Cadoles
/
eole-lemonldap
20
0
Fork 0
Code Issues 11 Pull Requests Releases Wiki Activity

Adding first working templates 

- manager-nginx.conf
 - portal-nginx.conf
 - handler-nginx.conf
 - lmConf-1.js (Any configuration modification in LemonLDAP Manager
   prevail over this configuration)

Adding diagnose script
  - HTTP Ping the manager, the handler and the portal

Adding posttempalte script
  - Enable nginx configuration if necessary
  - Add an entry ton /etc/hosts with the 3 web names
This commit is contained in:
Philippe Caseiro 2018-03-05 14:35:14 +01:00
parent 4eb5b96a70
commit 3e7bc2b56b
9 changed files with 506 additions and 564 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
diagnose/71-lemonLDAP Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
if [ $(CreoleGet activerLemon) = "oui" ];then
. /usr/lib/eole/diagnose.sh
manager=$(CreoleGet managerWebName)
portal=$(CreoleGet authWebName)
handler=$(CreoleGet reloadWebName)
EchoGras "*** LemonLDAP::NG"
TestHTTPPage "Manager" "http://${manager}/"
TestHTTPPage "Portal" "http://${portal}/"
TestHTTPPage "Handler" "http://${handler}/"
echo
fi
exit 0

49
dicos/70_lemonldap_ng.xml
View File

@ -2,7 +2,10 @@
<creole>
<files>
<!-- Je suis un commentaire -->
<file filelist='lemon' name='/etc/nginx/sites-available/http_lemon.conf' source='market.nginx' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
<service_access service='nginx'>
<port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port>
@ -10,33 +13,57 @@
</files>
<variables>
<family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer l'hébergement d'une place de marché HTTP ">
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value>
</variable>
</family>
<family name='Lemon-LDAP-NG'>
<family name='LemonLDAP'>
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<value>/srv/one/market</value>
</variable>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
</family>
<separators>
<separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator>
</separators>
</variables>
<constraints>
<fill name='concat' target='managerWebName'>
<param type='eole'>nom_machine</param>
<param>.</param>
<param>manager.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='authWebName'>
<param>auth.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='reloadWebName'>
<param>reload.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='samlOrganizationName'>
<param>SAML</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param>
</check>
<condition name='disabled_if_in' source='activerLemon'>
<param>non</param>
<target type='filelist'>lemon</target>
<target type='family'>Lemon-LDAP-NG</target>
<target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target>
</condition>
</constraints>
<help>
<variable name='activer_http_lemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com</variable>
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
</help>
</creole>

19
posttemplate/70-lemon-hosts Executable file
View File

@ -0,0 +1,19 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
HOSTS="/etc/hosts"
if [ "${ENABLE}" = 'oui' ];then
manager=$(CreoleGet managerWebName)
handler=$(CreoleGet reloadWebName)
portal=$(CreoleGet authWebName)
ipaddr=$(CreoleGet adresse_ip_eth0)
line="${ipaddr} ${manager} ${handler} ${portal}"
grep -q "${line}" ${HOSTS}
if [[ ${?} -eq 0 ]]
then
exit 0
else
echo ${line} >> ${HOSTS}
fi
fi

16
posttemplate/70-lemon-nginx Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
CONF_FILES='manager-nginx.conf'
CONF_FILES='${CONF_FILE} handler-nginx.conf'
CONF_FILES='${CONF_FILE} portal-nginx.conf'
for CONF_FILE in ${CONF_FILES}
do
if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' ];then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

23
tmpl/handler-nginx.conf
View File

@ -18,7 +18,28 @@ include /etc/lemonldap-ng/nginx-lmlog.conf;
server {
listen 80;
server_name reload.example.com;
server_name %%reloadWebName;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name %%reloadWebName;
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
}
root /var/www/html;
location = /reload {

509
tmpl/lmConf-1.js
View File

@ -1,167 +1,386 @@
{
"applicationList" : {
"1sample" : {
"catname" : "Sample applications",
"test1" : {
"options" : {
"description" : "A simple application displaying authenticated user",
"display" : "auto",
"logo" : "demo.png",
"name" : "Application Test 1",
"uri" : "http://test1.example.com/"
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/cas/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"type" : "application"
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2" : {
"options" : {
"description" : "The same simple application displaying authenticated user",
"display" : "auto",
"logo" : "thumbnail.png",
"name" : "Application Test 2",
"uri" : "http://test2.example.com/"
"%%managerWebName": {}
},
"type" : "application"
"vhostOptions": {
"%%managerWebName": {},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"type" : "category"
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT"
},
"2administration" : {
"catname" : "Administration",
"manager" : {
"options" : {
"description" : "Configure LemonLDAP::NG WebSSO",
"display" : "auto",
"logo" : "configure.png",
"name" : "WebSSO Manager",
"uri" : "http://manager.example.com/manager.html"
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "http://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type" : "application"
"type": "application"
},
"notifications" : {
"options" : {
"description" : "Explore WebSSO notifications",
"display" : "auto",
"logo" : "database.png",
"name" : "Notifications explorer",
"uri" : "http://manager.example.com/notifications.html"
},
"type" : "application"
},
"sessions" : {
"options" : {
"description" : "Explore WebSSO sessions",
"display" : "auto",
"logo" : "database.png",
"name" : "Sessions explorer",
"uri" : "http://manager.example.com/sessions.html"
},
"type" : "application"
},
"type" : "category"
},
"3documentation" : {
"catname" : "Documentation",
"localdoc" : {
"options" : {
"description" : "Documentation supplied with LemonLDAP::NG",
"display" : "on",
"logo" : "help.png",
"name" : "Local documentation",
"uri" : "http://manager.example.com/doc/"
},
"type" : "application"
},
"officialwebsite" : {
"options" : {
"description" : "Official LemonLDAP::NG Website",
"display" : "on",
"logo" : "network.png",
"name" : "Offical Website",
"uri" : "http://lemonldap-ng.org/"
},
"type" : "application"
},
"type" : "category"
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "http://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"authentication" : "Demo",
"cfgAuthor" : "The LemonLDAP::NG team",
"cfgNum" : 1,
"cookieName" : "lemonldap",
"demoExportedVars" : {
"cn" : "cn",
"mail" : "mail",
"uid" : "uid"
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"domain" : "example.com",
"exportedHeaders" : {
"test1.example.com" : {
"Auth-User" : "$uid"
"type": "application"
},
"test2.example.com" : {
"Auth-User" : "$uid"
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"logo": "configure.png",
"name": "WebSSO Manager"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"exportedVars" : {
"UA" : "HTTP_USER_AGENT"
"catname": "Administration"
},
"globalStorage" : "Apache::Session::File",
"globalStorageOptions" : {
"Directory" : "/var/lib/lemonldap-ng/sessions",
"LockDirectory" : "/var/lib/lemonldap-ng/sessions/lock",
"generateModule" : "Lemonldap::NG::Common::Apache::Session::Generate::SHA256"
},
"groups" : {},
"localSessionStorage" : "Cache::FileCache",
"localSessionStorageOptions" : {
"cache_depth" : 3,
"cache_root" : "/tmp",
"default_expires_in" : 600,
"directory_umask" : "007",
"namespace" : "lemonldap-ng-sessions"
},
"locationRules" : {
"manager.example.com" : {
"(?#Configuration)^/(manager\\.html|conf/)" : "$uid eq \"dwho\"",
"(?#Notifications)/notifications" : "$uid eq \"dwho\" or $uid eq \"rtyler\"",
"(?#Sessions)/sessions" : "$uid eq \"dwho\" or $uid eq \"rtyler\"",
"default" : "$uid eq \"dwho\""
},
"test1.example.com" : {
"^/logout" : "logout_sso",
"default" : "accept"
},
"test2.example.com" : {
"^/logout" : "logout_sso",
"default" : "accept"
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"loginHistoryEnabled" : 1,
"macros" : {
"_whatToTrace" : "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://%%managerWebName/doc/",
"name": "Local documentation"
},
"mailUrl" : "http://auth.example.com/mail.pl",
"notification" : 1,
"notificationStorage" : "File",
"notificationStorageOptions" : {
"dirName" : "/var/lib/lemonldap-ng/notifications"
"type": "application"
}
}
},
"passwordDB" : "Demo",
"persistentStorage" : "Apache::Session::File",
"persistentStorageOptions" : {
"Directory" : "/var/lib/lemonldap-ng/psessions",
"LockDirectory" : "/var/lib/lemonldap-ng/psessions/lock"
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "9",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": {
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
},
"portal" : "http://auth.example.com/",
"portalSkin" : "bootstrap",
"portalSkinBackground" : "1280px-Cedar_Breaks_National_Monument_partially.jpg",
"registerDB" : "Demo",
"registerUrl" : "http://auth.example.com/register.pl",
"reloadUrls" : {
"reload.example.com" : "http://reload.example.com/reload"
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"portalDisplayResetPassword": 1,
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "http://%%reloadWebName/reload"
},
"securedCookie" : 0,
"sessionDataToRemember" : {},
"timeout" : 72000,
"userDB" : "Demo",
"whatToTrace" : "_whatToTrace"
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
"registerDB": "Demo",
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"dwho\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
"managerPassword": "%%ldapBindUserPassword",
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "http://%%authWebName/index.pl/sessions",
"ns": "http://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "http://www.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
"portalCheckLogins": 1,
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailUrl": "http://%%authWebName/mail.pl",
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "dwho",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "http://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
"registerUrl": "http://%%authWebName/register.pl",
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
}

386
tmpl/lmConf-9.json
View File

@ -1,386 +0,0 @@
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/cas/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"manager.%%nom_domaine_local": {}
},
"vhostOptions": {
"manager.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT"
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "http://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "http://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "http://manager.%%nom_domaine_local/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"manager": {
"options": {
"uri": "http://manager.%%nom_domaine_local/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"logo": "configure.png",
"name": "WebSSO Manager"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "http://manager.%%nom_domaine_local/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://manager.%%nom_domaine_local/doc/",
"name": "Local documentation"
},
"type": "application"
}
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "9",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": {
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"portalDisplayResetPassword": 1,
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"reload.%%nom_domaine_local": "http://reload.%%nom_domaine_local/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
"registerDB": "Demo",
"locationRules": {
"manager.%%nom_domaine_local": {
"default": "$uid eq \"dwho\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
"managerPassword": "ohc7kei8lil8Zoesai5chisaiGhu5Yaisai6kaegh9aingai0pae8ohb",
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "cn=reader,o=gouv,c=fr",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "http://auth.%%nom_domaine_local/index.pl/sessions",
"ns": "http://auth.%%nom_domaine_local/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "http://www.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
"portalCheckLogins": 1,
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailUrl": "http://auth.%%nom_domaine_local/mail.pl",
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "dwho",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "http://auth.%%nom_domaine_local/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"manager.%%nom_domaine_local": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": %%ldapUserBaseDN,
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
"registerUrl": "http://auth.%%nom_domaine_local/register.pl",
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
}

9
tmpl/manager-nginx.conf
View File

@ -1,17 +1,22 @@
server {
listen 80;
server_name manager.%%nom_domaine_local;
server_name %%managerWebName;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name manager.%%nom_domaine_local;
server_name %%managerWebName;
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{

9
tmpl/portal-nginx.conf
View File

@ -1,17 +1,22 @@
server {
listen 80;
server_name auth.%%nom_domaine_local;
server_name %%authWebName;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
server_name auth.%%nom_domaine_local;
server_name %%authWebName;
root /var/lib/lemonldap-ng/portal/;
location ~ \.pl(?:$|/) {