From 153ef2df00f5065923f43d94914ccbd79116bd08 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Cl=C3=A9ment=20OUDOT?= Date: Mon, 26 Nov 2018 14:15:43 +0100 Subject: [PATCH] Update documentation --- .../current/applications/img/icons.png | 4 +- .../current/applications/img/loader.gif | 4 +- .../documentation/current/authchoice.html | 1 + .../documentation/current/authcustom.html | 31 +- doc/pages/documentation/current/authdbi.html | 26 +- doc/pages/documentation/current/authldap.html | 11 +- doc/pages/documentation/current/authrest.html | 2 +- doc/pages/documentation/current/authsaml.html | 4 +- .../documentation/current/autosignin.html | 10 +- .../current/browseablesessionbackend.html | 33 +- .../current/bruteforceprotection.html | 80 ++ .../documentation/current/cli_examples.html | 22 +- .../documentation/current/configlocation.html | 26 +- .../documentation/current/configvhost.html | 34 +- doc/pages/documentation/current/dos | 254 ++++++ doc/pages/documentation/current/exploit | 254 ++++++ .../documentation/current/external2f.html | 12 +- .../documentation/current/forcereauthn.html | 79 ++ .../header_remote_user_conversion.html | 6 +- .../documentation/current/loginhistory.html | 12 +- .../documentation/current/logos/1renater.png | Bin 0 -> 8565 bytes .../current/memcachedsessionbackend.html | 6 +- doc/pages/documentation/current/mitm | 254 ++++++ .../current/mongodbsessionbackend.html | 13 +- .../documentation/current/monitoring.html | 2 +- .../current/nosqlsessionbackend.html | 14 +- .../documentation/current/parameterlist.html | 758 +++++++++--------- .../documentation/current/plugincustom.html | 160 ++++ .../documentation/current/portalcustom.html | 148 ++-- doc/pages/documentation/current/prereq.html | 2 +- doc/pages/documentation/current/psgi.html | 12 +- doc/pages/documentation/current/renater.html | 238 ++++++ doc/pages/documentation/current/rest2f.html | 18 +- .../current/restconfbackend.html | 20 +- .../documentation/current/restserverplugin | 4 +- .../documentation/current/samlservice.html | 54 +- 
.../documentation/current/secondfactor.html | 15 +- doc/pages/documentation/current/security.html | 43 +- .../current/selfmadeapplication.html | 38 +- .../current/soapconfbackend.html | 18 +- .../documentation/current/soapservices.html | 11 +- .../current/sqlsessionbackend.html | 31 +- .../documentation/current/ssocookie.html | 24 +- doc/pages/documentation/current/start.html | 180 ++++- doc/pages/documentation/current/stayconnected | 254 ++++++ doc/pages/documentation/current/totp2f.html | 16 +- doc/pages/documentation/current/u2f.html | 14 +- doc/pages/documentation/current/upgrade.html | 110 +-- .../current/writingrulesand_headers.html | 26 +- .../documentation/current/yubikey2f.html | 16 +- 50 files changed, 2682 insertions(+), 722 deletions(-) create mode 100644 doc/pages/documentation/current/bruteforceprotection.html create mode 100644 doc/pages/documentation/current/dos create mode 100644 doc/pages/documentation/current/exploit create mode 100644 doc/pages/documentation/current/forcereauthn.html create mode 100644 doc/pages/documentation/current/logos/1renater.png create mode 100644 doc/pages/documentation/current/mitm create mode 100644 doc/pages/documentation/current/plugincustom.html create mode 100644 doc/pages/documentation/current/renater.html create mode 100644 doc/pages/documentation/current/stayconnected diff --git a/doc/pages/documentation/current/applications/img/icons.png b/doc/pages/documentation/current/applications/img/icons.png index ad5bf35af..8a662fc68 100644 --- a/doc/pages/documentation/current/applications/img/icons.png +++ b/doc/pages/documentation/current/applications/img/icons.png @@ -90,7 +90,7 @@ +
  • @@ -241,7 +241,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio -
    +
    diff --git a/doc/pages/documentation/current/applications/img/loader.gif b/doc/pages/documentation/current/applications/img/loader.gif index 1ea403e4a..bb40a8163 100644 --- a/doc/pages/documentation/current/applications/img/loader.gif +++ b/doc/pages/documentation/current/applications/img/loader.gif @@ -90,7 +90,7 @@ +
  • @@ -241,7 +241,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio -
    +
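Review bot: the hunks for applications/img/icons.png (above) and applications/img/loader.gif here are text diffs over files that should be binary images, and their context lines ("You've followed a link to a topic that doesn't exist yet. If permissio") are the body of the DokuWiki "topic does not exist" page. Both files were saved from a wiki URL that returned the placeholder page instead of the image, both before and after this patch. Replace them with the real PNG/GIF (the diff would then show "GIT binary patch", as the logos/1renater.png hunk further down does) or drop them from the patch.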
    diff --git a/doc/pages/documentation/current/authchoice.html b/doc/pages/documentation/current/authchoice.html index 8517ef72c..bf040f471 100644 --- a/doc/pages/documentation/current/authchoice.html +++ b/doc/pages/documentation/current/authchoice.html @@ -144,6 +144,7 @@ Define here:
    You can prefix the key name with a digit to order them. The digit will not be shown on portal page. Underscore characters are also replaced by spaces. +
    You can also override some LLNG parameters for each chain. See Parameter list to have the key names to use
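Review bot: the added sentence has no terminating period and does not say which parameters can be overridden per chain, where the override is entered in the Manager, or the precedence; the previous paragraph only covers key naming. Since a per-chain override can change authentication-related settings, state the rule explicitly, for example "a value set in a chain replaces the global value of the same parameter for users who chose that chain". Also "LLNG" is not the abbreviation the rest of these pages use; write LemonLDAP::NG or LL::NG as authdbi.html does.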
    diff --git a/doc/pages/documentation/current/authcustom.html b/doc/pages/documentation/current/authcustom.html index 9c73b5547..3e63e41a2 100644 --- a/doc/pages/documentation/current/authcustom.html +++ b/doc/pages/documentation/current/authcustom.html @@ -4,7 +4,7 @@ documentation:2.0:authcustom - + @@ -63,24 +63,41 @@

    -This artifact allows one to define its own modules (authentication, user database, password or register DB). +This artifact allows one to define its own modules (authentication, user database, password or register database).

    -
    The developer documentation is available in Portal manpages. +
    The developer documentation is available in Portal manpages. See Auth.pod and UserDB.pod +
    - +

    Configuration

    -You just have to define class names of your custom modules in “Custom module names”. You can also add your custom parameters in “Additional parameters”. Be careful to use names not already used elsewhere in configuration. This parameters are available in your plugins using $self→conf→{customName}. +In Manager, go in General Parameters > Authentication modules and choose 'Custom module'.

    -See portal manpages to see how to write these plugins. +Then, you just have to define class names of your custom modules in “Custom module names”. Custom parameters can be set in “Additional parameters”. Full path must be specify. +

    + +

    +You can define your own customAuth module icon. Icon must be in site/htdocs/static/common/modules/icon.png +

    +
    ::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm + +
    Be careful. Don' t use an already attributed name in configuration. + +
    +

    +These parameters are available in your plugins using $self→conf→{customName}. +

    + +

    +Read portal manpages to see how to write these plugins.

    -
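Review bot: "Full path must be specify." and the later note "::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm" contradict each other: the first says a complete class name is required, the second documents a shorthand that gets the Lemonldap::NG::Portal prefix prepended. Keep one rule, and if the shorthand is accepted say which prefix is added and that the value is a Perl package name, not a file name (the ".pm" suffix in the example is misleading). Minor: "specify" should be "specified", "Don' t" should be "Don't", and the icon sentence should explain how the icon file is named for a given module, since "site/htdocs/static/common/modules/icon.png" as written is one fixed path that every custom module would share.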
    + diff --git a/doc/pages/documentation/current/authdbi.html b/doc/pages/documentation/current/authdbi.html index a680fef59..cca2e87fb 100644 --- a/doc/pages/documentation/current/authdbi.html +++ b/doc/pages/documentation/current/authdbi.html @@ -101,7 +101,7 @@ LL::NG can use a lot of databases as authentication, users and password backend:

    - +

    Configuration

    @@ -238,7 +238,7 @@ In Manager, go in General Parameters > Authentication modu

    - +

    Authentication level

    @@ -254,7 +254,7 @@ The authentication level given to users authenticated with this module.
    - +

    Exported variables

    +

    Filters

    In LDAP filters, $user is replaced by user login, and $mail by user email. @@ -203,7 +204,7 @@ And the mail filter is:
    - +

    Groups

      @@ -224,7 +225,7 @@ And the mail filter is:
    - +

    Password

      @@ -258,6 +259,6 @@ And the mail filter is:

    - + diff --git a/doc/pages/documentation/current/authrest.html b/doc/pages/documentation/current/authrest.html index 0f0f567ff..ebd15e854 100644 --- a/doc/pages/documentation/current/authrest.html +++ b/doc/pages/documentation/current/authrest.html @@ -117,7 +117,7 @@ Then you just have to set REST URL

    -REST web services just have to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”). +REST web services have just to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”).

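Review bot: the rewording "REST web services have just to respond" is less natural than the original "just have to respond"; revert it. While in this sentence, "in a JSON file" should read "in a JSON response", since the service returns an HTTP body, not a file.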
    diff --git a/doc/pages/documentation/current/authsaml.html b/doc/pages/documentation/current/authsaml.html index 76207e8f9..ec60c46d9 100644 --- a/doc/pages/documentation/current/authsaml.html +++ b/doc/pages/documentation/current/authsaml.html @@ -223,7 +223,7 @@ For example, to preselect this IDP for users coming from 129.168.0.0/16 network
  • Allow login from IDP: allow a user to connect directly from an IDP link. In this case, authentication is not a response to an issued authentication request, and we have less control on conditions.
  • -
  • Requested authentication context: this context is declared in authentication request. When receiving the request, the real authentication context will be mapped ton an internal authentication level (see how configure the mapping), that you can check to allow or deny session creation.
    +
  • Requested authentication context: this context is declared in authentication request. When receiving the request, the real authentication context will be mapped to an internal authentication level (see how configure the mapping), that you can check to allow or deny session creation.
  • Allow URL as RelayState: Set to On if the RelayState value sent by IDP is the URL where the user must be redirected after authentication.
  • @@ -240,6 +240,8 @@ For example, to preselect this IDP for users coming from 129.168.0.0/16 network
  • Store SAML Token: allows one to keep SAML token (assertion) inside user session. Don't enable it unless you need to replay this token on an application.
  • +
  • Attribute containing user identifier: set the value of SAML attribute (“Name”) that should be used as user main identifier ($user). If empty, the NameID content is used.
    +
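Review bot: the new "Attribute containing user identifier" bullet should say that whatever the IDP puts in that attribute becomes $user, the key used for the session and for access rules, so it must be an attribute the IDP is trusted to assert for that user (the same trust already implied by the NameID fallback); without that sentence an administrator may pick a self-asserted attribute. The "ton" to "to" fix in the "Requested authentication context" bullet is good, but "see how configure the mapping" in the same bullet still needs "how to configure".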
  • diff --git a/doc/pages/documentation/current/autosignin.html b/doc/pages/documentation/current/autosignin.html index 94adc1ef6..0204c1dbd 100644 --- a/doc/pages/documentation/current/autosignin.html +++ b/doc/pages/documentation/current/autosignin.html @@ -48,16 +48,16 @@

    -Auto-Signin add-on provides a simple way to bypass authentication based on rules. For example, a TV can be automatically authenticated by its IP address. +Auto-Signin add-on provides an easy way to bypass authentication process based on rules. For example, a TV can be automatically authenticated by its IP address.

    - +

    Configuration

    -This add-on is automatically enabled if a rule is declared. A rule links username to a rule. The only usable variable here is $env. Example: +This add-on is automatically enabled if a rule is declared. A rule links rule to a username. The only usable variable here is $env. Example:

    @@ -69,9 +69,9 @@ This add-on is automatically enabled if a rule is declared. A rule links usernam
    dwho $env→{REMOTE_ADDR} == '192.168.42.42'
    -
    Username must be defined in the user database. +
    Username must be defined in the user database.
    -
    + diff --git a/doc/pages/documentation/current/browseablesessionbackend.html b/doc/pages/documentation/current/browseablesessionbackend.html index ff13c9f47..623cb437a 100644 --- a/doc/pages/documentation/current/browseablesessionbackend.html +++ b/doc/pages/documentation/current/browseablesessionbackend.html @@ -74,7 +74,7 @@

    -Browseable session backend (Apache::Session::Browseable) works exactly like Apache::Session::* corresponding module but add index that increase session explorer and session restrictions performances. +Browseable session backend (Apache::Session::Browseable) works exactly like Apache::Session::* corresponding module but add index that increase session explorer and session restrictions performances.

    @@ -104,7 +104,7 @@ The following table list fields to index depending on the feature you want to in Session restrictions _session_kind ipAddr WHATTOTRACE

    - +

    See Apache::Session::Browseable::* man page to see how use indexes.

    @@ -113,7 +113,7 @@ See Apache::Session::Browseable::* man page to see how use indexes.
    Documentation below explains how set index on ipAddr and _whatToTrace. Adapt it to configure the index you need.
    - +

    Browseable NoSQL

    @@ -140,15 +140,15 @@ You then just have to add the Index parameter in General par Index Index _whatToTrace ipAddr
    - + - +

    Browseable SQL

    This documentation concerns PostgreSQL. Some adaptations are needed with other databases.
    - +

    Prepare database

    - +

    Manager

    -Go in the Manager and set the session module (Apache::Session::Browseable::MySQL for MySQL) in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): +Go in the Manager and set the session module (Apache::Session::Browseable::MySQL for MySQL) in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive):

    @@ -194,7 +195,7 @@ Go in the Manager and set the session module ( - + @@ -206,14 +207,14 @@ Go in the Manager and set the session module ( Index
    DataSource The DBI string dbi:Pg:database=sessions DataSource The DBI string dbi:Pg:database=sessions
    UserName The database username lemonldapng Index _whatToTrace ipAddr _session_kind _utime
    -
    Apache::Session::Browseable::MySQL doesn't use locks so performances are keeped. +
    Apache::Session::Browseable::MySQL doesn't use locks so performances are keeped.

    For databases like PostgreSQL, don't forget to add “Commit” with a value of 1

    - +

    Browseable LDAP

    @@ -267,9 +268,9 @@ You need to add the Index field and can also configure the ld ldapAttributeIndex Attribute storing index ou
    - +
    - +

    Security

    @@ -282,7 +283,7 @@ You can also use different user/password for your servers by overriding paramete

    - +

    Performances

    @@ -299,6 +300,7 @@ Here are some recommended configurations: _whatToTrace text, _session_kind text, _utime BIGINT, + USER text, ipAddr VARCHAR(64) ); CREATE INDEX uid1 ON sessions USING BTREE (_whatToTrace text_pattern_ops); @@ -314,6 +316,7 @@ Here are some recommended configurations: a_session text, _whatToTrace VARCHAR(64), _session_kind VARCHAR(15), + USER text, _utime BIGINT ); CREATE INDEX uid1 ON sessions (_whatToTrace) USING BTREE; @@ -322,6 +325,6 @@ Here are some recommended configurations: CREATE INDEX ip1 ON sessions (ipAddr) USING BTREE;
    - + diff --git a/doc/pages/documentation/current/bruteforceprotection.html b/doc/pages/documentation/current/bruteforceprotection.html new file mode 100644 index 000000000..80ba90060 --- /dev/null +++ b/doc/pages/documentation/current/bruteforceprotection.html @@ -0,0 +1,80 @@ + + + + + documentation:2.0:bruteforceprotection + + + + + + + + + + + + + + + + + + + + +
    + +

    +bruteForceProtection plugin prevents brute force attack. Plugin DISABLED by default. +

    + +

    +After three failed login attempts, user must wait (30 seconds by default) before try to log in again. +

    + +

    +The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds. +

    + +

    Configuration

    +
    + +

    +To enable Brute Force Attack protection : +

    + +

    +Go in Manager, General Parameters » Advanced Parameters » Security » Brute-force attack protection and set to On. +

    + +

    +To modify waiting time (30 seconds by default) before reAuthentication and MaxAge between current and last stored failed login (300 seconds by default) edit lemonldap-ng.ini in section [portal]: +

    +
    [portal]
    +bruteForceProtectionTempo = 30
    +bruteForceProtectionMaxAge = 300
    + +
    +
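Review bot: the page counts attempts from the "last stored failed login" but never names what stores them; say whether login history (loginhistory.html) must be enabled for the plugin to work. It should also state what the lockout is keyed on: "user must wait" suggests it is per username, in which case anyone who knows a login can keep that account unusable by sending three wrong passwords every 30 seconds, while an attacker spread over many addresses is slowed but not stopped; document that trade-off and whether the delay grows with repeated failures. Wording: "prevents brute force attack" overstates a 30-second delay, "slows down brute-force attacks" is accurate; "If it is disabled" should be "If this protection is disabled"; "before try to log in" should be "before trying to log in".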
    + + diff --git a/doc/pages/documentation/current/cli_examples.html b/doc/pages/documentation/current/cli_examples.html index 0c0bcafe5..48130e1fc 100644 --- a/doc/pages/documentation/current/cli_examples.html +++ b/doc/pages/documentation/current/cli_examples.html @@ -57,6 +57,7 @@
  • +
  • @@ -339,6 +340,25 @@ In this example we have:
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp  oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/testrp  oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600
    - + +

    Categories and applications in menu

    +
    + +

    +Create the category “applications”: +``` +/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/applications type category applicationList/applications catname Applications +``` +

    + +

    +Create the application “sample” inside category “applications”: +``` +/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/icons/kmultiple.png” applicationList/applications/sample/options name “Sample application” applicationList/applications/sample/options uri “https://sample.example.com/” +``` +

    + +
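Review bot: the second command is broken: its first arguments collapsed into `addKey applicationList/icons/kmultiple.png”`, so the key that should receive the logo value is missing and only the value survived, and the typographic quotes “ ” around "Sample application" and the uri are not shell quotes, so a copy-paste passes the quote characters into the configuration. Rewrite it with ASCII double quotes and the full key/subkey/value triplets, and add the `type application` key that mirrors the `type category` used for the category. Also the ``` fences are literal text inside an HTML page; the existing examples on this page (the oidcRPMetaDataOptions one just above) are in <pre> blocks, use the same markup.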
    + diff --git a/doc/pages/documentation/current/configlocation.html b/doc/pages/documentation/current/configlocation.html index 7feb6f591..950430b56 100644 --- a/doc/pages/documentation/current/configlocation.html +++ b/doc/pages/documentation/current/configlocation.html @@ -4,7 +4,7 @@ documentation:2.0:configlocation - + @@ -706,6 +706,10 @@ Then, to protect a standard virtual host, you must insert this (or create an inc After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in Manager, General Parameters > reload configuration URLs: keys are server names or IP the requests will be sent to, and values are the requested URLs.

    +

    +You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds. +

    +

    These parameters can be overwritten in LemonLDAP::NG ini file, in the section apply.

    @@ -717,8 +721,24 @@ The reload target is managed in Apache or Nginx configuration, insi
    You must allow access to declared URLs to your Manager IP.
    If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include handler-nginx.conf or handler-apache2.conf for example
    +

    +Practical use case: configure reload in a LL::NG cluster. In this case you will have two servers (with IP 1.1.1.1 and 1.1.1.2), but you can keep only one reload URL (reload.example.com): +

    +
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
    +reloadUrls '1.1.1.1' 'http://reload.example.com/reload' \
    +reloadUrls '1.1.1.2' 'http://reload.example.com/reload'
    + +

    +You also need to adjust the protection of the reload vhost, for example: +

    +
        <Location /reload>
    +        Require ip 127 ::1 1.1.1.1 1.1.1.2
    +        SetHandler perl-script
    +        PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
    +    </Location>
    + - +

    Local file

    @@ -752,6 +772,6 @@ For example, to override configured skin for portal:
    You need to know the technical name of configuration parameter to do this. You can refer to parameter list to find it.
    - + diff --git a/doc/pages/documentation/current/configvhost.html b/doc/pages/documentation/current/configvhost.html index 586b5cd7f..f2340d522 100644 --- a/doc/pages/documentation/current/configvhost.html +++ b/doc/pages/documentation/current/configvhost.html @@ -92,10 +92,10 @@ To protect a virtual host in Apache, the LemonLDAP::NG Handler must be activated

    Then you can take any virtual host, and simply add this line to protect it:

    -
    PerlHeaderParserHandler Lemonldap::NG::Handler
    +
    PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
    - +

    Hosted application

    @@ -105,7 +105,7 @@ Example of a protected virtual host for a local application:
    <VirtualHost *:80>
             ServerName localsite.example.com
      
    -        PerlHeaderParserHandler Lemonldap::NG::Handler
    +        PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
      
             DocumentRoot /var/www/localsite
      
    @@ -115,7 +115,7 @@ Example of a protected virtual host for a local application:
     </VirtualHost>
    - +

    Reverse proxy

    @@ -125,7 +125,7 @@ Example of a protected virtual host with LemonLDAP::NG as reverse proxy:
    <VirtualHost *:80>
             ServerName application.example.com
      
    -        PerlHeaderParserHandler Lemonldap::NG::Handler
    +        PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
      
             # Reverse-Proxy
             ProxyPass / http://private-name/
    @@ -144,7 +144,7 @@ Same with remote server configured with the same host name:
     
    <VirtualHost *:80>
             ServerName application.example.com
      
    -        PerlHeaderParserHandler Lemonldap::NG::Handler
    +        PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
      
             # Reverse-Proxy
             ProxyPass / http://APPLICATION_IP/
    @@ -160,7 +160,7 @@ To learn more about using Apache as reverse-proxy, see Some applications need the REMOTE_USER environment variable to get the connected user, which is not set in reverse-proxy mode. In this case, see how convert header into environment variable.
     
    - +

    Add a floating menu

    - +

    Nginx configuration

    @@ -253,7 +253,7 @@ Then you can take any virtual host and modify it: }
    - +

    Hosted application

    @@ -312,7 +312,7 @@ server { }
    - +

    Reverse proxy

    @@ -363,7 +363,7 @@ server { }
    - +

    LemonLDAP::NG configuration

    @@ -390,7 +390,7 @@ A virtual host contains:
    - +

    Access rules and HTTP headers

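Review bot: every example switches from `PerlHeaderParserHandler Lemonldap::NG::Handler` to `Lemonldap::NG::Handler::ApacheMP2`; make sure the upgrade notes (upgrade.html is part of this patch) tell existing deployments to update the directive in their vhost files, otherwise copied configurations keep the old name. The examples also stay on `<VirtualHost *:80>`; a one-line reminder that SSO-protected vhosts must serve HTTPS in production, with a pointer to the SSO cookie page, would fit here since these blocks are what people copy.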
    diff --git a/doc/pages/documentation/current/dos b/doc/pages/documentation/current/dos new file mode 100644 index 000000000..d86e8a2fd --- /dev/null +++ b/doc/pages/documentation/current/dos @@ -0,0 +1,254 @@ + + + + + + documentation:2.0:dos [LemonLDAP::NG] + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    + + + + + + + +
    +
    + +
    +
    + +

    + documentation:2.0:dos +

    + +
    +
    + +
    + + + +
    + +
    +
    + + +
    +
    + + + +

    This topic does not exist yet

    +
    + +

    +You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”. +

    + +
    + + + + +
    +
    + +
    + + + + +
    + + + + +
    + +
    +
    + + + + +
    +
    + + + diff --git a/doc/pages/documentation/current/exploit b/doc/pages/documentation/current/exploit new file mode 100644 index 000000000..6ea7babc2 --- /dev/null +++ b/doc/pages/documentation/current/exploit @@ -0,0 +1,254 @@ + + + + + + documentation:2.0:exploit [LemonLDAP::NG] + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    + + + +
    + +
    + + + +
    +
    + +
    +
    + +

    + documentation:2.0:exploit +

    + +
    +
    + +
    + + + +
    + +
    +
    + + +
    +
    + + + +

    This topic does not exist yet

    +
    + +

    +You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”. +

    + +
    + + + + +
    +
    + +
    + + + + +
    + + + + +
    + +
    +
    + + + + +
    +
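Review bot: `dos` and `exploit` (and, per the diffstat, `mitm` and `stayconnected`, 254 lines each, all without the .html extension the other pages carry) are DokuWiki "This topic does not exist yet" placeholder pages captured when the export followed links to pages that had not been written. They contain no documentation and add four 404 bodies to the tree; remove them from the patch and either write the target pages or fix the links that point to them.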
    + + + diff --git a/doc/pages/documentation/current/external2f.html b/doc/pages/documentation/current/external2f.html index 1befe908b..fcad0957d 100644 --- a/doc/pages/documentation/current/external2f.html +++ b/doc/pages/documentation/current/external2f.html @@ -48,20 +48,20 @@

    -This simple plugin can be used to add a second factor for authentication (SMS, OTP,…). It uses external commands to send and validate the second factor. You can use any language to call your 2nd factor system. +This basic plugin can be used to add a second factor authentication device (SMS, OTP,…). It uses external commands to send and validate a second factor. Any language is allowed to call your 2nd factor system.

    - +

    Commands

    -Commands received arguments on the command line and must return a 0 code if succeed, another else. Nothing must be written to STDOUT, STDERR is reported in logs (but may be lost with FastCGI server). +Commands receive arguments on command line and must return a 0 code if succeed, another else. Nothing must be written to STDOUT, STDERR is reported in logs (but may be lost with FastCGI server).

    - +

    Configuration

    @@ -80,9 +80,9 @@ All parameters are configured in “General Parameters » Portal Parameters » E
  • Logo (Optional): logo file (in static/<skin> directory)
  • -
    The command line is split in an array and launch with exec(). So you don't need to enclose arguments in “” and this protects your system against shell injection. However, you can not use any space except to separate arguments. +
    The command line is split in an array and launched with exec(). So you don't need to enclose arguments in “” and this feature protects your system against shell injection. However, you can not use any space except to separate arguments.
    -
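Review bot: the claim "this feature protects your system against shell injection" is right as far as the shell goes (exec() with an argument list never invokes a shell), but the substituted values still come from user input and the session, so the page should add that a value beginning with "-" can be parsed as an option by the called program (put `--` before it or never place a variable in the first argument position) and that values are inserted without quoting, so a value containing a space is split into several arguments. On wording, "add a second factor authentication device" changes the meaning (SMS and OTP are not devices); "Any language is allowed to call your 2nd factor system" reads badly, the original "You can use any language" was fine.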
    + diff --git a/doc/pages/documentation/current/forcereauthn.html b/doc/pages/documentation/current/forcereauthn.html new file mode 100644 index 000000000..862b467e1 --- /dev/null +++ b/doc/pages/documentation/current/forcereauthn.html @@ -0,0 +1,79 @@ + + + + + documentation:2.0:forcereauthn + + + + + + + + + + + + + + + + + + + + +
    + +

    +forceAuthentication plugin forces users to authenticate again to access to Portal. Plugin DISABLED by default. +

    + +

    +Users can access all protected applications except Portal. +

    + +

    +Users have to authenticate again to access to Portal if there last login is older than 5 seconds by default. +

    + +

    Configuration

    +
    + +

    +To enabled forceAuthentication plugin : +

    + +

    +Go in Manager, General Parameters » Advanced Parameters » Security » Force authentication and set to On. +

    + +

    +To modify last login interval (5 seconds by default) edit lemonldap-ng.ini in section [portal]: +

    +
    [portal]
    +portalForceAuthnInterval = 5
    + +
    +
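Review bot: the description never says what "last login" is compared against or why 5 seconds is the default, so the reader cannot tell whether a user whose session is a minute old is meant to be challenged on every visit to the portal; state the intended behaviour in one sentence (applications stay reachable, only the portal asks again) and explain what the interval is for. Grammar: "to access to Portal" should be "to access the Portal"; "if there last login" should be "if their last login"; "To enabled forceAuthentication plugin" should be "To enable the forceAuthentication plugin"; "Plugin DISABLED by default" should be a full sentence, as in the bruteForceProtection page which uses the same phrasing.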
    + + diff --git a/doc/pages/documentation/current/header_remote_user_conversion.html b/doc/pages/documentation/current/header_remote_user_conversion.html index 6691ba778..69defe526 100644 --- a/doc/pages/documentation/current/header_remote_user_conversion.html +++ b/doc/pages/documentation/current/header_remote_user_conversion.html @@ -71,7 +71,7 @@ This can be used to protect applications relying on REMOTE_USER env
    <VirtualHost *:80>
             ServerName application.example.com
      
    -        PerlHeaderParserHandler Lemonldap::NG::Handler
    +        PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
      
             ProxyPreserveHost on
             ProxyPass / http://APPLICATION_IP/
    @@ -100,7 +100,7 @@ Of course, you need to 
    +
     

    Nginx

    @@ -111,6 +111,6 @@ Nginx doesn't launch directly PHP pages (or other languages): it dials with fastcgi_param HTTP_MYVAR $authuser;
    - + diff --git a/doc/pages/documentation/current/loginhistory.html b/doc/pages/documentation/current/loginhistory.html index 71cea331f..9bf3d09ac 100644 --- a/doc/pages/documentation/current/loginhistory.html +++ b/doc/pages/documentation/current/loginhistory.html @@ -57,11 +57,15 @@ LemonLDAP::NG allows one to store user logins and login attempts in their persis

    -Users can see their own history in menu, if menu module Login history is enabled. Session history is always visible in session explorer for administrators. +Users can see their own history in menu, if menu module Login history is enabled. +

    + +

    +Session history is always visible in session explorer for administrators.

    - +

    Configuration

    @@ -74,7 +78,7 @@ A login is considered as successful if user get authenticated and is granted a s

    -By default, login time and IP address are stored in history, and the error message prompted to the user for failed logins. It is possible to store any additional session data. For example to store authentication mode, you can set in Session data to store a new key $_auth with value Authentication mode. The value will be used to display the data. +By default, login time and IP address are stored in history, and the error message prompted to the user for failed logins. It is possible to store any additional session data. For example to store authentication mode, you can set in Session data to store a new key _auth with value Authentication mode. The value will be used to display the data.

    @@ -86,6 +90,6 @@ You can also display a check box on the authentication form, to allow user to se

    - + 
diff --git a/doc/pages/documentation/current/logos/1renater.png b/doc/pages/documentation/current/logos/1renater.png new file mode 100644 index 0000000000000000000000000000000000000000..467bb143e8c93691ba025c29704c1f89a1b32110 GIT binary patch literal 8565 zcmdrx^-tUn&mY`}kKsOGxVw!TFx(E;VPm)rJ=|S}4tJL!hs%b$yTfoBcI>cs-@O0D z)240G_J=l2o2HFaQ<1~LB*O#%0OzATNaLS`|3~Pk|9HfyzW6_ZY%Q%U4FL7=SdV5X z0D#GDBO{~sQAUQw$;Hvi#?BG|5X3S|=O>7qgr)ay@>NkMbYPDJFXA1$g$H#@v8#=mb; z!~AS>J15tzFCYtTK*D1%%1U83!S{)pIUYg04?>`MU24%l*PXn6nnUKTL} z(RV4vE`#u%q_gc6&EJQ2vyw5rz)SA8Ry{gyKrKDy;Oc(akd$OtNL(k25vn?z-pr>w z!KE-krx(Pdo$PwWX5f35VTmhz%@ZO2nY; zltz%gHPj4?O(u-qo}5%Zi0&WbdLK!P70#F|8=M1mw^M+l~^_{!^7=uhykM$1hw|3@NrX4AnHe# z`zweuRhzG|M&AybHEZSCnxP^>t}P4a;RQVRmA{OM@1#c8`o(WE&+BBNBsXpuV?hTi z?-Eeo(8P|@U+n$d@Ox^sXLqXC_>T--5uD#XfJRG{Xp~Z$42B3JP%_?!N!{mW-sApy zE?RC)ja<3MpGwt5ET$!s@}mNn-{I3>_*k$`T|lq~H_$>hL780T~a|E)pDfd?qA;?SLf z)O_uHfx-%PG_~w9i8=5b^B2rpd}UeNg7N8zL%@wqgfu&vLslp6`xND2!y*2S5S$n_ zINv;mJMN9Y62)8M2E+!^2J+cB;ZV|n7_*Xk-71jYMH6GJhT2-ZIEmcA2{la3Q%3uyDgbtt9jh10m zdaZ80C&*d;PdS0{uzX~7pSpgrR-v2LQP@l)4|rKtSW8&OtHCAu3gx#P5nF%6j?A`t z6!QbKHM6-^NQJ7UX6u~$ob0jQu@H_7ZwbnjhD~v!xEb6XE(&G`tAe|Z-_8rnvsTp3@0WR%{h3#oTbY-g+bHLqgUrp&LCZbL zH)o}6(rrR)_r9D?3swGcdu1OtN^zc*BpiOQwh+QU&PUIu^Z9(1Vk&E4X5ngfWTs+9 zr0`bjd(ByXc15SmL&#mxEAXJQTwa6BLD7VH80N3!#ECMC8}1S}e)lJL#~3g6}c<9$$7%ZDaTOu+sDJ% zr(UbPejkk*O|C>Ro1F2>&N5DahCP@ai@lvKSC3S;-@v}%7z+Pv@0jhd{uweD_KEPb z=I2@S>&og3_QmFbyA{JL!_C&pgRhei2Wy8x=&HHLY|a1jv3x80f2Qba;t+GAdi+TxHe-+ukSy=AXJM~@qOF~kjn5h^&TIe-!eSb}M5Zij( z>SB0eRP2Ba1wlIWmIdaK^A*JQk6$jFj*2W9QbhWQ)7wxR?6z*6Y z`&K90`+TOtcL;xLp1E%7ObRYT=RHOyHylGZS^OLQ6J7*f$Px4r)&lke%B2Q-QUW2; zMR_RF^U}CM<3S&K#c7@7O^5Ch+OKgAuns&zgQfze&hlYDV}7NELa5^~aItDJ{NI=n zs^d*}2eg?E2c@Fa(sj~}(p`WuKpzXd3yBK}3%(bc40;ZJ844aip}wbZ0Gj{1S`@o+jRFp74gThNy<3(X6yHLjgui0)9)G<>(*n z{d~)la{+yzAI3bHyQ!MV*KY+yVDdRGIb4pWt;<)+qfA$j>u%#f{a&MKgFJ(}W>dG~ zgAq7*s-n2kTj!*fLtngWz;QgVDWu89)}OhNgN@U-mBY$NHBoyyv!MRg@5CUQIO;>c 
zpg@aV*=ocJ^O8`D&3Q?MGPR;7BZ*?QBCEotUs*~n6@sp%Nvu5c?K ztE22wZFN?%ve@p`UVHjyX;!-wtfLQes5QM9_wI&IpcaNjLDC_@4^#rOf_MJo@V3^E zh2@P$zx=lSjshc)Amef4bRVt`3uHdafi8=w8lDXVgO`jNFg!sov_v5ow3g?}*}9LX)_g1KC2ZC8W5AeFOVsD4yNERJIPg&~mN+{xkM!qA z@1hNZMsa=n(05>TLb3Lw1XG07ia~|5!i7?zVlX;*=tKX``ilN)j`{q;r%qY|o@6N= z=xw$nL6UfK!kE%q+9eoF%rnEn>O#*4Vhgc7YZ3tP{}+IA#e(_O4kwN>iW4nSF3FaY zxs$r0`TQ)KUqQYZ&agVRL)Z=~kPF^IufJ^Jd;=$o&OO{EIBd3;=3+ks*8;G=LHWn| zBkv;8+i(kZW-N2LzZf6wB2%$|ZmzO#EAOsc@F)w!+sHaQCUcPvnm+d4;ai8tZT+SZ zLH2R;|JV;H$5c8*un*5t(|%7QCpUYuh(Wf#vS&5 z(~3j{8h2UEqViukC0{(5)O5m+?*siN1=p#VP`Jt8=^!~-J4Zn1beUu?>>PCejO2|` zDnX-@HxBz^HWNZV>Z4SLIy4Go$7wG$55x1W_gj6p&6y4!+FRJ{9XIr^Jq~QcQMyIH zP>bctla`XkhLYPpr`{q=wAS>bv5CAb-jVMOPZViqS&b*t`=sjfaqhymy0{pEmeXEc zy;xN@M^#9c&83U5u$4xcgKT}Kq?S}!q18Y{p&ySC}$wtvJiCsBmEksyBMVb&Fv zK2%FG1zebZnO#PwnmI8^&|^#MEE@2=!S>LuR+Pf$qggAZc&z9a`JY)XC(R2-1z$N+ zBeX%-P$`J#Ss=jwLWDZ)1SNDIri+O(Rj4_9tSdX;Q|u%S8Q>(qE(b7>I?AKM*Qo4l z{Hngl86&L+byZRh_b@Q0(o@wkn}FLVJo}7WFGn3===bpBMPTeMCBy-*cjPp#a+W52 zpIY=;;G1?;?BMNrGgHL|rRR1fKrkd!oEXQtkd1ou>`#R?kM+3W*^VqDiMgm#eF`^o z3@5fpHs*i>XW~69?Fd93-FbCM3!OsO@Z?u>!BqDhiFp0Ua_jDvK1p4vON@wr5H5@7 z%z7=;UBG3~FvENfXTNYU%|kSs+C~f~&z#wPe~PU`J?c?)oP5fc7Yy_gM#7e5YV0$o zcCqU$QiXUalOM;4EOZORhQ=FpZY_7dJ9%_kVxHN zvgVVd)UGs&)P(X^INS#p~dt@X>tGml5$X ztMDj`jDS;wEaq2oWZ(63QWU2w*}Kg{{KMv_BGITJaX@9d#!v=e#zw|Nif_TY{h-$6 zt*J;&xqy!TPHe{S_sl%`sLq<&9RT9vU#iSy!CWcTi*Q7Al2yS#amz%UHB2qPOAGl5 zxEK`WUxg!K2Ykh9Bd3e>^PAS_!HHmQ)D3uVU5Y|)ayf|&5uMRZIa&{Ui{FUNCOi%M zQAULFPH0lnc3C{JdenrhV&pKFR0JuC8x3Cn6C7uZXhdWWe8ts1=8$U1J)wM!g_QY5 zJ6LHk0tBin-Q?AFC-0dj-7?qU*G#%f zzWO~r;F>fZ4_r&SJ=ZmDJachb58K7IHzNtz1n3-p#;3eY*CA4O)=T4etX@k!vdH<< zJc(ck1%ygi3rUb^bkVosuyH&14WT+gZoV*N;=6JM z+B|LRTS{tXBX9i{hyDwVFMbd(W57soDgwqcUU?<_Cm!W_latZ>5$RKjy}|QAvStF` zVq_?1xyZRgc^s}7`FDI&GKx<6Dd9wO)a}0R!+OJRtm>MxY1eS->SaRJJfZ|Bnr962 z+Avyp8zP@$!*}{yen~+N*Rb~+%A>Cy3#~XFpxasJR;0euMRjae|br7B}UjS97z~krfoM7-qwLyhP zWcp^2JCa|#0Tb@8zoKqg5IT?o%%icHw_>fQ4Ml=;aR~# 
zUptOL^qB0aE!e=zIc#9_%4gT{Z}KzjQuXKA04{PwQOfV`8+127*V%lzaz1*0BJl8l z*i&HgV25~KG_9(}Xw5vx!S=Ta(f(tWlO9dD!c)d~j}_DjbD8e8vlY*Z?EIqi{DNwZ3MT_bk77P-l&|Xn@JVWg;~w z>P5q&4r`?cq`A)oo`2Jb3&o_RVu6C{r)t zPZ_<@c_02g-lgkJjma|)$hP5cUQzl(n2a=Q)nsYsoI}R__h0oIZWCW>byB{{mGC1} z;Py6Ox7{>c55M1~;5-YRz9_}<(XM0^r7YI7BQ+Yh94|mnZ7caDZ+0A=IWuk1`2Oq; zrJ+!9(Qc(ED*DRJL4q~k10g+m=9s~#xqfU7dm|Sw(bnLk;@M42(Q`vghsI@%y~1YK zIq)REkve`7DYx&6mRMJ30n!@5Q%>vtHaYRKbhK$5(tv~9%LS!rweUfGPs zpZ5?dzDNyk@g2gw3XSd`)0VEQ>cG_P zGEzlc%`GkGIQm$J)7!4jW7vl}ZLn|l*&Z^tKEl?{Ho@V;PGmXa3I6z}?KoyOXrBp! zTGDvEZ0b_-n)c&koaIV6Tc8fkE1e-^;;f2_U6iCBM}r!tYlN;Ze5F#gt$ybwql2x94XJ6{hGke=AhEmUmHf4|^d%?-eS4DSHr3R}30Xj}OWXA|$$bd7<_ z3BauoASJ+9R*_>EM_gX(M~jCoZWmCCQTLK_ZH5U!k5i^wedk?jDrwyZt) z@la@jGN7c3qHf}$5^_{%&GG8g#*masLem%zUukIPN=j6_*0TRZfudB_5j+$@Md@&W z=yCd@6Mq~oKeGkD!O_l$9|jT8E&guZD+yT;3h8oBov_JPMI(4p#4eq5+BXA0M~A?x>A{2_&HB;FPA1Qj zBInvE6vqj^Wl{6hvEc6GL=1~-?s>s62xdY@&3jE<6IDuIAD`8tE8jk1VbRt4L(`KE zv_}bK|Ip(R`K??3ad*RVI(s!fB)D;jKhgaZ!FZ=q^YYo3G0OlE>(5BC{Co*=K7SQP zC7CKFHa^FP?!n+WYCM%hPBq_HwXilRI2J{0_)w+UDo^O|rSe*1Cm9Q^KQL(3Yvx@r zUxonIAhHVY@wW{dC7DWn-6t;X-N>d|e)=_YOnq(ajj$!&!XFZ=v3E%18bh+g>&Xj0 z{bch9XD2F`TgJZm@=39~gTDiIWXG6mGipytc??>WsfL(fM{5M7%a+?-fi2foBdtY5 zsX-CcH|*Q+OeWvnE5f`5ql697^qaFXL`oeoQ8zb}hpOC|_*G$FJrLF+E-% z#Vi2{dGZG;(%XT>TXKtK3ftV4ukWuOZvOoXK<%mW10BOR#QMg}`-SF|yrxIe1{fp~ zqlAciv5m&oVy4y9g0Q!n`G)cOqRj^mD0AExMd5lY{)`IjuWV_7Zu+N6Bo3_pWZKgRqc^ z{D`|&PGhZC8%a8=0vyTA!SXA+;Z7D+>ka2>wes|Mon%gag81kviuyd9$*_3g!Mo@Y zjB;0UxZz?Z;2o7~Wt-kYB+0__G6g32|Dg$+V#kgPnTf&aYQbzlJ_D-e#T*^|(ehknT`^wQn$>ZNclQnKKm_gm?a#M^afoTcu(_ z{gJ^x&g{Hd?=r0O6WGG#5T)$Fc+x7}b7Ho0G<(#Lho`D4@lB1VJGA5ej@o0F_mu%> zlPj;uuWqi`d|{CK1vo}qxopWN1`|;fYkyS z#KDpY=7va>`zTooP*i4LB{z+-t}|tJ6l}U9R{WxylC0=#>K810{N!xVG-2S7x})jm zXs3)kbcldi;8Mh?%e}=me8rG6vY7l;;y+gt4L@QUTma2C&m1#eu{I>ae7KVD*VcK~ zKBki0wS*@f+M1)8BGiutuOB|+UxzZ^=`wK??&OV zP}&Gmps=FK*M;yZL?haR-|aNu-?$HhRzde4NE@+#S!FH!tE+3E-srg||6<;CYSP!D znlz&E3eOh)U^Hd2-XpcA{(vBgh%a;eSUuNXC){Ke)L6)A&$6^8s9Pg6bX~_)ss(L= 
zhNr_eyVDbJu+LL(6coswyY)hq@HYkNA$zTIWSeCVT9^hb%7GD12mtbHZ4D@>eg! zyOWCHr8g99c6+E0p&$~y+Kb0TwY2ZFOu8nXAnNk?aPZAvpAtF;NU=ZK(5R+^8T=7V zO<;ToQKnpbNA1iVNSzY07E{l0zrXGp}P8r5fD$N8R{E@(QYeky*7tX-+|sJ+U#kqo@_5<`g! zFWd1=xqsdK4NotN%t~a$ge;S+ywV#VSeu~&>%OQZ;$E+s($##*oE>;>*Sf)RFIv}* zKj^pQ5-T@o9j30*tu2_HX`Pv$XqWZR->Jz6 zV#~a|b7y#iA^8e%54d~EltZ%l8x4qs+Ah}qgFk3iUB$zoTz)o<`u zNUkrS&UVrJm>wjNqXG62L|q_>_E-L@yZ^xsRppQm+t;EM0wRvzjBB?#&7qEZsW zDoieu@NvxYN|B%JApache::Session::Memcached
    in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): +In the manager: set Apache::Session::Memcached in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive):

    @@ -85,9 +85,9 @@ In the manager: set Servers
    Memcached servers 10.0.0.1:20000 10.0.0.2:20000
    - +

    -See Apache::Session::Memcached for optional parameters. +See Apache::Session::Memcached for optional parameters.
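Review bot: the Memcached hunk (@@ -85,9 +85,9 @@) only rewrites link markup around the "Memcached servers 10.0.0.1:20000 10.0.0.2:20000" example and the "See Apache::Session::Memcached for optional parameters" line, while the mongodbsessionbackend.html and nosqlsessionbackend.html pages edited in this same patch each carry a "Security" heading ("Restrict network access to the MongoDB server"). If memcachedsessionbackend.html has no equivalent section, add one here with the same network-access guidance, since the example shows the session store reached over bare host:port addresses.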

    diff --git a/doc/pages/documentation/current/mitm b/doc/pages/documentation/current/mitm new file mode 100644 index 000000000..3cde8c7ef --- /dev/null +++ b/doc/pages/documentation/current/mitm @@ -0,0 +1,254 @@ + + + + + + documentation:2.0:mitm [LemonLDAP::NG] + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    + + + +
    + +
    + + + +
    +
    + +
    +
    + +

    + documentation:2.0:mitm +

    + +
    +
    + +
    + + + +
    + +
    +
    + + +
    +
    + + + +

    This topic does not exist yet

    +
    + +

    +You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”. +

    + +
    + + + + +
    +
    + +
    + + + + +
    + + + + +
    + +
    +
    + + + + +
    +
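Review bot: the new file doc/pages/documentation/current/mitm (@@ -0,0 +1,254 @@) is a DokuWiki "This topic does not exist yet" stub ("You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on "Create this page""), has no .html extension and contains no LemonLDAP::NG content. It is the export of a dangling wiki link, not documentation; drop it from the commit (or fix the source link that produces it) rather than shipping a 254-line placeholder titled documentation:2.0:mitm.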
    + + + diff --git a/doc/pages/documentation/current/mongodbsessionbackend.html b/doc/pages/documentation/current/mongodbsessionbackend.html index fec59b5cb..09ec09eb6 100644 --- a/doc/pages/documentation/current/mongodbsessionbackend.html +++ b/doc/pages/documentation/current/mongodbsessionbackend.html @@ -48,11 +48,12 @@

    -Apache::Session::MongoDB is a faster shareable session backend +Apache::Session::MongoDB is a faster shareable session backend.

    - +
    Use an up-to-date version of Apache::Session::MongoDB, at least 1.8.1.
    - +
    +

    Setup

    @@ -101,9 +102,9 @@ In the manager: set password Password llpassword
    - + - +

    Security

    @@ -112,6 +113,6 @@ Restrict network access to the MongoDB server. For remote servers, you can use <

    - + diff --git a/doc/pages/documentation/current/monitoring.html b/doc/pages/documentation/current/monitoring.html index 311fa420b..430ff76e0 100644 --- a/doc/pages/documentation/current/monitoring.html +++ b/doc/pages/documentation/current/monitoring.html @@ -4,7 +4,7 @@ documentation:2.0:monitoring - + diff --git a/doc/pages/documentation/current/nosqlsessionbackend.html b/doc/pages/documentation/current/nosqlsessionbackend.html index e32f71718..31e0e0b72 100644 --- a/doc/pages/documentation/current/nosqlsessionbackend.html +++ b/doc/pages/documentation/current/nosqlsessionbackend.html @@ -48,21 +48,21 @@

    -Apache::Session::Browseable::Redis is the faster shareable session backend +Apache::Session::Browseable::Redis is the faster shareable session backend

    - +

    Setup

    Install and launch a Redis server. Install -Apache::Session::Browseable::Redis Perl module. +Apache::Session::Browseable::Redis Perl module.

    -In the manager: set Apache::Session::Browseable::Redis in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): +In the manager: set Apache::Session::Browseable::Redis in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive):

    @@ -77,9 +77,9 @@ In the manager: set server
    Redis server 127.0.0.1:6379
    - +
    - +

    Security

    - + diff --git a/doc/pages/documentation/current/parameterlist.html b/doc/pages/documentation/current/parameterlist.html index cea3fb6d8..1500b41ca 100644 --- a/doc/pages/documentation/current/parameterlist.html +++ b/doc/pages/documentation/current/parameterlist.html 
@@ -343,1039 +343,1045 @@ The attribute key name can be used directly in lemonldap-ng.ini or facebookExportedVars Facebook exported variables ✔ - failedLoginNumber Number of failures stored in login history ✔ + facebookUserField ✔ - formTimeout Token timeout for forms ✔ + failedLoginNumber Number of failures stored in login history ✔ - globalStorage Session backend module ✔ ✔ + formTimeout Token timeout for forms ✔ - globalStorageOptions Session backend module options ✔ ✔ + globalStorage Session backend module ✔ ✔ - grantSessionRules Rules to grant sessions ✔ + globalStorageOptions Session backend module options ✔ ✔ - groups Groups ✔ + grantSessionRules Rules to grant sessions ✔ - hiddenAttributes Name of attributes to hide in logs ✔ + groups Groups ✔ - hideOldPassword Hide old password in portal ✔ + hiddenAttributes Name of attributes to hide in logs ✔ - httpOnly Enable httpOnly flag in cookie ✔ ✔ + hideOldPassword Hide old password in portal ✔ - https Use HTTPS for redirection from portal ✔ + httpOnly Enable httpOnly flag in cookie ✔ ✔ - infoFormMethod HTTP method for info page form ✔ + https Use HTTPS for redirection from portal ✔ - issuerDBCASActivation CAS server activation ✔ + infoFormMethod HTTP method for info page form ✔ - issuerDBCASPath CAS server request path ✔ + issuerDBCASActivation CAS server activation ✔ - issuerDBCASRule CAS server rule ✔ + issuerDBCASPath CAS server request path ✔ - issuerDBGetActivation Get issuer activation ✔ + issuerDBCASRule CAS server rule ✔ - issuerDBGetParameters List of virtualHosts with their get parameters ✔ + issuerDBGetActivation Get issuer activation ✔ - issuerDBGetPath Get issuer request path ✔ + issuerDBGetParameters List of virtualHosts with their get parameters ✔ - issuerDBGetRule Get issuer rule ✔ + issuerDBGetPath Get issuer request path ✔ - issuerDBOpenIDActivation OpenID server activation ✔ + issuerDBGetRule Get issuer rule ✔ - issuerDBOpenIDConnectActivation OpenID Connect server activation ✔ + 
issuerDBOpenIDActivation OpenID server activation ✔ - issuerDBOpenIDConnectPath OpenID Connect server request path ✔ + issuerDBOpenIDConnectActivation OpenID Connect server activation ✔ - issuerDBOpenIDConnectRule OpenID Connect server rule ✔ + issuerDBOpenIDConnectPath OpenID Connect server request path ✔ - issuerDBOpenIDPath OpenID server request path ✔ + issuerDBOpenIDConnectRule OpenID Connect server rule ✔ - issuerDBOpenIDRule OpenID server rule ✔ + issuerDBOpenIDPath OpenID server request path ✔ - issuerDBSAMLActivation SAML IDP activation ✔ + issuerDBOpenIDRule OpenID server rule ✔ - issuerDBSAMLPath SAML IDP request path ✔ + issuerDBSAMLActivation SAML IDP activation ✔ - issuerDBSAMLRule SAML IDP rule ✔ + issuerDBSAMLPath SAML IDP request path ✔ - jsRedirect Use javascript for redirections ✔ + issuerDBSAMLRule SAML IDP rule ✔ - key Secret key ✔ + jsRedirect Use javascript for redirections ✔ - krbAuthnLevel Null authentication level ✔ + key Secret key ✔ - krbByJs Launch Kerberos authentication by Ajax ✔ + krbAuthnLevel Null authentication level ✔ - krbKeytab Kerberos keytab ✔ + krbByJs Launch Kerberos authentication by Ajax ✔ - krbRemoveDomain Remove domain in Kerberos username ✔ + krbKeytab Kerberos keytab ✔ - ldapAllowResetExpiredPassword Allow a user to reset his expired password ✔ + krbRemoveDomain Remove domain in Kerberos username ✔ - ldapAuthnLevel LDAP authentication level ✔ + ldapAllowResetExpiredPassword Allow a user to reset his expired password ✔ - ldapBase LDAP search base ✔ + ldapAuthnLevel LDAP authentication level ✔ - ldapChangePasswordAsUser ✔ + ldapBase LDAP search base ✔ - ldapExportedVars LDAP exported variables ✔ + ldapChangePasswordAsUser ✔ - ldapGroupAttributeName LDAP attribute name for member in groups ✔ + ldapExportedVars LDAP exported variables ✔ - ldapGroupAttributeNameGroup LDAP attribute name in group entry referenced as member in groups ✔ + ldapGroupAttributeName LDAP attribute name for member in groups ✔ - 
ldapGroupAttributeNameSearch LDAP attributes to search in groups ✔ + ldapGroupAttributeNameGroup LDAP attribute name in group entry referenced as member in groups ✔ - ldapGroupAttributeNameUser LDAP attribute name in user entry referenced as member in groups ✔ + ldapGroupAttributeNameSearch LDAP attributes to search in groups ✔ - ldapGroupBase ✔ + ldapGroupAttributeNameUser LDAP attribute name in user entry referenced as member in groups ✔ - ldapGroupObjectClass LDAP object class of groups ✔ + ldapGroupBase ✔ - ldapGroupRecursive LDAP recursive search in groups ✔ + ldapGroupObjectClass LDAP object class of groups ✔ - ldapPasswordResetAttribute LDAP password reset attribute ✔ + ldapGroupRecursive LDAP recursive search in groups ✔ - ldapPasswordResetAttributeValue LDAP password reset value ✔ + ldapPasswordResetAttribute LDAP password reset attribute ✔ - ldapPort LDAP port ✔ + ldapPasswordResetAttributeValue LDAP password reset value ✔ - ldapPpolicyControl ✔ + ldapPort LDAP port ✔ - ldapPwdEnc LDAP password encoding ✔ + ldapPpolicyControl ✔ - ldapRaw ✔ + ldapPwdEnc LDAP password encoding ✔ - ldapSearchDeref “deref” param of Net::LDAP::search() ✔ + ldapRaw ✔ - ldapServer LDAP server (host or URI) ✔ + ldapSearchDeref “deref” param of Net::LDAP::search() ✔ - ldapSetPassword ✔ + ldapServer LDAP server (host or URI) ✔ - ldapTimeout LDAP connection timeout ✔ + ldapSetPassword ✔ - ldapUsePasswordResetAttribute LDAP store reset flag in an attribute ✔ + ldapTimeout LDAP connection timeout ✔ - ldapVersion LDAP protocol version ✔ + ldapUsePasswordResetAttribute LDAP store reset flag in an attribute ✔ - linkedInAuthnLevel LinkedIn authentication level ✔ + ldapVersion LDAP protocol version ✔ - linkedInClientID ✔ + linkedInAuthnLevel LinkedIn authentication level ✔ - linkedInClientSecret ✔ + linkedInClientID ✔ - linkedInFields ✔ + linkedInClientSecret ✔ - linkedInScope ✔ + linkedInFields ✔ - linkedInUserField ✔ + linkedInScope ✔ - localSessionStorage Local sessions cache module ✔ + 
linkedInUserField ✔ - localSessionStorageOptions Sessions cache module options ✔ + localSessionStorage Local sessions cache module ✔ - localStorage Local cache ✔ ✔ ✔ ✔ + localSessionStorageOptions Sessions cache module options ✔ - localStorageOptions Local cache parameters ✔ ✔ ✔ ✔ + localStorage Local cache ✔ ✔ ✔ ✔ - log4perlConfFile Log4Perl logger configuration file ✔ ✔ ✔ ✔ + localStorageOptions Local cache parameters ✔ ✔ ✔ ✔ - logLevel Log level, must be set in .ini ✔ ✔ ✔ ✔ + log4perlConfFile Log4Perl logger configuration file ✔ ✔ ✔ ✔ - logger technical logger ✔ ✔ ✔ ✔ + logLevel Log level, must be set in .ini ✔ ✔ ✔ ✔ - loginHistoryEnabled Enable login history ✔ + logger technical logger ✔ ✔ ✔ ✔ - logoutServices Send logout trough GET request to these services ✔ + loginHistoryEnabled Enable login history ✔ - lwpOpts Options given to LWP::UserAgent ✔ + logoutServices Send logout trough GET request to these services ✔ - lwpSslOpts SSL options given to LWP::UserAgent ✔ + lwpOpts Options given to LWP::UserAgent ✔ - macros Macros ✔ + lwpSslOpts SSL options given to LWP::UserAgent ✔ - mailBody Custom mail body ✔ + macros Macros ✔ - mailCharset Mail charset ✔ + mailBody Custom mail body ✔ - mailConfirmBody Custom confirm mail body ✔ + mailCharset Mail charset ✔ - mailConfirmSubject Mail subject for reset confirmation ✔ + mailConfirmBody Custom confirm mail body ✔ - mailFrom Sender email ✔ + mailConfirmSubject Mail subject for reset confirmation ✔ - mailLDAPFilter LDAP filter for mail search ✔ + mailFrom Sender email ✔ - mailOnPasswordChange Send a mail when password is changed ✔ + mailLDAPFilter LDAP filter for mail search ✔ - mailReplyTo Reply-To address ✔ + mailOnPasswordChange Send a mail when password is changed ✔ - mailSessionKey Session parameter where mail is stored ✔ + mailReplyTo Reply-To address ✔ - mailSubject Mail subject for new password email ✔ + mailSessionKey Session parameter where mail is stored ✔ - mailTimeout Mail session timeout ✔ + mailSubject Mail 
subject for new password email ✔ - mailUrl URL of password reset page ✔ + mailTimeout Mail session timeout ✔ - maintenance Maintenance mode for all virtual hosts ✔ + mailUrl URL of password reset page ✔ - managerDn LDAP manager DN ✔ + maintenance Maintenance mode for all virtual hosts ✔ - managerPassword LDAP manager Password ✔ + managerDn LDAP manager DN ✔ - max2FDevices Maximum registered 2F devices ✔ ✔ + managerPassword LDAP manager Password ✔ - max2FDevicesNameLength Maximum 2F devices name length ✔ ✔ + max2FDevices Maximum registered 2F devices ✔ ✔ - multiValuesSeparator Separator for multiple values ✔ ✔ ✔ + max2FDevicesNameLength Maximum 2F devices name length ✔ ✔ - mySessionAuthorizedRWKeys Alterable session keys by user itself ✔ ✔ + multiValuesSeparator Separator for multiple values ✔ ✔ ✔ - nginxCustomHandlers Custom Nginx handler (deprecated) ✔ + mySessionAuthorizedRWKeys Alterable session keys by user itself ✔ ✔ - noAjaxHook Avoid replacing 302 by 401 for Ajax responses ✔ + nginxCustomHandlers Custom Nginx handler (deprecated) ✔ - notification Notification activation ✔ + noAjaxHook Avoid replacing 302 by 401 for Ajax responses ✔ - notificationServer Notification server activation ✔ + notification Notification activation ✔ - notificationStorage Notification backend ✔ + notificationServer Notification server activation ✔ - notificationStorageOptions Notification backend options ✔ + notificationStorage Notification backend ✔ - notificationWildcard Notification string to match all users ✔ + notificationStorageOptions Notification backend options ✔ - notificationXSLTfile Custom XSLT document for notifications ✔ + notificationWildcard Notification string to match all users ✔ - notifyDeleted Show deleted sessions in portal ✔ + notificationXSLTfile Custom XSLT document for notifications ✔ - notifyOther Show other sessions in portal ✔ + notifyDeleted Show deleted sessions in portal ✔ - nullAuthnLevel Null authentication level ✔ + notifyOther Show other sessions in 
portal ✔ - oidcAuthnLevel OpenID Connect authentication level ✔ + nullAuthnLevel Null authentication level ✔ - oidcOPMetaDataOptions ✔ [1] + oidcAuthnLevel OpenID Connect authentication level ✔ - oidcRPCallbackGetParam OpenID Connect Callback GET URLparameter ✔ + oidcOPMetaDataOptions ✔ [1] - oidcRPMetaDataOptions ✔ [1] + oidcRPCallbackGetParam OpenID Connect Callback GET URLparameter ✔ - oidcRPStateTimeout OpenID Connect Timeout of state sessions ✔ + oidcRPMetaDataOptions ✔ [1] - oidcServiceAllowAuthorizationCodeFlow OpenID Connect allow authorization code flow ✔ + oidcRPStateTimeout OpenID Connect Timeout of state sessions ✔ - oidcServiceAllowDynamicRegistration OpenID Connect allow dynamic client registration ✔ + oidcServiceAllowAuthorizationCodeFlow OpenID Connect allow authorization code flow ✔ - oidcServiceAllowHybridFlow OpenID Connect allow hybrid flow ✔ + oidcServiceAllowDynamicRegistration OpenID Connect allow dynamic client registration ✔ - oidcServiceAllowImplicitFlow OpenID Connect allow implicit flow ✔ + oidcServiceAllowHybridFlow OpenID Connect allow hybrid flow ✔ - oidcServiceKeyIdSig OpenID Connect Signature Key ID ✔ + oidcServiceAllowImplicitFlow OpenID Connect allow implicit flow ✔ - oidcServiceMetaDataAuthnContext OpenID Connect Authentication Context Class Ref ✔ + oidcServiceKeyIdSig OpenID Connect Signature Key ID ✔ - oidcServiceMetaDataAuthorizeURI OpenID Connect authorizaton endpoint ✔ + oidcServiceMetaDataAuthnContext OpenID Connect Authentication Context Class Ref ✔ - oidcServiceMetaDataBackChannelURI OpenID Connect Front-Channel logout endpoint ✔ + oidcServiceMetaDataAuthorizeURI OpenID Connect authorizaton endpoint ✔ - oidcServiceMetaDataCheckSessionURI OpenID Connect check session iframe ✔ + oidcServiceMetaDataBackChannelURI OpenID Connect Front-Channel logout endpoint ✔ - oidcServiceMetaDataEndSessionURI OpenID Connect end session endpoint ✔ + oidcServiceMetaDataCheckSessionURI OpenID Connect check session iframe ✔ - 
oidcServiceMetaDataFrontChannelURI OpenID Connect Front-Channel logout endpoint ✔ + oidcServiceMetaDataEndSessionURI OpenID Connect end session endpoint ✔ - oidcServiceMetaDataIssuer OpenID Connect issuer ✔ + oidcServiceMetaDataFrontChannelURI OpenID Connect Front-Channel logout endpoint ✔ - oidcServiceMetaDataJWKSURI OpenID Connect JWKS endpoint ✔ + oidcServiceMetaDataIssuer OpenID Connect issuer ✔ - oidcServiceMetaDataRegistrationURI OpenID Connect registration endpoint ✔ + oidcServiceMetaDataJWKSURI OpenID Connect JWKS endpoint ✔ - oidcServiceMetaDataTokenURI OpenID Connect token endpoint ✔ + oidcServiceMetaDataRegistrationURI OpenID Connect registration endpoint ✔ - oidcServiceMetaDataUserInfoURI OpenID Connect user info endpoint ✔ + oidcServiceMetaDataTokenURI OpenID Connect token endpoint ✔ - oidcServicePrivateKeySig ✔ + oidcServiceMetaDataUserInfoURI OpenID Connect user info endpoint ✔ - oidcServicePublicKeySig ✔ + oidcServicePrivateKeySig ✔ - oidcStorage Apache::Session module to store OIDC user data ✔ + oidcServicePublicKeySig ✔ - oidcStorageOptions Apache::Session module parameters ✔ + oidcStorage Apache::Session module to store OIDC user data ✔ - oldNotifFormat Use old XML format for notifications ✔ + oidcStorageOptions Apache::Session module parameters ✔ - openIdAttr ✔ + oldNotifFormat Use old XML format for notifications ✔ - openIdAuthnLevel OpenID authentication level ✔ + openIdAttr ✔ - openIdExportedVars OpenID exported variables ✔ + openIdAuthnLevel OpenID authentication level ✔ - openIdIDPList ✔ + openIdExportedVars OpenID exported variables ✔ - openIdIssuerSecret ✔ + openIdIDPList ✔ - openIdSPList ✔ + openIdIssuerSecret ✔ - openIdSecret ✔ + openIdSPList ✔ - openIdSreg_country ✔ + openIdSecret ✔ - openIdSreg_dob ✔ + openIdSreg_country ✔ - openIdSreg_email OpenID SREG email session parameter ✔ + openIdSreg_dob ✔ - openIdSreg_fullname OpenID SREG fullname session parameter ✔ + openIdSreg_email OpenID SREG email session parameter ✔ - openIdSreg_gender 
✔ + openIdSreg_fullname OpenID SREG fullname session parameter ✔ - openIdSreg_language ✔ + openIdSreg_gender ✔ - openIdSreg_nickname OpenID SREG nickname session parameter ✔ + openIdSreg_language ✔ - openIdSreg_postcode ✔ + openIdSreg_nickname OpenID SREG nickname session parameter ✔ - openIdSreg_timezone OpenID SREG timezone session parameter ✔ + openIdSreg_postcode ✔ - pamAuthnLevel PAM authentication level ✔ + openIdSreg_timezone OpenID SREG timezone session parameter ✔ - pamService PAM service ✔ + pamAuthnLevel PAM authentication level ✔ - passwordDB Password module ✔ + pamService PAM service ✔ - persistentStorage Storage module for persistent sessions ✔ + passwordDB Password module ✔ - persistentStorageOptions Options for persistent sessions storage module ✔ + persistentStorage Storage module for persistent sessions ✔ - port Force port in redirection ✔ + persistentStorageOptions Options for persistent sessions storage module ✔ - portal Portal URL ✔ ✔ ✔ + port Force port in redirection ✔ - portalAntiFrame Avoid portal to be displayed inside frames ✔ + portal Portal URL ✔ ✔ ✔ - portalCheckLogins Display login history checkbox in portal ✔ + portalAntiFrame Avoid portal to be displayed inside frames ✔ - portalDisplayAppslist Display applications tab in portal ✔ + portalCheckLogins Display login history checkbox in portal ✔ - portalDisplayChangePassword Display password tab in portal ✔ + portalDisplayAppslist Display applications tab in portal ✔ - portalDisplayLoginHistory Display login history tab in portal ✔ + portalDisplayChangePassword Display password tab in portal ✔ - portalDisplayLogout Display logout tab in portal ✔ + portalDisplayLoginHistory Display login history tab in portal ✔ - portalDisplayOidcConsents Display OIDC consent tab in portal ✔ + portalDisplayLogout Display logout tab in portal ✔ - portalDisplayRegister Display register button in portal ✔ + portalDisplayOidcConsents Display OIDC consent tab in portal ✔ - portalDisplayResetPassword Display 
reset password button in portal ✔ + portalDisplayRegister Display register button in portal ✔ - portalErrorOnExpiredSession Show error if session is expired ✔ + portalDisplayResetPassword Display reset password button in portal ✔ - portalErrorOnMailNotFound Show error if mail is not found in password reset process ✔ + portalErrorOnExpiredSession Show error if session is expired ✔ - portalForceAuthnInterval Minimum number of seconds since last authentifcation to force reauthentication ✔ + portalErrorOnMailNotFound Show error if mail is not found in password reset process ✔ - portalOpenLinkInNewWindow Open applications in new windows ✔ + portalForceAuthnInterval Minimum number of seconds since last authentifcation to force reauthentication ✔ - portalPingInterval Interval in ms between portal Ajax pings ✔ + portalOpenLinkInNewWindow Open applications in new windows ✔ - portalRequireOldPassword Old password is required to change the password ✔ + portalPingInterval Interval in ms between portal Ajax pings ✔ - portalSkin Name of portal skin ✔ + portalRequireOldPassword Old password is required to change the password ✔ - portalSkinBackground Background image of portal skin ✔ + portalSkin Name of portal skin ✔ - portalSkinRules Rules to choose portal skin ✔ + portalSkinBackground Background image of portal skin ✔ - portalStatus Enable portal status ✔ + portalSkinRules Rules to choose portal skin ✔ - portalUserAttr Session parameter to display connected user in portal ✔ + portalStatus Enable portal status ✔ - protection Manager protection method ✔ ✔ ✔ + portalUserAttr Session parameter to display connected user in portal ✔ - proxyAuthService ✔ + protection Manager protection method ✔ ✔ ✔ - proxyAuthnLevel Proxy authentication level ✔ + proxyAuthService ✔ - proxySessionService ✔ + proxyAuthnLevel Proxy authentication level ✔ - proxyUseSoap Use SOAP instead of REST ✔ + proxySessionService ✔ - radiusAuthnLevel Radius authentication level ✔ + proxyUseSoap Use SOAP instead of 
REST ✔ - radiusSecret ✔ + radiusAuthnLevel Radius authentication level ✔ - radiusServer ✔ + radiusSecret ✔ - randomPasswordRegexp Regular expression to create a random password ✔ + radiusServer ✔ - redirectFormMethod HTTP method for redirect page form ✔ + randomPasswordRegexp Regular expression to create a random password ✔ - registerConfirmSubject Mail subject for register confirmation ✔ + redirectFormMethod HTTP method for redirect page form ✔ - registerDB Register module ✔ + registerConfirmSubject Mail subject for register confirmation ✔ - registerDoneSubject Mail subject when register is done ✔ + registerDB Register module ✔ - registerTimeout Register session timeout ✔ + registerDoneSubject Mail subject when register is done ✔ - registerUrl URL of register page ✔ + registerTimeout Register session timeout ✔ - reloadUrls URL to call on reload ✔ + registerUrl URL of register page ✔ - remoteCookieName ✔ + reloadUrls URL to call on reload ✔ - remoteGlobalStorage Remote session backend ✔ + remoteCookieName ✔ - remoteGlobalStorageOptions Apache::Session module parameters ✔ + remoteGlobalStorage Remote session backend ✔ - remotePortal ✔ + remoteGlobalStorageOptions Apache::Session module parameters ✔ - requireToken Enable token for forms ✔ + remotePortal ✔ - rest2fActivation REST second factor activation ✔ + requireToken Enable token for forms ✔ - rest2fAuthnLevel Authentication level for users authentified by REST second factor ✔ + rest2fActivation REST second factor activation ✔ - rest2fInitArgs Args for REST 2F init ✔ + rest2fAuthnLevel Authentication level for users authentified by REST second factor ✔ - rest2fInitUrl REST 2F init URL ✔ + rest2fInitArgs Args for REST 2F init ✔ - rest2fLogo Custom logo for REST 2F ✔ + rest2fInitUrl REST 2F init URL ✔ - rest2fVerifyArgs Args for REST 2F init ✔ + rest2fLogo Custom logo for REST 2F ✔ - rest2fVerifyUrl REST 2F init URL ✔ + rest2fVerifyArgs Args for REST 2F init ✔ - restAuthUrl ✔ + rest2fVerifyUrl REST 2F init URL ✔ - 
restConfigServer Enable REST config server ✔ + restAuthUrl ✔ - restPwdConfirmUrl ✔ + restConfigServer Enable REST config server ✔ - restPwdModifyUrl ✔ + restPwdConfirmUrl ✔ - restSessionServer Enable REST session server ✔ + restPwdModifyUrl ✔ - restUserDBUrl ✔ + restSessionServer Enable REST session server ✔ - samlAttributeAuthorityDescriptorAttributeServiceSOAP SAML Attribute Authority SOAP ✔ + restUserDBUrl ✔ - samlAuthnContextMapKerberos SAML authn context kerberos level ✔ + samlAttributeAuthorityDescriptorAttributeServiceSOAP SAML Attribute Authority SOAP ✔ - samlAuthnContextMapPassword SAML authn context password level ✔ + samlAuthnContextMapKerberos SAML authn context kerberos level ✔ - samlAuthnContextMapPasswordProtectedTransport SAML authn context password protected transport level ✔ + samlAuthnContextMapPassword SAML authn context password level ✔ - samlAuthnContextMapTLSClient SAML authn context TLS client level ✔ + samlAuthnContextMapPasswordProtectedTransport SAML authn context password protected transport level ✔ - samlCommonDomainCookieActivation SAML CDC activation ✔ + samlAuthnContextMapTLSClient SAML authn context TLS client level ✔ - samlCommonDomainCookieDomain ✔ + samlCommonDomainCookieActivation SAML CDC activation ✔ - samlCommonDomainCookieReader ✔ + samlCommonDomainCookieDomain ✔ - samlCommonDomainCookieWriter ✔ + samlCommonDomainCookieReader ✔ - samlEntityID SAML service entityID ✔ + samlCommonDomainCookieWriter ✔ - samlIDPMetaDataOptions ✔ [1] + samlEntityID SAML service entityID ✔ - samlIDPSSODescriptorArtifactResolutionServiceArtifact SAML IDP artifact resolution service ✔ + samlIDPMetaDataOptions ✔ [1] - samlIDPSSODescriptorSingleLogoutServiceHTTPPost SAML IDP SLO HTTP POST ✔ + samlIDPSSODescriptorArtifactResolutionServiceArtifact SAML IDP artifact resolution service ✔ - samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect SAML IDP SLO HTTP Redirect ✔ + samlIDPSSODescriptorSingleLogoutServiceHTTPPost SAML IDP SLO HTTP POST ✔ - 
samlIDPSSODescriptorSingleLogoutServiceSOAP SAML IDP SLO SOAP ✔ + samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect SAML IDP SLO HTTP Redirect ✔ - samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact SAML IDP SSO HTTP Artifact ✔ + samlIDPSSODescriptorSingleLogoutServiceSOAP SAML IDP SLO SOAP ✔ - samlIDPSSODescriptorSingleSignOnServiceHTTPPost SAML IDP SSO HTTP POST ✔ + samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact SAML IDP SSO HTTP Artifact ✔ - samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect SAML IDP SSO HTTP Redirect ✔ + samlIDPSSODescriptorSingleSignOnServiceHTTPPost SAML IDP SSO HTTP POST ✔ - samlIDPSSODescriptorWantAuthnRequestsSigned SAML IDP want authn request signed ✔ + samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect SAML IDP SSO HTTP Redirect ✔ - samlIdPResolveCookie SAML IDP resolution cookie ✔ + samlIDPSSODescriptorWantAuthnRequestsSigned SAML IDP want authn request signed ✔ - samlMetadataForceUTF8 SAML force metadata UTF8 conversion ✔ + samlIdPResolveCookie SAML IDP resolution cookie ✔ - samlNameIDFormatMapEmail SAML session parameter for NameID email ✔ + samlMetadataForceUTF8 SAML force metadata UTF8 conversion ✔ - samlNameIDFormatMapKerberos SAML session parameter for NameID kerberos ✔ + samlNameIDFormatMapEmail SAML session parameter for NameID email ✔ - samlNameIDFormatMapWindows SAML session parameter for NameID windows ✔ + samlNameIDFormatMapKerberos SAML session parameter for NameID kerberos ✔ - samlNameIDFormatMapX509 SAML session parameter for NameID x509 ✔ + samlNameIDFormatMapWindows SAML session parameter for NameID windows ✔ - samlOrganizationDisplayName SAML service organization display name ✔ + samlNameIDFormatMapX509 SAML session parameter for NameID x509 ✔ - samlOrganizationName SAML service organization name ✔ + samlOrganizationDisplayName SAML service organization display name ✔ - samlOrganizationURL SAML service organization URL ✔ + samlOrganizationName SAML service organization name ✔ - samlRelayStateTimeout SAML 
timeout of relay state ✔ + samlOrganizationURL SAML service organization URL ✔ - samlSPMetaDataOptions ✔ [1] + samlRelayStateTimeout SAML timeout of relay state ✔ - samlSPSSODescriptorArtifactResolutionServiceArtifact SAML SP artifact resolution service ✔ + samlSPMetaDataOptions ✔ [1] - samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact SAML SP ACS HTTP artifact ✔ + samlSPSSODescriptorArtifactResolutionServiceArtifact SAML SP artifact resolution service ✔ - samlSPSSODescriptorAssertionConsumerServiceHTTPPost SAML SP ACS HTTP POST ✔ + samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact SAML SP ACS HTTP artifact ✔ - samlSPSSODescriptorAuthnRequestsSigned SAML SP AuthnRequestsSigned ✔ + samlSPSSODescriptorAssertionConsumerServiceHTTPPost SAML SP ACS HTTP POST ✔ - samlSPSSODescriptorSingleLogoutServiceHTTPPost SAML SP SLO HTTP POST ✔ + samlSPSSODescriptorAuthnRequestsSigned SAML SP AuthnRequestsSigned ✔ - samlSPSSODescriptorSingleLogoutServiceHTTPRedirect SAML SP SLO HTTP Redirect ✔ + samlSPSSODescriptorSingleLogoutServiceHTTPPost SAML SP SLO HTTP POST ✔ - samlSPSSODescriptorSingleLogoutServiceSOAP SAML SP SLO SOAP ✔ + samlSPSSODescriptorSingleLogoutServiceHTTPRedirect SAML SP SLO HTTP Redirect ✔ - samlSPSSODescriptorWantAssertionsSigned SAML SP WantAssertionsSigned ✔ + samlSPSSODescriptorSingleLogoutServiceSOAP SAML SP SLO SOAP ✔ - samlServicePrivateKeyEnc SAML encryption private key ✔ + samlSPSSODescriptorWantAssertionsSigned SAML SP WantAssertionsSigned ✔ - samlServicePrivateKeyEncPwd ✔ + samlServicePrivateKeyEnc SAML encryption private key ✔ - samlServicePrivateKeySig SAML signature private key ✔ + samlServicePrivateKeyEncPwd ✔ - samlServicePrivateKeySigPwd SAML signature private key password ✔ + samlServicePrivateKeySig SAML signature private key ✔ - samlServicePublicKeyEnc SAML encryption public key ✔ + samlServicePrivateKeySigPwd SAML signature private key password ✔ - samlServicePublicKeySig SAML signature public key ✔ + samlServicePublicKeyEnc SAML 
encryption public key ✔ - samlServiceSignatureMethod ✔ + samlServicePublicKeySig SAML signature public key ✔ - samlServiceUseCertificateInResponse Use certificate instead of public key in SAML responses ✔ + samlServiceSignatureMethod ✔ - samlStorage Apache::Session module to store SAML user data ✔ + samlServiceUseCertificateInResponse Use certificate instead of public key in SAML responses ✔ - samlStorageOptions Apache::Session module parameters ✔ + samlStorage Apache::Session module to store SAML user data ✔ - samlUseQueryStringSpecific SAML use specific method for query_string ✔ + samlStorageOptions Apache::Session module parameters ✔ - secureTokenAllowOnError Secure Token allow requests in error ✔ ✔ + samlUseQueryStringSpecific SAML use specific method for query_string ✔ - secureTokenAttribute Secure Token attribute ✔ ✔ + secureTokenAllowOnError Secure Token allow requests in error ✔ ✔ - secureTokenExpiration Secure Token expiration ✔ ✔ + secureTokenAttribute Secure Token attribute ✔ ✔ - secureTokenHeader Secure Token header ✔ ✔ + secureTokenExpiration Secure Token expiration ✔ ✔ - secureTokenMemcachedServers Secure Token Memcached servers ✔ ✔ + secureTokenHeader Secure Token header ✔ ✔ - secureTokenUrls ✔ ✔ + secureTokenMemcachedServers Secure Token Memcached servers ✔ ✔ - securedCookie Cookie securisation method ✔ ✔ + secureTokenUrls ✔ ✔ - sentryDsn Sentry logger DSN ✔ ✔ ✔ ✔ + securedCookie Cookie securisation method ✔ ✔ - sessionDataToRemember Data to remember in login history ✔ + sentryDsn Sentry logger DSN ✔ ✔ ✔ ✔ - sfEngine Second factor engine ✔ ✔ + sessionDataToRemember Data to remember in login history ✔ - singleIP Allow only one session per IP ✔ + sfEngine Second factor engine ✔ ✔ - singleSession Allow only one session per user ✔ + singleIP Allow only one session per IP ✔ - singleSessionUserByIP Allow only one session per user on an IP ✔ + singleSession Allow only one session per user ✔ - singleUserByIP Allow only one user per IP ✔ + 
singleSessionUserByIP Allow only one session per user on an IP ✔ - skipRenewConfirmation Avoid asking confirmation when an Issuer asks to renew auth ✔ + singleUserByIP Allow only one user per IP ✔ - slaveAuthnLevel Slave authentication level ✔ + skipRenewConfirmation Avoid asking confirmation when an Issuer asks to renew auth ✔ - slaveExportedVars Slave exported variables ✔ + slaveAuthnLevel Slave authentication level ✔ - slaveHeaderContent ✔ + slaveExportedVars Slave exported variables ✔ - slaveHeaderName ✔ + slaveHeaderContent ✔ - slaveMasterIP ✔ + slaveHeaderName ✔ - slaveUserHeader ✔ + slaveMasterIP ✔ - soapConfigServer Enable SOAP config server ✔ + slaveUserHeader ✔ - soapSessionServer Enable SOAP session server ✔ + soapConfigServer Enable SOAP config server ✔ - sslByAjax Use Ajax request for SSL ✔ + soapSessionServer Enable SOAP session server ✔ - sslHost URL for SSL Ajax request ✔ + sslByAjax Use Ajax request for SSL ✔ - staticPrefix Prefix of static files for HTML templates ✔ ✔ + sslHost URL for SSL Ajax request ✔ - status Status daemon activation ✔ ✔ + staticPrefix Prefix of static files for HTML templates ✔ ✔ - stayConnected Enable StayConnected plugin ✔ + status Status daemon activation ✔ ✔ - storePassword Store password in session ✔ + stayConnected Enable StayConnected plugin ✔ - successLoginNumber Number of success stored in login history ✔ + storePassword Store password in session ✔ - syslogFacility Syslog logger technical facility ✔ ✔ ✔ ✔ + successLoginNumber Number of success stored in login history ✔ - timeout Session timeout on server side ✔ + syslogFacility Syslog logger technical facility ✔ ✔ ✔ ✔ - timeoutActivity Session activity timeout on server side ✔ + timeout Session timeout on server side ✔ - timeoutActivityInterval Update session timeout interval on server side ✔ + timeoutActivity Session activity timeout on server side ✔ - tokenUseGlobalStorage Enable global token storage ✔ + timeoutActivityInterval Update session timeout interval on 
server side ✔ - totp2fActivation TOTP activation ✔ + tokenUseGlobalStorage Enable global token storage ✔ - totp2fAuthnLevel Authentication level for users authentified by password+TOTP ✔ + totp2fActivation TOTP activation ✔ - totp2fDigits Number of digits for TOTP code ✔ + totp2fAuthnLevel Authentication level for users authentified by password+TOTP ✔ - totp2fDisplayExistingSecret Display existing TOTP secret in registration form ✔ + totp2fDigits Number of digits for TOTP code ✔ - totp2fInterval TOTP interval ✔ + totp2fDisplayExistingSecret Display existing TOTP secret in registration form ✔ - totp2fIssuer TOTP Issuer ✔ + totp2fInterval TOTP interval ✔ - totp2fRange TOTP range (number of interval to test) ✔ + totp2fIssuer TOTP Issuer ✔ - totp2fSelfRegistration TOTP self registration activation ✔ + totp2fRange TOTP range (number of interval to test) ✔ - totp2fUserCanChangeKey Authorize users to change existing TOTP secret ✔ + totp2fSelfRegistration TOTP self registration activation ✔ - totp2fUserCanRemoveKey Authorize users to remove existing TOTP secret ✔ + totp2fUserCanChangeKey Authorize users to change existing TOTP secret ✔ - trustedDomains Trusted domains ✔ + totp2fUserCanRemoveKey Authorize users to remove existing TOTP secret ✔ - trustedProxies Trusted proxies ✔ + trustedDomains Trusted domains ✔ - twitterAppName ✔ + trustedProxies Trusted proxies ✔ - twitterAuthnLevel Twitter authentication level ✔ + twitterAppName ✔ - twitterKey ✔ + twitterAuthnLevel Twitter authentication level ✔ - twitterSecret ✔ + twitterKey ✔ - u2fActivation U2F activation ✔ + twitterSecret ✔ - u2fAuthnLevel Authentication level for users authentified by password+U2F ✔ + twitterUserField ✔ - u2fSelfRegistration U2F self registration activation ✔ + u2fActivation U2F activation ✔ - u2fUserCanRemoveKey Authorize users to remove existing U2F key ✔ + u2fAuthnLevel Authentication level for users authentified by password+U2F ✔ - upgradeSession Upgrade session activation ✔ + 
u2fSelfRegistration U2F self registration activation ✔ - useRedirectOnError Use 302 redirect code for error (500) ✔ + u2fUserCanRemoveKey Authorize users to remove existing U2F key ✔ - useRedirectOnForbidden Use 302 redirect code for forbidden (403) ✔ + upgradeSession Upgrade session activation ✔ - useSafeJail Activate Safe jail ✔ ✔ + useRedirectOnError Use 302 redirect code for error (500) ✔ - userControl Regular expression to validate login ✔ + useRedirectOnForbidden Use 302 redirect code for forbidden (403) ✔ - userDB User module ✔ + useSafeJail Activate Safe jail ✔ ✔ - userLogger User actions logger ✔ ✔ ✔ ✔ + userControl Regular expression to validate login ✔ - userPivot ✔ + userDB User module ✔ - userSyslogFacility Syslog logger user-actions facility ✔ ✔ ✔ ✔ + userLogger User actions logger ✔ ✔ ✔ ✔ - utotp2fActivation UTOTP activation (mixed U2F/TOTP module) ✔ + userPivot ✔ - utotp2fAuthnLevel Authentication level for users authentified by password+(U2F or TOTP) ✔ + userSyslogFacility Syslog logger user-actions facility ✔ ✔ ✔ ✔ - vhostOptions ✔ [1] + utotp2fActivation UTOTP activation (mixed U2F/TOTP module) ✔ - webIDAuthnLevel WebID authentication level ✔ + utotp2fAuthnLevel Authentication level for users authentified by password+(U2F or TOTP) ✔ - webIDExportedVars WebID exported variables ✔ + vhostOptions ✔ [1] - webIDWhitelist ✔ + webIDAuthnLevel WebID authentication level ✔ - whatToTrace Session parameter used to fill REMOTE_USER ✔ ✔ + webIDExportedVars WebID exported variables ✔ - yubikey2fActivation Yubikey second factor activation ✔ + webIDWhitelist ✔ - yubikey2fAuthnLevel Authentication level for users authentified by Yubikey second factor ✔ + whatToTrace Session parameter used to fill REMOTE_USER ✔ ✔ - yubikey2fClientID Yubico client ID ✔ + yubikey2fActivation Yubikey second factor activation ✔ - yubikey2fNonce Yubico nonce ✔ + yubikey2fAuthnLevel Authentication level for users authentified by Yubikey second factor ✔ - yubikey2fPublicIDSize Yubikey 
public ID size ✔ + yubikey2fClientID Yubico client ID ✔ - yubikey2fSecretKey Yubico secret key ✔ + yubikey2fNonce Yubico nonce ✔ - yubikey2fSelfRegistration Yubikey self registration activation ✔ + yubikey2fPublicIDSize Yubikey public ID size ✔ - yubikey2fUrl Yubico server ✔ + yubikey2fSecretKey Yubico secret key ✔ - yubikey2fUserCanRemoveKey Authorize users to remove existing Yubikey ✔ + yubikey2fSelfRegistration Yubikey self registration activation ✔ - zimbraAccountKey Zimbra account session key ✔ ✔ + yubikey2fUrl Yubico server ✔ - zimbraBy Zimbra account type ✔ ✔ + yubikey2fUserCanRemoveKey Authorize users to remove existing Yubikey ✔ - zimbraPreAuthKey Zimbra preauthentication key ✔ ✔ + zimbraAccountKey Zimbra account session key ✔ ✔ - zimbraSsoUrl Zimbra local SSO URL pattern ✔ ✔ + zimbraBy Zimbra account type ✔ ✔ + zimbraPreAuthKey Zimbra preauthentication key ✔ ✔ + + + zimbraSsoUrl Zimbra local SSO URL pattern ✔ ✔ + + zimbraUrl Zimbra preauthentication URL ✔ ✔ - +

    [1]: complex nodes

    - +

    Configuration backend parameters
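Review bot: the two rows this hunk actually introduces, `twitterUserField` and `zimbraUrl`, are hard to spot because every row after them is re-emitted as a -/+ pair; `twitterUserField` is added with an empty description column, unlike `twitterAuthnLevel`, so give it a short description (and do the same for the pre-existing `twitterKey` and `twitterSecret` rows while the table is being regenerated). Since all of these rows are rewritten anyway, this is the moment to fix the wording carried through them: "authentified" should be "authenticated" in the `totp2fAuthnLevel`, `u2fAuthnLevel`, `utotp2fAuthnLevel` and `yubikey2fAuthnLevel` descriptions, "Cookie securisation method" should be "Cookie security method" for `securedCookie`, and "number of interval to test" should be "number of intervals to test" for `totp2fRange`.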

    @@ -1385,50 +1391,86 @@ The attribute key name can be used directly in lemonldap-ng.ini or - + - + - + - + - + - + - + - + - + - + - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    DBI connection string dbiChain CDBI / RDBI Directory dirName File
    DBI user dbiUser DBI connection string dbiChain CDBI / RDBI
    DBI password dbiPassword DBI user dbiUser
    DBI table name dbiTable DBI password dbiPassword
    Storage directory dirName File DBI table name dbiTable
    LDAP server ldapServer LDAP Storage directory dirName File / YAML
    LDAP port ldapPort LDAP server ldapServer LDAP
    LDAP base ldapConfBase LDAP port ldapPort
    LDAP bind dn ldapBindDN LDAP base ldapConfBase
    LDAP bind password ldapBindPassword LDAP bind dn ldapBindDN
    Certificate authorities file caFile LDAP bind password ldapBindPassword
    Certificate authorities directory caPath LDAP ObjectClass ldapObjectClass
    SOAP server location (URL) proxy SOAP LDAP ID attribute ldapAttributeId
    LDAP content atribute ldapAttributeContent
    Certificate authorities file caFile
    Certificate authorities directory caPath
    MongoDB database dbName MongoDB
    MongoDB collection collectionName
    REST base URL baseUrl REST
    REST realm realm
    REST user user
    REST password password
    SOAP server location (URL) proxy SOAP
    LWP::UserAgent parameters proxyOptions
    SOAP user User
    SOAP password Password
    - +
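Review bot: "LDAP content atribute" in the new `ldapAttributeContent` row is misspelled; it should read "LDAP content attribute". Also, the new REST backend rows use lower-case keys (`user`, `password`) while the SOAP rows right below keep `User` and `Password`; please confirm each spelling against the key names the backends actually read, since this table is what administrators copy into lemonldap-ng.ini.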
    - + diff --git a/doc/pages/documentation/current/plugincustom.html b/doc/pages/documentation/current/plugincustom.html new file mode 100644 index 000000000..11718ff5b --- /dev/null +++ b/doc/pages/documentation/current/plugincustom.html @@ -0,0 +1,160 @@ + + + + + documentation:2.0:plugincustom + + + + + + + + + + + + + + + + + + + + +
    + + + + +

    Write a custom plugin

    +
    + +
    + +

    Presentation

    +
    + +

    +You can now write a custom portal plugin that will hook in the authentication process: +

    +
      +
    • beforeAuth: method called before authentication process
      +
    • +
    • betweenAuthAndData: method called after authentication and before setting “sessionInfo” provisionning
      +
    • +
    • afterData: method called after “sessionInfo” provisionning
      +
    • +
    • endAuth: method called when session is validated (after cookie build)
      +
    • +
    • authCancel: method called when user click on “cancel” during auth process
      +
    • +
    • forAuthUser: method called for already authenticated users
      +
    • +
    • beforeLogout: method called before logout
      +
    • +
    + +

    +The plugin can also define new routes and call actions on them. +

    + +

    +See also Lemonldap::NG::Portal::Main::Plugin man page. +

    + +
    + +

    Example

    +
    + +
    + +

    Plugin Perl module

    +
    + +

    +Create for example the MyPlugin module: +

    +
    vi /usr/share/perl5/Lemonldap/NG/Portal/MyPlugin.pm
    +
    package Lemonldap::NG::Portal::MyPlugin;
    + 
    +use Mouse;
    +use Lemonldap::NG::Portal::Main::Constants;
    +extends 'Lemonldap::NG::Portal::Main::Plugin';
    + 
    +use constant beforeAuth => 'verifyIP';
    + 
    +sub init {
    +          my ($self) = @_;
    +          $self->addUnauthRoute( mypath => 'hello', [ 'GET', 'PUT' ] );
    +          $self->addAuthRoute( mypath => 'welcome', [ 'GET', 'PUT' ] );
    +          return 1;
    +}
    +sub verifyIP {
    +          my ($self, $req) = @_;
    +          return PE_ERROR if($req->address !~ /^10/);
    +          return PE_OK;
    +}
    +sub hello {
    +          my ($self, $req) = @_;
    +          ...
    +          return $self->p->sendJSONresponse($req, { hello => 1 });
    +}
    +sub welcome {
    +          my ($self, $req) = @_;
    +          ...
    +          return $self->p->sendHtml($req, 'template', params => { WELCOME => 1 });
    +}
    +1;
    + +
    + +

    Configuration

    +
    + +

    +Declare the plugin in lemonldap-ng.ini: +

    +
    vi /etc/lemonldap-ng/lemonldap-ng.ini
    +
    [portal]
    +customPlugins = Lemonldap::NG::Portal::MyPlugin
    +;customPlugins = Lemonldap::NG::Portal::MyPlugin1, Lemonldap::NG::Portal::MyPlugin2, ...
    + +
    +
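Review bot: in the `verifyIP` example, `return PE_ERROR if($req->address !~ /^10/);` does not do what the surrounding text implies: the regex `/^10/` also accepts 100.x.x.x through 109.x.x.x and any address string starting with "10", so a reader copying it as an allow-list for the 10.0.0.0/8 range gets a looser check than intended. Anchor the octet, e.g. `/^10\./`, or better, show a real CIDR test, since this is the first plugin most readers will paste. Two smaller points in the prose of this new page: "provisionning" should be "provisioning" (twice, in the `betweenAuthAndData` and `afterData` bullets) and "when user click on “cancel”" should be "when the user clicks on “cancel”".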
    + + diff --git a/doc/pages/documentation/current/portalcustom.html b/doc/pages/documentation/current/portalcustom.html index 026a9041e..b2422db53 100644 --- a/doc/pages/documentation/current/portalcustom.html +++ b/doc/pages/documentation/current/portalcustom.html @@ -49,8 +49,9 @@ -

    Skin

    + +
    + +

    +You can change the default Main Logo in Manager: General Parameters > Portal > Customization > Main Logo. +

    + +

    +A blank value disables Main Logo display. +

    +
    - Logo files must be stored in lemonldap-ng-portal/site/htdocs/static/my/path directory +

    +- Logo file path must be like my/path/logo.png +

    + +

    +- Main logo is included in Portal templates AND mail body +

    + +
    +
    + +

    Show languages choice

    +
    + +

    +You can disabled languages choice in Manager: General Parameters > Portal > Customization > Show languages choice. +

    + +

    +Option enabled by default. +

    +
    If languages choice is disabled, Portal displays accepted languages by your browser (EN by default). +
    +
    + +

    Skin

    -LemonLDAP::NG is shipped with 4 skins: +LemonLDAP::NG is shipped with bootstrap skin.

    -
      -
    • pastel
      -
    • -
    • impact
      -
    • -
    • dark
      -
    • -
    • bootstrap
      -
    • -
    -
    It is recommended to use bootstrap skin, as other may be deprecated in the future. -
    +

    -But you can make your own, see Skin customization below. +But you can make your own. See Skin customization below.

    - -

    Default skin

    + +

    Default skin
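Review bot: the sentence added for the languages option, "You can disabled languages choice in Manager", should read "You can disable languages choice in Manager", and the two fragments that follow it read better joined: "This option is enabled by default. If languages choice is disabled, the Portal displays the languages accepted by your browser (EN by default)." In the Main Logo block, "Logo files must be stored in ... directory" and "Logo file path must be like my/path/logo.png" describe the same constraint twice; one sentence saying the path is relative to lemonldap-ng-portal/site/htdocs/static would be clearer. The "Skin" heading now appears twice in this hunk (once before the Main Logo text and once before "LemonLDAP::NG is shipped with bootstrap skin."); check whether the first one is a leftover from the old section order.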

    @@ -110,8 +134,8 @@ Select the Custom skin, then set the name of the skin you want to u

    - -

    Skin background

    + +

    Skin background

    @@ -123,8 +147,8 @@ Go in General Parameters > Portal > Custom

    - -

    Skin rules

    + +

    Skin rules

    @@ -142,8 +166,8 @@ To achieve this, you can create a rule in the Manager: select General Para

    - -

    Skin files

    + +

    Skin files

    @@ -165,18 +189,21 @@ A skin will often refer to the common skin, which is not a real ski

    - -

    Skin customization

    + +

    Skin customization

    If you modify directly the skin files, your modifications will certainly be erased on the next upgrade. The best is to create your own skin, based on an existing skin.

    Here we explain how to create a new skin, named myskin, from the bootstrap skin.

    -
    cd /usr/share/lemonldap-ng/portal-skins/
    +
    +

    +First copy static content: +

    +
    cd /usr/share/lemonldap-ng/portal/htdocs/static
     mkdir myskin
     cd myskin/
    -cp -a ../bootstrap/fonts/ .
     cp -a ../bootstrap/js/ .
     cp -a ../bootstrap/css/ .
     mkdir images
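Review bot: this hunk drops `cp -a ../bootstrap/fonts/ .` from the copy sequence while keeping the `js/` and `css/` copies; if the bootstrap CSS being copied still references a fonts directory by relative path, a skin built from these instructions will render without those fonts. Either confirm that the fonts directory no longer exists under `bootstrap/` in the new layout or keep the copy line.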
    @@ -184,7 +211,10 @@ mkdir images

    Then create symbolic links on template files, as you might not want to rewrite all HTML code (else, do as you want).

    -
    ln -s ../bootstrap/*.tpl .
    +
    cd /usr/share/lemonldap-ng/portal/templates/
    +mkdir myskin
    +cd myskin/
    +ln -s ../bootstrap/*.tpl .

    We include some template files that can be customized: @@ -205,21 +235,33 @@ To use custom files, delete links and copy them into your skin folder: cp ../bootstrap/custom* .

    -Create a symlink in main skin directory: +Then you can add your media to myskin/images, you will be able to use them in HTML template with this code:

    -
    ln -s /usr/share/lemonldap-ng/portal-skins/myskin /var/lib/lemonldap-ng/portal/skins/
    +
    <img src="<TMPL_VAR NAME="STATIC_PREFIX">myskin/images/logo.png" class="img-responsive center-block" />

    -Then you only have to edit JS/CSS and add your media to myskin/images. Put all custom HTML code in the custom template files. +To change CSS, two options: +

    +
      +
    • Edit myksin/css/skin.css and myskin/css/skin.min.css
      +
    • +
    • Create a new CSS file, for example myskin/css/myskin.css and load it in customhead.tpl:
      +
    • +
    +
    <link href="<TMPL_VAR NAME="STATIC_PREFIX">myskin/css/myskin.css" rel="stylesheet" type="text/css" />
    + +

    +Put then all custom HTML code in the custom template files.

    -To configure your new skin in Manager, select the custom skin, and enter your skin name in the configuration field. +To configure your new skin in Manager, select the custom skin, and enter your skin name in the configuration field. For example with lemonldap-ng-cli:

    +
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portalSkin 'myskin' portalSkinBackground ''
    - -

    Messages

    + +

    Messages
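Review bot: "Edit myksin/css/skin.css and myskin/css/skin.min.css" in the first CSS bullet has a typo, "myksin" for "myskin". Telling readers to hand-edit `skin.min.css` is also fragile; the second option (a separate `myskin/css/myskin.css` loaded from customhead.tpl) is the one to recommend, so consider listing it first. "Put then all custom HTML code in the custom template files." should read "Then put all custom HTML code in the custom template files."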

    @@ -231,16 +273,17 @@ Messages are defined in source code. If they really do not please you, override error_0 = Big brother is watching you, authenticated user   # Custom standard messages -msg_22 = Your last connections +msg_lastLogins = Your last connections

    You can alse define messages in several languages:
    [portal]
     error_en_0 = Big brother is watching you, authenticated user
    -error_fr_0 = Souriez vous êtes surveillés !
    +error_fr_0 = Souriez vous êtes surveillés ! +msg_fr_lastLogins = Dernières connexions
    - -

    Template parameters

    + +

    Template parameters
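Review bot: the rename from `msg_22` to `msg_lastLogins` is the kind of change that breaks existing lemonldap-ng.ini overrides quietly, so if the numeric `msg_NN` keys are no longer read in 2.0, say so explicitly and name the new key scheme rather than only updating the example. Also, the unchanged context line "You can alse define messages in several languages:" has a typo, "alse" for "also"; worth fixing while the paragraph is touched.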

    @@ -256,9 +299,14 @@ Then you will be able to use it in your template like this:

    Hello <TMPL_VAR NAME="myparam">!
    +

    +All session variables are also available in templates, with the prefix “session_” : +

    +
    Hello <TMPL_VAR NAME="session_cn">!
    +
    - -

    Buttons

    + +

    Buttons
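Review bot: the new example `Hello <TMPL_VAR NAME="session_cn">!` puts a session attribute into HTML without escaping. HTML::Template's `TMPL_VAR` does not escape by default, and attributes such as `cn` come from the user directory or from a federation partner, so the documented form should be `<TMPL_VAR NAME="session_cn" ESCAPE=HTML>`, with a sentence saying that every `session_*` variable rendered into a page needs `ESCAPE=HTML` (or `ESCAPE=JS` inside scripts) so that attribute values cannot inject markup into the portal.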

    @@ -267,15 +315,15 @@ This node allows one to enable/disable buttons on the login page:

    • Check last logins: displays a checkbox on login form, allowing user to check his login history right after opening session
    • -
    • Reset password: display a link to reset your password page (for password based authentication backends)
      +
    • Reset password: display a link to reset your password page (for password based authentication backends). Number of allowed retries can be set (3 times by default)
    • Register: display a link to register page (for password based authentication backends)
    - -

    Password management

    + +

    Password management

    • Require old password: used only in the password changing module of the menu, will check the old password before updating it
      @@ -287,8 +335,8 @@ This node allows one to enable/disable buttons on the login page:
    - -

    Other parameters

    + +

    Other parameters

    • User attribute: which session attribute will be used to display Connected as in the menu
      @@ -306,6 +354,6 @@ This node allows one to enable/disable buttons on the login page:
    - + diff --git a/doc/pages/documentation/current/prereq.html b/doc/pages/documentation/current/prereq.html index 1ea28ac5d..bd647c92e 100644 --- a/doc/pages/documentation/current/prereq.html +++ b/doc/pages/documentation/current/prereq.html @@ -4,7 +4,7 @@ documentation:2.0:prereq - + diff --git a/doc/pages/documentation/current/psgi.html b/doc/pages/documentation/current/psgi.html index 73aa61538..c53a16d5e 100644 --- a/doc/pages/documentation/current/psgi.html +++ b/doc/pages/documentation/current/psgi.html @@ -103,7 +103,7 @@ uWSGI or
    with a FCGI Plack server, but you just have to change llng-fastcgi-server engine (in /etc/default/llng-fastcgi-server) to have the same result. Available engines:
    +
  • with a FCGI Plack server, but you just have to change llng-fastcgi-server engine (in /etc/default/lemonldap-ng-fastcgi-server) to have the same result. Available engines:
    • FCGI (default). It can use the following managers:
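Review bot: this hunk changes the defaults file to `/etc/default/lemonldap-ng-fastcgi-server`, but the rest of this page still refers to the program as `llng-fastcgi-server` (the unchanged "See llng-fastcgi-server(1) manpage." below, and the "llng-fastcgi-server engine" wording kept in this same sentence). If only the defaults file was renamed by packaging, say so in the sentence; if the service itself was renamed, the other references need the same update.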
        @@ -141,7 +141,7 @@ There are also some other psgi files in examples directory.

        - +

        LLNG FastCGI Server

        @@ -185,7 +185,7 @@ There are also some other psgi files in examples directory. –plackOptions Other options to path to Plack. Can bu multi-valued. Values must look like key=value
        - +

        See llng-fastcgi-server(1) manpage.

        @@ -208,7 +208,7 @@ FCGI::Engine::ProcManager -e FCGI::Engine::ProcManager - +

        Using uWSGI

        @@ -239,7 +239,7 @@ Then adapt your Nginx configuration to use this uWSGI app.

        - +

        Protect a PSGI application

        @@ -283,6 +283,6 @@ builder {
        - + diff --git a/doc/pages/documentation/current/renater.html b/doc/pages/documentation/current/renater.html new file mode 100644 index 000000000..13fd2774e --- /dev/null +++ b/doc/pages/documentation/current/renater.html @@ -0,0 +1,238 @@ + + + + + documentation:2.0:renater + + + + + + + + + + + + + + + + + + + + +
        + + + + +

        Connect to Renater Federation

        +
        + +

        + +

        + +
        + +

        Presentation

        +
        + +

        +Renater provides an SAML federation for higher education in France. +

        + +

        +It is based on SAMLv2 but add some specific items like a WAYF service and a metadata bundle to list all SP and IDP from the federation. +

        + +

        +Since LL::NG 2.0, you can register into Renater federation. +

        + +
        + +

        Register as Service Provider

        +
        + +
        + +

        LL::NG configuration

        +
        + +

        +Configure LL::NG as SAML Service Provider with this documentation. You don't need to declare any IDP for the moment. +

        + +

        +Configure SAML Discovery Protocol to redirect users on WAYF Service. The endpoint URL is https://discovery.renater.fr/renater/WAYF. +

        + +
        + +

        Metadata import

        +
        + +

        +You now need to import IDP metadata in LL::NG configuration. Use the importMetadata script that should be installed in /usr/share/lemonldap-ng/bin. You need to select the correct metadata bundle proposed by Renater: https://services.renater.fr/federation/technique/metadata, for example: +

        +
        /usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml -r -i "idp-renater" -s "sp-renater"
        +
        You need to add this in cron to refresh metadata into LL::NG configuration. +
        +

        +If you need too customize some settings of the script, copy it and edit configuration: +

        +
        cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
        +vi /usr/share/lemonldap-ng/bin/importMetadataCustom
        + +

        +Set attributes (use the SAML Name, not FriendlyName) that are provided by IDPs, for example: +

        +
        my $exportedAttributes = {
        +    'cn'                          => '0;urn:oid:2.5.4.3',
        +    'eduPersonPrincipalName'      => '1;urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
        +    'givenName'                   => '0;urn:oid:2.5.4.42',
        +    'sn'                          => '0;urn:oid:2.5.4.4',
        +    'eduPersonAffiliation'        => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.1',
        +    'eduPersonPrimaryAffiliation' => '0;urn:oid:1.3.6.1.4.1.5923.1.1.1.5',
        +    'mail'                        => '0;urn:oid:0.9.2342.19200300.100.1.3',
        +    'supannListeRouge'            => '0;urn:oid:1.3.6.1.4.1.7135.1.2.1.1',
        +    'supannEtuCursusAnnee'        => '0;rn:oid:1.3.6.1.4.1.5923.1.1.1.10',
        +};
        + +

        +Adapt IDP options, for example: +

        +
        my $idpOptions = {
        +    'samlIDPMetaDataOptionsAdaptSessionUtime'        => 0,
        +    'samlIDPMetaDataOptionsAllowLoginFromIDP'        => 0,
        +    'samlIDPMetaDataOptionsAllowProxiedAuthn'        => 0,
        +    'samlIDPMetaDataOptionsCheckAudience'            => 1,
        +    'samlIDPMetaDataOptionsCheckSLOMessageSignature' => 1,
        +    'samlIDPMetaDataOptionsCheckSSOMessageSignature' => 1,
        +    'samlIDPMetaDataOptionsCheckTime'                => 1,
        +    'samlIDPMetaDataOptionsEncryptionMode'           => 'none',
        +    'samlIDPMetaDataOptionsForceAuthn'               => 0,
        +    'samlIDPMetaDataOptionsForceUTF8'                => 1,
        +    'samlIDPMetaDataOptionsIsPassive'                => 0,
        +    'samlIDPMetaDataOptionsNameIDFormat'             => 'transient',
        +    'samlIDPMetaDataOptionsRelayStateURL'            => 0,
        +    'samlIDPMetaDataOptionsSignSLOMessage'           => -1,
        +    'samlIDPMetaDataOptionsSignSSOMessage'           => -1,
        +    'samlIDPMetaDataOptionsStoreSAMLToken'           => 0,
        +    'samlIDPMetaDataOptionsUserAttribute' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6',
        +};
        + +
        + +

        Add your SP into the federation

        +
        + +

        +Go to https://federation.renater.fr/registry and register your SP. +

        +
        Be sure to check all attributes as mandatory to be able to get them in SAML assertions. +
        +
        + +

        Register as Identity Provider

        +
        + +
        + +

        LL::NG configuration

        +
        + +

        +Configure LL::NG as SAML Identity Provider with this documentation. You don't need to declare any SP for the moment. +

        + +
        + +

        Metadata import

        +
        + +

        +You now need to import SP metadata in LL::NG configuration. Use the importMetadata script that should be installed in /usr/share/lemonldap-ng/bin. You need to select the correct metadata bundle proposed by Renater: https://services.renater.fr/federation/technique/metadata, for example: +

        +
        /usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-sps-renater-metadata.xml -r -i "idp-renater" -s "sp-renater"
        +
        You need to add this in cron to refresh metadata into LL::NG configuration. +
        +

        +If you need too customize some settings of the script, copy it and edit configuration: +

        +
        cp /usr/share/lemonldap-ng/bin/importMetadata /usr/share/lemonldap-ng/bin/importMetadataCustom
        +vi /usr/share/lemonldap-ng/bin/importMetadataCustom
        + +

        +Adapt IDP options, for example: +

        +
        my $spOptions = {
        +    'samlSPMetaDataOptionsCheckSLOMessageSignature'   => 1,
        +    'samlSPMetaDataOptionsCheckSSOMessageSignature'   => 1,
        +    'samlSPMetaDataOptionsEnableIDPInitiatedURL'      => 0,
        +    'samlSPMetaDataOptionsEncryptionMode'             => 'none',
        +    'samlSPMetaDataOptionsForceUTF8'                  => 1,
        +    'samlSPMetaDataOptionsNameIDFormat'               => '',
        +    'samlSPMetaDataOptionsNotOnOrAfterTimeout'        => 72000,
        +    'samlSPMetaDataOptionsOneTimeUse'                 => 0,
        +    'samlSPMetaDataOptionsSessionNotOnOrAfterTimeout' => 72000,
        +    'samlSPMetaDataOptionsSignSLOMessage'             => 1,
        +    'samlSPMetaDataOptionsSignSSOMessage'             => 1
        +};
        + +
        + +

        Add your IDP into the federation

        +
        + +

        +Go to https://federation.renater.fr/registry and register your IDP. +

        + +
        +
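Review bot: the `supannEtuCursusAnnee` entry in `$exportedAttributes` reads `'0;rn:oid:1.3.6.1.4.1.5923.1.1.1.10'`, missing the leading "u" of `urn:oid:`; as written the attribute name will not match what the IDPs send. In the Identity Provider section, the paragraph before the `$spOptions` hash says "Adapt IDP options, for example:" but the hash holds SP options; it should read "Adapt SP options". Minor prose: "If you need too customize" (twice) should be "If you need to customize", "Renater provides an SAML federation" should be "a SAML federation", and "but add some specific items" should be "but adds some specific items". Finally, both importMetadata commands are followed only by "You need to add this in cron"; an example interval would help readers decide how often to schedule the refresh.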
        + + diff --git a/doc/pages/documentation/current/rest2f.html b/doc/pages/documentation/current/rest2f.html index 6076a66a3..a40c32cad 100644 --- a/doc/pages/documentation/current/rest2f.html +++ b/doc/pages/documentation/current/rest2f.html @@ -61,16 +61,16 @@

        -This plugin can be used to add a second factor for authentication (SMS, OTP,…). It uses external web service to send and validate the second factor. +This plugin can be used to append a second factor authentication device like SMS or OTP. It uses an external web service to submit and validate the second factor.

        - +

        Configuration

        -All parameters are configured in “General Parameters » Portal Parameters » Second Factors » REST 2nd Factor”. +All parameters are set in “General Parameters » Portal Parameters » Second Factors » REST 2nd Factor”.

        • Activation
          @@ -83,14 +83,14 @@ All parameters are configured in “General Parameters » Portal Parameters » S
        • Verify arguments: list of arguments to send (see below)
        • -
        • Authentication Level: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5
          +
        • Authentication Level: if you want to overwrite the value sent by your authentication module, you can define here a new authentication level. Example: 5
        • Logo (optional): logo file (in static/<skin> directory)
        - +

        Arguments

        @@ -100,12 +100,12 @@ Arguments are a list of key/value. Key is the name of JSON entry, value is attri
        For Verify URL, you should send $code at least
        - +

        REST Dialog

        -REST web services just have to respond with a “result” key in a JSON file. Auth/UserDB can add a “info” array to will be copied is session data (without reading “Exported variables”). +REST web services have just to reply with a “result” key in a JSON file. Auth/UserDB can add an “info” array. It will be stored in session data (without reading “Exported variables”).
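Review bot: the rewritten sentence "REST web services have just to reply with a “result” key in a JSON file" is less idiomatic than the original "just have to respond"; suggest "REST web services only have to reply with a “result” key in a JSON document. Auth/UserDB can add an “info” array; it will be stored in session data (without reading “Exported variables”)."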

        @@ -120,8 +120,8 @@ REST web services just have to respond with a “result” key in a JSON file. A
        Verify URL JSON file: {“user”:$user,“code”:“$code”,…} JSON file: {“result”:true/false}
        - +
        - + diff --git a/doc/pages/documentation/current/restconfbackend.html b/doc/pages/documentation/current/restconfbackend.html index 277162357..3626298a1 100644 --- a/doc/pages/documentation/current/restconfbackend.html +++ b/doc/pages/documentation/current/restconfbackend.html @@ -81,16 +81,28 @@ You can share your configuration over the network using REST proxy system.
      • Enable REST server in the configuration using the manager (in portal plugins)
      • -
      • Configure Apache to allow remote access: in portal-apache2.conf, remote REST access is disabled by default. Change it:
        +
      • Configure your web server to allow remote access. Remote REST access is disabled by default. Change it as follow:
      -
      # SOAP functions for configuration access (disabled by default)
      +
      +

      +* In portal-apache2.conf: +

      +
      # REST functions for configuration access (disabled by default)
       <Location /index.fcgi/config>
           Require ip 192.168.2.0/24
       </Location>
      +

      +* In portal-nginx.conf: +

      +
      # REST functions for configuration access (disabled by default)
      +location /index.psgi/config {
      +  allow 192.168.2.0/24;
      +}
      + - +

      Next, configure REST for your remote servers
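Review bot: the nginx block added in this hunk (`location /index.psgi/config { allow 192.168.2.0/24; }`) does not restrict anything on its own: nginx's access module admits any client that matches no rule, so without a trailing `deny all;` every address can reach the configuration endpoint, whereas the Apache `Require ip 192.168.2.0/24` example next to it does deny everyone else. Add `deny all;` after the `allow` line so both examples enforce the same policy, and change "Change it as follow" to "Change it as follows".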

      @@ -109,6 +121,6 @@ You can also add some other parameters proxyOptions = { timeout => 5 }
      - + diff --git a/doc/pages/documentation/current/restserverplugin b/doc/pages/documentation/current/restserverplugin index b96e11808..9ed409e04 100644 --- a/doc/pages/documentation/current/restserverplugin +++ b/doc/pages/documentation/current/restserverplugin @@ -90,7 +90,7 @@ +
    @@ -241,7 +241,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio -
    +
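Review bot: this hunk only touches markup on restserverplugin, and its visible context ("You've followed a link to a topic that doesn't exist yet") shows the page is still a DokuWiki placeholder. Either write the page content in this commit or avoid linking to the page from the rest of the documentation until it exists, otherwise readers land on an empty topic.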
    diff --git a/doc/pages/documentation/current/samlservice.html b/doc/pages/documentation/current/samlservice.html index b7d6b0708..f7986c261 100644 --- a/doc/pages/documentation/current/samlservice.html +++ b/doc/pages/documentation/current/samlservice.html @@ -93,6 +93,7 @@
  • @@ -148,7 +149,8 @@ SAML2 implementation is based on http://deb.entrouvert.org/.

    - +
    We recommend Lasso 2.6 for the SHA256 support, so use the stretch-testing repository of deb.entrouvert.org. +

    You will only need to install liblasso-perl package:
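Review bot: the added recommendation in this hunk points readers to the stretch-testing repository of deb.entrouvert.org for Lasso 2.6 without saying that this applies to Debian stretch only or what to do on other distributions; since SHA256 signature support on the IdP is a security-relevant dependency, state the target release explicitly and note that a testing repository should be reviewed before use on a production IdP.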

    @@ -179,7 +181,7 @@ Then install lasso and lasso-perl packages:

    - +

    Service configuration

    @@ -189,7 +191,7 @@ Go in Manager and click on You can use #PORTAL# in values to replace the portal URL.
    - +

    Entry Identifier

    @@ -204,7 +206,7 @@ Your EntityID, often use as metadata URL<
    If you modify /saml/metadata suffix you have to change corresponding Apache rewrite rule.
    - +

    Security parameters

    @@ -243,7 +245,7 @@ $ openssl x509 -req -days 3650 -in cert.csr -signkey private.key -out cert.pemDefault value is RSA SHA1 for compatibility purpose but we recommend to use RSA SHA256. This requires to test all partners to check their compatibility.
    - +

    NameID formats

    @@ -280,7 +282,7 @@ Other NameID formats are automatically managed:
    - +

    Authentication contexts

    @@ -304,7 +306,7 @@ Customizable NameID formats are:
    - +

    Organization

    This concerns all parameters for the Organization metadata section: @@ -324,7 +326,7 @@ Customizable NameID formats are:
    - +

    Service Provider

    This concerns all parameters for the Service Provider metadata section: @@ -407,7 +409,7 @@ The only authorized binding is SOAP. This should be set as Default.

    - +

    Identity Provider

    This concerns all parameters for the Service Provider metadata section: @@ -492,7 +494,7 @@ The only authorized binding is SOAP. This should be set as Default.
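Review bot: the introductory sentence shown above under the "Identity Provider" heading still says "This concerns all parameters for the Service Provider metadata section", a copy-paste from the Service Provider section; it should read "This concerns all parameters for the Identity Provider metadata section".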

    - +

    Attribute Authority

    This concerns all parameters for the Attribute Authority metadata section @@ -515,7 +517,7 @@ Response Location should be empty, as SOAP responses are directly returned (sync

    - +

    Advanced

    @@ -553,8 +555,7 @@ This is not the case of Common Domain Cookie
    - +

    The common domain is used by SAML SP to find an Identity Provider for the user, and by SAML IDP to register itself in user's IDP list.

    @@ -574,6 +575,31 @@ Configuration parameters are:
    -
    + +

    Discovery Protocol

    +
    +
    Discovery Protocol is also know as WAYF Service. More information can be found in the specification: sstc-saml-idp-discovery-cs-01.pdf. +
    +

    +When Discovery Protocol is enabled, the LL::NG IDP list is no more used. Instead user is redirected on the discovery service and is redirected back to LL::NG with the choosen IDP. +

    +
    If the choosen IDP is not registered in LL::NG, user will be redirected to discovery service again. +
    +

    +Configuration parameters are: +

    +
      +
    • Activation: Set to On to enable Discovery Protocol support.
      +
    • +
    • EndPoint URL: Discovery service page
      +
    • +
    • Policy: Set a value here if you don't want to use the default policy (urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single)
      +
    • +
    • Is passive: Enable this option to avoid user interaction on discovery service page
      +
    • +
    + +
    +
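Review bot: the new Discovery Protocol section in this hunk needs a spelling pass before merge: "also know as" should be "also known as", "choosen" (twice) should be "chosen", "is no more used" should be "is no longer used", and "redirected on the discovery service" should be "redirected to the discovery service". It would also help to state whether LL::NG bounds the redirect described in "If the choosen IDP is not registered in LL::NG, user will be redirected to discovery service again", since as written a discovery service that keeps returning an unknown IdP would bounce the user indefinitely.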
    diff --git a/doc/pages/documentation/current/secondfactor.html b/doc/pages/documentation/current/secondfactor.html index 67083c59c..34886c6c8 100644 --- a/doc/pages/documentation/current/secondfactor.html +++ b/doc/pages/documentation/current/secondfactor.html @@ -94,9 +94,10 @@ Since 2.0, LLNG provides some second factor plugins that can be used to complete
  • External 2F (to call an external command)
  • - +
    If you want to force a 2F registration on first login, you can use “Require 2FA”. You can also use a rule to force 2FA registration only for some users.
    - +
    +

    Providing tokens from an external source

    @@ -106,25 +107,25 @@ If you don't want to use self-registration features for U2F, TOTP and so on
    [ {"type" : "TOTP", "name" : "MyTOTP", …}, {<other_token>}, …]
    - +

    U2F Tokens

    {"name" : "MyU2FKey" , "type" : "U2F" , "_userKey" : "########" , "_keyHandle":"########" , "epoch":"1524078936"}
    - +

    TOTP Tokens

    {"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch" : "1523817955"}
    - +

    Yubikey Tokens

    {"name" : "MyYubikey" , "type" : "UBK" , "_yubikey" : "########" , "epoch" : "1523817715"}
    - +

    Developer corner

    @@ -141,6 +142,6 @@ To enable manager Second Factor Administration Module, set enabledModules< enabledModules = conf, sessions, notifications, 2ndFA
    -
    +
    diff --git a/doc/pages/documentation/current/security.html b/doc/pages/documentation/current/security.html index 9baf75ac9..a6f8e26e9 100644 --- a/doc/pages/documentation/current/security.html +++ b/doc/pages/documentation/current/security.html @@ -161,10 +161,17 @@ LLNG portal now embeds the following features:
  • Content-Security-Policy header: portal build dynamically this header. You can modify default values in the manager (Général parameters » Advanced parameters » Security » Content-Security-Policy).
  • +
  • Brute-force attack protection: after some failed logins, user must wait before re-try to log into Portal.
    +
  • +
    * Brute-force attack protection is DISABLED by default +

    +* Browser implementations of form Action directive are inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome does). Administrators may have to modify form Action value with wildcard likes *. +

    - + +

    Split portal when using SOAP/REST

    -
      +
      • Reload the Manager to see the effective order
      • Use rule comments to order your rules
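Review bot: the added note about the form Action directive in this hunk advises widening it to a wildcard, but `form-action *` removes the CSP protection against submitting the login form to another origin; name the directive as `form-action`, recommend listing the specific redirect or partner origins that must receive the form, and present `*` only as a last resort. Also "wildcard likes *" should be "a wildcard like *", and the brute-force bullet reads better as "after some failed logins, the user must wait before retrying to log into the Portal".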
        @@ -241,7 +248,7 @@ Use comment to correct this:
    - +

    Be careful with URL parameters

    @@ -265,7 +272,7 @@ For example with this rule on the access parameter: default accept
    - +

    Then a user that try to access to one of the following will be granted !

    @@ -295,20 +302,20 @@ You can use the following rules instead: default accept -
    (?i) means case no sensitive. +
    (?i) means case no sensitive.
    Remember that rules written on GET parameters must be tested.
    - +

    Encoded characters

    -Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, LL::NG decode them using http://search.cpan.org/perldoc?Apache2::URI#unescape_url. So write your rules using normal characters. +Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, LL::NG decode them using https://metacpan.org/pod/Apache2::URI#unescape_url. So write your rules using normal characters.

    - +

    Secure reverse-proxies
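Review bot: the line "(?i) means case no sensitive." is rewritten in this hunk but keeps the error; it should read "(?i) means case-insensitive". In the Encoded characters paragraph, "LL::NG decode them" should be "LL::NG decodes them"; the new https://metacpan.org/pod/Apache2::URI#unescape_url link itself is fine.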

    @@ -354,7 +361,7 @@ It is recommended to secure the channel between reverse-proxies and application
    - +

    Configure security settings

    @@ -364,7 +371,7 @@ Go in Manager, General parameters » Advanced parameters
  • Username control: Regular expression used to check user login syntax.
  • -
  • Force authentication: set to 'On' to force authentication when user connects to portal, even if he has a valid session
    +
  • Force authentication: set to 'On' to force authentication when user connects to portal, even if he has a valid session.
  • Force authentication interval: time interval (in seconds) when a authentication renewal cannot be forced, used to prevent to loose the current authentication during the main process. If you experience slow network performances, you can increase this value.
  • @@ -376,12 +383,14 @@ Go in Manager, General parameters » Advanced parameters
  • Check XSS Attacks: Set to 'Off' to disable XSS checks. XSS checks will still be done with warning in logs, but this will not prevent the process to continue.
  • +
  • Brute-Force Attack protection: set to 'On' to enable it. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds, making it easy for an attacker to beat a password-based authentication system.
    +
  • LWP::UserAgent SSL options: insert here options to pass to LWP::UserAgent object (used by SAML or OpenID-Connect to query partners). Example: verify_hostname ⇒ 0, SSL_verify_mode ⇒ 0
  • - +

    Fail2ban
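Review bot: the LWP::UserAgent SSL options example in this hunk (`verify_hostname ⇒ 0, SSL_verify_mode ⇒ 0`) switches off certificate and hostname verification for the SAML and OpenID Connect partner queries it describes, and since it is the only example given, readers will copy it into production; label it as a debugging-only setting and show the safe form instead, for example pointing `SSL_ca_file` at the partner CA bundle. The Brute-Force Attack protection bullet explains what a brute-force attack is but not what the option does: state the failure threshold and the wait time (the plugins table elsewhere in this commit says three failed attempts) and that the option is off by default.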

    @@ -433,7 +442,7 @@ Restart fail2ban

    - +

    Sessions identifier

    @@ -446,7 +455,7 @@ We recommend to use : Lemonldap::NG::Common::Apache::Session::Generate::SH

    - +

    SAML

    @@ -455,6 +464,6 @@ See
    + diff --git a/doc/pages/documentation/current/selfmadeapplication.html b/doc/pages/documentation/current/selfmadeapplication.html index 9c8190771..317bdb8d3 100644 --- a/doc/pages/documentation/current/selfmadeapplication.html +++ b/doc/pages/documentation/current/selfmadeapplication.html @@ -119,28 +119,46 @@ Examples with a First create a PSGI module based on Lemonldap::NG::Handler:

    -
      package My::PSGI;
    +
    package My::PSGI;
      
    -  use base Lemonldap::NG::Handler;
    +use base "Lemonldap::NG::Handler::PSGI";
      
    -  sub init {
    +sub init {
         my ($self,$args) = @_;
         $self->protection('manager');
    +    $self->SUPER::init($args) or return 0;
    +    $self->staticPrefix("/static");
    +    $self->templateDir("/usr/share/lemonldap-ng/portal/templates");
         # See Lemonldap::NG::Common::PSGI for more
    -    ...
    +    #...
         # Return a boolean. If false, then error message has to be stored in
         # $self->error
         return 1;
    -  }
    +}
      
    -  sub handler {
    +sub handler {
         my ( $self, $req ) = @_;
      
         # Will be called only if authorisated
    -    my $userId = $self->userId;
    -    ...
    -    $self->sendJSONresponse(...);
    -  }
    + my $userId = $self->userId($req); + #... +  + # Return JSON + # $self->sendJSONresponse(...); +  + # or Return HTML + $self->sendHtml($req, "myskin/mytemplate", ( params => { 'userId' => $userId }) ); +}
    + +

    +They create a FCGI script like this: +

    +
    #!/usr/bin/env perl
    + 
    +use My::PSGI;
    +use Plack::Handler::FCGI;
    + 
    +Plack::Handler::FCGI->new->run( My::PSGI->run() );
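Review bot: in the handler() body added in this hunk, `$self->sendHtml($req, "myskin/mytemplate", ( params => { 'userId' => $userId }) )` wraps the key/value pair in parentheses that do nothing in list context and suggest a separate argument; write `params => { userId => $userId }` directly. "They create a FCGI script like this" should be "Then create a FastCGI script like this", the script should start with `use strict; use warnings;`, and the context comment "Will be called only if authorisated" should read "authorised".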

    See our LLNG Nginx/Apache configurations to see how to launch it or read PSGI/Plack documentation. diff --git a/doc/pages/documentation/current/soapconfbackend.html b/doc/pages/documentation/current/soapconfbackend.html index 358789d2e..331fd0f95 100644 --- a/doc/pages/documentation/current/soapconfbackend.html +++ b/doc/pages/documentation/current/soapconfbackend.html @@ -81,16 +81,28 @@ You can share your configuration over the network using SOAP proxy system.

  • Set SOAP parameter to true in the configuration using the manager: the portal will become a SOAP server
  • -
  • Configure Apache to allow remote access: in portal-apache2.conf, remote SOAP access is disabled by default. Change it:
    +
  • Configure your web server to allow remote access. Remote SOAP access is disabled by default. You must change it as follow :
  • + +

    +* in portal-apache2.conf : +

    # SOAP functions for configuration access (disabled by default)
     <Location /index.fcgi/config>
         Require ip 192.168.2.0/24
     </Location>
    +

    +* in portal-nginx.conf : +

    +
    # SOAP functions for configuration access (disabled by default)
    +location /index.psgi/config {
    +  allow 192.168.2.0/24;
    +}
    + - +

    Next, configure SOAP for your remote servers
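Review bot: as in the REST configuration backend page of this commit, the nginx example added here (`location /index.psgi/config { allow 192.168.2.0/24; }`) lacks a closing `deny all;`, so nginx admits every client that matches no rule and the SOAP configuration endpoint stays reachable from any address; add `deny all;` after the `allow` line to match the Apache `Require ip` example. Also "You must change it as follow :" should be "You must change it as follows:".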

    @@ -109,6 +121,6 @@ You can also add some other parameters proxyOptions = { timeout => 5 }
    - + diff --git a/doc/pages/documentation/current/soapservices.html b/doc/pages/documentation/current/soapservices.html index cf702224f..8d5194639 100644 --- a/doc/pages/documentation/current/soapservices.html +++ b/doc/pages/documentation/current/soapservices.html @@ -101,6 +101,15 @@ SOAP functions are not accessible by network by default. SOAP functions are prot - + +

    WSDL

    +
    + +

    +You can enable WSDL server in the manager. It will deliver WSDL file (/portal.wsdl). +

    + +
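Review bot: the added WSDL paragraph should say whether /portal.wsdl falls under the network restriction mentioned in the hunk header ("SOAP functions are not accessible by network by default") or is served publicly once enabled; a WSDL enumerates every SOAP operation, so the documentation should make clear what enabling it exposes. Also "It will deliver WSDL file" should be "It will deliver the WSDL file".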
    + diff --git a/doc/pages/documentation/current/sqlsessionbackend.html b/doc/pages/documentation/current/sqlsessionbackend.html index d751e5516..f54e5190f 100644 --- a/doc/pages/documentation/current/sqlsessionbackend.html +++ b/doc/pages/documentation/current/sqlsessionbackend.html @@ -77,27 +77,27 @@ SQL session backend can be used with many SQL databases such as:

    - +

    Setup

    - +

    Prepare the database

    @@ -126,6 +126,7 @@ Create sessions table: );
    Change char(32) by varchar(64) if you use the now recommended SHA256 hash algorithm. See Sessions for more details
    You can change table name sessions to whatever you want, just adapt the parameter TableName in module options. +
    For a better UTF-8 support, use DBD::MariaDB with Apache::Session*::MySQL instead of DBD::mysql
    @@ -159,12 +160,12 @@ lemonldap-ng=> q
    Change char(32) by varchar(64) if you use the now recommended SHA256 hash algorithm. See Sessions for more details
    - +

    Manager

    -Go in the Manager and set the session module (for example Apache::Session::Postgres for PostgreSQL) in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): +Go in the Manager and set the session module (for example Apache::Session::Postgres for PostgreSQL) in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive):

    @@ -176,7 +177,7 @@ Go in the Manager and set the session module (for example - + @@ -191,9 +192,9 @@ Go in the Manager and set the session module (for example TableName
    DataSource The DBI string dbi:Pg:dbname=sessions;host=10.2.3.1 DataSource The DBI string dbi:Pg:dbname=sessions;host=10.2.3.1
    UserName The database username lemonldapng (Optional) Name of the table sessions
    - +

    -You must read the man page corresponding to your database (Apache::Session::MySQL, …) to learn more about parameters. You must also install the database connector (DBD::Oracle, DBD::Pg,…) +You must read the man page corresponding to your database (Apache::Session::MySQL, …) to learn more about parameters. You must also install the database connector (https://metacpan.org/pod/DBD::Oracle, DBD::Pg,…)

    For MySQL, you need to set additional parameters:
    • LockDataSource
      @@ -234,9 +235,9 @@ If you may store some non- SQLite sqlite_unicode 1
    - +
    - +

    Security

    @@ -249,6 +250,6 @@ You can also use different user/password for your servers by overriding paramete

    - + diff --git a/doc/pages/documentation/current/ssocookie.html b/doc/pages/documentation/current/ssocookie.html index 942adcd16..0454a6b8c 100644 --- a/doc/pages/documentation/current/ssocookie.html +++ b/doc/pages/documentation/current/ssocookie.html @@ -74,34 +74,20 @@ To edit SSO cookie parameters, go in Manager
  • Double cookie: two cookies are delivered, one for HTTP and HTTPS connections, the other for HTTPS only
  • -
  • Double cookie for single session: as same, two cookies are delivered, but only one session is written in session database
    +
  • Double cookie for single session: same as double cookie but only one session is created in session database
  • -
  • Javascript protection: set httpOnly flag, to avoid cookie been caught by javascript code
    +
  • Javascript protection: set httpOnly flag, to prevent cookie from being caught by javascript code
  • -
  • Cookie expiration time: by default, SSO cookie is a session cookie, which mean it will be destroyed when the browser is closed. You can change this behavior and set a cookie duration, for example:
    -
      -
    • +30s: 30 seconds from session creation
      -
    • -
    • +10m: ten minutes from session creation
      -
    • -
    • +1h: one hour from session creation
      -
    • -
    • +3M: three months from session creation
      -
    • -
    • +10y: ten years from session creation
      -
    • -
    • Thursday, 25-Apr-1999 00:40:33 GMT: at the indicated time and date (but this is probably a bad idea)
      -
    • -
    +
  • Cookie expiration time: by default, SSO cookie is a session cookie, which means it will be destroyed when browser is closed. You can change this behavior by setting a cookie expiration time. It must be an integer. Cookie Expiration Time value is a number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately.
  • When you change cookie expiration time, it is written on the user hard disk unlike session cookie
    Changing the domain value will not update other configuration parameters, like virtual host names, portal URL, etc. You have to update them by yourself.
    - +

    Portal URL
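Review bot: the rewritten Cookie expiration time bullet in this hunk drops all the relative examples (+30s, +1h, ...) and says the value must be an integer number of seconds, but gives no example value; add one (for instance 3600 for one hour) so readers do not reuse the old notation. "which means it will be destroyed when browser is closed" should be "when the browser is closed", and the sentence "When you change cookie expiration time, it is written on the user hard disk unlike session cookie" reads better as "Unlike a session cookie, a cookie with an expiration time is written to the user's disk".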

    @@ -117,6 +103,6 @@ Portal URL is the address used to
    The portal URL must be inside SSO domain. If secured cookie is enabled, the portal URL must be HTTPS.
    - + diff --git a/doc/pages/documentation/current/start.html b/doc/pages/documentation/current/start.html index 53dee1d26..e6e2b65dd 100644 --- a/doc/pages/documentation/current/start.html +++ b/doc/pages/documentation/current/start.html @@ -4,7 +4,7 @@ documentation:2.0:start - + @@ -64,6 +64,8 @@
  • @@ -430,8 +432,132 @@

    - -

    Handlers

    + +

    Attacks and Protection

    +
    +
      +
    • To learn or find out more about security, go to Security documentation
      +
    • +
    + +
    +

    +

    + +
    +

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Attack LLNG protection System Integrator protection
    Brute Force
    Page Content
    CSRF
    Deny of Service
    Invisible iFrame
    Man-in-the-Middle
    Software Exploit
    SSO by-passing
    XSS
    + +

    +

    +

    + +
    + +

    Plugins

    +
    + +

    +

    + +
    +

    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Name Description
    Auto Signin Auto Signin Addon
    Brute Force protection User must wait to log in after 3 failed login attempts
    CDA Cross Domain Authentication
    Check state Check state plugin (test page)
    Custom Write a custom plugin
    Force Authentication Force authentication to access to Portal
    Display login history
    Grant Sessions rules
    Notifications system
    Public pages Enable public pages system
    Reset password by mail
    REST services REST server for Proxy
    SOAP services SOAP server for Proxy
    Portal Status Experimental portal status page
    Stay connected Enable persistent connection on same browser
    Upgrade session Plugin that explain to user that a more secure authentication is needed instead of rejected it
    + +

    +

    +

    + +
    + +

    Handlers
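Review bot: in the plugins table added in this hunk, the rows "Display login history", "Grant Sessions rules", "Notifications system" and "Reset password by mail" have a single cell where every other row has a Name and a Description; give them a name entry. "Deny of Service" in the Attacks and Protection table should be "Denial of Service", and the Upgrade session description should read "Plugin that explains to the user that a more secure authentication is needed instead of rejecting it". The Attacks and Protection table should also say, per row, what the LLNG protection is and whether it is on by default, since the Security page in this same commit states that brute-force protection is disabled by default.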

    @@ -443,7 +569,7 @@

    Handlers are software control agents to be installed on your web servers (Nginx, Apache, PSGI like Plack based servers or Node.js).

    -
    +
    @@ -474,7 +600,7 @@ Handlers are software control agents to be installed on your web servers (Ng
    Handler type Apache Nginx Plack* servers Node.js Comment Zimbra PreAuth
    - +

    (*): Node.js handler has not yet reached the same level of functionalities.

    @@ -484,8 +610,8 @@ Handlers are software control agents to be installed on your web servers (Ng

    - -

    LLNG databases

    + +

    LLNG databases

    @@ -502,7 +628,7 @@ Handlers are software control agents to be installed on your web servers (Ng

    LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one in the following list:

    -
    +
    @@ -533,7 +659,7 @@ Handlers are software control agents to be installed on your web servers (Ng
    Backend Shareable Comment Local Use only lemonldap-ng.ini parameters.
    -
    You can not start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one. +
    You can not start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one.

    @@ -555,7 +681,7 @@ Sessions are stored using If you plan to use LLNG in a large-scale system, take a look at Performance Test to choose the right backend. A Browseable SQL backend is generally a good choice. -
    +
    @@ -588,14 +714,14 @@ Sessions are stored using -

    Applications protection

    + +

    Applications protection

    @@ -623,8 +749,8 @@ Sessions are stored using -

    Well known compatible applications

    + +

    Well known compatible applications

    @@ -721,8 +847,8 @@ Sessions are stored using -

    Advanced features

    + +

    Advanced features

    @@ -778,8 +904,8 @@ Sessions are stored using -

    Mini howtos

    + +

    Mini howtos

    diff --git a/doc/pages/documentation/current/stayconnected b/doc/pages/documentation/current/stayconnected new file mode 100644 index 000000000..c6a1b6a34 --- /dev/null +++ b/doc/pages/documentation/current/stayconnected @@ -0,0 +1,254 @@ + + + + + + documentation:2.0:stayconnected [LemonLDAP::NG] + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    + + + + + + + +
    +
    + +
    +
    + +

    + documentation:2.0:stayconnected +

    + +
    +
    + +
    + + + +
    + +
    +
    + + +
    +
    + + + +

    This topic does not exist yet

    +
    + +

    +You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”. +

    + +
    + + + + +
    +
    + +
    + + + + +
    + + + + +
    + +
    +
    + + + + +
    +
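Review bot: the new stayconnected file added in this hunk is a DokuWiki "This topic does not exist yet" placeholder, not documentation; the "Stay connected" plugin is listed in the plugins table added by this same commit, so either ship the actual page content or do not add the placeholder file, otherwise readers following the link get an empty topic.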
    + + + diff --git a/doc/pages/documentation/current/totp2f.html b/doc/pages/documentation/current/totp2f.html index 59f3932b3..88c6744ce 100644 --- a/doc/pages/documentation/current/totp2f.html +++ b/doc/pages/documentation/current/totp2f.html @@ -4,7 +4,7 @@ documentation:2.0:totp2f - + @@ -63,7 +63,7 @@

    -Time based One Time Password (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. This is currently what Google Authenticator or FreeOTP use. +Time based One Time Password (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. This is currently use by Google Authenticator or FreeOTP.
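Review bot: the rewritten sentence in this hunk introduces a grammar error: "This is currently use by Google Authenticator or FreeOTP" should be "This is currently used by Google Authenticator or FreeOTP"; the removed wording was correct.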

    @@ -72,7 +72,7 @@ LLNG can propose to users to register this kind of software to increase authenti

    Note that it's a second factor, not an authentication module. Users are authenticated both by login form and TOTP.
    - +

    Prerequisites and dependencies

    @@ -88,7 +88,7 @@ Or from CPAN repository :
    cpanm Convert::Base32
    - +

    Configuration

    @@ -118,7 +118,7 @@ In the manager (advanced parameters), you just have to enable it:
    If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule that $_2fDevices =~ /“type”:\s*“TOTP”/s is set, else TOTP will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
    - +

    Enrollment
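Review bot: the rule fragment `$_2fDevices =~ /“type”:\s*“TOTP”/s` in this hunk is printed with typographic quotes, while the token JSON documented in secondfactor.html in this same commit uses plain ASCII double quotes (`"type" : "TOTP"`), so the regex as shown would never match and TOTP would be required of unregistered users; render it as `/"type":\s*"TOTP"/s` and keep the wiki from converting the quotes. The sentence "you must include this in your rule that ... is set" should read "you must include in your rule a check that ... matches".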

    @@ -127,12 +127,12 @@ If you've enabled self registration, users can register their keys by using

    - +

    Assistance

    -If a user lost its key, you may remove it from manager Second Factor module. +If a user loses its key, you can remove it from manager Second Factor module. To enable manager Second Factor Administration Module, set enabledModules key in your lemonldap-ng.ini file : @@ -141,7 +141,7 @@ To enable manager Second Factor Administration Module, set enabledModules< enabledModules = conf, sessions, notifications, 2ndFA

    - +

    Developer corner

    diff --git a/doc/pages/documentation/current/u2f.html b/doc/pages/documentation/current/u2f.html index b3241e384..dca1d6043 100644 --- a/doc/pages/documentation/current/u2f.html +++ b/doc/pages/documentation/current/u2f.html @@ -78,12 +78,12 @@ LLNG can propose to users to register their keys. When done, 2F registered users

    -This feature uses Crypt::U2F::Server::Simple that is available only via CPAN for now. Before compiling it, you must install Yubico's C library headers (called libu2f-server-dev on Debian). +This feature uses Crypt::U2F::Server::Simple that is only available on CPAN repository for now. Before compiling it, you must install Yubico's C library headers (called libu2f-server-dev on Debian).

    An HTTPS portal is required to use U2F
    - +

    Configuration

    @@ -101,7 +101,7 @@ In the manager (second factors), you just have to enable it:
    If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: $_2fDevices =~ /“type”:\s*“U2F”/s, else U2F will be required even if users are not registered. This is automatically done when “activation” is set to “on”.
    - +

    Browser compatibility
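Review bot: same issue as the TOTP page in this commit: `$_2fDevices =~ /“type”:\s*“U2F”/s` in this hunk uses typographic quotes that cannot match the ASCII-quoted token JSON (`"type" : "U2F"`) documented in secondfactor.html, so the activation rule would never detect a registered key; render it as `/"type":\s*"U2F"/s` with straight quotes.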

      @@ -122,7 +122,7 @@ In the manager (second factors), you just have to enable it:
    - +

    Enrollment

    @@ -131,18 +131,18 @@ If you have enabled self registration, users can register their U2F keys using <

    - +

    Assistance

    -If a user lost its key, you can delete the 2F device from the manager Second Factor module. To enable manager Second Factor Administration Module, set enabledModules key in your lemonldap-ng.ini file : +If a user loses its key, you can delete it from the manager Second Factor module. To enable manager Second Factor Administration Module, set enabledModules key in your lemonldap-ng.ini file :

    [portal]
     enabledModules = conf, sessions, notifications, 2ndFA
    - +

    Developer corner

    diff --git a/doc/pages/documentation/current/upgrade.html b/doc/pages/documentation/current/upgrade.html index 0844a18e1..8c01cf395 100644 --- a/doc/pages/documentation/current/upgrade.html +++ b/doc/pages/documentation/current/upgrade.html @@ -56,6 +56,7 @@
  • +
  • @@ -77,20 +78,20 @@

    Upgrade from 1.9 to 2.0

    -
    2.0 is a major release, many things have been changed. You must read this document before upgrade. +
    2.0 is a major release, lot of things have been changed. You must read this document before upgrade.
    - +

    Upgrade order from 1.9.*

    -As usual, if you use more than 1 server and don't want to stop the SSO service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, upgrade must be done in the following order: +As usual, if you use more than 1 server and don't want to stop SSO service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, upgrade must be done in the following order:

      -
    1. servers that have only handlers;
      +
    2. servers with handlers only;
    3. -
    4. portal servers (all together if your load balancer doesn't keep state by user or client IP and if users use the menu);
      +
    5. portal servers (all together if your load balancer is stateless (user or client IP) and if users use the menu);
    6. manager server
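Review bot: the rewritten line "2.0 is a major release, lot of things have been changed" in this hunk is a regression from the removed "many things have been changed"; keep "many things". In the upgrade order list, the new "portal servers (all together if your load balancer is stateless (user or client IP) and if users use the menu)" nests parentheses and is harder to read than the removed wording; "if your load balancer does not pin users to a server by user or client IP" says the same thing more clearly.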
    7. @@ -98,7 +99,7 @@ As usual, if you use more than 1 server and don't want to stop the You must revalidate your configuration using the manager.
    - +

    Installation

    French documentation is no more available. Only English version of this documentation is maintained now. @@ -118,33 +119,33 @@ This release of LL::NG requires these minimal

    -For SAML features, we require Lasso 2.5. +For SAML features, we require at least Lasso 2.5 and we recommend Lasso 2.6.

    - +

    Configuration

    • User module in authentication parameters now provides a “Same as authentication” value. You must revalidate it in the manager since all special values must be replaced by this (Multi, Choice, Proxy, Slave, SAML, OpenID*,…)
    • -
    • “Multi” doesn't exist anymore: it is replaced by the more powerful Combination
      +
    • “Multi” doesn't exist anymore: it is replaced by Combination, a more powerful module.
    • -
    • Apache and Nginx configurations must updated to use the FastCGI portal
      +
    • Apache and Nginx configurations must be updated to use FastCGI portal
    • URLs for mail reset and register pages have changed, you must update configuration parameters. For example:
      mailUrl => 'http://auth.example.com/resetpwd',
       registerUrl => 'http://auth.example.com/register',
    -
    Apache mod_perl has a lot of issues since version 2.4 (many segfaults,…), especially when using mpm-worker. That's why LL::NG doesn't use anymore ModPerl::Registry: all is now handled by FastCGI (portal and manager). +
    Apache mod_perl has got lot of troubleshooting problems since 2.4 version(many segfaults,…), especially when using mpm-worker. That's why LL::NG doesn't use anymore ModPerl::Registry: all is now handled by FastCGI (portal and manager).

    For Handlers, it is now recommended to migrate to Nginx, but Apache 2 is still supported

    - +

    Configuration refresh
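Review bot: the rewritten mod_perl sentence in this hunk, "Apache mod_perl has got lot of troubleshooting problems since 2.4 version(many segfaults,…)", is less correct than the removed "Apache mod_perl has a lot of issues since version 2.4 (many segfaults, …)"; keep the removed wording. Also "must be updated to use FastCGI portal" should be "must be updated to use the FastCGI portal".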

    @@ -154,8 +155,17 @@ Now portal has the same behavior than handlers: it looks to configuration stored
    If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include handler-nginx.conf or handler-apache2.conf for example
    - -

    Kerberos or SSL usage

    + +

    LDAP connection

    +
    + +

    +Now LDAP connections are kept open to improve performances. To allow that, LL::NG requires an anonymous access to LDAP RootDSE entry to check connection. +

    + +
    + +

    Kerberos or SSL usage

    • A new Kerberos authentication backend has been added since 2.0. This module solves many Kerberos integration problems (usage in conjunction with other backends, better error display,…). However, you can retain the old integration manner (using Apache authentication module).
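Review bot: the added LDAP connection paragraph states that LL::NG now requires anonymous access to the LDAP RootDSE to check kept-open connections, which is a change in required directory permissions; the upgrade notes should say what happens when the directory forbids anonymous reads (does the check fail closed or is the connection simply reopened?), how to grant read access on the RootDSE alone without enabling anonymous access to the rest of the tree, and whether an authenticated bind can be used for the check instead. Also "to improve performances" should be "to improve performance".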
      @@ -165,19 +175,19 @@ Now portal has the same behavior than handlers: it looks to configuration stored
    - -

    Logs

    + +

    Logs

      -
    • Syslog: logs are now configured only in lemonldap-ng.ini file. If you use Syslog, you must reconfigure it. See logs for more.
      +
    • Syslog: logs are now configured in lemonldap-ng.ini file only. If you use Syslog, you must reconfigure it. See logs for more.
    • -
    • Apache2: Portal doesn't use anymore Apache2 logger. Logs continue to be written to Apache error.log but Apache “LogLevel” parameter has no effet on it: portal is now a FastCGI application and doesn't use anymore ModPerl. See logs for more.
      +
    • Apache2: Portal doesn't use anymore Apache2 logger. Logs are always written to Apache error.log but Apache “LogLevel” parameter has no more effect on it. Portal is now a FastCGI application and doesn't use anymore ModPerl. See logs for more.
    - -

    Security

    + +

    Security

    @@ -191,19 +201,27 @@ LLNG portal now embeds the following features:

    - -

    Handlers

    + +

    Handlers

      +
    • Apache only:
      +
        +
      • Apache handler is now Lemonldap::NG::Handler::ApacheMP2 and Menu is now Lemonldap::NG::Handler::ApacheMP2::Menu
        +
      • +
      • because of an Apache behaviour change, PerlHeaderParserHandler must no more be used with “reload” URLs (replaced by PerlResponseHandler). Any “reload url” that are inside a protected vhost must be unprotected in vhost rules (protection has to be done by web server configuration).
        +
      • +
      +
    • CDA, ZimbraPreAuth, SecureToken and AuthBasic are now Handler Types. So there is no more special file to load: you just have to choose “VirtualHost type” in the manager/VirtualHosts.
    • -
    • Apache only: because of an Apache behaviour change, PerlHeaderParserHandler must no more be used with “reload” URLs (replaced by PerlResponseHandler). Any “reload url” that are inside a protected vhost must be unprotected in vhost rules (protection has to be done by web server configuration).
      +
    • SSOCookie: Since Firefox 60 and Chrome 68, “+2d, +5M, 12h and so on…” cookie expiration time notation is no more supported. CookieExpiration value is a number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately.
    - -

    Rules and headers

    + +

    Rules and headers

    • hostname() and remote_ip() are no more provided to avoid some name conflicts (replaced by $ENV{})
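Review bot: the Apache-only sub-bullet on "reload" URLs tells admins to unprotect any reload URL inside a protected vhost and says "protection has to be done by web server configuration", but it does not say what that configuration must restrict; since removing the vhost rule drops the SSO check on that path, please state what the web server is expected to enforce (which clients may call the reload URL) or point to the section that documents it. Later in the same hunk, "hostname() and remote_ip() are no more provided ... (replaced by $ENV{})" names no key; list the exact $ENV keys that replace each function so existing rules can be migrated.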
      @@ -215,8 +233,8 @@ LLNG portal now embeds the following features:
    - -

    Supported servers

    + +

    Supported servers

    • Apache-1.3 files are not provided now. You can build them yourself by looking at Apache-2 configuration files
      @@ -224,24 +242,24 @@ LLNG portal now embeds the following features:
    - -

    Ajax requests

    + +

    Ajax requests

    -Before 2.0, an Ajax query that was launched after session timeout received a 302 code. Now a 401 HTTP code is given in response. The WWW-Authenticate header contains: SSO <portal-URL> +Before 2.0, an Ajax query launched after session timeout received a 302 code. Now a 401 HTTP code is returned. WWW-Authenticate header contains: SSO <portal-URL>

    - -

    SOAP/REST services

    + +

    SOAP/REST services

    • SOAP server activation is now split in 2 parameters (configuration/sessions). You must set them else SOAP service will be disabled
    • Notifications are now REST/JSON by default. You can force old format in the manager. Note that SOAP proxy has changed: http://portal/notifications now.
    • -
    • If you use “adminSessions” endpoint with “singleSession*” features, you must upgrade all portals in the same time
      +
    • If you use “adminSessions” endpoint with “singleSession*” features, you must upgrade all portals simultaneously
    • SOAP services can be replaced by new REST services
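Review bot: "SOAP server activation is now split in 2 parameters (configuration/sessions)" names neither parameter; give both parameter names so admins can find them in the manager, and make explicit that leaving both unset keeps SOAP disabled. In the Ajax paragraph, the 401 response carries WWW-Authenticate: SSO <portal-URL>, which is not a standard authentication scheme; one sentence on what a client is expected to do with that value would avoid clients treating it as an ordinary failed HTTP authentication challenge.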
    • @@ -249,26 +267,26 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302
      AuthBasic Handler uses now REST services instead of SOAP.
    - -

    Developer corner

    + +

    Developer corner

    - -

    APIs

    + +

    APIs

    -Portal has now many REST features and includes a plugin API. See Portal manpages to see how to write auth modules, issuers or other feature. +Portal has now many REST features and includes an API plugin. See Portal manpages to learn how to write auth modules, issuers or other features.

    - -

    Portal overview

    + +

    Portal overview

    -Portal is no more a big CGI object. it is written for Plack/PSGI. Little resume +Portal is no more a single CGI object. Since 2.0, It is based on Plack/PSGI and Mouse modules. Little resume

    Portal object
       |
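Review bot: the rewritten APIs sentence changes "includes a plugin API" to "includes an API plugin", which inverts the meaning; the rest of the sentence ("how to write auth modules, issuers or other features") describes an API for writing plugins, so keep "a plugin API". In the Portal overview line, "Since 2.0, It is based on" has a stray capital "It", and "Little resume" would read better as "Short summary".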
    @@ -281,12 +299,12 @@ Portal is no more a big CGI object. it is written for Plack/PSGI. Little resume
       +-> other plugins (notification,...)

    -The request is a separated object based on Lemonldap::NG::Portal::Main::Request which inherits from Lemonldap::NG::Common::PSGI::Request which inherits from Plack::Request. See manpages for more. +Requests are independant objects based on Lemonldap::NG::Portal::Main::Request which inherits from Lemonldap::NG::Common::PSGI::Request which inherits from Plack::Request. See manpages for more.

    - -

    Handler

    + +

    Handler

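Review bot: "Requests are independant objects" in the rewritten Request sentence is misspelled; it should be "independent objects".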
    @@ -294,10 +312,10 @@ Handler libraries have been totally rewritten. If you've made custom handle

    -If you had auto protected CGI, you also need to rewrite them, see documentation. +If you used self protected CGI, you also need to rewrite them, see documentation.

    -
    +
    diff --git a/doc/pages/documentation/current/writingrulesand_headers.html b/doc/pages/documentation/current/writingrulesand_headers.html index 86d7debd3..1c97e54f0 100644 --- a/doc/pages/documentation/current/writingrulesand_headers.html +++ b/doc/pages/documentation/current/writingrulesand_headers.html @@ -92,6 +92,14 @@ The %ENV table provides: +
  • For portal:
    +
      +
    • $ENV{urldc} : Origin URL before Handler redirection, in cleartext
      +
    • +
    • $ENV{_url} : Origin URL before Handler redirection, base64 encoded
      +
    • +
    +
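Review bot: the two new portal entries, $ENV{urldc} and $ENV{_url}, describe the origin URL the user was redirected from, i.e. a value carried in the client's request to the portal; the added lines should say that it is client-supplied and is to be treated like any other untrusted input when it is used in a rule or copied into a header, and should make clear that the only difference between the two keys is the encoding (cleartext versus base64).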
  • @@ -99,7 +107,7 @@ See also +

    Rules

    @@ -139,7 +147,7 @@ Examples:
    Backend Shareable Session explorer Session restrictions Session expiration Comment Restrict access to the whole site to users that have the LDAP description field set to “LDAP administrator” (must be set in exported variables) default $description eq "LDAP administrator"
    - +

    The “default” access rule is used if no other access rule match the current URL.

    @@ -170,7 +178,7 @@ Rules can also be used to intercept logout Logout user from current application and from Lemonldap::NG and redirect it to http://intranet/ (Apache only) ^/index.php\?logout logout_app_sso http://intranet/ -
    logout_app and logout_app_sso rules are not available on Nginx, only on Apache. +
    logout_app and logout_app_sso rules are not available on Nginx, only on Apache.

    By default, user will be redirected on portal if no URL defined, or on the specified URL if any. @@ -178,7 +186,7 @@ By default, user will be redirected on portal if no Only current application is concerned by logout_app* targets. Be careful with some applications which doesn't verify Lemonldap::NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.

    - +

    Rules on authentication level

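Review bot: the changed lines in this region are markup-only (the "logout_app and logout_app_sso rules are not available on Nginx" text is identical before and after), but while the paragraph is being touched its grammar should be fixed: "some applications which doesn't verify Lemonldap::NG headers" should be "some applications that don't verify Lemonldap::NG headers", and "a HTML page that explain that it is safe to close browser" should be "an HTML page that explains that it is safe to close the browser".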
    @@ -212,7 +220,7 @@ There are two way to impose users to have a high authentication level:
    Instead of returning a 403 code, “minimum level” returns user to a form that explain that a higher level is required and propose to user to reauthenticate itself.
    - +

    Headers

    @@ -242,7 +250,7 @@ Examples: Give a non ascii data Display-Name encode_base64($givenName." ".$surName,"")
    - +

    As described in performances chapter, you can use macros, local macros,…

    @@ -260,7 +268,7 @@ As described in +

    Available functions

    @@ -275,7 +283,7 @@ In addition to macros and name, you can use some functions in rules and headers:
    - +

    Wildcards in hostnames

    @@ -298,6 +306,6 @@ Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is
    - + diff --git a/doc/pages/documentation/current/yubikey2f.html b/doc/pages/documentation/current/yubikey2f.html index e543f7fbd..68182361b 100644 --- a/doc/pages/documentation/current/yubikey2f.html +++ b/doc/pages/documentation/current/yubikey2f.html @@ -62,24 +62,24 @@

    -The Yubikey is a small material token shipped by Yubico. It sends an OTP, which is validated against Yubico server. +A Yubikey is a small material token manufactured by Yubico. It sends an OTP, which is validated via Yubico server.

    - +

    Prerequisites and dependencies

    -You need Auth::Yubikey_WebClient package. +You must install Auth::Yubikey_WebClient package.

    -You need to get an client ID and a secret key from Yubico. See Yubico API page. +You have to retrieve a client ID and a secret key from Yubico. See Yubico API page.

    - +

    Configuration

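Review bot: "A Yubikey is a small material token" in the rewritten intro should be "hardware token" ("material" is a calque); and "validated via Yubico server" reads less clearly than the removed "validated against Yubico server", so keep "against". "You must install Auth::Yubikey_WebClient package" should read "the Auth::Yubikey_WebClient package".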
    @@ -107,7 +107,7 @@ In the manager (second factors), you just have to enable it:
    If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: $_2fDevices =~ /“type”:\s*“UBK”/s, else Yubikey will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
    - +

    Provisioning

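Review bot: the activation rule in this hunk, $_2fDevices =~ /“type”:\s*“UBK”/s, is shown with typographic quotes around type and UBK, while the provisioning example later on the same page stores devices as {"name" : ..., "type" : "UBK", ...} with straight quotes; if the typographic quotes are really in the HTML (and not only in this rendering) the pattern never matches and the rule cannot behave as the sentence describes. Please make sure the page shows the pattern with straight ASCII quotes: /"type":\s*"UBK"/s.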
    @@ -117,7 +117,7 @@ If you don't want to use self-registration, set public part of user's
    [{"name" : "MyYubikey" , "type" : "UBK" , "_secret" : "########" , "epoch":"1524078936"}, ...]
    - +

    Enrollment

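Review bot: the provisioning JSON in this hunk puts the value the context line calls the "public part of user's" key into a field named "_secret"; please state explicitly which Yubikey value goes there (the public part, as the sentence says, not a secret), because the field name suggests the opposite and an admin could store the wrong value in the session.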
    @@ -126,6 +126,6 @@ If you have enabled self registration, users can register their U2F keys using <

    - +
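Review bot: the context line "If you have enabled self registration, users can register their U2F keys using" is on the Yubikey page (yubikey2f.html); it looks copied from the U2F documentation and should presumably say Yubikeys, otherwise the enrollment section points users at the wrong device type.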