From 92ee8452079ce3a11c16cd36faaf325704dbaf2b Mon Sep 17 00:00:00 2001
From: Jeremy Dubois
Date: Mon, 14 Jun 2021 14:30:34 +0200
Subject: [PATCH] New script cn-validation.sh for OpenVPN
---
cn-validation.sh | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
create mode 100644 cn-validation.sh
diff --git a/cn-validation.sh b/cn-validation.sh
new file mode 100644
index 0000000..f6710b8
--- /dev/null
+++ b/cn-validation.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# cn-validation.sh is a client-connect script for OpenVPN server
+# When connecting using the PAM plugin, it allow clients to connect only if their CN is equal to their UNIX username
+#
+# You need this parameters in your's server config :
+#
+# script-security 2
+# client-connect /cn-validation.sh
+#
+
+set -u
+
+if [ "${common_name}" = "${username}" ]; then
+ logger -i -t openvpn-cn-validation -p auth.info "Accepted login for ${common_name} from ${trusted_ip} port ${trusted_port}"
+ exit 0
+else
+ logger -i -t openvpn-cn-validation -p auth.notice "Failed login for CN ${common_name} / username ${username} from ${trusted_ip} port ${trusted_port}"
+fi
+
+exit 1
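Review bot: Both `logger` lines expand `${trusted_ip}` and `${trusted_port}` under `set -u`, so a session where OpenVPN does not export one of them aborts the script before `exit 0`; as far as I know an IPv6 peer gets `trusted_ip6` instead of `trusted_ip`, which would reject a matching client with no log entry at all. The accept/reject decision should not depend on log-only variables: set `peer="${trusted_ip:-${trusted_ip6:-unknown}}"` and `port="${trusted_port:-unknown}"` before the `if` and log those, leaving `set -u` to fail closed only on `common_name` and `username`. The header comment should also say that the server config must not enable `username-as-common-name`, since that option (as I understand it) replaces `common_name` with the authenticated username and would make the comparison always true.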