Windows AD and SSO

Started by rgemmell, October 17, 2016, 04:46:09 PM

Hi,

Given that the external contributor has not yet made the plugin available, is there any way to implement SSO/AD with the current firmware?

Regards,
Crisman.

The plugin is available, but not advertised as it is in development mode. You can install it from the console and it should then show up in the services menu:

# pkg install os-web-proxy-sso-devel


Cheers,
Franco


Yes, but we don't want to release something that is not approved by the maintainer, even if we fix that list.

Sorry to ask again, but is there any solution to this error?

Error: ldap_sasl_interactive_bind_s failed (Unknown authentication method) additional info: SASL(-4): no mechanism available: No worthy mechs found

OPNsense 17.1.10-amd64


I have tried many ways to solve this, even with older versions (16.7), and I cannot make the plugin work.

I tested it with 17.7r1 and it says /usr/bin/kinit: not found.
That would be awesome if this becomes stable.

Hi Andy,

Thanks for this hint. The paths to kinit / kdestroy are definitely wrong; apply this patch[1] to fix that:

# opnsense-patch -c plugins 3189ebd1

I really don't know about the state of this, it somehow worked a while back, but we had several open issues and at least for me personally no test setup to be able to finish it.


Cheers,
Franco

[1] https://github.com/opnsense/plugins/commit/3189ebd1

Thank you Franco! But now joining the domain dies with the following error:
kinit: unrecognized option `--password-file=/usr/local/etc/ssoproxyad/krb5secret'
Usage: kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F | --forwardable | --noforwardable] [-p | -P | --proxiable | --noproxiable] -n [-a | -A | --addresses | --noaddresses] [--request-pac | --no-request-pac] [-C | --canonicalize] [-E | --enterprise] [-v] [-R] [-k [-i|-t keytab_file]] [-c cachename] [-S service_name] [-T ticket_armor_cache] [-X <attribute>[=<value>]] [principal]
    options:
    -V verbose
    -l lifetime
    -s start time
    -r renewable lifetime
    -f forwardable
    -F not forwardable
    -p proxiable
    -P not proxiable
    -n anonymous
    -a include addresses
    -A do not include addresses
    -v validate
    -R renew
    -C canonicalize
    -E client is enterprise principal name
    -k use keytab
    -i use default client keytab (with -k)
    -t filename of keytab to use
    -c Kerberos 5 cache name
    -S service
    -T armor credential cache
    -X <attribute>[=<value>]
Also the category in the menu-tree is not correct. It is listed under "Proxy" but the new category is "Web Proxy".

Thanks for your awesome work!

Hi Andy,

Thanks for the fix. The switch from Heimdal to MIT Kerberos seems to have taken its toll on the implementation. It looks like "-k -t file" should be used; whether the file specified needs different contents I do not know...

https://serverfault.com/a/488553


Cheers,
Franco
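A small sh helper, added here as an example and not taken from the plugin or from any post in this thread: it tells the two kinit implementations apart, builds the command line each one accepts (MIT `-k -t keytab` versus Heimdal `--password-file`, as discussed above), and refuses a secret file that other local users can read. The function names, the sample banner strings and the `/tmp/krb5cc_ssoproxy` cache path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the os-web-proxy-sso-devel plugin or from any
# post above. The thread shows Heimdal-style "--password-file=FILE" breaking on
# MIT kinit, which wants "-k -t KEYTAB" instead; these helpers pick the right
# syntax and check that the secret on disk is not world-readable.

# Classify a kinit banner as "mit" or "heimdal" from strings each prints.
# MIT's usage lists "-k [-i|-t keytab_file]"; Heimdal answers --version with
# its name and lists --password-file in its usage.
kinit_flavor() {
    case "$1" in
        *"-k [-i|-t keytab_file]"*|*"--request-pac"*) echo mit ;;
        *"--password-file"*|*Heimdal*)                 echo heimdal ;;
        *)                                             echo unknown ;;
    esac
}

# Flavor of the kinit on PATH: MIT prints its usage on the unknown --version
# option, Heimdal prints "kinit (Heimdal ...)". Prints "unknown" if absent.
detect_kinit_flavor() {
    kinit_flavor "$(kinit --version 2>&1 || true)"
}

# Build the kinit command for the proxy's service principal.
# Usage: kinit_cmdline <flavor> <secret-file> <principal> [ccache]
# For MIT the secret file is a keytab; for Heimdal it is the password file
# the plugin passed with --password-file. The ccache default is an assumption.
kinit_cmdline() {
    flavor=$1 secret=$2 princ=$3 ccache=${4:-/tmp/krb5cc_ssoproxy}
    case "$flavor" in
        mit)     echo "kinit -k -t $secret -c $ccache $princ" ;;
        heimdal) echo "kinit --password-file=$secret -c $ccache $princ" ;;
        *)       echo "unsupported kinit flavor: $flavor" >&2; return 1 ;;
    esac
}

# Return 0 only if the keytab/password file is readable by its owner alone
# (mode 0600 or 0400); anything wider lets other local users obtain the
# proxy's Kerberos identity. Uses ls(1) so it works on FreeBSD and Linux.
check_secret_perms() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -r[w-]-------) return 0 ;;
        *)             return 1 ;;
    esac
}
```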