utilisation de la variable lemonproc dans la conf fastcgi

Replace header with nicer values

debian/compat

@@ -1 +0,0 @@
-9

debian/control

@@ -1,38 +0,0 @@
-Source: eole-lemonldap
-Section: web
-Priority: optional
-Maintainer: Cadoles <eole@ac-dijon.fr>
-Build-Depends: debhelper (>= 9)
-Standards-Version: 3.9.3
-Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
-Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
-Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
-
-Package: eole-lemonldap
-Architecture: all
-Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fastcgi-server,
-   libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
-   libxml-simple-perl, libcgi-compile-perl, libmouse-perl,
-   libio-string-perl,
-   libnet-openid-server-perl,
-   libemail-sender-perl,
-   libgd-securityimage-perl,
-   libimage-magick-perl
-Conflicts: eole-sso, eole-sso-client, eole-sso-server
-Provides: eole-sso, eole-sso-client, eole-sso-server
-Replaces: eole-sso, eole-sso-client, eole-sso-server
-Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
- .
- Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.
-
-Package: eole-lemonldap-pkg
-Architecture: all
-Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fastcgi-server,
-   libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
-   libxml-simple-perl, libcgi-compile-perl, libmouse-perl, libio-string-perl, libnet-openid-server-perl,
-   libemail-sender-perl, libgd-securityimage-perl, libimage-magick-perl, libnet-ldap-perl,
-   libunicode-string-perl, libsoap-lite-perl, libhtml-template-perl, libcache-cache-perl,
-   libdbi-perl, perl-modules, libwww-perl
-Description: Paquet de dépendances pour eole-lemonldap.
- .
- Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

debian/copyright

@@ -1,44 +0,0 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: {PROJECT}
-Source: {URL}
-
-Files: *
-Copyright: YEAR {UPSTREAM} {AUTHOR} <{MAIL}>
-License: {UPSTREAM LICENSE}
-
-Files: debian/*
-Copyright: 2012 Équipe EOLE <eole@ac-dijon.fr>
-License: CeCILL-2
-
-License: {UPSTREAM LICENSE}
- {TEXT OF THE LICENSE}
-
-License: CeCILL-2
- This software is governed by the CeCILL-2 license under French law and
- abiding by the rules of distribution of free software.  You can  use,
- modify and or redistribute the software under the terms of the CeCILL-2
- license as circulated by CEA, CNRS and INRIA at the following URL
- "http://www.cecill.info";.
- .
- As a counterpart to the access to the source code and  rights to copy,
- modify and redistribute granted by the license, users are provided only
- with a limited warranty  and the software's author,  the holder of the
- economic rights,  and the successive licensors  have only  limited
- liability.
- .
- In this respect, the user's attention is drawn to the risks associated
- with loading,  using,  modifying and/or developing or reproducing the
- software by the user in light of its specific status of free software,
- that may mean  that it is complicated to manipulate,  and  that  also
- therefore means  that it is reserved for developers  and  experienced
- professionals having in-depth computer knowledge. Users are therefore
- encouraged to load and test the software's suitability as regards their
- requirements in conditions enabling the security of their systems and/or
- data to be ensured and,  more generally, to use and operate it in the
- same conditions as regards security.
- .
- The fact that you are presently reading this means that you have had
- knowledge of the CeCILL-2 license and that you accept its terms.
- .
- On Eole systems, the complete text of the CeCILL-2 License can be found
- in '/usr/share/common-licenses/CeCILL-2-en'.

debian/eole-lemonldap.install

@@ -1 +0,0 @@
-usr

debian/gbp.conf

@@ -1,3 +0,0 @@
-# Set per distribution debian tag
-[DEFAULT]
-debian-tag = debian/eole/%(version)s

debian/rules

@@ -1,8 +0,0 @@
-#!/usr/bin/make -f
-# -*- makefile -*-
-
-# Uncomment this to turn on verbose mode.
-#export DH_VERBOSE=1
-
-%:
-	dh $@

debian/source/format

@@ -1 +0,0 @@
-3.0 (native)

dicos/70_lemonldap_ng.xml

@@ -2,18 +2,17 @@
 <creole>
     <files>
 		<!-- Je suis un commentaire -->
-		<file filelist='lemonng' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemonng' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemonng' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
-		<file filelist='lemona2' name='/etc/lemonldap-ng/manager-apache2.conf' source='manager-apache2.4.conf' mkdir='True' rm='True'/>
-		<file filelist='lemona2' name='/etc/lemonldap-ng/handler-apache2.conf' source='handler-apache2.4.conf' mkdir='True' rm='True'/>
-		<file filelist='lemona2' name='/etc/lemonldap-ng/portal-apache2.conf' source='portal-apache2.4.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/manager-nginx.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/handler-nginx.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/portal-nginx.conf' mkdir='True' rm='True'/>
+		<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
 		<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
+        <file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
 		<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
 		<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
 		<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
-		<service servicelist='llonnginx'>lemonldap-ng-fastcgi-server</service>
+		<service>lemonldap-ng-fastcgi-server</service>
 		<service_access service='nginx'>
 			<port service_accesslist="saLemon">80</port>
 			<port service_accesslist="saLemon">443</port>
@@ -36,6 +35,10 @@
 			<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
 			<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
 			<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
+            <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
+                <value>4</value>
+            </variable>
+
 			<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
 				<value>admin</value>
 			</variable>
@@ -69,6 +72,7 @@
 			</variable>
 			<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
 			<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
+			<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
 		</family>
         <separators>
 		    <separator name="managerWebName">Configuration DNS</separator>
@@ -78,14 +82,6 @@
 		</separators>
 	</variables>
 	<constraints>
-		<condition name='disabled_if_in' source='activer_nginx_web'>
-			<param>non</param>
-			<target type='filelist'>lemonng</target>
-		</condition>
-		<condition name='disabled_if_in' source='activer_apache'>
-			<param>non</param>
-			<target type='filelist'>lemona2</target>
-		</condition>
 		<fill name='concat' target='managerWebName'>
   			<param>manager.</param>
   			<param type='eole'>nom_domaine_local</param>
@@ -113,8 +109,7 @@
 		</group>
 		<condition name='disabled_if_in' source='activerLemon'>
 			<param>non</param>
-			<target type='filelist'>lemonng</target>
-			<target type='filelist'>lemona2</target>
+			<target type='filelist'>lemon</target>
 			<target type='filelist'>lemonCAS</target>
 			<target type='family'>LemonLDAP</target>
 			<target type='service_accesslist'>saLemon</target>
@@ -143,5 +138,6 @@
 		<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
 		<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
 		<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
+		<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
 	</help>
 </creole>

dicos/71_eolesso_compat.xml

@@ -1,206 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<creole>
-    <files>
-    </files>
-    <variables>
-
-        <family name='services'>
-            <variable name='activer_sso' redefine='True' hidden='True'>
-            </variable>
-        </family>
-
-        <family name='eole sso' icon='group'>
-
-            <!-- Configuration -->
-            <variable name='eolesso_adresse' type='domain_strict' description= "Nom de domaine du serveur d'authentification SSO" hidden='True'/>
-            <variable name='eolesso_port' type='port' description='Port utilisé par le service EoleSSO' mandatory='True' hidden='True' />
-            <variable name='eolesso_session_timeout' type='number' description="Durée de vie d'une session sur le serveur SSO (en secondes)" hidden='True' />
-            <variable name='eolesso_css' type='string' description="CSS par défaut du service SSO (sans le .css)" hidden='True'/>
-
-            <!-- LDAP -->
-            <variable name='eolesso_ldap' type='domain' description='Adresse du serveur LDAP utilisé par EoleSSO' multi='True' hidden='True'/>
-            <variable name='eolesso_port_ldap' type='port' description='Port du serveur LDAP utilisé par EoleSSO' hidden='True' />
-            <variable name='eolesso_ldap_use_tls' type='string' description="Le serveur LDAP supporte TLS" mode='expert' hidden='True' />
-            <variable name='eolesso_base_ldap' type='string' description="Chemin de recherche dans l'annuaire" mandatory='True'/>
-            <variable name='eolesso_ldap_label' type='string' description="Libellé à présenter aux utilisateurs en cas d'homonymes" mandatory='True'/>
-            <variable name='eolesso_ldap_infos' type='string' description="Informations supplémentaire dans le cadre d'information sur les homonymes" hidden='True' />
-            <variable name='eolesso_ldap_reader' type='string' description='Utilisateur de lecture des comptes LDAP (nécessaire pour la fédération)' hidden='True' />
-            <variable name='eolesso_ldap_reader_passfile' type='filename' description="Fichier de mot de passe de l'utilisateur de lecture" hidden='True' />
-            <variable name='eolesso_ldap_match_attribute' type='string' description="Attribut de recherche des utilisateurs" hidden='True' />
-            <variable name='eolesso_ldap_login_otp' type='string' description="Identifiants OTP pour cet annuaire" hidden='True' />
-            <variable name='eolesso_ldap_filter_user' type='string' description="Filtre d'utilisateurs" hidden='True' />
-            <variable name='eolesso_ldap_filter_group' type='string' description="Filtre de groupes" hidden='True' />
-            <variable name='eolesso_ldap_dntree_user' type='string' description="DN racine de l'arbre utilisateurs" hidden='True' />
-            <variable name='eolesso_ldap_dntree_group' type='string' description="DN racine de l'arbre groupes" hidden='True' />
-            <variable name='eolesso_ldap_fill_displayname' type='string' description="Champ 'nom d'affichage' de l'utilisateur" hidden='True' />
-            <variable name='eolesso_ldap_fill_mail' type='string' description="Champ 'mail' de l'utilisateur" hidden='True' />
-            <variable name='eolesso_ldap_fill_fonction' type='string' description="Champ 'fonction' de l'utilisateur" hidden='True' />
-            <variable name='eolesso_ldap_fill_categorie' type='string' description="Champ 'categorie' de l'utilisateur" hidden='True' />
-            <variable name='eolesso_ldap_fill_rne' type='string' description="Champ 'rne' de l'utilisateur" hidden='True' />
-            <variable name='eolesso_ldap_fill_fredurne' type='string' description="Champ 'fredurne' de l'utilisateur" hidden='True' />
-            <variable name='eolesso_ldap_fill_displaygroup' type='string' description="Champ 'nom d'affichage' du groupe" hidden='True' />
-            <variable name='eolesso_ldap_apps_params' type='oui/non' description="Information LDAP supplémentaires (applications)" hidden='True' />
-
-            <!-- SSO parent -->
-            <variable name='eolesso_adresse_parent' type='string' description='Adresse du serveur SSO parent' hidden='True' />
-            <variable name='eolesso_port_parent' type='number' description='Port du serveur SSO parent' hidden='True' />
-
-            <!-- federation -->
-            <variable name='eolesso_entity_name' type='string' description="Nom d'entité SAML du serveur eole-sso (ou rien)" hidden='True' />
-            <variable name='federation_transparente' type='oui/non' description="Cacher le formulaire lors de l'envoi des informations de fédération" hidden='True' />
-
-            <!-- OTP -->
-            <variable name='eolesso_pam_securid' type='oui/non' description="Gestion de l'authentification OTP (RSA SecurID)" hidden='True' />
-            <variable name='eolesso_otppass_minsize' type='number' description="Taille minimum du passcode OTP" hidden='True' />
-            <variable name='eolesso_otppass_maxsize' type='number' description="Taille maximum du passcode OTP" hidden='True' />
-            <variable name='eolesso_otppass_regx' type='string' description="Expression régulière de détection des passcodes OTP" hidden='True' />
-            <variable name='eolesso_otp_desync' type='oui/non' description="Gestion locale des clés OTP désynchronisées" hidden='True' />
-            <variable name='eolesso_otp_portal' type='string' description="Adresse de la mire OTP en cas désynchronisation de clé" hidden='True' />
-
-            <!-- Certificats -->
-            <variable name='eolesso_cert' type='string' description='Chemin du certificat SSL' hidden='True' />
-            <variable name='eolesso_key' type='string' description='Chemin de la clé privée liée au certificat SSL' hidden='True' />
-            <variable name='eolesso_ca_location' type='string' description="Chemin de l'autorité de certification (ou rien)" hidden='True' />
-
-            <!-- Autres -->
-            <variable name='eolesso_cas_folder' type='filename' description="Alias d'accès au service SSO (paramètre : __CAS_FOLDER)" mode='expert' hidden='True'/>
-            <variable name='eolesso_cookie_name' type='string' description="Nom du cookie EoleSSO" mode="expert" hidden='True' />
-            <variable name='eolesso_cookie_domain' type='string' description= "Domaine du cookie EoleSSO" mode="expert" hidden='True' />
-            <variable name='eolesso_responsive' type='oui/non' description="Activer la balise meta viewport (CSS responsive)" mode="expert" hidden='True' />
-            <variable name='eolesso_metrics' type='oui/non' description="Générer des statistiques d'usage du service" mode="expert" hidden='True' />
-            <variable name='cas_verify_service' type='oui/non' description="Ne pas répondre aux demandes CAS des applications inconnues" mode="expert" hidden='True' />
-            <variable name='sso_saml_time_adjust' type='number' description="Décalage de temps (en secondes) dans les messages de fédération SAML" mode="expert" hidden='True' />
-        </family>
-
-        <separators>
-        </separators>
-
-    </variables>
-
-    <constraints>
-        <auto name='calc_val' target='eolesso_ldap_label'>
-            <param></param>
-        </auto>
-        <auto name='calc_val' target='eolesso_base_ldap'>
-            <param type='eole'>ldapUserBaseDN</param>
-        </auto>
-        <auto name='calc_val' target='eolesso_port'>
-            <param type='eole'>ldapServerPort</param>
-        </auto>
-            
-
-        <!--
-        <fill name='calc_val_first_value' target='eolesso_adresse'>
-            <param type='eole' optional='True' hidden='False'>web_url</param>
-            <param type='eole'>nom_domaine_machine</param>
-        </fill>
-        <fill name='calc_val_first_value' target='eolesso_base_ldap'>
-            <param type='eole' optional='True' hidden='False'>ldap_base_dn</param>
-            <param>o=gouv,c=fr</param>
-        </fill>
-        <fill name='concat' target='eolesso_ldap_reader'>
-            <param>cn=reader,</param>
-            <param type='eole'>eolesso_base_ldap</param>
-        </fill>
-        <fill name='calc_val' target='eolesso_cert'>
-            <param type='eole' name='valeur'>server_cert</param>
-        </fill>
-        <fill name='calc_val' target='eolesso_key'>
-            <param type='eole' name='valeur'>server_key</param>
-        </fill>
-        <condition name='disabled_if_in' source='activer_sso'>
-            <param>non</param>
-            <target type='family'>eole sso</target>
-            <target type='filelist'>ssoclient</target>
-        </condition>
-        <condition name='disabled_if_not_in' source='activer_sso'>
-            <param>local</param>
-            <target type='servicelist'>sso</target>
-            <target type='filelist'>sso</target>
-            <target type='variable'>eolesso_ldap</target>
-            <target type='variable'>eolesso_port_ldap</target>
-            <target type='variable'>eolesso_ldap_use_tls</target>
-            <target type='variable'>eolesso_base_ldap</target>
-            <target type='variable'>eolesso_ldap_label</target>
-            <target type='variable'>eolesso_ldap_infos</target>
-            <target type='variable'>eolesso_ldap_reader</target>
-            <target type='variable'>eolesso_ldap_reader_passfile</target>
-            <target type='variable'>eolesso_ldap_match_attribute</target>
-            <target type='variable'>eolesso_adresse_parent</target>
-            <target type='variable'>eolesso_port_parent</target>
-            <target type='variable'>eolesso_cert</target>
-            <target type='variable'>eolesso_key</target>
-            <target type='variable'>eolesso_ca_location</target>
-            <target type='variable'>eolesso_css</target>
-            <target type='variable'>eolesso_responsive</target>
-            <target type='variable'>federation_transparente</target>
-            <target type='variable'>eolesso_entity_name</target>
-            <target type='variable'>eolesso_pam_securid</target>
-            <target type='variable'>eolesso_ldap_apps_params</target>
-        </condition>
-        <condition name='disabled_if_in' source='eolesso_pam_securid'>
-            <param>non</param>
-            <target>eolesso_otp_desync</target>
-            <target>eolesso_ldap_login_otp</target>
-            <target>eolesso_otppass_minsize</target>
-            <target>eolesso_otppass_maxsize</target>
-            <target>eolesso_otppass_regx</target>
-        </condition>
-        <condition name='disabled_if_in' source='eolesso_otp_desync'>
-            <param>oui</param>
-            <target>eolesso_otp_portal</target>
-        </condition>
-        <condition name='disabled_if_in' source='eolesso_ldap_apps_params'>
-            <param>non</param>
-            <target>eolesso_ldap_filter_user</target>
-            <target>eolesso_ldap_filter_group</target>
-            <target>eolesso_ldap_dntree_user</target>
-            <target>eolesso_ldap_dntree_group</target>
-            <target>eolesso_ldap_fill_displayname</target>
-            <target>eolesso_ldap_fill_mail</target>
-            <target>eolesso_ldap_fill_fonction</target>
-            <target>eolesso_ldap_fill_categorie</target>
-            <target>eolesso_ldap_fill_rne</target>
-            <target>eolesso_ldap_fill_fredurne</target>
-            <target>eolesso_ldap_fill_displaygroup</target>
-        </condition>
-        <check name='valid_enum' target='activer_sso'>
-            <param>['non', 'local', 'distant']</param>
-        </check>
-        <check name='valid_enum' target='eolesso_ldap_login_otp'>
-            <param>['inactifs','identiques','configurables']</param>
-        </check>
-        <fill name='calc_libelle_annuaire' target='eolesso_ldap_label'>
-            <param type='eole'>eolesso_ldap</param>
-            <param type='eole'>nom_machine</param>
-            <param type='eole'>nom_domaine_local</param>
-        </fill>
-        <group master='eolesso_ldap'>
-            <slave>eolesso_port_ldap</slave>
-            <slave>eolesso_ldap_use_tls</slave>
-            <slave>eolesso_base_ldap</slave>
-            <slave>eolesso_ldap_label</slave>
-            <slave>eolesso_ldap_infos</slave>
-            <slave>eolesso_ldap_reader</slave>
-            <slave>eolesso_ldap_reader_passfile</slave>
-            <slave>eolesso_ldap_match_attribute</slave>
-            <slave>eolesso_ldap_login_otp</slave>
-            <slave>eolesso_ldap_filter_user</slave>
-            <slave>eolesso_ldap_filter_group</slave>
-            <slave>eolesso_ldap_dntree_user</slave>
-            <slave>eolesso_ldap_dntree_group</slave>
-            <slave>eolesso_ldap_fill_displayname</slave>
-            <slave>eolesso_ldap_fill_mail</slave>
-            <slave>eolesso_ldap_fill_fonction</slave>
-            <slave>eolesso_ldap_fill_categorie</slave>
-            <slave>eolesso_ldap_fill_rne</slave>
-            <slave>eolesso_ldap_fill_fredurne</slave>
-            <slave>eolesso_ldap_fill_displaygroup</slave>
-        </group> -->
-    </constraints>
-
-    <help></help>
-
-</creole>
-<!-- vim: ts=4 sw=4 expandtab
--->

posttemplate/70-lemon-nginx

@@ -1,29 +1,17 @@
 #!/bin/bash
 
 ENABLE=$(CreoleGet activerLemon 'non')
-if [ "$(CreoleGet activer_nginx_web non)" = 'oui' ];then
-    SERVER=nginx
-else
-    SERVER=apache2
-fi
+CONF_FILES="manager-nginx.conf"
+CONF_FILES="${CONF_FILES} handler-nginx.conf"
+CONF_FILES="${CONF_FILES} portal-nginx.conf"
+CONF_FILES="${CONF_FILES} test-nginx.conf"
 
-SERVICES="manager"
-SERVICES="${SERVICES} handler"
-SERVICES="${SERVICES} portal"
-
-for SERVICE in ${SERVICES}
+for CONF_FILE in ${CONF_FILES}
 do
-   if [ -L /etc/nginx/sites-enabled/${SERVICE}-nginx.conf ];then
-       rm /etc/nginx/sites-enabled/${SERVICE}-nginx.conf
-   fi
-   if [ -L /etc/apache2/sites-enabled/${SERVICE}-apache2.conf ];then
-       a2dissite ${SERVICE}-apache2
+   if [ -L /etc/nginx/sites-enabled/${CONF_FILE} ];then
+       rm /etc/nginx/sites-enabled/${CONF_FILE}
    fi
    if [ "${ENABLE}" = 'oui' ];then
-       if [ "${SERVER}" = 'nginx' ];then
-           ln -s /etc/nginx/sites-available/${SERVICE}-nginx.conf /etc/nginx/sites-enabled/${SERVICE}-nginx.conf
-       elif [ "${SERVER}" = 'apache2' ];then
-           a2ensite ${SERVICE}-apache2.conf
-       fi
+       ln -s /etc/nginx/sites-available/${CONF_FILE} /etc/nginx/sites-enabled/${CONF_FILE}
    fi
-done
+done

tmpl/handler-apache2.4.conf

@@ -1,56 +0,0 @@
-#========================================================================
-# Apache configuration for LemonLDAP::NG Handler
-#========================================================================
-# This file implements the reload virtualhost that permits to reload
-# configuration without restarting server, and some common instructions.
-# You need then to declare this vhost in reloadUrls (in the manager
-# interface if this server doesn't host the manager itself):
-#
-#         KEY       :               VALUE
-#   host-or-IP:port :  http://reload.example.com/reload
-#
-# IMPORTANT:
-# To protect applications, see test-apache.conf template in example files
-
-# Load LemonLDAP::NG Handler
-PerlOptions +GlobalRequest
-PerlModule Lemonldap::NG::Handler::ApacheMP2
-
-# Common error page and security parameters
-ErrorDocument 403 https//%%authWebName/lmerror/403
-ErrorDocument 404 https//%%authWebName/lmerror/404
-ErrorDocument 500 https//%%authWebName/lmerror/500
-ErrorDocument 502 https//%%authWebName/lmerror/502
-ErrorDocument 503 https//%%authWebName/lmerror/503
-
-%if %%container_ip_web != '127.0.0.1'
-<VirtualHost %%container_ip_web:443>
-%else
-<VirtualHost %%adresse_ip_eth0:443>
-%end if
-    ServerName %%reloadWebName
-
-    # Configuration reload mechanism (only 1 per physical server is
-    # needed): choose your URL to avoid restarting Apache when
-    # configuration change
-    <Location /reload>
-        Require ip 127 ::1
-        SetHandler perl-script
-        PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
-    </Location>
-
-    # Uncomment this to activate status module
-    #<Location /status>
-    #    Require ip 127 ::1
-    #    SetHandler perl-script
-    #    PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->status
-    #    # You may have to uncomment the next directive to skip
-    #    # an upper PerlHeaderParserHandler directive
-    #    #PerlHeaderParserHandler Apache2::Const::DECLINED
-    #</Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
-</VirtualHost>
-
-

tmpl/handler-nginx.conf

@@ -39,7 +39,7 @@ server {
 
   error_page   403 404 502 503 504  /nginx.html;
   location = /nginx.html{
-       root /usr/share/nginx/www;
+       root /usr/share/nginx/html;
     }
 
   location = /reload {

tmpl/lemonldap-ng-fastcgi-server

@@ -0,0 +1,15 @@
+# Number of process (default: 7)
+NPROC = %%lemonproc
+
+# Unix socket to listen to
+SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
+
+# Pid file
+PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
+
+# User and GROUP
+USER=www-data
+GROUP=www-data
+
+# Custom functions file
+#CUSTOM_FUNCTIONS_FILE=/var/lib/lemonldap-ng/myfile.pm

tmpl/lmConf-1.js

@@ -0,0 +1,441 @@
+%set %%ssoFilters = %%getSSOFilters
+{
+    "ldapGroupAttributeNameUser": "dn",
+    "cfgAuthorIP": "172.16.0.1",
+    "samlSPMetaDataXML": null,
+    "facebookAuthnLevel": 1,
+    "mailConfirmSubject": "[LemonLDAP::NG] Password reset confirmation",
+    "secureTokenAttribute": "uid",
+    "singleSession": 0,
+    "registerConfirmSubject": "[LemonLDAP::NG] Account register confirmation",
+    "CAS_pgtFile": "/tmp/pgt.txt",
+    "cookieName": "lemonldap",
+    "slaveExportedVars": {},
+    "whatToTrace": "_whatToTrace",
+    "oidcRPMetaDataOptions": {},
+    "notifyDeleted": 1,
+    "useRedirectOnError": 1,
+    "samlSPMetaDataExportedAttributes": null,
+    "ldapPwdEnc": "utf-8",
+    "openIdSPList": "0;",
+    "samlNameIDFormatMapEmail": "mail",
+    "samlSPMetaDataOptions": null,
+    "issuerDBOpenIDRule": 1,
+    "casStorageOptions": {},
+    "mailFrom": "noreply@%%nom_domaine_local",
+    "timeoutActivity": 0,
+    "oidcRPMetaDataExportedVars": {},
+    "issuerDBSAMLActivation": 0,
+    "issuerDBCASPath": "^/%%casFolder/",
+    "randomPasswordRegexp": "[A-Z]{3}[a-z]{5}.\\d{2}",
+    "samlIDPSSODescriptorSingleSignOnServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleSignOnSOAP;",
+    "samlSPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+    "exportedHeaders": {
+        "test1.%%nom_domaine_local": {
+            "Auth-User": "$uid"
+        },
+        "test2.%%nom_domaine_local": {
+            "Auth-User": "$uid"
+        },
+        "%%managerWebName": {}
+    },
+    "vhostOptions": {
+        "%%managerWebName": {
+            "vhostHttps" : "1"
+        },
+        "test1.%%nom_domaine_local": {},
+        "test2.%%nom_domaine_local": {}
+    },
+    "radiusAuthnLevel": 3,
+    "dbiAuthnLevel": 2,
+    "ldapPasswordResetAttribute": "pwdReset",
+    "ldapGroupObjectClass": "groupOfNames",
+    "apacheAuthnLevel": 4,
+    "samlNameIDFormatMapKerberos": "uid",
+    "groups": {},
+    "securedCookie": 0,
+    "httpOnly": 1,
+    "yubikeyAuthnLevel": 3,
+    "ADPwdMaxAge": 0,
+    "samlUseQueryStringSpecific": 0,
+    "loginHistoryEnabled": 1,
+    "samlSPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;",
+    "failedLoginNumber": 5,
+    "samlServicePrivateKeyEncPwd": "",
+    "portalForceAuthnInterval": 0,
+    "cfgLog": "",
+    "samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+    "exportedVars": {
+        "UA": "HTTP_USER_AGENT",
+%for att in %%casAttribute
+        "%%att": "%%att",
+%end for
+%set %%idx = 0
+%set %%size = %%len(%%ssoFilters) - 1
+%for key,value in %%ssoFilters
+    %if %%idx == %%size
+        "%%key": "%%value"
+    %else
+        "%%key": "%%value",
+    %end if
+        %set %%idx += 1
+%end for
+    },
+    "notificationStorage": "File",
+    "applicationList": {
+        "1sample": {
+            "test2": {
+                "options": {
+                    "name": "Application Test 2",
+                    "logo": "thumbnail.png",
+                    "uri": "https://test2.%%nom_domaine_local/",
+                    "display": "auto",
+                    "description": "The same simple application displaying authenticated user"
+                },
+                "type": "application"
+            },
+            "type": "category",
+            "catname": "Sample applications",
+            "test1": {
+                "type": "application",
+                "options": {
+                    "description": "A simple application displaying authenticated user",
+                    "uri": "https://test1.%%nom_domaine_local/",
+                    "logo": "demo.png",
+                    "display": "auto",
+                    "name": "Application Test 1"
+                }
+            }
+        },
+        "2administration": {
+            "notifications": {
+                "options": {
+                    "name": "Notifications explorer",
+                    "display": "auto",
+                    "description": "Explore WebSSO notifications",
+                    "uri": "https://%%managerWebName/notifications.pl",
+                    "logo": "database.png"
+                },
+                "type": "application"
+            },
+            "manager": {
+                "options": {
+                    "uri": "https://%%managerWebName/",
+                    "display": "auto",
+                    "description": "Configure LemonLDAP::NG WebSSO",
+                    "logo": "configure.png",
+                    "name": "WebSSO Manager"
+                },
+                "type": "application"
+            },
+            "type": "category",
+            "sessions": {
+                "type": "application",
+                "options": {
+                    "description": "Explore WebSSO sessions",
+                    "uri": "https://%%managerWebName/sessions.pl",
+                    "logo": "database.png",
+                    "display": "auto",
+                    "name": "Sessions explorer"
+                }
+            },
+            "catname": "Administration"
+        },
+        "3documentation": {
+            "catname": "Documentation",
+            "officialwebsite": {
+                "type": "application",
+                "options": {
+                    "name": "Offical Website",
+                    "description": "Official LemonLDAP::NG Website",
+                    "logo": "network.png",
+                    "display": "on",
+                    "uri": "http://lemonldap-ng.org/"
+                }
+            },
+            "type": "category",
+            "localdoc": {
+                "options": {
+                    "logo": "help.png",
+                    "description": "Documentation supplied with LemonLDAP::NG",
+                    "display": "on",
+                    "uri": "https://%%managerWebName/doc/",
+                    "name": "Local documentation"
+                },
+                "type": "application"
+            }
+        }
+    },
+    "userControl": "^[\\w\\.\\-@]+$",
+    "timeout": 72000,
+    "portalAntiFrame": 1,
+    "SMTPServer": "",
+    "ldapTimeout": 120,
+    "samlAuthnContextMapPasswordProtectedTransport": 3,
+    "ldapUsePasswordResetAttribute": 1,
+    "ldapPpolicyControl": 0,
+    "casAttributes": {
+%for att in %%casAttribute
+        "%%att": "%%att.casLDAPAttribute",
+%end for
+%set %%idx = 0
+%set %%size = %%len(%%ssoFilters) - 1
+%for key,value in %%ssoFilters
+    %if %%idx == %%size
+        "%%key": "%%key"
+    %else
+        "%%key": "%%key",
+    %end if
+        %set %%idx += 1
+%end for
+    },
+    "issuerDBSAMLPath": "^/saml/",
+    "samlAttributeAuthorityDescriptorAttributeServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;",
+    "portalDisplayAppslist": 1,
+    "confirmFormMethod": "post",
+    "domain": "%%nom_domaine_local",
+    "cfgNum": "1",
+    "authentication": "LDAP",
+    "samlNameIDFormatMapWindows": "uid",
+    "authChoiceModules": {},
+    "ldapGroupAttributeName": "member",
+    "samlServicePrivateKeySigPwd": "",
+    "googleAuthnLevel": 1,
+    "successLoginNumber": 5,
+    "localSessionStorageOptions": {
+        "cache_root": "/tmp",
+        "namespace": "lemonldap-ng-sessions",
+        "default_expires_in": 600,
+        "directory_umask": "007",
+        "cache_depth": 3
+    },
+    "samlSPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+    "portalRequireOldPassword": 1,
+    "samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;",
+    "ADPwdExpireWarning": 0,
+    "yubikeyPublicIDSize": 12,
+    "ldapGroupAttributeNameGroup": "dn",
+    "oidcRPMetaDataOptionsExtraClaims": null,
+    "ldapGroupRecursive": 0,
+    "mailSubject": "[LemonLDAP::NG] Your new password",
+    "nginxCustomHandlers": {},
+    "samlSPSSODescriptorAuthnRequestsSigned": 1,
+%if %%llResetPassword == "oui"
+    "portalDisplayResetPassword": 1,
+%else
+    "portalDisplayResetPassword": 0,
+%end if
+    "openIdSreg_timezone": "_timezone",
+    "infoFormMethod": "get",
+    "openIdAuthnLevel": 1,
+    "openIdSreg_nickname": "uid",
+    "samlServicePublicKeyEnc": "",
+    "userDB": "LDAP",
+    "grantSessionRules": {},
+    "remoteGlobalStorage": "Lemonldap::NG::Common::Apache::Session::SOAP",
+    "reloadUrls": {
+        "%%reloadWebName": "https://%%reloadWebName/reload"
+    },
+    "registerTimeout": 0,
+    "samlIDPSSODescriptorSingleSignOnServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;",
+    "slaveAuthnLevel": 2,
+    "samlIDPSSODescriptorSingleLogoutServiceHTTPPost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn",
+    "Soap": 1,
+%set %%RegisterDB=%%getVar('llRegisterDB', 'Demo')
+%if %%RegisterDB == "Custom"
+    "registerDB": "Null",
+%else
+    "registerDB": "%%RegisterDB",
+%end if
+    "locationRules": {
+        "%%managerWebName": {
+            "default": "$uid eq \"%%lemonAdmin\""
+        },
+        "test1.%%nom_domaine_local": {
+            "default": "accept",
+            "^/logout": "logout_sso"
+        },
+        "test2.%%nom_domaine_local": {
+            "default": "accept",
+            "^/logout": "logout_sso"
+        }
+    },
+    "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
+    "hideOldPassword": 0,
+%if %%is_file(%%ldapBindUserPassword)
+    "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
+%else
+    "managerPassword": "%%ldapBindUserPassword",
+%end if
+    "authChoiceParam": "lmAuth",
+    "lwpSslOpts": {},
+    "portalSkinRules": {},
+    "issuerDBOpenIDPath": "^/openidserver/",
+    "redirectFormMethod": "get",
+    "portalDisplayRegister": 1,
+    "secureTokenMemcachedServers": "127.0.0.1:11211",
+    "notificationStorageOptions": {
+        "dirName": "/var/lib/lemonldap-ng/notifications"
+    },
+    "browserIdAuthnLevel": 1,
+    "portalUserAttr": "_user",
+    "ldapVersion": 3,
+    "sessionDataToRemember": {},
+    "samlNameIDFormatMapX509": "mail",
+    "managerDn": "%%ldapBindUserDN",
+    "mailSessionKey": "mail",
+    "openIdSreg_email": "mail",
+    "localSessionStorage": "Cache::FileCache",
+    "persistentStorage": "Apache::Session::File",
+    "mailOnPasswordChange": 0,
+    "captchaStorage": "Apache::Session::File",
+    "remoteGlobalStorageOptions": {
+        "proxy": "https://%%authWebName/index.pl/sessions",
+        "ns": "https://%%authWebName/Lemonldap/NG/Common/CGI/SOAPService"
+    },
+    "passwordDB": "LDAP",
+    "captcha_size": 6,
+    "mailCharset": "utf-8",
+    "facebookExportedVars": {},
+    "nullAuthnLevel": 2,
+    "singleIP": 0,
+    "dbiExportedVars": {},
+    "portalSkin": "bootstrap",
+    "storePassword": 0,
+    "hiddenAttributes": "_password",
+    "samlServicePrivateKeySig": "",
+    "globalStorage": "Apache::Session::File",
+    "notificationWildcard": "allusers",
+    "portalForceAuthn": 0,
+    "samlMetadataForceUTF8": 1,
+    "secureTokenUrls": ".*",
+    "secureTokenAllowOnError": 1,
+    "samlAuthnContextMapTLSClient": 5,
+    "ldapAllowResetExpiredPassword": 0,
+    "oidcOPMetaDataExportedVars": {},
+    "notifyOther": 0,
+    "secureTokenExpiration": 60,
+    "captcha_mail_enabled": 0,
+    "samlStorageOptions": {},
+    "samlOrganizationDisplayName": "Example",
+    "trustedProxies": "",
+    "secureTokenHeader": "Auth-Token",
+    "issuerDBCASActivation": 1,
+    "samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;",
+    "samlSPSSODescriptorSingleLogoutServiceHTTPRedirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn",
+    "samlIDPMetaDataXML": {},
+    "oidcStorageOptions": {},
+    "cfgDate": 1519998069,
+    "samlAuthnContextMapPassword": 2,
+    "portalDisplayLoginHistory": 1,
+    "ldapPasswordResetAttributeValue": "TRUE",
+    "ldapServer": "%%ldapScheme://%%ldapServer",
+    "samlIDPSSODescriptorSingleLogoutServiceSOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;",
+    "samlIDPMetaDataExportedAttributes": null,
+    "samlServicePrivateKeyEnc": "",
+    "useRedirectOnForbidden": 0,
+    "captcha_login_enabled": 0,
+    "https": 0,
+    "checkXSS": 1,
+    "ldapSetPassword": 0,
+    "portalPingInterval": 60000,
+    "captchaStorageOptions": {
+        "Directory": "/var/lib/lemonldap-ng/captcha/"
+    },
+    "useSafeJail": 1,
+    "registerDoneSubject": "[LemonLDAP::NG] Your new account",
+    "issuerDBCASRule": 1,
+    "samlAuthnContextMapKerberos": 4,
+    "ldapGroupAttributeNameSearch": "cn",
+    "logoutServices": {},
+    "samlIDPSSODescriptorWantAuthnRequestsSigned": 1,
+    "portalDisplayLogout": 1,
+    "issuerDBGetParameters": {},
+    "googleExportedVars": {},
+    "openIdSreg_fullname": "cn",
+    "samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact",
+    "demoExportedVars": {
+        "mail": "mail",
+        "uid": "uid",
+        "cn": "cn"
+    },
+    "oidcOPMetaDataJSON": null,
+    "samlIdPResolveCookie": "lemonldapidp",
+    "samlRelayStateTimeout": 600,
+    "samlOrganizationURL": "https://auth.%%nom_domaine_local",
+    "globalStorageOptions": {
+        "Directory": "/var/lib/lemonldap-ng/sessions",
+        "LockDirectory": "/var/lib/lemonldap-ng/sessions/lock"
+    },
+    "ldapExportedVars": {
+        "mail": "mail",
+        "cn": "cn",
+        "uid": "uid"
+    },
+    "webIDExportedVars": {},
+    "activeTimer": 1,
+    "cda": 0,
+    "samlServicePublicKeySig": "",
+%if %%llCheckLogins == "oui"
+    "portalCheckLogins": 1,
+%else
+    "portalCheckLogins": 0,
+%end if
+    "CAS_authnLevel": 1,
+    "macros": {
+        "_whatToTrace": "$_auth eq 'SAML' ? \"$_user\\@$_idpConfKey\" : \"$_user\""
+    },
+    "samlIDPMetaDataOptions": null,
+    "twitterAuthnLevel": 1,
+    "openIdExportedVars": {},
+    "captcha_register_enabled": 1,
+    "oidcOPMetaDataJWKS": null,
+    "webIDAuthnLevel": 1,
+    "issuerDBOpenIDActivation": "1",
+%if %%is_empty(%%llResetUrl)    
+    "mailUrl": "https://%%authWebName/mail.pl",
+%else
+    "mailUrl": "%%llResetUrl",
+%end if
+    "maintenance": 0,
+    "jsRedirect": 0,
+    "cfgAuthor": "Cadoles",
+    "persistentStorageOptions": {
+        "LockDirectory": "/var/lib/lemonldap-ng/psessions/lock",
+        "Directory": "/var/lib/lemonldap-ng/psessions"
+    },
+    "SSLAuthnLevel": 5,
+    "oidcServiceMetaDataAuthnContext": {},
+    "samlIDPSSODescriptorArtifactResolutionServiceArtifact": "1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact",
+    "notification": 1,
+    "ldapChangePasswordAsUser": 0,
+    "CAS_proxiedServices": {},
+    "key": "e\"bTCt3*eU9^\\V%b",
+    "portal": "https://%%authWebName/",
+    "singleSessionUserByIP": 0,
+    "portalOpenLinkInNewWindow": 0,
+    "post": {
+        "test2.%%nom_domaine_local": {},
+        "test1.%%nom_domaine_local": {},
+        "%%managerWebName": {}
+    },
+    "samlSPSSODescriptorAssertionConsumerServiceHTTPPost": "0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost",
+    "issuerDBSAMLRule": 1,
+    "samlCommonDomainCookieActivation": 0,
+    "syslog": "",
+    "ldapBase": "%%ldapUserBaseDN",
+    "ldapAuthnLevel": 2,
+    "mailTimeout": 0,
+    "samlEntityID": "#PORTAL#/saml/metadata",
+    "oidcOPMetaDataOptions": null,
+    "samlSPSSODescriptorWantAssertionsSigned": 1,
+    "samlOrganizationName": "%%samlOrganizationName",
+%if %%RegisterDB == "Custom"
+    "registerUrl": "%%llRegisterURL",
+%else
+    "registerUrl": "https://%%authWebName/register.pl",
+%end if
+    "casAccessControlPolicy": "none",
+    "multiValuesSeparator": ";",
+    "ldapPort": %%ldapServerPort
+}

tmpl/manager-apache2.4.conf

@@ -1,106 +0,0 @@
-#====================================================================
-# Apache configuration for LemonLDAP::NG Manager
-#====================================================================
-
-# To insert LLNG user id in Apache logs, declare this format and use it in
-# CustomLog directive
-#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O" llng
-
-# Manager virtual host (manager.__DNSDOMAIN__)
-%if %%container_ip_web != '127.0.0.1'
-<VirtualHost %%container_ip_web:443>
-%else
-<VirtualHost %%adresse_ip_eth0:443>
-%end if
-    ServerName %%managerWebName
-    LogLevel notice
-    # See above to set LLNG user id in Apache logs
-    #CustomLog ${APACHE_LOG_DIR}/manager.log llng
-    #ErrorLog ${APACHE_LOG_DIR}/lm_err.log
-    SSLEngine on
-    SSLCertificateFile    %%apache_cert
-    SSLCertificateKeyFile %%server_key
-    SSLProtocol all -SSLv3 -SSLv2
-
-    # Uncomment this if you are running behind a reverse proxy and want
-    # LemonLDAP::NG to see the real IP address of the end user
-    # Adjust the settings to match the IP address of your reverse proxy
-    # and the header containing the original IP address
-    #
-    #RemoteIPHeader X-Forwarded-For
-    #RemoteIPInternalProxy 127.0.0.1
-
-
-    # FASTCGI CONFIGURATION
-    # ---------------------
-
-    # 1) URI management
-    RewriteEngine on
-
-    # For performances, you can delete the previous RewriteRule line after
-    # puttings html files: simply put the HTML results of differents modules
-    # (configuration, sessions, notifications) as manager.html, sessions.html,
-    # notifications.html and uncomment the 2 following lines:
-    # DirectoryIndex manager.html
-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
-
-    # REST URLs
-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib|javascript|favicon).*"
-    RewriteRule "^/(.+)$" "/manager.fcgi/$1" [PT]
-
-    # 2) FastCGI engine
-
-    # You can choose any FastCGI system. Here is an example using mod_fcgid
-    # mod_fcgid configuration
-    FcgidMaxRequestLen 2000000
-    <Files *.fcgi>
-        SetHandler fcgid-script
-        Options +ExecCGI
-        header unset Lm-Remote-User
-    </Files>
-
-    # If you want to use mod_fastcgi, replace lines below by:
-    #FastCgiServer /usr/share/lemonldap-ng/manager/htdocs/manager.fcgi
-
-    # GLOBAL CONFIGURATION
-    # --------------------
-
-    DocumentRoot /usr/share/lemonldap-ng/manager/htdocs
-
-    <Location />
-        Require all granted
-
-        <IfModule mod_deflate.c>
-            AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
-            SetOutputFilter DEFLATE
-            BrowserMatch ^Mozilla/4 gzip-only-text/html
-            BrowserMatch ^Mozilla/4\.0[678] no-gzip
-            BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-            SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
-        </IfModule>
-        <IfModule mod_headers.c>
-            Header append Vary User-Agent env=!dont-vary
-        </IfModule>
-    </Location>
-
-    # Static files (javascripts, HTML forms,...)
-
-    Alias /static/ /usr/share/lemonldap-ng/manager/htdocs/static/
-    <Directory /usr/share/lemonldap-ng/manager/htdocs/static>
-        Require all granted
-        Options +FollowSymLinks
-    </Directory>
-
-    # On-line documentation
-    Alias /doc/ /usr/share/lemonldap-ng/htdocs/doc/
-    Alias /lib/ /usr/share/lemonldap-ng/htdocs/doc/pages/documentation/current/lib/
-    <Directory /usr/share/lemonldap-ng/htdocs/doc/>
-        Require all granted
-        ErrorDocument 404 /notfound.html
-        Options +FollowSymLinks
-        DirectoryIndex index.html start.html
-    </Directory>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
-</VirtualHost>

tmpl/manager-nginx.conf

@@ -20,7 +20,7 @@ server {
 
   error_page   403 404 502 503 504  /nginx.html;
   location = /nginx.html{
-    root /usr/share/nginx/www;
+    root /usr/share/nginx/html;
   } 
 
   root /usr/share/lemonldap-ng/manager/htdocs/;

tmpl/portal-apache2.4.conf

@@ -1,116 +0,0 @@
-#====================================================================
-# Apache configuration for LemonLDAP::NG Portal
-#====================================================================
-
-# To insert LLNG user id in Apache logs, declare this format and use it in
-# CustomLog directive
-#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O" llng
-
-# Portal Virtual Host (auth.__DNSDOMAIN__)
-%if %%container_ip_web != '127.0.0.1'
-<VirtualHost %%container_ip_web:443>
-%else
-<VirtualHost %%adresse_ip_eth0:443>
-%end if
-    ServerName %%authWebName
-    # See above to set LLNG user id in Apache logs
-    #CustomLog ${APACHE_LOG_DIR}/portal.log llng
-
-    # Uncomment this if you are running behind a reverse proxy and want
-    # LemonLDAP::NG to see the real IP address of the end user
-    # Adjust the settings to match the IP address of your reverse proxy
-    # and the header containing the original IP address
-    #
-    #RemoteIPHeader X-Forwarded-For
-    #RemoteIPInternalProxy 127.0.0.1
-
-    # DocumentRoot (FCGI scripts)
-    DocumentRoot /usr/share/lemonldap-ng/portal/htdocs/
-    <Directory /usr/share/lemonldap-ng/portal/htdocs>
-        Require all granted
-        Options +ExecCGI +FollowSymLinks
-    </Directory>
-    RewriteEngine On
-    # For performances, you can put static html files: simply put the HTML
-    # result (example: /oauth2/checksession.html) as static file. Then
-    # uncomment the following line.
-    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
-    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
-    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
-
-    # Note that Content-Security-Policy header is generated by portal itself
-    <Files *.fcgi>
-        SetHandler fcgid-script
-
-        # Authorization header needs to be passed when using Kerberos or OIDC
-        <IfVersion >= 2.4.13>
-            CGIPassAuth On
-        </IfVersion>
-        <IfVersion < 2.4.13>
-            RewriteCond %{HTTP:Authorization} ^(.*)
-            RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
-        </IfVersion>
-
-        Options +ExecCGI
-        header unset Lm-Remote-User
-    </Files>
-
-    # Uncomment this if status is enabled
-    #FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
-
-    # Static files
-    Alias /static/ /usr/share/lemonldap-ng/portal/htdocs/static/
-    <Directory /usr/share/lemonldap-ng/portal/htdocs/static/>
-        Require all granted
-        Options +FollowSymLinks
-    </Directory>
-    <Location /static/>
-        <IfModule mod_expires.c>
-            ExpiresActive On
-            ExpiresDefault "access plus 1 month"
-        </IfModule>
-    </Location>
-
-    <IfModule mod_dir.c>
-        DirectoryIndex index.fcgi index.html
-    </IfModule>
-
-    # REST/SOAP functions for sessions management (disabled by default)
-    <Location /index.fcgi/adminSessions>
-        Require all denied
-    </Location>
-
-    # REST/SOAP functions for sessions access (disabled by default)
-    <Location /index.fcgi/sessions>
-        Require all denied
-    </Location>
-
-    # REST/SOAP functions for configuration access (disabled by default)
-    <Location /index.fcgi/config>
-        Require all denied
-    </Location>
-
-    # REST/SOAP functions for notification insertion (disabled by default)
-    <Location /index.fcgi/notification>
-        Require all denied
-    </Location>
-
-    # Enabe compression
-    <Location />
-        <IfModule mod_deflate.c>
-                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
-                SetOutputFilter DEFLATE
-                BrowserMatch ^Mozilla/4 gzip-only-text/html
-                BrowserMatch ^Mozilla/4\.0[678] no-gzip
-                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
-        </IfModule>
-        <IfModule mod_headers.c>
-                Header append Vary User-Agent env=!dont-vary
-        </IfModule>
-    </Location>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
-</VirtualHost>
-

tmpl/portal-nginx.conf

@@ -4,6 +4,9 @@
 #  default           "";
 #  ~/CN=(?<CN>[^/]+) $CN;
 #}
+%set %%webDomain = %%authWebName.split('.',1)[1]
+%set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ')
+
 
 server {
   listen 80;
@@ -22,6 +25,7 @@ server {
   ssl_certificate_key %%server_key;
 %end if
   ssl_client_certificate /etc/ssl/certs/ca..crt;
+  ssl_session_cache shared:SSL:10m;
   access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
   server_name %%authWebName;
   root /usr/share/lemonldap-ng/portal/htdocs/;
@@ -40,6 +44,8 @@ server {
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
     fastcgi_param PATH_INFO  $fastcgi_path_info;
+    fastcgi_hide_header Content-Security-Policy;
+    add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'";
 
   }
 

tmpl/test-apache2.4.conf

@@ -1,47 +0,0 @@
-#====================================================================
-# Apache configuration for LemonLDAP::NG sample applications
-#====================================================================
-
-PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
-
-# Sample application
-<VirtualHost __VHOSTLISTEN__>
-    ServerName test1.__DNSDOMAIN__
-    ServerAlias test2.__DNSDOMAIN__
-
-    # Uncomment this if you are running behind a reverse proxy and want
-    # LemonLDAP::NG to see the real IP address of the end user
-    # Adjust the settings to match the IP address of your reverse proxy
-    # and the header containing the original IP address
-    #
-    #RemoteIPHeader X-Forwarded-For
-    #RemoteIPInternalProxy 127.0.0.1
-
-    # SSO protection
-    PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
-
-    # DocumentRoot
-    DocumentRoot __TESTDIR__
-    <Directory __TESTDIR__>
-        Require all granted
-        Options +ExecCGI
-    </Directory>
-
-    # Perl script (application test is written in Perl)
-    <Files *.pl>
-        SetHandler perl-script
-        PerlResponseHandler ModPerl::Registry
-
-        # Display Menu
-        PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu->run
-
-    </Files>
-
-    # Directory index
-    <IfModule mod_dir.c>
-        DirectoryIndex index.pl index.html
-    </IfModule>
-
-    # Uncomment this if site if you use SSL only
-    #Header set Strict-Transport-Security "max-age=15768000"
-</VirtualHost>

tmpl/test-nginx.conf

@@ -50,6 +50,7 @@ server {
     ##################################
     auth_request /lmauth;
     auth_request_set $lmremote_user $upstream_http_lm_remote_user;
+    auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
     auth_request_set $lmlocation $upstream_http_location;
     # If CDA is used, uncomment this
     #auth_request_set $cookie_value $upstream_http_set_cookie;