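%compiler-settings
commentStartToken = §
%end compiler-settings
§ Cheetah template producing a LemonLDAP::NG configuration file (cfgVersion 2.0.9).
§ %%name tokens are substituted at render time and the result is consumed as JSON,
§ so every generated object must stay strictly valid: no duplicate keys and no
§ dangling comma before a closing brace (the %%len_app / %%idx checks below
§ exist only for that).
§ The rendered output embeds secrets in clear text (managerPassword, every OIDC
§ client secret, the OIDC signing private key); its on-disk permissions must be
§ as tight as those of the values it is rendered from.
{
  "mailFrom" : "%%lemon_mail_admin",
  "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
  "portalSkinBackground" : "",
  "portalCustomCss": "risotto/risotto.css",
  "authentication" : "LDAP",
  "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
§ Bind credentials the portal uses to query the directory.
  "managerDn" : "%%ldapclient_user",
  "managerPassword" : "%%ldapclient_user_password",
  "ldapPpolicyControl" : 1,
  "ldapAllowResetExpiredPassword" : 1,
  "ldapChangePasswordAsUser" : 1,
  "ldapBase" : "%%ldapclient_search_dn",
  "ldapExportedVars" : {
    "uid" : "uid",
    "cn" : "cn",
    "sn" : "sn",
    "mail" : "mail",
    "givenName" : "givenName",
    "home" : "homeDirectory"
  },
§ Group membership is resolved through groupOfNames/member, whose values are
§ user DNs, hence ldapGroupAttributeNameUser = "dn". A second, earlier
§ "ldapGroupAttributeNameUser" : "cn" entry was removed: most JSON parsers keep
§ the last duplicate, so the effective value was most likely already "dn",
§ but a duplicate key leaves the result parser-dependent.
  "ldapGroupBase" : "%%ldapclient_group_dn",
  "ldapGroupAttributeName" : "member",
  "ldapGroupAttributeNameGroup" : "dn",
  "ldapGroupAttributeNameSearch" : "cn",
  "ldapGroupAttributeNameUser" : "dn",
  "ldapGroupObjectClass" : "groupOfNames",
§ LDAP over TLS (ldaps://, port 636) with mandatory certificate verification.
  "ldapPort" : "636",
  "ldapServer" : "ldaps://%%ldap_server_address",
  "ldapVerify" : "required",
  "ldapTimeout" : 120,
  "cfgAuthor" : "Risotto",
  "cfgNum" : 1,
  "cfgVersion" : "2.0.9",
  "demoExportedVars" : {
    "cn" : "cn",
    "mail" : "mail",
    "uid" : "uid"
  },
  "domain" : "%%revprox_client_external_domainnames[0]",
  "exportedVars" : {
    "UA" : "HTTP_USER_AGENT",
    "cn" : "cn",
    "mail" : "mail"
  },
  "globalStorageOptions" : {
    "Directory" : "/srv/lemonldap-ng/sessions",
    "LockDirectory" : "/srv/lemonldap-ng/sessions/lock"
  },
  "issuerDBOpenIDConnectActivation" : 1,
  "localSessionStorageOptions" : {
    "cache_depth" : 3,
    "cache_root" : "/srv/lemonldap-ng/cache",
    "default_expires_in" : 600,
    "directory_umask" : "007",
    "namespace" : "lemonldap-ng-sessions"
  },
§ Access rules. The portal's own domain accepts everyone; every distinct host
§ declared by an OAuth2 remote gets a logout_sso rule on ^/logout plus a
§ default rule restricting access to the remote's family group. A host is
§ written once even when several remotes share it (%%domains tracks those
§ already emitted); each new host first closes the previous block with "},".
  "locationRules" : {
    "%%revprox_client_external_domainnames[0]" : {
      "default" : "accept"
%set %%domains = []
%for %%app in %%oauth2.remotes
%set %%key = %%normalize_family(%%app)
§ hosts look something like ['https://domain/']; split('/', 3)[-2] keeps the host part
%for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
%set %%domain = %%str(%%external).split('/', 3)[-2]
%if %%domain not in %%domains
    },
    "%%domain" : {
      "^/logout" : "logout_sso",
      "default" : "$groups eq \"%%external['family_' + %%key]\""
%%domains.append(%%domain)%slurp
%end if
%end for
%end for
    }
  },
  "loginHistoryEnabled" : 1,
  "macros" : {
    "UA" : "$ENV{HTTP_USER_AGENT}",
    "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
  },
  "mailUrl" : "https://%%revprox_client_external_domainnames[0]/resetpwd",
  "mySessionAuthorizedRWKeys" : [
    "_appsListOrder",
    "_oidcConnectedRP",
    "_oidcConsents"
  ],
  "notification" : 1,
  "notificationStorageOptions" : {
    "dirName" : "/srv/lemonldap-ng/notifications"
  },
§ One OIDC relying party per OAuth2 remote, keyed by the remote name. The
§ trailing comma is dropped on the last entry to keep the object valid JSON.
§ %%len_app is reused by the oidcRPMetaDataOptions loop below.
  "oidcRPMetaDataExportedVars" : {
%set %%len_app = %%len(%%oauth2.remotes)
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
    "%%app" : {
      "email" : "mail",
      "family_name" : "sn",
      "name" : "cn",
      "nickname" : "uid",
      "home" : "home"
%if %%len_app - 1 == %%idx
    }
%else
    },
%end if
%end for
  },
§ Per-RP options. The grant, consent and PKCE flags are the same for every
§ remote (no per-remote override is read from %%oauth2); only the client id,
§ client secret, signing algorithm and redirect URIs come from the remote.
  "oidcRPMetaDataOptions" : {
%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
    "%%app" : {
      "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
      "oidcRPMetaDataOptionsAllowOffline" : 1,
      "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
      "oidcRPMetaDataOptionsBypassConsent" : 1,
      "oidcRPMetaDataOptionsClientID" : "%%key",
      "oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
      "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
      "oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
      "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
      "oidcRPMetaDataOptionsLogoutType" : "front",
§ "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
§ FIXME: LogoutUrl above is disabled and PostLogoutRedirectUris is a fixed
§ value rather than one derived from the remote.
      "oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
      "oidcRPMetaDataOptionsPublic" : 0,
§ Only emitted when the remote declares a login URL.
%if %%oauth2['oauth2_' + %%key]['login_' + %%key]
      "oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
%end if
      "oidcRPMetaDataOptionsRefreshToken" : 0,
      "oidcRPMetaDataOptionsRequirePKCE" : 0
%if %%len_app - 1 == %%idx
    }
%else
    },
%end if
%end for
  },
  "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
  "oidcServiceMetaDataAuthnContext" : {
    "loa-1" : 1,
    "loa-2" : 2,
    "loa-3" : 3,
    "loa-4" : 4,
    "loa-5" : 5
  },
§ Key material is multi-line; real newlines are replaced by the two characters
§ "\n" so each key fits in a single JSON string. hide=%%hide_secret is passed
§ to both getters (presumably to redact the key when set; confirm in
§ get_private_key).
%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
  "oidcServicePublicKeySig" : "%%pub",
%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
  "oidcServicePrivateKeySig" : "%%priv",
  "passwordDB" : "LDAP",
  "persistentStorage" : "Apache::Session::File",
  "persistentStorageOptions" : {
    "Directory": "/srv/lemonldap-ng/psessions",
    "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
  },
  "portal" : "https://%%revprox_client_external_domainnames[0]/",
  "portalCheckLogins": 0,
  "portalDisplayRegister": 0,
  "portalDisplayResetPassword": 0,
  "portalMainLogo": "risotto/logo.png",
  "showLanguages": 0,
§ The form token is demanded from every client except the one whose
§ REMOTE_ADDR is the gateway address (%%gateway_eth0).
  "requireToken": "$env->{REMOTE_ADDR} ne '%%gateway_eth0'",
  "whatToTrace" : "_whatToTrace",
§ Build the application menu: remotes without a description are skipped, the
§ others are grouped by their category.
%set %%remotes = {}
%for %%index, %%app in %%enumerate(%%oauth2.remotes)
%set %%key = %%normalize_family(%%app)
%set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
%if not %%description
%continue
%end if
%set %%dico = {'key': %%key,
               'description': %%description,
               'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
               'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
               'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
%end for
§ One "cat_N" entry per category; a comma is written before every category
§ but the first, and each host of a remote becomes its own application entry.
  "applicationList" : {
%for %%index, %%cat in %%enumerate(%%remotes)
%if %%index != 0
    ,
%end if
    "cat_%%index" : {
      "catname" : "%%cat",
%for %%dico in %%remotes[%%cat]
%for %%idx, %%uri in %%enumerate(%%dico['uri'])
      "%%{dico['key']}_%%idx" : {
        "options" : {
          "description" : "%%dico['description']",
          "display" : "auto",
          "logo" : "%%dico['logo']",
          "name" : "%%dico['name']",
          "uri" : "%%uri"
        },
        "type" : "application"
      },
%end for
%end for
      "type" : "category"
    }%slurp
%end for
  }
}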