LEMONLDAP::NG : more documentation and virtual host names control

Xavier Guimard 2007-05-11 07:52:19 +00:00
parent e72c18ccd1
commit 046b90dbd9
17 changed files with 1828 additions and 550 deletions


@ -154,3 +154,6 @@ static_example: example
cd ${EXAMPLEDIRBUILD}/static/;ln -s ../manager/imgs;cd -
scripts/make_static_example.pl ${EXAMPLEDIRBUILD}/manager/index.pl ${EXAMPLEDIRBUILD}/static/index.html $(EXAMPLELANG)
documentation:
cd doc && ../scripts/doc.pl


@ -24,3 +24,5 @@ Order rules :
Documentation :
* Translate FAQ in English (http://lemonldap.objectweb.org/)
* Security document
* AD Howto
* apply.conf Howto


@ -1,3 +1,10 @@
lemonldap-ng (0.8.2.1) unstable; urgency=low
* More documentation
* Virtual host names control
-- Xavier Guimard <x.guimard@free.fr> Fri, 11 May 2007 09:49:20 +0200
lemonldap-ng (0.8.2) unstable; urgency=low
* Little bug fix if whatToTrace parameter is not defined and display it in


@ -7,14 +7,14 @@ our $configStorage;
BEGIN {
open F, '/etc/lemonldap-ng/storage.conf' or die "/etc/lemonldap-ng/storage.conf: $!";
while(<F>) {
next if(/^\s*$/ or /^\s*#/);
chomp;
/^\s*([\w]+)[\s=:]+(["']?)([\S].*[\S])\2.*$/ or next;
$configStorage->{$1} = $3;
my $k = $1;
if($configStorage->{$k} =~ /^([{\[]).*[}\]]$/) {
eval "\$configStorage->{$k} = $configStorage->{$k}";
}
next if(/^\s*$/ or /^\s*#/);
chomp;
/^\s*([\w]+)\s*[=:]\s*(["']?)([\S].*[\S])\2.*$/ or next;
$configStorage->{$1} = $3;
my $k = $1;
if($configStorage->{$k} =~ /^([{\[]).*[}\]]$/) {
eval "\$configStorage->{$k} = $configStorage->{$k}";
}
}
close F;
}
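Review bot: The new `eval "\$configStorage->{$k} = $configStorage->{$k}";` (like the line it replaces) never inspects `$@`, so a value that is not valid Perl is silently left as the raw string and only fails later when the code expects a hashref or arrayref; add `die "/etc/lemonldap-ng/storage.conf: cannot parse $k: $@" if $@;` directly after it. Because any value starting with `{` or `[` is executed as Perl at compile time, the file's ownership and mode are the trust boundary for the whole process, which deserves a comment above the loop such as `# {...} / [...] values are eval'd as Perl: storage.conf must be root-owned and not group/world-writable`. The new pattern `([\S].*[\S])` still requires at least two characters, so a one-character value is dropped by `or next` without any warning. The `open F, '/etc/lemonldap-ng/storage.conf'` at the top of the hunk is a two-arg open on a bareword handle; the literal path keeps it safe here, but `open my $fh, '<', '/etc/lemonldap-ng/storage.conf' or die ...` with a lexical handle is the preferred form.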


@ -23,6 +23,8 @@
# type = SOAP
# proxy = https://manager.example.com/soapmanager.pl
# proxyOptions = { timeout => 5 }
# User = lemonldap
# Password = mypassword
type = File
dirName = /var/lib/lemonldap-ng/conf
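Review bot: `# Password = mypassword` documents a credential held in clear text in a file that, judging by the `type = File` / `dirName = /var/lib/lemonldap-ng/conf` keys, appears to be the storage.conf read at compile time elsewhere in this commit; the `User`/`Password` lines are presumably the two additions the header counts. The example should tell the administrator what that implies, for instance `# User/Password are read in clear text: restrict this file's permissions to the service account`. Without that hint the sample value tends to be copied as-is into a world-readable file.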


@ -0,0 +1,377 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HADVANCEDINSTALLATION">ADVANCED
INSTALLATION</span></h2>
<p class="paragraph"></p><strong class="strong">Warning:</strong> This
document is written for people who know Lemonldap::NG. For other people,
it is recommended to build the <span class="wikilink"><a href=
"/xwiki/bin/view/NG/DocInstallExample">example</a></span> provided in the
source and next to adapt it to local installation.
<p class="paragraph"></p>
<ul>
<li>
<a href="#HPREREQ">PREREQ</a>
<ul>
<li><a href="#HApache">Apache</a></li>
<li><a href="#HPerlprereq">Perl prereq</a></li>
</ul>
</li>
<li><a href="#HSOFTWAREINSTALLATION">SOFTWARE INSTALLATION</a></li>
<li>
<a href="#HLEMONLDAPINSTALLATION">LEMONLDAP INSTALLATION</a>
<ul>
<li>
<a href="#HDatabaseconfiguration">Database configuration</a>
<ul>
<li><a href=
"#HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG
Configuration database</a></li>
<li><a href="#HApache3A3ASessiondatabase">Apache::Session
database</a></li>
</ul>
</li>
<li><a href="#HManagerconfiguration">Manager configuration</a></li>
<li>
<a href="#HConfigurationedition">Configuration edition</a>
<ul>
<li><a href="#HGeneralparameters">General parameters</a></li>
<li><a href="#HUsergroups">User groups</a></li>
<li><a href="#HVirtualhosts">Virtual hosts</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h3 class="heading-1-1"><span id="HPREREQ">PREREQ</span></h3>
<h4 class="heading-1-1-1"><span id="HApache">Apache</span></h4>
<p class="paragraph"></p>To use Lemonldap::NG, you have to run a LDAP
server and of course an Apache server compiled with mod-perl (version 1.3
or 2.x). Generaly, the version of Apache proposed with your Linux
distribution match, but some distributions used an experimental version of
mod_perl with Apache2 (mod_perl-1.99) which does not work with
Lemonldap::NG. With such distributions (like Debian-3.1), you have to use
Apache-1.3 or to use a mod_perl backport (www.backports.org package for
Debian works fine).
<p class="paragraph"></p>For Apache2, you can use both mpm-worker and
mpm-prefork. Mpm-worker works faster and Lemonldap::NG use the thread
system for best performance. If you have to use mpm-prefork (for example
if you use PHP), Lemonldap::NG will work anyway.
<p class="paragraph"></p>You can use Lemonldap::NG in an heterogene world:
the authentication portal and the manager can work in any version of
Apache 1.3 or more even if mod_perl is not compiled, with
ModPerl::Registry or not&hellip; Only the handler (site protector) need
mod_perl. The different handlers can run on different servers with
different versions of Apache/mod_perl.
<h4 class="heading-1-1-1"><span id="HPerlprereq">Perl prereq</span></h4>
<p class="paragraph"></p>Perl modules: Apache::Session, Net::LDAP,
MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI, XML::Simple
<p class="paragraph"></p>With Debian:
<p class="paragraph"></p>
<div class="code">
<pre>
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl &#13;
libdbi-perl perl-modules libwww-perl libcache-cache-perl &#13;
libxml-simple-perl
</pre>
</div>
<p class="paragraph"></p>Portal:
<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
DBI
<p class="paragraph"></p>With Debian:
<p class="paragraph"></p>
<div class="code">
<pre>
apt-get install libapache-session-perl libnet-ldap-perl libdbi-perl &#13;
perl-modules
</pre>
</div>
<p class="paragraph"></p>Handler:
<p class="paragraph"></p>Apache::Session, LWP::UserAgent, Cache::Cache,
DBI
<p class="paragraph"></p>With Debian:
<p class="paragraph"></p>
<div class="code">
<pre>
apt-get install libapache-session-perl libdbi-perl libwww-perl &#13;
libcache-cache-perl
</pre>
</div>
<p class="paragraph"></p>Manager:
<p class="paragraph"></p>CGI, XML::Simple, DBI
<p class="paragraph"></p>With Debian:
<p class="paragraph"></p>
<div class="code">
<pre>
apt-get install perl-modules libxml-simple-perl
</pre>
</div>
<h3 class="heading-1-1"><span id="HSOFTWAREINSTALLATION">SOFTWARE
INSTALLATION</span></h3>
<p class="paragraph"></p>If you just want to install a handler or a portal
or a manager:
<p class="paragraph"></p>
<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
$ perl Makefile.PL &amp;&amp; make &amp;&amp; make test
$ sudo make install
</pre>
</div>
<p class="paragraph"></p>else for a complete install:
<p class="paragraph"></p>
<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make &amp;&amp; make test
$ sudo make install
</pre>
</div>
<p class="paragraph"></p>See prereq in
<h3 class="heading-1-1"><span id="HLEMONLDAPINSTALLATION">LEMONLDAP
INSTALLATION</span></h3>
<h4 class="heading-1-1-1"><span id="HDatabaseconfiguration">Database
configuration</span></h4>If you use DBI or another system to share
Lemonldap::NG configuration, you have to initialize the database.
<p class="paragraph"></p>For example, create the database "lemonldapng" :
<p class="paragraph"></p>
<div class="code">
<pre>
# mysqladmin create lemonldapng
</pre>
</div>
<h5 class="heading-1-1-1-1"><span id=
"HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG Configuration
database</span></h5>
<p class="paragraph"></p>To store configuration, use this table :
<p class="paragraph"></p>
<div class="code">
<pre>
CREATE TABLE lmConfig (
cfgNum <span class="java-object">int</span> not <span class=
"java-keyword">null</span> primary key,
locationRules text,
exportedHeaders text,
globalStorage text,
globalStorageOptions text,
macros text,
groups text,
portal text,
domain text,
ldapServer text,
ldapPort <span class="java-object">int</span>,
ldapBase text,
securedCookie <span class="java-object">int</span>,
cookieName text,
authentication text,
exportedVars text,
managerDn text,
managerPassword text,
whatToTrace text
);
</pre>
</div>
<h5 class="heading-1-1-1-1"><span id=
"HApache3A3ASessiondatabase">Apache::Session database</span></h5>
<p class="paragraph"></p>The choice of Apache::Session::* module is free.
See Apache::Session::Store::* or Apache::Session::* to know how to
configure the module. For example, if you want to use
Apache::Session::MySQL, you can create the database like this:
<p class="paragraph"></p>
<div class="code">
<pre>
CREATE TABLE sessions (
id <span class="java-object">char</span>(32),
a_session text
);
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HManagerconfiguration">Manager
configuration</span></h4>
<p class="paragraph"></p>Copy example/manager.cgi and personalize it if
you want (see Lemonldap::NG::Manager). You have to set in particular
configStorage. For example with MySQL:
<p class="paragraph"></p>
<div class="code">
<pre>
$my $manager = Lemonldap::NG::Manager-&gt;<span class=
"java-keyword">new</span> ( {
dbiChain =&gt; <span class=
"java-quote">"DBI:mysql:database=mybase;host=1.2.3.4"</span>,
dbiUser =&gt; <span class=
"java-quote">"lemonldap-ng"</span>,
dbiPasword =&gt; <span class=
"java-quote">"mypass"</span>,
} );
</pre>
</div>
<p class="paragraph"></p>Securise Manager access with Apache: Lemonldap
does not securise the manager itself yet:
<p class="paragraph"></p>
<div class="code">
<pre>
SSLEngine On
Order Deny, Allow
Deny from all
Allow from admin/network
AuthType Basic
...
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HConfigurationedition">Configuration
edition</span></h4>
<p class="paragraph"></p>Connect to the manager with your browser start
configure your Web-SSO. You have to set at least some parameters:
<h5 class="heading-1-1-1-1"><span id="HGeneralparameters">General
parameters</span></h5>
<ul class="star">
<li>Authentication parameters -&gt; portal URL to access to the
authentication portal.</li>
<li>Domain: the cookie domain. All protected VirtualHosts have to be
under it.</li>
<li>LDAP parameters -&gt; LDAP Server.</li>
<li>LDAP parameters -&gt; LDAP Accout and password: required only if
anonymous binds are not accepted.</li>
<li>Session Storage -&gt; Apache::Session module: how to store user
sessions. You can use all module that inherit from Apache::Session like
Apache::Session::MySQL.</li>
<li>Session Storage -&gt; Apache::Session Module parameters: see
Apache::Session::&lt;Choosen module&gt;.</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HUsergroups">User groups</span></h5>
<p class="paragraph"></p>Use the "New Group" button to add your first
group. On the left, set the keyword which will be used later and set on
the right the corresponding rule. You can use :
<ul class="star">
<li>an LDAP filter (it will be tested with the user uid)</li>
</ul>or
<ul class="star">
<li>a Perl condition enclosed with {}. All variables declared in
"General parameters -&gt; LDAP attributes" can be used with a "$". For
example: MyGroup / { $uid eq "foo" or $uid eq "bar" }</li>
</ul>
<h5 class="heading-1-1-1-1"><span id="HVirtualhosts">Virtual
hosts</span></h5>
<p class="paragraph"></p>You have to create a virtual host for each Apache
host (virtual or real) protected by Lemonldap::NG even if just a
sub-directory is protected. Else, user who want to access to the protected
area will be rejected with a "500 Internal Server Error" message and the
apache logs will explain the problem.
<p class="paragraph"></p>Each virtual host has 2 groups of parameters:
<ul class="star">
<li>Headers: the headers added to the apache request. Default: Auth-User
=&gt; $uid.</li>
<li>Rules: subdivised in 2 categories:
<ul class="star">
<li>default: the default rule</li>
<li>personalized rules: association of a Perl regular expression and
a condition. For example: ^/restricted.*$ / $groups =~
/bMyGroupb/</li>
</ul>
</li>
</ul>
</div>
</body>
</html>


@ -0,0 +1,382 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HFoireauxquestionsLemonldap3A3ANG">Foire
aux questions Lemonldap::NG</span></h2>
<p class="paragraph"></p>
<ul>
<li>
<a href="#HLemonldap3A3ANG">Lemonldap::NG</a>
<ul>
<li><a href="#HQu27estcequ27unWebSSO3F">Qu'est-ce qu'un Web-SSO
?</a></li>
<li><a href=
"#HQu27apporteLemonldap3A3ANGparrapportauxautresSSO3F">Qu'apporte
Lemonldap::NG par rapport aux autres SSO ?</a></li>
</ul>
</li>
<li>
<a href="#HConfiguration">Configuration</a>
<ul>
<li><a href=
"#HQuelsystC3A8medestockagedeconfigurationchoisir3F">Quel
syst&egrave;me de stockage de configuration choisir ?</a></li>
<li><a href=
"#HL27exemplefournifonctionneenHTTP2CmaispasenHTTPS">L'exemple
fourni fonctionne en HTTP, mais pas en HTTPS.</a></li>
<li><a href=
"#HCommentfairefonctionnerLemonldap3A3ANGavecunannuaireActiveDirectory3F">
Comment faire fonctionner Lemonldap::NG avec un annuaire
Active-Directory ?</a></li>
</ul>
</li>
<li>
<a href="#HFonctionnement">Fonctionnement</a>
<ul>
<li><a href="#HAquoisertlecachelocaldesagents28handlers293F">A quoi
sert le cache local des agents (handlers) ?</a></li>
<li><a href=
"#HPourquoinepeutonpasconfigurerlecachelocaldesagents28handlers29danslaconsoled27administration3F">
Pourquoi ne peut-on pas configurer le cache local des agents
(handlers) dans la console d'administration ?</a></li>
<li><a href=
"#HQu27estcequele7E7ECrossDomainAuthentication7E7E28CDA293F">Qu'est
ce que le <i class="italic">Cross Domain Authentication</i> (CDA)
?</a></li>
<li><a href=
"#HCommentfonctionnele7E7ECrossDomainAuthentication7E7E28CDA293F">Comment
fonctionne le <i class="italic">Cross Domain Authentication</i>
(CDA) ?</a></li>
</ul>
</li>
<li>
<a href="#HAuthentification">Authentification</a>
<ul>
<li><a href="#HPeutonchangerlemoded27authentification3F">Peut-on
changer le mode d'authentification ?</a></li>
</ul>
</li>
</ul>
<h3 class="heading-1-1"><span id=
"HLemonldap3A3ANG">Lemonldap::NG</span></h3>
<h4 class="heading-1-1-1"><span id="HQu27estcequ27unWebSSO3F">Qu'est-ce
qu'un Web-SSO ?</span></h4>
<p class="paragraph"></p>Un SSO <i class="italic">(Single Sign On)</i> est
un dispositif qui permet de partager les authentifications entre plusieurs
applications. L'utilisateur ne s'authentifie ainsi qu'une fois et n'est
pas interrompu lorsqu'il change d'application. Kerberos (utilis&eacute;
dans Active Directory) par exemple est un SSO. Le probl&egrave;me de ces
syst&egrave;mes est qu'outre leur lourdeur, ils ne s'appliquent
qu'&agrave; des Intranets sur des machines relativement homog&egrave;nes.
<p class="paragraph"></p>Le Web-SSO est le portage de ce principe
restreint aux applications Web. L'utilisateur est donc authentifi&eacute;
au premier acc&egrave;s &agrave; une application web
prot&eacute;g&eacute;e et les authentifications se propagent lorsqu'il
change d'application. Le gros avantage est alors que le syst&egrave;me est
utilisable sur Internet sans pr&eacute;-requis sur les postes clients (il
suffit d'accepter les cookies de session). Par exemple, lorsqu'un
utilisateur acc&egrave;de &agrave; une bo&icirc;te-aux-lettres Google, il
n'est pas r&eacute;authentifi&eacute; s'il acc&egrave;de &agrave;
l'application de gestion des groupes ou tout autre application Google.
<p class="paragraph"></p>Lemonldap::NG est un des syst&egrave;mes
permettant la gestion du Web-SSO.
<h4 class="heading-1-1-1"><span id=
"HQu27apporteLemonldap3A3ANGparrapportauxautresSSO3F">Qu'apporte
Lemonldap::NG par rapport aux autres SSO ?</span></h4>
<ul class="star">
<li>Lemonldap comme lemonldap::NG sont des modules Apache Perl et
offrent des performances qui rendent imperceptible le traitement de
l'acc&egrave;s.</li>
<li>Un des autres points forts de Lemonldap::NG est sa capacit&eacute;
&agrave; g&eacute;rer les droits de fa&ccedil;on centralis&eacute;e: les
SSO type Kerberos ou CAS permettent le partage des authentifications
mais d&eacute;l&egrave;guent aux applications la gestion des
autorisations d'acc&egrave;s. Dans le cas de Lemonldap::NG, la gestion
des droits peut &ecirc;tre centralis&eacute;e totalement, en partie ou
pas du tout pour chaque application: Lemonldap::NG fournit un
syst&egrave;me d'autorisations bas&eacute; sur le tri des URL par
expressions r&eacute;guli&egrave;res auquelles on associe une
r&egrave;gle. Il fournit &eacute;galement des en-t&ecirc;tes HTTP
&agrave; l'application contenant n'importe quel attribut issue de
l'annuaire LDAP. Celle-ci peut alors g&eacute;rer la
tra&ccedil;abilit&eacute; des acc&egrave;s et &eacute;ventuellement des
droits d'acc&egrave;s (voir la <span class="wikiexternallink"><a href=
"http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation#HMC3A9canismesd27authentification2Cd27autorisationetdetraC3A7abilitC3A9">
documentation AAA</a></span>).</li>
<li>Lemonldap::NG n'imose aucune modification de l'annuaire: les droits
sont calcul&eacute;s &agrave; partir de n'importe quel attribut.</li>
<li>Lemonldap::NG peut publier n'importe quel attribut LDAP ou des
expressions calcul&eacute;es &agrave; partir de ces attributs dans les
en-t&ecirc;tes HTTP. On peut ainsi &eacute;viter aux applications
d'avoir &agrave; consulter l'annuaire LDAP.</li>
<li>Lemonldap::NG traite tous les sites h&eacute;berg&eacute;s (virtuels
ou r&eacute;els) ind&eacute;pendamment: on peut ainsi fournir &agrave;
chaque application des en-t&ecirc;tes personnalis&eacute;s.</li>
<li>Lemonldap::NG fournit une interface web d'administration
pr&eacute;sentant simplement la configuration, les droits d'acc&egrave;s
et les en-t&ecirc;tes par site prot&eacute;g&eacute; (voir la
d&eacute;monstration&gt;<span class="nobr"><a href=
"http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">http://lemonldap.objectweb.org/NG/ManagerDemo/fr/</a></span>).
On peut &eacute;galement ne montrer qu'une partie de la configuration en
lecture seule et une autre en lecture &eacute;criture: l'interface
d'administration peut ainsi &ecirc;tre partiellement
d&eacute;l&eacute;gu&eacute;e par site prot&eacute;g&eacute;.</li>
</ul>
<h3 class="heading-1-1"><span id=
"HConfiguration">Configuration</span></h3>
<h4 class="heading-1-1-1"><span id=
"HQuelsystC3A8medestockagedeconfigurationchoisir3F">Quel syst&egrave;me de
stockage de configuration choisir ?</span></h4>
<p class="paragraph"></p>Lemonldap::NG fournit 3 types de stockage de
configuration:
<ul class="star">
<li><strong class="strong">File</strong>: le syst&egrave;me le plus
simple, il ne permet en revanche de partager la configuration que parmi
les serveurs qui partagent un syst&egrave;me de fichier. On peut ainsi
l'utiliser dans le cas o&ugrave; tous les VirtualHosts &agrave;
prot&eacute;ger se trouvent sur le m&ecirc;me serveur,</li>
<li><strong class="strong">DBI</strong>: <span class=
"wikiexternallink"><a href=
"http://www.linuxmanpages.com/man3/DBI.3pm.php">DBI(3)</a></span> est
une couche d'abstraction de l'acc&egrave;s aux bases de donn&eacute;es
fournie par Perl. Utilis&eacute;e dans Lemonldap::NG, elle permet de
partager la configuration entre serveurs mais suppose que tous ces
serveurs acc&egrave;dent &agrave; la m&ecirc;me base de donn&eacute;e.
C'est une solution recommand&eacute;e pour partager la configuration sur
un r&eacute;seau de serveurs,</li>
<li><strong class="strong">SOAP</strong>: Ce syst&egrave;me n'est pas
&agrave; proprement parler un syst&egrave;me de stockage, mais permet
&agrave; un serveur distant d'acc&eacute;der &agrave; la configuration
par une simple connexion HTTP(S). Le serveur SOAP acc&egrave;de lui
&agrave; la configuration par un des syst&egrave;mes
pr&eacute;c&eacute;dents (File ou DBI).</li>
</ul>
<h4 class="heading-1-1-1"><span id=
"HL27exemplefournifonctionneenHTTP2CmaispasenHTTPS">L'exemple fourni
fonctionne en HTTP, mais pas en HTTPS.</span></h4>
<p class="paragraph"></p>Dans le m&eacute;canisme des redirections vers le
portail puis vers le site prot&eacute;g&eacute;, il faut indiquer &agrave;
l'agent (handler) s'il est de type HTTPS ou non. Ceci est fait par le
param&egrave;tre <tt>https</tt> qui doit &ecirc;tre mis &agrave; 1. Ce
param&egrave;tre n'est pas accessible dans la configuration (manager), car
il est sp&eacute;cifique aux h&ocirc;tes virtuels. C'est donc lors de
l'appel &agrave; la fonction <tt>init</tt> (dans le fichier My::Package)
qu'il doit &ecirc;tre renseign&eacute;:
<p class="paragraph"></p>
<pre>
__PACKAGE__-&gt;init ( {
localStorage =&gt; "Cache::FileCache",
localStorageOptions =&gt; {
'namespace' =&gt; 'MyNamespace',
'default_expires_in' =&gt; 600,
'directory_umask' =&gt; '007',
'cache_root' =&gt; '/tmp',
'cache_depth' =&gt; 5,
},
configStorage =&gt; {
type =&gt; 'File',
dirName =&gt; '/var/lib/lemonldap-ng/conf',
},
<strong class="strong">https =&gt; 1</strong>,
} );
</pre>
<h4 class="heading-1-1-1"><span id=
"HCommentfairefonctionnerLemonldap3A3ANGavecunannuaireActiveDirectory3F">Comment
faire fonctionner Lemonldap::NG avec un annuaire Active-Directory
?</span></h4>
<p class="paragraph"></p>Active-Directory utilise le champ <tt>cn</tt>
comme identifiant unique au lieu de <tt>uid</tt>. Il faut donc modifier la
configuration de Lemonldap::NG en deux points&nbsp;:
<ol>
<li>la recherche de l'utilisateur dans l'annuaire doit &ecirc;tre
effectu&eacute;e avec le champ <tt>cn</tt> (ou
<tt>samAccountName</tt>),</li>
<li>les journaux d'Apache doivent &ecirc;tre enrichis avec ce m&ecirc;me
champ.</li>
</ol>Pour le deuxi&egrave;me point, la modification est tr&egrave;s simple
: il faut remplacer <tt>$uid</tt> par <tt>$cn</tt> dans le champ
"Param&egrave;tres g&eacute;n&eacute;raux -&gt; Donn&eacute;e &agrave;
inscrire dans les journaux d'Apache (et v&eacute;rifier que cette variable
est d&eacute;clar&eacute;e dand les attributs &agrave; exporter). Le
changement de filtre de recherche n&eacute;cessite la surcharge d'une
m&eacute;thode dans le portail. Cette modification peut &ecirc;tre
effectu&eacute;e comme suit:
<pre>
#!/usr/bin/perl
use Lemonldap::NG::Portal::SharedConf;
my $portal = Lemonldap::NG::Portal::SharedConf-&gt;new(
{
configStorage =&gt; {
type =&gt; 'File',
dirName =&gt; '/var/lib/lemonldap-ng/conf',
},
<strong class="strong">formateFilter =&gt; sub {</strong>
my $self = shift;
$self-&gt;{filter} = "(&amp;(cn=" . $self-&gt;{user} . ")(objectClass=person))";
PE_OK;
} # fin de la surcharge
}
);
</pre>
<h3 class="heading-1-1"><span id=
"HFonctionnement">Fonctionnement</span></h3>
<h4 class="heading-1-1-1"><span id=
"HAquoisertlecachelocaldesagents28handlers293F">A quoi sert le cache local
des agents (handlers) ?</span></h4>
<p class="paragraph"></p>Le cache local des agents a deux fonctions:
<ul class="star">
<li>partager la configuration entre processus Apache: on &eacute;vite
ainsi un t&eacute;l&eacute;chargement de la configuration &agrave;
chaque cr&eacute;ation d'un processus. C'est &eacute;galement
indispensable pour utiliser le m&eacute;canisme de rechargement de la
configuration sans relance du serveur Apache,</li>
<li>partager les sessions en cours entre processus et threads Apache:
ceci permet d'&eacute;viter d'avoir &agrave; effectuer une requ&ecirc;te
au magasin central des sessions &agrave; chaque requ&ecirc;te (on ne
retombe en effet pas n&eacute;cessairement sur le m&ecirc;me processus).
Dans le cas o&ugrave; le cache central des sessions est accessible par
le r&eacute;seau, on transforme ainsi une requ&ecirc;te TCP en une
requ&ecirc;te au syst&egrave;me de ficher voir simplement &agrave; la
m&eacute;moire partag&eacute;e ce qui augmente fortement les
performances.</li>
</ul>
<h4 class="heading-1-1-1"><span id=
"HPourquoinepeutonpasconfigurerlecachelocaldesagents28handlers29danslaconsoled27administration3F">
Pourquoi ne peut-on pas configurer le cache local des agents (handlers)
dans la console d'administration ?</span></h4>
<p class="paragraph"></p>Le cache local doit &ecirc;tre choisi ou
param&eacute;tr&eacute; en fonction du serveur: si on choisit par exemple
le module Cache::FileCache, le r&eacute;pertoire de stockage n'est pas
n&eacute;cessairement le m&ecirc;me partout. De plus, une modification du
cache ne peut &ecirc;tre appliqu&eacute;e sans red&eacute;marrage du
serveur Apache contrairement aux autres param&egrave;tres
g&eacute;r&eacute;s par la console d'administration.
<h4 class="heading-1-1-1"><span id=
"HQu27estcequele7E7ECrossDomainAuthentication7E7E28CDA293F">Qu'est ce que
le <i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
<p class="paragraph"></p>Le syst&egrave;me de propagation de la session
Lemonldap::NG est bas&eacute; sur des cookies. Or ces cookies sont
attach&eacute;s au domaine dont ils sont issus. Lemonldap::NG fournit un
dispositif permettant de passer outre ce probl&egrave;me: il suffit
d'utiliser le portail Lemonldap::NG::Portal::CDA et les agents
Lemonldap::NG::Handler::CDA sur les sites prot&eacute;g&eacute;s en dehors
du domaine du portail.
<h4 class="heading-1-1-1"><span id=
"HCommentfonctionnele7E7ECrossDomainAuthentication7E7E28CDA293F">Comment
fonctionne le <i class="italic">Cross Domain Authentication</i> (CDA)
?</span></h4>
<p class="paragraph"></p>Un portail Lemonldap::NG::Portal::CDA
d&eacute;tecte si l'URL demand&eacute;e n'est pas dans le m&ecirc;me
domaine. Si c'est le cas, il ajoute un param&egrave;tre &agrave; cette
requ&ecirc;te correspondant au cookie de session. Lorsque l'utilisateur
est renvoy&eacute; vers cette URL, l'agent Lemonldap::NG::Handler::CDA
reconna&icirc;t ce param&egrave;tre et g&eacute;n&egrave;re alors le
cookie dans son domaine. Il retire alors le param&egrave;tre ajout&eacute;
par le portail et effectue le traitement normal de la requ&ecirc;te.
<h3 class="heading-1-1"><span id=
"HAuthentification">Authentification</span></h3>
<h4 class="heading-1-1-1"><span id=
"HPeutonchangerlemoded27authentification3F">Peut-on changer le mode
d'authentification ?</span></h4>
<p class="paragraph"></p>Lemonldap::NG fournit plusieurs modes
d'authentification (&agrave; param&eacute;trer dans le champ
"authentification" de l'interface d'administration) :
<ul class="star">
<li><strong class="strong">ldap</strong> : c'est le mode par
d&eacute;faut: le portail tente de se connecter avec les
&eacute;l&eacute;ments fournis par l'utilisateur</li>
<li><strong class="strong">CAS</strong> : le portail Lemonldap::NG
devient alors un simple relais CAS: si l'utilisateur n'est pas
authentifi&eacute;, on le revoie vers le portail CAS</li>
<li><strong class="strong">SSL</strong> : ce dispositif confie &agrave;
Apache le soin d'authentifier les utilisateurs par m&eacute;canisme SSL.
Ce dispositif est tr&egrave;s int&eacute;ressant lorsqu'on utilise des
certificats SSL: si on prot&egrave;ge toutes les applications par
certificats mutuels les nombreuses n&eacute;gociations SSL
p&eacute;naliserons les performances et en cas d'emploi de cartes
&agrave; puces prot&eacute;geant chaque op&eacute;ration, l'utilisateur
devra saisir plusieurs fois son code. Avec ce dispositif, seule
l'acc&egrave;s au portail Lemonldap::NG n&eacute;cessite la
pr&eacute;sentation du certificat client. Ensuite, c'est le cookie
s&eacute;curis&eacute; qui assure la propagation de
l'authentification.</li>
<li><strong class="strong">Apache</strong> : dans le m&ecirc;me esprit,
on confie &agrave; Apache l'authentification. Par exemple avec Kerberos,
le module Kerberos d'Apache assure la protection du portail. On
am&eacute;liore ainsi les performances puisqu'une seule
n&eacute;gociation Kerberos est n&eacute;cessaire pour toute la
session.</li>
</ul>
</div>
</body>
</html>


@ -0,0 +1,182 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HINSTALLATIONDEL27EXEMPLE">INSTALLATION DE
L'EXEMPLE</span></h2>
<p class="paragraph"></p>
<ul>
<li>
<a href="#HPREREQUIS">PRE REQUIS</a>
<ul>
<li><a href="#HLogiciels">Logiciels</a></li>
<li><a href="#HModulesPerlrequis">Modules Perl requis</a></li>
</ul>
</li>
<li>
<a href="#HCOMPILATION">COMPILATION</a>
<ul>
<li><a href="#HInstallationcomplC3A8te">Installation
compl&egrave;te</a></li>
<li><a href="#HInstallationsurDebian">Installation sur
Debian</a></li>
</ul>
</li>
<li><a href="#HCONFIGURATIONDEL27EXEMPLE">CONFIGURATION DE
L'EXEMPLE</a></li>
</ul>L'exemple propos&eacute; utilise un site prot&eacute;g&eacute;
nomm&eacute; test.example.com. Les utilisateurs non-authentifi&eacute;s
sont redirig&eacute;s vers auth.example.com.
<h3 class="heading-1-1"><span id="HPREREQUIS">PRE REQUIS</span></h3>
<h4 class="heading-1-1-1"><span id="HLogiciels">Logiciels</span></h4>
<p class="paragraph"></p>Pour utiliser Lemonldap::NG, vous devez disposer
d'un server LDAP et d'un server Apache compil&eacute; avec le module
mod-perl (version 1.3 ou 2.x). G&eacute;n&eacute;ralement, la version
d'Apache propos&eacute;e par votre distribution Linux est suffisante, mais
certaines distributions utilisent une version exp&eacute;rimentale de
mod_perl2 avec Apache2 (mod_perl-1.99) qui ne fonctionne pas avec
Lemonldap::NG. Avec de telles distributions (Debian-3.1 par exemple), vous
devez utiliser Apache-1.3 ou utiliser des backports mod_perl, CGI.pm et
CGI/Cookie.pm (les paquets Debian du site www.backports.org fonctionnent
tr&egrave;s bien).
<h4 class="heading-1-1-1"><span id="HModulesPerlrequis">Modules Perl
requis</span></h4>
<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
LWP::UserAgent, Cache::Cache, DBI, XML::Simple, SOAP::Lite (only if you
want to use SOAP with the manager).
<p class="paragraph"></p>Sur Debian, lancez:
<div class="code">
<pre>
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl
# et si vous souhaitez utiliser les fonctionnalit&eacute;s SOAP du manager:
apt-get install libsoap-lite-perl
</pre>
</div>
<h3 class="heading-1-1"><span id="HCOMPILATION">COMPILATION</span></h3>
<h4 class="heading-1-1-1"><span id="HInstallationcomplC3A8te">Installation
compl&egrave;te</span></h4>
<p class="paragraph"></p>
<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make &amp;&amp; make test
$ sudo make install
$ make example
</pre>
</div>
<h4 class="heading-1-1-1"><span id="HInstallationsurDebian">Installation
sur Debian</span></h4>
<p class="paragraph"></p>
<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ debuild
$ sudo dpkg -i ../lemonldap-ng*.deb
</pre>
</div>
<h3 class="heading-1-1"><span id=
"HCONFIGURATIONDEL27EXEMPLE">CONFIGURATION DE L'EXEMPLE</span></h3>
<p class="paragraph"></p>Apr&egrave;s compilation, vous disposez d'un
fichier example/apache.conf. Vous avez simplement &agrave; l'inclure dans
le fichier de configuration d'Apache:
<p class="paragraph"></p>
<div class="code">
<pre>
# Apache-1.3: add <span class="java-keyword">this</span> to httpd.conf
include /path/to/lemonldap-ng/source/example/apache.conf
# Apache-2.x:
include /path/to/lemonldap-ng/source/example/apache2.conf
# Debian Apache-1.3
ln -s /usr/share/doc/lemonldap-ng/example/apache.conf /etc/apache/conf.d/test.conf
# or with Apache-2.x
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
</pre>
</div>
<p class="paragraph"></p>Modifiez votre fichier /etc/hosts pour y ajouter:
<p class="paragraph"></p>
<div class="code">
<pre>
127.0.0.2 auth.example.com
127.0.0.3 test.example.com
127.0.0.4 manager.example.com
</pre>
</div>
<p class="paragraph"></p>Vous devez ensuite indiquer les param&egrave;tres
de connexion LDAP. Vous pouvez au choix :
<ul class="star">
<li>utiliser l'interface d'administration: red&eacute;marrez Apache et
connectez vous &agrave; <span class="nobr"><a href=
"http://manager.example.com/">http://manager.example.com/</a></span></li>
<li>&eacute;diter /path/to/lemonldap-ng/source/example/lmConfig-1 et
renseigner vos param&egrave;tres LDAP (utilisateurs Debian:
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
</ul>Si vous ne renseignez pas managerDn et managerPassword, Lemonldap::NG
utilisera une connexion anonyme pour trouver le dn de l'utilisateur.
<p class="paragraph"></p>NOTES:
<ul class="star">
<li>seuls quelques param&egrave;tres peuvent &ecirc;tre
&eacute;dit&eacute;s &agrave; la main dans le fichier de configuration.
Vous devez utiliser le manager pour la modifier, mais comme l'exemple
est d&eacute;j&agrave; configur&eacute;, vous pouvez &eacute;diter ce
fichier directement,</li>
<li>chaque nouvelle configuration est sauvegarder dans un nouveau
fichier par le manager (ou un nouvel enregistrement avec l'interface de
connexion au bases de donn&eacute;es DBI) ainsi vous pouvez restaurer
une ancienne configuration.</li>
</ul>Red&eacute;marrez ensuite Apache et utilisez votre navigateur
pr&eacute;f&eacute;r&eacute; pour vous connecter &agrave; <span class=
"wikiexternallink"><a href=
"http://test.example.com/">http://test.example.com/</a></span>. Vous serez
redirig&eacute;s vers auth.example.com. Connectez-vous avec un compte
valide et la page prot&eacute;g&eacute;e appara&icirc;tra.
</div>
</body>
</html>


@ -1,377 +1,172 @@
<html>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<title>Lemonldap::NG</title>
<meta name="ROBOTS" content="INDEX,FOLLOW">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="DESCRIPTION" content="Lemonldap::NG installation">
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG, INSTALLATION">
<style>
</style>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HEXAMPLEINSTALLATION">EXAMPLE
INSTALLATION</span></h2>
<h1 style="text-align: center;">Lemonldap::NG Installation</h1>
<p>Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the application.
It manages both authentication and authorization and provides headers for
accounting. So you can have a full AAA protection.</p>
<p class="paragraph"></p>
<p>See <a href=overview.html>README file</a> to known how it works.</p>
<ul>
<li>
<a href="#HPREREQ">PREREQ</a>
<ol type="I">
<li><a href="#example">Example installation</a>
<ol type="1">
<li><a href="#prereq1">Prereq</a></li>
<li><a href="#ebuilding">Building</a></li>
<li><a href="#econf">Example configuration</a></li>
</ol>
</li>
<li><a href="#advanced">Advanced installation</a>
<ol type="1">
<li><a href="#prereq2">Prereq</a></li>
<li><a href="#softInst">Software installation</a></li>
<li><a href="#lmInst">Lemonldap::NG installation</a></li>
</ol>
</li>
</ol>
<ul>
<li><a href="#HSoftware">Software</a></li>
<li><a href="#HNeededPerlmodules">Needed Perl modules</a></li>
</ul>
</li>
<ol type="I">
<li>
<a href="#HBUILDING">BUILDING</a>
<h2><li><a name="example">Example installation</a></li></h2>
<ul>
<li><a href="#HCompleteinstall">Complete install</a></li>
<p>The proposed example use a protected site named test.example.com. Non
authenticated users are redirected to auth.example.com.</p>
<li><a href="#HDebianinstall">Debian install</a></li>
</ul>
</li>
<ol type="1">
<li><a href="#HEXAMPLECONFIGURATION">EXAMPLE CONFIGURATION</a></li>
</ul>The proposed example use a protected site named test.example.com. Non
authenticated users are redirected to auth.example.com.
<h3><li><a name="prereq1">Prereq</a></li></h3>
<h3 class="heading-1-1"><span id="HPREREQ">PREREQ</span></h3>
<ol type="a">
<h4><li>Software</li></h4>
<h4 class="heading-1-1-1"><span id="HSoftware">Software</span></h4>
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
Apache proposed with your Linux distribution match, but some distributions used
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
package for Debian works fine).</p>
<p class="paragraph"></p>To use Lemonldap::NG, you have to run a LDAP
server and of course an Apache server compiled with mod-perl (version 1.3
or 2.x). Generaly, the version of Apache proposed with your Linux
distribution match, but some distributions used an experimental version of
mod_perl with Apache2 (mod_perl-1.99) which does not work with
Lemonldap::NG. With such distributions (like Debian-3.1), you have to use
Apache-1.3 or to use a mod_perl, CGI.pm and CGI/Cookie.pm backports
(www.backports.org package for Debian works fine).
<h4><li>Perl prereq</li></h4>
<h4 class="heading-1-1-1"><span id="HNeededPerlmodules">Needed Perl
modules</span></h4>
<dl>
<dt><b>Perl modules :</b></dt>
<dd>
<p>Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager)</p>
</dd>
<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
LWP::UserAgent, Cache::Cache, DBI, XML::Simple, SOAP::Lite (only if you
want to use SOAP with the manager).
<dt><b>With Debian :</b></dt>
<dd>
<pre>
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
libdbi-perl perl-modules libwww-perl libcache-cache-perl \
libxml-simple-perl
</pre>
<p>If you want to use SOAP with the manager&nbsp;:</p>
<pre>
apt-get install libsoap-lite-perl
</pre>
</dd>
</dl>
</ol>
<p class="paragraph"></p>With Debian, use:
<h3><li><a name="ebuilding">Building</a></li></h3>
<ol type="a">
<h4><li>Complete installation</li></h4>
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make &amp;&amp; make test
$ sudo make install
$ make example
<div class="code">
<pre>
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl
# If you want to use SOAP with the manager:
apt-get install libsoap-lite-perl
</pre>
</div>
<h4><li>Installation on Debian</li></h4>
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ debuild # or fakeroot dpkg-buildpackage
$ sudo dpkg -i ../*lemonldap-ng*.deb
<h3 class="heading-1-1"><span id="HBUILDING">BUILDING</span></h3>
<h4 class="heading-1-1-1"><span id="HCompleteinstall">Complete
install</span></h4>
<p class="paragraph"></p>
<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make &amp;&amp; make test
$ sudo make install
$ make example
</pre>
</div>
</ol>
<h4 class="heading-1-1-1"><span id="HDebianinstall">Debian
install</span></h4>
<h3><li><a name="econf">Example configuration</a></li></h3>
<p class="paragraph"></p>
<p>After build, you have new files in the example/ directory
(<code>/usr/share/doc/lemonldap-ng/example</code> with Debian). You just have
to include this file in Apache configuration&nbsp;:</p>
<ul>
<li>in httpd.conf (with Apache-1.3.x)
<pre>
include /path/to/lemonldap-ng/source/example/apache.conf
</pre>
</li>
<li>or with Apache2
<pre>
include /path/to/lemonldap-ng/source/example/apache2.conf
</pre>
</li>
</ul>
<p>Modify your /etc/hosts file to include&nbsp;:</p>
<pre>
127.0.0.2 auth.example.com
127.0.0.3 test.example.com
127.0.0.4 manager.example.com
<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ debuild
$ sudo dpkg -i ../lemonldap-ng*.deb
</pre>
</div>
<p>and restart Apache.</p>
<h3 class="heading-1-1"><span id="HEXAMPLECONFIGURATION">EXAMPLE
CONFIGURATION</span></h3>
<p>Before the example works, you have to set your LDAP settings. There are two
ways to do it&nbsp;:
<p class="paragraph"></p>After build, you have a new file named
example/apache.conf. You just have to include this file in Apache
configuration:
<ul>
<li>Connect to <a href="http://manager.example.com/">http://manager.example.com/</a>
and edit the corresponding parameters in "general parameters"</li>
<p class="paragraph"></p>
<li>Edit <code>/path/to/lemonldap-ng/source/example/conf/lmConfig-1</code> and
specify your LDAP settings.</li>
</ul>
<p>If you don't set managerDn and managerPassword, Lemonldap::NG will
use an anonymous bind to find user dn.</p>
<p>WARNINGS :</p>
<ul>
<li> only few parameters can be set by hand in the configuration file. You have
to use the manager to change configuration, but since the example is yet
configured, you can edit directly the file</li>
<li> each new configuration is saved by the manager in a new file (or a new
record with DBI) so you can recover an old configuration by removing</li>
</ul>
<p>Next, try to connect to <a href="http://test.example.com/">http://test.example.com/</a>.
You'll be redirect to auth.example.com. Try to authenticate yourself with a
valid account and the protected page will appear. You will find other
explanations on this page.</p>
</ol>
<h2><li><a name="advanced">Advanced installation</a></li></h2>
<ol type="1">
<h3><li><a name="prereq2">Prereq</a></li></h3>
<ol type="a">
<h4><li>Apache</li></h4>
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
Apache proposed with your Linux distribution match, but some distributions used
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
package for Debian works fine).</p>
<p>For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
faster and Lemonldap::NG use the thread system for best performance. If you
have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
anyway.</p>
<p>You can use Lemonldap::NG in an heterogene world&nbsp;: the authentication portal and
the manager can work in any version of Apache 1.3 or more even if mod_perl is
not compiled, with ModPerl::Registry or not... Only the handler (site protector)
need mod_perl. The different handlers can run on different servers with
different versions of Apache/mod_perl.</p>
<h4><li>Perl Prereq</li></h4>
<p>Warning : Handler and Portal parts both need Lemonldap::NG::Manager components
to access to configuration.</p>
<dl>
<dt>Manager :</dt>
<dd><p>CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP)</p>
<p>With Debian :</p>
<pre>
# apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
</pre>
<p>And if you want to use SOAP :</p>
<pre>
# apt-get install libsoap-lite-perl
</pre>
</dd>
<dt>Portal :</dt>
<dd><p>Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager</p>
<p>With Debian :</p>
<pre>
# apt-get install libapache-session-perl libnet-ldap-perl perl-modules
</pre>
</dd>
<dt>Handler :</dt>
<dd><p>Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager</p>
<p>With Debian :</p>
<pre>
# apt-get install libapache-session-perl libwww-perl libcache-cache-perl
</pre>
</dd>
</dl>
</ol>
<h3><li><a name="softInst">Software installation</a></li></h3>
<p>If you just want to install a handler or a portal or a manager&nbsp;:</p>
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
$ perl Makefile.PL &amp;&amp; make &amp;&amp; make test
$ sudo make install
<div class="code">
<pre>
# Apache-1.3: add <span class="java-keyword">this</span> to httpd.conf
include /path/to/lemonldap-ng/source/example/apache.conf
# Apache-2.x:
include /path/to/lemonldap-ng/source/example/apache2.conf
# Debian Apache-1.3
ln -s /usr/share/doc/lemonldap-ng/example/apache.conf /etc/apache/conf.d/test.conf
# or with Apache-2.x
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
</pre>
</div>
<p>else for a complete install&nbsp;:</p>
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make &amp;&amp; make test
$ sudo make install
<p class="paragraph"></p>Modify your /etc/hosts file to include:
<p class="paragraph"></p>
<div class="code">
<pre>
127.0.0.2 auth.example.com
127.0.0.3 test.example.com
127.0.0.4 manager.example.com
</pre>
</div>
<p>See prereq in Exeample installation</p>
<p class="paragraph"></p>Now you have to edit configuration to set your
LDAP settings. You can either use :
<h3><li><a name="lmInst">Lemonldap::NG installation</a></li></h3>
<ul class="star">
<li>the manager interface: restart Apache and connect to <span class=
"nobr"><a href=
"http://manager.example.com/">http://manager.example.com/</a></span></li>
<ol type="a">
<li>edit /path/to/lemonldap-ng/source/example/lmConfig-1 and specify
your LDAP settings (Debian users:
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
</ul>If you don't set managerDn and managerPassword, Lemonldap::NG will
use an anonymous bind to find user dn.
<h4><li>Databases configuration</li></h4>
<p class="paragraph"></p>WARNINGS:
<h5>Lemonldap::NG Configuration database</h5>
<ul class="star">
<li>only few parameters can be set by hand in the configuration file.
You have to use the manager to change configuration, but since the
example is yet configured, you can edit directly the file,</li>
<p>If you use DBI or another system to share Lemonldap::NG configuration, you have
to initialize the database. An example is given in example/lmConfig.mysql for
MySQL.</p>
<!-- TODO: File -->
<h5>Apache::Session database</h5>
<p>The choice of Apache::Session::* module is free. See Apache::Session::Store::*
or Apache::Session::* to know how to configure the module. For example, if you
want to use Apache::Session::MySQL, you can create the database like this&nbsp;:</p>
<pre>
CREATE DATABASE sessions (
id char(32),
a_session text
);
</pre>
<h4><li>Manager configuration</li></h4>
<p>Copy example/manager.cgi and personalize it if you want (see
Lemonldap::NG::Manager). You have to set in particular configStorage. For
example with MySQL&nbsp;:</p>
<pre>
$my $manager = Lemonldap::NG::Manager-&gt;new ( {
dbiChain =&gt; "DBI:mysql:database=mybase;host=1.2.3.4",
dbiUser =&gt; "lemonldap-ng",
dbiPassword =&gt; "mypass",
} );
</pre>
<p>You can securise Manager access with Lemonldap::NG like any other site (after
configuring it) or with Apache. Example&nbsp;:</p>
<pre>
SSLEngine On
Order Deny, Allow
Deny from all
Allow from admin-network/netmask
AuthType Basic
...
</pre>
<h4><li>Configuration edition</li></h4>
<p>Connect to the manager with your browser start configure your Web-SSO. You have
to set at least some parameters&nbsp;:</p>
<h5>General parameters</h5>
<p>Main parameters :</p>
<ul>
<li> <b>Authentication parameters -&gt; portal</b> : URL to access to the authentication portal</li>
<li> <b>Domain</b> : the cookie domain. Unless some protected VirtualHosts
are not under it, you have to use Lemonldap::NG::Portal::CDA and
Lemonldap::NG::Handler::CDA </li>
<li> <b>LDAP parameters -&gt; LDAP Server</b></li>
<li> <b>LDAP parameters -&gt; LDAP Accout and password</b> : required only if anonymous binds are not accepted</li>
<li> <b>Session Storage -&gt; Apache::Session module</b> : how to store user sessions. You can use all module that inherit
from Apache::Session like Apache::Session::MySQL</li>
<li> <b>Session Storage -&gt; Apache::Session Module parameters</b> : see Apache::Session::&lt;Choosen module&gt;</li>
</ul>
<h5>User groups</h5>
<p>Use the "New Group" button to add your first group. On the left, set the
keyword which will be used later and set on the right the corresponding rule.
you can use&nbsp;:</p>
<ul>
<li> an LDAP filter (it will be tested with the user uid)</li>
<li> or a Perl condition enclosed with <b>{}</b>. All variables declared in
"General&nbsp;parameters&nbsp;-&gt;&nbsp;LDAP&nbsp;attributes" or "macros"
can be used with a "<b>$</b>". For example&nbsp;:
<pre>
MyGroup =&gt; { $uid eq "foo" or $uid eq "bar" }
</pre>
</li>
</ul>
<h5>Virtual hosts</h5>
<p>You have to create a virtual host for each Apache host (virtual or real)
protected by Lemonldap::NG even if just a sub-directory is protected. Else,
user who want to access to the protected area will be rejected with a "500
Internal Server Error" message and the apache logs will explain the problem.</p>
<p>Each virtual host has 2 groups of parameters&nbsp;:</p>
<ul>
<li> Headers : the headers added to the apache request. Default&nbsp;:
<pre>
Auth-User =&gt; $uid
</pre>
</li>
<li> Rules : subdivised in 2 categories&nbsp;:
<ul>
<li><b>default</b> : the default rule</li>
<li>personalized rules : association of a Perl regular expression and a
condition. For example&nbsp;:
<pre>
^/restricted.*$ / $groups =~ /\bMyGroup\b/
</pre>
</li>
</ul>
</ol>
</ol>
</ol>
<li>each new configuration is saved by the manager in a new file (or a
new record with DBI) so you can recover an old configuration by removing
the new one.</li>
</ul>Next, restart Apache and use your prefered browser and try to connect
to <span class="wikiexternallink"><a href=
"http://test.example.com/">http://test.example.com/</a></span>. You'll be
redirect to auth.example.com. Try to authenticate yourself with a valid
account and the protected page will appear.
</div>
</body>
</html>


@ -0,0 +1,377 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id=
"HLemonLDAP3A3ANG">LemonLDAP::NG</span></h2>
<p class="paragraph"></p>Lemonldap::NG est un Web-SSO modulaire
bas&eacute; sur les modules Apache::Session. Il simplifie la construction
d'une aire prot&eacute;g&eacute;e en minimisant les impacts sur les
applications. Il g&egrave;re &agrave; la fois les authentifications et les
autorisations et fournit des en-t&ecirc;tes HTTP pour la
tra&ccedil;abilit&eacute;. On obtient ainsi une protection AAA complete
<i class="italic">(Authentication, Authorization and Accounting)</i> des
espaces web.
<p class="paragraph"></p>Lemonldap::NG est une r&eacute;&eacute;criture
compl&egrave;te de Lemonldap. Tous les &eacute;l&eacute;ments
n&eacute;cessaires &agrave; son exploitation et son administration sont
fournis dans le package. En revanche les composants
d&eacute;velopp&eacute;s pour Lemonldap ne sont pas compatibles avec
Lemonldap::NG.
<p class="paragraph"></p>
<ul>
<li>
<a href=
"#HMC3A9canismesd27authentification2Cd27autorisationetdetraC3A7abilitC3A9">
M&eacute;canismes d'authentification, d'autorisation et de
tra&ccedil;abilit&eacute;</a>
<ul>
<li><a href="#HAuthentification">Authentification</a></li>
<li>
<a href="#HAutorisation">Autorisation</a>
<ul>
<li><a href="#HPerformances">Performances</a></li>
</ul>
</li>
<li>
<a href="#HTraC3A7abilitC3A9">Tra&ccedil;abilit&eacute;</a>
<ul>
<li><a href="#HTracerlesaccC3A8sauportail">Tracer les
acc&egrave;s au portail</a></li>
<li><a href="#HTracerlesaccC3A8sauxapplications">Tracer les
acc&egrave;s aux applications</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#HInstallation">Installation</a></li>
<li><a href="#HSystC3A8medestockagedessessions">Syst&egrave;me de
stockage des sessions</a></li>
<li><a href="#HAuteur">Auteur</a></li>
<li><a href="#HCopyrightetlicense">Copyright et license</a></li>
</ul>
<h3 class="heading-1-1"><span id=
"HMC3A9canismesd27authentification2Cd27autorisationetdetraC3A7abilitC3A9">M&eacute;canismes
d'authentification, d'autorisation et de
tra&ccedil;abilit&eacute;</span></h3>
<p class="paragraph"></p>Tous les param&egrave;tres abord&eacute;s dans ce
chap&icirc;tre sont accessibles via l'interface d'administration (voir la
<span class="wikiexternallink"><a href=
"http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">d&eacute;monstration</a></span>).
<h4 class="heading-1-1-1"><span id=
"HAuthentification">Authentification</span></h4>
<p class="paragraph"></p>Si un utilisateur n'est pas encore
authentifi&eacute; et tente de se connecter &agrave; une aire
prot&eacute;g&eacute;e par un agent Lemonldap::NG, il est redirig&eacute;
vers le portail. Celui-ci authentifie l'utilisateur par d&eacute;faut par
une connexion LDAP, mais vous pouvez &eacute;galement utiliser un autre
sch&eacute;ma tel les certificats x509 (voir
Lemonldap::NG::Portal::AuthSSL(3)).
<p class="paragraph"></p>Lemonldap::NG utilise les cookies de session
g&eacute;n&eacute;r&eacute;s par le module Apache::Session soit aussi
s&eacute;curis&eacute; que n'importe quelle syst&egrave;me bas&eacute; sur
des cookies al&eacute;atoires de 128 bits. Il est recommand&eacute;
d'activer l'option "cookie s&eacute;curis&eacute;" pour &eacute;viter les
vols de session.
<p class="paragraph"></p>Par d&eacute;faut, une session reste 10 minutes
dans le magasin local du serveur Apache, donc dans le pire des cas, un
utilisateur conserve son autorisation au plus 10 minutes apr&egrave;s
avoir perdu ses droits.
<h4 class="heading-1-1-1"><span id=
"HAutorisation">Autorisation</span></h4>
<p class="paragraph"></p>Les autorisations sont control&eacute;es
seulement par les agents prot&eacute;geant les applications. En effet, le
portail ne peut conna&icirc;tre &agrave; l'avance les applications sur
lesquels l'utilisateur se connectera. En configurant votre Web-SSO, vous
devez:
<ul class="star">
<li>choisir les attributs LDAP que vous souhaitez utiliser pour les
autorisations et la tra&ccedil;abilit&eacute;,</li>
<li>cr&eacute;er d'&eacute;ventuelles expressions Perl pour
d&eacute;finir des groupes d'utilisateur (en utilisant les attributs
LDAP),</li>
<li>cr&eacute;er des r&egrave;gles d'acc&egrave;s associant des
expressions r&eacute;guli&egrave;res triant les URL &agrave; des
expressions Perl calculant le droit d'acc&egrave;s correspondant.</li>
</ul>Exemple (Voir Lemonldap::NG::Manager::Conf(3) pour comprendre le
stockage de la configuration) :
<ul class="star">
<li>Variables export&eacute;es (attributs LDAP):</li>
</ul>
<div class="code">
<pre>
# Nom-choisi =&gt; attribut LDAP
cn =&gt; cn
departmentUID =&gt; departmentUID
login =&gt; uid
</pre>
</div>
<ul class="star">
<li>Groupes d'utilisateurs :</li>
</ul>
<div class="code">
<pre>
# Nom-choisi =&gt; d&eacute;finition du groupe
group1 =&gt; { $departmentUID eq <span class=
"java-quote">"unit1"</span> or $login = <span class=
"java-quote">"user1"</span> }
</pre>
</div>
<ul class="star">
<li>Protection d'un site web: chaque VirtualHost (ou h&ocirc;te
r&eacute;el) Apache dispose de ses propres r&egrave;gles d'acc&egrave;s:
<ul class="star">
<li>www1.domain.com :</li>
</ul>
</li>
</ul>
<div class="code">
<pre>
^/<span class="java-keyword">protected</span>/.*$ =&gt; $groups =~ /bgroup1b/
<span class="java-keyword">default</span> =&gt; accept
</pre>
</div>
<ul class="star">
<li>www2.domain.com :</li>
</ul>
<div class="code">
<pre>
^/site/.*$ =&gt; $uid eq <span class=
"java-quote">"admin"</span> or $groups =~ /bgroup2b/
^/(js|css) =&gt; accept
<span class="java-keyword">default</span> =&gt; deny
</pre>
</div>
<h5 class="heading-1-1-1-1"><span id=
"HPerformances">Performances</span></h5>
<p class="paragraph"></p>Vous pouvez utiliser des expressions Perl aussi
complexe que n&eacute;cessaire et vous pouvez utiliser tous les attibuts
LDAP (et cr&eacute;er vos propres attributs additionnels avec le
m&eacute;canisme des macros) dans les d&eacute;finitions de groupes, les
r&egrave;gles d'acc&egrave;s et les en-t&ecirc;tes HTTP
personnalis&eacute;s: vous devez seulement utiliser le nom choisi
pr&eacute;c&eacute;d&eacute; d'un "$".
<p class="paragraph"></p>Vous devez toutefois bien choisir vos
expressions:
<ul class="star">
<li>les groupes et les macros ne sont &eacute;valu&eacute;es que lorsque
l'utilisateur est renvoy&eacute; vers le portail,</li>
<li>les r&egrave;gles d'acc&egrave;s et les en-t&ecirc;tes
export&eacute;s sont &eacute;valu&eacute;s &agrave; chaque requ&ecirc;te
sur un site prot&eacute;g&eacute;.</li>
</ul>Il est donc recommand&eacute; d'utiliser le m&eacute;canisme des
groupes pour &eacute;viter de calculer de longues expressions &agrave;
chaque requ&ecirc;te:
<div class="code">
<pre>
^/<span class=
"java-keyword">protected</span>/.*$ =&gt; $groups =~ /bgroup1b/
</pre>
</div>
<p class="paragraph"></p>Dans la d&eacute;finition des groupes, vous
pouvez au choix utiliser des filtres LDAP ou des expressions Perl ou
encore mixer les deux. Les expressions Perl sont encadr&eacute;es par {} :
<div class="code">
<pre>
group1 =&gt; (|(uid=xavier.guimard)(ou=unit1))
group1 =&gt; &lt;uid eq <span class=
"java-quote">"xavier.guimard"</span> or $ou eq <span class=
"java-quote">"unit1"</span>&gt;
group1 =&gt; (|(uid=xavier.guimard)&lt;ou eq <span class=
"java-quote">"unit1"</span>&gt;)
</pre>
</div>
<p class="paragraph"></p>Pour limiter les requ&ecirc;tes LDAP, il est
conseill&eacute; d'utiliser les expressions Perl. Ainsi seuls 2
sollicitations de l'annuaire sont n&eacute;cessaires.
<h4 class="heading-1-1-1"><span id=
"HTraC3A7abilitC3A9">Tra&ccedil;abilit&eacute;</span></h4>
<h5 class="heading-1-1-1-1"><span id="HTracerlesaccC3A8sauportail">Tracer
les acc&egrave;s au portail</span></h5>
<p class="paragraph"></p>Lemonldap::NG::Portal n'enregistre pas les
&eacute;v&eacute;nements de connexion par d&eacute;faut, mais il est
tr&egrave;s facile de surcharger la m&eacute;thode "log".
<h5 class="heading-1-1-1-1"><span id=
"HTracerlesaccC3A8sauxapplications">Tracer les acc&egrave;s aux
applications</span></h5>
<p class="paragraph"></p>Comme un Web-SSO ne peut interpr&eacute;ter le
contenu des requ&ecirc;tes HTTP transmise aux applications
prot&eacute;g&eacute;es, il ne peut enregistrer au mieux que les URL. Et
comme Apache le fait parfaitement, Lemonldap::NG::Handler(3) lui fournit
le nom &agrave; enregistrer dans les journaux. Le param&egrave;tre
optionnel "whatToTrace" indique la variable &agrave; utiliser ($uid par
d&eacute;faut).
<p class="paragraph"></p>La trace r&eacute;elle doit &ecirc;tre
effectu&eacute;e par l'application seule capable d'interpr&eacute;ter le
r&eacute;sultat des transactions.
<p class="paragraph"></p>Lemonldap::NG peut exporter des en-t&ecirc;tes
HTTP aussi bien en utilisant Apache en reverse-proxy qu'en
prot&eacute;gent directement les applications. Par d&eacute;faut, le champ
Auth-User est utilis&eacute; mais vous pouvez choisir les en-t&ecirc;tes
que vous transmettez &agrave; chaque application s&eacute;paremment. Les
expressions d&eacute;finissant les en-t&ecirc;tes associent :
<ul class="star">
<li>le nom d'en-t&ecirc;te,</li>
<li>une expression Perl utilisant les donn&eacute;es de l'utilisateur
(attributs, macros et groupes).</li>
</ul>Exemple:
<ul class="star">
<li>www1.domain.com :</li>
</ul>
<div class="code">
<pre>
Auth-User =&gt; $uid
Unit =&gt; $ou
</pre>
</div>
<ul class="star">
<li>www2.domain.com :</li>
</ul>
<div class="code">
<pre>
Authorization =&gt; <span class=
"java-quote">"Basic "</span>.encode_base64($employeeNumber.<span class=
"java-quote">":dummy"</span>)
Remote-IP =&gt; $ip
</pre>
</div>
<h3 class="heading-1-1"><span id="HInstallation">Installation</span></h3>
<p class="paragraph"></p>Attention :
<ul class="star">
<li>Lemonldap::NG est un projet diff&eacute;rent de Lemonldap et
contient tous les &eacute;l&eacute;ments n&eacute;cessaires &agrave; son
utilisation et son administration. Ainsi les logiciels tel le module
webmin de Lemonldap ne fonctionnent pas avec Lemonldap::NG.</li>
<li>L'agent de protection Apache ("handler") fonctionne &agrave; la fois
avec les versions 1.3 et 2.x d'Apache, c'est &agrave; dire avec les
versions 1 et 2 de mod_perl (mais pas avec mod_perl 1.99). Le portail et
le l'interface d'administration ("manager") sont de simples CGI et
peuvent donc fonctionner sur n'importe quel serveur compatible.</li>
<li>La configuration de Lemonldap::NG ne doit &ecirc;tre
&eacute;dit&eacute;e qu'avec l'interface d'administration &agrave; oins
que vous ne sachiez exactement ce que vous faites. Les param&egrave;tres
pr&eacute;sent&eacute;s dans ce document sont tous accessibles dans
l'arbre de configuration.</li>
</ul>Voir <span class="wikilink"><a href=
"/xwiki/bin/view/NG/DocInstall">installation manuel</a></span> pour la
documentation d'installation.
<h3 class="heading-1-1"><span id=
"HSystC3A8medestockagedessessions">Syst&egrave;me de stockage des
sessions</span></h3>
<p class="paragraph"></p>Lemonldap::NG utilise 3 niveaux de cache pour les
donn&eacute;es des utilisateurs authentifi&eacute;s :
<ul class="star">
<li>un module Apache::Session:: <strong class="strong">au choix
utilis&eacute; par le portail lemonldap::NG::Portal pour stocker les
donn&eacute;es apr&egrave;s authentification,</strong></li>
<li>un module Cache::Cache au choix utilis&eacute; par l'agent
Lemonldap::NG::Handler pour partager les donn&eacute;es entre les
threads et les processus d'Apache et bien sur entre les h&ocirc;tes
virtuels h&eacute;berg&eacute;s sur le m&ecirc;me serveur,</li>
<li>les variables internes &agrave; l'agent Lemonldap::NG::Handler : si
le m&ecirc;me utilisateur utilise de nouveau le m&ecirc;me thread ou
processus, aucune requ&ecirc;te n'est n&eacute;cessaire pour calculer le
droit d'acc&egrave;s. Ceci est particuli&egrave;rement
int&eacute;ressant avec le syst&egrave;me de connexions persistantes du
protocole HTTP/1.1 (Keep-Alive).</li>
</ul>Ainsi, le nombre de requ&ecirc;tes au cache principal est
limit&eacute; &agrave; 1 par utilisateur actif toutes les 10 minutes.
<p class="paragraph"></p>Lemonldap::NG est tr&egrave;s rapide, mais vous
pouvez encore am&eacute;liorer les performances en utilisnt un module
Cache::Cache ne n&eacute;cessitant pas d'acc&egrave;s au disque.
<h3 class="heading-1-1"><span id="HAuteur">Auteur</span></h3>
<p class="paragraph"></p>Xavier Guimard, &lt;x.guimard@free.fr&gt;
<h3 class="heading-1-1"><span id="HCopyrightetlicense">Copyright et
license</span></h3>
<p class="paragraph"></p>Copyright &copy; 2005-2007 par Xavier Guimard
&lt;x.guimard@free.fr&gt;
<p class="paragraph"></p>Ce logiciel est libre, vous pouvez le
redistribuer et/ou le modifier sous les m&ecirc;mes termes que Perl
lui-m&ecirc;me en version 5.8.4 ou &agrave; votre guise en version Perl 5
sup&eacute;rieure.
</div>
</body>
</html>


@ -1,247 +1,342 @@
<html>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<title>Lemonldap::NG</title>
<meta name="ROBOTS" content="INDEX,FOLLOW">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="DESCRIPTION" content="Lemonldap::NG overview">
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG">
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id=
"HLemonLDAP3A3ANG">LemonLDAP::NG</span></h2>
<h1 style="text-align: center;">Lemonldap::NG</h1>
<p class="paragraph"></p>Lemonldap::NG is a modular Web-SSO based on
Apache::Session modules. It simplifies the build of a protected area with
a few changes in the application. It manages both authentication and
authorization and provides headers for accounting. So you can have a full
AAA protection for your web space as described below.
<p> Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the application.
It manages both authentication and authorization and provides headers for
accounting. So you can have a full AAA protection for your web space as
described below.</p>
<p class="paragraph"></p>Lemonldap::NG is a complete rewrite of Lemonldap.
All components needed to use it and to aminister it are included in the
tarball. Contrary, all modules developed for Lemonldap may not work with
Lemonldap::NG.
<ol type="1">
<li><a href="#aaa">Authentication, Authorization and Accounting mechanisms</a></li>
<li><a href="#inst">Installation</a></li>
<li><a href="#storage">Session storage system</a></li>
<li><a href="#logout">Logout system</a></li>
<li><a href="#author">Author</a></li>
<li><a href="#copyright">Copyright and licence</a></li>
</ol>
<p class="paragraph"></p>
<ol type="I">
<h2><li><a name="aaa">Authentication, Authorization and Accounting mechanisms</a></li></h2>
<ul>
<li>
<a href=
"#HAuthentication2CAuthorizationandAccountingmechanisms">Authentication,
Authorization and Accounting mechanisms</a>
<ol type="1">
<h3><li>Authentication</li></h3>
<ul>
<li><a href="#HAuthentication">Authentication</a></li>
<p>If a user isn't authenticated and attemps to connect to an area protected by a
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
authenticates user with a ldap bind by default, but you can also use another
authentication sheme like using x509 user certificates (see
Lemonldap::NG::Portal::AuthSSL(3) for more).</p>
<li>
<a href="#HAuthorization">Authorization</a>
<p>Lemonldap::NG use session cookies generated by Apache::Session so as secure
as a 128-bit random cookie. You may use the securedCookie options to avoid
session hijacking.</p>
<ul>
<li><a href="#HPerformance">Performance</a></li>
</ul>
</li>
<p>You have to manage life of sessions by yourself since Lemonldap::NG knows
nothing about the L<Apache::Session> module you've choosed, but it's very easy
using a simple cron script because Lemonldap::NG::Portal stores the start
time in the _utime field.<br>
By default, a session stay 10 minutes in the local storage, so in the worth
case, a user is authorized 10 minutes after he lost his rights.</p>
<li>
<a href="#HAccounting">Accounting</a>
<h3><li>Authorization</li></h3>
<ul>
<li><a href="#HLoggingportalaccess">Logging portal
access</a></li>
<p>Authorization is controled only by handlers because the portal knows nothing
about the way the user will choose. When configuring your Web-SSO, you have to:</p>
<li><a href="#HLoggingapplicationaccess">Logging application
access</a></li>
</ul>
</li>
</ul>
</li>
<ul type="disc">
<li> choose the ldap attributes you want to use to manage accounting and
authorization.</li>
<li> create Perl expressions to define user groups (using ldap attributes)</li>
<li> create an array foreach virtual host associating URI regular expressions and
Perl expressions to use to grant access.</li>
</ul>
<li><a href="#HInstallation">Installation</a></li>
<p>Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored)&nbsp;:</p>
<li><a href="#HSessionstoragesystem">Session storage system</a></li>
<ul>
<li> Exported variables :
<pre>
<li><a href="#HAuthor">Author</a></li>
<li><a href="#HCopyrightandlicence">Copyright and licence</a></li>
</ul>
<h3 class="heading-1-1"><span id=
"HAuthentication2CAuthorizationandAccountingmechanisms">Authentication,
Authorization and Accounting mechanisms</span></h3>
<p class="paragraph"></p>All parameters described here can be edited by
the administration interface (See <span class="wikiexternallink"><a href=
"http://lemonldap.objectweb.org/NG/ManagerDemo/en/">Manager
demonstration</a></span>).
<h4 class="heading-1-1-1"><span id=
"HAuthentication">Authentication</span></h4>
<p class="paragraph"></p>If a user isn't authenticated and attemps to
connect to an area protected by a Lemonldap::NG compatible handler, he is
redirected to a portal. The portal authenticates user with a ldap bind by
default, but you can also use another authentication sheme like using x509
user certificates (see Lemonldap::NG::Portal::AuthSSL(3) for more).
<p class="paragraph"></p>Lemonldap use session cookies generated by
Apache::Session so as secure as a 128-bit random cookie. You may use the
securedCookie options to avoid session hijacking.
<p class="paragraph"></p>You have to manage life of sessions by yourself
since Lemonldap::NG knows nothing about the L module you've choosed, but
it's very easy using a simple cron script because Lemonldap::NG::Portal
stores the start time in the _utime field.
<p class="paragraph"></p>By default, a session stay 10 minutes in the
local storage, so in the worth case, a user is authorized 10 minutes after
he lost his rights.
<h4 class="heading-1-1-1"><span id=
"HAuthorization">Authorization</span></h4>
<p class="paragraph"></p>Authorization is controled only by handlers
because the portal knows nothing about the way the user will choose. When
configuring your Web-SSO, you have to:
<ul class="star">
<li>choose the ldap attributes you want to use to manage accounting and
authorization.</li>
<li>create Perl expressions to define user groups (using ldap
attributes)</li>
<li>create an array foreach virtual host associating URI regular
expressions and Perl expressions to use to grant access.</li>
</ul>Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration
is stored) :
<ul class="star">
<li>Exported variables :</li>
</ul>
<div class="code">
<pre>
# Custom-Name =&gt; LDAP attribute
cn =&gt; cn
departmentUID =&gt; departmentUID
login =&gt; uid
</pre></li>
</pre>
</div>
<li> User groups :
<pre>
<ul class="star">
<li>User groups :</li>
</ul>
<div class="code">
<pre>
# Custom-Name =&gt; group definition
group1 =&gt; { $departmentUID eq "unit1" or $login = "user1" }
</pre></li>
<li> Area protection:
<pre>
# Each VirtualHost has its own configuration
# associating URL regexp to Perl expression
* www1.domain.com :
^/protected/.*$ =&gt; $groups =~ /\bgroup1\b/
default =&gt; accept
},
* www2.domain.com :
^/site/.*$ =&gt; $uid eq "admin" or $groups =~ /\bgroup2\b/
^/(js|css) =&gt; accept
default =&gt; deny
</pre></li>
</ul>
<ol type="a">
<h4><li>Performance</li></h4>
<p>You can use Perl expressions as complicated as you want and you can use all
the exported LDAP attributes (and create your own attributes: with 'macros'
mechanism) in groups evaluations, area protections or custom HTTP headers
(you just have to call them with a "$").</p>
<p>You have to be careful when choosing your expressions:</p>
<ul>
<li> groups and macros are evaluated each time a user is redirected to the portal,</li>
<li> virtual host rules and exported headers are evaluated for each request on a
protected area.</li>
</ul>
<p>It is also recommanded to use the groups mechanism to avoid having to evaluate
a long expression at each HTTP request&nbsp;:</p>
<pre>
# Virtual hosts :
...
www1.domain.com :
^/protected/.*$ =&gt; $groups =~ /\bgroup1\b/
group1 =&gt; { $departmentUID eq <span class=
"java-quote">"unit1"</span> or $login = <span class=
"java-quote">"user1"</span> }
</pre>
</div>
<p>You can also use LDAP filters, or Perl expression or mixed expressions in
groups definitions. Perl expressions has to be enclosed with {}&nbsp;:</p>
<ul class="star">
<li>Area protection: each VirtualHost has its own configuration
associating URL regexp to Perl expression
<pre>
* group1 =&gt; (|(uid=xavier.guimard)(ou=unit1))
* group1 =&gt; {$uid eq "xavier.guimard" or $ou eq "unit1"}
* group1 =&gt; (|(uid=xavier.guimard){$ou eq "unit1"})
<ul class="star">
<li>www1.domain.com :</li>
</ul>
</li>
</ul>
<div class="code">
<pre>
^/<span class="java-keyword">protected</span>/.*$ =&gt; $groups =~ /bgroup1b/
<span class="java-keyword">default</span> =&gt; accept
</pre>
</div>
<p>It is also recommanded to use Perl expressions to avoid requiering the LDAP
server more than 2 times per authentication.</p>
<ul class="star">
<li>www2.domain.com :</li>
</ul>
</ol>
<h3><li>Accounting</li></h3>
<ol type="a">
<h4><li>Logging portal access</li></h4>
<p>Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
overload log method for normal portal access.</p>
<h4><li>Logging application access</li></h4>
<p>Because a Web-SSO knows nothing about the protected application, it can't do
more than logging URL. As Apache does this fine, Lemonldap::NG::Handler(3)
gives it the name to used in logs. The whatToTrace parameter indicates
which variable Apache has to use ($uid by default).</p>
<p>The real accounting has to be done by the application itself which knows the
result of SQL transaction for example.</p>
<p>Lemonldap::NG can export HTTP headers either using a proxy or protecting
directly the application. By default, the Auth-User field is used but you can
change it using the exportedHeaders parameters (in the Manager, each virtual
host as custom headers branch). This parameters contains an associative array
per virtual host&nbsp;:</p>
<ul>
<li> keys are the names of the choosen headers,</li>
<li> values are Perl expressions where you can use user datas stored in the
global storage.</li>
</ul>
<p>Example:</p>
<pre>
* www1.domain.com :
Auth-User =&gt; $uid
Unit =&gt; $ou
* www2.domain.com :
Authorization =&gt; "Basic ".encode_base64($employeeNumber.":dummy")
Remote-IP =&gt; $ip
<div class="code">
<pre>
^/site/.*$ =&gt; $uid eq <span class=
"java-quote">"admin"</span> or $groups =~ /bgroup2b/
^/(js|css) =&gt; accept
<span class="java-keyword">default</span> =&gt; deny
</pre>
</ol>
</ol>
</div>
<h2><li><a name="inst">Installation</a></li></h2>
<h5 class="heading-1-1-1-1"><span id=
"HPerformance">Performance</span></h5>
<p><b>Warnings :</b></p>
<ul>
<li><p> Lemonldap::NG is a different project than Lemonldap and contains all you need
to use and administer it. So softwares, like Lemonldap webmin module, may not
work with Lemonldap::NG.</p></li>
<p class="paragraph"></p>You can use Perl expressions as complicated as
you want and you can use all the exported LDAP attributes (and create your
own attributes: with 'macros' mechanism) in groups evaluations, area
protections or custom HTTP headers (you just have to call them with a
"$").
<li><p>The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
act as CGI, so they can work everywhere.</p></li>
<li><p>Lemonldap::NG configuration has to be edited using the manager unless
you know exactly what you are doing. The parameters discussed below are all in
the configuration tree.</p></li>
</ul>
<p class="paragraph"></p>ou have to be careful when choosing your
expressions:
<p>See <a href="install.html">INSTALL file</a> for a complete installation documentation.</p>
<ul class="star">
<li>groups and macros are evaluated each time a user is redirected to
the portal,</li>
<h2><li><a name="storage">Session storage system</a></li></h2>
<li>virtual host rules and exported headers are evaluated for each
request on a protected area.</li>
</ul>It is also recommanded to use the groups mechanism to avoid having to
evaluate a long expression at each HTTP request :
<p>Lemonldap::NG use 3 levels of cache for authenticated users&nbsp;:</p>
<div class="code">
<pre>
^/<span class=
"java-keyword">protected</span>/.*$ =&gt; $groups =~ /bgroup1b/
</pre>
</div>
<ul>
<li> an Apache::Session::* module used by lemonldap::NG::Portal to store
authenticated user parameters,</li>
<li> a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
users between Apache's threads or processus and of course between virtual
hosts on the same machine,</li>
<li> Lemonldap::NG::Handler variables : if the same user use the same thread or
processus a second time, no request are needed to grant or refuse access.
This is very efficient with HTTP/1.1 Keep-Alive system.</li>
</ul>
<p class="paragraph"></p>You can also use LDAP filters, or Perl expression
or mixed expressions in groups definitions. Perl expressions has to be
enclosed with {} :
<p>So the number of request to the central storage is limited to 1 per active
user each 10 minutes.</p>
<div class="code">
<pre>
group1 =&gt; (|(uid=xavier.guimard)(ou=unit1))
group1 =&gt; &lt;uid eq <span class=
"java-quote">"xavier.guimard"</span> or $ou eq <span class=
"java-quote">"unit1"</span>&gt;
group1 =&gt; (|(uid=xavier.guimard)&lt;ou eq <span class=
"java-quote">"unit1"</span>&gt;)
</pre>
</div>
<p>Lemonldap::NG is very fast, but you can increase performance using a
Cache::Cache module that does not use disk access.</p>
<p class="paragraph"></p>It is also recommanded to use Perl expressions to
avoid requiering the LDAP server more than 2 times per authentication.
<h2><li><a name="logout">Logout system</a></li></h2>
<h4 class="heading-1-1-1"><span id="HAccounting">Accounting</span></h4>
<p>Lemonldap::NG provides a single logout system&nbsp;: you can use it by
adding a link to the portal with "logout=1" parameter in the portal (See
Lemonldap::NG::Portal(3)) and/or by configuring handler to intercept some URL
(See Lemonldap::NG::Handler(3)). The logout system:
<h5 class="heading-1-1-1-1"><span id="HLoggingportalaccess">Logging portal
access</span></h5>
<ul>
<li> delete session in the global session storage,</li>
<li> replace Lemonldap::NG cookie by '',</li>
<li> delete handler caches only if logout action was started from a
protected application and only in the current Apache server. So in other
servers, session is still in cache for 10 minutes maximum if the user was
connected on it in the last 10 minutes.</li>
</ul>
<p class="paragraph"></p>Lemonldap::NG::Portal doesn't log anything by
default, but it's easy to overload log method for normal portal access.
<h2><li><a name="author">Author</a></li></h2>
<h5 class="heading-1-1-1-1"><span id="HLoggingapplicationaccess">Logging
application access</span></h5>
<p>Xavier Guimard, &lt;x&#46;guimard&#64;free&#46;fr&gt;
<p class="paragraph"></p>Because a Web-SSO knows nothing about the
protected application, it can't do more than logging URL. As Apache does
this fine, Lemonldap::NG::Handler(3) gives it the name to used in logs.
The whatToTrace parameter indicates which variable Apache has to use ($uid
by default).
<h2><li><a name="copyright">Copyright and licence</a></li></h2>
<p class="paragraph"></p>The real accounting has to be done by the
application itself which knows the result of SQL transaction for example.
<p>Copyright &copy; 2005-2007 by Xavier Guimard &lt;x&#46;guimard&#64;free&#46;fr&gt;</p>
<p class="paragraph"></p>Lemonldap::NG can export HTTP headers either
using a proxy or protecting directly the application. By default, the
Auth-User field is used but you can change it using the exportedHeaders
parameters (in the Manager, each virtual host as custom headers branch).
This parameters contains an associative array per virtual host :
<p>This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.4 or,
at your option, any later version of Perl 5 you may have available.</p>
<ul class="star">
<li>keys are the names of the choosen headers,</li>
</ol>
<li>values are Perl expressions where you can use user datas stored in
the global storage.</li>
</ul>Example:
<ul class="star">
<li>www1.domain.com :</li>
</ul>
<div class="code">
<pre>
Auth-User =&gt; $uid
Unit =&gt; $ou
</pre>
</div>
<ul class="star">
<li>www2.domain.com :</li>
</ul>
<div class="code">
<pre>
Authorization =&gt; <span class=
"java-quote">"Basic "</span>.encode_base64($employeeNumber.<span class=
"java-quote">":dummy"</span>)
Remote-IP =&gt; $ip
</pre>
</div>
<h3 class="heading-1-1"><span id="HInstallation">Installation</span></h3>
<p class="paragraph"></p>Warnings :
<ul class="star">
<li>Lemonldap::NG is a different project than Lemonldap and contains all
you need to use and administer it. So softwares, like Lemonldap webmin
module, may not work with Lemonldap::NG.</li>
<li>The Apache module part (Lemonldap::NG::Handler) works both with
Apache 1.3.x and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99).
Portal and Manager act as CGI, so they can work everywhere.</li>
<li>Lemonldap::NG configuration has to be edited using the manager
unless you know exactly what you are doing. The parameters discussed
below are all in the configuration tree.</li>
</ul>See <span class="wikilink"><a href=
"/xwiki/bin/view/NG/DocInstall">installation manuel</a></span> for a
complete installation documentation.
<h3 class="heading-1-1"><span id="HSessionstoragesystem">Session storage
system</span></h3>
<p class="paragraph"></p>Lemonldap::NG use 3 levels of cache for
authenticated users :
<ul class="star">
<li>an Apache::Session:: <strong class="strong">module used by
lemonldap::NG::Portal to store authenticated user
parameters,</strong></li>
<li>a Cache::Cache module used by Lemonldap::NG::Handler to share
authenticated users between Apache's threads or processus and of course
between virtual hosts on the same machine,</li>
<li>Lemonldap::NG::Handler variables : if the same user use the same
thread or processus a second time, no request are needed to grant or
refuse access. This is very efficient with HTTP/1.1 Keep-Alive
system.</li>
</ul>So the number of request to the central storage is limited to 1 per
active user each 10 minutes.
<p class="paragraph"></p>Lemonldap::NG is very fast, but you can increase
performance using a Cache::Cache module that does not use disk access.
<h3 class="heading-1-1"><span id="HAuthor">Author</span></h3>
<p class="paragraph"></p>Xavier Guimard, &lt;x.guimard@free.fr&gt;
<h3 class="heading-1-1"><span id="HCopyrightandlicence">Copyright and
licence</span></h3>
<p class="paragraph"></p>Copyright &copy; 2005-2007 by Xavier Guimard
&lt;x.guimard@free.fr&gt;
<p class="paragraph"></p>This library is free software; you can
redistribute it and/or modify it under the same terms as Perl itself,
either Perl version 5.8.4 or, at your option, any later version of Perl 5
you may have available.
</div>
</body>
</html>

@ -0,0 +1,49 @@
#!/usr/bin/perl
use strict;
use XML::Simple;
use utf8;
my $docs = {
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=fr' => 'faq-fr.html',
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=en' => 'overview.html',
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=fr' => 'overview-fr.html',
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstallExample?language=en' => 'install.html',
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstallExample?language=fr' => 'install-fr.html',
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstall?language=en' => 'advanced-install.html',
};
while ( my ( $url, $file ) = each %$docs ) {
open DOC, "wget -q -O - $url |";
#open DOC, '/tmp/doc';
my $buf;
my $ind = 0;
my $div;
while (<DOC>) {
$ind++ if (/<div class="main-content">/);
next unless ($ind);
$div++ if (/<div/);
$div-- if (/<\/div/);
$ind-- unless ($div);
s/\r//g;
utf8::decode($_);
$buf .= $_;
}
close DOC;
open FILE, "|tidy -u -c -i -wrap 79 >$file";
print FILE '<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "XHTML 1.0 Strict"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
';
print FILE "$buf</body></html>";
close FILE;
}
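Review bot: Both opens in the fetch loop are two-argument piped opens whose results are never checked, so a failed `wget -q` or a missing `tidy` silently produces an empty or truncated `$file` that is then shipped as documentation. Use the list form, which also keeps the URL out of the shell, and check the pipe on close, where the child's exit status surfaces: `open my $doc, '-|', 'wget', '-q', '-O', '-', $url or die "wget $url: $!";` and `close $doc or die "wget $url exited with $?";`, with the same `close FILE or die "tidy $file: $!";` on the output side. The script also runs without `use warnings`, so an undefined `$buf` (no `main-content` div found) is concatenated into the output without notice. Every generated page gets the same `<title>FAQ LEMONLDAP::NG</title>` and `lang="fr"` head, including the English `overview.html` and `install.html`; the title and language should come from the `%$docs` entry rather than the fixed string.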

@ -7,9 +7,9 @@ __PACKAGE__->init ( {
localStorageOptions => {
'namespace' => 'MyNamespace',
'default_expires_in' => 600,
'directory_umask' => '007',
'cache_root' => '/tmp',
'cache_depth' => 5,
'directory_umask' => '007',
'cache_root' => '/tmp',
'cache_depth' => 5,
},
configStorage => {

@ -332,7 +332,7 @@ sub print_upload {
}
sub upload {
my $self = shift;
my $self = shift;
my $config = $self->tree2conf(@_);
return SYNTAX_ERROR unless( $self->checkConf($config) );
return $self->config->saveConf($config);

@ -81,7 +81,8 @@ sub javascript {
newRule newHeader httpHeaders waitingResult unknownError
configurationWasChanged configLoaded warningConfNotApplied
applyConf prevConf lastConf nextConf deleteVirtualHost
areYouSure syntaxError deleteConf confirmDeleteConf)) {
areYouSure syntaxError deleteConf confirmDeleteConf
invalidVirtualHostName)) {
$text{$_} = &{"txt_$_"};
$text{$_} =~s/'/\\'/g;
}
@ -127,7 +128,7 @@ function onNodeSelect(nodeId) {
switch(tree.getUserData(nodeId,"modif")) {
case 'text':
k='valeur';
v='<input value="'+nodeId+'" onChange="tree.setItemText('+"'"+nodeId+"'"+',this.value.replace(/^([^a-z])/i,\\'z\$1\\'));tree.changeItemId('+"'"+nodeId+"'"+',this.value);">';
v='<input value="'+nodeId+'" onChange="var tmp=this.value.replace(/^([^a-z])/i,\\'z\$1\\');tmp=tmp.replace(/^([a-zA-Z0-9_\\.\\-]*).*\$/,\\'\$1\\');tree.setItemText('+"'"+nodeId+"'"+',tmp);tree.changeItemId('+"'"+nodeId+"'"+',tmp);this.value=tmp">';
break;
case 'both':
k='<input value="'+tree.getItemText(nodeId)+'" onChange="tree.setItemText('+"'"+nodeId+"'"+',this.value.replace(/^([^a-z])/i,\\'z\$1\\'))">';
@ -240,6 +241,10 @@ function insertNewChild(a,b,c) {
function newVirtualHost() {
var rep=prompt("$text{newVirtualHost}");
if(rep) {
if(!rep.match(/^\\w[\\w\\.\\-]*\\w\$/)){
alert('$text{invalidVirtualHostName}');
return 0;
}
insertNewChild('virtualHosts',rep,rep)
tree.setUserData(rep,'modif','text');
insertNewChild(rep,rep+'_exportedHeaders','$text{httpHeaders}');
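Review bot: The new virtual-host-name control lives only in browser-side JavaScript: `newVirtualHost()` rejects names that fail `/^\w[\w\.\-]*\w$/` with an alert, while the renamed-node `onChange` handler in the second hunk silently truncates the value to its leading `[a-zA-Z0-9_\.\-]*` run, so the two paths disagree and neither protects the server, which stores whatever `upload` posts. The same rule has to be enforced where the configuration is saved — from the `upload` hunk on this page that appears to be `checkConf`, whose body is not visible here — e.g. `return SYNTAX_ERROR unless $vhost =~ /^\w[\w.\-]*\w$/;` for each key of the virtual hosts tree, since a crafted request bypasses the JavaScript entirely. Consider also having the `onChange` path alert with `$text{invalidVirtualHostName}` instead of quietly rewriting the field, so a truncated name is not saved unnoticed. `sub javascript` starts before the first hunk and continues past the last.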

@ -94,6 +94,7 @@ sub fr {
confirmDeleteConf => "Vous allez effacer cette configuration. Confirmez-vous ?",
configurationDeleted => 'Configuration &eacute;ffac&eacute;e',
configurationNotDeleted => 'Configuration non &eacute;ffac&eacute;e',
invalidVirtualHostName => "Nom de d'hôte virtuel incorrect",
};
}
@ -157,5 +158,6 @@ sub en {
confirmDeleteConf => "You're going to delete configuration. Do you confirm ?",
configurationDeleted => 'Configuration deleted',
configurationNotDeleted => 'Configuration not deleted',
invalidVirtualHostName => 'Invalid virtual host name',
};
}

@ -7,7 +7,7 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
configStorage => {
type => 'File',
dirName => '__CONFDIR__',
}
},
}
);