dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

First version of imported doc (#1646)

Browse Source
This commit is contained in:
Maxime Besson 2020-05-14 23:29:41 +02:00
parent 3b066f1710
commit 350502feea
377 changed files with 27279 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
doc/sources/admin/.nojekyll Normal file
View File

225
doc/sources/admin/Makefile Normal file
View File

@ -0,0 +1,225 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER =
BUILDDIR = _build
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
.PHONY: help
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " applehelp to make an Apple Help Book"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " epub3 to make an epub3"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " xml to make Docutils-native XML files"
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
@echo " coverage to run coverage check of the documentation (if enabled)"
@echo " dummy to check syntax errors of document sources"
.PHONY: clean
clean:
rm -rf $(BUILDDIR)/*
.PHONY: html
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
.PHONY: dirhtml
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
.PHONY: singlehtml
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
.PHONY: pickle
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
.PHONY: json
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
.PHONY: htmlhelp
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
.PHONY: qthelp
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/LemonLDAPNG.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/LemonLDAPNG.qhc"
.PHONY: applehelp
applehelp:
$(SPHINXBUILD) -b applehelp $(ALLSPHINXOPTS) $(BUILDDIR)/applehelp
@echo
@echo "Build finished. The help book is in $(BUILDDIR)/applehelp."
@echo "N.B. You won't be able to view it unless you put it in" \
"~/Library/Documentation/Help or install it in your application" \
"bundle."
.PHONY: devhelp
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/LemonLDAPNG"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/LemonLDAPNG"
@echo "# devhelp"
.PHONY: epub
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
.PHONY: epub3
epub3:
$(SPHINXBUILD) -b epub3 $(ALLSPHINXOPTS) $(BUILDDIR)/epub3
@echo
@echo "Build finished. The epub3 file is in $(BUILDDIR)/epub3."
.PHONY: latex
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
.PHONY: latexpdf
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
.PHONY: latexpdfja
latexpdfja:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through platex and dvipdfmx..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
.PHONY: text
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
.PHONY: man
man:
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
.PHONY: texinfo
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
.PHONY: info
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
.PHONY: gettext
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
.PHONY: changes
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
.PHONY: linkcheck
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
.PHONY: doctest
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."
.PHONY: coverage
coverage:
$(SPHINXBUILD) -b coverage $(ALLSPHINXOPTS) $(BUILDDIR)/coverage
@echo "Testing of coverage in the sources finished, look at the " \
"results in $(BUILDDIR)/coverage/python.txt."
.PHONY: xml
xml:
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
@echo
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
.PHONY: pseudoxml
pseudoxml:
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
@echo
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
.PHONY: dummy
dummy:
$(SPHINXBUILD) -b dummy $(ALLSPHINXOPTS) $(BUILDDIR)/dummy
@echo
@echo "Build finished. Dummy builder generates no files."

23
doc/sources/admin/activedirectoryminihowto.rst Normal file
View File

@ -0,0 +1,23 @@
Using LemonLDAP::NG with Active-Directory
=========================================
Authentication with login/password
----------------------------------
To use Active Directory as LDAP backend, you must change few things in
the manager :
- Use "Active Directory" as authentication, userDB and
passwordDBbackends,
- Export sAMAccountName in a variable declared in
:doc:`exported variables<exportedvars>`
- Change the user attribute to store in Apache logs *("General
Parameters » Logs » REMOTE_USER")*: use the variable declared above
Authentication with Kerberos
----------------------------
- Choose "Apache" as authentication module *("General Parameters »
Authentication modules » Authentication module")*
- :doc:`Configure the Apache server<authapache>` that host the portal
to use the Apache Kerberos authentication module

76
doc/sources/admin/applications.rst Normal file
View File

@ -0,0 +1,76 @@
Applications
============
How to integrate
----------------
To integrate a Web application in LL::NG, you have the following
possibilities:
- Protect the application with the Handler, and push user identity
trough HTTP headers. This is how main Access Manager products, like
CA SiteMinder, are working. This also how Apache authentication
modules are working, so if your application is compatible with Apache
authentication (often called "external authentifcation"), then you
can use the Handler.
- Specific Handler: some applications can require a specific Handler,
to manage preauthentication process for example.
- CAS: your application is a CAS client, you can configure LL::NG as a
:doc:`CAS server<idpcas>`.
- SAML: your application is a SAML Service Provider, you can configure
LL::NG as a :doc:`SAML Identity Provider<idpsaml>`.
- OpenID Connect: your application is a OpenID Connect Relying Party,
you can configure LL::NG as a
:doc:`OpenID Connect Provider<idpopenidconnect>`.
If none of above methods is available, you can try:
- :doc:`HTTP Auth-Basic<applications/authbasic>`: replay Auth Basic
authentication
- :doc:`Form replay<formreplay>`: replay form based authentication
Application list
----------------
================================================================= ==================================================== ============ ================ === ==== ====
Application Configuration guide HTTP headers Specific Handler CAS SAML OIDC
================================================================= ==================================================== ============ ================ === ==== ====
.. image:: applications/microsoft-adfs.png :doc:`ADFS<applications/adfs>`
.. image:: applications/alfresco_logo.png :doc:`Alfresco<applications/alfresco>` ✔ ✔
.. image:: applications/logo_amazon_web_services.jpg :doc:`Amazon Web Services<applications/aws>`
.. image:: applications/logo-awx.png :doc:`AWX (Ansible Tower)<applications/awx>`
.. image:: applications/bugzilla_logo.png :doc:`Bugzilla<applications/bugzilla>`
.. image:: applications/csod_logo.png :doc:`Cornerstone<applications/cornerstone>`
.. image:: applications/discourse.jpg :doc:`Discourse<applications/discourse>` ✔ ✔
.. image:: applications/django_logo.png :doc:`Django<applications/django>`
.. image:: applications/dokuwiki_logo.png :doc:`Dokuwiki<applications/dokuwiki>`
.. image:: applications/drupal_logo.png :doc:`Drupal<applications/drupal>`
.. image:: applications/fusiondirectory-logo.jpg :doc:`FusionDirectory<applications/fusiondirectory>`
.. image:: applications/gitlab_logo.png :doc:`Gitlab<applications/gitlab>` ✔ ✔
.. image:: applications/glpi_logo.png :doc:`GLPI<applications/glpi>`
.. image:: applications/googleapps_logo.png :doc:`Google Apps<applications/googleapps>`
.. image:: applications/grafana_logo.png :doc:`Grafana<applications/grafana>`
.. image:: applications/grr_logo.png :doc:`GRR<applications/grr>`
.. image:: applications/guacamole.png :doc:`Apache Guacamole<applications/guacamole>` ✔ ✔ ✔
.. image:: applications/humhub_logo.png :doc:`HumHub<applications/humhub>`
.. image:: applications/logo-jitsimeet.png :doc:`Jitsi Meet<applications/jitsimeet>`
.. image:: applications/liferay_logo.png :doc:`Liferay<applications/liferay>`
.. image:: applications/limesurvey_logo.png :doc:`LimeSurvey<applications/limesurvey>`
.. image:: applications/mattermost_logo.png :doc:`Mattermost<applications/mattermost>`
.. image:: applications/mediawiki_logo.png :doc:`Mediawiki<applications/mediawiki>`
.. image:: applications/nextcloud-logo.png :doc:`NextCloud<applications/nextcloud>`
.. image:: applications/obm_logo.png :doc:`OBM<applications/obm>`
.. image:: applications/logo_office_365.png :doc:`Office 365<applications/office365>`
.. image:: applications/phpldapadmin_logo.png :doc:`phpLDAPAdmin<applications/phpldapadmin>`
.. image:: applications/roundcube_logo.png :doc:`Roundcube<applications/roundcube>`
.. image:: applications/salesforce-logo.jpg :doc:`SalesForce<applications/salesforce>`
.. image:: applications/SAPLogo.gif :doc:`SAP<applications/sap>` ✔ ✔
.. image:: applications/simplesamlphp_logo.png :doc:`simpleSAMLphp<applications/simplesamlphp>`
.. image:: applications/spring_logo.png :doc:`Spring<applications/spring>`
.. image:: applications/symfony_logo.png :doc:`Symfony<applications/symfony>`
.. image:: applications/sympa_logo.png :doc:`Sympa<applications/sympa>`
.. image:: applications/tomcat_logo.png :doc:`Tomcat<applications/tomcat>`
.. image:: applications/wordpress_logo.png :doc:`Wordpress<applications/wordpress>`
.. image:: applications/xwiki.png :doc:`XWiki<applications/xwiki>`
.. image:: applications/zimbra_logo.png :doc:`Zimbra<applications/zimbra>`
================================================================= ==================================================== ============ ================ === ==== ====

BIN
doc/sources/admin/applications/.tomcat.rst +92.swp Normal file
View File

Binary file not shown.

BIN
doc/sources/admin/applications/SAPLogo.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 538 B

37
doc/sources/admin/applications/adfs.rst Normal file
View File

@ -0,0 +1,37 @@
Active Directory Federation Services
====================================
|image0|
Presentation
------------
Microsoft ADFS (Active Directory Federation Services) is an
Identity/Service Provider, compatible with several protocols, including
SAML 2.0.
.. important::
This documentation does not explains how to setup ADFS,
but give only tricks to make it works with LL::NG
ADFS as Identity Provider
-------------------------
When ADFS is declared as an Identity Provider in LemonLDAP::NG, you need
to take care of the following items:
- HTTPS is mandatory on LL::NG portal
- You need to use a certificate in LL::NG SAML metadata instead of a
raw public key
- Activate option ``Use specific query_string method`` in SAML Service
- Use SHA1 instead of SHA256 as signature algorithm on ADFS if using a
Lasso version < 2.5.0
- Force SAML response to be sent by POST and not Artifact (signature
verification fails with Artifact)
- Enable ``Allow proxy authentication`` in IDP options on LL::NG side
.. |image0| image:: /applications/microsoft-adfs.png
:class: align-center

458
doc/sources/admin/applications/alfresco.rst Normal file
View File

@ -0,0 +1,458 @@
Alfresco
========
|image0|
Presentation
------------
`Alfresco <https://www.alfresco.com/>`__ is an ECM/BPM software.
Since 4.0 release, it offers an easy way to configure SSO thanks to
authentication subsystems.
Authentication against LL::NG can be done trough:
- HTTP headers (LL::NG Handler)
- SAML 2 (LL::NG as SAML2 IDP)
.. tip::
Alfresco now recommends SAML2 method
HTTP headers
------------
.. _alfresco-1:
Alfresco
~~~~~~~~
.. tip::
The official documentation can be found here:
http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html\
You need to find the following files in your Alfresco installation:
- ``alfresco-global.properties`` (ex:
``tomcat/shared/classes/alfresco-global.properties``)
- ``share-config-custom.xml`` (ex:
``tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml``)
The first will allow one to configure SSO for the alfresco webapp, and
the other for the share webapp.
Edit first ``alfresco-global.properties`` and add the following:
.. code:: java
### SSO ###
authentication.chain=external1:external
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=
external.authentication.proxyUserName=
external.authentication.proxyHeader=Auth-User
external.authentication.userIdPattern=
Edit then ``share-config-custom.xml`` and uncomment the last part. In
the ``<endpoint>``, change ``<connector-id>`` value to
``alfrescoHeader`` and change the ``<userHeader>`` value to
``Auth-User``:
.. code:: xml
<config evaluator="string-compare" condition="Remote">
<remote>
<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>
<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>Auth-User</userHeader>
</connector>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/s</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
</remote>
</config>
You need to restart Tomcat to apply changes.
.. warning::
Now you can log in with a simple HTTP header. You need to
restrict access to Alfresco to LL::NG.
LL::NG
~~~~~~
Headers
^^^^^^^
Just set the ``Auth-User`` header with the attribute that carries the
user login, for example ``$uid``.
Rules
^^^^^
Set the default rule to what you need.
Other rules:
- Unprotect access to some resources: ``^/share/res => unprotect``
- Catch logout: ``^/share/page/dologout => logout_app_sso``
SAML2
-----
.. _alfresco-2:
Alfresco
~~~~~~~~
Install SAML Alfresco module package:
::
cp alfresco-saml-repo-1.0.1.amp <ALFRESCO_HOME>/amps
cp alfresco-saml-share-1.0.1.amp <ALFRESCO_HOME>/amps_share
./bin/apply_amp.sh
Generate SAML certificate:
::
keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS
Export the keystore:
::
mv my-saml.keystore alf_data/keystore
cat <<EOT > alf_data/keystore/my-saml.keystore-metadata.properties
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
EOT
cat <<EOT >> tomcat/shared/classes/alfresco-global.properties
saml.keystore.location=\${dir.keystore}/my-saml.keystore
saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
EOT
Edit then ``share-config-custom.xml``:
.. code:: xml
...
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<!--
If using https make a CSRFPolicy with replace="true" and override the properties section.
Note, localhost is there to allow local checks to succeed.
I.e.
<properties>
<token>Alfresco-CSRFToken</token>
<referer>https://your-domain.com/.*|http://localhost:8080/.*</referer>
<origin>https://your-domain.com|http://localhost:8080</origin>
</properties>
-->
<filter>
<!-- SAML SPECIFIC CONFIG - START -->
<!--
Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET to avoid them
having to pass through the remaining rules.
-->
<rule>
<request>
<method>GET</method>
<path>/res/.*</path>
</request>
</rule>
<!-- Incoming posts from IDPs do not require a token -->
<rule>
<request>
<method>POST</method>
<path>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest</path>
</request>
</rule>
<!-- SAML SPECIFIC CONFIG - STOP -->
<!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml -->
<!--
Certain webscripts shall not be allowed to be accessed directly form the browser.
Make sure to throw an error if they are used.
-->
<rule>
<request>
<path>/proxy/alfresco/remoteadm/.*</path>
</request>
<action name="throwError">
<param name="message">It is not allowed to access this url from your browser</param>
</action>
</rule>
<!--
Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.
TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.
-->
<rule>
<request>
<method>POST</method>
<path>/proxy/alfresco/api/publishing/channels/.+</path>
</request>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
<!--
Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
the Surf WebScript console code can't be dependent on a Share specific filter.
-->
<rule>
<request>
<method>POST</method>
<path>/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console</path>
</request>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
<!-- Certain Share POST requests does NOT require a token -->
<rule>
<request>
<method>POST</method>
<path>/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow</path>
</request>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
<!-- Assert logout is done from a valid domain, if so clear the token when logging out -->
<rule>
<request>
<method>POST</method>
<path>/page/dologout(\?.+)?</path>
</request>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
<action name="clearToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<!-- Make sure the first token is generated -->
<rule>
<request>
<session>
<attribute name="_alf_USER_ID">.+</attribute>
<attribute name="{token}"/>
<!-- empty attribute element indicates null, meaning the token has not yet been set -->
</session>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<!-- Refresh token on new "page" visit when a user is logged in -->
<rule>
<request>
<method>GET</method>
<path>/page/.*</path>
<session>
<attribute name="_alf_USER_ID">.+</attribute>
<attribute name="{token}">.+</attribute>
</session>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<!--
Verify multipart requests from logged in users contain the token as a parameter
and also correct referer & origin header if available
-->
<rule>
<request>
<method>POST</method>
<header name="Content-Type">multipart/.+</header>
<session>
<attribute name="_alf_USER_ID">.+</attribute>
</session>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="parameter">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
<!--
Verify that all remaining state changing requests from logged in users' requests contains a token in the
header and correct referer & origin headers if available. We "catch" all content types since just setting it to
"application/json.*" since a webscript that doesn't require a json request body otherwise would be
successfully executed using i.e."text/plain".
-->
<rule>
<request>
<method>POST|PUT|DELETE</method>
<session>
<attribute name="_alf_USER_ID">.+</attribute>
</session>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="header">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
</filter>
</config>
...
Configure SAML service provider using the Alfresco admin console
(/alfresco/s/enterprise/admin/admin-saml).
Set the following parameters:
- Enable SAML Authentication (SSO): on
- Authentication service URL:
https://auth.example.com/saml/singleSignOn
- Single Logout URL: https://auth.example.com/saml/singleLogout
- Single logout return URL:
https://auth.example.com/saml/singleLogoutReturn
- Entity identification: http://alfresco.myecm.org:8080/share
- User ID mapping: Subject/NameID
To finish with Alfresco configuration, tick the “Enable SAML
authentication (SSO)” box.
.. _llng-1:
LL::NG
~~~~~~
Configure SAML service and set a certificate as signature public key in
metadata.
Export Alfresco SAML Metadata from admin console and import them in
LL::NG.
In the authentication response option, set:
- Default NameID Format: Unspecified
- Force NameID session key: uid
And you can define these exported attributes:
- GivenName
- Surname
- Email
Other resources
---------------
- `DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi
Belmekki <https://www.youtube.com/watch?v=5tS0XrC_-rw>`__
- `Setting up Alfresco SAML authentication with
LemonLDAP::NG <https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng>`__
.. |image0| image:: /applications/alfresco_logo.png
:class: align-center

BIN
doc/sources/admin/applications/alfresco_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.6 KiB

73
doc/sources/admin/applications/authbasic.rst Normal file
View File

@ -0,0 +1,73 @@
HTTP Basic Authentication
=========================
|image0|
Presentation
------------
.. important::
For now, this feature is only supported by Apache
handler.
Extract from the `Wikipedia
article <http://en.wikipedia.org/wiki/Basic_access_authentication>`__:
In the context of an HTTP transaction, the basic access authentication
is a method designed to allow a web browser, or other client program, to
provide credentials in the form of a user name and password when
making a request.
Before transmission, the username and password are encoded as a sequence
of base-64 characters. For example, the user name Aladdin and password
open sesame would be combined as Aladdin:open sesame which is
equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64.
Little effort is required to translate the encoded string back into the
user name and password, and many popular security tools will decode the
strings "on the fly".
So HTTP Basic Authentication is managed trough an HTTP header
(``Authorization``), that can be forged by LL::NG, with this
precautions:
- Data should not contains accents or special characters, as HTTP
protocol only allow ASCII values in header (but depending on the HTTP
server, you can use ISO encoded values)
- You need to forward the password, which can be the user main password
(if :doc:`password is stored in session<../passwordstore>`, or any
user attribute (if you keep secondary passwords in users database).
Configuration
-------------
The Basic Authentication relies on a specific HTTP header, as described
above. So you have just to declare this header for the virtual host in
Manager.
For example, to forward login (``$uid``) and password (``$_password`` if
:doc:`password is stored in session<../passwordstore>`):
::
Authorization => "Basic ".encode_base64("$uid:$_password", "")
LL::NG provides a special function named
:doc:`basic<../extendedfunctions>` to build this header.
So the above example can also be written like this:
::
Authorization => basic($uid,$_password)
.. tip::
The ``basic`` function will also force conversion from UTF-8
to ISO-8859-1, which should be accepted by most of HTTP servers.
.. |image0| image:: /applications/http_logo.png
:class: align-center

102
doc/sources/admin/applications/aws.rst Normal file
View File

@ -0,0 +1,102 @@
Amazon Web Services
===================
`Amazon Web Services <https://aws.amazon.com>`__ allows one to delegate
authentication through SAML2.
SAML
----
- Make sure you have followed the steps
`here <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html>`__.
- Go to https://your.portal.com/saml/metadata and save the resulting
file locally.
- In each AWS account, go to IAM -> Identity providers -> Create
Provider.
- Select ``SAML`` as the provider type
- Choose a name (best if kept consistent between accounts), and then
choose the metadata file you saved above.
- Looking again at the links on the left side of the page, go to Roles
-> Create role
- Choose ``SAML / Saml 2.0 federation``
- Select the provider you just configured, click
``Allow programmatic and AWSManagement Console access`` which will
fill in the rest of the form for you, then click next.
- Set whatever permissions you need to and then click ``Review``.
- Choose a name for the role. These will shown to people when they log
in, so make them descriptive. We have different accounts for
different regions of the world, so I put the region into the role
name so people know which account is which.
.. important::
If you have only one role, the configuration is simple. If you
have multiple roles for different people, it is a little trickier. As
you will see, the SAML attributes are not dynamic, so you have to set
them in the session when a user logs in or use a custom function. In
this example, I wanted to avoid managing custom functions on all the
servers, so the SAML attributes are set in the session. We also use LDAP
for user information, so I will describe that. In our LDAP tree, each
user has attributes which are used quite heavily for dynamic groups and
authorisation. You will want something similar, using whatever attribute
makes sense to you. For example:
.. code::
dn: uid=user,ou=people,dc=your,dc=com
...
ou: sysadmin
ou: database
ou: root
- Assuming you use the web interface to manage lemonldap, go to General
Parameters -> Authentication parameters -> LDAP parameters ->
Exported variables. Here set the key to the LDAP attribute and the
value to something sensible. I keep them the same to make it easy.
- Now go to \*Variables -> Macros*. Here set up variables which will be
computed based on the attributes you exported above. You will need to
emit strings in this format
``arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name``.
The parts you need to change are ``account-number``, ``role-name1``
and ``provier-name``. The last two will be the provider name and role
names you just set up in AWS.
- Perl works in here, so something like this is valid: ``aws_eu_role``
-> ``$ou =~ sysadmin ? "arn:aws..." : "arn:..."``
- If it easier, split multiple roles into different macros. Then tie
all the variables you define together into one string concatenating
them with whatever is in General Parameters -> Advanced Parameters ->
Separator. Actually click into this field and move around with the
arrow keys to see if there is a space, since spaces can be part of
the separator.
- Remember macros are defined alphanumerically, so you want one right
at the end, like ``z_aws_roles`` ->
``join("; ", $role_name1, $role_name2, ...)``
- On the left again, click ``SAML service providers``, then
``Add SAML SP``.
- Enter a name, click ok, then select it on the left. Select
``Metadata``, then enter
\`\ https://signin.aws.amazon.com/static/saml-metadata.xml\ \` in the
``URL`` field, then click load.
- Click ``Exported attributes`` on the left, then ``Add attribute``
twice to add two attributes. The first field is the name of a
variable set in the user's session:
- ``_whatToTrace`` ->
``https://aws.amazon.com/SAML/Attributes/RoleSessionName`` (leave
the rest)
- ``z_aws_roles`` (the macro name you defined above) ->
``https://aws.amazon.com/SAML/Attributes/Role`` (leave the rest)
- On the left, select Options -> Security -> Enable use of IDP
initiated URL -> On
- Select General Parameters -> Portal -> Menu -> Categories and
applications
- Select a category or create a new one if you need to. Then click
``New application``.
- Enter a name etc. For the URL, use
``https://your.portal.com/saml/singleSignOn?IDPInitiated=1&sp=urn:amazon:webservices``
- Display application should be set to ``Enabled``
- Go to your portal, click on the link, and check that it works!

BIN
doc/sources/admin/applications/awx-attr.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
doc/sources/admin/applications/awx-metadata.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 122 KiB

BIN
doc/sources/admin/applications/awx-saml-login.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

209
doc/sources/admin/applications/awx.rst Normal file
View File

@ -0,0 +1,209 @@
AWX (Ansible Tower)
===================
|logo-awx.png| |logo-ansibletower.png|
Presentation
------------
`AWX <https://github.com/ansible/awx>`__ is the upstream version for
Ansible Tower.
This documentation explains how to interconnect LemonLDAP::NG and AWX
using SAML 2.0 protocol.
You can find the Official AWX documentation about this topic here :
https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings
Please read it before the LLNG doc.
Configuration
-------------
This page assumes you already have configured the SAML Service in
LemonLDAP::NG, if not please follow :
:doc:`SAML service configuration<../samlservice>`
AWX SAML Key & Certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~
You'll need a private key and the corresponding certificate to setup
saml in AWX, you can do it with your pki or with openssl on your machine
:
::
openssl req -x509 -newkey rsa:4096 -keyout saml-awx.key -out saml-awx.crt -days 3650 -nodes
LLNG SAML Certificate
~~~~~~~~~~~~~~~~~~~~~
AWX need a certificate for the IDP signature, a public key won't work.
You can either just generate a certificate from the private key and put
it in AWX conf, or you can do it globally.
Generate Certificate from Key
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You can find your private key in : SAML2 Service -> Security Parameters
-> Signature -> Private Key
Copy it somewhere secure as lemonldap.key, and then generate the
certificate with this command :
::
openssl req -new -x509 -days 3650 -key lemonldap.key > lemonldap.crt
After that, if you want, you can replace your SAML public key with this
certificate in LLNG configuration, this is not mandatory.
AWX
~~~
You'll need an administrator account, then go to Settings ->
Authentication -> SAML
|image2|
There is a few settings :
SAML Service Provider Entity ID
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is the entityID for awx, lets put the fqdn : ``awx.example.com``
SAML Service Provider Public Certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Put the content of ``saml-awx.crt`` : ``-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----``
SAML Service Provider Private Key
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Put the content of ``saml-awx.key`` : ``-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----``
It will be replaced with ``$encrypted$`` after you save the settings.
SAML Service Provider Organization Info
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Organization Info for The SP, this is purely "for looks"
::
{
"en-US": {
"displayname": "AWX ACME",
"url": "https://awx.example.com",
"name": "awxacme"
}
}
SAML Service Provider Technical Contact
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Technical Contact for the SP
::
{
"emailAddress": "support@example.com",
"givenName": "Support ACME"
}
SAML Service Provider Support Contact
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Support Contact for the SP
::
{
"emailAddress": "support@example.com",
"givenName": "Support ACME"
}
SAML Enabled Identity Providers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This is the configuration of the IdP :
::
{
"lemonldap": {
"attr_last_name": "sn",
"x509cert": "SOXGp.....",
"attr_username": "uid",
"entity_id": "https://auth.example.com/saml/metadata",
"attr_first_name": "givenName",
"attr_email": "mail",
"attr_user_permanent_id": "uid",
"url": "https://auth.example.com/saml/singleSignOn"
}
}
- "attr_last_name": "sn" SAML Attribute for the user last name
- "x509cert": "SOXGp....." the content of ``lemonldap.crt`` generated
in the "LLNG SAML Certificate" section
- "attr_username": "uid" SAML Attribute for the user username
- "entity_id": "https://auth.example.com/saml/metadata" entityID of the
IdP
- "attr_first_name": "givenName" SAML Attribute for the user first name
- "attr_email": "mail" SAML Attribute user for the user email
- "attr_user_permanent_id": "uid" SAML Attribute for the user unique id
inside AWX
- "url": "https://auth.example.com/saml/singleSignOn" SAML SSO Url
Save your configuration.
LemonLDAP:NG
~~~~~~~~~~~~
We now have to define a service provider in LL:NG.
Go to "SAML service providers", click on "Add SAML SP" and name it as
you want (example : 'AWX')
In the new subtree 'AWX', open 'Metadata' and paste the content of the
AWX Metadatas, wich can be found at the
``SAML Service Provider Metadata URL`` in AWX :
https://awx.example.com/sso/metadata/saml/
|image3|
Now go in "Exported attributes" and add, the 'uid', 'sn', 'givenName',
'mail'.
All four attributes are mandatory for AWX. Make sure they match the
names of the attributes available in your LemonLDAP sessions.
|image4|
Don't forget to save your configuration.
You are now good to go, and you can add the application in
:doc:`your menu<../portalmenu>` and
:doc:`your virtual hosts<../configvhost>`.
You should now have a SAML button on the login page :
|image5|
.. |logo-awx.png| image:: /applications/logo-awx.png
:class: align-center
.. |logo-ansibletower.png| image:: /applications/logo-ansibletower.png
:class: align-center
.. |image2| image:: /applications/saml-awx.png
:class: align-center
.. |image3| image:: /applications/awx-metadata.png
:class: align-center
.. |image4| image:: /applications/awx-attr.png
:class: align-center
.. |image5| image:: /applications/awx-saml-login.png
:class: align-center

109
doc/sources/admin/applications/bugzilla.rst Normal file
View File

@ -0,0 +1,109 @@
Bugzilla
========
|image0|
Presentation
------------
`Bugzilla <http://www.bugzilla.org>`__ is server software designed to
help you manage software development.
Bugzilla can authenticate a user with HTTP headers, and auto-create its
account with a few information:
- User ID
- Email
- Real name
Configuration
-------------
Bugzilla administration
~~~~~~~~~~~~~~~~~~~~~~~
In Bugzilla administration interface, go in ``Parameters`` »
``User authentication``
Then set:
- **auth_env_id**: HTTP_AUTH_USER
- **auth_env_email**: HTTP_AUTH_MAIL
- **auth_env_realname**: HTTP_AUTH_CN
- **user_info_class**: Env or Env,CGI
Bugzilla virtual host
~~~~~~~~~~~~~~~~~~~~~
Configure Bugzilla virtual host like other
:doc:`protected virtual host<../configvhost>`.
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName bugzilla.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name bugzilla.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
Bugzilla virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Bugzilla.
Configure the :doc:`access rules<../writingrulesand_headers>`.
Configure the following :doc:`headers<../writingrulesand_headers>`.
- **Auth-User**: $uid
- **Auth-Mail**: $mail
- **Auth-Cn**: $cn
.. |image0| image:: /applications/bugzilla_logo.png
:class: align-center

BIN
doc/sources/admin/applications/bugzilla_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.8 KiB

90
doc/sources/admin/applications/cornerstone.rst Normal file
View File

@ -0,0 +1,90 @@
Cornerstone On Demand
=====================
|image0|
Presentation
------------
`CornerStone On Demand (CSOD) <http://www.cornerstoneondemand.com/>`__
allows one to use SAML to authenticate users. It works by default with
IDP intiated mechanism, but can works with the standard SP initiated
cinematic.
To work with LL::NG it requires:
- An enterprise account
- LL::NG configured as :doc:`SAML Identity Provider<../idpsaml>`
- Registered users on CSOD with the same email than those used by
LL::NG (email will be the NameID exchanged between CSOD and LL::NG)
Configuration
-------------
New Service Provider
~~~~~~~~~~~~~~~~~~~~
You should have configured LL::NG as an
:doc:`SAML Identity Provider<../idpsaml>`,
Now we will add CSOD as a new SAML Service Provider:
#. In Manager, click on SAML service providers and the button
``New service provider``.
#. Set csod as Service Provider name.
#. Set ``Email`` in ``Options`` » ``Authentication Response`` »
``Default NameID format``
#. Select ``Metadata``, and unprotect the field to paste the following
value:
.. code:: xml
<md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
Base64 encoded CSOD certificate
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mycompanyid.csod.com/samldefault.aspx" index="1" />
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
</SPSSODescriptor>
</md:EntityDescriptor>
.. important::
Change **mycompanyid** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your CSOD company ID and put the
certificate value inside the ds:X509Certificate markup
CSOD control panel
~~~~~~~~~~~~~~~~~~
CSOD needs two things to configure LL::NG as an IDP:
- Certificate
- SAML assertion
Certificate
^^^^^^^^^^^
See :doc:`SAML security parameters<../samlservice>` to know how generate
a certificate from you SAML private key.
SAML assertion
^^^^^^^^^^^^^^
You need to use the IDP initiated feature of LL::NG. Just call this URL:
::
https://auth.example.com/saml/singleSignOn?IDPInitiated=1&sp=mycompanyid.csod.com
.. |image0| image:: /applications/csod_logo.png
:class: align-center

BIN
doc/sources/admin/applications/csod_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
doc/sources/admin/applications/discourse.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.6 KiB

65
doc/sources/admin/applications/discourse.rst Normal file
View File

@ -0,0 +1,65 @@
Discourse
=========
|discourse.jpg|
Presentation
------------
`Discourse <https://www.discourse.org/>`__ is a conversation-oriented
forum engine
Discourse supports `its own Single-Sign-On
scheme <https://meta.discourse.org/t/official-single-sign-on-for-discourse-sso/13045>`__
but is also compatible with standard protocols such as SAML and OpenID
Connect, through plugins.
This documentation illustrates the OpenID Connect plugin.
First, make sure you have set up LemonLDAP::NG 's
:doc:`OpenID Connect service<..//openidconnectservice>` and added
:doc:`a Relaying Party for your Discourse instance<..//idpopenidconnect>`
Discourse can use the following OpenID Connect attributes to fill the
user's profile:
::
* name
* email
* given_name
* family_name
* preferred_username
* picture
Make sure you create a username and password for the Relying Party, and
that the discourse callback URL is allowed :
https://discourse.example.com/auth/oidc/callback
Discourse configuration
-----------------------
Plugin installation
~~~~~~~~~~~~~~~~~~~
Install the `Discourse OpenID Connect
Plugin <https://meta.discourse.org/t/openid-connect-authentication-plugin/103632>`__
according to these instructions
Plugin configuration
~~~~~~~~~~~~~~~~~~~~
Browse to your Discourse admin interface, and to the plugin settings
- openid_connect_enabled: *Yes*
- openid_connect_discovery_document:
https://auth.example.com/.well-known/openid-configuration
- openid_connect_client_id: *Client ID you chose when configuring the
Relying Party*
- openid_connect_client_secret: *Client Secret you chose when
configuring the Relying Party*
- openid_connect_authorize_scope: *openid email profile*
.. |discourse.jpg| image:: /applications/discourse.jpg
:class: align-center

16
doc/sources/admin/applications/django.rst Normal file
View File

@ -0,0 +1,16 @@
Django
======
Presentation
------------
`Django <https://www.djangoproject.com/>`__ is a high-level Python Web
framework that encourages rapid development and clean, pragmatic design.
Connector
---------
The Django connector is available on GitHub:
https://github.com/rclsilver/django-lemonldap
See the README to know how install and configure it.

BIN
doc/sources/admin/applications/django_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.9 KiB

127
doc/sources/admin/applications/dokuwiki.rst Normal file
View File

@ -0,0 +1,127 @@
Dokuwiki
========
|image0|
Presentation
------------
`DokuWiki <http://www.dokuwiki.org/>`__ is a standards compliant, simple
to use Wiki, mainly aimed at creating documentation of any kind. It is
targeted at developer teams, workgroups and small companies. It has a
simple but powerful syntax which makes sure the data files remain
readable outside the Wiki and eases the creation of structured texts.
All data is stored in plain text files no database is required.
.. tip::
LemonLDAP::NG wiki uses Dokuwiki!
HTTP headers
------------
You need to install a Dokuwiki plugin, available on `Dokuwiki plugins
registry <https://www.dokuwiki.org/plugins>`__:
https://www.dokuwiki.org/plugin:authlemonldap
Plugin installation
~~~~~~~~~~~~~~~~~~~
Install the plugin using the `Plugin
Manager <https://www.dokuwiki.org/plugin:plugin>`__.
Dokuwiki configuration
~~~~~~~~~~~~~~~~~~~~~~
As administrator, go in Dokuwiki parameters and set:
- Authentication backend: authlemonldap
- Manager: set which users and/or groups will be admin
|image1|
Dokuwiki virtual host
~~~~~~~~~~~~~~~~~~~~~
Configure Dokuwiki virtual host like other
:doc:`protected virtual host<../configvhost>`.
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName dokuwiki.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name dokuwiki.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
Dokuwiki virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Dokuwiki.
Configure the :doc:`access rules<../writingrulesand_headers>`.
Configure the :doc:`headers<../writingrulesand_headers>`:
- Auth-User $uid
- Auth-Cn: $cn
- Auth-Mail: $mail
- Auth-Groups: encode_base64($groups,"")
.. important::
To allow execution of encode_base64() method, you must
deactivate the :doc:`Safe jail<../safejail>`.
.. |image0| image:: /applications/dokuwiki_logo.png
:class: align-center
.. |image1| image:: /applications/screenshot_dokuwiki_configuration.png
:class: align-center

BIN
doc/sources/admin/applications/dokuwiki_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

158
doc/sources/admin/applications/drupal.rst Normal file
View File

@ -0,0 +1,158 @@
Drupal
======
|image0|
Presentation
------------
`Drupal <http://drupal.org>`__ is a CMS written in PHP. It can works
with external modules to extends its functionalities. One of this module
can be used to delegate authentication server to the web server:
`Webserver Auth <http://drupal.org/project/Webserver_auth>`__.
Installation
------------
Install `Webserver Auth <http://drupal.org/project/Webserver_auth>`__
module, by downloading it, and unarchive it in the drupal modules/
directory.
Configuration
-------------
Drupal module activation
~~~~~~~~~~~~~~~~~~~~~~~~
Go on Drupal administration interface and enable the Webserver Auth
module.
Drupal virtual host
~~~~~~~~~~~~~~~~~~~
Configure Drupal virtual host like other
:doc:`protected virtual host<../configvhost>`.
.. important::
If you are protecting Drupal with LL::NG as reverse
proxy,
:doc:`convert header into REMOTE_USER environment variable<../header_remote_user_conversion>`.
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName drupal.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name drupal.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
Drupal virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Drupal.
Just configure the :doc:`access rules<../writingrulesand_headers>`.
If using LL::NG as reverse proxy, configure the ``Auth-User``
:doc:`header<../writingrulesand_headers>`, else no headers are needed.
Protect only the administration pages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With the above solution, all the Drupal site will be protected, so no
anonymous access will be allowed.
.. important::
You cannot use the ``unprotect`` rule because Drupal
navigation is based on query strings (?q=admin, ?q=user, etc.), and
unprotect rule only works on URL patterns.
You can create a special virtual host and use `Apache rewrite
module <http://httpd.apache.org/docs/current/mod/mod_rewrite.html>`__ to
switch between open and protected hosts:
.. code:: apache
<VirtualHost *:80>
ServerName drupal.example.com
# DocumentRoot
DocumentRoot /var/www/html/drupal/
DirectoryIndex index.php
# Redirect admin pages
RewriteEngine On
RewriteCond %{QUERY_STRING} q=(admin|user)
RewriteRule ^/(.*)$ http://admindrupal.example.com/$1 [R]
LogLevel warn
ErrorLog /var/log/httpd/drupal-error.log
CustomLog /var/log/httpd/drupal-access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName admindrupal.example.com
# SSO protection
PerlHeaderParserHandler Lemonldap::NG::Handler
# DocumentRoot
DocumentRoot /var/www/html/drupal/
DirectoryIndex index.php
LogLevel warn
ErrorLog /var/log/httpd/admindrupal-error.log
CustomLog /var/log/httpd/admindrupal-access.log combined
</VirtualHost>
.. |image0| image:: /applications/drupal_logo.png
:class: align-center

BIN
doc/sources/admin/applications/drupal_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.5 KiB

BIN
doc/sources/admin/applications/franceconnect_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

BIN
doc/sources/admin/applications/fusiondirectory-logo.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

36
doc/sources/admin/applications/fusiondirectory.rst Normal file
View File

@ -0,0 +1,36 @@
FusionDirectory
===============
|image0|
Presentation
------------
`FusionDirectory <https://www.fusiondirectory.org/>`__ provides a
solution to daily management of data stored in an LDAP directory.
Configuration
-------------
.. _fusiondirectory-1:
FusionDirectory
~~~~~~~~~~~~~~~
Go in Configuration and in Login and Session panel. Set:
- **HTTP Header authentication**: Activate
- **Header name**: Auth-User
See also
https://documentation.fusiondirectory.org/en/documentation/admin_installation/core_configuration#login-and-session
LL::NG
~~~~~~
Just set the ``Auth-User`` header with the attribute that carries the
user login, for example ``$uid``.
.. |image0| image:: /applications/fusiondirectory-logo.jpg
:class: align-center

190
doc/sources/admin/applications/gitlab.rst Normal file
View File

@ -0,0 +1,190 @@
Gitlab
======
|image0|
Presentation
------------
See `Gitlab <https://about.gitlab.com/>`__ page for product
presentation.
Gitlab allows one to use SAML to authenticate users, see `official
documentation <https://docs.gitlab.com/ee/integration/saml.html>`__
SAML
----
For this example, we use these sample values:
- Gitlab URL : https://gitlab.example.com
- LL::NG portal URL : https://auth.example.com
Gitlab configuration
~~~~~~~~~~~~~~~~~~~~
Find the gitlab.rb file and add these settings:
::
vi /etc/gitlab/gitlab.rb
.. code:: ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
args: {
assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
idp_cert_fingerprint: '99:BE:7B:68:3F:XX:7D:EF:6B:C3:XX:C0:0E:XX:D4:EA:02:XX:83:2A',
idp_sso_target_url: 'https://auth.example.com/saml/singleSignOn',
issuer: 'https://gitlab.example.com',
name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
},
label: 'Login with LL::NG' # optional label for SAML login button
}
]
.. tip::
To get the fingerprint of IDP certificate, copy SAML
certificate from LL::NG configuration in a file and use openssl:
::
openssl x509 -in CERT.pem -noout -fingerprint
You can force SAML by default with this option:
.. code:: ruby
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
In this case, users won't be able to log directly on gitlab. Set it once
you are sure the SAML configuration is valid.
To apply changes:
::
gitlab-ctl reconfigure
LL::NG configuration
~~~~~~~~~~~~~~~~~~~~
We suppose LL::NG is configured as SAML IDP, and that you converted the
public key into a certificate for SAML signature. You must enable the
option to send certificates in response. If you don't want to, you need
to copy the certificate value into Gitlab configuration, in \`idp_cert\`
parameter.
You can get Gitlab SAML metadata on
https://gitlab.example.com/users/auth/saml/metadata
Register them in LL::NG and send these SAML attributes:
- mail => email
- uid => uid
- cn => name
.. important::
The value from LL::NG mail session attribute must be the
email of the user in Gitlab database, in order to associate
accounts.
Manage groups
~~~~~~~~~~~~~
You can pass groups to Gitlab. For this, declare groups attribute in
gitlab.rb:
.. code:: ruby
...
gitlab_rails['omniauth_providers'] = [
{
name: 'saml',
groups_attribute: 'groups',
...
And in LL::NG, export the groups attribute:
- groups => groups
OpenID Connect
--------------
**Alternatively** to SAML, you can choose to configure Gitlab to use
OpenID Connect.
.. _gitlab-configuration-1:
Gitlab configuration
~~~~~~~~~~~~~~~~~~~~
In ``/etc/gitlab/gitlab.rb``
.. code:: ruby
...
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
{ 'name' => 'openid_connect',
'label' => 'LemonLDAP::NG',
'args' => {
'name' => 'openid_connect',
'issuer' => 'https://auth.example.com',
'scope' => ['openid', 'profile', 'email'],
'response_type' => 'code',
'client_auth_method' => 'client_secret_post',
'discovery' => true,
'uid_field' => 'sub',
'client_options' => {
'redirect_uri' => 'http://gitlab.example.com/users/auth/openid_connect/callback',
'identifier' => 'LEMONLDAP_CLIENT_ID',
'secret' => 'LEMONLDAP_CLIENT_SECRET',
}
}
}
];
...
.. _llng-configuration-1:
LL::NG configuration
~~~~~~~~~~~~~~~~~~~~
Add an OpenID Connect RP to LemonLDAP::NG
- Chose a client ID and a client secret, and write the same values in
the ``gitlab.rb`` file above
- You need to chose an asymetrical signature algorithm for the ID Token
(RS256 or above)
- You also need to set a key identifier on your LemonLDAP::NG server in
``OpenID Connect service`` » ``Security`` » ``Signing key ID`` (use
something like ``default`` as the value).
- Make sure the attribute containing the user email in the
LemonLDAP::NG session is mapped to the ``email`` claim.
.. important::
You need to set a key identifier, or you will get a
*JSON::JWK::Set::KidNotFound* error on Gitlab
.. |image0| image:: /applications/gitlab_logo.png
:class: align-center

BIN
doc/sources/admin/applications/gitlab_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.0 KiB

38
doc/sources/admin/applications/glpi.rst Normal file
View File

@ -0,0 +1,38 @@
GLPI
====
|image0|
Presentation
------------
`GLPI <http://www.glpi-project.org>`__ is the Information
Resource-Manager with an additional Administration- Interface. You can
use it to build up a database with an inventory for your company
(computer, software, printers...). It has enhanced functions to make the
daily life for the administrators easier, like a job-tracking-system
with mail-notification and methods to build a database with basic
information about your network-topology.
Configuration
-------------
For GLPI >= 0.71, it is a simple configuration in GLPI: Setup →
Authentication. In “External authentications” click “Others” and in
“Field holding the login in the \_SERVER array” select “REMOTE_USER”
For older version, check
http://wiki.glpi-project.org/doku.php?id=en:authautoad
If you use Nginx, you need to add this in configuration:
.. code:: nginx
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
.. |image0| image:: /applications/glpi_logo.png
:class: align-center

BIN
doc/sources/admin/applications/glpi_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.7 KiB

BIN
doc/sources/admin/applications/google_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

171
doc/sources/admin/applications/googleapps.rst Normal file
View File

@ -0,0 +1,171 @@
Google Apps
===========
|image0|
Presentation
------------
`Google Apps <http://www.google.com/apps/>`__ can use SAML to
authenticate users, behaving as an SAML service provider, as explained
`here <http://code.google.com/googleapps/domain/sso/saml_reference_implementation.html>`__.
To work with LL::NG it requires:
- An `enterprise Google Apps
account <http://www.google.com/apps/intl/en/business/index.html>`__
- LL::NG configured as :doc:`SAML Identity Provider<../idpsaml>`
- Registered users on Google Apps with the same email than those used
by LL::NG (email will be the NameID exchanged between Google Apps and
LL::NG)
Configuration
-------------
Google Apps control panel
~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
This part is based on `SimpleSAMLPHP
documentation <http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps>`__.
As administrator, go in Google Apps control panel and click on Advanced
tools:
|image1|
Then select ``Set up single sign-on (SSO)``:
|image2|
Now configure all SAML parameters:
|image3|
- **Enable Single Sign-On**: check the box. Uncheck it to disable SAML
authentication (for example, if your Identity Provider is down).
- **Sign-in page URL**: SSO access point (HTTP-Redirect binding).
Example: http://auth.example.com/saml/singleSignOn
- **Sign-out page URL**: this in not the SLO access point (Google Apps
does not support SLO), but the main logout page. Example:
http://auth.example.com/?logout=1
- **Change password URL**: where users can change their password.
Example: http://auth.example.com
.. important::
You must check the option
``Use a specific domain transmitter`` to force Google Apps to send the
full entityId.
Certificate
~~~~~~~~~~~
For the certificate, you can build it from the signing private key
registered in Manager. Select the key, and export it (button
``Download``). This will download the public and the private key.
Keep the private key in a file, for example lemonldap-ng-priv.key, then
use openssl to generate an auto-signed certificate:
::
openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
You can now the upload the certificate (``cert.pem``) on Google Apps.
.. tip::
You can also use the certificate instead of public key in SAML
metadata, see :doc:`SAML service configuration<../samlservice>`\
New Service Provider
~~~~~~~~~~~~~~~~~~~~
You should have configured LL::NG as an
:doc:`SAML Identity Provider<../idpsaml>`,
Now we will add Google Apps as a new SAML Service Provider:
#. In Manager, click on SAML service providers and the button
``New service provider``.
#. Set GoogleApps as Service Provider name.
#. Set ``Email`` in ``Options`` » ``Authentication Response`` »
``Default NameID format``
#. Disable all signature flags in ``Options`` » ``Signature``, except
``Sign SSO message`` which should be to ``On``
#. Select ``Metadata``, and unprotect the field to paste the following
value:
.. code:: xml
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
</SPSSODescriptor>
</md:EntityDescriptor>
.. important::
Change **mydomain.org** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your Google Apps domain. Also adapt
your entityID to match the Assertion issuer: google.com/a/mydomain.org
Application menu
~~~~~~~~~~~~~~~~
You can add a link in :doc:`application menu<../portalmenu>` to display
Google Apps to users.
You need to adapt some parameters:
- **Address**: set one of Google Apps URL (all Google Apps product a
distinct URL), for example
http://www.google.com/calendar/hosted/mydomain.org/render
- **Display**: As Google Apps is not a protected application, set to
``On`` to always display it
.. important::
Change **mydomain.org** into your Google Apps
domain
Logout
~~~~~~
Google Apps does not support Single Logout (SLO).
Google Apps has a configuration parameter to redirect user on a specific
URL after Google Apps logout (see :doc:`Google Apps control panel<>`).
To manage the other way (LL::NG → Google Apps), you can add a dedicated
:doc:`logout forward rule<../logoutforward>`:
::
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
.. important::
Change **mydomain.org** into your Google Apps
domain
.. |image0| image:: /applications/googleapps_logo.png
:class: align-center
.. |image1| image:: /documentation/googleapps-menu.png
:class: align-center
.. |image2| image:: /documentation/googleapps-sso.png
:class: align-center
.. |image3| image:: /documentation/googleapps-ssoconfig.png
:class: align-center

BIN
doc/sources/admin/applications/googleapps_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

77
doc/sources/admin/applications/grafana.rst Normal file
View File

@ -0,0 +1,77 @@
Grafana
=======
|image0|
Presentation
------------
`Grafana <https://grafana.com/>`__ is an Open Source dashboard for
monitoring databases such as Prometheus, Graphite or Elasticsearch
Grafana offers social login through a generic OAuth 2 connector.
Thankfully, it is close enough to OpenID Connect to work well with
LemonLDAP::NG
Pre-requisites
--------------
Grafana configuration
~~~~~~~~~~~~~~~~~~~~~
You should start by following the generic OAuth2 documentation provided
by Grafana: https://grafana.com/docs/grafana/latest/auth/generic-oauth/
Your configuration file will have to look something like this:
::
[auth.generic_oauth]
enabled = true
client_id = CHOOSE_A_CLIENT_ID
client_secret = CHOOSE_A_CLIENT_SECRET
scopes = openid email profile
auth_url = https://auth.example.com/oauth2/authorize
token_url = https://auth.example.com/oauth2/token
api_url = https://auth.example.com/oauth2/userinfo
allow_sign_up = true
name = LemonLDAP::NG
send_client_credentials_via_post = false
email_attribute_name = email
LL:NG
~~~~~
Make sure you have already
:doc:`enabled OpenID Connect<../idpopenidconnect>` on your LemonLDAP::NG
server
Then, add a Relaying Party with the following configuration
- Options » Authentification » Client ID : same as ``client_id`` above
- Options » Allowed redirection address : same as ''client_secret ''
above
If you want to transmit user attributes to Grafana, you also need to
configure
- Extra Claims »
- add a key named ``profile``
- set a value of ``name username display_name upn``
- Exported Attributes (not all of them are mandatory)
- replace the existing keys with the following 5 new keys:
- ``name``
- ``username``
- ``display_name``
- ``upn``
- ``email``
- map them to your corresponding LemonLDAP::NG session attribute
.. |image0| image:: /applications/grafana_logo.png
:class: align-center

BIN
doc/sources/admin/applications/grafana_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.9 KiB

50
doc/sources/admin/applications/grr.rst Normal file
View File

@ -0,0 +1,50 @@
GRR
===
|image0|
Presentation
------------
`GRR <http://grr.devome.com/fr/>`__ is a room booking software.
HTTP header
-----------
Configuration
~~~~~~~~~~~~~
GRR has a SSO configuration page in its administration panel.
Do not use Lemonldap mode, which is for a very old Lemonldap version,
but HTTP authentication.
Set the default profile of connected users and which headers contains
surname, firstname and mail.
|image1|
GRR will check the username in REMOTE_USER, so use
:doc:`remote header conversion<../header_remote_user_conversion>` if you
are in proxy mode.
GRR virtual host in LL::NG
~~~~~~~~~~~~~~~~~~~~~~~~~~
Access rules:
- ^/index.php => accept
- default => unprotect
Headers:
- Auth-User $uid
- Auth-Sn: $sn
- Auth-GivenName: $givenName
- Auth-Mail: $mail
.. |image0| image:: /applications/grr_logo.png
:class: align-center
.. |image1| image:: /applications/screenshot_grr_configuration.png
:class: align-center

BIN
doc/sources/admin/applications/grr_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.9 KiB

BIN
doc/sources/admin/applications/guacamole.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.5 KiB

89
doc/sources/admin/applications/guacamole.rst Normal file
View File

@ -0,0 +1,89 @@
Guacamole
=========
|image0|
Presentation
------------
`Apache Guacamole <https://guacamole.apache.org/>`__ is a web-based
remote desktop gateway. It supports standard protocols like VNC, RDP,
and SSH.
As of version 0.9.14, Guacamole can use
:doc:`OpenID Connect<../idpopenidconnect>` , :doc:`CAS<../idpcas>` or
:doc:`HTTP Headers<../writingrulesand_headers>` as authentication
sources through plug-ins.
This document explains how to implement OpenID Connect
Pre-requisites
--------------
.. _guacamole-1:
Guacamole
~~~~~~~~~
Refer to `the official Guacamole
documentation <http://guacamole.apache.org/doc/gug/>`__ to install
Guacamole, either manually or through Docker images
You need to be able to enable extensions. If you are using docker, you
need to `follow these instructions in order to provide your own
extensions directory and Guacamole configuration
file <http://guacamole.apache.org/doc/gug/guacamole-docker.html#guacamole-docker-guacamole-home>`__
Your Guacamole configuration directory will look something like this.
::
├── extensions
│   └── 00-guacamole-auth-openid-1.0.0.jar
└── guacamole.properties
.. warning::
Make sure to rename the JAR in a way that `ensures that it
will be loaded
first <https://lists.apache.org/thread.html/b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E>`__\
And ``guacamole.properties`` should contain at least
::
openid-authorization-endpoint: http://auth.example.com/oauth2/authorize
openid-jwks-endpoint: http://auth.example.com/oauth2/jwks
openid-issuer: http://auth.example.com
openid-client-id: guacamole
openid-redirect-uri: http://guacamole.example.com/guacamole/
openid-username-claim-type: sub
.. tip::
Remplace the ``redirect uri`` with your Guacamole server's URL
LL:NG
~~~~~
Make sure you have already
:doc:`enabled OpenID Connect<../idpopenidconnect>` on your LemonLDAP::NG
server
You also need to allow the ``Implicit Flow`` under
``OpenID Connect Service`` » ``Security``
Then, add a Relaying Party with the following configuration
- Options » Authentification » Client ID : same as ``openid-client-id``
in ``guacamole.properties``
- Options » Allowed redirection address : same as
``openid-redirect-uri`` in ``guacamole.properties``
- Options » ID Token Signature Algorithm : ``RS512``
.. |image0| image:: /applications/guacamole.png
:class: align-center

BIN
doc/sources/admin/applications/http_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

247
doc/sources/admin/applications/humhub.rst Normal file
View File

@ -0,0 +1,247 @@
HumHub
======
|image0|
Présentation
------------
`HumHub <https://humhub.org/>`__ is a free and open-source social
network written on top of the `Yii2 PHP
framework <https://www.yiiframework.com/>`__ that provides an easy to
use toolkit for creating and launching your own social network.
Unauthenticated users may connect using a login form against HumHub
local database or a LDAP directory, or choose which authentication
service they want to use.
Administrator can configure one or several OAuth, OAuth2 or OIDC
authentication services to be displayed as buttons on the login page.
With :doc:`OpenID Connect<>` authentication service, users successfully
authenticated by LemonLDAP::NG will be registered in HumHub upon their
first login.
.. warning::
HumHub retrieves a user from his username and the
authentication service he came through. As a result, a former local or
LDAP user will be rejected when trying to authenticate using another
authentication service. See
:doc:`Migrate former local or ldap Humhub account to connect through SSO<>`
OpenID Connect
--------------
.. note::
This set-up works with option enablePrettyUrl activated in
Humhub. If not activated, rewrite URL in Humhub HTTP server and allowed
redirect URL in LemonLDAP needs to be adapted to work with the non
pretty URL format.
Configuring HumHub
~~~~~~~~~~~~~~~~~~
First disable LDAP (Administration > Users section) and delete (or
:doc:`migrate<>`) any local users whose username or email are
conflicting with the username or email of your OIDC users.
Then install and configure the `OIDC connector for
humhub <https://github.com/Worteks/humhub-auth-oidc>`__ extension using
composer :
- Install composer.
- Consider using prestissimo, to speed up composer update command (4x
faster):
::
composer global require hirak/prestissimo
::
* Go to {humhub_home} folder
- Check if composer.json file is present. If not, download it for your
current version:
::
wget https://raw.githubusercontent.com/humhub/humhub/v1.3.15/composer.json
- Install the connector as a dependency:
::
composer require --no-update --update-no-dev worteks/humhub-auth-oidc
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv
.. note::
If you just need to update the connector, change its version
in composer.json and run the above composer update command.
::
* Edit {humhub_home}/protected/config/common.php with the client configuration :
::
'components' => [
'authClientCollection' => [
'clients' => [
// ...
'lemonldapng' => [
'class' => 'worteks\humhub\authclient\OIDC',
'domain' => 'https://auth.example.com',
'clientId' => 'myClientId', // Client ID for this RP in LemonLDAP
'clientSecret' => 'myClientSecret', // Client secret for this RP in LemonLDAP
'defaultTitle' => 'auth.example.com', // Text displayed in login button
'cssIcon' => 'fa fa-lemon-o', // Icon displayed in login button
],
],
// ...
]
::
* Edit {humhub_home}/protected/config/web.php to disconnect users from LemonLDAP::NG after they logged out of Humhub:
::
return [
// ...
'modules' => [
'user' => [
'logoutUrl' => 'https://auth.domain.com/?logout=1',
],
]
];
User can now log in through SSO using a button on humhub logging page.
If you want to remove this intermediate login page, so user are
automatically logged in through SSO when they first access Humhub, you
can set up a redirection in the http server in front of the application
:
- Example in apache
::
RewriteEngine On
RewriteCond %{QUERY_STRING} !nosso [NC]
RewriteRule "^/user/auth/login$" "/user/auth/external?authclient=lemonldapng" [L,R=301]
- Example in nginx
::
if ($query_string !~ "nosso"){
rewrite ^/user/auth/login$ /user/auth/external?authclient=lemonldapng permanent;
}
If the authentication was successful but the user could not be
registered in Humhub (which often happen if there is a conflict between
source, username or email), Humhub will redirect to the login page to
display the error, which trigger a redirection to the portal, ultimately
triggering a loop error while registration error is not displayed.
To change this behavior and display the registration error,
AuthController.onAuthSuccess method needs to be adapted so redirect to
SSO will be bypassed when a registration error occured. This works for
version 1.3.15 :
::
* Go to {humhub_home} folder
* Execute
::
sed -i "s|return \$this->redirect(\['/user/auth/login'\]);|return \$this->redirect(['/user/auth/login','nosso'=>'showerror']);|" protected/humhub/modules/user/controllers/AuthController.php
Configuring LemonLDAP
~~~~~~~~~~~~~~~~~~~~~
If not done yet, configure LemonLDAP::NG as an
:doc:`OpenID Connect service<..//openidconnectservice>`.
Then, configure LemonLDAP::NG to recognize your HumHub instance as a
valid :doc:`new OpenID Connect Relying Party<..//idpopenidconnect>`
using the following parameters:
::
* **Client ID**: the same you set in HumHub configuration
* **Client Secret**: the same you set in HumHub configuration
* Add the following **exported attributes**
* **given_name**: user's givenName attribute
* **family_name**: user's sn attribute
* **email**: user's mail attribute
* **Redirect URIs** containing your Yii2 auth client ID.
Configuration sample using CLI:
::
$ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataExportedVars/humhub given_name givenName \
oidcRPMetaDataExportedVars/humhub family_name sn \
oidcRPMetaDataExportedVars/humhub email mail \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientID myClientId \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientSecret myClientSecret \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsRedirectUris 'https://humhub.example.com/user/auth/external?authclient=lemonldapng' \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsPostLogoutRedirectUris 'https://humhub.example.com' \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenExpiration 3600 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1 && \
Migrate former local or ldap Humhub account to connect through SSO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You need to manually update Humhub database to swith authentication mode
to LemonLDAP::NG.
Table "user":
::
* Columns "username" and "email" should match exactly OIDC sub and email attributes ;
* If former ldap user, change column "auth_mode" to "local".
Table "user_auth":
::
* Add an entry with user_id, username and "lemonldapng" as source (or the name you chose in your connector configuration) :
::
+---------+-------------+-------------+
| user_id | source | source_id |
+---------+-------------+-------------+
| 4 | lemonldapng | jdoe |
Troubleshooting
~~~~~~~~~~~~~~~
If LemonLDAP login page freezes because of a browser security blockage,
adapt security's CSP Form Action to allow HumHub host :
::
$ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
cspFormAction "'self' https://*.example.com"
.. |image0| image:: /applications/humhub_logo.png
:class: align-center

BIN
doc/sources/admin/applications/humhub_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.0 KiB

118
doc/sources/admin/applications/jitsimeet.rst Normal file
View File

@ -0,0 +1,118 @@
Jitsi Meet
==========
|image0|
Presentation
------------
`Jitsi Meet <https://github.com/jitsi/jitsi-meet>`__ is a WEBRTC-based
video conferencing application, powering the
`meet.jit.si <http://meet.jit.si>`__ online service.
Users may install their own instance of Jitsi Meet for private use, in
which case, they may use authentication to control the creation of
conference rooms.
The official documentation provides instructions on `how to configure
Jitsi Meet to use
Shibboleth <https://github.com/jitsi/jicofo/blob/master/doc/shibboleth.md>`__,
but with a little adaptation, it can work just as fine with
LemonLDAP::NG.
Configuration
-------------
Pre-requisites
~~~~~~~~~~~~~~
In this guide, it is assumed that you have followed the `Jitsi Meet
quick
start <https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md>`__
and that **you have installed Nginx on your Jitsi Meet server first**
If you have not done that, the Jitsi Meet installer will not generate a
Nginx configuration file for you. This is not a problem is you are
already using your own reverse proxy.
Jitsi Meet configuration
~~~~~~~~~~~~~~~~~~~~~~~~
As with the Shibboleth guide, you need to configure
``/etc/jitsi/jicofo/sip-communicator.properties``
::
org.jitsi.jicofo.auth.URL=shibboleth:default
org.jitsi.jicofo.auth.LOGOUT_URL=/logout/
This defines the login servlet as ``/login/`` and the logout URL as
``/logout/``
Jitsi Meet Nginx configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the Nginx configuration that the Jitsi Meet quickstart generated, you
must add the following blocks, just like you would in a typical handler
configuration file:
::
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
fastcgi_param HOST $http_host;
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Protect only the /login/ URL
# You may want to change this is your goal is to make the whole Jitsi Meet instance private
location /login/ {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
auth_request_set $mail $upstream_http_mail;
proxy_set_header mail $mail;
auth_request_set $displayname $upstream_http_displayName;
proxy_set_header displayName $displayname;
auth_request_set $lmcookie $upstream_http_cookie;
proxy_set_header Cookie: $lmcookie;
proxy_pass http://127.0.0.1:8888/login;
}
Jitsi Meet Virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Jitsi Meet.
Configure the :doc:`access rules<../writingrulesand_headers>`.
::
* Don't forget to configure the /logout/ URL
Configure the following :doc:`headers<../writingrulesand_headers>`.
- **mail**: $mail
- **displayName**: $cn
.. warning::
Jitsi meet expects to find a ``mail`` HTTP header, it
will ignore REMOTE_USER and only use the mail value to identify the
user.
.. |image0| image:: /applications/logo-jitsimeet.png
:class: align-center

190
doc/sources/admin/applications/liferay.rst Normal file
View File

@ -0,0 +1,190 @@
Liferay
=======
|image0|
Presentation
------------
`Liferay <http://www.liferay.com/>`__ is an enterprise portal.
Liferay can use LL::NG as an SSO provider but you have to manage how
users are created:
- By hand in Liferay administration screens
- Imported from an LDAP directory
Of course, integration will be full if you use the LDAP directory as
users backend for LL::NG and Liferay.
.. important::
If the user is not created, or can not be created via
LDAP import, the connection to Liferay will be refused. With LDAP,
login, mail, first name and last name are required attributes. If one is
missing, the user is not created.
This documentation just explains how to set up the SSO part. Please
refer to Liferay documentation to enable LDAP provisionning.
Configuration
-------------
Liferay administration
~~~~~~~~~~~~~~~~~~~~~~
Access to Liferay (first time):
|image1|
Login as administrator:
|image2|
Go to ``My Account``:
|image3|
Go to ``Portal`` » ``Settings``:
|image4|
Go to ``Configuration`` » ``Authentication``:
|image5|
In ``General``, fill at least the following information:
- **How do users authenticate?**: by login
.. tip::
We advice to deactivate other options, cause users will use
LL::NG portal to modify or reset their password.
|image6|
.. important::
You need to activate LDAP authentication, else SSO
authentication will not work. Do this in the control panel or in the
configuration file:
::
ldap.auth.enabled=true
Then use the ``SiteMinder`` tab to configure SSO:
- **Enabled**: Yes
- **Import from LDAP**: Yes (see :doc:`presentation<>`)
- **User Header**: Auth-User (case sensitive)
|image7|
.. important::
Do not forget to save your changes!
Liferay virtual host
~~~~~~~~~~~~~~~~~~~~
Configure Liferay virtual host like other
:doc:`protected virtual host<../configvhost>`.
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName liferay.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name liferay.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
Liferay virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Liferay.
Just configure the :doc:`access rules<../writingrulesand_headers>`. You
can add a rule for logout:
::
^/c/portal/logout => logout_sso
Configure the ``Auth-User`` :doc:`header<../writingrulesand_headers>`.
.. |image0| image:: /applications/liferay_logo.png
:class: align-center
.. |image1| image:: /documentation/liferay_1.png
:class: align-center
:width: 600px
.. |image2| image:: /documentation/liferay_2.png
:class: align-center
:width: 600px
.. |image3| image:: /documentation/liferay_3.png
:class: align-center
:width: 600px
.. |image4| image:: /documentation/liferay_4.png
:class: align-center
:width: 600px
.. |image5| image:: /documentation/liferay_5.png
:class: align-center
:width: 600px
.. |image6| image:: /documentation/liferay_6.png
:class: align-center
:width: 600px
.. |image7| image:: /documentation/liferay_7.png
:class: align-center
:width: 600px

BIN
doc/sources/admin/applications/liferay_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.9 KiB

124
doc/sources/admin/applications/limesurvey.rst Normal file
View File

@ -0,0 +1,124 @@
LimeSurvey
==========
|image0|
Presentation
------------
`LimeSurvey <http://www.limesurvey.org>`__ is a web survey software
written in PHP.
HTTP Headers
------------
LimeSurvey has a webserver authentication mode that allows one to
integrate it directly into LemonLDAP::NG.
To have a stronger integration, we will configure LimeSurvey to
autocreate unknown users and use HTTP headers to fill name and mail.
.. important::
We suppose that LimeSurvey is installed in
/var/www/html/limesurvey
LimeSurvey configuration
~~~~~~~~~~~~~~~~~~~~~~~~
In Administration panel, go in Configuration > Parameters > Extensions
manager. Select the WebServer module and configure it.
|image1|
This is enough for the authentication part.
.. tip::
If you are blocked, you can deactivate the plugin with this
request in database:
::
update lime_plugins SET active=0 where name="Authwebserver";
To configure account autocreation, you need to edit
application/config/config.php: The configuration is done in config.php:
::
vi /var/www/html/limesurvey/application/config/config.php
.. code:: php
'config'=>array(
// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
// then please check your error-logs - either in your hosting provider admin panel or in some /logs directory
// on your webspace.
// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates
'debug'=>0,
'debugsql'=>0, // Set this to 1 to enanble sql logging, only active when debug = 2
// Update default LimeSurvey config here
'auth_webserver_autocreate_user' => true,
'auth_webserver_autocreate_profile' => Array('full_name' => $_SERVER['HTTP_AUTH_CN'],'email' => $_SERVER['HTTP_AUTH_MAIL'],'lang'=>'en'),
'auth_webserver_autocreate_permissions' => Array('surveys' => array('create'=>true,'read'=>false,'update'=>false,'delete'=>false)),
)
See also
https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import
LimeSurvey virtual host
~~~~~~~~~~~~~~~~~~~~~~~
Configure LimeSurvey virtual host like other
:doc:`protected virtual host<../configvhost>`.
LimeSurvey virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for LimeSurvey.
Headers
^^^^^^^
=========== ==============
Header name Description
=========== ==============
Auth-User user login
Auth-Cn user full name
Auth-Mail user email
=========== ==============
Rules
^^^^^
========= =========== ========================================
Rule name Expression Description
========= =========== ========================================
Logout /sa/logout$ Logout rule (for example logout_app_sso)
Admin Allow only admin and superadmin users
Default default Allow only users with a LimeSurvey role
========= =========== ========================================
.. tip::
You can set the default access to:
::
* **accept**: all authenticated users will access surveys
* **unprotect**: no authentication will be asked to access surveys
.. |image0| image:: /applications/limesurvey_logo.png
:class: align-center
.. |image1| image:: /applications/screenshot_limesurvey_configuration.png
:class: align-center

BIN
doc/sources/admin/applications/limesurvey_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
doc/sources/admin/applications/logo-ansibletower.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 47 KiB

BIN
doc/sources/admin/applications/logo-awx.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
doc/sources/admin/applications/logo-jitsimeet.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.8 KiB

BIN
doc/sources/admin/applications/logo_amazon_web_services.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.8 KiB

BIN
doc/sources/admin/applications/logo_office_365.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

135
doc/sources/admin/applications/mattermost.rst Normal file
View File

@ -0,0 +1,135 @@
Mattermost Team Edition
=======================
|image0|
Presentation
------------
Mattermost is a team-based instant messaging application.
See `the official Mattermost website <https://mattermost.com/>`__ for a
complete presentation.
Mattermost follows an Open Core development model. The freely available
`Team edition <https://docs.mattermost.com/developer/manifesto.html>`__
contains all the basic chat features, but lack the integration
capabilities found in the `Enterprise
edition <https://mattermost.com/pricing/>`__.
The Enterprise edition provides `SAML
integration <https://docs.mattermost.com/deployment/sso-saml.html>`__
out of the box, and you can configure it just like
:doc:`any other SAML service in LemonLDAP::NG<..//idpsaml>`
The Team edition, however, only provides SSO integration with Gitlab.
However, it is possible to configure LemonLDAP::NG to behave exactly
like a Gitlab Oauth2 server, allowing Mattermost Team Edition to be
integrated with LemonLDAP::NG without having to use a
:doc:`Gitlab<gitlab>` server.
.. warning::
The following configuration requires your user database
to expose a unique numeric identifier for every user.
Configuring Mattermost Team Edition
-----------------------------------
Configuring Mattermost through the *System Console* will not allow you
to set the correct URLs. You need to edit the Mattermost configuration
file, and avoid changing Gitlab integration settings in the *System
Console*
Set the following settings in ``/opt/mattermost/config/config.json``
::
"GitLabSettings": {
"Enable": true,
"Secret": "CHOOSE_A_CLIENT_SECRET",
"Id": "CHOOSE_A_CLIENT_ID",
"Scope": "",
"AuthEndpoint": "https://auth.example.com/oauth2/gitlab_authorize",
"TokenEndpoint": "https://auth.example.com/oauth2/token",
"UserApiEndpoint": "https://auth.example.com/oauth2/userinfo"
},
Configuring your web server
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mattermost does not use OpenID Connect to communicate with Gitlab, but
uses plain OAuth2 instead. Because of that, LemonLDAP::NG will not
receive the ``scope=`` parameter and will display an error on the portal
when trying to authenticate.
In order to fix this, we can add a fake OAuth2 authorize URL on the
LemonLDAP::NG server that will automatically add this ``scope=``
parametrer, before sending the request to the correct OIDC URL
Here is an example configuration for Nginx, add it in your Portal
virtualhost before any other rewrite rule:
::
rewrite ^/oauth2/gitlab_(authorize.*)$ https://auth.example.com/oauth2/$1?scope=openid%20gitlab ;
And if you are using Apache
::
RewriteRule "^/oauth2/gitlab_authorize(.*)$" "https://auth.example.com/oauth2/authorize?$1scope=openid gitlab" [QSA,NE]
Configuring LemonLDAP
~~~~~~~~~~~~~~~~~~~~~
We now have to configure LemonLDAP::NG to recognize Mattermost as a
valid OAuth2 relaying party and send it the information it needs to
recognize a user.
Add a :doc:`new OpenID Connect relaying party<..//idpopenidconnect>`
with the following parameters:
::
* **Client ID**: the same you set in Mattermost configuration
* **Client Secret**: the same you set in Mattermost configuration
* Add a new scope in "Extra claims"
* **Key**: ''gitlab''
* **Value**: ''id username name email''
* Add the following exported attributes
* ''username'': set it to the session attribute containing the user login
* ''name'': session attribute containing the user's full name
* ''email'': session attribute containing the user's email
* ''id'': session attribute containing the user's numeric ID
.. warning::
Mattermost absolutely needs to receive a numerical value
in the ``id`` claim. If you are using a LDAP server, you could use the
``uidNumber`` LDAP attribute. If you use something else, you will have
to find a trick to assign a unique numeric ID to each Mattermost user.
The ``id`` attribute has to be different for each user, since this is
the field Mattermost will use internally to map Gitlab identities to
Mattermost accouts.
Troubleshooting
~~~~~~~~~~~~~~~
If you see a HTTP code 500 when going back to mattermost, with a panic()
in ``(*GitLabUser).IsValid(...)`` , it probably means that you are not
exporting the correct attributes, but it can also mean that ``id`` is
exported as a JSON string.
If this case, it can help to create a macro, for example
``uidNumber_n``, with a value of ``$uidNumber + 0`` to force conversion
to a numeric value. You must then export it as the ``id`` field in the
Relaying Party configuration.
.. |image0| image:: /applications/mattermost_logo.png
:class: align-center

BIN
doc/sources/admin/applications/mattermost_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.6 KiB

208
doc/sources/admin/applications/mediawiki.rst Normal file
View File

@ -0,0 +1,208 @@
MediaWiki
=========
|image0|
Presentation
------------
`MediaWiki <http://www.mediawiki.org>`__ is a wiki software, used by the
well known `Wikipedia <http://www.wikipedia.org>`__.
Several extensions allows one to configure SSO on MediaWiki:
- `Automatic
REMOTE_USER <http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER>`__
- `Siteminder
Authentication <http://www.mediawiki.org/wiki/Extension:Siteminder_Authentication>`__
We will explain how to use `Automatic
REMOTE_USER <http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER>`__
extension.
Installation
------------
The extension is presented here:
http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER
You can download the code here:
https://www.mediawiki.org/wiki/Special:ExtensionDistributor/Auth_remoteuser
You have to install '' Auth_remoteuser'' in the ``extensions/``
directory of your MediaWiki installation:
::
cp -a Auth_remoteuser/ extensions/
Configuration
-------------
MediWiki local configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Then edit MediaWiki local settings
::
vi LocalSettings.php
.. code:: php
require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php";
$wgAuth = new Auth_remoteuser();
Add then extension configuration, for example:
.. code:: php
$wgAuthRemoteuserAuthz = true; /* Your own authorization test */
$wgAuthRemoteuserName = $_SERVER["HTTP_AUTH_CN"]; /* User's name */
$wgAuthRemoteuserMail = $_SERVER["HTTP_AUTH_MAIL"]; /* User's Mail */
$wgAuthRemoteuserNotify = false; /* Do not send mail notifications */
//$wgAuthRemoteuserDomain = "NETBIOSDOMAIN"; /* Remove NETBIOSDOMAIN\ from the beginning or @NETBIOSDOMAIN at the end of a IWA username */
/* User's mail domain to append to the user name to make their email address */
//$wgAuthRemoteuserMailDomain = "example.com";
// see http://www.mediawiki.org/wiki/Manual:Hooks/SpecialPage_initList
// and http://www.mediawiki.org/w/Manual:Special_pages
// and http://lists.wikimedia.org/pipermail/mediawiki-l/2009-June/031231.html
// disable login and logout functions for all users
function LessSpecialPages(&$list) {
unset( $list['Userlogout'] );
unset( $list['Userlogin'] );
return true;
}
$wgHooks['SpecialPage_initList'][]='LessSpecialPages';
// http://www.mediawiki.org/wiki/Extension:Windows_NTLM_LDAP_Auto_Auth
// remove login and logout buttons for all users
function StripLogin(&$personal_urls, &$wgTitle) {
unset( $personal_urls["login"] );
unset( $personal_urls["logout"] );
unset( $personal_urls['anonlogin'] );
return true;
}
$wgHooks['PersonalUrls'][] = 'StripLogin';
.. warning::
In last version of Auth_remoteuser and Mediawiki, empty
passwords are not authorized, so you may need to patch the extension
code if you get the error: "Unexpected REMOTE_USER authentication
failure. Login Error was:EmptyPass". If necessary, use the code
below to patch the extension:
::
sed -i "s/'wpPassword' => ''/'wpPassword' => 'none'/" extensions/Auth_remoteuser/Auth_remoteuser.body.php
.. warning::
In last version of Auth_remoteuser and Mediawiki,
auto-provisioning requires REMOTE_USER to match the normalized mediawiki
username (for example: john_doe -> john doe), so you may need to patch
the extension code if you get the error: "Unexpected REMOTE_USER
authentication failure. Login Error was:WrongPluginPass" You can
use the code below for normalizing logins containing "_" in the
extension:
::
sed -i '/$usertest = $this->getRemoteUsername();/a\ $usertest = str_replace( "_"," ", $usertest );' extensions/Auth_remoteuser/Auth_remoteuser.body.php
MediaWiki virtual host
~~~~~~~~~~~~~~~~~~~~~~
Configure MediaWiki virtual host like other
:doc:`protected virtual host<../configvhost>`.
.. important::
If you are protecting MediaWiki with LL::NG as reverse
proxy,
:doc:`convert header into REMOTE_USER environment variable<../header_remote_user_conversion>`.
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName mediawiki.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name mediawiki.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
MediaWiki virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for MediaWiki.
Just configure the :doc:`access rules<../writingrulesand_headers>`. You
can also add a rule for logout:
::
Userlogout => logout_sso
You can create these two headers to fill user name and mail (see
extension configuration):
::
Auth-Cn => $cn
Auth-Mail => $mail
If using LL::NG as reverse proxy, configure also the ``Auth-User``
:doc:`header<../writingrulesand_headers>`,
.. |image0| image:: /applications/mediawiki_logo.png
:class: align-center

BIN
doc/sources/admin/applications/mediawiki_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
doc/sources/admin/applications/microsoft-adfs.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.9 KiB

BIN
doc/sources/admin/applications/my_domain_salesforce-resize-web.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

BIN
doc/sources/admin/applications/nextcloud-logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.2 KiB

137
doc/sources/admin/applications/nextcloud.rst Normal file
View File

@ -0,0 +1,137 @@
NextCloud
=========
|image0|
Presentation
------------
`NextCloud <https://nextcloud.com/>`__ is a fork of Owncloud, suite of
client-server software for creating file hosting services and using
them.
This documentation explains how to interconnect LemonLDAP::NG and
NextCloud using SAML 2.0 protocol.
Pre-requisites
--------------
.. _nextcloud-1:
NextCloud
~~~~~~~~~
You need to `install the
software <https://docs.nextcloud.com/server/10/admin_manual/installation/index.html>`__.
.. tip::
If your NextCloud is behind a proxy (thus having a private
IP), metadata generated by NextCloud won't work.
Consider changing the configuration of NextCloud to force the domain, in
**$nextcloudrootwww/config/config.php**, add the following:
.. code:: php
'overwritehost' => 'nextcloud.example.com',
You also need to enable the "SAML authentication" plugin in your
NextCloud. <code> + Apps -> Not enabled -> SAML authentication</code>
LL:NG
~~~~~
You need to enable SAML 2.0 issuer module in LL:NG:
::
"General Parameters -> Issuer modules -> SAML -> Activation"
|image1|
NextCloud, SAML 2.0 configuration
---------------------------------
Configuration of SAML 2.0 in NextCloud is pretty straightforward.
::
Administration -> SAML authentication
You will find the following fields:
- **Attribute to map the UID to**: Identity attribute provided by your
LL:NG that will be used as UID in NextCloud.
- **Identity Provider Data**:
- **Identifier of the IdP entity**: SAML Metadata URL of your LL:NG
- **URL Target of the IdP where the SP will send the Authentication
Request Message**: SingleSignOn URL of your LL:NG
- **URL Location of the IdP where the SP will send the SLO
Request**: SingleLogOut URL of your LL:NG
- **Public X.509 certificate of the IdP**: Certificate of your LL:NG
(see below for instructions)
We need a few steps to generate our LL:NG certificate (unless you
already have one). You first need to create a pair of SSH Keys in LL:NG:
::
SAML 2 Service -> Security Parameters -> Signature
and click "New keys" |image2|
Take the private key in a private.key file, and run the following:
::
openssl req -new -key private.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey private.key -out cert.pem
Copy/Paste the content of your new cert.pem in the "Public X.509
certificate of the IdP" field of your NextCloud.
Your fields should look like this: |image3|
You can now download your metadata xml file.
LL:NG, SAML 2.0 Service Provider configuration
----------------------------------------------
We now have to define a service provider (e.g our nextcloud) in LL:NG.
Go to "SAML service providers", click on "Add SAML SP" and name it as
you want (example : 'NextCloud')
In the new subtree 'NextCloud', open 'Metadata' and paste the content of
your previously downloaded file (or upload the file)
|image4|
Now go in "Exported attributes" and add, at least, the 'uid'
|image5|
Don't forget to save your configuration.
You are now good to go, and you can add the application in
:doc:`your menu<../portalmenu>` and
:doc:`your virtual hosts<../configvhost>`.
.. |image0| image:: /applications/nextcloud-logo.png
:class: align-center
.. |image1| image:: /applications/nextcloud_saml_activation.png
:class: align-center
.. |image2| image:: /applications/nextcloud_certificate_keys.png
:class: align-center
.. |image3| image:: /applications/nextcloud_saml_configuration.png
:class: align-center
.. |image4| image:: /applications/nextcloud_service_metadata.png
:class: align-center
.. |image5| image:: /applications/nextcloud_service_exportedattributes.png
:class: align-center

BIN
doc/sources/admin/applications/nextcloud_certificate_keys.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 187 KiB

BIN
doc/sources/admin/applications/nextcloud_saml_activation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
doc/sources/admin/applications/nextcloud_saml_configuration.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 85 KiB

BIN
doc/sources/admin/applications/nextcloud_service_exportedattributes.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 69 KiB

BIN
doc/sources/admin/applications/nextcloud_service_metadata.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

18
doc/sources/admin/applications/nginx.rst Normal file
View File

@ -0,0 +1,18 @@
Nginx
=====
.. important::
Nginx is fully supported by LemonLDAP::NG since version
1.9.
Presentation
------------
Nginx is a very fast web server. It can be used to host the portal or
the manager through its FastCGI support and can be used to protect
applications using the auth_request module (dialing with a FastCGI
authorization server). See
:doc:`installation pages<../start>` to know how install
and use it.

260
doc/sources/admin/applications/obm.rst Normal file
View File

@ -0,0 +1,260 @@
OBM
===
|image0|
Presentation
------------
`OBM <http://obm.org>`__ is enterprise-class messaging and collaboration
platform for workgroup or enterprises with many thousands users. OBM
includes Groupware, messaging server, CRM, LDAP, Windows Domain,
smartphone and PDA synchronization…
OBM is shipped with a LL::NG plugin with these features:
- SSO on OBM web interface
- Logout
- User provisioning (account auto creation at first connection)
Configuration
-------------
.. _obm-1:
OBM
~~~
To enable LL::NG authentication plugin, go in ``/etc/obm/obm_conf.inc``:
.. code:: php
$auth_kind = 'LemonLDAP';
$lemonldap_config = Array(
"auto_update" => true,
"auto_update_force_user" => true,
"auto_update_force_group" => false,
"url_logout" => "https://OBMURL/logout",
"server_ip_address" => "localhost",
"server_ip_check" => false,
"debug_level" => "NONE",
// "debug_header_name" => "HTTP_OBM_UID",
// "group_header_name" => "HTTP_OBM_GROUPS",
"headers_map" => Array(
//"userobm_gid" => "HTTP_OBM_GID",
//"userobm_domain_id" => ,
"userobm_login" => "HTTP_OBM_UID",
"userobm_password" => "HTTP_OBM_USERPASSWORD",
//"userobm_password_type" => ,
"userobm_perms" => "HTTP_OBM_PERMS",
//"userobm_kind" => ,
"userobm_lastname" => "HTTP_OBM_SN",
"userobm_firstname" => "HTTP_OBM_GIVENNAME",
// "userobm_title" => "HTTP_OBM_TITLE",
"userobm_email" => "HTTP_OBM_MAIL",
"userobm_datebegin" => "HTTP_OBM_DATEBEGIN",
//"userobm_account_dateexp" => ,
//"userobm_delegation_target" => ,
//"userobm_delegation" => ,
"userobm_description" => "HTTP_OBM_DESCRIPTION",
//"userobm_archive" => ,
//"userobm_hidden" => ,
//"userobm_status" => ,
//"userobm_local" => ,
//"userobm_photo_id" => ,
"userobm_phone" => "HTTP_OBM_TELEPHONENUMBER",
//"userobom_phone2" => ,
//"userobm_mobile" => ,
"userobm_fax" => "HTTP_OBM_FACSIMILETELEPHONENUMBER",
//"userobm_fax2" => ,
"userobm_company" => "HTTP_OBM_O",
//"userobm_direction" => ,
"userobm_service" => "HTTP_OBM_OU",
"userobm_address1" => "HTTP_OBM_POSTALADDRESS",
//"userobm_address2" => ,
//"userobm_address3" => ,
"userobm_zipcode" => "HTTP_OBM_POSTALCODE",
"userobm_town" => "HTTP_OBM_L",
"userobm_zipcode" => "HTTP_OBM_POSTALCODE",
"userobm_town" => "HTTP_OBM_L",
//"userobm_expresspostal" => ,
//"userobm_host_id" => ,
//"userobm_web_perms" => ,
//"userobm_web_list" => ,
//"userobm_web_all" => ,
//"userobm_mail_perms" => ,
//"userobm_mail_ext_perms" => ,
//"userobm_mail_server_id" => ,
//"userobm_mail_server_hostname" => ,
"userobm_mail_quota" => "HTTP_OBM_MAILQUOTA",
//"userobm_nomade_perms" => ,
//"userobm_nomade_enable" => ,
//"userobm_nomade_local_copy" => ,
//"userobm_email_nomade" => ,
//"userobm_vacation_enable" => ,
//"userobm_vacation_datebegin" => ,
//"userobm_vacation_dateend" => ,
//"userobm_vacation_message" => ,
//"userobm_samba_perms" => ,
//"userobm_samba_home" => ,
//"userobm_samba_home_drive" => ,
//"userobm_samba_logon_script" => ,
// ---- Unused values ? ----
"userobm_ext_id" => "HTTP_OBM_SERIALNUMBER",
//"userobm_system" => ,
//"userobm_nomade_datebegin" => ,
//"userobm_nomade_dateend" => ,
//"userobm_location" => ,
//"userobm_education" => ,
),
);
Parameters:
- **url_logout**: URL used by OBM to logout, will be caught by LL::NG
- **headers_map**: map OBM internal field to LL::NG header
Edit also OBM configuration to enable LL::NG Handler:
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName obm.example.com
# SSO protection
PerlHeaderParserHandler Lemonldap::NG::Handler
DocumentRoot /usr/share/obm/php
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name obm.example.com;
root /usr/share/obm/php;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location ~ \.php$ {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
LL::NG
~~~~~~
Attributes and macros
^^^^^^^^^^^^^^^^^^^^^
You will need to collect all attributes needed to create a user in OBM,
this includes:
- First name
- Last name
- Login
- Mail
- ...
To add these attributes, go in Manager, ``Variables`` »
``Exported Variables``.
.. important::
If you plan to forward user's password to OBM, then you
have to :doc:`keep the password in session<../passwordstore>`.
You may also create these macros to manage OBM administrator account
(``Variables`` » ``Macros``):
===== ====================================================== =============================== == ==============================
field value
===== ====================================================== =============================== == ==============================
uidR ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid
mailR %%($uid =~ / admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com" %%
===== ====================================================== =============================== == ==============================
Virtual host
^^^^^^^^^^^^
Create OBM virtual host (for example obm.example.com) in LL::NG
configuration: ``Virtual Hosts`` » ``New virtual host``.
Then edit rules and headers.
Rules
'''''
Define at least:
- **Default rule**: who can access to the application
- **Logout rule**: catch OBM logout
- **Exceptions**: allow anonymous access for specific URLs (connectors,
etc.)
============================= =============================
field value
============================= =============================
^/logout logout_sso
^/obm-sync unprotect
^/minig unprotect
^/Microsoft-Server-ActiveSync unprotect
^/caldav unprotect
default accept (or whatever you want)
============================= =============================
Headers
'''''''
Define headers used in OBM mapping, for example:
================ ==========
field valeur
================ ==========
OBM_GIVENNAME $givenName
OBM_GROUPS $groups
OBM_UID $uidR
OBM_MAIL $mailR
OBM_USERPASSWORD $_password
================ ==========
Other
^^^^^
Do not forget to add OBM in :doc:`applications menu<../portalmenu>`.
.. |image0| image:: /applications/obm_logo.png
:class: align-center

BIN
doc/sources/admin/applications/obm_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 13 KiB

75
doc/sources/admin/applications/office365.rst Normal file
View File

@ -0,0 +1,75 @@
Office 365
==========
|image0|
Presentation
------------
`Office 365 <https://en.wikipedia.org/wiki/Office_365>`__ provides
online access to Microsoft products like Office, Outlook or Yammer.
Authentication is done on https://login.microsoftonline.com/ and can be
forwarded to an SAML Identity Provider.
Configuration
-------------
.. _office-365-1:
Office 365
~~~~~~~~~~
You first need to install AzureAD PowerShell to be able to run
administrative commands.
Then run this script:
.. code:: bash
$dom = "mycompany.com"
$brand = "My Company"
$url = "https://auth.example.com/saml/singleSignOn"
$uri = "https://auth.example.com/saml/metadata"
$logouturl = "https://auth.example.com/?logout=1"
$cert = "xxxxxxxxxxxxxxxxxxx"
Set-MsolDomainAuthentication DomainName $dom -FederationBrandName $brand -Authentication Federated -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
Where parameters are:
- dom: Your Office 365 domain
- brand: Simple label
- url: The SAML SSO endpoint
- uri: The SAML metadata endpoint
- logouturl: Logout URL
- cert: The SAML certificate containing the signature public key
If you have several Office365 domains, you can't use the same URLs for
each domains. To be able to have a single SAML IDP for several domains,
you must add the 'domain' GET parameters at the end of SSO endpoint and
metadata URLs, for example:
- domain 'mycompany.com':
- url: https://auth.example.com/saml/singleSignOn?domain=mycompany
- uri: https://auth.example.com/saml/metadata?domain=mycompany
- domain 'myfirm.com':
- url: https://auth.example.com/saml/singleSignOn?domain=myfirm
- uri: https://auth.example.com/saml/metadata?domain=myfirm
LemonLDAP::NG
~~~~~~~~~~~~~
Create a new SAML Service Provider and import Microsoft metadata from
https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml
Set the NameID value to persistent, or any immutable value for the user.
Create a SAML attribute named IDPEmail which contains the user principal
name (UPN).
.. |image0| image:: /applications/logo_office_365.png
:class: align-center

109
doc/sources/admin/applications/phpldapadmin.rst Normal file
View File

@ -0,0 +1,109 @@
phpLDAPadmin
============
|image0|
Presentation
------------
`phpLDAPadmin <http://phpldapadmin.sourceforge.net>`__ is an LDAP
administration tool written in PHP.
phpLDAPadmin will connect to the directory with a static DN and
password, and so will not request authentication anymore. The access to
phpLDAPadmin will be protected by LemonLDAP::NG with specific access
rules.
.. warning::
phpLDAPadmin will have no idea of the user connected to
the WebSSO. So a simple user can have admin rights on the LDAP directory
if your access rules are too lazy.
Configuration
-------------
phpLDAPadmin local configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Just set the authentication type to ``config`` and indicate DN and
password inside the file ``config.php``:
.. code:: php
$ldapservers->SetValue($i,'server','auth_type','config');
$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=com');
$ldapservers->SetValue($i,'login','pass','secret');
phpLDAPadmin virtual host
~~~~~~~~~~~~~~~~~~~~~~~~~
Configure phpLDAPadmin virtual host like other
:doc:`protected virtual host<../configvhost>`.
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName phpldapadmin.example.com
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name phpldapadmin.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
phpLDAPadmin virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for phpLDAPadmin.
Just configure the :doc:`access rules<../writingrulesand_headers>`.
No :doc:`headers<../writingrulesand_headers>` are required.
.. |image0| image:: /applications/phpldapadmin_logo.png
:class: align-center

BIN
doc/sources/admin/applications/phpldapadmin_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

48
doc/sources/admin/applications/roundcube.rst Normal file
View File

@ -0,0 +1,48 @@
RoundCube
=========
Presentation
------------
`RoundCube <http://www.roundcube.net>`__ webmail is a browser-based
multilingual IMAP client with an application-like user interface. It
provides full functionality you expect from an email client, including
MIME support, address book, folder manipulation, message searching and
spell checking.
Configuration
-------------
LemonLDAP::NG
~~~~~~~~~~~~~
- Add a new virtual host webmail.domain.tld
- Add a new rule:
::
"^/\?_task\=logout" -> "logout_app https://auth.domain.tld"
- in HTTP headers, you need Auth-User ($mail) and Auth-Pw ($_password).
.. important::
To be able to forward password to RoundCube, see
:doc:`how to store password in session<../passwordstore>`\
- Configure :doc:`Apache or Nginx virtual host<../configvhost>`
.. _roundcube-1:
RoundCube
~~~~~~~~~
- install http_authentication plugin
- Patch it to replace ``PHP_AUTH_*`` by ``HTTP_AUTH_*``
- enable http_authentication plugin in main.inc.php :
.. code:: php
$rcmail_config['plugins'] = array('http_authentication');

BIN
doc/sources/admin/applications/roundcube_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.4 KiB

BIN
doc/sources/admin/applications/salesforce-logo.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

130
doc/sources/admin/applications/salesforce.rst Normal file
View File

@ -0,0 +1,130 @@
SalesForce
==========
|image0|
Presentation
------------
Salesforce Inc. is a cloud computing company. It is best known for their
CRM products and social networking applications.
It allows one to use SAML to authenticate users. It can deal with both
SP and IdP initiated modes.
This page presents the SP initiated mode.
To work with LL::NG it requires:
- LL::NG configured as :doc:`SAML Identity Provider<../idpsaml>`
Configuration
-------------
You should have configured LL::NG as a
:doc:`SAML Identity Provider<../idpsaml>`.
Create Salesforce domain
~~~~~~~~~~~~~~~~~~~~~~~~
|image1|
For using SP-initiated mode, you must create your salesforce domain.
Creation can take up to 1 hour. (if it is superior to 1h, then there is
a problem. Problems are generally resolved in up to 72 hours)
Then you must **deploy** this domain in order to go on with the
configuration.
Finally, just ensure that at least:
- Login policy
- Redirect policy
- domain name
- authentication service
match with the correct values. (adapt the domain if necessary)
.. important::
For now, the authentication service parameter has no
domain available. You must come back later to fill this parameter. Once
SAML cinematics are working, you can then put your domain, and delete
the login form, and you'll have an automatic redirection to your
Identity Provider (no need for the user to click). Note that you can
always access Salesforce by the general login page:
https://login.salesforce.com\
SAML settings
~~~~~~~~~~~~~
Salesforce is not able to read metadata, you must fill the information
into a form.
|image2|
Go to the SAML Single Sign On settings, and fill these information:
- Name: should be filled automatically with your organization or domain
- SAML Version: check that version 2.0 is used
- Issuer: this is the LemonLDAP::NG (our IdP) Entity Id, which is by
default #PORTAL#/saml/metadata
- Identity Provider Certificate: whereas it is mentioned that this is
the authentication certificate, you must give your LemonLDAP::NG
(IdP) signing certificate. If you don't have one, create it with the
signing key pair already generated (you could do this with openssl).
SSL authentication (https) does not seem to be checked anyway.
- Signing Certificate: choose a certificate for SP signature. (create
one if none is present)
- Assertion decryption Certificate: choose a certificate only if you
want to cipher your assertion. (default is not to cipher)
- SAML Identity Type: choose Federation ID. This means that the user
Name ID will be mapped to the Federation ID field. (see next section)
- SAML Identity Location: choose if the user Name ID is held in the
subject or in some attribute
- Identity Provider Login URL: the user/password SAML portal location
on the IdP
- Identity Provider Logout URL: the logout location on the IdP
- Custom Error URL: you can redirect the user to a special page when an
error is happening
- SP Initiated Binding: chose any of the supported binding (every one
listed there is currently supported on LemonLDAP::NG) HTTP POST is a
good choice
- Salesforce Login URL: generated automatically. This is the entry
point of our login cinematic.
- OAuth 2.0 Token Endpoint: not used here
- API Name: filled automatically
- User Provisioning Enabled: should create automatically the user in
Salesforce (not functionnal right now)
- EntityId: Salesforce (the SP) Entity ID. Fill this field accordingly.
It should be the same value as the organization domain url, displayed
on the previous section
Configure Federation ID
~~~~~~~~~~~~~~~~~~~~~~~
Finally, configure for each user his Federation ID value. It will be the
link between the SAML assertion coming from LemonLDAP::NG (the IdP) and
a given user in Salesforce. Here, the mail has been chosen as the user
Name ID.
|image3|
Once this is completed, click to export the Salesforce metadata and
import them into LemonLDAP::NG, into the declaration of the Salesforce
Service Provider.
See
:doc:`Register partner Service Provider on LemonLDAP::NG<../idpsaml>`
configuration chapter.
.. |image0| image:: /applications/salesforce-logo.jpg
:class: align-center
.. |image1| image:: /applications/my_domain_salesforce-resize-web.png
:class: align-center
.. |image2| image:: /applications/saml_sso_settings-resize-web.png
:class: align-center
.. |image3| image:: /applications/user_federation_id-resize-web.png
:class: align-center

BIN
doc/sources/admin/applications/saml-awx.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 152 KiB

BIN
doc/sources/admin/applications/saml_sso_settings-resize-web.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 106 KiB

20
doc/sources/admin/applications/sap.rst Normal file
View File

@ -0,0 +1,20 @@
SAP
===
|SAP|
HTTP header
-----------
Read the following documentation:
http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm
SAML
----
Read the following documentation:
https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm
.. |SAP| image:: /applications/SAPLogo.gif
:class: align-center

BIN
doc/sources/admin/applications/saplogo.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 538 B

BIN
doc/sources/admin/applications/screenshot_dokuwiki_configuration.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
doc/sources/admin/applications/screenshot_grr_configuration.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
doc/sources/admin/applications/screenshot_limesurvey_configuration.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

253
doc/sources/admin/applications/simplesamlphp.rst Normal file
View File

@ -0,0 +1,253 @@
simpleSAMLphp
=============
|image0|
Presentation
------------
`simpleSAMLphp <https://simplesamlphp.org/>`__ is an identity/service
provider written in PHP. It supports a lot of protocols like CAS, OpenID
and SAML.
This documentation explains how to interconnect LemonLDAP::NG and
simpleSAMLphp using SAML 2.0 protocol.
Pre-requisites
--------------
.. _simplesamlphp-1:
simpleSAMLphp
~~~~~~~~~~~~~
You need to `install the
software <https://simplesamlphp.org/docs/stable/simplesamlphp-install>`__.
If using Debian, just do:
::
apt-get install simplesamlphp
We suppose that configuration is done in ``/etc/simplesamlphp`` and that
simpleSAMLphp is accessible at http://localhost/simplesamlphp.
To be able to sign SAML messages, you need to create a certificate.
First set where certificates are stored:
::
vi /etc/simplesamlphp/config.php
.. code:: php
'certdir' => '/etc/simplesamlphp/certs/',
Create directory and generate the certificate
::
mkdir /etc/simplesamlphp/certs/
cd /etc/simplesamlphp/certs/
openssl req -newkey rsa:2048 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
Then associate this certificate to the default SP:
::
vi /etc/simplesamlphp/authsources.php
.. code:: php
'default-sp' => array(
'saml:SP',
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
LemonLDAP::NG
~~~~~~~~~~~~~
You need to configure :doc:`SAML Service<../samlservice>`. Be sure to
convert public key in a certificate, as described in the
:doc:`security chapter<../samlservice>` as simpleSAMLphp can't use the
public key.
simpleSAMLphp as Service Provider
---------------------------------
We suppose you configured LemonLDAP::NG as
:doc:`SAML Identity Provider<../idpsaml>` and want to use simpleSAMLphp
as Service Provider.
In LL::NG Manager, create an new SP and load simpleSAMLphp metadata
trough URL (by default:
http://localhost/simplesamlphp/module.php/saml/sp/metadata.php/default-sp):
|image1|
Then set some attributes that will be sent to simpleSAMLphp:
|image2|
.. tip::
Set ``Mandatory`` to ``On`` to force attributes in
authentication response.
You can also force all signatures:
|image3|
On simpleSAMLphp side, use the metadata converter (by default:
http://localhost/simplesamlphp/admin/metadata-converter.php) to convert
LL::NG metadata (by default: http://auth.example.com/saml/metadata) into
internal PHP representation. Copy the ``saml20-idp-remote`` content:
::
vi /etc/simplesamlphp/metadata/saml20-idp-remote.php
.. code:: php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
'entityid' => 'http://auth.example.com/saml/metadata',
...
// Add this option to force SLO requests signature
'sign.logout' => true,
);
?>
.. tip::
Don't forget PHP start and end tag to have a valid PHP
file.
All is ready, you can now test the authentication (by default:
http://localhost/simplesamlphp/module.php/core/authenticate.php). You
should see something like that:
|image4|
simpleSAMLphp as Identity Provider
----------------------------------
We suppose you configured LemonLDAP::NG as
:doc:`SAML Service Provider<../authsaml>` and want to use simpleSAMLphp
as Identity Provider.
First, you need to activate IDP feature in simpleSAMLphp:
::
vi /etc/simplesamlphp/config.php
.. code:: php
'enable.saml20-idp' => true,
And create a default IDP configuration:
::
vi /etc/simplesamlphp/metadata/saml20-idp-hosted.php
.. code:: php
<?php
$metadata['__DYNAMIC:1__'] = array(
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
* should be used by default.
*/
'host' => '__DEFAULT__',
/*
* The private key and certificate to use when signing responses.
* These are stored in the cert-directory.
*/
'privatekey' => 'saml.pem',
'certificate' => 'saml.crt',
/*
* The authentication source which should be used to authenticate the
* user. This must match one of the entries in config/authsources.php.
*/
'auth' => 'admin',
// Sign SLO messages
'sign.logout' => true,
);
?>
.. important::
You need to configure your own certificates and
authentication scheme
Now in LL::NG Manager, create a new IDP and import metadata with URL (by
default: http://localhost/simplesamlphp/saml2/idp/metadata.php):
|image5|
List attributes you want to collect:
|image6|
.. tip::
You can keep ``Mandatory`` to ``Off`` to not fail if attribute
is not sent by IDP
And activate all signatures:
|image7|
To finish, you need to declare LL::NG SP in simpleSAMLphp. Use the
metadata converter (by default:
http://localhost/simplesamlphp/admin/metadata-converter.php) to convert
LL::NG metadata (by default: http://auth.example.com/saml/metadata) into
internal PHP representation. Copy the ``saml20-sp-remote`` content:
::
vi /etc/simplesamlphp/metadata/saml20-sp-remote.php
.. code:: php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
'entityid' => 'http://auth.example.com/saml/metadata',
...
);
?>
.. tip::
Don't forget PHP start and end tag to have a valid PHP
file.
All is ready, you can now test the authentication from LL::NG portal.
.. |image0| image:: /applications/simplesamlphp_logo.png
:class: align-center
.. |image1| image:: /applications/simplesamlphp_sp_metadata.png
:class: align-center
.. |image2| image:: /applications/simplesamlphp_sp_attributes.png
:class: align-center
.. |image3| image:: /applications/simplesamlphp_sp_signature.png
:class: align-center
.. |image4| image:: /applications/simplesamlphp_sp_authentication.png
:class: align-center
.. |image5| image:: /applications/simplesamlphp_idp_metadata.png
:class: align-center
.. |image6| image:: /applications/simplesamlphp_idp_attributes.png
:class: align-center
.. |image7| image:: /applications/simplesamlphp_idp_signature.png
:class: align-center

BIN
doc/sources/admin/applications/simplesamlphp_idp_attributes.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
doc/sources/admin/applications/simplesamlphp_idp_metadata.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
doc/sources/admin/applications/simplesamlphp_idp_signature.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
doc/sources/admin/applications/simplesamlphp_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
doc/sources/admin/applications/simplesamlphp_sp_attributes.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
doc/sources/admin/applications/simplesamlphp_sp_authentication.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
doc/sources/admin/applications/simplesamlphp_sp_metadata.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
doc/sources/admin/applications/simplesamlphp_sp_signature.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

48
doc/sources/admin/applications/spring.rst Normal file
View File

@ -0,0 +1,48 @@
Spring Security (ACEGI)
=======================
|image0|
Presentation
------------
`Spring
Security <http://static.springsource.org/spring-security/site/>`__ is
the new ACEGI name. This is a well known security framework for J2EE
applications.
Spring Security provides a default ``pre-authentication`` mechanism that
can be used to connect your J2EE application to LL::NG.
Configuration
-------------
You can find all suitable information here:
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html
To summarize, to get the user connected trough the ``Auth-User`` HTTP
Header, use this Sping Security configuration:
.. code:: xml
<bean id="LemonLDAPNGFilter" class=
"org.springframework.security.web.authentication.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
<security:custom-filter position="PRE_AUTH_FILTER" />
<property name="principalRequestHeader" value="Auth-User"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<security:custom-authentication-provider />
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager" />
.. |image0| image:: /applications/spring_logo.png
:class: align-center

BIN
doc/sources/admin/applications/spring_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.2 KiB

190
doc/sources/admin/applications/symfony.rst Normal file
View File

@ -0,0 +1,190 @@
PHP (Symfony)
=============
|image0|
Presentation
------------
`Symfony <https://symfony.com/>`__ is the well-known PHP framework. It
is intended to ease the development of PHP applications.
Symfony provides many methods conventions to authenticate users (basic,
ldap,...) and to load external user sources (ldap, database). The method
presented here relies on the "remote_user" method. (in security
firewall)
Configuration
-------------
Follow these step to protect your application using the "REMOTE_USER"
HTTP header.
1. Adapt the app/config/security.yml configuration file as below:
.. code:: json
security:
encoders:
AppBundle\Security\User\HeaderUser: plaintext
providers:
header:
id: AppBundle\Security\User\HeaderUserProvider
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
pattern: ^/
remote_user:
user: HTTP_REMOTE_USER
provider: header
- encoders : define a password hashing scheme (useless in our case, but
the parameter is mandatory)
- providers : define the user providers (even virtual)
- remote_user : define the authentication method to "assume the user is
already authenticated and get an http variable to know his username"
- user : define the HTTP header containing the username
- provider : references the previously defined provider owning the user
data (in our scenario, a virtual)
2. Define a "header user" class
Create the file src/AppBundle/Security/User/HeaderUser.php :
.. code:: php
<?php
// src/Security/User/HeaderUser.php
namespace AppBundle\Security\User;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\EquatableInterface;
class HeaderUser implements UserInterface, EquatableInterface
{
private $username;
private $password;
private $salt;
private $roles;
public function __construct($username, $password, $salt, array $roles)
{
$this->username = $username;
$this->password = $password;
$this->salt = $salt;
$this->roles = $roles;
}
public function getRoles()
{
return $this->roles;
}
public function getPassword()
{
return $this->password;
}
public function getSalt()
{
return $this->salt;
}
public function getUsername()
{
return $this->username;
}
public function eraseCredentials()
{
}
public function isEqualTo(UserInterface $user)
{
if (!$user instanceof HeaderUser) {
return false;
}
if ($this->username !== $user->getUsername()) {
return false;
}
//if ($this->password !== $user->getPassword()) {
// return false;
//}
return true;
}
}
?>
3. Define a "header user provider" class relying on the previous class
Create the file src/AppBundle/Security/User/HeaderUserProvider.php :
.. code:: php
<?php
// src/Security/User/HeaderUserProvider.php
namespace AppBundle\Security\User;
use AppBundle\Security\User\HeaderUser;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
class HeaderUserProvider implements UserProviderInterface
{
public function loadUserByUsername($username)
{
if ($username) {
$password = "dummy";
$salt = "";
$roles = array('ROLE_USER');
return new HeaderUser($username, $password, $salt, $roles);
}
throw new UsernameNotFoundException(
sprintf('Username "%s" does not exist.', $username)
);
}
public function refreshUser(UserInterface $user)
{
if (!$user instanceof HeaderUser) {
throw new UnsupportedUserException(
sprintf('Instances of "%s" are not supported.', get_class($user))
);
}
return $this->loadUserByUsername($user->getUsername());
}
public function supportsClass($class)
{
return HeaderUser::class === $class;
}
}
?>
References
----------
- http://symfony.com/doc/current/security/pre_authenticated.html#remote-user-based-authentication
- https://symfony.com/doc/current/security/custom_provider.html
.. |image0| image:: /applications/symfony_logo.png
:class: align-center

BIN
doc/sources/admin/applications/symfony_logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.6 KiB

139
doc/sources/admin/applications/sympa.rst Normal file
View File

@ -0,0 +1,139 @@
Sympa
=====
|image0|
Presentation
------------
`Sympa <http://www.sympa.org>`__ is a mailing list manager.
To configure SSO with Sympa, use **Magic authentication**: a special SSO
URL is protected by LL::NG, Sympa will display a button for users who
wants to use this feature.
.. tip::
Since version 1.9 of LLNG, old Auto-Login feature has been
removed since it works only with Sympa-5 which has been deprecated
Configuration
-------------
Sympa configuration
~~~~~~~~~~~~~~~~~~~
Edit the file "auth.conf", for example:
::
vi /etc/sympa/auth.conf
And fill it:
::
generic_sso
service_name Centralized auth service
service_id lemonldapng
email_http_header HTTP_MAIL
netid_http_header HTTP_AUTH_USER
internal_email_by_netid 1
logout_url http://sympa.example.com/wws/logout
.. tip::
You can also disable internal Sympa authentication to keep
only LemonLDAP::NG by removing user_table paragraph
Note that if you use FastCGI, you must restart Apache to enable changes.
You can also use <portal>?logout=1 as logout_url to remove LemonLDAP::NG
session when "disconnect" is chosen.
Sympa virtual host
~~~~~~~~~~~~~~~~~~
Configure Sympa virtual host like other
:doc:`protected virtual host<../configvhost>` but protect only magic
authentication URL.
.. tip::
The location URL end is based on the ``service_id`` defined in
Sympa apache configuration.
- For Apache:
.. code:: apache
<VirtualHost *:80>
ServerName sympa.example.com
<Location /wws/sso_login/lemonldapng>
PerlHeaderParserHandler Lemonldap::NG::Handler
</Location>
...
</VirtualHost>
- For Nginx:
.. code:: nginx
server {
listen 80;
server_name sympa.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Client requests
location /wws/sso_login/lemonldapng {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}
Sympa virtual host in Manager
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Sympa.
Configure the :doc:`access rules<../writingrulesand_headers>` and define
the following :doc:`headers<../writingrulesand_headers>`:
- Auth-User
- Mail
.. |image0| image:: /applications/sympa_logo.png
:class: align-center

Some files were not shown because too many files have changed in this diff Show More