Windows AD and SSO

Started by rgemmell, October 17, 2016, 04:46:09 PM

Plugin is marked private so it does not show up in the GUI. The system needs multiple changes that came in last minute. You need to run the following on top of 16.7.7:

# opnsense-update -t opnsense-devel
# pkg install ospriv-web-proxy-sso
# opnsense-patch -c plugins 57cfcddf 916d315 9301836
# opnsense-patch 528866c5 7094a5cd3

The plugin is found under "Services: Proxy Server: Single sign-on" and hopefully domg can help explain how it works if need be.


Cheers,
Franco

domg provided a README:

Prerequisites:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
OPNsense must have a hostname in AD DNS (A and PTR)
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
OPNsense must be in same domain as AD (hostname configuration page)
Create a new Authorization server with ssoproxyad type

Configuration:
Configure Single-Sign-On page with appropriate information
Execute joinDomain button
OPNsense should be in AD in computers OU
Reset computers from AD
Execute UpdateDomain
Select Authorization server in Proxy page

Todo:
Add cron job for auto-update keytab
Test button should test prerequisites


https://github.com/gitdevmod/plugins/tree/patch-4/www/web-proxy-sso
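The README's prerequisites map directly onto a few checks (hostname and Domain Controller inside the AD domain, matching A and PTR records, clock within the Kerberos skew). The script below is an added example, not part of the plugin or this README; the pure checks take their inputs as arguments, and the live part assumes FreeBSD host(1) and ntpdate(8) output formats and that hostname(1) returns the FQDN.

```sh
#!/bin/sh
# Added example (not the plugin's code): checks for the README prerequisites,
# in the spirit of the "Test button should test prerequisites" todo.
# Pure checks take values as arguments so they can be exercised offline.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# in_domain NAME DOMAIN: NAME must be a host inside DOMAIN (case-insensitive).
# Used for the OPNsense hostname and for the configured Domain Controller.
in_domain() {
  case "$(lower "$1")" in
    *."$(lower "$2")") return 0 ;;
    *) return 1 ;;
  esac
}

# ptr_matches FQDN PTRNAME: the reverse record must name the same host.
ptr_matches() { [ "$(lower "$1")" = "$(lower "$2")" ]; }

# clock_ok OFFSET_SECONDS: |offset| must stay under Kerberos' default 300 s skew.
clock_ok() {
  abs=$(printf '%s' "$1" | sed 's/^[-+]//; s/\..*$//; s/[^0-9]//g')
  [ -n "$abs" ] && [ "$abs" -lt 300 ]
}

# Live checks for the OPNsense console: run_checks AD_DOMAIN DC_FQDN
# (assumes hostname(1) returns the FQDN and FreeBSD host/ntpdate output).
run_checks() {
  fqdn=$(hostname)
  ip=$(host -t A "$fqdn" 2>/dev/null | awk '/has address/ {print $NF; exit}')
  ptr=$(host -t PTR "$ip" 2>/dev/null | awk '/domain name pointer/ {print $NF; exit}')
  off=$(ntpdate -q "$2" 2>/dev/null | awk '/^server/ {sub(/,/, "", $6); print $6; exit}')
  rc=0
  in_domain "$fqdn" "$1"     || { echo "FAIL: $fqdn is not in $1"; rc=1; }
  in_domain "$2" "$1"        || { echo "FAIL: DC $2 is not in $1"; rc=1; }
  [ -n "$ip" ]               || { echo "FAIL: no A record for $fqdn"; rc=1; }
  ptr_matches "$fqdn" "$ptr" || { echo "FAIL: PTR for $ip is '$ptr'"; rc=1; }
  clock_ok "$off"            || { echo "FAIL: clock offset ${off:-unknown}s"; rc=1; }
  [ $rc -eq 0 ] && echo "All prerequisites OK"
  return $rc
}

# Only run the live checks when called with arguments, e.g.
#   sh sso-prereqs.sh example.local dc01.example.local
[ $# -eq 2 ] && run_checks "$1" "$2"
```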

Hi Guys

Thanks for the update.
I am attempting to join the server to the domain but I get the error "no configuration file found" when testing the settings. Could you provide an example list of settings that I should be using?

Kind regards
Robert

October 30, 2016, 07:51:03 PM #18 Last Edit: October 30, 2016, 07:55:10 PM by domg
Hi rgemmell,

This is the configuration I use; Domain Version can be 2003 or 2008, then save and join domain.

Ok I am making small progress.
With the below settings I get a "Test ok!" but an "unable to run config action" when clicking Join Domain. Any ideas?

Domain Name: HILT-OPNSENSE
Domain Controller: BWX-HILT-DC01.bwx.local
Version: 2012
Domain user: rgemmell
Password: ....

Hi,

Domain Controller must be in same Domain, it should be BWX-HILT-DC01.HILT-OPNSENSE and Version can only be 2003 or 2008. For 2012 Domain, you can use 2008.

The button "Test" actually only prints a "Test ok!" message, in future it should test prerequisites and fields.

Hi Guys

I am sure you are getting sick of me now.  :)
I am still having issues. I started with a fresh installation this time.
Firstly, I can ping bwx.local and BWX-HILT-DC01.bwx.local from the server with no issues.
Here are the settings I have:

Could you run from the console:
# configctl ssoproxyad joinDomain

Ok I ran the command and get the following:
root@HILT-OPNSENSE:~ # configctl ssoproxyad joinDomain
Warning: file_put_contents(/usr/local/etc/ssoproxyad/krb5secret): failed to open stream: No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php on line 60

Warning: chmod(): No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php on line 61
{"message":"Array"}

Sorry Guys, in my stupidity I forgot to set up the proxy itself after I set up the new server.
Running the command now gives the following:
configctl ssoproxyad joinDomain
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Can't contact LDAP server)Error: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}
root@HILT-OPNSENSE:~ # ping bwt.local

Alright, I now get the following:
Nov 1 10:54:56   configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Nov 1 10:52:56   configd.py: [37a2e8b3-6d6b-41cf-846a-ab9c9bc25f24] SSO Proxy AD module join AD domain
Nov 1 10:52:51   api[43906]: no matching csrf found for request
Nov 1 10:52:48   api[43906]: no matching csrf found for request

Hi,
Could you ping your OPNsense with hostname.domain and IP?
If you can, I'm on IRC #opnsense for debugging

Hi there. Yes I can, everything resolves perfectly. Before I had an issue with DNS which is why I redid the server.

Ok, could you confirm all prerequisites are ok?