@towo
Last active September 11, 2018 13:39
OU verification script for OpenVPN tls-verify.
#!/usr/bin/perl
## vim: set syn=on ts=4 sw=4 sts=0 et foldmethod=indent:
## purpose: check if value exists in multi-valued ou
## copyright: B1 Systems GmbH <info@b1-systems.de>, 2018.
## license: GPLv3+, http://www.gnu.org/licenses/gpl-3.0.html
## author: Tobias Wolter <tobias.wolter@b1-systems.de>, 2018.
## version: 1.0
## Source for this is the verify-cn sample from OpenVPN:
## https://github.com/OpenVPN/openvpn/blob/master/sample/sample-scripts/verify-cn
## Original author isn't known.
## For this to work as intended, the OU will need to be formatted like OU=foo,bar,baz.
use strict;
use warnings;

die "usage: verify-ou search certificate_depth subject\n" if (@ARGV != 3);

# Parse out arguments:
#   search -- The substring you are searching for in the OU
#   depth  -- The current certificate chain depth. In a typical
#             bi-level chain, the root certificate will be at level
#             1 and the client certificate will be at level 0.
#             This script will be called separately for each level.
#   x509   -- the X509 subject string as extracted by OpenVPN from
#             the client's provided certificate.
my ($search, $depth, $x509) = @ARGV;

if ($depth == 0) {
    # If depth is zero, we know that this is the final
    # certificate in the chain (i.e. the client certificate),
    # and the one we are interested in examining.
    # If so, parse out the organizational unit substring in
    # the X509 subject string.
    # Expects the slash-separated subject form, e.g.
    #   /C=DE/O=Example/OU=foo,bar,baz/CN=client
    $x509 =~ s{(^/|/$)}{}g;
    my %components = split /[\/=]/, $x509;
    # Split the multi-valued OU on commas; an absent OU yields an empty list.
    my @ous = split /,/, ($components{'OU'} // '');
    # \Q...\E matches $search literally, so regex metacharacters in the
    # configured search value cannot widen the match.
    if (grep { /\Q$search\E/ } @ous) {
        # found
        exit 0;
    }
    # Authentication failed -- Either we could not parse
    # the X509 subject string, or none of the OU values
    # contained the passed search argument.
    exit 1;
} else {
    # If depth is nonzero, tell OpenVPN to continue processing
    # the certificate chain.
    exit 0;
}
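As an added example that is not part of the gist, the same OU check in Python, extended with an exact-element match placed beside the gist's substring match so the difference between the two is visible (a search for `admin` matching an OU value of `admins`). It assumes the slash-separated subject form the gist parses; the function names and the sample subjects are constructed for this illustration.

```python
def parse_subject(subject):
    """Parse a slash-separated X509 subject such as
    '/C=DE/O=Example/OU=foo,bar,baz/CN=client' into a dict.
    Each RDN is split on the first '=' only, so '=' inside a value survives."""
    components = {}
    for rdn in subject.strip("/").split("/"):
        if "=" not in rdn:
            continue  # malformed fragment: skip it rather than crash
        key, value = rdn.split("=", 1)
        components[key] = value
    return components


def ou_values(subject):
    """Return the OU as a list, splitting the multi-valued 'foo,bar,baz' form."""
    ou = parse_subject(subject).get("OU", "")
    return [v for v in ou.split(",") if v]


def ou_has_exact(subject, wanted):
    """True only if one OU element equals the wanted value."""
    return wanted in ou_values(subject)


def ou_has_substring(subject, wanted):
    """Mirrors the gist's grep(/\\Q$search\\E/, @ous): any element containing it."""
    return any(wanted in v for v in ou_values(subject))


def tls_verify(depth, subject, wanted, exact=True):
    """Return the exit status a tls-verify hook hands back to OpenVPN:
    0 to accept, 1 to reject. Non-leaf certificates (depth != 0) are
    passed through unchecked, exactly as the gist does."""
    if depth != 0:
        return 0
    matcher = ou_has_exact if exact else ou_has_substring
    return 0 if matcher(subject, wanted) else 1


if __name__ == "__main__":
    # Constructed sample subjects, not taken from a real deployment.
    leaf = "/C=DE/O=Example/OU=vpn-users,admins/CN=alice"
    print("exact  'admin':", tls_verify(0, leaf, "admin"))          # 1 (rejected)
    print("substr 'admin':", tls_verify(0, leaf, "admin", exact=False))  # 0 (accepted)
```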