Cadoles/eole-lemonldap
21
0
Fork 0
Code Issues 11 Pull Requests Releases Wiki Activity

Merge branch 'master' into 2.7.2/master

Browse Source
This commit is contained in:
Philippe Caseiro
2020-11-24 13:31:11 +01:00
parent fd4ee5dc87 944dbed98a
commit faac2bb213
20 changed files with 1140 additions and 762 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
tmpl/cas.inc.php.tmpl
View File

@ -1,27 +0,0 @@
<?php
define("__CAS_SERVER", "%%authWebName");
define("__CAS_VERSION", "2.0");
define("__CAS_FOLDER", "%%casFolder");
define("__CAS_PORT", 443);
define("__CAS_PROTO", "https");
%if %%cas_send_logout == 'oui'
define("__CAS_LOGOUT", true);
%else
define("__CAS_LOGOUT", false);
%end if
%if %%getVar('activer_web_valider_ca', 'non') == 'oui'
define("__CAS_VALIDER_CA", true);
%else
define("__CAS_VALIDER_CA", false);
%end if
%if %%is_empty(%%getVar('ssoCALocation', ''))
define("__CAS_CA_LOCATION", "/etc/ssl/certs/ca.crt");
%else
define("__CAS_CA_LOCATION", "%%ssoCALocation");
%end if
%if %%getVar("ssoDebug", 'non') == "oui"
define("__CAS_DEBUG", true);
%else
define("__CAS_DEBUG", false);
%end if
?>

7
tmpl/eoleCASConfig.php.tmpl
View File

@ -1,7 +0,0 @@
<?php
%if %%mode_conteneur_actif != "non"
define("__CAS_IP", "%%adresse_ip_br0");
%else
define("__CAS_IP", "false");
%end if
?>

67
tmpl/handler-apache2.X.conf Normal file
View File

@ -0,0 +1,67 @@
#========================================================================
# Apache configuration for LemonLDAP::NG Handler
#========================================================================
# This file implements the reload virtualhost that permits to reload
# configuration without restarting server, and some common instructions.
# You need then to declare this vhost in reloadUrls (in the manager
# interface if this server doesn't host the manager itself):
#
# KEY : VALUE
# host-or-IP:port : http://reload.domscribe.ac-test.fr/reload
#
# IMPORTANT:
# To protect applications, see test-apache.conf template in example files
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::ApacheMP2
# Common error page and security parameters
ErrorDocument 403 https://%%authWebName/lmerror/403
ErrorDocument 404 https://%%authWebName/lmerror/404
ErrorDocument 500 https://%%authWebName/lmerror/500
ErrorDocument 502 https://%%authWebName/lmerror/502
ErrorDocument 503 https://%%authWebName/lmerror/503
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%reloadWebName
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<Location /reload>
<IfVersion >= 2.3>
Require ip 127 ::1
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
Allow from 127.0.0.0/8 ::1
</IfVersion>
SetHandler perl-script
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
# Uncomment this to activate status module
#<Location /status>
# <IfVersion >= 2.3>
# Require ip 127 ::1
# </IfVersion>
# <IfVersion < 2.3>
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.0/8 ::1
# </IfVersion>
# SetHandler perl-script
# PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status
# # You may have to uncomment the next directive to skip
# # an upper PerlHeaderParserHandler directive
# #PerlHeaderParserHandler Apache2::Const::DECLINED
#</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

175
tmpl/lemonldap-ng.ini
View File

@ -1,3 +1,4 @@
%set %%boolean = {'oui': 1, 'non': 0}
;==============================================================================
; LemonLDAP::NG local configuration parameters
;
@ -11,9 +12,6 @@
; Section "configuration" is used to load global configuration and set cache
; (replace old storage.conf file)
;
; Section "apply" is read by Manager to reload handlers
; (replace old apply.conf file)
;
; Other section are only read by the specific LemonLDAP::NG component
;==============================================================================
@ -34,16 +32,80 @@
; Warning: this can allow malicious code in custom functions or rules
;useSafeJail = 0
; LOGGING
;
; 1 - Defined logging level
; Set here one of error, warn, notice, info or debug
logLevel = debug
; Note that this has no effect for Apache2 logging: Apache LogLevel is used
; instead
;
; 2 - Change logger
;
; By default, logging is set to:
; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers
; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx)
; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager,
; portal,...) when they are not
; launched by FastCGI server
; Other loggers availables:
; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
;
; "Std" is redirected to the web server logs for Apache. For Nginx, only if
; request failed
;
; You can overload this in this section (for all) or in another section if
; you want to change logger for a specified app.
;
; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
; (userLogger). "userLogger" uses the same class as "logger" if not set.
;logger = Lemonldap::NG::Common::Logger::Syslog
;userLogger = Lemonldap::NG::Common::Logger::Std
;
; 2.1 - Using Syslog
;
; For Syslog logging, you can also overwrite facilities. Default values:
;logger = Lemonldap::NG::Common::Logger::Syslog
;syslogFacility = daemon
;userSyslogFacility = auth
;
; 2.2 - Using Log4perl
;
; If you want to use Log4perl, you can set these parameters. Here are default
; values:
;logger = Lemonldap::NG::Common::Logger::Log4perl
;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf
;log4perlLogger = LLNG
;log4perlUserLogger = LLNG.user
;
; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
; value points to the logger class. Example:
; log4perl.logger.LLNG = WARN, File1
; log4perl.logger.LLNG.user = INFO, File2
; ...
; CONFIGURATION CHECK
;
; LLNG verify configuration at server start. If you use "reload" mechanism,
; local cache will be updated. Configuration is checked locally every
; 10 minutes by each LLNG component. You can change this value using
; `checkTime` (time in seconds).
; To increase performances, you should comment this parameter and rely on cache.
checkTime = 1
[configuration]
; confTimeout: maximum time to get configuration (default 10)
;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE
; (File, SOAP, RDBI/CDBI, LDAP)
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set "type" to one of the followings :
;
; * File: you have to set 'dirName' parameter. Example:
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
;
; type = File
; type = File ; or type = YAMLFile
; dirName = /var/lib/lemonldap-ng/conf
;
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
@ -51,17 +113,28 @@
;
; type = RDBI
; ;type = CDBI
; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
; dbiUser = lemonldap
; dbiPassword = password
;
; * REST: REST configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
; example).
; You have to set 'baseUrl' parameter. Example:
;
; type = REST
; baseUrl = https://auth.example.com/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
;
; * SOAP: SOAP configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
; example).
; You have to set 'proxy' parameter. Example:
;
; type = SOAP
; proxy = https://auth.example.com/index.pl/config
; proxy = https://auth.example.com/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
@ -91,7 +164,7 @@ dirName = /var/lib/lemonldap-ng/conf
; 'default_expires_in' => 600, \
; 'directory_umask' => '007', \
; 'cache_root' => '/tmp', \
; 'cache_depth' => 0, \
; 'cache_depth' => 3, \
; }
localStorage=Cache::FileCache
localStorageOptions={ \
@ -99,33 +172,31 @@ localStorageOptions={ \
'default_expires_in' => 600, \
'directory_umask' => '007', \
'cache_root' => '/tmp', \
'cache_depth' => 0, \
'cache_depth' => 3, \
}
[portal]
; PERFORMANCES
; By setting useLocalConf, Portal will use only local cached configuration
; To refresh it, you must have an handler on the same server or you have to
; restart your server. This increase performances
;useLocalConf = 1
; PORTAL CUSTOMIZATION
; I - Required parameters
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static
; location of HTML templates directory
templateDir = /usr/share/lemonldap-ng/portal/templates
; languages: available languages for portal interface
languages = fr, en
; PORTAL CUSTOMIZATION
languages = fr, en, vi, it, ar, de, fi, tr
; II - Optional parameters (overwrite configuration)
; Name of the skin
portalSkin = %%llSkin
; Modules displayed
;portalDisplayLogout = 1
%if %%llResetPassword == "oui"
portalDisplayResetPassword = 1
%else
portalDisplayResetPassword = 0
%end if
portalDisplayResetPassword = %%boolean[%%llResetPassword]
;portalDisplayChangePassword = 1
;portalDisplayAppslist = 1
;portalDisplayLoginHistory = 1
@ -142,16 +213,17 @@ portalDisplayResetPassword = 0
; For example to use <TMPL_VAR NAME="myparam">
;tpl_myparam = test
; LOG
; By default, all is logged in Apache file. To log user actions by
; syslog, just set syslog facility here:
; COMBINATION FORMS
; If you want to fix forms to display, you can use this;
;combinationForms = standardform, yubikeyform
;syslog = auth
; SOAP FUNCTIONS
; Remove comment to activate SOAP Functions getCookies(user,pwd) and
; error(language, code)
;Soap = 1
; Note that getAttibutes() will be activated but on a different URI
; (http://auth.example.com/index.pl/sessions)
; (http://auth.example.com/sessions)
; You can also restrict attributes and macros exported by getAttributes
;exportedAttr = uid mail
@ -208,8 +280,8 @@ portalDisplayResetPassword = 0
; Use it to be able to notify messages during authentication
;notification = 1
; Note that the SOAP function newNotification will be activated on
; http://auth.example.com/index.pl/notification
; If you want to hide this, just protect "/index.pl/notification" in
; http://auth.example.com/notification
; If you want to hide this, just protect "/index.fcgi/notification" in
; your Apache configuration file
; XSS protection bypass
; By default, the portal refuse redirections that comes from sites not
@ -225,6 +297,21 @@ portalDisplayResetPassword = 0
; Set to 0 to disable error on XSS attack detection
;checkXSS = 0
; pdata cookie domain
; pdata cookie could not be sent with cross domains AJAX request
; Null is default value
;pdataDomain = example.com
; CUSTOM PLUGINS
; If you want to add custom plugins, set list here (comma separated)
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
;customPlugins = ::My::Package1, ::My::Package2
; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
;forceGlobalStorageUpgradeOTT = 1
;forceGlobalStorageIssuerOTT = 1
[handler]
; Handler cache configuration
@ -240,7 +327,7 @@ portalDisplayResetPassword = 0
; Set https to 1 if your handler protect a https website (used only for
; redirections to the portal)
;https = 0
https = 1
; Set port if your your hanlder protect a website on a non standard port
; - 80 for http, 443 for https (used only for redirections to the portal)
;port = 8080
@ -252,6 +339,10 @@ status = 0
;useRedirectOnForbidden = 1
; Hide LemonLDAP::NG Handler in Apache Server Signature
;hideSignature = 1
; Set ServiceToken timeout
;handlerServiceTokenTTL = 30
; Set Impersonation/ContextSwitching prefix
; impersonationPrefix = real_
useRedirectOnError = 1
; Zimbra Handler parameters
@ -275,9 +366,6 @@ useRedirectOnError = 1
; * none : no protection
protection = manager
; logLevel. Set here one of error, warn, notice, info or debug
logLevel = warn
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static
;
@ -285,10 +373,29 @@ staticPrefix = /static
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
; languages: available languages for manager interface
languages = fr, en
languages = fr, en, it, vi, ar, tr
; Manager modules enabled
; Set here the list of modules you want to see in manager interface
; The first will be used as default module displayed
enabledModules = conf, sessions, notifications
;enabledModules = conf, sessions, notifications, 2ndFA, viewer
enabledModules = conf, sessions, notifications, 2ndFA
; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
; 'conf' is set by default
;defaultModule = viewer
; Viewer module allows us to edit configuration in read-only mode
; Options can be set with specific rules like this :
;viewerAllowBrowser = $uid eq 'dwho'
;viewerAllowDiff = $uid ne 'dwho'
;
; Viewer options - Default values
;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
;viewerAllowBrowser = 0
;viewerAllowDiff = 0
;[node-handler]
;
;This section is for node-lemonldap-ng-handler
;nodeVhosts = test3.example.com, test4.example.com

706
tmpl/lmConf-1.json
View File

@ -1,387 +1,198 @@
%set %%boolean = {'oui': 1, 'non': 0}
%set %%ssoFilters = %%getSSOFilters
%set %%exported_vars = ['"UA": "HTTP_USER_AGENT"']
%set %%cas_attributes = []
%for %%attr in %%casAttribute
%silent %%exported_vars.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"')
%silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr + '.casLDAPAttribute"')
%end for
%for %%key, %%value in %%ssoFilters
%silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"')
%silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"')
%end for
%silent %%exported_vars.sort()
%silent %%cas_attributes.sort()
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {
"vhostHttps" : "1"
},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdExpireWarning": 0,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT",
%for att in %%casAttribute
"%%att": "%%att",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%value"
%else
"%%key": "%%value",
%end if
%set %%idx += 1
%end for
},
"notificationStorage": "File",
"CAS_authnLevel": 1,
"CAS_pgtFile": "/tmp/pgt.txt",
"CAS_proxiedServices": {},
"SMTPServer": "",
"SSLAuthnLevel": 5,
"Soap": 1,
"activeTimer": 1,
"apacheAuthnLevel": 4,
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"1administration": {
"catname": "Administration",
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"display": "auto",
"logo": "configure.png",
"name": "WebSSO Manager"
"name": "WebSSO Manager",
"uri": "https://%%managerWebName/"
},
"type": "application"
},
"notifications": {
"options": {
"description": "Explore WebSSO notifications",
"display": "auto",
"logo": "database.png",
"name": "Notifications explorer",
"uri": "https://%%managerWebName/notifications.pl"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://%%managerWebName/doc/",
"name": "Local documentation"
"logo": "database.png",
"name": "Sessions explorer",
"uri": "https://%%managerWebName/sessions.pl"
},
"type": "application"
}
},
"type": "category"
},
"2documentation": {
"catname": "Documentation",
"localdoc": {
"options": {
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"logo": "help.png",
"name": "Local documentation",
"uri": "http://%%managerWebName/doc/"
},
"type": "application"
},
"officialwebsite": {
"options": {
"description": "Official LemonLDAP::NG Website",
"display": "on",
"logo": "network.png",
"name": "Offical Website",
"uri": "http://lemonldap-ng.org/"
},
"type": "application"
},
"type": "category"
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%key"
%else
"%%key": "%%key",
%end if
%set %%idx += 1
%end for
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": {
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
%if %%llResetPassword == "oui"
"portalDisplayResetPassword": 1,
%else
"portalDisplayResetPassword": 0,
%end if
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
%if %%RegisterDB == "Custom"
"registerDB": "Null",
%else
"registerDB": "%%RegisterDB",
%end if
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"authentication": "LDAP",
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
"captcha_login_enabled": 0,
"captcha_mail_enabled": 0,
"captcha_register_enabled": 1,
"captcha_size": 6,
"casAccessControlPolicy": "none",
"casAttributes": {
%%custom_join(%%cas_attributes, ',\n ')
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"casStorageOptions": {},
"cda": 0,
"cfgAuthor": "EOLE",
"cfgAuthorIP": "127.0.0.1",
"cfgDate": 1600257889,
"cfgLog": "",
"cfgNum": "1",
"checkXSS": 1,
"confirmFormMethod": "post",
"cookieName": "lemonldap",
"dbiAuthnLevel": 2,
"dbiExportedVars": {},
"demoExportedVars": {
"cn": "cn",
"mail": "mail",
"uid": "uid"
},
"domain": "%%nom_domaine_local",
"exportedHeaders": {
"%%managerWebName": {}
},
"exportedVars": {
%%custom_join(%%exported_vars, ',\n ')
},
"facebookAuthnLevel": 1,
"facebookExportedVars": {},
"failedLoginNumber": 5,
"globalStorage": "Apache::Session::File",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"googleAuthnLevel": 1,
"googleExportedVars": {},
"grantSessionRules": {},
"groups": {},
"hiddenAttributes": "_password",
"hideOldPassword": 0,
"httpOnly": 1,
"https": 0,
"infoFormMethod": "get",
"issuerDBCASActivation": 1,
"issuerDBCASPath": "^/%%casFolder/",
"issuerDBCASRule": 1,
"issuerDBGetParameters": {},
"issuerDBOpenIDActivation": "1",
"issuerDBOpenIDPath": "^/openidserver/",
"issuerDBOpenIDRule": 1,
"issuerDBSAMLActivation": 0,
"issuerDBSAMLPath": "^/saml/",
"issuerDBSAMLRule": 1,
"jsRedirect": 0,
"key": "e\"bTCt3*eU9^\\V%b",
"ldapAllowResetExpiredPassword": 0,
"ldapAuthnLevel": 2,
"ldapBase": "%%ldapUserBaseDN",
"ldapChangePasswordAsUser": 0,
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"mail": "mail",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
%if %%llCheckLogins == "oui"
"portalCheckLogins": 1,
%else
"portalCheckLogins": 0,
%end if
"CAS_authnLevel": 1,
"ldapGroupAttributeName": "memberUid",
"ldapGroupAttributeNameGroup": "dn",
"ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "uid",
"ldapGroupObjectClass": "eolegroupe",
"ldapGroupRecursive": 0,
"ldapPasswordResetAttribute": "pwdReset",
"ldapPasswordResetAttributeValue": "TRUE",
"ldapPort": "%%ldapServerPort",
"ldapPpolicyControl": 0,
"ldapPwdEnc": "utf-8",
"ldapServer": "%%ldapScheme://%%ldapServer",
"ldapSetPassword": 0,
"ldapTimeout": 120,
"ldapUsePasswordResetAttribute": 1,
"ldapVersion": 3,
"localSessionStorage": "Cache::FileCache",
"localSessionStorageOptions": {
"cache_depth": 3,
"cache_root": "/tmp",
"default_expires_in": 600,
"directory_umask": "007",
"namespace": "lemonldap-ng-sessions"
},
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\""
}
},
"loginHistoryEnabled": 1,
"logoutServices": {},
"lwpSslOpts": {},
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
@ -392,52 +203,183 @@
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailCharset": "utf-8",
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"mailFrom": "noreply@%%nom_domaine_local",
"mailOnPasswordChange": 0,
"mailSessionKey": "mail",
"mailSubject": "[LemonLDAP::NG] Your new password",
"mailTimeout": 0,
%if %%llResetPassword == "oui"
%if %%is_empty(%%llResetUrl)
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl",
%else
%else
"mailUrl": "%%llResetUrl",
%end if
%end if
%end if
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"managerDn": "%%ldapBindUserDN",
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"multiValuesSeparator": ";",
"nginxCustomHandlers": {},
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"notificationStorage": "File",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"notificationWildcard": "allusers",
"notifyDeleted": 1,
"notifyOther": 0,
"nullAuthnLevel": 2,
"oidcOPMetaDataExportedVars": {},
"oidcOPMetaDataJSON": null,
"oidcOPMetaDataJWKS": null,
"oidcOPMetaDataOptions": null,
"oidcRPMetaDataExportedVars": {},
"oidcRPMetaDataOptions": {},
"oidcRPMetaDataOptionsExtraClaims": null,
"oidcServiceMetaDataAuthnContext": {},
"oidcStorageOptions": {},
"openIdAuthnLevel": 1,
"openIdExportedVars": {},
"openIdSPList": "0;",
"openIdSreg_email": "mail",
"openIdSreg_fullname": "cn",
"openIdSreg_nickname": "uid",
"openIdSreg_timezone": "_timezone",
"passwordDB": "LDAP",
"persistentStorage": "Apache::Session::File",
"persistentStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/psessions",
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock"
},
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalAntiFrame": 1,
"portalCheckLogins": %%boolean[%%llCheckLogins],
"portalDisplayAppslist": 1,
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"portalDisplayLoginHistory": 1,
"portalDisplayLogout": 1,
"portalDisplayRegister": 1,
"portalDisplayResetPassword": %%boolean[%%llResetPassword],
"portalForceAuthn": 0,
"portalForceAuthnInterval": 0,
"portalOpenLinkInNewWindow": 0,
"portalPingInterval": 60000,
"portalRequireOldPassword": 1,
"portalSkin": "bootstrap",
"portalSkinRules": {},
"portalUserAttr": "_user",
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
%if %%RegisterDB == "Custom"
"radiusAuthnLevel": 3,
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"redirectFormMethod": "get",
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
%set %%register_db = %%getVar('llRegisterDB', 'Demo')
%if %%register_db == 'Custom'
"registerDB": "Null",
"registerUrl": "%%llRegisterURL",
%else
"registerDB": "%%register_db",
"registerUrl": "https://%%authWebName/register.pl",
%end if
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"registerTimeout": 0,
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"remoteGlobalStorageOptions": {
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService",
"proxy": "https://%%authWebName/index.pl/sessions"
},
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"samlAuthnContextMapKerberos": 4,
"samlAuthnContextMapPassword": 2,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"samlAuthnContextMapTLSClient": 5,
"samlCommonDomainCookieActivation": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"samlIDPMetaDataExportedAttributes": null,
"samlIDPMetaDataOptions": null,
"samlIDPMetaDataXML": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"samlIdPResolveCookie": "lemonldapidp",
"samlMetadataForceUTF8": 1,
"samlNameIDFormatMapEmail": "mail",
"samlNameIDFormatMapKerberos": "uid",
"samlNameIDFormatMapWindows": "uid",
"samlNameIDFormatMapX509": "mail",
"samlOrganizationDisplayName": "Example",
"samlOrganizationName": "%%samlOrganizationName",
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"samlRelayStateTimeout": 600,
"samlSPMetaDataExportedAttributes": null,
"samlSPMetaDataOptions": null,
"samlSPMetaDataXML": null,
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlServicePrivateKeyEnc": "",
"samlServicePrivateKeyEncPwd": "",
"samlServicePrivateKeySig": "",
"samlServicePrivateKeySigPwd": "",
"samlServicePublicKeyEnc": "",
"samlServicePublicKeySig": "",
"samlStorageOptions": {},
"samlUseQueryStringSpecific": 0,
"secureTokenAllowOnError": 1,
"secureTokenAttribute": "uid",
"secureTokenExpiration": 60,
"secureTokenHeader": "Auth-Token",
"secureTokenMemcachedServers": "127.0.0.1:11211",
"secureTokenUrls": ".*",
"securedCookie": 0,
"sessionDataToRemember": {},
"singleIP": 0,
"singleSession": 0,
"singleSessionUserByIP": 0,
"slaveAuthnLevel": 2,
"slaveExportedVars": {},
"storePassword": 0,
"successLoginNumber": 5,
"syslog": "",
"timeout": 72000,
"timeoutActivity": 0,
"trustedProxies": "",
"twitterAuthnLevel": 1,
"useRedirectOnError": 1,
"useRedirectOnForbidden": 0,
"useSafeJail": 1,
"userControl": "^[\\w\\.\\-@]+$",
"userDB": "LDAP",
"vhostOptions": {
"%%managerWebName": {
"vhostHttps": "1"
}
},
"webIDAuthnLevel": 1,
"webIDExportedVars": {},
"whatToTrace": "_whatToTrace",
"yubikeyAuthnLevel": 3,
"yubikeyPublicIDSize": 12
}

130
tmpl/manager-apache2.X.conf Normal file
View File

@ -0,0 +1,130 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Manager
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Manager virtual host (manager.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%managerWebName
SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt
SSLCertificateKeyFile /etc/ssl/private/eole.key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel info
ErrorLog /var/log/apache2/manager_error.log
CustomLog /var/log/apache2/manager_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/manager.log llng
#ErrorLog /var/log/apache2/lm_err.log
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# FASTCGI CONFIGURATION
# ---------------------
# 1) URI management
RewriteEngine on
# For performances, you can delete the previous RewriteRule line after
# puttings html files: simply put the HTML results of differents modules
# (configuration, sessions, notifications) as manager.html, sessions.html,
# notifications.html and uncomment the 2 following lines:
# DirectoryIndex manager.html
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
# 2) FastCGI engine
# You can choose any FastCGI system. Here is an example using mod_fcgid
# mod_fcgid configuration
FcgidMaxRequestLen 2000000
<Files *.fcgi>
SetHandler fcgid-script
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# If you want to use mod_fastcgi, replace lines below by:
#FastCgiServer /usr/share/lemonldap-ng/manager/htdocs//manager.fcgi
# GLOBAL CONFIGURATION
# --------------------
DocumentRoot /usr/share/lemonldap-ng/manager/htdocs/
<Location />
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Static files (javascripts, HTML forms,...)
Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static//
<Directory /usr/share/lemonldap-ng/manager/htdocs/static/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
</Directory>
# On-line documentation
Alias /doc/ /usr/share/doc/lemonldap-ng/
Alias /lib/ /usr/share/doc/lemonldap-ng/pages/documentation/current/lib/
<Directory /usr/share/doc/lemonldap-ng/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
ErrorDocument 404 /notfound.html
Options +FollowSymLinks
DirectoryIndex index.html start.html
</Directory>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

35
tmpl/pam_cas_auth.conf
View File

@ -1,35 +0,0 @@
# sample pam_cas config
# host from CAS server. mandatory
host %%authWebName
# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 443
# uri to validate ticket. Default to /proxyValidate
uriValidate /proxyValidate
# https or no. values on or off. Default to on.
ssl on
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug off
# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
#proxy https://%%authWebName/proxycas/casimap.php
#proxy https://imp.its.yale.edu/cas/casProxy.php
#proxy https://uportal1.its.yale.edu/CasProxyServlet
#proxy https://uportal2.its.yale.edu/CasProxyServlet
# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
# certificate from high level CA
%if not %%is_empty(%%getVar('ssoCALocation', ''))
trusted_ca %%ssoCALocation
%else
trusted_ca /etc/ssl/certs/ca.crt
%end if

147
tmpl/portal-apache2.X.conf Normal file
View File

@ -0,0 +1,147 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Portal Virtual Host (auth.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%authWebName
SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt
SSLCertificateKeyFile /etc/ssl/private/eole.key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel info
ErrorLog /var/log/apache2/portal_error.log
CustomLog /var/log/apache2/portal_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/portal.log llng
# DocumentRoot (FCGI scripts)
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +ExecCGI +FollowSymLinks
</Directory>
RewriteEngine On
# For performances, you can put static html files: simply put the HTML
# result (example: /oauth2/checksession.html) as static file. Then
# uncomment the following line.
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
# Authorization header needs to be passed when using Kerberos or OIDC
<IfVersion >= 2.4.13>
CGIPassAuth On
</IfVersion>
<IfVersion < 2.4.13>
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</IfVersion>
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# Uncomment this if status is enabled
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files
Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
Require all granted
Options +FollowSymLinks
</Directory>
<Location /static/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
<IfModule mod_dir.c>
DirectoryIndex index.fcgi index.html
</IfModule>
# REST/SOAP functions for sessions management (disabled by default)
<Location /index.fcgi/adminSessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for configuration access (disabled by default)
<Location /index.fcgi/config>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for notification insertion (disabled by default)
<Location /index.fcgi/notification>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# Enable compression
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

117
tmpl/test-nginx.conf
View File

@ -1,117 +0,0 @@
server {
listen 80;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
root /var/lib/lemonldap-ng/test/;
# Internal authentication request
location = /lmauth {
internal;
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
# Improve performances
#fastcgi_buffer_size 32k;
#fastcgi_buffers 32 32k;
}
# Client requests
location / {
# Local application
index index.pl;
try_files $uri $uri/ =404;
# Reverse proxy
#proxy_pass http://remote.server/;
#include /etc/nginx/proxy_params;
##################################
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
# If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value;
# Remove this for AuthBasic handler
error_page 401 $lmlocation;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
# ELSE
# Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR in the corresponding block
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA is not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "max-age=15768000";
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
}
# Handle test CGI
location ~ ^(?<sc>/.*\.pl)(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.pl)(/.+)$;
fastcgi_param REMOTE_USER $lmremote_user;
# Or with uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE cgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
}
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
### Or with uWSGI
## include /etc/nginx/uwsgi_params;
## uwsgi_pass 127.0.0.1:5000;
## uwsgi_param LLTYPE status;
#}
}