diff --git a/README.md b/README.md
index 2945a4b..d825ae0 100644
--- a/README.md
+++ b/README.md
@@ -32,19 +32,24 @@ Note that while creating new or updating existing basicauth entry will be reload
 # Lemonldap::NG Handler
-The job support running a Lemonldap::NG handler, but in a very specific configuration only for now. You have to use a MySQL or MariaDB for the config and the sessions, and this DB must be reachable through the Consul service mesh.
-Then you need to enable support for the handler, in your variables.yml file
+The job support running a Lemonldap::NG handler, using the REST API to reach config and session databases
 ```
 lemonldap:
 enabled: True
- db:
- service_name: mariadb
+ config:
+ url: https://auth.example.org/index.psgi/config
 user: lemonldap
- db: lemonldap
+ password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
+ realm: Lemonldap::NG API
+ sessions:
+ url: https://auth.example.org/index.psgi/sessions/global
+ user: lemonldap
+ password: '{{ with secret "kv/service/traefik" }}{{ .Data.data.llng_api_pwd }}{{ end }}'
+ realm: Lemonldap::NG API
 ```
-And the password for the DB is stored in vault
+And the password for the API is stored in vault
 ```
-vault kv put kv/service/traefik llng_handler_db_pwd='ThisIsNotAVeryStrongPassword'
+vault kv put kv/service/traefik llng_api_pwd='ThisIsNotAVeryStrongPassword'
 ```
diff --git a/templates/lemonldap-ng.ini.tpl b/templates/lemonldap-ng.ini.tpl
index a99ddcf..608eac5 100644
--- a/templates/lemonldap-ng.ini.tpl
+++ b/templates/lemonldap-ng.ini.tpl
@@ -1,5 +1,5 @@
 [all]
-logLevel = debug
+logLevel = info
 logger = Lemonldap::NG::Common::Logger::Std
 userLogger = Lemonldap::NG::Common::Logger::Std
 localSessionStorage = Cache::FileCache
@@ -7,71 +7,33 @@ localSessionStorageOptions = { \
 'namespace' => 'sessions', \
 'default_expires_in' => '10', \
 'directory_umask' => '007', \
- 'cache_root' => '/secrets/cache/', \
+ 'cache_root' => '/tmp', \
 'cache_depth' => 3 \
 }
-globalStorage = Apache::Session::Browseable::MySQL
+globalStorage = Lemonldap::NG::Common::Apache::Session::REST
 globalStorageOptions = { \
- 'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
- 'UserName' => '[[ .lemonldap.db.user ]]', \
- 'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
- 'TableName' => 'sessions', \
- 'Index' => 'ipAddr _whatToTrace user _session_kind _utime _httpSessionType', \
- 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-persistentStorage = Apache::Session::Browseable::MySQL
-persistentStorageOptions = { \
- 'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
- 'UserName' => '[[ .lemonldap.db.user ]]', \
- 'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
- 'TableName' => 'psessions', \
- 'Index' => 'ipAddr _whatToTrace _session_kind _httpSessionType _session_uid', \
- 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-samlStorage = Apache::Session::Browseable::MySQL
-samlStorageOptions = { \
- 'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
- 'UserName' => '[[ .lemonldap.db.user ]]', \
- 'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
- 'TableName' => 'samlsessions', \
- 'Index' => '_session_kind _utime _saml_id', \
- 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-oidcStorage = Apache::Session::Browseable::MySQL
-oidcStorageOptions = { \
- 'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
- 'UserName' => '[[ .lemonldap.db.user ]]', \
- 'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
- 'TableName' => 'oidcsessions', \
- 'Index' => '_session_kind _utime', \
- 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
-}
-casStorage = Apache::Session::Browseable::MySQL
-casStorageOptions = { \
- 'DataSource' => 'DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1', \
- 'UserName' => '[[ .lemonldap.db.user ]]', \
- 'Password' => '{{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}', \
- 'TableName' => 'cassessions', \
- 'Index' => '_session_kind _utime _cas_id', \
- 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256' \
+ baseUrl => "[[ .lemonldap.sessions.url ]]", \
+[[- if and (has .lemonldap.sessions "user") (has .lemonldap.sessions "password") (has .lemonldap.sessions "realm") ]]
+ user => "[[ .lemonldap.sessions.user ]]", \
+ password => "[[ .lemonldap.sessions.password ]]", \
+ realm => "[[ .lemonldap.sessions.realm ]]", \
+[[- end ]]
 }
 [configuration]
-type = CDBI
-dbiChain = DBI:mysql:database=[[ .lemonldap.db.name ]];host=[[ .lemonldap.db.host ]];port=[[ .lemonldap.db.port ]];mysql_enable_utf8=1
-dbiUser = [[ .lemonldap.db.user ]]
-dbiPassword = {{ with secret "[[ .vault.prefix ]]kv/service/traefik" }}{{ .Data.data.llng_handler_db_pwd }}{{ end }}
+type = REST
+baseUrl = [[ .lemonldap.config.url ]]
+[[- if and (has .lemonldap.config "user") (has .lemonldap.config "password") (has .lemonldap.config "realm") ]]
+user = [[ .lemonldap.config.user ]]
+password = [[ .lemonldap.config.password ]]
+realm = [[ .lemonldap.config.realm ]]
+[[- end ]]
 localStorage = Cache::FileCache
 localStorageOptions = { \
 'namespace' => 'config', \
 'default_expires_in' => '5', \
 'directory_umask' => '007', \
- 'cache_root' => '/secrets/cache/', \
+ 'cache_root' => '/tmp', \
 'cache_depth' => 0 \
 }
-[handler]
-https = 1
-status = 0
-hideSignature = 1
-
diff --git a/traefik.nomad.hcl b/traefik.nomad.hcl
index 7300c7c..799dbc4 100644
--- a/traefik.nomad.hcl
+++ b/traefik.nomad.hcl
@@ -136,6 +136,8 @@ _EOF
 "secrets/lemonldap-ng.ini:/etc/lemonldap-ng/lemonldap-ng.ini:ro",
 "local/Traefik.pm:/usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Server/Traefik.pm:ro"
 ]
+ # Add a tmpfs to store config and session cache
+[[ template "common/tmpfs" dict "size" "10000000" "target" "/tmp" ]]
 }
 lifecycle {
@@ -151,7 +153,7 @@ _EOF
 template {
 data =<<_EOT
- [[ template "traefik/lemonldap-ng.ini.tpl" . ]]
+[[ template "traefik/lemonldap-ng.ini.tpl" . ]]
 _EOT
 destination = "secrets/lemonldap-ng.ini"
 perms = "0400"
diff --git a/variables.yml b/variables.yml
index d789a4b..cea59f7 100644
--- a/variables.yml
+++ b/variables.yml
@@ -93,13 +93,14 @@ lemonldap:
 cpu: 200
 memory: 128
- # DB the handler will use for config and session
- # Only MySQL/MariaDB is supported for now
- db:
- host: 127.0.0.1
- port: 3306
- # DB user
- user: lemonldapnghandler
- # DB name
- name: lemonldapng
+ config:
+ url: https://auth.example.org/index.psgi/config
+ # user: lemonldap
+ # password: secret
+ realm: Lemonldap::NG API
+ sessions:
+ url: https://auth.example.org/index.psgi/sessions/global
+ # user: lemonldap
+ # password: secret
+ realm: Lemonldap::NG API
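Review bot: The new `password => "[[ .lemonldap.sessions.password ]]", \` line in globalStorageOptions (and the `user`/`realm` lines beside it) places the credential inside a double-quoted string, whereas the removed `'Password' => '…'` entries were single-quoted; if this options block is evaluated as Perl, as that earlier quoting suggests, a password containing `"`, `$`, `@` or `\` will break the parse or be interpolated before it reaches the REST backend. Restoring the single quotes, `password => '[[ .lemonldap.sessions.password ]]', \`, keeps the rendered secret literal. The `[[- if and (has .lemonldap.sessions "user") (has .lemonldap.sessions "password") (has .lemonldap.sessions "realm") ]]` guard, and the matching one in `[configuration]`, emit no credentials at all when only one or two of the three keys are present, so a misspelled variable degrades silently to unauthenticated requests against the session and config endpoints instead of failing the deployment. Also, `'cache_root' => '/tmp'` together with `'directory_umask' => '007'` moves both caches from `/secrets/cache/` into the shared temp directory; the tmpfs the traefik.nomad.hcl hunk mounts on /tmp keeps it inside the task, but a dedicated subdirectory would still keep the cache tree apart from anything else writing to /tmp.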
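Review bot: The commented `# user: lemonldap` / `# password: secret` lines under `config:` and `sessions:` leave `realm` as the only credential key set by default, and nothing in this file says that the handler template only emits authentication when `user`, `password` and `realm` are all present. A comment above `config:` such as `# REST API credentials: user, password and realm must all be set for the handler to authenticate; password is normally a Vault template (see README.md)` would make the default unauthenticated mode and the expected secret source visible to whoever edits these values.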