Compare commits

...

16 Commits

Author SHA1 Message Date
eb06eaaf5a Merge branch 'develop' into staging 2020-09-10 15:05:11 +02:00
ad9059bfae passage en 2.7.2 2020-09-03 16:44:25 +02:00
7d05697ad0 Merge branch 'develop' into staging 2020-01-16 09:35:09 +01:00
7328d4b968 utilisation de la variable lemonproc dans la conf fastcgi 2020-01-16 09:27:47 +01:00
267b96bd16 optimisation 2020-01-16 09:13:16 +01:00
3326273e21 Merge branch 'develop' into staging 2020-01-06 14:58:33 +01:00
53e17b8da0 Merge branch 'issue/3-CSP_targets' into develop 2019-12-12 12:01:18 +01:00
207dadd5cc Add variables to defined allowed CSP targets 2019-12-12 12:01:00 +01:00
994166b1fd Merge branch 'issue/2-variable_init' into develop 2019-12-12 11:16:48 +01:00
20c513e4fd declare lmremote_custom variable in test-nginx.conf 2019-12-12 11:16:38 +01:00
0980b3d30c Merge branch 'issue/1-error_page_location' into develop 2019-12-12 11:15:07 +01:00
9003ecbcb3 nginx error pages are located in html subfolder, not www 2019-12-12 11:14:54 +01:00
8fbafb4c70 Merge branch 'develop' into staging 2019-09-13 16:08:44 +02:00
cc1da0773b Work around CSP form-action issue with CAS.
Replace header with nicer values
2019-09-13 16:02:48 +02:00
a96d56b19c Merge branch 'develop' 2019-09-13 10:00:17 +02:00
c7b38c52d0 Update README 2019-07-11 09:44:49 +02:00
8 changed files with 36 additions and 7 deletions

View File

@ -4,8 +4,8 @@
SOURCE=eole-lemonldap
VERSION=0.1
EOLE_VERSION=2.6
EOLE_RELEASE=2.6.2
EOLE_VERSION=2.7
EOLE_RELEASE=2.7.2
PKGAPPS=non
#FLASK_MODULE=<APPLICATION>

View File

@ -12,12 +12,12 @@ GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
#### LemonLDAP::NG repository
* deb https://lemonldap-ng.org/deb stable main
* deb-src https://lemonldap-ng.org/deb stable main
* deb https://lemonldap-ng.org/deb 1.9 main
* deb-src https://lemonldap-ng.org/deb 1.9 main
* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
#### Cadoles Repository
* deb [ arch=all ] https://vulcain.cadoles.com 2.6.2-dev main
* deb [ arch=all ] https://vulcain.cadoles.com 2.7.2-dev main
* Key URL : https://vulcain.cadoles.com/cadoles.gpg
### Install packages

View File

@ -8,6 +8,7 @@
<file filelist='lemon' name='/etc/lemonldap-ng/test-nginx.conf' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
<file filelist='lemon' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
<file filelist='lemon' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
<file filelist='lemonCAS' name='/usr/share/php/configCAS/cas.inc.php' source='cas.inc.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/usr/share/php/CAS/eoleCASConfig.php' source='eoleCASConfig.php.tmpl' mkdir='True'/>
<file filelist='lemonCAS' name='/etc/pam_cas.conf' source="pam_cas_auth.conf"/>
@ -34,6 +35,10 @@
<variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name='ldapBindUserPassword' type='string' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
<variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
<variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeur)" mandatory="True">
<value>4</value>
</variable>
<variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
<value>admin</value>
</variable>
@ -67,6 +72,7 @@
</variable>
<variable name='llRegisterDB' type='string' description="Base de comptes pour l'enregistrement"/>
<variable name='llRegisterURL' type='string' description="Adresse de l'application de création de compte"/>
<variable name='llCSPTargets' type='domain' description="Domaines vers lesquels le forumaire peut renvoyer" multi='True'/>
</family>
<separators>
<separator name="managerWebName">Configuration DNS</separator>
@ -132,5 +138,6 @@
<variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
<variable name='nginxBucketSize'>server_names_hash_bucket_size Taille du hash des noms de serveur pour NGINX</variable>
<variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
<variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
</help>
</creole>

View File

@ -39,7 +39,7 @@ server {
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
root /usr/share/nginx/html;
}
location = /reload {

View File

@ -0,0 +1,15 @@
# Number of process (default: 7)
NPROC = %%lemonproc
# Unix socket to listen to
SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
# Pid file
PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
# User and GROUP
USER=www-data
GROUP=www-data
# Custom functions file
#CUSTOM_FUNCTIONS_FILE=/var/lib/lemonldap-ng/myfile.pm

View File

@ -20,7 +20,7 @@ server {
error_page 403 404 502 503 504 /nginx.html;
location = /nginx.html{
root /usr/share/nginx/www;
root /usr/share/nginx/html;
}
root /usr/share/lemonldap-ng/manager/htdocs/;

View File

@ -4,6 +4,9 @@
# default "";
# ~/CN=(?<CN>[^/]+) $CN;
#}
%set %%webDomain = %%authWebName.split('.',1)[1]
%set %%CSPTargets = %%custom_join(['http://*.{0} https://*.{0}'.format(d) for d in set([%%webDomain] + %%getVar('llCSPTargets'))], ' ')
server {
listen 80;
@ -22,6 +25,7 @@ server {
ssl_certificate_key %%server_key;
%end if
ssl_client_certificate /etc/ssl/certs/ca..crt;
ssl_session_cache shared:SSL:10m;
access_log /var/log/nginx/auth-lemon-ldap.access-ssl.log;
server_name %%authWebName;
root /usr/share/lemonldap-ng/portal/htdocs/;
@ -40,6 +44,8 @@ server {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_hide_header Content-Security-Policy;
add_header Content-Security-Policy "default-src 'self'; form-action 'self' %%CSPTargets; object-src 'none'";
}

View File

@ -50,6 +50,7 @@ server {
##################################
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
# If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie;