Messages - xupetas

#31
Thank you. As soon as my users let me I will take the proxy offline and test.
#32
Now you lost me.

Proxy: Login - "imported from LDAP and given the privilege "Proxy: Login"

How can I import a user from LDAP into the OPNsense users?

The webgui always asks me for a password as if I were creating a local user. That kind of defeats the purpose of centralized user authentication, and the need for a specific privilege inside OPNsense - and not being a part of an LDAP group - also defeats the plus of permissions being imported from a centralized user authentication service.

This is already being done by the IPsec auth modules: I can make a user authenticate and connect without needing any special permissions, with everything login related being controlled by the LDAP directory service.

Is this possible?

Many Thanks!!
#33
"Well, it looks like LDAP wasn't configured for Squid"

My bad. I had it disabled when I sent the logs, so it would not mess with the auth done by the basic_ldap_auth method.

# opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid
# opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid
# opnsense-login -s ipsec -u xupetas
Password:
User xupetas successfully authenticated for service ipsec

With the method enabled in squid, I am getting:

May 24 11:33:26 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\LDAP
May 24 11:33:26 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 11:35:19 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\LDAP
May 24 11:35:19 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 11:35:26 vparfw01 opnsense: user xupetas authenticated successfully for ipsec [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP]


Thanks for your help. Any insight?
#34
Hello Franco,

clog /var/log/system.log
(empty)

There is something wrong in the squid auth module:

May 24 08:38:48 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\Local
May 24 08:38:48 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 08:39:13 vparfw01 opnsense-login: in prompt_tty(): caught signal 2
May 24 08:39:25 vparfw01 opnsense: user xupetas authenticated successfully for ipsec [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP]


In the logs, I tried to log in with the same credentials on my IPsec VPN and my squid. Please note the difference in the log:

On SQUID:  OPNsense\Auth\Local
On IPSEC: OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP

The second one goes on to try LDAP. The PAM one stays put on the local users and does not go to LDAP.
Does this help?

If not, I will try to set up a dummy null-routed OPNsense with some of my config so you can access it and see what's wrong.

Xupetas
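An added example (not from this thread and not OPNsense code) that parses the opnsense auth log lines quoted in this post and the previous one. It separates the success form from the "failed constraints" form, where the backend accepted the password but the service-level check (the "Proxy: Login" privilege mentioned earlier in the thread) rejected the user, and reports which backend handled the login; the sample lines are copied from the posts above and the triage wording is my reading of the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns for the two "opnsense:" auth log forms quoted in the thread.
OK_RE = re.compile(
    r"user (?P<user>\S+) authenticated successfully for (?P<service>\S+) "
    r"\[using (?P<svc_class>\S+) \+ (?P<backend>\S+)\]"
)
CONSTRAINT_RE = re.compile(
    r"user (?P<user>\S+) could not authenticate for (?P<service>\S+), "
    r"failed constraints on (?P<svc_class>\S+) authenticated via (?P<backend>\S+)"
)

@dataclass
class AuthEvent:
    user: str
    service: str
    backend: str   # e.g. OPNsense\Auth\LDAP or OPNsense\Auth\Local
    outcome: str   # "success" or "constraint_failed"

def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one syslog line; None for lines that carry no user/backend
    (e.g. the opnsense-login/openpam echo lines)."""
    if " opnsense: " not in line:
        return None
    m = OK_RE.search(line)
    if m:
        return AuthEvent(m["user"], m["service"], m["backend"], "success")
    m = CONSTRAINT_RE.search(line)
    if m:
        # Password was accepted by the backend; the service's own
        # check (for squid, the "Proxy: Login" privilege) rejected the user.
        return AuthEvent(m["user"], m["service"], m["backend"], "constraint_failed")
    return None

def diagnose(ev: AuthEvent) -> str:
    """One-line triage hint, following the conclusions reached in the thread."""
    if ev.outcome == "success":
        return f"{ev.service}: OK via {ev.backend}"
    if ev.backend.endswith("\\Local"):
        return (f"{ev.service}: Local backend handled the login; "
                "LDAP is not configured as this service's authentication server")
    return (f"{ev.service}: credentials accepted by {ev.backend}, "
            "but the user lacks the service privilege (e.g. 'Proxy: Login')")

# Sample input copied from the posts above (constructed test data for this example).
SAMPLE_LOG = r"""May 24 11:33:26 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\LDAP
May 24 11:33:26 vparfw01 opnsense-login: in openpam_dispatch(): all modules were unsuccessful for pam_sm_authenticate()
May 24 08:38:48 vparfw01 opnsense: user xupetas could not authenticate for squid, failed constraints on OPNsense\Auth\Services\Squid authenticated via OPNsense\Auth\Local
May 24 11:35:26 vparfw01 opnsense: user xupetas authenticated successfully for ipsec [using OPNsense\Auth\Services\IPsec + OPNsense\Auth\LDAP]""".splitlines()

def triage(lines: List[str]) -> List[str]:
    """Diagnosis for every parseable auth line, in input order."""
    return [diagnose(ev) for ev in map(parse_line, lines) if ev is not None]

if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG):
        print(hint)
```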
#35
#  opnsense-login -s squid -u xupetas
Password:
User xupetas NOT authenticated for service squid

And the user exists in the LDAP, is valid and unlocked, and I see queries being sent to the LDAP server.
Also, if I go via the webgui, in the tester section I can authenticate the user xupetas without issues.

Is there a log where I can see the error from within OPNsense?
#36
Hi Franco,

The auth using basic_pam_auth does not work. And if I test the auth via the system/access/tester it works perfectly.

Why, if it's working the same way? Is there any log where I can check the error?

Thanks
Nuno
#37
Hello,

Since my upgrade from 19.1.4 to 19.1.7 my LDAP auth with squid stopped working.
I've looked inside my backups and found that the auth part of squid.conf has changed:

From:
auth_param basic program /usr/local/etc/inc/plugins.inc.d/squid/auth-user.php

To:
auth_param basic program  /usr/local/libexec/squid/basic_pam_auth -o

What happened to the original basic program auth-user.php? Was it discontinued? How was it replaced?

It is still possible to authenticate against an LDAP server with a few lines of configuration:

auth_param basic program  /usr/local/libexec/squid/basic_ldap_auth -b "dc=net,dc=xpto" -f "uid=%s" ipa.net.xpto:33389 -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxxxxx


external_acl_type memberof %LOGIN /usr/local/libexec/squid/ext_ldap_group_acl -P -R -b "dc=net,dc=xpto" -D uid=query_squid_bind,cn=users,cn=accounts,dc=net,dc=xpto -w xxxxxx -h ipa.net.xpto:33389 -f "(&(objectclass=*)(memberof=cn=app_squid_users,cn=groups,cn=accounts,dc=net,dc=xpto)(uid=%uid))"


This works fine, but it's a deviation from using the webgui and I would like to avoid it.
How can LDAP auth be made to work with the configuration passed by the GUI?
What am I missing?

Can you help me please?
Thanks
#38
It appears that that did the trick, both on dev and production ranges.

Thanks very much for your help!
#39
Hello All!

I've finally got around to upgrading to the latest version 19.1.3 on my homelab servers, and on an AMD Phenom I am getting an endless panic/reboot cycle.

OPNsense runs on a Linux/KVM system, and the interaction is throwing a KVM: Guest triggered AMD Erratum 383.
I've done all I knew on the KVM side (CPU passthrough) and nothing. Sometimes it boots. Sometimes it reboots endlessly.

What am I missing? To the best of my knowledge this was not happening on 19.1.

EDIT: Tested upgrading it to the Dev version and the issue is not felt there. The only thing I can think of is that FreeBSD is having a tantrum.
In 19.1 the version is FreeBSD 11.2-RELEASE-p9-HBSD, on 19.7 the version is FreeBSD 11.2-RELEASE-p8-HBSD.
From p9 to p8. Why the downgrade?

EDIT2: Nope... just crashed again with the same error KVM: Guest triggered AMD Erratum 383. It appears that it is felt also on 19.7.

Can you please help me?

Thanks!
#40
19.1 Legacy Series / Re: 19.1 bootloop
February 18, 2019, 10:32:08 AM
It has to do with an old amd cpu bug.

To work around it, create this file:  /boot/loader.conf.local

Inside put this:

hint.hpet.0.clock=0
hint.ahci.0.msi=2
hint.sdhci_pci.0.disabled=1
hint.sdhci_pci.1.disabled=1

Reboot... and voilà!
#41
18.7 Legacy Series / Re: Nextcloud backup woops?
August 03, 2018, 10:55:23 AM
Hello Fabian.

I CAN upload data using a regular webdav client
The path Nextcloud forces me to use on the webdav client is cloud.blablabla.com/remote.php/dav/files/USERNAME/

Thanks for your help.
Nuno
#42
18.7 Legacy Series / Nextcloud backup woops?
August 02, 2018, 05:23:16 PM
Hello all,

I'm having issues getting the Nextcloud backup plugin to work. I am getting these errors:

config[76475]: Error while fetching filelist from Nextcloud
config[93176]: {"url":"https:\/\/cloud.blablabla.com\/remote.php\/dav\/files\/config\/OPNsense-Backup\/config-pfsense01.net.xpto-2018-08-02_15:53:53.xml","content_type":"text\/html; charset=iso8859-1","http_code":403,"header_size":480,"request_size":326,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":1.293437,"namelookup_time":7.6e-5,"connect_time":0.003817,"pretransfer_time":0.029171,"size_upload":878690,"size_download":295,"speed_download":228,"speed_upload":679574,"download_content_length":-1,"upload_content_length":878690,"starttransfer_time":0.032878,"redirect_time":0,"redirect_url":"","primary_ip":"104.28.6.80","certinfo":[],"primary_port":443,"local_ip":"192.168.1.20","local_port":38604}

From what I am able to notice, I am getting a 403 HTTP error.
However, I am able to upload to the Nextcloud instance with that user using either the browser or the native Nextcloud client.

Nextcloud IS able to create the destination dir, so it appears not to be permission related. I just am not able to upload the XML file.

I can also see OPNsense logging in successfully to the Nextcloud instance:

{"reqId":"W2MlzKwQACkAAE3Xt7QAAAAC","level":1,"time":"2018-08-02T15:39:56+00:00","remoteAddr":"172.16.3.161","user":"config","app":"admin_audit","method":"PROPFIND","url":"\/remote.php\/dav\/files\/config\/","message":"Login successful: \"config\"","userAgent":"OPNsense Firewall","version":"13.0.5.2"}

Can you shed some light on this? What am I missing?

Nuno
#43
Tks!!! Perfect!
#44
Hello All,

After updating, I've lost the place where I used to configure access to the OPNsense webgui.
It used to be in system--> Access --> Config

After the upgrade the config part disappeared. Where is it now?
I want to give access to an LDAP user to access the webgui.

Thanks for a wonderful product!
Nuno
#45
Hello Franco,

I don't know why, but downgrading the os-haproxy package didn't do much. When I downgraded both it was OK.
I then forgot to lock haproxy-devel, and when I installed other packages (Suricata related), it updated the haproxy-devel package, unlocked os-haproxy and updated it as well.
Had to downgrade again, and lock both.

Weird, I know....

Thanks,