Begin of Eole-SSO replacement work

We need to provide what EoleSSO provides.

For me this 3 new template have to be placed in a dedicated package
like eole-sso-client, this templates are not necessary for the server
only usefull for the clients.
This commit is contained in:
Philippe Caseiro 2018-03-21 14:13:15 +01:00
parent 19fc15c324
commit d3897f1e4a
5 changed files with 84 additions and 1 deletions

View File

@ -7,6 +7,9 @@
<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/test-nginx.conf' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/nginx/sites-available/test-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/> <file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
<service>lemonldap-ng-fastcgi-server</service> <service>lemonldap-ng-fastcgi-server</service>
<service_access service='nginx'> <service_access service='nginx'>
<port service_accesslist="saLemon">80</port> <port service_accesslist="saLemon">80</port>
@ -38,6 +41,16 @@
</variable> </variable>
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/> <variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/> <variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
<value>cas</value>
</variable>
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True'>
<value>oui</value>
</variable>
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
<variable name='ssoDebug' type='string' description="Activer le Debug pour la lib php-CAS" mode="expert">
<value>non</value>
</variable>
</family> </family>
<separators> <separators>
<separator name="managerWebName">Configuration DNS</separator> <separator name="managerWebName">Configuration DNS</separator>
@ -71,6 +84,7 @@
<condition name='disabled_if_in' source='activerLemon'> <condition name='disabled_if_in' source='activerLemon'>
<param>non</param> <param>non</param>
<target type='filelist'>lemon</target> <target type='filelist'>lemon</target>
<target type='filelist'>lemonCAS</target>
<target type='family'>LemonLDAP</target> <target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target> <target type='service_accesslist'>saLemon</target>
</condition> </condition>

27
tmpl/cas.inc.php.tmpl Normal file
View File

@ -0,0 +1,27 @@
<?php
define("__CAS_SERVER", "%%authWebName");
define("__CAS_VERSION", "2.0");
define("__CAS_FOLDER", "%%casFolder");
define("__CAS_PORT", %%eolesso_port);
define("__CAS_PROTO", "https");
%if %%cas_send_logout == 'oui'
define("__CAS_LOGOUT", true);
%else
define("__CAS_LOGOUT", false);
%end if
%if %%getVar('activer_web_valider_ca', 'non') == 'oui'
define("__CAS_VALIDER_CA", true);
%else
define("__CAS_VALIDER_CA", false);
%end if
%if %%is_empty(%%getVar('ssoCALocation', ''))
define("__CAS_CA_LOCATION", "/etc/ssl/certs/ca.crt");
%else
define("__CAS_CA_LOCATION", "%%ssoCALocation");
%end if
%if %%getVar("ssoDebug", 'non') == "oui"
define("__CAS_DEBUG", true);
%else
define("__CAS_DEBUG", false);
%end if
?>

View File

@ -0,0 +1,7 @@
<?php
%if %%mode_conteneur_actif != "non"
define("__CAS_IP", "%%adresse_ip_br0");
%else
define("__CAS_IP", "false");
%end if
?>

View File

@ -25,7 +25,7 @@
"timeoutActivity": 0, "timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {}, "oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0, "issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/cas/", "issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",

35
tmpl/pam_cas_auth.conf Normal file
View File

@ -0,0 +1,35 @@
# sample pam_cas config
# host from CAS server. mandatory
host %%authWebName
# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 443
# uri to validate ticket. Default to /proxyValidate
uriValidate /proxyValidate
# https or no. values on or off. Default to on.
ssl on
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug off
# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
#proxy https://%%eolesso_adresse/proxycas/casimap.php
#proxy https://imp.its.yale.edu/cas/casProxy.php
#proxy https://uportal1.its.yale.edu/CasProxyServlet
#proxy https://uportal2.its.yale.edu/CasProxyServlet
# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
# certificate from high level CA
%if not %%is_empty(%%getVar('ssoCALocation', ''))
trusted_ca %%eolessoCALocation
%else
trusted_ca /etc/ssl/certs/ca.crt
%end if