First commit
commit
dbaf6ac407
@ -0,0 +1,32 @@
|
|||
NAME=authentic2-supann
|
||||
VERSION=`git describe | tr - . | cut -c2-`
|
||||
FULLNAME=$(NAME)-$(VERSION)
|
||||
|
||||
all:
|
||||
|
||||
install:
|
||||
|
||||
uninstall:
|
||||
|
||||
dist-bzip2:
|
||||
rm -rf build dist
|
||||
mkdir -p build/$(FULLNAME) sdist
|
||||
for i in *; do \
|
||||
if [ "$$i" != "build" ]; then \
|
||||
cp -R "$$i" build/$(NAME)-$(VERSION); \
|
||||
fi; \
|
||||
done
|
||||
cd build && tar cfj ../sdist/$(FULLNAME).tar.bz2 .
|
||||
rm -rf build
|
||||
|
||||
clean:
|
||||
rm -rf sdist build
|
||||
|
||||
version:
|
||||
@(echo $(VERSION))
|
||||
|
||||
name:
|
||||
@(echo $(NAME))
|
||||
|
||||
fullname:
|
||||
@(echo $(FULLNAME))
|
|
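Review bot: The copy loop in `dist-bzip2` skips only `build`, but `sdist` has just been created by the `mkdir -p` line above it, so any earlier tarballs left in `sdist/` are copied into the new source archive; the guard should be `if [ "$$i" != "build" ] && [ "$$i" != "sdist" ]; then \`. The same target starts with `rm -rf build dist` while its output goes to `sdist`, so `dist` looks like a leftover name. `VERSION` is assigned with literal backticks, which means the shell re-runs `git describe` every time the variable is expanded inside a recipe; under GNU make `VERSION := $(shell git describe | tr - . | cut -c2-)` evaluates it once, and the `cp` line could then use `build/$(FULLNAME)` like the `mkdir` line instead of spelling out `build/$(NAME)-$(VERSION)`. The rendering has dropped leading whitespace, so the recipe tabs could not be checked here.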
@ -0,0 +1,89 @@
|
|||
import os
|
||||
|
||||
A2_PROFILE_CAN_CHANGE_EMAIL = False
|
||||
A2_PROFILE_CAN_EDIT_PROFILE = False
|
||||
A2_CAN_RESET_PASSWORD = False
|
||||
REGISTRATION_OPEN = False
|
||||
A2_REGISTRATION_CAN_CHANGE_PASSWORD = False
|
||||
A2_REGISTRATION_CAN_DELETE_ACCOUNT = False
|
||||
|
||||
SAML_SIGNATURE_PUBLIC_KEY = file('/etc/authentic2/cert.pem').read()
|
||||
SAML_SIGNATURE_PRIVATE_KEY = file('/etc/authentic2/key.pem').read()
|
||||
|
||||
LDAP_AUTH_SETTINGS = [
|
||||
{
|
||||
'url': os.environ['SUPANN_LDAP_URL'],
|
||||
'user_filter': '(&(|(mail=%s)(supannAutreMail=%s)(supannAliasLogin=%s)(uid=%s))(objectClass=supannPerson))',
|
||||
'basedn': os.environ['SUPANN_LDAP_BASE_DN'],
|
||||
'binddn': os.environ.get('SUPANN_LDAP_BINDDN'),
|
||||
'bindpw': os.environ.get('SUPANN_LDAP_BINDPW'),
|
||||
'groupsu': 'cn=admin,ou=groups,%s' % os.environ['SUPANN_LDAP_BASE_DN'],
|
||||
'groupstaff': 'cn=admin,ou=groups,%s' % os.environ['SUPANN_LDAP_BASE_DN'],
|
||||
'transient': False,
|
||||
'username_template': '{uid[0]}',
|
||||
'external_id_tuples': (('uid',), ('dn:noquote',), ),
|
||||
'lookups': ('external_id',),
|
||||
'update_username': False,
|
||||
'attributes': [
|
||||
'uid',
|
||||
'eduPersonPrincipalName',
|
||||
'eduPersonOrgDN',
|
||||
'eduPersonOrgUnitDN',
|
||||
'eduPersonPrimaryOrgUnitDN',
|
||||
'supannAliasLogin',
|
||||
'supannRefId',
|
||||
'supannCivilite',
|
||||
'givenName',
|
||||
'sn',
|
||||
'cn',
|
||||
'displayName',
|
||||
'eduPersonNickname',
|
||||
'userPassword',
|
||||
'description',
|
||||
'eduPersonAffiliation',
|
||||
'eduPersonPrimaryAffiliation',
|
||||
'supannActivite',
|
||||
'supannCodeINE',
|
||||
'supannEmpCorps',
|
||||
'supannEmpId',
|
||||
'supannEntiteAffectation',
|
||||
'supannEntiteAffectationPrincipale',
|
||||
'supannEtablissement',
|
||||
'supannEtuAnneeInscription',
|
||||
'supannEtuCursusAnnee',
|
||||
'supannEtuDiplome',
|
||||
'supannEtuElementPedagogique',
|
||||
'supannEtuEtape',
|
||||
'supannEtuId',
|
||||
'supannEtuInscription',
|
||||
'supannEtuRegimeInscription',
|
||||
'supannEtuSecteurDisciplinaire',
|
||||
'supannEtuTypeDiplome',
|
||||
'supannParrainDN',
|
||||
'supannRoleEntite',
|
||||
'supannRoleGenerique',
|
||||
'supannTypeEntiteAffectation',
|
||||
'preferredLanguage',
|
||||
'telephoneNumber',
|
||||
'supannAutreTelephone',
|
||||
'mobile',
|
||||
'facsimileTelephoneNumber',
|
||||
'mail',
|
||||
'supannAutreMail',
|
||||
'mailForwardingAddress',
|
||||
'supannMailPerso',
|
||||
'labeledURI',
|
||||
'userCertificate',
|
||||
'postalAddress',
|
||||
'physicalDeliveryOfficeName',
|
||||
'supannListeRouge'
|
||||
],
|
||||
'attribute_mappings': (('mail', 'email'),),
|
||||
'mandatory_attributes_values': {
|
||||
# edugain support
|
||||
'schacHomeOrganization': [os.environ['EDUGAIN_SCHAC_HOME_ORGANIZATION']],
|
||||
'schacHomeOrganizationtype': [os.environ['EDUGAIN_SCHAC_HOME_ORGANIZATION_TYPE']],
|
||||
},
|
||||
}
|
||||
]
|
||||
AUTHENTICATION_BACKENDS = ('authentic2.backends.LDAPBackend',)
|
|
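Review bot: The `attributes` list requests `userPassword` from the directory (the entry after `eduPersonNickname`), which, if the bind identity is allowed to read it, copies password hashes into authentic2's stored user attributes; unless the backend actually needs it, drop that entry. `'schacHomeOrganizationtype'` in `mandatory_attributes_values` differs in case from the SCHAC attribute name `schacHomeOrganizationType` that the companion defaults file uses; LDAP attribute names are case-insensitive, but if authentic2 uses this key as a case-sensitive SAML attribute name the value will not be released under the expected name, so this is worth confirming. The `%s` placeholders in `user_filter` are filled in by the LDAP backend, so the filter's safety against RFC 4515 metacharacters in the submitted login rests on the backend's escaping, which is not visible from this file. `file(...)` is Python 2 only and leaves both handles open; `with open('/etc/authentic2/key.pem') as f: SAML_SIGNATURE_PRIVATE_KEY = f.read()` works on both Python versions.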
@ -0,0 +1,60 @@
|
|||
# Fichier /etc/default/authentic2
|
||||
#
|
||||
# Configuration du LDAP
|
||||
#
|
||||
# URL de l'annuaire LDAP
|
||||
#
|
||||
export SUPANN_LDAP_URL=ldap://192.168.43.23/
|
||||
#
|
||||
# Base DN de l'annuaire LDAP
|
||||
#
|
||||
export SUPANN_LDAP_BASE_DN=dc=sorbine,dc=fr
|
||||
#
|
||||
# Bind DN pour connexion à l'annuaire LDAP (optionnel)
|
||||
#
|
||||
# export SUPANN_LDAP_BINDDN=...
|
||||
#
|
||||
# Bind Password pour connexion à l'annuaire LDAP (optionnel)
|
||||
#
|
||||
# export SUPANN_LDAP_BINDPW=...
|
||||
|
||||
# Données de fédération
|
||||
# Prod
|
||||
#
|
||||
# URL des métadonnées
|
||||
#
|
||||
export RENATER_METADATA=https://federation.renater.fr/renater/renater-metadata.xml
|
||||
#
|
||||
# URL des règles de filtrage des attributs
|
||||
#
|
||||
export RENATER_ATTRIBUTE_FILTERS=https://federation.renater.fr/renater/filtres/renater-attribute-filters-all.xml
|
||||
#
|
||||
# URL du certificat de signature des métadonnées
|
||||
#
|
||||
export RENATER_CERTIFICATE=https://federation.renater.fr/renater/metadata-federation-renater.crt
|
||||
|
||||
# Test
|
||||
# export RENATER_METADATA=https://federation.renater.fr/test/renater-test-metadata.xml # test
|
||||
# export RENATER_ATTRIBUTE_FILTERS=https://federation.renater.fr/test/filtres/renater-test-attribute-filters-all.xml # test
|
||||
# export RENATER_CERTIFICATE=https://federation.renater.fr/test/metadata-federation-renater.crt # test
|
||||
|
||||
# Raccordement EduGain
|
||||
#
|
||||
# Nom de l'organisation
|
||||
#
|
||||
export EDUGAIN_SCHAC_HOME_ORGANIZATION="Université de la Sorbine"
|
||||
#
|
||||
# Type de l'organisation
|
||||
#
|
||||
export EDUGAIN_SCHAC_HOME_ORGANIZATION_TYPE="urn:schac:homeOrganizationType:int:university"
|
||||
#
|
||||
# Une valeur parmi:
|
||||
# urn:schac:homeOrganizationType:int:university
|
||||
# urn:schac:homeOrganizationType:int:researchHospital
|
||||
# urn:schac:homeOrganizationType:int:health-research-institution
|
||||
# urn:schac:homeOrganizationType:int:supercomputing-centre
|
||||
# urn:schac:homeOrganizationType:int:public-research-institution
|
||||
# urn:schac:homeOrganizationType:int:private-research-institution
|
||||
# urn:schac:homeOrganizationType:int:library
|
||||
# urn:schac:homeOrganizationType:int:museum
|
||||
# urn:schac:homeOrganizationType:int:nren
|
|
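Review bot: `SUPANN_LDAP_URL` is shown as plain `ldap://`, so when `SUPANN_LDAP_BINDDN` and `SUPANN_LDAP_BINDPW` are set the simple bind sends the password to the directory in cleartext; the sample should show `export SUPANN_LDAP_URL=ldaps://192.168.43.23/` or carry a comment stating that STARTTLS is enforced by the backend. Because this file is intended to hold the bind password and is sourced by the metadata sync script, it needs to be installed readable only by root and the service account, which the empty `install:` target in the Makefile hunk does not yet arrange. A one-line comment above the `SUPANN_LDAP_BINDPW` entry saying that the file must be protected accordingly would help whoever fills it in.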
@ -0,0 +1,55 @@
|
|||
#!/bin/bash
|
||||
|
||||
set -e
|
||||
|
||||
DEFAULT="/etc/default/authentic2"
|
||||
BASEDIR=`dirname $0`
|
||||
METADATA_TMP=`tempfile`
|
||||
FILTERS_TMP=`tempfile`
|
||||
CERTIFICATE_TMP=`tempfile`
|
||||
|
||||
function cleanup {
|
||||
rm -f $METADATA_TMP $FILTERS_TMP $CERTIFICATE_TMP;
|
||||
}
|
||||
|
||||
trap "cleanup" EXIT
|
||||
|
||||
if [ -f ]; then
|
||||
. /etc/default/authentic2
|
||||
else
|
||||
. $BASEDIR/`basename $DEFAULT`
|
||||
fi
|
||||
|
||||
if ! wget --quiet $RENATER_METADATA -O$METADATA_TMP; then
|
||||
echo ERROR: unable to retrieve metadata from $RENATER_METADATA
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! wget --quiet $RENATER_ATTRIBUTE_FILTERS -O$FILTERS_TMP; then
|
||||
echo ERROR: unable to retrieve attribute filters from $RENATER_ATTRIBUTE_FILTERS
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! wget --quiet $RENATER_CERTIFICATE -O$CERTIFICATE_TMP; then
|
||||
echo ERROR: unable to retrieve Renater metadata signing certificate from $RENATER_CERTIFICATE
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! xmllint $METADATA_TMP >/dev/null; then
|
||||
echo ERROR: xmllint failed on renater metadata
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! xmllint $FILTERS_TMP >/dev/null; then
|
||||
echo ERROR: xmllint failed on renater attribute filters
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify metadata signature
|
||||
if ! xmlsec1 --verify --id-attr:ID EntitiesDescriptor --pubkey-cert-pem $CERTIFICATE_TMP --enabled-key-data key-name $METADATA_TMP 2>/dev/null >/dev/null; then
|
||||
echo ERROR: unable to validate signature on $RENATER_METADATA
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Load metadataas
|
||||
authentic2-ctl sync-metadata --source=renater --shibboleth-attribute-filter-policy=$FILTERS_TMP --sp -v1 $METADATA_TMP
|