web-proxy-sso: TODO list for public release #43

Closed
fichtner opened this Issue Oct 22, 2016 · 19 comments

@fichtner
Member

fichtner commented Oct 22, 2016

  • fix POST issue: {"errorMessage":"Error at /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php:520 - array_key_exists() expects parameter 2 to be array, string given (errno=2)"}
  • copyright header style updates
  • change menu location
  • adjust squid.conf and rc.conf.d/squid
  • alt-auth hook to prevent local user authentication
  • unwind auth server vs. squid authenticator
  • protect exec() calls with exec_safe()
  • GUI updates for actions
  • testing during 16.7.x series
  • Use a drop-down list for Domain Version
  • /etc/rc.conf.d/ssoproxyad is not sourced because the service is "squid" <-- need an /etc/rc.conf.d/squid DIRECTORY instead

Currently required patching for 16.7.7:

# opnsense-patch -c plugins 57cfcddf 916d315
@fichtner

Member

fichtner commented Oct 22, 2016

screen shot 2016-10-22 at 11 37 26 am

@fichtner

Member

fichtner commented Oct 22, 2016

@gitdevmod problem with API POST turned out to be a typo: UpdateOnly -> UpdateOnlyTextField

@gitdevmod

Contributor

gitdevmod commented Oct 22, 2016

  • adjust squid.conf and rc.conf.d/squid example
@fichtner

Member

fichtner commented Oct 23, 2016

@AdSchellevis the SSO plugin is quite light in terms of dependencies, and it requires a squid.conf base hook... it looks better to bring it into core.git itself. what do you think?

@gitdevmod At the moment, I don't know where the menu item should live (except in a native proxy server tab) and how it is going to be modelled: do we need a SSO configuration per user or is the "general" form the only form we need to use?

@gitdevmod

Contributor

gitdevmod commented Oct 23, 2016

@fichtner it's a general configuration, add a new server authentication, configure the plugin (AD information) and the server authentication in proxy configuration page.

@AdSchellevis

Member

AdSchellevis commented Oct 24, 2016

@fichtner oops, was working my way through my email from top to bottom, so posted my comments here opnsense/core#1235

I'm not overly enthusiastic for integrating it into core, mainly because of timing and current workload. If it's in core it automatically means we have to support the feature. I do see the logic of having it integrated, but when pluggable it's easier to manage.

@fichtner

Member

fichtner commented Oct 24, 2016

@gitdevmod squid.conf and rc.conf.d changes in via plugin.. almost done :)

@gitdevmod

Contributor

gitdevmod commented Oct 24, 2016

Thanks!

@gitdevmod

Contributor

gitdevmod commented Oct 24, 2016

Code for kerberos is added correctly but Local User Authentication helper config should not be added at the same time

# Authentication Settings
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
auth_param basic realm OPNsense proxy authentication
auth_param basic credentialsttl 2 hours
auth_param basic children 5
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED

auth_param negotiate program "/usr/local/libexec/squid/negotiate_kerberos_auth"
auth_param negotiate children 10
auth_param negotiate keep_alive on
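
A small check for the condition reported in the comment above, as an added example (not code from OPNsense or the plugin): it parses the auth_param lines of a squid.conf and reports any other authentication scheme's helper that is configured next to negotiate. The function names and the embedded sample, which copies the fragment quoted in the comment, are assumptions made for this example.

```python
import shlex

# Constructed sample: the generated squid.conf fragment quoted in the comment above.
SAMPLE_CONF = """\
# Authentication Settings
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
auth_param basic realm OPNsense proxy authentication
auth_param basic credentialsttl 2 hours
auth_param basic children 5
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED

auth_param negotiate program "/usr/local/libexec/squid/negotiate_kerberos_auth"
auth_param negotiate children 10
auth_param negotiate keep_alive on
"""


def auth_schemes(conf_text):
    """Return {scheme: {option: value}} built from every auth_param line."""
    schemes = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)      # strips the quotes around helper paths
        except ValueError:                  # unbalanced quote, e.g. in a realm string
            tokens = line.split()
        if len(tokens) >= 4 and tokens[0] == "auth_param":
            scheme, option = tokens[1].lower(), tokens[2].lower()
            schemes.setdefault(scheme, {})[option] = " ".join(tokens[3:])
    return schemes


def extra_auth_helpers(conf_text, sso_scheme="negotiate"):
    """List helpers of other schemes that are active next to the SSO scheme."""
    schemes = auth_schemes(conf_text)
    if sso_scheme not in schemes:
        return []                           # SSO not configured, nothing to compare
    return [
        f"{name} helper {opts.get('program', '<no program>')} "
        f"is configured alongside {sso_scheme}"
        for name, opts in sorted(schemes.items())
        if name != sso_scheme
    ]


if __name__ == "__main__":
    for finding in extra_auth_helpers(SAMPLE_CONF):
        print(finding)
```

Run against the generated squid.conf after applying the plugin, an empty result means only the Kerberos helper is active.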

@fichtner

Member

fichtner commented Oct 25, 2016

@gitdevmod ok, this is tricky to plug in, we may need an "alt-auth" file for this then

fichtner added a commit to opnsense/core that referenced this issue Oct 26, 2016

proxy: allow alt auth framework config file
We fall back to the local authentication if not found.

PR: opnsense/plugins#43
@fichtner

Member

fichtner commented Oct 26, 2016

@gitdevmod should be in there, I think we are ready for a first try :)

@fichtner

Member

fichtner commented Oct 26, 2016

@gitdevmod fix tested in core and plugins for /etc/rc.conf.d/squid subdir -- cannot commit ATM, but will be there soon

fichtner added a commit to opnsense/core that referenced this issue Oct 28, 2016

proxy: allow alt auth framework config file
We fall back to the local authentication if not found.

PR: opnsense/plugins#43
(cherry picked from commit 3512257)
@gitdevmod

Contributor

gitdevmod commented Oct 30, 2016

Use a drop-down list for Domain Version. Last time I tried it did not work.

@fichtner

Member

fichtner commented Nov 8, 2016

@gitdevmod the authentication work on core.git moves to 16.7.8. I don't think we'll be ready for the first release of SSO just then, but 16.7.9 could be the one. :)

@fichtner

Member

fichtner commented Nov 9, 2016

I tried the option drop-down, but it didn't render properly as you said. Just keeping this for reference.

@adrianobragas

adrianobragas commented Jun 21, 2017

Hi guys, how do I install this web-proxy-sso plugin on my OPNsense 17.1.4-amd64?

@fabianfrz

Member

fabianfrz commented Jun 21, 2017

@adrianobragas You should be able to install it via pkg install os-web-proxy-sso-devel (afaik there is no stable release).

@fichtner

Member

fichtner commented Jun 21, 2017

@fichtner

Member

fichtner commented Sep 21, 2017

We are going to replace the old SSO plugin with #266 soon

@fichtner fichtner closed this Sep 21, 2017
