From bf94e749163fd75603e03746bdcdefa7aefc81bd Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 2 Dec 2020 11:52:11 +0100 Subject: [PATCH] Using Active Directory (samba4) instead of OpenLDAP Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one --- dicos/70_lemonldap_ng.xml | 20 ++++++++++++++++++ dicos/71_lemonldap_ng_scribe.xml | 36 +++++++++++++++----------------- tmpl/handler-apache2.X.conf | 11 ++++++++++ tmpl/lmConf-1.json | 30 +++++++++++++++++++++----- tmpl/manager-apache2.X.conf | 6 +++--- tmpl/portal-apache2.X.conf | 6 +++--- 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index df54a8d..e4d49fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -27,6 +27,14 @@ + + + /cas + + + 443 + + non @@ -39,6 +47,10 @@ + + LDAP + + @@ -83,6 +95,9 @@ oui + + oui + oui @@ -124,6 +139,10 @@ ['ldaps','ldap'] + + ['LDAP','AD'] + + ['info','notice','warn','error','debug'] @@ -168,6 +187,7 @@ non llResetUrl + llResetExpiredPassword ['bootstrap','dark','impact','pastel'] diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index d03e59f..7a5ca95 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,20 +5,13 @@ - - - - cas - - - 443 - - + + + - oui activerLemon @@ -31,11 +24,8 @@ activer_sso - - oui - ldap_tls - ldaps - ldap + + ldaps @@ -44,25 +34,33 @@ nom_domaine_machine + + 636 + + oui eolesso_adresse - adresse_ip_ldap + ad_address - ldap_port + 636 + + + + AD - ldap_reader + sasl_ldap_reader - ldap_reader_passfile + /etc/eole/private/sasl-reader.password diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf index c42747b..d33da34 100644 --- a/tmpl/handler-apache2.X.conf +++ b/tmpl/handler-apache2.X.conf 
@@ -29,6 +29,17 @@
 ErrorDocument 503 https://%%authWebName/lmerror/503
 ServerName %%reloadWebName
+ SSLEngine on
+ SSLCertificateFile %%server_cert
+ SSLCertificateKeyFile %%server_key
+ SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+ SSLProtocol all -SSLv3 -SSLv2
+ SSLProxyEngine on
+
+ LogLevel %%lm_loglevel
+
+ ErrorLog /var/log/apache2/handler_error.log
+ CustomLog /var/log/apache2/handler_access.log common
 # Configuration reload mechanism (only 1 per physical server is
 # needed): choose your URL to avoid restarting Apache when
 # configuration change
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json
index 5980d67..4fd5af5 100644
--- a/tmpl/lmConf-1.json
+++ b/tmpl/lmConf-1.json
@@ -85,7 +85,7 @@
 },
 "authChoiceModules": {},
 "authChoiceParam": "lmAuth",
- "authentication": "LDAP",
+ "authentication": "%%lemon_user_db",
 "browserIdAuthnLevel": 1,
 "captchaStorage": "Apache::Session::File",
 "captchaStorageOptions": {
@@ -152,10 +152,27 @@
 "issuerDBSAMLRule": 1,
 "jsRedirect": 0,
 "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+ %if %%llResetExpiredPassword == "oui"
+ %if %%lemon_user_db == "AD"
+ "ldapPpolicyControl": 0,
+ %else
+ "ldapPpolicyControl": 1,
+ %end if
+ "ldapAllowResetExpiredPassword": 1,
+ %else
+ "ldapPpolicyControl": 0,
 "ldapAllowResetExpiredPassword": 0,
+ %end if
+%end if
+ "ldapChangePasswordAsUser": 1,
 "ldapAuthnLevel": 2,
+%if %%eole_module == "scribe"
+ "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
 "ldapBase": "%%ldapUserBaseDN",
- "ldapChangePasswordAsUser": 0,
+%end if
+ "ldapSearchDeref": "find",
 "ldapExportedVars": {
 "cn": "cn",
 "mail": "mail",
@@ -170,7 +187,6 @@
 "ldapPasswordResetAttribute": "pwdReset",
 "ldapPasswordResetAttributeValue": "TRUE",
 "ldapPort": "%%ldapServerPort",
- "ldapPpolicyControl": 0,
 "ldapPwdEnc": "utf-8",
 "ldapServer": "%%ldapScheme://%%ldapServer",
 %if %%ldapScheme == "ldaps"
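Review bot: The `SSLProtocol all -SSLv3 -SSLv2` line added to the reload vhost still negotiates TLS 1.0 and TLS 1.1; since the directive is being introduced here, `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` (or `SSLProtocol -all +TLSv1.2` on builds that support it) would be the better baseline, and the same line survives unchanged as context in the manager and portal vhost hunks below. `SSLProxyEngine on` is enabled without an `SSLProxyVerify` / `SSLProxyCACertificateFile` pair, so if this vhost proxies to an HTTPS backend the backend certificate is not verified by default — worth confirming whether the proxy engine is needed in the handler at all. `SSLCertificateChainFile` is deprecated since Apache 2.4.8 in favour of appending the chain to `SSLCertificateFile`; harmless, but a comment on that line would help given the template targets an unspecified 2.X release.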
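Review bot: `ldapPpolicyControl` is now emitted only inside the `%if %%llResetPassword == "oui"` block (the unconditional `"ldapPpolicyControl": 0,` is deleted in the later hunk at -170), so a build with password reset disabled emits neither `ldapPpolicyControl` nor `ldapAllowResetExpiredPassword` and silently relies on LemonLDAP::NG's defaults; an outer `%else` emitting `"ldapPpolicyControl": 0,` and `"ldapAllowResetExpiredPassword": 0,` would keep the generated file explicit. The scribe `ldapBase` line builds the JSON value by string concatenation — the closing `"` and `,` come from the `%echo` expression and `%%ad_domain` is inserted with no escaping — so any unexpected character in that value yields an invalid lmConf; a template comment stating that ad_domain must be a plain DNS name and that the echo supplies the closing quote and comma would help the next maintainer, and the same expression is duplicated for `managerDn` further down. The `cn=Users` container is hard-coded, which only holds for accounts left in the default AD container — confirm it matches where the Samba4 provisioning places user objects. `ldapChangePasswordAsUser` also flips from 0 to 1 unconditionally, which the commit message does not mention.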
@@ -218,7 +234,11 @@
 %end if
 %end if
 "maintenance": 0,
+%if %%eole_module == "scribe"
+ "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
 "managerDn": "%%ldapBindUserDN",
+%end if
 %if %%is_file(%%ldapBindUserPassword)
 "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
@@ -251,7 +271,7 @@
 "openIdSreg_fullname": "cn",
 "openIdSreg_nickname": "uid",
 "openIdSreg_timezone": "_timezone",
- "passwordDB": "LDAP",
+ "passwordDB": "%%lemon_user_db",
 "persistentStorage": "Apache::Session::File",
 "persistentStorageOptions": {
 "Directory": "/var/lib/lemonldap-ng/psessions",
@@ -371,7 +391,7 @@
 "useRedirectOnForbidden": 0,
 "useSafeJail": 1,
 "userControl": "^[\\w\\.\\-@]+$",
- "userDB": "LDAP",
+ "userDB": "%%lemon_user_db",
 "vhostOptions": {
 "%%managerWebName": {
 "vhostHttps": "1"
diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf
index 9bca544..cf6fcbd 100644
--- a/tmpl/manager-apache2.X.conf
+++ b/tmpl/manager-apache2.X.conf
@@ -13,13 +13,13 @@
 ServerName %%managerWebName
 SSLEngine on
- SSLCertificateFile /etc/ssl/certs/eole.crt
- SSLCertificateKeyFile /etc/ssl/private/eole.key
+ SSLCertificateFile %%server_cert
+ SSLCertificateKeyFile %%server_key
 SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
 SSLProtocol all -SSLv3 -SSLv2
 SSLProxyEngine on
- LogLevel info
+ LogLevel %%lm_loglevel
 ErrorLog /var/log/apache2/manager_error.log
 CustomLog /var/log/apache2/manager_access.log common
diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf
index 71fb6c1..5ab967d 100644
--- a/tmpl/portal-apache2.X.conf
+++ b/tmpl/portal-apache2.X.conf
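Review bot: On scribe, `managerDn` is now composed as `cn=%%ldapBindUserDN,cn=Users,dc=…`, so the `ldapBindUserDN` variable holds a bare CN on scribe but a full DN on every other module; the name will mislead the next reader, and the `%echo ",dc=".join(%%ad_domain.split('.'))` expression is the same one used for `ldapBase` in the earlier hunk. Computing the AD base DN once (in the dico, or a single template variable) and referencing it from both places would remove the duplication and the unescaped string build. If the account behind `ldapBindUserDN` is a read-only reader account, as its new default name in the dico change suggests, any LemonLDAP::NG flow that writes through `managerDn` (expired-password reset when `ldapAllowResetExpiredPassword` is 1) would fail against AD — confirm that account's rights, or document that only user-bound password changes are expected.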
@@ -13,13 +13,13 @@
 ServerName %%authWebName
 SSLEngine on
- SSLCertificateFile /etc/ssl/certs/eole.crt
- SSLCertificateKeyFile /etc/ssl/private/eole.key
+ SSLCertificateFile %%server_cert
+ SSLCertificateKeyFile %%server_key
 SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
 SSLProtocol all -SSLv3 -SSLv2
 SSLProxyEngine on
- LogLevel info
+ LogLevel %%lm_loglevel
 ErrorLog /var/log/apache2/portal_error.log
 CustomLog /var/log/apache2/portal_access.log common