premier commit

tags/smeserver-lemonldap-ng-0.2.19-1
Daniel Berteaud 12 years ago
commit 6351a4e526
  1. 14
      createlinks
  2. 1
      root/etc/e-smith/db/accounts/defaults/lm-reload/type
  3. 1
      root/etc/e-smith/db/configuration/defaults/lemonldap/status
  4. 1
      root/etc/e-smith/db/configuration/defaults/lemonldap/type
  5. 12
      root/etc/e-smith/db/configuration/migrate/lemonldap-enable-mod_perl
  6. 13
      root/etc/e-smith/db/configuration/migrate/lemonldap-soappasswd
  7. 88
      root/etc/e-smith/events/actions/lemonldap-init-domains
  8. 43
      root/etc/e-smith/events/actions/lemonldap-update-conf
  9. 3
      root/etc/e-smith/templates.metadata/etc/lemonldap-ng/lemonldap-ng.ini
  10. 3
      root/etc/e-smith/templates.metadata/etc/lemonldap-ng/soap-htpasswd
  11. 3
      root/etc/e-smith/templates.metadata/var/lib/lemonldap-ng/conf/lmConf-2
  12. 32
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/97LemonLDAPHandler
  13. 10
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/00Setup
  14. 1
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/10ServerName
  15. 105
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80LemonLDAPManager
  16. 2
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-begin
  17. 2
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-end
  18. 10
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/00Setup
  19. 1
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/10ServerName
  20. 116
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80LemonLDAPPortal
  21. 2
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-begin
  22. 2
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-end
  23. 10
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/00Setup
  24. 1
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/10ServerName
  25. 119
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80LemonLDAPSoap
  26. 2
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-begin
  27. 2
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-end
  28. 10
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/05LemonLDAPHandler
  29. 10
      root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/05LemonLDAPHandler
  30. 19
      root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/00header
  31. 5
      root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/05All
  32. 9
      root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/10configuration
  33. 11
      root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/15apply
  34. 10
      root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/20manager
  35. 6
      root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/25handler
  36. 3
      root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/30portal
  37. 6
      root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/05lemonsoap
  38. 30
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/000open
  39. 13
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/005global
  40. 17
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/010ldap
  41. 18
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/015soap
  42. 26
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/020auth
  43. 48
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/025localnet
  44. 10
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/030notifications
  45. 16
      root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/template-end
  46. 135
      smeserver-lemonldap-ng.spec

@ -0,0 +1,14 @@
#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
templates2events("/etc/lemonldap-ng/lemonldap-ng.ini", qw/webapps-update bootstrap-console-save/);
templates2events("/etc/lemonldap-ng/soap-htpasswd", qw/webapps-update bootstrap-console-save/);
event_link("lemonldap-init-domains", "webapps-update", "20");
foreach my $event (qw/webapps-update network-create network-delete bootstrap-ldap-save remoteaccess-update/){
event_link("lemonldap-update-conf", "$event", "25");
}
safe_touch("root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/template-begin");
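Review bot: `event_link("lemonldap-update-conf", "$event", "25")` at line 106 stringifies `$event` for no reason; `event_link('lemonldap-update-conf', $event, '25');` is the same call. The script relies on the shebang's `-w` alone and has no `use strict;`, which lemonldap-init-domains in this same commit does declare; adding `use strict; use warnings;` after the shebang keeps the build helper to the same standard as the actions it wires up.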

@ -0,0 +1,12 @@
{
my $mp = $DB->get('modPerl') || $DB->new_record("modPerl", { type => "service", status => "enabled" });
if ( ($mp->prop('status') || 'disabled') eq 'enabled'){
return "";
}
else{
$DB->set_prop('modPerl', 'status', 'enabled');
}
}
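Review bot: The fragment fetches `$mp` only to read its status and then writes through `$DB->set_prop('modPerl', 'status', 'enabled')` at line 117 instead of the record it already holds; `$mp->set_prop('status', 'enabled');` is shorter and cannot drift from the record `$mp` refers to. The `return ""` at line 114 buys nothing as far as I can tell (the fragment's value is discarded), so the whole thing collapses to `$mp->set_prop('status', 'enabled') unless (($mp->prop('status') || 'disabled') eq 'enabled');`. A one-line comment that this package turns mod_perl on system-wide because the LemonLDAP handler needs it would explain the side effect to the next reader.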

@ -0,0 +1,13 @@
{
my $rec = $DB->get('lemonldap')
|| $DB->new_record('lemonldap', {type => 'service'});
my $pw = $rec->prop('SoapPassword');
if (not $pw){
my $rand = `/usr/bin/openssl rand -base64 35 | tr -cd '[:alnum:]'`;
$rec->set_prop('SoapPassword', "$rand");
}
}
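Review bot: The backtick pipeline at line 127 is never checked, so if openssl or tr fails `$rand` is empty and an empty SoapPassword is stored, which the soap-htpasswd and lmConf/015soap templates then silently replace with the literal `secret`. Validate before saving, e.g. `die "openssl rand failed ($?)\n" if $? != 0 or $rand !~ /\A[[:alnum:]]{20,}\z/;` (the length bound is a sanity check, pick what fits), and `$rec->set_prop('SoapPassword', $rand);` needs no extra quoting. The pipeline interpolates no data, so the shell is acceptable here; only the missing error check matters.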

@ -0,0 +1,88 @@
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2010 Firewall-Services
# daniel@firewall-services.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Technical support for this program is available from Mitel Networks
# Please visit our web site www.mitel.com/sme/ for details.
#----------------------------------------------------------------------
use strict;
use warnings;
use esmith::DomainsDB;
use esmith::ConfigDB;
my $d = esmith::DomainsDB->open or die "Couldn't open DomainsDB\n";
my $c = esmith::ConfigDB->open_ro() or die "Couldn't open ConfigDB\n";
my $domain = $c->get('DomainName')->value;
my $vhost;
$vhost = $d->get("sso-manager.$domain");
if (!$vhost){
$d->new_record("sso-manager.$domain",{
type => 'domain',
Content => 'Primary',
Description => "LemonLDAP-NG Manager",
Nameservers => 'internet',
TemplatePath => 'LemonLDAPManager',
Removable => 'no',
});
unless ( system("/sbin/e-smith/signal-event", "domain-create", "sso-manager.$domain") == 0 ){
die "Failed to create domain sso-manager.$domain\n";
}
}
$vhost = $d->get("auth.$domain");
if (!$vhost){
$d->new_record("auth.$domain",{
type => 'domain',
Content => 'Primary',
Description => "LemonLDAP-NG Portal",
Nameservers => 'internet',
TemplatePath => 'LemonLDAPPortal',
Removable => 'no',
});
unless ( system("/sbin/e-smith/signal-event", "domain-create", "auth.$domain") == 0 ){
die "Failed to create domain auth.$domain\n";
}
}
$vhost = $d->get("soapsso.$domain");
if (!$vhost){
$d->new_record("soapsso.$domain",{
type => 'domain',
Content => 'Primary',
Description => "LemonLDAP-NG SOAP Handler",
Nameservers => 'internet',
TemplatePath => 'LemonLDAPSoap',
Removable => 'no',
});
unless ( system("/sbin/e-smith/signal-event", "domain-create", "soapsso.$domain") == 0 ){
die "Failed to create domain soapsso.$domain\n";
}
}
exit 0;
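Review bot: The three `$d->get` / `new_record` / `signal-event` stanzas at lines 163-204 differ only in hostname, description and template path, so a small table plus one loop says the same thing in a third of the lines and keeps the three in step when a field changes. `$c->get('DomainName')->value` at line 161 also assumes the record exists; `my $dn = $c->get('DomainName') or die "DomainName is not set\n"; my $domain = $dn->value;` fails with a readable message instead of an undefined-method error. The `system` calls already use the list form, which is the right choice for an argument built from the domain name.
```perl
my @vhosts = (
    [ "sso-manager.$domain", 'LemonLDAP-NG Manager',      'LemonLDAPManager' ],
    [ "auth.$domain",        'LemonLDAP-NG Portal',       'LemonLDAPPortal'  ],
    [ "soapsso.$domain",     'LemonLDAP-NG SOAP Handler', 'LemonLDAPSoap'    ],
);
for my $vh (@vhosts) {
    my ($name, $desc, $tpl) = @$vh;
    next if $d->get($name);    # already created on a previous run
    $d->new_record($name, {
        type         => 'domain',
        Content      => 'Primary',
        Description  => $desc,
        Nameservers  => 'internet',
        TemplatePath => $tpl,
        Removable    => 'no',
    });
    system('/sbin/e-smith/signal-event', 'domain-create', $name) == 0
        or die "Failed to create domain $name\n";
}
# … unchanged: exit 0; …
```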

@ -0,0 +1,43 @@
#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2011 Firewall-Services
# daniel@firewall-services.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Technical support for this program is available from Mitel Networks
# Please visit our web site www.mitel.com/sme/ for details.
#----------------------------------------------------------------------
use esmith::ConfigDB;
use esmith::templates;
my $c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
my $llng = $c->get('lemonldap');
my $status = $llng->prop('status') || 'disabled';
my $manual = $llng->prop('ManualConf') || 'disabled';
# Don't touch the configuration if it's set to be manual
# or if the service is disabled
exit (0) if ($manual eq 'enabled' or $status ne 'enabled');
processTemplate(
{
TEMPLATE_PATH => "/var/lib/lemonldap-ng/conf/lmConf",
OUTPUT_FILENAME => "/var/lib/lemonldap-ng/conf/lmConf",
});
exit (0);
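Review bot: `$c->get('lemonldap')` at line 233 is unchecked, so a missing record surfaces as `Can't call method "prop" on an undefined value` from line 234 rather than a readable error; `my $llng = $c->get('lemonldap') or die "No lemonldap record in ConfigDB\n";`. The script also lacks `use strict;` (the shebang's `-w` only covers warnings), unlike its sibling lemonldap-init-domains, and `use warnings;` would make the intent explicit. The existing comment at lines 236-237 is good; a similar one-liner above `processTemplate` saying that lmConf is only a dummy output and the real write happens inside the template's `saveConf` would save a trip to the template directory.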

@ -0,0 +1,32 @@
#====================================================================
# Apache configuration for LemonLDAP::NG Handler
#====================================================================
# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
# Common error page and security parameters
#ErrorDocument 403 http://auth.{$DomainName}/?lmError=403
#ErrorDocument 500 http://auth.{$DomainName}/?lmError=500
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<Location /lm-reload>
SSLRequireSSL on
Order deny,allow
Deny from all
Allow from {"$localAccess $externalSSLAccess";}
PerlHeaderParserHandler My::Package->refresh
</Location>
# Uncomment this to activate status module
#<Location /status>
# Order deny,allow
# Deny from all
# Allow from 127.0.0.0/8
# PerlHeaderParserHandler My::Package->status
#</Location>
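Review bot: `SSLRequireSSL on` at line 260 looks wrong: as far as I know mod_ssl's `SSLRequireSSL` takes no argument and httpd refuses to start when one is given, so unless this has been verified on the target Apache the line should be `SSLRequireSSL`. The `Allow from {"$localAccess $externalSSLAccess";}` line yields a bare `Allow from` if both template variables expand empty, which is also a configuration error; the template should guard that case rather than rely on the variables never being empty. Judging by its path this fragment lives in httpd.conf outside any VirtualHost, so the `/lm-reload` Location presumably applies to every vhost on the host; a comment saying so above line 259 would help whoever later adds a vhost that must not expose it.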

@ -0,0 +1,10 @@
{
use esmith::DomainsDB;
# Convert the passed hash for the domain object back into an object.
$domain = bless \%domain, 'esmith::DB::db::Record';
# Make scalars from some of the properties of the domain
$virtualHost = $domain->key;
$OUT = "";
}

@ -0,0 +1,105 @@
{
use esmith::util;
if ( $port ne ($modSSL{'TCPPort'} || '443')){
$OUT .=<<"EOF";
#====================================================================
# HTTPS redirection for LemonLDAP::NG Manager
#====================================================================
RewriteEngine on
RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
EOF
}
else{
my $authtype = $lemonldap{'ManagerAuth'} || 'basic';
my $auth = '';
my $base = esmith::util::ldapBase($DomainName);
unless ( $authtype eq 'self' ) {
$auth = "AuthName 'LemonLDAP NG Manager Interface'\n" .
" AuthType Basic\n" .
" AuthBasicProvider ldap\n" .
" AuthLDAPURL ldap://localhost/ou=Users,$base?uid\n" .
" AuthLDAPGroupAttribute memberUid\n" .
" AuthLDAPGroupAttributeIsDN off\n" .
" require ldap-user admin";
}
$OUT .=<<"EOF";
SSLEngine On
PerlOptions +Parent
#====================================================================
# Apache configuration for LemonLDAP::NG Manager
#====================================================================
# DocumentRoot
DocumentRoot /var/lib/lemonldap-ng/manager/
<Directory /var/lib/lemonldap-ng/manager/>
Order deny,allow
Deny from all
Allow from $localAccess $externalSSLAccess
Options +ExecCGI +FollowSymlinks
$auth
Satisfy all
</Directory>
# On-line documentation
Alias /doc/ /var/lib/lemonldap-ng/doc/
Alias /lib/ /var/lib/lemonldap-ng/doc/lib/
<Directory /var/lib/lemonldap-ng/doc/>
Order deny,allow
Allow from all
ErrorDocument 404 /notfound.html
Options +FollowSymlinks
DirectoryIndex index.pl index.html
</Directory>
# Perl script
# Note: to avoid manager stay in memory, we don't use ModPerl::Registry
# by default. Change this to increase manager performances
<Files *.pl>
#SetHandler cgi-script
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
</Files>
# Directory index
<IfModule mod_dir.c>
DirectoryIndex index.pl index.html
</IfModule>
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
<Location /doc/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
<Location /skins/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
EOF
}
}
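Review bot: `AuthLDAPGroupAttribute memberUid` and `AuthLDAPGroupAttributeIsDN off` at lines 305-306 are dead configuration: the only requirement emitted is `require ldap-user admin`, and those two directives only affect `require ldap-group`, so either drop them or add a comment saying why they are kept. A comment on line 297 such as `# 'self' delegates protection to LemonLDAP::NG (protection = manager in lemonldap-ng.ini); anything else uses Apache Basic auth against LDAP, admin only` would spare the next reader the cross-file lookup. `AuthBasicProvider ldap` presumes mod_authnz_ldap is loaded, which nothing in this package visibly ensures; the `Allow from $localAccess $externalSSLAccess` line at 320 has the same bare-`Allow from` risk as the handler fragment when both variables expand empty.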

@ -0,0 +1,10 @@
{
use esmith::DomainsDB;
# Convert the passed hash for the domain object back into an object.
$domain = bless \%domain, 'esmith::DB::db::Record';
# Make scalars from some of the properties of the domain
$virtualHost = $domain->key;
$OUT = "";
}

@ -0,0 +1,116 @@
{
use esmith::AccountsDB;
my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
if ( $port ne ($modSSL{'TCPPort'} || '443')){
$OUT .=<<"EOF";
#====================================================================
# HTTPS redirection for LemonLDAP::NG Portal
#====================================================================
RewriteEngine on
RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
EOF
}
else{
# SSL Authentication
my $SSLAuth = $lemonldap{'SSLAuth'} || 'disabled';
my $sslDirectives = ' # SSL Auth is disabled';
if ((-e '/etc/pki/tls/certs/cacert.pem') &&
($SSLAuth =~ m/^(require)|(optional)$/)) {
$sslDirectives =<<"HERE";
<LocationMatch "^/(\$|\\?url=.*|cas/login.*)">
SSLVerifyClient $SSLAuth
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SSLUserName SSL_CLIENT_S_DN_CN
</LocationMatch>
HERE
}
$OUT .=<<"EOF";
SSLEngine On
PerlOptions +Parent
#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#====================================================================
# DocumentRoot
DocumentRoot /var/lib/lemonldap-ng/portal/
<Perl>
require Lemonldap::NG::Portal::SharedConf;
Lemonldap::NG::Portal::SharedConf->compile(
qw(delete header cache read_from_client cookie redirect unescapeHTML));
# Uncomment this line if you use Lemonldap::NG menu
require Lemonldap::NG::Portal::Menu;
</Perl>
<Directory /var/lib/lemonldap-ng/portal/>
Order allow,deny
Allow from all
Options +ExecCGI +FollowSymlinks
</Directory>
$sslDirectives
# Perl script
<Files *.pl>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
</Files>
<IfModule mod_dir.c>
DirectoryIndex index.pl index.html
</IfModule>
# SAML2 Issuer
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/saml/metadata /metadata.pl
RewriteRule ^/saml/.* /index.pl
</IfModule>
# CAS Issuer
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/cas/.* /index.pl
</IfModule>
# OpenID Issuer
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/openidserver/.* /index.pl
</IfModule>
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
<Location /skins/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
EOF
}
}
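Review bot: The alternation in `$SSLAuth =~ m/^(require)|(optional)$/` at line 404 binds looser than the anchors, so the pattern means `^require` or `optional$` and a value such as `requireX` passes the check and is interpolated verbatim into `SSLVerifyClient`; write `$SSLAuth =~ m/\A(?:require|optional)\z/`. `my $a` at line 389 is never used and masks the package variable `sort` relies on; drop it (the same line appears at the top of the SOAP vhost fragment). Separately, lmConf/015soap turns `Soap` on in the shared configuration while only the soapsso vhost carries the `Deny from all` Location blocks for `/index.pl/sessions`, `/index.pl/adminSessions`, `/index.pl/config` and `/index.pl/notification`; if the portal code answers those SOAP paths on every vhost it runs under (I believe it does, but have not verified for this version), the same blocks belong in this vhost too.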

@ -0,0 +1,10 @@
{
use esmith::DomainsDB;
# Convert the passed hash for the domain object back into an object.
$domain = bless \%domain, 'esmith::DB::db::Record';
# Make scalars from some of the properties of the domain
$virtualHost = $domain->key;
$OUT = "";
}

@ -0,0 +1,119 @@
{
use esmith::AccountsDB;
my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
if ( $port ne ($modSSL{'TCPPort'} || '443')){
$OUT .=<<"EOF";
#====================================================================
# HTTPS redirection for LemonLDAP::NG Portal
#====================================================================
RewriteEngine on
RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
EOF
}
else{
my $soapAllow = join (" ", split(/[;,]/, ($lemonldap{'SoapAllowFrom'} || '')));
$soapAllow = ( $soapAllow eq '' ) ? '' : "Allow from $soapAllow\n ";
my $soapPassword = $lemonldap{'SoapPassword'} || '';
$soapAllow .= ($soapPassword eq '') ? '' :
'AuthName "LemonLDAP SOAP interface"' . "\n " .
'AuthType Basic' . "\n " .
'AuthBasicProvider file' . "\n " .
'AuthUserFile /etc/lemonldap-ng/soap-htpasswd' . "\n " .
'Require valid-user' . "\n " .
'Satisfy all';
$OUT .=<<"EOF";
SSLEngine On
PerlOptions +Parent
#====================================================================
# Apache configuration for LemonLDAP::NG Portal
#====================================================================
# DocumentRoot
DocumentRoot /var/lib/lemonldap-ng/portal/
<Perl>
require Lemonldap::NG::Portal::SharedConf;
Lemonldap::NG::Portal::SharedConf->compile(
qw(delete header cache read_from_client cookie redirect unescapeHTML));
# Uncomment this line if you use portal SOAP capabilities
require SOAP::Lite;
</Perl>
<Directory /var/lib/lemonldap-ng/portal/>
Order allow,deny
Allow from all
Options +ExecCGI +FollowSymlinks
</Directory>
# Perl script
<Files *.pl>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
</Files>
<IfModule mod_dir.c>
DirectoryIndex index.pl index.html
</IfModule>
# SOAP functions for sessions management (disabled by default)
<Location /index.pl/adminSessions>
Order deny,allow
Deny from all
$soapAllow
</Location>
# SOAP functions for sessions access (disabled by default)
<Location /index.pl/sessions>
Order deny,allow
Deny from all
$soapAllow
</Location>
# SOAP functions for configuration access (disabled by default)
<Location /index.pl/config>
Order deny,allow
Deny from all
$soapAllow
</Location>
# SOAP functions for notification insertion (disabled by default)
<Location /index.pl/notification>
Order deny,allow
Deny from all
$soapAllow
</Location>
<Location />
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
</IfModule>
<IfModule mod_headers.c>
Header append Vary User-Agent env=!dont-vary
</IfModule>
</Location>
<Location /skins/>
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"
</IfModule>
</Location>
EOF
}
}
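Review bot: The banner at line 520 still reads `Apache configuration for LemonLDAP::NG Portal`; this is the SOAP vhost, so `# Apache configuration for LemonLDAP::NG SOAP endpoints`. When `SoapAllowFrom` is set but `SoapPassword` is empty, `$soapAllow` (lines 506-515) reduces to the `Allow from` line and the four `/index.pl/...` Locations, including `/index.pl/config` which hands out the whole configuration, are then guarded by source address alone; adding `$soapAllow = '' if $soapPassword eq '';` just before the `.=` at line 509 keeps `Deny from all` in force unless both a host list and a password exist. The migrate fragment normally generates the password, so this is a belt-and-braces check, but it is cheap. `my $a` at line 495 is unused and masks the `sort` variable, as in the portal fragment.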

@ -0,0 +1,10 @@
{
if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){
$OUT .= " # This virtualhost is configured to be protected by LemonLDAP NG\n" .
" PerlHeaderParserHandler My::Package\n" .
" ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
" ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
}
}

@ -0,0 +1,10 @@
{
if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){
$OUT .= " # This virtualhost is configured to be protected by LemonLDAP NG\n" .
" PerlHeaderParserHandler My::Package\n" .
" ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
" ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
}
}

@ -0,0 +1,19 @@
#==============================================================================
# LemonLDAP::NG local configuration parameters
#
# This file is dedicated to configuration parameters override
# You can set here configuration parameters that will be used only by
# local LemonLDAP::NG elements
#
# Section "all" is always read first before "portal", "handler"
# and "manager"
#
# Section "configuration" is used to load global configuration and set cache
# (replace old storage.conf file)
#
# Section "apply" is read by Manager to reload handlers
# (replace old apply.conf file)
#
# Other section are only read by the specific LemonLDAP::NG component
#==============================================================================

@ -0,0 +1,5 @@
[all]
globalStorage = Apache::Session::File
globalStorageOptions = \{ 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', \}

@ -0,0 +1,9 @@
[configuration]
type=File
dirName = /var/lib/lemonldap-ng/conf
localStorage=Cache::FileCache
localStorageOptions=\{ 'namespace' => 'localcache', 'default_expires_in' => 600, 'directory_umask' => '007', 'cache_root' => '/var/cache/lemonldap-ng', 'cache_depth' => 5, \}

@ -0,0 +1,11 @@
[apply]
{"$SystemName.$DomainName";} = https://{"$SystemName.$DomainName";}/lm-reload
{
foreach my $srv (split(/[;,]/, ($lemonldap{'Reload'} || ''))){
my ($name,$url) = split(/=/, $srv);
$OUT .= "$name = $url\n";
}
}
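Review bot: `split(/=/, $srv)` at line 648 splits on every `=`, so a reload URL carrying a query string (`name=https://host/lm-reload?x=1`) loses everything after the second `=`; `my ($name, $url) = split(/=/, $srv, 2);` keeps the URL intact. An entry with no `=` leaves `$url` undef and prints `name = ` plus a warning; `next unless defined $url and $url ne '';` before line 649 keeps the ini clean. A short comment describing the expected `Reload` format (`name=url` pairs separated by `;` or `,`) would document the contract the split encodes.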

@ -0,0 +1,10 @@
[manager]
{
$OUT .= (($lemonldap{'ManagerAuth'} || 'basic') eq 'self') ?
'protection = manager' : '';
}
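Review bot: When `ManagerAuth` is anything other than `self` this emits an empty `[manager]` section, and the manager's only protection is then the Apache Basic/LDAP block in the LemonLDAPManager vhost template; that cross-file dependency deserves a comment here, e.g. `# protection = manager lets LemonLDAP::NG guard the manager itself; for any other ManagerAuth value the Apache vhost enforces Basic auth against LDAP`. The trailing `[sessionsExplorer]` header at line 659 is left empty, which the ini parser tolerates but reads like a leftover; either populate it or comment on why it is there.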
[sessionsExplorer]

@ -0,0 +1,6 @@
[handler]
https = 1
status = 0
useRedirectOnError = 1

@ -0,0 +1,6 @@
{
my $pw = $lemonldap{'SoapPassword'} || 'secret';
my $res = `/usr/bin/htpasswd -bnm lemonsoap $pw`;
chomp($res);
$OUT .= $res;
}
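Review bot: Line 670 hands the SOAP password to a shell through backticks, so a value containing shell metacharacters (the migrate fragment restricts it to alphanumerics, but nothing stops an administrator setting another) breaks or alters the command, and the result is used without looking at `$?`. The `'secret'` fallback on line 669 is the same known default that lmConf/015soap uses, so an unset password silently yields a working, guessable credential; failing the template is safer. A list-form pipe open removes the shell from the picture; the password still appears on the htpasswd command line because of `-b`, which is inherent to that flag on this Apache version.
```perl
{
    my $pw = $lemonldap{'SoapPassword'}
        or die "SoapPassword is not set; the lemonldap-soappasswd migrate fragment should have generated it\n";
    # List form: no shell parses $pw, so metacharacters cannot break or alter the command.
    open my $ht, '-|', '/usr/bin/htpasswd', '-bnm', 'lemonsoap', $pw
        or die "Cannot run htpasswd: $!\n";
    my $res = do { local $/; <$ht> };
    close $ht or die "htpasswd exited with status $?\n";
    chomp $res;
    $OUT .= $res;
}
```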

@ -0,0 +1,30 @@
{
use esmith::ConfigDB;
use esmith::DomainsDB;
use esmith::NetworksDB;
use esmith::util;
use Lemonldap::NG::Common::Conf;
$c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
$d = esmith::DomainsDB->open_ro or die "Error opening DomainsDB\n";
$n = esmith::NetworksDB->open_ro or die "Error opening NetworksDB\n";
$domain = $c->get('DomainName')->value;
$base = esmith::util::ldapBase ($domain);
$ldap = $c->get('ldap') || die "Error reading ldap service entry\n";
$port = $ldap->prop('TCPPort') || '389';
$llng = $c->get('lemonldap');
$manual = $llng->prop('ManualConf') || 'disabled';
$confAccess = new Lemonldap::NG::Common::Conf(
{
type=>'File',
dirName=>"/var/lib/lemonldap-ng/conf",
},
) or die "Unable to build Lemonldap::NG::Common::Conf, see Apache logs\n";
$conf = $confAccess->getConf();
$OUT = '';
}
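Review bot: `new Lemonldap::NG::Common::Conf(...)` at line 691 is indirect-object syntax, which parses differently if a sub named `new` ever becomes visible in the template package; `$confAccess = Lemonldap::NG::Common::Conf->new({ type => 'File', dirName => '/var/lib/lemonldap-ng/conf' }) or die "...";`. `$conf = $confAccess->getConf();` at line 697 is unchecked: if it returns undef (which I believe it does on a read error), every later `$conf->{...}` assignment autovivifies an empty hash and template-end's `saveConf` then persists a configuration stripped of everything these fragments do not set, so `$conf = $confAccess->getConf() or die "Unable to read LemonLDAP::NG configuration\n";`. `$llng = $c->get('lemonldap')` at line 689 has the same unchecked shape that `$ldap` one line above does guard against.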

@ -0,0 +1,13 @@
{
# Global parameters
$conf->{'grantSessionRule'} = '$groups =~ /\\bshared\\b/';
$conf->{'domain'} = "$domain";
$conf->{'portal'} = "https://auth.$domain/";
$conf->{'storePassword'} = '0';
$conf->{'portalUserAttr'} = 'cn' if (($conf->{'portalUserAttr'} || '_user') eq "_user");
$conf->{'portalDisplayChangePassword'} = '0';
$OUT .= '';
}
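Review bot: `grantSessionRule = '$groups =~ /\\bshared\\b/'` at line 704 refuses a session to every user who is not in a group named `shared`, and nothing here says where that group comes from; a comment such as `# Only members of the 'shared' group may open an SSO session — TODO name the SME group this maps to` would stop the next reader from treating it as a typo. The `portalUserAttr` line at 708 is the only conditional assignment in the fragment and would also benefit from a why-comment; it seems intended to leave an administrator-chosen value alone, but that is an inference.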

@ -0,0 +1,17 @@
{
# LDAP parameters
$conf->{'passwordDB'} = 'LDAP';
$conf->{'userDB'} = 'LDAP';
$conf->{'ldapServer'} = 'localhost';
$conf->{'ldapPort'} = "$port";
$conf->{'ldapVersion'} = '3';
$conf->{'ldapBase'} = "ou=Users,$base";
$conf->{'ldapGroupBase'} = "ou=Groups,$base";
$conf->{'ldapGroupAttributeNameUser'} = 'uid';
$conf->{'ldapGroupAttributeNameSearch'} = 'cn';
$conf->{'ldapGroupAttributeName'} = 'memberUid';
$conf->{'ldapGroupObjectClass'} = 'mailboxRelatedObject';
$OUT .= '';
}

@ -0,0 +1,18 @@
{
# SOAP
if (($llng->prop('SoapAllowFrom') || '') ne ''){
my $password = $llng->prop('SoapPassword') || 'secret';
$conf->{'Soap'} = '1';
$conf->{'globalStorage'} = 'Lemonldap::NG::Common::Apache::Session::SOAP';
$conf->{'globalStorageOptions'} = {
proxy => "https://lemonsoap:$password\@soapsso.$domain/index.pl/sessions"
};
}
else {
$conf->{'Soap'} = '0';
}
$OUT = '';
}
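Review bot: The SOAP session backend is switched on solely because `SoapAllowFrom` is non-empty, and line 734 then falls back to the literal `secret` when `SoapPassword` is unset, so the proxy URL on line 738 can carry a well-known credential; `my $password = $llng->prop('SoapPassword') or die "SoapAllowFrom is set but SoapPassword is empty\n";`. That URL embeds the password in clear text inside the saved configuration, so the 0660 www:www mode applied in template-end is what keeps it private and is worth a comment here. Whether the SOAP client verifies the soapsso.$domain certificate for that `https://` proxy is not visible from this fragment; worth confirming.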

@ -0,0 +1,26 @@
{
# SSL Auth
my $ssl = $llng->prop('SSLAuth') || '';
if ($ssl eq 'optional' || $ssl eq 'require'){
# SSL Auth is enabled
# Configure common attributes
$conf->{'SSLLDAPField'} = 'uid';
$conf->{'SSLVar'} = 'SSL_CLIENT_S_DN_CN';
$conf->{'SSLRequire'} = '1';
if ($ssl eq 'optional'){
$conf->{'authentication'} = 'Multi SSL;LDAP';
}
else{
$conf->{'authentication'} = 'SSL';
}
}
else{
$conf->{'authentication'} = 'LDAP';
}
$OUT = '';
}
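Review bot: `SSLVar = SSL_CLIENT_S_DN_CN` together with `SSLLDAPField = uid` (lines 754-755) means the CN of any client certificate Apache accepts is looked up directly as a uid, so whoever can obtain a certificate under the configured CA with CN=admin is admin; a comment stating that identity is delegated to the CA's issuance policy would make that design choice explicit. `SSLRequire = '1'` is set for both the `optional` and `require` branches, and how that interacts with the `Multi SSL;LDAP` fallback is not obvious from the fragment; a one-line comment on why it is unconditional would help.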

@ -0,0 +1,48 @@
{
my $reg = '$ipAddr =~ /^';
my $count = 0;
# Build a regexp to check if the client IP
# is part of a local network
# Then, we can easily use this macro to restrict
# access to local networks on some applications
foreach my $net ($n->networks){
my $addr = $net->key;
my $mask = $net->prop('Mask') || '255.255.255.255';
$reg .= '|' if ($count > 0);
foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
$reg .= "($_)";
$count++;
}
}
$reg .= '/';
$reg =~ s/\./\\\./g;
$conf->{'macros'}->{'localAccess'} = '(' . $reg . ") ? '1':'0'";
$reg = '$ipAddr =~ /^';
$count = 0;
# Do the same for extenal SSL access
foreach my $net (split(/[;,]/,(${'httpd-admin'}{'ValidFrom'} || ''))){
my ($addr,$mask) = split(/\//,$net);
$reg .= '|' if ($count > 0);
foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
$reg .= "($_)";
$count++;
}
}
$reg .= '/';
$reg =~ s/\./\\\./g;
$conf->{'macros'}->{'externalSSLAccess'} = '(' . $reg . ") ? '1':'0'";
$OUT = '';
}
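Review bot: When no prefix is collected (`$count` stays 0, e.g. an empty `ValidFrom` for httpd-admin at line 793), `$reg` ends up as `$ipAddr =~ /^/`, which matches every address, so the `externalSSLAccess` macro evaluates to `'1'` for every client, and `localAccess` would do the same with an empty networks list. Emit a constant-false macro in that case: `$conf->{'macros'}->{'externalSSLAccess'} = $count ? '(' . $reg . ") ? '1':'0'" : "'0'";` and the same for `localAccess` at line 789. `split(/\//, $net)` on line 794 also leaves `$mask` undef for an entry without a slash; `$mask ||= '255.255.255.255';` mirrors the default used at line 780, assuming `computeAllLocalNetworkPrefixes` treats that as a single host as it appears to there.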

@ -0,0 +1,10 @@
{
if (($conf->{'notification'} || '0') eq '1'){
$conf->{'notificationStorage'} = 'File';
$conf->{'notificationStorageOptions'} = {
'dirName' => '/var/lib/lemonldap-ng/notifications'
},
}
}
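Review bot: The statement at lines 811-813 ends in `},` instead of `};` — Perl tolerates the trailing comma, but it reads like an unfinished list and should be `};`. Every other lmConf fragment ends with `$OUT = '';`; without it the block's own value becomes the fragment output, so `$OUT = '';` before the closing brace keeps the dummy lmConf file free of a stray `HASH(0x...)` when notifications are on. A comment that `/var/lib/lemonldap-ng/notifications` is created by the spec with mode 0770 root:www would tie the two files together.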

@ -0,0 +1,16 @@
{
# Now, update the configuration
my $num = $confAccess->saveConf($conf);
if ($num > 0){
esmith::util::chownFile('www', 'www', "/var/lib/lemonldap-ng/conf/lmConf-$num");
chmod 0660, "/var/lib/lemonldap-ng/conf/lmConf-$num";
}
else {
die "An error occured saving LemonLDAP::NG configuration: $num\n";
}
$OUT = '# This is just a dummy config file';
}
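Review bot: `chmod 0660, ...` at line 823 is unchecked; with `my $file = "/var/lib/lemonldap-ng/conf/lmConf-$num";` shared by both calls, `chmod 0660, $file or die "chmod $file: $!\n";` fails loudly instead of leaving the SOAP password readable. That file is written by `saveConf` before the chown/chmod, so there is a window where it carries whatever mode the library created it with; `umask 077;` at the top of the block before `saveConf` would close it if the library honours umask, which I have not checked. The `lmConf-$num` naming is an assumption about the File backend's layout; a comment saying so would help whoever upgrades LemonLDAP::NG.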

@ -0,0 +1,135 @@
# Authority: vip-ire
# Name: Daniel Berteaud
Summary: LemonLDAP NG is a web SSO solution
%define name smeserver-lemonldap-ng
Name: %{name}
%define version 0.2.0
%define release 1
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: SME Server
Source: %{name}-%{version}.tar.gz
BuildArchitectures: noarch
BuildRequires: e-smith-devtools
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
Requires: e-smith-base >= 5.2.0-56
Requires: e-smith-ldap
Requires: smeserver-webapps-common >= 0.1-8
Requires: lemonldap-ng
%description
This package contains all the needed scripts and templates
to run LemonLDAP NG on your SME Server. It uses LDAP as authentication source
but can also use SSL auth (either optional with a fallback to LDAP, or SSL required)
%changelog
* Wed Jun 20 2012 Daniel Berteaud <daniel@firewall-services.com> 0.2.0-1.sme
- Import in GIT
* Mon Dec 19 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-22.sme
- Change SSL Auth to work with LocationMatch, so CAS proxy can work with
SSL Auth enabled
* Wed Jul 13 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-21.sme
- Disable password reset form
* Wed Jul 13 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-20.sme
- Fix uninitilized values in lemonldap conf templates
* Mon Jul 11 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-19.sme
- reserve /lm-reload
* Sun Jul 10 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-18.sme
- Fix notification check
* Sat Jul 09 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-17.sme
- Don't force notifications on
* Fri Jul 08 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-16.sme
- Enable and configure notifications
* Thu Jun 30 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-15.sme
- Manage some configuration from the DB
* Fri Mar 11 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-14.sme
- Make LemonLDAP compatible with ocsinventory-ng
* Mon Mar 7 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-13.sme
- Add support for SSL Auth on the portal
- Use a separated vhost for SOAP requests
* Tue Feb 1 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-12.sme
- Requires recent version of smeserver-webapps-common
- Switch to LDAP based auth to protect the manager
* Tue Jan 25 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-11.sme
- Fix a spacing issue in httpd templates
* Fri Jan 21 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-10.sme
- Add SSLEngine directives in https virtualhosts
* Fri Jan 21 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-9.sme
- Fix empty SoapPassword
* Thu Jan 06 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-8.sme
- Fix Soap ressources authentication
* Tue Jan 03 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-7.sme
- Run the manager as a perl script (instead of CGI mode)
* Tue Jan 03 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-6.sme
- Use https links for error pages
* Tue Dec 30 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-5.sme
- use only alphanumeric characters for soap password
- use htpasswd to hash the password
* Tue Dec 28 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-4.sme
- don't load mod_auth_external if not needed
- move cache dir in /var/cache
- Fix several hosts listed in SoapAllowFrom
* Fri Dec 24 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-3.sme
- Use htpasswd file to protect SOAP services
- Configure session storage in lemonldap-ng.ini
- Support additionnal server reload URL
* Fri Dec 17 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-2.sme
- Let the manager be self-protected if ManagerAuth eq self
* Wed Dec 16 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-1.sme
- initial public release
%prep
%setup -q -n %{name}-%{version}
%build
perl createlinks
%{__mkdir_p} root/var/cache/lemonldap-ng
%{__mkdir_p} root/var/lib/lemonldap-ng/notifications
%install
/bin/rm -rf $RPM_BUILD_ROOT
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
/bin/rm -f %{name}-%{version}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--dir /var/cache/lemonldap-ng 'attr(0770,root,www)' \
--dir /var/lib/lemonldap-ng/notifications 'attr(0770,root,www)' \
> %{name}-%{version}-filelist
%files -f %{name}-%{version}-filelist
%defattr(-,root,root)
%clean
rm -rf $RPM_BUILD_ROOT
%post
%preun
true