
First version to add AD/Kerberos authentication to squid to pfSense 2.3 #34

Closed
wants to merge 8 commits into from

Conversation

gitdevmod

This is my first PR to pfSense FreeBSD-ports

kerberos (kinit) from FreeBSD base
pkg needed:
- openldap-sasl-client (replace openldap-client)
- cyrus-sasl
- cyrus-sasl-gssapi
- msktutil

TODO:
- cron auto-update computer is missing
- test and test

- Use kinit only if keytab does not exist
- Use kdestroy after creating keytab file
netgate-git-updates pushed a commit that referenced this pull request Feb 3, 2016
@anahimself

I am really interested in testing this because I was trying on pfSense 2.2 with no success (missing file libgssapi_spnego.so.10 while msktutil, ...)

Can I patch the 3 files used on the stable 2.3 and debug with you if any trouble (for the others)?
(Are you sure msktutil uses /etc/krb5.conf on 2.3? Because it apparently doesn't on 2.3 => creating a fake krb file for no reason)

@anahimself

anahimself commented Apr 13, 2016

Problem:
if (($auth_method != 'cp') or ($auth_method != 'adk')) {

This statement is always true, you should replace the test ;-)

Atm all is working but I miss a group member check too, will add this myself in the squid.conf

@anahimself

Another comment, concerning the upn:
--upn HTTP/' . $hostname .
should be changed to
--upn HTTP/' . strtoupper($config['system']['hostname'])

all the rest seems very good so far
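An added example, written for this page and not code from the PR or from pfSense's squid package, that puts the two fixes discussed in the comments above (the always-true auth_method test and the upper-case hostname UPN) next to the keytab flow listed in the PR description (kinit only when no keytab exists, kdestroy once the keytab has been created, and msktutil --auto-update for the cron job still marked TODO). The function names, the keytab path, the realm, the domain-controller and join-account parameters are assumptions; $config['system']['hostname'] and ['domain'] are the usual pfSense config keys.

```php
<?php
// Added example, not the PR's code. Placeholders: keytab path, realm, DC, join account.

// Corrected form of the condition quoted in the thread. The original
//   ($auth_method != 'cp') or ($auth_method != 'adk')
// is true for every value, because no single value equals both 'cp' and 'adk'.
// "Neither cp nor adk" needs "and".
function squid_auth_needs_helper_block($auth_method) {
    return ($auth_method != 'cp') && ($auth_method != 'adk');
}

// UPN built the way the comment suggests: HTTP/ plus the short pfSense hostname
// in upper case, instead of the mixed-case $hostname variable.
function squid_adk_upn(array $config) {
    return 'HTTP/' . strtoupper($config['system']['hostname']);
}

// Commands the package would run to obtain or refresh the service keytab,
// following the commit list: kinit only when the keytab does not exist yet,
// kdestroy after it has been created, and msktutil --auto-update otherwise
// (the periodic computer-account password rotation the PR lists as TODO).
// Every config-derived value is passed through escapeshellarg(), so a hostname
// or domain edited in the GUI cannot inject extra shell commands.
function squid_adk_keytab_commands(array $config, $keytab, $realm, $dc, $join_user) {
    $fqdn = $config['system']['hostname'] . '.' . $config['system']['domain'];
    $spn  = 'HTTP/' . $fqdn;

    if (!file_exists($keytab)) {
        return array(
            // Assumed: the join account's password is supplied to kinit
            // out of band (prompt or password file), never on the command line.
            'kinit ' . escapeshellarg($join_user . '@' . $realm),
            'msktutil --create'
                . ' --service ' . escapeshellarg($spn)
                . ' --upn ' . escapeshellarg(squid_adk_upn($config))
                . ' --keytab ' . escapeshellarg($keytab)
                . ' --server ' . escapeshellarg($dc),
            'kdestroy',
        );
    }

    // Keytab present: no user credentials are needed, the computer account
    // authenticates with the keytab itself.
    return array(
        'msktutil --auto-update --keytab ' . escapeshellarg($keytab),
    );
}

// Constructed sample configuration (placeholder values).
$config = array('system' => array('hostname' => 'proxy01', 'domain' => 'example.test'));

var_dump(squid_auth_needs_helper_block('adk'));   // bool(false)
var_dump(squid_auth_needs_helper_block('ldap'));  // bool(true)
echo squid_adk_upn($config), "\n";                // HTTP/PROXY01
foreach (squid_adk_keytab_commands($config, '/usr/local/etc/squid/squid.keytab',
                                   'EXAMPLE.TEST', 'dc01.example.test', 'squid-join') as $cmd) {
    echo $cmd, "\n";
}
```

Run from the shell with `php` on any host; the first call on a box without the keytab prints the kinit / msktutil --create / kdestroy sequence, and a second call after the keytab exists prints only the --auto-update line, which is the command a daily cron entry would carry.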

@gitdevmod
Author

Hi @anahimself, thanks for your comments, I've not tried this patch since my last commit, not sure it will apply cleanly

@anahimself

Good job anyway for all that

@gitdevmod
Author

I still think it's a nice feature to have in pfsense, maybe you can fork and update the patch :)

@netgate-git-updates

Before this pull request can be accepted you must first sign a CLA as described at https://www.pfsense.org/about-pfsense/#cla. Please read for more details.

@gitdevmod
Author

Hi, I don't think it can apply correctly, if anyone is interested you can reuse it.

@anahimself

Got it working in production, very useful

@rbgarga
Member

rbgarga commented Aug 4, 2016

CLA was not signed, closing.

@rbgarga rbgarga closed this Aug 4, 2016
@leeramsay

This would be a crazy useful feature, is there no way this can be advanced without the original author signing CLA? It looks like it worked out of the box, and a few people have tested it.

@anahimself

I agree.
It is an awesome feature, rarely implemented but a lot more efficient than NTLM.
I can easily give the modifications I made on the 3 files if anyone wants them (wrong auth_method test + upn fix).
It has been in production for 5 months ;-)

@doktornotor
Contributor

doktornotor commented Jan 15, 2017

If someone wants to do a new PR to add this, of course feel free. Before doing that, however, you'd better discuss the pitfalls. Such as: depending on packages that conflict with base pfSense dependencies (openldap-sasl-client) is a no-go from the very beginning (so, presumably, this would require changes in pfSense itself). Best to discuss first in the forums before implementing something.

@rbgarga - Having a hard time understanding the differences between the openldap24-sasl-client and openldap24-client ports, or why those are even separate.

netgate-git-updates pushed a commit that referenced this pull request Apr 28, 2017
7 participants