Merge branch 'master' into dist/eole/2.6.2/master

We need to provide what EoleSSO provides.

For me this 3 new template have to be placed in a dedicated package
like eole-sso-client, this templates are not necessary for the server
only usefull for the clients.

debian/compat

@@ -0,0 +1 @@
+9

debian/control

@@ -0,0 +1,20 @@
+Source: eole-lemonldap
+Section: web
+Priority: optional
+Maintainer: Cadoles <eole@ac-dijon.fr>
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.3
+Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
+Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
+Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
+
+Package: eole-lemonldap
+Architecture: all
+Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fr-doc, lemonldap-ng-fastcgi-server,
+   libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
+   libxml-simple-perl, libcgi-compile-perl
+Conflicts: eole-sso
+Provides: eole-sso
+Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
+ .
+ Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

debian/copyright

@@ -0,0 +1,44 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: {PROJECT}
+Source: {URL}
+
+Files: *
+Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
+License: {UPSTREAM LICENSE}
+
+Files: debian/*
+Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
+License: CeCILL-2
+
+License: {UPSTREAM LICENSE}
+ {TEXT OF THE LICENSE}
+
+License: CeCILL-2
+ This software is governed by the CeCILL-2 license under French law and
+ abiding by the rules of distribution of free software.  You can  use,
+ modify and or redistribute the software under the terms of the CeCILL-2
+ license as circulated by CEA, CNRS and INRIA at the following URL
+ "http://www.cecill.info";.
+ .
+ As a counterpart to the access to the source code and  rights to copy,
+ modify and redistribute granted by the license, users are provided only
+ with a limited warranty  and the software's author,  the holder of the
+ economic rights,  and the successive licensors  have only  limited
+ liability.
+ .
+ In this respect, the user's attention is drawn to the risks associated
+ with loading,  using,  modifying and/or developing or reproducing the
+ software by the user in light of its specific status of free software,
+ that may mean  that it is complicated to manipulate,  and  that  also
+ therefore means  that it is reserved for developers  and  experienced
+ professionals having in-depth computer knowledge. Users are therefore
+ encouraged to load and test the software's suitability as regards their
+ requirements in conditions enabling the security of their systems and/or
+ data to be ensured and,  more generally, to use and operate it in the
+ same conditions as regards security.
+ .
+ The fact that you are presently reading this means that you have had
+ knowledge of the CeCILL-2 license and that you accept its terms.
+ .
+ On Eole systems, the complete text of the CeCILL-2 License can be found
+ in '/usr/share/common-licenses/CeCILL-2-en'.

debian/gbp.conf

@@ -0,0 +1,3 @@
+# Set per distribution debian tag
+[DEFAULT]
+debian-tag = debian/eole/%(version)s

debian/rules

@@ -0,0 +1,8 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+%:
+	dh $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

dicos/70_lemonldap_ng.xml

@@ -7,6 +7,9 @@
 		<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/nginx/sites-available/test-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
+		<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
+		<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
+		<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
 		<service>lemonldap-ng-fastcgi-server</service>
 		<service_access service='nginx'>
 			<port service_accesslist="saLemon">80</port>
@@ -38,6 +41,16 @@
 			</variable>
 			<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
 			<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
+			<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
+				<value>cas</value>
+			</variable>
+			<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True'>
+				<value>oui</value>
+			</variable>
+			<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
+			<variable name='ssoDebug' type='string' description="Activer le Debug pour la lib php-CAS" mode="expert">
+				<value>non</value>
+			</variable>
 		</family>
         <separators>
 		    <separator name="managerWebName">Configuration DNS</separator>
@@ -71,6 +84,7 @@
 		<condition name='disabled_if_in' source='activerLemon'>
 			<param>non</param>
 			<target type='filelist'>lemon</target>
+			<target type='filelist'>lemonCAS</target>
 			<target type='family'>LemonLDAP</target>
 			<target type='service_accesslist'>saLemon</target>
 		</condition>

tmpl/cas.inc.php.tmpl

@@ -0,0 +1,27 @@
+<?php
+define("__CAS_SERVER", "%%authWebName");
+define("__CAS_VERSION", "2.0");
+define("__CAS_FOLDER", "%%casFolder");
+define("__CAS_PORT", 443);
+define("__CAS_PROTO", "https");
+%if %%cas_send_logout == 'oui'
+define("__CAS_LOGOUT", true);
+%else
+define("__CAS_LOGOUT", false);
+%end if
+%if %%getVar('activer_web_valider_ca', 'non') == 'oui'
+define("__CAS_VALIDER_CA", true);
+%else
+define("__CAS_VALIDER_CA", false);
+%end if
+%if %%is_empty(%%getVar('ssoCALocation', ''))
+define("__CAS_CA_LOCATION", "/etc/ssl/certs/ca.crt");
+%else
+define("__CAS_CA_LOCATION", "%%ssoCALocation");
+%end if
+%if %%getVar("ssoDebug", 'non') == "oui"
+define("__CAS_DEBUG", true);
+%else
+define("__CAS_DEBUG", false);
+%end if
+?>

tmpl/eoleCASConfig.php.tmpl

@@ -0,0 +1,7 @@
+<?php
+%if %%mode_conteneur_actif != "non"
+define("__CAS_IP", "%%adresse_ip_br0");
+%else
+define("__CAS_IP", "false");
+%end if
+?>

tmpl/lmConf-1.js

@@ -25,7 +25,7 @@
     "timeoutActivity": 0,
     "oidcRPMetaDataExportedVars": {},
     "issuerDBSAMLActivation": 0,
-    "issuerDBCASPath": "^/cas/",
+    "issuerDBCASPath": "^/%%casFolder/",
     "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
     "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
     "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",

tmpl/pam_cas_auth.conf

@@ -0,0 +1,35 @@
+# sample pam_cas config
+
+# host from CAS server. mandatory
+host %%authWebName
+
+# port from CAS server. Default to 80 or 443, depends from ssl instruction
+port 443
+
+# uri to validate ticket. Default to /proxyValidate
+uriValidate /proxyValidate
+
+# https or no. values on or off. Default to on.
+ssl on
+
+# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
+debug off
+
+# proxy or proxies who deliver Proxy Ticket.
+# If no proxy, pam_cas doesn't control it
+# It may be several proxy instructions
+#proxy https://%%eolesso_adresse/proxycas/casimap.php
+#proxy https://imp.its.yale.edu/cas/casProxy.php
+#proxy https://uportal1.its.yale.edu/CasProxyServlet
+#proxy https://uportal2.its.yale.edu/CasProxyServlet
+
+# trusted_ca. mandatory if ssl on.
+# It a file in pem format. It can contents several certificates
+# If the CAS server certificate is auto-signed, the file must content the certificate
+# If the certificate is trusted by an Certificate Autority, The file must content
+#    certificate from high level CA
+%if not %%is_empty(%%getVar('ssoCALocation', ''))
+trusted_ca %%eolessoCALocation
+%else
+trusted_ca /etc/ssl/certs/ca.crt
+%end if