Using Active Directory (samba4) instead of OpenLDAP
Moving the actual authentication LDAP server to Active Directory. The password is updated in the Samba4 directory, so we need to use this one and not the OpenLDAP one.
parent
63bf3c9f98
commit
200c9c41e9
@ -27,6 +27,14 @@
|
||||||
</files>
|
</files>
|
||||||
|
|
||||||
<variables>
|
<variables>
|
||||||
|
<family name='eole-sso'>
|
||||||
|
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
|
||||||
|
<value>/cas</value>
|
||||||
|
</variable>
|
||||||
|
<variable name='eolesso_port' redefine="True" exists='True'>
|
||||||
|
<value>443</value>
|
||||||
|
</variable>
|
||||||
|
</family>
|
||||||
<family name='Services'>
|
<family name='Services'>
|
||||||
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
|
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
|
||||||
<value>non</value>
|
<value>non</value>
|
||||||
|
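Review bot: The re-added `eolesso_cas_folder` default in this hunk is `<value>/cas</value>`, while the definition removed in hunk `@ -5,20 +5,13 @@` carried `<value>cas</value>`; the leading slash changes the effective value and the commit message does not mention it, and the family name also moves from 'eole sso' to 'eole-sso'. If the slash is intentional (the `casFolder` auto further down presumably consumes it), a comment next to the value such as `<!-- leading slash expected by the casFolder calculation -->` would stop it being "fixed" back; if not, restore `<value>cas</value>`. The variables are redefined with `redefine="True" exists='True'`, so the base dictionary that declares them is outside this diff and cannot be checked here.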
@ -39,6 +47,10 @@
|
||||||
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
|
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
|
||||||
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
|
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
|
||||||
|
|
||||||
|
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
|
||||||
|
<value>LDAP</value>
|
||||||
|
</variable>
|
||||||
|
|
||||||
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
|
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
|
||||||
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
|
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
|
||||||
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
|
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
|
||||||
|
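Review bot: `lemon_user_db` is declared here as an expert-mode variable with default `LDAP`, but hunk `@ -44,25 +34,33 @@` adds `<auto name='calc_val' target='lemon_user_db'><param>AD</param></auto>`, which, if `auto` behaves as it does for `ldapScheme` in the same file, makes the value computed and not editable. The `mode="expert"`, the `<value>LDAP</value>` default and the `LDAP` entry of the `valid_enum` check added in hunk `@ -124,6 +139,10 @@` are then unreachable, while the ini template still carries an LDAP branch (`%if %%lemon_user_db == "AD" … %else`). Either drop the `auto` so the backend is actually selectable, or drop `mode="expert"` and the default and state in the description that the value is fixed to `AD`.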
@ -83,6 +95,9 @@
|
||||||
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
|
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
|
||||||
<value>oui</value>
|
<value>oui</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
|
||||||
|
<value>oui</value>
|
||||||
|
</variable>
|
||||||
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
|
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
|
||||||
<variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
|
<variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
|
||||||
<value>oui</value>
|
<value>oui</value>
|
||||||
|
@ -124,6 +139,10 @@
|
||||||
<param>['ldaps','ldap']</param>
|
<param>['ldaps','ldap']</param>
|
||||||
</check>
|
</check>
|
||||||
|
|
||||||
|
<check name="valid_enum" target="lemon_user_db">
|
||||||
|
<param>['LDAP','AD']</param>
|
||||||
|
</check>
|
||||||
|
|
||||||
<check name='valid_enum' target="lm_loglevel">
|
<check name='valid_enum' target="lm_loglevel">
|
||||||
<param>['info','notice','warn','error','debug']</param>
|
<param>['info','notice','warn','error','debug']</param>
|
||||||
</check>
|
</check>
|
||||||
|
@ -168,6 +187,7 @@
|
||||||
<condition name='disabled_if_in' source='llResetPassword'>
|
<condition name='disabled_if_in' source='llResetPassword'>
|
||||||
<param>non</param>
|
<param>non</param>
|
||||||
<target type='variable'>llResetUrl</target>
|
<target type='variable'>llResetUrl</target>
|
||||||
|
<target type='variable'>llResetExpiredPassword</target>
|
||||||
</condition>
|
</condition>
|
||||||
<check name='valid_enum' target='llSkin'>
|
<check name='valid_enum' target='llSkin'>
|
||||||
<param>['bootstrap','dark','impact','pastel']</param>
|
<param>['bootstrap','dark','impact','pastel']</param>
|
||||||
|
|
|
@ -5,20 +5,13 @@
|
||||||
|
|
||||||
<variables>
|
<variables>
|
||||||
|
|
||||||
<family name='eole sso'>
|
<family name='eole sso'>
|
||||||
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
|
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
|
||||||
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
|
</family>
|
||||||
<value>cas</value>
|
|
||||||
</variable>
|
|
||||||
<variable name='eolesso_port' redefine="True" exists='True'>
|
|
||||||
<value>443</value>
|
|
||||||
</variable>
|
|
||||||
</family>
|
|
||||||
|
|
||||||
</variables>
|
</variables>
|
||||||
|
|
||||||
<constraints>
|
<constraints>
|
||||||
|
|
||||||
<fill name='calc_multi_condition' target='activer_sso'>
|
<fill name='calc_multi_condition' target='activer_sso'>
|
||||||
<param>oui</param>
|
<param>oui</param>
|
||||||
<param type='eole' name='condition_1'>activerLemon</param>
|
<param type='eole' name='condition_1'>activerLemon</param>
|
||||||
|
@ -31,11 +24,8 @@
|
||||||
<target type='variable'>activer_sso</target>
|
<target type='variable'>activer_sso</target>
|
||||||
</condition>
|
</condition>
|
||||||
|
|
||||||
<auto name='calc_multi_condition' target='ldapScheme'>
|
<auto name='calc_val' target='ldapScheme'>
|
||||||
<param>oui</param>
|
<param>ldaps</param>
|
||||||
<param type='eole' name='condition_1'>ldap_tls</param>
|
|
||||||
<param name='match'>ldaps</param>
|
|
||||||
<param name='default_mismatch'>ldap</param>
|
|
||||||
</auto>
|
</auto>
|
||||||
|
|
||||||
<fill name='calc_val_first_value' target='eolesso_adresse'>
|
<fill name='calc_val_first_value' target='eolesso_adresse'>
|
||||||
|
@ -44,25 +34,33 @@
|
||||||
<param type='eole'>nom_domaine_machine</param>
|
<param type='eole'>nom_domaine_machine</param>
|
||||||
</fill>
|
</fill>
|
||||||
|
|
||||||
|
<auto name='calc_val' target='ldap_port'>
|
||||||
|
<param>636</param>
|
||||||
|
</auto>
|
||||||
|
|
||||||
<condition name='frozen_if_in' source='activerLemon'>
|
<condition name='frozen_if_in' source='activerLemon'>
|
||||||
<param>oui</param>
|
<param>oui</param>
|
||||||
<target type='variable'>eolesso_adresse</target>
|
<target type='variable'>eolesso_adresse</target>
|
||||||
</condition>
|
</condition>
|
||||||
|
|
||||||
<auto name='calc_val' target='ldapServer'>
|
<auto name='calc_val' target='ldapServer'>
|
||||||
<param type='eole'>adresse_ip_ldap</param>
|
<param type='eole'>ad_address</param>
|
||||||
</auto>
|
</auto>
|
||||||
|
|
||||||
<auto name='calc_val' target='ldapServerPort'>
|
<auto name='calc_val' target='ldapServerPort'>
|
||||||
<param type='eole'>ldap_port</param>
|
<param type='number'>636</param>
|
||||||
|
</auto>
|
||||||
|
|
||||||
|
<auto name='calc_val' target='lemon_user_db'>
|
||||||
|
<param>AD</param>
|
||||||
</auto>
|
</auto>
|
||||||
|
|
||||||
<auto name='calc_val' target='ldapBindUserDN'>
|
<auto name='calc_val' target='ldapBindUserDN'>
|
||||||
<param type='eole'>ldap_reader</param>
|
<param type='eole'>sasl_ldap_reader</param>
|
||||||
</auto>
|
</auto>
|
||||||
|
|
||||||
<auto name='calc_val' target='ldapBindUserPassword'>
|
<auto name='calc_val' target='ldapBindUserPassword'>
|
||||||
<param type='eole'>ldap_reader_passfile</param>
|
<param>/etc/eole/private/sasl-reader.password</param>
|
||||||
</auto>
|
</auto>
|
||||||
|
|
||||||
<auto name='calc_val' target='casFolder'>
|
<auto name='calc_val' target='casFolder'>
|
||||||
|
|
|
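Review bot: The new `<auto name='calc_val' target='ldap_port'><param>636</param></auto>` forces the shared `ldap_port` variable to 636, yet `ldapServerPort` in the same hunk stops reading `ldap_port` and hard-codes `<param type='number'>636</param>` too, so the two values can drift and forcing `ldap_port` may affect other dictionaries that consume it, which this diff cannot show. Keeping `<param type='eole'>ldap_port</param>` on `ldapServerPort` and dropping the duplicate literal would leave a single source of truth. `ldapBindUserPassword` likewise moves from the `ldap_reader_passfile` eole variable to the literal path `/etc/eole/private/sasl-reader.password`; if a variable for the SASL reader password file exists it should be referenced instead, and since `%%readPass` later copies that file's content into lemonldap-ng.ini, the generated ini needs permissions at least as restrictive as the password file. `ldapBindUserDN` now receives `sasl_ldap_reader`, which the later `managerDn` template treats as a bare cn rather than a DN, so the variable name is now misleading and deserves a comment.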
@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
|
||||||
<VirtualHost %%adresse_ip_eth0:443>
|
<VirtualHost %%adresse_ip_eth0:443>
|
||||||
ServerName %%reloadWebName
|
ServerName %%reloadWebName
|
||||||
|
|
||||||
|
SSLEngine on
|
||||||
|
SSLCertificateFile %%server_cert
|
||||||
|
SSLCertificateKeyFile %%server_key
|
||||||
|
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
||||||
|
SSLProtocol all -SSLv3 -SSLv2
|
||||||
|
SSLProxyEngine on
|
||||||
|
|
||||||
|
LogLevel %%lm_loglevel
|
||||||
|
|
||||||
|
ErrorLog /var/log/apache2/handler_error.log
|
||||||
|
CustomLog /var/log/apache2/handler_access.log common
|
||||||
# Configuration reload mechanism (only 1 per physical server is
|
# Configuration reload mechanism (only 1 per physical server is
|
||||||
# needed): choose your URL to avoid restarting Apache when
|
# needed): choose your URL to avoid restarting Apache when
|
||||||
# configuration change
|
# configuration change
|
||||||
|
|
|
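Review bot: The new handler vhost enables TLS with `SSLProtocol all -SSLv3 -SSLv2`, which (mirroring the manager and portal vhosts) still permits TLS 1.0 and 1.1 and sets no `SSLCipherSuite`/`SSLHonorCipherOrder`; since this hunk introduces a fresh vhost, it is the natural place to start with `SSLProtocol -all +TLSv1.2` plus a cipher suite line and align the other two afterwards. `SSLProxyEngine on` is copied from the other vhosts as well; if the handler vhost proxies nothing it can be dropped. The enclosing `<VirtualHost>` block continues outside the hunk.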
@ -85,7 +85,7 @@
|
||||||
},
|
},
|
||||||
"authChoiceModules": {},
|
"authChoiceModules": {},
|
||||||
"authChoiceParam": "lmAuth",
|
"authChoiceParam": "lmAuth",
|
||||||
"authentication": "LDAP",
|
"authentication": "%%lemon_user_db",
|
||||||
"browserIdAuthnLevel": 1,
|
"browserIdAuthnLevel": 1,
|
||||||
"captchaStorage": "Apache::Session::File",
|
"captchaStorage": "Apache::Session::File",
|
||||||
"captchaStorageOptions": {
|
"captchaStorageOptions": {
|
||||||
|
@ -152,10 +152,27 @@
|
||||||
"issuerDBSAMLRule": 1,
|
"issuerDBSAMLRule": 1,
|
||||||
"jsRedirect": 0,
|
"jsRedirect": 0,
|
||||||
"key": "e\"bTCt3*eU9^\\V%b",
|
"key": "e\"bTCt3*eU9^\\V%b",
|
||||||
|
%if %%llResetPassword == "oui"
|
||||||
|
%if %%llResetExpiredPassword == "oui"
|
||||||
|
%if %%lemon_user_db == "AD"
|
||||||
|
"ldapPpolicyControl": 0,
|
||||||
|
%else
|
||||||
|
"ldapPpolicyControl": 1,
|
||||||
|
%end if
|
||||||
|
"ldapAllowResetExpiredPassword": 1,
|
||||||
|
%else
|
||||||
|
"ldapPpolicyControl": 0,
|
||||||
"ldapAllowResetExpiredPassword": 0,
|
"ldapAllowResetExpiredPassword": 0,
|
||||||
|
%end if
|
||||||
|
%end if
|
||||||
|
"ldapChangePasswordAsUser": 1,
|
||||||
"ldapAuthnLevel": 2,
|
"ldapAuthnLevel": 2,
|
||||||
|
%if %%eole_module == "scribe"
|
||||||
|
"ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
|
||||||
|
%else
|
||||||
"ldapBase": "%%ldapUserBaseDN",
|
"ldapBase": "%%ldapUserBaseDN",
|
||||||
"ldapChangePasswordAsUser": 0,
|
%end if
|
||||||
|
"ldapSearchDeref": "find",
|
||||||
"ldapExportedVars": {
|
"ldapExportedVars": {
|
||||||
"cn": "cn",
|
"cn": "cn",
|
||||||
"mail": "mail",
|
"mail": "mail",
|
||||||
|
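Review bot: The outer `%if %%llResetPassword == "oui"` has no `%else`, so when password reset is disabled neither `ldapPpolicyControl` nor `ldapAllowResetExpiredPassword` is written at all, whereas before this commit both were always emitted as 0 (the unconditional `"ldapPpolicyControl": 0,` is removed in hunk `@ -170,7 +187,6 @@` and the `"ldapAllowResetExpiredPassword": 0,` line is now inside the inner `%else`). Unless LemonLDAP::NG is known to default both to 0, add `%else` / `"ldapPpolicyControl": 0,` / `"ldapAllowResetExpiredPassword": 0,` before the final `%end if`. The scribe `ldapBase` line builds the closing `",` of the JSON value inside the `%echo` expression, which is easy to break on edit; a short comment describing the intended output (e.g. `dc=a,dc=b,dc=c` from `ad_domain`) would help. `"ldapChangePasswordAsUser"` is now unconditionally 1 where the removed line had 0; confirm that is intended for the non-AD branch as well.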
@ -170,7 +187,6 @@
|
||||||
"ldapPasswordResetAttribute": "pwdReset",
|
"ldapPasswordResetAttribute": "pwdReset",
|
||||||
"ldapPasswordResetAttributeValue": "TRUE",
|
"ldapPasswordResetAttributeValue": "TRUE",
|
||||||
"ldapPort": "%%ldapServerPort",
|
"ldapPort": "%%ldapServerPort",
|
||||||
"ldapPpolicyControl": 0,
|
|
||||||
"ldapPwdEnc": "utf-8",
|
"ldapPwdEnc": "utf-8",
|
||||||
"ldapServer": "%%ldapScheme://%%ldapServer",
|
"ldapServer": "%%ldapScheme://%%ldapServer",
|
||||||
%if %%ldapScheme == "ldaps"
|
%if %%ldapScheme == "ldaps"
|
||||||
|
@ -218,7 +234,11 @@
|
||||||
%end if
|
%end if
|
||||||
%end if
|
%end if
|
||||||
"maintenance": 0,
|
"maintenance": 0,
|
||||||
|
%if %%eole_module == "scribe"
|
||||||
|
"managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
|
||||||
|
%else
|
||||||
"managerDn": "%%ldapBindUserDN",
|
"managerDn": "%%ldapBindUserDN",
|
||||||
|
%end if
|
||||||
%if %%is_file(%%ldapBindUserPassword)
|
%if %%is_file(%%ldapBindUserPassword)
|
||||||
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
|
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
|
||||||
%else
|
%else
|
||||||
|
@ -251,7 +271,7 @@
|
||||||
"openIdSreg_fullname": "cn",
|
"openIdSreg_fullname": "cn",
|
||||||
"openIdSreg_nickname": "uid",
|
"openIdSreg_nickname": "uid",
|
||||||
"openIdSreg_timezone": "_timezone",
|
"openIdSreg_timezone": "_timezone",
|
||||||
"passwordDB": "LDAP",
|
"passwordDB": "%%lemon_user_db",
|
||||||
"persistentStorage": "Apache::Session::File",
|
"persistentStorage": "Apache::Session::File",
|
||||||
"persistentStorageOptions": {
|
"persistentStorageOptions": {
|
||||||
"Directory": "/var/lib/lemonldap-ng/psessions",
|
"Directory": "/var/lib/lemonldap-ng/psessions",
|
||||||
|
@ -371,7 +391,7 @@
|
||||||
"useRedirectOnForbidden": 0,
|
"useRedirectOnForbidden": 0,
|
||||||
"useSafeJail": 1,
|
"useSafeJail": 1,
|
||||||
"userControl": "^[\\w\\.\\-@]+$",
|
"userControl": "^[\\w\\.\\-@]+$",
|
||||||
"userDB": "LDAP",
|
"userDB": "%%lemon_user_db",
|
||||||
"vhostOptions": {
|
"vhostOptions": {
|
||||||
"%%managerWebName": {
|
"%%managerWebName": {
|
||||||
"vhostHttps": "1"
|
"vhostHttps": "1"
|
||||||
|
|
|
@ -13,13 +13,13 @@
|
||||||
<VirtualHost %%adresse_ip_eth0:443>
|
<VirtualHost %%adresse_ip_eth0:443>
|
||||||
ServerName %%managerWebName
|
ServerName %%managerWebName
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLCertificateFile /etc/ssl/certs/eole.crt
|
SSLCertificateFile %%server_cert
|
||||||
SSLCertificateKeyFile /etc/ssl/private/eole.key
|
SSLCertificateKeyFile %%server_key
|
||||||
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
||||||
SSLProtocol all -SSLv3 -SSLv2
|
SSLProtocol all -SSLv3 -SSLv2
|
||||||
SSLProxyEngine on
|
SSLProxyEngine on
|
||||||
|
|
||||||
LogLevel info
|
LogLevel %%lm_loglevel
|
||||||
ErrorLog /var/log/apache2/manager_error.log
|
ErrorLog /var/log/apache2/manager_error.log
|
||||||
CustomLog /var/log/apache2/manager_access.log common
|
CustomLog /var/log/apache2/manager_access.log common
|
||||||
|
|
||||||
|
|
|
@ -13,13 +13,13 @@
|
||||||
<VirtualHost %%adresse_ip_eth0:443>
|
<VirtualHost %%adresse_ip_eth0:443>
|
||||||
ServerName %%authWebName
|
ServerName %%authWebName
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLCertificateFile /etc/ssl/certs/eole.crt
|
SSLCertificateFile %%server_cert
|
||||||
SSLCertificateKeyFile /etc/ssl/private/eole.key
|
SSLCertificateKeyFile %%server_key
|
||||||
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
||||||
SSLProtocol all -SSLv3 -SSLv2
|
SSLProtocol all -SSLv3 -SSLv2
|
||||||
SSLProxyEngine on
|
SSLProxyEngine on
|
||||||
|
|
||||||
LogLevel info
|
LogLevel %%lm_loglevel
|
||||||
ErrorLog /var/log/apache2/portal_error.log
|
ErrorLog /var/log/apache2/portal_error.log
|
||||||
CustomLog /var/log/apache2/portal_access.log common
|
CustomLog /var/log/apache2/portal_access.log common
|
||||||
|
|
||||||
|
|