From 200c9c41e94e5a2dc914e6bd0141a427977b9ea2 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 2 Dec 2020 11:52:11 +0100 Subject: [PATCH 1/2] Using Active Directory (samba4) instead of OpenLDAP Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one --- dicos/70_lemonldap_ng.xml | 20 ++++++++++++++++++ dicos/71_lemonldap_ng_scribe.xml | 36 +++++++++++++++----------------- tmpl/handler-apache2.X.conf | 11 ++++++++++ tmpl/lmConf-1.json | 30 +++++++++++++++++++++----- tmpl/manager-apache2.X.conf | 6 +++--- tmpl/portal-apache2.X.conf | 6 +++--- 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index df54a8d..e4d49fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -27,6 +27,14 @@ + + + /cas + + + 443 + + non @@ -39,6 +47,10 @@ + + LDAP + + @@ -83,6 +95,9 @@ oui + + oui + oui @@ -124,6 +139,10 @@ ['ldaps','ldap'] + + ['LDAP','AD'] + + ['info','notice','warn','error','debug'] @@ -168,6 +187,7 @@ non llResetUrl + llResetExpiredPassword ['bootstrap','dark','impact','pastel'] diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index d03e59f..7a5ca95 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,20 +5,13 @@ - - - - cas - - - 443 - - + + + - oui activerLemon @@ -31,11 +24,8 @@ activer_sso - - oui - ldap_tls - ldaps - ldap + + ldaps @@ -44,25 +34,33 @@ nom_domaine_machine + + 636 + + oui eolesso_adresse - adresse_ip_ldap + ad_address - ldap_port + 636 + + + + AD - ldap_reader + sasl_ldap_reader - ldap_reader_passfile + /etc/eole/private/sasl-reader.password diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf index c42747b..d33da34 100644 --- a/tmpl/handler-apache2.X.conf +++ b/tmpl/handler-apache2.X.conf 
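Review bot: The scribe dictionary hunk appears to bind the portal to AD as `sasl_ldap_reader` with its secret read from `/etc/eole/private/sasl-reader.password`, i.e. the credential the SASL layer already uses; the XML tags are stripped in this view, so that is inferred from the visible values. Reusing one service credential between the SSO portal and SASL means a leak or rotation of either affects both, and since `lmConf-1.json` in this same patch now sets `ldapChangePasswordAsUser` to 1 the portal only needs read access, so a dedicated read-only bind account for LemonLDAP::NG would be the least-privilege choice. If the shared account is kept, the variable's description should at least say `Read-only AD account used by LemonLDAP::NG; must not hold password-reset rights` so nobody later grants it write access "to make password change work".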
@@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503 ServerName %%reloadWebName + SSLEngine on + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key + SSLCertificateChainFile /etc/ssl/certs/ca_local.crt + SSLProtocol all -SSLv3 -SSLv2 + SSLProxyEngine on + + LogLevel %%lm_loglevel + + ErrorLog /var/log/apache2/handler_error.log + CustomLog /var/log/apache2/handler_access.log common # Configuration reload mechanism (only 1 per physical server is # needed): choose your URL to avoid restarting Apache when # configuration change diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 5980d67..4fd5af5 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -85,7 +85,7 @@ }, "authChoiceModules": {}, "authChoiceParam": "lmAuth", - "authentication": "LDAP", + "authentication": "%%lemon_user_db", "browserIdAuthnLevel": 1, "captchaStorage": "Apache::Session::File", "captchaStorageOptions": { @@ -152,10 +152,27 @@ "issuerDBSAMLRule": 1, "jsRedirect": 0, "key": "e\"bTCt3*eU9^\\V%b", +%if %%llResetPassword == "oui" + %if %%llResetExpiredPassword == "oui" + %if %%lemon_user_db == "AD" + "ldapPpolicyControl": 0, + %else + "ldapPpolicyControl": 1, + %end if + "ldapAllowResetExpiredPassword": 1, + %else + "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + %end if +%end if + "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, +%if %%eole_module == "scribe" + "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "ldapBase": "%%ldapUserBaseDN", - "ldapChangePasswordAsUser": 0, +%end if + "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", @@ -170,7 +187,6 @@ "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", "ldapPort": "%%ldapServerPort", - "ldapPpolicyControl": 0, "ldapPwdEnc": "utf-8", "ldapServer": "%%ldapScheme://%%ldapServer", %if %%ldapScheme == "ldaps" 
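Review bot: `SSLProtocol all -SSLv3 -SSLv2` on the new handler vhost still admits TLS 1.0 and 1.1, which are deprecated; change it to `SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1` and add `SSLHonorCipherOrder on` with an explicit `SSLCipherSuite` so the reload endpoint negotiates only modern suites. `SSLCertificateChainFile` is deprecated since Apache 2.4.8 in favour of placing the chain in `SSLCertificateFile`, so that line is at best a warning on newer httpd (it is copied from the existing portal and manager vhosts, so fix them together). `SSLProxyEngine on` comes with no `SSLProxyVerify require` / `SSLProxyCACertificateFile`, so if this vhost proxies anything upstream the peer certificate is not checked — harmless only if it never proxies. The vhost body continues past the hunk.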
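Review bot: The new `%if %%llResetPassword == "oui"` block emits `ldapPpolicyControl` and `ldapAllowResetExpiredPassword` only when reset is enabled, and the next hunk drops the previously unconditional `"ldapPpolicyControl": 0,`, so with reset disabled the rendered JSON carries neither key and silently relies on LemonLDAP::NG defaults; add an outer `%else` that writes `"ldapPpolicyControl": 0,` and `"ldapAllowResetExpiredPassword": 0,` so the rendered file states what it does. Flipping `ldapChangePasswordAsUser` to 1 means the portal rebinds as the user to change the password, so the manager DN must not be granted write rights on AD passwords; a template comment at that line reading `portal rebinds as the user to change passwords; the manager account needs read access only` would keep that intent from being undone later. Unrelated to this change but visible in context, `"key": "e\"bTCt3*eU9^\\V%b"` ships a fixed secret in the template; if nothing overwrites it at deployment every installation shares the same key, so it should be generated per host and read from a protected file the way `managerPassword` is.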
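Review bot: `ldapServer` is rendered as `%%ldapScheme://%%ldapServer`, which on scribe now points at the Samba AD host over ldaps, and the `%if %%ldapScheme == "ldaps"` branch that begins on the hunk's last line is outside the hunk, so I cannot see whether it configures certificate verification. Samba AD's LDAPS certificate is self-signed by default, so unless that branch sets `"ldapVerify": "require"` together with `"ldapCAFile"` pointing at the CA that signed the Samba certificate, the portal will either refuse the connection or, if verification is off, accept any certificate on port 636 and expose the bind credentials and user passwords to an on-path attacker. Please confirm the branch sets both, and note it in the dictionary help for the ldaps choice.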
@@ -218,7 +234,11 @@ %end if %end if "maintenance": 0, +%if %%eole_module == "scribe" + "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "managerDn": "%%ldapBindUserDN", +%end if %if %%is_file(%%ldapBindUserPassword) "managerPassword": "%%readPass("", %%ldapBindUserPassword)", %else @@ -251,7 +271,7 @@ "openIdSreg_fullname": "cn", "openIdSreg_nickname": "uid", "openIdSreg_timezone": "_timezone", - "passwordDB": "LDAP", + "passwordDB": "%%lemon_user_db", "persistentStorage": "Apache::Session::File", "persistentStorageOptions": { "Directory": "/var/lib/lemonldap-ng/psessions", @@ -371,7 +391,7 @@ "useRedirectOnForbidden": 0, "useSafeJail": 1, "userControl": "^[\\w\\.\\-@]+$", - "userDB": "LDAP", + "userDB": "%%lemon_user_db", "vhostOptions": { "%%managerWebName": { "vhostHttps": "1" diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf index 9bca544..cf6fcbd 100644 --- a/tmpl/manager-apache2.X.conf +++ b/tmpl/manager-apache2.X.conf @@ -13,13 +13,13 @@ ServerName %%managerWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/manager_error.log CustomLog /var/log/apache2/manager_access.log common diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf index 71fb6c1..5ab967d 100644 --- a/tmpl/portal-apache2.X.conf +++ b/tmpl/portal-apache2.X.conf 
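Review bot: `"managerPassword": "%%readPass("", %%ldapBindUserPassword)"` copies the AD bind secret in clear into the rendered configuration, so the rendered `lmConf-1.json` must be owned by root and readable only by the LemonLDAP::NG web user; the file declaration that would carry its mode is in the (stripped) dictionary and not visible here, and the `%else` branch of `%%is_file` lies outside the hunk. The scribe `managerDn` is built by concatenation as `cn=%%ldapBindUserDN,cn=Users,dc=…`, so a `ldapBindUserDN` that already holds a full DN would render an invalid DN and every bind would fail; a template comment stating `ldapBindUserDN is the bare CN of the bind account (e.g. sasl_ldap_reader), not a DN` above the scribe branch would prevent that misconfiguration.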
@@ -13,13 +13,13 @@ ServerName %%authWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/portal_error.log CustomLog /var/log/apache2/portal_access.log common From fe8722e776db1e7b607a61e4c9285ef0a1f184ff Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Mon, 7 Dec 2020 11:58:50 +0100 Subject: [PATCH 2/2] =?UTF-8?q?Activer=20la=20possibilit=C3=A9=20de=20chan?= =?UTF-8?q?ger=20son=20mot=20de=20passe=20depuis=20LemonLDAP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ref #31347 --- dicos/70_lemonldap_ng.xml | 7 +++++-- dicos/71_lemonldap_ng_scribe.xml | 4 ++++ tmpl/lemonldap-ng.ini | 4 ++-- tmpl/lmConf-1.json | 21 ++++++++++++++++----- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index e4d49fc..b3c72fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -92,7 +92,10 @@ non - + + oui + + oui @@ -148,7 +151,7 @@ - ['LDAP','Demo','Custom'] + ['LDAP','AD','Demo','Custom'] casLDAPAttribute diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 7a5ca95..691bd0c 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -55,6 +55,10 @@ AD + + AD + + sasl_ldap_reader diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini index 25e511c..81874bd 100644 --- a/tmpl/lemonldap-ng.ini +++ b/tmpl/lemonldap-ng.ini 
@@ -197,11 +197,11 @@ portalSkin = %%llSkin ; Modules displayed ;portalDisplayLogout = 1 portalDisplayResetPassword = %%boolean[%%llResetPassword] -;portalDisplayChangePassword = 1 +portalDisplayChangePassword = %%boolean[%%llChangePassword] ;portalDisplayAppslist = 1 ;portalDisplayLoginHistory = 1 ; Require the old password when changing password -;portalRequireOldPassword = 1 +portalRequireOldPassword = %%boolean[%%llChangePassword] ; Attribute displayed as connected user ;portalUserAttr = mail ; Old menu HTML code diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 4fd5af5..b136925 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -160,19 +160,29 @@ "ldapPpolicyControl": 1, %end if "ldapAllowResetExpiredPassword": 1, + "ldapChangePasswordAsUser": 1, %else "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + "ldapChangePasswordAsUser": 1, %end if %end if - "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, + "ldapSearchDeref": "find", %if %%eole_module == "scribe" "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' + "ldapExportedVars": { + "cn": "cn", + "mail": "mail", + "uid": "cn" + }, + "ldapGroupAttributeName": "memberUid", + "ldapGroupAttributeNameGroup": "dn", + "ldapGroupAttributeNameSearch": "cn", + "ldapGroupAttributeNameUser": "cn", + "ldapGroupObjectClass": "group", %else "ldapBase": "%%ldapUserBaseDN", -%end if - "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", @@ -183,6 +193,7 @@ "ldapGroupAttributeNameSearch": "cn", "ldapGroupAttributeNameUser": "uid", "ldapGroupObjectClass": "eolegroupe", +%end if "ldapGroupRecursive": 0, "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", @@ -228,7 +239,7 @@ "mailTimeout": 0, %if %%llResetPassword == "oui" %if %%is_empty(%%llResetUrl) - "mailUrl": "https://%%authWebName/mail.pl", + "mailUrl": "https://%%authWebName/resetpwd", %else "mailUrl": "%%llResetUrl", %end if 
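Review bot: `portalRequireOldPassword = %%boolean[%%llChangePassword]` derives a security control from a display toggle: when `llChangePassword` is "non" the old-password requirement is switched off instead of being left at its safe value, and the two settings mean different things. Set it unconditionally, `portalRequireOldPassword = 1`, and keep only `portalDisplayChangePassword` on the variable. If changing a password without the old one is ever a real requirement, it deserves its own variable with an explicit description rather than riding on the display flag.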
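Review bot: `"ldapChangePasswordAsUser": 1` is moved into both branches of the `%if %%llResetExpiredPassword` test, but that test sits under `%if %%llResetPassword == "oui"` (the opening `%if` is above the hunk), so when reset is disabled and the new change-password feature is enabled the key is not emitted at all and LemonLDAP::NG falls back to its default of changing passwords with the manager DN — which then needs write rights on AD passwords, the opposite of what the first patch set up. Put the line back outside the conditional after the closing `%end if`, as the first patch had it: `"ldapChangePasswordAsUser": 1,`. The scribe group mapping (`ldapGroupAttributeName: memberUid` with `ldapGroupAttributeNameUser: cn`) matches posix `memberUid` values against the user's `cn`, which only works if cn and sAMAccountName coincide on scribe AD; that assumption is worth a template comment since a mismatch silently yields empty groups and therefore wrong access rules. The `%if %%eole_module == "scribe"` branch continues past the hunk.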
@@ -281,7 +292,7 @@ "portalAntiFrame": 1, "portalCheckLogins": %%boolean[%%llCheckLogins], "portalDisplayAppslist": 1, - "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", + "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/", "portalDisplayLoginHistory": 1, "portalDisplayLogout": 1, "portalDisplayRegister": 1,
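Review bot: `portalDisplayChangePassword` is now defined twice with different semantics: here as the rule `$_auth =~ /^(AD|LDAP|DBI|Demo)$/`, and in this same patch in `lemonldap-ng.ini` as `portalDisplayChangePassword = %%boolean[%%llChangePassword]`. If I remember the precedence correctly the local ini value overrides the configuration backend, so the `%%llChangePassword` boolean wins and the auth-module rule is dead — or the reverse if precedence is the other way; either way one definition silently loses and an operator setting `llChangePassword` to "non" may still see the form. Keep a single source, for instance drop the ini line and render `"portalDisplayChangePassword": "%%boolean[%%llChangePassword] and $_auth =~ /^(AD|LDAP|DBI|Demo)$/"`, so the form is offered only when the feature is enabled and the backend supports it.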