OPNsense Forum

English Forums => General Discussion => Topic started by: Wyrm on July 19, 2018, 03:52:45 pm

Title: Adding 400 users to local user manager
Post by: Wyrm on July 19, 2018, 03:52:45 pm
Hi,
For one customer I need to add around 400 users to the local user manager. These users will be used for the captive portal. Is there some limit on it? How many users can be in the system?

I have found that it is possible with an XML configuration file which I restore, but only the system part, where I manually edit the xml file and add user details...but it is not so comfortable...

Does anybody have some good advice on how to add them with some script? Or is there any other option for adding them?
I have them in an Excel table with fields First Name, Surname, Mail and Password. Customers will accept mail as username and I will give all of them the same password. Each user will then change their password in the web GUI.

Thanks for some reply..

 
Title: Re: Adding 400 users to local user manager
Post by: bartjsmit on July 20, 2018, 08:20:34 am
Are these users in a directory somewhere? My first port of call would be Radius.

Bart...
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on July 20, 2018, 10:55:42 pm
Hi,
I have only an Excel table with names, mails and details.

They are in the customer's Google education account - so they are all Google accounts, but the customer could not use two-factor authentication. So they are in Google, but I have only the exported table in Excel...

Is there some way to create them?
Title: Re: Adding 400 users to local user manager
Post by: fabian on July 20, 2018, 11:08:38 pm
Convert it to a CSV, read it line by line and use a shell script with curl to add them to the freeradius plugin via the API. Then authenticate against the local freeradius.
Title: Re: Adding 400 users to local user manager
Post by: fvanroie on July 21, 2018, 10:28:44 pm
If you have PowerShell installed on a workstation, you can easily import the users using my PS_OPNsense PowerShell Module (https://github.com/fvanroie/PS_OPNsense). It's still in development but this should work:

Code: [Select]
Import-Module PS_OPNsense
# $url and $apicredential must be set beforehand.
# -SkipCertificateCheck turns off TLS certificate validation for this connection.
Connect-OPNsense -Url $url -Credential $apicredential -SkipCertificateCheck

# Import users from CSV file
$users = Import-Csv -Path U:\opnsense\passwords.csv

# Loop the users
foreach ($user in $users) {
    # Build the Freeradius user JSON string; ConvertTo-Json escapes quotes and
    # backslashes in the values, which a format string would pass through raw
    $json = @{ user = @{ enabled = 1; password = $user.password; username = $user.username } } | ConvertTo-Json -Compress

    # Invoke the API call to create the user
    Invoke-OPNsenseCommand -Module freeradius -Controller user -Command adduser -Json $json -Method POST
}

# List all the Freeradius users
Get-OPNsenseItem -Freeradius User

Disconnect-OPNsense

I'm biassed towards PowerShell and it is very suitable for jobs like this. The Invoke-Command is a bit of a hack because I haven't implemented the New-OPNsenseItem cmdlet yet. But once you get the hang of the API it's fairly straightforward to script against OPNsense.
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on August 31, 2018, 10:01:28 am
Hi,
I have tried to use the API, but PowerShell shows errors when I want to connect to the OPNsense server:

Connect-OPNsense : Cannot process argument transformation on parameter 'Secret'. Cannot convert the "<secret code>" value of type "System.String" to type "System.Security.SecureString".
At line:2 char:149
+ ... 4Uq -Secret <secret code> ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Connect-OPNsense], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Connect-OPNsense

When I try to use this function it also needs authentication and when I fill in login and password it is not accepting it...

What is needed to work with the API other than the API key?

Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 01, 2018, 01:58:57 am
Hi,
I have found the problem itself - I had typed a space " " in the secret key, so the script showed errors. Now I corrected this and connect works. I will prepare the user import script and I hope it will do the work  ;)
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 01, 2018, 01:26:09 pm
So I tested your script and the connection to the server works but adding users does not work. It simply does not add users.
Is there some other command I could run to add users? Or is there some problem with the syntax? I tried to send commands directly and the response was "failed".

Thanks for answer
Title: Re: Adding 400 users to local user manager
Post by: mimugmail on September 01, 2018, 03:00:36 pm
Did you realize that it's for the FreeRADIUS plugin? It's not for real local users, so it also won't work with 2FA.
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 02, 2018, 12:42:36 pm
I know it. But the customer does not want to use 2FA. So I only need to put the users in. Is there any possibility to make a script to add users to the local user manager? I mean not radius but normal users?
I do not see any info in the API reference about a possibility to add a user.
Is there some way?
Title: Re: Adding 400 users to local user manager
Post by: mimugmail on September 02, 2018, 02:00:16 pm
Local Users are not API enabled
Title: Re: Adding 400 users to local user manager
Post by: franco on September 03, 2018, 03:48:42 pm
Still, you could point a new Auth Server to the internal FreeRADIUS plugin and use it for system authentication.
Title: Re: Adding 400 users to local user manager
Post by: mimugmail on September 03, 2018, 07:32:14 pm
How is 2FA implemented in the system? Perhaps it's possible to connect it with Radius Users?
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 03, 2018, 09:16:04 pm
Quote from: franco on September 03, 2018, 03:48:42 pm
Still, you could point a new Auth Server to the internal FreeRADIUS plugin and use it for system authentication.

I could, but there is still the problem of how to put all the users from the csv file into the system. It is the main problem...I have to put them all in by hand now...or is there another possibility?
Title: Re: Adding 400 users to local user manager
Post by: fabian on September 03, 2018, 09:22:10 pm
A simple shell script adding one per row?

Code: [Select]
cat file.csv | while read -r line; do
    c1=$(echo "$line" | cut -d',' -f1)
    ...
    curl ... -H "Content-Type: application/json" --data "{json data}"
done
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 03, 2018, 09:45:46 pm
Quote from: fabian on September 03, 2018, 09:22:10 pm
a simple shell script adding one per row?
cat file.csv | while read line; do
c1=$(echo $line | cut -d',' -f1)
...
curl ... -H "Content-Type: application/json" --data "{json data}"
done;

I am sorry, I do not understand much...I have a .csv file and the format of every row is:
username;e-mail;password;fullname
How will the whole script look, or where is the command to add a user?

I have the PowerShell module by fvanroie and for now it only connects to the OPNsense server by using the API key and secret. The script he posted here is not adding any users. I tried to modify the .csv file to only have password and username there and it did not help.

So I do not know how to do it exactly...

Title: Re: Adding 400 users to local user manager
Post by: fabian on September 03, 2018, 10:23:35 pm
Quote from: Wyrm on September 03, 2018, 09:45:46 pm
I am sorry, I do not understand much...I have a .csv file and the format of every row is:
username;e-mail;password;fullname

Code: [Select]
username=$(echo "$line" | cut -d';' -f1)
mail=$(echo "$line" | cut -d';' -f2)
password=$(echo "$line" | cut -d';' -f3)
fullname=$(echo "$line" | cut -d';' -f4)

Data extraction from the line is done - the rest is posting using curl. However, this is shell scripting (Linux/BSD) and not PowerShell.
The curl command only needs -u "user:password" (the two access token values) and the correct JSON structure as mentioned earlier.

Quote from: Wyrm on September 03, 2018, 09:45:46 pm
How will the whole script look, or where is the command to add a user?

I think you can assemble the parts now ;)

Quote from: Wyrm on September 03, 2018, 09:45:46 pm
I have the PowerShell module by fvanroie and for now it only connects to the OPNsense server by using the API key and secret. The script he posted here is not adding any users. I tried to modify the .csv file to only have password and username there and it did not help.

Mine is just a small hint for you to get it done :)
For example, instead of curl you can output the variable using echo $username to see the content. The JSON structure can be captured from the web interface (it is using the same API).
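
The parts from this thread assembled into one script, as an added example that is not part of any post: it reads the username;e-mail;password;fullname rows, JSON-escapes each value, and hands the payload to curl on stdin. OPN_URL, OPN_KEY and OPN_SECRET are hypothetical variable names, the endpoint path is assumed from the module/controller/command named earlier in the thread, and the sample rows are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. Rows: username;e-mail;password;fullname
# Assumptions: OPN_URL, OPN_KEY, OPN_SECRET are hypothetical variable names; the
# endpoint path is inferred from the module/controller/command named in the thread.

# Escape backslash and double quote so a value is safe inside a JSON string.
# (Control characters are not handled; a password containing ';' shifts fields.)
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the FreeRADIUS user payload in the structure posted earlier in the thread.
build_payload() {  # $1=username $2=password
    printf '{"user":{"enabled":1,"password":"%s","username":"%s"}}' \
        "$(json_escape "$2")" "$(json_escape "$1")"
}

# Process CSV file $1. With OPN_URL unset this is a dry run that prints payloads.
import_users() {
    tr -d '\r' < "$1" |
    while IFS=';' read -r username mail password fullname || [ -n "$username" ]; do
        # Skip the header row and rows without a username or password.
        if [ -z "$username" ] || [ -z "$password" ] || [ "$username" = "username" ]; then
            continue
        fi
        if [ -z "${OPN_URL:-}" ]; then
            build_payload "$username" "$password"; echo
        else
            # Payload goes to curl on stdin, so passwords stay out of the process list.
            build_payload "$username" "$password" |
                curl -sS --fail -u "$OPN_KEY:$OPN_SECRET" \
                    -H "Content-Type: application/json" --data @- \
                    "$OPN_URL/api/freeradius/user/adduser" || echo "FAILED: $username" >&2
            echo
        fi
    done
}

# Constructed sample rows: a password with a quote and a backslash, one bad row.
write_sample() {
    cat > "$1" <<'EOF'
username;e-mail;password;fullname
alice@example.org;alice@example.org;Pa"ss\1;Alice A
;missing@example.org;x;No Username
bob@example.org;bob@example.org;hunter2;Bob B
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && import_users "$tmp"; rm -f "$tmp"
```

Run it once without OPN_URL to inspect the payloads before sending anything. The API key and secret are still passed with -u on the curl command line, as suggested in the thread.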
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 04, 2018, 01:06:28 am
Is it usable for local system manager users?
Title: Re: Adding 400 users to local user manager
Post by: mimugmail on September 04, 2018, 06:01:45 am
Quote from: Wyrm on September 04, 2018, 01:06:28 am
Is it usable for local system manager users?

No, only with Freeradius plugin.
What exactly do you want to achieve with these local users?
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 04, 2018, 08:10:48 am
I need them to log in to the captive portal and later for more services.
They will also have access to the GUI to change passwords and other aspects.
The customer does not have any Windows server to hold their users and needs to use these users to connect to his wifi and needs to apply some filtering and proxy.
I think it is better to have them as local users because when they decide to use 2FA they could...

Is it possible to add them in some batch from the shell?
Title: Re: Adding 400 users to local user manager
Post by: mimugmail on September 04, 2018, 08:16:00 am
You have to pre-check for what exactly. Also when using OpenVPN Radius can be used. Only downside would be you won't get a client certificate for each user.

Captive Portal and OpenVPN with only user/pw is fine with Radius.
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 04, 2018, 08:41:57 am
It is better not to use Radius. In future they may need certificates, because it is a school and there is now a strong impact on security (EU GDPR)...
Title: Re: Adding 400 users to local user manager
Post by: Wyrm on September 04, 2018, 11:19:40 pm
Is there some option to do anything for users in the local manager by some script?
When I save the configuration - it is in XML. There is a part in the system tree in the xml and it contains users...
The format is like this:
<user>
      <password>password</password>
      <scope>user</scope>
      <name>name</name>
      <descr>some descript</descr>
      <expires/>
      <authorizedkeys/>
      <ipsecpsk/>
      <otp_seed/>
      <email>some@some.xx</email>
      <uid>user id number</uid>
</user>
   
So is it possible to have some import option to make an xml file with this structure to add users?