e493a59e68
|
||
|---|---|---|
| debian | ||
| portal | ||
| .gitignore | ||
| CONTRIBUTORS.md | ||
| LICENSE | ||
| README.md | ||
| access.lua | ||
| conf.json.example | ||
| config.lua | ||
| headers.lua | ||
| helpers.lua | ||
| hige.lua | ||
| init.lua | ||
README.md
SSOwat
A simple LDAP SSO for nginx, written in Lua
Issues
- Please report issues on YunoHost bugtracker (no registration needed).
Requirements
- Nginx-extras from Debian wheezy-backports
- lua-json
- lua-ldap
OR
- Nginx "Openresty" flavored : http://openresty.org/
- lua-ldap
Installation
- Fetch the repository
git clone https://github.com/Kloadut/SSOwat /etc/ssowat
Nginx configuration
- Add SSOwat's Nginx configuration (
http{}scope)
nano /etc/nginx/conf.d/ssowat.conf
lua_shared_dict cache 10m;
init_by_lua_file /etc/ssowat/init.lua;
access_by_lua_file /etc/ssowat/access.lua;
You can also put the access_by_lua_file directive in a server{} scope if you want to protect only a vhost.
SSOwat configuration
mv /etc/ssowat/conf.json.example /etc/ssowat/conf.json
nano /etc/ssowat/conf.json
If you use YunoHost, you may want to edit the /etc/ssowat/conf.json.persistent file, since the /etc/ssowat/conf.json will often be overwritten.
Available parameters
These are the SSOwat's configuration parameters. Only portal_domain is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
portal_domain
Domain of the authentication portal. It has to be a domain, IP addresses will not work with SSOwat (Required)
portal_path
URI of the authentication portal (default: /ssowat/). This path must end with “/”.
portal_port
Web port of the authentication portal (default: 443 for https, 80 for http)
portal_scheme
Whether authentication should use secure connection or not (default: https)
domains
List of handled domains (default: similar to portal_domain)
ldap_host
LDAP server hostname (default: localhost)
ldap_group
LDAP group to search in (default: ou=users,dc=yunohost,dc=org)
ldap_identifier
LDAP user identifier (default: uid)
ldap_attributes
User's attributes to fetch from LDAP (default: ["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"])
ldap_enforce_crypt
Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (default: true)
allow_mail_authentication
Whether users can authenticate with their mail address (default: true)
login_arg
URI argument to use for cross-domain authentication (default: sso_login)
additional_headers
Array of additionnal HTTP headers to set once user is authenticated (default: { "Remote-User": "uid" })
session_timeout
The session expiracy time limit in seconds, since the last connection (default: 86400 / one day)
session_max_timeout
The session expiracy time limit in seconds (default: 604800 / one week)
protected_urls
List of priorily protected URLs and/or URIs (by default, every URL is protected)
protected_regex
List of regular expressions to be matched against URLs and URIs to protect them
skipped_urls
List of URLs and/or URIs that will not be affected by SSOwat. This must be a JSON array, and SSOwat automatically adds itself to this array.
skipped_regex
List of regular expressions to be matched against URLs and URIs to ignore them
unprotected_urls
List of URLs and/or URIs that will not be affected by SSOwat unless user is authenticated
unprotected_regex
List of regular expressions to be matched against URLs and URIs to ignore them unless user is authenticated
redirected_urls
Array of URLs and/or URIs to redirect and their redirect URI/URL (example: { "/": "example.org/subpath" })
redirected_regex
Array of regular expressions to be matched against URLS and URIs and their redirect URI/URL (example: { "example.org/megusta$": "example.org/subpath" })
users
3-level array containing usernames and their ACL (allow/deny), each consisting of allowed URLs along with an App name; fake user “*” is for global ACL (example: { "*": { "allow": { "kload.fr/blog": "Blog" } }, "kload": { "allow": { "kload.fr/admin/": "Admin" } }, "visitor": { "deny": { "kload.fr/blog": "no access" } } })
logout
Associative array; when logging out of SSOwat, any existing cookie that is found as a key of this array triggers the associated logout URL. This only works on http[s]://[*.]portal_domain/, though. (example: { "dcxd": "https://example.org/dotclear/admin/index.php?logout=1" })
default_language
Language code used by default in views (default: en)