<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:configlocation</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,configlocation" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="configlocation.html" />
<link rel="contents" href="configlocation.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
</head>
<body>
<div class="dokuwiki export container"><!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#backends">Backends</a></div></li>
<li class="level1"><div class="li"><a href="#manager">Manager</a></div></li>
<li class="level1"><div class="li"><a href="#configuration_text_editor">Configuration text editor</a></div></li>
<li class="level1"><div class="li"><a href="#command_line_interface_cli">Command line interface (CLI)</a></div></li>
<li class="level1"><div class="li"><a href="#apache">Apache</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager1">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#handler">Handler</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#nginx">Nginx</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal1">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager2">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#handler1">Handler</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#configuration_reload">Configuration reload</a></div></li>
<li class="level1"><div class="li"><a href="#local_file">Local file</a></div></li>
</ul>
</div>
</div><!-- TOC END -->
<h1 class="sectionedit1" id="configuration_overview">Configuration overview</h1>
<div class="level1">
</div><!-- EDIT1 SECTION "Configuration overview" [1 - 38] -->
<h2 class="sectionedit2" id="backends">Backends</h2>
<div class="level2">
<p>
The LemonLDAP::NG configuration is stored in a backend that every module can reach.
</p>
<div class="noteimportant">All <abbr title="LemonLDAP::NG">LL::NG</abbr> components must have access to:<ul>
<li class="level1"><div class="li">the configuration storage</div>
</li>
<li class="level1"><div class="li">the session storage</div>
</li>
</ul>
<p>
The detailed configuration of the storage backends is available <a href="start.html#configuration_database" class="wikilink1" title="documentation:2.0:start">here</a>.
</p>
</div>
<p>
By default, the configuration is stored in <a href="fileconfbackend.html" class="wikilink1" title="documentation:2.0:fileconfbackend">files</a>, so access over the network is generally not possible. To work around this, use <a href="soapconfbackend.html" class="wikilink1" title="documentation:2.0:soapconfbackend">SOAP</a> for configuration access, or a network service such as an <a href="sqlconfbackend.html" class="wikilink1" title="documentation:2.0:sqlconfbackend">SQL database</a> or an <a href="ldapconfbackend.html" class="wikilink1" title="documentation:2.0:ldapconfbackend">LDAP directory</a>.
</p>
<p>
The configuration backend is set in the <a href="#local_file" title="documentation:2.0:configlocation ↵" class="wikilink1">local configuration file</a>, in the <code>configuration</code> section.
</p>
<p>
For example, to configure the <code>File</code> configuration backend:
</p>
<pre class="code file ini">[configuration]
type=File
dirName=/usr/local/lemonldap-ng/data/conf</pre>
<div class="notetip">See <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">How to change the configuration backend</a>.
</div>
</div><!-- EDIT2 SECTION "Backends" [39 - 1047] -->
<h2 class="sectionedit3" id="manager">Manager</h2>
<div class="level2">
<p>
Most of the configuration can be done through the LemonLDAP::NG manager (by default <a href="http://manager.example.com" class="urlextern" title="http://manager.example.com" rel="nofollow">http://manager.example.com</a>).
</p>
<p>
By default, the manager is protected and only allows the demo user “dwho”.
</p>
<div class="noteimportant">This user is no longer available once you change the authentication backend! Do not forget to change the access rule of the manager virtual host to allow the new administrators.
</div>
<p>
If access to the manager is lost, it can be unprotected by editing <code>lemonldap-ng.ini</code> and changing the <code>protection</code> parameter:
</p>
<pre class="code file ini">[manager]
# Manager protection: by default, the manager is protected by a demo account.
# You can protect it :
#   * by Apache itself,
#   * by the parameter 'protection' which can take one of the following
#     values :
#     * authenticate : all authenticated users can access
#     * manager : manager is protected like other virtual hosts: you
#       have to set rules in the corresponding virtual host
#     * rule: &lt;rule&gt; : you can set here directly the rule to apply
#     * none : no protection</pre>
<div class="notetip">See the <a href="managerprotection.html" class="wikilink1" title="documentation:2.0:managerprotection">manager protection documentation</a> to learn how to use Apache modules or <abbr title="LemonLDAP::NG">LL::NG</abbr> itself to manage access to the manager.
</div>
<p>
The manager displays the following main branches:
</p>
<ul>
<li class="level1"><div class="li"><strong>General parameters</strong>: authentication modules, portal, etc.</div>
</li>
<li class="level1"><div class="li"><strong>Variables</strong>: user information, macros and groups used to populate the <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
<li class="level1"><div class="li"><strong>Virtual hosts</strong>: access rules, headers, etc.</div>
</li>
<li class="level1"><div class="li"><strong><abbr title="Security Assertion Markup Language">SAML</abbr> service</strong>: <abbr title="Security Assertion Markup Language">SAML</abbr> metadata administration</div>
</li>
<li class="level1"><div class="li"><strong><abbr title="Security Assertion Markup Language">SAML</abbr> identity providers</strong>: registered IDPs</div>
</li>
<li class="level1"><div class="li"><strong><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</strong>: registered SPs</div>
</li>
<li class="level1"><div class="li"><strong>OpenID-Connect service</strong>: OpenID-Connect service configuration</div>
</li>
<li class="level1"><div class="li"><strong>OpenID-Connect providers</strong>: registered OPs</div>
</li>
<li class="level1"><div class="li"><strong>OpenID-Connect clients</strong>: registered RPs</div>
</li>
</ul>
<p>
The LemonLDAP::NG configuration is essentially a key/value structure, so the manager presents all keys as a structured tree. Clicking a key displays its associated value.
</p>
<p>
Once all changes are done, click <code>Save</code> to store the configuration.
</p>
<div class="notewarning">LemonLDAP::NG then runs some checks on the configuration and displays any errors and warnings. The configuration <strong>is not saved</strong> if there is an error.
</div>
</div><!-- EDIT3 SECTION "Manager" [1048 - 3236] -->
<h2 class="sectionedit4" id="configuration_text_editor">Configuration text editor</h2>
<div class="level2">
<p>
LemonLDAP::NG provides a script that allows one to edit the configuration without a graphical interface. This script is called <code>lmConfigEditor</code> and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lmConfigEditor</pre>
<div class="notetip">This script must be run as root; it then uses the Apache user and group to access the configuration.
</div>
<p>
This script uses the system <code>editor</code> command, which is linked to the preferred editor. To change it:
</p>
<pre class="code">update-alternatives --config editor</pre>
<p>
The configuration is displayed as one big Perl hash, which can be edited:
</p>
<pre class="code file perl">$VAR1 = {
          'ldapAuthnLevel' =&gt; '2',
          'notificationWildcard' =&gt; 'allusers',
          'loginHistoryEnabled' =&gt; '1',
          'key' =&gt; 'q`e)kJE%&lt;&amp;wm&gt;uaA',
          'samlIDPSSODescriptorSingleSignOnServiceHTTPPost' =&gt; 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
          'portalSkin' =&gt; 'pastel',
          'failedLoginNumber' =&gt; '5',
          ...
        };</pre>
<p>
If a change is made, the configuration is saved with a new number. Otherwise, the current configuration is kept.
</p>
</div><!-- EDIT4 SECTION "Configuration text editor" [3237 - 4465] -->
<h2 class="sectionedit5" id="command_line_interface_cli">Command line interface (CLI)</h2>
<div class="level2">
<div class="notewarning">This is an experimental tool that will evolve in the next versions.
</div>
<p>
LemonLDAP::NG provides a script that allows one to edit configuration items in non-interactive mode. This script is called <code>lemonldap-ng-cli</code> and is located in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli</pre>
<div class="notetip">This script must be run as root; it then uses the Apache user and group to access the configuration.
</div>
<p>
To list the available actions, run:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli help</pre>
<p>
You can force the configuration cache to be updated:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache</pre>
<p>
To get some information about the current configuration:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli info</pre>
<p>
To view a configuration parameter, for example the portal <abbr title="Uniform Resource Locator">URL</abbr>:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal</pre>
<p>
To set a parameter, for example the domain:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set domain example.org</pre>
<p>
You can use “accessors” (options) to change the behaviour:
</p>
<ul>
<li class="level1"><div class="li">-sep: separator for hierarchical values (default: /).</div>
</li>
<li class="level1"><div class="li">-iniFile: the lemonldap-ng.ini file to use if it is not the default one.</div>
</li>
<li class="level1"><div class="li">-yes: do not ask for confirmation before saving.</div>
</li>
<li class="level1"><div class="li">-cfgNum: the configuration number. If not set, the latest configuration is used.</div>
</li>
<li class="level1"><div class="li">-force: set to 1 to save a configuration older than the latest one.</div>
</li>
</ul>
<p>
Some examples:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace</pre>
</div><!-- EDIT5 SECTION "Command Line Interface (CLI)" [4466 - 6288] -->
<h2 class="sectionedit6" id="apache">Apache</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage the Apache configuration
</div>
<p>
LemonLDAP::NG provides 3 Apache configuration files:
</p>
<ul>
<li class="level1"><div class="li"><strong>portal-apache2.conf</strong>: portal virtual host, with SOAP/REST end points</div>
</li>
<li class="level1"><div class="li"><strong>manager-apache2.conf</strong>: manager virtual host</div>
</li>
<li class="level1"><div class="li"><strong>handler-apache2.conf</strong>: handler declaration, reload and virtual host example</div>
</li>
</ul>
<p>
See <a href="configapache.html" class="wikilink1" title="documentation:2.0:configapache">how to deploy them</a>.
</p>
</div><!-- EDIT6 SECTION "Apache" [6289 - 6687] -->
<h3 class="sectionedit7" id="portal">Portal</h3>
<div class="level3">
<p>
The portal virtual host contains several configuration elements:
</p>
<ul>
<li class="level1"><div class="li">Standard virtual host directives to serve the portal pages:</div>
</li>
</ul>
<pre class="code file apache">ServerName auth.example.com
# DocumentRoot
DocumentRoot /usr/local/lemonldap-ng/htdocs/portal/
&lt;Directory /usr/local/lemonldap-ng/htdocs/portal/&gt;
    Require all granted
    Options +ExecCGI +FollowSymLinks
&lt;/Directory&gt;
# For performance, you can put static html files: simply put the HTML
# result (example: /oauth2/checksession.html) as static file. Then
# uncomment the following line.
# RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]

# Note that Content-Security-Policy header is generated by portal itself
&lt;Files *.fcgi&gt;
    SetHandler fcgid-script
    #CGIPassAuth on
    Options +ExecCGI
&lt;/Files&gt;
# Static files
Alias /static/ __PORTALSTATICDIR__/
&lt;Directory __PORTALSTATICDIR__&gt;
    Require all granted
    Options +FollowSymLinks
&lt;/Directory&gt;
&lt;Location /static/&gt;
    &lt;IfModule mod_expires.c&gt;
        ExpiresActive On
        ExpiresDefault "access plus 1 month"
    &lt;/IfModule&gt;
&lt;/Location&gt;
&lt;IfModule mod_dir.c&gt;
    DirectoryIndex index.fcgi index.html
&lt;/IfModule&gt;</pre>
<ul>
<li class="level1"><div class="li">REST/SOAP end points (disabled by default):</div>
</li>
</ul>
<pre class="code file apache"># REST/SOAP functions for sessions management (disabled by default)
&lt;Location /index.fcgi/adminSessions&gt;
    Require all denied
&lt;/Location&gt;
# REST/SOAP functions for sessions access (disabled by default)
&lt;Location /index.fcgi/sessions&gt;
    Require all denied
&lt;/Location&gt;
# REST/SOAP functions for configuration access (disabled by default)
&lt;Location /index.fcgi/config&gt;
    Require all denied
&lt;/Location&gt;
# REST/SOAP functions for notification insertion (disabled by default)
&lt;Location /index.fcgi/notification&gt;
    Require all denied
&lt;/Location&gt;</pre>
</div><!-- EDIT7 SECTION "Portal" [6688 - 8788] -->
<h3 class="sectionedit8" id="manager1">Manager</h3>
<div class="level3">
<p>
The manager virtual host is used to serve the configuration interface and the local documentation. If it is run as a FastCGI application:
</p>
<pre class="code file apache"># FASTCGI CONFIGURATION
# ---------------------
# 1) URI handling
RewriteEngine on
RewriteRule "^/$" "/psgi/manager-server.fcgi" [PT]
# For better performance, you can remove the RewriteRule line above after
# putting static html files: simply put the HTML results of the different modules
# (configuration, sessions, notifications) in manager.html, sessions.html,
# notifications.html, then uncomment the 2 following lines:
# DirectoryIndex manager.html
# RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
# REST URLs
RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|fr-doc|lib).*"
RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
Alias /psgi/ /var/lib/lemonldap-ng/manager/psgi/
# 2) FastCGI engine
# Any FastCGI system can be used. Here is an example using mod_fcgid
# mod_fcgid configuration
&lt;Directory /var/lib/lemonldap-ng/manager/psgi/&gt;
    SetHandler fcgid-script
    Options +ExecCGI
&lt;/Directory&gt;
# To use mod_fastcgi, replace the previous lines with:
#FastCgiServer /var/lib/lemonldap-ng/manager/psgi/manager-server.fcgi
# Or to simply use CGI, use /psgi/manager-server.cgi instead of
# /psgi/manager-server.fcgi and adapt the rewrite rules.</pre>
<p>
Access to the configuration interface is not protected by Apache but by LemonLDAP::NG itself (see <code>lemonldap-ng.ini</code>):
</p>
</div><!-- EDIT8 SECTION "Manager" [8789 - 10339] -->
<h3 class="sectionedit9" id="handler">Handler</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li">Load the handler into Apache memory:</div>
</li>
</ul>
<pre class="code file apache">PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler</pre>
<ul>
<li class="level1"><div class="li">Error page catching:</div>
</li>
</ul>
<pre class="code file apache">ErrorDocument 403 http://auth.example.com/?lmError=403
ErrorDocument 404 http://auth.example.com/?lmError=404
ErrorDocument 500 http://auth.example.com/?lmError=500
ErrorDocument 502 http://auth.example.com/?lmError=502
ErrorDocument 503 http://auth.example.com/?lmError=503</pre>
<ul>
<li class="level1"><div class="li">Reload virtual host:</div>
</li>
</ul>
<pre class="code file apache">&lt;VirtualHost *:80&gt;
    ServerName reload.example.com
    # Configuration reload mechanism (only one per physical server is
    # needed): choose a URL to avoid having to restart Apache when the
    # configuration changes
    &lt;Location /reload&gt;
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        SetHandler perl-script
        PerlResponseHandler Lemonldap::NG::Handler-&gt;reload
    &lt;/Location&gt;
    # Uncomment this to activate status module
    #&lt;Location /status&gt;
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.0/8
    #    SetHandler perl-script
    #    PerlResponseHandler Lemonldap::NG::Handler-&gt;status
    #&lt;/Location&gt;
&lt;/VirtualHost&gt;</pre>
<p>
Then, to protect a standard virtual host, the only configuration line to add is:
</p>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler</pre>
</div><!-- EDIT9 SECTION "Handler" [10340 - 11698] -->
<h2 class="sectionedit10" id="nginx">Nginx</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage the Nginx configuration
</div>
<p>
LemonLDAP::NG provides 3 Nginx configuration files:
</p>
<ul>
<li class="level1"><div class="li"><strong>portal-nginx.conf</strong>: portal virtual host, with REST/SOAP end points</div>
</li>
<li class="level1"><div class="li"><strong>manager-nginx.conf</strong>: manager virtual host</div>
</li>
<li class="level1"><div class="li"><strong>handler-nginx.conf</strong>: handler declaration, reload and virtual host example</div>
</li>
</ul>
<p>
See <a href="confignginx.html" class="wikilink1" title="documentation:2.0:confignginx">how to deploy them</a>.
</p>
<div class="notewarning">The <a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI server</a> must be started separately.
</div>
</div><!-- EDIT10 SECTION "Nginx" [11699 - 12152] -->
< h3 class = "sectionedit11" id = "portal1" > Portail< / h3 >
< div class = "level3" >
< p >
Dans l'hôte virtuel du portail se trouve plusieurs éléments de configuration :
< / p >
< ul >
< li class = "level1" > < div class = "li" > Directives standard d'hôte virtuel pour servir les pages du portail :< / div >
< / li >
< / ul >
< pre class = "code file nginx" > server {
  listen 80;
  server_name auth.example.com;
  root /var/lib/lemonldap-ng/portal/;

  if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
    rewrite ^/(.*)$ /index.psgi/$1 break;
  }

  location ~ \.psgi(?:$|/) {
    # Note that the Content-Security-Policy header is generated by the portal itself
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    # Uncomment this if you use SSL authentication. The "map" block itself must be
    # declared at the "http" level (outside any "server"); only the fastcgi_param
    # line belongs here:
    #map $ssl_client_s_dn $ssl_client_s_dn_cn {
    #  default "";
    #  ~/CN=(?&lt;CN&gt;[^/]+) $CN;
    #}
    #fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
  }

  index index.psgi;

  location / {
    try_files $uri $uri/ =404;
    # Uncomment this if you use HTTPS only
    #add_header Strict-Transport-Security "max-age=15768000";
  }
  location /static/ {
    alias __PORTALSTATICDIR__;
  }
}< / pre >
< ul >
< li class = "level1" > < div class = "li" > REST/SOAP endpoints (disabled by default):< / div >
< / li >
< / ul >
< pre class = "code file nginx" > # REST/SOAP functions for sessions management (disabled by default)
location /index.psgi/adminSessions {
  deny all;
}

# REST/SOAP functions for sessions access (disabled by default)
location /index.psgi/sessions {
  deny all;
}

# REST/SOAP functions for configuration access (disabled by default)
location /index.psgi/config {
  deny all;
}

# REST/SOAP functions for notification insertion (disabled by default)
location /index.psgi/notification {
  deny all;
}< / pre >
< / div > <!-- EDIT11 SECTION "Portal" [12153 - 13944] -->
< h3 class = "sectionedit12" id = "manager2" > Manager< / h3 >
< div class = "level3" >
< p >
The manager virtual host is used to serve the configuration interface and the local documentation.
< / p >
< pre class = "code file nginx" > server {
listen 80;
server_name manager.example.com;
root /usr/share/lemonldap-ng/manager/;
if ($uri !~ ^/(static|doc|fr-doc|lib|javascript)) {
rewrite ^/(.*)$ /manager.psgi/$1 break;
}
location /manager.psgi {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE manager;
fastcgi_param SCRIPT_NAME /manager.psgi;
}
location / {
index manager.psgi;
try_files $uri $uri/ =404;
}
}< / pre >
< p >
Access to the configuration interface is not protected by Nginx but by LemonLDAP::NG itself (see < code > lemonldap-ng.ini< / code > ).
< / p >
< / div > <!-- EDIT12 SECTION "Manager" [13945 - 14697] -->
< h3 class = "sectionedit13" id = "handler1" > Handler< / h3 >
< div class = "level3" >
< p >
The Nginx handler is provided by the < a href = "fastcgiserver.html" class = "wikilink1" title = "documentation:2.0:fastcgiserver" > LemonLDAP::NG FastCGI server< / a > .
< / p >
< ul >
< li class = "level1" > < div class = "li" > Intercept errors:< / div >
< / li >
< / ul >
< pre class = "code file nginx" > error_page 403 http://auth.example.com/?lmError=403;
error_page 404 http://auth.example.com/?lmError=404;
error_page 500 http://auth.example.com/?lmError=500;
error_page 502 http://auth.example.com/?lmError=502;
error_page 503 http://auth.example.com/?lmError=503;< / pre >
< ul >
< li class = "level1" > < div class = "li" > Virtual host for configuration reload:< / div >
< / li >
< / ul >
< pre class = "code file nginx" > server {
  listen 80;
  server_name reload.example.com;
  root /var/www/html;
  location = /reload {
    allow 127.0.0.1;
    deny all;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_param LLTYPE reload;
  }
  # Other requests
  location / {
    deny all;
  }
  # Uncomment this if the status module is enabled
  #location = /status {
  #  allow 127.0.0.1;
  #  deny all;
  #  include /etc/nginx/fastcgi_params;
  #  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
  #  fastcgi_param LLTYPE status;
  #}
}< / pre >
< p >
To protect a virtual host, insert the following (or create a file to include):
< / p >
< pre class = "code file nginx" > # Insert $_user into the logs
include /etc/lemonldap-ng/nginx-lmlog.conf;
access_log /var/log/nginx/access.log lm_combined;
# Internal call to the FastCGI server
location = /lmauth {
  internal;
  include /etc/nginx/fastcgi_params;
  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
  # The request body is never forwarded to the handler
  fastcgi_pass_request_body off;
  fastcgi_param CONTENT_LENGTH "";
  fastcgi_param HOST $http_host;
  fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
  auth_request /lmauth;
  auth_request_set $lmremote_user $upstream_http_lm_remote_user;
  auth_request_set $lmlocation $upstream_http_location;
  error_page 401 $lmlocation;
  try_files $uri $uri/ =404;
  # Set REMOTE_USER (for FastCGI applications only)
  #fastcgi_param REMOTE_USER $lmremote_user;
  ######################################
  # PASS HEADERS TO THE APPLICATION    #
  ######################################
  # IF LUA IS SUPPORTED
  #include /path/to/nginx-lua-headers.conf;
  # OTHERWISE
  # Set the headers by hand
  #auth_request_set $authuser $upstream_http_auth_user;
  #proxy_set_header Auth-User $authuser;
  # OR
  #fastcgi_param HTTP_AUTH_USER $authuser;
  # Then (if Lua is not supported), replace the Cookie header to hide the LLNG cookie
  #auth_request_set $lmcookie $upstream_http_cookie;
  #proxy_set_header Cookie $lmcookie;
  # OR
  #fastcgi_param HTTP_COOKIE $lmcookie;
  # Then insert the application configuration (fastcgi_* or proxy_*)< / pre >
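< p >
The exchange behind the block above, as an added example that is not part of the original page or of the LemonLDAP::NG code: nginx builds a body-less subrequest to < code > /lmauth< / code > , the handler answers 200 with the user headers (and a Cookie header with the SSO cookie removed) or 401 with a Location pointing at the portal, and < code > location /< / code > either proxies the request with the rewritten headers or redirects. The handler here is a constructed stand-in backed by an in-memory session table; the cookie name < code > lemonldap< / code > and the shape of the portal redirect URL are assumptions of this example.
< / p >

```python
"""Model of the nginx auth_request exchange with the LL::NG handler (constructed example)."""
from dataclasses import dataclass, field

PORTAL = "http://auth.example.com"   # assumed portal URL, as used in the page's examples
LLNG_COOKIE = "lemonldap"            # assumed name of the SSO cookie

# Constructed session store standing in for the real LL::NG session backend.
SESSIONS = {"a1b2c3": {"uid": "dwho", "mail": "dwho@example.com"}}


@dataclass
class Request:
    method: str
    host: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def lmauth_params(req):
    """FastCGI parameters nginx builds for the 'location = /lmauth' subrequest.
    The body is dropped (fastcgi_pass_request_body off, CONTENT_LENGTH "") and the
    original Host and URI travel in HOST and X_ORIGINAL_URI."""
    return {
        "REQUEST_METHOD": req.method,
        "CONTENT_LENGTH": "",
        "HOST": req.host,
        "X_ORIGINAL_URI": req.uri,
        "HTTP_COOKIE": req.headers.get("Cookie", ""),
    }


def parse_cookies(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; order of appearance is kept."""
    return dict(c.strip().split("=", 1) for c in header.split(";") if "=" in c)


def handler(params):
    """Constructed stand-in for the handler: returns (status, response headers).
    200 means 'let the request through'; 401 carries the portal Location."""
    cookies = parse_cookies(params["HTTP_COOKIE"])
    session = SESSIONS.get(cookies.get(LLNG_COOKIE))
    if session is None:
        target = "http://" + params["HOST"] + params["X_ORIGINAL_URI"]
        return 401, {"Location": PORTAL + "/?url=" + target}   # redirect format is assumed
    # Cookie header rebuilt without the SSO cookie, so the application never sees it
    others = "; ".join(f"{k}={v}" for k, v in cookies.items() if k != LLNG_COOKIE)
    return 200, {"Lm-Remote-User": session["uid"], "Auth-User": session["uid"], "Cookie": others}


def dispatch(req):
    """What 'location /' does with the subrequest result (auth_request semantics):
    2xx proxies the request with rewritten headers, 401 redirects through
    'error_page 401 $lmlocation', 403 is returned as is, anything else becomes a 500."""
    status, hdrs = handler(lmauth_params(req))
    if 200 <= status < 300:
        forwarded = dict(req.headers)
        forwarded["Auth-User"] = hdrs.get("Auth-User", "")   # proxy_set_header Auth-User $authuser
        forwarded["Cookie"] = hdrs.get("Cookie", "")         # proxy_set_header Cookie $lmcookie
        return {"action": "proxy", "remote_user": hdrs.get("Lm-Remote-User", ""), "headers": forwarded}
    if status == 401:
        return {"action": "redirect", "location": hdrs["Location"]}
    if status == 403:
        return {"action": "error", "status": 403}
    return {"action": "error", "status": 500}


if __name__ == "__main__":
    ok = dispatch(Request("GET", "app.example.com", "/private/", {"Cookie": "lemonldap=a1b2c3; theme=blue"}))
    print(ok["action"], ok["remote_user"], ok["headers"]["Cookie"])   # proxy dwho theme=blue
    anon = dispatch(Request("POST", "app.example.com", "/private/", {}, b"payload"))
    print(anon["action"], anon["location"])
```

< p >
Two things the model makes visible: the application only ever receives the identity that nginx copied from the handler's response headers (not anything the client sent), and the SSO cookie is stripped before the request is proxied, which is why the commented < code > proxy_set_header Cookie< / code > line matters whenever the Lua headers module is not available.
< / p >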
< / div > <!-- EDIT13 SECTION "Handler" [14698 - 17784] -->
< h2 class = "sectionedit14" id = "configuration_reload" > Configuration reload< / h2 >
< div class = "level2" >
< div class = "noteclassic" > Since handlers keep their configuration in cache, the handlers have to be updated whenever the configuration changes. Restarting Apache will work, but LemonLDAP::NG offers a way to reload them through an HTTP request. The configuration reload takes effect in less than 10 minutes.
< / div >
< p >
When the configuration is saved by the manager, LemonLDAP::NG tries to reload the configuration of remote handlers by sending an HTTP request to the servers. The servers and URLs can be configured in the manager, < code > General Parameters< / code > > < code > Configuration reload URLs< / code > : the keys are the server names or < abbr title = "Internet Protocol" > IP< / abbr > addresses the requests are sent to, and the values are the URLs to request.
< / p >
< p >
These parameters can be overridden in the LemonLDAP::NG ini file, in the < code > apply< / code > section.
< / p >
< div class = "notetip" > One < abbr title = "Uniform Resource Locator" > URL< / abbr > per physical server is required, since the handlers share the same configuration cache on each physical server.
< / div >
< p >
The < code > reload< / code > target is managed in the Apache or Nginx configuration, inside a virtual host protected by the LemonLDAP::NG Handler (see the examples in the Apache→Handler or Nginx→Handler sections).
< / p >
< div class = "noteimportant" > Access to the URL declared in the manager must be allowed from the address the manager sends the request from.
< / div >
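< p >
The two access rules that matter in the Nginx sections above, checked statically, as an added example that is not part of the original page or of LemonLDAP::NG: the four portal REST/SOAP locations must carry < code > deny all< / code > , and the < code > location = /reload< / code > rules must admit the address the manager reloads from (with the shipped < code > allow 127.0.0.1; deny all;< / code > a manager on another host is refused). The minimal nginx configuration parser and the sample configuration below are constructed for this example; in the sample, one of the four endpoint blocks has deliberately been left out.
< / p >

```python
"""Static checks on the nginx virtual hosts of this page (constructed example)."""
import ipaddress
import re

TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")


def tokenize(text):
    """Split nginx configuration text into tokens; '#' comments are dropped.
    Assumption: no '#', '{', '}' or ';' inside quoted strings or regexes."""
    tokens = []
    for line in text.splitlines():
        tokens += TOKEN.findall(line.split("#", 1)[0])
    return tokens


def parse(tokens):
    """Build a tree of (name, args, children); children is None for simple directives."""
    stack, current = [[]], []
    for tok in tokens:
        if tok == ";":
            stack[-1].append((current[0], current[1:], None))
            current = []
        elif tok == "{":
            block = []
            stack[-1].append((current[0], current[1:], block))
            stack.append(block)
            current = []
        elif tok == "}":
            stack.pop()
        else:
            current.append(tok)
    return stack[0]


def locations(tree):
    """Yield (modifier, path, children) for every location block, at any depth."""
    for name, args, children in tree:
        if children is None:
            continue
        if name == "location":
            yield (args[0], args[1], children) if len(args) == 2 else ("", args[0], children)
        else:
            yield from locations(children)


# The four portal endpoints the page ships disabled by default.
SENSITIVE = ["/index.psgi/adminSessions", "/index.psgi/sessions",
             "/index.psgi/config", "/index.psgi/notification"]


def unprotected_endpoints(tree, paths=SENSITIVE):
    """Paths that have no prefix location of their own, or one without 'deny all'."""
    blocks = {path: kids for mod, path, kids in locations(tree) if mod == ""}
    return [p for p in paths if p not in blocks or ("deny", ["all"], None) not in blocks[p]]


def access_allowed(rules, client_ip):
    """ngx_http_access_module semantics: rules are tested in order and the first
    whose address or network matches decides; with no matching rule the request passes."""
    ip = ipaddress.ip_address(client_ip)
    for verb, subject in rules:
        if subject == "all" or ip in ipaddress.ip_network(subject, strict=False):
            return verb == "allow"
    return True


def reload_allowed_from(tree, manager_ip):
    """Would a reload request coming from manager_ip get past 'location = /reload'?"""
    for mod, path, kids in locations(tree):
        if mod == "=" and path == "/reload":
            rules = [(n, a[0]) for n, a, _ in kids if n in ("allow", "deny")]
            return access_allowed(rules, manager_ip)
    return False   # no such location: nothing answers the reload request


# Constructed sample: the reload host from the page plus a portal host in which
# the /index.psgi/config block was forgotten.
SAMPLE = """
server {
  listen 80;
  server_name reload.example.com;
  location = /reload {
    allow 127.0.0.1;
    deny all;
    include /etc/nginx/fastcgi_params;
    fastcgi_param LLTYPE reload;
  }
  location / { deny all; }
}
server {
  listen 80;
  server_name auth.example.com;
  location ~ \\.psgi(?:$|/) { fastcgi_param LLTYPE psgi; }
  location /index.psgi/adminSessions { deny all; }
  location /index.psgi/sessions { deny all; }
  location /index.psgi/notification { deny all; }
}
"""

if __name__ == "__main__":
    tree = parse(tokenize(SAMPLE))
    print(unprotected_endpoints(tree))               # ['/index.psgi/config']
    print(reload_allowed_from(tree, "127.0.0.1"))    # True
    print(reload_allowed_from(tree, "192.0.2.10"))   # False
```

< p >
A static check like this only proves that the directives are present; it does not reproduce how nginx picks a location for a given request among regex and prefix blocks. After deployment, confirm the result with a request to each endpoint from the network position that matters (the manager host for the reload URL).
< / p >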
< / div > <!-- EDIT14 SECTION "Configuration reload" [17785 - 18954] -->
< h2 class = "sectionedit15" id = "local_file" > Local file< / h2 >
< div class = "level2" >
< p >
The LemonLDAP::NG configuration can be managed by a local file in < a href = "http://en.wikipedia.org/wiki/INI_file" class = "urlextern" title = "http://en.wikipedia.org/wiki/INI_file" rel = "nofollow" > INI format< / a > . The file is named < code > lemonldap-ng.ini< / code > and has the following sections:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < strong > configuration< / strong > : where the configuration is stored< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > apply< / strong > : reload < abbr title = "Uniform Resource Locator" > URL< / abbr > s of remote handlers< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > all< / strong > : parameters for all modules< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > portal< / strong > : parameters reserved to the portal< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > manager< / strong > : parameters reserved to the manager< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > handler< / strong > : parameters reserved to handlers< / div >
< / li >
< / ul >
< p >
When a parameter is set in < code > lemonldap-ng.ini< / code > , it overrides the parameter from the global configuration.
< / p >
< p >
For example, to override the portal skin:
< / p >
< pre class = "code file ini" > < span class = "re0" > < span class = "br0" > [< / span > portal< span class = "br0" > ]< / span > < / span >
< span class = "re1" > portalSkin< / span > < span class = "sy0" > =< / span > < span class = "re2" > dark< / span > < / pre >
< div class = "notetip" > You need to know the technical name of the configuration parameter to do this. Refer to the < a href = "parameterlist.html" class = "wikilink1" title = "documentation:2.0:parameterlist" > parameter list< / a > to find it.
< / div >
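< p >
The override rule stated above, worked through in code as an added example that is not part of the original page or of LemonLDAP::NG: the global configuration is taken first, then the < code > [all]< / code > section, then the module's own section. The global parameter values and the ini text are constructed; that the module section wins over < code > [all]< / code > is an assumption of this example. The second function lists the parameters the local file pins, which is what to look at when a change saved in the manager has no visible effect.
< / p >

```python
"""How lemonldap-ng.ini overrides the global configuration (constructed example)."""
import configparser

# Constructed stand-in for parameters stored in the global configuration (manager side).
GLOBAL_CONF = {"portalSkin": "bootstrap", "portalDisplayRegister": "1", "cookieName": "lemonldap"}

# Constructed local file: [all] applies to every module, [portal] to the portal only.
LOCAL_INI = """
[all]
portalSkin = common

[portal]
portalSkin = dark
"""


def load_ini(text):
    parser = configparser.ConfigParser()
    parser.optionxform = str   # keep case: LL::NG parameter names are camelCase (portalSkin)
    parser.read_string(text)
    return parser


def effective_config(global_conf, ini_text, module):
    """Global configuration, then [all], then the module section ([portal], [manager]
    or [handler]). Assumption of this example: the module section wins over [all]."""
    ini = load_ini(ini_text)
    conf = dict(global_conf)
    for section in ("all", module):
        if ini.has_section(section):
            conf.update(ini.items(section))
    return conf


def pinned_parameters(ini_text, module):
    """Parameters the local file fixes for this module: changing them in the manager
    (global configuration) has no effect on this module until the ini entry is removed."""
    ini = load_ini(ini_text)
    pinned = set()
    for section in ("all", module):
        if ini.has_section(section):
            pinned.update(name for name, _ in ini.items(section))
    return sorted(pinned)


if __name__ == "__main__":
    print(effective_config(GLOBAL_CONF, LOCAL_INI, "portal")["portalSkin"])    # dark
    print(effective_config(GLOBAL_CONF, LOCAL_INI, "handler")["portalSkin"])   # common
    print(pinned_parameters(LOCAL_INI, "manager"))                             # ['portalSkin']
```

< p >
The < code > optionxform< / code > line is the one detail worth remembering when scripting against this file: Python's parser lowercases option names by default, which would silently turn < code > portalSkin< / code > into < code > portalskin< / code > and make the comparison with the technical parameter names fail.
< / p >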
< / div > <!-- EDIT15 SECTION "Local file" [18955 - ] -->
< / div >
< / body >
< / html >