debian: begin new version for squeeze

Jérôme Schneider 2013-06-13 19:07:12 +02:00
parent 3d6e0b612a
commit d1e4ef613b
13 changed files with 202 additions and 363 deletions

debian/README.Debian vendored (15 changed lines)

@ -1,17 +1,8 @@
Setting up an Authentic server
==============================
On installation the package will have created an empty database, you should add
a super user, using the following command::
You need to create an empty database and you should add a
super user, using the following command::
su authentic -p -c "python /usr/share/authentic2/manage.py createsuperuser"
The package doesn't ship a startup script, that would start Authentic
automatically, that is because running an identity server on the builtin HTTP
server (not HTTPS!) is definitely not a good idea.
Even though, if you want a quick look, before configuring properly a real HTTP
server, you can use this command::
su authentic -p -c "python /usr/share/authentic2/manage.py runserver"
su authentic -p -c "authentic2-ctl syncdb"
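Review bot: the two remaining commands are in the wrong order: `authentic2-ctl syncdb` (last line of the hunk) creates the tables that `createsuperuser` (the line before it) needs, so on a fresh install the superuser step fails unless syncdb is run first; swap them. "You need to create an empty database" is also ambiguous, because syncdb creates the schema, not the database itself; say what the administrator is expected to provide (the sqlite file or the database server that the shipped local_settings.py configures). And since the paragraph explaining that no startup script is shipped was dropped in favour of the new debian/authentic2.init, add one sentence saying that the service is started from /etc/init.d, listens on loopback over plain HTTP only, and must be fronted by a TLS-terminating web server (the apache-example referenced from debian/authentic2.install).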

debian/apache2.conf vendored (2 changed lines)

@ -1,2 +0,0 @@
WSGIScriptAlias / /usr/share/authentic2/authentic.wsgi
Alias /media/admin/ /usr/share/pyshared/django/contrib/admin/media/
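Review bot: removing this file drops the only web-server configuration the package shipped, and the Alias it provided for /media/admin/ (second line) pointed at the admin media under /usr/share/pyshared, which the new collectstatic step in postinst supersedes. Its replacement, debian/apache-example, is installed by debian/authentic2.install but is not part of this changeset, so it cannot be checked here; it needs to serve usr/share/authentic2/static and proxy everything else to the gunicorn bind address used by the init script.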


@ -1,2 +1,3 @@
etc/authentic2
usr/share/authentic2
usr/share/authentic2/static
var/lib/authentic2/media
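Review bot: var/lib/authentic2/media (last line) is created by dpkg as root:root, and the chown in postinst is applied only to /var/lib/authentic2 itself, not recursively, so the directory the application has to write uploaded media into stays unwritable for the authentic user. Either chown the subdirectory explicitly in postinst or create it there instead of listing it in dirs.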

debian/authentic2.init vendored Normal file (161 changed lines)

@ -0,0 +1,161 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: passerelle
# Required-Start: $network $local_fs
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Passerelle provides an uniform access to multiple data sources and services
# Description: Passerelle provides an uniform access to multiple data sources and services.
### END INIT INFO
# Author: Jérôme Schneider <jschneider@entrouvert.com>
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC=passerelle
NAME=passerelle
DAEMON=/usr/bin/gunicorn
PIDFILE=/var/run/passerelle/$NAME.pid
LOG_DIR=/var/log/passerelle
SCRIPTNAME=/etc/init.d/$NAME
USER=authentic
GROUP=authentic
DAEMON_ARGS="--pid $PIDFILE \
--user $USER --group $GROUP \
--daemon \
--access-logfile $LOG_DIR/gunicorn-access.log \
--log-file $LOG_DIR/gunicorn-error.log \
--bind=127.0.0.1:8091 \
--workers=10 \
--worker-class=sync \
--timeout=60 \
authentic2.wsgi:application"
# Exit if the package is not installed
[ -x $DAEMON ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
log_daemon_msg "Starting $DESC " "$NAME"
do_start
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
stop)
log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) log_end_msg 0 ;;
2) log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
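Review bot: the LSB header (Provides, Short-Description, Description) and the variables DESC, NAME, PIDFILE and LOG_DIR at the top of the hunk still say passerelle, copied from another package, while DAEMON_ARGS runs authentic2.wsgi:application as user authentic; beyond the naming mismatch, /var/run/passerelle and /var/log/passerelle are created nowhere in this changeset (neither debian/dirs nor postinst), so gunicorn fails to write its pidfile and log files on the very first start. Rename everything to authentic2 (including /etc/default/$NAME) and create the pid and log directories, owned by $USER:$GROUP, before starting. Second, gunicorn is a Python script, so the running process's executable is the interpreter rather than /usr/bin/gunicorn, which means the `--exec $DAEMON` matching used for the already-running test in do_start and for the fallback stop in do_stop will not match; the running check is therefore ineffective and a second `start` launches a second master. Use `--pidfile $PIDFILE` with `--startas $DAEMON` (or `--name`) instead, and pass `--pidfile` to the real start call too, which currently omits it. Finally, the bind address 127.0.0.1:8091 is plain HTTP, which is only acceptable with the reverse proxy from apache-example in front; say so in a comment so nobody changes it to 0.0.0.0.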

debian/authentic2.install vendored Normal file (2 changed lines)

@ -0,0 +1,2 @@
debian/local_settings.py /etc/authentic2/
debian/apache-example /etc/authentic2/
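Review bot: both files listed here, debian/local_settings.py and debian/apache-example, are absent from the 13 files this commit changes, so the package cannot build from this commit as is unless they already exist untracked; add them to the changeset. Their content matters for review because local_settings.py is now the only place that can set DEBUG = False and an absolute database path (the quilt patches that did this are removed below), and a file installed under /etc/authentic2/ becomes a conffile, which is the right place for site settings but means it must not contain a bogus SECRET_KEY or credentials.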


@ -25,10 +25,17 @@ case "$1" in
echo "..done"
fi
mkdir -p /var/lib/authentic2
chmod 755 /var/lib/authentic2
chown $AUTHENTIC_USER:$AUTHENTIC_GROUP /var/lib/authentic2
/usr/bin/authentic2-ctl collectstatic --noinput --link
/usr/bin/authentic2-ctl compilemessages
;;
reconfigure)
/usr/bin/authentic2-ctl collectstatic --noinput --link
/usr/bin/authentic2-ctl compilemessages
;;
abort-upgrade|abort-remove|abort-deconfigure)
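Review bot: the `authentic2-ctl collectstatic --noinput --link` and `compilemessages` calls added in the configure and reconfigure branches run as root at install time and write symlinks and .mo files under /usr/share/authentic2, i.e. files that dpkg does not track and that are left behind on removal and purge; they also depend on STATIC_ROOT being set to usr/share/authentic2/static in the shipped settings, which cannot be verified from this changeset. Both steps are deterministic, so do them at build time in debian/rules (before dh_install) and ship the results in the package, leaving only the directory creation and chown in postinst.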
@ -40,14 +47,6 @@ case "$1" in
;;
esac
rm -f /var/lib/pycentral/authentic2.pkgremove
if which pycentral >/dev/null 2>&1; then
pycentral pkginstall authentic2
if grep -qs '^authentic2$' /var/lib/pycentral/delayed-pkgs; then
sed -i '/^authentic2$/d' /var/lib/pycentral/delayed-pkgs
fi
fi
case "$1" in
configure)
if [ -z "$2" ]; then
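Review bot: dropping the pycentral block is consistent with removing python-central from Build-Depends, but debian/prerm and debian/postrm are not in this changeset; check that they no longer call pycentral either, otherwise the new package still references a helper it no longer depends on.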

debian/changelog vendored (8 changed lines)

@ -1,3 +1,11 @@
authentic2 (2.0.2.196.g8409882-1) unstable; urgency=low
* debian: port to squeeze
* debian: add an init script
* debian: add static files
-- Jérôme Schneider <jschneider@entrouvert.com> Thu, 13 Jun 2013 17:14:30 +0200
authentic2 (1.9.0-0) unstable; urgency=low
* Initial packaging.

debian/control vendored (11 changed lines)

@ -1,18 +1,17 @@
Source: authentic
Source: authentic2
Section: python
Priority: optional
Maintainer: Frederic Peters <fpeters@debian.org>
Build-Depends-Indep: python-all-dev (>= 2.3.5-11), python-central (>= 0.5.6)
Build-Depends: debhelper (>= 7.0.50~), quilt (>= 0.40), python-setuptools
XS-Python-Version: current, >= 2.3
Build-Depends-Indep: python-all-dev (>= 2.5)
Build-Depends: debhelper (>= 8.0), python-setuptools, git
Standards-Version: 3.8.3
Homepage: http://authentic.labs.libre-entreprise.org
X-Python-Version: >= 2.6
Package: authentic
Package: authentic2
Architecture: all
Pre-Depends: python-django
Depends: ${misc:Depends}, ${python:Depends}, python-django-registration
XB-Python-Version: ${python:Versions}
Description: Versatile identity server
Authentic is a versatile identity provider aiming to address a broad
range of needs, from simple to complex setups; it has support for many
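Review bot: the Depends line of the Package stanza lists only python-django-registration plus substvars, yet the new init script needs /usr/bin/gunicorn and the upstream README names python-lasso, django-authopenid and south as hard requirements; because the init script exits 0 when gunicorn is absent, a missing dependency would not even show up as a failed start. Add gunicorn and python-lasso (and the other Python modules) to Depends. Also, ${python:Depends} and XB-Python-Version: ${python:Versions} are only filled in by dh_python2, which the new debian/rules never runs, so they will stay empty, and Build-Depends: git means the source package cannot be built in a clean chroot from an orig tarball (see the rules hunk).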


@ -1,13 +0,0 @@
diff --git a/authentic2/settings.py b/authentic2/settings.py
index e65f7ae..3919505 100644
--- a/authentic2/settings.py
+++ b/authentic2/settings.py
@@ -19,7 +19,7 @@ MANAGERS = ADMINS
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
- 'NAME': 'authentic.db',
+ 'NAME': '/var/lib/authentic/authentic.db',
}
}
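Review bot: with database_path.patch removed, the installed settings.py goes back to 'NAME': 'authentic.db' (the `-` line in the deleted patch), a relative path resolved against the daemon's working directory, so the sqlite database is created wherever gunicorn happens to be started from, or the service fails if that location is not writable by the authentic user. The replacement has to come from the shipped debian/local_settings.py (not in this changeset) and should point at an absolute path under /var/lib/authentic2, which postinst now creates and chowns.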


@ -1,14 +0,0 @@
diff --git a/authentic2/settings.py b/authentic2/settings.py
index e65f7ae..cb8faec 100644
--- a/authentic2/settings.py
+++ b/authentic2/settings.py
@@ -4,8 +4,8 @@ import os
gettext_noop = lambda s: s
-DEBUG = True
-USE_DEBUG_TOOLBAR = True
+DEBUG = False
+USE_DEBUG_TOOLBAR = False
STATIC_SERVE = True
TEMPLATE_DEBUG = DEBUG
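Review bot: dropping disable_debug.patch leaves DEBUG = True and USE_DEBUG_TOOLBAR = True in the installed settings.py (the `-` lines of the deleted patch), and nothing else in this changeset sets them to False; unless debian/local_settings.py overrides both, the packaged identity provider will answer any request that raises an exception with Django's debug page, which includes settings values, local variables and tracebacks, and will load the debug toolbar in production. Add both overrides to local_settings.py and include that file in the commit so the setting can be reviewed.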


@ -1,2 +0,0 @@
database_path.patch
disable_debug.patch

debian/rules vendored (20 changed lines)

@ -3,14 +3,18 @@
d=$(CURDIR)/debian/authentic2
%:
dh --with quilt --with python-central $@
dh $@
override_dh_install:
dh_install
# FIXME: remove this overrides when we will have a clean upstream branch
override_dh_auto_clean:
git status
dh_auto_clean
override_dh_pycentral:
dh_pycentral
touch $(d)/etc/authentic2/local_settings.py
cp $(CURDIR)/debian/apache2.conf $(d)/usr/share/authentic/
cp $(CURDIR)/debian/authentic.wsgi $(d)/usr/share/authentic/
override_dh_auto_build:
git status
dh_auto_build
override_dh_auto_install:
git status
dh_auto_install
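Review bot: `dh $@` (the new `%:` rule) no longer enables any Python helper, and dh_python2 is not part of the default dh sequence in compat 8, so the ${python:Depends} and ${python:Versions} substvars used in debian/control are never generated; use `dh --with python2 $@`. The `git status` lines in override_dh_auto_clean, override_dh_auto_build and override_dh_auto_install make every build fail outside a git checkout, which is what the FIXME comment admits; until the upstream branch is cleaned up, the package cannot be rebuilt from the .dsc, so this should not be uploaded as is. The override_dh_install target that only calls dh_install is a no-op and can be dropped, or used to hold the collectstatic and compilemessages steps currently run from postinst.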


@ -1,295 +0,0 @@
.. _README:
======================================
Authentic2 - Versatile Identity Server
======================================
Authentic2 is a versatile identity provider aiming to address a broad
range of needs, from simple to complex setups; it has support for many
protocols and can bridge between them.
Authentic2 is under the GNU AGPL version 3 licence.
It has support for SAMLv2 thanks to Lasso, a free (GNU GPL)
implementation of the Liberty Alliance specifications.
Features
========
Authentic can authenticate users against:
- an LDAP directory,
- a SAML 2.0 identity provider,
- an OpenID identity provider,
- with an X509 certificate.
Authentic can provide authentication to web applications using the following
protocols:
- OpenID,
- SAML 2.0,
- CAS 1.0 & CAS 2.0.
Authentic can proxy authentication between any two different protocols it
support.
Installation
============
Dependencies
------------
You must install the following packages to use Authentic
- Python Lasso binding 2.3.5:
From sources: http://lasso.entrouvert.org/download
Debian based distribution: apt-get install python-lasso
- Django 1.3:
From sources: http://www.djangoproject.com/download/1.3/tarball/
- Django-registration 0.8-alpha-1:
From sources: http://bitbucket.org/ubernostrum/django-registration/downloads
Debian based distribution: apt-get install python-django-registration
- Django-authopenid 0.9.6:
From sources: http://bitbucket.org/benoitc/django-authopenid/downloads
- Django-south 0.7.3:
From sources:: http://south.aeracode.org/docs/installation.html
- Django-profiles 0.2:
From sources:: http://pypi.python.org/pypi/django-profiles
You install all the django libraries quickly using pip::
pip install django django-profiles django-registration \
django-debug-toolbar django-authopenid south
or easy_install::
easy_install django django-profiles django-registration \
django-debug-toolbar django-authopenid south
Quick Start
-----------
Then launch the following commands::
python manage.py syncdb --migrate
python manage.py runserver
You should see the following output::
Validating models...
0 errors found
Django version 1.2, using settings 'authentic.settings'
Development server is running at http://127.0.0.1:8000/
Quit the server with CONTROL-C.
You can access the running application on http://127.0.0.1:8000/
Specifying a different database
-------------------------------
This is done by modifying the DATABASES dictionary in your local_settings.py file
(create it in Authentic project directory); for example::
DATABASES['default'] = {
'ENGINE': 'django.db.backends.postgresql',
'NAME': 'authentic',
'USER': 'admindb',
'PASSWORD': 'foobar',
'HOST': 'db.example.com',
'PORT': '', # empty string means default value
}
You should refer to the Django documentation on databases settings at
http://docs.djangoproject.com/en/dev/ref/settings/#databases for all
the details.
How to upgrade to a new version of authentic ?
----------------------------------------------
Authentic store all its data in a relational database as specified in its
settings.py or local_settings.py file. So in order to upgrade to a new version
of authentic you have to update your database schema using the
migration command — you will need to have installed the dependency django-south,
see the beginning of this README file.::
python ./manage.py migrate
Then you will need to create new tables if there are.::
python ./manage.py syncdb
Using Authentic with an LDAP directory
======================================
Authentic use the module django_auth_ldap to synchronize the Django user tables
with an LDAP. For complex use case, we will refer you to the django_auth_ldap
documentation, see http://packages.python.org/django-auth-ldap/.
How to authenticate users against an LDAP server with anonymous binding ?
-------------------------------------------------------------------------
1. Install the django_auth_ldap module for Django::
pip install django_auth_ldap
2. Configure your local_settings.py file for authenticating against LDAP.
The next lines must be added::
AUTHENTICATION_BACKENDS += ( 'django_auth_ldap.backend.LDAPBackend', )
import ldap
from django_auth_ldap.config import LDAPSearch
# Here put the LDAP URL of your server
AUTH_LDAP_SERVER_URI = 'ldap://ldap.example.com'
# Let the bind DN and bind password blank for anonymous binding
AUTH_LDAP_BIND_DN = ""
AUTH_LDAP_BIND_PASSWORD = ""
# Lookup user under the branch o=base and by mathcing their uid against the
# received login name
AUTH_LDAP_USER_SEARCH = LDAPSearch("o=base",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
How to allow members of an LDAP group to manage Authentic ?
-----------------------------------------------------------
1. First you must know the objectClass of groups in your LDAP schema, this FAQ
will show you the configuration for two usual classes: groupOfNames and
groupOfUniqueNames.
2. Find the relevant groupname. We will say it is: cn=admin,o=mycompany
3. Add the following lines::
from django_auth_ldap.config import GroupOfNamesType
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("o=mycompany",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)")
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_staff": "cn=admin,o=mycompany"
}
For an objectClass of groupOfUniqueNames you would change the string
GroupOfNamesType to GroupOfUniqueNamesType and grouOfNames to
groupOfUniqueNames. For more complex cases see the django_auth_ldap
documentation.
SAML 2.0
========
How to I authenticate against Authentic2 with a SAMLv2 service provider ?
-------------------------------------------------------------------------
1. Grab the SAML2 IdP metadata:
http[s]://your.domain.com/idp/saml2/metadata
2. And configure your service provider with it.
Go to the providers admin panel on:
http[s]://your.domain.com/admin/saml/libertyprovider/add/
There create a new provider using the service provider metadata and enable it
as a service provider, you can customize some behaviours like the preferred
assertion consumer or encryption for the NameID or the Assertion element.
CAS
===
How to use Authentic2 as a CAS 1.0 or CAS 2.0 identity provider ?
-----------------------------------------------------------------
1. Activate CAS IdP support in settings.py::
IDP_CAS = True
2. Then create the database table to hold CAS service tickets::
python authentic2/manage.py syncdb --migrate
3. Also configure authentic2 to authenticate against your LDAP directory (see
above) if your want your user attributes to be accessible from your service,
if it is not necessary you can use the normal relational database storage
for you users.
4. Finally configure your service to point to the CAS endpoint at:
http[s]://your.domain.com/idp/cas/
5. If needed configure your service to resolve authenticated user with your
LDAP directory (if user attributes are needed for your service)
PAM authentication
==================
This module is copied from https://bitbucket.org/wnielson/django-pam/ by Weston
Nielson and the pam ctype module by Chris Atlee http://atlee.ca/software/pam/.
Add 'authentic2.vendor.dpam.backends.PAMBackend' to your
``settings.py``::
AUTHENTICATION_BACKENDS = (
...
'authentic2.vendor.dpam.backends.PAMBackend',
...
)
Now you can login via the system-login credentials. If the user is
successfully authenticated but has never logged-in before, a new ``User``
object is created. By default this new ``User`` has both ``is_staff`` and
``is_superuser`` set to ``False``. You can change this behavior by adding
``PAM_IS_STAFF=True`` and ``PAM_IS_SUPERUSER`` in your ``settings.py`` file.
The default PAM service used is ``login`` but you can change it by setting the
``PAM_SERVICE`` variable in your ``settings.py`` file.
Attribute Management in Authentic2
==================================
See `attribute management <attribute_management.html>`_ page.
Roadmap
=======
- All (or nearly) settings will be configurable from the /admin panels
- Login page will remember user choices for authentication and authenticate
the user passively using hidden iframes
- After a logout no passive login will be done
- CAS IdP will allow to whitelist service URL and proxy granting ticket URLs,
and to refuse request from unkown URLs. It will also allow to use patterns
as URLs.
- Extended CAS 2.0, with SAML attribute inside the CAS 2.0 validated ticket.
- A virtual LDAP directory based on the OpenLDAP socket backend would remove
the need for a real LDAP directory to pass user attributes to CAS relying
parties.
- WS-Trust token service endpoint
- Email forwarder, so that relying parties never get the real user email.
- Support slo in the CAS logout endpoint
Copyright
---------
Authentic is copyrighted by Entr'ouvert and is licensed through the GNU General
Public Licence, version 2 or later. A copy of the whole license text is
available in the COPYING file.
The OpenID IdP originates in the project django_openid_provider by Roman
Barczy¿ski, which is under the Apache 2.0 licence. This imply that you must
distribute authentic2 under the AGPL3 licence when distributing this part of the
project which is the only AGPL licence version compatible with the Apache 2.0
licence.
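Review bot: this 295-line file is deleted outright with nothing replacing it in the changeset, and it is the only place the package documents the LDAP backend settings, the SAML metadata and admin endpoints, the CAS setup and the PAM backend defaults (PAM_IS_STAFF, PAM_SERVICE); if this is the upstream README being removed from the debian directory, make sure debian/docs (not shown here) still installs the upstream copy, otherwise the binary package ships no operator documentation at all.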