[Obm] OBM authentication problem via lemonldap

Patrick BOSSARD Patrick.Bossard at ifremer.fr
Wed Apr 9 17:03:05 CEST 2014


Hello,

On my side, I haven't been going through LemonLDAP for quite a while now, but through CAS authentication (which relies on an LDAP directory).
My config is getting old, and the architecture of that time is no longer valid at all, but I found the configuration notes from back then....
I'm putting them below (raw!) ... if it can help.

Regards,

Patrick Bossard.
> vi /etc/obm/obm_conf.ini
> -----------------
>      obm-ldap=true
>      ldapServer=ldap://localhost/
> -----------------
>
> vi /etc/obm/obm_conf.inc
> -----------------
> $auth_kind = 'LemonLDAP';
> $lemonldap_config = Array(
>                  "auto_update"           => true,
>                  "url_logout"            => "*<URL AGENDA>*/logout",
>                  "server_ip_address"     => "localhost",
>                  "server_ip_check"       => false,
>                  "debug"                 => true,
>                  "debug_filepath"        => "/export/home/tmp/obm-lemonldapng.log",
>                  "debug_header_name"     => "HTTP_OBM_UID",
>                  "group_header_name"     => "HTTP_OBM_GROUPS",
>                  "ldap_server"           => "*<LDAP_SERVER>*",
>                  "ldap_basedn"           => "*<BaseDn of the LDAP directory>*",
>                  "ldap_binddn"           => "*<DN of a read-only user on the LDAP directory>*",
>                  "ldap_bindpw"           => "*<Bind password>*",
>                  "ldap_filter"           => "(objectclass=fichannuaire)",
>                  "ldap_scope"            => "one",
>                  "ldap_version"          => 3,
>                  "ldap_usessl"           => false,
>                  "headers_map"           => Array(
>                          "userobm_gid"                   => "HTTP_OBM_GIDNUMBER",
>                          //"userobm_domain_id"           => ,
>                          "userobm_login"                 => "HTTP_OBM_UID",
>                          "userobm_password"              => "HTTP_OBM_USERPASSWORD",
>                          //"userobm_password_type"       => ,
>                          //"userobm_perms"               => ,
>                          //"userobm_kind"                => ,
>                          "userobm_lastname"              => "HTTP_OBM_SN",
>                          "userobm_firstname"             => "HTTP_OBM_GIVENNAME",
>                          "userobm_title"                 => "HTTP_OBM_TITLE",
>                          "userobm_email"                 => "HTTP_OBM_MAIL",
>                          "userobm_datebegin"             => "HTTP_OBM_DATEBEGIN",
>                          //"userobm_account_dateexp"     => ,
>                          //"userobm_delegation_target"   => ,
>                          "userobm_delegation"            => "HTTP_OBM_L",
>                          "userobm_description"           => "HTTP_OBM_DESCRIPTION",
>                          //"userobm_archive"             => ,
>                          //"userobm_hidden"              => ,
>                          //"userobm_status"              => ,
>                          //"userobm_local"               => ,
>                          //"userobm_photo_id"            => ,
>                          "userobm_phone"                 => "HTTP_OBM_TELEPHONENUMBER",
>                          //"userobom_phone2"             => ,
>                          //"userobm_mobile"              => ,
>                          "userobm_fax"                   => "HTTP_OBM_FACSIMILETELEPHONENUMBER",
>                          //"userobm_fax2"                => ,
>                          "userobm_company"               => "HTTP_OBM_O",
>                          //"userobm_direction"           => ,
>                          "userobm_service"               => "HTTP_OBM_OU",
>                          "userobm_address1"              => "HTTP_OBM_POSTALADDRESS",
>                          //"userobm_address2"            => ,
>                          //"userobm_address3"            => ,
>                          "userobm_zipcode"               => "HTTP_OBM_POSTALCODE",
>                          "userobm_town"                  => "HTTP_OBM_L",
>                          //"userobm_expresspostal"       => ,
>                          //"userobm_host_id"             => ,
>                          //"userobm_web_perms"           => ,
>                          //"userobm_web_list"            => ,
>                          //"userobm_web_all"             => ,
>                          //"userobm_mail_perms"          => ,
>                          //"userobm_mail_ext_perms"      => ,
>                          //"userobm_mail_server_id"      => ,
>                          //"userobm_mail_server_hostname" => ,
>                          "userobm_mail_quota"            => "HTTP_OBM_MAILQUOTA",
>                          //"userobm_nomade_perms"        => ,
>                          //"userobm_nomade_enable"       => ,
>                          //"userobm_nomade_local_copy"   => ,
>                          //"userobm_email_nomade"        => ,
>                          //"userobm_vacation_enable"     => ,
>                          //"userobm_vacation_datebegin"  => ,
>                          //"userobm_vacation_dateend"    => ,
>                          //"userobm_vacation_message"    => ,
>                          //"userobm_samba_perms"         => ,
>                          //"userobm_samba_home"          => ,
>                          //"userobm_samba_home_drive"    => ,
>                          //"userobm_samba_logon_script"  => ,
>                          // ---- Unused values ? ----
>                          "userobm_ext_id"                => "HTTP_OBM_SERIALNUMBER",
>                          //"userobm_system"              => ,
>                          //"userobm_nomade_datebegin"    => ,
>                          //"userobm_nomade_dateend"      => ,
>                          //"userobm_location"            => ,
>                          //"userobm_education"           => ,
>                          ),
>          );
>
> -----------------
> /etc/init.d/apache2 restart
>
>
>       _LemonLDAP::NG setup_
>
> aptitude install libcache-cache-perl libregexp-assemble-perl libcrypt-rijndael-perl \
> libapache-session-perl libwww-perl libapache2-mod-perl2 liburi-perl libxml-simple-perl \
> libjs-jquery libnet-ldap-perl libhtml-template-perl libxml-perl libxml-libxslt-perl \
> libstring-random-perl libsoap-lite-perl
>
>
> aptitude install libdbi-perl
>
> cd /export/home/tmp
> (Check for the latest version of lemon)
> wget http://download.forge.objectweb.org/lemonldap/lemonldap-ng-0.9.4.1_deb.tar.gz
> mkdir lemonldap-ng-0.9.4.1
> tar zxf lemonldap-ng-0.9.4.1_deb.tar.gz -C ./lemonldap-ng-0.9.4.1
> dpkg -i lemonldap-ng-0.9.4.1/*.deb
>
> sed -i 's/example.com/lmng.ifremer.fr/g' /etc/lemonldap-ng/portal-apache2.conf \
> /etc/lemonldap-ng/manager-apache2.conf /etc/lemonldap-ng/apps-list.xml \
> /var/lib/lemonldap-ng/conf/lmConf-1 /etc/lemonldap-ng/apply.conf \
> /var/lib/lemonldap-ng/test/index.pl
>
> sed -i 's/auth.lmng.ifremer.fr/lmng.ifremer.fr/g' \
> /etc/lemonldap-ng/portal-apache2.conf /etc/lemonldap-ng/manager-apache2.conf \
> /etc/lemonldap-ng/apps-list.xml /var/lib/lemonldap-ng/conf/lmConf-1 \
> /etc/lemonldap-ng/apply.conf /var/lib/lemonldap-ng/test/index.pl
>
> ln -s /etc/lemonldap-ng/portal-apache2.conf \
> /etc/apache2/sites-enabled/001-lemonldap-ng-portal.conf
>
> ln -s /etc/lemonldap-ng/manager-apache2.conf \
> /etc/apache2/sites-enabled/002-lemonldap-ng-manager.conf
>
> vi /etc/lemonldap-ng/portal-apache2.conf
> -----------------
>      #NameVirtualHost *:80
>      <VirtualHost xxx.xxx.xxx.xxx:80>
>      ...
>      #require SOAP::Lite;
> -----------------
>
> The manager is restricted to one IP subnet only
> vi /etc/lemonldap-ng/manager-apache2.conf
> -----------------
>      #NameVirtualHost *:80
>      <VirtualHost xxx.xxx.xxx.xxx:80>
>      ...
>      # DocumentRoot
>      DocumentRoot /var/lib/lemonldap-ng/manager
>      <Directory /var/lib/lemonldap-ng/manager>
>        Order deny,allow
>        #Allow from All
>        Deny from all
>        allow from xxx.xxx.xxx
>        Options +ExecCGI
>      </Directory>
>
> -----------------
>
> vi /etc/lemonldap-ng/init-apache2.conf
> -----------------
>      # Perl environment
>      PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
>      PerlOptions +GlobalRequest
>      <Files ~ "\.(pl)$">
>        SetHandler       perl-script
>        PerlHandler      ModPerl::Registry
>        PerlSendHeader On
>      </Files>
> -----------------
>
> ln -s /etc/lemonldap-ng/init-apache2.conf /etc/apache2/conf.d/lemonldap-ng.conf
>
> vi /var/lib/lemonldap-ng/portal/index.pl
> -----------------
>      storePassword => 1,
> -----------------
>
> /etc/init.d/apache2 restart
> updatedb
> locate AuthCAS.pm
> -----------------
>      /usr/share/perl5/Lemonldap/NG/Portal/AuthCAS.pm
> -----------------
>
> grep VERSION /usr/share/perl5/Lemonldap/NG/Portal/AuthCAS.pm
> -----------------
>      our $VERSION = '0.11';
> -----------------
>
> wget http://forge.ow2.org/tracker/download.php/274/350401/314458/2110/lemonldap-ng-portal-authcas-12.patch
> cd /usr/share/perl5/Lemonldap/NG/Portal/
> patch -p0 AuthCAS.pm</export/home/tmp/lemonldap-ng-portal-authcas-12.patch
> -----------------
>      patching file AuthCAS.pm
> -----------------
>
> grep VERSION /usr/share/perl5/Lemonldap/NG/Portal/AuthCAS.pm
> -----------------
>      our $VERSION = '0.12';
> -----------------
>
> NO ALIAS FOR THE SSO MANAGER
> WARNING: unlike the linagora doc, there is no imagePath => '/images/', in
> /var/lib/lemonldap-ng/manager/index.pl. It exists in session.pl, but the value in 2.2.14 is /session/images....
> ============================================================================
> #vi /etc/lemonldap-ng/portal-apache2.conf
> #-----------------
> #    # Manager
> #    Alias /manager /var/lib/lemonldap-ng/manager
> #    <Directory /var/lib/lemonldap-ng/manager>
> #        Order deny,allow
> #        #Deny from all
> #        #Allow from 127.0.0.0/8
> #        Allow from All
> #        Options +ExecCGI
> #    </Directory>
> #-----------------
> #
> #vi /var/lib/lemonldap-ng/manager/index.pl
> #-----------------
> #        dhtmlXTreeImageLocation => "/manager/imgs/",
> #-----------------
> ============================================================================
>
> /etc/init.d/apache2 restart
>
>
>       _System configuration_
>
> Loading the IFREMER lemonLdap skin (contains references to the agenda!!)
> -----------------
>      cd /usr/share/lemonldap-ng/portal-skins
>      tar -zxf /export/home/obm_ifremer/ressources/skin_lemon_ifremer.tgz
>      cd /var/lib/lemonldap-ng/portal/skins
>      ln -s /usr/share/lemonldap-ng/portal-skins/ifremer
> -----------------
>
> vi /var/lib/lemonldap-ng/portal/index.pl
> -----------------
>      # Menu configuration
>      my $skin        = "ifremer";
>      ...
>
>      # Menu configuration
>      use constant USER_CAN_CHANGE_PASSWORD => 0;
>      use constant REQUIRE_OLDPASSWORD      => 0;
>      use constant DISPLAY_LOGOUT           => 1;
>      use constant AUTOCOMPLETE             => "on";
>      use constant DISPLAY_RESETPASSWORD    => "0";
>      ...
>      AuthLDAPFilter => '(&(uid=$user)(objectClass=person))',
> -----------------
>
>
>
> /etc/init.d/apache2 restart
> vi /var/lib/lemonldap-ng/handler/MyHandler.pm
> -----------------
>          https => 1,
> -----------------
>
> /etc/init.d/apache2 restart
> vi /etc/lemonldap-ng/manager-apache2.conf
> -----------------
> <Directory /var/lib/lemonldap-ng/manager>
>    Order deny,allow
>    #Allow from All
>    Deny from all
>    allow from xxx.xxx.xxx
>    Options +ExecCGI
> </Directory>
> -----------------
> /etc/init.d/apache2 restart
>
>
>       _Securing the Lemonldap manager_
>
> Enable the apache2 auth && ldap modules
> -----------------
>      cd /etc/apache2/mods-enabled
>      ln -s ../mods-available/authnz_ldap.load
>      ln -s ../mods-available/authn_default.load
>      ln -s ../mods-available/authz_groupfile.load
>      ln -s ../mods-available/authz_user.load
>      ln -s ../mods-available/ldap.load
> -----------------
> /etc/init.d/apache2 restart
>
> cd /var/lib/lemonldap-ng/manager
> vi .htaccess
> -----------------
>      AuthType basic
>      AuthName "Acces Restreint"
>      AuthBasicProvider ldap
>      AuthLDAPURL ldap://*<LDAP_SERVER>/<BaseDn>*
>      AuthLDAPRemoteUserIsDN off
>      require ldap-filter *<LDAP FILTER RESTRICTING ACCESS>*
> -----------------
>
>
>       _Configuration through the manager http://manager.lmng.ifremer.fr/_
>
> # copy one by one the elements defined on the 2.2.14 lemonldap
> Authentication type          ldap
> Authentication portal        http://lmng.ifremer.fr/
> Domain                       *<OBM domain>*
> # LDAP parameters
> LDAP search base             *<BaseDn>*
> LDAP server port             389
> LDAP server                  *<LDAP_SERVER>*
> LDAP bind account            *<DN of a read-only user on the LDAP directory>*
> LDAP password                *<Bind Password>*
>
> # Attributes to export
> c                            c
> facSimileTelephoneNumber     facSimileTelephoneNumber
> givenName                    givenName
> l                            l
> mail                         mail
> mailQuota                    mailQuota
> postalCode                   postalCode
> serialNumber                 serialNumber
> sn                           sn
> telephoneNumber              telephoneNumber
> uid                          uid
> title                        title
> o                            o
> ou                           service
> groupeunix                   groupeunix
>
> # OBM virtual host
> OBM_C                        $c
> OBM_FACSIMILETELEPHONENUMBER $facSimileTelephoneNumber
> OBM_GIVENNAME                $givenName
> OBM_L                        $l
> OBM_MAIL                     $mail
> OBM_MAILQUOTA                $mailQuota
> OBM_POSTALCODE               $postalCode
> OBM_SERIALNUMBER             $serialNumber
> OBM_SN                       $sn
> OBM_TELEPHONENUMBER          $telephoneNumber
> OBM_UID                      $uid
> OBM_TITLE                    $title
> OBM_O                        $o
> OBM_OU                       $ou
> OBM_GROUPS                   $groupeunix
> OBM_USERPASSWORD             $_password
>   
>
> # rules
> ^/logout                     logout_sso http://*<URL AGENDA>*/
> default                      accept
>
> /etc/init.d/apache2 restart
>
>
>       _Configuring the SSO protection of OBM_
>
> cp /etc/apache2/sites-available/obm.conf /etc/apache2/sites-available/obm.admin.conf
> vi /etc/apache2/sites-available/obm.admin.conf
> -----------------
>      !!!!!!!!!!!!!! REMOVE THE NameVirtualHost !!!!!!!!!!!!!!
>      !!!!!!!!!!!!!! REMOVE THE :80 VHOST !!!!!!!!!!!!!!
>
>      replace the 443 vhost with 80:
>      <VirtualHost xxx.xxx.xxx.xxx:80>
>          ServerName obm.admin.ifremer.fr
>          ServerAdmin assistance at ifremer.fr
>          ServerAlias obm.admin
>          
>      <Directory />
>          Order deny,allow
>          Deny from all
>          allow from xxx.xxx.xxx
>      </Directory>
>
>
>      Remove the SSL lines:
>      # SSL
>      SSLEngine on
>      SSLCACertificateFile /var/lib/obm-ca/cacert.pem
>      SSLCertificateFile /etc/obm/certs/obm_cert.pem
>      SSLVerifyClient none
>      SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
>
> -----------------
> cd /etc/apache2/sites-enabled/
> ln -s ../sites-available/obm.admin.conf
>
> vi /etc/apache2/sites-enabled/obm.conf
> -----------------
>      # SSO protection
>      PerlHeaderParserHandler My::Package
>      # Configuration reload mechanism (only 1 per physical server is
>      # needed): choose your URL to avoid restarting Apache when
>      # configuration change
>      <Location /reload>
>      Order deny,allow
>      Deny from all
>      Allow from 127.0.0.0/8
>      PerlHeaderParserHandler My::Package->refresh
>      </Location>
> -----------------
> /etc/init.d/apache2 restart
>
>
>       _LemonLDAP modification_
>
> vi /etc/lemonldap-ng/apps-list.xml
> -----------------
>      <?xml version="1.0" encoding="utf-8" standalone="no"?>
>      <!DOCTYPE menu SYSTEM "apps-list.dtd">
>
>      <menu>
>          <category name="Applications">
>          <application id="obm">
>                  <name>Agenda OBM</name>
>                  <uri>http://*<URL AGENDA>*/</uri>
>                  <description>Accéder à l'agenda OBM</description>
>                  <logo>wheels.png</logo>
>                  <display>auto</display>
>          </application>
>          </category>
>      </menu>
> -----------------
> /etc/init.d/obm-tomcat restart


On 04/04/2014 14:41, Huguet William wrote:
> Hello,
>
> I'm running into an authentication problem with OBM via lemonldap.
> I have the latest version of OBM on a debian squeeze.
>
> I authenticate fine on lemonldap, but when I click on my OBM application, I get OBM's login page and it asks me to enter my username and password.
>
> I'm stuck at this point; I can't find the error in my log files.
> I'm attaching my config files (obm.conf, obm_conf.inc and my lemonldap.ini).
>
> Do you have a solution or a lead to solve my problem?
>
>
> Thanks in advance
>
> William
>
>
> _______________________________________________
> Obm mailing list
> Obm at list.obm.org
> http://list.obm.org/mailman/listinfo/obm

-- 
Patrick BOSSARD - PDG/IMN/IDM/RIC
IFREMER centre de Brest
BP 70 29280 Plouzane FRANCE
Tel  : 02 98 22 44 09 - Fax: 02 98 22 45 46
Email: Patrick.Bossard at ifremer.fr
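As an added illustration that is not part of the thread above nor of OBM or LemonLDAP::NG code, the Python model below spells out what the quoted `obm_conf.inc` settings amount to: OBM builds its user record from the `HTTP_OBM_*` request headers that the LemonLDAP handler injects (the `headers_map`), so those headers are only as trustworthy as the guarantee that the request actually came through the handler. The reading of `server_ip_check` / `server_ip_address` as "compare `REMOTE_ADDR` with the configured address only when the check is enabled" is an assumption stated in the code; the mapping keys and header variable names are the ones from the quoted config, and both sample requests are constructed.

```python
"""Model of header-based SSO trust as configured in the quoted obm_conf.inc.

Added example, not code from OBM or LemonLDAP::NG. The trust decision below
(compare REMOTE_ADDR with server_ip_address only when server_ip_check is
true) is an assumption about what the two settings mean; the header names
come from the quoted headers_map.
"""
from __future__ import annotations

from typing import Optional

# Subset of the quoted headers_map: OBM user field -> CGI header variable.
HEADERS_MAP = {
    "userobm_login":     "HTTP_OBM_UID",
    "userobm_lastname":  "HTTP_OBM_SN",
    "userobm_firstname": "HTTP_OBM_GIVENNAME",
    "userobm_email":     "HTTP_OBM_MAIL",
}

# The quoted configuration (check disabled) beside a hardened one.
# "127.0.0.1" stands in for the quoted "localhost" to avoid name resolution.
QUOTED_CONFIG   = {"server_ip_address": "127.0.0.1", "server_ip_check": False}
HARDENED_CONFIG = {"server_ip_address": "127.0.0.1", "server_ip_check": True}


def cgi_name(header: str) -> str:
    """'OBM-UID' -> 'HTTP_OBM_UID', the way a CGI/PHP $_SERVER key is formed."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_environ(remote_addr: str, headers: dict[str, str]) -> dict[str, str]:
    """Constructed stand-in for PHP's $_SERVER for one request."""
    env = {"REMOTE_ADDR": remote_addr}
    env.update({cgi_name(name): value for name, value in headers.items()})
    return env


def headers_trusted(environ: dict[str, str], config: dict) -> bool:
    """Assumed semantics of server_ip_check / server_ip_address."""
    if not config["server_ip_check"]:
        return True                      # any client may set the headers
    return environ.get("REMOTE_ADDR") == config["server_ip_address"]


def sso_user(environ: dict[str, str], config: dict) -> Optional[dict[str, str]]:
    """Return the OBM user record derived from the headers, or None."""
    if not headers_trusted(environ, config):
        return None
    user = {field: environ[var] for field, var in HEADERS_MAP.items() if var in environ}
    if "userobm_login" not in user:      # no uid header: not an SSO request
        return None
    return user


# Constructed requests: one relayed by the handler on localhost, one sent
# straight from an outside client that sets the same header itself.
VIA_HANDLER = build_environ("127.0.0.1", {
    "OBM-UID": "alice", "OBM-SN": "Martin",
    "OBM-GIVENNAME": "Alice", "OBM-MAIL": "alice@example.org",
})
FORGED = build_environ("203.0.113.7", {"OBM-UID": "admin"})

if __name__ == "__main__":
    for name, cfg in (("quoted", QUOTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "via handler:", sso_user(VIA_HANDLER, cfg))
        print(name, "forged     :", sso_user(FORGED, cfg))
```

Run as a script it shows the point: with the quoted `server_ip_check => false`, a request that reaches OBM without passing the `PerlHeaderParserHandler` vhost only needs an `OBM-UID` header to be accepted as that user, whereas with the check enabled the same request is rejected. The practical check that follows from this is that the OBM vhost must not be reachable except through the handler (or the check must be enabled and the handler's address configured); note also that the quoted manager rules export `$_password` as `OBM_USERPASSWORD` over `http://`, so the handler-to-OBM hop carries the cleartext password.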
