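%compiler-settings
commentStartToken = §
%end compiler-settings
§ Cheetah template that renders the LemonLDAP::NG configuration as one JSON
§ document. Lines starting with the comment token are dropped at render time,
§ lines starting with a single percent sign are template directives, and the
§ double-percent names are placeholders filled from the deployment variables
§ (ldapclient_*, oauth2.remotes, revprox_client_*, gateway_eth0, ...).
§ Everything that survives rendering must be valid JSON: the loops below are
§ therefore careful about where commas and closing braces are emitted.
{
   "mailFrom" : "%%lemon_mail_admin",
   "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
   "portalSkinBackground" : "",
   "portalCustomCss": "risotto/risotto.css",
   "authentication" : "LDAP",
   "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
   § Bind credentials and base DN come from the ldapclient_* variables; the
   § rendered file therefore contains the manager password in clear text and
   § must be protected accordingly.
   "managerDn" : "%%ldapclient_user",
   "managerPassword" : "%%ldapclient_user_password",
   "ldapPpolicyControl" : 1,
   "ldapAllowResetExpiredPassword" : 1,
   "ldapChangePasswordAsUser" : 1,
   "ldapBase" : "%%ldapclient_search_dn",
   "ldapExportedVars" : {
      "uid" : "uid",
      "cn" : "cn",
      "sn" : "sn",
      "mail" : "mail",
      "givenName" : "givenName",
      "home" : "homeDirectory"
   },
   "ldapGroupBase" : "%%ldapclient_group_dn",
   § Groups are groupOfNames entries whose "member" values are user DNs, so the
   § user-side attribute compared against them is "dn". The earlier duplicate
   § "ldapGroupAttributeNameUser" : "cn" entry was removed: with duplicate JSON
   § keys the effective value depends on the parser, which is not acceptable
   § for an authorization-relevant setting.
   "ldapGroupAttributeName" : "member",
   "ldapGroupAttributeNameGroup" : "dn",
   "ldapGroupAttributeNameSearch" : "cn",
   "ldapGroupAttributeNameUser" : "dn",
   "ldapGroupObjectClass" : "groupOfNames",
   § LDAP over TLS with mandatory certificate verification.
   "ldapPort" : "636",
   "ldapServer" : "ldaps://%%ldap_server_address",
   "ldapVerify" : "required",
   "ldapTimeout" : 120,
   "cfgAuthor" : "Risotto",
   "cfgNum" : 1,
   "cfgVersion" : "2.0.9",
   "demoExportedVars" : {
      "cn" : "cn",
      "mail" : "mail",
      "uid" : "uid"
   },
   "domain" : "%%revprox_client_external_domainnames[0]",
   "exportedVars" : {
       "UA" : "HTTP_USER_AGENT",
       "cn" : "cn",
       "mail" : "mail"
   },
   "globalStorageOptions" : {
      "Directory" : "/srv/lemonldap-ng/sessions",
      "LockDirectory" : "/srv/lemonldap-ng/sessions/lock"
   },
   "issuerDBOpenIDConnectActivation" : 1,
   "localSessionStorageOptions" : {
      "cache_depth" : 3,
      "cache_root" : "/srv/lemonldap-ng/cache",
      "default_expires_in" : 600,
      "directory_umask" : "007",
      "namespace" : "lemonldap-ng-sessions"
  },
   § Access rules. The portal's own domain accepts every authenticated user;
   § each host of every OAuth2 remote gets its own rule set that only accepts
   § users whose groups variable equals the application family, plus a logout
   § path. A host that appears under several applications is emitted once.
   "locationRules" : {
      "%%revprox_client_external_domainnames[0]" : {
         "default" : "accept"
%set %%domains = []
%for %%app in %%oauth2.remotes
  %set %%key = %%normalize_family(%%app)
  § hosts look something like ['https://domain/']; the split keeps the host
  § part only (a URL without a trailing slash would yield an empty string)
  %for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
    %set %%domain = %%str(%%external).split('/', 3)[-2]
    %if %%domain not in %%domains
     § the brace closing the previous rule set is emitted here, so the
     § final one is closed exactly once after the loops
     },
     "%%domain" : {
        "^/logout" : "logout_sso",
        "default" : "$groups eq \"%%external['family_' + %%key]\""
%%domains.append(%%domain)%slurp
    %end if
  %end for
%end for
      }
   },
   "loginHistoryEnabled" : 1,
   "macros" : {
      "UA" : "$ENV{HTTP_USER_AGENT}",
      "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
   },
   "mailUrl" : "https://%%revprox_client_external_domainnames[0]/resetpwd",
   "mySessionAuthorizedRWKeys" : [
      "_appsListOrder",
      "_oidcConnectedRP",
      "_oidcConsents"
   ],
   "notification" : 1,
   "notificationStorageOptions" : {
       "dirName" : "/srv/lemonldap-ng/notifications"
   },
   § Claims exported to every OIDC relying party; the same set for all of them.
   § len_app is also used by the oidcRPMetaDataOptions loop further down to
   § decide whether a trailing comma is needed.
   "oidcRPMetaDataExportedVars" : {
%set %%len_app = %%len(%%oauth2.remotes)
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
  %set %%key = %%normalize_family(%%app)
  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
      "%%app" : {
         "email" : "mail",
         "family_name" : "sn",
         "name" : "cn",
         "nickname" : "uid",
         "home" : "home"
  %if %%len_app - 1 == %%idx
      }
  %else
      },
  %end if
%end for
   },
   § One relying party per OAuth2 remote. The client id is the normalized
   § family name and the client secret is taken verbatim from the deployment
   § variables, so it ends up in clear text in the rendered file.
   "oidcRPMetaDataOptions" : {
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
  %set %%key = %%normalize_family(%%app)
  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
      "%%app" : {
         "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
         "oidcRPMetaDataOptionsAllowOffline" : 1,
         "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
         § consent screen skipped for the RPs registered by this deployment;
         § revisit if relying parties outside this deployment are ever added
         "oidcRPMetaDataOptionsBypassConsent" : 1,
         "oidcRPMetaDataOptionsClientID" : "%%key",
         "oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
         "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
         "oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
         "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
         "oidcRPMetaDataOptionsLogoutType" : "front",
§         "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
§ FIXME: the per-RP logout URL above is a hard-coded sample (note the literal
§ NAME) and stays disabled until a placeholder-driven value is available.
         "oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
         "oidcRPMetaDataOptionsPublic" : 0,
  § redirect URIs are only emitted when the remote declares a login URL
  %if %%oauth2['oauth2_' + %%key]['login_' + %%key]
         "oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
  %end if
         "oidcRPMetaDataOptionsRefreshToken" : 0,
         § PKCE is not enforced; turning this to 1 requires every registered
         § RP to send a code_challenge, so confirm client support first
         "oidcRPMetaDataOptionsRequirePKCE" : 0
  %if %%len_app - 1 == %%idx
      }
  %else
      },
  %end if
%end for
   },
   "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
   "oidcServiceMetaDataAuthnContext" : {
      "loa-1" : 1,
      "loa-2" : 2,
      "loa-3" : 3,
      "loa-4" : 4,
      "loa-5" : 5
   },
   § The token signing key pair is embedded inline; newlines are re-escaped so
   § the PEM fits a JSON string. hide_secret is passed through to the key
   § helpers, presumably so a secret-free rendering masks the private key --
   § confirm against the helper implementation.
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
   "oidcServicePublicKeySig" : "%%pub",
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
   "oidcServicePrivateKeySig" : "%%priv",
   "passwordDB" : "LDAP",
   "persistentStorage" : "Apache::Session::File",
   "persistentStorageOptions" : {
      "Directory": "/srv/lemonldap-ng/psessions",
      "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
   },
   "portal" : "https://%%revprox_client_external_domainnames[0]/",
   "portalCheckLogins": 0,
   "portalDisplayRegister": 0,
   "portalDisplayResetPassword": 0,
   "portalMainLogo": "risotto/logo.png",
   "showLanguages": 0,
   § The anti-CSRF form token is required for every client address except the
   § gateway one (presumably the reverse proxy in front of the portal -- confirm).
   "requireToken": "$env->{REMOTE_ADDR} ne '%%gateway_eth0'",
   "whatToTrace" : "_whatToTrace",
   § Build the application menu: remotes are grouped by category, and a remote
   § without a description is left out of the menu entirely.
%set %%remotes = {}
%for %%index, %%app in %%enumerate(%%oauth2.remotes)
 %set %%key = %%normalize_family(%%app)
 %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
 %if not %%description
  %continue
 %end if
 %set %%dico = {'key': %%key,
                'description': %%description,
                'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
                'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
                'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
%end for
   "applicationList" : {
%for %%index, %%cat in %%enumerate(%%remotes)
 § categories after the first are preceded by the separating comma
 %if %%index != 0
,
 %end if
      "cat_%%index" : {
         "catname" : "%%cat",
 %for %%dico in %%remotes[%%cat]
  %for %%idx, %%uri in %%enumerate(%%dico['uri'])
         "%%{dico['key']}_%%idx" : {
            "options" : {
               "description" : "%%dico['description']",
               "display" : "auto",
               "logo" : "%%dico['logo']",
               "name" : "%%dico['name']",
               "uri" : "%%uri"
            },
            "type" : "application"
         },
  %end for
 %end for
         "type" : "category"
      }%slurp
%end for

   }
}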