commit 6351a4e526247f7841e653a905e6fe3e769041bb Author: Daniel Berteaud Date: Wed Jun 20 10:03:36 2012 +0200 premier commit diff --git a/createlinks b/createlinks new file mode 100644 index 0000000..df27905 --- /dev/null +++ b/createlinks @@ -0,0 +1,14 @@ +#!/usr/bin/perl -w + +use esmith::Build::CreateLinks qw(:all); + +templates2events("/etc/lemonldap-ng/lemonldap-ng.ini", qw/webapps-update bootstrap-console-save/); +templates2events("/etc/lemonldap-ng/soap-htpasswd", qw/webapps-update bootstrap-console-save/); + +event_link("lemonldap-init-domains", "webapps-update", "20"); +foreach my $event (qw/webapps-update network-create network-delete bootstrap-ldap-save remoteaccess-update/){ + event_link("lemonldap-update-conf", "$event", "25"); +} + +safe_touch("root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/template-begin"); + diff --git a/root/etc/e-smith/db/accounts/defaults/lm-reload/type b/root/etc/e-smith/db/accounts/defaults/lm-reload/type new file mode 100644 index 0000000..96cdd3b --- /dev/null +++ b/root/etc/e-smith/db/accounts/defaults/lm-reload/type @@ -0,0 +1 @@ +url diff --git a/root/etc/e-smith/db/configuration/defaults/lemonldap/status b/root/etc/e-smith/db/configuration/defaults/lemonldap/status new file mode 100644 index 0000000..86981e6 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/lemonldap/status @@ -0,0 +1 @@ +enabled diff --git a/root/etc/e-smith/db/configuration/defaults/lemonldap/type b/root/etc/e-smith/db/configuration/defaults/lemonldap/type new file mode 100644 index 0000000..24e1098 --- /dev/null +++ b/root/etc/e-smith/db/configuration/defaults/lemonldap/type @@ -0,0 +1 @@ +service diff --git a/root/etc/e-smith/db/configuration/migrate/lemonldap-enable-mod_perl b/root/etc/e-smith/db/configuration/migrate/lemonldap-enable-mod_perl new file mode 100644 index 0000000..357b79f --- /dev/null +++ b/root/etc/e-smith/db/configuration/migrate/lemonldap-enable-mod_perl 
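Review bot: `lemonldap-init-domains` is linked only to `webapps-update` (`event_link("lemonldap-init-domains", "webapps-update", "20")`), whereas the ini and htpasswd templates are also expanded on `bootstrap-console-save`; if the primary DomainName is changed there, the `auth.`, `sso-manager.` and `soapsso.` records that the action creates with `Removable => 'no'` would, as far as I can tell, neither be recreated for the new domain until the next `webapps-update` nor be deletable from the panel for the old one. Consider linking the action to `bootstrap-console-save` too, or add a comment such as `# SSO vhost names are derived from DomainName at the time lemonldap-init-domains runs` so the coupling is explicit. This is inferred from the event links visible here; the action itself is in a later hunk.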
@@ -0,0 +1,12 @@
+{
+
+ my $mp = $DB->get('modPerl') || $DB->new_record("modPerl", { type => "service", status => "enabled" });
+
+ if ( ($mp->prop('status') || 'disabled') eq 'enabled'){
+ return "";
+ }
+ else{
+ $DB->set_prop('modPerl', 'status', 'enabled');
+ }
+
+}
diff --git a/root/etc/e-smith/db/configuration/migrate/lemonldap-soappasswd b/root/etc/e-smith/db/configuration/migrate/lemonldap-soappasswd
new file mode 100644
index 0000000..2da183b
--- /dev/null
+++ b/root/etc/e-smith/db/configuration/migrate/lemonldap-soappasswd
@@ -0,0 +1,13 @@
+{
+
+my $rec = $DB->get('lemonldap')
+ || $DB->new_record('lemonldap', {type => 'service'});
+
+my $pw = $rec->prop('SoapPassword');
+
+if (not $pw){
+ my $rand = `/usr/bin/openssl rand -base64 35 | tr -cd '[:alnum:]'`;
+ $rec->set_prop('SoapPassword', "$rand");
+}
+
+}
diff --git a/root/etc/e-smith/events/actions/lemonldap-init-domains b/root/etc/e-smith/events/actions/lemonldap-init-domains
new file mode 100644
index 0000000..f6d7c38
--- /dev/null
+++ b/root/etc/e-smith/events/actions/lemonldap-init-domains
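Review bot: the generated password is never checked: if `/usr/bin/openssl` is missing or fails, `$rand` is an empty string and `$rec->set_prop('SoapPassword', "$rand")` stores it, after which the `soap-htpasswd` and lmConf `015soap` templates later in this commit fall back to the literal `'secret'`, so the SOAP interface ends up protected by a known credential. Fail closed before the `set_prop` line: `unless ($? == 0 and $rand =~ /^[[:alnum:]]{20,}$/) { warn "lemonldap-soappasswd: openssl rand failed, SoapPassword left unset\n"; return; }`. The pipeline is fixed text with no interpolated input, so backticks are acceptable here, and `tr -cd '[:alnum:]'` already strips the trailing newline, so no `chomp` is needed.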
@@ -0,0 +1,88 @@ +#!/usr/bin/perl -w +#---------------------------------------------------------------------- +# copyright (C) 2010 Firewall-Services +# daniel@firewall-services.com +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Technical support for this program is available from Mitel Networks +# Please visit our web site www.mitel.com/sme/ for details. 
+#---------------------------------------------------------------------- + +use strict; +use warnings; +use esmith::DomainsDB; +use esmith::ConfigDB; + +my $d = esmith::DomainsDB->open or die "Couldn't open DomainsDB\n"; +my $c = esmith::ConfigDB->open_ro() or die "Couldn't open ConfigDB\n"; + +my $domain = $c->get('DomainName')->value; +my $vhost; + +$vhost = $d->get("sso-manager.$domain"); + +if (!$vhost){ + $d->new_record("sso-manager.$domain",{ + type => 'domain', + Content => 'Primary', + Description => "LemonLDAP-NG Manager", + Nameservers => 'internet', + TemplatePath => 'LemonLDAPManager', + Removable => 'no', + }); + + unless ( system("/sbin/e-smith/signal-event", "domain-create", "sso-manager.$domain") == 0 ){ + die "Failed to create domain sso-manager.$domain\n"; + } +} + +$vhost = $d->get("auth.$domain"); + +if (!$vhost){ + $d->new_record("auth.$domain",{ + type => 'domain', + Content => 'Primary', + Description => "LemonLDAP-NG Portal", + Nameservers => 'internet', + TemplatePath => 'LemonLDAPPortal', + Removable => 'no', + }); + + unless ( system("/sbin/e-smith/signal-event", "domain-create", "auth.$domain") == 0 ){ + die "Failed to create domain auth.$domain\n"; + } +} + +$vhost = $d->get("soapsso.$domain"); + +if (!$vhost){ + $d->new_record("soapsso.$domain",{ + type => 'domain', + Content => 'Primary', + Description => "LemonLDAP-NG SOAP Handler", + Nameservers => 'internet', + TemplatePath => 'LemonLDAPSoap', + Removable => 'no', + }); + + unless ( system("/sbin/e-smith/signal-event", "domain-create", "soapsso.$domain") == 0 ){ + die "Failed to create domain soapsso.$domain\n"; + } +} + + +exit 0; + diff --git a/root/etc/e-smith/events/actions/lemonldap-update-conf b/root/etc/e-smith/events/actions/lemonldap-update-conf new file mode 100644 index 0000000..217fa88 --- /dev/null +++ b/root/etc/e-smith/events/actions/lemonldap-update-conf 
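Review bot: the three create-if-missing blocks are copies of each other that differ only in host name, `Description` and `TemplatePath`, which makes it easy for a later fix (e.g. to the `domain-create` error handling) to land in one copy and not the others; a small table plus one loop keeps the behaviour, including the list-form `system()` that avoids a shell, and the creation order. `$c->get('DomainName')->value` also dereferences without a check, so a missing record dies with a bare "Can't call method" rather than a readable message; `my $domain = ($c->get('DomainName') or die "No DomainName in ConfigDB\n")->value;` is clearer. The rewrite below replaces everything after the `$domain` lookup.
```perl
# … unchanged: strict/warnings, DB opens, $domain lookup …

# One SSO virtual host per entry: [ hostname, Description, TemplatePath ].
# Order is kept from the original script (manager, portal, SOAP handler).
my @sso_hosts = (
    [ "sso-manager.$domain", 'LemonLDAP-NG Manager',      'LemonLDAPManager' ],
    [ "auth.$domain",        'LemonLDAP-NG Portal',       'LemonLDAPPortal'  ],
    [ "soapsso.$domain",     'LemonLDAP-NG SOAP Handler', 'LemonLDAPSoap'    ],
);

foreach my $entry (@sso_hosts) {
    my ($host, $desc, $tpl) = @$entry;
    # An existing record is left untouched so admin edits survive re-runs.
    next if $d->get($host);
    $d->new_record($host, {
        type         => 'domain',
        Content      => 'Primary',
        Description  => $desc,
        Nameservers  => 'internet',
        TemplatePath => $tpl,
        Removable    => 'no',
    });
    # List-form system(): no shell, the hostname is never re-parsed.
    system('/sbin/e-smith/signal-event', 'domain-create', $host) == 0
        or die "Failed to create domain $host\n";
}

exit 0;
```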
@@ -0,0 +1,43 @@ +#!/usr/bin/perl -w +#---------------------------------------------------------------------- +# copyright (C) 2011 Firewall-Services +# daniel@firewall-services.com +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Technical support for this program is available from Mitel Networks +# Please visit our web site www.mitel.com/sme/ for details. +#---------------------------------------------------------------------- + +use esmith::ConfigDB; +use esmith::templates; + +my $c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n"; +my $llng = $c->get('lemonldap'); + +my $status = $llng->prop('status') || 'disabled'; +my $manual = $llng->prop('ManualConf') || 'disabled'; + +# Don't touch the configuration if it's set to be manual +# or if the service is disabled +exit (0) if ($manual eq 'enabled' or $status ne 'enabled'); + +processTemplate( + { + TEMPLATE_PATH => "/var/lib/lemonldap-ng/conf/lmConf", + OUTPUT_FILENAME => "/var/lib/lemonldap-ng/conf/lmConf", + }); + +exit (0); diff --git a/root/etc/e-smith/templates.metadata/etc/lemonldap-ng/lemonldap-ng.ini b/root/etc/e-smith/templates.metadata/etc/lemonldap-ng/lemonldap-ng.ini new file mode 100644 index 0000000..bad4258 --- /dev/null +++ b/root/etc/e-smith/templates.metadata/etc/lemonldap-ng/lemonldap-ng.ini 
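Review bot: the script runs under `-w` but not `use strict`, unlike `lemonldap-init-domains` in the same commit, and `$c->get('lemonldap')` is dereferenced on the next line without a check, so a missing record dies with a bare `Can't call method "prop"` instead of a readable message. Suggest `use strict; use warnings;` after the header and `my $llng = $c->get('lemonldap') or die "No lemonldap record in ConfigDB\n";`. The early `exit (0)` when `ManualConf` is enabled is the right default, but a comment would help here: `processTemplate` does not produce the real configuration, the `template-end` fragment of that template (later in this commit) saves it through `Lemonldap::NG::Common::Conf` and the `lmConf` output file is only a placeholder.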
@@ -0,0 +1,3 @@ +PERMS=0640 +UID="root" +GID="www" diff --git a/root/etc/e-smith/templates.metadata/etc/lemonldap-ng/soap-htpasswd b/root/etc/e-smith/templates.metadata/etc/lemonldap-ng/soap-htpasswd new file mode 100644 index 0000000..bad4258 --- /dev/null +++ b/root/etc/e-smith/templates.metadata/etc/lemonldap-ng/soap-htpasswd @@ -0,0 +1,3 @@ +PERMS=0640 +UID="root" +GID="www" diff --git a/root/etc/e-smith/templates.metadata/var/lib/lemonldap-ng/conf/lmConf-2 b/root/etc/e-smith/templates.metadata/var/lib/lemonldap-ng/conf/lmConf-2 new file mode 100644 index 0000000..7d87103 --- /dev/null +++ b/root/etc/e-smith/templates.metadata/var/lib/lemonldap-ng/conf/lmConf-2 @@ -0,0 +1,3 @@ +PERMS=0640 +UID="www" +GID="www" diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/97LemonLDAPHandler b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/97LemonLDAPHandler new file mode 100644 index 0000000..3c3ad95 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/97LemonLDAPHandler @@ -0,0 +1,32 @@ +#==================================================================== +# Apache configuration for LemonLDAP::NG Handler +#==================================================================== + +# Load LemonLDAP::NG Handler +PerlOptions +GlobalRequest +PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm + +# Common error page and security parameters +#ErrorDocument 403 http://auth.{$DomainName}/?lmError=403 +#ErrorDocument 500 http://auth.{$DomainName}/?lmError=500 + + +# Configuration reload mechanism (only 1 per physical server is +# needed): choose your URL to avoid restarting Apache when +# configuration change + + SSLRequireSSL on + Order deny,allow + Deny from all + Allow from {"$localAccess $externalSSLAccess";} + PerlHeaderParserHandler My::Package->refresh + + +# Uncomment this to activate status module +# +# Order deny,allow +# Deny from all +# Allow from 127.0.0.0/8 +# PerlHeaderParserHandler My::Package->status +# + 
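Review bot: this metadata file targets `/var/lib/lemonldap-ng/conf/lmConf-2`, a path nothing in this commit expands: the action processes the template for `.../conf/lmConf`, whose `template-end` fragment creates `lmConf-$num` itself and sets it to `0660 www:www`, so these `PERMS`/`UID`/`GID` lines look unused and disagree with the `0660` applied in code. Either drop this file or rename it to `lmConf` so the placeholder output gets `0640 www:www` rather than the template system's defaults, and make the mode agree with `template-end`. This is inferred from the paths; I cannot see how `processTemplate` treats metadata whose name differs from the output file.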
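Review bot: `SSLRequireSSL on` is, as far as I can tell, a configuration error: mod_ssl declares that directive `NO_ARGS` and Apache refuses to start with "SSLRequireSSL takes no arguments", so the line should be `SSLRequireSSL` alone, unless the enclosing container, whose `<Location>` tags are not visible in this listing, is commented out. The reload endpoint is otherwise gated only by `Allow from {"$localAccess $externalSSLAccess";}`, so any host on the local or remote-admin networks can trigger a configuration reload without credentials; since that only re-reads the stored configuration the exposure is small, but it deserves a comment, and limiting it to the hosts listed in `[apply]` (here the server itself) would be tighter. `$localAccess` and `$externalSSLAccess` are presumably set by the base httpd.conf templates; if either expands to nothing the resulting `Allow from` is probably itself invalid, so a guard like `{ $OUT .= "Allow from $localAccess $externalSSLAccess" if "$localAccess$externalSSLAccess" ne ''; }` would be safer.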
diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/00Setup b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/00Setup new file mode 100644 index 0000000..e00a95b --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/00Setup @@ -0,0 +1,10 @@ +{ + use esmith::DomainsDB; + # Convert the passed hash for the domain object back into an object. + $domain = bless \%domain, 'esmith::DB::db::Record'; + + # Make scalars from some of the properties of the domain + $virtualHost = $domain->key; + $OUT = ""; +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/10ServerName b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/10ServerName new file mode 100644 index 0000000..38f4ddf --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/10ServerName @@ -0,0 +1 @@ + ServerName {$virtualHost} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80LemonLDAPManager b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80LemonLDAPManager new file mode 100644 index 0000000..f8651bb --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80LemonLDAPManager 
@@ -0,0 +1,105 @@ +{ + + use esmith::util; + + if ( $port ne ($modSSL{'TCPPort'} || '443')){ + $OUT .=<<"EOF"; + + #==================================================================== + # HTTPS redirection for LemonLDAP::NG Manager + #==================================================================== + + RewriteEngine on + RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\] +EOF + } + else{ + my $authtype = $lemonldap{'ManagerAuth'} || 'basic'; + my $auth = ''; + my $base = esmith::util::ldapBase($DomainName); + + unless ( $authtype eq 'self' ) { + $auth = "AuthName 'LemonLDAP NG Manager Interface'\n" . + " AuthType Basic\n" . + " AuthBasicProvider ldap\n" . + " AuthLDAPURL ldap://localhost/ou=Users,$base?uid\n" . + " AuthLDAPGroupAttribute memberUid\n" . + " AuthLDAPGroupAttributeIsDN off\n" . + " require ldap-user admin"; + } + + $OUT .=<<"EOF"; + + SSLEngine On + + PerlOptions +Parent + + #==================================================================== + # Apache configuration for LemonLDAP::NG Manager + #==================================================================== + + # DocumentRoot + DocumentRoot /var/lib/lemonldap-ng/manager/ + + Order deny,allow + Deny from all + Allow from $localAccess $externalSSLAccess + Options +ExecCGI +FollowSymlinks + $auth + Satisfy all + + + # On-line documentation + Alias /doc/ /var/lib/lemonldap-ng/doc/ + Alias /lib/ /var/lib/lemonldap-ng/doc/lib/ + + Order deny,allow + Allow from all + ErrorDocument 404 /notfound.html + Options +FollowSymlinks + DirectoryIndex index.pl index.html + + + # Perl script + # Note: to avoid manager stay in memory, we don't use ModPerl::Registry + # by default. 
Change this to increase manager performances + + #SetHandler cgi-script + SetHandler perl-script + PerlResponseHandler ModPerl::Registry + + + # Directory index + + DirectoryIndex index.pl index.html + + + + + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css + SetOutputFilter DEFLATE + BrowserMatch ^Mozilla/4 gzip-only-text/html + BrowserMatch ^Mozilla/4\.0[678] no-gzip + BrowserMatch \bMSIE !no-gzip !gzip-only-text/html + SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary + + + Header append Vary User-Agent env=!dont-vary + + + + + ExpiresActive On + ExpiresDefault "access plus 1 month" + + + + + ExpiresActive On + ExpiresDefault "access plus 1 month" + + +EOF + } +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-begin b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-begin new file mode 100644 index 0000000..b050035 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-begin @@ -0,0 +1,2 @@ + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-end b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-end new file mode 100644 index 0000000..50d3d92 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-end @@ -0,0 +1,2 @@ + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/00Setup b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/00Setup new file mode 100644 index 0000000..e00a95b --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/00Setup 
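Review bot: in the `basic` branch, `AuthLDAPGroupAttribute memberUid` and `AuthLDAPGroupAttributeIsDN off` are dead configuration because the only requirement is `require ldap-user admin`; either drop them or make the allowed principals a db property (e.g. `require ldap-group cn=$lemonldap{'ManagerGroup'},ou=Groups,$base`) so manager access does not hinge on one hard-coded account. The `Allow from $localAccess $externalSSLAccess` plus `Satisfy all` pairing is the right shape: both the source restriction and the LDAP credential must pass. When `ManagerAuth` is `self`, `$auth` is empty and protection rests entirely on the `protection = manager` line the `20manager` ini fragment writes elsewhere in this commit; a comment here such as `# 'self': the manager is protected by LemonLDAP itself, see lemonldap-ng.ini [manager]` would save the next reader a search.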
@@ -0,0 +1,10 @@ +{ + use esmith::DomainsDB; + # Convert the passed hash for the domain object back into an object. + $domain = bless \%domain, 'esmith::DB::db::Record'; + + # Make scalars from some of the properties of the domain + $virtualHost = $domain->key; + $OUT = ""; +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/10ServerName b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/10ServerName new file mode 100644 index 0000000..38f4ddf --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/10ServerName @@ -0,0 +1 @@ + ServerName {$virtualHost} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80LemonLDAPPortal b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80LemonLDAPPortal new file mode 100644 index 0000000..034e4fa --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80LemonLDAPPortal 
@@ -0,0 +1,116 @@ +{ + +use esmith::AccountsDB; +my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n"; + +if ( $port ne ($modSSL{'TCPPort'} || '443')){ + $OUT .=<<"EOF"; + + #==================================================================== + # HTTPS redirection for LemonLDAP::NG Portal + #==================================================================== + + RewriteEngine on + RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\] + +EOF + } +else{ + + # SSL Authentication + my $SSLAuth = $lemonldap{'SSLAuth'} || 'disabled'; + my $sslDirectives = ' # SSL Auth is disabled'; + if ((-e '/etc/pki/tls/certs/cacert.pem') && + ($SSLAuth =~ m/^(require)|(optional)$/)) { + $sslDirectives =<<"HERE"; + + SSLVerifyClient $SSLAuth + SSLVerifyDepth 1 + SSLOptions +StdEnvVars + SSLUserName SSL_CLIENT_S_DN_CN + +HERE + } + + $OUT .=<<"EOF"; + + SSLEngine On + + PerlOptions +Parent + + #==================================================================== + # Apache configuration for LemonLDAP::NG Portal + #==================================================================== + + # DocumentRoot + DocumentRoot /var/lib/lemonldap-ng/portal/ + + + require Lemonldap::NG::Portal::SharedConf; + Lemonldap::NG::Portal::SharedConf->compile( + qw(delete header cache read_from_client cookie redirect unescapeHTML)); + # Uncomment this line if you use Lemonldap::NG menu + require Lemonldap::NG::Portal::Menu; + + + + Order allow,deny + Allow from all + Options +ExecCGI +FollowSymlinks + +$sslDirectives + + # Perl script + + SetHandler perl-script + PerlResponseHandler ModPerl::Registry + + + + DirectoryIndex index.pl index.html + + + # SAML2 Issuer + + RewriteEngine On + RewriteRule ^/saml/metadata /metadata.pl + RewriteRule ^/saml/.* /index.pl + + + # CAS Issuer + + RewriteEngine On + RewriteRule ^/cas/.* /index.pl + + + # OpenID Issuer + + RewriteEngine On + RewriteRule ^/openidserver/.* /index.pl + + + + + AddOutputFilterByType DEFLATE text/html text/plain text/xml 
text/javascript text/css + SetOutputFilter DEFLATE + BrowserMatch ^Mozilla/4 gzip-only-text/html + BrowserMatch ^Mozilla/4\.0[678] no-gzip + BrowserMatch \bMSIE !no-gzip !gzip-only-text/html + SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary + + + Header append Vary User-Agent env=!dont-vary + + + + + ExpiresActive On + ExpiresDefault "access plus 1 month" + + + +EOF + } +} + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-begin b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-begin new file mode 100644 index 0000000..b050035 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-begin @@ -0,0 +1,2 @@ + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-end b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-end new file mode 100644 index 0000000..50d3d92 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-end @@ -0,0 +1,2 @@ + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/00Setup b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/00Setup new file mode 100644 index 0000000..e00a95b --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/00Setup @@ -0,0 +1,10 @@ +{ + use esmith::DomainsDB; + # Convert the passed hash for the domain object back into an object. + $domain = bless \%domain, 'esmith::DB::db::Record'; + + # Make scalars from some of the properties of the domain + $virtualHost = $domain->key; + $OUT = ""; +} + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/10ServerName b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/10ServerName new file mode 100644 index 0000000..38f4ddf --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/10ServerName 
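Review bot: the SSL-auth test `$SSLAuth =~ m/^(require)|(optional)$/` has an alternation precedence bug: it accepts any value that starts with `require` or ends with `optional` (for instance `required`), and that unvalidated value is then interpolated into `SSLVerifyClient $SSLAuth`, which yields an invalid directive. Use `$SSLAuth =~ m/^(?:require|optional)$/`, which also matches the `eq 'optional' || eq 'require'` test used by the lmConf `020auth` fragment in this commit. `my $a = esmith::AccountsDB->open_ro()` is never used in this template (and `$a` is Perl's sort variable), so drop it.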
@@ -0,0 +1 @@ + ServerName {$virtualHost} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80LemonLDAPSoap b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80LemonLDAPSoap new file mode 100644 index 0000000..d4d27c3 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80LemonLDAPSoap 
@@ -0,0 +1,119 @@ +{ + +use esmith::AccountsDB; +my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n"; + +if ( $port ne ($modSSL{'TCPPort'} || '443')){ + $OUT .=<<"EOF"; + + #==================================================================== + # HTTPS redirection for LemonLDAP::NG Portal + #==================================================================== + + RewriteEngine on + RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\] + +EOF + } +else{ + my $soapAllow = join (" ", split(/[;,]/, ($lemonldap{'SoapAllowFrom'} || ''))); + $soapAllow = ( $soapAllow eq '' ) ? '' : "Allow from $soapAllow\n "; + my $soapPassword = $lemonldap{'SoapPassword'} || ''; + $soapAllow .= ($soapPassword eq '') ? '' : + 'AuthName "LemonLDAP SOAP interface"' . "\n " . + 'AuthType Basic' . "\n " . + 'AuthBasicProvider file' . "\n " . + 'AuthUserFile /etc/lemonldap-ng/soap-htpasswd' . "\n " . + 'Require valid-user' . "\n " . + 'Satisfy all'; + + $OUT .=<<"EOF"; + + SSLEngine On + + PerlOptions +Parent + + #==================================================================== + # Apache configuration for LemonLDAP::NG Portal + #==================================================================== + + # DocumentRoot + DocumentRoot /var/lib/lemonldap-ng/portal/ + + + require Lemonldap::NG::Portal::SharedConf; + Lemonldap::NG::Portal::SharedConf->compile( + qw(delete header cache read_from_client cookie redirect unescapeHTML)); + # Uncomment this line if you use portal SOAP capabilities + require SOAP::Lite; + + + + Order allow,deny + Allow from all + Options +ExecCGI +FollowSymlinks + + + # Perl script + + SetHandler perl-script + PerlResponseHandler ModPerl::Registry + + + + DirectoryIndex index.pl index.html + + + # SOAP functions for sessions management (disabled by default) + + Order deny,allow + Deny from all + $soapAllow + + + # SOAP functions for sessions access (disabled by default) + + Order deny,allow + Deny from all + $soapAllow + + + # SOAP functions for 
configuration access (disabled by default) + + Order deny,allow + Deny from all + $soapAllow + + + # SOAP functions for notification insertion (disabled by default) + + Order deny,allow + Deny from all + $soapAllow + + + + + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css + SetOutputFilter DEFLATE + BrowserMatch ^Mozilla/4 gzip-only-text/html + BrowserMatch ^Mozilla/4\.0[678] no-gzip + BrowserMatch \bMSIE !no-gzip !gzip-only-text/html + SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary + + + Header append Vary User-Agent env=!dont-vary + + + + + ExpiresActive On + ExpiresDefault "access plus 1 month" + + + +EOF + } +} + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-begin b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-begin new file mode 100644 index 0000000..b050035 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-begin @@ -0,0 +1,2 @@ + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-end b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-end new file mode 100644 index 0000000..50d3d92 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-end @@ -0,0 +1,2 @@ + + diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/05LemonLDAPHandler b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/05LemonLDAPHandler new file mode 100644 index 0000000..a866835 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/05LemonLDAPHandler 
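Review bot: the four SOAP locations (sessions management, sessions access, configuration access and notification insertion) all receive the same `$soapAllow` block, so the single `lemonsoap` password that remote handlers need for session lookups also grants access to the configuration and notification endpoints; a handler host that leaks that password exposes the whole SSO configuration. That may be acceptable for this deployment, but it deserves a comment, and a separate credential per endpoint via `Require user` would be a cheap hardening later. The `Satisfy all` correctly keeps both the `Allow from` list and the Basic credential mandatory when a password is set. Two cosmetic points: the header comments say `LemonLDAP::NG Portal` although this is the SOAP vhost, and `my $a = esmith::AccountsDB->open_ro()` is unused here as well.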
@@ -0,0 +1,10 @@ +{ + +if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){ + $OUT .= " # This virtualhost is configured to be protected by LemonLDAP NG\n" . + " PerlHeaderParserHandler My::Package\n" . + " ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" . + " ErrorDocument 500 https://auth.$DomainName/?lmError=500\n"; +} + +} diff --git a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/05LemonLDAPHandler b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/05LemonLDAPHandler new file mode 100644 index 0000000..a866835 --- /dev/null +++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/05LemonLDAPHandler @@ -0,0 +1,10 @@ +{ + +if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){ + $OUT .= " # This virtualhost is configured to be protected by LemonLDAP NG\n" . + " PerlHeaderParserHandler My::Package\n" . + " ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" . + " ErrorDocument 500 https://auth.$DomainName/?lmError=500\n"; +} + +} diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/00header b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/00header new file mode 100644 index 0000000..3e401fc --- /dev/null +++ b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/00header 
@@ -0,0 +1,19 @@
+#==============================================================================
+# LemonLDAP::NG local configuration parameters
+#
+# This file is dedicated to configuration parameters override
+# You can set here configuration parameters that will be used only by
+# local LemonLDAP::NG elements
+#
+# Section "all" is always read first before "portal", "handler"
+# and "manager"
+#
+# Section "configuration" is used to load global configuration and set cache
+# (replace old storage.conf file)
+#
+# Section "apply" is read by Manager to reload handlers
+# (replace old apply.conf file)
+#
+# Other section are only read by the specific LemonLDAP::NG component
+#==============================================================================
+
diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/05All b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/05All
new file mode 100644
index 0000000..84ad484
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/05All
@@ -0,0 +1,5 @@
+
+[all]
+globalStorage = Apache::Session::File
+globalStorageOptions = \{ 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', \}
+
diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/10configuration b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/10configuration
new file mode 100644
index 0000000..f7e1193
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/10configuration
@@ -0,0 +1,9 @@
+
+[configuration]
+
+type=File
+dirName = /var/lib/lemonldap-ng/conf
+
+localStorage=Cache::FileCache
+localStorageOptions=\{ 'namespace' => 'localcache', 'default_expires_in' => 600, 'directory_umask' => '007', 'cache_root' => '/var/cache/lemonldap-ng', 'cache_depth' => 5, \}
+
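Review bot: `[all] globalStorage = Apache::Session::File` deserves a comment on its relationship to the lmConf `015soap` fragment in this commit, which switches `globalStorage` to `Lemonldap::NG::Common::Apache::Session::SOAP` once `SoapAllowFrom` is set: if, as the header says, values in this ini override the global configuration, the local portal, manager and handler keep the file store while remote handlers that fetch the configuration over SOAP get the SOAP store, which is presumably the intent. Something like `# Local components always use the file store; this overrides the SOAP globalStorage that lmConf publishes to remote handlers` above the `globalStorage` line would make that explicit. Nothing visible here sets the ownership or mode of the session and lock directories; confirm they are `www`-writable and not world-readable, since session files carry user attributes.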
diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/15apply b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/15apply
new file mode 100644
index 0000000..5d44fe4
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/15apply
@@ -0,0 +1,11 @@
+[apply]
+
+{"$SystemName.$DomainName";} = https://{"$SystemName.$DomainName";}/lm-reload
+
+{
+
+foreach my $srv (split(/[;,]/, ($lemonldap{'Reload'} || ''))){
+ my ($name,$url) = split(/=/, $srv);
+ $OUT .= "$name = $url\n";
+}
+}
diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/20manager b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/20manager
new file mode 100644
index 0000000..466001f
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/20manager
@@ -0,0 +1,10 @@
+
+[manager]
+{
+ $OUT .= (($lemonldap{'ManagerAuth'} || 'basic') eq 'self') ?
+ 'protection = manager' : '';
+}
+
+[sessionsExplorer]
+
+
diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/25handler b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/25handler
new file mode 100644
index 0000000..0be2cb2
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/25handler
@@ -0,0 +1,6 @@
+[handler]
+
+https = 1
+status = 0
+useRedirectOnError = 1
+
diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/30portal b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/30portal
new file mode 100644
index 0000000..2787e6a
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/30portal
@@ -0,0 +1,3 @@
+
+[portal]
+
diff --git a/root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/05lemonsoap b/root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/05lemonsoap
new file mode 100644
index 0000000..807ffd0
--- /dev/null
+++ b/root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/05lemonsoap
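Review bot: `my ($name,$url) = split(/=/, $srv);` truncates any reload URL that itself contains `=` (`https://host/reload?key=x` yields `$url` of `https://host/reload?key`); limit the split to two fields with `my ($name, $url) = split(/=/, $srv, 2);`. Entries without `=` or with an empty URL are also emitted as `$name = ` lines, so skip them: `next unless defined $url && length $url;`. The values come from an admin-set db property, so this is a robustness rather than an injection concern.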
@@ -0,0 +1,6 @@ +{ + my $pw = $lemonldap{'SoapPassword'} || 'secret'; + my $res = `/usr/bin/htpasswd -bnm lemonsoap $pw`; + chomp($res); + $OUT .= $res; +} diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/000open b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/000open new file mode 100644 index 0000000..a69f1a3 --- /dev/null +++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/000open @@ -0,0 +1,30 @@ +{ +use esmith::ConfigDB; +use esmith::DomainsDB; +use esmith::NetworksDB; +use esmith::util; +use Lemonldap::NG::Common::Conf; + +$c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n"; +$d = esmith::DomainsDB->open_ro or die "Error opening DomainsDB\n"; +$n = esmith::NetworksDB->open_ro or die "Error opening NetworksDB\n"; +$domain = $c->get('DomainName')->value; +$base = esmith::util::ldapBase ($domain); +$ldap = $c->get('ldap') || die "Error reading ldap service entry\n"; +$port = $ldap->prop('TCPPort') || '389'; +$llng = $c->get('lemonldap'); + +$manual = $llng->prop('ManualConf') || 'disabled'; + +$confAccess = new Lemonldap::NG::Common::Conf( + { + type=>'File', + dirName=>"/var/lib/lemonldap-ng/conf", + }, +) or die "Unable to build Lemonldap::NG::Common::Conf, see Apache logs\n"; + +$conf = $confAccess->getConf(); + +$OUT = ''; + +} diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/005global b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/005global new file mode 100644 index 0000000..74d3286 --- /dev/null +++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/005global @@ -0,0 +1,13 @@ +{ + +# Global parameters +$conf->{'grantSessionRule'} = '$groups =~ /\\bshared\\b/'; +$conf->{'domain'} = "$domain"; +$conf->{'portal'} = "https://auth.$domain/"; +$conf->{'storePassword'} = '0'; +$conf->{'portalUserAttr'} = 'cn' if (($conf->{'portalUserAttr'} || '_user') eq "_user"); +$conf->{'portalDisplayChangePassword'} = '0'; + +$OUT .= ''; + +} 
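Review bot: the password is handed to a shell via backticks (`` `/usr/bin/htpasswd -bnm lemonsoap $pw` ``) and also appears on the command line, where it is visible to every local user in `ps`; the migrate fragment only produces alphanumerics, but the property is editable, so a value containing a quote or `;` would break or be executed by the shell. At least avoid the shell: `open(my $ht, '-|', '/usr/bin/htpasswd', '-bnm', 'lemonsoap', $pw) or die "htpasswd: $!\n"; chomp(my $res = <$ht>); close($ht);`, keeping `$OUT .= $res;` after it; the `ps` exposure remains unless the hash is computed in Perl. The `|| 'secret'` fallback also means a missing `SoapPassword` silently yields a credential anyone can guess, so `die "SoapPassword is not set\n"` is the safer default for an authentication file.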
diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/010ldap b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/010ldap new file mode 100644 index 0000000..d5e2cd5 --- /dev/null +++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/010ldap @@ -0,0 +1,17 @@ +{ + +# LDAP parameters +$conf->{'passwordDB'} = 'LDAP'; +$conf->{'userDB'} = 'LDAP'; +$conf->{'ldapServer'} = 'localhost'; +$conf->{'ldapPort'} = "$port"; +$conf->{'ldapVersion'} = '3'; +$conf->{'ldapBase'} = "ou=Users,$base"; +$conf->{'ldapGroupBase'} = "ou=Groups,$base"; +$conf->{'ldapGroupAttributeNameUser'} = 'uid'; +$conf->{'ldapGroupAttributeNameSearch'} = 'cn'; +$conf->{'ldapGroupAttributeName'} = 'memberUid'; +$conf->{'ldapGroupObjectClass'} = 'mailboxRelatedObject'; + +$OUT .= ''; +} diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/015soap b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/015soap new file mode 100644 index 0000000..4875634 --- /dev/null +++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/015soap @@ -0,0 +1,18 @@ +{ + +# SOAP +if (($llng->prop('SoapAllowFrom') || '') ne ''){ + my $password = $llng->prop('SoapPassword') || 'secret'; + $conf->{'Soap'} = '1'; + $conf->{'globalStorage'} = 'Lemonldap::NG::Common::Apache::Session::SOAP'; + $conf->{'globalStorageOptions'} = { + proxy => "https://lemonsoap:$password\@soapsso.$domain/index.pl/sessions" + }; +} +else { + $conf->{'Soap'} = '0'; +} + +$OUT = ''; + +} diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/020auth b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/020auth new file mode 100644 index 0000000..9bea084 --- /dev/null +++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/020auth 
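Review bot: `$password` is interpolated unescaped into the userinfo of the proxy URL (`https://lemonsoap:$password\@soapsso.$domain/index.pl/sessions`), so any `@`, `:`, `/` or `?` in the property breaks the URL or changes its host; the migrate fragment only generates alphanumerics, but the value is admin-editable and the `|| 'secret'` fallback again replaces a missing password with a guessable one. Validate rather than trust: `die "SoapPassword must be set and alphanumeric\n" unless $password =~ /^[[:alnum:]]+$/;` right after the assignment (or percent-encode it). Keep in mind that this URL, password included, is saved into `lmConf-<n>` and served to every remote handler through the configuration SOAP endpoint, which is why that file's `0660 www:www` in `template-end` matters.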
@@ -0,0 +1,26 @@
+{
+
+# SSL Auth
+my $ssl = $llng->prop('SSLAuth') || '';
+
+if ($ssl eq 'optional' || $ssl eq 'require'){
+ # SSL Auth is enabled
+ # Configure common attributes
+ $conf->{'SSLLDAPField'} = 'uid';
+ $conf->{'SSLVar'} = 'SSL_CLIENT_S_DN_CN';
+ $conf->{'SSLRequire'} = '1';
+
+ if ($ssl eq 'optional'){
+ $conf->{'authentication'} = 'Multi SSL;LDAP';
+ }
+ else{
+ $conf->{'authentication'} = 'SSL';
+ }
+}
+else{
+ $conf->{'authentication'} = 'LDAP';
+}
+
+$OUT = '';
+
+}
diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/025localnet b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/025localnet
new file mode 100644
index 0000000..cbf0da7
--- /dev/null
+++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/025localnet
@@ -0,0 +1,48 @@
+{
+
+my $reg = '$ipAddr =~ /^';
+my $count = 0;
+
+# Build a regexp to check if the client IP
+# is part of a local network
+# Then, we can easily use this macro to restrict
+# access to local networks on some applications
+
+foreach my $net ($n->networks){
+ my $addr = $net->key;
+ my $mask = $net->prop('Mask') || '255.255.255.255';
+ $reg .= '|' if ($count > 0);
+ foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+ $reg .= "($_)";
+ $count++;
+ }
+}
+
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'localAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$reg = '$ipAddr =~ /^';
+$count = 0;
+
+# Do the same for extenal SSL access
+
+foreach my $net (split(/[;,]/,(${'httpd-admin'}{'ValidFrom'} || ''))){
+ my ($addr,$mask) = split(/\//,$net);
+ $reg .= '|' if ($count > 0);
+ foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+ $reg .= "($_)";
+ $count++;
+ }
+}
+
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'externalSSLAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$OUT = '';
+
+}
+
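Review bot: In both loops the `$reg .= '|' if ($count > 0);` line sits outside the inner `foreach`, so the `|` separator is emitted once per network rather than once per prefix; if `computeAllLocalNetworkPrefixes` returns more than one prefix for a network (it is not visible here, but the inner loop is written for that case) they are concatenated as `(a)(b)` and that network matches nothing. Second, with an empty network list or an empty `ValidFrom`, `$reg` ends up as `$ipAddr =~ /^/`, which matches every address, so `externalSSLAccess` evaluates to '1' for all clients precisely when no external source is configured; the macro should be forced to '0' when `$count` is zero. The second loop also passes an undefined `$mask` when a ValidFrom entry has no `/mask` suffix, where the first loop defaults to `'255.255.255.255'`. The fence shows the externalSSLAccess loop; the separator and empty-list changes apply equally to the localAccess loop above it.
```perl
# … unchanged: localAccess loop (apply the same separator/empty-list fix there) …
foreach my $net (split(/[;,]/,(${'httpd-admin'}{'ValidFrom'} || ''))){
    my ($addr,$mask) = split(/\//,$net);
    $mask ||= '255.255.255.255';            # same default as the local-network loop
    foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
        $reg .= '|' if ($count > 0);       # separate every prefix, not every network
        $reg .= "($_)";
        $count++;
    }
}

$reg .= '/';
$reg =~ s/\./\\\./g;

# An empty allow-list must deny, not match every client
$conf->{'macros'}->{'externalSSLAccess'} =
    $count > 0 ? '(' . $reg . ") ? '1':'0'" : "'0'";
```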
diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/030notifications b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/030notifications
new file mode 100644
index 0000000..5f42906
--- /dev/null
+++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/030notifications
@@ -0,0 +1,10 @@
+{
+
+if (($conf->{'notification'} || '0') eq '1'){
+ $conf->{'notificationStorage'} = 'File';
+ $conf->{'notificationStorageOptions'} = {
+ 'dirName' => '/var/lib/lemonldap-ng/notifications'
+ },
+}
+
+}
diff --git a/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/template-end b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/template-end
new file mode 100644
index 0000000..14bc02a
--- /dev/null
+++ b/root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/template-end
@@ -0,0 +1,16 @@
+{
+
+# Now, update the configuration
+my $num = $confAccess->saveConf($conf);
+
+if ($num > 0){
+ esmith::util::chownFile('www', 'www', "/var/lib/lemonldap-ng/conf/lmConf-$num");
+ chmod 0660, "/var/lib/lemonldap-ng/conf/lmConf-$num";
+}
+else {
+ die "An error occured saving LemonLDAP::NG configuration: $num\n";
+}
+
+$OUT = '# This is just a dummy config file';
+
+}
diff --git a/smeserver-lemonldap-ng.spec b/smeserver-lemonldap-ng.spec
new file mode 100644
index 0000000..d815d79
--- /dev/null
+++ b/smeserver-lemonldap-ng.spec
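Review bot: The `},` that closes the `notificationStorageOptions` hash should be `};`; Perl only accepts the trailing comma because this is the last statement before the block's `}`, and it reads as an unfinished list. Nothing else in the fragment needs changing.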
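Review bot: The new `lmConf-$num` file already exists on disk after the `saveConf` line and only gets its `chownFile`/`chmod 0660` afterwards, so for that window its mode is whatever the process umask and `saveConf` produce — and, per 015soap, the file carries the SOAP credential. Unless `Lemonldap::NG::Common::Conf` is known to create the file restrictively (not visible here), wrap the save as `my $old_umask = umask(0007);` before `saveConf` and `umask($old_umask);` after it, so the file is never world-readable even briefly. The `> 0` test presumably treats any non-positive return as failure; the `die` message could say so, and "occured" is misspelled.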
@@ -0,0 +1,135 @@
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Summary: LemonLDAP NG is a web SSO solution
+%define name smeserver-lemonldap-ng
+Name: %{name}
+%define version 0.2.0
+%define release 1
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: SME Server
+Source: %{name}-%{version}.tar.gz
+
+BuildArchitectures: noarch
+
+BuildRequires: e-smith-devtools
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+
+Requires: e-smith-base >= 5.2.0-56
+Requires: e-smith-ldap
+Requires: smeserver-webapps-common >= 0.1-8
+Requires: lemonldap-ng
+
+%description
+This package contains all the needed scripts and templates
+to run LemonLDAP NG on your SME Server. It uses LDAP as authentication source
+but can also use SSL auth (either optional with a fallback to LDAP, or SSL required)
+
+%changelog
+* Wed Jun 20 2012 Daniel Berteaud 0.2.0-1.sme
+- Import in GIT
+
+* Mon Dec 19 2011 Daniel Berteaud 0.1-22.sme
+- Change SSL Auth to work with LocationMatch, so CAS proxy can work with
+ SSL Auth enabled
+
+* Wed Jul 13 2011 Daniel Berteaud 0.1-21.sme
+- Disable password reset form
+
+* Wed Jul 13 2011 Daniel Berteaud 0.1-20.sme
+- Fix uninitilized values in lemonldap conf templates
+
+* Mon Jul 11 2011 Daniel Berteaud 0.1-19.sme
+- reserve /lm-reload
+
+* Sun Jul 10 2011 Daniel Berteaud 0.1-18.sme
+- Fix notification check
+
+* Sat Jul 09 2011 Daniel Berteaud 0.1-17.sme
+- Don't force notifications on
+
+* Fri Jul 08 2011 Daniel Berteaud 0.1-16.sme
+- Enable and configure notifications
+
+* Thu Jun 30 2011 Daniel Berteaud 0.1-15.sme
+- Manage some configuration from the DB
+
+* Fri Mar 11 2011 Daniel Berteaud 0.1-14.sme
+- Make LemonLDAP compatible with ocsinventory-ng
+
+* Mon Mar 7 2011 Daniel Berteaud 0.1-13.sme
+- Add support for SSL Auth on the portal
+- Use a separated vhost for SOAP requests
+
+* Tue Feb 1 2011 Daniel Berteaud 0.1-12.sme
+- Requires recent version of smeserver-webapps-common
+- Switch to LDAP based auth to protect the manager
+
+* Tue Jan 25 2011 Daniel Berteaud 0.1-11.sme
+- Fix a spacing issue in httpd templates
+
+* Fri Jan 21 2011 Daniel Berteaud 0.1-10.sme
+- Add SSLEngine directives in https virtualhosts
+
+* Fri Jan 21 2011 Daniel Berteaud 0.1-9.sme
+- Fix empty SoapPassword
+
+* Thu Jan 06 2011 Daniel Berteaud 0.1-8.sme
+- Fix Soap ressources authentication
+
+* Tue Jan 03 2011 Daniel Berteaud 0.1-7.sme
+- Run the manager as a perl script (instead of CGI mode)
+
+* Tue Jan 03 2011 Daniel Berteaud 0.1-6.sme
+- Use https links for error pages
+
+* Tue Dec 30 2010 Daniel Berteaud 0.1-5.sme
+- use only alphanumeric characters for soap password
+- use htpasswd to hash the password
+
+* Tue Dec 28 2010 Daniel Berteaud 0.1-4.sme
+- don't load mod_auth_external if not needed
+- move cache dir in /var/cache
+- Fix several hosts listed in SoapAllowFrom
+
+* Fri Dec 24 2010 Daniel Berteaud 0.1-3.sme
+- Use htpasswd file to protect SOAP services
+- Configure session storage in lemonldap-ng.ini
+- Support additionnal server reload URL
+
+* Fri Dec 17 2010 Daniel Berteaud 0.1-2.sme
+- Let the manager be self-protected if ManagerAuth eq self
+
+* Wed Dec 16 2010 Daniel Berteaud 0.1-1.sme
+- initial public release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+perl createlinks
+%{__mkdir_p} root/var/cache/lemonldap-ng
+%{__mkdir_p} root/var/lib/lemonldap-ng/notifications
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+ --dir /var/cache/lemonldap-ng 'attr(0770,root,www)' \
+ --dir /var/lib/lemonldap-ng/notifications 'attr(0770,root,www)' \
+ > %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+%preun
+
+true