Using Active Directory (samba4) instead of OpenLDAP

Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
This commit is contained in:
Philippe Caseiro 2020-12-02 11:52:11 +01:00
parent 63bf3c9f98
commit 200c9c41e9
6 changed files with 79 additions and 30 deletions

View File

@ -27,6 +27,14 @@
</files>
<variables>
<family name='eole-sso'>
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>/cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
<family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value>
@ -39,6 +47,10 @@
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
<value>LDAP</value>
</variable>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@ -83,6 +95,9 @@
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
<value>oui</value>
</variable>
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
<value>oui</value>
</variable>
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
<variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
<value>oui</value>
@ -124,6 +139,10 @@
<param>['ldaps','ldap']</param>
</check>
<check name="valid_enum" target="lemon_user_db">
<param>['LDAP','AD']</param>
</check>
<check name='valid_enum' target="lm_loglevel">
<param>['info','notice','warn','error','debug']</param>
</check>
@ -168,6 +187,7 @@
<condition name='disabled_if_in' source='llResetPassword'>
<param>non</param>
<target type='variable'>llResetUrl</target>
<target type='variable'>llResetExpiredPassword</target>
</condition>
<check name='valid_enum' target='llSkin'>
<param>['bootstrap','dark','impact','pastel']</param>

View File

@ -7,18 +7,11 @@
<family name='eole sso'>
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
</variables>
<constraints>
<fill name='calc_multi_condition' target='activer_sso'>
<param>oui</param>
<param type='eole' name='condition_1'>activerLemon</param>
@ -31,11 +24,8 @@
<target type='variable'>activer_sso</target>
</condition>
<auto name='calc_multi_condition' target='ldapScheme'>
<param>oui</param>
<param type='eole' name='condition_1'>ldap_tls</param>
<param name='match'>ldaps</param>
<param name='default_mismatch'>ldap</param>
<auto name='calc_val' target='ldapScheme'>
<param>ldaps</param>
</auto>
<fill name='calc_val_first_value' target='eolesso_adresse'>
@ -44,25 +34,33 @@
<param type='eole'>nom_domaine_machine</param>
</fill>
<auto name='calc_val' target='ldap_port'>
<param>636</param>
</auto>
<condition name='frozen_if_in' source='activerLemon'>
<param>oui</param>
<target type='variable'>eolesso_adresse</target>
</condition>
<auto name='calc_val' target='ldapServer'>
<param type='eole'>adresse_ip_ldap</param>
<param type='eole'>ad_address</param>
</auto>
<auto name='calc_val' target='ldapServerPort'>
<param type='eole'>ldap_port</param>
<param type='number'>636</param>
</auto>
<auto name='calc_val' target='lemon_user_db'>
<param>AD</param>
</auto>
<auto name='calc_val' target='ldapBindUserDN'>
<param type='eole'>ldap_reader</param>
<param type='eole'>sasl_ldap_reader</param>
</auto>
<auto name='calc_val' target='ldapBindUserPassword'>
<param type='eole'>ldap_reader_passfile</param>
<param>/etc/eole/private/sasl-reader.password</param>
</auto>
<auto name='calc_val' target='casFolder'>

View File

@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%reloadWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/handler_error.log
CustomLog /var/log/apache2/handler_access.log common
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change

View File

@ -85,7 +85,7 @@
},
"authChoiceModules": {},
"authChoiceParam": "lmAuth",
"authentication": "LDAP",
"authentication": "%%lemon_user_db",
"browserIdAuthnLevel": 1,
"captchaStorage": "Apache::Session::File",
"captchaStorageOptions": {
@ -152,10 +152,27 @@
"issuerDBSAMLRule": 1,
"jsRedirect": 0,
"key": "e\"bTCt3*eU9^\\V%b",
%if %%llResetPassword == "oui"
%if %%llResetExpiredPassword == "oui"
%if %%lemon_user_db == "AD"
"ldapPpolicyControl": 0,
%else
"ldapPpolicyControl": 1,
%end if
"ldapAllowResetExpiredPassword": 1,
%else
"ldapPpolicyControl": 0,
"ldapAllowResetExpiredPassword": 0,
%end if
%end if
"ldapChangePasswordAsUser": 1,
"ldapAuthnLevel": 2,
%if %%eole_module == "scribe"
"ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
%else
"ldapBase": "%%ldapUserBaseDN",
"ldapChangePasswordAsUser": 0,
%end if
"ldapSearchDeref": "find",
"ldapExportedVars": {
"cn": "cn",
"mail": "mail",
@ -170,7 +187,6 @@
"ldapPasswordResetAttribute": "pwdReset",
"ldapPasswordResetAttributeValue": "TRUE",
"ldapPort": "%%ldapServerPort",
"ldapPpolicyControl": 0,
"ldapPwdEnc": "utf-8",
"ldapServer": "%%ldapScheme://%%ldapServer",
%if %%ldapScheme == "ldaps"
@ -218,7 +234,11 @@
%end if
%end if
"maintenance": 0,
%if %%eole_module == "scribe"
"managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
%else
"managerDn": "%%ldapBindUserDN",
%end if
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
@ -251,7 +271,7 @@
"openIdSreg_fullname": "cn",
"openIdSreg_nickname": "uid",
"openIdSreg_timezone": "_timezone",
"passwordDB": "LDAP",
"passwordDB": "%%lemon_user_db",
"persistentStorage": "Apache::Session::File",
"persistentStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/psessions",
@ -371,7 +391,7 @@
"useRedirectOnForbidden": 0,
"useSafeJail": 1,
"userControl": "^[\\w\\.\\-@]+$",
"userDB": "LDAP",
"userDB": "%%lemon_user_db",
"vhostOptions": {
"%%managerWebName": {
"vhostHttps": "1"

View File

@ -13,13 +13,13 @@
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%managerWebName
SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt
SSLCertificateKeyFile /etc/ssl/private/eole.key
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel info
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/manager_error.log
CustomLog /var/log/apache2/manager_access.log common

View File

@ -13,13 +13,13 @@
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%authWebName
SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt
SSLCertificateKeyFile /etc/ssl/private/eole.key
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel info
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/portal_error.log
CustomLog /var/log/apache2/portal_access.log common