initial commit of file from CVS for smeserver-lemonldap-ng on Sat Sep 7 20:31:17 AEST 2024

root/etc/e-smith/db/accounts/defaults/lm-reload/type

@@ -0,0 +1 @@
+url

root/etc/e-smith/db/configuration/defaults/lemonldap/status

@@ -0,0 +1 @@
+enabled

root/etc/e-smith/db/configuration/defaults/lemonldap/type

@@ -0,0 +1 @@
+service

root/etc/e-smith/db/configuration/migrate/90MigrateLemonLDAP

@@ -0,0 +1,14 @@
+{
+
+use esmith::DomainsDB;
+my $d = esmith::DomainsDB->open() or die "Couldn't open DomainsDB\n";
+
+foreach my $domain ($d->domains){
+    my $llng = $domain->prop('LemonLDAP') || '';
+    next unless $llng eq 'enabled';
+    $domain->set_prop('Authentication', 'LemonLDAP');
+    $domain->delete_prop('LemonLDAP');
+}
+
+}
+

root/etc/e-smith/db/configuration/migrate/lemonldap-enable-mod_perl

@@ -0,0 +1,12 @@
+{
+
+    my $mp = $DB->get('modPerl') || $DB->new_record("modPerl", { type => "service", status => "enabled" });
+
+    if ( ($mp->prop('status') || 'disabled') eq 'enabled'){
+        return "";
+    }
+    else{
+        $DB->set_prop('modPerl', 'status', 'enabled');
+    }
+
+}

root/etc/e-smith/db/configuration/migrate/lemonldap-soappasswd

@@ -0,0 +1,13 @@
+{
+
+my $rec = $DB->get('lemonldap')
+        || $DB->new_record('lemonldap', {type => 'service'});
+
+my $pw = $rec->prop('SoapPassword');
+
+if (not $pw){
+    my $rand = `/usr/bin/openssl rand -base64 35 | tr -cd '[:alnum:]'`;
+    $rec->set_prop('SoapPassword', "$rand");
+}
+
+}

root/etc/e-smith/events/actions/lemonldap-init-domains

@@ -0,0 +1,88 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall-Services
+# daniel@firewall-services.com
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+# Technical support for this program is available from Mitel Networks 
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+use strict;
+use warnings;
+use esmith::DomainsDB;
+use esmith::ConfigDB;
+
+my $d = esmith::DomainsDB->open or die "Couldn't open DomainsDB\n";
+my $c = esmith::ConfigDB->open_ro() or die "Couldn't open ConfigDB\n";
+
+my $domain = $c->get('DomainName')->value;
+my $vhost;
+
+$vhost = $d->get("sso-manager.$domain");
+
+if (!$vhost){
+    $d->new_record("sso-manager.$domain",{
+        type         => 'domain',
+        Content      => 'Primary',
+        Description  => "LemonLDAP-NG Manager",
+        Nameservers  => 'internet',
+        TemplatePath => 'LemonLDAPManager',
+        Removable    => 'no',
+    });
+
+    unless ( system("/sbin/e-smith/signal-event", "domain-create", "sso-manager.$domain") == 0 ){
+        die "Failed to create domain sso-manager.$domain\n";
+    }
+}
+
+$vhost = $d->get("auth.$domain");
+
+if (!$vhost){
+    $d->new_record("auth.$domain",{
+        type         => 'domain',
+        Content      => 'Primary',
+        Description  => "LemonLDAP-NG Portal",
+        Nameservers  => 'internet',
+        TemplatePath => 'LemonLDAPPortal',
+        Removable    => 'no',
+    });
+
+    unless ( system("/sbin/e-smith/signal-event", "domain-create", "auth.$domain") == 0 ){
+        die "Failed to create domain auth.$domain\n";
+    }
+}
+
+$vhost = $d->get("soapsso.$domain");
+
+if (!$vhost){
+    $d->new_record("soapsso.$domain",{
+        type         => 'domain',
+        Content      => 'Primary',
+        Description  => "LemonLDAP-NG SOAP Handler",
+        Nameservers  => 'internet',
+        TemplatePath => 'LemonLDAPSoap',
+        Removable    => 'no',
+    });
+
+    unless ( system("/sbin/e-smith/signal-event", "domain-create", "soapsso.$domain") == 0 ){
+        die "Failed to create domain soapsso.$domain\n";
+    }
+}
+
+
+exit 0;
+

root/etc/e-smith/events/actions/lemonldap-update-conf

@@ -0,0 +1,43 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2011 Firewall-Services
+# daniel@firewall-services.com
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+# Technical support for this program is available from Mitel Networks 
+# Please visit our web site www.mitel.com/sme/ for details.
+#----------------------------------------------------------------------
+
+use esmith::ConfigDB;
+use esmith::templates;
+
+my $c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
+my $llng = $c->get('lemonldap');
+
+my $status = $llng->prop('status') || 'disabled';
+my $manual = $llng->prop('ManualConf') || 'disabled';
+
+# Don't touch the configuration if it's set to be manual
+# or if the service is disabled
+exit (0) if ($manual eq 'enabled' or $status ne 'enabled');
+
+processTemplate(
+        {   
+            TEMPLATE_PATH => "/var/lib/lemonldap-ng/conf/lmConf",
+            OUTPUT_FILENAME => "/var/lib/lemonldap-ng/conf/lmConf",
+        });
+
+exit (0);

root/etc/e-smith/templates.metadata/etc/lemonldap-ng/lemonldap-ng.ini

@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="www"

root/etc/e-smith/templates.metadata/etc/lemonldap-ng/soap-htpasswd

@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="www"

root/etc/e-smith/templates.metadata/var/lib/lemonldap-ng/conf/lmConf-2

@@ -0,0 +1,3 @@
+PERMS=0640
+UID="www"
+GID="www"

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/97LemonLDAPHandler

@@ -0,0 +1,34 @@
+#====================================================================
+# Apache configuration for LemonLDAP::NG Handler
+#====================================================================
+
+# Load LemonLDAP::NG Handler
+PerlOptions +GlobalRequest
+PerlRequire Lemonldap/NG/Handler.pm
+
+# Common error page and security parameters
+#ErrorDocument 403 http://auth.{$DomainName}/?lmError=403
+#ErrorDocument 500 http://auth.{$DomainName}/?lmError=500
+
+
+# Configuration reload mechanism (only 1 per physical server is
+# needed): choose your URL to avoid restarting Apache when
+# configuration change
+# Dummy Alias so apache allows access to /lm-reload
+Alias /lm-reload /etc/httpd/proxy/proxy.pac
+<Location /lm-reload>
+    SSLRequireSSL on
+    Order deny,allow
+    Deny from all
+    Allow from {"$LocalIP $localAccess $externalSSLAccess";}
+    PerlHeaderParserHandler Lemonldap::NG::Handler->refresh
+</Location>
+
+# Uncomment this to activate status module
+#<Location /status>
+#    Order deny,allow
+#    Deny from all
+#    Allow from 127.0.0.0/8
+#    PerlHeaderParserHandler Lemonldap::NG::Handler->status
+#</Location>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/00Setup

@@ -0,0 +1,10 @@
+{
+    use esmith::DomainsDB;
+    # Convert the passed hash for the domain object back into an object.
+    $domain = bless \%domain, 'esmith::DB::db::Record';
+
+    # Make scalars from some of the properties of the domain
+    $virtualHost = $domain->key;
+    $OUT = "";
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/10ServerName

@@ -0,0 +1 @@
+    ServerName {$virtualHost}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/80LemonLDAPManager

@@ -0,0 +1,114 @@
+{
+
+    use esmith::util;
+
+    if ( $port ne ($modSSL{'TCPPort'} || '443')){
+        $OUT .=<<"EOF";
+
+    #====================================================================
+    # HTTPS redirection for LemonLDAP::NG Manager
+    #====================================================================
+
+    RewriteEngine on
+    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
+    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+EOF
+    }
+    else{
+        my $authtype = $lemonldap{'ManagerAuth'} || 'basic';
+        my $auth = '';
+        my $base = esmith::util::ldapBase($DomainName);
+
+        unless ( $authtype eq 'self' ) {
+            $auth = "AuthName 'LemonLDAP NG Manager Interface'\n" .
+                    "        AuthType Basic\n" .
+                    "        AuthBasicProvider ldap\n" .
+                    "        AuthLDAPURL ldap://localhost/ou=Users,$base?uid\n" .
+                    "        AuthLDAPGroupAttribute memberUid\n" .
+                    "        AuthLDAPGroupAttributeIsDN off\n" .
+                    "        require ldap-user admin";
+        }
+
+        $OUT .=<<"EOF";
+
+    SSLEngine On
+
+    PerlOptions +Parent
+
+    #====================================================================
+    # Apache configuration for LemonLDAP::NG Manager
+    #====================================================================
+
+    # DocumentRoot
+    DocumentRoot /var/lib/lemonldap-ng/manager/
+    <Directory /var/lib/lemonldap-ng/manager/>
+        Order deny,allow
+        Deny from all
+        Allow from $localAccess $externalSSLAccess
+        Options +ExecCGI +FollowSymlinks
+        $auth
+        Satisfy all
+    </Directory>
+
+    # On-line documentation
+    Alias /doc/ /var/lib/lemonldap-ng/doc/
+    Alias /fr-doc/ /var/lib/lemonldap-ng/fr-doc/
+    Alias /lib/ /var/lib/lemonldap-ng/doc/lib/
+    <Directory /var/lib/lemonldap-ng/doc/>
+        Order deny,allow
+        Allow from all
+        ErrorDocument 404 /notfound.html
+        Options +FollowSymlinks
+        DirectoryIndex index.pl index.html
+    </Directory>
+    <Directory /var/lib/lemonldap-ng/fr-doc/>
+        Order deny,allow
+        Allow from all
+        ErrorDocument 404 /notfound.html
+        Options +FollowSymlinks
+        DirectoryIndex index.pl index.html
+    </Directory>
+
+    # Perl script
+    # Note: to avoid manager stay in memory, we don't use ModPerl::Registry
+    #       by default. Change this to increase manager performances
+    <Files *.pl>
+        #SetHandler cgi-script
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+    </Files>
+
+    # Directory index
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+    <Location /doc/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+    <Location /skins/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+EOF
+    }
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-begin

@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPManager/template-end

@@ -0,0 +1,2 @@
+</VirtualHost>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/00Setup

@@ -0,0 +1,10 @@
+{
+    use esmith::DomainsDB;
+    # Convert the passed hash for the domain object back into an object.
+    $domain = bless \%domain, 'esmith::DB::db::Record';
+
+    # Make scalars from some of the properties of the domain
+    $virtualHost = $domain->key;
+    $OUT = "";
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/10ServerName

@@ -0,0 +1 @@
+    ServerName {$virtualHost}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/80LemonLDAPPortal

@@ -0,0 +1,133 @@
+{
+
+use esmith::AccountsDB;
+my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
+
+if ( $port ne ($modSSL{'TCPPort'} || '443')){
+    $OUT .=<<"EOF";
+
+    #====================================================================
+    # HTTPS redirection for LemonLDAP::NG Portal
+    #====================================================================
+
+    RewriteEngine on
+    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
+    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+
+EOF
+    }
+else{
+
+    # SSL Authentication
+    my $SSLAuth = $lemonldap{'SSLAuth'} || 'disabled';
+    my $sslDirectives = '    # SSL Auth is disabled';
+    my $sogoWorkArround = '';
+    if ((-e '/etc/pki/tls/certs/cacert.pem') &&
+        ($SSLAuth =~ m/^(require)|(optional)$/)) {
+        $sslDirectives =<<"HERE";
+    <LocationMatch "^/(\$|\\?url=.*|cas/login.*)">
+        SSLVerifyClient $SSLAuth
+        SSLVerifyDepth 1
+        SSLOptions +StdEnvVars
+        SSLUserName SSL_CLIENT_S_DN_CN
+    </LocationMatch>
+HERE
+    }
+    if (-e '/usr/lib/perl5/site_perl/Apache/FilterChangeLength.pm' ||
+        -e '/usr/share/perl5/vendor_perl/Apache/FilterChangeLength.pm'){
+        # Looks like iPasserelle groupware is installed
+        # SOPE doesn't supports chunked encoding
+        # the following makes it happy
+        # see http://sogo.nu/bugs/view.php?id=2408
+        $sogoWorkArround =<<"HERE";
+    <Location /cas>
+        BrowserMatch "SOPE/" downgrade-1.0
+        PerlOutputFilterHandler Apache::FilterChangeLength
+        Header set Access-Control-Allow-Origin '*'
+    </Location>
+HERE
+    }
+ 
+    $OUT .=<<"EOF";
+
+    SSLEngine On
+
+    PerlOptions +Parent
+
+    #====================================================================
+    # Apache configuration for LemonLDAP::NG Portal
+    #====================================================================
+
+    # DocumentRoot
+    DocumentRoot /var/lib/lemonldap-ng/portal/
+
+    <Perl>
+        require Lemonldap::NG::Portal::SharedConf;
+        Lemonldap::NG::Portal::SharedConf->compile(
+            qw(delete header cache read_from_client cookie redirect unescapeHTML));
+        # Uncomment this line if you use Lemonldap::NG menu
+        require Lemonldap::NG::Portal::Menu;
+    </Perl>
+
+    <Directory /var/lib/lemonldap-ng/portal/>
+        Order allow,deny
+        Allow from all
+        Options +ExecCGI +FollowSymlinks
+    </Directory>
+$sslDirectives
+$sogoWorkArround
+
+    # Perl script
+    <Files *.pl>
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+    </Files>
+
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
+    # SAML2 Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/saml/metadata /metadata.pl
+        RewriteRule ^/saml/.* /index.pl
+    </IfModule>
+
+    # CAS Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/cas/.* /index.pl
+    </IfModule>
+
+    # OpenID Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/openidserver/.* /index.pl
+    </IfModule>
+
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+    <Location /skins/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+
+EOF
+    }
+}
+
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-begin

@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPPortal/template-end

@@ -0,0 +1,2 @@
+</VirtualHost>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/00Setup

@@ -0,0 +1,10 @@
+{
+    use esmith::DomainsDB;
+    # Convert the passed hash for the domain object back into an object.
+    $domain = bless \%domain, 'esmith::DB::db::Record';
+
+    # Make scalars from some of the properties of the domain
+    $virtualHost = $domain->key;
+    $OUT = "";
+}
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/10ServerName

@@ -0,0 +1 @@
+    ServerName {$virtualHost}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/80LemonLDAPSoap

@@ -0,0 +1,120 @@
+{
+
+use esmith::AccountsDB;
+my $a = esmith::AccountsDB->open_ro() or die "Couldn't open AccountsDB\n";
+
+if ( $port ne ($modSSL{'TCPPort'} || '443')){
+    $OUT .=<<"EOF";
+
+    #====================================================================
+    # HTTPS redirection for LemonLDAP::NG Portal
+    #====================================================================
+
+    RewriteEngine on
+    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/.*
+    RewriteRule ^/(.*|\$) https://%{HTTP_HOST}/\$1 \[L,R\]
+
+EOF
+    }
+else{
+    my $soapAllow = join (" ", split(/[;,]/, ($lemonldap{'SoapAllowFrom'} || '')));
+    $soapAllow = ( $soapAllow eq '' ) ? '' : "Allow from $soapAllow\n        ";
+    my $soapPassword = $lemonldap{'SoapPassword'} || '';
+    $soapAllow .=  ($soapPassword eq '') ? '' :
+        'AuthName "LemonLDAP SOAP interface"' . "\n        " .
+        'AuthType Basic' . "\n        " .
+        'AuthBasicProvider file' . "\n        " .
+        'AuthUserFile /etc/lemonldap-ng/soap-htpasswd' . "\n        " .
+        'Require valid-user' . "\n        " .
+        'Satisfy all';
+
+    $OUT .=<<"EOF";
+
+    SSLEngine On
+
+    PerlOptions +Parent
+
+    #====================================================================
+    # Apache configuration for LemonLDAP::NG Portal
+    #====================================================================
+
+    # DocumentRoot
+    DocumentRoot /var/lib/lemonldap-ng/portal/
+
+    <Perl>
+        require Lemonldap::NG::Portal::SharedConf;
+        Lemonldap::NG::Portal::SharedConf->compile(
+            qw(delete header cache read_from_client cookie redirect unescapeHTML));
+        # Uncomment this line if you use portal SOAP capabilities
+        require SOAP::Lite;
+    </Perl>
+
+    <Directory /var/lib/lemonldap-ng/portal/>
+        Order allow,deny
+        Allow from all
+        Options +ExecCGI +FollowSymlinks
+    </Directory>
+
+    # Perl script
+    <Files *.pl>
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+    </Files>
+
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
+    # SOAP functions for sessions management (disabled by default)
+    <Location /index.pl/adminSessions>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    # SOAP functions for sessions access (disabled by default)
+    <Location /index.pl/sessions>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    # SOAP functions for configuration access (disabled by default)
+    <Location /index.pl/config>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    # SOAP functions for notification insertion (disabled by default)
+    <Location /index.pl/notification>
+        Order deny,allow
+        Deny from all
+        $soapAllow
+    </Location>
+
+    <Location />
+        <IfModule mod_deflate.c>
+                AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css
+                SetOutputFilter DEFLATE
+                BrowserMatch ^Mozilla/4 gzip-only-text/html
+                BrowserMatch ^Mozilla/4\.0[678] no-gzip
+                BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
+                SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)\$ no-gzip dont-vary
+        </IfModule>
+        <IfModule mod_headers.c>
+                Header append Vary User-Agent env=!dont-vary
+        </IfModule>
+    </Location>
+    <Location /skins/>
+        <IfModule mod_expires.c>
+                ExpiresActive On
+                ExpiresDefault "access plus 1 month"
+        </IfModule>
+    </Location>
+
+EOF
+    }
+}
+
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-begin

@@ -0,0 +1,2 @@
+
+<VirtualHost {$ipAddress}:{$port}>

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/LemonLDAPSoap/template-end

@@ -0,0 +1,2 @@
+</VirtualHost>
+

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/05LemonLDAPHandler

@@ -0,0 +1,21 @@
+{
+
+my $auth = $domain->prop('Authentication') || 'none';
+
+if (($modSSL{'TCPPort'} || '443') eq $port){
+  if ($auth eq 'LemonLDAP'){
+    $OUT .= "    # This virtualhost is configured to be protected by LemonLDAP NG\n" .
+            "    PerlHeaderParserHandler Lemonldap::NG::Handler\n" .
+            "    ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
+            "    ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
+    if (($domain->prop('LemonLDAPMenu') || 'disabled') eq 'enabled'){
+        $OUT .= "    PerlOutputFilterHandler Lemonldap::NG::Handler::Menu\n";
+    }
+  }
+  elsif ($auth eq 'LemonLDAPBasic'){
+    $OUT .= "    # This virtualhost is configured to be protected by LemonLDAP NG (basic auth)\n" .
+            "    PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::AuthBasic\n";
+  }
+}
+
+}

root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/WebAppVirtualHost/05LemonLDAPHandler

@@ -0,0 +1,21 @@
+{
+
+my $auth = $domain->prop('Authentication') || 'none';
+
+if (($modSSL{'TCPPort'} || '443') eq $port){
+  if ($auth eq 'LemonLDAP'){
+    $OUT .= "    # This virtualhost is configured to be protected by LemonLDAP NG\n" .
+            "    PerlHeaderParserHandler Lemonldap::NG::Handler\n" .
+            "    ErrorDocument 403 https://auth.$DomainName/?lmError=403\n" .
+            "    ErrorDocument 500 https://auth.$DomainName/?lmError=500\n";
+    if (($domain->prop('LemonLDAPMenu') || 'disabled') eq 'enabled'){
+        $OUT .= "    PerlOutputFilterHandler Lemonldap::NG::Handler::Menu\n";
+    }
+  }
+  elsif ($auth eq 'LemonLDAPBasic'){
+    $OUT .= "    # This virtualhost is configured to be protected by LemonLDAP NG (basic auth)\n" .
+            "    PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::AuthBasic\n";
+  }
+}
+
+}

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/00header

@@ -0,0 +1,19 @@
+#==============================================================================
+# LemonLDAP::NG local configuration parameters
+#
+# This file is dedicated to configuration parameters override
+# You can set here configuration parameters that will be used only by
+# local LemonLDAP::NG elements
+#
+# Section "all" is always read first before "portal", "handler"
+# and "manager"
+#
+# Section "configuration" is used to load global configuration and set cache
+# (replace old storage.conf file)
+#
+# Section "apply" is read by Manager to reload handlers
+# (replace old apply.conf file)
+#
+# Other section are only read by the specific LemonLDAP::NG component
+#==============================================================================
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/05All

@@ -0,0 +1,7 @@
+
+[all]
+globalStorage = Apache::Session::File
+globalStorageOptions = \{ 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', \}
+localSessionStorage=Cache::FileCache
+localSessionStorageOptions=\{ 'namespace' => 'sessions', 'default_expires_in' => '600', 'directory_umask' => '007', 'cache_root' => '/var/cache/lemonldap-ng', 'cache_depth' => 3, \}
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/10configuration

@@ -0,0 +1,11 @@
+
+[configuration]
+
+type=File
+dirName = /var/lib/lemonldap-ng/conf
+globalStorageOptions=\{ 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \}
+
+localStorage=Cache::FileCache
+localStorageOptions=\{ 'namespace' => 'localcache', 'default_expires_in' => 600, 'directory_umask' => '007', 'cache_root' => '/var/cache/lemonldap-ng', 'cache_depth' => 5, \}
+
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/15apply

@@ -0,0 +1,11 @@
+[apply]
+
+{"$SystemName.$DomainName";} = https://{"$SystemName.$DomainName";}/lm-reload
+
+{
+
+foreach my $srv (split(/[;,]/, ($lemonldap{'Reload'} || ''))){
+    my ($name,$url) = split(/=/, $srv);
+    $OUT .= "$name = $url\n";
+}
+}

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/20manager

@@ -0,0 +1,10 @@
+
+[manager]
+{
+    $OUT .= (($lemonldap{'ManagerAuth'} || 'basic') eq 'self') ?
+        'protection = manager' : '';
+}
+
+[sessionsExplorer]
+
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/25handler

@@ -0,0 +1,6 @@
+[handler]
+
+https = 1
+status = 0
+useRedirectOnError = 1
+

root/etc/e-smith/templates/etc/lemonldap-ng/lemonldap-ng.ini/30portal

@@ -0,0 +1,3 @@
+
+[portal]
+

root/etc/e-smith/templates/etc/lemonldap-ng/soap-htpasswd/05lemonsoap

@@ -0,0 +1,6 @@
+{
+    my $pw = $lemonldap{'SoapPassword'} || 'secret';
+    my $res = `/usr/bin/htpasswd -bnm lemonsoap $pw`;
+    chomp($res);
+    $OUT .= $res;
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/000open

@@ -0,0 +1,31 @@
+{
+use esmith::ConfigDB;
+use esmith::DomainsDB;
+use esmith::NetworksDB;
+use esmith::util;
+use Lemonldap::NG::Common::Conf;
+
+$c = esmith::ConfigDB->open_ro or die "Error opening ConfigDB\n";
+$d = esmith::DomainsDB->open_ro or die "Error opening DomainsDB\n";
+$n = esmith::NetworksDB->open_ro or die "Error opening NetworksDB\n";
+$domain = $c->get('DomainName')->value;
+$host = $c->get('SystemName')->value;
+$base = esmith::util::ldapBase ($domain);
+$ldap = $c->get('ldap') || die "Error reading ldap service entry\n";
+$port = $ldap->prop('TCPPort') || '389';
+$llng = $c->get('lemonldap');
+
+$manual = $llng->prop('ManualConf') || 'disabled';
+
+$confAccess = new Lemonldap::NG::Common::Conf(
+          {
+              type=>'File',
+              dirName=>"/var/lib/lemonldap-ng/conf",
+          },
+) or die "Unable to build Lemonldap::NG::Common::Conf, see Apache logs\n";
+
+$conf = $confAccess->getConf();
+
+$OUT = '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/005global

@@ -0,0 +1,15 @@
+{
+
+# Global parameters
+$conf->{'domain'} = "$domain";
+$conf->{'portal'} = "https://auth.$domain/";
+$conf->{'storePassword'} = '0';
+$conf->{'portalUserAttr'} = 'cn' if (($conf->{'portalUserAttr'} || '_user') eq "_user");
+$conf->{'portalDisplayChangePassword'} = '0';
+$conf->{'syslog'} = 'auth';
+$conf->{'https'} = '1';
+$conf->{'port'} = '443';
+
+$OUT .= '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/010ldap

@@ -0,0 +1,17 @@
+{
+
+# LDAP parameters
+$conf->{'passwordDB'} = 'LDAP';
+$conf->{'userDB'} = 'LDAP';
+$conf->{'ldapServer'} = 'localhost';
+$conf->{'ldapPort'} = "$port";
+$conf->{'ldapVersion'} = '3';
+$conf->{'ldapBase'} = "ou=Users,$base";
+$conf->{'ldapGroupBase'} = "ou=Groups,$base";
+$conf->{'ldapGroupAttributeNameUser'} = 'uid';
+$conf->{'ldapGroupAttributeNameSearch'} = 'cn';
+$conf->{'ldapGroupAttributeName'} = 'memberUid';
+$conf->{'ldapGroupObjectClass'} = 'mailboxRelatedObject';
+
+$OUT .= '';
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/015soap

@@ -0,0 +1,19 @@
+{
+
+# SOAP
+if (($llng->prop('SoapAllowFrom') || '') ne ''){
+    my $password = $llng->prop('SoapPassword') || 'secret';
+    $conf->{'Soap'} = '1';
+    $conf->{'globalStorage'} = 'Lemonldap::NG::Common::Apache::Session::SOAP';
+    $conf->{'globalStorageOptions'} = {
+        proxy          => "https://lemonsoap:$password\@soapsso.$domain/index.pl/sessions",
+        generateModule => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256'
+    };
+}
+else {
+    $conf->{'Soap'} = '0';
+}
+
+$OUT = '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/020auth

@@ -0,0 +1,34 @@
+{
+
+# SSL Auth
+my $ssl = $llng->prop('SSLAuth') || '';
+
+if ($ssl eq 'optional' || $ssl eq 'require'){
+    # SSL Auth is enabled
+    # Configure common attributes
+    $conf->{'SSLLDAPField'} = 'uid';
+    $conf->{'SSLVar'} = 'SSL_CLIENT_S_DN_CN';
+    $conf->{'SSLRequire'} = '1';
+
+    if ($ssl eq 'optional'){
+         $conf->{'authentication'} = 'Multi SSL;LDAP';
+    }
+    else{
+         $conf->{'authentication'} = 'SSL';
+    }
+}
+else{
+    $conf->{'authentication'} = 'LDAP';
+}
+
+# Enable CAS issuer DB
+$conf->{'issuerDBCASActivation'} = 1;
+
+# default cookie settings
+$conf->{'securedCookie'} = 1 unless ($conf->{'securedCookie'});
+$conf->{'httpOnly'} = 1 unless ($conf->{'httpOnly'});
+
+
+$OUT = '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/025localnet

@@ -0,0 +1,45 @@
+{
+
+my $reg = '$ipAddr =~ /^';
+
+# Build a regexp to check if the client IP
+# is part of a local network
+# Then, we can easily use this macro to restrict
+# access to local networks on some applications
+my @net = ();
+
+foreach my $net ($n->networks){
+    my $addr = $net->key;
+    my $mask = $net->prop('Mask') || '255.255.255.255';
+    foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+        push @net, "($_)";
+    }
+}
+
+$reg .= join('|', @net);
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'localAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$reg = '$ipAddr =~ /^';
+@net = ();
+
+# Do the same for extenal SSL access
+foreach my $net (split(/[;,]/,(${'httpd-admin'}{'ValidFrom'} || ''))){
+    my ($addr,$mask) = split(/\//,$net);
+    foreach (esmith::util::computeAllLocalNetworkPrefixes($addr,$mask)){
+        push @net, "($_)";
+    }
+}
+
+$reg .= join('|', @net);
+$reg .= '/';
+$reg =~ s/\./\\\./g;
+
+$conf->{'macros'}->{'externalSSLAccess'} = '(' . $reg . ") ? '1':'0'";
+
+$OUT = '';
+
+}
+

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/030notifications

@@ -0,0 +1,10 @@
+{
+
+if (($conf->{'notification'} || '0') eq '1'){
+    $conf->{'notificationStorage'} = 'File';
+    $conf->{'notificationStorageOptions'} = {
+        'dirName' => '/var/lib/lemonldap-ng/notifications'
+    },
+}
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/035portal

@@ -0,0 +1,9 @@
+{
+
+# Portal elements
+$conf->{'portalDisplayRegister'} = 0;
+$conf->{'portalDisplayResetPassword'} = 0;
+
+$OUT = '';
+
+}

root/etc/e-smith/templates/var/lib/lemonldap-ng/conf/lmConf/template-end

@@ -0,0 +1,16 @@
+{
+
+# Now, update the configuration
+my $num = $confAccess->saveConf($conf);
+
+if ($num > 0){
+    esmith::util::chownFile('www', 'www', "/var/lib/lemonldap-ng/conf/lmConf-$num");
+    chmod 0660, "/var/lib/lemonldap-ng/conf/lmConf-$num";
+}
+else {
+    die "An error occured saving LemonLDAP::NG configuration: $num\n";
+}
+
+$OUT = '# This is just a dummy config file';
+
+}