Compare commits
13 Commits
pkg/dev/eo
...
fix-nginx
Author | SHA1 | Date | |
---|---|---|---|
8f33de7f55 | |||
a4a385a439 | |||
982c5f44ee | |||
1eb5faaa82 | |||
4f16447856 | |||
93ee02b73d | |||
eb40396a26 | |||
d33fa9c421 | |||
0ff7961616 | |||
41a941615d | |||
c35086567c | |||
76f19ced94 | |||
8a944db515 |
63
README.md
63
README.md
@ -1,16 +1,73 @@
|
||||
# eole-lemonldap
|
||||
|
||||
Intégration LemonLDAP::NG pour EOLE
|
||||
LemonLDAP::NG EOLE integration
|
||||
|
||||
## Howto
|
||||
|
||||
### Repository configuration
|
||||
|
||||
* Add the lemonldap-ng deb respository we need the last version of LemonLDAP.
|
||||
|
||||
Gen_config -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
|
||||
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
|
||||
|
||||
### LemonLDAP::NG repository
|
||||
#### LemonLDAP::NG repository
|
||||
|
||||
* deb https://lemonldap-ng.org/deb stable main
|
||||
* deb-src https://lemonldap-ng.org/deb stable main
|
||||
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
|
||||
|
||||
#### Cadoles Repository
|
||||
* deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
|
||||
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
|
||||
|
||||
### Install packages
|
||||
|
||||
apt update
|
||||
apt install eole-lemonldap
|
||||
|
||||
### Configure LemonLDAP in GenConfig
|
||||
|
||||
* Enable lemonldap in "Services" tab
|
||||
|
||||
Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui"
|
||||
|
||||
* Fill LemonLDAP configuration
|
||||
|
||||
#### Nginx Web case
|
||||
|
||||
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
|
||||
not be served properly, so we need to disable this function
|
||||
|
||||
GenConfig -> Services -> Activer la publication d’applications web par Nginx -> "Non'
|
||||
|
||||
#### Configuration DNS
|
||||
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
|
||||
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
|
||||
|
||||
#### Configuration LDAP
|
||||
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
|
||||
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
|
||||
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
|
||||
* GenConfig -> Lemonldap -> Base DN des utilisateurs dans l'annuaire
|
||||
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
|
||||
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
|
||||
|
||||
#### Configuration CAS
|
||||
|
||||
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
|
||||
|
||||
* GenConfig -> Lemonldap -> Nom de l'attribut CAS
|
||||
* GenConfig -> Lemonldap -> Attribut LDAP équivalent
|
||||
|
||||
### SSL issues
|
||||
|
||||
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
|
||||
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)
|
||||
|
||||
* GenConfig -> Mode Expert -> Certificats ssl -> Nom Alternatif de la machine (SubjectAltName)
|
||||
|
||||
If you use "manual" certificates make sure this names are covered by your SSL Certificate
|
||||
|
||||
If you use "letsencrypt" mode you also need to add this names to the let'sencrypt request:
|
||||
|
||||
* GenConfig -> Mode Expert -> Certificat ssl -> Nom de domaines supplémentaires
|
||||
|
28
creolefuncs/lemonldap.py
Normal file
28
creolefuncs/lemonldap.py
Normal file
@ -0,0 +1,28 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
def toCidr(ip,mask=False):
|
||||
""" Convert to CIDR notation
|
||||
ip can be like this : 192.168.5.100/255.255.255.0
|
||||
or you can provide the ip and the mask
|
||||
"""
|
||||
from IPy import IP
|
||||
try:
|
||||
if mask:
|
||||
data="{0}/{1}".format(ip,mask)
|
||||
else:
|
||||
data=ip
|
||||
return str(IP(data))
|
||||
except:
|
||||
return data
|
||||
|
||||
def readPass(encoder,reader):
|
||||
try:
|
||||
mypwdreader=open(reader, "r").readline().rstrip()
|
||||
if encoder == "":
|
||||
return mypwdreader
|
||||
elif encoder == "base64":
|
||||
import base64
|
||||
return base64.b64encode(mypwdreader)
|
||||
|
||||
except:
|
||||
return "mot de passe inconnu"
|
@ -7,6 +7,7 @@
|
||||
<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/etc/nginx/sites-available/test-nginx.conf' mkdir='True' rm='True'/>
|
||||
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
|
||||
<service>lemonldap-ng-fastcgi-server</service>
|
||||
<service_access service='nginx'>
|
||||
<port service_accesslist="saLemon">80</port>
|
||||
<port service_accesslist="saLemon">443</port>
|
||||
@ -32,10 +33,16 @@
|
||||
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
|
||||
<value>admin</value>
|
||||
</variable>
|
||||
<variable name="nginxBucketSize" type='number' description="Taille du hash des noms de serveur pour NGINX" mode='expert'>
|
||||
<value>64</value>
|
||||
</variable>
|
||||
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
|
||||
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
|
||||
</family>
|
||||
<separators>
|
||||
<separator name="managerWebName">Configuration DNS</separator>
|
||||
<separator name="ldapScheme">Configuration LDAP</separator>
|
||||
<separator name="casAttribute">Configuration CAS</separator>
|
||||
</separators>
|
||||
</variables>
|
||||
<constraints>
|
||||
@ -58,6 +65,9 @@
|
||||
<check name="valid_enum" target="ldapScheme">
|
||||
<param>['ldaps','ldap']</param>
|
||||
</check>
|
||||
<group master="casAttribute">
|
||||
<slave>casLDAPAttribute</slave>
|
||||
</group>
|
||||
<condition name='disabled_if_in' source='activerLemon'>
|
||||
<param>non</param>
|
||||
<target type='filelist'>lemon</target>
|
||||
@ -69,5 +79,7 @@
|
||||
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
|
||||
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
|
||||
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
|
||||
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
|
||||
<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
|
||||
</help>
|
||||
</creole>
|
||||
|
1
eole-lemonldap.mk
Normal file
1
eole-lemonldap.mk
Normal file
@ -0,0 +1 @@
|
||||
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs
|
@ -12,6 +12,10 @@
|
||||
# IMPORTANT:
|
||||
# To protect applications, see test-nginx.conf template in example files
|
||||
|
||||
%if %%getVar("revprox_hash_bucket_size", "non") == "non"
|
||||
server_names_hash_bucket_size %%nginxBucketSize;
|
||||
%end if
|
||||
|
||||
# Log format
|
||||
include /etc/lemonldap-ng/nginx-lmlog.conf;
|
||||
#access_log /var/log/nginx/access.log lm_combined;
|
||||
@ -44,6 +48,9 @@ server {
|
||||
|
||||
location = /reload {
|
||||
allow 127.0.0.1;
|
||||
%for ipaddr in %%ip_ssh_eth0
|
||||
allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0);
|
||||
%end for
|
||||
deny all;
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||
|
@ -72,7 +72,7 @@
|
||||
"options": {
|
||||
"name": "Application Test 2",
|
||||
"logo": "thumbnail.png",
|
||||
"uri": "http://test2.%%nom_domaine_local/",
|
||||
"uri": "https://test2.%%nom_domaine_local/",
|
||||
"display": "auto",
|
||||
"description": "The same simple application displaying authenticated user"
|
||||
},
|
||||
@ -84,7 +84,7 @@
|
||||
"type": "application",
|
||||
"options": {
|
||||
"description": "A simple application displaying authenticated user",
|
||||
"uri": "http://test1.%%nom_domaine_local/",
|
||||
"uri": "https://test1.%%nom_domaine_local/",
|
||||
"logo": "demo.png",
|
||||
"display": "auto",
|
||||
"name": "Application Test 1"
|
||||
@ -143,7 +143,7 @@
|
||||
"logo": "help.png",
|
||||
"description": "Documentation supplied with LemonLDAP::NG",
|
||||
"display": "on",
|
||||
"uri": "http://%%managerWebName/doc/",
|
||||
"uri": "https://%%managerWebName/doc/",
|
||||
"name": "Local documentation"
|
||||
},
|
||||
"type": "application"
|
||||
@ -158,13 +158,19 @@
|
||||
"samlAuthnContextMapPasswordProtectedTransport": 3,
|
||||
"ldapUsePasswordResetAttribute": 1,
|
||||
"ldapPpolicyControl": 0,
|
||||
"casAttributes": {},
|
||||
"casAttributes": {
|
||||
"uid":"uid",
|
||||
%for att in %%casAttribute
|
||||
"%%att": "%%att.casLDAPAttribute",
|
||||
%end for
|
||||
"mail":"mail"
|
||||
},
|
||||
"issuerDBSAMLPath": "^/saml/",
|
||||
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
|
||||
"portalDisplayAppslist": 1,
|
||||
"confirmFormMethod": "post",
|
||||
"domain": "%%nom_domaine_local",
|
||||
"cfgNum": "9",
|
||||
"cfgNum": "1",
|
||||
"authentication": "LDAP",
|
||||
"samlNameIDFormatMapWindows": "uid",
|
||||
"authChoiceModules": {},
|
||||
@ -200,7 +206,7 @@
|
||||
"grantSessionRules": {},
|
||||
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
|
||||
"reloadUrls": {
|
||||
"%%reloadWebName": "http://%%reloadWebName/reload"
|
||||
"%%reloadWebName": "https://%%reloadWebName/reload"
|
||||
},
|
||||
"registerTimeout": 0,
|
||||
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
|
||||
@ -223,7 +229,11 @@
|
||||
},
|
||||
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
|
||||
"hideOldPassword": 0,
|
||||
%if %%is_file(%%ldapBindUserPassword)
|
||||
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
|
||||
%else
|
||||
"managerPassword": "%%ldapBindUserPassword",
|
||||
%end if
|
||||
"authChoiceParam": "lmAuth",
|
||||
"lwpSslOpts": {},
|
||||
"portalSkinRules": {},
|
||||
@ -247,8 +257,8 @@
|
||||
"mailOnPasswordChange": 0,
|
||||
"captchaStorage": "Apache::Session::File",
|
||||
"remoteGlobalStorageOptions": {
|
||||
"proxy": "http://%%authWebName/index.pl/sessions",
|
||||
"ns": "http://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
|
||||
"proxy": "https://%%authWebName/index.pl/sessions",
|
||||
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
|
||||
},
|
||||
"passwordDB": "LDAP",
|
||||
"captcha_size": 6,
|
||||
@ -319,7 +329,7 @@
|
||||
"oidcOPMetaDataJSON": null,
|
||||
"samlIdPResolveCookie": "lemonldapidp",
|
||||
"samlRelayStateTimeout": 600,
|
||||
"samlOrganizationURL": "http://www.%%nom_domaine_local",
|
||||
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
|
||||
"globalStorageOptions": {
|
||||
"Directory": "/var/lib/lemonldap-ng/sessions",
|
||||
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
|
||||
@ -345,10 +355,10 @@
|
||||
"oidcOPMetaDataJWKS": null,
|
||||
"webIDAuthnLevel": 1,
|
||||
"issuerDBOpenIDActivation": "1",
|
||||
"mailUrl": "http://%%authWebName/mail.pl",
|
||||
"mailUrl": "https://%%authWebName/mail.pl",
|
||||
"maintenance": 0,
|
||||
"jsRedirect": 0,
|
||||
"cfgAuthor": "dwho",
|
||||
"cfgAuthor": "Cadoles",
|
||||
"persistentStorageOptions": {
|
||||
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
|
||||
"Directory": "/var/lib/lemonldap-ng/psessions"
|
||||
@ -360,7 +370,7 @@
|
||||
"ldapChangePasswordAsUser": 0,
|
||||
"CAS_proxiedServices": {},
|
||||
"key": "e\"bTCt3*eU9^\\V%b",
|
||||
"portal": "http://%%authWebName/",
|
||||
"portal": "https://%%authWebName/",
|
||||
"singleSessionUserByIP": 0,
|
||||
"portalOpenLinkInNewWindow": 0,
|
||||
"post": {
|
||||
@ -379,7 +389,7 @@
|
||||
"oidcOPMetaDataOptions": null,
|
||||
"samlSPSSODescriptorWantAssertionsSigned": 1,
|
||||
"samlOrganizationName": "%%samlOrganizationName",
|
||||
"registerUrl": "http://%%authWebName/register.pl",
|
||||
"registerUrl": "https://%%authWebName/register.pl",
|
||||
"casAccessControlPolicy": "none",
|
||||
"multiValuesSeparator": ";",
|
||||
"ldapPort": %%ldapServerPort
|
||||
|
Reference in New Issue
Block a user