Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

First version to add AD/Kerberos authentication to squid to pfSense 2.3 #34

Closed
wants to merge 8 commits into from
Closed

First version to add AD/Kerberos authentication to squid to pfSense 2.3 #34

wants to merge 8 commits into from

Conversation

gitdevmod
Copy link

This is my first PR to pfSense FreeBSD-ports

kerberos (kinit) from FreeBSD base
pkg needed:
- openldap-sasl-client (replace openldap-client)
- cyrus-sasl
- cyrus-sasl-gssapi
- msktutil

TODO:
- cron auto-update computer is missing
- test and test

@gitdevmod
First version to add AD/Kerberos authentication to squid to pfSense 2.3
eba7d13 
kerberos (kinit) from FreeBSD base
pkg needed:
	- openldap-sasl-client (replace openldap-client)
	- cyrus-sasl
	- cyrus-sasl-gssapi
	- msktutil

TODO:
	- cron auto-update computer is missing
	- test and test
@gitdevmod
Add crontabjob for msktutil --auto-update computer
f4baa41
@gitdevmod
Style
15746a7
@gitdevmod
- Remove files on deinstall
a2a7d17 
- Use kinit only if keytab does not exist
- Use kdestroy after creating keytab file
@gitdevmod
Fix syntax
5ef8608
@gitdevmod
Use unlink_if_exists() function
06615fe
@gitdevmod
Fix syntax
8398dc1
@gitdevmod
Make sure SQUID_UID/SQUID_GID can access to PROXY.keytab file
603cf2e
netgate-git-updates pushed a commit that referenced this pull request Feb 3, 2016
@DonLewisFreeBSD
Upgrade net/nmsg to 0.11.0:
3bd19b1 
nmsg (0.11.0)

  [ Henry Stern ]
  * Add an interval randomization option that randomizes the initial offset
    within the selected time interval. This functionality is exposed via the
    libnmsg nmsg_io_set_interval_randomized() function and the nmsgtool -R /
    --randomize command-line option (#27, #33).

  * Add documention for nmsgtool -j / --readjson and -J / --write-json
    command-line options (#26, #28).

  * Add PKG_CHECK_MODULES dependency on yajl >= 2.1.0 (#29, #31).

  * Make nmsgtool -k / --kicker work when combined with -c or -t, when
    producing output in JSON format (#25, #38).

  * Fix compiler warning [-Wtautological-compare] in
    _nmsg_msgmod_json_to_payload_load() (#36, #39).

  * Add nmsg_message_get_num_field_values(),
    nmsg_message_get_num_field_values_by_idx() functions (#5, #40).

  [ Robert Edmonds ]
  * Remove the unused enum nmsg_modtype from the internal libnmsg API (#30).

  * Header file cleanups (#14, #34).

  * Rewrite nmsg_res_lookup() to use a switch, which eliminates a Clang
    warning (#14, #35).

  * Add a message filtering capability to the libnmsg I/O loop, including
    external filter module plugin and nmsgtool support (#41, #43, #44).

  [ Mike Schiffman ]
  * Add yajl/ prefix to #include's of yajl headers (#37)

Pet portlint

Sponsored by:	Farsight Security, Inc.
@anahimself
Copy link

I am really interested to test this because I was trying on pfsense 2.2 and no success (missing file libgssapi_spnego.so.10 while msktutil, ...)

Can i patch the 3 files used on the stable 2.3 and debug with you if any trouble (for the others)?
(are you sure the msktutil uses /etc/krb5.conf on 2.3, because it apparently doesnt on 2.3 => creating a fake krb file for no reason)

@anahimself
Copy link

anahimself commented Apr 13, 2016
edited
Loading

Problem:
if (($auth_method != 'cp') or ($auth_method != 'adk')) {

This statement is always true, you should replace the test ;-)

Atm all is working but i miss a group member check too, will add this myself in the squid.conf

@anahimself
Copy link

Another comment, concerning the upn:
--upn HTTP/' . $hostname .
should be changed to
--upn HTTP/' . strtoupper($config['system']['hostname'])

all the rest seems very good so far

@gitdevmod
Copy link
Author

Hi @anahimself, thanks for your comments, I've not tried this patch since my last commit, not sure it will apply cleanly

@anahimself
Copy link

Good job anyway for all that

@gitdevmod
Copy link
Author

I still think it's a nice feature to have in pfsense, maybe you can fork and update the patch :)

@netgate-git-updates
Copy link

Before this pull request can be accepted you must first sign a CLA as described at https://www.pfsense.org/about-pfsense/#cla. Please read for more details.

@gitdevmod
Copy link
Author

Hi, I don't think it can apply correctly, if anyone is interested you can reuse it.

@anahimself
Copy link

Got it working in production, very useful

@rbgarga
Copy link
Member

rbgarga commented Aug 4, 2016

CLA was not signed, closing.

@rbgarga rbgarga closed this Aug 4, 2016
@leeramsay
Copy link

This would be a crazy useful feature, is there no way this can be advanced without the original author signing CLA? It looks like it worked out of the box, and a few people have tested it.

@anahimself
Copy link

I agree.
It is an awesome feature, rarely implemented but a lot more efficient than NTLM.
I can easily give the modifications I made on the 3 files if any (wrong auth_method test + upn fix).
It is in production since 5 months ;-)

@doktornotor
Copy link
Contributor

doktornotor commented Jan 15, 2017
edited
Loading

If someone wants to do a new PR to add this, of course feel free. Before doing that, however, you'd better discuss the pitfalls. Such as, depending on packages that conflict with base pfSense dependencies (openldap-sasl-client) is a no go from the very beginning (so, presumably this would require changes in pfSense itself). Best to discuss first in the forums before implementing something.

@rbgarga - Having hard time understanding the differences between openldap24-sasl-client and openldap24-client ports, or why are those even separate.

netgate-git-updates pushed a commit that referenced this pull request Apr 28, 2017
@DonLewisFreeBSD
Upgrade fstrm to version 0.3.2:
0653b74 
 * Accomodate systems without pthread_condattr_setclock (Issue #34)

PR:		218554
Approved by:	Leo Vandewoestijne <[email protected]> (maintainer)
Sponsored by:	Farsight Security, Inc.
netgate-git-updates pushed a commit that referenced this pull request Sep 3, 2024
@fraggerfox
sysutils/pfetch: Update to 1.4.0
8aa1ffa 
Changes since 1.3.0:

1.4.0

What's Changed

  * Add support for more package managers by @AlbydST in #34
  * Support Digital UNIX (aka Tru64 UNIX)
  * Support HP-UX
  * PF_KERNEL variable to control the displayed kernel version
  * Support disk info for NetBSD

Full Changelog: Un1q32/pfetch@1.3.0...1.4.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@gitdevmod @anahimself @netgate-git-updates @rbgarga @leeramsay @doktornotor @marcelloc