From 74fb92fb55c71e66c6e442002c95cd0b6b497c6a Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Tue, 24 Nov 2020 13:50:29 +0100 Subject: [PATCH 1/5] Make eole-lemonldap-ng compatible with eolebase --- dicos/70_lemonldap_ng.xml | 3 ++- dicos/71_lemonldap_ng_scribe.xml | 9 ++++++++- tmpl/lemonldap-ng-fastcgi-server | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 46be489..1b51faa 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -170,7 +170,8 @@ Activer le service LemonLDAP::NG sur ce serveur Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr - DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) + DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr) + DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé Liste des domaines à ajouter à la directive form-action. diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 29240ea..4fa6769 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -6,7 +6,14 @@ - + + + + cas + + + 443 + diff --git a/tmpl/lemonldap-ng-fastcgi-server b/tmpl/lemonldap-ng-fastcgi-server index 9942b4c..dafed7d 100644 --- a/tmpl/lemonldap-ng-fastcgi-server +++ b/tmpl/lemonldap-ng-fastcgi-server @@ -1,5 +1,5 @@ # Number of process (default: 7) -NPROC = %%lemonproc +NPROC=%%lemonproc # Unix socket to listen to SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock From 0f3ff07b5f1756ea0c126c3f7e9be8789fe28ccf Mon Sep 17 00:00:00 2001 
From: Philippe Caseiro Date: Wed, 2 Dec 2020 10:20:42 +0100 Subject: [PATCH 2/5] Merge last evolutions from master branch --- dicos/70_lemonldap_ng.xml | 16 +++++++++++++--- dicos/71_lemonldap_ng_scribe.xml | 23 +++++++++-------------- tmpl/lmConf-1.json | 7 +++++++ 3 files changed, 29 insertions(+), 17 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index 1b51faa..df54a8d 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -2,7 +2,6 @@ - @@ -15,7 +14,7 @@ - lemonldap-ng-fastcgi-server + lemonldap-ng-fastcgi-server manager-apache2 portal-apache2 @@ -47,11 +46,18 @@ + + oui + 4 + + info + + admin @@ -118,10 +124,13 @@ ['ldaps','ldap'] + + ['info','notice','warn','error','debug'] + + ['LDAP','Demo','Custom'] - casLDAPAttribute @@ -132,6 +141,7 @@ lemonldap-nginx lemonldap-apache lemonldap-apache + sllemon LemonLDAP saLemon diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 4fa6769..d03e59f 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,16 +5,15 @@ - - - - - cas - - - 443 - - + + + + cas + + + 443 + + @@ -58,10 +57,6 @@ ldap_port - - ldap_base_dn - - ldap_reader diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 1397ff0..5980d67 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -173,6 +173,13 @@ "ldapPpolicyControl": 0, "ldapPwdEnc": "utf-8", "ldapServer": "%%ldapScheme://%%ldapServer", +%if %%ldapScheme == "ldaps" + %if %%lmldapverify == "oui" + "ldapVerify": "required", + %else + "ldapVerify": "none", + %end if +%end if "ldapSetPassword": 0, "ldapTimeout": 120, "ldapUsePasswordResetAttribute": 1, From bf94e749163fd75603e03746bdcdefa7aefc81bd Mon Sep 17 00:00:00 2001 
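Review bot: The `%else` branch emits `"ldapVerify": "none"`, which makes LemonLDAP::NG accept any certificate on the ldaps bind, so any `lmldapverify` value other than `oui` silently turns the ldaps channel into one whose peer is never authenticated, while the scheme still reads as "secure" in the dictionary. Nothing in the template records that trade-off; I would add a template comment above the block saying that `none` keeps encryption but drops server authentication and is only meant for directories whose certificate cannot be validated. When verification is `required`, no `ldapCAFile`/`ldapCAPath` is emitted, so the directory certificate has to chain to the system store; if it is issued by the local CA that the Apache templates reference as `/etc/ssl/certs/ca_local.crt`, the bind will fail unless that file is also passed (those two keys exist in recent LemonLDAP::NG 2.0 releases — confirm against the packaged version). The surrounding JSON object starts and ends outside the hunk.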
From: Philippe Caseiro Date: Wed, 2 Dec 2020 11:52:11 +0100 Subject: [PATCH 3/5] Using Active Directory (samba4) instead of OpenLDAP Moving to Active Directory the actual auth LDAP server The password is updated in the Samba4 directory so we need to use this one and not the OpenLDAP one --- dicos/70_lemonldap_ng.xml | 20 ++++++++++++++++++ dicos/71_lemonldap_ng_scribe.xml | 36 +++++++++++++++----------------- tmpl/handler-apache2.X.conf | 11 ++++++++++ tmpl/lmConf-1.json | 30 +++++++++++++++++++++----- tmpl/manager-apache2.X.conf | 6 +++--- tmpl/portal-apache2.X.conf | 6 +++--- 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index df54a8d..e4d49fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -27,6 +27,14 @@ + + + /cas + + + 443 + + non @@ -39,6 +47,10 @@ + + LDAP + + @@ -83,6 +95,9 @@ oui + + oui + oui @@ -124,6 +139,10 @@ ['ldaps','ldap'] + + ['LDAP','AD'] + + ['info','notice','warn','error','debug'] @@ -168,6 +187,7 @@ non llResetUrl + llResetExpiredPassword ['bootstrap','dark','impact','pastel'] diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index d03e59f..7a5ca95 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -5,20 +5,13 @@ - - - - cas - - - 443 - - + + + - oui activerLemon @@ -31,11 +24,8 @@ activer_sso - - oui - ldap_tls - ldaps - ldap + + ldaps @@ -44,25 +34,33 @@ nom_domaine_machine + + 636 + + oui eolesso_adresse - adresse_ip_ldap + ad_address - ldap_port + 636 + + + + AD - ldap_reader + sasl_ldap_reader - ldap_reader_passfile + /etc/eole/private/sasl-reader.password diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf index c42747b..d33da34 100644 --- a/tmpl/handler-apache2.X.conf +++ b/tmpl/handler-apache2.X.conf 
@@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503 ServerName %%reloadWebName + SSLEngine on + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key + SSLCertificateChainFile /etc/ssl/certs/ca_local.crt + SSLProtocol all -SSLv3 -SSLv2 + SSLProxyEngine on + + LogLevel %%lm_loglevel + + ErrorLog /var/log/apache2/handler_error.log + CustomLog /var/log/apache2/handler_access.log common # Configuration reload mechanism (only 1 per physical server is # needed): choose your URL to avoid restarting Apache when # configuration change diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 5980d67..4fd5af5 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -85,7 +85,7 @@ }, "authChoiceModules": {}, "authChoiceParam": "lmAuth", - "authentication": "LDAP", + "authentication": "%%lemon_user_db", "browserIdAuthnLevel": 1, "captchaStorage": "Apache::Session::File", "captchaStorageOptions": { @@ -152,10 +152,27 @@ "issuerDBSAMLRule": 1, "jsRedirect": 0, "key": "e\"bTCt3*eU9^\\V%b", +%if %%llResetPassword == "oui" + %if %%llResetExpiredPassword == "oui" + %if %%lemon_user_db == "AD" + "ldapPpolicyControl": 0, + %else + "ldapPpolicyControl": 1, + %end if + "ldapAllowResetExpiredPassword": 1, + %else + "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + %end if +%end if + "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, +%if %%eole_module == "scribe" + "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "ldapBase": "%%ldapUserBaseDN", - "ldapChangePasswordAsUser": 0, +%end if + "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", @@ -170,7 +187,6 @@ "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", "ldapPort": "%%ldapServerPort", - "ldapPpolicyControl": 0, "ldapPwdEnc": "utf-8", "ldapServer": "%%ldapScheme://%%ldapServer", %if %%ldapScheme == "ldaps" 
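Review bot: The new `SSLProtocol all -SSLv3 -SSLv2` line still admits TLS 1.0 and 1.1 on the handler vhost, and no `SSLCipherSuite`/`SSLHonorCipherOrder` is set, so the protocol choice is left to the client; `SSLProtocol -all +TLSv1.2 +TLSv1.3` would be the current baseline (`+TLSv1.3` needs Apache 2.4.36 or later with OpenSSL 1.1.1 — confirm for the target distribution, otherwise `-all +TLSv1.2`). The same eleven-line TLS block is copied verbatim in the `manager-apache2.X.conf` and `portal-apache2.X.conf` hunks, where the identical `SSLProtocol` line survives as context, so a later hardening has to be made three times; an `Include` of one shared SSL snippet would keep the three vhosts from drifting. `CustomLog ... common` also drops the referer and user-agent that `combined` keeps, which are usually wanted when reading an auth handler's access log. The `<VirtualHost>` block starts and ends outside the hunk.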
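Review bot: With `llResetPassword` set to anything but `oui`, this hunk emits neither `ldapPpolicyControl` nor `ldapAllowResetExpiredPassword`, and the later hunk at `@@ -170,7 +187,6 @@` removes the unconditional `"ldapPpolicyControl": 0,` that used to cover that case, so the generated lmConf now depends on LemonLDAP::NG's built-in defaults for both keys (presumably 0, but the file no longer says so). I would close the outer conditional with an explicit branch, `%else` / `  "ldapPpolicyControl": 0,` / `  "ldapAllowResetExpiredPassword": 0,` before the final `%end if`. The two inner branches also emit the keys out of the alphabetical order the rest of the file keeps, which makes the rendered file harder to diff against a stock lmConf. The JSON object continues outside the hunk.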
@@ -218,7 +234,11 @@ %end if %end if "maintenance": 0, +%if %%eole_module == "scribe" + "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' +%else "managerDn": "%%ldapBindUserDN", +%end if %if %%is_file(%%ldapBindUserPassword) "managerPassword": "%%readPass("", %%ldapBindUserPassword)", %else @@ -251,7 +271,7 @@ "openIdSreg_fullname": "cn", "openIdSreg_nickname": "uid", "openIdSreg_timezone": "_timezone", - "passwordDB": "LDAP", + "passwordDB": "%%lemon_user_db", "persistentStorage": "Apache::Session::File", "persistentStorageOptions": { "Directory": "/var/lib/lemonldap-ng/psessions", @@ -371,7 +391,7 @@ "useRedirectOnForbidden": 0, "useSafeJail": 1, "userControl": "^[\\w\\.\\-@]+$", - "userDB": "LDAP", + "userDB": "%%lemon_user_db", "vhostOptions": { "%%managerWebName": { "vhostHttps": "1" diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf index 9bca544..cf6fcbd 100644 --- a/tmpl/manager-apache2.X.conf +++ b/tmpl/manager-apache2.X.conf @@ -13,13 +13,13 @@ ServerName %%managerWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/manager_error.log CustomLog /var/log/apache2/manager_access.log common diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf index 71fb6c1..5ab967d 100644 --- a/tmpl/portal-apache2.X.conf +++ b/tmpl/portal-apache2.X.conf 
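Review bot: On scribe `%%ldapBindUserDN` is interpolated as a bare CN inside `cn=%%ldapBindUserDN,cn=Users,dc=…`, while the `%else` branch uses it as a full DN, so the same dictionary variable now has two different shapes depending on `eole_module` and its name is misleading for the scribe case. The `",dc=".join(%%ad_domain.split('.'))` suffix is also built a second time here, identically to the `ldapBase` line in the earlier hunk; computing it once with a `%set` at the top of the template and reusing the variable in both places would keep the two DNs from drifting apart. A template comment next to the scribe branch explaining that the bind identity is a CN under `cn=Users` of the AD domain would help the next reader. The JSON object starts and ends outside the hunk.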
@@ -13,13 +13,13 @@ ServerName %%authWebName SSLEngine on - SSLCertificateFile /etc/ssl/certs/eole.crt - SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateFile %%server_cert + SSLCertificateKeyFile %%server_key SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLProtocol all -SSLv3 -SSLv2 SSLProxyEngine on - LogLevel info + LogLevel %%lm_loglevel ErrorLog /var/log/apache2/portal_error.log CustomLog /var/log/apache2/portal_access.log common From 87818bd6f06c9b5e25c4f52443d329ce82c6ea80 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Mon, 7 Dec 2020 11:58:50 +0100 Subject: [PATCH 4/5] =?UTF-8?q?Activer=20la=20possibilit=C3=A9=20de=20chan?= =?UTF-8?q?ger=20son=20mot=20de=20passe=20depuis=20LemonLDAP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ref #31347 --- dicos/70_lemonldap_ng.xml | 7 +++++-- dicos/71_lemonldap_ng_scribe.xml | 4 ++++ tmpl/lemonldap-ng.ini | 4 ++-- tmpl/lmConf-1.json | 21 ++++++++++++++++----- 4 files changed, 27 insertions(+), 9 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index e4d49fc..b3c72fc 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -92,7 +92,10 @@ non - + + oui + + oui @@ -148,7 +151,7 @@ - ['LDAP','Demo','Custom'] + ['LDAP','AD','Demo','Custom'] casLDAPAttribute diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml index 7a5ca95..691bd0c 100644 --- a/dicos/71_lemonldap_ng_scribe.xml +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -55,6 +55,10 @@ AD + + AD + + sasl_ldap_reader diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini index 0f497ae..d3a83c2 100644 --- a/tmpl/lemonldap-ng.ini +++ b/tmpl/lemonldap-ng.ini 
@@ -197,11 +197,11 @@ portalSkin = %%llSkin ; Modules displayed ;portalDisplayLogout = 1 portalDisplayResetPassword = %%boolean[%%llResetPassword] -;portalDisplayChangePassword = 1 +portalDisplayChangePassword = %%boolean[%%llChangePassword] ;portalDisplayAppslist = 1 ;portalDisplayLoginHistory = 1 ; Require the old password when changing password -;portalRequireOldPassword = 1 +portalRequireOldPassword = %%boolean[%%llChangePassword] ; Attribute displayed as connected user ;portalUserAttr = mail ; Old menu HTML code diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 4fd5af5..b136925 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json @@ -160,19 +160,29 @@ "ldapPpolicyControl": 1, %end if "ldapAllowResetExpiredPassword": 1, + "ldapChangePasswordAsUser": 1, %else "ldapPpolicyControl": 0, "ldapAllowResetExpiredPassword": 0, + "ldapChangePasswordAsUser": 1, %end if %end if - "ldapChangePasswordAsUser": 1, "ldapAuthnLevel": 2, + "ldapSearchDeref": "find", %if %%eole_module == "scribe" "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",' + "ldapExportedVars": { + "cn": "cn", + "mail": "mail", + "uid": "cn" + }, + "ldapGroupAttributeName": "memberUid", + "ldapGroupAttributeNameGroup": "dn", + "ldapGroupAttributeNameSearch": "cn", + "ldapGroupAttributeNameUser": "cn", + "ldapGroupObjectClass": "group", %else "ldapBase": "%%ldapUserBaseDN", -%end if - "ldapSearchDeref": "find", "ldapExportedVars": { "cn": "cn", "mail": "mail", @@ -183,6 +193,7 @@ "ldapGroupAttributeNameSearch": "cn", "ldapGroupAttributeNameUser": "uid", "ldapGroupObjectClass": "eolegroupe", +%end if "ldapGroupRecursive": 0, "ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttributeValue": "TRUE", @@ -228,7 +239,7 @@ "mailTimeout": 0, %if %%llResetPassword == "oui" %if %%is_empty(%%llResetUrl) - "mailUrl": "https://%%authWebName/mail.pl", + "mailUrl": "https://%%authWebName/resetpwd", %else "mailUrl": "%%llResetUrl", %end if 
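Review bot: `portalRequireOldPassword = %%boolean[%%llChangePassword]` makes the old-password check read as configurable when it is really tied to whether the change-password form is shown at all; when `llChangePassword` is `non` the value is 0, which is harmless only because the form is hidden. Since there is no case in which the form is shown without requiring the old password, the constant `portalRequireOldPassword = 1` states the intent more plainly and cannot be weakened by a future dictionary change. The `[portal]` section continues outside the hunk.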
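Review bot: `"ldapChangePasswordAsUser": 1` is now emitted only inside `%if %%llResetPassword == "oui"`, while the `lemonldap-ng.ini` hunk enables the change-password form from the independent `llChangePassword` option, so an admin who turns change-password on and reset off gets a config without that key and LemonLDAP::NG falls back to its default (presumably changing the password with the `managerDn` bind rather than as the user — confirm). Both inner branches emit the same value, so the line belongs once, above the `%if`, as `"ldapChangePasswordAsUser": 1,` — the hunk's own removed line shows it used to live there. In the new scribe group block, `"ldapGroupAttributeName": "memberUid"` with `"ldapGroupObjectClass": "group"` assumes the Samba AD groups carry RFC 2307 `memberUid` values; native AD groups expose membership in the DN-valued `member` attribute, so this should be checked against the actual schema before it ships. The JSON object continues outside the hunk.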
@@ -281,7 +292,7 @@ "portalAntiFrame": 1, "portalCheckLogins": %%boolean[%%llCheckLogins], "portalDisplayAppslist": 1, - "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", + "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/", "portalDisplayLoginHistory": 1, "portalDisplayLogout": 1, "portalDisplayRegister": 1, From 47e822f9b9b452b879060ac393e0c05c6dc4fd36 Mon Sep 17 00:00:00 2001 From: Philippe Caseiro Date: Wed, 9 Dec 2020 16:48:14 +0100 Subject: [PATCH 5/5] Updating lmlog file for nginx mode --- dicos/70_lemonldap_ng.xml | 1 + tmpl/nginx-lmlog.conf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index b3c72fc..f243ffb 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml @@ -9,6 +9,7 @@ + diff --git a/tmpl/nginx-lmlog.conf b/tmpl/nginx-lmlog.conf index c41f252..3db97b1 100644 --- a/tmpl/nginx-lmlog.conf +++ b/tmpl/nginx-lmlog.conf @@ -1,3 +1,3 @@ -log_format lm_combined '$remote_addr - $lmremote_user [$time_local] ' +log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + '"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';
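Review bot: Renaming the format from `lm_combined` to `lm_app` breaks any `access_log ... lm_combined;` directive elsewhere in the package, and the diffstat shows only the dictionary and this file changed in the commit; if another nginx template still names the old format, `nginx -t` fails with an unknown log format and the service will not reload. Either update the referencing vhost templates in the same commit or keep a second `log_format lm_combined` definition for one release so both names resolve. The new `$upstream_http_lm_remote_custom` field is unquoted in the format string, which nginx renders as `-` when the header is absent, so a one-line comment above the directive noting that both `lm_remote_*` values come from the upstream handler response headers would help whoever parses these logs.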