OPNsense Forum » Archive » 17.1 Legacy Series » Windows AD and SSO

Author Topic: Windows AD and SSO  (Read 31990 times)

franco

  • Administrator
  • Hero Member
  • Posts: 13633
  • Karma: 1174
Re: Windows AD and SSO
« Reply #15 on: October 28, 2016, 12:42:22 pm »
Plugin is marked private so it does not show up in the GUI. The system needs multiple changes that came in last minute. You need to run the following on top of 16.7.7:

# opnsense-update -t opnsense-devel
# pkg install ospriv-web-proxy-sso
# opnsense-patch -c plugins 57cfcddf 916d315 9301836
# opnsense-patch 528866c5 7094a5cd3

The plugin is found under "Services: Proxy Server: Single sign-on" and hopefully domg can help explain how it works if need be.


Cheers,
Franco

franco

  • Administrator
  • Hero Member
  • Posts: 13633
  • Karma: 1174
Re: Windows AD and SSO
« Reply #16 on: October 29, 2016, 07:55:42 am »
domg provided a README:

Prerequisites:
OPNsense must use AD DNS (do not use DNS from DHCP/WAN)
OPNsense must have a hostname in AD DNS (A and PTR)
OPNsense must be in sync with AD DNS time (use one IP of AD in NTP)
OPNsense must be in same domain as AD (hostname configuration page)
Create a new Authorization server with ssoproxyad type

Configuration:
Configure Single-Sign-On page with appropriate information
Execute joinDomain button
OPNsense should be in AD in computers OU
Reset computers from AD
Execute UpdateDomain
Select Authorization server in Proxy page

Todo:
Add cron job for auto-update keytab
Test button should test prerequisites

https://github.com/gitdevmod/plugins/tree/patch-4/www/web-proxy-sso
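The README's "Todo" notes that the Test button should verify the prerequisites rather than just print "Test ok!". The following is an added example, not code from the OPNsense plugin or from domg: it turns the README's prerequisite list (firewall hostname with matching A and PTR records in AD DNS, clock in sync with the DC, firewall and DC in the same domain, a supported domain version) into checks that return a list of problems. The resolver and clock are injected so the checks run offline against a constructed DNS table; `system_resolvers()` wires in real socket lookups on a live box. All function and parameter names, the sample DNS table and the hostname `fw.bwx.local` are my own assumptions.

```python
"""Prerequisite checks for an AD join, modelled on the README above (added example)."""
import socket
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Kerberos rejects tickets when clocks differ by more than this (MIT default, 5 min).
MAX_CLOCK_SKEW_SECONDS = 300
# Domain versions the plugin accepts, per the thread (use 2008 for newer domains).
SUPPORTED_VERSIONS = ("2003", "2008")

# name -> IP (forward) or IP -> name (reverse); None when the lookup fails.
Resolver = Callable[[str], Optional[str]]


def domain_of(fqdn: str) -> str:
    """Lower-cased domain part of a host FQDN ('' if the name is unqualified)."""
    name = fqdn.rstrip(".")
    return name.split(".", 1)[1].lower() if "." in name else ""


def check_settings(domain: str, dc_fqdn: str, host_fqdn: str, version: str) -> List[str]:
    """Plausibility checks on the Single-Sign-On page fields."""
    problems = []
    if version not in SUPPORTED_VERSIONS:
        problems.append(f"version {version!r} not supported; use 2008 for 2012 and later domains")
    if domain_of(dc_fqdn) != domain.lower():
        problems.append(f"domain controller {dc_fqdn} is not in domain {domain}")
    if domain_of(host_fqdn) != domain.lower():
        problems.append(f"firewall hostname {host_fqdn} is not in domain {domain}")
    return problems


def check_dns(host_fqdn: str, forward: Resolver, reverse: Resolver) -> List[str]:
    """The firewall needs an A record and a PTR record that points back to it."""
    ip = forward(host_fqdn)
    if ip is None:
        return [f"no A record for {host_fqdn}"]
    name = reverse(ip)
    if name is None:
        return [f"no PTR record for {ip}"]
    if name.rstrip(".").lower() != host_fqdn.rstrip(".").lower():
        return [f"PTR for {ip} is {name}, expected {host_fqdn}"]
    return []


def check_clock_seconds(skew_seconds: float) -> List[str]:
    """Clock skew against the DC must stay within the Kerberos tolerance."""
    if abs(skew_seconds) > MAX_CLOCK_SKEW_SECONDS:
        return [f"clock skew {abs(skew_seconds):.0f}s exceeds {MAX_CLOCK_SKEW_SECONDS}s; point NTP at a DC"]
    return []


def check_clock(local: datetime, dc: datetime) -> List[str]:
    return check_clock_seconds((local - dc).total_seconds())


def run_checks(domain, dc_fqdn, host_fqdn, version, forward, reverse, local_time, dc_time) -> List[str]:
    """All prerequisite checks; an empty list means the join can be attempted."""
    return (check_settings(domain, dc_fqdn, host_fqdn, version)
            + check_dns(host_fqdn, forward, reverse)
            + check_clock(local_time, dc_time))


def dict_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a constructed table, for offline use (keys lower-cased)."""
    return lambda key: table.get(key.rstrip(".").lower())


def system_resolvers():
    """Real lookups through the firewall's configured resolver (which should be AD DNS)."""
    def forward(name: str) -> Optional[str]:
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None

    def reverse(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    return forward, reverse


# Constructed lab DNS table (documentation-range addresses); "stale" has a wrong PTR.
SAMPLE_DNS = {
    "bwx-hilt-dc01.bwx.local": "192.0.2.10",
    "fw.bwx.local": "192.0.2.1",
    "192.0.2.1": "fw.bwx.local",
    "stale.bwx.local": "192.0.2.2",
    "192.0.2.2": "old.bwx.local",
}


def example() -> List[str]:
    """Runs the checks on the field values from Reply #19 against the constructed table."""
    fwd = rev = dict_resolver(SAMPLE_DNS)
    now = datetime(2016, 10, 31, 8, 35, tzinfo=timezone.utc)
    return run_checks("HILT-OPNSENSE", "BWX-HILT-DC01.bwx.local", "fw.bwx.local", "2012",
                      fwd, rev, now, now + timedelta(minutes=7))


if __name__ == "__main__":
    for problem in example():
        print("PROBLEM:", problem)
```

Run with the Reply #19 values, `example()` reports four problems: the unsupported version, the DC and the firewall hostname both sitting outside the configured domain, and a 7-minute clock skew; the same set of field values with the domain set to `bwx.local` and version `2008` passes the settings check, which is what domg's answer in Reply #20 amounts to.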

rgemmell

  • Newbie
  • Posts: 18
  • Karma: 3
Re: Windows AD and SSO
« Reply #17 on: October 30, 2016, 06:19:21 pm »
Hi Guys

Thanks for the update.
I am attempting to join the server to the domain but I get the error "no configuration file found" when testing the settings. Could you provide an example list of settings that I should be using?

Kind regards
Robert

domg

  • Jr. Member
  • Posts: 60
  • Karma: 10
Re: Windows AD and SSO
« Reply #18 on: October 30, 2016, 07:51:03 pm »
Hi rgemmell,

This is the configuration I use. Domain Version can be 2003 or 2008; then save and join the domain.
« Last Edit: October 30, 2016, 07:55:10 pm by domg »

rgemmell

  • Newbie
  • Posts: 18
  • Karma: 3
Re: Windows AD and SSO
« Reply #19 on: October 31, 2016, 08:35:49 am »
OK, I am making small progress.
With the settings below I get a "Test ok!" but an "unable to run config action" when clicking Join Domain. Any ideas?

Domain Name: HILT-OPNSENSE
Domain Controller: BWX-HILT-DC01.bwx.local
Version: 2012
Domain user: rgemmell
Password: ....

domg

  • Jr. Member
  • Posts: 60
  • Karma: 10
Re: Windows AD and SSO
« Reply #20 on: October 31, 2016, 11:37:07 am »
Hi,

The Domain Controller must be in the same domain; it should be BWX-HILT-DC01.HILT-OPNSENSE, and Version can only be 2003 or 2008. For a 2012 domain, you can use 2008.

domg

  • Jr. Member
  • Posts: 60
  • Karma: 10
Re: Windows AD and SSO
« Reply #21 on: October 31, 2016, 11:54:47 am »
The "Test" button actually only prints a "Test ok!" message; in the future it should test the prerequisites and fields.

rgemmell

  • Newbie
  • Posts: 18
  • Karma: 3
Re: Windows AD and SSO
« Reply #22 on: October 31, 2016, 06:36:11 pm »
Hi Guys

I am sure you are getting sick of me now.  :)
I am still having issues. I started with a fresh installation this time.
Firstly, I can ping bwx.local and BWX-HILT-DC01.bwx.local from the server with no issues.
Here are the settings I have:

domg

  • Jr. Member
  • Posts: 60
  • Karma: 10
Re: Windows AD and SSO
« Reply #23 on: October 31, 2016, 10:58:48 pm »
Could you run from the console:
# configctl ssoproxyad joinDomain

rgemmell

  • Newbie
  • Posts: 18
  • Karma: 3
Re: Windows AD and SSO
« Reply #24 on: November 01, 2016, 07:21:47 am »
OK, I ran the command and got the following:
root@HILT-OPNSENSE:~ # configctl ssoproxyad joinDomain
Warning: file_put_contents(/usr/local/etc/ssoproxyad/krb5secret): failed to open stream: No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php on line 60

Warning: chmod(): No such file or directory in /usr/local/opnsense/scripts/OPNsense/SSOProxyAD/joinDomain.php on line 61
{"message":"Array"}

rgemmell

  • Newbie
  • Posts: 18
  • Karma: 3
Re: Windows AD and SSO
« Reply #25 on: November 01, 2016, 07:33:40 am »
Sorry Guys, in my stupidity I forgot to set up the proxy itself after I set up the new server.
Running the command now gives the following:
configctl ssoproxyad joinDomain
{"message":"Unable to create keytab: Error: ldap_sasl_interactive_bind_s failed (Can't contact LDAP server)Error: ldap_connect failed--> Is your kerberos ticket expired? You might try re-\"kinit\"ing.--> Is DNS configured correctly? You might try options \"--server\" and \"--no-reverse-lookups\"."}
root@HILT-OPNSENSE:~ # ping bwt.local

rgemmell

  • Newbie
  • Posts: 18
  • Karma: 3
Re: Windows AD and SSO
« Reply #26 on: November 01, 2016, 09:59:48 am »
Alright, I now get the following:
Nov 1 10:54:56   configd_ctl.py: error in configd communication Traceback (most recent call last): File "/usr/local/opnsense/service/configd_ctl.py", line 65, in exec_config_cmd line = sock.recv(65536) timeout: timed out
Nov 1 10:52:56   configd.py: [37a2e8b3-6d6b-41cf-846a-ab9c9bc25f24] SSO Proxy AD module join AD domain
Nov 1 10:52:51   api[43906]: no matching csrf found for request
Nov 1 10:52:48   api[43906]: no matching csrf found for request

domg

  • Jr. Member
  • Posts: 60
  • Karma: 10
Re: Windows AD and SSO
« Reply #27 on: November 01, 2016, 10:40:24 am »
Hi,
Could you ping your OPNsense with hostname.domain and IP?
If you can, I'm on IRC #opnsense for debugging.

rgemmell

  • Newbie
  • Posts: 18
  • Karma: 3
Re: Windows AD and SSO
« Reply #28 on: November 01, 2016, 11:05:04 am »
Hi there. Yes I can, everything resolves perfectly. Before I had an issue with DNS which is why I redid the server.

domg

  • Jr. Member
  • Posts: 60
  • Karma: 10
Re: Windows AD and SSO
« Reply #29 on: November 01, 2016, 11:41:56 am »
OK, could you confirm all prerequisites are OK?