diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2fcd22b --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +# Backup and swap files +*~ +*# +*.swp diff --git a/README.md b/README.md index 673a734..70cc7e0 100644 --- a/README.md +++ b/README.md @@ -12,8 +12,8 @@ GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt #### LemonLDAP::NG repository (if you use EOLE 2.7.2 this is not needed anymore) -* deb https://lemonldap-ng.org/deb 1.9 main -* deb-src https://lemonldap-ng.org/deb 1.9 main +* deb https://lemonldap-ng.org/deb stable main +* deb-src https://lemonldap-ng.org/deb stable main * Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 #### Cadoles Repository @@ -33,18 +33,28 @@ Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui" * Fill LemonLDAP configuration -#### Nginx Web case +#### On Scribe + +* LemonLDAP::NG is configured to use the local LDAP service +* We register the supplementary host names to the AD DNS +* We add the supplementary host names to the `ssl_subjectalt_names` + +#### Manual configuration + +##### Nginx Web case By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will not be served properly, so we need to disable this function GenConfig -> Services -> Activer la publication d’applications web par Nginx -> "Non' -#### Configuration DNS +##### Configuration DNS + * GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG * GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG -#### Configuration LDAP +##### Configuration LDAP + * GenConfig -> Lemonldap -> Protocole LDAP à utiliser * GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG * GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG 
@@ -52,14 +62,14 @@ GenConfig -> Services -> Activer la publication d’applications web par Nginx - * GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr) * GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password) -#### Configuration CAS +##### Configuration CAS Add your CAS attributes mapping ( uid = uid and mail = mail are created by default) * GenConfig -> Lemonldap -> Nom de l'attribut CAS * GenConfig -> Lemonldap -> Attribut LDAP équivalent -### SSL issues +##### SSL issues If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names. You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG) diff --git a/creolefuncs/lemonldap.py b/creolefuncs/lemonldap.py index e2e62b5..3c764c3 100644 --- a/creolefuncs/lemonldap.py +++ b/creolefuncs/lemonldap.py @@ -31,7 +31,7 @@ def getSSOFilters(): """ Convert former eole-sso filters to LemonLDAP filters """ import glob - from ConfigParser import ConfigParser + from configparser import ConfigParser try: filters = { 'uid': "uid", "mail": "mail" } diff --git a/diagnose/71-lemonLDAP b/diagnose/71-lemonLDAP index f072546..f885a00 100755 --- a/diagnose/71-lemonLDAP +++ b/diagnose/71-lemonLDAP @@ -1,6 +1,7 @@ #!/bin/bash -if [ $(CreoleGet activerLemon) = "oui" ];then +if [ $(CreoleGet activerLemon 'non') = 'oui' ] +then . /usr/lib/eole/diagnose.sh manager=$(CreoleGet managerWebName) portal=$(CreoleGet authWebName) diff --git a/dicos/70_lemonldap_ng.xml b/dicos/70_lemonldap_ng.xml index d8905b7..bc9ef65 100644 --- a/dicos/70_lemonldap_ng.xml +++ b/dicos/70_lemonldap_ng.xml 
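Review bot: The command substitution in the rewritten test is still unquoted: `if [ $(CreoleGet activerLemon 'non') = 'oui' ]` becomes `[ = 'oui' ]` (a test syntax error, so the diagnose step silently reports nothing) whenever CreoleGet prints nothing or fails, and it word-splits on any whitespace in the value. The `'non'` default narrows the window but does not close it. Quote it the way the new postservice script in this same commit does: `if [ "$(CreoleGet activerLemon 'non')" = 'oui' ]`. The body of the `if` continues past the hunk.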
@@ -1,145 +1,177 @@ + - - - - - - - - - - - - lemonldap-ng-fastcgi-server - - 80 - 443 - - - - - - non - - - - - - - --> - - - - - - - + + + + + + + + + + + + + lemonldap-ng-fastcgi-server + + manager-apache2 + portal-apache2 + handler-apache2 + + + 80 + 443 + + + + + + + non + + + + + + + + + + + + + + + + + + 4 - - admin - - - 64 - - - - - cas - - - - - non - - - bootstrap - - - non - - - oui - - - - oui - - - - - + + admin + + + + + + + cas + + + + + + + bootstrap + + + non + + + oui + + + + oui + + + + + + + - Configuration DNS - Configuration LDAP - Configuration CAS - Personnalisation de la mire SSO - - - - - manager. - nom_domaine_local - - - auth. - nom_domaine_local - - - reload. - nom_domaine_local - - - SAML - nom_domaine_local - - - ['ldaps','ldap'] + Configuration DNS + Configuration LDAP + Configuration CAS + Personnalisation de la mire SSO + + + + + + + manager. + nom_domaine_local + + + auth. + nom_domaine_local + + + reload. + nom_domaine_local + + + SAML + nom_domaine_local + + + + ['ldaps','ldap'] - - ['LDAP','Demo','Custom'] + + + ['LDAP','Demo','Custom'] - - casLDAPAttribute - - - non - lemon - lemonCAS - LemonLDAP - sllemon - saLemon - - - non - llRegisterDB - - - Custom - llRegisterURL - + + casLDAPAttribute + + + + non + lemonldap + lemonldap-nginx + lemonldap-apache + lemonldap-apache + sllemon + LemonLDAP + saLemon + + + + non + lemonldap-nginx + + + + non + lemonldap-apache + lemonldap-apache + + + + non + llRegisterDB + + + Custom + llRegisterURL + non llResetUrl - - - ['bootstrap','dark','impact','pastel'] - False - - - - Activer l'hébergement d'une place de marché HTTP pour OpenNebula - Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com - Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com - DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr) - DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) - 
server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX - Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé - Liste des domaines à ajouter à la directive form-action. - + + + ['bootstrap','dark','impact','pastel'] + False + + + + + Configuration de la solution d'authentification unique LemonLDAP::NG + Activer le service LemonLDAP::NG sur ce serveur + Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr + Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr + DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr) + DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr) + Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé + Liste des domaines à ajouter à la directive form-action. + diff --git a/dicos/71_lemonldap_ng_scribe.xml b/dicos/71_lemonldap_ng_scribe.xml new file mode 100644 index 0000000..29240ea --- /dev/null +++ b/dicos/71_lemonldap_ng_scribe.xml @@ -0,0 +1,74 @@ + + + + + + + + + + + + + + + + + oui + activerLemon + distant + local + + + + oui + activer_sso + + + + oui + ldap_tls + ldaps + ldap + + + + authWebName + web_url + nom_domaine_machine + + + + oui + eolesso_adresse + + + + adresse_ip_ldap + + + + ldap_port + + + + ldap_base_dn + + + + ldap_reader + + + + ldap_reader_passfile + + + + eolesso_cas_folder + + + + + + + diff --git a/postservice/98-lemonldap-ng-scribe-register-hosts b/postservice/98-lemonldap-ng-scribe-register-hosts new file mode 100644 index 0000000..eda1aa7 --- /dev/null +++ b/postservice/98-lemonldap-ng-scribe-register-hosts 
@@ -0,0 +1,45 @@ +#!/bin/bash + +[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0 + +[ -f /usr/lib/eole/eolead.sh ] || exit 0 + +. /usr/lib/eole/eolead.sh +# ScribeAD/HorusAD +. $CONTAINER_ROOTFS/etc/eole/samba4-vars.conf +DNS_IP="${CONTAINER_IP}" +CONTAINER_EXEC='lxc-attach -n addc --' + +EXT_IP=$(CreoleGet adresse_ip_eth0) + +for service in manager auth reload +do + fqdn=$(CreoleGet "${service}WebName") + service_addr=$(dig "@${DNS_IP}" "${fqdn}" +short) + if [ "${service_addr}" != "${EXT_IP}" ] + then + ${CONTAINER_EXEC} kinit "${AD_HOST_NAME^^}@${AD_REALM^^}" -k -t "${AD_HOST_KEYTAB_FILE}" + if [ -n "${service_addr}" ] + then + echo -n "Suppression de l’enregistrement DNS '${fqdn} IN A ${service_addr}' : " + $CONTAINER_EXEC samba-tool \ + dns \ + delete \ + "${AD_HOST_NAME}.${AD_REALM}" \ + "${AD_REALM}" \ + "${fqdn}" A "${service_addr}" \ + -k 1 + fi + + echo -n "Ajout de l’enregistrement DNS '${fqdn} IN A ${EXT_IP}' : " + $CONTAINER_EXEC samba-tool \ + dns \ + add \ + "${AD_HOST_NAME}.${AD_REALM}" \ + "${AD_REALM}" \ + "${fqdn}" A "${EXT_IP}" \ + -k 1 + fi +done + +exit 0 diff --git a/postservice/99-lemonldap-ng b/postservice/99-lemonldap-ng index 9af9aef..33b464a 100644 --- a/postservice/99-lemonldap-ng +++ b/postservice/99-lemonldap-ng @@ -8,5 +8,5 @@ cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache" opt="update-cache" -res=$(${cmd} ${opt} 2>&1) -exit ${?} +# Updating Configuration cache +/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1 diff --git a/posttemplate/70-lemon-nginx b/posttemplate/70-lemon-nginx deleted file mode 100755 index 6b32fa8..0000000 --- a/posttemplate/70-lemon-nginx +++ /dev/null 
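Review bot: None of the commands that change state are checked: `kinit` and both `samba-tool dns` invocations run without their exit status being looked at, and the script ends with an unconditional `exit 0`, so a failed ticket request or a rejected DNS update still prints "Ajout de l'enregistrement …" and the postservice reports success. At minimum guard the ticket, `${CONTAINER_EXEC} kinit "${AD_HOST_NAME^^}@${AD_REALM^^}" -k -t "${AD_HOST_KEYTAB_FILE}" || { echo "kinit failed"; exit 1; }`, and let the `samba-tool` results decide the final exit code instead of `exit 0`. Separately, `dig +short` can return several lines (a CNAME chain, or more than one A record), in which case `service_addr` is compared against `EXT_IP` and handed to `samba-tool dns delete` as a multi-line string; keep only the first A answer, e.g. `service_addr=$(dig "@${DNS_IP}" "${fqdn}" +short | grep -m1 -E '^[0-9.]+$')`. The `. $CONTAINER_ROOTFS/etc/eole/samba4-vars.conf` source should also be quoted like every other expansion in the file.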
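Review bot: `cmd` and `opt` are now dead variables: the hunk stops using them and calls the binary by its full path, but the `opt="update-cache"` context line (and the `cmd="…/lemonldap-ng-cli update-cache"` assignment visible in the hunk heading) are left in place. Either remove both assignments or keep `cmd` and run `${cmd} 2>&1` alone — note the removed line expanded to `lemonldap-ng-cli update-cache update-cache`, because `cmd` already contained the subcommand, so the duplication in `opt` was a latent bug that this change sidesteps rather than cleans up. The start of the script lies outside the hunk.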
@@ -1,17 +0,0 @@ -#!/bin/bash - -ENABLE=$(CreoleGet activerLemon 'non') -CONF_FILES="manager-nginx.conf" -CONF_FILES="${CONF_FILES} handler-nginx.conf" -CONF_FILES="${CONF_FILES} portal-nginx.conf" -CONF_FILES="${CONF_FILES} test-nginx.conf" - -for CONF_FILE in ${CONF_FILES} -do - if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then - rm /etc/nginx/sites-enabled/${CONF_FILE} - fi - if [ "${ENABLE}" = 'oui' ];then - ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE} - fi -done \ No newline at end of file diff --git a/posttemplate/70-lemon-hosts b/posttemplate/70-lemonldap-ng-hosts similarity index 86% rename from posttemplate/70-lemon-hosts rename to posttemplate/70-lemonldap-ng-hosts index 1488f3d..559b5c0 100755 --- a/posttemplate/70-lemon-hosts +++ b/posttemplate/70-lemonldap-ng-hosts @@ -1,5 +1,8 @@ #!/bin/bash +# Don't run on ScribeAD +[ ! -f /usr/lib/eole/eolead.sh ] || exit 0 + ENABLE=$(CreoleGet activerLemon 'non') HOSTS="/etc/hosts" diff --git a/posttemplate/70-lemonldap-ng-nginx b/posttemplate/70-lemonldap-ng-nginx new file mode 100755 index 0000000..43586a0 --- /dev/null +++ b/posttemplate/70-lemonldap-ng-nginx @@ -0,0 +1,19 @@ +#!/bin/bash + +ENABLE=$(CreoleGet activerLemon 'non') +NGINX_ENABLE=$(CreoleGet activer_nginx_web 'non') + +CONF_FILES="manager-nginx.conf handler-nginx.conf portal-nginx.conf" + +for CONF_FILE in ${CONF_FILES} +do + if [ -e /etc/nginx/sites-enabled/${CONF_FILE} ] + then + rm /etc/nginx/sites-enabled/${CONF_FILE} + fi + + if [ "${ENABLE}" = 'oui' -a "${NGINX_ENABLE}" = 'oui' ] + then + ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE} + fi +done diff --git a/tmpl/cas.inc.php.tmpl b/tmpl/cas.inc.php.tmpl deleted file mode 100644 index ee81820..0000000 --- a/tmpl/cas.inc.php.tmpl +++ /dev/null @@ -1,27 +0,0 @@ - diff --git a/tmpl/eoleCASConfig.php.tmpl b/tmpl/eoleCASConfig.php.tmpl deleted file mode 100644 index d260ac4..0000000 
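Review bot: The new guard `[ ! -f /usr/lib/eole/eolead.sh ] || exit 0` reads as a double negative and is the exact mirror of the `[ -f /usr/lib/eole/eolead.sh ] || exit 0` used in the new register-hosts script, which makes the pair easy to misread when compared side by side. The comment helps, but the intent is clearer stated positively: `[ -f /usr/lib/eole/eolead.sh ] && exit 0  # ScribeAD: DNS is handled by 98-lemonldap-ng-scribe-register-hosts`. The rest of the script is outside the hunk.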
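Review bot: `[ -e /etc/nginx/sites-enabled/${CONF_FILE} ]` is false for a dangling symlink, so if a target in sites-available is ever missing the stale link is kept and the following `ln -s` fails with "File exists"; the deleted 70-lemon-nginx tested `-L` for exactly that case. Replace the test-and-remove pair with an unconditional `rm -f /etc/nginx/sites-enabled/${CONF_FILE}`, and prefer `[ "${ENABLE}" = 'oui' ] && [ "${NGINX_ENABLE}" = 'oui' ]` over the obsolescent `-a` form. Also worth confirming: the README in this same commit says the Nginx "publication d'applications web" option must be set to "Non" for LemonLDAP::NG to be served, yet the vhosts are only linked when `activer_nginx_web` is `oui` — if that is the same variable, this script never enables them.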
--- a/tmpl/eoleCASConfig.php.tmpl +++ /dev/null @@ -1,7 +0,0 @@ - diff --git a/tmpl/handler-apache2.X.conf b/tmpl/handler-apache2.X.conf new file mode 100644 index 0000000..c42747b --- /dev/null +++ b/tmpl/handler-apache2.X.conf 
@@ -0,0 +1,67 @@ +#======================================================================== +# Apache configuration for LemonLDAP::NG Handler +#======================================================================== +# This file implements the reload virtualhost that permits to reload +# configuration without restarting server, and some common instructions. +# You need then to declare this vhost in reloadUrls (in the manager +# interface if this server doesn't host the manager itself): +# +# KEY : VALUE +# host-or-IP:port : http://reload.domscribe.ac-test.fr/reload +# +# IMPORTANT: +# To protect applications, see test-apache.conf template in example files + +# Uncomment this if no previous NameVirtualHost declaration +#NameVirtualHost "*:80" + +# Load LemonLDAP::NG Handler +PerlOptions +GlobalRequest +PerlModule Lemonldap::NG::Handler::ApacheMP2 + +# Common error page and security parameters +ErrorDocument 403 https://%%authWebName/lmerror/403 +ErrorDocument 404 https://%%authWebName/lmerror/404 +ErrorDocument 500 https://%%authWebName/lmerror/500 +ErrorDocument 502 https://%%authWebName/lmerror/502 +ErrorDocument 503 https://%%authWebName/lmerror/503 + + + ServerName %%reloadWebName + + # Configuration reload mechanism (only 1 per physical server is + # needed): choose your URL to avoid restarting Apache when + # configuration change + + = 2.3> + Require ip 127 ::1 + + + Order Deny,Allow + Deny from all + Allow from 127.0.0.0/8 ::1 + + SetHandler perl-script + PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload + + + # Uncomment this to activate status module + # + # = 2.3> + # Require ip 127 ::1 + # + # + # Order Deny,Allow + # Deny from all + # Allow from 127.0.0.0/8 ::1 + # + # SetHandler perl-script + # PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status + # # You may have to uncomment the next directive to skip + # # an upper PerlHeaderParserHandler directive + # #PerlHeaderParserHandler Apache2::Const::DECLINED + # + + # Uncomment this 
if site if you use SSL only + #Header set Strict-Transport-Security "max-age=15768000" + diff --git a/tmpl/lemonldap-ng.ini b/tmpl/lemonldap-ng.ini index 921810f..0f497ae 100644 --- a/tmpl/lemonldap-ng.ini +++ b/tmpl/lemonldap-ng.ini @@ -1,3 +1,4 @@ +%set %%boolean = {'oui': 1, 'non': 0} ;============================================================================== ; LemonLDAP::NG local configuration parameters ; @@ -11,9 +12,6 @@ ; Section "configuration" is used to load global configuration and set cache ; (replace old storage.conf file) ; -; Section "apply" is read by Manager to reload handlers -; (replace old apply.conf file) -; ; Other section are only read by the specific LemonLDAP::NG component ;============================================================================== 
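Review bot: The `/reload` Location accepts loopback only (`Require ip 127 ::1`), but the reload is fetched through `%%reloadWebName`, which the new register-hosts script publishes in AD DNS as the eth0 address; a connection from this host to its own eth0 address does not originate from 127.0.0.1, so the reload would get a 403 unless reloadUrls resolves the name to localhost — worth checking, and if not, extend the rule to `Require ip 127 ::1 %%adresse_ip_eth0`. The header comment still carries a test-domain example, `http://reload.domscribe.ac-test.fr/reload`; replace the host part with `%%reloadWebName` so the comment matches what the template serves. The HSTS line stays commented although the handler side of this commit is configured for HTTPS (`https = 1` in lemonldap-ng.ini); if this vhost is really served over TLS only, uncomment `Header set Strict-Transport-Security "max-age=15768000"`.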
@@ -34,16 +32,80 @@ ; Warning: this can allow malicious code in custom functions or rules ;useSafeJail = 0 +; LOGGING +; +; 1 - Defined logging level +; Set here one of error, warn, notice, info or debug +logLevel = debug +; Note that this has no effect for Apache2 logging: Apache LogLevel is used +; instead +; +; 2 - Change logger +; +; By default, logging is set to: +; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers +; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx) +; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager, +; portal,...) when they are not +; launched by FastCGI server +; Other loggers availables: +; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl +; +; "Std" is redirected to the web server logs for Apache. For Nginx, only if +; request failed +; +; You can overload this in this section (for all) or in another section if +; you want to change logger for a specified app. +; +; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions +; (userLogger). "userLogger" uses the same class as "logger" if not set. +;logger = Lemonldap::NG::Common::Logger::Syslog +;userLogger = Lemonldap::NG::Common::Logger::Std +; +; 2.1 - Using Syslog +; +; For Syslog logging, you can also overwrite facilities. Default values: +;logger = Lemonldap::NG::Common::Logger::Syslog +;syslogFacility = daemon +;userSyslogFacility = auth +; +; 2.2 - Using Log4perl +; +; If you want to use Log4perl, you can set these parameters. Here are default +; values: +;logger = Lemonldap::NG::Common::Logger::Log4perl +;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf +;log4perlLogger = LLNG +;log4perlUserLogger = LLNG.user +; +; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG" +; value points to the logger class. Example: +; log4perl.logger.LLNG = WARN, File1 +; log4perl.logger.LLNG.user = INFO, File2 +; ... + +; CONFIGURATION CHECK +; +; LLNG verify configuration at server start. 
If you use "reload" mechanism, +; local cache will be updated. Configuration is checked locally every +; 10 minutes by each LLNG component. You can change this value using +; `checkTime` (time in seconds). +; To increase performances, you should comment this parameter and rely on cache. +checkTime = 1 + [configuration] +; confTimeout: maximum time to get configuration (default 10) +;confTimeout = 5 + ; GLOBAL CONFIGURATION ACCESS TYPE -; (File, SOAP, RDBI/CDBI, LDAP) +; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile) ; Set here the parameters needed to access to LemonLDAP::NG configuration. ; You have to set "type" to one of the followings : ; -; * File: you have to set 'dirName' parameter. Example: +; * File/YAMLFile: you have to set 'dirName' parameter. Example: ; -; type = File +; type = File ; or type = YAMLFile ; dirName = /var/lib/lemonldap-ng/conf ; ; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword' @@ -51,17 +113,28 @@ ; ; type = RDBI ; ;type = CDBI -; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4 +; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4 ; dbiUser = lemonldap ; dbiPassword = password ; +; * REST: REST configuration access is a sort of proxy: the portal is +; configured to use the real session storage type (DBI or File for +; example). +; You have to set 'baseUrl' parameter. Example: +; +; type = REST +; baseUrl = https://auth.example.com/config +; proxyOptions = { timeout => 5 } +; User = lemonldap +; Password = mypassword +; ; * SOAP: SOAP configuration access is a sort of proxy: the portal is ; configured to use the real session storage type (DBI or File for ; example). ; You have to set 'proxy' parameter. Example: ; ; type = SOAP -; proxy = https://auth.example.com/index.pl/config +; proxy = https://auth.example.com/config ; proxyOptions = { timeout => 5 } ; User = lemonldap ; Password = mypassword 
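Review bot: `logLevel = debug` is set unconditionally in the global section, and this same commit removes the `logLevel = warn` override from `[manager]`, so portal, handlers and manager all log at debug in production; on an SSO that puts session identifiers, user attributes and request details into syslog and the web server logs for anyone with log access, on top of the volume. Ship `logLevel = warn` (or `notice`) and leave debug to a local override. Likewise `checkTime = 1` makes every component re-check the configuration every second, directly against the comment a few lines above that says to comment it out and rely on the cache; drop it or keep the documented 600 s. If both were meant to ease the first deployment, expose them as templated values instead of hard-coding them.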
@@ -91,7 +164,7 @@ dirName = /var/lib/lemonldap-ng/conf ; 'default_expires_in' => 600, \ ; 'directory_umask' => '007', \ ; 'cache_root' => '/tmp', \ -; 'cache_depth' => 0, \ +; 'cache_depth' => 3, \ ; } localStorage=Cache::FileCache localStorageOptions={ \ @@ -99,33 +172,31 @@ localStorageOptions={ \ 'default_expires_in' => 600, \ 'directory_umask' => '007', \ 'cache_root' => '/tmp', \ - 'cache_depth' => 0, \ + 'cache_depth' => 3, \ } [portal] -; PERFORMANCES -; By setting useLocalConf, Portal will use only local cached configuration -; To refresh it, you must have an handler on the same server or you have to -; restart your server. This increase performances -;useLocalConf = 1 +; PORTAL CUSTOMIZATION + +; I - Required parameters ; staticPrefix: relative (or URL) location of static HTML components staticPrefix = /static + ; location of HTML templates directory templateDir = /usr/share/lemonldap-ng/portal/templates + ; languages: available languages for portal interface -languages = fr, en -; PORTAL CUSTOMIZATION +languages = fr, en, vi, it, ar, de, fi, tr + +; II - Optional parameters (overwrite configuration) + ; Name of the skin portalSkin = %%llSkin ; Modules displayed ;portalDisplayLogout = 1 -%if %%llResetPassword == "oui" -portalDisplayResetPassword = 1 -%else -portalDisplayResetPassword = 0 -%end if +portalDisplayResetPassword = %%boolean[%%llResetPassword] ;portalDisplayChangePassword = 1 ;portalDisplayAppslist = 1 ;portalDisplayLoginHistory = 1 
@@ -142,16 +213,17 @@ portalDisplayResetPassword = 0 ; For example to use ;tpl_myparam = test -; LOG -; By default, all is logged in Apache file. To log user actions by -; syslog, just set syslog facility here: +; COMBINATION FORMS +; If you want to fix forms to display, you can use this; +;combinationForms = standardform, yubikeyform + ;syslog = auth ; SOAP FUNCTIONS ; Remove comment to activate SOAP Functions getCookies(user,pwd) and ; error(language, code) ;Soap = 1 ; Note that getAttibutes() will be activated but on a different URI -; (http://auth.example.com/index.pl/sessions) +; (http://auth.example.com/sessions) ; You can also restrict attributes and macros exported by getAttributes ;exportedAttr = uid mail @@ -208,8 +280,8 @@ portalDisplayResetPassword = 0 ; Use it to be able to notify messages during authentication ;notification = 1 ; Note that the SOAP function newNotification will be activated on -; http://auth.example.com/index.pl/notification -; If you want to hide this, just protect "/index.pl/notification" in +; http://auth.example.com/notification +; If you want to hide this, just protect "/index.fcgi/notification" in ; your Apache configuration file ; XSS protection bypass ; By default, the portal refuse redirections that comes from sites not 
@@ -225,6 +297,21 @@ portalDisplayResetPassword = 0 ; Set to 0 to disable error on XSS attack detection ;checkXSS = 0 +; pdata cookie domain +; pdata cookie could not be sent with cross domains AJAX request +; Null is default value +;pdataDomain = example.com + +; CUSTOM PLUGINS +; If you want to add custom plugins, set list here (comma separated) +; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page. +;customPlugins = ::My::Package1, ::My::Package2 + +; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers +; you can override OTT configuration to store Upgrade or Issuer OTT into global storage +;forceGlobalStorageUpgradeOTT = 1 +;forceGlobalStorageIssuerOTT = 1 + [handler] ; Handler cache configuration @@ -240,7 +327,7 @@ portalDisplayResetPassword = 0 ; Set https to 1 if your handler protect a https website (used only for ; redirections to the portal) -;https = 0 +https = 1 ; Set port if your your hanlder protect a website on a non standard port ; - 80 for http, 443 for https (used only for redirections to the portal) ;port = 8080 @@ -252,6 +339,10 @@ status = 0 ;useRedirectOnForbidden = 1 ; Hide LemonLDAP::NG Handler in Apache Server Signature ;hideSignature = 1 +; Set ServiceToken timeout +;handlerServiceTokenTTL = 30 +; Set Impersonation/ContextSwitching prefix +; impersonationPrefix = real_ useRedirectOnError = 1 ; Zimbra Handler parameters @@ -275,9 +366,6 @@ useRedirectOnError = 1 ; * none : no protection protection = manager -; logLevel. Set here one of error, warn, notice, info or debug -logLevel = warn - ; staticPrefix: relative (or URL) location of static HTML components staticPrefix = /static ; 
@@ -285,10 +373,29 @@ staticPrefix = /static templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates ; languages: available languages for manager interface -languages = fr, en +languages = fr, en, it, vi, ar, tr ; Manager modules enabled ; Set here the list of modules you want to see in manager interface ; The first will be used as default module displayed -enabledModules = conf, sessions, notifications +;enabledModules = conf, sessions, notifications, 2ndFA, viewer +enabledModules = conf, sessions, notifications, 2ndFA +; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf' +; 'conf' is set by default +;defaultModule = viewer + +; Viewer module allows us to edit configuration in read-only mode +; Options can be set with specific rules like this : +;viewerAllowBrowser = $uid eq 'dwho' +;viewerAllowDiff = $uid ne 'dwho' +; +; Viewer options - Default values +;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions +;viewerAllowBrowser = 0 +;viewerAllowDiff = 0 + +;[node-handler] +; +;This section is for node-lemonldap-ng-handler +;nodeVhosts = test3.example.com, test4.example.com diff --git a/tmpl/lmConf-1.json b/tmpl/lmConf-1.json index 05b9664..63fa2c9 100644 --- a/tmpl/lmConf-1.json +++ b/tmpl/lmConf-1.json 
@@ -1,387 +1,198 @@ +%set %%boolean = {'oui': 1, 'non': 0} %set %%ssoFilters = %%getSSOFilters +%set %%exported_vars = ['"UA": "HTTP_USER_AGENT"'] +%set %%cas_attributes = [] +%for %%attr in %%casAttribute + %silent %%exported_vars.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"') + %silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"') +%end for +%for %%key, %%value in %%ssoFilters + %silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"') + %silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"') +%end for +%silent %%exported_vars.sort() +%silent %%cas_attributes.sort() { - "ldapGroupAttributeNameUser": "dn", - "cfgAuthorIP": "172.16.0.1", - "samlSPMetaDataXML": null, - "facebookAuthnLevel": 1, - "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation", - "secureTokenAttribute": "uid", - "singleSession": 0, - "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", - "CAS_pgtFile": "/tmp/pgt.txt", - "cookieName": "lemonldap", - "slaveExportedVars": {}, - "whatToTrace": "_whatToTrace", - "oidcRPMetaDataOptions": {}, - "notifyDeleted": 1, - "useRedirectOnError": 1, - "samlSPMetaDataExportedAttributes": null, - "ldapPwdEnc": "utf-8", - "openIdSPList": "0;", - "samlNameIDFormatMapEmail": "mail", - "samlSPMetaDataOptions": null, - "issuerDBOpenIDRule": 1, - "casStorageOptions": {}, - "mailFrom": "noreply@%%nom_domaine_local", - "timeoutActivity": 0, - "oidcRPMetaDataExportedVars": {}, - "issuerDBSAMLActivation": 0, - "issuerDBCASPath": "^/%%casFolder/", - "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", - "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;", - "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", - "exportedHeaders": { - "test1.%%nom_domaine_local": { - "Auth-User": 
"$uid" - }, - "test2.%%nom_domaine_local": { - "Auth-User": "$uid" - }, - "%%managerWebName": {} - }, - "vhostOptions": { - "%%managerWebName": { - "vhostHttps" : "1" - }, - "test1.%%nom_domaine_local": {}, - "test2.%%nom_domaine_local": {} - }, - "radiusAuthnLevel": 3, - "dbiAuthnLevel": 2, - "ldapPasswordResetAttribute": "pwdReset", - "ldapGroupObjectClass": "groupOfNames", - "apacheAuthnLevel": 4, - "samlNameIDFormatMapKerberos": "uid", - "groups": {}, - "securedCookie": 0, - "httpOnly": 1, - "yubikeyAuthnLevel": 3, + "ADPwdExpireWarning": 0, "ADPwdMaxAge": 0, - "samlUseQueryStringSpecific": 0, - "loginHistoryEnabled": 1, - "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;", - "failedLoginNumber": 5, - "samlServicePrivateKeyEncPwd": "", - "portalForceAuthnInterval": 0, - "cfgLog": "", - "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", - "exportedVars": { - "UA": "HTTP_USER_AGENT", -%for att in %%casAttribute - "%%att": "%%att", -%end for -%set %%idx = 0 -%set %%size = %%len(%%ssoFilters) - 1 -%for key,value in %%ssoFilters - %if %%idx == %%size - "%%key": "%%value" - %else - "%%key": "%%value", - %end if - %set %%idx += 1 -%end for - }, - "notificationStorage": "File", + "CAS_authnLevel": 1, + "CAS_pgtFile": "/tmp/pgt.txt", + "CAS_proxiedServices": {}, + "SMTPServer": "", + "SSLAuthnLevel": 5, + "Soap": 1, + "activeTimer": 1, + "apacheAuthnLevel": 4, "applicationList": { - "1sample": { - "test2": { - "options": { - "name": "Application Test 2", - "logo": "thumbnail.png", - "uri": "https://test2.%%nom_domaine_local/", - "display": "auto", - "description": "The same simple application displaying authenticated user" - }, - "type": "application" - }, - "type": "category", - "catname": "Sample applications", - "test1": { - "type": "application", - "options": { - 
"description": "A simple application displaying authenticated user", - "uri": "https://test1.%%nom_domaine_local/", - "logo": "demo.png", - "display": "auto", - "name": "Application Test 1" - } - } - }, - "2administration": { - "notifications": { - "options": { - "name": "Notifications explorer", - "display": "auto", - "description": "Explore WebSSO notifications", - "uri": "https://%%managerWebName/notifications.pl", - "logo": "database.png" - }, - "type": "application" - }, + "1administration": { + "catname": "Administration", "manager": { "options": { - "uri": "https://%%managerWebName/", - "display": "auto", "description": "Configure LemonLDAP::NG WebSSO", + "display": "auto", "logo": "configure.png", - "name": "WebSSO Manager" + "name": "WebSSO Manager", + "uri": "https://%%managerWebName/" + }, + "type": "application" + }, + "notifications": { + "options": { + "description": "Explore WebSSO notifications", + "display": "auto", + "logo": "database.png", + "name": "Notifications explorer", + "uri": "https://%%managerWebName/notifications.pl" }, "type": "application" }, - "type": "category", "sessions": { - "type": "application", "options": { "description": "Explore WebSSO sessions", - "uri": "https://%%managerWebName/sessions.pl", - "logo": "database.png", "display": "auto", - "name": "Sessions explorer" - } - }, - "catname": "Administration" - }, - "3documentation": { - "catname": "Documentation", - "officialwebsite": { - "type": "application", - "options": { - "name": "Offical Website", - "description": "Official LemonLDAP::NG Website", - "logo": "network.png", - "display": "on", - "uri": "http://lemonldap-ng.org/" - } - }, - "type": "category", - "localdoc": { - "options": { - "logo": "help.png", - "description": "Documentation supplied with LemonLDAP::NG", - "display": "on", - "uri": "http://%%managerWebName/doc/", - "name": "Local documentation" + "logo": "database.png", + "name": "Sessions explorer", + "uri": "https://%%managerWebName/sessions.pl" }, 
"type": "application" - } + }, + "type": "category" + }, + "2documentation": { + "catname": "Documentation", + "localdoc": { + "options": { + "description": "Documentation supplied with LemonLDAP::NG", + "display": "on", + "logo": "help.png", + "name": "Local documentation", + "uri": "http://%%managerWebName/doc/" + }, + "type": "application" + }, + "officialwebsite": { + "options": { + "description": "Official LemonLDAP::NG Website", + "display": "on", + "logo": "network.png", + "name": "Offical Website", + "uri": "http://lemonldap-ng.org/" + }, + "type": "application" + }, + "type": "category" } }, - "userControl": "^[\\w\\.\\-@]+$", - "timeout": 72000, - "portalAntiFrame": 1, - "SMTPServer": "", - "ldapTimeout": 120, - "samlAuthnContextMapPasswordProtectedTransport": 3, - "ldapUsePasswordResetAttribute": 1, - "ldapPpolicyControl": 0, - "casAttributes": { -%for att in %%casAttribute - "%%att": "%%att.casLDAPAttribute", -%end for -%set %%idx = 0 -%set %%size = %%len(%%ssoFilters) - 1 -%for key,value in %%ssoFilters - %if %%idx == %%size - "%%key": "%%key" - %else - "%%key": "%%key", - %end if - %set %%idx += 1 -%end for - }, - "issuerDBSAMLPath": "^/saml/", - "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;", - "portalDisplayAppslist": 1, - "confirmFormMethod": "post", - "domain": "%%nom_domaine_local", - "cfgNum": "1", - "authentication": "LDAP", - "samlNameIDFormatMapWindows": "uid", "authChoiceModules": {}, - "ldapGroupAttributeName": "member", - "samlServicePrivateKeySigPwd": "", - "googleAuthnLevel": 1, - "successLoginNumber": 5, - "localSessionStorageOptions": { - "cache_root": "/tmp", - "namespace": "lemonldap-ng-sessions", - "default_expires_in": 600, - "directory_umask": "007", - "cache_depth": 3 - }, - "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact", - "portalRequireOldPassword": 1, - 
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;", - "ADPwdExpireWarning": 0, - "yubikeyPublicIDSize": 12, - "ldapGroupAttributeNameGroup": "dn", - "oidcRPMetaDataOptionsExtraClaims": null, - "ldapGroupRecursive": 0, - "mailSubject": "[LemonLDAP::NG] Your new password", - "nginxCustomHandlers": {}, - "samlSPSSODescriptorAuthnRequestsSigned": 1, -%if %%llResetPassword == "oui" - "portalDisplayResetPassword": 1, -%else - "portalDisplayResetPassword": 0, -%end if - "openIdSreg_timezone": "_timezone", - "infoFormMethod": "get", - "openIdAuthnLevel": 1, - "openIdSreg_nickname": "uid", - "samlServicePublicKeyEnc": "", - "userDB": "LDAP", - "grantSessionRules": {}, - "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP", - "reloadUrls": { - "%%reloadWebName": "https://%%reloadWebName/reload" - }, - "registerTimeout": 0, - "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;", - "slaveAuthnLevel": 2, - "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn", - "Soap": 1, -%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo') -%if %%RegisterDB == "Custom" - "registerDB": "Null", -%else - "registerDB": "%%RegisterDB", -%end if - "locationRules": { - "%%managerWebName": { - "default": "$uid eq \"%%lemonAdmin\"" - }, - "test1.%%nom_domaine_local": { - "default": "accept", - "^/logout": "logout_sso" - }, - "test2.%%nom_domaine_local": { - "default": "accept", - "^/logout": "logout_sso" - } - }, - "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", - "hideOldPassword": 0, -%if %%is_file(%%ldapBindUserPassword) - "managerPassword": "%%readPass("", %%ldapBindUserPassword)", -%else - "managerPassword": "%%ldapBindUserPassword", -%end if "authChoiceParam": "lmAuth", - "lwpSslOpts": {}, - 
"portalSkinRules": {}, - "issuerDBOpenIDPath": "^/openidserver/", - "redirectFormMethod": "get", - "portalDisplayRegister": 1, - "secureTokenMemcachedServers": "127.0.0.1:11211", - "notificationStorageOptions": { - "dirName": "/var/lib/lemonldap-ng/notifications" - }, + "authentication": "LDAP", "browserIdAuthnLevel": 1, - "portalUserAttr": "_user", - "ldapVersion": 3, - "sessionDataToRemember": {}, - "samlNameIDFormatMapX509": "mail", - "managerDn": "%%ldapBindUserDN", - "mailSessionKey": "mail", - "openIdSreg_email": "mail", - "localSessionStorage": "Cache::FileCache", - "persistentStorage": "Apache::Session::File", - "mailOnPasswordChange": 0, "captchaStorage": "Apache::Session::File", - "remoteGlobalStorageOptions": { - "proxy": "https://%%authWebName/index.pl/sessions", - "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService" - }, - "passwordDB": "LDAP", - "captcha_size": 6, - "mailCharset": "utf-8", - "facebookExportedVars": {}, - "nullAuthnLevel": 2, - "singleIP": 0, - "dbiExportedVars": {}, - "portalSkin": "bootstrap", - "storePassword": 0, - "hiddenAttributes": "_password", - "samlServicePrivateKeySig": "", - "globalStorage": "Apache::Session::File", - "notificationWildcard": "allusers", - "portalForceAuthn": 0, - "samlMetadataForceUTF8": 1, - "secureTokenUrls": ".*", - "secureTokenAllowOnError": 1, - "samlAuthnContextMapTLSClient": 5, - "ldapAllowResetExpiredPassword": 0, - "oidcOPMetaDataExportedVars": {}, - "notifyOther": 0, - "secureTokenExpiration": 60, - "captcha_mail_enabled": 0, - "samlStorageOptions": {}, - "samlOrganizationDisplayName": "Example", - "trustedProxies": "", - "secureTokenHeader": "Auth-Token", - "issuerDBCASActivation": 1, - "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;", - "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": 
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn", - "samlIDPMetaDataXML": {}, - "oidcStorageOptions": {}, - "cfgDate": 1519998069, - "samlAuthnContextMapPassword": 2, - "portalDisplayLoginHistory": 1, - "ldapPasswordResetAttributeValue": "TRUE", - "ldapServer": "%%ldapScheme://%%ldapServer", - "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;", - "samlIDPMetaDataExportedAttributes": null, - "samlServicePrivateKeyEnc": "", - "useRedirectOnForbidden": 0, - "captcha_login_enabled": 0, - "https": 0, - "checkXSS": 1, - "ldapSetPassword": 0, - "portalPingInterval": 60000, "captchaStorageOptions": { "Directory": "/var/lib/lemonldap-ng/captcha/" }, - "useSafeJail": 1, - "registerDoneSubject": "[LemonLDAP::NG] Your new account", - "issuerDBCASRule": 1, - "samlAuthnContextMapKerberos": 4, - "ldapGroupAttributeNameSearch": "cn", - "logoutServices": {}, - "samlIDPSSODescriptorWantAuthnRequestsSigned": 1, - "portalDisplayLogout": 1, - "issuerDBGetParameters": {}, - "googleExportedVars": {}, - "openIdSreg_fullname": "cn", - "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact", - "demoExportedVars": { - "mail": "mail", - "uid": "uid", - "cn": "cn" + "captcha_login_enabled": 0, + "captcha_mail_enabled": 0, + "captcha_register_enabled": 1, + "captcha_size": 6, + "casAccessControlPolicy": "none", + "casAttributes": { + %%custom_join(%%cas_attributes, ',\n ') }, - "oidcOPMetaDataJSON": null, - "samlIdPResolveCookie": "lemonldapidp", - "samlRelayStateTimeout": 600, - "samlOrganizationURL": "https://auth.%%nom_domaine_local", + "casStorageOptions": {}, + "cda": 0, + "cfgAuthor": "EOLE", + "cfgAuthorIP": "127.0.0.1", + "cfgDate": 1600257889, + "cfgLog": "", + "cfgNum": "1", + "checkXSS": 1, + "confirmFormMethod": "post", + "cookieName": 
"lemonldap", + "dbiAuthnLevel": 2, + "dbiExportedVars": {}, + "demoExportedVars": { + "cn": "cn", + "mail": "mail", + "uid": "uid" + }, + "domain": "%%nom_domaine_local", + "exportedHeaders": { + "%%managerWebName": {} + }, + "exportedVars": { + %%custom_join(%%exported_vars, ',\n ') + }, + "facebookAuthnLevel": 1, + "facebookExportedVars": {}, + "failedLoginNumber": 5, + "globalStorage": "Apache::Session::File", "globalStorageOptions": { "Directory": "/var/lib/lemonldap-ng/sessions", "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock" }, + "googleAuthnLevel": 1, + "googleExportedVars": {}, + "grantSessionRules": {}, + "groups": {}, + "hiddenAttributes": "_password", + "hideOldPassword": 0, + "httpOnly": 1, + "https": 0, + "infoFormMethod": "get", + "issuerDBCASActivation": 1, + "issuerDBCASPath": "^/%%casFolder/", + "issuerDBCASRule": 1, + "issuerDBGetParameters": {}, + "issuerDBOpenIDActivation": "1", + "issuerDBOpenIDPath": "^/openidserver/", + "issuerDBOpenIDRule": 1, + "issuerDBSAMLActivation": 0, + "issuerDBSAMLPath": "^/saml/", + "issuerDBSAMLRule": 1, + "jsRedirect": 0, + "key": "e\"bTCt3*eU9^\\V%b", + "ldapAllowResetExpiredPassword": 0, + "ldapAuthnLevel": 2, + "ldapBase": "%%ldapUserBaseDN", + "ldapChangePasswordAsUser": 0, "ldapExportedVars": { - "mail": "mail", "cn": "cn", + "mail": "mail", "uid": "uid" }, - "webIDExportedVars": {}, - "activeTimer": 1, - "cda": 0, - "samlServicePublicKeySig": "", -%if %%llCheckLogins == "oui" - "portalCheckLogins": 1, -%else - "portalCheckLogins": 0, -%end if - "CAS_authnLevel": 1, + "ldapGroupAttributeName": "memberUid", + "ldapGroupAttributeNameGroup": "dn", + "ldapGroupAttributeNameSearch": "cn", + "ldapGroupAttributeNameUser": "uid", + "ldapGroupObjectClass": "eolegroupe", + "ldapGroupRecursive": 0, + "ldapPasswordResetAttribute": "pwdReset", + "ldapPasswordResetAttributeValue": "TRUE", + "ldapPort": "%%ldapServerPort", + "ldapPpolicyControl": 0, + "ldapPwdEnc": "utf-8", + "ldapServer": 
"%%ldapScheme://%%ldapServer", + "ldapSetPassword": 0, + "ldapTimeout": 120, + "ldapUsePasswordResetAttribute": 1, + "ldapVersion": 3, + "localSessionStorage": "Cache::FileCache", + "localSessionStorageOptions": { + "cache_depth": 3, + "cache_root": "/tmp", + "default_expires_in": 600, + "directory_umask": "007", + "namespace": "lemonldap-ng-sessions" + }, + "locationRules": { + "%%managerWebName": { + "default": "$uid eq \"%%lemonAdmin\"" + } + }, + "loginHistoryEnabled": 1, + "logoutServices": {}, + "lwpSslOpts": {}, "macros": { "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\"" }, 
@@ -392,52 +203,183 @@
     "oidcOPMetaDataJWKS": null,
     "webIDAuthnLevel": 1,
     "issuerDBOpenIDActivation": "1",
+    "mailCharset": "utf-8",
+    "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
+    "mailFrom": "noreply@%%nom_domaine_local",
+    "mailOnPasswordChange": 0,
+    "mailSessionKey": "mail",
+    "mailSubject": "[LemonLDAP::NG] Your new password",
+    "mailTimeout": 0,
 %if %%llResetPassword == "oui"
-    %if %%is_empty(%%llResetUrl)
+    %if %%is_empty(%%llResetUrl)
     "mailUrl": "https://%%authWebName/mail.pl",
-    %else
+    %else
     "mailUrl": "%%llResetUrl",
-    %end if
+    %end if
 %end if
     "maintenance": 0,
-    "jsRedirect": 0,
-    "cfgAuthor": "Cadoles",
-    "persistentStorageOptions": {
-        "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
-        "Directory": "/var/lib/lemonldap-ng/psessions"
-    },
-    "SSLAuthnLevel": 5,
-    "oidcServiceMetaDataAuthnContext": {},
-    "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+    "managerDn": "%%ldapBindUserDN",
+%if %%is_file(%%ldapBindUserPassword)
+    "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
+%else
+    "managerPassword": "%%ldapBindUserPassword",
+%end if
+    "multiValuesSeparator": ";",
+    "nginxCustomHandlers": {},
     "notification": 1,
-    "ldapChangePasswordAsUser": 0,
-    "CAS_proxiedServices": {},
-    "key": "e\"bTCt3*eU9^\\V%b",
+    "notificationStorage": "File",
+    "notificationStorageOptions": {
+        "dirName": "/var/lib/lemonldap-ng/notifications"
+    },
+    "notificationWildcard": "allusers",
+    "notifyDeleted": 1,
+    "notifyOther": 0,
+    "nullAuthnLevel": 2,
+    "oidcOPMetaDataExportedVars": {},
+    "oidcOPMetaDataJSON": null,
+    "oidcOPMetaDataJWKS": null,
+    "oidcOPMetaDataOptions": null,
+    "oidcRPMetaDataExportedVars": {},
+    "oidcRPMetaDataOptions": {},
+    "oidcRPMetaDataOptionsExtraClaims": null,
+    "oidcServiceMetaDataAuthnContext": {},
+    "oidcStorageOptions": {},
+    "openIdAuthnLevel": 1,
+    "openIdExportedVars": {},
+    "openIdSPList": "0;",
+    "openIdSreg_email": "mail",
+    "openIdSreg_fullname": "cn",
+    "openIdSreg_nickname": "uid",
+    "openIdSreg_timezone": "_timezone",
+    "passwordDB": "LDAP",
+    "persistentStorage": "Apache::Session::File",
+    "persistentStorageOptions": {
+        "Directory": "/var/lib/lemonldap-ng/psessions",
+        "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock"
+    },
     "portal": "https://%%authWebName/",
-    "singleSessionUserByIP": 0,
+    "portalAntiFrame": 1,
+    "portalCheckLogins": %%boolean[%%llCheckLogins],
+    "portalDisplayAppslist": 1,
+    "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
+    "portalDisplayLoginHistory": 1,
+    "portalDisplayLogout": 1,
+    "portalDisplayRegister": 1,
+    "portalDisplayResetPassword": %%boolean[%%llResetPassword],
+    "portalForceAuthn": 0,
+    "portalForceAuthnInterval": 0,
     "portalOpenLinkInNewWindow": 0,
+    "portalPingInterval": 60000,
+    "portalRequireOldPassword": 1,
+    "portalSkin": "bootstrap",
+    "portalSkinRules": {},
+    "portalUserAttr": "_user",
     "post": {
-        "test2.%%nom_domaine_local": {},
-        "test1.%%nom_domaine_local": {},
         "%%managerWebName": {}
     },
-    "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
-    "issuerDBSAMLRule": 1,
-    "samlCommonDomainCookieActivation": 0,
-    "syslog": "",
-    "ldapBase": "%%ldapUserBaseDN",
-    "ldapAuthnLevel": 2,
-    "mailTimeout": 0,
-    "samlEntityID": "#PORTAL#/saml/metadata",
-    "oidcOPMetaDataOptions": null,
-    "samlSPSSODescriptorWantAssertionsSigned": 1,
-    "samlOrganizationName": "%%samlOrganizationName",
-%if %%RegisterDB == "Custom"
+    "radiusAuthnLevel": 3,
+    "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
+    "redirectFormMethod": "get",
+    "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
+%set %%register_db = %%getVar('llRegisterDB', 'Demo')
+%if %%register_db == 'Custom'
+    "registerDB": "Null",
     "registerUrl": "%%llRegisterURL",
 %else
+    "registerDB": "%%register_db",
     "registerUrl": "https://%%authWebName/register.pl",
 %end if
-    "casAccessControlPolicy": "none",
-    "multiValuesSeparator": ";",
-    "ldapPort": %%ldapServerPort
+    "registerDoneSubject": "[LemonLDAP::NG] Your new account",
+    "registerTimeout": 0,
+    "reloadUrls": {
+        "%%reloadWebName": "https://%%reloadWebName/reload"
+    },
+    "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
+    "remoteGlobalStorageOptions": {
+        "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService",
+        "proxy": "https://%%authWebName/index.pl/sessions"
+    },
+    "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
+    "samlAuthnContextMapKerberos": 4,
+    "samlAuthnContextMapPassword": 2,
+    "samlAuthnContextMapPasswordProtectedTransport": 3,
+    "samlAuthnContextMapTLSClient": 5,
+    "samlCommonDomainCookieActivation": 0,
+    "samlEntityID": "#PORTAL#/saml/metadata",
+    "samlIDPMetaDataExportedAttributes": null,
+    "samlIDPMetaDataOptions": null,
+    "samlIDPMetaDataXML": {},
+    "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+    "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+    "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+    "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
+    "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
+    "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
+    "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
+    "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
+    "samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
+    "samlIdPResolveCookie": "lemonldapidp",
+    "samlMetadataForceUTF8": 1,
+    "samlNameIDFormatMapEmail": "mail",
+    "samlNameIDFormatMapKerberos": "uid",
+    "samlNameIDFormatMapWindows": "uid",
+    "samlNameIDFormatMapX509": "mail",
+    "samlOrganizationDisplayName": "Example",
+    "samlOrganizationName": "%%samlOrganizationName",
+    "samlOrganizationURL": "https://auth.%%nom_domaine_local",
+    "samlRelayStateTimeout": 600,
+    "samlSPMetaDataExportedAttributes": null,
+    "samlSPMetaDataOptions": null,
+    "samlSPMetaDataXML": null,
+    "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+    "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
+    "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
+    "samlSPSSODescriptorAuthnRequestsSigned": 1,
+    "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+    "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+    "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
+    "samlSPSSODescriptorWantAssertionsSigned": 1,
+    "samlServicePrivateKeyEnc": "",
+    "samlServicePrivateKeyEncPwd": "",
+    "samlServicePrivateKeySig": "",
+    "samlServicePrivateKeySigPwd": "",
+    "samlServicePublicKeyEnc": "",
+    "samlServicePublicKeySig": "",
+    "samlStorageOptions": {},
+    "samlUseQueryStringSpecific": 0,
+    "secureTokenAllowOnError": 1,
+    "secureTokenAttribute": "uid",
+    "secureTokenExpiration": 60,
+    "secureTokenHeader": "Auth-Token",
+    "secureTokenMemcachedServers": "127.0.0.1:11211",
+    "secureTokenUrls": ".*",
+    "securedCookie": 0,
+    "sessionDataToRemember": {},
+    "singleIP": 0,
+    "singleSession": 0,
+    "singleSessionUserByIP": 0,
+    "slaveAuthnLevel": 2,
+    "slaveExportedVars": {},
+    "storePassword": 0,
+    "successLoginNumber": 5,
+    "syslog": "",
+    "timeout": 72000,
+    "timeoutActivity": 0,
+    "trustedProxies": "",
+    "twitterAuthnLevel": 1,
+    "useRedirectOnError": 1,
+    "useRedirectOnForbidden": 0,
+    "useSafeJail": 1,
+    "userControl": "^[\\w\\.\\-@]+$",
+    "userDB": "LDAP",
+    "vhostOptions": {
+        "%%managerWebName": {
+            "vhostHttps": "1"
+        }
+    },
+    "webIDAuthnLevel": 1,
+    "webIDExportedVars": {},
+    "whatToTrace": "_whatToTrace",
+    "yubikeyAuthnLevel": 3,
+    "yubikeyPublicIDSize": 12
 }
diff --git a/tmpl/manager-apache2.X.conf b/tmpl/manager-apache2.X.conf
new file mode 100644
index 0000000..9bca544
--- /dev/null
+++ b/tmpl/manager-apache2.X.conf
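Review bot: `securedCookie` is left at 0 near the end of this hunk although `portal` is `https://%%authWebName/` and the manager vhost gets `vhostHttps` 1, so the `lemonldap` session cookie is issued without the Secure attribute and a browser will also send it to any plain-HTTP host under `%%nom_domaine_local`; `"securedCookie": 1,` (or 2 for the double-cookie mode) matches the HTTPS-only vhosts the Apache templates in this commit set up, and `httpOnly` is already 1 so that is the only attribute missing. Separately, the `key` value this hunk removes is re-added unchanged in the earlier hunk of the same file; it looks like the sample value from upstream's example lmConf and is shared by every host built from this template, so it should come from a per-instance Creole variable rather than be hard-coded. `openIdSPList` is `0;` while `issuerDBOpenIDActivation` stays `"1"`, which, if I read the blacklist/whitelist format correctly, lets any OpenID relying party use this provider — worth confirming that is intended or documenting it next to the line.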
@@ -0,0 +1,130 @@ +#==================================================================== +# Apache configuration for LemonLDAP::NG Manager +#==================================================================== + +# Uncomment this if no previous NameVirtualHost declaration +#NameVirtualHost "*:80" + +# To insert LLNG user id in Apache logs, declare this format and use it in +# CustomLog directive +#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng + +# Manager virtual host (manager.example.com) + + ServerName %%managerWebName + SSLEngine on + SSLCertificateFile /etc/ssl/certs/eole.crt + SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateChainFile /etc/ssl/certs/ca_local.crt + SSLProtocol all -SSLv3 -SSLv2 + SSLProxyEngine on + + LogLevel info + ErrorLog /var/log/apache2/manager_error.log + CustomLog /var/log/apache2/manager_access.log common + + # See above to set LLNG user id in Apache logs + #CustomLog /var/log/apache2/manager.log llng + #ErrorLog /var/log/apache2/lm_err.log + + # Uncomment this if you are running behind a reverse proxy and want + # LemonLDAP::NG to see the real IP address of the end user + # Adjust the settings to match the IP address of your reverse proxy + # and the header containing the original IP address + # + #RemoteIPHeader X-Forwarded-For + #RemoteIPInternalProxy 127.0.0.1 + + + # FASTCGI CONFIGURATION + # --------------------- + + # 1) URI management + RewriteEngine on + + # For performances, you can delete the previous RewriteRule line after + # puttings html files: simply put the HTML results of differents modules + # (configuration, sessions, notifications) as manager.html, sessions.html, + # notifications.html and uncomment the 2 following lines: + # DirectoryIndex manager.html + # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$" + + # REST URLs + RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*" + RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT] + + # 2) FastCGI 
engine + + # You can choose any FastCGI system. Here is an example using mod_fcgid + # mod_fcgid configuration + FcgidMaxRequestLen 2000000 + + SetHandler fcgid-script + Options +ExecCGI + header unset Lm-Remote-User + + + # If you want to use mod_fastcgi, replace lines below by: + #FastCgiServer /usr/share/lemonldap-ng/manager/htdocs//manager.fcgi + + # GLOBAL CONFIGURATION + # -------------------- + + DocumentRoot /usr/share/lemonldap-ng/manager/htdocs/ + + + = 2.3> + Require all granted + + + Order Deny,Allow + Allow from all + + Options +FollowSymLinks + + + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css + SetOutputFilter DEFLATE + BrowserMatch ^Mozilla/4 gzip-only-text/html + BrowserMatch ^Mozilla/4\.0[678] no-gzip + BrowserMatch \bMSIE !no-gzip !gzip-only-text/html + SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary + + + Header append Vary User-Agent env=!dont-vary + + + + # Static files (javascripts, HTML forms,...) + + Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static// + + = 2.3> + Require all granted + + + Order Deny,Allow + Allow from all + + Options +FollowSymLinks + + + # On-line documentation + Alias /doc/ /usr/share/doc/lemonldap-ng/ + Alias /lib/ /usr/share/doc/lemonldap-ng/pages/documentation/current/lib/ + + = 2.3> + Require all granted + + + Order Deny,Allow + Allow from all + + ErrorDocument 404 /notfound.html + Options +FollowSymLinks + DirectoryIndex index.html start.html + + + # Uncomment this if site if you use SSL only + #Header set Strict-Transport-Security "max-age=15768000" + diff --git a/tmpl/pam_cas_auth.conf b/tmpl/pam_cas_auth.conf deleted file mode 100644 index 9e69d5d..0000000 --- a/tmpl/pam_cas_auth.conf +++ /dev/null 
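Review bot: `SSLProtocol all -SSLv3 -SSLv2` in the manager vhost still negotiates TLS 1.0 and 1.1, and no `SSLCipherSuite`/`SSLHonorCipherOrder` is set, so the handshake falls back to whatever the distribution's OpenSSL defaults allow; `SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1` plus an explicit cipher list would pin this. The last line of the file, `#Header set Strict-Transport-Security "max-age=15768000"`, stays commented out even though the vhost runs with `SSLEngine on` and no plain-HTTP counterpart is defined here, so it can simply be enabled. The same two points apply to the portal vhost in tmpl/portal-apache2.X.conf below. The file also carries no `PerlHeaderParserHandler` or other visible SSO-protection directive for the manager; if access control is meant to come from the embedded handler and the `locationRules` entry for `%%managerWebName`, a one-line comment saying so above `RewriteEngine on` would save the next reader from having to check.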
@@ -1,35 +0,0 @@
-# sample pam_cas config
-
-# host from CAS server. mandatory
-host %%authWebName
-
-# port from CAS server. Default to 80 or 443, depends from ssl instruction
-port 443
-
-# uri to validate ticket. Default to /proxyValidate
-uriValidate /proxyValidate
-
-# https or no. values on or off. Default to on.
-ssl on
-
-# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
-debug off
-
-# proxy or proxies who deliver Proxy Ticket.
-# If no proxy, pam_cas doesn't control it
-# It may be several proxy instructions
-#proxy https://%%authWebName/proxycas/casimap.php
-#proxy https://imp.its.yale.edu/cas/casProxy.php
-#proxy https://uportal1.its.yale.edu/CasProxyServlet
-#proxy https://uportal2.its.yale.edu/CasProxyServlet
-
-# trusted_ca. mandatory if ssl on.
-# It a file in pem format. It can contents several certificates
-# If the CAS server certificate is auto-signed, the file must content the certificate
-# If the certificate is trusted by an Certificate Autority, The file must content
-# certificate from high level CA
-%if not %%is_empty(%%getVar('ssoCALocation', ''))
-trusted_ca %%ssoCALocation
-%else
-trusted_ca /etc/ssl/certs/ca.crt
-%end if
diff --git a/tmpl/portal-apache2.X.conf b/tmpl/portal-apache2.X.conf
new file mode 100644
index 0000000..71fb6c1
--- /dev/null
+++ b/tmpl/portal-apache2.X.conf
@@ -0,0 +1,147 @@ +#==================================================================== +# Apache configuration for LemonLDAP::NG Portal +#==================================================================== + +# Uncomment this if no previous NameVirtualHost declaration +#NameVirtualHost "*:80" + +# To insert LLNG user id in Apache logs, declare this format and use it in +# CustomLog directive +#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng + +# Portal Virtual Host (auth.example.com) + + ServerName %%authWebName + SSLEngine on + SSLCertificateFile /etc/ssl/certs/eole.crt + SSLCertificateKeyFile /etc/ssl/private/eole.key + SSLCertificateChainFile /etc/ssl/certs/ca_local.crt + SSLProtocol all -SSLv3 -SSLv2 + SSLProxyEngine on + + LogLevel info + ErrorLog /var/log/apache2/portal_error.log + CustomLog /var/log/apache2/portal_access.log common + + # See above to set LLNG user id in Apache logs + #CustomLog /var/log/apache2/portal.log llng + + # DocumentRoot (FCGI scripts) + DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/ + + = 2.3> + Require all granted + + + Order Deny,Allow + Allow from all + + Options +ExecCGI +FollowSymLinks + + RewriteEngine On + # For performances, you can put static html files: simply put the HTML + # result (example: /oauth2/checksession.html) as static file. Then + # uncomment the following line. 
+ # RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$" + RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$" + RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT] + + # Note that Content-Security-Policy header is generated by portal itself + + SetHandler fcgid-script + + # Authorization header needs to be passed when using Kerberos or OIDC + = 2.4.13> + CGIPassAuth On + + + RewriteCond %{HTTP:Authorization} ^(.*) + RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] + + + Options +ExecCGI + header unset Lm-Remote-User + + + # Uncomment this if status is enabled + #FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321 + + # Static files + Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/ + + Require all granted + Options +FollowSymLinks + + + + ExpiresActive On + ExpiresDefault "access plus 1 month" + + + + + DirectoryIndex index.fcgi index.html + + + # REST/SOAP functions for sessions management (disabled by default) + + = 2.3> + Require all denied + + + Order Deny,Allow + Deny from all + + + + # REST/SOAP functions for sessions access (disabled by default) + + = 2.3> + Require all denied + + + Order Deny,Allow + Deny from all + + + + # REST/SOAP functions for configuration access (disabled by default) + + = 2.3> + Require all denied + + + Order Deny,Allow + Deny from all + + + + # REST/SOAP functions for notification insertion (disabled by default) + + = 2.3> + Require all denied + + + Order Deny,Allow + Deny from all + + + + # Enable compression + + + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css + SetOutputFilter DEFLATE + BrowserMatch ^Mozilla/4 gzip-only-text/html + BrowserMatch ^Mozilla/4\.0[678] no-gzip + BrowserMatch \bMSIE !no-gzip !gzip-only-text/html + SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary + + + Header append Vary User-Agent env=!dont-vary + + + + # Uncomment this if site if you use SSL only + #Header set Strict-Transport-Security "max-age=15768000" + 
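Review bot: The `/static/` Directory block (the `Alias /static/ ...` line followed by `Require all granted` and `Options +FollowSymLinks`) is the only access block in this file without the `IfVersion` 2.3 / `Order Deny,Allow` fallback that every other Directory and Location block carries, so the file is inconsistent about which Apache generation it targets. If the EOLE release this is for ships Apache 2.4, `Require all granted` alone is correct and the 2.2 fallbacks elsewhere are dead weight that can be dropped; otherwise this block needs the same fallback. `SSLProxyEngine on` is also enabled although no ProxyPass appears in the vhost; if nothing proxies outbound it can go, and if something does, a comment naming it would help. The TLS-protocol and HSTS remarks on tmpl/manager-apache2.X.conf above apply to this vhost as well.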
diff --git a/tmpl/test-nginx.conf b/tmpl/test-nginx.conf deleted file mode 100644 index 64e08bd..0000000 --- a/tmpl/test-nginx.conf +++ /dev/null 
@@ -1,117 +0,0 @@ -server { - listen 80; - server_name test1.%%nom_domaine_local test2.%%nom_domaine_local; - return 301 https://$host$request_uri; -} - -server { - listen 443; - ssl on; - ssl_certificate %%server_cert; - ssl_certificate_key %%server_key; - ssl_client_certificate /etc/ssl/certs/ca.crt; - access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log; - - server_name test1.%%nom_domaine_local test2.%%nom_domaine_local; - root /var/lib/lemonldap-ng/test/; - - # Internal authentication request - location = /lmauth { - internal; - - # FastCGI configuration - include /etc/nginx/fastcgi_params; - fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - # Drop post datas - fastcgi_pass_request_body off; - fastcgi_param CONTENT_LENGTH ""; - # Keep original hostname - fastcgi_param HOST $http_host; - # Keep original request (LLNG server will receive /lmauth) - fastcgi_param X_ORIGINAL_URI $request_uri; - # Improve performances - #fastcgi_buffer_size 32k; - #fastcgi_buffers 32 32k; - - } - - # Client requests - location / { - # Local application - index index.pl; - try_files $uri $uri/ =404; - - # Reverse proxy - #proxy_pass http://remote.server/; - #include /etc/nginx/proxy_params; - - ################################## - # CALLING AUTHENTICATION # - ################################## - auth_request /lmauth; - auth_request_set $lmremote_user $upstream_http_lm_remote_user; - auth_request_set $lmremote_custom $upstream_http_lm_remote_custom; - auth_request_set $lmlocation $upstream_http_location; - # If CDA is used, uncomment this - #auth_request_set $cookie_value $upstream_http_set_cookie; - #add_header Set-Cookie $cookie_value; - # Remove this for AuthBasic handler - error_page 401 $lmlocation; - - ################################## - # PASSING HEADERS TO APPLICATION # - ################################## - - # IF LUA IS SUPPORTED - #include /etc/lemonldap-ng/nginx-lua-headers.conf; - - # ELSE - # Set manually your headers - #auth_request_set 
$authuser $upstream_http_auth_user; - #proxy_set_header Auth-User $authuser; - # OR in the corresponding block - #fastcgi_param HTTP_AUTH_USER $authuser; - - # Then (if LUA is not supported), change cookie header to hide LLNG cookie - #auth_request_set $lmcookie $upstream_http_cookie; - #proxy_set_header Cookie: $lmcookie; - # OR in the corresponding block - #fastcgi_param HTTP_COOKIE $lmcookie; - - # Uncomment this if you use https only - #add_header Strict-Transport-Security "max-age=15768000"; - - # Set REMOTE_USER (for FastCGI apps only) - #fastcgi_param REMOTE_USER $lmremote_user; - } - - # Handle test CGI - location ~ ^(?/.*\.pl)(?:$|/) { - include /etc/nginx/fastcgi_params; - fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - fastcgi_param LLTYPE cgi; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_split_path_info ^(.*\.pl)(/.+)$; - fastcgi_param REMOTE_USER $lmremote_user; - - # Or with uWSGI - #include /etc/nginx/uwsgi_params; - #uwsgi_pass 127.0.0.1:5000; - #uwsgi_param LLTYPE cgi; - #uwsgi_param SCRIPT_FILENAME $document_root$sc; - #uwsgi_param SCRIPT_NAME $sc; - } - - #location = /status { - # allow 127.0.0.1; - # deny all; - # include /etc/nginx/fastcgi_params; - # fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; - # fastcgi_param LLTYPE status; - - ### Or with uWSGI - ## include /etc/nginx/uwsgi_params; - ## uwsgi_pass 127.0.0.1:5000; - ## uwsgi_param LLTYPE status; - #} -}