Using Active Directory (samba4) instead of OpenLDAP

Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one
2020-12-02 11:52:11 +01:00
parent 63bf3c9f98
commit 200c9c41e9
6 changed files with 79 additions and 30 deletions
--- a/tmpl/handler-apache2.X.conf
+++ b/tmpl/handler-apache2.X.conf
@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%reloadWebName

+    SSLEngine on
+    SSLCertificateFile   %%server_cert
+    SSLCertificateKeyFile %%server_key
+    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+    SSLProtocol all -SSLv3 -SSLv2
+    SSLProxyEngine on
+
+    LogLevel %%lm_loglevel
+
+    ErrorLog /var/log/apache2/handler_error.log
+    CustomLog /var/log/apache2/handler_access.log common
    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when
    # configuration change
--- a/tmpl/lmConf-1.json
+++ b/tmpl/lmConf-1.json
@ -85,7 +85,7 @@
    },
    "authChoiceModules": {},
    "authChoiceParam": "lmAuth",
-    "authentication": "LDAP",
+    "authentication": "%%lemon_user_db",
    "browserIdAuthnLevel": 1,
    "captchaStorage": "Apache::Session::File",
    "captchaStorageOptions": {
@ -152,10 +152,27 @@
    "issuerDBSAMLRule": 1,
    "jsRedirect": 0,
    "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+  %if %%llResetExpiredPassword == "oui"
+    %if %%lemon_user_db == "AD"
+    "ldapPpolicyControl": 0,
+    %else
+    "ldapPpolicyControl": 1,
+    %end if
+    "ldapAllowResetExpiredPassword": 1,
+  %else
+    "ldapPpolicyControl": 0,
    "ldapAllowResetExpiredPassword": 0,
+  %end if
+%end if
+    "ldapChangePasswordAsUser": 1,
    "ldapAuthnLevel": 2,
+%if %%eole_module == "scribe"
+    "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
    "ldapBase": "%%ldapUserBaseDN",
-    "ldapChangePasswordAsUser": 0,
+%end if
+    "ldapSearchDeref": "find",
    "ldapExportedVars": {
        "cn": "cn",
        "mail": "mail",
@ -170,7 +187,6 @@
    "ldapPasswordResetAttribute": "pwdReset",
    "ldapPasswordResetAttributeValue": "TRUE",
    "ldapPort": "%%ldapServerPort",
-    "ldapPpolicyControl": 0,
    "ldapPwdEnc": "utf-8",
    "ldapServer": "%%ldapScheme://%%ldapServer",
 %if %%ldapScheme == "ldaps"
@ -218,7 +234,11 @@
    %end if
 %end if
    "maintenance": 0,
+%if %%eole_module == "scribe"
+    "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
    "managerDn": "%%ldapBindUserDN",
+%end if
 %if %%is_file(%%ldapBindUserPassword)
    "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
@ -251,7 +271,7 @@
    "openIdSreg_fullname": "cn",
    "openIdSreg_nickname": "uid",
    "openIdSreg_timezone": "_timezone",
-    "passwordDB": "LDAP",
+    "passwordDB": "%%lemon_user_db",
    "persistentStorage": "Apache::Session::File",
    "persistentStorageOptions": {
        "Directory": "/var/lib/lemonldap-ng/psessions",
@ -371,7 +391,7 @@
    "useRedirectOnForbidden": 0,
    "useSafeJail": 1,
    "userControl": "^[\\w\\.\\-@]+$",
-    "userDB": "LDAP",
+    "userDB": "%%lemon_user_db",
    "vhostOptions": {
        "%%managerWebName": {
            "vhostHttps": "1"
--- a/tmpl/manager-apache2.X.conf
+++ b/tmpl/manager-apache2.X.conf
@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%managerWebName
    SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    SSLProtocol all -SSLv3 -SSLv2
    SSLProxyEngine on

-    LogLevel info
+    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/manager_error.log
    CustomLog /var/log/apache2/manager_access.log common

--- a/tmpl/portal-apache2.X.conf
+++ b/tmpl/portal-apache2.X.conf
@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%authWebName
    SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    SSLProtocol all -SSLv3 -SSLv2
    SSLProxyEngine on

-    LogLevel info
+    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/portal_error.log
    CustomLog /var/log/apache2/portal_access.log common