Use LL::NG REST API for config and sessions
parent
ab87cfd7ea
commit
d24ddc605d
19
README.md
19
README.md
|
@ -32,19 +32,24 @@ Note that while creating new or updating existing basicauth entry will be reload
|
|||
|
||||
|
||||
# Lemonldap::NG Handler
|
||||
The job support running a Lemonldap::NG handler, but in a very specific configuration only for now. You have to use a MySQL or MariaDB for the config and the sessions, and this DB must be reachable through the Consul service mesh.
|
||||
Then you need to enable support for the handler, in your variables.yml file
|
||||
The job support running a Lemonldap::NG handler, using the REST API to reach config and session databases
|
||||
```
|
||||
lemonldap:
|
||||
enabled: True
|
||||
db:
|
||||
service_name: mariadb
|
||||
config:
|
||||
url: https://auth.example.org/index.psgi/config
|
||||
user: lemonldap
|
||||
db: lemonldap
|
||||
password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
|
||||
realm: Lemonldap::NG API
|
||||
sessions:
|
||||
url: https://auth.example.org/index.psgi/sessions/global
|
||||
user: lemonldap
|
||||
password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
|
||||
realm: Lemonldap::NG API
|
||||
```
|
||||
|
||||
And the password for the DB is stored in vault
|
||||
And the password for the API is stored in vault
|
||||
|
||||
```
|
||||
vault kv put kv/service/traefik llng_handler_db_pwd='ThisIsNotAVeryStrongPassword'
|
||||
vault kv put kv/service/traefik llng_api_pwd='ThisIsNotAVeryStrongPassword'
|
||||
```
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[all]
|
||||
logLevel = debug
|
||||
logLevel = info
|
||||
logger = Lemonldap::NG::Common::Logger::Std
|
||||
userLogger = Lemonldap::NG::Common::Logger::Std
|
||||
localSessionStorage = Cache::FileCache
|
||||
|
@ -7,71 +7,33 @@ localSessionStorageOptions = { \
|
|||
'namespace' => 'sessions', \
|
||||
'default_expires_in' => '10', \
|
||||
'directory_umask' => '007', \
|
||||
'cache_root' => '/secrets/cache/', \
|
||||
'cache_root' => '/tmp', \
|
||||
'cache_depth' => 3 \
|
||||
}
|
||||
globalStorage = Apache::Session::Browseable::MySQL
|
||||
globalStorage = Lemonldap::NG::Common::Apache::Session::REST
|
||||
globalStorageOptions = { \
|
||||
'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
|
||||
'UserName' => '[[ .lemonldap.db.user ]]', \
|
||||
'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
|
||||
'TableName' => 'sessions', \
|
||||
'Index' => 'ipAddr _whatToTrace user _session_kind _utime _httpSessionType', \
|
||||
'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
|
||||
}
|
||||
persistentStorage = Apache::Session::Browseable::MySQL
|
||||
persistentStorageOptions = { \
|
||||
'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
|
||||
'UserName' => '[[ .lemonldap.db.user ]]', \
|
||||
'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
|
||||
'TableName' => 'psessions', \
|
||||
'Index' => 'ipAddr _whatToTrace _session_kind _httpSessionType _session_uid', \
|
||||
'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
|
||||
}
|
||||
samlStorage = Apache::Session::Browseable::MySQL
|
||||
samlStorageOptions = { \
|
||||
'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
|
||||
'UserName' => '[[ .lemonldap.db.user ]]', \
|
||||
'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
|
||||
'TableName' => 'samlsessions', \
|
||||
'Index' => '_session_kind _utime _saml_id', \
|
||||
'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
|
||||
}
|
||||
oidcStorage = Apache::Session::Browseable::MySQL
|
||||
oidcStorageOptions = { \
|
||||
'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
|
||||
'UserName' => '[[ .lemonldap.db.user ]]', \
|
||||
'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
|
||||
'TableName' => 'oidcsessions', \
|
||||
'Index' => '_session_kind _utime', \
|
||||
'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
|
||||
}
|
||||
casStorage = Apache::Session::Browseable::MySQL
|
||||
casStorageOptions = { \
|
||||
'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
|
||||
'UserName' => '[[ .lemonldap.db.user ]]', \
|
||||
'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
|
||||
'TableName' => 'cassessions', \
|
||||
'Index' => '_session_kind _utime _cas_id', \
|
||||
'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
|
||||
baseUrl => "[[ .lemonldap.sessions.url ]]", \
|
||||
[[- if and (has .lemonldap.sessions "user") (has .lemonldap.sessions "password") (has .lemonldap.sessions "realm") ]]
|
||||
user => "[[ .lemonldap.sessions.user ]]", \
|
||||
password => "[[ .lemonldap.sessions.password ]]", \
|
||||
realm => "[[ .lemonldap.sessions.realm ]]", \
|
||||
[[- end ]]
|
||||
}
|
||||
|
||||
[configuration]
|
||||
type = CDBI
|
||||
dbiChain = DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1
|
||||
dbiUser = [[ .lemonldap.db.user ]]
|
||||
dbiPassword = {{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}
|
||||
type = REST
|
||||
baseUrl = [[ .lemonldap.config.url ]]
|
||||
[[- if and (has .lemonldap.config "user") (has .lemonldap.config "password") (has .lemonldap.config "realm") ]]
|
||||
user = [[ .lemonldap.config.user ]]
|
||||
password = [[ .lemonldap.config.password ]]
|
||||
realm = [[ .lemonldap.config.realm ]]
|
||||
[[- end ]]
|
||||
localStorage = Cache::FileCache
|
||||
localStorageOptions = { \
|
||||
'namespace' => 'config', \
|
||||
'default_expires_in' => '5', \
|
||||
'directory_umask' => '007', \
|
||||
'cache_root' => '/secrets/cache/', \
|
||||
'cache_root' => '/tmp', \
|
||||
'cache_depth' => 0 \
|
||||
}
|
||||
|
||||
[handler]
|
||||
https = 1
|
||||
status = 0
|
||||
hideSignature = 1
|
||||
|
||||
|
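Review bot: The new REST option values `baseUrl => "[[ .lemonldap.sessions.url ]]"`, `user => "..."`, `password => "..."` and `realm => "..."` are written as double-quoted strings, while the neighbouring entries (`'namespace' => 'sessions'`, `'cache_root' => '/tmp'`) and the removed MySQL options all used single-quoted keys and values; as far as I recall these `{ ... }` option blocks are evaluated as Perl, so a password containing `$`, `@`, `"` or `\` would be interpolated or break the parse. Use `'password' => '[[ .lemonldap.sessions.password ]]', \` and the same single-quoted form for the other three keys. Separately, the `[[- if and (has .lemonldap.sessions "user") (has .lemonldap.sessions "password") (has .lemonldap.sessions "realm") ]]` guard here and its twin in the `[configuration]` section render no credentials at all when any one of the three keys is missing, so a partially filled `sessions:` or `config:` block silently produces a handler that queries the config and session APIs unauthenticated instead of failing the render; consider failing the template in that case, or at least commenting the all-or-nothing behaviour next to each guard.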
|
|
@ -136,6 +136,8 @@ _EOF
|
|||
"secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
|
||||
"local/Traefik.pm:/usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Server/Traefik.pm:ro"
|
||||
]
|
||||
# Add a tmpfs to store config and session cache
|
||||
[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
|
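Review bot: The tmpfs size in `[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]` is a bare literal with no unit, and nothing ties the `/tmp` target to the `cache_root => '/tmp'` the ini template now relies on, so a later change to either side can quietly put the decrypted session cache on the container's writable layer or fill the tmpfs. Extend the comment to `# Add a tmpfs to store config and session cache (must match cache_root=/tmp in lemonldap-ng.ini.tpl); size presumably in bytes — confirm against common/tmpfs`. The block closed by the `}` at the end of the hunk opens outside it.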
@ -151,7 +153,7 @@ _EOF
|
|||
|
||||
template {
|
||||
data =<<_EOT
|
||||
[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
|
||||
[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
|
||||
_EOT
|
||||
destination = "secrets/lemonldap-ng.ini"
|
||||
perms = "0400"
|
||||
|
|
|
@ -93,13 +93,14 @@ lemonldap:
|
|||
cpu: 200
|
||||
memory: 128
|
||||
|
||||
# DB the handler will use for config and session
|
||||
# Only MySQL/MariaDB is supported for now
|
||||
db:
|
||||
host: 127.0.0.1
|
||||
port: 3306
|
||||
# DB user
|
||||
user: lemonldapnghandler
|
||||
# DB name
|
||||
name: lemonldapng
|
||||
config:
|
||||
url: https://auth.example.org/index.psgi/config
|
||||
# user: lemonldap
|
||||
# password: secret
|
||||
realm: Lemonldap::NG API
|
||||
|
||||
sessions:
|
||||
url: https://auth.example.org/index.psgi/sessions/global
|
||||
# user: lemonldap
|
||||
# password: secret
|
||||
realm: Lemonldap::NG API
|
||||
|
|
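Review bot: The new `config:` and `sessions:` blocks carry no explanation of their keys, whereas the `db:` block they replace documented each one (`# DB user`, `# DB name`); nothing says that `user`, `password` and `realm` are only emitted together, that `password` may be a Vault template as shown in the README, or that the shipped default (credentials commented out) sends no authentication to the config and session endpoints. Add a comment above each block, e.g. `# LL::NG config REST endpoint; user/password/realm are sent as HTTP auth only when all three are set — prefer a Vault template to a literal password here`, and the equivalent above `sessions:`.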