premier commit

createlinks

@@ -0,0 +1,14 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+templates2events("/etc/lemonldap-ng/lemonldap-ng.ini", qw/webapps-update bootstrap-console-save/);
+templates2events("/etc/lemonldap-ng/soap-htpasswd", qw/webapps-update bootstrap-console-save/);
+
+event_link("lemonldap-init-domains", "webapps-update", "20");
+foreach my $event (qw/webapps-update network-create network-delete bootstrap-ldap-save remoteaccess-update/){
+    event_link("lemonldap-update-conf", "$event", "25");
+}
+
+safe_touch("root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/template-begin");
+

root/etc/e-smith/db/accounts/defaults/lm-reload/type

@@ -0,0 +1 @@
+url

root/etc/e-smith/db/configuration/defaults/lemonldap/status

@@ -0,0 +1 @@
+enabled

root/etc/e-smith/db/configuration/defaults/lemonldap/type

@@ -0,0 +1 @@
+service

root/etc/e-smith/db/configuration/migrate/lemonldap-enable-mod_perl

@@ -0,0 +1,12 @@
+{
+
+    my $mp = $DB->get('modPerl') || $DB->new_record("modPerl", { type => "service", status => "enabled" });
+
+    if ( ($mp->prop('status') || 'disabled') eq 'enabled'){
+        return "";
+    }
+    else{
+        $DB->set_prop('modPerl', 'status', 'enabled');
+    }
+
+}

root/etc/e-smith/db/configuration/migrate/lemonldap-soappasswd

@@ -0,0 +1,13 @@
+{
+
+my $rec = $DB->get('lemonldap')
+        || $DB->new_record('lemonldap', {type => 'service'});
+
+my $pw = $rec->prop('SoapPassword');
+
+if (not $pw){
+    my $rand = `/usr/bin/openssl rand -base64 35 | tr -cd '[:alnum:]'`;
+    $rec->set_prop('SoapPassword', "$rand");
+}
+
+}

root/etc/e-smith/events/actions/lemonldap-init-domains

@@ -0,0 +1,88 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall-Services
+# daniel@firewall-services.com
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+# Technical support for this program is available from Mitel Networks 
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+use strict;
+use warnings;
+use esmith::DomainsDB;
+use esmith::ConfigDB;
+
+my $d = esmith::DomainsDB->open or die "Couldn't open DomainsDB\n";
+my $c = esmith::ConfigDB->open_ro() or die "Couldn't open ConfigDB\n";
+
+my $domain = $c->get('DomainName')->value;
+my $vhost;
+
+$vhost = $d->get("sso-manager.$domain");
+
+if (!$vhost){
+    $d->new_record("sso-manager.$domain",{
+        type         => 'domain',
+        Content      => 'Primary',
+        Description  => "LemonLDAP-NG Manager",
+        Nameservers  => 'internet',
+        TemplatePath => 'LemonLDAPManager',
+        Removable    => 'no',
+    });
+
+    unless ( system("/sbin/e-smith/signal-event", "domain-create", "sso-manager.$domain") == 0 ){
+        die "Failed to create domain sso-manager.$domain\n";
+    }
+}
+
+$vhost = $d->get("auth.$domain");
+
+if (!$vhost){
+    $d->new_record("auth.$domain",{
+        type         => 'domain',
+        Content      => 'Primary',
+        Description  => "LemonLDAP-NG Portal",
+        Nameservers  => 'internet',
+        TemplatePath => 'LemonLDAPPortal',
+        Removable    => 'no',
+    });
+
+    unless ( system("/sbin/e-smith/signal-event", "domain-create", "auth.$domain") == 0 ){
+        die "Failed to create domain auth.$domain\n";
+    }
+}
+
+$vhost = $d->get("soapsso.$domain");
+
+if (!$vhost){
+    $d->new_record("soapsso.$domain",{
+        type         => 'domain',
+        Content      => 'Primary',
+        Description  => "LemonLDAP-NG SOAP Handler",
+        Nameservers  => 'internet',
+        TemplatePath => 'LemonLDAPSoap',
+        Removable    => 'no',
+    });
+
+    unless ( system("/sbin/e-smith/signal-event", "domain-create", "soapsso.$domain") == 0 ){
+        die "Failed to create domain soapsso.$domain\n";
+    }
+}
+
+
+exit 0;
+

root/etc/e-smith/events/actions/lemonldap-update-conf

@@ -0,0 +1,43 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2011 Firewall-Services
+# daniel@firewall-services.com
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+# Technical support for this program is available from Mitel Networks 
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+use esmith::ConfigDB;
+use esmith::templates;
+
+my $c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
+my $llng = $c->get('lemonldap');
+
+my $status = $llng->prop('status') || 'disabled';
+my $manual = $llng->prop('ManualConf') || 'disabled';
+
+# Don't touch the configuration if it's set to be manual
+# or if the service is disabled
+exit (0) if ($manual eq 'enabled' or $status ne 'enabled');
+
+processTemplate(
+        {   
+            TEMPLATE_PATH => "/var/lib/lemonldap-ng/conf/lmConf",
+            OUTPUT_FILENAME => "/var/lib/lemonldap-ng/conf/lmConf",
+        });
+
+exit (0);

root/etc/e-smith/templates.metadata/etc/lemonldap-ng/lemonldap-ng.ini

@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="www"

root/etc/e-smith/templates.metadata/etc/lemonldap-ng/soap-htpasswd

@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="www"

root/etc/e-smith/templates.metadata/var/lib/lemonldap-ng/conf/lmConf-2

@@ -0,0 +1,3 @@
+PERMS=0640
+UID="www"
+GID="www"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/97LemonLDAPHandler

@@ -0,0 +1,32 @@
+#====================================================================
+# Apache configuration for LemonLDAP::NG Handler
+#====================================================================
+
+# Load LemonLDAP::NG Handler
+PerlOptions +GlobalRequest
+PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
+
+# Common error page and security parameters
+#ErrorDocument 403 http://auth.{$DomainName}/?lmError=403
+#ErrorDocument 500 http://auth.{$DomainName}/?lmError=500
+
+
+# Configuration reload mechanism (only 1 per physical server is
+# needed): choose your URL to avoid restarting Apache when
+# configuration change
+<Location /lm-reload>
+    SSLRequireSSL on
+    Order deny,allow
+    Deny from all
+    Allow from {"$localAccess $externalSSLAccess";}
+    PerlHeaderParserHandler My::Package->refresh
+</Location>
+
+# Uncomment this to activate status module
+#<Location /status>
+#    Order deny,allow
+#    Deny from all
+#    Allow from 127.0.0.0/8
+#    PerlHeaderParserHandler My::Package->status
+#</Location>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/00Setup

@@ -0,0 +1,10 @@
+{
+    use esmith::DomainsDB;
+    # Convert the passed hash for the domain object back into an object.
+    $domain = bless \%domain, 'esmith::DB::db::Record';
+
+    # Make scalars from some of the properties of the domain
+    $virtualHost = $domain->key;
+    $OUT = "";
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/10ServerName

@@ -0,0 +1 @@
+    ServerName {$virtualHost}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80LemonLDAPManager

@@ -0,0 +1,105 @@
+{
+
+    use esmith::util;
+
+    if ( $port ne ($modSSL{'TCPPort'} || '443')){
+        $OUT .=<<"EOF";
+
+    #====================================================================
+    # HTTPS redirection for LemonLDAP::NG Manager
+    #====================================================================
+
+    RewriteEngine on
+    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+EOF
+    }
+    else{
+        my $authtype = $lemonldap{'ManagerAuth'} || 'basic';
+        my $auth = '';
+        my $base = esmith::util::ldapBase($DomainName);
+
+        unless ( $authtype eq 'self' ) {
+            $auth = "AuthName 'LemonLDAP NG Manager Interface'\n" .
+                    "        AuthType Basic\n" .
+                    "        AuthBasicProvider ldap\n" .
+                    "        AuthLDAPURL ldap://localhost/ou=Users,$base?uid\n" .
+                    "        AuthLDAPGroupAttribute memberUid\n" .
+                    "        AuthLDAPGroupAttributeIsDN off\n" .
+                    "        require ldap-user admin";
+        }
+
+        $OUT .=<<"EOF";
+
+    SSLEngine On
+
+    PerlOptions +Parent
+
+    #====================================================================
+    # Apache configuration for LemonLDAP::NG Manager
+    #====================================================================
+
+    # DocumentRoot
+    DocumentRoot /var/lib/lemonldap-ng/manager/
+    <Directory /var/lib/lemonldap-ng/manager/>
+        Order deny,allow
+        Deny from all
+        Allow from $localAccess $externalSSLAccess
+        Options +ExecCGI +FollowSymlinks
+        $auth
+        Satisfy all
+    </Directory>
+
+    # On-line documentation
+    Alias /doc/ /var/lib/lemonldap-ng/doc/
+    Alias /lib/ /var/lib/lemonldap-ng/doc/lib/
+    <Directory /var/lib/lemonldap-ng/doc/>
+        Order deny,allow
+        Allow from all
+        ErrorDocument 404 /notfound.html
+        Options +FollowSymlinks
+        DirectoryIndex index.pl index.html
+    </Directory>
+
+    # Perl script
+    # Note: to avoid manager stay in memory, we don't use ModPerl::Registry
+    #       by default. Change this to increase manager performances
+    <Files *.pl>
+        #SetHandler cgi-script
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+    </Files>
+
+    # Directory index
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+    <Location /doc/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+    <Location /skins/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+EOF
+    }
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-begin

@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-end

@@ -0,0 +1,2 @@
+</VirtualHost>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/00Setup

@@ -0,0 +1,10 @@
+{
+    use esmith::DomainsDB;
+    # Convert the passed hash for the domain object back into an object.
+    $domain = bless \%domain, 'esmith::DB::db::Record';
+
+    # Make scalars from some of the properties of the domain
+    $virtualHost = $domain->key;
+    $OUT = "";
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/10ServerName

@@ -0,0 +1 @@
+    ServerName {$virtualHost}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80LemonLDAPPortal

@@ -0,0 +1,116 @@
+{
+
+use esmith::AccountsDB;
+my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
+
+if ( $port ne ($modSSL{'TCPPort'} || '443')){
+    $OUT .=<<"EOF";
+
+    #====================================================================
+    # HTTPS redirection for LemonLDAP::NG Portal
+    #====================================================================
+
+    RewriteEngine on
+    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+
+EOF
+    }
+else{
+
+    # SSL Authentication
+    my $SSLAuth = $lemonldap{'SSLAuth'} || 'disabled';
+    my $sslDirectives = '    # SSL Auth is disabled';
+    if ((-e '/etc/pki/tls/certs/cacert.pem') &&
+        ($SSLAuth =~ m/^(require)|(optional)$/)) {
+        $sslDirectives =<<"HERE";
+    <LocationMatch "^/(\$|\\?url=.*|cas/login.*)">
+        SSLVerifyClient $SSLAuth
+        SSLVerifyDepth 1
+        SSLOptions +StdEnvVars
+        SSLUserName SSL_CLIENT_S_DN_CN
+    </LocationMatch>
+HERE
+    }
+ 
+    $OUT .=<<"EOF";
+
+    SSLEngine On
+
+    PerlOptions +Parent
+
+    #====================================================================
+    # Apache configuration for LemonLDAP::NG Portal
+    #====================================================================
+
+    # DocumentRoot
+    DocumentRoot /var/lib/lemonldap-ng/portal/
+
+    <Perl>
+        require Lemonldap::NG::Portal::SharedConf;
+        Lemonldap::NG::Portal::SharedConf->compile(
+            qw(delete header cache read_from_client cookie redirect unescapeHTML));
+        # Uncomment this line if you use Lemonldap::NG menu
+        require Lemonldap::NG::Portal::Menu;
+    </Perl>
+
+    <Directory /var/lib/lemonldap-ng/portal/>
+        Order allow,deny
+        Allow from all
+        Options +ExecCGI +FollowSymlinks
+    </Directory>
+$sslDirectives
+
+    # Perl script
+    <Files *.pl>
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+    </Files>
+
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
+    # SAML2 Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/saml/metadata /metadata.pl
+        RewriteRule ^/saml/.* /index.pl
+    </IfModule>
+
+    # CAS Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/cas/.* /index.pl
+    </IfModule>
+
+    # OpenID Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/openidserver/.* /index.pl
+    </IfModule>
+
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+    <Location /skins/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+
+EOF
+    }
+}
+
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-begin

@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-end

@@ -0,0 +1,2 @@
+</VirtualHost>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/00Setup

@@ -0,0 +1,10 @@
+{
+    use esmith::DomainsDB;
+    # Convert the passed hash for the domain object back into an object.
+    $domain = bless \%domain, 'esmith::DB::db::Record';
+
+    # Make scalars from some of the properties of the domain
+    $virtualHost = $domain->key;
+    $OUT = "";
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/10ServerName

@@ -0,0 +1 @@
+    ServerName {$virtualHost}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80LemonLDAPSoap

@@ -0,0 +1,119 @@
+{
+
+use esmith::AccountsDB;
+my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
+
+if ( $port ne ($modSSL{'TCPPort'} || '443')){
+    $OUT .=<<"EOF";
+
+    #====================================================================
+    # HTTPS redirection for LemonLDAP::NG Portal
+    #====================================================================
+
+    RewriteEngine on
+    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+
+EOF
+    }
+else{
+    my $soapAllow = join (" ", split(/[;,]/, ($lemonldap{'SoapAllowFrom'} || '')));
+    $soapAllow = ( $soapAllow eq '' ) ? '' : "Allow from $soapAllow\n        ";
+    my $soapPassword = $lemonldap{'SoapPassword'} || '';
+    $soapAllow .=  ($soapPassword eq '') ? '' :
+        'AuthName "LemonLDAP SOAP interface"' . "\n        " .
+        'AuthType Basic' . "\n        " .
+        'AuthBasicProvider file' . "\n        " .
+        'AuthUserFile /etc/lemonldap-ng/soap-htpasswd' . "\n        " .
+        'Require valid-user' . "\n        " .
+        'Satisfy all';
+
+    $OUT .=<<"EOF";
+
+    SSLEngine On
+
+    PerlOptions +Parent
+
+    #====================================================================
+    # Apache configuration for LemonLDAP::NG Portal
+    #====================================================================
+
+    # DocumentRoot
+    DocumentRoot /var/lib/lemonldap-ng/portal/
+
+    <Perl>
+        require Lemonldap::NG::Portal::SharedConf;
+        Lemonldap::NG::Portal::SharedConf->compile(
+            qw(delete header cache read_from_client cookie redirect unescapeHTML));
+        # Uncomment this line if you use portal SOAP capabilities
+        require SOAP::Lite;
+    </Perl>
+
+    <Directory /var/lib/lemonldap-ng/portal/>
+        Order allow,deny
+        Allow from all
+        Options +ExecCGI +FollowSymlinks
+    </Directory>
+
+    # Perl script
+    <Files *.pl>
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+    </Files>
+
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
+    # SOAP functions for sessions management (disabled by default)
+    <Location /index.pl/adminSessions>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    # SOAP functions for sessions access (disabled by default)
+    <Location /index.pl/sessions>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    # SOAP functions for configuration access (disabled by default)
+    <Location /index.pl/config>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    # SOAP functions for notification insertion (disabled by default)
+    <Location /index.pl/notification>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+    <Location /skins/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+
+EOF
+    }
+}
+
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-begin

@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-end

@@ -0,0 +1,2 @@
+</VirtualHost>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/05LemonLDAPHandler

@@ -0,0 +1,10 @@
+{
+
+if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){
+    $OUT .= "    # This virtualhost is configured to be protected by LemonLDAP NG\n" .
+            "    PerlHeaderParserHandler My::Package\n" .
+            "    ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
+            "    ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
+}
+
+}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/05LemonLDAPHandler

@@ -0,0 +1,10 @@
+{
+
+if (($domain->prop('LemonLDAP') || 'disabled') eq 'enabled'){
+    $OUT .= "    # This virtualhost is configured to be protected by LemonLDAP NG\n" .
+            "    PerlHeaderParserHandler My::Package\n" .
+            "    ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
+            "    ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
+}
+
+}

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/00header

@@ -0,0 +1,19 @@
+#==============================================================================
+# LemonLDAP::NG local configuration parameters
+#
+# This file is dedicated to configuration parameters override
+# You can set here configuration parameters that will be used only by
+# local LemonLDAP::NG elements
+#
+# Section "all" is always read first before "portal", "handler"
+# and "manager"
+#
+# Section "configuration" is used to load global configuration and set cache
+# (replace old storage.conf file)
+#
+# Section "apply" is read by Manager to reload handlers
+# (replace old apply.conf file)
+#
+# Other section are only read by the specific LemonLDAP::NG component
+#==============================================================================
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/05All

@@ -0,0 +1,5 @@
+
+[all]
+globalStorage = Apache::Session::File
+globalStorageOptions = \{ 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', \}
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/10configuration

@@ -0,0 +1,9 @@
+
+[configuration]
+
+type=File
+dirName = /var/lib/lemonldap-ng/conf
+
+localStorage=Cache::FileCache
+localStorageOptions=\{ 'namespace' => 'localcache', 'default_expires_in' => 600, 'directory_umask' => '007', 'cache_root' => '/var/cache/lemonldap-ng', 'cache_depth' => 5, \}
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/15apply

@@ -0,0 +1,11 @@
+[apply]
+
+{"$SystemName.$DomainName";} = https://{"$SystemName.$DomainName";}/lm-reload
+
+{
+
+foreach my $srv (split(/[;,]/, ($lemonldap{'Reload'} || ''))){
+    my ($name,$url) = split(/=/, $srv);
+    $OUT .= "$name = $url\n";
+}
+}

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/20manager

@@ -0,0 +1,10 @@
+
+[manager]
+{
+    $OUT .= (($lemonldap{'ManagerAuth'} || 'basic') eq 'self') ?
+        'protection = manager' : '';
+}
+
+[sessionsExplorer]
+
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/25handler

@@ -0,0 +1,6 @@
+[handler]
+
+https = 1
+status = 0
+useRedirectOnError = 1
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/30portal

@@ -0,0 +1,3 @@
+
+[portal]
+

root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/05lemonsoap

@@ -0,0 +1,6 @@
+{
+    my $pw = $lemonldap{'SoapPassword'} || 'secret';
+    my $res = `/usr/bin/htpasswd -bnm lemonsoap $pw`;
+    chomp($res);
+    $OUT .= $res;
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/000open

@@ -0,0 +1,30 @@
+{
+use esmith::ConfigDB;
+use esmith::DomainsDB;
+use esmith::NetworksDB;
+use esmith::util;
+use Lemonldap::NG::Common::Conf;
+
+$c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
+$d = esmith::DomainsDB->open_ro or die "Error opening DomainsDB\n";
+$n = esmith::NetworksDB->open_ro or die "Error opening NetworksDB\n";
+$domain = $c->get('DomainName')->value;
+$base = esmith::util::ldapBase ($domain);
+$ldap = $c->get('ldap') || die "Error reading ldap service entry\n";
+$port = $ldap->prop('TCPPort') || '389';
+$llng = $c->get('lemonldap');
+
+$manual = $llng->prop('ManualConf') || 'disabled';
+
+$confAccess = new Lemonldap::NG::Common::Conf(
+          {
+              type=>'File',
+              dirName=>"/var/lib/lemonldap-ng/conf",
+          },
+) or die "Unable to build Lemonldap::NG::Common::Conf, see Apache logs\n";
+
+$conf = $confAccess->getConf();
+
+$OUT = '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/005global

@@ -0,0 +1,13 @@
+{
+
+# Global parameters
+$conf->{'grantSessionRule'} = '$groups =~ /\\bshared\\b/';
+$conf->{'domain'} = "$domain";
+$conf->{'portal'} = "https://auth.$domain/";
+$conf->{'storePassword'} = '0';
+$conf->{'portalUserAttr'} = 'cn' if (($conf->{'portalUserAttr'} || '_user') eq "_user");
+$conf->{'portalDisplayChangePassword'} = '0';
+
+$OUT .= '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/010ldap

@@ -0,0 +1,17 @@
+{
+
+# LDAP parameters
+$conf->{'passwordDB'} = 'LDAP';
+$conf->{'userDB'} = 'LDAP';
+$conf->{'ldapServer'} = 'localhost';
+$conf->{'ldapPort'} = "$port";
+$conf->{'ldapVersion'} = '3';
+$conf->{'ldapBase'} = "ou=Users,$base";
+$conf->{'ldapGroupBase'} = "ou=Groups,$base";
+$conf->{'ldapGroupAttributeNameUser'} = 'uid';
+$conf->{'ldapGroupAttributeNameSearch'} = 'cn';
+$conf->{'ldapGroupAttributeName'} = 'memberUid';
+$conf->{'ldapGroupObjectClass'} = 'mailboxRelatedObject';
+
+$OUT .= '';
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/015soap

@@ -0,0 +1,18 @@
+{
+
+# SOAP
+if (($llng->prop('SoapAllowFrom') || '') ne ''){
+    my $password = $llng->prop('SoapPassword') || 'secret';
+    $conf->{'Soap'} = '1';
+    $conf->{'globalStorage'} = 'Lemonldap::NG::Common::Apache::Session::SOAP';
+    $conf->{'globalStorageOptions'} = {
+        proxy    => "https://lemonsoap:$password\@soapsso.$domain/index.pl/sessions"
+    };
+}
+else {
+    $conf->{'Soap'} = '0';
+}
+
+$OUT = '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/020auth

@@ -0,0 +1,26 @@
+{
+
+# SSL Auth
+my $ssl = $llng->prop('SSLAuth') || '';
+
+if ($ssl eq 'optional' || $ssl eq 'require'){
+    # SSL Auth is enabled
+    # Configure common attributes
+    $conf->{'SSLLDAPField'} = 'uid';
+    $conf->{'SSLVar'} = 'SSL_CLIENT_S_DN_CN';
+    $conf->{'SSLRequire'} = '1';
+
+    if ($ssl eq 'optional'){
+         $conf->{'authentication'} = 'Multi SSL;LDAP';
+    }
+    else{
+         $conf->{'authentication'} = 'SSL';
+    }
+}
+else{
+    $conf->{'authentication'} = 'LDAP';
+}
+
+$OUT = '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/025localnet

@@ -0,0 +1,48 @@
+{
+
+my $reg = '$ipAddr =~ /^';
+my $count = 0;
+
+# Build a regexp to check if the client IP
+# is part of a local network
+# Then, we can easily use this macro to restrict
+# access to local networks on some applications
+
+foreach my $net ($n->networks){
+    my $addr = $net->key;
+    my $mask = $net->prop('Mask') || '255.255.255.255';
+    $reg .= '|' if ($count > 0);
+    foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+        $reg .= "($_)";
+        $count++;
+    }
+}
+
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'localAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$reg = '$ipAddr =~ /^';
+$count = 0;
+
+# Do the same for extenal SSL access
+
+foreach my $net (split(/[;,]/,(${'httpd-admin'}{'ValidFrom'} || ''))){
+    my ($addr,$mask) = split(/\//,$net);
+     $reg .= '|' if ($count > 0);
+    foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+        $reg .= "($_)";
+        $count++;
+    }
+}
+
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'externalSSLAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$OUT = '';
+
+}
+

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/030notifications

@@ -0,0 +1,10 @@
+{
+
+if (($conf->{'notification'} || '0') eq '1'){
+    $conf->{'notificationStorage'} = 'File';
+    $conf->{'notificationStorageOptions'} = {
+        'dirName' => '/var/lib/lemonldap-ng/notifications'
+    },
+}
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/template-end

@@ -0,0 +1,16 @@
+{
+
+# Now, update the configuration
+my $num = $confAccess->saveConf($conf);
+
+if ($num > 0){
+    esmith::util::chownFile('www', 'www', "/var/lib/lemonldap-ng/conf/lmConf-$num");
+    chmod 0660, "/var/lib/lemonldap-ng/conf/lmConf-$num";
+}
+else {
+    die "An error occured saving LemonLDAP::NG configuration: $num\n";
+}
+
+$OUT = '# This is just a dummy config file';
+
+}

smeserver-lemonldap-ng.spec

@@ -0,0 +1,135 @@
+# Authority: vip-ire
+# Name: Daniel Berteaud
+
+Summary: LemonLDAP NG is a web SSO solution
+%define name smeserver-lemonldap-ng
+Name: %{name}
+%define version 0.2.0
+%define release 1
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: SME Server
+Source: %{name}-%{version}.tar.gz
+
+BuildArchitectures: noarch
+
+BuildRequires: e-smith-devtools
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+
+Requires: e-smith-base >= 5.2.0-56
+Requires: e-smith-ldap
+Requires: smeserver-webapps-common >= 0.1-8
+Requires: lemonldap-ng
+
+%description
+This package contains all the needed scripts and templates
+to run LemonLDAP NG on your SME Server. It uses LDAP as authentication source
+but can also use SSL auth (either optional with a fallback to LDAP, or SSL required)
+
+%changelog
+* Wed Jun 20 2012 Daniel Berteaud <daniel@firewall-services.com> 0.2.0-1.sme
+- Import in GIT
+
+* Mon Dec 19 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-22.sme
+- Change SSL Auth to work with LocationMatch, so CAS proxy can work with
+  SSL Auth enabled
+
+* Wed Jul 13 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-21.sme
+- Disable password reset form
+
+* Wed Jul 13 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-20.sme
+- Fix uninitilized values in lemonldap conf templates
+
+* Mon Jul 11 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-19.sme
+- reserve /lm-reload
+
+* Sun Jul 10 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-18.sme
+- Fix notification check
+
+* Sat Jul 09 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-17.sme
+- Don't force notifications on
+
+* Fri Jul 08 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-16.sme
+- Enable and configure notifications
+
+* Thu Jun 30 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-15.sme
+- Manage some configuration from the DB
+
+* Fri Mar 11 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-14.sme
+- Make LemonLDAP compatible with ocsinventory-ng
+
+* Mon Mar 7 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-13.sme
+- Add support for SSL Auth on the portal
+- Use a separated vhost for SOAP requests
+
+* Tue Feb 1 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-12.sme
+- Requires recent version of smeserver-webapps-common
+- Switch to LDAP based auth to protect the manager
+
+* Tue Jan 25 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-11.sme
+- Fix a spacing issue in httpd templates
+
+* Fri Jan 21 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-10.sme
+- Add SSLEngine directives in https virtualhosts
+
+* Fri Jan 21 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-9.sme
+- Fix empty SoapPassword
+
+* Thu Jan 06 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-8.sme
+- Fix Soap ressources authentication
+
+* Tue Jan 03 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-7.sme
+- Run the manager as a perl script (instead of CGI mode)
+
+* Tue Jan 03 2011 Daniel Berteaud <daniel@firewall-services.com> 0.1-6.sme
+- Use https links for error pages
+
+* Tue Dec 30 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-5.sme
+- use only alphanumeric characters for soap password
+- use htpasswd to hash the password
+
+* Tue Dec 28 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-4.sme
+- don't load mod_auth_external if not needed
+- move cache dir in /var/cache
+- Fix several hosts listed in SoapAllowFrom
+
+* Fri Dec 24 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-3.sme
+- Use htpasswd file to protect SOAP services
+- Configure session storage in lemonldap-ng.ini
+- Support additionnal server reload URL
+
+* Fri Dec 17 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-2.sme
+- Let the manager be self-protected if ManagerAuth eq self
+
+* Wed Dec 16 2010 Daniel Berteaud <daniel@firewall-services.com> 0.1-1.sme
+- initial public release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+perl createlinks
+%{__mkdir_p} root/var/cache/lemonldap-ng
+%{__mkdir_p} root/var/lib/lemonldap-ng/notifications
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root   ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+  --dir /var/cache/lemonldap-ng 'attr(0770,root,www)' \
+  --dir /var/lib/lemonldap-ng/notifications 'attr(0770,root,www)' \
+  > %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+%preun
+
+true