Daniel Dehennin
parent
04c73c223b
commit
c9c6171367
|
|
@ -1,38 +1,44 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<creole>
|
||||
|
||||
<files>
|
||||
<!-- Je suis un commentaire -->
|
||||
<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
|
||||
|
||||
<file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
|
||||
<file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
|
||||
<file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
|
||||
|
||||
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
|
||||
<service>lemonldap-ng-fastcgi-server</service>
|
||||
<service_access service='nginx'>
|
||||
<port service_accesslist="saLemon">80</port>
|
||||
<port service_accesslist="saLemon">443</port>
|
||||
</service_access>
|
||||
</files>
|
||||
|
||||
<variables>
|
||||
<family name='Services'>
|
||||
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
|
||||
<value>non</value>
|
||||
</variable>
|
||||
</family>
|
||||
|
||||
<family name='LemonLDAP'>
|
||||
|
||||
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
|
||||
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
|
||||
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
|
||||
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
|
||||
|
||||
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
|
||||
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
|
||||
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
|
||||
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
|
||||
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
|
||||
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
|
||||
<variable name='ldapBindUserPassword' type='password' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
|
||||
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
|
||||
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
|
||||
|
||||
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
|
||||
<value>4</value>
|
||||
</variable>
|
||||
|
||||
|
|
@ -42,6 +48,7 @@
|
|||
|
||||
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
|
||||
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
|
||||
|
||||
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
|
||||
<value>cas</value>
|
||||
</variable>
|
||||
|
|
@ -49,6 +56,7 @@
|
|||
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True' exists='False'>
|
||||
<value>oui</value>
|
||||
</variable>
|
||||
|
||||
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
|
||||
<variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG">
|
||||
<value>bootstrap</value>
|
||||
|
|
@ -66,14 +74,18 @@
|
|||
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
|
||||
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
|
||||
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
|
||||
|
||||
</family>
|
||||
|
||||
<separators>
|
||||
<separator name="managerWebName">Configuration DNS</separator>
|
||||
<separator name="ldapScheme">Configuration LDAP</separator>
|
||||
<separator name="casAttribute">Configuration CAS</separator>
|
||||
<separator name="llSkin">Personnalisation de la mire SSO</separator>
|
||||
</separators>
|
||||
|
||||
</variables>
|
||||
|
||||
<constraints>
|
||||
<fill name='concat' target='managerWebName'>
|
||||
<param>manager.</param>
|
||||
|
|
@ -91,19 +103,23 @@
|
|||
<param>SAML</param>
|
||||
<param type='eole'>nom_domaine_local</param>
|
||||
</fill>
|
||||
|
||||
<check name="valid_enum" target="ldapScheme">
|
||||
<param>['ldaps','ldap']</param>
|
||||
</check>
|
||||
|
||||
<check name="valid_enum" target="llRegisterDB">
|
||||
<param>['LDAP','Demo','Custom']</param>
|
||||
</check>
|
||||
|
||||
<group master="casAttribute">
|
||||
<slave>casLDAPAttribute</slave>
|
||||
</group>
|
||||
|
||||
<condition name='disabled_if_in' source='activerLemon'>
|
||||
<param>non</param>
|
||||
<target type='filelist'>lemon</target>
|
||||
<target type='filelist'>lemonCAS</target>
|
||||
<target type='filelist'>lemonldap</target>
|
||||
<target type='filelist'>lemonldap-nginx</target>
|
||||
<target type='family'>LemonLDAP</target>
|
||||
<target type='service_accesslist'>saLemon</target>
|
||||
</condition>
|
||||
|
|
@ -124,10 +140,11 @@
|
|||
<param name="checkval">False</param>
|
||||
</check>
|
||||
</constraints>
|
||||
|
||||
<help>
|
||||
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
|
||||
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
|
||||
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
|
||||
<variable name='activerLemon'>Activer le service LemonLDAP::NG sur ce serveur</variable>
|
||||
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable>
|
||||
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable>
|
||||
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
|
||||
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
|
||||
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
|
||||
|
|
|
|||
|
|
@ -1,117 +0,0 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443;
|
||||
ssl on;
|
||||
ssl_certificate %%server_cert;
|
||||
ssl_certificate_key %%server_key;
|
||||
ssl_client_certificate /etc/ssl/certs/ca.crt;
|
||||
access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
|
||||
|
||||
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
|
||||
root /var/lib/lemonldap-ng/test/;
|
||||
|
||||
# Internal authentication request
|
||||
location = /lmauth {
|
||||
internal;
|
||||
|
||||
# FastCGI configuration
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||
# Drop post datas
|
||||
fastcgi_pass_request_body off;
|
||||
fastcgi_param CONTENT_LENGTH "";
|
||||
# Keep original hostname
|
||||
fastcgi_param HOST $http_host;
|
||||
# Keep original request (LLNG server will receive /lmauth)
|
||||
fastcgi_param X_ORIGINAL_URI $request_uri;
|
||||
# Improve performances
|
||||
#fastcgi_buffer_size 32k;
|
||||
#fastcgi_buffers 32 32k;
|
||||
|
||||
}
|
||||
|
||||
# Client requests
|
||||
location / {
|
||||
# Local application
|
||||
index index.pl;
|
||||
try_files $uri $uri/ =404;
|
||||
|
||||
# Reverse proxy
|
||||
#proxy_pass http://remote.server/;
|
||||
#include /etc/nginx/proxy_params;
|
||||
|
||||
##################################
|
||||
# CALLING AUTHENTICATION #
|
||||
##################################
|
||||
auth_request /lmauth;
|
||||
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
||||
auth_request_set $lmlocation $upstream_http_location;
|
||||
# If CDA is used, uncomment this
|
||||
#auth_request_set $cookie_value $upstream_http_set_cookie;
|
||||
#add_header Set-Cookie $cookie_value;
|
||||
# Remove this for AuthBasic handler
|
||||
error_page 401 $lmlocation;
|
||||
|
||||
##################################
|
||||
# PASSING HEADERS TO APPLICATION #
|
||||
##################################
|
||||
|
||||
# IF LUA IS SUPPORTED
|
||||
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
|
||||
|
||||
# ELSE
|
||||
# Set manually your headers
|
||||
#auth_request_set $authuser $upstream_http_auth_user;
|
||||
#proxy_set_header Auth-User $authuser;
|
||||
# OR in the corresponding block
|
||||
#fastcgi_param HTTP_AUTH_USER $authuser;
|
||||
|
||||
# Then (if LUA is not supported), change cookie header to hide LLNG cookie
|
||||
#auth_request_set $lmcookie $upstream_http_cookie;
|
||||
#proxy_set_header Cookie: $lmcookie;
|
||||
# OR in the corresponding block
|
||||
#fastcgi_param HTTP_COOKIE $lmcookie;
|
||||
|
||||
# Uncomment this if you use https only
|
||||
#add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
# Set REMOTE_USER (for FastCGI apps only)
|
||||
#fastcgi_param REMOTE_USER $lmremote_user;
|
||||
}
|
||||
|
||||
# Handle test CGI
|
||||
location ~ ^(?<sc>/.*\.pl)(?:$|/) {
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||
fastcgi_param LLTYPE cgi;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_split_path_info ^(.*\.pl)(/.+)$;
|
||||
fastcgi_param REMOTE_USER $lmremote_user;
|
||||
|
||||
# Or with uWSGI
|
||||
#include /etc/nginx/uwsgi_params;
|
||||
#uwsgi_pass 127.0.0.1:5000;
|
||||
#uwsgi_param LLTYPE cgi;
|
||||
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
|
||||
#uwsgi_param SCRIPT_NAME $sc;
|
||||
}
|
||||
|
||||
#location = /status {
|
||||
# allow 127.0.0.1;
|
||||
# deny all;
|
||||
# include /etc/nginx/fastcgi_params;
|
||||
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||
# fastcgi_param LLTYPE status;
|
||||
|
||||
### Or with uWSGI
|
||||
## include /etc/nginx/uwsgi_params;
|
||||
## uwsgi_pass 127.0.0.1:5000;
|
||||
## uwsgi_param LLTYPE status;
|
||||
#}
|
||||
}
|
||||
Loading…
Reference in New Issue