<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:configlocation</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,configlocation" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="configlocation.html" />
<link rel="contents" href="configlocation.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:configlocation","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#backends">Backends</a></div></li>
<li class="level1"><div class="li"><a href="#manager">Manager</a></div></li>
<li class="level1"><div class="li"><a href="#configuration_text_editor">Configuration text editor</a></div></li>
<li class="level1"><div class="li"><a href="#command_line_interface_cli">Command Line Interface (CLI)</a></div></li>
<li class="level1"><div class="li"><a href="#apache">Apache</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager1">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#handler">Handler</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#nginx">Nginx</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal1">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager2">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#handler1">Handler</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#configuration_reload">Configuration reload</a></div></li>
<li class="level1"><div class="li"><a href="#local_file">Local file</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="configuration_overview">Configuration overview</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Configuration overview" [1-38] -->
<h2 class="sectionedit2" id="backends">Backends</h2>
<div class="level2">
<p>
LemonLDAP::NG configuration is stored in a backend that every module reads from.
</p>
<div class="noteimportant">Note that all <abbr title="LemonLDAP::NG">LL::NG</abbr> components must have access:<ul>
<li class="level1"><div class="li">to the configuration backend</div>
</li>
<li class="level1"><div class="li">to the sessions storage backend</div>
</li>
</ul>
<p>
Detailed configuration backends documentation is available <a href="start.html#configuration_database" class="wikilink1" title="documentation:2.0:start">here</a>.
</p>
</div>
<p>
By default, configuration is stored in <a href="fileconfbackend.html" class="wikilink1" title="documentation:2.0:fileconfbackend">files</a>, so it cannot be read over the network. To share it between hosts, expose it through <a href="soapconfbackend.html" class="wikilink1" title="documentation:2.0:soapconfbackend">SOAP</a>, or store it in a network service such as an <a href="sqlconfbackend.html" class="wikilink1" title="documentation:2.0:sqlconfbackend">SQL database</a> or an <a href="ldapconfbackend.html" class="wikilink1" title="documentation:2.0:ldapconfbackend">LDAP directory</a>.
</p>
<p>
The configuration backend is set in the <a href="#local_file" title="documentation:2.0:configlocation ↵" class="wikilink1">local configuration file</a>, in the <code>configuration</code> section.
</p>
<p>
For example, to configure the <code>File</code> configuration backend:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">[</span>configuration<span class="br0">]</span></span>
<span class="re1">type</span> <span class="sy0">=</span> <span class="re2">File</span>
<span class="re1">dirName</span> <span class="sy0">=</span> <span class="re2">/usr/local/lemonldap-ng/data/conf</span></pre>
<div class="notetip">See <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">How to change configuration backend</a> to learn how to change it.
</div>
</div>
<!-- EDIT2 SECTION "Backends" [39-1047] -->
<h2 class="sectionedit3" id="manager">Manager</h2>
<div class="level2">
<p>
Most of the configuration can be done through the LemonLDAP::NG Manager (by default <a href="http://manager.example.com" class="urlextern" title="http://manager.example.com" rel="nofollow">http://manager.example.com</a>).
</p>
<p>
By default, the Manager is protected so that only the demonstration user “dwho” can access it.
</p>
<div class="noteimportant">This user no longer exists once you configure a new authentication backend! Before switching, change the access rule of the Manager virtual host to allow the new administrators, otherwise nobody will be able to log in to the Manager.
</div>
<p>
If you can no longer access the Manager, you can unprotect it by editing <code>lemonldap-ng.ini</code> and changing the <code>protection</code> parameter. Do this only for the time needed to repair the access rule: with <code>protection = none</code>, anyone who can reach the virtual host can read and change the whole configuration.
</p>
<pre class="code file ini"><span class="re0"><span class="br0">[</span>manager<span class="br0">]</span></span>
# Manager protection: by default, the manager is protected by a demo account.
# You can protect it :
#  * by Apache itself,
#  * by the parameter 'protection' which can take one of the following
#  values :
#    * authenticate : all authenticated users can access
#    * manager      : manager is protected like other virtual hosts: you
#                     have to set rules in the corresponding virtual host
#    * rule: &lt;rule&gt; : you can set here directly the rule to apply
#    * none         : no protection</pre>
<div class="notetip">See <a href="managerprotection.html" class="wikilink1" title="documentation:2.0:managerprotection">Manager protection documentation</a> to learn how to use Apache modules or <abbr title="LemonLDAP::NG">LL::NG</abbr> itself to manage access to the Manager.
</div>
<p>
The Manager displays these main branches:
</p>
<ul>
<li class="level1"><div class="li"><strong>General Parameters</strong>: Authentication modules, portal, etc.</div>
</li>
<li class="level1"><div class="li"><strong>Variables</strong>: User information, macros and groups used to fill the <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
<li class="level1"><div class="li"><strong>Virtual Hosts</strong>: Access rules, headers, etc.</div>
</li>
<li class="level1"><div class="li"><strong><abbr title="Security Assertion Markup Language">SAML</abbr> 2 Service</strong>: <abbr title="Security Assertion Markup Language">SAML</abbr> metadata administration</div>
</li>
<li class="level1"><div class="li"><strong><abbr title="Security Assertion Markup Language">SAML</abbr> identity providers</strong>: Registered IDP</div>
</li>
<li class="level1"><div class="li"><strong><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</strong>: Registered SP</div>
</li>
<li class="level1"><div class="li"><strong>OpenID Connect Service</strong>: OpenID Connect service configuration</div>
</li>
<li class="level1"><div class="li"><strong>OpenID Connect Providers</strong>: Registered OP</div>
</li>
<li class="level1"><div class="li"><strong>OpenID Connect Relying Parties</strong>: Registered RP</div>
</li>
</ul>
<p>
LemonLDAP::NG configuration is mainly a key/value structure, so the Manager presents all keys in a tree. Clicking a key displays the associated value.
</p>
<p>
When all modifications are done, click on <code>Save</code> to store the configuration.
</p>
<div class="notewarning">LemonLDAP::NG checks the configuration and displays any errors and warnings. The configuration <strong>is not saved</strong> if there are errors.
</div>
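<p>
The two <code>lemonldap-ng.ini</code> fragments above (the <code>[configuration]</code> backend and the <code>[manager]</code> protection) are the settings most worth checking on a production host: a File backend is local to the machine, and <code>protection = none</code> leaves the Manager open. The following shell script is an added example and not part of LemonLDAP::NG. It reads both values from an ini file, warns when the File backend directory is world-readable (the stored configuration contains secrets, such as the <code>key</code> entry shown in the editor section below), and fails when the Manager is unprotected. The parser assumes the <code>[section]</code> / <code>key = value</code> layout shown on this page; the ini path in the usage note is only an example.
</p>

```shell
#!/bin/sh
# Added example (not LemonLDAP::NG code): read lemonldap-ng.ini, report the
# configuration backend and the Manager "protection" mode, and flag the
# settings that deserve attention on a production host.
# Assumed: the "[section]" / "key = value" layout shown on this page, with
# "#" or ";" starting a comment line.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
# (nothing if absent). Values are trimmed; inline comments are not handled.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_sec = (trim($0) == "[" sec "]"); next }
        in_sec && index($0, "=") {
            k = trim(substr($0, 1, index($0, "=") - 1))
            if (k == key) { print trim(substr($0, index($0, "=") + 1)); exit }
        }' "$1"
}

# llng_conf_audit FILE -> prints one finding per line.
# Returns 1 when the Manager is left without LL::NG protection
# (protection = none), 0 otherwise.
llng_conf_audit() {
    ini=$1
    type=$(ini_get "$ini" configuration type)
    dir=$(ini_get "$ini" configuration dirName)
    prot=$(ini_get "$ini" manager protection)
    echo "configuration.type=${type:-unset}"
    if [ "$type" = "File" ]; then
        # A File backend is local: every LL::NG component must run on this
        # host, or the configuration has to be published (SOAP, SQL, LDAP).
        echo "configuration.dirName=${dir:-unset}"
        # The stored configuration contains secrets (the 'key' entry in the
        # lmConfigEditor dump on this page), so it must not be world-readable.
        # Character 8 of "ls -ld" output is the "other read" bit.
        if [ -d "$dir" ] && [ "$(ls -ld "$dir" | cut -c8)" = "r" ]; then
            echo "WARNING: $dir is world-readable"
        fi
    fi
    echo "manager.protection=${prot:-unset}"
    if [ "$prot" = "none" ]; then
        echo "WARNING: Manager is unprotected; restore the protection as soon as the access rule is fixed"
        return 1
    fi
    return 0
}
```

Run it as <code>llng_conf_audit /path/to/lemonldap-ng.ini</code> (the path depends on your installation); a non-zero exit status means the Manager is currently unprotected, which is the state you want to notice before, not after, a deployment.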
</div>
<!-- EDIT3 SECTION "Manager" [1048-3236] -->
<h2 class="sectionedit4" id="configuration_text_editor">Configuration text editor</h2>
<div class="level2">
<p>
LemonLDAP::NG provides a script to edit the configuration without a graphical interface. It is called <code>lmConfigEditor</code> and lives in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lmConfigEditor</pre>
<div class="notetip">This script must be run as root; it then switches to the Apache user and group to access the configuration.
</div>
<p>
The script uses the <code>editor</code> system command, which points to your favourite editor. To change it:
</p>
<pre class="code">update-alternatives --config editor</pre>
<p>
The configuration is displayed as one big Perl hash that you can edit. Note that the dump contains secrets (for example the <code>key</code> entry), so handle it like a password and do not paste it into tickets or logs:
</p>
<pre class="code file perl"><span class="re0">$VAR1</span> <span class="sy0">=</span> <span class="br0">{</span>
          <span class="st_h">'ldapAuthnLevel'</span> <span class="sy0">=&gt;</span> <span class="st_h">'2'</span><span class="sy0">,</span>
          <span class="st_h">'notificationWildcard'</span> <span class="sy0">=&gt;</span> <span class="st_h">'allusers'</span><span class="sy0">,</span>
          <span class="st_h">'loginHistoryEnabled'</span> <span class="sy0">=&gt;</span> <span class="st_h">'1'</span><span class="sy0">,</span>
          <span class="st_h">'key'</span> <span class="sy0">=&gt;</span> <span class="st_h">'q`e)kJE%&lt;&amp;wm&gt;uaA'</span><span class="sy0">,</span>
          <span class="st_h">'samlIDPSSODescriptorSingleSignOnServiceHTTPPost'</span> <span class="sy0">=&gt;</span> <span class="st_h">'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;'</span><span class="sy0">,</span>
          <span class="st_h">'portalSkin'</span> <span class="sy0">=&gt;</span> <span class="st_h">'pastel'</span><span class="sy0">,</span>
          <span class="st_h">'failedLoginNumber'</span> <span class="sy0">=&gt;</span> <span class="st_h">'5'</span><span class="sy0">,</span>
          <span class="sy0">...</span>
        <span class="br0">}</span><span class="sy0">;</span></pre>
<p>
If something was modified, the configuration is saved under a new configuration number; otherwise the current configuration is kept.
</p>
</div>
<!-- EDIT4 SECTION "Configuration text editor" [3237-4465] -->
2016-10-15 19:57:04 +02:00
<h2 class="sectionedit5" id="command_line_interface_cli">Command Line Interface (CLI)</h2>
<div class="level2">
<p>
LemonLDAP::NG provides a script to edit configuration items non-interactively. It is called <code>lemonldap-ng-cli</code> and lives in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli</pre>
<div class="notetip">This script must be run as root; it then switches to the Apache user and group to access the configuration.
</div>
<p>
To see the available actions:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli help</pre>
<p>
To force an update of the configuration cache:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache</pre>
<p>
To get information about the current configuration:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli info</pre>
<p>
To view a configuration parameter, for example the portal <abbr title="Uniform Resource Locator">URL</abbr>:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal</pre>
<p>
To set a parameter, for example the domain:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set domain example.org</pre>
<p>
Options change the behaviour of the script:
</p>
<ul>
<li class="level1"><div class="li">-sep: separator of hierarchical keys (by default: /).</div>
</li>
<li class="level1"><div class="li">-iniFile: the lemonldap-ng.ini file to use, if not the default one.</div>
</li>
<li class="level1"><div class="li">-yes: do not prompt for confirmation before saving the new configuration.</div>
</li>
<li class="level1"><div class="li">-cfgNum: the configuration number to work on. If not set, the latest configuration is used.</div>
</li>
<li class="level1"><div class="li">-force: set it to 1 to allow saving a configuration earlier than the latest one.</div>
</li>
</ul>
<p>
Some examples:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace</pre>
<div class="notetip">See <a href="cli_examples.html" class="wikilink1" title="documentation:2.0:cli_examples">other examples</a>.
</div>
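<p>
Scripted changes should be idempotent and verified: each save produces a new configuration number, and a <code>set</code> that did not take effect leaves the stored configuration different from what the script believes. The following shell script is an added example and not part of LemonLDAP::NG. It wraps <code>lemonldap-ng-cli</code> so that a key is set only when its stored value differs, every save is read back, and the cache is updated once at the end. It assumes that <code>get KEY</code> prints <code>KEY = VALUE</code> on one line (this page does not show the CLI output format) and that the script path can be overridden through <code>LLNG_CLI</code>; both are assumptions, not documented behaviour.
</p>

```shell
#!/bin/sh
# Added example (not LemonLDAP::NG code): apply "key=value" settings through
# lemonldap-ng-cli only when the stored value differs, and verify each save.
# Assumed (not shown on this page): "get KEY" prints "KEY = VALUE" on one line.
# LLNG_CLI may point at another copy of the script (or a test double).
LLNG_CLI="${LLNG_CLI:-/usr/share/lemonldap-ng/bin/lemonldap-ng-cli}"

# llng_get KEY -> prints the stored value of KEY (empty if unset or on error).
# Hierarchical keys use the default "/" separator, e.g. exportedHeaders/host.
llng_get() {
    "$LLNG_CLI" get "$1" 2>/dev/null </dev/null |
        awk -v k="$1" 'index($0, k " = ") == 1 { print substr($0, length(k) + 4) }'
}

# llng_apply KEY VALUE -> sets KEY to VALUE unless it already holds it, then
# reads it back. Prints what happened; returns 1 if the value did not stick.
llng_apply() {
    key=$1
    want=$2
    have=$(llng_get "$key")
    if [ "$have" = "$want" ]; then
        echo "unchanged $key"
        return 0
    fi
    # -yes 1: no interactive confirmation (a new configuration number is saved)
    "$LLNG_CLI" -yes 1 set "$key" "$want" >/dev/null </dev/null || {
        echo "FAILED $key: set command returned an error" >&2
        return 1
    }
    after=$(llng_get "$key")
    if [ "$after" = "$want" ]; then
        echo "changed $key: '$have' -> '$want'"
        return 0
    fi
    echo "FAILED $key: wanted '$want', stored '$after'" >&2
    return 1
}

# llng_apply_file FILE -> applies every "key=value" line of FILE (blank lines
# and "#" comments are skipped) and refreshes the configuration cache once.
# Returns 1 if any setting failed; the cache is then left untouched.
llng_apply_file() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # split on the first "=" only, so values may contain "="
        llng_apply "${line%%=*}" "${line#*=}" || rc=1
    done < "$1"
    if [ "$rc" -eq 0 ]; then
        "$LLNG_CLI" update-cache >/dev/null </dev/null || rc=1
    fi
    return $rc
}
```

Typical use is <code>llng_apply_file desired.conf</code> from a deployment job, run as root like the CLI itself; the output lists only the keys that actually changed, which is also the change log you want for the new configuration number.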
</div>
<!-- EDIT5 SECTION "Command Line Interface (CLI)" [4466-6260] -->
<h2 class="sectionedit6" id="apache">Apache</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage the Apache configuration: the files below are deployed and edited by you.
</div>
<p>
LemonLDAP::NG ships 3 Apache configuration files:
</p>
<ul>
<li class="level1"><div class="li"><strong>portal-apache2.conf</strong>: Portal virtual host, with SOAP/REST end points</div>
</li>
<li class="level1"><div class="li"><strong>manager-apache2.conf</strong>: Manager virtual host</div>
</li>
<li class="level1"><div class="li"><strong>handler-apache2.conf</strong>: Handler declaration, reload and sample virtual hosts</div>
</li>
</ul>
<p>
See <a href="configapache.html" class="wikilink1" title="documentation:2.0:configapache">how to deploy them</a>.
</p>
</div>
<!-- EDIT6 SECTION "Apache" [6261-6659] -->
2016-10-15 19:57:04 +02:00
<h3 class="sectionedit7" id="portal">Portal</h3>
<div class="level3">
<p>
In the Portal virtual host, you will find several configuration parts:
</p>
<ul>
<li class="level1"><div class="li">Standard virtual host directives, to serve portal pages:</div>
</li>
</ul>
<pre class="code file apache"><span class="kw1">ServerName</span> auth.example.com
<span class="co1"># DocumentRoot</span>
<span class="kw1">DocumentRoot</span> /usr/local/lemonldap-ng/htdocs/portal/
&lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/portal/&gt;
    <span class="kw1">Require</span> <span class="kw2">all</span> granted
    <span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
<span class="co1"># For performances, you can put static html files: simply put the HTML</span>
<span class="co1"># result (example: /oauth2/checksession.html) as static file. Then</span>
<span class="co1"># uncomment the following line.</span>
<span class="co1"># RewriteCond "%{REQUEST_FILENAME}" "!\.html$"</span>
<span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_FILENAME}"</span> <span class="st0">"!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi)$"</span>
<span class="kw1">RewriteRule</span> <span class="st0">"^/(.+)$"</span> <span class="st0">"/index.fcgi/$1"</span> [PT]

<span class="co1"># Note that Content-Security-Policy header is generated by portal itself</span>
&lt;<span class="kw3">Files</span> *.fcgi&gt;
    <span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
    <span class="co1">#CGIPassAuth on</span>
    <span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Files</span>&gt;
<span class="co1"># Static files</span>
<span class="kw1">Alias</span> /static/ __PORTALSTATICDIR__/
&lt;<span class="kw3">Directory</span> __PORTALSTATICDIR__&gt;
    <span class="kw1">Require</span> <span class="kw2">all</span> granted
    <span class="kw1">Options</span> +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
&lt;<span class="kw3">Location</span> /static/&gt;
    &lt;<span class="kw3">IfModule</span> mod_expires.c&gt;
        <span class="kw1">ExpiresActive</span> <span class="kw2">On</span>
        <span class="kw1">ExpiresDefault</span> <span class="st0">"access plus 1 month"</span>
    &lt;/<span class="kw3">IfModule</span>&gt;
&lt;/<span class="kw3">Location</span>&gt;
&lt;<span class="kw3">IfModule</span> mod_dir.c&gt;
    <span class="kw1">DirectoryIndex</span> index.fcgi index.html
&lt;/<span class="kw3">IfModule</span>&gt;</pre>
<ul>
<li class="level1"><div class="li">REST/SOAP end points (disabled by default). They give access to session management, session content, the configuration itself and notification insertion, so keep them denied unless the clients that need them are explicitly allowed:</div>
</li>
</ul>
<pre class="code file apache"><span class="co1"># REST/SOAP functions for sessions management (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/adminSessions&gt;
    <span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
<span class="co1"># REST/SOAP functions for sessions access (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/sessions&gt;
    <span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
<span class="co1"># REST/SOAP functions for configuration access (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/config&gt;
    <span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
<span class="co1"># REST/SOAP functions for notification insertion (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/notification&gt;
    <span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT7 SECTION "Portal" [6660-8760] -->
2016-10-15 19:57:04 +02:00
<h3 class="sectionedit8" id="manager1">Manager</h3>
<div class="level3">
<p>
The Manager virtual host serves the configuration interface and the local documentation. It runs as a FastCGI application:
</p>
<pre class="code file apache"><span class="co1"># FASTCGI CONFIGURATION</span>
<span class="co1"># ---------------------</span>
<span class="co1"># 1) URI management</span>
<span class="kw1">RewriteEngine</span> <span class="kw2">on</span>
<span class="kw1">RewriteRule</span> <span class="st0">"^/$"</span> <span class="st0">"/psgi/manager-server.fcgi"</span> [PT]
<span class="co1"># For performances, you can delete the previous RewriteRule line after</span>
<span class="co1"># puttings html files: simply put the HTML results of different modules</span>
<span class="co1"># (configuration, sessions, notifications) as manager.html, sessions.html,</span>
<span class="co1"># notifications.html and uncomment the 2 following lines:</span>
<span class="co1"># DirectoryIndex manager.html</span>
<span class="co1"># RewriteCond "%{REQUEST_FILENAME}" "!\.html$"</span>
<span class="co1"># REST URLs</span>
<span class="kw1">RewriteCond</span> <span class="st0">"%{REQUEST_FILENAME}"</span> <span class="st0">"!^/(?:static|doc|lib).*"</span>
<span class="kw1">RewriteRule</span> <span class="st0">"^/(.+)$"</span> <span class="st0">"/psgi/manager-server.fcgi/$1"</span> [PT]
<span class="kw1">Alias</span> /psgi/ /var/lib/lemonldap-ng/manager/psgi/
<span class="co1"># 2) FastCGI engine</span>
<span class="co1"># You can choose any FastCGI system. Here is an example using mod_fcgid</span>
<span class="co1"># mod_fcgid configuration</span>
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/manager/psgi/&gt;
    <span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
    <span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Directory</span>&gt;
<span class="co1"># If you want to use mod_fastcgi, replace lines below by:</span>
<span class="co1">#FastCgiServer /var/lib/lemonldap-ng/manager/psgi/manager-server.fcgi</span>
<span class="co1"># Or if you prefer to use CGI, use /psgi/manager-server.cgi instead of</span>
<span class="co1"># /psgi/manager-server.fcgi and adapt the rewrite rules.</span></pre>
<p>
Access to the configuration interface is not protected by Apache but by LemonLDAP::NG itself (see the <code>protection</code> parameter in <code>lemonldap-ng.ini</code>).
</p>
</div>
<!-- EDIT8 SECTION "Manager" [8761-10304] -->
2016-10-15 19:57:04 +02:00
<h3 class="sectionedit9" id="handler">Handler</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li">Load the Handler into Apache memory:</div>
</li>
</ul>
<pre class="code file apache">PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler</pre>
<ul>
<li class="level1"><div class="li">Catch error pages:</div>
</li>
</ul>
<pre class="code file apache"><span class="kw1">ErrorDocument</span> <span class="nu0">403</span> http://auth.example.com/?lmError=<span class="nu0">403</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">404</span> http://auth.example.com/?lmError=<span class="nu0">404</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">500</span> http://auth.example.com/?lmError=<span class="nu0">500</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">502</span> http://auth.example.com/?lmError=<span class="nu0">502</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">503</span> http://auth.example.com/?lmError=<span class="nu0">503</span></pre>
<ul>
<li class="level1"><div class="li">Reload virtual host. The reload and status locations are restricted to 127.0.0.0/8 with the Apache 2.2 access directives; on Apache 2.4 they need mod_access_compat, or the equivalent <code>Require ip 127.0.0.0/8</code>. Keep them reachable from the host itself only:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
    <span class="kw1">ServerName</span> reload.example.com
    <span class="co1"># Configuration reload mechanism (only 1 per physical server is</span>
    <span class="co1"># needed): choose your URL to avoid restarting Apache when</span>
    <span class="co1"># configuration change</span>
    &lt;<span class="kw3">Location</span> /reload&gt;
        <span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
        <span class="kw1">Deny</span> from <span class="kw2">all</span>
        <span class="kw1">Allow</span> from 127.0.0.0/<span class="nu0">8</span>
        <span class="kw1">SetHandler</span> perl-<span class="kw1">script</span>
        PerlResponseHandler Lemonldap::NG::Handler-&gt;reload
    &lt;/<span class="kw3">Location</span>&gt;
    <span class="co1"># Uncomment this to activate status module</span>
    <span class="co1">#&lt;Location /status&gt;</span>
    <span class="co1">#    Order deny,allow</span>
    <span class="co1">#    Deny from all</span>
    <span class="co1">#    Allow from 127.0.0.0/8</span>
    <span class="co1">#    SetHandler perl-script</span>
    <span class="co1">#    PerlResponseHandler Lemonldap::NG::Handler-&gt;status</span>
    <span class="co1">#&lt;/Location&gt;</span>
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<p>
Then, to protect a standard virtual host, the only configuration line to add is:
</p>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler</pre>
</div>
<!-- EDIT9 SECTION "Handler" [10305-11663] -->
2016-10-15 19:57:04 +02:00
<h2 class="sectionedit10" id="nginx">Nginx</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage the Nginx configuration: the files below are deployed and edited by you.
</div>
<p>
LemonLDAP::NG ships 3 Nginx configuration files:
</p>
<ul>
<li class="level1"><div class="li"><strong>portal-nginx.conf</strong>: Portal virtual host, with REST/SOAP end points</div>
</li>
<li class="level1"><div class="li"><strong>manager-nginx.conf</strong>: Manager virtual host</div>
</li>
<li class="level1"><div class="li"><strong>handler-nginx.conf</strong>: Handler reload virtual hosts</div>
</li>
</ul>
<p>
See <a href="confignginx.html" class="wikilink1" title="documentation:2.0:confignginx">how to deploy them</a>.
</p>
<div class="notewarning">The <a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI</a> server must be started separately: Nginx only forwards requests to its socket.
</div>
</div>
<!-- EDIT10 SECTION "Nginx" [11664-12117] -->
2016-10-15 19:57:04 +02:00
< h3 class = "sectionedit11" id = "portal1" > Portal< / h3 >
< div class = "level3" >
< p >
In Portal virtual host, you will find several configuration parts:
< / p >
< ul >
< li class = "level1" > < div class = "li" > Standard virtual host directives, to serve portal pages:< / div >
< / li >
< / ul >
< pre class = "code file nginx" > server {
listen 80;
server_name auth.example.com;
root /var/lib/lemonldap-ng/portal/;
2017-08-30 18:47:22 +02:00
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
2016-10-15 19:57:04 +02:00
2017-08-30 18:47:22 +02:00
location ~ \.psgi(?:$|/) {
# Note that Content-Security-Policy header is generated by portal itself
2016-10-15 19:57:04 +02:00
include /etc/nginx/fastcgi_params;
2017-08-30 18:47:22 +02:00
fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
2016-10-15 19:57:04 +02:00
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
2017-08-30 18:47:22 +02:00
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default " " ;
# ~/CN=(?< CN> [^/]+) $CN;
#}
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
2016-10-15 19:57:04 +02:00
}
2017-08-30 18:47:22 +02:00
index index.psgi;
2016-10-15 19:57:04 +02:00
location / {
try_files $uri $uri/ =404;
2017-08-30 18:47:22 +02:00
# Uncomment this if you use https only
#add_header Strict-Transport-Security " 15768000" ;
}
location /static/ {
alias __PORTALSTATICDIR__;
2016-10-15 19:57:04 +02:00
}
}< / pre >
< ul >
2017-08-30 18:47:22 +02:00
< li class = "level1" > < div class = "li" > REST/SOAP end points (inactivated by default):< / div >
2016-10-15 19:57:04 +02:00
< / li >
< / ul >
2017-08-30 18:47:22 +02:00
< pre class = "code file nginx" > # REST/SOAP functions for sessions management (disabled by default)
location /index.psgi/adminSessions {
deny all;
}
# REST/SOAP functions for sessions access (disabled by default)
location /index.psgi/sessions {
deny all;
}
# REST/SOAP functions for configuration access (disabled by default)
location /index.psgi/config {
deny all;
}
# REST/SOAP functions for notification insertion (disabled by default)
location /index.psgi/notification {
deny all;
}< / pre >
< / div >
<!-- EDIT11 SECTION "Portal" [12118 - 13909] -->
< h3 class = "sectionedit12" id = "manager2" > Manager< / h3 >
< div class = "level3" >
< p >
The Manager virtual host serves the configuration interface and the local documentation.
< / p >
< pre class = "code file nginx" > server {
listen 80;
server_name manager.example.com;
root /usr/share/lemonldap-ng/manager/;
if ($uri !~ ^/(static|doc|lib|javascript)) {
rewrite ^/(.*)$ /manager.psgi/$1 break;
}
location /manager.psgi {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE manager;
fastcgi_param SCRIPT_NAME /manager.psgi;
}
location / {
index manager.psgi;
try_files $uri $uri/ =404;
}
}< / pre >
< p >
By default, configuration interface access is not protected by Nginx but by LemonLDAP::NG itself (see < code > lemonldap-ng.ini< / code > ).
< / p >
< / div >
<!-- EDIT12 SECTION "Manager" [13910 - 14655] -->
< h3 class = "sectionedit13" id = "handler1" > Handler< / h3 >
< div class = "level3" >
< p >
Nginx handler is provided by the < a href = "fastcgiserver.html" class = "wikilink1" title = "documentation:2.0:fastcgiserver" > LemonLDAP::NG FastCGI server< / a > .
< / p >
< ul >
< li class = "level1" > < div class = "li" > Handle errors:< / div >
< / li >
< / ul >
< pre class = "code file nginx" > error_page 403 http://auth.example.com/?lmError=403;
error_page 404 http://auth.example.com/?lmError=404;
error_page 500 http://auth.example.com/?lmError=500;
error_page 502 http://auth.example.com/?lmError=502;
error_page 503 http://auth.example.com/?lmError=503;< / pre >
< ul >
< li class = "level1" > < div class = "li" > Reload virtual host:< / div >
< / li >
< / ul >
< pre class = "code file nginx" > server {
listen 80;
server_name reload.example.com;
root /var/www/html;
location = /reload {
allow 127.0.0.1;
deny all;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE reload;
}
# Other requests
location / {
deny all;
}
# Uncomment this if status is enabled
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
#}
}< / pre >
< p >
Then, to protect a standard virtual host, you must insert this (or create an included file):
< / p >
< pre class = "code file nginx" > # Insert $_user in logs
include /etc/lemonldap-ng/nginx-lmlog.conf;
access_log /var/log/nginx/access.log lm_combined;
# Internal call to FastCGI server
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# The handler only needs headers to decide: drop the request body
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
fastcgi_param HOST $http_host;
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
#include /path/to/nginx-lua-headers.conf;
# ELSE
# Set your headers manually
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie $lmcookie;
# OR
#fastcgi_param HTTP_COOKIE $lmcookie;
# Then insert your configuration (fastcgi_* or proxy_*)< / pre >
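The auth_request exchange above, as an added Python model that is not part of this page or of LemonLDAP::NG: the Nginx side follows the directives shown (body dropped, HOST and X_ORIGINAL_URI forwarded, 401 turned into a redirect via $lmlocation, 403 sent to the error_page target), while the handler is a constructed stub whose session table, /admin rule and portal redirect target are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def build_subrequest(req: Request) -> dict:
    """FastCGI params the /lmauth location forwards: body dropped, Host and URI kept."""
    return {
        "CONTENT_LENGTH": "",                         # fastcgi_pass_request_body off
        "HOST": req.host,                             # fastcgi_param HOST $http_host
        "X_ORIGINAL_URI": req.uri,                    # fastcgi_param X_ORIGINAL_URI $request_uri
        "HTTP_COOKIE": req.headers.get("Cookie", ""),
    }


def stub_handler(params: dict, sessions: dict) -> tuple:
    """Constructed stand-in for the FastCGI handler (not LL::NG's own logic):
    401 without a valid session, 403 when the user may not reach /admin,
    200 plus Lm-Remote-User / Auth-User headers otherwise."""
    cookies = dict(p.strip().split("=", 1) for p in params["HTTP_COOKIE"].split(";") if "=" in p)
    user = sessions.get(cookies.get("lemonldap"))
    if user is None:
        return 401, {"Location": "http://auth.example.com/"}   # constructed portal target
    if params["X_ORIGINAL_URI"].startswith("/admin") and user != "rtyler":   # constructed rule
        return 403, {}
    return 200, {"Lm-Remote-User": user, "Auth-User": user}


ERROR_PAGES = {403: "http://auth.example.com/?lmError=403"}   # from the error_page block above


def serve(req: Request, sessions: dict) -> dict:
    """What 'location /' does with the subrequest result."""
    status, hdrs = stub_handler(build_subrequest(req), sessions)
    if status == 401:
        # auth_request_set $lmlocation + error_page 401 $lmlocation: redirect to the portal
        return {"status": 302, "Location": hdrs["Location"]}
    if status in ERROR_PAGES:
        # error_page 403 http://... makes Nginx answer with a 302 to that URL
        return {"status": 302, "Location": ERROR_PAGES[status]}
    # auth_request_set $lmremote_user $upstream_http_lm_remote_user, then serve the request
    return {"status": 200, "REMOTE_USER": hdrs["Lm-Remote-User"], "Auth-User": hdrs["Auth-User"]}
```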
< / div >
<!-- EDIT13 SECTION "Handler" [14656 - 17742] -->
< h2 class = "sectionedit14" id = "configuration_reload" > Configuration reload< / h2 >
< div class = "level2" >
< div class = "noteclassic" > As Handlers keep the configuration in a cache, they must be updated whenever the configuration changes. An Apache restart will work, but LemonLDAP::NG also offers a means to reload them through an HTTP request. The reload then takes effect in less than 10 minutes. To change this timeout, set < code > checkTime = 240< / code > in your lemonldap-ng.ini file < em > (value in seconds)< / em >
< / div >
< p >
After the configuration is saved by the Manager, LemonLDAP::NG will try to reload the configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in the Manager, < code > General Parameters< / code > > < code > reload configuration URLs< / code > : keys are the server names or < abbr title = "Internet Protocol" > IP< / abbr > addresses the requests will be sent to, and values are the URLs requested.
< / p >
< p >
These parameters can be overwritten in LemonLDAP::NG ini file, in the section < code > apply< / code > .
< / p >
< div class = "notetip" > You only need one reload < abbr title = "Uniform Resource Locator" > URL< / abbr > per physical server, as the Handlers on a physical server share the same configuration cache.
< / div >
< p >
The < code > reload< / code > target is managed in the Apache or Nginx configuration, inside a virtual host protected by the LemonLDAP::NG Handler (see the examples in the Apache→Handler and Nginx→Handler sections).
< / p >
< div class = "noteimportant" > You must allow your Manager's < abbr title = "Internet Protocol" > IP< / abbr > address to access the declared URLs.
< / div > < div class = "noteimportant" > If you want to use the reload mechanism on a portal-only host, you must install a Handler in the Portal host so that it can refresh the local cache: include < code > handler-nginx.conf< / code > or < code > handler-apache2.conf< / code > , for example.
< / div >
< / div >
<!-- EDIT14 SECTION "Configuration reload" [17743 - 19256] -->
< h2 class = "sectionedit15" id = "local_file" > Local file< / h2 >
< div class = "level2" >
< p >
LemonLDAP::NG configuration can be managed in a local file with < a href = "http://en.wikipedia.org/wiki/INI_file" class = "urlextern" title = "http://en.wikipedia.org/wiki/INI_file" rel = "nofollow" > INI format< / a > . This file is called < code > lemonldap-ng.ini< / code > and has the following sections:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < strong > configuration< / strong > : where configuration is stored< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > apply< / strong > : reload < abbr title = "Uniform Resource Locator" > URL< / abbr > for distant Handlers< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > all< / strong > : parameters for all modules< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > portal< / strong > : parameters only for Portal< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > manager< / strong > : parameters only for Manager< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > handler< / strong > : parameters only for Handler< / div >
< / li >
< / ul >
< p >
When you set a parameter in < code > lemonldap-ng.ini< / code > , it will override the parameter from the global configuration.
< / p >
< p >
For example, to override configured skin for portal:
< / p >
< pre class = "code file ini" > < span class = "re0" > < span class = "br0" > [ < / span > portal< span class = "br0" > ] < / span > < / span >
< span class = "re1" > portalSkin< / span > < span class = "sy0" > =< / span > < span class = "re2" > dark< / span > < / pre >
< div class = "notetip" > You need to know the technical name of configuration parameter to do this. You can refer to < a href = "parameterlist.html" class = "wikilink1" title = "documentation:2.0:parameterlist" > parameter list< / a > to find it.
< / div >
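How the ini sections layer on the global configuration, and how the < code > apply< / code > section from the reload section above is read, as an added Python model that is not part of this page or of LemonLDAP::NG. It assumes the module section ([portal], [manager] or [handler]) is applied after [all], so it wins on conflicts; the global configuration values and the ini content are constructed samples (only < code > portalSkin< / code > and < code > checkTime< / code > come from this page).

```python
import configparser

# Constructed global configuration, as the Manager would have saved it
GLOBAL_CONF = {"portalSkin": "bootstrap", "checkTime": 600, "domain": "example.com"}

# Constructed lemonldap-ng.ini content (sample values)
INI_TEXT = """
[configuration]
type = File
dirName = /var/lib/lemonldap-ng/conf

[apply]
reload.example.com = http://reload.example.com/reload

[all]
checkTime = 240

[portal]
portalSkin = dark
"""

MODULES = ("portal", "manager", "handler")


def load_ini(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep camelCase keys such as portalSkin
    cp.read_string(ini_text)
    return cp


def effective_conf(global_conf: dict, ini_text: str, module: str) -> dict:
    """Global configuration with [all] and then the module section layered on top
    (assumed order: the module section overrides [all], both override global)."""
    if module not in MODULES:
        raise ValueError(f"unknown module {module!r}")
    cp = load_ini(ini_text)
    conf = dict(global_conf)
    for section in ("all", module):
        if not cp.has_section(section):
            continue
        for key, value in cp.items(section):
            # ini values are strings; keep the global parameter's type when it is an int
            conf[key] = int(value) if isinstance(global_conf.get(key), int) else value
    return conf


def reload_targets(ini_text: str) -> list:
    """(server, URL) pairs from [apply]: the host the request goes to and the URL requested."""
    cp = load_ini(ini_text)
    return list(cp.items("apply")) if cp.has_section("apply") else []
```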
< / div >
<!-- EDIT15 SECTION "Local file" [19257 - ] --> < / div >
< / body >
< / html >