LemonLDAP::NG configuration is stored in a backend that allows all modules to access it.
</p>
<div class="noteimportant">Note that all <abbr title="LemonLDAP::NG">LL::NG</abbr> components must have access:<ul>
<li class="level1"><div class="li"> to the configuration backend</div>
</li>
<li class="level1"><div class="li"> to the sessions storage backend</div>
</li>
</ul>
<p>
Detailed configuration backends documentation is available <a href="start.html#configuration_database" class="wikilink1" title="documentation:2.0:start">here</a>.
</p>
</div>
<p>
By default, configuration is stored in <a href="fileconfbackend.html" class="wikilink1" title="documentation:2.0:fileconfbackend">files</a>, so access through the network is not possible. To allow this, use <a href="soapconfbackend.html" class="wikilink1" title="documentation:2.0:soapconfbackend">SOAP</a> for configuration access, or use a network service like an <a href="sqlconfbackend.html" class="wikilink1" title="documentation:2.0:sqlconfbackend">SQL database</a> or an <a href="ldapconfbackend.html" class="wikilink1" title="documentation:2.0:ldapconfbackend">LDAP directory</a>.
</p>
<p>
The configuration backend can be set in the <a href="#local_file" title="documentation:2.0:configlocation ↵" class="wikilink1">local configuration file</a>, in the <code>configuration</code> section.
</p>
<p>
For example, to configure the <code>File</code> configuration backend:
<div class="notetip">See <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">How to change configuration backend</a> to know how to change this.
</div>
</div>
<!-- EDIT2 SECTION "Backends" [39-1047] -->
<h2 class="sectionedit3" id="manager">Manager</h2>
<div class="level2">
<p>
Most of the configuration can be done through the LemonLDAP::NG Manager (by default <a href="http://manager.example.com" class="urlextern" title="http://manager.example.com" rel="nofollow">http://manager.example.com</a>).
<div class="noteimportant">This user will not be available anymore if you configure a new authentication backend! Remember to change the access rule in the Manager virtual host to allow new administrators.
</div>
<p>
If you cannot access the Manager anymore, you can unprotect it by editing <code>lemonldap-ng.ini</code> and changing the <code>protection</code> parameter:
</p>
<pre># Manager protection: by default, the manager is protected by a demo account.
# You can protect it :
# * by Apache itself,
# * by the parameter 'protection' which can take one of the following
# values :
# * authenticate : all authenticated users can access
# * manager : manager is protected like other virtual hosts: you
# have to set rules in the corresponding virtual host
# * rule: &lt;rule&gt; : you can set here directly the rule to apply
# * none : no protection</pre>
<div class="notetip">See <a href="managerprotection.html" class="wikilink1" title="documentation:2.0:managerprotection">Manager protection documentation</a> to know how to use Apache modules or <abbr title="LemonLDAP::NG">LL::NG</abbr> to manage access to Manager.
<li class="level1"><div class="li"><strong>Variables</strong>: User information, macros and groups used to fill <abbr title="Single Sign On">SSO</abbr> session</div>
LemonLDAP::NG configuration is mainly a key/value structure, so Manager presents all keys in a structured tree. Clicking on a key displays the associated value.
</p>
<p>
When all modifications are done, click on <code>Save</code> to store configuration.
</p>
<div class="notewarning">LemonLDAP::NG will do some checks on configuration and display errors and warnings if any. Configuration <strong>is not saved</strong> if errors occur.
</div>
</div>
<!-- EDIT3 SECTION "Manager" [1048-3236] -->
<h2 class="sectionedit4" id="configuration_text_editor">Configuration text editor</h2>
LemonLDAP::NG provides a script that allows one to edit the configuration without a graphical interface. This script is called <code>lmConfigEditor</code> and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
LemonLDAP::NG provides a script that allows one to edit configuration items in non-interactive mode. This script is called <code>lemonldap-ng-cli</code> and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
After enabling any REST/SOAP endpoints in the Manager, you also need to configure some form of authentication on the corresponding URLs in the <strong>portal-apache2.conf</strong> configuration file.
In order to allow configuration reload from a different server (if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in
<div class="notewarning"><a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI</a> server must be enabled and started separately.
After enabling any REST/SOAP endpoints in the Manager, you also need to configure some form of authentication on the corresponding URLs in the <strong>portal-nginx.conf</strong> configuration file.
In order to allow configuration reload from a different server (if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in
<div class="noteclassic">As Handlers keep configuration in cache, when the configuration changes, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers a means to reload them through an HTTP request. Configuration reload will then be effective in less than 10 minutes. If you want to change this timeout, set <code>checkTime = 240</code> in your lemonldap-ng.ini file <em>(values in seconds)</em>
After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in Manager, <code>General Parameters</code> &gt; <code>reload configuration URLs</code>: keys are the server names or <abbr title="Internet Protocol">IP</abbr> addresses the requests will be sent to, and values are the requested URLs.
<div class="noteimportant">The configuration file is compacted to limit file size. All useless parameters are removed. Typically, if the SAMLv2 service is disabled, all related parameters will be erased. To prevent unused parameters from being purged, you can enable the "Don't compact configuration file" option.
These parameters can be overwritten in LemonLDAP::NG ini file, in the section <code>apply</code>.
</p>
<div class="notetip">You only need one reload <abbr title="Uniform Resource Locator">URL</abbr> per physical server, as Handlers share the same configuration cache on each physical server.
The <code>reload</code> target is managed in Apache or Nginx configuration, inside a virtual host protected by LemonLDAP::NG Handler (see below examples in Apache->handler or Nginx->Handler).
</div><div class="noteimportant">If reload <abbr title="Uniform Resource Locator">URL</abbr> is served in HTTPS, to avoid "Error 500 (certificate verify failed)", Go to :
</div><div class="noteimportant">If you want to use the reload mechanism on a portal-only host, you must install a handler on the Portal host to be able to refresh the local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code> for example
Practical use case: configure reload in an <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster. In this case you will have two servers (with <abbr title="Internet Protocol">IP</abbr> 1.1.1.1 and 1.1.1.2), but you can keep only one reload <abbr title="Uniform Resource Locator">URL</abbr> (reload.example.com):
LemonLDAP::NG configuration can be managed in a local file with <a href="http://en.wikipedia.org/wiki/INI_file" class="urlextern" title="http://en.wikipedia.org/wiki/INI_file" rel="nofollow">INI format</a>. This file is called <code>lemonldap-ng.ini</code> and has the following sections:
</p>
<ul>
<li class="level1"><div class="li"><strong>configuration</strong>: where configuration is stored</div>
</li>
<li class="level1"><div class="li"><strong>apply</strong>: reload <abbr title="Uniform Resource Locator">URL</abbr> for distant Handlers</div>
</li>
<li class="level1"><div class="li"><strong>all</strong>: parameters for all modules</div>
</li>
<li class="level1"><div class="li"><strong>portal</strong>: parameters only for Portal</div>
</li>
<li class="level1"><div class="li"><strong>manager</strong>: parameters only for Manager</div>
</li>
<li class="level1"><div class="li"><strong>handler</strong>: parameters only for Handler</div>
</li>
</ul>
<p>
When you set a parameter in <code>lemonldap-ng.ini</code>, it will override the parameter from the global configuration.
</p>
<p>
For example, to override configured skin for portal:
<div class="notetip">You need to know the technical name of the configuration parameter to do this. You can refer to the <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">parameter list</a> to find it.
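<p>
Because the <code>protection</code> parameter described in the Manager section and the local overrides described here both live in <code>lemonldap-ng.ini</code>, a review of that file should report both. The following is an added example, not part of the LemonLDAP::NG documentation or code base; the sample file is constructed, and <code>portalSkin</code> with the value <code>bootstrap</code> is an assumed parameter and value for the skin override.
</p>

```python
import configparser

# Sections whose keys override the global configuration (from the page's list).
OVERRIDE_SECTIONS = ("all", "portal", "manager", "handler")

# Constructed sample of a lemonldap-ng.ini; portalSkin/bootstrap are assumed.
SAMPLE_INI = """\
[configuration]
type = File

[portal]
portalSkin = bootstrap

[manager]
# left in place after an emergency recovery
protection = none
"""

def parse_ini(text):
    # Split on '=' only (values such as "rule: ..." contain ':'), no '%' interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   comment_prefixes=("#", ";"), strict=False)
    cp.optionxform = str  # keep parameter names case-sensitive
    cp.read_string(text)
    return cp

def manager_protection(cp):
    """Return (value, severity, message) for the [manager] protection parameter."""
    value = cp.get("manager", "protection", fallback=None)
    if value is None:
        return None, "info", "not set in this file; check web server access control"
    v = value.strip()
    if v == "none":
        return v, "critical", "Manager has no protection"
    if v == "authenticate":
        return v, "warning", "all authenticated users can access the Manager"
    if v == "manager":
        return v, "ok", "access governed by the Manager virtual host rules"
    if v.startswith("rule:"):
        return v, "ok", "inline rule: " + v[5:].strip()
    return v, "warning", "unrecognised protection value"

def local_overrides(cp):
    """List (section, parameter, value) entries that override the global configuration."""
    return [(s, k, v) for s in OVERRIDE_SECTIONS if cp.has_section(s)
            for k, v in cp.items(s)]

if __name__ == "__main__":
    print(manager_protection(parse_ini(SAMPLE_INI)))
    print(local_overrides(parse_ini(SAMPLE_INI)))
```

<p>
Run it against the file on each server: overrides are local to the host that carries them, so they do not show up in the configuration tree presented by the Manager.
</p>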