Compare commits

...

11 Commits

Author SHA1 Message Date
8f33de7f55 Updating NGINX configuration
We don't need to setup server_names_hash_bucket_size if
it's present in standard eole configuration
2018-03-19 16:12:16 +01:00
a4a385a439 Managing usage of a password file for the LDAP reader user 2018-03-16 10:47:03 +01:00
982c5f44ee Formating README 2018-03-16 10:37:12 +01:00
1eb5faaa82 Updating README Howto 2018-03-16 10:35:13 +01:00
4f16447856 Fixing eole-lemonldap.mk file 2018-03-13 10:48:32 +01:00
93ee02b73d Fix typo 2018-03-13 10:24:17 +01:00
eb40396a26 Adding new mk file 2018-03-09 16:10:11 +01:00
d33fa9c421 Adding new authorisations for reload on ip_ssh_eth0 2018-03-09 16:09:33 +01:00
0ff7961616 Fix typo in for loop 2018-03-09 15:08:11 +01:00
41a941615d Adding CAS attributes 2018-03-09 14:29:22 +01:00
c35086567c Move everything to https 2018-03-09 12:01:20 +01:00
7 changed files with 127 additions and 102 deletions

View File

@ -1,16 +1,73 @@
# eole-lemonldap
Intégration LemonLDAP::NG pour EOLE
LemonLDAP::NG EOLE integration
## Howto
### Repository configuration
* Add the lemonldap-ng deb respository we need the last version of LemonLDAP.
Gen_config -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
### LemonLDAP::NG repository
#### LemonLDAP::NG repository
* deb https://lemonldap-ng.org/deb stable main
* deb-src https://lemonldap-ng.org/deb stable main
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
#### Cadoles Repository
* deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
### Install packages
apt update
apt install eole-lemonldap
### Configure LemonLDAP in GenConfig
* Enable lemonldap in "Services" tab
Gen_Config -> Services -> Activer LemonLDAP::NG -> "Oui"
* Fill LemonLDAP configuration
#### Nginx Web case
By default NGINX is configured to serve "web" application, in this case the lemonLDAP::NG application will
not be served properly, so we need to disable this function
GenConfig -> Services -> Activer la publication dapplications web par Nginx -> "Non'
#### Configuration DNS
* GenConfig -> Lemonldap -> Nom DNS du manager LemonLDAP-NG
* GenConfig -> Lemonldap -> Nom DNS du service d'authentification LemonLDAP-NG
#### Configuration LDAP
* GenConfig -> Lemonldap -> Protocole LDAP à utiliser
* GenConfig -> Lemonldap -> Adresse du Serveur LDAP utilisé par LemonLDAP::NG
* GenConfig -> Lemonldap -> Port d'écoute du LDAP utilisé par LemonLDAP::NG
* GenConfig -> Lemonldap -> Base DN des utilisateurs dans l'annuaire
* GenConfig -> Lemonldap -> Utilisateur de connection à l'annuaire (DN ex: cn=reader,o=gouv,c=fr)
* GenConfig -> Lemonldap -> Mot de passe de l'utilisateur de connection à l'annuaire (file like /root/.reader or the clear password)
#### Configuration CAS
Add your CAS attributes mapping ( uid = uid and mail = mail are created by default)
* GenConfig -> Lemonldap -> Nom de l'attribut CAS
* GenConfig -> Lemonldap -> Attribut LDAP équivalent
### SSL issues
If you use "autosign" certificates you need to add the "manager" and "auth" service names to the alternative names.
You also need to include "reload" service name (available in GenConfig -> Mode Expert -> Lemonldap -> Nom DNS du service Reload de LemonLDAP-NG)
* GenConfig -> Mode Expert -> Certificats ssl -> Nom Alternatif de la machine (SubjectAltName)
If you use "manual" certificates make sure this names are covered by your SSL Certificate
If you use "letsencrypt" mode you also need to add this names to the let'sencrypt request:
* GenConfig -> Mode Expert -> Certificat ssl -> Nom de domaines supplémentaires

28
creolefuncs/lemonldap.py Normal file
View File

@ -0,0 +1,28 @@
# -*- coding: utf-8 -*-
def toCidr(ip,mask=False):
""" Convert to CIDR notation
ip can be like this : 192.168.5.100/255.255.255.0
or you can provide the ip and the mask
"""
from IPy import IP
try:
if mask:
data="{0}/{1}".format(ip,mask)
else:
data=ip
return str(IP(data))
except:
return data
def readPass(encoder,reader):
try:
mypwdreader=open(reader, "r").readline().rstrip()
if encoder == "":
return mypwdreader
elif encoder == "base64":
import base64
return base64.b64encode(mypwdreader)
except:
return "mot de passe inconnu"

View File

@ -2,12 +2,12 @@
<creole>
<files>
<!-- Je suis un commentaire -->
<file filelist='lemon' name='/etc/nginx/nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/manager-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/handler-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/portal-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/nginx/sites-available/test-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.js' mkdir='True' rm='True'/>
<service>lemonldap-ng-fastcgi-server</service>
<service_access service='nginx'>
<port service_accesslist="saLemon">80</port>
<port service_accesslist="saLemon">443</port>
@ -36,10 +36,13 @@
<variable name="nginxBucketSize" type='number' description="Taille du hash des noms de serveur pour NGINX" mode='expert'>
<value>64</value>
</variable>
<variable name="casAttribute" description="Nom de l'attribut CAS" type="string" mode="expert" multi="True"/>
<variable name="casLDAPAttribute" description="Attribut LDAP équivalent" type="string" mode="expert"/>
</family>
<separators>
<separator name="managerWebName">Configuration DNS</separator>
<separator name="ldapScheme">Configuration LDAP</separator>
<separator name="casAttribute">Configuration CAS</separator>
</separators>
</variables>
<constraints>
@ -62,6 +65,9 @@
<check name="valid_enum" target="ldapScheme">
<param>['ldaps','ldap']</param>
</check>
<group master="casAttribute">
<slave>casLDAPAttribute</slave>
</group>
<condition name='disabled_if_in' source='activerLemon'>
<param>non</param>
<target type='filelist'>lemon</target>
@ -73,6 +79,7 @@
<variable name='activerLemon'>Activer l'hébergement d'une place de marché HTTP pour OpenNebula</variable>
<variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.cadoles.com</variable>
<variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.cadoles.com</variable>
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
</help>
</creole>

1
eole-lemonldap.mk Normal file
View File

@ -0,0 +1 @@
creolefuncs_DATA_DIR := $(DESTDIR)/usr/share/creole/funcs

View File

@ -12,6 +12,10 @@
# IMPORTANT:
# To protect applications, see test-nginx.conf template in example files
%if %%getVar("revprox_hash_bucket_size", "non") == "non"
server_names_hash_bucket_size %%nginxBucketSize;
%end if
# Log format
include /etc/lemonldap-ng/nginx-lmlog.conf;
#access_log /var/log/nginx/access.log lm_combined;
@ -44,6 +48,9 @@ server {
location = /reload {
allow 127.0.0.1;
%for ipaddr in %%ip_ssh_eth0
allow %%toCidr(%%ipaddr, %%ipaddr.netmask_ssh_eth0);
%end for
deny all;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;

View File

@ -72,7 +72,7 @@
"options": {
"name": "Application Test 2",
"logo": "thumbnail.png",
"uri": "http://test2.%%nom_domaine_local/",
"uri": "https://test2.%%nom_domaine_local/",
"display": "auto",
"description": "The same simple application displaying authenticated user"
},
@ -84,7 +84,7 @@
"type": "application",
"options": {
"description": "A simple application displaying authenticated user",
"uri": "http://test1.%%nom_domaine_local/",
"uri": "https://test1.%%nom_domaine_local/",
"logo": "demo.png",
"display": "auto",
"name": "Application Test 1"
@ -143,7 +143,7 @@
"logo": "help.png",
"description": "Documentation supplied with LemonLDAP::NG",
"display": "on",
"uri": "http://%%managerWebName/doc/",
"uri": "https://%%managerWebName/doc/",
"name": "Local documentation"
},
"type": "application"
@ -158,13 +158,19 @@
"samlAuthnContextMapPasswordProtectedTransport": 3,
"ldapUsePasswordResetAttribute": 1,
"ldapPpolicyControl": 0,
"casAttributes": {},
"casAttributes": {
"uid":"uid",
%for att in %%casAttribute
"%%att": "%%att.casLDAPAttribute",
%end for
"mail":"mail"
},
"issuerDBSAMLPath": "^/saml/",
"samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
"portalDisplayAppslist": 1,
"confirmFormMethod": "post",
"domain": "%%nom_domaine_local",
"cfgNum": "9",
"cfgNum": "1",
"authentication": "LDAP",
"samlNameIDFormatMapWindows": "uid",
"authChoiceModules": {},
@ -200,7 +206,7 @@
"grantSessionRules": {},
"remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
"reloadUrls": {
"%%reloadWebName": "http://%%reloadWebName/reload"
"%%reloadWebName": "https://%%reloadWebName/reload"
},
"registerTimeout": 0,
"samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
@ -223,7 +229,11 @@
},
"portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
"hideOldPassword": 0,
%if %%is_file(%%ldapBindUserPassword)
"managerPassword": "%%readPass("", %%ldapBindUserPassword)",
%else
"managerPassword": "%%ldapBindUserPassword",
%end if
"authChoiceParam": "lmAuth",
"lwpSslOpts": {},
"portalSkinRules": {},
@ -247,8 +257,8 @@
"mailOnPasswordChange": 0,
"captchaStorage": "Apache::Session::File",
"remoteGlobalStorageOptions": {
"proxy": "http://%%authWebName/index.pl/sessions",
"ns": "http://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
"proxy": "https://%%authWebName/index.pl/sessions",
"ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
},
"passwordDB": "LDAP",
"captcha_size": 6,
@ -319,7 +329,7 @@
"oidcOPMetaDataJSON": null,
"samlIdPResolveCookie": "lemonldapidp",
"samlRelayStateTimeout": 600,
"samlOrganizationURL": "http://www.%%nom_domaine_local",
"samlOrganizationURL": "https://auth.%%nom_domaine_local",
"globalStorageOptions": {
"Directory": "/var/lib/lemonldap-ng/sessions",
"LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
@ -345,10 +355,10 @@
"oidcOPMetaDataJWKS": null,
"webIDAuthnLevel": 1,
"issuerDBOpenIDActivation": "1",
"mailUrl": "http://%%authWebName/mail.pl",
"mailUrl": "https://%%authWebName/mail.pl",
"maintenance": 0,
"jsRedirect": 0,
"cfgAuthor": "dwho",
"cfgAuthor": "Cadoles",
"persistentStorageOptions": {
"LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
"Directory": "/var/lib/lemonldap-ng/psessions"
@ -360,7 +370,7 @@
"ldapChangePasswordAsUser": 0,
"CAS_proxiedServices": {},
"key": "e\"bTCt3*eU9^\\V%b",
"portal": "http://%%authWebName/",
"portal": "https://%%authWebName/",
"singleSessionUserByIP": 0,
"portalOpenLinkInNewWindow": 0,
"post": {
@ -379,7 +389,7 @@
"oidcOPMetaDataOptions": null,
"samlSPSSODescriptorWantAssertionsSigned": 1,
"samlOrganizationName": "%%samlOrganizationName",
"registerUrl": "http://%%authWebName/register.pl",
"registerUrl": "https://%%authWebName/register.pl",
"casAccessControlPolicy": "none",
"multiValuesSeparator": ";",
"ldapPort": %%ldapServerPort

View File

@ -1,85 +0,0 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
server_names_hash_bucket_size %%nginxBucketSize;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}