diff --git a/doc/index/alphabetical.html b/doc/index/alphabetical.html index 19f484c06..68fa2a333 100644 --- a/doc/index/alphabetical.html +++ b/doc/index/alphabetical.html @@ -16,4 +16,4 @@
--
require valid-user
if you want to be able to fail back to another authentication backend for users without Kerberos ticket.
-
+This needs some hacking because the Apache Kerberos authentication module do not work if require valid-user
is not set.
+
+To achieve this, follow these steps: +
++ln -s /var/lib/lemonldap-ng/portal/index.pl /var/lib/lemonldap-ng/portal/kerberos.pl ++
+vi /var/lib/lemonldap-ng/portal/login.pl ++
#!/usr/bin/perl +use CGI ':cgi-lib'; +use strict; +use MIME::Base64; +use CGI::Carp 'fatalsToBrowser'; +my $uri = $ENV{"REDIRECT_QUERY_STRING"}; +print CGI::header(-Refresh => '0; URL=http://auth.example.com/?'.$uri); +exit(0);+
<VirtualHost *> + ServerName auth.example.com + + DocumentRoot /var/lib/lemonldap-ng/portal/ + + <Directory /var/lib/lemonldap-ng/portal/> + Order allow,deny + Allow from all + Options +ExecCGI +FollowSymLinks + </Directory> + + ErrorDocument 401 /login.pl + <Location /kerberos.pl> + <IfModule auth_kerb_module> + AuthType Kerberos + KrbMethodNegotiate On + KrbMethodK5Passwd Off + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/lemonldap-ng/auth.keytab + KrbVerifyKDC Off + KrbServiceName HTTP/auth.example.com + </IfModule> + </Location> + +</VirtualHost>+
-When using this module, LL::NG portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401. We're studying a future solution for this… +When using this module, LL::NG portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401. +
+ ++To bypass this, follow the documentation of AuthApache module
- +-The following table list fields to index depending on the feature you want to use: +The following table list fields to index depending on the feature you want to increase performance:
Feature | Fields to index | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Session explorer | ipAddr WHATTOTRACE | +Session explorer | ipAddr WHATTOTRACE _httpSessionType ipAddr | |||||||||||||
Session restrictions | ipAddr WHATTOTRACE | +Session restrictions | ipAddr WHATTOTRACE | |||||||||||||
SAML authentication and issuer | _saml_id ProxyID _nameID _assert_id _art_id | +SAML authentication and issuer | _saml_id ProxyID _nameID _assert_id _art_id _session_id | |||||||||||||
CAS issuer | _cas_id | @@ -75,12 +75,12 @@ The following table list fields to index depending on the feature you want to us - +|||||||||||||||
Maintenance mode | maintenance | ✔ | ||||||||||||||
Persistent Session backend | persistentStorage | ✔ | + | |||||||||||||
Persistent Session backend options | persistentStorageOptions | ✔ | + |
Handlers check rights and calculate headers for each HTTP hit. So to improve performances, avoid too complex rules by using the macro or the groups or local macros. +
- ++Note that groups are computed after macros, so a group rule may involve a macro value. +
+ ++Besides, macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro “macro1” will be computed before macro “macro2”: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group. +
+-In “Apache::Session module” field, set ”Apache::Session::Flex” and use the following parameters: +In “Apache::Session module” field, set ”Apache::Session::Flex” and use the following parameters:
@@ -188,7 +197,7 @@ Password -> ...-Apache::Session::Browseable is a wrapper for other Apache::Session modules that add the capability to manage indexes. To use it (with MySQL for example), choose “Apache::Session::Browseable::MySQL” as “Apache::Session module” and use the following parameters: +Apache::Session::Browseable is a wrapper for other Apache::Session modules that add the capability to manage indexes. To use it (with MySQL for example), choose “Apache::Session::Browseable::MySQL” as “Apache::Session module” and use the following parameters:
@@ -203,7 +212,7 @@ Note that Apache::Session::Browseable::MySQL doesn't use MySQL locks.-
A Apache::Session::Browseable::Redis has been created, it is the faster +- +A Apache::Session::Browseable::Redis has been created, it is the faster (except for session explorer, defeated by Apache::Session::Browseable::DBI/LDAP >= 1.0)@@ -213,7 +222,7 @@ Note that Apache::Session::Browseable::MySQL doesn't use MySQL locks.LDAP performances
@@ -263,4 +272,4 @@ ldapgroups -> memberOf-
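Review bot: in the added login.pl, `$ENV{"REDIRECT_QUERY_STRING"}` is concatenated straight into the Refresh header URL with no validation or re-encoding, so whatever the client put in the query string is reflected into a response header. Suggest checking the value against what the portal expects, or re-encoding it, before it is emitted. The target `http://auth.example.com/?` is also hard-coded with scheme and host, so the step should say that it has to be edited for the real portal URL. Separately, `use MIME::Base64;` and `use CGI ':cgi-lib';` import things the script never uses, and `use CGI::Carp 'fatalsToBrowser';` sends Perl error text to the browser on an authentication endpoint; the documented script would be better without all three.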
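Review bot: the added `<Location /kerberos.pl>` block has no `require valid-user` line, although the paragraph introducing these steps says the Apache Kerberos module does not work unless it is set. Either add it inside the block or explain why it is omitted here. In the same block, `KrbVerifyKDC Off` is given without comment. It has little effect while `KrbMethodK5Passwd Off` is set, but a reader who later enables password fallback inherits a configuration with the KDC spoofing check disabled, so drop the line or add a sentence saying when it is acceptable. Finally, `ErrorDocument 401 /login.pl` is set at virtual-host level, so every 401 from this host is sent to login.pl, not only those from /kerberos.pl. If that is intended, the text should say so.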
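Review bot: in the Session explorer row of the index table, the new field list reads `ipAddr WHATTOTRACE _httpSessionType ipAddr`, so ipAddr is listed twice; remove the second occurrence. The reworded sentence above the table, "The following table list fields to index depending on the feature you want to increase performance", no longer parses. Something like "The following table lists the fields to index for each feature whose performance you want to improve" keeps the new meaning.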
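Review bot: the added paragraph on evaluation order says macros and groups are computed in "alphanumeric order" but does not say whether that is a plain string comparison, which matters as soon as there are ten or more numbered macros ("macro10" against "macro2"). Since rules that depend on an earlier macro or group will break silently if the order is not what the reader assumed, state the comparison explicitly. "As same for groups" should read "The same applies to groups".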