Compare commits

..

35 Commits

Author SHA1 Message Date
96d8a8364b Merge branch 'master' into dist/eole/2.6.2/master 2020-01-16 10:07:15 +01:00
116ff7c243 report des modifs debian de staging à master 2020-01-16 10:06:54 +01:00
33ec79b371 mise à jour dépendances 2020-01-13 12:31:01 +01:00
efd63a3db0 Merge branch 'master' into dist/eole/2.6.2/master 2020-01-13 10:27:01 +01:00
78393b2ba9 Merge branch 'master' into dist/eole/2.6.2/master 2020-01-06 15:08:43 +01:00
c9eebbb0a5 Merge branch 'master' into dist/eole/2.6.2/master 2018-09-13 14:37:01 +02:00
c7c5f08b7a Merge branch 'master' into dist/eole/2.6.2/master 2018-04-12 09:27:39 +02:00
889010cfe7 Merge branch 'master' into dist/eole/2.6.2/master 2018-04-09 14:32:24 +02:00
f0d6325cf5 Merge branch 'master' into dist/eole/2.6.2/master 2018-04-09 13:30:56 +02:00
3b4d3ccb41 Adding missing perl library for lemonldap-ng-cli command
This is mandatory to refresh the cache
2018-04-09 13:26:59 +02:00
66be6dc37e Merge branch 'master' into dist/eole/2.6.2/master 2018-03-27 12:27:19 +02:00
08ed6a21dc Merge branch 'master' into dist/eole/2.6.2/master 2018-03-26 11:31:14 +02:00
faf2a361db Merge branch 'master' into dist/eole/2.6.2/master 2018-03-21 15:31:05 +01:00
7ae579b670 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-21 14:22:00 +01:00
baa4dca9de Merge branch 'master' into dist/eole/2.6.2/master 2018-03-21 14:18:42 +01:00
849c3f0a88 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-21 14:15:00 +01:00
6f1cb45eac Merge branch 'master' into dist/eole/2.6.2/master 2018-03-21 12:29:44 +01:00
4916317d30 Setting up an conflict with eole-sso, this replace eole-sso so
we had also a Provides eole-sso
2018-03-21 12:29:09 +01:00
b7556a03b8 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-19 16:12:38 +01:00
f1defd2626 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-16 10:49:06 +01:00
7269e252de Merge branch 'master' into dist/eole/2.6.2/master 2018-03-13 10:49:05 +01:00
9e64f5ca8d Merge branch 'master' into dist/eole/2.6.2/master 2018-03-13 10:24:36 +01:00
84f41d0196 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-09 16:10:23 +01:00
b90eb474f5 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-09 15:08:45 +01:00
d69f20c896 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-09 14:30:05 +01:00
658013c177 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-09 12:01:42 +01:00
35edad1538 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-08 16:58:04 +01:00
32d336e37b Merge branch 'master' into dist/eole/2.6.2/master 2018-03-08 16:51:00 +01:00
4b26fc5c38 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-08 16:38:06 +01:00
904abd02a4 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-08 16:11:59 +01:00
e2f656f9f8 Merge branch 'master' into dist/eole/2.6.2/master 2018-03-08 16:04:28 +01:00
e5ada4d3eb Merge branch 'master' into dist/eole/2.6.2/master 2018-03-08 15:47:47 +01:00
dab8085a83 Adding missing Depends for eole-lemonldap 2018-03-06 16:12:59 +01:00
ad490d3810 Fix typo 2018-03-05 16:55:22 +01:00
0fc774cd05 Adding Debian packaging 2018-03-05 16:48:11 +01:00
40 changed files with 1333 additions and 1406 deletions

4
.gitignore vendored
View File

@ -1,4 +0,0 @@
# Backup and swap files
*~
*#
*.swp

View File

@ -4,8 +4,8 @@
SOURCE=eole-lemonldap SOURCE=eole-lemonldap
VERSION=0.1 VERSION=0.1
EOLE_VERSION=2.7 EOLE_VERSION=2.6
EOLE_RELEASE=2.7.2 EOLE_RELEASE=2.6.2
PKGAPPS=non PKGAPPS=non
#FLASK_MODULE=<APPLICATION> #FLASK_MODULE=<APPLICATION>

View File

@ -10,14 +10,14 @@ LemonLDAP::NG EOLE integration
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
#### LemonLDAP::NG repository (if you use EOLE 2.8.X this is not needed anymore) #### LemonLDAP::NG repository
* deb https://lemonldap-ng.org/deb stable main * deb https://lemonldap-ng.org/deb 1.9 main
* deb-src https://lemonldap-ng.org/deb stable main * deb-src https://lemonldap-ng.org/deb 1.9 main
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 * Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
#### Cadoles Repository #### Cadoles Repository
* deb [ arch=all ] https://vulcain.cadoles.com 2.7.2-dev main * deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
* Key URL : https://vulcain.cadoles.com/cadoles.gpg * Key URL : https://vulcain.cadoles.com/cadoles.gpg
### Install packages ### Install packages
@ -33,28 +33,18 @@ Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui"
* Fill LemonLDAP configuration * Fill LemonLDAP configuration
#### On Scribe #### Nginx Web case
* LemonLDAP::NG is configured to use the local LDAP service
* We register the supplementary host names to the AD DNS
* We add the supplementary host names to the `ssl_subjectalt_names`
#### Manual configuration
##### Nginx Web case
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
not be served properly, so we need to disable this function not be served properly, so we need to disable this function
GenConfig -> Services -> Activer la publication dapplications web par Nginx -> "Non' GenConfig -> Services -> Activer la publication dapplications web par Nginx -> "Non'
##### Configuration DNS #### Configuration DNS
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG * GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG * GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
##### Configuration LDAP #### Configuration LDAP
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser * GenConfig -> Lemonldap -> Protocole LDAP à utiliser
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG * GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG * GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
@ -62,14 +52,14 @@ GenConfig -> Services -> Activer la publication dapplications web par Nginx -
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr) * GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password) * GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
##### Configuration CAS #### Configuration CAS
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default) Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
* GenConfig -> Lemonldap -> Nom de l'attribut CAS * GenConfig -> Lemonldap -> Nom de l'attribut CAS
* GenConfig -> Lemonldap -> Attribut LDAP équivalent * GenConfig -> Lemonldap -> Attribut LDAP équivalent
##### SSL issues ### SSL issues
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names. If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG) You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)

View File

@ -31,7 +31,7 @@ def getSSOFilters():
""" Convert former eole-sso filters to LemonLDAP filters """ Convert former eole-sso filters to LemonLDAP filters
""" """
import glob import glob
from configparser import ConfigParser from ConfigParser import ConfigParser
try: try:
filters = { 'uid': "uid", "mail": "mail" } filters = { 'uid': "uid", "mail": "mail" }

1
debian/compat vendored Normal file
View File

@ -0,0 +1 @@
9

30
debian/control vendored Normal file
View File

@ -0,0 +1,30 @@
Source: eole-lemonldap
Section: web
Priority: optional
Maintainer: Cadoles <eole@ac-dijon.fr>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.3
Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
Package: eole-lemonldap
Architecture: all
Depends: ${misc:Depends}, eole-lemonldap-pkg
Conflicts: eole-sso
Provides: eole-sso
Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
.
Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.
Package: eole-lemonldap-pkg
Architecture: all
Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fastcgi-server,
libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
libxml-simple-perl, libcgi-compile-perl, libmouse-perl, libio-string-perl, libnet-openid-server-perl,
libemail-sender-perl, libgd-securityimage-perl, libimage-magick-perl, libnet-ldap-perl,
libunicode-string-perl, libsoap-lite-perl, libhtml-template-perl, libcache-cache-perl,
libdbi-perl, perl-modules, libwww-perl
Description: Paquet de dépendances pour eole-lemonldap.
.
Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

44
debian/copyright vendored Normal file
View File

@ -0,0 +1,44 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: {PROJECT}
Source: {URL}
Files: *
Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
License: {UPSTREAM LICENSE}
Files: debian/*
Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
License: CeCILL-2
License: {UPSTREAM LICENSE}
{TEXT OF THE LICENSE}
License: CeCILL-2
This software is governed by the CeCILL-2 license under French law and
abiding by the rules of distribution of free software. You can use,
modify and or redistribute the software under the terms of the CeCILL-2
license as circulated by CEA, CNRS and INRIA at the following URL
"http://www.cecill.info";.
.
As a counterpart to the access to the source code and rights to copy,
modify and redistribute granted by the license, users are provided only
with a limited warranty and the software's author, the holder of the
economic rights, and the successive licensors have only limited
liability.
.
In this respect, the user's attention is drawn to the risks associated
with loading, using, modifying and/or developing or reproducing the
software by the user in light of its specific status of free software,
that may mean that it is complicated to manipulate, and that also
therefore means that it is reserved for developers and experienced
professionals having in-depth computer knowledge. Users are therefore
encouraged to load and test the software's suitability as regards their
requirements in conditions enabling the security of their systems and/or
data to be ensured and, more generally, to use and operate it in the
same conditions as regards security.
.
The fact that you are presently reading this means that you have had
knowledge of the CeCILL-2 license and that you accept its terms.
.
On Eole systems, the complete text of the CeCILL-2 License can be found
in '/usr/share/common-licenses/CeCILL-2-en'.

1
debian/eole-lemonldap.install vendored Normal file
View File

@ -0,0 +1 @@
usr

3
debian/gbp.conf vendored Normal file
View File

@ -0,0 +1,3 @@
# Set per distribution debian tag
[DEFAULT]
debian-tag = debian/eole/%(version)s

8
debian/rules vendored Executable file
View File

@ -0,0 +1,8 @@
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
%:
dh $@

BIN
debian/source/.format.un~ vendored Normal file

Binary file not shown.

1
debian/source/format vendored Normal file
View File

@ -0,0 +1 @@
3.0 (native)

View File

@ -1,7 +1,6 @@
#!/bin/bash #!/bin/bash
if [ $(CreoleGet activerLemon 'non') = 'oui' ] if [ $(CreoleGet activerLemon) = "oui" ];then
then
. /usr/lib/eole/diagnose.sh . /usr/lib/eole/diagnose.sh
manager=$(CreoleGet managerWebName) manager=$(CreoleGet managerWebName)
portal=$(CreoleGet authWebName) portal=$(CreoleGet authWebName)

View File

@ -1,111 +1,69 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<creole> <creole>
<files> <files>
<file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/> <!-- Je suis un commentaire -->
<file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/> <file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
<file filelist='lemonldap-nginx' name='/etc/lemonldap-ng/nginx-lmlog.conf' mkdir='True' rm='True'/> <file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/manager-apache2.X.conf' mkdir='True' rm='True'/> <file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/handler-apache2.X.conf' mkdir='True' rm='True'/> <file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
<file filelist='lemonldap-apache' name='/etc/lemonldap-ng/portal-apache2.X.conf' mkdir='True' rm='True'/> <service>lemonldap-ng-fastcgi-server</service>
<service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
<service method='apache' servicelist='lemonldap-apache'>manager-apache2</service>
<service method='apache' servicelist='lemonldap-apache'>portal-apache2</service>
<service method='apache' servicelist='lemonldap-apache'>handler-apache2</service>
<service_access service='nginx'> <service_access service='nginx'>
<port service_accesslist="saLemon">80</port> <port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port> <port service_accesslist="saLemon">443</port>
</service_access> </service_access>
</files> </files>
<variables> <variables>
<family name='eole-sso'>
<variable name='eolesso_cas_folder' redefine="True" exists='True'>
<value>/cas</value>
</variable>
<variable name='eolesso_port' redefine="True" exists='True'>
<value>443</value>
</variable>
</family>
<family name='Services'> <family name='Services'>
<variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG"> <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
<value>non</value> <value>non</value>
</variable> </variable>
</family> </family>
<family name='LemonLDAP'>
<family name='LemonLDAP' icon='lemon'>
<variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/> <variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
<variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/> <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
<variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/> <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/> -->
<variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
<value>LDAP</value>
</variable>
<variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
<variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/> <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
<variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/> <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
<variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/> <variable name='ldapUserBaseDN' type='string' description="Base DN des utilisateurs dans l'annuaire" mandatory='True'/>
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/> <variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='password' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/> <variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/> <variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
<variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP"> <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
<value>oui</value>
</variable>
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
<value>4</value> <value>4</value>
</variable> </variable>
<variable name="lm_loglevel" type='string' description="Verbosité des journaux" mode='expert'>
<value>info</value>
</variable>
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'> <variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
<value>admin</value> <value>admin</value>
</variable> </variable>
<variable name="nginxBucketSize" type='number' description="Taille du hash des noms de serveur pour NGINX" mode='expert'>
<value>64</value>
</variable>
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/> <variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/> <variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert"> <variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
<value>cas</value> <value>cas</value>
</variable> </variable>
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True'>
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True' exists='False'>
<value>oui</value> <value>oui</value>
</variable> </variable>
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/> <variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
<variable name='ssoDebug' type='string' description="Activer le Debug pour la lib php-CAS" mode="expert">
<value>non</value>
</variable>
<variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG"> <variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG">
<value>bootstrap</value> <value>bootstrap</value>
</variable> </variable>
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection"> <variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
<value>non</value> <value>non</value>
</variable> </variable>
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe par mail"> <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
<value>oui</value>
</variable>
<variable name='llChangePassword' type='oui/non' description="Permettre aux utilisateurs de changer leurs mots de passe depuis LemonLDAP">
<value>oui</value>
</variable>
<variable name='llADPasswordMaxAge' type='number' description="Durée de vie des mots de passe (en secondes)" mode='expert'>
<value>5184000</value>
</variable>
<variable name='llADPasswordExpireWarn' type='number' description="Délai avant affichage d'un message d'alerte sur l'expiration du mot de passe (en secondes)">
<value>3456000</value>
</variable>
<variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
<value>oui</value> <value>oui</value>
</variable> </variable>
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" /> <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
@ -115,18 +73,14 @@
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/> <variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/> <variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/> <variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
</family> </family>
<separators> <separators>
<separator name="managerWebName">Configuration DNS</separator> <separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator> <separator name="ldapScheme">Configuration LDAP</separator>
<separator name="casAttribute">Configuration CAS</separator> <separator name="casAttribute">Configuration CAS</separator>
<separator name="llSkin">Personnalisation de la mire SSO</separator> <separator name="llSkin">Personnalisation de la mire SSO</separator>
</separators> </separators>
</variables> </variables>
<constraints> <constraints>
<fill name='concat' target='managerWebName'> <fill name='concat' target='managerWebName'>
<param>manager.</param> <param>manager.</param>
@ -144,54 +98,22 @@
<param>SAML</param> <param>SAML</param>
<param type='eole'>nom_domaine_local</param> <param type='eole'>nom_domaine_local</param>
</fill> </fill>
<check name="valid_enum" target="ldapScheme"> <check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param> <param>['ldaps','ldap']</param>
</check> </check>
<check name="valid_enum" target="lemon_user_db">
<param>['LDAP','AD']</param>
</check>
<check name='valid_enum' target="lm_loglevel">
<param>['info','notice','warn','error','debug']</param>
</check>
<check name="valid_enum" target="llRegisterDB"> <check name="valid_enum" target="llRegisterDB">
<param>['LDAP','AD','Demo','Custom']</param> <param>['LDAP','Demo','Custom']</param>
</check> </check>
<group master="casAttribute"> <group master="casAttribute">
<slave>casLDAPAttribute</slave> <slave>casLDAPAttribute</slave>
</group> </group>
<condition name='disabled_if_not_in' source='lemon_user_db'>
<param>AD</param>
<target type='variable'>llADPasswordMaxAge</target>
<target type='variable'>llADPasswordExpireWarn</target>
</condition>
<condition name='disabled_if_in' source='activerLemon'> <condition name='disabled_if_in' source='activerLemon'>
<param>non</param> <param>non</param>
<target type='filelist'>lemonldap</target> <target type='filelist'>lemon</target>
<target type='filelist'>lemonldap-nginx</target> <target type='filelist'>lemonCAS</target>
<target type='filelist'>lemonldap-apache</target>
<target type='servicelist'>lemonldap-apache</target>
<target type='servicelist'>sllemon</target>
<target type='family'>LemonLDAP</target> <target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target> <target type='service_accesslist'>saLemon</target>
</condition> </condition>
<condition name="disabled_if_in" source="activer_nginx_web" fallback="True">
<param>non</param>
<target type='filelist'>lemonldap-nginx</target>
</condition>
<condition name="disabled_if_in" source="activer_apache" fallback="True">
<param>non</param>
<target type='filelist'>lemonldap-apache</target>
<target type='servicelist'>lemonldap-apache</target>
</condition>
<condition name='disabled_if_in' source='llRegisterAccount'> <condition name='disabled_if_in' source='llRegisterAccount'>
<param>non</param> <param>non</param>
<target type='variable'>llRegisterDB</target> <target type='variable'>llRegisterDB</target>
@ -203,21 +125,18 @@
<condition name='disabled_if_in' source='llResetPassword'> <condition name='disabled_if_in' source='llResetPassword'>
<param>non</param> <param>non</param>
<target type='variable'>llResetUrl</target> <target type='variable'>llResetUrl</target>
<target type='variable'>llResetExpiredPassword</target>
</condition> </condition>
<check name='valid_enum' target='llSkin'> <check name='valid_enum' target='llSkin'>
<param>['bootstrap','dark','impact','pastel']</param> <param>['bootstrap','dark','impact','pastel']</param>
<param name="checkval">False</param> <param name="checkval">False</param>
</check> </check>
</constraints> </constraints>
<help> <help>
<family name='LemonLDAP'>Configuration de la solution d'authentification unique LemonLDAP::NG</family> <variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='activerLemon'>Activer le service LemonLDAP::NG sur ce serveur</variable> <variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable> <variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable> <variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='ldapUserBaseDN'>DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr)</variable> <variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
<variable name='ldapBindUserDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable> <variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable> <variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
</help> </help>

View File

@ -1,80 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<creole>
<files />
<variables>
<family name='eole sso'>
<variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
</family>
</variables>
<constraints>
<fill name='calc_multi_condition' target='activer_sso'>
<param>oui</param>
<param type='eole' name='condition_1'>activerLemon</param>
<param name='match'>distant</param>
<param name='default_mismatch'>local</param>
</fill>
<condition name='frozen_if_in' source='activerLemon'>
<param>oui</param>
<target type='variable'>activer_sso</target>
</condition>
<fill name='calc_val_first_value' target='eolesso_adresse'>
<param type='eole' optional='True' hidden='False'>authWebName</param>
<param type='eole' optional='True' hidden='False'>web_url</param>
<param type='eole'>nom_domaine_machine</param>
</fill>
<condition name='frozen_if_in' source='activerLemon'>
<param>oui</param>
<target type='variable'>eolesso_adresse</target>
</condition>
<auto name='calc_multi_condition' target='ldapScheme'>
<param>oui</param>
<param type='eole' name='condition_1'>ldap_tls</param>
<param name='match'>ldaps</param>
<param name='default_mismatch'>ldap</param>
</auto>
<auto name='calc_val' target='ldapServer'>
<param type='eole'>adresse_ip_ldap</param>
</auto>
<auto name='calc_val' target='ldapServerPort'>
<param type='eole'>ldap_port</param>
</auto>
<auto name='calc_val' target='lemon_user_db'>
<param>LDAP</param>
</auto>
<auto name='calc_val' target='llRegisterDB'>
<param>LDAP</param>
</auto>
<auto name='calc_val' target='ldapUserBaseDN'>
<param type='eole'>ldap_base_dn</param>
</auto>
<auto name='calc_val' target='ldapBindUserDN'>
<param type='eole'>ldap_reader</param>
</auto>
<auto name='calc_val' target='ldapBindUserPassword'>
<param type='eole'>ldap_reader_passfile</param>
</auto>
<auto name='calc_val' target='casFolder'>
<param type='eole'>eolesso_cas_folder</param>
</auto>
</constraints>
<help />
</creole>

View File

@ -1,2 +0,0 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs
lemonldap-ng_DATA_DIR := $(eole_DIR)/lemonldap-ng

1
eole-lemonldap.mk Normal file
View File

@ -0,0 +1 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs

View File

@ -1,102 +0,0 @@
package Lemonldap::NG::Portal::UserDB::LDAP;
use strict;
use Mouse;
use utf8;
use Lemonldap::NG::Portal::Main::Constants qw(PE_OK);
extends 'Lemonldap::NG::Portal::Lib::LDAP';
our $VERSION = '2.0.6';
has ldapGroupAttributeNameSearch => (
is => 'rw',
lazy => 1,
builder => sub {
my $attributes = [];
@$attributes =
split( /\s+/, $_[0]->{conf}->{ldapGroupAttributeNameSearch} )
if $_[0]->{conf}->{ldapGroupAttributeNameSearch};
push( @$attributes, $_[0]->{conf}->{ldapGroupAttributeNameGroup} )
if ( $_[0]->{conf}->{ldapGroupRecursive}
and $_[0]->{conf}->{ldapGroupAttributeNameGroup} ne "dn" );
return $attributes;
}
);
# RUNNING METHODS
#
# getUser is provided by Portal::Lib::LDAP
# Load all parameters included in exportedVars parameter.
# Multi-value parameters are loaded in a single string with
# a separator (param multiValuesSeparator)
# @return Lemonldap::NG::Portal constant
sub setSessionInfo {
my ( $self, $req ) = @_;
$req->{sessionInfo}->{_dn} = $req->data->{dn};
my %vars = ( %{ $self->conf->{exportedVars} },
%{ $self->conf->{ldapExportedVars} } );
while ( my ( $k, $v ) = each %vars ) {
# getLdapValue returns an empty string for missing attribute
# but we really want to return undef so they don't get stored in session
$req->sessionInfo->{$k} =
$self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
}
PE_OK;
}
# Load all groups in $groups.
# @return Lemonldap::NG::Portal constant
sub setGroups {
my ( $self, $req ) = @_;
my $groups = $req->{sessionInfo}->{groups};
my $hGroups = $req->{sessionInfo}->{hGroups};
if ( $self->conf->{ldapGroupBase} ) {
# Get value for group search
my $group_value = $self->ldap->getLdapValue( $req->data->{ldapentry},
$self->conf->{ldapGroupAttributeNameUser} );
if ( $self->conf->{ldapGroupDecodeSearchedValue} ) {
utf8::decode($group_value);
}
$self->logger->debug( "Searching LDAP groups in "
. $self->conf->{ldapGroupBase}
. " for $group_value" );
# Call searchGroups
my $ldapGroups = $self->ldap->searchGroups(
$self->conf->{ldapGroupBase},
$self->conf->{ldapGroupAttributeName},
$group_value,
$self->ldapGroupAttributeNameSearch,
$req->{ldapGroupDuplicateCheck}
);
foreach ( keys %$ldapGroups ) {
my $groupName = $_;
$hGroups->{$groupName} = $ldapGroups->{$groupName};
my $groupValues = [];
foreach ( @{ $self->ldapGroupAttributeNameSearch } ) {
next if $_ =~ /^name$/;
my $firstValue = $ldapGroups->{$groupName}->{$_}->[0];
push @$groupValues, $firstValue;
}
$groups .= $self->conf->{multiValuesSeparator} if $groups;
$groups .= join( '|', @$groupValues );
}
}
$req->{sessionInfo}->{groups} = $groups;
$req->{sessionInfo}->{hGroups} = $hGroups;
PE_OK;
}
1;

View File

@ -1,20 +0,0 @@
--- /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm.old 2019-12-11 12:05:54.000000000 +0100
+++ /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm 2021-01-05 10:54:19.188732119 +0100
@@ -40,10 +40,15 @@
%{ $self->conf->{ldapExportedVars} } );
while ( my ( $k, $v ) = each %vars ) {
+ my $value = $self->ldap->getLdapValue( $req->data->{ldapentry}, $v );
+
# getLdapValue returns an empty string for missing attribute
# but we really want to return undef so they don't get stored in session
- $req->sessionInfo->{$k} =
- $self->ldap->getLdapValue( $req->data->{ldapentry}, $v ) || undef;
+ # This has to be a string comparison because "0" is a valid attribute
+ # value. See #2403
+ $value = undef if ( $value eq "" );
+
+ $req->sessionInfo->{$k} = $value;
}
PE_OK;

View File

@ -1,45 +0,0 @@
#!/bin/bash
[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0
[ -f /usr/lib/eole/eolead.sh ] || exit 0
. /usr/lib/eole/eolead.sh
# ScribeAD/HorusAD
. $CONTAINER_ROOTFS/etc/eole/samba4-vars.conf
DNS_IP="${CONTAINER_IP}"
CONTAINER_EXEC='lxc-attach -n addc --'
EXT_IP=$(CreoleGet adresse_ip_eth0)
for service in manager auth reload
do
fqdn=$(CreoleGet "${service}WebName")
service_addr=$(dig "@${DNS_IP}" "${fqdn}" +short)
if [ "${service_addr}" != "${EXT_IP}" ]
then
${CONTAINER_EXEC} kinit "${AD_HOST_NAME^^}@${AD_REALM^^}" -k -t "${AD_HOST_KEYTAB_FILE}"
if [ -n "${service_addr}" ]
then
echo -n "Suppression de lenregistrement DNS '${fqdn} IN A ${service_addr}' : "
$CONTAINER_EXEC samba-tool \
dns \
delete \
"${AD_HOST_NAME}.${AD_REALM}" \
"${AD_REALM}" \
"${fqdn}" A "${service_addr}" \
-k 1
fi
echo -n "Ajout de lenregistrement DNS '${fqdn} IN A ${EXT_IP}' : "
$CONTAINER_EXEC samba-tool \
dns \
add \
"${AD_HOST_NAME}.${AD_REALM}" \
"${AD_REALM}" \
"${fqdn}" A "${EXT_IP}" \
-k 1
fi
done
exit 0

View File

@ -1,12 +1,9 @@
#!/bin/bash #!/bin/bash
[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0
# Updating Configuration cache # Updating Configuration cache
cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache" cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
opt="update-cache" opt="update-cache"
# Updating Configuration cache res=$(${cmd} ${opt} 2>&1)
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1 exit ${?}

View File

@ -1,8 +1,5 @@
#!/bin/bash #!/bin/bash
# Don't run on ScribeAD
[ ! -f /usr/lib/eole/eolead.sh ] || exit 0
ENABLE=$(CreoleGet activerLemon 'non') ENABLE=$(CreoleGet activerLemon 'non')
HOSTS="/etc/hosts" HOSTS="/etc/hosts"

17
posttemplate/70-lemon-nginx Executable file
View File

@ -0,0 +1,17 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
CONF_FILES="manager-nginx.conf"
CONF_FILES="${CONF_FILES} handler-nginx.conf"
CONF_FILES="${CONF_FILES} portal-nginx.conf"
CONF_FILES="${CONF_FILES} test-nginx.conf"
for CONF_FILE in ${CONF_FILES}
do
if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' ];then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

View File

@ -1,19 +0,0 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
NGINX_ENABLE=$(CreoleGet activer_nginx_web 'non')
CONF_FILES="manager-nginx.conf handler-nginx.conf portal-nginx.conf"
for CONF_FILE in ${CONF_FILES}
do
if [ -e /etc/nginx/sites-enabled/${CONF_FILE} ]
then
rm /etc/nginx/sites-enabled/${CONF_FILE}
fi
if [ "${ENABLE}" = 'oui' -a "${NGINX_ENABLE}" = 'oui' ]
then
ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
fi
done

View File

@ -1,12 +0,0 @@
#!/bin/bash
# vérifie si le patch est déjà appliqué
grep -q 2403 /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm && exit 0
# copie de sauvegarde
cp -a /usr/share/perl5/Lemonldap/NG/Portal/UserDB/LDAP.pm /usr/share/eole/lemonldap-ng/
# application du patch
patch -d / -p 0 < /usr/share/eole/lemonldap-ng/LDAP.pm.patch
exit 0

27
tmpl/cas.inc.php.tmpl Normal file
View File

@ -0,0 +1,27 @@
<?php
define("__CAS_SERVER", "%%authWebName");
define("__CAS_VERSION", "2.0");
define("__CAS_FOLDER", "%%casFolder");
define("__CAS_PORT", 443);
define("__CAS_PROTO", "https");
%if %%cas_send_logout == 'oui'
define("__CAS_LOGOUT", true);
%else
define("__CAS_LOGOUT", false);
%end if
%if %%getVar('activer_web_valider_ca', 'non') == 'oui'
define("__CAS_VALIDER_CA", true);
%else
define("__CAS_VALIDER_CA", false);
%end if
%if %%is_empty(%%getVar('ssoCALocation', ''))
define("__CAS_CA_LOCATION", "/etc/ssl/certs/ca.crt");
%else
define("__CAS_CA_LOCATION", "%%ssoCALocation");
%end if
%if %%getVar("ssoDebug", 'non') == "oui"
define("__CAS_DEBUG", true);
%else
define("__CAS_DEBUG", false);
%end if
?>

View File

@ -0,0 +1,7 @@
<?php
%if %%mode_conteneur_actif != "non"
define("__CAS_IP", "%%adresse_ip_br0");
%else
define("__CAS_IP", "false");
%end if
?>

View File

@ -1,78 +0,0 @@
#========================================================================
# Apache configuration for LemonLDAP::NG Handler
#========================================================================
# This file implements the reload virtualhost that permits to reload
# configuration without restarting server, and some common instructions.
# You need then to declare this vhost in reloadUrls (in the manager
# interface if this server doesn't host the manager itself):
#
# KEY : VALUE
# host-or-IP:port : http://reload.domscribe.ac-test.fr/reload
#
# IMPORTANT:
# To protect applications, see test-apache.conf template in example files
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::ApacheMP2
# Common error page and security parameters
ErrorDocument 403 https://%%authWebName/lmerror/403
ErrorDocument 404 https://%%authWebName/lmerror/404
ErrorDocument 500 https://%%authWebName/lmerror/500
ErrorDocument 502 https://%%authWebName/lmerror/502
ErrorDocument 503 https://%%authWebName/lmerror/503
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%reloadWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/handler_error.log
CustomLog /var/log/apache2/handler_access.log common
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<Location /reload>
<IfVersion >= 2.3>
Require ip 127 ::1
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
Allow from 127.0.0.0/8 ::1
</IfVersion>
SetHandler perl-script
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
# Uncomment this to activate status module
#<Location /status>
# <IfVersion >= 2.3>
# Require ip 127 ::1
# </IfVersion>
# <IfVersion < 2.3>
# Order Deny,Allow
# Deny from all
# Allow from 127.0.0.0/8 ::1
# </IfVersion>
# SetHandler perl-script
# PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status
# # You may have to uncomment the next directive to skip
# # an upper PerlHeaderParserHandler directive
# #PerlHeaderParserHandler Apache2::Const::DECLINED
#</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -23,7 +23,8 @@ server {
} }
server { server {
listen 443 ssl; listen 443;
ssl on;
%if %%cert_type == "letsencrypt" %if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -61,7 +62,7 @@ server {
deny all; deny all;
# Uncomment this if you use https only # Uncomment this if you use https only
add_header Strict-Transport-Security "max-age=15768000"; #add_header Strict-Transport-Security "max-age=15768000";
} }
} }

View File

@ -1,5 +1,5 @@
# Number of process (default: 7) # Number of process (default: 7)
NPROC=%%lemonproc NPROC = %%lemonproc
# Unix socket to listen to # Unix socket to listen to
SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock

View File

@ -1,4 +1,3 @@
%set %%boolean = {'oui': 1, 'non': 0}
;============================================================================== ;==============================================================================
; LemonLDAP::NG local configuration parameters ; LemonLDAP::NG local configuration parameters
; ;
@ -12,6 +11,9 @@
; Section "configuration" is used to load global configuration and set cache ; Section "configuration" is used to load global configuration and set cache
; (replace old storage.conf file) ; (replace old storage.conf file)
; ;
; Section "apply" is read by Manager to reload handlers
; (replace old apply.conf file)
;
; Other section are only read by the specific LemonLDAP::NG component ; Other section are only read by the specific LemonLDAP::NG component
;============================================================================== ;==============================================================================
@ -32,80 +34,16 @@
; Warning: this can allow malicious code in custom functions or rules ; Warning: this can allow malicious code in custom functions or rules
;useSafeJail = 0 ;useSafeJail = 0
; LOGGING
;
; 1 - Defined logging level
; Set here one of error, warn, notice, info or debug
logLevel = %%lm_loglevel
; Note that this has no effect for Apache2 logging: Apache LogLevel is used
; instead
;
; 2 - Change logger
;
; By default, logging is set to:
; - Lemonldap::NG::Common::Logger::Apache2 for ApacheMP2 handlers
; - Lemonldap::NG::Common::Logger::Syslog for FastCGI (Nginx)
; - Lemonldap::NG::Common::Logger::Std for PSGI applications (manager,
; portal,...) when they are not
; launched by FastCGI server
; Other loggers availables:
; - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
;
; "Std" is redirected to the web server logs for Apache. For Nginx, only if
; request failed
;
; You can overload this in this section (for all) or in another section if
; you want to change logger for a specified app.
;
; LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
; (userLogger). "userLogger" uses the same class as "logger" if not set.
;logger = Lemonldap::NG::Common::Logger::Syslog
;userLogger = Lemonldap::NG::Common::Logger::Std
;
; 2.1 - Using Syslog
;
; For Syslog logging, you can also overwrite facilities. Default values:
logger = Lemonldap::NG::Common::Logger::Syslog
syslogFacility = daemon
userSyslogFacility = auth
;
; 2.2 - Using Log4perl
;
; If you want to use Log4perl, you can set these parameters. Here are default
; values:
;logger = Lemonldap::NG::Common::Logger::Log4perl
;log4perlConfFile = /etc/lemonldap-ng/log4perl.conf
;log4perlLogger = LLNG
;log4perlUserLogger = LLNG.user
;
; Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
; value points to the logger class. Example:
; log4perl.logger.LLNG = WARN, File1
; log4perl.logger.LLNG.user = INFO, File2
; ...
; CONFIGURATION CHECK
;
; LLNG verify configuration at server start. If you use "reload" mechanism,
; local cache will be updated. Configuration is checked locally every
; 10 minutes by each LLNG component. You can change this value using
; `checkTime` (time in seconds).
; To increase performances, you should comment this parameter and rely on cache.
checkTime = 1
[configuration] [configuration]
; confTimeout: maximum time to get configuration (default 10)
;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE ; GLOBAL CONFIGURATION ACCESS TYPE
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile) ; (File, SOAP, RDBI/CDBI, LDAP)
; Set here the parameters needed to access to LemonLDAP::NG configuration. ; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set "type" to one of the followings : ; You have to set "type" to one of the followings :
; ;
; * File/YAMLFile: you have to set 'dirName' parameter. Example: ; * File: you have to set 'dirName' parameter. Example:
; ;
; type = File ; or type = YAMLFile ; type = File
; dirName = /var/lib/lemonldap-ng/conf ; dirName = /var/lib/lemonldap-ng/conf
; ;
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword' ; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
@ -113,28 +51,17 @@ checkTime = 1
; ;
; type = RDBI ; type = RDBI
; ;type = CDBI ; ;type = CDBI
; dbiChain = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4 ; dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
; dbiUser = lemonldap ; dbiUser = lemonldap
; dbiPassword = password ; dbiPassword = password
; ;
; * REST: REST configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for
; example).
; You have to set 'baseUrl' parameter. Example:
;
; type = REST
; baseUrl = https://auth.example.com/config
; proxyOptions = { timeout => 5 }
; User = lemonldap
; Password = mypassword
;
; * SOAP: SOAP configuration access is a sort of proxy: the portal is ; * SOAP: SOAP configuration access is a sort of proxy: the portal is
; configured to use the real session storage type (DBI or File for ; configured to use the real session storage type (DBI or File for
; example). ; example).
; You have to set 'proxy' parameter. Example: ; You have to set 'proxy' parameter. Example:
; ;
; type = SOAP ; type = SOAP
; proxy = https://auth.example.com/config ; proxy = https://auth.example.com/index.pl/config
; proxyOptions = { timeout => 5 } ; proxyOptions = { timeout => 5 }
; User = lemonldap ; User = lemonldap
; Password = mypassword ; Password = mypassword
@ -164,7 +91,7 @@ dirName = /var/lib/lemonldap-ng/conf
; 'default_expires_in' => 600, \ ; 'default_expires_in' => 600, \
; 'directory_umask' => '007', \ ; 'directory_umask' => '007', \
; 'cache_root' => '/tmp', \ ; 'cache_root' => '/tmp', \
; 'cache_depth' => 3, \ ; 'cache_depth' => 0, \
; } ; }
localStorage=Cache::FileCache localStorage=Cache::FileCache
localStorageOptions={ \ localStorageOptions={ \
@ -172,36 +99,38 @@ localStorageOptions={ \
'default_expires_in' => 600, \ 'default_expires_in' => 600, \
'directory_umask' => '007', \ 'directory_umask' => '007', \
'cache_root' => '/tmp', \ 'cache_root' => '/tmp', \
'cache_depth' => 3, \ 'cache_depth' => 0, \
} }
[portal] [portal]
; PORTAL CUSTOMIZATION ; PERFORMANCES
; By setting useLocalConf, Portal will use only local cached configuration
; I - Required parameters ; To refresh it, you must have an handler on the same server or you have to
; restart your server. This increase performances
;useLocalConf = 1
; staticPrefix: relative (or URL) location of static HTML components ; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static staticPrefix = /static
; location of HTML templates directory ; location of HTML templates directory
templateDir = /usr/share/lemonldap-ng/portal/templates templateDir = /usr/share/lemonldap-ng/portal/templates
; languages: available languages for portal interface ; languages: available languages for portal interface
languages = fr, en, vi, it, ar, de, fi, tr languages = fr, en
; PORTAL CUSTOMIZATION
; II - Optional parameters (overwrite configuration)
; Name of the skin ; Name of the skin
portalSkin = %%llSkin portalSkin = %%llSkin
; Modules displayed ; Modules displayed
;portalDisplayLogout = 1 ;portalDisplayLogout = 1
portalDisplayResetPassword = %%boolean[%%llResetPassword] %if %%llResetPassword == "oui"
portalDisplayChangePassword = %%boolean[%%llChangePassword] portalDisplayResetPassword = 1
%else
portalDisplayResetPassword = 0
%end if
;portalDisplayChangePassword = 1
;portalDisplayAppslist = 1 ;portalDisplayAppslist = 1
;portalDisplayLoginHistory = 1 ;portalDisplayLoginHistory = 1
; Require the old password when changing password ; Require the old password when changing password
portalRequireOldPassword = %%boolean[%%llChangePassword] ;portalRequireOldPassword = 1
; Attribute displayed as connected user ; Attribute displayed as connected user
;portalUserAttr = mail ;portalUserAttr = mail
; Old menu HTML code ; Old menu HTML code
@ -213,17 +142,16 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
; For example to use <TMPL_VAR NAME="myparam"> ; For example to use <TMPL_VAR NAME="myparam">
;tpl_myparam = test ;tpl_myparam = test
; COMBINATION FORMS ; LOG
; If you want to fix forms to display, you can use this; ; By default, all is logged in Apache file. To log user actions by
;combinationForms = standardform, yubikeyform ; syslog, just set syslog facility here:
;syslog = auth ;syslog = auth
; SOAP FUNCTIONS ; SOAP FUNCTIONS
; Remove comment to activate SOAP Functions getCookies(user,pwd) and ; Remove comment to activate SOAP Functions getCookies(user,pwd) and
; error(language, code) ; error(language, code)
;Soap = 1 ;Soap = 1
; Note that getAttibutes() will be activated but on a different URI ; Note that getAttibutes() will be activated but on a different URI
; (http://auth.example.com/sessions) ; (http://auth.example.com/index.pl/sessions)
; You can also restrict attributes and macros exported by getAttributes ; You can also restrict attributes and macros exported by getAttributes
;exportedAttr = uid mail ;exportedAttr = uid mail
@ -280,8 +208,8 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
; Use it to be able to notify messages during authentication ; Use it to be able to notify messages during authentication
;notification = 1 ;notification = 1
; Note that the SOAP function newNotification will be activated on ; Note that the SOAP function newNotification will be activated on
; http://auth.example.com/notification ; http://auth.example.com/index.pl/notification
; If you want to hide this, just protect "/index.fcgi/notification" in ; If you want to hide this, just protect "/index.pl/notification" in
; your Apache configuration file ; your Apache configuration file
; XSS protection bypass ; XSS protection bypass
; By default, the portal refuse redirections that comes from sites not ; By default, the portal refuse redirections that comes from sites not
@ -297,21 +225,6 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
; Set to 0 to disable error on XSS attack detection ; Set to 0 to disable error on XSS attack detection
;checkXSS = 0 ;checkXSS = 0
; pdata cookie domain
; pdata cookie could not be sent with cross domains AJAX request
; Null is default value
;pdataDomain = example.com
; CUSTOM PLUGINS
; If you want to add custom plugins, set list here (comma separated)
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
;customPlugins = ::My::Package1, ::My::Package2
; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
;forceGlobalStorageUpgradeOTT = 1
;forceGlobalStorageIssuerOTT = 1
[handler] [handler]
; Handler cache configuration ; Handler cache configuration
@ -327,7 +240,7 @@ portalRequireOldPassword = %%boolean[%%llChangePassword]
; Set https to 1 if your handler protect a https website (used only for ; Set https to 1 if your handler protect a https website (used only for
; redirections to the portal) ; redirections to the portal)
https = 1 ;https = 0
; Set port if your your hanlder protect a website on a non standard port ; Set port if your your hanlder protect a website on a non standard port
; - 80 for http, 443 for https (used only for redirections to the portal) ; - 80 for http, 443 for https (used only for redirections to the portal)
;port = 8080 ;port = 8080
@ -339,10 +252,6 @@ status = 0
;useRedirectOnForbidden = 1 ;useRedirectOnForbidden = 1
; Hide LemonLDAP::NG Handler in Apache Server Signature ; Hide LemonLDAP::NG Handler in Apache Server Signature
;hideSignature = 1 ;hideSignature = 1
; Set ServiceToken timeout
;handlerServiceTokenTTL = 30
; Set Impersonation/ContextSwitching prefix
; impersonationPrefix = real_
useRedirectOnError = 1 useRedirectOnError = 1
; Zimbra Handler parameters ; Zimbra Handler parameters
@ -366,6 +275,9 @@ useRedirectOnError = 1
; * none : no protection ; * none : no protection
protection = manager protection = manager
; logLevel. Set here one of error, warn, notice, info or debug
logLevel = warn
; staticPrefix: relative (or URL) location of static HTML components ; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static staticPrefix = /static
; ;
@ -373,29 +285,10 @@ staticPrefix = /static
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
; languages: available languages for manager interface ; languages: available languages for manager interface
languages = fr, en, it, vi, ar, tr languages = fr, en
; Manager modules enabled ; Manager modules enabled
; Set here the list of modules you want to see in manager interface ; Set here the list of modules you want to see in manager interface
; The first will be used as default module displayed ; The first will be used as default module displayed
;enabledModules = conf, sessions, notifications, 2ndFA, viewer enabledModules = conf, sessions, notifications
enabledModules = conf, sessions, notifications, 2ndFA
; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
; 'conf' is set by default
;defaultModule = viewer
; Viewer module allows us to edit configuration in read-only mode
; Options can be set with specific rules like this :
;viewerAllowBrowser = $uid eq 'dwho'
;viewerAllowDiff = $uid ne 'dwho'
;
; Viewer options - Default values
;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
;viewerAllowBrowser = 0
;viewerAllowDiff = 0
;[node-handler]
;
;This section is for node-lemonldap-ng-handler
;nodeVhosts = test3.example.com, test4.example.com

441
tmpl/lmConf-1.js Normal file
View File

@ -0,0 +1,441 @@
%set %%ssoFilters = %%getSSOFilters
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {
"vhostHttps" : "1"
},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT",
%for att in %%casAttribute
"%%att": "%%att",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%value"
%else
"%%key": "%%value",
%end if
%set %%idx += 1
%end for
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"logo": "configure.png",
"name": "WebSSO Manager"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "https://%%managerWebName/doc/",
"name": "Local documentation"
},
"type": "application"
}
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%key"
%else
"%%key": "%%key",
%end if
%set %%idx += 1
%end for
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": {
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
%if %%llResetPassword == "oui"
"portalDisplayResetPassword": 1,
%else
"portalDisplayResetPassword": 0,
%end if
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
%if %%RegisterDB == "Custom"
"registerDB": "Null",
%else
"registerDB": "%%RegisterDB",
%end if
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
%if %%llCheckLogins == "oui"
"portalCheckLogins": 1,
%else
"portalCheckLogins": 0,
%end if
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl",
%else
"mailUrl": "%%llResetUrl",
%end if
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
%if %%RegisterDB == "Custom"
"registerUrl": "%%llRegisterURL",
%else
"registerUrl": "https://%%authWebName/register.pl",
%end if
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
}

View File

@ -1,406 +1,441 @@
%set %%boolean = {'oui': 1, 'non': 0}
%set %%ssoFilters = %%getSSOFilters %set %%ssoFilters = %%getSSOFilters
%set %%ldapAttributes = {"uid": "uid", "mail": "mail", "cn":"cn"}
%set %%exported_vars = ['"UA": "HTTP_USER_AGENT"']
%set %%cas_attributes = []
%set %%ldap_attributes = {}
%for %%attr in %%casAttribute
%silent %%exported_vars.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
%silent %%cas_attributes.append('"' + %%attr + '": "' + %%attr.casLDAPAttribute + '"')
%set %%ldap_attributes[%%attr.casLDAPAttribute] = %%attr.casLDAPAttribute
%end for
%for %%key, %%value in %%ssoFilters
%silent %%exported_vars.append('"' + %%key + '": "' + %%value + '"')
%silent %%cas_attributes.append('"' + %%key + '": "' + %%value + '"')
%set %%ldap_attributes[%%value] = %%value
%end for
%silent %%exported_vars.sort()
%silent %%cas_attributes.sort()
%set %%ldapAttr = []
%for %%k, %%v in %%ldap_attributes.items()
%silent %%ldapAttr.append('"' + %%k + '": "' + %%v + '"')
%end for
{ {
%if %%lemon_user_db == "AD" "ldapGroupAttributeNameUser": "dn",
"ADPwdExpireWarning": %%llADPasswordExpireWarn, "cfgAuthorIP": "172.16.0.1",
"ADPwdMaxAge": %%llADPasswordMaxAge, "samlSPMetaDataXML": null,
%end if "facebookAuthnLevel": 1,
"CAS_authnLevel": 1, "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt", "CAS_pgtFile": "/tmp/pgt.txt",
"CAS_proxiedServices": {},
"SMTPServer": "",
"SSLAuthnLevel": 5,
"Soap": 1,
"activeTimer": 1,
"apacheAuthnLevel": 4,
"applicationList": {
"1administration": {
"catname": "Administration",
"manager": {
"options": {
"description": "Configure LemonLDAP::NG WebSSO",
"display": "auto",
"logo": "configure.png",
"name": "WebSSO Manager",
"uri": "https://%%managerWebName/"
},
"type": "application"
},
"notifications": {
"options": {
"description": "Explore WebSSO notifications",
"display": "auto",
"logo": "database.png",
"name": "Notifications explorer",
"uri": "https://%%managerWebName/notifications.pl"
},
"type": "application"
},
"sessions": {
"options": {
"description": "Explore WebSSO sessions",
"display": "auto",
"logo": "database.png",
"name": "Sessions explorer",
"uri": "https://%%managerWebName/sessions.pl"
},
"type": "application"
},
"type": "category"
},
"2documentation": {
"catname": "Documentation",
"localdoc": {
"options": {
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"logo": "help.png",
"name": "Local documentation",
"uri": "http://%%managerWebName/doc/"
},
"type": "application"
},
"officialwebsite": {
"options": {
"description": "Official LemonLDAP::NG Website",
"display": "on",
"logo": "network.png",
"name": "Offical Website",
"uri": "http://lemonldap-ng.org/"
},
"type": "application"
},
"type": "category"
}
},
"authChoiceModules": {},
"authChoiceParam": "lmAuth",
"authentication": "%%lemon_user_db",
"browserIdAuthnLevel": 1,
"captchaStorage": "Apache::Session::File",
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"captcha_login_enabled": 0,
"captcha_mail_enabled": 0,
"captcha_register_enabled": 1,
"captcha_size": 6,
"casAccessControlPolicy": "none",
"casAttributes": {
%%custom_join(%%cas_attributes, ',\n ')
},
"casStorageOptions": {},
"cda": 0,
"cfgAuthor": "EOLE",
"cfgAuthorIP": "127.0.0.1",
"cfgDate": 1600257889,
"cfgLog": "",
"cfgNum": "1",
"checkXSS": 1,
"confirmFormMethod": "post",
"cookieName": "lemonldap", "cookieName": "lemonldap",
"dbiAuthnLevel": 2, "slaveExportedVars": {},
"dbiExportedVars": {}, "whatToTrace": "_whatToTrace",
"demoExportedVars": { "oidcRPMetaDataOptions": {},
"cn": "cn", "notifyDeleted": 1,
"mail": "mail", "useRedirectOnError": 1,
"uid": "uid" "samlSPMetaDataExportedAttributes": null,
}, "ldapPwdEnc": "utf-8",
"domain": "%%nom_domaine_local", "openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": { "exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {} "%%managerWebName": {}
}, },
"exportedVars": { "vhostOptions": {
%%custom_join(%%exported_vars, ',\n ') "%%managerWebName": {
"vhostHttps" : "1"
}, },
"facebookAuthnLevel": 1, "test1.%%nom_domaine_local": {},
"facebookExportedVars": {}, "test2.%%nom_domaine_local": {}
"failedLoginNumber": 5,
"globalStorage": "Apache::Session::File",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
}, },
"googleAuthnLevel": 1, "radiusAuthnLevel": 3,
"googleExportedVars": {}, "dbiAuthnLevel": 2,
"grantSessionRules": {},
"groups": {},
"hiddenAttributes": "_password",
"hideOldPassword": 0,
"httpOnly": 1,
"https": 0,
"infoFormMethod": "get",
"issuerDBCASActivation": 1,
"issuerDBCASPath": "^/%%casFolder/",
"issuerDBCASRule": 1,
"issuerDBGetParameters": {},
"issuerDBOpenIDActivation": "1",
"issuerDBOpenIDPath": "^/openidserver/",
"issuerDBOpenIDRule": 1,
"issuerDBSAMLActivation": 0,
"issuerDBSAMLPath": "^/saml/",
"issuerDBSAMLRule": 1,
"jsRedirect": 0,
"key": "e\"bTCt3*eU9^\\V%b",
%if %%llResetPassword == "oui"
%if %%llResetExpiredPassword == "oui"
%if %%lemon_user_db == "AD"
"ldapPpolicyControl": 0,
%else
"ldapPpolicyControl": 1,
%end if
"ldapAllowResetExpiredPassword": 1,
"ldapChangePasswordAsUser": 1,
%else
"ldapPpolicyControl": 0,
"ldapAllowResetExpiredPassword": 0,
"ldapChangePasswordAsUser": 1,
%end if
%end if
"ldapAuthnLevel": 2,
"ldapSearchDeref": "find",
"ldapBase": "%%ldapUserBaseDN",
"ldapExportedVars": {
%%custom_join(%%ldapAttr, ',\n ')
},
"ldapGroupAttributeName": "memberUid",
"ldapGroupAttributeNameGroup": "dn",
"ldapGroupAttributeNameSearch": "cn",
"ldapGroupAttributeNameUser": "uid",
"ldapGroupObjectClass": "eolegroupe",
"ldapGroupRecursive": 0,
"ldapPasswordResetAttribute": "pwdReset", "ldapPasswordResetAttribute": "pwdReset",
"ldapPasswordResetAttributeValue": "TRUE", "ldapGroupObjectClass": "groupOfNames",
"ldapPort": "%%ldapServerPort", "apacheAuthnLevel": 4,
"ldapPwdEnc": "utf-8", "samlNameIDFormatMapKerberos": "uid",
"ldapServer": "%%ldapScheme://%%ldapServer", "groups": {},
%if %%ldapScheme == "ldaps" "securedCookie": 0,
%if %%lmldapverify == "oui" "httpOnly": 1,
"ldapVerify": "Require", "yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT",
%for att in %%casAttribute
"%%att": "%%att",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%value"
%else %else
"ldapVerify": "None", "%%key": "%%value",
%end if %end if
%end if %set %%idx += 1
"ldapSetPassword": 0, %end for
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"logo": "configure.png",
"name": "WebSSO Manager"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://%%managerWebName/doc/",
"name": "Local documentation"
},
"type": "application"
}
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120, "ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1, "ldapUsePasswordResetAttribute": 1,
"ldapVersion": 3, "ldapPpolicyControl": 0,
"localSessionStorage": "Cache::FileCache", "casAttributes": {
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%key"
%else
"%%key": "%%key",
%end if
%set %%idx += 1
%end for
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": { "localSessionStorageOptions": {
"cache_depth": 3,
"cache_root": "/tmp", "cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600, "default_expires_in": 600,
"directory_umask": "007", "directory_umask": "007",
"namespace": "lemonldap-ng-sessions" "cache_depth": 3
}, },
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
%if %%llResetPassword == "oui"
"portalDisplayResetPassword": 1,
%else
"portalDisplayResetPassword": 0,
%end if
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
%if %%RegisterDB == "Custom"
"registerDB": "Null",
%else
"registerDB": "%%RegisterDB",
%end if
"locationRules": { "locationRules": {
"%%managerWebName": { "%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\"" "default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
} }
}, },
"loginHistoryEnabled": 1, "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"logoutServices": {}, "hideOldPassword": 0,
"lwpSslOpts": {},
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"mailCharset": "utf-8",
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"mailFrom": "noreply@%%nom_domaine_local",
"mailOnPasswordChange": 0,
"mailSessionKey": "mail",
"mailSubject": "[LemonLDAP::NG] Your new password",
"mailTimeout": 0,
%if %%llResetPassword == "oui"
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/resetpwd",
%else
"mailUrl": "%%llResetUrl",
%end if
%end if
"maintenance": 0,
"managerDn": "%%ldapBindUserDN",
%if %%is_file(%%ldapBindUserPassword) %if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)", "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else %else
"managerPassword": "%%ldapBindUserPassword", "managerPassword": "%%ldapBindUserPassword",
%end if %end if
"multiValuesSeparator": ";", "authChoiceParam": "lmAuth",
"nginxCustomHandlers": {}, "lwpSslOpts": {},
"notification": 1, "portalSkinRules": {},
"notificationStorage": "File", "issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": { "notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications" "dirName": "/var/lib/lemonldap-ng/notifications"
}, },
"notificationWildcard": "allusers", "browserIdAuthnLevel": 1,
"notifyDeleted": 1,
"notifyOther": 0,
"nullAuthnLevel": 2,
"oidcOPMetaDataExportedVars": {},
"oidcOPMetaDataJSON": null,
"oidcOPMetaDataJWKS": null,
"oidcOPMetaDataOptions": null,
"oidcRPMetaDataExportedVars": {},
"oidcRPMetaDataOptions": {},
"oidcRPMetaDataOptionsExtraClaims": null,
"oidcServiceMetaDataAuthnContext": {},
"oidcStorageOptions": {},
"openIdAuthnLevel": 1,
"openIdExportedVars": {},
"openIdSPList": "0;",
"openIdSreg_email": "mail",
"openIdSreg_fullname": "cn",
"openIdSreg_nickname": "uid",
"openIdSreg_timezone": "_timezone",
"passwordDB": "%%lemon_user_db",
"persistentStorage": "Apache::Session::File",
"persistentStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/psessions",
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock"
},
"portal": "https://%%authWebName/",
"portalAntiFrame": 1,
"portalCheckLogins": %%boolean[%%llCheckLogins],
"portalDisplayAppslist": 1,
"portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
"portalDisplayLoginHistory": 1,
"portalDisplayLogout": 1,
"portalDisplayRegister": %%boolean[%%llRegisterAccount],
"portalDisplayResetPassword": %%boolean[%%llResetPassword],
"portalForceAuthn": 0,
"portalForceAuthnInterval": 0,
"portalOpenLinkInNewWindow": 0,
"portalPingInterval": 60000,
"portalRequireOldPassword": 1,
"portalSkin": "bootstrap",
"portalSkinRules": {},
"portalUserAttr": "_user", "portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
%if %%llCheckLogins == "oui"
"portalCheckLogins": 1,
%else
"portalCheckLogins": 0,
%end if
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl",
%else
"mailUrl": "%%llResetUrl",
%end if
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": { "post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {} "%%managerWebName": {}
}, },
"radiusAuthnLevel": 3, "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}", "issuerDBSAMLRule": 1,
"redirectFormMethod": "get", "samlCommonDomainCookieActivation": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation", "syslog": "",
%set %%register_db = %%getVar('llRegisterDB', 'Demo') "ldapBase": "%%ldapUserBaseDN",
%if %%register_db == 'Custom' "ldapAuthnLevel": 2,
"registerDB": "Null", "mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
%if %%RegisterDB == "Custom"
"registerUrl": "%%llRegisterURL", "registerUrl": "%%llRegisterURL",
%else %else
"registerDB": "%%register_db",
"registerUrl": "https://%%authWebName/register.pl", "registerUrl": "https://%%authWebName/register.pl",
%end if %end if
"registerDoneSubject": "[LemonLDAP::NG] Your new account", "casAccessControlPolicy": "none",
"registerTimeout": 0, "multiValuesSeparator": ";",
"reloadUrls": { "ldapPort": %%ldapServerPort
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"remoteGlobalStorageOptions": {
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService",
"proxy": "https://%%authWebName/index.pl/sessions"
},
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"samlAuthnContextMapKerberos": 4,
"samlAuthnContextMapPassword": 2,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"samlAuthnContextMapTLSClient": 5,
"samlCommonDomainCookieActivation": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"samlIDPMetaDataExportedAttributes": null,
"samlIDPMetaDataOptions": null,
"samlIDPMetaDataXML": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"samlIdPResolveCookie": "lemonldapidp",
"samlMetadataForceUTF8": 1,
"samlNameIDFormatMapEmail": "mail",
"samlNameIDFormatMapKerberos": "uid",
"samlNameIDFormatMapWindows": "uid",
"samlNameIDFormatMapX509": "mail",
"samlOrganizationDisplayName": "Example",
"samlOrganizationName": "%%samlOrganizationName",
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"samlRelayStateTimeout": 600,
"samlSPMetaDataExportedAttributes": null,
"samlSPMetaDataOptions": null,
"samlSPMetaDataXML": null,
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"samlSPSSODescriptorAuthnRequestsSigned": 1,
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlServicePrivateKeyEnc": "",
"samlServicePrivateKeyEncPwd": "",
"samlServicePrivateKeySig": "",
"samlServicePrivateKeySigPwd": "",
"samlServicePublicKeyEnc": "",
"samlServicePublicKeySig": "",
"samlStorageOptions": {},
"samlUseQueryStringSpecific": 0,
"secureTokenAllowOnError": 1,
"secureTokenAttribute": "uid",
"secureTokenExpiration": 60,
"secureTokenHeader": "Auth-Token",
"secureTokenMemcachedServers": "127.0.0.1:11211",
"secureTokenUrls": ".*",
"securedCookie": 0,
"sessionDataToRemember": {},
"singleIP": 0,
"singleSession": 0,
"singleSessionUserByIP": 0,
"slaveAuthnLevel": 2,
"slaveExportedVars": {},
"storePassword": 0,
"successLoginNumber": 5,
"syslog": "",
"timeout": 72000,
"timeoutActivity": 0,
"trustedProxies": "",
"twitterAuthnLevel": 1,
"useRedirectOnError": 1,
"useRedirectOnForbidden": 0,
"useSafeJail": 1,
"userControl": "^[\\w\\.\\-@]+$",
"userDB": "%%lemon_user_db",
"vhostOptions": {
"%%managerWebName": {
"vhostHttps": "1"
}
},
"webIDAuthnLevel": 1,
"webIDExportedVars": {},
"whatToTrace": "_whatToTrace",
"yubikeyAuthnLevel": 3,
"yubikeyPublicIDSize": 12
} }

View File

@ -1,130 +0,0 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Manager
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Manager virtual host (manager.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%managerWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/manager_error.log
CustomLog /var/log/apache2/manager_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/manager.log llng
#ErrorLog /var/log/apache2/lm_err.log
# Uncomment this if you are running behind a reverse proxy and want
# LemonLDAP::NG to see the real IP address of the end user
# Adjust the settings to match the IP address of your reverse proxy
# and the header containing the original IP address
#
#RemoteIPHeader X-Forwarded-For
#RemoteIPInternalProxy 127.0.0.1
# FASTCGI CONFIGURATION
# ---------------------
# 1) URI management
RewriteEngine on
# For performances, you can delete the previous RewriteRule line after
# puttings html files: simply put the HTML results of differents modules
# (configuration, sessions, notifications) as manager.html, sessions.html,
# notifications.html and uncomment the 2 following lines:
# DirectoryIndex manager.html
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
RewriteCond "%{REQUEST_URI}" "!^/(?:static|doc|lib|javascript|favicon).*"
RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
# 2) FastCGI engine
# You can choose any FastCGI system. Here is an example using mod_fcgid
# mod_fcgid configuration
FcgidMaxRequestLen 2000000
<Files *.fcgi>
SetHandler fcgid-script
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# If you want to use mod_fastcgi, replace lines below by:
#FastCgiServer /usr/share/lemonldap-ng/manager/htdocs//manager.fcgi
# GLOBAL CONFIGURATION
# --------------------
DocumentRoot /usr/share/lemonldap-ng/manager/htdocs/
<Location />
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Static files (javascripts, HTML forms,...)
Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static//
<Directory /usr/share/lemonldap-ng/manager/htdocs/static/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +FollowSymLinks
</Directory>
# On-line documentation
Alias /doc/ /usr/share/doc/lemonldap-ng/
Alias /lib/ /usr/share/doc/lemonldap-ng/pages/documentation/current/lib/
<Directory /usr/share/doc/lemonldap-ng/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
ErrorDocument 404 /notfound.html
Options +FollowSymLinks
DirectoryIndex index.html start.html
</Directory>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -5,7 +5,8 @@ server {
} }
server { server {
listen 443 ssl; listen 443;
ssl on;
%if %%cert_type == "letsencrypt" %if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem; ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem; ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -69,8 +70,8 @@ server {
# DEBIAN # DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this # If install was made with USEDEBIANLIBS (official releases), uncomment this
location /javascript/ { #location /javascript/ {
alias /usr/share/javascript/; # alias /usr/share/javascript/;
} #}
} }

View File

@ -1,3 +1,3 @@
log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] ' log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
'"$request" $status $body_bytes_sent ' '"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom'; '"$http_referer" "$http_user_agent"';

35
tmpl/pam_cas_auth.conf Normal file
View File

@ -0,0 +1,35 @@
# sample pam_cas config
# host from CAS server. mandatory
host %%authWebName
# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 443
# uri to validate ticket. Default to /proxyValidate
uriValidate /proxyValidate
# https or no. values on or off. Default to on.
ssl on
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug off
# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
#proxy https://%%authWebName/proxycas/casimap.php
#proxy https://imp.its.yale.edu/cas/casProxy.php
#proxy https://uportal1.its.yale.edu/CasProxyServlet
#proxy https://uportal2.its.yale.edu/CasProxyServlet
# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
# certificate from high level CA
%if not %%is_empty(%%getVar('ssoCALocation', ''))
trusted_ca %%ssoCALocation
%else
trusted_ca /etc/ssl/certs/ca.crt
%end if

View File

@ -1,147 +0,0 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost "*:80"
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O %{Lm-Remote-Custom}o" llng
# Portal Virtual Host (auth.example.com)
<VirtualHost %%adresse_ip_eth0:443>
ServerName %%authWebName
SSLEngine on
SSLCertificateFile %%server_cert
SSLCertificateKeyFile %%server_key
SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
SSLProtocol all -SSLv3 -SSLv2
SSLProxyEngine on
LogLevel %%lm_loglevel
ErrorLog /var/log/apache2/portal_error.log
CustomLog /var/log/apache2/portal_access.log common
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/portal.log llng
# DocumentRoot (FCGI scripts)
DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
<Directory /usr/share/lemonldap-ng/portal/htdocs/>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
Options +ExecCGI +FollowSymLinks
</Directory>
RewriteEngine On
# For performances, you can put static html files: simply put the HTML
# result (example: /oauth2/checksession.html) as static file. Then
# uncomment the following line.
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
RewriteCond "%{REQUEST_URI}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi(?:/.*)?)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
# Authorization header needs to be passed when using Kerberos or OIDC
<IfVersion >= 2.4.13>
CGIPassAuth On
</IfVersion>
<IfVersion < 2.4.13>
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</IfVersion>
Options +ExecCGI
header unset Lm-Remote-User
</Files>
# Uncomment this if status is enabled
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files
Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
<Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
Require all granted
Options +FollowSymLinks
</Directory>
<Location /static/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
<IfModule mod_dir.c>
DirectoryIndex index.fcgi index.html
</IfModule>
# REST/SOAP functions for sessions management (disabled by default)
<Location /index.fcgi/adminSessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for configuration access (disabled by default)
<Location /index.fcgi/config>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for notification insertion (disabled by default)
<Location /index.fcgi/notification>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# Enable compression
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

View File

@ -15,7 +15,8 @@ server {
} }
server { server {
listen 443 ssl; listen 443;
ssl on;
%if %%cert_type == "letsencrypt" %if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem; ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem; ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
@ -82,7 +83,7 @@ server {
# DEBIAN # DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this # If install was made with USEDEBIANLIBS (official releases), uncomment this
location /javascript/ { #location /javascript/ {
alias /usr/share/javascript/; # alias /usr/share/javascript/;
} #}
} }

117
tmpl/test-nginx.conf Normal file
View File

@ -0,0 +1,117 @@
server {
listen 80;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
return 301 https://$host$request_uri;
}
server {
listen 443;
ssl on;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/test1-2-lemon-ldap.access-ssl.log;
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
root /var/lib/lemonldap-ng/test/;
# Internal authentication request
location = /lmauth {
internal;
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
# Improve performances
#fastcgi_buffer_size 32k;
#fastcgi_buffers 32 32k;
}
# Client requests
location / {
# Local application
index index.pl;
try_files $uri $uri/ =404;
# Reverse proxy
#proxy_pass http://remote.server/;
#include /etc/nginx/proxy_params;
##################################
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
# If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value;
# Remove this for AuthBasic handler
error_page 401 $lmlocation;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
# ELSE
# Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR in the corresponding block
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA is not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "max-age=15768000";
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
}
# Handle test CGI
location ~ ^(?<sc>/.*\.pl)(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.pl)(/.+)$;
fastcgi_param REMOTE_USER $lmremote_user;
# Or with uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE cgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
}
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
### Or with uWSGI
## include /etc/nginx/uwsgi_params;
## uwsgi_pass 127.0.0.1:5000;
## uwsgi_param LLTYPE status;
#}
}