Merge branch 'v2.0'

This commit is contained in:
Xavier 2019-06-30 09:37:15 +02:00
commit 1718efe6d5
81 changed files with 2475 additions and 916 deletions


@ -1,3 +1,66 @@
lemonldap-ng (2.0.5) stable; urgency=medium
* Bugs:
* #1521: The manager renames the id of applications created by lemonldap-ng-cli
* #1655: Can't delete notifications from the manager
* #1717: Warnings "Devel::StackTrace" when using unnative Perl functions
* #1746: Impersonation does not work with double cookies authentication
* #1749: Authentication with "Double Cookies for a single session" (securedCookie==3) does not work
* #1753: Logout with CASv2 is not working (Bad URL)
* #1754: Configuration caching issue when overriding globalStorage in lemonldap-ng.ini
* #1755: CheckUser plugin fails if OTT globalStrorage is enabled
* #1759: Server Error when OpenID Connect provider enabled without any RP
* #1762: CDA sessions are not removed when handler uses SOAP
* #1775: Authentication with double cookies fails when uniq session is enabled
* #1777: Server Error with SAML SLO and expired SSO session
* #1779: Go to portal message not translated in register confirmation mail
* #1795: [Security: low] CAS 3.0 Logout does not validate redirect URL
* #1800: Auth::Slave is unusable with Choice
* #1802: No error returned if no code provided on OpenID Connect token endpoint
* #1805: Auth::LDAP unusable in combination if UserDB::LDAP isn't called
* #1809: UserDB::DBI with Auth::LDAP seems to not work properly
* #1810: [Security: low] llng-fastcgi-server could fail to setgid
* #1811: Lua-headers file is missing
* #1813: searchOn* does not work when a portal uses REST session backend
* #1814: Local cache not fully purged
* #1818: [Security:low] XXE vulnerability in SOAP notification server
* #1819: Portal Notification server unusable with old XML format
* #1821: Pdata not cleared after session upgrade
* #1822: Session upgrade does not work with 2FA
* #1824: lmConfigEditor does not work anymore
* #1826: Race condition on SSL login form button
* New features:
* #1796: Display a message if an expired 2f device is removed
* Improvements:
* #1706: html not interpreted for translated messages
* #1723: Real authentication is masked when using proxy authentication module
* #1732: Sessions explorer and Browseable::Postgres
* #1734: RPM version uses JSON::PP instead of JSON::XS
* #1747: Logging out from portal cause an error with doubleCookie after refreshing rights
* #1750: Wrong version / author / IP / log in lemonldap-ng-cli
* #1758: Warnings in Viewer.pm when saving configuration
* #1763: Transmission of Authorization header should probably be on by default
* #1764: Set choosen language in user session
* #1765: Better CORS handling
* #1766: Warning in logs with SAML
* #1767: Append startTime overScheme to display sessions to avoid browser crash
* #1769: CSRF token is not automatically regenerated after a failed login with Auth::Choice
* #1770: Add save/restore commands in cli
* #1771: SSO sessions _updateTime value is not updated after a refresh request
* #1773: Append option to modify service Token handler TTL
* #1774: CheckUser plugin does not work with SAML
* #1782: Append an option to set 2FA TTL
* #1791: Append an option in Manager to merge only specified SSO groups with Impersonation
* #1797: Allow ServiceToken to send service headers
* #1799: StorePassword in session not working when using session REST server
* #1827: Using lemonldap-ng-cli info gives warning with default configuration
* #1828: 2F plugins and method loadTemplate are not using skin rules
* #1830: [Security:improvement] Improved use of cryptography
-- Clément <clem.oudot@gmail.com> Sat, 29 Jun 2019 22:25:02 +0200
lemonldap-ng (2.0.4) stable; urgency=high
* Bugs:

debian/changelog vendored

@ -1,3 +1,10 @@
lemonldap-ng (2.0.5-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Sat, 29 Jun 2019 22:00:00 +0100
lemonldap-ng (2.0.4-1) unstable; urgency=medium
* New release. See changes on our website:


@ -140,70 +140,76 @@ If none of above methods is available, you can try:
<td class="col0 centeralign"> <a href="applications/guacamole.html" class="media" title="documentation:2.0:applications:guacamole"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/guacamole.html" class="wikilink1" title="documentation:2.0:applications:guacamole">Apache Guacamole</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4 centeralign"></td><td class="col5 leftalign"> </td><td class="col6 centeralign"></td>
</tr>
<tr class="row18 roweven">
<td class="col0 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="wikilink1" title="documentation:2.0:applications:liferay">Liferay</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
<td class="col0 centeralign"> <a href="applications/jitsimet" class="media" title="documentation:2.0:applications:jitsimet"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/jitsimeet.html" class="wikilink1" title="documentation:2.0:applications:jitsimeet">Jitsi Meet</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/limesurvey.html" class="wikilink1" title="documentation:2.0:applications:limesurvey">LimeSurvey</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
<td class="col0 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="wikilink1" title="documentation:2.0:applications:liferay">Liferay</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row20 roweven">
<td class="col0 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="wikilink1" title="documentation:2.0:applications:mediawiki">Mediawiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/limesurvey.html" class="wikilink1" title="documentation:2.0:applications:limesurvey">LimeSurvey</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row21 rowodd">
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/nextcloud.html" class="wikilink1" title="documentation:2.0:applications:nextcloud">NextCloud</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/mattermost.html" class="media" title="documentation:2.0:applications:mattermost"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mattermost.html" class="wikilink1" title="documentation:2.0:applications:mattermost">Mattermost</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"> </td>
</tr>
<tr class="row22 roweven">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
<td class="col0 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="wikilink1" title="documentation:2.0:applications:mediawiki">Mediawiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row23 rowodd">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/obm.html" class="wikilink1" title="documentation:2.0:applications:obm">OBM</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/nextcloud.html" class="wikilink1" title="documentation:2.0:applications:nextcloud">NextCloud</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
</tr>
<tr class="row24 roweven">
<td class="col0 centeralign"> <a href="applications/office365.html" class="media" title="documentation:2.0:applications:office365"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/office365.html" class="wikilink1" title="documentation:2.0:applications:office365">Office 365</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row25 rowodd">
<td class="col0 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="wikilink1" title="documentation:2.0:applications:phpldapadmin">phpLDAPAdmin</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row26 roweven">
<td class="col0 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/roundcube.html" class="wikilink1" title="documentation:2.0:applications:roundcube">Roundcube</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row27 rowodd">
<td class="col0 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/salesforce.html" class="wikilink1" title="documentation:2.0:applications:salesforce">SalesForce</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row28 roweven">
<td class="col0 centeralign"> <a href="applications/sap.html" class="media" title="documentation:2.0:applications:sap"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td><td class="col1 centeralign"> <a href="applications/sap.html" class="wikilink1" title="documentation:2.0:applications:sap">SAP</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/simplesamlphp.html" class="wikilink1" title="documentation:2.0:applications:simplesamlphp">simpleSAMLphp</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row30 roweven">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row25 rowodd">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/obm.html" class="wikilink1" title="documentation:2.0:applications:obm">OBM</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row26 roweven">
<td class="col0 centeralign"> <a href="applications/office365.html" class="media" title="documentation:2.0:applications:office365"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/office365.html" class="wikilink1" title="documentation:2.0:applications:office365">Office 365</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row27 rowodd">
<td class="col0 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="wikilink1" title="documentation:2.0:applications:phpldapadmin">phpLDAPAdmin</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row28 roweven">
<td class="col0 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/roundcube.html" class="wikilink1" title="documentation:2.0:applications:roundcube">Roundcube</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/salesforce.html" class="wikilink1" title="documentation:2.0:applications:salesforce">SalesForce</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row30 roweven">
<td class="col0 centeralign"> <a href="applications/sap.html" class="media" title="documentation:2.0:applications:sap"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td><td class="col1 centeralign"> <a href="applications/sap.html" class="wikilink1" title="documentation:2.0:applications:sap">SAP</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row31 rowodd">
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/spring.html" class="wikilink1" title="documentation:2.0:applications:spring">Spring</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/simplesamlphp.html" class="wikilink1" title="documentation:2.0:applications:simplesamlphp">simpleSAMLphp</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
</tr>
<tr class="row32 roweven">
<td class="col0 centeralign"> <a href="applications/symfony.html" class="media" title="documentation:2.0:applications:symfony"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/symfony.html" class="wikilink1" title="documentation:2.0:applications:symfony">Symfony</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row33 rowodd">
<td class="col0 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="wikilink1" title="documentation:2.0:applications:sympa">Sympa</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/spring.html" class="wikilink1" title="documentation:2.0:applications:spring">Spring</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row34 roweven">
<td class="col0 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="wikilink1" title="documentation:2.0:applications:tomcat">Tomcat</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/symfony.html" class="media" title="documentation:2.0:applications:symfony"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/symfony.html" class="wikilink1" title="documentation:2.0:applications:symfony">Symfony</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row35 rowodd">
<td class="col0 centeralign"> <a href="applications/wordpress.html" class="media" title="documentation:2.0:applications:wordpress"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/wordpress.html" class="wikilink1" title="documentation:2.0:applications:wordpress">Wordpress</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4 centeralign"></td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="wikilink1" title="documentation:2.0:applications:sympa">Sympa</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row36 roweven">
<td class="col0 centeralign"> <a href="applications/xwiki.html" class="media" title="documentation:2.0:applications:xwiki"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/xwiki.html" class="wikilink1" title="documentation:2.0:applications:xwiki">XWiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="wikilink1" title="documentation:2.0:applications:tomcat">Tomcat</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row37 rowodd">
<td class="col0 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra</a> </td><td class="col2"> </td><td class="col3 centeralign"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/wordpress.html" class="media" title="documentation:2.0:applications:wordpress"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/wordpress.html" class="wikilink1" title="documentation:2.0:applications:wordpress">Wordpress</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4 centeralign"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row38 roweven">
<td class="col0 centeralign"> <a href="applications/xwiki.html" class="media" title="documentation:2.0:applications:xwiki"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/xwiki.html" class="wikilink1" title="documentation:2.0:applications:xwiki">XWiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row39 rowodd">
<td class="col0 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra</a> </td><td class="col2"> </td><td class="col3 centeralign"></td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row40 roweven">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
</table></div>
<!-- EDIT4 TABLE [1223-5891] -->
<!-- EDIT4 TABLE [1223-6153] -->
</div>
<!-- EDIT3 SECTION "Application list" [1192-] --></div>
</body>


@ -88,12 +88,16 @@ Gitlab allows one to use <abbr title="Security Assertion Markup Language">SAML</
<p>
For this example, we use these sample values:
* Gitlab <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://gitlab.example.com" class="urlextern" title="https://gitlab.example.com" rel="nofollow">https://gitlab.example.com</a>
* <abbr title="LemonLDAP::NG">LL::NG</abbr> portal <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a>
</p>
<ul>
<li class="level1"><div class="li"> Gitlab <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://gitlab.example.com" class="urlextern" title="https://gitlab.example.com" rel="nofollow">https://gitlab.example.com</a></div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> portal <abbr title="Uniform Resource Locator">URL</abbr> : <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "SAML" [301-456] -->
<!-- EDIT3 SECTION "SAML" [301-457] -->
<h3 class="sectionedit4" id="gitlab_configuration">Gitlab configuration</h3>
<div class="level3">
@ -138,7 +142,7 @@ To apply changes:
<pre class="code">gitlab-ctl reconfigure</pre>
</div>
<!-- EDIT4 SECTION "Gitlab configuration" [457-1849] -->
<!-- EDIT4 SECTION "Gitlab configuration" [458-1850] -->
<h3 class="sectionedit5" id="llng_configuration">LL::NG configuration</h3>
<div class="level3">
@ -164,7 +168,7 @@ Register them in <abbr title="LemonLDAP::NG">LL::NG</abbr> and send these <abbr
<div class="noteimportant">The value from <abbr title="LemonLDAP::NG">LL::NG</abbr> mail session attribute must be the email of the user in Gitlab database, in order to associate accounts.
</div>
</div>
<!-- EDIT5 SECTION "LL::NG configuration" [1850-2524] -->
<!-- EDIT5 SECTION "LL::NG configuration" [1851-2525] -->
<h3 class="sectionedit6" id="manage_groups">Manage groups</h3>
<div class="level3">
@ -187,6 +191,6 @@ And in <abbr title="LemonLDAP::NG">LL::NG</abbr>, export the groups attribute:
</ul>
</div>
<!-- EDIT6 SECTION "Manage groups" [2525-] --></div>
<!-- EDIT6 SECTION "Manage groups" [2526-] --></div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=f5d398c4fc6f21e5e626ce5d49ffe634" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -218,8 +218,18 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
<div class="level3">
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="media" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
<strong>OW2con&#039;14 Community Award</strong>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
@ -262,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1557671456" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1561840284" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=f5d398c4fc6f21e5e626ce5d49ffe634" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -218,8 +218,18 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
<div class="level3">
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="media" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
<strong>OW2con&#039;14 Community Award</strong>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
@ -262,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1557671456" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1561840284" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -0,0 +1,191 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:jitsimeet</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,jitsimeet"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="jitsimeet.html"/>
<link rel="contents" href="jitsimeet.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:jitsimeet","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#pre-requisites">Pre-requisites</a></div></li>
<li class="level2"><div class="li"><a href="#jitsi_meet_configuration">Jitsi Meet configuration</a></div></li>
<li class="level2"><div class="li"><a href="#jitsi_meet_nginx_configuration">Jitsi Meet Nginx configuration</a></div></li>
<li class="level2"><div class="li"><a href="#jitsi_meet_virtual_host_in_manager">Jitsi Meet Virtual host in Manager</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="jitsi_meet">Jitsi Meet</h1>
<div class="level1">
<p>
<a href="logo-jitsimeet.png_documentation_2.0_applications_jitsimeet.html" class="media" title="applications:logo-jitsimeet.png"><img src="logo-jitsimeet.png" class="mediacenter" alt="" /></a>
</p>
</div>
<!-- EDIT1 SECTION "Jitsi Meet" [1-67] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://github.com/jitsi/jitsi-meet" class="urlextern" title="https://github.com/jitsi/jitsi-meet" rel="nofollow">Jitsi Meet</a> is a WEBRTC-based video conferencing application, powering the <a href="http://meet.jit.si" class="urlextern" title="http://meet.jit.si" rel="nofollow">meet.jit.si</a> online service.
</p>
<p>
Users may install their own instance of Jitsi Meet for private use, in which case, they may use authentication to control the creation of conference rooms.
</p>
<p>
The official documentation provides instructions on <a href="https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md" class="urlextern" title="https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md" rel="nofollow">how to configure Jitsi Meet to use Shibboleth</a>, but with a little adaptation, it can work just as fine with LemonLDAP::NG.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [68-657] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [658-684] -->
<h3 class="sectionedit4" id="pre-requisites">Pre-requisites</h3>
<div class="level3">
<p>
In this guide, it is assumed that you have followed the <a href="https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md" class="urlextern" title="https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md" rel="nofollow">Jitsi Meet quick start</a> and that <strong>you have installed Nginx on your Jitsi Meet server first</strong>
</p>
<p>
If you have not done that, the Jitsi Meet installer will not generate a Nginx configuration file for you. This is not a problem is you are already using your own reverse proxy.
</p>
</div>
<!-- EDIT4 SECTION "Pre-requisites" [685-1112] -->
<h3 class="sectionedit5" id="jitsi_meet_configuration">Jitsi Meet configuration</h3>
<div class="level3">
<p>
As with the Shibboleth guide, you need to configure <code>/etc/jitsi/jicofo/sip-communicator.properties</code>
</p>
<pre class="code">org.jitsi.jicofo.auth.URL=shibboleth:default
org.jitsi.jicofo.auth.LOGOUT_URL=/logout/</pre>
<p>
This defines the login servlet as <code>/login/</code> and the logout <abbr title="Uniform Resource Locator">URL</abbr> as <code>/logout/</code>
</p>
</div>
<!-- EDIT5 SECTION "Jitsi Meet configuration" [1113-1437] -->
<h3 class="sectionedit6" id="jitsi_meet_nginx_configuration">Jitsi Meet Nginx configuration</h3>
<div class="level3">
<p>
In the Nginx configuration that the Jitsi Meet quickstart generated, you must add the following blocks, just like you would in a typical handler configuration file:
</p>
<pre class="code">
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH &quot;&quot;;
fastcgi_param HOST $http_host;
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Protect only the /login/ and /logout/ URLs.
# You may want to change this is your goal is to make the whole Jitsi Meet instance private
location ~ ^/log(in|out)/ {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
auth_request_set $mail $upstream_http_mail;
proxy_set_header mail $mail;
auth_request_set $lmcookie $upstream_http_cookie;
proxy_set_header Cookie: $lmcookie;
proxy_pass http://127.0.0.1:8888;
}</pre>
</div>
<!-- EDIT6 SECTION "Jitsi Meet Nginx configuration" [1438-2531] -->
<h3 class="sectionedit7" id="jitsi_meet_virtual_host_in_manager">Jitsi Meet Virtual host in Manager</h3>
<div class="level3">
<p>
Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" class="wikilink1" title="documentation:2.0:configvhost">create a new virtual host</a> for Jitsi Meet.
</p>
<p>
Configure the <a href="../writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">access rules</a>.
</p>
<ul>
<li class="level1"><div class="li"> Don&#039;t forget to configure the /logout/ <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
</ul>
<p>
Configure the following <a href="../writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">headers</a>.
</p>
<ul>
<li class="level1"><div class="li"> <strong>mail</strong>: $mail</div>
</li>
<li class="level1"><div class="li"> <strong>displayName</strong>: $cn</div>
</li>
</ul>
<div class="notewarning">Jitsi meet expects to find a <code>mail</code> HTTP header, it will ignore REMOTE_USER and only use the mail value to identify the user.
</div>
</div>
<!-- EDIT7 SECTION "Jitsi Meet Virtual host in Manager" [2532-] --></div>
</body>
</html>


@ -0,0 +1,285 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>documentation:2.0:applications:jitsimet [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="/lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="/lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<link type="text/css" rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootswatch/3.3.4/flatly/bootstrap.min.css" />
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,follow"/>
<meta name="keywords" content="documentation,2.0,applications,jitsimet"/>
<link rel="search" type="application/opensearchdescription+xml" href="/lib/exe/opensearch.php" title="LemonLDAP::NG"/>
<link rel="start" href="/"/>
<link rel="contents" href="/documentation/2.0/applications/jitsimet?do=index" title="Sitemap"/>
<link rel="alternate" type="application/rss+xml" title="Recent changes" href="/feed.php"/>
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0:applications"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/applications/jitsimet"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/applications/jitsimet"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:jitsimet","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
</style>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script type="text/javascript" src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script type="text/javascript" src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body class="flatly page-on-panel">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__site" class="container">
<div id="dokuwiki__top" class="site dokuwiki mode_show tpl_bootstrap3 notFound hasSidebar">
<!-- header -->
<div id="dokuwiki__header">
<nav class="navbar navbar-default" role="navigation">
<div class="container-fluid">
<div class="navbar-header">
<button class="navbar-toggle" type="button" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/start" accesskey="h" title="[H]" class="navbar-brand"><img src="/_media/wiki/logo.png" alt="LemonLDAP::NG" class="pull-left" id="dw__logo" width="20" height="20" /> <span id="dw__title" >LemonLDAP::NG</span></a>
</div>
<div class="collapse navbar-collapse">
<ul class="nav navbar-nav" id="dw__navbar">
<!-- <li>
<a href="/start" ><i class="glyphicon glyphicon-home"></i> Home</a></li> -->
<li>
<a href="/download" ><i class="glyphicon glyphicon-download"></i> Download</a></li>
<li>
<a href="/documentation" ><i class="glyphicon glyphicon-book"></i> Documentation</a></li>
<li>
<a href="/screenshots" ><i class="glyphicon glyphicon-picture"></i> Screenshots</a></li>
<li class="dropdown ">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-question-sign"></span> Contact <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="/contact" ><i class="glyphicon glyphicon-envelope"></i> Mails, IRC and more</a></li>
<li><a href="/team" ><i class="glyphicon glyphicon-user"></i> The team</a></li>
<li><a href="/professionalservices" ><i class="glyphicon glyphicon-briefcase"></i> Professional Services</a></li>
<li><a href="/references" ><i class="glyphicon glyphicon-sunglasses"></i> References</a></li>
<li><a href="/sponsors" ><i class="glyphicon glyphicon-piggy-bank"></i> Sponsors</a></li>
</ul>
</li>
</ul>
<div class="navbar-right">
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
</div>
</div>
</nav>
</div>
<!-- /header -->
<div id="dw__breadcrumbs">
<hr/>
<div class="breadcrumb"><span class="bchead">You are here: </span><span class="home"><bdi><a href="/start" class="wikilink1" title="start">start</a></bdi></span> » <bdi><a href="/documentation" class="wikilink1" title="documentation">documentation</a></bdi> » <bdi><a href="/documentation/2.0/start" class="wikilink1" title="documentation:2.0:start">2.0</a></bdi> » <bdi><a href="/documentation/2.0/applications" class="wikilink1" title="documentation:2.0:applications">applications</a></bdi> » <bdi><span class="curid"><a href="/documentation/2.0/applications/jitsimet" class="wikilink2" title="documentation:2.0:applications:jitsimet" rel="nofollow">jitsimet</a></span></bdi></div>
<hr/>
</div>
<p class="pageId text-right">
<span class="label label-default">documentation:2.0:applications:jitsimet</span>
</p>
<div id="dw__msgarea">
</div>
<main class="main row" role="main">
<!-- ********** CONTENT ********** -->
<article id="dokuwiki__content" class="col-sm-9 col-md-10 " >
<div class="panel panel-default" >
<div class="page group panel-body">
<div class="pull-right hidden-print" data-spy="affix" data-offset-top="150" style="z-index:1024; top:10px; right:10px;">
</div>
<!-- wikipage start -->
<h1 class="sectionedit1" id="this_topic_does_not_exist_yet">This topic does not exist yet</h1>
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
</p>
</div>
<!-- wikipage stop -->
</div>
</div>
</article>
<!-- ********** ASIDE ********** -->
<aside id="dokuwiki__aside" class="dw__sidebar col-sm-3 col-md-2 hidden-print">
<div class="content">
<div class="toogle hidden-lg hidden-md hidden-sm" data-toggle="collapse" data-target="#dokuwiki__aside .collapse">
<i class="glyphicon glyphicon-th-list"></i> Sidebar </div>
<div class="collapse in">
<p>
<div class="text-center">
</p>
<h3 class="sectionedit1" id="social_networks">Social networks</h3>
<div class="level3">
<p>
<p><a href="https://twitter.com/lemonldapng/" class="btn btn-large btn-info"><i class="glyphicon glyphicon-retweet"></i> Twitter</a></p>
<p><a href="https://www.facebook.com/lemonldapng/" class="btn btn-large btn-primary"><i class="glyphicon glyphicon-thumbs-up"></i> Facebook</a></p>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT1 SECTION "Social networks" [41-433] -->
<h3 class="sectionedit2" id="hosted_by">Hosted by</h3>
<div class="level3">
<p>
<a href="http://www.ow2.org" class="media" title="http://www.ow2.org" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT2 SECTION "Hosted by" [434-568] -->
<h3 class="sectionedit3" id="certifications">Certifications</h3>
<div class="level3">
<p>
<a href="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" class="media" title="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" rel="nofollow"><img src="/_media/applications/franceconnect_logo.png" class="mediacenter" alt="" /></a>
<strong>France Connect</strong>
</p>
<p>
<a href="https://fusioniam.org" class="media" title="https://fusioniam.org" rel="nofollow"><img src="/_media/logos/fusioniam_logo_icon_dragon_circle.png" class="mediacenter" alt="" /></a>
<strong>FusionIAM projet member</strong>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT3 SECTION "Certifications" [569-928] -->
<h3 class="sectionedit4" id="awards">Awards</h3>
<div class="level3">
<p>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
<p>
<script type="text/javascript" src="http://www.openhub.net/p/12421/widgets/project_users.js?style=blue"></script>
</div>
</p>
<script type='text/javascript'>
var ab_h = '321e562442494652658acbc3fd84ec80';
var ab_s = '6ca5df30810665e075f684a87e742175';
</script>
<script type='text/javascript' src='http://cdn1.adbard.net/js/ab1.js'></script>
</div>
<!-- EDIT4 SECTION "Awards" [929-] --> </div>
</div>
</aside>
</main>
<footer id="dokuwiki__footer" class="small hidden-print">
<a href="javascript:void(0)" class="back-to-top hidden-print btn btn-default btn-sm" title="skip to content>" id="back-to-top"><i class="glyphicon glyphicon-chevron-up"></i></a>
<div class="text-center">
<p id="dw__license">
<div class="license">Except where otherwise noted, content on this wiki is licensed under the following license: <bdi><a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" rel="license" class="urlextern">CC Attribution-Noncommercial-Share Alike 3.0 Unported</a></bdi></div> </p>
</div>
</footer>
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1561840300" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
<span class="visible-md"></span>
<span class="visible-lg"></span>
</div>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>


@ -0,0 +1,103 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<title>applications:logo-jitsimeet.png [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="../lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="../lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->/>
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="jitsimeet.html"/>
<link rel="contents" href="jitsimeet.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='';var JSINFO = null;
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
<script type="text/javascript" src="/javascript/bootstrap/js/bootstrap.min.js"></script>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<![endif]-->
</head>
<body class="container">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__detail" class="dokuwiki mode_ tpl_bootstrap3 ">
<h1 class="page-header">
<i class="glyphicon glyphicon-picture"></i> applications:logo-jitsimeet.png </h1>
<div class="content">
<a href="logo-jitsimeet.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="215" height="70" class="img_detail" alt="logo-jitsimeet.png" title="logo-jitsimeet.png" src="logo-jitsimeet.c57b9842beb20cba1e840f922bc0767f.png"/></a>
<div class="img_detail">
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> logo-jitsimeet.png</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2019/06/03 16:28</dd><dt>Filename:</dt><dd>logo-jitsimeet.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>9KB</dd><dt>Width:</dt><dd>215</dd><dt>Height:</dt><dd>70</dd></dl> </div>
</div>
</div>
</div><!-- /.content -->
<p class="back">
<hr/>
<div class="btn-group">
<a href="jitsimeet.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:applications:jitsimeet [B]">Back to documentation:2.0:applications:jitsimeet</a> </div>
</p>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>


@ -0,0 +1,207 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:mattermost</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,mattermost"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="mattermost.html"/>
<link rel="contents" href="mattermost.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:mattermost","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuring_mattermost_team_edition">Configuring Mattermost Team Edition</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuring_your_web_server">Configuring your web server</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div></li>
<li class="level2"><div class="li"><a href="#troubleshooting">Troubleshooting</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="mattermost_team_edition">Mattermost Team Edition</h1>
<div class="level1">
<p>
<img src="mattermost_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Mattermost Team Edition" [1-88] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
Mattermost is a team-based instant messaging application.
</p>
<p>
See <a href="https://mattermost.com/" class="urlextern" title="https://mattermost.com/" rel="nofollow">the official Mattermost website</a> for a complete presentation.
</p>
<p>
Mattermost follows an Open Core development model. The freely available <a href="https://docs.mattermost.com/developer/manifesto.html" class="urlextern" title="https://docs.mattermost.com/developer/manifesto.html" rel="nofollow">Team edition</a> contains all the basic chat features, but lack the integration capabilities found in the <a href="https://mattermost.com/pricing/" class="urlextern" title="https://mattermost.com/pricing/" rel="nofollow">Enterprise edition</a>.
</p>
<p>
The Enterprise edition provides <a href="https://docs.mattermost.com/deployment/sso-saml.html" class="urlextern" title="https://docs.mattermost.com/deployment/sso-saml.html" rel="nofollow">SAML integration</a> out of the box, and you can configure it just like <a href="../idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">any other SAML service in LemonLDAP::NG</a>
</p>
<p>
The Team edition, however, only provides <abbr title="Single Sign On">SSO</abbr> integration with Gitlab.
</p>
<p>
However, it is possible to configure LemonLDAP::NG to behave exactly like a Gitlab Oauth2 server, allowing Mattermost Team Edition to be integrated with LemonLDAP::NG without having to use a <a href="gitlab.html" class="wikilink1" title="documentation:2.0:applications:gitlab">Gitlab</a> server.
</p>
<div class="notewarning">The following configuration requires your user database to expose a unique numeric identifier for every user.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [89-1191] -->
<h2 class="sectionedit3" id="configuring_mattermost_team_edition">Configuring Mattermost Team Edition</h2>
<div class="level2">
<p>
Configuring Mattermost through the <em>System Console</em> will not allow you to set the correct URLs. You need to edit the Mattermost configuration file, and avoid changing Gitlab integration settings in the <em>System Console</em>
</p>
<p>
Set the following settings in <code>/opt/mattermost/config/config.json</code>
</p>
<pre class="code"> &quot;GitLabSettings&quot;: {
&quot;Enable&quot;: true,
&quot;Secret&quot;: &quot;CHOOSE_A_CLIENT_SECRET&quot;,
&quot;Id&quot;: &quot;CHOOSE_A_CLIENT_ID&quot;,
&quot;Scope&quot;: &quot;&quot;,
&quot;AuthEndpoint&quot;: &quot;https://auth.example.com/oauth2/gitlab_authorize&quot;,
&quot;TokenEndpoint&quot;: &quot;https://auth.example.com/oauth2/token&quot;,
&quot;UserApiEndpoint&quot;: &quot;https://auth.example.com/oauth2/userinfo&quot;
},</pre>
</div>
<!-- EDIT3 SECTION "Configuring Mattermost Team Edition" [1192-1919] -->
<h3 class="sectionedit4" id="configuring_your_web_server">Configuring your web server</h3>
<div class="level3">
<p>
Mattermost does not use OpenID Connect to communicate with Gitlab, but uses plain OAuth2 instead. Because of that, LemonLDAP::NG will not receive the <code>scope=</code> parameter and will display an error on the portal when trying to authenticate.
</p>
<p>
In order to fix this, we can add a fake OAuth2 authorize <abbr title="Uniform Resource Locator">URL</abbr> on the LemonLDAP::NG server that will automatically add this <code>scope=</code> parametrer, before sending the request to the correct OIDC <abbr title="Uniform Resource Locator">URL</abbr>
</p>
<p>
Here is an example configuration for Nginx, add it in your Portal virtualhost before any other rewrite rule:
</p>
<pre class="code"> rewrite ^/oauth2/gitlab_(authorize.*)$ https://auth.example.com/oauth2/$1?scope=openid%20gitlab ;</pre>
<p>
And if you are using Apache
</p>
<pre class="code">RewriteRule &quot;^/oauth2/gitlab_authorize(.*)$&quot; &quot;https://auth.example.com/oauth2/authorize?$1scope=openid gitlab&quot; [QSA,NE]</pre>
</div>
<!-- EDIT4 SECTION "Configuring your web server" [1920-2789] -->
<h3 class="sectionedit5" id="configuring_lemonldap">Configuring LemonLDAP</h3>
<div class="level3">
<p>
We now have to configure LemonLDAP::NG to recognize Mattermost as a valid OAuth2 relaying party and send it the information it needs to recognize a user.
</p>
<p>
Add a <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect relaying party </a> with the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in Mattermost configuration</div>
</li>
<li class="level2"><div class="li"> <strong>Client Secret</strong>: the same you set in Mattermost configuration</div>
</li>
<li class="level2"><div class="li"> Add a new scope in “Extra claims”</div>
<ul>
<li class="level4"><div class="li"> <strong>Key</strong>: <code>gitlab</code></div>
</li>
<li class="level4"><div class="li"> <strong>Value</strong>: <code>id username name email</code></div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> Add the following exported attributes</div>
<ul>
<li class="level4"><div class="li"> <code>username</code>: set it to the session attribute containing the user login</div>
</li>
<li class="level4"><div class="li"> <code>name</code>: session attribute containing the user&#039;s full name</div>
</li>
<li class="level4"><div class="li"> <code>email</code>: session attribute containing the user&#039;s email</div>
</li>
<li class="level4"><div class="li"> <code>id</code>: session attribute containing the user&#039;s numeric ID</div>
</li>
</ul>
</li>
</ul>
<div class="notewarning">Mattermost absolutely needs to receive a numerical value in the <code>id</code> claim. If you are using a LDAP server, you could use the <code>uidNumber</code> LDAP attribute. If you use something else, you will have to find a trick to assign a unique numeric ID to each Mattermost user.
<p>
The <code>id</code> attribute has to be different for each user, since this is the field Mattermost will use internally to map Gitlab identities to Mattermost accouts.
</p>
</div>
</div>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [2790-4119] -->
<h3 class="sectionedit6" id="troubleshooting">Troubleshooting</h3>
<div class="level3">
<p>
If you see a HTTP code 500 when going back to mattermost, with a panic() in <code>(*GitLabUser).IsValid(...)</code> , it probably means that you are not exporting the correct attributes, but it can also mean that <code>id</code> is exported as a JSON string.
</p>
<p>
If this case, it can help to create a macro, for example <code>uidNumber_n</code>, with a value of <code>$uidNumber + 0</code> to force conversion to a numeric value. You must then export it as the <code>id</code> field in the Relaying Party configuration.
</p>
</div>
<!-- EDIT6 SECTION "Troubleshooting" [4120-] --></div>
</body>
</html>


@ -0,0 +1,159 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:wekan</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,applications,wekan"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="wekan.html"/>
<link rel="contents" href="wekan.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:wekan","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuring_wekan">Configuring Wekan</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#singlemail_macro">_singleMail Macro</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="wekan">Wekan</h1>
<div class="level1">
<p>
<img src="wekan-logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Wekan" [1-65] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
Wekan is an open-source Kanban, similar to trello.
</p>
<p>
See <a href="https://wekan.github.io/" class="urlextern" title="https://wekan.github.io/" rel="nofollow">the official Wekan website</a> for a complete presentation.
</p>
<p>
It feature an oauth2 login feature that work with LemonLDAP::NG
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [66-298] -->
<h2 class="sectionedit3" id="configuring_wekan">Configuring Wekan</h2>
<div class="level2">
<p>
Wekan is mostly configured with environement variables, you need to set theses :
</p>
<ul>
<li class="level1"><div class="li"> <strong>OAUTH2_ENABLED</strong>: <code>TRUE</code></div>
</li>
<li class="level2"><div class="li"> <strong>OAUTH2_CLIENT_ID</strong>: <code>ClientID</code></div>
</li>
<li class="level2"><div class="li"> <strong>OAUTH2_SECRET</strong>: <code>Secret</code></div>
</li>
<li class="level2"><div class="li"> <strong>OAUTH2_SERVER_<abbr title="Uniform Resource Locator">URL</abbr></strong>: <code><a href="https://auth.example.com/" class="urlextern" title="https://auth.example.com/" rel="nofollow">https://auth.example.com/</a></code></div>
</li>
<li class="level2"><div class="li"> <strong>OAUTH2_AUTH_ENDPOINT</strong>: <code>oauth2/authorize</code></div>
</li>
<li class="level2"><div class="li"> <strong>OAUTH2_USERINFO_ENDPOINT</strong>: <code>oauth2/userinfo</code></div>
</li>
<li class="level2"><div class="li"> <strong>OAUTH2_TOKEN_ENDPOINT</strong>: <code>oauth2/token</code></div>
</li>
<li class="level2"><div class="li"> <strong>OAUTH2_ID_MAP</strong>: <code>sub</code></div>
</li>
</ul>
<div class="notewarning">Be careful to the / in server_url and endpoints, the complete <abbr title="Uniform Resource Locator">URL</abbr> need to be valid, ie auth.example.com/ for url &amp; oauth2/xxx for endpoints, OR, auth.example.com &amp; /oauth2/xxx for endpoints.
</div>
</div>
<!-- EDIT3 SECTION "Configuring Wekan" [299-990] -->
<h3 class="sectionedit4" id="configuring_lemonldap">Configuring LemonLDAP</h3>
<div class="level3">
<p>
We now have to configure LemonLDAP::NG to recognize Wekan as a valid OAuth2 relaying party and send it the information it needs to recognize a user.
</p>
<p>
Add a <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect relaying party </a> with the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in Wekan configuration (same as OAUTH2_CLIENT_ID)</div>
</li>
<li class="level2"><div class="li"> <strong>Client Secret</strong>: the same you set in Wekan configuration (same as OAUTH2_SECRET)</div>
</li>
<li class="level2"><div class="li"> Add the following exported attributes</div>
<ul>
<li class="level4"><div class="li"> <code>name</code>: session attribute containing the user&#039;s full name</div>
</li>
<li class="level4"><div class="li"> <code>email</code>: session attribute containing the user&#039;s email or _singleMail</div>
</li>
</ul>
</li>
</ul>
</div>
<h4 id="singlemail_macro">_singleMail Macro</h4>
<div class="level4">
<div class="notewarning">OIDC login fails when an user as a multi-valued email attribute, this need to be fixed on wekan&#039;s side, we can bypass that by telling lemonldap to only send one email
</div>
<p>
Create a new macro, name it (_singleMail is an example), the macro should contain <code>(split(/; /,$mail))[1]</code>
</p>
</div>
<!-- EDIT4 SECTION "Configuring LemonLDAP" [991-] --></div>
</body>
</html>


@ -69,7 +69,9 @@
<li class="level2"><div class="li"><a href="#federation_protocols">Federation protocols</a></div></li>
<li class="level2"><div class="li"><a href="#authapache_authentication">Auth::Apache authentication</a></div></li>
<li class="level2"><div class="li"><a href="#ssl_authentication">SSL authentication</a></div></li>
</ul></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#migrating_from_multi">Migrating from Multi</a></div></li>
</ul>
</div>
</div>
@ -375,6 +377,28 @@ To chain SSL, you have to set “SSLRequire optional” in Apache configuration,
</p>
</div>
<!-- EDIT17 SECTION "SSL authentication" [6578-] --></div>
<!-- EDIT17 SECTION "SSL authentication" [6578-6731] -->
<h2 class="sectionedit18" id="migrating_from_multi">Migrating from Multi</h2>
<div class="level2">
<p>
Old <a href="documentation/1.9/authmulti.html" class="wikilink1" title="documentation:1.9:authmulti">Multiple backends stack</a> implemented only `if` and `or` keywords. Examples:
</p>
<div class="table sectionedit19"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Multi expressions </th><th class="col1 centeralign"> Combination </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <code>LDAP;<abbr title="Database Interface">DBI</abbr></code> </td><td class="col1 centeralign"> <code>[myLDAP] or [myDBI]</code> </td>
</tr>
<tr class="row2 roweven">
<td class="col0 centeralign"> <code><abbr title="Database Interface">DBI</abbr> $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/</code> </td><td class="col1 centeralign"> <code>if $env-&gt;{REMOTE_ADDR} then [myDBI] else [myLDAP]</code> </td>
</tr>
</table></div>
<!-- EDIT19 TABLE [6878-7093] -->
</div>
<!-- EDIT18 SECTION "Migrating from Multi" [6732-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authssl</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authssl"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authssl.html"/>
@ -213,7 +213,8 @@ You must also export SSL_CLIENT_S_<abbr title="Distinguished Name">DN</abbr>_CN
<pre class="code file nginx"># map directive must be in http context
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default &quot;&quot;;
~/CN=(?&lt;CN&gt;[^/]+) $CN;
~/CN=(?&lt;CN&gt;[^/]+) $CN; # prior Nginx 1.11.6
#~,CN=(?&lt;CN&gt;[^,]+) $CN; # Nginx &gt;= 1.11.6
}
fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;</pre>
@ -254,9 +255,13 @@ fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;</pre>
add_header Strict-Transport-Security &quot;max-age=15768000&quot;;
}
}</pre>
<div class="noteimportant">Nginx 1.11.6 change: format of the $ssl_client_s_dn and $ssl_client_i_dn variables
has been changed to follow <abbr title="Request for Comments">RFC</abbr> 2253 (<abbr title="Request for Comments">RFC</abbr> 4514); values in the old format are available
in the $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables.
</div>
<!-- EDIT6 SECTION "With Nginx" [2685-4320] -->
</div>
<!-- EDIT6 SECTION "With Nginx" [2685-4659] -->
<h3 class="sectionedit7" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</h3>
<div class="level3">
@ -276,7 +281,7 @@ Then, go in <code>SSL parameters</code>:
</ul>
</div>
<!-- EDIT7 SECTION "Configuration of LemonLDAP::NG" [4321-4746] -->
<!-- EDIT7 SECTION "Configuration of LemonLDAP::NG" [4660-5085] -->
<h3 class="sectionedit8" id="auto_reloading_ssl_certificates">Auto reloading SSL Certificates</h3>
<div class="level3">
@ -384,7 +389,7 @@ $('.enteteBouton').click( function (e) {
<div class="notewarning">It is incompatible with authentication combination because of Apache parameter “SSLVerifyClient”, which must have the value “require”. To enable SSL with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>, use <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a>
</div>
</div>
<!-- EDIT8 SECTION "Auto reloading SSL Certificates" [4747-8010] -->
<!-- EDIT8 SECTION "Auto reloading SSL Certificates" [5086-8349] -->
<h2 class="sectionedit9" id="ssl_by_ajax">SSL by Ajax</h2>
<div class="level2">
@ -427,6 +432,6 @@ and set :
</div>
</div>
<!-- EDIT9 SECTION "SSL by Ajax" [8011-] --></div>
<!-- EDIT9 SECTION "SSL by Ajax" [8350-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:browseablesessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,browseablesessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="browseablesessionbackend.html"/>
@ -151,10 +151,10 @@ You then just have to add the <code>Index</code> parameter in <code>General par
<!-- EDIT4 SECTION "Browseable NoSQL" [1754-2199] -->
<h2 class="sectionedit6" id="browseable_sql">Browseable SQL</h2>
<div class="level2">
<div class="noteclassic">This documentation concerns PostgreSQL. Some adaptations are needed with other databases.
<div class="noteclassic">This documentation concerns PostgreSQL. Some adaptations are needed with other databases. When using Apache::Session::Browseable::Postgres, it is strongly recommended to use version 1.3.1 at least. See <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732" rel="nofollow">bug 1732</a>.
</div>
</div>
<!-- EDIT6 SECTION "Browseable SQL" [2200-2331] -->
<!-- EDIT6 SECTION "Browseable SQL" [2200-2518] -->
<h3 class="sectionedit7" id="prepare_database">Prepare database</h3>
<div class="level3">
@ -173,13 +173,14 @@ Database must be prepared exactly like in <a href="sqlsessionbackend.html#prepar
_whatToTrace text,
_session_kind text,
_utime bigint,
user text,
_httpSessionType text,
ipAddr text
);
CREATE INDEX uid1 ON sessions USING BTREE (_whatToTrace);
CREATE INDEX uid1 ON sessions USING BTREE (_whatToTrace text_pattern_ops);
CREATE INDEX s1 ON sessions (_session_kind);
CREATE INDEX u1 ON sessions (_utime);
CREATE INDEX ip1 ON sessions USING BTREE (ipAddr);</pre>
CREATE INDEX ip1 ON sessions USING BTREE (ipAddr);
CREATE INDEX h1 ON sessions (_httpSessionType);</pre>
<div class="noteimportant">For Session Explorer and one-off sessions, it is recommended to use BTREE or any index method that indexes partial content.
</div>
<p>
@ -188,7 +189,7 @@ CREATE INDEX ip1 ON sessions USING BTREE (ipAddr);</pre>
<div class="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don&#039;t need to declare indexes in <code>CREATE TABLE</code> since “json” and “hstore” type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
</div>
</div>
<!-- EDIT7 SECTION "Prepare database" [2332-3966] -->
<!-- EDIT7 SECTION "Prepare database" [2519-4234] -->
<h3 class="sectionedit8" id="manager">Manager</h3>
<div class="level3">
@ -205,7 +206,7 @@ Go in the Manager and set the session module (<a href="https://metacpan.org/pod/
</tr>
</thead>
<tr class="row2 roweven">
<td class="col0 centeralign"> <strong>DataSource</strong> </td><td class="col1"> The <a href="https://metacpan.org/pod/DBI" class="urlextern" title="https://metacpan.org/pod/DBI" rel="nofollow">DBI</a> string </td><td class="col2"> dbi:Pg:database=sessions </td>
<td class="col0 centeralign"> <strong>DataSource</strong> </td><td class="col1"> The <a href="https://metacpan.org/pod/DBI" class="urlextern" title="https://metacpan.org/pod/DBI" rel="nofollow">DBI</a> string </td><td class="col2"> dbi:Pg:database=lemonldap-ng </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> <strong>UserName</strong> </td><td class="col1"> The database username </td><td class="col2"> lemonldapng </td>
@ -214,17 +215,20 @@ Go in the Manager and set the session module (<a href="https://metacpan.org/pod/
<td class="col0 centeralign"> <strong>Password</strong> </td><td class="col1"> The database password </td><td class="col2"> mysuperpassword </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr _session_kind _utime </td>
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr _session_kind _utime _httpSessionType </td>
</tr>
<tr class="row6 roweven">
<td class="col0 centeralign"> <strong>TableName</strong> </td><td class="col1"> Table name (optional) </td><td class="col2"> sessions </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [4289-4634] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<!-- EDIT9 TABLE [4557-4978] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<p>
For databases like PostgreSQL, don&#039;t forget to add “Commit” with a value of 1
</p>
</div>
</div>
<!-- EDIT8 SECTION "Manager" [3967-4813] -->
<!-- EDIT8 SECTION "Manager" [4235-5157] -->
<h2 class="sectionedit10" id="browseable_ldap">Browseable LDAP</h2>
<div class="level2">
@ -278,9 +282,9 @@ You need to add the <code>Index</code> field and can also configure the <code>ld
<td class="col0 centeralign"> <strong>ldapAttributeIndex</strong> </td><td class="col1"> Attribute storing index </td><td class="col2"> ou </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [5165-5899] -->
<!-- EDIT11 TABLE [5509-6243] -->
</div>
<!-- EDIT10 SECTION "Browseable LDAP" [4814-5900] -->
<!-- EDIT10 SECTION "Browseable LDAP" [5158-6244] -->
<h2 class="sectionedit12" id="security">Security</h2>
<div class="level2">
@ -293,7 +297,7 @@ You can also use different user/password for your servers by overriding paramete
</p>
</div>
<!-- EDIT12 SECTION "Security" [5901-6120] -->
<!-- EDIT12 SECTION "Security" [6245-6464] -->
<h2 class="sectionedit13" id="performances">Performances</h2>
<div class="level2">
@ -310,13 +314,14 @@ Here are some recommended configurations:
_whatToTrace text,
_session_kind text,
_utime bigint,
user text,
ipAddr varchar(64)
_httpSessionType text,
ipAddr text
);
CREATE INDEX uid1 ON sessions USING BTREE (_whatToTrace text_pattern_ops);
CREATE INDEX _s1 ON sessions (_session_kind);
CREATE INDEX _u1 ON sessions (_utime);
CREATE INDEX ip1 ON sessions USING BTREE (ipAddr)</pre>
CREATE INDEX s1 ON sessions (_session_kind);
CREATE INDEX u1 ON sessions (_utime);
CREATE INDEX ip1 ON sessions USING BTREE (ipAddr);
CREATE INDEX h1 ON sessions (_httpSessionType);</pre>
<p>
<strong>Browseable::MySQL</strong>:
@ -335,6 +340,6 @@ CREATE INDEX _u1 ON sessions (_utime);
CREATE INDEX ip1 ON sessions (ipAddr) USING BTREE;</pre>
</div>
<!-- EDIT13 SECTION "Performances" [6121-] --></div>
<!-- EDIT13 SECTION "Performances" [6465-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:cli_examples</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,cli_examples"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="cli_examples.html"/>
@ -49,6 +49,7 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#saverestore_configuration">Save/restore configuration</a></div></li>
<li class="level1"><div class="li"><a href="#configure_https">Configure HTTPS</a></div></li>
<li class="level1"><div class="li"><a href="#configure_sessions_backend">Configure sessions backend</a></div></li>
<li class="level1"><div class="li"><a href="#configure_virtual_host">Configure virtual host</a></div></li>
@ -58,6 +59,7 @@
<li class="level1"><div class="li"><a href="#configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</a></div></li>
<li class="level1"><div class="li"><a href="#register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</a></div></li>
<li class="level1"><div class="li"><a href="#categories_and_applications_in_menu">Categories and applications in menu</a></div></li>
<li class="level1"><div class="li"><a href="#encryption_key">Encryption key</a></div></li>
</ul>
</div>
</div>
@ -72,17 +74,44 @@ This page shows some examples of <abbr title="LemonLDAP::NG">LL::NG</abbr> Comma
</div>
<!-- EDIT1 SECTION "Command Line Interface (lemonldap-ng-cli) examples" [1-205] -->
<h2 class="sectionedit2" id="configure_https">Configure HTTPS</h2>
<h2 class="sectionedit2" id="saverestore_configuration">Save/restore configuration</h2>
<div class="level2">
<p>
This part requires LLNG 2.0.5 at least.
</p>
<p>
Save:
</p>
<pre class="code sh">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli save &gt;config.json</pre>
<p>
Restore:
</p>
<pre class="code shell">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore config.json
# Or
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - &lt;config.json</pre>
</div>
<!-- EDIT2 SECTION "Save/restore configuration" [206-543] -->
<h2 class="sectionedit3" id="configure_https">Configure HTTPS</h2>
<div class="level2">
<p>
When setting HTTPS, you first need to modify Apache/Nginx configuration, then you must configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to change portal <abbr title="Uniform Resource Locator">URL</abbr>, Handler redirections, cookie settings, ...
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portal https://auth.example.com https 1 securedCookie 1</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
portal https://auth.example.com \
mailUrl https://auth.example.com/resetpwd \
registerUrl https://auth.example.com/register \
https 1 \
securedCookie 1</pre>
</div>
<!-- EDIT2 SECTION "Configure HTTPS" [206-532] -->
<h2 class="sectionedit3" id="configure_sessions_backend">Configure sessions backend</h2>
<!-- EDIT3 SECTION "Configure HTTPS" [544-1014] -->
<h2 class="sectionedit4" id="configure_sessions_backend">Configure sessions backend</h2>
<div class="level2">
<p>
@ -108,38 +137,96 @@ In this example we have:
<li class="level1"><div class="li"> <abbr title="Single Sign On">SSO</abbr> sessions:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey globalStorageOptions Directory globalStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set globalStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey globalStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; globalStorageOptions UserName &#039;lemonldaplogin&#039; globalStorageOptions Password &#039;lemonldappw&#039; globalStorageOptions Commit 1 globalStorageOptions Index &#039;ipAddr _whatToTrace user&#039; globalStorageOptions TableName &#039;sessions&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
delKey \
globalStorageOptions Directory \
globalStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
globalStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
globalStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; \
globalStorageOptions UserName &#039;lemonldaplogin&#039; \
globalStorageOptions Password &#039;lemonldappw&#039; \
globalStorageOptions Commit 1 \
globalStorageOptions Index &#039;ipAddr _whatToTrace user&#039; \
globalStorageOptions TableName &#039;sessions&#039;
</pre>
<ul>
<li class="level1"><div class="li"> Persistent sessions:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey persistentStorageOptions Directory persistentStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set persistentStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey persistentStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; persistentStorageOptions UserName &#039;lemonldaplogin&#039; persistentStorageOptions Password &#039;lemonldappw&#039; persistentStorageOptions Commit 1 persistentStorageOptions Index &#039;_session_uid&#039; persistentStorageOptions TableName &#039;psessions&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
delKey \
persistentStorageOptions Directory \
persistentStorageOptions LockDirectory
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
persistentStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
persistentStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; \
persistentStorageOptions UserName &#039;lemonldaplogin&#039; \
persistentStorageOptions Password &#039;lemonldappw&#039; \
persistentStorageOptions Commit 1 \
persistentStorageOptions Index &#039;_session_uid&#039; \
persistentStorageOptions TableName &#039;psessions&#039;</pre>
<ul>
<li class="level1"><div class="li"> <abbr title="Central Authentication Service">CAS</abbr> sessions</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set casStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey casStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; casStorageOptions UserName &#039;lemonldaplogin&#039; casStorageOptions Password &#039;lemonldappw&#039; casStorageOptions Commit 1 casStorageOptions Index &#039;_cas_id&#039; casStorageOptions TableName &#039;cassessions&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
casStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
casStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; \
casStorageOptions UserName &#039;lemonldaplogin&#039; \
casStorageOptions Password &#039;lemonldappw&#039; \
casStorageOptions Commit 1 \
casStorageOptions Index &#039;_cas_id&#039; \
casStorageOptions TableName &#039;cassessions&#039;</pre>
<ul>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> sessions</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; samlStorageOptions UserName &#039;lemonldaplogin&#039; samlStorageOptions Password &#039;lemonldappw&#039; samlStorageOptions Commit 1 samlStorageOptions Index &#039;_saml_id ProxyID _nameID _assert_id _art_id _session_id&#039; samlStorageOptions TableName &#039;samlsessions&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
samlStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
samlStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; \
samlStorageOptions UserName &#039;lemonldaplogin&#039; \
samlStorageOptions Password &#039;lemonldappw&#039; \
samlStorageOptions Commit 1 \
samlStorageOptions Index &#039;_saml_id ProxyID _nameID _assert_id _art_id _session_id&#039; \
samlStorageOptions TableName &#039;samlsessions&#039;</pre>
<ul>
<li class="level1"><div class="li"> OpenID Connect sessions</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; oidcStorageOptions UserName &#039;lemonldaplogin&#039; oidcStorageOptions Password &#039;lemonldappw&#039; oidcStorageOptions Commit 1 oidcStorageOptions TableName &#039;oidcsessions&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
oidcStorage Apache::Session::Browseable::Postgres
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcStorageOptions DataSource &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039; \
oidcStorageOptions UserName &#039;lemonldaplogin&#039; \
oidcStorageOptions Password &#039;lemonldappw&#039; \
oidcStorageOptions Commit 1 \
oidcStorageOptions TableName &#039;oidcsessions&#039;</pre>
</div>
<!-- EDIT3 SECTION "Configure sessions backend" [533-3673] -->
<h2 class="sectionedit4" id="configure_virtual_host">Configure virtual host</h2>
<!-- EDIT4 SECTION "Configure sessions backend" [1015-4603] -->
<h2 class="sectionedit5" id="configure_virtual_host">Configure virtual host</h2>
<div class="level2">
<p>
@ -169,11 +256,16 @@ In this example we have:
</ul>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey &#039;locationRules/test.example.com&#039; &#039;default&#039; &#039;accept&#039; &#039;locationRules/test.example.com&#039; &#039;(?#Logout)^/logout\.php&#039; &#039;logout_sso&#039; &#039;exportedHeaders/test.example.com&#039; &#039;Auth-User&#039; &#039;$uid&#039; &#039;exportedHeaders/test.example.com&#039; &#039;Auth-Mail&#039; &#039;$mail&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
&#039;locationRules/test.example.com&#039; &#039;default&#039; &#039;accept&#039; \
&#039;locationRules/test.example.com&#039; &#039;(?#Logout)^/logout\.php&#039; &#039;logout_sso&#039; \
&#039;exportedHeaders/test.example.com&#039; &#039;Auth-User&#039; &#039;$uid&#039; \
&#039;exportedHeaders/test.example.com&#039; &#039;Auth-Mail&#039; &#039;$mail&#039;</pre>
</div>
<!-- EDIT4 SECTION "Configure virtual host" [3674-4328] -->
<h2 class="sectionedit5" id="configure_ldap_authentication_backend">Configure LDAP authentication backend</h2>
<!-- EDIT5 SECTION "Configure virtual host" [4604-5304] -->
<h2 class="sectionedit6" id="configure_ldap_authentication_backend">Configure LDAP authentication backend</h2>
<div class="level2">
<p>
@ -209,40 +301,72 @@ In this example we use:
<li class="level1"><div class="li"> Use recursive search for groups</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set authentication LDAP userDB LDAP passwordDB LDAP ldapServer &#039;ldap://ldap.example.com&#039; managerDn &#039;cn=lemonldapng,ou=dsa,dc=example,dc=com&#039; managerPassword &#039;changeit&#039; ldapBase &#039;ou=users,dc=example,dc=com&#039;
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey ldapExportedVars uid uid ldapExportedVars cn cn ldapExportedVars sn sn ldapExportedVars mobile mobile ldapExportedVars mail mail ldapExportedVars givenName givenName
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set ldapGroupBase &#039;ou=groups,dc=example,dc=com&#039; ldapGroupObjectClass groupOfNames ldapGroupAttributeName member ldapGroupAttributeNameGroup dn ldapGroupAttributeNameSearch cn ldapGroupAttributeNameUser dn ldapGroupRecursive 1</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
authentication LDAP \
userDB LDAP \
passwordDB LDAP \
ldapServer &#039;ldap://ldap.example.com&#039; \
managerDn &#039;cn=lemonldapng,ou=dsa,dc=example,dc=com&#039; \
managerPassword &#039;changeit&#039; \
ldapBase &#039;ou=users,dc=example,dc=com&#039;
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
ldapExportedVars uid uid \
ldapExportedVars cn cn \
ldapExportedVars sn sn \
ldapExportedVars mobile mobile \
ldapExportedVars mail mail \
ldapExportedVars givenName givenName
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
ldapGroupBase &#039;ou=groups,dc=example,dc=com&#039; \
ldapGroupObjectClass groupOfNames \
ldapGroupAttributeName member \
ldapGroupAttributeNameGroup dn \
ldapGroupAttributeNameSearch cn \
ldapGroupAttributeNameUser dn \
ldapGroupRecursive 1</pre>
</div>
<!-- EDIT5 SECTION "Configure LDAP authentication backend" [4329-5582] -->
<h2 class="sectionedit6" id="configure_saml_identity_provider">Configure SAML Identity Provider</h2>
<!-- EDIT6 SECTION "Configure LDAP authentication backend" [5305-6778] -->
<h2 class="sectionedit7" id="configure_saml_identity_provider">Configure SAML Identity Provider</h2>
<div class="level2">
<p>
Activate the <abbr title="Security Assertion Markup Language">SAML</abbr> Issuer:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBSAMLActivation 1</pre>
<p>
You can then generate a private key and a self-signed certificate with these commands;
</p>
<pre class="code">openssl genrsa -out saml.key 4096
openssl req -new -key saml.key -out saml.csr
openssl x509 -req -days 3650 -in saml.csr -signkey saml.key -out saml.pem</pre>
<pre class="code">openssl req -new -newkey rsa:4096 -keyout saml.key -nodes -out saml.pem -x509 -days 3650</pre>
<p>
Import them in configuration:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlServicePrivateKeySig &quot;`cat saml.key`&quot; samlServicePublicKeySig &quot;`cat saml.pem`&quot;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
samlServicePrivateKeySig &quot;`cat saml.key`&quot; \
samlServicePublicKeySig &quot;`cat saml.pem`&quot;</pre>
<p>
Activate the <abbr title="Security Assertion Markup Language">SAML</abbr> Issuer:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
issuerDBSAMLActivation 1</pre>
<p>
You can also define organization name and <abbr title="Uniform Resource Locator">URL</abbr> for <abbr title="Security Assertion Markup Language">SAML</abbr> metadata:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set samlOrganizationName &#039;ACME&#039; samlOrganizationDisplayName &#039;ACME Corporation&#039; samlOrganizationURL &#039;http://www.acme.com&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
samlOrganizationName &#039;ACME&#039; \
samlOrganizationDisplayName &#039;ACME Corporation&#039; \
samlOrganizationURL &#039;http://www.acme.com&#039;</pre>
</div>
<!-- EDIT6 SECTION "Configure SAML Identity Provider" [5583-6446] -->
<h2 class="sectionedit7" id="register_an_saml_service_provider">Register an SAML Service Provider</h2>
<!-- EDIT7 SECTION "Configure SAML Identity Provider" [6779-7657] -->
<h2 class="sectionedit8" id="register_an_saml_service_provider">Register an SAML Service Provider</h2>
<div class="level2">
<p>
@ -256,17 +380,23 @@ In this example we have:
<li class="level1"><div class="li"> SP exported attribute: EmailAdress (filled with mail session key)</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey samlSPMetaDataXML/testsp samlSPMetaDataXML &quot;`cat metadata-testsp.xml`&quot; samlSPMetaDataExportedAttributes/testsp mail &#039;1;EmailAddress&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
samlSPMetaDataXML/testsp samlSPMetaDataXML &quot;`cat metadata-testsp.xml`&quot; \
samlSPMetaDataExportedAttributes/testsp mail &#039;1;EmailAddress&#039;</pre>
</div>
<!-- EDIT7 SECTION "Register an SAML Service Provider" [6447-6873] -->
<h2 class="sectionedit8" id="configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</h2>
<!-- EDIT8 SECTION "Register an SAML Service Provider" [7658-8110] -->
<h2 class="sectionedit9" id="configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</h2>
<div class="level2">
<p>
Activate the OpenID Connect Issuer and set issuer name (equal to portal <abbr title="Uniform Resource Locator">URL</abbr>):
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set issuerDBOpenIDConnectActivation 1 oidcServiceMetaDataIssuer http://auth.example.com</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
issuerDBOpenIDConnectActivation 1 \
oidcServiceMetaDataIssuer http://auth.example.com</pre>
<p>
Generate keys:
@ -277,16 +407,23 @@ openssl rsa -pubout -in oidc.key -out oidc_pub.key</pre>
<p>
Import them:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServicePrivateKeySig &quot;`cat oidc.key`&quot; oidcServicePublicKeySig &quot;`cat oidc_pub.key`&quot; oidcServiceKeyIdSig &quot;`genpasswd`&quot;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
oidcServicePrivateKeySig &quot;`cat oidc.key`&quot; \
oidcServicePublicKeySig &quot;`cat oidc_pub.key`&quot; \
oidcServiceKeyIdSig &quot;`genpasswd`&quot;</pre>
<p>
If needed you can allow implicit and hybrid flows:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set oidcServiceAllowImplicitFlow 1 oidcServiceAllowHybridFlow 1</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
oidcServiceAllowImplicitFlow 1 \
oidcServiceAllowHybridFlow 1</pre>
</div>
<!-- EDIT8 SECTION "Configure OpenID Connect Identity Provider" [6874-7669] -->
<h2 class="sectionedit9" id="register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</h2>
<!-- EDIT9 SECTION "Configure OpenID Connect Identity Provider" [8111-8994] -->
<h2 class="sectionedit10" id="register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</h2>
<div class="level2">
<p>
@ -322,47 +459,75 @@ In this example we have:
<li class="level1"><div class="li"> Exported attributes:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataExportedVars/testrp email mail oidcRPMetaDataExportedVars/testrp family_name sn oidcRPMetaDataExportedVars/testrp name cn</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataExportedVars/testrp email mail \
oidcRPMetaDataExportedVars/testrp family_name sn \
oidcRPMetaDataExportedVars/testrp name cn</pre>
<ul>
<li class="level1"><div class="li"> Credentials:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID testclientid oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret testclientsecret</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientID testclientid \
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsClientSecret testclientsecret</pre>
<ul>
<li class="level1"><div class="li"> Redirection:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris &#039;https://testrp.example.com/?callback=1&#039; oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris &#039;https://testrp.example.com/&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris &#039;https://testrp.example.com/?callback=1&#039; \
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris &#039;https://testrp.example.com/&#039;</pre>
<ul>
<li class="level1"><div class="li"> Signature and token expiration:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 \
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
</div>
<!-- EDIT9 SECTION "Register an OpenID Connect Relying Party" [7670-9177] -->
<h2 class="sectionedit10" id="categories_and_applications_in_menu">Categories and applications in menu</h2>
<!-- EDIT10 SECTION "Register an OpenID Connect Relying Party" [8995-10626] -->
<h2 class="sectionedit11" id="categories_and_applications_in_menu">Categories and applications in menu</h2>
<div class="level2">
<p>
Create the category “applications”:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey \
applicationList/applications type category \
applicationList/applications catname Applications</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
applicationList/applications type category \
applicationList/applications catname Applications</pre>
<p>
Create the application “sample” inside category “applications”:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey \
applicationList/applications/sample type application \
applicationList/applications/sample/options description &quot;A sample application&quot; \
applicationList/applications/sample/options display &quot;auto&quot; \
applicationList/icons/kmultiple.png&quot; \
applicationList/applications/sample/options name &quot;Sample application&quot; \
applicationList/applications/sample/options uri &quot;https://sample.example.com/&quot;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
applicationList/applications/sample type application \
applicationList/applications/sample/options description &quot;A sample application&quot; \
applicationList/applications/sample/options display &quot;auto&quot; \
applicationList/icons/kmultiple.png&quot; \
applicationList/applications/sample/options name &quot;Sample application&quot; \
applicationList/applications/sample/options uri &quot;https://sample.example.com/&quot;</pre>
</div>
<!-- EDIT10 SECTION "Categories and applications in menu" [9178-] --></div>
<!-- EDIT11 SECTION "Categories and applications in menu" [10627-11508] -->
<h2 class="sectionedit12" id="encryption_key">Encryption key</h2>
<div class="level2">
<p>
To update the master encryption key:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
key &#039;xxxxxxxxxxxxxxx&#039;</pre>
</div>
<!-- EDIT12 SECTION "Encryption key" [11509-] --></div>
</body>
</html>


@ -397,9 +397,18 @@ A virtual host contains:
<p>
See <strong><a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Writing rules and headers</a></strong> to learn how to configure access control and HTTP headers sent to application by <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
<div class="noteimportant">With <strong>Nginx</strong>-based ReverseProxy, headers directives can be appended by a LUA script.
<p>
To send more than <strong>TEN</strong> headers to protected applications, you have to edit and modify :
</p>
<p>
<code>/etc/nginx/nginx-lua-headers.conf</code>
</p>
</div>
<!-- EDIT10 SECTION "Access rules and HTTP headers" [8534-8726] -->
</div>
<!-- EDIT10 SECTION "Access rules and HTTP headers" [8534-8968] -->
<h3 class="sectionedit11" id="post_data">POST data</h3>
<div class="level3">
@ -408,7 +417,7 @@ See <strong><a href="formreplay.html" class="wikilink1" title="documentation:2.0
</p>
</div>
<!-- EDIT11 SECTION "POST data" [8727-8861] -->
<!-- EDIT11 SECTION "POST data" [8969-9103] -->
<h3 class="sectionedit12" id="options">Options</h3>
<div class="level3">
@ -428,13 +437,17 @@ Some options are available:
</li>
<li class="level1"><div class="li"> Authentication level required: this options avoid to reject user with a rule based on <code>$_authenticationLevel</code>. When user hasn&#039;t the required level, he is redirected to an upgrade page in the portal</div>
</li>
<li class="level1"><div class="li"> ServiceToken timeout: The Service Token is only available during 30 seconds by default. This TTL can be customized for each virtual host.</div>
</li>
</ul>
<div class="noteimportant">A neagative or null ServiceToken timeout value will be overloaded by <code>handlerServiceTokenTTL</code> (30 seconds by default).
</div>
<p>
“Port” and “HTTPS” options are used to build redirection <abbr title="Uniform Resource Locator">URL</abbr> <em>(when user is not logged, or for <abbr title="Cross Domain Authentication">CDA</abbr> requests)</em>. By default, default values are used. These options are only here to override default values.
</p>
</div>
<!-- EDIT12 SECTION "Options" [8862-] --></div>
<!-- EDIT12 SECTION "Options" [9104-] --></div>
</body>
</html>


@ -120,6 +120,9 @@ aptitude install libauth-yubikey-webclient-perl libnet-smtp-server-perl
cpanm Authen::U2F Authen::U2F::Tester Crypt::U2F::Server::Simple
curl -sL https://deb.nodesource.com/setup_9.x | bash -
apt-get install -y nodejs
npm install -g protractor # end-2-end tests
webdriver-manager update # install/update selenium driver</pre>
@ -139,7 +142,7 @@ git config --global color.ui true
git config --list</pre>
</div>
<!-- EDIT3 SECTION "Install basic tools" [448-1151] -->
<!-- EDIT3 SECTION "Install basic tools" [448-1239] -->
<h3 class="sectionedit4" id="import_project_and_using_git">Import Project and using Git</h3>
<div class="level3">
@ -162,9 +165,8 @@ git fetch upstream</pre>
<em>on linux station :</em>
</p>
<pre class="code">git checkout v2.0
git fetch upstream --all
git rebase upstream/v2.0 # to align to parent project remote branch
git push # to push to working remote branch</pre>
git fetch upstream
git rebase upstream/v2.0 # to align to parent project remote branch</pre>
<p>
<em>on gitlab, create working branch, one per thematic</em>
@ -177,14 +179,14 @@ git commit -am &quot;explanations (#number gitlab ticket)&quot;
git commit --amend file(s) # to modify a commit
git rebase v2.0 # align local working branch to local 2.0
git checkout -- file(s) # revert
git push # to send on remote working branch</pre>
git push # to send on remote working branch ! Only after doing some commits !</pre>
<p>
On gitlab, submit merge request when tests are corrects.
</p>
</div>
<!-- EDIT4 SECTION "Import Project and using Git" [1152-2220] -->
<!-- EDIT4 SECTION "Import Project and using Git" [1240-2290] -->
<h2 class="sectionedit5" id="install_dependencies">Install dependencies</h2>
<div class="level2">
<pre class="code">aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl
@ -198,10 +200,16 @@ aptitude install perltidy</pre>
<pre class="code">aptitude install liblasso-perl libglib-perl </pre>
</div>
<!-- EDIT5 SECTION "Install dependencies" [2221-3121] -->
<!-- EDIT5 SECTION "Install dependencies" [2291-3191] -->
<h2 class="sectionedit6" id="working_project">Working Project</h2>
<div class="level2">
<pre class="code">make test # or manager_test, portal_test, ... to launch unit tests
# Doing one unit test :
## Go to parent test directory
cd ~/lemonldap-ng/lemonldap-ng-portal
## and execute the test :
prove -v t/67-CheckUser.t
# Using local platform :
make start_web_server # TESTUSESSL=1 to enable SSL engine (only available for Apache)
make start_web_server TESTWEBSERVER=nginx # to use Nginx web server
make stop_web_server
@ -214,6 +222,6 @@ make tidy # to magnify perl files (perl best pratices)
cd lemonldap-ng-portal &amp;&amp; prove t/XXXX # To launch specific unit test</pre>
</div>
<!-- EDIT6 SECTION "Working Project" [3122-] --></div>
<!-- EDIT6 SECTION "Working Project" [3192-] --></div>
</body>
</html>


@ -49,10 +49,11 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#implementation">Implementation</a></div></li>
<li class="level1"><div class="li"><a href="#write_custom_functions_library">Write custom functions library</a></div></li>
<li class="level1"><div class="li"><a href="#import_custom_functions_in_lemonldapng">Import custom functions in LemonLDAP::NG</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#declare_module_in_handler_server">Declare module in handler server</a></div>
<li class="level2"><div class="li"><a href="#load_relevant_code_in_handler_server">Load relevant code in handler server</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#new_method">New method</a></div></li>
<li class="level3"><div class="li"><a href="#old_method">Old method</a></div></li>
@ -71,18 +72,41 @@
<div class="level1">
<p>
Custom functions allow one to extend <abbr title="LemonLDAP::NG">LL::NG</abbr>, they can be used in <a href="writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">headers</a>, <a href="writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rules</a> or <a href="formreplay.html" class="wikilink1" title="documentation:2.0:formreplay">form replay data</a>.
Custom functions allow one to extend <abbr title="LemonLDAP::NG">LL::NG</abbr>, they can be used in <a href="writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">headers</a>, <a href="writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rules</a> or <a href="formreplay.html" class="wikilink1" title="documentation:2.0:formreplay">form replay data</a>. Two actions are needed:
</p>
<ul>
<li class="level1"><div class="li"> declare them in LLNG configuration</div>
</li>
<li class="level1"><div class="li"> load the relevant code</div>
</li>
</ul>
</div>
<!-- EDIT1 SECTION "Custom functions" [1-309] -->
<h2 class="sectionedit2" id="implementation">Implementation</h2>
<div class="level2">
<p>
Your perl custom function must be declared on appropriate server when separating :
</p>
<p>
portal type : declare custom function here when using it in rules, macros, menu
</p>
<p>
reverse-proxy type : declare custom function here when using it in headers
</p>
</div>
<!-- EDIT1 SECTION "Custom functions" [1-219] -->
<h2 class="sectionedit2" id="write_custom_functions_library">Write custom functions library</h2>
<!-- EDIT2 SECTION "Implementation" [310-578] -->
<h2 class="sectionedit3" id="write_custom_functions_library">Write custom functions library</h2>
<div class="level2">
<p>
Create your Perl module with custom functions. You can name your module as you want, for example <code>SSOExtensions.pm</code>:
</p>
<pre class="code">vi /root/SSOExtensions.pm</pre>
<pre class="code">vi /path/to/SSOExtensions.pm</pre>
<pre class="code file perl"><a href="http://perldoc.perl.org/functions/package.html"><span class="kw3">package</span></a> SSOExtensions<span class="sy0">;</span>
&nbsp;
<span class="kw2">sub</span> function1 <span class="br0">&#123;</span>
@ -92,16 +116,20 @@ Create your Perl module with custom functions. You can name your module as you w
<a href="http://perldoc.perl.org/functions/return.html"><span class="kw3">return</span></a> <span class="re0">$result</span><span class="sy0">;</span>
<span class="br0">&#125;</span>
&nbsp;
<span class="kw2">sub</span> function2 <span class="br0">&#123;</span>
<a href="http://perldoc.perl.org/functions/return.html"><span class="kw3">return</span></a> <span class="co5">$_</span><span class="br0">&#91;</span><span class="nu0">0</span><span class="br0">&#93;</span><span class="sy0">;</span>
<span class="br0">&#125;</span>
&nbsp;
<span class="nu0">1</span><span class="sy0">;</span></pre>
</div>
<!-- EDIT2 SECTION "Write custom functions library" [220-554] -->
<h2 class="sectionedit3" id="import_custom_functions_in_lemonldapng">Import custom functions in LemonLDAP::NG</h2>
<!-- EDIT3 SECTION "Write custom functions library" [579-951] -->
<h2 class="sectionedit4" id="import_custom_functions_in_lemonldapng">Import custom functions in LemonLDAP::NG</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Import custom functions in LemonLDAP::NG" [555-608] -->
<h3 class="sectionedit4" id="declare_module_in_handler_server">Declare module in handler server</h3>
<!-- EDIT4 SECTION "Import custom functions in LemonLDAP::NG" [952-1005] -->
<h3 class="sectionedit5" id="load_relevant_code_in_handler_server">Load relevant code in handler server</h3>
<div class="level3">
</div>
@ -113,9 +141,9 @@ Create your Perl module with custom functions. You can name your module as you w
Just declare files or Perl module that must be loaded:
</p>
<pre class="code file :ini"><span class="re0"><span class="br0">&#91;</span>all<span class="br0">&#93;</span></span>
<span class="re1">require</span> <span class="sy0">=</span><span class="re2"> /path/to/functions.pl, /path/to/func2.pm</span>
<span class="re1">require</span> <span class="sy0">=</span><span class="re2"> /path/to/functions.pl, /path/to/SSOExtensions.pm</span>
# OR
<span class="re1">require</span> <span class="sy0">=</span><span class="re2"> My::Func1, My::Func2</span></pre>
<span class="re1">require</span> <span class="sy0">=</span><span class="re2"> SSOExtensions::function1, SSOExtensions::function2</span></pre>
</div>
@ -133,7 +161,7 @@ Your module has to be loaded by Apache (for example after Handler load):
</p>
<pre class="code file apache"><span class="co1"># Perl environment</span>
PerlRequire Lemonldap::NG::Handler
PerlRequire /root/SSOExtensions.pm
PerlRequire /path/to/SSOExtensions.pm
PerlOptions +GlobalRequest</pre>
</div>
@ -158,22 +186,22 @@ USER=www-data
GROUP=www-data
&nbsp;
# Custom functions file
CUSTOM_FUNCTIONS_FILE=/root/SSOExtensions.pm</pre>
CUSTOM_FUNCTIONS_FILE=/path/to/SSOExtensions.pm</pre>
</div>
<!-- EDIT4 SECTION "Declare module in handler server" [609-1892] -->
<h3 class="sectionedit5" id="declare_custom_functions">Declare custom functions</h3>
<!-- EDIT5 SECTION "Load relevant code in handler server" [1006-2337] -->
<h3 class="sectionedit6" id="declare_custom_functions">Declare custom functions</h3>
<div class="level3">
<p>
Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Custom functions</code> and set:
</p>
<pre class="code">SSOExtensions::function1</pre>
<pre class="code">SSOExtensions::function1 SSOExtensions::function2</pre>
<div class="noteimportant">If your function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail.
</div>
</div>
<!-- EDIT5 SECTION "Declare custom functions" [1893-2189] -->
<h2 class="sectionedit6" id="use_it">Use it</h2>
<!-- EDIT6 SECTION "Declare custom functions" [2338-2659] -->
<h2 class="sectionedit7" id="use_it">Use it</h2>
<div class="level2">
<p>
@ -182,6 +210,6 @@ You can now use your function in a macro, an header or an access rule, for examp
<pre class="code">Custom-Header =&gt; function1( $uid, $ENV{REMOTE_ADDR} )</pre>
</div>
<!-- EDIT6 SECTION "Use it" [2190-] --></div>
<!-- EDIT7 SECTION "Use it" [2660-] --></div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=f5d398c4fc6f21e5e626ce5d49ffe634" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -218,8 +218,18 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
<div class="level3">
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="media" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
<strong>OW2con&#039;14 Community Award</strong>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
@ -262,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1557671508" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1561840344" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=f5d398c4fc6f21e5e626ce5d49ffe634" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -218,8 +218,18 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
<div class="level3">
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="media" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
<strong>OW2con&#039;14 Community Award</strong>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
@ -262,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1557671508" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1561840344" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:external2f</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,external2f"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="external2f.html"/>


@ -110,12 +110,12 @@ If you want to protect only a virtualHost part, keep type on “Main” and set
<ul>
<li class="level1"><div class="li"> Apache: use simply a <code>PerlSetVar VHOSTTYPE AuthBasic</code></div>
</li>
<li class="level1"><div class="li"> Nginx: create another FastCGI with a <code>fastcgi_param VHOSTTYPE = AuthBasic;</code> <em>(and remove error_page 401)</em></div>
<li class="level1"><div class="li"> Nginx: create another FastCGI with a <code>fastcgi_param VHOSTTYPE AuthBasic;</code> <em>(and remove error_page 401)</em></div>
</li>
</ul>
</div>
<!-- EDIT5 SECTION "Virtual host" [727-1117] -->
<!-- EDIT5 SECTION "Virtual host" [727-1115] -->
<h3 class="sectionedit6" id="handler_parameters">Handler parameters</h3>
<div class="level3">
@ -129,6 +129,6 @@ requireToken =&gt; $env-&gt;{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
</div>
</div>
<!-- EDIT6 SECTION "Handler parameters" [1118-] --></div>
<!-- EDIT6 SECTION "Handler parameters" [1116-] --></div>
</body>
</html>


@ -48,23 +48,23 @@
<div class="level1">
<p>
This plugin allows us to use identity of another user. User have to log in with its real account and can choose to use an another profile. Can be useful for training/learning or development platforms.
This plugin allows certain users to assume the identity of another user. A privileged User first logs in with their real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms.
</p>
</div>
<!-- EDIT1 SECTION "Impersonation plugin" [1-239] -->
<!-- EDIT1 SECTION "Impersonation plugin" [1-303] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be forbidden to impersonate.
Just enable it in the Manager (section “plugins”) by setting a rule. Impersonation can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be protected from being impersonated.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Parameters</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Use rule</strong>: Allow or deny only specific users to use this plugin</div>
<li class="level2"><div class="li"> <strong>Use rule</strong>: Select which users may use this plugin</div>
</li>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which identities can be spoofed. Useful to prevent impersonation with specific identities like CEO, administrators or anonymous/protected users.</div>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.</div>
</li>
<li class="level2"><div class="li"> <strong>Real attributes prefix</strong>: Prefix use to rename user real profile attributes.</div>
</li>
@ -72,7 +72,7 @@ Just enable it in the Manager (section “plugins”) by setting a rule. Imperso
</li>
<li class="level2"><div class="li"> <strong>Skip empty values</strong>: Do not use empty profile attributes</div>
</li>
<li class="level2"><div class="li"> <strong>Merge spoofed and real <abbr title="Single Sign On">SSO</abbr> groups</strong>: Can be useful for administrators to keep higher privileges</div>
<li class="level2"><div class="li"> <strong>Merge spoofed and real <abbr title="Single Sign On">SSO</abbr> groups</strong>: Can be useful for administrators to keep higher privileges. “Special rule” field can be used to set <abbr title="Single Sign On">SSO</abbr> groups to merge if exist in real session. Multivalue <code>separator</code> is used. By example : <code>su; admins; anonymous</code></div>
</li>
</ul>
</li>
@ -83,7 +83,7 @@ Set a macro like this :
</p>
<p>
<code> _whatToTrace -&gt; $real__user ? &quot;$real__user / $_user&quot; : $_user / $_user </code>
<code> _whatToTrace -&gt; $real__user ? &quot;$real__user/$_user&quot; : &quot;$_user/$_user&quot; </code>
</p>
<p>
@ -99,13 +99,13 @@ By example : <code>$real_uid eq &#039;dwho</code>&#039; or <code>$real_groups =~
Keep in mind that real session is computed first. Afterward, if access is granted, impersonated session is computed with real and spoofed session attributes if Impersonation is allowed.
</p>
</div><div class="noteimportant">By example, to prevent impersonation with &#039;dwho&#039; set <strong>Identities use rule</strong> like :
</div><div class="noteimportant">By example, to prevent impersonation as &#039;dwho&#039; set <strong>Identities use rule</strong> like :
<p>
<code> $uid ne &#039;dwho&#039; </code>
</p>
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [240-] --></div>
<!-- EDIT2 SECTION "Configuration" [304-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:installdeb</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,installdeb"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="installdeb.html"/>
@ -177,15 +177,18 @@ Packages are available on the <a href="download.html" class="wikilink1" title="d
<!-- EDIT6 SECTION "Manual download" [1896-1982] -->
<h2 class="sectionedit7" id="install_packages">Install packages</h2>
<div class="level2">
<div class="noteimportant">By default packages will require Nginx. If you want to use Apache2, install it first with mod_perl:
<pre class="code">apt install apache2 libapache2-mod-perl</pre>
</div>
<!-- EDIT7 SECTION "Install packages" [1983-2012] -->
</div>
<!-- EDIT7 SECTION "Install packages" [1983-2191] -->
<h3 class="sectionedit8" id="with_apt">With apt</h3>
<div class="level3">
<pre class="code">apt install lemonldap-ng</pre>
</div>
<!-- EDIT8 SECTION "With apt" [2013-2073] -->
<!-- EDIT8 SECTION "With apt" [2192-2252] -->
<h3 class="sectionedit9" id="with_dpkg">With dpkg</h3>
<div class="level3">
@ -199,12 +202,12 @@ Then:
<pre class="code">dpkg -i liblemonldap-ng-* lemonldap-ng*</pre>
</div>
<!-- EDIT9 SECTION "With dpkg" [2074-2222] -->
<!-- EDIT9 SECTION "With dpkg" [2253-2401] -->
<h2 class="sectionedit10" id="first_configuration_steps">First configuration steps</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "First configuration steps" [2223-2261] -->
<!-- EDIT10 SECTION "First configuration steps" [2402-2440] -->
<h3 class="sectionedit11" id="change_default_dns_domain">Change default DNS domain</h3>
<div class="level3">
@ -214,7 +217,7 @@ By default, <abbr title="Domain Name System">DNS</abbr> domain is <code>example.
<pre class="code shell">sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json</pre>
</div>
<!-- EDIT11 SECTION "Change default DNS domain" [2262-2545] -->
<!-- EDIT11 SECTION "Change default DNS domain" [2441-2724] -->
<h3 class="sectionedit12" id="upgrade">Upgrade</h3>
<div class="level3">
@ -223,7 +226,7 @@ If you upgraded <abbr title="LemonLDAP::NG">LL::NG</abbr>, check all <a href="up
</p>
</div>
<!-- EDIT12 SECTION "Upgrade" [2546-2626] -->
<!-- EDIT12 SECTION "Upgrade" [2725-2805] -->
<h3 class="sectionedit13" id="dns">DNS</h3>
<div class="level3">
@ -244,7 +247,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</p>
</div>
<!-- EDIT13 SECTION "DNS" [2627-2931] -->
<!-- EDIT13 SECTION "DNS" [2806-3110] -->
<h2 class="sectionedit14" id="file_location">File location</h2>
<div class="level2">
<ul>
@ -265,7 +268,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</ul>
</div>
<!-- EDIT14 SECTION "File location" [2932-3499] -->
<!-- EDIT14 SECTION "File location" [3111-3678] -->
<h2 class="sectionedit15" id="build_your_packages">Build your packages</h2>
<div class="level2">
@ -277,6 +280,6 @@ cd lemonldap-ng-*
make debian-packages</pre>
</div>
<!-- EDIT15 SECTION "Build your packages" [3500-] --></div>
<!-- EDIT15 SECTION "Build your packages" [3679-] --></div>
</body>
</html>


@ -238,7 +238,7 @@ See also <a href="installdeb.html" class="wikilink1" title="documentation:2.0:in
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> use cron jobs to:
<abbr title="LemonLDAP::NG">LL::NG</abbr> use cron jobs (or systemd timers) to:
</p>
<ul>
<li class="level1"><div class="li"> purge old sessions</div>
@ -252,8 +252,12 @@ To install them on system:
</p>
<pre class="code">sudo ln -s /usr/local/lemonldap-ng/etc/cron.d/* /etc/cron.d/</pre>
<p>
or install .timers files in systemd directory (/lib/systemd/system)
</p>
</div>
<!-- EDIT6 SECTION "Install cron jobs" [3645-3854] -->
<!-- EDIT6 SECTION "Install cron jobs" [3645-3941] -->
<h2 class="sectionedit7" id="dns">DNS</h2>
<div class="level2">
@ -274,6 +278,6 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</p>
</div>
<!-- EDIT7 SECTION "DNS" [3855-] --></div>
<!-- EDIT7 SECTION "DNS" [3942-] --></div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=f5d398c4fc6f21e5e626ce5d49ffe634" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -218,8 +218,18 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
<div class="level3">
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="media" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
<strong>OW2con&#039;14 Community Award</strong>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
@ -262,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1557671508" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1561840344" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>



@ -49,9 +49,14 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#built-in">Built-in</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#cache_system">Cache system</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#global_performance">Global performance</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#cron_optimization">Cron optimization</a></div></li>
<li class="level2"><div class="li"><a href="#cron_optimization_or_systemd_timers">Cron optimization (or systemd timers)</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#handler_performance">Handler performance</a></div>
@ -87,12 +92,48 @@
<div class="level1">
<p>
LemonLDAP::NG is designed to be very performant. Indeed, it uses Apache2 threads capabilities. So to increase performances, prefer using <a href="http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#compiletime" class="urlextern" title="http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#compiletime" rel="nofollow">mpm-worker</a>.
LemonLDAP::NG is designed for high performance, both in throughput and response time. Indeed, it can use Apache2 threads capabilities <strong>but</strong> since Apache version 2.4, mpm_worker seems to break mod_perl. So to increase performances, prefer using Nginx.
</p>
</div>
<!-- EDIT1 SECTION "Performances" [1-249] -->
<h2 class="sectionedit2" id="global_performance">Global performance</h2>
<!-- EDIT1 SECTION "Performances" [1-282] -->
<h2 class="sectionedit2" id="built-in">Built-in</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Built-in" [283-303] -->
<h3 class="sectionedit3" id="cache_system">Cache system</h3>
<div class="level3">
<p>
LLNG uses different cache systems to avoid querying to many the databases:
</p>
<div class="table sectionedit4"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 leftalign"> </th><th class="col1 centeralign" colspan="2"> Lifetime in memory </th><th class="col3 centeralign" colspan="2"> Lifetime in Local-Cache (file) </th><th class="col5 centeralign"> DB </th>
</tr>
<tr class="row1 rowodd">
<th class="col0 leftalign"> </th><th class="col1 centeralign"> Parameter </th><th class="col2 centeralign"> Default </th><th class="col3 centeralign"> Parameter </th><th class="col4 centeralign"> Default </th><th class="col5 leftalign"> </th>
</tr>
</thead>
<tr class="row2 roweven">
<th class="col0 centeralign"> Configuration </th><td class="col1 centeralign"> <code>checkTime</code> </td><td class="col2 centeralign"> 10 minutes </td><td class="col3 leftalign"> </td><td class="col4 centeralign"> Until “reload” order </td><td class="col5 centeralign"></td>
</tr>
<tr class="row3 rowodd">
<th class="col0 centeralign"> Session </th><td class="col1 centeralign"> <code>handlerInternalCache</code> </td><td class="col2 centeralign"> 15 seconds </td><td class="col3 centeralign"> <code>default_expires_in</code>(*) </td><td class="col4 centeralign"> 10 minutes </td><td class="col5 centeralign"></td>
</tr>
</table></div>
<!-- EDIT4 TABLE [404-879] -->
<p>
<em>(*): Manager &gt;&gt; General parameters &gt;&gt; Sessions &gt;&gt; Sessions storage &gt;&gt; Cache module options</em>
</p>
<div class="noteclassic">Configuration and sessions are first looked up in-memory, then in the cache file, and then in their backing store. This means that after a configuration reload <em>(using Manager)</em>, you have to wait for <code>checkTime</code> before you can see your changes.
</div>
</div>
<!-- EDIT3 SECTION "Cache system" [304-1241] -->
<h2 class="sectionedit5" id="global_performance">Global performance</h2>
<div class="level2">
<p>
@ -105,28 +146,28 @@ To bypass this, you can:
<ul>
<li class="level1"><div class="li"> Use <abbr title="Internet Protocol">IP</abbr> in configuration to avoid <abbr title="Domain Name System">DNS</abbr> resolution</div>
</li>
<li class="level1"><div class="li"> Install a <abbr title="Domain Name System">DNS</abbr> cache like nscd, netmask or bind</div>
<li class="level1"><div class="li"> Install a <abbr title="Domain Name System">DNS</abbr> cache like nscd, dnsmasq or unbound</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Global performance" [250-650] -->
<h3 class="sectionedit3" id="cron_optimization">Cron optimization</h3>
<!-- EDIT5 SECTION "Global performance" [1242-1645] -->
<h3 class="sectionedit6" id="cron_optimization_or_systemd_timers">Cron optimization (or systemd timers)</h3>
<div class="level3">
<p>
LLNG installs its cron files without knowing how many servers are installed. You should optimize this to launch:
</p>
<ul>
<li class="level1"><div class="li"> purgeCentralCache: only 1 time every 10 minutes for the whole system</div>
<li class="level1"><div class="li"> purgeCentralCache: only 1 time every 10 minutes for the whole system (or more)</div>
</li>
<li class="level1"><div class="li"> purgeLocalCache: ~ 1 time per hour on each server</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Cron optimization" [651-920] -->
<h2 class="sectionedit4" id="handler_performance">Handler performance</h2>
<!-- EDIT6 SECTION "Cron optimization (or systemd timers)" [1646-1945] -->
<h2 class="sectionedit7" id="handler_performance">Handler performance</h2>
<div class="level2">
<p>
@ -142,8 +183,8 @@ Handlers check rights and calculate headers for each HTTP hit. So to improve per
</p>
</div>
<!-- EDIT4 SECTION "Handler performance" [921-1350] -->
<h3 class="sectionedit5" id="macros_and_groups">Macros and groups</h3>
<!-- EDIT7 SECTION "Handler performance" [1946-2376] -->
<h3 class="sectionedit8" id="macros_and_groups">Macros and groups</h3>
<div class="level3">
<p>
@ -203,8 +244,8 @@ admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro “macro1” will be computed before macro “macro2”: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div>
</div>
<!-- EDIT5 SECTION "Macros and groups" [1351-3445] -->
<h3 class="sectionedit6" id="local_macros">Local macros</h3>
<!-- EDIT8 SECTION "Macros and groups" [2377-4471] -->
<h3 class="sectionedit9" id="local_macros">Local macros</h3>
<div class="level3">
<p>
@ -217,13 +258,13 @@ Display<span class="sy0">-</span>Name <span class="sy0">-&gt;</span> <span class
<div class="notetip">Note that this feature is interesting only for the Lemonldap::NG systems protecting a high number of applications
</div>
</div>
<!-- EDIT6 SECTION "Local macros" [3446-4107] -->
<h2 class="sectionedit7" id="portal_performances">Portal performances</h2>
<!-- EDIT9 SECTION "Local macros" [4472-5133] -->
<h2 class="sectionedit10" id="portal_performances">Portal performances</h2>
<div class="level2">
</div>
<!-- EDIT7 SECTION "Portal performances" [4108-4140] -->
<h3 class="sectionedit8" id="general_performances">General performances</h3>
<!-- EDIT10 SECTION "Portal performances" [5134-5166] -->
<h3 class="sectionedit11" id="general_performances">General performances</h3>
<div class="level3">
<p>
@ -245,12 +286,12 @@ By default it uses local storage to store its tokens. If you have more than 1 po
</div>
</div>
<!-- EDIT8 SECTION "General performances" [4141-5018] -->
<h3 class="sectionedit9" id="apachesession_performances">Apache::Session performances</h3>
<!-- EDIT11 SECTION "General performances" [5167-6044] -->
<h3 class="sectionedit12" id="apachesession_performances">Apache::Session performances</h3>
<div class="level3">
<p>
Lemonldap::NG handlers use a local cache to store sessions (for 10 minutes). So Apache::Session module is not a problem for handlers. It can be a brake for the portal:
Lemonldap::NG handlers use a local cache to store sessions (for 10 minutes). So Apache::Session module is not a problem for handlers. But it can be a bottleneck for the portal:
</p>
<ol>
<li class="level1"><div class="li"> When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an <a href="https://metacpan.org/module/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable" rel="nofollow">Apache::Session::Browseable</a> module.</div>
@ -308,7 +349,7 @@ Look at <a href="browseablesessionbackend.html" class="wikilink1" title="documen
<p>
This test isn&#039;t an “only-backend” test but embedded some LLNG methods, so real differences between engines are mitigate here.
</p>
<div class="table sectionedit10"><table class="inline table table-bordered table-striped">
<div class="table sectionedit13"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign" colspan="2"> Backend </th><th class="col2 centeralign" colspan="3"> Portal and handlers </th><th class="col5 centeralign" colspan="3"> Session explorer and one-off sessions </th>
@ -357,7 +398,7 @@ This test isn&#039;t an “only-backend” test but embedded some LLNG methods,
<td class="col0 centeralign" colspan="8"> <em>The source of this test is available in sources: e2e-tests/sbperf.pl</em> </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [7910-9813] --><ul>
<!-- EDIT13 TABLE [8945-10848] --><ul>
<li class="level1"><div class="li"> <em><strong>(1) :</strong> “purge” test is done with Apache::Session::Browseable-1.2.5 and LLG-2.0. Earlier results are not so good.</em></div>
</li>
<li class="level1"><div class="li"> <em><strong>(2) :</strong> “purge” test is done with Apache::Session::Browseable-1.2.6 and LLG-2.0.</em></div>
@ -381,8 +422,8 @@ Analysis:
</ul>
</div>
<!-- EDIT9 SECTION "Apache::Session performances" [5019-10591] -->
<h3 class="sectionedit11" id="ldap_performances">LDAP performances</h3>
<!-- EDIT12 SECTION "Apache::Session performances" [6045-11626] -->
<h3 class="sectionedit14" id="ldap_performances">LDAP performances</h3>
<div class="level3">
<p>
@ -418,13 +459,13 @@ Now ldapgroups contains “admin su”
</div>
</div>
<!-- EDIT11 SECTION "LDAP performances" [10592-11726] -->
<h2 class="sectionedit12" id="manager_performances">Manager performances</h2>
<!-- EDIT14 SECTION "LDAP performances" [11627-12761] -->
<h2 class="sectionedit15" id="manager_performances">Manager performances</h2>
<div class="level2">
</div>
<!-- EDIT12 SECTION "Manager performances" [11727-11760] -->
<h3 class="sectionedit13" id="disable_unused_modules">Disable unused modules</h3>
<!-- EDIT15 SECTION "Manager performances" [12762-12795] -->
<h3 class="sectionedit16" id="disable_unused_modules">Disable unused modules</h3>
<div class="level3">
<p>
@ -434,8 +475,8 @@ In lemonldap-ng.ini, set only modules that you will use. By default, configurati
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions</span></pre>
</div>
<!-- EDIT13 SECTION "Disable unused modules" [11761-12022] -->
<h3 class="sectionedit14" id="use_static_html_files">Use static HTML files</h3>
<!-- EDIT16 SECTION "Disable unused modules" [12796-13057] -->
<h3 class="sectionedit17" id="use_static_html_files">Use static HTML files</h3>
<div class="level3">
<p>
@ -461,6 +502,6 @@ So manager <abbr title="HyperText Markup Language">HTML</abbr> templates will be
</p>
</div>
<!-- EDIT14 SECTION "Use static HTML files" [12023-] --></div>
<!-- EDIT17 SECTION "Use static HTML files" [13058-] --></div>
</body>
</html>


@ -101,6 +101,10 @@ Go in <code>General Parameters</code> &gt; <code>Plugins</code> &gt; <code>Porta
<li class="level1"><div class="li"> <strong>REST configuration server</strong>: Enable REST for configuration</div>
</li>
<li class="level1"><div class="li"> <strong>SOAP/REST exported attributes</strong>: list session attributes shared trough REST</div>
<ul>
<li class="level2"><div class="li"> use <code>+</code> to append to the default list of technical attributes, example: <code>+ uid mail</code></div>
</li>
</ul>
</li>
</ul>
@ -109,7 +113,7 @@ See also <a href="restservices.html" class="wikilink1" title="documentation:2.0:
</p>
</div>
<!-- EDIT4 SECTION "REST" [276-600] -->
<!-- EDIT4 SECTION "REST" [276-695] -->
<h3 class="sectionedit5" id="soapdeprecated">SOAP //(deprecated)//</h3>
<div class="level3">
@ -122,6 +126,10 @@ Go in <code>General Parameters</code> &gt; <code>Plugins</code> &gt; <code>Porta
<li class="level1"><div class="li"> <strong>SOAP configuration server</strong>: Enable SOAP for configuration</div>
</li>
<li class="level1"><div class="li"> <strong>SOAP/REST exported attributes</strong>: list session attributes shared trough SOAP</div>
<ul>
<li class="level2"><div class="li"> use <code>+</code> to append to the default list of technical attributes, example: <code>+ uid mail</code></div>
</li>
</ul>
</li>
</ul>
@ -130,6 +138,6 @@ See also <a href="soapservices.html" class="wikilink1" title="documentation:2.0:
</p>
</div>
<!-- EDIT5 SECTION "SOAP //(deprecated)//" [601-] --></div>
<!-- EDIT5 SECTION "SOAP //(deprecated)//" [696-] --></div>
</body>
</html>


@ -121,6 +121,8 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</li>
<li class="level1"><div class="li"> Convert::PEM</div>
</li>
<li class="level1"><div class="li"> Cookie::Baker::XS</div>
</li>
<li class="level1"><div class="li"> Crypt::OpenSSL::Bignum</div>
</li>
<li class="level1"><div class="li"> Crypt::OpenSSL::RSA</div>
@ -175,6 +177,8 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</li>
<li class="level1"><div class="li"> String::Random</div>
</li>
<li class="level1"><div class="li"> Text::Unidecode <em>(versions ≥ 2.0.5)</em></div>
</li>
<li class="level1"><div class="li"> Unicode::String</div>
</li>
<li class="level1"><div class="li"> <abbr title="Uniform Resource Identifier">URI</abbr></div>
@ -184,7 +188,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT4 SECTION "Core" [795-1437] -->
<!-- EDIT4 SECTION "Core" [795-1504] -->
<h3 class="sectionedit5" id="deprecated_features">Deprecated features</h3>
<div class="level3">
<ul>
@ -207,7 +211,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT5 SECTION "Deprecated features" [1438-1606] -->
<!-- EDIT5 SECTION "Deprecated features" [1505-1673] -->
<h3 class="sectionedit6" id="saml2">SAML2</h3>
<div class="level3">
<ul>
@ -220,7 +224,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT6 SECTION "SAML2" [1607-1692] -->
<!-- EDIT6 SECTION "SAML2" [1674-1759] -->
<h3 class="sectionedit7" id="second_factor">Second factor</h3>
<div class="level3">
<ul>
@ -231,7 +235,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT7 SECTION "Second factor" [1693-1786] -->
<!-- EDIT7 SECTION "Second factor" [1760-1853] -->
<h3 class="sectionedit8" id="specific_authentication_backends">Specific authentication backends</h3>
<div class="level3">
<ul>
@ -274,7 +278,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT8 SECTION "Specific authentication backends" [1787-2015] -->
<!-- EDIT8 SECTION "Specific authentication backends" [1854-2082] -->
<h3 class="sectionedit9" id="smtpreset_password_by_mail">SMTP / Reset password by mail</h3>
<div class="level3">
<ul>
@ -287,7 +291,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT9 SECTION "SMTP / Reset password by mail" [2016-2108] -->
<!-- EDIT9 SECTION "SMTP / Reset password by mail" [2083-2175] -->
<h3 class="sectionedit10" id="unit_tests">Unit tests</h3>
<div class="level3">
<ul>
@ -304,29 +308,31 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT10 SECTION "Unit tests" [2109-2222] -->
<!-- EDIT10 SECTION "Unit tests" [2176-2289] -->
<h2 class="sectionedit11" id="other">Other</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Jquery (javascript framework) is included in tarball and RPMs, but is a dependency on Debian official releases</div>
</li>
<li class="level1"><div class="li"> Cache::Memcached : used by SecureToken handler</div>
</li>
</ul>
</div>
<!-- EDIT11 SECTION "Other" [2223-2357] -->
<!-- EDIT11 SECTION "Other" [2290-2475] -->
<h2 class="sectionedit12" id="install_dependencies_on_your_system">Install dependencies on your system</h2>
<div class="level2">
<div class="notewarning">You don&#039;t need to install them if you use <abbr title="LemonLDAP::NG">LL::NG</abbr> packages. With <code>apt</code> or <code>yum</code>, dependencies will be automatically installed.
</div>
</div>
<!-- EDIT12 SECTION "Install dependencies on your system" [2358-2557] -->
<!-- EDIT12 SECTION "Install dependencies on your system" [2476-2675] -->
<h3 class="sectionedit13" id="apt">APT</h3>
<div class="level3">
<p>
Perl dependencies:
</p>
<pre class="code">apt install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl</pre>
<pre class="code">apt install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libtext-unidecode-perl libcookie-baker-xs-perl</pre>
<p>
For Apache:
@ -339,7 +345,7 @@ For Nginx:
<pre class="code">apt install nginx nginx-extras</pre>
</div>
<!-- EDIT13 SECTION "APT" [2558-3358] -->
<!-- EDIT13 SECTION "APT" [2676-3523] -->
<h3 class="sectionedit14" id="yum">YUM</h3>
<div class="level3">
<div class="notetip">You need <a href="http://fedoraproject.org/wiki/EPEL/" class="urlextern" title="http://fedoraproject.org/wiki/EPEL/" rel="nofollow">EPEL</a> repository. See below how to enable this repository: <a href="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse" class="urlextern" title="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse" rel="nofollow">http://fedoraproject.org/wiki/EPEL/FAQ#howtouse</a>
@ -361,6 +367,6 @@ For Nginx:
<div class="noteimportant">As you need a recent version of Nginx, the best is to install <a href="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages" class="urlextern" title="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages" rel="nofollow">Nginx official packages</a>.
</div>
</div>
<!-- EDIT14 SECTION "YUM" [3359-] --></div>
<!-- EDIT14 SECTION "YUM" [3524-] --></div>
</body>
</html>


@ -59,6 +59,7 @@
<li class="level2"><div class="li"><a href="#using_uwsgi">Using uWSGI</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#using_debian_lemonldap-ng-uwsgi-app_package">Using Debian lemonldap-ng-uwsgi-app package</a></div></li>
<li class="level3"><div class="li"><a href="#configuration">Configuration</a></div></li>
</ul>
</li>
</ul>
@ -239,7 +240,31 @@ Then adapt your Nginx configuration to use this uWSGI app.
</p>
</div>
<!-- EDIT5 SECTION "Using uWSGI" [3425-4282] -->
<h4 id="configuration">Configuration</h4>
<div class="level4">
<p>
To serve large requests with uWsgi, you could have to modify in uWsgi and/or Nginx init files several options. Example:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/psgi/codeblock.4.code" title="Download Snippet" class="mediafile mf_ini">uWsgi.ini</a></dt>
<dd><pre class="code file ini"><span class="re1">workers</span> <span class="sy0">=</span><span class="re2"> 4</span>
<span class="re1">buffer-size</span> <span class="sy0">=</span><span class="re2"> 65535</span>
<span class="re1">limit-post</span> <span class="sy0">=</span><span class="re2"> 0</span></pre>
</dd></dl>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/psgi/codeblock.5.code" title="Download Snippet" class="mediafile mf_conf">nginx.conf</a></dt>
<dd><pre class="code file nginx">client_max_body_size 300M;
proxy_send_timeout 600;
proxy_read_timeout 600;
proxy_connect_timeout 600;
uwsgi_read_timeout 120;
uwsgi_send_timeout 120;</pre>
</dd></dl>
</div>
<!-- EDIT5 SECTION "Using uWSGI" [3425-4685] -->
<h2 class="sectionedit6" id="protect_a_psgi_application">Protect a PSGI application</h2>
<div class="level2">
@ -247,7 +272,7 @@ Then adapt your Nginx configuration to use this uWSGI app.
LLNG provides <code>Plack::Middleware::Auth::LemonldapNG</code> that can be used to protect any PSGI application: it acts exactly like a LLNG handler. Simple example:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/psgi/codeblock.4.code" title="Download Snippet" class="mediafile mf_psgi">app.psgi</a></dt>
<dt><a href="_export/code/documentation/2.0/psgi/codeblock.6.code" title="Download Snippet" class="mediafile mf_psgi">app.psgi</a></dt>
<dd><pre class="code file perl"><span class="kw2">use</span> Plack<span class="sy0">::</span><span class="me2">Builder</span><span class="sy0">;</span>
&nbsp;
<span class="kw1">my</span> <span class="re0">$app</span> <span class="sy0">=</span> <span class="kw2">sub</span> <span class="br0">&#123;</span> <span class="sy0">...</span> <span class="br0">&#125;</span><span class="sy0">;</span>
@ -261,7 +286,7 @@ builder <span class="br0">&#123;</span>
More advanced example:
</p>
<dl class="file">
<dt><a href="_export/code/documentation/2.0/psgi/codeblock.5.code" title="Download Snippet" class="mediafile mf_psgi">app.psgi</a></dt>
<dt><a href="_export/code/documentation/2.0/psgi/codeblock.7.code" title="Download Snippet" class="mediafile mf_psgi">app.psgi</a></dt>
<dd><pre class="code file perl"><span class="kw2">use</span> Plack<span class="sy0">::</span><span class="me2">Builder</span><span class="sy0">;</span>
&nbsp;
<span class="kw1">my</span> <span class="re0">$app</span> <span class="sy0">=</span> <span class="kw2">sub</span> <span class="br0">&#123;</span> <span class="sy0">...</span> <span class="br0">&#125;</span><span class="sy0">;</span>
@ -283,6 +308,6 @@ builder <span class="br0">&#123;</span>
</dd></dl>
</div>
<!-- EDIT6 SECTION "Protect a PSGI application" [4283-] --></div>
<!-- EDIT6 SECTION "Protect a PSGI application" [4686-] --></div>
</body>
</html>


@ -85,12 +85,12 @@ All parameters are set in “General Parameters » Portal Parameters » Second F
</li>
<li class="level1"><div class="li"> <strong>Authentication Level</strong>: if you want to overwrite the value sent by your authentication module, you can define here a new authentication level. Example: 5</div>
</li>
<li class="level1"><div class="li"> Logo (optional): logo file <em>(in static/&lt;skin&gt; directory)</em></div>
<li class="level1"><div class="li"> <strong>Logo</strong> (optional): logo file <em>(in static/&lt;skin&gt; directory)</em></div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Configuration" [199-904] -->
<!-- EDIT2 SECTION "Configuration" [199-908] -->
<h2 class="sectionedit3" id="arguments">Arguments</h2>
<div class="level2">
@ -100,7 +100,7 @@ Arguments are a list of key/value. Key is the name of JSON entry, value is attri
<div class="noteimportant">For Verify <abbr title="Uniform Resource Locator">URL</abbr>, you should send $code at least
</div>
</div>
<!-- EDIT3 SECTION "Arguments" [905-1099] -->
<!-- EDIT3 SECTION "Arguments" [909-1103] -->
<h2 class="sectionedit4" id="rest_dialog">REST Dialog</h2>
<div class="level2">
@ -120,8 +120,8 @@ REST web services have just to reply with a “result” key in a JSON file. Aut
<td class="col0 centeralign"> Verify <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{“user”:$user,“code”:“$code”,...}</code> </td><td class="col2"> JSON file: <code>{“result”:true/false}</code> </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [1310-1539] -->
<!-- EDIT5 TABLE [1314-1543] -->
</div>
<!-- EDIT4 SECTION "REST Dialog" [1100-] --></div>
<!-- EDIT4 SECTION "REST Dialog" [1104-] --></div>
</body>
</html>


@ -112,7 +112,7 @@ Request parameters:
</li>
<li class="level2"><div class="li"> <code>password</code>: user password</div>
</li>
<li class="level2"><div class="li"> xxx: optional parameters, like <code>lmAuth</code> if your portal uses <code>Choice</code></div>
<li class="level2"><div class="li"> xxx: optional parameters, like <code>lmAuth</code> if your portal uses <code>Choice</code> or <code>spoofId</code> to impersonate.</div>
</li>
</ul>
</li>
@ -160,7 +160,7 @@ The JSON response fields are:
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT3 SECTION "Authentication" [165-1931] -->
<!-- EDIT3 SECTION "Authentication" [165-1962] -->
<h3 class="sectionedit4" id="sessions">Sessions</h3>
<div class="level3">
@ -173,7 +173,7 @@ See <a href="restsessionbackend.html" class="wikilink1" title="documentation:2.0
</p>
</div>
<!-- EDIT4 SECTION "Sessions" [1932-2153] -->
<!-- EDIT4 SECTION "Sessions" [1963-2184] -->
<h3 class="sectionedit5" id="configuration">Configuration</h3>
<div class="level3">
@ -186,6 +186,6 @@ See <a href="restconfbackend.html" class="wikilink1" title="documentation:2.0:re
</p>
</div>
<!-- EDIT5 SECTION "Configuration" [2154-] --></div>
<!-- EDIT5 SECTION "Configuration" [2185-] --></div>
</body>
</html>


@ -152,9 +152,10 @@ Then, set <code>Lemonldap::NG::Common::Apache::Session::REST</code> in <code>Gen
<td class="col0 centeralign"> <strong>password</strong> </td><td class="col1"> Password to use for auth basic mechanism </td><td class="col2 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [1790-2116] -->
<!-- EDIT4 TABLE [1790-2116] --><div class="noteimportant">By default, user password and other secret keys are hidden by LLNG REST server. You can force REST server to export their real values by selecting “Export secret attributes in REST” in the manager. This less secure option is disabled by default.
</div>
<!-- EDIT3 SECTION "Manager" [1452-2117] -->
</div>
<!-- EDIT3 SECTION "Manager" [1452-2386] -->
<h3 class="sectionedit5" id="apache">Apache</h3>
<div class="level3">
@ -167,7 +168,7 @@ Sessions REST end points access must be allowed in Apache portal configuration (
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT5 SECTION "Apache" [2118-2408] -->
<!-- EDIT5 SECTION "Apache" [2387-2677] -->
<h3 class="sectionedit6" id="real_session_backend">Real session backend</h3>
<div class="level3">
@ -198,6 +199,6 @@ To share only the listed attributes:
<pre class="code">authenticationLevel groups ipAddr _startTime _utime _lastSeen _session_id uid cn mail</pre>
</div>
<!-- EDIT6 SECTION "Real session backend" [2409-] --></div>
<!-- EDIT6 SECTION "Real session backend" [2678-] --></div>
</body>
</html>


@ -94,10 +94,11 @@ Since 2.0, LLNG provides some second factor plugins that can be used to complete
<li class="level1"><div class="li"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External 2F</a> <em>(to call an external command)</em> </div>
</li>
</ul>
<div class="notetip">If you want to force a 2F registration on first login, you can use “Require 2FA”. You can also use a rule to force 2FA registration only for some users.
<div class="notetip">If you want to force a 2F registration on first login, you can use &#039;Require 2FA&#039;. You can also use a rule to force 2FA registration only for some users.
</div><div class="notetip">You can display a message if an expired second factor has been removed by enabling &#039;Display a message if an expired SF is removed&#039; option or setting a rule.
</div>
</div>
<!-- EDIT1 SECTION "Second Factors" [1-1165] -->
<!-- EDIT1 SECTION "Second Factors" [1-1339] -->
<h2 class="sectionedit2" id="providing_tokens_from_an_external_source">Providing tokens from an external source</h2>
<div class="level2">
@ -107,25 +108,25 @@ If you don&#039;t want to use self-registration features for U2F, TOTP and so on
<pre class="code json">[ {&quot;type&quot; : &quot;TOTP&quot;, &quot;name&quot; : &quot;MyTOTP&quot;, …}, {&lt;other_token&gt;}, …]</pre>
</div>
<!-- EDIT2 SECTION "Providing tokens from an external source" [1166-1559] -->
<!-- EDIT2 SECTION "Providing tokens from an external source" [1340-1733] -->
<h3 class="sectionedit3" id="u2f_tokens">U2F Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyU2FKey&quot; , &quot;type&quot; : &quot;U2F&quot; , &quot;_userKey&quot; : &quot;########&quot; , &quot;_keyHandle&quot;:&quot;########&quot; , &quot;epoch&quot;:&quot;1524078936&quot;}</pre>
</div>
<!-- EDIT3 SECTION "U2F Tokens" [1560-1717] -->
<!-- EDIT3 SECTION "U2F Tokens" [1734-1891] -->
<h3 class="sectionedit4" id="totp_tokens">TOTP Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyTOTP&quot; , &quot;type&quot; : &quot;TOTP&quot; , &quot;_secret&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817955&quot;}</pre>
</div>
<!-- EDIT4 SECTION "TOTP Tokens" [1718-1850] -->
<!-- EDIT4 SECTION "TOTP Tokens" [1892-2024] -->
<h3 class="sectionedit5" id="yubikey_tokens">Yubikey Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyYubikey&quot; , &quot;type&quot; : &quot;UBK&quot; , &quot;_yubikey&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817715&quot;}</pre>
</div>
<!-- EDIT5 SECTION "Yubikey Tokens" [1851-1989] -->
<!-- EDIT5 SECTION "Yubikey Tokens" [2025-2163] -->
<h2 class="sectionedit6" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -142,6 +143,6 @@ To enable manager Second Factor Administration Module, set <code>enabledModules<
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT6 SECTION "Developer corner" [1990-] --></div>
<!-- EDIT6 SECTION "Developer corner" [2164-] --></div>
</body>
</html>


@ -52,12 +52,7 @@
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#virtual_host">Virtual host</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level3"><div class="li"><a href="#other_web_servers">Other web servers</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#virtual_host">Virtual host</a></div></li>
<li class="level2"><div class="li"><a href="#handler_parameters">Handler parameters</a></div></li>
</ul></li>
</ul>
@ -86,38 +81,32 @@ This mechanism allows one to protect an application with an unsafe link between
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<p>
Install Cache::Memcached dependency.
</p>
</div>
<!-- EDIT3 SECTION "Configuration" [515-541] -->
<!-- EDIT3 SECTION "Configuration" [515-579] -->
<h3 class="sectionedit4" id="virtual_host">Virtual host</h3>
<div class="level3">
</div>
<h4 id="apache">Apache</h4>
<div class="level4">
<p>
You just have to set “Type: SecureToken” in the VirtualHost options in the manager.
</p>
<p>
VirtualHost has to be configured like other <a href="configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">protected virtual hosts</a> but by using Secure Token Handler instead of default Handler.
If you want to protect only a virtualHost part, keep type on “Main” and set type in your configuration file:
</p>
<pre class="code file apache">PerlModule Lemonldap::NG::Handler::Specific::SecureToken
&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> secure.example.com
&nbsp;
<span class="co1"># Load SecureToken Handler</span>
PerlHeaderParserHandler Lemonldap::NG::Handler::Specific::SecureToken
&nbsp;
...
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div>
<h4 id="other_web_servers">Other web servers</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> Apache: use simply a <code>PerlSetVar VHOSTTYPE AuthBasic</code></div>
</li>
<li class="level1"><div class="li"> Nginx: create another FastCGI with a <code>fastcgi_param VHOSTTYPE SecureToken;</code></div>
</li>
</ul>
<div class="noteclassic">This handler uses Apache2Filter Module to hide token, prefer <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">Handling server webservice calls</a> for other servers.
</div>
</div>
<!-- EDIT4 SECTION "Virtual host" [542-1184] -->
<!-- EDIT4 SECTION "Virtual host" [580-1086] -->
<h3 class="sectionedit5" id="handler_parameters">Handler parameters</h3>
<div class="level3">
@ -149,6 +138,6 @@ SecureToken parameters are the following:
</div>
</div>
<!-- EDIT5 SECTION "Handler parameters" [1185-] --></div>
<!-- EDIT5 SECTION "Handler parameters" [1087-] --></div>
</body>
</html>


@ -158,11 +158,13 @@ To protect the manager by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you just ha
LLNG portal now embeds the following features:
</p>
<ul>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="nofollow">CSRF</a> protection <em>(Cross-Site Request Forgery)</em>: a token is build for each form. To disable it, set &#039;require Token for forms&#039; to Off <em>(portal security parameters in the manager)</em>. Token timeout can be defined via manager (default to 120 seconds),</div>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-site_request_forgery" rel="nofollow">CSRF</a> protection <em>(Cross-Site Request Forgery)</em>: a token is build for each form. To disable it, set &#039;require Token for forms&#039; to Off <em>(portal security parameters in the manager)</em>. Token timeout can be defined via manager (default to 120 seconds)</div>
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Content_Security_Policy" class="urlextern" title="https://en.wikipedia.org/wiki/Content_Security_Policy" rel="nofollow">Content-Security-Policy</a> header: portal builds dynamically this header. You can modify default values in the manager <em>(Général parameters » Advanced parameters » Security » Content-Security-Policy)</em>.</div>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Brute-force_attack" class="urlextern" title="https://en.wikipedia.org/wiki/Brute-force_attack" rel="nofollow">Brute-force attack</a> protection: after some failed logins, user must wait before re-try to log into Portal</div>
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Brute-force_attack" class="urlextern" title="https://en.wikipedia.org/wiki/Brute-force_attack" rel="nofollow">Brute-force attack</a> protection: after some failed logins, user must wait before re-try to log into Portal.</div>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Content_Security_Policy" class="urlextern" title="https://en.wikipedia.org/wiki/Content_Security_Policy" rel="nofollow">Content-Security-Policy</a> header: portal builds dynamically this header. You can modify default values in the manager <em>(General parameters » Advanced parameters » Security » Content-Security-Policy)</em></div>
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="nofollow">Cross-Origin Resource Sharing</a> headers: CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain “cross-domain” requests, notably Ajax requests, are forbidden by default by the same-origin security policy. You can modify default values in the manager <em>(General parameters » Advanced parameters » Security » Cross-Origin Resource Sharing)</em></div>
</li>
</ul>
<div class="noteimportant"><ul>
@ -174,7 +176,7 @@ LLNG portal now embeds the following features:
</div>
</div>
<!-- EDIT6 SECTION "Portal" [2106-3218] -->
<!-- EDIT6 SECTION "Portal" [2106-3831] -->
<h3 class="sectionedit7" id="split_portal_when_using_soaprest">Split portal when using SOAP/REST</h3>
<div class="level3">
@ -183,12 +185,12 @@ If you use <a href="soapsessionbackend.html" class="wikilink1" title="documentat
</p>
</div>
<!-- EDIT7 SECTION "Split portal when using SOAP/REST" [3219-3409] -->
<!-- EDIT7 SECTION "Split portal when using SOAP/REST" [3832-4022] -->
<h2 class="sectionedit8" id="write_good_rules">Write good rules</h2>
<div class="level2">
</div>
<!-- EDIT8 SECTION "Write good rules" [3410-3439] -->
<!-- EDIT8 SECTION "Write good rules" [4023-4052] -->
<h3 class="sectionedit9" id="order_your_rules">Order your rules</h3>
<div class="level3">
@ -221,7 +223,7 @@ For example, if these rules are used without comments:
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [3853-3963] -->
<!-- EDIT10 TABLE [4466-4576] -->
<p>
Then the second rule will be applied first, so every authenticated user will access to <code>/pub/admin</code> directory.
</p>
@ -242,7 +244,7 @@ Use comment to correct this:
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> 2_pub </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [4108-4232] --><div class="notetip"><ul>
<!-- EDIT11 TABLE [4721-4845] --><div class="notetip"><ul>
<li class="level1"><div class="li"> Reload the Manager to see the effective order</div>
</li>
<li class="level1"><div class="li"> Use rule comments to order your rules</div>
@ -251,7 +253,7 @@ Use comment to correct this:
</div>
</div>
<!-- EDIT9 SECTION "Order your rules" [3440-4345] -->
<!-- EDIT9 SECTION "Order your rules" [4053-4958] -->
<h3 class="sectionedit12" id="be_careful_with_url_parameters">Be careful with URL parameters</h3>
<div class="level3">
@ -275,7 +277,7 @@ For example with this rule on the <code>access</code> parameter:
<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [4582-4716] -->
<!-- EDIT13 TABLE [5195-5329] -->
<p>
Then a user that try to access to one of the following <em class="u">will be granted</em> !
</p>
@ -305,11 +307,11 @@ You can use the following rules instead:
<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT14 TABLE [4914-5117] --><div class="notetip"><strong>(?i)</strong> means case no sensitive.
<!-- EDIT14 TABLE [5527-5730] --><div class="notetip"><strong>(?i)</strong> means case no sensitive.
</div><div class="notewarning">Remember that rules written on GET parameters must be tested.
</div>
</div>
<!-- EDIT12 SECTION "Be careful with URL parameters" [4346-5254] -->
<!-- EDIT12 SECTION "Be careful with URL parameters" [4959-5867] -->
<h3 class="sectionedit15" id="encoded_characters">Encoded characters</h3>
<div class="level3">
@ -318,13 +320,13 @@ Some characters are encoded in URLs by the browser (such as space,...). To avoid
</p>
</div>
<!-- EDIT15 SECTION "Encoded characters" [5255-5502] -->
<!-- EDIT15 SECTION "Encoded characters" [5868-6115] -->
<h3 class="sectionedit16" id="ip_in_rules">IP in rules</h3>
<div class="level3">
<div class="notewarning">If you are running LemonLDAP::NG behind a reverse proxy, make sure you check the <a href="behindproxyminihowto.html" class="wikilink1" title="documentation:2.0:behindproxyminihowto">Reverse Proxy how-to</a> so that the rule applies to the real user <abbr title="Internet Protocol">IP</abbr> and not the reverse proxy&#039;s <abbr title="Internet Protocol">IP</abbr>. Make sure you only specify trusted proxy addresses so that an attacker cannot forge the <code>X-Forwarded-For</code> header
</div>
</div>
<!-- EDIT16 SECTION "IP in rules" [5503-5866] -->
<!-- EDIT16 SECTION "IP in rules" [6116-6479] -->
<h2 class="sectionedit17" id="secure_reverse-proxies">Secure reverse-proxies</h2>
<div class="level2">
@ -370,7 +372,7 @@ It is recommended to secure the channel between reverse-proxies and application
</ul>
</div>
<!-- EDIT17 SECTION "Secure reverse-proxies" [5867-7535] -->
<!-- EDIT17 SECTION "Secure reverse-proxies" [6480-8148] -->
<h2 class="sectionedit18" id="configure_security_settings">Configure security settings</h2>
<div class="level2">
@ -386,7 +388,13 @@ Go in Manager, <code>General parameters</code> » <code>Advanced parameters</cod
</li>
<li class="level1"><div class="li"> <strong>Encryption key</strong>: key used to crypt some data, should not be known by other applications</div>
</li>
<li class="level1"><div class="li"> <strong>Trusted domains</strong>: domains on which the user can be redirected after login on portal. Set &#039;*&#039; to accept all.</div>
<li class="level1"><div class="li"> <strong>Trusted domains</strong>: domains on which the user can be redirected after login on portal.</div>
<ul>
<li class="level2"><div class="li"> Example: <code>myapp.example.com .subdomain.example.com</code></div>
</li>
<li class="level2"><div class="li"> <code>*</code> allows redirections to any external domain (DANGEROUS)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Use Safe jail</strong>: set to &#039;Off&#039; to disable Safe jail. Safe module is used to eval expressions in headers, rules, etc. Disabling it can lead to security issues.</div>
</li>
@ -394,25 +402,32 @@ Go in Manager, <code>General parameters</code> » <code>Advanced parameters</cod
</li>
<li class="level1"><div class="li"> <strong>Brute-Force Attack protection</strong>: set to &#039;On&#039; to enable it. The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds, making it easy for an attacker to beat a password-based authentication system.</div>
</li>
<li class="level1"><div class="li"> <strong>LWP::UserAgent and SSL options</strong>: insert here options to pass to LWP::UserAgent object (used by <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect to query partners). Example: <code>verify_hostname =&gt; 0</code>, <code>SSL_verify_mode =&gt; 0</code></div>
</li>
<li class="level1"><div class="li"> <strong>Content Security Policy</strong>: Portal builds dynamically this header. You can modify default values. Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does). Administrators may have to modify formAction value with wildcard likes *.</div>
</li>
<li class="level1"><div class="li"> <strong>Required token for forms</strong>: To prevent CSRF attack, a token is build for each form. To disable it, set this parameter to &#039;Off&#039; or set a special rule</div>
</li>
<li class="level1"><div class="li"> <strong>Form timeout</strong>: Form token timeout (default to 120 seconds)</div>
</li>
<li class="level1"><div class="li"> <strong>Use global storage</strong>: Local cache is used by default for one time tokens. To use global storage, set it to &#039;On&#039;</div>
</li>
<li class="level1"><div class="li"> <strong>LWP::UserAgent and SSL options</strong>: insert here options to pass to LWP::UserAgent object (used by <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect to query partners). Example: <code>verify_hostname =&gt; 0</code>, <code>SSL_verify_mode =&gt; 0</code></div>
</li>
<li class="level1"><div class="li"> <strong>Content Security Policy</strong>: Portal builds dynamically this header. You can modify default values. Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does). Administrators may have to modify <code>formAction</code> value with wildcard likes *.</div>
</li>
<li class="level1"><div class="li"> <strong>Cross-Origin Resource Sharing</strong>: Portal builds those headers. You can modify default values. Administrators may have to modify <code>Access-Control-Allow-Origin</code> value with &#039; &#039;.</div>
</li>
</ul>
<div class="notewarning">If URLs are protected with AuthBasic handler, you have to disable CSRF token by setting a special rule based on callers <abbr title="Internet Protocol">IP</abbr> address like this :
<div class="noteimportant">If URLs are protected with AuthBasic handler, you have to disable CSRF token by setting a special rule based on callers <abbr title="Internet Protocol">IP</abbr> address like this :
<p>
requireToken =&gt; $env-&gt;{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
</p>
</div><div class="notewarning">Enable global storage for one time tokens will downgrade Portal performance!!!
<p>
Must be use ONLY with outdated or low performance Load Balancer.
</p>
</div>
</div>
<!-- EDIT18 SECTION "Configure security settings" [7536-10113] -->
<!-- EDIT18 SECTION "Configure security settings" [8149-11184] -->
<h2 class="sectionedit19" id="fail2ban">Fail2ban</h2>
<div class="level2">
@ -464,7 +479,7 @@ Restart fail2ban
</p>
</div>
<!-- EDIT19 SECTION "Fail2ban" [10114-11168] -->
<!-- EDIT19 SECTION "Fail2ban" [11185-12239] -->
<h2 class="sectionedit20" id="sessions_identifier">Sessions identifier</h2>
<div class="level2">
@ -477,7 +492,7 @@ We recommend to use : <code>Lemonldap::NG::Common::Apache::Session::Generate::SH
</p>
</div>
<!-- EDIT20 SECTION "Sessions identifier" [11169-11431] -->
<!-- EDIT20 SECTION "Sessions identifier" [12240-12502] -->
<h2 class="sectionedit21" id="saml">SAML</h2>
<div class="level2">
@ -486,6 +501,6 @@ See <a href="samlservice.html#security_parameters" class="wikilink1" title="docu
</p>
</div>
<!-- EDIT21 SECTION "SAML" [11432-] --></div>
<!-- EDIT21 SECTION "SAML" [12503-] --></div>
</body>
</html>


@ -51,7 +51,7 @@
In modern applications, web application may need to request some other web applications on behalf of the authenticated users. There are three ways to do this:
</p>
<ul>
<li class="level1"><div class="li"> the Ugly : provide to all applications the <abbr title="Single Sign On">SSO</abbr> cookie. Not secured because the <abbr title="Single Sign On">SSO</abbr> cookie can be caught and used everywhere, every time by everyone!!! <strong>NOT RECOMMENDED</strong>. </div>
<li class="level1"><div class="li"> the Ugly : provide to all applications <abbr title="Single Sign On">SSO</abbr> cookie. Not secured because <abbr title="Single Sign On">SSO</abbr> cookie can be caught and used everywhere, every time by everyone!!! <strong>NOT RECOMMENDED</strong>. </div>
</li>
<li class="level1"><div class="li"> the Bad (<a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">Secure Token Handler</a>) : <strong>Deprecated</strong>. Can be used in specific cases </div>
</li>
@ -60,11 +60,11 @@ In modern applications, web application may need to request some other web appli
</ul>
<p>
The “Bad” method consists to give the token (cookie value) to webapp1 which uses it as cookie header in its request. Since 2.0 version, <abbr title="LemonLDAP::NG">LL::NG</abbr> gives a better way (the Good !) to do this by using limited scope tokens.
The “Bad” method consists to give the token (cookie value) to WebApp1 which uses it as cookie header in its request. Since 2.0 version, <abbr title="LemonLDAP::NG">LL::NG</abbr> gives a better way (the Good !) to do this by using limited scope tokens.
</p>
<p>
Tokens are time limited (30 seconds) and <abbr title="Uniform Resource Locator">URL</abbr> restricted (three max).
Tokens are time limited (30 seconds by default) and <abbr title="Uniform Resource Locator">URL</abbr> restricted.
</p>
<p>
@ -72,29 +72,37 @@ Tokens are time limited (30 seconds) and <abbr title="Uniform Resource Locator">
</p>
</div>
<!-- EDIT1 SECTION "Handling server webservice calls" [1-902] -->
<!-- EDIT1 SECTION "Handling server webservice calls" [1-893] -->
<h2 class="sectionedit2" id="webapp1_handler_configuration">Webapp1 handler configuration</h2>
<div class="level2">
<p>
Insert a header filled with this value:
Select <strong>Main</strong> handler type to protect WebApp1 and
insert a header named <strong>X-Llng-Token</strong> filled with this value:
</p>
<pre class="code file perl">token<span class="br0">&#40;</span> <span class="re0">$_session_id</span><span class="sy0">,</span> <span class="st_h">'webapp2.example.com'</span><span class="sy0">,</span> <span class="st_h">'webapp3.example.com'</span> <span class="br0">&#41;</span></pre>
<pre class="code file perl">token<span class="br0">&#40;</span> <span class="re0">$_session_id</span><span class="sy0">,</span> <span class="st_h">'webapp2.example.com'</span><span class="sy0">,</span> <span class="st_h">'webapp3.example.com'</span><span class="sy0">,</span> <span class="st_h">'serviceHeader1=webapp1.example.com'</span><span class="sy0">,</span> <span class="st_h">'testHeader=$uid'</span> <span class="br0">&#41;</span></pre>
<p>
Webapp1 can read this header and use it in its requests by setting the <code>X-Llng-Token</code> header. The token is built using the session ID and the authorized virtualhosts list. The token is only available during 30 seconds and for the specified virtualhosts.
WebApp1 can read this header and use it in its requests by setting the <code>X-Llng-Token</code> header. The token is built by using the session ID and authorized virtualhosts list. By default, the Service Token is only available during 30 seconds and for specified virtualhosts. The token can be use to send service headers to webapp2 like origin host by example.
</p>
<p>
You can set ServiceToken default timeout (30 seconds) by editing <code>lemonldap-ng.ini</code> in section [handler]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>handler<span class="br0">&#93;</span></span>
<span class="re1">handlerServiceTokenTTL</span> <span class="sy0">=</span><span class="re2"> 30</span></pre>
<div class="noteclassic">Service token timeout can be set for each virtual hosts.
</div>
<!-- EDIT2 SECTION "Webapp1 handler configuration" [903-1331] -->
</div>
<!-- EDIT2 SECTION "Webapp1 handler configuration" [894-1790] -->
<h2 class="sectionedit3" id="webapp2_handler_configuration">Webapp2 handler configuration</h2>
<div class="level2">
<p>
Change handler type to “ServiceToken”. So it is able to manage both user and server connections. And that&#039;s all !
Change handler type to <strong>ServiceToken</strong>. So it is able to manage both user and server connections. And that&#039;s all !
</p>
</div>
<!-- EDIT3 SECTION "Webapp2 handler configuration" [1332-] --></div>
<!-- EDIT3 SECTION "Webapp2 handler configuration" [1791-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:sqlsessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,sqlsessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="sqlsessionbackend.html"/>
@ -115,7 +115,7 @@ Your database must have a specific table to host sessions. Here are some example
<p>
Create a database if necessary:
</p>
<pre class="code">mysqladmin create lemonldapng</pre>
<pre class="code">mysqladmin create lemonldap-ng</pre>
<p>
Create sessions table:
@ -160,7 +160,7 @@ lemonldap-ng=&gt; q</pre>
<div class="noteimportant">Change <code>char(32)</code> by <code>varchar(64)</code> if you use the now recommended SHA256 hash algorithm. See <a href="documentation/latest/sessions.html" class="wikilink1" title="documentation:latest:sessions">Sessions</a> for more details
</div>
</div>
<!-- EDIT3 SECTION "Prepare the database" [468-2379] -->
<!-- EDIT3 SECTION "Prepare the database" [468-2380] -->
<h3 class="sectionedit4" id="manager">Manager</h3>
<div class="level3">
@ -180,7 +180,7 @@ Go in the Manager and set the session module (for example <a href="https://metac
<td class="col0 centeralign"> <strong>DataSource</strong> </td><td class="col1"> The <a href="https://metacpan.org/pod/DBI" class="urlextern" title="https://metacpan.org/pod/DBI" rel="nofollow">DBI</a> string </td><td class="col2"> dbi:Pg:dbname=sessions;host=10.2.3.1 </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> <strong>UserName</strong> </td><td class="col1"> The database username </td><td class="col2"> lemonldapng </td>
<td class="col0 centeralign"> <strong>UserName</strong> </td><td class="col1"> The database username </td><td class="col2"> lemonldap-ng </td>
</tr>
<tr class="row4 roweven">
<td class="col0 centeralign"> <strong>Password</strong> </td><td class="col1"> The database password </td><td class="col2"> mysuperpassword </td>
@ -192,7 +192,7 @@ Go in the Manager and set the session module (for example <a href="https://metac
<td class="col0 centeralign"> <strong>TableName</strong> </td><td class="col1"> <em>(Optional)</em> Name of the table </td><td class="col2"> sessions </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [2702-3105] -->
<!-- EDIT5 TABLE [2703-3107] -->
<p>
You must read the man page corresponding to your database (<a href="https://metacpan.org/pod/Apache::Session::MySQL" class="urlextern" title="https://metacpan.org/pod/Apache::Session::MySQL" rel="nofollow">Apache::Session::MySQL</a>, ...) to learn more about parameters. You must also install the database connector (<a href="https://metacpan.org/pod/DBD::Oracle" class="urlextern" title="https://metacpan.org/pod/DBD::Oracle" rel="nofollow">https://metacpan.org/pod/DBD::Oracle</a>, <a href="https://metacpan.org/pod/DBD::Pg" class="urlextern" title="https://metacpan.org/pod/DBD::Pg" rel="nofollow">DBD::Pg</a>,...)
</p>
@ -235,9 +235,9 @@ If you may store some non-<abbr title="American Standard Code for Information In
<td class="col0 centeralign"> SQLite </td><td class="col1 centeralign"> sqlite_unicode </td><td class="col2 centeralign"> 1 </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [3895-4058] -->
<!-- EDIT6 TABLE [3897-4060] -->
</div>
<!-- EDIT4 SECTION "Manager" [2380-4059] -->
<!-- EDIT4 SECTION "Manager" [2381-4061] -->
<h2 class="sectionedit7" id="security">Security</h2>
<div class="level2">
@ -250,6 +250,6 @@ You can also use different user/password for your servers by overriding paramete
</p>
</div>
<!-- EDIT7 SECTION "Security" [4060-] --></div>
<!-- EDIT7 SECTION "Security" [4062-] --></div>
</body>
</html>


@ -296,7 +296,7 @@ This configuration handles <code>*.dev.sso.my.domain</code> <abbr title="Uniform
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/home/xavier/dev/lemonldap/e2e-tests/conf/llng-fastcgi.sock;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Force handler type:
fastcgi_param VHOSTTYPE DevOps;
# Drop post datas


@ -581,7 +581,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<div class="table sectionedit15"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0"> Handler type </th><th class="col1 centeralign"> Apache </th><th class="col2 centeralign"> Nginx </th><th class="col3 rightalign"> <a href="https://plackperl.org" class="urlextern" title="https://plackperl.org" rel="nofollow">Plack* servers</a></th><th class="col4 centeralign"> Node.js </th><th class="col5 centeralign"> <a href="selfmadeapplication.html#perl_auto-protected_cgi" class="wikilink1" title="documentation:2.0:selfmadeapplication">Self protected apps</a> </th><th class="col6 centeralign"> Comment </th>
<th class="col0"> Handler type </th><th class="col1 centeralign"> Apache </th><th class="col2 centeralign"> LLNG FastCGI/uWSGI server <em>(Nginx, or <a href="ssoaas.html" class="wikilink1" title="documentation:2.0:ssoaas">SSOaaS</a>)</em> </th><th class="col3 centeralign"> <a href="https://plackperl.org" class="urlextern" title="https://plackperl.org" rel="nofollow">Plack* servers</a> </th><th class="col4 centeralign"> Node.js <em>(<a href="http://expressjs.com/" class="urlextern" title="http://expressjs.com/" rel="nofollow">express apps</a> or <a href="ssoaas.html" class="wikilink1" title="documentation:2.0:ssoaas">SSOaaS</a>)</em> </th><th class="col5 centeralign"> <a href="selfmadeapplication.html#perl_auto-protected_cgi" class="wikilink1" title="documentation:2.0:selfmadeapplication">Self protected apps</a> </th><th class="col6 centeralign"> Comment </th>
</tr>
</thead>
<tr class="row1 rowodd">
@ -612,7 +612,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra PreAuth</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT15 TABLE [8652-10173] --><ul>
<!-- EDIT15 TABLE [8651-10287] --><ul>
<li class="level1"><div class="li"> <em>(1): <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionalities.</em></div>
</li>
<li class="level1"><div class="li"> <em>(2): <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2 Handler</a> is available with LLNG ≥ 2.0.4</em></div>
@ -624,7 +624,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
</p>
</div>
<!-- EDIT14 SECTION "Handlers" [8378-10381] -->
<!-- EDIT14 SECTION "Handlers" [8378-10495] -->
<h3 class="sectionedit16" id="llng_databases">LLNG databases</h3>
<div class="level3">
@ -673,7 +673,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0 centeralign"> <a href="localconfbackend.html" class="wikilink1" title="documentation:2.0:localconfbackend">Local</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 leftalign"> </td><td class="col2 leftalign"> Use only lemonldap-ng.ini parameters. </td>
</tr>
</table></div>
<!-- EDIT17 TABLE [10686-11798] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
<!-- EDIT17 TABLE [10800-11912] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
</div>
<p>
</div></div>
@ -728,13 +728,13 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
<strong>Can be used to secure another backend</strong> for remote servers. </td>
</tr>
</table></div>
<!-- EDIT18 TABLE [12663-14363] -->
<!-- EDIT18 TABLE [12777-14477] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT16 SECTION "LLNG databases" [10382-14391] -->
<!-- EDIT16 SECTION "LLNG databases" [10496-14505] -->
<h2 class="sectionedit19" id="applications_protection">Applications protection</h2>
<div class="level2">
@ -763,7 +763,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT19 SECTION "Applications protection" [14392-14882] -->
<!-- EDIT19 SECTION "Applications protection" [14506-14996] -->
<h3 class="sectionedit20" id="well_known_compatible_applications">Well known compatible applications</h3>
<div class="level3">
<div class="noteclassic">Here is a list of well known applications that are compatible with <abbr title="LemonLDAP::NG">LL::NG</abbr>. A full list is available on <a href="applications.html" class="wikilink1" title="documentation:2.0:applications">vendor applications page</a>.
@ -867,7 +867,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT20 SECTION "Well known compatible applications" [14883-17221] -->
<!-- EDIT20 SECTION "Well known compatible applications" [14997-17335] -->
<h2 class="sectionedit21" id="advanced_features">Advanced features</h2>
<div class="level2">
@ -926,7 +926,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT21 SECTION "Advanced features" [17222-18441] -->
<!-- EDIT21 SECTION "Advanced features" [17336-18555] -->
<h2 class="sectionedit22" id="mini_howtos">Mini howtos</h2>
<div class="level2">
@ -963,7 +963,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT22 SECTION "Mini howtos" [18442-19336] -->
<!-- EDIT22 SECTION "Mini howtos" [18556-19450] -->
<h2 class="sectionedit23" id="exploitation">Exploitation</h2>
<div class="level2">
@ -998,7 +998,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT23 SECTION "Exploitation" [19337-19854] -->
<!-- EDIT23 SECTION "Exploitation" [19451-19968] -->
<h2 class="sectionedit24" id="bug_report">Bug report</h2>
<div class="level2">
@ -1007,7 +1007,7 @@ See <a href="bugreport.html" class="wikilink1" title="bugreport">How to report a
</p>
</div>
<!-- EDIT24 SECTION "Bug report" [19855-19919] -->
<!-- EDIT24 SECTION "Bug report" [19969-20033] -->
<h2 class="sectionedit25" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -1074,6 +1074,6 @@ If you don&#039;t want to publish your translation <em>(<code>XX</code> must be
</ul>
</div>
<!-- EDIT25 SECTION "Developer corner" [19920-] --></div>
<!-- EDIT25 SECTION "Developer corner" [20034-] --></div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/stayconnected?do=login&amp;sectok=f5d398c4fc6f21e5e626ce5d49ffe634" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/stayconnected?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -218,8 +218,18 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
<div class="level3">
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="media" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
<strong>OW2con&#039;14 Community Award</strong>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
@ -262,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Astayconnected&amp;1557671508" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Astayconnected&amp;1561840344" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -97,29 +97,33 @@ Or from CPAN repository :
In the manager (advanced parameters), you just have to enable it:
</p>
<ul>
<li class="level1"><div class="li"> TOTP =&gt; Activation: set it to “on”</div>
<li class="level1"><div class="li"> <strong>Activation</strong>: set it to “on”</div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Self registration: set it to “on” if users are authorized to generate themselves a TOTP secret</div>
<li class="level1"><div class="li"> <strong>Self registration</strong>: set it to “on” if users are authorized to generate themselves a TOTP secret</div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Authentication level: you can overwrite here auth level for TOTP registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only to users enrolled</strong></div>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: you can overwrite here auth level for TOTP registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only to users enrolled</strong></div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Issuer: default to portal hostname</div>
<li class="level1"><div class="li"> <strong>Issuer</strong>: default to portal hostname</div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Interval: interval for TOTP algorithm (default: 30)</div>
<li class="level1"><div class="li"> <strong>Interval</strong>: interval for TOTP algorithm (default: 30)</div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Range: number of additional intervals to test (default: 1)</div>
<li class="level1"><div class="li"> <strong>Range</strong>: number of additional intervals to test (default: 1)</div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Digits: number of digit by codes (default: 6)</div>
<li class="level1"><div class="li"> <strong>Digits</strong>: number of digit by codes (default: 6)</div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Display existing secret: display an already registered secret (default: disabled)</div>
<li class="level1"><div class="li"> <strong>Display existing secret</strong>: display an already registered secret (default: disabled)</div>
</li>
<li class="level1"><div class="li"> TOTP =&gt; Change existing secret: authorize a user to change its previoulsy registered TOTP secret</div>
<li class="level1"><div class="li"> <strong>Change existing secret</strong>: authorize a user to change its previoulsy registered TOTP secret</div>
</li>
<li class="level1"><div class="li"> <strong>Allow users to remove TOTP</strong>: If enabled, users can unregister TOTP.</div>
</li>
<li class="level1"><div class="li"> <strong>Lifetime</strong>: Unlimited by default. Set a Time To Live in seconds. TTL is checked at each login process if set. If TTL is expired, relative TOTP is removed.</div>
</li>
</ul>
<div class="noteimportant">If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule that <code>$_2fDevices =~ /“type”:\s*“TOTP”/s</code> is set, else TOTP will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [944-2274] -->
<!-- EDIT3 SECTION "Configuration" [944-2474] -->
<h2 class="sectionedit4" id="enrollment">Enrollment</h2>
<div class="level2">
@ -128,7 +132,7 @@ If you&#039;ve enabled self registration, users can register their keys by using
</p>
</div>
<!-- EDIT4 SECTION "Enrollment" [2275-2402] -->
<!-- EDIT4 SECTION "Enrollment" [2475-2602] -->
<h2 class="sectionedit5" id="assistance">Assistance</h2>
<div class="level2">
@ -142,7 +146,7 @@ To enable manager Second Factor Administration Module, set <code>enabledModules<
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT5 SECTION "Assistance" [2403-2718] -->
<!-- EDIT5 SECTION "Assistance" [2603-2918] -->
<h2 class="sectionedit6" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -152,6 +156,6 @@ If you have another TOTP registration interface, you have to set these keys in S
<pre class="code file json">[{&quot;name&quot; : &quot;MyTOTP&quot; , &quot;type&quot; : &quot;TOTP&quot; , &quot;_secret&quot; : &quot;########&quot; , &quot;epoch&quot;:&quot;1524078936&quot;}, ...]</pre>
</div>
<!-- EDIT6 SECTION "Developer corner" [2719-] --></div>
<!-- EDIT6 SECTION "Developer corner" [2919-] --></div>
</body>
</html>


@ -91,17 +91,21 @@ This feature uses <a href="https://metacpan.org/pod/Crypt::U2F::Server::Simple"
In the manager (second factors), you just have to enable it:
</p>
<ul>
<li class="level1"><div class="li"> U2F =&gt; Activation: set it to “on”</div>
<li class="level1"><div class="li"> <strong>Activation</strong>: set it to “on”</div>
</li>
<li class="level1"><div class="li"> U2F =&gt; Self registration: set it to “on” if users are authorized to register their keys</div>
<li class="level1"><div class="li"> <strong>Self registration</strong>: set it to “on” if users are authorized to register their keys</div>
</li>
<li class="level1"><div class="li"> U2F =&gt; Authentication level: you can overwrite here auth level for U2F registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only for enrolled users</strong></div>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: you can overwrite here auth level for U2F registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only for enrolled users</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Allow users to remove U2F key</strong>: If enabled, users can unregister enrolled U2F device.</div>
</li>
<li class="level1"><div class="li"> <strong>Lifetime</strong>: Unlimited by default. Set a Time To Live in seconds. TTL is checked at each login process if set. If TTL is expired, relative 2F device is removed.</div>
</li>
</ul>
<div class="noteimportant">If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: <code>$_2fDevices =~ /“type”:\s*“U2F”/s</code>, else U2F will be required even if users are not registered. This is automatically done when “activation” is set to “on”.
<div class="noteimportant">If you want to use a custom rule for “activation” and enable self-registration, you have to include this in your rule: <code>$_2fDevices =~ /“type”:\s*“U2F”/s</code>, else U2F will be required even if users are not registered. This is automatically done when “activation” is set to “on”.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [892-1745] -->
<!-- EDIT3 SECTION "Configuration" [892-1992] -->
<h2 class="sectionedit4" id="browser_compatibility">Browser compatibility</h2>
<div class="level2">
<ul>
@ -122,7 +126,7 @@ In the manager (second factors), you just have to enable it:
</ul>
</div>
<!-- EDIT4 SECTION "Browser compatibility" [1746-2186] -->
<!-- EDIT4 SECTION "Browser compatibility" [1993-2433] -->
<h2 class="sectionedit5" id="enrollment">Enrollment</h2>
<div class="level2">
@ -131,7 +135,7 @@ If you have enabled self registration, users can register their U2F keys using <
</p>
</div>
<!-- EDIT5 SECTION "Enrollment" [2187-2317] -->
<!-- EDIT5 SECTION "Enrollment" [2434-2564] -->
<h2 class="sectionedit6" id="assistance">Assistance</h2>
<div class="level2">
@ -142,7 +146,7 @@ If a user loses its key, you can delete it from the manager Second Factor module
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT6 SECTION "Assistance" [2318-2625] -->
<!-- EDIT6 SECTION "Assistance" [2565-2872] -->
<h2 class="sectionedit7" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -157,6 +161,6 @@ Note that both “origin” and “appId” are fixed to portal <abbr title="Uni
</p>
</div>
<!-- EDIT7 SECTION "Developer corner" [2626-] --></div>
<!-- EDIT7 SECTION "Developer corner" [2873-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:upgrade</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,upgrade"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="upgrade.html"/>
@ -49,6 +49,7 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#rpm_users">RPM users</a></div></li>
<li class="level1"><div class="li"><a href="#upgrade_order_from_19">Upgrade order from 1.9.*</a></div></li>
<li class="level1"><div class="li"><a href="#installation">Installation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
@ -76,15 +77,48 @@
</div>
</div>
<!-- TOC END -->
<div class="notetip"><strong>Upgrade from 2.0.x to 2.0.x</strong> : nothing to do !
<h1 class="sectionedit1" id="upgrade_from_20x_to_20y">Upgrade from 2.0.x to 2.0.y</h1>
<div class="level1">
<p>
Update from one minor version to another does not require any particular action except:
</p>
<ul>
<li class="level1"><div class="li"> The Text::Unidecode perl module becomes a requirement after version 2.0.5 <em>(it will be automatically installed if you upgrade from from the deb or RPM repositories)</em></div>
</li>
<li class="level1"><div class="li"> Since 2.0.5, <abbr title="Central Authentication Service">CAS</abbr> logout starts validating the service= parameter, but only if you use the <abbr title="Central Authentication Service">CAS</abbr> Access control policy. The <abbr title="Uniform Resource Locator">URL</abbr> sent in the service= parameter will be checked against <a href="idpcas.html#configuring_cas_applications" class="wikilink1" title="documentation:2.0:idpcas">known CAS applications</a>, Virtual Hosts, and <a href="security.html#configure_security_settings" class="wikilink1" title="documentation:2.0:security">trusted domains</a>. Add your target domain to trusted domains if you suddenly start having “Invalid <abbr title="Uniform Resource Locator">URL</abbr>” messages on logout</div>
</li>
<li class="level1"><div class="li"> 2.0.5 adds some improvements in cryptographic functions. To take advantage of them, <strong>you must change the encryption key</strong> of LemonLDAP::NG (see <a href="cli_examples.html#encryption_key" class="wikilink1" title="documentation:2.0:cli_examples">CLI example</a>).</div>
</li>
</ul>
<p>
Please apply general caution as you would with any software: have backups and a rollback plan ready!
</p>
<p>
Do not forget to read the release notes of the version you are about to install for any specific instructions.
</p>
</div>
<h1 class="sectionedit1" id="upgrade_from_19_to_20">Upgrade from 1.9 to 2.0</h1>
<!-- EDIT1 SECTION "Upgrade from 2.0.x to 2.0.y" [1-1143] -->
<h2 class="sectionedit2" id="rpm_users">RPM users</h2>
<div class="level2">
<p>
If you have <a href="installrpm.html" class="wikilink1" title="documentation:2.0:installrpm">installed LemonLDAP::NG from official RPMs</a>, you may run into bug <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1757" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1757" rel="nofollow">#1757</a> and lose your Apache configuration files while updating from LemonLDAP::NG 2.0.0 or 2.0.1 to later versions. Please backup your <code>/etc/httpd/conf.d/z-lemonldap-ng-*.conf</code> files before the update.
</p>
</div>
<!-- EDIT2 SECTION "RPM users" [1144-1527] -->
<h1 class="sectionedit3" id="upgrade_from_19_to_20">Upgrade from 1.9 to 2.0</h1>
<div class="level1">
<div class="noteimportant">2.0 is a major release, lot of things have been changed. You must read this document before upgrade.
</div>
</div>
<!-- EDIT1 SECTION "Upgrade from 1.9 to 2.0" [69-232] -->
<h2 class="sectionedit2" id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<!-- EDIT3 SECTION "Upgrade from 1.9 to 2.0" [1528-1691] -->
<h2 class="sectionedit4" id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<div class="level2">
<p>
@ -101,8 +135,8 @@ As usual, if you use more than 1 server and don&#039;t want to stop <abbr title=
<div class="noteimportant">You must revalidate your configuration using the manager.
</div>
</div>
<!-- EDIT2 SECTION "Upgrade order from 1.9.*" [233-707] -->
<h2 class="sectionedit3" id="installation">Installation</h2>
<!-- EDIT4 SECTION "Upgrade order from 1.9.*" [1692-2166] -->
<h2 class="sectionedit5" id="installation">Installation</h2>
<div class="level2">
<div class="noteimportant">French documentation is no more available. Only English version of this documentation is maintained now.
</div>
@ -125,8 +159,8 @@ For <abbr title="Security Assertion Markup Language">SAML</abbr> features, we re
</p>
</div>
<!-- EDIT3 SECTION "Installation" [708-1093] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<!-- EDIT5 SECTION "Installation" [2167-2552] -->
<h2 class="sectionedit6" id="configuration">Configuration</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>lemonldap-ng.ini</strong> requires some new fields in portal section. Update yours using the one given installed by default. New requires fields are:</div>
@ -163,8 +197,8 @@ For <abbr title="Security Assertion Markup Language">SAML</abbr> features, we re
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [1094-2921] -->
<h3 class="sectionedit5" id="configuration_refresh">Configuration refresh</h3>
<!-- EDIT6 SECTION "Configuration" [2553-4380] -->
<h3 class="sectionedit7" id="configuration_refresh">Configuration refresh</h3>
<div class="level3">
<p>
@ -173,8 +207,8 @@ Now portal has the same behavior than handlers: it looks to configuration stored
<div class="noteimportant">If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code> for example
</div>
</div>
<!-- EDIT5 SECTION "Configuration refresh" [2922-3343] -->
<h2 class="sectionedit6" id="ldap_connection">LDAP connection</h2>
<!-- EDIT7 SECTION "Configuration refresh" [4381-4802] -->
<h2 class="sectionedit8" id="ldap_connection">LDAP connection</h2>
<div class="level2">
<p>
@ -182,8 +216,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</p>
</div>
<!-- EDIT6 SECTION "LDAP connection" [3344-3527] -->
<h2 class="sectionedit7" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<!-- EDIT8 SECTION "LDAP connection" [4803-4986] -->
<h2 class="sectionedit9" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> A new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added since 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display,…)</em>. However, you can retain the old integration manner <em>(using <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
@ -193,8 +227,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</ul>
</div>
<!-- EDIT7 SECTION "Kerberos or SSL usage" [3528-4036] -->
<h2 class="sectionedit8" id="logs">Logs</h2>
<!-- EDIT9 SECTION "Kerberos or SSL usage" [4987-5495] -->
<h2 class="sectionedit10" id="logs">Logs</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>Syslog</strong>: logs are now configured in <code>lemonldap-ng.ini</code> file only. If you use Syslog, you must reconfigure it. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
@ -206,8 +240,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</ul>
</div>
<!-- EDIT8 SECTION "Logs" [4037-4618] -->
<h2 class="sectionedit9" id="security">Security</h2>
<!-- EDIT10 SECTION "Logs" [5496-6077] -->
<h2 class="sectionedit11" id="security">Security</h2>
<div class="level2">
<p>
@ -221,8 +255,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT9 SECTION "Security" [4619-5186] -->
<h2 class="sectionedit10" id="handlers">Handlers</h2>
<!-- EDIT11 SECTION "Security" [6078-6645] -->
<h2 class="sectionedit12" id="handlers">Handlers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>Apache only</strong>:</div>
@ -240,8 +274,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT10 SECTION "Handlers" [5187-6272] -->
<h2 class="sectionedit11" id="rules_and_headers">Rules and headers</h2>
<!-- EDIT12 SECTION "Handlers" [6646-7731] -->
<h2 class="sectionedit13" id="rules_and_headers">Rules and headers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> hostname() and remote_ip() are no more provided to avoid some name conflicts <em>(replaced by $ENV{})</em></div>
@ -253,8 +287,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT11 SECTION "Rules and headers" [6273-6591] -->
<h2 class="sectionedit12" id="supported_servers">Supported servers</h2>
<!-- EDIT13 SECTION "Rules and headers" [7732-8050] -->
<h2 class="sectionedit14" id="supported_servers">Supported servers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Apache-1.3 files are not provided now. You can build them yourself by looking at Apache-2 configuration files</div>
@ -262,8 +296,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT12 SECTION "Supported servers" [6592-6737] -->
<h2 class="sectionedit13" id="ajax_requests">Ajax requests</h2>
<!-- EDIT14 SECTION "Supported servers" [8051-8196] -->
<h2 class="sectionedit15" id="ajax_requests">Ajax requests</h2>
<div class="level2">
<p>
@ -271,8 +305,8 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
</p>
</div>
<!-- EDIT13 SECTION "Ajax requests" [6738-6935] -->
<h2 class="sectionedit14" id="soaprest_services">SOAP/REST services</h2>
<!-- EDIT15 SECTION "Ajax requests" [8197-8394] -->
<h2 class="sectionedit16" id="soaprest_services">SOAP/REST services</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> SOAP server activation is now split in 2 parameters (configuration/sessions). You must set them else SOAP service will be disabled</div>
@ -287,8 +321,8 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
<div class="noteimportant"><a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> uses now REST services instead of SOAP.
</div>
</div>
<!-- EDIT14 SECTION "SOAP/REST services" [6936-7533] -->
<h2 class="sectionedit15" id="cas">CAS</h2>
<!-- EDIT16 SECTION "SOAP/REST services" [8395-8992] -->
<h2 class="sectionedit17" id="cas">CAS</h2>
<div class="level2">
<p>
@ -300,13 +334,13 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
</p>
</div>
<!-- EDIT15 SECTION "CAS" [7534-7911] -->
<h2 class="sectionedit16" id="developer_corner">Developer corner</h2>
<!-- EDIT17 SECTION "CAS" [8993-9370] -->
<h2 class="sectionedit18" id="developer_corner">Developer corner</h2>
<div class="level2">
</div>
<!-- EDIT16 SECTION "Developer corner" [7912-7941] -->
<h3 class="sectionedit17" id="apis">APIs</h3>
<!-- EDIT18 SECTION "Developer corner" [9371-9400] -->
<h3 class="sectionedit19" id="apis">APIs</h3>
<div class="level3">
<p>
@ -314,8 +348,8 @@ Portal has now many REST features and includes an <abbr title="Application Progr
</p>
</div>
<!-- EDIT17 SECTION "APIs" [7942-8103] -->
<h3 class="sectionedit18" id="portal_overview">Portal overview</h3>
<!-- EDIT19 SECTION "APIs" [9401-9562] -->
<h3 class="sectionedit20" id="portal_overview">Portal overview</h3>
<div class="level3">
<p>
@ -336,8 +370,8 @@ Requests are independent objects based on Lemonldap::NG::Portal::Main::Request w
</p>
</div>
<!-- EDIT18 SECTION "Portal overview" [8104-8579] -->
<h3 class="sectionedit19" id="handler">Handler</h3>
<!-- EDIT20 SECTION "Portal overview" [9563-10038] -->
<h3 class="sectionedit21" id="handler">Handler</h3>
<div class="level3">
<p>
@ -349,6 +383,6 @@ If you used self protected CGI, you also need to rewrite them, see <a href="self
</p>
</div>
<!-- EDIT19 SECTION "Handler" [8580-] --></div>
<!-- EDIT21 SECTION "Handler" [10039-] --></div>
</body>
</html>


@ -64,16 +64,16 @@ Difference between enabled both U2F and TOTP is that only one page is displayed
In the manager (second factors), you just have to enable it:
</p>
<ul>
<li class="level1"><div class="li"> Activation: set it to “on”. Note that you should not enable <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F</a> and <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> separately <em>(except for self-registration: see below)</em></div>
<li class="level1"><div class="li"> <strong>Activation</strong>: set it to “on”. Note that you should not enable <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F</a> and <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> separately <em>(except for self-registration: see below)</em></div>
</li>
<li class="level1"><div class="li"> Authentication level: you can overwrite here auth level for registered users. Leave it blank keeps auth level provided by first authentication module (By default: 2 for user/password based modules). It is recommended to set an higher value here if you want to give access to apps just for enrolled users.</div>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: you can overwrite here auth level for registered users. Leave it blank keeps auth level provided by first authentication module (By default: 2 for user/password based modules). It is recommended to set an higher value here if you want to give access to apps just for enrolled users.</div>
</li>
</ul>
<div class="notetip">Every other parameters of <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F</a> and <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> can be set in the corresponding 2F modules except that you should not enable them.
</div><div class="noteimportant">If you want to give a different level for U2F or TOTP, leave this parameter blank and set U2F and TOTP “authentication level” in corresponding modules.
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [351-1236] -->
<!-- EDIT2 SECTION "Configuration" [351-1244] -->
<h3 class="sectionedit3" id="self-registration">Self-registration</h3>
<div class="level3">
@ -92,6 +92,6 @@ Automatically, U2F registration will be hidden for unregistered TOTP users and d
</p>
</div>
<!-- EDIT3 SECTION "Self-registration" [1237-] --></div>
<!-- EDIT3 SECTION "Self-registration" [1245-] --></div>
</body>
</html>


@ -87,27 +87,31 @@ You have to retrieve a client ID and a secret key from Yubico. See <a href="http
In the manager (second factors), you just have to enable it:
</p>
<ul>
<li class="level1"><div class="li"> Activation: set it to “on”</div>
<li class="level1"><div class="li"> <strong>Activation</strong>: set it to “on”</div>
</li>
<li class="level1"><div class="li"> Self registration: set it to “on” if users are authorized to register their keys</div>
<li class="level1"><div class="li"> <strong>Self registration</strong>: set it to “on” if users are authorized to register their keys</div>
</li>
<li class="level1"><div class="li"> Authentication level: you can overwrite here auth level for Yubikey registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only to enrolled users</strong></div>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: you can overwrite here auth level for Yubikey registered users. Leave it blank keeps auth level provided by first authentication module <em>(default: 2 for user/password based modules)</em>. <strong>It is recommended to set an higher value here if you want to give access to some apps only to enrolled users</strong></div>
</li>
<li class="level1"><div class="li"> Client ID: given by Yubico or another service</div>
<li class="level1"><div class="li"> <strong>Client ID</strong>: given by Yubico or another service</div>
</li>
<li class="level1"><div class="li"> <abbr title="Application Programming Interface">API</abbr> secret key: given by Yubico or another service</div>
<li class="level1"><div class="li"> <strong><abbr title="Application Programming Interface">API</abbr> secret key</strong>: given by Yubico or another service</div>
</li>
<li class="level1"><div class="li"> Nonce (optional): if any</div>
<li class="level1"><div class="li"> <strong>Nonce (optional)</strong>: if any</div>
</li>
<li class="level1"><div class="li"> <abbr title="Uniform Resource Locator">URL</abbr>: Url of service (leave blank to use Yubico cloud services)</div>
<li class="level1"><div class="li"> <strong><abbr title="Uniform Resource Locator">URL</abbr></strong>: Url of service (leave blank to use Yubico cloud services)</div>
</li>
<li class="level1"><div class="li"> OTP public ID part size: leave it to default (12) unless you know what you are doing</div>
<li class="level1"><div class="li"> <strong>OTP public ID part size</strong>: leave it to default (12) unless you know what you are doing</div>
</li>
<li class="level1"><div class="li"> <strong>Allow users to remove Yubikey</strong>: If enabled, users can unregister Yubikey device.</div>
</li>
<li class="level1"><div class="li"> <strong>Lifetime</strong>: Unlimited by default. Set a Time To Live in seconds. TTL is checked at each login process if set. If TTL is expired, relative Yubikey is removed.</div>
</li>
</ul>
<div class="noteimportant">If you want to use a custom rule for “activation” and want to keep self-registration, you must include this in your rule: <code>$_2fDevices =~ /“type”:\s*“UBK”/s</code>, else Yubikey will be required even if users are not registered. This is automatically done when “activation” is simply set to “on”.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [495-1631] -->
<!-- EDIT3 SECTION "Configuration" [495-1915] -->
<h2 class="sectionedit4" id="provisioning">Provisioning</h2>
<div class="level2">
@ -117,7 +121,7 @@ If you don&#039;t want to use self-registration, set public part of user&#039;s
<pre class="code file json">[{&quot;name&quot; : &quot;MyYubikey&quot; , &quot;type&quot; : &quot;UBK&quot; , &quot;_secret&quot; : &quot;########&quot; , &quot;epoch&quot;:&quot;1524078936&quot;}, ...]</pre>
</div>
<!-- EDIT4 SECTION "Provisioning" [1632-1999] -->
<!-- EDIT4 SECTION "Provisioning" [1916-2283] -->
<h2 class="sectionedit5" id="enrollment">Enrollment</h2>
<div class="level2">
@ -126,6 +130,6 @@ If you have enabled self registration, users can register their U2F keys using <
</p>
</div>
<!-- EDIT5 SECTION "Enrollment" [2000-] --></div>
<!-- EDIT5 SECTION "Enrollment" [2284-] --></div>
</body>
</html>


@ -288,7 +288,7 @@ sub run {
'2fchoice',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
TOKEN => $token,
MODULES => [ map { { CODE => $_->prefix, LOGO => $_->logo } } @am ],
CHECKLOGINS => $checkLogins
@ -443,7 +443,7 @@ sub _displayRegister {
'2fregisters',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
MODULES => \@am,
SFDEVICES => $_2fDevices,
ACTION => $action,


@ -80,7 +80,7 @@ sub run {
'ext2fcheck',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
TOKEN => $token,
CHECKLOGINS => $checkLogins
}


@ -86,6 +86,7 @@ sub run {
# Use HTML template
$body = $self->loadTemplate(
$req,
'mail_2fcode',
filter => $tr,
params => \%tplPrms
@ -109,7 +110,7 @@ sub run {
'ext2fcheck',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
TOKEN => $token,
TARGET => '/' . $self->prefix . '2fcheck',
CHECKLOGINS => $checkLogins


@ -90,7 +90,7 @@ sub run {
'ext2fcheck',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
TOKEN => $token,
TARGET => '/rest2fcheck',
CHECKLOGINS => $checkLogins


@ -55,7 +55,7 @@ sub run {
'totp2fcheck',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
TOKEN => $token,
CHECKLOGINS => $checkLogins
}


@ -96,7 +96,7 @@ sub run {
'u2fcheck',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
DATA => $data,
TOKEN => $token,
CHECKLOGINS => $checkLogins
@ -186,7 +186,7 @@ sub fail {
MAIN_LOGO => $self->conf->{portalMainLogo},
AUTH_ERROR => $req->error,
AUTH_ERROR_TYPE => $req->error_type,
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
FAILED => 1
}
)


@ -65,7 +65,7 @@ sub run {
my %tplPrms = (
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
TOKEN => $token,
CHECKLOGINS => $checkLogins
);


@ -106,7 +106,7 @@ sub run {
'ext2fcheck',
params => {
MAIN_LOGO => $self->conf->{portalMainLogo},
SKIN => $self->conf->{portalSkin},
SKIN => $self->p->getSkin($req),
TOKEN => $token,
TARGET => '/yubikey2fcheck',
INPUTLOGO => 'yubikey.png',


@ -114,6 +114,7 @@ sub authenticate {
my $remainingTime = $_pwdExpire - $timestamp;
$req->info(
$self->loadTemplate(
$req,
'pwdWillExpire',
params => {
time => join(


@ -308,7 +308,8 @@ sub run {
$req->info(
$self->loadTemplate(
'casBack2Url', params => { url => $logout_url }
$req, 'casBack2Url',
params => { url => $logout_url }
)
);
$req->data->{activeTimer} = 0;


@ -231,6 +231,7 @@ sub _openIDResponse {
# TODO
$req->info(
$self->loadTemplate(
$req,
'simpleInfo',
params => { trspan => "openidExchange,$data->{trust_root}" }
)


@ -556,6 +556,7 @@ sub run {
}
$req->info(
$self->loadTemplate(
$req,
'oidcGiveConsent',
params => {
displayName => $display_name,
@ -947,7 +948,7 @@ sub run {
: PE_OK;
}
$req->info( $self->loadTemplate('oidcLogout') );
$req->info( $self->loadTemplate( $req, 'oidcLogout' ) );
$req->data->{activeTimer} = 0;
return PE_CONFIRM;
}


@ -917,8 +917,10 @@ sub run {
. ' width="0" height="0" frameborder="0"></iframe>';
$req->info(
$self->loadTemplate( 'simpleInfo',
params => { trspan => 'updateCdc' } )
$self->loadTemplate(
$req, 'simpleInfo',
params => { trspan => 'updateCdc' }
)
. $cdc_iframe
);
}


@ -209,6 +209,7 @@ sub userBind {
if ( $resp->grace_authentications_remaining ) {
$req->info(
$self->{portal}->loadTemplate(
$req,
'ldapPpGrace',
params => {
number => $resp->grace_authentications_remaining
@ -220,6 +221,7 @@ sub userBind {
if ( $resp->time_before_expiration ) {
$req->info(
$self->{portal}->loadTemplate(
$req,
'simpleInfo',
params => {
trspan => 'authRemaining,'


@ -62,7 +62,7 @@ sub checkForNotifications {
# Go to next file if no notification found
next unless $j;
$i++;
$form .= $self->toForm(@res);
$form .= $self->toForm( $req, @res );
}
# Stop here if nothing to display
@ -192,7 +192,7 @@ sub getNotifBack {
}
sub toForm {
my ( $self, @notifs ) = @_;
my ( $self, $req, @notifs ) = @_;
my $i = 0;
@notifs = map {
$i++;
@ -205,7 +205,7 @@ sub toForm {
$_->{id} = "1x$i";
$_;
} @notifs;
return $self->loadTemplate( 'notifinclude',
return $self->loadTemplate( $req, 'notifinclude',
params => { notifications => \@notifs } );
}


@ -73,6 +73,7 @@ sub sregHook {
}
}
$req->data->{_openIdTrustExtMsg} .= $self->loadTemplate(
$req,
'openIdPol',
params => {
policies => \@pol,
@ -96,7 +97,8 @@ sub sregHook {
$req->info(
$self->loadTemplate(
'simpleInfo', params => { trspan => "openidRpns,$k" }
$req, 'simpleInfo',
params => { trspan => "openidRpns,$k" }
)
);
return ( 0, {} );
@ -198,6 +200,7 @@ sub sregHook {
}
$req->data->{_openIdTrustExtMsg} .= $self->loadTemplate(
$req,
'openIdTrust',
params => {
required => \@mreq,


@ -2547,6 +2547,7 @@ sub sendLogoutRequestToProvider {
# Create iFrame
$info .= $self->loadTemplate(
$req,
'samlSpLogout',
params => {
url => $slo_url,
@ -2582,6 +2583,7 @@ sub sendLogoutRequestToProvider {
# Create iFrame
$info .= $self->loadTemplate(
$req,
'samlSpLogout',
params => {
url => $slo_url,
@ -2620,6 +2622,7 @@ sub sendLogoutRequestToProvider {
# Display information to the user
$info .= $self->loadTemplate(
$req,
'samlSpSoapLogout',
params => {
imgUrl => $slo_url,
@ -2718,7 +2721,7 @@ sub sendLogoutRequestToProviders {
# Print some information to the user.
$req->info(
$self->loadTemplate(
'samlSpsLogout', params => { content => $content }
$req, 'samlSpsLogout', params => { content => $content }
)
) if $providersCount;


@ -432,12 +432,13 @@ sub getSkin {
# @param $displaError To display "Error" column
# @return HTML string
sub mkSessionArray {
my ( $self, $sessions, $title, $displayUser, $displayError ) = @_;
my ( $self, $req, $sessions, $title, $displayUser, $displayError ) = @_;
return "" unless ( ref $sessions eq "ARRAY" and @$sessions );
my @fields = sort keys %{ $self->conf->{sessionDataToRemember} };
return $self->loadTemplate(
$req,
'sessionArray',
params => {
title => $title,
@ -465,7 +466,7 @@ sub mkSessionArray {
}
sub mkOidcConsent {
my ( $self, $session ) = @_;
my ( $self, $req, $session ) = @_;
if ( defined( $self->conf->{oidcRPMetaDataOptions} )
and ref( $self->conf->{oidcRPMetaDataOptions} ) )
@ -508,6 +509,7 @@ sub mkOidcConsent {
# Display existing oidcConsents
return $self->loadTemplate(
$req,
'oidcConsents',
params => {
partners => [


@ -147,7 +147,7 @@ sub displayModules {
}
elsif ( $module->[0] eq 'LoginHistory' ) {
$moduleHash->{'SUCCESS_LOGIN'} =
$self->p->mkSessionArray(
$self->p->mkSessionArray($req,
$req->{userData}->{_loginHistory}->{successLogin},
"", 0, 0 );
$moduleHash->{'FAILED_LOGIN'} =
@ -157,7 +157,7 @@ sub displayModules {
}
elsif ( $module->[0] eq 'OidcConsents' ) {
$moduleHash->{'OIDC_CONSENTS'} =
$self->p->mkOidcConsent( $req->userData );
$self->p->mkOidcConsent( $req, $req->userData );
}
push @$displayModules, $moduleHash;
}


@ -69,11 +69,7 @@ sub loadTemplate {
sub displayTemplate {
my ( $self, $req, $template, $params ) = @_;
$self->logger->debug("Return $template template");
$req->info(
$self->loadTemplate(
$template, params => $params
)
);
$req->info( $self->loadTemplate( $req, $template, params => $params ) );
return PE_INFO;
}
@ -95,8 +91,7 @@ sub createNotification {
$content =~ s/_title_/$title/;
$content =~ s/_msg_/$msg/;
if ( $notifEngine->module->notifObject->newNotification($content) )
{
if ( $notifEngine->module->notifObject->newNotification($content) ) {
$self->logger->debug("Notification $ref successfully created");
$self->userLogger->notice(
"Notification $ref / $date successfully created for $uid");


@ -160,7 +160,7 @@ sub authLogout {
sub deleteSession {
my ( $self, $req ) = @_;
if ( my $id = $req->id || $req->userData->{_session_id} ) {
my $apacheSession = $self->getApacheSession( $id );
my $apacheSession = $self->getApacheSession($id);
unless ($apacheSession) {
$self->logger->debug("Session $id already deleted");
return PE_OK;
@ -183,7 +183,8 @@ sub deleteSession {
$req->info(
$self->loadTemplate(
'simpleInfo', params => { trspan => 'logoutFromOtherApp' }
$req, 'simpleInfo',
params => { trspan => 'logoutFromOtherApp' }
)
);


@ -176,6 +176,7 @@ sub refresh {
if ($res) {
$req->info(
$self->loadTemplate(
$req,
'simpleInfo', params => { trspan => 'rightsReloadNeedsLogout' }
)
);
@ -1026,12 +1027,12 @@ sub _sumUpSession {
# Temlate loader
sub loadTemplate {
my ( $self, $name, %prm ) = @_;
my ( $self, $req, $name, %prm ) = @_;
$name .= '.tpl';
my $tpl = HTML::Template->new(
filename => $name,
path => [
$self->conf->{templateDir} . '/' . $self->conf->{portalSkin},
$self->conf->{templateDir} . '/' . $self->getSkin($req),
$self->conf->{templateDir} . '/bootstrap/',
$self->conf->{templateDir} . '/common/'
],
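Review bot: The new template search path `$self->conf->{templateDir} . '/' . $self->getSkin($req)` makes the directory that templates are read from depend on the request, and getSkin's body is outside this hunk, so it is not visible here whether its result can be influenced by request data; if it can, the value should be constrained to a known installed skin name (no path separators or `..`) before it becomes a directory component, otherwise an unexpected skin value would widen where `HTML::Template` looks for files. The new signature `my ( $self, $req, $name, %prm ) = @_;` is also unguarded: a caller still using the old argument order would have the template name land in `$req` and fail inside getSkin rather than at the call site, so a guard such as `die 'loadTemplate: request object expected' unless ref $req;` would surface stale callers immediately. The header comment `# Temlate loader` could be corrected and extended to state that `$req` is now the first argument and selects the skin. loadTemplate's body continues outside the hunk.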


@ -73,7 +73,7 @@ sub run {
$self->logger->debug("Transformed message -> $msg");
$req->info(
$self->loadTemplate(
'simpleInfo', params => { trspan => $msg }
$req, 'simpleInfo', params => { trspan => $msg }
)
);
$self->userLogger->error( 'User '


@ -23,7 +23,7 @@ sub run {
$self->logger->debug('History asked');
$req->info( (
$req->sessionInfo->{_loginHistory}->{successLogin}
? $self->p->mkSessionArray(
? $self->p->mkSessionArray( $req,
$req->sessionInfo->{_loginHistory}->{successLogin},
'lastLogins', 0, 0 )
: ""
@ -31,14 +31,14 @@ sub run {
. ("<hr>")
. (
$req->sessionInfo->{_loginHistory}->{failedLogin}
? $self->p->mkSessionArray(
? $self->p->mkSessionArray( $req,
$req->sessionInfo->{_loginHistory}->{failedLogin},
'lastFailedLogins', 0, 1 )
: ""
)
);
unless ( $req->info ) {
$req->info( $self->loadTemplate('noHistory') );
$req->info( $self->loadTemplate( $req, 'noHistory' ) );
}
return PE_INFO;
}


@ -335,6 +335,7 @@ sub _reset {
# Use HTML template
$body = $self->loadTemplate(
$req,
'mail_confirm',
filter => $tr,
params => \%tplPrms
@ -473,6 +474,7 @@ sub changePwd {
# Use HTML template
$body = $self->loadTemplate(
$req,
'mail_password',
filter => $tr,
params => \%tplPrms


@ -310,6 +310,7 @@ sub _register {
# Use HTML template
$body = $self->loadTemplate(
$req,
'mail_register_confirm',
filter => $tr,
params => \%tplPrms
@ -369,6 +370,7 @@ sub _register {
# Use HTML template
$body = $self->loadTemplate(
$req,
'mail_register_done',
filter => $tr,
params => \%tplPrms


@ -69,10 +69,12 @@ sub run {
}
}
}
$req->info( $self->p->mkSessionArray( $deleted, 'sessionsDeleted', 1 ) )
$req->info(
$self->p->mkSessionArray( $req, $deleted, 'sessionsDeleted', 1 ) )
if ( $self->conf->{notifyDeleted} and @$deleted );
$req->info( $self->p->mkSessionArray( $otherSessions, 'otherSessions', 1 )
. $self->_mkRemoveOtherLink() )
$req->info(
$self->p->mkSessionArray( $req, $otherSessions, 'otherSessions', 1 )
. $self->_mkRemoveOtherLink($req) )
if ( $self->conf->{notifyOther} and @$otherSessions );
PE_OK;
@ -82,10 +84,11 @@ sub run {
# Last part of URL is built trough javascript
# @return removeOther link in HTML code
sub _mkRemoveOtherLink {
my $self = shift;
my ( $self, $req ) = @_;
# TODO: remove this
return $self->loadTemplate(
$req,
'removeOther',
params => {
link => $self->conf->{portal} . "?removeOther=1"


@ -19,5 +19,6 @@ tryssl = () ->
error: () ->
$('#lform').submit()
console.log 'Error'
false
$(document).ready ->
$('.sslclick').on 'click', tryssl
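Review bot: With `false` added as the last expression, `tryssl` now returns false from the click handler, so the default submission is suppressed and the form is only submitted from the `$.ajax` callbacks; a JSONP request to `sslHost` that never completes therefore leaves the user stuck on the button. jQuery does not invoke the `error` handler for cross-domain JSONP requests unless the request times out, so adding `timeout: <placeholder-ms>` to the `$.ajax` options (above this hunk) would guarantee that one of the three submit paths always runs. The same applies to the `#lformSSL` variant in the next file section; the generated and minified JavaScript files in the later sections would then need regenerating from the CoffeeScript. `tryssl` starts outside the hunk.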


@ -19,5 +19,6 @@ tryssl = () ->
error: () ->
$('#lformSSL').submit()
console.log 'Error'
false
$(document).ready ->
$('.sslclick').on 'click', tryssl


@ -1,10 +1,10 @@
// Generated by CoffeeScript 1.12.8
// Generated by CoffeeScript 1.10.0
(function() {
var tryssl;
tryssl = function() {
console.log('Call URL -> ', window.datas.sslHost);
return $.ajax(window.datas.sslHost, {
$.ajax(window.datas.sslHost, {
dataType: 'jsonp',
statusCode: {
401: function() {
@ -21,6 +21,7 @@
return console.log('Error');
}
});
return false;
};
$(document).ready(function() {


@ -1 +1 @@
(function(){var tryssl;tryssl=function(){console.log("Call URL -> ",window.datas.sslHost);return $.ajax(window.datas.sslHost,{dataType:"jsonp",statusCode:{401:function(){$("#lform").submit();return console.log("Error code 401")}},success:function(data){$("#lform").submit();return console.log("Success -> ",data)},error:function(){$("#lform").submit();return console.log("Error")}})};$(document).ready(function(){return $(".sslclick").on("click",tryssl)})}).call(this);
(function(){var tryssl;tryssl=function(){console.log("Call URL -> ",window.datas.sslHost);$.ajax(window.datas.sslHost,{dataType:"jsonp",statusCode:{401:function(){$("#lform").submit();return console.log("Error code 401")}},success:function(data){$("#lform").submit();return console.log("Success -> ",data)},error:function(){$("#lform").submit();return console.log("Error")}});return false};$(document).ready(function(){return $(".sslclick").on("click",tryssl)})}).call(this);


@ -1,10 +1,10 @@
// Generated by CoffeeScript 1.12.8
// Generated by CoffeeScript 1.10.0
(function() {
var tryssl;
tryssl = function() {
console.log('Call URL -> ', window.datas.sslHost);
return $.ajax(window.datas.sslHost, {
$.ajax(window.datas.sslHost, {
dataType: 'jsonp',
statusCode: {
401: function() {
@ -21,6 +21,7 @@
return console.log('Error');
}
});
return false;
};
$(document).ready(function() {


@ -1 +1 @@
(function(){var tryssl;tryssl=function(){console.log("Call URL -> ",window.datas.sslHost);return $.ajax(window.datas.sslHost,{dataType:"jsonp",statusCode:{401:function(){$("#lformSSL").submit();return console.log("Error code 401")}},success:function(data){$("#lformSSL").submit();return console.log("Success -> ",data)},error:function(){$("#lformSSL").submit();return console.log("Error")}})};$(document).ready(function(){return $(".sslclick").on("click",tryssl)})}).call(this);
(function(){var tryssl;tryssl=function(){console.log("Call URL -> ",window.datas.sslHost);$.ajax(window.datas.sslHost,{dataType:"jsonp",statusCode:{401:function(){$("#lformSSL").submit();return console.log("Error code 401")}},success:function(data){$("#lformSSL").submit();return console.log("Success -> ",data)},error:function(){$("#lformSSL").submit();return console.log("Error")}});return false};$(document).ready(function(){return $(".sslclick").on("click",tryssl)})}).call(this);


@ -662,6 +662,9 @@ fi
# Changelog
#==============================================================================
%changelog
* Sat Jun 29 2019 Clement Oudot <clem.oudot@gmail.com> - 2.0.5-1
- Update to 2.0.5
* Fri Jun 07 2019 Xavier Bachelot <xavier@bachelot.org> - 2.0.4-2
- BR: gnupg to fix test 29-AuthGPG.t failure in manager.