Lemonldap::NG manages applications by their hostname (Apache virtual hosts). Rules are used to protect applications; headers are HTTP headers added to the request to pass data to the application (for logs, profiles, ...).
<div class="noteimportant">Note that variables designated by $xx correspond to the names of the <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a> or <a href="performances.html#macros_and_groups" class="wikilink1" title="documentation:2.0:performances">macro names</a>, except for <code>$ENV{&lt;cgi-header&gt;}</code>, which corresponds to a CGI header <em>(<code>$ENV{REMOTE_ADDR}</code> for example)</em>.
<li class="level1"><div class="li"> all headers in CGI format <em>(<code>User-Agent</code> becomes <code>HTTP_USER_AGENT</code>)</em></div>
</li>
<li class="level1"><div class="li"> some CGI variables depending on the context:</div>
<ul>
<li class="level2"><div class="li"> For the portal: all standard CGI variables <em>(you can add custom headers using <code>fastcgi_param</code> with Nginx)</em>,</div>
A rule associates a <a href="http://en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions" class="urlextern" title="http://en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions" rel="nofollow">regular expression</a> with a Perl boolean expression or a keyword.
<td class="col0 leftalign"> Do not restrict /public/ </td><td class="col1 centeralign"> ^/public/ </td><td class="col2 centeralign"> skip </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 leftalign"> Makes authentication optional, but authenticated users are seen as such (that is, user data are sent to the application through HTTP headers) </td><td class="col1 centeralign"> ^/forum/ </td><td class="col2 centeralign"> unprotect </td>
<td class="col0 leftalign"> Restrict access to the whole site to users whose LDAP description field is set to "LDAP administrator" (the field must be declared in exported variables) </td><td class="col1 centeralign"> default </td><td class="col2 centeralign"> $description eq "LDAP administrator" </td>
The "<strong>default</strong>" access rule is used if no other access rule matches the current <abbr title="Uniform Resource Locator">URL</abbr>.
<li class="level1"><div class="li"> Comments can be used to order your rules: rules are applied in the alphabetical order of their comment (or of the regexp if there is no comment). See the <strong><a href="security.html#write_good_rules" class="wikilink1" title="documentation:2.0:security">security chapter</a></strong> to learn more about writing good rules.</div>
</li>
<li class="level1"><div class="li"> See <a href="performances.html#handler_performance" class="wikilink1" title="documentation:2.0:performances">performances</a> to learn how to use macros and groups in rules.</div>
</li>
</ul>
</div>
<p>
Rules can also be used to intercept the logout <abbr title="Uniform Resource Locator">URL</abbr>:
<td class="col0 leftalign"> Log the user out of Lemonldap::NG and redirect them to http://intranet/ </td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_sso http://intranet/ </td>
<td class="col0 leftalign"> Log the user out of the current application and redirect them to the menu <strong><em>(Apache only)</em></strong></td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_app https://auth.example.com/ </td>
<td class="col0"> Log the user out of the current application and of Lemonldap::NG and redirect them to http://intranet/ <strong><em>(Apache only)</em></strong></td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_app_sso http://intranet/ </td>
<div class="notewarning"><code>logout_app</code> and <code>logout_app_sso</code> rules are not available on Nginx, only on Apache.
By default, the user is redirected to the portal if no <abbr title="Uniform Resource Locator">URL</abbr> is defined, or to the specified <abbr title="Uniform Resource Locator">URL</abbr> if one is given.
</p>
<div class="noteimportant">Only the current application is affected by the logout_app* targets. Be careful with applications that do not verify Lemonldap::NG headers once they have created their own cookies. If so, you can redirect users to an <abbr title="HyperText Markup Language">HTML</abbr> page explaining that it is safe to close the browser after disconnecting.
LLNG sets an "authentication level" during the authentication process. This level is the value associated with the authentication backend used for this user. Default values are:
<li class="level1"><div class="li"> 0 for <a href="authnull.html" class="wikilink1" title="documentation:2.0:authnull">Null</a></div>
</li>
<li class="level1"><div class="li"> 1 for <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a>, <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID-2</a>, <a href="authfacebook.html" class="wikilink1" title="documentation:2.0:authfacebook">Facebook</a>,…</div>
</li>
<li class="level1"><div class="li"> 2 for web-form based authentication <em>(<a href="authldap.html" class="wikilink1" title="documentation:2.0:authldap">LDAP</a>, <a href="authdbi.html" class="wikilink1" title="documentation:2.0:authdbi">DBI</a>,…)</em></div>
</li>
<li class="level1"><div class="li"> 3 for <a href="authyubikey.html" class="wikilink1" title="documentation:2.0:authyubikey">Yubikey</a></div>
</li>
<li class="level1"><div class="li"> 4 for <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Kerberos</a></div>
</li>
<li class="level1"><div class="li"> 5 for <a href="authssl.html" class="wikilink1" title="documentation:2.0:authssl">SSL</a></div>
</li>
</ul>
<p>
There are two ways to require a high authentication level from users:
</p>
<ul>
<li class="level1"><div class="li"> writing a rule based on the authentication level: <code>$authenticationLevel > 3</code></div>
</li>
<li class="level1"><div class="li"> since 2.0, setting a minimum level in the virtual host options</div>
<div class="notetip">Instead of returning a 403 code, "minimum level" sends the user to a form explaining that a higher level is required and proposing that the user re-authenticate.
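The following is an added illustration, not code from Lemonldap::NG: a small Python model of how the access rules described on this page combine (alphabetical ordering by comment or regexp, the <code>skip</code>/<code>unprotect</code> keywords, the <code>logout_*</code> targets with their optional redirect URL, the <code>default</code> rule, and the difference between a failing <code>$authenticationLevel > 3</code> rule and the virtual host "minimum level" option). The Perl boolean expressions are replaced by Python callables over a session dict; the class and function names (<code>Rule</code>, <code>VirtualHost</code>, <code>evaluate</code>, ...) and the sample virtual host are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# Session data as seen by rules ($uid, $description, $authenticationLevel, ...),
# modelled as a plain dict. All sample contents below are constructed for the example.
Session = Dict[str, object]

# A rule value is either a keyword ("skip", "unprotect", "logout_sso <url>", ...)
# or a boolean expression. The Perl expressions used by LLNG are replaced here
# by Python callables over the session dict (a hypothetical stand-in).
RuleValue = Union[str, Callable[[Session], bool]]


@dataclass
class Rule:
    regexp: str        # matched against the request URI (path plus query string)
    value: RuleValue
    comment: str = ""  # ordering key when present, otherwise the regexp is used


@dataclass
class VirtualHost:
    rules: List[Rule]
    default: RuleValue          # the "default" rule, consulted when nothing matched
    min_level: int = 0          # "minimum level" virtual host option (0 = unset)
    portal: str = "https://auth.example.com/"


@dataclass
class Decision:
    action: str                    # skip, unprotect, allow, deny, need_auth, need_level, logout_*
    redirect: Optional[str] = None
    send_headers: bool = True      # whether user data headers are added to the request


def ordered_rules(vhost: VirtualHost) -> List[Rule]:
    # Rules are tried in the alphabetical order of their comment, or of the regexp
    # when there is no comment; the first match wins.
    return sorted(vhost.rules, key=lambda r: r.comment or r.regexp)


def evaluate(vhost: VirtualHost, uri: str, session: Optional[Session]) -> Decision:
    matched: RuleValue = vhost.default
    for rule in ordered_rules(vhost):
        if re.search(rule.regexp, uri):
            matched = rule.value
            break

    if isinstance(matched, str):
        keyword, _, target = matched.partition(" ")
        if keyword == "skip":
            # The handler steps aside entirely: no authentication, no headers.
            return Decision("skip", send_headers=False)
        if keyword == "unprotect":
            # Anonymous users pass; authenticated users are still identified by headers.
            return Decision("unprotect", send_headers=session is not None)
        if keyword in ("logout_sso", "logout_app", "logout_app_sso"):
            # Without an explicit URL the user is sent back to the portal.
            return Decision(keyword, redirect=target or vhost.portal, send_headers=False)
        raise ValueError(f"unknown rule keyword {keyword!r}")

    # Boolean rule: an unauthenticated user is first sent to the portal to log in.
    if session is None:
        return Decision("need_auth", redirect=vhost.portal, send_headers=False)
    # The virtual host "minimum level" option redirects to a re-authentication form,
    # whereas a failing `$authenticationLevel > N` rule below simply denies (403).
    if vhost.min_level and int(session.get("authenticationLevel", 0)) < vhost.min_level:
        return Decision("need_level", redirect=vhost.portal, send_headers=False)
    if matched(session):
        return Decision("allow")
    return Decision("deny", send_headers=False)


# Constructed sample virtual host mirroring the rule tables on this page.
SAMPLE_VHOST = VirtualHost(
    rules=[
        Rule(r"^/public/", "skip", comment="1-public"),
        Rule(r"^/forum/", "unprotect", comment="2-forum"),
        Rule(r"^/index\.php\?logout", "logout_sso http://intranet/", comment="3-logout"),
        Rule(r"^/admin/", lambda s: int(s["authenticationLevel"]) > 3, comment="4-admin"),
    ],
    default=lambda s: s.get("description") == "LDAP administrator",
)

if __name__ == "__main__":
    ldap_admin = {"uid": "alice", "authenticationLevel": 2, "description": "LDAP administrator"}
    for uri in ("/public/css/site.css", "/forum/topic/1", "/index.php?logout", "/admin/", "/"):
        print(uri, "->", evaluate(SAMPLE_VHOST, uri, ldap_admin))
```

The ordering key is what the "comments order your rules" remark is about: with the numbered comments above, <code>^/public/</code> is tested before <code>default</code> regardless of how the rules were entered, so an overly broad regexp placed first silently shadows everything after it.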
<td class="col0 leftalign"> Give a static value </td><td class="col1 centeralign"> Some-Thing </td><td class="col2 centeralign">"static-value"</td>
<td class="col0 leftalign"> Give non-ASCII data </td><td class="col1 centeralign"> Display-Name </td><td class="col2 centeralign"> encode_base64($givenName." ".$surName,"") </td>
As described in the <a href="performances.html#handler_performance" class="wikilink1" title="documentation:2.0:performances">performances chapter</a>, you can use macros, local macros, ...
<li class="level1"><div class="li"> Since many HTTP servers refuse non-ASCII headers, it is recommended to use the encode_base64() function to transmit those headers</div>
<li class="level1"><div class="li"> Don't forget to add an empty string as the second argument of the encode_base64 function, otherwise newline characters are inserted in the result</div>
</div><div class="notetip">By default, the <abbr title="Single Sign On">SSO</abbr> cookie is hidden, so protected applications cannot retrieve the <abbr title="Single Sign On">SSO</abbr> session key. But you can forward this key if absolutely needed:
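As an added example (not Lemonldap::NG code), the Python block below reproduces the two header points made above: the <code>Display-Name</code> header from the table built from the concatenation of <code>$givenName</code> and <code>$surName</code>, and why the empty second argument to <code>encode_base64</code> matters. Python's <code>base64.encodebytes</code> is used to stand in for Perl's <code>encode_base64($data)</code> with its default end-of-line, and <code>base64.b64encode</code> for <code>encode_base64($data, "")</code>; the session contents, the header names other than those in the table, and the function names (<code>build_headers</code>, <code>unsafe_headers</code>, ...) are assumptions made for the example.

```python
import base64
import re

# Constructed sample session with non-ASCII name parts (not real LLNG data).
SESSION = {"uid": "zmuller", "givenName": "Zoé", "surName": "Müller"}

# A header value should stay printable ASCII; in particular CR and LF must never
# appear, since they terminate the header line (and would start another one).
_SAFE_HEADER_VALUE = re.compile(r"^[\x20-\x7e]*$")


def header_value_is_safe(value: str) -> bool:
    return bool(_SAFE_HEADER_VALUE.match(value))


def encode_base64_default(data: bytes) -> str:
    # Equivalent of Perl's encode_base64($data) with its default end-of-line "\n":
    # a newline is inserted every 76 output characters and after the last line.
    return base64.encodebytes(data).decode("ascii")


def encode_base64_no_eol(data: bytes) -> str:
    # Equivalent of encode_base64($data, ""): the empty second argument suppresses
    # the line breaks, giving a single-line value suitable for a header.
    return base64.b64encode(data).decode("ascii")


def build_headers(session: dict, encode_display_name: bool = True) -> dict:
    # Assembles the headers from the table above: a static value and the display
    # name built from $givenName, a space and $surName (base64-encoded by default).
    display_name = f'{session["givenName"]} {session["surName"]}'
    return {
        "Auth-User": session["uid"],
        "Some-Thing": "static-value",
        "Display-Name": encode_base64_no_eol(display_name.encode("utf-8"))
        if encode_display_name
        else display_name,
    }


def unsafe_headers(headers: dict) -> list:
    # Names of the headers a strict HTTP server would refuse (non-ASCII or CR/LF).
    return [name for name, value in headers.items() if not header_value_is_safe(value)]


def decode_display_name(headers: dict) -> str:
    # What the protected application does on its side to recover the original value.
    return base64.b64decode(headers["Display-Name"]).decode("utf-8")


if __name__ == "__main__":
    print(build_headers(SESSION))
    print("refused when sent raw:", unsafe_headers(build_headers(SESSION, encode_display_name=False)))
    print("default encode_base64 output:", repr(encode_base64_default(b"x" * 60)))
```

Running it shows that the raw <code>Display-Name</code> is flagged as unsafe, while the encoded form is plain ASCII and decodes back to <code>Zoé Müller</code>; the last line makes the newline problem visible, since even a 60-byte input wraps at 76 output characters and ends with a line break unless the empty end-of-line argument is given.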
Since 2.0, a wildcard can be used in the virtual host name (not in aliases!): <code>*.example.com</code> matches all hostnames belonging to the <code>example.com</code> domain.