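%compiler-settings
commentStartToken = §
%end compiler-settings
§ LemonLDAP::NG configuration (lmConf JSON) rendered from the risotto/EOLE
§ variables in scope: LDAP authentication, one OpenID Connect relying party
§ (RP) per entry of %%oauth2.remotes, and the portal application menu.
§ The rendered file carries secrets (managerPassword, every RP client
§ secret, the OIDC signing private key): keep its permissions restricted
§ to the LemonLDAP::NG process owner.
§ NOTE(review): every variable below is interpolated into a JSON string
§ unescaped; a '"' or backslash in a description, name or URI would break
§ the rendered file - confirm upstream validation of those values.
{
   "mailFrom" : "%%lemon_mail_admin",
   "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
   "portalSkinBackground" : "",
   "portalCustomCss": "risotto/risotto.css",
   "authentication" : "LDAP",
   "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
   "managerDn" : "%%ldapclient_remote_user",
   "managerPassword" : "%%ldapclient_remote_user_password",
   "ldapPpolicyControl" : 1,
   "ldapAllowResetExpiredPassword" : 1,
   "ldapChangePasswordAsUser" : 1,
   "ldapBase" : "ou=users,%%ldap_base_dn",
   "ldapExportedVars" : {
      "uid" : "uid",
      "cn" : "cn",
      "sn" : "sn",
      "mail" : "mail",
      "givenName" : "givenName"
   },
   "ldapGroupAttributeName" : "memberUid",
   "ldapGroupAttributeNameUser" : "cn",
   "ldapGroupObjectClass" : "group",
   "ldapPort" : "636",
§ ldaps:// together with ldapVerify=required: the directory's TLS
§ certificate must validate, so a bad or missing CA fails authentication
§ instead of silently downgrading.
   "ldapServer" : "ldaps://%%ldap_server_address",
   "ldapVerify" : "required",
   "ldapTimeout" : 120,
   "cfgAuthor" : "EOLE",
   "cfgNum" : 1,
   "cfgVersion" : "2.0.9",
   "demoExportedVars" : {
      "cn" : "cn",
      "mail" : "mail",
      "uid" : "uid"
   },
§ Domain of the SSO cookie.
   "domain" : "%%revprox_client_external_domainname",
   "exportedVars" : {
      "UA" : "HTTP_USER_AGENT",
      "cn" : "cn",
      "mail" : "mail"
   },
   "globalStorageOptions" : {
      "Directory" : "/srv/lemonldap-ng/sessions",
      "LockDirectory" : "/srv/lemonldap-ng/sessions/lock"
   },
   "issuerDBOpenIDConnectActivation" : 1,
   "localSessionStorageOptions" : {
      "cache_depth" : 3,
      "cache_root" : "/srv/lemonldap-ng/cache",
      "default_expires_in" : 600,
      "directory_umask" : "007",
      "namespace" : "lemonldap-ng-sessions"
   },
§ Access rules: the portal host, plus one virtual host per distinct
§ external host of the OIDC remotes. Every host is "default : accept"
§ (any authenticated user is allowed); the remote hosts additionally map
§ ^/logout to the SSO logout.
   "locationRules" : {
      "%%revprox_client_external_domainname" : {
         "default" : "accept"
%set %%domains = []
%for %%app in %%oauth2.remotes
%set %%key = %%normalize_family(%%app)
%set %%external = %%oauth2['oauth2_' + %%key]['external_' + %%key]
§ external is a URL such as https://domain/ ; keep only the host (and
§ port) part, whether or not a path or a trailing slash is present.
%if %%external
%set %%domain = %%str(%%external).split('://', 1)[-1].split('/', 1)[0]
§ NOTE(review): %%domains is not seeded with the portal host, so a remote
§ served on the portal host itself would emit a duplicate JSON key - confirm.
%if %%domain not in %%domains
      },
      "%%domain" : {
         "^/logout" : "logout_sso",
         "default" : "accept"
%%domains.append(%%domain)%slurp
%end if
%end if
%end for
      }
   },
   "loginHistoryEnabled" : 1,
   "macros" : {
      "UA" : "$ENV{HTTP_USER_AGENT}",
      "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
   },
   "mailUrl" : "https://%%revprox_client_external_domainname/resetpwd",
   "mySessionAuthorizedRWKeys" : [
      "_appsListOrder",
      "_oidcConnectedRP",
      "_oidcConsents"
   ],
   "notification" : 1,
   "notificationStorageOptions" : {
      "dirName" : "/srv/lemonldap-ng/notifications"
   },
§ Claims released to every RP: the same four LDAP attributes for all.
§ %%len_app is shared with the oidcRPMetaDataOptions loop below to
§ decide where the last element's trailing comma is dropped.
   "oidcRPMetaDataExportedVars" : {
%set %%len_app = %%len(%%oauth2.remotes)
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
      "%%app" : {
         "email" : "mail",
         "family_name" : "sn",
         "name" : "cn",
         "nickname" : "uid"
%if %%len_app - 1 == %%idx
      }
%else
      },
%end if
%end for
   },
§ One confidential RP per remote (Public=0): client id is the normalized
§ family name, client secret and id_token signature algorithm come from
§ the remote's configuration. Consent is bypassed and PKCE is not
§ required for every RP; revisit both before registering a public client.
   "oidcRPMetaDataOptions" : {
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
      "%%app" : {
         "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
         "oidcRPMetaDataOptionsAllowOffline" : 1,
         "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
         "oidcRPMetaDataOptionsBypassConsent" : 1,
         "oidcRPMetaDataOptionsClientID" : "%%key",
         "oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
         "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
         "oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
         "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
         "oidcRPMetaDataOptionsLogoutType" : "front",
§         "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
§FIXME         "oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
         "oidcRPMetaDataOptionsPublic" : 0,
§ Redirect URI allow-list, only when the remote declares a login URL;
§ without it the RP has no registered redirect URI.
%if %%oauth2['oauth2_' + %%key]['login_' + %%key]
         "oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
%end if
         "oidcRPMetaDataOptionsRefreshToken" : 0,
         "oidcRPMetaDataOptionsRequirePKCE" : 0
%if %%len_app - 1 == %%idx
      }
%else
      },
%end if
%end for
   },
   "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
   "oidcServiceMetaDataAuthnContext" : {
      "loa-1" : 1,
      "loa-2" : 2,
      "loa-3" : 3,
      "loa-4" : 4,
      "loa-5" : 5
   },
§ PEM keys span several lines; re-join them with a literal backslash-n
§ so the value stays a single JSON string.
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0).split("\n"))
   "oidcServicePublicKeySig" : "%%pub",
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0).split("\n"))
   "oidcServicePrivateKeySig" : "%%priv",
   "passwordDB" : "LDAP",
   "persistentStorage" : "Apache::Session::File",
   "persistentStorageOptions" : {
      "Directory": "/srv/lemonldap-ng/psessions",
      "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
   },
   "portal" : "https://%%revprox_client_external_domainname/",
   "portalCheckLogins": 0,
   "portalDisplayRegister": 0,
   "portalDisplayResetPassword": 0,
   "portalMainLogo": "risotto/logo.png",
   "showLanguages": 0,
   "whatToTrace" : "_whatToTrace",
§ Group the remotes by category for the portal menu; a remote without a
§ description is left out of the menu (it still exists as an RP above).
%set %%remotes = {}
%for %%index, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
%set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
%if not %%description
%continue
%end if
%set %%dico = {'key': %%key, 'description': %%description, 'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key], 'name': %%oauth2['oauth2_' + %%key]['name_' + %%key], 'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]}
%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
%end for
   "applicationList" : {
%for %%index, %%cat in %%enumerate(%%remotes)
%if %%index != 0
      ,
%end if
      "cat_%%index" : {
         "catname" : "%%cat",
%for %%dico in %%remotes[%%cat]
         "%%dico['key']" : {
            "options" : {
               "description" : "%%dico['description']",
               "display" : "auto",
               "logo" : "%%dico['logo']",
               "name" : "%%dico['name']",
               "uri" : "%%dico['uri']"
            },
            "type" : "application"
         },
%end for
         "type" : "category"
      }%slurp
%end for
   }
}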