Cadoles
/
eole-lemonldap
18
0
Fork 0
Code Issues 11 Pull Requests Releases Wiki Activity

Adding first working templates 

- manager-nginx.conf
 - portal-nginx.conf
 - handler-nginx.conf
 - lmConf-1.js (Any configuration modification in LemonLDAP Manager
   prevail over this configuration)

Adding diagnose script
  - HTTP Ping the manager, the handler and the portal

Adding posttempalte script
  - Enable nginx configuration if necessary
  - Add an entry ton /etc/hosts with the 3 web names
This commit is contained in:
Philippe Caseiro 2018-03-05 14:35:14 +01:00
parent 4eb5b96a70
commit 3e7bc2b56b
9 changed files with 506 additions and 564 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
diagnose/71-lemonLDAP Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
if [ $(CreoleGet activerLemon) = "oui" ];then
. /usr/lib/eole/diagnose.sh
manager=$(CreoleGet managerWebName)
portal=$(CreoleGet authWebName)
handler=$(CreoleGet reloadWebName)
EchoGras "*** LemonLDAP::NG"
TestHTTPPage "Manager" "http://${manager}/"
TestHTTPPage "Portal" "http://${portal}/"
TestHTTPPage "Handler" "http://${handler}/"
echo
fi
exit 0

51
dicos/70_lemonldap_ng.xml
View File

@ -1,8 +1,11 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<creole> <creole>
<files> <files>
<!-- Je suis un commentaire --> <!-- Je suis un commentaire -->
<file filelist='lemon' name='/etc/nginx/sites-available/http_lemon.conf' source='market.nginx' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/nginx/sites-available/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
<service_access service='nginx'> <service_access service='nginx'>
<port service_accesslist="saLemon">80</port> <port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port> <port service_accesslist="saLemon">443</port>
@ -10,33 +13,57 @@
</files> </files>
<variables> <variables>
<family name='Services'> <family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer l'hébergement d'une place de marché HTTP "> <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value> <value>non</value>
</variable> </variable>
</family> </family>
<family name='Lemon-LDAP-NG'> <family name='LemonLDAP'>
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/> <variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/> <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<value>/srv/one/market</value> <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
</variable> <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
</family> </family>
<separators>
<separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator>
</separators>
</variables> </variables>
<constraints> <constraints>
<fill name='concat' target='managerWebName'> <fill name='concat' target='managerWebName'>
<param type='eole'>nom_machine</param> <param>manager.</param>
<param>.</param>
<param type='eole'>nom_domaine_local</param> <param type='eole'>nom_domaine_local</param>
</fill> </fill>
<fill name='concat' target='authWebName'>
<param>auth.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='reloadWebName'>
<param>reload.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='samlOrganizationName'>
<param>SAML</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param>
</check>
<condition name='disabled_if_in' source='activerLemon'> <condition name='disabled_if_in' source='activerLemon'>
<param>non</param> <param>non</param>
<target type='filelist'>lemon</target> <target type='filelist'>lemon</target>
<target type='family'>Lemon-LDAP-NG</target> <target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target> <target type='service_accesslist'>saLemon</target>
</condition> </condition>
</constraints> </constraints>
<help> <help>
<variable name='activer_http_lemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable> <variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com</variable> <variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com</variable> <variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
</help> </help>
</creole> </creole>

19
posttemplate/70-lemon-hosts Executable file
View File

@ -0,0 +1,19 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
HOSTS="/etc/hosts"
if [ "${ENABLE}" = 'oui' ];then
manager=$(CreoleGet managerWebName)
handler=$(CreoleGet reloadWebName)
portal=$(CreoleGet authWebName)
ipaddr=$(CreoleGet adresse_ip_eth0)
line="${ipaddr} ${manager} ${handler} ${portal}"
grep -q "${line}" ${HOSTS}
if [[ ${?} -eq 0 ]]
then
exit 0
else
echo ${line} >> ${HOSTS}
fi
fi

16
posttemplate/70-lemon-nginx Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
CONF_FILES='manager-nginx.conf'
CONF_FILES='${CONF_FILE} handler-nginx.conf'
CONF_FILES='${CONF_FILE} portal-nginx.conf'
for CONF_FILE in ${CONF_FILES}
do
if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' ];then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

23
tmpl/handler-nginx.conf
View File

@ -18,7 +18,28 @@ include /etc/lemonldap-ng/nginx-lmlog.conf;
server { server {
listen 80; listen 80;
server_name reload.example.com; server_name %%reloadWebName;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name %%reloadWebName;
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
}
root /var/www/html; root /var/www/html;
location = /reload { location = /reload {

539
tmpl/lmConf-1.js
View File

@ -1,167 +1,386 @@
{ {
"applicationList" : { "ldapGroupAttributeNameUser": "dn",
"1sample" : { "cfgAuthorIP": "172.16.0.1",
"catname" : "Sample applications", "samlSPMetaDataXML": null,
"test1" : { "facebookAuthnLevel": 1,
"options" : { "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"description" : "A simple application displaying authenticated user", "secureTokenAttribute": "uid",
"display" : "auto", "singleSession": 0,
"logo" : "demo.png", "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"name" : "Application Test 1", "CAS_pgtFile": "/tmp/pgt.txt",
"uri" : "http://test1.example.com/" "cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/cas/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT"
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "http://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
}, },
"type" : "application" "type": "category",
}, "catname": "Sample applications",
"test2" : { "test1": {
"options" : { "type": "application",
"description" : "The same simple application displaying authenticated user", "options": {
"display" : "auto", "description": "A simple application displaying authenticated user",
"logo" : "thumbnail.png", "uri": "http://test1.%%nom_domaine_local/",
"name" : "Application Test 2", "logo": "demo.png",
"uri" : "http://test2.example.com/" "display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
}, },
"type" : "application" "manager": {
}, "options": {
"type" : "category" "uri": "https://%%managerWebName/",
}, "display": "auto",
"2administration" : { "description": "Configure LemonLDAP::NG WebSSO",
"catname" : "Administration", "logo": "configure.png",
"manager" : { "name": "WebSSO Manager"
"options" : { },
"description" : "Configure LemonLDAP::NG WebSSO", "type": "application"
"display" : "auto",
"logo" : "configure.png",
"name" : "WebSSO Manager",
"uri" : "http://manager.example.com/manager.html"
}, },
"type" : "application" "type": "category",
}, "sessions": {
"notifications" : { "type": "application",
"options" : { "options": {
"description" : "Explore WebSSO notifications", "description": "Explore WebSSO sessions",
"display" : "auto", "uri": "https://%%managerWebName/sessions.pl",
"logo" : "database.png", "logo": "database.png",
"name" : "Notifications explorer", "display": "auto",
"uri" : "http://manager.example.com/notifications.html" "name": "Sessions explorer"
}
}, },
"type" : "application" "catname": "Administration"
}, },
"sessions" : { "3documentation": {
"options" : { "catname": "Documentation",
"description" : "Explore WebSSO sessions", "officialwebsite": {
"display" : "auto", "type": "application",
"logo" : "database.png", "options": {
"name" : "Sessions explorer", "name": "Offical Website",
"uri" : "http://manager.example.com/sessions.html" "description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
}, },
"type" : "application" "type": "category",
}, "localdoc": {
"type" : "category" "options": {
}, "logo": "help.png",
"3documentation" : { "description": "Documentation supplied with LemonLDAP::NG",
"catname" : "Documentation", "display": "on",
"localdoc" : { "uri": "http://%%managerWebName/doc/",
"options" : { "name": "Local documentation"
"description" : "Documentation supplied with LemonLDAP::NG", },
"display" : "on", "type": "application"
"logo" : "help.png", }
"name" : "Local documentation", }
"uri" : "http://manager.example.com/doc/" },
}, "userControl": "^[\\w\\.\\-@]+$",
"type" : "application" "timeout": 72000,
}, "portalAntiFrame": 1,
"officialwebsite" : { "SMTPServer": "",
"options" : { "ldapTimeout": 120,
"description" : "Official LemonLDAP::NG Website", "samlAuthnContextMapPasswordProtectedTransport": 3,
"display" : "on", "ldapUsePasswordResetAttribute": 1,
"logo" : "network.png", "ldapPpolicyControl": 0,
"name" : "Offical Website", "casAttributes": {},
"uri" : "http://lemonldap-ng.org/" "issuerDBSAMLPath": "^/saml/",
}, "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"type" : "application" "portalDisplayAppslist": 1,
}, "confirmFormMethod": "post",
"type" : "category" "domain": "%%nom_domaine_local",
} "cfgNum": "9",
}, "authentication": "LDAP",
"authentication" : "Demo", "samlNameIDFormatMapWindows": "uid",
"cfgAuthor" : "The LemonLDAP::NG team", "authChoiceModules": {},
"cfgNum" : 1, "ldapGroupAttributeName": "member",
"cookieName" : "lemonldap", "samlServicePrivateKeySigPwd": "",
"demoExportedVars" : { "googleAuthnLevel": 1,
"cn" : "cn", "successLoginNumber": 5,
"mail" : "mail", "localSessionStorageOptions": {
"uid" : "uid" "cache_root": "/tmp",
}, "namespace": "lemonldap-ng-sessions",
"domain" : "example.com", "default_expires_in": 600,
"exportedHeaders" : { "directory_umask": "007",
"test1.example.com" : { "cache_depth": 3
"Auth-User" : "$uid" },
}, "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"test2.example.com" : { "portalRequireOldPassword": 1,
"Auth-User" : "$uid" "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
} "ADPwdExpireWarning": 0,
}, "yubikeyPublicIDSize": 12,
"exportedVars" : { "ldapGroupAttributeNameGroup": "dn",
"UA" : "HTTP_USER_AGENT" "oidcRPMetaDataOptionsExtraClaims": null,
}, "ldapGroupRecursive": 0,
"globalStorage" : "Apache::Session::File", "mailSubject": "[LemonLDAP::NG] Your new password",
"globalStorageOptions" : { "nginxCustomHandlers": {},
"Directory" : "/var/lib/lemonldap-ng/sessions", "samlSPSSODescriptorAuthnRequestsSigned": 1,
"LockDirectory" : "/var/lib/lemonldap-ng/sessions/lock", "portalDisplayResetPassword": 1,
"generateModule" : "Lemonldap::NG::Common::Apache::Session::Generate::SHA256" "openIdSreg_timezone": "_timezone",
}, "infoFormMethod": "get",
"groups" : {}, "openIdAuthnLevel": 1,
"localSessionStorage" : "Cache::FileCache", "openIdSreg_nickname": "uid",
"localSessionStorageOptions" : { "samlServicePublicKeyEnc": "",
"cache_depth" : 3, "userDB": "LDAP",
"cache_root" : "/tmp", "grantSessionRules": {},
"default_expires_in" : 600, "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"directory_umask" : "007", "reloadUrls": {
"namespace" : "lemonldap-ng-sessions" "%%reloadWebName": "http://%%reloadWebName/reload"
}, },
"locationRules" : { "registerTimeout": 0,
"manager.example.com" : { "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"(?#Configuration)^/(manager\\.html|conf/)" : "$uid eq \"dwho\"", "slaveAuthnLevel": 2,
"(?#Notifications)/notifications" : "$uid eq \"dwho\" or $uid eq \"rtyler\"", "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"(?#Sessions)/sessions" : "$uid eq \"dwho\" or $uid eq \"rtyler\"", "Soap": 1,
"default" : "$uid eq \"dwho\"" "registerDB": "Demo",
}, "locationRules": {
"test1.example.com" : { "%%managerWebName": {
"^/logout" : "logout_sso", "default": "$uid eq \"dwho\""
"default" : "accept" },
}, "test1.%%nom_domaine_local": {
"test2.example.com" : { "default": "accept",
"^/logout" : "logout_sso", "^/logout": "logout_sso"
"default" : "accept" },
} "test2.%%nom_domaine_local": {
}, "default": "accept",
"loginHistoryEnabled" : 1, "^/logout": "logout_sso"
"macros" : { }
"_whatToTrace" : "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\"" },
}, "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"mailUrl" : "http://auth.example.com/mail.pl", "hideOldPassword": 0,
"notification" : 1, "managerPassword": "%%ldapBindUserPassword",
"notificationStorage" : "File", "authChoiceParam": "lmAuth",
"notificationStorageOptions" : { "lwpSslOpts": {},
"dirName" : "/var/lib/lemonldap-ng/notifications" "portalSkinRules": {},
}, "issuerDBOpenIDPath": "^/openidserver/",
"passwordDB" : "Demo", "redirectFormMethod": "get",
"persistentStorage" : "Apache::Session::File", "portalDisplayRegister": 1,
"persistentStorageOptions" : { "secureTokenMemcachedServers": "127.0.0.1:11211",
"Directory" : "/var/lib/lemonldap-ng/psessions", "notificationStorageOptions": {
"LockDirectory" : "/var/lib/lemonldap-ng/psessions/lock" "dirName": "/var/lib/lemonldap-ng/notifications"
}, },
"portal" : "http://auth.example.com/", "browserIdAuthnLevel": 1,
"portalSkin" : "bootstrap", "portalUserAttr": "_user",
"portalSkinBackground" : "1280px-Cedar_Breaks_National_Monument_partially.jpg", "ldapVersion": 3,
"registerDB" : "Demo", "sessionDataToRemember": {},
"registerUrl" : "http://auth.example.com/register.pl", "samlNameIDFormatMapX509": "mail",
"reloadUrls" : { "managerDn": "%%ldapBindUserDN",
"reload.example.com" : "http://reload.example.com/reload" "mailSessionKey": "mail",
}, "openIdSreg_email": "mail",
"securedCookie" : 0, "localSessionStorage": "Cache::FileCache",
"sessionDataToRemember" : {}, "persistentStorage": "Apache::Session::File",
"timeout" : 72000, "mailOnPasswordChange": 0,
"userDB" : "Demo", "captchaStorage": "Apache::Session::File",
"whatToTrace" : "_whatToTrace" "remoteGlobalStorageOptions": {
"proxy": "http://%%authWebName/index.pl/sessions",
"ns": "http://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "http://www.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
"portalCheckLogins": 1,
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailUrl": "http://%%authWebName/mail.pl",
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "dwho",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "http://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
"registerUrl": "http://%%authWebName/register.pl",
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
} }

386
tmpl/lmConf-9.json
View File

@ -1,386 +0,0 @@
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/cas/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"manager.%%nom_domaine_local": {}
},
"vhostOptions": {
"manager.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT"
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "http://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "http://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "http://manager.%%nom_domaine_local/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"manager": {
"options": {
"uri": "http://manager.%%nom_domaine_local/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"logo": "configure.png",
"name": "WebSSO Manager"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "http://manager.%%nom_domaine_local/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://manager.%%nom_domaine_local/doc/",
"name": "Local documentation"
},
"type": "application"
}
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "9",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": {
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"portalDisplayResetPassword": 1,
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"reload.%%nom_domaine_local": "http://reload.%%nom_domaine_local/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
"registerDB": "Demo",
"locationRules": {
"manager.%%nom_domaine_local": {
"default": "$uid eq \"dwho\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
"managerPassword": "ohc7kei8lil8Zoesai5chisaiGhu5Yaisai6kaegh9aingai0pae8ohb",
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "cn=reader,o=gouv,c=fr",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "http://auth.%%nom_domaine_local/index.pl/sessions",
"ns": "http://auth.%%nom_domaine_local/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "http://www.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
"portalCheckLogins": 1,
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailUrl": "http://auth.%%nom_domaine_local/mail.pl",
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "dwho",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "http://auth.%%nom_domaine_local/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"manager.%%nom_domaine_local": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": %%ldapUserBaseDN,
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
"registerUrl": "http://auth.%%nom_domaine_local/register.pl",
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
}

9
tmpl/manager-nginx.conf
View File

@ -1,17 +1,22 @@
server { server {
listen 80; listen 80;
server_name manager.%%nom_domaine_local; server_name %%managerWebName;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
server { server {
listen 443; listen 443;
ssl on; ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
ssl_certificate %%server_cert; ssl_certificate %%server_cert;
ssl_certificate_key %%server_key; ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt; ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log; access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name manager.%%nom_domaine_local; server_name %%managerWebName;
error_page 403 404 502 503 504 /nginx.html; error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{ location = /nginx.html{

9
tmpl/portal-nginx.conf
View File

@ -1,17 +1,22 @@
server { server {
listen 80; listen 80;
server_name auth.%%nom_domaine_local; server_name %%authWebName;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
server { server {
listen 443; listen 443;
ssl on; ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
%else
ssl_certificate %%server_cert; ssl_certificate %%server_cert;
ssl_certificate_key %%server_key; ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt; ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log; access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
server_name auth.%%nom_domaine_local; server_name %%authWebName;
root /var/lib/lemonldap-ng/portal/; root /var/lib/lemonldap-ng/portal/;
location ~ \.pl(?:$|/) { location ~ \.pl(?:$|/) {