Merge branch 'master' into dist/eole/2.7.2/master

ref #31347

debian/control

@@ -1,30 +1,51 @@
 Source: eole-lemonldap
 Section: web
 Priority: optional
-Maintainer: Cadoles <eole@ac-dijon.fr>
-Build-Depends: debhelper (>= 9)
-Standards-Version: 3.9.3
-Homepage: https://forge.cadoles.com/Cadoles/eole-lemonldap
-Vcs-Git: https://forge.cadoles.com/Cadoles/eole-lemonldap.git
-Vcs-Browser: https://forge.cadoles.com/Cadoles/eole-lemonldap
+Maintainer: Équipe EOLE <eole@ac-dijon.fr>
+Build-Depends: debhelper-compat (= 12)
+Standards-Version: 4.5.0
+Homepage: https://dev-eole.ac-dijon.fr/projects/sso
+Vcs-Git: https://dev-eole.ac-dijon.fr/git/eole-lemonldap.git
+Vcs-Browser: https://dev-eole.ac-dijon.fr/projects/sso/repository
 
 Package: eole-lemonldap
 Architecture: all
-Depends: ${misc:Depends}, eole-client-annuaire, python-configparser, eole-lemonldap-pkg
-Conflicts: eole-sso
-Provides: eole-sso
-Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG, testée uniquement avec eolebase
+Depends: eole-lemonldap-pkg,
+         ${misc:Depends}
+Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG
+ Pour toute information complémentaire, veuillez vous rendre sur le
+ site du projet EOLE.
+
+Package: eole-lemonldap-scribe
+Architecture: all
+Depends: eole-scribe,
+         eole-lemonldap,
+	 libapache2-mod-perl2,
+         ${misc:Depends}
+Description: Dictionnaire pour calculer les valeurs automatiquement sur Scribe
  .
- Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.
+ Pour toute information complémentaire, veuillez vous rendre sur le
+ site du projet EOLE.
 
 Package: eole-lemonldap-pkg
 Architecture: all
-Depends: ${misc:Depends}, lemonldap-ng, lemonldap-ng-doc, lemonldap-ng-fastcgi-server,
-   libxml-libxml-perl, libxml-libxslt-perl, libcgi-emulate-psgi-perl, libauthen-captcha-perl, liblasso-perl,
-   libxml-simple-perl, libcgi-compile-perl, libmouse-perl, libio-string-perl, libnet-openid-server-perl,
-   libemail-sender-perl, libgd-securityimage-perl, libimage-magick-perl, libnet-ldap-perl,
-   libunicode-string-perl, libsoap-lite-perl, libhtml-template-perl, libcache-cache-perl,
-   libdbi-perl, perl-modules, libwww-perl
+Section: metapackages
+Depends: lemonldap-ng,
+         lemonldap-ng-doc,
+         lemonldap-ng-fastcgi-server,
+         lemonldap-ng-handler,
+         liblemonldap-ng-handler-perl,
+         liblemonldap-ng-manager-perl,
+         liblemonldap-ng-portal-perl,
+         libauthen-captcha-perl,
+         libauthen-sasl-perl,
+         libemail-sender-perl,
+         libgd-securityimage-perl,
+         libimage-magick-perl,
+         libio-string-perl,
+         liblasso-perl,
+         libnet-openid-server-perl,
+         ${misc:Depends}
 Description: Paquet de dépendances pour eole-lemonldap.
  .
  Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

debian/eole-lemonldap-ng-scribe.install

@@ -0,0 +1,2 @@
+usr/share/eole/creole/dicos/71_lemonldap_ng_scribe.xml
+usr/share/eole/postservice/98-lemonldap-ng-scribe-register-hosts

dicos/70_lemonldap_ng.xml

@@ -27,6 +27,14 @@
     </files>
 
     <variables>
+        <family name='eole-sso'>
+            <variable name='eolesso_cas_folder' redefine="True" exists='True'>
+                <value>/cas</value>
+            </variable>
+            <variable name='eolesso_port' redefine="True" exists='True'>
+                <value>443</value>
+            </variable>
+        </family>
         <family name='Services'>
             <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
                 <value>non</value>
@@ -39,6 +47,10 @@
             <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
             <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
 
+	    <variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
+                <value>LDAP</value>
+            </variable>
+
             <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
             <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
             <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@@ -80,7 +92,13 @@
             <variable name='llCheckLogins' type='oui/non' description="Permettre aux utilisateurs d'afficher l'historique de connection">
                 <value>non</value>
             </variable>
-            <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
+            <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe par mail">
+                <value>oui</value>
+            </variable>
+            <variable name='llChangePassword' type='oui/non' description="Permettre aux utilisateurs de changer leurs mots de passe depuis LemonLDAP">
+                <value>oui</value>
+            </variable>
+            <variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
                 <value>oui</value>
             </variable>
             <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
@@ -124,12 +142,16 @@
             <param>['ldaps','ldap']</param>
         </check>
 
+        <check name="valid_enum" target="lemon_user_db">
+            <param>['LDAP','AD']</param>
+        </check>
+
         <check name='valid_enum' target="lm_loglevel">
             <param>['info','notice','warn','error','debug']</param>
         </check>
 
         <check name="valid_enum" target="llRegisterDB">
-            <param>['LDAP','Demo','Custom']</param>
+            <param>['LDAP','AD','Demo','Custom']</param>
         </check>
         <group master="casAttribute">
             <slave>casLDAPAttribute</slave>
@@ -168,6 +190,7 @@
         <condition name='disabled_if_in' source='llResetPassword'>
             <param>non</param>
             <target type='variable'>llResetUrl</target>
+            <target type='variable'>llResetExpiredPassword</target>
         </condition>
         <check name='valid_enum' target='llSkin'>
             <param>['bootstrap','dark','impact','pastel']</param>

dicos/71_lemonldap_ng_scribe.xml

@@ -5,20 +5,13 @@
 
     <variables>
 
-    <family name='eole sso'>
-        <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
-        <variable name='eolesso_cas_folder' redefine="True" exists='True'>
-            <value>cas</value>
-        </variable>
-        <variable name='eolesso_port' redefine="True" exists='True'>
-            <value>443</value>
-        </variable>
-    </family>
+        <family name='eole sso'>
+            <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
+        </family>
 
     </variables>
 
     <constraints>
-
         <fill name='calc_multi_condition' target='activer_sso'>
             <param>oui</param>
             <param type='eole' name='condition_1'>activerLemon</param>
@@ -31,11 +24,8 @@
             <target type='variable'>activer_sso</target>
         </condition>
 
-        <auto name='calc_multi_condition' target='ldapScheme'>
-            <param>oui</param>
-            <param type='eole' name='condition_1'>ldap_tls</param>
-            <param name='match'>ldaps</param>
-            <param name='default_mismatch'>ldap</param>
+        <auto name='calc_val' target='ldapScheme'>
+            <param>ldaps</param>
         </auto>
 
         <fill name='calc_val_first_value' target='eolesso_adresse'>
@@ -44,25 +34,37 @@
             <param type='eole'>nom_domaine_machine</param>
         </fill>
 
+        <auto name='calc_val' target='ldap_port'>
+	    <param>636</param>
+	</auto>
+
         <condition name='frozen_if_in' source='activerLemon'>
             <param>oui</param>
             <target type='variable'>eolesso_adresse</target>
         </condition>
 
         <auto name='calc_val' target='ldapServer'>
-            <param type='eole'>adresse_ip_ldap</param>
+            <param type='eole'>ad_address</param>
         </auto>
 
         <auto name='calc_val' target='ldapServerPort'>
-            <param type='eole'>ldap_port</param>
+            <param type='number'>636</param>
+        </auto>
+
+        <auto name='calc_val' target='lemon_user_db'>
+            <param>AD</param>
+        </auto>
+
+        <auto name='calc_val' target='llRegisterDB'>
+            <param>AD</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserDN'>
-            <param type='eole'>ldap_reader</param>
+            <param type='eole'>sasl_ldap_reader</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserPassword'>
-            <param type='eole'>ldap_reader_passfile</param>
+	    <param>/etc/eole/private/sasl-reader.password</param>
         </auto>
 
         <auto name='calc_val' target='casFolder'>

tmpl/handler-apache2.X.conf

@@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%reloadWebName
 
+    SSLEngine on
+    SSLCertificateFile   %%server_cert
+    SSLCertificateKeyFile %%server_key
+    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+    SSLProtocol all -SSLv3 -SSLv2
+    SSLProxyEngine on
+
+    LogLevel %%lm_loglevel
+
+    ErrorLog /var/log/apache2/handler_error.log
+    CustomLog /var/log/apache2/handler_access.log common
     # Configuration reload mechanism (only 1 per physical server is
     # needed): choose your URL to avoid restarting Apache when
     # configuration change

tmpl/lemonldap-ng.ini

@@ -197,11 +197,11 @@ portalSkin = %%llSkin
 ; Modules displayed
 ;portalDisplayLogout = 1
 portalDisplayResetPassword = %%boolean[%%llResetPassword]
-;portalDisplayChangePassword = 1
+portalDisplayChangePassword = %%boolean[%%llChangePassword]
 ;portalDisplayAppslist = 1
 ;portalDisplayLoginHistory = 1
 ; Require the old password when changing password
-;portalRequireOldPassword = 1
+portalRequireOldPassword = %%boolean[%%llChangePassword]
 ; Attribute displayed as connected user
 ;portalUserAttr = mail
 ; Old menu HTML code

tmpl/lmConf-1.json

@@ -85,7 +85,7 @@
     },
     "authChoiceModules": {},
     "authChoiceParam": "lmAuth",
-    "authentication": "LDAP",
+    "authentication": "%%lemon_user_db",
     "browserIdAuthnLevel": 1,
     "captchaStorage": "Apache::Session::File",
     "captchaStorageOptions": {
@@ -152,10 +152,37 @@
     "issuerDBSAMLRule": 1,
     "jsRedirect": 0,
     "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+  %if %%llResetExpiredPassword == "oui"
+    %if %%lemon_user_db == "AD"
+    "ldapPpolicyControl": 0,
+    %else
+    "ldapPpolicyControl": 1,
+    %end if
+    "ldapAllowResetExpiredPassword": 1,
+    "ldapChangePasswordAsUser": 1,
+  %else
+    "ldapPpolicyControl": 0,
     "ldapAllowResetExpiredPassword": 0,
+    "ldapChangePasswordAsUser": 1,
+  %end if
+%end if
     "ldapAuthnLevel": 2,
+    "ldapSearchDeref": "find",
+%if %%eole_module == "scribe"
+    "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+    "ldapExportedVars": {
+        "cn": "cn",
+        "mail": "mail",
+        "uid": "cn"
+    },
+    "ldapGroupAttributeName": "memberUid",
+    "ldapGroupAttributeNameGroup": "dn",
+    "ldapGroupAttributeNameSearch": "cn",
+    "ldapGroupAttributeNameUser": "cn",
+    "ldapGroupObjectClass": "group",
+%else
     "ldapBase": "%%ldapUserBaseDN",
-    "ldapChangePasswordAsUser": 0,
     "ldapExportedVars": {
         "cn": "cn",
         "mail": "mail",
@@ -166,11 +193,11 @@
     "ldapGroupAttributeNameSearch": "cn",
     "ldapGroupAttributeNameUser": "uid",
     "ldapGroupObjectClass": "eolegroupe",
+%end if
     "ldapGroupRecursive": 0,
     "ldapPasswordResetAttribute": "pwdReset",
     "ldapPasswordResetAttributeValue": "TRUE",
     "ldapPort": "%%ldapServerPort",
-    "ldapPpolicyControl": 0,
     "ldapPwdEnc": "utf-8",
     "ldapServer": "%%ldapScheme://%%ldapServer",
 %if %%ldapScheme == "ldaps"
@@ -219,13 +246,17 @@
     "mailTimeout": 0,
 %if %%llResetPassword == "oui"
     %if %%is_empty(%%llResetUrl)
-    "mailUrl": "https://%%authWebName/mail.pl",
+    "mailUrl": "https://%%authWebName/resetpwd",
     %else
     "mailUrl": "%%llResetUrl",
     %end if
 %end if
     "maintenance": 0,
+%if %%eole_module == "scribe"
+    "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
     "managerDn": "%%ldapBindUserDN",
+%end if
 %if %%is_file(%%ldapBindUserPassword)
     "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
@@ -258,7 +289,7 @@
     "openIdSreg_fullname": "cn",
     "openIdSreg_nickname": "uid",
     "openIdSreg_timezone": "_timezone",
-    "passwordDB": "LDAP",
+    "passwordDB": "%%lemon_user_db",
     "persistentStorage": "Apache::Session::File",
     "persistentStorageOptions": {
         "Directory": "/var/lib/lemonldap-ng/psessions",
@@ -268,7 +299,7 @@
     "portalAntiFrame": 1,
     "portalCheckLogins": %%boolean[%%llCheckLogins],
     "portalDisplayAppslist": 1,
-    "portalDisplayChangePassword": "$_auth =~ /^(LDAP|DBI|Demo)$/",
+    "portalDisplayChangePassword": "$_auth =~ /^(AD|LDAP|DBI|Demo)$/",
     "portalDisplayLoginHistory": 1,
     "portalDisplayLogout": 1,
     "portalDisplayRegister": 1,
@@ -378,7 +409,7 @@
     "useRedirectOnForbidden": 0,
     "useSafeJail": 1,
     "userControl": "^[\\w\\.\\-@]+$",
-    "userDB": "LDAP",
+    "userDB": "%%lemon_user_db",
     "vhostOptions": {
         "%%managerWebName": {
             "vhostHttps": "1"

tmpl/manager-apache2.X.conf

@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%managerWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/manager_error.log
     CustomLog /var/log/apache2/manager_access.log common
 

tmpl/portal-apache2.X.conf

@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%authWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/portal_error.log
     CustomLog /var/log/apache2/portal_access.log common