First commit

Makefile

@@ -0,0 +1,32 @@
+NAME=authentic2-supann
+VERSION=`git describe | tr - . | cut -c2-`
+FULLNAME=$(NAME)-$(VERSION)
+
+all:
+
+install:
+
+uninstall:
+
+dist-bzip2:
+	rm -rf build dist
+	mkdir -p build/$(FULLNAME) sdist
+	for i in *; do \
+		if [ "$$i" != "build" ]; then \
+			cp -R "$$i" build/$(NAME)-$(VERSION); \
+		fi; \
+	done
+	cd build && tar cfj ../sdist/$(FULLNAME).tar.bz2 .
+	rm -rf build
+
+clean:
+	rm -rf sdist build
+
+version:
+	@(echo $(VERSION))
+
+name:
+	@(echo $(NAME))
+
+fullname:
+	@(echo $(FULLNAME))

config.py

@@ -0,0 +1,89 @@
+import os
+
+A2_PROFILE_CAN_CHANGE_EMAIL = False
+A2_PROFILE_CAN_EDIT_PROFILE = False
+A2_CAN_RESET_PASSWORD = False
+REGISTRATION_OPEN = False
+A2_REGISTRATION_CAN_CHANGE_PASSWORD = False
+A2_REGISTRATION_CAN_DELETE_ACCOUNT = False
+
+SAML_SIGNATURE_PUBLIC_KEY = file('/etc/authentic2/cert.pem').read()
+SAML_SIGNATURE_PRIVATE_KEY = file('/etc/authentic2/key.pem').read()
+
+LDAP_AUTH_SETTINGS = [
+    {
+        'url': os.environ['SUPANN_LDAP_URL'],
+        'user_filter': '(&(|(mail=%s)(supannAutreMail=%s)(supannAliasLogin=%s)(uid=%s))(objectClass=supannPerson))',
+        'basedn': os.environ['SUPANN_LDAP_BASE_DN'],
+        'binddn': os.environ.get('SUPANN_LDAP_BINDDN'),
+        'bindpw': os.environ.get('SUPANN_LDAP_BINDPW'),
+        'groupsu': 'cn=admin,ou=groups,%s' % os.environ['SUPANN_LDAP_BASE_DN'],
+        'groupstaff': 'cn=admin,ou=groups,%s' % os.environ['SUPANN_LDAP_BASE_DN'],
+        'transient': False,
+        'username_template': '{uid[0]}',
+        'external_id_tuples': (('uid',), ('dn:noquote',), ),
+        'lookups': ('external_id',),
+        'update_username': False,
+        'attributes': [
+            'uid',
+            'eduPersonPrincipalName',
+            'eduPersonOrgDN',
+            'eduPersonOrgUnitDN',
+            'eduPersonPrimaryOrgUnitDN',
+            'supannAliasLogin',
+            'supannRefId',
+            'supannCivilite',
+            'givenName',
+            'sn',
+            'cn',
+            'displayName',
+            'eduPersonNickname',
+            'userPassword',
+            'description',
+            'eduPersonAffiliation',
+            'eduPersonPrimaryAffiliation',
+            'supannActivite',
+            'supannCodeINE',
+            'supannEmpCorps',
+            'supannEmpId',
+            'supannEntiteAffectation',
+            'supannEntiteAffectationPrincipale',
+            'supannEtablissement',
+            'supannEtuAnneeInscription',
+            'supannEtuCursusAnnee',
+            'supannEtuDiplome',
+            'supannEtuElementPedagogique',
+            'supannEtuEtape',
+            'supannEtuId',
+            'supannEtuInscription',
+            'supannEtuRegimeInscription',
+            'supannEtuSecteurDisciplinaire',
+            'supannEtuTypeDiplome',
+            'supannParrainDN',
+            'supannRoleEntite',
+            'supannRoleGenerique',
+            'supannTypeEntiteAffectation',
+            'preferredLanguage',
+            'telephoneNumber',
+            'supannAutreTelephone',
+            'mobile',
+            'facsimileTelephoneNumber',
+            'mail',
+            'supannAutreMail',
+            'mailForwardingAddress',
+            'supannMailPerso',
+            'labeledURI',
+            'userCertificate',
+            'postalAddress',
+            'physicalDeliveryOfficeName',
+            'supannListeRouge' 
+        ],
+        'attribute_mappings': (('mail', 'email'),),
+        'mandatory_attributes_values': {
+                # edugain support
+                'schacHomeOrganization': [os.environ['EDUGAIN_SCHAC_HOME_ORGANIZATION']],
+                'schacHomeOrganizationtype': [os.environ['EDUGAIN_SCHAC_HOME_ORGANIZATION_TYPE']],
+        },
+    }
+]
+AUTHENTICATION_BACKENDS = ('authentic2.backends.LDAPBackend',)

supann.conf

@@ -0,0 +1,60 @@
+# Fichier /etc/default/authentic2
+#
+# Configuration du LDAP
+#
+# URL de l'annuaire LDAP
+#
+export SUPANN_LDAP_URL=ldap://192.168.43.23/
+# 
+# Base DN de l'annuaire LDAP
+#
+export SUPANN_LDAP_BASE_DN=dc=sorbine,dc=fr
+#
+# Bind DN pour connexion à l'annuaire LDAP (optionnel)
+#
+# export SUPANN_LDAP_BINDDN=...
+#
+# Bind Password pour connexion à l'annuaire LDAP (optionnel)
+#
+# export SUPANN_LDAP_BINDPW=...
+
+# Données de fédération
+# Prod
+#
+# URL des métadonnées
+#
+export RENATER_METADATA=https://federation.renater.fr/renater/renater-metadata.xml
+#
+# URL des règles de filtrage des attributs
+#
+export RENATER_ATTRIBUTE_FILTERS=https://federation.renater.fr/renater/filtres/renater-attribute-filters-all.xml
+# 
+# URL du certificat de signature des métadonnées
+#
+export RENATER_CERTIFICATE=https://federation.renater.fr/renater/metadata-federation-renater.crt
+
+# Test
+# export RENATER_METADATA=https://federation.renater.fr/test/renater-test-metadata.xml # test
+# export RENATER_ATTRIBUTE_FILTERS=https://federation.renater.fr/test/filtres/renater-test-attribute-filters-all.xml # test
+# export RENATER_CERTIFICATE=https://federation.renater.fr/test/metadata-federation-renater.crt # test
+
+# Raccordement EduGain
+#
+# Nom de l'organisation
+#
+export EDUGAIN_SCHAC_HOME_ORGANIZATION="Université de la Sorbine"
+#
+# Type de l'organisation
+#
+export EDUGAIN_SCHAC_HOME_ORGANIZATION_TYPE="urn:schac:homeOrganizationType:int:university"
+#
+# Une valeur parmi:
+#  urn:schac:homeOrganizationType:int:university
+#  urn:schac:homeOrganizationType:int:researchHospital
+#  urn:schac:homeOrganizationType:int:health-research-institution
+#  urn:schac:homeOrganizationType:int:supercomputing-centre
+#  urn:schac:homeOrganizationType:int:public-research-institution
+#  urn:schac:homeOrganizationType:int:private-research-institution
+#  urn:schac:homeOrganizationType:int:library
+#  urn:schac:homeOrganizationType:int:museum
+#  urn:schac:homeOrganizationType:int:nren

update-renater-meta.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -e
+
+DEFAULT="/etc/default/authentic2"
+BASEDIR=`dirname $0`
+METADATA_TMP=`tempfile`
+FILTERS_TMP=`tempfile`
+CERTIFICATE_TMP=`tempfile`
+
+function cleanup {
+	rm -f $METADATA_TMP $FILTERS_TMP $CERTIFICATE_TMP;
+}
+
+trap "cleanup" EXIT
+
+if [ -f  ]; then
+	. /etc/default/authentic2
+else
+	. $BASEDIR/`basename $DEFAULT`
+fi
+
+if ! wget --quiet $RENATER_METADATA -O$METADATA_TMP; then
+	echo ERROR: unable to retrieve metadata from $RENATER_METADATA
+	exit 1
+fi
+
+if ! wget --quiet $RENATER_ATTRIBUTE_FILTERS -O$FILTERS_TMP; then
+	echo ERROR: unable to retrieve attribute filters from $RENATER_ATTRIBUTE_FILTERS
+	exit 1
+fi
+
+if ! wget --quiet $RENATER_CERTIFICATE -O$CERTIFICATE_TMP; then
+	echo ERROR: unable to retrieve Renater metadata signing certificate from $RENATER_CERTIFICATE
+	exit 1
+fi
+
+if ! xmllint $METADATA_TMP >/dev/null; then
+	echo ERROR: xmllint failed on renater metadata
+	exit 1
+fi
+
+if ! xmllint $FILTERS_TMP >/dev/null; then
+	echo ERROR: xmllint failed on renater attribute filters
+	exit 1
+fi
+
+# Verify metadata signature
+if ! xmlsec1 --verify --id-attr:ID EntitiesDescriptor --pubkey-cert-pem $CERTIFICATE_TMP --enabled-key-data key-name $METADATA_TMP 2>/dev/null >/dev/null; then
+	echo ERROR: unable to validate signature on $RENATER_METADATA
+	exit 1
+fi
+
+# Load metadataas
+authentic2-ctl sync-metadata --source=renater --shibboleth-attribute-filter-policy=$FILTERS_TMP --sp -v1 $METADATA_TMP