Merge branch 'master' into dist/eole/2.7.2/master

This commit is contained in:
Philippe Caseiro 2020-12-09 09:29:03 +01:00
commit 9b8e8acce3
7 changed files with 103 additions and 36 deletions

View File

@ -27,6 +27,14 @@
</files> </files>
<variables> <variables>
<family name='eole-sso'>
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>/cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
<family name='Services'> <family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG"> <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value> <value>non</value>
@ -39,6 +47,10 @@
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/> <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/> <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
<value>LDAP</value>
</variable>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/> <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/> <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@ -80,7 +92,13 @@
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection"> <variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
<value>non</value> <value>non</value>
</variable> </variable>
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe"> <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe par mail">
<value>oui</value>
</variable>
<variable name='llChangePassword' type='oui/non' description="Permettre aux utilisateurs de changer leurs mots de passe depuis LemonLDAP">
<value>oui</value>
</variable>
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
<value>oui</value> <value>oui</value>
</variable> </variable>
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" /> <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
@ -124,12 +142,16 @@
<param>['ldaps','ldap']</param> <param>['ldaps','ldap']</param>
</check> </check>
<check name="valid_enum" target="lemon_user_db">
<param>['LDAP','AD']</param>
</check>
<check name='valid_enum' target="lm_loglevel"> <check name='valid_enum' target="lm_loglevel">
<param>['info','notice','warn','error','debug']</param> <param>['info','notice','warn','error','debug']</param>
</check> </check>
<check name="valid_enum" target="llRegisterDB"> <check name="valid_enum" target="llRegisterDB">
<param>['LDAP','Demo','Custom']</param> <param>['LDAP','AD','Demo','Custom']</param>
</check> </check>
<group master="casAttribute"> <group master="casAttribute">
<slave>casLDAPAttribute</slave> <slave>casLDAPAttribute</slave>
@ -168,6 +190,7 @@
<condition name='disabled_if_in' source='llResetPassword'> <condition name='disabled_if_in' source='llResetPassword'>
<param>non</param> <param>non</param>
<target type='variable'>llResetUrl</target> <target type='variable'>llResetUrl</target>
<target type='variable'>llResetExpiredPassword</target>
</condition> </condition>
<check name='valid_enum' target='llSkin'> <check name='valid_enum' target='llSkin'>
<param>['bootstrap','dark','impact','pastel']</param> <param>['bootstrap','dark','impact','pastel']</param>

View File

@ -7,18 +7,11 @@
<family name='eole sso'> <family name='eole sso'>
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' /> <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family> </family>
</variables> </variables>
<constraints> <constraints>
<fill name='calc_multi_condition' target='activer_sso'> <fill name='calc_multi_condition' target='activer_sso'>
<param>oui</param> <param>oui</param>
<param type='eole' name='condition_1'>activerLemon</param> <param type='eole' name='condition_1'>activerLemon</param>
@ -31,11 +24,8 @@
<target type='variable'>activer_sso</target> <target type='variable'>activer_sso</target>
</condition> </condition>
<auto name='calc_multi_condition' target='ldapScheme'> <auto name='calc_val' target='ldapScheme'>
<param>oui</param> <param>ldaps</param>
<param type='eole' name='condition_1'>ldap_tls</param>
<param name='match'>ldaps</param>
<param name='default_mismatch'>ldap</param>
</auto> </auto>
<fill name='calc_val_first_value' target='eolesso_adresse'> <fill name='calc_val_first_value' target='eolesso_adresse'>
@ -44,25 +34,37 @@
<param type='eole'>nom_domaine_machine</param> <param type='eole'>nom_domaine_machine</param>
</fill> </fill>
<auto name='calc_val' target='ldap_port'>
<param>636</param>
</auto>
<condition name='frozen_if_in' source='activerLemon'> <condition name='frozen_if_in' source='activerLemon'>
<param>oui</param> <param>oui</param>
<target type='variable'>eolesso_adresse</target> <target type='variable'>eolesso_adresse</target>
</condition> </condition>
<auto name='calc_val' target='ldapServer'> <auto name='calc_val' target='ldapServer'>
<param type='eole'>adresse_ip_ldap</param> <param type='eole'>ad_address</param>
</auto> </auto>
<auto name='calc_val' target='ldapServerPort'> <auto name='calc_val' target='ldapServerPort'>
<param type='eole'>ldap_port</param> <param type='number'>636</param>
</auto>
<auto name='calc_val' target='lemon_user_db'>
<param>AD</param>
</auto>
<auto name='calc_val' target='llRegisterDB'>
<param>AD</param>
</auto> </auto>
<auto name='calc_val' target='ldapBindUserDN'> <auto name='calc_val' target='ldapBindUserDN'>
<param type='eole'>ldap_reader</param> <param type='eole'>sasl_ldap_reader</param>
</auto> </auto>
<auto name='calc_val' target='ldapBindUserPassword'> <auto name='calc_val' target='ldapBindUserPassword'>
<param type='eole'>ldap_reader_passfile</param> <param>/etc/eole/private/sasl-reader.password</param>
</auto> </auto>
<auto name='calc_val' target='casFolder'> <auto name='calc_val' target='casFolder'>

View File

@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
<VirtualHost %%adresse_ip_eth0:443> <VirtualHost %%adresse_ip_eth0:443>
ServerName %%reloadWebName ServerName %%reloadWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/handler_error.log
CustomLog /var/log/apache2/handler_access.log common
# Configuration reload mechanism (only 1 per physical server is # Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when # needed): choose your URL to avoid restarting Apache when
# configuration change # configuration change

View File

@ -197,11 +197,11 @@ portalSkin = %%llSkin
; Modules displayed ; Modules displayed
;portalDisplayLogout = 1 ;portalDisplayLogout = 1
portalDisplayResetPassword = %%boolean[%%llResetPassword] portalDisplayResetPassword = %%boolean[%%llResetPassword]
;portalDisplayChangePassword = 1 portalDisplayChangePassword = %%boolean[%%llChangePassword]
;portalDisplayAppslist = 1 ;portalDisplayAppslist = 1
;portalDisplayLoginHistory = 1 ;portalDisplayLoginHistory = 1
; Require the old password when changing password ; Require the old password when changing password
;portalRequireOldPassword = 1 portalRequireOldPassword = %%boolean[%%llChangePassword]
; Attribute displayed as connected user ; Attribute displayed as connected user
;portalUserAttr = mail ;portalUserAttr = mail
; Old menu HTML code ; Old menu HTML code

View File

@ -85,7 +85,7 @@
}, },
"authChoiceModules": {}, "authChoiceModules": {},
"authChoiceParam": "lmAuth", "authChoiceParam": "lmAuth",
"authentication": "LDAP", "authentication": "%%lemon_user_db",
"browserIdAuthnLevel": 1, "browserIdAuthnLevel": 1,
"captchaStorage": "Apache::Session::File", "captchaStorage": "Apache::Session::File",
"captchaStorageOptions": { "captchaStorageOptions": {
@ -152,10 +152,37 @@
"issuerDBSAMLRule": 1, "issuerDBSAMLRule": 1,
"jsRedirect": 0, "jsRedirect": 0,
"key": "e\"bTCt3*eU9^\\V%b", "key": "e\"bTCt3*eU9^\\V%b",
%if %%llResetPassword == "oui"
%if %%llResetExpiredPassword == "oui"
%if %%lemon_user_db == "AD"
"ldapPpolicyControl": 0,
%else
"ldapPpolicyControl": 1,
%end if
"ldapAllowResetExpiredPassword": 1,
"ldapChangePasswordAsUser": 1,
%else
"ldapPpolicyControl": 0,
"ldapAllowResetExpiredPassword": 0, "ldapAllowResetExpiredPassword": 0,
"ldapChangePasswordAsUser": 1,
%end if
%end if
"ldapAuthnLevel": 2, "ldapAuthnLevel": 2,
"ldapSearchDeref": "find",
%if %%eole_module == "scribe"
"ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
"ldapExportedVars": {
"cn": "cn",
"mail": "mail",
"uid": "cn"
},
"ldapGroupAttributeName": "memberUid",
"ldapGroupAttributeNameGroup": "dn",
"ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "cn",
"ldapGroupObjectClass": "group",
%else
"ldapBase": "%%ldapUserBaseDN", "ldapBase": "%%ldapUserBaseDN",
"ldapChangePasswordAsUser": 0,
"ldapExportedVars": { "ldapExportedVars": {
"cn": "cn", "cn": "cn",
"mail": "mail", "mail": "mail",
@ -166,11 +193,11 @@
"ldapGroupAttributeNameSearch": "cn", "ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "uid", "ldapGroupAttributeNameUser": "uid",
"ldapGroupObjectClass": "eolegroupe", "ldapGroupObjectClass": "eolegroupe",
%end if
"ldapGroupRecursive": 0, "ldapGroupRecursive": 0,
"ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttribute": "pwdReset",
"ldapPasswordResetAttributeValue": "TRUE", "ldapPasswordResetAttributeValue": "TRUE",
"ldapPort": "%%ldapServerPort", "ldapPort": "%%ldapServerPort",
"ldapPpolicyControl": 0,
"ldapPwdEnc": "utf-8", "ldapPwdEnc": "utf-8",
"ldapServer": "%%ldapScheme://%%ldapServer", "ldapServer": "%%ldapScheme://%%ldapServer",
%if %%ldapScheme == "ldaps" %if %%ldapScheme == "ldaps"
@ -219,13 +246,17 @@
"mailTimeout": 0, "mailTimeout": 0,
%if %%llResetPassword == "oui" %if %%llResetPassword == "oui"
%if %%is_empty(%%llResetUrl) %if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl", "mailUrl": "https://%%authWebName/resetpwd",
%else %else
"mailUrl": "%%llResetUrl", "mailUrl": "%%llResetUrl",
%end if %end if
%end if %end if
"maintenance": 0, "maintenance": 0,
%if %%eole_module == "scribe"
"managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
%else
"managerDn": "%%ldapBindUserDN", "managerDn": "%%ldapBindUserDN",
%end if
%if %%is_file(%%ldapBindUserPassword) %if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)", "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else %else
@ -258,7 +289,7 @@
"openIdSreg_fullname": "cn", "openIdSreg_fullname": "cn",
"openIdSreg_nickname": "uid", "openIdSreg_nickname": "uid",
"openIdSreg_timezone": "_timezone", "openIdSreg_timezone": "_timezone",
"passwordDB": "LDAP", "passwordDB": "%%lemon_user_db",
"persistentStorage": "Apache::Session::File", "persistentStorage": "Apache::Session::File",
"persistentStorageOptions": { "persistentStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/psessions", "Directory": "/var/lib/lemonldap-ng/psessions",
@ -268,7 +299,7 @@
"portalAntiFrame": 1, "portalAntiFrame": 1,
"portalCheckLogins": %%boolean[%%llCheckLogins], "portalCheckLogins": %%boolean[%%llCheckLogins],
"portalDisplayAppslist": 1, "portalDisplayAppslist": 1,
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
"portalDisplayLoginHistory": 1, "portalDisplayLoginHistory": 1,
"portalDisplayLogout": 1, "portalDisplayLogout": 1,
"portalDisplayRegister": 1, "portalDisplayRegister": 1,
@ -378,7 +409,7 @@
"useRedirectOnForbidden": 0, "useRedirectOnForbidden": 0,
"useSafeJail": 1, "useSafeJail": 1,
"userControl": "^[\\w\\.\\-@]+$", "userControl": "^[\\w\\.\\-@]+$",
"userDB": "LDAP", "userDB": "%%lemon_user_db",
"vhostOptions": { "vhostOptions": {
"%%managerWebName": { "%%managerWebName": {
"vhostHttps": "1" "vhostHttps": "1"

View File

@ -13,13 +13,13 @@
<VirtualHost %%adresse_ip_eth0:443> <VirtualHost %%adresse_ip_eth0:443>
ServerName %%managerWebName ServerName %%managerWebName
SSLEngine on SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt SSLCertificateFile %%server_cert
SSLCertificateKeyFile /etc/ssl/private/eole.key SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2 SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on SSLProxyEngine on
LogLevel info LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/manager_error.log ErrorLog /var/log/apache2/manager_error.log
CustomLog /var/log/apache2/manager_access.log common CustomLog /var/log/apache2/manager_access.log common

View File

@ -13,13 +13,13 @@
<VirtualHost %%adresse_ip_eth0:443> <VirtualHost %%adresse_ip_eth0:443>
ServerName %%authWebName ServerName %%authWebName
SSLEngine on SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt SSLCertificateFile %%server_cert
SSLCertificateKeyFile /etc/ssl/private/eole.key SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2 SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on SSLProxyEngine on
LogLevel info LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/portal_error.log ErrorLog /var/log/apache2/portal_error.log
CustomLog /var/log/apache2/portal_access.log common CustomLog /var/log/apache2/portal_access.log common