Merge branch 'master' into dist/eole/2.8.1/master

Moving to Active Directory the actual auth LDAP server

The password is updated in the Samba4 directory so we
need to use this one and not the OpenLDAP one

README.md

@@ -4,6 +4,27 @@ LemonLDAP::NG EOLE integration
 
 ## Howto
 
+### Repository configuration
+
+* Add the lemonldap-ng deb respository we need the last version of LemonLDAP.
+
+GenConfig -> Mode Expert -> Dépôts tiers -> Libellé du dépôt
+
+#### LemonLDAP::NG repository (if you use EOLE 2.7.2 this is not needed anymore)
+ 
+* deb     https://lemonldap-ng.org/deb stable main
+* deb-src https://lemonldap-ng.org/deb stable main
+* Key URL : https://lemonldap-ng.org/_media/rpm-gpg-key-ow2 
+
+#### Cadoles Repository
+* deb [ arch=all  ] https://vulcain.cadoles.com 2.7.2-dev main
+* Key URL : https://vulcain.cadoles.com/cadoles.gpg
+
+### Install packages
+
+apt update
+apt install eole-lemonldap
+
 ### Configure LemonLDAP in GenConfig
 
 * Enable lemonldap in "Services" tab

debian/control

@@ -0,0 +1,50 @@
+Source: eole-lemonldap-ng
+Section: web
+Priority: optional
+Maintainer: Équipe EOLE <eole@ac-dijon.fr>
+Build-Depends: debhelper-compat (= 12)
+Standards-Version: 4.5.0
+Homepage: https://dev-eole.ac-dijon.fr/projects/sso
+Vcs-Git: https://dev-eole.ac-dijon.fr/git/eole-lemonldap-ng.git
+Vcs-Browser: https://dev-eole.ac-dijon.fr/projects/sso/repository
+
+Package: eole-lemonldap-ng
+Architecture: all
+Depends: eole-lemonldap-ng-pkg,
+         ${misc:Depends}
+Description: Dictionnaires et templates pour la configuration d'un serveur LemonLDAP::NG
+ Pour toute information complémentaire, veuillez vous rendre sur le
+ site du projet EOLE.
+
+Package: eole-lemonldap-ng-scribe
+Architecture: all
+Depends: eole-scribe,
+         eole-lemonldap-ng,
+	 libapache2-mod-perl2,
+         ${misc:Depends}
+Description: Dictionnaire pour calculer les valeurs automatiquement sur Scribe
+ .
+ Pour toute information complémentaire, veuillez vous rendre sur le
+ site du projet EOLE.
+
+Package: eole-lemonldap-ng-pkg
+Architecture: all
+Section: metapackages
+Depends: lemonldap-ng,
+         lemonldap-ng-doc,
+         lemonldap-ng-fastcgi-server,
+         lemonldap-ng-handler,
+         liblemonldap-ng-handler-perl,
+         liblemonldap-ng-manager-perl,
+         liblemonldap-ng-portal-perl,
+         libauthen-captcha-perl,
+         libemail-sender-perl,
+         libgd-securityimage-perl,
+         libimage-magick-perl,
+         libio-string-perl,
+         liblasso-perl,
+         libnet-openid-server-perl,
+         ${misc:Depends}
+Description: Paquet de dépendances pour eole-lemonldap.
+ .
+ Pour toute information complémentaire, veuillez vous rendre sur la forge Cadoles.

debian/copyright

@@ -0,0 +1,37 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: eole-lemonldap-ng
+Source: http://dev-eole.ac-dijon.fr/projects/sso
+
+Files: *
+Copyright: 2020 Équipe EOLE <eole@ac-dijon.fr>
+License: CeCILL-C
+
+License: CeCILL-C
+ This software is governed by the CeCILL-C license under French law and
+ abiding by the rules of distribution of free software.  You can  use,
+ modify and or redistribute the software under the terms of the CeCILL-C
+ license as circulated by CEA, CNRS and INRIA at the following URL
+ "http://www.cecill.info";.
+ .
+ As a counterpart to the access to the source code and  rights to copy,
+ modify and redistribute granted by the license, users are provided only
+ with a limited warranty  and the software's author,  the holder of the
+ economic rights,  and the successive licensors  have only  limited
+ liability.
+ .
+ In this respect, the user's attention is drawn to the risks associated
+ with loading,  using,  modifying and/or developing or reproducing the
+ software by the user in light of its specific status of free software,
+ that may mean  that it is complicated to manipulate,  and  that  also
+ therefore means  that it is reserved for developers  and  experienced
+ professionals having in-depth computer knowledge. Users are therefore
+ encouraged to load and test the software's suitability as regards their
+ requirements in conditions enabling the security of their systems and/or
+ data to be ensured and,  more generally, to use and operate it in the
+ same conditions as regards security.
+ .
+ The fact that you are presently reading this means that you have had
+ knowledge of the CeCILL-C license and that you accept its terms.
+ .
+ On Eole systems, the complete text of the CeCILL-C License can be found
+ in `/usr/share/common-licenses/CeCILL-2'.

debian/eole-lemonldap-ng-scribe.install

@@ -0,0 +1,2 @@
+usr/share/eole/creole/dicos/71_lemonldap_ng_scribe.xml
+usr/share/eole/postservice/98-lemonldap-ng-scribe-register-hosts

debian/eole-lemonldap-ng.install

@@ -0,0 +1,6 @@
+usr/share/creole/
+usr/share/eole/creole/dicos/70_lemonldap_ng.xml
+usr/share/eole/creole/distrib/
+usr/share/eole/diagnose/
+usr/share/eole/postservice/99-lemonldap-ng
+usr/share/eole/posttemplate/

debian/gbp.conf

@@ -0,0 +1,3 @@
+# Set per distribution debian tag
+[DEFAULT]
+debian-tag = debian/eole/%(version)s

debian/rules

@@ -0,0 +1,9 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+export DH_VERBOSE=1
+export DH_OPTIONS=-v
+
+%:
+	dh $@

debian/source/format

@@ -0,0 +1 @@
+3.0 (native)

dicos/70_lemonldap_ng.xml

@@ -2,7 +2,6 @@
 <creole>
 
     <files>
-
         <file filelist='lemonldap' name='/etc/lemonldap-ng/lemonldap-ng.ini' mkdir='True' rm='True'/>
         <file filelist='lemonldap' name='/var/lib/lemonldap-ng/conf/lmConf-1.json' mkdir='True' rm='True'/>
         <file filelist='lemonldap' name='/etc/default/lemonldap-ng-fastcgi-server' mkdir='True' rm='True'/>
@@ -15,7 +14,7 @@
         <file filelist='lemonldap-apache' name='/etc/lemonldap-ng/handler-apache2.X.conf' mkdir='True' rm='True'/>
         <file filelist='lemonldap-apache' name='/etc/lemonldap-ng/portal-apache2.X.conf' mkdir='True' rm='True'/>
 
-        <service>lemonldap-ng-fastcgi-server</service>
+        <service servicelist="sllemon">lemonldap-ng-fastcgi-server</service>
 
         <service method='apache' servicelist='lemonldap-apache'>manager-apache2</service>
         <service method='apache' servicelist='lemonldap-apache'>portal-apache2</service>
@@ -28,18 +27,30 @@
     </files>
 
     <variables>
+        <family name='eole-sso'>
+            <variable name='eolesso_cas_folder' redefine="True" exists='True'>
+                <value>/cas</value>
+            </variable>
+            <variable name='eolesso_port' redefine="True" exists='True'>
+                <value>443</value>
+            </variable>
+        </family>
         <family name='Services'>
             <variable name='activerLemon' type='oui/non' description="Activer LemonLDAP::NG">
                 <value>non</value>
             </variable>
         </family>
 
-        <family name='LemonLDAP'>
+        <family name='LemonLDAP' icon='lemon'>
 
             <variable name='managerWebName' type='string' description="Nom DNS du manager LemonLDAP-NG"/>
             <variable name='authWebName' type='string' description="Nom DNS du service d'authentification LemonLDAP-NG"/>
             <variable name='reloadWebName' type='string' description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
 
+	    <variable name='lemon_user_db' type='string' description="Backend pour les comptes utilisateurs" mode="expert">
+                <value>LDAP</value>
+            </variable>
+
             <variable name='ldapScheme' type='string' description="Protocole LDAP à utiliser" mandatory='True'/>
             <variable name='ldapServer' type='string' description="Adresse du Serveur LDAP utilisé par LemonLDAP::NG" mandatory="True"/>
             <variable name='ldapServerPort' type='number' description="Port d'écoute du LDAP utilisé par LemonLDAP::NG" mandatory='True'/>
@@ -47,11 +58,18 @@
             <variable name='ldapBindUserDN' type='string' description="Utilisateur de connection à l'annuaire" mandatory="True"/>
             <variable name='ldapBindUserPassword' type='password' description="Mot de passe de l'utilisateur de connection à l'annuaire" mandatory="True"/>
             <variable name="samlOrganizationName" type='string' description="Nom de l'organisation SAML" mode='expert'/>
+            <variable name='lmldapverify' type='oui/non' description="Vérifier les certificats SSL du serveur LDAP">
+                <value>oui</value>
+            </variable>
 
             <variable name="lemonproc" type='number' description="Nombre de processus dédié à Lemon (équivalent au nombre de processeurs)" mandatory="True">
                 <value>4</value>
             </variable>
 
+            <variable name="lm_loglevel" type='string' description="Verbosité des journaux" mode='expert'>
+                <value>info</value>
+            </variable>
+
             <variable name="lemonAdmin" type='string' description="LemonLDAP Administrator username" mode='expert'>
                 <value>admin</value>
             </variable>
@@ -77,6 +95,9 @@
             <variable name='llResetPassword' type='oui/non' description="Permettre aux utilisateurs de réinitialiser leurs mots de passe">
                 <value>oui</value>
             </variable>
+            <variable name='llResetExpiredPassword' type='oui/non' description="Autoriser le renouvellement des mots de passe expirés">
+                <value>oui</value>
+            </variable>
             <variable name='llResetUrl' type='string' description="Adresse de l'application pour réinitialiser leurs mots de passe" />
             <variable name='llRegisterAccount' type='oui/non' description="Permettre aux utilisateurs de créer un compte">
                 <value>oui</value>
@@ -118,10 +139,17 @@
             <param>['ldaps','ldap']</param>
         </check>
 
+        <check name="valid_enum" target="lemon_user_db">
+            <param>['LDAP','AD']</param>
+        </check>
+
+        <check name='valid_enum' target="lm_loglevel">
+            <param>['info','notice','warn','error','debug']</param>
+        </check>
+
         <check name="valid_enum" target="llRegisterDB">
             <param>['LDAP','Demo','Custom']</param>
         </check>
-
         <group master="casAttribute">
             <slave>casLDAPAttribute</slave>
         </group>
@@ -131,6 +159,8 @@
             <target type='filelist'>lemonldap</target>
             <target type='filelist'>lemonldap-nginx</target>
             <target type='filelist'>lemonldap-apache</target>
+            <target type='servicelist'>lemonldap-apache</target>
+            <target type='servicelist'>sllemon</target>
             <target type='family'>LemonLDAP</target>
             <target type='service_accesslist'>saLemon</target>
         </condition>
@@ -157,6 +187,7 @@
         <condition name='disabled_if_in' source='llResetPassword'>
             <param>non</param>
             <target type='variable'>llResetUrl</target>
+            <target type='variable'>llResetExpiredPassword</target>
         </condition>
         <check name='valid_enum' target='llSkin'>
             <param>['bootstrap','dark','impact','pastel']</param>
@@ -165,10 +196,12 @@
     </constraints>
 
     <help>
+        <family name='LemonLDAP'>Configuration de la solution d'authentification unique LemonLDAP::NG</family>
         <variable name='activerLemon'>Activer le service LemonLDAP::NG sur ce serveur</variable>
         <variable name='managerWebName'>Nom DNS de l'application de gestion de LemonLDAP::NG ex:manager.example.fr</variable>
         <variable name='authWebName'>Nom DNS de service d'authentification de LemonLDAP::NG ex:auth.example.fr</variable>
-        <variable name='ldapUserBaseDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
+	<variable name='ldapUserBaseDN'>DN de base de l'emplactement des utilisateurs dans l'annuaire (ex: ou=users,o=gouv,c=fr)</variable>
+	<variable name='ldapBindUserDN'>DN de l'utilisateur de connection en lecture à l'annuaire (ex: cn=reader,o=gouv,c=fr)</variable>
         <variable name='llCheckLogins'>Affiche une case à cocher sur la mire SSO qui permet a l'utilisateur de voir l'historique de connection de son compte avant d'être redirigé vers le service demandé</variable>
         <variable name='llCSPTargets'>Liste des domaines à ajouter à la directive form-action.</variable>
     </help>

dicos/71_lemonldap_ng_scribe.xml

@@ -6,13 +6,12 @@
     <variables>
 
         <family name='eole sso'>
-            <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" />
+            <variable name='eolesso_adresse' description="Nom de domaine du serveur d'authentification SSO" redefine="True" exists='True' />
         </family>
 
     </variables>
 
     <constraints>
-
         <fill name='calc_multi_condition' target='activer_sso'>
             <param>oui</param>
             <param type='eole' name='condition_1'>activerLemon</param>
@@ -25,11 +24,8 @@
             <target type='variable'>activer_sso</target>
         </condition>
 
-        <auto name='calc_multi_condition' target='ldapScheme'>
-            <param>oui</param>
-            <param type='eole' name='condition_1'>ldap_tls</param>
-            <param name='match'>ldaps</param>
-            <param name='default_mismatch'>ldap</param>
+        <auto name='calc_val' target='ldapScheme'>
+            <param>ldaps</param>
         </auto>
 
         <fill name='calc_val_first_value' target='eolesso_adresse'>
@@ -38,29 +34,33 @@
             <param type='eole'>nom_domaine_machine</param>
         </fill>
 
+        <auto name='calc_val' target='ldap_port'>
+	    <param>636</param>
+	</auto>
+
         <condition name='frozen_if_in' source='activerLemon'>
             <param>oui</param>
             <target type='variable'>eolesso_adresse</target>
         </condition>
 
         <auto name='calc_val' target='ldapServer'>
-            <param type='eole'>adresse_ip_ldap</param>
+            <param type='eole'>ad_address</param>
         </auto>
 
         <auto name='calc_val' target='ldapServerPort'>
-            <param type='eole'>ldap_port</param>
+            <param type='number'>636</param>
         </auto>
 
-        <auto name='calc_val' target='ldapUserBaseDN'>
-            <param type='eole'>ldap_base_dn</param>
+        <auto name='calc_val' target='lemon_user_db'>
+            <param>AD</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserDN'>
-            <param type='eole'>ldap_reader</param>
+            <param type='eole'>sasl_ldap_reader</param>
         </auto>
 
         <auto name='calc_val' target='ldapBindUserPassword'>
-            <param type='eole'>ldap_reader_passfile</param>
+	    <param>/etc/eole/private/sasl-reader.password</param>
         </auto>
 
         <auto name='calc_val' target='casFolder'>

postservice/99-lemonldap-ng

@@ -1,6 +1,12 @@
 #!/bin/bash
 
-[ "$(CreoleGet activerLemon non)" = 'oui' ] || exit 0
+
+[[ $(CreoleGet activerLemon non) == "non" ]] && exit 0
+
+# Updating Configuration cache
+
+cmd="/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache"
+opt="update-cache"
 
 # Updating Configuration cache
 /usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache 2>&1

tmpl/handler-apache2.X.conf

@@ -29,6 +29,17 @@ ErrorDocument 503 https://%%authWebName/lmerror/503
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%reloadWebName
 
+    SSLEngine on
+    SSLCertificateFile   %%server_cert
+    SSLCertificateKeyFile %%server_key
+    SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
+    SSLProtocol all -SSLv3 -SSLv2
+    SSLProxyEngine on
+
+    LogLevel %%lm_loglevel
+
+    ErrorLog /var/log/apache2/handler_error.log
+    CustomLog /var/log/apache2/handler_access.log common
     # Configuration reload mechanism (only 1 per physical server is
     # needed): choose your URL to avoid restarting Apache when
     # configuration change

tmpl/lemonldap-ng-fastcgi-server

@@ -1,5 +1,5 @@
 # Number of process (default: 7)
-NPROC = %%lemonproc
+NPROC=%%lemonproc
 
 # Unix socket to listen to
 SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock

tmpl/lemonldap-ng.ini

@@ -36,7 +36,7 @@
 ;
 ; 1 - Defined logging level
 ;   Set here one of error, warn, notice, info or debug
-logLevel     = debug
+logLevel     = %%lm_loglevel
 ; Note that this has no effect for Apache2 logging: Apache LogLevel is used
 ; instead
 ;
@@ -65,9 +65,9 @@ logLevel     = debug
 ; 2.1 - Using Syslog
 ;
 ;   For Syslog logging, you can also overwrite facilities. Default values:
-;logger             = Lemonldap::NG::Common::Logger::Syslog
-;syslogFacility     = daemon
-;userSyslogFacility = auth
+logger             = Lemonldap::NG::Common::Logger::Syslog
+syslogFacility     = daemon
+userSyslogFacility = auth
 ;
 ; 2.2 - Using Log4perl
 ;

tmpl/lmConf-1.json

@@ -85,7 +85,7 @@
     },
     "authChoiceModules": {},
     "authChoiceParam": "lmAuth",
-    "authentication": "LDAP",
+    "authentication": "%%lemon_user_db",
     "browserIdAuthnLevel": 1,
     "captchaStorage": "Apache::Session::File",
     "captchaStorageOptions": {
@@ -152,10 +152,27 @@
     "issuerDBSAMLRule": 1,
     "jsRedirect": 0,
     "key": "e\"bTCt3*eU9^\\V%b",
+%if %%llResetPassword == "oui"
+  %if %%llResetExpiredPassword == "oui"
+    %if %%lemon_user_db == "AD"
+    "ldapPpolicyControl": 0,
+    %else
+    "ldapPpolicyControl": 1,
+    %end if
+    "ldapAllowResetExpiredPassword": 1,
+  %else
+    "ldapPpolicyControl": 0,
     "ldapAllowResetExpiredPassword": 0,
+  %end if
+%end if
+    "ldapChangePasswordAsUser": 1,
     "ldapAuthnLevel": 2,
+%if %%eole_module == "scribe"
+    "ldapBase": "cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
     "ldapBase": "%%ldapUserBaseDN",
-    "ldapChangePasswordAsUser": 0,
+%end if
+    "ldapSearchDeref": "find",
     "ldapExportedVars": {
         "cn": "cn",
         "mail": "mail",
@@ -170,9 +187,15 @@
     "ldapPasswordResetAttribute": "pwdReset",
     "ldapPasswordResetAttributeValue": "TRUE",
     "ldapPort": "%%ldapServerPort",
-    "ldapPpolicyControl": 0,
     "ldapPwdEnc": "utf-8",
     "ldapServer": "%%ldapScheme://%%ldapServer",
+%if %%ldapScheme == "ldaps"
+   %if %%lmldapverify == "oui"
+    "ldapVerify": "required",
+   %else
+    "ldapVerify": "none",
+   %end if
+%end if
     "ldapSetPassword": 0,
     "ldapTimeout": 120,
     "ldapUsePasswordResetAttribute": 1,
@@ -211,7 +234,11 @@
     %end if
 %end if
     "maintenance": 0,
+%if %%eole_module == "scribe"
+    "managerDn": "cn=%%ldapBindUserDN,cn=Users,dc=%echo ",dc=".join(%%ad_domain.split('.')) + '",'
+%else
     "managerDn": "%%ldapBindUserDN",
+%end if
 %if %%is_file(%%ldapBindUserPassword)
     "managerPassword": "%%readPass("", %%ldapBindUserPassword)",
 %else
@@ -244,7 +271,7 @@
     "openIdSreg_fullname": "cn",
     "openIdSreg_nickname": "uid",
     "openIdSreg_timezone": "_timezone",
-    "passwordDB": "LDAP",
+    "passwordDB": "%%lemon_user_db",
     "persistentStorage": "Apache::Session::File",
     "persistentStorageOptions": {
         "Directory": "/var/lib/lemonldap-ng/psessions",
@@ -364,7 +391,7 @@
     "useRedirectOnForbidden": 0,
     "useSafeJail": 1,
     "userControl": "^[\\w\\.\\-@]+$",
-    "userDB": "LDAP",
+    "userDB": "%%lemon_user_db",
     "vhostOptions": {
         "%%managerWebName": {
             "vhostHttps": "1"

tmpl/manager-apache2.X.conf

@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%managerWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/manager_error.log
     CustomLog /var/log/apache2/manager_access.log common
 

tmpl/nginx-lmlog.conf

@@ -1,3 +1,3 @@
-log_format lm_combined '$remote_addr - $lmremote_user [$time_local] '
+log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
 	'"$request" $status $body_bytes_sent '
-	'"$http_referer" "$http_user_agent"';
+	'"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';

tmpl/portal-apache2.X.conf

@@ -13,13 +13,13 @@
 <VirtualHost %%adresse_ip_eth0:443>
     ServerName %%authWebName
     SSLEngine on
-    SSLCertificateFile    /etc/ssl/certs/eole.crt
-    SSLCertificateKeyFile /etc/ssl/private/eole.key
+    SSLCertificateFile    %%server_cert
+    SSLCertificateKeyFile %%server_key
     SSLCertificateChainFile /etc/ssl/certs/ca_local.crt
     SSLProtocol all -SSLv3 -SSLv2
     SSLProxyEngine on
 
-    LogLevel info
+    LogLevel %%lm_loglevel
     ErrorLog /var/log/apache2/portal_error.log
     CustomLog /var/log/apache2/portal_access.log common