From 536da57382135576a68417722367d636120acd1b Mon Sep 17 00:00:00 2001 From: vfebvre Date: Thu, 3 Sep 2020 16:44:25 +0200 Subject: [PATCH 01/29] parent d08c965ee8959bec8afb87d1c9ee0c137f391f51 author vfebvre 1599144265 +0200 committer Philippe Caseiro 1606220045 +0100 Corrections diverses --- README.md | 21 +++++++++++++++++ dicos/70_lemonldap_ng.xml | 45 ++++++++++++++++++++++++++++++++++--- postservice/99-lemonldap-ng | 8 ++++++- 3 files changed, 70 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 21aae0d..70cc7e0 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,27 @@ LemonLDAP::NG EOLE integration ## Howto +### Repository configuration + +* Add the lemonldap-ng deb respository we need the last version of LemonLDAP. + +GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt + +#### LemonLDAP::NG repository (if you use EOLE 2.7.2 this is not needed anymore) + +* deb https://lemonldap-ng.org/deb stable main +* deb-src https://lemonldap-ng.org/deb stable main +* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 + +#### Cadoles Repository +* deb [ arch=all ] https://vulcain.cadoles.com 2.7.2-dev main +* Key URL : https://vulcain.cadoles.com/cadoles.gpg + +### Install packages + +apt update +apt install eole-lemonldap + ### Configure LemonLDAP in GenConfig * Enable lemonldap in "Services" tab diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 46be489..70447e9 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -2,6 +2,7 @@ +<<<<<<< HEAD @@ -15,7 +16,7 @@ - lemonldap-ng-fastcgi-server + lemonldap-ng-fastcgi-server manager-apache2 portal-apache2 @@ -49,6 +50,43 @@ +======= + + + + + + + + + + + + lemonldap-ng-fastcgi-server + + 80 + 443 + + + + + + non + + + + + + + --> + + + + + + + +>>>>>>> 70a1c26 (Fix disable if in) 4 @@ -121,7 +159,6 @@ ['LDAP','Demo','Custom'] - casLDAPAttribute @@ -132,6 +169,7 @@ lemonldap-nginx lemonldap-apache lemonldap-apache + sllemon LemonLDAP saLemon 
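Review bot: The two hunks of dicos/70_lemonldap_ng.xml in this patch commit unresolved merge markers — `<<<<<<< HEAD` in the first hunk and `=======` / `>>>>>>> 70a1c26 (Fix disable if in)` in the `@@ -49,6 +50,43 @@` hunk — which leaves the dictionary unparseable at this point of the series. Patches 05 and 06 later delete the same lines, so the series should be rebased so the markers never land rather than being removed several commits later; as it stands, any bisect or partial cherry-pick of patch 01 ships a broken dico. The second hunk also appears to carry a duplicated copy of the service/port definitions under the `=======` side, so once the markers go the duplicate block needs to be reconciled, not just stripped.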
@@ -170,7 +208,8 @@ Activer le service LemonLDAP::NG sur ce serveur Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr - DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) + DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr) + DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé Liste des domaines à ajouter à la directive form-action. diff --git a/postservice/99-lemonldap-ng b/postservice/99-lemonldap-ng index 022cef8..33b464a 100644 --- a/postservice/99-lemonldap-ng +++ b/postservice/99-lemonldap-ng @@ -1,6 +1,12 @@ #!/bin/bash -[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0 + +[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0 + +# Updating Configuration cache + +cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache" +opt="update-cache" # Updating Configuration cache /usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1 From 15da7394f33ef887316eb3645a6653cac62fa9f0 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Tue, 24 Nov 2020 13:50:29 +0100 Subject: [PATCH 02/29] Make eole-lemonldap-ng compatible with eolebase --- dicos/70_lemonldap_ng.xml | 2 +- dicos/71_lemonldap_ng_scribe.xml | 9 ++++++++- tmpl/lemonldap-ng-fastcgi-server | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 70447e9..6394bb9 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml 
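Review bot: The new help string `DN de base de l'emplactement des utilisateurs dans l'annuaire` misspells "emplacement", and both new/old lines keep "connection" where French spelling is "connexion"; this is user-facing GenConfig text, so worth fixing here. The same strings are carried again as context and new lines in patches 02 and 03, so one correction at the source line avoids propagating the typo through the series.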
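Review bot: The replacement guard `[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0` inverts the failure mode of the line it removes: the old test ran the cache update only when the value was exactly `oui`, whereas the new one runs it for any value other than `non` — including an empty or garbled CreoleGet result — so the script now fails open. Keeping the original form, `[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0`, preserves the allow-list behaviour. The hunk also adds `cmd=` and `opt=` variables that nothing uses and a second `# Updating Configuration cache` comment above the unchanged `lemonldap-ng-cli update-cache` call; either use `"$cmd"` on that line or drop both assignments.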
@@ -209,7 +209,7 @@ Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr) - DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) + DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé Liste des domaines à ajouter à la directive form-action. diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 29240ea..4fa6769 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -6,7 +6,14 @@ - + + + + cas + + + 443 + diff --git a/tmpl/lemonldap-ng-fastcgi-server b/tmpl/lemonldap-ng-fastcgi-server index 9942b4c..dafed7d 100644 --- a/tmpl/lemonldap-ng-fastcgi-server +++ b/tmpl/lemonldap-ng-fastcgi-server @@ -1,5 +1,5 @@ # Number of process (default: 7) -NPROC = %%lemonproc +NPROC=%%lemonproc # Unix socket to listen to SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock From 74fb92fb55c71e66c6e442002c95cd0b6b497c6a Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Tue, 24 Nov 2020 13:50:29 +0100 Subject: [PATCH 03/29] Make eole-lemonldap-ng compatible with eolebase --- dicos/70_lemonldap_ng.xml | 3 ++- dicos/71_lemonldap_ng_scribe.xml | 9 ++++++++- tmpl/lemonldap-ng-fastcgi-server | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 46be489..1b51faa 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml 
@@ -170,7 +170,8 @@ Activer le service LemonLDAP::NG sur ce serveur Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr - DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) + DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr) + DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé Liste des domaines à ajouter à la directive form-action. diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 29240ea..4fa6769 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -6,7 +6,14 @@ - + + + + cas + + + 443 + diff --git a/tmpl/lemonldap-ng-fastcgi-server b/tmpl/lemonldap-ng-fastcgi-server index 9942b4c..dafed7d 100644 --- a/tmpl/lemonldap-ng-fastcgi-server +++ b/tmpl/lemonldap-ng-fastcgi-server @@ -1,5 +1,5 @@ # Number of process (default: 7) -NPROC = %%lemonproc +NPROC=%%lemonproc # Unix socket to listen to SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock From 5d4e5729678f3a238450297e8b4f204733dc1077 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Thu, 26 Nov 2020 13:21:49 +0100 Subject: [PATCH 04/29] Fixing log format --- tmpl/nginx-lmlog.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tmpl/nginx-lmlog.conf b/tmpl/nginx-lmlog.conf index c41f252..3db97b1 100644 --- a/tmpl/nginx-lmlog.conf +++ b/tmpl/nginx-lmlog.conf 
@@ -1,3 +1,3 @@ -log_format lm_combined '$remote_addr - $lmremote_user [$time_local] ' +log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + '"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom'; From 8af3ee655fbafaa559d240553bf176cb92299751 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Thu, 26 Nov 2020 13:43:33 +0100 Subject: [PATCH 05/29] Cleanup dico --- dicos/70_lemonldap_ng.xml | 39 --------------------------------------- 1 file changed, 39 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 6394bb9..aa616c0 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -2,8 +2,6 @@ -<<<<<<< HEAD - @@ -50,43 +48,6 @@ -======= - - - - - - - - - - - - lemonldap-ng-fastcgi-server - - 80 - 443 - - - - - - non - - - - - - - --> - - - - - - - ->>>>>>> 70a1c26 (Fix disable if in) 4 From 4af11f3d28b6b231f5724ff89d6911410086dcc8 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Thu, 26 Nov 2020 13:47:47 +0100 Subject: [PATCH 06/29] Cleanup dico and support for loglevel --- dicos/70_lemonldap_ng.xml | 47 +++++++-------------------------------- 1 file changed, 8 insertions(+), 39 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 6394bb9..cbf69ad 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -2,8 +2,6 @@ -<<<<<<< HEAD - @@ -50,46 +48,13 @@ -======= - - - - - - - - - - - - lemonldap-ng-fastcgi-server - - 80 - 443 - - - - - - non - - - - - - - --> - - - - - - - ->>>>>>> 70a1c26 (Fix disable if in) 4 + + info + + admin @@ -156,6 +121,10 @@ ['ldaps','ldap'] + + ['info','notice','warn','error','debug' + + ['LDAP','Demo','Custom'] From 8ec486eafc113553282debc011e7183b4746ef8c Mon Sep 17 00:00:00 2001 
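Review bot: The new `$upstream_http_lm_remote_custom` field is appended without the double quotes every other variable-length field in `lm_app` gets, so a header value containing spaces (or an absent header, logged as `-`) shifts columns for any parser that splits the combined format by whitespace. Quoting it like its neighbours keeps the line parseable: `'"$http_referer" "$http_user_agent" "$upstream_http_lm_remote_custom"';`. Patch 17 re-applies this identical hunk to tmpl/nginx-lmlog.conf, so the same fix applies there.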
From: Philippe Caseiro Date: Thu, 26 Nov 2020 13:48:14 +0100 Subject: [PATCH 07/29] Adding syslog configuration --- tmpl/lemonldap-ng.ini | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini index 0f497ae..25e511c 100644 --- a/tmpl/lemonldap-ng.ini +++ b/tmpl/lemonldap-ng.ini @@ -36,7 +36,7 @@ ; ; 1 - Defined logging level ; Set here one of error, warn, notice, info or debug -logLevel = debug +logLevel = %%lm_loglevel ; Note that this has no effect for Apache2 logging: Apache LogLevel is used ; instead ; @@ -65,9 +65,9 @@ logLevel = debug ; 2.1 - Using Syslog ; ; For Syslog logging, you can also overwrite facilities. Default values: -;logger = Lemonldap::NG::Common::Logger::Syslog -;syslogFacility = daemon -;userSyslogFacility = auth +logger = Lemonldap::NG::Common::Logger::Syslog +syslogFacility = daemon +userSyslogFacility = auth ; ; 2.2 - Using Log4perl ; From d1ad6aeb25cb4d8462f474448bee0f535b54496e Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Thu, 26 Nov 2020 14:09:15 +0100 Subject: [PATCH 08/29] Fix lm_loglevel --- dicos/70_lemonldap_ng.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index cbf69ad..d165088 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -122,7 +122,7 @@ - ['info','notice','warn','error','debug' + ['info','notice','warn','error','debug'] From 52e5c433eb9c13e2e1f3950d4dbb747311ac2c59 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Thu, 26 Nov 2020 16:53:02 +0100 Subject: [PATCH 09/29] Enable option for SSL verify --- dicos/70_lemonldap_ng.xml | 3 +++ tmpl/lmConf-1.json | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index d165088..c13c7ad 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -84,6 +84,9 @@ oui + + oui + 
diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 1397ff0..5980d67 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -173,6 +173,13 @@ "ldapPpolicyControl": 0, "ldapPwdEnc": "utf-8", "ldapServer": "%%ldapScheme://%%ldapServer", +%if %%ldapScheme == "ldaps" + %if %%lmldapverify == "oui" + "ldapVerify": "required", + %else + "ldapVerify": "none", + %end if +%end if "ldapSetPassword": 0, "ldapTimeout": 120, "ldapUsePasswordResetAttribute": 1, From 03a00fb7ce6e091bd479674e476dbd50f3b2a82e Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Thu, 26 Nov 2020 16:58:32 +0100 Subject: [PATCH 10/29] Cleanup ldap_tls redefine --- dicos/71_lemonldap_ng_scribe.xml | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 4fa6769..fdc706f 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,16 +5,19 @@ - - - - - cas - - - 443 - - + + + + cas + + + 443 + + + + + + From 63bf3c9f98c0fe8c6ecae660e931921091c11f09 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Thu, 26 Nov 2020 17:13:37 +0100 Subject: [PATCH 11/29] UserBaseDN and BaseDN is not the same thing We need to use the user base dn --- dicos/70_lemonldap_ng.xml | 6 +++--- dicos/71_lemonldap_ng_scribe.xml | 8 -------- 2 files changed, 3 insertions(+), 11 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index c13c7ad..df54a8d 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -46,6 +46,9 @@ + + oui + 4 @@ -84,9 +87,6 @@ oui - - oui - diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index fdc706f..d03e59f 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -15,10 +15,6 @@ - - - - @@ -61,10 +57,6 @@ ldap_port - - ldap_base_dn - - ldap_reader From 0f3ff07b5f1756ea0c126c3f7e9be8789fe28ccf Mon Sep 17 00:00:00 2001 
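Review bot: The value written in the verify branch, `"ldapVerify": "required"`, does not match the set Net::LDAP accepts for its `verify` option (`none`, `optional`, `require`); if LemonLDAP::NG passes the string through unchanged, a value it does not recognise would most likely not enable peer verification, which is the opposite of what `lmldapverify == "oui"` intends — please confirm against the targeted LemonLDAP::NG release and use `"ldapVerify": "require",`. The `"none"` branch is a deliberate opt-out that sends the `managerPassword` bind credentials to an unauthenticated peer, so the `lmldapverify` help text in the dico should say that plainly. The same hunk is carried again in patch 12.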
From: Philippe Caseiro Date: Wed, 2 Dec 2020 10:20:42 +0100 Subject: [PATCH 12/29] Merge last evolutions from master branch --- dicos/70_lemonldap_ng.xml | 16 +++++++++++++--- dicos/71_lemonldap_ng_scribe.xml | 23 +++++++++-------------- tmpl/lmConf-1.json | 7 +++++++ 3 files changed, 29 insertions(+), 17 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 1b51faa..df54a8d 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -2,7 +2,6 @@ - @@ -15,7 +14,7 @@ - lemonldap-ng-fastcgi-server + lemonldap-ng-fastcgi-server manager-apache2 portal-apache2 @@ -47,11 +46,18 @@ + + oui + 4 + + info + + admin @@ -118,10 +124,13 @@ ['ldaps','ldap'] + + ['info','notice','warn','error','debug'] + + ['LDAP','Demo','Custom'] - casLDAPAttribute @@ -132,6 +141,7 @@ lemonldap-nginx lemonldap-apache lemonldap-apache + sllemon LemonLDAP saLemon diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 4fa6769..d03e59f 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,16 +5,15 @@ - - - - - cas - - - 443 - - + + + + cas + + + 443 + + @@ -58,10 +57,6 @@ ldap_port - - ldap_base_dn - - ldap_reader diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 1397ff0..5980d67 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -173,6 +173,13 @@ "ldapPpolicyControl": 0, "ldapPwdEnc": "utf-8", "ldapServer": "%%ldapScheme://%%ldapServer", +%if %%ldapScheme == "ldaps" + %if %%lmldapverify == "oui" + "ldapVerify": "required", + %else + "ldapVerify": "none", + %end if +%end if "ldapSetPassword": 0, "ldapTimeout": 120, "ldapUsePasswordResetAttribute": 1, From bf94e749163fd75603e03746bdcdefa7aefc81bd Mon Sep 17 00:00:00 2001 
From: Philippe Caseiro Date: Wed, 2 Dec 2020 11:52:11 +0100 Subject: [PATCH 13/29] Using Active Directory (samba4) instead of OpenLDAP Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one --- dicos/70_lemonldap_ng.xml | 20 ++++++++++++++++++ dicos/71_lemonldap_ng_scribe.xml | 36 +++++++++++++++----------------- tmpl/handler-apache2.X.conf | 11 ++++++++++ tmpl/lmConf-1.json | 30 +++++++++++++++++++++----- tmpl/manager-apache2.X.conf | 6 +++--- tmpl/portal-apache2.X.conf | 6 +++--- 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index df54a8d..e4d49fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -27,6 +27,14 @@ + + + /cas + + + 443 + + non @@ -39,6 +47,10 @@ + + LDAP + + @@ -83,6 +95,9 @@ oui + + oui + oui @@ -124,6 +139,10 @@ ['ldaps','ldap'] + + ['LDAP','AD'] + + ['info','notice','warn','error','debug'] @@ -168,6 +187,7 @@ non llResetUrl + llResetExpiredPassword ['bootstrap','dark','impact','pastel'] diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index d03e59f..7a5ca95 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,20 +5,13 @@ - - - - cas - - - 443 - - + + + - oui activerLemon @@ -31,11 +24,8 @@ activer_sso - - oui - ldap_tls - ldaps - ldap + + ldaps @@ -44,25 +34,33 @@ nom_domaine_machine + + 636 + + oui eolesso_adresse - adresse_ip_ldap + ad_address - ldap_port + 636 + + + + AD - ldap_reader + sasl_ldap_reader - ldap_reader_passfile + /etc/eole/private/sasl-reader.password diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf index c42747b..d33da34 100644 --- a/tmpl/handler-apache2.X.conf +++ b/tmpl/handler-apache2.X.conf 
@@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503 ServerName %%reloadWebName + SSLEngine on + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key + SSLCertificateChainFile /etc/ssl/certs/ca_local.crt + SSLProtocol all -SSLv3 -SSLv2 + SSLProxyEngine on + + LogLevel %%lm_loglevel + + ErrorLog /var/log/apache2/handler_error.log + CustomLog /var/log/apache2/handler_access.log common # Configuration reload mechanism (only 1 per physical server is # needed): choose your URL to avoid restarting Apache when # configuration change diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 5980d67..4fd5af5 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -85,7 +85,7 @@ }, "authChoiceModules": {}, "authChoiceParam": "lmAuth", - "authentication": "LDAP", + "authentication": "%%lemon_user_db", "browserIdAuthnLevel": 1, "captchaStorage": "Apache::Session::File", "captchaStorageOptions": { @@ -152,10 +152,27 @@ "issuerDBSAMLRule": 1, "jsRedirect": 0, "key": "e\"bTCt3*eU9^\\V%b", +%if %%llResetPassword == "oui" + %if %%llResetExpiredPassword == "oui" + %if %%lemon_user_db == "AD" + "ldapPpolicyControl": 0, + %else + "ldapPpolicyControl": 1, + %end if + "ldapAllowResetExpiredPassword": 1, + %else + "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + %end if +%end if + "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, +%if %%eole_module == "scribe" + "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "ldapBase": "%%ldapUserBaseDN", - "ldapChangePasswordAsUser": 0, +%end if + "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", @@ -170,7 +187,6 @@ "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", "ldapPort": "%%ldapServerPort", - "ldapPpolicyControl": 0, "ldapPwdEnc": "utf-8", "ldapServer": "%%ldapScheme://%%ldapServer", %if %%ldapScheme == "ldaps" 
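Review bot: The TLS block added to the reload vhost copies `SSLProtocol all -SSLv3 -SSLv2` from the manager and portal vhosts, which still leaves TLS 1.0 and 1.1 negotiable on all three; on Apache 2.4 `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` (or `-all +TLSv1.2`) would be the current baseline, and since the other two files are touched in this patch the line can be aligned everywhere at once. `SSLCertificateChainFile` is deprecated in 2.4.8+ in favour of putting the chain in `SSLCertificateFile`, which is worth a comment if the platform's Apache is that recent. Patch 14 re-applies this identical hunk.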
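Review bot: With this hunk `ldapPpolicyControl` and `ldapAllowResetExpiredPassword` are only emitted inside `%if %%llResetPassword == "oui"`, and the following hunk removes the unconditional `"ldapPpolicyControl": 0,`, so when password reset is disabled neither key reaches lmConf and LemonLDAP's built-in defaults silently apply; an outer `%else` emitting `"ldapPpolicyControl": 0,` and `"ldapAllowResetExpiredPassword": 0,` would keep the file explicit. The scribe branch `"ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'` builds the JSON string literal and its closing quote and comma from a Python expression, so a `"` or `\` in `ad_domain` produces invalid JSON; computing the DN into a template variable first and writing a plain `"ldapBase": "<var>",` line is safer, and the same pattern is used for `managerDn` in the next hunk. The context line `"key": "e\"bTCt3*eU9^\\V%b"` is a static secret shipped identically to every deployment of this template; LemonLDAP uses it for its cryptographic helpers, so it should be generated per instance at install time rather than committed. Patch 14 re-applies this identical hunk.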
@@ -218,7 +234,11 @@ %end if %end if "maintenance": 0, +%if %%eole_module == "scribe" + "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "managerDn": "%%ldapBindUserDN", +%end if %if %%is_file(%%ldapBindUserPassword) "managerPassword": "%%readPass("", %%ldapBindUserPassword)", %else @@ -251,7 +271,7 @@ "openIdSreg_fullname": "cn", "openIdSreg_nickname": "uid", "openIdSreg_timezone": "_timezone", - "passwordDB": "LDAP", + "passwordDB": "%%lemon_user_db", "persistentStorage": "Apache::Session::File", "persistentStorageOptions": { "Directory": "/var/lib/lemonldap-ng/psessions", @@ -371,7 +391,7 @@ "useRedirectOnForbidden": 0, "useSafeJail": 1, "userControl": "^[\\w\\.\\-@]+$", - "userDB": "LDAP", + "userDB": "%%lemon_user_db", "vhostOptions": { "%%managerWebName": { "vhostHttps": "1" diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf index 9bca544..cf6fcbd 100644 --- a/tmpl/manager-apache2.X.conf +++ b/tmpl/manager-apache2.X.conf @@ -13,13 +13,13 @@ ServerName %%managerWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/manager_error.log CustomLog /var/log/apache2/manager_access.log common diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf index 71fb6c1..5ab967d 100644 --- a/tmpl/portal-apache2.X.conf +++ b/tmpl/portal-apache2.X.conf 
@@ -13,13 +13,13 @@ ServerName %%authWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/portal_error.log CustomLog /var/log/apache2/portal_access.log common From 200c9c41e94e5a2dc914e6bd0141a427977b9ea2 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 2 Dec 2020 11:52:11 +0100 Subject: [PATCH 14/29] Using Active Directory (samba4) instead of OpenLDAP Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one --- dicos/70_lemonldap_ng.xml | 20 ++++++++++++++++++ dicos/71_lemonldap_ng_scribe.xml | 36 +++++++++++++++----------------- tmpl/handler-apache2.X.conf | 11 ++++++++++ tmpl/lmConf-1.json | 30 +++++++++++++++++++++----- tmpl/manager-apache2.X.conf | 6 +++--- tmpl/portal-apache2.X.conf | 6 +++--- 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index df54a8d..e4d49fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -27,6 +27,14 @@ + + + /cas + + + 443 + + non @@ -39,6 +47,10 @@ + + LDAP + + @@ -83,6 +95,9 @@ oui + + oui + oui @@ -124,6 +139,10 @@ ['ldaps','ldap'] + + ['LDAP','AD'] + + ['info','notice','warn','error','debug'] @@ -168,6 +187,7 @@ non llResetUrl + llResetExpiredPassword ['bootstrap','dark','impact','pastel'] diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index d03e59f..7a5ca95 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,20 +5,13 @@ - - - - cas - - - 443 - - + + + - oui activerLemon @@ -31,11 +24,8 @@ activer_sso - - oui - ldap_tls - ldaps - ldap + + ldaps 
@@ -44,25 +34,33 @@ nom_domaine_machine + + 636 + + oui eolesso_adresse - adresse_ip_ldap + ad_address - ldap_port + 636 + + + + AD - ldap_reader + sasl_ldap_reader - ldap_reader_passfile + /etc/eole/private/sasl-reader.password diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf index c42747b..d33da34 100644 --- a/tmpl/handler-apache2.X.conf +++ b/tmpl/handler-apache2.X.conf @@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503 ServerName %%reloadWebName + SSLEngine on + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key + SSLCertificateChainFile /etc/ssl/certs/ca_local.crt + SSLProtocol all -SSLv3 -SSLv2 + SSLProxyEngine on + + LogLevel %%lm_loglevel + + ErrorLog /var/log/apache2/handler_error.log + CustomLog /var/log/apache2/handler_access.log common # Configuration reload mechanism (only 1 per physical server is # needed): choose your URL to avoid restarting Apache when # configuration change diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 5980d67..4fd5af5 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -85,7 +85,7 @@ }, "authChoiceModules": {}, "authChoiceParam": "lmAuth", - "authentication": "LDAP", + "authentication": "%%lemon_user_db", "browserIdAuthnLevel": 1, "captchaStorage": "Apache::Session::File", "captchaStorageOptions": { 
@@ -152,10 +152,27 @@ "issuerDBSAMLRule": 1, "jsRedirect": 0, "key": "e\"bTCt3*eU9^\\V%b", +%if %%llResetPassword == "oui" + %if %%llResetExpiredPassword == "oui" + %if %%lemon_user_db == "AD" + "ldapPpolicyControl": 0, + %else + "ldapPpolicyControl": 1, + %end if + "ldapAllowResetExpiredPassword": 1, + %else + "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + %end if +%end if + "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, +%if %%eole_module == "scribe" + "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "ldapBase": "%%ldapUserBaseDN", - "ldapChangePasswordAsUser": 0, +%end if + "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", @@ -170,7 +187,6 @@ "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", "ldapPort": "%%ldapServerPort", - "ldapPpolicyControl": 0, "ldapPwdEnc": "utf-8", "ldapServer": "%%ldapScheme://%%ldapServer", %if %%ldapScheme == "ldaps" @@ -218,7 +234,11 @@ %end if %end if "maintenance": 0, +%if %%eole_module == "scribe" + "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "managerDn": "%%ldapBindUserDN", +%end if %if %%is_file(%%ldapBindUserPassword) "managerPassword": "%%readPass("", %%ldapBindUserPassword)", %else @@ -251,7 +271,7 @@ "openIdSreg_fullname": "cn", "openIdSreg_nickname": "uid", "openIdSreg_timezone": "_timezone", - "passwordDB": "LDAP", + "passwordDB": "%%lemon_user_db", "persistentStorage": "Apache::Session::File", "persistentStorageOptions": { "Directory": "/var/lib/lemonldap-ng/psessions", @@ -371,7 +391,7 @@ "useRedirectOnForbidden": 0, "useSafeJail": 1, "userControl": "^[\\w\\.\\-@]+$", - "userDB": "LDAP", + "userDB": "%%lemon_user_db", "vhostOptions": { "%%managerWebName": { "vhostHttps": "1" diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf index 9bca544..cf6fcbd 100644 --- a/tmpl/manager-apache2.X.conf +++ b/tmpl/manager-apache2.X.conf 
@@ -13,13 +13,13 @@ ServerName %%managerWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/manager_error.log CustomLog /var/log/apache2/manager_access.log common diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf index 71fb6c1..5ab967d 100644 --- a/tmpl/portal-apache2.X.conf +++ b/tmpl/portal-apache2.X.conf @@ -13,13 +13,13 @@ ServerName %%authWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/portal_error.log CustomLog /var/log/apache2/portal_access.log common From fe8722e776db1e7b607a61e4c9285ef0a1f184ff Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Mon, 7 Dec 2020 11:58:50 +0100 Subject: [PATCH 15/29] =?UTF-8?q?Activer=20la=20possibilit=C3=A9=20de=20ch?= =?UTF-8?q?anger=20son=20mot=20de=20passe=20depuis=20LemonLDAP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ref #31347 --- dicos/70_lemonldap_ng.xml | 7 +++++-- dicos/71_lemonldap_ng_scribe.xml | 4 ++++ tmpl/lemonldap-ng.ini | 4 ++-- tmpl/lmConf-1.json | 21 ++++++++++++++++----- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index e4d49fc..b3c72fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -92,7 +92,10 @@ non - + + oui + + oui @@ -148,7 +151,7 @@ - ['LDAP','Demo','Custom'] + ['LDAP','AD','Demo','Custom'] casLDAPAttribute 
diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 7a5ca95..691bd0c 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -55,6 +55,10 @@ AD + + AD + + sasl_ldap_reader diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini index 25e511c..81874bd 100644 --- a/tmpl/lemonldap-ng.ini +++ b/tmpl/lemonldap-ng.ini @@ -197,11 +197,11 @@ portalSkin = %%llSkin ; Modules displayed ;portalDisplayLogout = 1 portalDisplayResetPassword = %%boolean[%%llResetPassword] -;portalDisplayChangePassword = 1 +portalDisplayChangePassword = %%boolean[%%llChangePassword] ;portalDisplayAppslist = 1 ;portalDisplayLoginHistory = 1 ; Require the old password when changing password -;portalRequireOldPassword = 1 +portalRequireOldPassword = %%boolean[%%llChangePassword] ; Attribute displayed as connected user ;portalUserAttr = mail ; Old menu HTML code diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 4fd5af5..b136925 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -160,19 +160,29 @@ "ldapPpolicyControl": 1, %end if "ldapAllowResetExpiredPassword": 1, + "ldapChangePasswordAsUser": 1, %else "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + "ldapChangePasswordAsUser": 1, %end if %end if - "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, + "ldapSearchDeref": "find", %if %%eole_module == "scribe" "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' + "ldapExportedVars": { + "cn": "cn", + "mail": "mail", + "uid": "cn" + }, + "ldapGroupAttributeName": "memberUid", + "ldapGroupAttributeNameGroup": "dn", + "ldapGroupAttributeNameSearch": "cn", + "ldapGroupAttributeNameUser": "cn", + "ldapGroupObjectClass": "group", %else "ldapBase": "%%ldapUserBaseDN", -%end if - "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", 
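Review bot: `"ldapChangePasswordAsUser": 1` is removed from its unconditional position and re-added inside both arms of `%if %%llResetExpiredPassword`, which sits under `%if %%llResetPassword == "oui"`, so when password reset is off the key is no longer emitted at all even though this patch is about enabling password change; restoring the single unconditional line next to `"ldapAuthnLevel": 2,` and dropping the two copies fixes both the regression and the duplication. The new `%if %%eole_module == "scribe"` block opened here is closed by the `+%end if` in the next hunk, and the AD branch maps `"uid": "cn"` while the generic branch keeps `uid` — worth a one-line comment above the `%if` explaining the AD attribute mapping. Patch 16 re-applies this identical hunk.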
@@ -183,6 +193,7 @@ "ldapGroupAttributeNameSearch": "cn", "ldapGroupAttributeNameUser": "uid", "ldapGroupObjectClass": "eolegroupe", +%end if "ldapGroupRecursive": 0, "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", @@ -228,7 +239,7 @@ "mailTimeout": 0, %if %%llResetPassword == "oui" %if %%is_empty(%%llResetUrl) - "mailUrl": "https://%%authWebName/mail.pl", + "mailUrl": "https://%%authWebName/resetpwd", %else "mailUrl": "%%llResetUrl", %end if @@ -281,7 +292,7 @@ "portalAntiFrame": 1, "portalCheckLogins": %%boolean[%%llCheckLogins], "portalDisplayAppslist": 1, - "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", + "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/", "portalDisplayLoginHistory": 1, "portalDisplayLogout": 1, "portalDisplayRegister": 1, From 87818bd6f06c9b5e25c4f52443d329ce82c6ea80 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Mon, 7 Dec 2020 11:58:50 +0100 Subject: [PATCH 16/29] =?UTF-8?q?Activer=20la=20possibilit=C3=A9=20de=20ch?= =?UTF-8?q?anger=20son=20mot=20de=20passe=20depuis=20LemonLDAP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ref #31347 --- dicos/70_lemonldap_ng.xml | 7 +++++-- dicos/71_lemonldap_ng_scribe.xml | 4 ++++ tmpl/lemonldap-ng.ini | 4 ++-- tmpl/lmConf-1.json | 21 ++++++++++++++++----- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index e4d49fc..b3c72fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -92,7 +92,10 @@ non - + + oui + + oui @@ -148,7 +151,7 @@ - ['LDAP','Demo','Custom'] + ['LDAP','AD','Demo','Custom'] casLDAPAttribute diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 7a5ca95..691bd0c 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -55,6 +55,10 @@ AD + + AD + + sasl_ldap_reader 
diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini index 0f497ae..d3a83c2 100644 --- a/tmpl/lemonldap-ng.ini +++ b/tmpl/lemonldap-ng.ini @@ -197,11 +197,11 @@ portalSkin = %%llSkin ; Modules displayed ;portalDisplayLogout = 1 portalDisplayResetPassword = %%boolean[%%llResetPassword] -;portalDisplayChangePassword = 1 +portalDisplayChangePassword = %%boolean[%%llChangePassword] ;portalDisplayAppslist = 1 ;portalDisplayLoginHistory = 1 ; Require the old password when changing password -;portalRequireOldPassword = 1 +portalRequireOldPassword = %%boolean[%%llChangePassword] ; Attribute displayed as connected user ;portalUserAttr = mail ; Old menu HTML code diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 4fd5af5..b136925 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -160,19 +160,29 @@ "ldapPpolicyControl": 1, %end if "ldapAllowResetExpiredPassword": 1, + "ldapChangePasswordAsUser": 1, %else "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + "ldapChangePasswordAsUser": 1, %end if %end if - "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, + "ldapSearchDeref": "find", %if %%eole_module == "scribe" "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' + "ldapExportedVars": { + "cn": "cn", + "mail": "mail", + "uid": "cn" + }, + "ldapGroupAttributeName": "memberUid", + "ldapGroupAttributeNameGroup": "dn", + "ldapGroupAttributeNameSearch": "cn", + "ldapGroupAttributeNameUser": "cn", + "ldapGroupObjectClass": "group", %else "ldapBase": "%%ldapUserBaseDN", -%end if - "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", @@ -183,6 +193,7 @@ "ldapGroupAttributeNameSearch": "cn", "ldapGroupAttributeNameUser": "uid", "ldapGroupObjectClass": "eolegroupe", +%end if "ldapGroupRecursive": 0, "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", 
@@ -228,7 +239,7 @@ "mailTimeout": 0, %if %%llResetPassword == "oui" %if %%is_empty(%%llResetUrl) - "mailUrl": "https://%%authWebName/mail.pl", + "mailUrl": "https://%%authWebName/resetpwd", %else "mailUrl": "%%llResetUrl", %end if @@ -281,7 +292,7 @@ "portalAntiFrame": 1, "portalCheckLogins": %%boolean[%%llCheckLogins], "portalDisplayAppslist": 1, - "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", + "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/", "portalDisplayLoginHistory": 1, "portalDisplayLogout": 1, "portalDisplayRegister": 1, From 47e822f9b9b452b879060ac393e0c05c6dc4fd36 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 9 Dec 2020 16:48:14 +0100 Subject: [PATCH 17/29] Updating lmlog file for nginx mode --- dicos/70_lemonldap_ng.xml | 1 + tmpl/nginx-lmlog.conf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index b3c72fc..f243ffb 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -9,6 +9,7 @@ + diff --git a/tmpl/nginx-lmlog.conf b/tmpl/nginx-lmlog.conf index c41f252..3db97b1 100644 --- a/tmpl/nginx-lmlog.conf +++ b/tmpl/nginx-lmlog.conf @@ -1,3 +1,3 @@ -log_format lm_combined '$remote_addr - $lmremote_user [$time_local] ' +log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + '"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom'; From 3753625b20850de55911783b4900ec9c7d17eb69 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 9 Dec 2020 17:17:30 +0100 Subject: [PATCH 18/29] Updating nginx configuration for 2.8 --- tmpl/handler-nginx.conf | 5 ++--- tmpl/manager-nginx.conf | 9 ++++----- tmpl/portal-nginx.conf | 9 ++++----- 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/tmpl/handler-nginx.conf b/tmpl/handler-nginx.conf index 726bc86..f7dcbf4 100644 --- a/tmpl/handler-nginx.conf 
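Review bot: The format name changes from `lm_combined` to `lm_app`, and no hunk in this series shows the `access_log` directives that reference it being updated; an `access_log ... lm_combined;` left in a site template would make nginx reject the configuration at reload, so that reference should be checked in the same commit. The new `$upstream_http_lm_remote_user` and `$upstream_http_lm_remote_custom` fields are presumably the `Lm-Remote-User` / `Lm-Remote-Custom` response headers returned by the handler; a comment above the directive naming where those headers come from, e.g. `# user and custom fields are filled from the handler's Lm-Remote-* response headers`, would make the format self-explanatory.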
+++ b/tmpl/handler-nginx.conf @@ -23,8 +23,7 @@ server { } server { - listen 443; - ssl on; + listen 443 ssl; %if %%cert_type == "letsencrypt" ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; @@ -62,7 +61,7 @@ server { deny all; # Uncomment this if you use https only - #add_header Strict-Transport-Security "max-age=15768000"; + add_header Strict-Transport-Security "max-age=15768000"; } } diff --git a/tmpl/manager-nginx.conf b/tmpl/manager-nginx.conf index b1db898..4399ed3 100644 --- a/tmpl/manager-nginx.conf +++ b/tmpl/manager-nginx.conf @@ -5,8 +5,7 @@ server { } server { - listen 443; - ssl on; + listen 443 ssl; %if %%cert_type == "letsencrypt" ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; @@ -70,8 +69,8 @@ server { # DEBIAN # If install was made with USEDEBIANLIBS (official releases), uncomment this - #location /javascript/ { - # alias /usr/share/javascript/; - #} + location /javascript/ { + alias /usr/share/javascript/; + } } diff --git a/tmpl/portal-nginx.conf b/tmpl/portal-nginx.conf index c754ac4..634f4f8 100644 --- a/tmpl/portal-nginx.conf +++ b/tmpl/portal-nginx.conf @@ -15,8 +15,7 @@ server { } server { - listen 443; - ssl on; + listen 443 ssl; %if %%cert_type == "letsencrypt" ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem; ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem; @@ -83,7 +82,7 @@ server { # DEBIAN # If install was made with USEDEBIANLIBS (official releases), uncomment this - #location /javascript/ { - # alias /usr/share/javascript/; - #} + location /javascript/ { + alias /usr/share/javascript/; + } } From e810740ba947a9d6be145f880a9eb6965e83c1b8 Mon Sep 17 00:00:00 2001 
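Review bot: The comment `# Uncomment this if you use https only` is now stale, since the `add_header Strict-Transport-Security "max-age=15768000";` line below it is active; it should describe what the directive does, e.g. `# HSTS: browsers pin this host to HTTPS for ~6 months after the first TLS response`. Where it sits, nginx's `add_header` applies only to responses from that block, and a block that declares its own `add_header` no longer inherits those of the enclosing `server`; the enclosing block starts above the hunk (the `deny all;` suggests a `location`), so confirm the header also reaches the responses served by the other locations, and consider the `always` flag if it should be sent on error responses too. The same "uncomment this" wording survives above the `location /javascript/` blocks this commit enables in manager-nginx.conf and portal-nginx.conf.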
From: Philippe Caseiro Date: Fri, 11 Dec 2020 09:25:41 +0100 Subject: [PATCH 19/29] Adding AD password warning support --- dicos/70_lemonldap_ng.xml | 12 ++++++++++++ tmpl/lmConf-1.json | 6 ++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index f243ffb..49e614d 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -99,6 +99,12 @@ oui + + 5184000 + + + 3456000 + oui @@ -158,6 +164,12 @@ casLDAPAttribute + + AD + llADPasswordMaxAge + llADPasswordExpireWarn + + non lemonldap diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index b136925..a794cd1 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -13,8 +13,10 @@ %silent %%exported_vars.sort() %silent %%cas_attributes.sort() { - "ADPwdExpireWarning": 0, - "ADPwdMaxAge": 0, +%if %%lemon_user_db == "AD" + "ADPwdExpireWarning": %%llADPasswordExpireWarn, + "ADPwdMaxAge": %%llADPasswordMaxAge, +%end if "CAS_authnLevel": 1, "CAS_pgtFile": "/tmp/pgt.txt", "CAS_proxiedServices": {}, From cf8261645471c8b501e06c5403242f88f8fbd963 Mon Sep 17 00:00:00 2001 From: Matthieu Lamalle Date: Mon, 14 Dec 2020 10:24:17 +0100 Subject: [PATCH 20/29] correction on condition --- dicos/70_lemonldap_ng.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 49e614d..e648467 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -164,7 +164,7 @@ casLDAPAttribute - + AD llADPasswordMaxAge llADPasswordExpireWarn From 20e382934cfed75f9a9800c82cdee92335e42426 Mon Sep 17 00:00:00 2001 From: Matthieu Lamalle Date: Mon, 14 Dec 2020 14:04:09 +0100 Subject: [PATCH 21/29] set default openldap --- dicos/71_lemonldap_ng_scribe.xml | 14 ++++++++------ tmpl/lmConf-1.json | 18 ------------------ 2 files changed, 8 insertions(+), 24 deletions(-) diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 691bd0c..67433ca 100644 
--- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -35,8 +35,8 @@ - 636 - + 389 + oui @@ -48,17 +48,19 @@ - 636 + 389 - AD + LDAP - AD + LDAP + + + ldap_base_dn - sasl_ldap_reader diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index a794cd1..e38468e 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -171,19 +171,6 @@ %end if "ldapAuthnLevel": 2, "ldapSearchDeref": "find", -%if %%eole_module == "scribe" - "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' - "ldapExportedVars": { - "cn": "cn", - "mail": "mail", - "uid": "cn" - }, - "ldapGroupAttributeName": "memberUid", - "ldapGroupAttributeNameGroup": "dn", - "ldapGroupAttributeNameSearch": "cn", - "ldapGroupAttributeNameUser": "cn", - "ldapGroupObjectClass": "group", -%else "ldapBase": "%%ldapUserBaseDN", "ldapExportedVars": { "cn": "cn", @@ -195,7 +182,6 @@ "ldapGroupAttributeNameSearch": "cn", "ldapGroupAttributeNameUser": "uid", "ldapGroupObjectClass": "eolegroupe", -%end if "ldapGroupRecursive": 0, "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", @@ -247,11 +233,7 @@ %end if %end if "maintenance": 0, -%if %%eole_module == "scribe" - "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' -%else "managerDn": "%%ldapBindUserDN", -%end if %if %%is_file(%%ldapBindUserPassword) "managerPassword": "%%readPass("", %%ldapBindUserPassword)", %else From 569e0caab86704c3f54433120e5078a346d8e558 Mon Sep 17 00:00:00 2001 From: Matthieu Lamalle Date: Wed, 16 Dec 2020 10:30:33 +0100 Subject: [PATCH 22/29] set correct openldap conf --- dicos/71_lemonldap_ng_scribe.xml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 67433ca..98d68d9 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -24,9 +24,6 @@ activer_sso - - ldaps - authWebName 
@@ -34,21 +31,24 @@ nom_domaine_machine - - 389 - - oui eolesso_adresse + + oui + ldap_tls + ldaps + ldap + + - ad_address + adresse_ip_ldap - 389 + ldap_port @@ -62,11 +62,11 @@ ldap_base_dn - sasl_ldap_reader + ldap_reader - /etc/eole/private/sasl-reader.password + ldap_reader_passfile @@ -77,4 +77,4 @@ - + \ No newline at end of file From f3b120eb62948e1c6ebccd3ba879a59cb95b5756 Mon Sep 17 00:00:00 2001 From: Emmanuel Garette Date: Tue, 5 Jan 2021 11:27:02 +0100 Subject: [PATCH 23/29] =?UTF-8?q?patch=20lemonldap=20pour=20corriger=20le?= =?UTF-8?q?=20probl=C3=A8me=20des=20attributs=20avec=20la=20valeur=200=20(?= =?UTF-8?q?ref=20#31384)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Makefile | 2 +- eole-lemonldap-ng.mk | 2 + eole-lemonldap.mk | 1 - lemonldap-ng/LDAP.pm | 102 ++++++++++++++++++++++++++++++++ lemonldap-ng/LDAP.pm.patch | 20 +++++++ posttemplate/70-lemonldap-patch | 12 ++++ 6 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 eole-lemonldap-ng.mk delete mode 100644 eole-lemonldap.mk create mode 100644 lemonldap-ng/LDAP.pm create mode 100644 lemonldap-ng/LDAP.pm.patch create mode 100755 posttemplate/70-lemonldap-patch diff --git a/Makefile b/Makefile index fd9c34a..655b480 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ # Makefile pour XXX-XXX ################################ -SOURCE=eole-lemonldap +SOURCE=eole-lemonldap-ng VERSION=2.8.0 EOLE_VERSION=2.8 EOLE_RELEASE=2.8.0 diff --git a/eole-lemonldap-ng.mk b/eole-lemonldap-ng.mk new file mode 100644 index 0000000..25693df --- /dev/null +++ b/eole-lemonldap-ng.mk @@ -0,0 +1,2 @@ +creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs +lemonldap-ng_DATA_DIR := $(eole_DIR)/lemonldap-ng diff --git a/eole-lemonldap.mk b/eole-lemonldap.mk deleted file mode 100644 index b152d43..0000000 --- a/eole-lemonldap.mk +++ /dev/null @@ -1 +0,0 @@ -creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs 
diff --git a/lemonldap-ng/LDAP.pm b/lemonldap-ng/LDAP.pm new file mode 100644 index 0000000..e62ad43 --- /dev/null +++ b/lemonldap-ng/LDAP.pm 
@@ -0,0 +1,102 @@ +package Lemonldap::NG::Portal::UserDB::LDAP; + +use strict; +use Mouse; +use utf8; +use Lemonldap::NG::Portal::Main::Constants qw(PE_OK); + +extends 'Lemonldap::NG::Portal::Lib::LDAP'; + +our $VERSION = '2.0.6'; + +has ldapGroupAttributeNameSearch => ( + is => 'rw', + lazy => 1, + builder => sub { + my $attributes = []; + @$attributes = + split( /\s+/, $_[0]->{conf}->{ldapGroupAttributeNameSearch} ) + if $_[0]->{conf}->{ldapGroupAttributeNameSearch}; + push( @$attributes, $_[0]->{conf}->{ldapGroupAttributeNameGroup} ) + if ( $_[0]->{conf}->{ldapGroupRecursive} + and $_[0]->{conf}->{ldapGroupAttributeNameGroup} ne "dn" ); + return $attributes; + } +); + +# RUNNING METHODS +# +# getUser is provided by Portal::Lib::LDAP + +# Load all parameters included in exportedVars parameter. +# Multi-value parameters are loaded in a single string with +# a separator (param multiValuesSeparator) +# @return Lemonldap::NG::Portal constant +sub setSessionInfo { + my ( $self, $req ) = @_; + $req->{sessionInfo}->{_dn} = $req->data->{dn}; + + my %vars = ( %{ $self->conf->{exportedVars} }, + %{ $self->conf->{ldapExportedVars} } ); + while ( my ( $k, $v ) = each %vars ) { + + # getLdapValue returns an empty string for missing attribute + # but we really want to return undef so they don't get stored in session + $req->sessionInfo->{$k} = + $self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef; + } + + PE_OK; +} + +# Load all groups in $groups. +# @return Lemonldap::NG::Portal constant +sub setGroups { + my ( $self, $req ) = @_; + my $groups = $req->{sessionInfo}->{groups}; + my $hGroups = $req->{sessionInfo}->{hGroups}; + + if ( $self->conf->{ldapGroupBase} ) { + + # Get value for group search + my $group_value = $self->ldap->getLdapValue( $req->data->{ldapentry}, + $self->conf->{ldapGroupAttributeNameUser} ); + + if ( $self->conf->{ldapGroupDecodeSearchedValue} ) { + utf8::decode($group_value); + } + + $self->logger->debug( "Searching LDAP groups in " + . 
$self->conf->{ldapGroupBase} + . " for $group_value" ); + + # Call searchGroups + my $ldapGroups = $self->ldap->searchGroups( + $self->conf->{ldapGroupBase}, + $self->conf->{ldapGroupAttributeName}, + $group_value, + $self->ldapGroupAttributeNameSearch, + $req->{ldapGroupDuplicateCheck} + ); + + foreach ( keys %$ldapGroups ) { + my $groupName = $_; + $hGroups->{$groupName} = $ldapGroups->{$groupName}; + my $groupValues = []; + foreach ( @{ $self->ldapGroupAttributeNameSearch } ) { + next if $_ =~ /^name$/; + my $firstValue = $ldapGroups->{$groupName}->{$_}->[0]; + push @$groupValues, $firstValue; + } + $groups .= $self->conf->{multiValuesSeparator} if $groups; + $groups .= join( '|', @$groupValues ); + } + + } + + $req->{sessionInfo}->{groups} = $groups; + $req->{sessionInfo}->{hGroups} = $hGroups; + PE_OK; +} + +1; diff --git a/lemonldap-ng/LDAP.pm.patch b/lemonldap-ng/LDAP.pm.patch new file mode 100644 index 0000000..e2c7456 --- /dev/null +++ b/lemonldap-ng/LDAP.pm.patch @@ -0,0 +1,20 @@ +--- /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm.old 2019-12-11 12:05:54.000000000 +0100 ++++ /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm 2021-01-05 10:54:19.188732119 +0100 +@@ -40,10 +40,15 @@ + %{ $self->conf->{ldapExportedVars} } ); + while ( my ( $k, $v ) = each %vars ) { + ++ my $value = $self->ldap->getLdapValue( $req->data->{ldapentry}, $v ); ++ + # getLdapValue returns an empty string for missing attribute + # but we really want to return undef so they don't get stored in session +- $req->sessionInfo->{$k} = +- $self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef; ++ # This has to be a string comparison because "0" is a valid attribute ++ # value. See #2403 ++ $value = undef if ( $value eq "" ); ++ ++ $req->sessionInfo->{$k} = $value; + } + + PE_OK; diff --git a/posttemplate/70-lemonldap-patch b/posttemplate/70-lemonldap-patch new file mode 100755 index 0000000..ede0e0e --- /dev/null +++ b/posttemplate/70-lemonldap-patch 
@@ -0,0 +1,12 @@ +#!/bin/bash + +# vérifie si le patch est déjà appliqué +grep -q 2403 /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm && exit 0 + +# copie de sauvegarde +cp -a /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm /usr/share/eole/lemonldap-ng/ + +# application du patch +patch -d / -p 0 < /usr/share/eole/lemonldap-ng/LDAP.pm.patch + +exit 0 From eddc9696c3537c4a8e3a281733ce3ad762619942 Mon Sep 17 00:00:00 2001 From: pcaseiro Date: Wed, 6 Jan 2021 11:23:29 +0100 Subject: [PATCH 24/29] =?UTF-8?q?Mise=20=C3=A0=20jour=20de=20'README.md'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 70cc7e0..db14b1b 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ LemonLDAP::NG EOLE integration GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt -#### LemonLDAP::NG repository (if you use EOLE 2.7.2 this is not needed anymore) +#### LemonLDAP::NG repository (if you use EOLE 2.8.X this is not needed anymore) * deb https://lemonldap-ng.org/deb stable main * deb-src https://lemonldap-ng.org/deb stable main From 583e77d7c7a387c37e066de0f2a5ab3e65880402 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Fri, 29 Jan 2021 10:10:15 +0100 Subject: [PATCH 25/29] Fix Register button display --- tmpl/lmConf-1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index e38468e..39e2589 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -279,7 +279,7 @@ "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/", "portalDisplayLoginHistory": 1, "portalDisplayLogout": 1, - "portalDisplayRegister": 1, + "portalDisplayRegister": %%boolean[%%llRegisterAccount], "portalDisplayResetPassword": %%boolean[%%llResetPassword], "portalForceAuthn": 0, "portalForceAuthnInterval": 0, From adea10270dfa687bea7d6eca98cc8d69998f501e Mon Sep 17 00:00:00 2001 
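Review bot: The exit status of `patch` is discarded: the script ends with an unconditional `exit 0`, so a rejected hunk (for instance after a LemonLDAP::NG upgrade that changes `LDAP.pm`) leaves the portal running unpatched while the template run reports success. Change the patch line to `patch -d / -p 0 < /usr/share/eole/lemonldap-ng/LDAP.pm.patch || exit 1`, or add `set -e` after the shebang, so the failure surfaces. The backup `cp -a` also writes into `/usr/share/eole/lemonldap-ng/`, which appears to be the same directory the new `.mk` earlier in this patch installs the repository's own `LDAP.pm` into, so the packaged copy is overwritten by the backup on first run; if that packaged copy is only a reference, a comment saying so next to the `cp` would avoid confusion.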
From: Philippe Caseiro Date: Wed, 3 Feb 2021 15:44:14 +0100 Subject: [PATCH 26/29] Fix LDAP/CAS/Exported attributes bug --- tmpl/lmConf-1.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 39e2589..6b5081c 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -2,9 +2,11 @@ %set %%ssoFilters = %%getSSOFilters %set %%exported_vars = ['"UA": "HTTP_USER_AGENT"'] %set %%cas_attributes = [] +%set %%ldap_attributes = ['"uid": "uid"', '"mail": "mail"','"cn":"cn"'] %for %%attr in %%casAttribute - %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"') - %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"') + %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') + %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') + %silent %%ldap_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') %end for %for %%key, %%value in %%ssoFilters %silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"') @@ -173,9 +175,7 @@ "ldapSearchDeref": "find", "ldapBase": "%%ldapUserBaseDN", "ldapExportedVars": { - "cn": "cn", - "mail": "mail", - "uid": "uid" + %%custom_join(%%ldap_attributes, ',\n ') }, "ldapGroupAttributeName": "memberUid", "ldapGroupAttributeNameGroup": "dn", From 918ceab88250a27b747a2ba387fe82ca80da7140 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 3 Feb 2021 15:48:55 +0100 Subject: [PATCH 27/29] Export LDAP Attributes this attributes and the variables names have to be named with the same name --- tmpl/lmConf-1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 6b5081c..4304c35 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json 
@@ -6,7 +6,7 @@ %for %%attr in %%casAttribute %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') - %silent %%ldap_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') + %silent %%ldap_attributes.append('"' + %%attr.casLDAPAttribute + '": "' + %%attr.casLDAPAttribute + '"') %end for %for %%key, %%value in %%ssoFilters %silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"') From 293d940fdcf75922f7ea2e86b8f0f585031955cf Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 3 Feb 2021 17:18:18 +0100 Subject: [PATCH 28/29] Adding ldapExportedVars --- tmpl/lmConf-1.json | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 4304c35..c9a64c3 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json 
@@ -1,19 +1,25 @@ %set %%boolean = {'oui': 1, 'non': 0} %set %%ssoFilters = %%getSSOFilters +%set %%ldapAttributes = {"uid": "uid", "mail": "mail", "cn":"cn"} %set %%exported_vars = ['"UA": "HTTP_USER_AGENT"'] %set %%cas_attributes = [] -%set %%ldap_attributes = ['"uid": "uid"', '"mail": "mail"','"cn":"cn"'] +%set %%ldap_attributes = {} %for %%attr in %%casAttribute %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"') - %silent %%ldap_attributes.append('"' + %%attr.casLDAPAttribute + '": "' + %%attr.casLDAPAttribute + '"') + %set %%ldap_attributes[%%attr.casLDAPAttribute] = %%attr.casLDAPAttribute %end for %for %%key, %%value in %%ssoFilters %silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"') %silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"') + %set %%ldap_attributes[%%value] = %%value %end for %silent %%exported_vars.sort() %silent %%cas_attributes.sort() +%set %%ldapAttr = [] +%for %%k, %%v in %%ldap_attributes.items() + %silent %%ldapAttr.append('"' + %%k + '": "' + %%v + '"') +%end for { %if %%lemon_user_db == "AD" "ADPwdExpireWarning": %%llADPasswordExpireWarn, @@ -175,7 +181,7 @@ "ldapSearchDeref": "find", "ldapBase": "%%ldapUserBaseDN", "ldapExportedVars": { - %%custom_join(%%ldap_attributes, ',\n ') + %%custom_join(%%ldapAttr, ',\n ') }, "ldapGroupAttributeName": "memberUid", "ldapGroupAttributeNameGroup": "dn", From 3edf7dd77428f6a95bb60e18f8a5af97698725fd Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 3 Mar 2021 16:24:20 +0100 Subject: [PATCH 29/29] Fix ldapVerify values --- tmpl/lmConf-1.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index c9a64c3..61b34df 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json 
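Review bot: `%%ldapAttributes`, set on the third line with the `uid`/`mail`/`cn` defaults, is never read: the loops and the later `%%custom_join` use `%%ldap_attributes`, which this hunk re-initialises to `{}`, so `ldapExportedVars` loses the three default attributes the previous version exported unless they also appear in `casAttribute` or the SSO filters. Initialise the dictionary that is actually used, `%set %%ldap_attributes = {"uid": "uid", "mail": "mail", "cn": "cn"}`, and drop the unused `%%ldapAttributes` line. Iterating the dictionary with `.items()` also gives no stable order, unlike the `.sort()` calls just above on the two lists, so `%for %%k, %%v in sorted(%%ldap_attributes.items())` would keep the generated file diff-stable between runs.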
@@ -196,9 +196,9 @@
 "ldapServer": "%%ldapScheme://%%ldapServer",
 %if %%ldapScheme == "ldaps"
 %if %%lmldapverify == "oui"
- "ldapVerify": "required",
+ "ldapVerify": "Require",
 %else
- "ldapVerify": "none",
+ "ldapVerify": "None",
 %end if
 %end if
 "ldapSetPassword": 0,
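Review bot: The `%else` branch still writes `"ldapVerify": "None"`, which turns off certificate verification on the `ldaps://` connection, so the directory's identity is not checked even though the administrator chose TLS; a template comment above the `%else`, e.g. `None skips certificate checks on the ldaps connection (test setups only)`, would make that trade-off visible where it is generated. The values are changed to the capitalised `Require`/`None`; if the consuming code compares the string case-sensitively against lowercase option keys, the setting could silently fall back to its default instead of the chosen mode, so it is worth confirming the accepted spellings against the LemonLDAP::NG version deployed (the vendored `LDAP.pm` in this series declares `2.0.6`).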