From 5cc9b9c96f79746d8ebac20f61aea38416582995 Mon Sep 17 00:00:00 2001
From: Jeff
Date: Fri, 5 May 2017 17:34:15 +0200
Subject: [PATCH] LDAP and HTTP auth

YunoHost users are now instantly logged in with HTTP auth
For this feature to work, the app now needs to be private, all YNH users must be added in the database, and the admin user must be a YNH user.
As a result, the manifest has changed:
- Admin password is replaced by admin user
- Public/Private is removed
- Adding YNH users as Dolibarr users is removed: this is default now

Unfortunately, upgrading the app will not change the previous behavior (ie no automatic login). For automatic login to work, you **must** reinstall the app

The sync script does not delete users. Therefore the post_user_delete hook is not needed (and does not work anyway)
---
 README.md | 1 +
 check_process | 14 ++++++-------
 conf/ldap_member.sql | 1 -
 conf/ldap_user.sql | 1 -
 conf/nginx.conf | 3 +++
 hooks/post_user_create | 9 +++-----
 hooks/post_user_delete | 17 ---------------
 manifest.json | 37 +++++++++-----------------------
 scripts/install | 43 +++++++++++++++++++-------------------
 scripts/upgrade | 10 +++------
 sources/install.forced.php | 2 +-
 11 files changed, 49 insertions(+), 89 deletions(-)
 delete mode 100644 hooks/post_user_delete

diff --git a/README.md b/README.md
index a5b0a0b..4a8d2dc 100644
--- a/README.md
+++ b/README.md
@@ -18,5 +18,6 @@ What does not work yet: see Issues
 What works:
 - Install, upgrade, remove, backup, restore
+- Automatic login
 - Sync YNH users with Dolibarr users
 - Sync YNH users with members in Dolibarr
diff --git a/check_process b/check_process
index 329a97d..33912c1 100644
--- a/check_process
+++ b/check_process
@@ -3,19 +3,19 @@
 ; Manifest
 domain="domain.tld" (DOMAIN)
 path="/dolibarr" (PATH)
- password="admin" (PASSWORD)
- is_public=0 (PUBLIC|public=0|private=1)
+ admin="homer" (USER)
+ member="1"
 ; Checks
 pkg_linter=1
 setup_sub_dir=1
 setup_root=1
 setup_nourl=0
 setup_private=1
- setup_public=1
+ setup_public=0
 upgrade=1
 backup_restore=1
- multi_instance=0
- wrong_user=0
+ multi_instance=1
+ wrong_user=1
 wrong_path=1
 incorrect_path=1
 corrupt_source=0
@@ -26,8 +26,8 @@
 Level 1=auto
 Level 2=auto
 Level 3=auto
- Level 4=na
-# LDAP is not integrated yet
+ Level 4=1
+# LDAP is integrated with HTTP auth
 Level 5=auto
 Level 6=auto
 Level 7=auto
diff --git a/conf/ldap_member.sql b/conf/ldap_member.sql
index bc0b091..b8dba1e 100644
--- a/conf/ldap_member.sql
+++ b/conf/ldap_member.sql
@@ -5,7 +5,6 @@ REPLACE INTO ynh_const (`name`, `value`, `type`) VALUES
 ('LDAP_MEMBER_FIELD_NAME', 'sn', 'chaine'),
 ('LDAP_MEMBER_FIELD_LOGIN', 'uid', 'chaine'),
 ('LDAP_MEMBER_FIELD_MAIL', 'mail', 'chaine'),
-('LDAP_MEMBER_FIELD_PASSWORD_CRYPTED', 'userPassword', 'chaine'),
 ('LDAP_MEMBER_FILTER', '&(objectClass=posixAccount)', 'chaine'),
 ('LDAP_MEMBER_OBJECT_CLASS', 'organizationalUnit,top', 'chaine'),
 ('LDAP_MEMBER_FIELD_MAIL', 'mail', 'chaine'),
diff --git a/conf/ldap_user.sql b/conf/ldap_user.sql
index 5c26a7e..aa4dd60 100644
--- a/conf/ldap_user.sql
+++ b/conf/ldap_user.sql
@@ -8,5 +8,4 @@ REPLACE INTO ynh_const (`name`, `value`, `type`) VALUES
 ('LDAP_FIELD_FIRSTNAME', 'givenName', 'chaine'),
 ('LDAP_FIELD_MAIL', 'mail', 'chaine'),
 ('LDAP_KEY_USERS', 'uid', 'chaine'),
-('LDAP_FIELD_PASSWORD_CRYPTED', 'userPassword', 'chaine'),
 ('LDAP_SYNCHRO_ACTIVE', 'ldap2dolibarr', 'chaine');
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 944a41f..be2d9fb 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
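Review bot: Dropping `('LDAP_MEMBER_FIELD_PASSWORD_CRYPTED', 'userPassword', 'chaine')` here, and `LDAP_FIELD_PASSWORD_CRYPTED` in the conf/ldap_user.sql hunk, stops copying LDAP password hashes into the Dolibarr database, which is the right direction now that login is delegated to HTTP auth, but `REPLACE INTO` only rewrites the rows it lists, so an existing installation that replays these files keeps the old constant rows and keeps syncing the hashes. If these files are ever run on upgrade, a `DELETE FROM ynh_const WHERE name IN ('LDAP_FIELD_PASSWORD_CRYPTED', 'LDAP_MEMBER_FIELD_PASSWORD_CRYPTED');` ahead of the `REPLACE INTO` would make the removal effective; hashes already copied into user rows would still need a one-off cleanup, which I cannot confirm from this hunk. Unrelated to the change itself, the context shows `LDAP_MEMBER_FIELD_MAIL` listed twice in the same VALUES list; the second row is redundant.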
@@ -17,4 +17,7 @@ location YNH_WWW_PATH/ {
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param SCRIPT_FILENAME $request_filename;
 }
+
+ # show YunoHost panel access
+ include conf.d/yunohost_panel.conf.inc;
 }
diff --git a/hooks/post_user_create b/hooks/post_user_create
index 418fecb..a9b62cc 100644
--- a/hooks/post_user_create
+++ b/hooks/post_user_create
@@ -4,13 +4,10 @@ src_path=/var/www/$app
 user=YNH_USER
 member=YNH_MEMBER
-# If YNH users should be users, sync users
- if [ $user = 1 ];
- then
- sudo sudo -u www-data php $src_path/scripts/user/sync_users_ldap2dolibarr.php commitiferror --server=localhost -y
- fi
+# Sync users
+ sudo sudo -u www-data php $src_path/scripts/user/sync_users_ldap2dolibarr.php commitiferror --server=localhost -y
-# If YNH users should be members, sync members
+# If YNH users should also be members, sync members
 if [ $member = 1 ];
 then
 sudo sudo -u www-data php $src_path/scripts/members/sync_members_ldap2dolibarr.php commitiferror 1 --server=localhost -y
diff --git a/hooks/post_user_delete b/hooks/post_user_delete
deleted file mode 100644
index 418fecb..0000000
--- a/hooks/post_user_delete
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/bash
-app=YNH_APP
-src_path=/var/www/$app
-user=YNH_USER
-member=YNH_MEMBER
-
-# If YNH users should be users, sync users
- if [ $user = 1 ];
- then
- sudo sudo -u www-data php $src_path/scripts/user/sync_users_ldap2dolibarr.php commitiferror --server=localhost -y
- fi
-
-# If YNH users should be members, sync members
- if [ $member = 1 ];
- then
- sudo sudo -u www-data php $src_path/scripts/members/sync_members_ldap2dolibarr.php commitiferror 1 --server=localhost -y
- fi
diff --git a/manifest.json b/manifest.json
index 9056925..fd46543 100644
--- a/manifest.json
+++ b/manifest.json
@@ -15,7 +15,7 @@
 "requirements": {
 "yunohost": ">> 2.4.0"
 },
- "multi_instance": false,
+ "multi_instance": true,
 "services": [
 "nginx",
 "php5-fpm",
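Review bot: `user=YNH_USER` on the first context line of the hooks/post_user_create hunk is now dead: the `$user` test that read it is removed in this hunk, and the same commit drops the `sed -i "s@YNH_USER@$user@g" ../hooks/post_user_create` line from scripts/install, so the hook now ships with a literal, never-substituted placeholder assignment. Remove that line so the hook only declares what it uses; the `member` variable remains the single switch. The shebang, `app=` and `src_path=` lines of the hook are above the hunk.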
@@ -43,39 +43,22 @@
 "default": "/dolibarr"
 },
 {
- "name": "password",
- "type": "password",
+ "name": "admin",
+ "type": "user",
 "ask": {
- "en": "Choose a strong password for the 'admin' user",
- "fr": "Choisissez un mot de passe fort pour l'administrateur 'admin'"
- }
- },
- {
- "name": "is_public",
- "type": "boolean",
- "ask": {
- "en": "Is it a public site?",
- "fr": "Est-ce un site public ?"
+ "en": "Choose an admin user",
+ "fr": "Choisissez l’administrateur"
 },
- "default": false
- },
- {
- "name": "user",
- "type": "boolean",
- "ask": {
- "en": "Should YunoHost users be users in Dolibarr?",
- "fr": "Les utilisateurs YunoHost doivent-ils être des utilisateurs Dolibarr ?"
- },
- "default": true
- },
+ "example": "johndoe"
+ },
 {
 "name": "member",
 "type": "boolean",
 "ask": {
- "en": "Should YunoHost users be draft members in Dolibarr?",
- "fr": "Les utilisateurs YunoHost doivent-ils être des adhérents à l'état brouillon dans Dolibarr ?"
+ "en": "Should YunoHost users also be added as members awaiting approval in Dolibarr?",
+ "fr": "Les utilisateurs YunoHost doivent-ils aussi être ajoutés comme adhérents en attente de validation dans Dolibarr ?"
 },
- "default": true
+ "default": false
 }
 ]
 }
diff --git a/scripts/install b/scripts/install
index 4021e52..4d9c558 100644
--- a/scripts/install
+++ b/scripts/install
@@ -10,9 +10,7 @@ version=$(cat ../sources/version)
 # Retrieve arguments
 domain=$YNH_APP_ARG_DOMAIN
 path=$YNH_APP_ARG_PATH
- password=$YNH_APP_ARG_PASSWORD
- is_public=$YNH_APP_ARG_IS_PUBLIC
- user=$YNH_APP_ARG_USER
+ admin=$YNH_APP_ARG_ADMIN
 member=$YNH_APP_ARG_MEMBER
 # Correct path: puts a / at the start and nothing at the end
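Review bot: The new `"ask"` text for the `admin` argument, `"Choose an admin user"`, does not tell the installer what the choice implies, even though the commit message explains that this YunoHost user becomes the Dolibarr super-administrator and that every other YunoHost user gets a Dolibarr account. Since the manifest is the only place this is shown at install time, a fuller prompt would help, e.g. `"en": "Choose the YunoHost user who will be the Dolibarr super-administrator (all YunoHost users get a Dolibarr account)"` with the matching French text. The flipped `"default": false` for `member` is a behaviour change for new installs that the commit message does not mention; a line there would avoid surprises.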
@@ -25,12 +23,15 @@ version=$(cat ../sources/version)
 # Check domain/path availability
 sudo yunohost app checkurl "${domain}${path}" -a "$app" \
- || ynh_die "Path not available: ${domain}${path}"
+ || ynh_die "path not available: ${domain}${path}"
+
+# Check user parameter
+ ynh_user_exists "$admin" \
+ || ynh_die "The chosen admin user does not exist."
 # Store settings
 ynh_app_setting_set $app domain $domain
- ynh_app_setting_set $app is_public $is_public
- ynh_app_setting_set $app user $user
+ ynh_app_setting_set $app admin $admin
 ynh_app_setting_set $app member $member
 ynh_app_setting_set $app version $version
@@ -73,6 +74,7 @@ version=$(cat ../sources/version)
 sed -i "s@YNH_DBNAME@$dbname@g" ../sources/install.forced.php
 sed -i "s@YNH_DBUSER@$dbuser@g" ../sources/install.forced.php
 sed -i "s@YNH_DBPASS@$dbpass@g" ../sources/install.forced.php
+ sed -i "s@YNH_ADMIN@$admin@g" ../sources/install.forced.php
 if [ $member = 1 ];
 then
 # If YNH users are members, we must activate the members module
@@ -93,6 +95,9 @@ version=$(cat ../sources/version)
 ynh_app_setting_set "$app" unprotected_uris "/"
 sudo yunohost app ssowatconf
+ # Generate a random password for the admin user (will be ignored because of LDAP)
+ password=$(ynh_string_random 8)
+
 # Install with CURL
 curl -kL -H "Host: $domain" -X POST https://$domain$path/install/fileconf.php > /dev/null 2>&1
 curl -kL -H "Host: $domain" -X POST https://$domain$path/install/step1.php --data "testpost=ok&action=set&selectlang=fr_FR" > /dev/null 2>&1
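Review bot: The added `sed -i "s@YNH_ADMIN@$admin@g" ../sources/install.forced.php` interpolates the installer-supplied `$admin` into a sed expression and, through the target file, into a single-quoted PHP string, so a value containing `@`, `'` or `\` would corrupt install.forced.php; this is acceptable only because `ynh_user_exists "$admin"` runs earlier in this script and YunoHost usernames are, as far as I recall, restricted to lowercase letters, digits and underscores. That ordering dependency deserves a comment so nobody later moves the check: `# $admin was validated by ynh_user_exists above; it must stay safe for the sed delimiter and the PHP quotes`. The surrounding `sed` lines for the database values use the same pattern with generated values and are unaffected.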
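Review bot: `password=$(ynh_string_random 8)` is still submitted to the installer and becomes the super-administrator's Dolibarr password, and the comment's claim that it is ignored only holds once the later `sed` in this script switches `dolibarr_main_authentication` to `http`; until that point, and if that substitution ever fails to match, this 8-character value is the only credential protecting the admin account of an app that is deliberately exposed through `unprotected_uris "/"` a few lines above. Nobody has to type this value, so there is no cost to making it long, e.g. `password=$(ynh_string_random 32)`, and the comment should name the step that makes it unused: `# Random password for the admin user; unused once conf.php is switched to HTTP auth later in this script`. The curl calls that consume it continue past the end of the hunk.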
@@ -102,13 +107,10 @@ version=$(cat ../sources/version)
 # Populate the LDAP parameters
 mysql -u ${dbuser} -p${dbpass} ${dbname} < ../conf/ldap.sql
-
- # If YNH users should be users, populate the database accordingly and sync users. Set the script as executable by all users to tackle a Hook limitation
- if [ $user = 1 ];
- then
- mysql -u ${dbuser} -p${dbpass} ${dbname} < ../conf/ldap_user.sql
- sudo sudo -u www-data php $src_path/scripts/user/sync_users_ldap2dolibarr.php commitiferror --server=localhost -y
- fi
+
+ # Populate the database with YNH users.
+ mysql -u ${dbuser} -p${dbpass} ${dbname} < ../conf/ldap_user.sql
+ sudo sudo -u www-data php $src_path/scripts/user/sync_users_ldap2dolibarr.php commitiferror --server=localhost -y
 # If YNH users should be members, populate the database accordingly, create the member list, and sync members
 if [ $member = 1 ];
@@ -117,18 +119,15 @@ version=$(cat ../sources/version)
 sudo sudo -u www-data php $src_path/scripts/members/sync_members_ldap2dolibarr.php commitiferror 1 --server=localhost -y
 fi
- # Enable SSO if chosen by the user
- if [ $is_public = 0 ];
- then
- ynh_app_setting_delete $app unprotected_uris
- sudo yunohost app ssowatconf
- fi
+ # Re-enable SSO if chosen by the user
+ ynh_app_setting_delete $app unprotected_uris
+ sudo yunohost app ssowatconf
+
+# Setup HTTP auth in conf
+ sudo sed -i "s@\$dolibarr_main_authentication='dolibarr';@\$dolibarr_main_authentication='http';@g" $src_path/htdocs/conf/conf.php
 # Setup hooks
 sed -i "s@YNH_APP@$app@g" ../hooks/post_user_create
- sed -i "s@YNH_USER@$user@g" ../hooks/post_user_create
 sed -i "s@YNH_MEMBER@$member@g" ../hooks/post_user_create
- sed -i "s@YNH_APP@$app@g" ../hooks/post_user_delete
- sed -i "s@YNH_USER@$user@g" ../hooks/post_user_delete
 sed -i "s@YNH_MEMBER@$member@g" ../hooks/post_user_delete
diff --git a/scripts/upgrade b/scripts/upgrade
index ae19d85..269f27a 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
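Review bot: The last context line of the second hunk, `sed -i "s@YNH_MEMBER@$member@g" ../hooks/post_user_delete`, still targets hooks/post_user_delete, which this commit deletes, so every fresh install now runs sed against a missing file and, depending on whether the script aborts on errors (not visible here), either fails or logs a spurious error; drop that line. The new `sudo sed -i ... $src_path/htdocs/conf/conf.php` is also unchecked: if its pattern does not match the conf.php the installer generated, the app silently stays on Dolibarr's own login with the short random password generated earlier, so follow it with something like `grep -q "dolibarr_main_authentication='http'" $src_path/htdocs/conf/conf.php || ynh_die "Failed to enable HTTP auth in conf.php"`. The comment `# Re-enable SSO if chosen by the user` is stale since the choice no longer exists. In HTTP auth mode Dolibarr trusts the username the web server hands it, so removing `unprotected_uris` and keeping the app behind SSOwat is what makes the scheme sound; a comment stating that dependency next to the sed would help the next maintainer.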
@@ -12,7 +12,6 @@ version=$(cat ../sources/version)
 # Retrieve app settings
 domain=$(ynh_app_setting_get "$app" domain)
 path=$(ynh_app_setting_get "$app" path)
- is_public=$(ynh_app_setting_get "$app" is_public)
 old_version=$(ynh_app_setting_get "$app" version)
 # Copy source files
@@ -65,12 +64,9 @@ version=$(cat ../sources/version)
 sudo chmod 444 $lock
 sudo chown www-data: $lock
- # Enable SSO if chosen by the user
- if [ $is_public = 0 ];
- then
- ynh_app_setting_delete $app unprotected_uris
- sudo yunohost app ssowatconf
- fi
+ # Re-enable SSO
+ ynh_app_setting_delete $app unprotected_uris
+ sudo yunohost app ssowatconf
 # Store the new version
 ynh_app_setting_set $app version $version
diff --git a/sources/install.forced.php b/sources/install.forced.php
index d415ebc..267f849 100644
--- a/sources/install.forced.php
+++ b/sources/install.forced.php
@@ -38,7 +38,7 @@ $force_install_createuser = false;
 //$force_install_databaserootpass = '';
 /** @var string Dolibarr super-administrator username */
-$force_install_dolibarrlogin = 'admin';
+$force_install_dolibarrlogin = 'YNH_ADMIN';
 /** @var string Enable module(s) (Comma separated class names list) */
 $force_install_module = 'modLdap';
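Review bot: Deleting `unprotected_uris` unconditionally in the second scripts/upgrade hunk turns any existing installation that was set up with `is_public=1` into a private one during upgrade, which contradicts the commit message's statement that upgrading leaves the previous behaviour unchanged; either keep a check on the old `is_public` setting for installs made with the previous manifest, or document the change and the reason (the app must be private for HTTP auth to be safe). The `is_public` and `user` settings that older installs stored are also never cleaned up; a `ynh_app_setting_delete $app is_public` next to the version update would avoid stale settings lingering. The upgrade path also stores no `admin` setting, which the new install script does set, so anything reading it after an upgrade gets nothing; that may be intended given the reinstall requirement, but it deserves a comment.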