From 16f0314de2604f24dc8fcab5440bf79ba2729b1a Mon Sep 17 00:00:00 2001 From: David Coutadeur Date: Mon, 3 Apr 2023 18:08:41 +0200 Subject: [PATCH 1/2] initialize yaml "base" configuration (import lemonldap configuration at deployment step #37) --- .../ansible/llng_config_base.yaml | 105 ++++++++++++++++++ .../lemonldap-ng/ansible/llng_config_db.yml | 4 + 2 files changed, 109 insertions(+) create mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml new file mode 100644 index 0000000..ef62556 --- /dev/null +++ b/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml 
@@ -0,0 +1,105 @@
+domain: '{{ lemonldap2_domain }}'
+port: '443'
+https: 1
+mailUrl: 'https://{{ lemonldap2_portal }}.{{ lemonldap2_domain }}/resetpwd'
+portal: 'https://{{ lemonldap2_portal }}.{{ lemonldap2_domain }}/'
+registerUrl: 'https://{{ lemonldap2_portal }}.{{ lemonldap2_domain }}/register'
+reloadUrls:
+ reload.{{ lemonldap2_domain }}:{{ lemonldap2_local_port }}: 'http://reload.{{ lemonldap2_domain }}:{{ lemonldap2_local_port }}/reload'
+locationRules:
+ test1.example.com:
+ default: 'deny'
+ test2.example.com:
+ default: 'deny'
+ manager.example.com:
+ default: 'deny'
+ {{ lemonldap2_portal }}.{{ lemonldap2_domain }}:
+ default: 'accept'
+ {{ lemonldap2_manager }}.{{ lemonldap2_domain }}:
+ default: 'inGroup('access-llngmanager')'
+ {{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}:
+ default: 'inGroup('access-whitepages')'
+#TODO: do only if lemonldap2_unprotect_profile_url
+ ^/index\\.php\\?page=display&dn=: 'unprotect'
+#TODO: do only if lemonldap2_unprotect_photo_url
+ ^/photo\\.php\\?dn=: 'unprotect'
+ {{ lemonldap2_servicedesk_name }}.{{ lemonldap2_domain }}:
+ default: 'inGroup('access-servicedesk')'
+ {{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}:
+ default: 'inGroup('access-fusiondirectory')'
+ (?#logout)signout=1: 'logout'
+applicationList:
+ 3documentation:
+ localdoc:
+ options:
+ display: 'off'
+ 3documentation:
+ officialwebsite:
+ options:
+ display: 'off'
+ 2administration:
+ manager:
+ options:
+ uri: 'https://{{ lemonldap2_manager }}.{{ lemonldap2_domain }}/manager.html'
+ notifications:
+ options:
+ uri: 'https://{{ lemonldap2_manager }}.{{ lemonldap2_domain }}/notifications.html'
+ sessions:
+ options:
+ uri: 'https://{{ lemonldap2_manager }}.{{ lemonldap2_domain }}/sessions.html'
+ 1applications:
+ type: 'category'
+ catname: 'Applications'
+ whitepages:
+ type: 'application'
+ options:
+ description: 'Browse directory'
+ display: 'auto'
+ logo: 'thumbnail.png'
+ name: 'White pages'
+ uri: 'https://{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/'
+ servicedesk:
+ type: 'application'
+ options:
+ description: 'Manage user accounts'
+ display: 'auto'
+ logo: 'help.png'
+ name: 'Service desk'
+ uri: 'https://{{ lemonldap2_servicedesk_name }}.{{ lemonldap2_domain }}/'
+ fusiondirectory:
+ type: 'application'
+ options:
+ description: 'Edit directory entries'
+ display: 'auto'
+ logo: 'folder.png'
+ name: 'Directory manager'
+ uri: 'https://{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/'
+exportedHeaders/{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/Auth-User": '$uid'
+portalDisplayRegister: 0
+portalCheckLogins: 0
+portalDisplayResetPassword: '{{ lemonldap2_portaldisplayresetpassword }}'
+portalDisplayOidcConsents: 0
+portalDisplayAppslist: 1
+portalDisplayChangePassword: '{{ lemonldap2_portaldisplaychangepassword }}'
+portalDisplayLoginHistory: 1
+portalDisplayLogout: 1
+portalDisplayPasswordPolicy: 1
+portalDisplayRefreshMyRights: 1
+requireToken: '{{ lemonldap2_requiretoken }}'
+singleSession: '{{ lemonldap2_singlesession }}'
+portalMainLogo: '{{ lemonldap2_logo }}'
+portalSkinBackground: '{{ lemonldap2_background }}'
+portalCustomCss: '{{ lemonldap2_css }}'
+securedCookie: 1
+cookieName: 'fusioniam-{{ lookup('env', 'CUSTOMERID') }}'
+sameSite: 'None'
+totp2fSelfRegistration: 1
+totp2fActivation: 1
+totp2fIssuer: '{{ lemonldap2_sfaissuer }}'
+sfManagerRule: '{{ lemonldap2_sfamanagerrule }}'
+passwordPolicyMinDigit: '{{ lemonldap2_passwordpolicymindigit }}'
+passwordPolicyMinLower: '{{ lemonldap2_passwordpolicyminlower }}'
+passwordPolicyMinSize: '{{ lemonldap2_passwordpolicyminsize }}'
+passwordPolicyMinSpeChar: '{{ lemonldap2_passwordpolicyminspechar }}'
+passwordPolicyMinUpper: '{{ lemonldap2_passwordpolicyminupper }}'
+passwordPolicySpecialChar: '{{ lemonldap2_passwordpolicyspecialchar }}'
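Review bot: The two unprotect rule keys `^/index\\.php\\?page=display&dn=` and `^/photo\\.php\\?dn=` keep both backslashes once this file is parsed, because a plain YAML scalar does no escape processing; the deleted `Unprotect profile URL` task in `llng_config_base.yml` had the same text in a double-quoted scalar, where `\\` collapsed to `\`. If LLNG compiles the key as a regular expression, as locationRules keys normally are, the pattern now looks for a literal backslash and never matches `/index.php?page=display&dn=`, so the URL stays protected and the unprotect option is silently ineffective. Write the keys as `^/index\.php\?page=display&dn=` and `^/photo\.php\?dn=`. The same doubled backslashes survive the patch-2 rewrite of these lines in hunk `@@ -16,24 +16,25 @@` of this file, where single quotes likewise keep `\\` literal.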
diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_db.yml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_db.yml index c787da3..4dab5fb 100644 --- a/build/rockylinux8/lemonldap-ng/ansible/llng_config_db.yml +++ b/build/rockylinux8/lemonldap-ng/ansible/llng_config_db.yml @@ -116,3 +116,7 @@ - name: i_c_pgtiou table: cassessions columns: "((a_session ->> 'pgtIou'))" + +- name: Import initial config + command: > + /usr/libexec/lemonldap-ng/bin/convertConfig -o -- GitLab From b0a37eaa20201b08933dad4bc2ed0e925230673c Mon Sep 17 00:00:00 2001 From: David Coutadeur Date: Tue, 4 Apr 2023 16:55:27 +0200 Subject: [PATCH 2/2] working version of import lemonldap configuration at deployment step #37 --- .../lemonldap-ng/ansible/deploy.yaml | 37 ++-- .../ansible/llng_config_auth.yaml | 23 +++ .../lemonldap-ng/ansible/llng_config_auth.yml | 53 ----- .../ansible/llng_config_base.yaml | 25 +-- .../lemonldap-ng/ansible/llng_config_base.yml | 187 ------------------ .../ansible/llng_config_issuers.yaml | 16 ++ .../ansible/llng_config_issuers.yml | 39 ---- .../ansible/llng_config_sessions.yaml | 41 ++++ .../ansible/llng_config_sessions.yml | 90 --------- 9 files changed, 116 insertions(+), 395 deletions(-) create mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yaml delete mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yml delete mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yml create mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yaml delete mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yml create mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yaml delete mode 100644 build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yml diff --git a/build/rockylinux8/lemonldap-ng/ansible/deploy.yaml b/build/rockylinux8/lemonldap-ng/ansible/deploy.yaml index 89bbdb0..8034a9e 100644 --- a/build/rockylinux8/lemonldap-ng/ansible/deploy.yaml 
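Review bot: The new `Import initial config` task runs `convertConfig -o` with no `when`, `creates` or `changed_when`, so every execution of this task file re-runs the import and reports a change. The task it moves from (`llng_config_base.yml`) was imported in deploy.yaml under `current_cfgnum.stdout == "0"`, and whether this task file inherits that guard is not visible in the hunk; if it does not, add `when: current_cfgnum.stdout == "0"` to the task, and a `changed_when` based on the command's output would keep the play idempotent either way.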
+++ b/build/rockylinux8/lemonldap-ng/ansible/deploy.yaml @@ -141,26 +141,33 @@ - current_cfgnum.stdout == "0" - container_type == "llng-fastcgi-server" - - name: LLNG basic configuration - import_tasks: llng_config_base.yml - when: - - current_cfgnum.stdout == "0" - - container_type == "llng-fastcgi-server" - - - name: LLNG session config - import_tasks: llng_config_sessions.yml + - name: Replace variables in llng_config_*.yaml template + ansible.builtin.template: + src: /llng_config_{{ item }}.yaml + dest: /tmp/llng_config_{{ item }}.yaml + loop: + - base + - auth + - sessions + - issuers when: - - current_cfgnum.stdout == "0" - container_type == "llng-fastcgi-server" - - name: LLNG authentication config - import_tasks: llng_config_auth.yml + - name: Apply llng_config_* configuration + ansible.builtin.shell: + cmd: /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 merge /tmp/llng_config_*.yaml when: - - current_cfgnum.stdout == "0" - container_type == "llng-fastcgi-server" - - name: LLNG issuers config - import_tasks: llng_config_issuers.yml + - name: Remove llng_config_* + ansible.builtin.file: + path: /tmp/llng_config_{{ item }}.yaml + state: absent + loop: + - base + - auth + - sessions + - issuers when: - - current_cfgnum.stdout == "0" - container_type == "llng-fastcgi-server" + diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yaml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yaml new file mode 100644 index 0000000..7e01000 --- /dev/null +++ b/build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yaml 
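Review bot: The rendered `/tmp/llng_config_{{ item }}.yaml` files carry the LDAP manager password, the PostgreSQL password and the OIDC/SAML private keys (see the auth, sessions and issuers templates in this series), but the `ansible.builtin.template` task sets no `mode`, so they are created with umask-derived permissions (typically 0644) in a world-readable directory, and the `Remove llng_config_*` task only runs when the merge succeeds. Add `mode: '0600'` to the template task and move the three tasks into a `block:` whose `always:` section holds the removal, so the files are deleted even when `lemonldap-ng-cli ... merge` fails. The new tasks also drop the `current_cfgnum.stdout == "0"` condition the replaced tasks carried, so unless an enclosing block outside the hunk applies it the merge re-applies the templated values on every deployment, overwriting any change made later in the manager. The loop list `base`/`auth`/`sessions`/`issuers` is written twice; a single variable keeps the two tasks in step.
```yaml
  - name: Import LLNG configuration from templates
    vars:
      llng_config_parts: [base, auth, sessions, issuers]
    when:
      - container_type == "llng-fastcgi-server"
    block:
      - name: Replace variables in llng_config_*.yaml template
        ansible.builtin.template:
          src: /llng_config_{{ item }}.yaml
          dest: /tmp/llng_config_{{ item }}.yaml
          mode: '0600'
        loop: "{{ llng_config_parts }}"
      # … unchanged: Apply llng_config_* configuration task …
    always:
      - name: Remove llng_config_*
        ansible.builtin.file:
          path: /tmp/llng_config_{{ item }}.yaml
          state: absent
        loop: "{{ llng_config_parts }}"
```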
@@ -0,0 +1,23 @@
+authentication: 'LDAP'
+userDB: 'LDAP'
+passwordDB: 'LDAP'
+registerDB: 'Null'
+ldapPort: '{{ lemonldap2_ldapport }}'
+ldapServer: 'ldap://{{ lemonldap2_ldaphost}}:{{ lemonldap2_ldapport }}/'
+managerDn: 'cn={{ lemonldap2_ldapusername }},ou=dsa,o=admin,dc=fusioniam,dc=org'
+managerPassword: '{{ lemonldap2_ldappassword }}'
+ldapBase: '{{ lemonldap2_ldapbase }}'
+ldapGroupBase: 'dc=fusioniam,dc=org'
+ldapGroupObjectClass: 'gosaGroupOfNames'
+ldapGroupRecursive: 1
+ldapPpolicyControl: 1
+ldapExportedVars:
+ uid: 'uid'
+ cn: 'cn'
+ sn: 'sn'
+ givenName: 'givenName'
+ mail: 'mail'
+mailLDAPFilter: '{{ lemonldap2_mailldapfilter }}'
+macros:
+ profile_url: '"https://{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/index.php?page=display&dn=".$_dn'
+ photo_url": '"https://{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/photo.php?dn=".$_dn'
diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yml
deleted file mode 100644
index 99f4bad..0000000
--- a/build/rockylinux8/lemonldap-ng/ansible/llng_config_auth.yml
+++ /dev/null
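Review bot: The second macro key is `photo_url"` — the stray double quote is part of the plain scalar, so the macro is stored under that name and `$photo_url` is never defined; the replaced task used `macros/photo_url`. Write `photo_url: '"https://{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/photo.php?dn=".$_dn'`. Separately, `ldapServer` uses the `ldap://` scheme, so the manager bind and every user password check travel in clear unless the LDAP host is reached over a loopback or otherwise protected link; where that is not the case, `ldaps://` or StartTLS should be configured. `{{ lemonldap2_ldaphost}}` is missing the closing space that every other expression has.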
@@ -1,53 +0,0 @@ -- name: Set Auth config - lemonldap_config: - name: "{{ item.name }}" - value: "{{ item.value }}" - loop: - - name: authentication - value: LDAP - - name: userDB - value: LDAP - - name: passwordDB - value: LDAP - - name: registerDB - value: "Null" - - name: ldapPort - value: "{{ lemonldap2_ldapport }}" - - name: ldapServer - value: "ldap://{{ lemonldap2_ldaphost}}:{{ lemonldap2_ldapport }}/" - - name: managerDn - value: "cn={{ lemonldap2_ldapusername }},ou=dsa,o=admin,dc=fusioniam,dc=org" - - name: managerPassword - value: "{{ lemonldap2_ldappassword }}" - - name: ldapBase - value: "{{ lemonldap2_ldapbase }}" - - name: ldapGroupBase - value: "dc=fusioniam,dc=org" - - name: ldapGroupObjectClass - value: "gosaGroupOfNames" - - name: ldapGroupRecursive - value: 1 - - name: ldapPpolicyControl - value: 1 - - name: "ldapExportedVars/uid" - value: uid - - name: "ldapExportedVars/cn" - value: cn - - name: "ldapExportedVars/sn" - value: sn - - name: "ldapExportedVars/givenName" - value: givenName - - name: "ldapExportedVars/mail" - value: mail - - name: mailLDAPFilter - value: "{{ lemonldap2_mailldapfilter }}" - -- name: Set macros - lemonldap_config: - name: "{{ item.name }}" - value: "{{ item.value }}" - loop: - - name: "macros/profile_url" - value: '"https://{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/index.php?page=display&dn=".$_dn' - - name: "macros/photo_url" - value: '"https://{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/photo.php?dn=".$_dn' diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml index ef62556..3c74f7b 100644 --- a/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml +++ b/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yaml 
@@ -16,24 +16,25 @@ locationRules: {{ lemonldap2_portal }}.{{ lemonldap2_domain }}: default: 'accept' {{ lemonldap2_manager }}.{{ lemonldap2_domain }}: - default: 'inGroup('access-llngmanager')' + default: 'inGroup("access-llngmanager")' {{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}: - default: 'inGroup('access-whitepages')' -#TODO: do only if lemonldap2_unprotect_profile_url - ^/index\\.php\\?page=display&dn=: 'unprotect' -#TODO: do only if lemonldap2_unprotect_photo_url - ^/photo\\.php\\?dn=: 'unprotect' + default: 'inGroup("access-whitepages")' +{% if lemonldap2_unprotect_profile_url|bool == true %} + '^/index\\.php\\?page=display&dn=': 'unprotect' +{% endif %} +{% if lemonldap2_unprotect_photo_url|bool == true %} + '^/photo\\.php\\?dn=': 'unprotect' +{% endif %} {{ lemonldap2_servicedesk_name }}.{{ lemonldap2_domain }}: - default: 'inGroup('access-servicedesk')' + default: 'inGroup("access-servicedesk")' {{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}: - default: 'inGroup('access-fusiondirectory')' + default: 'inGroup("access-fusiondirectory")' (?#logout)signout=1: 'logout' applicationList: 3documentation: localdoc: options: display: 'off' - 3documentation: officialwebsite: options: display: 'off' @@ -74,7 +75,9 @@ applicationList: logo: 'folder.png' name: 'Directory manager' uri: 'https://{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/' -exportedHeaders/{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/Auth-User": '$uid' +exportedHeaders: + {{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}: + Auth-User: '$uid' portalDisplayRegister: 0 portalCheckLogins: 0 portalDisplayResetPassword: '{{ lemonldap2_portaldisplayresetpassword }}' 
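Review bot: `{% if lemonldap2_unprotect_profile_url|bool == true %}` compares an already-boolean value with `true`; `{% if lemonldap2_unprotect_profile_url | bool %}` says the same thing and matches the `|bool` form the removed tasks used (same for the photo rule). The control lines sit at column 0 inside a nested mapping, which works only because the template module strips the block line; a `{# rendered under whitepages vhost #}` comment next to them would make the intent readable without the deleted task file. The enclosing `locationRules` mapping starts above the hunk.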
@@ -91,7 +94,7 @@ portalMainLogo: '{{ lemonldap2_logo }}' portalSkinBackground: '{{ lemonldap2_background }}' portalCustomCss: '{{ lemonldap2_css }}' securedCookie: 1 -cookieName: 'fusioniam-{{ lookup('env', 'CUSTOMERID') }}' +cookieName: 'fusioniam-{{ lookup("env", "CUSTOMERID") }}' sameSite: 'None' totp2fSelfRegistration: 1 totp2fActivation: 1 diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yml deleted file mode 100644 index ceeb049..0000000 --- a/build/rockylinux8/lemonldap-ng/ansible/llng_config_base.yml +++ /dev/null 
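Review bot: `lookup("env", "CUSTOMERID")` is evaluated on the machine that renders the template, and an unset variable expands to an empty string, so the cookie name silently becomes `fusioniam-` and cannot be told apart between deployments missing the variable. `cookieName: 'fusioniam-{{ lookup("env", "CUSTOMERID") | mandatory }}'` makes the render fail instead of producing a shared name.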
@@ -1,187 +0,0 @@ -- name: Import initial config - command: > - /usr/libexec/lemonldap-ng/bin/convertConfig -o - -- name: Set URLs and applications - lemonldap_config: - name: "{{ item.name }}" - value: "{{ item.value }}" - loop: - - name: domain - value: "{{ lemonldap2_domain }}" - - name: port - value: 443 - - name: https - value: 1 - - name: mailUrl - value: "https://{{ lemonldap2_portal }}.{{ lemonldap2_domain }}/resetpwd" - - name: portal - value: "https://{{ lemonldap2_portal }}.{{ lemonldap2_domain }}/" - - name: registerUrl - value: "https://{{ lemonldap2_portal }}.{{ lemonldap2_domain }}/register" - - name: reloadUrls/reload.{{ lemonldap2_domain }}:{{ lemonldap2_local_port }} - value: "http://reload.{{ lemonldap2_domain }}:{{ lemonldap2_local_port }}/reload" - - name: "locationRules/test1.example.com/default" - value: "deny" - - name: "locationRules/test2.example.com/default" - value: "deny" - - name: "locationRules/manager.example.com/default" - value: "deny" - - name: applicationList/3documentation/localdoc/options/display - value: "off" - - name: applicationList/3documentation/officialwebsite/options/display - value: "off" - - name: applicationList/2administration/manager/options/uri - value: "https://{{ lemonldap2_manager }}.{{ lemonldap2_domain }}/manager.html" - - name: applicationList/2administration/notifications/options/uri - value: "https://{{ lemonldap2_manager }}.{{ lemonldap2_domain }}/notifications.html" - - name: applicationList/2administration/sessions/options/uri - value: "https://{{ lemonldap2_manager }}.{{ lemonldap2_domain }}/sessions.html" - - name: "locationRules/{{ lemonldap2_portal }}.{{ lemonldap2_domain }}/default" - value: "accept" - - name: "locationRules/{{ lemonldap2_manager }}.{{ lemonldap2_domain }}/default" - value: "inGroup('access-llngmanager')" - - name: applicationList/1applications/type - value: "category" - - name: applicationList/1applications/catname - value: "Applications" - - name: 
applicationList/1applications/whitepages/type - value: "application" - - name: applicationList/1applications/whitepages/options/description - value: "Browse directory" - - name: applicationList/1applications/whitepages/options/display - value: "auto" - - name: applicationList/1applications/whitepages/options/logo - value: "thumbnail.png" - - name: applicationList/1applications/whitepages/options/name - value: "White pages" - - name: applicationList/1applications/whitepages/options/uri - value: "https://{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/" - - name: "locationRules/{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}/default" - value: "inGroup('access-whitepages')" - - name: applicationList/1applications/servicedesk/type - value: "application" - - name: applicationList/1applications/servicedesk/options/description - value: "Manage user accounts" - - name: applicationList/1applications/servicedesk/options/display - value: "auto" - - name: applicationList/1applications/servicedesk/options/logo - value: "help.png" - - name: applicationList/1applications/servicedesk/options/name - value: "Service desk" - - name: applicationList/1applications/servicedesk/options/uri - value: "https://{{ lemonldap2_servicedesk_name }}.{{ lemonldap2_domain }}/" - - name: "locationRules/{{ lemonldap2_servicedesk_name }}.{{ lemonldap2_domain }}/default" - value: "inGroup('access-servicedesk')" - - name: applicationList/1applications/fusiondirectory/type - value: "application" - - name: applicationList/1applications/fusiondirectory/options/description - value: "Edit directory entries" - - name: applicationList/1applications/fusiondirectory/options/display - value: "auto" - - name: applicationList/1applications/fusiondirectory/options/logo - value: "folder.png" - - name: applicationList/1applications/fusiondirectory/options/name - value: "Directory manager" - - name: applicationList/1applications/fusiondirectory/options/uri - value: "https://{{ 
lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/" - - name: "locationRules/{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/default" - value: "inGroup('access-fusiondirectory')" - - name: "locationRules/{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/(?#logout)signout=1" - value: "logout" - - name: "exportedHeaders/{{ lemonldap2_fusiondirectory_name }}.{{ lemonldap2_domain }}/Auth-User" - value: "$uid" - -- name: Unprotect profile URL - lemonldap_config: - name: "locationRules:{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}:^/index\\.php\\?page=display&dn=" - value: "unprotect" - sep: ":" - when: lemonldap2_unprotect_profile_url|bool - -- name: Unprotect photo URL - lemonldap_config: - name: "locationRules:{{ lemonldap2_whitepages_name }}.{{ lemonldap2_domain }}:^/photo\\.php\\?dn=" - value: "unprotect" - sep: ":" - when: lemonldap2_unprotect_photo_url|bool - -- name: Set Portal configuration - lemonldap_config: - name: "{{ item.name }}" - value: "{{ item.value }}" - loop: - - name: "portalDisplayRegister" - value: 0 - - name: "portalCheckLogins" - value: 0 - - name: "portalDisplayResetPassword" - value: "{{ lemonldap2_portaldisplayresetpassword }}" - - name: "portalDisplayOidcConsents" - value: 0 - - name: "portalDisplayAppslist" - value: 1 - - name: "portalDisplayChangePassword" - value: "{{ lemonldap2_portaldisplaychangepassword }}" - - name: "portalDisplayLoginHistory" - value: 1 - - name: "portalDisplayLogout" - value: 1 - - name: "portalDisplayPasswordPolicy" - value: 1 - - name: "portalDisplayRefreshMyRights" - value: 1 - - name: "requireToken" - value: "{{ lemonldap2_requiretoken }}" - - name: "singleSession" - value: "{{ lemonldap2_singlesession }}" - - name: "portalMainLogo" - value: "{{ lemonldap2_logo }}" - - name: "portalSkinBackground" - value: "{{ lemonldap2_background }}" - - name: "portalCustomCss" - value: "{{ lemonldap2_css }}" - -- name: Set LLNG Cookie configuration - lemonldap_config: - name: "{{ 
item.name }}" - value: "{{ item.value }}" - loop: - - name: "securedCookie" - value: 1 - - name: "cookieName" - value: "fusioniam-{{ lookup('env', 'CUSTOMERID') }}" - - name: "sameSite" - value: "None" - -- name: Set 2F parameters - lemonldap_config: - name: "{{ item.name }}" - value: "{{ item.value }}" - loop: - - name: "totp2fSelfRegistration" - value: 1 - - name: "totp2fActivation" - value: 1 - - name: "totp2fIssuer" - value: "{{ lemonldap2_sfaissuer }}" - - name: "sfManagerRule" - value: "{{ lemonldap2_sfamanagerrule }}" - -- name: Set ppolicy - lemonldap_config: - name: "{{ item.name }}" - value: "{{ item.value }}" - loop: - - name: passwordPolicyMinDigit - value: "{{ lemonldap2_passwordpolicymindigit }}" - - name: passwordPolicyMinLower - value: "{{ lemonldap2_passwordpolicyminlower }}" - - name: passwordPolicyMinSize - value: "{{ lemonldap2_passwordpolicyminsize }}" - - name: passwordPolicyMinSpeChar - value: "{{ lemonldap2_passwordpolicyminspechar }}" - - name: passwordPolicyMinUpper - value: "{{ lemonldap2_passwordpolicyminupper }}" - - name: passwordPolicySpecialChar - value: "{{ lemonldap2_passwordpolicyspecialchar }}" diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yaml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yaml new file mode 100644 index 0000000..226adf7 --- /dev/null +++ b/build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yaml 
@@ -0,0 +1,16 @@
+issuerDBCASActivation: 1
+casAccessControlPolicy: 'error'
+oidcServicePrivateKeySig: |
+{{ lookup("file", lemonldap2_oidcpriv) | indent(4, True) }}
+oidcServicePublicKeySig: |
+{{ lookup("file", lemonldap2_oidcpub) | indent(4, True) }}
+issuerDBOpenIDConnectActivation: 1
+
+samlServicePrivateKeySig: |
+{{ lookup("file", lemonldap2_samlpriv) | indent(4, True) }}
+samlServicePublicKeySig: |
+{{ lookup("file", lemonldap2_samlpub) | indent(4, True) }}
+issuerDBSAMLActivation: 1
+samlOrganizationName: 'FusionIAM'
+samlOrganizationDisplayName: 'FusionIAM'
+samlOrganizationURL: 'https://www.fusioniam.org'
diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yml
deleted file mode 100644
index 7bf2c7b..0000000
--- a/build/rockylinux8/lemonldap-ng/ansible/llng_config_issuers.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-- name: Enable CAS issuer
- lemonldap_config:
- name: "{{ item.name }}"
- value: "{{ item.value }}"
- loop:
- - name: issuerDBCASActivation
- value: 1
- - name: casAccessControlPolicy
- value: error
-
-- name: Enable OIDC issuer
- lemonldap_config:
- name: "{{ item.name }}"
- value: "{{ item.value }}"
- loop:
- - name: oidcServicePrivateKeySig
- value: "{{ lookup('file', lemonldap2_oidcpriv) }}"
- - name: oidcServicePublicKeySig
- value: "{{ lookup('file', lemonldap2_oidcpub) }}"
- - name: issuerDBOpenIDConnectActivation
- value: 1
-
-- name: Enable SAML issuer
- lemonldap_config:
- name: "{{ item.name }}"
- value: "{{ item.value }}"
- loop:
- - name: samlServicePrivateKeySig
- value: "{{ lookup('file', lemonldap2_samlpriv) }}"
- - name: samlServicePublicKeySig
- value: "{{ lookup('file', lemonldap2_samlpub) }}"
- - name: issuerDBSAMLActivation
- value: 1
- - name: samlOrganizationName
- value: 'FusionIAM'
- - name: samlOrganizationDisplayName
- value: 'FusionIAM'
- - name: samlOrganizationURL
- value: 'https://www.fusioniam.org'
diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yaml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yaml
new file mode 100644
index 0000000..95263fe
--- /dev/null
+++ b/build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yaml
@@ -0,0 +1,41 @@
+globalStorage: 'Apache::Session::Browseable::PgJSON'
+persistentStorage: 'Apache::Session::Browseable::PgJSON'
+samlStorage: 'Apache::Session::Browseable::PgJSON'
+casStorage: 'Apache::Session::Browseable::PgJSON'
+oidcStorage: 'Apache::Session::Browseable::PgJSON'
+
+globalStorageOptions:
+ DataSource: 'DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}'
+ TableName: 'sessions'
+ UserName: '{{ lemonldap2_pguser }}'
+ Password: '{{ lemonldap2_pgpassword }}'
+ Commit: 1
+
+persistentStorageOptions:
+ DataSource: 'DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}'
+ TableName: 'psessions'
+ UserName: '{{ lemonldap2_pguser }}'
+ Password: '{{ lemonldap2_pgpassword }}'
+ Commit: 1
+
+samlStorageOptions:
+ DataSource: 'DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}'
+ TableName: 'samlsessions'
+ UserName: '{{ lemonldap2_pguser }}'
+ Password: '{{ lemonldap2_pgpassword }}'
+ Commit: 1
+
+oidcStorageOptions:
+ DataSource: 'DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}'
+ TableName: 'oidcsessions'
+ UserName: '{{ lemonldap2_pguser }}'
+ Password: '{{ lemonldap2_pgpassword }}'
+ Commit: 1
+
+casStorageOptions:
+ DataSource: 'DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}'
+ TableName: 'cassessions'
+ UserName: '{{ lemonldap2_pguser }}'
+ Password: '{{ lemonldap2_pgpassword }}'
+ Commit: 1
+
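Review bot: All five `DataSource` values use `database={{ lemonldap2_pguser }}`, so the role name doubles as the database name; if that is deliberate a comment such as `# database name intentionally equals the PostgreSQL user` would stop the next reader from "fixing" it, otherwise a dedicated variable is needed. The DSN carries no `sslmode`, so the store through which every user session is read and written is reached over a plaintext connection unless the PostgreSQL host is on a protected link; `sslmode=require` in the `DBI:Pg:` DSN enforces TLS in DBD::Pg. The five option blocks differ only in `TableName`; the shared DSN rendered once into a playbook variable would leave a single place to get right.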
diff --git a/build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yml b/build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yml
deleted file mode 100644
index 847782d..0000000
--- a/build/rockylinux8/lemonldap-ng/ansible/llng_config_sessions.yml
+++ /dev/null
@@ -1,90 +0,0 @@ -- name: Change session backends - lemonldap_config: - name: "{{ item }}" - value: "Apache::Session::Browseable::PgJSON" - loop: - - globalStorage - - persistentStorage - - samlStorage - - casStorage - - oidcStorage - -- name: Change global session backends options - lemonldap_config: - name: "globalStorageOptions/{{ item.key }}" - value: "{{ item.value }}" - loop: - - key: DataSource - value: "DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}" - - key: TableName - value: sessions - - key: UserName - value: "{{ lemonldap2_pguser }}" - - key: Password - value: "{{ lemonldap2_pgpassword }}" - - key: Commit - value: 1 - -- name: Change persistent session backends options - lemonldap_config: - name: "persistentStorageOptions/{{ item.key }}" - value: "{{ item.value }}" - loop: - - key: DataSource - value: "DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}" - - key: TableName - value: psessions - - key: UserName - value: "{{ lemonldap2_pguser }}" - - key: Password - value: "{{ lemonldap2_pgpassword }}" - - key: Commit - value: 1 - -- name: Change SAML session backends options - lemonldap_config: - name: "samlStorageOptions/{{ item.key }}" - value: "{{ item.value }}" - loop: - - key: DataSource - value: "DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}" - - key: TableName - value: samlsessions - - key: UserName - value: "{{ lemonldap2_pguser }}" - - key: Password - value: "{{ lemonldap2_pgpassword }}" - - key: Commit - value: 1 - -- name: Change OIDC session backends options - lemonldap_config: - name: "oidcStorageOptions/{{ item.key }}" - value: "{{ item.value }}" - loop: - - key: DataSource - value: "DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}" - - key: TableName - value: oidcsessions - - key: UserName - value: "{{ lemonldap2_pguser }}" - - key: Password - 
value: "{{ lemonldap2_pgpassword }}" - - key: Commit - value: 1 - -- name: Change CAS session backends options - lemonldap_config: - name: "casStorageOptions/{{ item.key }}" - value: "{{ item.value }}" - loop: - - key: DataSource - value: "DBI:Pg:database={{ lemonldap2_pguser }};host={{ lemonldap2_pghost }};port={{ lemonldap2_pgport }}" - - key: TableName - value: cassessions - - key: UserName - value: "{{ lemonldap2_pguser }}" - - key: Password - value: "{{ lemonldap2_pgpassword }}" - - key: Commit - value: 1 -- GitLab