NxFilter SSO with G Suite LDAP

Integration of NxFilter and G Suite LDAP allows easy importing of G Suite users so that NxFilter can match DNS requests with specific users.

G Suite Secure LDAP Setup

  1. In the Google Admin Console, go to Apps > LDAP. Click on ADD LDAP CLIENT.
  2. Give the client a name and description.
  3. Set the following access permissions:
    • Verify user credentials: Entire domain (or specific OUs)
    • Read user information: Entire domain (or specific OUs)
    • Optional: Read group information. This is useful if you want to create predefined DNS policies based on G Suite groups.
  4. Click on the ADD LDAP CLIENT button.
  5. At this point, you can download the certificate if desired; otherwise, leave it for later and click CONTINUE TO CLIENT DETAILS.
  6. The next screen shows the settings for your new LDAP client. Click on the Authentication section.
  7. If you haven't already, download the certificate zip file. Extract the .crt and .key files and save them for later.
  8. Make note of an admin user account that can read user information. In this example, ldapreader@domain.com.

Installing Stunnel

As of this writing, NxFilter does not have a way to import the Google certificate and key. Therefore, stunnel must be installed to facilitate a secure connection to Secure LDAP.

  1. On NxFilter, install stunnel: sudo apt install stunnel4
  2. Modify /etc/default/stunnel4 to allow stunnel to start after every reboot: set ENABLED=1
  3. Copy the Google certificate and key into /etc/stunnel (or your preferred location)
  4. Create the file /etc/stunnel/google-ldap.conf with the following contents:
      [ldap]
      client = yes
      accept = 127.0.0.1:1636
      connect = ldap.google.com:636
      cert = /etc/stunnel/google.crt
      key = /etc/stunnel/google.key
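The tunnel above carries the ldapreader bind password, so stunnel should refuse to talk to anything other than Google's real LDAP endpoint. The config as written does not verify the server certificate; the variant below is an added example (not from the original page or from NxFilter's documentation) that adds the three verification options, and it assumes the Debian/Ubuntu ca-certificates bundle path.

```ini
; /etc/stunnel/google-ldap.conf (added example, not the page's own file)
; Identical to the page's config except for the three verification lines.

[ldap]
client = yes
; Loopback only: just NxFilter on this host can reach the tunnel.
accept = 127.0.0.1:1636
connect = ldap.google.com:636
; Client certificate and key issued by the Google Admin Console (step 7).
cert = /etc/stunnel/google.crt
key = /etc/stunnel/google.key

; Without the lines below stunnel accepts whatever certificate is
; presented on ldap.google.com:636, so anyone who can sit on the route
; could terminate the TLS session and read the bind credentials.

; Validate the server chain against the system CA store
; (stunnel 5.x syntax; older releases use "verify = 2").
verifyChain = yes
; Assumed path: Debian/Ubuntu ca-certificates package.
CAfile = /etc/ssl/certs/ca-certificates.crt
; Also require that the certificate is issued for this hostname.
checkHost = ldap.google.com
```

After restarting stunnel4, rerun the TEST button in NxFilter; if the chain or hostname fails to validate, stunnel logs the verification error and drops the connection instead of forwarding the bind.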

Modify NxFilter

  1. Set up the OpenLDAP connection. Click User > OpenLDAP. Set the following attributes:
    • Host: 127.0.0.1
    • Admin: uid=ldapreader,ou=Users,dc=domain,dc=com
    • Password: [password for the ldapreader account]
    • Base DN: dc=domain,dc=com
    • Auto-sync: [how often NxFilter should sync accounts with G Suite]
    • Click Submit
  2. Now, modify the new OpenLDAP connection. Click User > OpenLDAP, then click the EDIT button for the new connection.
    • Modify the Port: 1636
    • Click Submit
  3. Verify the connection. Click User > OpenLDAP, then click the TEST button for the new connection. Once the test is successful, click the IMPORT button to import the G Suite users.
  4. Set up the RADIUS connection. Click User > RADIUS. Set the following attributes:
    • Accounting Port: for example, 1813
    • Shared Secret: for example, secret
    • Use RADIUS: check the box
    • Click Submit
  5. NxFilter now needs to be restarted.

Adding RADIUS Accounting to Wifi

On the wifi network that uses RADIUS, add NxFilter as a RADIUS Accounting server.

  • In the wifi settings, enable RADIUS Accounting using the RADIUS attributes from step 4 of the previous section:
    • Account server: [IP or FQDN of NxFilter]
    • Accounting Port: 1813
    • Shared Secret: secret
  • Within NxFilter, manually create users for the IP ranges used within your LAN, especially for the ranges that include devices that do not authenticate via 802.1X. This ensures that devices are always allowed to use NxFilter as their DNS server.
