Compare commits

..

60 Commits

Author SHA1 Message Date
3edf7dd774 Fix ldapVerify values 2021-03-03 16:24:20 +01:00
293d940fdc Adding ldapExportedVars 2021-02-03 17:18:18 +01:00
918ceab882 Export LDAP Attributes
this attributes and the variables names have to be named with the
same name
2021-02-03 15:48:55 +01:00
adea10270d Fix LDAP/CAS/Exported attributes bug 2021-02-03 15:44:14 +01:00
6c5beb7e9f Fix conflict for Makefile 2021-02-03 15:19:11 +01:00
583e77d7c7 Fix Register button display 2021-01-29 10:10:15 +01:00
eddc9696c3 Mise à jour de 'README.md' 2021-01-06 11:23:29 +01:00
4e8caeda89 Merge branch '2.8.0/master' 2021-01-05 11:31:43 +01:00
f3b120eb62 patch lemonldap pour corriger le problème des attributs avec la valeur 0 (ref #31384) 2021-01-05 11:27:02 +01:00
cc9a5e20ce Merge remote-tracking branch 'eole/master' into develop 2020-12-18 16:53:36 +01:00
5512f64aab Merge branch '2.8.0/master' 2020-12-16 10:31:04 +01:00
569e0caab8 set correct openldap conf 2020-12-16 10:30:33 +01:00
bb18f68a54 Merge branch '2.8.0/master' 2020-12-14 14:04:43 +01:00
20e382934c set default openldap 2020-12-14 14:04:09 +01:00
cf5d9485ca Merge branch '2.8.0/master' 2020-12-14 10:25:37 +01:00
cf82616454 correction on condition 2020-12-14 10:24:17 +01:00
e423388795 Merge branch '2.8.0/master' 2020-12-11 09:26:06 +01:00
e810740ba9 Adding AD password warning support 2020-12-11 09:25:41 +01:00
140cc084a3 Merge branch '2.8.0/master' 2020-12-09 17:17:56 +01:00
3753625b20 Updating nginx configuration for 2.8 2020-12-09 17:17:30 +01:00
df5dabbcf4 Merge branch '2.8.0/master' 2020-12-09 16:48:35 +01:00
47e822f9b9 Updating lmlog file for nginx mode 2020-12-09 16:48:14 +01:00
87818bd6f0 Activer la possibilité de changer son mot de passe depuis LemonLDAP
ref #31347
2020-12-07 16:07:34 +01:00
fe8722e776 Activer la possibilité de changer son mot de passe depuis LemonLDAP
ref #31347
2020-12-07 16:06:55 +01:00
200c9c41e9 Using Active Directory (samba4) instead of OpenLDAP
Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
2020-12-03 16:52:33 +01:00
bf94e74916 Using Active Directory (samba4) instead of OpenLDAP
Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
2020-12-03 16:50:55 +01:00
0f3ff07b5f Merge last evolutions from master branch 2020-12-02 10:20:42 +01:00
63bf3c9f98 UserBaseDN and BaseDN is not the same thing
We need to use the user base dn
2020-11-26 17:13:37 +01:00
03a00fb7ce Cleanup ldap_tls redefine 2020-11-26 16:58:32 +01:00
52e5c433eb Enable option for SSL verify 2020-11-26 16:53:02 +01:00
d1ad6aeb25 Fix lm_loglevel 2020-11-26 14:09:15 +01:00
815fca0e82 Merge branch 'master' of https://dev-eole.ac-dijon.fr/git/eole-lemonldap-ng 2020-11-26 13:49:34 +01:00
8ec486eafc Adding syslog configuration 2020-11-26 13:48:14 +01:00
4af11f3d28 Cleanup dico and support for loglevel 2020-11-26 13:47:47 +01:00
8af3ee655f Cleanup dico 2020-11-26 13:43:33 +01:00
5d4e572967 Fixing log format 2020-11-26 13:21:49 +01:00
74fb92fb55 Make eole-lemonldap-ng compatible with eolebase 2020-11-24 15:51:43 +01:00
15da7394f3 Make eole-lemonldap-ng compatible with eolebase 2020-11-24 15:47:38 +01:00
536da57382 parent d08c965ee8
author vfebvre <vfebvre@cadoles.com> 1599144265 +0200
committer Philippe Caseiro <pcaseiro@cadoles.com> 1606220045 +0100

Corrections diverses
2020-11-24 15:47:38 +01:00
Joël Cuissinat
d08c965ee8 Merge branch '2.8.0/master' 2020-11-16 15:46:53 +01:00
Joël Cuissinat
b9ef7ec41d dicos/70_lemonldap_ng.xml : cosmetic fixes
* add "lemon" icon
* add help on family

Ref: #30576
2020-11-16 15:40:44 +01:00
Daniel Dehennin
f2e6a3afe0 Merge branch '2.8.0/master' into master 2020-10-16 09:52:25 +02:00
Daniel Dehennin
251a9a3907 Disable the apache servicelist when LemonLDAP::NG is disabled
Ref: #30852
2020-10-16 09:47:14 +02:00
Daniel Dehennin
2700a5d440 Prepare version 2.8.1
* Makefile: Mise à jour de la version.
  Mise à jour de la release.

* .gitignore: règles minimale pour les fichiers de sauvegarde des
éditeurs.
2020-10-15 09:34:31 +02:00
Daniel Dehennin
9b66227236 eolesso_adresse should be forced only when LemonLDAP::NG is enabled
The “calc_val” was failing when LemonLDAP::NG was disabled because
“authWebName” can't be used.

We shouldn't force “eolesso_adresse” when LemonLDAP::NG is disabled,
the user must be able to set whatever value she wants.

* dicos/71_lemonldap_ng_scribe.xml: fill the “eolesso_adresse” and
  freeze it when LemonLDAP::NG is enabled.

Ref: #30852
2020-10-15 09:07:40 +02:00
Daniel Dehennin
90411f89f7 Override previous fill on eolesso_adresse
Ref: #30852
2020-10-14 15:54:41 +02:00
Daniel Dehennin
d99ac8c9ad Force local SSO on Scribe
Ref: #30852
2020-10-14 15:46:39 +02:00
Daniel Dehennin
f43fca1a98 Don't modify /etc/hosts on ScribeAD
Ref: #30852
2020-10-14 13:52:41 +02:00
Daniel Dehennin
03a80f03fb Update README
Ref: #30852
2020-10-14 13:31:42 +02:00
Daniel Dehennin
a6eeb05ca9 Smooth the configuration of LemonLDAP::NG on Scribe
Ref: #30852
2020-10-14 13:19:05 +02:00
Daniel Dehennin
dec2cb8e79 Harmonize script names
Ref: #30852
2020-10-14 13:18:54 +02:00
Daniel Dehennin
1ea5813c8f Update configuration for version 2.0.7 of LemonLDAP::NG
Ref: #30852
2020-10-14 13:18:35 +02:00
Daniel Dehennin
589239352e Make LemonLDAP::NG useable with Apache2
Ref: #30852
2020-10-14 13:18:15 +02:00
Daniel Dehennin
c9c6171367 Prettify the XML
And remove useless test sites.

Ref: #30852
2020-10-14 13:18:04 +02:00
Daniel Dehennin
04c73c223b Don't crash if LemonLDAP::NG is disabled
Ref: #30852
2020-10-14 13:17:07 +02:00
Daniel Dehennin
6be262c6fb LemonLDAP::NG should be installable side by side with EOLESSO
Ref: #30852
2020-10-14 13:16:45 +02:00
Daniel Dehennin
04215109ac Python3 ConfigParser is in configparser module
Ref: #30852
2020-10-14 13:16:37 +02:00
Daniel Dehennin
0dd5154b78 Realign dico
Ref: #30852
2020-10-14 13:16:21 +02:00
Daniel Dehennin
1ad8da6343 Prepare version 2.8.0
* Makefile: Mise à jour de la release.
2020-10-14 13:15:19 +02:00
ad9059bfae passage en 2.7.2 2020-09-03 16:44:25 +02:00
40 changed files with 1389 additions and 1316 deletions

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
# Backup and swap files
*~
*#
*.swp

View File

@ -4,8 +4,8 @@
SOURCE=eole-lemonldap
VERSION=0.1
EOLE_VERSION=2.6
EOLE_RELEASE=2.6.2
EOLE_VERSION=2.7
EOLE_RELEASE=2.7.2
PKGAPPS=non
#FLASK_MODULE=<APPLICATION>

View File

@ -10,14 +10,14 @@ LemonLDAP::NG EOLE integration
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
#### LemonLDAP::NG repository
#### LemonLDAP::NG repository (if you use EOLE 2.8.X this is not needed anymore)
* deb https://lemonldap-ng.org/deb 1.9 main
* deb-src https://lemonldap-ng.org/deb 1.9 main
* deb https://lemonldap-ng.org/deb stable main
* deb-src https://lemonldap-ng.org/deb stable main
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
#### Cadoles Repository
* deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
* deb [ arch=all ] https://vulcain.cadoles.com 2.7.2-dev main
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
### Install packages
@ -33,18 +33,28 @@ Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui"
* Fill LemonLDAP configuration
#### Nginx Web case
#### On Scribe
* LemonLDAP::NG is configured to use the local LDAP service
* We register the supplementary host names to the AD DNS
* We add the supplementary host names to the `ssl_subjectalt_names`
#### Manual configuration
##### Nginx Web case
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
not be served properly, so we need to disable this function
GenConfig -> Services -> Activer la publication dapplications web par Nginx -> "Non'
#### Configuration DNS
##### Configuration DNS
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
#### Configuration LDAP
##### Configuration LDAP
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
@ -52,14 +62,14 @@ GenConfig -> Services -> Activer la publication dapplications web par Nginx -
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
#### Configuration CAS
##### Configuration CAS
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
* GenConfig -> Lemonldap -> Nom de l'attribut CAS
* GenConfig -> Lemonldap -> Attribut LDAP équivalent
### SSL issues
##### SSL issues
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)

View File

@ -31,7 +31,7 @@ def getSSOFilters():
""" Convert former eole-sso filters to LemonLDAP filters
"""
import glob
from ConfigParser import ConfigParser
from configparser import ConfigParser
try:
filters = { 'uid': "uid", "mail": "mail" }

1
debian/compat vendored
View File

@ -1 +0,0 @@
9

30
debian/control vendored
View File

@ -1,30 +0,0 @@
Source: eole-lemonldap
Section: web
Priority: optional
Maintainer: Cadoles <eole@ac-dijon.fr>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.3
Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
Package: eole-lemonldap
Architecture: all
Depends: ${misc:Depends}, eole-lemonldap-pkg
Conflicts: eole-sso
Provides: eole-sso
Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
.
Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.
Package: eole-lemonldap-pkg
Architecture: all
Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fastcgi-server,
libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
libxml-simple-perl, libcgi-compile-perl, libmouse-perl, libio-string-perl, libnet-openid-server-perl,
libemail-sender-perl, libgd-securityimage-perl, libimage-magick-perl, libnet-ldap-perl,
libunicode-string-perl, libsoap-lite-perl, libhtml-template-perl, libcache-cache-perl,
libdbi-perl, perl-modules, libwww-perl
Description: Paquet de dépendances pour eole-lemonldap.
.
Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

44
debian/copyright vendored
View File

@ -1,44 +0,0 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: {PROJECT}
Source: {URL}
Files: *
Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
License: {UPSTREAM LICENSE}
Files: debian/*
Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
License: CeCILL-2
License: {UPSTREAM LICENSE}
{TEXT OF THE LICENSE}
License: CeCILL-2
This software is governed by the CeCILL-2 license under French law and
abiding by the rules of distribution of free software. You can use,
modify and or redistribute the software under the terms of the CeCILL-2
license as circulated by CEA, CNRS and INRIA at the following URL
"http://www.cecill.info";.
.
As a counterpart to the access to the source code and rights to copy,
modify and redistribute granted by the license, users are provided only
with a limited warranty and the software's author, the holder of the
economic rights, and the successive licensors have only limited
liability.
.
In this respect, the user's attention is drawn to the risks associated
with loading, using, modifying and/or developing or reproducing the
software by the user in light of its specific status of free software,
that may mean that it is complicated to manipulate, and that also
therefore means that it is reserved for developers and experienced
professionals having in-depth computer knowledge. Users are therefore
encouraged to load and test the software's suitability as regards their
requirements in conditions enabling the security of their systems and/or
data to be ensured and, more generally, to use and operate it in the
same conditions as regards security.
.
The fact that you are presently reading this means that you have had
knowledge of the CeCILL-2 license and that you accept its terms.
.
On Eole systems, the complete text of the CeCILL-2 License can be found
in '/usr/share/common-licenses/CeCILL-2-en'.

View File

@ -1 +0,0 @@
usr

3
debian/gbp.conf vendored
View File

@ -1,3 +0,0 @@
# Set per distribution debian tag
[DEFAULT]
debian-tag = debian/eole/%(version)s

8
debian/rules vendored
View File

@ -1,8 +0,0 @@
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
%:
dh $@

Binary file not shown.

View File

@ -1 +0,0 @@
3.0 (native)

View File

@ -1,6 +1,7 @@
#!/bin/bash
if [ $(CreoleGet activerLemon) = "oui" ];then
if [ $(CreoleGet activerLemon 'non') = 'oui' ]
then
. /usr/lib/eole/diagnose.sh
manager=$(CreoleGet managerWebName)
portal=$(CreoleGet authWebName)

View File

@ -1,69 +1,111 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files>
<!-- Je suis un commentaire -->
<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
<service>lemonldap-ng-fastcgi-server</service>
<file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
<file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
<file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/nginx-lmlog.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/manager-apache2.X.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/handler-apache2.X.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/portal-apache2.X.conf' mkdir='True' rm='True'/>
<service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
<service method='apache' servicelist='lemonldap-apache'>manager-apache2</service>
<service method='apache' servicelist='lemonldap-apache'>portal-apache2</service>
<service method='apache' servicelist='lemonldap-apache'>handler-apache2</service>
<service_access service='nginx'>
<port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port>
</service_access>
</files>
<variables>
<family name='eole-sso'>
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>/cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
<family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value>
</variable>
</family>
<family name='LemonLDAP'>
<family name='LemonLDAP' icon='lemon'>
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
<value>LDAP</value>
</variable>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='password' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
<variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP">
<value>oui</value>
</variable>
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
<value>4</value>
</variable>
<variable name="lm_loglevel" type='string' description="Verbosité des journaux" mode='expert'>
<value>info</value>
</variable>
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
<value>admin</value>
</variable>
<variable name="nginxBucketSize" type='number' description="Taille du hash des noms de serveur pour NGINX" mode='expert'>
<value>64</value>
</variable>
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
<value>cas</value>
</variable>
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True'>
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True' exists='False'>
<value>oui</value>
</variable>
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
<variable name='ssoDebug' type='string' description="Activer le Debug pour la lib php-CAS" mode="expert">
<value>non</value>
</variable>
<variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG">
<value>bootstrap</value>
</variable>
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
<value>non</value>
</variable>
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe par mail">
<value>oui</value>
</variable>
<variable name='llChangePassword' type='oui/non' description="Permettre aux utilisateurs de changer leurs mots de passe depuis LemonLDAP">
<value>oui</value>
</variable>
<variable name='llADPasswordMaxAge' type='number' description="Durée de vie des mots de passe (en secondes)" mode='expert'>
<value>5184000</value>
</variable>
<variable name='llADPasswordExpireWarn' type='number' description="Délai avant affichage d'un message d'alerte sur l'expiration du mot de passe (en secondes)">
<value>3456000</value>
</variable>
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
<value>oui</value>
</variable>
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
@ -73,14 +115,18 @@
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
</family>
<separators>
<separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator>
<separator name="casAttribute">Configuration CAS</separator>
<separator name="llSkin">Personnalisation de la mire SSO</separator>
</separators>
</variables>
<constraints>
<fill name='concat' target='managerWebName'>
<param>manager.</param>
@ -98,22 +144,54 @@
<param>SAML</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param>
</check>
<check name="valid_enum" target="lemon_user_db">
<param>['LDAP','AD']</param>
</check>
<check name='valid_enum' target="lm_loglevel">
<param>['info','notice','warn','error','debug']</param>
</check>
<check name="valid_enum" target="llRegisterDB">
<param>['LDAP','Demo','Custom']</param>
<param>['LDAP','AD','Demo','Custom']</param>
</check>
<group master="casAttribute">
<slave>casLDAPAttribute</slave>
</group>
<condition name='disabled_if_not_in' source='lemon_user_db'>
<param>AD</param>
<target type='variable'>llADPasswordMaxAge</target>
<target type='variable'>llADPasswordExpireWarn</target>
</condition>
<condition name='disabled_if_in' source='activerLemon'>
<param>non</param>
<target type='filelist'>lemon</target>
<target type='filelist'>lemonCAS</target>
<target type='filelist'>lemonldap</target>
<target type='filelist'>lemonldap-nginx</target>
<target type='filelist'>lemonldap-apache</target>
<target type='servicelist'>lemonldap-apache</target>
<target type='servicelist'>sllemon</target>
<target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target>
</condition>
<condition name="disabled_if_in" source="activer_nginx_web" fallback="True">
<param>non</param>
<target type='filelist'>lemonldap-nginx</target>
</condition>
<condition name="disabled_if_in" source="activer_apache" fallback="True">
<param>non</param>
<target type='filelist'>lemonldap-apache</target>
<target type='servicelist'>lemonldap-apache</target>
</condition>
<condition name='disabled_if_in' source='llRegisterAccount'>
<param>non</param>
<target type='variable'>llRegisterDB</target>
@ -125,18 +203,21 @@
<condition name='disabled_if_in' source='llResetPassword'>
<param>non</param>
<target type='variable'>llResetUrl</target>
<target type='variable'>llResetExpiredPassword</target>
</condition>
<check name='valid_enum' target='llSkin'>
<param>['bootstrap','dark','impact','pastel']</param>
<param name="checkval">False</param>
</check>
</constraints>
<help>
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
<family name='LemonLDAP'>Configuration de la solution d'authentification unique LemonLDAP::NG</family>
<variable name='activerLemon'>Activer le service LemonLDAP::NG sur ce serveur</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable>
<variable name='ldapUserBaseDN'>DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr)</variable>
<variable name='ldapBindUserDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
</help>

View File

@ -0,0 +1,80 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files />
<variables>
<family name='eole sso'>
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
</family>
</variables>
<constraints>
<fill name='calc_multi_condition' target='activer_sso'>
<param>oui</param>
<param type='eole' name='condition_1'>activerLemon</param>
<param name='match'>distant</param>
<param name='default_mismatch'>local</param>
</fill>
<condition name='frozen_if_in' source='activerLemon'>
<param>oui</param>
<target type='variable'>activer_sso</target>
</condition>
<fill name='calc_val_first_value' target='eolesso_adresse'>
<param type='eole' optional='True' hidden='False'>authWebName</param>
<param type='eole' optional='True' hidden='False'>web_url</param>
<param type='eole'>nom_domaine_machine</param>
</fill>
<condition name='frozen_if_in' source='activerLemon'>
<param>oui</param>
<target type='variable'>eolesso_adresse</target>
</condition>
<auto name='calc_multi_condition' target='ldapScheme'>
<param>oui</param>
<param type='eole' name='condition_1'>ldap_tls</param>
<param name='match'>ldaps</param>
<param name='default_mismatch'>ldap</param>
</auto>
<auto name='calc_val' target='ldapServer'>
<param type='eole'>adresse_ip_ldap</param>
</auto>
<auto name='calc_val' target='ldapServerPort'>
<param type='eole'>ldap_port</param>
</auto>
<auto name='calc_val' target='lemon_user_db'>
<param>LDAP</param>
</auto>
<auto name='calc_val' target='llRegisterDB'>
<param>LDAP</param>
</auto>
<auto name='calc_val' target='ldapUserBaseDN'>
<param type='eole'>ldap_base_dn</param>
</auto>
<auto name='calc_val' target='ldapBindUserDN'>
<param type='eole'>ldap_reader</param>
</auto>
<auto name='calc_val' target='ldapBindUserPassword'>
<param type='eole'>ldap_reader_passfile</param>
</auto>
<auto name='calc_val' target='casFolder'>
<param type='eole'>eolesso_cas_folder</param>
</auto>
</constraints>
<help />
</creole>

2
eole-lemonldap-ng.mk Normal file
View File

@ -0,0 +1,2 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs
lemonldap-ng_DATA_DIR := $(eole_DIR)/lemonldap-ng

View File

@ -1 +0,0 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs

102
lemonldap-ng/LDAP.pm Normal file
View File

@ -0,0 +1,102 @@
package Lemonldap::NG::Portal::UserDB::LDAP;
use strict;
use Mouse;
use utf8;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
extends 'Lemonldap::NG::Portal::Lib::LDAP';
our $VERSION = '2.0.6';
has ldapGroupAttributeNameSearch => (
is => 'rw',
lazy => 1,
builder => sub {
my $attributes = [];
@$attributes =
split( /\s+/, $_[0]->{conf}->{ldapGroupAttributeNameSearch} )
if $_[0]->{conf}->{ldapGroupAttributeNameSearch};
push( @$attributes, $_[0]->{conf}->{ldapGroupAttributeNameGroup} )
if ( $_[0]->{conf}->{ldapGroupRecursive}
and $_[0]->{conf}->{ldapGroupAttributeNameGroup} ne "dn" );
return $attributes;
}
);
# RUNNING METHODS
#
# getUser is provided by Portal::Lib::LDAP
# Load all parameters included in exportedVars parameter.
# Multi-value parameters are loaded in a single string with
# a separator (param multiValuesSeparator)
# @return Lemonldap::NG::Portal constant
sub setSessionInfo {
my ( $self, $req ) = @_;
$req->{sessionInfo}->{_dn} = $req->data->{dn};
my %vars = ( %{ $self->conf->{exportedVars} },
%{ $self->conf->{ldapExportedVars} } );
while ( my ( $k, $v ) = each %vars ) {
# getLdapValue returns an empty string for missing attribute
# but we really want to return undef so they don't get stored in session
$req->sessionInfo->{$k} =
$self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
}
PE_OK;
}
# Load all groups in $groups.
# @return Lemonldap::NG::Portal constant
sub setGroups {
my ( $self, $req ) = @_;
my $groups = $req->{sessionInfo}->{groups};
my $hGroups = $req->{sessionInfo}->{hGroups};
if ( $self->conf->{ldapGroupBase} ) {
# Get value for group search
my $group_value = $self->ldap->getLdapValue( $req->data->{ldapentry},
$self->conf->{ldapGroupAttributeNameUser} );
if ( $self->conf->{ldapGroupDecodeSearchedValue} ) {
utf8::decode($group_value);
}
$self->logger->debug( "Searching LDAP groups in "
. $self->conf->{ldapGroupBase}
. " for $group_value" );
# Call searchGroups
my $ldapGroups = $self->ldap->searchGroups(
$self->conf->{ldapGroupBase},
$self->conf->{ldapGroupAttributeName},
$group_value,
$self->ldapGroupAttributeNameSearch,
$req->{ldapGroupDuplicateCheck}
);
foreach ( keys %$ldapGroups ) {
my $groupName = $_;
$hGroups->{$groupName} = $ldapGroups->{$groupName};
my $groupValues = [];
foreach ( @{ $self->ldapGroupAttributeNameSearch } ) {
next if $_ =~ /^name$/;
my $firstValue = $ldapGroups->{$groupName}->{$_}->[0];
push @$groupValues, $firstValue;
}
$groups .= $self->conf->{multiValuesSeparator} if $groups;
$groups .= join( '|', @$groupValues );
}
}
$req->{sessionInfo}->{groups} = $groups;
$req->{sessionInfo}->{hGroups} = $hGroups;
PE_OK;
}
1;

View File

@ -0,0 +1,20 @@
--- /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm.old 2019-12-11 12:05:54.000000000 +0100
+++ /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm 2021-01-05 10:54:19.188732119 +0100
@@ -40,10 +40,15 @@
%{ $self->conf->{ldapExportedVars} } );
while ( my ( $k, $v ) = each %vars ) {
+ my $value = $self->ldap->getLdapValue( $req->data->{ldapentry}, $v );
+
# getLdapValue returns an empty string for missing attribute
# but we really want to return undef so they don't get stored in session
- $req->sessionInfo->{$k} =
- $self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
+ # This has to be a string comparison because "0" is a valid attribute
+ # value. See #2403
+ $value = undef if ( $value eq "" );
+
+ $req->sessionInfo->{$k} = $value;
}
PE_OK;

View File

@ -0,0 +1,45 @@
#!/bin/bash
[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0
[ -f /usr/lib/eole/eolead.sh ] || exit 0
. /usr/lib/eole/eolead.sh
# ScribeAD/HorusAD
. $CONTAINER_ROOTFS/etc/eole/samba4-vars.conf
DNS_IP="${CONTAINER_IP}"
CONTAINER_EXEC='lxc-attach -n addc --'
EXT_IP=$(CreoleGet adresse_ip_eth0)
for service in manager auth reload
do
fqdn=$(CreoleGet "${service}WebName")
service_addr=$(dig "@${DNS_IP}" "${fqdn}" +short)
if [ "${service_addr}" != "${EXT_IP}" ]
then
${CONTAINER_EXEC} kinit "${AD_HOST_NAME^^}@${AD_REALM^^}" -k -t "${AD_HOST_KEYTAB_FILE}"
if [ -n "${service_addr}" ]
then
echo -n "Suppression de lenregistrement DNS '${fqdn} IN A ${service_addr}' : "
$CONTAINER_EXEC samba-tool \
dns \
delete \
"${AD_HOST_NAME}.${AD_REALM}" \
"${AD_REALM}" \
"${fqdn}" A "${service_addr}" \
-k 1
fi
echo -n "Ajout de lenregistrement DNS '${fqdn} IN A ${EXT_IP}' : "
$CONTAINER_EXEC samba-tool \
dns \
add \
"${AD_HOST_NAME}.${AD_REALM}" \
"${AD_REALM}" \
"${fqdn}" A "${EXT_IP}" \
-k 1
fi
done
exit 0

View File

@ -1,9 +1,12 @@
#!/bin/bash
[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0
# Updating Configuration cache
cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
opt="update-cache"
res=$(${cmd} ${opt} 2>&1)
exit ${?}
# Updating Configuration cache
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1

View File

@ -1,17 +0,0 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
CONF_FILES="manager-nginx.conf"
CONF_FILES="${CONF_FILES} handler-nginx.conf"
CONF_FILES="${CONF_FILES} portal-nginx.conf"
CONF_FILES="${CONF_FILES} test-nginx.conf"
for CONF_FILE in ${CONF_FILES}
do
if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' ];then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

View File

@ -1,5 +1,8 @@
#!/bin/bash
# Don't run on ScribeAD
[ ! -f /usr/lib/eole/eolead.sh ] || exit 0
ENABLE=$(CreoleGet activerLemon 'non')
HOSTS="/etc/hosts"

View File

@ -0,0 +1,19 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
NGINX_ENABLE=$(CreoleGet activer_nginx_web 'non')
CONF_FILES="manager-nginx.conf handler-nginx.conf portal-nginx.conf"
for CONF_FILE in ${CONF_FILES}
do
if [ -e /etc/nginx/sites-enabled/${CONF_FILE} ]
then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' -a "${NGINX_ENABLE}" = 'oui' ]
then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

12
posttemplate/70-lemonldap-patch Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
# vérifie si le patch est déjà appliqué
grep -q 2403 /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm && exit 0
# copie de sauvegarde
cp -a /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm /usr/share/eole/lemonldap-ng/
# application du patch
patch -d / -p 0 < /usr/share/eole/lemonldap-ng/LDAP.pm.patch
exit 0

View File

@ -1,27 +0,0 @@
<?php
define("__CAS_SERVER", "%%authWebName");
define("__CAS_VERSION", "2.0");
define("__CAS_FOLDER", "%%casFolder");
define("__CAS_PORT", 443);
define("__CAS_PROTO", "https");
%if %%cas_send_logout == 'oui'
define("__CAS_LOGOUT", true);
%else
define("__CAS_LOGOUT", false);
%end if
%if %%getVar('activer_web_valider_ca', 'non') == 'oui'
define("__CAS_VALIDER_CA", true);
%else
define("__CAS_VALIDER_CA", false);
%end if
%if %%is_empty(%%getVar('ssoCALocation', ''))
define("__CAS_CA_LOCATION", "/etc/ssl/certs/ca.crt");
%else
define("__CAS_CA_LOCATION", "%%ssoCALocation");
%end if
%if %%getVar("ssoDebug", 'non') == "oui"
define("__CAS_DEBUG", true);
%else
define("__CAS_DEBUG", false);
%end if
?>

View File

@ -1,7 +0,0 @@
<?php
%if %%mode_conteneur_actif != "non"
define("__CAS_IP", "%%adresse_ip_br0");
%else
define("__CAS_IP", "false");
%end if
?>

View File

@ -0,0 +1,78 @@
#========================================================================
# Apache configuration for LemonLDAP::NG Handler
#========================================================================
# This file implements the reload virtualhost that permits to reload
# configuration without restarting server, and some common instructions.
# You need then to declare this vhost in reloadUrls (in the manager
# interface if this server doesn't host the manager itself):
#
# KEY : VALUE
# host-or-IP:port : http://reload.domscribe.ac-test.fr/reload
#
# IMPORTANT:
# To protect applications, see test-apache.conf template in example files
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::ApacheMP2
# Common error page and security parameters
ErrorDocument 403 https://%%authWebName/lmerror/403
ErrorDocument 404 https://%%authWebName/lmerror/404
ErrorDocument 500 https://%%authWebName/lmerror/500
ErrorDocument 502 https://%%authWebName/lmerror/502
ErrorDocument 503 https://%%authWebName/lmerror/503
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%reloadWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/handler_error.log
CustomLog /var/log/apache2/handler_access.log common
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<Location /reload>
<IfVersion >= 2.3>
Require ip 127 ::1
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
Allow from 127.0.0.0/8 ::1
</IfVersion>
SetHandler perl-script
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
# Uncomment this to activate status module
#<Location /status>
# <IfVersion >= 2.3>
# Require ip 127 ::1
# </IfVersion>
# <IfVersion < 2.3>
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.0/8 ::1
# </IfVersion>
# SetHandler perl-script
# PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status
# # You may have to uncomment the next directive to skip
# # an upper PerlHeaderParserHandler directive
# #PerlHeaderParserHandler Apache2::Const::DECLINED
#</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -23,8 +23,7 @@ server {
}
server {
listen 443;
ssl on;
listen 443 ssl;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -62,7 +61,7 @@ server {
deny all;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "max-age=15768000";
add_header Strict-Transport-Security "max-age=15768000";
}
}

View File

@ -1,5 +1,5 @@
# Number of process (default: 7)
NPROC = %%lemonproc
NPROC=%%lemonproc
# Unix socket to listen to
SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock

View File

@ -1,3 +1,4 @@
%set %%boolean = {'oui': 1, 'non': 0}
;==============================================================================
; LemonLDAP::NG local configuration parameters
;
@ -11,9 +12,6 @@
; Section "configuration" is used to load global configuration and set cache
; (replace old storage.conf file)
;
; Section "apply" is read by Manager to reload handlers
; (replace old apply.conf file)
;
; Other section are only read by the specific LemonLDAP::NG component
;==============================================================================
@ -34,16 +32,80 @@
; Warning: this can allow malicious code in custom functions or rules
;useSafeJail = 0
; LOGGING
;
; 1 - Defined logging level
; Set here one of error, warn, notice, info or debug
logLevel = %%lm_loglevel
; Note that this has no effect for Apache2 logging: Apache LogLevel is used
; instead
;
; 2 - Change logger
;
; By default, logging is set to:
; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers
; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx)
; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager,
; portal,...) when they are not
; launched by FastCGI server
; Other loggers availables:
; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
;
; "Std" is redirected to the web server logs for Apache. For Nginx, only if
; request failed
;
; You can overload this in this section (for all) or in another section if
; you want to change logger for a specified app.
;
; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
; (userLogger). "userLogger" uses the same class as "logger" if not set.
;logger = Lemonldap::NG::Common::Logger::Syslog
;userLogger = Lemonldap::NG::Common::Logger::Std
;
; 2.1 - Using Syslog
;
; For Syslog logging, you can also overwrite facilities. Default values:
logger = Lemonldap::NG::Common::Logger::Syslog
syslogFacility = daemon
userSyslogFacility = auth
;
; 2.2 - Using Log4perl
;
; If you want to use Log4perl, you can set these parameters. Here are default
; values:
;logger = Lemonldap::NG::Common::Logger::Log4perl
;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf
;log4perlLogger = LLNG
;log4perlUserLogger = LLNG.user
;
; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
; value points to the logger class. Example:
; log4perl.logger.LLNG = WARN, File1
; log4perl.logger.LLNG.user = INFO, File2
; ...
; CONFIGURATION CHECK
;
; LLNG verify configuration at server start. If you use "reload" mechanism,
; local cache will be updated. Configuration is checked locally every
; 10 minutes by each LLNG component. You can change this value using
; `checkTime` (time in seconds).
; To increase performances, you should comment this parameter and rely on cache.
checkTime = 1
[configuration]
; confTimeout: maximum time to get configuration (default 10)
;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE
; (File, SOAP, RDBI/CDBI, LDAP)
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set "type" to one of the followings :
;
; * File: you have to set 'dirName' parameter. Example:
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
;
; type = File
; type = File ; or type = YAMLFile
; dirName = /var/lib/lemonldap-ng/conf
;
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
@ -51,17 +113,28 @@
;
; type = RDBI
; ;type = CDBI
; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
; dbiUser = lemonldap
; dbiPassword = password
;
; * REST: REST configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
; example).
; You have to set 'baseUrl' parameter. Example:
;
; type = REST
; baseUrl = https://auth.example.com/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
;
; * SOAP: SOAP configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
; example).
; You have to set 'proxy' parameter. Example:
;
; type = SOAP
; proxy = https://auth.example.com/index.pl/config
; proxy = https://auth.example.com/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
@ -91,7 +164,7 @@ dirName = /var/lib/lemonldap-ng/conf
; 'default_expires_in' => 600, \
; 'directory_umask' => '007', \
; 'cache_root' => '/tmp', \
; 'cache_depth' => 0, \
; 'cache_depth' => 3, \
; }
localStorage=Cache::FileCache
localStorageOptions={ \
@ -99,38 +172,36 @@ localStorageOptions={ \
'default_expires_in' => 600, \
'directory_umask' => '007', \
'cache_root' => '/tmp', \
'cache_depth' => 0, \
'cache_depth' => 3, \
}
[portal]
; PERFORMANCES
; By setting useLocalConf, Portal will use only local cached configuration
; To refresh it, you must have an handler on the same server or you have to
; restart your server. This increase performances
;useLocalConf = 1
; PORTAL CUSTOMIZATION
; I - Required parameters
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static
; location of HTML templates directory
templateDir = /usr/share/lemonldap-ng/portal/templates
; languages: available languages for portal interface
languages = fr, en
; PORTAL CUSTOMIZATION
languages = fr, en, vi, it, ar, de, fi, tr
; II - Optional parameters (overwrite configuration)
; Name of the skin
portalSkin = %%llSkin
; Modules displayed
;portalDisplayLogout = 1
%if %%llResetPassword == "oui"
portalDisplayResetPassword = 1
%else
portalDisplayResetPassword = 0
%end if
;portalDisplayChangePassword = 1
portalDisplayResetPassword = %%boolean[%%llResetPassword]
portalDisplayChangePassword = %%boolean[%%llChangePassword]
;portalDisplayAppslist = 1
;portalDisplayLoginHistory = 1
; Require the old password when changing password
;portalRequireOldPassword = 1
portalRequireOldPassword = %%boolean[%%llChangePassword]
; Attribute displayed as connected user
;portalUserAttr = mail
; Old menu HTML code
@ -142,16 +213,17 @@ portalDisplayResetPassword = 0
; For example to use <TMPL_VAR NAME="myparam">
;tpl_myparam = test
; LOG
; By default, all is logged in Apache file. To log user actions by
; syslog, just set syslog facility here:
; COMBINATION FORMS
; If you want to fix forms to display, you can use this;
;combinationForms = standardform, yubikeyform
;syslog = auth
; SOAP FUNCTIONS
; Remove comment to activate SOAP Functions getCookies(user,pwd) and
; error(language, code)
;Soap = 1
; Note that getAttibutes() will be activated but on a different URI
; (http://auth.example.com/index.pl/sessions)
; (http://auth.example.com/sessions)
; You can also restrict attributes and macros exported by getAttributes
;exportedAttr = uid mail
@ -208,8 +280,8 @@ portalDisplayResetPassword = 0
; Use it to be able to notify messages during authentication
;notification = 1
; Note that the SOAP function newNotification will be activated on
; http://auth.example.com/index.pl/notification
; If you want to hide this, just protect "/index.pl/notification" in
; http://auth.example.com/notification
; If you want to hide this, just protect "/index.fcgi/notification" in
; your Apache configuration file
; XSS protection bypass
; By default, the portal refuse redirections that comes from sites not
@ -225,6 +297,21 @@ portalDisplayResetPassword = 0
; Set to 0 to disable error on XSS attack detection
;checkXSS = 0
; pdata cookie domain
; pdata cookie could not be sent with cross domains AJAX request
; Null is default value
;pdataDomain = example.com
; CUSTOM PLUGINS
; If you want to add custom plugins, set list here (comma separated)
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
;customPlugins = ::My::Package1, ::My::Package2
; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
;forceGlobalStorageUpgradeOTT = 1
;forceGlobalStorageIssuerOTT = 1
[handler]
; Handler cache configuration
@ -240,7 +327,7 @@ portalDisplayResetPassword = 0
; Set https to 1 if your handler protect a https website (used only for
; redirections to the portal)
;https = 0
https = 1
; Set port if your your hanlder protect a website on a non standard port
; - 80 for http, 443 for https (used only for redirections to the portal)
;port = 8080
@ -252,6 +339,10 @@ status = 0
;useRedirectOnForbidden = 1
; Hide LemonLDAP::NG Handler in Apache Server Signature
;hideSignature = 1
; Set ServiceToken timeout
;handlerServiceTokenTTL = 30
; Set Impersonation/ContextSwitching prefix
; impersonationPrefix = real_
useRedirectOnError = 1
; Zimbra Handler parameters
@ -275,9 +366,6 @@ useRedirectOnError = 1
; * none : no protection
protection = manager
; logLevel. Set here one of error, warn, notice, info or debug
logLevel = warn
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static
;
@ -285,10 +373,29 @@ staticPrefix = /static
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
; languages: available languages for manager interface
languages = fr, en
languages = fr, en, it, vi, ar, tr
; Manager modules enabled
; Set here the list of modules you want to see in manager interface
; The first will be used as default module displayed
enabledModules = conf, sessions, notifications
;enabledModules = conf, sessions, notifications, 2ndFA, viewer
enabledModules = conf, sessions, notifications, 2ndFA
; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
; 'conf' is set by default
;defaultModule = viewer
; Viewer module allows us to edit configuration in read-only mode
; Options can be set with specific rules like this :
;viewerAllowBrowser = $uid eq 'dwho'
;viewerAllowDiff = $uid ne 'dwho'
;
; Viewer options - Default values
;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
;viewerAllowBrowser = 0
;viewerAllowDiff = 0
;[node-handler]
;
;This section is for node-lemonldap-ng-handler
;nodeVhosts = test3.example.com, test4.example.com

View File

@ -1,441 +0,0 @@
%set %%ssoFilters = %%getSSOFilters
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {
"vhostHttps" : "1"
},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT",
%for att in %%casAttribute
"%%att": "%%att",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%value"
%else
"%%key": "%%value",
%end if
%set %%idx += 1
%end for
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"logo": "configure.png",
"name": "WebSSO Manager"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "https://%%managerWebName/doc/",
"name": "Local documentation"
},
"type": "application"
}
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%key"
%else
"%%key": "%%key",
%end if
%set %%idx += 1
%end for
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": {
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
%if %%llResetPassword == "oui"
"portalDisplayResetPassword": 1,
%else
"portalDisplayResetPassword": 0,
%end if
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
%if %%RegisterDB == "Custom"
"registerDB": "Null",
%else
"registerDB": "%%RegisterDB",
%end if
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
%if %%llCheckLogins == "oui"
"portalCheckLogins": 1,
%else
"portalCheckLogins": 0,
%end if
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl",
%else
"mailUrl": "%%llResetUrl",
%end if
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
%if %%RegisterDB == "Custom"
"registerUrl": "%%llRegisterURL",
%else
"registerUrl": "https://%%authWebName/register.pl",
%end if
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
}

View File

@ -1,441 +1,406 @@
%set %%boolean = {'oui': 1, 'non': 0}
%set %%ssoFilters = %%getSSOFilters
%set %%ldapAttributes = {"uid": "uid", "mail": "mail", "cn":"cn"}
%set %%exported_vars = ['"UA": "HTTP_USER_AGENT"']
%set %%cas_attributes = []
%set %%ldap_attributes = {}
%for %%attr in %%casAttribute
%silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
%silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
%set %%ldap_attributes[%%attr.casLDAPAttribute] = %%attr.casLDAPAttribute
%end for
%for %%key, %%value in %%ssoFilters
%silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"')
%silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"')
%set %%ldap_attributes[%%value] = %%value
%end for
%silent %%exported_vars.sort()
%silent %%cas_attributes.sort()
%set %%ldapAttr = []
%for %%k, %%v in %%ldap_attributes.items()
%silent %%ldapAttr.append('"' + %%k + '": "' + %%v + '"')
%end for
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
%if %%lemon_user_db == "AD"
"ADPwdExpireWarning": %%llADPasswordExpireWarn,
"ADPwdMaxAge": %%llADPasswordMaxAge,
%end if
"CAS_authnLevel": 1,
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {
"vhostHttps" : "1"
},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"CAS_proxiedServices": {},
"SMTPServer": "",
"SSLAuthnLevel": 5,
"Soap": 1,
"activeTimer": 1,
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT",
%for att in %%casAttribute
"%%att": "%%att",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%value"
%else
"%%key": "%%value",
%end if
%set %%idx += 1
%end for
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"1administration": {
"catname": "Administration",
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"display": "auto",
"logo": "configure.png",
"name": "WebSSO Manager"
"name": "WebSSO Manager",
"uri": "https://%%managerWebName/"
},
"type": "application"
},
"notifications": {
"options": {
"description": "Explore WebSSO notifications",
"display": "auto",
"logo": "database.png",
"name": "Notifications explorer",
"uri": "https://%%managerWebName/notifications.pl"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://%%managerWebName/doc/",
"name": "Local documentation"
"logo": "database.png",
"name": "Sessions explorer",
"uri": "https://%%managerWebName/sessions.pl"
},
"type": "application"
}
},
"type": "category"
},
"2documentation": {
"catname": "Documentation",
"localdoc": {
"options": {
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"logo": "help.png",
"name": "Local documentation",
"uri": "http://%%managerWebName/doc/"
},
"type": "application"
},
"officialwebsite": {
"options": {
"description": "Official LemonLDAP::NG Website",
"display": "on",
"logo": "network.png",
"name": "Offical Website",
"uri": "http://lemonldap-ng.org/"
},
"type": "application"
},
"type": "category"
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%key"
%else
"%%key": "%%key",
%end if
%set %%idx += 1
%end for
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"authChoiceParam": "lmAuth",
"authentication": "%%lemon_user_db",
"browserIdAuthnLevel": 1,
"captchaStorage": "Apache::Session::File",
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"captcha_login_enabled": 0,
"captcha_mail_enabled": 0,
"captcha_register_enabled": 1,
"captcha_size": 6,
"casAccessControlPolicy": "none",
"casAttributes": {
%%custom_join(%%cas_attributes, ',\n ')
},
"casStorageOptions": {},
"cda": 0,
"cfgAuthor": "EOLE",
"cfgAuthorIP": "127.0.0.1",
"cfgDate": 1600257889,
"cfgLog": "",
"cfgNum": "1",
"checkXSS": 1,
"confirmFormMethod": "post",
"cookieName": "lemonldap",
"dbiAuthnLevel": 2,
"dbiExportedVars": {},
"demoExportedVars": {
"cn": "cn",
"mail": "mail",
"uid": "uid"
},
"domain": "%%nom_domaine_local",
"exportedHeaders": {
"%%managerWebName": {}
},
"exportedVars": {
%%custom_join(%%exported_vars, ',\n ')
},
"facebookAuthnLevel": 1,
"facebookExportedVars": {},
"failedLoginNumber": 5,
"globalStorage": "Apache::Session::File",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"googleExportedVars": {},
"grantSessionRules": {},
"groups": {},
"hiddenAttributes": "_password",
"hideOldPassword": 0,
"httpOnly": 1,
"https": 0,
"infoFormMethod": "get",
"issuerDBCASActivation": 1,
"issuerDBCASPath": "^/%%casFolder/",
"issuerDBCASRule": 1,
"issuerDBGetParameters": {},
"issuerDBOpenIDActivation": "1",
"issuerDBOpenIDPath": "^/openidserver/",
"issuerDBOpenIDRule": 1,
"issuerDBSAMLActivation": 0,
"issuerDBSAMLPath": "^/saml/",
"issuerDBSAMLRule": 1,
"jsRedirect": 0,
"key": "e\"bTCt3*eU9^\\V%b",
%if %%llResetPassword == "oui"
%if %%llResetExpiredPassword == "oui"
%if %%lemon_user_db == "AD"
"ldapPpolicyControl": 0,
%else
"ldapPpolicyControl": 1,
%end if
"ldapAllowResetExpiredPassword": 1,
"ldapChangePasswordAsUser": 1,
%else
"ldapPpolicyControl": 0,
"ldapAllowResetExpiredPassword": 0,
"ldapChangePasswordAsUser": 1,
%end if
%end if
"ldapAuthnLevel": 2,
"ldapSearchDeref": "find",
"ldapBase": "%%ldapUserBaseDN",
"ldapExportedVars": {
%%custom_join(%%ldapAttr, ',\n ')
},
"ldapGroupAttributeName": "memberUid",
"ldapGroupAttributeNameGroup": "dn",
"ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "uid",
"ldapGroupObjectClass": "eolegroupe",
"ldapGroupRecursive": 0,
"ldapPasswordResetAttribute": "pwdReset",
"ldapPasswordResetAttributeValue": "TRUE",
"ldapPort": "%%ldapServerPort",
"ldapPwdEnc": "utf-8",
"ldapServer": "%%ldapScheme://%%ldapServer",
%if %%ldapScheme == "ldaps"
%if %%lmldapverify == "oui"
"ldapVerify": "Require",
%else
"ldapVerify": "None",
%end if
%end if
"ldapSetPassword": 0,
"ldapTimeout": 120,
"ldapUsePasswordResetAttribute": 1,
"ldapVersion": 3,
"localSessionStorage": "Cache::FileCache",
"localSessionStorageOptions": {
"cache_depth": 3,
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
"namespace": "lemonldap-ng-sessions"
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
%if %%llResetPassword == "oui"
"portalDisplayResetPassword": 1,
%else
"portalDisplayResetPassword": 0,
%end if
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
%if %%RegisterDB == "Custom"
"registerDB": "Null",
%else
"registerDB": "%%RegisterDB",
%end if
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
"loginHistoryEnabled": 1,
"logoutServices": {},
"lwpSslOpts": {},
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"mailCharset": "utf-8",
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"mailFrom": "noreply@%%nom_domaine_local",
"mailOnPasswordChange": 0,
"mailSessionKey": "mail",
"mailSubject": "[LemonLDAP::NG] Your new password",
"mailTimeout": 0,
%if %%llResetPassword == "oui"
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/resetpwd",
%else
"mailUrl": "%%llResetUrl",
%end if
%end if
"maintenance": 0,
"managerDn": "%%ldapBindUserDN",
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"multiValuesSeparator": ";",
"nginxCustomHandlers": {},
"notification": 1,
"notificationStorage": "File",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyDeleted": 1,
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"nullAuthnLevel": 2,
"oidcOPMetaDataExportedVars": {},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
%if %%llCheckLogins == "oui"
"portalCheckLogins": 1,
%else
"portalCheckLogins": 0,
%end if
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl",
%else
"mailUrl": "%%llResetUrl",
%end if
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcOPMetaDataOptions": null,
"oidcRPMetaDataExportedVars": {},
"oidcRPMetaDataOptions": {},
"oidcRPMetaDataOptionsExtraClaims": null,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"oidcStorageOptions": {},
"openIdAuthnLevel": 1,
"openIdExportedVars": {},
"openIdSPList": "0;",
"openIdSreg_email": "mail",
"openIdSreg_fullname": "cn",
"openIdSreg_nickname": "uid",
"openIdSreg_timezone": "_timezone",
"passwordDB": "%%lemon_user_db",
"persistentStorage": "Apache::Session::File",
"persistentStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/psessions",
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock"
},
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalAntiFrame": 1,
"portalCheckLogins": %%boolean[%%llCheckLogins],
"portalDisplayAppslist": 1,
"portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
"portalDisplayLoginHistory": 1,
"portalDisplayLogout": 1,
"portalDisplayRegister": %%boolean[%%llRegisterAccount],
"portalDisplayResetPassword": %%boolean[%%llResetPassword],
"portalForceAuthn": 0,
"portalForceAuthnInterval": 0,
"portalOpenLinkInNewWindow": 0,
"portalPingInterval": 60000,
"portalRequireOldPassword": 1,
"portalSkin": "bootstrap",
"portalSkinRules": {},
"portalUserAttr": "_user",
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
%if %%RegisterDB == "Custom"
"radiusAuthnLevel": 3,
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"redirectFormMethod": "get",
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
%set %%register_db = %%getVar('llRegisterDB', 'Demo')
%if %%register_db == 'Custom'
"registerDB": "Null",
"registerUrl": "%%llRegisterURL",
%else
"registerDB": "%%register_db",
"registerUrl": "https://%%authWebName/register.pl",
%end if
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"registerTimeout": 0,
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"remoteGlobalStorageOptions": {
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService",
"proxy": "https://%%authWebName/index.pl/sessions"
},
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"samlAuthnContextMapKerberos": 4,
"samlAuthnContextMapPassword": 2,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"samlAuthnContextMapTLSClient": 5,
"samlCommonDomainCookieActivation": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"samlIDPMetaDataExportedAttributes": null,
"samlIDPMetaDataOptions": null,
"samlIDPMetaDataXML": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"samlIdPResolveCookie": "lemonldapidp",
"samlMetadataForceUTF8": 1,
"samlNameIDFormatMapEmail": "mail",
"samlNameIDFormatMapKerberos": "uid",
"samlNameIDFormatMapWindows": "uid",
"samlNameIDFormatMapX509": "mail",
"samlOrganizationDisplayName": "Example",
"samlOrganizationName": "%%samlOrganizationName",
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"samlRelayStateTimeout": 600,
"samlSPMetaDataExportedAttributes": null,
"samlSPMetaDataOptions": null,
"samlSPMetaDataXML": null,
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlServicePrivateKeyEnc": "",
"samlServicePrivateKeyEncPwd": "",
"samlServicePrivateKeySig": "",
"samlServicePrivateKeySigPwd": "",
"samlServicePublicKeyEnc": "",
"samlServicePublicKeySig": "",
"samlStorageOptions": {},
"samlUseQueryStringSpecific": 0,
"secureTokenAllowOnError": 1,
"secureTokenAttribute": "uid",
"secureTokenExpiration": 60,
"secureTokenHeader": "Auth-Token",
"secureTokenMemcachedServers": "127.0.0.1:11211",
"secureTokenUrls": ".*",
"securedCookie": 0,
"sessionDataToRemember": {},
"singleIP": 0,
"singleSession": 0,
"singleSessionUserByIP": 0,
"slaveAuthnLevel": 2,
"slaveExportedVars": {},
"storePassword": 0,
"successLoginNumber": 5,
"syslog": "",
"timeout": 72000,
"timeoutActivity": 0,
"trustedProxies": "",
"twitterAuthnLevel": 1,
"useRedirectOnError": 1,
"useRedirectOnForbidden": 0,
"useSafeJail": 1,
"userControl": "^[\\w\\.\\-@]+$",
"userDB": "%%lemon_user_db",
"vhostOptions": {
"%%managerWebName": {
"vhostHttps": "1"
}
},
"webIDAuthnLevel": 1,
"webIDExportedVars": {},
"whatToTrace": "_whatToTrace",
"yubikeyAuthnLevel": 3,
"yubikeyPublicIDSize": 12
}

130
tmpl/manager-apache2.X.conf Normal file
View File

@ -0,0 +1,130 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Manager
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Manager virtual host (manager.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%managerWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/manager_error.log
CustomLog /var/log/apache2/manager_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/manager.log llng
#ErrorLog /var/log/apache2/lm_err.log
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# FASTCGI CONFIGURATION
# ---------------------
# 1) URI management
RewriteEngine on
# For performances, you can delete the previous RewriteRule line after
# puttings html files: simply put the HTML results of differents modules
# (configuration, sessions, notifications) as manager.html, sessions.html,
# notifications.html and uncomment the 2 following lines:
# DirectoryIndex manager.html
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
# 2) FastCGI engine
# You can choose any FastCGI system. Here is an example using mod_fcgid
# mod_fcgid configuration
FcgidMaxRequestLen 2000000
<Files *.fcgi>
SetHandler fcgid-script
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# If you want to use mod_fastcgi, replace lines below by:
#FastCgiServer /usr/share/lemonldap-ng/manager/htdocs//manager.fcgi
# GLOBAL CONFIGURATION
# --------------------
DocumentRoot /usr/share/lemonldap-ng/manager/htdocs/
<Location />
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Static files (javascripts, HTML forms,...)
Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static//
<Directory /usr/share/lemonldap-ng/manager/htdocs/static/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
</Directory>
# On-line documentation
Alias /doc/ /usr/share/doc/lemonldap-ng/
Alias /lib/ /usr/share/doc/lemonldap-ng/pages/documentation/current/lib/
<Directory /usr/share/doc/lemonldap-ng/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
ErrorDocument 404 /notfound.html
Options +FollowSymLinks
DirectoryIndex index.html start.html
</Directory>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -5,8 +5,7 @@ server {
}
server {
listen 443;
ssl on;
listen 443 ssl;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -70,8 +69,8 @@ server {
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this
#location /javascript/ {
# alias /usr/share/javascript/;
#}
location /javascript/ {
alias /usr/share/javascript/;
}
}

View File

@ -1,3 +1,3 @@
log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';

View File

@ -1,35 +0,0 @@
# sample pam_cas config
# host from CAS server. mandatory
host %%authWebName
# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 443
# uri to validate ticket. Default to /proxyValidate
uriValidate /proxyValidate
# https or no. values on or off. Default to on.
ssl on
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug off
# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
#proxy https://%%authWebName/proxycas/casimap.php
#proxy https://imp.its.yale.edu/cas/casProxy.php
#proxy https://uportal1.its.yale.edu/CasProxyServlet
#proxy https://uportal2.its.yale.edu/CasProxyServlet
# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
# certificate from high level CA
%if not %%is_empty(%%getVar('ssoCALocation', ''))
trusted_ca %%ssoCALocation
%else
trusted_ca /etc/ssl/certs/ca.crt
%end if

147
tmpl/portal-apache2.X.conf Normal file
View File

@ -0,0 +1,147 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Portal Virtual Host (auth.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%authWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/portal_error.log
CustomLog /var/log/apache2/portal_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/portal.log llng
# DocumentRoot (FCGI scripts)
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +ExecCGI +FollowSymLinks
</Directory>
RewriteEngine On
# For performances, you can put static html files: simply put the HTML
# result (example: /oauth2/checksession.html) as static file. Then
# uncomment the following line.
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
# Authorization header needs to be passed when using Kerberos or OIDC
<IfVersion >= 2.4.13>
CGIPassAuth On
</IfVersion>
<IfVersion < 2.4.13>
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</IfVersion>
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# Uncomment this if status is enabled
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files
Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
Require all granted
Options +FollowSymLinks
</Directory>
<Location /static/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
<IfModule mod_dir.c>
DirectoryIndex index.fcgi index.html
</IfModule>
# REST/SOAP functions for sessions management (disabled by default)
<Location /index.fcgi/adminSessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for configuration access (disabled by default)
<Location /index.fcgi/config>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for notification insertion (disabled by default)
<Location /index.fcgi/notification>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# Enable compression
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -15,8 +15,7 @@ server {
}
server {
listen 443;
ssl on;
listen 443 ssl;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
@ -83,7 +82,7 @@ server {
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this
#location /javascript/ {
# alias /usr/share/javascript/;
#}
location /javascript/ {
alias /usr/share/javascript/;
}
}

View File

@ -1,117 +0,0 @@
server {
listen 80;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
root /var/lib/lemonldap-ng/test/;
# Internal authentication request
location = /lmauth {
internal;
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
# Improve performances
#fastcgi_buffer_size 32k;
#fastcgi_buffers 32 32k;
}
# Client requests
location / {
# Local application
index index.pl;
try_files $uri $uri/ =404;
# Reverse proxy
#proxy_pass http://remote.server/;
#include /etc/nginx/proxy_params;
##################################
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
# If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value;
# Remove this for AuthBasic handler
error_page 401 $lmlocation;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
# ELSE
# Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR in the corresponding block
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA is not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "max-age=15768000";
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
}
# Handle test CGI
location ~ ^(?<sc>/.*\.pl)(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.pl)(/.+)$;
fastcgi_param REMOTE_USER $lmremote_user;
# Or with uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE cgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
}
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
### Or with uWSGI
## include /etc/nginx/uwsgi_params;
## uwsgi_pass 127.0.0.1:5000;
## uwsgi_param LLTYPE status;
#}
}