Merge branch 'v2.0'

This commit is contained in:
Christophe Maudoux 2020-01-04 14:00:24 +01:00
commit 0546303dac
139 changed files with 5298 additions and 2933 deletions

View File

@ -1,3 +1,69 @@
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:
* #1893: Issuer urldc is lost after error in 2F flow
* #1909: Reset password by email issue
* #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
* #1945: passwordpolicy.tpl contains wrong tag
* #1948: Tranlation menu does not work with Diff.html
* #1949: Don't Store Password shows password in cleartext
* #1952: "Attributes and macros" session keys should not be translated
* #1953: Outgoing emails are missing a Date: field
* #1954: zimbra preauth not working
* #1955: Redirection lost after notification validation
* #1960: REST config service not working
* #1961: IDP selection rule regression in 2.0.0
* #1963: Server Error with OpenID Connect register endpoint
* #1964: Diff.html does not work with minified JS
* #1966: Configuration reload does not apply changes to location rules
* #1968: skippedUnitTests/skippedGlobalTests have no effect
* #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
* #1974: ServiceToken handler TTL value always set to default
* #1984: Reset expired password doesn't trigger when using Combination
* #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
* #2009: Display authentication error on login form with Combination Kerberos + LDAP
* #2010: Kerberos not working with session upgrade
* #2012: Several issues with notification system
* #2013: Handler, yum install
* #2018: After temporary ldap failure, ldap connections stop working forever
* #2038: Missing type attribute in 2FA HTML inputs
* #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name
* New features:
* #813: Provide refresh tokens in OpenID Connect
* #1605: certificate reset by mail
* #1956: DecryptValue plugin
* #1999: Possibility to view/close other sessions opened for the same user
* #2006: Create a web service for "refresh my rights"
* Improvements:
* #1590: Possibility to configure new plugins in Manager
* #1905: Append overScheme for persistent sessions
* #1941: After logged out from SP we are always redirected to IdP - Unable to go back to SP Portal
* #1947: Highlight active module with Diff.html
* #1967: allow differents type of managerDN
* #1983: The script purgeCentralCache should be more fault tolerant
* #1988: Append a requiredAuthenticationLevel option for each uri
* #1989: Main logo and lang icons are missing with upgradesession template
* #1991: Some user logs not using whatToTrace for username
* #1993: Same issue like (#1884) occures with Issuer redirection
* #1994: Append varInUri extended function
* #1995: Add an option to force claims in ID token
* #1996: REQUEST_URI env variable is not set by CheckUser plugin
* #1997: Enable checkTime option by default
* #1998: Misleading token ID format
* #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
* #2007: Password change prompt displayed even if initial auth fails
* #2008: Specific message and error code for 2F failure
* #2011: Create a function to test if a value belongs to a list
* #2012: Several issues with notification system
* #2014: New script to convert sessions between backends
* #2019: Renew Captcha button
* #2024: Change default value for cspFormAction
* #2042: Add per-service macros
-- Clément <clem.oudot@gmail.com> Sat, 21 Dec 2019 16:59:22 +0100
lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs:
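Review bot: #2012 "Several issues with notification system" appears twice in the 2.0.7 entry, once under Bugs and once under Improvements; keep it in one list. The same block has three typos: "Tranlation" (#1948), "differents type" (#1967) and "occures" (#1993). #1943 is the only security fix in this release (CVE-2019-19791, Apache access rules and SOAP/REST endpoints); a one-line description of what was exposed, or a link to the advisory, would let packagers and administrators judge whether they need to upgrade immediately rather than with the next routine update.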

debian/changelog vendored
View File

@ -1,3 +1,10 @@
lemonldap-ng (2.0.7-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Sat, 21 Dec 2019 17:00:00 +0100
lemonldap-ng (2.0.6-1) unstable; urgency=medium
* New release. See changes on our website:
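Review bot: the 2.0.7-1 Debian changelog entry does not mention CVE-2019-19791, which the upstream changelog flags as a medium-severity security fix (#1943); Debian's security tracker picks CVE identifiers up from debian/changelog, so add a line such as "* Fix CVE-2019-19791 (#1943)" to this entry. The "See changes on our website" link points at the repository root rather than at the changelog.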

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1569271173" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1576942824" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
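Review bot: the only differences in this hunk are the DokuWiki sectok value in the navbar Login link and the indexer image timestamp, both of which are regenerated on every export; the same pair of lines changes in the icons.png, loader.gif and jitsimet hunks further down, with no documentation content changing in any of them. sectok is DokuWiki's anti-CSRF token and the do=login link cannot work in a static export anyway, so strip the Login link and the indexer image from the export template instead of committing fresh values each release.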

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="applications.html"/>
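Review bot: this hunk flips the robots meta from noindex,nofollow to index,follow on the applications page, the humhub hunk below does the same, and the authcustom hunk later in the commit goes the other way, from index,follow to noindex,nofollow. If these values are simply whatever the export produced, pick one direction for the whole documentation set; if keeping authcustom out of search engines is deliberate, say why in the commit.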

View File

@ -171,7 +171,7 @@ Edit then <code>share-config-custom.xml</code> and uncomment the last part. In t
<span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco - user access<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;connector-id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/connector-id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/wcs<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/s<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;identity<span class="re2">&gt;</span></span></span>user<span class="sc3"><span class="re1">&lt;/identity<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;external-auth<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/external-auth<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/endpoint<span class="re2">&gt;</span></span></span>
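Review bot: the Alfresco endpoint-url changes from http://localhost:8080/alfresco/wcs to http://localhost:8080/alfresco/s with no explanation in the surrounding text; add a sentence saying which Alfresco versions use which path, otherwise a reader on an older install will copy the wrong one. With external-auth set to true, this connector trusts the identity header from any client able to reach port 8080, so the sentence in the warning that follows ("You need to restrict access to Alfresco to LL::NG") is a requirement rather than advice and belongs next to the connector definition.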
@ -184,7 +184,7 @@ You need to restart Tomcat to apply changes.
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT4 SECTION "Alfresco" [457-3157] -->
<!-- EDIT4 SECTION "Alfresco" [457-3155] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">
@ -217,12 +217,12 @@ Other rules:
</ul>
</div>
<!-- EDIT5 SECTION "LL::NG" [3158-3497] -->
<!-- EDIT5 SECTION "LL::NG" [3156-3495] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "SAML2" [3498-3517] -->
<!-- EDIT6 SECTION "SAML2" [3496-3515] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3">
@ -521,7 +521,7 @@ To finish with Alfresco configuration, tick the “Enable <abbr title="Security
</p>
</div>
<!-- EDIT7 SECTION "Alfresco" [3518-14174] -->
<!-- EDIT7 SECTION "Alfresco" [3516-14172] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3">
@ -556,7 +556,7 @@ And you can define these exported attributes:
</ul>
</div>
<!-- EDIT8 SECTION "LL::NG" [14175-14553] -->
<!-- EDIT8 SECTION "LL::NG" [14173-14551] -->
<h2 class="sectionedit9" id="other_resources">Other resources</h2>
<div class="level2">
<ul>
@ -567,6 +567,6 @@ And you can define these exported attributes:
</ul>
</div>
<!-- EDIT9 SECTION "Other resources" [14554-] --></div>
<!-- EDIT9 SECTION "Other resources" [14552-] --></div>
</body>
</html>

View File

@ -93,7 +93,7 @@ The Basic Authentication relies on a specific HTTP header, as described above. S
<p>
For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <a href="../passwordstore.html" class="wikilink1" title="documentation:2.0:passwordstore">password is stored in session</a>):
</p>
<pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;)</pre>
<pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;, &quot;&quot;)</pre>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> provides a special function named <a href="../extendedfunctions.html#basic" class="wikilink1" title="documentation:2.0:extendedfunctions">basic</a> to build this header.
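Review bot: adding the empty second argument to encode_base64 is the right fix, and the text should say why in one sentence: MIME::Base64::encode_base64 appends a newline to its output by default, which ends up inside the Authorization header value and breaks the header. Since the next paragraph points at the basic extended function, which builds this header for the reader, consider making that the primary example and keeping the raw encode_base64 line only to show what basic does internally.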

View File

@ -198,7 +198,7 @@ Configure the <a href="../writingrulesand_headers.html#headers" class="wikilink1
</li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&#039;&#039;)</div>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&quot;&quot;)</div>
</li>
</ul>
<div class="noteimportant">To allow execution of encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications:humhub</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,humhub"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="humhub.html"/>
@ -54,6 +54,7 @@
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuring_humhub">Configuring HumHub</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div></li>
<li class="level2"><div class="li"><a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</a></div></li>
<li class="level2"><div class="li"><a href="#troubleshooting">Troubleshooting</a></div></li>
</ul></li>
</ul>
@ -88,28 +89,30 @@ Administrator can configure one or several OAuth, OAuth2 or OIDC authentication
<p>
With <a href="#openid_connect" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login.
</p>
<div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service.
<div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service. See <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> Migrate former local or ldap Humhub account to connect through SSO</a>
</div>
</div>
<!-- EDIT2 SECTION "Présentation" [68-1041] -->
<!-- EDIT2 SECTION "Présentation" [68-1186] -->
<h2 class="sectionedit3" id="openid_connect">OpenID Connect</h2>
<div class="level2">
<div class="noteclassic">This set-up works with option enablePrettyUrl activated in Humhub. If not activated, rewrite <abbr title="Uniform Resource Locator">URL</abbr> in Humhub HTTP server and allowed redirect <abbr title="Uniform Resource Locator">URL</abbr> in LemonLDAP needs to be adapted to work with the non pretty <abbr title="Uniform Resource Locator">URL</abbr> format.
</div>
<!-- EDIT3 SECTION "OpenID Connect" [1042-1069] -->
</div>
<!-- EDIT3 SECTION "OpenID Connect" [1187-1450] -->
<h3 class="sectionedit4" id="configuring_humhub">Configuring HumHub</h3>
<div class="level3">
<p>
First disable LDAP (Administration &gt; Users section) and delete (or migrate source) any local users whose username or email are conflicting with the username or email of your OIDC users.
First disable LDAP (Administration &gt; Users section) and delete (or <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> migrate</a>) any local users whose username or email are conflicting with the username or email of your OIDC users.
</p>
<p>
Then install and configure the <a href="https://github.com/Worteks/humhub-auth-oidc" class="urlextern" title="https://github.com/Worteks/humhub-auth-oidc" rel="nofollow"> OIDC connector for humhub </a> extension using composer :
</p>
<ul>
<li class="level1"><div class="li"> Install composer and php-tokenizer.</div>
<li class="level1"><div class="li"> Install composer.</div>
</li>
</ul>
<ul>
@ -118,34 +121,89 @@ Then install and configure the <a href="https://github.com/Worteks/humhub-auth-o
</ul>
<pre class="code">composer global require hirak/prestissimo</pre>
<ul>
<li class="level1"><div class="li"> Go to {humhumb_home} folder (containing humhub&#039;s composer.json file) and execute</div>
<li class="level1"><div class="li"> Go to {humhub_home} folder</div>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> Check if composer.json file is present. If not, download it for your current version:</div>
</li>
</ul>
<pre class="code">wget https://raw.githubusercontent.com/humhub/humhub/v1.3.15/composer.json</pre>
<ul>
<li class="level1"><div class="li"> Install the connector as a dependency: </div>
</li>
</ul>
<pre class="code">composer require --no-update --update-no-dev worteks/humhub-auth-oidc
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv</pre>
<ul>
<li class="level1"><div class="li"> Edit {humhumb_home}/protected/config/common.php with the client configuration :</div>
<div class="noteclassic">If you just need to update the connector, change its version in composer.json and run the above composer update command.
</div><ul>
<li class="level1"><div class="li"> Edit {humhub_home}/protected/config/common.php with the client configuration :</div>
</li>
</ul>
<pre class="code">&#039;components&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [
&#039;clients&#039; =&gt; [
// ...
&#039;lemonldapng&#039; =&gt; [
&#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;,
&#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;,
&#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP
&#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP
&#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button
],
],
],
&#039;authClientCollection&#039; =&gt; [
&#039;clients&#039; =&gt; [
// ...
&#039;lemonldapng&#039; =&gt; [
&#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;,
&#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;,
&#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP
&#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP
&#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button
&#039;cssIcon&#039; =&gt; &#039;fa fa-lemon-o&#039;, // Icon displayed in login button
],
],
// ...
]</pre>
<ul>
<li class="level1"><div class="li"> Edit {humhub_home}/protected/config/web.php to disconnect users from LemonLDAP::NG after they logged out of Humhub:</div>
</li>
</ul>
<pre class="code">return [
// ...
&#039;modules&#039; =&gt; [
&#039;user&#039; =&gt; [
&#039;logoutUrl&#039; =&gt; &#039;https://auth.domain.com/?logout=1&#039;,
],
]
];</pre>
<p>
User can now log in through <abbr title="Single Sign On">SSO</abbr> using a button on humhub logging page. If you want to remove this intermediate login page, so user are automatically logged in through <abbr title="Single Sign On">SSO</abbr> when they first access Humhub, you can set up a redirection in the http server in front of the application :
</p>
<ul>
<li class="level1"><div class="li"> Example in apache</div>
</li>
</ul>
<pre class="code">RewriteEngine On
RewriteCond %{QUERY_STRING} !nosso [NC]
RewriteRule &quot;^/user/auth/login$&quot; &quot;/user/auth/external?authclient=lemonldapng&quot; [L,R=301]</pre>
<ul>
<li class="level1"><div class="li"> Example in nginx</div>
</li>
</ul>
<pre class="code">if ($query_string !~ &quot;nosso&quot;){
rewrite ^/user/auth/login$ /user/auth/external?authclient=lemonldapng permanent;
}</pre>
<p>
If the authentication was successful but the user could not be registered in Humhub (which often happen if there is a conflict between source, username or email), Humhub will redirect to the login page to display the error, which trigger a redirection to the portal, ultimately triggering a loop error while registration error is not displayed.
</p>
<p>
To change this behavior and display the registration error, AuthController.onAuthSuccess method needs to be adapted so redirect to <abbr title="Single Sign On">SSO</abbr> will be bypassed when a registration error occured. This works for version 1.3.15 :
</p>
<ul>
<li class="level1"><div class="li"> Go to {humhub_home} folder</div>
</li>
<li class="level1"><div class="li"> Execute</div>
</li>
</ul>
<pre class="code">sed -i &quot;s|return \$this-&gt;redirect(\[&#039;/user/auth/login&#039;\]);|return \$this-&gt;redirect([&#039;/user/auth/login&#039;,&#039;nosso&#039;=&gt;&#039;showerror&#039;]);|&quot; protected/humhub/modules/user/controllers/AuthController.php</pre>
</div>
<!-- EDIT4 SECTION "Configuring HumHub" [1070-2515] -->
<!-- EDIT4 SECTION "Configuring HumHub" [1451-4994] -->
<h3 class="sectionedit5" id="configuring_lemonldap">Configuring LemonLDAP</h3>
<div class="level3">
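Review bot: the web.php example sets logoutUrl to https://auth.domain.com/?logout=1 while every other snippet in this section uses https://auth.example.com; domain.com is a real registered domain, so use auth.example.com throughout. The Apache rewrite uses R=301 and the nginx one uses permanent; browsers cache those redirects, so suggest 302 (temporary) while the setup is being tested. The sed command patches HumHub core (protected/humhub/modules/user/controllers/AuthController.php) and is undone by any upgrade; the text already limits it to 1.3.15, and should add that it must be re-applied after upgrading. Since common.php now carries clientSecret, a sentence on keeping that file readable only by the web server user would not hurt. Wording: "humhub logging page" should be "login page", "so user are automatically logged in" should be "so users are", "which often happen" should be "happens", "which trigger" should be "triggers", and "occured" should be "occurred".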
@ -154,7 +212,7 @@ If not done yet, configure LemonLDAP::NG as an <a href="../openidconnectservice.
</p>
<p>
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect relaying party </a> using the following parameters:
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect Relying Party </a> using the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in HumHub configuration</div>
@ -193,8 +251,39 @@ Configuration sample using CLI:
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1 &amp;&amp; \</pre>
</div>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [2516-4258] -->
<h3 class="sectionedit6" id="troubleshooting">Troubleshooting</h3>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [4995-6736] -->
<h3 class="sectionedit6" id="migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</h3>
<div class="level3">
<p>
You need to manually update Humhub database to swith authentication mode to LemonLDAP::NG.
</p>
<p>
Table &quot;user&quot;:
</p>
<ul>
<li class="level1"><div class="li"> Columns &quot;username&quot; and &quot;email&quot; should match exactly OIDC sub and email attributes ;</div>
</li>
<li class="level1"><div class="li"> If former ldap user, change column &quot;auth_mode&quot; to &quot;local&quot;.</div>
</li>
</ul>
<p>
Table &quot;user_auth&quot;:
</p>
<ul>
<li class="level1"><div class="li"> Add an entry with user_id, username and &quot;lemonldapng&quot; as source (or the name you chose in your connector configuration) :</div>
</li>
</ul>
<pre class="code">+---------+-------------+-------------+
| user_id | source | source_id |
+---------+-------------+-------------+
| 4 | lemonldapng | jdoe |</pre>
</div>
<!-- EDIT6 SECTION "Migrate former local or ldap Humhub account to connect through SSO" [6737-7396] -->
<h3 class="sectionedit7" id="troubleshooting">Troubleshooting</h3>
<div class="level3">
<p>
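Review bot: the bullet above the user_auth example says to add "user_id, username and lemonldapng as source", but the table shows the columns user_id, source and source_id; state explicitly that source_id holds the OIDC sub (which the user table bullet already requires to equal username), so nobody fills in the email there. Because this procedure links an existing account to an SSO identity purely by matching the username, it is worth one sentence saying that the sub claim sent by LemonLDAP::NG must be a stable, non-user-editable identifier. Typo: "swith" in the first paragraph.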
@ -205,6 +294,6 @@ If LemonLDAP login page freezes because of a browser security blockage, adapt se
cspFormAction &quot;&#039;self&#039; https://*.example.com&quot;</pre>
</div>
<!-- EDIT6 SECTION "Troubleshooting" [4259-] --></div>
<!-- EDIT7 SECTION "Troubleshooting" [7397-] --></div>
</body>
</html>

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1569271147" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1576942799" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1569271147" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1576942799" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1569271166" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1576942817" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -56,6 +56,7 @@
<li class="level2"><div class="li"><a href="#zimbra_application_in_menu">Zimbra application in menu</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_virtual_host">Zimbra virtual host</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_handler_parameters">Zimbra Handler parameters</a></div></li>
<li class="level2"><div class="li"><a href="#multi-domain_issues">Multi-domain issues</a></div></li>
</ul></li>
</ul>
</div>
@ -163,6 +164,66 @@ Zimbra parameters are the following:
</div>
</div>
<!-- EDIT7 SECTION "Zimbra Handler parameters" [1862-] --></div>
<!-- EDIT7 SECTION "Zimbra Handler parameters" [1862-2771] -->
<h3 class="sectionedit8" id="multi-domain_issues">Multi-domain issues</h3>
<div class="level3">
<p>
Some organizations have multiple zimbra domains:
</p>
<ol>
<li class="level1"><div class="li"> foo@domain1.com</div>
</li>
<li class="level1"><div class="li"> bar@domain2.com</div>
</li>
</ol>
<p>
However, the zimbra preauth key is:
</p>
<ul>
<li class="level1"><div class="li"> generated for one zimbra domain only</div>
</li>
<li class="level1"><div class="li"> declared globally for every LemonLDAP::NG virtual hosts.</div>
</li>
</ul>
<p>
Thus, if domain1 has been registered on LemonLDAP::NG, user bar won&#039;t be able to connect to zimbra because preauth key is different. If you accept to have the same preauth key for all zimbra domains, you can set the same preauth key using this procedure:
</p>
<p>
We are going to use the first key (the domain1 one) for every domain.
On Zimbra machine, generate the keys:
</p>
<pre class="code"> zmprov generateDomainPreAuthKey domain1.com
preAuthKey: 4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c
zmprov generateDomainPreAuthKey domain2.com
preAuthKey: 6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c</pre>
<p>
Then, connect to your zimbra LDAP server with your favourite tool (Apache Directory Studio can do the job).
Take care to connect with the super admin and password account.
</p>
<ul>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain1&quot; branch</div>
</li>
<li class="level1"><div class="li"> Get the value of zimbraPreAuthKey</div>
</li>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain2&quot; branch</div>
</li>
<li class="level1"><div class="li"> Replace the value of zimbraPreAuthKey you have previously copied</div>
</li>
<li class="level1"><div class="li"> Wait for all Zimbra servers to update, or restart the zcs server</div>
</li>
</ul>
<p>
That&#039;s it, all zimbra servers will be able to decipher the hmac because they share the same key!
</p>
</div>
<!-- EDIT8 SECTION "Multi-domain issues" [2772-] --></div>
</body>
</html>
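Review bot: the two preAuthKey values in the zmprov output are 64 hex characters and look like genuinely generated keys; if they came from a live system they are now public and must be regenerated, and in either case they should be replaced by obvious placeholders in the documentation. The step "Replace the value of zimbraPreAuthKey you have previously copied" is ambiguous and should read "replace domain2's zimbraPreAuthKey with the domain1 value you copied". The closing sentence says the servers can "decipher the hmac"; an HMAC is verified, not decrypted. The section should also state the trade-off plainly: with one shared key, a preauth key leak on any domain allows preauth logins on every domain.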

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authcustom</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,authcustom"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authcustom.html"/>
@ -84,13 +84,13 @@ Then, you just have to define class names of your custom modules in &quot;Custom
<p>
You can define your own customAuth module icon. Icon must be in site/htdocs/static/common/modules/icon.png
</p>
<div class="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm
<div class="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev
</div><div class="noteimportant">Be careful. Don&#039; t use an already attributed name in configuration.
</div>
<p>
These parameters are available in your plugins using <code>$self-&gt;conf-&gt;{<em>customName</em>}</code>.
These parameters are available in your plugins using <code>$self-&gt;conf-&gt;{customAddParams}-&gt;{<em>customName</em>}</code>.
</p>
<p>

View File

@ -248,8 +248,6 @@ You can also define:
</li>
<li class="level1"><div class="li"> endsession_endpoint</div>
</li>
<li class="level1"><div class="li"> introspection_endpoint</div>
</li>
</ul>
<p>
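Review bot: introspection_endpoint is removed from the list of definable endpoints without a word anywhere else in the hunk, which leaves readers guessing whether the endpoint was never implemented or has been dropped. If the OpenID Connect service does not publish an introspection endpoint, say so explicitly next to the list, since Relying Parties that validate access tokens by introspection need to know to use a different method.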

View File

@ -416,7 +416,7 @@ To avoid a persistent loop between Portal and a redirection <abbr title="Uniform
<span class="re1">pdataDomain</span> <span class="sy0">=</span><span class="re2"> example.com</span></pre>
<p>
To avoid a bad/expired token during session upgrading (Reauthentication) if URLs are served by different load balancers, you can force Upgrade tokens be stored into Global Storage by editing <code>lemonldap-ng.ini</code> in section [portal]:
To avoid a bad/expired token during session upgrading (Reauthentication) if URLs are served by different load balancers, you can force Upgrade tokens to be stored into Global Storage by editing <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">forceGlobalStorageUpgradeOTT</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>

View File

@ -0,0 +1,285 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>browseablesessionbackend [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="/lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="/lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<link type="text/css" rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootswatch/3.3.4/flatly/bootstrap.min.css" />
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,follow"/>
<meta name="keywords" content="browseablesessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="/lib/exe/opensearch.php" title="LemonLDAP::NG"/>
<link rel="start" href="/"/>
<link rel="contents" href="/browseablesessionbackend?do=index" title="Sitemap"/>
<link rel="alternate" type="application/rss+xml" title="Recent changes" href="/feed.php"/>
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns="/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/browseablesessionbackend"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/browseablesessionbackend"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='';var JSINFO = {"id":"browseablesessionbackend","namespace":""};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
</style>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script type="text/javascript" src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script type="text/javascript" src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body class="flatly page-on-panel">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__site" class="container">
<div id="dokuwiki__top" class="site dokuwiki mode_show tpl_bootstrap3 notFound hasSidebar">
<!-- header -->
<div id="dokuwiki__header">
<nav class="navbar navbar-default" role="navigation">
<div class="container-fluid">
<div class="navbar-header">
<button class="navbar-toggle" type="button" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/start" accesskey="h" title="[H]" class="navbar-brand"><img src="/_media/wiki/logo.png" alt="LemonLDAP::NG" class="pull-left" id="dw__logo" width="20" height="20" /> <span id="dw__title" >LemonLDAP::NG</span></a>
</div>
<div class="collapse navbar-collapse">
<ul class="nav navbar-nav" id="dw__navbar">
<!-- <li>
<a href="/start" ><i class="glyphicon glyphicon-home"></i> Home</a></li> -->
<li>
<a href="/download" ><i class="glyphicon glyphicon-download"></i> Download</a></li>
<li>
<a href="/documentation" ><i class="glyphicon glyphicon-book"></i> Documentation</a></li>
<li>
<a href="/screenshots" ><i class="glyphicon glyphicon-picture"></i> Screenshots</a></li>
<li class="dropdown ">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-question-sign"></span> Contact <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="/contact" ><i class="glyphicon glyphicon-envelope"></i> Mails, IRC and more</a></li>
<li><a href="/team" ><i class="glyphicon glyphicon-user"></i> The team</a></li>
<li><a href="/professionalservices" ><i class="glyphicon glyphicon-briefcase"></i> Professional Services</a></li>
<li><a href="/references" ><i class="glyphicon glyphicon-sunglasses"></i> References</a></li>
<li><a href="/sponsors" ><i class="glyphicon glyphicon-piggy-bank"></i> Sponsors</a></li>
</ul>
</li>
</ul>
<div class="navbar-right">
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/browseablesessionbackend?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
</div>
</div>
</nav>
</div>
<!-- /header -->
<div id="dw__breadcrumbs">
<hr/>
<div class="breadcrumb"><span class="bchead">You are here: </span><span class="home"><bdi><a href="/start" class="wikilink1" title="start">start</a></bdi></span> » <bdi><span class="curid"><a href="/browseablesessionbackend" class="wikilink2" title="browseablesessionbackend" rel="nofollow">browseablesessionbackend</a></span></bdi></div>
<hr/>
</div>
<p class="pageId text-right">
<span class="label label-default">browseablesessionbackend</span>
</p>
<div id="dw__msgarea">
</div>
<main class="main row" role="main">
<!-- ********** CONTENT ********** -->
<article id="dokuwiki__content" class="col-sm-9 col-md-10 " >
<div class="panel panel-default" >
<div class="page group panel-body">
<div class="pull-right hidden-print" data-spy="affix" data-offset-top="150" style="z-index:1024; top:10px; right:10px;">
</div>
<!-- wikipage start -->
<h1 class="sectionedit1" id="this_topic_does_not_exist_yet">This topic does not exist yet</h1>
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
<!-- wikipage stop -->
</div>
</div>
</article>
<!-- ********** ASIDE ********** -->
<aside id="dokuwiki__aside" class="dw__sidebar col-sm-3 col-md-2 hidden-print">
<div class="content">
<div class="toogle hidden-lg hidden-md hidden-sm" data-toggle="collapse" data-target="#dokuwiki__aside .collapse">
<i class="glyphicon glyphicon-th-list"></i> Sidebar </div>
<div class="collapse in">
<p>
<div class="text-center">
</p>
<h3 class="sectionedit1" id="social_networks">Social networks</h3>
<div class="level3">
<p>
<p><a href="https://twitter.com/lemonldapng/" class="btn btn-large btn-info"><i class="glyphicon glyphicon-retweet"></i> Twitter</a></p>
<p><a href="https://www.facebook.com/lemonldapng/" class="btn btn-large btn-primary"><i class="glyphicon glyphicon-thumbs-up"></i> Facebook</a></p>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT1 SECTION "Social networks" [41-433] -->
<h3 class="sectionedit2" id="hosted_by">Hosted by</h3>
<div class="level3">
<p>
<a href="http://www.ow2.org" class="media" title="http://www.ow2.org" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT2 SECTION "Hosted by" [434-568] -->
<h3 class="sectionedit3" id="certifications">Certifications</h3>
<div class="level3">
<p>
<a href="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" class="media" title="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" rel="nofollow"><img src="/_media/applications/franceconnect_logo.png" class="mediacenter" alt="" /></a>
<strong>France Connect</strong>
</p>
<p>
<a href="https://fusioniam.org" class="media" title="https://fusioniam.org" rel="nofollow"><img src="/_media/logos/fusioniam_logo_icon_dragon_circle.png" class="mediacenter" alt="" /></a>
<strong>FusionIAM projet member</strong>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT3 SECTION "Certifications" [569-928] -->
<h3 class="sectionedit4" id="awards">Awards</h3>
<div class="level3">
<p>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
<p>
<script type="text/javascript" src="http://www.openhub.net/p/12421/widgets/project_users.js?style=blue"></script>
</div>
</p>
<script type='text/javascript'>
var ab_h = '321e562442494652658acbc3fd84ec80';
var ab_s = '6ca5df30810665e075f684a87e742175';
</script>
<script type='text/javascript' src='http://cdn1.adbard.net/js/ab1.js'></script>
</div>
<!-- EDIT4 SECTION "Awards" [929-] --> </div>
</div>
</aside>
</main>
<footer id="dokuwiki__footer" class="small hidden-print">
<a href="javascript:void(0)" class="back-to-top hidden-print btn btn-default btn-sm" title="skip to content>" id="back-to-top"><i class="glyphicon glyphicon-chevron-up"></i></a>
<div class="text-center">
<p id="dw__license">
<div class="license">Except where otherwise noted, content on this wiki is licensed under the following license: <bdi><a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" rel="license" class="urlextern">CC Attribution-Noncommercial-Share Alike 3.0 Unported</a></bdi></div> </p>
</div>
</footer>
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=browseablesessionbackend&amp;1576942827" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
<span class="visible-md"></span>
<span class="visible-lg"></span>
</div>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>
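Review bot: this new browseablesessionbackend.html is not documentation but the wiki's "This topic does not exist yet" page rendered with the full site chrome: a login link carrying a sectok value, an indexer.php tracking pixel, and third-party scripts loaded over plain http from www.openhub.net and cdn1.adbard.net. Drop the file from the commit and point the "browseable sessio backend" link in changesessionbackend.html at the existing browseable session backend page instead; shipping this file would make the offline documentation load ad and widget JavaScript from external hosts.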

View File

@ -95,10 +95,10 @@ The following table list fields to index depending on the feature you want to in
<td class="col0"> Database cleanup <em>(cron)</em> </td><td class="col1 centeralign"> _session_kind _utime </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> Session explorer </td><td class="col1 centeralign"> _session_kind ipAddr <em>WHATTOTRACE</em> </td>
<td class="col0"> Session explorer </td><td class="col1 centeralign"> _session_kind ipAddr _httpSessionType <em>WHATTOTRACE</em> </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> Session explorer (persistent sessions) </td><td class="col1 centeralign"> _session_kind _session_uid </td>
<td class="col0"> Session explorer (persistent sessions) </td><td class="col1 centeralign"> _session_kind _session_uid ipAddr _httpSessionType <em>WHATTOTRACE</em> </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> Session restrictions </td><td class="col1 centeralign"> _session_kind ipAddr <em>WHATTOTRACE</em> </td>
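Review bot: the two Session explorer rows now list _httpSessionType, and for persistent sessions also ipAddr and WHATTOTRACE, as fields to index, but the "Prepare database" section further down only shows CREATE INDEX statements for _httpSessionType, _utime and ipAddr. Check that the SQL and LDAP examples later on this page declare an index for every field this table now requires, otherwise the explorer queries on a field that has no index and the table gives a false sense of completeness.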
@ -110,7 +110,7 @@ The following table list fields to index depending on the feature you want to in
<td class="col0"> <abbr title="Security Assertion Markup Language">SAML</abbr> Session </td><td class="col1 centeralign"> _saml_id </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [871-1230] -->
<!-- EDIT3 TABLE [871-1287] -->
<p>
See Apache::Session::Browseable::* man page to see how use indexes.
</p>
@ -119,7 +119,7 @@ See Apache::Session::Browseable::* man page to see how use indexes.
</div><div class="noteclassic">Documentation below explains how set index on ipAddr and _whatToTrace. Adapt it to configure the index you need.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [43-1753] -->
<!-- EDIT2 SECTION "Presentation" [43-1810] -->
<h2 class="sectionedit4" id="browseable_nosql">Browseable NoSQL</h2>
<div class="level2">
@ -146,15 +146,15 @@ You then just have to add the <code>Index</code> parameter in <code>General par
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [2041-2198] -->
<!-- EDIT5 TABLE [2098-2255] -->
</div>
<!-- EDIT4 SECTION "Browseable NoSQL" [1754-2199] -->
<!-- EDIT4 SECTION "Browseable NoSQL" [1811-2256] -->
<h2 class="sectionedit6" id="browseable_sql">Browseable SQL</h2>
<div class="level2">
<div class="noteclassic">This documentation concerns PostgreSQL. Some adaptations are needed with other databases. When using Apache::Session::Browseable::Postgres, it is strongly recommended to use version 1.3.1 at least. See <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732" rel="nofollow">bug 1732</a>.
</div>
</div>
<!-- EDIT6 SECTION "Browseable SQL" [2200-2518] -->
<!-- EDIT6 SECTION "Browseable SQL" [2257-2575] -->
<h3 class="sectionedit7" id="prepare_database">Prepare database</h3>
<div class="level3">
@ -189,7 +189,7 @@ CREATE INDEX h1 ON sessions (_httpSessionType);</pre>
<div class="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don&#039;t need to declare indexes in <code>CREATE TABLE</code> since &quot;json&quot; and &quot;hstore&quot; type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
</div>
</div>
<!-- EDIT7 SECTION "Prepare database" [2519-4234] -->
<!-- EDIT7 SECTION "Prepare database" [2576-4291] -->
<h3 class="sectionedit8" id="manager">Manager</h3>
<div class="level3">
@ -221,14 +221,14 @@ Go in the Manager and set the session module (<a href="https://metacpan.org/pod/
<td class="col0 centeralign"> <strong>TableName</strong> </td><td class="col1"> Table name (optional) </td><td class="col2"> sessions </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [4557-4978] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<!-- EDIT9 TABLE [4614-5035] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<p>
For databases like PostgreSQL, don&#039;t forget to add &quot;Commit&quot; with a value of 1
</p>
</div>
</div>
<!-- EDIT8 SECTION "Manager" [4235-5157] -->
<!-- EDIT8 SECTION "Manager" [4292-5214] -->
<h2 class="sectionedit10" id="browseable_ldap">Browseable LDAP</h2>
<div class="level2">
@ -282,9 +282,9 @@ You need to add the <code>Index</code> field and can also configure the <code>ld
<td class="col0 centeralign"> <strong>ldapAttributeIndex</strong> </td><td class="col1"> Attribute storing index </td><td class="col2"> ou </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [5509-6243] -->
<!-- EDIT11 TABLE [5566-6300] -->
</div>
<!-- EDIT10 SECTION "Browseable LDAP" [5158-6244] -->
<!-- EDIT10 SECTION "Browseable LDAP" [5215-6301] -->
<h2 class="sectionedit12" id="security">Security</h2>
<div class="level2">
@ -297,7 +297,7 @@ You can also use different user/password for your servers by overriding paramete
</p>
</div>
<!-- EDIT12 SECTION "Security" [6245-6464] -->
<!-- EDIT12 SECTION "Security" [6302-6521] -->
<h2 class="sectionedit13" id="performances">Performances</h2>
<div class="level2">
@ -340,6 +340,6 @@ CREATE INDEX _u1 ON sessions (_utime);
CREATE INDEX ip1 ON sessions (ipAddr) USING BTREE;</pre>
</div>
<!-- EDIT13 SECTION "Performances" [6465-] --></div>
<!-- EDIT13 SECTION "Performances" [6522-] --></div>
</body>
</html>

View File

@ -0,0 +1,105 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:changesessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,changesessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="changesessionbackend.html"/>
<link rel="contents" href="changesessionbackend.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:changesessionbackend","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="how_to_change_session_backend">How to change session backend</h1>
<div class="level1">
<p>
LemonLDAP::NG provides a script to change session backend. This script will help you transfer existing persistent sessions (or offline sessions) when migrating from one backend to another, or when adding indexes to a <a href="browseablesessionbackend" class="wikilink2" title="browseablesessionbackend" rel="nofollow">browseable sessio backend</a>. It is available in LemonLDAP::NG utilities directory (<code>convertSessions</code>).
</p>
</div>
<!-- EDIT1 SECTION "How to change session backend" [1-397] -->
<h2 class="sectionedit2" id="how_it_works">How it works</h2>
<div class="level2">
<p>
The <code>convertSessions</code> utility requires you to create a job configuration file with the following content:
</p>
<pre class="file"># This example migrates psessions from the default File backend to a PostgreSQL database
[sessions_from]
storageModule = Apache::Session::File
storageModuleOptions = { \\
&#039;Directory&#039; =&gt; &#039;/var/lib/lemonldap-ng/psessions&#039;, \\
&#039;LockDirectory&#039; =&gt; &#039;/var/lib/lemonldap-ng/psessions/lock&#039;, \\
}
# Only convert some session types
# sessionKind = Persistent, SSO
[sessions_to]
storageModule = Apache::Session::Browseable::Postgres
storageModuleOptions = { \\
&#039;DataSource&#039; =&gt; &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039;, \\
&#039;UserName&#039; =&gt; &#039;lemonldaplogin&#039;, \\
&#039;Password&#039; =&gt; &#039;lemonldappw&#039;, \\
&#039;Commit&#039; =&gt; 1, \\
&#039;Index&#039; =&gt; &#039;ipAddr _whatToTrace user&#039;, \\
&#039;TableName&#039; =&gt; &#039;psessions&#039;, \\
}
</pre>
</div>
<!-- EDIT2 SECTION "How it works" [398-1250] -->
<h2 class="sectionedit3" id="invokation">Invokation</h2>
<div class="level2">
<pre class="code shell">convertSessions -c job.ini </pre>
<p>
Options:
</p>
<ul>
<li class="level1"><div class="li"> <code>-c</code>: job configuration file (mandatory)</div>
</li>
<li class="level1"><div class="li"> <code>-i</code>: ignore errors. By default errors will stop the script execution</div>
</li>
<li class="level1"><div class="li"> <code>-d</code>: print debugging output</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Invokation" [1251-] --></div>
</body>
</html>
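Review bot: the job configuration example embeds the database password in cleartext ('Password' => 'lemonldappw'), so the page should tell the reader to restrict the permissions of job.ini (it is read once by a one-off script, so owner-only is enough) and to delete it once the migration is done. Two typos in the new page as well: "browseable sessio backend" in the introduction, whose link also targets the non-existent wiki page browseablesessionbackend rather than the browseable session backend documentation, and "Invokation" in the heading and section id, which should be "Invocation".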

View File

@ -43,6 +43,21 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level1"><div class="li"><a href="#usage">Usage</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#example">Example</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="check_state_plugin">Check state plugin</h1>
<div class="level1">
@ -57,11 +72,11 @@ This plugin can be used to check if portal instance is ready. This can be a heal
<div class="level2">
<p>
Just enable it in the manager (section &quot;plugins&quot;). You <em class="u">must</em> also set a shared secret.
Just enable it in the manager (*<em>General Parameters</em> » <em>Plugins</em> » <em>State Check</em>). You <em class="u">must</em> also set a shared secret.
</p>
</div>
<!-- EDIT2 SECTION "Configuration" [196-313] -->
<!-- EDIT2 SECTION "Configuration" [196-353] -->
<h2 class="sectionedit3" id="usage">Usage</h2>
<div class="level2">
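Review bot: the new manager path has a stray asterisk: "(*<em>General Parameters</em> » <em>Plugins</em> » <em>State Check</em>)" should start with "(<em>General Parameters</em>".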
@ -84,12 +99,19 @@ When enabled, <code>/checkstate</code> <abbr title="Uniform Resource Locator">UR
<td class="col0 centeralign"> <code>password</code> </td><td class="col1 centeralign"> optional </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [416-670] -->
<p>
Example: <code><a href="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" class="urlextern" title="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" rel="nofollow">https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho</a></code>
</p>
<!-- EDIT4 TABLE [456-710] -->
</div>
<!-- EDIT3 SECTION "Usage" [354-711] -->
<h3 class="sectionedit5" id="example">Example</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> Basic availability check: <code><a href="https://auth.example.com/checkstate?secret=qwerty" class="urlextern" title="https://auth.example.com/checkstate?secret=qwerty" rel="nofollow">https://auth.example.com/checkstate?secret=qwerty</a></code></div>
</li>
<li class="level1"><div class="li"> Try to log a user in: <code><a href="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" class="urlextern" title="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" rel="nofollow">https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho</a></code></div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Usage" [314-] --></div>
<!-- EDIT5 SECTION "Example" [712-] --></div>
</body>
</html>
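Review bot: the "Try to log a user in" example passes the shared secret and the test account's credentials as query-string parameters (?secret=qwerty&amp;user=dwho&amp;password=dwho), so they end up in web server, reverse proxy and monitoring-tool logs. Since this endpoint is meant to be polled by monitoring, the page should say that the account used here must be a dedicated test user with no rights on any protected application, and that the secret should be treated like any other credential that appears in logs.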

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:checkuser</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,checkuser"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="checkuser.html"/>
@ -68,7 +68,7 @@ Just enable it in the manager (section “plugins”).
</li>
<li class="level2"><div class="li"> <strong>Hidden attributes</strong>: Attributes not displayed</div>
</li>
<li class="level2"><div class="li"> <strong>Attributes used for searching sessions</strong>: User&#039;s attributes used for searching sessions in Data Base. Let it blank to search by <code>whatToTrace</code></div>
<li class="level2"><div class="li"> <strong>Attributes used for searching sessions</strong>: User&#039;s attributes used for searching sessions in Data Base if <code>whatToTrace</code> fails. Useful to look for sessions by mail or givenName. Let it blank to search by <code>whatToTrace</code> only.</div>
</li>
<li class="level2"><div class="li"> <strong>Display persistent session</strong>: Display persistent session attributes</div>
</li>
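Review bot: wording in the rewritten list item: "in Data Base" should be "in the session database" and "Let it blank" should be "Leave it blank". The added explanation of the fallback order when <code>whatToTrace</code> fails is a useful clarification and should stay.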
@ -77,7 +77,16 @@ Just enable it in the manager (section “plugins”).
</ul>
</li>
</ul>
<div class="noteimportant">Be careful to not display secret attributes.
<div class="noteclassic">By example :
<p>
Search attributes =&gt; <code>mail uid givenName</code>
</p>
<p>
If <code>whatToTrace</code> fails, sessions are searched by <code>mail</code>, next <code>uid</code> if no sessions are found and so on...
</p>
</div><div class="noteimportant">Be careful to not display secret attributes.
<p>
checkUser plugin hidden attributes are concatenation of
</p>
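Review bot: the added note reads "By example :" and ends with "and so on..."; use "For example:" and finish the sentence ("then by uid if no session is found, and so on through the list"). It would also help to say explicitly that the attributes are tried in the order they are listed in "Search attributes".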
@ -105,7 +114,7 @@ By example: <code>$groups =~ /\bsu\b/</code>
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [265-1407] -->
<!-- EDIT2 SECTION "Configuration" [265-1680] -->
<h2 class="sectionedit3" id="usage">Usage</h2>
<div class="level2">
@ -114,6 +123,6 @@ When enabled, <code>/checkuser</code> <abbr title="Uniform Resource Locator">URL
</p>
</div>
<!-- EDIT3 SECTION "Usage" [1408-] --></div>
<!-- EDIT3 SECTION "Usage" [1681-] --></div>
</body>
</html>

View File

@ -341,18 +341,19 @@ You can then generate a private key and a self-signed certificate with these com
<pre class="code">openssl req -new -newkey rsa:4096 -keyout saml.key -nodes -out saml.pem -x509 -days 3650</pre>
<p>
Import them in configuration:
Fix the certificate key format (you can skip this step if you are running &gt;= 2.0.6)
</p>
<pre class="code">sed -e &quot;s/END PRIVATE/END RSA PRIVATE/&quot; \
-e &quot;s/BEGIN PRIVATE/BEGIN RSA PRIVATE/&quot; \
-i saml.key</pre>
<p>
Import them in configuration and activate the <abbr title="Security Assertion Markup Language">SAML</abbr> issuer
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
samlServicePrivateKeySig &quot;`cat saml.key`&quot; \
samlServicePublicKeySig &quot;`cat saml.pem`&quot;</pre>
<p>
Activate the <abbr title="Security Assertion Markup Language">SAML</abbr> Issuer:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
samlServicePublicKeySig &quot;`cat saml.pem`&quot; \
issuerDBSAMLActivation 1</pre>
<p>
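Review bot: the new "Fix the certificate key format" step only rewrites the PEM header with sed. openssl req writes a PKCS#8 "BEGIN PRIVATE KEY" file, and relabelling it "BEGIN RSA PRIVATE KEY" does not convert the DER body to PKCS#1, so the resulting file has a header that disagrees with its contents and loads only where the parser falls back to PKCS#8 after the traditional decode fails. Either state which component needed the RSA header before 2.0.6, or replace the sed with an actual conversion (`openssl rsa -in saml.key -out saml.key`), which produces a key whose header and body agree; the "you can skip this step if you are running >= 2.0.6" caveat should then say what changed in 2.0.6.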
@ -365,7 +366,7 @@ You can also define organization name and <abbr title="Uniform Resource Locator"
samlOrganizationURL &#039;http://www.acme.com&#039;</pre>
</div>
<!-- EDIT7 SECTION "Configure SAML Identity Provider" [6779-7657] -->
<!-- EDIT7 SECTION "Configure SAML Identity Provider" [6779-7785] -->
<h2 class="sectionedit8" id="register_an_saml_service_provider">Register an SAML Service Provider</h2>
<div class="level2">
@ -386,7 +387,7 @@ In this example we have:
samlSPMetaDataExportedAttributes/testsp mail &#039;1;EmailAddress&#039;</pre>
</div>
<!-- EDIT8 SECTION "Register an SAML Service Provider" [7658-8110] -->
<!-- EDIT8 SECTION "Register an SAML Service Provider" [7786-8238] -->
<h2 class="sectionedit9" id="configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</h2>
<div class="level2">
@ -422,7 +423,7 @@ If needed you can allow implicit and hybrid flows:
oidcServiceAllowHybridFlow 1</pre>
</div>
<!-- EDIT9 SECTION "Configure OpenID Connect Identity Provider" [8111-8994] -->
<!-- EDIT9 SECTION "Configure OpenID Connect Identity Provider" [8239-9122] -->
<h2 class="sectionedit10" id="register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</h2>
<div class="level2">
@ -491,7 +492,7 @@ In this example we have:
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
</div>
<!-- EDIT10 SECTION "Register an OpenID Connect Relying Party" [8995-10626] -->
<!-- EDIT10 SECTION "Register an OpenID Connect Relying Party" [9123-10754] -->
<h2 class="sectionedit11" id="categories_and_applications_in_menu">Categories and applications in menu</h2>
<div class="level2">
@ -516,7 +517,7 @@ Create the application &quot;sample&quot; inside category &quot;applications&quo
applicationList/applications/sample/options uri &quot;https://sample.example.com/&quot;</pre>
</div>
<!-- EDIT11 SECTION "Categories and applications in menu" [10627-11508] -->
<!-- EDIT11 SECTION "Categories and applications in menu" [10755-11636] -->
<h2 class="sectionedit12" id="encryption_key">Encryption key</h2>
<div class="level2">
@ -528,6 +529,6 @@ To update the master encryption key:
key &#039;xxxxxxxxxxxxxxx&#039;</pre>
</div>
<!-- EDIT12 SECTION "Encryption key" [11509-] --></div>
<!-- EDIT12 SECTION "Encryption key" [11637-] --></div>
</body>
</html>

View File

@ -56,14 +56,14 @@
<li class="level1"><div class="li"><a href="#apache">Apache</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager1">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#allowing_configuration_reload">Allowing configuration reload</a></div></li>
<li class="level2"><div class="li"><a href="#handler">Handler</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#nginx">Nginx</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal1">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager2">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#allowing_configuration_reload1">Allowing configuration reload</a></div></li>
<li class="level2"><div class="li"><a href="#handler1">Handler</a></div></li>
</ul>
</li>
@ -303,7 +303,9 @@ LemonLDAP::NG ships 3 Apache configuration files:
</li>
<li class="level1"><div class="li"> <strong>manager-apache2.conf</strong>: Manager virtual host</div>
</li>
<li class="level1"><div class="li"> <strong>handler-apache2.conf</strong> : Handler declaration, reload and sample virtual hosts</div>
<li class="level1"><div class="li"> <strong>handler-apache2.conf</strong> : Handler declaration, reload virtual hosts</div>
</li>
<li class="level1"><div class="li"> <strong>test-apache2.conf</strong> : Example protected virtual hosts</div>
</li>
</ul>
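Review bot: "Handler declaration, reload virtual hosts" reads as an unfinished list now that the sample hosts have moved to the new test-apache2.conf entry; write "Handler declaration and reload virtual host" (or "virtual hosts" if that file declares more than one).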
@ -312,141 +314,58 @@ See <a href="configapache.html" class="wikilink1" title="documentation:2.0:confi
</p>
</div>
<!-- EDIT6 SECTION "Apache" [6446-6844] -->
<!-- EDIT6 SECTION "Apache" [6446-6893] -->
<h3 class="sectionedit7" id="portal">Portal</h3>
<div class="level3">
<p>
In Portal virtual host, you will find several configuration parts:
After enabling any REST/SOAP endpoints in the Manager, you also need to configure some for of authentication on the corresponding URLs in the <strong>portal-apache2.conf</strong> configuration file.
</p>
<p>
By default, access to those URLs is denied:
</p>
<ul>
<li class="level1"><div class="li"> Standard virtual host directives, to serve portal pages:</div>
</li>
</ul>
<pre class="code file apache"> <span class="kw1">ServerName</span> auth.example.com
&nbsp;
<span class="co1"># DocumentRoot</span>
<span class="kw1">DocumentRoot</span> /usr/local/lemonldap-ng/htdocs/portal/
&lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/portal/&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> granted
<span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
<span class="co1"># For performances, you can put static html files: simply put the HTML</span>
<span class="co1"># result (example: /oauth2/checksession.html) as static file. Then</span>
<span class="co1"># uncomment the following line.</span>
<span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi)$&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/index.fcgi/$1&quot;</span> [PT]
&nbsp;
<span class="co1"># Note that Content-Security-Policy header is generated by portal itself</span>
&lt;<span class="kw3">Files</span> *.fcgi&gt;
<span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
<span class="co1"># For Authorization header to be passed, please uncomment one of the following:</span>
<span class="co1"># for Apache &gt;= 2.4.13</span>
<span class="co1">#CGIPassAuth On</span>
<span class="co1"># for Apache &lt; 2.4.13</span>
<span class="co1">#RewriteCond %{HTTP:Authorization} ^(.*)</span>
<span class="co1">#RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Files</span>&gt;
&nbsp;
<span class="co1"># Static files</span>
<span class="kw1">Alias</span> /static/ __PORTALSTATICDIR__/
&lt;<span class="kw3">Directory</span> __PORTALSTATICDIR__&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> granted
<span class="kw1">Options</span> +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
&lt;<span class="kw3">Location</span> /static/&gt;
&lt;<span class="kw3">IfModule</span> mod_expires.c&gt;
<span class="kw1">ExpiresActive</span> <span class="kw2">On</span>
<span class="kw1">ExpiresDefault</span> <span class="st0">&quot;access plus 1 month&quot;</span>
&lt;/<span class="kw3">IfModule</span>&gt;
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
&lt;<span class="kw3">IfModule</span> mod_dir.c&gt;
<span class="kw1">DirectoryIndex</span> index.fcgi index.html
&lt;/<span class="kw3">IfModule</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> REST/SOAP end points (disabled by default):</div>
</li>
</ul>
<pre class="code file apache"> <span class="co1"># REST/SOAP functions for sessions management (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/adminSessions&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># REST/SOAP functions for sessions access (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/sessions&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># REST/SOAP functions for configuration access (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/config&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># REST/SOAP functions for notification insertion (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/notification&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT7 SECTION "Portal" [6845-9192] -->
<h3 class="sectionedit8" id="manager1">Manager</h3>
<!-- EDIT7 SECTION "Portal" [6894-7343] -->
<h3 class="sectionedit8" id="allowing_configuration_reload">Allowing configuration reload</h3>
<div class="level3">
<p>
Manager virtual host is used to serve configuration interface and local documentation. It is run as a FastCGI application:
</p>
<pre class="code file apache"> <span class="co1"># FASTCGI CONFIGURATION</span>
<span class="co1"># ---------------------</span>
&nbsp;
<span class="co1"># 1) URI management</span>
<span class="kw1">RewriteEngine</span> <span class="kw2">on</span>
&nbsp;
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi&quot;</span> [PT]
<span class="co1"># For performances, you can delete the previous RewriteRule line after</span>
<span class="co1"># puttings html files: simply put the HTML results of different modules</span>
<span class="co1"># (configuration, sessions, notifications) as manager.html, sessions.html,</span>
<span class="co1"># notifications.html and uncomment the 2 following lines:</span>
<span class="co1"># DirectoryIndex manager.html</span>
<span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
&nbsp;
<span class="co1"># REST URLs</span>
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]
&nbsp;
<span class="kw1">Alias</span> /psgi/ /var/lib/lemonldap-ng/manager/psgi/
&nbsp;
<span class="co1"># 2) FastCGI engine</span>
&nbsp;
<span class="co1"># You can choose any FastCGI system. Here is an example using mod_fcgid</span>
<span class="co1"># mod_fcgid configuration</span>
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/manager/psgi/&gt;
<span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
<span class="co1"># If you want to use mod_fastcgi, replace lines below by:</span>
<span class="co1">#FastCgiServer /var/lib/lemonldap-ng/manager/psgi/manager-server.fcgi</span>
&nbsp;
<span class="co1"># Or if you prefer to use CGI, use /psgi/manager-server.cgi instead of</span>
<span class="co1"># /psgi/manager-server.fcgi and adapt the rewrite rules.</span></pre>
<p>
Configuration interface access is not protected by Apache but by LemonLDAP::NG itself (see <code>lemonldap-ng.ini</code>).
In order to allow configuration reload from a different server (if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in
<strong>handler-apache2.conf</strong>
</p>
<pre class="code file apache"> &lt;<span class="kw3">Location</span> /reload&gt;
<span class="co1">#CHANGE THIS######</span>
<span class="kw1">Require</span> ip <span class="nu0">127</span> ::<span class="nu0">1</span>
<span class="co1">###########^^^^^^^</span>
<span class="kw1">SetHandler</span> perl-<span class="kw1">script</span>
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2-&gt;reload
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT8 SECTION "Manager" [9193-10736] -->
<!-- EDIT8 SECTION "Allowing configuration reload" [7344-7834] -->
<h3 class="sectionedit9" id="handler">Handler</h3>
<div class="level3">
<p>
In order to protect your application VHosts with the LemonLDAP::NG handler, you need to add these directives:
</p>
<ul>
<li class="level1"><div class="li"> Load Handler in Apache memory:</div>
</li>
</ul>
<p>
(in a global configuration file)
</p>
<pre class="code file apache">PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::Apache2</pre>
PerlModule Lemonldap::NG::Handler::ApacheMP2</pre>
<ul>
<li class="level1"><div class="li"> Catch error pages:</div>
</li>
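Review bot: typo in the new Portal paragraph: "configure some for of authentication" should read "some form of authentication". Also, the `/index.fcgi/notification` Location in the endpoint example still mixes Apache 2.2 directives (`Order deny,allow` / `Deny from all`) with the Apache 2.4 `Require all denied` used by the three other Locations; keeping only `Require all denied` makes the example consistent and avoids confusion about which directive is actually in effect under 2.4, where `Order`/`Deny` only work with mod_access_compat loaded.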
@ -456,42 +375,18 @@ PerlModule Lemonldap::NG::Handler::Apache2</pre>
<span class="kw1">ErrorDocument</span> <span class="nu0">500</span> http://auth.example.com/lmerror/<span class="nu0">500</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">502</span> http://auth.example.com/lmerror/<span class="nu0">502</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">503</span> http://auth.example.com/lmerror/<span class="nu0">503</span></pre>
<ul>
<li class="level1"><div class="li"> Reload virtual host:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> reload.example.com
&nbsp;
<span class="co1"># Configuration reload mechanism (only 1 per physical server is</span>
<span class="co1"># needed): choose your URL to avoid restarting Apache when</span>
<span class="co1"># configuration change</span>
&lt;<span class="kw3">Location</span> /reload&gt;
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 127.0.0.0/<span class="nu0">8</span>
<span class="kw1">SetHandler</span> perl-<span class="kw1">script</span>
PerlResponseHandler Lemonldap::NG::Handler::Apache2-&gt;reload
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># Uncomment this to activate status module</span>
<span class="co1">#&lt;Location /status&gt;</span>
<span class="co1"># Order deny,allow</span>
<span class="co1"># Deny from all</span>
<span class="co1"># Allow from 127.0.0.0/8</span>
<span class="co1"># SetHandler perl-script</span>
<span class="co1"># PerlResponseHandler Lemonldap::NG::Handler::Apache2-&gt;status</span>
<span class="co1">#&lt;/Location&gt;</span>
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<p>
Then, to protect a standard virtual host, the only configuration line to add is:
</p>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler::Apache2</pre>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2</pre>
<p>
See <strong>test-apache2.conf</strong> for a complete example of a protected application
</p>
</div>
<!-- EDIT9 SECTION "Handler" [10737-12126] -->
<!-- EDIT9 SECTION "Handler" [7835-8686] -->
<h2 class="sectionedit10" id="nginx">Nginx</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage Nginx configuration
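Review bot: the `ErrorDocument` targets in this hunk point at plain `http://auth.example.com/lmerror/...`; if the portal is served over HTTPS, these absolute URLs should use `https://` so that error pages are not redirected to a cleartext origin. The rename of `PerlModule` and `PerlHeaderParserHandler` to `Lemonldap::NG::Handler::ApacheMP2` is consistent with the reload Location above, which already uses `Lemonldap::NG::Handler::ApacheMP2->reload`.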
@ -506,122 +401,57 @@ LemonLDAP::NG ships 3 Nginx configuration files:
</li>
<li class="level1"><div class="li"> <strong>handler-nginx.conf</strong> : Handler reload virtual hosts</div>
</li>
<li class="level1"><div class="li"> <strong>test-nginx.conf</strong> : Example protected application</div>
</li>
</ul>
<p>
See <a href="confignginx.html" class="wikilink1" title="documentation:2.0:confignginx">how to deploy them</a>.
</p>
<div class="notewarning"><a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI</a> server must be loaded separately.
<div class="notewarning"><a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI</a> server must be enabled and started separately.
</div>
</div>
<!-- EDIT10 SECTION "Nginx" [12127-12580] -->
<!-- EDIT10 SECTION "Nginx" [8687-9209] -->
<h3 class="sectionedit11" id="portal1">Portal</h3>
<div class="level3">
<p>
In Portal virtual host, you will find several configuration parts:
After enabling any REST/SOAP endpoints in the Manager, you also need to configure some for of authentication on the corresponding URLs in the <strong>portal-nginx.conf</strong> configuration file.
</p>
<ul>
<li class="level1"><div class="li"> Standard virtual host directives, to serve portal pages:</div>
</li>
</ul>
<pre class="code file nginx">## map directive must be in http context
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default &quot;&quot;;
# ~/CN=(?&lt;CN&gt;[^/]+) $CN;
# }
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
&nbsp;
server {
listen 80;
server_name auth.example.com;
root /var/lib/lemonldap-ng/portal/;
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
&nbsp;
location ~ \.psgi(?:$|/) {
# Note that Content-Security-Policy header is generated by portal itself
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
&nbsp;
index index.psgi;
location / {
try_files $uri $uri/ =404;
&nbsp;
# Uncomment this if you use https only
#add_header Strict-Transport-Security max-age=15768000;
}
&nbsp;
location /static/ {
alias __PORTALSTATICDIR__;
}
}</pre>
<ul>
<li class="level1"><div class="li"> REST/SOAP end points (inactivated by default):</div>
</li>
</ul>
<pre class="code file nginx"> # REST/SOAP functions for sessions management (disabled by default)
location /index.psgi/adminSessions {
deny all;
}
&nbsp;
# REST/SOAP functions for sessions access (disabled by default)
location /index.psgi/sessions {
deny all;
}
&nbsp;
# REST/SOAP functions for configuration access (disabled by default)
location /index.psgi/config {
deny all;
}
&nbsp;
# REST/SOAP functions for notification insertion (disabled by default)
location /index.psgi/notification {
deny all;
}</pre>
<p>
By default, access to those URLs is denied:
</p>
<pre class="code file nginx"> location ~ ^/index.psgi/adminSessions {
fastcgi_pass llng_portal_upstream;
deny all;
}</pre>
</div>
<!-- EDIT11 SECTION "Portal" [12581-14383] -->
<h3 class="sectionedit12" id="manager2">Manager</h3>
<!-- EDIT11 SECTION "Portal" [9210-9587] -->
<h3 class="sectionedit12" id="allowing_configuration_reload1">Allowing configuration reload</h3>
<div class="level3">
<p>
Manager virtual host is used to serve configuration interface and local documentation.
In order to allow configuration reload from a different server (if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in
<strong>handler-nginx.conf</strong>
</p>
<pre class="code file nginx">server {
listen 80;
server_name manager.example.com;
root /usr/share/lemonldap-ng/manager/;
<pre class="code file nginx"> location = /reload {
&nbsp;
if ($uri !~ ^/(static|doc|lib|javascript)) {
rewrite ^/(.*)$ /manager.psgi/$1 break;
}
## CHANGE THIS #
allow 127.0.0.1;
######^^^^^^^^^#
&nbsp;
location /manager.psgi {
deny all;
&nbsp;
# FastCGI configuration
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE manager;
fastcgi_param SCRIPT_NAME /manager.psgi;
}
&nbsp;
location / {
index manager.psgi;
try_files $uri $uri/ =404;
}
}</pre>
<p>
By default, configuration interface access is not protected by Nginx but by LemonLDAP::NG itself (see <code>lemonldap-ng.ini</code>).
</p>
fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
fastcgi_param LLTYPE reload;
}</pre>
</div>
<!-- EDIT12 SECTION "Manager" [14384-15129] -->
<!-- EDIT12 SECTION "Allowing configuration reload" [9588-10127] -->
<h3 class="sectionedit13" id="handler1">Handler</h3>
<div class="level3">
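Review bot: same typo as in the Apache section: "some for of authentication" should be "some form of authentication". In the new `location = /reload` block, `allow 127.0.0.1;` only covers IPv4 loopback, whereas the Apache counterpart uses `Require ip 127 ::1`; if the reload request can arrive over IPv6 loopback, add `allow ::1;` before `deny all;` so both sections behave the same. The order of `allow` before `deny all;` is otherwise correct, since nginx evaluates these directives in order.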
@ -637,40 +467,9 @@ error_page 404 http://auth.example.com/lmerror/404;
error_page 500 http://auth.example.com/lmerror/500;
error_page 502 http://auth.example.com/lmerror/502;
error_page 503 http://auth.example.com/lmerror/503;</pre>
<ul>
<li class="level1"><div class="li"> Reload virtual host:</div>
</li>
</ul>
<pre class="code file nginx">server {
listen 80;
server_name reload.example.com;
root /var/www/html;
&nbsp;
location = /reload {
allow 127.0.0.1;
deny all;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE reload;
}
&nbsp;
# Other requests
location / {
deny all;
}
&nbsp;
# Uncomment this if status is enabled
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
#}
}</pre>
<p>
Then, to protect a standard virtual host, you must insert this (or create an included file):
To protect a standard virtual host, you must insert this (or create an included file):
</p>
<pre class="code file nginx"> # Insert $_user in logs
include /etc/lemonldap-ng/nginx-lmlog.conf;
@ -721,7 +520,7 @@ Then, to protect a standard virtual host, you must insert this (or create an inc
# Insert then your configuration (fastcgi_* or proxy_*)</pre>
</div>
<!-- EDIT13 SECTION "Handler" [15130-18211] -->
<!-- EDIT13 SECTION "Handler" [10128-12131] -->
<h2 class="sectionedit14" id="configuration_reload">Configuration reload</h2>
<div class="level2">
<div class="noteclassic">As Handlers keep configuration in cache, when configuration change, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers the mean to reload them through an HTTP request. Configuration reload will then be effective in less than 10 minutes. If you want to change this timeout, set <code>checkTime = 240</code> in your lemonldap-ng.ini file <em>(values in seconds)</em>
@ -733,7 +532,7 @@ After configuration is saved by Manager, LemonLDAP::NG will try to reload config
<p>
You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
</p>
<div class="noteimportant">Configuration file is compacted to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused parameters to be purged, you can enable &quot;Don &#039;t compact configuration file&quot; option.
<div class="noteimportant">Configuration file is compacted to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused parameters to be purged, you can enable &quot;Don&#039;t compact configuration file&quot; option.
</div>
<p>
These parameters can be overwritten in LemonLDAP::NG ini file, in the section <code>apply</code>.
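Review bot: while this paragraph is being touched for the `Don't` quote fix, the context line "it is be default set to 5 seconds" has a typo and should read "it is by default set to 5 seconds".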
@ -780,7 +579,7 @@ You also need to adjust the protection of the reload vhost, for example:
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT14 SECTION "Configuration reload" [18212-21062] -->
<!-- EDIT14 SECTION "Configuration reload" [12132-14981] -->
<h2 class="sectionedit15" id="local_file">Local file</h2>
<div class="level2">
@ -814,6 +613,6 @@ For example, to override configured skin for portal:
<div class="notetip">You need to know the technical name of configuration parameter to do this. You can refer to <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">parameter list</a> to find it.
</div>
</div>
<!-- EDIT15 SECTION "Local file" [21063-] --></div>
<!-- EDIT15 SECTION "Local file" [14982-] --></div>
</body>
</html>

View File

@ -179,7 +179,7 @@ PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu-&gt;run
<div class="noteimportant">You need to disable mod_deflate to use the floating menu
</div>
</div>
<!-- EDIT5 SECTION "Add a floating menu" [2576-3123] -->
<!-- EDIT5 SECTION "Add a floating menu" [2576-3125] -->
<h2 class="sectionedit6" id="nginx_configuration">Nginx configuration</h2>
<div class="level2">
@ -253,7 +253,7 @@ Then you can take any virtual host and modify it:
}</pre>
</div>
<!-- EDIT6 SECTION "Nginx configuration" [3124-5010] -->
<!-- EDIT6 SECTION "Nginx configuration" [3126-5012] -->
<h3 class="sectionedit7" id="hosted_application1">Hosted application</h3>
<div class="level3">
@ -312,12 +312,12 @@ server {
}</pre>
</div>
<!-- EDIT7 SECTION "Hosted application" [5011-6639] -->
<!-- EDIT7 SECTION "Hosted application" [5013-6641] -->
<h3 class="sectionedit8" id="reverse_proxy1">Reverse proxy</h3>
<div class="level3">
<p>
Example of a protected reverse-proxy:
* Example of a protected reverse-proxy:
</p>
<pre class="code file nginx"># Log format
include /path/to/lemonldap-ng/nginx-lmlog.conf;
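Review bot: the literal `*` prepended to "Example of a protected reverse-proxy:" sits inside a `<p>` element, so it renders as a stray asterisk rather than a bullet; either drop it or turn the two examples into a `<ul>` / `<li class="level1">` list as used elsewhere in this file.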
@ -362,8 +362,120 @@ server {
}
}</pre>
<p>
* Example of a Nginx Virtual Host using uWSGI with many URIs protected by different types of handler :
</p>
<pre class="code file nginx"># Log format
include /path/to/lemonldap-ng/nginx-lmlog.conf;
server {
listen 80;
server_name myserver;
root /var/www/html;
&nbsp;
# Internal MAIN handler authentication request
location = /lmauth {
internal;
# uWSGI Configuration
include /etc/nginx/uwsgi_params;
uwsgi_pass 127.0.0.1:5000;
uwsgi_pass_request_body off;
uwsgi_param CONTENT_LENGTH &quot;&quot;;
uwsgi_param HOST $http_host;
uwsgi_param X_ORIGINAL_URI $request_uri;
# Improve performances
uwsgi_buffer_size 32k;
uwsgi_buffers 32 32k;
}
&nbsp;
# Internal AUTH_BASIC handler authentication request
location = /lmauth-basic {
internal;
# uWSGI Configuration
include /etc/nginx/uwsgi_params;
uwsgi_pass 127.0.0.1:5000;
uwsgi_pass_request_body off;
uwsgi_param CONTENT_LENGTH &quot;&quot;;
uwsgi_param HOST $http_host;
uwsgi_param X_ORIGINAL_URI $request_uri;
uwsgi_param VHOSTTYPE AuthBasic;
# Improve performances
uwsgi_buffer_size 32k;
uwsgi_buffers 32 32k;
}
&nbsp;
# Internal SERVICE_TOKEN handler authentication request
location = /lmauth-service {
internal;
# uWSGI Configuration
include /etc/nginx/uwsgi_params;
uwsgi_pass 127.0.0.1:5000;
uwsgi_pass_request_body off;
uwsgi_param CONTENT_LENGTH &quot;&quot;;
uwsgi_param HOST $http_host;
uwsgi_param X_ORIGINAL_URI $request_uri;
uwsgi_param VHOSTTYPE ServiceToken;
# Improve performances
uwsgi_buffer_size 32k;
uwsgi_buffers 32 32k;
}
&nbsp;
# Client requests
location / {
##################################
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
# Remove this for AuthBasic handler
error_page 401 $lmlocation;
&nbsp;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
include /etc/nginx/nginx-lua-headers.conf;
}
&nbsp;
location /AuthBasic/ {
##################################
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth-basic;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmremote_custom $upstream_http_lm_remote_custom;
auth_request_set $lmlocation $upstream_http_location;
# Remove this for AuthBasic handler
#error_page 401 $lmlocation;
&nbsp;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
include /etc/nginx/nginx-lua-headers.conf;
}
&nbsp;
location /web-service/ {
##################################
# CALLING AUTHENTICATION #
##################################
auth_request /lmauth-service;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
# Remove this for AuthBasic handler
error_page 401 $lmlocation;
&nbsp;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
include /etc/nginx/nginx-lua-headers.conf;
}
}</pre>
</div>
<!-- EDIT8 SECTION "Reverse proxy" [6640-7933] -->
<!-- EDIT8 SECTION "Reverse proxy" [6642-11401] -->
<h2 class="sectionedit9" id="lemonldapng_configuration">LemonLDAP::NG configuration</h2>
<div class="level2">
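Review bot: the comment `# Remove this for AuthBasic handler` is copy-pasted above `error_page 401 $lmlocation;` in the `/web-service/` location, where the handler is ServiceToken, not AuthBasic; the comment there should say what applies to a ServiceToken-protected location (in particular whether redirecting a web-service client to the portal on 401 is wanted at all). The three internal `/lmauth*` locations also repeat the same block of uwsgi directives (`include`, `uwsgi_pass`, `uwsgi_pass_request_body`, the `uwsgi_param` lines and the buffer settings); moving those into an included file would keep the example readable and reduce copy-paste drift. The introductory paragraph of this hunk has the same stray literal `*` inside a `<p>` as the previous example.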
@ -390,7 +502,7 @@ A virtual host contains:
</ul>
</div>
<!-- EDIT9 SECTION "LemonLDAP::NG configuration" [7934-8533] -->
<!-- EDIT9 SECTION "LemonLDAP::NG configuration" [11402-12001] -->
<h3 class="sectionedit10" id="access_rules_and_http_headers">Access rules and HTTP headers</h3>
<div class="level3">
@ -408,7 +520,7 @@ To send more than <strong>TEN</strong> headers to protected applications, you ha
</div>
</div>
<!-- EDIT10 SECTION "Access rules and HTTP headers" [8534-8968] -->
<!-- EDIT10 SECTION "Access rules and HTTP headers" [12002-12436] -->
<h3 class="sectionedit11" id="post_data">POST data</h3>
<div class="level3">
@ -417,7 +529,7 @@ See <strong><a href="formreplay.html" class="wikilink1" title="documentation:2.0
</p>
</div>
<!-- EDIT11 SECTION "POST data" [8969-9103] -->
<!-- EDIT11 SECTION "POST data" [12437-12571] -->
<h3 class="sectionedit12" id="options">Options</h3>
<div class="level3">
@ -435,12 +547,21 @@ Some options are available:
</li>
<li class="level1"><div class="li"> Type: handler type <em>(normal, <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">ServiceToken Handler</a>, <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>,...)</em></div>
</li>
<li class="level1"><div class="li"> Authentication level required: this options avoid to reject user with a rule based on <code>$_authenticationLevel</code>. When user hasn&#039;t the required level, he is redirected to an upgrade page in the portal</div>
<li class="level1"><div class="li"> Authentication level required: this option avoids to reject user with a rule based on <code>$_authenticationLevel</code>. When user hasn&#039;t got the required level, he is redirected to an upgrade page in the portal. This level is applied to ALL VirtualHost locations.</div>
</li>
<li class="level1"><div class="li"> ServiceToken timeout: The Service Token is only available during 30 seconds by default. This TTL can be customized for each virtual host.</div>
</li>
</ul>
<div class="noteimportant">A neagative or null ServiceToken timeout value will be overloaded by <code>handlerServiceTokenTTL</code> (30 seconds by default).
<div class="notewarning">A same virtual host can serve many locations. Each location can be protected by a different type of handler :
<pre class="code">server test1.example.com 80
location ^/AuthBasic =&gt; AuthBasic handler
location ^/AuthCookie =&gt; Main handler</pre>
<p>
Keep in mind that AuthBasic handler use &quot;Login/Password&quot; to authenticate users. If you set &quot;Authentication level required&quot; option to &quot;5&quot; by example, AuthBasic requests will be ALWAYS rejected because AuthBasic authentication level is lower than required level.
</p>
</div><div class="noteimportant">A negative or null ServiceToken timeout value will be overloaded by <code>handlerServiceTokenTTL</code> (30 seconds by default).
</div>
<p>
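Review bot: grammar in the rewritten option description: "this option avoids to reject user" should be "this option avoids rejecting users". In the new warning block, "by example" should be "for example" and "handler :" should be "handler:" (no space before the colon in English). The warning itself is a useful addition, since a required level higher than the AuthBasic level silently rejects every AuthBasic request; stating the level AuthBasic provides would let readers choose a value that does not lock out those locations.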
@ -448,6 +569,6 @@ Some options are available:
</p>
</div>
<!-- EDIT12 SECTION "Options" [9104-] --></div>
<!-- EDIT12 SECTION "Options" [12572-] --></div>
</body>
</html>

View File

@ -62,7 +62,11 @@
</ul>
</li>
<li class="level1"><div class="li"><a href="#install_dependencies">Install dependencies</a></div></li>
<li class="level1"><div class="li"><a href="#working_project">Working Project</a></div></li>
<li class="level1"><div class="li"><a href="#working_project">Working Project</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#unit_tests">Unit tests</a></div></li>
<li class="level2"><div class="li"><a href="#other_commands">Other commands</a></div></li>
</ul></li>
</ul>
</div>
</div>
@ -209,7 +213,7 @@ On gitlab, submit merge request when tests are corrects.
<!-- EDIT4 SECTION "Import Project and using Git" [1855-2905] -->
<h2 class="sectionedit5" id="install_dependencies">Install dependencies</h2>
<div class="level2">
<pre class="code">aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
<pre class="code">aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
aptitude install apache2 libapache2-mod-fcgid libapache2-mod-perl2 # install Apache
aptitude install nginx nginx-extras # install Nginx
cpanm perltidy@20181120</pre>
@ -220,34 +224,55 @@ cpanm perltidy@20181120</pre>
<pre class="code">aptitude install liblasso-perl libglib-perl </pre>
</div>
<!-- EDIT5 SECTION "Install dependencies" [2906-3814] -->
<!-- EDIT5 SECTION "Install dependencies" [2906-3838] -->
<h2 class="sectionedit6" id="working_project">Working Project</h2>
<div class="level2">
<pre class="code">## Launch unit tests:
make test # or manager_test, portal_test, ... to launch unit tests
## Same tests launched on a simulated install
make autopkgtest # or autopkg_portal, autopkg_manager, ... to launch unit tests
## Execute an unit test :
# Building project
cd ~/lemonldap-ng/; make
# Go to parent test directory
cd ~/lemonldap-ng/lemonldap-ng-portal
# and execute the unit test:
prove -v t/67-CheckUser.t
## Using local platform :
make start_web_server # TESTUSESSL=1 to enable SSL engine (only available for Apache)
make start_web_server TESTWEBSERVER=nginx # to use Nginx web server
make stop_web_server
make reload_web_server # to reload LL:NG conf
make clean # to clean test files
make minify # to minify and compile coffeescript
make json # to build conf and manager tree
make manifest # to update manifest
make tidy # to magnify perl files (perl best pratices)</pre>
</div>
<!-- EDIT6 SECTION "Working Project" [3815-] --></div>
<!-- EDIT6 SECTION "Working Project" [3839-3868] -->
<h3 class="sectionedit7" id="unit_tests">Unit tests</h3>
<div class="level3">
<p>
Launch unit tests:
</p>
<pre class="code"> make test # or manager_test, portal_test, ... to launch unit tests</pre>
<p>
Same tests launched on a simulated install
</p>
<pre class="code"> make autopkgtest # or autopkg_portal, autopkg_manager, ... to launch unit tests</pre>
<p>
Execute an unit test :
</p>
<pre class="code"> # Building project
cd ~/lemonldap-ng/; make
# Go to parent test directory
cd ~/lemonldap-ng/lemonldap-ng-portal
# and execute the unit test:
prove -v t/67-CheckUser.t</pre>
<p>
Launch tests with LDAP backend, for example with OpenLDAP LTB package:
</p>
<pre class="code">make LLNGTESTLDAP=1 LLNGTESTLDAP_SLAPD_BIN=/usr/local/openldap/libexec/slapd LLNGTESTLDAP_SLAPADD_BIN=/usr/local/openldap/sbin/slapadd LLNGTESTLDAP_SCHEMA_DIR=/usr/local/openldap/etc/openldap/schema/ test</pre>
</div>
<!-- EDIT7 SECTION "Unit tests" [3869-4647] -->
<h3 class="sectionedit8" id="other_commands">Other commands</h3>
<div class="level3">
<pre class="code"> make start_web_server # TESTUSESSL=1 to enable SSL engine (only available for Apache)
make start_web_server TESTWEBSERVER=nginx # to use Nginx web server
make stop_web_server
make reload_web_server # to reload LL:NG conf
make clean # to clean test files
make minify # to minify and compile coffeescript
make json # to build conf and manager tree
make manifest # to update manifest
make tidy # to magnify perl files (perl best pratices)</pre>
</div>
<!-- EDIT8 SECTION "Other commands" [4648-] --></div>
</body>
</html>
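Review bot: "Execute an unit test :" should be "Execute a unit test:", and in the `make tidy` comment "magnify perl files (perl best pratices)" should read "tidy perl files (perl best practices)". The new LDAP test command `make LLNGTESTLDAP=1 ... test` is a single long line; a short sentence naming what `LLNGTESTLDAP_SLAPD_BIN`, `LLNGTESTLDAP_SLAPADD_BIN` and `LLNGTESTLDAP_SCHEMA_DIR` must point to would help readers on a distribution OpenLDAP package know which paths to substitute.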

View File

@ -0,0 +1,83 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:decryptvalue</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,decryptvalue"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="decryptvalue.html"/>
<link rel="contents" href="decryptvalue.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:decryptvalue","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<p>
<a href="documentation/latest/beta.png_documentation_2.0_decryptvalue.html" class="media" title="documentation:latest:beta.png"><img src="documentation/latest/beta.ea231b49369c9f6406cbdf58d06a616c.png" class="media" alt="" width="100" /></a>
</p>
<h1 class="sectionedit1" id="decrypt_value_plugin">Decrypt value plugin</h1>
<div class="level1">
<p>
This plugin allows us to decrypt ciphered values. <abbr title="LemonLDAP::NG">LL::NG</abbr> can be configured to send encrypted values to protected applications by using <a href="documentation/latest/extendedfunctions.html" class="wikilink1" title="documentation:latest:extendedfunctions">extended functions</a>.
</p>
</div>
<!-- EDIT1 SECTION "Decrypt value plugin" [40-274] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
Just enable it in the Manager (section “plugins”) by setting a rule. DecryptValue plugin can be allowed or denied for specific users.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Parameters</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Use rule</strong>: Select which users may use this plugin</div>
</li>
<li class="level2"><div class="li"> <strong>Decrypt functions</strong>: Set functions used for decrypting ciphered values. Each function is tested until one succeeds. Let it blank to use internal decrypt function.</div>
</li>
</ul>
</li>
</ul>
<div class="notewarning">Custom functions must be defined into <code>Lemonldap::NG::Portal::My::Plugin</code> and set:
<pre class="code">My::Plugin::function1 My::Plugin::function2</pre>
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [275-] --></div>
</body>
</html>
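Review bot: the page never says who should be allowed to run this plugin. The `encrypt` extended function it refers to is documented as using the configuration secret key to anonymize identifiers sent to applications, so any user matched by the "Use rule" can reverse those identifiers; the rule description should recommend restricting it to administrators rather than presenting it as an optional filter. Wording: "This plugin allows us to decrypt" → "lets a user decrypt"; "Let it blank" → "Leave it blank". The "Decrypt functions" warning does not state the separator between function names (the example only shows a space) nor what a custom function receives and what it must return on failure, which the reader needs to make sense of "Each function is tested until one succeeds". In the template head, `<link ... bootstrap.min.css"></script>` closes a `<link>` with `</script>`, and the `useexternallibs` branch loads jQuery and jQuery UI from `http://code.jquery.com/...` over plain HTTP, which lets an on-path attacker inject script into the rendered docs; use `https://`.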

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -0,0 +1,103 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<title>documentation:latest:beta.png [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="../../lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="../../lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->/>
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<link rel="search" type="application/opensearchdescription+xml" href="../../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="../../decryptvalue.html"/>
<link rel="contents" href="../../decryptvalue.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='';var JSINFO = null;
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
<script type="text/javascript" src="/javascript/bootstrap/js/bootstrap.min.js"></script>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<![endif]-->
</head>
<body class="container">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__detail" class="dokuwiki mode_ tpl_bootstrap3 ">
<h1 class="page-header">
<i class="glyphicon glyphicon-picture"></i> documentation:latest:beta.png </h1>
<div class="content">
<a href="beta.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="60" height="30" class="img_detail" alt="beta.png" title="beta.png" src="beta.a9cc3cd1e66eeb67af35a2acc34fd387.png"/></a>
<div class="img_detail">
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> beta.png</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2019/07/05 21:03</dd><dt>Filename:</dt><dd>beta.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>3KB</dd><dt>Width:</dt><dd>60</dd><dt>Height:</dt><dd>30</dd></dl> </div>
</div>
</div>
</div><!-- /.content -->
<p class="back">
<hr/>
<div class="btn-group">
<a href="../../decryptvalue.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:decryptvalue [B]">Back to documentation:2.0:decryptvalue</a> </div>
</p>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>
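Review bot: this is a DokuWiki media-detail page (`dokuwiki__detail`) exported alongside the docs; the decryptvalue page only reaches it through the beta badge link and it carries no documentation. If it is kept, the markup is broken: `<!-- //endif -->/>` leaves a stray `/>`, `<link ...></script>` closes a link with a script end tag, and `<p class="back">` wraps an `<hr/>` and a `<div>` (block elements inside a paragraph). The "View original file" link targets `beta.0fea6a13c52b4d4725368f24b045ca84.png`, which differs from both the thumbnail `src` (`beta.a9cc3cd1…`) and the `beta.ea231b49…` file the doc page itself uses, and the same `0fea6a13…` suffix appears on the manager-rule.png detail page, so it looks like a placeholder rather than a real file. Should the badge link straight to the image instead of shipping these detail pages?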

View File

@ -0,0 +1,103 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<title>documentation:latest:beta.png [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="../../lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="../../lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->/>
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<link rel="search" type="application/opensearchdescription+xml" href="../../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="../../globallogout.html"/>
<link rel="contents" href="../../globallogout.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='';var JSINFO = null;
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
<script type="text/javascript" src="/javascript/bootstrap/js/bootstrap.min.js"></script>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<![endif]-->
</head>
<body class="container">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__detail" class="dokuwiki mode_ tpl_bootstrap3 ">
<h1 class="page-header">
<i class="glyphicon glyphicon-picture"></i> documentation:latest:beta.png </h1>
<div class="content">
<a href="beta.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="60" height="30" class="img_detail" alt="beta.png" title="beta.png" src="beta.a9cc3cd1e66eeb67af35a2acc34fd387.png"/></a>
<div class="img_detail">
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> beta.png</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2019/07/05 21:03</dd><dt>Filename:</dt><dd>beta.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>3KB</dd><dt>Width:</dt><dd>60</dd><dt>Height:</dt><dd>30</dd></dl> </div>
</div>
</div>
</div><!-- /.content -->
<p class="back">
<hr/>
<div class="btn-group">
<a href="../../globallogout.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:globallogout [B]">Back to documentation:2.0:globallogout</a> </div>
</p>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>
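Review bot: identical to the decryptvalue copy except for the back link, with the same markup issues (stray `/>` after `<!-- //endif -->`, `<link>` closed by `</script>`, block elements inside `<p class="back">`) and the same `beta.0fea6a13…` "View original file" target that matches neither the thumbnail nor the badge image used by the doc page. If every doc page needs its own badge detail page, generate it at export time rather than committing near-duplicate files.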

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -74,7 +74,7 @@
<div class="content">
<a href="manager-rule.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="900" height="177" class="img_detail" alt="manager-rule.png" title="manager-rule.png" src="manager-rule.defe1afc3662d4c558531ada63b4ce37.png"/></a>
<a href="manager-rule.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="900" height="263" class="img_detail" alt="manager-rule.png" title="manager-rule.png" src="manager-rule.0a159189410beefd4339a7cac832a503.png"/></a>
<div class="img_detail">
<div class="panel panel-default">
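Review bot: the thumbnail `src` hash and height are updated but the "View original file" `href` still points at `manager-rule.0fea6a13c52b4d4725368f24b045ca84.png`; that suffix is the one the beta.png detail page uses too, so it is not derived from this image and the link to the original is stale or was never valid. Update it together with the `src`.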
@ -82,7 +82,7 @@
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> manager-rule.png</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2016/07/19 12:15</dd><dt>Filename:</dt><dd>manager-rule.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>10KB</dd><dt>Width:</dt><dd>1250</dd><dt>Height:</dt><dd>247</dd></dl> </div>
<dl><dt>Date:</dt><dd>2019/11/06 21:12</dd><dt>Filename:</dt><dd>manager-rule.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>16KB</dd><dt>Width:</dt><dd>1096</dd><dt>Height:</dt><dd>321</dd></dl> </div>
</div>
</div>
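Review bot: the metadata is consistent with the new thumbnail (1096×321 scaled to 900×263 keeps the aspect ratio), but because the `href` in the previous hunk was left untouched the panel now describes an image that the "View original file" link does not point to.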

View File

@ -74,7 +74,7 @@
<div class="content">
<a href="manager-rule.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="900" height="177" class="img_detail" alt="manager-rule.png" title="manager-rule.png" src="manager-rule.defe1afc3662d4c558531ada63b4ce37.png"/></a>
<a href="manager-rule.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="900" height="263" class="img_detail" alt="manager-rule.png" title="manager-rule.png" src="manager-rule.0a159189410beefd4339a7cac832a503.png"/></a>
<div class="img_detail">
<div class="panel panel-default">
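Review bot: same issue as the other manager-rule.png detail page: the `src` changes to `manager-rule.0a159189…` but the "View original file" `href` keeps the `0fea6a13…` name shared with beta.png, so the link and the image are out of sync. Both copies should be regenerated from the same source rather than edited by hand.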
@ -82,7 +82,7 @@
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> manager-rule.png</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2016/07/19 12:15</dd><dt>Filename:</dt><dd>manager-rule.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>10KB</dd><dt>Width:</dt><dd>1250</dd><dt>Height:</dt><dd>247</dd></dl> </div>
<dl><dt>Date:</dt><dd>2019/11/06 21:12</dd><dt>Filename:</dt><dd>manager-rule.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>16KB</dd><dt>Width:</dt><dd>1096</dd><dt>Height:</dt><dd>321</dd></dl> </div>
</div>
</div>

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
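Review bot: this file is a DokuWiki "topic doesn't exist yet" placeholder, and the only change in this hunk is the `sectok` value embedded in the navbar Login link. The token is session-bound so it is not a reusable credential, but it changes on every export and the link points at the live wiki's login action, neither of which belongs in packaged documentation; suggest excluding the non-existent `dos` page from the export, or at least stripping the navbar and login link.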
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1569271210" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1576942869" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1569271210" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1576942869" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
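Review bot: same pattern as dos.html: the two hunks only rotate the session-bound `sectok` and the `indexer.php` timestamp pixel, on a page that is itself a placeholder for a topic that does not exist. The `indexer.php` image is a tracking call back to the wiki and should not be shipped; drop both placeholder files from the export instead of regenerating them each release.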

View File

@ -59,9 +59,11 @@
<li class="level2"><div class="li"><a href="#unicode2iso">unicode2iso</a></div></li>
<li class="level2"><div class="li"><a href="#iso2unicode">iso2unicode</a></div></li>
<li class="level2"><div class="li"><a href="#groupmatch">groupMatch</a></div></li>
<li class="level2"><div class="li"><a href="#listmatch">listMatch</a></div></li>
<li class="level2"><div class="li"><a href="#encrypt">encrypt</a></div></li>
<li class="level2"><div class="li"><a href="#token">token</a></div></li>
<li class="level2"><div class="li"><a href="#isinnet6">isInNet6</a></div></li>
<li class="level2"><div class="li"><a href="#varisinuri">varIsInUri</a></div></li>
</ul></li>
</ul>
</div>
@ -126,24 +128,28 @@ Inside this jail, you can access to:
</li>
<li class="level2"><div class="li"> <a href="#groupmatch" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">groupMatch</a></div>
</li>
<li class="level2"><div class="li"> <a href="#listmatch" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">listMatch</a> (<a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <em> since 2.0.7)</em></div>
</li>
<li class="level2"><div class="li"> <a href="#encrypt" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">encrypt</a></div>
</li>
<li class="level2"><div class="li"> <a href="#token" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">token</a></div>
</li>
<li class="level2"><div class="li"> <a href="#isinnet6" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">isInNet6</a></div>
</li>
<li class="level2"><div class="li"> <a href="#varisinuri" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">varIsInUri</a></div>
</li>
</ul>
</li>
</ul>
<div class="notetip">To know more about the jail, check <a href="http://perldoc.perl.org/Safe.html" class="urlextern" title="http://perldoc.perl.org/Safe.html" rel="nofollow">Safe module documentation</a>.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [35-1215] -->
<!-- EDIT2 SECTION "Presentation" [35-1324] -->
<h2 class="sectionedit3" id="extended_functions_list">Extended Functions List</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Extended Functions List" [1216-1252] -->
<!-- EDIT3 SECTION "Extended Functions List" [1325-1361] -->
<h3 class="sectionedit4" id="date">date</h3>
<div class="level3">
@ -153,7 +159,7 @@ Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT by callin
<pre class="code">date(1)</pre>
</div>
<!-- EDIT4 SECTION "date" [1253-1372] -->
<!-- EDIT4 SECTION "date" [1362-1481] -->
<h3 class="sectionedit5" id="checklogonhours">checkLogonHours</h3>
<div class="level3">
@ -210,7 +216,7 @@ You can modify the default behavior for people without value in ssoLogonHours. I
<pre class="code">checkLogonHours($ssoLogonHours, &#039;&#039;, &#039;&#039;, &#039;1&#039;)</pre>
</div>
<!-- EDIT5 SECTION "checkLogonHours" [1373-3310] -->
<!-- EDIT5 SECTION "checkLogonHours" [1482-3419] -->
<h3 class="sectionedit6" id="checkdate">checkDate</h3>
<div class="level3">
@ -242,7 +248,7 @@ Simple usage example:
<pre class="code">checkDate($ssoStartDate, $ssoEndDate)</pre>
</div>
<!-- EDIT6 SECTION "checkDate" [3311-3938] -->
<!-- EDIT6 SECTION "checkDate" [3420-4047] -->
<h3 class="sectionedit7" id="basic">basic</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
@ -267,7 +273,7 @@ Simple usage example:
<pre class="code">basic($uid,$_password)</pre>
</div>
<!-- EDIT7 SECTION "basic" [3939-4401] -->
<!-- EDIT7 SECTION "basic" [4048-4510] -->
<h3 class="sectionedit8" id="unicode2iso">unicode2iso</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
@ -290,7 +296,7 @@ Simple usage example:
<pre class="code">unicode2iso($name)</pre>
</div>
<!-- EDIT8 SECTION "unicode2iso" [4402-4706] -->
<!-- EDIT8 SECTION "unicode2iso" [4511-4815] -->
<h3 class="sectionedit9" id="iso2unicode">iso2unicode</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
@ -313,7 +319,7 @@ Simple usage example:
<pre class="code">iso2unicode($name)</pre>
</div>
<!-- EDIT9 SECTION "iso2unicode" [4707-5011] -->
<!-- EDIT9 SECTION "iso2unicode" [4816-5120] -->
<h3 class="sectionedit10" id="groupmatch">groupMatch</h3>
<div class="level3">
@ -339,29 +345,67 @@ Simple usage example:
<pre class="code">groupMatch($hGroups, &#039;description&#039;, &#039;Service 1&#039;)</pre>
</div>
<!-- EDIT10 SECTION "groupMatch" [5012-5370] -->
<h3 class="sectionedit11" id="encrypt">encrypt</h3>
<!-- EDIT10 SECTION "groupMatch" [5121-5479] -->
<h3 class="sectionedit11" id="listmatch">listMatch</h3>
<div class="level3">
<p>
(<a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <em> since 2.0.7)</em>
</p>
<p>
This function lets you test if a particular value can be found with a multi-valued session attribute.
</p>
<p>
Function parameter:
</p>
<ul>
<li class="level1"><div class="li"> <strong>list</strong>: Variable containing several values (plain string with separator, array or hash) </div>
</li>
<li class="level1"><div class="li"> <strong>value</strong>: Value to search in the list</div>
</li>
<li class="level1"><div class="li"> <strong>ignorecase</strong>: Ignore case, by default the search is case-sensitive</div>
</li>
</ul>
<p>
Simple usage example:
</p>
<pre class="code"># Case sensitive match
listMatch($roles, &#039;role-app1&#039;)
# Case insensitive match
listMatch($roles, &#039;RoLe-aPp1&#039;, 1)</pre>
<p>
The function returns 1 if the value was found, and 0 if it was not found.
</p>
</div>
<!-- EDIT11 SECTION "listMatch" [5480-6107] -->
<h3 class="sectionedit12" id="encrypt">encrypt</h3>
<div class="level3">
<div class="notetip">Since version 2.0, this function is now compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
</div>
<p>
This function uses the secret key of LLNG configuration to crypt a data. This can be used to anonymize identifier given to the protected application.
This function uses the secret key of LLNG configuration to crypt a data. This can be used for anonymizing identifier given to the protected application.
</p>
<pre class="code">encrypt($_whatToTrace)</pre>
</div>
<!-- EDIT11 SECTION "encrypt" [5371-5676] -->
<h3 class="sectionedit12" id="token">token</h3>
<!-- EDIT12 SECTION "encrypt" [6108-6416] -->
<h3 class="sectionedit13" id="token">token</h3>
<div class="level3">
<p>
This function generates token used to <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">handle server webservice calls</a>.
This function generates token used for <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">handling server webservice calls</a>.
</p>
<pre class="code">token($_session_id,&#039;webapp1.example.com&#039;,&#039;webapp2.example.com&#039;)</pre>
</div>
<!-- EDIT12 SECTION "token" [5677-5881] -->
<h3 class="sectionedit13" id="isinnet6">isInNet6</h3>
<!-- EDIT13 SECTION "token" [6417-6624] -->
<h3 class="sectionedit14" id="isinnet6">isInNet6</h3>
<div class="level3">
<p>
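Review bot: `encrypt` is described as anonymizing the identifier, but the same text says it uses the configuration secret key, and this commit adds a Decrypt value plugin that reverses it, so the output is pseudonymous rather than anonymous: anyone holding the key can recover `$_whatToTrace`. Suggest "This function encrypts a value with the secret key of the LLNG configuration. It can be used to pseudonymize the identifier given to the protected application; the value can be decrypted by anyone holding the configuration key" instead of "crypt a data" / "anonymizing identifier". In listMatch: "can be found with a multi-valued session attribute" → "in a multi-valued session attribute"; "Function parameter:" → "Function parameters:"; the `list` bullet says "plain string with separator" without saying which separator a string is split on, which the reader needs to know before relying on it in a rule. The `token` rewording "generates token used for handling server webservice calls" reads worse than the original; "generates a token used to handle server-to-server web service calls" keeps the link text natural.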
@ -370,6 +414,33 @@ Function to check if an IPv6 address is in a subnet. Example <em>check if <abbr
<pre class="code perl">isInNet6<span class="br0">&#40;</span><span class="re0">$ipAddr</span><span class="sy0">,</span> <span class="st_h">'fe80::/10'</span><span class="br0">&#41;</span></pre>
</div>
<!-- EDIT13 SECTION "isInNet6" [5882-] --></div>
<!-- EDIT14 SECTION "isInNet6" [6625-6792] -->
<h3 class="sectionedit15" id="varisinuri">varIsInUri</h3>
<div class="level3">
<p>
Function to check if a variable is in requested <abbr title="Uniform Resource Identifier">URI</abbr> (Require <abbr title="LemonLDAP::NG">LL::NG</abbr> &gt;= 2.0.7).
</p>
<p>
Example <em>check if $uid is in /check-auth/ <abbr title="Uniform Resource Identifier">URI</abbr></em>:
</p>
<pre class="code perl">varIsInUri<span class="br0">&#40;</span><span class="re0">$ENV</span><span class="br0">&#123;</span>REQUEST_URI<span class="br0">&#125;</span><span class="sy0">,</span> <span class="st_h">'/check-auth/'</span><span class="sy0">,</span> <span class="re0">$uid</span><span class="br0">&#41;</span>
&nbsp;
https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span class="sy0">.</span>com<span class="sy0">/</span>check<span class="sy0">-</span>auth<span class="sy0">/</span>dwho <span class="sy0">-&gt;</span> <span class="me1">true</span>
https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span class="sy0">.</span>com<span class="sy0">/</span>check<span class="sy0">-</span>auth<span class="sy0">/</span>dwho<span class="sy0">/</span>api <span class="sy0">-&gt;</span> <span class="me1">true</span>
https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span class="sy0">.</span>com<span class="sy0">/</span>check<span class="sy0">-</span>auth<span class="sy0">/</span>dwh <span class="sy0">-&gt;</span> <span class="me1">false</span></pre>
<p>
* You can set &quot;restricted&quot; flag to match exact <abbr title="Uniform Resource Identifier">URI</abbr>:
</p>
<pre class="code perl">varIsInUri<span class="br0">&#40;</span><span class="re0">$ENV</span><span class="br0">&#123;</span>REQUEST_URI<span class="br0">&#125;</span><span class="sy0">,</span> <span class="st_h">'/check-auth/'</span><span class="sy0">,</span> <span class="st0">&quot;$uid/&quot;</span><span class="sy0">,</span> <span class="nu0">1</span><span class="br0">&#41;</span>
&nbsp;
https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span class="sy0">.</span>com<span class="sy0">/</span>check<span class="sy0">-</span>auth<span class="sy0">/</span>rtyler<span class="sy0">/</span> <span class="sy0">-&gt;</span> <span class="me1">true</span>
https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span class="sy0">.</span>com<span class="sy0">/</span>check<span class="sy0">-</span>auth<span class="sy0">/</span>rtyler<span class="sy0">/</span>api <span class="sy0">-&gt;</span> <span class="me1">false</span>
https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span class="sy0">.</span>com<span class="sy0">/</span>check<span class="sy0">-</span>auth<span class="sy0">/</span>rtyler <span class="sy0">-&gt;</span> <span class="me1">false</span></pre>
</div>
<!-- EDIT15 SECTION "varIsInUri" [6793-] --></div>
</body>
</html>
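Review bot: when `varIsInUri` is used as an access rule, the behaviour of the non-restricted form matters and the examples leave a gap: `/check-auth/dwho/api` matches and `/check-auth/dwh` does not, but nothing says whether `/check-auth/dwhoever` (another user's path that has `dwho` as a prefix) matches. If it is a plain prefix test, `varIsInUri($ENV{REQUEST_URI}, '/check-auth/', $uid)` lets user `dwho` reach paths of every user whose name starts with `dwho`, and the doc should say so and steer readers to the restricted form with a trailing `/`. Also state whether the query string carried by `$ENV{REQUEST_URI}` is ignored (for example `/check-auth/rtyler/?x=1` with the restricted flag). Smaller points: "check if a variable is in requested URI" should say "check that the requested URI starts with the given prefix followed by the variable's value"; the stray `*` before "You can set" is a leftover list marker; "Require" → "Requires".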

View File

@ -0,0 +1,80 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:globallogout</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,globallogout"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="globallogout.html"/>
<link rel="contents" href="globallogout.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:globallogout","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<p>
<a href="documentation/latest/beta.png_documentation_2.0_globallogout.html" class="media" title="documentation:latest:beta.png"><img src="documentation/latest/beta.ea231b49369c9f6406cbdf58d06a616c.png" class="media" alt="" width="100" /></a>
</p>
<h1 class="sectionedit1" id="global_logout_plugin">Global logout plugin</h1>
<div class="level1">
<p>
This plugin allows a user to close all his opened sessions at logout process.
</p>
</div>
<!-- EDIT1 SECTION "Global logout plugin" [40-154] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
Just enable it in the Manager (section “plugins”).
</p>
<ul>
<li class="level1"><div class="li"> <strong>Parameters</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Activation</strong>: Enable/Disable or set a rule to select which users are allowed to close there sessions.</div>
</li>
<li class="level2"><div class="li"> <strong>Auto accept time</strong>: Enable/Disable timer. If timer is disabled, all opened sessions are always closed.</div>
</li>
</ul>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Configuration" [155-] --></div>
</body>
</html>
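Review bot: "close there sessions" in the Activation parameter description should read "their sessions". The Auto accept time item only describes the disabled case ("all opened sessions are always closed"), so a reader cannot tell what the timer value means when it is enabled or what happens to the open sessions when it expires without the user acting; one sentence on the enabled behaviour would close that gap.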

View File

@ -149,7 +149,7 @@ Go to:
</p>
<p>
<code>General Parameters &gt; Advanced Parameters &gt; Security &gt; Choice parameters &gt; SSL options for server requests</code>
<code>General Parameters &gt; Advanced Parameters &gt; Security &gt; SSL options for server requests</code>
</p>
</div>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:idpcas</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,idpcas"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpcas.html"/>
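Review bot: the robots meta flips from "index,follow" to "noindex,nofollow" in this hunk, and the same flip appears on the idpopenidconnect, idpsaml and notifications pages while the two mongodb pages flip the other way; this looks like export state rather than an intended change, and it decides whether search engines index the 2.0 documentation, so confirm the intended value before committing the generated HTML.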
@ -56,8 +56,9 @@
<li class="level2"><div class="li"><a href="#configuring_the_cas_service">Configuring the CAS Service</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_cas_applications">Configuring CAS Applications</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#exported_attributes">Exported Attributes</a></div></li>
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#macros">Macros</a></div></li>
</ul></li>
</ul></li>
</ul>
@ -159,6 +160,19 @@ You can then access the configuration of this application.
</div>
<h4 id="exported_attributes">Exported Attributes</h4>
<div class="level4">
<p>
You may add a list of attributes that will be transmitted in the validate response. Keys are the name of attribute in the <abbr title="Central Authentication Service">CAS</abbr> response, values are the name of session key.
</p>
<p>
The attributes defined here will completely replace any attributes you may have declared in the global <code><abbr title="Central Authentication Service">CAS</abbr> Service</code> configuration. In order to re-use the global configuration, simply set this section to an empty list.
</p>
</div>
<h4 id="options">Options</h4>
<div class="level4">
<ul>
@ -173,15 +187,11 @@ You can then access the configuration of this application.
</div>
</div>
<h4 id="exported_attributes">Exported Attributes</h4>
<h4 id="macros">Macros</h4>
<div class="level4">
<p>
You may add a list of attributes that will be transmitted in the validate response. Keys are the name of attribute in the <abbr title="Central Authentication Service">CAS</abbr> response, values are the name of session key.
</p>
<p>
The attributes defined here will completely replace any attributes you may have declared in the global <code><abbr title="Central Authentication Service">CAS</abbr> Service</code> configuration. In order to re-use the global configuration, simply set this section to an empty list.
You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
</p>
</div>
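Review bot: the new Macros paragraph (repeated verbatim on the OpenID Connect and SAML pages) says service macros are "not registered in the session of the user" but not whether they may reference session keys or global macros, nor whether a service macro with the same name as a global one takes precedence; a one-line note on scope and precedence would save operators a test. Also "will be only evaluated for this service" reads better as "will only be evaluated for this service".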

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:idpopenidconnect</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,idpopenidconnect"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpopenidconnect.html"/>
@ -60,6 +60,8 @@
<li class="level3"><div class="li"><a href="#exported_attributes">Exported attributes</a></div></li>
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#extra_claims">Extra claims</a></div></li>
<li class="level3"><div class="li"><a href="#macros">Macros</a></div></li>
<li class="level3"><div class="li"><a href="#display">Display</a></div></li>
</ul></li>
</ul></li>
</ul>
@ -102,7 +104,7 @@ As an OP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports a lot of OpenID Con
</li>
<li class="level1"><div class="li"> ID Token signature (HS256/HS384/HS512/RS256/RS384/RS512)</div>
</li>
<li class="level1"><div class="li"> UserInfo end point, as JSON or as JWT</div>
<li class="level1"><div class="li"> UserInfo endpoint, as JSON or as JWT</div>
</li>
<li class="level1"><div class="li"> Request and Request <abbr title="Uniform Resource Identifier">URI</abbr></div>
</li>
@ -112,17 +114,23 @@ As an OP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports a lot of OpenID Con
</li>
<li class="level1"><div class="li"> BackChannel Logout</div>
</li>
<li class="level1"><div class="li"> PKCE (Since <code>2.0.4</code>)</div>
<li class="level1"><div class="li"> PKCE (Since <code>2.0.4</code>) - See <a href="https://tools.ietf.org/html/rfc7636" class="urlextern" title="https://tools.ietf.org/html/rfc7636" rel="nofollow">RFC 7636</a></div>
</li>
<li class="level1"><div class="li"> Introspection endpoint (Since <code>2.0.6</code>) - See <a href="https://tools.ietf.org/html/rfc7662" class="urlextern" title="https://tools.ietf.org/html/rfc7662" rel="nofollow">RFC 7662</a></div>
</li>
<li class="level1"><div class="li"> Offline access (Since <code>2.0.7</code>)</div>
</li>
<li class="level1"><div class="li"> Refresh Tokens (Since <code>2.0.7</code>)</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [40-996] -->
<!-- EDIT2 SECTION "Presentation" [40-1223] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [997-1023] -->
<!-- EDIT3 SECTION "Configuration" [1224-1250] -->
<h3 class="sectionedit4" id="openid_connect_service">OpenID Connect Service</h3>
<div class="level3">
@ -131,7 +139,7 @@ See <a href="openidconnectservice.html" class="wikilink1" title="documentation:2
</p>
</div>
<!-- EDIT4 SECTION "OpenID Connect Service" [1024-1133] -->
<!-- EDIT4 SECTION "OpenID Connect Service" [1251-1360] -->
<h3 class="sectionedit5" id="issuerdb">IssuerDB</h3>
<div class="level3">
@ -151,7 +159,7 @@ Go in <code>General Parameters</code> » <code>Issuer modules</code> » <code>Op
</div>
</div>
<!-- EDIT5 SECTION "IssuerDB" [1134-1564] -->
<!-- EDIT5 SECTION "IssuerDB" [1361-1791] -->
<h3 class="sectionedit6" id="configuration_of_llng_in_relying_party">Configuration of LL::NG in Relying Party</h3>
<div class="level3">
@ -233,7 +241,7 @@ An example of its content:
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT6 SECTION "Configuration of LL::NG in Relying Party" [1565-3543] -->
<!-- EDIT6 SECTION "Configuration of LL::NG in Relying Party" [1792-3770] -->
<h3 class="sectionedit7" id="configuration_of_relying_party_in_llng">Configuration of Relying Party in LL::NG</h3>
<div class="level3">
@ -384,21 +392,23 @@ You can also define extra claims and link them to attributes (see below). Then y
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Display</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Display name</strong>: Name of the RP application</div>
</li>
<li class="level2"><div class="li"> <strong>Logo</strong>: Logo of the RP application</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>User attribute</strong>: session field that will be used as main identifier (<code>sub</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>ID Token signature algorithm</strong>: Select one of <code>none</code>, <code>HS256</code>, <code>HS384</code>, <code>HS512</code>, <code>RS256</code>, <code>RS384</code>, <code>RS512</code></div>
</li>
<li class="level1"><div class="li"> <strong>ID Token expiration</strong>: Expiration time of ID Tokens</div>
<li class="level1"><div class="li"> <strong>ID Token expiration</strong>: Expiration time of ID Tokens. The default value is one hour.</div>
</li>
<li class="level1"><div class="li"> <strong>Access token expiration</strong>: Expiration time of Access Tokens</div>
<li class="level1"><div class="li"> <strong>Force claims to be returned in ID Token</strong>: This options will make user attributes from the requested scope appear as ID Token claims.</div>
</li>
<li class="level1"><div class="li"> <strong>Access token expiration</strong>: Expiration time of Access Tokens. The default value is one hour.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorization Code expiration</strong>: Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute.</div>
</li>
<li class="level1"><div class="li"> <strong>Use refresh tokens</strong>: If this option is set, LemonLDAP::NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid.</div>
</li>
<li class="level1"><div class="li"> <strong>Allow offline access</strong>: After enabling this feature, an application may request the <strong>offline_access</strong> scope, and will obtain a Refresh Token that persists even after the user has logged off. See <a href="https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess" class="urlextern" title="https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess" rel="nofollow">https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess</a> for details. These offline sessions can be administered through the Session Browser.</div>
</li>
<li class="level1"><div class="li"> <strong>Offline session expiration</strong>: This sets the lifetime of the refresh token obtained with the <strong>offline_access</strong> scope. The default value is one month. This parameter only applies if offline sessions are enabled.</div>
</li>
<li class="level1"><div class="li"> <strong>Redirection addresses</strong>: Space separated list of redirect addresses allowed for this RP</div>
</li>
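Review bot: "This options will make user attributes ..." in the Force claims item should be "This option will make ...". More importantly, the "Allow offline access" item says the Refresh Token "persists even after the user has logged off" and that offline sessions "can be administered through the Session Browser", but neither it nor "Offline session expiration" states whether deleting the offline session from the Session Browser revokes the token; since that is the only revocation path an administrator is given here, say so explicitly. It is also worth a sentence that "Use refresh tokens" (bound to the user session lifetime) and offline tokens (default one month) can both be enabled, so the RP's effective lifetime depends on whether it requested the offline_access scope.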
@ -416,6 +426,26 @@ Associate attributes to extra claims if the RP request them, for example <code>b
</p>
</div>
<!-- EDIT7 SECTION "Configuration of Relying Party in LL::NG" [3544-] --></div>
<h4 id="macros">Macros</h4>
<div class="level4">
<p>
You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
</p>
</div>
<h4 id="display">Display</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Display name</strong>: Name of the RP application</div>
</li>
<li class="level1"><div class="li"> <strong>Logo</strong>: Logo of the RP application</div>
</li>
</ul>
</div>
<!-- EDIT7 SECTION "Configuration of Relying Party in LL::NG" [3771-] --></div>
</body>
</html>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:idpsaml</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,idpsaml"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpsaml.html"/>
@ -60,6 +60,7 @@
<li class="level3"><div class="li"><a href="#metadata">Metadata</a></div></li>
<li class="level3"><div class="li"><a href="#exported_attributes">Exported attributes</a></div></li>
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#macros">Macros</a></div></li>
</ul>
</li>
</ul>
@ -284,7 +285,16 @@ For example: <a href="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&a
</div>
</div>
<!-- EDIT7 SECTION "Register partner Service Provider on LemonLDAP::NG" [1287-5022] -->
<h4 id="macros">Macros</h4>
<div class="level4">
<p>
You can define here macros that will be only evaluated for this service, and not registered in the session of the user.
</p>
</div>
<!-- EDIT7 SECTION "Register partner Service Provider on LemonLDAP::NG" [1287-5158] -->
<h2 class="sectionedit8" id="known_issues">Known issues</h2>
<div class="level2">
@ -293,6 +303,6 @@ Using both Issuer::<abbr title="Security Assertion Markup Language">SAML</abbr>
</p>
</div>
<!-- EDIT8 SECTION "Known issues" [5023-] --></div>
<!-- EDIT8 SECTION "Known issues" [5159-] --></div>
</body>
</html>

View File

@ -63,8 +63,12 @@ Just enable it in the Manager (section “plugins”) by setting a rule. Imperso
<ul>
<li class="level1"><div class="li"> <strong>Parameters</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Use rule</strong>: Select which users may use this plugin</div>
<li class="level2"><div class="li"> <strong>Use rule</strong>: </div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Select which users may use this plugin</div>
<ul>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.</div>
</li>
<li class="level2"><div class="li"> <strong>Hidden attributes</strong>: Attributes not displayed</div>
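Review bot: the "Use rule" parameter loses its description in this hunk and "Select which users may use this plugin" is emitted as a separate level1 bullet between the two sub-lists, so the rendered page shows an empty "Use rule:" entry followed by an orphaned sentence; keep the description on the "Use rule" line as in the removed version (`<strong>Use rule</strong>: Select which users may use this plugin`).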

View File

@ -179,17 +179,17 @@ Packages are available on the <a href="download.html" class="wikilink1" title="d
<h2 class="sectionedit7" id="install_packages">Install packages</h2>
<div class="level2">
<div class="noteimportant">By default packages will require Nginx. If you want to use Apache2, install it first with mod_perl:
<pre class="code">apt install apache2 libapache2-mod-perl</pre>
<pre class="code">apt install apache2 libapache2-mod-perl2 libapache2-mod-fcgid</pre>
</div>
</div>
<!-- EDIT7 SECTION "Install packages" [2657-2865] -->
<!-- EDIT7 SECTION "Install packages" [2657-2887] -->
<h3 class="sectionedit8" id="with_apt">With apt</h3>
<div class="level3">
<pre class="code">apt install lemonldap-ng</pre>
</div>
<!-- EDIT8 SECTION "With apt" [2866-2926] -->
<!-- EDIT8 SECTION "With apt" [2888-2948] -->
<h3 class="sectionedit9" id="with_dpkg">With dpkg</h3>
<div class="level3">
@ -203,12 +203,12 @@ Then:
<pre class="code">dpkg -i liblemonldap-ng-* lemonldap-ng*</pre>
</div>
<!-- EDIT9 SECTION "With dpkg" [2927-3075] -->
<!-- EDIT9 SECTION "With dpkg" [2949-3097] -->
<h2 class="sectionedit10" id="first_configuration_steps">First configuration steps</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "First configuration steps" [3076-3114] -->
<!-- EDIT10 SECTION "First configuration steps" [3098-3136] -->
<h3 class="sectionedit11" id="change_default_dns_domain">Change default DNS domain</h3>
<div class="level3">
@ -218,7 +218,7 @@ By default, <abbr title="Domain Name System">DNS</abbr> domain is <code>example.
<pre class="code shell">sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json</pre>
</div>
<!-- EDIT11 SECTION "Change default DNS domain" [3115-3398] -->
<!-- EDIT11 SECTION "Change default DNS domain" [3137-3420] -->
<h3 class="sectionedit12" id="upgrade">Upgrade</h3>
<div class="level3">
@ -227,7 +227,7 @@ If you upgraded <abbr title="LemonLDAP::NG">LL::NG</abbr>, check all <a href="up
</p>
</div>
<!-- EDIT12 SECTION "Upgrade" [3399-3479] -->
<!-- EDIT12 SECTION "Upgrade" [3421-3501] -->
<h3 class="sectionedit13" id="dns">DNS</h3>
<div class="level3">
@ -248,7 +248,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</p>
</div>
<!-- EDIT13 SECTION "DNS" [3480-3784] -->
<!-- EDIT13 SECTION "DNS" [3502-3806] -->
<h2 class="sectionedit14" id="file_location">File location</h2>
<div class="level2">
<ul>
@ -269,7 +269,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</ul>
</div>
<!-- EDIT14 SECTION "File location" [3785-4352] -->
<!-- EDIT14 SECTION "File location" [3807-4374] -->
<h2 class="sectionedit15" id="build_your_packages">Build your packages</h2>
<div class="level2">
@ -281,6 +281,6 @@ cd lemonldap-ng-*
make debian-packages</pre>
</div>
<!-- EDIT15 SECTION "Build your packages" [4353-] --></div>
<!-- EDIT15 SECTION "Build your packages" [4375-] --></div>
</body>
</html>
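Review bot: the package name change to `libapache2-mod-perl2` is correct (that is the Debian package name), but the note still says "install it first with mod_perl" while the command now also installs `libapache2-mod-fcgid`; the sentence should say which of the two the packages actually require (mod_perl, FastCGI via mod_fcgid, or both) so an administrator knows what they are enabling.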

View File

@ -49,6 +49,8 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#user_log_samples">User log samples</a></div></li>
<li class="level1"><div class="li"><a href="#default_loggers">Default loggers</a></div></li>
<li class="level1"><div class="li"><a href="#log_levels">Log levels</a></div>
<ul class="toc">
@ -73,17 +75,22 @@
<h1 class="sectionedit1" id="logs">Logs</h1>
<div class="level1">
<p>
<strong>REMOTE_USER</strong> : session attribute used for logging user access.
</p>
</div>
<!-- EDIT1 SECTION "Logs" [1-20] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<strong>REMOTE_CUSTOM</strong> : can be used for logging a second user attribute (optionnal)
</p>
<p>
<strong>Hidden attributes</strong> : session attributes never displayed or sent
Main settings:
</p>
<ul>
<li class="level1"><div class="li"> <strong>REMOTE_USER</strong> : session attribute used for logging user access.</div>
</li>
<li class="level1"><div class="li"> <strong>REMOTE_CUSTOM</strong> : can be used for logging a second user attribute (optional)</div>
</li>
<li class="level1"><div class="li"> <strong>Hidden attributes</strong> : session attributes never displayed or sent</div>
</li>
</ul>
<p>
LemonLDAP::NG provides 5 levels of error and has two kind of logs:
@ -132,8 +139,36 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</p>
</div>
<!-- EDIT1 SECTION "Logs" [1-1787] -->
<h2 class="sectionedit2" id="default_loggers">Default loggers</h2>
<!-- EDIT2 SECTION "Presentation" [21-1837] -->
<h2 class="sectionedit3" id="user_log_samples">User log samples</h2>
<div class="level2">
<p>
Authentication:
</p>
<pre class="file">[notice] Session granted for clement.oudot by LDAP (81.20.13.21)
[notice] User clement.oudot.com successfully authenticated at level 2
[notice] clement.oudot connected</pre>
<p>
Logout:
</p>
<pre class="file">[notice] User clement.oudot has been disconnected from LDAP (81.20.13.21)</pre>
<p>
Access to an <abbr title="Security Assertion Markup Language">SAML</abbr> SP:
</p>
<pre class="file">[notice] User clement.oudot is authorized to access to sp-example-entityid
[notice] SAML authentication response sent to SAML SP sp-example for clement.oudot</pre>
<p>
Access to an OIDC RP:
</p>
<pre class="file">[notice] User clement.oudot is authorized to access to rp-example</pre>
</div>
<!-- EDIT3 SECTION "User log samples" [1838-2465] -->
<h2 class="sectionedit4" id="default_loggers">Default loggers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Apache handlers use by default Apache2 logger. This logger can&#039;t be used for other LLNG components</div>
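Review bot: the authentication sample uses two different identifiers for the same login ("clement.oudot" on the first and third lines, "clement.oudot.com" on the second), which will mislead anyone writing a log parser or SIEM rule against these samples; use one value. The samples also carry what looks like a real public address (81.20.13.21); documentation examples should use a reserved range such as 192.0.2.0/24 (RFC 5737) so nobody copies a real host into test fixtures or alert rules.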
@ -145,13 +180,13 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</ul>
</div>
<!-- EDIT2 SECTION "Default loggers" [1788-2107] -->
<h2 class="sectionedit3" id="log_levels">Log levels</h2>
<!-- EDIT4 SECTION "Default loggers" [2466-2785] -->
<h2 class="sectionedit5" id="log_levels">Log levels</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Log levels" [2108-2131] -->
<h3 class="sectionedit4" id="technical_log_levels">Technical log levels</h3>
<!-- EDIT5 SECTION "Log levels" [2786-2809] -->
<h3 class="sectionedit6" id="technical_log_levels">Technical log levels</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>error</strong> is used for problems that must be reported to administrator and needs an action. In this case, some feature may not work</div>
@ -167,8 +202,8 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</ul>
</div>
<!-- EDIT4 SECTION "Technical log levels" [2132-2541] -->
<h3 class="sectionedit5" id="log_levels_for_user_actions">Log levels for user actions</h3>
<!-- EDIT6 SECTION "Technical log levels" [2810-3219] -->
<h3 class="sectionedit7" id="log_levels_for_user_actions">Log levels for user actions</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>error</strong> is used to log bad user actions that looks malicious</div>
@ -184,13 +219,13 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</ul>
</div>
<!-- EDIT5 SECTION "Log levels for user actions" [2542-2935] -->
<h2 class="sectionedit6" id="logger_configuration">Logger configuration</h2>
<!-- EDIT7 SECTION "Log levels for user actions" [3220-3613] -->
<h2 class="sectionedit8" id="logger_configuration">Logger configuration</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "Logger configuration" [2936-2969] -->
<h3 class="sectionedit7" id="std_logger">Std logger</h3>
<!-- EDIT8 SECTION "Logger configuration" [3614-3647] -->
<h3 class="sectionedit9" id="std_logger">Std logger</h3>
<div class="level3">
<p>
@ -198,8 +233,8 @@ Nothing to configure except logLevel.
</p>
</div>
<!-- EDIT7 SECTION "Std logger" [2970-3030] -->
<h3 class="sectionedit8" id="apache2_logger">Apache2 logger</h3>
<!-- EDIT9 SECTION "Std logger" [3648-3708] -->
<h3 class="sectionedit10" id="apache2_logger">Apache2 logger</h3>
<div class="level3">
<p>
@ -211,8 +246,8 @@ See <a href="http://httpd.apache.org/docs/current/mod/core.html#loglevel" class=
</p>
</div>
<!-- EDIT8 SECTION "Apache2 logger" [3031-3266] -->
<h3 class="sectionedit9" id="syslog">Syslog</h3>
<!-- EDIT10 SECTION "Apache2 logger" [3709-3944] -->
<h3 class="sectionedit11" id="syslog">Syslog</h3>
<div class="level3">
<p>
@ -222,8 +257,8 @@ You can choose facility in lemonldap-ng.ini file. Default values:
<span class="re1">userSyslogFacility</span> <span class="sy0">=</span><span class="re2"> auth</span></pre>
</div>
<!-- EDIT9 SECTION "Syslog" [3267-3425] -->
<h3 class="sectionedit10" id="log4perl">Log4perl</h3>
<!-- EDIT11 SECTION "Syslog" [3945-4103] -->
<h3 class="sectionedit12" id="log4perl">Log4perl</h3>
<div class="level3">
<p>
@ -234,8 +269,8 @@ You can indicate the Log4perl configuration file and the classes to use. Default
<span class="re1">log4perlUserLogger</span> <span class="sy0">=</span><span class="re2"> LLNG.user</span></pre>
</div>
<!-- EDIT10 SECTION "Log4perl" [3426-3652] -->
<h3 class="sectionedit11" id="sentry">Sentry</h3>
<!-- EDIT12 SECTION "Log4perl" [4104-4330] -->
<h3 class="sectionedit13" id="sentry">Sentry</h3>
<div class="level3">
<p>
@ -245,8 +280,8 @@ You just have to give your DSN:
<div class="noteimportant">This experimental logger requires <a href="https://metacpan.org/pod/Sentry::Raven" class="urlextern" title="https://metacpan.org/pod/Sentry::Raven" rel="nofollow">Sentry::Raven</a> Perl module.
</div>
</div>
<!-- EDIT11 SECTION "Sentry" [3653-3874] -->
<h3 class="sectionedit12" id="dispatch">Dispatch</h3>
<!-- EDIT13 SECTION "Sentry" [4331-4552] -->
<h3 class="sectionedit14" id="dispatch">Dispatch</h3>
<div class="level3">
<p>
@ -263,6 +298,6 @@ Use it to use more than one logger. Example:
<div class="noteimportant">At least <code>logDispatchError</code> <em>(or <code>userLogDispatchError</code> for user logs)</em> must be defined. All sub level will be dispatched on it, until another lever is declared. In the above example, Sentry collects <code>error</code> and <code>warn</code> levels and all user actions, while syslog stores technical <code>notice</code>, <code>info</code> and <code>debug</code> logs.
</div>
</div>
<!-- EDIT12 SECTION "Dispatch" [3875-] --></div>
<!-- EDIT14 SECTION "Dispatch" [4553-] --></div>
</body>
</html>

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1569271210" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1576942869" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
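Review bot: this hunk only churns a per-session DokuWiki security token (`sectok=...`) and an indexer timestamp in the login link of a page whose own body says the topic "doesn't exist yet"; committing rendered output for a missing page records session tokens in the repository history and will produce a spurious diff on every export. Suggest dropping mitm.html from the export, or excluding non-existent topics from it.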

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:mongodbconfbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,mongodbconfbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="mongodbconfbackend.html"/>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:mongodbsessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,mongodbsessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="mongodbsessionbackend.html"/>

View File

@ -64,22 +64,30 @@ Install and launch a <a href="http://code.google.com/p/redis/" class="urlextern"
<p>
In the manager: set <a href="https://metacpan.org/pod/Apache::Session::Browseable::Redis" class="urlextern" title="https://metacpan.org/pod/Apache::Session::Browseable::Redis" rel="nofollow">Apache::Session::Browseable::Redis</a> in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> and add the following parameters (case sensitive):
</p>
<p>
Parameters:
</p>
<div class="table sectionedit3"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign" colspan="3"> Required parameters </th>
</tr>
<tr class="row1 rowodd">
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
</tr>
</thead>
<tr class="row2 roweven">
<tr class="row1 rowodd">
<td class="col0 centeralign"> <strong>server</strong> </td><td class="col1"> Redis server </td><td class="col2"> 127.0.0.1:6379 </td>
</tr>
<tr class="row2 roweven">
<td class="col0 centeralign"> <strong>sentinels</strong> </td><td class="col1"> Redis sentinels list </td><td class="col2"> 127.0.0.1:26379,127.0.0.2:26379,127.0.0.3:26379 </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [643-754] -->
<!-- EDIT3 TABLE [656-832] -->
<p>
You can specify either a single Redis server or a list of Sentinel hosts using the *sentinels* module parameter
</p>
</div>
<!-- EDIT2 SECTION "Setup" [177-755] -->
<!-- EDIT2 SECTION "Setup" [177-945] -->
<h2 class="sectionedit4" id="security">Security</h2>
<div class="level2">
@ -88,6 +96,6 @@ Restrict network access to the redis server. For remote servers, you can use <a
</p>
</div>
<!-- EDIT4 SECTION "Security" [756-] --></div>
<!-- EDIT4 SECTION "Security" [946-] --></div>
</body>
</html>
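Review bot: the table header reads "Required parameters" while the sentence added below says you specify "either a single Redis server or a list of Sentinel hosts", so `server` and `sentinels` are alternatives, not both required; retitle the header (for example "Connection parameters, one of") or split them. Also `*sentinels*` in that sentence is Markdown-style emphasis that the DokuWiki HTML export renders literally; use `<code>sentinels</code>` like the rest of the page.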

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:notifications</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,notifications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="notifications.html"/>
@ -72,8 +72,8 @@
<li class="level2"><div class="li"><a href="#create_new_notifications_with_notifications_explorer">Create new notifications with notifications explorer</a></div></li>
<li class="level2"><div class="li"><a href="#notification_server">Notification server</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#xml_notifications_trough_soap">XML notifications trough SOAP</a></div></li>
<li class="level3"><div class="li"><a href="#json_notifications_trough_rest">JSON notifications trough REST</a></div></li>
<li class="level3"><div class="li"><a href="#xml_notifications_through_soap">XML notifications through SOAP</a></div></li>
<li class="level3"><div class="li"><a href="#json_notifications_through_rest">JSON notifications through REST</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#test_notification">Test notification</a></div></li>
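Review bot: fixing "trough" also renames the anchors `#xml_notifications_trough_soap` and `#json_notifications_trough_rest`, so any existing external link or bookmark to the old ids will silently land at the top of the page; if these sections are linked from elsewhere, keep the old ids as additional anchors.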
@ -87,20 +87,20 @@
<div class="level1">
<p>
Since version 0.9.4, LemonLDAP::NG can be used to notify some messages to users: if a user has got messages, they will be displayed when he access to the portal. If a message contains some check boxes, the user has to check all of them else he can not access to the portal and retrieves his session cookie.
LemonLDAP::NG can be used to notify some messages to users. If a user has got some messages, they will be displayed when he access to the portal. If a message contains some check boxes, the user has to check all of them else he can not access to the portal and retrieves his session cookie.
</p>
<p>
Since 1.1.0, a notification explorer is available in Manager, and notifications can be set for all users, with possibility to use display conditions. When the user accept the notification, notification reference is stored in his persistent session.
A notification explorer is available in Manager, and notifications can be set for all users, with possibility to use display conditions. When the user accept the notification, notification reference is stored in his persistent session.
</p>
</div>
<!-- EDIT1 SECTION "Notifications system" [1-594] -->
<!-- EDIT1 SECTION "Notifications system" [1-565] -->
<h2 class="sectionedit2" id="installation">Installation</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Installation" [595-620] -->
<!-- EDIT2 SECTION "Installation" [566-591] -->
<h3 class="sectionedit3" id="activation">Activation</h3>
<div class="level3">
@ -111,7 +111,7 @@ You just have to activate Notifications in the Manager (General Parameters &gt;
<span class="re1">notification</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
</div>
<!-- EDIT3 SECTION "Activation" [621-860] -->
<!-- EDIT3 SECTION "Activation" [592-831] -->
<h3 class="sectionedit4" id="storage">Storage</h3>
<div class="level3">
@ -121,9 +121,9 @@ By default, notifications will be stored in the same database as configuration:
<ul>
<li class="level1"><div class="li"> if you use &quot;File&quot; system and your &quot;dirName&quot; is set to /usr/local/lemonldap-ng/conf/, the notifications will be stored in /usr/local/lemonldap-ng/notifications/</div>
</li>
<li class="level1"><div class="li"> if you use &quot;CDBI&quot; or &quot;RDBI&quot; system, the notifications will be stored in the same database as configuration and in a table called &quot;notifications&quot;.</div>
<li class="level1"><div class="li"> if you use &quot;CDBI&quot; or &quot;RDBI&quot; system, the notifications will be stored in the same database as configuration and in a table named &quot;notifications&quot;.</div>
</li>
<li class="level1"><div class="li"> if you use &quot;LDAP&quot; system, the notifications will be stored in the same directory as configuration and in a branch called &quot;notifications&quot;.</div>
<li class="level1"><div class="li"> if you use &quot;LDAP&quot; system, the notifications will be stored in the same directory as configuration and in a branch named &quot;notifications&quot;.</div>
</li>
</ul>
@ -214,7 +214,7 @@ To summary available options:
</ul>
</div>
<!-- EDIT4 SECTION "Storage" [861-3358] -->
<!-- EDIT4 SECTION "Storage" [832-3326] -->
<h3 class="sectionedit5" id="wildcard">Wildcard</h3>
<div class="level3">
@ -231,13 +231,13 @@ Then creating a notification for <code>alluserscustom</code> will display the no
</p>
</div>
<!-- EDIT5 SECTION "Wildcard" [3359-3829] -->
<!-- EDIT5 SECTION "Wildcard" [3327-3797] -->
<h2 class="sectionedit6" id="using_notification_system">Using notification system</h2>
<div class="level2">
<div class="noteimportant">Since version 2.0, notifications are now stored in JSON format. If you want to keep old format, select &quot;use old format&quot; in the Manager. Note that notification server depends on chosen format: REST for JSON and SOAP for XML.
</div>
</div>
<!-- EDIT6 SECTION "Using notification system" [3830-4116] -->
<!-- EDIT6 SECTION "Using notification system" [3798-4084] -->
<h3 class="sectionedit7" id="notification_format">Notification format</h3>
<div class="level3">
@ -249,7 +249,7 @@ Notifications are JSON (default) or XML files containing:
<ul>
<li class="level2"><div class="li"> Required attributes:</div>
<ul>
<li class="level3"><div class="li"> date: creation date (format YYYY-MM-DD)</div>
<li class="level3"><div class="li"> date: creation date (format YYYY-MM-DD WITHOUT time!)</div>
</li>
<li class="level3"><div class="li"> ref: a reference that can be used later to know what has been notified and when</div>
</li>
@ -280,6 +280,10 @@ Notifications are JSON (default) or XML files containing:
</ul>
<div class="noteimportant">All other elements will be removed including <abbr title="HyperText Markup Language">HTML</abbr> elements like &lt;b&gt;.
</div><div class="notetip">One notification XML document can contain several notifications messages.
<p>
Several notifications can be inserted with a single request by using an array of JSON (Tested with an array of 10,000 elements)
</p>
</div>
</div>
@ -290,19 +294,30 @@ Notifications are JSON (default) or XML files containing:
<h5 id="json">JSON</h5>
<div class="level5">
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;uid&quot;</span><span class="sy0">:</span> <span class="st0">&quot;foo.bar&quot;</span><span class="sy0">,</span>
<pre class="code file javascript"><span class="br0">&#91;</span><span class="br0">&#123;</span>
<span class="st0">&quot;uid&quot;</span><span class="sy0">:</span> <span class="st0">&quot;foo&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;date&quot;</span><span class="sy0">:</span> <span class="st0">&quot;2009-01-27&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;reference&quot;</span><span class="sy0">:</span> <span class="st0">&quot;ABC&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;title&quot;</span><span class="sy0">:</span> <span class="st0">&quot;You have new authorizations&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;subtitle&quot;</span><span class="sy0">:</span> <span class="st0">&quot;Application 1&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;text&quot;</span><span class="sy0">:</span> <span class="st0">&quot;You have been granted to access to appli-1&quot;</span><span class="sy0">,</span>
# An array is required to <span class="kw1">set</span> multi checkboxes
<span class="st0">&quot;check&quot;</span><span class="sy0">:</span> <span class="br0">&#91;</span>
<span class="st0">&quot;I agree&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;Yes, I'm sure&quot;</span>
<span class="br0">&#93;</span>
<span class="br0">&#125;</span></pre>
<span class="br0">&#125;</span><span class="sy0">,</span>
<span class="br0">&#123;</span>
<span class="st0">&quot;uid&quot;</span><span class="sy0">:</span> <span class="st0">&quot;bar&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;date&quot;</span><span class="sy0">:</span> <span class="st0">&quot;2009-01-27&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;reference&quot;</span><span class="sy0">:</span> <span class="st0">&quot;ABC&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;title&quot;</span><span class="sy0">:</span> <span class="st0">&quot;You have new authorizations&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;subtitle&quot;</span><span class="sy0">:</span> <span class="st0">&quot;Application 1&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;text&quot;</span><span class="sy0">:</span> <span class="st0">&quot;You have been granted to access to appli-1&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;check&quot;</span><span class="sy0">:</span> <span class="st0">&quot;I agree&quot;</span>
<span class="br0">&#125;</span><span class="br0">&#93;</span> # No comma at the end</pre>
<div class="notetip">JSON format notifications are displayed sorted by date and reference
</div>
</div>
<h5 id="xml">XML</h5>
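Review bot: the `#` comment lines inside the JSON sample (`# An array is required to set multi checkboxes` and `# No comma at the end`) are not valid JSON, so a reader who pastes the sample into a POST to the REST server will get a parse error; move both remarks into the surrounding prose (the tip above already says an array can be posted). The second element reuses `"reference": "ABC"` under uid `bar`, which only works because the uid differs; it is worth saying that the (uid, reference) pair identifies a notification, since the GET examples later in the page address notifications as `<uid>/<reference>`.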
@ -325,10 +340,9 @@ Notifications are JSON (default) or XML files containing:
<span class="sc3"><span class="re1">&lt;check<span class="re2">&gt;</span></span></span>Of course I am not evil!<span class="sc3"><span class="re1">&lt;/check<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/notification<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/root<span class="re2">&gt;</span></span></span></pre>
<div class="notetip">JSON format notifications are displayed sorted by date and reference
</div>
</div>
<!-- EDIT7 SECTION "Notification format" [4117-6608] -->
<!-- EDIT7 SECTION "Notification format" [4085-6991] -->
<h3 class="sectionedit8" id="create_new_notifications_with_notifications_explorer">Create new notifications with notifications explorer</h3>
<div class="level3">
@ -349,7 +363,7 @@ When all is ok, click on <code>Save</code>.
</p>
</div>
<!-- EDIT8 SECTION "Create new notifications with notifications explorer" [6609-6927] -->
<!-- EDIT8 SECTION "Create new notifications with notifications explorer" [6992-7310] -->
<h3 class="sectionedit9" id="notification_server">Notification server</h3>
<div class="level3">
@ -360,7 +374,25 @@ LemonLDAP::NG provides two notification servers : SOAP and REST depending on for
<p>
If enabled, the server <abbr title="Uniform Resource Locator">URL</abbr> is <a href="https://auth.your.domain/notifications" class="urlextern" title="https://auth.your.domain/notifications" rel="nofollow">https://auth.your.domain/notifications</a>.
</p>
<div class="noteimportant">If notification server is enabled, you have to protect this <abbr title="Uniform Resource Locator">URL</abbr> using the webserver because there is no authentication required to use it.
<p>
Notification server provides three <abbr title="Application Programming Interface">API</abbr> to insert (POST), delete (DELETE) or list (GET) notification(s).
</p>
<p>
Available options:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Server</strong>: Enable/Disable notification server</div>
</li>
<li class="level1"><div class="li"> <strong>Default condition</strong>: Condition appended to ALL notifications inserted by notification server (JSON format only)</div>
</li>
<li class="level1"><div class="li"> <strong>Notification parameters to send</strong>: Notifications parameters returned by <code>GET</code> method</div>
</li>
<li class="level1"><div class="li"> <strong>HTTP methods</strong>: Enable/Disable HTTP methods</div>
</li>
</ul>
<div class="noteimportant">If notification server is enabled, you have to protect this <abbr title="Uniform Resource Locator">URL</abbr> by using the web server because there is no authentication required to use it.
</div>
<p>
Example:
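Review bot: the `noteimportant` ("no authentication required") is now placed below the option list, after the hunk has just documented that POST and DELETE are available, i.e. anyone who can reach `/notifications` can create or remove notifications for any user; the warning should come first and say what "protect this URL by using the web server" means in practice (a deny-by-default access rule on the notifications location that only allows the hosts that manage notifications). Minor: "three API" should be "three APIs", and the "Default condition" bullet should say how the appended condition combines with a condition already present in the inserted notification.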
@ -379,7 +411,7 @@ Example:
</div>
<h4 id="xml_notifications_trough_soap">XML notifications trough SOAP</h4>
<h4 id="xml_notifications_through_soap">XML notifications through SOAP</h4>
<div class="level4">
<p>
@ -446,18 +478,9 @@ If you use old XML format, new notifications can be inserted or deleted by using
</div>
<h4 id="json_notifications_trough_rest">JSON notifications trough REST</h4>
<h4 id="json_notifications_through_rest">JSON notifications through REST</h4>
<div class="level4">
<p>
REST server provides three <abbr title="Application Programming Interface">API</abbr> to insert (POST), delete (DELETE) or list (GET) notification(s).
HTTP methods can enabled/disabled in Manager, <code>General Parameters</code> » <code>Plugins</code> » <code>Notifications</code> » <code>Server</code> » <code>HTTP methods</code>.
</p>
<p>
Notifications parameters returned by <code>GET</code> method can be specfied in Manager, <code>General Parameters</code> » <code>Plugins</code> » <code>Notifications</code> » <code>Server</code> » <code>Notifications parameters to send</code>. By default: &#039;uid reference date title subtitle text check&#039;
</p>
</div>
<h5 id="insertion_example_with_rest_api">* Insertion example with REST API</h5>
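Review bot: removing the second paragraph drops the documented default for "Notifications parameters to send" (`uid reference date title subtitle text check`) together with the Manager path `General Parameters » Plugins » Notifications » Server`; the new option list in the Notification server section above restores neither, so the default value is lost from the page. Re-add it to the "Notification parameters to send" bullet and give the Manager path once there.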
@ -498,14 +521,23 @@ GET <abbr title="Application Programming Interface">API</abbr> is available with
<p>
For example with curl:
</p>
<pre class="code">curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications
<pre class="code"># Retrieve &#039;wildcard&#039; notifications
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications
# Retrieve all pending notifications
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/_allPending_
# Retrieve all existing notifications
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/_allExisting_
# Retrieve all &lt;uid&gt;&#039;s notifications
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/&lt;uid&gt;
# Retrieve &lt;uid&gt;/&lt;reference&gt; notification parameters
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/&lt;uid&gt;/&lt;reference&gt;</pre>
</div>
<!-- EDIT9 SECTION "Notification server" [6928-10646] -->
<!-- EDIT9 SECTION "Notification server" [7311-11444] -->
<h3 class="sectionedit10" id="test_notification">Test notification</h3>
<div class="level3">
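Review bot: the curl examples use `http://auth.example.com/notifications` while the server URL is documented as `https://auth.your.domain/notifications` earlier in the section; since the endpoint is unauthenticated and the GET responses return per-user notification content, the examples should use https. The `Content-Type: application/json` header is meaningless on a body-less GET and can be dropped (keep `Accept`).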
@ -522,6 +554,6 @@ Try also to create a global notification (to the uid &quot;allusers&quot;), and
</p>
</div>
<!-- EDIT10 SECTION "Test notification" [10647-] --></div>
<!-- EDIT10 SECTION "Test notification" [11445-] --></div>
</body>
</html>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:openidconnectservice</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,openidconnectservice"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="openidconnectservice.html"/>
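Review bot: the robots meta change from `index,follow` to `noindex,nofollow` is unrelated to the documented change and will stop search engines from indexing this page; if it was produced by the export tool rather than intended, revert it (the same flip appears in other regenerated pages of this merge).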
@ -56,6 +56,7 @@
<li class="level2"><div class="li"><a href="#authentication_context">Authentication context</a></div></li>
<li class="level2"><div class="li"><a href="#security">Security</a></div></li>
<li class="level2"><div class="li"><a href="#sessions">Sessions</a></div></li>
<li class="level2"><div class="li"><a href="#dynamic_registration">Dynamic Registration</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#key_rotation_script">Key rotation script</a></div></li>
@ -155,7 +156,22 @@ It is recommended to use a separate sessions storage for OpenID Connect sessions
</div>
<!-- EDIT7 SECTION "Sessions" [1389-1543] -->
<h2 class="sectionedit8" id="key_rotation_script">Key rotation script</h2>
<h3 class="sectionedit8" id="dynamic_registration">Dynamic Registration</h3>
<div class="level3">
<p>
If dynamic registration is enabled, you can configure the following options to define attributes and extra claims when a new relying party is registered trough the <code>/oauth2/register</code> endpoint:
</p>
<ul>
<li class="level1"><div class="li"> Exported vars for dynamic registration</div>
</li>
<li class="level1"><div class="li"> Extra claims for dynamic registration</div>
</li>
</ul>
</div>
<!-- EDIT8 SECTION "Dynamic Registration" [1544-1855] -->
<h2 class="sectionedit9" id="key_rotation_script">Key rotation script</h2>
<div class="level2">
<p>
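Review bot: typo in the new paragraph: "trough the `/oauth2/register` endpoint" should be "through". The two bullets are option names only; each should say what the value is and what it defaults to, and the paragraph should point to where dynamic registration is switched on, because these settings decide which attributes and claims a self-registered relying party will receive and the reader has no way to assess that from the names alone.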
@ -169,8 +185,8 @@ The script is <code>/usr/share/lemonldap-ng/bin/rotateOidcKeys</code>. It can be
<div class="notetip">Set the correct Apache user, else generated configuration will not be readable by <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT8 SECTION "Key rotation script" [1544-2017] -->
<h2 class="sectionedit9" id="session_management">Session management</h2>
<!-- EDIT9 SECTION "Key rotation script" [1856-2329] -->
<h2 class="sectionedit10" id="session_management">Session management</h2>
<div class="level2">
<p>
@ -183,6 +199,6 @@ A <code>changed</code> state will be sent if the user is disconnected from <abbr
<div class="notetip">To work, the <abbr title="LemonLDAP::NG">LL::NG</abbr> cookie must not be protected against javascript (<code>httpOnly</code> option should be set to <code>0</code>).
</div>
</div>
<!-- EDIT9 SECTION "Session management" [2018-] --></div>
<!-- EDIT10 SECTION "Session management" [2330-] --></div>
</body>
</html>

File diff suppressed because it is too large

View File

@ -119,7 +119,7 @@ LLNG uses different cache systems to avoid querying to many the databases:
</tr>
</thead>
<tr class="row2 roweven">
<th class="col0 centeralign"> Configuration </th><td class="col1 centeralign"> <code>checkTime</code> </td><td class="col2 centeralign"> 10 minutes </td><td class="col3 leftalign"> </td><td class="col4 centeralign"> Until &quot;reload&quot; order </td><td class="col5 centeralign"></td>
<th class="col0 centeralign"> Configuration </th><td class="col1 centeralign"> <code>checkTime</code> </td><td class="col2 centeralign"> 1 second </td><td class="col3 leftalign"> </td><td class="col4 centeralign"> Until &quot;reload&quot; order </td><td class="col5 centeralign"></td>
</tr>
<tr class="row3 rowodd">
<th class="col0 centeralign"> Session </th><td class="col1 centeralign"> <code>handlerInternalCache</code> </td><td class="col2 centeralign"> 15 seconds </td><td class="col3 centeralign"> <code>default_expires_in</code>(*) </td><td class="col4 centeralign"> 10 minutes </td><td class="col5 centeralign"></td>
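Review bot: the default for `checkTime` changes from 10 minutes to 1 second with no explanation; confirm that it matches the value shipped in lemonldap-ng.ini, and state the unit in the cell, because the note under the table still tells readers to "wait for checkTime" after a reload, which only makes sense if the interval is noticeable.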
@ -129,11 +129,11 @@ LLNG uses different cache systems to avoid querying to many the databases:
<p>
<em>(*): Manager &gt;&gt; General parameters &gt;&gt; Sessions &gt;&gt; Sessions storage &gt;&gt; Cache module options</em>
</p>
<div class="noteclassic">Configuration and sessions are first looked up in-memory, then in the cache file, and then in their backing store. This means that after a configuration reload <em>(using Manager)</em>, you have to wait for <code>checkTime</code> before you can see your changes.
<div class="noteclassic">Configuration and sessions are first looked up in-memory, then in the cache file, and then in their backing store. This means that after a configuration reload <em>(using Manager)</em>, you have to wait for <code>checkTime</code> before you can see your changes, or wait for configuration cache expiration in <code>checkTime</code> is disabled.
</div>
</div>
<!-- EDIT3 SECTION "Cache system" [304-1241] -->
<!-- EDIT3 SECTION "Cache system" [304-1314] -->
<h2 class="sectionedit5" id="global_performance">Global performance</h2>
<div class="level2">
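Review bot: typo in the appended clause: "or wait for configuration cache expiration in `checkTime` is disabled" should read "if `checkTime` is disabled". The sentence should also say which value disables `checkTime` and which setting governs the configuration cache expiration it refers to; as written the reader cannot act on it.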
@ -152,7 +152,7 @@ To bypass this, you can:
</ul>
</div>
<!-- EDIT5 SECTION "Global performance" [1242-1645] -->
<!-- EDIT5 SECTION "Global performance" [1315-1718] -->
<h3 class="sectionedit6" id="cron_optimization_or_systemd_timers">Cron optimization (or systemd timers)</h3>
<div class="level3">
@ -167,7 +167,7 @@ LLNG installs its cron files without knowing how many servers are installed. You
</ul>
</div>
<!-- EDIT6 SECTION "Cron optimization (or systemd timers)" [1646-1945] -->
<!-- EDIT6 SECTION "Cron optimization (or systemd timers)" [1719-2018] -->
<h2 class="sectionedit7" id="handler_performance">Handler performance</h2>
<div class="level2">
@ -184,7 +184,7 @@ Handlers check rights and calculate headers for each HTTP hit. So to improve per
</p>
</div>
<!-- EDIT7 SECTION "Handler performance" [1946-2376] -->
<!-- EDIT7 SECTION "Handler performance" [2019-2449] -->
<h3 class="sectionedit8" id="macros_and_groups">Macros and groups</h3>
<div class="level3">
@ -245,7 +245,7 @@ admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro &quot;macro1&quot; will be computed before macro &quot;macro2&quot;: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div>
</div>
<!-- EDIT8 SECTION "Macros and groups" [2377-4471] -->
<!-- EDIT8 SECTION "Macros and groups" [2450-4544] -->
<h3 class="sectionedit9" id="local_macros">Local macros</h3>
<div class="level3">
@ -259,12 +259,12 @@ Display<span class="sy0">-</span>Name <span class="sy0">-&gt;</span> <span class
<div class="notetip">Note that this feature is interesting only for the Lemonldap::NG systems protecting a high number of applications
</div>
</div>
<!-- EDIT9 SECTION "Local macros" [4472-5133] -->
<!-- EDIT9 SECTION "Local macros" [4545-5206] -->
<h2 class="sectionedit10" id="portal_performances">Portal performances</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "Portal performances" [5134-5166] -->
<!-- EDIT10 SECTION "Portal performances" [5207-5239] -->
<h3 class="sectionedit11" id="general_performances">General performances</h3>
<div class="level3">
@ -287,7 +287,7 @@ By default it uses local storage to store its tokens. If you have more than 1 po
</div>
</div>
<!-- EDIT11 SECTION "General performances" [5167-6044] -->
<!-- EDIT11 SECTION "General performances" [5240-6117] -->
<h3 class="sectionedit12" id="apachesession_performances">Apache::Session performances</h3>
<div class="level3">
@ -399,7 +399,7 @@ This test isn&#039;t an &quot;only-backend&quot; test but embedded some LLNG met
<td class="col0 centeralign" colspan="8"> <em>The source of this test is available in sources: e2e-tests/sbperf.pl</em> </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [8945-10848] --><ul>
<!-- EDIT13 TABLE [9018-10921] --><ul>
<li class="level1"><div class="li"> <em><strong>(1) :</strong> &quot;purge&quot; test is done with Apache::Session::Browseable-1.2.5 and LLG-2.0. Earlier results are not so good.</em></div>
</li>
<li class="level1"><div class="li"> <em><strong>(2) :</strong> &quot;purge&quot; test is done with Apache::Session::Browseable-1.2.6 and LLG-2.0.</em></div>
@ -423,7 +423,7 @@ Analysis:
</ul>
</div>
<!-- EDIT12 SECTION "Apache::Session performances" [6045-11626] -->
<!-- EDIT12 SECTION "Apache::Session performances" [6118-11699] -->
<h3 class="sectionedit14" id="ldap_performances">LDAP performances</h3>
<div class="level3">
@ -460,7 +460,7 @@ Now ldapgroups contains &quot;admin su&quot;
</div>
</div>
<!-- EDIT14 SECTION "LDAP performances" [11627-12761] -->
<!-- EDIT14 SECTION "LDAP performances" [11700-12834] -->
<h3 class="sectionedit15" id="nginx_performances">NGINX performances</h3>
<div class="level3">
@ -496,12 +496,12 @@ Restart NGINX and watch web-browser console.
</p>
</div>
<!-- EDIT15 SECTION "NGINX performances" [12762-13684] -->
<!-- EDIT15 SECTION "NGINX performances" [12835-13757] -->
<h2 class="sectionedit16" id="manager_performances">Manager performances</h2>
<div class="level2">
</div>
<!-- EDIT16 SECTION "Manager performances" [13685-13718] -->
<!-- EDIT16 SECTION "Manager performances" [13758-13791] -->
<h3 class="sectionedit17" id="disable_unused_modules">Disable unused modules</h3>
<div class="level3">
@ -512,7 +512,7 @@ In lemonldap-ng.ini, set only modules that you will use. By default, configurati
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions</span></pre>
</div>
<!-- EDIT17 SECTION "Disable unused modules" [13719-13980] -->
<!-- EDIT17 SECTION "Disable unused modules" [13792-14053] -->
<h3 class="sectionedit18" id="use_static_html_files">Use static HTML files</h3>
<div class="level3">
@ -539,6 +539,6 @@ So manager <abbr title="HyperText Markup Language">HTML</abbr> templates will be
</p>
</div>
<!-- EDIT18 SECTION "Use static HTML files" [13981-] --></div>
<!-- EDIT18 SECTION "Use static HTML files" [14054-] --></div>
</body>
</html>

View File

@ -185,6 +185,10 @@ Declare the plugin in lemonldap-ng.ini:
customPlugins <span class="sy0">=</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">MyPlugin</span>
<span class="sy0">;</span>customPlugins <span class="sy0">=</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">MyPlugin1</span><span class="sy0">,</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">MyPlugin2</span><span class="sy0">,</span> <span class="sy0">...</span></pre>
<p>
Since 2.0.7, it can also be configured in Manager, in General Parameters &gt; Plugins &gt; Custom Plugins.
</p>
</div>
<!-- EDIT5 SECTION "Configuration" [2746-] --></div>
</body>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:portalcustom</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,portalcustom"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="portalcustom.html"/>
@ -253,13 +253,13 @@ To use custom files, copy them into your skin folder:
<p>
Then you can add your media to <code>myskin/images</code>, you will be able to use them in <abbr title="HyperText Markup Language">HTML</abbr> template with this code:
</p>
<pre class="code">&lt;img src=&quot;&lt;TMPL_VAR NAME=&quot;STATIC_PREFIX&quot;&gt;myskin/images/logo.png&quot; class=&quot;img-responsive center-block&quot; /&gt;</pre>
<pre class="code">&lt;img src=&quot;&lt;TMPL_VAR NAME=&quot;STATIC_PREFIX&quot;&gt;myskin/images/logo.png&quot; class=&quot;mx-auto d-block&quot; /&gt;</pre>
<p>
To change <abbr title="Cascading Style Sheets">CSS</abbr>, two options:
</p>
<ul>
<li class="level1"><div class="li"> Edit myksin/css/skin.css and myskin/css/skin.min.css</div>
<li class="level1"><div class="li"> Edit myksin/css/styles.css and myskin/css/styles.min.css</div>
</li>
<li class="level1"><div class="li"> Create a new <abbr title="Cascading Style Sheets">CSS</abbr> file, for example myskin/css/myskin.css and load it in customhead.tpl:</div>
</li>
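Review bot: the "myksin" typo is carried over into the rewritten bullet (`Edit myksin/css/styles.css and myskin/css/styles.min.css`); both paths should be `myskin/`. The rename from `skin.css` to `styles.css` and the class change from `img-responsive center-block` to `mx-auto d-block` will break custom skins written against the old names, so a one-line migration remark next to the example would help.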
@ -276,7 +276,7 @@ To configure your new skin in Manager, select the custom skin, and enter your sk
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portalSkin &#039;myskin&#039; portalSkinBackground &#039;&#039;</pre>
</div>
<!-- EDIT9 SECTION "Skin customization" [2841-4818] -->
<!-- EDIT9 SECTION "Skin customization" [2841-4810] -->
<h3 class="sectionedit10" id="messages">Messages</h3>
<div class="level3">
@ -327,7 +327,7 @@ You can also create a file called <code>all.json</code> to override messages in
</p>
</div>
<!-- EDIT10 SECTION "Messages" [4819-5955] -->
<!-- EDIT10 SECTION "Messages" [4811-5947] -->
<h3 class="sectionedit11" id="menu_tabs">Menu tabs</h3>
<div class="level3">
@ -343,7 +343,7 @@ This will allow one to display the tab directly with this <abbr title="Uniform R
</p>
</div>
<!-- EDIT11 SECTION "Menu tabs" [5956-6262] -->
<!-- EDIT11 SECTION "Menu tabs" [5948-6254] -->
<h3 class="sectionedit12" id="template_parameters">Template parameters</h3>
<div class="level3">
@ -371,7 +371,7 @@ You can also display environment variables, with the prefix <code>env_</code>:
<pre class="code file html4strict">Your IP is <span class="sc2">&lt;TMPL_VAR <span class="kw3">NAME</span><span class="sy0">=</span><span class="st0">&quot;env_REMOTE_ADDR&quot;</span>&gt;</span></pre>
</div>
<!-- EDIT12 SECTION "Template parameters" [6263-6910] -->
<!-- EDIT12 SECTION "Template parameters" [6255-6902] -->
<h2 class="sectionedit13" id="buttons">Buttons</h2>
<div class="level2">
@ -388,12 +388,12 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT13 SECTION "Buttons" [6911-7427] -->
<!-- EDIT13 SECTION "Buttons" [6903-7419] -->
<h2 class="sectionedit14" id="password_management">Password management</h2>
<div class="level2">
</div>
<!-- EDIT14 SECTION "Password management" [7428-7460] -->
<!-- EDIT14 SECTION "Password management" [7420-7452] -->
<h3 class="sectionedit15" id="general">General</h3>
<div class="level3">
<ul>
@ -406,7 +406,7 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT15 SECTION "General" [7461-7896] -->
<!-- EDIT15 SECTION "General" [7453-7888] -->
<h3 class="sectionedit16" id="password_policy">Password Policy</h3>
<div class="level3">
<div class="notetip">Available since version 2.0.6
@ -424,7 +424,7 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT16 SECTION "Password Policy" [7897-8329] -->
<!-- EDIT16 SECTION "Password Policy" [7889-8321] -->
<h2 class="sectionedit17" id="other_parameters">Other parameters</h2>
<div class="level2">
<ul>
@ -443,6 +443,6 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT17 SECTION "Other parameters" [8330-] --></div>
<!-- EDIT17 SECTION "Other parameters" [8322-] --></div>
</body>
</html>

View File

@ -0,0 +1,80 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:refreshsessionapi</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,refreshsessionapi"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="refreshsessionapi.html"/>
<link rel="contents" href="refreshsessionapi.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:refreshsessionapi","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="refresh_session_plugin_api">Refresh session plugin (API)</h1>
<div class="level1">
<p>
This plugin adds an endpoint to refresh sessions by user. It adds a <code><a href="https://portal/refreshsession" class="urlextern" title="https://portal/refreshsession" rel="nofollow">https://portal/refreshsession</a></code> endpoint. Protect it by webserver configuration.
</p>
<p>
This plugin is available with LLNG ≥ 2.0.7.
</p>
</div>
<!-- EDIT1 SECTION "Refresh session plugin (API)" [1-243] -->
<h2 class="sectionedit2" id="usage">Usage</h2>
<div class="level2">
<p>
This endpoint accepts only POST requests with a JSON content:
</p>
<div class="table sectionedit3"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Request </th><th class="col1 centeralign"> Response </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <code>{&quot;uid&quot;:&quot;userid&quot;}</code> </td><td class="col1 centeralign"> <code>{&quot;updated&quot;:1,&quot;errors&quot;:0}</code> </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [326-412] -->
</div>
<!-- EDIT2 SECTION "Usage" [244-] --></div>
</body>
</html>
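Review bot: the `useexternallibs` branches load jQuery and jQuery UI over plain `http://code.jquery.com/...` (the `jquery-2.2.0.min.js` and `jquery-ui.min.js` lines); a script fetched over http can be altered in transit and is blocked as mixed content when the documentation is served over https, so use `https://`. The external bootstrap branch has a stray `</script>` after a `<link>` element. On the content: the usage table documents only the success shape `{"updated":1,"errors":0}`; say what the endpoint returns for an unknown uid and what is counted in `errors`, and since the endpoint is guarded only by web server configuration, "Protect it by webserver configuration" should state what that means (deny by default, allow only the host that calls it).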

View File

@ -116,16 +116,14 @@ Configure <a href="samlservice.html#discovery_protocol" class="wikilink1" title=
<div class="level3">
<p>
You now need to import IDP metadata in <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration. Use the <code>importMetadata</code> script that should be installed in /usr/share/lemonldap-ng/bin. You need to select the correct metadata bundle proposed by Renater: <a href="https://services.renater.fr/federation/technique/metadata" class="urlextern" title="https://services.renater.fr/federation/technique/metadata" rel="nofollow">https://services.renater.fr/federation/technique/metadata</a>, for example:
You now need to import IDP metadata in <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration. Use the <code>importMetadata</code> script that should be installed in /usr/share/lemonldap-ng/bin. You need to select the correct metadata bundle proposed by Renater: <a href="https://services.renater.fr/federation/technique/metadata" class="urlextern" title="https://services.renater.fr/federation/technique/metadata" rel="nofollow">https://services.renater.fr/federation/technique/metadata</a>.
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml -r -i &quot;idp-renater&quot; -s &quot;sp-renater&quot;</pre>
<div class="noteimportant">You need to add this in cron to refresh metadata into <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration.
</div>
<p>
If you need too customize some settings of the script, copy it and edit configuration:
For Renater, you need to customize some settings of the script, copy it and edit configuration:
</p>
<pre class="code">cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
vi /usr/share/lemonldap-ng/bin/importMetadataCustom</pre>
<pre class="code">cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataRenater
vi /usr/share/lemonldap-ng/bin/importMetadataRenater</pre>
<p>
Set attributes (use the <abbr title="Security Assertion Markup Language">SAML</abbr> Name, not FriendlyName) that are provided by IDPs, for example:
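Review bot: the new flow copies a site-customised script into /usr/share/lemonldap-ng/bin, the directory the package itself installs into; a local copy there is easy to lose on a package reinstall and is not where an administrator looks for site-specific tooling, so suggest a path outside the package tree (for example /usr/local/bin) or a sentence saying the copy has to be preserved across upgrades. The sentence "For Renater, you need to customize some settings of the script, copy it and edit configuration:" would read better as "For Renater you need to customize some settings of the script: copy it and edit its configuration:".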
@ -165,8 +163,14 @@ Adapt IDP options, for example:
<span class="st_h">'samlIDPMetaDataOptionsUserAttribute'</span> <span class="sy0">=&gt;</span> <span class="st_h">'urn:oid:1.3.6.1.4.1.5923.1.1.1.6'</span><span class="sy0">,</span>
<span class="br0">&#125;</span><span class="sy0">;</span></pre>
<p>
Then run the script:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/importMetadataRenater -m https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml -r -i &quot;idp-renater-&quot; -s &quot;sp-renater-&quot;</pre>
<div class="noteimportant">You need to add this in cron to refresh metadata into <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration.
</div>
<!-- EDIT5 SECTION "Metadata import" [779-3520] -->
</div>
<!-- EDIT5 SECTION "Metadata import" [779-3549] -->
<h3 class="sectionedit6" id="add_your_sp_into_the_federation">Add your SP into the federation</h3>
<div class="level3">
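Review bot: the cron note now follows the custom importMetadataRenater invocation, so the cron job must call the customised copy and not the packaged importMetadata; say so explicitly in the note, since a reader who copies only the earlier cron advice would refresh metadata with the wrong attribute mapping. Also check the prefix values `idp-renater-` and `sp-renater-` (with trailing hyphen) against the IDP-side command added later in this commit, which uses `idp-renater` and `sp-renater`.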
@ -176,12 +180,12 @@ Go to <a href="https://federation.renater.fr/registry" class="urlextern" title="
<div class="noteimportant">Be sure to check all attributes as mandatory to be able to get them in <abbr title="Security Assertion Markup Language">SAML</abbr> assertions.
</div>
</div>
<!-- EDIT6 SECTION "Add your SP into the federation" [3521-3747] -->
<!-- EDIT6 SECTION "Add your SP into the federation" [3550-3776] -->
<h2 class="sectionedit7" id="register_as_identity_provider">Register as Identity Provider</h2>
<div class="level2">
</div>
<!-- EDIT7 SECTION "Register as Identity Provider" [3748-3790] -->
<!-- EDIT7 SECTION "Register as Identity Provider" [3777-3819] -->
<h3 class="sectionedit8" id="llng_configuration1">LL::NG configuration</h3>
<div class="level3">
@ -191,21 +195,19 @@ Configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as <abbr title="Security Ass
<div class="noteimportant">If your <abbr title="LemonLDAP::NG">LL::NG</abbr> server will act as SP and IDP inside Renater federation, you need to set the advanced parameter &quot;Override Entity ID for IDP&quot;. Indeed, Renater do not allow to register a SP and an IDP with the same entityID.
</div>
</div>
<!-- EDIT8 SECTION "LL::NG configuration" [3791-4198] -->
<!-- EDIT8 SECTION "LL::NG configuration" [3820-4227] -->
<h3 class="sectionedit9" id="metadata_import1">Metadata import</h3>
<div class="level3">
<p>
You now need to import SP metadata in <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration. Use the <code>importMetadata</code> script that should be installed in /usr/share/lemonldap-ng/bin. You need to select the correct metadata bundle proposed by Renater: <a href="https://services.renater.fr/federation/technique/metadata" class="urlextern" title="https://services.renater.fr/federation/technique/metadata" rel="nofollow">https://services.renater.fr/federation/technique/metadata</a>, for example:
You now need to import SP metadata in <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration. Use the <code>importMetadata</code> script that should be installed in /usr/share/lemonldap-ng/bin. You need to select the correct metadata bundle proposed by Renater: <a href="https://services.renater.fr/federation/technique/metadata" class="urlextern" title="https://services.renater.fr/federation/technique/metadata" rel="nofollow">https://services.renater.fr/federation/technique/metadata</a>.
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-sps-renater-metadata.xml -r -i &quot;idp-renater&quot; -s &quot;sp-renater&quot;</pre>
<div class="noteimportant">You need to add this in cron to refresh metadata into <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration.
</div>
<p>
If you need too customize some settings of the script, copy it and edit configuration:
For Renater, you may need to customize some settings of the script, copy it and edit configuration:
</p>
<pre class="code">cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
vi /usr/share/lemonldap-ng/bin/importMetadataCustom</pre>
<pre class="code">cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataRenater
vi /usr/share/lemonldap-ng/bin/importMetadataRenater</pre>
<p>
Adapt IDP options, for example:
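Review bot: "For Renater, you may need to customize some settings" here versus "you need to customize" on the SP-side page in this same commit describe the same procedure, so pick one wording. The unchanged lead-in "Adapt IDP options, for example:" sits above `samlSPMetaDataOptions*` keys in the section that imports SP metadata, so it should read "Adapt SP options, for example:".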
@ -224,8 +226,14 @@ Adapt IDP options, for example:
<span class="st_h">'samlSPMetaDataOptionsSignSSOMessage'</span> <span class="sy0">=&gt;</span> <span class="nu0">1</span>
<span class="br0">&#125;</span><span class="sy0">;</span></pre>
<p>
Then run the script:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/importMetadataRenater -m https://metadata.federation.renater.fr/renater/main/main-sps-renater-metadata.xml -r -i &quot;idp-renater&quot; -s &quot;sp-renater&quot;</pre>
<div class="noteimportant">You need to add this in cron to refresh metadata into <abbr title="LemonLDAP::NG">LL::NG</abbr> configuration.
</div>
<!-- EDIT9 SECTION "Metadata import" [4199-5798] -->
</div>
<!-- EDIT9 SECTION "Metadata import" [4228-5857] -->
<h3 class="sectionedit10" id="add_your_idp_into_the_federation">Add your IDP into the federation</h3>
<div class="level3">
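Review bot: the prefixes `-i "idp-renater" -s "sp-renater"` in this command differ from `-i "idp-renater-" -s "sp-renater-"` in the SP-side command earlier in this commit; since the prefix becomes part of the generated configuration keys, the two pages should agree on one form (with or without the trailing hyphen). As on the SP page, the cron note should state that the cron entry runs importMetadataRenater, not the packaged importMetadata.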
@ -234,6 +242,6 @@ Go to <a href="https://federation.renater.fr/registry" class="urlextern" title="
</p>
</div>
<!-- EDIT10 SECTION "Add your IDP into the federation" [5799-] --></div>
<!-- EDIT10 SECTION "Add your IDP into the federation" [5858-] --></div>
</body>
</html>

View File

@ -72,7 +72,7 @@ You can share your configuration over the network using REST proxy system:
</li>
<li class="level1"><div class="li"> GET /config/&lt;latest|cfgNum&gt;/&lt;key&gt;: get conf key value</div>
</li>
<li class="level1"><div class="li"> GET /config/&lt;latest|cfgNum&gt;?full: get the full configuration</div>
<li class="level1"><div class="li"> GET /config/&lt;latest|cfgNum&gt;?full=1: get the full configuration</div>
</li>
</ul>
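Review bot: `?full=1` is more precise than `?full`, but existing clients may send the bare form, so the line should say whether `?full` without a value is still accepted. Worth adding here as well that the full configuration returned by this call contains every secret stored in the configuration (backend passwords, signing keys), so the `location /index.psgi/config` access rules shown in the "First, configure your real backend" section apply to it.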
@ -90,12 +90,12 @@ If no &lt;lang&gt; provided, &#039;en&#039; errors file is returned.
<div class="notetip">Note that REST is not a real configuration backend, but just a proxy system to access to your configuration over the network
</div>
</div>
<!-- EDIT1 SECTION "REST configuration backend" [1-694] -->
<!-- EDIT1 SECTION "REST configuration backend" [1-696] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Configuration" [695-721] -->
<!-- EDIT2 SECTION "Configuration" [697-723] -->
<h3 class="sectionedit3" id="first_configure_your_real_backend">First, configure your real backend</h3>
<div class="level3">
<ul>
@ -124,7 +124,7 @@ location /index.psgi/config {
}</pre>
</div>
<!-- EDIT3 SECTION "First, configure your real backend" [722-1502] -->
<!-- EDIT3 SECTION "First, configure your real backend" [724-1504] -->
<h3 class="sectionedit4" id="next_configure_rest_for_your_remote_servers">Next, configure REST for your remote servers</h3>
<div class="level3">
@ -146,6 +146,6 @@ You can also add some other parameters
<span class="re1">proxyOptions</span> <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span> timeout <span class="sy0">=</span>&gt; 5 <span class="br0">&#125;</span></span></pre>
</div>
<!-- EDIT4 SECTION "Next, configure REST for your remote servers" [1503-] --></div>
<!-- EDIT4 SECTION "Next, configure REST for your remote servers" [1505-] --></div>
</body>
</html>

View File

@ -87,14 +87,18 @@ WebApp1 can read this header and use it in its requests by setting the <code>X-L
</p>
<p>
You can set ServiceToken default timeout (30 seconds) by editing <code>lemonldap-ng.ini</code> in section [handler]:
You can set ServiceToken TTL in the virtualHost options in Manager for each required virtualHost.
</p>
<p>
You can also set ServiceToken default timeout (30 seconds) by editing <code>lemonldap-ng.ini</code> in section [handler]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>handler<span class="br0">&#93;</span></span>
<span class="re1">handlerServiceTokenTTL</span> <span class="sy0">=</span><span class="re2"> 30</span></pre>
<div class="noteclassic">Service token timeout can be set for each virtual hosts.
</div>
</div>
<!-- EDIT2 SECTION "Webapp1 handler configuration" [894-1790] -->
<!-- EDIT2 SECTION "Webapp1 handler configuration" [894-1894] -->
<h2 class="sectionedit3" id="webapp2_handler_configuration">Webapp2 handler configuration</h2>
<div class="level2">
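Review bot: the closing note "Service token timeout can be set for each virtual hosts." now repeats the new opening sentence about the virtualHost option, so drop it or merge the two; and state the precedence explicitly, i.e. that the per-virtualHost value overrides `handlerServiceTokenTTL` from lemonldap-ng.ini, if that is the intended behaviour (the text calls the ini value a default, which implies this but does not say it). Grammar: "each virtual hosts" should be "each virtual host".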
@ -103,6 +107,6 @@ Change handler type to <strong>ServiceToken</strong>. So it is able to manage bo
</p>
</div>
<!-- EDIT3 SECTION "Webapp2 handler configuration" [1791-] --></div>
<!-- EDIT3 SECTION "Webapp2 handler configuration" [1895-] --></div>
</body>
</html>

View File

@ -106,19 +106,17 @@
</li>
<li class="level1"><div class="li"> <a href="documentation/quickstart.html" class="wikilink1" title="documentation:quickstart">Quick start tutorial</a></div>
</li>
<li class="level1"><div class="li"> <a href="https://github.com/LemonLDAPNG/pts2019-llng-workshop" class="urlextern" title="https://github.com/LemonLDAPNG/pts2019-llng-workshop" rel="nofollow">Workshop: connect LL::NG to OpenLDAP and use 2FA</a></div>
</li>
<li class="level1"><div class="li"> <a href="platformsoverview.html" class="wikilink1" title="documentation:2.0:platformsoverview">Choose a platform</a></div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [52-379] -->
<!-- EDIT2 SECTION "Presentation" [52-269] -->
<h2 class="sectionedit3" id="installation">Installation</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Installation" [380-405] -->
<!-- EDIT3 SECTION "Installation" [270-295] -->
<h3 class="sectionedit4" id="before_installation">Before installation</h3>
<div class="level3">
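Review bot: the "Workshop: connect LL::NG to OpenLDAP and use 2FA" link is removed without a replacement; it was the only hands-on 2FA tutorial listed in the presentation section, so either keep it or point to wherever the workshop material moved.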
@ -139,7 +137,7 @@
</p>
</div>
<!-- EDIT4 SECTION "Before installation" [406-670] -->
<!-- EDIT4 SECTION "Before installation" [296-560] -->
<h3 class="sectionedit5" id="installation1">Installation</h3>
<div class="level3">
@ -168,7 +166,7 @@
</p>
</div>
<!-- EDIT5 SECTION "Installation" [671-1216] -->
<!-- EDIT5 SECTION "Installation" [561-1106] -->
<h3 class="sectionedit6" id="after_installation">After installation</h3>
<div class="level3">
@ -191,12 +189,12 @@
</p>
</div>
<!-- EDIT6 SECTION "After installation" [1217-1653] -->
<!-- EDIT6 SECTION "After installation" [1107-1543] -->
<h2 class="sectionedit7" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT7 SECTION "Configuration" [1654-1680] -->
<!-- EDIT7 SECTION "Configuration" [1544-1570] -->
<h3 class="sectionedit8" id="first_steps">First steps</h3>
<div class="level3">
@ -225,7 +223,7 @@
</p>
</div>
<!-- EDIT8 SECTION "First steps" [1681-2140] -->
<!-- EDIT8 SECTION "First steps" [1571-2030] -->
<h3 class="sectionedit9" id="portal">Portal</h3>
<div class="level3">
@ -396,7 +394,7 @@
<td class="col0"> <a href="autosignin.html" class="wikilink1" title="documentation:2.0:autosignin">Auto Signin</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
</table></div>
<!-- EDIT10 TABLE [2677-5552] -->
<!-- EDIT10 TABLE [2567-5442] -->
<p>
</div></div>
</p>
@ -440,11 +438,16 @@
<td class="col0"> <a href="issuerdbget.html" class="wikilink1" title="documentation:2.0:issuerdbget">Get parameters provider</a> <em>(for poor applications)</em> </td><td class="col1 leftalign"> </td><td class="col2 centeralign"></td>
</tr>
</table></div>
<!-- EDIT11 TABLE [5898-6259] -->
<!-- EDIT11 TABLE [5788-6149] -->
<p>
</div></div>
</p>
<div class="notetip">Issuers timeout : Delay for issuers to submit their authentication requests
<div class="notetip">* Issuers timeout : Delay for issuers to submit their authentication requests
<p>
* To avoid a bad/expired token and lose redirection to the SP protected application after authentication if IdP URLs are served by different load balancers, you can force Issuer tokens to be stored into Global Storage by editing <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">forceGlobalStorageIssuerOTT</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
</div>
</div>
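Review bot: the two bullets inside the notetip are literal "*" characters rather than a list, and the second runs to over fifty words; suggest a real `<ul>` and a split into what the problem is (the issuer token is not found when the callback lands on a different server behind a load balancer, so the redirection to the protected application is lost) and what `forceGlobalStorageIssuerOTT = 1` changes (the token is stored in the global storage so that every server can find it). "a bad/expired token and lose redirection" would read better as "an invalid or expired token, which loses the redirection".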
@ -493,7 +496,7 @@
<td class="col0"> <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">XSS</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT12 TABLE [6641-7155] -->
<!-- EDIT12 TABLE [6866-7380] -->
<p>
</div></div>
</p>
@ -527,61 +530,70 @@
<td class="col0"> <a href="checkstate.html" class="wikilink1" title="documentation:2.0:checkstate">Check state</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Check state plugin (test page) </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> <a href="checkuser.html" class="wikilink1" title="documentation:2.0:checkuser">Check user </a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Check access rights, transmitted headers and session attibutes for a specific user and <abbr title="Uniform Resource Locator">URL</abbr> </td>
<td class="col0"> <a href="checkuser.html" class="wikilink1" title="documentation:2.0:checkuser">Check user </a> <sup><a href="#fn__4" id="fnt__4" class="fn_top">4)</a></sup> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Check access rights, transmitted headers and session attibutes for a specific user and <abbr title="Uniform Resource Locator">URL</abbr> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> <a href="viewer.html" class="wikilink1" title="documentation:2.0:viewer">Configuration viewer</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Edit WebSSO configuration in Read Only mode </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> <a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> <sup><a href="#fn__4" id="fnt__4" class="fn_top">4)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Switch context other users </td>
<td class="col0"> <a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> <sup><a href="#fn__5" id="fnt__5" class="fn_top">5)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Switch context other users </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> <a href="plugincustom.html" class="wikilink1" title="documentation:2.0:plugincustom">Custom</a> </td><td class="col1"> Write a custom plugin </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> <a href="loginhistory.html" class="wikilink1" title="documentation:2.0:loginhistory">Display login history</a> </td><td class="col1"></td>
<td class="col0"> <a href="decryptvalue.html" class="wikilink1" title="documentation:2.0:decryptvalue">Decrypt value</a> <sup><a href="#fn__6" id="fnt__6" class="fn_top">6)</a></sup><a href="documentation/beta.png" class="media" title="documentation:beta.png"><img src="documentation/beta.2707b90c7f00808e80f984a3026445b0.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Decrypt ciphered values </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> <a href="forcereauthn.html" class="wikilink1" title="documentation:2.0:forcereauthn">Force Authentication</a> </td><td class="col1"> Force authentication to access to Portal </td>
<td class="col0"> <a href="loginhistory.html" class="wikilink1" title="documentation:2.0:loginhistory">Display login history</a> </td><td class="col1"></td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> <a href="grantsession.html" class="wikilink1" title="documentation:2.0:grantsession">Grant Sessions</a> </td><td class="col1"> Rules to apply before allowing a user to open a session </td>
<td class="col0"> <a href="forcereauthn.html" class="wikilink1" title="documentation:2.0:forcereauthn">Force Authentication</a> </td><td class="col1"> Force authentication to access to Portal </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> <a href="impersonation.html" class="wikilink1" title="documentation:2.0:impersonation">Impersonation </a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Allow users to use another identity </td>
<td class="col0"> <a href="globallogout.html" class="wikilink1" title="documentation:2.0:globallogout">Global Logout</a> <sup><a href="#fn__7" id="fnt__7" class="fn_top">7)</a></sup><a href="documentation/beta.png" class="media" title="documentation:beta.png"><img src="documentation/beta.2707b90c7f00808e80f984a3026445b0.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Suggest to close all opened sessions at logout </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> <a href="notifications.html" class="wikilink1" title="documentation:2.0:notifications">Notifications system</a> </td><td class="col1"></td>
<td class="col0"> <a href="grantsession.html" class="wikilink1" title="documentation:2.0:grantsession">Grant Sessions</a> </td><td class="col1"> Rules to apply before allowing a user to open a session </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> <a href="status.html" class="wikilink1" title="documentation:2.0:status">Portal Status</a> </td><td class="col1"> Experimental portal status page </td>
<td class="col0"> <a href="impersonation.html" class="wikilink1" title="documentation:2.0:impersonation">Impersonation </a> <sup><a href="#fn__8" id="fnt__8" class="fn_top">8)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Allow users to use another identity </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> <a href="public_pages.html" class="wikilink1" title="documentation:2.0:public_pages">Public pages</a> </td><td class="col1"> Enable public pages system </td>
<td class="col0"> <a href="notifications.html" class="wikilink1" title="documentation:2.0:notifications">Notifications system</a> </td><td class="col1"></td>
</tr>
<tr class="row16 roweven">
<td class="col0"> <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">Reset password by mail</a> </td><td class="col1"></td>
<td class="col0"> <a href="refreshsessionapi.html" class="wikilink1" title="documentation:2.0:refreshsessionapi">Refresh session API</a> <sup><a href="#fn__9" id="fnt__9" class="fn_top">9)</a></sup></td><td class="col1"> Plugin that provides an <abbr title="Application Programming Interface">API</abbr> to refresh a user session </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> <a href="restservices.html" class="wikilink1" title="documentation:2.0:restservices">REST services</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> REST server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
<td class="col0"> <a href="status.html" class="wikilink1" title="documentation:2.0:status">Portal Status</a> </td><td class="col1"> Experimental portal status page </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> <a href="soapservices.html" class="wikilink1" title="documentation:2.0:soapservices">SOAP services</a> <em>(deprecated)</em> </td><td class="col1"> SOAP server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
<td class="col0"> <a href="public_pages.html" class="wikilink1" title="documentation:2.0:public_pages">Public pages</a> </td><td class="col1"> Enable public pages system </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> <a href="stayconnected" class="wikilink2" title="documentation:2.0:stayconnected" rel="nofollow">Stay connected</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Enable persistent connection on same browser </td>
<td class="col0"> <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">Reset password by mail</a> </td><td class="col1"></td>
</tr>
<tr class="row20 roweven">
<td class="col0"> <a href="restservices.html" class="wikilink1" title="documentation:2.0:restservices">REST services</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> REST server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> <a href="soapservices.html" class="wikilink1" title="documentation:2.0:soapservices">SOAP services</a> <em>(deprecated)</em> </td><td class="col1"> SOAP server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> <a href="stayconnected" class="wikilink2" title="documentation:2.0:stayconnected" rel="nofollow">Stay connected</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Enable persistent connection on same browser </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> Upgrade session <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Plugin that explain to user that a more secure authentication is needed instead of rejected it </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [7323-9158] -->
<!-- EDIT13 TABLE [7548-10050] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT9 SECTION "Portal" [2141-9186] -->
<!-- EDIT9 SECTION "Portal" [2031-10078] -->
<h3 class="sectionedit14" id="handlers">Handlers</h3>
<div class="level3">
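Review bot: this hunk introduces footnotes 4) through 9) and the handler table in the same commit is renumbered to 10) and 11), but the footnote block is outside the diff, so check that entries fn__4 through fn__11 exist and match their rows. While these rows are being touched: "session attibutes" should be "session attributes", "Switch context other users" reads better as "Switch to another user's context", and the new "Decrypt value" row says only "Decrypt ciphered values"; since that plugin returns the plaintext of values the portal encrypted, the description should say which rule or right gates its use (or that footnote 6 covers it).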
@ -601,7 +613,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> Main <em>(default handler)</em> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 centeralign"> <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Partial</a> <strong><sup><a href="#fn__5" id="fnt__5" class="fn_top">5)</a></sup></strong> </td><td class="col5 centeralign"></td><td class="col6 leftalign"> </td>
<td class="col0"> Main <em>(default handler)</em> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 centeralign"> <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Partial</a> <strong><sup><a href="#fn__10" id="fnt__10" class="fn_top">10)</a></sup></strong> </td><td class="col5 centeralign"></td><td class="col6 leftalign"> </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> <a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 centeralign"></td><td class="col6"> Designed for some server-to-server applications </td>
@ -616,7 +628,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0"> <a href="devopssthandler.html" class="wikilink1" title="documentation:2.0:devopssthandler">DevOpsST</a> <em>(<a href="ssoaas.html" class="wikilink1" title="documentation:2.0:ssoaas">SSOaaS</a>)</em> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 centeralign"></td><td class="col5 leftalign"> </td><td class="col6"> Enables both <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a> and <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">Service Token</a> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2</a> <sup><a href="#fn__6" id="fnt__6" class="fn_top">6)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 centeralign"></td><td class="col6"> Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services </td>
<td class="col0"> <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2</a> <sup><a href="#fn__11" id="fnt__11" class="fn_top">11)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 centeralign"></td><td class="col6"> Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> <a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">Secure Token</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 leftalign"> </td><td class="col6"> Designed to secure exchanges between a LLNG reverse-proxy and a remote app </td>
@ -628,13 +640,13 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra PreAuth</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT15 TABLE [9460-11243] -->
<!-- EDIT15 TABLE [10352-12135] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT14 SECTION "Handlers" [9187-11271] -->
<!-- EDIT14 SECTION "Handlers" [10079-12163] -->
<h3 class="sectionedit16" id="llng_databases">LLNG databases</h3>
<div class="level3">
@ -683,7 +695,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0 centeralign"> <a href="localconfbackend.html" class="wikilink1" title="documentation:2.0:localconfbackend">Local</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 leftalign"> </td><td class="col2 leftalign"> Use only lemonldap-ng.ini parameters. </td>
</tr>
</table></div>
<!-- EDIT17 TABLE [11576-12688] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
<!-- EDIT17 TABLE [12468-13580] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
</div>
<p>
</div></div>
@ -738,13 +750,14 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
<strong>Can be used to secure another backend</strong> for remote servers. </td>
</tr>
</table></div>
<!-- EDIT18 TABLE [13553-15253] -->
<!-- EDIT18 TABLE [14445-16145] -->
<p>
</div></div>
</p>
<div class="notetip">You can migrate from one session backend to another using the <a href="changesessionbackend.html" class="wikilink1" title="documentation:2.0:changesessionbackend">session conversion script</a>. (<a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <em>since 2.0.7</em>)
</div>
<!-- EDIT16 SECTION "LLNG databases" [11272-15281] -->
</div>
<!-- EDIT16 SECTION "LLNG databases" [12164-16351] -->
<h2 class="sectionedit19" id="applications_protection">Applications protection</h2>
<div class="level2">
@ -766,6 +779,8 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</li>
<li class="level1"><div class="li"> <a href="customhandlers.html" class="wikilink1" title="documentation:2.0:customhandlers">Custom Handlers</a></div>
</li>
<li class="level1"><div class="li"> <a href="webserviceprotection.html" class="wikilink1" title="documentation:2.0:webserviceprotection">WebServices / API</a></div>
</li>
</ul>
<p>
@ -773,7 +788,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT19 SECTION "Applications protection" [15282-15772] -->
<!-- EDIT19 SECTION "Applications protection" [16352-16889] -->
<h3 class="sectionedit20" id="well_known_compatible_applications">Well known compatible applications</h3>
<div class="level3">
<div class="noteclassic">Here is a list of well known applications that are compatible with <abbr title="LemonLDAP::NG">LL::NG</abbr>. A full list is available on <a href="applications.html" class="wikilink1" title="documentation:2.0:applications">vendor applications page</a>.
@ -877,7 +892,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT20 SECTION "Well known compatible applications" [15773-18111] -->
<!-- EDIT20 SECTION "Well known compatible applications" [16890-19228] -->
<h2 class="sectionedit21" id="advanced_features">Advanced features</h2>
<div class="level2">
@ -936,7 +951,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT21 SECTION "Advanced features" [18112-19331] -->
<!-- EDIT21 SECTION "Advanced features" [19229-20448] -->
<h2 class="sectionedit22" id="mini_howtos">Mini howtos</h2>
<div class="level2">
@ -966,6 +981,8 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</li>
<li class="level1"><div class="li"> <a href="behindproxyminihowto.html" class="wikilink1" title="documentation:2.0:behindproxyminihowto">Run LemonLDAP::NG components behind a reverse proxy</a></div>
</li>
<li class="level1"><div class="li"> <a href="useoutgoingproxy.html" class="wikilink1" title="documentation:2.0:useoutgoingproxy">Configure LL::NG to use an outgoing proxy</a></div>
</li>
</ul>
<p>
@ -973,7 +990,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT22 SECTION "Mini howtos" [19332-20226] -->
<!-- EDIT22 SECTION "Mini howtos" [20449-21410] -->
<h2 class="sectionedit23" id="exploitation">Exploitation</h2>
<div class="level2">
@ -1008,7 +1025,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT23 SECTION "Exploitation" [20227-20744] -->
<!-- EDIT23 SECTION "Exploitation" [21411-21928] -->
<h2 class="sectionedit24" id="bug_report">Bug report</h2>
<div class="level2">
@ -1017,7 +1034,7 @@ See <a href="bugreport.html" class="wikilink1" title="bugreport">How to report a
</p>
</div>
<!-- EDIT24 SECTION "Bug report" [20745-20809] -->
<!-- EDIT24 SECTION "Bug report" [21929-21993] -->
<h2 class="sectionedit25" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -1084,7 +1101,7 @@ If you don&#039;t want to publish your translation <em>(<code>XX</code> must be
</ul>
</div>
<!-- EDIT25 SECTION "Developer corner" [20810-] --><div class="footnotes">
<!-- EDIT25 SECTION "Developer corner" [21994-] --><div class="footnotes">
<div class="fn"><sup><a href="#fnt__1" id="fn__1" class="fn_bot">1)</a></sup>
<a href="authgpg.html" class="wikilink1" title="documentation:2.0:authgpg">GPG</a> is available with LLNG ≥ 2.0.2</div>
<div class="fn"><sup><a href="#fnt__2" id="fn__2" class="fn_bot">2)</a></sup>
@ -1092,10 +1109,19 @@ If you don&#039;t want to publish your translation <em>(<code>XX</code> must be
<div class="fn"><sup><a href="#fnt__3" id="fn__3" class="fn_bot">3)</a></sup>
<a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">Additional second factors</a> is available with LLNG ≥ 2.0.6</div>
<div class="fn"><sup><a href="#fnt__4" id="fn__4" class="fn_bot">4)</a></sup>
<a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> is available with LLNG ≥ 2.0.6</div>
, <sup><a href="#fnt__8" id="fn__8" class="fn_bot">8)</a></sup>
<a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> is available with LLNG ≥ 2.0.3</div>
<div class="fn"><sup><a href="#fnt__5" id="fn__5" class="fn_bot">5)</a></sup>
<a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionalities</div>
<a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> is available with LLNG ≥ 2.0.6</div>
<div class="fn"><sup><a href="#fnt__6" id="fn__6" class="fn_bot">6)</a></sup>
<a href="decryptvalue.html" class="wikilink1" title="documentation:2.0:decryptvalue">Decrypt value</a> is available with LLNG ≥ 2.0.7</div>
<div class="fn"><sup><a href="#fnt__7" id="fn__7" class="fn_bot">7)</a></sup>
<a href="globallogout.html" class="wikilink1" title="documentation:2.0:globallogout">Global Logout</a> is available with LLNG ≥ 2.0.7</div>
<div class="fn"><sup><a href="#fnt__9" id="fn__9" class="fn_bot">9)</a></sup>
<a href="refreshsessionapi.html" class="wikilink1" title="documentation:2.0:refreshsessionapi">Refresh session plugin</a> is available with LLNG ≥ 2.0.7</div>
<div class="fn"><sup><a href="#fnt__10" id="fn__10" class="fn_bot">10)</a></sup>
<a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionalities</div>
<div class="fn"><sup><a href="#fnt__11" id="fn__11" class="fn_bot">11)</a></sup>
<a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2 Handler</a> is available with LLNG ≥ 2.0.4</div>
</div>
</div>
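Review bot: the footnotes in this hunk now contradict each other on the Context switching minimum version. The merged footnote "4), 8)" reads "Context switching is available with LLNG ≥ 2.0.3", while footnote "5)", which took the slot of the removed Node.js handler text, reads "Context switching is available with LLNG ≥ 2.0.6" (the line that was deleted also said 2.0.6). One of these is a copy-paste slip; check which release actually shipped the plugin, make both footnotes agree, and since they point at the same page (contextswitching.html) consider collapsing them into one footnote the way 4) and 8) were merged.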

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/stayconnected?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/stayconnected?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
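Review bot: this file changes only because the export embeds a per-session DokuWiki CSRF token in the Login link (`sectok=594f5b54...` becomes `sectok=dd0430f7...`), and the next hunk likewise only bumps the `indexer.php?...&amp;1576942870` beacon timestamp. Neither carries documentation content, so the exporter should strip the `do=login` action link and the indexer `<img>` (or the generated HTML should be normalised before commit); otherwise every export touches every page and real documentation changes are buried in token and timestamp churn. The token itself is tied to the exporting user's session and is harmless once that session is gone, but there is no reason to publish it.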
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Astayconnected&amp;1569271210" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Astayconnected&amp;1576942870" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:upgrade</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,upgrade"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="upgrade.html"/>
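Review bot: the `robots` meta on upgrade.html flips from `index,follow` to `noindex,nofollow`, while the two new pages in the same commit (useoutgoingproxy.html, webserviceprotection.html) are exported with `index,follow`. If hiding the upgrade page from search engines is intended, state it in the commit; otherwise this looks like exporter state leaking into the output, and it is the wrong page to hide, since it is the one an administrator searching for CVE-2019-19791 remediation steps needs to find.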
@ -49,6 +49,7 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#section207">2.0.7</a></div></li>
<li class="level1"><div class="li"><a href="#section206">2.0.6</a></div></li>
<li class="level1"><div class="li"><a href="#section205">2.0.5</a></div></li>
<li class="level1"><div class="li"><a href="#upgrade_order_from_19">Upgrade order from 1.9.*</a></div></li>
@ -89,7 +90,32 @@ Please apply general caution as you would with any software: have backups and a
</div>
</div>
<!-- EDIT1 SECTION "Upgrade from 2.0.x to 2.0.y" [1-527] -->
<h2 class="sectionedit2" id="section206">2.0.6</h2>
<h2 class="sectionedit2" id="section207">2.0.7</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Security:</div>
<ul>
<li class="level2"><div class="li"> <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2040" rel="nofollow">#2040</a>: Configuration of a redirection <abbr title="Uniform Resource Identifier">URI</abbr> for an OpenID Connect Relying Party is now mandatory, as defined in the specifications. If you save your configuration, you will have an error if some of your RP don&#039;t have a redirect <abbr title="Uniform Resource Identifier">URI</abbr> configured.</div>
</li>
<li class="level2"><div class="li"> <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943" rel="nofollow">#1943</a> / <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19791" class="urlextern" title="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19791" rel="nofollow">CVE-2019-19791</a>: along with the patch provided in 2.0.7 in <code>Lemonldap/NG/Common/PSGI/Request.pm</code>, Apache rewrite rule must be updated to avoid an unprotected access to REST services:</div>
</li>
</ul>
</li>
</ul>
<pre class="code file apache"> <span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi(?:/.*)?)$&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/index.fcgi/$1&quot;</span> [PT]</pre>
<ul>
<li class="level1"><div class="li"> Other:</div>
<ul>
<li class="level2"><div class="li"> Option <code>checkTime</code> was enabled by default in <code>lemonldap-ng.ini</code>, this let the portal check the configuration immediately instead of waiting for configuration cache expiration. You can keep this option enabled unless you need strong <a href="performances.html" class="wikilink1" title="documentation:2.0:performances">performances</a>.</div>
</li>
</ul>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "2.0.7" [528-1651] -->
<h2 class="sectionedit3" id="section206">2.0.6</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Option was added to display generate password box in <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password reset by mail plugin</a>. If you use this feature, you must enable this option, which is disabled by default.</div>
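Review bot: the CVE-2019-19791 entry tells administrators that the "Apache rewrite rule must be updated" and prints the new `RewriteCond`/`RewriteRule` pair, but gives no before/after, so a reader cannot tell whether the rule already in their vhost is the vulnerable one. Show the previous rule next to the corrected one (or name the packaged vhost file, portal and manager if both are affected, that ships the new text so people can diff against it), and say explicitly whether Nginx deployments need an equivalent change, because the note only mentions Apache and the `Request.pm` patch. Minor: in the `checkTime` bullet, "this let the portal check" should read "this lets the portal check".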
@ -97,30 +123,38 @@ Please apply general caution as you would with any software: have backups and a
<li class="level1"><div class="li"> If you use the default _whatToTrace macro and a case insensitive authentication backend, then a user can generate several persistent sessions for the same login (see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1869" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1869" rel="nofollow">issue 1869</a>). This can lead to a security bug if you enabled 2FA, which rely on data stored in the persistent session. To fix this, either choose a unique attribute for _whatToTrace, either force lower case in your macro:</div>
</li>
</ul>
<pre class="code perl"><span class="re0">$_auth</span> <span class="kw1">eq</span> <span class="st_h">'SAML'</span> <span class="sy0">?</span> <a href="http://perldoc.perl.org/functions/lc.html"><span class="kw3">lc</span></a><span class="br0">&#40;</span><span class="re0">$_user</span><span class="sy0">.</span><span class="st_h">'@'</span><span class="sy0">.</span><span class="re0">$_idpConfKey</span><span class="br0">&#41;</span> <span class="sy0">:</span> <span class="re0">$_auth</span> <span class="kw1">eq</span> <span class="st_h">'OpenIDConnect'</span> <span class="sy0">?</span> <a href="http://perldoc.perl.org/functions/lc.html"><span class="kw3">lc</span></a><span class="br0">&#40;</span><span class="re0">$_user</span><span class="sy0">.</span><span class="st_h">'@'</span><span class="sy0">.</span><span class="re0">$_oidcConnectedRP</span><span class="br0">&#41;</span> <span class="sy0">:</span> <a href="http://perldoc.perl.org/functions/lc.html"><span class="kw3">lc</span></a><span class="br0">&#40;</span><span class="re0">$_user</span><span class="br0">&#41;</span></pre>
<pre class="code perl"><span class="re0">$_auth</span> <span class="kw1">eq</span> <span class="st_h">'SAML'</span> <span class="sy0">?</span> <a href="http://perldoc.perl.org/functions/lc.html"><span class="kw3">lc</span></a><span class="br0">&#40;</span><span class="re0">$_user</span><span class="sy0">.</span><span class="st_h">'@'</span><span class="sy0">.</span><span class="re0">$_idpConfKey</span><span class="br0">&#41;</span> <span class="sy0">:</span> <span class="re0">$_auth</span> <span class="kw1">eq</span> <span class="st_h">'OpenIDConnect'</span> <span class="sy0">?</span> <a href="http://perldoc.perl.org/functions/lc.html"><span class="kw3">lc</span></a><span class="br0">&#40;</span><span class="re0">$_user</span><span class="sy0">.</span><span class="st_h">'@'</span><span class="sy0">.</span><span class="re0">$_oidc_OP</span><span class="br0">&#41;</span> <span class="sy0">:</span> <a href="http://perldoc.perl.org/functions/lc.html"><span class="kw3">lc</span></a><span class="br0">&#40;</span><span class="re0">$_user</span><span class="br0">&#41;</span></pre>
<ul>
<li class="level1"><div class="li"> On CentOS 7 / RHEL 7, a system upgrade breaks ImageMagick, which is used to display captchas (see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1951" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1951" rel="nofollow">#1951</a>). To fix this, you can run the following commands:</div>
</li>
</ul>
<pre class="code">yum install -y urw-base35-fonts-legacy
sed &#039;s,/usr/share/fonts/default/Type1/,/usr/share/X11/fonts/urw-fonts/,g&#039; -i /etc/ImageMagick/type-ghostscript.xml</pre>
</div>
<!-- EDIT2 SECTION "2.0.6" [528-1336] -->
<h2 class="sectionedit3" id="section205">2.0.5</h2>
<!-- EDIT3 SECTION "2.0.6" [1652-2845] -->
<h2 class="sectionedit4" id="section205">2.0.5</h2>
<div class="level2">
<ul>
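Review bot: the `_whatToTrace` example silently replaces `$_oidcConnectedRP` with `$_oidc_OP` in the OpenIDConnect branch, with nothing in the notes explaining the change. These are different session keys: `_oidcConnectedRP` is populated when LL::NG acts as the OpenID Connect provider and records the relying party, whereas `_oidc_OP` is set by the OpenID Connect authentication backend and names the provider the user logged in through, which is what the macro needs to keep `user@OP` keys distinct across providers. Since this is the 2.0.6 upgrade note administrators were told to copy, add one sentence stating that the earlier text was wrong and that existing macros must be corrected; with the old key unset, every OIDC-authenticated user collapses to `lc($_user.'@')` and the per-login persistent-session collision described for issue 1869 is not actually closed for them.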
<li class="level1"><div class="li"> The Text::Unidecode perl module becomes a requirement <em>(it will be automatically installed if you upgrade from from the deb or RPM repositories)</em></div>
</li>
<li class="level1"><div class="li"> <abbr title="Central Authentication Service">CAS</abbr> logout starts validating the service= parameter, but only if you use the <abbr title="Central Authentication Service">CAS</abbr> Access control policy. The <abbr title="Uniform Resource Locator">URL</abbr> sent in the service= parameter will be checked against <a href="idpcas.html#configuring_cas_applications" class="wikilink1" title="documentation:2.0:idpcas">known CAS applications</a>, Virtual Hosts, and <a href="security.html#configure_security_settings" class="wikilink1" title="documentation:2.0:security">trusted domains</a>. Add your target domain to trusted domains if you suddenly start having &quot;Invalid <abbr title="Uniform Resource Locator">URL</abbr>&quot; messages on logout</div>
</li>
<li class="level1"><div class="li">Improvements in cryptographic functions: to take advantage of them, <strong>you must change the encryption key</strong> of LemonLDAP::NG (see <a href="cli_examples.html#encryption_key" class="wikilink1" title="documentation:2.0:cli_examples">CLI example</a>).</div>
<li class="level1"><div class="li"> Improvements in cryptographic functions: to take advantage of them, <strong>you must change the encryption key</strong> of LemonLDAP::NG (see <a href="cli_examples.html#encryption_key" class="wikilink1" title="documentation:2.0:cli_examples">CLI example</a>).</div>
</li>
<li class="level1"><div class="li"> Debian packaging: FastCGI / uWsgi servers require llng-lmlog.conf and llng-lua-headers.conf. Those configuration files are now provided by lemonldap-ng-handler package and installed in /etc/nginx/snippets directory.</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "2.0.5" [1337-2105] -->
<h1 class="sectionedit4" id="upgrade_from_19_to_20">Upgrade from 1.9 to 2.0</h1>
<!-- EDIT4 SECTION "2.0.5" [2846-3836] -->
<h1 class="sectionedit5" id="upgrade_from_19_to_20">Upgrade from 1.9 to 2.0</h1>
<div class="level1">
<div class="noteimportant">2.0 is a major release, lot of things have been changed. You must read this document before upgrade.
</div>
</div>
<!-- EDIT4 SECTION "Upgrade from 1.9 to 2.0" [2106-2269] -->
<h2 class="sectionedit5" id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<!-- EDIT5 SECTION "Upgrade from 1.9 to 2.0" [3837-4000] -->
<h2 class="sectionedit6" id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<div class="level2">
<p>
@ -137,8 +171,8 @@ As usual, if you use more than 1 server and don&#039;t want to stop <abbr title=
<div class="noteimportant">You must revalidate your configuration using the manager.
</div>
</div>
<!-- EDIT5 SECTION "Upgrade order from 1.9.*" [2270-2744] -->
<h2 class="sectionedit6" id="installation">Installation</h2>
<!-- EDIT6 SECTION "Upgrade order from 1.9.*" [4001-4475] -->
<h2 class="sectionedit7" id="installation">Installation</h2>
<div class="level2">
<div class="noteimportant">French documentation is no more available. Only English version of this documentation is maintained now.
</div>
@ -161,8 +195,8 @@ For <abbr title="Security Assertion Markup Language">SAML</abbr> features, we re
</p>
</div>
<!-- EDIT6 SECTION "Installation" [2745-3130] -->
<h2 class="sectionedit7" id="configuration">Configuration</h2>
<!-- EDIT7 SECTION "Installation" [4476-4861] -->
<h2 class="sectionedit8" id="configuration">Configuration</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>lemonldap-ng.ini</strong> requires some new fields in portal section. Update yours using the one given installed by default. New requires fields are:</div>
@ -199,8 +233,8 @@ For <abbr title="Security Assertion Markup Language">SAML</abbr> features, we re
</div>
</div>
<!-- EDIT7 SECTION "Configuration" [3131-4958] -->
<h3 class="sectionedit8" id="configuration_refresh">Configuration refresh</h3>
<!-- EDIT8 SECTION "Configuration" [4862-6689] -->
<h3 class="sectionedit9" id="configuration_refresh">Configuration refresh</h3>
<div class="level3">
<p>
@ -209,8 +243,8 @@ Now portal has the same behavior than handlers: it looks to configuration stored
<div class="noteimportant">If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code> for example
</div>
</div>
<!-- EDIT8 SECTION "Configuration refresh" [4959-5380] -->
<h2 class="sectionedit9" id="ldap_connection">LDAP connection</h2>
<!-- EDIT9 SECTION "Configuration refresh" [6690-7111] -->
<h2 class="sectionedit10" id="ldap_connection">LDAP connection</h2>
<div class="level2">
<p>
@ -218,8 +252,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</p>
</div>
<!-- EDIT9 SECTION "LDAP connection" [5381-5564] -->
<h2 class="sectionedit10" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<!-- EDIT10 SECTION "LDAP connection" [7112-7295] -->
<h2 class="sectionedit11" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> A new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added since 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display,…)</em>. However, you can retain the old integration manner <em>(using <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
@ -229,8 +263,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</ul>
</div>
<!-- EDIT10 SECTION "Kerberos or SSL usage" [5565-6073] -->
<h2 class="sectionedit11" id="logs">Logs</h2>
<!-- EDIT11 SECTION "Kerberos or SSL usage" [7296-7804] -->
<h2 class="sectionedit12" id="logs">Logs</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>Syslog</strong>: logs are now configured in <code>lemonldap-ng.ini</code> file only. If you use Syslog, you must reconfigure it. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
@ -242,8 +276,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</ul>
</div>
<!-- EDIT11 SECTION "Logs" [6074-6655] -->
<h2 class="sectionedit12" id="security">Security</h2>
<!-- EDIT12 SECTION "Logs" [7805-8386] -->
<h2 class="sectionedit13" id="security">Security</h2>
<div class="level2">
<p>
@ -257,8 +291,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT12 SECTION "Security" [6656-7223] -->
<h2 class="sectionedit13" id="handlers">Handlers</h2>
<!-- EDIT13 SECTION "Security" [8387-8954] -->
<h2 class="sectionedit14" id="handlers">Handlers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>Apache only</strong>:</div>
@ -276,8 +310,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT13 SECTION "Handlers" [7224-8309] -->
<h2 class="sectionedit14" id="rules_and_headers">Rules and headers</h2>
<!-- EDIT14 SECTION "Handlers" [8955-10040] -->
<h2 class="sectionedit15" id="rules_and_headers">Rules and headers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> hostname() and remote_ip() are no more provided to avoid some name conflicts <em>(replaced by $ENV{})</em></div>
@ -289,8 +323,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT14 SECTION "Rules and headers" [8310-8628] -->
<h2 class="sectionedit15" id="supported_servers">Supported servers</h2>
<!-- EDIT15 SECTION "Rules and headers" [10041-10359] -->
<h2 class="sectionedit16" id="supported_servers">Supported servers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Apache-1.3 files are not provided now. You can build them yourself by looking at Apache-2 configuration files</div>
@ -298,8 +332,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT15 SECTION "Supported servers" [8629-8774] -->
<h2 class="sectionedit16" id="ajax_requests">Ajax requests</h2>
<!-- EDIT16 SECTION "Supported servers" [10360-10505] -->
<h2 class="sectionedit17" id="ajax_requests">Ajax requests</h2>
<div class="level2">
<p>
@ -307,8 +341,8 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
</p>
</div>
<!-- EDIT16 SECTION "Ajax requests" [8775-8972] -->
<h2 class="sectionedit17" id="soaprest_services">SOAP/REST services</h2>
<!-- EDIT17 SECTION "Ajax requests" [10506-10703] -->
<h2 class="sectionedit18" id="soaprest_services">SOAP/REST services</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> SOAP server activation is now split in 2 parameters (configuration/sessions). You must set them else SOAP service will be disabled</div>
@ -323,8 +357,8 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
<div class="noteimportant"><a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> uses now REST services instead of SOAP.
</div>
</div>
<!-- EDIT17 SECTION "SOAP/REST services" [8973-9570] -->
<h2 class="sectionedit18" id="cas">CAS</h2>
<!-- EDIT18 SECTION "SOAP/REST services" [10704-11301] -->
<h2 class="sectionedit19" id="cas">CAS</h2>
<div class="level2">
<p>
@ -336,13 +370,13 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
</p>
</div>
<!-- EDIT18 SECTION "CAS" [9571-9948] -->
<h2 class="sectionedit19" id="developer_corner">Developer corner</h2>
<!-- EDIT19 SECTION "CAS" [11302-11679] -->
<h2 class="sectionedit20" id="developer_corner">Developer corner</h2>
<div class="level2">
</div>
<!-- EDIT19 SECTION "Developer corner" [9949-9978] -->
<h3 class="sectionedit20" id="apis">APIs</h3>
<!-- EDIT20 SECTION "Developer corner" [11680-11709] -->
<h3 class="sectionedit21" id="apis">APIs</h3>
<div class="level3">
<p>
@ -350,8 +384,8 @@ Portal has now many REST features and includes an <abbr title="Application Progr
</p>
</div>
<!-- EDIT20 SECTION "APIs" [9979-10140] -->
<h3 class="sectionedit21" id="portal_overview">Portal overview</h3>
<!-- EDIT21 SECTION "APIs" [11710-11871] -->
<h3 class="sectionedit22" id="portal_overview">Portal overview</h3>
<div class="level3">
<p>
@ -372,8 +406,8 @@ Requests are independent objects based on Lemonldap::NG::Portal::Main::Request w
</p>
</div>
<!-- EDIT21 SECTION "Portal overview" [10141-10616] -->
<h3 class="sectionedit22" id="handler">Handler</h3>
<!-- EDIT22 SECTION "Portal overview" [11872-12347] -->
<h3 class="sectionedit23" id="handler">Handler</h3>
<div class="level3">
<p>
@ -385,6 +419,6 @@ If you used self protected CGI, you also need to rewrite them, see <a href="self
</p>
</div>
<!-- EDIT22 SECTION "Handler" [10617-] --></div>
<!-- EDIT23 SECTION "Handler" [12348-] --></div>
</body>
</html>

View File

@ -0,0 +1,87 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:useoutgoingproxy</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,useoutgoingproxy"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="useoutgoingproxy.html"/>
<link rel="contents" href="useoutgoingproxy.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:useoutgoingproxy","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="use_an_outgoing_proxy">Use an outgoing proxy</h1>
<div class="level1">
<p>
For some protocols, <abbr title="LemonLDAP::NG">LL::NG</abbr> has to directly contact the external server. This is the case for example with <abbr title="Central Authentication Service">CAS</abbr> authentication (validation of service ticket) or OpenID Connect authentication (access to token endpoint and userinfo endpoint).
</p>
<p>
If the <abbr title="LemonLDAP::NG">LL::NG</abbr> server needs a proxy for outgoing connections, then you need to configure some environment variables.
</p>
</div>
<!-- EDIT1 SECTION "Use an outgoing proxy" [1-394] -->
<h2 class="sectionedit2" id="apache">Apache</h2>
<div class="level2">
<p>
In Apache configuration, set:
</p>
<pre class="code file apache">FcgidInitialEnv http_proxy http://X.X.X.X:X
FcgidInitialEnv https_proxy http://X.X.X.X:X
<span class="co1"># on Centos7, you need LWP::Protocol::connect</span>
<span class="co1"># FcgidInitialEnv https_proxy connect://X.X.X.X:X</span></pre>
</div>
<!-- EDIT2 SECTION "Apache" [395-652] -->
<h2 class="sectionedit3" id="nginxfastcgi">Nginx/FastCGI</h2>
<div class="level2">
<p>
add in <code>/etc/default/lemonldap-ng-fastcgi-server</code> :
</p>
<pre class="code">http_proxy=http://X.X.X.X:X
https_proxy=http://X.X.X.X:X
# on Centos7, you need LWP::Protocol::connect
# https_proxy=connect://X.X.X.X:X</pre>
</div>
<!-- EDIT3 SECTION "Nginx/FastCGI" [653-] --></div>
</body>
</html>
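Review bot: the new page sets `http_proxy` and `https_proxy` but never mentions `no_proxy`, so once configured every outbound HTTP(S) request the portal makes, including CAS ticket validation or OpenID Connect token/userinfo calls against providers on the internal network and the REST/SOAP calls between LL::NG components, will be sent through the proxy. Add a `no_proxy` line (for example `no_proxy=localhost,127.0.0.1,.example.com`) to both the `FcgidInitialEnv` block and the `/etc/default/lemonldap-ng-fastcgi-server` example, and note that if the proxy needs authentication the credentials placed in the URL end up in the process environment of the FastCGI workers. Separately, the `//elsif:useexternallibs` template branch loads jQuery from `http://code.jquery.com/...` over plaintext and without integrity attributes; that is shared across all exported pages, but it should be `https://` (with SRI) before this build option is used.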

View File

@ -0,0 +1,179 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:webserviceprotection</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,webserviceprotection"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="webserviceprotection.html"/>
<link rel="contents" href="webserviceprotection.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:webserviceprotection","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#servicetoken_handler">ServiceToken Handler</a></div></li>
<li class="level1"><div class="li"><a href="#oauth2_endpoints">OAuth2 endpoints</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#userinfo">UserInfo</a></div></li>
<li class="level2"><div class="li"><a href="#introspection">Introspection</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#oauth2_handler">OAuth2 Handler</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="webservicesapi">WebServices / API</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "WebServices / API" [1-33] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
WebServices and <abbr title="Application Programming Interface">API</abbr> are mostly requested by an application, and not the end-user itself. In this case, you can not rely on <abbr title="LemonLDAP::NG">LL::NG</abbr> standard Handler to protect the webservice, as it will expect a cookie, which is not defined in the application requesting the service.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> offers several solutions to protect this kind of service.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [34-392] -->
<h2 class="sectionedit3" id="servicetoken_handler">ServiceToken Handler</h2>
<div class="level2">
<p>
Two Handlers will be used:
</p>
<ul>
<li class="level1"><div class="li"> The frontal Handler that will protect the web application, and will forge a specific token</div>
</li>
<li class="level1"><div class="li"> The backend Handler that will protect the web service, and will consume the token</div>
</li>
</ul>
<p>
See <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">ServiceToken Handler documentation</a>.
</p>
</div>
<!-- EDIT3 SECTION "ServiceToken Handler" [393-695] -->
<h2 class="sectionedit4" id="oauth2_endpoints">OAuth2 endpoints</h2>
<div class="level2">
<p>
We suppose here that <abbr title="LemonLDAP::NG">LL::NG</abbr> is acting as <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect provider</a>. The web application will then be able to get an access token from <abbr title="LemonLDAP::NG">LL::NG</abbr>. This token could be sent to the webservice that can then validate it against <abbr title="LemonLDAP::NG">LL::NG</abbr> OAuth2 endpoints.
</p>
</div>
<!-- EDIT4 SECTION "OAuth2 endpoints" [696-989] -->
<h3 class="sectionedit5" id="userinfo">UserInfo</h3>
<div class="level3">
<p>
You can use the UserInfo endpoint, which requires the access token to deliver user attributes.
</p>
<p>
For example:
</p>
<pre class="code">curl \
-H &quot;Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2&quot; \
https://auth.example.ccom/oauth2/userinfo | json_pp</pre>
<pre class="code file javascript"><span class="br0">&#123;</span>
  <span class="st0">&quot;family_name&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;OUDOT&quot;</span><span class="sy0">,</span>
  <span class="st0">&quot;name&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;Clément OUDOT&quot;</span><span class="sy0">,</span>
  <span class="st0">&quot;email&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;clement@example.com&quot;</span><span class="sy0">,</span>
  <span class="st0">&quot;sub&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;coudot&quot;</span>
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT5 SECTION "UserInfo" [990-1412] -->
<h3 class="sectionedit6" id="introspection">Introspection</h3>
<div class="level3">
<p>
Introspection endpoint is defined in <a href="https://tools.ietf.org/html/rfc7662" class="urlextern" title="https://tools.ietf.org/html/rfc7662" rel="nofollow">RFC 7662</a>. It requires an authentication (same as the authentication for the token endpoint) and takes to access token as parameter.
</p>
<p>
For example:
</p>
<pre class="code">curl \
-H &quot;Authorization: Basic bGVtb25sZGFwOnNlY3JldA==&quot; \
-X POST -d &quot;token=a74d504ec9e784785e70a1da2b95d1d2&quot; \
https://auth.example.com/oauth2/introspect | json_pp</pre>
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;client_id&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;lemonldap&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;sub&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;coudot&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;exp&quot;</span> <span class="sy0">:</span> <span class="nu0">1572446485</span><span class="sy0">,</span>
<span class="st0">&quot;active&quot;</span> <span class="sy0">:</span> <span class="kw2">true</span><span class="sy0">,</span>
<span class="st0">&quot;scope&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;openid profile address email phone&quot;</span>
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT6 SECTION "Introspection" [1413-2024] -->
<h2 class="sectionedit7" id="oauth2_handler">OAuth2 Handler</h2>
<div class="level2">
<p>
We also suppose here that <abbr title="LemonLDAP::NG">LL::NG</abbr> is acting as <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect provider</a>. But the webservice will be protected by the OAuth2 Handler and will just have to read the HTTP headers to know which user is connected.
</p>
<pre class="code">curl \
-H &quot;Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2&quot; \
https://oauth2.example.ccom/rest/myapi </pre>
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;check&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;true&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;user&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;coudot&quot;</span>
<span class="br0">&#125;</span></pre>
<p>
See <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2 Handler documentation</a>.
</p>
</div>
<!-- EDIT7 SECTION "OAuth2 Handler" [2025-] --></div>
</body>
</html>
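Review bot: the example URLs in the UserInfo and OAuth2 Handler sections carry a typo, `https://auth.example.ccom/oauth2/userinfo` and `https://oauth2.example.ccom/rest/myapi` should read `example.com` as in the introspection example. In the Introspection paragraph, "takes to access token as parameter" should read "takes the access token as parameter". In the `useexternallibs` branch of the head, jquery-ui is loaded from `http://code.jquery.com/ui/1.10.4/jquery-ui.min.js`; use an `https://` URL so a page served over TLS does not pull a script over plain HTTP.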

View File

@ -52,7 +52,7 @@
<li class="level1"><div class="li"><a href="#available_env_variables">Available $ENV{} variables</a></div></li>
<li class="level1"><div class="li"><a href="#rules">Rules</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#rules_on_authentication_level">Rules on authentication level</a></div></li>
<li class="level2"><div class="li"><a href="#rules_based_on_authentication_level">Rules based on authentication level</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#headers">Headers</a></div></li>
@ -187,11 +187,11 @@ By default, user will be redirected on portal if no <abbr title="Uniform Resourc
</div>
</div>
<!-- EDIT3 SECTION "Rules" [1239-3967] -->
<h3 class="sectionedit6" id="rules_on_authentication_level">Rules on authentication level</h3>
<h3 class="sectionedit6" id="rules_based_on_authentication_level">Rules based on authentication level</h3>
<div class="level3">
<p>
LLNG set an &quot;authentication level&quot; during authentication process. This level is the value of the authentication backend used for this user. Default values are:
LLNG set an &quot;authentication level&quot; during authentication process. This level depends on authentication backend used by this user. Default values are:
</p>
<ul>
<li class="level1"><div class="li"> 0 for <a href="authnull.html" class="wikilink1" title="documentation:2.0:authnull">Null</a></div>
@ -209,18 +209,20 @@ LLNG set an &quot;authentication level&quot; during authentication process. This
</ul>
<p>
There are two way to impose users to have a high authentication level:
There are three ways to impose users a higher authentication level:
</p>
<ul>
<li class="level1"><div class="li"> writing a rule based en authentication level: <code>$authenticationLevel &gt; 3</code></div>
<li class="level1"><div class="li"> writing a rule based on authentication level: <code>$authenticationLevel &gt; 3</code></div>
</li>
<li class="level1"><div class="li"> since 2.0, set a minimum level in virtual host options</div>
<li class="level1"><div class="li"> since 2.0, set a minimum level in virtual host options (default value for ALL access rules)</div>
</li>
<li class="level1"><div class="li"> since 2.0.7, a minimum authentication level can be set for each <abbr title="Uniform Resource Identifier">URI</abbr> access rule. Useful if <abbr title="Uniform Resource Identifier">URI</abbr> are protected by different types of handler (AuthBasic -&gt; level 2, Main -&gt; level set by authentication backend).</div>
</li>
</ul>
<div class="notetip">Instead of returning a 403 code, &quot;minimum level&quot; returns user to a form that explain that a higher level is required and propose the user to reauthenticate himself.
<div class="notetip">Instead of returning a 403 code, &quot;minimum level&quot; returns user to a form that explain that a higher level is required and propose to reauthenticate himself.
</div>
</div>
<!-- EDIT6 SECTION "Rules on authentication level" [3968-4855] -->
<!-- EDIT6 SECTION "Rules based on authentication level" [3968-5088] -->
<h2 class="sectionedit7" id="headers">Headers</h2>
<div class="level2">
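Review bot: grammar in the rewritten sentences of the "Rules based on authentication level" section: "LLNG set an "authentication level"" should be "LLNG sets", "There are three ways to impose users a higher authentication level" should read "There are three ways to require a higher authentication level from users", and the tip "returns user to a form that explain that a higher level is required and propose to reauthenticate himself" should read "redirects the user to a form that explains that a higher level is required and offers to reauthenticate". The new third bullet states that AuthBasic yields level 2 while Main uses the backend level; a link to the page documenting each handler type would help readers find where those values come from.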
@ -250,7 +252,7 @@ Examples:
<td class="col0 leftalign"> Give a non ascii data </td><td class="col1 centeralign"> Display-Name </td><td class="col2 centeralign"> encode_base64($givenName."&nbsp;".$surName,"") </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [5039-5375] -->
<!-- EDIT8 TABLE [5272-5608] -->
<p>
As described in <a href="performances.html#handler_performance" class="wikilink1" title="documentation:2.0:performances">performances chapter</a>, you can use macros, local macros,...
</p>
@ -268,7 +270,7 @@ As described in <a href="performances.html#handler_performance" class="wikilink1
</div>
</div>
<!-- EDIT7 SECTION "Headers" [4856-6048] -->
<!-- EDIT7 SECTION "Headers" [5089-6281] -->
<h2 class="sectionedit9" id="available_functions">Available functions</h2>
<div class="level2">
@ -283,7 +285,7 @@ In addition to macros and name, you can use some functions in rules and headers:
</ul>
</div>
<!-- EDIT9 SECTION "Available functions" [6049-6259] -->
<!-- EDIT9 SECTION "Available functions" [6282-6492] -->
<h2 class="sectionedit10" id="wildcards_in_hostnames">Wildcards in hostnames</h2>
<div class="level2">
@ -306,6 +308,6 @@ Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is
</ol>
</div>
<!-- EDIT10 SECTION "Wildcards in hostnames" [6260-] --></div>
<!-- EDIT10 SECTION "Wildcards in hostnames" [6493-] --></div>
</body>
</html>

View File

@ -4,11 +4,11 @@
describe('00 Lemonldap::NG', function() {
describe('Auth mechanism', function() {
it('Portal should display 11 lang flags', function() {
it('Portal should display 12 lang flags', function() {
browser.driver.get('http://auth.example.com:' + process.env.TESTWEBSERVERPORT + '/');
browser.sleep(500);
browser.driver.findElements(by.className('langicon')).then(function(elems) {
expect(elems.length).toEqual(11);
expect(elems.length).toEqual(12);
});
browser.sleep(500);
browser.driver.findElement(by.xpath("//img[@title='en']")).click();
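Review bot: the expected flag count is hard-coded twice in this hunk, in the `it('Portal should display 12 lang flags', ...)` title and in `expect(elems.length).toEqual(12)`; derive both from one constant (ideally the configured language list) so the next added language does not require editing two places and the title cannot drift from the assertion.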
@ -67,7 +67,7 @@ describe('00 Lemonldap::NG', function() {
browser.driver.findElement(by.xpath("//input[@name='checkLogins']")).click();
browser.driver.findElement(by.xpath("//button[@type='submit']")).click();
expect(browser.driver.findElement(by.css('[trmsg="5"]')).getText()).toEqual('Identifiant ou mot de passe incorrect');
browser.driver.findElement(by.css('[trspan="goToPortal"]')).click();
//browser.driver.findElement(by.css('[trspan="goToPortal"]')).click();
// Login attempt
browser.driver.findElement(by.xpath("//input[@name='user']")).sendKeys('dwho');
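Review bot: the `goToPortal` click is commented out instead of removed; commented-out steps accumulate as dead code and do not say why the step was dropped. If the link is no longer shown after a failed login, delete the line, and if the flow changed, add the assertion that describes the new behaviour.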
@ -77,7 +77,7 @@ describe('00 Lemonldap::NG', function() {
// Change lang
browser.driver.findElement(by.xpath("//img[@title='de']")).click();
expect(browser.driver.findElement(by.css('[trspan="info"]')).getText()).toEqual("Information");
//expect(browser.driver.findElement(by.css('[trspan="info"]')).getText()).toEqual("Information");
});
it('should display history', function() {
// Three entries
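Review bot: with the `[trspan="info"]` expectation commented out, the switch to `de` is exercised without any check that the translation was applied; assert on another translated element after the click so the test still fails on a broken translation, or remove the dead line rather than leaving it commented.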
@ -85,11 +85,10 @@ describe('00 Lemonldap::NG', function() {
expect(elems.length).toEqual(3);
});
// Expect history with two logins and one failed login
browser.driver.findElements(by.xpath('//form/div/div/h3')).then(function(elems) {
expect(elems.length).toEqual(3);
expect(elems[0].getText()).toEqual('Information');
expect(elems[1].getText()).toEqual('Letzte Anmeldungen');
expect(elems[2].getText()).toEqual('Letzte fehlgeschlagene Anmeldungen');
browser.driver.findElements(by.xpath("//div[@id='loginHistory']/div/div/h4")).then(function(elems) {
expect(elems.length).toEqual(2);
expect(elems[0].getText()).toEqual('Letzte Anmeldungen');
expect(elems[1].getText()).toEqual('Letzte fehlgeschlagene Anmeldungen');
});
browser.driver.findElements(by.xpath('//table/thead/tr/th')).then(function(elems) {
expect(elems.length).toEqual(5);
@ -105,10 +104,10 @@ describe('00 Lemonldap::NG', function() {
expect(elems[6].getText()).toEqual('Benutzername oder Passwort nicht korrekt');
});
expect(browser.driver.findElement(by.css('[trspan="PE5"]')).getText()).toEqual('Benutzername oder Passwort nicht korrekt');
expect(browser.driver.findElement(by.id('timer')).getText()).toMatch(/^Du wirst in \d{2} Sekunden umgeleitet$/);
browser.driver.findElement(by.xpath("//button[@type='reset']")).click();
expect(browser.driver.findElement(by.id('timer')).isDisplayed()).toEqual(false);
browser.driver.findElement(by.xpath("//button[@type='submit']")).click();
//expect(browser.driver.findElement(by.id('timer')).getText()).toMatch(/^Du wirst in \d{2} Sekunden umgeleitet$/);
//browser.driver.findElement(by.xpath("//button[@type='reset']")).click();
//expect(browser.driver.findElement(by.id('timer')).isDisplayed()).toEqual(false);
//browser.driver.findElement(by.xpath("//button[@type='submit']")).click();
});
});
});
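Review bot: the four commented-out lines at the end of this `it` block disable the redirect-timer and reset-button checks entirely, so the test now ends without asserting anything about the timer; either remove them or replace them with assertions matching the current timer markup. A block of commented-out assertions is not a reviewable change.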

View File

@ -1,116 +1,116 @@
---
generation: 3
last_run_time: 1568228253.60673
generation: 4
last_run_time: 1578123129.50232
tests:
t/01-Common-Conf.t:
elapsed: 0.0860559940338135
gen: 3
last_pass_time: 1568228253.51096
elapsed: 0.0778188705444336
gen: 4
last_pass_time: 1578123128.45887
last_result: 0
last_run_time: 1568228253.51096
last_run_time: 1578123128.45887
last_todo: 0
mtime: 1566161618
seq: 14
total_passes: 2
mtime: 1569964806
seq: 23
total_passes: 3
t/02-Common-Conf-File.t:
elapsed: 0.0139250755310059
gen: 3
last_pass_time: 1568228253.60618
elapsed: 0.100058794021606
gen: 4
last_pass_time: 1578123128.56113
last_result: 0
last_run_time: 1568228253.60618
last_run_time: 1578123128.56113
last_todo: 0
mtime: 1566161618
seq: 22
total_passes: 2
seq: 24
total_passes: 3
t/03-Common-Conf-CDBI.t:
elapsed: 0.166121959686279
gen: 3
last_pass_time: 1568228253.58678
elapsed: 0.137683868408203
gen: 4
last_pass_time: 1578123128.70288
last_result: 0
last_run_time: 1568228253.58678
last_run_time: 1578123128.70288
last_todo: 0
mtime: 1567458069
seq: 19
total_passes: 2
mtime: 1569964806
seq: 25
total_passes: 3
t/03-Common-Conf-RDBI.t:
elapsed: 0.187541961669922
gen: 3
last_pass_time: 1568228253.60138
elapsed: 0.177071094512939
gen: 4
last_pass_time: 1578123128.88517
last_result: 0
last_run_time: 1568228253.60138
last_run_time: 1578123128.88517
last_todo: 0
mtime: 1567458069
seq: 21
total_passes: 2
mtime: 1569964806
seq: 26
total_passes: 3
t/05-Common-Conf-LDAP.t:
elapsed: 0.157251119613647
gen: 3
last_pass_time: 1568228253.57577
elapsed: 0.149403095245361
gen: 4
last_pass_time: 1578123129.0415
last_result: 0
last_run_time: 1568228253.57577
last_run_time: 1578123129.0415
last_todo: 0
mtime: 1566161616
seq: 16
total_passes: 2
mtime: 1569964806
seq: 27
total_passes: 3
t/30-Common-Safelib.t:
elapsed: 0.0150928497314453
gen: 3
last_pass_time: 1568228253.58625
elapsed: 0.0528419017791748
gen: 4
last_pass_time: 1578123129.09654
last_result: 0
last_run_time: 1568228253.58625
last_run_time: 1578123129.09654
last_todo: 0
mtime: 1566161617
seq: 18
total_passes: 2
seq: 28
total_passes: 3
t/35-Common-Crypto.t:
elapsed: 0.0329771041870117
gen: 3
last_pass_time: 1568228253.46102
elapsed: 0.0592200756072998
gen: 4
last_pass_time: 1578123129.15818
last_result: 0
last_run_time: 1568228253.46102
last_run_time: 1578123129.15818
last_todo: 0
mtime: 1567541253
seq: 12
total_passes: 2
mtime: 1569964806
seq: 29
total_passes: 3
t/36-Common-Regexp.t:
elapsed: 0.00531005859375
gen: 3
last_pass_time: 1568228253.59092
elapsed: 0.0458948612213135
gen: 4
last_pass_time: 1578123129.20648
last_result: 0
last_run_time: 1568228253.59092
last_run_time: 1578123129.20648
last_todo: 0
mtime: 1566161618
seq: 20
total_passes: 2
mtime: 1569964806
seq: 30
total_passes: 3
t/40-Common-Session.t:
elapsed: 0.0833292007446289
gen: 3
last_pass_time: 1568228253.51475
elapsed: 0.0870401859283447
gen: 4
last_pass_time: 1578123129.29591
last_result: 0
last_run_time: 1568228253.51475
last_run_time: 1578123129.29591
last_todo: 0
mtime: 1566161618
seq: 15
total_passes: 2
mtime: 1569964806
seq: 31
total_passes: 3
t/50-Combination-Parser.t:
elapsed: 0.0678761005401611
gen: 3
last_pass_time: 1568228253.50556
elapsed: 0.07663893699646
gen: 4
last_pass_time: 1578123129.37738
last_result: 0
last_run_time: 1568228253.50556
last_run_time: 1578123129.37738
last_todo: 0
mtime: 1566161617
seq: 13
total_passes: 2
mtime: 1569964806
seq: 32
total_passes: 3
t/99-pod.t:
elapsed: 0.100279092788696
gen: 3
last_pass_time: 1568228253.57739
elapsed: 0.122200965881348
gen: 4
last_pass_time: 1578123129.50186
last_result: 0
last_run_time: 1568228253.57739
last_run_time: 1578123129.50186
last_todo: 0
mtime: 1566161617
seq: 17
total_passes: 2
seq: 33
total_passes: 3
version: 1
...
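Review bot: this is a `prove --state` bookkeeping file (`generation`, `last_run_time`, `seq`, `total_passes`) that changes on every local test run, so committing it adds a noisy diff to each merge; add it to `.gitignore` and drop it from the tree.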

View File

@ -304,7 +304,7 @@ languages = en, fr, vi, it, ar, de, fi, tr
; CUSTOM PLUGINS
; If you want to add custom plugins, set list here (comma separated)
; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
;customPlugins = My::Package1, My::Package2
;customPlugins = ::My::Package1, ::My::Package2
; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
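Review bot: the example now uses a leading `::` (`::My::Package1, ::My::Package2`), but the surrounding comment does not say what the prefix means or how a name without it is resolved; add a comment line next to the example explaining the convention so administrators do not copy the wrong form.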

View File

@ -9,7 +9,7 @@ our $VERSION = '2.1.0';
sub compactConf {
my ( $self, $conf ) = @_;
return $conf if ( $conf->{'dontCompactConf'} );
return $conf unless ( $conf->{'compactConf'} );
# Remove unused auth parameters
my %keep;
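Review bot: replacing `return $conf if ( $conf->{'dontCompactConf'} );` with `return $conf unless ( $conf->{'compactConf'} );` inverts the default: configurations that set neither key were compacted before and are not compacted now. Make sure the default-values table, the manager build and the `$boolKeys` list are updated consistently (the boolean-keys regex in this commit does swap `dontCompactConf` for `compactConf`), and mention the behaviour change in the changelog so existing deployments are not surprised.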

View File

@ -23,8 +23,8 @@ use constant HANDLERSECTION => "handler";
use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node)|S(?:erviceMetaDataAuthnContext|torageOptions))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|AllowOffline|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Session|Config)Server|ExportSecretKeys)|fre
shSessions)|d(?:isablePersistentStorage|biDynamicHashEnabled|ontCompactConf)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|br(?:owsersDontStorePassword|uteForceProtection)|(?:(?:globalLogout|active)Tim|wsdlServ)er|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs))$/;
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|ingle(?:Session(?:UserByIP)?|(?:UserBy)?IP)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|AllowOffline|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|heck(?:User(?:Display(?:PersistentInfo|EmptyValues))?|State|XSS)|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|da)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?)?|y(?:Deleted|Other))|AjaxHook)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Session|Config)Server|ExportSecre
tKeys)|freshSessions)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|br(?:owsersDontStorePassword|uteForceProtection)|(?:(?:globalLogout|active)Tim|wsdlServ)er|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs))$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );
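Review bot: the `$hashParameters` and `$boolKeys` regexes are assembled output, and the only differences visible here are the addition of `oidcServiceDynamicRegistrationExportedVars` / `oidcServiceDynamicRegistrationExtraClaims` and the `dontCompactConf` to `compactConf` swap; confirm they were regenerated by the build script rather than edited by hand, since a manual edit of an assembled trie is easy to get wrong and impossible to review line by line.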

View File

@ -54,7 +54,7 @@ sub defaultValues {
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspFormAction' => '\'self\'',
'cspFormAction' => '*',
'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
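Review bot: changing the default `cspFormAction` from `'self'` to `*` removes the form-action restriction from the portal's Content-Security-Policy, so any form rendered by the portal may submit to any origin, which gives up the protection against injected forms exfiltrating credentials. If this is needed for POST bindings to external identity providers or relying parties, prefer computing the allowed targets from the configured partner endpoints, or at least document in a comment why the wildcard is required and keep `'self'` as the default for deployments that do not federate.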

View File

@ -269,9 +269,7 @@ sub _samlMetaDataNodes {
my ( $id, $resp ) = ( 1, [] );
# Return all exported attributes if asked
if ( $query =~
/^saml${type}MetaDataExportedAttributes|samlSPMetaDataMacros$/ )
{
if ( $query =~ /^saml${type}MetaDataExportedAttributes$/ ) {
my $pk =
eval { $self->getConfKey( $req, $query )->{$partner} } // {};
return $self->sendError( $req, undef, 400 ) if ( $req->error );
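Review bot: good fix; in the old expression `/^saml${type}MetaDataExportedAttributes|samlSPMetaDataMacros$/` the `^` and `$` anchors bind to their own alternative, so the left branch matched any query starting with that prefix and the right one anything ending in `samlSPMetaDataMacros`. Since the new pattern is an exact match, `$query eq "saml${type}MetaDataExportedAttributes"` would say so more directly, as the macros branch below already does.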
@ -286,6 +284,21 @@ sub _samlMetaDataNodes {
}
return $self->sendJSONresponse( $req, $resp );
}
elsif ( $query eq "samlSPMetaDataMacros" ) {
my $pk =
eval { $self->getConfKey( $req, $query )->{$partner} } // {};
return $self->sendError( $req, undef, 400 ) if ( $req->error );
foreach my $h ( sort keys %$pk ) {
push @$resp,
{
id => "saml${type}MetaDataNodes/$partner/$query/" . $id++,
title => $h,
data => $pk->{$h},
type => 'keyText',
};
}
return $self->sendJSONresponse( $req, $resp );
}
# Simple root keys
elsif ( $query =~ /^saml${type}MetaDataXML$/ ) {
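Review bot: the new `elsif ( $query eq "samlSPMetaDataMacros" )` branch does not check `$type`, yet it builds ids as `saml${type}MetaDataNodes/$partner/$query/...`; when `$type` is `IDP`, a `samlSPMetaDataMacros` query would be answered with IDP-prefixed node ids. Guard the branch with `$type eq 'SP'` or derive the query name from `$type`. The body also duplicates the ExportedAttributes loop above except for `type => 'keyText'`; a small helper taking the node type would remove the copy.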

View File

@ -22,7 +22,7 @@ our $specialNodeHash = {
};
our $doubleHashKeys = 'issuerDBGetParameters';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|c(?:as(?:StorageOption|Attribute)|ustom(?:Plugins|Add)Param|ombModule)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|macro)s|o(?:idcS(?:erviceMetaDataAuthnContext|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember|fExtra)|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|S(?:MTPTLSOpts|SLVarIf))';
our $simpleHashKeys = '(?:(?:l(?:o(?:calSessionStorageOption|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|c(?:as(?:StorageOption|Attribute)|ustom(?:Plugins|Add)Param|ombModule)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|(?:(?:d(?:emo|bi)|facebook|webID)E|e)xportedVar|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|p(?:ersistentStorageOption|ortalSkinRule)|macro)s|o(?:idcS(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|penIdExportedVars)|s(?:(?:amlStorageOption|laveExportedVar)s|essionDataToRemember|fExtra)|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|S(?:MTPTLSOpts|SLVarIf))';
our $specialNodeKeys = '(?:(?:(?:saml(?:ID|S)|oidc[OR])P|cas(?:App|Srv))MetaDataNode|virtualHost)s';
our $casAppMetaDataNodeKeys = 'casAppMetaData(?:Options(?:UserAttribut|Servic|Rul)e|(?:ExportedVar|Macro)s)';
our $casSrvMetaDataNodeKeys = 'casSrvMetaData(?:Options(?:ProxiedServices|DisplayName|SortNumber|Gateway|Renew|Icon|Url)|ExportedVars)';
@ -68,6 +68,6 @@ our $issuerParameters = {
issuerOptions => [qw(issuersTimeout)],
};
our $samlServiceParameters = [qw(samlEntityID samlServicePrivateKeySig samlServicePrivateKeySigPwd samlServicePublicKeySig samlServicePrivateKeyEnc samlServicePrivateKeyEncPwd samlServicePublicKeyEnc samlServiceUseCertificateInResponse samlServiceSignatureMethod samlNameIDFormatMapEmail samlNameIDFormatMapX509 samlNameIDFormatMapWindows samlNameIDFormatMapKerberos samlAuthnContextMapPassword samlAuthnContextMapPasswordProtectedTransport samlAuthnContextMapTLSClient samlAuthnContextMapKerberos samlOrganizationDisplayName samlOrganizationName samlOrganizationURL samlSPSSODescriptorAuthnRequestsSigned samlSPSSODescriptorWantAssertionsSigned samlSPSSODescriptorSingleLogoutServiceHTTPRedirect samlSPSSODescriptorSingleLogoutServiceHTTPPost samlSPSSODescriptorSingleLogoutServiceSOAP samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact samlSPSSODescriptorAssertionConsumerServiceHTTPPost samlSPSSODescriptorArtifactResolutionServiceArtifact samlIDPSSODescriptorWantAuthnRequestsSigned samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect samlIDPSSODescriptorSingleSignOnServiceHTTPPost samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect samlIDPSSODescriptorSingleLogoutServiceHTTPPost samlIDPSSODescriptorSingleLogoutServiceSOAP samlIDPSSODescriptorArtifactResolutionServiceArtifact samlAttributeAuthorityDescriptorAttributeServiceSOAP samlMetadataForceUTF8 samlStorage samlStorageOptions samlRelayStateTimeout samlUseQueryStringSpecific samlCommonDomainCookieActivation samlCommonDomainCookieDomain samlCommonDomainCookieReader samlCommonDomainCookieWriter samlDiscoveryProtocolActivation samlDiscoveryProtocolURL samlDiscoveryProtocolPolicy samlDiscoveryProtocolIsPassive samlOverrideIDPEntityID)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataIntrospectionURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcServiceAuthorizationCodeExpiration oidcServiceAccessTokenExpiration oidcServiceIDTokenExpiration oidcServiceOfflineSessionExpiration oidcStorage oidcStorageOptions)];
our $oidcServiceParameters = [qw(oidcServiceMetaDataAuthorizeURI oidcServiceMetaDataTokenURI oidcServiceMetaDataUserInfoURI oidcServiceMetaDataJWKSURI oidcServiceMetaDataRegistrationURI oidcServiceMetaDataIntrospectionURI oidcServiceMetaDataEndSessionURI oidcServiceMetaDataCheckSessionURI oidcServiceMetaDataFrontChannelURI oidcServiceMetaDataBackChannelURI oidcServiceMetaDataAuthnContext oidcServicePrivateKeySig oidcServicePublicKeySig oidcServiceKeyIdSig oidcServiceAllowDynamicRegistration oidcServiceAllowAuthorizationCodeFlow oidcServiceAllowImplicitFlow oidcServiceAllowHybridFlow oidcServiceAuthorizationCodeExpiration oidcServiceAccessTokenExpiration oidcServiceIDTokenExpiration oidcServiceOfflineSessionExpiration oidcStorage oidcStorageOptions oidcServiceDynamicRegistrationExportedVars oidcServiceDynamicRegistrationExtraClaims)];
1;

View File

@ -34,11 +34,11 @@ has notifField => (
sub getNotifications {
my ( $self, $uid ) = @_;
my $forAll = $self->get( $self->conf->{notificationWildcard} );
if ( $uid and $uid eq '_all_' ) {
$self->logger->info("Retrieve ALL pending notifications");
my $all = $self->getAll();
if ( $uid and $uid =~ /^_all(Pending|Existing)_$/ ) {
$self->logger->info("Retrieve all $1 notifications");
my $all = ( $1 eq 'Pending' ? $self->getAll() : $self->getExisting() );
$all = { map { $_ => to_json( $all->{$_} ) } keys %$all };
return { %$all, %$forAll };
return ( $forAll ? { %$all, %$forAll } : $all );
}
my $forUser = $self->get($uid);
if ( $forUser and $forAll ) {
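Review bot: `$1` from `$uid =~ /^_all(Pending|Existing)_$/` is reused after a logger call and after the `getAll`/`getExisting` call; Perl restores capture variables when a nested scope exits, so this works, but it is fragile. Copy the capture into a lexical first, e.g. `if ( $uid and my ($kind) = $uid =~ /^_all(Pending|Existing)_$/ )`, and use `$kind` below. The old `_all_` value is no longer accepted, so every caller passing `_all_` must be updated in the same change. The `$forAll ? { %$all, %$forAll } : $all` guard is a good fix for the case where no wildcard notification exists.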

View File

@ -93,9 +93,9 @@ sub get {
}
## @method hashref getAll()
# Return all messages not notified.
# Return all pending notifications.
# @return hashref where keys are internal reference and values are hashref with
# keys date, uid and ref.
# keys date, uid, ref and condition.
sub getAll {
my $self = shift;
$self->_execute( 'SELECT * FROM '
@ -114,6 +114,26 @@ sub getAll {
return $result;
}
## @method hashref getExisting()
# Return all notifications.
# @return hashref where keys are internal reference and values are hashref with
# keys date, uid, ref and condition.
sub getExisting {
my $self = shift;
$self->_execute( 'SELECT * FROM ' . $self->dbiTable . ' ORDER BY date' );
my $result;
while ( my $h = $self->sth->fetchrow_hashref() ) {
$result->{"$h->{date}#$h->{uid}#$h->{ref}"} = {
date => $h->{date},
uid => $h->{uid},
ref => $h->{ref},
condition => $h->{condition}
};
}
$self->logger->warn( $self->sth->err() ) if ( $self->sth->err() );
return $result;
}
## @method boolean delete(string myref)
# Mark a notification as done.
# @param $myref identifier returned by get() or getAll()
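Review bot: `my $result;` leaves `getExisting` returning undef when the table is empty, while the LDAP implementation of the same method in this commit initialises `my $result = {};`; initialise to `{}` here too so callers can dereference the result without a guard. The row-to-hash loop is a copy of `getAll` with a different SELECT; a private helper shared by both would keep them in step (the `condition` key built here should then also appear in `getAll`'s result, as its updated doc comment now promises).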
@ -172,7 +192,12 @@ sub purge {
# @return true if succeed
sub newNotif {
my ( $self, $date, $uid, $ref, $condition, $xml ) = @_;
my @t = split( /\D+/, $date );
$t[1]--;
eval {
timelocal( $t[5] || 0, $t[4] || 0, $t[3] || 0, $t[2], $t[1], $t[0] );
};
return ( 0, "Bad date" ) if ($@);
my $res =
$condition =~ /.+/
? $self->_execute( 'INSERT INTO '
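Review bot: this date check (`split( /\D+/, $date )`, `$t[1]--`, `eval { timelocal(...) }`, `return ( 0, "Bad date" ) if ($@)`) is pasted verbatim into the DBI, File and LDAP `newNotif` methods in this commit; move it to one helper in the common Notifications base class so the three backends cannot drift. The `$t[1]--` is required because `timelocal` takes a zero-based month, and leaving `$t[2]` (the day) without a `|| 0` default is right, since a missing day must fail; say in the method comment that the accepted format is `YYYY-MM-DD`.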
@ -198,8 +223,15 @@ sub getDone {
my $result;
while ( my $h = $self->sth->fetchrow_hashref() ) {
my @t = split( /\D+/, $h->{date} );
my $done =
timelocal( $t[5] || 0, $t[4] || 0, $t[3] || 0, $t[2], $t[1], $t[0] );
$t[1]--;
my $done = eval {
timelocal( $t[5] || 0, $t[4] || 0, $t[3] || 0, $t[2], $t[1],
$t[0] );
};
if ($@) {
$self->logger->warn("Bad date: $h->{date}");
return {};
}
$result->{"$h->{date}#$h->{uid}#$h->{ref}"} =
{ notified => $done, uid => $h->{uid}, ref => $h->{ref}, };
}
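Review bot: a single unparsable `date` value now makes `getDone` return `{}` and discard every row already collected (`return {};` right after `$self->logger->warn("Bad date: $h->{date}")`); prefer `next;` so one corrupt row is logged and skipped instead of hiding all done notifications from the manager. The added `$t[1]--` is a real fix: `timelocal` expects a zero-based month, so the previous code computed every `notified` timestamp one month late.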

View File

@ -7,6 +7,7 @@ package Lemonldap::NG::Common::Notifications::File;
use strict;
use Mouse;
use Time::Local;
use MIME::Base64;
our $VERSION = '2.1.0';
@ -58,9 +59,9 @@ sub get {
}
## @method hashref getAll()
# Return all messages not notified.
# Return all pending notifications.
# @return hashref where keys are internal reference and values are hashref with
# keys date, uid and ref.
# keys date, uid, ref and condition.
sub getAll {
my $self = shift;
opendir D, $self->{dirName};
@ -82,6 +83,31 @@ sub getAll {
return \%h;
}
## @method hashref getExisting()
# Return all notifications.
# @return hashref where keys are internal reference and values are hashref with
# keys date, uid, ref and condition.
sub getExisting {
my $self = shift;
opendir D, $self->{dirName};
my @notif;
my $fns = $self->{fileNameSeparator};
@notif = grep /^\S*\.$ext$/, readdir(D);
my %h = map {
/^(\d{8})${fns}([^\s${fns}]+)${fns}([^\s${fns}]+)(?:${fns}([^\s${fns}]+))?\.(?:$ext|done)$/
? (
$_ => {
date => $1,
uid => $2,
ref => decode_base64($3),
condition => decode_base64( $4 // '' )
}
)
: ()
} @notif;
return \%h;
}
## @method boolean delete(string myref)
# Mark a notification as done.
# @param $myref identifier returned by get() or getAll()
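Review bot: `getExisting` is documented as returning all notifications, but the directory listing is filtered with `grep /^\S*\.$ext$/`, so `.done` files never reach the `map` even though its regex accepts `(?:$ext|done)`; either include `.done` in the grep or this method returns exactly what `getAll` does. Separately, `opendir D, $self->{dirName}` uses a bareword handle, ignores a failed open (`readdir` then silently yields nothing) and is not closed in this hunk; `opendir( my $dh, $self->{dirName} ) or return {}` with a logged error and a `closedir` would be safer. `$fns` also has no `'_'` fallback here, unlike `newNotif` below.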
@ -104,6 +130,13 @@ sub purge {
sub newNotif {
my ( $self, $date, $uid, $ref, $condition, $content ) = @_;
my $fns = $self->{fileNameSeparator};
$fns ||= '_';
my @t = split( /\D+/, $date );
$t[1]--;
eval {
timelocal( $t[5] || 0, $t[4] || 0, $t[3] || 0, $t[2], $t[1], $t[0] );
};
return ( 0, "Bad date" ) if ($@);
$date =~ s/-//g;
return ( 0, "Bad date" ) unless ( $date =~ /^\d{8}/ );
my $filename =

View File

@ -78,15 +78,13 @@ sub get {
}
## @method hashref getAll()
# Return all messages not notified.
# Return all pending notifications.
# @return hashref where keys are internal reference and values are hashref with
# keys date, uid and ref.
# keys date, uid, ref and condition.
sub getAll {
my $self = shift;
my $self = shift;
my @entries = $self->_search(
'(&(objectClass=applicationProcess)(!(description={done}*)))');
my $result = {};
foreach my $entry (@entries) {
my @notifValues = $entry->get_value('description');
@ -102,10 +100,34 @@ sub getAll {
ref => $f->{ref},
cond => $f->{condition},
};
}
return $result;
}
## @method hashref getExisting()
# Return all notifications.
# @return hashref where keys are internal reference and values are hashref with
# keys date, uid, ref and condition.
sub getExisting {
my $self = shift;
my @entries = $self->_search('objectClass=applicationProcess');
my $result = {};
foreach my $entry (@entries) {
my @notifValues = $entry->get_value('description');
my $f = {};
foreach (@notifValues) {
my ( $k, $v ) = ( $_ =~ /\{(.*?)\}(.*)/smg );
$v = decodeLdapValue($v);
$f->{$k} = $v;
}
$result->{"$f->{date}#$f->{uid}#$f->{ref}"} = {
date => $f->{date},
uid => $f->{uid},
ref => $f->{ref},
cond => $f->{condition},
};
}
return $result;
}
## @method boolean delete(string myref)
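Review bot: the result hash uses `cond => $f->{condition}` while the doc comment above names the key `condition` and the DBI and File backends emit `condition =>`; code iterating over results from mixed backends will miss the condition for LDAP. Rename it to `condition` (and in `getAll`, whose context lines show the same `cond` key). The filter `'objectClass=applicationProcess'` also lacks the enclosing parentheses used by the `getAll` filter; keep the `(objectClass=applicationProcess)` form for consistency.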
@ -165,6 +187,12 @@ sub newNotif {
my ( $self, $date, $uid, $ref, $condition, $xml ) = @_;
my $fns = $self->conf->{fileNameSeparator};
$fns ||= '_';
my @t = split( /\D+/, $date );
$t[1]--;
eval {
timelocal( $t[5] || 0, $t[4] || 0, $t[3] || 0, $t[2], $t[1], $t[0] );
};
return ( 0, "Bad date" ) if ($@);
$date =~ s/-//g;
return ( 0, "Bad date" ) unless ( $date =~ /^\d{8}/ );
my $cn = "${date}${fns}${uid}${fns}" . encode_base64( $ref, '' );
@ -208,16 +236,20 @@ sub getDone {
$v = decodeLdapValue($v);
$f->{$k} = $v;
}
my @t = split( /\D+/, $f->{done} );
my $done = timelocal( $t[5], $t[4], $t[3], $t[2], $t[1], $t[0] );
my @t = split( /\D+/, $f->{done} );
$t[1]--;
my $done =
eval { timelocal( $t[5], $t[4], $t[3], $t[2], $t[1], $t[0] ) };
if ($@) {
$self->logger->warn("Bad date: $f->{done}");
return {};
}
$result->{"$f->{date}#$f->{uid}#$f->{ref}"} =
{ notified => $done, uid => $f->{uid}, ref => $f->{ref}, };
}
# $ldap->unbind() && delete $self->{ldap};
return $result;
}
## @method object private _ldap()
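Review bot: `timelocal( $t[5], $t[4], $t[3], $t[2], $t[1], $t[0] )` has no `|| 0` defaults, unlike the DBI `getDone` changed in this same commit, so a `done` value holding only a date passes undef for hour, minute and second and emits "uninitialized value" warnings on every call; align the two. Same remark as for DBI: `return {};` on the first bad row drops all rows already collected, and `next` after the warning would serve the manager better.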

View File

@ -438,15 +438,16 @@ sub goToError {
# @return Value of the cookie if found, 0 else
sub fetchId {
my ( $class, $req ) = @_;
my $t = $req->{env}->{HTTP_COOKIE} or return 0;
my $vhost = $class->resolveAlias($req);
my $t = $req->{env}->{HTTP_COOKIE} or return 0;
my $vhost = $class->resolveAlias($req);
$class->logger->debug("VH $vhost is HTTPS") if $class->_isHttps( $req, $vhost );
my $lookForHttpCookie = ( $class->tsv->{securedCookie} =~ /^(2|3)$/
and not $class->_isHttps( $req, $vhost ) );
my $cn = $class->tsv->{cookieName};
my $value =
$lookForHttpCookie
? ( $t =~ /${cn}http=([^,; ]+)/o ? $1 : 0 )
: ( $t =~ /$cn=([^,; ]+)/o ? $1 : 0 );
: ( $t =~ /$cn=([^,; ]+)/o ? $1 : 0 );
if ( $value && $lookForHttpCookie && $class->tsv->{securedCookie} == 3 ) {
$value = $class->tsv->{cipher}->decryptHex( $value, "http" );
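Review bot: `_isHttps( $req, $vhost )` is now evaluated twice per request, once for the debug message and again for `$lookForHttpCookie`; compute it once into a lexical (`my $https = $class->_isHttps( $req, $vhost );`) and use it in both places. While here, the `/o` modifier on the `${cn}http=` and `$cn=` regexes (unchanged lines) freezes the cookie name at first compilation, so a `cookieName` change applied through configuration reload is not picked up until the process restarts.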
@ -481,6 +482,9 @@ sub retrieveSession {
$class->logger->debug("Get session $id from Handler internal cache");
return $class->data;
}
else {
$class->data( {} );
}
# 2. Get the session from cache or backend
my $session = $req->data->{session} = (
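Review bot: the new `else { $class->data( {} ); }` resets the per-thread session copy whenever the requested `$id` is not the cached one, which removes the possibility that a request served on this thread sees attributes belonging to the previous session if the lookup below fails; this is a security-relevant fix and deserves a changelog line and a regression test (request A with session X, then request B with an unknown id, assert `$class->data` is empty).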
@ -574,11 +578,8 @@ sub retrieveSession {
# Returns the port on which this vhost is accessed
# @param $s VHost name
# @return PORT
sub _getPort {
my ( $class, $req, $vhost ) = @_;
if ( defined $class->tsv->{port}->{$vhost}
and ( $class->tsv->{port}->{$vhost} > 0 ) )
{
@ -595,15 +596,14 @@ sub _getPort {
}
}
}
## @cmethod private boot _isHttps(string s)
# Returns whether this VHost should he accessed
## @cmethod private bool _isHttps(string s)
# Returns whether this VHost should be accessed
# via HTTPS
# @param $s VHost name
# @return RUE if the vhost should be accessed over HTTPS
# @return TRUE if the vhost should be accessed over HTTPS
sub _isHttps {
my ( $class, $req, $vhost ) = @_;
if ( defined $class->tsv->{https}->{$vhost}
and ( $class->tsv->{https}->{$vhost} > -1 ) )
{
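Review bot: the comment fixes (`bool`, `be`, `TRUE`) are welcome, but `# @param $s VHost name` still does not match the signature `my ( $class, $req, $vhost ) = @_;` two lines below (the same mismatch is visible in `_getPort` above); update the `@param` lines to `$req` and `$vhost`.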
@ -767,15 +767,11 @@ sub abort {
sub localUnlog {
my ( $class, $req, $id ) = @_;
$class->logger->debug('Local handler logout');
if ( $id //= $class->fetchId($req) ) {
# Delete thread data
if ( $class->data->{_session_id}
and $id eq $class->data->{_session_id} )
{
$class->data( {} );
}
delete $req->data->{session};
# Delete thread data
delete $req->data->{session};
$class->data( {} );
if ( $id //= $class->fetchId($req) ) {
# Delete local cache
if ( $class->tsv->{refLocalStorage}
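Review bot: clearing `$req->data->{session}` and `$class->data( {} )` unconditionally, before `fetchId`, is consistent with the `retrieveSession` change and avoids keeping stale session data on the thread; note that when a caller passes an explicit `$id` for a session other than the current request's, the thread copy of the current session is now dropped as well and will be re-fetched on next access, which is harmless but worth stating in the `# Delete thread data` comment.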

View File

@ -971,6 +971,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
},
'type' => 'cmbModuleContainer'
},
'compactConf' => {
'default' => 0,
'type' => 'bool'
},
'configStorage' => {
'type' => 'text'
},
@ -1052,7 +1056,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'type' => 'text'
},
'cspFormAction' => {
'default' => '\'self\'',
'default' => '*',
'type' => 'text'
},
'cspImg' => {
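Review bot: changing the default `form-action` from `'self'` to `*` removes the directive's protection entirely for new installations: with `*`, any page served by the portal may submit forms to any origin, so a form injected through a template or content bug can send credentials off-site where the previous policy confined them to the portal origin. If the motivation is POST-based redirection to remote sites (SAML HTTP-POST bindings, CAS or OIDC form posts), record it in the commit message or documentation, and consider a default of `'self'` plus the federated partners rather than `*`, or at least a documented recommendation that administrators restore `'self'` when no cross-origin form posting is needed. The same default flip appears in the `Attributes.pm` hunk below.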
@ -1188,10 +1192,6 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
qr/^(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][-a-zA-Z0-9]*[a-zA-Z0-9]|[a-zA-Z])[.]?))?$/,
'type' => 'text'
},
'dontCompactConf' => {
'default' => 0,
'type' => 'bool'
},
'exportedAttr' => {
'type' => 'text'
},
@ -2207,6 +2207,12 @@ qr/^(?:\*\.)?(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.])*(?:[a-zA-Z][
'default' => 60,
'type' => 'int'
},
'oidcServiceDynamicRegistrationExportedVars' => {
'type' => 'keyTextContainer'
},
'oidcServiceDynamicRegistrationExtraClaims' => {
'type' => 'keyTextContainer'
},
'oidcServiceIDTokenExpiration' => {
'default' => 3600,
'type' => 'int'

View File

@ -390,10 +390,10 @@ sub attributes {
msgFail => '__badUrl__',
documentation => 'URL to call on reload',
},
dontCompactConf => {
compactConf => {
type => 'bool',
default => 0,
documentation => 'Don t compact configuration',
documentation => 'Compact configuration',
},
portalMainLogo => {
type => 'text',
@ -847,7 +847,7 @@ sub attributes {
},
cspFormAction => {
type => 'text',
default => "'self'",
default => "*",
documentation =>
'Form action destination for Content-Security-Policy',
},
@ -1518,6 +1518,53 @@ sub attributes {
default => 0
},
# Certificate reset by mail
certificateResetByMailCeaAttribute => {
type => 'text',
default => 'description'
},
certificateResetByMailCertificateAttribute => {
type => 'text',
default => 'userCertificate;binary',
},
certificateResetByMailStep1Body => {
type => 'longtext',
documentation => 'Custom Certificate reset mail body',
},
certificateResetByMailStep2Body => {
type => 'longtext',
documentation => 'Custom confirm Certificate reset mail body',
},
certificateResetByMailStep2Subject => {
type => 'text',
documentation => 'Mail subject for reset confirmation',
},
certificateResetByMailStep1Subject => {
type => 'text',
documentation => 'Mail subject for certificate reset email',
},
certificateResetByMailURL => {
type => 'url',
default => 'http://auth.example.com/certificateReset',
documentation => 'URL of certificate reset page',
},
certificateResetByMailSender => {
type => 'text',
default => 'noreply@example.com',
documentation => 'URL of certificate reset page',
},
certificateResetByMailReplyTo => {
type => 'text',
default => 'noreply@example.com',
documentation => 'URL of certificate reset page',
},
certificateResetByMailValidityDelay => {
type => 'int',
default => 0
},
# Registration
registerConfirmSubject => {
type => 'text',
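Review bot: the `documentation` strings of `certificateResetByMailSender` and `certificateResetByMailReplyTo` read `'URL of certificate reset page'`, copied from `certificateResetByMailURL`; they should describe the sender and reply-to addresses. `certificateResetByMailURL` defaults to `http://auth.example.com/certificateReset`: the link mailed to the user carries the reset token, so the default should be `https://`. `certificateResetByMailCeaAttribute` (default `description`) and `certificateResetByMailValidityDelay` (default 0) have no `documentation` at all; the former should say what the CEA attribute holds, the latter its unit.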
@ -2206,9 +2253,9 @@ sub attributes {
type => 'keyTextContainer',
help =>
'exportedvars.html#extend_variables_using_macros_and_groups',
test => {
keyTest => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
keyMsgFail => '__badMacroName__',
test => {
keyTest => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
keyMsgFail => '__badMacroName__',
test => sub { return perlExpr(@_) },
},
default => {},
@ -2817,9 +2864,9 @@ sub attributes {
type => 'keyTextContainer',
help =>
'exportedvars.html#extend_variables_using_macros_and_groups',
test => {
keyTest => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
keyMsgFail => '__badMacroName__',
test => {
keyTest => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
keyMsgFail => '__badMacroName__',
test => sub { return perlExpr(@_) },
},
default => {},
@ -3745,6 +3792,16 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
default => 3600,
documentation => 'OpenID Connect global access token TTL',
},
oidcServiceDynamicRegistrationExportedVars => {
type => 'keyTextContainer',
documentation =>
'OpenID Connect exported variables for dynamic registration',
},
oidcServiceDynamicRegistrationExtraClaims => {
type => 'keyTextContainer',
documentation =>
'OpenID Connect extra claims for dynamic registration',
},
oidcServiceIDTokenExpiration => {
type => 'int',
default => 3600,
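Review bot: both new `keyTextContainer` attributes lack the `test => { keyTest => ..., keyMsgFail => ... }` block that the macro containers in the surrounding hunks carry, so the manager accepts any claim name, including ones with spaces or reserved characters, without feedback. More importantly, these variables are released to relying parties created through dynamic registration, that is clients nobody vetted (the feature gated by `oidcServiceAllowDynamicRegistration`); the documentation string should say so, so that administrators keep this set minimal, and a `help` link to the dynamic-registration documentation would be useful.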
@ -3916,9 +3973,9 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
type => 'keyTextContainer',
help =>
'exportedvars.html#extend_variables_using_macros_and_groups',
test => {
keyTest => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
keyMsgFail => '__badMacroName__',
test => {
keyTest => qr/^[_a-zA-Z][a-zA-Z0-9_]*$/,
keyMsgFail => '__badMacroName__',
test => sub { return perlExpr(@_) },
},
default => {},

View File

@ -582,8 +582,7 @@ sub tree {
{
title => 'reloadParams',
help => 'configlocation.html#configuration_reload',
nodes =>
[ 'reloadUrls', 'reloadTimeout', 'dontCompactConf' ]
nodes => [ 'reloadUrls', 'reloadTimeout', 'compactConf' ]
},
{
title => 'plugins',
@ -592,6 +591,7 @@ sub tree {
'stayConnected',
'portalStatus',
'upgradeSession',
'refreshSessions',
{
title => 'portalServers',
help => 'portalservers.html',
@ -697,6 +697,34 @@ sub tree {
}
]
},
{
title => 'certificateResetByMailManagement',
help => 'resetcertificate.html',
nodes => [ {
title => 'certificateMailContent',
form => 'simpleInputContainer',
nodes => [
'certificateResetByMailSender',
'certificateResetByMailReplyTo',
'certificateResetByMailStep1Subject',
'certificateResetByMailStep1Body',
'certificateResetByMailStep2Subject',
'certificateResetByMailStep2Body'
]
},
{
title => 'mailOther',
form => 'simpleInputContainer',
nodes => [
'certificateResetByMailURL',
'certificateResetByMailCeaAttribute',
'certificateResetByMailCertificateAttribute',
'certificateResetByMailValidityDelay'
]
}
]
},
{
title => 'register',
help => 'register.html',
@ -773,7 +801,6 @@ sub tree {
help => 'plugincustom.html',
nodes => [ 'customPlugins', 'customPluginsParams' ]
},
'refreshSessions',
]
},
{
@ -1069,7 +1096,8 @@ sub tree {
help => 'samlservice.html#organization',
form => 'simpleInputContainer',
nodes => [
'samlOrganizationDisplayName', 'samlOrganizationName',
'samlOrganizationDisplayName',
'samlOrganizationName',
'samlOrganizationURL'
]
},
@ -1228,6 +1256,8 @@ sub tree {
title => "oidcServiceMetaDataSessions",
nodes => [ 'oidcStorage', 'oidcStorageOptions', ],
},
'oidcServiceDynamicRegistrationExportedVars',
'oidcServiceDynamicRegistrationExtraClaims',
]
},
'oidcOPMetaDataNodes',

View File

@ -115,19 +115,19 @@ sub check {
$self->message('__confNotChanged__');
return 0;
}
unless ( $self->newConf->{dontCompactConf} ) {
if ( $self->newConf->{compactConf} ) {
foreach ( sort keys %conf ) {
push @removedKeys, $_ unless exists $compactedConf{$_};
}
}
push @{ $self->changes },
(
$self->{newConf}->{dontCompactConf}
? { confCompacted => '0' }
: {
$self->{newConf}->{compactConf}
? {
confCompacted => '1',
removedKeys => join( $separator, @removedKeys )
}
}
: { confCompacted => '0' }
);
return 1;
}
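Review bot: replacing `unless ( ... {dontCompactConf} )` with `if ( ... {compactConf} )` while both attributes default to 0 (see the `Attributes.pm` hunk, `default => 0` for `compactConf`) inverts the default behaviour: configurations were compacted unless an administrator opted out and are now left uncompacted unless an administrator opts in. This belongs in the changelog, and stored configurations that still carry `dontCompactConf` are now silently ignored since only `compactConf` is read; consider honouring `dontCompactConf` for one release or logging that the old key is obsolete.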
@ -266,7 +266,8 @@ sub _scanNodes {
$leaf->{comment}
? "(?#$leaf->{comment})$leaf->{re}"
: $leaf->{re};
$k .= "(?#AuthnLevel=$leaf->{level})" if $leaf->{level};
$k .= "(?#AuthnLevel=$leaf->{level})"
if $leaf->{level};
$self->set( $target, $key, $k, $leaf->{data} );
}
else {
@ -334,7 +335,9 @@ sub _scanNodes {
hdebug(" SAML data is an array, serializing");
$leaf->{data} = join ';', @{ $leaf->{data} };
}
if ( $target =~ /^saml(?:S|ID)PMetaData(?:ExportedAttributes|Macros)$/ ) {
if ( $target =~
/^saml(?:S|ID)PMetaData(?:ExportedAttributes|Macros)$/ )
{
if ( $leaf->{cnodes} ) {
hdebug(" $target: unopened node");
$self->newConf->{$target}->{$key} =
@ -394,7 +397,9 @@ sub _scanNodes {
hdebug(" $target");
$self->set( $target, $key, $leaf->{data} );
}
elsif ( $target =~ /^oidc(?:O|R)PMetaData(?:ExportedVars|Macros)$/ ) {
elsif (
$target =~ /^oidc(?:O|R)PMetaData(?:ExportedVars|Macros)$/ )
{
hdebug(" $target");
if ( $leaf->{cnodes} ) {
hdebug(' unopened');
@ -463,7 +468,9 @@ sub _scanNodes {
$self->_scanNodes($subNodes);
$self->set( $target, $key, $leaf->{title}, $leaf->{data} );
}
elsif ( $target =~ /^cas(?:App|Srv)MetaData(?:ExportedVars|Macros)$/ ) {
elsif ( $target =~
/^cas(?:App|Srv)MetaData(?:ExportedVars|Macros)$/ )
{
hdebug(" $target");
if ( $leaf->{cnodes} ) {
hdebug(' unopened');

View File

@ -719,6 +719,26 @@ sub tests {
return 1;
},
# OIDC redirect URI must not be empty
oidcRPRedirectURINotEmpty => sub {
return 1
unless ( $conf->{oidcRPMetaDataOptions}
and %{ $conf->{oidcRPMetaDataOptions} } );
my @msg;
my $res = 1;
foreach my $oidcRpId ( keys %{ $conf->{oidcRPMetaDataOptions} } ) {
unless ( $conf->{oidcRPMetaDataOptions}->{$oidcRpId}
->{oidcRPMetaDataOptionsRedirectUris} )
{
push @msg,
"$oidcRpId OpenID Connect RP has no redirect URI defined";
$res = 0;
next;
}
}
return ( $res, join( ', ', @msg ) );
},
};
}
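Review bot: `oidcRPRedirectURINotEmpty` only checks that `oidcRPMetaDataOptionsRedirectUris` is truthy; since the registered redirect URIs are what prevents an authorization code or token from being delivered to an unintended location, the test should also validate each entry (absolute URL, no fragment, and a warning for plain `http://` outside loopback) rather than accept any non-empty string. The `next;` at the end of the `unless` block is redundant, as it is the last statement in the loop body.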

File diff suppressed because one or more lines are too long

File diff suppressed because one or more lines are too long

View File

@ -275,7 +275,7 @@
"dateTitle":"تاريخ",
"dn":"دي أن",
"domain":"نطاق",
"dontCompactConf":"Don't compact configuration file",
"compactConf":"Compact configuration file",
"download":"تحميل",
"downloadIt":"نزله",
"duplicate":"مكررة",
@ -618,6 +618,8 @@
"oidcServiceKeyIdSig":"توقيع على هوية المفتاح ",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"انتهاء صلاحية التوكن",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars for dynamic registration",
"oidcServiceDynamicRegistrationExtraClaims":"Extra claims for dynamic registration",
"oidcServiceIDTokenExpiration":" انتهاء صلاحية تعريف التوكن",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"اسم وحدة الجلسات",
@ -1105,4 +1107,4 @@
"samlRelayStateTimeout":"تناوب حالة مهلة الجلسة ",
"samlUseQueryStringSpecific":"استخدام أسلوب query_string المعين",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

View File

@ -142,10 +142,10 @@
"casStorageOptions":"CAS sessions module options",
"categoryName":"Category name",
"cda":"Mehrere Domains",
"certifcateMailContent":"Certificate mail content",
"certificateMailContent":"Certificate mail content",
"certificateResetByMailManagement":"Certificate reset management",
"certificateResetByMailURL":"Reset page URL",
"certificateResetByMailCeaAttribute":"Certificate attibute name",
"certificateResetByMailCeaAttribute":"Certificate CEA attibute",
"certificateResetByMailCertificateAttribute":"Certificate attribute name",
"certificateResetByMailSender":"Mail sender",
"certificateResetByMailReplyTo":"Reply address",
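Review bot: the new value `"Certificate CEA attibute"` keeps the misspelling `attibute` from the line it replaces; the same string is copied verbatim into the en, tr, vi and zh files in this commit, so fix it once in the en source and re-propagate. Leaving these strings in English in a de file is acceptable as an untranslated placeholder.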
@ -154,7 +154,7 @@
"certificateResetByMailStep2Subject":"Confirmation mail subject",
"certificateResetByMailStep2Body":"Confirmation mail content",
"certificateResetByMailValidityDelay":"Minimum duration before expiration",
"portalDisplayCertificateResetByMail":"Reset your Certificate",
"portalDisplayCertificateResetByMail":"Reset your certificate",
"contentSecurityPolicy":"Content security policy",
"contextSwitching":"Switch context another user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
@ -274,7 +274,7 @@
"dateTitle":"Dates",
"dn":"DN",
"domain":"Domain",
"dontCompactConf":"Don't compact configuration file",
"compactConf":"Compact configuration file",
"download":"Download",
"downloadIt":"Download it",
"duplicate":"Duplicate",
@ -617,6 +617,8 @@
"oidcServiceKeyIdSig":"Signing key ID",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"Access Token expiration",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars for dynamic registration",
"oidcServiceDynamicRegistrationExtraClaims":"Extra claims for dynamic registration",
"oidcServiceIDTokenExpiration":"ID Token expiration",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Sessions module name",
@ -1104,4 +1106,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

View File

@ -142,10 +142,10 @@
"casStorageOptions":"CAS sessions module options",
"categoryName":"Category name",
"cda":"Multiple domains",
"certifcateMailContent":"Certificate mail content",
"certificateMailContent":"Certificate mail content",
"certificateResetByMailManagement":"Certificate reset management",
"certificateResetByMailURL":"Reset page URL",
"certificateResetByMailCeaAttribute":"Certificate attibute name",
"certificateResetByMailCeaAttribute":"Certificate CEA attibute",
"certificateResetByMailCertificateAttribute":"Certificate attribute name",
"certificateResetByMailSender":"Mail sender",
"certificateResetByMailReplyTo":"Reply address",
@ -154,7 +154,7 @@
"certificateResetByMailStep2Subject":"Confirmation mail subject",
"certificateResetByMailStep2Body":"Confirmation mail content",
"certificateResetByMailValidityDelay":"Minimum duration before expiration",
"portalDisplayCertificateResetByMail":"Reset your Certificate",
"portalDisplayCertificateResetByMail":"Reset your certificate",
"contentSecurityPolicy":"Content security policy",
"contextSwitching":"Switch context another user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
@ -176,7 +176,7 @@
"corsAllow_Origin":"Access-Control-Allow-Origin",
"corsExpose_Headers":"Access-Control-Expose-Headers",
"corsMax_Age":"Access-Control-Max-Age",
"cfgLog":"Resume",
"cfgLog":"Summary",
"cfgVersion":"Configuration version",
"checkXSS":"Check XSS attacks",
"clickHereToForce":"Click here to force",
@ -274,7 +274,7 @@
"dateTitle":"Dates",
"dn":"DN",
"domain":"Domain",
"dontCompactConf":"Don't compact configuration file",
"compactConf":"Compact configuration file",
"download":"Download",
"downloadIt":"Download it",
"duplicate":"Duplicate",
@ -617,6 +617,8 @@
"oidcServiceKeyIdSig":"Signing key ID",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"Access Token expiration",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars for dynamic registration",
"oidcServiceDynamicRegistrationExtraClaims":"Extra claims for dynamic registration",
"oidcServiceIDTokenExpiration":"ID Token expiration",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Sessions module name",

View File

@ -142,19 +142,19 @@
"casStorageOptions":"Options du module des sessions CAS",
"categoryName":"Nom de la catégorie",
"cda":"Domaines multiples",
"certifcateMailContent":"Certificate mail content",
"certificateResetByMailManagement":"Certificate reset management",
"certificateResetByMailURL":"Reset page URL",
"certificateResetByMailCeaAttribute":"Certificate attibute name",
"certificateResetByMailCertificateAttribute":"Certificate attribute name",
"certificateResetByMailSender":"Mail sender",
"certificateResetByMailReplyTo":"Reply address",
"certificateResetByMailStep1Subject":"Certificate reset mail subject",
"certificateResetByMailStep1Body":"Certificate reset mail content",
"certificateResetByMailStep2Subject":"Confirmation mail subject",
"certificateResetByMailStep2Body":"Confirmation mail content",
"certificateResetByMailValidityDelay":"Minimum duration before expiration",
"portalDisplayCertificateResetByMail":"Reset your Certificate",
"certificateMailContent":"Contenu du mail du certificat",
"certificateResetByMailManagement":"Gestion de la réinitialisation des certificats",
"certificateResetByMailURL":"URL de la page de réinitialisation",
"certificateResetByMailCeaAttribute":"Attribut CEA du certificat",
"certificateResetByMailCertificateAttribute":"Nom de l'attribut du certificat",
"certificateResetByMailSender":"Expéditeur",
"certificateResetByMailReplyTo":"Adresse pour la réponse",
"certificateResetByMailStep1Subject":"Sujet du mail",
"certificateResetByMailStep1Body":"Contenu du mail",
"certificateResetByMailStep2Subject":"Sujet du mail de confirmation",
"certificateResetByMailStep2Body":"Contenu du mail de confirmation",
"certificateResetByMailValidityDelay":"Durée minimun avant expiration",
"portalDisplayCertificateResetByMail":"Réinitialiser votre certificat",
"contentSecurityPolicy":"Politique de sécurité de contenu",
"contextSwitching":"Endossement d'identité",
"contextSwitchingHiddenAttributes":"Attributs masqués",
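Review bot: `"Durée minimun avant expiration"` should read `minimum`. Otherwise this block finally translates the certificate-reset strings that the other locale files still carry in English.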
@ -274,7 +274,7 @@
"dateTitle":"Dates",
"dn":"DN",
"domain":"Domaine",
"dontCompactConf":"Ne pas compacter le fichier de configuration",
"compactConf":"Compacter le fichier de configuration",
"download":"Télécharger",
"downloadIt":"Télécharger",
"duplicate":"Dupliquer",
@ -617,6 +617,8 @@
"oidcServiceKeyIdSig":"Identifiant de clef de signature",
"oidcServiceAuthorizationCodeExpiration":"Expiration des codes d'autorisation",
"oidcServiceAccessTokenExpiration":"Expiration des jetons d'accès",
"oidcServiceDynamicRegistrationExportedVars":"Variables exportées pour l'enregistrement dynamique",
"oidcServiceDynamicRegistrationExtraClaims":"Claims supplémentaires pour l'enregistrement dynamique",
"oidcServiceIDTokenExpiration":"Expiration des jetons d'identité",
"oidcServiceOfflineSessionExpiration":"Expiration des sessions hors-ligne",
"oidcStorage":"Nom du module des sessions",

View File

@ -142,10 +142,10 @@
"casStorageOptions":"Opzioni del modulo sessioni CAS",
"categoryName":"Nome della categoria",
"cda":"Domini multipli",
"certifcateMailContent":"Certificate mail content",
"certificateMailContent":"Certificate mail content",
"certificateResetByMailManagement":"Certificate reset management",
"certificateResetByMailURL":"Reset page URL",
"certificateResetByMailCeaAttribute":"Certificate attibute name",
"certificateResetByMailCeaAttribute":"Certificat CEA attribut",
"certificateResetByMailCertificateAttribute":"Certificate attribute name",
"certificateResetByMailSender":"Mail sender",
"certificateResetByMailReplyTo":"Reply address",
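Review bot: `"Certificat CEA attribut"` is neither Italian nor the English source string (`Certificate CEA attribute`); use an Italian rendering such as `"Attributo CEA del certificato"` or keep the English fallback until it is translated.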
@ -154,7 +154,7 @@
"certificateResetByMailStep2Subject":"Confirmation mail subject",
"certificateResetByMailStep2Body":"Confirmation mail content",
"certificateResetByMailValidityDelay":"Minimum duration before expiration",
"portalDisplayCertificateResetByMail":"Reset your Certificate",
"portalDisplayCertificateResetByMail":"Reset your crtificate",
"contentSecurityPolicy":"Politica di protezione dei contenuti",
"contextSwitching":"Switch context another user",
"contextSwitchingHiddenAttributes":"Attributi nascosti",
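Review bot: `"Reset your crtificate"` introduces a typo (`crtificate`) while the other locales fix only the capitalisation of this key to `"Reset your certificate"`; apply the same string here.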
@ -274,7 +274,7 @@
"dateTitle":"Date",
"dn":"DN",
"domain":"Dominio",
"dontCompactConf":"Don't compact configuration file",
"compactConf":"Compact configuration file",
"download":"Scarica",
"downloadIt":"Scaricalo",
"duplicate":"Duplicato",
@ -617,6 +617,8 @@
"oidcServiceKeyIdSig":"ID del codice di accesso",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"Scadenza accesso token",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars for dynamic registration",
"oidcServiceDynamicRegistrationExtraClaims":"Extra claims for dynamic registration",
"oidcServiceIDTokenExpiration":"Scadenza ID Token",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Nome del modulo Sessioni",
@ -1104,4 +1106,4 @@
"samlRelayStateTimeout":"Timeout di sessione di RelayState",
"samlUseQueryStringSpecific":"Utilizza il metodo specifico query_string",
"samlOverrideIDPEntityID":"Sostituisci l'ID entità quando agisce come IDP"
}
}

View File

@ -142,10 +142,10 @@
"casStorageOptions":"CAS oturumları modül seçenekleri",
"categoryName":"Kategori ismi",
"cda":"Çoklu alan adları",
"certifcateMailContent":"Certificate mail content",
"certificateMailContent":"Certificate mail content",
"certificateResetByMailManagement":"Certificate reset management",
"certificateResetByMailURL":"Reset page URL",
"certificateResetByMailCeaAttribute":"Certificate attibute name",
"certificateResetByMailCeaAttribute":"Certificate CEA attibute",
"certificateResetByMailCertificateAttribute":"Certificate attribute name",
"certificateResetByMailSender":"Mail sender",
"certificateResetByMailReplyTo":"Reply address",
@ -154,7 +154,7 @@
"certificateResetByMailStep2Subject":"Confirmation mail subject",
"certificateResetByMailStep2Body":"Confirmation mail content",
"certificateResetByMailValidityDelay":"Minimum duration before expiration",
"portalDisplayCertificateResetByMail":"Reset your Certificate",
"portalDisplayCertificateResetByMail":"Reset your certificate",
"contentSecurityPolicy":"İçerik güvenlik ilkesi",
"contextSwitching":"İçeriği başka bir kullanıcıyla değiştir",
"contextSwitchingHiddenAttributes":"Gizli nitelikler",
@ -274,7 +274,7 @@
"dateTitle":"Tarihler",
"dn":"DN",
"domain":"Etki alanı",
"dontCompactConf":"Yapılandırma dosyasını sıkıştırma",
"compactConf":"Compact configuration file",
"download":"İndir",
"downloadIt":"İndir",
"duplicate":"Mükerrer",
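Review bot: the old value was a Turkish translation (`"Yapılandırma dosyasını sıkıştırma"`) and the new value falls back to English (`"Compact configuration file"`), a localisation regression; since the key's meaning is inverted, a Turkish speaker should supply the positive form (likely `"Yapılandırma dosyasını sıkıştır"`) rather than dropping the translation.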
@ -617,6 +617,8 @@
"oidcServiceKeyIdSig":"Anahtar ID imzalama",
"oidcServiceAuthorizationCodeExpiration":"Yetkilendirme Kodu sona erme",
"oidcServiceAccessTokenExpiration":"Erişim Jetonu sona erme",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars for dynamic registration",
"oidcServiceDynamicRegistrationExtraClaims":"Extra claims for dynamic registration",
"oidcServiceIDTokenExpiration":"ID Jetonu sona erme",
"oidcServiceOfflineSessionExpiration":"Çevrimdışı oturum sona erme",
"oidcStorage":"Oturumlar modülü adı",

View File

@ -142,10 +142,10 @@
"casStorageOptions":"Các tùy chọn mô-đun phiên CAS",
"categoryName":"Tên thể loại",
"cda":"Nhiều tên miền",
"certifcateMailContent":"Certificate mail content",
"certificateMailContent":"Certificate mail content",
"certificateResetByMailManagement":"Certificate reset management",
"certificateResetByMailURL":"Reset page URL",
"certificateResetByMailCeaAttribute":"Certificate attibute name",
"certificateResetByMailCeaAttribute":"Certificate CEA attibute",
"certificateResetByMailCertificateAttribute":"Certificate attribute name",
"certificateResetByMailSender":"Mail sender",
"certificateResetByMailReplyTo":"Reply address",
@ -154,7 +154,7 @@
"certificateResetByMailStep2Subject":"Confirmation mail subject",
"certificateResetByMailStep2Body":"Confirmation mail content",
"certificateResetByMailValidityDelay":"Minimum duration before expiration",
"portalDisplayCertificateResetByMail":"Reset your Certificate",
"portalDisplayCertificateResetByMail":"Reset your certificate",
"contentSecurityPolicy":"Chính sách bảo mật nội dung",
"contextSwitching":"Switch context another user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
@ -274,7 +274,7 @@
"dateTitle":"Ngày",
"dn":"DN",
"domain":"Tên miền",
"dontCompactConf":"Don't compact configuration file",
"compactConf":"Compact configuration file",
"download":"Tải xuống",
"downloadIt":"Tải xuống",
"duplicate":"Sao y",
@ -617,6 +617,8 @@
"oidcServiceKeyIdSig":"Khóa ID chính",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"Access Token expiration",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars for dynamic registration",
"oidcServiceDynamicRegistrationExtraClaims":"Extra claims for dynamic registration",
"oidcServiceIDTokenExpiration":"ID Token expiration",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Tên mô-đun phiên",
@ -1104,4 +1106,4 @@
"samlRelayStateTimeout":"Thời gian hết hạn phiên RelayState ",
"samlUseQueryStringSpecific":"Sử dụng phương pháp query_string cụ thể",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

View File

@ -142,10 +142,10 @@
"casStorageOptions":"CAS 会话模块选项",
"categoryName":"分类名称",
"cda":"Multiple domains",
"certifcateMailContent":"Certificate mail content",
"certificateMailContent":"Certificate mail content",
"certificateResetByMailManagement":"Certificate reset management",
"certificateResetByMailURL":"Reset page URL",
"certificateResetByMailCeaAttribute":"Certificate attibute name",
"certificateResetByMailCeaAttribute":"Certificate CEA attibute",
"certificateResetByMailCertificateAttribute":"Certificate attribute name",
"certificateResetByMailSender":"Mail sender",
"certificateResetByMailReplyTo":"Reply address",
@ -154,7 +154,7 @@
"certificateResetByMailStep2Subject":"Confirmation mail subject",
"certificateResetByMailStep2Body":"Confirmation mail content",
"certificateResetByMailValidityDelay":"Minimum duration before expiration",
"portalDisplayCertificateResetByMail":"Reset your Certificate",
"portalDisplayCertificateResetByMail":"Reset your certificate",
"contentSecurityPolicy":"Content security policy",
"contextSwitching":"Switch context another user",
"contextSwitchingHiddenAttributes":"Hidden attributes",
@ -274,7 +274,7 @@
"dateTitle":"日期",
"dn":"LDAP 唯一名称",
"domain":"域",
"dontCompactConf":"Don't compact configuration file",
"compactConf":"Compact configuration file",
"download":"下载",
"downloadIt":"下载它",
"duplicate":"Duplicate",
@ -617,6 +617,8 @@
"oidcServiceKeyIdSig":"Signing key ID",
"oidcServiceAuthorizationCodeExpiration":"Authorization Code expiration",
"oidcServiceAccessTokenExpiration":"Access Token expiration",
"oidcServiceDynamicRegistrationExportedVars":"Exported vars for dynamic registration",
"oidcServiceDynamicRegistrationExtraClaims":"Extra claims for dynamic registration",
"oidcServiceIDTokenExpiration":"ID Token expiration",
"oidcServiceOfflineSessionExpiration":"Offline session expiration",
"oidcStorage":"Sessions module name",
@ -1104,4 +1106,4 @@
"samlRelayStateTimeout":"RelayState session timeout",
"samlUseQueryStringSpecific":"Use specific query_string method",
"samlOverrideIDPEntityID":"Override Entity ID when acting as IDP"
}
}

@ -8,7 +8,7 @@ use Test::More;
my $count = 0;
my $file = 't/notifications.db';
my $maintests = 8;
my $maintests = 11;
my ( $res, $client );
eval { unlink $file };
@ -39,7 +39,31 @@ SKIP: {
# Try to create a notification
my $notif =
'{"date":"2099-05-03","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
'{"date":"2099-02-30","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
$res =
$client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
'application/json', length($notif) );
ok( $res->{error} =~ /^Notification not created: Bad date/, 'Notification not inserted' );
$notif =
'{"date":"2099-13-30","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
$res =
$client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
'application/json', length($notif) );
ok( $res->{error} =~ /^Notification not created: Bad date/, 'Notification not inserted' );
$notif =
'{"date":"2099-05_12","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
$res =
$client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
'application/json', length($notif) );
ok( $res->{error} =~ /^Malformed date$/, 'Notification not inserted' );
$notif =
'{"date":"2099-12-31","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
$res =
$client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
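Review bot: the three new ok() calls all use the same description 'Notification not inserted', so a failure in the TAP output cannot be attributed to a specific case; name each one, e.g. 'Notification not inserted (2099-02-30)', '(2099-13-30)' and '(2099-05_12)'. The first two checks match /^Notification not created: Bad date/ without an end anchor while the third matches /^Malformed date$/ with one, and only the third lacks the "Notification not created:" prefix; confirm both message shapes against the REST handler rather than letting the looser regex paper over a difference.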
@ -70,7 +94,7 @@ SKIP: {
# Delete notification
$res =
$client->_del('notifications/done/dwho_Test_20990503_dwho_VGVzdA==.done');
$client->_del('notifications/done/dwho_Test_20991231_dwho_VGVzdA==.done');
$res =
$client->jsonResponse( 'notifications/done', 'groupBy=substr(uid,1)' );
ok( $res->{result} == 1, 'Result = 1' );

@ -11,11 +11,38 @@ require 't/test-lib.pm';
# Try to create a notification
my $notif =
'{"date":"2099-05-03","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
'{"date":"2099-02-30","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
my $res =
&client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
'application/json', length($notif) );
ok( $res->{error} =~ /^Notification not created: Bad date/, 'Notification not inserted' );
count(1);
$notif =
'{"date":"2099-13-30","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
my $res =
&client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
'application/json', length($notif) );
ok( $res->{error} =~ /^Notification not created: Bad date/, 'Notification not inserted' );
count(1);
$notif =
'{"date":"2099-05_12","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
my $res =
&client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
'application/json', length($notif) );
ok( $res->{error} =~ /^Malformed date$/, 'Notification not inserted' );
count(1);
$notif =
'{"date":"2099-12-31","uid":"dwho","reference":"Test","xml":"{\"title\":\"Test\"}"}';
$res =
&client->jsonPostResponse( 'notifications/actives', '',
IO::String->new($notif),
'application/json', length($notif) );
ok( $res->{result}, 'Result is true' );
count(1);
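Review bot: $res is declared with my three times in the same scope (the lines "my $res =" before the second and third jsonPostResponse calls, after it was already declared for the first); under use warnings Perl reports '"my" variable $res masks earlier declaration in same scope'. Use plain "$res =" for the second and third assignments, as the fourth call and the other test file already do. As in the companion test, the three negative checks share the description 'Notification not inserted' and would benefit from case-specific names.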
@ -44,7 +71,7 @@ displayTests('done');
# Delete notification
$res =
&client->_del('notifications/done/dwho_Test_20990503_dwho_VGVzdA==.done');
&client->_del('notifications/done/dwho_Test_20991231_dwho_VGVzdA==.done');
$res = &client->jsonResponse( 'notifications/done', 'groupBy=substr(uid,1)' );
ok( $res->{result} == 1, 'Result = 1' );
ok( $res->{count} == 0, 'Count = 0' );
