully secure but like I said, it is a major work in progress.
+#
+# Instructions:
+# Please see README.md in the root of this github project or your cloned directory
-# END OF VARIABLES
-# READ, BUT DON'T TOUCH THE FOLLOWING UNLESS YOU KNOW WHAT YOU ARE DOING
-# AND IF YOU DON'T KNOW WHAT YOU ARE DOING YOU PROBABLY SHOULDN'T BE USING THIS!!!
+# VARIABLES
+OAS_ADUSR="oas_user@EXAMPLE.COM" # User@domain.tld or full DN
+OAS_ADPWD="oas_user" # We will change this later
+OAS_ADBASE="dc=example,dc=com" # Search base
+OAS_ADURI="ldap://192.168.1.21" # Full URI required
+OAS_VPNGRP="cn=OpenVPNUsers,cn=Users,dc=example,dc=com" # Full group DN
+OAS_USERDIR="/etc/openvpn/oas_clients" # Full path to user configs
+OAS_RSADIR="/etc/openvpn/rsa" # Full path to easy-rsa root
+OAS_LOGFILE="/var/log/oas.log" # Log file
+OAS_LOGRET=10 # Lines of old log to keep
+OAS_OVPNTPL="${OAS_USERDIR}/template.ovpn" # Template file to use for clients
+OAS_MAILSUBJ="Example Company - VPN Information" # Subject line of email
+OAS_MAILFROM="admin@example.com" # This will appear as the "From" address
+OAS_MAILADMIN="admin@example.com" # Email to copy all configs and errors to
+OAS_USERGUIDE="${OAS_USERDIR}/VPN_SETUP_GUIDE.pdf" # File guide to attach
+OAS_ORGNAME="Example Company, Inc." # Company name
+# MAIN SCRIPT
 # easy logger function from http://mostlyunixish.franzoni.eu/
 function logsetup { TMP=$(tail -n $OAS_LOGRET $OAS_LOGFILE 2>/dev/null) && echo "${TMP}" > $OAS_LOGFILE
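Review bot: `OAS_ADPWD="oas_user" # We will change this later` still keeps the AD bind password as a plain-text literal inside a script checked in with mode 100755, and the rewritten comment only defers the problem; the new header block is the right place to say where the credential should live instead. Read it at run time from a root-only file or the environment, e.g. `OAS_ADPWD=$(< "${OAS_ADPWDFILE:?path to bind-password file}")` (placeholder variable name), and document in the header that the file must not be readable by other users and that the value should not be passed on a command line where process listings can see it. In the trailing context, `tail -n $OAS_LOGRET $OAS_LOGFILE` and `> $OAS_LOGFILE` leave the expansions unquoted; those lines are not part of this change, but quoting them as `"$OAS_LOGRET" "$OAS_LOGFILE"` costs nothing while the variables are being re-documented. The logsetup function continues past the end of the hunk.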