Merge branch 'master' into 2.7.2/master

2021-03-03 17:05:07 +01:00
parent 0f0e822069 3edf7dd774
commit da3c97d534
16 changed files with 280 additions and 61 deletions
--- a/tmpl/handler-apache2.X.conf
+++ b/tmpl/handler-apache2.X.conf
@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%reloadWebName

+    SSLEngine on
+    SSLCertificateFile   %%server_cert
+    SSLCertificateKeyFile %%server_key
+    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+    SSLProtocol all -SSLv3 -SSLv2
+    SSLProxyEngine on
+
+    LogLevel %%lm_loglevel
+
+    ErrorLog /var/log/apache2/handler_error.log
+    CustomLog /var/log/apache2/handler_access.log common
    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when
    # configuration change
--- a/tmpl/handler-nginx.conf
+++ b/tmpl/handler-nginx.conf
@ -23,8 +23,7 @@ server {
 }

 server {
-  listen 443;
-  ssl on;
+  listen 443 ssl;
 %if %%cert_type == "letsencrypt"
  ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
  ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -62,7 +61,7 @@ server {
    deny all;

    # Uncomment this if you use https only
-    #add_header Strict-Transport-Security "max-age=15768000";
+    add_header Strict-Transport-Security "max-age=15768000";
  }

 }
--- a/tmpl/lemonldap-ng.ini
+++ b/tmpl/lemonldap-ng.ini
@ -36,7 +36,7 @@
 ;
 ; 1 - Defined logging level
 ;   Set here one of error, warn, notice, info or debug
-logLevel     = debug
+logLevel     = %%lm_loglevel
 ; Note that this has no effect for Apache2 logging: Apache LogLevel is used
 ; instead
 ;
@ -65,9 +65,9 @@ logLevel     = debug
 ; 2.1 - Using Syslog
 ;
 ;   For Syslog logging, you can also overwrite facilities. Default values:
-;logger             = Lemonldap::NG::Common::Logger::Syslog
-;syslogFacility     = daemon
-;userSyslogFacility = auth
+logger             = Lemonldap::NG::Common::Logger::Syslog
+syslogFacility     = daemon
+userSyslogFacility = auth
 ;
 ; 2.2 - Using Log4perl
 ;
@ -197,11 +197,11 @@ portalSkin = %%llSkin
 ; Modules displayed
 ;portalDisplayLogout = 1
 portalDisplayResetPassword = %%boolean[%%llResetPassword]
-;portalDisplayChangePassword = 1
+portalDisplayChangePassword = %%boolean[%%llChangePassword]
 ;portalDisplayAppslist = 1
 ;portalDisplayLoginHistory = 1
 ; Require the old password when changing password
-;portalRequireOldPassword = 1
+portalRequireOldPassword = %%boolean[%%llChangePassword]
 ; Attribute displayed as connected user
 ;portalUserAttr = mail
 ; Old menu HTML code
--- a/tmpl/lmConf-1.json
+++ b/tmpl/lmConf-1.json
@ -1,20 +1,30 @@
 %set %%boolean = {'oui': 1, 'non': 0}
 %set %%ssoFilters = %%getSSOFilters
+%set %%ldapAttributes = {"uid": "uid", "mail": "mail", "cn":"cn"}
 %set %%exported_vars = ['"UA": "HTTP_USER_AGENT"']
 %set %%cas_attributes = []
+%set %%ldap_attributes = {}
 %for %%attr in %%casAttribute
-    %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"')
-    %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"')
+    %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
+    %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
+    %set %%ldap_attributes[%%attr.casLDAPAttribute] = %%attr.casLDAPAttribute
 %end for
 %for %%key, %%value in %%ssoFilters
    %silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"')
    %silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"')
+    %set %%ldap_attributes[%%value] = %%value
 %end for
 %silent %%exported_vars.sort()
 %silent %%cas_attributes.sort()
+%set %%ldapAttr = []
+%for %%k, %%v in %%ldap_attributes.items()
+   %silent %%ldapAttr.append('"' + %%k + '": "' + %%v + '"')
+%end for
 {
-    "ADPwdExpireWarning": 0,
-    "ADPwdMaxAge": 0,
+%if %%lemon_user_db == "AD"
+    "ADPwdExpireWarning": %%llADPasswordExpireWarn,
+    "ADPwdMaxAge": %%llADPasswordMaxAge,
+%end if
    "CAS_authnLevel": 1,
    "CAS_pgtFile": "/tmp/pgt.txt",
    "CAS_proxiedServices": {},
@ -85,7 +95,7 @@
    },
    "authChoiceModules": {},
    "authChoiceParam": "lmAuth",
-    "authentication": "LDAP",
+    "authentication": "%%lemon_user_db",
    "browserIdAuthnLevel": 1,
    "captchaStorage": "Apache::Session::File",
    "captchaStorageOptions": {
@ -152,14 +162,26 @@
    "issuerDBSAMLRule": 1,
    "jsRedirect": 0,
    "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+  %if %%llResetExpiredPassword == "oui"
+    %if %%lemon_user_db == "AD"
+    "ldapPpolicyControl": 0,
+    %else
+    "ldapPpolicyControl": 1,
+    %end if
+    "ldapAllowResetExpiredPassword": 1,
+    "ldapChangePasswordAsUser": 1,
+  %else
+    "ldapPpolicyControl": 0,
    "ldapAllowResetExpiredPassword": 0,
+    "ldapChangePasswordAsUser": 1,
+  %end if
+%end if
    "ldapAuthnLevel": 2,
+    "ldapSearchDeref": "find",
    "ldapBase": "%%ldapUserBaseDN",
-    "ldapChangePasswordAsUser": 0,
    "ldapExportedVars": {
-        "cn": "cn",
-        "mail": "mail",
-        "uid": "uid"
+        %%custom_join(%%ldapAttr, ',\n        ')
    },
    "ldapGroupAttributeName": "memberUid",
    "ldapGroupAttributeNameGroup": "dn",
@ -170,9 +192,15 @@
    "ldapPasswordResetAttribute": "pwdReset",
    "ldapPasswordResetAttributeValue": "TRUE",
    "ldapPort": "%%ldapServerPort",
-    "ldapPpolicyControl": 0,
    "ldapPwdEnc": "utf-8",
    "ldapServer": "%%ldapScheme://%%ldapServer",
+%if %%ldapScheme == "ldaps"
+   %if %%lmldapverify == "oui"
+    "ldapVerify": "Require",
+   %else
+    "ldapVerify": "None",
+   %end if
+%end if
    "ldapSetPassword": 0,
    "ldapTimeout": 120,
    "ldapUsePasswordResetAttribute": 1,
@ -212,7 +240,7 @@
    "mailTimeout": 0,
 %if %%llResetPassword == "oui"
    %if %%is_empty(%%llResetUrl)
-    "mailUrl": "https://%%authWebName/mail.pl",
+    "mailUrl": "https://%%authWebName/resetpwd",
    %else
    "mailUrl": "%%llResetUrl",
    %end if
@ -251,7 +279,7 @@
    "openIdSreg_fullname": "cn",
    "openIdSreg_nickname": "uid",
    "openIdSreg_timezone": "_timezone",
-    "passwordDB": "LDAP",
+    "passwordDB": "%%lemon_user_db",
    "persistentStorage": "Apache::Session::File",
    "persistentStorageOptions": {
        "Directory": "/var/lib/lemonldap-ng/psessions",
@ -261,7 +289,7 @@
    "portalAntiFrame": 1,
    "portalCheckLogins": %%boolean[%%llCheckLogins],
    "portalDisplayAppslist": 1,
-    "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
+    "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
    "portalDisplayLoginHistory": 1,
    "portalDisplayLogout": 1,
    "portalDisplayRegister": %%boolean[%%llRegisterAccount],
@ -371,7 +399,7 @@
    "useRedirectOnForbidden": 0,
    "useSafeJail": 1,
    "userControl": "^[\\w\\.\\-@]+$",
-    "userDB": "LDAP",
+    "userDB": "%%lemon_user_db",
    "vhostOptions": {
        "%%managerWebName": {
            "vhostHttps": "1"
--- a/tmpl/manager-apache2.X.conf
+++ b/tmpl/manager-apache2.X.conf
@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%managerWebName
    SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    SSLProtocol all -SSLv3 -SSLv2
    SSLProxyEngine on

-    LogLevel info
+    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/manager_error.log
    CustomLog /var/log/apache2/manager_access.log common

--- a/tmpl/manager-nginx.conf
+++ b/tmpl/manager-nginx.conf
@ -5,8 +5,7 @@ server {
 }

 server {
-  listen 443;
-  ssl on;
+  listen 443 ssl;
  %if %%cert_type == "letsencrypt"
  ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
  ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -70,8 +69,8 @@ server {

  # DEBIAN
  # If install was made with USEDEBIANLIBS (official releases), uncomment this
-  #location /javascript/ {
-  #  alias /usr/share/javascript/;
-  #}
+  location /javascript/ {
+    alias /usr/share/javascript/;
+  }

 }
--- a/tmpl/nginx-lmlog.conf
+++ b/tmpl/nginx-lmlog.conf
@ -1,3 +1,3 @@
-log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
+log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
 	'"$request" $status $body_bytes_sent '
-	'"$http_referer" "$http_user_agent"';
+	'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';
--- a/tmpl/portal-apache2.X.conf
+++ b/tmpl/portal-apache2.X.conf
@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
    ServerName %%authWebName
    SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
    SSLProtocol all -SSLv3 -SSLv2
    SSLProxyEngine on

-    LogLevel info
+    LogLevel %%lm_loglevel
    ErrorLog /var/log/apache2/portal_error.log
    CustomLog /var/log/apache2/portal_access.log common

--- a/tmpl/portal-nginx.conf
+++ b/tmpl/portal-nginx.conf
@ -15,8 +15,7 @@ server {
 }

 server {
-  listen 443;
-  ssl on;
+  listen 443 ssl;
 %if %%cert_type == "letsencrypt"
  ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
  ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
@ -83,7 +82,7 @@ server {

  # DEBIAN
  # If install was made with USEDEBIANLIBS (official releases), uncomment this
-  #location /javascript/ {
-  #  alias /usr/share/javascript/;
-  #}
+  location /javascript/ {
+    alias /usr/share/javascript/;
+  }
 }