Compare commits

...

2 Commits

Author SHA1 Message Date
Philippe Caseiro fe8722e776 Activer la possibilité de changer son mot de passe depuis LemonLDAP
ref #31347
2020-12-07 16:06:55 +01:00
Philippe Caseiro 200c9c41e9 Using Active Directory (samba4) instead of OpenLDAP
Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
2020-12-03 16:52:33 +01:00
7 changed files with 103 additions and 36 deletions

View File

@ -27,6 +27,14 @@
</files> </files>
<variables> <variables>
<family name='eole-sso'>
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>/cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
<family name='Services'> <family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG"> <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value> <value>non</value>
@ -39,6 +47,10 @@
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/> <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/> <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
<value>LDAP</value>
</variable>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/> <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/> <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@ -80,7 +92,13 @@
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection"> <variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
<value>non</value> <value>non</value>
</variable> </variable>
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe"> <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe par mail">
<value>oui</value>
</variable>
<variable name='llChangePassword' type='oui/non' description="Permettre aux utilisateurs de changer leurs mots de passe depuis LemonLDAP">
<value>oui</value>
</variable>
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
<value>oui</value> <value>oui</value>
</variable> </variable>
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" /> <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
@ -124,12 +142,16 @@
<param>['ldaps','ldap']</param> <param>['ldaps','ldap']</param>
</check> </check>
<check name="valid_enum" target="lemon_user_db">
<param>['LDAP','AD']</param>
</check>
<check name='valid_enum' target="lm_loglevel"> <check name='valid_enum' target="lm_loglevel">
<param>['info','notice','warn','error','debug']</param> <param>['info','notice','warn','error','debug']</param>
</check> </check>
<check name="valid_enum" target="llRegisterDB"> <check name="valid_enum" target="llRegisterDB">
<param>['LDAP','Demo','Custom']</param> <param>['LDAP','AD','Demo','Custom']</param>
</check> </check>
<group master="casAttribute"> <group master="casAttribute">
<slave>casLDAPAttribute</slave> <slave>casLDAPAttribute</slave>
@ -168,6 +190,7 @@
<condition name='disabled_if_in' source='llResetPassword'> <condition name='disabled_if_in' source='llResetPassword'>
<param>non</param> <param>non</param>
<target type='variable'>llResetUrl</target> <target type='variable'>llResetUrl</target>
<target type='variable'>llResetExpiredPassword</target>
</condition> </condition>
<check name='valid_enum' target='llSkin'> <check name='valid_enum' target='llSkin'>
<param>['bootstrap','dark','impact','pastel']</param> <param>['bootstrap','dark','impact','pastel']</param>

View File

@ -5,20 +5,13 @@
<variables> <variables>
<family name='eole sso'> <family name='eole sso'>
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' /> <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
<variable name='eolesso_cas_folder' redefine="True" exists='True'> </family>
<value>cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
</variables> </variables>
<constraints> <constraints>
<fill name='calc_multi_condition' target='activer_sso'> <fill name='calc_multi_condition' target='activer_sso'>
<param>oui</param> <param>oui</param>
<param type='eole' name='condition_1'>activerLemon</param> <param type='eole' name='condition_1'>activerLemon</param>
@ -31,11 +24,8 @@
<target type='variable'>activer_sso</target> <target type='variable'>activer_sso</target>
</condition> </condition>
<auto name='calc_multi_condition' target='ldapScheme'> <auto name='calc_val' target='ldapScheme'>
<param>oui</param> <param>ldaps</param>
<param type='eole' name='condition_1'>ldap_tls</param>
<param name='match'>ldaps</param>
<param name='default_mismatch'>ldap</param>
</auto> </auto>
<fill name='calc_val_first_value' target='eolesso_adresse'> <fill name='calc_val_first_value' target='eolesso_adresse'>
@ -44,25 +34,37 @@
<param type='eole'>nom_domaine_machine</param> <param type='eole'>nom_domaine_machine</param>
</fill> </fill>
<auto name='calc_val' target='ldap_port'>
<param>636</param>
</auto>
<condition name='frozen_if_in' source='activerLemon'> <condition name='frozen_if_in' source='activerLemon'>
<param>oui</param> <param>oui</param>
<target type='variable'>eolesso_adresse</target> <target type='variable'>eolesso_adresse</target>
</condition> </condition>
<auto name='calc_val' target='ldapServer'> <auto name='calc_val' target='ldapServer'>
<param type='eole'>adresse_ip_ldap</param> <param type='eole'>ad_address</param>
</auto> </auto>
<auto name='calc_val' target='ldapServerPort'> <auto name='calc_val' target='ldapServerPort'>
<param type='eole'>ldap_port</param> <param type='number'>636</param>
</auto>
<auto name='calc_val' target='lemon_user_db'>
<param>AD</param>
</auto>
<auto name='calc_val' target='llRegisterDB'>
<param>AD</param>
</auto> </auto>
<auto name='calc_val' target='ldapBindUserDN'> <auto name='calc_val' target='ldapBindUserDN'>
<param type='eole'>ldap_reader</param> <param type='eole'>sasl_ldap_reader</param>
</auto> </auto>
<auto name='calc_val' target='ldapBindUserPassword'> <auto name='calc_val' target='ldapBindUserPassword'>
<param type='eole'>ldap_reader_passfile</param> <param>/etc/eole/private/sasl-reader.password</param>
</auto> </auto>
<auto name='calc_val' target='casFolder'> <auto name='calc_val' target='casFolder'>

View File

@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
<VirtualHost %%adresse_ip_eth0:443> <VirtualHost %%adresse_ip_eth0:443>
ServerName %%reloadWebName ServerName %%reloadWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/handler_error.log
CustomLog /var/log/apache2/handler_access.log common
# Configuration reload mechanism (only 1 per physical server is # Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when # needed): choose your URL to avoid restarting Apache when
# configuration change # configuration change

View File

@ -197,11 +197,11 @@ portalSkin = %%llSkin
; Modules displayed ; Modules displayed
;portalDisplayLogout = 1 ;portalDisplayLogout = 1
portalDisplayResetPassword = %%boolean[%%llResetPassword] portalDisplayResetPassword = %%boolean[%%llResetPassword]
;portalDisplayChangePassword = 1 portalDisplayChangePassword = %%boolean[%%llChangePassword]
;portalDisplayAppslist = 1 ;portalDisplayAppslist = 1
;portalDisplayLoginHistory = 1 ;portalDisplayLoginHistory = 1
; Require the old password when changing password ; Require the old password when changing password
;portalRequireOldPassword = 1 portalRequireOldPassword = %%boolean[%%llChangePassword]
; Attribute displayed as connected user ; Attribute displayed as connected user
;portalUserAttr = mail ;portalUserAttr = mail
; Old menu HTML code ; Old menu HTML code

View File

@ -85,7 +85,7 @@
}, },
"authChoiceModules": {}, "authChoiceModules": {},
"authChoiceParam": "lmAuth", "authChoiceParam": "lmAuth",
"authentication": "LDAP", "authentication": "%%lemon_user_db",
"browserIdAuthnLevel": 1, "browserIdAuthnLevel": 1,
"captchaStorage": "Apache::Session::File", "captchaStorage": "Apache::Session::File",
"captchaStorageOptions": { "captchaStorageOptions": {
@ -152,10 +152,37 @@
"issuerDBSAMLRule": 1, "issuerDBSAMLRule": 1,
"jsRedirect": 0, "jsRedirect": 0,
"key": "e\"bTCt3*eU9^\\V%b", "key": "e\"bTCt3*eU9^\\V%b",
%if %%llResetPassword == "oui"
%if %%llResetExpiredPassword == "oui"
%if %%lemon_user_db == "AD"
"ldapPpolicyControl": 0,
%else
"ldapPpolicyControl": 1,
%end if
"ldapAllowResetExpiredPassword": 1,
"ldapChangePasswordAsUser": 1,
%else
"ldapPpolicyControl": 0,
"ldapAllowResetExpiredPassword": 0, "ldapAllowResetExpiredPassword": 0,
"ldapChangePasswordAsUser": 1,
%end if
%end if
"ldapAuthnLevel": 2, "ldapAuthnLevel": 2,
"ldapSearchDeref": "find",
%if %%eole_module == "scribe"
"ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
"ldapExportedVars": {
"cn": "cn",
"mail": "mail",
"uid": "cn"
},
"ldapGroupAttributeName": "memberUid",
"ldapGroupAttributeNameGroup": "dn",
"ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "cn",
"ldapGroupObjectClass": "group",
%else
"ldapBase": "%%ldapUserBaseDN", "ldapBase": "%%ldapUserBaseDN",
"ldapChangePasswordAsUser": 0,
"ldapExportedVars": { "ldapExportedVars": {
"cn": "cn", "cn": "cn",
"mail": "mail", "mail": "mail",
@ -166,11 +193,11 @@
"ldapGroupAttributeNameSearch": "cn", "ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "uid", "ldapGroupAttributeNameUser": "uid",
"ldapGroupObjectClass": "eolegroupe", "ldapGroupObjectClass": "eolegroupe",
%end if
"ldapGroupRecursive": 0, "ldapGroupRecursive": 0,
"ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttribute": "pwdReset",
"ldapPasswordResetAttributeValue": "TRUE", "ldapPasswordResetAttributeValue": "TRUE",
"ldapPort": "%%ldapServerPort", "ldapPort": "%%ldapServerPort",
"ldapPpolicyControl": 0,
"ldapPwdEnc": "utf-8", "ldapPwdEnc": "utf-8",
"ldapServer": "%%ldapScheme://%%ldapServer", "ldapServer": "%%ldapScheme://%%ldapServer",
%if %%ldapScheme == "ldaps" %if %%ldapScheme == "ldaps"
@ -212,13 +239,17 @@
"mailTimeout": 0, "mailTimeout": 0,
%if %%llResetPassword == "oui" %if %%llResetPassword == "oui"
%if %%is_empty(%%llResetUrl) %if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl", "mailUrl": "https://%%authWebName/resetpwd",
%else %else
"mailUrl": "%%llResetUrl", "mailUrl": "%%llResetUrl",
%end if %end if
%end if %end if
"maintenance": 0, "maintenance": 0,
%if %%eole_module == "scribe"
"managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
%else
"managerDn": "%%ldapBindUserDN", "managerDn": "%%ldapBindUserDN",
%end if
%if %%is_file(%%ldapBindUserPassword) %if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)", "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else %else
@ -251,7 +282,7 @@
"openIdSreg_fullname": "cn", "openIdSreg_fullname": "cn",
"openIdSreg_nickname": "uid", "openIdSreg_nickname": "uid",
"openIdSreg_timezone": "_timezone", "openIdSreg_timezone": "_timezone",
"passwordDB": "LDAP", "passwordDB": "%%lemon_user_db",
"persistentStorage": "Apache::Session::File", "persistentStorage": "Apache::Session::File",
"persistentStorageOptions": { "persistentStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/psessions", "Directory": "/var/lib/lemonldap-ng/psessions",
@ -261,7 +292,7 @@
"portalAntiFrame": 1, "portalAntiFrame": 1,
"portalCheckLogins": %%boolean[%%llCheckLogins], "portalCheckLogins": %%boolean[%%llCheckLogins],
"portalDisplayAppslist": 1, "portalDisplayAppslist": 1,
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/", "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
"portalDisplayLoginHistory": 1, "portalDisplayLoginHistory": 1,
"portalDisplayLogout": 1, "portalDisplayLogout": 1,
"portalDisplayRegister": 1, "portalDisplayRegister": 1,
@ -371,7 +402,7 @@
"useRedirectOnForbidden": 0, "useRedirectOnForbidden": 0,
"useSafeJail": 1, "useSafeJail": 1,
"userControl": "^[\\w\\.\\-@]+$", "userControl": "^[\\w\\.\\-@]+$",
"userDB": "LDAP", "userDB": "%%lemon_user_db",
"vhostOptions": { "vhostOptions": {
"%%managerWebName": { "%%managerWebName": {
"vhostHttps": "1" "vhostHttps": "1"

View File

@ -13,13 +13,13 @@
<VirtualHost %%adresse_ip_eth0:443> <VirtualHost %%adresse_ip_eth0:443>
ServerName %%managerWebName ServerName %%managerWebName
SSLEngine on SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt SSLCertificateFile %%server_cert
SSLCertificateKeyFile /etc/ssl/private/eole.key SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2 SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on SSLProxyEngine on
LogLevel info LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/manager_error.log ErrorLog /var/log/apache2/manager_error.log
CustomLog /var/log/apache2/manager_access.log common CustomLog /var/log/apache2/manager_access.log common

View File

@ -13,13 +13,13 @@
<VirtualHost %%adresse_ip_eth0:443> <VirtualHost %%adresse_ip_eth0:443>
ServerName %%authWebName ServerName %%authWebName
SSLEngine on SSLEngine on
SSLCertificateFile /etc/ssl/certs/eole.crt SSLCertificateFile %%server_cert
SSLCertificateKeyFile /etc/ssl/private/eole.key SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2 SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on SSLProxyEngine on
LogLevel info LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/portal_error.log ErrorLog /var/log/apache2/portal_error.log
CustomLog /var/log/apache2/portal_access.log common CustomLog /var/log/apache2/portal_access.log common