From 3e7bc2b56bdffc5e49dd4dc3da82b846c1653bab Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Mon, 5 Mar 2018 14:35:14 +0100 Subject: [PATCH] Adding first working templates - manager-nginx.conf - portal-nginx.conf - handler-nginx.conf - lmConf-1.js (Any configuration modification in LemonLDAP Manager prevail over this configuration) Adding diagnose script - HTTP Ping the manager, the handler and the portal Adding posttempalte script - Enable nginx configuration if necessary - Add an entry ton /etc/hosts with the 3 web names --- diagnose/71-lemonLDAP | 16 ++ dicos/70_lemonldap_ng.xml | 51 +++- posttemplate/70-lemon-hosts | 19 ++ posttemplate/70-lemon-nginx | 16 ++ tmpl/handler-nginx.conf | 25 +- tmpl/lmConf-1.js | 539 +++++++++++++++++++++++++----------- tmpl/lmConf-9.json | 386 -------------------------- tmpl/manager-nginx.conf | 9 +- tmpl/portal-nginx.conf | 9 +- 9 files changed, 506 insertions(+), 564 deletions(-) create mode 100755 diagnose/71-lemonLDAP create mode 100755 posttemplate/70-lemon-hosts create mode 100755 posttemplate/70-lemon-nginx delete mode 100644 tmpl/lmConf-9.json diff --git a/diagnose/71-lemonLDAP b/diagnose/71-lemonLDAP new file mode 100755 index 0000000..f072546 --- /dev/null +++ b/diagnose/71-lemonLDAP @@ -0,0 +1,16 @@ +#!/bin/bash + +if [ $(CreoleGet activerLemon) = "oui" ];then + . /usr/lib/eole/diagnose.sh + manager=$(CreoleGet managerWebName) + portal=$(CreoleGet authWebName) + handler=$(CreoleGet reloadWebName) + + EchoGras "*** LemonLDAP::NG" + TestHTTPPage "Manager" "http://${manager}/" + TestHTTPPage "Portal" "http://${portal}/" + TestHTTPPage "Handler" "http://${handler}/" + echo +fi + +exit 0 diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 171a528..b2ea08c 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -1,8 +1,11 @@ - + - + + + + 80 443 
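Review bot: The activation test `if [ $(CreoleGet activerLemon) = "oui" ]` leaves the substitution unquoted, so an empty or missing value makes `[` fail with a syntax error instead of quietly skipping the block; the two posttemplate scripts in this commit read the same variable as `CreoleGet activerLemon 'non'` and compare it quoted, and this script should match them: `if [ "$(CreoleGet activerLemon 'non')" = "oui" ]; then`. The three probes use `http://` URLs, while the nginx templates in this commit answer port 80 on all three names with a 301 to https; whether TestHTTPPage counts a redirect as a pass depends on diagnose.sh, which is not visible here, so either confirm that or probe `https://` directly. The three hostnames are also substituted unquoted into the URLs; quoting them costs nothing.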
@@ -10,33 +13,57 @@ - + non - + - /srv/one/market - + + --> + + + + + + + + Configuration DNS + Configuration LDAP + - nom_machine - . + manager. nom_domaine_local + + auth. + nom_domaine_local + + + reload. + nom_domaine_local + + + SAML + nom_domaine_local + + + ['ldaps','ldap'] + non lemon - Lemon-LDAP-NG + LemonLDAP saLemon - Activer l'hébergement d'une place de marché HTTP pour OpenNebula - Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com - Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com + Activer l'hébergement d'une place de marché HTTP pour OpenNebula + Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com + Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com diff --git a/posttemplate/70-lemon-hosts b/posttemplate/70-lemon-hosts new file mode 100755 index 0000000..1488f3d --- /dev/null +++ b/posttemplate/70-lemon-hosts @@ -0,0 +1,19 @@ +#!/bin/bash + +ENABLE=$(CreoleGet activerLemon 'non') +HOSTS="/etc/hosts" + +if [ "${ENABLE}" = 'oui' ];then + manager=$(CreoleGet managerWebName) + handler=$(CreoleGet reloadWebName) + portal=$(CreoleGet authWebName) + ipaddr=$(CreoleGet adresse_ip_eth0) + line="${ipaddr} ${manager} ${handler} ${portal}" + grep -q "${line}" ${HOSTS} + if [[ ${?} -eq 0 ]] + then + exit 0 + else + echo ${line} >> ${HOSTS} + fi +fi \ No newline at end of file diff --git a/posttemplate/70-lemon-nginx b/posttemplate/70-lemon-nginx new file mode 100755 index 0000000..14d5fcb --- /dev/null +++ b/posttemplate/70-lemon-nginx 
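Review bot: The help text kept on the new side for the activation variable, `Activer l'hébergement d'une place de marché HTTP pour OpenNebula`, describes an OpenNebula marketplace rather than LemonLDAP::NG and looks like a leftover of the dictionary this file was derived from (the removed `/srv/one/market` default points the same way). The markup of this hunk is not preserved in the patch as shown, so I cannot confirm which variable it is attached to, but the other two help strings were corrected in this hunk and this one appears to have been missed; something like `Activer le SSO LemonLDAP::NG` would fit. It is also worth checking that the new `reload.` and `SAML` variables got help strings of their own, since none are visible here.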
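Review bot: The idempotency check `grep -q "${line}" ${HOSTS}` only matches the exact current line, so when the address or one of the three names changes the stale entry stays in /etc/hosts and a second one is appended, and the resolver will generally keep using the first match. Consider tagging the managed line with a fixed comment and replacing it in place, e.g. `line="${ipaddr} ${manager} ${handler} ${portal} # lemonldap-ng"`, `sed -i '/# lemonldap-ng$/d' "${HOSTS}"`, `echo "${line}" >> "${HOSTS}"`. The pattern should also be a fixed string (`grep -qF --`), since the dots in the host names are regex metacharacters, and `echo ${line}` and `${HOSTS}` should be quoted. Nothing guards against `adresse_ip_eth0` being empty, which would write a line of bare names into the file.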
@@ -0,0 +1,16 @@ +#!/bin/bash + +ENABLE=$(CreoleGet activerLemon 'non') +CONF_FILES='manager-nginx.conf' +CONF_FILES='${CONF_FILE} handler-nginx.conf' +CONF_FILES='${CONF_FILE} portal-nginx.conf' + +for CONF_FILE in ${CONF_FILES} +do + if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then + rm /etc/nginx/sites-enabled/${CONF_FILE} + fi + if [ "${ENABLE}" = 'oui' ];then + ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE} + fi +done \ No newline at end of file diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf index 5f0a8c8..ce25b87 100644 --- a/tmpl/handler-nginx.conf +++ b/tmpl/handler-nginx.conf @@ -18,7 +18,28 @@ include /etc/lemonldap-ng/nginx-lmlog.conf; server { listen 80; - server_name reload.example.com; + server_name %%reloadWebName; + return 301 https://$host$request_uri; +} + +server { + listen 443; + ssl on; +%if %%cert_type == "letsencrypt" + ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; + ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; +%else + ssl_certificate %%server_cert; + ssl_certificate_key %%server_key; +%end if + ssl_client_certificate /etc/ssl/certs/ca.crt; + access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log; + server_name %%reloadWebName; + + error_page 403 404 502 503 504 /nginx.html; + location = /nginx.html{ + root /usr/share/nginx/www; + } root /var/www/html; location = /reload { @@ -45,4 +66,4 @@ server { # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; # fastcgi_param LLTYPE status; #} -} +} \ No newline at end of file diff --git a/tmpl/lmConf-1.js b/tmpl/lmConf-1.js index e9c9018..81526be 100644 --- a/tmpl/lmConf-1.js +++ b/tmpl/lmConf-1.js 
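Review bot: The list assembly on the three `CONF_FILES=` lines never expands: the single quotes keep `${CONF_FILE}` literal and the name inside them is `CONF_FILE`, not `CONF_FILES`, so the loop iterates over the two words `${CONF_FILE}` and `portal-nginx.conf` and only the portal site is ever enabled (the first pass tests a literal `/etc/nginx/sites-enabled/${CONF_FILE}` path). Replace the three lines with `CONF_FILES="manager-nginx.conf handler-nginx.conf portal-nginx.conf"`. It would also be safer to create the link only when the target exists in sites-available and to quote the paths, and the script does not reload nginx after changing the enabled sites; if another EOLE hook does that, a one-line comment saying so would help the next reader.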
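Review bot: In the letsencrypt branch the new 443 vhost for `%%reloadWebName` loads `%%le_config_dir/live/%%managerWebName/cert.pem` and its key, i.e. the manager's certificate; unless that certificate also carries the reload name as a SAN, TLS clients will see a hostname mismatch, and both lines should use `%%reloadWebName`, as the portal template does with `%%authWebName`. For nginx, `ssl_certificate` should point at `fullchain.pem` rather than `cert.pem`, otherwise the intermediate certificate is not sent and many clients fail validation; the same applies to the letsencrypt branches added in tmpl/manager-nginx.conf and tmpl/portal-nginx.conf in this commit. The block also writes to `/var/log/nginx/manager-lemon-ldap.access-ssl.log`, sharing the manager's access log; a per-vhost name such as `reload-lemon-ldap.access-ssl.log` keeps the two separable for monitoring, as the portal's `auth-lemon-ldap` log already is. The `server` block opened here continues past the end of the hunk.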
@@ -1,167 +1,386 @@ { - "applicationList" : { - "1sample" : { - "catname" : "Sample applications", - "test1" : { - "options" : { - "description" : "A simple application displaying authenticated user", - "display" : "auto", - "logo" : "demo.png", - "name" : "Application Test 1", - "uri" : "http://test1.example.com/" + "ldapGroupAttributeNameUser": "dn", + "cfgAuthorIP": "172.16.0.1", + "samlSPMetaDataXML": null, + "facebookAuthnLevel": 1, + "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation", + "secureTokenAttribute": "uid", + "singleSession": 0, + "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", + "CAS_pgtFile": "/tmp/pgt.txt", + "cookieName": "lemonldap", + "slaveExportedVars": {}, + "whatToTrace": "_whatToTrace", + "oidcRPMetaDataOptions": {}, + "notifyDeleted": 1, + "useRedirectOnError": 1, + "samlSPMetaDataExportedAttributes": null, + "ldapPwdEnc": "utf-8", + "openIdSPList": "0;", + "samlNameIDFormatMapEmail": "mail", + "samlSPMetaDataOptions": null, + "issuerDBOpenIDRule": 1, + "casStorageOptions": {}, + "mailFrom": "noreply@%%nom_domaine_local", + "timeoutActivity": 0, + "oidcRPMetaDataExportedVars": {}, + "issuerDBSAMLActivation": 0, + "issuerDBCASPath": "^/cas/", + "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", + "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", + "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", + "exportedHeaders": { + "test1.%%nom_domaine_local": { + "Auth-User": "$uid" + }, + "test2.%%nom_domaine_local": { + "Auth-User": "$uid" + }, + "%%managerWebName": {} + }, + "vhostOptions": { + "%%managerWebName": {}, + "test1.%%nom_domaine_local": {}, + "test2.%%nom_domaine_local": {} + }, + "radiusAuthnLevel": 3, + "dbiAuthnLevel": 2, + "ldapPasswordResetAttribute": "pwdReset", + "ldapGroupObjectClass": 
"groupOfNames", + "apacheAuthnLevel": 4, + "samlNameIDFormatMapKerberos": "uid", + "groups": {}, + "securedCookie": 0, + "httpOnly": 1, + "yubikeyAuthnLevel": 3, + "ADPwdMaxAge": 0, + "samlUseQueryStringSpecific": 0, + "loginHistoryEnabled": 1, + "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;", + "failedLoginNumber": 5, + "samlServicePrivateKeyEncPwd": "", + "portalForceAuthnInterval": 0, + "cfgLog": "", + "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", + "exportedVars": { + "UA": "HTTP_USER_AGENT" + }, + "notificationStorage": "File", + "applicationList": { + "1sample": { + "test2": { + "options": { + "name": "Application Test 2", + "logo": "thumbnail.png", + "uri": "http://test2.%%nom_domaine_local/", + "display": "auto", + "description": "The same simple application displaying authenticated user" + }, + "type": "application" }, - "type" : "application" - }, - "test2" : { - "options" : { - "description" : "The same simple application displaying authenticated user", - "display" : "auto", - "logo" : "thumbnail.png", - "name" : "Application Test 2", - "uri" : "http://test2.example.com/" + "type": "category", + "catname": "Sample applications", + "test1": { + "type": "application", + "options": { + "description": "A simple application displaying authenticated user", + "uri": "http://test1.%%nom_domaine_local/", + "logo": "demo.png", + "display": "auto", + "name": "Application Test 1" + } + } + }, + "2administration": { + "notifications": { + "options": { + "name": "Notifications explorer", + "display": "auto", + "description": "Explore WebSSO notifications", + "uri": "https://%%managerWebName/notifications.pl", + "logo": "database.png" + }, + "type": "application" }, - "type" : "application" - }, - "type" : "category" - }, - "2administration" : { - "catname" : 
"Administration", - "manager" : { - "options" : { - "description" : "Configure LemonLDAP::NG WebSSO", - "display" : "auto", - "logo" : "configure.png", - "name" : "WebSSO Manager", - "uri" : "http://manager.example.com/manager.html" + "manager": { + "options": { + "uri": "https://%%managerWebName/", + "display": "auto", + "description": "Configure LemonLDAP::NG WebSSO", + "logo": "configure.png", + "name": "WebSSO Manager" + }, + "type": "application" }, - "type" : "application" - }, - "notifications" : { - "options" : { - "description" : "Explore WebSSO notifications", - "display" : "auto", - "logo" : "database.png", - "name" : "Notifications explorer", - "uri" : "http://manager.example.com/notifications.html" + "type": "category", + "sessions": { + "type": "application", + "options": { + "description": "Explore WebSSO sessions", + "uri": "https://%%managerWebName/sessions.pl", + "logo": "database.png", + "display": "auto", + "name": "Sessions explorer" + } }, - "type" : "application" - }, - "sessions" : { - "options" : { - "description" : "Explore WebSSO sessions", - "display" : "auto", - "logo" : "database.png", - "name" : "Sessions explorer", - "uri" : "http://manager.example.com/sessions.html" + "catname": "Administration" + }, + "3documentation": { + "catname": "Documentation", + "officialwebsite": { + "type": "application", + "options": { + "name": "Offical Website", + "description": "Official LemonLDAP::NG Website", + "logo": "network.png", + "display": "on", + "uri": "http://lemonldap-ng.org/" + } }, - "type" : "application" - }, - "type" : "category" - }, - "3documentation" : { - "catname" : "Documentation", - "localdoc" : { - "options" : { - "description" : "Documentation supplied with LemonLDAP::NG", - "display" : "on", - "logo" : "help.png", - "name" : "Local documentation", - "uri" : "http://manager.example.com/doc/" - }, - "type" : "application" - }, - "officialwebsite" : { - "options" : { - "description" : "Official LemonLDAP::NG Website", - 
"display" : "on", - "logo" : "network.png", - "name" : "Offical Website", - "uri" : "http://lemonldap-ng.org/" - }, - "type" : "application" - }, - "type" : "category" - } - }, - "authentication" : "Demo", - "cfgAuthor" : "The LemonLDAP::NG team", - "cfgNum" : 1, - "cookieName" : "lemonldap", - "demoExportedVars" : { - "cn" : "cn", - "mail" : "mail", - "uid" : "uid" - }, - "domain" : "example.com", - "exportedHeaders" : { - "test1.example.com" : { - "Auth-User" : "$uid" - }, - "test2.example.com" : { - "Auth-User" : "$uid" - } - }, - "exportedVars" : { - "UA" : "HTTP_USER_AGENT" - }, - "globalStorage" : "Apache::Session::File", - "globalStorageOptions" : { - "Directory" : "/var/lib/lemonldap-ng/sessions", - "LockDirectory" : "/var/lib/lemonldap-ng/sessions/lock", - "generateModule" : "Lemonldap::NG::Common::Apache::Session::Generate::SHA256" - }, - "groups" : {}, - "localSessionStorage" : "Cache::FileCache", - "localSessionStorageOptions" : { - "cache_depth" : 3, - "cache_root" : "/tmp", - "default_expires_in" : 600, - "directory_umask" : "007", - "namespace" : "lemonldap-ng-sessions" - }, - "locationRules" : { - "manager.example.com" : { - "(?#Configuration)^/(manager\\.html|conf/)" : "$uid eq \"dwho\"", - "(?#Notifications)/notifications" : "$uid eq \"dwho\" or $uid eq \"rtyler\"", - "(?#Sessions)/sessions" : "$uid eq \"dwho\" or $uid eq \"rtyler\"", - "default" : "$uid eq \"dwho\"" - }, - "test1.example.com" : { - "^/logout" : "logout_sso", - "default" : "accept" - }, - "test2.example.com" : { - "^/logout" : "logout_sso", - "default" : "accept" - } - }, - "loginHistoryEnabled" : 1, - "macros" : { - "_whatToTrace" : "$_auth eq 'SAML' ? 
\"$_user\\@$_idpConfKey\" : \"$_user\"" - }, - "mailUrl" : "http://auth.example.com/mail.pl", - "notification" : 1, - "notificationStorage" : "File", - "notificationStorageOptions" : { - "dirName" : "/var/lib/lemonldap-ng/notifications" - }, - "passwordDB" : "Demo", - "persistentStorage" : "Apache::Session::File", - "persistentStorageOptions" : { - "Directory" : "/var/lib/lemonldap-ng/psessions", - "LockDirectory" : "/var/lib/lemonldap-ng/psessions/lock" - }, - "portal" : "http://auth.example.com/", - "portalSkin" : "bootstrap", - "portalSkinBackground" : "1280px-Cedar_Breaks_National_Monument_partially.jpg", - "registerDB" : "Demo", - "registerUrl" : "http://auth.example.com/register.pl", - "reloadUrls" : { - "reload.example.com" : "http://reload.example.com/reload" - }, - "securedCookie" : 0, - "sessionDataToRemember" : {}, - "timeout" : 72000, - "userDB" : "Demo", - "whatToTrace" : "_whatToTrace" + "type": "category", + "localdoc": { + "options": { + "logo": "help.png", + "description": "Documentation supplied with LemonLDAP::NG", + "display": "on", + "uri": "http://%%managerWebName/doc/", + "name": "Local documentation" + }, + "type": "application" + } + } + }, + "userControl": "^[\\w\\.\\-@]+$", + "timeout": 72000, + "portalAntiFrame": 1, + "SMTPServer": "", + "ldapTimeout": 120, + "samlAuthnContextMapPasswordProtectedTransport": 3, + "ldapUsePasswordResetAttribute": 1, + "ldapPpolicyControl": 0, + "casAttributes": {}, + "issuerDBSAMLPath": "^/saml/", + "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;", + "portalDisplayAppslist": 1, + "confirmFormMethod": "post", + "domain": "%%nom_domaine_local", + "cfgNum": "9", + "authentication": "LDAP", + "samlNameIDFormatMapWindows": "uid", + "authChoiceModules": {}, + "ldapGroupAttributeName": "member", + "samlServicePrivateKeySigPwd": "", + "googleAuthnLevel": 1, + "successLoginNumber": 5, + "localSessionStorageOptions": { + "cache_root": "/tmp", 
+ "namespace": "lemonldap-ng-sessions", + "default_expires_in": 600, + "directory_umask": "007", + "cache_depth": 3 + }, + "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", + "portalRequireOldPassword": 1, + "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;", + "ADPwdExpireWarning": 0, + "yubikeyPublicIDSize": 12, + "ldapGroupAttributeNameGroup": "dn", + "oidcRPMetaDataOptionsExtraClaims": null, + "ldapGroupRecursive": 0, + "mailSubject": "[LemonLDAP::NG] Your new password", + "nginxCustomHandlers": {}, + "samlSPSSODescriptorAuthnRequestsSigned": 1, + "portalDisplayResetPassword": 1, + "openIdSreg_timezone": "_timezone", + "infoFormMethod": "get", + "openIdAuthnLevel": 1, + "openIdSreg_nickname": "uid", + "samlServicePublicKeyEnc": "", + "userDB": "LDAP", + "grantSessionRules": {}, + "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP", + "reloadUrls": { + "%%reloadWebName": "http://%%reloadWebName/reload" + }, + "registerTimeout": 0, + "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;", + "slaveAuthnLevel": 2, + "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", + "Soap": 1, + "registerDB": "Demo", + "locationRules": { + "%%managerWebName": { + "default": "$uid eq \"dwho\"" + }, + "test1.%%nom_domaine_local": { + "default": "accept", + "^/logout": "logout_sso" + }, + "test2.%%nom_domaine_local": { + "default": "accept", + "^/logout": "logout_sso" + } + }, + "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", + "hideOldPassword": 0, + "managerPassword": "%%ldapBindUserPassword", + "authChoiceParam": "lmAuth", + "lwpSslOpts": {}, + "portalSkinRules": {}, + "issuerDBOpenIDPath": 
"^/openidserver/", + "redirectFormMethod": "get", + "portalDisplayRegister": 1, + "secureTokenMemcachedServers": "127.0.0.1:11211", + "notificationStorageOptions": { + "dirName": "/var/lib/lemonldap-ng/notifications" + }, + "browserIdAuthnLevel": 1, + "portalUserAttr": "_user", + "ldapVersion": 3, + "sessionDataToRemember": {}, + "samlNameIDFormatMapX509": "mail", + "managerDn": "%%ldapBindUserDN", + "mailSessionKey": "mail", + "openIdSreg_email": "mail", + "localSessionStorage": "Cache::FileCache", + "persistentStorage": "Apache::Session::File", + "mailOnPasswordChange": 0, + "captchaStorage": "Apache::Session::File", + "remoteGlobalStorageOptions": { + "proxy": "http://%%authWebName/index.pl/sessions", + "ns": "http://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService" + }, + "passwordDB": "LDAP", + "captcha_size": 6, + "mailCharset": "utf-8", + "facebookExportedVars": {}, + "nullAuthnLevel": 2, + "singleIP": 0, + "dbiExportedVars": {}, + "portalSkin": "bootstrap", + "storePassword": 0, + "hiddenAttributes": "_password", + "samlServicePrivateKeySig": "", + "globalStorage": "Apache::Session::File", + "notificationWildcard": "allusers", + "portalForceAuthn": 0, + "samlMetadataForceUTF8": 1, + "secureTokenUrls": ".*", + "secureTokenAllowOnError": 1, + "samlAuthnContextMapTLSClient": 5, + "ldapAllowResetExpiredPassword": 0, + "oidcOPMetaDataExportedVars": {}, + "notifyOther": 0, + "secureTokenExpiration": 60, + "captcha_mail_enabled": 0, + "samlStorageOptions": {}, + "samlOrganizationDisplayName": "Example", + "trustedProxies": "", + "secureTokenHeader": "Auth-Token", + "issuerDBCASActivation": 1, + "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;", + "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", + "samlIDPMetaDataXML": {}, + "oidcStorageOptions": {}, + 
"cfgDate": 1519998069, + "samlAuthnContextMapPassword": 2, + "portalDisplayLoginHistory": 1, + "ldapPasswordResetAttributeValue": "TRUE", + "ldapServer": "%%ldapScheme://%%ldapServer", + "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;", + "samlIDPMetaDataExportedAttributes": null, + "samlServicePrivateKeyEnc": "", + "useRedirectOnForbidden": 0, + "captcha_login_enabled": 0, + "https": 0, + "checkXSS": 1, + "ldapSetPassword": 0, + "portalPingInterval": 60000, + "captchaStorageOptions": { + "Directory": "/var/lib/lemonldap-ng/captcha/" + }, + "useSafeJail": 1, + "registerDoneSubject": "[LemonLDAP::NG] Your new account", + "issuerDBCASRule": 1, + "samlAuthnContextMapKerberos": 4, + "ldapGroupAttributeNameSearch": "cn", + "logoutServices": {}, + "samlIDPSSODescriptorWantAuthnRequestsSigned": 1, + "portalDisplayLogout": 1, + "issuerDBGetParameters": {}, + "googleExportedVars": {}, + "openIdSreg_fullname": "cn", + "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact", + "demoExportedVars": { + "mail": "mail", + "uid": "uid", + "cn": "cn" + }, + "oidcOPMetaDataJSON": null, + "samlIdPResolveCookie": "lemonldapidp", + "samlRelayStateTimeout": 600, + "samlOrganizationURL": "http://www.%%nom_domaine_local", + "globalStorageOptions": { + "Directory": "/var/lib/lemonldap-ng/sessions", + "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock" + }, + "ldapExportedVars": { + "mail": "mail", + "cn": "cn", + "uid": "uid" + }, + "webIDExportedVars": {}, + "activeTimer": 1, + "cda": 0, + "samlServicePublicKeySig": "", + "portalCheckLogins": 1, + "CAS_authnLevel": 1, + "macros": { + "_whatToTrace": "$_auth eq 'SAML' ? 
\"$_user\\@$_idpConfKey\" : \"$_user\"" + }, + "samlIDPMetaDataOptions": null, + "twitterAuthnLevel": 1, + "openIdExportedVars": {}, + "captcha_register_enabled": 1, + "oidcOPMetaDataJWKS": null, + "webIDAuthnLevel": 1, + "issuerDBOpenIDActivation": "1", + "mailUrl": "http://%%authWebName/mail.pl", + "maintenance": 0, + "jsRedirect": 0, + "cfgAuthor": "dwho", + "persistentStorageOptions": { + "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock", + "Directory": "/var/lib/lemonldap-ng/psessions" + }, + "SSLAuthnLevel": 5, + "oidcServiceMetaDataAuthnContext": {}, + "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", + "notification": 1, + "ldapChangePasswordAsUser": 0, + "CAS_proxiedServices": {}, + "key": "e\"bTCt3*eU9^\\V%b", + "portal": "http://%%authWebName/", + "singleSessionUserByIP": 0, + "portalOpenLinkInNewWindow": 0, + "post": { + "test2.%%nom_domaine_local": {}, + "test1.%%nom_domaine_local": {}, + "%%managerWebName": {} + }, + "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost", + "issuerDBSAMLRule": 1, + "samlCommonDomainCookieActivation": 0, + "syslog": "", + "ldapBase": "%%ldapUserBaseDN", + "ldapAuthnLevel": 2, + "mailTimeout": 0, + "samlEntityID": "#PORTAL#/saml/metadata", + "oidcOPMetaDataOptions": null, + "samlSPSSODescriptorWantAssertionsSigned": 1, + "samlOrganizationName": "%%samlOrganizationName", + "registerUrl": "http://%%authWebName/register.pl", + "casAccessControlPolicy": "none", + "multiValuesSeparator": ";", + "ldapPort": %%ldapServerPort } diff --git a/tmpl/lmConf-9.json b/tmpl/lmConf-9.json deleted file mode 100644 index f7c43d0..0000000 --- a/tmpl/lmConf-9.json +++ /dev/null 
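Review bot: The ciphering secret `"key": "e\"bTCt3*eU9^\\V%b"` is committed as a literal in the template, so every instance deployed from it shares the same key LemonLDAP::NG uses to cipher session data and tokens; it should be filled from a per-host generated Creole variable, the way `managerPassword` now takes `%%ldapBindUserPassword`. The portal-facing URLs (`portal`, `mailUrl`, `registerUrl`, `reloadUrls`, the two `remoteGlobalStorageOptions` entries and the `localdoc` link) are still `http://` while the nginx templates in this commit answer port 80 with a 301 to https, and `securedCookie` stays `0`; with an https-only portal these should be `https://` and `securedCookie` should be `1`, otherwise the browser also sends the session cookie over the plain-HTTP hop before the redirect, and a reload client that does not follow redirects will never reach `/reload`. The manager `locationRules` still grant access only to `$uid eq "dwho"`, the demo account, although `authentication` and `userDB` are now `LDAP`; whoever can create that uid in the directory becomes the SSO administrator, so the rule should come from an admin group or uid variable. `cfgNum` is `"9"` in a file named lmConf-1.js, which may confuse the File configuration backend that numbers configurations by file name — worth checking.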
@@ -1,386 +0,0 @@ -{ - "ldapGroupAttributeNameUser": "dn", - "cfgAuthorIP": "172.16.0.1", - "samlSPMetaDataXML": null, - "facebookAuthnLevel": 1, - "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation", - "secureTokenAttribute": "uid", - "singleSession": 0, - "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", - "CAS_pgtFile": "/tmp/pgt.txt", - "cookieName": "lemonldap", - "slaveExportedVars": {}, - "whatToTrace": "_whatToTrace", - "oidcRPMetaDataOptions": {}, - "notifyDeleted": 1, - "useRedirectOnError": 1, - "samlSPMetaDataExportedAttributes": null, - "ldapPwdEnc": "utf-8", - "openIdSPList": "0;", - "samlNameIDFormatMapEmail": "mail", - "samlSPMetaDataOptions": null, - "issuerDBOpenIDRule": 1, - "casStorageOptions": {}, - "mailFrom": "noreply@%%nom_domaine_local", - "timeoutActivity": 0, - "oidcRPMetaDataExportedVars": {}, - "issuerDBSAMLActivation": 0, - "issuerDBCASPath": "^/cas/", - "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", - "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", - "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", - "exportedHeaders": { - "test1.%%nom_domaine_local": { - "Auth-User": "$uid" - }, - "test2.%%nom_domaine_local": { - "Auth-User": "$uid" - }, - "manager.%%nom_domaine_local": {} - }, - "vhostOptions": { - "manager.%%nom_domaine_local": {}, - "test1.%%nom_domaine_local": {}, - "test2.%%nom_domaine_local": {} - }, - "radiusAuthnLevel": 3, - "dbiAuthnLevel": 2, - "ldapPasswordResetAttribute": "pwdReset", - "ldapGroupObjectClass": "groupOfNames", - "apacheAuthnLevel": 4, - "samlNameIDFormatMapKerberos": "uid", - "groups": {}, - "securedCookie": 0, - "httpOnly": 1, - "yubikeyAuthnLevel": 3, - "ADPwdMaxAge": 0, - "samlUseQueryStringSpecific": 0, - "loginHistoryEnabled": 1, - 
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;", - "failedLoginNumber": 5, - "samlServicePrivateKeyEncPwd": "", - "portalForceAuthnInterval": 0, - "cfgLog": "", - "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", - "exportedVars": { - "UA": "HTTP_USER_AGENT" - }, - "notificationStorage": "File", - "applicationList": { - "1sample": { - "test2": { - "options": { - "name": "Application Test 2", - "logo": "thumbnail.png", - "uri": "http://test2.%%nom_domaine_local/", - "display": "auto", - "description": "The same simple application displaying authenticated user" - }, - "type": "application" - }, - "type": "category", - "catname": "Sample applications", - "test1": { - "type": "application", - "options": { - "description": "A simple application displaying authenticated user", - "uri": "http://test1.%%nom_domaine_local/", - "logo": "demo.png", - "display": "auto", - "name": "Application Test 1" - } - } - }, - "2administration": { - "notifications": { - "options": { - "name": "Notifications explorer", - "display": "auto", - "description": "Explore WebSSO notifications", - "uri": "http://manager.%%nom_domaine_local/notifications.pl", - "logo": "database.png" - }, - "type": "application" - }, - "manager": { - "options": { - "uri": "http://manager.%%nom_domaine_local/", - "display": "auto", - "description": "Configure LemonLDAP::NG WebSSO", - "logo": "configure.png", - "name": "WebSSO Manager" - }, - "type": "application" - }, - "type": "category", - "sessions": { - "type": "application", - "options": { - "description": "Explore WebSSO sessions", - "uri": "http://manager.%%nom_domaine_local/sessions.pl", - "logo": "database.png", - "display": "auto", - "name": "Sessions explorer" - } - }, - "catname": "Administration" - }, - "3documentation": { - "catname": "Documentation", - 
"officialwebsite": { - "type": "application", - "options": { - "name": "Offical Website", - "description": "Official LemonLDAP::NG Website", - "logo": "network.png", - "display": "on", - "uri": "http://lemonldap-ng.org/" - } - }, - "type": "category", - "localdoc": { - "options": { - "logo": "help.png", - "description": "Documentation supplied with LemonLDAP::NG", - "display": "on", - "uri": "http://manager.%%nom_domaine_local/doc/", - "name": "Local documentation" - }, - "type": "application" - } - } - }, - "userControl": "^[\\w\\.\\-@]+$", - "timeout": 72000, - "portalAntiFrame": 1, - "SMTPServer": "", - "ldapTimeout": 120, - "samlAuthnContextMapPasswordProtectedTransport": 3, - "ldapUsePasswordResetAttribute": 1, - "ldapPpolicyControl": 0, - "casAttributes": {}, - "issuerDBSAMLPath": "^/saml/", - "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;", - "portalDisplayAppslist": 1, - "confirmFormMethod": "post", - "domain": "%%nom_domaine_local", - "cfgNum": "9", - "authentication": "LDAP", - "samlNameIDFormatMapWindows": "uid", - "authChoiceModules": {}, - "ldapGroupAttributeName": "member", - "samlServicePrivateKeySigPwd": "", - "googleAuthnLevel": 1, - "successLoginNumber": 5, - "localSessionStorageOptions": { - "cache_root": "/tmp", - "namespace": "lemonldap-ng-sessions", - "default_expires_in": 600, - "directory_umask": "007", - "cache_depth": 3 - }, - "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", - "portalRequireOldPassword": 1, - "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;", - "ADPwdExpireWarning": 0, - "yubikeyPublicIDSize": 12, - "ldapGroupAttributeNameGroup": "dn", - "oidcRPMetaDataOptionsExtraClaims": null, - "ldapGroupRecursive": 0, - "mailSubject": "[LemonLDAP::NG] Your new password", - 
"nginxCustomHandlers": {}, - "samlSPSSODescriptorAuthnRequestsSigned": 1, - "portalDisplayResetPassword": 1, - "openIdSreg_timezone": "_timezone", - "infoFormMethod": "get", - "openIdAuthnLevel": 1, - "openIdSreg_nickname": "uid", - "samlServicePublicKeyEnc": "", - "userDB": "LDAP", - "grantSessionRules": {}, - "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP", - "reloadUrls": { - "reload.%%nom_domaine_local": "http://reload.%%nom_domaine_local/reload" - }, - "registerTimeout": 0, - "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;", - "slaveAuthnLevel": 2, - "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", - "Soap": 1, - "registerDB": "Demo", - "locationRules": { - "manager.%%nom_domaine_local": { - "default": "$uid eq \"dwho\"" - }, - "test1.%%nom_domaine_local": { - "default": "accept", - "^/logout": "logout_sso" - }, - "test2.%%nom_domaine_local": { - "default": "accept", - "^/logout": "logout_sso" - } - }, - "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", - "hideOldPassword": 0, - "managerPassword": "ohc7kei8lil8Zoesai5chisaiGhu5Yaisai6kaegh9aingai0pae8ohb", - "authChoiceParam": "lmAuth", - "lwpSslOpts": {}, - "portalSkinRules": {}, - "issuerDBOpenIDPath": "^/openidserver/", - "redirectFormMethod": "get", - "portalDisplayRegister": 1, - "secureTokenMemcachedServers": "127.0.0.1:11211", - "notificationStorageOptions": { - "dirName": "/var/lib/lemonldap-ng/notifications" - }, - "browserIdAuthnLevel": 1, - "portalUserAttr": "_user", - "ldapVersion": 3, - "sessionDataToRemember": {}, - "samlNameIDFormatMapX509": "mail", - "managerDn": "cn=reader,o=gouv,c=fr", - "mailSessionKey": "mail", - "openIdSreg_email": "mail", - "localSessionStorage": "Cache::FileCache", - "persistentStorage": "Apache::Session::File", - "mailOnPasswordChange": 0, - 
"captchaStorage": "Apache::Session::File", - "remoteGlobalStorageOptions": { - "proxy": "http://auth.%%nom_domaine_local/index.pl/sessions", - "ns": "http://auth.%%nom_domaine_local/Lemonldap/NG/Common/CGI/SOAPService" - }, - "passwordDB": "LDAP", - "captcha_size": 6, - "mailCharset": "utf-8", - "facebookExportedVars": {}, - "nullAuthnLevel": 2, - "singleIP": 0, - "dbiExportedVars": {}, - "portalSkin": "bootstrap", - "storePassword": 0, - "hiddenAttributes": "_password", - "samlServicePrivateKeySig": "", - "globalStorage": "Apache::Session::File", - "notificationWildcard": "allusers", - "portalForceAuthn": 0, - "samlMetadataForceUTF8": 1, - "secureTokenUrls": ".*", - "secureTokenAllowOnError": 1, - "samlAuthnContextMapTLSClient": 5, - "ldapAllowResetExpiredPassword": 0, - "oidcOPMetaDataExportedVars": {}, - "notifyOther": 0, - "secureTokenExpiration": 60, - "captcha_mail_enabled": 0, - "samlStorageOptions": {}, - "samlOrganizationDisplayName": "Example", - "trustedProxies": "", - "secureTokenHeader": "Auth-Token", - "issuerDBCASActivation": 1, - "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;", - "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", - "samlIDPMetaDataXML": {}, - "oidcStorageOptions": {}, - "cfgDate": 1519998069, - "samlAuthnContextMapPassword": 2, - "portalDisplayLoginHistory": 1, - "ldapPasswordResetAttributeValue": "TRUE", - "ldapServer": "%%ldapScheme://%%ldapServer", - "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;", - "samlIDPMetaDataExportedAttributes": null, - "samlServicePrivateKeyEnc": "", - "useRedirectOnForbidden": 0, - "captcha_login_enabled": 0, - "https": 0, - "checkXSS": 1, - "ldapSetPassword": 0, - "portalPingInterval": 60000, - 
"captchaStorageOptions": { - "Directory": "/var/lib/lemonldap-ng/captcha/" - }, - "useSafeJail": 1, - "registerDoneSubject": "[LemonLDAP::NG] Your new account", - "issuerDBCASRule": 1, - "samlAuthnContextMapKerberos": 4, - "ldapGroupAttributeNameSearch": "cn", - "logoutServices": {}, - "samlIDPSSODescriptorWantAuthnRequestsSigned": 1, - "portalDisplayLogout": 1, - "issuerDBGetParameters": {}, - "googleExportedVars": {}, - "openIdSreg_fullname": "cn", - "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact", - "demoExportedVars": { - "mail": "mail", - "uid": "uid", - "cn": "cn" - }, - "oidcOPMetaDataJSON": null, - "samlIdPResolveCookie": "lemonldapidp", - "samlRelayStateTimeout": 600, - "samlOrganizationURL": "http://www.%%nom_domaine_local", - "globalStorageOptions": { - "Directory": "/var/lib/lemonldap-ng/sessions", - "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock" - }, - "ldapExportedVars": { - "mail": "mail", - "cn": "cn", - "uid": "uid" - }, - "webIDExportedVars": {}, - "activeTimer": 1, - "cda": 0, - "samlServicePublicKeySig": "", - "portalCheckLogins": 1, - "CAS_authnLevel": 1, - "macros": { - "_whatToTrace": "$_auth eq 'SAML' ? 
\"$_user\\@$_idpConfKey\" : \"$_user\"" - }, - "samlIDPMetaDataOptions": null, - "twitterAuthnLevel": 1, - "openIdExportedVars": {}, - "captcha_register_enabled": 1, - "oidcOPMetaDataJWKS": null, - "webIDAuthnLevel": 1, - "issuerDBOpenIDActivation": "1", - "mailUrl": "http://auth.%%nom_domaine_local/mail.pl", - "maintenance": 0, - "jsRedirect": 0, - "cfgAuthor": "dwho", - "persistentStorageOptions": { - "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock", - "Directory": "/var/lib/lemonldap-ng/psessions" - }, - "SSLAuthnLevel": 5, - "oidcServiceMetaDataAuthnContext": {}, - "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", - "notification": 1, - "ldapChangePasswordAsUser": 0, - "CAS_proxiedServices": {}, - "key": "e\"bTCt3*eU9^\\V%b", - "portal": "http://auth.%%nom_domaine_local/", - "singleSessionUserByIP": 0, - "portalOpenLinkInNewWindow": 0, - "post": { - "test2.%%nom_domaine_local": {}, - "test1.%%nom_domaine_local": {}, - "manager.%%nom_domaine_local": {} - }, - "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost", - "issuerDBSAMLRule": 1, - "samlCommonDomainCookieActivation": 0, - "syslog": "", - "ldapBase": %%ldapUserBaseDN, - "ldapAuthnLevel": 2, - "mailTimeout": 0, - "samlEntityID": "#PORTAL#/saml/metadata", - "oidcOPMetaDataOptions": null, - "samlSPSSODescriptorWantAssertionsSigned": 1, - "samlOrganizationName": "%%samlOrganizationName", - "registerUrl": "http://auth.%%nom_domaine_local/register.pl", - "casAccessControlPolicy": "none", - "multiValuesSeparator": ";", - "ldapPort": %%ldapServerPort -} diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf index 5156dbb..48e9d98 100644 --- a/tmpl/manager-nginx.conf +++ b/tmpl/manager-nginx.conf 
@@ -1,17 +1,22 @@ server { listen 80; - server_name manager.%%nom_domaine_local; + server_name %%managerWebName; return 301 https://$host$request_uri; } server { listen 443; ssl on; +%if %%cert_type == "letsencrypt" + ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; + ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; +%else ssl_certificate %%server_cert; ssl_certificate_key %%server_key; +%end if ssl_client_certificate /etc/ssl/certs/ca.crt; access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log; - server_name manager.%%nom_domaine_local; + server_name %%managerWebName; error_page 403 404 502 503 504 /nginx.html; location = /nginx.html{ diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf index 2c28b6d..c7f0544 100644 --- a/tmpl/portal-nginx.conf +++ b/tmpl/portal-nginx.conf @@ -1,17 +1,22 @@ server { listen 80; - server_name auth.%%nom_domaine_local; + server_name %%authWebName; return 301 https://$host$request_uri; } server { listen 443; ssl on; +%if %%cert_type == "letsencrypt" + ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem; + ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem; +%else ssl_certificate %%server_cert; ssl_certificate_key %%server_key; +%end if ssl_client_certificate /etc/ssl/certs/ca.crt; access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log; - server_name auth.%%nom_domaine_local; + server_name %%authWebName; root /var/lib/lemonldap-ng/portal/; location ~ \.pl(?:$|/) {