From 200c9c41e94e5a2dc914e6bd0141a427977b9ea2 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Wed, 2 Dec 2020 11:52:11 +0100
Subject: [PATCH] Using Active Directory (samba4) instead of OpenLDAP

Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
---
 dicos/70_lemonldap_ng.xml        | 20 ++++++++++++++++++
 dicos/71_lemonldap_ng_scribe.xml | 36 +++++++++++++++-----------------
 tmpl/handler-apache2.X.conf      | 11 ++++++++++
 tmpl/lmConf-1.json               | 30 +++++++++++++++++++++-----
 tmpl/manager-apache2.X.conf      |  6 +++---
 tmpl/portal-apache2.X.conf       |  6 +++---
 6 files changed, 79 insertions(+), 30 deletions(-)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index df54a8d..e4d49fc 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -27,6 +27,14 @@
     </files>
 
     <variables>
+        <family name='eole-sso'>
+            <variable name='eolesso_cas_folder' redefine="True" exists='True'>
+                <value>/cas</value>
+            </variable>
+            <variable name='eolesso_port' redefine="True" exists='True'>
+                <value>443</value>
+            </variable>
+        </family>
         <family name='Services'>
             <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
                 <value>non</value>
@@ -39,6 +47,10 @@
             <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
             <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
 
+	    <variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
+                <value>LDAP</value>
+            </variable>
+
             <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
             <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
             <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@@ -83,6 +95,9 @@
             <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
                 <value>oui</value>
             </variable>
+            <variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
+                <value>oui</value>
+            </variable>
             <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
             <variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
                 <value>oui</value>
@@ -124,6 +139,10 @@
             <param>['ldaps','ldap']</param>
         </check>
 
+        <check name="valid_enum" target="lemon_user_db">
+            <param>['LDAP','AD']</param>
+        </check>
+
         <check name='valid_enum' target="lm_loglevel">
             <param>['info','notice','warn','error','debug']</param>
         </check>
@@ -168,6 +187,7 @@
         <condition name='disabled_if_in' source='llResetPassword'>
             <param>non</param>
             <target type='variable'>llResetUrl</target>
+            <target type='variable'>llResetExpiredPassword</target>
         </condition>
         <check name='valid_enum' target='llSkin'>
             <param>['bootstrap','dark','impact','pastel']</param>
diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml
index d03e59f..7a5ca95 100644
--- a/dicos/71_lemonldap_ng_scribe.xml
+++ b/dicos/71_lemonldap_ng_scribe.xml
@@ -5,20 +5,13 @@
 
     <variables>
 
-    <family name='eole sso'>
-        <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
-        <variable name='eolesso_cas_folder' redefine="True" exists='True'>
-            <value>cas</value>
-        </variable>
-        <variable name='eolesso_port' redefine="True" exists='True'>
-            <value>443</value>
-        </variable>
-    </family>
+        <family name='eole sso'>
+            <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
+        </family>
 
     </variables>
 
     <constraints>
-
         <fill name='calc_multi_condition' target='activer_sso'>
             <param>oui</param>
             <param type='eole' name='condition_1'>activerLemon</param>
@@ -31,11 +24,8 @@
             <target type='variable'>activer_sso</target>
         </condition>
 
-        <auto name='calc_multi_condition' target='ldapScheme'>
-            <param>oui</param>
-            <param type='eole' name='condition_1'>ldap_tls</param>
-            <param name='match'>ldaps</param>
-            <param name='default_mismatch'>ldap</param>
+        <auto name='calc_val' target='ldapScheme'>
+            <param>ldaps</param>
         </auto>
 
         <fill name='calc_val_first_value' target='eolesso_adresse'>
@@ -44,25 +34,33 @@
             <param type='eole'>nom_domaine_machine</param>
         </fill>
 
+        <auto name='calc_val' target='ldap_port'>
+	    <param>636</param>
+	</auto>
+
         <condition name='frozen_if_in' source='activerLemon'>
             <param>oui</param>
             <target type='variable'>eolesso_adresse</target>
         </condition>
 
         <auto name='calc_val' target='ldapServer'>
-            <param type='eole'>adresse_ip_ldap</param>
+            <param type='eole'>ad_address</param>
         </auto>
 
         <auto name='calc_val' target='ldapServerPort'>
-            <param type='eole'>ldap_port</param>
+            <param type='number'>636</param>
+        </auto>
+
+        <auto name='calc_val' target='lemon_user_db'>
+            <param>AD</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserDN'>
-            <param type='eole'>ldap_reader</param>
+            <param type='eole'>sasl_ldap_reader</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserPassword'>
-            <param type='eole'>ldap_reader_passfile</param>
+	    <param>/etc/eole/private/sasl-reader.password</param>
         </auto>
 
         <auto name='calc_val' target='casFolder'>
diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf
index c42747b..d33da34 100644
--- a/tmpl/handler-apache2.X.conf
+++ b/tmpl/handler-apache2.X.conf
@@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%reloadWebName
 
+    SSLEngine on
+    SSLCertificateFile   %%server_cert
+    SSLCertificateKeyFile %%server_key
+    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+    SSLProtocol all -SSLv3 -SSLv2
+    SSLProxyEngine on
+
+    LogLevel %%lm_loglevel
+
+    ErrorLog /var/log/apache2/handler_error.log
+    CustomLog /var/log/apache2/handler_access.log common
     # Configuration reload mechanism (only 1 per physical server is
     # needed): choose your URL to avoid restarting Apache when
     # configuration change
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json
index 5980d67..4fd5af5 100644
--- a/tmpl/lmConf-1.json
+++ b/tmpl/lmConf-1.json
@@ -85,7 +85,7 @@
     },
     "authChoiceModules": {},
     "authChoiceParam": "lmAuth",
-    "authentication": "LDAP",
+    "authentication": "%%lemon_user_db",
     "browserIdAuthnLevel": 1,
     "captchaStorage": "Apache::Session::File",
     "captchaStorageOptions": {
@@ -152,10 +152,27 @@
     "issuerDBSAMLRule": 1,
     "jsRedirect": 0,
     "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+  %if %%llResetExpiredPassword == "oui"
+    %if %%lemon_user_db == "AD"
+    "ldapPpolicyControl": 0,
+    %else
+    "ldapPpolicyControl": 1,
+    %end if
+    "ldapAllowResetExpiredPassword": 1,
+  %else
+    "ldapPpolicyControl": 0,
     "ldapAllowResetExpiredPassword": 0,
+  %end if
+%end if
+    "ldapChangePasswordAsUser": 1,
     "ldapAuthnLevel": 2,
+%if %%eole_module == "scribe"
+    "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
     "ldapBase": "%%ldapUserBaseDN",
-    "ldapChangePasswordAsUser": 0,
+%end if
+    "ldapSearchDeref": "find",
     "ldapExportedVars": {
         "cn": "cn",
         "mail": "mail",
@@ -170,7 +187,6 @@
     "ldapPasswordResetAttribute": "pwdReset",
     "ldapPasswordResetAttributeValue": "TRUE",
     "ldapPort": "%%ldapServerPort",
-    "ldapPpolicyControl": 0,
     "ldapPwdEnc": "utf-8",
     "ldapServer": "%%ldapScheme://%%ldapServer",
 %if %%ldapScheme == "ldaps"
@@ -218,7 +234,11 @@
     %end if
 %end if
     "maintenance": 0,
+%if %%eole_module == "scribe"
+    "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
     "managerDn": "%%ldapBindUserDN",
+%end if
 %if %%is_file(%%ldapBindUserPassword)
     "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
@@ -251,7 +271,7 @@
     "openIdSreg_fullname": "cn",
     "openIdSreg_nickname": "uid",
     "openIdSreg_timezone": "_timezone",
-    "passwordDB": "LDAP",
+    "passwordDB": "%%lemon_user_db",
     "persistentStorage": "Apache::Session::File",
     "persistentStorageOptions": {
         "Directory": "/var/lib/lemonldap-ng/psessions",
@@ -371,7 +391,7 @@
     "useRedirectOnForbidden": 0,
     "useSafeJail": 1,
     "userControl": "^[\\w\\.\\-@]+$",
-    "userDB": "LDAP",
+    "userDB": "%%lemon_user_db",
     "vhostOptions": {
         "%%managerWebName": {
             "vhostHttps": "1"
diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf
index 9bca544..cf6fcbd 100644
--- a/tmpl/manager-apache2.X.conf
+++ b/tmpl/manager-apache2.X.conf
@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%managerWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/manager_error.log
     CustomLog /var/log/apache2/manager_access.log common
 
diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf
index 71fb6c1..5ab967d 100644
--- a/tmpl/portal-apache2.X.conf
+++ b/tmpl/portal-apache2.X.conf
@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%authWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/portal_error.log
     CustomLog /var/log/apache2/portal_access.log common