commit
6351a4e526
46 changed files with 1001 additions and 0 deletions
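--- /dev/null
+++ b/createlinks
@@ -0,0 +1,14 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+templates2events("/etc/lemonldap-ng/lemonldap-ng.ini", qw/webapps-update bootstrap-console-save/);
+templates2events("/etc/lemonldap-ng/soap-htpasswd", qw/webapps-update bootstrap-console-save/);
+
+event_link("lemonldap-init-domains", "webapps-update", "20");
+foreach my $event (qw/webapps-update network-create network-delete bootstrap-ldap-save remoteaccess-update/){
+event_link("lemonldap-update-conf", "$event", "25");
+}
+
+safe_touch("root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/template-begin");
+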
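Review bot: The event list for lemonldap-update-conf is not self-explanatory; network-create, network-delete and remoteaccess-update are there because the lmConf template derives its localAccess/externalSSLAccess macros from the networks DB and from httpd-admin ValidFrom, so add above the foreach: `# lmConf embeds the local networks and httpd-admin ValidFrom in its access macros, so rebuild it whenever those change`. Note also that the two templates2events calls only expand lemonldap-ng.ini and soap-htpasswd on webapps-update and bootstrap-console-save, so a SoapPassword change is not pushed into soap-htpasswd by the other events in the list; if that is intended, a one-line comment saying "run webapps-update after changing SoapPassword" would save the next maintainer a surprise.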
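@@ -0,0 +1 @@
+url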
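@@ -0,0 +1 @@
+enabled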
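@@ -0,0 +1 @@
+service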
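@@ -0,0 +1,12 @@
+{
+
+my $mp = $DB->get('modPerl') || $DB->new_record("modPerl", { type => "service", status => "enabled" });
+
+if ( ($mp->prop('status') || 'disabled') eq 'enabled'){
+return "";
+}
+else{
+$DB->set_prop('modPerl', 'status', 'enabled');
+}
+
+}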
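Review bot: This migrate fragment turns the modPerl service on unconditionally, even when the lemonldap service is disabled or was never configured, so mod_perl ends up loaded into every Apache vhost on a box that may not use the SSO at all; the update-conf action later checks the lemonldap status before touching anything, and a similar gate here would keep the attack surface proportional, e.g. `my $llng = $DB->get('lemonldap'); return "" unless (($llng && $llng->prop('status')) || 'disabled') eq 'enabled';` — unless mod_perl is wanted regardless, in which case a comment saying so is enough. Minor: `$mp` already holds the record, so `$mp->set_prop('status', 'enabled');` reads better than re-looking it up by key.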
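@@ -0,0 +1,13 @@
+{
+
+my $rec = $DB->get('lemonldap')
+|| $DB->new_record('lemonldap', {type => 'service'});
+
+my $pw = $rec->prop('SoapPassword');
+
+if (not $pw){
+my $rand = `/usr/bin/openssl rand -base64 35 | tr -cd '[:alnum:]'`;
+$rec->set_prop('SoapPassword', "$rand");
+}
+
+}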
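Review bot: The openssl pipeline's result is stored without any check, so if openssl or tr fails (missing binary, exit status ignored) `$rand` is the empty string and SoapPassword is set to `""`; the templates that consume it then fall back to the literal `'secret'` as the SOAP credential, which is the worst possible outcome for a silent failure. Only store a value that looks like a generated password: `if ($? == 0 && $rand =~ /\A[[:alnum:]]{20,}\z/) { $rec->set_prop('SoapPassword', $rand); } else { warn "Unable to generate SoapPassword\n"; }`. The backtick command has no interpolated input, so the shell use itself is fine here.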
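@@ -0,0 +1,88 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall-Services
+# daniel@firewall-services.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+use strict;
+use warnings;
+use esmith::DomainsDB;
+use esmith::ConfigDB;
+
+my $d = esmith::DomainsDB->open or die "Couldn't open DomainsDB\n";
+my $c = esmith::ConfigDB->open_ro() or die "Couldn't open ConfigDB\n";
+
+my $domain = $c->get('DomainName')->value;
+my $vhost;
+
+$vhost = $d->get("sso-manager.$domain");
+
+if (!$vhost){
+$d->new_record("sso-manager.$domain",{
+type => 'domain',
+Content => 'Primary',
+Description => "LemonLDAP-NG Manager",
+Nameservers => 'internet',
+TemplatePath => 'LemonLDAPManager',
+Removable => 'no',
+});
+
+unless ( system("/sbin/e-smith/signal-event", "domain-create", "sso-manager.$domain") == 0 ){
+die "Failed to create domain sso-manager.$domain\n";
+}
+}
+
+$vhost = $d->get("auth.$domain");
+
+if (!$vhost){
+$d->new_record("auth.$domain",{
+type => 'domain',
+Content => 'Primary',
+Description => "LemonLDAP-NG Portal",
+Nameservers => 'internet',
+TemplatePath => 'LemonLDAPPortal',
+Removable => 'no',
+});
+
+unless ( system("/sbin/e-smith/signal-event", "domain-create", "auth.$domain") == 0 ){
+die "Failed to create domain auth.$domain\n";
+}
+}
+
+$vhost = $d->get("soapsso.$domain");
+
+if (!$vhost){
+$d->new_record("soapsso.$domain",{
+type => 'domain',
+Content => 'Primary',
+Description => "LemonLDAP-NG SOAP Handler",
+Nameservers => 'internet',
+TemplatePath => 'LemonLDAPSoap',
+Removable => 'no',
+});
+
+unless ( system("/sbin/e-smith/signal-event", "domain-create", "soapsso.$domain") == 0 ){
+die "Failed to create domain soapsso.$domain\n";
+}
+}
+
+
+exit 0;
+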
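Review bot: The three vhost blocks are copy-pasted with only the host label, description and TemplatePath differing, and in each the return value of `new_record` is discarded, so a failed DB write is followed by a domain-create event for a domain that does not exist. A small table plus one loop keeps the behaviour (list-form `system`, `die` on a failed event) and adds the missing check; this assumes `new_record` returns false on failure as esmith::DB does for existing keys — verify against the installed e-smith-lib. The list-form `system` calls are the right shape and need no change.
```perl
my $domain = $c->get('DomainName')->value;

# (host label, Description, TemplatePath) for each vhost the SSO needs
my @vhosts = (
    [ 'sso-manager', 'LemonLDAP-NG Manager',      'LemonLDAPManager' ],
    [ 'auth',        'LemonLDAP-NG Portal',       'LemonLDAPPortal'  ],
    [ 'soapsso',     'LemonLDAP-NG SOAP Handler', 'LemonLDAPSoap'    ],
);

for my $v (@vhosts) {
    my ($label, $desc, $tmpl) = @$v;
    my $name = "$label.$domain";
    next if $d->get($name);
    $d->new_record($name, {
        type         => 'domain',
        Content      => 'Primary',
        Description  => $desc,
        Nameservers  => 'internet',
        TemplatePath => $tmpl,
        Removable    => 'no',
    }) or die "Failed to add $name to DomainsDB\n";
    system('/sbin/e-smith/signal-event', 'domain-create', $name) == 0
        or die "Failed to create domain $name\n";
}
# … unchanged: exit 0 …
```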
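@@ -0,0 +1,43 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2011 Firewall-Services
+# daniel@firewall-services.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Technical support for this program is available from Mitel Networks
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+use esmith::ConfigDB;
+use esmith::templates;
+
+my $c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
+my $llng = $c->get('lemonldap');
+
+my $status = $llng->prop('status') || 'disabled';
+my $manual = $llng->prop('ManualConf') || 'disabled';
+
+# Don't touch the configuration if it's set to be manual
+# or if the service is disabled
+exit (0) if ($manual eq 'enabled' or $status ne 'enabled');
+
+processTemplate(
+{
+TEMPLATE_PATH => "/var/lib/lemonldap-ng/conf/lmConf",
+OUTPUT_FILENAME => "/var/lib/lemonldap-ng/conf/lmConf",
+});
+
+exit (0);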
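Review bot: `$llng->prop('status')` is called on the result of `$c->get('lemonldap')` without checking it, so on a box where the record does not exist yet the action dies with a "Can't call method on undefined value" instead of treating the service as disabled, which is what the comment two lines below says the intent is; write it as `my $llng = $c->get('lemonldap') or exit 0;`. The script also runs with only `-w` and no `use strict; use warnings;`, unlike the sibling init-domains script in this commit, so add those two lines after the header. It is also worth a comment that the real work (saveConf) happens as a side effect inside the lmConf template and the output file itself is a placeholder, since nothing in this script reveals that.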
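@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="www"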
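@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="www"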
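@@ -0,0 +1,3 @@
+PERMS=0640
+UID="www"
+GID="www"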
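@@ -0,0 +1,32 @@
+#====================================================================
+# Apache configuration for LemonLDAP::NG Handler
+#====================================================================
+
+# Load LemonLDAP::NG Handler
+PerlOptions +GlobalRequest
+PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
+
+# Common error page and security parameters
+#ErrorDocument 403 http://auth.{$DomainName}/?lmError=403
+#ErrorDocument 500 http://auth.{$DomainName}/?lmError=500
+
+
+# Configuration reload mechanism (only 1 per physical server is
+# needed): choose your URL to avoid restarting Apache when
+# configuration change
+<Location /lm-reload>
+SSLRequireSSL on
+Order deny,allow
+Deny from all
+Allow from {"$localAccess $externalSSLAccess";}
+PerlHeaderParserHandler My::Package->refresh
+</Location>
+
+# Uncomment this to activate status module
+#<Location /status>
+# Order deny,allow
+# Deny from all
+# Allow from 127.0.0.0/8
+# PerlHeaderParserHandler My::Package->status
+#</Location>
+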
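Review bot: `SSLRequireSSL on` inside the `/lm-reload` Location is not valid mod_ssl syntax — the directive takes no arguments, and httpd rejects the configuration with "SSLRequireSSL takes no arguments" rather than ignoring the extra token, which would take the whole server down on the next restart; change it to `SSLRequireSSL`. If the intent was to keep the reload hook off plain HTTP, that bare directive is the right tool, and a comment saying `# reload hook is reachable over HTTPS only, from the allowed networks` above the Location would make the two-layer restriction obvious.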
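@@ -0,0 +1,10 @@
+{
+use esmith::DomainsDB;
+# Convert the passed hash for the domain object back into an object.
+$domain = bless \%domain, 'esmith::DB::db::Record';
+
+# Make scalars from some of the properties of the domain
+$virtualHost = $domain->key;
+$OUT = "";
+}
+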
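@@ -0,0 +1 @@
+ServerName {$virtualHost}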
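@@ -0,0 +1,105 @@
+{
+
+use esmith::util;
+
+if ( $port ne ($modSSL{'TCPPort'} || '443')){
+$OUT .=<<"EOF";
+
+#====================================================================
+# HTTPS redirection for LemonLDAP::NG Manager
+#====================================================================
+
+RewriteEngine on
+RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+EOF
+}
+else{
+my $authtype = $lemonldap{'ManagerAuth'} || 'basic';
+my $auth = '';
+my $base = esmith::util::ldapBase($DomainName);
+
+unless ( $authtype eq 'self' ) {
+$auth = "AuthName 'LemonLDAP NG Manager Interface'\n" .
+" AuthType Basic\n" .
+" AuthBasicProvider ldap\n" .
+" AuthLDAPURL ldap://localhost/ou=Users,$base?uid\n" .
+" AuthLDAPGroupAttribute memberUid\n" .
+" AuthLDAPGroupAttributeIsDN off\n" .
+" require ldap-user admin";
+}
+
+$OUT .=<<"EOF";
+
+SSLEngine On
+
+PerlOptions +Parent
+
+#====================================================================
+# Apache configuration for LemonLDAP::NG Manager
+#====================================================================
+
+# DocumentRoot
+DocumentRoot /var/lib/lemonldap-ng/manager/
+<Directory /var/lib/lemonldap-ng/manager/>
+Order deny,allow
+Deny from all
+Allow from $localAccess $externalSSLAccess
+Options +ExecCGI +FollowSymlinks
+$auth
+Satisfy all
+</Directory>
+
+# On-line documentation
+Alias /doc/ /var/lib/lemonldap-ng/doc/
+Alias /lib/ /var/lib/lemonldap-ng/doc/lib/
+<Directory /var/lib/lemonldap-ng/doc/>
+Order deny,allow
+Allow from all
+ErrorDocument 404 /notfound.html
+Options +FollowSymlinks
+DirectoryIndex index.pl index.html
+</Directory>
+
+# Perl script
+# Note: to avoid manager stay in memory, we don't use ModPerl::Registry
+# by default. Change this to increase manager performances
+<Files *.pl>
+#SetHandler cgi-script
+SetHandler perl-script
+PerlResponseHandler ModPerl::Registry
+</Files>
+
+# Directory index
+<IfModule mod_dir.c>
+DirectoryIndex index.pl index.html
+</IfModule>
+
+<Location />
+<IfModule mod_deflate.c>
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+SetOutputFilter DEFLATE
+BrowserMatch ^Mozilla/4 gzip-only-text/html
+BrowserMatch ^Mozilla/4\.0[678] no-gzip
+BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+</IfModule>
+<IfModule mod_headers.c>
+Header append Vary User-Agent env=!dont-vary
+</IfModule>
+</Location>
+<Location /doc/>
+<IfModule mod_expires.c>
+ExpiresActive On
+ExpiresDefault "access plus 1 month"
+</IfModule>
+</Location>
+<Location /skins/>
+<IfModule mod_expires.c>
+ExpiresActive On
+ExpiresDefault "access plus 1 month"
+</IfModule>
+</Location>
+EOF
+}
+}
+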
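Review bot: When ManagerAuth is `self`, `$auth` stays empty and the manager directory is guarded by the IP allow list only; the user-level protection then comes entirely from the `protection = manager` line this commit writes into lemonldap-ng.ini, a dependency that is invisible from this template. Document it where the decision is made: above the `unless ( $authtype eq 'self' )` line add `# 'self': no Apache auth here, the manager is protected by the LemonLDAP handler via "protection = manager" in lemonldap-ng.ini; anything else: HTTP Basic against LDAP, admin only`. The comment on the `<Files *.pl>` block also contradicts the directives below it (it says ModPerl::Registry is not used by default, but `SetHandler perl-script` / `PerlResponseHandler ModPerl::Registry` are the active lines), so either drop that note or reword it to `# Run as a persistent mod_perl script (ModPerl::Registry); switch to cgi-script to avoid keeping the manager in memory`.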
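@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>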
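@@ -0,0 +1,2 @@
+</VirtualHost>
+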
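@@ -0,0 +1,10 @@
+{
+use esmith::DomainsDB;
+# Convert the passed hash for the domain object back into an object.
+$domain = bless \%domain, 'esmith::DB::db::Record';
+
+# Make scalars from some of the properties of the domain
+$virtualHost = $domain->key;
+$OUT = "";
+}
+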
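@@ -0,0 +1 @@
+ServerName {$virtualHost}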
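@@ -0,0 +1,116 @@
+{
+
+use esmith::AccountsDB;
+my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
+
+if ( $port ne ($modSSL{'TCPPort'} || '443')){
+$OUT .=<<"EOF";
+
+#====================================================================
+# HTTPS redirection for LemonLDAP::NG Portal
+#====================================================================
+
+RewriteEngine on
+RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+
+EOF
+}
+else{
+
+# SSL Authentication
+my $SSLAuth = $lemonldap{'SSLAuth'} || 'disabled';
+my $sslDirectives = ' # SSL Auth is disabled';
+if ((-e '/etc/pki/tls/certs/cacert.pem') &&
+($SSLAuth =~ m/^(require)|(optional)$/)) {
+$sslDirectives =<<"HERE";
+<LocationMatch "^/(\$|\\?url=.*|cas/login.*)">
+SSLVerifyClient $SSLAuth
+SSLVerifyDepth 1
+SSLOptions +StdEnvVars
+SSLUserName SSL_CLIENT_S_DN_CN
+</LocationMatch>
+HERE
+}
+
+$OUT .=<<"EOF";
+
+SSLEngine On
+
+PerlOptions +Parent
+
+#====================================================================
+# Apache configuration for LemonLDAP::NG Portal
+#====================================================================
+
+# DocumentRoot
+DocumentRoot /var/lib/lemonldap-ng/portal/
+
+<Perl>
+require Lemonldap::NG::Portal::SharedConf;
+Lemonldap::NG::Portal::SharedConf->compile(
+qw(delete header cache read_from_client cookie redirect unescapeHTML));
+# Uncomment this line if you use Lemonldap::NG menu
+require Lemonldap::NG::Portal::Menu;
+</Perl>
+
+<Directory /var/lib/lemonldap-ng/portal/>
+Order allow,deny
+Allow from all
+Options +ExecCGI +FollowSymlinks
+</Directory>
+$sslDirectives
+
+# Perl script
+<Files *.pl>
+SetHandler perl-script
+PerlResponseHandler ModPerl::Registry
+</Files>
+
+<IfModule mod_dir.c>
+DirectoryIndex index.pl index.html
+</IfModule>
+
+# SAML2 Issuer
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule ^/saml/metadata /metadata.pl
+RewriteRule ^/saml/.* /index.pl
+</IfModule>
+
+# CAS Issuer
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule ^/cas/.* /index.pl
+</IfModule>
+
+# OpenID Issuer
+<IfModule mod_rewrite.c>
+RewriteEngine On
+RewriteRule ^/openidserver/.* /index.pl
+</IfModule>
+
+<Location />
+<IfModule mod_deflate.c>
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+SetOutputFilter DEFLATE
+BrowserMatch ^Mozilla/4 gzip-only-text/html
+BrowserMatch ^Mozilla/4\.0[678] no-gzip
+BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+</IfModule>
+<IfModule mod_headers.c>
+Header append Vary User-Agent env=!dont-vary
+</IfModule>
+</Location>
+<Location /skins/>
+<IfModule mod_expires.c>
+ExpiresActive On
+ExpiresDefault "access plus 1 month"
+</IfModule>
+</Location>
+
+EOF
+}
+}
+
+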
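Review bot: The SSLAuth test `$SSLAuth =~ m/^(require)|(optional)$/` has an alternation precedence bug: it matches any value that starts with `require` or ends with `optional`, and whatever matched is then interpolated verbatim into `SSLVerifyClient $SSLAuth`, so a mistyped DB value like `requireX` produces a broken (or unintended) mod_ssl directive; write it as `$SSLAuth =~ m/^(?:require|optional)$/`. The same value is re-checked in the lmConf template of this commit with exact `eq` comparisons, so the two can currently disagree. Separately, `my $a = esmith::AccountsDB->open_ro() ...` is never used in this fragment and `$a` shadows Perl's sort variable; drop the two lines (the same dead open appears in the soapsso vhost fragment).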
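@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>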
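@@ -0,0 +1,2 @@
+</VirtualHost>
+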
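@@ -0,0 +1,10 @@
+{
+use esmith::DomainsDB;
+# Convert the passed hash for the domain object back into an object.
+$domain = bless \%domain, 'esmith::DB::db::Record';
+
+# Make scalars from some of the properties of the domain
+$virtualHost = $domain->key;
+$OUT = "";
+}
+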
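@@ -0,0 +1 @@
+ServerName {$virtualHost}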
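@@ -0,0 +1,119 @@
+{
+
+use esmith::AccountsDB;
+my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
+
+if ( $port ne ($modSSL{'TCPPort'} || '443')){
+$OUT .=<<"EOF";
+
+#====================================================================
+# HTTPS redirection for LemonLDAP::NG Portal
+#====================================================================
+
+RewriteEngine on
+RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+
+EOF
+}
+else{
+my $soapAllow = join (" ", split(/[;,]/, ($lemonldap{'SoapAllowFrom'} || '')));
+$soapAllow = ( $soapAllow eq '' ) ? '' : "Allow from $soapAllow\n ";
+my $soapPassword = $lemonldap{'SoapPassword'} || '';
+$soapAllow .= ($soapPassword eq '') ? '' :
+'AuthName "LemonLDAP SOAP interface"' . "\n " .
+'AuthType Basic' . "\n " .
+'AuthBasicProvider file' . "\n " .
+'AuthUserFile /etc/lemonldap-ng/soap-htpasswd' . "\n " .
+'Require valid-user' . "\n " .
+'Satisfy all';
+
+$OUT .=<<"EOF";
+
+SSLEngine On
+
+PerlOptions +Parent
+
+#====================================================================
+# Apache configuration for LemonLDAP::NG Portal
+#====================================================================
+
+# DocumentRoot
+DocumentRoot /var/lib/lemonldap-ng/portal/
+
+<Perl>
+require Lemonldap::NG::Portal::SharedConf;
+Lemonldap::NG::Portal::SharedConf->compile(
+qw(delete header cache read_from_client cookie redirect unescapeHTML));
+# Uncomment this line if you use portal SOAP capabilities
+require SOAP::Lite;
+</Perl>
+
+<Directory /var/lib/lemonldap-ng/portal/>
+Order allow,deny
+Allow from all
+Options +ExecCGI +FollowSymlinks
+</Directory>
+
+# Perl script
+<Files *.pl>
+SetHandler perl-script
+PerlResponseHandler ModPerl::Registry
+</Files>
+
+<IfModule mod_dir.c>
+DirectoryIndex index.pl index.html
+</IfModule>
+
+# SOAP functions for sessions management (disabled by default)
+<Location /index.pl/adminSessions>
+Order deny,allow
+Deny from all
+$soapAllow
+</Location>
+
+# SOAP functions for sessions access (disabled by default)
+<Location /index.pl/sessions>
+Order deny,allow
+Deny from all
+$soapAllow
+</Location>
+
+# SOAP functions for configuration access (disabled by default)
+<Location /index.pl/config>
+Order deny,allow
+Deny from all
+$soapAllow
+</Location>
+
+# SOAP functions for notification insertion (disabled by default)
+<Location /index.pl/notification>
+Order deny,allow
+Deny from all
+$soapAllow
+</Location>
+
+<Location />
+<IfModule mod_deflate.c>
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+SetOutputFilter DEFLATE
+BrowserMatch ^Mozilla/4 gzip-only-text/html
+BrowserMatch ^Mozilla/4\.0[678] no-gzip
+BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+</IfModule>
+<IfModule mod_headers.c>
+Header append Vary User-Agent env=!dont-vary
+</IfModule>
+</Location>
+<Location /skins/>
+<IfModule mod_expires.c>
+ExpiresActive On
+ExpiresDefault "access plus 1 month"
+</IfModule>
+</Location>
+
+EOF
+}
+}
+
+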
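Review bot: The `Allow from` line is built by splitting SoapAllowFrom on `;` and `,` and pasting the pieces straight into the httpd config, so any token that is not a host, IP or CIDR (a stray space, a quote, an embedded newline from a clumsy `config setprop`) lands inside the `<Location>` blocks that guard the sessions, config and adminSessions SOAP endpoints — the ones that hand out full session data and the whole configuration. Filter the tokens to the character set those directives accept before joining: `my @allow = grep { m{\A[\w.:/-]+\z} } split(/[;,]/, ($lemonldap{'SoapAllowFrom'} || '')); my $soapAllow = join(' ', @allow);`. Also note the `Satisfy all` is what makes the Basic auth an AND with the IP list rather than an OR; a comment above the `$soapAllow .=` assignment stating `# both the IP allow list and the htpasswd credential are required (Satisfy all)` would keep a later edit from weakening it. The dead `my $a = esmith::AccountsDB->open_ro()` line can go.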
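@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>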
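@@ -0,0 +1,2 @@
+</VirtualHost>
+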
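@@ -0,0 +1,10 @@
+{
+
+if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){
+$OUT .= " # This virtualhost is configured to be protected by LemonLDAP NG\n" .
+" PerlHeaderParserHandler My::Package\n" .
+" ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
+" ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
+}
+
+}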
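@@ -0,0 +1,10 @@
+{
+
+if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){
+$OUT .= " # This virtualhost is configured to be protected by LemonLDAP NG\n" .
+" PerlHeaderParserHandler My::Package\n" .
+" ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
+" ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
+}
+
+}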
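@@ -0,0 +1,19 @@
+#==============================================================================
+# LemonLDAP::NG local configuration parameters
+#
+# This file is dedicated to configuration parameters override
+# You can set here configuration parameters that will be used only by
+# local LemonLDAP::NG elements
+#
+# Section "all" is always read first before "portal", "handler"
+# and "manager"
+#
+# Section "configuration" is used to load global configuration and set cache
+# (replace old storage.conf file)
+#
+# Section "apply" is read by Manager to reload handlers
+# (replace old apply.conf file)
+#
+# Other section are only read by the specific LemonLDAP::NG component
+#==============================================================================
+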
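@@ -0,0 +1,5 @@
+
+[all]
+globalStorage = Apache::Session::File
+globalStorageOptions = \{ 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', \}
+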
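@@ -0,0 +1,9 @@
+
+[configuration]
+
+type=File
+dirName = /var/lib/lemonldap-ng/conf
+
+localStorage=Cache::FileCache
+localStorageOptions=\{ 'namespace' => 'localcache', 'default_expires_in' => 600, 'directory_umask' => '007', 'cache_root' => '/var/cache/lemonldap-ng', 'cache_depth' => 5, \}
+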
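@@ -0,0 +1,11 @@
+[apply]
+
+{"$SystemName.$DomainName";} = https://{"$SystemName.$DomainName";}/lm-reload
+
+{
+
+foreach my $srv (split(/[;,]/, ($lemonldap{'Reload'} || ''))){
+my ($name,$url) = split(/=/, $srv);
+$OUT .= "$name = $url\n";
+}
+}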
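Review bot: `split(/=/, $srv)` cuts a Reload entry at every `=`, so a reload URL that carries a query string (`name=https://host/lm-reload?x=1`) is silently truncated to everything before the second `=`; limit the split to the first separator with `my ($name,$url) = split(/=/, $srv, 2);`. Entries without any `=` yield an undefined `$url` and still get written as `name = `, so guard with `next unless defined $url;` to avoid handing the manager an empty reload target. A one-line comment on the expected format (`# Reload=name1=https://host1/lm-reload;name2=https://host2/lm-reload`) would help whoever sets the property.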
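@@ -0,0 +1,10 @@
+
+[manager]
+{
+$OUT .= (($lemonldap{'ManagerAuth'} || 'basic') eq 'self') ?
+'protection = manager' : '';
+}
+
+[sessionsExplorer]
+
+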
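@@ -0,0 +1,6 @@
+[handler]
+
+https = 1
+status = 0
+useRedirectOnError = 1
+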
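@@ -0,0 +1,3 @@
+
+[portal]
+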
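@@ -0,0 +1,6 @@
+{
+my $pw = $lemonldap{'SoapPassword'} || 'secret';
+my $res = `/usr/bin/htpasswd -bnm lemonsoap $pw`;
+chomp($res);
+$OUT .= $res;
+}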
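Review bot: When SoapPassword is unset this fragment writes an htpasswd entry for the literal password `secret`, while the soapsso vhost template in the same commit emits no Basic auth at all in that case — so the fallback never protects anything and only leaves a well-known credential on disk; emit nothing instead. The password is also passed through the shell in backticks and on the htpasswd command line; the generator restricts it to alphanumerics so injection is not reachable today, but a list-form pipe open removes the shell from the path at no cost (the `ps`-visibility of `-b` remains a limitation of this htpasswd version). The early `return` relies on template fragments being run under eval, as the migrate fragment in this commit already does with `return "";` — verify for this template dir.
```perl
my $pw = $lemonldap{'SoapPassword'} || '';
# No password means the soapsso vhost emits no Basic auth: write an empty file
# rather than an entry for a well-known password.
return '' if $pw eq '';
open my $fh, '-|', '/usr/bin/htpasswd', '-bnm', 'lemonsoap', $pw
    or die "Unable to run htpasswd: $!\n";
my $res = do { local $/; <$fh> };
close $fh;
chomp($res);
$OUT .= $res;
```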
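@@ -0,0 +1,30 @@
+{
+use esmith::ConfigDB;
+use esmith::DomainsDB;
+use esmith::NetworksDB;
+use esmith::util;
+use Lemonldap::NG::Common::Conf;
+
+$c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
+$d = esmith::DomainsDB->open_ro or die "Error opening DomainsDB\n";
+$n = esmith::NetworksDB->open_ro or die "Error opening NetworksDB\n";
+$domain = $c->get('DomainName')->value;
+$base = esmith::util::ldapBase ($domain);
+$ldap = $c->get('ldap') || die "Error reading ldap service entry\n";
+$port = $ldap->prop('TCPPort') || '389';
+$llng = $c->get('lemonldap');
+
+$manual = $llng->prop('ManualConf') || 'disabled';
+
+$confAccess = new Lemonldap::NG::Common::Conf(
+{
+type=>'File',
+dirName=>"/var/lib/lemonldap-ng/conf",
+},
+) or die "Unable to build Lemonldap::NG::Common::Conf, see Apache logs\n";
+
+$conf = $confAccess->getConf();
+
+$OUT = '';
+
+}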
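Review bot: `$llng = $c->get('lemonldap');` is the one DB lookup in this fragment without a failure check, and the very next line dereferences it, so a missing record turns into an opaque "Can't call method prop on undefined value" while the `ldap` lookup above dies with a readable message; write `$llng = $c->get('lemonldap') || die "Error reading lemonldap service entry\n";`. `new Lemonldap::NG::Common::Conf(...)` is indirect-object syntax, which Perl resolves at parse time and can misparse if a `new` sub is ever in scope; use `Lemonldap::NG::Common::Conf->new({...})`. A header comment that these package globals (`$c`, `$d`, `$n`, `$conf`, `$confAccess`, ...) are deliberately unscoped because the later fragments of this template read them would explain the missing `my`.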
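@@ -0,0 +1,13 @@
+{
+
+# Global parameters
+$conf->{'grantSessionRule'} = '$groups =~ /\\bshared\\b/';
+$conf->{'domain'} = "$domain";
+$conf->{'portal'} = "https://auth.$domain/";
+$conf->{'storePassword'} = '0';
+$conf->{'portalUserAttr'} = 'cn' if (($conf->{'portalUserAttr'} || '_user') eq "_user");
+$conf->{'portalDisplayChangePassword'} = '0';
+
+$OUT .= '';
+
+}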
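Review bot: Two of these settings are access-control decisions and deserve a line each, since the values are forced on every run and an admin's manager-side change is overwritten. Above `grantSessionRule` add `# Only members of the "shared" group are granted an SSO session; everyone else authenticates but gets no session`, and above `$conf->{'domain'}` add `# Cookie domain is the whole primary domain, so every vhost under it (protected or not) receives the SSO cookie`. `storePassword = '0'` is the right default and a short `# never keep the clear-text password in the session` makes sure nobody flips it casually.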
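@@ -0,0 +1,17 @@
+{
+
+# LDAP parameters
+$conf->{'passwordDB'} = 'LDAP';
+$conf->{'userDB'} = 'LDAP';
+$conf->{'ldapServer'} = 'localhost';
+$conf->{'ldapPort'} = "$port";
+$conf->{'ldapVersion'} = '3';
+$conf->{'ldapBase'} = "ou=Users,$base";
+$conf->{'ldapGroupBase'} = "ou=Groups,$base";
+$conf->{'ldapGroupAttributeNameUser'} = 'uid';
+$conf->{'ldapGroupAttributeNameSearch'} = 'cn';
+$conf->{'ldapGroupAttributeName'} = 'memberUid';
+$conf->{'ldapGroupObjectClass'} = 'mailboxRelatedObject';
+
+$OUT .= '';
+}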
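@@ -0,0 +1,18 @@
+{
+
+# SOAP
+if (($llng->prop('SoapAllowFrom') || '') ne ''){
+my $password = $llng->prop('SoapPassword') || 'secret';
+$conf->{'Soap'} = '1';
+$conf->{'globalStorage'} = 'Lemonldap::NG::Common::Apache::Session::SOAP';
+$conf->{'globalStorageOptions'} = {
+proxy => "https://lemonsoap:$password\@soapsso.$domain/index.pl/sessions"
+};
+}
+else {
+$conf->{'Soap'} = '0';
+}
+
+$OUT = '';
+
+}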
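Review bot: The `|| 'secret'` fallback hides a misconfiguration rather than handling it: with SoapAllowFrom set but SoapPassword empty, the soapsso vhost in this commit emits no Basic auth at all, so the sessions endpoint is reachable by IP alone while this side quietly writes a bogus credential into lmConf; fail loudly instead with `my $password = $llng->prop('SoapPassword') or die "SoapPassword is not set\n";`. A comment is also due on the proxy line, since the clear-text SOAP password ends up in `lmConf-N` and therefore depends on the 0660 www:www permissions the last fragment sets: `# the SOAP password is stored in clear in lmConf-N; keep that file unreadable to others`. Whether SOAP::Lite verifies the server certificate on that https URL is not visible here and is worth confirming, as a failed verification is the only thing standing between a spoofed soapsso host and every remote handler's sessions.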
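@@ -0,0 +1,26 @@
+{
+
+# SSL Auth
+my $ssl = $llng->prop('SSLAuth') || '';
+
+if ($ssl eq 'optional' || $ssl eq 'require'){
+# SSL Auth is enabled
+# Configure common attributes
+$conf->{'SSLLDAPField'} = 'uid';
+$conf->{'SSLVar'} = 'SSL_CLIENT_S_DN_CN';
+$conf->{'SSLRequire'} = '1';
+
+if ($ssl eq 'optional'){
+$conf->{'authentication'} = 'Multi SSL;LDAP';
+}
+else{
+$conf->{'authentication'} = 'SSL';
+}
+}
+else{
+$conf->{'authentication'} = 'LDAP';
+}
+
+$OUT = '';
+
+}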
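Review bot: `SSLLDAPField = 'uid'` with `SSLVar = 'SSL_CLIENT_S_DN_CN'` means the client certificate's CN is looked up directly as the user's uid, so anyone able to obtain a certificate from the trusted CA with a CN of their choosing logs in as that user — the CA at /etc/pki/tls/certs/cacert.pem (checked by the portal vhost template) is effectively the password database; state that above the two lines: `# The cert's CN is matched against uid: the trusted CA decides who can be who`. The `SSLRequire = '1'` setting in the `optional` branch sits next to an `SSLVerifyClient optional` in the vhost; if LemonLDAP's SSLRequire makes the SSL module fail hard instead of falling through to LDAP in the `Multi SSL;LDAP` chain, the `optional` mode does not do what its name says — I cannot confirm from this diff, so a comment on the expected fall-through (or a test of a no-cert login) is warranted.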
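@@ -0,0 +1,48 @@
+{
+
+my $reg = '$ipAddr =~ /^';
+my $count = 0;
+
+# Build a regexp to check if the client IP
+# is part of a local network
+# Then, we can easily use this macro to restrict
+# access to local networks on some applications
+
+foreach my $net ($n->networks){
+my $addr = $net->key;
+my $mask = $net->prop('Mask') || '255.255.255.255';
+$reg .= '|' if ($count > 0);
+foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+$reg .= "($_)";
+$count++;
+}
+}
+
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'localAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$reg = '$ipAddr =~ /^';
+$count = 0;
+
+# Do the same for extenal SSL access
+
+foreach my $net (split(/[;,]/,(${'httpd-admin'}{'ValidFrom'} || ''))){
+my ($addr,$mask) = split(/\//,$net);
+$reg .= '|' if ($count > 0);
+foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+$reg .= "($_)";
+$count++;
+}
+}
+
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'externalSSLAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$OUT = '';
+
+}
+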
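Review bot: The externalSSLAccess macro fails open: when httpd-admin ValidFrom is empty the loop adds nothing and the macro becomes `($ipAddr =~ /^/) ? '1':'0'`, and an empty-anchored regexp matches every address, so every client is treated as an allowed external SSL host; the localAccess macro has the same shape if the networks DB is empty. The `|` separator is also only inserted per network, not per prefix, so a network that expands to several prefixes (anything wider than a /24, if computeAllLocalNetworkPrefixes returns one prefix per /24 as its name suggests) produces `(10\.0\.0\.)(10\.0\.1\.)`, which matches nothing. Both are fixed by collecting the prefixes first and joining them, with an explicit `'0'` when the list is empty.
```perl
# Turn (addr, mask) pairs into "$ipAddr =~ /^(p1)|(p2)|.../"; with no
# prefixes the macro must be a constant false, never an empty regexp.
my $build_reg = sub {
    my @prefixes;
    for my $pair (@_) {
        my ($addr, $mask) = @$pair;
        push @prefixes,
            map { "($_)" } esmith::util::computeAllLocalNetworkPrefixes($addr, $mask);
    }
    return "'0'" unless @prefixes;
    my $reg = '$ipAddr =~ /^' . join('|', @prefixes) . '/';
    $reg =~ s/\./\\\./g;
    return "($reg) ? '1':'0'";
};

$conf->{'macros'}->{'localAccess'} = $build_reg->(
    map { [ $_->key, $_->prop('Mask') || '255.255.255.255' ] } $n->networks
);

$conf->{'macros'}->{'externalSSLAccess'} = $build_reg->(
    map { [ split(/\//, $_, 2) ] } split(/[;,]/, (${'httpd-admin'}{'ValidFrom'} || ''))
);
# … unchanged: $OUT = '' …
```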
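@@ -0,0 +1,10 @@
+{
+
+if (($conf->{'notification'} || '0') eq '1'){
+$conf->{'notificationStorage'} = 'File';
+$conf->{'notificationStorageOptions'} = {
+'dirName' => '/var/lib/lemonldap-ng/notifications'
+},
+}
+
+}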
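Review bot: The hash assignment to `notificationStorageOptions` ends in `},` instead of `};` — it parses (the comma becomes a list operator before the closing brace) but reads as a typo and will be "fixed" the wrong way by a later editor; make it `};`. Unlike the other fragments this one neither sets `$OUT` nor carries a comment, so add `# notifications are left off unless enabled from the manager; only the storage backend is forced here` to explain why the flag itself is read rather than written.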
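@@ -0,0 +1,16 @@
+{
+
+# Now, update the configuration
+my $num = $confAccess->saveConf($conf);
+
+if ($num > 0){
+esmith::util::chownFile('www', 'www', "/var/lib/lemonldap-ng/conf/lmConf-$num");
+chmod 0660, "/var/lib/lemonldap-ng/conf/lmConf-$num";
+}
+else {
+die "An error occured saving LemonLDAP::NG configuration: $num\n";
+}
+
+$OUT = '# This is just a dummy config file';
+
+}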
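Review bot: `saveConf` writes `lmConf-$num` — which, per the SOAP fragment of this commit, can contain the clear-text SOAP password — with whatever mode the File backend and the root umask produce, and only afterwards are the ownership and `chmod 0660` applied, leaving a window where the file may be world-readable. Tighten the umask around the save instead of relying on the fix-up: `my $old_umask = umask 0027;` before `saveConf` and `umask $old_umask;` after the if/else. Whether the backend honours the process umask is not visible here; if it sets an explicit mode the change is harmless. The `$num > 0` check is correct only if saveConf reports errors as values at or below zero, which the die message implies — a comment `# saveConf returns the new config number, or a non-positive error code` would pin that assumption.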
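--- /dev/null
+++ b/smeserver-lemonldap-ng.spec
@@ -0,0 +1,135 @@
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Summary: LemonLDAP NG is a web SSO solution
+%define name smeserver-lemonldap-ng
+Name: %{name}
+%define version 0.2.0
+%define release 1
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: SME Server
+Source: %{name}-%{version}.tar.gz
+
+BuildArchitectures: noarch
+
+BuildRequires: e-smith-devtools
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+
+Requires: e-smith-base >= 5.2.0-56
+Requires: e-smith-ldap
+Requires: smeserver-webapps-common >= 0.1-8
+Requires: lemonldap-ng
+
+%description
+This package contains all the needed scripts and templates
+to run LemonLDAP NG on your SME Server. It uses LDAP as authentication source
+but can also use SSL auth (either optional with a fallback to LDAP, or SSL required)
+
+%changelog
+* Wed Jun 20 2012 Daniel Berteaud <daniel@firewall-services.com> 0.2.0-1.sme
+- Import in GIT
+
+* Mon Dec 19 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-22.sme
+- Change SSL Auth to work with LocationMatch, so CAS proxy can work with
+SSL Auth enabled
+
+* Wed Jul 13 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-21.sme
+- Disable password reset form
+
+* Wed Jul 13 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-20.sme
+- Fix uninitilized values in lemonldap conf templates
+
+* Mon Jul 11 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-19.sme
+- reserve /lm-reload
+
+* Sun Jul 10 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-18.sme
+- Fix notification check
+
+* Sat Jul 09 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-17.sme
+- Don't force notifications on
+
+* Fri Jul 08 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-16.sme
+- Enable and configure notifications
+
+* Thu Jun 30 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-15.sme
+- Manage some configuration from the DB
+
+* Fri Mar 11 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-14.sme
+- Make LemonLDAP compatible with ocsinventory-ng
+
+* Mon Mar 7 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-13.sme
+- Add support for SSL Auth on the portal
+- Use a separated vhost for SOAP requests
+
+* Tue Feb 1 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-12.sme
+- Requires recent version of smeserver-webapps-common
+- Switch to LDAP based auth to protect the manager
+
+* Tue Jan 25 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-11.sme
+- Fix a spacing issue in httpd templates
+
+* Fri Jan 21 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-10.sme
+- Add SSLEngine directives in https virtualhosts
+
+* Fri Jan 21 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-9.sme
+- Fix empty SoapPassword
+
+* Thu Jan 06 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-8.sme
+- Fix Soap ressources authentication
+
+* Tue Jan 03 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-7.sme
+- Run the manager as a perl script (instead of CGI mode)
+
+* Tue Jan 03 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-6.sme
+- Use https links for error pages
+
+* Tue Dec 30 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-5.sme
+- use only alphanumeric characters for soap password
+- use htpasswd to hash the password
+
+* Tue Dec 28 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-4.sme
+- don't load mod_auth_external if not needed
+- move cache dir in /var/cache
+- Fix several hosts listed in SoapAllowFrom
+
+* Fri Dec 24 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-3.sme
+- Use htpasswd file to protect SOAP services
+- Configure session storage in lemonldap-ng.ini
+- Support additionnal server reload URL
+
+* Fri Dec 17 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-2.sme
+- Let the manager be self-protected if ManagerAuth eq self
+
+* Wed Dec 16 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-1.sme
+- initial public release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+perl createlinks
+%{__mkdir_p} root/var/cache/lemonldap-ng
+%{__mkdir_p} root/var/lib/lemonldap-ng/notifications
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+--dir /var/cache/lemonldap-ng 'attr(0770,root,www)' \
+--dir /var/lib/lemonldap-ng/notifications 'attr(0770,root,www)' \
+> %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+%preun
+
+true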
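Review bot: `Requires: lemonldap-ng` carries no version, yet the templates in this commit hard-code version-specific LemonLDAP::NG interfaces (`Lemonldap::NG::Portal::SharedConf->compile`, the `Multi SSL;LDAP` authentication module, `Lemonldap::NG::Common::Conf` with the `File` backend and its `saveConf` return convention); an upgrade of the upstream package can silently break the portal or the config save. Pin the tested range, e.g. `Requires: lemonldap-ng >= 1.0` with the actual tested version substituted — I cannot tell which one from this diff. Also `License: GPL` is less precise than the headers in the shipped scripts, which say GPL version 2 or later; `License: GPLv2+` matches them.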