forked from stove/dataset
lemonldap: filter applications
This commit is contained in:
Emmanuel Garette
parent
45a8919741
commit
3f631b1d5b
19 changed files with 151 additions and 136 deletions
|
|
@ -86,6 +86,9 @@
|
|||
<variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
|
||||
</family>
|
||||
<family name="nginx">
|
||||
<variable name="nginx_default_https" redefine="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
<variable name="revprox_client_external_domainnames" redefine="True" mandatory="False"/>
|
||||
<family name="revprox_client">
|
||||
<variable name="revprox_client_location" redefine="True" mandatory="False">
|
||||
|
|
@ -89,7 +89,7 @@
|
|||
<param name="length" type="number">43</param>
|
||||
<target>gitea_lfs_jwt_secret</target>
|
||||
</fill>
|
||||
<fill name="calc_oauth2_client_external">
|
||||
<fill name="calc_oauth2_client_login">
|
||||
<param type="variable" optional="True">revprox_client_external_domainnames</param>
|
||||
<param type="variable" optional="True">revprox_client_location</param>
|
||||
<param>user/oauth2/</param>
|
||||
|
|
|
|||
|
|
@ -22,6 +22,11 @@
|
|||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="nginx">
|
||||
<variable name="nginx_default_https" redefine="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
|
||||
<variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
|
||||
<value>1</value>
|
||||
|
|
@ -33,7 +38,15 @@
|
|||
<variable name='ldapclient_family' redefine="True">
|
||||
<value>all</value>
|
||||
</variable>
|
||||
<variable name='ldapclient_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="False"/>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">ldap_group</param>
|
||||
<target>ldapclient_group_dn</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
|||
|
|
@ -2,17 +2,15 @@
|
|||
<rougail version="0.10">
|
||||
<variables>
|
||||
<variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="oauth2"/>
|
||||
<family name="oauth2_" description="OAuth2 for" dynamic="oauth2.remotes">
|
||||
<variable name="secret_" description="Remote secret for" type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
|
||||
<variable name="name_" description="Remote name for" hidden="True" provider="oauth2_name"/>
|
||||
<variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
|
||||
<family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
|
||||
<variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
|
||||
<variable name="name_" description="Remote name for " hidden="True" provider="oauth2_name"/>
|
||||
<variable name="description_" description="Remote description for " hidden="True" provider="oauth2_description"/>
|
||||
<variable name="category_" hidden="True" provider="oauth2_category"/>
|
||||
<variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
|
||||
<family name="external_" leadership="True">
|
||||
<variable name="hosts_" description="Remote external for" provider="oauth2_external" multi="True"/>
|
||||
<variable name="family_" hidden="True" provider="oauth2_family">
|
||||
<value>users</value>
|
||||
</variable>
|
||||
<variable name="hosts_" description="Remote external for " provider="oauth2_external" multi="True"/>
|
||||
<variable name="family_" hidden="True" provider="oauth2_family"/>
|
||||
</family>
|
||||
<variable name="logo_" hidden="True" provider="oauth2_logo"/>
|
||||
<variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
|
||||
|
|
@ -21,15 +19,5 @@
|
|||
</variable>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">domain_name_eth0</param>
|
||||
<param name="username" type="suffix"/>
|
||||
<param name="description">remote</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>oauth2.oauth2_.secret_</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ commentStartToken = §
|
|||
"givenName" : "givenName",
|
||||
"home" : "homeDirectory"
|
||||
},
|
||||
"ldapGroupBase" : "%%ldapclient_base_dn",
|
||||
"ldapGroupBase" : "%%ldapclient_group_dn",
|
||||
"ldapGroupAttributeName" : "member",
|
||||
"ldapGroupAttributeNameUser" : "cn",
|
||||
"ldapGroupAttributeNameGroup" : "dn",
|
||||
|
|
@ -72,8 +72,7 @@ commentStartToken = §
|
|||
},
|
||||
"%%domain" : {
|
||||
"^/logout" : "logout_sso",
|
||||
§ FIXME "default" : "$groups eq %%external['family_' + %%key]"
|
||||
"default" : "accept"
|
||||
"default" : "$groups eq \"%%external['family_' + %%key]\""
|
||||
%%domains.append(%%domain)%slurp
|
||||
%end if
|
||||
%end for
|
||||
|
|
|
|||
|
|
@ -15,24 +15,24 @@ upstream llng_portal_upstream {
|
|||
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 127.0.0.1:80;
|
||||
server_name localhost;
|
||||
root /usr/share/lemonldap-ng/portal/htdocs/;
|
||||
if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
|
||||
rewrite ^/(.*)$ /index.psgi/$1 break;
|
||||
}
|
||||
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
|
||||
include /etc/nginx/fastcgi_params;
|
||||
fastcgi_pass llng_portal_upstream;
|
||||
fastcgi_param REQUEST_URI /.well-known/openid-configuration;
|
||||
fastcgi_param HTTP_HOST %%domain_name_eth0;
|
||||
fastcgi_param LLTYPE psgi;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
}
|
||||
}
|
||||
# GNUNUX server {
|
||||
# GNUNUX listen 127.0.0.1:80;
|
||||
# GNUNUX server_name localhost;
|
||||
# GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/;
|
||||
# GNUNUX if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
|
||||
# GNUNUX rewrite ^/(.*)$ /index.psgi/$1 break;
|
||||
# GNUNUX }
|
||||
# GNUNUX location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
|
||||
# GNUNUX include /etc/nginx/fastcgi_params;
|
||||
# GNUNUX fastcgi_pass llng_portal_upstream;
|
||||
# GNUNUX fastcgi_param REQUEST_URI /.well-known/openid-configuration;
|
||||
# GNUNUX fastcgi_param HTTP_HOST %%domain_name_eth0;
|
||||
# GNUNUX fastcgi_param LLTYPE psgi;
|
||||
# GNUNUX fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
# GNUNUX fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
|
||||
# GNUNUX fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
# GNUNUX }
|
||||
# GNUNUX }
|
||||
|
||||
server {
|
||||
# GNUNUX listen 80;
|
||||
|
|
|
|||
|
|
@ -65,7 +65,7 @@
|
|||
<fill name="calc_oauth2_client_external">
|
||||
<param type="variable">revprox_client_external_domainnames</param>
|
||||
<param type="variable">revprox_client_location</param>
|
||||
<param>/accounts/risotto/login/</param>
|
||||
<param>accounts/risotto/login/</param>
|
||||
<target>oauth2_client_external</target>
|
||||
</fill>
|
||||
</constraints>
|
||||
|
|
|
|||
|
|
@ -11,19 +11,22 @@
|
|||
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
|
||||
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
|
||||
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
|
||||
<file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
|
||||
<file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
|
||||
<file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
|
||||
<file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
|
||||
</service>
|
||||
</services>
|
||||
<variables>
|
||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||
<variable name="nginx_default_http" type="boolean" description="Activer la gestion du répertoire default.d en HTTP sur le serveur" mandatory='True' hidden="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
<variable name="nginx_default_https" type="boolean" description="Activer la gestion du répertoire default.d en HTTPS sur le serveur" mandatory='True' hidden="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
|
||||
<variable name="nginx_root" type="filename" mandatory='False'>
|
||||
<value>/usr/share/nginx/html</value>
|
||||
</variable>
|
||||
<variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
|
||||
<value>False</value>
|
||||
</variable>
|
||||
<variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
|
||||
<value>128</value>
|
||||
<choice type="string">128</choice>
|
||||
|
|
@ -40,14 +43,17 @@
|
|||
<condition name="disabled_if_not_in" source="os_name">
|
||||
<param>Fedora</param>
|
||||
<target type="filelist">nginx_fedora</target>
|
||||
<target>nginx_default</target>
|
||||
<target>nginx_default_http</target>
|
||||
<target>nginx_default_https</target>
|
||||
</condition>
|
||||
<condition name="disabled_if_in" source="nginx_default">
|
||||
<param type="nil"/>
|
||||
<target type="filelist">nginx_default</target>
|
||||
</condition>
|
||||
<condition name="disabled_if_in" source="nginx_https">
|
||||
<condition name="disabled_if_in" source="nginx_default_https">
|
||||
<param type="boolean">False</param>
|
||||
<target type="filelist">nginx_https</target>
|
||||
<target type="filelist">nginx_default_https</target>
|
||||
</condition>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">tls_ca_directory</param>
|
||||
|
|
|
|||
|
|
@ -52,7 +52,7 @@ http {
|
|||
# for more information.
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
%if %%os_name == 'Fedora'
|
||||
%if %%nginx_default
|
||||
%if %%nginx_default_http
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
|
@ -73,7 +73,7 @@ http {
|
|||
%end if
|
||||
# Settings for a TLS enabled server.
|
||||
#
|
||||
%if %%nginx_https
|
||||
%if %%nginx_default_https
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name %%domain_name_eth0;
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
</services>
|
||||
<variables>
|
||||
<family name="nginx">
|
||||
<variable name="nginx_https" redefine="True">
|
||||
<variable name="nginx_default_https" redefine="True">
|
||||
<value>True</value>
|
||||
</variable>
|
||||
<variable name="php_fpm_user" redefine="True" exists="True">
|
||||
|
|
|
|||
|
|
@ -18,6 +18,9 @@
|
|||
</family>
|
||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||
<variable name="nginx_default" redefine="True" mandatory="True"/>
|
||||
<variable name="nginx_default_http" redefine="True">
|
||||
<value>True</value>
|
||||
</variable>
|
||||
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
|
||||
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
|
||||
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@
|
|||
</variable>
|
||||
<variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/>
|
||||
<variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
|
||||
<variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login" multi="True"/>
|
||||
<variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login"/>
|
||||
<family name="external">
|
||||
<variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/>
|
||||
<variable name="oauth2_client_family" description="OAuth2 family">
|
||||
|
|
@ -37,72 +37,44 @@
|
|||
<param>OAuth2</param>
|
||||
<target>oauth2_client_server_domainname</target>
|
||||
</fill>
|
||||
<fill name="set_linked">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2</param>
|
||||
<param name="linked_value" type="variable">domain_name_eth0</param>
|
||||
<fill name="normalize_family">
|
||||
<param type="variable">domain_name_eth0</param>
|
||||
<target>oauth2_client_id</target>
|
||||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_secret</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">domain_name_eth0</param>
|
||||
<param name="username" type="variable">oauth2_client_id</param>
|
||||
<param name="description">remote</param>
|
||||
<param name="type">cleartext</param>
|
||||
<param name="hide" type="variable">hide_secret</param>
|
||||
<target>oauth2_client_secret</target>
|
||||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">external_domainname</param>
|
||||
<fill name="set_linked_multi_variables">
|
||||
<param type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_value_0" type="variable">domain_name_eth0</param>
|
||||
<param name="linked_provider_0">oauth2</param>
|
||||
<param name="linked_value_1" type="variable">oauth2_client_secret</param>
|
||||
<param name="linked_provider_1">oauth2_secret</param>
|
||||
<param name="linked_value_2" type="variable" propertyerror="False">oauth2_client_name</param>
|
||||
<param name="linked_provider_2">oauth2_name</param>
|
||||
<param name="linked_value_3" type="variable" propertyerror="False">oauth2_client_description</param>
|
||||
<param name="linked_provider_3">oauth2_description</param>
|
||||
<param name="linked_value_4" type="variable" propertyerror="False">oauth2_client_external</param>
|
||||
<param name="linked_provider_4">oauth2_external</param>
|
||||
<param name="linked_value_5" type="variable" propertyerror="False">oauth2_client_family</param>
|
||||
<param name="linked_provider_5">oauth2_family</param>
|
||||
<param name="linked_value_6" type="variable">oauth2_client_category</param>
|
||||
<param name="linked_provider_6">oauth2_category</param>
|
||||
<param name="linked_value_7" type="variable">oauth2_client_logo</param>
|
||||
<param name="linked_provider_7">oauth2_logo</param>
|
||||
<param name="linked_value_8" type="variable">oauth2_client_login</param>
|
||||
<param name="linked_provider_8">oauth2_login</param>
|
||||
<param name="allow_none_8" type="boolean">True</param>
|
||||
<param name="linked_value_9" type="variable">oauth2_client_token_signature_algo</param>
|
||||
<param name="linked_provider_9">oauth2_token_signature_algo</param>
|
||||
<param name="linked_returns">external_domainname</param>
|
||||
<target>oauth2_server_domainname</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_name</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_name</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_description</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_description</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_category</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_category</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_external</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_external</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_logo</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_logo</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_family</param>
|
||||
<param name="leader_provider">oauth2_external</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_family</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_login</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_login</target>
|
||||
</check>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
|
||||
<param name="linked_provider">oauth2_token_signature_algo</param>
|
||||
<param name="dynamic" type="variable">oauth2_client_id</param>
|
||||
<target>oauth2_client_token_signature_algo</target>
|
||||
</check>
|
||||
<fill name="calc_oauth2_client_external">
|
||||
<param type="variable" optional="True">revprox_client_external_domainnames</param>
|
||||
<param type="variable" optional="True">revprox_client_location</param>
|
||||
|
|
|
|||
|
|
@ -8,3 +8,18 @@ def calc_oauth2_client_external(external, location, *extras):
|
|||
if isinstance(external, list):
|
||||
return [f'https://{exter}{location[0]}' + ''.join(extras) for exter in external]
|
||||
return f'https://{external}{location[0]}' + ''.join(extras)
|
||||
|
||||
|
||||
def calc_oauth2_client_login(external, location, *extras):
|
||||
if not external or not location or None in extras:
|
||||
return
|
||||
if isinstance(external, list):
|
||||
return f'https://{external[0]}{location[0]}' + ''.join(extras)
|
||||
return f'https://{external}{location[0]}' + ''.join(extras)
|
||||
|
||||
|
||||
@_multi_function
|
||||
def calc_oauth2_families(families: list) -> list:
|
||||
def _calc_family(family):
|
||||
return family if family else 'users'
|
||||
return [_calc_family(family) for family in families]
|
||||
|
|
|
|||
|
|
@ -75,7 +75,10 @@
|
|||
<variable name='ldapclient_user' redefine="True"/>
|
||||
<!--variable name='ldapclient_user_password' redefine="True"/-->
|
||||
<variable name='ldapclient_family' redefine="True" disabled="True"/>
|
||||
<variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
|
||||
<variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn" description="Base DN"/>
|
||||
<variable name='ldap_account_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
|
||||
<variable name='ldap_user_dn' type='string' description="Base DN de l'annuaire des utilisateurs n'appartenant à une famille" mandatory="True"/>
|
||||
<variable name='ldap_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="True" provider="ldap_group"/>
|
||||
</family>
|
||||
</family>
|
||||
</variables>
|
||||
|
|
@ -89,6 +92,20 @@
|
|||
<param type="variable">domain_name_eth0</param>
|
||||
<target>ldapclient_base_dn</target>
|
||||
</fill>
|
||||
<fill name="calc_ldapclient_base_dn">
|
||||
<param type="variable">ldapclient_base_dn</param>
|
||||
<param name="base" type="boolean">True</param>
|
||||
<target>ldap_account_dn</target>
|
||||
</fill>
|
||||
<fill name="calc_ldapclient_base_dn">
|
||||
<param type="variable">ldapclient_base_dn</param>
|
||||
<param name="group" type="boolean">True</param>
|
||||
<target>ldap_group_dn</target>
|
||||
</fill>
|
||||
<fill name="calc_ldapclient_base_dn">
|
||||
<param type="variable">ldapclient_base_dn</param>
|
||||
<target>ldap_user_dn</target>
|
||||
</fill>
|
||||
<fill name='calc_value'>
|
||||
<param>cn=admin</param>
|
||||
<param type='variable'>ldapclient_base_dn</param>
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ olcAccess: {0}to attrs=userPassword
|
|||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)"
|
||||
olcAccess: {1}to dn.subtree="%%ldap_group_dn"
|
||||
%for group in %%groups
|
||||
by dn="%%group" read
|
||||
%end for
|
||||
|
|
@ -21,7 +21,7 @@ olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, fam
|
|||
%set %%aclidx = 2
|
||||
%for %%family, %%remotes in %%dns.items()
|
||||
%if %%family == 'all'
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)"
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
|
||||
%else
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
|
||||
%end if
|
||||
|
|
|
|||
|
|
@ -23,13 +23,13 @@ objectClass: inetOrgPerson
|
|||
|
||||
%end for
|
||||
# Accounts
|
||||
dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)
|
||||
dn: %%ldap_account_dn
|
||||
ou: accounts
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
## Accounts users
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None)
|
||||
%set %%users = %%ldap_user_dn
|
||||
dn: %%users
|
||||
ou: users
|
||||
objectClass: top
|
||||
|
|
@ -100,7 +100,7 @@ objectClass: inetLocalMailRecipient
|
|||
%end for
|
||||
%end for
|
||||
## Groups
|
||||
%set %%groupdn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)
|
||||
%set %%groupdn = %%ldap_group_dn
|
||||
dn: %%groupdn
|
||||
ou: groups
|
||||
objectClass: top
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
|
|||
|
||||
%end for
|
||||
# Users
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, '')
|
||||
%set %%users = %%ldap_user_dn
|
||||
%for %%user in %%accounts.users.ldap_user_mail
|
||||
dn: cn=%%user,%%users
|
||||
changetype: modify
|
||||
|
|
|
|||
|
|
@ -20,30 +20,24 @@
|
|||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="normalize_family">
|
||||
<param type="variable">domain_name_eth0</param>
|
||||
<target>pg_client_username</target>
|
||||
</fill>
|
||||
<fill name="get_provider_name">
|
||||
<param type="variable">zone_name_eth0</param>
|
||||
<param>Postgresql</param>
|
||||
<target>pg_client_server_domainname</target>
|
||||
</fill>
|
||||
<fill name="set_linked">
|
||||
<param name="linked_server" type="variable">pg_client_server_domainname</param>
|
||||
<param name="linked_provider">clients</param>
|
||||
<param name="linked_value" type="variable">domain_name_eth0</param>
|
||||
<target>pg_client_username</target>
|
||||
</fill>
|
||||
<fill name="get_linked_configuration">
|
||||
<param name="linked_server" type="variable">pg_client_server_domainname</param>
|
||||
<param name="linked_provider">client_password</param>
|
||||
<param name="dynamic" type="variable">pg_client_username</param>
|
||||
<fill name="set_linked_multi_variables">
|
||||
<param type="variable">pg_client_server_domainname</param>
|
||||
<param name="linked_value_0" type="variable">domain_name_eth0</param>
|
||||
<param name="linked_provider_0">clients</param>
|
||||
<param name="linked_value_1" type="variable">ip_eth0</param>
|
||||
<param name="linked_provider_1">client_ip</param>
|
||||
<param name="linked_returns">client_password</param>
|
||||
<target>pg_client_password</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">pg_client_server_domainname</param>
|
||||
<param name="linked_provider">client_ip</param>
|
||||
<param name="linked_value" type="variable">ip_eth0</param>
|
||||
<param name="dynamic" type="variable">pg_client_username</param>
|
||||
<target>pg_client_password</target>
|
||||
</check>
|
||||
<fill name="calc_value">
|
||||
<param type="variable">pg_client_username</param>
|
||||
<target>pg_client_database</target>
|
||||
|
|
|
|||
|
|
@ -39,6 +39,7 @@
|
|||
</variable>
|
||||
<family name="external">
|
||||
<variable name="oauth2_client_external" redefine="True" multi='True'/>
|
||||
<variable name="oauth2_client_family" redefine="True" multi="True"/>
|
||||
</family>
|
||||
</family>
|
||||
<family name="nginx">
|
||||
|
|
@ -77,6 +78,10 @@
|
|||
<param type="variable">roundcube_domains</param>
|
||||
<target>revprox_client_external_domainnames</target>
|
||||
</fill>
|
||||
<fill name="calc_oauth2_families">
|
||||
<param type="variable">roundcube_family</param>
|
||||
<target>oauth2_client_family</target>
|
||||
</fill>
|
||||
<fill name="calc_roundcube_family">
|
||||
<param type="variable">roundcube_family</param>
|
||||
<target>ldapclient_family</target>
|
||||
|
|
|
|||
Loading…
Reference in a new issue