Windows AD and SSO

[Crisman]

Hi,

Besides the external contributor has not already put the plugin available, is there any way to implement the SSO/AD with the current firmware?

Regards,
Crisman.

[franco]

The plugin is available, but not advertised as it is in development mode. You can install it from the console and it should then show up in the services menu:

# pkg install os-web-proxy-sso-devel


Cheers,
Franco

[fabian]

FYI: The plugin code is here:
https://github.com/opnsense/plugins/tree/master/www/web-proxy-sso

@fichtner: there is an really old ticket: https://github.com/opnsense/plugins/issues/43

[franco]

Yes, but we don't want to release something that is not approved by the maintainer, even if we fix that list.

[mmartinssantos]

Sorry to ask again, but is there any solution to this error?

Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method)\tadditional info: SASL(-4): no mechanism available: No worthy mechs found

OPNsense 17.1.10-amd64


I have tried in many ways to solve, even with older versions (16.7) and I can not make the plugin work.

[AndyX90]

I tested it with 17.7r1 and it says /usr/bin/kinit: not found.
That would be awesome if this becomes stable.

[franco]

Hi Andy,

Thanks for this hint, the paths to kinit / kdestroy are definitely wrong, apply this patch[1] to fix that:

# opnsense-patch -c plugins 3189ebd1

I really don't know about the state of this, it somehow worked a while back, but we had several open issues and at least for me personally no test setup to be able to finish it.


Cheers,
Franco

[1] https://github.com/opnsense/plugins/commit/3189ebd1

[AndyX90]

Thank you Franco! But now joining domain dies with the following error:

Code: [Select]

kinit: unrecognized option `--password-file=/usr/local/etc/ssoproxyad/krb5secret'Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F | --forwardable | --noforwardable] [-p | -P | --proxiable | --noproxiable] -n [-a | -A | --addresses | --noaddresses] [--request-pac | --no-request-pac] [-C | --canonicalize] [-E | --enterprise] [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename] [-S service_name] [-T ticket_armor_cache] [-X <attribute>[=<value>]] [principal] options: -V verbose -l lifetime -s start time -r renewable lifetime -f forwardable -F not forwardable -p proxiable -P not proxiable -n anonymous -a include addresses -A do not include addresses -v validate -R renew -C canonicalize -E client is enterprise principal name -k use keytab -i use default client keytab (with -k) -t filename of keytab to use -c Kerberos 5 cache name -S service -T armor credential cache -X <attribute>[=<value>]Also the category in the menu-tree is not correct. It is listed under "Proxy" but the new category is "Web Proxy".

Thanks for your awesome work!

[franco]

Hi Andy,

Thanks for the fix. The switch from Heimdal to MIT Kerberos seems to have taken its toll on the implementation. It looks like "-k -t file" should be used, if the file specified needs a different contents I do not know...

https://serverfault.com/a/488553


Cheers,
Franco