Using Google Cloud Identity Secure LDAP with pfSense
October 2018 Hangout
Jim Pingle
YouTube Live
If the video looks fuzzy, YouTube set the auto quality too low. Click the gear and choose 720p!
About this Hangout
● Netgate News
● What is LDAP?
● Google Cloud Secure LDAP
● Example Use Cases
● Security Concerns
● Setup on Google Cloud
● Setup pfSense CE/pfSense 2.4.4
● Setup Factory 2.4.4-p1 or later
● Create Groups on pfSense
● Testing Authentication
● Using LDAP for pfSense Administrative Logins
● Other Uses
Google Partner Manager McCall McIntyre is in the audience today (Say hi!)
Netgate News
● TNSR now available on Netgate Appliances
– https://www.netgate.com/press-releases/tnsr-now-available-on-netgate-appliances.html
– Netgate SG-5100, XG-1537, and XG-1541 for now, more models in the future
● pfSense 2.4.4-RELEASE is out!
– If you have not upgraded yet, carefully read the release blog post, release notes, and upgrade guide
● https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html
● https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html
● https://www.netgate.com/docs/pfsense/install/upgrade-guide.html
– Do not attempt to upgrade existing packages or install new packages on older releases before upgrading to pfSense 2.4.4
● SG-5100 shipping now!
● SG-1000 is now End of Sale
– Still supported, but no new device sales
– New device coming soon to take its place, details coming!
● pfSense 2.3.x has reached its End of Life
– https://www.netgate.com/blog/pfsense-release-2-3-x-eol-reminder.html
Netgate News
● Netgate Dual-Ethernet MinnowBoard Turbot device offers
– MBT-4220 price lowered to $299
– MBT-2220 and MBT-4220 now have an optional “black flame” laser etching add-on
– MBT devices now ship with a credit card sized USB key pre-loaded with pfSense (use in bottom USB port)
– https://www.netgate.com/blog/netgate-dual-ethernet-minnowBoard-turbot-with-pfsense-special-offer.html
● Linux Foundation Networking survey of Communication Service Providers
– https://www.netgate.com/blog/csps-ready-to-steamroll-open-source-networking.html
– https://www.lightreading.com/nfv/nfv-specs-open-source/the-reality-of-open-networking-in-csp-transformation-/a/d-id/746620
● Jim Thompson spoke at the Embedded Linux Conference earlier this week; his talk was about the technologies behind TNSR and how it is changing the high-end router market
What is LDAP?
● Lightweight Directory Access Protocol
● Used for a variety of reasons, such as
– Central Authentication & Authorization
● VPN, computer/network/server logins, IMAP/POP3, web applications, appliances, etc.
– Organization directory (e.g. e-mail contacts)
– Store data about people/groups/units/entities
● Implemented in a variety of ways, and used or provided by several directory service offerings, such as:
– OpenLDAP
– Google Cloud Identity (now)
– Microsoft Active Directory
– Apple Open Directory
– Novell eDirectory
● Covered previously in other hangouts, the book, etc.
– https://www.netgate.com/resources/videos/radius-and-ldap-on-pfsense-24.html
Google Cloud Secure LDAP
● Secure LDAP service that ties back to Google Cloud Identity
● Can be used for authenticating cloud-hosted or on-premises applications and services
● Companies that have already offloaded e-mail and drive storage to Google can now also use the service for LDAP-based central auth
– No need to maintain separate authentication infrastructures and accounts locally and on Google services
● Easy-to-use account management where users can maintain their own passwords
● Currently rolling out to Cloud Identity and G Suite Enterprise customers over the next few weeks
● https://cloud.google.com/blog/products/identity-security/simplifying-identity-and-access-management-for-more-businesses
● https://cloud.google.com/identity/
● The setup described in this Hangout is also covered in the online pfSense docs
– https://www.netgate.com/docs/pfsense/usermanager/google-gsuite-auth-source.html
Example Use Cases
● A company with multiple locations that uses G Suite Enterprise for e-mail and storage, does not want to run a local LDAP server, but still wants to take advantage of central authentication for firewalls at all locations
● A company that wants to use central authentication for VPNs, taking advantage of the accounts already set up in Cloud Identity
● Any other similar cases where using the hosted service has less overhead and management than maintaining a local service
Security Concerns
● Similar concerns to any hosted services or centrally located services across multiple locations in an organization
● The classic tradeoff here is ease of management vs loss of control
● Since the service itself is not controlled locally, there is some level of trust / risk involved
– Do you trust Google to handle this task?
– If you are using Cloud Identity / G Suite, odds are that is already something your org has decided!
● Service is contingent on an active Internet connection and the service being up
– pfSense will fall back to local authentication in this case when used for web interface logins
– When used across multiple locations, the same connectivity concern applies there as well
– Primary factor there is reliability of the ISP or availability of redundant connectivity, which is not directly related to Google or this service specifically
– Service availability concerns are low, as Google has a good track record of reliability
● This does not open a channel through which Google can reach into your firewall or other devices
– Communication is initiated one way: the device queries the LDAP server, the LDAP server responds with the results of the query
Setup on Google Cloud
● Currently requires an account using the "Cloud Premium" or "G Suite Enterprise" tier
● Follow Google’s setup document at https://support.google.com/cloudidentity/answer/9048516
– This must be followed exactly
– Not shown here because it varies by org and Google’s docs cover it thoroughly
● Download the certificate and its key for use by pfSense
● During the setup process, generate access credentials (username and password) to be used as bind credentials
– https://support.google.com/cloudidentity/answer/9048541#generate-access-codes
● Create any required groups and add members to these groups
– Note the exact names used, as you will need to make groups with the same names on pfSense later!
Setup on pfSense
● First step is to import the certificate
– Open the certificate files from Google in a text editor (Notepad, Notepad++, UE, etc.)
– Navigate to System > Cert manager, Certificates tab
– Click Add/Sign to display the certificate import interface
– Change Method to Import an existing certificate
– Enter a Descriptive name, such as Google Cloud LDAP Client
– Copy and paste the contents of the downloaded certificate into the Certificate data box
– Copy and paste the contents of the downloaded key into the Private Key data box
– Click Save
● Next steps depend on pfSense version (CE or Factory 2.4.4-p1)
Setup stunnel for CE or pfSense 2.4.4
● On pfSense CE, and even on Factory 2.4.4 and earlier, the LDAP client on the firewall does not directly support an SSL client certificate, only a server certificate
● The stunnel package works around this, setting up an encrypted tunnel to Google Cloud Secure LDAP that can use the client certificate imported in the previous step
● This requires stunnel package version 5.37; update the package if it’s already installed on pfSense 2.4.4 but out of date
● If not already on pfSense 2.4.4, upgrade to pfSense 2.4.4
● If the stunnel package is not installed, install it from System > Package Manager, Available Packages tab
Setup stunnel for CE or pfSense 2.4.4
● Next, configure stunnel to connect to Google Cloud Secure LDAP
● Navigate to Services > STunnel
● Click Add to create a new profile
● Enter a Description for this connection, such as Google Cloud Secure LDAP
● Check Client Mode
● Set Listen on IP to 127.0.0.1
● Set Listen on port to 1636
● Set the Certificate to the entry imported previously, in this case Google Cloud LDAP Client
● Set Redirects to IP to ldap.google.com
● Set Redirects to port to 636
● Click Save
Setup LDAP for CE or pfSense 2.4.4 (stunnel)
● This scenario is for CE or Factory 2.4.4 using stunnel
● Select System > User manager, Authentication servers tab
● Click Add to create a new entry
● Enter a Descriptive name for this LDAP server, such as Google Cloud Secure LDAP
● Set Type to LDAP
● Set the Hostname or IP address to 127.0.0.1 so pfSense will connect through stunnel
● Set Port value to 1636
● Set Transport to TCP-Standard
– Since stunnel handles the encryption, this step uses plain TCP only; the unencrypted hop goes only to localhost and never leaves the firewall, so there is no danger
● Set Protocol version to 3
● Set Server timeout to 25
● Set Search scope to Entire tree
Setup LDAP for Factory 2.4.4-p1 or later
● This scenario is for Factory 2.4.4-p1 or later using built-in LDAP client certificate support
● Select System > User manager, Authentication servers tab
● Click Add to create a new entry
● Enter a Descriptive name for this LDAP server, such as Google Cloud Secure LDAP
● Set Type to LDAP
● Set the Hostname or IP address to ldap.google.com
● Set Port value to 636
● Set Transport to SSL - Encrypted
● Set Peer Certificate Authority to Global Root CA List
● Set Client Certificate to the entry imported previously, in this case Google Cloud LDAP Client
● Set Protocol version to 3
● Set Server timeout to 25
● Set Search scope to Entire tree
Common LDAP Server Entries
● These settings are unique to your domain/account; the example shown in the hangout (pfsense.org) or the docs (example.com) is shown only as a demonstration and must be replaced with the actual domain name and equivalent components!
– Set Base DN to the domain name in DN format
● Ex: dc=example,dc=com
– Set Authentication containers to the Base DN prepended by the Users organizational unit
● Ex: ou=Users,dc=example,dc=com
– Uncheck Bind anonymous to show Bind Credentials
– Set Bind credentials to the Secure LDAP username and password that were created on Google Cloud earlier
● Set User naming attribute to uid
● Set Group naming attribute to cn
● Set Group member attribute to memberOf
● Click Save
Create Groups on pfSense
● When using LDAP auth for the pfSense WebGUI, permissions are mapped to users and groups based on the values returned from LDAP and entries that exist locally
● If an LDAP user is a member of a group and that group exists on pfSense with an identical name, then the user will have the privileges assigned to that group
– Similarly, if an LDAP username matches a local user, the privileges of that user also apply
● Earlier, you made groups on Google Cloud and added members; now we need to create matching entries on pfSense
Create Groups on pfSense
● Create the group on pfSense
– Navigate to System > User Manager, Groups tab
– Click Add to make a new group entry
– Enter the Group name (Ex: fwadmins)
– Set the Scope to Remote
– Enter a Description, e.g. Remote Firewall Administrators
– Click Save
● Edit the group again to add privileges
– Click the pencil icon on the row for the newly created group
– Click Add in the Assigned Privileges section
– Select the desired permissions for the group, for example: WebCfg - All pages
● Do not select every item in this list! That will also select User - Config: Deny Config Write, which prevents users from making changes to the configuration
– Click Save to store the privileges
Testing LDAP Authentication
● Test from Diagnostics > Authentication
● Select the Google Cloud Secure LDAP server from the list and enter valid credentials, then click Test
● If auth was successful, it should also list any groups the user is a member of which were also found locally on pfSense
– If auth worked but no groups were found, ensure that the name of the group matches on Google Cloud and on pfSense, and ensure the user is a member of the group in the settings for the account on Google Cloud
● If the authentication failed, check the main system log for errors and review every step in this hangout and the online docs again
● May need to run console menu options 16 (Restart PHP-FPM) and 11 (Restart webConfigurator) from the console or SSH after SSL changes to clear the LDAP environment settings
● Only the username is checked; anything after the @ is ignored when entered
– For example, joe@example.com will auth the same as joe@movie.edu
– The domain is ignored; only the username is taken and authenticated inside of the configured LDAP containers
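The group and username mapping from the two slides above, modeled as an added example (not pfSense or Netgate code): the login is reduced to the part before @, the user is looked up inside the configured authentication container by uid, the cn of each memberOf DN is matched against local group names, and the privileges of the matched groups are combined. The directory entry and local groups are constructed sample data; the attribute names and the example.com Base DN are the settings from the hangout.

```python
"""Model of how a Google Cloud Secure LDAP login maps to pfSense privileges.

Added example, not pfSense or Netgate code. The directory entry and the local
groups are constructed sample data; the attribute names (uid, cn, memberOf),
the Base DN layout and the Remote group scope are the settings from the slides.
"""
from dataclasses import dataclass
from typing import Optional

# Settings from the "Common LDAP Server Entries" slide (example.com placeholder)
BASE_DN = "dc=example,dc=com"
AUTH_CONTAINERS = ["ou=Users," + BASE_DN]
USER_NAMING_ATTR = "uid"
GROUP_NAMING_ATTR = "cn"
GROUP_MEMBER_ATTR = "memberOf"
DENY_CONFIG_WRITE = "User - Config: Deny Config Write"

# Constructed sample of what Secure LDAP returns for one user (not real data)
DIRECTORY = {
    "uid=joe,ou=Users,dc=example,dc=com": {
        "uid": ["joe"],
        "memberOf": [
            "cn=fwadmins,ou=Groups,dc=example,dc=com",
            "cn=VPNusers,ou=Groups,dc=example,dc=com",
            "cn=sales,ou=Groups,dc=example,dc=com",   # no local counterpart
        ],
    },
}


@dataclass
class LocalGroup:
    name: str           # must match the Google Cloud group name exactly
    scope: str          # "Remote" for groups created for LDAP users
    privileges: frozenset


# Constructed local pfSense groups; 'sales' is deliberately missing
LOCAL_GROUPS = [
    LocalGroup("fwadmins", "Remote", frozenset({"WebCfg - All pages"})),
    LocalGroup("VPNusers", "Remote", frozenset({"User - VPN: OpenVPN"})),
    LocalGroup("admins", "Local", frozenset({"WebCfg - All pages"})),
]


def normalize_login(login: str) -> str:
    """Only the username is checked; anything after '@' is ignored."""
    return login.split("@", 1)[0]


def rdn_value(dn: str, attr: str) -> Optional[str]:
    """Value of the first RDN of `dn` when its attribute type is `attr`."""
    name, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if name.strip().lower() == attr.lower() else None


def find_user(login: str) -> Optional[dict]:
    """Look the normalized username up inside the configured containers."""
    uname = normalize_login(login)
    for dn, entry in DIRECTORY.items():
        in_container = any(dn.lower().endswith("," + c.lower()) for c in AUTH_CONTAINERS)
        if in_container and uname in entry.get(USER_NAMING_ATTR, []):
            return entry
    return None


def ldap_group_names(entry: dict) -> set:
    """Group names the directory reports, taken from the cn of each memberOf DN."""
    names = set()
    for group_dn in entry.get(GROUP_MEMBER_ATTR, []):
        name = rdn_value(group_dn, GROUP_NAMING_ATTR)
        if name:
            names.add(name)
    return names


def matched_groups(login: str) -> list:
    """Local groups whose name is identical to an LDAP group of the user."""
    entry = find_user(login)
    if entry is None:
        return []
    names = ldap_group_names(entry)
    return [g.name for g in LOCAL_GROUPS if g.name in names]


def effective_privileges(login: str) -> set:
    """Union of the privileges of every matched local group."""
    wanted = set(matched_groups(login))
    privs = set()
    for g in LOCAL_GROUPS:
        if g.name in wanted:
            privs |= g.privileges
    return privs


def config_write_denied(privileges: set) -> bool:
    """True when 'select all' on the privilege list slipped in Deny Config Write."""
    return DENY_CONFIG_WRITE in privileges


if __name__ == "__main__":
    for login in ("joe@example.com", "joe@movie.edu", "nobody@example.com"):
        groups = matched_groups(login)
        print(f"{login:20} -> user {normalize_login(login)!r}, groups {groups}")
```

Running it shows joe@example.com and joe@movie.edu resolving to the same user and the same two groups, while the LDAP group sales contributes nothing because no local group carries that name.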
Use LDAP For pfSense Administration Logins
● Assuming authentication was successful and showed the correct groups, the server can now be used for authenticating users on pfSense!
– Note that currently this only works for the GUI, and not SSH
● To change pfSense so it uses Google Cloud Secure LDAP for firewall authentication…
– Navigate to System > User manager, Settings tab
– Set the Authentication server to Google Cloud Secure LDAP
– Click Save
● After completing those steps, log out and then back in using a Google account for your organization
● If the account fails, see the previous troubleshooting steps
● When LDAP authentication fails, local authentication is tried
– A local account such as the default admin user can be used to get back in and adjust settings as needed if the LDAP server is failing authentication or unreachable
Alternate Uses
● Use directly for VPN auth if all users have access
– Users still need certs for SSL/TLS auth in OpenVPN
– Can use auth without certs if needed (easier, but less secure)
● Add another LDAP server entry using an extended filter so that it can only auth a single group, e.g. VPNusers, then use that server for OpenVPN/IPsec
● Central Captive Portal auth source for the entire company
Conclusion
● Questions?
● Additional Resources for LDAP and Privileges:
– https://www.netgate.com/resources/videos/radius-and-ldap-on-pfsense-24.html
– https://www.netgate.com/resources/videos/user-management-and-privileges-on-pfsense-24.html
– https://www.netgate.com/docs/pfsense/book/usermanager/index.html
● Ideas for hangout topics? Post on forum, Reddit, etc.

Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
 
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018Local DNS with pfSense 2.4 - pfSense Hangout April 2018
Local DNS with pfSense 2.4 - pfSense Hangout April 2018
 
Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017
 
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
 
High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
 
DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016
 
High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
 
NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016
 
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
 
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
 
Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016
 
pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015
 
Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015
 

Recently uploaded

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 

Recently uploaded (20)

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 

Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout October 2018

  • 1. Using Google Cloud Identity Secure LDAP with pfSense
    October 2018 Hangout
    Jim Pingle
  • 2. Youtube Live
    If the video looks fuzzy, Youtube set the auto quality too low. Click the gear and choose 720p!
  • 3. About this Hangout
    ● Netgate News
    ● What is LDAP?
    ● Google Cloud Secure LDAP
    ● Example Use Cases
    ● Security Concerns
    ● Setup on Google Cloud
    ● Setup pfSense CE/pfSense 2.4.4
    ● Setup Factory 2.4.4-p1 or later
    ● Create Groups on pfSense
    ● Testing Authentication
    ● Using LDAP for pfSense Administrative Logins
    ● Other Uses
    Google Partner Manager McCall McIntyre is in the audience today (Say hi!)
  • 4. Netgate News
    ● TNSR now available on Netgate Appliances
      – https://www.netgate.com/press-releases/tnsr-now-available-on-netgate-appliances.html
      – Netgate SG-5100, XG-1537, and XG-1541 for now, more models in the future
    ● pfSense 2.4.4-RELEASE is out!
      – If you have not upgraded yet, carefully read the release blog post, release notes, and upgrade guide
        ● https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html
        ● https://www.netgate.com/docs/pfsense/releases/2-4-4-new-features-and-changes.html
        ● https://www.netgate.com/docs/pfsense/install/upgrade-guide.html
      – Do not attempt to upgrade existing packages or install new packages on older releases before upgrading to pfSense 2.4.4
    ● SG-5100 shipping now!
    ● SG-1000 is now End of Sale
      – Still supported, but no new device sales
      – New device coming soon to take its place, details coming!
    ● pfSense 2.3.x has reached its End of Life
      – https://www.netgate.com/blog/pfsense-release-2-3-x-eol-reminder.html
  • 5. Netgate News
    ● Netgate Dual-Ethernet MinnowBoard Turbot device offers
      – MBT-4220 price lowered to $299
      – MBT-2220 and MBT-4220 now have an optional “black flame” laser etching add-on
      – MBT devices now ship with a credit card sized USB key pre-loaded with pfSense (use in bottom USB port)
      – https://www.netgate.com/blog/netgate-dual-ethernet-minnowBoard-turbot-with-pfsense-special-offer.html
    ● Linux Foundation Networking survey of Communication Service Providers
      – https://www.netgate.com/blog/csps-ready-to-steamroll-open-source-networking.html
      – https://www.lightreading.com/nfv/nfv-specs-open-source/the-reality-of-open-networking-in-csp-transformation-/a/d-id/746620
    ● Jim Thompson spoke at the Embedded Linux Conference earlier this week; his talk was about the technologies behind TNSR and how it is changing the high-end router market
  • 6. What is LDAP?
    ● Lightweight Directory Access Protocol
    ● Used for a variety of reasons, such as
      – Central Authentication & Authorization
        ● VPN, computer/network/server logins, IMAP/POP3, web applications, appliances, etc.
      – Organization directory (e.g. e-mail contacts)
      – Store data about people/groups/units/entities
    ● Implemented in a variety of ways, and used or provided by several directory service offerings, such as:
      – OpenLDAP
      – Google Cloud Identity (now)
      – Microsoft Active Directory
      – Apple Open Directory
      – Novell eDirectory
    ● Covered previously in other hangouts, the book, etc.
      – https://www.netgate.com/resources/videos/radius-and-ldap-on-pfsense-24.html
  • 7. Google Cloud Secure LDAP
    ● Secure LDAP service that ties back to Google Cloud Identity
    ● Can be used for authenticating cloud-hosted or on-premises applications and services
    ● Companies that have already offloaded e-mail and drive storage to Google can now also use the service for LDAP-based central auth
      – No need to maintain separate authentication infrastructures and accounts locally and on Google services
    ● Easy-to-use account management where users can maintain their own passwords
    ● Currently rolling out to Cloud Identity and G Suite Enterprise customers over the next few weeks
    ● https://cloud.google.com/blog/products/identity-security/simplifying-identity-and-access-management-for-more-businesses
    ● https://cloud.google.com/identity/
    ● The setup described in this Hangout is also covered in the online pfSense docs
      – https://www.netgate.com/docs/pfsense/usermanager/google-gsuite-auth-source.html
  • 8. Example Use Cases
    ● A company with multiple locations that uses G Suite Enterprise for e-mail and storage, does not want to run a local LDAP server, but still wants to take advantage of central authentication for firewalls at all locations
    ● A company that wants to use central authentication for VPNs, taking advantage of the accounts already set up in Cloud Identity
    ● Any other similar case where using the hosted service has less overhead and management than maintaining a local service
  • 9. Security Concerns
    ● Similar concerns to any hosted service, or any centrally located service shared across multiple locations in an organization
    ● The classic tradeoff here is ease of management vs loss of control
    ● Since the service itself is not controlled locally, there is some level of trust / risk involved
      – Do you trust Google to handle this task?
      – If you are using Cloud Identity / G Suite, odds are that is already something your org has decided!
    ● Service is contingent on an active Internet connection and the service being up
      – pfSense will fall back to local authentication in this case when used for web interface logins
      – When used across multiple locations, the same connectivity concern applies there as well
      – The primary factor there is reliability of the ISP or availability of redundant connectivity, which is not directly related to Google or this service specifically
      – Service availability concerns are low, as Google has a good track record of reliability
    ● This does not open a channel through which Google can reach into your firewall or other devices
      – Communication is initiated one way: the firewall opens the connection and queries the LDAP server, and the server only responds with the results of that query
    ● The bind credentials and the private key of the client certificate are stored in the firewall configuration, so anyone who can read a configuration backup can use them to query the directory; protect backups accordingly
  • 10. Setup on Google Cloud
    ● Currently requires an account using the "Cloud Premium" or "G Suite Enterprise" tier
    ● Follow Google’s setup document at https://support.google.com/cloudidentity/answer/9048516
      – This must be followed exactly
      – Not shown here because it varies by org and Google’s docs cover it thoroughly
    ● Download the certificate and its key for use by pfSense
    ● During the setup process, generate access credentials (username and password) to be used as bind credentials
      – https://support.google.com/cloudidentity/answer/9048541#generate-access-codes
    ● Create any required groups and add members to these groups
      – Note the exact names used, as you will need to make groups with the same name on pfSense later!
  • 11. Setup on pfSense
    ● First step is to import the certificate
      – Open the certificate files from Google in a text editor (Notepad, Notepad++, UE, etc.)
      – Navigate to System > Cert manager, Certificates tab
      – Click Add/Sign to display the certificate import interface
      – Change Method to Import an existing certificate
      – Enter a Descriptive name, such as Google Cloud LDAP Client
      – Copy and paste the contents of the downloaded certificate into the Certificate data box
      – Copy and paste the contents of the downloaded key into the Private Key data box
      – Click Save
    ● Next steps depend on pfSense version (CE or Factory 2.4.4-p1)
  • 12. Setup stunnel for CE or pfSense 2.4.4
    ● On pfSense CE, and even on Factory 2.4.4 and earlier, the LDAP client on the firewall does not directly support a TLS client certificate, only validating the server certificate
    ● The stunnel package works around this by setting up an encrypted tunnel to Google Cloud Secure LDAP that presents the client certificate imported in the previous step
    ● This requires stunnel package version 5.37; update the package if it is already installed on pfSense 2.4.4 but out of date
    ● If not already on pfSense 2.4.4, upgrade to pfSense 2.4.4
    ● If the stunnel package is not installed, install it from System > Package Manager, Available Packages tab
  • 13. Setup stunnel for CE or pfSense 2.4.4
    ● Next, configure stunnel to connect to Google Cloud Secure LDAP
    ● Navigate to Services > STunnel
    ● Click Add to create a new profile
    ● Enter a Description for this connection, such as Google Cloud Secure LDAP
    ● Check Client Mode
    ● Set Listen on IP to 127.0.0.1
    ● Set Listen on port to 1636
    ● Set the Certificate to the entry imported previously, in this case Google Cloud LDAP Client
    ● Set Redirects to IP to ldap.google.com
    ● Set Redirects to port to 636
    ● Click Save
  • 14. Setup LDAP for CE or pfSense 2.4.4 (stunnel)
    ● This scenario is for CE or Factory 2.4.4 using stunnel
    ● Select System > User manager, Authentication servers tab
    ● Click Add to create a new entry
    ● Enter a Descriptive name for this LDAP server, such as Google Cloud Secure LDAP
    ● Set Type to LDAP
    ● Set the Hostname or IP address to 127.0.0.1 so pfSense will connect through stunnel
    ● Set Port value to 1636
    ● Set Transport to TCP-Standard
      – Since stunnel handles the encryption, this leg uses plain TCP, but it only crosses the loopback interface to stunnel on the same firewall and is never exposed on the network
    ● Set Protocol version to 3
    ● Set Server timeout to 25
    ● Set Search scope to Entire tree
  • 15. Setup LDAP for Factory 2.4.4-p1 or later
    ● This scenario is for Factory 2.4.4-p1 or later using built-in LDAP client certificate support
    ● Select System > User manager, Authentication servers tab
    ● Click Add to create a new entry
    ● Enter a Descriptive name for this LDAP server, such as Google Cloud Secure LDAP
    ● Set Type to LDAP
    ● Set the Hostname or IP address to ldap.google.com
    ● Set Port value to 636
    ● Set Transport to SSL - Encrypted
    ● Set Peer Certificate Authority to Global Root CA List
    ● Set Client Certificate to the entry imported previously, in this case Google Cloud LDAP Client
    ● Set Protocol version to 3
    ● Set Server timeout to 25
    ● Set Search scope to Entire tree
  • 16. Common LDAP Server Entries
    ● These settings are unique to your domain/account; the example shown in the hangout (pfsense.org) or the docs (example.com) is only a demonstration and must be replaced with the actual domain name and equivalent components!
      – Set Base DN to the domain name in DN format
        ● Ex: dc=example,dc=com
      – Set Authentication containers to the Users organizational unit followed by the Base DN
        ● Ex: ou=Users,dc=example,dc=com
      – Uncheck Bind anonymous to show Bind Credentials
      – Set Bind credentials to the Secure LDAP username and password that were created on Google Cloud earlier
    ● Set User naming attribute to uid
    ● Set Group naming attribute to cn
    ● Set Group member attribute to memberOf
    ● Click Save
  • 17. Create Groups on pfSense
    ● When using LDAP auth for the pfSense WebGUI, permissions are mapped to users and groups based on the values returned from LDAP and entries that exist locally
    ● If an LDAP user is a member of a group and that group exists on pfSense with an identical name, then the user will have the privileges assigned to that group
      – Similarly, if an LDAP username matches a local user, the privileges of that user also apply
    ● Earlier, you made groups on Google Cloud and added members; now we need to create matching entries on pfSense
  • 18. Create Groups on pfSense
    ● Create the group on pfSense
      – Navigate to System > User Manager, Groups tab
      – Click Add to make a new group entry
      – Enter the Group name (Ex: fwadmins)
      – Set the Scope to Remote
      – Enter a Description, Remote Firewall Administrators
      – Click Save
    ● Edit the group again to add privileges
      – Click the pencil icon on the row for the newly created group
      – Click Add in the Assigned Privileges section
      – Select the desired permissions for the group, for example: WebCfg - All pages
        ● Do not select every item in this list! That will also select User - Config: Deny Config Write, which prevents users from making changes to the configuration
      – Click Save to store the privileges
  • 19. Testing LDAP Authentication
    ● Test from Diagnostics > Authentication
    ● Select the Google Cloud Secure LDAP server from the list and enter valid credentials, then click Test
    ● If auth was successful, it should also list any groups the user is a member of which were also found locally on pfSense
      – If auth worked but no groups were found, ensure that the name of the group matches on Google Cloud and on pfSense, and ensure the user is a member of the group in the settings for the account on Google Cloud
    ● If the authentication failed, check the main system log for errors and review every step in this hangout and the online docs again
    ● After changing SSL/TLS settings it may be necessary to run console menu options 16 (Restart PHP-FPM) and 11 (Restart webConfigurator) from the console or SSH to clear the cached LDAP environment settings
    ● Only the username is checked; anything after the @ is ignored when entered
      – For example, joe@example.com will auth the same as joe@movie.edu
      – The domain is ignored; only the username is taken and authenticated inside of the configured LDAP containers
  • 20. Use LDAP For pfSense Administration Logins
    ● Assuming authentication was successful and showed the correct groups, the server can now be used for authenticating users on pfSense!
      – Note that currently this only works for the GUI, and not SSH
    ● To change pfSense so it uses Google Cloud Secure LDAP for firewall authentication…
      – Navigate to System > User manager, Settings tab
      – Set the Authentication server to Google Cloud Secure LDAP
      – Click Save
    ● After completing those steps, log out and then back in using a Google account for your organization
    ● If the account fails, see the previous troubleshooting steps
    ● When LDAP authentication fails, local authentication is tried
      – A local account such as the default admin user can be used to get back in and adjust settings as needed if the LDAP server is failing authentication or unreachable
  • 21. Alternate Uses
    ● Use directly for VPN auth if all users should have access
      – Users still need certs for SSL/TLS auth in OpenVPN
      – OpenVPN can use auth without certs if needed (easier, but less secure)
    ● Add another LDAP server entry using an extended filter so that it can only auth a single group, e.g. VPNusers, then use that server for OpenVPN/IPsec
    ● Central Captive Portal auth source for the entire company
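The following is an added example, not code from the hangout, from pfSense or from Google: a small Python model of what the LDAP server entry on slide 16 and the group mapping on slides 17 to 19 do with a login, plus the single-group extended filter from slide 21. It assumes the settings and the directory entry it constructs (example.com is the placeholder the slides use, fwadmins and VPNusers are the group names from the slides) and it approximates pfSense's behaviour rather than reproducing its PHP code. It shows why the bare username is escaped before it goes into the search filter, how the cn is read out of each memberOf value, and how the "select everything" mistake from slide 18 surfaces as a Deny Config Write privilege.

```python
"""Added example: model of pfSense-style LDAP user lookup and group-to-privilege
mapping for a Google Cloud Secure LDAP authentication source. All settings,
group names and the directory entry below are constructed sample data."""

# Settings as entered on the "Common LDAP Server Entries" slide (constructed).
LDAP_SERVER = {
    "base_dn": "dc=example,dc=com",
    "containers": ["ou=Users,dc=example,dc=com"],
    "user_attr": "uid",
    "group_attr": "cn",
    "member_attr": "memberOf",
    # Slide 21: an extended filter limits a second server entry to one group.
    "extended_filter": None,
}

# Local pfSense groups from the "Create Groups" slides (constructed).
# Only groups with Scope set to Remote are meant for LDAP users.
LOCAL_GROUPS = {
    "fwadmins": {"scope": "Remote", "privileges": {"WebCfg - All pages"}},
    "VPNusers": {"scope": "Local", "privileges": set()},
}

# Privilege name from the pfSense GUI that "select everything" pulls in.
DENY_CONFIG_WRITE = "User - Config: Deny Config Write"


def login_name(entered: str) -> str:
    """pfSense keeps only the part before '@': joe@example.com -> joe."""
    return entered.split("@", 1)[0]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value, so a username typed at the
    login prompt (e.g. 'joe)(uid=*') cannot add its own filter terms."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def search_filter(server: dict, entered: str) -> str:
    """Filter used to find the user under each authentication container:
    (user_attr=<escaped bare username>), ANDed with any extended filter."""
    user_term = "(%s=%s)" % (server["user_attr"],
                             escape_filter_value(login_name(entered)))
    if server["extended_filter"]:
        return "(&%s%s)" % (user_term, server["extended_filter"])
    return user_term


def group_names(entry: dict, server: dict) -> list:
    """Read the group naming attribute (cn) out of each memberOf DN."""
    names = []
    for dn in entry.get(server["member_attr"], []):
        first_rdn = dn.split(",", 1)[0]
        attr, _, value = first_rdn.partition("=")
        if attr.strip().lower() == server["group_attr"].lower():
            names.append(value.strip())
    return names


def effective_privileges(entry: dict, server: dict, local_groups: dict) -> dict:
    """Match LDAP groups to local Remote-scope groups by exact name, union
    their privileges and flag the Deny Config Write pitfall from slide 18."""
    matched, privileges = [], set()
    for name in group_names(entry, server):
        group = local_groups.get(name)
        if group is not None and group["scope"] == "Remote":
            matched.append(name)
            privileges |= group["privileges"]
    return {
        "groups": matched,
        "privileges": sorted(privileges),
        "config_write_denied": DENY_CONFIG_WRITE in privileges,
    }


# Constructed entry as Secure LDAP might return it for uid=joe.
SAMPLE_ENTRY = {
    "uid": ["joe"],
    "memberOf": [
        "cn=fwadmins,ou=Groups,dc=example,dc=com",
        "cn=VPNusers,ou=Groups,dc=example,dc=com",
    ],
}

if __name__ == "__main__":
    print(search_filter(LDAP_SERVER, "joe@example.com"))
    print(effective_privileges(SAMPLE_ENTRY, LDAP_SERVER, LOCAL_GROUPS))
```

Running it prints the filter `(uid=joe)` and a mapping that grants only the fwadmins privileges, because VPNusers exists locally with Scope Local and so is ignored. Setting `extended_filter` to `(memberOf=cn=VPNusers,ou=Groups,dc=example,dc=com)` is the slide 21 pattern: the same directory, but the lookup only succeeds for members of that one group.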
  • 22. Conclusion
    ● Questions?
    ● Additional Resources for LDAP and Privileges:
      – https://www.netgate.com/resources/videos/radius-and-ldap-on-pfsense-24.html
      – https://www.netgate.com/resources/videos/user-management-and-privileges-on-pfsense-24.html
      – https://www.netgate.com/docs/pfsense/book/usermanager/index.html
    ● Ideas for hangout topics? Post on forum, Reddit, etc.