lemonldap: filter applications

This commit is contained in:
Emmanuel Garette 2022-06-26 19:33:44 +02:00
parent 45a8919741
commit 3f631b1d5b
19 changed files with 151 additions and 136 deletions


@ -86,6 +86,9 @@
<variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
</family>
<family name="nginx">
<variable name="nginx_default_https" redefine="True">
<value>False</value>
</variable>
<variable name="revprox_client_external_domainnames" redefine="True" mandatory="False"/>
<family name="revprox_client">
<variable name="revprox_client_location" redefine="True" mandatory="False">


@ -89,7 +89,7 @@
<param name="length" type="number">43</param>
<target>gitea_lfs_jwt_secret</target>
</fill>
<fill name="calc_oauth2_client_external">
<fill name="calc_oauth2_client_login">
<param type="variable" optional="True">revprox_client_external_domainnames</param>
<param type="variable" optional="True">revprox_client_location</param>
<param>user/oauth2/</param>
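Review bot: `oauth2_client_login` becomes a single `web_address` elsewhere in this commit, and `calc_oauth2_client_login` used here keeps only the first entry of `revprox_client_external_domainnames`, so a client with several external domains silently gets one OIDC login URL. Nothing on this fill records that choice. Suggest a comment on the fill, `<!-- only the first external domain name is used for the OAuth2 login URL -->`, or a `help` attribute on the variable; if one URL per domain is actually needed the variable should stay `multi="True"`.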


@ -22,6 +22,11 @@
</service>
</services>
<variables>
<family name="nginx">
<variable name="nginx_default_https" redefine="True">
<value>False</value>
</variable>
</family>
<family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
<variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
<value>1</value>
@ -33,7 +38,15 @@
<variable name='ldapclient_family' redefine="True">
<value>all</value>
</variable>
<variable name='ldapclient_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="False"/>
</family>
</family>
</variables>
<constraints>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">ldap_group</param>
<target>ldapclient_group_dn</target>
</fill>
</constraints>
</rougail>
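Review bot: `ldapclient_group_dn` is declared `mandatory="False"` while the LemonLDAP template changed in this commit uses it as `ldapGroupBase` and the new per-application rules depend on group membership. If no LDAP server publishes the `ldap_group` provider the variable stays empty, and instead of falling back to `ldapclient_base_dn` as before the portal is configured with an empty group base; as far as I recall an empty `ldapGroupBase` disables the group search in LemonLDAP::NG, so `$groups` would be empty and every application rule would deny — fail-closed, but a silent lockout. Suggest `mandatory="True"` on `ldapclient_group_dn` so the configuration fails loudly rather than producing a portal nobody can pass.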


@ -2,17 +2,15 @@
<rougail version="0.10">
<variables>
<variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="oauth2"/>
<family name="oauth2_" description="OAuth2 for" dynamic="oauth2.remotes">
<variable name="secret_" description="Remote secret for" type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
<variable name="name_" description="Remote name for" hidden="True" provider="oauth2_name"/>
<variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
<family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
<variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
<variable name="name_" description="Remote name for " hidden="True" provider="oauth2_name"/>
<variable name="description_" description="Remote description for " hidden="True" provider="oauth2_description"/>
<variable name="category_" hidden="True" provider="oauth2_category"/>
<variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
<family name="external_" leadership="True">
<variable name="hosts_" description="Remote external for" provider="oauth2_external" multi="True"/>
<variable name="family_" hidden="True" provider="oauth2_family">
<value>users</value>
</variable>
<variable name="hosts_" description="Remote external for " provider="oauth2_external" multi="True"/>
<variable name="family_" hidden="True" provider="oauth2_family"/>
</family>
<variable name="logo_" hidden="True" provider="oauth2_logo"/>
<variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
@ -21,15 +19,5 @@
</variable>
</family>
</variables>
<constraints>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type="suffix"/>
<param name="description">remote</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>oauth2.oauth2_.secret_</target>
</fill>
</constraints>
</rougail>
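Review bot: Dropping `<value>users</value>` from `family_` removes the server-side fallback when a client publishes nothing for `oauth2_family`, and the LemonLDAP template in this commit interpolates that value unescaped into a Perl rule (`$groups eq "..."`), so an empty or `None` family yields a rule no group matches — a silent deny-all for that application. Only the roundcube client in this commit supplies `users` through `calc_oauth2_families`; the generic client variable has no visible default. Either keep the default here, or add a `check` on `family_` that rejects empty values and characters such as `"` that would break the generated rule.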


@ -22,7 +22,7 @@ commentStartToken = §
"givenName" : "givenName",
"home" : "homeDirectory"
},
"ldapGroupBase" : "%%ldapclient_base_dn",
"ldapGroupBase" : "%%ldapclient_group_dn",
"ldapGroupAttributeName" : "member",
"ldapGroupAttributeNameUser" : "cn",
"ldapGroupAttributeNameGroup" : "dn",
@ -72,8 +72,7 @@ commentStartToken = §
},
"%%domain" : {
"^/logout" : "logout_sso",
§ FIXME "default" : "$groups eq %%external['family_' + %%key]"
"default" : "accept"
"default" : "$groups eq \"%%external['family_' + %%key]\""
%%domains.append(%%domain)%slurp
%end if
%end for
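Review bot: The new default rule `$groups eq "<family>"` compares the whole `$groups` string, which in LemonLDAP::NG is the user's group list joined by the multi-value separator (`; ` by default), so a user who belongs to the family group plus any other group is denied; membership tests should use the hash or helper, e.g. `"default" : "inGroup('%%external['family_' + %%key]')"` (or `$hGroups->{'...'}`). The family name is also inserted verbatim into a Perl expression, so a value containing a quote would alter or break the rule — worth a check on the variable that feeds it. The enclosing `%for`/`%if` block starts before this hunk.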


@ -15,24 +15,24 @@ upstream llng_portal_upstream {
server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
}
server {
listen 127.0.0.1:80;
server_name localhost;
root /usr/share/lemonldap-ng/portal/htdocs/;
if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
include /etc/nginx/fastcgi_params;
fastcgi_pass llng_portal_upstream;
fastcgi_param REQUEST_URI /.well-known/openid-configuration;
fastcgi_param HTTP_HOST %%domain_name_eth0;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
# GNUNUX server {
# GNUNUX listen 127.0.0.1:80;
# GNUNUX server_name localhost;
# GNUNUX root /usr/share/lemonldap-ng/portal/htdocs/;
# GNUNUX if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
# GNUNUX rewrite ^/(.*)$ /index.psgi/$1 break;
# GNUNUX }
# GNUNUX location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
# GNUNUX include /etc/nginx/fastcgi_params;
# GNUNUX fastcgi_pass llng_portal_upstream;
# GNUNUX fastcgi_param REQUEST_URI /.well-known/openid-configuration;
# GNUNUX fastcgi_param HTTP_HOST %%domain_name_eth0;
# GNUNUX fastcgi_param LLTYPE psgi;
# GNUNUX fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# GNUNUX fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
# GNUNUX fastcgi_param PATH_INFO $fastcgi_path_info;
# GNUNUX }
# GNUNUX }
server {
# GNUNUX listen 80;


@ -65,7 +65,7 @@
<fill name="calc_oauth2_client_external">
<param type="variable">revprox_client_external_domainnames</param>
<param type="variable">revprox_client_location</param>
<param>/accounts/risotto/login/</param>
<param>accounts/risotto/login/</param>
<target>oauth2_client_external</target>
</fill>
</constraints>


@ -11,19 +11,22 @@
<file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
<file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
<file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
<file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
<file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
<file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
</service>
</services>
<variables>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default_http" type="boolean" description="Activer la gestion du répertoire default.d en HTTP sur le serveur" mandatory='True' hidden="True">
<value>False</value>
</variable>
<variable name="nginx_default_https" type="boolean" description="Activer la gestion du répertoire default.d en HTTPS sur le serveur" mandatory='True' hidden="True">
<value>False</value>
</variable>
<variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
<variable name="nginx_root" type="filename" mandatory='False'>
<value>/usr/share/nginx/html</value>
</variable>
<variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
<value>False</value>
</variable>
<variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
<value>128</value>
<choice type="string">128</choice>
@ -40,14 +43,17 @@
<condition name="disabled_if_not_in" source="os_name">
<param>Fedora</param>
<target type="filelist">nginx_fedora</target>
<target>nginx_default</target>
<target>nginx_default_http</target>
<target>nginx_default_https</target>
</condition>
<condition name="disabled_if_in" source="nginx_default">
<param type="nil"/>
<target type="filelist">nginx_default</target>
</condition>
<condition name="disabled_if_in" source="nginx_https">
<condition name="disabled_if_in" source="nginx_default_https">
<param type="boolean">False</param>
<target type="filelist">nginx_https</target>
<target type="filelist">nginx_default_https</target>
</condition>
<fill name="calc_value">
<param type="variable">tls_ca_directory</param>
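Review bot: The `disabled_if_not_in` condition now disables `nginx_default_https` on non-Fedora hosts, while the certificate and key files are gated on that same variable through `disabled_if_in ... False` → filelist `nginx_default_https`, and other services in this commit redefine it to `True`. How a disabled source variable is evaluated by the second condition is not visible here; if it reads as `None`/`False`, `/etc/pki/tls/certs/nginx.crt` and the key are never deployed on those hosts even where a service asked for HTTPS, and the `listen 443 ssl` block in nginx.conf would reference missing files. A comment stating the intended behaviour on non-Fedora (`<!-- on non-Fedora the default vhost is never generated; TLS material comes from the service's own filelist -->`) or a separate filelist for the cert/key would remove the ambiguity.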


@ -52,7 +52,7 @@ http {
# for more information.
include /etc/nginx/conf.d/*.conf;
%if %%os_name == 'Fedora'
%if %%nginx_default
%if %%nginx_default_http
server {
listen 80;
listen [::]:80;
@ -73,7 +73,7 @@ http {
%end if
# Settings for a TLS enabled server.
#
%if %%nginx_https
%if %%nginx_default_https
server {
listen 443 ssl http2;
server_name %%domain_name_eth0;


@ -7,7 +7,7 @@
</services>
<variables>
<family name="nginx">
<variable name="nginx_https" redefine="True">
<variable name="nginx_default_https" redefine="True">
<value>True</value>
</variable>
<variable name="php_fpm_user" redefine="True" exists="True">


@ -18,6 +18,9 @@
</family>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default" redefine="True" mandatory="True"/>
<variable name="nginx_default_http" redefine="True">
<value>True</value>
</variable>
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
<variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
<variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>


@ -8,7 +8,7 @@
</variable>
<variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/>
<variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
<variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login" multi="True"/>
<variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login"/>
<family name="external">
<variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/>
<variable name="oauth2_client_family" description="OAuth2 family">
@ -37,72 +37,44 @@
<param>OAuth2</param>
<target>oauth2_client_server_domainname</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<fill name="normalize_family">
<param type="variable">domain_name_eth0</param>
<target>oauth2_client_id</target>
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_secret</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type="variable">oauth2_client_id</param>
<param name="description">remote</param>
<param name="type">cleartext</param>
<param name="hide" type="variable">hide_secret</param>
<target>oauth2_client_secret</target>
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">external_domainname</param>
<fill name="set_linked_multi_variables">
<param type="variable">oauth2_client_server_domainname</param>
<param name="linked_value_0" type="variable">domain_name_eth0</param>
<param name="linked_provider_0">oauth2</param>
<param name="linked_value_1" type="variable">oauth2_client_secret</param>
<param name="linked_provider_1">oauth2_secret</param>
<param name="linked_value_2" type="variable" propertyerror="False">oauth2_client_name</param>
<param name="linked_provider_2">oauth2_name</param>
<param name="linked_value_3" type="variable" propertyerror="False">oauth2_client_description</param>
<param name="linked_provider_3">oauth2_description</param>
<param name="linked_value_4" type="variable" propertyerror="False">oauth2_client_external</param>
<param name="linked_provider_4">oauth2_external</param>
<param name="linked_value_5" type="variable" propertyerror="False">oauth2_client_family</param>
<param name="linked_provider_5">oauth2_family</param>
<param name="linked_value_6" type="variable">oauth2_client_category</param>
<param name="linked_provider_6">oauth2_category</param>
<param name="linked_value_7" type="variable">oauth2_client_logo</param>
<param name="linked_provider_7">oauth2_logo</param>
<param name="linked_value_8" type="variable">oauth2_client_login</param>
<param name="linked_provider_8">oauth2_login</param>
<param name="allow_none_8" type="boolean">True</param>
<param name="linked_value_9" type="variable">oauth2_client_token_signature_algo</param>
<param name="linked_provider_9">oauth2_token_signature_algo</param>
<param name="linked_returns">external_domainname</param>
<target>oauth2_server_domainname</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_name</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_name</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_description</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_description</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_category</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_category</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_external</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_external</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_logo</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_logo</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_family</param>
<param name="leader_provider">oauth2_external</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_family</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_login</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_login</target>
</check>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">oauth2_client_server_domainname</param>
<param name="linked_provider">oauth2_token_signature_algo</param>
<param name="dynamic" type="variable">oauth2_client_id</param>
<target>oauth2_client_token_signature_algo</target>
</check>
<fill name="calc_oauth2_client_external">
<param type="variable" optional="True">revprox_client_external_domainnames</param>
<param type="variable" optional="True">revprox_client_location</param>
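Review bot: The removed `check` for `oauth2_family` carried `leader_provider=oauth2_external`, tying each family to an external host; in the new `set_linked_multi_variables` fill `oauth2_client_external` (linked_value_4) and `oauth2_client_family` (linked_value_5) are pushed as two independent values, both with `propertyerror="False"`, so a disabled variable presumably arrives as `None` on the server. Whether the server's `external_` leadership family still receives them as paired leader/follower lists depends on `set_linked_multi_variables`, which is not visible here. A comment stating the contract, `<!-- linked_value_4 and linked_value_5 must have the same length: family[i] applies to host[i] -->`, or a check that both multi values have equal length, would make the assumption explicit.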


@ -8,3 +8,18 @@ def calc_oauth2_client_external(external, location, *extras):
if isinstance(external, list):
return [f'https://{exter}{location[0]}' + ''.join(extras) for exter in external]
return f'https://{external}{location[0]}' + ''.join(extras)
def calc_oauth2_client_login(external, location, *extras):
if not external or not location or None in extras:
return
if isinstance(external, list):
return f'https://{external[0]}{location[0]}' + ''.join(extras)
return f'https://{external}{location[0]}' + ''.join(extras)
@_multi_function
def calc_oauth2_families(families: list) -> list:
def _calc_family(family):
return family if family else 'users'
return [_calc_family(family) for family in families]
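Review bot: `calc_oauth2_client_login` subscripts `location[0]` without checking the type of `location`: if `revprox_client_location` is a plain string such as `/mail/`, only its first character `/` survives and the computed login URL loses its path (the same pattern is in `calc_oauth2_client_external` above, whose definition begins before this hunk). The guard on the previous line also means an empty `extras` tuple passes while any `None` in it returns `None`, which the caller must tolerate. Suggest normalising the argument, `loc = location[0] if isinstance(location, list) else location`, and a short docstring stating that the result is `None` whenever an input is missing.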


@ -75,7 +75,10 @@
<variable name='ldapclient_user' redefine="True"/>
<!--variable name='ldapclient_user_password' redefine="True"/-->
<variable name='ldapclient_family' redefine="True" disabled="True"/>
<variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
<variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn" description="Base DN"/>
<variable name='ldap_account_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
<variable name='ldap_user_dn' type='string' description="Base DN de l'annuaire des utilisateurs n'appartenant à une famille" mandatory="True"/>
<variable name='ldap_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="True" provider="ldap_group"/>
</family>
</family>
</variables>
@ -89,6 +92,20 @@
<param type="variable">domain_name_eth0</param>
<target>ldapclient_base_dn</target>
</fill>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param>
<param name="base" type="boolean">True</param>
<target>ldap_account_dn</target>
</fill>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param>
<param name="group" type="boolean">True</param>
<target>ldap_group_dn</target>
</fill>
<fill name="calc_ldapclient_base_dn">
<param type="variable">ldapclient_base_dn</param>
<target>ldap_user_dn</target>
</fill>
<fill name='calc_value'>
<param>cn=admin</param>
<param type='variable'>ldapclient_base_dn</param>
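Review bot: `ldap_account_dn`, `ldap_user_dn` and `ldap_group_dn` are plain editable `string` variables, yet in this commit they become the `dn.subtree` scope of the slapd `olcAccess` rules and, via provider `ldap_group`, LemonLDAP's `ldapGroupBase`; a manual edit to one of them silently moves an ACL boundary. Since all three are computed from `ldapclient_base_dn` by the fills below, `hidden="True"` (or at least `mode="expert"` plus a check that each is a descendant of `ldapclient_base_dn`) would match their role. Separately, the description of `ldap_user_dn` reads "n'appartenant à une famille" and appears to be missing "pas" — in English, `Base DN of the users not attached to a family`.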


@ -13,7 +13,7 @@ olcAccess: {0}to attrs=userPassword
by self write
by anonymous auth
by * none
olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)"
olcAccess: {1}to dn.subtree="%%ldap_group_dn"
%for group in %%groups
by dn="%%group" read
%end for
@ -21,7 +21,7 @@ olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, fam
%set %%aclidx = 2
%for %%family, %%remotes in %%dns.items()
%if %%family == 'all'
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)"
olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
%else
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
%end if


@ -23,13 +23,13 @@ objectClass: inetOrgPerson
%end for
# Accounts
dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)
dn: %%ldap_account_dn
ou: accounts
objectClass: top
objectClass: organizationalUnit
## Accounts users
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None)
%set %%users = %%ldap_user_dn
dn: %%users
ou: users
objectClass: top
@ -100,7 +100,7 @@ objectClass: inetLocalMailRecipient
%end for
%end for
## Groups
%set %%groupdn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)
%set %%groupdn = %%ldap_group_dn
dn: %%groupdn
ou: groups
objectClass: top


@ -8,7 +8,7 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
%end for
# Users
%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, '')
%set %%users = %%ldap_user_dn
%for %%user in %%accounts.users.ldap_user_mail
dn: cn=%%user,%%users
changetype: modify
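Review bot: `%%ldap_user_dn` is filled from `calc_ldapclient_base_dn(ldapclient_base_dn)` with no family argument in the ldap rougail change of this commit, whereas the line it replaces passed the empty string `''` as the family. The two are equivalent only if `calc_ldapclient_base_dn` treats `''` and `None` identically, and that function is not visible here; if they differ, the DN these `changetype: modify` entries target drifts from the DN created in the users LDIF and scoped by the ACL. A one-line note at the fill (`<!-- no family: same DN as calc_ldapclient_base_dn(base, '') -->`) or an assertion in that function's tests would pin the assumption.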


@ -20,30 +20,24 @@
</family>
</variables>
<constraints>
<fill name="normalize_family">
<param type="variable">domain_name_eth0</param>
<target>pg_client_username</target>
</fill>
<fill name="get_provider_name">
<param type="variable">zone_name_eth0</param>
<param>Postgresql</param>
<target>pg_client_server_domainname</target>
</fill>
<fill name="set_linked">
<param name="linked_server" type="variable">pg_client_server_domainname</param>
<param name="linked_provider">clients</param>
<param name="linked_value" type="variable">domain_name_eth0</param>
<target>pg_client_username</target>
</fill>
<fill name="get_linked_configuration">
<param name="linked_server" type="variable">pg_client_server_domainname</param>
<param name="linked_provider">client_password</param>
<param name="dynamic" type="variable">pg_client_username</param>
<fill name="set_linked_multi_variables">
<param type="variable">pg_client_server_domainname</param>
<param name="linked_value_0" type="variable">domain_name_eth0</param>
<param name="linked_provider_0">clients</param>
<param name="linked_value_1" type="variable">ip_eth0</param>
<param name="linked_provider_1">client_ip</param>
<param name="linked_returns">client_password</param>
<target>pg_client_password</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">pg_client_server_domainname</param>
<param name="linked_provider">client_ip</param>
<param name="linked_value" type="variable">ip_eth0</param>
<param name="dynamic" type="variable">pg_client_username</param>
<target>pg_client_password</target>
</check>
<fill name="calc_value">
<param type="variable">pg_client_username</param>
<target>pg_client_database</target>
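Review bot: `pg_client_username` is now derived purely on the client by `normalize_family(domain_name_eth0)` and `pg_client_database` is copied from it, so two client hosts whose domain names normalise to the same string would share one PostgreSQL role and database, and the server's `clients` provider would receive duplicate `linked_value_0` entries; previously the name came back from the server's `set_linked`, which could have disambiguated. Neither `normalize_family` nor `set_linked_multi_variables` is visible here, so this is a question rather than a confirmed defect: does the server reject a duplicate client name? If not, a uniqueness check on the server side or keeping a server-assigned name would be safer than relying on distinct normalised domains.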


@ -39,6 +39,7 @@
</variable>
<family name="external">
<variable name="oauth2_client_external" redefine="True" multi='True'/>
<variable name="oauth2_client_family" redefine="True" multi="True"/>
</family>
</family>
<family name="nginx">
@ -77,6 +78,10 @@
<param type="variable">roundcube_domains</param>
<target>revprox_client_external_domainnames</target>
</fill>
<fill name="calc_oauth2_families">
<param type="variable">roundcube_family</param>
<target>oauth2_client_family</target>
</fill>
<fill name="calc_roundcube_family">
<param type="variable">roundcube_family</param>
<target>ldapclient_family</target>