Merge branch 'master' into dist/eole/2.6.2/master

README.md

@@ -1,73 +1,16 @@
 # eole-lemonldap
 
-LemonLDAP::NG EOLE integration
+Intégration LemonLDAP::NG pour EOLE
 
 ## Howto
 
-### Repository configuration
-
 * Add the lemonldap-ng deb respository we need the last version of LemonLDAP.
 
-GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
+Gen_config -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
 
-#### LemonLDAP::NG repository
+ ### LemonLDAP::NG repository
  
 * deb     https://lemonldap-ng.org/deb stable main
 * deb-src https://lemonldap-ng.org/deb stable main
 * Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 
 
-#### Cadoles Repository
-* deb [ arch=all  ] https://vulcain.cadoles.com 2.6.2-dev main
-* Key URL : https://vulcain.cadoles.com/cadoles.gpg
-
-### Install packages
-
-apt update
-apt install eole-lemonldap
-
-### Configure LemonLDAP in GenConfig
-
-* Enable lemonldap in "Services" tab
-
-Gen_Config -> Services ->  Activer LemonLDAP::NG -> "Oui"
-
-* Fill LemonLDAP configuration
-
-#### Nginx Web case
-
-By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
-not be served properly, so we need to disable this function
-
-GenConfig -> Services -> Activer la publication d’applications web par Nginx -> "Non'
-
-#### Configuration DNS
-* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
-* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
-
-#### Configuration LDAP
-* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
-* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
-* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
-* GenConfig -> Lemonldap -> Base DN des utilisateurs dans l'annuaire
-* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
-* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
-
-#### Configuration CAS
-
-Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
-
-* GenConfig -> Lemonldap -> Nom de l'attribut CAS
-* GenConfig -> Lemonldap -> Attribut LDAP équivalent
-
-### SSL issues
-
-If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
-You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)
-
-* GenConfig -> Mode Expert -> Certificats ssl -> Nom Alternatif de la machine (SubjectAltName)
-
-If you use "manual" certificates make sure this names are covered by your SSL Certificate
-
-If you use "letsencrypt" mode you also need to add this names to the let'sencrypt request:
-
-* GenConfig -> Mode Expert -> Certificat ssl -> Nom de domaines supplémentaires

creolefuncs/lemonldap.py

@@ -1,66 +0,0 @@
-# -*- coding: utf-8 -*-
-
-def toCidr(ip,mask=False):
-    """ Convert to CIDR notation
-        ip can be like this : 192.168.5.100/255.255.255.0
-        or you can provide the ip and the mask
-    """
-    from IPy import IP
-    try:
-        if mask:
-            data="{0}/{1}".format(ip,mask)
-        else:
-            data=ip
-        return str(IP(data))
-    except:
-        return data
-
-def readPass(encoder,reader):
-    try:
-        mypwdreader=open(reader, "r").readline().rstrip()
-        if encoder == "":
-            return mypwdreader
-        elif encoder == "base64":
-            import base64
-            return base64.b64encode(mypwdreader)
-
-    except:
-        return "mot de passe inconnu"
-
-def getSSOFilters():
-    """ Convert former eole-sso filters to LemonLDAP filters
-    """
-    import glob
-    from ConfigParser import ConfigParser
-    import json
-    try:
-       filters = {}
-       filterDirectory = "/usr/share/sso/app_filters/"
-       filterExtention = ".ini"
-       filterSection = "utilisateur"
-       filterFiles = glob.glob("{0}/*{1}".format(filterDirectory, filterExtention))
-       toClean = ["uid","mail","cn","__name__"]
-       for fi in filterFiles:
-          # Don't parse "applications.ini"
-          config = ConfigParser()
-          config.read(fi)
-          if filterSection in config._sections:
-             filters.update(config._sections[filterSection].items())
-
-       for key in toClean:
-           del(filters[key])
-
-       res = ""
-       index=0
-       size=len(filters)
-       for k,v in filters.items():
-           res += "        \"{0}\": \"{1}\",".format(k,v)
-           index += 1
-           if index != size:
-               res += "\n"
-
-       return(res)
-
-    except:
-        return "Error Generating Filters"
-

creolefuncs/netmask.py

@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+
+def toCidr(ip,mask=False):
+    """ Convert to CIDR notation
+        ip can be like this : 192.168.5.100/255.255.255.0
+        or you can provide the ip and the mask
+    """
+    from IPy import IP
+    try:
+        if mask:
+            data="{0}/{1}".format(ip,mask)
+        else:
+            data=ip
+        return str(IP(data))
+    except:
+        return data

debian/compat

@@ -0,0 +1 @@
+9

debian/control

@@ -0,0 +1,18 @@
+Source: eole-lemonldap
+Section: web
+Priority: optional
+Maintainer: Cadoles <eole@ac-dijon.fr>
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.3
+Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
+Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
+Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
+
+Package: eole-lemonldap
+Architecture: all
+Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fr-doc, lemonldap-ng-fastcgi-server,
+   libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
+   libxml-simple-perl, libcgi-compile-perl
+Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
+ .
+ Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

debian/copyright

@@ -0,0 +1,44 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: {PROJECT}
+Source: {URL}
+
+Files: *
+Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
+License: {UPSTREAM LICENSE}
+
+Files: debian/*
+Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
+License: CeCILL-2
+
+License: {UPSTREAM LICENSE}
+ {TEXT OF THE LICENSE}
+
+License: CeCILL-2
+ This software is governed by the CeCILL-2 license under French law and
+ abiding by the rules of distribution of free software.  You can  use,
+ modify and or redistribute the software under the terms of the CeCILL-2
+ license as circulated by CEA, CNRS and INRIA at the following URL
+ "http://www.cecill.info";.
+ .
+ As a counterpart to the access to the source code and  rights to copy,
+ modify and redistribute granted by the license, users are provided only
+ with a limited warranty  and the software's author,  the holder of the
+ economic rights,  and the successive licensors  have only  limited
+ liability.
+ .
+ In this respect, the user's attention is drawn to the risks associated
+ with loading,  using,  modifying and/or developing or reproducing the
+ software by the user in light of its specific status of free software,
+ that may mean  that it is complicated to manipulate,  and  that  also
+ therefore means  that it is reserved for developers  and  experienced
+ professionals having in-depth computer knowledge. Users are therefore
+ encouraged to load and test the software's suitability as regards their
+ requirements in conditions enabling the security of their systems and/or
+ data to be ensured and,  more generally, to use and operate it in the
+ same conditions as regards security.
+ .
+ The fact that you are presently reading this means that you have had
+ knowledge of the CeCILL-2 license and that you accept its terms.
+ .
+ On Eole systems, the complete text of the CeCILL-2 License can be found
+ in '/usr/share/common-licenses/CeCILL-2-en'.

debian/gbp.conf

@@ -0,0 +1,3 @@
+# Set per distribution debian tag
+[DEFAULT]
+debian-tag = debian/eole/%(version)s

debian/rules

@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+%:
+	dh $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

dicos/70_lemonldap_ng.xml

@@ -2,12 +2,12 @@
 <creole>
     <files>
 		<!-- Je suis un commentaire -->
+		<file filelist='lemon' name='/etc/nginx/nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/nginx/sites-available/manager-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/nginx/sites-available/handler-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/nginx/sites-available/test-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
-		<service>lemonldap-ng-fastcgi-server</service>
 		<service_access service='nginx'>
 			<port service_accesslist="saLemon">80</port>
 			<port service_accesslist="saLemon">443</port>
@@ -79,7 +79,6 @@
 		<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
 		<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
 		<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
-		<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
 		<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
 	</help>
 </creole>

tmpl/handler-nginx.conf

@@ -12,10 +12,6 @@
 # IMPORTANT:
 # To protect applications, see test-nginx.conf template in example files
 
-%if %%getVar("revprox_hash_bucket_size", "non") == "non"
-server_names_hash_bucket_size %%nginxBucketSize;
-%end if
-
 # Log format
 include /etc/lemonldap-ng/nginx-lmlog.conf;
 #access_log /var/log/nginx/access.log lm_combined;

tmpl/lmConf-1.js

@@ -160,7 +160,6 @@
     "ldapPpolicyControl": 0,
     "casAttributes": {
         "uid":"uid",
-%%getSSOFilters
 %for att in %%casAttribute
         "%%att": "%%att.casLDAPAttribute",
 %end for
@@ -230,11 +229,7 @@
     },
     "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
     "hideOldPassword": 0,
-%if %%is_file(%%ldapBindUserPassword)
-    "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
-%else
     "managerPassword": "%%ldapBindUserPassword",
-%end if
     "authChoiceParam": "lmAuth",
     "lwpSslOpts": {},
     "portalSkinRules": {},

tmpl/nginx.conf

@@ -0,0 +1,85 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size %%nginxBucketSize;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}