Merge branch '2.8.0/master' into dist/eole/2.8.0/master

2020-12-03 16:51:40 +01:00 · 2020-12-03 16:51:40 +01:00 · 34239e8ce5
parent ad8e4a69a9 bf94e74916
commit 34239e8ce5
6 changed files with 79 additions and 30 deletions
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@ -27,6 +27,14 @@
    </files>

    <variables>
+        <family name='eole-sso'>
+            <variable name='eolesso_cas_folder' redefine="True" exists='True'>
+                <value>/cas</value>
+            </variable>
+            <variable name='eolesso_port' redefine="True" exists='True'>
+                <value>443</value>
+            </variable>
+        </family>
        <family name='Services'>
            <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
                <value>non</value>
@ -39,6 +47,10 @@
            <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
            <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>

+	    <variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
+                <value>LDAP</value>
+            </variable>
+
            <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
            <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
            <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@ -83,6 +95,9 @@
            <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
                <value>oui</value>
            </variable>
+            <variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
+                <value>oui</value>
+            </variable>
            <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
            <variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
                <value>oui</value>
@ -124,6 +139,10 @@
            <param>['ldaps','ldap']</param>
        </check>

+        <check name="valid_enum" target="lemon_user_db">
+            <param>['LDAP','AD']</param>
+        </check>
+
        <check name='valid_enum' target="lm_loglevel">
            <param>['info','notice','warn','error','debug']</param>
        </check>
@ -168,6 +187,7 @@
        <condition name='disabled_if_in' source='llResetPassword'>
            <param>non</param>
            <target type='variable'>llResetUrl</target>
+            <target type='variable'>llResetExpiredPassword</target>
        </condition>
        <check name='valid_enum' target='llSkin'>
            <param>['bootstrap','dark','impact','pastel']</param>
--- a/dicos/71_lemonldap_ng_scribe.xml
+++ b/dicos/71_lemonldap_ng_scribe.xml
@ -5,20 +5,13 @@

    <variables>

-    <family name='eole sso'>
-        <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
-        <variable name='eolesso_cas_folder' redefine="True" exists='True'>
-            <value>cas</value>
-        </variable>
-        <variable name='eolesso_port' redefine="True" exists='True'>
-            <value>443</value>
-        </variable>
-    </family>
+        <family name='eole sso'>
+            <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
+        </family>

    </variables>

    <constraints>
-
        <fill name='calc_multi_condition' target='activer_sso'>
            <param>oui</param>
            <param type='eole' name='condition_1'>activerLemon</param>
@ -31,11 +24,8 @@
            <target type='variable'>activer_sso</target>
        </condition>

-        <auto name='calc_multi_condition' target='ldapScheme'>
-            <param>oui</param>
-            <param type='eole' name='condition_1'>ldap_tls</param>
-            <param name='match'>ldaps</param>
-            <param name='default_mismatch'>ldap</param>
+        <auto name='calc_val' target='ldapScheme'>
+            <param>ldaps</param>
        </auto>

        <fill name='calc_val_first_value' target='eolesso_adresse'>
@ -44,25 +34,33 @@
            <param type='eole'>nom_domaine_machine</param>
        </fill>

+        <auto name='calc_val' target='ldap_port'>
+	    <param>636</param>
+	</auto>
+
        <condition name='frozen_if_in' source='activerLemon'>
            <param>oui</param>
            <target type='variable'>eolesso_adresse</target>
        </condition>

        <auto name='calc_val' target='ldapServer'>
-            <param type='eole'>adresse_ip_ldap</param>
+            <param type='eole'>ad_address</param>
        </auto>

        <auto name='calc_val' target='ldapServerPort'>
-            <param type='eole'>ldap_port</param>
+            <param type='number'>636</param>
+        </auto>
+
+        <auto name='calc_val' target='lemon_user_db'>
+            <param>AD</param>
        </auto>

        <auto name='calc_val' target='ldapBindUserDN'>
-            <param type='eole'>ldap_reader</param>
+            <param type='eole'>sasl_ldap_reader</param>
        </auto>

        <auto name='calc_val' target='ldapBindUserPassword'>
-            <param type='eole'>ldap_reader_passfile</param>
+	    <param>/etc/eole/private/sasl-reader.password</param>
        </auto>

        <auto name='calc_val' target='casFolder'>
--- a/tmpl/handler-apache2.X.conf
+++ b/tmpl/handler-apache2.X.conf
@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%reloadWebName

+    SSLEngine on
+    SSLCertificateFile   %%server_cert
+    SSLCertificateKeyFile %%server_key
+    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+    SSLProtocol all -SSLv3 -SSLv2
+    SSLProxyEngine on
+
+    LogLevel %%lm_loglevel
+
+    ErrorLog /var/log/apache2/handler_error.log
+    CustomLog /var/log/apache2/handler_access.log common
    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when
    # configuration change
--- a/tmpl/lmConf-1.json
+++ b/tmpl/lmConf-1.json
@ -85,7 +85,7 @@
    },
    "authChoiceModules": {},
    "authChoiceParam": "lmAuth",
-    "authentication": "LDAP",
+    "authentication": "%%lemon_user_db",
    "browserIdAuthnLevel": 1,
    "captchaStorage": "Apache::Session::File",
    "captchaStorageOptions": {
@ -152,10 +152,27 @@
    "issuerDBSAMLRule": 1,
    "jsRedirect": 0,
    "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+  %if %%llResetExpiredPassword == "oui"
+    %if %%lemon_user_db == "AD"
+    "ldapPpolicyControl": 0,
+    %else
+    "ldapPpolicyControl": 1,
+    %end if
+    "ldapAllowResetExpiredPassword": 1,
+  %else
+    "ldapPpolicyControl": 0,
    "ldapAllowResetExpiredPassword": 0,
+  %end if
+%end if
+    "ldapChangePasswordAsUser": 1,
    "ldapAuthnLevel": 2,
+%if %%eole_module == "scribe"
+    "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
    "ldapBase": "%%ldapUserBaseDN",
-    "ldapChangePasswordAsUser": 0,
+%end if
+    "ldapSearchDeref": "find",
    "ldapExportedVars": {
        "cn": "cn",
        "mail": "mail",
@ -170,7 +187,6 @@
    "ldapPasswordResetAttribute": "pwdReset",
    "ldapPasswordResetAttributeValue": "TRUE",
    "ldapPort": "%%ldapServerPort",
-    "ldapPpolicyControl": 0,
    "ldapPwdEnc": "utf-8",
    "ldapServer": "%%ldapScheme://%%ldapServer",
 %if %%ldapScheme == "ldaps"
@ -218,7 +234,11 @@
    %end if
 %end if
    "maintenance": 0,
+%if %%eole_module == "scribe"
+    "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
    "managerDn": "%%ldapBindUserDN",
+%end if
 %if %%is_file(%%ldapBindUserPassword)
    "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
@ -251,7 +271,7 @@
    "openIdSreg_fullname": "cn",
    "openIdSreg_nickname": "uid",
    "openIdSreg_timezone": "_timezone",
-    "passwordDB": "LDAP",
+    "passwordDB": "%%lemon_user_db",
    "persistentStorage": "Apache::Session::File",
    "persistentStorageOptions": {
        "Directory": "/var/lib/lemonldap-ng/psessions",
@ -371,7 +391,7 @@
    "useRedirectOnForbidden": 0,
    "useSafeJail": 1,
    "userControl": "^[\\w\\.\\-@]+$",
-    "userDB": "LDAP",
+    "userDB": "%%lemon_user_db",
    "vhostOptions": {
        "%%managerWebName": {
            "vhostHttps": "1"
--- a/tmpl/manager-apache2.X.conf
+++ b/tmpl/manager-apache2.X.conf
@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%managerWebName
    SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    SSLProtocol all -SSLv3 -SSLv2
    SSLProxyEngine on

-    LogLevel info
+    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/manager_error.log
    CustomLog /var/log/apache2/manager_access.log common

--- a/tmpl/portal-apache2.X.conf
+++ b/tmpl/portal-apache2.X.conf
@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%authWebName
    SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    SSLProtocol all -SSLv3 -SSLv2
    SSLProxyEngine on

-    LogLevel info
+    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/portal_error.log
    CustomLog /var/log/apache2/portal_access.log common