From 536da57382135576a68417722367d636120acd1b Mon Sep 17 00:00:00 2001
From: vfebvre <vfebvre@cadoles.com>
Date: Thu, 3 Sep 2020 16:44:25 +0200
Subject: [PATCH 01/11] parent d08c965ee8959bec8afb87d1c9ee0c137f391f51 author
 vfebvre <vfebvre@cadoles.com> 1599144265 +0200 committer Philippe Caseiro
 <pcaseiro@cadoles.com> 1606220045 +0100

Corrections diverses
---
 README.md                   | 21 +++++++++++++++++
 dicos/70_lemonldap_ng.xml   | 45 ++++++++++++++++++++++++++++++++++---
 postservice/99-lemonldap-ng |  8 ++++++-
 3 files changed, 70 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 21aae0d..70cc7e0 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,27 @@ LemonLDAP::NG EOLE integration
 
 ## Howto
 
+### Repository configuration
+
+* Add the lemonldap-ng deb respository we need the last version of LemonLDAP.
+
+GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
+
+#### LemonLDAP::NG repository (if you use EOLE 2.7.2 this is not needed anymore)
+ 
+* deb     https://lemonldap-ng.org/deb stable main
+* deb-src https://lemonldap-ng.org/deb stable main
+* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 
+
+#### Cadoles Repository
+* deb [ arch=all  ] https://vulcain.cadoles.com 2.7.2-dev main
+* Key URL : https://vulcain.cadoles.com/cadoles.gpg
+
+### Install packages
+
+apt update
+apt install eole-lemonldap
+
 ### Configure LemonLDAP in GenConfig
 
 * Enable lemonldap in "Services" tab
diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index 46be489..70447e9 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -2,6 +2,7 @@
 <creole>
 
     <files>
+<<<<<<< HEAD
 
         <file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
         <file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
@@ -15,7 +16,7 @@
         <file filelist='lemonldap-apache' name='/etc/lemonldap-ng/handler-apache2.X.conf' mkdir='True' rm='True'/>
         <file filelist='lemonldap-apache' name='/etc/lemonldap-ng/portal-apache2.X.conf' mkdir='True' rm='True'/>
 
-        <service>lemonldap-ng-fastcgi-server</service>
+        <service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
 
         <service method='apache' servicelist='lemonldap-apache'>manager-apache2</service>
         <service method='apache' servicelist='lemonldap-apache'>portal-apache2</service>
@@ -49,6 +50,43 @@
             <variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
 
             <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
+=======
+		<!-- Je suis un commentaire -->
+		<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
+        <file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
+		<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
+		<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
+		<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
+		<service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
+		<service_access service='nginx'>
+			<port service_accesslist="saLemon">80</port>
+			<port service_accesslist="saLemon">443</port>
+		</service_access>
+	</files>
+	<variables>
+		<family name='Services'>
+			<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
+				<value>non</value>
+			</variable>
+		</family>
+		<family name='LemonLDAP'>
+			<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
+			<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
+			<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
+			<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
+			<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
+			<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
+			<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
+			<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
+			<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
+			<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
+            <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
+>>>>>>> 70a1c26 (Fix disable if in)
                 <value>4</value>
             </variable>
 
@@ -121,7 +159,6 @@
         <check name="valid_enum" target="llRegisterDB">
             <param>['LDAP','Demo','Custom']</param>
         </check>
-
         <group master="casAttribute">
             <slave>casLDAPAttribute</slave>
         </group>
@@ -132,6 +169,7 @@
             <target type='filelist'>lemonldap-nginx</target>
             <target type='filelist'>lemonldap-apache</target>
             <target type='servicelist'>lemonldap-apache</target>
+            <target type='servicelist'>sllemon</target>
             <target type='family'>LemonLDAP</target>
             <target type='service_accesslist'>saLemon</target>
         </condition>
@@ -170,7 +208,8 @@
         <variable name='activerLemon'>Activer le service LemonLDAP::NG sur ce serveur</variable>
         <variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable>
         <variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable>
-        <variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
+	<variable name='ldapUserBaseDN'>DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr)</variable>
+	<variable name='ldapBindUsererDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
         <variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
         <variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
     </help>
diff --git a/postservice/99-lemonldap-ng b/postservice/99-lemonldap-ng
index 022cef8..33b464a 100644
--- a/postservice/99-lemonldap-ng
+++ b/postservice/99-lemonldap-ng
@@ -1,6 +1,12 @@
 #!/bin/bash
 
-[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0
+
+[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0
+
+# Updating Configuration cache
+
+cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
+opt="update-cache"
 
 # Updating Configuration cache
 /usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1

From 15da7394f33ef887316eb3645a6653cac62fa9f0 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Tue, 24 Nov 2020 13:50:29 +0100
Subject: [PATCH 02/11] Make eole-lemonldap-ng compatible with eolebase

---
 dicos/70_lemonldap_ng.xml        | 2 +-
 dicos/71_lemonldap_ng_scribe.xml | 9 ++++++++-
 tmpl/lemonldap-ng-fastcgi-server | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index 70447e9..6394bb9 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -209,7 +209,7 @@
         <variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable>
         <variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable>
 	<variable name='ldapUserBaseDN'>DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr)</variable>
-	<variable name='ldapBindUsererDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
+	<variable name='ldapBindUserDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
         <variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
         <variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
     </help>
diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml
index 29240ea..4fa6769 100644
--- a/dicos/71_lemonldap_ng_scribe.xml
+++ b/dicos/71_lemonldap_ng_scribe.xml
@@ -6,7 +6,14 @@
     <variables>
 
         <family name='eole sso'>
-            <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" />
+            <variable name='eolesso_adresse'  description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
+            <variable name='ldap_tls' redefine="True" exists='True' />
+	    <variable name='eolesso_cas_folder' redefine="True" exists='True'>
+		    <value>cas</value>
+	    </variable>
+	    <variable name='eolesso_port' redefine="True" exists='True'>
+		    <value>443</value>
+	    </variable>
         </family>
 
     </variables>
diff --git a/tmpl/lemonldap-ng-fastcgi-server b/tmpl/lemonldap-ng-fastcgi-server
index 9942b4c..dafed7d 100644
--- a/tmpl/lemonldap-ng-fastcgi-server
+++ b/tmpl/lemonldap-ng-fastcgi-server
@@ -1,5 +1,5 @@
 # Number of process (default: 7)
-NPROC = %%lemonproc
+NPROC=%%lemonproc
 
 # Unix socket to listen to
 SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock

From 5d4e5729678f3a238450297e8b4f204733dc1077 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 13:21:49 +0100
Subject: [PATCH 03/11] Fixing log format

---
 tmpl/nginx-lmlog.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tmpl/nginx-lmlog.conf b/tmpl/nginx-lmlog.conf
index c41f252..3db97b1 100644
--- a/tmpl/nginx-lmlog.conf
+++ b/tmpl/nginx-lmlog.conf
@@ -1,3 +1,3 @@
-log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
+log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
 	'"$request" $status $body_bytes_sent '
-	'"$http_referer" "$http_user_agent"';
+	'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';

From 8af3ee655fbafaa559d240553bf176cb92299751 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 13:43:33 +0100
Subject: [PATCH 04/11] Cleanup dico

---
 dicos/70_lemonldap_ng.xml | 39 ---------------------------------------
 1 file changed, 39 deletions(-)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index 6394bb9..aa616c0 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -2,8 +2,6 @@
 <creole>
 
     <files>
-<<<<<<< HEAD
-
         <file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
         <file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
         <file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
@@ -50,43 +48,6 @@
             <variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
 
             <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
-=======
-		<!-- Je suis un commentaire -->
-		<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
-        <file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
-		<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
-		<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
-		<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
-		<service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
-		<service_access service='nginx'>
-			<port service_accesslist="saLemon">80</port>
-			<port service_accesslist="saLemon">443</port>
-		</service_access>
-	</files>
-	<variables>
-		<family name='Services'>
-			<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
-				<value>non</value>
-			</variable>
-		</family>
-		<family name='LemonLDAP'>
-			<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
-			<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
-			<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
-			<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
-			<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
-			<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
-			<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
-			<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
-			<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
-			<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
-            <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
->>>>>>> 70a1c26 (Fix disable if in)
                 <value>4</value>
             </variable>
 

From 4af11f3d28b6b231f5724ff89d6911410086dcc8 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 13:47:47 +0100
Subject: [PATCH 05/11] Cleanup dico and support for loglevel

---
 dicos/70_lemonldap_ng.xml | 47 +++++++--------------------------------
 1 file changed, 8 insertions(+), 39 deletions(-)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index 6394bb9..cbf69ad 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -2,8 +2,6 @@
 <creole>
 
     <files>
-<<<<<<< HEAD
-
         <file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
         <file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
         <file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
@@ -50,46 +48,13 @@
             <variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
 
             <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
-=======
-		<!-- Je suis un commentaire -->
-		<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
-		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
-        <file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
-		<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
-		<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
-		<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
-		<service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
-		<service_access service='nginx'>
-			<port service_accesslist="saLemon">80</port>
-			<port service_accesslist="saLemon">443</port>
-		</service_access>
-	</files>
-	<variables>
-		<family name='Services'>
-			<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
-				<value>non</value>
-			</variable>
-		</family>
-		<family name='LemonLDAP'>
-			<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
-			<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
-			<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
-			<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
-			<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
-			<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
-			<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
-			<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
-			<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
-			<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
-            <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
->>>>>>> 70a1c26 (Fix disable if in)
                 <value>4</value>
             </variable>
 
+            <variable name="lm_loglevel" type='string' description="Verbosité des journaux" mode='expert'>
+                <value>info</value>
+            </variable>
+
             <variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
                 <value>admin</value>
             </variable>
@@ -156,6 +121,10 @@
             <param>['ldaps','ldap']</param>
         </check>
 
+        <check name='valid_enum' target="lm_loglevel">
+            <param>['info','notice','warn','error','debug'</param>
+        </check>
+
         <check name="valid_enum" target="llRegisterDB">
             <param>['LDAP','Demo','Custom']</param>
         </check>

From 8ec486eafc113553282debc011e7183b4746ef8c Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 13:48:14 +0100
Subject: [PATCH 06/11] Adding syslog configuration

---
 tmpl/lemonldap-ng.ini | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini
index 0f497ae..25e511c 100644
--- a/tmpl/lemonldap-ng.ini
+++ b/tmpl/lemonldap-ng.ini
@@ -36,7 +36,7 @@
 ;
 ; 1 - Defined logging level
 ;   Set here one of error, warn, notice, info or debug
-logLevel     = debug
+logLevel     = %%lm_loglevel
 ; Note that this has no effect for Apache2 logging: Apache LogLevel is used
 ; instead
 ;
@@ -65,9 +65,9 @@ logLevel     = debug
 ; 2.1 - Using Syslog
 ;
 ;   For Syslog logging, you can also overwrite facilities. Default values:
-;logger             = Lemonldap::NG::Common::Logger::Syslog
-;syslogFacility     = daemon
-;userSyslogFacility = auth
+logger             = Lemonldap::NG::Common::Logger::Syslog
+syslogFacility     = daemon
+userSyslogFacility = auth
 ;
 ; 2.2 - Using Log4perl
 ;

From d1ad6aeb25cb4d8462f474448bee0f535b54496e Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 14:09:15 +0100
Subject: [PATCH 07/11] Fix lm_loglevel

---
 dicos/70_lemonldap_ng.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index cbf69ad..d165088 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -122,7 +122,7 @@
         </check>
 
         <check name='valid_enum' target="lm_loglevel">
-            <param>['info','notice','warn','error','debug'</param>
+            <param>['info','notice','warn','error','debug']</param>
         </check>
 
         <check name="valid_enum" target="llRegisterDB">

From 52e5c433eb9c13e2e1f3950d4dbb747311ac2c59 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 16:53:02 +0100
Subject: [PATCH 08/11] Enable option for SSL verify

---
 dicos/70_lemonldap_ng.xml | 3 +++
 tmpl/lmConf-1.json        | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index d165088..c13c7ad 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -84,6 +84,9 @@
             <variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
                 <value>oui</value>
             </variable>
+            <variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP">
+                <value>oui</value>
+            </variable>
             <variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
             <variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
             <variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json
index 1397ff0..5980d67 100644
--- a/tmpl/lmConf-1.json
+++ b/tmpl/lmConf-1.json
@@ -173,6 +173,13 @@
     "ldapPpolicyControl": 0,
     "ldapPwdEnc": "utf-8",
     "ldapServer": "%%ldapScheme://%%ldapServer",
+%if %%ldapScheme == "ldaps"
+   %if %%lmldapverify == "oui"
+    "ldapVerify": "required",
+   %else
+    "ldapVerify": "none",
+   %end if
+%end if
     "ldapSetPassword": 0,
     "ldapTimeout": 120,
     "ldapUsePasswordResetAttribute": 1,

From 03a00fb7ce6e091bd479674e476dbd50f3b2a82e Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 16:58:32 +0100
Subject: [PATCH 09/11] Cleanup ldap_tls redefine

---
 dicos/71_lemonldap_ng_scribe.xml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml
index 4fa6769..fdc706f 100644
--- a/dicos/71_lemonldap_ng_scribe.xml
+++ b/dicos/71_lemonldap_ng_scribe.xml
@@ -5,16 +5,19 @@
 
     <variables>
 
-        <family name='eole sso'>
-            <variable name='eolesso_adresse'  description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
-            <variable name='ldap_tls' redefine="True" exists='True' />
-	    <variable name='eolesso_cas_folder' redefine="True" exists='True'>
-		    <value>cas</value>
-	    </variable>
-	    <variable name='eolesso_port' redefine="True" exists='True'>
-		    <value>443</value>
-	    </variable>
-        </family>
+    <family name='eole sso'>
+        <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
+        <variable name='eolesso_cas_folder' redefine="True" exists='True'>
+            <value>cas</value>
+        </variable>
+        <variable name='eolesso_port' redefine="True" exists='True'>
+            <value>443</value>
+        </variable>
+    </family>
+
+    <family name='annuaire'>
+        <variable name='ldap_tls' description="Utiliser SSL ou TLS" redefine="True" exists='True' />
+    </family>
 
     </variables>
 

From 63bf3c9f98c0fe8c6ecae660e931921091c11f09 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Thu, 26 Nov 2020 17:13:37 +0100
Subject: [PATCH 10/11] UserBaseDN and BaseDN is not the same thing We need to
 use the user base dn

---
 dicos/70_lemonldap_ng.xml        | 6 +++---
 dicos/71_lemonldap_ng_scribe.xml | 8 --------
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index c13c7ad..df54a8d 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -46,6 +46,9 @@
             <variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
             <variable name='ldapBindUserPassword' type='password' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
             <variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
+            <variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP">
+                <value>oui</value>
+            </variable>
 
             <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
                 <value>4</value>
@@ -84,9 +87,6 @@
             <variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
                 <value>oui</value>
             </variable>
-            <variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP">
-                <value>oui</value>
-            </variable>
             <variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
             <variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
             <variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml
index fdc706f..d03e59f 100644
--- a/dicos/71_lemonldap_ng_scribe.xml
+++ b/dicos/71_lemonldap_ng_scribe.xml
@@ -15,10 +15,6 @@
         </variable>
     </family>
 
-    <family name='annuaire'>
-        <variable name='ldap_tls' description="Utiliser SSL ou TLS" redefine="True" exists='True' />
-    </family>
-
     </variables>
 
     <constraints>
@@ -61,10 +57,6 @@
             <param type='eole'>ldap_port</param>
         </auto>
 
-        <auto name='calc_val' target='ldapUserBaseDN'>
-            <param type='eole'>ldap_base_dn</param>
-        </auto>
-
         <auto name='calc_val' target='ldapBindUserDN'>
             <param type='eole'>ldap_reader</param>
         </auto>

From 200c9c41e94e5a2dc914e6bd0141a427977b9ea2 Mon Sep 17 00:00:00 2001
From: Philippe Caseiro <pcaseiro@cadoles.com>
Date: Wed, 2 Dec 2020 11:52:11 +0100
Subject: [PATCH 11/11] Using Active Directory (samba4) instead of OpenLDAP

Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
---
 dicos/70_lemonldap_ng.xml        | 20 ++++++++++++++++++
 dicos/71_lemonldap_ng_scribe.xml | 36 +++++++++++++++-----------------
 tmpl/handler-apache2.X.conf      | 11 ++++++++++
 tmpl/lmConf-1.json               | 30 +++++++++++++++++++++-----
 tmpl/manager-apache2.X.conf      |  6 +++---
 tmpl/portal-apache2.X.conf       |  6 +++---
 6 files changed, 79 insertions(+), 30 deletions(-)

diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml
index df54a8d..e4d49fc 100644
--- a/dicos/70_lemonldap_ng.xml
+++ b/dicos/70_lemonldap_ng.xml
@@ -27,6 +27,14 @@
     </files>
 
     <variables>
+        <family name='eole-sso'>
+            <variable name='eolesso_cas_folder' redefine="True" exists='True'>
+                <value>/cas</value>
+            </variable>
+            <variable name='eolesso_port' redefine="True" exists='True'>
+                <value>443</value>
+            </variable>
+        </family>
         <family name='Services'>
             <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
                 <value>non</value>
@@ -39,6 +47,10 @@
             <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
             <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
 
+	    <variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
+                <value>LDAP</value>
+            </variable>
+
             <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
             <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
             <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@@ -83,6 +95,9 @@
             <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
                 <value>oui</value>
             </variable>
+            <variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
+                <value>oui</value>
+            </variable>
             <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
             <variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
                 <value>oui</value>
@@ -124,6 +139,10 @@
             <param>['ldaps','ldap']</param>
         </check>
 
+        <check name="valid_enum" target="lemon_user_db">
+            <param>['LDAP','AD']</param>
+        </check>
+
         <check name='valid_enum' target="lm_loglevel">
             <param>['info','notice','warn','error','debug']</param>
         </check>
@@ -168,6 +187,7 @@
         <condition name='disabled_if_in' source='llResetPassword'>
             <param>non</param>
             <target type='variable'>llResetUrl</target>
+            <target type='variable'>llResetExpiredPassword</target>
         </condition>
         <check name='valid_enum' target='llSkin'>
             <param>['bootstrap','dark','impact','pastel']</param>
diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml
index d03e59f..7a5ca95 100644
--- a/dicos/71_lemonldap_ng_scribe.xml
+++ b/dicos/71_lemonldap_ng_scribe.xml
@@ -5,20 +5,13 @@
 
     <variables>
 
-    <family name='eole sso'>
-        <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
-        <variable name='eolesso_cas_folder' redefine="True" exists='True'>
-            <value>cas</value>
-        </variable>
-        <variable name='eolesso_port' redefine="True" exists='True'>
-            <value>443</value>
-        </variable>
-    </family>
+        <family name='eole sso'>
+            <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
+        </family>
 
     </variables>
 
     <constraints>
-
         <fill name='calc_multi_condition' target='activer_sso'>
             <param>oui</param>
             <param type='eole' name='condition_1'>activerLemon</param>
@@ -31,11 +24,8 @@
             <target type='variable'>activer_sso</target>
         </condition>
 
-        <auto name='calc_multi_condition' target='ldapScheme'>
-            <param>oui</param>
-            <param type='eole' name='condition_1'>ldap_tls</param>
-            <param name='match'>ldaps</param>
-            <param name='default_mismatch'>ldap</param>
+        <auto name='calc_val' target='ldapScheme'>
+            <param>ldaps</param>
         </auto>
 
         <fill name='calc_val_first_value' target='eolesso_adresse'>
@@ -44,25 +34,33 @@
             <param type='eole'>nom_domaine_machine</param>
         </fill>
 
+        <auto name='calc_val' target='ldap_port'>
+	    <param>636</param>
+	</auto>
+
         <condition name='frozen_if_in' source='activerLemon'>
             <param>oui</param>
             <target type='variable'>eolesso_adresse</target>
         </condition>
 
         <auto name='calc_val' target='ldapServer'>
-            <param type='eole'>adresse_ip_ldap</param>
+            <param type='eole'>ad_address</param>
         </auto>
 
         <auto name='calc_val' target='ldapServerPort'>
-            <param type='eole'>ldap_port</param>
+            <param type='number'>636</param>
+        </auto>
+
+        <auto name='calc_val' target='lemon_user_db'>
+            <param>AD</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserDN'>
-            <param type='eole'>ldap_reader</param>
+            <param type='eole'>sasl_ldap_reader</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserPassword'>
-            <param type='eole'>ldap_reader_passfile</param>
+	    <param>/etc/eole/private/sasl-reader.password</param>
         </auto>
 
         <auto name='calc_val' target='casFolder'>
diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf
index c42747b..d33da34 100644
--- a/tmpl/handler-apache2.X.conf
+++ b/tmpl/handler-apache2.X.conf
@@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%reloadWebName
 
+    SSLEngine on
+    SSLCertificateFile   %%server_cert
+    SSLCertificateKeyFile %%server_key
+    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+    SSLProtocol all -SSLv3 -SSLv2
+    SSLProxyEngine on
+
+    LogLevel %%lm_loglevel
+
+    ErrorLog /var/log/apache2/handler_error.log
+    CustomLog /var/log/apache2/handler_access.log common
     # Configuration reload mechanism (only 1 per physical server is
     # needed): choose your URL to avoid restarting Apache when
     # configuration change
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json
index 5980d67..4fd5af5 100644
--- a/tmpl/lmConf-1.json
+++ b/tmpl/lmConf-1.json
@@ -85,7 +85,7 @@
     },
     "authChoiceModules": {},
     "authChoiceParam": "lmAuth",
-    "authentication": "LDAP",
+    "authentication": "%%lemon_user_db",
     "browserIdAuthnLevel": 1,
     "captchaStorage": "Apache::Session::File",
     "captchaStorageOptions": {
@@ -152,10 +152,27 @@
     "issuerDBSAMLRule": 1,
     "jsRedirect": 0,
     "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+  %if %%llResetExpiredPassword == "oui"
+    %if %%lemon_user_db == "AD"
+    "ldapPpolicyControl": 0,
+    %else
+    "ldapPpolicyControl": 1,
+    %end if
+    "ldapAllowResetExpiredPassword": 1,
+  %else
+    "ldapPpolicyControl": 0,
     "ldapAllowResetExpiredPassword": 0,
+  %end if
+%end if
+    "ldapChangePasswordAsUser": 1,
     "ldapAuthnLevel": 2,
+%if %%eole_module == "scribe"
+    "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
     "ldapBase": "%%ldapUserBaseDN",
-    "ldapChangePasswordAsUser": 0,
+%end if
+    "ldapSearchDeref": "find",
     "ldapExportedVars": {
         "cn": "cn",
         "mail": "mail",
@@ -170,7 +187,6 @@
     "ldapPasswordResetAttribute": "pwdReset",
     "ldapPasswordResetAttributeValue": "TRUE",
     "ldapPort": "%%ldapServerPort",
-    "ldapPpolicyControl": 0,
     "ldapPwdEnc": "utf-8",
     "ldapServer": "%%ldapScheme://%%ldapServer",
 %if %%ldapScheme == "ldaps"
@@ -218,7 +234,11 @@
     %end if
 %end if
     "maintenance": 0,
+%if %%eole_module == "scribe"
+    "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
     "managerDn": "%%ldapBindUserDN",
+%end if
 %if %%is_file(%%ldapBindUserPassword)
     "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
@@ -251,7 +271,7 @@
     "openIdSreg_fullname": "cn",
     "openIdSreg_nickname": "uid",
     "openIdSreg_timezone": "_timezone",
-    "passwordDB": "LDAP",
+    "passwordDB": "%%lemon_user_db",
     "persistentStorage": "Apache::Session::File",
     "persistentStorageOptions": {
         "Directory": "/var/lib/lemonldap-ng/psessions",
@@ -371,7 +391,7 @@
     "useRedirectOnForbidden": 0,
     "useSafeJail": 1,
     "userControl": "^[\\w\\.\\-@]+$",
-    "userDB": "LDAP",
+    "userDB": "%%lemon_user_db",
     "vhostOptions": {
         "%%managerWebName": {
             "vhostHttps": "1"
diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf
index 9bca544..cf6fcbd 100644
--- a/tmpl/manager-apache2.X.conf
+++ b/tmpl/manager-apache2.X.conf
@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%managerWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/manager_error.log
     CustomLog /var/log/apache2/manager_access.log common
 
diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf
index 71fb6c1..5ab967d 100644
--- a/tmpl/portal-apache2.X.conf
+++ b/tmpl/portal-apache2.X.conf
@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%authWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/portal_error.log
     CustomLog /var/log/apache2/portal_access.log common