LEMONLDAP::NG : more documentation and virtual host names control
parent
e72c18ccd1
commit
046b90dbd9
|
@ -154,3 +154,6 @@ static_example: example
|
|||
cd ${EXAMPLEDIRBUILD}/static/;ln -s ../manager/imgs;cd -
|
||||
scripts/make_static_example.pl ${EXAMPLEDIRBUILD}/manager/index.pl ${EXAMPLEDIRBUILD}/static/index.html $(EXAMPLELANG)
|
||||
|
||||
documentation:
|
||||
cd doc && ../scripts/doc.pl
|
||||
|
||||
|
|
|
@ -24,3 +24,5 @@ Order rules :
|
|||
Documentation :
|
||||
* Translate FAQ in English (http://lemonldap.objectweb.org/)
|
||||
* Security document
|
||||
* AD Howto
|
||||
* apply.conf Howto
|
||||
|
|
|
@ -1,3 +1,10 @@
|
|||
lemonldap-ng (0.8.2.1) unstable; urgency=low
|
||||
|
||||
* More documentation
|
||||
* Virtual host names control
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Fri, 11 May 2007 09:49:20 +0200
|
||||
|
||||
lemonldap-ng (0.8.2) unstable; urgency=low
|
||||
|
||||
* Little bug fix if whatToTrace parameter is not defined and display it in
|
||||
|
|
|
@ -7,14 +7,14 @@ our $configStorage;
|
|||
BEGIN {
|
||||
open F, '/etc/lemonldap-ng/storage.conf' or die "/etc/lemonldap-ng/storage.conf: $!";
|
||||
while(<F>) {
|
||||
next if(/^\s*$/ or /^\s*#/);
|
||||
chomp;
|
||||
/^\s*([\w]+)[\s=:]+(["']?)([\S].*[\S])\2.*$/ or next;
|
||||
$configStorage->{$1} = $3;
|
||||
my $k = $1;
|
||||
if($configStorage->{$k} =~ /^([{\[]).*[}\]]$/) {
|
||||
eval "\$configStorage->{$k} = $configStorage->{$k}";
|
||||
}
|
||||
next if(/^\s*$/ or /^\s*#/);
|
||||
chomp;
|
||||
/^\s*([\w]+)\s*[=:]\s*(["']?)([\S].*[\S])\2.*$/ or next;
|
||||
$configStorage->{$1} = $3;
|
||||
my $k = $1;
|
||||
if($configStorage->{$k} =~ /^([{\[]).*[}\]]$/) {
|
||||
eval "\$configStorage->{$k} = $configStorage->{$k}";
|
||||
}
|
||||
}
|
||||
close F;
|
||||
}
|
||||
|
|
|
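Review bot: The string `eval` in the loop body (`eval "\$configStorage->{$k} = $configStorage->{$k}";`, present in both copies shown) never inspects `$@`, so a malformed `{...}`/`[...]` value in /etc/lemonldap-ng/storage.conf is silently kept as the literal string and the failure only surfaces later, far from its cause; add `die "storage.conf: cannot parse value of $k: $@" if $@;` right after it. Because any value starting with `{` or `[` is executed as Perl at compile time inside the Apache process, a comment above the `if` — `# brace/bracket values are eval'd as Perl code: storage.conf must be writable by root only` — would make that trust boundary explicit to whoever packages the file. The value capture `([\S].*[\S])` also requires at least two non-blank characters, so a one-character value is dropped by the `or next` without any message; `(\S(?:.*\S)?)` accepts it while still trimming the surrounding quotes. The `open F, '/etc/...'` is a bareword two-argument open on a fixed path, so it is not injectable, but `open my $fh, '<', $path or die ...` is the idiom and would let the handle be closed by scope.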
@ -23,6 +23,8 @@
|
|||
# type = SOAP
|
||||
# proxy = https://manager.example.com/soapmanager.pl
|
||||
# proxyOptions = { timeout => 5 }
|
||||
# User = lemonldap
|
||||
# Password = mypassword
|
||||
|
||||
type = File
|
||||
dirName = /var/lib/lemonldap-ng/conf
|
||||
|
|
|
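Review bot: The commented SOAP example documents a `Password = mypassword` line, so this file carries a credential as soon as the SOAP (or DBI) backend is enabled, and the loader in the preceding hunk executes any `{...}`/`[...]` value such as `proxyOptions = { timeout => 5 }` as Perl code at Apache startup, yet nothing in the file says who may read or write it. Add a leading comment: `# May contain credentials, and bracketed values are evaluated as Perl by the handler: keep this file owned by root, writable by root only and readable only by the Apache user (e.g. mode 0640).` The `# User` / `# Password` lines are presumably the credentials sent on the `proxy` call; if so, a short note that they are only safe over the `https://` proxy URL shown would help administrators who change it to plain `http://`.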
@ -0,0 +1,377 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<meta name="generator" content=
|
||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
||||
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id="HADVANCEDINSTALLATION">ADVANCED
|
||||
INSTALLATION</span></h2>
|
||||
|
||||
<p class="paragraph"></p><strong class="strong">Warning:</strong> This
|
||||
document is written for people who know Lemonldap::NG. For other people,
|
||||
it is recommended to build the <span class="wikilink"><a href=
|
||||
"/xwiki/bin/view/NG/DocInstallExample">example</a></span> provided in the
|
||||
source and next to adapt it to local installation.
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<a href="#HPREREQ">PREREQ</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HApache">Apache</a></li>
|
||||
|
||||
<li><a href="#HPerlprereq">Perl prereq</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li><a href="#HSOFTWAREINSTALLATION">SOFTWARE INSTALLATION</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HLEMONLDAPINSTALLATION">LEMONLDAP INSTALLATION</a>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<a href="#HDatabaseconfiguration">Database configuration</a>
|
||||
|
||||
<ul>
|
||||
<li><a href=
|
||||
"#HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG
|
||||
Configuration database</a></li>
|
||||
|
||||
<li><a href="#HApache3A3ASessiondatabase">Apache::Session
|
||||
database</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li><a href="#HManagerconfiguration">Manager configuration</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HConfigurationedition">Configuration edition</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HGeneralparameters">General parameters</a></li>
|
||||
|
||||
<li><a href="#HUsergroups">User groups</a></li>
|
||||
|
||||
<li><a href="#HVirtualhosts">Virtual hosts</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HPREREQ">PREREQ</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HApache">Apache</span></h4>
|
||||
|
||||
<p class="paragraph"></p>To use Lemonldap::NG, you have to run a LDAP
|
||||
server and of course an Apache server compiled with mod-perl (version 1.3
|
||||
or 2.x). Generaly, the version of Apache proposed with your Linux
|
||||
distribution match, but some distributions used an experimental version of
|
||||
mod_perl with Apache2 (mod_perl-1.99) which does not work with
|
||||
Lemonldap::NG. With such distributions (like Debian-3.1), you have to use
|
||||
Apache-1.3 or to use a mod_perl backport (www.backports.org package for
|
||||
Debian works fine).
|
||||
|
||||
<p class="paragraph"></p>For Apache2, you can use both mpm-worker and
|
||||
mpm-prefork. Mpm-worker works faster and Lemonldap::NG use the thread
|
||||
system for best performance. If you have to use mpm-prefork (for example
|
||||
if you use PHP), Lemonldap::NG will work anyway.
|
||||
|
||||
<p class="paragraph"></p>You can use Lemonldap::NG in an heterogene world:
|
||||
the authentication portal and the manager can work in any version of
|
||||
Apache 1.3 or more even if mod_perl is not compiled, with
|
||||
ModPerl::Registry or not… Only the handler (site protector) need
|
||||
mod_perl. The different handlers can run on different servers with
|
||||
different versions of Apache/mod_perl.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HPerlprereq">Perl prereq</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Perl modules: Apache::Session, Net::LDAP,
|
||||
MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI, XML::Simple
|
||||
|
||||
<p class="paragraph"></p>With Debian:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl
|
||||
libdbi-perl perl-modules libwww-perl libcache-cache-perl
|
||||
libxml-simple-perl
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Portal:
|
||||
|
||||
<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
|
||||
DBI
|
||||
|
||||
<p class="paragraph"></p>With Debian:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
apt-get install libapache-session-perl libnet-ldap-perl libdbi-perl
|
||||
perl-modules
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Handler:
|
||||
|
||||
<p class="paragraph"></p>Apache::Session, LWP::UserAgent, Cache::Cache,
|
||||
DBI
|
||||
|
||||
<p class="paragraph"></p>With Debian:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
apt-get install libapache-session-perl libdbi-perl libwww-perl
|
||||
libcache-cache-perl
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Manager:
|
||||
|
||||
<p class="paragraph"></p>CGI, XML::Simple, DBI
|
||||
|
||||
<p class="paragraph"></p>With Debian:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
apt-get install perl-modules libxml-simple-perl
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HSOFTWAREINSTALLATION">SOFTWARE
|
||||
INSTALLATION</span></h3>
|
||||
|
||||
<p class="paragraph"></p>If you just want to install a handler or a portal
|
||||
or a manager:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
|
||||
$ perl Makefile.PL && make && make test
|
||||
$ sudo make install
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>else for a complete install:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>See prereq in
|
||||
|
||||
<h3 class="heading-1-1"><span id="HLEMONLDAPINSTALLATION">LEMONLDAP
|
||||
INSTALLATION</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HDatabaseconfiguration">Database
|
||||
configuration</span></h4>If you use DBI or another system to share
|
||||
Lemonldap::NG configuration, you have to initialize the database.
|
||||
|
||||
<p class="paragraph"></p>For example, create the database "lemonldapng" :
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
# mysqladmin create lemonldapng
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id=
|
||||
"HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG Configuration
|
||||
database</span></h5>
|
||||
|
||||
<p class="paragraph"></p>To store configuration, use this table :
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
CREATE TABLE lmConfig (
|
||||
cfgNum <span class="java-object">int</span> not <span class=
|
||||
"java-keyword">null</span> primary key,
|
||||
locationRules text,
|
||||
exportedHeaders text,
|
||||
globalStorage text,
|
||||
globalStorageOptions text,
|
||||
macros text,
|
||||
groups text,
|
||||
portal text,
|
||||
domain text,
|
||||
ldapServer text,
|
||||
ldapPort <span class="java-object">int</span>,
|
||||
ldapBase text,
|
||||
securedCookie <span class="java-object">int</span>,
|
||||
cookieName text,
|
||||
authentication text,
|
||||
exportedVars text,
|
||||
managerDn text,
|
||||
managerPassword text,
|
||||
whatToTrace text
|
||||
);
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id=
|
||||
"HApache3A3ASessiondatabase">Apache::Session database</span></h5>
|
||||
|
||||
<p class="paragraph"></p>The choice of Apache::Session::* module is free.
|
||||
See Apache::Session::Store::* or Apache::Session::* to know how to
|
||||
configure the module. For example, if you want to use
|
||||
Apache::Session::MySQL, you can create the database like this:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
CREATE TABLE sessions (
|
||||
id <span class="java-object">char</span>(32),
|
||||
a_session text
|
||||
);
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HManagerconfiguration">Manager
|
||||
configuration</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Copy example/manager.cgi and personalize it if
|
||||
you want (see Lemonldap::NG::Manager). You have to set in particular
|
||||
configStorage. For example with MySQL:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$my $manager = Lemonldap::NG::Manager-><span class=
|
||||
"java-keyword">new</span> ( {
|
||||
dbiChain => <span class=
|
||||
"java-quote">"DBI:mysql:database=mybase;host=1.2.3.4"</span>,
|
||||
dbiUser => <span class=
|
||||
"java-quote">"lemonldap-ng"</span>,
|
||||
dbiPasword => <span class=
|
||||
"java-quote">"mypass"</span>,
|
||||
} );
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Securise Manager access with Apache: Lemonldap
|
||||
does not securise the manager itself yet:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
SSLEngine On
|
||||
Order Deny, Allow
|
||||
Deny from all
|
||||
Allow from admin/network
|
||||
AuthType Basic
|
||||
...
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HConfigurationedition">Configuration
|
||||
edition</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Connect to the manager with your browser start
|
||||
configure your Web-SSO. You have to set at least some parameters:
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HGeneralparameters">General
|
||||
parameters</span></h5>
|
||||
|
||||
<ul class="star">
|
||||
<li>Authentication parameters -> portal URL to access to the
|
||||
authentication portal.</li>
|
||||
|
||||
<li>Domain: the cookie domain. All protected VirtualHosts have to be
|
||||
under it.</li>
|
||||
|
||||
<li>LDAP parameters -> LDAP Server.</li>
|
||||
|
||||
<li>LDAP parameters -> LDAP Accout and password: required only if
|
||||
anonymous binds are not accepted.</li>
|
||||
|
||||
<li>Session Storage -> Apache::Session module: how to store user
|
||||
sessions. You can use all module that inherit from Apache::Session like
|
||||
Apache::Session::MySQL.</li>
|
||||
|
||||
<li>Session Storage -> Apache::Session Module parameters: see
|
||||
Apache::Session::<Choosen module>.</li>
|
||||
</ul>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HUsergroups">User groups</span></h5>
|
||||
|
||||
<p class="paragraph"></p>Use the "New Group" button to add your first
|
||||
group. On the left, set the keyword which will be used later and set on
|
||||
the right the corresponding rule. You can use :
|
||||
|
||||
<ul class="star">
|
||||
<li>an LDAP filter (it will be tested with the user uid)</li>
|
||||
</ul>or
|
||||
|
||||
<ul class="star">
|
||||
<li>a Perl condition enclosed with {}. All variables declared in
|
||||
"General parameters -> LDAP attributes" can be used with a "$". For
|
||||
example: MyGroup / { $uid eq "foo" or $uid eq "bar" }</li>
|
||||
</ul>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HVirtualhosts">Virtual
|
||||
hosts</span></h5>
|
||||
|
||||
<p class="paragraph"></p>You have to create a virtual host for each Apache
|
||||
host (virtual or real) protected by Lemonldap::NG even if just a
|
||||
sub-directory is protected. Else, user who want to access to the protected
|
||||
area will be rejected with a "500 Internal Server Error" message and the
|
||||
apache logs will explain the problem.
|
||||
|
||||
<p class="paragraph"></p>Each virtual host has 2 groups of parameters:
|
||||
|
||||
<ul class="star">
|
||||
<li>Headers: the headers added to the apache request. Default: Auth-User
|
||||
=> $uid.</li>
|
||||
|
||||
<li>Rules: subdivised in 2 categories:
|
||||
|
||||
<ul class="star">
|
||||
<li>default: the default rule</li>
|
||||
|
||||
<li>personalized rules: association of a Perl regular expression and
|
||||
a condition. For example: ^/restricted.*$ / $groups =~
|
||||
/bMyGroupb/</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
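Review bot: The Manager example near the end of the hunk will not run as written: `$my $manager = ...` is a syntax error (`my $manager = ...`), and `dbiPasword` looks like a typo of the option the Manager actually reads (presumably `dbiPassword`), which would make the password silently ignored rather than rejected. In the Apache snippet that is supposed to protect the Manager, `Order Deny, Allow` contains a space; Apache only accepts `Order Deny,Allow`, so the configuration fails to load — and since the text states the Manager does not protect itself, the example should show the complete Basic-auth set (`AuthName`, `AuthUserFile`, `Require valid-user`) rather than stopping at `AuthType Basic`. The `lmConfig` table stores `managerPassword` in cleartext, so a sentence next to the CREATE TABLE telling readers to restrict that database's grants to the lemonldap user is warranted. Finally, `CREATE TABLE sessions` has no key on `id`; `id char(32) not null primary key` is what the Apache::Session::MySQL documentation uses and avoids a full scan per request.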
@ -0,0 +1,382 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<meta name="generator" content=
|
||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
||||
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id="HFoireauxquestionsLemonldap3A3ANG">Foire
|
||||
aux questions Lemonldap::NG</span></h2>
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<a href="#HLemonldap3A3ANG">Lemonldap::NG</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HQu27estcequ27unWebSSO3F">Qu'est-ce qu'un Web-SSO
|
||||
?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HQu27apporteLemonldap3A3ANGparrapportauxautresSSO3F">Qu'apporte
|
||||
Lemonldap::NG par rapport aux autres SSO ?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HConfiguration">Configuration</a>
|
||||
|
||||
<ul>
|
||||
<li><a href=
|
||||
"#HQuelsystC3A8medestockagedeconfigurationchoisir3F">Quel
|
||||
système de stockage de configuration choisir ?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HL27exemplefournifonctionneenHTTP2CmaispasenHTTPS">L'exemple
|
||||
fourni fonctionne en HTTP, mais pas en HTTPS.</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HCommentfairefonctionnerLemonldap3A3ANGavecunannuaireActiveDirectory3F">
|
||||
Comment faire fonctionner Lemonldap::NG avec un annuaire
|
||||
Active-Directory ?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HFonctionnement">Fonctionnement</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HAquoisertlecachelocaldesagents28handlers293F">A quoi
|
||||
sert le cache local des agents (handlers) ?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HPourquoinepeutonpasconfigurerlecachelocaldesagents28handlers29danslaconsoled27administration3F">
|
||||
Pourquoi ne peut-on pas configurer le cache local des agents
|
||||
(handlers) dans la console d'administration ?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HQu27estcequele7E7ECrossDomainAuthentication7E7E28CDA293F">Qu'est
|
||||
ce que le <i class="italic">Cross Domain Authentication</i> (CDA)
|
||||
?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HCommentfonctionnele7E7ECrossDomainAuthentication7E7E28CDA293F">Comment
|
||||
fonctionne le <i class="italic">Cross Domain Authentication</i>
|
||||
(CDA) ?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HAuthentification">Authentification</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HPeutonchangerlemoded27authentification3F">Peut-on
|
||||
changer le mode d'authentification ?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HLemonldap3A3ANG">Lemonldap::NG</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HQu27estcequ27unWebSSO3F">Qu'est-ce
|
||||
qu'un Web-SSO ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Un SSO <i class="italic">(Single Sign On)</i> est
|
||||
un dispositif qui permet de partager les authentifications entre plusieurs
|
||||
applications. L'utilisateur ne s'authentifie ainsi qu'une fois et n'est
|
||||
pas interrompu lorsqu'il change d'application. Kerberos (utilisé
|
||||
dans Active Directory) par exemple est un SSO. Le problème de ces
|
||||
systèmes est qu'outre leur lourdeur, ils ne s'appliquent
|
||||
qu'à des Intranets sur des machines relativement homogènes.
|
||||
|
||||
<p class="paragraph"></p>Le Web-SSO est le portage de ce principe
|
||||
restreint aux applications Web. L'utilisateur est donc authentifié
|
||||
au premier accès à une application web
|
||||
protégée et les authentifications se propagent lorsqu'il
|
||||
change d'application. Le gros avantage est alors que le système est
|
||||
utilisable sur Internet sans pré-requis sur les postes clients (il
|
||||
suffit d'accepter les cookies de session). Par exemple, lorsqu'un
|
||||
utilisateur accède à une boîte-aux-lettres Google, il
|
||||
n'est pas réauthentifié s'il accède à
|
||||
l'application de gestion des groupes ou tout autre application Google.
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG est un des systèmes
|
||||
permettant la gestion du Web-SSO.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HQu27apporteLemonldap3A3ANGparrapportauxautresSSO3F">Qu'apporte
|
||||
Lemonldap::NG par rapport aux autres SSO ?</span></h4>
|
||||
|
||||
<ul class="star">
|
||||
<li>Lemonldap comme lemonldap::NG sont des modules Apache Perl et
|
||||
offrent des performances qui rendent imperceptible le traitement de
|
||||
l'accès.</li>
|
||||
|
||||
<li>Un des autres points forts de Lemonldap::NG est sa capacité
|
||||
à gérer les droits de façon centralisée: les
|
||||
SSO type Kerberos ou CAS permettent le partage des authentifications
|
||||
mais délèguent aux applications la gestion des
|
||||
autorisations d'accès. Dans le cas de Lemonldap::NG, la gestion
|
||||
des droits peut être centralisée totalement, en partie ou
|
||||
pas du tout pour chaque application: Lemonldap::NG fournit un
|
||||
système d'autorisations basé sur le tri des URL par
|
||||
expressions régulières auquelles on associe une
|
||||
règle. Il fournit également des en-têtes HTTP
|
||||
à l'application contenant n'importe quel attribut issue de
|
||||
l'annuaire LDAP. Celle-ci peut alors gérer la
|
||||
traçabilité des accès et éventuellement des
|
||||
droits d'accès (voir la <span class="wikiexternallink"><a href=
|
||||
"http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation#HMC3A9canismesd27authentification2Cd27autorisationetdetraC3A7abilitC3A9">
|
||||
documentation AAA</a></span>).</li>
|
||||
|
||||
<li>Lemonldap::NG n'imose aucune modification de l'annuaire: les droits
|
||||
sont calculés à partir de n'importe quel attribut.</li>
|
||||
|
||||
<li>Lemonldap::NG peut publier n'importe quel attribut LDAP ou des
|
||||
expressions calculées à partir de ces attributs dans les
|
||||
en-têtes HTTP. On peut ainsi éviter aux applications
|
||||
d'avoir à consulter l'annuaire LDAP.</li>
|
||||
|
||||
<li>Lemonldap::NG traite tous les sites hébergés (virtuels
|
||||
ou réels) indépendamment: on peut ainsi fournir à
|
||||
chaque application des en-têtes personnalisés.</li>
|
||||
|
||||
<li>Lemonldap::NG fournit une interface web d'administration
|
||||
présentant simplement la configuration, les droits d'accès
|
||||
et les en-têtes par site protégé (voir la
|
||||
démonstration><span class="nobr"><a href=
|
||||
"http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">http://lemonldap.objectweb.org/NG/ManagerDemo/fr/</a></span>).
|
||||
On peut également ne montrer qu'une partie de la configuration en
|
||||
lecture seule et une autre en lecture écriture: l'interface
|
||||
d'administration peut ainsi être partiellement
|
||||
déléguée par site protégé.</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HConfiguration">Configuration</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HQuelsystC3A8medestockagedeconfigurationchoisir3F">Quel système de
|
||||
stockage de configuration choisir ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG fournit 3 types de stockage de
|
||||
configuration:
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">File</strong>: le système le plus
|
||||
simple, il ne permet en revanche de partager la configuration que parmi
|
||||
les serveurs qui partagent un système de fichier. On peut ainsi
|
||||
l'utiliser dans le cas où tous les VirtualHosts à
|
||||
protéger se trouvent sur le même serveur,</li>
|
||||
|
||||
<li><strong class="strong">DBI</strong>: <span class=
|
||||
"wikiexternallink"><a href=
|
||||
"http://www.linuxmanpages.com/man3/DBI.3pm.php">DBI(3)</a></span> est
|
||||
une couche d'abstraction de l'accès aux bases de données
|
||||
fournie par Perl. Utilisée dans Lemonldap::NG, elle permet de
|
||||
partager la configuration entre serveurs mais suppose que tous ces
|
||||
serveurs accèdent à la même base de donnée.
|
||||
C'est une solution recommandée pour partager la configuration sur
|
||||
un réseau de serveurs,</li>
|
||||
|
||||
<li><strong class="strong">SOAP</strong>: Ce système n'est pas
|
||||
à proprement parler un système de stockage, mais permet
|
||||
à un serveur distant d'accéder à la configuration
|
||||
par une simple connexion HTTP(S). Le serveur SOAP accède lui
|
||||
à la configuration par un des systèmes
|
||||
précédents (File ou DBI).</li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HL27exemplefournifonctionneenHTTP2CmaispasenHTTPS">L'exemple fourni
|
||||
fonctionne en HTTP, mais pas en HTTPS.</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Dans le mécanisme des redirections vers le
|
||||
portail puis vers le site protégé, il faut indiquer à
|
||||
l'agent (handler) s'il est de type HTTPS ou non. Ceci est fait par le
|
||||
paramètre <tt>https</tt> qui doit être mis à 1. Ce
|
||||
paramètre n'est pas accessible dans la configuration (manager), car
|
||||
il est spécifique aux hôtes virtuels. C'est donc lors de
|
||||
l'appel à la fonction <tt>init</tt> (dans le fichier My::Package)
|
||||
qu'il doit être renseigné:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
<pre>
|
||||
__PACKAGE__->init ( {
|
||||
localStorage => "Cache::FileCache",
|
||||
localStorageOptions => {
|
||||
'namespace' => 'MyNamespace',
|
||||
'default_expires_in' => 600,
|
||||
'directory_umask' => '007',
|
||||
'cache_root' => '/tmp',
|
||||
'cache_depth' => 5,
|
||||
},
|
||||
configStorage => {
|
||||
type => 'File',
|
||||
dirName => '/var/lib/lemonldap-ng/conf',
|
||||
},
|
||||
<strong class="strong">https => 1</strong>,
|
||||
} );
|
||||
</pre>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HCommentfairefonctionnerLemonldap3A3ANGavecunannuaireActiveDirectory3F">Comment
|
||||
faire fonctionner Lemonldap::NG avec un annuaire Active-Directory
|
||||
?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Active-Directory utilise le champ <tt>cn</tt>
|
||||
comme identifiant unique au lieu de <tt>uid</tt>. Il faut donc modifier la
|
||||
configuration de Lemonldap::NG en deux points :
|
||||
|
||||
<ol>
|
||||
<li>la recherche de l'utilisateur dans l'annuaire doit être
|
||||
effectuée avec le champ <tt>cn</tt> (ou
|
||||
<tt>samAccountName</tt>),</li>
|
||||
|
||||
<li>les journaux d'Apache doivent être enrichis avec ce même
|
||||
champ.</li>
|
||||
</ol>Pour le deuxième point, la modification est très simple
|
||||
: il faut remplacer <tt>$uid</tt> par <tt>$cn</tt> dans le champ
|
||||
"Paramètres généraux -> Donnée à
|
||||
inscrire dans les journaux d'Apache (et vérifier que cette variable
|
||||
est déclarée dand les attributs à exporter). Le
|
||||
changement de filtre de recherche nécessite la surcharge d'une
|
||||
méthode dans le portail. Cette modification peut être
|
||||
effectuée comme suit:
|
||||
<pre>
|
||||
#!/usr/bin/perl
|
||||
use Lemonldap::NG::Portal::SharedConf;
|
||||
my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||
{
|
||||
configStorage => {
|
||||
type => 'File',
|
||||
dirName => '/var/lib/lemonldap-ng/conf',
|
||||
},
|
||||
<strong class="strong">formateFilter => sub {</strong>
|
||||
my $self = shift;
|
||||
$self->{filter} = "(&(cn=" . $self->{user} . ")(objectClass=person))";
|
||||
PE_OK;
|
||||
} # fin de la surcharge
|
||||
}
|
||||
);
|
||||
</pre>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HFonctionnement">Fonctionnement</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HAquoisertlecachelocaldesagents28handlers293F">A quoi sert le cache local
|
||||
des agents (handlers) ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Le cache local des agents a deux fonctions:
|
||||
|
||||
<ul class="star">
|
||||
<li>partager la configuration entre processus Apache: on évite
|
||||
ainsi un téléchargement de la configuration à
|
||||
chaque création d'un processus. C'est également
|
||||
indispensable pour utiliser le mécanisme de rechargement de la
|
||||
configuration sans relance du serveur Apache,</li>
|
||||
|
||||
<li>partager les sessions en cours entre processus et threads Apache:
|
||||
ceci permet d'éviter d'avoir à effectuer une requête
|
||||
au magasin central des sessions à chaque requête (on ne
|
||||
retombe en effet pas nécessairement sur le même processus).
|
||||
Dans le cas où le cache central des sessions est accessible par
|
||||
le réseau, on transforme ainsi une requête TCP en une
|
||||
requête au système de ficher voir simplement à la
|
||||
mémoire partagée ce qui augmente fortement les
|
||||
performances.</li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HPourquoinepeutonpasconfigurerlecachelocaldesagents28handlers29danslaconsoled27administration3F">
|
||||
Pourquoi ne peut-on pas configurer le cache local des agents (handlers)
|
||||
dans la console d'administration ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Le cache local doit être choisi ou
|
||||
paramétré en fonction du serveur: si on choisit par exemple
|
||||
le module Cache::FileCache, le répertoire de stockage n'est pas
|
||||
nécessairement le même partout. De plus, une modification du
|
||||
cache ne peut être appliquée sans redémarrage du
|
||||
serveur Apache contrairement aux autres paramètres
|
||||
gérés par la console d'administration.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HQu27estcequele7E7ECrossDomainAuthentication7E7E28CDA293F">Qu'est ce que
|
||||
le <i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Le système de propagation de la session
|
||||
Lemonldap::NG est basé sur des cookies. Or ces cookies sont
|
||||
attachés au domaine dont ils sont issus. Lemonldap::NG fournit un
|
||||
dispositif permettant de passer outre ce problème: il suffit
|
||||
d'utiliser le portail Lemonldap::NG::Portal::CDA et les agents
|
||||
Lemonldap::NG::Handler::CDA sur les sites protégés en dehors
|
||||
du domaine du portail.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HCommentfonctionnele7E7ECrossDomainAuthentication7E7E28CDA293F">Comment
|
||||
fonctionne le <i class="italic">Cross Domain Authentication</i> (CDA)
|
||||
?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Un portail Lemonldap::NG::Portal::CDA
|
||||
détecte si l'URL demandée n'est pas dans le même
|
||||
domaine. Si c'est le cas, il ajoute un paramètre à cette
|
||||
requête correspondant au cookie de session. Lorsque l'utilisateur
|
||||
est renvoyé vers cette URL, l'agent Lemonldap::NG::Handler::CDA
|
||||
reconnaît ce paramètre et génère alors le
|
||||
cookie dans son domaine. Il retire alors le paramètre ajouté
|
||||
par le portail et effectue le traitement normal de la requête.
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HAuthentification">Authentification</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HPeutonchangerlemoded27authentification3F">Peut-on changer le mode
|
||||
d'authentification ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG fournit plusieurs modes
|
||||
d'authentification (à paramétrer dans le champ
|
||||
"authentification" de l'interface d'administration) :
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">ldap</strong> : c'est le mode par
|
||||
défaut: le portail tente de se connecter avec les
|
||||
éléments fournis par l'utilisateur</li>
|
||||
|
||||
<li><strong class="strong">CAS</strong> : le portail Lemonldap::NG
|
||||
devient alors un simple relais CAS: si l'utilisateur n'est pas
|
||||
authentifié, on le revoie vers le portail CAS</li>
|
||||
|
||||
<li><strong class="strong">SSL</strong> : ce dispositif confie à
|
||||
Apache le soin d'authentifier les utilisateurs par mécanisme SSL.
|
||||
Ce dispositif est très intéressant lorsqu'on utilise des
|
||||
certificats SSL: si on protège toutes les applications par
|
||||
certificats mutuels les nombreuses négociations SSL
|
||||
pénaliserons les performances et en cas d'emploi de cartes
|
||||
à puces protégeant chaque opération, l'utilisateur
|
||||
devra saisir plusieurs fois son code. Avec ce dispositif, seule
|
||||
l'accès au portail Lemonldap::NG nécessite la
|
||||
présentation du certificat client. Ensuite, c'est le cookie
|
||||
sécurisé qui assure la propagation de
|
||||
l'authentification.</li>
|
||||
|
||||
<li><strong class="strong">Apache</strong> : dans le même esprit,
|
||||
on confie à Apache l'authentification. Par exemple avec Kerberos,
|
||||
le module Kerberos d'Apache assure la protection du portail. On
|
||||
améliore ainsi les performances puisqu'une seule
|
||||
négociation Kerberos est nécessaire pour toute la
|
||||
session.</li>
|
||||
</ul>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
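Review bot: The `formateFilter` override in the Active-Directory answer builds the LDAP filter by concatenating the raw login, `$self->{filter} = "(&(cn=" . $self->{user} . ")(objectClass=person))";`, so a user name containing `*`, `(`, `)` or `\` rewrites the filter (e.g. `*)(cn=*`) — an LDAP filter injection in a snippet readers are told to copy. Escape the value per RFC 4515 before interpolating it, for instance `use Net::LDAP::Util qw(escape_filter_value);` and `$self->{filter} = "(&(cn=" . escape_filter_value($self->{user}) . ")(objectClass=person))";` (Net::LDAP is already a listed prerequisite; confirm the installed perl-ldap provides that function). Whether the portal's default `uid`-based filter escapes the user name cannot be seen from here and should be checked as well. Separately, the CDA answer says the session cookie value is appended to the redirect URL as a parameter; even though the handler removes it afterwards, that first request is written to the target site's access log and may leak in `Referer` headers, so the doc should warn that CDA exposes the session identifier in URLs.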
@ -0,0 +1,182 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<meta name="generator" content=
|
||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
||||
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id="HINSTALLATIONDEL27EXEMPLE">INSTALLATION DE
|
||||
L'EXEMPLE</span></h2>
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<a href="#HPREREQUIS">PRE REQUIS</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HLogiciels">Logiciels</a></li>
|
||||
|
||||
<li><a href="#HModulesPerlrequis">Modules Perl requis</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HCOMPILATION">COMPILATION</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HInstallationcomplC3A8te">Installation
|
||||
complète</a></li>
|
||||
|
||||
<li><a href="#HInstallationsurDebian">Installation sur
|
||||
Debian</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li><a href="#HCONFIGURATIONDEL27EXEMPLE">CONFIGURATION DE
|
||||
L'EXEMPLE</a></li>
|
||||
</ul>L'exemple proposé utilise un site protégé
|
||||
nommé test.example.com. Les utilisateurs non-authentifiés
|
||||
sont redirigés vers auth.example.com.
|
||||
|
||||
<h3 class="heading-1-1"><span id="HPREREQUIS">PRE REQUIS</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HLogiciels">Logiciels</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Pour utiliser Lemonldap::NG, vous devez disposer
|
||||
d'un server LDAP et d'un server Apache compilé avec le module
|
||||
mod-perl (version 1.3 ou 2.x). Généralement, la version
|
||||
d'Apache proposée par votre distribution Linux est suffisante, mais
|
||||
certaines distributions utilisent une version expérimentale de
|
||||
mod_perl2 avec Apache2 (mod_perl-1.99) qui ne fonctionne pas avec
|
||||
Lemonldap::NG. Avec de telles distributions (Debian-3.1 par exemple), vous
|
||||
devez utiliser Apache-1.3 ou utiliser des backports mod_perl, CGI.pm et
|
||||
CGI/Cookie.pm (les paquets Debian du site www.backports.org fonctionnent
|
||||
très bien).
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HModulesPerlrequis">Modules Perl
|
||||
requis</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
|
||||
LWP::UserAgent, Cache::Cache, DBI, XML::Simple, SOAP::Lite (only if you
|
||||
want to use SOAP with the manager).
|
||||
|
||||
<p class="paragraph"></p>Sur Debian, lancez:
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl
|
||||
# et si vous souhaitez utiliser les fonctionnalités SOAP du manager:
|
||||
apt-get install libsoap-lite-perl
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HCOMPILATION">COMPILATION</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HInstallationcomplC3A8te">Installation
|
||||
complète</span></h4>
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
$ make example
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HInstallationsurDebian">Installation
|
||||
sur Debian</span></h4>
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ debuild
|
||||
$ sudo dpkg -i ../lemonldap-ng*.deb
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HCONFIGURATIONDEL27EXEMPLE">CONFIGURATION DE L'EXEMPLE</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Après compilation, vous disposez d'un
|
||||
fichier example/apache.conf. Vous avez simplement à l'inclure dans
|
||||
le fichier de configuration d'Apache:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
# Apache-1.3: add <span class="java-keyword">this</span> to httpd.conf
|
||||
include /path/to/lemonldap-ng/source/example/apache.conf
|
||||
# Apache-2.x:
|
||||
include /path/to/lemonldap-ng/source/example/apache2.conf
|
||||
# Debian Apache-1.3
|
||||
ln -s /usr/share/doc/lemonldap-ng/example/apache.conf /etc/apache/conf.d/test.conf
|
||||
# or with Apache-2.x
|
||||
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Modifiez votre fichier /etc/hosts pour y ajouter:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
127.0.0.2 auth.example.com
|
||||
127.0.0.3 test.example.com
|
||||
127.0.0.4 manager.example.com
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Vous devez ensuite indiquer les paramètres
|
||||
de connexion LDAP. Vous pouvez au choix :
|
||||
|
||||
<ul class="star">
|
||||
<li>utiliser l'interface d'administration: redémarrez Apache et
|
||||
connectez vous à <span class="nobr"><a href=
|
||||
"http://manager.example.com/">http://manager.example.com/</a></span></li>
|
||||
|
||||
<li>éditer /path/to/lemonldap-ng/source/example/lmConfig-1 et
|
||||
renseigner vos paramètres LDAP (utilisateurs Debian:
|
||||
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
|
||||
</ul>Si vous ne renseignez pas managerDn et managerPassword, Lemonldap::NG
|
||||
utilisera une connexion anonyme pour trouver le dn de l'utilisateur.
|
||||
|
||||
<p class="paragraph"></p>NOTES:
|
||||
|
||||
<ul class="star">
|
||||
<li>seuls quelques paramètres peuvent être
|
||||
édités à la main dans le fichier de configuration.
|
||||
Vous devez utiliser le manager pour la modifier, mais comme l'exemple
|
||||
est déjà configuré, vous pouvez éditer ce
|
||||
fichier directement,</li>
|
||||
|
||||
<li>chaque nouvelle configuration est sauvegarder dans un nouveau
|
||||
fichier par le manager (ou un nouvel enregistrement avec l'interface de
|
||||
connexion au bases de données DBI) ainsi vous pouvez restaurer
|
||||
une ancienne configuration.</li>
|
||||
</ul>Redémarrez ensuite Apache et utilisez votre navigateur
|
||||
préféré pour vous connecter à <span class=
|
||||
"wikiexternallink"><a href=
|
||||
"http://test.example.com/">http://test.example.com/</a></span>. Vous serez
|
||||
redirigés vers auth.example.com. Connectez-vous avec un compte
|
||||
valide et la page protégée apparaîtra.
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
@ -1,377 +1,172 @@
|
|||
<html>
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<title>Lemonldap::NG</title>
|
||||
<meta name="ROBOTS" content="INDEX,FOLLOW">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<meta name="DESCRIPTION" content="Lemonldap::NG installation">
|
||||
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG, INSTALLATION">
|
||||
<style>
|
||||
</style>
|
||||
<meta name="generator" content=
|
||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
||||
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id="HEXAMPLEINSTALLATION">EXAMPLE
|
||||
INSTALLATION</span></h2>
|
||||
|
||||
<h1 style="text-align: center;">Lemonldap::NG Installation</h1>
|
||||
<p>Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||
simplifies the build of a protected area with a few changes in the application.
|
||||
It manages both authentication and authorization and provides headers for
|
||||
accounting. So you can have a full AAA protection.</p>
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<p>See <a href=overview.html>README file</a> to known how it works.</p>
|
||||
<ul>
|
||||
<li>
|
||||
<a href="#HPREREQ">PREREQ</a>
|
||||
|
||||
<ol type="I">
|
||||
<li><a href="#example">Example installation</a>
|
||||
<ol type="1">
|
||||
<li><a href="#prereq1">Prereq</a></li>
|
||||
<li><a href="#ebuilding">Building</a></li>
|
||||
<li><a href="#econf">Example configuration</a></li>
|
||||
</ol>
|
||||
</li>
|
||||
<li><a href="#advanced">Advanced installation</a>
|
||||
<ol type="1">
|
||||
<li><a href="#prereq2">Prereq</a></li>
|
||||
<li><a href="#softInst">Software installation</a></li>
|
||||
<li><a href="#lmInst">Lemonldap::NG installation</a></li>
|
||||
</ol>
|
||||
</li>
|
||||
</ol>
|
||||
<ul>
|
||||
<li><a href="#HSoftware">Software</a></li>
|
||||
|
||||
<li><a href="#HNeededPerlmodules">Needed Perl modules</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<ol type="I">
|
||||
<li>
|
||||
<a href="#HBUILDING">BUILDING</a>
|
||||
|
||||
<h2><li><a name="example">Example installation</a></li></h2>
|
||||
<ul>
|
||||
<li><a href="#HCompleteinstall">Complete install</a></li>
|
||||
|
||||
<p>The proposed example use a protected site named test.example.com. Non
|
||||
authenticated users are redirected to auth.example.com.</p>
|
||||
<li><a href="#HDebianinstall">Debian install</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<ol type="1">
|
||||
<li><a href="#HEXAMPLECONFIGURATION">EXAMPLE CONFIGURATION</a></li>
|
||||
</ul>The proposed example use a protected site named test.example.com. Non
|
||||
authenticated users are redirected to auth.example.com.
|
||||
|
||||
<h3><li><a name="prereq1">Prereq</a></li></h3>
|
||||
<h3 class="heading-1-1"><span id="HPREREQ">PREREQ</span></h3>
|
||||
|
||||
<ol type="a">
|
||||
<h4><li>Software</li></h4>
|
||||
<h4 class="heading-1-1-1"><span id="HSoftware">Software</span></h4>
|
||||
|
||||
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||
Apache proposed with your Linux distribution match, but some distributions used
|
||||
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||
package for Debian works fine).</p>
|
||||
<p class="paragraph"></p>To use Lemonldap::NG, you have to run a LDAP
|
||||
server and of course an Apache server compiled with mod-perl (version 1.3
|
||||
or 2.x). Generaly, the version of Apache proposed with your Linux
|
||||
distribution match, but some distributions used an experimental version of
|
||||
mod_perl with Apache2 (mod_perl-1.99) which does not work with
|
||||
Lemonldap::NG. With such distributions (like Debian-3.1), you have to use
|
||||
Apache-1.3 or to use a mod_perl, CGI.pm and CGI/Cookie.pm backports
|
||||
(www.backports.org package for Debian works fine).
|
||||
|
||||
<h4><li>Perl prereq</li></h4>
|
||||
<h4 class="heading-1-1-1"><span id="HNeededPerlmodules">Needed Perl
|
||||
modules</span></h4>
|
||||
|
||||
<dl>
|
||||
<dt><b>Perl modules :</b></dt>
|
||||
<dd>
|
||||
<p>Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
|
||||
DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager)</p>
|
||||
</dd>
|
||||
<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
|
||||
LWP::UserAgent, Cache::Cache, DBI, XML::Simple, SOAP::Lite (only if you
|
||||
want to use SOAP with the manager).
|
||||
|
||||
<dt><b>With Debian :</b></dt>
|
||||
<dd>
|
||||
<pre>
|
||||
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
|
||||
libdbi-perl perl-modules libwww-perl libcache-cache-perl \
|
||||
libxml-simple-perl
|
||||
</pre>
|
||||
<p>If you want to use SOAP with the manager :</p>
|
||||
<pre>
|
||||
apt-get install libsoap-lite-perl
|
||||
</pre>
|
||||
</dd>
|
||||
</dl>
|
||||
</ol>
|
||||
<p class="paragraph"></p>With Debian, use:
|
||||
|
||||
<h3><li><a name="ebuilding">Building</a></li></h3>
|
||||
|
||||
<ol type="a">
|
||||
|
||||
<h4><li>Complete installation</li></h4>
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
$ make example
|
||||
<div class="code">
|
||||
<pre>
|
||||
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl
|
||||
# If you want to use SOAP with the manager:
|
||||
apt-get install libsoap-lite-perl
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h4><li>Installation on Debian</li></h4>
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ debuild # or fakeroot dpkg-buildpackage
|
||||
$ sudo dpkg -i ../*lemonldap-ng*.deb
|
||||
<h3 class="heading-1-1"><span id="HBUILDING">BUILDING</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HCompleteinstall">Complete
|
||||
install</span></h4>
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
$ make example
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
</ol>
|
||||
<h4 class="heading-1-1-1"><span id="HDebianinstall">Debian
|
||||
install</span></h4>
|
||||
|
||||
<h3><li><a name="econf">Example configuration</a></li></h3>
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<p>After build, you have new files in the example/ directory
|
||||
(<code>/usr/share/doc/lemonldap-ng/example</code> with Debian). You just have
|
||||
to include this file in Apache configuration :</p>
|
||||
|
||||
<ul>
|
||||
<li>in httpd.conf (with Apache-1.3.x)
|
||||
<pre>
|
||||
include /path/to/lemonldap-ng/source/example/apache.conf
|
||||
</pre>
|
||||
</li>
|
||||
|
||||
<li>or with Apache2
|
||||
<pre>
|
||||
include /path/to/lemonldap-ng/source/example/apache2.conf
|
||||
</pre>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p>Modify your /etc/hosts file to include :</p>
|
||||
|
||||
<pre>
|
||||
127.0.0.2 auth.example.com
|
||||
127.0.0.3 test.example.com
|
||||
127.0.0.4 manager.example.com
|
||||
<div class="code">
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ debuild
|
||||
$ sudo dpkg -i ../lemonldap-ng*.deb
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p>and restart Apache.</p>
|
||||
<h3 class="heading-1-1"><span id="HEXAMPLECONFIGURATION">EXAMPLE
|
||||
CONFIGURATION</span></h3>
|
||||
|
||||
<p>Before the example works, you have to set your LDAP settings. There are two
|
||||
ways to do it :
|
||||
<p class="paragraph"></p>After build, you have a new file named
|
||||
example/apache.conf. You just have to include this file in Apache
|
||||
configuration:
|
||||
|
||||
<ul>
|
||||
<li>Connect to <a href="http://manager.example.com/">http://manager.example.com/</a>
|
||||
and edit the corresponding parameters in "general parameters"</li>
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<li>Edit <code>/path/to/lemonldap-ng/source/example/conf/lmConfig-1</code> and
|
||||
specify your LDAP settings.</li>
|
||||
</ul>
|
||||
|
||||
<p>If you don't set managerDn and managerPassword, Lemonldap::NG will
|
||||
use an anonymous bind to find user dn.</p>
|
||||
|
||||
<p>WARNINGS :</p>
|
||||
|
||||
<ul>
|
||||
<li> only few parameters can be set by hand in the configuration file. You have
|
||||
to use the manager to change configuration, but since the example is yet
|
||||
configured, you can edit directly the file</li>
|
||||
<li> each new configuration is saved by the manager in a new file (or a new
|
||||
record with DBI) so you can recover an old configuration by removing</li>
|
||||
</ul>
|
||||
|
||||
<p>Next, try to connect to <a href="http://test.example.com/">http://test.example.com/</a>.
|
||||
You'll be redirect to auth.example.com. Try to authenticate yourself with a
|
||||
valid account and the protected page will appear. You will find other
|
||||
explanations on this page.</p>
|
||||
|
||||
</ol>
|
||||
|
||||
<h2><li><a name="advanced">Advanced installation</a></li></h2>
|
||||
|
||||
<ol type="1">
|
||||
|
||||
<h3><li><a name="prereq2">Prereq</a></li></h3>
|
||||
|
||||
<ol type="a">
|
||||
|
||||
<h4><li>Apache</li></h4>
|
||||
|
||||
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||
Apache proposed with your Linux distribution match, but some distributions used
|
||||
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||
package for Debian works fine).</p>
|
||||
|
||||
<p>For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
|
||||
faster and Lemonldap::NG use the thread system for best performance. If you
|
||||
have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
|
||||
anyway.</p>
|
||||
|
||||
<p>You can use Lemonldap::NG in an heterogene world : the authentication portal and
|
||||
the manager can work in any version of Apache 1.3 or more even if mod_perl is
|
||||
not compiled, with ModPerl::Registry or not... Only the handler (site protector)
|
||||
need mod_perl. The different handlers can run on different servers with
|
||||
different versions of Apache/mod_perl.</p>
|
||||
|
||||
<h4><li>Perl Prereq</li></h4>
|
||||
|
||||
<p>Warning : Handler and Portal parts both need Lemonldap::NG::Manager components
|
||||
to access to configuration.</p>
|
||||
|
||||
<dl>
|
||||
<dt>Manager :</dt>
|
||||
<dd><p>CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP)</p>
|
||||
|
||||
<p>With Debian :</p>
|
||||
<pre>
|
||||
# apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
|
||||
</pre>
|
||||
<p>And if you want to use SOAP :</p>
|
||||
<pre>
|
||||
# apt-get install libsoap-lite-perl
|
||||
</pre>
|
||||
</dd>
|
||||
|
||||
<dt>Portal :</dt>
|
||||
<dd><p>Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager</p>
|
||||
|
||||
<p>With Debian :</p>
|
||||
<pre>
|
||||
# apt-get install libapache-session-perl libnet-ldap-perl perl-modules
|
||||
</pre>
|
||||
</dd>
|
||||
|
||||
<dt>Handler :</dt>
|
||||
<dd><p>Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager</p>
|
||||
|
||||
<p>With Debian :</p>
|
||||
<pre>
|
||||
# apt-get install libapache-session-perl libwww-perl libcache-cache-perl
|
||||
</pre>
|
||||
</dd>
|
||||
</dl>
|
||||
</ol>
|
||||
|
||||
<h3><li><a name="softInst">Software installation</a></li></h3>
|
||||
|
||||
<p>If you just want to install a handler or a portal or a manager :</p>
|
||||
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
|
||||
$ perl Makefile.PL && make && make test
|
||||
$ sudo make install
|
||||
<div class="code">
|
||||
<pre>
|
||||
# Apache-1.3: add <span class="java-keyword">this</span> to httpd.conf
|
||||
include /path/to/lemonldap-ng/source/example/apache.conf
|
||||
# Apache-2.x:
|
||||
include /path/to/lemonldap-ng/source/example/apache2.conf
|
||||
# Debian Apache-1.3
|
||||
ln -s /usr/share/doc/lemonldap-ng/example/apache.conf /etc/apache/conf.d/test.conf
|
||||
# or with Apache-2.x
|
||||
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p>else for a complete install :</p>
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
<p class="paragraph"></p>Modify your /etc/hosts file to include:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
127.0.0.2 auth.example.com
|
||||
127.0.0.3 test.example.com
|
||||
127.0.0.4 manager.example.com
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p>See prereq in Exeample installation</p>
|
||||
<p class="paragraph"></p>Now you have to edit configuration to set your
|
||||
LDAP settings. You can either use :
|
||||
|
||||
<h3><li><a name="lmInst">Lemonldap::NG installation</a></li></h3>
|
||||
<ul class="star">
|
||||
<li>the manager interface: restart Apache and connect to <span class=
|
||||
"nobr"><a href=
|
||||
"http://manager.example.com/">http://manager.example.com/</a></span></li>
|
||||
|
||||
<ol type="a">
|
||||
<li>edit /path/to/lemonldap-ng/source/example/lmConfig-1 and specify
|
||||
your LDAP settings (Debian users:
|
||||
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
|
||||
</ul>If you don't set managerDn and managerPassword, Lemonldap::NG will
|
||||
use an anonymous bind to find user dn.
|
||||
|
||||
<h4><li>Databases configuration</li></h4>
|
||||
<p class="paragraph"></p>WARNINGS:
|
||||
|
||||
<h5>Lemonldap::NG Configuration database</h5>
|
||||
<ul class="star">
|
||||
<li>only few parameters can be set by hand in the configuration file.
|
||||
You have to use the manager to change configuration, but since the
|
||||
example is yet configured, you can edit directly the file,</li>
|
||||
|
||||
<p>If you use DBI or another system to share Lemonldap::NG configuration, you have
|
||||
to initialize the database. An example is given in example/lmConfig.mysql for
|
||||
MySQL.</p>
|
||||
<!-- TODO: File -->
|
||||
|
||||
<h5>Apache::Session database</h5>
|
||||
|
||||
<p>The choice of Apache::Session::* module is free. See Apache::Session::Store::*
|
||||
or Apache::Session::* to know how to configure the module. For example, if you
|
||||
want to use Apache::Session::MySQL, you can create the database like this :</p>
|
||||
|
||||
<pre>
|
||||
CREATE DATABASE sessions (
|
||||
id char(32),
|
||||
a_session text
|
||||
);
|
||||
</pre>
|
||||
|
||||
<h4><li>Manager configuration</li></h4>
|
||||
|
||||
<p>Copy example/manager.cgi and personalize it if you want (see
|
||||
Lemonldap::NG::Manager). You have to set in particular configStorage. For
|
||||
example with MySQL :</p>
|
||||
|
||||
<pre>
|
||||
$my $manager = Lemonldap::NG::Manager->new ( {
|
||||
dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4",
|
||||
dbiUser => "lemonldap-ng",
|
||||
dbiPassword => "mypass",
|
||||
} );
|
||||
</pre>
|
||||
|
||||
<p>You can securise Manager access with Lemonldap::NG like any other site (after
|
||||
configuring it) or with Apache. Example :</p>
|
||||
|
||||
<pre>
|
||||
SSLEngine On
|
||||
Order Deny, Allow
|
||||
Deny from all
|
||||
Allow from admin-network/netmask
|
||||
AuthType Basic
|
||||
...
|
||||
</pre>
|
||||
|
||||
<h4><li>Configuration edition</li></h4>
|
||||
|
||||
<p>Connect to the manager with your browser start configure your Web-SSO. You have
|
||||
to set at least some parameters :</p>
|
||||
|
||||
<h5>General parameters</h5>
|
||||
|
||||
<p>Main parameters :</p>
|
||||
<ul>
|
||||
<li> <b>Authentication parameters -> portal</b> : URL to access to the authentication portal</li>
|
||||
<li> <b>Domain</b> : the cookie domain. Unless some protected VirtualHosts
|
||||
are not under it, you have to use Lemonldap::NG::Portal::CDA and
|
||||
Lemonldap::NG::Handler::CDA </li>
|
||||
<li> <b>LDAP parameters -> LDAP Server</b></li>
|
||||
<li> <b>LDAP parameters -> LDAP Accout and password</b> : required only if anonymous binds are not accepted</li>
|
||||
<li> <b>Session Storage -> Apache::Session module</b> : how to store user sessions. You can use all module that inherit
|
||||
from Apache::Session like Apache::Session::MySQL</li>
|
||||
<li> <b>Session Storage -> Apache::Session Module parameters</b> : see Apache::Session::<Choosen module></li>
|
||||
</ul>
|
||||
|
||||
<h5>User groups</h5>
|
||||
|
||||
<p>Use the "New Group" button to add your first group. On the left, set the
|
||||
keyword which will be used later and set on the right the corresponding rule.
|
||||
you can use :</p>
|
||||
|
||||
<ul>
|
||||
<li> an LDAP filter (it will be tested with the user uid)</li>
|
||||
<li> or a Perl condition enclosed with <b>{}</b>. All variables declared in
|
||||
"General parameters -> LDAP attributes" or "macros"
|
||||
can be used with a "<b>$</b>". For example :
|
||||
<pre>
|
||||
MyGroup => { $uid eq "foo" or $uid eq "bar" }
|
||||
</pre>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h5>Virtual hosts</h5>
|
||||
|
||||
<p>You have to create a virtual host for each Apache host (virtual or real)
|
||||
protected by Lemonldap::NG even if just a sub-directory is protected. Else,
|
||||
user who want to access to the protected area will be rejected with a "500
|
||||
Internal Server Error" message and the apache logs will explain the problem.</p>
|
||||
|
||||
<p>Each virtual host has 2 groups of parameters :</p>
|
||||
|
||||
<ul>
|
||||
<li> Headers : the headers added to the apache request. Default :
|
||||
<pre>
|
||||
Auth-User => $uid
|
||||
</pre>
|
||||
</li>
|
||||
<li> Rules : subdivised in 2 categories :
|
||||
<ul>
|
||||
<li><b>default</b> : the default rule</li>
|
||||
<li>personalized rules : association of a Perl regular expression and a
|
||||
condition. For example :
|
||||
<pre>
|
||||
^/restricted.*$ / $groups =~ /\bMyGroup\b/
|
||||
</pre>
|
||||
</li>
|
||||
</ul>
|
||||
</ol>
|
||||
</ol>
|
||||
</ol>
|
||||
<li>each new configuration is saved by the manager in a new file (or a
|
||||
new record with DBI) so you can recover an old configuration by removing
|
||||
the new one.</li>
|
||||
</ul>Next, restart Apache and use your prefered browser and try to connect
|
||||
to <span class="wikiexternallink"><a href=
|
||||
"http://test.example.com/">http://test.example.com/</a></span>. You'll be
|
||||
redirect to auth.example.com. Try to authenticate yourself with a valid
|
||||
account and the protected page will appear.
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
|
||||
@ -0,0 +1,377 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<meta name="generator" content=
|
||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
||||
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id=
|
||||
"HLemonLDAP3A3ANG">LemonLDAP::NG</span></h2>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG est un Web-SSO modulaire
|
||||
basé sur les modules Apache::Session. Il simplifie la construction
|
||||
d'une aire protégée en minimisant les impacts sur les
|
||||
applications. Il gère à la fois les authentifications et les
|
||||
autorisations et fournit des en-têtes HTTP pour la
|
||||
traçabilité. On obtient ainsi une protection AAA complete
|
||||
<i class="italic">(Authentication, Authorization and Accounting)</i> des
|
||||
espaces web.
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG est une réécriture
|
||||
complète de Lemonldap. Tous les éléments
|
||||
nécessaires à son exploitation et son administration sont
|
||||
fournis dans le package. En revanche les composants
|
||||
développés pour Lemonldap ne sont pas compatibles avec
|
||||
Lemonldap::NG.
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<a href=
|
||||
"#HMC3A9canismesd27authentification2Cd27autorisationetdetraC3A7abilitC3A9">
|
||||
Mécanismes d'authentification, d'autorisation et de
|
||||
traçabilité</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HAuthentification">Authentification</a></li>
|
||||
|
||||
<li>
|
||||
<a href="#HAutorisation">Autorisation</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HPerformances">Performances</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HTraC3A7abilitC3A9">Traçabilité</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HTracerlesaccC3A8sauportail">Tracer les
|
||||
accès au portail</a></li>
|
||||
|
||||
<li><a href="#HTracerlesaccC3A8sauxapplications">Tracer les
|
||||
accès aux applications</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li><a href="#HInstallation">Installation</a></li>
|
||||
|
||||
<li><a href="#HSystC3A8medestockagedessessions">Système de
|
||||
stockage des sessions</a></li>
|
||||
|
||||
<li><a href="#HAuteur">Auteur</a></li>
|
||||
|
||||
<li><a href="#HCopyrightetlicense">Copyright et license</a></li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HMC3A9canismesd27authentification2Cd27autorisationetdetraC3A7abilitC3A9">Mécanismes
|
||||
d'authentification, d'autorisation et de
|
||||
traçabilité</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Tous les paramètres abordés dans ce
|
||||
chapître sont accessibles via l'interface d'administration (voir la
|
||||
<span class="wikiexternallink"><a href=
|
||||
"http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">démonstration</a></span>).
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HAuthentification">Authentification</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Si un utilisateur n'est pas encore
|
||||
authentifié et tente de se connecter à une aire
|
||||
protégée par un agent Lemonldap::NG, il est redirigé
|
||||
vers le portail. Celui-ci authentifie l'utilisateur par défaut par
|
||||
une connexion LDAP, mais vous pouvez également utiliser un autre
|
||||
schéma tel les certificats x509 (voir
|
||||
Lemonldap::NG::Portal::AuthSSL(3)).
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG utilise les cookies de session
|
||||
générés par le module Apache::Session soit aussi
|
||||
sécurisé que n'importe quelle système basé sur
|
||||
des cookies aléatoires de 128 bits. Il est recommandé
|
||||
d'activer l'option "cookie sécurisé" pour éviter les
|
||||
vols de session.
|
||||
|
||||
<p class="paragraph"></p>Par défaut, une session reste 10 minutes
|
||||
dans le magasin local du serveur Apache, donc dans le pire des cas, un
|
||||
utilisateur conserve son autorisation au plus 10 minutes après
|
||||
avoir perdu ses droits.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HAutorisation">Autorisation</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Les autorisations sont controlées
|
||||
seulement par les agents protégeant les applications. En effet, le
|
||||
portail ne peut connaître à l'avance les applications sur
|
||||
lesquels l'utilisateur se connectera. En configurant votre Web-SSO, vous
|
||||
devez:
|
||||
|
||||
<ul class="star">
|
||||
<li>choisir les attributs LDAP que vous souhaitez utiliser pour les
|
||||
autorisations et la traçabilité,</li>
|
||||
|
||||
<li>créer d'éventuelles expressions Perl pour
|
||||
définir des groupes d'utilisateur (en utilisant les attributs
|
||||
LDAP),</li>
|
||||
|
||||
<li>créer des règles d'accès associant des
|
||||
expressions régulières triant les URL à des
|
||||
expressions Perl calculant le droit d'accès correspondant.</li>
|
||||
</ul>Exemple (Voir Lemonldap::NG::Manager::Conf(3) pour comprendre le
|
||||
stockage de la configuration) :
|
||||
|
||||
<ul class="star">
|
||||
<li>Variables exportées (attributs LDAP):</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
# Nom-choisi => attribut LDAP
|
||||
cn => cn
|
||||
departmentUID => departmentUID
|
||||
login => uid
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>Groupes d'utilisateurs :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
# Nom-choisi => définition du groupe
|
||||
group1 => { $departmentUID eq <span class=
|
||||
"java-quote">"unit1"</span> or $login = <span class=
|
||||
"java-quote">"user1"</span> }
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>Protection d'un site web: chaque VirtualHost (ou hôte
|
||||
réel) Apache dispose de ses propres règles d'accès:
|
||||
|
||||
<ul class="star">
|
||||
<li>www1.domain.com :</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
^/<span class="java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
||||
<span class="java-keyword">default</span> => accept
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>www2.domain.com :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
^/site/.*$ => $uid eq <span class=
|
||||
"java-quote">"admin"</span> or $groups =~ /bgroup2b/
|
||||
^/(js|css) => accept
|
||||
<span class="java-keyword">default</span> => deny
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id=
|
||||
"HPerformances">Performances</span></h5>
|
||||
|
||||
<p class="paragraph"></p>Vous pouvez utiliser des expressions Perl aussi
|
||||
complexe que nécessaire et vous pouvez utiliser tous les attibuts
|
||||
LDAP (et créer vos propres attributs additionnels avec le
|
||||
mécanisme des macros) dans les définitions de groupes, les
|
||||
règles d'accès et les en-têtes HTTP
|
||||
personnalisés: vous devez seulement utiliser le nom choisi
|
||||
précédé d'un "$".
|
||||
|
||||
<p class="paragraph"></p>Vous devez toutefois bien choisir vos
|
||||
expressions:
|
||||
|
||||
<ul class="star">
|
||||
<li>les groupes et les macros ne sont évaluées que lorsque
|
||||
l'utilisateur est renvoyé vers le portail,</li>
|
||||
|
||||
<li>les règles d'accès et les en-têtes
|
||||
exportés sont évalués à chaque requête
|
||||
sur un site protégé.</li>
|
||||
</ul>Il est donc recommandé d'utiliser le mécanisme des
|
||||
groupes pour éviter de calculer de longues expressions à
|
||||
chaque requête:
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
^/<span class=
|
||||
"java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Dans la définition des groupes, vous
|
||||
pouvez au choix utiliser des filtres LDAP ou des expressions Perl ou
|
||||
encore mixer les deux. Les expressions Perl sont encadrées par {} :
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
group1 => (|(uid=xavier.guimard)(ou=unit1))
|
||||
group1 => <uid eq <span class=
|
||||
"java-quote">"xavier.guimard"</span> or $ou eq <span class=
|
||||
"java-quote">"unit1"</span>>
|
||||
group1 => (|(uid=xavier.guimard)<ou eq <span class=
|
||||
"java-quote">"unit1"</span>>)
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p class="paragraph"></p>Pour limiter les requêtes LDAP, il est
|
||||
conseillé d'utiliser les expressions Perl. Ainsi seuls 2
|
||||
sollicitations de l'annuaire sont nécessaires.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HTraC3A7abilitC3A9">Traçabilité</span></h4>
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id="HTracerlesaccC3A8sauportail">Tracer
|
||||
les accès au portail</span></h5>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG::Portal n'enregistre pas les
|
||||
événements de connexion par défaut, mais il est
|
||||
très facile de surcharger la méthode "log".
|
||||
|
||||
<h5 class="heading-1-1-1-1"><span id=
|
||||
"HTracerlesaccC3A8sauxapplications">Tracer les accès aux
|
||||
applications</span></h5>
|
||||
|
||||
<p class="paragraph"></p>Comme un Web-SSO ne peut interpréter le
|
||||
contenu des requêtes HTTP transmise aux applications
|
||||
protégées, il ne peut enregistrer au mieux que les URL. Et
|
||||
comme Apache le fait parfaitement, Lemonldap::NG::Handler(3) lui fournit
|
||||
le nom à enregistrer dans les journaux. Le paramètre
|
||||
optionnel "whatToTrace" indique la variable à utiliser ($uid par
|
||||
défaut).
|
||||
|
||||
<p class="paragraph"></p>La trace réelle doit être
|
||||
effectuée par l'application seule capable d'interpréter le
|
||||
résultat des transactions.
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG peut exporter des en-têtes
|
||||
HTTP aussi bien en utilisant Apache en reverse-proxy qu'en
|
||||
protégent directement les applications. Par défaut, le champ
|
||||
Auth-User est utilisé mais vous pouvez choisir les en-têtes
|
||||
que vous transmettez à chaque application séparemment. Les
|
||||
expressions définissant les en-têtes associent :
|
||||
|
||||
<ul class="star">
|
||||
<li>le nom d'en-tête,</li>
|
||||
|
||||
<li>une expression Perl utilisant les données de l'utilisateur
|
||||
(attributs, macros et groupes).</li>
|
||||
</ul>Exemple:
|
||||
|
||||
<ul class="star">
|
||||
<li>www1.domain.com :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
Auth-User => $uid
|
||||
Unit => $ou
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>www2.domain.com :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
Authorization => <span class=
|
||||
"java-quote">"Basic "</span>.encode_base64($employeeNumber.<span class=
|
||||
"java-quote">":dummy"</span>)
|
||||
Remote-IP => $ip
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HInstallation">Installation</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Attention :
|
||||
|
||||
<ul class="star">
|
||||
<li>Lemonldap::NG est un projet différent de Lemonldap et
|
||||
contient tous les éléments nécessaires à son
|
||||
utilisation et son administration. Ainsi les logiciels tel le module
|
||||
webmin de Lemonldap ne fonctionnent pas avec Lemonldap::NG.</li>
|
||||
|
||||
<li>L'agent de protection Apache ("handler") fonctionne à la fois
|
||||
avec les versions 1.3 et 2.x d'Apache, c'est à dire avec les
|
||||
versions 1 et 2 de mod_perl (mais pas avec mod_perl 1.99). Le portail et
|
||||
le l'interface d'administration ("manager") sont de simples CGI et
|
||||
peuvent donc fonctionner sur n'importe quel serveur compatible.</li>
|
||||
|
||||
<li>La configuration de Lemonldap::NG ne doit être
|
||||
éditée qu'avec l'interface d'administration à oins
|
||||
que vous ne sachiez exactement ce que vous faites. Les paramètres
|
||||
présentés dans ce document sont tous accessibles dans
|
||||
l'arbre de configuration.</li>
|
||||
</ul>Voir <span class="wikilink"><a href=
|
||||
"/xwiki/bin/view/NG/DocInstall">installation manuel</a></span> pour la
|
||||
documentation d'installation.
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HSystC3A8medestockagedessessions">Système de stockage des
|
||||
sessions</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG utilise 3 niveaux de cache pour les
|
||||
données des utilisateurs authentifiés :
|
||||
|
||||
<ul class="star">
|
||||
<li>un module Apache::Session:: <strong class="strong">au choix
|
||||
utilisé par le portail lemonldap::NG::Portal pour stocker les
|
||||
données après authentification,</strong></li>
|
||||
|
||||
<li>un module Cache::Cache au choix utilisé par l'agent
|
||||
Lemonldap::NG::Handler pour partager les données entre les
|
||||
threads et les processus d'Apache et bien sur entre les hôtes
|
||||
virtuels hébergés sur le même serveur,</li>
|
||||
|
||||
<li>les variables internes à l'agent Lemonldap::NG::Handler : si
|
||||
le même utilisateur utilise de nouveau le même thread ou
|
||||
processus, aucune requête n'est nécessaire pour calculer le
|
||||
droit d'accès. Ceci est particulièrement
|
||||
intéressant avec le système de connexions persistantes du
|
||||
protocole HTTP/1.1 (Keep-Alive).</li>
|
||||
</ul>Ainsi, le nombre de requêtes au cache principal est
|
||||
limité à 1 par utilisateur actif toutes les 10 minutes.
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG est très rapide, mais vous
|
||||
pouvez encore améliorer les performances en utilisnt un module
|
||||
Cache::Cache ne nécessitant pas d'accès au disque.
|
||||
|
||||
<h3 class="heading-1-1"><span id="HAuteur">Auteur</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Xavier Guimard, <x.guimard@free.fr>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HCopyrightetlicense">Copyright et
|
||||
license</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Copyright © 2005-2007 par Xavier Guimard
|
||||
<x.guimard@free.fr>
|
||||
|
||||
<p class="paragraph"></p>Ce logiciel est libre, vous pouvez le
|
||||
redistribuer et/ou le modifier sous les mêmes termes que Perl
|
||||
lui-même en version 5.8.4 ou à votre guise en version Perl 5
|
||||
supérieure.
|
||||
</div>
|
||||
</body>
|
||||
</html>
@ -1,247 +1,342 @@
|
|||
<html>
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<title>Lemonldap::NG</title>
|
||||
<meta name="ROBOTS" content="INDEX,FOLLOW">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<meta name="DESCRIPTION" content="Lemonldap::NG overview">
|
||||
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG">
|
||||
<meta name="generator" content=
|
||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
||||
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id=
|
||||
"HLemonLDAP3A3ANG">LemonLDAP::NG</span></h2>
|
||||
|
||||
<h1 style="text-align: center;">Lemonldap::NG</h1>
|
||||
<p class="paragraph"></p>Lemonldap::NG is a modular Web-SSO based on
|
||||
Apache::Session modules. It simplifies the build of a protected area with
|
||||
a few changes in the application. It manages both authentication and
|
||||
authorization and provides headers for accounting. So you can have a full
|
||||
AAA protection for your web space as described below.
|
||||
|
||||
<p> Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||
simplifies the build of a protected area with a few changes in the application.
|
||||
It manages both authentication and authorization and provides headers for
|
||||
accounting. So you can have a full AAA protection for your web space as
|
||||
described below.</p>
|
||||
<p class="paragraph"></p>Lemonldap::NG is a complete rewrite of Lemonldap.
|
||||
All components needed to use it and to aminister it are included in the
|
||||
tarball. Contrary, all modules developed for Lemonldap may not work with
|
||||
Lemonldap::NG.
|
||||
|
||||
<ol type="1">
|
||||
<li><a href="#aaa">Authentication, Authorization and Accounting mechanisms</a></li>
|
||||
<li><a href="#inst">Installation</a></li>
|
||||
<li><a href="#storage">Session storage system</a></li>
|
||||
<li><a href="#logout">Logout system</a></li>
|
||||
<li><a href="#author">Author</a></li>
|
||||
<li><a href="#copyright">Copyright and licence</a></li>
|
||||
</ol>
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<ol type="I">
|
||||
<h2><li><a name="aaa">Authentication, Authorization and Accounting mechanisms</a></li></h2>
|
||||
<ul>
|
||||
<li>
|
||||
<a href=
|
||||
"#HAuthentication2CAuthorizationandAccountingmechanisms">Authentication,
|
||||
Authorization and Accounting mechanisms</a>
|
||||
|
||||
<ol type="1">
|
||||
<h3><li>Authentication</li></h3>
|
||||
<ul>
|
||||
<li><a href="#HAuthentication">Authentication</a></li>
|
||||
|
||||
<p>If a user isn't authenticated and attemps to connect to an area protected by a
|
||||
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
|
||||
authenticates user with a ldap bind by default, but you can also use another
|
||||
authentication sheme like using x509 user certificates (see
|
||||
Lemonldap::NG::Portal::AuthSSL(3) for more).</p>
|
||||
<li>
|
||||
<a href="#HAuthorization">Authorization</a>
|
||||
|
||||
<p>Lemonldap::NG use session cookies generated by Apache::Session so as secure
|
||||
as a 128-bit random cookie. You may use the securedCookie options to avoid
|
||||
session hijacking.</p>
|
||||
<ul>
|
||||
<li><a href="#HPerformance">Performance</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<p>You have to manage life of sessions by yourself since Lemonldap::NG knows
|
||||
nothing about the L<Apache::Session> module you've choosed, but it's very easy
|
||||
using a simple cron script because Lemonldap::NG::Portal stores the start
|
||||
time in the _utime field.<br>
|
||||
By default, a session stay 10 minutes in the local storage, so in the worth
|
||||
case, a user is authorized 10 minutes after he lost his rights.</p>
|
||||
<li>
|
||||
<a href="#HAccounting">Accounting</a>
|
||||
|
||||
<h3><li>Authorization</li></h3>
|
||||
<ul>
|
||||
<li><a href="#HLoggingportalaccess">Logging portal
|
||||
access</a></li>
|
||||
|
||||
<p>Authorization is controled only by handlers because the portal knows nothing
|
||||
about the way the user will choose. When configuring your Web-SSO, you have to:</p>
|
||||
<li><a href="#HLoggingapplicationaccess">Logging application
|
||||
access</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<ul type="disc">
|
||||
<li> choose the ldap attributes you want to use to manage accounting and
|
||||
authorization.</li>
|
||||
<li> create Perl expressions to define user groups (using ldap attributes)</li>
|
||||
<li> create an array foreach virtual host associating URI regular expressions and
|
||||
Perl expressions to use to grant access.</li>
|
||||
</ul>
|
||||
<li><a href="#HInstallation">Installation</a></li>
|
||||
|
||||
<p>Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored) :</p>
|
||||
<li><a href="#HSessionstoragesystem">Session storage system</a></li>
|
||||
|
||||
<ul>
|
||||
<li> Exported variables :
|
||||
<pre>
|
||||
<li><a href="#HAuthor">Author</a></li>
|
||||
|
||||
<li><a href="#HCopyrightandlicence">Copyright and licence</a></li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HAuthentication2CAuthorizationandAccountingmechanisms">Authentication,
|
||||
Authorization and Accounting mechanisms</span></h3>
|
||||
|
||||
<p class="paragraph"></p>All parameters described here can be edited by
|
||||
the administration interface (See <span class="wikiexternallink"><a href=
|
||||
"http://lemonldap.objectweb.org/NG/ManagerDemo/en/">Manager
|
||||
demonstration</a></span>).
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HAuthentication">Authentication</span></h4>
|
||||
|
||||
<p class="paragraph"></p>If a user isn't authenticated and attemps to
|
||||
connect to an area protected by a Lemonldap::NG compatible handler, he is
|
||||
redirected to a portal. The portal authenticates user with a ldap bind by
|
||||
default, but you can also use another authentication sheme like using x509
|
||||
user certificates (see Lemonldap::NG::Portal::AuthSSL(3) for more).
|
||||
|
||||
<p class="paragraph"></p>Lemonldap use session cookies generated by
|
||||
Apache::Session so as secure as a 128-bit random cookie. You may use the
|
||||
securedCookie options to avoid session hijacking.
|
||||
|
||||
<p class="paragraph"></p>You have to manage life of sessions by yourself
|
||||
since Lemonldap::NG knows nothing about the L module you've choosed, but
|
||||
it's very easy using a simple cron script because Lemonldap::NG::Portal
|
||||
stores the start time in the _utime field.
|
||||
|
||||
<p class="paragraph"></p>By default, a session stay 10 minutes in the
|
||||
local storage, so in the worth case, a user is authorized 10 minutes after
|
||||
he lost his rights.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HAuthorization">Authorization</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Authorization is controled only by handlers
|
||||
because the portal knows nothing about the way the user will choose. When
|
||||
configuring your Web-SSO, you have to:
|
||||
|
||||
<ul class="star">
|
||||
<li>choose the ldap attributes you want to use to manage accounting and
|
||||
authorization.</li>
|
||||
|
||||
<li>create Perl expressions to define user groups (using ldap
|
||||
attributes)</li>
|
||||
|
||||
<li>create an array foreach virtual host associating URI regular
|
||||
expressions and Perl expressions to use to grant access.</li>
|
||||
</ul>Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration
|
||||
is stored) :
|
||||
|
||||
<ul class="star">
|
||||
<li>Exported variables :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
# Custom-Name => LDAP attribute
|
||||
cn => cn
|
||||
departmentUID => departmentUID
|
||||
login => uid
|
||||
</pre></li>
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<li> User groups :
|
||||
<pre>
|
||||
<ul class="star">
|
||||
<li>User groups :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
# Custom-Name => group definition
|
||||
group1 => { $departmentUID eq "unit1" or $login = "user1" }
|
||||
</pre></li>
|
||||
|
||||
<li> Area protection:
|
||||
<pre>
|
||||
# Each VirtualHost has its own configuration
|
||||
# associating URL regexp to Perl expression
|
||||
* www1.domain.com :
|
||||
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
||||
default => accept
|
||||
},
|
||||
* www2.domain.com :
|
||||
^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
|
||||
^/(js|css) => accept
|
||||
default => deny
|
||||
</pre></li>
|
||||
</ul>
|
||||
|
||||
<ol type="a">
|
||||
<h4><li>Performance</li></h4>
|
||||
|
||||
<p>You can use Perl expressions as complicated as you want and you can use all
|
||||
the exported LDAP attributes (and create your own attributes: with 'macros'
|
||||
mechanism) in groups evaluations, area protections or custom HTTP headers
|
||||
(you just have to call them with a "$").</p>
|
||||
|
||||
<p>You have to be careful when choosing your expressions:</p>
|
||||
|
||||
<ul>
|
||||
<li> groups and macros are evaluated each time a user is redirected to the portal,</li>
|
||||
<li> virtual host rules and exported headers are evaluated for each request on a
|
||||
protected area.</li>
|
||||
</ul>
|
||||
|
||||
<p>It is also recommanded to use the groups mechanism to avoid having to evaluate
|
||||
a long expression at each HTTP request :</p>
|
||||
|
||||
<pre>
|
||||
# Virtual hosts :
|
||||
...
|
||||
www1.domain.com :
|
||||
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
||||
group1 => { $departmentUID eq <span class=
|
||||
"java-quote">"unit1"</span> or $login = <span class=
|
||||
"java-quote">"user1"</span> }
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p>You can also use LDAP filters, or Perl expression or mixed expressions in
|
||||
groups definitions. Perl expressions has to be enclosed with {} :</p>
|
||||
<ul class="star">
|
||||
<li>Area protection: each VirtualHost has its own configuration
|
||||
associating URL regexp to Perl expression
|
||||
|
||||
<pre>
|
||||
* group1 => (|(uid=xavier.guimard)(ou=unit1))
|
||||
* group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
|
||||
* group1 => (|(uid=xavier.guimard){$ou eq "unit1"})
|
||||
<ul class="star">
|
||||
<li>www1.domain.com :</li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
^/<span class="java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
||||
<span class="java-keyword">default</span> => accept
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p>It is also recommanded to use Perl expressions to avoid requiering the LDAP
|
||||
server more than 2 times per authentication.</p>
|
||||
<ul class="star">
|
||||
<li>www2.domain.com :</li>
|
||||
</ul>
|
||||
|
||||
</ol>
|
||||
<h3><li>Accounting</li></h3>
|
||||
|
||||
<ol type="a">
|
||||
<h4><li>Logging portal access</li></h4>
|
||||
|
||||
<p>Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
|
||||
overload log method for normal portal access.</p>
|
||||
|
||||
<h4><li>Logging application access</li></h4>
|
||||
|
||||
<p>Because a Web-SSO knows nothing about the protected application, it can't do
|
||||
more than logging URL. As Apache does this fine, Lemonldap::NG::Handler(3)
|
||||
gives it the name to used in logs. The whatToTrace parameter indicates
|
||||
which variable Apache has to use ($uid by default).</p>
|
||||
|
||||
<p>The real accounting has to be done by the application itself which knows the
|
||||
result of SQL transaction for example.</p>
|
||||
|
||||
<p>Lemonldap::NG can export HTTP headers either using a proxy or protecting
|
||||
directly the application. By default, the Auth-User field is used but you can
|
||||
change it using the exportedHeaders parameters (in the Manager, each virtual
|
||||
host as custom headers branch). This parameters contains an associative array
|
||||
per virtual host :</p>
|
||||
|
||||
<ul>
|
||||
<li> keys are the names of the choosen headers,</li>
|
||||
<li> values are Perl expressions where you can use user datas stored in the
|
||||
global storage.</li>
|
||||
</ul>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
<pre>
|
||||
* www1.domain.com :
|
||||
Auth-User => $uid
|
||||
Unit => $ou
|
||||
* www2.domain.com :
|
||||
Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
|
||||
Remote-IP => $ip
|
||||
<div class="code">
|
||||
<pre>
|
||||
^/site/.*$ => $uid eq <span class=
|
||||
"java-quote">"admin"</span> or $groups =~ /bgroup2b/
|
||||
^/(js|css) => accept
|
||||
<span class="java-keyword">default</span> => deny
|
||||
</pre>
|
||||
</ol>
|
||||
</ol>
|
||||
</div>
|
||||
|
||||
<h2><li><a name="inst">Installation</a></li></h2>
|
||||
<h5 class="heading-1-1-1-1"><span id=
|
||||
"HPerformance">Performance</span></h5>
|
||||
|
||||
<p><b>Warnings :</b></p>
|
||||
<ul>
|
||||
<li><p> Lemonldap::NG is a different project than Lemonldap and contains all you need
|
||||
to use and administer it. So softwares, like Lemonldap webmin module, may not
|
||||
work with Lemonldap::NG.</p></li>
|
||||
<p class="paragraph"></p>You can use Perl expressions as complicated as
|
||||
you want and you can use all the exported LDAP attributes (and create your
|
||||
own attributes: with 'macros' mechanism) in groups evaluations, area
|
||||
protections or custom HTTP headers (you just have to call them with a
|
||||
"$").
|
||||
|
||||
<li><p>The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
|
||||
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
|
||||
act as CGI, so they can work everywhere.</p></li>
|
||||
<li><p>Lemonldap::NG configuration has to be edited using the manager unless
|
||||
you know exactly what you are doing. The parameters discussed below are all in
|
||||
the configuration tree.</p></li>
|
||||
</ul>
|
||||
<p class="paragraph"></p>ou have to be careful when choosing your
|
||||
expressions:
|
||||
|
||||
<p>See <a href="install.html">INSTALL file</a> for a complete installation documentation.</p>
|
||||
<ul class="star">
|
||||
<li>groups and macros are evaluated each time a user is redirected to
|
||||
the portal,</li>
|
||||
|
||||
<h2><li><a name="storage">Session storage system</a></li></h2>
|
||||
<li>virtual host rules and exported headers are evaluated for each
|
||||
request on a protected area.</li>
|
||||
</ul>It is also recommanded to use the groups mechanism to avoid having to
|
||||
evaluate a long expression at each HTTP request :
|
||||
|
||||
<p>Lemonldap::NG use 3 levels of cache for authenticated users :</p>
|
||||
<div class="code">
|
||||
<pre>
|
||||
^/<span class=
|
||||
"java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul>
|
||||
<li> an Apache::Session::* module used by lemonldap::NG::Portal to store
|
||||
authenticated user parameters,</li>
|
||||
<li> a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
|
||||
users between Apache's threads or processus and of course between virtual
|
||||
hosts on the same machine,</li>
|
||||
<li> Lemonldap::NG::Handler variables : if the same user use the same thread or
|
||||
processus a second time, no request are needed to grant or refuse access.
|
||||
This is very efficient with HTTP/1.1 Keep-Alive system.</li>
|
||||
</ul>
|
||||
<p class="paragraph"></p>You can also use LDAP filters, or Perl expression
|
||||
or mixed expressions in groups definitions. Perl expressions has to be
|
||||
enclosed with {} :
|
||||
|
||||
<p>So the number of request to the central storage is limited to 1 per active
|
||||
user each 10 minutes.</p>
|
||||
<div class="code">
|
||||
<pre>
|
||||
group1 => (|(uid=xavier.guimard)(ou=unit1))
|
||||
group1 => <uid eq <span class=
|
||||
"java-quote">"xavier.guimard"</span> or $ou eq <span class=
|
||||
"java-quote">"unit1"</span>>
|
||||
group1 => (|(uid=xavier.guimard)<ou eq <span class=
|
||||
"java-quote">"unit1"</span>>)
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<p>Lemonldap::NG is very fast, but you can increase performance using a
|
||||
Cache::Cache module that does not use disk access.</p>
|
||||
<p class="paragraph"></p>It is also recommanded to use Perl expressions to
|
||||
avoid requiering the LDAP server more than 2 times per authentication.
|
||||
|
||||
<h2><li><a name="logout">Logout system</a></li></h2>
|
||||
<h4 class="heading-1-1-1"><span id="HAccounting">Accounting</span></h4>
|
||||
|
||||
<p>Lemonldap::NG provides a single logout system : you can use it by
|
||||
adding a link to the portal with "logout=1" parameter in the portal (See
|
||||
Lemonldap::NG::Portal(3)) and/or by configuring handler to intercept some URL
|
||||
(See Lemonldap::NG::Handler(3)). The logout system:
|
||||
<h5 class="heading-1-1-1-1"><span id="HLoggingportalaccess">Logging portal
|
||||
access</span></h5>
|
||||
|
||||
<ul>
|
||||
<li> delete session in the global session storage,</li>
|
||||
<li> replace Lemonldap::NG cookie by '',</li>
|
||||
<li> delete handler caches only if logout action was started from a
|
||||
protected application and only in the current Apache server. So in other
|
||||
servers, session is still in cache for 10 minutes maximum if the user was
|
||||
connected on it in the last 10 minutes.</li>
|
||||
</ul>
|
||||
<p class="paragraph"></p>Lemonldap::NG::Portal doesn't log anything by
|
||||
default, but it's easy to overload log method for normal portal access.
|
||||
|
||||
<h2><li><a name="author">Author</a></li></h2>
|
||||
<h5 class="heading-1-1-1-1"><span id="HLoggingapplicationaccess">Logging
|
||||
application access</span></h5>
|
||||
|
||||
<p>Xavier Guimard, <x.guimard@free.fr>
|
||||
<p class="paragraph"></p>Because a Web-SSO knows nothing about the
|
||||
protected application, it can't do more than logging URL. As Apache does
|
||||
this fine, Lemonldap::NG::Handler(3) gives it the name to used in logs.
|
||||
The whatToTrace parameter indicates which variable Apache has to use ($uid
|
||||
by default).
|
||||
|
||||
<h2><li><a name="copyright">Copyright and licence</a></li></h2>
|
||||
<p class="paragraph"></p>The real accounting has to be done by the
|
||||
application itself which knows the result of SQL transaction for example.
|
||||
|
||||
<p>Copyright © 2005-2007 by Xavier Guimard <x.guimard@free.fr></p>
|
||||
<p class="paragraph"></p>Lemonldap::NG can export HTTP headers either
|
||||
using a proxy or protecting directly the application. By default, the
|
||||
Auth-User field is used but you can change it using the exportedHeaders
|
||||
parameters (in the Manager, each virtual host as custom headers branch).
|
||||
This parameters contains an associative array per virtual host :
|
||||
|
||||
<p>This library is free software; you can redistribute it and/or modify
|
||||
it under the same terms as Perl itself, either Perl version 5.8.4 or,
|
||||
at your option, any later version of Perl 5 you may have available.</p>
|
||||
<ul class="star">
|
||||
<li>keys are the names of the choosen headers,</li>
|
||||
|
||||
</ol>
|
||||
<li>values are Perl expressions where you can use user datas stored in
|
||||
the global storage.</li>
|
||||
</ul>Example:
|
||||
|
||||
<ul class="star">
|
||||
<li>www1.domain.com :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
Auth-User => $uid
|
||||
Unit => $ou
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<ul class="star">
|
||||
<li>www2.domain.com :</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
<pre>
|
||||
Authorization => <span class=
|
||||
"java-quote">"Basic "</span>.encode_base64($employeeNumber.<span class=
|
||||
"java-quote">":dummy"</span>)
|
||||
Remote-IP => $ip
|
||||
</pre>
|
||||
</div>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HInstallation">Installation</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Warnings :
|
||||
|
||||
<ul class="star">
|
||||
<li>Lemonldap::NG is a different project than Lemonldap and contains all
|
||||
you need to use and administer it. So softwares, like Lemonldap webmin
|
||||
module, may not work with Lemonldap::NG.</li>
|
||||
|
||||
<li>The Apache module part (Lemonldap::NG::Handler) works both with
|
||||
Apache 1.3.x and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99).
|
||||
Portal and Manager act as CGI, so they can work everywhere.</li>
|
||||
|
||||
<li>Lemonldap::NG configuration has to be edited using the manager
|
||||
unless you know exactly what you are doing. The parameters discussed
|
||||
below are all in the configuration tree.</li>
|
||||
</ul>See <span class="wikilink"><a href=
|
||||
"/xwiki/bin/view/NG/DocInstall">installation manuel</a></span> for a
|
||||
complete installation documentation.
|
||||
|
||||
<h3 class="heading-1-1"><span id="HSessionstoragesystem">Session storage
|
||||
system</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG use 3 levels of cache for
|
||||
authenticated users :
|
||||
|
||||
<ul class="star">
|
||||
<li>an Apache::Session:: <strong class="strong">module used by
|
||||
lemonldap::NG::Portal to store authenticated user
|
||||
parameters,</strong></li>
|
||||
|
||||
<li>a Cache::Cache module used by Lemonldap::NG::Handler to share
|
||||
authenticated users between Apache's threads or processus and of course
|
||||
between virtual hosts on the same machine,</li>
|
||||
|
||||
<li>Lemonldap::NG::Handler variables : if the same user use the same
|
||||
thread or processus a second time, no request are needed to grant or
|
||||
refuse access. This is very efficient with HTTP/1.1 Keep-Alive
|
||||
system.</li>
|
||||
</ul>So the number of request to the central storage is limited to 1 per
|
||||
active user each 10 minutes.
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG is very fast, but you can increase
|
||||
performance using a Cache::Cache module that does not use disk access.
|
||||
|
||||
<h3 class="heading-1-1"><span id="HAuthor">Author</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Xavier Guimard, <x.guimard@free.fr>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HCopyrightandlicence">Copyright and
|
||||
licence</span></h3>
|
||||
|
||||
<p class="paragraph"></p>Copyright © 2005-2007 by Xavier Guimard
|
||||
<x.guimard@free.fr>
|
||||
|
||||
<p class="paragraph"></p>This library is free software; you can
|
||||
redistribute it and/or modify it under the same terms as Perl itself,
|
||||
either Perl version 5.8.4 or, at your option, any later version of Perl 5
|
||||
you may have available.
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
#!/usr/bin/perl
|
||||
|
||||
use strict;
|
||||
use XML::Simple;
|
||||
use utf8;
|
||||
|
||||
my $docs = {
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=fr' => 'faq-fr.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=en' => 'overview.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=fr' => 'overview-fr.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstallExample?language=en' => 'install.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstallExample?language=fr' => 'install-fr.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstall?language=en' => 'advanced-install.html',
|
||||
};
|
||||
|
||||
while ( my ( $url, $file ) = each %$docs ) {
|
||||
open DOC, "wget -q -O - $url |";
|
||||
|
||||
#open DOC, '/tmp/doc';
|
||||
|
||||
my $buf;
|
||||
my $ind = 0;
|
||||
my $div;
|
||||
while (<DOC>) {
|
||||
$ind++ if (/<div class="main-content">/);
|
||||
next unless ($ind);
|
||||
$div++ if (/<div/);
|
||||
$div-- if (/<\/div/);
|
||||
$ind-- unless ($div);
|
||||
s/\r//g;
|
||||
utf8::decode($_);
|
||||
$buf .= $_;
|
||||
}
|
||||
close DOC;
|
||||
|
||||
open FILE, "|tidy -u -c -i -wrap 79 >$file";
|
||||
print FILE '<?xml version="1.0" encoding="UTF-8" ?>
|
||||
<!DOCTYPE html PUBLIC "XHTML 1.0 Strict"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
|
||||
</head>
|
||||
<body>
|
||||
';
|
||||
print FILE "$buf</body></html>";
|
||||
close FILE;
|
||||
}
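Review bot: Both process opens in the loop are unchecked two-argument shell pipes: `open DOC, "wget -q -O - $url |"` and `open FILE, "|tidy -u -c -i -wrap 79 >$file"` silently produce an empty or truncated HTML file when wget or tidy is missing or fails, and the fetch goes through the shell even though list form is available. Prefer `open my $doc, '-|', 'wget', '-q', '-O', '-', $url or die "wget $url: $!";` with `close $doc or warn "wget $url exited with $?";`, and add `or die "tidy > $file: $!"` to the tidy open so a failed fetch cannot overwrite a previously good file with nothing. The emitted prologue hard-codes `lang="fr"` and `<title>FAQ LEMONLDAP::NG</title>` for every entry in `%$docs`, including the `language=en` pages, so the language and title should be derived from the URL/file name. Since these pages are fetched over plain HTTP at build time and shipped as project documentation with no integrity check, whatever the wiki or the network path serves ends up in the package; a comment on `$docs` noting that the output must be reviewed before commit would make that trust boundary explicit. `use XML::Simple` is unused and `use warnings` is missing next to `use strict`.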
|
|
@ -7,9 +7,9 @@ __PACKAGE__->init ( {
|
|||
localStorageOptions => {
|
||||
'namespace' => 'MyNamespace',
|
||||
'default_expires_in' => 600,
|
||||
'directory_umask' => '007',
|
||||
'cache_root' => '/tmp',
|
||||
'cache_depth' => 5,
|
||||
'directory_umask' => '007',
|
||||
'cache_root' => '/tmp',
|
||||
'cache_depth' => 5,
|
||||
},
|
||||
|
||||
configStorage => {
|
||||
|
|
|
@ -332,7 +332,7 @@ sub print_upload {
|
|||
}
|
||||
|
||||
sub upload {
|
||||
my $self = shift;
|
||||
my $self = shift;
|
||||
my $config = $self->tree2conf(@_);
|
||||
return SYNTAX_ERROR unless( $self->checkConf($config) );
|
||||
return $self->config->saveConf($config);
|
||||
|
|
|
@ -81,7 +81,8 @@ sub javascript {
|
|||
newRule newHeader httpHeaders waitingResult unknownError
|
||||
configurationWasChanged configLoaded warningConfNotApplied
|
||||
applyConf prevConf lastConf nextConf deleteVirtualHost
|
||||
areYouSure syntaxError deleteConf confirmDeleteConf)) {
|
||||
areYouSure syntaxError deleteConf confirmDeleteConf
|
||||
invalidVirtualHostName)) {
|
||||
$text{$_} = &{"txt_$_"};
|
||||
$text{$_} =~s/'/\\'/g;
|
||||
}
|
||||
|
@ -127,7 +128,7 @@ function onNodeSelect(nodeId) {
|
|||
switch(tree.getUserData(nodeId,"modif")) {
|
||||
case 'text':
|
||||
k='valeur';
|
||||
v='<input value="'+nodeId+'" onChange="tree.setItemText('+"'"+nodeId+"'"+',this.value.replace(/^([^a-z])/i,\\'z\$1\\'));tree.changeItemId('+"'"+nodeId+"'"+',this.value);">';
|
||||
v='<input value="'+nodeId+'" onChange="var tmp=this.value.replace(/^([^a-z])/i,\\'z\$1\\');tmp=tmp.replace(/^([a-zA-Z0-9_\\.\\-]*).*\$/,\\'\$1\\');tree.setItemText('+"'"+nodeId+"'"+',tmp);tree.changeItemId('+"'"+nodeId+"'"+',tmp);this.value=tmp">';
|
||||
break;
|
||||
case 'both':
|
||||
k='<input value="'+tree.getItemText(nodeId)+'" onChange="tree.setItemText('+"'"+nodeId+"'"+',this.value.replace(/^([^a-z])/i,\\'z\$1\\'))">';
|
||||
|
@ -240,6 +241,10 @@ function insertNewChild(a,b,c) {
|
|||
function newVirtualHost() {
|
||||
var rep=prompt("$text{newVirtualHost}");
|
||||
if(rep) {
|
||||
if(!rep.match(/^\\w[\\w\\.\\-]*\\w\$/)){
|
||||
alert('$text{invalidVirtualHostName}');
|
||||
return 0;
|
||||
}
|
||||
insertNewChild('virtualHosts',rep,rep)
|
||||
tree.setUserData(rep,'modif','text');
|
||||
insertNewChild(rep,rep+'_exportedHeaders','$text{httpHeaders}');
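Review bot: The virtual host name check added in `newVirtualHost()` (`rep.match(/^\\w[\\w\\.\\-]*\\w\$/)`) and the silent rewrite in the `case 'text'` input handler of `onNodeSelect` live only in the generated browser JavaScript, so the name reaches `upload`/`checkConf` unvalidated; the same rule needs to be enforced server-side in `checkConf` (the `sub upload` hunk above) before `saveConf` is called, since the posted tree is under the client's control. The two client-side rules also disagree: the prompt rejects names that do not match `^\w[\w.-]*\w$` (two characters minimum), while the edit handler truncates at the first character outside `[a-zA-Z0-9_.-]` and accepts the result, so a single shared pattern, e.g. `my $vhost_re = qr/^[a-z0-9][a-z0-9.-]*[a-z0-9]$/i;` defined once in Perl and interpolated into both JS snippets, would keep manager and server consistent. Note that `\w` admits `_`, which does not occur in DNS host names, so the server-side pattern is probably the stricter one to keep. The enclosing `sub javascript` starts before the first hunk and its string literal continues past this one.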
|
||||
|
|
|
@ -94,6 +94,7 @@ sub fr {
|
|||
confirmDeleteConf => "Vous allez effacer cette configuration. Confirmez-vous ?",
|
||||
configurationDeleted => 'Configuration éffacée',
|
||||
configurationNotDeleted => 'Configuration non éffacée',
|
||||
invalidVirtualHostName => "Nom de d'hôte virtuel incorrect",
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -157,5 +158,6 @@ sub en {
|
|||
confirmDeleteConf => "You're going to delete configuration. Do you confirm ?",
|
||||
configurationDeleted => 'Configuration deleted',
|
||||
configurationNotDeleted => 'Configuration not deleted',
|
||||
invalidVirtualHostName => 'Invalid virtual host name',
|
||||
};
|
||||
}
|
||||
|
|
|
@ -7,7 +7,7 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
|||
configStorage => {
|
||||
type => 'File',
|
||||
dirName => '__CONFDIR__',
|
||||
}
|
||||
},
|
||||
}
|
||||
);
|
||||
|
||||
|
|