openvpn LDAP用户自动固定客户端IP地址

_openvpn_server.conf

#LDAP
plugin /usr/local/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf" 
#plugin /usr/local/lib/openvpn/openvpn-otp.so "password_is_cr=1 otp_secrets=/etc/openvpn/auth/otp-secrets"



#script-security 2
script-security 3
# untrusted state
#client-connect      /etc/openvpn/scripts/client-connect.sh
auth-user-pass-verify /etc/openvpn/scripts/assignip.sh via-env

#openvpn LDAP用户自动固定客户端IP地址

#原理，使用LDAP以后，新用户登陆以后openvpn会获取到用户的用户名，密码哈希，客户端IP，客户端版本等信息(通过env传递)。
#新用户登录以后从ipaddr.txt获取第一个地址，写入ccd目录中以用户名命令的文件，然后将第一个地址从ipaddr.txt删除
#当用户再次登录后，成为老用户，从ccd目录中读取自己用户名文件，读出IP地址。
#这里的ipaddr.txt是一个提前写入的IP地址库文件。

example_ccd_user

example_ccd_user 
```
ifconfig-push 10.127.208.43 255.255.252.0
```

ipaddr.txt

10.127.209.13
10.127.209.14
10.127.209.15
10.127.209.16
#我的openvpn配置中topology subnet，所以IP地址是连续的，如果是topology net30，需要自行更换。

scripts_assignip.sh

#!/bin/bash

# username and common_name must be the same to allow access.
# users are not allowed to share their cert
#if [ $username != $common_name ]; then
#   echo "$(date +%Y%m%d-%H%M%S) DENIED  username=$username cert=$common_name" >> /var/log/openvpn-access.log
#   exit 1
#fi

enviroment="`env | awk '{printf "%s ", $0}'`"
echo "`date +'%y-%m-%d %H:%M'` - $enviroment" >> /var/log/openvpn-access.log

if [[ -f /etc/openvpn/server/ccd/$username  ]]
then
	echo "$username exist."
else
	#pick ip
	staticip="`/bin/head -1 /etc/openvpn/server/db/ipaddr.txt`"
	#remove ip
	/bin/sed -i '1d' /etc/openvpn/server/db/ipaddr.txt
	echo "Assign $staticip 255.255.252.0 to $username" >> /var/log/openvpn-access.log
	#write to file
	echo "ifconfig-push $staticip 255.255.252.0" > /etc/openvpn/server/ccd/$username

fi

#always right
exit 0