#!/usr/bin/perl
use strict;
use warnings;

use HTML::Template;
use Lemonldap::NG::Portal::Menu;
use Lemonldap::NG::Portal::SharedConf;
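# Menu configuration
#
# The __PLACEHOLDER__ values are replaced with real paths when the portal is
# installed. Single quotes keep Perl from interpolating a '$' or '@' that such
# a path could contain (double quotes would silently mangle it).
my $skin_dir    = '__SKINDIR__';        # directory holding one sub-directory per skin
my $appsxmlfile = '__APPSXMLFILE__';    # XML file describing the applications menu
my $appsimgpath = 'apps/';              # path prefix for the application images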
# Portal object.
#
# Any parameter known to the manager can be overridden in the hash below. The
# commented-out entries only document the most useful ones and keep the value
# coming from the manager configuration; the only setting actually active in
# this default file is "Soap => 1".
my $portal = Lemonldap::NG::Portal::SharedConf->new(
    {

        # ACCESS TO CONFIGURATION
        # By default, Lemonldap::NG uses the default lemonldap-ng.ini file to
        # know where to find its configuration
        # (generally /etc/lemonldap-ng/lemonldap-ng.ini)
        # You can specify this file yourself:
        #configStorage => { confFile => '/path/to/my/file' },
        # or set the parameters explicitly:
        #configStorage => {
        #    type    => 'File',
        #    dirName => '/usr/local/lemonldap-ng/data//conf'
        #},
        # Note that YOU HAVE TO SET configStorage here if you've declared this
        # portal as SOAP configuration server in the manager

        # PORTAL CUSTOMIZATION
        # * Skin (sub-directory of the skins directory, see $skin_dir above)
        #portalSkin => 'pastel',
        # * Modules displayed
        #portalDisplayLogout => 1,
        #portalDisplayResetPassword => 1,
        #portalDisplayChangePassword => 1,
        #portalDisplayAppslist => 1,
        # * Allow password autocompletion
        # (passwords stored in user web browsers; leave it off where
        # workstations are shared)
        #portalAutocomplete => "on",
        # * Require the old password when changing password
        # (recommended: otherwise a hijacked session is enough to set a new
        # password)
        #portalRequireOldPassword => 1,
        # * Attribute displayed as connected user
        #portalUserAttr => "mail",

        # LOG
        # By default, all is logged in Apache file. To log user actions by
        # syslog, just set syslog facility here:
        #syslog => 'auth',

        # SOAP FUNCTIONS
        # The SOAP functions getCookies(user,pwd) and error(language, code)
        # are ENABLED below (the Soap line is not commented out). getCookies
        # receives a login and a password, so this end point must only be
        # reachable over HTTPS and only from the applications that need it;
        # comment the line out if nothing uses SOAP.
        Soap => 1,

        # Note that getAttributes() will be activated but on a different URI
        # (http://auth.example.com/index.pl/sessions)
        # You can also restrict attributes and macros exported by getAttributes
        #exportedAttr => 'uid mail',

        # PASSWORD POLICY
        # Remove comment to use LDAP Password Policy
        #ldapPpolicyControl => 1,

        # Remove comment to store password in session (use with caution: the
        # user's password is then kept in the session backend for the whole
        # session lifetime, so protect that backend accordingly)
        #storePassword => 1,

        # Remove comment to use LDAP modify password extension
        # (beware of compatibility with LDAP Password Policy)
        #ldapSetPassword => 1,

        # RESET PASSWORD BY MAIL
        # SMTP server (default to localhost), set to '' to use default mail
        # service
        #SMTPServer => "localhost",

        # Mail From address
        #mailFrom => "noreply@test.com",

        # Mail subject
        #mailSubject => "Password reset",

        # Mail body (can use $password for generated password, and other session
        # infos, like $cn). The generated password travels in clear text in the
        # mail: combine this with a forced change at first login (the portal
        # handles PE_PP_CHANGE_AFTER_RESET below) rather than a permanent password.
        #mailBody => 'Hello $cn,\n\nYour new password is $password',

        # LDAP filter used to find the account from the address typed in the
        # reset form ($mail). That value comes straight from the user, so it
        # must be escaped (RFC 4515) before substitution -- confirm the portal
        # does this before customizing the filter.
        #mailLDAPFilter => '(&(mail=$mail)(objectClass=inetOrgPerson))',

        # Pattern used to generate the random password (regexp syntax: '.'
        # stands for any character)
        #randomPasswordRegexp => '[A-Z]{3}[a-z]{5}.\d{2}',

        # LDAP GROUPS
        # Set the base DN of your groups branch
        #ldapGroupBase => 'ou=groups,dc=example,dc=com',
        # Objectclass used by groups
        #ldapGroupObjectClass => 'groupOfUniqueNames',
        # Attribute used by groups to store member
        #ldapGroupAttributeName => 'uniqueMember',
        # Attribute used by user to link to groups
        #ldapGroupAttributeNameUser => 'dn',
        # Attribute used to identify a group. The group will be displayed as
        # cn|mail|status, where cn, mail and status will be replaced by their
        # values.
        #ldapGroupAttributeNameSearch => ['cn'],

        # CUSTOM FUNCTION
        # If you want to create customFunctions in rules, declare them here:
        #customFunctions => 'function1 function2',
        #customFunctions => 'Package::func1 Package::func2',

        # NOTIFICATIONS SERVICE
        # Use it to be able to notify messages during authentication
        #notification => 1,
        # Note that the SOAP function newNotification will be activated on
        # http://auth.example.com/index.pl/notification
        # Unless protected, that function is callable by anyone who can reach
        # the URI: protect "/index.pl/notification" in your Apache
        # configuration file (IP restriction or authentication)

        # CROSS-DOMAIN
        # If you have some handlers that are not registered on the main domain,
        # uncomment this
        #cda => 1,

        # REDIRECTION PROTECTION (open redirect; formerly titled "XSS protection bypass")
        # After authentication the user is redirected to the URL given in the
        # request. By default, the portal refuses redirections to sites that
        # are not registered in the configuration (manager), except for those
        # in trusted domains. By default, trustedDomains contains the domain
        # declared in the manager. You can set trustedDomains to an empty value
        # so that undeclared sites are rejected. You can also set here a list
        # of trusted domains or hosts separated by spaces. This is useful if
        # your website uses Lemonldap::NG without handler, with the SOAP
        # functions. Every entry becomes a valid redirection target, so keep
        # the list short.
        # Examples:
        #trustedDomains => 'my.trusted.host example2.com',
        #trustedDomains => '',

        # OTHERS
        # You can also overload any parameter issued from manager
        # configuration. Example:
        #globalStorage => 'Apache::Session::File',
        #globalStorageOptions => {
        #    'Directory'     => '/var/lib/lemonldap-ng/sessions/',
        #    'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/',
        #},
        # Note that YOU HAVE TO SET globalStorage here if you've declared this
        # portal as SOAP session server in the manager
    }
);
# Skin selected in the configuration (portalSkin): it names the directory the
# templates are read from
my $skin = $portal->{portalSkin};

# Filled in by the query processing below: the template to render and the
# name/value pairs handed to it
my $skinfile;
my %templateParams;
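####################
# QUERY PROCESSING #
####################
#
# Each branch selects the template to render ($skinfile) and the name/value
# pairs handed to it (%templateParams). HTML::Template inserts those values
# without escaping: anything that may carry user- or directory-supplied text
# (AUTH_USER, LOGIN, MSG, NOTIFICATION, URL, error strings) depends on the
# skin's <TMPL_VAR> tags using ESCAPE=HTML (ESCAPE=URL for URL). Check the
# skin before adding a variable here.

# I - GOOD AUTHENTICATION
# process() returned true: the request carries (or just created) a valid session
if ( $portal->process() ) {

    # 1.1 Case : there is a message to display before redirecting
    if ( my $info = $portal->info() ) {
        $skinfile       = 'info.tpl';
        %templateParams = (
            AUTH_ERROR_TYPE => $portal->error_type,
            MSG             => $info,
            SKIN            => $skin,

            # Redirection target; the portal checks it against the declared
            # virtual hosts and trustedDomains (see configuration above)
            URL => $portal->{urldc},
        );
    }

    # 1.2 Case : display menu
    else {
        $skinfile = 'menu.tpl';

        # Menu creation (Lemonldap::NG::Portal::Menu is loaded with the other
        # modules at the top of the file: "use" is compile time, so a "use"
        # placed inside this block was never conditional anyway)
        my $menu = Lemonldap::NG::Portal::Menu->new(
            {
                portalObject => $portal,
                apps         => {
                    xmlfile => $appsxmlfile,
                    imgpath => $appsimgpath,
                },
                modules => {
                    appslist => $portal->{portalDisplayAppslist},
                    password => $portal->{portalDisplayChangePassword},
                    logout   => $portal->{portalDisplayLogout},
                },
            }
        );

        # Asked once instead of twice: it drives both DISPLAY_APPSLIST and the
        # generation of the applications list itself
        my $display_appslist = $menu->displayModule("appslist");

        %templateParams = (

            # Attribute shown as the connected user (portalUserAttr, e.g. mail)
            AUTH_USER => $portal->{sessionInfo}->{ $portal->{portalUserAttr} },
            AUTOCOMPLETE        => $portal->{portalAutocomplete},
            SKIN                => $skin,
            AUTH_ERROR          => $menu->error,
            AUTH_ERROR_TYPE     => $menu->error_type,
            DISPLAY_APPSLIST    => $display_appslist,
            DISPLAY_PASSWORD    => $menu->displayModule("password"),
            DISPLAY_LOGOUT      => $menu->displayModule("logout"),
            DISPLAY_TAB         => $menu->displayTab,
            LOGOUT_URL          => "$ENV{SCRIPT_NAME}?logout=1",
            REQUIRE_OLDPASSWORD => $portal->{portalRequireOldPassword},
            (
                $display_appslist
                ? (
                    APPSLIST_MENU => $menu->appslistMenu,
                    APPSLIST_DESC => $menu->appslistDescription
                  )
                : ()
            )
        );
    }
}

# II - USER NOT AUTHENTICATED (or session not yet usable)

# 2.1 A notification has to be accepted (the session is created but hidden and
# unusable until the user has accepted the message)
elsif ( my $notif = $portal->notification ) {
    $skinfile       = 'notification.tpl';
    %templateParams = (
        AUTH_ERROR_TYPE => $portal->error_type,
        NOTIFICATION    => $notif,
        SKIN            => $skin,
    );
}

# 2.2 An authentication (or userDB) module needs to ask a question before
# processing the request
elsif ( $portal->{error} == PE_CONFIRM ) {
    $skinfile       = 'confirm.tpl';
    %templateParams = (
        AUTH_ERROR      => $portal->error,
        AUTH_ERROR_TYPE => $portal->error_type,
        AUTH_URL        => $portal->get_url,
        MSG             => $portal->info(),
        SKIN            => $skin,
    );
}

# 2.3 Authentication has been refused OR this is the first access
else {
    $skinfile       = 'login.tpl';
    %templateParams = (
        AUTH_ERROR      => $portal->error,
        AUTH_ERROR_TYPE => $portal->error_type,
        AUTH_URL        => $portal->get_url,

        # Value returned by get_user (the submitted login), echoed back into
        # the form
        LOGIN                 => $portal->get_user,
        AUTOCOMPLETE          => $portal->{portalAutocomplete},
        SKIN                  => $skin,
        DISPLAY_RESETPASSWORD => $portal->{portalDisplayResetPassword},
        DISPLAY_FORM          => 1,
    );

    # Adapt template if password policy error: the login form gives way to the
    # change-password form, and the old password is always asked for there
    if (
        $portal->{portalDisplayChangePassword}
        and (  $portal->{error} == PE_PP_CHANGE_AFTER_RESET
            or $portal->{error} == PE_PP_MUST_SUPPLY_OLD_PASSWORD
            or $portal->{error} == PE_PP_INSUFFICIENT_PASSWORD_QUALITY
            or $portal->{error} == PE_PP_PASSWORD_TOO_SHORT
            or $portal->{error} == PE_PP_PASSWORD_TOO_YOUNG
            or $portal->{error} == PE_PP_PASSWORD_IN_HISTORY
            or $portal->{error} == PE_PASSWORD_MISMATCH
            or $portal->{error} == PE_BADOLDPASSWORD )
      )
    {
        $templateParams{REQUIRE_OLDPASSWORD}   = 1;
        $templateParams{DISPLAY_PASSWORD}      = 1;
        $templateParams{DISPLAY_RESETPASSWORD} = 0;
        $templateParams{DISPLAY_FORM}          = 0;
    }

    # Adapt template if external authentication error (certificate problems or
    # a generic error): no form can help, so none is displayed.
    # The "or" chain has to be parenthesized: "?:" binds tighter than "or",
    # so the former list expression "A or B or C ? (...) : ()" only applied
    # the overrides for C (PE_ERROR); for PE_BADCERTIFICATE and
    # PE_CERTIFICATEREQUIRED it pushed a lone "1" into the hash list and left
    # the login form displayed.
    if (   $portal->{error} == PE_BADCERTIFICATE
        or $portal->{error} == PE_CERTIFICATEREQUIRED
        or $portal->{error} == PE_ERROR )
    {
        $templateParams{DISPLAY_RESETPASSWORD} = 0;
        $templateParams{DISPLAY_FORM}          = 0;
    }
}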
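# HTML template creation. $skin comes from the configuration (portalSkin), not
# from the request, and $skinfile is one of the fixed names chosen above, so
# the template path cannot be steered by the client.
my $template = HTML::Template->new(
    filename          => "$skin_dir/$skin/$skinfile",
    die_on_bad_params => 0,    # a skin may ignore parameters it does not use
    cache             => 0,
    filter            => sub { $portal->translate_template(@_) },   # portal-side translation of the template text
);

# Give parameters to the template in one call: HTML::Template::param accepts a
# name => value list, which replaces the former per-key loop. Values are
# inserted as-is -- escaping is the skin's job (ESCAPE=HTML / ESCAPE=URL on
# <TMPL_VAR>). The guard avoids calling param() with an empty list, which would
# be a (harmless) query of the parameter names instead of an assignment.
$template->param(%templateParams) if %templateParams;

# Display it
print $portal->header('text/html; charset=utf-8');
print $template->output;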