From 1ea5813c8f76126bbc605852365e65cb084f4c11 Mon Sep 17 00:00:00 2001 From: Daniel Dehennin Date: Wed, 14 Oct 2020 13:18:35 +0200 Subject: [PATCH] Update configuration for version 2.0.7 of LemonLDAP::NG Ref: #30852 --- tmpl/lemonldap-ng.ini | 175 +++++++++-- tmpl/lmConf-1.js | 441 -------------------------- tmpl/lmConf-1.json | 711 +++++++++++++++++++----------------------- 3 files changed, 465 insertions(+), 862 deletions(-) delete mode 100644 tmpl/lmConf-1.js
diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini
index 921810f..0f497ae 100644
--- a/tmpl/lemonldap-ng.ini
+++ b/tmpl/lemonldap-ng.ini
@@ -1,3 +1,4 @@
+%set %%boolean = {'oui': 1, 'non': 0}
 ;==============================================================================
 ; LemonLDAP::NG local configuration parameters
 ;
@@ -11,9 +12,6 @@
 ; Section "configuration" is used to load global configuration and set cache
 ; (replace old storage.conf file)
 ;
-; Section "apply" is read by Manager to reload handlers
-; (replace old apply.conf file)
-;
 ; Other section are only read by the specific LemonLDAP::NG component
 ;==============================================================================
@@ -34,16 +32,80 @@
 ; Warning: this can allow malicious code in custom functions or rules
 ;useSafeJail = 0
+; LOGGING
+;
+; 1 - Defined logging level
+; Set here one of error, warn, notice, info or debug
+logLevel = debug
+; Note that this has no effect for Apache2 logging: Apache LogLevel is used
+; instead
+;
+; 2 - Change logger
+;
+; By default, logging is set to:
+; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers
+; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx)
+; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager,
+; portal,...) when they are not
+; launched by FastCGI server
+; Other loggers availables:
+; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
+;
+; "Std" is redirected to the web server logs for Apache. For Nginx, only if
+; request failed
+;
+; You can overload this in this section (for all) or in another section if
+; you want to change logger for a specified app.
+;
+; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
+; (userLogger). "userLogger" uses the same class as "logger" if not set.
+;logger = Lemonldap::NG::Common::Logger::Syslog
+;userLogger = Lemonldap::NG::Common::Logger::Std
+;
+; 2.1 - Using Syslog
+;
+; For Syslog logging, you can also overwrite facilities. Default values:
+;logger = Lemonldap::NG::Common::Logger::Syslog
+;syslogFacility = daemon
+;userSyslogFacility = auth
+;
+; 2.2 - Using Log4perl
+;
+; If you want to use Log4perl, you can set these parameters. Here are default
+; values:
+;logger = Lemonldap::NG::Common::Logger::Log4perl
+;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf
+;log4perlLogger = LLNG
+;log4perlUserLogger = LLNG.user
+;
+; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
+; value points to the logger class. Example:
+; log4perl.logger.LLNG = WARN, File1
+; log4perl.logger.LLNG.user = INFO, File2
+; ...
+
+; CONFIGURATION CHECK
+;
+; LLNG verify configuration at server start. If you use "reload" mechanism,
+; local cache will be updated. Configuration is checked locally every
+; 10 minutes by each LLNG component. You can change this value using
+; `checkTime` (time in seconds).
+; To increase performances, you should comment this parameter and rely on cache.
+checkTime = 1
+
 [configuration]
+; confTimeout: maximum time to get configuration (default 10)
+;confTimeout = 5
+
 ; GLOBAL CONFIGURATION ACCESS TYPE
-; (File, SOAP, RDBI/CDBI, LDAP)
+; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
 ; Set here the parameters needed to access to LemonLDAP::NG configuration.
 ; You have to set "type" to one of the followings :
 ;
-; * File: you have to set 'dirName' parameter. Example:
+; * File/YAMLFile: you have to set 'dirName' parameter. Example:
 ;
-; type = File
+; type = File ; or type = YAMLFile
 ; dirName = /var/lib/lemonldap-ng/conf
 ;
 ; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
@@ -51,17 +113,28 @@
 ;
 ; type = RDBI
 ; ;type = CDBI
-; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
+; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
 ; dbiUser = lemonldap
 ; dbiPassword = password
 ;
+; * REST: REST configuration access is a sort of proxy: the portal is
+; configured to use the real session storage type (DBI or File for
+; example).
+; You have to set 'baseUrl' parameter. Example:
+;
+; type = REST
+; baseUrl = https://auth.example.com/config
+; proxyOptions = { timeout => 5 }
+; User = lemonldap
+; Password = mypassword
+;
 ; * SOAP: SOAP configuration access is a sort of proxy: the portal is
 ; configured to use the real session storage type (DBI or File for
 ; example).
 ; You have to set 'proxy' parameter. Example:
 ;
 ; type = SOAP
-; proxy = https://auth.example.com/index.pl/config
+; proxy = https://auth.example.com/config
 ; proxyOptions = { timeout => 5 }
 ; User = lemonldap
 ; Password = mypassword
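Review bot: `logLevel = debug` in the `[all]` section switches every component (portal, handler, manager) to the most verbose level in a template that is deployed as-is, and the manager's own `logLevel = warn` is removed in a later hunk of this patch, so nothing overrides it. Debug output from an SSO stack is likely to carry user identifiers, session contents and request parameters into syslog or the web-server log (exactly what is emitted depends on code not visible here), which is a data-exposure and log-volume concern on a production host. Suggest shipping `logLevel = notice` (or `warn`, the level the manager used before) and documenting debug as a troubleshooting setting to enable temporarily. In the same hunk, `checkTime = 1` makes every component re-validate its configuration each second, while the comment directly above says to comment the parameter out and rely on the cache for performance; the shipped value contradicts its own guidance and should either be raised or the comment rewritten to say why 1 second is wanted here.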
@@ -91,7 +164,7 @@ dirName = /var/lib/lemonldap-ng/conf
 ; 'default_expires_in' => 600, \
 ; 'directory_umask' => '007', \
 ; 'cache_root' => '/tmp', \
-; 'cache_depth' => 0, \
+; 'cache_depth' => 3, \
 ; }
 localStorage=Cache::FileCache
 localStorageOptions={ \
@@ -99,33 +172,31 @@ localStorageOptions={ \
 'default_expires_in' => 600, \
 'directory_umask' => '007', \
 'cache_root' => '/tmp', \
- 'cache_depth' => 0, \
+ 'cache_depth' => 3, \
 }
 [portal]
-; PERFORMANCES
-; By setting useLocalConf, Portal will use only local cached configuration
-; To refresh it, you must have an handler on the same server or you have to
-; restart your server. This increase performances
-;useLocalConf = 1
+; PORTAL CUSTOMIZATION
+
+; I - Required parameters
 ; staticPrefix: relative (or URL) location of static HTML components
 staticPrefix = /static
+
 ; location of HTML templates directory
 templateDir = /usr/share/lemonldap-ng/portal/templates
+
 ; languages: available languages for portal interface
-languages = fr, en
-; PORTAL CUSTOMIZATION
+languages = fr, en, vi, it, ar, de, fi, tr
+
+; II - Optional parameters (overwrite configuration)
+
 ; Name of the skin
 portalSkin = %%llSkin
 ; Modules displayed
 ;portalDisplayLogout = 1
-%if %%llResetPassword == "oui"
-portalDisplayResetPassword = 1
-%else
-portalDisplayResetPassword = 0
-%end if
+portalDisplayResetPassword = %%boolean[%%llResetPassword]
 ;portalDisplayChangePassword = 1
 ;portalDisplayAppslist = 1
 ;portalDisplayLoginHistory = 1
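Review bot: `portalDisplayResetPassword = %%boolean[%%llResetPassword]` changes the failure mode of the `%if … %else … %end if` it replaces: any value of `llResetPassword` other than `oui` used to render as `0`, whereas a value outside `oui`/`non` now aborts template generation with a lookup error. Failing loudly at deploy time is acceptable if that variable is a strict yes/no choice, but it should be a deliberate decision; if it can be free-form, a fail-closed lookup such as `portalDisplayResetPassword = %%boolean.get(%%llResetPassword, 0)` keeps the previous default (the method-call form appears to be accepted by this template engine, since `%%exported_vars.append(…)` is used in lmConf-1.json later in this patch, but confirm). A one-line comment above the setting stating that only `oui`/`non` are valid would make the intent clear to the next maintainer.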
@@ -142,16 +213,17 @@ portalDisplayResetPassword = 0
 ; For example to use
 ;tpl_myparam = test
-; LOG
-; By default, all is logged in Apache file. To log user actions by
-; syslog, just set syslog facility here:
+; COMBINATION FORMS
+; If you want to fix forms to display, you can use this;
+;combinationForms = standardform, yubikeyform
+
 ;syslog = auth
 ; SOAP FUNCTIONS
 ; Remove comment to activate SOAP Functions getCookies(user,pwd) and
 ; error(language, code)
 ;Soap = 1
 ; Note that getAttibutes() will be activated but on a different URI
-; (http://auth.example.com/index.pl/sessions)
+; (http://auth.example.com/sessions)
 ; You can also restrict attributes and macros exported by getAttributes
 ;exportedAttr = uid mail
@@ -208,8 +280,8 @@ portalDisplayResetPassword = 0
 ; Use it to be able to notify messages during authentication
 ;notification = 1
 ; Note that the SOAP function newNotification will be activated on
-; http://auth.example.com/index.pl/notification
-; If you want to hide this, just protect "/index.pl/notification" in
+; http://auth.example.com/notification
+; If you want to hide this, just protect "/index.fcgi/notification" in
 ; your Apache configuration file
 ; XSS protection bypass
 ; By default, the portal refuse redirections that comes from sites not
@@ -225,6 +297,21 @@ portalDisplayResetPassword = 0
 ; Set to 0 to disable error on XSS attack detection
 ;checkXSS = 0
+; pdata cookie domain
+; pdata cookie could not be sent with cross domains AJAX request
+; Null is default value
+;pdataDomain = example.com
+
+; CUSTOM PLUGINS
+; If you want to add custom plugins, set list here (comma separated)
+; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
+;customPlugins = ::My::Package1, ::My::Package2
+
+; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
+; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
+;forceGlobalStorageUpgradeOTT = 1
+;forceGlobalStorageIssuerOTT = 1
+
 [handler]
 ; Handler cache configuration
@@ -240,7 +327,7 @@ portalDisplayResetPassword = 0
 ; Set https to 1 if your handler protect a https website (used only for
 ; redirections to the portal)
-;https = 0
+https = 1
 ; Set port if your your hanlder protect a website on a non standard port
 ; - 80 for http, 443 for https (used only for redirections to the portal)
 ;port = 8080
@@ -252,6 +339,10 @@ status = 0
 ;useRedirectOnForbidden = 1
 ; Hide LemonLDAP::NG Handler in Apache Server Signature
 ;hideSignature = 1
+; Set ServiceToken timeout
+;handlerServiceTokenTTL = 30
+; Set Impersonation/ContextSwitching prefix
+; impersonationPrefix = real_
 useRedirectOnError = 1
 ; Zimbra Handler parameters
@@ -275,9 +366,6 @@ useRedirectOnError = 1
 ; * none : no protection
 protection = manager
-; logLevel. Set here one of error, warn, notice, info or debug
-logLevel = warn
-
 ; staticPrefix: relative (or URL) location of static HTML components
 staticPrefix = /static
 ;
@@ -285,10 +373,29 @@ staticPrefix = /static
 templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
 ; languages: available languages for manager interface
-languages = fr, en
+languages = fr, en, it, vi, ar, tr
 ; Manager modules enabled
 ; Set here the list of modules you want to see in manager interface
 ; The first will be used as default module displayed
-enabledModules = conf, sessions, notifications
+;enabledModules = conf, sessions, notifications, 2ndFA, viewer
+enabledModules = conf, sessions, notifications, 2ndFA
+; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
+; 'conf' is set by default
+;defaultModule = viewer
+
+; Viewer module allows us to edit configuration in read-only mode
+; Options can be set with specific rules like this :
+;viewerAllowBrowser = $uid eq 'dwho'
+;viewerAllowDiff = $uid ne 'dwho'
+;
+; Viewer options - Default values
+;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
+;viewerAllowBrowser = 0
+;viewerAllowDiff = 0
+
+;[node-handler]
+;
+;This section is for node-lemonldap-ng-handler
+;nodeVhosts = test3.example.com, test4.example.com
diff --git a/tmpl/lmConf-1.js b/tmpl/lmConf-1.js
deleted file mode 100644
index 60af145..0000000
--- a/tmpl/lmConf-1.js
+++ /dev/null
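Review bot: The new guidance line `; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'` misspells the key it refers to, so an administrator who copies it will set a name the manager does not read and silently keep `conf` as the default module. Suggest `; To prevent restricted users from editing the configuration, defaultModule MUST be different from 'conf'`. The same hunk enables the `2ndFA` module on the manager; given that access to the whole manager is gated by `protection = manager` (context in the previous hunk) and the vhost rule in lmConf-1.json, a short comment noting that this module manages users' registered second factors (confirm against the LLNG manager documentation) and must stay behind the administrator rule would help whoever later loosens that rule for the viewer module.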
@@ -1,441 +0,0 @@ -%set %%ssoFilters = %%getSSOFilters -{ - "ldapGroupAttributeNameUser": "dn", - "cfgAuthorIP": "172.16.0.1", - "samlSPMetaDataXML": null, - "facebookAuthnLevel": 1, - "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation", - "secureTokenAttribute": "uid", - "singleSession": 0, - "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", - "CAS_pgtFile": "/tmp/pgt.txt", - "cookieName": "lemonldap", - "slaveExportedVars": {}, - "whatToTrace": "_whatToTrace", - "oidcRPMetaDataOptions": {}, - "notifyDeleted": 1, - "useRedirectOnError": 1, - "samlSPMetaDataExportedAttributes": null, - "ldapPwdEnc": "utf-8", - "openIdSPList": "0;", - "samlNameIDFormatMapEmail": "mail", - "samlSPMetaDataOptions": null, - "issuerDBOpenIDRule": 1, - "casStorageOptions": {}, - "mailFrom": "noreply@%%nom_domaine_local", - "timeoutActivity": 0, - "oidcRPMetaDataExportedVars": {}, - "issuerDBSAMLActivation": 0, - "issuerDBCASPath": "^/%%casFolder/", - "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", - "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", - "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", - "exportedHeaders": { - "test1.%%nom_domaine_local": { - "Auth-User": "$uid" - }, - "test2.%%nom_domaine_local": { - "Auth-User": "$uid" - }, - "%%managerWebName": {} - }, - "vhostOptions": { - "%%managerWebName": { - "vhostHttps" : "1" - }, - "test1.%%nom_domaine_local": {}, - "test2.%%nom_domaine_local": {} - }, - "radiusAuthnLevel": 3, - "dbiAuthnLevel": 2, - "ldapPasswordResetAttribute": "pwdReset", - "ldapGroupObjectClass": "groupOfNames", - "apacheAuthnLevel": 4, - "samlNameIDFormatMapKerberos": "uid", - "groups": {}, - "securedCookie": 0, - "httpOnly": 1, - "yubikeyAuthnLevel": 3, - "ADPwdMaxAge": 0, - "samlUseQueryStringSpecific": 0, - 
"loginHistoryEnabled": 1, - "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;", - "failedLoginNumber": 5, - "samlServicePrivateKeyEncPwd": "", - "portalForceAuthnInterval": 0, - "cfgLog": "", - "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", - "exportedVars": { - "UA": "HTTP_USER_AGENT", -%for att in %%casAttribute - "%%att": "%%att", -%end for -%set %%idx = 0 -%set %%size = %%len(%%ssoFilters) - 1 -%for key,value in %%ssoFilters - %if %%idx == %%size - "%%key": "%%value" - %else - "%%key": "%%value", - %end if - %set %%idx += 1 -%end for - }, - "notificationStorage": "File", - "applicationList": { - "1sample": { - "test2": { - "options": { - "name": "Application Test 2", - "logo": "thumbnail.png", - "uri": "https://test2.%%nom_domaine_local/", - "display": "auto", - "description": "The same simple application displaying authenticated user" - }, - "type": "application" - }, - "type": "category", - "catname": "Sample applications", - "test1": { - "type": "application", - "options": { - "description": "A simple application displaying authenticated user", - "uri": "https://test1.%%nom_domaine_local/", - "logo": "demo.png", - "display": "auto", - "name": "Application Test 1" - } - } - }, - "2administration": { - "notifications": { - "options": { - "name": "Notifications explorer", - "display": "auto", - "description": "Explore WebSSO notifications", - "uri": "https://%%managerWebName/notifications.pl", - "logo": "database.png" - }, - "type": "application" - }, - "manager": { - "options": { - "uri": "https://%%managerWebName/", - "display": "auto", - "description": "Configure LemonLDAP::NG WebSSO", - "logo": "configure.png", - "name": "WebSSO Manager" - }, - "type": "application" - }, - "type": "category", - "sessions": { - "type": "application", - "options": { - 
"description": "Explore WebSSO sessions", - "uri": "https://%%managerWebName/sessions.pl", - "logo": "database.png", - "display": "auto", - "name": "Sessions explorer" - } - }, - "catname": "Administration" - }, - "3documentation": { - "catname": "Documentation", - "officialwebsite": { - "type": "application", - "options": { - "name": "Offical Website", - "description": "Official LemonLDAP::NG Website", - "logo": "network.png", - "display": "on", - "uri": "http://lemonldap-ng.org/" - } - }, - "type": "category", - "localdoc": { - "options": { - "logo": "help.png", - "description": "Documentation supplied with LemonLDAP::NG", - "display": "on", - "uri": "https://%%managerWebName/doc/", - "name": "Local documentation" - }, - "type": "application" - } - } - }, - "userControl": "^[\\w\\.\\-@]+$", - "timeout": 72000, - "portalAntiFrame": 1, - "SMTPServer": "", - "ldapTimeout": 120, - "samlAuthnContextMapPasswordProtectedTransport": 3, - "ldapUsePasswordResetAttribute": 1, - "ldapPpolicyControl": 0, - "casAttributes": { -%for att in %%casAttribute - "%%att": "%%att.casLDAPAttribute", -%end for -%set %%idx = 0 -%set %%size = %%len(%%ssoFilters) - 1 -%for key,value in %%ssoFilters - %if %%idx == %%size - "%%key": "%%key" - %else - "%%key": "%%key", - %end if - %set %%idx += 1 -%end for - }, - "issuerDBSAMLPath": "^/saml/", - "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;", - "portalDisplayAppslist": 1, - "confirmFormMethod": "post", - "domain": "%%nom_domaine_local", - "cfgNum": "1", - "authentication": "LDAP", - "samlNameIDFormatMapWindows": "uid", - "authChoiceModules": {}, - "ldapGroupAttributeName": "member", - "samlServicePrivateKeySigPwd": "", - "googleAuthnLevel": 1, - "successLoginNumber": 5, - "localSessionStorageOptions": { - "cache_root": "/tmp", - "namespace": "lemonldap-ng-sessions", - "default_expires_in": 600, - "directory_umask": "007", - "cache_depth": 3 - }, - 
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", - "portalRequireOldPassword": 1, - "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;", - "ADPwdExpireWarning": 0, - "yubikeyPublicIDSize": 12, - "ldapGroupAttributeNameGroup": "dn", - "oidcRPMetaDataOptionsExtraClaims": null, - "ldapGroupRecursive": 0, - "mailSubject": "[LemonLDAP::NG] Your new password", - "nginxCustomHandlers": {}, - "samlSPSSODescriptorAuthnRequestsSigned": 1, -%if %%llResetPassword == "oui" - "portalDisplayResetPassword": 1, -%else - "portalDisplayResetPassword": 0, -%end if - "openIdSreg_timezone": "_timezone", - "infoFormMethod": "get", - "openIdAuthnLevel": 1, - "openIdSreg_nickname": "uid", - "samlServicePublicKeyEnc": "", - "userDB": "LDAP", - "grantSessionRules": {}, - "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP", - "reloadUrls": { - "%%reloadWebName": "https://%%reloadWebName/reload" - }, - "registerTimeout": 0, - "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;", - "slaveAuthnLevel": 2, - "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", - "Soap": 1, -%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo') -%if %%RegisterDB == "Custom" - "registerDB": "Null", -%else - "registerDB": "%%RegisterDB", -%end if - "locationRules": { - "%%managerWebName": { - "default": "$uid eq \"%%lemonAdmin\"" - }, - "test1.%%nom_domaine_local": { - "default": "accept", - "^/logout": "logout_sso" - }, - "test2.%%nom_domaine_local": { - "default": "accept", - "^/logout": "logout_sso" - } - }, - "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", - "hideOldPassword": 0, -%if %%is_file(%%ldapBindUserPassword) - 
"managerPassword": "%%readPass("", %%ldapBindUserPassword)", -%else - "managerPassword": "%%ldapBindUserPassword", -%end if - "authChoiceParam": "lmAuth", - "lwpSslOpts": {}, - "portalSkinRules": {}, - "issuerDBOpenIDPath": "^/openidserver/", - "redirectFormMethod": "get", - "portalDisplayRegister": 1, - "secureTokenMemcachedServers": "127.0.0.1:11211", - "notificationStorageOptions": { - "dirName": "/var/lib/lemonldap-ng/notifications" - }, - "browserIdAuthnLevel": 1, - "portalUserAttr": "_user", - "ldapVersion": 3, - "sessionDataToRemember": {}, - "samlNameIDFormatMapX509": "mail", - "managerDn": "%%ldapBindUserDN", - "mailSessionKey": "mail", - "openIdSreg_email": "mail", - "localSessionStorage": "Cache::FileCache", - "persistentStorage": "Apache::Session::File", - "mailOnPasswordChange": 0, - "captchaStorage": "Apache::Session::File", - "remoteGlobalStorageOptions": { - "proxy": "https://%%authWebName/index.pl/sessions", - "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService" - }, - "passwordDB": "LDAP", - "captcha_size": 6, - "mailCharset": "utf-8", - "facebookExportedVars": {}, - "nullAuthnLevel": 2, - "singleIP": 0, - "dbiExportedVars": {}, - "portalSkin": "bootstrap", - "storePassword": 0, - "hiddenAttributes": "_password", - "samlServicePrivateKeySig": "", - "globalStorage": "Apache::Session::File", - "notificationWildcard": "allusers", - "portalForceAuthn": 0, - "samlMetadataForceUTF8": 1, - "secureTokenUrls": ".*", - "secureTokenAllowOnError": 1, - "samlAuthnContextMapTLSClient": 5, - "ldapAllowResetExpiredPassword": 0, - "oidcOPMetaDataExportedVars": {}, - "notifyOther": 0, - "secureTokenExpiration": 60, - "captcha_mail_enabled": 0, - "samlStorageOptions": {}, - "samlOrganizationDisplayName": "Example", - "trustedProxies": "", - "secureTokenHeader": "Auth-Token", - "issuerDBCASActivation": 1, - "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;", - 
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", - "samlIDPMetaDataXML": {}, - "oidcStorageOptions": {}, - "cfgDate": 1519998069, - "samlAuthnContextMapPassword": 2, - "portalDisplayLoginHistory": 1, - "ldapPasswordResetAttributeValue": "TRUE", - "ldapServer": "%%ldapScheme://%%ldapServer", - "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;", - "samlIDPMetaDataExportedAttributes": null, - "samlServicePrivateKeyEnc": "", - "useRedirectOnForbidden": 0, - "captcha_login_enabled": 0, - "https": 0, - "checkXSS": 1, - "ldapSetPassword": 0, - "portalPingInterval": 60000, - "captchaStorageOptions": { - "Directory": "/var/lib/lemonldap-ng/captcha/" - }, - "useSafeJail": 1, - "registerDoneSubject": "[LemonLDAP::NG] Your new account", - "issuerDBCASRule": 1, - "samlAuthnContextMapKerberos": 4, - "ldapGroupAttributeNameSearch": "cn", - "logoutServices": {}, - "samlIDPSSODescriptorWantAuthnRequestsSigned": 1, - "portalDisplayLogout": 1, - "issuerDBGetParameters": {}, - "googleExportedVars": {}, - "openIdSreg_fullname": "cn", - "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact", - "demoExportedVars": { - "mail": "mail", - "uid": "uid", - "cn": "cn" - }, - "oidcOPMetaDataJSON": null, - "samlIdPResolveCookie": "lemonldapidp", - "samlRelayStateTimeout": 600, - "samlOrganizationURL": "https://auth.%%nom_domaine_local", - "globalStorageOptions": { - "Directory": "/var/lib/lemonldap-ng/sessions", - "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock" - }, - "ldapExportedVars": { - "mail": "mail", - "cn": "cn", - "uid": "uid" - }, - "webIDExportedVars": {}, - "activeTimer": 1, - "cda": 0, - "samlServicePublicKeySig": "", -%if %%llCheckLogins == "oui" - "portalCheckLogins": 1, -%else 
- "portalCheckLogins": 0, -%end if - "CAS_authnLevel": 1, - "macros": { - "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\"" - }, - "samlIDPMetaDataOptions": null, - "twitterAuthnLevel": 1, - "openIdExportedVars": {}, - "captcha_register_enabled": 1, - "oidcOPMetaDataJWKS": null, - "webIDAuthnLevel": 1, - "issuerDBOpenIDActivation": "1", -%if %%is_empty(%%llResetUrl) - "mailUrl": "https://%%authWebName/mail.pl", -%else - "mailUrl": "%%llResetUrl", -%end if - "maintenance": 0, - "jsRedirect": 0, - "cfgAuthor": "Cadoles", - "persistentStorageOptions": { - "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock", - "Directory": "/var/lib/lemonldap-ng/psessions" - }, - "SSLAuthnLevel": 5, - "oidcServiceMetaDataAuthnContext": {}, - "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", - "notification": 1, - "ldapChangePasswordAsUser": 0, - "CAS_proxiedServices": {}, - "key": "e\"bTCt3*eU9^\\V%b", - "portal": "https://%%authWebName/", - "singleSessionUserByIP": 0, - "portalOpenLinkInNewWindow": 0, - "post": { - "test2.%%nom_domaine_local": {}, - "test1.%%nom_domaine_local": {}, - "%%managerWebName": {} - }, - "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost", - "issuerDBSAMLRule": 1, - "samlCommonDomainCookieActivation": 0, - "syslog": "", - "ldapBase": "%%ldapUserBaseDN", - "ldapAuthnLevel": 2, - "mailTimeout": 0, - "samlEntityID": "#PORTAL#/saml/metadata", - "oidcOPMetaDataOptions": null, - "samlSPSSODescriptorWantAssertionsSigned": 1, - "samlOrganizationName": "%%samlOrganizationName", -%if %%RegisterDB == "Custom" - "registerUrl": "%%llRegisterURL", -%else - "registerUrl": "https://%%authWebName/register.pl", -%end if - "casAccessControlPolicy": "none", - "multiValuesSeparator": ";", - "ldapPort": %%ldapServerPort -} 
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 80d4a31..1397ff0 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json 
@@ -1,441 +1,378 @@ +%set %%boolean = {'oui': 1, 'non': 0} %set %%ssoFilters = %%getSSOFilters +%set %%exported_vars = ['"UA": "HTTP_USER_AGENT"'] +%set %%cas_attributes = [] +%for %%attr in %%casAttribute + %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"') + %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"') +%end for +%for %%key, %%value in %%ssoFilters + %silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"') + %silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"') +%end for +%silent %%exported_vars.sort() +%silent %%cas_attributes.sort() { - "ldapGroupAttributeNameUser": "dn", - "cfgAuthorIP": "172.16.0.1", - "samlSPMetaDataXML": null, - "facebookAuthnLevel": 1, - "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation", - "secureTokenAttribute": "uid", - "singleSession": 0, - "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", - "CAS_pgtFile": "/tmp/pgt.txt", - "cookieName": "lemonldap", - "slaveExportedVars": {}, - "whatToTrace": "_whatToTrace", - "oidcRPMetaDataOptions": {}, - "notifyDeleted": 1, - "useRedirectOnError": 1, - "samlSPMetaDataExportedAttributes": null, - "ldapPwdEnc": "utf-8", - "openIdSPList": "0;", - "samlNameIDFormatMapEmail": "mail", - "samlSPMetaDataOptions": null, - "issuerDBOpenIDRule": 1, - "casStorageOptions": {}, - "mailFrom": "noreply@%%nom_domaine_local", - "timeoutActivity": 0, - "oidcRPMetaDataExportedVars": {}, - "issuerDBSAMLActivation": 0, - "issuerDBCASPath": "^/%%casFolder/", - "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", - "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", - "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", - "exportedHeaders": { - "test1.%%nom_domaine_local": { - "Auth-User": 
"$uid" - }, - "test2.%%nom_domaine_local": { - "Auth-User": "$uid" - }, - "%%managerWebName": {} - }, - "vhostOptions": { - "%%managerWebName": { - "vhostHttps" : "1" - }, - "test1.%%nom_domaine_local": {}, - "test2.%%nom_domaine_local": {} - }, - "radiusAuthnLevel": 3, - "dbiAuthnLevel": 2, - "ldapPasswordResetAttribute": "pwdReset", - "ldapGroupObjectClass": "groupOfNames", - "apacheAuthnLevel": 4, - "samlNameIDFormatMapKerberos": "uid", - "groups": {}, - "securedCookie": 0, - "httpOnly": 1, - "yubikeyAuthnLevel": 3, + "ADPwdExpireWarning": 0, "ADPwdMaxAge": 0, - "samlUseQueryStringSpecific": 0, - "loginHistoryEnabled": 1, - "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;", - "failedLoginNumber": 5, - "samlServicePrivateKeyEncPwd": "", - "portalForceAuthnInterval": 0, - "cfgLog": "", - "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", - "exportedVars": { - "UA": "HTTP_USER_AGENT", -%for att in %%casAttribute - "%%att": "%%att", -%end for -%set %%idx = 0 -%set %%size = %%len(%%ssoFilters) - 1 -%for key,value in %%ssoFilters - %if %%idx == %%size - "%%key": "%%value" - %else - "%%key": "%%value", - %end if - %set %%idx += 1 -%end for - }, - "notificationStorage": "File", + "CAS_authnLevel": 1, + "CAS_pgtFile": "/tmp/pgt.txt", + "CAS_proxiedServices": {}, + "SMTPServer": "", + "SSLAuthnLevel": 5, + "Soap": 1, + "activeTimer": 1, + "apacheAuthnLevel": 4, "applicationList": { - "1sample": { - "test2": { - "options": { - "name": "Application Test 2", - "logo": "thumbnail.png", - "uri": "https://test2.%%nom_domaine_local/", - "display": "auto", - "description": "The same simple application displaying authenticated user" - }, - "type": "application" - }, - "type": "category", - "catname": "Sample applications", - "test1": { - "type": "application", - "options": { - 
"description": "A simple application displaying authenticated user", - "uri": "https://test1.%%nom_domaine_local/", - "logo": "demo.png", - "display": "auto", - "name": "Application Test 1" - } - } - }, - "2administration": { - "notifications": { - "options": { - "name": "Notifications explorer", - "display": "auto", - "description": "Explore WebSSO notifications", - "uri": "https://%%managerWebName/notifications.pl", - "logo": "database.png" - }, - "type": "application" - }, + "1administration": { + "catname": "Administration", "manager": { "options": { - "uri": "https://%%managerWebName/", - "display": "auto", "description": "Configure LemonLDAP::NG WebSSO", + "display": "auto", "logo": "configure.png", - "name": "WebSSO Manager" + "name": "WebSSO Manager", + "uri": "https://%%managerWebName/" + }, + "type": "application" + }, + "notifications": { + "options": { + "description": "Explore WebSSO notifications", + "display": "auto", + "logo": "database.png", + "name": "Notifications explorer", + "uri": "https://%%managerWebName/notifications.pl" }, "type": "application" }, - "type": "category", "sessions": { - "type": "application", "options": { "description": "Explore WebSSO sessions", - "uri": "https://%%managerWebName/sessions.pl", - "logo": "database.png", "display": "auto", - "name": "Sessions explorer" - } - }, - "catname": "Administration" - }, - "3documentation": { - "catname": "Documentation", - "officialwebsite": { - "type": "application", - "options": { - "name": "Offical Website", - "description": "Official LemonLDAP::NG Website", - "logo": "network.png", - "display": "on", - "uri": "http://lemonldap-ng.org/" - } - }, - "type": "category", - "localdoc": { - "options": { - "logo": "help.png", - "description": "Documentation supplied with LemonLDAP::NG", - "display": "on", - "uri": "http://%%managerWebName/doc/", - "name": "Local documentation" + "logo": "database.png", + "name": "Sessions explorer", + "uri": "https://%%managerWebName/sessions.pl" }, 
"type": "application" - } + }, + "type": "category" + }, + "2documentation": { + "catname": "Documentation", + "localdoc": { + "options": { + "description": "Documentation supplied with LemonLDAP::NG", + "display": "on", + "logo": "help.png", + "name": "Local documentation", + "uri": "http://%%managerWebName/doc/" + }, + "type": "application" + }, + "officialwebsite": { + "options": { + "description": "Official LemonLDAP::NG Website", + "display": "on", + "logo": "network.png", + "name": "Offical Website", + "uri": "http://lemonldap-ng.org/" + }, + "type": "application" + }, + "type": "category" } }, - "userControl": "^[\\w\\.\\-@]+$", - "timeout": 72000, - "portalAntiFrame": 1, - "SMTPServer": "", - "ldapTimeout": 120, - "samlAuthnContextMapPasswordProtectedTransport": 3, - "ldapUsePasswordResetAttribute": 1, - "ldapPpolicyControl": 0, - "casAttributes": { -%for att in %%casAttribute - "%%att": "%%att.casLDAPAttribute", -%end for -%set %%idx = 0 -%set %%size = %%len(%%ssoFilters) - 1 -%for key,value in %%ssoFilters - %if %%idx == %%size - "%%key": "%%key" - %else - "%%key": "%%key", - %end if - %set %%idx += 1 -%end for - }, - "issuerDBSAMLPath": "^/saml/", - "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;", - "portalDisplayAppslist": 1, - "confirmFormMethod": "post", - "domain": "%%nom_domaine_local", - "cfgNum": "1", - "authentication": "LDAP", - "samlNameIDFormatMapWindows": "uid", "authChoiceModules": {}, - "ldapGroupAttributeName": "member", - "samlServicePrivateKeySigPwd": "", + "authChoiceParam": "lmAuth", + "authentication": "LDAP", + "browserIdAuthnLevel": 1, + "captchaStorage": "Apache::Session::File", + "captchaStorageOptions": { + "Directory": "/var/lib/lemonldap-ng/captcha/" + }, + "captcha_login_enabled": 0, + "captcha_mail_enabled": 0, + "captcha_register_enabled": 1, + "captcha_size": 6, + "casAccessControlPolicy": "none", + "casAttributes": { + 
%%custom_join(%%cas_attributes, ',\n ')
+ },
+ "casStorageOptions": {},
+ "cda": 0,
+ "cfgAuthor": "EOLE",
+ "cfgAuthorIP": "127.0.0.1",
+ "cfgDate": 1600257889,
+ "cfgLog": "",
+ "cfgNum": "1",
+ "checkXSS": 1,
+ "confirmFormMethod": "post",
+ "cookieName": "lemonldap",
+ "dbiAuthnLevel": 2,
+ "dbiExportedVars": {},
+ "demoExportedVars": {
+ "cn": "cn",
+ "mail": "mail",
+ "uid": "uid"
+ },
+ "domain": "%%nom_domaine_local",
+ "exportedHeaders": {
+ "%%managerWebName": {}
+ },
+ "exportedVars": {
+ %%custom_join(%%exported_vars, ',\n ')
+ },
+ "facebookAuthnLevel": 1,
+ "facebookExportedVars": {},
+ "failedLoginNumber": 5,
+ "globalStorage": "Apache::Session::File",
+ "globalStorageOptions": {
+ "Directory": "/var/lib/lemonldap-ng/sessions",
+ "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
+ },
 "googleAuthnLevel": 1,
- "successLoginNumber": 5,
+ "googleExportedVars": {},
+ "grantSessionRules": {},
+ "groups": {},
+ "hiddenAttributes": "_password",
+ "hideOldPassword": 0,
+ "httpOnly": 1,
+ "https": 0,
+ "infoFormMethod": "get",
+ "issuerDBCASActivation": 1,
+ "issuerDBCASPath": "^/%%casFolder/",
+ "issuerDBCASRule": 1,
+ "issuerDBGetParameters": {},
+ "issuerDBOpenIDActivation": "1",
+ "issuerDBOpenIDPath": "^/openidserver/",
+ "issuerDBOpenIDRule": 1,
+ "issuerDBSAMLActivation": 0,
+ "issuerDBSAMLPath": "^/saml/",
+ "issuerDBSAMLRule": 1,
+ "jsRedirect": 0,
+ "key": "e\"bTCt3*eU9^\\V%b",
+ "ldapAllowResetExpiredPassword": 0,
+ "ldapAuthnLevel": 2,
+ "ldapBase": "%%ldapUserBaseDN",
+ "ldapChangePasswordAsUser": 0,
+ "ldapExportedVars": {
+ "cn": "cn",
+ "mail": "mail",
+ "uid": "uid"
+ },
+ "ldapGroupAttributeName": "memberUid",
+ "ldapGroupAttributeNameGroup": "dn",
+ "ldapGroupAttributeNameSearch": "cn",
+ "ldapGroupAttributeNameUser": "uid",
+ "ldapGroupObjectClass": "eolegroupe",
+ "ldapGroupRecursive": 0,
+ "ldapPasswordResetAttribute": "pwdReset",
+ "ldapPasswordResetAttributeValue": "TRUE",
+ "ldapPort": "%%ldapServerPort",
+ "ldapPpolicyControl": 
0,
+ "ldapPwdEnc": "utf-8",
+ "ldapServer": "%%ldapScheme://%%ldapServer",
+ "ldapSetPassword": 0,
+ "ldapTimeout": 120,
+ "ldapUsePasswordResetAttribute": 1,
+ "ldapVersion": 3,
+ "localSessionStorage": "Cache::FileCache",
 "localSessionStorageOptions": {
+ "cache_depth": 3,
 "cache_root": "/tmp",
- "namespace": "lemonldap-ng-sessions",
 "default_expires_in": 600,
 "directory_umask": "007",
- "cache_depth": 3
+ "namespace": "lemonldap-ng-sessions"
 },
- "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
- "portalRequireOldPassword": 1,
- "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
- "ADPwdExpireWarning": 0,
- "yubikeyPublicIDSize": 12,
- "ldapGroupAttributeNameGroup": "dn",
- "oidcRPMetaDataOptionsExtraClaims": null,
- "ldapGroupRecursive": 0,
- "mailSubject": "[LemonLDAP::NG] Your new password",
- "nginxCustomHandlers": {},
- "samlSPSSODescriptorAuthnRequestsSigned": 1,
-%if %%llResetPassword == "oui"
- "portalDisplayResetPassword": 1,
-%else
- "portalDisplayResetPassword": 0,
-%end if
- "openIdSreg_timezone": "_timezone",
- "infoFormMethod": "get",
- "openIdAuthnLevel": 1,
- "openIdSreg_nickname": "uid",
- "samlServicePublicKeyEnc": "",
- "userDB": "LDAP",
- "grantSessionRules": {},
- "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
- "reloadUrls": {
- "%%reloadWebName": "https://%%reloadWebName/reload"
- },
- "registerTimeout": 0,
- "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
- "slaveAuthnLevel": 2,
- "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
- "Soap": 1,
-%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
-%if %%RegisterDB == "Custom"
- "registerDB": "Null",
-%else
- 
"registerDB": "%%RegisterDB",
-%end if
 "locationRules": {
 "%%managerWebName": {
 "default": "$uid eq \"%%lemonAdmin\""
- },
- "test1.%%nom_domaine_local": {
- "default": "accept",
- "^/logout": "logout_sso"
- },
- "test2.%%nom_domaine_local": {
- "default": "accept",
- "^/logout": "logout_sso"
 }
 },
- "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
- "hideOldPassword": 0,
+ "loginHistoryEnabled": 1,
+ "logoutServices": {},
+ "lwpSslOpts": {},
+ "macros": {
+ "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
+ },
+ "mailCharset": "utf-8",
+ "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
+ "mailFrom": "noreply@%%nom_domaine_local",
+ "mailOnPasswordChange": 0,
+ "mailSessionKey": "mail",
+ "mailSubject": "[LemonLDAP::NG] Your new password",
+ "mailTimeout": 0,
+%if %%llResetPassword == "oui"
+ %if %%is_empty(%%llResetUrl)
+ "mailUrl": "https://%%authWebName/mail.pl",
+ %else
+ "mailUrl": "%%llResetUrl",
+ %end if
+%end if
+ "maintenance": 0,
+ "managerDn": "%%ldapBindUserDN",
 %if %%is_file(%%ldapBindUserPassword)
 "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
 "managerPassword": "%%ldapBindUserPassword",
 %end if
- "authChoiceParam": "lmAuth",
- "lwpSslOpts": {},
- "portalSkinRules": {},
- "issuerDBOpenIDPath": "^/openidserver/",
- "redirectFormMethod": "get",
- "portalDisplayRegister": 1,
- "secureTokenMemcachedServers": "127.0.0.1:11211",
+ "multiValuesSeparator": ";",
+ "nginxCustomHandlers": {},
+ "notification": 1,
+ "notificationStorage": "File",
 "notificationStorageOptions": {
+ "dirName": "/var/lib/lemonldap-ng/notifications"
 },
- "browserIdAuthnLevel": 1,
- "portalUserAttr": "_user",
- "ldapVersion": 3,
- "sessionDataToRemember": {},
- "samlNameIDFormatMapX509": "mail",
- "managerDn": "%%ldapBindUserDN",
- "mailSessionKey": "mail",
- "openIdSreg_email": "mail",
- "localSessionStorage": "Cache::FileCache",
- "persistentStorage": "Apache::Session::File",
- "mailOnPasswordChange": 0, 
- "captchaStorage": "Apache::Session::File",
- "remoteGlobalStorageOptions": {
- "proxy": "https://%%authWebName/index.pl/sessions",
- "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
- },
- "passwordDB": "LDAP",
- "captcha_size": 6,
- "mailCharset": "utf-8",
- "facebookExportedVars": {},
- "nullAuthnLevel": 2,
- "singleIP": 0,
- "dbiExportedVars": {},
- "portalSkin": "bootstrap",
- "storePassword": 0,
- "hiddenAttributes": "_password",
- "samlServicePrivateKeySig": "",
- "globalStorage": "Apache::Session::File",
 "notificationWildcard": "allusers",
- "portalForceAuthn": 0,
- "samlMetadataForceUTF8": 1,
- "secureTokenUrls": ".*",
- "secureTokenAllowOnError": 1,
- "samlAuthnContextMapTLSClient": 5,
- "ldapAllowResetExpiredPassword": 0,
- "oidcOPMetaDataExportedVars": {},
+ "notifyDeleted": 1,
 "notifyOther": 0,
- "secureTokenExpiration": 60,
- "captcha_mail_enabled": 0,
- "samlStorageOptions": {},
- "samlOrganizationDisplayName": "Example",
- "trustedProxies": "",
- "secureTokenHeader": "Auth-Token",
- "issuerDBCASActivation": 1,
- "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
- "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
- "samlIDPMetaDataXML": {},
- "oidcStorageOptions": {},
- "cfgDate": 1519998069,
- "samlAuthnContextMapPassword": 2,
- "portalDisplayLoginHistory": 1,
- "ldapPasswordResetAttributeValue": "TRUE",
- "ldapServer": "%%ldapScheme://%%ldapServer",
- "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
- "samlIDPMetaDataExportedAttributes": null,
- "samlServicePrivateKeyEnc": "",
- "useRedirectOnForbidden": 0,
- "captcha_login_enabled": 0,
- "https": 0,
- "checkXSS": 1,
- "ldapSetPassword": 0,
- "portalPingInterval": 60000,
- 
"captchaStorageOptions": {
- "Directory": "/var/lib/lemonldap-ng/captcha/"
- },
- "useSafeJail": 1,
- "registerDoneSubject": "[LemonLDAP::NG] Your new account",
- "issuerDBCASRule": 1,
- "samlAuthnContextMapKerberos": 4,
- "ldapGroupAttributeNameSearch": "cn",
- "logoutServices": {},
- "samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
- "portalDisplayLogout": 1,
- "issuerDBGetParameters": {},
- "googleExportedVars": {},
- "openIdSreg_fullname": "cn",
- "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
- "demoExportedVars": {
- "mail": "mail",
- "uid": "uid",
- "cn": "cn"
- },
+ "nullAuthnLevel": 2,
+ "oidcOPMetaDataExportedVars": {},
 "oidcOPMetaDataJSON": null,
- "samlIdPResolveCookie": "lemonldapidp",
- "samlRelayStateTimeout": 600,
- "samlOrganizationURL": "https://auth.%%nom_domaine_local",
- "globalStorageOptions": {
- "Directory": "/var/lib/lemonldap-ng/sessions",
- "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
- },
- "ldapExportedVars": {
- "mail": "mail",
- "cn": "cn",
- "uid": "uid"
- },
- "webIDExportedVars": {},
- "activeTimer": 1,
- "cda": 0,
- "samlServicePublicKeySig": "",
-%if %%llCheckLogins == "oui"
- "portalCheckLogins": 1,
-%else
- "portalCheckLogins": 0,
-%end if
- "CAS_authnLevel": 1,
- "macros": {
- "_whatToTrace": "$_auth eq 'SAML' ? 
\"$_user\\@$_idpConfKey\" : \"$_user\""
- },
- "samlIDPMetaDataOptions": null,
- "twitterAuthnLevel": 1,
- "openIdExportedVars": {},
- "captcha_register_enabled": 1,
 "oidcOPMetaDataJWKS": null,
- "webIDAuthnLevel": 1,
- "issuerDBOpenIDActivation": "1",
-%if %%is_empty(%%llResetUrl)
- "mailUrl": "https://%%authWebName/mail.pl",
-%else
- "mailUrl": "%%llResetUrl",
-%end if
- "maintenance": 0,
- "jsRedirect": 0,
- "cfgAuthor": "Cadoles",
- "persistentStorageOptions": {
- "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
- "Directory": "/var/lib/lemonldap-ng/psessions"
- },
- "SSLAuthnLevel": 5,
+ "oidcOPMetaDataOptions": null,
+ "oidcRPMetaDataExportedVars": {},
+ "oidcRPMetaDataOptions": {},
+ "oidcRPMetaDataOptionsExtraClaims": null,
 "oidcServiceMetaDataAuthnContext": {},
- "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
- "notification": 1,
- "ldapChangePasswordAsUser": 0,
- "CAS_proxiedServices": {},
- "key": "e\"bTCt3*eU9^\\V%b",
+ "oidcStorageOptions": {},
+ "openIdAuthnLevel": 1,
+ "openIdExportedVars": {},
+ "openIdSPList": "0;",
+ "openIdSreg_email": "mail",
+ "openIdSreg_fullname": "cn",
+ "openIdSreg_nickname": "uid",
+ "openIdSreg_timezone": "_timezone",
+ "passwordDB": "LDAP",
+ "persistentStorage": "Apache::Session::File",
+ "persistentStorageOptions": {
+ "Directory": "/var/lib/lemonldap-ng/psessions",
+ "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock"
+ },
 "portal": "https://%%authWebName/",
- "singleSessionUserByIP": 0,
+ "portalAntiFrame": 1,
+ "portalCheckLogins": %%boolean[%%llCheckLogins],
+ "portalDisplayAppslist": 1,
+ "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
+ "portalDisplayLoginHistory": 1,
+ "portalDisplayLogout": 1,
+ "portalDisplayRegister": 1,
+ "portalDisplayResetPassword": %%boolean[%%llResetPassword],
+ "portalForceAuthn": 0,
+ "portalForceAuthnInterval": 0,
 "portalOpenLinkInNewWindow": 0,
+ "portalPingInterval": 60000, 
+ "portalRequireOldPassword": 1,
+ "portalSkin": "bootstrap",
+ "portalSkinRules": {},
+ "portalUserAttr": "_user",
 "post": {
- "test2.%%nom_domaine_local": {},
- "test1.%%nom_domaine_local": {},
 "%%managerWebName": {}
 },
- "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
- "issuerDBSAMLRule": 1,
- "samlCommonDomainCookieActivation": 0,
- "syslog": "",
- "ldapBase": "%%ldapUserBaseDN",
- "ldapAuthnLevel": 2,
- "mailTimeout": 0,
- "samlEntityID": "#PORTAL#/saml/metadata",
- "oidcOPMetaDataOptions": null,
- "samlSPSSODescriptorWantAssertionsSigned": 1,
- "samlOrganizationName": "%%samlOrganizationName",
-%if %%RegisterDB == "Custom"
+ "radiusAuthnLevel": 3,
+ "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
+ "redirectFormMethod": "get",
+ "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
+%set %%register_db = %%getVar('llRegisterDB', 'Demo')
+%if %%register_db == 'Custom'
+ "registerDB": "Null",
 "registerUrl": "%%llRegisterURL",
 %else
+ "registerDB": "%%register_db",
 "registerUrl": "https://%%authWebName/register.pl",
 %end if
- "casAccessControlPolicy": "none",
- "multiValuesSeparator": ";",
- "ldapPort": %%ldapServerPort
+ "registerDoneSubject": "[LemonLDAP::NG] Your new account",
+ "registerTimeout": 0,
+ "reloadUrls": {
+ "%%reloadWebName": "https://%%reloadWebName/reload"
+ },
+ "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
+ "remoteGlobalStorageOptions": {
+ "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService",
+ "proxy": "https://%%authWebName/index.pl/sessions"
+ },
+ "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
+ "samlAuthnContextMapKerberos": 4,
+ "samlAuthnContextMapPassword": 2,
+ "samlAuthnContextMapPasswordProtectedTransport": 3,
+ "samlAuthnContextMapTLSClient": 5,
+ "samlCommonDomainCookieActivation": 0,
+ 
"samlEntityID": "#PORTAL#/saml/metadata",
+ "samlIDPMetaDataExportedAttributes": null,
+ "samlIDPMetaDataOptions": null,
+ "samlIDPMetaDataXML": {},
+ "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+ "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+ "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+ "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
+ "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
+ "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
+ "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
+ "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
+ "samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
+ "samlIdPResolveCookie": "lemonldapidp",
+ "samlMetadataForceUTF8": 1,
+ "samlNameIDFormatMapEmail": "mail",
+ "samlNameIDFormatMapKerberos": "uid",
+ "samlNameIDFormatMapWindows": "uid",
+ "samlNameIDFormatMapX509": "mail",
+ "samlOrganizationDisplayName": "Example",
+ "samlOrganizationName": "%%samlOrganizationName",
+ "samlOrganizationURL": "https://auth.%%nom_domaine_local",
+ "samlRelayStateTimeout": 600,
+ "samlSPMetaDataExportedAttributes": null,
+ "samlSPMetaDataOptions": null,
+ "samlSPMetaDataXML": null,
+ "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+ 
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
+ "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
+ "samlSPSSODescriptorAuthnRequestsSigned": 1,
+ "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+ "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+ "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
+ "samlSPSSODescriptorWantAssertionsSigned": 1,
+ "samlServicePrivateKeyEnc": "",
+ "samlServicePrivateKeyEncPwd": "",
+ "samlServicePrivateKeySig": "",
+ "samlServicePrivateKeySigPwd": "",
+ "samlServicePublicKeyEnc": "",
+ "samlServicePublicKeySig": "",
+ "samlStorageOptions": {},
+ "samlUseQueryStringSpecific": 0,
+ "secureTokenAllowOnError": 1,
+ "secureTokenAttribute": "uid",
+ "secureTokenExpiration": 60,
+ "secureTokenHeader": "Auth-Token",
+ "secureTokenMemcachedServers": "127.0.0.1:11211",
+ "secureTokenUrls": ".*",
+ "securedCookie": 0,
+ "sessionDataToRemember": {},
+ "singleIP": 0,
+ "singleSession": 0,
+ "singleSessionUserByIP": 0,
+ "slaveAuthnLevel": 2,
+ "slaveExportedVars": {},
+ "storePassword": 0,
+ "successLoginNumber": 5,
+ "syslog": "",
+ "timeout": 72000,
+ "timeoutActivity": 0,
+ "trustedProxies": "",
+ "twitterAuthnLevel": 1,
+ "useRedirectOnError": 1,
+ "useRedirectOnForbidden": 0,
+ "useSafeJail": 1,
+ "userControl": "^[\\w\\.\\-@]+$",
+ "userDB": "LDAP",
+ "vhostOptions": {
+ "%%managerWebName": {
+ "vhostHttps": "1"
+ }
+ },
+ "webIDAuthnLevel": 1,
+ "webIDExportedVars": {},
+ "whatToTrace": "_whatToTrace",
+ 
"yubikeyAuthnLevel": 3,
+ "yubikeyPublicIDSize": 12
 }