Compare commits

..

49 Commits

Author SHA1 Message Date
7328d4b968 utilisation de la variable lemonproc dans la conf fastcgi 2020-01-16 09:27:47 +01:00
267b96bd16 optimisation 2020-01-16 09:13:16 +01:00
53e17b8da0 Merge branch 'issue/3-CSP_targets' into develop 2019-12-12 12:01:18 +01:00
207dadd5cc Add variables to defined allowed CSP targets 2019-12-12 12:01:00 +01:00
994166b1fd Merge branch 'issue/2-variable_init' into develop 2019-12-12 11:16:48 +01:00
20c513e4fd declare lmremote_custom variable in test-nginx.conf 2019-12-12 11:16:38 +01:00
0980b3d30c Merge branch 'issue/1-error_page_location' into develop 2019-12-12 11:15:07 +01:00
9003ecbcb3 nginx error pages are located in html subfolder, not www 2019-12-12 11:14:54 +01:00
cc1da0773b Work around CSP form-action issue with CAS.
Replace header with nicer values
2019-09-13 16:02:48 +02:00
e0c7ca8f5e Merge branch 'feature/Migration' into develop 2019-07-15 10:46:29 +02:00
73fb96c026 Update configuration and dictionnary for v2.0 2019-07-15 10:40:26 +02:00
abb1d10a87 Reprise des fichiers de configuration pour intégration au module EOLE 2019-07-12 12:08:17 +02:00
30e142fa98 Importation des fichiers de configuration 2019-07-12 11:03:25 +02:00
6c3adaab2b Mise en place dans le template d'une URL de reset de password (fixes #4) 2018-09-13 14:35:15 +02:00
050e559f75 Adding postservice to update configuration cache
We need to update the configuration cache to apply the
configuration modifications
2018-04-12 09:26:49 +02:00
eef533bfe6 Using exportedVars key names in casAttributes
We need tu use the key name of exportedVars in casAttributes to make
attr availlable
2018-04-09 14:31:35 +02:00
e84ba19b68 Filling exportedVars configuration
User attributes are stored in "local session" so if we want to use
attributes in CAS session we need to make them available in local
session first
2018-04-09 13:29:05 +02:00
b7aefb7a8b llRegisterDB variable could be disabled
If you choose to remove "Registration button"
from the interface llRegisterDB is disabled
so it's not available for the template.
2018-03-27 12:25:52 +02:00
5f5c5359f7 Fixing Custom URL option 2018-03-26 11:21:28 +02:00
51519eae55 Adding Custom Register URL option to template 2018-03-26 11:05:26 +02:00
2afe4dceb4 GenConfig clean up 2018-03-26 09:56:38 +02:00
0f25183778 ajout du template lemonldap-ng.ini et utilisation de la variable llSkin 2018-03-23 16:56:54 +01:00
a4a3d52746 ajout variable llSkin 2018-03-23 16:22:02 +01:00
a5ce48110d Adding SSO auth page customisation 2018-03-23 16:13:40 +01:00
61b982607e Fixing filter generation when no filter file is present in the server 2018-03-21 15:03:50 +01:00
a91abb36f3 Remove all references to eole-sso variable 2018-03-21 14:21:46 +01:00
710ea85f96 443 port is mandatory for lemonLDAP 2018-03-21 14:18:12 +01:00
d3897f1e4a Begin of Eole-SSO replacement work
We need to provide what EoleSSO provides.

For me this 3 new template have to be placed in a dedicated package
like eole-sso-client, this templates are not necessary for the server
only usefull for the clients.
2018-03-21 14:13:15 +01:00
19fc15c324 Using former eole-sso filters in LemonLDAP
Adding a creolefunc to convert eole-sso filter files into
lemonLDAP casAttrubites section, this way we can keep the
EOLE and Envole existing filters
2018-03-21 12:26:15 +01:00
8f33de7f55 Updating NGINX configuration
We don't need to setup server_names_hash_bucket_size if
it's present in standard eole configuration
2018-03-19 16:12:16 +01:00
a4a385a439 Managing usage of a password file for the LDAP reader user 2018-03-16 10:47:03 +01:00
982c5f44ee Formating README 2018-03-16 10:37:12 +01:00
1eb5faaa82 Updating README Howto 2018-03-16 10:35:13 +01:00
4f16447856 Fixing eole-lemonldap.mk file 2018-03-13 10:48:32 +01:00
93ee02b73d Fix typo 2018-03-13 10:24:17 +01:00
eb40396a26 Adding new mk file 2018-03-09 16:10:11 +01:00
d33fa9c421 Adding new authorisations for reload on ip_ssh_eth0 2018-03-09 16:09:33 +01:00
0ff7961616 Fix typo in for loop 2018-03-09 15:08:11 +01:00
41a941615d Adding CAS attributes 2018-03-09 14:29:22 +01:00
c35086567c Move everything to https 2018-03-09 12:01:20 +01:00
76f19ced94 Fixing bad variable name 2018-03-08 16:57:13 +01:00
8a944db515 Adding template for Nginx configuration 2018-03-08 16:50:43 +01:00
c7dcd020a4 Adding test applications configuration 2018-03-08 16:37:40 +01:00
5e2d7457fd Fix typo in posttempalte (again) 2018-03-08 16:11:34 +01:00
6e6a6449a4 Adding LemonLDAP Admin username 2018-03-08 16:03:39 +01:00
92de21a49b Fixing typo in posttemplate 2018-03-08 15:47:20 +01:00
e52faa122b Mettre à jour 'README.md' 2018-03-06 10:39:29 +01:00
32c214343d Mise à jour du README.md 2018-03-06 10:38:56 +01:00
1fabc756b1 Clean README.md 2018-03-06 10:37:24 +01:00
24 changed files with 943 additions and 205 deletions

View File

@ -1,15 +1,73 @@
# eole-lemonldap
Intégration LemonLDAP::NG pour EOLE
LemonLDAP::NG EOLE integration
## Howto
### Repository configuration
* Add the lemonldap-ng deb respository we need the last version of LemonLDAP.
Gen_config -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
*# LemonLDAP::NG repository
deb https://lemonldap-ng.org/deb stable main
deb-src https://lemonldap-ng.org/deb stable main
Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
#### LemonLDAP::NG repository
* deb https://lemonldap-ng.org/deb stable main
* deb-src https://lemonldap-ng.org/deb stable main
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
#### Cadoles Repository
* deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
### Install packages
apt update
apt install eole-lemonldap
### Configure LemonLDAP in GenConfig
* Enable lemonldap in "Services" tab
Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui"
* Fill LemonLDAP configuration
#### Nginx Web case
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
not be served properly, so we need to disable this function
GenConfig -> Services -> Activer la publication dapplications web par Nginx -> "Non'
#### Configuration DNS
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
#### Configuration LDAP
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
* GenConfig -> Lemonldap -> Base DN des utilisateurs dans l'annuaire
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
#### Configuration CAS
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
* GenConfig -> Lemonldap -> Nom de l'attribut CAS
* GenConfig -> Lemonldap -> Attribut LDAP équivalent
### SSL issues
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)
* GenConfig -> Mode Expert -> Certificats ssl -> Nom Alternatif de la machine (SubjectAltName)
If you use "manual" certificates make sure this names are covered by your SSL Certificate
If you use "letsencrypt" mode you also need to add this names to the let'sencrypt request:
* GenConfig -> Mode Expert -> Certificat ssl -> Nom de domaines supplémentaires

67
creolefuncs/lemonldap.py Normal file
View File

@ -0,0 +1,67 @@
# -*- coding: utf-8 -*-
def toCidr(ip,mask=False):
""" Convert to CIDR notation
ip can be like this : 192.168.5.100/255.255.255.0
or you can provide the ip and the mask
"""
from IPy import IP
try:
if mask:
data="{0}/{1}".format(ip,mask)
else:
data=ip
return str(IP(data))
except:
return data
def readPass(encoder,reader):
try:
mypwdreader=open(reader, "r").readline().rstrip()
if encoder == "":
return mypwdreader
elif encoder == "base64":
import base64
return base64.b64encode(mypwdreader)
except:
return "mot de passe inconnu"
def getSSOFilters():
""" Convert former eole-sso filters to LemonLDAP filters
"""
import glob
from ConfigParser import ConfigParser
try:
filters = { 'uid': "uid", "mail": "mail" }
filterDirectory = "/usr/share/sso/app_filters/"
filterExtention = ".ini"
filterSection = "utilisateur"
filterFiles = glob.glob("{0}/*{1}".format(filterDirectory, filterExtention))
toClean = [ "__name__" ]
if len(filterFiles) != 0:
for fi in filterFiles:
# Don't parse "applications.ini"
config = ConfigParser()
config.read(fi)
if filterSection in config._sections:
filters.update(config._sections[filterSection].items())
for key in toClean:
if key in filters.keys():
del(filters[key])
res = {}
index=0
size=len(filters)
return(filters.items())
"""
for k,v in filters.items():
res[k] " \"{0}\": \"{1}\"".format(k,v)
index += 1
if index != size:
res += ",\n"
return(res)
"""
except:
return "Error Generating Filters"

1
debian/compat vendored
View File

@ -1 +0,0 @@
9

18
debian/control vendored
View File

@ -1,18 +0,0 @@
Source: eole-lemonldap
Section: web
Priority: optional
Maintainer: Cadoles <eole@ac-dijon.fr>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.3
Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
Package: eole-lemonldap
Architecture: all
Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fr-doc, lemonldap-ng-fastcgi-server,
libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
libxml-simple-perl, libcgi-compile-perl
Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
.
Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

44
debian/copyright vendored
View File

@ -1,44 +0,0 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: {PROJECT}
Source: {URL}
Files: *
Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
License: {UPSTREAM LICENSE}
Files: debian/*
Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
License: CeCILL-2
License: {UPSTREAM LICENSE}
{TEXT OF THE LICENSE}
License: CeCILL-2
This software is governed by the CeCILL-2 license under French law and
abiding by the rules of distribution of free software. You can use,
modify and or redistribute the software under the terms of the CeCILL-2
license as circulated by CEA, CNRS and INRIA at the following URL
"http://www.cecill.info";.
.
As a counterpart to the access to the source code and rights to copy,
modify and redistribute granted by the license, users are provided only
with a limited warranty and the software's author, the holder of the
economic rights, and the successive licensors have only limited
liability.
.
In this respect, the user's attention is drawn to the risks associated
with loading, using, modifying and/or developing or reproducing the
software by the user in light of its specific status of free software,
that may mean that it is complicated to manipulate, and that also
therefore means that it is reserved for developers and experienced
professionals having in-depth computer knowledge. Users are therefore
encouraged to load and test the software's suitability as regards their
requirements in conditions enabling the security of their systems and/or
data to be ensured and, more generally, to use and operate it in the
same conditions as regards security.
.
The fact that you are presently reading this means that you have had
knowledge of the CeCILL-2 license and that you accept its terms.
.
On Eole systems, the complete text of the CeCILL-2 License can be found
in '/usr/share/common-licenses/CeCILL-2-en'.

3
debian/gbp.conf vendored
View File

@ -1,3 +0,0 @@
# Set per distribution debian tag
[DEFAULT]
debian-tag = debian/eole/%(version)s

8
debian/rules vendored
View File

@ -1,8 +0,0 @@
#!/usr/bin/make -f
# -*- makefile -*-
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
%:
dh $@

Binary file not shown.

View File

@ -1 +0,0 @@
3.0 (native)

View File

@ -2,10 +2,17 @@
<creole>
<files>
<!-- Je suis un commentaire -->
<file filelist='lemon' name='/etc/nginx/sites-available/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
<service>lemonldap-ng-fastcgi-server</service>
<service_access service='nginx'>
<port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port>
@ -28,10 +35,50 @@
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
<value>4</value>
</variable>
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
<value>admin</value>
</variable>
<variable name="nginxBucketSize" type='number' description="Taille du hash des noms de serveur pour NGINX" mode='expert'>
<value>64</value>
</variable>
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
<variable name="casFolder" description="Endpoint du service cas" type="string" mode="expert">
<value>cas</value>
</variable>
<variable name='cas_send_logout' type='oui/non' description="Activer le logout centralisé du serveur SSO" hidden='True'>
<value>oui</value>
</variable>
<variable name='ssoCALocation' type='string' description="Chemin de l'autorité de certification (ou rien)" mode="expert"/>
<variable name='ssoDebug' type='string' description="Activer le Debug pour la lib php-CAS" mode="expert">
<value>non</value>
</variable>
<variable name='llSkin' type='string' description="Skin utilisé par LemonLDAP::NG">
<value>bootstrap</value>
</variable>
<variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
<value>non</value>
</variable>
<variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
<value>oui</value>
</variable>
<variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
<variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
<value>oui</value>
</variable>
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
</family>
<separators>
<separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator>
<separator name="casAttribute">Configuration CAS</separator>
<separator name="llSkin">Personnalisation de la mire SSO</separator>
</separators>
</variables>
<constraints>
@ -54,16 +101,43 @@
<check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param>
</check>
<check name="valid_enum" target="llRegisterDB">
<param>['LDAP','Demo','Custom']</param>
</check>
<group master="casAttribute">
<slave>casLDAPAttribute</slave>
</group>
<condition name='disabled_if_in' source='activerLemon'>
<param>non</param>
<target type='filelist'>lemon</target>
<target type='filelist'>lemonCAS</target>
<target type='family'>LemonLDAP</target>
<target type='service_accesslist'>saLemon</target>
</condition>
<condition name='disabled_if_in' source='llRegisterAccount'>
<param>non</param>
<target type='variable'>llRegisterDB</target>
</condition>
<condition name='disabled_if_not_in' source='llRegisterDB'>
<param>Custom</param>
<target type='variable'>llRegisterURL</target>
</condition>
<condition name='disabled_if_in' source='llResetPassword'>
<param>non</param>
<target type='variable'>llResetUrl</target>
</condition>
<check name='valid_enum' target='llSkin'>
<param>['bootstrap','dark','impact','pastel']</param>
<param name="checkval">False</param>
</check>
</constraints>
<help>
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
</help>
</creole>

1
eole-lemonldap.mk Normal file
View File

@ -0,0 +1 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs

View File

@ -0,0 +1,9 @@
#!/bin/bash
# Updating Configuration cache
cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
opt="update-cache"
res=$(${cmd} ${opt} 2>&1)
exit ${?}

View File

@ -1,9 +1,10 @@
#!/bin/bash
ENABLE=$(CreoleGet activerLemon 'non')
CONF_FILES='manager-nginx.conf'
CONF_FILES='${CONF_FILE} handler-nginx.conf'
CONF_FILES='${CONF_FILE} portal-nginx.conf'
CONF_FILES="manager-nginx.conf"
CONF_FILES="${CONF_FILES} handler-nginx.conf"
CONF_FILES="${CONF_FILES} portal-nginx.conf"
CONF_FILES="${CONF_FILES} test-nginx.conf"
for CONF_FILE in ${CONF_FILES}
do

27
tmpl/cas.inc.php.tmpl Normal file
View File

@ -0,0 +1,27 @@
<?php
define("__CAS_SERVER", "%%authWebName");
define("__CAS_VERSION", "2.0");
define("__CAS_FOLDER", "%%casFolder");
define("__CAS_PORT", 443);
define("__CAS_PROTO", "https");
%if %%cas_send_logout == 'oui'
define("__CAS_LOGOUT", true);
%else
define("__CAS_LOGOUT", false);
%end if
%if %%getVar('activer_web_valider_ca', 'non') == 'oui'
define("__CAS_VALIDER_CA", true);
%else
define("__CAS_VALIDER_CA", false);
%end if
%if %%is_empty(%%getVar('ssoCALocation', ''))
define("__CAS_CA_LOCATION", "/etc/ssl/certs/ca.crt");
%else
define("__CAS_CA_LOCATION", "%%ssoCALocation");
%end if
%if %%getVar("ssoDebug", 'non') == "oui"
define("__CAS_DEBUG", true);
%else
define("__CAS_DEBUG", false);
%end if
?>

View File

@ -0,0 +1,7 @@
<?php
%if %%mode_conteneur_actif != "non"
define("__CAS_IP", "%%adresse_ip_br0");
%else
define("__CAS_IP", "false");
%end if
?>

View File

@ -24,7 +24,7 @@ server {
server {
listen 443;
ssl on;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
@ -35,19 +35,26 @@ server {
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/manager-lemon-ldap.access-ssl.log;
server_name %%reloadWebName;
root /var/www/html;
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
root /usr/share/nginx/html;
}
root /var/www/html;
location = /reload {
allow 127.0.0.1;
deny all;
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE reload;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE reload;
}
# Client requests
@ -55,15 +62,7 @@ server {
deny all;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
#add_header Strict-Transport-Security "max-age=15768000";
}
# Uncomment this if status is enabled
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
#}
}
}

View File

@ -0,0 +1,15 @@
# Number of process (default: 7)
NPROC = %%lemonproc
# Unix socket to listen to
SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
# Pid file
PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
# User and GROUP
USER=www-data
GROUP=www-data
# Custom functions file
#CUSTOM_FUNCTIONS_FILE=/var/lib/lemonldap-ng/myfile.pm

View File

@ -110,12 +110,22 @@ localStorageOptions={ \
; restart your server. This increase performances
;useLocalConf = 1
; staticPrefix: relative (or URL) location of static HTML components
staticPrefix = /static
; location of HTML templates directory
templateDir = /usr/share/lemonldap-ng/portal/templates
; languages: available languages for portal interface
languages = fr, en
; PORTAL CUSTOMIZATION
; Name of the skin
;portalSkin = pastel
portalSkin = %%llSkin
; Modules displayed
;portalDisplayLogout = 1
;portalDisplayResetPassword = 1
%if %%llResetPassword == "oui"
portalDisplayResetPassword = 1
%else
portalDisplayResetPassword = 0
%end if
;portalDisplayChangePassword = 1
;portalDisplayAppslist = 1
;portalDisplayLoginHistory = 1
@ -272,7 +282,7 @@ logLevel = warn
staticPrefix = /static
;
; location of HTML templates directory
templateDir = /usr/share/lemonldap-ng/manager/templates
templateDir = /usr/share/lemonldap-ng/manager/htdocs/templates
; languages: available languages for manager interface
languages = fr, en

View File

@ -1,3 +1,4 @@
%set %%ssoFilters = %%getSSOFilters
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
@ -25,7 +26,7 @@
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/cas/",
"issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
@ -39,7 +40,9 @@
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {},
"%%managerWebName": {
"vhostHttps" : "1"
},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
@ -63,7 +66,20 @@
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT"
"UA": "HTTP_USER_AGENT",
%for att in %%casAttribute
"%%att": "%%att",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%value"
%else
"%%key": "%%value",
%end if
%set %%idx += 1
%end for
},
"notificationStorage": "File",
"applicationList": {
@ -72,7 +88,7 @@
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "http://test2.%%nom_domaine_local/",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
@ -84,7 +100,7 @@
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "http://test1.%%nom_domaine_local/",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
@ -143,7 +159,7 @@
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://%%managerWebName/doc/",
"uri": "https://%%managerWebName/doc/",
"name": "Local documentation"
},
"type": "application"
@ -158,13 +174,27 @@
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {},
"casAttributes": {
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%key"
%else
"%%key": "%%key",
%end if
%set %%idx += 1
%end for
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "9",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
@ -190,7 +220,11 @@
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
%if %%llResetPassword == "oui"
"portalDisplayResetPassword": 1,
%else
"portalDisplayResetPassword": 0,
%end if
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
@ -200,17 +234,22 @@
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "http://%%reloadWebName/reload"
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
"registerDB": "Demo",
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
%if %%RegisterDB == "Custom"
"registerDB": "Null",
%else
"registerDB": "%%RegisterDB",
%end if
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"dwho\""
"default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
@ -223,7 +262,11 @@
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
@ -247,8 +290,8 @@
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "http://%%authWebName/index.pl/sessions",
"ns": "http://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
@ -319,7 +362,7 @@
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "http://www.%%nom_domaine_local",
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
@ -333,7 +376,11 @@
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
%if %%llCheckLogins == "oui"
"portalCheckLogins": 1,
%else
"portalCheckLogins": 0,
%end if
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
@ -345,10 +392,14 @@
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailUrl": "http://%%authWebName/mail.pl",
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl",
%else
"mailUrl": "%%llResetUrl",
%end if
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "dwho",
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
@ -360,7 +411,7 @@
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "http://%%authWebName/",
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
@ -379,7 +430,11 @@
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
"registerUrl": "http://%%authWebName/register.pl",
%if %%RegisterDB == "Custom"
"registerUrl": "%%llRegisterURL",
%else
"registerUrl": "https://%%authWebName/register.pl",
%end if
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort

441
tmpl/lmConf-1.json Normal file
View File

@ -0,0 +1,441 @@
%set %%ssoFilters = %%getSSOFilters
{
"ldapGroupAttributeNameUser": "dn",
"cfgAuthorIP": "172.16.0.1",
"samlSPMetaDataXML": null,
"facebookAuthnLevel": 1,
"mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
"secureTokenAttribute": "uid",
"singleSession": 0,
"registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
"CAS_pgtFile": "/tmp/pgt.txt",
"cookieName": "lemonldap",
"slaveExportedVars": {},
"whatToTrace": "_whatToTrace",
"oidcRPMetaDataOptions": {},
"notifyDeleted": 1,
"useRedirectOnError": 1,
"samlSPMetaDataExportedAttributes": null,
"ldapPwdEnc": "utf-8",
"openIdSPList": "0;",
"samlNameIDFormatMapEmail": "mail",
"samlSPMetaDataOptions": null,
"issuerDBOpenIDRule": 1,
"casStorageOptions": {},
"mailFrom": "noreply@%%nom_domaine_local",
"timeoutActivity": 0,
"oidcRPMetaDataExportedVars": {},
"issuerDBSAMLActivation": 0,
"issuerDBCASPath": "^/%%casFolder/",
"randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
"samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
"samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"exportedHeaders": {
"test1.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"test2.%%nom_domaine_local": {
"Auth-User": "$uid"
},
"%%managerWebName": {}
},
"vhostOptions": {
"%%managerWebName": {
"vhostHttps" : "1"
},
"test1.%%nom_domaine_local": {},
"test2.%%nom_domaine_local": {}
},
"radiusAuthnLevel": 3,
"dbiAuthnLevel": 2,
"ldapPasswordResetAttribute": "pwdReset",
"ldapGroupObjectClass": "groupOfNames",
"apacheAuthnLevel": 4,
"samlNameIDFormatMapKerberos": "uid",
"groups": {},
"securedCookie": 0,
"httpOnly": 1,
"yubikeyAuthnLevel": 3,
"ADPwdMaxAge": 0,
"samlUseQueryStringSpecific": 0,
"loginHistoryEnabled": 1,
"samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
"failedLoginNumber": 5,
"samlServicePrivateKeyEncPwd": "",
"portalForceAuthnInterval": 0,
"cfgLog": "",
"samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"exportedVars": {
"UA": "HTTP_USER_AGENT",
%for att in %%casAttribute
"%%att": "%%att",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%value"
%else
"%%key": "%%value",
%end if
%set %%idx += 1
%end for
},
"notificationStorage": "File",
"applicationList": {
"1sample": {
"test2": {
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
"type": "application"
},
"type": "category",
"catname": "Sample applications",
"test1": {
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
}
}
},
"2administration": {
"notifications": {
"options": {
"name": "Notifications explorer",
"display": "auto",
"description": "Explore WebSSO notifications",
"uri": "https://%%managerWebName/notifications.pl",
"logo": "database.png"
},
"type": "application"
},
"manager": {
"options": {
"uri": "https://%%managerWebName/",
"display": "auto",
"description": "Configure LemonLDAP::NG WebSSO",
"logo": "configure.png",
"name": "WebSSO Manager"
},
"type": "application"
},
"type": "category",
"sessions": {
"type": "application",
"options": {
"description": "Explore WebSSO sessions",
"uri": "https://%%managerWebName/sessions.pl",
"logo": "database.png",
"display": "auto",
"name": "Sessions explorer"
}
},
"catname": "Administration"
},
"3documentation": {
"catname": "Documentation",
"officialwebsite": {
"type": "application",
"options": {
"name": "Offical Website",
"description": "Official LemonLDAP::NG Website",
"logo": "network.png",
"display": "on",
"uri": "http://lemonldap-ng.org/"
}
},
"type": "category",
"localdoc": {
"options": {
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://%%managerWebName/doc/",
"name": "Local documentation"
},
"type": "application"
}
}
},
"userControl": "^[\\w\\.\\-@]+$",
"timeout": 72000,
"portalAntiFrame": 1,
"SMTPServer": "",
"ldapTimeout": 120,
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
%set %%idx = 0
%set %%size = %%len(%%ssoFilters) - 1
%for key,value in %%ssoFilters
%if %%idx == %%size
"%%key": "%%key"
%else
"%%key": "%%key",
%end if
%set %%idx += 1
%end for
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
"ldapGroupAttributeName": "member",
"samlServicePrivateKeySigPwd": "",
"googleAuthnLevel": 1,
"successLoginNumber": 5,
"localSessionStorageOptions": {
"cache_root": "/tmp",
"namespace": "lemonldap-ng-sessions",
"default_expires_in": 600,
"directory_umask": "007",
"cache_depth": 3
},
"samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"portalRequireOldPassword": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
"ADPwdExpireWarning": 0,
"yubikeyPublicIDSize": 12,
"ldapGroupAttributeNameGroup": "dn",
"oidcRPMetaDataOptionsExtraClaims": null,
"ldapGroupRecursive": 0,
"mailSubject": "[LemonLDAP::NG] Your new password",
"nginxCustomHandlers": {},
"samlSPSSODescriptorAuthnRequestsSigned": 1,
%if %%llResetPassword == "oui"
"portalDisplayResetPassword": 1,
%else
"portalDisplayResetPassword": 0,
%end if
"openIdSreg_timezone": "_timezone",
"infoFormMethod": "get",
"openIdAuthnLevel": 1,
"openIdSreg_nickname": "uid",
"samlServicePublicKeyEnc": "",
"userDB": "LDAP",
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
"slaveAuthnLevel": 2,
"samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
"Soap": 1,
%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
%if %%RegisterDB == "Custom"
"registerDB": "Null",
%else
"registerDB": "%%RegisterDB",
%end if
"locationRules": {
"%%managerWebName": {
"default": "$uid eq \"%%lemonAdmin\""
},
"test1.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
},
"test2.%%nom_domaine_local": {
"default": "accept",
"^/logout": "logout_sso"
}
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
"issuerDBOpenIDPath": "^/openidserver/",
"redirectFormMethod": "get",
"portalDisplayRegister": 1,
"secureTokenMemcachedServers": "127.0.0.1:11211",
"notificationStorageOptions": {
"dirName": "/var/lib/lemonldap-ng/notifications"
},
"browserIdAuthnLevel": 1,
"portalUserAttr": "_user",
"ldapVersion": 3,
"sessionDataToRemember": {},
"samlNameIDFormatMapX509": "mail",
"managerDn": "%%ldapBindUserDN",
"mailSessionKey": "mail",
"openIdSreg_email": "mail",
"localSessionStorage": "Cache::FileCache",
"persistentStorage": "Apache::Session::File",
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
"mailCharset": "utf-8",
"facebookExportedVars": {},
"nullAuthnLevel": 2,
"singleIP": 0,
"dbiExportedVars": {},
"portalSkin": "bootstrap",
"storePassword": 0,
"hiddenAttributes": "_password",
"samlServicePrivateKeySig": "",
"globalStorage": "Apache::Session::File",
"notificationWildcard": "allusers",
"portalForceAuthn": 0,
"samlMetadataForceUTF8": 1,
"secureTokenUrls": ".*",
"secureTokenAllowOnError": 1,
"samlAuthnContextMapTLSClient": 5,
"ldapAllowResetExpiredPassword": 0,
"oidcOPMetaDataExportedVars": {},
"notifyOther": 0,
"secureTokenExpiration": 60,
"captcha_mail_enabled": 0,
"samlStorageOptions": {},
"samlOrganizationDisplayName": "Example",
"trustedProxies": "",
"secureTokenHeader": "Auth-Token",
"issuerDBCASActivation": 1,
"samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
"samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
"samlIDPMetaDataXML": {},
"oidcStorageOptions": {},
"cfgDate": 1519998069,
"samlAuthnContextMapPassword": 2,
"portalDisplayLoginHistory": 1,
"ldapPasswordResetAttributeValue": "TRUE",
"ldapServer": "%%ldapScheme://%%ldapServer",
"samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
"samlIDPMetaDataExportedAttributes": null,
"samlServicePrivateKeyEnc": "",
"useRedirectOnForbidden": 0,
"captcha_login_enabled": 0,
"https": 0,
"checkXSS": 1,
"ldapSetPassword": 0,
"portalPingInterval": 60000,
"captchaStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/captcha/"
},
"useSafeJail": 1,
"registerDoneSubject": "[LemonLDAP::NG] Your new account",
"issuerDBCASRule": 1,
"samlAuthnContextMapKerberos": 4,
"ldapGroupAttributeNameSearch": "cn",
"logoutServices": {},
"samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
"portalDisplayLogout": 1,
"issuerDBGetParameters": {},
"googleExportedVars": {},
"openIdSreg_fullname": "cn",
"samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
"demoExportedVars": {
"mail": "mail",
"uid": "uid",
"cn": "cn"
},
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
},
"ldapExportedVars": {
"mail": "mail",
"cn": "cn",
"uid": "uid"
},
"webIDExportedVars": {},
"activeTimer": 1,
"cda": 0,
"samlServicePublicKeySig": "",
%if %%llCheckLogins == "oui"
"portalCheckLogins": 1,
%else
"portalCheckLogins": 0,
%end if
"CAS_authnLevel": 1,
"macros": {
"_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
},
"samlIDPMetaDataOptions": null,
"twitterAuthnLevel": 1,
"openIdExportedVars": {},
"captcha_register_enabled": 1,
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
%if %%is_empty(%%llResetUrl)
"mailUrl": "https://%%authWebName/mail.pl",
%else
"mailUrl": "%%llResetUrl",
%end if
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
},
"SSLAuthnLevel": 5,
"oidcServiceMetaDataAuthnContext": {},
"samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
"notification": 1,
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
"test2.%%nom_domaine_local": {},
"test1.%%nom_domaine_local": {},
"%%managerWebName": {}
},
"samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
"issuerDBSAMLRule": 1,
"samlCommonDomainCookieActivation": 0,
"syslog": "",
"ldapBase": "%%ldapUserBaseDN",
"ldapAuthnLevel": 2,
"mailTimeout": 0,
"samlEntityID": "#PORTAL#/saml/metadata",
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
%if %%RegisterDB == "Custom"
"registerUrl": "%%llRegisterURL",
%else
"registerUrl": "https://%%authWebName/register.pl",
%end if
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort
}

View File

@ -6,8 +6,8 @@ server {
server {
listen 443;
ssl on;
%if %%cert_type == "letsencrypt"
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%managerWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%managerWebName/privkey.pem;
%else
@ -20,29 +20,41 @@ server {
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
}
root /usr/share/nginx/html;
}
if ($uri !~ ^/(manager\.psgi|static|doc|fr-doc|lib|javascript|favicon)) {
root /usr/share/lemonldap-ng/manager/htdocs/;
if ($uri !~ ^/(.*\.psgi|static|doc|lib|javascript|favicon)) {
rewrite ^/(.*)$ /manager.psgi/$1 break;
}
location /manager.psgi {
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE manager;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# OR TO USE uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE psgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
#add_header Strict-Transport-Security "max-age=15768000";
}
location / {
index manager.psgi;
try_files $uri $uri/ =404;
allow 127.0.0.0/8;
deny all;
try_files $uri $uri/ =404;
}
location /doc/ {
@ -52,12 +64,8 @@ server {
location /lib/ {
alias /usr/share/doc/lemonldap-ng-doc/pages/documentation/current/lib/;
}
location /fr-doc/ {
alias /usr/share/doc/lemonldap-ng-fr-doc/;
index index.html start.html;
}
location /static/ {
alias /usr/share/lemonldap-ng/manager/static/;
alias /usr/share/lemonldap-ng/manager/htdocs/static/;
}
# DEBIAN
@ -65,4 +73,5 @@ server {
#location /javascript/ {
# alias /usr/share/javascript/;
#}
}

35
tmpl/pam_cas_auth.conf Normal file
View File

@ -0,0 +1,35 @@
# sample pam_cas config
# host from CAS server. mandatory
host %%authWebName
# port from CAS server. Default to 80 or 443, depends from ssl instruction
port 443
# uri to validate ticket. Default to /proxyValidate
uriValidate /proxyValidate
# https or no. values on or off. Default to on.
ssl on
# debug (on) or no (off). debug in syslog, level LOG_DEBUG. Default to off
debug off
# proxy or proxies who deliver Proxy Ticket.
# If no proxy, pam_cas doesn't control it
# It may be several proxy instructions
#proxy https://%%authWebName/proxycas/casimap.php
#proxy https://imp.its.yale.edu/cas/casProxy.php
#proxy https://uportal1.its.yale.edu/CasProxyServlet
#proxy https://uportal2.its.yale.edu/CasProxyServlet
# trusted_ca. mandatory if ssl on.
# It a file in pem format. It can contents several certificates
# If the CAS server certificate is auto-signed, the file must content the certificate
# If the certificate is trusted by an Certificate Autority, The file must content
# certificate from high level CA
%if not %%is_empty(%%getVar('ssoCALocation', ''))
trusted_ca %%ssoCALocation
%else
trusted_ca /etc/ssl/certs/ca.crt
%end if

View File

@ -1,3 +1,13 @@
## map directive must be in http context
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
%set %%webDomain = %%authWebName.split('.',1)[1]
%set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ')
server {
listen 80;
server_name %%authWebName;
@ -6,88 +16,70 @@ server {
server {
listen 443;
ssl on;
ssl on;
%if %%cert_type == "letsencrypt"
ssl_certificate %%le_config_dir/live/%%authWebName/cert.pem;
ssl_certificate_key %%le_config_dir/live/%%authWebName/privkey.pem;
%else
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca.crt;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
ssl_client_certificate /etc/ssl/certs/ca..crt;
ssl_session_cache shared:SSL:10m;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
server_name %%authWebName;
root /var/lib/lemonldap-ng/portal/;
root /usr/share/lemonldap-ng/portal/htdocs/;
location ~ \.pl(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
set $sn $request_uri;
if ($sn ~ "^(.*)\?") {
set $sn $1;
}
if ($sn ~ "^/index.pl") {
set $sn "/index.pl";
}
fastcgi_param SCRIPT_NAME $sn;
fastcgi_split_path_info ^(.*\.pl)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
index index.pl;
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# Note that Content-Security-Policy header is generated by portal itself
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_hide_header Content-Security-Policy;
add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'";
}
index index.psgi;
location / {
try_files $uri $uri/ =404;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
#add_header Strict-Transport-Security "max-age=15768000";
}
# SOAP functions for sessions management (disabled by default)
location /index.pl/adminSessions {
location /static/ {
alias /usr/share/lemonldap-ng/portal/htdocs/static/;
}
# REST/SOAP functions for sessions management (disabled by default)
location /index.psgi/adminSessions {
deny all;
}
# SOAP functions for sessions access (disabled by default)
location /index.pl/sessions {
# REST/SOAP functions for sessions access (disabled by default)
location /index.psgi/sessions {
deny all;
}
# SOAP functions for configuration access (disabled by default)
location /index.pl/config {
# REST/SOAP functions for configuration access (disabled by default)
location /index.psgi/config {
deny all;
}
# SOAP functions for notification insertion (disabled by default)
location /index.pl/notification {
# REST/SOAP functions for notification insertion (disabled by default)
location /index.psgi/notification {
deny all;
}
# SAML2 Issuer
rewrite ^/saml/metadata /metadata.pl last;
rewrite ^/saml/.* /index.pl last;
# CAS Issuer
rewrite ^/cas/.* /index.pl;
# OpenID Issuer
rewrite ^/openidserver/.* /index.pl last;
# OpenID Connect Issuer
rewrite ^/oauth2/.* /index.pl last;
rewrite ^/.well-known/openid-configuration$ /openid-configuration.pl last;
# Get Issuer
rewrite ^/get/.* /index.pl;
# Public pages
rewrite ^/public.* /public.pl;
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this

View File

@ -6,7 +6,7 @@ server {
server {
listen 443;
ssl on;
ssl on;
ssl_certificate %%server_cert;
ssl_certificate_key %%server_key;
ssl_client_certificate /etc/ssl/certs/ca.crt;
@ -15,24 +15,24 @@ server {
server_name test1.%%nom_domaine_local test2.%%nom_domaine_local;
root /var/lib/lemonldap-ng/test/;
# Internal authentication request
location = /lmauth {
internal;
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# To use AuthBasic handler, uncomment this and remove "error_page 401"
# fastcgi_param LLTYPE authbasic;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
# Improve performances
#fastcgi_buffer_size 32k;
#fastcgi_buffers 32 32k;
}
# Client requests
@ -50,8 +50,9 @@ server {
##################################
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
# Uncomment this if CDA is used
# If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value;
# Remove this for AuthBasic handler
@ -68,30 +69,37 @@ server {
# Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR in the correspondinc block
# OR in the corresponding block
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA not supported), change cookie header to hide LLNG cookie
# Then (if LUA is not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
#add_header Strict-Transport-Security "max-age=15768000";
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
}
# Handle test CGI
location ~ \.pl$ {
location ~ ^(?<sc>/.*\.pl)(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE cgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.pl)(/.+)$;
fastcgi_param REMOTE_USER $lmremote_user;
# Or with uWSGI
#include /etc/nginx/uwsgi_params;
#uwsgi_pass 127.0.0.1:5000;
#uwsgi_param LLTYPE cgi;
#uwsgi_param SCRIPT_FILENAME $document_root$sc;
#uwsgi_param SCRIPT_NAME $sc;
}
#location = /status {
@ -100,5 +108,10 @@ server {
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
### Or with uWSGI
## include /etc/nginx/uwsgi_params;
## uwsgi_pass 127.0.0.1:5000;
## uwsgi_param LLTYPE status;
#}
}