How to Configure LDAP Authentication with Google Cloud Identity on OPNsense?
Users can be authenticated on OPNsense installations using the Google Cloud Identity LDAP (Lightweight Directory Access Protocol) service. The Google Secure LDAP service provides a straightforward and protected method of connecting LDAP-based services and applications to Google Workspace or Cloud Identity. With Secure LDAP, Cloud Directory functions as a cloud-based LDAP server for authentication, authorization, and directory lookups. Companies that have already moved e-mail and drive storage to Google can now use the service for LDAP-based authentication, so there is no need to maintain separate authentication services locally and on Google Workspace.
OPNsense firewalls are capable of employing client certificates that are stored directly on LDAP authentication sources.
An LDAP server is implemented in a variety of ways and used or provided by several directory service offerings like OpenLDAP, Google Cloud Identity, and Microsoft Active Directory (AD). OPNsense utilizes an LDAP server for authorization and authentication purposes regarding components of the graphical user interface (the web configurator). In order to define privileges for the GUI using LDAP, the local user manager must perform an import of the users from the LDAP source.
A typical case is a multi-site organization that uses G Suite Enterprise for storage and email, does not wish to operate a local LDAP server, but still wants centralized authentication for the firewalls at all of its sites. Companies may also use LDAP authentication on OPNsense for their captive portal, virtual private network (VPN), or squid caching proxy users.
In order to establish a secure LDAP connection, firewalls operating on OPNsense must incorporate the stunnel program.
There are several procedures involved in configuring an OPNsense firewall to utilize G Suite LDAP authentication; each of these procedures is detailed in this document.
Additionally, LDAP can be integrated with two-factor authentication.
- Configure the LDAP Application on the G Suite admin portal
- Download the certificate, key, username and password
- Import the certificate and key
- Install the stunnel package on OPNsense
- Configure the stunnel package
- Configure LDAP authentication on OPNsense
- Test G Suite LDAP Authentication
- Use G Suite LDAP for Administrative Logins
- Importing G Suite LDAP Users
1. Configure the LDAP Application on the G Suite admin portal
Supported editions of G Suite for the Secure LDAP service are Frontline Standard; Business Plus; Enterprise Standard and Enterprise Plus; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus; and Enterprise Essentials Plus. Follow the instructions in the official Google documentation, or follow the steps below to configure and enable the G Suite LDAP client.
- Sign in to the Google Admin console.
- Click on Apps and LDAP, or select Apps from the hamburger menu and choose LDAP.
- From the LDAP app, click on Add Client.
- Name your client, enter a description (optional).
- Click CONTINUE.
- Configure permissions for access by selecting "Entire domain" for the "Verify user credentials" field, unless you are employing organizational units to achieve greater specificity, such as marketing, sales, and so forth.
- "Entire domain" should be selected for the "Read user information" option.
- Activate "Read group information" if you intend to map to groups via the MEMBER_OF attribute in your LDAP query; otherwise, do not include this attribute.
- Click ADD LDAP CLIENT.
- Go to Client Details page by clicking on Edit details.
- Select the ON for everyone radio button in the Service status pane.
- Click SAVE.
Having set the service status of the client to "on," you can now configure access for your users via the Admin Web UI.
2. Download the certificate, key, username and password
Download the certificate, key, username and password from G Suite to a local directory on a workstation. You may use the link provided on the confirmation page or access the generated certificate through the client's details page. A ZIP file containing both the certificate and the key will be downloaded.
3. Import the certificate and key
You may import certificate and key into your OPNsense firewall by following the next steps:
- Navigate to System → Trust → Certificates tab.
Figure 1. Trust Certificates on OPNsense
- Click the + Add button to display the certificate import interface.
- Select Import an existing certificate from the Method dropdown menu.
- Type a Descriptive name, such as G Suite LDAP.
- Copy and paste the contents of the downloaded certificate into the Certificate data field.
- Copy and paste the contents of the downloaded key into the Private Key data field.
Figure 2. Importing G-Suite LDAP Certificate on OPNsense
- Click Save.
The firewall can now use the G Suite LDAP certificate.
4. Install the stunnel plugin on OPNsense
Stunnel is a proxy that provides the ability to encrypt existing clients and servers with TLS without requiring any modifications to the source code of the applications.
OPNsense's stunnel plugin enables the secure forwarding of TCP connections via TLS with mutual authentication. While stunnel itself also allows pre-shared key authentication, the OPNsense plugin supports certificate-based authentication only. This method offers stronger security but adds more overhead per connection.
Figure 3. Stunnel functionality on OPNsense
The client component (which is not included in this plugin's delivery) establishes a connection with the server via a predefined port and initiates the forwarding of locally received packets to the opposite end of the tunnel, as depicted in the diagram above.
Tunneling HTTP proxy traffic is one of the more prevalent applications of the stunnel.
You may install the stunnel plugin on your OPNsense firewall by following the next steps:
- Navigate to System → Firmware → Plugins on your OPNsense web UI.
- Type stunnel in the search field.
Figure 4. Installing stunnel package on OPNsense
- Click the + icon next to os-stunnel to install the plugin.
5. Configure the stunnel plugin
You may configure the stunnel plugin on OPNsense by following the next steps:
- Navigate to VPN → STunnel → Configuration on your OPNsense web UI.
- Click the + Add button to add a new profile.
Figure 5. stunnel configuration on OPNsense
- Type the Listen address. It is generally recommended to listen on a loopback interface and direct traffic to that address via port forwarding. Keep the default value (127.0.0.1) for this example.
Warning: when selecting an interface that does not support loopback, ensure that it is static.
- Type the Listen port to which the stunnel client connects. Here, port 1636 is used for the example.
- Type the Target hostname: the hostname or IP address of the service to which the connection is made, in this case ldap.google.com.
- Type the Target port on which the service listens, in this case 636.
- Choose the Certificate that was imported previously, in this case G Suite LDAP.
- You may select the Enable CRL option to enable certificate revocation lists. When selected, a CRL named in the format XXXXXXXX.r0 is required in the /var/run/stunnel/certs directory. If certificates are managed from this device, all attached CRLs are generated automatically. Without a valid CRL and configuration, all connections are denied. A stunnel restart may be required after additions (if the certificate has already been used).
- Type a Description that identifies this tunnel and is easy for users to understand, such as G Suite LDAP.
- Enable Client Mode by ticking the checkbox.
- You may leave the other settings at their defaults.
- Click Save to save the settings.
Figure 6. Configuring stunnel on OPNsense
- Click Apply to activate the settings.
Figure 7. Applying stunnel configuration on OPNsense
To harden the service further, you may enable chroot mode for the tunnel. This has a drawback, however: after a restart, stunnel loses access to the system logging facility (syslog), so log visibility is lost from that point on.
6. Configure LDAP authentication on OPNsense
To add a new LDAP server as an authentication source you may follow the next steps:
- Navigate to System → Access → Servers on the OPNsense web UI.
- Click the + Add button in the top right corner.
Figure 8. Access servers on OPNsense
- Enter a Descriptive name for this LDAP server, such as G Suite.
- Set Hostname or IP address to 127.0.0.1.
- Set the Port value to 1636.
- Type the G Suite LDAP username and password that were created with the certificate and key into the Bind credentials fields.
- Type the domain name in DN format into the Base DN field, for example dc=mycompany,dc=com.
- Fill in the Authentication containers: the Base DN prefixed with the Users organizational unit, for example ou=Users,dc=mycompany,dc=com.
- You may leave the other settings at their defaults.
- Click Save to store the settings.
Figure 9. Access servers settings on OPNsense
7. Test G Suite LDAP Authentication
After implementing the comprehensive configuration outlined earlier, authentication against Google G Suite LDAP is now feasible. You may test the authentication initially to ensure that it is functioning correctly by following the next steps:
- Navigate to the System → Tester menu.
- Select the LDAP server entry, such as G Suite, as the Authentication Server.
- Type the Username and Password of a known account in the G Suite-managed domain into the related fields.
- Click Test.
Figure 10. LDAP test on OPNsense
By default, only the username component of the login is validated against the configured LDAP base DN. When an identity is provided with a domain component (user@domain), the domain portion is disregarded.
The user should be reported as successfully authenticated. Once the test passes, the service is operational and can be used as an authentication source for the graphical user interface, captive portal, squid proxy, VPNs, or anywhere else OPNsense uses user manager authentication servers.
If the test fails, check the main system log for LDAP error messages. Then compare every setting in this document, in G Suite, and on OPNsense, starting from the beginning. Most issues stem from incorrect input, such as selecting the wrong certificate, using an incorrect LDAP attribute name, or using the wrong bind credentials.
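As an added illustration of the login handling described above (this is example code, not OPNsense's own implementation): the domain part of the login is dropped, the remaining username is escaped before it is placed in an LDAP filter so that a crafted login cannot widen the search, and the lookup is confined to the configured authentication container. The naming attribute uid, the function names, and the misconfiguration check are assumptions.

```python
# Added illustration of the login handling described above; not OPNsense code.
# Base DN and authentication container are the values from the walkthrough.
BASE_DN = "dc=mycompany,dc=com"
AUTH_CONTAINERS = ["ou=Users,dc=mycompany,dc=com"]
NAMING_ATTR = "uid"  # assumption: the page does not name the user naming attribute

# RFC 4515 escaping for characters that are special inside a filter assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_name(identity):
    """Keep only the username part; the domain after '@' is disregarded."""
    return identity.split("@", 1)[0]


def _normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def container_in_base(container, base):
    """True when the authentication container lies under the configured Base DN."""
    c, b = _normalize_dn(container), _normalize_dn(base)
    return c == b or c.endswith("," + b)


def build_search(identity, containers=None, base=BASE_DN):
    """Return (search base, filter) pairs, one lookup per authentication container.

    Raises ValueError for a container outside the Base DN, a common misconfiguration
    (assumed check, not something the page states OPNsense performs).
    """
    containers = AUTH_CONTAINERS if containers is None else containers
    for c in containers:
        if not container_in_base(c, base):
            raise ValueError("authentication container %s is not under %s" % (c, base))
    ldap_filter = "(%s=%s)" % (NAMING_ATTR, escape_filter_value(login_name(identity)))
    return [(c, ldap_filter) for c in containers]


if __name__ == "__main__":
    print(build_search("alice@mycompany.com"))
    # A crafted login cannot widen the filter: its metacharacters are escaped
    print(build_search("*)(uid=*"))
```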
8. Enable G Suite LDAP Server for Administrative Logins
Assuming all is well and the user has successfully authenticated, you may start to use G Suite for administrative logins on OPNsense by following the next steps:
- Navigate to System → Settings → Administration on the OPNsense web UI.
- Scroll down to the Authentication pane.
- Select G Suite as the Server. You may also select Local Database as an alternative authentication server.
- Click Save.
Figure 11. Setting Authentication server on OPNsense
After saving, firewall web UI users are authenticated using Google Cloud Identity.
9. Importing G Suite LDAP Users
To grant G Suite LDAP users access to the graphical user interface, the users must be imported into the local user manager by following next steps:
- Navigate to System → Access → Users, where a cloud import icon appears in the form's upper right corner.
- Click the cloud import icon to start the user import.
- A new form listing the users appears; select those you wish to import.
Figure 12. Importing LDAP users on OPNsense