Compare commits

...

93 Commits

Author SHA1 Message Date
Philippe Caseiro 3edf7dd774 Fix ldapVerify values 2021-03-03 16:24:20 +01:00
Philippe Caseiro 293d940fdc Adding ldapExportedVars 2021-02-03 17:18:18 +01:00
Philippe Caseiro 918ceab882 Export LDAP Attributes
this attributes and the variables names have to be named with the
same name
2021-02-03 15:48:55 +01:00
Philippe Caseiro adea10270d Fix LDAP/CAS/Exported attributes bug 2021-02-03 15:44:14 +01:00
Philippe Caseiro 6c5beb7e9f Fix conflict for Makefile 2021-02-03 15:19:11 +01:00
Philippe Caseiro 583e77d7c7 Fix Register button display 2021-01-29 10:10:15 +01:00
pcaseiro eddc9696c3 Mise à jour de 'README.md' 2021-01-06 11:23:29 +01:00
Emmanuel Garette 4e8caeda89 Merge branch '2.8.0/master' 2021-01-05 11:31:43 +01:00
Emmanuel Garette f3b120eb62 patch lemonldap pour corriger le problème des attributs avec la valeur 0 (ref #31384) 2021-01-05 11:27:02 +01:00
Philippe Caseiro cc9a5e20ce Merge remote-tracking branch 'eole/master' into develop 2020-12-18 16:53:36 +01:00
Matthieu Lamalle 5512f64aab Merge branch '2.8.0/master' 2020-12-16 10:31:04 +01:00
Matthieu Lamalle 569e0caab8 set correct openldap conf 2020-12-16 10:30:33 +01:00
Matthieu Lamalle bb18f68a54 Merge branch '2.8.0/master' 2020-12-14 14:04:43 +01:00
Matthieu Lamalle 20e382934c set default openldap 2020-12-14 14:04:09 +01:00
Matthieu Lamalle cf5d9485ca Merge branch '2.8.0/master' 2020-12-14 10:25:37 +01:00
Matthieu Lamalle cf82616454 correction on condition 2020-12-14 10:24:17 +01:00
Philippe Caseiro e423388795 Merge branch '2.8.0/master' 2020-12-11 09:26:06 +01:00
Philippe Caseiro e810740ba9 Adding AD password warning support 2020-12-11 09:25:41 +01:00
Philippe Caseiro 140cc084a3 Merge branch '2.8.0/master' 2020-12-09 17:17:56 +01:00
Philippe Caseiro 3753625b20 Updating nginx configuration for 2.8 2020-12-09 17:17:30 +01:00
Philippe Caseiro df5dabbcf4 Merge branch '2.8.0/master' 2020-12-09 16:48:35 +01:00
Philippe Caseiro 47e822f9b9 Updating lmlog file for nginx mode 2020-12-09 16:48:14 +01:00
Philippe Caseiro 87818bd6f0 Activer la possibilité de changer son mot de passe depuis LemonLDAP
ref #31347
2020-12-07 16:07:34 +01:00
Philippe Caseiro fe8722e776 Activer la possibilité de changer son mot de passe depuis LemonLDAP
ref #31347
2020-12-07 16:06:55 +01:00
Philippe Caseiro 200c9c41e9 Using Active Directory (samba4) instead of OpenLDAP
Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
2020-12-03 16:52:33 +01:00
Philippe Caseiro bf94e74916 Using Active Directory (samba4) instead of OpenLDAP
Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one
2020-12-03 16:50:55 +01:00
Philippe Caseiro 0f3ff07b5f Merge last evolutions from master branch 2020-12-02 10:20:42 +01:00
Philippe Caseiro 63bf3c9f98 UserBaseDN and BaseDN is not the same thing
We need to use the user base dn
2020-11-26 17:13:37 +01:00
Philippe Caseiro 03a00fb7ce Cleanup ldap_tls redefine 2020-11-26 16:58:32 +01:00
Philippe Caseiro 52e5c433eb Enable option for SSL verify 2020-11-26 16:53:02 +01:00
Philippe Caseiro d1ad6aeb25 Fix lm_loglevel 2020-11-26 14:09:15 +01:00
Philippe Caseiro 815fca0e82 Merge branch 'master' of https://dev-eole.ac-dijon.fr/git/eole-lemonldap-ng 2020-11-26 13:49:34 +01:00
Philippe Caseiro 8ec486eafc Adding syslog configuration 2020-11-26 13:48:14 +01:00
Philippe Caseiro 4af11f3d28 Cleanup dico and support for loglevel 2020-11-26 13:47:47 +01:00
Philippe Caseiro 8af3ee655f Cleanup dico 2020-11-26 13:43:33 +01:00
Philippe Caseiro 5d4e572967 Fixing log format 2020-11-26 13:21:49 +01:00
Philippe Caseiro 74fb92fb55 Make eole-lemonldap-ng compatible with eolebase 2020-11-24 15:51:43 +01:00
Philippe Caseiro 15da7394f3 Make eole-lemonldap-ng compatible with eolebase 2020-11-24 15:47:38 +01:00
vfebvre 536da57382 parent d08c965ee8
author vfebvre <vfebvre@cadoles.com> 1599144265 +0200
committer Philippe Caseiro <pcaseiro@cadoles.com> 1606220045 +0100

Corrections diverses
2020-11-24 15:47:38 +01:00
Joël Cuissinat d08c965ee8 Merge branch '2.8.0/master' 2020-11-16 15:46:53 +01:00
Joël Cuissinat b9ef7ec41d dicos/70_lemonldap_ng.xml : cosmetic fixes
* add "lemon" icon
* add help on family

Ref: #30576
2020-11-16 15:40:44 +01:00
Daniel Dehennin f2e6a3afe0 Merge branch '2.8.0/master' into master 2020-10-16 09:52:25 +02:00
Daniel Dehennin 251a9a3907 Disable the apache servicelist when LemonLDAP::NG is disabled
Ref: #30852
2020-10-16 09:47:14 +02:00
Daniel Dehennin 2700a5d440 Prepare version 2.8.1
* Makefile: Mise à jour de la version.
  Mise à jour de la release.

* .gitignore: règles minimale pour les fichiers de sauvegarde des
éditeurs.
2020-10-15 09:34:31 +02:00
Daniel Dehennin 9b66227236 eolesso_adresse should be forced only when LemonLDAP::NG is enabled
The “calc_val” was failing when LemonLDAP::NG was disabled because
“authWebName” can't be used.

We shouldn't force “eolesso_adresse” when LemonLDAP::NG is disabled,
the user must be able to set whatever value she wants.

* dicos/71_lemonldap_ng_scribe.xml: fill the “eolesso_adresse” and
  freeze it when LemonLDAP::NG is enabled.

Ref: #30852
2020-10-15 09:07:40 +02:00
Daniel Dehennin 90411f89f7 Override previous fill on eolesso_adresse
Ref: #30852
2020-10-14 15:54:41 +02:00
Daniel Dehennin d99ac8c9ad Force local SSO on Scribe
Ref: #30852
2020-10-14 15:46:39 +02:00
Daniel Dehennin f43fca1a98 Don't modify /etc/hosts on ScribeAD
Ref: #30852
2020-10-14 13:52:41 +02:00
Daniel Dehennin 03a80f03fb Update README
Ref: #30852
2020-10-14 13:31:42 +02:00
Daniel Dehennin a6eeb05ca9 Smooth the configuration of LemonLDAP::NG on Scribe
Ref: #30852
2020-10-14 13:19:05 +02:00
Daniel Dehennin dec2cb8e79 Harmonize script names
Ref: #30852
2020-10-14 13:18:54 +02:00
Daniel Dehennin 1ea5813c8f Update configuration for version 2.0.7 of LemonLDAP::NG
Ref: #30852
2020-10-14 13:18:35 +02:00
Daniel Dehennin 589239352e Make LemonLDAP::NG useable with Apache2
Ref: #30852
2020-10-14 13:18:15 +02:00
Daniel Dehennin c9c6171367 Prettify the XML
And remove useless test sites.

Ref: #30852
2020-10-14 13:18:04 +02:00
Daniel Dehennin 04c73c223b Don't crash if LemonLDAP::NG is disabled
Ref: #30852
2020-10-14 13:17:07 +02:00
Daniel Dehennin 6be262c6fb LemonLDAP::NG should be installable side by side with EOLESSO
Ref: #30852
2020-10-14 13:16:45 +02:00
Daniel Dehennin 04215109ac Python3 ConfigParser is in configparser module
Ref: #30852
2020-10-14 13:16:37 +02:00
Daniel Dehennin 0dd5154b78 Realign dico
Ref: #30852
2020-10-14 13:16:21 +02:00
Daniel Dehennin 1ad8da6343 Prepare version 2.8.0
* Makefile: Mise à jour de la release.
2020-10-14 13:15:19 +02:00
vfebvre ad9059bfae passage en 2.7.2 2020-09-03 16:44:25 +02:00
Arnaud Fornerot 7d05697ad0 Merge branch 'develop' into staging 2020-01-16 09:35:09 +01:00
Arnaud Fornerot 7328d4b968 utilisation de la variable lemonproc dans la conf fastcgi 2020-01-16 09:27:47 +01:00
Arnaud Fornerot 267b96bd16 optimisation 2020-01-16 09:13:16 +01:00
Benjamin Bohard 3326273e21 Merge branch 'develop' into staging 2020-01-06 14:58:33 +01:00
Benjamin Bohard 53e17b8da0 Merge branch 'issue/3-CSP_targets' into develop 2019-12-12 12:01:18 +01:00
Benjamin Bohard 207dadd5cc Add variables to defined allowed CSP targets 2019-12-12 12:01:00 +01:00
Benjamin Bohard 994166b1fd Merge branch 'issue/2-variable_init' into develop 2019-12-12 11:16:48 +01:00
Benjamin Bohard 20c513e4fd declare lmremote_custom variable in test-nginx.conf 2019-12-12 11:16:38 +01:00
Benjamin Bohard 0980b3d30c Merge branch 'issue/1-error_page_location' into develop 2019-12-12 11:15:07 +01:00
Benjamin Bohard 9003ecbcb3 nginx error pages are located in html subfolder, not www 2019-12-12 11:14:54 +01:00
Philippe Caseiro 8fbafb4c70 Merge branch 'develop' into staging 2019-09-13 16:08:44 +02:00
Philippe Caseiro cc1da0773b Work around CSP form-action issue with CAS.
Replace header with nicer values
2019-09-13 16:02:48 +02:00
Philippe Caseiro a96d56b19c Merge branch 'develop' 2019-09-13 10:00:17 +02:00
Benjamin Bohard e0c7ca8f5e Merge branch 'feature/Migration' into develop 2019-07-15 10:46:29 +02:00
Benjamin Bohard 73fb96c026 Update configuration and dictionnary for v2.0 2019-07-15 10:40:26 +02:00
Benjamin Bohard abb1d10a87 Reprise des fichiers de configuration pour intégration au module EOLE 2019-07-12 12:08:17 +02:00
Benjamin Bohard 30e142fa98 Importation des fichiers de configuration 2019-07-12 11:03:25 +02:00
Philippe Caseiro c7b38c52d0 Update README 2019-07-11 09:44:49 +02:00
afornerot 6c3adaab2b Mise en place dans le template d'une URL de reset de password (fixes #4) 2018-09-13 14:35:15 +02:00
Philippe Caseiro 050e559f75 Adding postservice to update configuration cache
We need to update the configuration cache to apply the
configuration modifications
2018-04-12 09:26:49 +02:00
Philippe Caseiro eef533bfe6 Using exportedVars key names in casAttributes
We need tu use the key name of exportedVars in casAttributes to make
attr availlable
2018-04-09 14:31:35 +02:00
Philippe Caseiro e84ba19b68 Filling exportedVars configuration
User attributes are stored in "local session" so if we want to use
attributes in CAS session we need to make them available in local
session first
2018-04-09 13:29:05 +02:00
Philippe Caseiro b7aefb7a8b llRegisterDB variable could be disabled
If you choose to remove "Registration button"
from the interface llRegisterDB is disabled
so it's not available for the template.
2018-03-27 12:25:52 +02:00
Philippe Caseiro 5f5c5359f7 Fixing Custom URL option 2018-03-26 11:21:28 +02:00
Philippe Caseiro 51519eae55 Adding Custom Register URL option to template 2018-03-26 11:05:26 +02:00
Philippe Caseiro 2afe4dceb4 GenConfig clean up 2018-03-26 09:56:38 +02:00
afornerot 0f25183778 ajout du template lemonldap-ng.ini et utilisation de la variable llSkin 2018-03-23 16:56:54 +01:00
afornerot a4a3d52746 ajout variable llSkin 2018-03-23 16:22:02 +01:00
Philippe Caseiro a5ce48110d Adding SSO auth page customisation 2018-03-23 16:13:40 +01:00
Philippe Caseiro 61b982607e Fixing filter generation when no filter file is present in the server 2018-03-21 15:03:50 +01:00
Philippe Caseiro a91abb36f3 Remove all references to eole-sso variable 2018-03-21 14:21:46 +01:00
Philippe Caseiro 710ea85f96 443 port is mandatory for lemonLDAP 2018-03-21 14:18:12 +01:00
Philippe Caseiro d3897f1e4a Begin of Eole-SSO replacement work
We need to provide what EoleSSO provides.

For me this 3 new template have to be placed in a dedicated package
like eole-sso-client, this templates are not necessary for the server
only usefull for the clients.
2018-03-21 14:13:15 +01:00
28 changed files with 1524 additions and 710 deletions

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
# Backup and swap files
*~
*#
*.swp

View File

@ -4,8 +4,8 @@
SOURCE=eole-lemonldap
VERSION=0.1
EOLE_VERSION=2.6
EOLE_RELEASE=2.6.2
EOLE_VERSION=2.7
EOLE_RELEASE=2.7.2
PKGAPPS=non
#FLASK_MODULE=<APPLICATION>

View File

@ -10,14 +10,14 @@ LemonLDAP::NG EOLE integration
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
#### LemonLDAP::NG repository
#### LemonLDAP::NG repository (if you use EOLE 2.8.X this is not needed anymore)
* deb https://lemonldap-ng.org/deb stable main
* deb-src https://lemonldap-ng.org/deb stable main
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
#### Cadoles Repository
* deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
* deb [ arch=all ] https://vulcain.cadoles.com 2.7.2-dev main
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
### Install packages
@ -33,18 +33,28 @@ Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui"
* Fill LemonLDAP configuration
#### Nginx Web case
#### On Scribe
* LemonLDAP::NG is configured to use the local LDAP service
* We register the supplementary host names to the AD DNS
* We add the supplementary host names to the `ssl_subjectalt_names`
#### Manual configuration
##### Nginx Web case
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
not be served properly, so we need to disable this function
GenConfig -> Services -> Activer la publication dapplications web par Nginx -> "Non'
#### Configuration DNS
##### Configuration DNS
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
#### Configuration LDAP
##### Configuration LDAP
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
@ -52,14 +62,14 @@ GenConfig -> Services -> Activer la publication dapplications web par Nginx -
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
#### Configuration CAS
##### Configuration CAS
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
* GenConfig -> Lemonldap -> Nom de l'attribut CAS
* GenConfig -> Lemonldap -> Attribut LDAP équivalent
### SSL issues
##### SSL issues
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)

View File

@ -31,36 +31,37 @@ def getSSOFilters():
""" Convert former eole-sso filters to LemonLDAP filters
"""
import glob
from ConfigParser import ConfigParser
import json
from configparser import ConfigParser
try:
filters = {}
filters = { 'uid': "uid", "mail": "mail" }
filterDirectory = "/usr/share/sso/app_filters/"
filterExtention = ".ini"
filterSection = "utilisateur"
filterFiles = glob.glob("{0}/*{1}".format(filterDirectory, filterExtention))
toClean = ["uid","mail","cn","__name__"]
for fi in filterFiles:
# Don't parse "applications.ini"
config = ConfigParser()
config.read(fi)
if filterSection in config._sections:
filters.update(config._sections[filterSection].items())
for key in toClean:
del(filters[key])
res = ""
toClean = [ "__name__" ]
if len(filterFiles) != 0:
for fi in filterFiles:
# Don't parse "applications.ini"
config = ConfigParser()
config.read(fi)
if filterSection in config._sections:
filters.update(config._sections[filterSection].items())
for key in toClean:
if key in filters.keys():
del(filters[key])
res = {}
index=0
size=len(filters)
return(filters.items())
"""
for k,v in filters.items():
res += " \"{0}\": \"{1}\",".format(k,v)
res[k] " \"{0}\": \"{1}\"".format(k,v)
index += 1
if index != size:
res += "\n"
res += ",\n"
return(res)
"""
except:
return "Error Generating Filters"

View File

@ -1,6 +1,7 @@
#!/bin/bash
if [ $(CreoleGet activerLemon) = "oui" ];then
if [ $(CreoleGet activerLemon 'non') = 'oui' ]
then
. /usr/lib/eole/diagnose.sh
manager=$(CreoleGet managerWebName)
portal=$(CreoleGet authWebName)

View File

@ -1,85 +1,224 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files>
<!-- Je suis un commentaire -->
<file filelist='lemon' name='/etc/nginx/sites-available/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/test-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
<service>lemonldap-ng-fastcgi-server</service>
<service_access service='nginx'>
<port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port>
</service_access>
</files>
<variables>
<family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value>
</variable>
</family>
<family name='LemonLDAP'>
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
<value>admin</value>
</variable>
<variable name="nginxBucketSize" type='number' description="Taille du hash des noms de serveur pour NGINX" mode='expert'>
<value>64</value>
</variable>
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
</family>
<file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
<file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
<file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/nginx-lmlog.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/manager-apache2.X.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/handler-apache2.X.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/portal-apache2.X.conf' mkdir='True' rm='True'/>
<service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
<service method='apache' servicelist='lemonldap-apache'>manager-apache2</service>
<service method='apache' servicelist='lemonldap-apache'>portal-apache2</service>
<service method='apache' servicelist='lemonldap-apache'>handler-apache2</service>
<service_access service='nginx'>
<port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port>
</service_access>
</files>
<variables>
<family name='eole-sso'>
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>/cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
<family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value>
</variable>
</family>
<family name='LemonLDAP' icon='lemon'>
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
<value>LDAP</value>
</variable>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='password' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
<variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP">
<value>oui</value>
</variable>
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
<value>4</value>
</variable>
<variable name="lm_loglevel" type='string' description="Verbosité des journaux" mode='expert'>
<value>info</value>
</variable>
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
<value>admin</value>
</variable>
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
<value>cas</value>
</variable>
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True' exists='False'>
<value>oui</value>
</variable>
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
<variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG">
<value>bootstrap</value>
</variable>
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
<value>non</value>
</variable>
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe par mail">
<value>oui</value>
</variable>
<variable name='llChangePassword' type='oui/non' description="Permettre aux utilisateurs de changer leurs mots de passe depuis LemonLDAP">
<value>oui</value>
</variable>
<variable name='llADPasswordMaxAge' type='number' description="Durée de vie des mots de passe (en secondes)" mode='expert'>
<value>5184000</value>
</variable>
<variable name='llADPasswordExpireWarn' type='number' description="Délai avant affichage d'un message d'alerte sur l'expiration du mot de passe (en secondes)">
<value>3456000</value>
</variable>
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
<value>oui</value>
</variable>
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
<variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
<value>oui</value>
</variable>
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
</family>
<separators>
<separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator>
<separator name="casAttribute">Configuration CAS</separator>
</separators>
</variables>
<constraints>
<fill name='concat' target='managerWebName'>
<param>manager.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='authWebName'>
<param>auth.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='reloadWebName'>
<param>reload.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='samlOrganizationName'>
<param>SAML</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param>
<separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator>
<separator name="casAttribute">Configuration CAS</separator>
<separator name="llSkin">Personnalisation de la mire SSO</separator>
</separators>
</variables>
<constraints>
<fill name='concat' target='managerWebName'>
<param>manager.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='authWebName'>
<param>auth.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='reloadWebName'>
<param>reload.</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<fill name='concat' target='samlOrganizationName'>
<param>SAML</param>
<param type='eole'>nom_domaine_local</param>
</fill>
<check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param>
</check>
<group master="casAttribute">
<slave>casLDAPAttribute</slave>
</group>
<condition name='disabled_if_in' source='activerLemon'>
<param>non</param>
<target type='filelist'>lemon</target>
<target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target>
</condition>
</constraints>
<help>
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
</help>
<check name="valid_enum" target="lemon_user_db">
<param>['LDAP','AD']</param>
</check>
<check name='valid_enum' target="lm_loglevel">
<param>['info','notice','warn','error','debug']</param>
</check>
<check name="valid_enum" target="llRegisterDB">
<param>['LDAP','AD','Demo','Custom']</param>
</check>
<group master="casAttribute">
<slave>casLDAPAttribute</slave>
</group>
<condition name='disabled_if_not_in' source='lemon_user_db'>
<param>AD</param>
<target type='variable'>llADPasswordMaxAge</target>
<target type='variable'>llADPasswordExpireWarn</target>
</condition>
<condition name='disabled_if_in' source='activerLemon'>
<param>non</param>
<target type='filelist'>lemonldap</target>
<target type='filelist'>lemonldap-nginx</target>
<target type='filelist'>lemonldap-apache</target>
<target type='servicelist'>lemonldap-apache</target>
<target type='servicelist'>sllemon</target>
<target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target>
</condition>
<condition name="disabled_if_in" source="activer_nginx_web" fallback="True">
<param>non</param>
<target type='filelist'>lemonldap-nginx</target>
</condition>
<condition name="disabled_if_in" source="activer_apache" fallback="True">
<param>non</param>
<target type='filelist'>lemonldap-apache</target>
<target type='servicelist'>lemonldap-apache</target>
</condition>
<condition name='disabled_if_in' source='llRegisterAccount'>
<param>non</param>
<target type='variable'>llRegisterDB</target>
</condition>
<condition name='disabled_if_not_in' source='llRegisterDB'>
<param>Custom</param>
<target type='variable'>llRegisterURL</target>
</condition>
<condition name='disabled_if_in' source='llResetPassword'>
<param>non</param>
<target type='variable'>llResetUrl</target>
<target type='variable'>llResetExpiredPassword</target>
</condition>
<check name='valid_enum' target='llSkin'>
<param>['bootstrap','dark','impact','pastel']</param>
<param name="checkval">False</param>
</check>
</constraints>
<help>
<family name='LemonLDAP'>Configuration de la solution d'authentification unique LemonLDAP::NG</family>
<variable name='activerLemon'>Activer le service LemonLDAP::NG sur ce serveur</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable>
<variable name='ldapUserBaseDN'>DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr)</variable>
<variable name='ldapBindUserDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
</help>
</creole>

View File

@ -0,0 +1,80 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files />
<variables>
<family name='eole sso'>
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
</family>
</variables>
<constraints>
<fill name='calc_multi_condition' target='activer_sso'>
<param>oui</param>
<param type='eole' name='condition_1'>activerLemon</param>
<param name='match'>distant</param>
<param name='default_mismatch'>local</param>
</fill>
<condition name='frozen_if_in' source='activerLemon'>
<param>oui</param>
<target type='variable'>activer_sso</target>
</condition>
<fill name='calc_val_first_value' target='eolesso_adresse'>
<param type='eole' optional='True' hidden='False'>authWebName</param>
<param type='eole' optional='True' hidden='False'>web_url</param>
<param type='eole'>nom_domaine_machine</param>
</fill>
<condition name='frozen_if_in' source='activerLemon'>
<param>oui</param>
<target type='variable'>eolesso_adresse</target>
</condition>
<auto name='calc_multi_condition' target='ldapScheme'>
<param>oui</param>
<param type='eole' name='condition_1'>ldap_tls</param>
<param name='match'>ldaps</param>
<param name='default_mismatch'>ldap</param>
</auto>
<auto name='calc_val' target='ldapServer'>
<param type='eole'>adresse_ip_ldap</param>
</auto>
<auto name='calc_val' target='ldapServerPort'>
<param type='eole'>ldap_port</param>
</auto>
<auto name='calc_val' target='lemon_user_db'>
<param>LDAP</param>
</auto>
<auto name='calc_val' target='llRegisterDB'>
<param>LDAP</param>
</auto>
<auto name='calc_val' target='ldapUserBaseDN'>
<param type='eole'>ldap_base_dn</param>
</auto>
<auto name='calc_val' target='ldapBindUserDN'>
<param type='eole'>ldap_reader</param>
</auto>
<auto name='calc_val' target='ldapBindUserPassword'>
<param type='eole'>ldap_reader_passfile</param>
</auto>
<auto name='calc_val' target='casFolder'>
<param type='eole'>eolesso_cas_folder</param>
</auto>
</constraints>
<help />
</creole>

2
eole-lemonldap-ng.mk Normal file
View File

@ -0,0 +1,2 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs
lemonldap-ng_DATA_DIR := $(eole_DIR)/lemonldap-ng

View File

@ -1 +0,0 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs

102
lemonldap-ng/LDAP.pm Normal file
View File

@ -0,0 +1,102 @@
package Lemonldap::NG::Portal::UserDB::LDAP;
use strict;
use Mouse;
use utf8;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
extends 'Lemonldap::NG::Portal::Lib::LDAP';
our $VERSION = '2.0.6';
has ldapGroupAttributeNameSearch => (
is => 'rw',
lazy => 1,
builder => sub {
my $attributes = [];
@$attributes =
split( /\s+/, $_[0]->{conf}->{ldapGroupAttributeNameSearch} )
if $_[0]->{conf}->{ldapGroupAttributeNameSearch};
push( @$attributes, $_[0]->{conf}->{ldapGroupAttributeNameGroup} )
if ( $_[0]->{conf}->{ldapGroupRecursive}
and $_[0]->{conf}->{ldapGroupAttributeNameGroup} ne "dn" );
return $attributes;
}
);
# RUNNING METHODS
#
# getUser is provided by Portal::Lib::LDAP
# Load all parameters included in exportedVars parameter.
# Multi-value parameters are loaded in a single string with
# a separator (param multiValuesSeparator)
# @return Lemonldap::NG::Portal constant
sub setSessionInfo {
my ( $self, $req ) = @_;
$req->{sessionInfo}->{_dn} = $req->data->{dn};
my %vars = ( %{ $self->conf->{exportedVars} },
%{ $self->conf->{ldapExportedVars} } );
while ( my ( $k, $v ) = each %vars ) {
# getLdapValue returns an empty string for missing attribute
# but we really want to return undef so they don't get stored in session
$req->sessionInfo->{$k} =
$self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
}
PE_OK;
}
# Load all groups in $groups.
# @return Lemonldap::NG::Portal constant
sub setGroups {
my ( $self, $req ) = @_;
my $groups = $req->{sessionInfo}->{groups};
my $hGroups = $req->{sessionInfo}->{hGroups};
if ( $self->conf->{ldapGroupBase} ) {
# Get value for group search
my $group_value = $self->ldap->getLdapValue( $req->data->{ldapentry},
$self->conf->{ldapGroupAttributeNameUser} );
if ( $self->conf->{ldapGroupDecodeSearchedValue} ) {
utf8::decode($group_value);
}
$self->logger->debug( "Searching LDAP groups in "
. $self->conf->{ldapGroupBase}
. " for $group_value" );
# Call searchGroups
my $ldapGroups = $self->ldap->searchGroups(
$self->conf->{ldapGroupBase},
$self->conf->{ldapGroupAttributeName},
$group_value,
$self->ldapGroupAttributeNameSearch,
$req->{ldapGroupDuplicateCheck}
);
foreach ( keys %$ldapGroups ) {
my $groupName = $_;
$hGroups->{$groupName} = $ldapGroups->{$groupName};
my $groupValues = [];
foreach ( @{ $self->ldapGroupAttributeNameSearch } ) {
next if $_ =~ /^name$/;
my $firstValue = $ldapGroups->{$groupName}->{$_}->[0];
push @$groupValues, $firstValue;
}
$groups .= $self->conf->{multiValuesSeparator} if $groups;
$groups .= join( '|', @$groupValues );
}
}
$req->{sessionInfo}->{groups} = $groups;
$req->{sessionInfo}->{hGroups} = $hGroups;
PE_OK;
}
1;

View File

@ -0,0 +1,20 @@
--- /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm.old 2019-12-11 12:05:54.000000000 +0100
+++ /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm 2021-01-05 10:54:19.188732119 +0100
@@ -40,10 +40,15 @@
%{ $self->conf->{ldapExportedVars} } );
while ( my ( $k, $v ) = each %vars ) {
+ my $value = $self->ldap->getLdapValue( $req->data->{ldapentry}, $v );
+
# getLdapValue returns an empty string for missing attribute
# but we really want to return undef so they don't get stored in session
- $req->sessionInfo->{$k} =
- $self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
+ # This has to be a string comparison because "0" is a valid attribute
+ # value. See #2403
+ $value = undef if ( $value eq "" );
+
+ $req->sessionInfo->{$k} = $value;
}
PE_OK;

View File

@ -0,0 +1,45 @@
#!/bin/bash
[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0
[ -f /usr/lib/eole/eolead.sh ] || exit 0
. /usr/lib/eole/eolead.sh
# ScribeAD/HorusAD
. $CONTAINER_ROOTFS/etc/eole/samba4-vars.conf
DNS_IP="${CONTAINER_IP}"
CONTAINER_EXEC='lxc-attach -n addc --'
EXT_IP=$(CreoleGet adresse_ip_eth0)
for service in manager auth reload
do
fqdn=$(CreoleGet "${service}WebName")
service_addr=$(dig "@${DNS_IP}" "${fqdn}" +short)
if [ "${service_addr}" != "${EXT_IP}" ]
then
${CONTAINER_EXEC} kinit "${AD_HOST_NAME^^}@${AD_REALM^^}" -k -t "${AD_HOST_KEYTAB_FILE}"
if [ -n "${service_addr}" ]
then
echo -n "Suppression de lenregistrement DNS '${fqdn} IN A ${service_addr}' : "
$CONTAINER_EXEC samba-tool \
dns \
delete \
"${AD_HOST_NAME}.${AD_REALM}" \
"${AD_REALM}" \
"${fqdn}" A "${service_addr}" \
-k 1
fi
echo -n "Ajout de lenregistrement DNS '${fqdn} IN A ${EXT_IP}' : "
$CONTAINER_EXEC samba-tool \
dns \
add \
"${AD_HOST_NAME}.${AD_REALM}" \
"${AD_REALM}" \
"${fqdn}" A "${EXT_IP}" \
-k 1
fi
done
exit 0

View File

@ -0,0 +1,12 @@
#!/bin/bash
[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0
# Updating Configuration cache
cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
opt="update-cache"
# Updating Configuration cache
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1

View File

@ -1,17 +0,0 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
CONF_FILES="manager-nginx.conf"
CONF_FILES="${CONF_FILES} handler-nginx.conf"
CONF_FILES="${CONF_FILES} portal-nginx.conf"
CONF_FILES="${CONF_FILES} test-nginx.conf"
for CONF_FILE in ${CONF_FILES}
do
if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' ];then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

View File

@ -1,5 +1,8 @@
#!/bin/bash
# Don't run on ScribeAD
[ ! -f /usr/lib/eole/eolead.sh ] || exit 0
ENABLE=$(CreoleGet activerLemon 'non')
HOSTS="/etc/hosts"

View File

@ -0,0 +1,19 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
NGINX_ENABLE=$(CreoleGet activer_nginx_web 'non')
CONF_FILES="manager-nginx.conf handler-nginx.conf portal-nginx.conf"
for CONF_FILE in ${CONF_FILES}
do
if [ -e /etc/nginx/sites-enabled/${CONF_FILE} ]
then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' -a "${NGINX_ENABLE}" = 'oui' ]
then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

12
posttemplate/70-lemonldap-patch Executable file
View File

@ -0,0 +1,12 @@
#!/bin/bash
# vérifie si le patch est déjà appliqué
grep -q 2403 /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm && exit 0
# copie de sauvegarde
cp -a /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm /usr/share/eole/lemonldap-ng/
# application du patch
patch -d / -p 0 < /usr/share/eole/lemonldap-ng/LDAP.pm.patch
exit 0

View File

@ -0,0 +1,78 @@
#========================================================================
# Apache configuration for LemonLDAP::NG Handler
#========================================================================
# This file implements the reload virtualhost that permits to reload
# configuration without restarting server, and some common instructions.
# You need then to declare this vhost in reloadUrls (in the manager
# interface if this server doesn't host the manager itself):
#
# KEY : VALUE
# host-or-IP:port : http://reload.domscribe.ac-test.fr/reload
#
# IMPORTANT:
# To protect applications, see test-apache.conf template in example files
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::ApacheMP2
# Common error page and security parameters
ErrorDocument 403 https://%%authWebName/lmerror/403
ErrorDocument 404 https://%%authWebName/lmerror/404
ErrorDocument 500 https://%%authWebName/lmerror/500
ErrorDocument 502 https://%%authWebName/lmerror/502
ErrorDocument 503 https://%%authWebName/lmerror/503
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%reloadWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/handler_error.log
CustomLog /var/log/apache2/handler_access.log common
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<Location /reload>
<IfVersion >= 2.3>
Require ip 127 ::1
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
Allow from 127.0.0.0/8 ::1
</IfVersion>
SetHandler perl-script
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
# Uncomment this to activate status module
#<Location /status>
# <IfVersion >= 2.3>
# Require ip 127 ::1
# </IfVersion>
# <IfVersion < 2.3>
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.0/8 ::1
# </IfVersion>
# SetHandler perl-script
# PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status
# # You may have to uncomment the next directive to skip
# # an upper PerlHeaderParserHandler directive
# #PerlHeaderParserHandler Apache2::Const::DECLINED
#</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -12,10 +12,6 @@
# IMPORTANT:
# To protect applications, see test-nginx.conf template in example files
%if %%getVar("revprox_hash_bucket_size", "non") == "non"
server_names_hash_bucket_size %%nginxBucketSize;
%end if
# Log format
include /etc/lemonldap-ng/nginx-lmlog.conf;
#access_log /var/log/nginx/access.log lm_combined;
@ -27,8 +23,7 @@ server {
}
server {
listen 443;
ssl on;
listen 443 ssl;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -39,22 +34,26 @@ server {
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name %%reloadWebName;
root /var/www/html;
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
root /usr/share/nginx/html;
}
root /var/www/html;
location = /reload {
allow 127.0.0.1;
%for ipaddr in %%ip_ssh_eth0
allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0);
%end for
deny all;
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE reload;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE reload;
}
# Client requests
@ -62,15 +61,7 @@ server {
deny all;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
add_header Strict-Transport-Security "max-age=15768000";
}
# Uncomment this if status is enabled
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
#}
}
}

View File

@ -0,0 +1,15 @@
# Number of process (default: 7)
NPROC=%%lemonproc
# Unix socket to listen to
SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
# Pid file
PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
# User and GROUP
USER=www-data
GROUP=www-data
# Custom functions file
#CUSTOM_FUNCTIONS_FILE=/var/lib/lemonldap-ng/myfile.pm

View File

@ -1,3 +1,4 @@
%set %%boolean = {'oui': 1, 'non': 0}
;==============================================================================
; LemonLDAP::NG local configuration parameters
;
@ -11,9 +12,6 @@
; Section "configuration" is used to load global configuration and set cache
; (replace old storage.conf file)
;
; Section "apply" is read by Manager to reload handlers
; (replace old apply.conf file)
;
; Other section are only read by the specific LemonLDAP::NG component
;==============================================================================
@ -34,16 +32,80 @@
; Warning: this can allow malicious code in custom functions or rules
;useSafeJail = 0
; LOGGING
;
; 1 - Defined logging level
; Set here one of error, warn, notice, info or debug
logLevel = %%lm_loglevel
; Note that this has no effect for Apache2 logging: Apache LogLevel is used
; instead
;
; 2 - Change logger
;
; By default, logging is set to:
; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers
; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx)
; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager,
; portal,...) when they are not
; launched by FastCGI server
; Other loggers availables:
; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
;
; "Std" is redirected to the web server logs for Apache. For Nginx, only if
; request failed
;
; You can overload this in this section (for all) or in another section if
; you want to change logger for a specified app.
;
; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
; (userLogger). "userLogger" uses the same class as "logger" if not set.
;logger = Lemonldap::NG::Common::Logger::Syslog
;userLogger = Lemonldap::NG::Common::Logger::Std
;
; 2.1 - Using Syslog
;
; For Syslog logging, you can also overwrite facilities. Default values:
logger = Lemonldap::NG::Common::Logger::Syslog
syslogFacility = daemon
userSyslogFacility = auth
;
; 2.2 - Using Log4perl
;
; If you want to use Log4perl, you can set these parameters. Here are default
; values:
;logger = Lemonldap::NG::Common::Logger::Log4perl
;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf
;log4perlLogger = LLNG
;log4perlUserLogger = LLNG.user
;
; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
; value points to the logger class. Example:
; log4perl.logger.LLNG = WARN, File1
; log4perl.logger.LLNG.user = INFO, File2
; ...
; CONFIGURATION CHECK
;
; LLNG verify configuration at server start. If you use "reload" mechanism,
; local cache will be updated. Configuration is checked locally every
; 10 minutes by each LLNG component. You can change this value using
; `checkTime` (time in seconds).
; To increase performances, you should comment this parameter and rely on cache.
checkTime = 1
[configuration]
; confTimeout: maximum time to get configuration (default 10)
;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE
; (File, SOAP, RDBI/CDBI, LDAP)
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set "type" to one of the followings :
;
; * File: you have to set 'dirName' parameter. Example:
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
;
; type = File
; type = File ; or type = YAMLFile
; dirName = /var/lib/lemonldap-ng/conf
;
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
@ -51,17 +113,28 @@
;
; type = RDBI
; ;type = CDBI
; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
; dbiUser = lemonldap
; dbiPassword = password
;
; * REST: REST configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
; example).
; You have to set 'baseUrl' parameter. Example:
;
; type = REST
; baseUrl = https://auth.example.com/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
;
; * SOAP: SOAP configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
; example).
; You have to set 'proxy' parameter. Example:
;
; type = SOAP
; proxy = https://auth.example.com/index.pl/config
; proxy = https://auth.example.com/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
@ -91,7 +164,7 @@ dirName = /var/lib/lemonldap-ng/conf
; 'default_expires_in' => 600, \
; 'directory_umask' => '007', \
; 'cache_root' => '/tmp', \
; 'cache_depth' => 0, \
; 'cache_depth' => 3, \
; }
localStorage=Cache::FileCache
localStorageOptions={ \
@ -99,28 +172,36 @@ localStorageOptions={ \
'default_expires_in' => 600, \
'directory_umask' => '007', \
'cache_root' => '/tmp', \
'cache_depth' => 0, \
'cache_depth' => 3, \
}
[portal]
; PERFORMANCES
; By setting useLocalConf, Portal will use only local cached configuration
; To refresh it, you must have an handler on the same server or you have to
; restart your server. This increase performances
;useLocalConf = 1
; PORTAL CUSTOMIZATION
; I - Required parameters
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static
; location of HTML templates directory
templateDir = /usr/share/lemonldap-ng/portal/templates
; languages: available languages for portal interface
languages = fr, en, vi, it, ar, de, fi, tr
; II - Optional parameters (overwrite configuration)
; Name of the skin
;portalSkin = pastel
portalSkin = %%llSkin
; Modules displayed
;portalDisplayLogout = 1
;portalDisplayResetPassword = 1
;portalDisplayChangePassword = 1
portalDisplayResetPassword = %%boolean[%%llResetPassword]
portalDisplayChangePassword = %%boolean[%%llChangePassword]
;portalDisplayAppslist = 1
;portalDisplayLoginHistory = 1
; Require the old password when changing password
;portalRequireOldPassword = 1
portalRequireOldPassword = %%boolean[%%llChangePassword]
; Attribute displayed as connected user
;portalUserAttr = mail
; Old menu HTML code
@ -132,16 +213,17 @@ localStorageOptions={ \
; For example to use <TMPL_VAR NAME="myparam">
;tpl_myparam = test
; LOG
; By default, all is logged in Apache file. To log user actions by
; syslog, just set syslog facility here:
; COMBINATION FORMS
; If you want to fix forms to display, you can use this;
;combinationForms = standardform, yubikeyform
;syslog = auth
; SOAP FUNCTIONS
; Remove comment to activate SOAP Functions getCookies(user,pwd) and
; error(language, code)
;Soap = 1
; Note that getAttibutes() will be activated but on a different URI
; (http://auth.example.com/index.pl/sessions)
; (http://auth.example.com/sessions)
; You can also restrict attributes and macros exported by getAttributes
;exportedAttr = uid mail
@ -198,8 +280,8 @@ localStorageOptions={ \
; Use it to be able to notify messages during authentication
;notification = 1
; Note that the SOAP function newNotification will be activated on
; http://auth.example.com/index.pl/notification
; If you want to hide this, just protect "/index.pl/notification" in
; http://auth.example.com/notification
; If you want to hide this, just protect "/index.fcgi/notification" in
; your Apache configuration file
; XSS protection bypass
; By default, the portal refuse redirections that comes from sites not
@ -215,6 +297,21 @@ localStorageOptions={ \
; Set to 0 to disable error on XSS attack detection
;checkXSS = 0
; pdata cookie domain
; pdata cookie could not be sent with cross domains AJAX request
; Null is default value
;pdataDomain = example.com
; CUSTOM PLUGINS
; If you want to add custom plugins, set list here (comma separated)
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
;customPlugins = ::My::Package1, ::My::Package2
; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
;forceGlobalStorageUpgradeOTT = 1
;forceGlobalStorageIssuerOTT = 1
[handler]
; Handler cache configuration
@ -230,7 +327,7 @@ localStorageOptions={ \
; Set https to 1 if your handler protect a https website (used only for
; redirections to the portal)
;https = 0
https = 1
; Set port if your your hanlder protect a website on a non standard port
; - 80 for http, 443 for https (used only for redirections to the portal)
;port = 8080
@ -242,6 +339,10 @@ status = 0
;useRedirectOnForbidden = 1
; Hide LemonLDAP::NG Handler in Apache Server Signature
;hideSignature = 1
; Set ServiceToken timeout
;handlerServiceTokenTTL = 30
; Set Impersonation/ContextSwitching prefix
; impersonationPrefix = real_
useRedirectOnError = 1
; Zimbra Handler parameters
@ -265,20 +366,36 @@ useRedirectOnError = 1
; * none : no protection
protection = manager
; logLevel. Set here one of error, warn, notice, info or debug
logLevel = warn
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static
;
; location of HTML templates directory
templateDir = /usr/share/lemonldap-ng/manager/templates
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
; languages: available languages for manager interface
languages = fr, en
languages = fr, en, it, vi, ar, tr
; Manager modules enabled
; Set here the list of modules you want to see in manager interface
; The first will be used as default module displayed
enabledModules = conf, sessions, notifications
;enabledModules = conf, sessions, notifications, 2ndFA, viewer
enabledModules = conf, sessions, notifications, 2ndFA
; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
; 'conf' is set by default
;defaultModule = viewer
; Viewer module allows us to edit configuration in read-only mode
; Options can be set with specific rules like this :
;viewerAllowBrowser = $uid eq 'dwho'
;viewerAllowDiff = $uid ne 'dwho'
;
; Viewer options - Default values
;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
;viewerAllowBrowser = 0
;viewerAllowDiff = 0
;[node-handler]
;
;This section is for node-lemonldap-ng-handler
;nodeVhosts = test3.example.com, test4.example.com

View File

@ -1,397 +1,406 @@
%set %%boolean = {'oui': 1, 'non': 0}
%set %%ssoFilters = %%getSSOFilters
%set %%ldapAttributes = {"uid": "uid", "mail": "mail", "cn":"cn"}
%set %%exported_vars = ['"UA": "HTTP_USER_AGENT"']
%set %%cas_attributes = []
%set %%ldap_attributes = {}
%for %%attr in %%casAttribute
%silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
%silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
%set %%ldap_attributes[%%attr.casLDAPAttribute] = %%attr.casLDAPAttribute
%end for
%for %%key, %%value in %%ssoFilters
%silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"')
%silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"')
%set %%ldap_attributes[%%value] = %%value
%end for
%silent %%exported_vars.sort()
%silent %%cas_attributes.sort()
%set %%ldapAttr = []
%for %%k, %%v in %%ldap_attributes.items()
%silent %%ldapAttr.append('"' + %%k + '": "' + %%v + '"')
%end for
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
%if %%lemon_user_db == "AD"
"ADPwdExpireWarning": %%llADPasswordExpireWarn,
"ADPwdMaxAge": %%llADPasswordMaxAge,
%end if
"CAS_authnLevel": 1,
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/cas/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"CAS_proxiedServices": {},
"SMTPServer": "",
"SSLAuthnLevel": 5,
"Soap": 1,
"activeTimer": 1,
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT"
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"1administration": {
"catname": "Administration",
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"display": "auto",
"logo": "configure.png",
"name": "WebSSO Manager"
"name": "WebSSO Manager",
"uri": "https://%%managerWebName/"
},
"type": "application"
},
"notifications": {
"options": {
"description": "Explore WebSSO notifications",
"display": "auto",
"logo": "database.png",
"name": "Notifications explorer",
"uri": "https://%%managerWebName/notifications.pl"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "https://%%managerWebName/doc/",
"name": "Local documentation"
"logo": "database.png",
"name": "Sessions explorer",
"uri": "https://%%managerWebName/sessions.pl"
},
"type": "application"
}
},
"type": "category"
},
"2documentation": {
"catname": "Documentation",
"localdoc": {
"options": {
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"logo": "help.png",
"name": "Local documentation",
"uri": "http://%%managerWebName/doc/"
},
"type": "application"
},
"officialwebsite": {
"options": {
"description": "Official LemonLDAP::NG Website",
"display": "on",
"logo": "network.png",
"name": "Offical Website",
"uri": "http://lemonldap-ng.org/"
},
"type": "application"
},
"type": "category"
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {
"uid":"uid",
%%getSSOFilters
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
"mail":"mail"
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"authChoiceParam": "lmAuth",
"authentication": "%%lemon_user_db",
"browserIdAuthnLevel": 1,
"captchaStorage": "Apache::Session::File",
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"captcha_login_enabled": 0,
"captcha_mail_enabled": 0,
"captcha_register_enabled": 1,
"captcha_size": 6,
"casAccessControlPolicy": "none",
"casAttributes": {
%%custom_join(%%cas_attributes, ',\n ')
},
"casStorageOptions": {},
"cda": 0,
"cfgAuthor": "EOLE",
"cfgAuthorIP": "127.0.0.1",
"cfgDate": 1600257889,
"cfgLog": "",
"cfgNum": "1",
"checkXSS": 1,
"confirmFormMethod": "post",
"cookieName": "lemonldap",
"dbiAuthnLevel": 2,
"dbiExportedVars": {},
"demoExportedVars": {
"cn": "cn",
"mail": "mail",
"uid": "uid"
},
"domain": "%%nom_domaine_local",
"exportedHeaders": {
"%%managerWebName": {}
},
"exportedVars": {
%%custom_join(%%exported_vars, ',\n ')
},
"facebookAuthnLevel": 1,
"facebookExportedVars": {},
"failedLoginNumber": 5,
"globalStorage": "Apache::Session::File",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"googleExportedVars": {},
"grantSessionRules": {},
"groups": {},
"hiddenAttributes": "_password",
"hideOldPassword": 0,
"httpOnly": 1,
"https": 0,
"infoFormMethod": "get",
"issuerDBCASActivation": 1,
"issuerDBCASPath": "^/%%casFolder/",
"issuerDBCASRule": 1,
"issuerDBGetParameters": {},
"issuerDBOpenIDActivation": "1",
"issuerDBOpenIDPath": "^/openidserver/",
"issuerDBOpenIDRule": 1,
"issuerDBSAMLActivation": 0,
"issuerDBSAMLPath": "^/saml/",
"issuerDBSAMLRule": 1,
"jsRedirect": 0,
"key": "e\"bTCt3*eU9^\\V%b",
%if %%llResetPassword == "oui"
%if %%llResetExpiredPassword == "oui"
%if %%lemon_user_db == "AD"
"ldapPpolicyControl": 0,
%else
"ldapPpolicyControl": 1,
%end if
"ldapAllowResetExpiredPassword": 1,
"ldapChangePasswordAsUser": 1,
%else
"ldapPpolicyControl": 0,
"ldapAllowResetExpiredPassword": 0,
"ldapChangePasswordAsUser": 1,
%end if
%end if
"ldapAuthnLevel": 2,
"ldapSearchDeref": "find",
"ldapBase": "%%ldapUserBaseDN",
"ldapExportedVars": {
%%custom_join(%%ldapAttr, ',\n ')
},
"ldapGroupAttributeName": "memberUid",
"ldapGroupAttributeNameGroup": "dn",
"ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "uid",
"ldapGroupObjectClass": "eolegroupe",
"ldapGroupRecursive": 0,
"ldapPasswordResetAttribute": "pwdReset",
"ldapPasswordResetAttributeValue": "TRUE",
"ldapPort": "%%ldapServerPort",
"ldapPwdEnc": "utf-8",
"ldapServer": "%%ldapScheme://%%ldapServer",
%if %%ldapScheme == "ldaps"
%if %%lmldapverify == "oui"
"ldapVerify": "Require",
%else
"ldapVerify": "None",
%end if
%end if
"ldapSetPassword": 0,
"ldapTimeout": 120,
"ldapUsePasswordResetAttribute": 1,
"ldapVersion": 3,
"localSessionStorage": "Cache::FileCache",
"localSessionStorageOptions": {
"cache_depth": 3,
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
"namespace": "lemonldap-ng-sessions"
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"portalDisplayResetPassword": 1,
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
"registerDB": "Demo",
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
"loginHistoryEnabled": 1,
"logoutServices": {},
"lwpSslOpts": {},
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"mailCharset": "utf-8",
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"mailFrom": "noreply@%%nom_domaine_local",
"mailOnPasswordChange": 0,
"mailSessionKey": "mail",
"mailSubject": "[LemonLDAP::NG] Your new password",
"mailTimeout": 0,
%if %%llResetPassword == "oui"
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/resetpwd",
%else
"mailUrl": "%%llResetUrl",
%end if
%end if
"maintenance": 0,
"managerDn": "%%ldapBindUserDN",
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"multiValuesSeparator": ";",
"nginxCustomHandlers": {},
"notification": 1,
"notificationStorage": "File",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyDeleted": 1,
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"nullAuthnLevel": 2,
"oidcOPMetaDataExportedVars": {},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
"portalCheckLogins": 1,
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailUrl": "https://%%authWebName/mail.pl",
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcOPMetaDataOptions": null,
"oidcRPMetaDataExportedVars": {},
"oidcRPMetaDataOptions": {},
"oidcRPMetaDataOptionsExtraClaims": null,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"oidcStorageOptions": {},
"openIdAuthnLevel": 1,
"openIdExportedVars": {},
"openIdSPList": "0;",
"openIdSreg_email": "mail",
"openIdSreg_fullname": "cn",
"openIdSreg_nickname": "uid",
"openIdSreg_timezone": "_timezone",
"passwordDB": "%%lemon_user_db",
"persistentStorage": "Apache::Session::File",
"persistentStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/psessions",
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock"
},
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalAntiFrame": 1,
"portalCheckLogins": %%boolean[%%llCheckLogins],
"portalDisplayAppslist": 1,
"portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
"portalDisplayLoginHistory": 1,
"portalDisplayLogout": 1,
"portalDisplayRegister": %%boolean[%%llRegisterAccount],
"portalDisplayResetPassword": %%boolean[%%llResetPassword],
"portalForceAuthn": 0,
"portalForceAuthnInterval": 0,
"portalOpenLinkInNewWindow": 0,
"portalPingInterval": 60000,
"portalRequireOldPassword": 1,
"portalSkin": "bootstrap",
"portalSkinRules": {},
"portalUserAttr": "_user",
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
"radiusAuthnLevel": 3,
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"redirectFormMethod": "get",
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
%set %%register_db = %%getVar('llRegisterDB', 'Demo')
%if %%register_db == 'Custom'
"registerDB": "Null",
"registerUrl": "%%llRegisterURL",
%else
"registerDB": "%%register_db",
"registerUrl": "https://%%authWebName/register.pl",
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
%end if
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"registerTimeout": 0,
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"remoteGlobalStorageOptions": {
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService",
"proxy": "https://%%authWebName/index.pl/sessions"
},
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"samlAuthnContextMapKerberos": 4,
"samlAuthnContextMapPassword": 2,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"samlAuthnContextMapTLSClient": 5,
"samlCommonDomainCookieActivation": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"samlIDPMetaDataExportedAttributes": null,
"samlIDPMetaDataOptions": null,
"samlIDPMetaDataXML": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"samlIdPResolveCookie": "lemonldapidp",
"samlMetadataForceUTF8": 1,
"samlNameIDFormatMapEmail": "mail",
"samlNameIDFormatMapKerberos": "uid",
"samlNameIDFormatMapWindows": "uid",
"samlNameIDFormatMapX509": "mail",
"samlOrganizationDisplayName": "Example",
"samlOrganizationName": "%%samlOrganizationName",
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"samlRelayStateTimeout": 600,
"samlSPMetaDataExportedAttributes": null,
"samlSPMetaDataOptions": null,
"samlSPMetaDataXML": null,
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlServicePrivateKeyEnc": "",
"samlServicePrivateKeyEncPwd": "",
"samlServicePrivateKeySig": "",
"samlServicePrivateKeySigPwd": "",
"samlServicePublicKeyEnc": "",
"samlServicePublicKeySig": "",
"samlStorageOptions": {},
"samlUseQueryStringSpecific": 0,
"secureTokenAllowOnError": 1,
"secureTokenAttribute": "uid",
"secureTokenExpiration": 60,
"secureTokenHeader": "Auth-Token",
"secureTokenMemcachedServers": "127.0.0.1:11211",
"secureTokenUrls": ".*",
"securedCookie": 0,
"sessionDataToRemember": {},
"singleIP": 0,
"singleSession": 0,
"singleSessionUserByIP": 0,
"slaveAuthnLevel": 2,
"slaveExportedVars": {},
"storePassword": 0,
"successLoginNumber": 5,
"syslog": "",
"timeout": 72000,
"timeoutActivity": 0,
"trustedProxies": "",
"twitterAuthnLevel": 1,
"useRedirectOnError": 1,
"useRedirectOnForbidden": 0,
"useSafeJail": 1,
"userControl": "^[\\w\\.\\-@]+$",
"userDB": "%%lemon_user_db",
"vhostOptions": {
"%%managerWebName": {
"vhostHttps": "1"
}
},
"webIDAuthnLevel": 1,
"webIDExportedVars": {},
"whatToTrace": "_whatToTrace",
"yubikeyAuthnLevel": 3,
"yubikeyPublicIDSize": 12
}

130
tmpl/manager-apache2.X.conf Normal file
View File

@ -0,0 +1,130 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Manager
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Manager virtual host (manager.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%managerWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/manager_error.log
CustomLog /var/log/apache2/manager_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/manager.log llng
#ErrorLog /var/log/apache2/lm_err.log
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# FASTCGI CONFIGURATION
# ---------------------
# 1) URI management
RewriteEngine on
# For performances, you can delete the previous RewriteRule line after
# puttings html files: simply put the HTML results of differents modules
# (configuration, sessions, notifications) as manager.html, sessions.html,
# notifications.html and uncomment the 2 following lines:
# DirectoryIndex manager.html
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
# 2) FastCGI engine
# You can choose any FastCGI system. Here is an example using mod_fcgid
# mod_fcgid configuration
FcgidMaxRequestLen 2000000
<Files *.fcgi>
SetHandler fcgid-script
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# If you want to use mod_fastcgi, replace lines below by:
#FastCgiServer /usr/share/lemonldap-ng/manager/htdocs//manager.fcgi
# GLOBAL CONFIGURATION
# --------------------
DocumentRoot /usr/share/lemonldap-ng/manager/htdocs/
<Location />
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Static files (javascripts, HTML forms,...)
Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static//
<Directory /usr/share/lemonldap-ng/manager/htdocs/static/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
</Directory>
# On-line documentation
Alias /doc/ /usr/share/doc/lemonldap-ng/
Alias /lib/ /usr/share/doc/lemonldap-ng/pages/documentation/current/lib/
<Directory /usr/share/doc/lemonldap-ng/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
ErrorDocument 404 /notfound.html
Options +FollowSymLinks
DirectoryIndex index.html start.html
</Directory>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -5,9 +5,8 @@ server {
}
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
listen 443 ssl;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
@ -20,29 +19,41 @@ server {
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
}
root /usr/share/nginx/html;
}
if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon)) {
root /usr/share/lemonldap-ng/manager/htdocs/;
if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
rewrite ^/(.*)$ /manager.psgi/$1 break;
}
location /manager.psgi {
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE manager;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE psgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
#add_header Strict-Transport-Security "max-age=15768000";
}
location / {
index manager.psgi;
try_files $uri $uri/ =404;
allow 127.0.0.0/8;
deny all;
try_files $uri $uri/ =404;
}
location /doc/ {
@ -52,17 +63,14 @@ server {
location /lib/ {
alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/;
}
location /fr-doc/ {
alias /usr/share/doc/lemonldap-ng-fr-doc/;
index index.html start.html;
}
location /static/ {
alias /usr/share/lemonldap-ng/manager/static/;
alias /usr/share/lemonldap-ng/manager/htdocs/static/;
}
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this
#location /javascript/ {
# alias /usr/share/javascript/;
#}
location /javascript/ {
alias /usr/share/javascript/;
}
}

View File

@ -1,3 +1,3 @@
log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';

147
tmpl/portal-apache2.X.conf Normal file
View File

@ -0,0 +1,147 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Portal Virtual Host (auth.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%authWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/portal_error.log
CustomLog /var/log/apache2/portal_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/portal.log llng
# DocumentRoot (FCGI scripts)
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +ExecCGI +FollowSymLinks
</Directory>
RewriteEngine On
# For performances, you can put static html files: simply put the HTML
# result (example: /oauth2/checksession.html) as static file. Then
# uncomment the following line.
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
# Authorization header needs to be passed when using Kerberos or OIDC
<IfVersion >= 2.4.13>
CGIPassAuth On
</IfVersion>
<IfVersion < 2.4.13>
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</IfVersion>
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# Uncomment this if status is enabled
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files
Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
Require all granted
Options +FollowSymLinks
</Directory>
<Location /static/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
<IfModule mod_dir.c>
DirectoryIndex index.fcgi index.html
</IfModule>
# REST/SOAP functions for sessions management (disabled by default)
<Location /index.fcgi/adminSessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for configuration access (disabled by default)
<Location /index.fcgi/config>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for notification insertion (disabled by default)
<Location /index.fcgi/notification>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# Enable compression
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -1,3 +1,13 @@
## map directive must be in http context
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
%set %%webDomain = %%authWebName.split('.',1)[1]
%set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ')
server {
listen 80;
server_name %%authWebName;
@ -5,93 +15,74 @@ server {
}
server {
listen 443;
ssl on;
listen 443 ssl;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
ssl_client_certificate /etc/ssl/certs/ca..crt;
ssl_session_cache shared:SSL:10m;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
server_name %%authWebName;
root /var/lib/lemonldap-ng/portal/;
root /usr/share/lemonldap-ng/portal/htdocs/;
location ~ \.pl(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
set $sn $request_uri;
if ($sn ~ "^(.*)\?") {
set $sn $1;
}
if ($sn ~ "^/index.pl") {
set $sn "/index.pl";
}
fastcgi_param SCRIPT_NAME $sn;
fastcgi_split_path_info ^(.*\.pl)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
index index.pl;
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# Note that Content-Security-Policy header is generated by portal itself
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_hide_header Content-Security-Policy;
add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'";
}
index index.psgi;
location / {
try_files $uri $uri/ =404;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
#add_header Strict-Transport-Security "max-age=15768000";
}
# SOAP functions for sessions management (disabled by default)
location /index.pl/adminSessions {
location /static/ {
alias /usr/share/lemonldap-ng/portal/htdocs/static/;
}
# REST/SOAP functions for sessions management (disabled by default)
location /index.psgi/adminSessions {
deny all;
}
# SOAP functions for sessions access (disabled by default)
location /index.pl/sessions {
# REST/SOAP functions for sessions access (disabled by default)
location /index.psgi/sessions {
deny all;
}
# SOAP functions for configuration access (disabled by default)
location /index.pl/config {
# REST/SOAP functions for configuration access (disabled by default)
location /index.psgi/config {
deny all;
}
# SOAP functions for notification insertion (disabled by default)
location /index.pl/notification {
# REST/SOAP functions for notification insertion (disabled by default)
location /index.psgi/notification {
deny all;
}
# SAML2 Issuer
rewrite ^/saml/metadata /metadata.pl last;
rewrite ^/saml/.* /index.pl last;
# CAS Issuer
rewrite ^/cas/.* /index.pl;
# OpenID Issuer
rewrite ^/openidserver/.* /index.pl last;
# OpenID Connect Issuer
rewrite ^/oauth2/.* /index.pl last;
rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;
# Get Issuer
rewrite ^/get/.* /index.pl;
# Public pages
rewrite ^/public.* /public.pl;
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this
#location /javascript/ {
# alias /usr/share/javascript/;
#}
location /javascript/ {
alias /usr/share/javascript/;
}
}

View File

@ -1,104 +0,0 @@
server {
listen 80;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
root /var/lib/lemonldap-ng/test/;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# To use AuthBasic handler, uncomment this and remove "error_page 401"
# fastcgi_param LLTYPE authbasic;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
# Local application
index index.pl;
try_files $uri $uri/ =404;
# Reverse proxy
#proxy_pass http://remote.server/;
#include /etc/nginx/proxy_params;
##################################
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
# Uncomment this if CDA is used
#auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value;
# Remove this for AuthBasic handler
error_page 401 $lmlocation;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
# ELSE
# Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR in the correspondinc block
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
}
# Handle test CGI
location ~ \.pl$ {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.pl)(/.+)$;
fastcgi_param REMOTE_USER $lmremote_user;
}
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
#}
}