Smart-Soft Proxy SSO plugin #266
Conversation
| {% if helpers.exists('OPNsense.ProxySSO.ADKerberosImplementation') and OPNsense.ProxySSO.ADKerberosImplementation == 'W2003' %} | ||
| default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 | ||
| default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 | ||
| permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 |
| {% if method != "Local Database" %} | ||
| {% for server in helpers.toList('system.authserver') %} | ||
| {% if server.type == 'ldap' and server.name == method %} | ||
| {% if ldap_method.append(server) %} |
| e) ENCTYPES="$OPTARG" ;; | ||
| b) BASENAME="$OPTARG" ;; | ||
| u) USERNAME="$OPTARG" ;; # LDAP admin username | ||
| p) PASSWORD="$OPTARG" ;; # LDAP admin password |
| <button class="btn btn-primary" id="DeleteKeytab" type="button"><b>{{ lang._('Delete keytab') }}</b></button> | ||
| <button class="btn btn-primary" id="ShowKeytab" type="button"><b>{{ lang._('Show keytab') }}</b></button> | ||
| <br/> | ||
| <br/> |
There was a problem hiding this comment.
to keep the distance, it would be better to use CSS because br depends on many settings (like font size) while margin-bottom with a pixel distance will always stay the same.
| $hostname = 'HTTP/' . $cnf['system']['hostname']; | ||
| $domain = $cnf['system']['domain']; | ||
| $kerbname = substr(strtoupper($cnf['system']['hostname']), 0, 13) . "-K"; | ||
| $winver = !isset($cnf['OPNsense']['ProxySSO']['ADKerberosImplementation']) || $cnf['OPNsense']['ProxySSO']['ADKerberosImplementation'] == 'W2008' ? '2008' : '2003'; |
There was a problem hiding this comment.
Why are you not using your model for that?
$mdl = new ProxySSO();
$value = (string)$mdl->ADKerberosImplementation;should work to access this field if the model is imported.
| $("#CreateKeytab").click(function() { | ||
| ajaxCall(url="/api/proxysso/service/createkeytab", sendData={ | ||
| "admin_login":$("#admin_username").val(), | ||
| "admin_password":$("#admin_password").val()}, callback=function(data,status) { |
| $("#TestKerbLogin").click(function() { | ||
| ajaxCall(url="/api/proxysso/service/testkerblogin", sendData={ | ||
| "login":$("#username").val(), | ||
| "password":$("#password").val()}, callback=function(data,status) { |
| {{ partial("layout_partials/base_form",['fields':testingCreateForm,'id':'frm_TestingCreate'])}} | ||
| <button class="btn btn-primary" id="CreateKeytab" type="button"><b>{{ lang._('Create keytab') }}</b></button> | ||
| <button class="btn btn-primary" id="DeleteKeytab" type="button"><b>{{ lang._('Delete keytab') }}</b></button> | ||
| <button class="btn btn-primary" id="ShowKeytab" type="button"><b>{{ lang._('Show keytab') }}</b></button> |
There was a problem hiding this comment.
This is the frontend, if possible try clean english here (Key Table for example). This is important for translation and for end users.
| PASSWORD="${PASSWORD%\'}" | ||
| echo "${PASSWORD}" | sed 's/\\//g' > ${PASS_TMP} | ||
|
|
||
| /usr/local/bin/kinit ${USERNAME} < ${PASS_TMP} |
There was a problem hiding this comment.
I think so.
Password escaped before this action call:
$pass = escapeshellarg($this->request->getPost("password"));
And additional quoting performed in script (%\').
| {% for method in OPNsense.proxy.forward.authentication.method.split(",") %} | ||
| {% for server in helpers.toList('system.authserver') %} | ||
| {% if server.type == 'ldap' and server.name == method %} | ||
| {% if ldap.append(server) %}{% endif %} |
There was a problem hiding this comment.
Yes, it is a way to provide value changes from inner loop to outer variable (ldap) in jinja2.
ldap.append(server) makes it working.
There was a problem hiding this comment.
If you would do it like this, there would not be an if:
https://github.com/opnsense/plugins/blob/master/net/mdns-repeater/src/opnsense/service/templates/OPNsense/MDNSRepeater/mdnsrepeater#L7
|
@fabianfrz all items are fixed. |
www/proxy-sso/+POST_DEINSTALL.post
Outdated
| @@ -0,0 +1,5 @@ | |||
| rm /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf | |||
There was a problem hiding this comment.
I don't have time for a full review yet, but this needs "rm -f" in case the file is not there
I have this on my TODO to provide a proper revoke of templates on deinstall for automation: #46
www/proxy-sso/+POST_DEINSTALL.post
Outdated
| @@ -0,0 +1,5 @@ | |||
| rm /usr/local/etc/squid/pre-auth/20-negotiate.auth.conf | |||
| if [ -f /var/run/squid/squid.pid ]; then | |||
| service squid reload | |||
There was a problem hiding this comment.
I know what it's trying to achieve, but it's tricky as it doesn't work on a stock FreeBSD, it would kill the service. In OPNsense it works, maybe we need some type of reload command embedding in the package Makefile to signal reverse dependencies of base plugins?
PLUGIN_USES= squid
pointing to the squid.inc plugin file and doing a reload if possible?
There was a problem hiding this comment.
in any case, a configd call would be far safer here, preferably in the background
| PLUGIN_COMMENT= Kerberos authentication module | ||
| PLUGIN_DEPENDS= msktutil cyrus-sasl-gssapi | ||
| PLUGIN_MAINTAINER= evbevz@gmail.com | ||
| PLUGIN_WWW= http://smart-soft.ru |
There was a problem hiding this comment.
should upgrade to HTTPS if possible ;)
| @@ -0,0 +1,8 @@ | |||
| PLUGIN_NAME= proxy-sso | |||
There was a problem hiding this comment.
are you ok with replacing the old plugin? the name would be web-proxy-sso or web-proxy-sso2, although that gets confusing...
There was a problem hiding this comment.
no problem, as you wish )
| @@ -0,0 +1,8 @@ | |||
| PLUGIN_NAME= proxy-sso | |||
| PLUGIN_VERSION= 1.3 | |||
There was a problem hiding this comment.
if we replace the old one, can this be 2.0 instead? what do you think?
There was a problem hiding this comment.
Great. I can do this post merge, no need to shuffle it all around now :)
| function proxy_sso_configure() | ||
| { | ||
| return [ | ||
| 'webproxy_reconfigure' => ['proxy_sso_squid_reconfigure'], |
There was a problem hiding this comment.
does this work in the core or do we need to merge a pr? I vaguely remember something
There was a problem hiding this comment.
This needs opnsense/core#1627
Without this pull-request, administrator should reconfigure proxy-sso manually after reconfiguring proxy.
There was a problem hiding this comment.
this changes slightly with the merge: the facility is "webproxy" and in reconfigure you need to check for "reconfigure" argument, it looks like this:
https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/openvpn.inc#L37
There was a problem hiding this comment.
Some changes have to be done in connection with acceptance of opnsense/core#1627
There was a problem hiding this comment.
in that case the line now reads something like:
'webproxy' => ['proxy_sso_squid_reconfigure:2'],
but the second argument to the function is the "reconfigure" statement like
https://github.com/opnsense/core/blob/master/src/etc/inc/plugins.inc.d/openvpn.inc#L1172
There was a problem hiding this comment.
Why? I don't understand why I need set count of parameters to 2 when function proxy_sso_squid_reconfigure() has no parameters.
There was a problem hiding this comment.
because the plugin configure endpoint was simplified. we can pass all kinds of arguments here, we don't have to encode the type of the call in the name of the endpoint, so "webproxy_reconfigure" becomes "webproxy":
opnsense/core@b769f35#diff-7ab5c46a2101377cc2113c978d5a9676R34
| message:create keytab | ||
|
|
||
| [deletekeytab] | ||
| command:( [ ! -f /usr/local/etc/squid/squid.keytab ] && echo "No keytab file" ) || rm /usr/local/etc/squid/squid.keytab |
There was a problem hiding this comment.
ideally this should be like a wrapper shell script for keytab operations to avoid bouncing every tweak / change through the service configuration. but this is only a recommendation from my side :)
There was a problem hiding this comment.
I did not want to produce more essences, than minimum.
There was a problem hiding this comment.
it's fine for now. if it grows more complex we need to reconsider
|
opnsense/core#1627 was merged with a tiny bit of changes... |
| use \OPNsense\Core\Config; | ||
| use \OPNsense\ProxySSO\ProxySSO; | ||
|
|
||
| class ServiceController extends \OPNsense\Proxy\Api\ServiceController |
There was a problem hiding this comment.
Is this base controller still an requirement?
|
Merged, thanks! Will fix up remaining issues post-merged. |
deps: msktutil, cyrus-sasl-gssapi.
MIT kerberos implementation.
When Web-proxy uses LDAP connectors for authentication, SSO plugin gets the first LDAP connector from proxy authentication settings and makes SSO available for that connector.
Use kerberos check-list tab for easy setup, resolve common configuration mistakes, generate/delete/show keytab and test SSO.