LEMONLDAP::NG : documentation update
parent
e355b0b9c0
commit
5048ce41c0
|
@ -17,5 +17,6 @@ CREATE TABLE lmConfig (
|
||||||
exportedVars text,
|
exportedVars text,
|
||||||
managerDn text,
|
managerDn text,
|
||||||
managerPassword text,
|
managerPassword text,
|
||||||
|
timeout int,
|
||||||
whatToTrace text
|
whatToTrace text
|
||||||
);
|
);
|
||||||
|
|
1
build/lemonldap-ng/debian/migrating.sql
Normal file
1
build/lemonldap-ng/debian/migrating.sql
Normal file
|
@ -0,0 +1 @@
|
||||||
|
ALTER TABLE lmConfig ADD COLUMN timeout int;
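Review bot: The new migration is not re-runnable: a second invocation of `ALTER TABLE lmConfig ADD COLUMN timeout int;` fails once the column exists, and nothing in the file records which engine or which prior schema version it upgrades from, so a packager cannot tell whether it is safe to apply. A short header comment would close that documentation gap, e.g. `-- One-time upgrade for lmConfig tables created before the timeout column existed; do not re-run once the column is present.` The column is also nullable with no DEFAULT, so every existing configuration row carries a NULL timeout after the upgrade; presumably the code that reads it treats NULL as "use the built-in default", but that should be confirmed, or a DEFAULT added here and in the CREATE TABLE hunk so fresh installs and upgraded installs behave the same. The CREATE TABLE lmConfig hunk above adds the same `timeout int,` column, and the two definitions must stay in step for both install paths to yield the same schema.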
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
@ -99,11 +99,10 @@
|
||||||
<h4 class="heading-1-1-1"><span id="HPerlprereq">Perl prereq</span></h4>
|
<h4 class="heading-1-1-1"><span id="HPerlprereq">Perl prereq</span></h4>
|
||||||
|
|
||||||
<p class="paragraph"></p>Perl modules: Apache::Session, Net::LDAP,
|
<p class="paragraph"></p>Perl modules: Apache::Session, Net::LDAP,
|
||||||
MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI, XML::Simple
|
MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI, XML::Simple<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>With Debian:
|
With Debian:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -111,47 +110,42 @@ apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl 
|
||||||
libdbi-perl perl-modules libwww-perl libcache-cache-perl
|
libdbi-perl perl-modules libwww-perl libcache-cache-perl
|
||||||
libxml-simple-perl
|
libxml-simple-perl
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Portal:
|
Portal:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
|
Apache::Session, Net::LDAP, MIME::Base64, CGI, DBI<br />
|
||||||
DBI
|
<br />
|
||||||
|
With Debian:<br />
|
||||||
<p class="paragraph"></p>With Debian:
|
<br />
|
||||||
|
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
apt-get install libapache-session-perl libnet-ldap-perl libdbi-perl
|
apt-get install libapache-session-perl libnet-ldap-perl libdbi-perl
|
||||||
perl-modules
|
perl-modules
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Handler:
|
Handler:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Apache::Session, LWP::UserAgent, Cache::Cache,
|
Apache::Session, LWP::UserAgent, Cache::Cache, DBI<br />
|
||||||
DBI
|
<br />
|
||||||
|
With Debian:<br />
|
||||||
<p class="paragraph"></p>With Debian:
|
<br />
|
||||||
|
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
apt-get install libapache-session-perl libdbi-perl libwww-perl
|
apt-get install libapache-session-perl libdbi-perl libwww-perl
|
||||||
libcache-cache-perl
|
libcache-cache-perl
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Manager:
|
Manager:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>CGI, XML::Simple, DBI
|
CGI, XML::Simple, DBI<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>With Debian:
|
With Debian:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -160,12 +154,10 @@ apt-get install perl-modules libxml-simple-perl
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HSOFTWAREINSTALLATION">SOFTWARE
|
<h3 class="heading-1-1"><span id="HSOFTWAREINSTALLATION">SOFTWARE
|
||||||
INSTALLATION</span></h3>
|
INSTALLATION</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>If you just want to install a handler or a portal
|
If you just want to install a handler or a portal or a manager:<br />
|
||||||
or a manager:
|
<br />
|
||||||
|
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -174,11 +166,10 @@ $ tar xzf lemonldap-ng-*.tar.gz
|
||||||
$ perl Makefile.PL && make && make test
|
$ perl Makefile.PL && make && make test
|
||||||
$ sudo make install
|
$ sudo make install
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>else for a complete install:
|
else for a complete install:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -187,20 +178,19 @@ $ tar xzf lemonldap-ng-*.tar.gz
|
||||||
$ make && make test
|
$ make && make test
|
||||||
$ sudo make install
|
$ sudo make install
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>See prereq in
|
See prereq in
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HLEMONLDAPINSTALLATION">LEMONLDAP
|
<h3 class="heading-1-1"><span id="HLEMONLDAPINSTALLATION">LEMONLDAP
|
||||||
INSTALLATION</span></h3>
|
INSTALLATION</span></h3>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HDatabaseconfiguration">Database
|
<h4 class="heading-1-1-1"><span id="HDatabaseconfiguration">Database
|
||||||
configuration</span></h4>If you use DBI or another system to share
|
configuration</span></h4>If you use DBI or another system to share
|
||||||
Lemonldap::NG configuration, you have to initialize the database.
|
Lemonldap::NG configuration, you have to initialize the database.<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>For example, create the database "lemonldapng" :
|
For example, create the database "lemonldapng" :<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -210,11 +200,10 @@ $ tar xzf lemonldap-ng-*.tar.gz
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id=
|
<h5 class="heading-1-1-1-1"><span id=
|
||||||
"HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG Configuration
|
"HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG Configuration
|
||||||
database</span></h5>
|
database</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>To store configuration, use this table :
|
To store configuration, use this table :<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -244,14 +233,13 @@ CREATE TABLE lmConfig (
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id=
|
<h5 class="heading-1-1-1-1"><span id=
|
||||||
"HApache3A3ASessiondatabase">Apache::Session database</span></h5>
|
"HApache3A3ASessiondatabase">Apache::Session database</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>The choice of Apache::Session::* module is free.
|
The choice of Apache::Session::* module is free. See
|
||||||
See Apache::Session::Store::* or Apache::Session::* to know how to
|
Apache::Session::Store::* or Apache::Session::* to know how to configure
|
||||||
configure the module. For example, if you want to use
|
the module. For example, if you want to use Apache::Session::MySQL, you
|
||||||
Apache::Session::MySQL, you can create the database like this:
|
can create the database like this:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -263,13 +251,12 @@ CREATE TABLE sessions (
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HManagerconfiguration">Manager
|
<h4 class="heading-1-1-1"><span id="HManagerconfiguration">Manager
|
||||||
configuration</span></h4>
|
configuration</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Copy example/manager.cgi and personalize it if
|
Copy example/manager.cgi and personalize it if you want (see
|
||||||
you want (see Lemonldap::NG::Manager). You have to set in particular
|
Lemonldap::NG::Manager). You have to set in particular configStorage. For
|
||||||
configStorage. For example with MySQL:
|
example with MySQL:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -283,12 +270,11 @@ $my $manager = Lemonldap::NG::Manager-><span class=
|
||||||
"java-quote">"mypass"</span>,
|
"java-quote">"mypass"</span>,
|
||||||
} );
|
} );
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Securise Manager access with Apache: Lemonldap
|
Securise Manager access with Apache: Lemonldap does not securise the
|
||||||
does not securise the manager itself yet:
|
manager itself yet:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -302,10 +288,10 @@ SSLEngine On
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HConfigurationedition">Configuration
|
<h4 class="heading-1-1-1"><span id="HConfigurationedition">Configuration
|
||||||
edition</span></h4>
|
edition</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Connect to the manager with your browser start
|
Connect to the manager with your browser start configure your Web-SSO. You
|
||||||
configure your Web-SSO. You have to set at least some parameters:
|
have to set at least some parameters:
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id="HGeneralparameters">General
|
<h5 class="heading-1-1-1-1"><span id="HGeneralparameters">General
|
||||||
parameters</span></h5>
|
parameters</span></h5>
|
||||||
|
@ -330,11 +316,12 @@ SSLEngine On
|
||||||
Apache::Session::<Choosen module>.</li>
|
Apache::Session::<Choosen module>.</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id="HUsergroups">User groups</span></h5>
|
<h5 class="heading-1-1-1-1"><span id="HUsergroups">User
|
||||||
|
groups</span></h5><br />
|
||||||
<p class="paragraph"></p>Use the "New Group" button to add your first
|
<br />
|
||||||
group. On the left, set the keyword which will be used later and set on
|
Use the "New Group" button to add your first group. On the left, set the
|
||||||
the right the corresponding rule. You can use :
|
keyword which will be used later and set on the right the corresponding
|
||||||
|
rule. You can use :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>an LDAP filter (it will be tested with the user uid)</li>
|
<li>an LDAP filter (it will be tested with the user uid)</li>
|
||||||
|
@ -347,15 +334,15 @@ SSLEngine On
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id="HVirtualhosts">Virtual
|
<h5 class="heading-1-1-1-1"><span id="HVirtualhosts">Virtual
|
||||||
hosts</span></h5>
|
hosts</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>You have to create a virtual host for each Apache
|
You have to create a virtual host for each Apache host (virtual or real)
|
||||||
host (virtual or real) protected by Lemonldap::NG even if just a
|
protected by Lemonldap::NG even if just a sub-directory is protected.
|
||||||
sub-directory is protected. Else, user who want to access to the protected
|
Else, user who want to access to the protected area will be rejected with
|
||||||
area will be rejected with a "500 Internal Server Error" message and the
|
a "500 Internal Server Error" message and the apache logs will explain the
|
||||||
apache logs will explain the problem.
|
problem.<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Each virtual host has 2 groups of parameters:
|
Each virtual host has 2 groups of parameters:
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>Headers: the headers added to the apache request. Default: Auth-User
|
<li>Headers: the headers added to the apache request. Default: Auth-User
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
@ -216,18 +216,17 @@
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HL27exemplefournifonctionneenHTTP2CmaispasenHTTPS">L'exemple fourni
|
"HL27exemplefournifonctionneenHTTP2CmaispasenHTTPS">L'exemple fourni
|
||||||
fonctionne en HTTP, mais pas en HTTPS.</span></h4>
|
fonctionne en HTTP, mais pas en HTTPS.</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Dans le mécanisme des redirections vers le
|
Dans le mécanisme des redirections vers le portail puis vers le
|
||||||
portail puis vers le site protégé, il faut indiquer à
|
site protégé, il faut indiquer à l'agent (handler)
|
||||||
l'agent (handler) s'il est de type HTTPS ou non. Ceci est fait par le
|
s'il est de type HTTPS ou non. Ceci est fait par le paramètre
|
||||||
paramètre <tt>https</tt> qui doit être mis à 1. Ce
|
<tt>https</tt> qui doit être mis à 1. Ce paramètre
|
||||||
paramètre n'est pas accessible dans la configuration (manager), car
|
n'est pas accessible dans la configuration (manager), car il est
|
||||||
il est spécifique aux hôtes virtuels. C'est donc lors de
|
spécifique aux hôtes virtuels. C'est donc lors de l'appel
|
||||||
l'appel à la fonction <tt>init</tt> (dans le fichier My::Package)
|
à la fonction <tt>init</tt> (dans le fichier My::Package) qu'il
|
||||||
qu'il doit être renseigné:
|
doit être renseigné:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
<pre>
|
<pre>
|
||||||
__PACKAGE__->init ( {
|
__PACKAGE__->init ( {
|
||||||
localStorage => "Cache::FileCache",
|
localStorage => "Cache::FileCache",
|
||||||
|
@ -248,24 +247,22 @@ __PACKAGE__->init ( {
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HAquoisertleparamC3A8trehttpsduhandler3F">A quoi sert le paramètre
|
"HAquoisertleparamC3A8trehttpsduhandler3F">A quoi sert le paramètre
|
||||||
https du handler ?</span></h4>
|
https du handler ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Ce paramètre n'est utilisé que dans
|
Ce paramètre n'est utilisé que dans les redirections vers le
|
||||||
les redirections vers le portail d'authentification. Il sert juste
|
portail d'authentification. Il sert juste à indiquer à ce
|
||||||
à indiquer à ce dernier qu'après authentification,
|
dernier qu'après authentification, l'utilisateur doit être
|
||||||
l'utilisateur doit être redirigé vers l'application en https
|
redirigé vers l'application en https et non en http.
|
||||||
et non en http.
|
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HQu27estcequ27uneCGIautoprotC3A9gC3A9e3F">Qu'est ce qu'une CGI
|
"HQu27estcequ27uneCGIautoprotC3A9gC3A9e3F">Qu'est ce qu'une CGI
|
||||||
auto-protégée ?</span></h4>
|
auto-protégée ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lorsqu'on a qu'une seule page Perl à
|
Lorsqu'on a qu'une seule page Perl à protéger dans un
|
||||||
protéger dans un VirtualHost, plutôt que de la
|
VirtualHost, plutôt que de la protéger en utilisant un agent
|
||||||
protéger en utilisant un agent Lemonldap::NG dans Apache, on peut
|
Lemonldap::NG dans Apache, on peut utiliser une CGI
|
||||||
utiliser une CGI auto-protégée:
|
auto-protégée:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
<pre>
|
<pre>
|
||||||
use Lemonldap::NG::Handler::CGI;
|
use Lemonldap::NG::Handler::CGI;
|
||||||
my $cgi = Lemonldap::NG::Handler::CGI->new ( {
|
my $cgi = Lemonldap::NG::Handler::CGI->new ( {
|
||||||
|
@ -273,11 +270,11 @@ __PACKAGE__->init ( {
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
$cgi->authenticate;
|
$cgi->authenticate;
|
||||||
</pre>
|
</pre><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Dans l'exemple ci-dessus, $cgi est un objet de
|
Dans l'exemple ci-dessus, $cgi est un objet de type CGI(3). La seule
|
||||||
type CGI(3). La seule différence est qu'il bénéficie
|
différence est qu'il bénéficie de quelques fonctions
|
||||||
de quelques fonctions supplémentaires:
|
supplémentaires:
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>authenticate : pour appeler le mécanisme d'authentification
|
<li>authenticate : pour appeler le mécanisme d'authentification
|
||||||
|
@ -297,11 +294,11 @@ __PACKAGE__->init ( {
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HCommentfairefonctionnerLemonldap3A3ANGavecunannuaireActiveDirectory3F">Comment
|
"HCommentfairefonctionnerLemonldap3A3ANGavecunannuaireActiveDirectory3F">Comment
|
||||||
faire fonctionner Lemonldap::NG avec un annuaire Active-Directory
|
faire fonctionner Lemonldap::NG avec un annuaire Active-Directory
|
||||||
?</span></h4>
|
?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Active-Directory utilise le champ <tt>cn</tt>
|
Active-Directory utilise le champ <tt>cn</tt> comme identifiant unique au
|
||||||
comme identifiant unique au lieu de <tt>uid</tt>. Il faut donc modifier la
|
lieu de <tt>uid</tt>. Il faut donc modifier la configuration de
|
||||||
configuration de Lemonldap::NG en deux points :
|
Lemonldap::NG en deux points :
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>la recherche de l'utilisateur dans l'annuaire doit être
|
<li>la recherche de l'utilisateur dans l'annuaire doit être
|
||||||
|
@ -338,13 +335,12 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HCommentutiliserLemonldap3A3ANGenreverseproxy3F">Comment utiliser
|
"HCommentutiliserLemonldap3A3ANGenreverseproxy3F">Comment utiliser
|
||||||
Lemonldap::NG en reverse-proxy ?</span></h4>
|
Lemonldap::NG en reverse-proxy ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG protège simplement les
|
Lemonldap::NG protège simplement les VirtualHosts d'Apache. Pour
|
||||||
VirtualHosts d'Apache. Pour fonctionner en reverse-proxy, il suffit donc
|
fonctionner en reverse-proxy, il suffit donc de configurer Apache en
|
||||||
de configurer Apache en reverse-proxy:
|
reverse-proxy:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
<pre>
|
<pre>
|
||||||
# httpd.conf
|
# httpd.conf
|
||||||
<VirtualHost *>
|
<VirtualHost *>
|
||||||
|
@ -360,20 +356,19 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
# RewriteRule /(.*)$ <span class="nobr"><a href=
|
# RewriteRule /(.*)$ <span class="nobr"><a href=
|
||||||
"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
|
"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
</pre>
|
</pre><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Si toutefois vous préférez utiliser
|
Si toutefois vous préférez utiliser un proxy Perl,
|
||||||
un proxy Perl, Lemonldap::NG en fournit un
|
Lemonldap::NG en fournit un (Lemonldap::NG::Handler::Proxy(3)).
|
||||||
(Lemonldap::NG::Handler::Proxy(3)).
|
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id=
|
<h3 class="heading-1-1"><span id=
|
||||||
"HFonctionnement">Fonctionnement</span></h3>
|
"HFonctionnement">Fonctionnement</span></h3>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HAquoisertlecachelocaldesagents28handlers293F">A quoi sert le cache local
|
"HAquoisertlecachelocaldesagents28handlers293F">A quoi sert le cache local
|
||||||
des agents (handlers) ?</span></h4>
|
des agents (handlers) ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Le cache local des agents a deux fonctions:
|
Le cache local des agents a deux fonctions:
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>partager la configuration entre processus Apache: on évite
|
<li>partager la configuration entre processus Apache: on évite
|
||||||
|
@ -396,52 +391,53 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HPourquoinepeutonpasconfigurerlecachelocaldesagents28handlers29danslaconsoled27administration3F">
|
"HPourquoinepeutonpasconfigurerlecachelocaldesagents28handlers29danslaconsoled27administration3F">
|
||||||
Pourquoi ne peut-on pas configurer le cache local des agents (handlers)
|
Pourquoi ne peut-on pas configurer le cache local des agents (handlers)
|
||||||
dans la console d'administration ?</span></h4>
|
dans la console d'administration ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Le cache local doit être choisi ou
|
Le cache local doit être choisi ou paramétré en
|
||||||
paramétré en fonction du serveur: si on choisit par exemple
|
fonction du serveur: si on choisit par exemple le module Cache::FileCache,
|
||||||
le module Cache::FileCache, le répertoire de stockage n'est pas
|
le répertoire de stockage n'est pas nécessairement le
|
||||||
nécessairement le même partout. De plus, une modification du
|
même partout. De plus, une modification du cache ne peut être
|
||||||
cache ne peut être appliquée sans redémarrage du
|
appliquée sans redémarrage du serveur Apache contrairement
|
||||||
serveur Apache contrairement aux autres paramètres
|
aux autres paramètres gérés par la console
|
||||||
gérés par la console d'administration.
|
d'administration.
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HQu27estcequele7E7ECrossDomainAuthentication7E7E28CDA293F">Qu'est ce que
|
"HQu27estcequele7E7ECrossDomainAuthentication7E7E28CDA293F">Qu'est ce que
|
||||||
le <i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
|
le <i class="italic">Cross Domain Authentication</i> (CDA)
|
||||||
|
?</span></h4><br />
|
||||||
<p class="paragraph"></p>Le système de propagation de la session
|
<br />
|
||||||
Lemonldap::NG est basé sur des cookies. Or ces cookies sont
|
Le système de propagation de la session Lemonldap::NG est
|
||||||
attachés au domaine dont ils sont issus. Lemonldap::NG fournit un
|
basé sur des cookies. Or ces cookies sont attachés au
|
||||||
dispositif permettant de passer outre ce problème: il suffit
|
domaine dont ils sont issus. Lemonldap::NG fournit un dispositif
|
||||||
d'utiliser le portail Lemonldap::NG::Portal::CDA et les agents
|
permettant de passer outre ce problème: il suffit d'utiliser le
|
||||||
|
portail Lemonldap::NG::Portal::CDA et les agents
|
||||||
Lemonldap::NG::Handler::CDA sur les sites protégés en dehors
|
Lemonldap::NG::Handler::CDA sur les sites protégés en dehors
|
||||||
du domaine du portail.
|
du domaine du portail.
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HCommentfonctionnele7E7ECrossDomainAuthentication7E7E28CDA293F">Comment
|
"HCommentfonctionnele7E7ECrossDomainAuthentication7E7E28CDA293F">Comment
|
||||||
fonctionne le <i class="italic">Cross Domain Authentication</i> (CDA)
|
fonctionne le <i class="italic">Cross Domain Authentication</i> (CDA)
|
||||||
?</span></h4>
|
?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Un portail Lemonldap::NG::Portal::CDA
|
Un portail Lemonldap::NG::Portal::CDA détecte si l'URL
|
||||||
détecte si l'URL demandée n'est pas dans le même
|
demandée n'est pas dans le même domaine. Si c'est le cas, il
|
||||||
domaine. Si c'est le cas, il ajoute un paramètre à cette
|
ajoute un paramètre à cette requête correspondant au
|
||||||
requête correspondant au cookie de session. Lorsque l'utilisateur
|
cookie de session. Lorsque l'utilisateur est renvoyé vers cette
|
||||||
est renvoyé vers cette URL, l'agent Lemonldap::NG::Handler::CDA
|
URL, l'agent Lemonldap::NG::Handler::CDA reconnaît ce
|
||||||
reconnaît ce paramètre et génère alors le
|
paramètre et génère alors le cookie dans son domaine.
|
||||||
cookie dans son domaine. Il retire alors le paramètre ajouté
|
Il retire alors le paramètre ajouté par le portail et
|
||||||
par le portail et effectue le traitement normal de la requête.
|
effectue le traitement normal de la requête.
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id=
|
<h3 class="heading-1-1"><span id=
|
||||||
"HAuthentification">Authentification</span></h3>
|
"HAuthentification">Authentification</span></h3>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HPeutonchangerlemoded27authentification3F">Peut-on changer le mode
|
"HPeutonchangerlemoded27authentification3F">Peut-on changer le mode
|
||||||
d'authentification ?</span></h4>
|
d'authentification ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG fournit plusieurs modes
|
Lemonldap::NG fournit plusieurs modes d'authentification (à
|
||||||
d'authentification (à paramétrer dans le champ
|
paramétrer dans le champ "authentification" de l'interface
|
||||||
"authentification" de l'interface d'administration) :
|
d'administration) :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li><strong class="strong">ldap</strong> : c'est le mode par
|
<li><strong class="strong">ldap</strong> : c'est le mode par
|
||||||
|
@ -483,16 +479,15 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id=
|
<h3 class="heading-1-1"><span id=
|
||||||
"HMessagesd27erreuretdedC3A9boguage">Messages d'erreur et de
|
"HMessagesd27erreuretdedC3A9boguage">Messages d'erreur et de
|
||||||
déboguage</span></h3>
|
déboguage</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG produit des messages de
|
Lemonldap::NG produit des messages de débogage et d'erreur
|
||||||
débogage et d'erreur enregistrés dans le journal d'Apache
|
enregistrés dans le journal d'Apache (error.log par défaut).
|
||||||
(error.log par défaut). Vous pouvez modifier le niveau d'affichage
|
Vous pouvez modifier le niveau d'affichage en adaptant le paramètre
|
||||||
en adaptant le paramètre LogLevel d'Apache.
|
LogLevel d'Apache.<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>La page <span class="wikilink"><a href=
|
La page <span class="wikilink"><a href="errors-fr.html">Erreurs</a></span>
|
||||||
"errors-fr.html">Erreurs</a></span> référence ces messages
|
référence ces messages d'erreur et de débogage.
|
||||||
d'erreur et de débogage.
|
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
@ -183,15 +183,14 @@
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example
|
"HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example
|
||||||
works with HTTP, but not with HTTPS.</span></h4>
|
works with HTTP, but not with HTTPS.</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>In the redirection mechanism to the portal then
|
In the redirection mechanism to the portal then to the protected site, you
|
||||||
to the protected site, you have to indicate to the handler if users access
|
have to indicate to the handler if users access by HTTPS or HTTP to it.
|
||||||
by HTTPS or HTTP to it. This is done by the <tt>https</tt> parameter. This
|
This is done by the <tt>https</tt> parameter. This parameter has to be
|
||||||
parameter has to be configured directly in the handlers is not accessible
|
configured directly in the handlers is not accessible by the manager
|
||||||
by the manager interface:
|
interface:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
<pre>
|
<pre>
|
||||||
__PACKAGE__->init ( {
|
__PACKAGE__->init ( {
|
||||||
localStorage => "Cache::FileCache",
|
localStorage => "Cache::FileCache",
|
||||||
|
@ -212,21 +211,18 @@ __PACKAGE__->init ( {
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HForwhatisusedthe22https22parameter3F">For what is used the "https"
|
"HForwhatisusedthe22https22parameter3F">For what is used the "https"
|
||||||
parameter ?</span></h4>
|
parameter ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>This parameter is used only in authentication
|
This parameter is used only in authentication portal redirections. It is
|
||||||
portal redirections. It is just used to indicate to the portal that after
|
just used to indicate to the portal that after authentification, the user
|
||||||
authentification, the user must be redirected towards the application
|
must be redirected towards the application using https and not http.
|
||||||
using https and not http.
|
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is
|
<h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is
|
||||||
an auto-protected CGI ?</span></h4>
|
an auto-protected CGI ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>When you have just 1 Perl CGI to protect in a
|
When you have just 1 Perl CGI to protect in a VirtualHost, you can use an
|
||||||
VirtualHost, you can use an auto-protected CGI instead of using a
|
auto-protected CGI instead of using a Lemonldap::NG handler:<br />
|
||||||
Lemonldap::NG handler:
|
<br />
|
||||||
|
|
||||||
<p class="paragraph"></p>
|
|
||||||
<pre>
|
<pre>
|
||||||
use Lemonldap::NG::Handler::CGI;
|
use Lemonldap::NG::Handler::CGI;
|
||||||
my $cgi = Lemonldap::NG::Handler::CGI->new ( {
|
my $cgi = Lemonldap::NG::Handler::CGI->new ( {
|
||||||
|
@ -234,10 +230,10 @@ __PACKAGE__->init ( {
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
$cgi->authenticate;
|
$cgi->authenticate;
|
||||||
</pre>
|
</pre><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>In the example above, $cgi is a CGI(3) object.
|
In the example above, $cgi is a CGI(3) object. The only difference is that
|
||||||
The only difference is that it has some additional functions:
|
it has some additional functions:
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>authenticate : to call Lemonldap::NG authentication mechanism,</li>
|
<li>authenticate : to call Lemonldap::NG authentication mechanism,</li>
|
||||||
|
@ -255,11 +251,11 @@ __PACKAGE__->init ( {
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to use Lemonldap::NG
|
"HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to use Lemonldap::NG
|
||||||
with Active-Directory ?</span></h4>
|
with Active-Directory ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Active-Directory uses <tt>cn</tt> field instead
|
Active-Directory uses <tt>cn</tt> field instead of <tt>uid</tt> as unique
|
||||||
of <tt>uid</tt> as unique identifier. You have so to modify Lemonldap::NG
|
identifier. You have so to modify Lemonldap::NG configuration in 2
|
||||||
configuration in 2 points :
|
points :
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>the field <tt>cn</tt> (or <tt>samAccountName</tt>) has to be used to
|
<li>the field <tt>cn</tt> (or <tt>samAccountName</tt>) has to be used to
|
||||||
|
@ -270,9 +266,8 @@ __PACKAGE__->init ( {
|
||||||
<tt>$cn</tt> in the field "General Parameters -> Attribute to use in
|
<tt>$cn</tt> in the field "General Parameters -> Attribute to use in
|
||||||
Apache's logs" (and to verify that this variable is an exported
|
Apache's logs" (and to verify that this variable is an exported
|
||||||
attribute). The LDAP filter change needs to overload a subroutine in the
|
attribute). The LDAP filter change needs to overload a subroutine in the
|
||||||
portail. This can be done so :
|
portail. This can be done so :<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
<pre>
|
<pre>
|
||||||
#!/usr/bin/perl
|
#!/usr/bin/perl
|
||||||
use Lemonldap::NG::Portal::SharedConf;
|
use Lemonldap::NG::Portal::SharedConf;
|
||||||
|
@ -293,13 +288,11 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use Lemonldap::NG as
|
"HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use Lemonldap::NG as
|
||||||
reverse-proxy ?</span></h4>
|
reverse-proxy ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG protects Apache VirtualHosts. To
|
Lemonldap::NG protects Apache VirtualHosts. To use it as reverse-proxy,
|
||||||
use it as reverse-proxy, you just have to configure Apache as
|
you just have to configure Apache as reverse-proxy :<br />
|
||||||
reverse-proxy :
|
<br />
|
||||||
|
|
||||||
<p class="paragraph"></p>
|
|
||||||
<pre>
|
<pre>
|
||||||
# httpd.conf
|
# httpd.conf
|
||||||
<VirtualHost *>
|
<VirtualHost *>
|
||||||
|
@ -315,18 +308,18 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
# RewriteRule /(.*)$ <span class="nobr"><a href=
|
# RewriteRule /(.*)$ <span class="nobr"><a href=
|
||||||
"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
|
"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
</pre>
|
</pre><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>If you prefer to use a Perl proxy, Lemonldap::NG
|
If you prefer to use a Perl proxy, Lemonldap::NG provides one
|
||||||
provides one (Lemonldap::NG::Handler::Proxy(3))
|
(Lemonldap::NG::Handler::Proxy(3))
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>
|
<h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HWithwhatservesthehandlerlocalcache3F">With what serves the handler local
|
"HWithwhatservesthehandlerlocalcache3F">With what serves the handler local
|
||||||
cache ?</span></h4>
|
cache ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>The handler local cache is used for 2 things :
|
The handler local cache is used for 2 things :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>share configuration between Apache process : this avoid downloading
|
<li>share configuration between Apache process : this avoid downloading
|
||||||
|
@ -341,44 +334,44 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why handlers
|
"HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why handlers
|
||||||
local cache can not be configured by the manager ?</span></h4>
|
local cache can not be configured by the manager ?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>The local cache has to be choosed nad configured
|
The local cache has to be choosed nad configured for each server: for
|
||||||
for each server: for example with the Cache::FileCache module, the storage
|
example with the Cache::FileCache module, the storage directory can be
|
||||||
directory can be different. An other point is that the local storage can
|
different. An other point is that the local storage can not be reloaded
|
||||||
not be reloaded without restarting Apache, but all parameters managed by
|
without restarting Apache, but all parameters managed by the manager can
|
||||||
the manager can do it.
|
do it.
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
|
"HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
|
||||||
<i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
|
<i class="italic">Cross Domain Authentication</i> (CDA)
|
||||||
|
?</span></h4><br />
|
||||||
<p class="paragraph"></p>The Lemonldap::NG sessions propagation system is
|
<br />
|
||||||
based on cookies, but cookies are attached to a DNS domain. Lemonldap::NG
|
The Lemonldap::NG sessions propagation system is based on cookies, but
|
||||||
provides a system to bypass this restriction: you just have to use a
|
cookies are attached to a DNS domain. Lemonldap::NG provides a system to
|
||||||
Lemonldap::NG::Portal::CDA portal and Lemonldap::NG::Handler::CDA handlers
|
bypass this restriction: you just have to use a Lemonldap::NG::Portal::CDA
|
||||||
in all protected sites outwards the portal DNS domain.
|
portal and Lemonldap::NG::Handler::CDA handlers in all protected sites
|
||||||
|
outwards the portal DNS domain.
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How works the
|
"HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How works the
|
||||||
<i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
|
<i class="italic">Cross Domain Authentication</i> (CDA)
|
||||||
|
?</span></h4><br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG::Portal::CDA portal detects if
|
<br />
|
||||||
required URL is in the same domain. If not, it adds a parameter to this
|
Lemonldap::NG::Portal::CDA portal detects if required URL is in the same
|
||||||
request. When the user returns to the protected application,
|
domain. If not, it adds a parameter to this request. When the user returns
|
||||||
Lemonldap::NG::Handler::CDA agent detects this parameter et generate a
|
to the protected application, Lemonldap::NG::Handler::CDA agent detects
|
||||||
cookie in its domain.
|
this parameter et generate a cookie in its domain.
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id=
|
<h3 class="heading-1-1"><span id=
|
||||||
"HAuthentication">Authentication</span></h3>
|
"HAuthentication">Authentication</span></h3>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HHowtochangeauthenticationscheme3F">How to change authentication scheme
|
"HHowtochangeauthenticationscheme3F">How to change authentication scheme
|
||||||
?</span></h4>
|
?</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG provides several authentication
|
Lemonldap::NG provides several authentication modes (to use in the
|
||||||
modes (to use in the "authentification" field of the administration
|
"authentification" field of the administration interface) :
|
||||||
interface) :
|
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li><strong class="strong">ldap</strong> : this is the default mode :
|
<li><strong class="strong">ldap</strong> : this is the default mode :
|
||||||
|
@ -401,14 +394,14 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HErroranddebugmessages">Error and debug
|
<h3 class="heading-1-1"><span id="HErroranddebugmessages">Error and debug
|
||||||
messages</span></h3>
|
messages</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG produces error and debug messages
|
Lemonldap::NG produces error and debug messages logged by Apache (in
|
||||||
logged by Apache (in error.log by default). You can adapt debug level by
|
error.log by default). You can adapt debug level by setting LogLevel
|
||||||
setting LogLevel parameter in Apache configuration file.
|
parameter in Apache configuration file.<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Those messages are described <span class=
|
Those messages are described <span class="wikilink"><a href=
|
||||||
"wikilink"><a href="errors.html">here</a></span>.
|
"errors.html">here</a></span>.
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
@ -88,9 +88,8 @@
|
||||||
<h3 class="heading-1-1"><span id="HCOMPILATION">COMPILATION</span></h3>
|
<h3 class="heading-1-1"><span id="HCOMPILATION">COMPILATION</span></h3>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HInstallationcomplC3A8te">Installation
|
<h4 class="heading-1-1-1"><span id="HInstallationcomplC3A8te">Installation
|
||||||
complète</span></h4>
|
complète</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -103,9 +102,8 @@ $ make example
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HInstallationsurDebian">Installation
|
<h4 class="heading-1-1-1"><span id="HInstallationsurDebian">Installation
|
||||||
sur Debian</span></h4>
|
sur Debian</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -114,12 +112,10 @@ $ cd lemonldap-ng-*
|
||||||
$ debuild
|
$ debuild
|
||||||
$ sudo dpkg -i ../lemonldap-ng*.deb
|
$ sudo dpkg -i ../lemonldap-ng*.deb
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Vous pouvez également utiliser le
|
Vous pouvez également utiliser le repository Debian:<br />
|
||||||
repository Debian:
|
<br />
|
||||||
|
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -131,13 +127,12 @@ deb-src <span class="nobr"><a href=
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id=
|
<h3 class="heading-1-1"><span id=
|
||||||
"HCONFIGURATIONDEL27EXEMPLE">CONFIGURATION DE L'EXEMPLE</span></h3>
|
"HCONFIGURATIONDEL27EXEMPLE">CONFIGURATION DE L'EXEMPLE</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Après compilation, vous disposez d'un
|
Après compilation, vous disposez d'un fichier example/apache.conf.
|
||||||
fichier example/apache.conf. Vous avez simplement à l'inclure dans
|
Vous avez simplement à l'inclure dans le fichier de configuration
|
||||||
le fichier de configuration d'Apache:
|
d'Apache:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -150,11 +145,10 @@ ln -s /usr/share/doc/lemonldap-ng/example/apache.conf /etc/apache/conf.d/test.co
|
||||||
# ou avec Apache-2.x
|
# ou avec Apache-2.x
|
||||||
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
|
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Modifiez votre fichier /etc/hosts pour y ajouter:
|
Modifiez votre fichier /etc/hosts pour y ajouter:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -162,10 +156,10 @@ ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enable
|
||||||
127.0.0.3 test.example.com
|
127.0.0.3 test.example.com
|
||||||
127.0.0.4 manager.example.com
|
127.0.0.4 manager.example.com
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Vous devez ensuite indiquer les paramètres
|
Vous devez ensuite indiquer les paramètres de connexion LDAP. Vous
|
||||||
de connexion LDAP. Vous pouvez au choix :
|
pouvez au choix :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>utiliser l'interface d'administration: redémarrez Apache et
|
<li>utiliser l'interface d'administration: redémarrez Apache et
|
||||||
|
@ -176,9 +170,9 @@ ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enable
|
||||||
renseigner vos paramètres LDAP (utilisateurs Debian:
|
renseigner vos paramètres LDAP (utilisateurs Debian:
|
||||||
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
|
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
|
||||||
</ul>Si vous ne renseignez pas managerDn et managerPassword, Lemonldap::NG
|
</ul>Si vous ne renseignez pas managerDn et managerPassword, Lemonldap::NG
|
||||||
utilisera une connexion anonyme pour trouver le dn de l'utilisateur.
|
utilisera une connexion anonyme pour trouver le dn de l'utilisateur.<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>NOTES:
|
NOTES:
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>seuls quelques paramètres peuvent être
|
<li>seuls quelques paramètres peuvent être
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
@ -76,9 +76,8 @@ apt-get install libsoap-lite-perl
|
||||||
<h3 class="heading-1-1"><span id="HBUILDING">BUILDING</span></h3>
|
<h3 class="heading-1-1"><span id="HBUILDING">BUILDING</span></h3>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HCompleteinstall">Complete
|
<h4 class="heading-1-1-1"><span id="HCompleteinstall">Complete
|
||||||
install</span></h4>
|
install</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -91,9 +90,8 @@ $ make example
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HDebianinstall">Debian
|
<h4 class="heading-1-1-1"><span id="HDebianinstall">Debian
|
||||||
install</span></h4>
|
install</span></h4><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -102,11 +100,10 @@ $ cd lemonldap-ng-*
|
||||||
$ debuild
|
$ debuild
|
||||||
$ sudo dpkg -i ../lemonldap-ng*.deb
|
$ sudo dpkg -i ../lemonldap-ng*.deb
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>You can also use the Debian repository :
|
You can also use the Debian repository :<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -118,13 +115,11 @@ deb-src <span class="nobr"><a href=
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HEXAMPLECONFIGURATION">EXAMPLE
|
<h3 class="heading-1-1"><span id="HEXAMPLECONFIGURATION">EXAMPLE
|
||||||
CONFIGURATION</span></h3>
|
CONFIGURATION</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>After build, you have a new file named
|
After build, you have a new file named example/apache.conf. You just have
|
||||||
example/apache.conf. You just have to include this file in Apache
|
to include this file in Apache configuration:<br />
|
||||||
configuration:
|
<br />
|
||||||
|
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -137,11 +132,10 @@ ln -s /usr/share/doc/lemonldap-ng/example/apache.conf /etc/apache/conf.d/test.co
|
||||||
# or with Apache-2.x
|
# or with Apache-2.x
|
||||||
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
|
ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enabled/test.conf
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Modify your /etc/hosts file to include:
|
Modify your /etc/hosts file to include:<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -149,10 +143,10 @@ ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enable
|
||||||
127.0.0.3 test.example.com
|
127.0.0.3 test.example.com
|
||||||
127.0.0.4 manager.example.com
|
127.0.0.4 manager.example.com
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Now you have to edit configuration to set your
|
Now you have to edit configuration to set your LDAP settings. You can
|
||||||
LDAP settings. You can either use :
|
either use :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>the manager interface: restart Apache and connect to <span class=
|
<li>the manager interface: restart Apache and connect to <span class=
|
||||||
|
@ -163,9 +157,9 @@ ln -s /usr/share/doc/lemonldap-ng/example/apache2.conf /etc/apache2/sites-enable
|
||||||
your LDAP settings (Debian users:
|
your LDAP settings (Debian users:
|
||||||
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
|
/usr/share/doc/lemonldap-ng/example/conf/lmConfig-1).</li>
|
||||||
</ul>If you don't set managerDn and managerPassword, Lemonldap::NG will
|
</ul>If you don't set managerDn and managerPassword, Lemonldap::NG will
|
||||||
use an anonymous bind to find user dn.
|
use an anonymous bind to find user dn.<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>WARNINGS:
|
WARNINGS:
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>only few parameters can be set by hand in the configuration file.
|
<li>only few parameters can be set by hand in the configuration file.
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
@ -296,18 +296,17 @@ group1 => { $departmentUID eq <span class=
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id=
|
<h5 class="heading-1-1-1-1"><span id=
|
||||||
"HPerformances">Performances</span></h5>
|
"HPerformances">Performances</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Vous pouvez utiliser des expressions Perl aussi
|
Vous pouvez utiliser des expressions Perl aussi complexe que
|
||||||
complexe que nécessaire et vous pouvez utiliser tous les attibuts
|
nécessaire et vous pouvez utiliser tous les attibuts LDAP (et
|
||||||
LDAP (et créer vos propres attributs additionnels avec le
|
créer vos propres attributs additionnels avec le mécanisme
|
||||||
mécanisme des macros) dans les définitions de groupes, les
|
des macros) dans les définitions de groupes, les règles
|
||||||
règles d'accès et les en-têtes HTTP
|
d'accès et les en-têtes HTTP personnalisés: vous devez
|
||||||
personnalisés: vous devez seulement utiliser le nom choisi
|
seulement utiliser le nom choisi précédé d'un
|
||||||
précédé d'un "$".
|
"$".<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Vous devez toutefois bien choisir vos
|
Vous devez toutefois bien choisir vos expressions:
|
||||||
expressions:
|
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>les groupes et les macros ne sont évaluées que lorsque
|
<li>les groupes et les macros ne sont évaluées que lorsque
|
||||||
|
@ -325,11 +324,11 @@ group1 => { $departmentUID eq <span class=
|
||||||
^/<span class=
|
^/<span class=
|
||||||
"java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
"java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Dans la définition des groupes, vous
|
Dans la définition des groupes, vous pouvez au choix utiliser des
|
||||||
pouvez au choix utiliser des filtres LDAP ou des expressions Perl ou
|
filtres LDAP ou des expressions Perl ou encore mixer les deux. Les
|
||||||
encore mixer les deux. Les expressions Perl sont encadrées par {} :
|
expressions Perl sont encadrées par {} :
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -340,44 +339,43 @@ group1 => {$uid eq <span class=
|
||||||
group1 => (|(uid=xavier.guimard){$ou eq <span class=
|
group1 => (|(uid=xavier.guimard){$ou eq <span class=
|
||||||
"java-quote">"unit1"</span>})
|
"java-quote">"unit1"</span>})
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Pour limiter les requêtes LDAP, il est
|
Pour limiter les requêtes LDAP, il est conseillé d'utiliser
|
||||||
conseillé d'utiliser les expressions Perl. Ainsi seuls 2
|
les expressions Perl. Ainsi seuls 2 sollicitations de l'annuaire sont
|
||||||
sollicitations de l'annuaire sont nécessaires.
|
nécessaires.
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id=
|
<h4 class="heading-1-1-1"><span id=
|
||||||
"HTraC3A7abilitC3A9">Traçabilité</span></h4>
|
"HTraC3A7abilitC3A9">Traçabilité</span></h4>
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id="HTracerlesaccC3A8sauportail">Tracer
|
<h5 class="heading-1-1-1-1"><span id="HTracerlesaccC3A8sauportail">Tracer
|
||||||
les accès au portail</span></h5>
|
les accès au portail</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG::Portal n'enregistre pas les
|
Lemonldap::NG::Portal n'enregistre pas les événements de
|
||||||
événements de connexion par défaut, mais il est
|
connexion par défaut, mais il est très facile de surcharger
|
||||||
très facile de surcharger la méthode "log".
|
la méthode "log".
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id=
|
<h5 class="heading-1-1-1-1"><span id=
|
||||||
"HTracerlesaccC3A8sauxapplications">Tracer les accès aux
|
"HTracerlesaccC3A8sauxapplications">Tracer les accès aux
|
||||||
applications</span></h5>
|
applications</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Comme un Web-SSO ne peut interpréter le
|
Comme un Web-SSO ne peut interpréter le contenu des requêtes
|
||||||
contenu des requêtes HTTP transmise aux applications
|
HTTP transmise aux applications protégées, il ne peut
|
||||||
protégées, il ne peut enregistrer au mieux que les URL. Et
|
enregistrer au mieux que les URL. Et comme Apache le fait parfaitement,
|
||||||
comme Apache le fait parfaitement, Lemonldap::NG::Handler(3) lui fournit
|
Lemonldap::NG::Handler(3) lui fournit le nom à enregistrer dans les
|
||||||
le nom à enregistrer dans les journaux. Le paramètre
|
journaux. Le paramètre optionnel "whatToTrace" indique la variable
|
||||||
optionnel "whatToTrace" indique la variable à utiliser ($uid par
|
à utiliser ($uid par défaut).<br />
|
||||||
défaut).
|
<br />
|
||||||
|
La trace réelle doit être effectuée par l'application
|
||||||
<p class="paragraph"></p>La trace réelle doit être
|
seule capable d'interpréter le résultat des
|
||||||
effectuée par l'application seule capable d'interpréter le
|
transactions.<br />
|
||||||
résultat des transactions.
|
<br />
|
||||||
|
Lemonldap::NG peut exporter des en-têtes HTTP aussi bien en
|
||||||
<p class="paragraph"></p>Lemonldap::NG peut exporter des en-têtes
|
utilisant Apache en reverse-proxy qu'en protégent directement les
|
||||||
HTTP aussi bien en utilisant Apache en reverse-proxy qu'en
|
applications. Par défaut, le champ Auth-User est utilisé
|
||||||
protégent directement les applications. Par défaut, le champ
|
mais vous pouvez choisir les en-têtes que vous transmettez à
|
||||||
Auth-User est utilisé mais vous pouvez choisir les en-têtes
|
chaque application séparemment. Les expressions définissant
|
||||||
que vous transmettez à chaque application séparemment. Les
|
les en-têtes associent :
|
||||||
expressions définissant les en-têtes associent :
|
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>le nom d'en-tête,</li>
|
<li>le nom d'en-tête,</li>
|
||||||
|
@ -410,9 +408,10 @@ Remote-IP => $ip
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HInstallation">Installation</span></h3>
|
<h3 class="heading-1-1"><span id=
|
||||||
|
"HInstallation">Installation</span></h3><br />
|
||||||
<p class="paragraph"></p>Attention :
|
<br />
|
||||||
|
Attention :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>Lemonldap::NG est un projet différent de Lemonldap et
|
<li>Lemonldap::NG est un projet différent de Lemonldap et
|
||||||
|
@ -439,10 +438,10 @@ Remote-IP => $ip
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id=
|
<h3 class="heading-1-1"><span id=
|
||||||
"HSystC3A8medestockagedessessions">Système de stockage des
|
"HSystC3A8medestockagedessessions">Système de stockage des
|
||||||
sessions</span></h3>
|
sessions</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG utilise 3 niveaux de cache pour les
|
Lemonldap::NG utilise 3 niveaux de cache pour les données des
|
||||||
données des utilisateurs authentifiés :
|
utilisateurs authentifiés :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>un module Apache::Session::* au choix utilisé par le portail
|
<li>un module Apache::Session::* au choix utilisé par le portail
|
||||||
|
@ -461,26 +460,26 @@ Remote-IP => $ip
|
||||||
intéressant avec le système de connexions persistantes du
|
intéressant avec le système de connexions persistantes du
|
||||||
protocole HTTP/1.1 (Keep-Alive).</li>
|
protocole HTTP/1.1 (Keep-Alive).</li>
|
||||||
</ul>Ainsi, le nombre de requêtes au cache principal est
|
</ul>Ainsi, le nombre de requêtes au cache principal est
|
||||||
limité à 1 par utilisateur actif toutes les 10 minutes.
|
limité à 1 par utilisateur actif toutes les 10
|
||||||
|
minutes.<br />
|
||||||
|
<br />
|
||||||
|
Lemonldap::NG est très rapide, mais vous pouvez encore
|
||||||
|
améliorer les performances en utilisnt un module Cache::Cache ne
|
||||||
|
nécessitant pas d'accès au disque.
|
||||||
|
|
||||||
<p class="paragraph"></p>Lemonldap::NG est très rapide, mais vous
|
<h3 class="heading-1-1"><span id="HAuteur">Auteur</span></h3><br />
|
||||||
pouvez encore améliorer les performances en utilisnt un module
|
<br />
|
||||||
Cache::Cache ne nécessitant pas d'accès au disque.
|
Xavier Guimard, <x.guimard@free.fr>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HAuteur">Auteur</span></h3>
|
|
||||||
|
|
||||||
<p class="paragraph"></p>Xavier Guimard, <x.guimard@free.fr>
|
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HCopyrightetlicense">Copyright et
|
<h3 class="heading-1-1"><span id="HCopyrightetlicense">Copyright et
|
||||||
license</span></h3>
|
license</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Copyright © 2005-2007 par Xavier Guimard
|
Copyright © 2005-2007 par Xavier Guimard
|
||||||
<x.guimard@free.fr>
|
<x.guimard@free.fr><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Ce logiciel est libre, vous pouvez le
|
Ce logiciel est libre, vous pouvez le redistribuer et/ou le modifier sous
|
||||||
redistribuer et/ou le modifier sous les mêmes termes que Perl
|
les mêmes termes que Perl lui-même en version 5.8.4 ou
|
||||||
lui-même en version 5.8.4 ou à votre guise en version Perl 5
|
à votre guise en version Perl 5 supérieure.
|
||||||
supérieure.
|
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||||
<head>
|
<head>
|
||||||
<meta name="generator" content=
|
<meta name="generator" content=
|
||||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
"HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" />
|
||||||
|
|
||||||
<title>FAQ LEMONLDAP::NG</title>
|
<title>FAQ LEMONLDAP::NG</title>
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||||
|
@ -254,16 +254,14 @@ group1 => { $departmentUID eq <span class=
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id=
|
<h5 class="heading-1-1-1-1"><span id=
|
||||||
"HPerformance">Performance</span></h5>
|
"HPerformance">Performance</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>You can use Perl expressions as complicated as
|
You can use Perl expressions as complicated as you want and you can use
|
||||||
you want and you can use all the exported LDAP attributes (and create your
|
all the exported LDAP attributes (and create your own attributes: with
|
||||||
own attributes: with 'macros' mechanism) in groups evaluations, area
|
'macros' mechanism) in groups evaluations, area protections or custom HTTP
|
||||||
protections or custom HTTP headers (you just have to call them with a
|
headers (you just have to call them with a "$").<br />
|
||||||
"$").
|
<br />
|
||||||
|
ou have to be careful when choosing your expressions:
|
||||||
<p class="paragraph"></p>ou have to be careful when choosing your
|
|
||||||
expressions:
|
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>groups and macros are evaluated each time a user is redirected to
|
<li>groups and macros are evaluated each time a user is redirected to
|
||||||
|
@ -279,11 +277,10 @@ group1 => { $departmentUID eq <span class=
|
||||||
^/<span class=
|
^/<span class=
|
||||||
"java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
"java-keyword">protected</span>/.*$ => $groups =~ /bgroup1b/
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>You can also use LDAP filters, or Perl expression
|
You can also use LDAP filters, or Perl expression or mixed expressions in
|
||||||
or mixed expressions in groups definitions. Perl expressions has to be
|
groups definitions. Perl expressions has to be enclosed with {} :
|
||||||
enclosed with {} :
|
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
<pre>
|
<pre>
|
||||||
|
@ -294,36 +291,36 @@ group1 => {$uid eq <span class=
|
||||||
group1 => (|(uid=xavier.guimard){$ou eq <span class=
|
group1 => (|(uid=xavier.guimard){$ou eq <span class=
|
||||||
"java-quote">"unit1"</span>})
|
"java-quote">"unit1"</span>})
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>It is also recommanded to use Perl expressions to
|
It is also recommanded to use Perl expressions to avoid requiering the
|
||||||
avoid requiering the LDAP server more than 2 times per authentication.
|
LDAP server more than 2 times per authentication.
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HAccounting">Accounting</span></h4>
|
<h4 class="heading-1-1-1"><span id="HAccounting">Accounting</span></h4>
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id="HLoggingportalaccess">Logging portal
|
<h5 class="heading-1-1-1-1"><span id="HLoggingportalaccess">Logging portal
|
||||||
access</span></h5>
|
access</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG::Portal doesn't log anything by
|
Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
|
||||||
default, but it's easy to overload log method for normal portal access.
|
overload log method for normal portal access.
|
||||||
|
|
||||||
<h5 class="heading-1-1-1-1"><span id="HLoggingapplicationaccess">Logging
|
<h5 class="heading-1-1-1-1"><span id="HLoggingapplicationaccess">Logging
|
||||||
application access</span></h5>
|
application access</span></h5><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Because a Web-SSO knows nothing about the
|
Because a Web-SSO knows nothing about the protected application, it can't
|
||||||
protected application, it can't do more than logging URL. As Apache does
|
do more than logging URL. As Apache does this fine,
|
||||||
this fine, Lemonldap::NG::Handler(3) gives it the name to used in logs.
|
Lemonldap::NG::Handler(3) gives it the name to used in logs. The
|
||||||
The whatToTrace parameter indicates which variable Apache has to use ($uid
|
whatToTrace parameter indicates which variable Apache has to use ($uid by
|
||||||
by default).
|
default).<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>The real accounting has to be done by the
|
The real accounting has to be done by the application itself which knows
|
||||||
application itself which knows the result of SQL transaction for example.
|
the result of SQL transaction for example.<br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG can export HTTP headers either
|
Lemonldap::NG can export HTTP headers either using a proxy or protecting
|
||||||
using a proxy or protecting directly the application. By default, the
|
directly the application. By default, the Auth-User field is used but you
|
||||||
Auth-User field is used but you can change it using the exportedHeaders
|
can change it using the exportedHeaders parameters (in the Manager, each
|
||||||
parameters (in the Manager, each virtual host as custom headers branch).
|
virtual host as custom headers branch). This parameters contains an
|
||||||
This parameters contains an associative array per virtual host :
|
associative array per virtual host :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>keys are the names of the choosen headers,</li>
|
<li>keys are the names of the choosen headers,</li>
|
||||||
|
@ -356,9 +353,10 @@ Remote-IP => $ip
|
||||||
</pre>
|
</pre>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HInstallation">Installation</span></h3>
|
<h3 class="heading-1-1"><span id=
|
||||||
|
"HInstallation">Installation</span></h3><br />
|
||||||
<p class="paragraph"></p>Warnings :
|
<br />
|
||||||
|
Warnings :
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>Lemonldap::NG is a different project than Lemonldap and contains all
|
<li>Lemonldap::NG is a different project than Lemonldap and contains all
|
||||||
|
@ -377,10 +375,9 @@ Remote-IP => $ip
|
||||||
installation documentation.
|
installation documentation.
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HSessionstoragesystem">Session storage
|
<h3 class="heading-1-1"><span id="HSessionstoragesystem">Session storage
|
||||||
system</span></h3>
|
system</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Lemonldap::NG use 3 levels of cache for
|
Lemonldap::NG use 3 levels of cache for authenticated users :
|
||||||
authenticated users :
|
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>an Apache::Session::* module used by lemonldap::NG::Portal to store
|
<li>an Apache::Session::* module used by lemonldap::NG::Portal to store
|
||||||
|
@ -395,25 +392,24 @@ Remote-IP => $ip
|
||||||
refuse access. This is very efficient with HTTP/1.1 Keep-Alive
|
refuse access. This is very efficient with HTTP/1.1 Keep-Alive
|
||||||
system.</li>
|
system.</li>
|
||||||
</ul>So the number of request to the central storage is limited to 1 per
|
</ul>So the number of request to the central storage is limited to 1 per
|
||||||
active user each 10 minutes.
|
active user each 10 minutes.<br />
|
||||||
|
<br />
|
||||||
|
Lemonldap::NG is very fast, but you can increase performance using a
|
||||||
|
Cache::Cache module that does not use disk access.
|
||||||
|
|
||||||
<p class="paragraph"></p>Lemonldap::NG is very fast, but you can increase
|
<h3 class="heading-1-1"><span id="HAuthor">Author</span></h3><br />
|
||||||
performance using a Cache::Cache module that does not use disk access.
|
<br />
|
||||||
|
Xavier Guimard, <x.guimard@free.fr>
|
||||||
<h3 class="heading-1-1"><span id="HAuthor">Author</span></h3>
|
|
||||||
|
|
||||||
<p class="paragraph"></p>Xavier Guimard, <x.guimard@free.fr>
|
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HCopyrightandlicence">Copyright and
|
<h3 class="heading-1-1"><span id="HCopyrightandlicence">Copyright and
|
||||||
licence</span></h3>
|
licence</span></h3><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>Copyright © 2005-2007 by Xavier Guimard
|
Copyright © 2005-2007 by Xavier Guimard
|
||||||
<x.guimard@free.fr>
|
<x.guimard@free.fr><br />
|
||||||
|
<br />
|
||||||
<p class="paragraph"></p>This library is free software; you can
|
This library is free software; you can redistribute it and/or modify it
|
||||||
redistribute it and/or modify it under the same terms as Perl itself,
|
under the same terms as Perl itself, either Perl version 5.8.4 or, at your
|
||||||
either Perl version 5.8.4 or, at your option, any later version of Perl 5
|
option, any later version of Perl 5 you may have available.
|
||||||
you may have available.
|
|
||||||
</div>
|
</div>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
|
@ -14,6 +14,8 @@ my $docs = {
|
||||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstall?language=en' => 'advanced-install.html',
|
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstall?language=en' => 'advanced-install.html',
|
||||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Erreurs?language=en' => 'errors-fr.html',
|
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Erreurs?language=en' => 'errors-fr.html',
|
||||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Erreurs?language=fr' => 'errors.html',
|
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Erreurs?language=fr' => 'errors.html',
|
||||||
|
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocSOAP?language=fr' => 'soap-fr.html',
|
||||||
|
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocLA?language=fr' => 'liberty-alliance-fr.html',
|
||||||
};
|
};
|
||||||
|
|
||||||
my %imgs;
|
my %imgs;
|
||||||
|
@ -27,6 +29,7 @@ while ( my ( $url, $file ) = each %$docs ) {
|
||||||
my $buf;
|
my $buf;
|
||||||
my $ind = 0;
|
my $ind = 0;
|
||||||
my $div;
|
my $div;
|
||||||
|
my $pre = 0;
|
||||||
while (<DOC>) {
|
while (<DOC>) {
|
||||||
$ind++ if (/<div class="main-content">/);
|
$ind++ if (/<div class="main-content">/);
|
||||||
next unless ($ind);
|
next unless ($ind);
|
||||||
|
@ -35,6 +38,17 @@ while ( my ( $url, $file ) = each %$docs ) {
|
||||||
$ind-- unless ($div);
|
$ind-- unless ($div);
|
||||||
s/\r//g;
|
s/\r//g;
|
||||||
utf8::decode($_);
|
utf8::decode($_);
|
||||||
|
if(/<pre/) {
|
||||||
|
$pre++;
|
||||||
|
s#(?<=<pre)<p class="paragraph"/>#<br/><br/>#g;
|
||||||
|
print STDERR "Trouvé: $`\n$&\n$'\n\n";
|
||||||
|
}
|
||||||
|
elsif($pre) {
|
||||||
|
s#(?<!<\/pre)<p class="paragraph"/>#<br/><br/>#g;
|
||||||
|
}
|
||||||
|
$pre++ if(/<pre/);
|
||||||
|
s#<p class="paragraph"/>#<br/><br/>#g if($pre);
|
||||||
|
$pre-- if(/<\/pre/);
|
||||||
if(s#(["'])/xwiki/bin/download/NG/Presentation/([\w\.\-]+)\1#$1$2$1#) {
|
if(s#(["'])/xwiki/bin/download/NG/Presentation/([\w\.\-]+)\1#$1$2$1#) {
|
||||||
$imgs{$2} = 1;
|
$imgs{$2} = 1;
|
||||||
}
|
}
|
||||||
|
@ -56,7 +70,7 @@ while ( my ( $url, $file ) = each %$docs ) {
|
||||||
}
|
}
|
||||||
close DOC;
|
close DOC;
|
||||||
|
|
||||||
open FILE, "|tidy -u -c -i -wrap 79 >$file";
|
open FILE, "|tee /tmp/$file|tidy -u -c -i -wrap 79 >$file";
|
||||||
print FILE '<?xml version="1.0" encoding="UTF-8" ?>
|
print FILE '<?xml version="1.0" encoding="UTF-8" ?>
|
||||||
<!DOCTYPE html PUBLIC "XHTML 1.0 Strict"
|
<!DOCTYPE html PUBLIC "XHTML 1.0 Strict"
|
||||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||||
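Review bot: In the `@ -35,6 +38,17` hunk `$pre` is incremented twice for every line that contains `<pre` (once by `$pre++;` inside the `if(/<pre/)` branch and again by `$pre++ if(/<pre/);` a few lines later) but decremented only once by `$pre-- if(/<\/pre/);`, so after the first code block `$pre` never returns to 0 and `s#<p class="paragraph"/>#<br/><br/>#g if($pre);` rewrites every paragraph in the rest of the document. Dropping the whole `if(/<pre/) { … } elsif($pre) { … }` block, including the `print STDERR "Trouvé: …"` line that looks like a leftover debug trace on stderr, leaves the three one-line statements, which already express the intended `<pre` … `</pre` tracking. In the `@ -56,7 +70,7` hunk, `tee /tmp/$file` writes into a fixed, predictable path in a shared world-writable directory, so a pre-existing file or symlink of that name is silently followed or clobbered; if the intermediate copy is still wanted, a per-run directory from `File::Temp` (`tempdir(CLEANUP => 1)`) or a path inside the build tree avoids that, and adding `or die "tidy: $!"` to the two-argument `open` would stop a failed pipeline from passing unnoticed. The enclosing `while` loop starts and ends outside these hunks.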
|
|
|
@ -17,5 +17,6 @@ CREATE TABLE lmConfig (
|
||||||
exportedVars text,
|
exportedVars text,
|
||||||
managerDn text,
|
managerDn text,
|
||||||
managerPassword text,
|
managerPassword text,
|
||||||
|
timeout int,
|
||||||
whatToTrace text
|
whatToTrace text
|
||||||
);
|
);
|
||||||
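Review bot: `timeout int,` is added to `CREATE TABLE lmConfig` without `NOT NULL`, a `DEFAULT` or a `CHECK`, so the column accepts NULL, 0 and negative values and every reader of lmConfig has to decide on its own what each of those means; the unit is not recorded either. A comment on that line stating the unit and the meaning of NULL, e.g. `timeout int, -- <UNIT: confirm>; NULL = use built-in default`, would make the contract explicit, and `timeout int CHECK (timeout > 0)` would reject the values that cannot be intended, on engines that enforce CHECK. The same column is also added to the hand-written `CREATE TABLE` string in the `if($opts{c})` hunk below, so the two copies of the schema now have to be kept in step manually; generating one from the other would remove that drift risk.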
|
|
|
@ -35,6 +35,7 @@ if($opts{c}) {
|
||||||
exportedVars text,
|
exportedVars text,
|
||||||
managerDn text,
|
managerDn text,
|
||||||
managerPassword text,
|
managerPassword text,
|
||||||
|
timeout int,
|
||||||
whatToTrace text\n);\n";
|
whatToTrace text\n);\n";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|