From 4eb5b96a70270dae2c03c80f68f2f06b3fb6b4f5 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Fri, 2 Mar 2018 15:44:00 +0100 Subject: [PATCH] First commit --- Makefile | 27 +++ README.md | 14 +- apps.mk | 64 ++++++ dicos/70_lemonldap_ng.xml | 42 ++++ eole.mk | 231 +++++++++++++++++++++ tmpl/handler-nginx.conf | 48 +++++ tmpl/lemonldap-ng.ini | 284 ++++++++++++++++++++++++++ tmpl/lmConf-1.js | 167 ++++++++++++++++ tmpl/lmConf-9.json | 386 ++++++++++++++++++++++++++++++++++++ tmpl/manager-nginx.conf | 63 ++++++ tmpl/nginx-lmlog.conf | 3 + tmpl/nginx-lua-headers.conf | 34 ++++ tmpl/portal-nginx.conf | 92 +++++++++ tmpl/test-nginx.conf | 104 ++++++++++ 14 files changed, 1558 insertions(+), 1 deletion(-) create mode 100644 Makefile create mode 100644 apps.mk create mode 100644 dicos/70_lemonldap_ng.xml create mode 100644 eole.mk create mode 100644 tmpl/handler-nginx.conf create mode 100644 tmpl/lemonldap-ng.ini create mode 100644 tmpl/lmConf-1.js create mode 100644 tmpl/lmConf-9.json create mode 100644 tmpl/manager-nginx.conf create mode 100644 tmpl/nginx-lmlog.conf create mode 100644 tmpl/nginx-lua-headers.conf create mode 100644 tmpl/portal-nginx.conf create mode 100644 tmpl/test-nginx.conf
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..3c6fd94
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,27 @@
+################################
+# Makefile pour XXX-XXX
+################################
+
+SOURCE=eole-lemonldap
+VERSION=0.1
+EOLE_VERSION=2.6
+EOLE_RELEASE=2.6.2
+PKGAPPS=non
+#FLASK_MODULE=
+
+################################
+# Début de zone à ne pas éditer
+################################
+
+include eole.mk
+include apps.mk
+
+################################
+# Fin de zone à ne pas éditer
+################################
+
+# Makefile rules dedicated to application
+# if exists
+ifneq (, $(strip $(wildcard $(SOURCE).mk)))
+include $(SOURCE).mk
+endif
diff --git a/README.md b/README.md
index 18f2e29..6a8ae0a 100644
--- a/README.md
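Review bot: The header comment `# Makefile pour XXX-XXX` still carries the EOLE skeleton placeholder although `SOURCE=eole-lemonldap` is set two lines below; replace it with `# Makefile pour eole-lemonldap`. The five knobs use recursive `=` where simply-expanded `:=` is the conventional choice for constants, e.g. `SOURCE := eole-lemonldap`, though with literal values the two behave the same here. `PKGAPPS=non` means neither the envole nor the flask branch of apps.mk is active, so the commented `#FLASK_MODULE=` line is dead and could be dropped.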
+++ b/README.md
@@ -1,3 +1,15 @@
 # eole-lemonldap
-Intégration LemonLDAP::NG pour EOLE
\ No newline at end of file
+Intégration LemonLDAP::NG pour EOLE
+
+## Howto
+
+* Add the lemonldap-ng deb respository we need the last version of LemonLDAP.
+
+Gen_config -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
+
+*# LemonLDAP::NG repository
+deb https://lemonldap-ng.org/deb stable main
+deb-src https://lemonldap-ng.org/deb stable main
+Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
+
diff --git a/apps.mk b/apps.mk
new file mode 100644
index 0000000..1efe7df
--- /dev/null
+++ b/apps.mk
@@ -0,0 +1,64 @@
+#
+# NE PAS EDITER CE FICHIER
+#
+# Voir Makefile
+
+
+##########################
+# Application web envole #
+##########################
+ifneq (, $(filter oui web, $(PKGAPPS)))
+#
+# Sanity check
+#
+ifeq (, $(filter-out X.X, $(strip $(VERSION))))
+$(error $$(VERSION) variable has incorrect value '$(VERSION)')
+endif
+
+# Where to store web application files
+WEB_PATH := $(DESTDIR)/var/www/html
+
+# Envole
+sharenvole_PROG_DIR := $(DESTDIR)/usr/share/envole/$(SOURCE)
+
+src_$(SOURCE)-$(VERSION)_REC_DIR := $(WEB_PATH)/$(SOURCE)
+src_plugins-$(VERSION)_REC_DIR := $(WEB_PATH)/$(SOURCE)/plugin
+src_lang-$(VERSION)_REC_DIR := $(WEB_PATH)/$(SOURCE)/lang
+
+endif
+
+##########################
+# Application EOLE flask #
+##########################
+ifneq (, $(filter flask, $(PKGAPPS)))
+#
+# Sanity check
+#
+ifeq (, $(filter-out XXX, $(strip $(FLASK_MODULE))))
+$(error $$(FLASK_MODULE) variable has incorrect value '$(FLASK_MODULE)')
+endif
+
+ifeq (, $(strip $(wildcard src/$(FLASK_MODULE).conf)))
+$(error missing eoleflask configuration file 'src/$(FLASK_MODULE).conf')
+endif
+
+# Everything is related to mount point
+APPS_MOUNT_POINT := $(shell sed -ne 's|^"MOUNT_POINT"[[:space:]]*:[[:space:]]*"/\([^"]*\)",|\1|p' \
+ src/$(FLASK_MODULE).conf)
+
+ifeq (, $(strip $(APPS_MOUNT_POINT)))
+$(error no "MOUNT_POINT" in eoleflask configuration file 'src/$(FLASK_MODULE).conf')
+endif
+
+# eole-flask configuration
+src_DATA_DIR := $(DESTDIR)/etc/eole/flask/available
+
+# Where to store flask application files
+FLASK_PATH := $(eole_DIR)/flask/$(APPS_MOUNT_POINT)
+
+# static files
+src_$(FLASK_MODULE)_static_REC_DIR := $(FLASK_PATH)/static
+src_$(FLASK_MODULE)_templates_REC_DIR := $(FLASK_PATH)/templates
+src_$(FLASK_MODULE)_instance_REC_DIR := $(FLASK_PATH)/resources
+
+endif
diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
new file mode 100644
index 0000000..171a528
--- /dev/null
+++ b/dicos/70_lemonldap_ng.xml
@@ -0,0 +1,42 @@ + + + + + + + 80 + 443 + + + + + + non + + + + + + /srv/one/market + + + + + + nom_machine + . + nom_domaine_local + + + non + lemon + Lemon-LDAP-NG + saLemon + + + + Activer l'hébergement d'une place de marché HTTP pour OpenNebula + Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com + Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com + + diff --git a/eole.mk b/eole.mk new file mode 100644 index 0000000..9730365 --- /dev/null +++ b/eole.mk 
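Review bot: The help strings at the end of the dictionary do not describe this package: `Activer l'hébergement d'une place de marché HTTP pour OpenNebula` and the default value `/srv/one/market` read as leftovers copied from an OpenNebula marketplace dictionary, and the two remaining help texts are identical (`Nom DNS de l'application de gestion de LemonLDAP-NG ex:manager.cadoles.com`), so at least one variable is documented with the wrong text. The element tags were stripped when this page was rendered, so I cannot tell which variable each value belongs to; the values `lemon`, `Lemon-LDAP-NG` and `saLemon` presumably are the application name and database fields of the EOLE dictionary format and should be checked against what the templates actually consume. The `80`/`443` entries and the `nom_machine . nom_domaine_local` concatenation are consistent with the `%%nom_domaine_local` hostnames used in lmConf-9.json, so those at least look intentional.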
@@ -0,0 +1,231 @@
+#
+# NE PAS EDITER CE FICHIER
+#
+# Utiliser .mk à inclure à la fin de Makefile
+
+#################
+# Sanity checks #
+#################
+
+ifeq (, $(DESTDIR))
+$(warning $$(DESTDIR) is empty, installation will be done in /)
+endif
+
+ifeq (, $(filter-out XXX-XXX, $(strip $(SOURCE))))
+$(error $$(SOURCE) variable has incorrect value '$(SOURCE)')
+endif
+
+ifeq (, $(filter-out 2.X, $(strip $(EOLE_VERSION))))
+$(error $$(EOLE_VERSION) variable has incorrect value '$(EOLE_VERSION)')
+endif
+
+ifeq (, $(filter-out 2.X.Y, $(strip $(EOLE_RELEASE))))
+$(error $$(EOLE_RELEASE) variable has incorrect value '$(EOLE_RELEASE)')
+endif
+
+#########################
+# Variables definitions #
+#########################
+
+INSTALL := install
+INSTALL_DATA := install -m 644
+INSTALL_PROGRAM := install -m 755
+INSTALL_DIRECTORY := install -m 755 -d
+INSTALL_RECURSIVE := cp -dr --no-preserve=ownership
+
+# Standard path
+bin_PROG_DIR := $(DESTDIR)/usr/bin
+sbin_PROG_DIR := $(DESTDIR)/usr/sbin
+man8_DATA_DIR := $(DESTDIR)/usr/share/man/fr.UTF-8/man8
+
+# Base
+eole_DIR := $(DESTDIR)/usr/share/eole
+
+ifeq ($(strip $(EOLE_VERSION)), 2.3)
+diagnose_PROG_DIR := $(eole_DIR)/diagnose/module
+else
+diagnose_PROG_DIR := $(eole_DIR)/diagnose/
+endif
+
+# Creole
+creole_DIR := $(eole_DIR)/creole
+dicos_DATA_DIR := $(creole_DIR)/dicos
+tmpl_DATA_DIR := $(creole_DIR)/distrib
+preservice_PROG_DIR := $(eole_DIR)/preservice
+pretemplate_PROG_DIR := $(eole_DIR)/pretemplate
+posttemplate_PROG_DIR := $(eole_DIR)/posttemplate
+postservice_PROG_DIR := $(eole_DIR)/postservice
+ifeq ($(strip $(EOLE_VERSION)), 2.3)
+firewall_DATA_DIR := $(eole_DIR)/firewall
+endif
+bacula_restore_DATA_DIR := $(eole_DIR)/bacula/restore
+bareos_restore_DATA_DIR := $(eole_DIR)/bareos/restore
+bacula_fichier_DATA_DIR := $(DESTDIR)/etc/bacula/baculafichiers.d
+bareos_fichier_DATA_DIR := $(DESTDIR)/etc/bareos/bareosfichiers.d
+ifeq ($(strip $(EOLE_VERSION)), 2.3)
+schedule_pre_PROG_DIR := 
$(eole_DIR)/schedule/pre
+schedule_post_PROG_DIR := $(eole_DIR)/schedule/post
+else
+schedule_scripts_PROG_DIR := $(eole_DIR)/schedule/scripts
+endif
+extra_REC_DIR := $(creole_DIR)/extra
+
+# Zéphir
+zephir_DATA_DIR := $(DESTDIR)/usr/share/zephir
+zephir_configs_DATA_DIR := $(zephir_DATA_DIR)/monitor/configs
+zephir_srv_DATA_DIR := $(zephir_configs_DATA_DIR)/services
+zephir_scripts_PROG_DIR := $(zephir_DATA_DIR)/scripts
+
+# SSO
+sso_DATA_DIR := $(DESTDIR)/usr/share/sso
+sso_filtres_DATA_DIR := $(sso_DATA_DIR)/app_filters
+sso_user-info_DATA_DIR := $(sso_DATA_DIR)/user_infos
+
+# EAD
+ead_DATA_DIR := $(DESTDIR)/usr/share/ead2/backend/config
+ead_actions_DATA_DIR := $(ead_DATA_DIR)/actions
+ead_perms_DATA_DIR := $(ead_DATA_DIR)/perms
+ead_roles_DATA_DIR := $(ead_DATA_DIR)/roles
+
+# Program libraries goes under /usr/lib//
+lib_$(SOURCE)_DATA_DIR := $(DESTDIR)/usr/lib/$(SOURCE)
+
+# Scripts Eole
+scripts_PROG_DIR := $(eole_DIR)/sbin
+lib_eole_DATA_DIR := $(DESTDIR)/usr/lib/eole
+
+# LDAP
+ldap_passwords_DATA_DIR := $(eole_DIR)/annuaire/password_files
+
+# LXC
+lxc_DATA_DIR := $(eole_DIR)/lxc
+lxc_fstab_DATA_DIR := $(lxc_DATA_DIR)/fstab
+lxc_hosts_DATA_DIR := $(lxc_DATA_DIR)/hosts
+
+# SQL
+sql_DATA_DIR := $(eole_DIR)/mysql/$(SOURCE)
+sql_gen_DATA_DIR := $(sql_DATA_DIR)/gen
+sql_updates_DATA_DIR := $(sql_DATA_DIR)/updates
+
+sql_conf_gen_DATA_DIR := $(eole_DIR)/applications/gen
+sql_conf_passwords_DATA_DIR := $(eole_DIR)/applications/passwords
+sql_conf_updates_DATA_DIR := $(eole_DIR)/applications/updates/$(SOURCE)
+
+# EoleDB sql directory
+db_DIR := $(eole_DIR)/db
+db_gen_DATA_DIR := $(eole_DIR)/db/$(SOURCE)/gen
+db_updates_DATA_DIR := $(eole_DIR)/db/$(SOURCE)/updates
+
+# Certifs
+certs_DATA_DIR := $(eole_DIR)/certs
+
+# Logrotate
+logrotate_DATA_DIR := $(DESTDIR)/etc/logrotate.d
+
+# Cron
+cron_PROG_DIR := $(DESTDIR)/etc/cron.daily
+
+# Python modules
+ifneq ($(DESTDIR),)
+PYTHON_OPTS := --root $(DESTDIR)
+endif
+
+# Translation
+TRANSLATION_SRC := translation 
+TRANSLATION_DEST := $(DESTDIR)/usr/share/locale
+PO_FILES = $(wildcard $(TRANSLATION_SRC)/*/*.po)
+MO_FOLDERS = $(addprefix $(TRANSLATION_DEST), $(addsuffix LC_MESSAGES,$(subst $(TRANSLATION_SRC),,$(dir $(PO_FILES)))))
+
+#############################################
+# Common directories and files installation #
+#############################################
+
+all:
+
+$(MO_FOLDERS):
+ $(INSTALL_DIRECTORY) $@
+
+$(PO_FILES): $(MO_FOLDERS)
+ msgfmt -o $(TRANSLATION_DEST)$(subst $(TRANSLATION_SRC),,$(addsuffix LC_MESSAGES,$(dir $@)))/$(notdir $(@:.po=.mo)) $@
+
+install-lang: $(PO_FILES)
+
+install:: install-dirs install-files install-lang
+
+# $1 = command to run
+# $2 = source directory
+# $3 = destination directory
+define fc_install_file
+ if [ -d $2 ]; then \
+ for file in `ls -1 $2/`; do \
+ $1 $2/$$file $3 || true; \
+ done; \
+ fi
+endef
+
+##
+## Directory creation
+##
+
+# use % to catch local name in $*
+# data, program and recursive directory require a corresponding
+# directory in local sources
+%_DATA_DIR %_PROG_DIR %REC_DIR:
+ test ! -d $(subst _,/,$*) || $(INSTALL_DIRECTORY) $($@)
+
+# Create the directory referenced by the variable without a local one. 
+%_DIR:
+ @: # do nothing
+
+##
+## Install files present directly under data, program and recursive directories
+##
+
+# $* : name of variable
+# $($*): value of variable
+%-instdata:
+ $(call fc_install_file, $(INSTALL_DATA), $(subst _,/,$(subst _DATA_DIR,,$*)), $($*))
+
+%-instprog:
+ $(call fc_install_file, $(INSTALL_PROGRAM), $(subst _,/,$(subst _PROG_DIR,,$*)), $($*))
+
+%-instrec:
+ $(call fc_install_file, $(INSTALL_RECURSIVE), $(subst _,/,$(subst _REC_DIR,,$*)), $($*))
+
+
+# Use second expansion as variables may be created in included
+# Makefiles
+.SECONDEXPANSION:
+
+# List of all directories
+installdirs_LIST = $(foreach V, $(filter %_DIR, $(.VARIABLES)), \
+ $(if $(filter file, $(origin $(V))), \
+ $(V)))
+# List of data directories
+installdata_LIST = $(filter %_DATA_DIR, $(installdirs_LIST))
+# List of program directories
+installprog_LIST = $(filter %_PROG_DIR, $(installdirs_LIST))
+# List of recursive directories
+installrec_LIST = $(filter %_REC_DIR, $(installdirs_LIST))
+
+# Expand directories to create as dependency
+# Use double-colon to permit user to define additionnal install-dirs
+install-dirs:: $$(installdirs_LIST)
+
+# Expand files to install as dependency
+# Use double-colon to permit user to define additionnal install-files
+install-files:: install-data-files install-prog-files install-rec-dirs
+
+install-data-files: $$(patsubst %,%-instdata,$$(installdata_LIST))
+
+install-prog-files: $$(patsubst %,%-instprog,$$(installprog_LIST))
+
+install-rec-dirs: $$(patsubst %,%-instrec,$$(installrec_LIST))
+
+# Installation of python modules
+ifeq ($(shell test -f setup.py && echo 0), 0)
+install-files::
+ python setup.py install --no-compile --install-layout=deb $(PYTHON_OPTS)
+endif
+
+.PHONY: install install-dirs install-files install-data-files install-prog-files install-rec-dirs
diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf
new file mode 100644
index 0000000..5f0a8c8
--- /dev/null
+++ b/tmpl/handler-nginx.conf
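Review bot: `fc_install_file` appends `|| true` to every `install`/`cp` invocation, so a failed copy (unreadable source, missing or read-only destination, a `cp -dr` that only partially succeeded) leaves the package build green with files silently absent; the loop also iterates over the output of `ls -1`, which word-splits on filenames containing whitespace. A safer loop is `for file in $2/*; do [ -e "$$file" ] || continue; $1 "$$file" $3; done; \`, which lets a real failure propagate to make while still tolerating an empty directory. A lesser point: the directory rule `%_DATA_DIR %_PROG_DIR %REC_DIR:` spells the last pattern without the underscore that `%-instrec` strips (`_REC_DIR`); it still matches because `%` absorbs the underscore, but it reads as a typo. This file is the shared EOLE include marked "NE PAS EDITER", so the fix probably belongs in the upstream skeleton rather than in this repository.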
@@ -0,0 +1,48 @@
+#=======================================================================
+# Nginx configuration for LemonLDAP::NG Handler
+#=======================================================================
+# This file implements the reload virtualhost that permits to reload
+# configuration without restarting server.
+# You need then to declare this vhost in reloadUrls (in the manager
+# interface if this server doesn't host the manager itself):
+#
+# KEY : VALUE
+# host-or-IP:port : http://reload.example.com/reload
+#
+# IMPORTANT:
+# To protect applications, see test-nginx.conf template in example files
+
+# Log format
+include /etc/lemonldap-ng/nginx-lmlog.conf;
+#access_log /var/log/nginx/access.log lm_combined;
+
+server {
+ listen 80;
+ server_name reload.example.com;
+ root /var/www/html;
+
+ location = /reload {
+ allow 127.0.0.1;
+ deny all;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_param LLTYPE reload;
+ }
+
+ # Client requests
+ location / {
+ deny all;
+
+ # Uncomment this if you use https only
+ #add_header Strict-Transport-Security "15768000";
+ }
+
+ # Uncomment this if status is enabled
+ #location = /status {
+ # allow 127.0.0.1;
+ # deny all;
+ # include /etc/nginx/fastcgi_params;
+ # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ # fastcgi_param LLTYPE status;
+ #}
+}
diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini
new file mode 100644
index 0000000..a1bb9f5
--- /dev/null
+++ b/tmpl/lemonldap-ng.ini
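Review bot: `server_name reload.example.com;` (and the `host-or-IP:port : http://reload.example.com/reload` example in the header) hard-codes the upstream sample hostname even though this is a Creole template and the sibling lmConf-9.json derives every vhost from `%%nom_domaine_local`; write `server_name reload.%%nom_domaine_local;` so the reload vhost matches the `reloadUrls` entry the deployed configuration will carry. The `location = /reload` block is correctly limited to `allow 127.0.0.1; deny all;`, but only the IPv4 loopback is listed, so a manager reaching the reload URL over `::1` would be denied; add `allow ::1;` if the reload hostname can resolve to IPv6 on the target. `listen 80;` with the HSTS header commented out is acceptable for a loopback-only endpoint, but a one-line comment stating that this vhost is not meant to be reachable from outside would make that intent explicit.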
@@ -0,0 +1,284 @@ +;============================================================================== +; LemonLDAP::NG local configuration parameters +; +; This file is dedicated to configuration parameters override +; You can set here configuration parameters that will be used only by +; local LemonLDAP::NG elements +; +; Section "all" is always read first before "portal", "handler" +; and "manager" +; +; Section "configuration" is used to load global configuration and set cache +; (replace old storage.conf file) +; +; Section "apply" is read by Manager to reload handlers +; (replace old apply.conf file) +; +; Other section are only read by the specific LemonLDAP::NG component +;============================================================================== + +[all] + +; CUSTOM FUNCTION +; If you want to create customFunctions in rules, declare them here: +;customFunctions = function1 function2 +;customFunctions = Package::func1 Package::func2 + +; CROSS-DOMAIN +; If you have some handlers that are not registered on the main domain, +; uncomment this +;cda = 1 + +; SAFE JAIL +; Uncomment this to disable Safe jail. +; Warning: this can allow malicious code in custom functions or rules +;useSafeJail = 0 + +[configuration] + +; GLOBAL CONFIGURATION ACCESS TYPE +; (File, SOAP, RDBI/CDBI, LDAP) +; Set here the parameters needed to access to LemonLDAP::NG configuration. +; You have to set "type" to one of the followings : +; +; * File: you have to set 'dirName' parameter. Example: +; +; type = File +; dirName = /var/lib/lemonldap-ng/conf +; +; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword' +; if needed. Example: +; +; type = RDBI +; ;type = CDBI +; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4 +; dbiUser = lemonldap +; dbiPassword = password +; +; * SOAP: SOAP configuration access is a sort of proxy: the portal is +; configured to use the real session storage type (DBI or File for +; example). 
+; You have to set 'proxy' parameter. Example: +; +; type = SOAP +; proxy = https://auth.example.com/index.pl/config +; proxyOptions = { timeout => 5 } +; User = lemonldap +; Password = mypassword +; +; * LDAP: you have to set ldapServer, ldapConfBase, ldapBindDN and ldapBindPassword. +; +; type = LDAP +; ldapServer = ldap://localhost +; ldapConfBase = ou=conf,ou=applications,dc=example,dc=com +; ldapBindDN = cn=manager,dc=example,dc=com +; ldapBindPassword = secret +; ldapObjectClass = applicationProcess +; ldapAttributeId = cn +; ldapAttributeContent = description + +type=File +dirName = /var/lib/lemonldap-ng/conf + +; LOCAL CACHE CONFIGURATION +; +; To increase performances, use a local cache for the configuration. You have +; to choose a Cache::Cache module and set its parameters. Example: +; +; localStorage = Cache::FileCache +; localStorageOptions={ \ +; 'namespace' => 'lemonldap-ng-config',\ +; 'default_expires_in' => 600, \ +; 'directory_umask' => '007', \ +; 'cache_root' => '/tmp', \ +; 'cache_depth' => 0, \ +; } +localStorage=Cache::FileCache +localStorageOptions={ \ + 'namespace' => 'lemonldap-ng-config',\ + 'default_expires_in' => 600, \ + 'directory_umask' => '007', \ + 'cache_root' => '/tmp', \ + 'cache_depth' => 0, \ +} + +[portal] + +; PERFORMANCES +; By setting useLocalConf, Portal will use only local cached configuration +; To refresh it, you must have an handler on the same server or you have to +; restart your server. 
This increase performances +;useLocalConf = 1 + +; PORTAL CUSTOMIZATION +; Name of the skin +;portalSkin = pastel +; Modules displayed +;portalDisplayLogout = 1 +;portalDisplayResetPassword = 1 +;portalDisplayChangePassword = 1 +;portalDisplayAppslist = 1 +;portalDisplayLoginHistory = 1 +; Require the old password when changing password +;portalRequireOldPassword = 1 +; Attribute displayed as connected user +;portalUserAttr = mail +; Old menu HTML code +; Enable it if you use old templates +;useOldMenuItems=1 +; Override error codes +;error_0 = You are well authenticated! +; Custom template parameters +; For example to use +;tpl_myparam = test + +; LOG +; By default, all is logged in Apache file. To log user actions by +; syslog, just set syslog facility here: +;syslog = auth +; SOAP FUNCTIONS +; Remove comment to activate SOAP Functions getCookies(user,pwd) and +; error(language, code) +;Soap = 1 +; Note that getAttibutes() will be activated but on a different URI +; (http://auth.example.com/index.pl/sessions) +; You can also restrict attributes and macros exported by getAttributes +;exportedAttr = uid mail + +; PASSWORD POLICY +; Remove comment to use LDAP Password Policy +;ldapPpolicyControl = 1 +; Remove comment to store password in session (use with caution) +;storePassword = 1 +; Remove comment to use LDAP modify password extension +; (beware of compatibility with LDAP Password Policy) +;ldapSetPassword = 1 +; RESET PASSWORD BY MAIL +; SMTP server (default to localhost), set to '' to use default mail service +;SMTPServer = localhost +; SMTP auth user +;SMTPAuthUser = toto +; SMTP auth password +;SMTPAuthPass = secret +; Mail From address +;mailFrom = noreply@example.com +; Reply To +;mailReplyTo = noreply@example.com +; Mail confirmation URL +;mailUrl = http://reset.example.com +; Mail subject for confirmation message +;mailConfirmSubject = [LemonLDAP::NG] Password reset confirmation +; Mail body for confiramtion (can use $url for confirmation URL, and other 
session +; infos, like $cn). Keep comment to use HTML templates +;mailConfirmBody = Hello $cn,\n\nClick here to receive your new password: $url +; Mail subject for new password message +;mailSubject = [LemonLDAP::NG] Your new password +; Mail body for new password (can use $password for generated password, and other session +; infos, like $cn). Keep comment to use HTML templates +;mailBody = Hello $cn,\n\nYour new password is $password +; LDAP filter to use +;mailLDAPFilter = '(&(mail=$mail)(objectClass=inetOrgPerson))' +; Random regexp for password generation +;randomPasswordRegexp = [A-Z]{3}[a-z]{5}.\d{2} +; LDAP GROUPS +; Set the base DN of your groups branch +;ldapGroupBase = ou=groups,dc=example,dc=com +; Objectclass used by groups +;ldapGroupObjectClass = groupOfUniqueNames +; Attribute used by groups to store member +;ldapGroupAttributeName = uniqueMember +; Attribute used by user to link to groups +;ldapGroupAttributeNameUser = dn +; Attribute used to identify a group. The group will be displayed as +; cn|mail|status, where cn, mail and status will be replaced by their +; values. +;ldapGroupAttributeNameSearch = cn mail + +; NOTIFICATIONS SERVICE +; Use it to be able to notify messages during authentication +;notification = 1 +; Note that the SOAP function newNotification will be activated on +; http://auth.example.com/index.pl/notification +; If you want to hide this, just protect "/index.pl/notification" in +; your Apache configuration file +; XSS protection bypass +; By default, the portal refuse redirections that comes from sites not +; registered in the configuration (manager) except for those coming +; from trusted domains. By default, trustedDomains contains the domain +; declared in the manager. You can set trustedDomains to empty value so +; that, undeclared sites will be rejected. You can also set here a list +; of trusted domains or hosts separated by spaces. 
This is usefull if +; your website use LemonLDAP::NG without handler with SOAP functions. +;trustedDomains = my.trusted.host example2.com + +; Check XSS +; Set to 0 to disable error on XSS attack detection +;checkXSS = 0 + +[handler] + +; Handler cache configuration +; You can overwrite here local session cache settings in manager: +; localSessionStorage=Cache::FileCache +; localSessionStorageOptions={ \ +; 'namespace' => 'lemonldap-ng-sessions', \ +; 'default_expires_in' => 600, \ +; 'directory_umask' => '007', \ +; 'cache_root' => '/tmp', \ +; 'cache_depth' => 3, \ +; } + +; Set https to 1 if your handler protect a https website (used only for +; redirections to the portal) +;https = 0 +; Set port if your your hanlder protect a website on a non standard port +; - 80 for http, 443 for https (used only for redirections to the portal) +;port = 8080 +; Set status to 1 if you want to have the report of activity (used for +; example to inform MRTG) +status = 0 +; Set useRedirectOnForbidden to 1 if you want to use REDIRECT and not FORBIDDEN +; when a user is not allowed by Handler +;useRedirectOnForbidden = 1 +; Hide LemonLDAP::NG Handler in Apache Server Signature +;hideSignature = 1 +useRedirectOnError = 1 + +; Zimbra Handler parameters +;zimbraPreAuthKey = XXXX +;zimbraAccountKey = uid +;zimbraBy =id +;zimbraUrl = /service/preauth +;zimbraSsoUrl = ^/zimbrasso$ + +[manager] + +; Manager protection: by default, the manager is protected by a demo account. +; You can protect it : +; * by Apache itself, +; * by the parameter 'protection' which can take one of the following +; values : +; * authenticate : all authenticated users can access +; * manager : manager is protected like other virtual hosts: you +; have to set rules in the corresponding virtual host +; * : you can set here directly the rule to apply +; * none : no protection +protection = manager + +; logLevel. 
Set here one of error, warn, notice, info or debug +logLevel = warn + +; staticPrefix: relative (or URL) location of static HTML components +staticPrefix = /static +; +; location of HTML templates directory +templateDir = /usr/share/lemonldap-ng/manager/templates + +; languages: available languages for manager interface +languages = fr, en + +; Manager modules enabled +; Set here the list of modules you want to see in manager interface +; The first will be used as default module displayed +enabledModules = conf, sessions, notifications + diff --git a/tmpl/lmConf-1.js b/tmpl/lmConf-1.js new file mode 100644 index 0000000..e9c9018 --- /dev/null +++ b/tmpl/lmConf-1.js 
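Review bot: `localStorageOptions` in `[configuration]` places the configuration cache under `'cache_root' => '/tmp'` with `'directory_umask' => '007'`; /tmp is shared and world-writable, so the `lemonldap-ng-config` namespace directory is created by whichever process first writes it, and a pre-existing directory owned by another local account would be reused silently. Point `cache_root` at a directory owned by the web server user, e.g. `'cache_root' => '<package-owned cache dir>'`, and keep the `007` umask. The same `/tmp` pattern appears in the commented `localSessionStorageOptions` example under `[handler]` and in the `localSessionStorageOptions` block of lmConf-1.js. The file contains no Creole `%%` variables, so a one-line comment at the top noting that it is a static copy of the upstream default would save the next reader from looking for template variables.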
@@ -0,0 +1,167 @@ +{ + "applicationList" : { + "1sample" : { + "catname" : "Sample applications", + "test1" : { + "options" : { + "description" : "A simple application displaying authenticated user", + "display" : "auto", + "logo" : "demo.png", + "name" : "Application Test 1", + "uri" : "http://test1.example.com/" + }, + "type" : "application" + }, + "test2" : { + "options" : { + "description" : "The same simple application displaying authenticated user", + "display" : "auto", + "logo" : "thumbnail.png", + "name" : "Application Test 2", + "uri" : "http://test2.example.com/" + }, + "type" : "application" + }, + "type" : "category" + }, + "2administration" : { + "catname" : "Administration", + "manager" : { + "options" : { + "description" : "Configure LemonLDAP::NG WebSSO", + "display" : "auto", + "logo" : "configure.png", + "name" : "WebSSO Manager", + "uri" : "http://manager.example.com/manager.html" + }, + "type" : "application" + }, + "notifications" : { + "options" : { + "description" : "Explore WebSSO notifications", + "display" : "auto", + "logo" : "database.png", + "name" : "Notifications explorer", + "uri" : "http://manager.example.com/notifications.html" + }, + "type" : "application" + }, + "sessions" : { + "options" : { + "description" : "Explore WebSSO sessions", + "display" : "auto", + "logo" : "database.png", + "name" : "Sessions explorer", + "uri" : "http://manager.example.com/sessions.html" + }, + "type" : "application" + }, + "type" : "category" + }, + "3documentation" : { + "catname" : "Documentation", + "localdoc" : { + "options" : { + "description" : "Documentation supplied with LemonLDAP::NG", + "display" : "on", + "logo" : "help.png", + "name" : "Local documentation", + "uri" : "http://manager.example.com/doc/" + }, + "type" : "application" + }, + "officialwebsite" : { + "options" : { + "description" : "Official LemonLDAP::NG Website", + "display" : "on", + "logo" : "network.png", + "name" : "Offical Website", + "uri" : 
"http://lemonldap-ng.org/" + }, + "type" : "application" + }, + "type" : "category" + } + }, + "authentication" : "Demo", + "cfgAuthor" : "The LemonLDAP::NG team", + "cfgNum" : 1, + "cookieName" : "lemonldap", + "demoExportedVars" : { + "cn" : "cn", + "mail" : "mail", + "uid" : "uid" + }, + "domain" : "example.com", + "exportedHeaders" : { + "test1.example.com" : { + "Auth-User" : "$uid" + }, + "test2.example.com" : { + "Auth-User" : "$uid" + } + }, + "exportedVars" : { + "UA" : "HTTP_USER_AGENT" + }, + "globalStorage" : "Apache::Session::File", + "globalStorageOptions" : { + "Directory" : "/var/lib/lemonldap-ng/sessions", + "LockDirectory" : "/var/lib/lemonldap-ng/sessions/lock", + "generateModule" : "Lemonldap::NG::Common::Apache::Session::Generate::SHA256" + }, + "groups" : {}, + "localSessionStorage" : "Cache::FileCache", + "localSessionStorageOptions" : { + "cache_depth" : 3, + "cache_root" : "/tmp", + "default_expires_in" : 600, + "directory_umask" : "007", + "namespace" : "lemonldap-ng-sessions" + }, + "locationRules" : { + "manager.example.com" : { + "(?#Configuration)^/(manager\\.html|conf/)" : "$uid eq \"dwho\"", + "(?#Notifications)/notifications" : "$uid eq \"dwho\" or $uid eq \"rtyler\"", + "(?#Sessions)/sessions" : "$uid eq \"dwho\" or $uid eq \"rtyler\"", + "default" : "$uid eq \"dwho\"" + }, + "test1.example.com" : { + "^/logout" : "logout_sso", + "default" : "accept" + }, + "test2.example.com" : { + "^/logout" : "logout_sso", + "default" : "accept" + } + }, + "loginHistoryEnabled" : 1, + "macros" : { + "_whatToTrace" : "$_auth eq 'SAML' ? 
\"$_user\\@$_idpConfKey\" : \"$_user\"" + }, + "mailUrl" : "http://auth.example.com/mail.pl", + "notification" : 1, + "notificationStorage" : "File", + "notificationStorageOptions" : { + "dirName" : "/var/lib/lemonldap-ng/notifications" + }, + "passwordDB" : "Demo", + "persistentStorage" : "Apache::Session::File", + "persistentStorageOptions" : { + "Directory" : "/var/lib/lemonldap-ng/psessions", + "LockDirectory" : "/var/lib/lemonldap-ng/psessions/lock" + }, + "portal" : "http://auth.example.com/", + "portalSkin" : "bootstrap", + "portalSkinBackground" : "1280px-Cedar_Breaks_National_Monument_partially.jpg", + "registerDB" : "Demo", + "registerUrl" : "http://auth.example.com/register.pl", + "reloadUrls" : { + "reload.example.com" : "http://reload.example.com/reload" + }, + "securedCookie" : 0, + "sessionDataToRemember" : {}, + "timeout" : 72000, + "userDB" : "Demo", + "whatToTrace" : "_whatToTrace" +} diff --git a/tmpl/lmConf-9.json b/tmpl/lmConf-9.json new file mode 100644 index 0000000..f7c43d0 --- /dev/null +++ b/tmpl/lmConf-9.json 
@@ -0,0 +1,386 @@
+{
+ "ldapGroupAttributeNameUser": "dn",
+ "cfgAuthorIP": "172.16.0.1",
+ "samlSPMetaDataXML": null,
+ "facebookAuthnLevel": 1,
+ "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
+ "secureTokenAttribute": "uid",
+ "singleSession": 0,
+ "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
+ "CAS_pgtFile": "/tmp/pgt.txt",
+ "cookieName": "lemonldap",
+ "slaveExportedVars": {},
+ "whatToTrace": "_whatToTrace",
+ "oidcRPMetaDataOptions": {},
+ "notifyDeleted": 1,
+ "useRedirectOnError": 1,
+ "samlSPMetaDataExportedAttributes": null,
+ "ldapPwdEnc": "utf-8",
+ "openIdSPList": "0;",
+ "samlNameIDFormatMapEmail": "mail",
+ "samlSPMetaDataOptions": null,
+ "issuerDBOpenIDRule": 1,
+ "casStorageOptions": {},
+ "mailFrom": "noreply@%%nom_domaine_local",
+ "timeoutActivity": 0,
+ "oidcRPMetaDataExportedVars": {},
+ "issuerDBSAMLActivation": 0,
+ "issuerDBCASPath": "^/cas/",
+ "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
+ "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
+ "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+ "exportedHeaders": {
+ "test1.%%nom_domaine_local": {
+ "Auth-User": "$uid"
+ },
+ "test2.%%nom_domaine_local": {
+ "Auth-User": "$uid"
+ },
+ "manager.%%nom_domaine_local": {}
+ },
+ "vhostOptions": {
+ "manager.%%nom_domaine_local": {},
+ "test1.%%nom_domaine_local": {},
+ "test2.%%nom_domaine_local": {}
+ },
+ "radiusAuthnLevel": 3,
+ "dbiAuthnLevel": 2,
+ "ldapPasswordResetAttribute": "pwdReset",
+ "ldapGroupObjectClass": "groupOfNames",
+ "apacheAuthnLevel": 4,
+ "samlNameIDFormatMapKerberos": "uid",
+ "groups": {},
+ "securedCookie": 0,
+ "httpOnly": 1,
+ "yubikeyAuthnLevel": 3,
+ "ADPwdMaxAge": 0,
+ "samlUseQueryStringSpecific": 0,
+ "loginHistoryEnabled": 1,
+ "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
+ "failedLoginNumber": 5,
+ "samlServicePrivateKeyEncPwd": "",
+ "portalForceAuthnInterval": 0,
+ "cfgLog": "",
+ "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+ "exportedVars": {
+ "UA": "HTTP_USER_AGENT"
+ },
+ "notificationStorage": "File",
+ "applicationList": {
+ "1sample": {
+ "test2": {
+ "options": {
+ "name": "Application Test 2",
+ "logo": "thumbnail.png",
+ "uri": "http://test2.%%nom_domaine_local/",
+ "display": "auto",
+ "description": "The same simple application displaying authenticated user"
+ },
+ "type": "application"
+ },
+ "type": "category",
+ "catname": "Sample applications",
+ "test1": {
+ "type": "application",
+ "options": {
+ "description": "A simple application displaying authenticated user",
+ "uri": "http://test1.%%nom_domaine_local/",
+ "logo": "demo.png",
+ "display": "auto",
+ "name": "Application Test 1"
+ }
+ }
+ },
+ "2administration": {
+ "notifications": {
+ "options": {
+ "name": "Notifications explorer",
+ "display": "auto",
+ "description": "Explore WebSSO notifications",
+ "uri": "http://manager.%%nom_domaine_local/notifications.pl",
+ "logo": "database.png"
+ },
+ "type": "application"
+ },
+ "manager": {
+ "options": {
+ "uri": "http://manager.%%nom_domaine_local/",
+ "display": "auto",
+ "description": "Configure LemonLDAP::NG WebSSO",
+ "logo": "configure.png",
+ "name": "WebSSO Manager"
+ },
+ "type": "application"
+ },
+ "type": "category",
+ "sessions": {
+ "type": "application",
+ "options": {
+ "description": "Explore WebSSO sessions",
+ "uri": "http://manager.%%nom_domaine_local/sessions.pl",
+ "logo": "database.png",
+ "display": "auto",
+ "name": "Sessions explorer"
+ }
+ },
+ "catname": "Administration"
+ },
+ "3documentation": {
+ "catname": "Documentation",
+ "officialwebsite": {
+ "type": "application",
+ "options": {
+ "name": "Offical Website",
+ "description": "Official LemonLDAP::NG Website",
+ "logo": "network.png",
+ "display": "on",
+ "uri": "http://lemonldap-ng.org/"
+ }
+ },
+ "type": "category",
+ "localdoc": {
+ "options": {
+ "logo": "help.png",
+ "description": "Documentation supplied with LemonLDAP::NG",
+ "display": "on",
+ "uri": "http://manager.%%nom_domaine_local/doc/",
+ "name": "Local documentation"
+ },
+ "type": "application"
+ }
+ }
+ },
+ "userControl": "^[\\w\\.\\-@]+$",
+ "timeout": 72000,
+ "portalAntiFrame": 1,
+ "SMTPServer": "",
+ "ldapTimeout": 120,
+ "samlAuthnContextMapPasswordProtectedTransport": 3,
+ "ldapUsePasswordResetAttribute": 1,
+ "ldapPpolicyControl": 0,
+ "casAttributes": {},
+ "issuerDBSAMLPath": "^/saml/",
+ "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
+ "portalDisplayAppslist": 1,
+ "confirmFormMethod": "post",
+ "domain": "%%nom_domaine_local",
+ "cfgNum": "9",
+ "authentication": "LDAP",
+ "samlNameIDFormatMapWindows": "uid",
+ "authChoiceModules": {},
+ "ldapGroupAttributeName": "member",
+ "samlServicePrivateKeySigPwd": "",
+ "googleAuthnLevel": 1,
+ "successLoginNumber": 5,
+ "localSessionStorageOptions": {
+ "cache_root": "/tmp",
+ "namespace": "lemonldap-ng-sessions",
+ "default_expires_in": 600,
+ "directory_umask": "007",
+ "cache_depth": 3
+ },
+ "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+ "portalRequireOldPassword": 1,
+ "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
+ "ADPwdExpireWarning": 0,
+ "yubikeyPublicIDSize": 12,
+ "ldapGroupAttributeNameGroup": "dn",
+ "oidcRPMetaDataOptionsExtraClaims": null,
+ "ldapGroupRecursive": 0,
+ "mailSubject": "[LemonLDAP::NG] Your new password",
+ "nginxCustomHandlers": {},
+ "samlSPSSODescriptorAuthnRequestsSigned": 1,
+ "portalDisplayResetPassword": 1,
+ "openIdSreg_timezone": "_timezone",
+ "infoFormMethod": "get",
+ "openIdAuthnLevel": 1,
+ "openIdSreg_nickname": "uid",
+ "samlServicePublicKeyEnc": "",
+ "userDB": "LDAP",
+ "grantSessionRules": {},
+ "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
+ "reloadUrls": {
+ "reload.%%nom_domaine_local": "http://reload.%%nom_domaine_local/reload"
+ },
+ "registerTimeout": 0,
+ "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
+ "slaveAuthnLevel": 2,
+ "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+ "Soap": 1,
+ "registerDB": "Demo",
+ "locationRules": {
+ "manager.%%nom_domaine_local": {
+ "default": "$uid eq \"dwho\""
+ },
+ "test1.%%nom_domaine_local": {
+ "default": "accept",
+ "^/logout": "logout_sso"
+ },
+ "test2.%%nom_domaine_local": {
+ "default": "accept",
+ "^/logout": "logout_sso"
+ }
+ },
+ "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
+ "hideOldPassword": 0,
+ "managerPassword": "ohc7kei8lil8Zoesai5chisaiGhu5Yaisai6kaegh9aingai0pae8ohb",
+ "authChoiceParam": "lmAuth",
+ "lwpSslOpts": {},
+ "portalSkinRules": {},
+ "issuerDBOpenIDPath": "^/openidserver/",
+ "redirectFormMethod": "get",
+ "portalDisplayRegister": 1,
+ "secureTokenMemcachedServers": "127.0.0.1:11211",
+ "notificationStorageOptions": {
+ "dirName": "/var/lib/lemonldap-ng/notifications"
+ },
+ "browserIdAuthnLevel": 1,
+ "portalUserAttr": "_user",
+ "ldapVersion": 3,
+ "sessionDataToRemember": {},
+ "samlNameIDFormatMapX509": "mail",
+ "managerDn": "cn=reader,o=gouv,c=fr",
+ "mailSessionKey": "mail",
+ "openIdSreg_email": "mail",
+ "localSessionStorage": "Cache::FileCache",
+ "persistentStorage": "Apache::Session::File",
+ "mailOnPasswordChange": 0,
+ "captchaStorage": "Apache::Session::File",
+ "remoteGlobalStorageOptions": {
+ "proxy": "http://auth.%%nom_domaine_local/index.pl/sessions",
+ "ns": "http://auth.%%nom_domaine_local/Lemonldap/NG/Common/CGI/SOAPService"
+ },
+ "passwordDB": "LDAP",
+ "captcha_size": 6,
+ "mailCharset": "utf-8",
+ "facebookExportedVars": {},
+ "nullAuthnLevel": 2,
+ "singleIP": 0,
+ "dbiExportedVars": {},
+ "portalSkin": "bootstrap",
+ "storePassword": 0,
+ "hiddenAttributes": "_password",
+ "samlServicePrivateKeySig": "",
+ "globalStorage": "Apache::Session::File",
+ "notificationWildcard": "allusers",
+ "portalForceAuthn": 0,
+ "samlMetadataForceUTF8": 1,
+ "secureTokenUrls": ".*",
+ "secureTokenAllowOnError": 1,
+ "samlAuthnContextMapTLSClient": 5,
+ "ldapAllowResetExpiredPassword": 0,
+ "oidcOPMetaDataExportedVars": {},
+ "notifyOther": 0,
+ "secureTokenExpiration": 60,
+ "captcha_mail_enabled": 0,
+ "samlStorageOptions": {},
+ "samlOrganizationDisplayName": "Example",
+ "trustedProxies": "",
+ "secureTokenHeader": "Auth-Token",
+ "issuerDBCASActivation": 1,
+ "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
+ "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+ "samlIDPMetaDataXML": {},
+ "oidcStorageOptions": {},
+ "cfgDate": 1519998069,
+ "samlAuthnContextMapPassword": 2,
+ "portalDisplayLoginHistory": 1,
+ "ldapPasswordResetAttributeValue": "TRUE",
+ "ldapServer": "%%ldapScheme://%%ldapServer",
+ "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
+ "samlIDPMetaDataExportedAttributes": null,
+ "samlServicePrivateKeyEnc": "",
+ "useRedirectOnForbidden": 0,
+ "captcha_login_enabled": 0,
+ "https": 0,
+ "checkXSS": 1,
+ "ldapSetPassword": 0,
+ "portalPingInterval": 60000,
+ "captchaStorageOptions": {
+ "Directory": "/var/lib/lemonldap-ng/captcha/"
+ },
+ "useSafeJail": 1,
+ "registerDoneSubject": "[LemonLDAP::NG] Your new account",
+ "issuerDBCASRule": 1,
+ "samlAuthnContextMapKerberos": 4,
+ "ldapGroupAttributeNameSearch": "cn",
+ "logoutServices": {},
+ "samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
+ "portalDisplayLogout": 1,
+ "issuerDBGetParameters": {},
+ "googleExportedVars": {},
+ "openIdSreg_fullname": "cn",
+ "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
+ "demoExportedVars": {
+ "mail": "mail",
+ "uid": "uid",
+ "cn": "cn"
+ },
+ "oidcOPMetaDataJSON": null,
+ "samlIdPResolveCookie": "lemonldapidp",
+ "samlRelayStateTimeout": 600,
+ "samlOrganizationURL": "http://www.%%nom_domaine_local",
+ "globalStorageOptions": {
+ "Directory": "/var/lib/lemonldap-ng/sessions",
+ "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
+ },
+ "ldapExportedVars": {
+ "mail": "mail",
+ "cn": "cn",
+ "uid": "uid"
+ },
+ "webIDExportedVars": {},
+ "activeTimer": 1,
+ "cda": 0,
+ "samlServicePublicKeySig": "",
+ "portalCheckLogins": 1,
+ "CAS_authnLevel": 1,
+ "macros": {
+ "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
+ },
+ "samlIDPMetaDataOptions": null,
+ "twitterAuthnLevel": 1,
+ "openIdExportedVars": {},
+ "captcha_register_enabled": 1,
+ "oidcOPMetaDataJWKS": null,
+ "webIDAuthnLevel": 1,
+ "issuerDBOpenIDActivation": "1",
+ "mailUrl": "http://auth.%%nom_domaine_local/mail.pl",
+ "maintenance": 0,
+ "jsRedirect": 0,
+ "cfgAuthor": "dwho",
+ "persistentStorageOptions": {
+ "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
+ "Directory": "/var/lib/lemonldap-ng/psessions"
+ },
+ "SSLAuthnLevel": 5,
+ "oidcServiceMetaDataAuthnContext": {},
+ "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+ "notification": 1,
+ "ldapChangePasswordAsUser": 0,
+ "CAS_proxiedServices": {},
+ "key": "e\"bTCt3*eU9^\\V%b",
+ "portal": "http://auth.%%nom_domaine_local/",
+ "singleSessionUserByIP": 0,
+ "portalOpenLinkInNewWindow": 0,
+ "post": {
+ "test2.%%nom_domaine_local": {},
+ "test1.%%nom_domaine_local": {},
+ "manager.%%nom_domaine_local": {}
+ },
+ "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
+ "issuerDBSAMLRule": 1,
+ "samlCommonDomainCookieActivation": 0,
+ "syslog": "",
+ "ldapBase": %%ldapUserBaseDN,
+ "ldapAuthnLevel": 2,
+ "mailTimeout": 0,
+ "samlEntityID": "#PORTAL#/saml/metadata",
+ "oidcOPMetaDataOptions": null,
+ "samlSPSSODescriptorWantAssertionsSigned": 1,
+ "samlOrganizationName": "%%samlOrganizationName",
+ "registerUrl": "http://auth.%%nom_domaine_local/register.pl",
+ "casAccessControlPolicy": "none",
+ "multiValuesSeparator": ";",
+ "ldapPort": %%ldapServerPort
+}
diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf
new file mode 100644
index 0000000..5156dbb
--- /dev/null
+++ b/tmpl/manager-nginx.conf
@@ -0,0 +1,63 @@
+server {
+ listen 80;
+ server_name manager.%%nom_domaine_local;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443;
+ ssl on;
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
+ ssl_client_certificate /etc/ssl/certs/ca.crt;
+ access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
+ server_name manager.%%nom_domaine_local;
+
+ error_page 403 404 502 503 504 /nginx.html;
+ location = /nginx.html{
+ root /usr/share/nginx/www;
+ }
+
+ if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon)) {
+ rewrite ^/(.*)$ /manager.psgi/$1 break;
+ }
+
+ location /manager.psgi {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_param LLTYPE manager;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ # Uncomment this if you use https only
+ #add_header Strict-Transport-Security "15768000";
+ }
+
+ location / {
+ index manager.psgi;
+ allow 127.0.0.0/8;
+ deny all;
+ try_files $uri $uri/ =404;
+ }
+
+ location /doc/ {
+ alias /usr/share/doc/lemonldap-ng-doc/;
+ index index.html start.html;
+ }
+ location /lib/ {
+ alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/;
+ }
+ location /fr-doc/ {
+ alias /usr/share/doc/lemonldap-ng-fr-doc/;
+ index index.html start.html;
+ }
+ location /static/ {
+ alias /usr/share/lemonldap-ng/manager/static/;
+ }
+
+ # DEBIAN
+ # If install was made with USEDEBIANLIBS (official releases), uncomment this
+ #location /javascript/ {
+ # alias /usr/share/javascript/;
+ #}
+}
diff --git a/tmpl/nginx-lmlog.conf b/tmpl/nginx-lmlog.conf
new file mode 100644
index 0000000..c41f252
--- /dev/null
+++ b/tmpl/nginx-lmlog.conf
@@ -0,0 +1,3 @@
+log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
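Review bot: The `allow 127.0.0.0/8; deny all;` pair under `location /` does not restrict the manager: the server-level `if ($uri !~ …)` rewrites every other URI to `/manager.psgi/…`, which is then served by `location /manager.psgi` where no allow/deny applies, so access to the manager rests entirely on the `locationRules` of the LLNG configuration. If the intent is to keep the manager reachable only locally, move the two lines into `location /manager.psgi`; otherwise drop them and add `# access is enforced by the LLNG handler (locationRules), not by nginx` so the next reader does not take them for a real restriction. `listen 443;` with `ssl on;` is the deprecated spelling and no `ssl_protocols`/`ssl_ciphers` are set, so the vhost inherits whatever the nginx build defaults are; `listen 443 ssl;` plus an explicit `ssl_protocols TLSv1.2;` would pin that, and the same applies to the portal and test vhosts later in this commit. Since port 80 only redirects to HTTPS, the commented `add_header Strict-Transport-Security` line could be enabled as well.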
diff --git a/tmpl/nginx-lua-headers.conf b/tmpl/nginx-lua-headers.conf
new file mode 100644
index 0000000..24b869c
--- /dev/null
+++ b/tmpl/nginx-lua-headers.conf
@@ -0,0 +1,34 @@
+ auth_request_set $headername1 $upstream_http_headername1;
+ auth_request_set $headervalue1 $upstream_http_headervalue1;
+ auth_request_set $headername2 $upstream_http_headername2;
+ auth_request_set $headervalue2 $upstream_http_headervalue2;
+ auth_request_set $headername3 $upstream_http_headername3;
+ auth_request_set $headervalue3 $upstream_http_headervalue3;
+ auth_request_set $headername4 $upstream_http_headername4;
+ auth_request_set $headervalue4 $upstream_http_headervalue4;
+ auth_request_set $headername5 $upstream_http_headername5;
+ auth_request_set $headervalue5 $upstream_http_headervalue5;
+ auth_request_set $headername6 $upstream_http_headername6;
+ auth_request_set $headervalue6 $upstream_http_headervalue6;
+ auth_request_set $headername7 $upstream_http_headername7;
+ auth_request_set $headervalue7 $upstream_http_headervalue7;
+ auth_request_set $headername8 $upstream_http_headername8;
+ auth_request_set $headervalue8 $upstream_http_headervalue8;
+ auth_request_set $headername9 $upstream_http_headername9;
+ auth_request_set $headervalue9 $upstream_http_headervalue9;
+ auth_request_set $headername10 $upstream_http_headername10;
+ auth_request_set $headervalue10 $upstream_http_headervalue10;
+ auth_request_set $lmcookie $upstream_http_cookie;
+ access_by_lua '
+ i = 1
+ ngx.req.set_header("Cookie",ngx.var.lmcookie)
+ while true do
+ if ngx.var["headername"..i] ~= nil then
+ ngx.req.set_header(ngx.var["headername"..i],ngx.var["headervalue"..i])
+ else
+ break
+ end
+ i = i +1
+ end
+ ';
+
diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf
new file mode 100644
index 0000000..2c28b6d
--- /dev/null
+++ b/tmpl/portal-nginx.conf
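Review bot: `i = 1` inside the `access_by_lua` block declares a Lua global; ngx_lua shares the global environment of inline code between requests of a worker and warns about such globals, so `local i = 1` is the safe form. The loop ends at the first missing `headername<i>`, so at most the ten `auth_request_set` pairs above are ever forwarded; a line such as `# forwards at most 10 handler headers - extend both lists together` would make that coupling visible. The preceding `ngx.req.set_header("Cookie",ngx.var.lmcookie)` replaces the client's Cookie header with the one returned by the handler, which, going by the comment in test-nginx.conf, is what keeps the LLNG session cookie from reaching the application; that deserves a one-line comment here too.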
@@ -0,0 +1,92 @@
+server {
+ listen 80;
+ server_name auth.%%nom_domaine_local;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443;
+ ssl on;
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
+ ssl_client_certificate /etc/ssl/certs/ca.crt;
+ access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
+ server_name auth.%%nom_domaine_local;
+ root /var/lib/lemonldap-ng/portal/;
+
+ location ~ \.pl(?:$|/) {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_param LLTYPE cgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ set $sn $request_uri;
+ if ($sn ~ "^(.*)\?") {
+ set $sn $1;
+ }
+ if ($sn ~ "^/index.pl") {
+ set $sn "/index.pl";
+ }
+ fastcgi_param SCRIPT_NAME $sn;
+ fastcgi_split_path_info ^(.*\.pl)(/.*)$;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ # Uncomment this if you use Auth SSL:
+ #map $ssl_client_s_dn $ssl_client_s_dn_cn {
+ # default "";
+ # ~/CN=(?[^/]+) $CN;
+ #}
+ #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
+ }
+
+ index index.pl;
+ location / {
+ try_files $uri $uri/ =404;
+
+ # Uncomment this if you use https only
+ #add_header Strict-Transport-Security "15768000";
+ }
+
+ # SOAP functions for sessions management (disabled by default)
+ location /index.pl/adminSessions {
+ deny all;
+ }
+
+ # SOAP functions for sessions access (disabled by default)
+ location /index.pl/sessions {
+ deny all;
+ }
+
+ # SOAP functions for configuration access (disabled by default)
+ location /index.pl/config {
+ deny all;
+ }
+
+ # SOAP functions for notification insertion (disabled by default)
+ location /index.pl/notification {
+ deny all;
+ }
+ # SAML2 Issuer
+ rewrite ^/saml/metadata /metadata.pl last;
+ rewrite ^/saml/.* /index.pl last;
+
+ # CAS Issuer
+ rewrite ^/cas/.* /index.pl;
+
+ # OpenID Issuer
+ rewrite ^/openidserver/.* /index.pl last;
+
+ # OpenID Connect Issuer
+ rewrite ^/oauth2/.* /index.pl last;
+ rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;
+
+ # Get Issuer
+ rewrite ^/get/.* /index.pl;
+
+ # Public pages
+ rewrite ^/public.* /public.pl;
+
+ # DEBIAN
+ # If install was made with USEDEBIANLIBS (official releases), uncomment this
+ #location /javascript/ {
+ # alias /usr/share/javascript/;
+ #}
+}
diff --git a/tmpl/test-nginx.conf b/tmpl/test-nginx.conf
new file mode 100644
index 0000000..ad83e3c
--- /dev/null
+++ b/tmpl/test-nginx.conf
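Review bot: `rewrite ^/cas/.* /index.pl;`, `rewrite ^/get/.* /index.pl;` and `rewrite ^/public.* /public.pl;` lack the `last` flag that the SAML, OpenID and OpenID Connect rewrites beside them carry; without it nginx keeps matching the following `rewrite` directives against the rewritten URI, which is harmless with the current set of patterns but is an inconsistency that will surprise whoever adds the next rule. Appending `last` to those three lines makes the block uniform. The commented `#map $ssl_client_s_dn …` hint sits inside `location ~ \.pl(?:$|/)`, but `map` is only accepted in the `http` context, so it cannot be enabled where it stands; a comment pointing to an http-level include would save the next person a failed reload. As in the manager vhost, `ssl on;` with `listen 443;` is the deprecated form and no `ssl_protocols` is set.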
@@ -0,0 +1,104 @@
+server {
+ listen 80;
+ server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443;
+ ssl on;
+ ssl_certificate %%server_cert;
+ ssl_certificate_key %%server_key;
+ ssl_client_certificate /etc/ssl/certs/ca.crt;
+ access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
+
+ server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
+ root /var/lib/lemonldap-ng/test/;
+
+
+ # Internal authentication request
+ location = /lmauth {
+ internal;
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ # To use AuthBasic handler, uncomment this and remove "error_page 401"
+ # fastcgi_param LLTYPE authbasic;
+
+ # Drop post datas
+ fastcgi_pass_request_body off;
+ fastcgi_param CONTENT_LENGTH "";
+
+ # Keep original hostname
+ fastcgi_param HOST $http_host;
+
+ # Keep original request (LLNG server will received /llauth)
+ fastcgi_param X_ORIGINAL_URI $request_uri;
+ }
+
+ # Client requests
+ location / {
+ # Local application
+ index index.pl;
+ try_files $uri $uri/ =404;
+
+ # Reverse proxy
+ #proxy_pass http://remote.server/;
+ #include /etc/nginx/proxy_params;
+
+ ##################################
+ # CALLING AUTHENTICATION #
+ ##################################
+ auth_request /lmauth;
+ auth_request_set $lmremote_user $upstream_http_lm_remote_user;
+ auth_request_set $lmlocation $upstream_http_location;
+ # Uncomment this if CDA is used
+ #auth_request_set $cookie_value $upstream_http_set_cookie;
+ #add_header Set-Cookie $cookie_value;
+ # Remove this for AuthBasic handler
+ error_page 401 $lmlocation;
+
+ ##################################
+ # PASSING HEADERS TO APPLICATION #
+ ##################################
+
+ # IF LUA IS SUPPORTED
+ #include /etc/lemonldap-ng/nginx-lua-headers.conf;
+
+ # ELSE
+ # Set manually your headers
+ #auth_request_set $authuser $upstream_http_auth_user;
+ #proxy_set_header Auth-User $authuser;
+ # OR in the correspondinc block
+ #fastcgi_param HTTP_AUTH_USER $authuser;
+
+ # Then (if LUA not supported), change cookie header to hide LLNG cookie
+ #auth_request_set $lmcookie $upstream_http_cookie;
+ #proxy_set_header Cookie: $lmcookie;
+ # OR in the corresponding block
+ #fastcgi_param HTTP_COOKIE $lmcookie;
+
+ # Uncomment this if you use https only
+ #add_header Strict-Transport-Security "15768000";
+
+ # Set REMOTE_USER (for FastCGI apps only)
+ #fastcgi_param REMOTE_USER $lmremote_user;
+ }
+
+ # Handle test CGI
+ location ~ \.pl$ {
+ include /etc/nginx/fastcgi_params;
+ fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ fastcgi_param LLTYPE cgi;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_split_path_info ^(.*\.pl)(/.+)$;
+ fastcgi_param REMOTE_USER $lmremote_user;
+ }
+
+ #location = /status {
+ # allow 127.0.0.1;
+ # deny all;
+ # include /etc/nginx/fastcgi_params;
+ # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+ # fastcgi_param LLTYPE status;
+ #}
+}
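Review bot: `location ~ \.pl$` carries no `auth_request`, yet it is the location that serves `/index.pl` (and any other `.pl` under `/var/lib/lemonldap-ng/test/`), because a matching regex location wins over the prefix `location /`; a request sent directly to `/index.pl` therefore never hits the `/lmauth` subrequest and reaches the CGI with an empty `$lmremote_user`, while the `fastcgi_param REMOTE_USER $lmremote_user;` line suggests the author expected it to be populated. Only a request for `/` runs the check in `location /` before the `index` redirect. The handler call and the two `auth_request_set` lines should be repeated in the `.pl` location as below, together with `error_page 401 $lmlocation;` so an unauthenticated visitor is redirected to the portal rather than shown a bare 401.
```nginx
  # Handle test CGI
  location ~ \.pl$ {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    # … unchanged: fastcgi_params include, fastcgi_pass, LLTYPE, SCRIPT_FILENAME, split_path_info, REMOTE_USER …
```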