diff --git a/saml/univention-saml/conffiles/etc/apache2/sites-available/univention-saml b/saml/univention-saml/conffiles/etc/apache2/sites-available/univention-saml
index 53a7c52..595ba04 100755
--- a/saml/univention-saml/conffiles/etc/apache2/sites-available/univention-saml
+++ b/saml/univention-saml/conffiles/etc/apache2/sites-available/univention-saml
@@ -17,6 +17,8 @@ RewriteRule ^/?simplesamlphp/(.*) https://%{SERVER_NAME}/simplesamlphp/$1 [R,L]
 @!@
+ SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+
 # AJAX-Requests via UMC must be possible
 Header always set Access-Control-Allow-Origin "*"
 SetEnvIf Origin "^https?://" origin=true
diff --git a/saml/univention-saml/conffiles/etc/simplesamlphp/00authsources.php b/saml/univention-saml/conffiles/etc/simplesamlphp/00authsources.php
index d4c52b3..0d64984 100755
--- a/saml/univention-saml/conffiles/etc/simplesamlphp/00authsources.php
+++ b/saml/univention-saml/conffiles/etc/simplesamlphp/00authsources.php
@@ -29,7 +29,27 @@ $config = array(
 // Can be NULL/unset, in which case a builtin discovery service will be used.
 'discoURL' => NULL,
 ),
-
+ 'univention-negotiate' => array(
+ 'negotiate:Negotiate',
+ 'keytab' => '/etc/krb5.keytab',
+ 'fallback' => 'univention-ldap',
+@!@
+ldap_user = 'uid=sys-idp-user,cn=users,%s' % configRegistry.get('ldap/base', 'null')
+if configRegistry.get('saml/idp/ldap/user'):
+ ldap_user = configRegistry.get('saml/idp/ldap/user')
+password = ''
+try:
+ password = open('/etc/idp-ldap-user.secret','r').read().strip()
+except (IOError, OSError):
+ import sys
+ print >> sys.stderr, '/etc/idp-ldap-user.secret could not be read!'
+print " 'hostname' => '%s.%s'," % (configRegistry['hostname'], configRegistry['domainname'])
+print " 'base' => '%s'," % (configRegistry['ldap/base'],)
+print " 'adminUser' => '%s'," % (ldap_user,)
+print " 'adminPassword' => '%s'," % (password,)
+print " ),"
+print ""
+print """
 // LDAP authentication source.
 'univention-ldap' => array(
 'uldap:uLDAP',
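Review bot: `SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1` re-exports the raw Authorization header into the request environment for every request on this vhost, so any Basic credentials or bearer tokens a client happens to send become readable by every script and every `Header`/`CustomLog` directive that can see environment variables, not only the Negotiate token the new auth source presumably needs. Consider narrowing it to that scheme, `SetEnvIf Authorization "^(Negotiate .+)" HTTP_AUTHORIZATION=$1`, or placing it in a `<Location>` covering only the module's path. A short comment on why the header has to be copied would help the next maintainer, e.g. `# Re-export the Authorization header so the simplesamlphp negotiate module can read it`. The indented container this hunk sits in starts and ends outside the hunk.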
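Review bot: `print " 'adminPassword' => '%s'," % (password,)` interpolates the bind secret read from `/etc/idp-ldap-user.secret` into single-quoted PHP source without escaping, so a secret containing `'` or `\` produces a syntax error in the generated authsources.php; the same secret is emitted a second time as `search.password` further down, which after this commit appears to be fed from these same variables. Escaping once at the point the secret is read, `password = password.replace('\\', '\\\\').replace("'", "\\'")`, covers both (the same applies to `adminUser`/`ldap_user`). When the secret file cannot be read the template still writes `'adminPassword' => ''` and only warns on stderr, so the negotiate source's LDAP lookup would proceed with an empty password; failing the template or omitting the source is safer than silently generating a config that relies on an unauthenticated bind. The `print """` at the end of the hunk opens a Python string that is only closed in the next hunk, and a comment such as `# the PHP for the LDAP source is emitted verbatim so this stays one Python block and ldap_user/password remain in scope` would make that intent visible.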
@@ -43,9 +63,7 @@ $config = array(
 //'hostname' => '127.0.0.1',
 // Whether SSL/TLS should be used when contacting the LDAP server.
 //'enable_tls' => FALSE,
-
-
-@!@
+"""
 from univention.lib.misc import getLDAPURIs
 hostname = getLDAPURIs()
@@ -61,20 +79,7 @@ print " 'debug' => %s," % configRegistry.get('saml/idp/ldap/debug', 'FALSE')
 print " 'attributes' => array(%s)," % attributes
 print " 'search.base' => '%s'," % configRegistry.get('ldap/base', 'null')
 print " 'search.attributes' => array(%s)," % configRegistry.get('saml/idp/ldap/search_attributes', '\'uid\'')
-
-ldap_user = 'uid=sys-idp-user,cn=users,%s' % configRegistry.get('ldap/base', 'null')
-if configRegistry.get('saml/idp/ldap/user'):
- ldap_user = configRegistry.get('saml/idp/ldap/user')
-
 print " 'search.username' => '%s'," % ldap_user
-
-password = ''
-try:
- password = open('/etc/idp-ldap-user.secret','r').read().strip()
-except (IOError, OSError):
- import sys
- print >> sys.stderr, '/etc/idp-ldap-user.secret could not be read!'
-
 print " 'search.password' => '%s'," % password
 @!@
diff --git a/saml/univention-saml/conffiles/etc/simplesamlphp/metadata/00_saml20-idp-hosted.php b/saml/univention-saml/conffiles/etc/simplesamlphp/metadata/00_saml20-idp-hosted.php
index 8414f24..2f349f8 100755
--- a/saml/univention-saml/conffiles/etc/simplesamlphp/metadata/00_saml20-idp-hosted.php
+++ b/saml/univention-saml/conffiles/etc/simplesamlphp/metadata/00_saml20-idp-hosted.php
@@ -26,8 +26,9 @@ print " 'certificate' => '%s'," % configRegistry.get('saml/idp/certificate/certi
 * Authentication source to use. Must be one that is configured in
 * 'config/authsources.php'.
 */
- //'auth' => 'example-userpass',
- 'auth' => 'univention-ldap',
+@!@
+print " 'auth' => '%s'," % (configRegistry.get('saml/idp/auth', 'univention-ldap'),)
+@!@
 /* Uncomment the following to use the uri NameFormat on attributes. */
 /*
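Review bot: `print " 'auth' => '%s'," % (configRegistry.get('saml/idp/auth', 'univention-ldap'),)` accepts any UCR string and writes it unescaped into single-quoted PHP, so a typo or a value containing `'` breaks the generated metadata file or points the IdP at a non-existent auth source, and the failure only surfaces at login time. Since the commit defines exactly two sources, validating against them, `auth = configRegistry.get('saml/idp/auth', 'univention-ldap')` followed by `if auth not in ('univention-ldap', 'univention-negotiate'): auth = 'univention-ldap'`, before the print keeps the generated file well-formed; the new UCR variable should also get a registered description (not visible in this diff). The surrounding PHP array starts and ends outside the hunk.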
diff --git a/saml/univention-saml/debian/univention-saml.postinst b/saml/univention-saml/debian/univention-saml.postinst
index eb2d907..f7d6ea6 100755
--- a/saml/univention-saml/debian/univention-saml.postinst
+++ b/saml/univention-saml/debian/univention-saml.postinst
@@ -63,6 +63,7 @@ configure)
 if [ ! -e /etc/simplesamlphp/metadata/metadata_include.php ]; then
 touch /etc/simplesamlphp/metadata/metadata_include.php
 fi
+ touch /usr/share/simplesamlphp/modules/negotiate/enable
 chown -R root:samlcgi /etc/simplesamlphp
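Review bot: `touch /usr/share/simplesamlphp/modules/negotiate/enable` runs unconditionally on every configure, which switches the negotiate module on for all installations even when `saml/idp/auth` never selects `univention-negotiate`, and unlike the `metadata_include.php` check just above it has no guard, so a missing module directory makes the `touch` fail (fatal if the script runs under `set -e`, which is outside the hunk). Guarding it on the directory, `[ -d /usr/share/simplesamlphp/modules/negotiate ] && touch /usr/share/simplesamlphp/modules/negotiate/enable`, or enabling it only when the UCR variable asks for it, keeps the enabled surface to what is configured. A flag file under `/usr/share` is not tracked by dpkg, so it should also be removed on purge; whether postrm does that is not visible here. The `configure)` case starts and ends outside the hunk.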