REST session backend
====================

Session <type> can be 'global' for SSO sessions or 'persistent' for
persistent sessions.

LL::NG portal provides REST end points for sessions management:

- GET /sessions/<type>/<session-id> : get session data
- GET /sessions/<type>/<session-id>/<key> : get a session key value
- GET /sessions/<type>/<session-id>/[k1,k2] : get some session key values
- POST /sessions/<type> : create a session
- PUT /sessions/<type>/<session-id> : update some keys
- DELETE /sessions/<type>/<session-id> : delete a session
Sessions for connected users (used by :doc:`LLNG Proxy<authproxy>`):

- GET /session/my/<type> : get session data
- GET /session/my/<type>/<key> : get a session key value
- DELETE /session/my : ask for logout
Authorizations for connected users (always enabled):

- GET /mysession/?authorizationfor=<base64-encoded-url> : ask if the URL is
  authorized
This session backend can be used to share sessions stored in a
non-network backend (like the
:doc:`file session backend<filesessionbackend>`) or in a network backend
protected by a firewall that only accepts HTTP flows.

Most of the time, the REST session backend is used by Handlers installed on
external servers.

To configure it, the REST session backend is set through the Manager in the
global configuration (used by all Handlers), and the real session
backend is configured for local components in lemonldap-ng.ini.
Setup
-----

Manager
~~~~~~~

First, activate REST in ``General parameters`` » ``Plugins`` »
``Portal servers`` » ``REST session server``.

Then, set ``Lemonldap::NG::Common::Apache::Session::REST`` in
``General parameters`` » ``Sessions`` » ``Session storage`` »
``Apache::Session module`` and add the following parameters (case
sensitive):
=================== ======================================== ==================================================
Required parameters
---------------------------------------------------------------------------------------------------------------
Name                Comment                                  Example
=================== ======================================== ==================================================
**baseUrl**         URL of sessions REST end point           http://auth.example.com/index.fcgi/sessions/global
=================== ======================================== ==================================================

=================== ======================================== ==================================================
Optional parameters
---------------------------------------------------------------------------------------------------------------
Name                Comment                                  Example
=================== ======================================== ==================================================
**user**            Username to use for auth basic mechanism
**password**        Password to use for auth basic mechanism
=================== ======================================== ==================================================

.. attention::

    By default, user password and other secret keys are
    hidden by LLNG REST server. You can force REST server to export their
    real values by selecting "Export secret attributes in REST" in the
    manager. This less secure option is disabled by default.

Apache
~~~~~~

Access to the sessions REST end points must be allowed in the Apache portal
configuration (for example, access by IP range):

.. code-block:: apache

    # REST/SOAP functions for sessions access (disabled by default)
    <Location /index.fcgi/sessions>
        # Apache 2.4 syntax: the "ip" provider restricts access to the given range
        Require ip 192.168.2.0/24
    </Location>

Real session backend
~~~~~~~~~~~~~~~~~~~~

Real session backend will be configured in ``lemonldap-ng.ini``, in
``portal`` section (the portal hosts the REST service for sessions, and
will do the link between REST requests and real sessions).

For example, if real sessions are stored in
:doc:`files<filesessionbackend>`:

.. code-block:: ini

    [portal]
    globalStorage = Apache::Session::File
    globalStorageOptions = { 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', }

.. tip::

    Session explorer and "single session" features can't be used
    with this backend. Session explorer and portal must be launched with
    the real backend.

By default, only a few session keys are shared by REST
(authenticationLevel, groups, ipAddr, \_startTime, \_utime, \_lastSeen,
\_session_id); you need to define which other keys you want to share in
``General parameters`` » ``Plugins`` » ``Portal servers`` »
``SOAP/REST exported attributes``.

You must start with ``+`` to keep default keys, else they will not be
shared. For example:

::

    + uid cn mail

To share only the listed attributes:

::

    authenticationLevel groups ipAddr _startTime _utime _lastSeen _session_id uid cn mail
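As an added example (not LLNG's own code), here is a minimal in-memory model of the portal-side REST session service described above: route matching for the GET endpoints, the ``+`` rule for ``SOAP/REST exported attributes``, and the hiding of secret keys unless "Export secret attributes in REST" is enabled. The response body shape, the ``_password`` key name and the store layout are assumptions.

```python
import re
from urllib.parse import unquote

# Keys LLNG shares by default (listed on this page).
DEFAULT_KEYS = ["authenticationLevel", "groups", "ipAddr", "_startTime",
                "_utime", "_lastSeen", "_session_id"]
# Assumption: the session key holding the user password, hidden unless
# "Export secret attributes in REST" is enabled.
SECRET_KEYS = {"_password"}

ROUTE = re.compile(r"^/sessions/(global|persistent)/([A-Za-z0-9]+)(?:/(.+))?$")


def exported_keys(setting):
    """'SOAP/REST exported attributes' rule: a leading '+' keeps the
    default keys, otherwise only the listed keys are shared."""
    words = setting.split()
    if words and words[0] == "+":
        return DEFAULT_KEYS + [w for w in words[1:] if w not in DEFAULT_KEYS]
    return words


def filter_session(session, setting, export_secrets=False):
    """Subset of a session the REST server would expose to a Handler."""
    allowed = set(exported_keys(setting))
    return {k: v for k, v in session.items()
            if k in allowed and (export_secrets or k not in SECRET_KEYS)}


def rest_get(store, path, setting="+", export_secrets=False):
    """Model GET /sessions/<type>/<id>, .../<key> and .../[k1,k2].
    store is {type: {session_id: session dict}} (constructed, in-memory).
    Returns (status, body); body is a dict of the visible keys, which is
    an assumed response shape, not LLNG's actual wire format."""
    m = ROUTE.match(path)
    if not m:
        return 404, None
    stype, sid, rest = m.groups()
    session = store.get(stype, {}).get(sid)
    if session is None:
        return 404, None
    visible = filter_session(session, setting, export_secrets)
    if rest is None:
        return 200, visible
    rest = unquote(rest)  # [k1,k2] may arrive URL-encoded as %5Bk1,k2%5D
    wanted = rest[1:-1].split(",") if rest[:1] == "[" and rest[-1:] == "]" else [rest]
    if any(k not in visible for k in wanted):
        return 404, None  # hidden and missing keys look the same to the client
    return 200, {k: visible[k] for k in wanted}
```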