Compare commits
35 Commits
master
...
dist/eole/
Author | SHA1 | Date | |
---|---|---|---|
96d8a8364b | |||
116ff7c243 | |||
33ec79b371 | |||
efd63a3db0 | |||
78393b2ba9 | |||
c9eebbb0a5 | |||
c7c5f08b7a | |||
889010cfe7 | |||
f0d6325cf5 | |||
3b4d3ccb41 | |||
66be6dc37e | |||
08ed6a21dc | |||
faf2a361db | |||
7ae579b670 | |||
baa4dca9de | |||
849c3f0a88 | |||
6f1cb45eac | |||
4916317d30 | |||
b7556a03b8 | |||
f1defd2626 | |||
7269e252de | |||
9e64f5ca8d | |||
84f41d0196 | |||
b90eb474f5 | |||
d69f20c896 | |||
658013c177 | |||
35edad1538 | |||
32d336e37b | |||
4b26fc5c38 | |||
904abd02a4 | |||
e2f656f9f8 | |||
e5ada4d3eb | |||
dab8085a83 | |||
ad490d3810 | |||
0fc774cd05 |
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,4 +0,0 @@
|
|||||||
# Backup and swap files
|
|
||||||
*~
|
|
||||||
*#
|
|
||||||
*.swp
|
|
4
Makefile
4
Makefile
@ -4,8 +4,8 @@
|
|||||||
|
|
||||||
SOURCE=eole-lemonldap
|
SOURCE=eole-lemonldap
|
||||||
VERSION=0.1
|
VERSION=0.1
|
||||||
EOLE_VERSION=2.7
|
EOLE_VERSION=2.6
|
||||||
EOLE_RELEASE=2.7.2
|
EOLE_RELEASE=2.6.2
|
||||||
PKGAPPS=non
|
PKGAPPS=non
|
||||||
#FLASK_MODULE=<APPLICATION>
|
#FLASK_MODULE=<APPLICATION>
|
||||||
|
|
||||||
|
28
README.md
28
README.md
@ -10,14 +10,14 @@ LemonLDAP::NG EOLE integration
|
|||||||
|
|
||||||
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
|
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
|
||||||
|
|
||||||
#### LemonLDAP::NG repository (if you use EOLE 2.8.X this is not needed anymore)
|
#### LemonLDAP::NG repository
|
||||||
|
|
||||||
* deb https://lemonldap-ng.org/deb stable main
|
* deb https://lemonldap-ng.org/deb 1.9 main
|
||||||
* deb-src https://lemonldap-ng.org/deb stable main
|
* deb-src https://lemonldap-ng.org/deb 1.9 main
|
||||||
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
|
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
|
||||||
|
|
||||||
#### Cadoles Repository
|
#### Cadoles Repository
|
||||||
* deb [ arch=all ] https://vulcain.cadoles.com 2.7.2-dev main
|
* deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
|
||||||
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
|
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
|
||||||
|
|
||||||
### Install packages
|
### Install packages
|
||||||
@ -33,28 +33,18 @@ Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui"
|
|||||||
|
|
||||||
* Fill LemonLDAP configuration
|
* Fill LemonLDAP configuration
|
||||||
|
|
||||||
#### On Scribe
|
#### Nginx Web case
|
||||||
|
|
||||||
* LemonLDAP::NG is configured to use the local LDAP service
|
|
||||||
* We register the supplementary host names to the AD DNS
|
|
||||||
* We add the supplementary host names to the `ssl_subjectalt_names`
|
|
||||||
|
|
||||||
#### Manual configuration
|
|
||||||
|
|
||||||
##### Nginx Web case
|
|
||||||
|
|
||||||
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
|
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
|
||||||
not be served properly, so we need to disable this function
|
not be served properly, so we need to disable this function
|
||||||
|
|
||||||
GenConfig -> Services -> Activer la publication d’applications web par Nginx -> "Non'
|
GenConfig -> Services -> Activer la publication d’applications web par Nginx -> "Non'
|
||||||
|
|
||||||
##### Configuration DNS
|
#### Configuration DNS
|
||||||
|
|
||||||
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
|
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
|
||||||
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
|
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
|
||||||
|
|
||||||
##### Configuration LDAP
|
#### Configuration LDAP
|
||||||
|
|
||||||
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
|
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
|
||||||
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
|
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
|
||||||
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
|
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
|
||||||
@ -62,14 +52,14 @@ GenConfig -> Services -> Activer la publication d’applications web par Nginx -
|
|||||||
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
|
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
|
||||||
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
|
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
|
||||||
|
|
||||||
##### Configuration CAS
|
#### Configuration CAS
|
||||||
|
|
||||||
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
|
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
|
||||||
|
|
||||||
* GenConfig -> Lemonldap -> Nom de l'attribut CAS
|
* GenConfig -> Lemonldap -> Nom de l'attribut CAS
|
||||||
* GenConfig -> Lemonldap -> Attribut LDAP équivalent
|
* GenConfig -> Lemonldap -> Attribut LDAP équivalent
|
||||||
|
|
||||||
##### SSL issues
|
### SSL issues
|
||||||
|
|
||||||
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
|
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
|
||||||
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)
|
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)
|
||||||
|
@ -31,7 +31,7 @@ def getSSOFilters():
|
|||||||
""" Convert former eole-sso filters to LemonLDAP filters
|
""" Convert former eole-sso filters to LemonLDAP filters
|
||||||
"""
|
"""
|
||||||
import glob
|
import glob
|
||||||
from configparser import ConfigParser
|
from ConfigParser import ConfigParser
|
||||||
|
|
||||||
try:
|
try:
|
||||||
filters = { 'uid': "uid", "mail": "mail" }
|
filters = { 'uid': "uid", "mail": "mail" }
|
||||||
|
1
debian/compat
vendored
Normal file
1
debian/compat
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
9
|
30
debian/control
vendored
Normal file
30
debian/control
vendored
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
Source: eole-lemonldap
|
||||||
|
Section: web
|
||||||
|
Priority: optional
|
||||||
|
Maintainer: Cadoles <eole@ac-dijon.fr>
|
||||||
|
Build-Depends: debhelper (>= 9)
|
||||||
|
Standards-Version: 3.9.3
|
||||||
|
Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
|
||||||
|
Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
|
||||||
|
Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
|
||||||
|
|
||||||
|
Package: eole-lemonldap
|
||||||
|
Architecture: all
|
||||||
|
Depends: ${misc:Depends}, eole-lemonldap-pkg
|
||||||
|
Conflicts: eole-sso
|
||||||
|
Provides: eole-sso
|
||||||
|
Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
|
||||||
|
.
|
||||||
|
Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.
|
||||||
|
|
||||||
|
Package: eole-lemonldap-pkg
|
||||||
|
Architecture: all
|
||||||
|
Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fastcgi-server,
|
||||||
|
libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
|
||||||
|
libxml-simple-perl, libcgi-compile-perl, libmouse-perl, libio-string-perl, libnet-openid-server-perl,
|
||||||
|
libemail-sender-perl, libgd-securityimage-perl, libimage-magick-perl, libnet-ldap-perl,
|
||||||
|
libunicode-string-perl, libsoap-lite-perl, libhtml-template-perl, libcache-cache-perl,
|
||||||
|
libdbi-perl, perl-modules, libwww-perl
|
||||||
|
Description: Paquet de dépendances pour eole-lemonldap.
|
||||||
|
.
|
||||||
|
Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.
|
44
debian/copyright
vendored
Normal file
44
debian/copyright
vendored
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
|
||||||
|
Upstream-Name: {PROJECT}
|
||||||
|
Source: {URL}
|
||||||
|
|
||||||
|
Files: *
|
||||||
|
Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
|
||||||
|
License: {UPSTREAM LICENSE}
|
||||||
|
|
||||||
|
Files: debian/*
|
||||||
|
Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
|
||||||
|
License: CeCILL-2
|
||||||
|
|
||||||
|
License: {UPSTREAM LICENSE}
|
||||||
|
{TEXT OF THE LICENSE}
|
||||||
|
|
||||||
|
License: CeCILL-2
|
||||||
|
This software is governed by the CeCILL-2 license under French law and
|
||||||
|
abiding by the rules of distribution of free software. You can use,
|
||||||
|
modify and or redistribute the software under the terms of the CeCILL-2
|
||||||
|
license as circulated by CEA, CNRS and INRIA at the following URL
|
||||||
|
"http://www.cecill.info";.
|
||||||
|
.
|
||||||
|
As a counterpart to the access to the source code and rights to copy,
|
||||||
|
modify and redistribute granted by the license, users are provided only
|
||||||
|
with a limited warranty and the software's author, the holder of the
|
||||||
|
economic rights, and the successive licensors have only limited
|
||||||
|
liability.
|
||||||
|
.
|
||||||
|
In this respect, the user's attention is drawn to the risks associated
|
||||||
|
with loading, using, modifying and/or developing or reproducing the
|
||||||
|
software by the user in light of its specific status of free software,
|
||||||
|
that may mean that it is complicated to manipulate, and that also
|
||||||
|
therefore means that it is reserved for developers and experienced
|
||||||
|
professionals having in-depth computer knowledge. Users are therefore
|
||||||
|
encouraged to load and test the software's suitability as regards their
|
||||||
|
requirements in conditions enabling the security of their systems and/or
|
||||||
|
data to be ensured and, more generally, to use and operate it in the
|
||||||
|
same conditions as regards security.
|
||||||
|
.
|
||||||
|
The fact that you are presently reading this means that you have had
|
||||||
|
knowledge of the CeCILL-2 license and that you accept its terms.
|
||||||
|
.
|
||||||
|
On Eole systems, the complete text of the CeCILL-2 License can be found
|
||||||
|
in '/usr/share/common-licenses/CeCILL-2-en'.
|
1
debian/eole-lemonldap.install
vendored
Normal file
1
debian/eole-lemonldap.install
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
usr
|
3
debian/gbp.conf
vendored
Normal file
3
debian/gbp.conf
vendored
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
# Set per distribution debian tag
|
||||||
|
[DEFAULT]
|
||||||
|
debian-tag = debian/eole/%(version)s
|
8
debian/rules
vendored
Executable file
8
debian/rules
vendored
Executable file
@ -0,0 +1,8 @@
|
|||||||
|
#!/usr/bin/make -f
|
||||||
|
# -*- makefile -*-
|
||||||
|
|
||||||
|
# Uncomment this to turn on verbose mode.
|
||||||
|
#export DH_VERBOSE=1
|
||||||
|
|
||||||
|
%:
|
||||||
|
dh $@
|
BIN
debian/source/.format.un~
vendored
Normal file
BIN
debian/source/.format.un~
vendored
Normal file
Binary file not shown.
1
debian/source/format
vendored
Normal file
1
debian/source/format
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
3.0 (native)
|
@ -1,7 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
if [ $(CreoleGet activerLemon 'non') = 'oui' ]
|
if [ $(CreoleGet activerLemon) = "oui" ];then
|
||||||
then
|
|
||||||
. /usr/lib/eole/diagnose.sh
|
. /usr/lib/eole/diagnose.sh
|
||||||
manager=$(CreoleGet managerWebName)
|
manager=$(CreoleGet managerWebName)
|
||||||
portal=$(CreoleGet authWebName)
|
portal=$(CreoleGet authWebName)
|
||||||
|
@ -1,111 +1,69 @@
|
|||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<creole>
|
<creole>
|
||||||
|
|
||||||
<files>
|
<files>
|
||||||
<file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
|
<!-- Je suis un commentaire -->
|
||||||
<file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
|
<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
|
||||||
<file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
|
<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
|
||||||
|
<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
|
||||||
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
|
<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
|
||||||
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
|
<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
|
||||||
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
|
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
|
||||||
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/nginx-lmlog.conf' mkdir='True' rm='True'/>
|
<file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
|
||||||
|
<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
|
||||||
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/manager-apache2.X.conf' mkdir='True' rm='True'/>
|
<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
|
||||||
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/handler-apache2.X.conf' mkdir='True' rm='True'/>
|
<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
|
||||||
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/portal-apache2.X.conf' mkdir='True' rm='True'/>
|
<service>lemonldap-ng-fastcgi-server</service>
|
||||||
|
|
||||||
<service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
|
|
||||||
|
|
||||||
<service method='apache' servicelist='lemonldap-apache'>manager-apache2</service>
|
|
||||||
<service method='apache' servicelist='lemonldap-apache'>portal-apache2</service>
|
|
||||||
<service method='apache' servicelist='lemonldap-apache'>handler-apache2</service>
|
|
||||||
|
|
||||||
<service_access service='nginx'>
|
<service_access service='nginx'>
|
||||||
<port service_accesslist="saLemon">80</port>
|
<port service_accesslist="saLemon">80</port>
|
||||||
<port service_accesslist="saLemon">443</port>
|
<port service_accesslist="saLemon">443</port>
|
||||||
</service_access>
|
</service_access>
|
||||||
</files>
|
</files>
|
||||||
|
|
||||||
<variables>
|
<variables>
|
||||||
<family name='eole-sso'>
|
|
||||||
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
|
|
||||||
<value>/cas</value>
|
|
||||||
</variable>
|
|
||||||
<variable name='eolesso_port' redefine="True" exists='True'>
|
|
||||||
<value>443</value>
|
|
||||||
</variable>
|
|
||||||
</family>
|
|
||||||
<family name='Services'>
|
<family name='Services'>
|
||||||
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
|
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
|
||||||
<value>non</value>
|
<value>non</value>
|
||||||
</variable>
|
</variable>
|
||||||
</family>
|
</family>
|
||||||
|
<family name='LemonLDAP'>
|
||||||
<family name='LemonLDAP' icon='lemon'>
|
|
||||||
|
|
||||||
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
|
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
|
||||||
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
|
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
|
||||||
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
|
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
|
||||||
|
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
|
||||||
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
|
|
||||||
<value>LDAP</value>
|
|
||||||
</variable>
|
|
||||||
|
|
||||||
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
|
|
||||||
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
|
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
|
||||||
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
|
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
|
||||||
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
|
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
|
||||||
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
|
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
|
||||||
<variable name='ldapBindUserPassword' type='password' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
|
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
|
||||||
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
|
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
|
||||||
<variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP">
|
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
|
||||||
<value>oui</value>
|
|
||||||
</variable>
|
|
||||||
|
|
||||||
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
|
|
||||||
<value>4</value>
|
<value>4</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
|
||||||
<variable name="lm_loglevel" type='string' description="Verbosité des journaux" mode='expert'>
|
|
||||||
<value>info</value>
|
|
||||||
</variable>
|
|
||||||
|
|
||||||
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
|
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
|
||||||
<value>admin</value>
|
<value>admin</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
<variable name="nginxBucketSize" type='number' description="Taille du hash des noms de serveur pour NGINX" mode='expert'>
|
||||||
|
<value>64</value>
|
||||||
|
</variable>
|
||||||
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
|
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
|
||||||
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
|
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
|
||||||
|
|
||||||
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
|
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
|
||||||
<value>cas</value>
|
<value>cas</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True'>
|
||||||
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True' exists='False'>
|
|
||||||
<value>oui</value>
|
<value>oui</value>
|
||||||
</variable>
|
</variable>
|
||||||
|
|
||||||
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
|
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
|
||||||
|
<variable name='ssoDebug' type='string' description="Activer le Debug pour la lib php-CAS" mode="expert">
|
||||||
|
<value>non</value>
|
||||||
|
</variable>
|
||||||
<variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG">
|
<variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG">
|
||||||
<value>bootstrap</value>
|
<value>bootstrap</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
|
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
|
||||||
<value>non</value>
|
<value>non</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe par mail">
|
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
|
||||||
<value>oui</value>
|
|
||||||
</variable>
|
|
||||||
<variable name='llChangePassword' type='oui/non' description="Permettre aux utilisateurs de changer leurs mots de passe depuis LemonLDAP">
|
|
||||||
<value>oui</value>
|
|
||||||
</variable>
|
|
||||||
<variable name='llADPasswordMaxAge' type='number' description="Durée de vie des mots de passe (en secondes)" mode='expert'>
|
|
||||||
<value>5184000</value>
|
|
||||||
</variable>
|
|
||||||
<variable name='llADPasswordExpireWarn' type='number' description="Délai avant affichage d'un message d'alerte sur l'expiration du mot de passe (en secondes)">
|
|
||||||
<value>3456000</value>
|
|
||||||
</variable>
|
|
||||||
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
|
|
||||||
<value>oui</value>
|
<value>oui</value>
|
||||||
</variable>
|
</variable>
|
||||||
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
|
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
|
||||||
@ -115,18 +73,14 @@
|
|||||||
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
|
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
|
||||||
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
|
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
|
||||||
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
|
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
|
||||||
|
|
||||||
</family>
|
</family>
|
||||||
|
|
||||||
<separators>
|
<separators>
|
||||||
<separator name="managerWebName">Configuration DNS</separator>
|
<separator name="managerWebName">Configuration DNS</separator>
|
||||||
<separator name="ldapScheme">Configuration LDAP</separator>
|
<separator name="ldapScheme">Configuration LDAP</separator>
|
||||||
<separator name="casAttribute">Configuration CAS</separator>
|
<separator name="casAttribute">Configuration CAS</separator>
|
||||||
<separator name="llSkin">Personnalisation de la mire SSO</separator>
|
<separator name="llSkin">Personnalisation de la mire SSO</separator>
|
||||||
</separators>
|
</separators>
|
||||||
|
|
||||||
</variables>
|
</variables>
|
||||||
|
|
||||||
<constraints>
|
<constraints>
|
||||||
<fill name='concat' target='managerWebName'>
|
<fill name='concat' target='managerWebName'>
|
||||||
<param>manager.</param>
|
<param>manager.</param>
|
||||||
@ -144,54 +98,22 @@
|
|||||||
<param>SAML</param>
|
<param>SAML</param>
|
||||||
<param type='eole'>nom_domaine_local</param>
|
<param type='eole'>nom_domaine_local</param>
|
||||||
</fill>
|
</fill>
|
||||||
|
|
||||||
<check name="valid_enum" target="ldapScheme">
|
<check name="valid_enum" target="ldapScheme">
|
||||||
<param>['ldaps','ldap']</param>
|
<param>['ldaps','ldap']</param>
|
||||||
</check>
|
</check>
|
||||||
|
|
||||||
<check name="valid_enum" target="lemon_user_db">
|
|
||||||
<param>['LDAP','AD']</param>
|
|
||||||
</check>
|
|
||||||
|
|
||||||
<check name='valid_enum' target="lm_loglevel">
|
|
||||||
<param>['info','notice','warn','error','debug']</param>
|
|
||||||
</check>
|
|
||||||
|
|
||||||
<check name="valid_enum" target="llRegisterDB">
|
<check name="valid_enum" target="llRegisterDB">
|
||||||
<param>['LDAP','AD','Demo','Custom']</param>
|
<param>['LDAP','Demo','Custom']</param>
|
||||||
</check>
|
</check>
|
||||||
<group master="casAttribute">
|
<group master="casAttribute">
|
||||||
<slave>casLDAPAttribute</slave>
|
<slave>casLDAPAttribute</slave>
|
||||||
</group>
|
</group>
|
||||||
|
|
||||||
<condition name='disabled_if_not_in' source='lemon_user_db'>
|
|
||||||
<param>AD</param>
|
|
||||||
<target type='variable'>llADPasswordMaxAge</target>
|
|
||||||
<target type='variable'>llADPasswordExpireWarn</target>
|
|
||||||
</condition>
|
|
||||||
|
|
||||||
<condition name='disabled_if_in' source='activerLemon'>
|
<condition name='disabled_if_in' source='activerLemon'>
|
||||||
<param>non</param>
|
<param>non</param>
|
||||||
<target type='filelist'>lemonldap</target>
|
<target type='filelist'>lemon</target>
|
||||||
<target type='filelist'>lemonldap-nginx</target>
|
<target type='filelist'>lemonCAS</target>
|
||||||
<target type='filelist'>lemonldap-apache</target>
|
|
||||||
<target type='servicelist'>lemonldap-apache</target>
|
|
||||||
<target type='servicelist'>sllemon</target>
|
|
||||||
<target type='family'>LemonLDAP</target>
|
<target type='family'>LemonLDAP</target>
|
||||||
<target type='service_accesslist'>saLemon</target>
|
<target type='service_accesslist'>saLemon</target>
|
||||||
</condition>
|
</condition>
|
||||||
|
|
||||||
<condition name="disabled_if_in" source="activer_nginx_web" fallback="True">
|
|
||||||
<param>non</param>
|
|
||||||
<target type='filelist'>lemonldap-nginx</target>
|
|
||||||
</condition>
|
|
||||||
|
|
||||||
<condition name="disabled_if_in" source="activer_apache" fallback="True">
|
|
||||||
<param>non</param>
|
|
||||||
<target type='filelist'>lemonldap-apache</target>
|
|
||||||
<target type='servicelist'>lemonldap-apache</target>
|
|
||||||
</condition>
|
|
||||||
|
|
||||||
<condition name='disabled_if_in' source='llRegisterAccount'>
|
<condition name='disabled_if_in' source='llRegisterAccount'>
|
||||||
<param>non</param>
|
<param>non</param>
|
||||||
<target type='variable'>llRegisterDB</target>
|
<target type='variable'>llRegisterDB</target>
|
||||||
@ -203,21 +125,18 @@
|
|||||||
<condition name='disabled_if_in' source='llResetPassword'>
|
<condition name='disabled_if_in' source='llResetPassword'>
|
||||||
<param>non</param>
|
<param>non</param>
|
||||||
<target type='variable'>llResetUrl</target>
|
<target type='variable'>llResetUrl</target>
|
||||||
<target type='variable'>llResetExpiredPassword</target>
|
|
||||||
</condition>
|
</condition>
|
||||||
<check name='valid_enum' target='llSkin'>
|
<check name='valid_enum' target='llSkin'>
|
||||||
<param>['bootstrap','dark','impact','pastel']</param>
|
<param>['bootstrap','dark','impact','pastel']</param>
|
||||||
<param name="checkval">False</param>
|
<param name="checkval">False</param>
|
||||||
</check>
|
</check>
|
||||||
</constraints>
|
</constraints>
|
||||||
|
|
||||||
<help>
|
<help>
|
||||||
<family name='LemonLDAP'>Configuration de la solution d'authentification unique LemonLDAP::NG</family>
|
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
|
||||||
<variable name='activerLemon'>Activer le service LemonLDAP::NG sur ce serveur</variable>
|
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
|
||||||
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable>
|
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
|
||||||
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable>
|
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
|
||||||
<variable name='ldapUserBaseDN'>DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr)</variable>
|
<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
|
||||||
<variable name='ldapBindUserDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
|
|
||||||
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
|
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
|
||||||
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
|
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
|
||||||
</help>
|
</help>
|
||||||
|
@ -1,80 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="utf-8"?>
|
|
||||||
<creole>
|
|
||||||
|
|
||||||
<files />
|
|
||||||
|
|
||||||
<variables>
|
|
||||||
|
|
||||||
<family name='eole sso'>
|
|
||||||
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
|
|
||||||
</family>
|
|
||||||
|
|
||||||
</variables>
|
|
||||||
|
|
||||||
<constraints>
|
|
||||||
<fill name='calc_multi_condition' target='activer_sso'>
|
|
||||||
<param>oui</param>
|
|
||||||
<param type='eole' name='condition_1'>activerLemon</param>
|
|
||||||
<param name='match'>distant</param>
|
|
||||||
<param name='default_mismatch'>local</param>
|
|
||||||
</fill>
|
|
||||||
|
|
||||||
<condition name='frozen_if_in' source='activerLemon'>
|
|
||||||
<param>oui</param>
|
|
||||||
<target type='variable'>activer_sso</target>
|
|
||||||
</condition>
|
|
||||||
|
|
||||||
|
|
||||||
<fill name='calc_val_first_value' target='eolesso_adresse'>
|
|
||||||
<param type='eole' optional='True' hidden='False'>authWebName</param>
|
|
||||||
<param type='eole' optional='True' hidden='False'>web_url</param>
|
|
||||||
<param type='eole'>nom_domaine_machine</param>
|
|
||||||
</fill>
|
|
||||||
|
|
||||||
<condition name='frozen_if_in' source='activerLemon'>
|
|
||||||
<param>oui</param>
|
|
||||||
<target type='variable'>eolesso_adresse</target>
|
|
||||||
</condition>
|
|
||||||
|
|
||||||
<auto name='calc_multi_condition' target='ldapScheme'>
|
|
||||||
<param>oui</param>
|
|
||||||
<param type='eole' name='condition_1'>ldap_tls</param>
|
|
||||||
<param name='match'>ldaps</param>
|
|
||||||
<param name='default_mismatch'>ldap</param>
|
|
||||||
</auto>
|
|
||||||
|
|
||||||
<auto name='calc_val' target='ldapServer'>
|
|
||||||
<param type='eole'>adresse_ip_ldap</param>
|
|
||||||
</auto>
|
|
||||||
|
|
||||||
<auto name='calc_val' target='ldapServerPort'>
|
|
||||||
<param type='eole'>ldap_port</param>
|
|
||||||
</auto>
|
|
||||||
|
|
||||||
<auto name='calc_val' target='lemon_user_db'>
|
|
||||||
<param>LDAP</param>
|
|
||||||
</auto>
|
|
||||||
|
|
||||||
<auto name='calc_val' target='llRegisterDB'>
|
|
||||||
<param>LDAP</param>
|
|
||||||
</auto>
|
|
||||||
<auto name='calc_val' target='ldapUserBaseDN'>
|
|
||||||
<param type='eole'>ldap_base_dn</param>
|
|
||||||
</auto>
|
|
||||||
<auto name='calc_val' target='ldapBindUserDN'>
|
|
||||||
<param type='eole'>ldap_reader</param>
|
|
||||||
</auto>
|
|
||||||
|
|
||||||
<auto name='calc_val' target='ldapBindUserPassword'>
|
|
||||||
<param type='eole'>ldap_reader_passfile</param>
|
|
||||||
</auto>
|
|
||||||
|
|
||||||
<auto name='calc_val' target='casFolder'>
|
|
||||||
<param type='eole'>eolesso_cas_folder</param>
|
|
||||||
</auto>
|
|
||||||
|
|
||||||
</constraints>
|
|
||||||
|
|
||||||
<help />
|
|
||||||
|
|
||||||
</creole>
|
|
@ -1,2 +0,0 @@
|
|||||||
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs
|
|
||||||
lemonldap-ng_DATA_DIR := $(eole_DIR)/lemonldap-ng
|
|
1
eole-lemonldap.mk
Normal file
1
eole-lemonldap.mk
Normal file
@ -0,0 +1 @@
|
|||||||
|
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs
|
@ -1,102 +0,0 @@
|
|||||||
package Lemonldap::NG::Portal::UserDB::LDAP;
|
|
||||||
|
|
||||||
use strict;
|
|
||||||
use Mouse;
|
|
||||||
use utf8;
|
|
||||||
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
|
|
||||||
|
|
||||||
extends 'Lemonldap::NG::Portal::Lib::LDAP';
|
|
||||||
|
|
||||||
our $VERSION = '2.0.6';
|
|
||||||
|
|
||||||
has ldapGroupAttributeNameSearch => (
|
|
||||||
is => 'rw',
|
|
||||||
lazy => 1,
|
|
||||||
builder => sub {
|
|
||||||
my $attributes = [];
|
|
||||||
@$attributes =
|
|
||||||
split( /\s+/, $_[0]->{conf}->{ldapGroupAttributeNameSearch} )
|
|
||||||
if $_[0]->{conf}->{ldapGroupAttributeNameSearch};
|
|
||||||
push( @$attributes, $_[0]->{conf}->{ldapGroupAttributeNameGroup} )
|
|
||||||
if ( $_[0]->{conf}->{ldapGroupRecursive}
|
|
||||||
and $_[0]->{conf}->{ldapGroupAttributeNameGroup} ne "dn" );
|
|
||||||
return $attributes;
|
|
||||||
}
|
|
||||||
);
|
|
||||||
|
|
||||||
# RUNNING METHODS
|
|
||||||
#
|
|
||||||
# getUser is provided by Portal::Lib::LDAP
|
|
||||||
|
|
||||||
# Load all parameters included in exportedVars parameter.
|
|
||||||
# Multi-value parameters are loaded in a single string with
|
|
||||||
# a separator (param multiValuesSeparator)
|
|
||||||
# @return Lemonldap::NG::Portal constant
|
|
||||||
sub setSessionInfo {
|
|
||||||
my ( $self, $req ) = @_;
|
|
||||||
$req->{sessionInfo}->{_dn} = $req->data->{dn};
|
|
||||||
|
|
||||||
my %vars = ( %{ $self->conf->{exportedVars} },
|
|
||||||
%{ $self->conf->{ldapExportedVars} } );
|
|
||||||
while ( my ( $k, $v ) = each %vars ) {
|
|
||||||
|
|
||||||
# getLdapValue returns an empty string for missing attribute
|
|
||||||
# but we really want to return undef so they don't get stored in session
|
|
||||||
$req->sessionInfo->{$k} =
|
|
||||||
$self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
|
|
||||||
}
|
|
||||||
|
|
||||||
PE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Load all groups in $groups.
|
|
||||||
# @return Lemonldap::NG::Portal constant
|
|
||||||
sub setGroups {
|
|
||||||
my ( $self, $req ) = @_;
|
|
||||||
my $groups = $req->{sessionInfo}->{groups};
|
|
||||||
my $hGroups = $req->{sessionInfo}->{hGroups};
|
|
||||||
|
|
||||||
if ( $self->conf->{ldapGroupBase} ) {
|
|
||||||
|
|
||||||
# Get value for group search
|
|
||||||
my $group_value = $self->ldap->getLdapValue( $req->data->{ldapentry},
|
|
||||||
$self->conf->{ldapGroupAttributeNameUser} );
|
|
||||||
|
|
||||||
if ( $self->conf->{ldapGroupDecodeSearchedValue} ) {
|
|
||||||
utf8::decode($group_value);
|
|
||||||
}
|
|
||||||
|
|
||||||
$self->logger->debug( "Searching LDAP groups in "
|
|
||||||
. $self->conf->{ldapGroupBase}
|
|
||||||
. " for $group_value" );
|
|
||||||
|
|
||||||
# Call searchGroups
|
|
||||||
my $ldapGroups = $self->ldap->searchGroups(
|
|
||||||
$self->conf->{ldapGroupBase},
|
|
||||||
$self->conf->{ldapGroupAttributeName},
|
|
||||||
$group_value,
|
|
||||||
$self->ldapGroupAttributeNameSearch,
|
|
||||||
$req->{ldapGroupDuplicateCheck}
|
|
||||||
);
|
|
||||||
|
|
||||||
foreach ( keys %$ldapGroups ) {
|
|
||||||
my $groupName = $_;
|
|
||||||
$hGroups->{$groupName} = $ldapGroups->{$groupName};
|
|
||||||
my $groupValues = [];
|
|
||||||
foreach ( @{ $self->ldapGroupAttributeNameSearch } ) {
|
|
||||||
next if $_ =~ /^name$/;
|
|
||||||
my $firstValue = $ldapGroups->{$groupName}->{$_}->[0];
|
|
||||||
push @$groupValues, $firstValue;
|
|
||||||
}
|
|
||||||
$groups .= $self->conf->{multiValuesSeparator} if $groups;
|
|
||||||
$groups .= join( '|', @$groupValues );
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
$req->{sessionInfo}->{groups} = $groups;
|
|
||||||
$req->{sessionInfo}->{hGroups} = $hGroups;
|
|
||||||
PE_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
1;
|
|
@ -1,20 +0,0 @@
|
|||||||
--- /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm.old 2019-12-11 12:05:54.000000000 +0100
|
|
||||||
+++ /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm 2021-01-05 10:54:19.188732119 +0100
|
|
||||||
@@ -40,10 +40,15 @@
|
|
||||||
%{ $self->conf->{ldapExportedVars} } );
|
|
||||||
while ( my ( $k, $v ) = each %vars ) {
|
|
||||||
|
|
||||||
+ my $value = $self->ldap->getLdapValue( $req->data->{ldapentry}, $v );
|
|
||||||
+
|
|
||||||
# getLdapValue returns an empty string for missing attribute
|
|
||||||
# but we really want to return undef so they don't get stored in session
|
|
||||||
- $req->sessionInfo->{$k} =
|
|
||||||
- $self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
|
|
||||||
+ # This has to be a string comparison because "0" is a valid attribute
|
|
||||||
+ # value. See #2403
|
|
||||||
+ $value = undef if ( $value eq "" );
|
|
||||||
+
|
|
||||||
+ $req->sessionInfo->{$k} = $value;
|
|
||||||
}
|
|
||||||
|
|
||||||
PE_OK;
|
|
@ -1,45 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0
|
|
||||||
|
|
||||||
[ -f /usr/lib/eole/eolead.sh ] || exit 0
|
|
||||||
|
|
||||||
. /usr/lib/eole/eolead.sh
|
|
||||||
# ScribeAD/HorusAD
|
|
||||||
. $CONTAINER_ROOTFS/etc/eole/samba4-vars.conf
|
|
||||||
DNS_IP="${CONTAINER_IP}"
|
|
||||||
CONTAINER_EXEC='lxc-attach -n addc --'
|
|
||||||
|
|
||||||
EXT_IP=$(CreoleGet adresse_ip_eth0)
|
|
||||||
|
|
||||||
for service in manager auth reload
|
|
||||||
do
|
|
||||||
fqdn=$(CreoleGet "${service}WebName")
|
|
||||||
service_addr=$(dig "@${DNS_IP}" "${fqdn}" +short)
|
|
||||||
if [ "${service_addr}" != "${EXT_IP}" ]
|
|
||||||
then
|
|
||||||
${CONTAINER_EXEC} kinit "${AD_HOST_NAME^^}@${AD_REALM^^}" -k -t "${AD_HOST_KEYTAB_FILE}"
|
|
||||||
if [ -n "${service_addr}" ]
|
|
||||||
then
|
|
||||||
echo -n "Suppression de l’enregistrement DNS '${fqdn} IN A ${service_addr}' : "
|
|
||||||
$CONTAINER_EXEC samba-tool \
|
|
||||||
dns \
|
|
||||||
delete \
|
|
||||||
"${AD_HOST_NAME}.${AD_REALM}" \
|
|
||||||
"${AD_REALM}" \
|
|
||||||
"${fqdn}" A "${service_addr}" \
|
|
||||||
-k 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo -n "Ajout de l’enregistrement DNS '${fqdn} IN A ${EXT_IP}' : "
|
|
||||||
$CONTAINER_EXEC samba-tool \
|
|
||||||
dns \
|
|
||||||
add \
|
|
||||||
"${AD_HOST_NAME}.${AD_REALM}" \
|
|
||||||
"${AD_REALM}" \
|
|
||||||
"${fqdn}" A "${EXT_IP}" \
|
|
||||||
-k 1
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
exit 0
|
|
@ -1,12 +1,9 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
|
|
||||||
[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0
|
|
||||||
|
|
||||||
# Updating Configuration cache
|
# Updating Configuration cache
|
||||||
|
|
||||||
cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
|
cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
|
||||||
opt="update-cache"
|
opt="update-cache"
|
||||||
|
|
||||||
# Updating Configuration cache
|
res=$(${cmd} ${opt} 2>&1)
|
||||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1
|
exit ${?}
|
||||||
|
@ -1,8 +1,5 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Don't run on ScribeAD
|
|
||||||
[ ! -f /usr/lib/eole/eolead.sh ] || exit 0
|
|
||||||
|
|
||||||
ENABLE=$(CreoleGet activerLemon 'non')
|
ENABLE=$(CreoleGet activerLemon 'non')
|
||||||
HOSTS="/etc/hosts"
|
HOSTS="/etc/hosts"
|
||||||
|
|
17
posttemplate/70-lemon-nginx
Executable file
17
posttemplate/70-lemon-nginx
Executable file
@ -0,0 +1,17 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
ENABLE=$(CreoleGet activerLemon 'non')
|
||||||
|
CONF_FILES="manager-nginx.conf"
|
||||||
|
CONF_FILES="${CONF_FILES} handler-nginx.conf"
|
||||||
|
CONF_FILES="${CONF_FILES} portal-nginx.conf"
|
||||||
|
CONF_FILES="${CONF_FILES} test-nginx.conf"
|
||||||
|
|
||||||
|
for CONF_FILE in ${CONF_FILES}
|
||||||
|
do
|
||||||
|
if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then
|
||||||
|
rm /etc/nginx/sites-enabled/${CONF_FILE}
|
||||||
|
fi
|
||||||
|
if [ "${ENABLE}" = 'oui' ];then
|
||||||
|
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
|
||||||
|
fi
|
||||||
|
done
|
@ -1,19 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
ENABLE=$(CreoleGet activerLemon 'non')
|
|
||||||
NGINX_ENABLE=$(CreoleGet activer_nginx_web 'non')
|
|
||||||
|
|
||||||
CONF_FILES="manager-nginx.conf handler-nginx.conf portal-nginx.conf"
|
|
||||||
|
|
||||||
for CONF_FILE in ${CONF_FILES}
|
|
||||||
do
|
|
||||||
if [ -e /etc/nginx/sites-enabled/${CONF_FILE} ]
|
|
||||||
then
|
|
||||||
rm /etc/nginx/sites-enabled/${CONF_FILE}
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "${ENABLE}" = 'oui' -a "${NGINX_ENABLE}" = 'oui' ]
|
|
||||||
then
|
|
||||||
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
|
|
||||||
fi
|
|
||||||
done
|
|
@ -1,12 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# vérifie si le patch est déjà appliqué
|
|
||||||
grep -q 2403 /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm && exit 0
|
|
||||||
|
|
||||||
# copie de sauvegarde
|
|
||||||
cp -a /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm /usr/share/eole/lemonldap-ng/
|
|
||||||
|
|
||||||
# application du patch
|
|
||||||
patch -d / -p 0 < /usr/share/eole/lemonldap-ng/LDAP.pm.patch
|
|
||||||
|
|
||||||
exit 0
|
|
27
tmpl/cas.inc.php.tmpl
Normal file
27
tmpl/cas.inc.php.tmpl
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
<?php
|
||||||
|
define("__CAS_SERVER", "%%authWebName");
|
||||||
|
define("__CAS_VERSION", "2.0");
|
||||||
|
define("__CAS_FOLDER", "%%casFolder");
|
||||||
|
define("__CAS_PORT", 443);
|
||||||
|
define("__CAS_PROTO", "https");
|
||||||
|
%if %%cas_send_logout == 'oui'
|
||||||
|
define("__CAS_LOGOUT", true);
|
||||||
|
%else
|
||||||
|
define("__CAS_LOGOUT", false);
|
||||||
|
%end if
|
||||||
|
%if %%getVar('activer_web_valider_ca', 'non') == 'oui'
|
||||||
|
define("__CAS_VALIDER_CA", true);
|
||||||
|
%else
|
||||||
|
define("__CAS_VALIDER_CA", false);
|
||||||
|
%end if
|
||||||
|
%if %%is_empty(%%getVar('ssoCALocation', ''))
|
||||||
|
define("__CAS_CA_LOCATION", "/etc/ssl/certs/ca.crt");
|
||||||
|
%else
|
||||||
|
define("__CAS_CA_LOCATION", "%%ssoCALocation");
|
||||||
|
%end if
|
||||||
|
%if %%getVar("ssoDebug", 'non') == "oui"
|
||||||
|
define("__CAS_DEBUG", true);
|
||||||
|
%else
|
||||||
|
define("__CAS_DEBUG", false);
|
||||||
|
%end if
|
||||||
|
?>
|
7
tmpl/eoleCASConfig.php.tmpl
Normal file
7
tmpl/eoleCASConfig.php.tmpl
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
<?php
|
||||||
|
%if %%mode_conteneur_actif != "non"
|
||||||
|
define("__CAS_IP", "%%adresse_ip_br0");
|
||||||
|
%else
|
||||||
|
define("__CAS_IP", "false");
|
||||||
|
%end if
|
||||||
|
?>
|
@ -1,78 +0,0 @@
|
|||||||
#========================================================================
|
|
||||||
# Apache configuration for LemonLDAP::NG Handler
|
|
||||||
#========================================================================
|
|
||||||
# This file implements the reload virtualhost that permits to reload
|
|
||||||
# configuration without restarting server, and some common instructions.
|
|
||||||
# You need then to declare this vhost in reloadUrls (in the manager
|
|
||||||
# interface if this server doesn't host the manager itself):
|
|
||||||
#
|
|
||||||
# KEY : VALUE
|
|
||||||
# host-or-IP:port : http://reload.domscribe.ac-test.fr/reload
|
|
||||||
#
|
|
||||||
# IMPORTANT:
|
|
||||||
# To protect applications, see test-apache.conf template in example files
|
|
||||||
|
|
||||||
# Uncomment this if no previous NameVirtualHost declaration
|
|
||||||
#NameVirtualHost "*:80"
|
|
||||||
|
|
||||||
# Load LemonLDAP::NG Handler
|
|
||||||
PerlOptions +GlobalRequest
|
|
||||||
PerlModule Lemonldap::NG::Handler::ApacheMP2
|
|
||||||
|
|
||||||
# Common error page and security parameters
|
|
||||||
ErrorDocument 403 https://%%authWebName/lmerror/403
|
|
||||||
ErrorDocument 404 https://%%authWebName/lmerror/404
|
|
||||||
ErrorDocument 500 https://%%authWebName/lmerror/500
|
|
||||||
ErrorDocument 502 https://%%authWebName/lmerror/502
|
|
||||||
ErrorDocument 503 https://%%authWebName/lmerror/503
|
|
||||||
|
|
||||||
<VirtualHost %%adresse_ip_eth0:443>
|
|
||||||
ServerName %%reloadWebName
|
|
||||||
|
|
||||||
SSLEngine on
|
|
||||||
SSLCertificateFile %%server_cert
|
|
||||||
SSLCertificateKeyFile %%server_key
|
|
||||||
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
|
||||||
SSLProtocol all -SSLv3 -SSLv2
|
|
||||||
SSLProxyEngine on
|
|
||||||
|
|
||||||
LogLevel %%lm_loglevel
|
|
||||||
|
|
||||||
ErrorLog /var/log/apache2/handler_error.log
|
|
||||||
CustomLog /var/log/apache2/handler_access.log common
|
|
||||||
# Configuration reload mechanism (only 1 per physical server is
|
|
||||||
# needed): choose your URL to avoid restarting Apache when
|
|
||||||
# configuration change
|
|
||||||
<Location /reload>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require ip 127 ::1
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Deny from all
|
|
||||||
Allow from 127.0.0.0/8 ::1
|
|
||||||
</IfVersion>
|
|
||||||
SetHandler perl-script
|
|
||||||
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# Uncomment this to activate status module
|
|
||||||
#<Location /status>
|
|
||||||
# <IfVersion >= 2.3>
|
|
||||||
# Require ip 127 ::1
|
|
||||||
# </IfVersion>
|
|
||||||
# <IfVersion < 2.3>
|
|
||||||
# Order Deny,Allow
|
|
||||||
# Deny from all
|
|
||||||
# Allow from 127.0.0.0/8 ::1
|
|
||||||
# </IfVersion>
|
|
||||||
# SetHandler perl-script
|
|
||||||
# PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status
|
|
||||||
# # You may have to uncomment the next directive to skip
|
|
||||||
# # an upper PerlHeaderParserHandler directive
|
|
||||||
# #PerlHeaderParserHandler Apache2::Const::DECLINED
|
|
||||||
#</Location>
|
|
||||||
|
|
||||||
# Uncomment this if site if you use SSL only
|
|
||||||
#Header set Strict-Transport-Security "max-age=15768000"
|
|
||||||
</VirtualHost>
|
|
@ -23,7 +23,8 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443;
|
||||||
|
ssl on;
|
||||||
%if %%cert_type == "letsencrypt"
|
%if %%cert_type == "letsencrypt"
|
||||||
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
|
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
|
||||||
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
|
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
|
||||||
@ -61,7 +62,7 @@ server {
|
|||||||
deny all;
|
deny all;
|
||||||
|
|
||||||
# Uncomment this if you use https only
|
# Uncomment this if you use https only
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
#add_header Strict-Transport-Security "max-age=15768000";
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,4 +1,3 @@
|
|||||||
%set %%boolean = {'oui': 1, 'non': 0}
|
|
||||||
;==============================================================================
|
;==============================================================================
|
||||||
; LemonLDAP::NG local configuration parameters
|
; LemonLDAP::NG local configuration parameters
|
||||||
;
|
;
|
||||||
@ -12,6 +11,9 @@
|
|||||||
; Section "configuration" is used to load global configuration and set cache
|
; Section "configuration" is used to load global configuration and set cache
|
||||||
; (replace old storage.conf file)
|
; (replace old storage.conf file)
|
||||||
;
|
;
|
||||||
|
; Section "apply" is read by Manager to reload handlers
|
||||||
|
; (replace old apply.conf file)
|
||||||
|
;
|
||||||
; Other section are only read by the specific LemonLDAP::NG component
|
; Other section are only read by the specific LemonLDAP::NG component
|
||||||
;==============================================================================
|
;==============================================================================
|
||||||
|
|
||||||
@ -32,80 +34,16 @@
|
|||||||
; Warning: this can allow malicious code in custom functions or rules
|
; Warning: this can allow malicious code in custom functions or rules
|
||||||
;useSafeJail = 0
|
;useSafeJail = 0
|
||||||
|
|
||||||
; LOGGING
|
|
||||||
;
|
|
||||||
; 1 - Defined logging level
|
|
||||||
; Set here one of error, warn, notice, info or debug
|
|
||||||
logLevel = %%lm_loglevel
|
|
||||||
; Note that this has no effect for Apache2 logging: Apache LogLevel is used
|
|
||||||
; instead
|
|
||||||
;
|
|
||||||
; 2 - Change logger
|
|
||||||
;
|
|
||||||
; By default, logging is set to:
|
|
||||||
; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers
|
|
||||||
; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx)
|
|
||||||
; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager,
|
|
||||||
; portal,...) when they are not
|
|
||||||
; launched by FastCGI server
|
|
||||||
; Other loggers availables:
|
|
||||||
; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
|
|
||||||
;
|
|
||||||
; "Std" is redirected to the web server logs for Apache. For Nginx, only if
|
|
||||||
; request failed
|
|
||||||
;
|
|
||||||
; You can overload this in this section (for all) or in another section if
|
|
||||||
; you want to change logger for a specified app.
|
|
||||||
;
|
|
||||||
; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
|
|
||||||
; (userLogger). "userLogger" uses the same class as "logger" if not set.
|
|
||||||
;logger = Lemonldap::NG::Common::Logger::Syslog
|
|
||||||
;userLogger = Lemonldap::NG::Common::Logger::Std
|
|
||||||
;
|
|
||||||
; 2.1 - Using Syslog
|
|
||||||
;
|
|
||||||
; For Syslog logging, you can also overwrite facilities. Default values:
|
|
||||||
logger = Lemonldap::NG::Common::Logger::Syslog
|
|
||||||
syslogFacility = daemon
|
|
||||||
userSyslogFacility = auth
|
|
||||||
;
|
|
||||||
; 2.2 - Using Log4perl
|
|
||||||
;
|
|
||||||
; If you want to use Log4perl, you can set these parameters. Here are default
|
|
||||||
; values:
|
|
||||||
;logger = Lemonldap::NG::Common::Logger::Log4perl
|
|
||||||
;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf
|
|
||||||
;log4perlLogger = LLNG
|
|
||||||
;log4perlUserLogger = LLNG.user
|
|
||||||
;
|
|
||||||
; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
|
|
||||||
; value points to the logger class. Example:
|
|
||||||
; log4perl.logger.LLNG = WARN, File1
|
|
||||||
; log4perl.logger.LLNG.user = INFO, File2
|
|
||||||
; ...
|
|
||||||
|
|
||||||
; CONFIGURATION CHECK
|
|
||||||
;
|
|
||||||
; LLNG verify configuration at server start. If you use "reload" mechanism,
|
|
||||||
; local cache will be updated. Configuration is checked locally every
|
|
||||||
; 10 minutes by each LLNG component. You can change this value using
|
|
||||||
; `checkTime` (time in seconds).
|
|
||||||
; To increase performances, you should comment this parameter and rely on cache.
|
|
||||||
checkTime = 1
|
|
||||||
|
|
||||||
[configuration]
|
[configuration]
|
||||||
|
|
||||||
; confTimeout: maximum time to get configuration (default 10)
|
|
||||||
;confTimeout = 5
|
|
||||||
|
|
||||||
; GLOBAL CONFIGURATION ACCESS TYPE
|
; GLOBAL CONFIGURATION ACCESS TYPE
|
||||||
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
|
; (File, SOAP, RDBI/CDBI, LDAP)
|
||||||
; Set here the parameters needed to access to LemonLDAP::NG configuration.
|
; Set here the parameters needed to access to LemonLDAP::NG configuration.
|
||||||
; You have to set "type" to one of the followings :
|
; You have to set "type" to one of the followings :
|
||||||
;
|
;
|
||||||
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
|
; * File: you have to set 'dirName' parameter. Example:
|
||||||
;
|
;
|
||||||
; type = File ; or type = YAMLFile
|
; type = File
|
||||||
; dirName = /var/lib/lemonldap-ng/conf
|
; dirName = /var/lib/lemonldap-ng/conf
|
||||||
;
|
;
|
||||||
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
|
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
|
||||||
@ -113,28 +51,17 @@ checkTime = 1
|
|||||||
;
|
;
|
||||||
; type = RDBI
|
; type = RDBI
|
||||||
; ;type = CDBI
|
; ;type = CDBI
|
||||||
; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
|
; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
|
||||||
; dbiUser = lemonldap
|
; dbiUser = lemonldap
|
||||||
; dbiPassword = password
|
; dbiPassword = password
|
||||||
;
|
;
|
||||||
; * REST: REST configuration access is a sort of proxy: the portal is
|
|
||||||
; configured to use the real session storage type (DBI or File for
|
|
||||||
; example).
|
|
||||||
; You have to set 'baseUrl' parameter. Example:
|
|
||||||
;
|
|
||||||
; type = REST
|
|
||||||
; baseUrl = https://auth.example.com/config
|
|
||||||
; proxyOptions = { timeout => 5 }
|
|
||||||
; User = lemonldap
|
|
||||||
; Password = mypassword
|
|
||||||
;
|
|
||||||
; * SOAP: SOAP configuration access is a sort of proxy: the portal is
|
; * SOAP: SOAP configuration access is a sort of proxy: the portal is
|
||||||
; configured to use the real session storage type (DBI or File for
|
; configured to use the real session storage type (DBI or File for
|
||||||
; example).
|
; example).
|
||||||
; You have to set 'proxy' parameter. Example:
|
; You have to set 'proxy' parameter. Example:
|
||||||
;
|
;
|
||||||
; type = SOAP
|
; type = SOAP
|
||||||
; proxy = https://auth.example.com/config
|
; proxy = https://auth.example.com/index.pl/config
|
||||||
; proxyOptions = { timeout => 5 }
|
; proxyOptions = { timeout => 5 }
|
||||||
; User = lemonldap
|
; User = lemonldap
|
||||||
; Password = mypassword
|
; Password = mypassword
|
||||||
@ -164,7 +91,7 @@ dirName = /var/lib/lemonldap-ng/conf
|
|||||||
; 'default_expires_in' => 600, \
|
; 'default_expires_in' => 600, \
|
||||||
; 'directory_umask' => '007', \
|
; 'directory_umask' => '007', \
|
||||||
; 'cache_root' => '/tmp', \
|
; 'cache_root' => '/tmp', \
|
||||||
; 'cache_depth' => 3, \
|
; 'cache_depth' => 0, \
|
||||||
; }
|
; }
|
||||||
localStorage=Cache::FileCache
|
localStorage=Cache::FileCache
|
||||||
localStorageOptions={ \
|
localStorageOptions={ \
|
||||||
@ -172,36 +99,38 @@ localStorageOptions={ \
|
|||||||
'default_expires_in' => 600, \
|
'default_expires_in' => 600, \
|
||||||
'directory_umask' => '007', \
|
'directory_umask' => '007', \
|
||||||
'cache_root' => '/tmp', \
|
'cache_root' => '/tmp', \
|
||||||
'cache_depth' => 3, \
|
'cache_depth' => 0, \
|
||||||
}
|
}
|
||||||
|
|
||||||
[portal]
|
[portal]
|
||||||
|
|
||||||
; PORTAL CUSTOMIZATION
|
; PERFORMANCES
|
||||||
|
; By setting useLocalConf, Portal will use only local cached configuration
|
||||||
; I - Required parameters
|
; To refresh it, you must have an handler on the same server or you have to
|
||||||
|
; restart your server. This increase performances
|
||||||
|
;useLocalConf = 1
|
||||||
|
|
||||||
; staticPrefix: relative (or URL) location of static HTML components
|
; staticPrefix: relative (or URL) location of static HTML components
|
||||||
staticPrefix = /static
|
staticPrefix = /static
|
||||||
|
|
||||||
; location of HTML templates directory
|
; location of HTML templates directory
|
||||||
templateDir = /usr/share/lemonldap-ng/portal/templates
|
templateDir = /usr/share/lemonldap-ng/portal/templates
|
||||||
|
|
||||||
; languages: available languages for portal interface
|
; languages: available languages for portal interface
|
||||||
languages = fr, en, vi, it, ar, de, fi, tr
|
languages = fr, en
|
||||||
|
; PORTAL CUSTOMIZATION
|
||||||
; II - Optional parameters (overwrite configuration)
|
|
||||||
|
|
||||||
; Name of the skin
|
; Name of the skin
|
||||||
portalSkin = %%llSkin
|
portalSkin = %%llSkin
|
||||||
; Modules displayed
|
; Modules displayed
|
||||||
;portalDisplayLogout = 1
|
;portalDisplayLogout = 1
|
||||||
portalDisplayResetPassword = %%boolean[%%llResetPassword]
|
%if %%llResetPassword == "oui"
|
||||||
portalDisplayChangePassword = %%boolean[%%llChangePassword]
|
portalDisplayResetPassword = 1
|
||||||
|
%else
|
||||||
|
portalDisplayResetPassword = 0
|
||||||
|
%end if
|
||||||
|
;portalDisplayChangePassword = 1
|
||||||
;portalDisplayAppslist = 1
|
;portalDisplayAppslist = 1
|
||||||
;portalDisplayLoginHistory = 1
|
;portalDisplayLoginHistory = 1
|
||||||
; Require the old password when changing password
|
; Require the old password when changing password
|
||||||
portalRequireOldPassword = %%boolean[%%llChangePassword]
|
;portalRequireOldPassword = 1
|
||||||
; Attribute displayed as connected user
|
; Attribute displayed as connected user
|
||||||
;portalUserAttr = mail
|
;portalUserAttr = mail
|
||||||
; Old menu HTML code
|
; Old menu HTML code
|
||||||
@ -213,17 +142,16 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
|
|||||||
; For example to use <TMPL_VAR NAME="myparam">
|
; For example to use <TMPL_VAR NAME="myparam">
|
||||||
;tpl_myparam = test
|
;tpl_myparam = test
|
||||||
|
|
||||||
; COMBINATION FORMS
|
; LOG
|
||||||
; If you want to fix forms to display, you can use this;
|
; By default, all is logged in Apache file. To log user actions by
|
||||||
;combinationForms = standardform, yubikeyform
|
; syslog, just set syslog facility here:
|
||||||
|
|
||||||
;syslog = auth
|
;syslog = auth
|
||||||
; SOAP FUNCTIONS
|
; SOAP FUNCTIONS
|
||||||
; Remove comment to activate SOAP Functions getCookies(user,pwd) and
|
; Remove comment to activate SOAP Functions getCookies(user,pwd) and
|
||||||
; error(language, code)
|
; error(language, code)
|
||||||
;Soap = 1
|
;Soap = 1
|
||||||
; Note that getAttibutes() will be activated but on a different URI
|
; Note that getAttibutes() will be activated but on a different URI
|
||||||
; (http://auth.example.com/sessions)
|
; (http://auth.example.com/index.pl/sessions)
|
||||||
; You can also restrict attributes and macros exported by getAttributes
|
; You can also restrict attributes and macros exported by getAttributes
|
||||||
;exportedAttr = uid mail
|
;exportedAttr = uid mail
|
||||||
|
|
||||||
@ -280,8 +208,8 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
|
|||||||
; Use it to be able to notify messages during authentication
|
; Use it to be able to notify messages during authentication
|
||||||
;notification = 1
|
;notification = 1
|
||||||
; Note that the SOAP function newNotification will be activated on
|
; Note that the SOAP function newNotification will be activated on
|
||||||
; http://auth.example.com/notification
|
; http://auth.example.com/index.pl/notification
|
||||||
; If you want to hide this, just protect "/index.fcgi/notification" in
|
; If you want to hide this, just protect "/index.pl/notification" in
|
||||||
; your Apache configuration file
|
; your Apache configuration file
|
||||||
; XSS protection bypass
|
; XSS protection bypass
|
||||||
; By default, the portal refuse redirections that comes from sites not
|
; By default, the portal refuse redirections that comes from sites not
|
||||||
@ -297,21 +225,6 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
|
|||||||
; Set to 0 to disable error on XSS attack detection
|
; Set to 0 to disable error on XSS attack detection
|
||||||
;checkXSS = 0
|
;checkXSS = 0
|
||||||
|
|
||||||
; pdata cookie domain
|
|
||||||
; pdata cookie could not be sent with cross domains AJAX request
|
|
||||||
; Null is default value
|
|
||||||
;pdataDomain = example.com
|
|
||||||
|
|
||||||
; CUSTOM PLUGINS
|
|
||||||
; If you want to add custom plugins, set list here (comma separated)
|
|
||||||
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
|
|
||||||
;customPlugins = ::My::Package1, ::My::Package2
|
|
||||||
|
|
||||||
; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
|
|
||||||
; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
|
|
||||||
;forceGlobalStorageUpgradeOTT = 1
|
|
||||||
;forceGlobalStorageIssuerOTT = 1
|
|
||||||
|
|
||||||
[handler]
|
[handler]
|
||||||
|
|
||||||
; Handler cache configuration
|
; Handler cache configuration
|
||||||
@ -327,7 +240,7 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
|
|||||||
|
|
||||||
; Set https to 1 if your handler protect a https website (used only for
|
; Set https to 1 if your handler protect a https website (used only for
|
||||||
; redirections to the portal)
|
; redirections to the portal)
|
||||||
https = 1
|
;https = 0
|
||||||
; Set port if your your hanlder protect a website on a non standard port
|
; Set port if your your hanlder protect a website on a non standard port
|
||||||
; - 80 for http, 443 for https (used only for redirections to the portal)
|
; - 80 for http, 443 for https (used only for redirections to the portal)
|
||||||
;port = 8080
|
;port = 8080
|
||||||
@ -339,10 +252,6 @@ status = 0
|
|||||||
;useRedirectOnForbidden = 1
|
;useRedirectOnForbidden = 1
|
||||||
; Hide LemonLDAP::NG Handler in Apache Server Signature
|
; Hide LemonLDAP::NG Handler in Apache Server Signature
|
||||||
;hideSignature = 1
|
;hideSignature = 1
|
||||||
; Set ServiceToken timeout
|
|
||||||
;handlerServiceTokenTTL = 30
|
|
||||||
; Set Impersonation/ContextSwitching prefix
|
|
||||||
; impersonationPrefix = real_
|
|
||||||
useRedirectOnError = 1
|
useRedirectOnError = 1
|
||||||
|
|
||||||
; Zimbra Handler parameters
|
; Zimbra Handler parameters
|
||||||
@ -366,6 +275,9 @@ useRedirectOnError = 1
|
|||||||
; * none : no protection
|
; * none : no protection
|
||||||
protection = manager
|
protection = manager
|
||||||
|
|
||||||
|
; logLevel. Set here one of error, warn, notice, info or debug
|
||||||
|
logLevel = warn
|
||||||
|
|
||||||
; staticPrefix: relative (or URL) location of static HTML components
|
; staticPrefix: relative (or URL) location of static HTML components
|
||||||
staticPrefix = /static
|
staticPrefix = /static
|
||||||
;
|
;
|
||||||
@ -373,29 +285,10 @@ staticPrefix = /static
|
|||||||
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
|
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
|
||||||
|
|
||||||
; languages: available languages for manager interface
|
; languages: available languages for manager interface
|
||||||
languages = fr, en, it, vi, ar, tr
|
languages = fr, en
|
||||||
|
|
||||||
; Manager modules enabled
|
; Manager modules enabled
|
||||||
; Set here the list of modules you want to see in manager interface
|
; Set here the list of modules you want to see in manager interface
|
||||||
; The first will be used as default module displayed
|
; The first will be used as default module displayed
|
||||||
;enabledModules = conf, sessions, notifications, 2ndFA, viewer
|
enabledModules = conf, sessions, notifications
|
||||||
enabledModules = conf, sessions, notifications, 2ndFA
|
|
||||||
|
|
||||||
; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
|
|
||||||
; 'conf' is set by default
|
|
||||||
;defaultModule = viewer
|
|
||||||
|
|
||||||
; Viewer module allows us to edit configuration in read-only mode
|
|
||||||
; Options can be set with specific rules like this :
|
|
||||||
;viewerAllowBrowser = $uid eq 'dwho'
|
|
||||||
;viewerAllowDiff = $uid ne 'dwho'
|
|
||||||
;
|
|
||||||
; Viewer options - Default values
|
|
||||||
;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
|
|
||||||
;viewerAllowBrowser = 0
|
|
||||||
;viewerAllowDiff = 0
|
|
||||||
|
|
||||||
;[node-handler]
|
|
||||||
;
|
|
||||||
;This section is for node-lemonldap-ng-handler
|
|
||||||
;nodeVhosts = test3.example.com, test4.example.com
|
|
||||||
|
441
tmpl/lmConf-1.js
Normal file
441
tmpl/lmConf-1.js
Normal file
@ -0,0 +1,441 @@
|
|||||||
|
%set %%ssoFilters = %%getSSOFilters
|
||||||
|
{
|
||||||
|
"ldapGroupAttributeNameUser": "dn",
|
||||||
|
"cfgAuthorIP": "172.16.0.1",
|
||||||
|
"samlSPMetaDataXML": null,
|
||||||
|
"facebookAuthnLevel": 1,
|
||||||
|
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
|
||||||
|
"secureTokenAttribute": "uid",
|
||||||
|
"singleSession": 0,
|
||||||
|
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
|
||||||
|
"CAS_pgtFile": "/tmp/pgt.txt",
|
||||||
|
"cookieName": "lemonldap",
|
||||||
|
"slaveExportedVars": {},
|
||||||
|
"whatToTrace": "_whatToTrace",
|
||||||
|
"oidcRPMetaDataOptions": {},
|
||||||
|
"notifyDeleted": 1,
|
||||||
|
"useRedirectOnError": 1,
|
||||||
|
"samlSPMetaDataExportedAttributes": null,
|
||||||
|
"ldapPwdEnc": "utf-8",
|
||||||
|
"openIdSPList": "0;",
|
||||||
|
"samlNameIDFormatMapEmail": "mail",
|
||||||
|
"samlSPMetaDataOptions": null,
|
||||||
|
"issuerDBOpenIDRule": 1,
|
||||||
|
"casStorageOptions": {},
|
||||||
|
"mailFrom": "noreply@%%nom_domaine_local",
|
||||||
|
"timeoutActivity": 0,
|
||||||
|
"oidcRPMetaDataExportedVars": {},
|
||||||
|
"issuerDBSAMLActivation": 0,
|
||||||
|
"issuerDBCASPath": "^/%%casFolder/",
|
||||||
|
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
|
||||||
|
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
|
||||||
|
"exportedHeaders": {
|
||||||
|
"test1.%%nom_domaine_local": {
|
||||||
|
"Auth-User": "$uid"
|
||||||
|
},
|
||||||
|
"test2.%%nom_domaine_local": {
|
||||||
|
"Auth-User": "$uid"
|
||||||
|
},
|
||||||
|
"%%managerWebName": {}
|
||||||
|
},
|
||||||
|
"vhostOptions": {
|
||||||
|
"%%managerWebName": {
|
||||||
|
"vhostHttps" : "1"
|
||||||
|
},
|
||||||
|
"test1.%%nom_domaine_local": {},
|
||||||
|
"test2.%%nom_domaine_local": {}
|
||||||
|
},
|
||||||
|
"radiusAuthnLevel": 3,
|
||||||
|
"dbiAuthnLevel": 2,
|
||||||
|
"ldapPasswordResetAttribute": "pwdReset",
|
||||||
|
"ldapGroupObjectClass": "groupOfNames",
|
||||||
|
"apacheAuthnLevel": 4,
|
||||||
|
"samlNameIDFormatMapKerberos": "uid",
|
||||||
|
"groups": {},
|
||||||
|
"securedCookie": 0,
|
||||||
|
"httpOnly": 1,
|
||||||
|
"yubikeyAuthnLevel": 3,
|
||||||
|
"ADPwdMaxAge": 0,
|
||||||
|
"samlUseQueryStringSpecific": 0,
|
||||||
|
"loginHistoryEnabled": 1,
|
||||||
|
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
|
||||||
|
"failedLoginNumber": 5,
|
||||||
|
"samlServicePrivateKeyEncPwd": "",
|
||||||
|
"portalForceAuthnInterval": 0,
|
||||||
|
"cfgLog": "",
|
||||||
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
|
||||||
|
"exportedVars": {
|
||||||
|
"UA": "HTTP_USER_AGENT",
|
||||||
|
%for att in %%casAttribute
|
||||||
|
"%%att": "%%att",
|
||||||
|
%end for
|
||||||
|
%set %%idx = 0
|
||||||
|
%set %%size = %%len(%%ssoFilters) - 1
|
||||||
|
%for key,value in %%ssoFilters
|
||||||
|
%if %%idx == %%size
|
||||||
|
"%%key": "%%value"
|
||||||
|
%else
|
||||||
|
"%%key": "%%value",
|
||||||
|
%end if
|
||||||
|
%set %%idx += 1
|
||||||
|
%end for
|
||||||
|
},
|
||||||
|
"notificationStorage": "File",
|
||||||
|
"applicationList": {
|
||||||
|
"1sample": {
|
||||||
|
"test2": {
|
||||||
|
"options": {
|
||||||
|
"name": "Application Test 2",
|
||||||
|
"logo": "thumbnail.png",
|
||||||
|
"uri": "https://test2.%%nom_domaine_local/",
|
||||||
|
"display": "auto",
|
||||||
|
"description": "The same simple application displaying authenticated user"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
},
|
||||||
|
"type": "category",
|
||||||
|
"catname": "Sample applications",
|
||||||
|
"test1": {
|
||||||
|
"type": "application",
|
||||||
|
"options": {
|
||||||
|
"description": "A simple application displaying authenticated user",
|
||||||
|
"uri": "https://test1.%%nom_domaine_local/",
|
||||||
|
"logo": "demo.png",
|
||||||
|
"display": "auto",
|
||||||
|
"name": "Application Test 1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"2administration": {
|
||||||
|
"notifications": {
|
||||||
|
"options": {
|
||||||
|
"name": "Notifications explorer",
|
||||||
|
"display": "auto",
|
||||||
|
"description": "Explore WebSSO notifications",
|
||||||
|
"uri": "https://%%managerWebName/notifications.pl",
|
||||||
|
"logo": "database.png"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
},
|
||||||
|
"manager": {
|
||||||
|
"options": {
|
||||||
|
"uri": "https://%%managerWebName/",
|
||||||
|
"display": "auto",
|
||||||
|
"description": "Configure LemonLDAP::NG WebSSO",
|
||||||
|
"logo": "configure.png",
|
||||||
|
"name": "WebSSO Manager"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
},
|
||||||
|
"type": "category",
|
||||||
|
"sessions": {
|
||||||
|
"type": "application",
|
||||||
|
"options": {
|
||||||
|
"description": "Explore WebSSO sessions",
|
||||||
|
"uri": "https://%%managerWebName/sessions.pl",
|
||||||
|
"logo": "database.png",
|
||||||
|
"display": "auto",
|
||||||
|
"name": "Sessions explorer"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"catname": "Administration"
|
||||||
|
},
|
||||||
|
"3documentation": {
|
||||||
|
"catname": "Documentation",
|
||||||
|
"officialwebsite": {
|
||||||
|
"type": "application",
|
||||||
|
"options": {
|
||||||
|
"name": "Offical Website",
|
||||||
|
"description": "Official LemonLDAP::NG Website",
|
||||||
|
"logo": "network.png",
|
||||||
|
"display": "on",
|
||||||
|
"uri": "http://lemonldap-ng.org/"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"type": "category",
|
||||||
|
"localdoc": {
|
||||||
|
"options": {
|
||||||
|
"logo": "help.png",
|
||||||
|
"description": "Documentation supplied with LemonLDAP::NG",
|
||||||
|
"display": "on",
|
||||||
|
"uri": "https://%%managerWebName/doc/",
|
||||||
|
"name": "Local documentation"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"userControl": "^[\\w\\.\\-@]+$",
|
||||||
|
"timeout": 72000,
|
||||||
|
"portalAntiFrame": 1,
|
||||||
|
"SMTPServer": "",
|
||||||
|
"ldapTimeout": 120,
|
||||||
|
"samlAuthnContextMapPasswordProtectedTransport": 3,
|
||||||
|
"ldapUsePasswordResetAttribute": 1,
|
||||||
|
"ldapPpolicyControl": 0,
|
||||||
|
"casAttributes": {
|
||||||
|
%for att in %%casAttribute
|
||||||
|
"%%att": "%%att.casLDAPAttribute",
|
||||||
|
%end for
|
||||||
|
%set %%idx = 0
|
||||||
|
%set %%size = %%len(%%ssoFilters) - 1
|
||||||
|
%for key,value in %%ssoFilters
|
||||||
|
%if %%idx == %%size
|
||||||
|
"%%key": "%%key"
|
||||||
|
%else
|
||||||
|
"%%key": "%%key",
|
||||||
|
%end if
|
||||||
|
%set %%idx += 1
|
||||||
|
%end for
|
||||||
|
},
|
||||||
|
"issuerDBSAMLPath": "^/saml/",
|
||||||
|
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
|
||||||
|
"portalDisplayAppslist": 1,
|
||||||
|
"confirmFormMethod": "post",
|
||||||
|
"domain": "%%nom_domaine_local",
|
||||||
|
"cfgNum": "1",
|
||||||
|
"authentication": "LDAP",
|
||||||
|
"samlNameIDFormatMapWindows": "uid",
|
||||||
|
"authChoiceModules": {},
|
||||||
|
"ldapGroupAttributeName": "member",
|
||||||
|
"samlServicePrivateKeySigPwd": "",
|
||||||
|
"googleAuthnLevel": 1,
|
||||||
|
"successLoginNumber": 5,
|
||||||
|
"localSessionStorageOptions": {
|
||||||
|
"cache_root": "/tmp",
|
||||||
|
"namespace": "lemonldap-ng-sessions",
|
||||||
|
"default_expires_in": 600,
|
||||||
|
"directory_umask": "007",
|
||||||
|
"cache_depth": 3
|
||||||
|
},
|
||||||
|
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
|
||||||
|
"portalRequireOldPassword": 1,
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
|
||||||
|
"ADPwdExpireWarning": 0,
|
||||||
|
"yubikeyPublicIDSize": 12,
|
||||||
|
"ldapGroupAttributeNameGroup": "dn",
|
||||||
|
"oidcRPMetaDataOptionsExtraClaims": null,
|
||||||
|
"ldapGroupRecursive": 0,
|
||||||
|
"mailSubject": "[LemonLDAP::NG] Your new password",
|
||||||
|
"nginxCustomHandlers": {},
|
||||||
|
"samlSPSSODescriptorAuthnRequestsSigned": 1,
|
||||||
|
%if %%llResetPassword == "oui"
|
||||||
|
"portalDisplayResetPassword": 1,
|
||||||
|
%else
|
||||||
|
"portalDisplayResetPassword": 0,
|
||||||
|
%end if
|
||||||
|
"openIdSreg_timezone": "_timezone",
|
||||||
|
"infoFormMethod": "get",
|
||||||
|
"openIdAuthnLevel": 1,
|
||||||
|
"openIdSreg_nickname": "uid",
|
||||||
|
"samlServicePublicKeyEnc": "",
|
||||||
|
"userDB": "LDAP",
|
||||||
|
"grantSessionRules": {},
|
||||||
|
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
|
||||||
|
"reloadUrls": {
|
||||||
|
"%%reloadWebName": "https://%%reloadWebName/reload"
|
||||||
|
},
|
||||||
|
"registerTimeout": 0,
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
|
||||||
|
"slaveAuthnLevel": 2,
|
||||||
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
|
||||||
|
"Soap": 1,
|
||||||
|
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
|
||||||
|
%if %%RegisterDB == "Custom"
|
||||||
|
"registerDB": "Null",
|
||||||
|
%else
|
||||||
|
"registerDB": "%%RegisterDB",
|
||||||
|
%end if
|
||||||
|
"locationRules": {
|
||||||
|
"%%managerWebName": {
|
||||||
|
"default": "$uid eq \"%%lemonAdmin\""
|
||||||
|
},
|
||||||
|
"test1.%%nom_domaine_local": {
|
||||||
|
"default": "accept",
|
||||||
|
"^/logout": "logout_sso"
|
||||||
|
},
|
||||||
|
"test2.%%nom_domaine_local": {
|
||||||
|
"default": "accept",
|
||||||
|
"^/logout": "logout_sso"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
|
||||||
|
"hideOldPassword": 0,
|
||||||
|
%if %%is_file(%%ldapBindUserPassword)
|
||||||
|
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
|
||||||
|
%else
|
||||||
|
"managerPassword": "%%ldapBindUserPassword",
|
||||||
|
%end if
|
||||||
|
"authChoiceParam": "lmAuth",
|
||||||
|
"lwpSslOpts": {},
|
||||||
|
"portalSkinRules": {},
|
||||||
|
"issuerDBOpenIDPath": "^/openidserver/",
|
||||||
|
"redirectFormMethod": "get",
|
||||||
|
"portalDisplayRegister": 1,
|
||||||
|
"secureTokenMemcachedServers": "127.0.0.1:11211",
|
||||||
|
"notificationStorageOptions": {
|
||||||
|
"dirName": "/var/lib/lemonldap-ng/notifications"
|
||||||
|
},
|
||||||
|
"browserIdAuthnLevel": 1,
|
||||||
|
"portalUserAttr": "_user",
|
||||||
|
"ldapVersion": 3,
|
||||||
|
"sessionDataToRemember": {},
|
||||||
|
"samlNameIDFormatMapX509": "mail",
|
||||||
|
"managerDn": "%%ldapBindUserDN",
|
||||||
|
"mailSessionKey": "mail",
|
||||||
|
"openIdSreg_email": "mail",
|
||||||
|
"localSessionStorage": "Cache::FileCache",
|
||||||
|
"persistentStorage": "Apache::Session::File",
|
||||||
|
"mailOnPasswordChange": 0,
|
||||||
|
"captchaStorage": "Apache::Session::File",
|
||||||
|
"remoteGlobalStorageOptions": {
|
||||||
|
"proxy": "https://%%authWebName/index.pl/sessions",
|
||||||
|
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
|
||||||
|
},
|
||||||
|
"passwordDB": "LDAP",
|
||||||
|
"captcha_size": 6,
|
||||||
|
"mailCharset": "utf-8",
|
||||||
|
"facebookExportedVars": {},
|
||||||
|
"nullAuthnLevel": 2,
|
||||||
|
"singleIP": 0,
|
||||||
|
"dbiExportedVars": {},
|
||||||
|
"portalSkin": "bootstrap",
|
||||||
|
"storePassword": 0,
|
||||||
|
"hiddenAttributes": "_password",
|
||||||
|
"samlServicePrivateKeySig": "",
|
||||||
|
"globalStorage": "Apache::Session::File",
|
||||||
|
"notificationWildcard": "allusers",
|
||||||
|
"portalForceAuthn": 0,
|
||||||
|
"samlMetadataForceUTF8": 1,
|
||||||
|
"secureTokenUrls": ".*",
|
||||||
|
"secureTokenAllowOnError": 1,
|
||||||
|
"samlAuthnContextMapTLSClient": 5,
|
||||||
|
"ldapAllowResetExpiredPassword": 0,
|
||||||
|
"oidcOPMetaDataExportedVars": {},
|
||||||
|
"notifyOther": 0,
|
||||||
|
"secureTokenExpiration": 60,
|
||||||
|
"captcha_mail_enabled": 0,
|
||||||
|
"samlStorageOptions": {},
|
||||||
|
"samlOrganizationDisplayName": "Example",
|
||||||
|
"trustedProxies": "",
|
||||||
|
"secureTokenHeader": "Auth-Token",
|
||||||
|
"issuerDBCASActivation": 1,
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
|
||||||
|
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
|
||||||
|
"samlIDPMetaDataXML": {},
|
||||||
|
"oidcStorageOptions": {},
|
||||||
|
"cfgDate": 1519998069,
|
||||||
|
"samlAuthnContextMapPassword": 2,
|
||||||
|
"portalDisplayLoginHistory": 1,
|
||||||
|
"ldapPasswordResetAttributeValue": "TRUE",
|
||||||
|
"ldapServer": "%%ldapScheme://%%ldapServer",
|
||||||
|
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
|
||||||
|
"samlIDPMetaDataExportedAttributes": null,
|
||||||
|
"samlServicePrivateKeyEnc": "",
|
||||||
|
"useRedirectOnForbidden": 0,
|
||||||
|
"captcha_login_enabled": 0,
|
||||||
|
"https": 0,
|
||||||
|
"checkXSS": 1,
|
||||||
|
"ldapSetPassword": 0,
|
||||||
|
"portalPingInterval": 60000,
|
||||||
|
"captchaStorageOptions": {
|
||||||
|
"Directory": "/var/lib/lemonldap-ng/captcha/"
|
||||||
|
},
|
||||||
|
"useSafeJail": 1,
|
||||||
|
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
|
||||||
|
"issuerDBCASRule": 1,
|
||||||
|
"samlAuthnContextMapKerberos": 4,
|
||||||
|
"ldapGroupAttributeNameSearch": "cn",
|
||||||
|
"logoutServices": {},
|
||||||
|
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
|
||||||
|
"portalDisplayLogout": 1,
|
||||||
|
"issuerDBGetParameters": {},
|
||||||
|
"googleExportedVars": {},
|
||||||
|
"openIdSreg_fullname": "cn",
|
||||||
|
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
|
||||||
|
"demoExportedVars": {
|
||||||
|
"mail": "mail",
|
||||||
|
"uid": "uid",
|
||||||
|
"cn": "cn"
|
||||||
|
},
|
||||||
|
"oidcOPMetaDataJSON": null,
|
||||||
|
"samlIdPResolveCookie": "lemonldapidp",
|
||||||
|
"samlRelayStateTimeout": 600,
|
||||||
|
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
|
||||||
|
"globalStorageOptions": {
|
||||||
|
"Directory": "/var/lib/lemonldap-ng/sessions",
|
||||||
|
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
|
||||||
|
},
|
||||||
|
"ldapExportedVars": {
|
||||||
|
"mail": "mail",
|
||||||
|
"cn": "cn",
|
||||||
|
"uid": "uid"
|
||||||
|
},
|
||||||
|
"webIDExportedVars": {},
|
||||||
|
"activeTimer": 1,
|
||||||
|
"cda": 0,
|
||||||
|
"samlServicePublicKeySig": "",
|
||||||
|
%if %%llCheckLogins == "oui"
|
||||||
|
"portalCheckLogins": 1,
|
||||||
|
%else
|
||||||
|
"portalCheckLogins": 0,
|
||||||
|
%end if
|
||||||
|
"CAS_authnLevel": 1,
|
||||||
|
"macros": {
|
||||||
|
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
|
||||||
|
},
|
||||||
|
"samlIDPMetaDataOptions": null,
|
||||||
|
"twitterAuthnLevel": 1,
|
||||||
|
"openIdExportedVars": {},
|
||||||
|
"captcha_register_enabled": 1,
|
||||||
|
"oidcOPMetaDataJWKS": null,
|
||||||
|
"webIDAuthnLevel": 1,
|
||||||
|
"issuerDBOpenIDActivation": "1",
|
||||||
|
%if %%is_empty(%%llResetUrl)
|
||||||
|
"mailUrl": "https://%%authWebName/mail.pl",
|
||||||
|
%else
|
||||||
|
"mailUrl": "%%llResetUrl",
|
||||||
|
%end if
|
||||||
|
"maintenance": 0,
|
||||||
|
"jsRedirect": 0,
|
||||||
|
"cfgAuthor": "Cadoles",
|
||||||
|
"persistentStorageOptions": {
|
||||||
|
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
|
||||||
|
"Directory": "/var/lib/lemonldap-ng/psessions"
|
||||||
|
},
|
||||||
|
"SSLAuthnLevel": 5,
|
||||||
|
"oidcServiceMetaDataAuthnContext": {},
|
||||||
|
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
|
||||||
|
"notification": 1,
|
||||||
|
"ldapChangePasswordAsUser": 0,
|
||||||
|
"CAS_proxiedServices": {},
|
||||||
|
"key": "e\"bTCt3*eU9^\\V%b",
|
||||||
|
"portal": "https://%%authWebName/",
|
||||||
|
"singleSessionUserByIP": 0,
|
||||||
|
"portalOpenLinkInNewWindow": 0,
|
||||||
|
"post": {
|
||||||
|
"test2.%%nom_domaine_local": {},
|
||||||
|
"test1.%%nom_domaine_local": {},
|
||||||
|
"%%managerWebName": {}
|
||||||
|
},
|
||||||
|
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
|
||||||
|
"issuerDBSAMLRule": 1,
|
||||||
|
"samlCommonDomainCookieActivation": 0,
|
||||||
|
"syslog": "",
|
||||||
|
"ldapBase": "%%ldapUserBaseDN",
|
||||||
|
"ldapAuthnLevel": 2,
|
||||||
|
"mailTimeout": 0,
|
||||||
|
"samlEntityID": "#PORTAL#/saml/metadata",
|
||||||
|
"oidcOPMetaDataOptions": null,
|
||||||
|
"samlSPSSODescriptorWantAssertionsSigned": 1,
|
||||||
|
"samlOrganizationName": "%%samlOrganizationName",
|
||||||
|
%if %%RegisterDB == "Custom"
|
||||||
|
"registerUrl": "%%llRegisterURL",
|
||||||
|
%else
|
||||||
|
"registerUrl": "https://%%authWebName/register.pl",
|
||||||
|
%end if
|
||||||
|
"casAccessControlPolicy": "none",
|
||||||
|
"multiValuesSeparator": ";",
|
||||||
|
"ldapPort": %%ldapServerPort
|
||||||
|
}
|
@ -1,406 +1,441 @@
|
|||||||
%set %%boolean = {'oui': 1, 'non': 0}
|
|
||||||
%set %%ssoFilters = %%getSSOFilters
|
%set %%ssoFilters = %%getSSOFilters
|
||||||
%set %%ldapAttributes = {"uid": "uid", "mail": "mail", "cn":"cn"}
|
|
||||||
%set %%exported_vars = ['"UA": "HTTP_USER_AGENT"']
|
|
||||||
%set %%cas_attributes = []
|
|
||||||
%set %%ldap_attributes = {}
|
|
||||||
%for %%attr in %%casAttribute
|
|
||||||
%silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
|
|
||||||
%silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
|
|
||||||
%set %%ldap_attributes[%%attr.casLDAPAttribute] = %%attr.casLDAPAttribute
|
|
||||||
%end for
|
|
||||||
%for %%key, %%value in %%ssoFilters
|
|
||||||
%silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"')
|
|
||||||
%silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"')
|
|
||||||
%set %%ldap_attributes[%%value] = %%value
|
|
||||||
%end for
|
|
||||||
%silent %%exported_vars.sort()
|
|
||||||
%silent %%cas_attributes.sort()
|
|
||||||
%set %%ldapAttr = []
|
|
||||||
%for %%k, %%v in %%ldap_attributes.items()
|
|
||||||
%silent %%ldapAttr.append('"' + %%k + '": "' + %%v + '"')
|
|
||||||
%end for
|
|
||||||
{
|
{
|
||||||
%if %%lemon_user_db == "AD"
|
"ldapGroupAttributeNameUser": "dn",
|
||||||
"ADPwdExpireWarning": %%llADPasswordExpireWarn,
|
"cfgAuthorIP": "172.16.0.1",
|
||||||
"ADPwdMaxAge": %%llADPasswordMaxAge,
|
"samlSPMetaDataXML": null,
|
||||||
%end if
|
"facebookAuthnLevel": 1,
|
||||||
"CAS_authnLevel": 1,
|
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
|
||||||
|
"secureTokenAttribute": "uid",
|
||||||
|
"singleSession": 0,
|
||||||
|
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
|
||||||
"CAS_pgtFile": "/tmp/pgt.txt",
|
"CAS_pgtFile": "/tmp/pgt.txt",
|
||||||
"CAS_proxiedServices": {},
|
|
||||||
"SMTPServer": "",
|
|
||||||
"SSLAuthnLevel": 5,
|
|
||||||
"Soap": 1,
|
|
||||||
"activeTimer": 1,
|
|
||||||
"apacheAuthnLevel": 4,
|
|
||||||
"applicationList": {
|
|
||||||
"1administration": {
|
|
||||||
"catname": "Administration",
|
|
||||||
"manager": {
|
|
||||||
"options": {
|
|
||||||
"description": "Configure LemonLDAP::NG WebSSO",
|
|
||||||
"display": "auto",
|
|
||||||
"logo": "configure.png",
|
|
||||||
"name": "WebSSO Manager",
|
|
||||||
"uri": "https://%%managerWebName/"
|
|
||||||
},
|
|
||||||
"type": "application"
|
|
||||||
},
|
|
||||||
"notifications": {
|
|
||||||
"options": {
|
|
||||||
"description": "Explore WebSSO notifications",
|
|
||||||
"display": "auto",
|
|
||||||
"logo": "database.png",
|
|
||||||
"name": "Notifications explorer",
|
|
||||||
"uri": "https://%%managerWebName/notifications.pl"
|
|
||||||
},
|
|
||||||
"type": "application"
|
|
||||||
},
|
|
||||||
"sessions": {
|
|
||||||
"options": {
|
|
||||||
"description": "Explore WebSSO sessions",
|
|
||||||
"display": "auto",
|
|
||||||
"logo": "database.png",
|
|
||||||
"name": "Sessions explorer",
|
|
||||||
"uri": "https://%%managerWebName/sessions.pl"
|
|
||||||
},
|
|
||||||
"type": "application"
|
|
||||||
},
|
|
||||||
"type": "category"
|
|
||||||
},
|
|
||||||
"2documentation": {
|
|
||||||
"catname": "Documentation",
|
|
||||||
"localdoc": {
|
|
||||||
"options": {
|
|
||||||
"description": "Documentation supplied with LemonLDAP::NG",
|
|
||||||
"display": "on",
|
|
||||||
"logo": "help.png",
|
|
||||||
"name": "Local documentation",
|
|
||||||
"uri": "http://%%managerWebName/doc/"
|
|
||||||
},
|
|
||||||
"type": "application"
|
|
||||||
},
|
|
||||||
"officialwebsite": {
|
|
||||||
"options": {
|
|
||||||
"description": "Official LemonLDAP::NG Website",
|
|
||||||
"display": "on",
|
|
||||||
"logo": "network.png",
|
|
||||||
"name": "Offical Website",
|
|
||||||
"uri": "http://lemonldap-ng.org/"
|
|
||||||
},
|
|
||||||
"type": "application"
|
|
||||||
},
|
|
||||||
"type": "category"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"authChoiceModules": {},
|
|
||||||
"authChoiceParam": "lmAuth",
|
|
||||||
"authentication": "%%lemon_user_db",
|
|
||||||
"browserIdAuthnLevel": 1,
|
|
||||||
"captchaStorage": "Apache::Session::File",
|
|
||||||
"captchaStorageOptions": {
|
|
||||||
"Directory": "/var/lib/lemonldap-ng/captcha/"
|
|
||||||
},
|
|
||||||
"captcha_login_enabled": 0,
|
|
||||||
"captcha_mail_enabled": 0,
|
|
||||||
"captcha_register_enabled": 1,
|
|
||||||
"captcha_size": 6,
|
|
||||||
"casAccessControlPolicy": "none",
|
|
||||||
"casAttributes": {
|
|
||||||
%%custom_join(%%cas_attributes, ',\n ')
|
|
||||||
},
|
|
||||||
"casStorageOptions": {},
|
|
||||||
"cda": 0,
|
|
||||||
"cfgAuthor": "EOLE",
|
|
||||||
"cfgAuthorIP": "127.0.0.1",
|
|
||||||
"cfgDate": 1600257889,
|
|
||||||
"cfgLog": "",
|
|
||||||
"cfgNum": "1",
|
|
||||||
"checkXSS": 1,
|
|
||||||
"confirmFormMethod": "post",
|
|
||||||
"cookieName": "lemonldap",
|
"cookieName": "lemonldap",
|
||||||
"dbiAuthnLevel": 2,
|
"slaveExportedVars": {},
|
||||||
"dbiExportedVars": {},
|
"whatToTrace": "_whatToTrace",
|
||||||
"demoExportedVars": {
|
"oidcRPMetaDataOptions": {},
|
||||||
"cn": "cn",
|
"notifyDeleted": 1,
|
||||||
"mail": "mail",
|
"useRedirectOnError": 1,
|
||||||
"uid": "uid"
|
"samlSPMetaDataExportedAttributes": null,
|
||||||
},
|
"ldapPwdEnc": "utf-8",
|
||||||
"domain": "%%nom_domaine_local",
|
"openIdSPList": "0;",
|
||||||
|
"samlNameIDFormatMapEmail": "mail",
|
||||||
|
"samlSPMetaDataOptions": null,
|
||||||
|
"issuerDBOpenIDRule": 1,
|
||||||
|
"casStorageOptions": {},
|
||||||
|
"mailFrom": "noreply@%%nom_domaine_local",
|
||||||
|
"timeoutActivity": 0,
|
||||||
|
"oidcRPMetaDataExportedVars": {},
|
||||||
|
"issuerDBSAMLActivation": 0,
|
||||||
|
"issuerDBCASPath": "^/%%casFolder/",
|
||||||
|
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
|
||||||
|
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
|
||||||
"exportedHeaders": {
|
"exportedHeaders": {
|
||||||
|
"test1.%%nom_domaine_local": {
|
||||||
|
"Auth-User": "$uid"
|
||||||
|
},
|
||||||
|
"test2.%%nom_domaine_local": {
|
||||||
|
"Auth-User": "$uid"
|
||||||
|
},
|
||||||
"%%managerWebName": {}
|
"%%managerWebName": {}
|
||||||
},
|
},
|
||||||
"exportedVars": {
|
"vhostOptions": {
|
||||||
%%custom_join(%%exported_vars, ',\n ')
|
"%%managerWebName": {
|
||||||
|
"vhostHttps" : "1"
|
||||||
},
|
},
|
||||||
"facebookAuthnLevel": 1,
|
"test1.%%nom_domaine_local": {},
|
||||||
"facebookExportedVars": {},
|
"test2.%%nom_domaine_local": {}
|
||||||
"failedLoginNumber": 5,
|
|
||||||
"globalStorage": "Apache::Session::File",
|
|
||||||
"globalStorageOptions": {
|
|
||||||
"Directory": "/var/lib/lemonldap-ng/sessions",
|
|
||||||
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
|
|
||||||
},
|
},
|
||||||
"googleAuthnLevel": 1,
|
"radiusAuthnLevel": 3,
|
||||||
"googleExportedVars": {},
|
"dbiAuthnLevel": 2,
|
||||||
"grantSessionRules": {},
|
|
||||||
"groups": {},
|
|
||||||
"hiddenAttributes": "_password",
|
|
||||||
"hideOldPassword": 0,
|
|
||||||
"httpOnly": 1,
|
|
||||||
"https": 0,
|
|
||||||
"infoFormMethod": "get",
|
|
||||||
"issuerDBCASActivation": 1,
|
|
||||||
"issuerDBCASPath": "^/%%casFolder/",
|
|
||||||
"issuerDBCASRule": 1,
|
|
||||||
"issuerDBGetParameters": {},
|
|
||||||
"issuerDBOpenIDActivation": "1",
|
|
||||||
"issuerDBOpenIDPath": "^/openidserver/",
|
|
||||||
"issuerDBOpenIDRule": 1,
|
|
||||||
"issuerDBSAMLActivation": 0,
|
|
||||||
"issuerDBSAMLPath": "^/saml/",
|
|
||||||
"issuerDBSAMLRule": 1,
|
|
||||||
"jsRedirect": 0,
|
|
||||||
"key": "e\"bTCt3*eU9^\\V%b",
|
|
||||||
%if %%llResetPassword == "oui"
|
|
||||||
%if %%llResetExpiredPassword == "oui"
|
|
||||||
%if %%lemon_user_db == "AD"
|
|
||||||
"ldapPpolicyControl": 0,
|
|
||||||
%else
|
|
||||||
"ldapPpolicyControl": 1,
|
|
||||||
%end if
|
|
||||||
"ldapAllowResetExpiredPassword": 1,
|
|
||||||
"ldapChangePasswordAsUser": 1,
|
|
||||||
%else
|
|
||||||
"ldapPpolicyControl": 0,
|
|
||||||
"ldapAllowResetExpiredPassword": 0,
|
|
||||||
"ldapChangePasswordAsUser": 1,
|
|
||||||
%end if
|
|
||||||
%end if
|
|
||||||
"ldapAuthnLevel": 2,
|
|
||||||
"ldapSearchDeref": "find",
|
|
||||||
"ldapBase": "%%ldapUserBaseDN",
|
|
||||||
"ldapExportedVars": {
|
|
||||||
%%custom_join(%%ldapAttr, ',\n ')
|
|
||||||
},
|
|
||||||
"ldapGroupAttributeName": "memberUid",
|
|
||||||
"ldapGroupAttributeNameGroup": "dn",
|
|
||||||
"ldapGroupAttributeNameSearch": "cn",
|
|
||||||
"ldapGroupAttributeNameUser": "uid",
|
|
||||||
"ldapGroupObjectClass": "eolegroupe",
|
|
||||||
"ldapGroupRecursive": 0,
|
|
||||||
"ldapPasswordResetAttribute": "pwdReset",
|
"ldapPasswordResetAttribute": "pwdReset",
|
||||||
"ldapPasswordResetAttributeValue": "TRUE",
|
"ldapGroupObjectClass": "groupOfNames",
|
||||||
"ldapPort": "%%ldapServerPort",
|
"apacheAuthnLevel": 4,
|
||||||
"ldapPwdEnc": "utf-8",
|
"samlNameIDFormatMapKerberos": "uid",
|
||||||
"ldapServer": "%%ldapScheme://%%ldapServer",
|
"groups": {},
|
||||||
%if %%ldapScheme == "ldaps"
|
"securedCookie": 0,
|
||||||
%if %%lmldapverify == "oui"
|
"httpOnly": 1,
|
||||||
"ldapVerify": "Require",
|
"yubikeyAuthnLevel": 3,
|
||||||
|
"ADPwdMaxAge": 0,
|
||||||
|
"samlUseQueryStringSpecific": 0,
|
||||||
|
"loginHistoryEnabled": 1,
|
||||||
|
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
|
||||||
|
"failedLoginNumber": 5,
|
||||||
|
"samlServicePrivateKeyEncPwd": "",
|
||||||
|
"portalForceAuthnInterval": 0,
|
||||||
|
"cfgLog": "",
|
||||||
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
|
||||||
|
"exportedVars": {
|
||||||
|
"UA": "HTTP_USER_AGENT",
|
||||||
|
%for att in %%casAttribute
|
||||||
|
"%%att": "%%att",
|
||||||
|
%end for
|
||||||
|
%set %%idx = 0
|
||||||
|
%set %%size = %%len(%%ssoFilters) - 1
|
||||||
|
%for key,value in %%ssoFilters
|
||||||
|
%if %%idx == %%size
|
||||||
|
"%%key": "%%value"
|
||||||
%else
|
%else
|
||||||
"ldapVerify": "None",
|
"%%key": "%%value",
|
||||||
%end if
|
%end if
|
||||||
%end if
|
%set %%idx += 1
|
||||||
"ldapSetPassword": 0,
|
%end for
|
||||||
|
},
|
||||||
|
"notificationStorage": "File",
|
||||||
|
"applicationList": {
|
||||||
|
"1sample": {
|
||||||
|
"test2": {
|
||||||
|
"options": {
|
||||||
|
"name": "Application Test 2",
|
||||||
|
"logo": "thumbnail.png",
|
||||||
|
"uri": "https://test2.%%nom_domaine_local/",
|
||||||
|
"display": "auto",
|
||||||
|
"description": "The same simple application displaying authenticated user"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
},
|
||||||
|
"type": "category",
|
||||||
|
"catname": "Sample applications",
|
||||||
|
"test1": {
|
||||||
|
"type": "application",
|
||||||
|
"options": {
|
||||||
|
"description": "A simple application displaying authenticated user",
|
||||||
|
"uri": "https://test1.%%nom_domaine_local/",
|
||||||
|
"logo": "demo.png",
|
||||||
|
"display": "auto",
|
||||||
|
"name": "Application Test 1"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"2administration": {
|
||||||
|
"notifications": {
|
||||||
|
"options": {
|
||||||
|
"name": "Notifications explorer",
|
||||||
|
"display": "auto",
|
||||||
|
"description": "Explore WebSSO notifications",
|
||||||
|
"uri": "https://%%managerWebName/notifications.pl",
|
||||||
|
"logo": "database.png"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
},
|
||||||
|
"manager": {
|
||||||
|
"options": {
|
||||||
|
"uri": "https://%%managerWebName/",
|
||||||
|
"display": "auto",
|
||||||
|
"description": "Configure LemonLDAP::NG WebSSO",
|
||||||
|
"logo": "configure.png",
|
||||||
|
"name": "WebSSO Manager"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
},
|
||||||
|
"type": "category",
|
||||||
|
"sessions": {
|
||||||
|
"type": "application",
|
||||||
|
"options": {
|
||||||
|
"description": "Explore WebSSO sessions",
|
||||||
|
"uri": "https://%%managerWebName/sessions.pl",
|
||||||
|
"logo": "database.png",
|
||||||
|
"display": "auto",
|
||||||
|
"name": "Sessions explorer"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"catname": "Administration"
|
||||||
|
},
|
||||||
|
"3documentation": {
|
||||||
|
"catname": "Documentation",
|
||||||
|
"officialwebsite": {
|
||||||
|
"type": "application",
|
||||||
|
"options": {
|
||||||
|
"name": "Offical Website",
|
||||||
|
"description": "Official LemonLDAP::NG Website",
|
||||||
|
"logo": "network.png",
|
||||||
|
"display": "on",
|
||||||
|
"uri": "http://lemonldap-ng.org/"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"type": "category",
|
||||||
|
"localdoc": {
|
||||||
|
"options": {
|
||||||
|
"logo": "help.png",
|
||||||
|
"description": "Documentation supplied with LemonLDAP::NG",
|
||||||
|
"display": "on",
|
||||||
|
"uri": "http://%%managerWebName/doc/",
|
||||||
|
"name": "Local documentation"
|
||||||
|
},
|
||||||
|
"type": "application"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"userControl": "^[\\w\\.\\-@]+$",
|
||||||
|
"timeout": 72000,
|
||||||
|
"portalAntiFrame": 1,
|
||||||
|
"SMTPServer": "",
|
||||||
"ldapTimeout": 120,
|
"ldapTimeout": 120,
|
||||||
|
"samlAuthnContextMapPasswordProtectedTransport": 3,
|
||||||
"ldapUsePasswordResetAttribute": 1,
|
"ldapUsePasswordResetAttribute": 1,
|
||||||
"ldapVersion": 3,
|
"ldapPpolicyControl": 0,
|
||||||
"localSessionStorage": "Cache::FileCache",
|
"casAttributes": {
|
||||||
|
%for att in %%casAttribute
|
||||||
|
"%%att": "%%att.casLDAPAttribute",
|
||||||
|
%end for
|
||||||
|
%set %%idx = 0
|
||||||
|
%set %%size = %%len(%%ssoFilters) - 1
|
||||||
|
%for key,value in %%ssoFilters
|
||||||
|
%if %%idx == %%size
|
||||||
|
"%%key": "%%key"
|
||||||
|
%else
|
||||||
|
"%%key": "%%key",
|
||||||
|
%end if
|
||||||
|
%set %%idx += 1
|
||||||
|
%end for
|
||||||
|
},
|
||||||
|
"issuerDBSAMLPath": "^/saml/",
|
||||||
|
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
|
||||||
|
"portalDisplayAppslist": 1,
|
||||||
|
"confirmFormMethod": "post",
|
||||||
|
"domain": "%%nom_domaine_local",
|
||||||
|
"cfgNum": "1",
|
||||||
|
"authentication": "LDAP",
|
||||||
|
"samlNameIDFormatMapWindows": "uid",
|
||||||
|
"authChoiceModules": {},
|
||||||
|
"ldapGroupAttributeName": "member",
|
||||||
|
"samlServicePrivateKeySigPwd": "",
|
||||||
|
"googleAuthnLevel": 1,
|
||||||
|
"successLoginNumber": 5,
|
||||||
"localSessionStorageOptions": {
|
"localSessionStorageOptions": {
|
||||||
"cache_depth": 3,
|
|
||||||
"cache_root": "/tmp",
|
"cache_root": "/tmp",
|
||||||
|
"namespace": "lemonldap-ng-sessions",
|
||||||
"default_expires_in": 600,
|
"default_expires_in": 600,
|
||||||
"directory_umask": "007",
|
"directory_umask": "007",
|
||||||
"namespace": "lemonldap-ng-sessions"
|
"cache_depth": 3
|
||||||
},
|
},
|
||||||
|
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
|
||||||
|
"portalRequireOldPassword": 1,
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
|
||||||
|
"ADPwdExpireWarning": 0,
|
||||||
|
"yubikeyPublicIDSize": 12,
|
||||||
|
"ldapGroupAttributeNameGroup": "dn",
|
||||||
|
"oidcRPMetaDataOptionsExtraClaims": null,
|
||||||
|
"ldapGroupRecursive": 0,
|
||||||
|
"mailSubject": "[LemonLDAP::NG] Your new password",
|
||||||
|
"nginxCustomHandlers": {},
|
||||||
|
"samlSPSSODescriptorAuthnRequestsSigned": 1,
|
||||||
|
%if %%llResetPassword == "oui"
|
||||||
|
"portalDisplayResetPassword": 1,
|
||||||
|
%else
|
||||||
|
"portalDisplayResetPassword": 0,
|
||||||
|
%end if
|
||||||
|
"openIdSreg_timezone": "_timezone",
|
||||||
|
"infoFormMethod": "get",
|
||||||
|
"openIdAuthnLevel": 1,
|
||||||
|
"openIdSreg_nickname": "uid",
|
||||||
|
"samlServicePublicKeyEnc": "",
|
||||||
|
"userDB": "LDAP",
|
||||||
|
"grantSessionRules": {},
|
||||||
|
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
|
||||||
|
"reloadUrls": {
|
||||||
|
"%%reloadWebName": "https://%%reloadWebName/reload"
|
||||||
|
},
|
||||||
|
"registerTimeout": 0,
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
|
||||||
|
"slaveAuthnLevel": 2,
|
||||||
|
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
|
||||||
|
"Soap": 1,
|
||||||
|
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
|
||||||
|
%if %%RegisterDB == "Custom"
|
||||||
|
"registerDB": "Null",
|
||||||
|
%else
|
||||||
|
"registerDB": "%%RegisterDB",
|
||||||
|
%end if
|
||||||
"locationRules": {
|
"locationRules": {
|
||||||
"%%managerWebName": {
|
"%%managerWebName": {
|
||||||
"default": "$uid eq \"%%lemonAdmin\""
|
"default": "$uid eq \"%%lemonAdmin\""
|
||||||
|
},
|
||||||
|
"test1.%%nom_domaine_local": {
|
||||||
|
"default": "accept",
|
||||||
|
"^/logout": "logout_sso"
|
||||||
|
},
|
||||||
|
"test2.%%nom_domaine_local": {
|
||||||
|
"default": "accept",
|
||||||
|
"^/logout": "logout_sso"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"loginHistoryEnabled": 1,
|
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
|
||||||
"logoutServices": {},
|
"hideOldPassword": 0,
|
||||||
"lwpSslOpts": {},
|
|
||||||
"macros": {
|
|
||||||
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
|
|
||||||
},
|
|
||||||
"mailCharset": "utf-8",
|
|
||||||
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
|
|
||||||
"mailFrom": "noreply@%%nom_domaine_local",
|
|
||||||
"mailOnPasswordChange": 0,
|
|
||||||
"mailSessionKey": "mail",
|
|
||||||
"mailSubject": "[LemonLDAP::NG] Your new password",
|
|
||||||
"mailTimeout": 0,
|
|
||||||
%if %%llResetPassword == "oui"
|
|
||||||
%if %%is_empty(%%llResetUrl)
|
|
||||||
"mailUrl": "https://%%authWebName/resetpwd",
|
|
||||||
%else
|
|
||||||
"mailUrl": "%%llResetUrl",
|
|
||||||
%end if
|
|
||||||
%end if
|
|
||||||
"maintenance": 0,
|
|
||||||
"managerDn": "%%ldapBindUserDN",
|
|
||||||
%if %%is_file(%%ldapBindUserPassword)
|
%if %%is_file(%%ldapBindUserPassword)
|
||||||
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
|
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
|
||||||
%else
|
%else
|
||||||
"managerPassword": "%%ldapBindUserPassword",
|
"managerPassword": "%%ldapBindUserPassword",
|
||||||
%end if
|
%end if
|
||||||
"multiValuesSeparator": ";",
|
"authChoiceParam": "lmAuth",
|
||||||
"nginxCustomHandlers": {},
|
"lwpSslOpts": {},
|
||||||
"notification": 1,
|
"portalSkinRules": {},
|
||||||
"notificationStorage": "File",
|
"issuerDBOpenIDPath": "^/openidserver/",
|
||||||
|
"redirectFormMethod": "get",
|
||||||
|
"portalDisplayRegister": 1,
|
||||||
|
"secureTokenMemcachedServers": "127.0.0.1:11211",
|
||||||
"notificationStorageOptions": {
|
"notificationStorageOptions": {
|
||||||
"dirName": "/var/lib/lemonldap-ng/notifications"
|
"dirName": "/var/lib/lemonldap-ng/notifications"
|
||||||
},
|
},
|
||||||
"notificationWildcard": "allusers",
|
"browserIdAuthnLevel": 1,
|
||||||
"notifyDeleted": 1,
|
|
||||||
"notifyOther": 0,
|
|
||||||
"nullAuthnLevel": 2,
|
|
||||||
"oidcOPMetaDataExportedVars": {},
|
|
||||||
"oidcOPMetaDataJSON": null,
|
|
||||||
"oidcOPMetaDataJWKS": null,
|
|
||||||
"oidcOPMetaDataOptions": null,
|
|
||||||
"oidcRPMetaDataExportedVars": {},
|
|
||||||
"oidcRPMetaDataOptions": {},
|
|
||||||
"oidcRPMetaDataOptionsExtraClaims": null,
|
|
||||||
"oidcServiceMetaDataAuthnContext": {},
|
|
||||||
"oidcStorageOptions": {},
|
|
||||||
"openIdAuthnLevel": 1,
|
|
||||||
"openIdExportedVars": {},
|
|
||||||
"openIdSPList": "0;",
|
|
||||||
"openIdSreg_email": "mail",
|
|
||||||
"openIdSreg_fullname": "cn",
|
|
||||||
"openIdSreg_nickname": "uid",
|
|
||||||
"openIdSreg_timezone": "_timezone",
|
|
||||||
"passwordDB": "%%lemon_user_db",
|
|
||||||
"persistentStorage": "Apache::Session::File",
|
|
||||||
"persistentStorageOptions": {
|
|
||||||
"Directory": "/var/lib/lemonldap-ng/psessions",
|
|
||||||
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock"
|
|
||||||
},
|
|
||||||
"portal": "https://%%authWebName/",
|
|
||||||
"portalAntiFrame": 1,
|
|
||||||
"portalCheckLogins": %%boolean[%%llCheckLogins],
|
|
||||||
"portalDisplayAppslist": 1,
|
|
||||||
"portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
|
|
||||||
"portalDisplayLoginHistory": 1,
|
|
||||||
"portalDisplayLogout": 1,
|
|
||||||
"portalDisplayRegister": %%boolean[%%llRegisterAccount],
|
|
||||||
"portalDisplayResetPassword": %%boolean[%%llResetPassword],
|
|
||||||
"portalForceAuthn": 0,
|
|
||||||
"portalForceAuthnInterval": 0,
|
|
||||||
"portalOpenLinkInNewWindow": 0,
|
|
||||||
"portalPingInterval": 60000,
|
|
||||||
"portalRequireOldPassword": 1,
|
|
||||||
"portalSkin": "bootstrap",
|
|
||||||
"portalSkinRules": {},
|
|
||||||
"portalUserAttr": "_user",
|
"portalUserAttr": "_user",
|
||||||
|
"ldapVersion": 3,
|
||||||
|
"sessionDataToRemember": {},
|
||||||
|
"samlNameIDFormatMapX509": "mail",
|
||||||
|
"managerDn": "%%ldapBindUserDN",
|
||||||
|
"mailSessionKey": "mail",
|
||||||
|
"openIdSreg_email": "mail",
|
||||||
|
"localSessionStorage": "Cache::FileCache",
|
||||||
|
"persistentStorage": "Apache::Session::File",
|
||||||
|
"mailOnPasswordChange": 0,
|
||||||
|
"captchaStorage": "Apache::Session::File",
|
||||||
|
"remoteGlobalStorageOptions": {
|
||||||
|
"proxy": "https://%%authWebName/index.pl/sessions",
|
||||||
|
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
|
||||||
|
},
|
||||||
|
"passwordDB": "LDAP",
|
||||||
|
"captcha_size": 6,
|
||||||
|
"mailCharset": "utf-8",
|
||||||
|
"facebookExportedVars": {},
|
||||||
|
"nullAuthnLevel": 2,
|
||||||
|
"singleIP": 0,
|
||||||
|
"dbiExportedVars": {},
|
||||||
|
"portalSkin": "bootstrap",
|
||||||
|
"storePassword": 0,
|
||||||
|
"hiddenAttributes": "_password",
|
||||||
|
"samlServicePrivateKeySig": "",
|
||||||
|
"globalStorage": "Apache::Session::File",
|
||||||
|
"notificationWildcard": "allusers",
|
||||||
|
"portalForceAuthn": 0,
|
||||||
|
"samlMetadataForceUTF8": 1,
|
||||||
|
"secureTokenUrls": ".*",
|
||||||
|
"secureTokenAllowOnError": 1,
|
||||||
|
"samlAuthnContextMapTLSClient": 5,
|
||||||
|
"ldapAllowResetExpiredPassword": 0,
|
||||||
|
"oidcOPMetaDataExportedVars": {},
|
||||||
|
"notifyOther": 0,
|
||||||
|
"secureTokenExpiration": 60,
|
||||||
|
"captcha_mail_enabled": 0,
|
||||||
|
"samlStorageOptions": {},
|
||||||
|
"samlOrganizationDisplayName": "Example",
|
||||||
|
"trustedProxies": "",
|
||||||
|
"secureTokenHeader": "Auth-Token",
|
||||||
|
"issuerDBCASActivation": 1,
|
||||||
|
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
|
||||||
|
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
|
||||||
|
"samlIDPMetaDataXML": {},
|
||||||
|
"oidcStorageOptions": {},
|
||||||
|
"cfgDate": 1519998069,
|
||||||
|
"samlAuthnContextMapPassword": 2,
|
||||||
|
"portalDisplayLoginHistory": 1,
|
||||||
|
"ldapPasswordResetAttributeValue": "TRUE",
|
||||||
|
"ldapServer": "%%ldapScheme://%%ldapServer",
|
||||||
|
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
|
||||||
|
"samlIDPMetaDataExportedAttributes": null,
|
||||||
|
"samlServicePrivateKeyEnc": "",
|
||||||
|
"useRedirectOnForbidden": 0,
|
||||||
|
"captcha_login_enabled": 0,
|
||||||
|
"https": 0,
|
||||||
|
"checkXSS": 1,
|
||||||
|
"ldapSetPassword": 0,
|
||||||
|
"portalPingInterval": 60000,
|
||||||
|
"captchaStorageOptions": {
|
||||||
|
"Directory": "/var/lib/lemonldap-ng/captcha/"
|
||||||
|
},
|
||||||
|
"useSafeJail": 1,
|
||||||
|
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
|
||||||
|
"issuerDBCASRule": 1,
|
||||||
|
"samlAuthnContextMapKerberos": 4,
|
||||||
|
"ldapGroupAttributeNameSearch": "cn",
|
||||||
|
"logoutServices": {},
|
||||||
|
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
|
||||||
|
"portalDisplayLogout": 1,
|
||||||
|
"issuerDBGetParameters": {},
|
||||||
|
"googleExportedVars": {},
|
||||||
|
"openIdSreg_fullname": "cn",
|
||||||
|
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
|
||||||
|
"demoExportedVars": {
|
||||||
|
"mail": "mail",
|
||||||
|
"uid": "uid",
|
||||||
|
"cn": "cn"
|
||||||
|
},
|
||||||
|
"oidcOPMetaDataJSON": null,
|
||||||
|
"samlIdPResolveCookie": "lemonldapidp",
|
||||||
|
"samlRelayStateTimeout": 600,
|
||||||
|
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
|
||||||
|
"globalStorageOptions": {
|
||||||
|
"Directory": "/var/lib/lemonldap-ng/sessions",
|
||||||
|
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
|
||||||
|
},
|
||||||
|
"ldapExportedVars": {
|
||||||
|
"mail": "mail",
|
||||||
|
"cn": "cn",
|
||||||
|
"uid": "uid"
|
||||||
|
},
|
||||||
|
"webIDExportedVars": {},
|
||||||
|
"activeTimer": 1,
|
||||||
|
"cda": 0,
|
||||||
|
"samlServicePublicKeySig": "",
|
||||||
|
%if %%llCheckLogins == "oui"
|
||||||
|
"portalCheckLogins": 1,
|
||||||
|
%else
|
||||||
|
"portalCheckLogins": 0,
|
||||||
|
%end if
|
||||||
|
"CAS_authnLevel": 1,
|
||||||
|
"macros": {
|
||||||
|
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
|
||||||
|
},
|
||||||
|
"samlIDPMetaDataOptions": null,
|
||||||
|
"twitterAuthnLevel": 1,
|
||||||
|
"openIdExportedVars": {},
|
||||||
|
"captcha_register_enabled": 1,
|
||||||
|
"oidcOPMetaDataJWKS": null,
|
||||||
|
"webIDAuthnLevel": 1,
|
||||||
|
"issuerDBOpenIDActivation": "1",
|
||||||
|
%if %%is_empty(%%llResetUrl)
|
||||||
|
"mailUrl": "https://%%authWebName/mail.pl",
|
||||||
|
%else
|
||||||
|
"mailUrl": "%%llResetUrl",
|
||||||
|
%end if
|
||||||
|
"maintenance": 0,
|
||||||
|
"jsRedirect": 0,
|
||||||
|
"cfgAuthor": "Cadoles",
|
||||||
|
"persistentStorageOptions": {
|
||||||
|
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
|
||||||
|
"Directory": "/var/lib/lemonldap-ng/psessions"
|
||||||
|
},
|
||||||
|
"SSLAuthnLevel": 5,
|
||||||
|
"oidcServiceMetaDataAuthnContext": {},
|
||||||
|
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
|
||||||
|
"notification": 1,
|
||||||
|
"ldapChangePasswordAsUser": 0,
|
||||||
|
"CAS_proxiedServices": {},
|
||||||
|
"key": "e\"bTCt3*eU9^\\V%b",
|
||||||
|
"portal": "https://%%authWebName/",
|
||||||
|
"singleSessionUserByIP": 0,
|
||||||
|
"portalOpenLinkInNewWindow": 0,
|
||||||
"post": {
|
"post": {
|
||||||
|
"test2.%%nom_domaine_local": {},
|
||||||
|
"test1.%%nom_domaine_local": {},
|
||||||
"%%managerWebName": {}
|
"%%managerWebName": {}
|
||||||
},
|
},
|
||||||
"radiusAuthnLevel": 3,
|
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
|
||||||
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
|
"issuerDBSAMLRule": 1,
|
||||||
"redirectFormMethod": "get",
|
"samlCommonDomainCookieActivation": 0,
|
||||||
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
|
"syslog": "",
|
||||||
%set %%register_db = %%getVar('llRegisterDB', 'Demo')
|
"ldapBase": "%%ldapUserBaseDN",
|
||||||
%if %%register_db == 'Custom'
|
"ldapAuthnLevel": 2,
|
||||||
"registerDB": "Null",
|
"mailTimeout": 0,
|
||||||
|
"samlEntityID": "#PORTAL#/saml/metadata",
|
||||||
|
"oidcOPMetaDataOptions": null,
|
||||||
|
"samlSPSSODescriptorWantAssertionsSigned": 1,
|
||||||
|
"samlOrganizationName": "%%samlOrganizationName",
|
||||||
|
%if %%RegisterDB == "Custom"
|
||||||
"registerUrl": "%%llRegisterURL",
|
"registerUrl": "%%llRegisterURL",
|
||||||
%else
|
%else
|
||||||
"registerDB": "%%register_db",
|
|
||||||
"registerUrl": "https://%%authWebName/register.pl",
|
"registerUrl": "https://%%authWebName/register.pl",
|
||||||
%end if
|
%end if
|
||||||
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
|
"casAccessControlPolicy": "none",
|
||||||
"registerTimeout": 0,
|
"multiValuesSeparator": ";",
|
||||||
"reloadUrls": {
|
"ldapPort": %%ldapServerPort
|
||||||
"%%reloadWebName": "https://%%reloadWebName/reload"
|
|
||||||
},
|
|
||||||
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
|
|
||||||
"remoteGlobalStorageOptions": {
|
|
||||||
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService",
|
|
||||||
"proxy": "https://%%authWebName/index.pl/sessions"
|
|
||||||
},
|
|
||||||
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
|
|
||||||
"samlAuthnContextMapKerberos": 4,
|
|
||||||
"samlAuthnContextMapPassword": 2,
|
|
||||||
"samlAuthnContextMapPasswordProtectedTransport": 3,
|
|
||||||
"samlAuthnContextMapTLSClient": 5,
|
|
||||||
"samlCommonDomainCookieActivation": 0,
|
|
||||||
"samlEntityID": "#PORTAL#/saml/metadata",
|
|
||||||
"samlIDPMetaDataExportedAttributes": null,
|
|
||||||
"samlIDPMetaDataOptions": null,
|
|
||||||
"samlIDPMetaDataXML": {},
|
|
||||||
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
|
|
||||||
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
|
|
||||||
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
|
|
||||||
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
|
|
||||||
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
|
|
||||||
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
|
|
||||||
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
|
|
||||||
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
|
|
||||||
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
|
|
||||||
"samlIdPResolveCookie": "lemonldapidp",
|
|
||||||
"samlMetadataForceUTF8": 1,
|
|
||||||
"samlNameIDFormatMapEmail": "mail",
|
|
||||||
"samlNameIDFormatMapKerberos": "uid",
|
|
||||||
"samlNameIDFormatMapWindows": "uid",
|
|
||||||
"samlNameIDFormatMapX509": "mail",
|
|
||||||
"samlOrganizationDisplayName": "Example",
|
|
||||||
"samlOrganizationName": "%%samlOrganizationName",
|
|
||||||
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
|
|
||||||
"samlRelayStateTimeout": 600,
|
|
||||||
"samlSPMetaDataExportedAttributes": null,
|
|
||||||
"samlSPMetaDataOptions": null,
|
|
||||||
"samlSPMetaDataXML": null,
|
|
||||||
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
|
|
||||||
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
|
|
||||||
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
|
|
||||||
"samlSPSSODescriptorAuthnRequestsSigned": 1,
|
|
||||||
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
|
|
||||||
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
|
|
||||||
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
|
|
||||||
"samlSPSSODescriptorWantAssertionsSigned": 1,
|
|
||||||
"samlServicePrivateKeyEnc": "",
|
|
||||||
"samlServicePrivateKeyEncPwd": "",
|
|
||||||
"samlServicePrivateKeySig": "",
|
|
||||||
"samlServicePrivateKeySigPwd": "",
|
|
||||||
"samlServicePublicKeyEnc": "",
|
|
||||||
"samlServicePublicKeySig": "",
|
|
||||||
"samlStorageOptions": {},
|
|
||||||
"samlUseQueryStringSpecific": 0,
|
|
||||||
"secureTokenAllowOnError": 1,
|
|
||||||
"secureTokenAttribute": "uid",
|
|
||||||
"secureTokenExpiration": 60,
|
|
||||||
"secureTokenHeader": "Auth-Token",
|
|
||||||
"secureTokenMemcachedServers": "127.0.0.1:11211",
|
|
||||||
"secureTokenUrls": ".*",
|
|
||||||
"securedCookie": 0,
|
|
||||||
"sessionDataToRemember": {},
|
|
||||||
"singleIP": 0,
|
|
||||||
"singleSession": 0,
|
|
||||||
"singleSessionUserByIP": 0,
|
|
||||||
"slaveAuthnLevel": 2,
|
|
||||||
"slaveExportedVars": {},
|
|
||||||
"storePassword": 0,
|
|
||||||
"successLoginNumber": 5,
|
|
||||||
"syslog": "",
|
|
||||||
"timeout": 72000,
|
|
||||||
"timeoutActivity": 0,
|
|
||||||
"trustedProxies": "",
|
|
||||||
"twitterAuthnLevel": 1,
|
|
||||||
"useRedirectOnError": 1,
|
|
||||||
"useRedirectOnForbidden": 0,
|
|
||||||
"useSafeJail": 1,
|
|
||||||
"userControl": "^[\\w\\.\\-@]+$",
|
|
||||||
"userDB": "%%lemon_user_db",
|
|
||||||
"vhostOptions": {
|
|
||||||
"%%managerWebName": {
|
|
||||||
"vhostHttps": "1"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"webIDAuthnLevel": 1,
|
|
||||||
"webIDExportedVars": {},
|
|
||||||
"whatToTrace": "_whatToTrace",
|
|
||||||
"yubikeyAuthnLevel": 3,
|
|
||||||
"yubikeyPublicIDSize": 12
|
|
||||||
}
|
}
|
||||||
|
@ -1,130 +0,0 @@
|
|||||||
#====================================================================
|
|
||||||
# Apache configuration for LemonLDAP::NG Manager
|
|
||||||
#====================================================================
|
|
||||||
|
|
||||||
# Uncomment this if no previous NameVirtualHost declaration
|
|
||||||
#NameVirtualHost "*:80"
|
|
||||||
|
|
||||||
# To insert LLNG user id in Apache logs, declare this format and use it in
|
|
||||||
# CustomLog directive
|
|
||||||
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
|
|
||||||
|
|
||||||
# Manager virtual host (manager.example.com)
|
|
||||||
<VirtualHost %%adresse_ip_eth0:443>
|
|
||||||
ServerName %%managerWebName
|
|
||||||
SSLEngine on
|
|
||||||
SSLCertificateFile %%server_cert
|
|
||||||
SSLCertificateKeyFile %%server_key
|
|
||||||
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
|
||||||
SSLProtocol all -SSLv3 -SSLv2
|
|
||||||
SSLProxyEngine on
|
|
||||||
|
|
||||||
LogLevel %%lm_loglevel
|
|
||||||
ErrorLog /var/log/apache2/manager_error.log
|
|
||||||
CustomLog /var/log/apache2/manager_access.log common
|
|
||||||
|
|
||||||
# See above to set LLNG user id in Apache logs
|
|
||||||
#CustomLog /var/log/apache2/manager.log llng
|
|
||||||
#ErrorLog /var/log/apache2/lm_err.log
|
|
||||||
|
|
||||||
# Uncomment this if you are running behind a reverse proxy and want
|
|
||||||
# LemonLDAP::NG to see the real IP address of the end user
|
|
||||||
# Adjust the settings to match the IP address of your reverse proxy
|
|
||||||
# and the header containing the original IP address
|
|
||||||
#
|
|
||||||
#RemoteIPHeader X-Forwarded-For
|
|
||||||
#RemoteIPInternalProxy 127.0.0.1
|
|
||||||
|
|
||||||
|
|
||||||
# FASTCGI CONFIGURATION
|
|
||||||
# ---------------------
|
|
||||||
|
|
||||||
# 1) URI management
|
|
||||||
RewriteEngine on
|
|
||||||
|
|
||||||
# For performances, you can delete the previous RewriteRule line after
|
|
||||||
# puttings html files: simply put the HTML results of differents modules
|
|
||||||
# (configuration, sessions, notifications) as manager.html, sessions.html,
|
|
||||||
# notifications.html and uncomment the 2 following lines:
|
|
||||||
# DirectoryIndex manager.html
|
|
||||||
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
|
|
||||||
|
|
||||||
# REST URLs
|
|
||||||
RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
|
|
||||||
RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
|
|
||||||
|
|
||||||
# 2) FastCGI engine
|
|
||||||
|
|
||||||
# You can choose any FastCGI system. Here is an example using mod_fcgid
|
|
||||||
# mod_fcgid configuration
|
|
||||||
FcgidMaxRequestLen 2000000
|
|
||||||
<Files *.fcgi>
|
|
||||||
SetHandler fcgid-script
|
|
||||||
Options +ExecCGI
|
|
||||||
header unset Lm-Remote-User
|
|
||||||
</Files>
|
|
||||||
|
|
||||||
# If you want to use mod_fastcgi, replace lines below by:
|
|
||||||
#FastCgiServer /usr/share/lemonldap-ng/manager/htdocs//manager.fcgi
|
|
||||||
|
|
||||||
# GLOBAL CONFIGURATION
|
|
||||||
# --------------------
|
|
||||||
|
|
||||||
DocumentRoot /usr/share/lemonldap-ng/manager/htdocs/
|
|
||||||
|
|
||||||
<Location />
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all granted
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Allow from all
|
|
||||||
</IfVersion>
|
|
||||||
Options +FollowSymLinks
|
|
||||||
|
|
||||||
<IfModule mod_deflate.c>
|
|
||||||
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
|
|
||||||
SetOutputFilter DEFLATE
|
|
||||||
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
|
||||||
BrowserMatch ^Mozilla/4\.0[678] no-gzip
|
|
||||||
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
|
|
||||||
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
|
|
||||||
</IfModule>
|
|
||||||
<IfModule mod_headers.c>
|
|
||||||
Header append Vary User-Agent env=!dont-vary
|
|
||||||
</IfModule>
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# Static files (javascripts, HTML forms,...)
|
|
||||||
|
|
||||||
Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static//
|
|
||||||
<Directory /usr/share/lemonldap-ng/manager/htdocs/static/>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all granted
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Allow from all
|
|
||||||
</IfVersion>
|
|
||||||
Options +FollowSymLinks
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
# On-line documentation
|
|
||||||
Alias /doc/ /usr/share/doc/lemonldap-ng/
|
|
||||||
Alias /lib/ /usr/share/doc/lemonldap-ng/pages/documentation/current/lib/
|
|
||||||
<Directory /usr/share/doc/lemonldap-ng/>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all granted
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Allow from all
|
|
||||||
</IfVersion>
|
|
||||||
ErrorDocument 404 /notfound.html
|
|
||||||
Options +FollowSymLinks
|
|
||||||
DirectoryIndex index.html start.html
|
|
||||||
</Directory>
|
|
||||||
|
|
||||||
# Uncomment this if site if you use SSL only
|
|
||||||
#Header set Strict-Transport-Security "max-age=15768000"
|
|
||||||
</VirtualHost>
|
|
@ -5,7 +5,8 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443;
|
||||||
|
ssl on;
|
||||||
%if %%cert_type == "letsencrypt"
|
%if %%cert_type == "letsencrypt"
|
||||||
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
|
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
|
||||||
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
|
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
|
||||||
@ -69,8 +70,8 @@ server {
|
|||||||
|
|
||||||
# DEBIAN
|
# DEBIAN
|
||||||
# If install was made with USEDEBIANLIBS (official releases), uncomment this
|
# If install was made with USEDEBIANLIBS (official releases), uncomment this
|
||||||
location /javascript/ {
|
#location /javascript/ {
|
||||||
alias /usr/share/javascript/;
|
# alias /usr/share/javascript/;
|
||||||
}
|
#}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
|
log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
|
||||||
'"$request" $status $body_bytes_sent '
|
'"$request" $status $body_bytes_sent '
|
||||||
'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';
|
'"$http_referer" "$http_user_agent"';
|
||||||
|
35
tmpl/pam_cas_auth.conf
Normal file
35
tmpl/pam_cas_auth.conf
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
# sample pam_cas config
|
||||||
|
|
||||||
|
# host from CAS server. mandatory
|
||||||
|
host %%authWebName
|
||||||
|
|
||||||
|
# port from CAS server. Default to 80 or 443, depends from ssl instruction
|
||||||
|
port 443
|
||||||
|
|
||||||
|
# uri to validate ticket. Default to /proxyValidate
|
||||||
|
uriValidate /proxyValidate
|
||||||
|
|
||||||
|
# https or no. values on or off. Default to on.
|
||||||
|
ssl on
|
||||||
|
|
||||||
|
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
|
||||||
|
debug off
|
||||||
|
|
||||||
|
# proxy or proxies who deliver Proxy Ticket.
|
||||||
|
# If no proxy, pam_cas doesn't control it
|
||||||
|
# It may be several proxy instructions
|
||||||
|
#proxy https://%%authWebName/proxycas/casimap.php
|
||||||
|
#proxy https://imp.its.yale.edu/cas/casProxy.php
|
||||||
|
#proxy https://uportal1.its.yale.edu/CasProxyServlet
|
||||||
|
#proxy https://uportal2.its.yale.edu/CasProxyServlet
|
||||||
|
|
||||||
|
# trusted_ca. mandatory if ssl on.
|
||||||
|
# It a file in pem format. It can contents several certificates
|
||||||
|
# If the CAS server certificate is auto-signed, the file must content the certificate
|
||||||
|
# If the certificate is trusted by an Certificate Autority, The file must content
|
||||||
|
# certificate from high level CA
|
||||||
|
%if not %%is_empty(%%getVar('ssoCALocation', ''))
|
||||||
|
trusted_ca %%ssoCALocation
|
||||||
|
%else
|
||||||
|
trusted_ca /etc/ssl/certs/ca.crt
|
||||||
|
%end if
|
@ -1,147 +0,0 @@
|
|||||||
#====================================================================
|
|
||||||
# Apache configuration for LemonLDAP::NG Portal
|
|
||||||
#====================================================================
|
|
||||||
|
|
||||||
# Uncomment this if no previous NameVirtualHost declaration
|
|
||||||
#NameVirtualHost "*:80"
|
|
||||||
|
|
||||||
# To insert LLNG user id in Apache logs, declare this format and use it in
|
|
||||||
# CustomLog directive
|
|
||||||
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
|
|
||||||
|
|
||||||
# Portal Virtual Host (auth.example.com)
|
|
||||||
<VirtualHost %%adresse_ip_eth0:443>
|
|
||||||
ServerName %%authWebName
|
|
||||||
SSLEngine on
|
|
||||||
SSLCertificateFile %%server_cert
|
|
||||||
SSLCertificateKeyFile %%server_key
|
|
||||||
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
|
|
||||||
SSLProtocol all -SSLv3 -SSLv2
|
|
||||||
SSLProxyEngine on
|
|
||||||
|
|
||||||
LogLevel %%lm_loglevel
|
|
||||||
ErrorLog /var/log/apache2/portal_error.log
|
|
||||||
CustomLog /var/log/apache2/portal_access.log common
|
|
||||||
|
|
||||||
# See above to set LLNG user id in Apache logs
|
|
||||||
#CustomLog /var/log/apache2/portal.log llng
|
|
||||||
|
|
||||||
# DocumentRoot (FCGI scripts)
|
|
||||||
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
|
|
||||||
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all granted
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Allow from all
|
|
||||||
</IfVersion>
|
|
||||||
Options +ExecCGI +FollowSymLinks
|
|
||||||
</Directory>
|
|
||||||
RewriteEngine On
|
|
||||||
# For performances, you can put static html files: simply put the HTML
|
|
||||||
# result (example: /oauth2/checksession.html) as static file. Then
|
|
||||||
# uncomment the following line.
|
|
||||||
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
|
|
||||||
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
|
|
||||||
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
|
|
||||||
|
|
||||||
# Note that Content-Security-Policy header is generated by portal itself
|
|
||||||
<Files *.fcgi>
|
|
||||||
SetHandler fcgid-script
|
|
||||||
|
|
||||||
# Authorization header needs to be passed when using Kerberos or OIDC
|
|
||||||
<IfVersion >= 2.4.13>
|
|
||||||
CGIPassAuth On
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.4.13>
|
|
||||||
RewriteCond %{HTTP:Authorization} ^(.*)
|
|
||||||
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
|
|
||||||
</IfVersion>
|
|
||||||
|
|
||||||
Options +ExecCGI
|
|
||||||
header unset Lm-Remote-User
|
|
||||||
</Files>
|
|
||||||
|
|
||||||
# Uncomment this if status is enabled
|
|
||||||
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
|
|
||||||
|
|
||||||
# Static files
|
|
||||||
Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
|
|
||||||
<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
|
|
||||||
Require all granted
|
|
||||||
Options +FollowSymLinks
|
|
||||||
</Directory>
|
|
||||||
<Location /static/>
|
|
||||||
<IfModule mod_expires.c>
|
|
||||||
ExpiresActive On
|
|
||||||
ExpiresDefault "access plus 1 month"
|
|
||||||
</IfModule>
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
<IfModule mod_dir.c>
|
|
||||||
DirectoryIndex index.fcgi index.html
|
|
||||||
</IfModule>
|
|
||||||
|
|
||||||
# REST/SOAP functions for sessions management (disabled by default)
|
|
||||||
<Location /index.fcgi/adminSessions>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all denied
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Deny from all
|
|
||||||
</IfVersion>
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# REST/SOAP functions for sessions access (disabled by default)
|
|
||||||
<Location /index.fcgi/sessions>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all denied
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Deny from all
|
|
||||||
</IfVersion>
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# REST/SOAP functions for configuration access (disabled by default)
|
|
||||||
<Location /index.fcgi/config>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all denied
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Deny from all
|
|
||||||
</IfVersion>
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# REST/SOAP functions for notification insertion (disabled by default)
|
|
||||||
<Location /index.fcgi/notification>
|
|
||||||
<IfVersion >= 2.3>
|
|
||||||
Require all denied
|
|
||||||
</IfVersion>
|
|
||||||
<IfVersion < 2.3>
|
|
||||||
Order Deny,Allow
|
|
||||||
Deny from all
|
|
||||||
</IfVersion>
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# Enable compression
|
|
||||||
<Location />
|
|
||||||
<IfModule mod_deflate.c>
|
|
||||||
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
|
|
||||||
SetOutputFilter DEFLATE
|
|
||||||
BrowserMatch ^Mozilla/4 gzip-only-text/html
|
|
||||||
BrowserMatch ^Mozilla/4\.0[678] no-gzip
|
|
||||||
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
|
|
||||||
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
|
|
||||||
</IfModule>
|
|
||||||
<IfModule mod_headers.c>
|
|
||||||
Header append Vary User-Agent env=!dont-vary
|
|
||||||
</IfModule>
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
# Uncomment this if site if you use SSL only
|
|
||||||
#Header set Strict-Transport-Security "max-age=15768000"
|
|
||||||
</VirtualHost>
|
|
@ -15,7 +15,8 @@ server {
|
|||||||
}
|
}
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl;
|
listen 443;
|
||||||
|
ssl on;
|
||||||
%if %%cert_type == "letsencrypt"
|
%if %%cert_type == "letsencrypt"
|
||||||
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
|
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
|
||||||
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
|
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
|
||||||
@ -82,7 +83,7 @@ server {
|
|||||||
|
|
||||||
# DEBIAN
|
# DEBIAN
|
||||||
# If install was made with USEDEBIANLIBS (official releases), uncomment this
|
# If install was made with USEDEBIANLIBS (official releases), uncomment this
|
||||||
location /javascript/ {
|
#location /javascript/ {
|
||||||
alias /usr/share/javascript/;
|
# alias /usr/share/javascript/;
|
||||||
}
|
#}
|
||||||
}
|
}
|
||||||
|
117
tmpl/test-nginx.conf
Normal file
117
tmpl/test-nginx.conf
Normal file
@ -0,0 +1,117 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443;
|
||||||
|
ssl on;
|
||||||
|
ssl_certificate %%server_cert;
|
||||||
|
ssl_certificate_key %%server_key;
|
||||||
|
ssl_client_certificate /etc/ssl/certs/ca.crt;
|
||||||
|
access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
|
||||||
|
|
||||||
|
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
|
||||||
|
root /var/lib/lemonldap-ng/test/;
|
||||||
|
|
||||||
|
# Internal authentication request
|
||||||
|
location = /lmauth {
|
||||||
|
internal;
|
||||||
|
|
||||||
|
# FastCGI configuration
|
||||||
|
include /etc/nginx/fastcgi_params;
|
||||||
|
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||||
|
# Drop post datas
|
||||||
|
fastcgi_pass_request_body off;
|
||||||
|
fastcgi_param CONTENT_LENGTH "";
|
||||||
|
# Keep original hostname
|
||||||
|
fastcgi_param HOST $http_host;
|
||||||
|
# Keep original request (LLNG server will receive /lmauth)
|
||||||
|
fastcgi_param X_ORIGINAL_URI $request_uri;
|
||||||
|
# Improve performances
|
||||||
|
#fastcgi_buffer_size 32k;
|
||||||
|
#fastcgi_buffers 32 32k;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# Client requests
|
||||||
|
location / {
|
||||||
|
# Local application
|
||||||
|
index index.pl;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
|
||||||
|
# Reverse proxy
|
||||||
|
#proxy_pass http://remote.server/;
|
||||||
|
#include /etc/nginx/proxy_params;
|
||||||
|
|
||||||
|
##################################
|
||||||
|
# CALLING AUTHENTICATION #
|
||||||
|
##################################
|
||||||
|
auth_request /lmauth;
|
||||||
|
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
|
||||||
|
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
|
||||||
|
auth_request_set $lmlocation $upstream_http_location;
|
||||||
|
# If CDA is used, uncomment this
|
||||||
|
#auth_request_set $cookie_value $upstream_http_set_cookie;
|
||||||
|
#add_header Set-Cookie $cookie_value;
|
||||||
|
# Remove this for AuthBasic handler
|
||||||
|
error_page 401 $lmlocation;
|
||||||
|
|
||||||
|
##################################
|
||||||
|
# PASSING HEADERS TO APPLICATION #
|
||||||
|
##################################
|
||||||
|
|
||||||
|
# IF LUA IS SUPPORTED
|
||||||
|
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
|
||||||
|
|
||||||
|
# ELSE
|
||||||
|
# Set manually your headers
|
||||||
|
#auth_request_set $authuser $upstream_http_auth_user;
|
||||||
|
#proxy_set_header Auth-User $authuser;
|
||||||
|
# OR in the corresponding block
|
||||||
|
#fastcgi_param HTTP_AUTH_USER $authuser;
|
||||||
|
|
||||||
|
# Then (if LUA is not supported), change cookie header to hide LLNG cookie
|
||||||
|
#auth_request_set $lmcookie $upstream_http_cookie;
|
||||||
|
#proxy_set_header Cookie: $lmcookie;
|
||||||
|
# OR in the corresponding block
|
||||||
|
#fastcgi_param HTTP_COOKIE $lmcookie;
|
||||||
|
|
||||||
|
# Uncomment this if you use https only
|
||||||
|
#add_header Strict-Transport-Security "max-age=15768000";
|
||||||
|
|
||||||
|
# Set REMOTE_USER (for FastCGI apps only)
|
||||||
|
#fastcgi_param REMOTE_USER $lmremote_user;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Handle test CGI
|
||||||
|
location ~ ^(?<sc>/.*\.pl)(?:$|/) {
|
||||||
|
include /etc/nginx/fastcgi_params;
|
||||||
|
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||||
|
fastcgi_param LLTYPE cgi;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||||
|
fastcgi_split_path_info ^(.*\.pl)(/.+)$;
|
||||||
|
fastcgi_param REMOTE_USER $lmremote_user;
|
||||||
|
|
||||||
|
# Or with uWSGI
|
||||||
|
#include /etc/nginx/uwsgi_params;
|
||||||
|
#uwsgi_pass 127.0.0.1:5000;
|
||||||
|
#uwsgi_param LLTYPE cgi;
|
||||||
|
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
|
||||||
|
#uwsgi_param SCRIPT_NAME $sc;
|
||||||
|
}
|
||||||
|
|
||||||
|
#location = /status {
|
||||||
|
# allow 127.0.0.1;
|
||||||
|
# deny all;
|
||||||
|
# include /etc/nginx/fastcgi_params;
|
||||||
|
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||||
|
# fastcgi_param LLTYPE status;
|
||||||
|
|
||||||
|
### Or with uWSGI
|
||||||
|
## include /etc/nginx/uwsgi_params;
|
||||||
|
## uwsgi_pass 127.0.0.1:5000;
|
||||||
|
## uwsgi_param LLTYPE status;
|
||||||
|
#}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user