OPNsense

  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • Windows AD and SSO
Pages: 1 2 3 [4]

Author Topic: Windows AD and SSO  (Read 31989 times)

Crisman

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Re: Windows AD and SSO
« Reply #45 on: May 18, 2017, 06:53:30 pm »
Hi,

Since the external contributor has not yet made the plugin available, is there any way to implement the SSO/AD with the current firmware?

Regards,
Crisman.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13633
  • Karma: 1174
    • View Profile
Re: Windows AD and SSO
« Reply #46 on: May 18, 2017, 07:14:44 pm »
The plugin is available, but not advertised as it is in development mode. You can install it from the console and it should then show up in the services menu:

# pkg install os-web-proxy-sso-devel


Cheers,
Franco
Logged

fabian

  • Hero Member
  • *****
  • Posts: 2768
  • Karma: 199
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
    • View Profile
    • Personal Homepage
Re: Windows AD and SSO
« Reply #47 on: May 18, 2017, 09:17:00 pm »
FYI: The plugin code is here:
https://github.com/opnsense/plugins/tree/master/www/web-proxy-sso

@fichtner: there is a really old ticket: https://github.com/opnsense/plugins/issues/43
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13633
  • Karma: 1174
    • View Profile
Re: Windows AD and SSO
« Reply #48 on: May 18, 2017, 09:58:05 pm »
Yes, but we don't want to release something that is not approved by the maintainer, even if we fix that list.
Logged

mmartinssantos

  • Newbie
  • *
  • Posts: 1
  • Karma: 0
    • View Profile
Re: Windows AD and SSO
« Reply #49 on: July 25, 2017, 07:43:11 am »
Sorry to ask again, but is there any solution to this error?

Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)
    additional info: SASL(-4): no mechanism available: No worthy mechs found

OPNsense 17.1.10-amd64


I have tried many ways to solve this, even with older versions (16.7), and I cannot make the plugin work.
Logged

AndyX90

  • Jr. Member
  • **
  • Posts: 55
  • Karma: 2
    • View Profile
Re: Windows AD and SSO
« Reply #50 on: August 01, 2017, 11:05:35 pm »
I tested it with 17.7r1 and it says /usr/bin/kinit: not found.
It would be awesome if this became stable.
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13633
  • Karma: 1174
    • View Profile
Re: Windows AD and SSO
« Reply #51 on: August 02, 2017, 06:45:17 am »
Hi Andy,

Thanks for this hint, the paths to kinit / kdestroy are definitely wrong, apply this patch [1] to fix that:

# opnsense-patch -c plugins 3189ebd1

I really don't know about the state of this; it somehow worked a while back, but we had several open issues and, at least for me personally, no test setup to be able to finish it.


Cheers,
Franco

[1] https://github.com/opnsense/plugins/commit/3189ebd1
Logged

AndyX90

  • Jr. Member
  • **
  • Posts: 55
  • Karma: 2
    • View Profile
Re: Windows AD and SSO
« Reply #52 on: August 15, 2017, 06:05:50 pm »
Thank you Franco! But now joining domain dies with the following error:
    kinit: unrecognized option `--password-file=/usr/local/etc/ssoproxyad/krb5secret'
    Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F | --forwardable | --noforwardable] [-p | -P | --proxiable | --noproxiable] -n [-a | -A | --addresses | --noaddresses] [--request-pac | --no-request-pac] [-C | --canonicalize] [-E | --enterprise] [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename] [-S service_name] [-T ticket_armor_cache] [-X <attribute>[=<value>]] [principal]
        options:
        -V verbose
        -l lifetime
        -s start time
        -r renewable lifetime
        -f forwardable
        -F not forwardable
        -p proxiable
        -P not proxiable
        -n anonymous
        -a include addresses
        -A do not include addresses
        -v validate
        -R renew
        -C canonicalize
        -E client is enterprise principal name
        -k use keytab
        -i use default client keytab (with -k)
        -t filename of keytab to use
        -c Kerberos 5 cache name
        -S service
        -T armor credential cache
        -X <attribute>[=<value>]

Also the category in the menu tree is not correct. It is listed under "Proxy" but the new category is "Web Proxy".

Thanks for your awesome work!
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13633
  • Karma: 1174
    • View Profile
Re: Windows AD and SSO
« Reply #53 on: August 15, 2017, 07:11:11 pm »
Hi Andy,

Thanks for the fix. The switch from Heimdal to MIT Kerberos seems to have taken its toll on the implementation. It looks like "-k -t file" should be used; whether the file specified needs different contents I do not know...

https://serverfault.com/a/488553


Cheers,
Franco
Logged
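The option mismatch Andy hit and Franco's "-k -t file" hint come from a real difference between the two Kerberos implementations: Heimdal kinit reads a plaintext password from --password-file, while MIT kinit has no such option and authenticates non-interactively from a keytab with -k -t. A keytab is a binary key file (created with ktutil, or ktpass on the Windows side), so the plugin's existing password file cannot simply be handed to MIT kinit; the file format has to change along with the flags. The POSIX shell helper below is an added example, not code from the plugin or from anyone in this thread: it classifies the installed kinit from its usage text (MIT rejects unknown long options and prints the "-k [-i|-t keytab_file]" usage seen above, Heimdal advertises --password-file) and builds the matching command line. The kinit path, the service principal and the keytab path are placeholders.

```shell
#!/bin/sh
# Added example (not from the OPNsense web-proxy-sso plugin): choose the
# kinit invocation that matches the Kerberos implementation installed.
#   Heimdal kinit: --password-file=FILE  (plaintext password in FILE)
#   MIT kinit:     -k -t FILE            (FILE is a binary keytab)

KINIT=${KINIT:-/usr/local/bin/kinit}   # assumed path; adjust for the system

# Classify kinit from its usage text. Check the MIT signature first: when MIT
# is given an unknown long option it echoes that option back in its error
# line, so the mere presence of "--password-file" is not proof of Heimdal.
kinit_flavor() {
    help_text=$1
    case $help_text in
        *"-k [-i|-t keytab_file]"*) echo mit ;;
        *--password-file*)          echo heimdal ;;
        *)                          echo unknown ;;   # not installed or unrecognised build
    esac
}

# Build the non-interactive ticket request for a given flavor.
# For MIT the secret must be a keytab, not the Heimdal password file.
kinit_cmd() {
    flavor=$1 principal=$2 secret=$3
    case $flavor in
        heimdal) echo "$KINIT --password-file=$secret $principal" ;;
        mit)     echo "$KINIT -k -t $secret $principal" ;;
        *)       echo "unsupported kinit flavor: $flavor" >&2; return 1 ;;
    esac
}

# Live detection: both implementations print usage on stderr when asked for
# --help (MIT after an "unrecognized option" line); a missing binary yields
# "not found", which classifies as unknown instead of guessing.
detect_kinit_flavor() {
    kinit_flavor "$("$KINIT" --help 2>&1)"
}

# Usage: sh kinit-flavor.sh --run
# Prints the command line to use for the (placeholder) proxy service principal.
if [ "${1:-}" = "--run" ]; then
    flavor=$(detect_kinit_flavor)
    kinit_cmd "$flavor" "HTTP/proxy.example.com@EXAMPLE.COM" "/path/to/proxy.keytab"
fi
```

Wiring this into a service script means keeping a keytab for the proxy's HTTP/ principal readable only by the proxy user; a keytab is at least a per-principal key rather than a reusable plaintext password, which is the one upside of being forced off --password-file.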

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved