vi /etc/obm/obm_conf.ini
-----------------
obm-ldap=true
ldapServer=ldap://localhost/
-----------------
vi /etc/obm/obm_conf.inc
-----------------
// OBM authentication backend: trust the identity and attributes carried in the
// HTTP_OBM_* request headers set by the LemonLDAP::NG handler in front of OBM
// (the header names are the ones exported by the manager rules, see the
// "hôte virtuel d'OBM" section). Values written as *<...>* are site placeholders.
$auth_kind = 'LemonLDAP';
$lemonldap_config = Array(
// presumably provisions/updates the OBM user record from headers_map on each
// login — confirm against the auth module before enabling in production
"auto_update" => true,
"url_logout" => "*<URL AGENDA>*/logout",
"server_ip_address" => "localhost",
// NOTE(review): with server_ip_check disabled, the header-based identity is
// presumably accepted from any client reaching this vhost, not only from the
// SSO handler at server_ip_address. The HTTP_OBM_* headers are then only
// trustworthy if nothing can reach OBM without going through the
// PerlHeaderParserHandler configured in obm.conf — confirm before exposing OBM.
"server_ip_check" => false,
// NOTE(review): debug output may include the mapped headers, one of which is
// the user's password (HTTP_OBM_USERPASSWORD below); disable in production or
// restrict the log file to the web server user.
"debug" => true,
"debug_filepath" =>
"/export/home/tmp/obm-lemonldapng.log",
"debug_header_name" => "HTTP_OBM_UID",
"group_header_name" => "HTTP_OBM_GROUPS",
"ldap_server" => "*<LDAP_SERVER>*",
"ldap_basedn" => "*<BaseDn de l'annuaire LDAP>*",
"ldap_binddn" => "*<Dn d'un user en lecture seule sur
l'annuaire LDAP>*",
// cleartext bind password: keep this file readable by the web server user only
"ldap_bindpw" => "*<Bind password>*",
"ldap_filter" => "(objectclass=fichannuaire)",
"ldap_scope" => "one",
"ldap_version" => 3,
// NOTE(review): bind and searches go to the directory in clear; acceptable only
// if ldap_server is local or on a trusted network — otherwise enable SSL/TLS.
"ldap_usessl" => false,
// OBM user field -> request header carrying its value.
// NOTE(review): the manager rules in this document do not export OBM_GIDNUMBER,
// OBM_DATEBEGIN, OBM_DESCRIPTION or OBM_POSTALADDRESS, so the corresponding
// mappings below receive nothing unless those headers are added on the SSO side.
"headers_map" => Array(
"userobm_gid" =>
"HTTP_OBM_GIDNUMBER",
//"userobm_domain_id" => ,
"userobm_login" => "HTTP_OBM_UID",
// the user's password arrives as a plain request header (exported as
// OBM_USERPASSWORD $_password by the manager rules, which in turn needs
// storePassword => 1 in the portal) — only acceptable over a trusted hop
"userobm_password" =>
"HTTP_OBM_USERPASSWORD",
//"userobm_password_type" => ,
//"userobm_perms" => ,
//"userobm_kind" => ,
"userobm_lastname" => "HTTP_OBM_SN",
"userobm_firstname" =>
"HTTP_OBM_GIVENNAME",
"userobm_title" => "HTTP_OBM_TITLE",
"userobm_email" => "HTTP_OBM_MAIL",
"userobm_datebegin" =>
"HTTP_OBM_DATEBEGIN",
//"userobm_account_dateexp" => ,
//"userobm_delegation_target" => ,
// NOTE(review): HTTP_OBM_L is also mapped to userobm_town below; one of the
// two is probably a copy/paste mistake — confirm the intended attribute
"userobm_delegation" => "HTTP_OBM_L",
"userobm_description" =>
"HTTP_OBM_DESCRIPTION",
//"userobm_archive" => ,
//"userobm_hidden" => ,
//"userobm_status" => ,
//"userobm_local" => ,
//"userobm_photo_id" => ,
"userobm_phone" =>
"HTTP_OBM_TELEPHONENUMBER",
//"userobom_phone2" => ,
//"userobm_mobile" => ,
"userobm_fax" =>
"HTTP_OBM_FACSIMILETELEPHONENUMBER",
//"userobm_fax2" => ,
"userobm_company" => "HTTP_OBM_O",
//"userobm_direction" => ,
"userobm_service" => "HTTP_OBM_OU",
"userobm_address1" =>
"HTTP_OBM_POSTALADDRESS",
//"userobm_address2" => ,
//"userobm_address3" => ,
"userobm_zipcode" =>
"HTTP_OBM_POSTALCODE",
"userobm_town" => "HTTP_OBM_L",
//"userobm_expresspostal" => ,
//"userobm_host_id" => ,
//"userobm_web_perms" => ,
//"userobm_web_list" => ,
//"userobm_web_all" => ,
//"userobm_mail_perms" => ,
//"userobm_mail_ext_perms" => ,
//"userobm_mail_server_id" => ,
//"userobm_mail_server_hostname" => ,
"userobm_mail_quota" =>
"HTTP_OBM_MAILQUOTA",
//"userobm_nomade_perms" => ,
//"userobm_nomade_enable" => ,
//"userobm_nomade_local_copy" => ,
//"userobm_email_nomade" => ,
//"userobm_vacation_enable" => ,
//"userobm_vacation_datebegin" => ,
//"userobm_vacation_dateend" => ,
//"userobm_vacation_message" => ,
//"userobm_samba_perms" => ,
//"userobm_samba_home" => ,
//"userobm_samba_home_drive" => ,
//"userobm_samba_logon_script" => ,
// ---- Unused values ? ----
"userobm_ext_id" =>
"HTTP_OBM_SERIALNUMBER",
//"userobm_system" => ,
//"userobm_nomade_datebegin" => ,
//"userobm_nomade_dateend" => ,
//"userobm_location" => ,
//"userobm_education" => ,
),
);
-----------------
/etc/init.d/apache2 restart
_Paramétrage de LemonLDAP::NG_
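# Debian dependencies of LemonLDAP::NG 0.9.x (mod_perl handler, portal, manager).
# The original notes had the package list wrapped without continuation
# backslashes, so a copy/paste would have run several truncated commands.
aptitude install libcache-cache-perl libregexp-assemble-perl \
    libcrypt-rijndael-perl \
    libapache-session-perl libwww-perl libapache2-mod-perl2 liburi-perl \
    libxml-simple-perl \
    libjs-jquery libnet-ldap-perl libhtml-template-perl libxml-perl \
    libxml-libxslt-perl \
    libstring-random-perl libsoap-lite-perl
aptitude install libdbi-perl
cd /export/home/tmp
# Check for the current LemonLDAP::NG release first: 0.9.4.1 is the version these
# notes were written against.
# NOTE(review): the archive is fetched over plain HTTP and installed with dpkg -i
# without any integrity check. Compare it with the checksum or signature published
# by the project (or install from a signed repository if one is available) before
# running dpkg -i — these packages run as the SSO handler for every application.
wget http://download.forge.objectweb.org/lemonldap/lemonldap-ng-0.9.4.1_deb.tar.gz
mkdir lemonldap-ng-0.9.4.1
tar zxf lemonldap-ng-0.9.4.1_deb.tar.gz -C ./lemonldap-ng-0.9.4.1
dpkg -i lemonldap-ng-0.9.4.1/*.deb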
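# Rebrand the packaged example configuration to the site's SSO host.
# Dots are escaped so "." does not match an arbitrary character; consider
# "sed -i.bak" the first time so lmConf-1 can be restored if a pattern misfires.
sed -i 's/example\.com/lmng.ifremer.fr/g' /etc/lemonldap-ng/portal-apache2.conf \
/etc/lemonldap-ng/manager-apache2.conf /etc/lemonldap-ng/apps-list.xml \
/var/lib/lemonldap-ng/conf/lmConf-1 /etc/lemonldap-ng/apply.conf \
/var/lib/lemonldap-ng/test/index.pl
# The pass above presumably turned auth.example.com into auth.lmng.ifremer.fr;
# the portal is served directly on lmng.ifremer.fr here, so drop the "auth." prefix.
sed -i 's/auth\.lmng\.ifremer\.fr/lmng.ifremer.fr/g' \
/etc/lemonldap-ng/portal-apache2.conf /etc/lemonldap-ng/manager-apache2.conf \
/etc/lemonldap-ng/apps-list.xml /var/lib/lemonldap-ng/conf/lmConf-1 \
/etc/lemonldap-ng/apply.conf /var/lib/lemonldap-ng/test/index.pl
# Enable the portal and manager vhosts.
ln -s /etc/lemonldap-ng/portal-apache2.conf \
/etc/apache2/sites-enabled/001-lemonldap-ng-portal.conf
ln -s /etc/lemonldap-ng/manager-apache2.conf \
/etc/apache2/sites-enabled/002-lemonldap-ng-manager.conf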
vi /etc/lemonldap-ng/portal-apache2.conf
-----------------
#NameVirtualHost *:80
# NOTE(review): the SSO portal (the LDAP login form, see "Type d'authentification
# ldap" below) is bound to plain :80 here, so user passwords would be POSTed in
# clear. Put it behind TLS, or bind it to :443, before real users log in.
<VirtualHost xxx.xxx.xxx.xxx:80>
...
#require SOAP::Lite;
Le manager n'est accessible que depuis un sous-réseau IP (préfixe xxx.xxx.xxx dans le « allow from » ci-dessous) ; à ce stade c'est sa seule protection, et le vhost est servi en HTTP clair (port 80).
vi /etc/lemonldap-ng/manager-apache2.conf
-----------------
#NameVirtualHost *:80
<VirtualHost xxx.xxx.xxx.xxx:80>
...
# DocumentRoot
DocumentRoot /var/lib/lemonldap-ng/manager
<Directory /var/lib/lemonldap-ng/manager>
# Apache 2.2 access control: deny everyone, then re-allow the xxx.xxx.xxx prefix.
# This IP filter is the only protection of the SSO manager in this vhost, which
# listens on plain :80 above — anyone inside the prefix can rewrite the SSO
# configuration. (On Apache 2.4 the equivalent is "Require ip xxx.xxx.xxx".)
Order deny,allow
#Allow from All
Deny from all
allow from xxx.xxx.xxx
# the manager is a set of CGI/mod_perl scripts, hence ExecCGI
Options +ExecCGI
</Directory>
-----------------
vi /etc/lemonldap-ng/init-apache2.conf
-----------------
# Perl environment
# Load the LemonLDAP::NG handler once at server start so any vhost can name it
# (obm.conf does, through PerlHeaderParserHandler).
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
PerlOptions +GlobalRequest
# Run *.pl files under ModPerl::Registry.
# NOTE(review): this file is linked into conf.d, so the rule is server-wide:
# any *.pl reachable under any vhost's DocumentRoot is executed as Perl. Keep
# user-writable or upload directories out of reach of this rule.
<Files ~ "\.(pl)$">
SetHandler perl-script
PerlHandler ModPerl::Registry
PerlSendHeader On
</Files>
-----------------
ln -s /etc/lemonldap-ng/init-apache2.conf /etc/apache2/conf.d/lemonldap-ng.conf
vi /var/lib/lemonldap-ng/portal/index.pl
-----------------
# NOTE(review): presumably keeps the user's cleartext password in the SSO
# session so it can be re-exported to applications — this document does so
# through the manager rule "OBM_USERPASSWORD $_password". The session store
# then contains passwords: restrict its permissions, and only forward that
# header over a trusted (TLS or local) hop.
storePassword => 1,
-----------------
/etc/init.d/apache2 restart
updatedb
locate AuthCAS.pm
-----------------
/usr/share/perl5/Lemonldap/NG/Portal/AuthCAS.pm
-----------------
grep VERSION /usr/share/perl5/Lemonldap/NG/Portal/AuthCAS.pm
-----------------
our $VERSION = '0.11';
-----------------
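# Upstream fix for AuthCAS.pm (0.11 -> 0.12) from the OW2 tracker.
# NOTE(review): the patch is downloaded over plain HTTP and applied to the
# system-wide module with no integrity check — read it before applying.
# The download path is given explicitly: the original relied on the cwd still
# being /export/home/tmp from an earlier step.
wget -O /export/home/tmp/lemonldap-ng-portal-authcas-12.patch \
  http://forge.ow2.org/tracker/download.php/274/350401/314458/2110/lemonldap-ng-portal-authcas-12.patch
cd /usr/share/perl5/Lemonldap/NG/Portal/
# Dry-run first so a rejected hunk cannot leave a half-patched module;
# -b keeps AuthCAS.pm.orig for rollback.
patch -p0 --dry-run AuthCAS.pm < /export/home/tmp/lemonldap-ng-portal-authcas-12.patch \
  && patch -p0 -b AuthCAS.pm < /export/home/tmp/lemonldap-ng-portal-authcas-12.patch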
-----------------
patching file AuthCAS.pm
-----------------
grep VERSION /usr/share/perl5/Lemonldap/NG/Portal/AuthCAS.pm
-----------------
our $VERSION = '0.12';
-----------------
PAS D'ALIAS POUR LE MANAGER SSO
ATTENTION : par rapport à la doc Linagora, pas de imagePath => '/images/' dans
/var/lib/lemonldap-ng/manager/index.pl. Il existe dans session.pl, mais la valeur
en 2.2.14 est /session/images...
============================================================================
#vi /etc/lemonldap-ng/portal-apache2.conf
#-----------------
# # Manager
# Alias /manager /var/lib/lemonldap-ng/manager
# <Directory /var/lib/lemonldap-ng/manager>
# Order deny,allow
# #Deny from all
# #Allow from 127.0.0.0/8
# Allow from All
# Options +ExecCGI
# </Directory>
#-----------------
#
#vi /var/lib/lemonldap-ng/manager/index.pl
#-----------------
# dhtmlXTreeImageLocation => "/manager/imgs/",
#-----------------
============================================================================
/etc/init.d/apache2 restart
_Configuration système_
Chargement du skin LemonLDAP IFREMER (contient des références vers l'agenda !!)
-----------------
# Install the IFREMER portal skin shipped in the OBM resources tree and expose it
# under the portal's skins directory.
# NOTE(review): a skin presumably contains templates rendered by the portal, so the
# archive is effectively code — only extract it from a trusted, reviewed source.
cd /usr/share/lemonldap-ng/portal-skins
tar -zxf /export/home/obm_ifremer/ressources/skin_lemon_ifremer.tgz
cd /var/lib/lemonldap-ng/portal/skins
# creates ./ifremer -> /usr/share/lemonldap-ng/portal-skins/ifremer
ln -s /usr/share/lemonldap-ng/portal-skins/ifremer
-----------------
vi /var/lib/lemonldap-ng/portal/index.pl
-----------------
# Menu configuration
my $skin = "ifremer";
...
# Menu configuration: which self-service features the portal exposes.
use constant USER_CAN_CHANGE_PASSWORD => 0;
use constant REQUIRE_OLDPASSWORD => 0;
use constant DISPLAY_LOGOUT => 1;
# NOTE(review): "on" lets browsers offer to remember the login form's credentials;
# hardening guides usually set this to "off" on an SSO portal — confirm the intent.
use constant AUTOCOMPLETE => "on";
use constant DISPLAY_RESETPASSWORD => "0";
...
# Single-quoted: $user is not Perl-interpolated here but presumably substituted by
# the portal at login time.
# NOTE(review): confirm that the LemonLDAP::NG version in use escapes LDAP filter
# metacharacters (RFC 4515) in $user before the search, otherwise a crafted login
# name can alter the filter.
AuthLDAPFilter => '(&(uid=$user)(objectClass=person))',
-----------------
/etc/init.d/apache2 restart
vi /var/lib/lemonldap-ng/handler/MyHandler.pm
-----------------
# NOTE(review): presumably makes the handler build https:// URLs when redirecting
# to the portal. The portal vhost configured earlier in this document listens on
# :80 only, so confirm a TLS front-end exists or the redirect will fail.
https => 1,
-----------------
/etc/init.d/apache2 restart
vi /etc/lemonldap-ng/manager-apache2.conf
-----------------
<Directory /var/lib/lemonldap-ng/manager>
# Apache 2.2 access control: deny everyone, then re-allow the xxx.xxx.xxx prefix.
# NOTE(review): no AllowOverride is set here; the .htaccess with LDAP basic auth
# created in this directory in the next section is only honoured if
# "AllowOverride AuthConfig" is in effect for it — add it here rather than
# relying on a server-wide default.
Order deny,allow
#Allow from All
Deny from all
allow from xxx.xxx.xxx
Options +ExecCGI
</Directory>
-----------------
/etc/init.d/apache2 restart
_Sécurisation du manager LemonLDAP_
Activer les modules d'authentification et LDAP d'Apache2
-----------------
# Enable the Apache modules needed for LDAP basic auth in front of the manager
# (authnz_ldap provides the "ldap" provider; mod_ldap is its dependency).
# Equivalent to "a2enmod authnz_ldap authn_default authz_groupfile authz_user ldap"
# on Debian, which would also pick up any matching .conf files.
cd /etc/apache2/mods-enabled
ln -s ../mods-available/authnz_ldap.load
ln -s ../mods-available/authn_default.load
ln -s ../mods-available/authz_groupfile.load
ln -s ../mods-available/authz_user.load
ln -s ../mods-available/ldap.load
-----------------
/etc/init.d/apache2 restart
cd /var/lib/lemonldap-ng/manager
vi .htaccess
-----------------
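# Second layer in front of the SSO manager: LDAP basic auth on top of the IP
# restriction in manager-apache2.conf.
# NOTE(review): only effective if "AllowOverride AuthConfig" applies to
# /var/lib/lemonldap-ng/manager (the <Directory> block in manager-apache2.conf
# sets none); otherwise Apache never reads this file.
# NOTE(review): the manager vhost listens on :80, so Basic credentials travel
# base64-encoded in clear, and the LDAP URL below is plain ldap:// as well —
# put the manager behind TLS (and prefer ldaps:// or a local directory) before
# relying on this.
AuthType basic
AuthName "Acces Restreint"
AuthBasicProvider ldap
AuthLDAPURL ldap://*<LDAP_SERVER>/<BaseDn>*
AuthLDAPRemoteUserIsDN off
# "ldap-filter" and its filter are separate arguments; the original line had
# them run together.
require ldap-filter *<FILTRE LDAP RESTRICTION ACCES>*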
-----------------
_Configuration par le manager http://manager.lmng.ifremer.fr/_
# recopier un à un les éléments définis sur le LemonLDAP de la 2.2.14
Type d'authentification ldap
Portail d'authentification http://lmng.ifremer.fr/
Domaine*<Domaine OBM>*
# paramètres LDAP
Base de recherche LDAP*<BaseDn>*
Port du serveur LDAP 389
Serveur LDAP*<LDAP_SERVER>*
Compte de connexion LDAP*<Dn d'un user en lecture seule sur l'annuaire LDAP>*
Mot de passe LDAP*<Bind Password>*
# Attributs à exporter
c c
facSimileTelephoneNumber facSimileTelephoneNumber
givenName givenName
l l
mail mail
mailQuota mailQuota
postalCode postalCode
serialNumber serialNumber
sn sn
telephoneNumber telephoneNumber
uid uid
title title
o o
ou service
groupeunix groupeunix
# hôte virtuel d'OBM
OBM_C $c
OBM_FACSIMILETELEPHONENUMBER $facSimileTelephoneNumber
OBM_GIVENNAME $givenName
OBM_L $l
OBM_MAIL $mail
OBM_MAILQUOTA $mailQuota
OBM_POSTALCODE $postalCode
OBM_SERIALNUMBER $serialNumber
OBM_SN $sn
OBM_TELEPHONENUMBER $telephoneNumber
OBM_UID $uid
OBM_TITLE $title
OBM_O $o
OBM_OU $ou
OBM_GROUPS $groupeunix
OBM_USERPASSWORD $_password
# regles
^/logout logout_sso http://*<URL AGENDA>*/
default accept
/etc/init.d/apache2 restart
_Configurer la protection SSO d'OBM_
cp /etc/apache2/sites-available/obm.conf
/etc/apache2/sites-available/obm.admin.conf
vi /etc/apache2/sites-available/obm.admin.conf
-----------------
!!!!!!!!!!!!!! VIRER LE NameVirtualHost !!!!!!!!!!!!!!
!!!!!!!!!!!!!! VIRER LE VHOST EN :80 !!!!!!!!!!!!!!
remplacer le vhost 443 par 80 :
<VirtualHost xxx.xxx.xxx.xxx:80>
ServerName obm.admin.ifremer.fr
ServerAdmin [email protected]
ServerAlias obm.admin
<Directory />
Order deny,allow
Deny from all
allow from xxx.xxx.xxx
</Directory>
Virer les lignes SSL (attention : l'interface admin d'OBM n'est alors servie qu'en HTTP clair, et seule la restriction par IP ci-dessus la protège ; à ne faire que si un frontal TLS est placé en amont) :
# SSL
SSLEngine on
SSLCACertificateFile /var/lib/obm-ca/cacert.pem
SSLCertificateFile /etc/obm/certs/obm_cert.pem
SSLVerifyClient none
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
-----------------
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/obm.admin.conf
vi /etc/apache2/sites-enabled/obm.conf
-----------------
# SSO protection: every request to this vhost goes through the LemonLDAP::NG
# handler before OBM sees it.
# NOTE(review): My::Package must be the package declared in
# /var/lib/lemonldap-ng/handler/MyHandler.pm (loaded by init-apache2.conf) —
# confirm the name, since this directive is what keeps OBM from being reachable
# with forged HTTP_OBM_* headers.
PerlHeaderParserHandler My::Package
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<Location /reload>
# Loopback only: a reload re-reads the SSO configuration. If a reverse proxy on
# this host fronts the vhost, every client would appear as loopback — confirm.
Order deny,allow
Deny from all
Allow from 127.0.0.0/8
PerlHeaderParserHandler My::Package->refresh
</Location>
-----------------
/etc/init.d/apache2 restart
_Modification LemonLDAP_
vi /etc/lemonldap-ng/apps-list.xml
-----------------
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE menu SYSTEM "apps-list.dtd">
<!-- Portal application menu: a single entry pointing at the OBM agenda.
     The URI is plain http://; align it with the scheme the handler advertises
     (https => 1 in MyHandler.pm) once TLS is in front of OBM. -->
<menu>
<category name="Applications">
<application id="obm">
<name>Agenda OBM</name>
<uri>http://*<URL AGENDA>*/</uri>
<description>Accéder à l'agenda OBM</description>
<logo>wheels.png</logo>
<display>auto</display>
</application>
</category>
</menu>
-----------------
/etc/init.d/obm-tomcat restart