Merge branch 'v2.0'

This commit is contained in:
Christophe Maudoux 2020-05-23 23:30:59 +02:00
commit 532ffe3fea
282 changed files with 20740 additions and 2974 deletions


@ -9,17 +9,6 @@
- result/*
.build_job_centos:
stage: build
script:
- yum -y install epel-release
- make rpm-dist
- ci-build-pkg
artifacts:
expire_in: 1 day
paths:
- result/*
stages:
- build
- sign
@ -59,8 +48,31 @@ build_bionic:
<<: *job_build
build_centos_7:
image: buildpkg/centos:7
extends: .build_job_centos
image: buildpkg/centos:7
stage: build
script:
- rm -f /etc/yum.repos.d/CentOS-Sources.repo
- yum -y install epel-release
- make rpm-dist
- ci-build-pkg
artifacts:
expire_in: 1 day
paths:
- result/*
#build_centos_8:
# image: buildpkg/centos:8
# stage: build
# script:
# - yum-config-manager --enable PowerTools
# - yum-config-manager --enable AppStream
# - yum -y install epel-release
# - make rpm-dist
# - ci-build-pkg
# artifacts:
# expire_in: 1 day
# paths:
# - result/*
sign:
image: buildpkg/debian:stretch
@ -77,6 +89,7 @@ sign:
- build_disco
- build_bionic
- build_centos_7
# - build_centos_8
artifacts:
expire_in: 1 day
paths:
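Review bot: The `rm -f /etc/yum.repos.d/CentOS-Sources.repo` line added to build_centos_7 has no explanation, so a reader cannot tell whether it works around a dead mirror in the buildpkg/centos:7 image or is a deliberate policy; a one-line comment such as `# CentOS-Sources repo fails to resolve in the build image; drop it before yum runs` (adjusted to the real reason) would save the next person a bisect. The commented-out build_centos_8 job and its commented dependency in the sign job should likewise say why they are disabled, e.g. `# disabled until a buildpkg/centos:8 image is available (see #1957)`, since the changelog in this same commit claims CentOS 8 packages. Note also that build_centos_7 no longer extends .build_job_centos but inlines the whole script, so future changes to the shared template will not reach it; if the template is now unused it could be removed, otherwise keep `extends` and only override `script`.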


@ -321,9 +321,11 @@ $(SRCMANAGERDIR)/site/htdocs/static/js/%.js: $(SRCMANAGERDIR)/site/coffee/%.coff
%.min.js: %.js
@echo "Compressing $*.js"
if test "$(UGLIFYJSVERSION)" = 2; then \
uglifyjs $*.js --compress --mangle --comments='/Copyr/i' --source-map $*.min.js.map -o $*.min.js; \
cd `dirname $*`; \
uglifyjs `basename $*`.js --compress --mangle --comments='/Copyr/i' --source-map `basename $*`.min.js.map -o `basename $*`.min.js; \
else \
uglifyjs $*.js --compress --mangle --comments='/Copyr/i' --source-map -o $*.min.js; \
cd `dirname $*`; \
uglifyjs `basename $*`.js --compress --mangle --comments='/Copyr/i' --source-map -o `basename $*`.min.js; \
fi
fastcgi-server/man/llng-fastcgi-server.8p: fastcgi-server/sbin/llng-fastcgi-server
@ -637,17 +639,30 @@ install_bin: install_conf_dir
${SRCCOMMONDIR}/scripts/rotateOidcKeys \
${SRCMANAGERDIR}/scripts/lmConfigEditor \
${SRCCOMMONDIR}/scripts/lemonldap-ng-cli \
${SRCCOMMONDIR}/scripts/lemonldap-ng-sessions \
${SRCCOMMONDIR}/scripts/importMetadata \
$(RBINDIR)
@if [ ! "$(APACHEUSER)" ]; then \
$(PERL) -i -pe 's#__APACHEUSER__#nobody#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
$(PERL) -i -pe 's#__APACHEUSER__#nobody#g;' \
$(RBINDIR)/lmConfigEditor \
$(RBINDIR)/lemonldap-ng-cli \
$(RBINDIR)/lemonldap-ng-sessions; \
else \
$(PERL) -i -pe 's#__APACHEUSER__#$(APACHEUSER)#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
$(PERL) -i -pe 's#__APACHEUSER__#$(APACHEUSER)#g;' \
$(RBINDIR)/lmConfigEditor \
$(RBINDIR)/lemonldap-ng-cli \
$(RBINDIR)/lemonldap-ng-sessions; \
fi
@if [ ! "$(APACHEGROUP)" ]; then \
$(PERL) -i -pe 's#__APACHEGROUP__#nobody#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
$(PERL) -i -pe 's#__APACHEGROUP__#nobody#g;' \
$(RBINDIR)/lmConfigEditor \
$(RBINDIR)/lemonldap-ng-cli \
$(RBINDIR)/lemonldap-ng-sessions; \
else \
$(PERL) -i -pe 's#__APACHEGROUP__#$(APACHEGROUP)#g;' $(RBINDIR)/lmConfigEditor $(RBINDIR)/lemonldap-ng-cli; \
$(PERL) -i -pe 's#__APACHEGROUP__#$(APACHEGROUP)#g;' \
$(RBINDIR)/lmConfigEditor \
$(RBINDIR)/lemonldap-ng-cli \
$(RBINDIR)/lemonldap-ng-sessions; \
fi
@chmod +x $(RBINDIR)/*
@ -1183,3 +1198,11 @@ e2e_cert:
-reqexts SAN \
-extensions SAN \
-config e2e-tests/openssl.cnf
api_doc: doc/sources/manager-api/openapi-spec.yaml doc/sources/manager-api/config-codegen.json
@if [ -f "$(SWAGGER_CODEGEN)" ] ; then \
java -jar "$(SWAGGER_CODEGEN)" generate -i doc/sources/manager-api/openapi-spec.yaml -l html2 -o doc/pages/manager-api/ -c doc/sources/manager-api/config-codegen.json; \
else \
echo "Please run me with SWAGGER_CODEGEN=/path/to/swagger-codegen.jar"; \
fi
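Review bot: The else branch of the new api_doc target prints a hint but exits 0, so `make api_doc` (and anything that depends on it) reports success while producing no doc/pages/manager-api/; if generation is mandatory, end the branch with `exit 1;` after the echo, and if it is meant to be optional say so in a comment above the target. The recipe also executes whatever jar SWAGGER_CODEGEN points at with no version or checksum check; since its output ships as documentation, a comment naming the expected swagger-codegen version (and ideally a sha256 to compare against) would make the build reproducible and harder to poison. SWAGGER_CODEGEN has no default in the visible part of the Makefile, so its definition, if any, lies outside this hunk.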


@ -40,6 +40,7 @@
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"
RewriteRule "^/(.+)$" "/api.fcgi/$1" [PT]
# 2) FastCGI engine
@ -83,6 +84,15 @@
</IfModule>
</Location>
# On-line documentation
Alias /doc/ __DEFDOCDIR__
<Directory __DEFDOCDIR__>
Require all granted
ErrorDocument 404 /notfound.html
Options +FollowSymLinks
DirectoryIndex index.html start.html
</Directory>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
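Review bot: The new `RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"` exempts every URI that merely begins with `/doc` from the API rewrite, not only the `/doc/` alias, so `/docs`, `/document` or `/doc-x` stop being routed to api.fcgi and fall through to whatever the DocumentRoot serves; tighten it to `RewriteCond "%{REQUEST_URI}" "!^/doc(?:/|$)"`. The `<Directory __DEFDOCDIR__>` block grants access with `Require all granted` plus `Options +FollowSymLinks`; if the rest of this vhost is default-deny as the nginx counterpart states, add a comment such as `# Documentation is readable by anyone who can reach this vhost; keep the vhost itself restricted if the API must stay private` so the grant is not mistaken for a vhost-wide opening. The `ErrorDocument 404 /notfound.html` internal redirect also passes through the rewrite rule and, unless the commented `.html` condition is re-enabled, is likely rewritten to `/api.fcgi/notfound.html`; worth verifying.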


@ -40,6 +40,7 @@
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"
RewriteRule "^/(.+)$" "/api.fcgi/$1" [PT]
# 2) FastCGI engine
@ -90,6 +91,21 @@
</IfModule>
</Location>
# On-line documentation
Alias /doc/ __DEFDOCDIR__
<Directory __DEFDOCDIR__>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
ErrorDocument 404 /notfound.html
Options +FollowSymLinks
DirectoryIndex index.html start.html
</Directory>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
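Review bot: `RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"` skips the API rewrite for any path starting with `/doc` (`/docs`, `/document`, `/doc-x`), not just the aliased `/doc/` tree, so those requests are no longer handled by api.fcgi; use `"!^/doc(?:/|$)"` to match only the alias. In the `<IfVersion < 2.3>` branch, `Order Deny,Allow` followed by `Allow from all` is the correct 2.2 equivalent of `Require all granted`, but both branches expose the documentation tree to every client that can reach this vhost, so a short comment stating that this is intended and that access control for the API itself is configured elsewhere would help the next reader. `Options +FollowSymLinks` on a packaged documentation directory is harmless only as long as the package owns every symlink there; a comment noting that assumption is cheap.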


@ -40,6 +40,7 @@
# RewriteCond "%{REQUEST_URI}" "!\.html(?:/.*)?$"
# REST URLs
RewriteCond "%{REQUEST_URI}" "!^/(?:doc)"
RewriteRule "^/(.+)$" "/api.fcgi/$1" [PT]
# 2) FastCGI engine
@ -84,6 +85,16 @@
</IfModule>
</Location>
# On-line documentation
Alias /doc/ __DEFDOCDIR__
<Directory __DEFDOCDIR__>
Order allow,deny
Allow from all
ErrorDocument 404 /notfound.html
Options +FollowSymLinks
DirectoryIndex index.html start.html
</Directory>
# Uncomment this if site if you use SSL only
#Header set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
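Review bot: The negated rewrite condition `"!^/(?:doc)"` is broader than the alias it protects: any URI beginning with `/doc` (`/docs`, `/document`) bypasses the `/api.fcgi/$1` rewrite, so replace it with `"!^/doc(?:/|$)"`. The `Order allow,deny` / `Allow from all` pair in the `<Directory __DEFDOCDIR__>` block opens the documentation tree to all clients of this vhost; if the vhost is otherwise default-deny, a comment like `# documentation only; the API endpoints remain protected by the rules above` makes that intent explicit for anyone auditing the configuration.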


@ -15,7 +15,13 @@ server {
#set_real_ip_from 127.0.0.1;
#real_ip_header X-Forwarded-For;
rewrite ^/(.*)$ /api.psgi/$1 break;
location /doc/ {
alias /usr/share/doc/lemonldap-ng-doc/;
index index.html start.html;
}
location / {
rewrite ^/(.*)$ /api.psgi/$1;
}
location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
@ -37,17 +43,18 @@ server {
# Uncomment this if you use https only
#add_header Strict-Transport-Security "max-age=15768000";
# By default, access to this VHost is denied
# If you want to enable the manager APIs, you MUST
# implement a robust authentication scheme to protect this
# VHost since LemonLDAP::NG provides no protection to the
# Manager APIs yet
#
#allow 127.0.0.0/8;
#allow ::1/128;
deny all;
}
# By default, access to this VHost is denied
# If you want to enable the manager APIs, you MUST
# implement a robust authentication scheme to protect this
# VHost since LemonLDAP::NG provides no protection to the
# Manager APIs yet
#
#allow 127.0.0.0/8;
#allow ::1/128;
deny all;
# DEBIAN
# If install was made with USEDEBIANLIBS (official releases), uncomment this
#location /javascript/ {
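Review bot: Moving `deny all` from the psgi location up to server scope means it is inherited by the new `location /doc/` as well, so the documentation alias stays unreachable until the commented `allow` lines are enabled; that is the safer default, but the comment block should say so, e.g. `# NB: this deny also covers /doc/; add allow rules above it to expose the documentation`. The alias is hard-coded to `/usr/share/doc/lemonldap-ng-doc/` whereas the Apache templates in this commit use the `__DEFDOCDIR__` placeholder substituted at install time; unless the nginx template is deliberately left unsubstituted, use the placeholder here too so non-Debian layouts get the right path. Keeping the trailing slash on both `location /doc/` and the `alias` value is correct and avoids the classic alias path-traversal mismatch, so it is worth preserving in later edits.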


@ -79,6 +79,11 @@
Require all denied
</Location>
# REST/SOAP functions for proxy auth and password reset (disabled by default)
<Location /index.fcgi/proxy>
Require all denied
</Location>
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
Require all denied


@ -86,6 +86,17 @@
</IfVersion>
</Location>
# REST/SOAP functions for proxy auth and password reset (disabled by default)
<Location /index.fcgi/proxy>
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Location>
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
<IfVersion >= 2.3>


@ -72,6 +72,12 @@
Deny from all
</Location>
# REST/SOAP functions for proxy auth and password reset (disabled by default)
<Location /index.fcgi/proxy>
Order deny,allow
Deny from all
</Location>
# REST/SOAP functions for sessions access (disabled by default)
<Location /index.fcgi/sessions>
Order deny,allow


@ -59,6 +59,12 @@ server {
deny all;
}
# REST/SOAP functions for proxy auth and password reset (disabled by default)
location ~ ^/index.psgi/proxy {
fastcgi_pass llng_portal_upstream;
deny all;
}
# REST/SOAP functions for sessions access (disabled by default)
location ~ ^/index.psgi/sessions {
fastcgi_pass llng_portal_upstream;
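Review bot: nginx selects the first regular-expression location that matches in file order, so the new `location ~ ^/index.psgi/proxy` only takes effect if it appears before the generic `\.psgi` regex location that dispatches the rest of the portal (not visible in this hunk); if that block comes first, the `deny all` is never reached and the proxy endpoints stay open. The dot in `index.psgi` is unescaped and also matches `/indexXpsgi/proxy`, which mirrors the existing sessions block but could be written `location ~ ^/index\.psgi/proxy {` for precision. `fastcgi_pass` inside a denied location is harmless because the access phase runs before the content phase, though a comment `# deny runs in the access phase, so fastcgi_pass is never reached` would pre-empt the obvious question.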


@ -64,7 +64,7 @@ server {
# If CDA is used, uncomment this
#auth_request_set $cookie_value $upstream_http_set_cookie;
#add_header Set-Cookie $cookie_value;
# Remove this for AuthBasic handler
# Remove this for AuthBasic and OAuth2 handlers
error_page 401 $lmlocation;
##################################

118
changelog

@ -1,3 +1,121 @@
lemonldap-ng (2.0.8) stable; urgency=medium
* Bugs:
* #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18
* #1659: RESTProxy doesn't fully work as a UserDB module
* #1776: Manager breaks when moving a newly created category or application
* #1939: expired issuer context is not reset when starting new authentication
* #1990: [warn] Route xxx redefined when using the fastCGI server
* #1992: Memory leak issue on CentOS 7 / perl 5.16
* #2048: t/32-OIDC-Refresh-Token.t fails randomly
* #2049: Unable to display notifications marked as done (DBI)
* #2050: Wrong message displayed by CheckUser plugin
* #2051: SAML Service Provider Macros are incorrectly displayed/saved by the manager
* #2057: Log in request without captcha returns an internal server error
* #2058: Use of configuration cache can mix global and local configuration parameters
* #2059: Error in Manager / CLI / Editor when an attribute is not defined
* #2061: pdata not cleaned with Kerberos authentication
* #2063: Javascript error: window.datas is undefined
* #2072: Configuration comparator error on application menu "order"
* #2074: Portal menu : display condition with sp: does not work for SAML SP
* #2080: SAML POST to SP becomes GET when an info is displayed
* #2081: Parameter added to external redirect URL when info.tpl is used
* #2082: SSLVarIf cannot be set in manager
* #2085: OIDC provider doesn't work when info is displayed during the login process
* #2086: LDAP notifications backend does not work
* #2089: Old format notifications with file backend don t work
* #2090: Session creation mixup when supplying an existing _session_id
* #2097: Error after activating userLogger (Apache)
* #2099: Error 500 when SAML Session is expired
* #2101: Wildcard in virtualhost names : URL contains a non protected host
* #2104: Sessions are not well computed by CheckUser plugin
* #2105: Using RS* ID Token signature algorithm without a RSA key causes ID Token to be returned as "null"
* #2111: Bad translation tag for password policy remaining grace message
* #2113: Password policy warning before password expiration is badly displayed
* #2116: Missing goToPortal translation for mails
* #2118: Multivalued attributes received from CAS server stored as string "ARRAY" in session
* #2120: OIDC: hybrid flow does not issue ID token
* #2123: Rest2F does not transmit session attributes to Verify URL
* #2127: Cache reload throw an error if status enabled
* #2128: Manager with CDA issue
* #2133: Issues with removed second factors notification system
* #2138: logout forward doesn't work anymore
* #2141: Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
* #2142: OIDC consent validation fails after second factor form or redirection from external IDP
* #2143: Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
* #2144: OTT is not sent if SSL authentication fails with Choice
* #2148: Bad request with Notification SPA
* #2151: Session upgrade does not work with multiple second factors
* #2152: Nginx configuration files do not work with IPv6
* #2159: Single session module configuration
* #2165: Server error with rule on Combination
* #2167: OAuth2 handler should return 401 when access token is missing or invalid
* #2168: LLNG is too strict on OIDC scope syntax
* #2169: duplicates in _oidcConsents when scope is updated
* #2171: Introspection endpoint does not recognize refreshed Access Tokens
* #2179: refresh my rights downgrades authentication level set by 2FA
* #2180: SingleSession plugin does not work if history is displayed
* New features:
* #2033: Manager API to reset 2FA
* #2034: Manager API to manage SAML and OIDC clients
* #2069: Manage Cookie SameSite value
* #2136: Possibility to override language with a parameter in URL
* #2154: Github authentication backend
* Improvements:
* #1598: Proxy Backend support for Password Module (passwordDB)
* #1877: Option to run setMacros after setGroups
* #1902: Configuration is saved even with errors with lemonldap-ng-cli
* #1957: Provide packages for CentOS 8
* #2046: compactConf is confusing
* #2064: Do not show action buttons on portal when displaying waiting message (Kerberos or SSL Ajax call)
* #2065: Improve diff.html templates to display Author, Date and Summary of both configurations
* #2068: Append an option to set CSP frame ancestors header
* #2070: LemonLDAP session cookie - SameSite attribute
* #2071: Allow users to see and display theirs accepted notifications
* #2073: Improve notifications SPA
* #2076: Possibility to configure a custom CSS file
* #2084: Make "error" the default log level for lasso
* #2088: BruteForce module: increase delay between each login attempt
* #2091: Better look for buttons in 2FA choice screen
* #2093: CheckUser - Remove persistent session attributes if required
* #2096: Improve introspection endpoint
* #2102: Bad Autologin rule lead to error 500 and crash the portal
* #2103: Add a rollback option to lemonldap-ng-cli
* #2106: CheckUser: Append an option to hide empty headers
* #2108: "Underlying object can't load conf" is a bad error message
* #2109: Securing the new API endpoints for 2.0.8 release
* #2114: Improve adaptive display and show instance name
* #2115: Possibility to select choice tab, as for menu tab
* #2117: Remove warning messages "uninitialized value $encryption_mode"
* #2119: Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
* #2121: Prevent Portal to crash if Custom Functions module is not found
* #2125: Internal Server Error when REST backend does not return a JSON Object
* #2126: Prevent Portal to crash if a bad rule is used for enabling a plugin
* #2129: AuthenticationLevel based macros and groups should be updated with second factor
* #2130: Append password policy options to define and require special characters
* #2131: Make json does nothing if only a Portal constant is appended
* #2132: Application icons are displayed with real sizes by the Manager and It is not particularly convenient
* #2135: Remove 'underscore' in notification reference
* #2140: Append an option to define applications tooltip
* #2145: Display a custom param with GlobalLogout plugin
* #2149: Add an easy way to set level of additional second factors
* #2155: Implement Resource Owner Password Credentials Grant
* #2156: "Require 2FA" should be renamed
* #2161: DBI should test that "table" is set
* #2164: Make SingleSession options configurable by a rule
* #2166: Configuration parser does not check validity of SAML/OIDC/CAS/vhost options
* #2173: Make CheckUser options configurable by a rule
* #2175: Reorganize OIDC RP options in manager
* #2177: OIDC: Allow additional audiences for ID Token
* #2178: Make require old password option configurable by a rule
* #2182: Append a Show/Hide password button into change password form
* #2184: SAML logout request returns 400 error code if session is not found
* #2185: Append a rule to display sfaManager link
-- Clément <clem.oudot@gmail.com> Mon, 04 May 2020 22:43:29 +0200
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:

7
debian/changelog vendored

@ -1,3 +1,10 @@
lemonldap-ng (2.0.8-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Tue, 05 May 2020 16:00:00 +0100
lemonldap-ng (2.0.7-1) unstable; urgency=medium
* New release. See changes on our website:

2
debian/control vendored

@ -53,7 +53,7 @@ Build-Depends-Indep: libapache-session-perl <!nocheck>,
libxml-libxslt-perl <!nocheck>,
libxml-simple-perl <!nocheck>,
perl
Standards-Version: 4.4.0
Standards-Version: 4.5.0
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
Homepage: https://lemonldap-ng.org/


@ -3,6 +3,7 @@
/usr/share/man/man1/convertConfig.1p
/usr/share/man/man1/convertSessions.1p
/usr/share/man/man1/lemonldap-ng-cli.1p
/usr/share/man/man1/lemonldap-ng-sessions.1p
/usr/share/man/man3/Lemonldap::NG::Common*
/usr/share/perl5/auto/Lemonldap/NG/Common
/usr/share/perl5/Lemonldap/NG/Common*
@ -10,6 +11,7 @@
/usr/share/lemonldap-ng/bin/convertConfig
/usr/share/lemonldap-ng/bin/convertSessions
/usr/share/lemonldap-ng/bin/importMetadata
/usr/share/lemonldap-ng/bin/lemonldap-ng-sessions
/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
/usr/share/lemonldap-ng/bin/rotateOidcKeys
/var/lib/lemonldap-ng/conf/


@ -5,9 +5,14 @@
</head>
<body>
<div class="container text-center">
<h1>LemonLDAP::NG offline documentation</h1>
<h1>LemonLDAP::NG Administrator documentation</h1>
<hr />
<a href="pages/documentation/current/start.html" class="btn btn-lg btn-primary">Documentation</a>
</div>
<div class="container text-center">
<h1>LemonLDAP::NG Manager API documentation</h1>
<hr />
<a href="pages/manager-api/index.html" class="btn btn-lg btn-primary">API Reference</a>
</div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1576942824" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1588685826" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -98,121 +98,127 @@ If none of above methods is available, you can try:
<td class="col0 centeralign"> <a href="applications/aws.html" class="media" title="documentation:2.0:applications:aws"><img src="icons/kmultiple.png" class="media" title="logo_amazon_web_services.jpg" alt="logo_amazon_web_services.jpg" /></a> </td><td class="col1 centeralign"> <a href="applications/aws.html" class="wikilink1" title="documentation:2.0:applications:aws">Amazon Web Services</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row4 roweven">
<td class="col0 centeralign"> <a href="applications/bugzilla.html" class="media" title="documentation:2.0:applications:bugzilla"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/bugzilla.html" class="wikilink1" title="documentation:2.0:applications:bugzilla">Bugzilla</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/awx.html" class="media" title="documentation:2.0:applications:awx"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/awx.html" class="wikilink1" title="documentation:2.0:applications:awx">AWX (Ansible Tower)</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 centeralign"> <a href="applications/cornerstone.html" class="media" title="documentation:2.0:applications:cornerstone"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/cornerstone.html" class="wikilink1" title="documentation:2.0:applications:cornerstone">Cornerstone</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/bugzilla.html" class="media" title="documentation:2.0:applications:bugzilla"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/bugzilla.html" class="wikilink1" title="documentation:2.0:applications:bugzilla">Bugzilla</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0 centeralign"> <a href="applications/discourse.html" class="media" title="documentation:2.0:applications:discourse"><img src="icons/kmultiple.png" class="media" title="discourse.jpg" alt="discourse.jpg" /></a> </td><td class="col1 centeralign"> <a href="applications/discourse.html" class="wikilink1" title="documentation:2.0:applications:discourse">Discourse</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6 centeralign"> </td>
<td class="col0 centeralign"> <a href="applications/cornerstone.html" class="media" title="documentation:2.0:applications:cornerstone"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/cornerstone.html" class="wikilink1" title="documentation:2.0:applications:cornerstone">Cornerstone</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0 centeralign"> <a href="applications/django.html" class="media" title="documentation:2.0:applications:django"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/django.html" class="wikilink1" title="documentation:2.0:applications:django">Django</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/discourse.html" class="media" title="documentation:2.0:applications:discourse"><img src="icons/kmultiple.png" class="media" title="discourse.jpg" alt="discourse.jpg" /></a> </td><td class="col1 centeralign"> <a href="applications/discourse.html" class="wikilink1" title="documentation:2.0:applications:discourse">Discourse</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6 centeralign"> </td>
</tr>
<tr class="row8 roweven">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
<td class="col0 centeralign"> <a href="applications/django.html" class="media" title="documentation:2.0:applications:django"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/django.html" class="wikilink1" title="documentation:2.0:applications:django">Django</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row9 rowodd">
<td class="col0 centeralign"> <a href="applications/dokuwiki.html" class="media" title="documentation:2.0:applications:dokuwiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/dokuwiki.html" class="wikilink1" title="documentation:2.0:applications:dokuwiki">Dokuwiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row10 roweven">
<td class="col0 centeralign"> <a href="applications/drupal.html" class="media" title="documentation:2.0:applications:drupal"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/drupal.html" class="wikilink1" title="documentation:2.0:applications:drupal">Drupal</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/dokuwiki.html" class="media" title="documentation:2.0:applications:dokuwiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/dokuwiki.html" class="wikilink1" title="documentation:2.0:applications:dokuwiki">Dokuwiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0 centeralign"> <a href="applications/fusiondirectory.html" class="media" title="documentation:2.0:applications:fusiondirectory"><img src="icons/kmultiple.png" class="media" title="fusiondirectory-logo.jpg" alt="fusiondirectory-logo.jpg" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/fusiondirectory.html" class="wikilink1" title="documentation:2.0:applications:fusiondirectory">FusionDirectory</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/drupal.html" class="media" title="documentation:2.0:applications:drupal"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/drupal.html" class="wikilink1" title="documentation:2.0:applications:drupal">Drupal</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row12 roweven">
<td class="col0 centeralign"> <a href="applications/gitlab.html" class="media" title="documentation:2.0:applications:gitlab"><img src="icons/kmultiple.png" class="mediacenter" alt="" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/gitlab.html" class="wikilink1" title="documentation:2.0:applications:gitlab">Gitlab</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6 centeralign"> </td>
<td class="col0 centeralign"> <a href="applications/fusiondirectory.html" class="media" title="documentation:2.0:applications:fusiondirectory"><img src="icons/kmultiple.png" class="media" title="fusiondirectory-logo.jpg" alt="fusiondirectory-logo.jpg" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/fusiondirectory.html" class="wikilink1" title="documentation:2.0:applications:fusiondirectory">FusionDirectory</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0 centeralign"> <a href="applications/glpi.html" class="media" title="documentation:2.0:applications:glpi"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/glpi.html" class="wikilink1" title="documentation:2.0:applications:glpi">GLPI</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/gitlab.html" class="media" title="documentation:2.0:applications:gitlab"><img src="icons/kmultiple.png" class="mediacenter" alt="" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/gitlab.html" class="wikilink1" title="documentation:2.0:applications:gitlab">Gitlab</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6 centeralign"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0 centeralign"> <a href="applications/googleapps.html" class="media" title="documentation:2.0:applications:googleapps"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/googleapps.html" class="wikilink1" title="documentation:2.0:applications:googleapps">Google Apps</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/glpi.html" class="media" title="documentation:2.0:applications:glpi"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/glpi.html" class="wikilink1" title="documentation:2.0:applications:glpi">GLPI</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row15 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
<td class="col0 centeralign"> <a href="applications/googleapps.html" class="media" title="documentation:2.0:applications:googleapps"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/googleapps.html" class="wikilink1" title="documentation:2.0:applications:googleapps">Google Apps</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0 centeralign"> <a href="applications/grr.html" class="media" title="documentation:2.0:applications:grr"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/grr.html" class="wikilink1" title="documentation:2.0:applications:grr">GRR</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row17 rowodd">
<td class="col0 centeralign"> <a href="applications/guacamole.html" class="media" title="documentation:2.0:applications:guacamole"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/guacamole.html" class="wikilink1" title="documentation:2.0:applications:guacamole">Apache Guacamole</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4 centeralign"> </td><td class="col5 leftalign"> </td><td class="col6 centeralign"> </td>
<td class="col0 centeralign"> <a href="applications/grafana.html" class="media" title="documentation:2.0:applications:grafana"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/grafana.html" class="wikilink1" title="documentation:2.0:applications:grafana">Grafana</a> </td><td class="col2 leftalign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row18 roweven">
<td class="col0 centeralign"> <a href="applications/humhub.html" class="media" title="documentation:2.0:applications:humhub"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/humhub.html" class="wikilink1" title="documentation:2.0:applications:humhub">HumHub</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"> </td>
<td class="col0 centeralign"> <a href="applications/grr.html" class="media" title="documentation:2.0:applications:grr"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/grr.html" class="wikilink1" title="documentation:2.0:applications:grr">GRR</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0 centeralign"> <a href="applications/jitsimet" class="media" title="documentation:2.0:applications:jitsimet"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/jitsimeet.html" class="wikilink1" title="documentation:2.0:applications:jitsimeet">Jitsi Meet</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/guacamole.html" class="media" title="documentation:2.0:applications:guacamole"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/guacamole.html" class="wikilink1" title="documentation:2.0:applications:guacamole">Apache Guacamole</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4 centeralign"> </td><td class="col5 leftalign"> </td><td class="col6 centeralign"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="wikilink1" title="documentation:2.0:applications:liferay">Liferay</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
<td class="col0 centeralign"> <a href="applications/humhub.html" class="media" title="documentation:2.0:applications:humhub"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/humhub.html" class="wikilink1" title="documentation:2.0:applications:humhub">HumHub</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"></td>
</tr>
<tr class="row21 rowodd">
<td class="col0 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/limesurvey.html" class="wikilink1" title="documentation:2.0:applications:limesurvey">LimeSurvey</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
<td class="col0 centeralign"> <a href="applications/jitsimet" class="media" title="documentation:2.0:applications:jitsimet"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/jitsimeet.html" class="wikilink1" title="documentation:2.0:applications:jitsimeet">Jitsi Meet</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row22 roweven">
<td class="col0 centeralign"> <a href="applications/mattermost.html" class="media" title="documentation:2.0:applications:mattermost"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mattermost.html" class="wikilink1" title="documentation:2.0:applications:mattermost">Mattermost</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"></td>
<td class="col0 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="wikilink1" title="documentation:2.0:applications:liferay">Liferay</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row23 rowodd">
<td class="col0 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="wikilink1" title="documentation:2.0:applications:mediawiki">Mediawiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/limesurvey.html" class="wikilink1" title="documentation:2.0:applications:limesurvey">LimeSurvey</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row24 roweven">
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/nextcloud.html" class="wikilink1" title="documentation:2.0:applications:nextcloud">NextCloud</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/mattermost.html" class="media" title="documentation:2.0:applications:mattermost"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mattermost.html" class="wikilink1" title="documentation:2.0:applications:mattermost">Mattermost</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"> </td>
</tr>
<tr class="row25 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
<td class="col0 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="wikilink1" title="documentation:2.0:applications:mediawiki">Mediawiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row26 roweven">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/obm.html" class="wikilink1" title="documentation:2.0:applications:obm">OBM</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/nextcloud.html" class="wikilink1" title="documentation:2.0:applications:nextcloud">NextCloud</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
</tr>
<tr class="row27 rowodd">
<td class="col0 centeralign"> <a href="applications/office365.html" class="media" title="documentation:2.0:applications:office365"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/office365.html" class="wikilink1" title="documentation:2.0:applications:office365">Office 365</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row28 roweven">
<td class="col0 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="wikilink1" title="documentation:2.0:applications:phpldapadmin">phpLDAPAdmin</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/roundcube.html" class="wikilink1" title="documentation:2.0:applications:roundcube">Roundcube</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row30 roweven">
<td class="col0 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/salesforce.html" class="wikilink1" title="documentation:2.0:applications:salesforce">SalesForce</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row31 rowodd">
<td class="col0 centeralign"> <a href="applications/sap.html" class="media" title="documentation:2.0:applications:sap"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td><td class="col1 centeralign"> <a href="applications/sap.html" class="wikilink1" title="documentation:2.0:applications:sap">SAP</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row32 roweven">
<td class="col0 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/simplesamlphp.html" class="wikilink1" title="documentation:2.0:applications:simplesamlphp">simpleSAMLphp</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row33 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row28 roweven">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/obm.html" class="wikilink1" title="documentation:2.0:applications:obm">OBM</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0 centeralign"> <a href="applications/office365.html" class="media" title="documentation:2.0:applications:office365"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/office365.html" class="wikilink1" title="documentation:2.0:applications:office365">Office 365</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row30 roweven">
<td class="col0 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="wikilink1" title="documentation:2.0:applications:phpldapadmin">phpLDAPAdmin</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row31 rowodd">
<td class="col0 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/roundcube.html" class="wikilink1" title="documentation:2.0:applications:roundcube">Roundcube</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row32 roweven">
<td class="col0 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/salesforce.html" class="wikilink1" title="documentation:2.0:applications:salesforce">SalesForce</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row33 rowodd">
<td class="col0 centeralign"> <a href="applications/sap.html" class="media" title="documentation:2.0:applications:sap"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td><td class="col1 centeralign"> <a href="applications/sap.html" class="wikilink1" title="documentation:2.0:applications:sap">SAP</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row34 roweven">
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/spring.html" class="wikilink1" title="documentation:2.0:applications:spring">Spring</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/simplesamlphp.html" class="wikilink1" title="documentation:2.0:applications:simplesamlphp">simpleSAMLphp</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
</tr>
<tr class="row35 rowodd">
<td class="col0 centeralign"> <a href="applications/symfony.html" class="media" title="documentation:2.0:applications:symfony"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/symfony.html" class="wikilink1" title="documentation:2.0:applications:symfony">Symfony</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row36 roweven">
<td class="col0 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="wikilink1" title="documentation:2.0:applications:sympa">Sympa</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/spring.html" class="wikilink1" title="documentation:2.0:applications:spring">Spring</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row37 rowodd">
<td class="col0 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="wikilink1" title="documentation:2.0:applications:tomcat">Tomcat</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/symfony.html" class="media" title="documentation:2.0:applications:symfony"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/symfony.html" class="wikilink1" title="documentation:2.0:applications:symfony">Symfony</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row38 roweven">
<td class="col0 centeralign"> <a href="applications/wordpress.html" class="media" title="documentation:2.0:applications:wordpress"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/wordpress.html" class="wikilink1" title="documentation:2.0:applications:wordpress">Wordpress</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4 centeralign"></td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="wikilink1" title="documentation:2.0:applications:sympa">Sympa</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row39 rowodd">
<td class="col0 centeralign"> <a href="applications/xwiki.html" class="media" title="documentation:2.0:applications:xwiki"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/xwiki.html" class="wikilink1" title="documentation:2.0:applications:xwiki">XWiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="wikilink1" title="documentation:2.0:applications:tomcat">Tomcat</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row40 roweven">
<td class="col0 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra</a> </td><td class="col2"> </td><td class="col3 centeralign"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/wordpress.html" class="media" title="documentation:2.0:applications:wordpress"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/wordpress.html" class="wikilink1" title="documentation:2.0:applications:wordpress">Wordpress</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4 centeralign"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row41 rowodd">
<td class="col0 centeralign"> <a href="applications/xwiki.html" class="media" title="documentation:2.0:applications:xwiki"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/xwiki.html" class="wikilink1" title="documentation:2.0:applications:xwiki">XWiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row42 roweven">
<td class="col0 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra</a> </td><td class="col2"> </td><td class="col3 centeralign"></td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row43 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
</table></div>
<!-- EDIT4 TABLE [1223-6276] -->
<!-- EDIT4 TABLE [1223-6519] -->
</div>
<!-- EDIT3 SECTION "Application list" [1192-] --></div>
</body>


@ -0,0 +1,352 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:awx</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,awx"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="awx.html"/>
<link rel="contents" href="awx.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:awx","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#awx_saml_key_certificate">AWX SAML Key &amp; Certificate</a></div></li>
<li class="level2"><div class="li"><a href="#llng_saml_certificate">LLNG SAML Certificate</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#generate_certificate_from_key">Generate Certificate from Key</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#awx">AWX</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#saml_service_provider_entity_id">SAML Service Provider Entity ID</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_public_certificate">SAML Service Provider Public Certificate</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_private_key">SAML Service Provider Private Key</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_organization_info">SAML Service Provider Organization Info</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_technical_contact">SAML Service Provider Technical Contact</a></div></li>
<li class="level3"><div class="li"><a href="#saml_service_provider_support_contact">SAML Service Provider Support Contact</a></div></li>
<li class="level3"><div class="li"><a href="#saml_enabled_identity_providers">SAML Enabled Identity Providers</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#lemonldapng">LemonLDAP:NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="awx_ansible_tower">AWX (Ansible Tower)</h1>
<div class="level1">
<p>
<img src="logo-awx.png" class="mediacenter" alt="" />
<img src="logo-ansibletower.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "AWX (Ansible Tower)" [1-127] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://github.com/ansible/awx" class="urlextern" title="https://github.com/ansible/awx" rel="nofollow">AWX</a> is the upstream version for Ansible Tower.
</p>
<p>
This documentation explains how to interconnect LemonLDAP::NG and AWX using <abbr title="Security Assertion Markup Language">SAML</abbr> 2.0 protocol.
</p>
<p>
You can find the Official AWX documentation about this topic here : <a href="https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings" class="urlextern" title="https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings" rel="nofollow">https://docs.ansible.com/ansible-tower/latest/html/administration/ent_auth.html#saml-authentication-settings</a> Please read it before the LLNG doc.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [128-546] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<p>
This page assumes you already have configured the <abbr title="Security Assertion Markup Language">SAML</abbr> Service in LemonLDAP::NG, if not please follow : <a href="../documentation/latest/samlservice.html" class="wikilink1" title="documentation:latest:samlservice">SAML service configuration</a>
</p>
</div>
<!-- EDIT3 SECTION "Configuration" [547-742] -->
<h3 class="sectionedit4" id="awx_saml_key_certificate">AWX SAML Key &amp; Certificate</h3>
<div class="level3">
<p>
You&#039;ll need a private key and the corresponding certificate to setup saml in AWX, you can do it with your pki or with openssl on your machine :
</p>
<pre class="code">openssl req -x509 -newkey rsa:4096 -keyout saml-awx.key -out saml-awx.crt -days 3650 -nodes</pre>
</div>
<!-- EDIT4 SECTION "AWX SAML Key & Certificate" [743-1033] -->
<h3 class="sectionedit5" id="llng_saml_certificate">LLNG SAML Certificate</h3>
<div class="level3">
<p>
AWX need a certificate for the IDP signature, a public key won&#039;t work. You can either just generate a certificate from the private key and put it in AWX conf, or you can do it globally.
</p>
</div>
<h4 id="generate_certificate_from_key">Generate Certificate from Key</h4>
<div class="level4">
<p>
You can find your private key in : SAML2 Service -&gt; Security Parameters -&gt; Signature -&gt; Private Key
</p>
<p>
Copy it somewhere secure as lemonldap.key, and then generate the certificate with this command :
</p>
<pre class="code">openssl req -new -x509 -days 3650 -key lemonldap.key &gt; lemonldap.crt</pre>
<p>
After that, if you want, you can replace your <abbr title="Security Assertion Markup Language">SAML</abbr> public key with this certificate in LLNG configuration, this is not mandatory.
</p>
</div>
<!-- EDIT5 SECTION "LLNG SAML Certificate" [1034-1707] -->
<h3 class="sectionedit6" id="awx">AWX</h3>
<div class="level3">
<p>
You&#039;ll need an administrator account, then go to Settings -&gt; Authentication -&gt; <abbr title="Security Assertion Markup Language">SAML</abbr>
</p>
<p>
<img src="saml-awx.png" class="mediacenter" alt="" />
</p>
<p>
There is a few settings :
</p>
</div>
<h4 id="saml_service_provider_entity_id">SAML Service Provider Entity ID</h4>
<div class="level4">
<p>
This is the entityID for awx, lets put the fqdn :
</p>
<pre class="code">awx.example.com</pre>
</div>
<h4 id="saml_service_provider_public_certificate">SAML Service Provider Public Certificate</h4>
<div class="level4">
<p>
Put the content of <code>saml-awx.crt</code> :
</p>
<pre class="code">-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----</pre>
</div>
<h4 id="saml_service_provider_private_key">SAML Service Provider Private Key</h4>
<div class="level4">
<p>
Put the content of <code>saml-awx.key</code> :
</p>
<pre class="code">-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----</pre>
<p>
It will be replaced with
</p>
<pre class="code">$encrypted$</pre>
<p>
after you save the settings.
</p>
</div>
<h4 id="saml_service_provider_organization_info">SAML Service Provider Organization Info</h4>
<div class="level4">
<p>
Organization Info for The SP, this is purely &quot;for looks&quot;
</p>
<pre class="code">{
&quot;en-US&quot;: {
&quot;displayname&quot;: &quot;AWX ACME&quot;,
&quot;url&quot;: &quot;https://awx.example.com&quot;,
&quot;name&quot;: &quot;awxacme&quot;
}
}</pre>
</div>
<h4 id="saml_service_provider_technical_contact">SAML Service Provider Technical Contact</h4>
<div class="level4">
<p>
Technical Contact for the SP
</p>
<pre class="code">{
&quot;emailAddress&quot;: &quot;support@example.com&quot;,
&quot;givenName&quot;: &quot;Support ACME&quot;
}</pre>
</div>
<h4 id="saml_service_provider_support_contact">SAML Service Provider Support Contact</h4>
<div class="level4">
<p>
Support Contact for the SP
</p>
<pre class="code">{
&quot;emailAddress&quot;: &quot;support@example.com&quot;,
&quot;givenName&quot;: &quot;Support ACME&quot;
}</pre>
</div>
<h4 id="saml_enabled_identity_providers">SAML Enabled Identity Providers</h4>
<div class="level4">
<p>
This is the configuration of the IdP :
</p>
<pre class="code">{
&quot;lemonldap&quot;: {
&quot;attr_last_name&quot;: &quot;sn&quot;,
&quot;x509cert&quot;: &quot;SOXGp.....&quot;,
&quot;attr_username&quot;: &quot;uid&quot;,
&quot;entity_id&quot;: &quot;https://auth.example.com/saml/metadata&quot;,
&quot;attr_first_name&quot;: &quot;givenName&quot;,
&quot;attr_email&quot;: &quot;mail&quot;,
&quot;attr_user_permanent_id&quot;: &quot;uid&quot;,
&quot;url&quot;: &quot;https://auth.example.com/saml/singleSignOn&quot;
}
}</pre>
<ul>
<li class="level1"><div class="li"> &quot;attr_last_name&quot;: &quot;sn&quot; <abbr title="Security Assertion Markup Language">SAML</abbr> Attribute for the user last name</div>
</li>
<li class="level1"><div class="li"> &quot;x509cert&quot;: &quot;SOXGp.....&quot; the content of <code>lemonldap.crt</code> generated in the &quot;LLNG <abbr title="Security Assertion Markup Language">SAML</abbr> Certificate&quot; section</div>
</li>
<li class="level1"><div class="li"> &quot;attr_username&quot;: &quot;uid&quot; <abbr title="Security Assertion Markup Language">SAML</abbr> Attribute for the user username</div>
</li>
<li class="level1"><div class="li"> &quot;entity_id&quot;: &quot;<a href="https://auth.example.com/saml/metadata" class="urlextern" title="https://auth.example.com/saml/metadata" rel="nofollow">https://auth.example.com/saml/metadata</a>&quot; entityID of the IdP</div>
</li>
<li class="level1"><div class="li"> &quot;attr_first_name&quot;: &quot;givenName&quot; <abbr title="Security Assertion Markup Language">SAML</abbr> Attribute for the user first name</div>
</li>
<li class="level1"><div class="li"> &quot;attr_email&quot;: &quot;mail&quot; <abbr title="Security Assertion Markup Language">SAML</abbr> Attribute user for the user email</div>
</li>
<li class="level1"><div class="li"> &quot;attr_user_permanent_id&quot;: &quot;uid&quot; <abbr title="Security Assertion Markup Language">SAML</abbr> Attribute for the user unique id inside AWX</div>
</li>
<li class="level1"><div class="li"> &quot;url&quot;: &quot;<a href="https://auth.example.com/saml/singleSignOn" class="urlextern" title="https://auth.example.com/saml/singleSignOn" rel="nofollow">https://auth.example.com/saml/singleSignOn</a>&quot; <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Single Sign On">SSO</abbr> Url</div>
</li>
</ul>
<p>
Save your configuration.
</p>
</div>
<!-- EDIT6 SECTION "AWX" [1708-3983] -->
<h3 class="sectionedit7" id="lemonldapng">LemonLDAP:NG</h3>
<div class="level3">
<p>
We now have to define a service provider in LL:NG.
</p>
<p>
Go to &quot;<abbr title="Security Assertion Markup Language">SAML</abbr> service providers&quot;, click on &quot;Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP&quot; and name it as you want (example : &#039;AWX&#039;)
</p>
<p>
In the new subtree &#039;AWX&#039;, open &#039;Metadata&#039; and paste the content of the AWX Metadatas, wich can be found at the
</p>
<pre class="code">SAML Service Provider Metadata URL</pre>
<p>
in AWX : <a href="https://awx.example.com/sso/metadata/saml/" class="urlextern" title="https://awx.example.com/sso/metadata/saml/" rel="nofollow">https://awx.example.com/sso/metadata/saml/</a>
</p>
<p>
<img src="awx-metadata.png" class="mediacenter" alt="" />
</p>
<p>
Now go in &quot;Exported attributes&quot; and add, the &#039;uid&#039;, &#039;sn&#039;, &#039;givenName&#039;, &#039;mail&#039;.
</p>
<p>
All four attributes are mandatory for AWX. Make sure they match the names of the attributes available in your LemonLDAP sessions.
</p>
<p>
<img src="awx-attr.png" class="mediacenter" alt="" />
</p>
<p>
Don&#039;t forget to save your configuration.
</p>
<p>
You are now good to go, and you can add the application in <a href="../portalmenu.html" class="wikilink1" title="documentation:2.0:portalmenu">your menu</a> and <a href="../configvhost.html#lemonldapng_configuration" class="wikilink1" title="documentation:2.0:configvhost">your virtual hosts</a>.
</p>
<p>
You should now have a <abbr title="Security Assertion Markup Language">SAML</abbr> button on the login page :
</p>
<p>
<img src="awx-saml-login.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT7 SECTION "LemonLDAP:NG" [3984-] --></div>
</body>
</html>


@ -0,0 +1,170 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:grafana</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,grafana"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="grafana.html"/>
<link rel="contents" href="grafana.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:grafana","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#pre-requisites">Pre-requisites</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#grafana_configuration">Grafana configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng">LL:NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="grafana">Grafana</h1>
<div class="level1">
<p>
<img src="grafana_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Grafana" [1-69] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://grafana.com/" class="urlextern" title="https://grafana.com/" rel="nofollow">Grafana</a> is an Open Source dashboard for monitoring databases such as Prometheus, Graphite or Elasticsearch
</p>
<p>
Grafana offers social login through a generic OAuth 2 connector. Thankfully, it is close enough to OpenID Connect to work well with LemonLDAP::NG
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [70-376] -->
<h2 class="sectionedit3" id="pre-requisites">Pre-requisites</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Pre-requisites" [377-404] -->
<h3 class="sectionedit4" id="grafana_configuration">Grafana configuration</h3>
<div class="level3">
<p>
You should start by following the generic OAuth2 documentation provided by Grafana:
<a href="https://grafana.com/docs/grafana/latest/auth/generic-oauth/" class="urlextern" title="https://grafana.com/docs/grafana/latest/auth/generic-oauth/" rel="nofollow">https://grafana.com/docs/grafana/latest/auth/generic-oauth/</a>
</p>
<p>
Your configuration file will have to look something like this:
</p>
<pre class="code">[auth.generic_oauth]
enabled = true
client_id = CHOOSE_A_CLIENT_ID
client_secret = CHOOSE_A_CLIENT_SECRET
scopes = openid email profile
auth_url = https://auth.example.com/oauth2/authorize
token_url = https://auth.example.com/oauth2/token
api_url = https://auth.example.com/oauth2/userinfo
allow_sign_up = true
name = LemonLDAP::NG
send_client_credentials_via_post = false
email_attribute_name = email</pre>
</div>
<!-- EDIT4 SECTION "Grafana configuration" [405-1067] -->
<h3 class="sectionedit5" id="llng">LL:NG</h3>
<div class="level3">
<p>
Make sure you have already <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">enabled OpenID Connect</a> on your LemonLDAP::NG server
</p>
<p>
Then, add a Relaying Party with the following configuration
</p>
<ul>
<li class="level1"><div class="li"> Options » Authentification » Client ID : same as <code>client_id</code> above</div>
</li>
<li class="level1"><div class="li"> Options » Allowed redirection address : same as <code>client_secret </code> above</div>
</li>
</ul>
<p>
If you want to transmit user attributes to Grafana, you also need to configure
</p>
<ul>
<li class="level1"><div class="li"> Extra Claims » </div>
<ul>
<li class="level2"><div class="li"> add a key named <code>profile</code></div>
</li>
<li class="level2"><div class="li"> set a value of <code>name username display_name upn</code></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Exported Attributes (not all of them are mandatory)</div>
<ul>
<li class="level2"><div class="li"> replace the existing keys with the following 5 new keys: </div>
<ul>
<li class="level3"><div class="li"> <code>name</code></div>
</li>
<li class="level3"><div class="li"> <code>username</code></div>
</li>
<li class="level3"><div class="li"> <code>display_name</code></div>
</li>
<li class="level3"><div class="li"> <code>upn</code></div>
</li>
<li class="level3"><div class="li"> <code>email</code> </div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> map them to your corresponding LemonLDAP::NG session attribute</div>
</li>
</ul>
</li>
</ul>
</div>
<!-- EDIT5 SECTION "LL:NG" [1068-] --></div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1576942799" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1588685800" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1576942799" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1588685800" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -131,17 +131,17 @@ In the Nginx configuration that the Jitsi Meet quickstart generated, you must ad
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH &quot;&quot;;
fastcgi_param HOST $http_host;
fastcgi_param X_ORIGINAL_URI $request_uri;
}
# Protect only the /login/ and /logout/ URLs.
# Protect only the /login/ URL
# You may want to change this is your goal is to make the whole Jitsi Meet instance private
location ~ ^/log(in|out)/ {
location /login/ {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
@ -150,14 +150,16 @@ location ~ ^/log(in|out)/ {
auth_request_set $mail $upstream_http_mail;
proxy_set_header mail $mail;
auth_request_set $displayname $upstream_http_displayName;
proxy_set_header displayName $displayname;
auth_request_set $lmcookie $upstream_http_cookie;
proxy_set_header Cookie: $lmcookie;
proxy_pass http://127.0.0.1:8888;
proxy_pass http://127.0.0.1:8888/login;
}</pre>
</div>
<!-- EDIT6 SECTION "Jitsi Meet Nginx configuration" [1438-2531] -->
<!-- EDIT6 SECTION "Jitsi Meet Nginx configuration" [1438-2622] -->
<h3 class="sectionedit7" id="jitsi_meet_virtual_host_in_manager">Jitsi Meet Virtual host in Manager</h3>
<div class="level3">
@ -186,6 +188,6 @@ Configure the following <a href="../writingrulesand_headers.html#headers" class=
</div>
</div>
<!-- EDIT7 SECTION "Jitsi Meet Virtual host in Manager" [2532-] --></div>
<!-- EDIT7 SECTION "Jitsi Meet Virtual host in Manager" [2623-] --></div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1576942817" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1588685818" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -118,6 +118,8 @@ Then, go in <code>Choice Parameters</code>:
<ul>
<li class="level1"><div class="li"> <strong><abbr title="Uniform Resource Locator">URL</abbr> parameter</strong>: parameter name used to set choice value (default: <code>lmAuth</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>AuthBasic handler parameter</strong>: authentication module used by AuthBasic handler</div>
</li>
<li class="level1"><div class="li"> <strong>Allowed modules</strong>: click on <code>New chain</code> to add a choice.</div>
</li>
</ul>
@ -140,9 +142,10 @@ Define here:
</li>
<li class="level1"><div class="li"> <strong><abbr title="Uniform Resource Locator">URL</abbr></strong>: optional, can be used to redirect on another <abbr title="Uniform Resource Locator">URL</abbr> (for example <a href="https://authssl.example.com" class="urlextern" title="https://authssl.example.com" rel="nofollow">https://authssl.example.com</a>). This is mandatory if you want to use an Apache authentication module, which is run by Apache before showing the LemonLDAP::NG portal page.</div>
</li>
<li class="level1"><div class="li"> <strong>Condition</strong>: optional, can be used to evaluate an expression to display the tab.</div>
<li class="level1"><div class="li"> <strong>Condition</strong>: optional, can be used to evaluate an expression to display the tab. For example, to display a tab only if redirected by Handler from application <code>test1.example.com</code>, you can set this condition:</div>
</li>
</ul>
<pre class="code perl"><span class="re0">$env</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span>urldc<span class="br0">&#125;</span> <span class="sy0">=~</span> <span class="sy0">/</span>test1\<span class="sy0">.</span>example\<span class="sy0">.</span>com<span class="sy0">/</span></pre>
<div class="noteclassic">Authentication request to an another <abbr title="Uniform Resource Locator">URL</abbr> than Portal <abbr title="Uniform Resource Locator">URL</abbr> can lead to a persistent loop between Portal and a redirection <abbr title="Uniform Resource Locator">URL</abbr> (pdata is not removed because domains mismatch). To avoid this, you have to set pdata cookie domain by editing <code>lemonldap-ng.ini</code> in section [portal]:<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">pdataDomain</span> <span class="sy0">=</span><span class="re2"> example.com</span></pre>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authcustom</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authcustom"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authcustom.html"/>


@ -0,0 +1,112 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:authgithub</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authgithub"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authgithub.html"/>
<link rel="contents" href="authgithub.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authgithub","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="github">GitHub</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1 leftalign"> </td><td class="col2 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [23-82] -->
</div>
<!-- EDIT1 SECTION "GitHub" [1-83] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://github.com/" class="urlextern" title="https://github.com/" rel="nofollow">GitHub</a> uses <a href="http://en.wikipedia.org/wiki/OAuth2" class="urlextern" title="http://en.wikipedia.org/wiki/OAuth2" rel="nofollow">OAuth2</a> protocol to allow applications to reuse its own authentication process (see <a href="https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/" class="urlextern" title="https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/" rel="nofollow">https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/</a>).
</p>
<p>
You need to register a new application on LinkedIn to get an application ID and a secret: <a href="https://github.com/settings/apps/new" class="urlextern" title="https://github.com/settings/apps/new" rel="nofollow">https://github.com/settings/apps/new</a>.
</p>
</div>
<!-- EDIT3 SECTION "Presentation" [84-486] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose GitHub for authentication module.
</p>
<p>
Then, go in <code>GitHub parameters</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: authentication level for this module.</div>
</li>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the application ID you get</div>
</li>
<li class="level1"><div class="li"> <strong>Client secret</strong>: the corresponding secret</div>
</li>
<li class="level1"><div class="li"> <strong>Field containing user identifier</strong>: Field that will be used as main user identifier in <abbr title="LemonLDAP::NG">LL::NG</abbr>, usually <code>login</code> </div>
</li>
<li class="level1"><div class="li"> <strong>Scope</strong>: OAuth 2.0 scopes, see <a href="https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/" class="urlextern" title="https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/" rel="nofollow">https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/</a></div>
</li>
</ul>
<div class="notetip">Collected fields are stored in session in <code>github_</code> keys
</div><div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in:
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [487-] --></div>
</body>
</html>


@ -225,9 +225,13 @@ And the mail filter is:
<li class="level1"><div class="li"> <strong>Group source attribute</strong>: name of the attribute in groups entries used in the link, for recursive group search (default: dn).</div>
</li>
</ul>
<div class="noteclassic">The groups that the user belongs to are available as <code>$groups</code> and <code>%hGroups</code>, as documented <a href="exportedvars.html#extend_variables_using_macros_and_groups" class="wikilink1" title="documentation:2.0:exportedvars">here</a>
</div><div class="noteimportant">If your LDAP countains over a thousand groups, you should avoid using group processing, check out <a href="performances.html#ldap_performances" class="wikilink1" title="documentation:2.0:performances">the performance page</a> for alternatives
</div>
<!-- EDIT9 SECTION "Groups" [3711-4712] -->
</div>
<!-- EDIT9 SECTION "Groups" [3711-5086] -->
<h3 class="sectionedit10" id="password">Password</h3>
<div class="level3">
<ul>
@ -263,6 +267,6 @@ And the mail filter is:
</p>
</div>
<!-- EDIT10 SECTION "Password" [4713-] --></div>
<!-- EDIT10 SECTION "Password" [5087-] --></div>
</body>
</html>


@ -286,86 +286,86 @@ Define here the mapping between the <abbr title="LemonLDAP::NG">LL::NG</abbr> se
<div class="table sectionedit12"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0"> Claim name </th><th class="col1"> Type </th><th class="col2"> Example of corresponding LDAP attribute </th>
<th class="col0"> Claim name </th><th class="col1"> Associated scope </th><th class="col2"> Type </th><th class="col3"> Example of corresponding LDAP attribute </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> sub </td><td class="col1"> string </td><td class="col2"> uid </td>
<td class="col0"> sub </td><td class="col1"> openid </td><td class="col2"> string </td><td class="col3"> uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> name </td><td class="col1"> string </td><td class="col2"> cn </td>
<td class="col0"> name </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> cn </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> given_name </td><td class="col1"> string </td><td class="col2"> givenName </td>
<td class="col0"> given_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> givenName </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> family_name </td><td class="col1"> string </td><td class="col2"> sn </td>
<td class="col0"> family_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> sn </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> middle_name </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> middle_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> nickname </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> nickname </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> preferred_username </td><td class="col1"> string </td><td class="col2"> displayName </td>
<td class="col0"> preferred_username </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> displayName </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> profile </td><td class="col1"> string </td><td class="col2"> labeledURI </td>
<td class="col0"> profile </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> labeledURI </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> picture </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> picture </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> website </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> website </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> email </td><td class="col1"> string </td><td class="col2"> mail </td>
<td class="col0"> email </td><td class="col1"> email </td><td class="col2">string </td><td class="col3"> mail </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> email_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
<td class="col0"> email_verified </td><td class="col1"> email </td><td class="col2">boolean </td><td class="col3"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> gender </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> gender </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> birthdate </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> birthdate </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> zoneinfo </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> zoneinfo </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> locale </td><td class="col1"> string </td><td class="col2"> preferredLanguage </td>
<td class="col0"> locale </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> preferredLanguage </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> phone_number </td><td class="col1"> string </td><td class="col2"> telephoneNumber </td>
<td class="col0"> phone_number </td><td class="col1"> phone </td><td class="col2">string </td><td class="col3"> telephoneNumber </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> phone_number_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
<td class="col0"> phone_number_verified </td><td class="col1"> phone </td><td class="col2">boolean </td><td class="col3"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> updated_at </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> updated_at </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> formatted </td><td class="col1"> string </td><td class="col2"> registeredAddress </td>
<td class="col0"> formatted </td><td class="col1"> address </td><td class="col2">string </td><td class="col3"> registeredAddress </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> street_address </td><td class="col1"> string </td><td class="col2"> street </td>
<td class="col0"> street_address </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> street </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> locality </td><td class="col1"> string </td><td class="col2"> l </td>
<td class="col0"> locality </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> l </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> region </td><td class="col1"> string </td><td class="col2"> st </td>
<td class="col0"> region </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> st </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> postal_code </td><td class="col1"> string </td><td class="col2"> postalCode </td>
<td class="col0"> postal_code </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> postalCode </td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> country </td><td class="col1"> string </td><td class="col2"> co </td>
<td class="col0"> country </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> co </td>
</tr>
</table></div>
<!-- EDIT12 TABLE [38-861] -->
<!-- EDIT12 TABLE [38-1104] -->
</div>
<!-- EDIT11 PLUGIN_INCLUDE_END "documentation:2.0:openidconnectclaims" [0-] --></div>
<div class="level4">


@ -54,6 +54,7 @@
<ul class="toc">
<li class="level2"><div class="li"><a href="#external_portal">External portal</a></div></li>
<li class="level2"><div class="li"><a href="#internal_portal">Internal portal</a></div></li>
<li class="level2"><div class="li"><a href="#soap_compatibility_with_19_server">SOAP compatibility with 1.9 server</a></div></li>
</ul></li>
</ul>
</div>
@ -126,6 +127,17 @@ The portal must be configured to accept REST or SOAP authentication requests if
</p>
</div>
<!-- EDIT6 SECTION "Internal portal" [1340-] --></div>
<!-- EDIT6 SECTION "Internal portal" [1340-1598] -->
<h3 class="sectionedit7" id="soap_compatibility_with_19_server">SOAP compatibility with 1.9 server</h3>
<div class="level3">
<p>
If you Proxy is a 2.0.x and your server is a 1.9.x, you should add this in your lemonldap-ng.ini:
</p>
<pre class="code ini"><span class="re1">soapProxyUrn</span> <span class="sy0">=</span><span class="re2"> urn:Lemonldap/NG/Common/CGI/SOAPService</span></pre>
<div class="noteimportant">This needs LLNG version 2.0.8 at least
</div>
</div>
<!-- EDIT7 SECTION "SOAP compatibility with 1.9 server" [1599-] --></div>
</body>
</html>


@ -50,7 +50,7 @@
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<li class="level1"><div class="li"><a href="#configuration_as_the_only_authentication_module">Configuration (as the only authentication module)</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#with_apache">With Apache</a></div>
<ul class="toc">
@ -65,10 +65,16 @@
</ul>
</li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></div></li>
<li class="level2"><div class="li"><a href="#auto_reloading_ssl_certificates">Auto reloading SSL Certificates</a></div></li>
<li class="level2"><div class="li"><a href="#auto_reloading_ssl_certificates">Auto reloading SSL Certificates</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#apache_server">Apache server</a></div></li>
<li class="level3"><div class="li"><a href="#nginx_server">Nginx server</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#ssl_by_ajax">SSL by Ajax</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#configuration_for_combinationchoice">Configuration (for Combination/Choice)</a></div></li>
<li class="level1"><div class="li"><a href="#extracting_the_username_attribute">Extracting the username attribute</a></div></li>
</ul>
</div>
</div>
@ -104,7 +110,7 @@
</div>
<!-- EDIT3 SECTION "Presentation" [78-401] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<h2 class="sectionedit4" id="configuration_as_the_only_authentication_module">Configuration (as the only authentication module)</h2>
<div class="level2">
<p>
@ -112,7 +118,7 @@ By default, SSL is required before the portal is displayed (handled by webserver
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [402-713] -->
<!-- EDIT4 SECTION "Configuration (as the only authentication module)" [402-749] -->
<h3 class="sectionedit5" id="with_apache">With Apache</h3>
<div class="level3">
@ -192,7 +198,7 @@ Here are the main options used by <abbr title="LemonLDAP::NG">LL::NG</abbr>:
</ul>
</div>
<!-- EDIT5 SECTION "With Apache" [714-2684] -->
<!-- EDIT5 SECTION "With Apache" [750-2720] -->
<h3 class="sectionedit6" id="with_nginx">With Nginx</h3>
<div class="level3">
@ -204,14 +210,20 @@ ssl_verify_client optional;
ssl_certificate /etc/letsencrypt/live/my/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/my/privkey.pem;
ssl_verify_depth 3;
# All CA certificates concatenated in a single file
ssl_client_certificate /etc/nginx/ssl/ca.pem;
ssl_crl /etc/nginx/ssl/crl/my.crl;</pre>
ssl_crl /etc/nginx/ssl/crl/my.crl;
&nbsp;
# Reset SSL connection. User does not have to close his browser to try connecting again
keepalive_timeout 0 0;
add_header 'Connection' 'close';
ssl_session_timeout 1s;</pre>
<p>
You must also export SSL_CLIENT_S_<abbr title="Distinguished Name">DN</abbr>_CN in FastCGI params:
</p>
<pre class="code file nginx"># map directive must be in http context
map $ssl_client_s_dn $ssl_client_s_dn_cn {
<pre class="code file nginx"># map directive must be set in http context
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default &quot;&quot;;
~/CN=(?&lt;CN&gt;[^/]+) $CN; # prior Nginx 1.11.6
#~,CN=(?&lt;CN&gt;[^,]+) $CN; # Nginx &gt;= 1.11.6
@ -261,7 +273,7 @@ in the $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables.
</div>
</div>
<!-- EDIT6 SECTION "With Nginx" [2685-4659] -->
<!-- EDIT6 SECTION "With Nginx" [2721-4919] -->
<h3 class="sectionedit7" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</h3>
<div class="level3">
@ -281,7 +293,7 @@ Then, go in <code>SSL parameters</code>:
</ul>
</div>
<!-- EDIT7 SECTION "Configuration of LemonLDAP::NG" [4660-5085] -->
<!-- EDIT7 SECTION "Configuration of LemonLDAP::NG" [4920-5345] -->
<h3 class="sectionedit8" id="auto_reloading_ssl_certificates">Auto reloading SSL Certificates</h3>
<div class="level3">
@ -290,6 +302,11 @@ A known problematic is that many browser (Firefox, Chrome) remembers the fact th
It is particularly important for smart cards: when the card is not inserted before the browser starts, the user must restart his browser, or at least refresh (F5) the page.
</p>
</div>
<h4 id="apache_server">Apache server</h4>
<div class="level4">
<p>
It is possible with AJAX code and 3 Apache locations to bypass this limitation.
</p>
@ -386,11 +403,23 @@ $('.enteteBouton').click( function (e) {
});
<span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/script.html"><span class="kw2">script</span></a>&gt;</span>
<span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/body.html"><span class="kw2">body</span></a>&gt;</span></pre>
</div>
<h4 id="nginx_server">Nginx server</h4>
<div class="level4">
<p>
With Nginx, append those server context directives to force SSL connexion reset:
</p>
<pre class="code file nginx">keepalive_timeout 0 0;
add_header 'Connection' 'close';
ssl_session_timeout 1s;</pre>
<div class="notewarning">It is incompatible with authentication combination because of Apache parameter &quot;SSLVerifyClient&quot;, which must have the value &quot;require&quot;. To enable SSL with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>, use <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a>
</div>
</div>
<!-- EDIT8 SECTION "Auto reloading SSL Certificates" [5086-8349] -->
<h2 class="sectionedit9" id="ssl_by_ajax">SSL by Ajax</h2>
<!-- EDIT8 SECTION "Auto reloading SSL Certificates" [5346-8837] -->
<h2 class="sectionedit9" id="configuration_for_combinationchoice">Configuration (for Combination/Choice)</h2>
<div class="level2">
<p>
@ -449,6 +478,33 @@ and set :
</div>
</div>
<!-- EDIT9 SECTION "SSL by Ajax" [8350-] --></div>
<!-- EDIT9 SECTION "Configuration (for Combination/Choice)" [8838-10508] -->
<h2 class="sectionedit10" id="extracting_the_username_attribute">Extracting the username attribute</h2>
<div class="level2">
<p>
The &quot;Extracted certificate field&quot; must be set to the Apache/Nginx environment variable containing the username attribute.
</p>
<p>
See the <a href="https://httpd.apache.org/docs/current/en/mod/mod_ssl.html" class="urlextern" title="https://httpd.apache.org/docs/current/en/mod/mod_ssl.html" rel="nofollow">mod_ssl documentation</a> for a list of supported variables names.
</p>
<p>
If your webserver configuration allows multiple CAs, you may configure a different environment variable for each CA.
</p>
<p>
In the &quot;Conditional extracted certificate field&quot;, add a line for each CA.
</p>
<ul>
<li class="level1"><div class="li"> key: the CA subject <abbr title="Distinguished Name">DN</abbr> (will be printed in debug logs)</div>
</li>
<li class="level1"><div class="li"> value: the variable containing the username when using certificates emitted by this CA</div>
</li>
</ul>
</div>
<!-- EDIT10 SECTION "Extracting the username attribute" [10509-] --></div>
</body>
</html>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/browseablesessionbackend?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/browseablesessionbackend?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=browseablesessionbackend&amp;1576942827" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=browseablesessionbackend&amp;1588685829" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -43,24 +43,39 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<h1 class="sectionedit1" id="brute_force_protection_addon">Brute Force Protection Addon</h1>
<ul class="toc">
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#incremental_lock_time_enabled">Incremental lock time enabled</a></div></li>
<li class="level2"><div class="li"><a href="#incremental_lock_time_disabled">Incremental lock time disabled</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="brute_force_protection_plugin">Brute Force Protection plugin</h1>
<div class="level1">
<p>
bruteForceProtection plugin prevents brute force attack. Plugin DISABLED by default.
This plugin prevents brute force attack. Plugin DISABLED by default.
</p>
<p>
After some failed login attempts, user must wait (30 seconds by default) before try to log in again.
After some failed login attempts, user must wait before trying to log in again.
</p>
<p>
The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds.
The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of an user. If disabled, automated tools may submit thousands of password attempts in a matter of seconds.
</p>
</div>
<!-- EDIT1 SECTION "Brute Force Protection Addon" [1-455] -->
<!-- EDIT1 SECTION "Brute Force Protection plugin" [1-414] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
@ -69,18 +84,53 @@ To enable Brute Force Attack protection :
</p>
<p>
Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Security</code> » <code>Brute-force attack protection</code> and set to <code>On</code>.
Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Security</code> » <code>Brute-force attack protection</code> »
<code>Activation</code>and set to <code>On</code>.
</p>
</div>
<!-- EDIT2 SECTION "Configuration" [415-641] -->
<h3 class="sectionedit3" id="incremental_lock_time_enabled">Incremental lock time enabled</h3>
<div class="level3">
<p>
You just have to activate it in the Manager :
</p>
<p>
To modify waiting time (30 seconds by default) before reAuthentication, MaxAge between current and last stored failed login (300 seconds by default) or number of allowed failed login attempts (3 by default) edit <code>lemonldap-ng.ini</code> in section [portal]:
Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Security</code> » <code>Brute-force attack protection</code> »
<code>Incremental lock times</code> and set to <code>On</code>. (DISABLED by default) or in <code>lemonldap-ng.ini</code> [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">bruteForceProtectionIncrementalTempo</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
<p>
Lock time increases between each failed login attempt.
To modify lock time values (&#039;5 15 60 300 600&#039; seconds by default) or max lock time value (900 seconds by default) edit <code>lemonldap-ng.ini</code> in [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">bruteForceProtectionLockTimes</span> <span class="sy0">=</span><span class="re2"> '5 15 60 300 600'</span>
<span class="re1">bruteForceProtectionMaxLockTime</span> <span class="sy0">=</span><span class="re2"> 900</span></pre>
<div class="noteclassic">Max lock time value is used by this plugin if a lock time is missing (number of failed logins higher than listed lock time values). Lock time values can not be higher than max lock time.
</div>
</div>
<!-- EDIT3 SECTION "Incremental lock time enabled" [642-1572] -->
<h3 class="sectionedit4" id="incremental_lock_time_disabled">Incremental lock time disabled</h3>
<div class="level3">
<p>
After <code>bruteForceProtectionMaxFailed</code> failed login attempts, user must wait <code>bruteForceProtectionTempo</code> seconds before trying to log in again.
To modify waiting time (30 seconds by default), MaxAge between current and last stored failed login (300 seconds by default) or number of allowed failed login attempts (3 by default) edit <code>lemonldap-ng.ini</code> in [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">bruteForceProtectionTempo</span> <span class="sy0">=</span><span class="re2"> 30</span>
<span class="re1">bruteForceProtectionMaxAge</span> <span class="sy0">=</span><span class="re2"> 300</span>
<span class="re1">bruteForceProtectionMaxFailed</span> <span class="sy0">=</span><span class="re2"> 3</span></pre>
<div class="noteimportant">Number of failed login attempts stored in history MUST be higher than allowed failed logins for this plugin takes effect.
</div>
<!-- EDIT2 SECTION "Configuration" [456-] --></div>
</div>
<!-- EDIT4 SECTION "Incremental lock time disabled" [1573-] --></div>
</body>
</html>


@ -68,43 +68,41 @@ Just enable it in the manager (section “plugins”).
</li>
<li class="level2"><div class="li"> <strong>Hidden attributes</strong>: Attributes not displayed</div>
</li>
<li class="level2"><div class="li"> <strong>Attributes used for searching sessions</strong>: User&#039;s attributes used for searching sessions in Data Base if <code>whatToTrace</code> fails. Useful to look for sessions by mail or givenName. Let it blank to search by <code>whatToTrace</code> only.</div>
<li class="level2"><div class="li"> <strong>Attributes used for searching sessions</strong>: User&#039;s attributes used for searching sessions in backend if <code>whatToTrace</code> fails. Useful to look for sessions by mail or givenName. Let it blank to search by <code>whatToTrace</code> only.</div>
</li>
<li class="level2"><div class="li"> <strong>Display persistent session</strong>: Display persistent session attributes</div>
<li class="level2"><div class="li"> <strong>Display empty headers</strong>: Rule to display ALL headers appended by LemonLDAP::NG including empty ones</div>
</li>
<li class="level2"><div class="li"> <strong>Display empty value</strong>: Display ALL attributes even empty ones</div>
<li class="level2"><div class="li"> <strong>Display empty value</strong>: Rule to display ALL attributes even empty ones</div>
</li>
<li class="level2"><div class="li"> <strong>Display persistent session</strong>: Rule to display persistent session attributes</div>
</li>
</ul>
</li>
</ul>
<div class="noteclassic">By example :
<div class="noteclassic">By examples :
<p>
Search attributes =&gt; <code>mail uid givenName</code>
* Search attributes =&gt; <code>mail uid givenName</code>
</p>
<p>
If <code>whatToTrace</code> fails, sessions are searched by <code>mail</code>, next <code>uid</code> if no sessions are found and so on...
If <code>whatToTrace</code> fails, sessions are searched by <code>mail</code>, next <code>uid</code> if none session is found and so on...
</p>
<p>
* Display empty headers rule =&gt; <code>$uid eq &quot;dwho&quot;</code> -&gt; Only &#039;dwho&#039; will see empty headers
</p>
</div><div class="noteclassic">Keep in mind that Nginx HTTP proxy module gets rid of empty headers. If the value of a header field is an empty string then this field will not be passed to a proxied server. To avoid misunderstanding, it might be useful to not display empty headers.
</div><div class="noteimportant">Be careful to not display secret attributes.
<p>
checkUser plugin hidden attributes are concatenation of
</p>
<p>
<code>checkUserHiddenAttributes</code> and <code>hiddenAttributes</code>.
</p>
<p>
checkUser plugin hidden attributes are concatenation of <code>checkUserHiddenAttributes</code> and <code>hiddenAttributes</code>.
You just have to append checkUser specific attributes.
</p>
</div><div class="notewarning">This plugin displays ALL user session attributes except the hidden ones.
<p>
You have to restrict access to specific users (administrators, DevOps, power users and so on...)
</p>
<p>
by setting an access rule like other VirtualHosts.
</p>
@ -113,16 +111,24 @@ By example: <code>$groups =~ /\bsu\b/</code>
</p>
</div>
<p>
To modify persistent sessions attributes (&#039;_loginHistory _2fDevices notification_&#039; by default), edit <code>lemonldap-ng.ini</code> in [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">persistentSessionAttributes</span> <span class="sy0">=</span><span class="re2"> _loginHistory _2fDevices notification_</span></pre>
</div>
<!-- EDIT2 SECTION "Configuration" [265-1680] -->
<!-- EDIT2 SECTION "Configuration" [265-2403] -->
<h2 class="sectionedit3" id="usage">Usage</h2>
<div class="level2">
<p>
When enabled, <code>/checkuser</code> <abbr title="Uniform Resource Locator">URL</abbr> path is handled by this plugin.
</p>
<div class="noteimportant">With federated authentication, checkUser plugin works only if a session can be found in backend.
</div>
<!-- EDIT3 SECTION "Usage" [1681-] --></div>
</div>
<!-- EDIT3 SECTION "Usage" [2404-] --></div>
</body>
</html>


@ -54,6 +54,8 @@
<li class="level1"><div class="li"><a href="#configure_sessions_backend">Configure sessions backend</a></div></li>
<li class="level1"><div class="li"><a href="#configure_virtual_host">Configure virtual host</a></div></li>
<li class="level1"><div class="li"><a href="#configure_ldap_authentication_backend">Configure LDAP authentication backend</a></div></li>
<li class="level1"><div class="li"><a href="#configure_cas_identity_provider">Configure CAS Identity Provider</a></div></li>
<li class="level1"><div class="li"><a href="#register_a_cas_application">Register a CAS application</a></div></li>
<li class="level1"><div class="li"><a href="#configure_saml_identity_provider">Configure SAML Identity Provider</a></div></li>
<li class="level1"><div class="li"><a href="#register_an_saml_service_provider">Register an SAML Service Provider</a></div></li>
<li class="level1"><div class="li"><a href="#configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</a></div></li>
@ -71,9 +73,10 @@
<p>
This page shows some examples of <abbr title="LemonLDAP::NG">LL::NG</abbr> Command Line Interface. See <a href="configlocation.html#command_line_interface_cli" class="wikilink1" title="documentation:2.0:configlocation">how to use the command</a>.
</p>
<div class="noteimportant">On Debian, the command is located in <code>/usr/share/lemonldap-ng/bin</code> and on CentOS in <code>/usr/libexec/lemonldap-ng/bin</code>. Adapt the path for the system you are using.
</div>
<!-- EDIT1 SECTION "Command Line Interface (lemonldap-ng-cli) examples" [1-205] -->
</div>
<!-- EDIT1 SECTION "Command Line Interface (lemonldap-ng-cli) examples" [1-395] -->
<h2 class="sectionedit2" id="saverestore_configuration">Save/restore configuration</h2>
<div class="level2">
@ -93,8 +96,13 @@ Restore:
# Or
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - &lt;config.json</pre>
<p>
Rollback (restore previous configuration, <em>since 2.0.8</em>):
</p>
<pre class="code shell">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli rollback</pre>
</div>
<!-- EDIT2 SECTION "Save/restore configuration" [206-543] -->
<!-- EDIT2 SECTION "Save/restore configuration" [396-871] -->
<h2 class="sectionedit3" id="configure_https">Configure HTTPS</h2>
<div class="level2">
@ -110,7 +118,7 @@ When setting HTTPS, you first need to modify Apache/Nginx configuration, then yo
securedCookie 1</pre>
</div>
<!-- EDIT3 SECTION "Configure HTTPS" [544-1014] -->
<!-- EDIT3 SECTION "Configure HTTPS" [872-1342] -->
<h2 class="sectionedit4" id="configure_sessions_backend">Configure sessions backend</h2>
<div class="level2">
@ -225,7 +233,7 @@ In this example we have:
oidcStorageOptions TableName &#039;oidcsessions&#039;</pre>
</div>
<!-- EDIT4 SECTION "Configure sessions backend" [1015-4603] -->
<!-- EDIT4 SECTION "Configure sessions backend" [1343-4931] -->
<h2 class="sectionedit5" id="configure_virtual_host">Configure virtual host</h2>
<div class="level2">
@ -264,7 +272,7 @@ In this example we have:
&#039;exportedHeaders/test.example.com&#039; &#039;Auth-Mail&#039; &#039;$mail&#039;</pre>
</div>
<!-- EDIT5 SECTION "Configure virtual host" [4604-5304] -->
<!-- EDIT5 SECTION "Configure virtual host" [4932-5632] -->
<h2 class="sectionedit6" id="configure_ldap_authentication_backend">Configure LDAP authentication backend</h2>
<div class="level2">
@ -331,8 +339,47 @@ In this example we use:
ldapGroupRecursive 1</pre>
</div>
<!-- EDIT6 SECTION "Configure LDAP authentication backend" [5305-6778] -->
<h2 class="sectionedit7" id="configure_saml_identity_provider">Configure SAML Identity Provider</h2>
<!-- EDIT6 SECTION "Configure LDAP authentication backend" [5633-7106] -->
<h2 class="sectionedit7" id="configure_cas_identity_provider">Configure CAS Identity Provider</h2>
<div class="level2">
<p>
You just have to enable the <abbr title="Central Authentication Service">CAS</abbr> server feature, and you can set the access control policy (see <a href="idpcas.html#configuring_the_cas_service" class="wikilink1" title="documentation:2.0:idpcas">CAS service options</a>):
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
issuerDBCASActivation 1 \
casAccessControlPolicy error</pre>
</div>
<!-- EDIT7 SECTION "Configure CAS Identity Provider" [7107-7458] -->
<h2 class="sectionedit8" id="register_a_cas_application">Register a CAS application</h2>
<div class="level2">
<p>
This is only required if your access control policy is not <code>none</code>.
</p>
<p>
In this example we have:
</p>
<ul>
<li class="level1"><div class="li"> App configuration key: testapp</div>
</li>
<li class="level1"><div class="li"> App service <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://testapp.example.com/" class="urlextern" title="https://testapp.example.com/" rel="nofollow">https://testapp.example.com/</a></div>
</li>
<li class="level1"><div class="li"> App exported attribute: mail and cn</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
casAppMetaDataExportedVars/testapp mail mail \
casAppMetaDataExportedVars/testapp cn cn
casAppMetaDataOptions/testapp casAppMetaDataOptionsService &#039;https://testapp.example.com/&#039;</pre>
</div>
<!-- EDIT8 SECTION "Register a CAS application" [7459-8004] -->
<h2 class="sectionedit9" id="configure_saml_identity_provider">Configure SAML Identity Provider</h2>
<div class="level2">
<p>
@ -366,8 +413,8 @@ You can also define organization name and <abbr title="Uniform Resource Locator"
samlOrganizationURL &#039;http://www.acme.com&#039;</pre>
</div>
<!-- EDIT7 SECTION "Configure SAML Identity Provider" [6779-7785] -->
<h2 class="sectionedit8" id="register_an_saml_service_provider">Register an SAML Service Provider</h2>
<!-- EDIT9 SECTION "Configure SAML Identity Provider" [8005-9011] -->
<h2 class="sectionedit10" id="register_an_saml_service_provider">Register an SAML Service Provider</h2>
<div class="level2">
<p>
@ -387,8 +434,8 @@ In this example we have:
samlSPMetaDataExportedAttributes/testsp mail &#039;1;EmailAddress&#039;</pre>
</div>
<!-- EDIT8 SECTION "Register an SAML Service Provider" [7786-8238] -->
<h2 class="sectionedit9" id="configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</h2>
<!-- EDIT10 SECTION "Register an SAML Service Provider" [9012-9464] -->
<h2 class="sectionedit11" id="configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</h2>
<div class="level2">
<p>
@ -423,8 +470,8 @@ If needed you can allow implicit and hybrid flows:
oidcServiceAllowHybridFlow 1</pre>
</div>
<!-- EDIT9 SECTION "Configure OpenID Connect Identity Provider" [8239-9122] -->
<h2 class="sectionedit10" id="register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</h2>
<!-- EDIT11 SECTION "Configure OpenID Connect Identity Provider" [9465-10348] -->
<h2 class="sectionedit12" id="register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</h2>
<div class="level2">
<p>
@ -492,8 +539,8 @@ In this example we have:
oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
</div>
<!-- EDIT10 SECTION "Register an OpenID Connect Relying Party" [9123-10754] -->
<h2 class="sectionedit11" id="categories_and_applications_in_menu">Categories and applications in menu</h2>
<!-- EDIT12 SECTION "Register an OpenID Connect Relying Party" [10349-11980] -->
<h2 class="sectionedit13" id="categories_and_applications_in_menu">Categories and applications in menu</h2>
<div class="level2">
<p>
@ -517,8 +564,8 @@ Create the application &quot;sample&quot; inside category &quot;applications&quo
applicationList/applications/sample/options uri &quot;https://sample.example.com/&quot;</pre>
</div>
<!-- EDIT11 SECTION "Categories and applications in menu" [10755-11636] -->
<h2 class="sectionedit12" id="encryption_key">Encryption key</h2>
<!-- EDIT13 SECTION "Categories and applications in menu" [11981-12862] -->
<h2 class="sectionedit14" id="encryption_key">Encryption key</h2>
<div class="level2">
<p>
@ -529,6 +576,6 @@ To update the master encryption key:
key &#039;xxxxxxxxxxxxxxx&#039;</pre>
</div>
<!-- EDIT12 SECTION "Encryption key" [11637-] --></div>
<!-- EDIT14 SECTION "Encryption key" [12863-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:configlocation</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,configlocation"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="configlocation.html"/>
@ -51,6 +51,7 @@
<ul class="toc">
<li class="level1"><div class="li"><a href="#backends">Backends</a></div></li>
<li class="level1"><div class="li"><a href="#manager">Manager</a></div></li>
<li class="level1"><div class="li"><a href="#manager_api">Manager API</a></div></li>
<li class="level1"><div class="li"><a href="#configuration_text_editor">Configuration text editor</a></div></li>
<li class="level1"><div class="li"><a href="#command_line_interface_cli">Command Line Interface (CLI)</a></div></li>
<li class="level1"><div class="li"><a href="#apache">Apache</a></div>
@ -176,10 +177,43 @@ LemonLDAP::NG configuration is mainly a key/value structure, so Manager will pre
When all modifications are done, click on <code>Save</code> to store configuration.
</p>
<div class="notewarning">LemonLDAP::NG will do some checks on configuration and display errors and warnings if any. Configuration <strong>is not saved</strong> if errors occur.
</div><div class="notetip"><ul>
<li class="level1"><div class="li"> <a href="viewer.html" class="wikilink1" title="documentation:2.0:viewer">Configuration viewer</a> allow some users to edit WebSSO configuration in Read Only mode.</div>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> You can set and display instance name in Manager menu by editing <code>lemonldap-ng.ini</code> in [manager] section:</div>
</li>
</ul>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="re1">instanceName</span> <span class="sy0">=</span><span class="re2"> LLNG_Demo</span></pre>
</div>
</div>
<!-- EDIT3 SECTION "Manager" [1048-3236] -->
<h2 class="sectionedit4" id="configuration_text_editor">Configuration text editor</h2>
<!-- EDIT3 SECTION "Manager" [1048-3525] -->
<h2 class="sectionedit4" id="manager_api">Manager API</h2>
<div class="level2">
<p>
Since 2.0.8, a Manager <abbr title="Application Programming Interface">API</abbr> is available for:
</p>
<ul>
<li class="level1"><div class="li"> Second factors management for users</div>
</li>
<li class="level1"><div class="li"> OpenID Connect RP management</div>
</li>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> SP management</div>
</li>
</ul>
<p>
See <a href="https://lemonldap-ng.org/manager-api/2.0/" class="urlextern" title="https://lemonldap-ng.org/manager-api/2.0/" rel="nofollow">Manager API documentation</a>.
</p>
<div class="noteimportant">To access Manager <abbr title="Application Programming Interface">API</abbr>, enable the <code>manager-api</code> virtual host and change the access rule. You can protect the <abbr title="Application Programming Interface">API</abbr> through Basic authentication, <abbr title="Internet Protocol">IP</abbr> white list or any other condition.
</div>
</div>
<!-- EDIT4 SECTION "Manager API" [3526-3977] -->
<h2 class="sectionedit5" id="configuration_text_editor">Configuration text editor</h2>
<div class="level2">
<p>
@ -221,8 +255,8 @@ If a modification is done, the configuration is saved with a new configuration n
</p>
</div>
<!-- EDIT4 SECTION "Configuration text editor" [3237-4556] -->
<h2 class="sectionedit5" id="command_line_interface_cli">Command Line Interface (CLI)</h2>
<!-- EDIT5 SECTION "Configuration text editor" [3978-5297] -->
<h2 class="sectionedit6" id="command_line_interface_cli">Command Line Interface (CLI)</h2>
<div class="level2">
<p>
@ -290,8 +324,8 @@ Some examples:
<div class="notetip">See <a href="cli_examples.html" class="wikilink1" title="documentation:2.0:cli_examples">other examples</a>.
</div>
</div>
<!-- EDIT5 SECTION "Command Line Interface (CLI)" [4557-6445] -->
<h2 class="sectionedit6" id="apache">Apache</h2>
<!-- EDIT6 SECTION "Command Line Interface (CLI)" [5298-7186] -->
<h2 class="sectionedit7" id="apache">Apache</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage Apache configuration
</div>
@ -314,8 +348,8 @@ See <a href="configapache.html" class="wikilink1" title="documentation:2.0:confi
</p>
</div>
<!-- EDIT6 SECTION "Apache" [6446-6893] -->
<h3 class="sectionedit7" id="portal">Portal</h3>
<!-- EDIT7 SECTION "Apache" [7187-7634] -->
<h3 class="sectionedit8" id="portal">Portal</h3>
<div class="level3">
<p>
@ -332,8 +366,8 @@ By default, access to those URLs is denied:
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT7 SECTION "Portal" [6894-7343] -->
<h3 class="sectionedit8" id="allowing_configuration_reload">Allowing configuration reload</h3>
<!-- EDIT8 SECTION "Portal" [7635-8084] -->
<h3 class="sectionedit9" id="allowing_configuration_reload">Allowing configuration reload</h3>
<div class="level3">
<p>
@ -349,8 +383,8 @@ In order to allow configuration reload from a different server (if your manager
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT8 SECTION "Allowing configuration reload" [7344-7834] -->
<h3 class="sectionedit9" id="handler">Handler</h3>
<!-- EDIT9 SECTION "Allowing configuration reload" [8085-8575] -->
<h3 class="sectionedit10" id="handler">Handler</h3>
<div class="level3">
<p>
@ -386,8 +420,8 @@ See <strong>test-apache2.conf</strong> for a complete example of a protected app
</p>
</div>
<!-- EDIT9 SECTION "Handler" [7835-8686] -->
<h2 class="sectionedit10" id="nginx">Nginx</h2>
<!-- EDIT10 SECTION "Handler" [8576-9427] -->
<h2 class="sectionedit11" id="nginx">Nginx</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage Nginx configuration
</div>
@ -411,8 +445,8 @@ See <a href="confignginx.html" class="wikilink1" title="documentation:2.0:config
<div class="notewarning"><a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI</a> server must be enabled and started separately.
</div>
</div>
<!-- EDIT10 SECTION "Nginx" [8687-9209] -->
<h3 class="sectionedit11" id="portal1">Portal</h3>
<!-- EDIT11 SECTION "Nginx" [9428-9950] -->
<h3 class="sectionedit12" id="portal1">Portal</h3>
<div class="level3">
<p>
@ -428,8 +462,8 @@ By default, access to those URLs is denied:
}</pre>
</div>
<!-- EDIT11 SECTION "Portal" [9210-9587] -->
<h3 class="sectionedit12" id="allowing_configuration_reload1">Allowing configuration reload</h3>
<!-- EDIT12 SECTION "Portal" [9951-10328] -->
<h3 class="sectionedit13" id="allowing_configuration_reload1">Allowing configuration reload</h3>
<div class="level3">
<p>
@ -451,8 +485,8 @@ In order to allow configuration reload from a different server (if your manager
}</pre>
</div>
<!-- EDIT12 SECTION "Allowing configuration reload" [9588-10127] -->
<h3 class="sectionedit13" id="handler1">Handler</h3>
<!-- EDIT13 SECTION "Allowing configuration reload" [10329-10868] -->
<h3 class="sectionedit14" id="handler1">Handler</h3>
<div class="level3">
<p>
@ -520,8 +554,8 @@ To protect a standard virtual host, you must insert this (or create an included
# Insert then your configuration (fastcgi_* or proxy_*)</pre>
</div>
<!-- EDIT13 SECTION "Handler" [10128-12131] -->
<h2 class="sectionedit14" id="configuration_reload">Configuration reload</h2>
<!-- EDIT14 SECTION "Handler" [10869-12872] -->
<h2 class="sectionedit15" id="configuration_reload">Configuration reload</h2>
<div class="level2">
<div class="noteclassic">As Handlers keep configuration in cache, when configuration change, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers the mean to reload them through an HTTP request. Configuration reload will then be effective in less than 10 minutes. If you want to change this timeout, set <code>checkTime = 240</code> in your lemonldap-ng.ini file <em>(values in seconds)</em>
</div>
@ -532,7 +566,7 @@ After configuration is saved by Manager, LemonLDAP::NG will try to reload config
<p>
You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
</p>
<div class="noteimportant">Configuration file is compacted to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused parameters to be purged, you can enable &quot;Don&#039;t compact configuration file&quot; option.
<div class="noteimportant">If &quot;Compact configuration file&quot; option is enabled, all useless parameters are removed to limit file size. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid useless parameters to be purged, you can disable this option.
</div>
<p>
These parameters can be overwritten in LemonLDAP::NG ini file, in the section <code>apply</code>.
@ -579,8 +613,8 @@ You also need to adjust the protection of the reload vhost, for example:
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT14 SECTION "Configuration reload" [12132-14981] -->
<h2 class="sectionedit15" id="local_file">Local file</h2>
<!-- EDIT15 SECTION "Configuration reload" [12873-15712] -->
<h2 class="sectionedit16" id="local_file">Local file</h2>
<div class="level2">
<p>
@ -613,6 +647,6 @@ For example, to override configured skin for portal:
<div class="notetip">You need to know the technical name of configuration parameter to do this. You can refer to <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">parameter list</a> to find it.
</div>
</div>
<!-- EDIT15 SECTION "Local file" [14982-] --></div>
<!-- EDIT16 SECTION "Local file" [15713-] --></div>
</body>
</html>


@ -509,7 +509,7 @@ A virtual host contains:
<p>
See <strong><a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Writing rules and headers</a></strong> to learn how to configure access control and HTTP headers sent to application by <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
<div class="noteimportant">With <strong>Nginx</strong>-based ReverseProxy, headers directives can be appended by a LUA script.
<div class="noteimportant">With <strong>Nginx</strong>-based ReverseProxy, header directives can be appended by a LUA script.
<p>
To send more than <strong>TEN</strong> headers to protected applications, you have to edit and modify :
</p>
@ -518,9 +518,14 @@ To send more than <strong>TEN</strong> headers to protected applications, you ha
<code>/etc/nginx/nginx-lua-headers.conf</code>
</p>
</div><div class="notewarning">* <strong>Nginx</strong> gets rid of any empty headers. There is no point of passing along empty values to another server; it would only serve to bloat the request. In other words, headers with <strong>empty values are completely removed</strong> from the passed request.
<p>
* <strong>Nginx</strong>, by default, will consider any header that <strong>contains underscores as invalid</strong>. It will remove these from the proxied request. If you wish to have Nginx interpret these as valid, you can set the <code>underscores_in_headers</code> directive to “on”, otherwise your headers will never make it to the backend server.
</p>
</div>
</div>
<!-- EDIT10 SECTION "Access rules and HTTP headers" [12002-12436] -->
<!-- EDIT10 SECTION "Access rules and HTTP headers" [12002-13028] -->
<h3 class="sectionedit11" id="post_data">POST data</h3>
<div class="level3">
@ -529,7 +534,7 @@ See <strong><a href="formreplay.html" class="wikilink1" title="documentation:2.0
</p>
</div>
<!-- EDIT11 SECTION "POST data" [12437-12571] -->
<!-- EDIT11 SECTION "POST data" [13029-13163] -->
<h3 class="sectionedit12" id="options">Options</h3>
<div class="level3">
@ -569,6 +574,6 @@ Keep in mind that AuthBasic handler use &quot;Login/Password&quot; to authentica
</p>
</div>
<!-- EDIT12 SECTION "Options" [12572-] --></div>
<!-- EDIT12 SECTION "Options" [13164-] --></div>
</body>
</html>


@ -77,10 +77,10 @@ Just enable it in the Manager (section “plugins”) by setting a rule. Context
</div>
<p>
impersonationPrefix is used to store real user&#039;s session Id. You can set this prefix (&#039;real_&#039; by default) by editing <code>lemonldap-ng.ini</code> in [portal] section:
contextSwitchingPrefix is used to store real user&#039;s session Id. You can set this prefix (&#039;switching&#039; by default) by editing <code>lemonldap-ng.ini</code> in [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">impersonationPrefix</span> <span class="sy0">=</span><span class="re2"> real_</span></pre>
<span class="re1">contextSwitchingPrefix</span> <span class="sy0">=</span><span class="re2"> switching</span></pre>
</div>
<!-- EDIT2 SECTION "Configuration" [236-] --></div>


@ -143,7 +143,9 @@ Just declare files or Perl module that must be loaded:
<pre class="code file :ini"><span class="re0"><span class="br0">&#91;</span>all<span class="br0">&#93;</span></span>
<span class="re1">require</span> <span class="sy0">=</span><span class="re2"> /path/to/functions.pl, /path/to/SSOExtensions.pm</span>
# OR
<span class="re1">require</span> <span class="sy0">=</span><span class="re2"> SSOExtensions::function1, SSOExtensions::function2</span></pre>
<span class="re1">require</span> <span class="sy0">=</span><span class="re2"> SSOExtensions::function1, SSOExtensions::function2</span>
<span class="co0">; Prevent Portal to crash if Perl module is not found</span>
<span class="co0">;requireDontDie = 1</span></pre>
</div>
@ -189,7 +191,7 @@ GROUP=www-data
CUSTOM_FUNCTIONS_FILE=/path/to/SSOExtensions.pm</pre>
</div>
<!-- EDIT5 SECTION "Load relevant code in handler server" [1006-2337] -->
<!-- EDIT5 SECTION "Load relevant code in handler server" [1006-2411] -->
<h3 class="sectionedit6" id="declare_custom_functions">Declare custom functions</h3>
<div class="level3">
@ -200,16 +202,16 @@ Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</cod
<div class="noteimportant">If your function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail.
</div>
</div>
<!-- EDIT6 SECTION "Declare custom functions" [2338-2659] -->
<!-- EDIT6 SECTION "Declare custom functions" [2412-2733] -->
<h2 class="sectionedit7" id="use_it">Use it</h2>
<div class="level2">
<p>
You can now use your function in a macro, an header or an access rule, for example:
</p>
<pre class="code">Custom-Header =&gt; function1( $uid, $ENV{REMOTE_ADDR} )</pre>
<pre class="code :perl">SSOExtensions<span class="sy0">::</span><span class="me2">function1</span><span class="br0">&#40;</span> <span class="re0">$uid</span><span class="sy0">,</span> <span class="re0">$ENV</span><span class="br0">&#123;</span>REMOTE_ADDR<span class="br0">&#125;</span> <span class="br0">&#41;</span></pre>
</div>
<!-- EDIT7 SECTION "Use it" [2660-] --></div>
<!-- EDIT7 SECTION "Use it" [2734-] --></div>
</body>
</html>


@ -23,8 +23,8 @@
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<link rel="search" type="application/opensearchdescription+xml" href="../../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="../../globallogout.html"/>
<link rel="contents" href="../../globallogout.html" title="Sitemap"/>
<link rel="start" href="../../resetcertificate.html"/>
<link rel="contents" href="../../resetcertificate.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
@ -93,7 +93,7 @@
<hr/>
<div class="btn-group">
<a href="../../globallogout.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:globallogout [B]">Back to documentation:2.0:globallogout</a> </div>
<a href="../../resetcertificate.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:resetcertificate [B]">Back to documentation:2.0:resetcertificate</a> </div>
</p>



@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1576942869" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1588685871" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1576942869" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1588685871" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -106,8 +106,11 @@ Macros and groups are calculated during authentication process by the portal:
</li>
<li class="level1"><div class="li"> macros can also be used to import environment variables <em>(these variables are in CGI format)</em>. Example: <code>$ENV{HTTP_COOKIE}</code></div>
</li>
<li class="level1"><div class="li"> groups are stored as space-separated strings in the special attribute &quot;groups&quot;: it contains the names of groups whose rules were returned true for the current user</div>
<li class="level1"><div class="li"> groups are stored as a string with values separated by <code>; </code> (default values separator) in the special attribute <code>groups</code>: it contains the names of groups whose rules were returned true for the current user. For example:</div>
</li>
</ul>
<pre class="code perl"><span class="re0">$groups</span> <span class="sy0">=</span> group3<span class="sy0">;</span> admin</pre>
<ul>
<li class="level1"><div class="li"> You can also get groups in <code>$hGroups</code> which is a Hash Reference of this form:</div>
</li>
</ul>
@ -141,16 +144,21 @@ displayName <span class="sy0">-&gt;</span> <span class="re0">$givenName</span><s
Display<span class="sy0">-</span>Name <span class="sy0">-&gt;</span> <span class="re0">$displayName</span></pre>
<p>
Example for groups:
Defining a group for admins
</p>
<pre class="code perl"><span class="co1"># group</span>
admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'foo'</span> <span class="kw1">or</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'bar'</span>
&nbsp;
<span class="co1"># Use a group in a rule</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <span class="re0">$groups</span> <span class="sy0">=~</span> <span class="co2">/\badmin\b/</span>
admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'foo'</span> <span class="kw1">or</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'bar'</span></pre>
<p>
Using groups in a rule
</p>
<pre class="code perl"><span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <span class="re0">$groups</span> <span class="sy0">=~</span> <span class="co2">/\badmin\b/</span>
&nbsp;
<span class="co1"># Or with hGroups</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/defined.html"><span class="kw3">defined</span></a> <span class="re0">$hGroups</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span><span class="st_h">'admin'</span><span class="br0">&#125;</span></pre>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/defined.html"><span class="kw3">defined</span></a> <span class="re0">$hGroups</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span><span class="st_h">'admin'</span><span class="br0">&#125;</span>
&nbsp;
<span class="co1"># Since 2.0.8</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <span class="me1">inGroup</span><span class="br0">&#40;</span><span class="st_h">'admin'</span><span class="br0">&#41;</span></pre>
<div class="noteclassic">Groups are computed after macros, so a group rule may involve a macro value.
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro &quot;macro1&quot; will be computed before macro &quot;macro2&quot;: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div>


@ -60,6 +60,7 @@
<li class="level2"><div class="li"><a href="#iso2unicode">iso2unicode</a></div></li>
<li class="level2"><div class="li"><a href="#groupmatch">groupMatch</a></div></li>
<li class="level2"><div class="li"><a href="#listmatch">listMatch</a></div></li>
<li class="level2"><div class="li"><a href="#ingroup">inGroup</a></div></li>
<li class="level2"><div class="li"><a href="#encrypt">encrypt</a></div></li>
<li class="level2"><div class="li"><a href="#token">token</a></div></li>
<li class="level2"><div class="li"><a href="#isinnet6">isInNet6</a></div></li>
@ -130,6 +131,8 @@ Inside this jail, you can access to:
</li>
<li class="level2"><div class="li"> <a href="#listmatch" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">listMatch</a> (<a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <em> since 2.0.7)</em></div>
</li>
<li class="level2"><div class="li"> <a href="#ingroup" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">inGroup</a> (<a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <em> since 2.0.8)</em></div>
</li>
<li class="level2"><div class="li"> <a href="#encrypt" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">encrypt</a></div>
</li>
<li class="level2"><div class="li"> <a href="#token" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">token</a></div>
@ -144,12 +147,12 @@ Inside this jail, you can access to:
<div class="notetip">To know more about the jail, check <a href="http://perldoc.perl.org/Safe.html" class="urlextern" title="http://perldoc.perl.org/Safe.html" rel="nofollow">Safe module documentation</a>.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [35-1324] -->
<!-- EDIT2 SECTION "Presentation" [35-1396] -->
<h2 class="sectionedit3" id="extended_functions_list">Extended Functions List</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Extended Functions List" [1325-1361] -->
<!-- EDIT3 SECTION "Extended Functions List" [1397-1433] -->
<h3 class="sectionedit4" id="date">date</h3>
<div class="level3">
@ -159,7 +162,7 @@ Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT by callin
<pre class="code">date(1)</pre>
</div>
<!-- EDIT4 SECTION "date" [1362-1481] -->
<!-- EDIT4 SECTION "date" [1434-1553] -->
<h3 class="sectionedit5" id="checklogonhours">checkLogonHours</h3>
<div class="level3">
@ -216,7 +219,7 @@ You can modify the default behavior for people without value in ssoLogonHours. I
<pre class="code">checkLogonHours($ssoLogonHours, &#039;&#039;, &#039;&#039;, &#039;1&#039;)</pre>
</div>
<!-- EDIT5 SECTION "checkLogonHours" [1482-3419] -->
<!-- EDIT5 SECTION "checkLogonHours" [1554-3491] -->
<h3 class="sectionedit6" id="checkdate">checkDate</h3>
<div class="level3">
@ -248,7 +251,7 @@ Simple usage example:
<pre class="code">checkDate($ssoStartDate, $ssoEndDate)</pre>
</div>
<!-- EDIT6 SECTION "checkDate" [3420-4047] -->
<!-- EDIT6 SECTION "checkDate" [3492-4119] -->
<h3 class="sectionedit7" id="basic">basic</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
@ -273,7 +276,7 @@ Simple usage example:
<pre class="code">basic($uid,$_password)</pre>
</div>
<!-- EDIT7 SECTION "basic" [4048-4510] -->
<!-- EDIT7 SECTION "basic" [4120-4582] -->
<h3 class="sectionedit8" id="unicode2iso">unicode2iso</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
@ -296,7 +299,7 @@ Simple usage example:
<pre class="code">unicode2iso($name)</pre>
</div>
<!-- EDIT8 SECTION "unicode2iso" [4511-4815] -->
<!-- EDIT8 SECTION "unicode2iso" [4583-4887] -->
<h3 class="sectionedit9" id="iso2unicode">iso2unicode</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
@ -319,7 +322,7 @@ Simple usage example:
<pre class="code">iso2unicode($name)</pre>
</div>
<!-- EDIT9 SECTION "iso2unicode" [4816-5120] -->
<!-- EDIT9 SECTION "iso2unicode" [4888-5192] -->
<h3 class="sectionedit10" id="groupmatch">groupMatch</h3>
<div class="level3">
@ -345,7 +348,7 @@ Simple usage example:
<pre class="code">groupMatch($hGroups, &#039;description&#039;, &#039;Service 1&#039;)</pre>
</div>
<!-- EDIT10 SECTION "groupMatch" [5121-5479] -->
<!-- EDIT10 SECTION "groupMatch" [5193-5551] -->
<h3 class="sectionedit11" id="listmatch">listMatch</h3>
<div class="level3">
@ -383,8 +386,32 @@ The function returns 1 if the value was found, and 0 if it was not found.
</p>
</div>
<!-- EDIT11 SECTION "listMatch" [5480-6107] -->
<h3 class="sectionedit12" id="encrypt">encrypt</h3>
<!-- EDIT11 SECTION "listMatch" [5552-6179] -->
<h3 class="sectionedit12" id="ingroup">inGroup</h3>
<div class="level3">
<p>
(<a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <em> since 2.0.8)</em>
</p>
<p>
This function lets you test if the user is in a given group. It is case-insensitive.
</p>
<p>
Usage example:
</p>
<pre class="code">inGroup(&#039;admins&#039;)
inGroup(&#039;test users&#039;)</pre>
<p>
The function returns 1 if the user belongs to the given group, and 0 if they don&#039;t.
</p>
</div>
<!-- EDIT12 SECTION "inGroup" [6180-6486] -->
<h3 class="sectionedit13" id="encrypt">encrypt</h3>
<div class="level3">
<div class="notetip">Since version 2.0, this function is now compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
</div>
@ -394,8 +421,8 @@ This function uses the secret key of LLNG configuration to crypt a data. This ca
<pre class="code">encrypt($_whatToTrace)</pre>
</div>
<!-- EDIT12 SECTION "encrypt" [6108-6416] -->
<h3 class="sectionedit13" id="token">token</h3>
<!-- EDIT13 SECTION "encrypt" [6487-6795] -->
<h3 class="sectionedit14" id="token">token</h3>
<div class="level3">
<p>
@ -404,8 +431,8 @@ This function generates token used for <a href="servertoserver.html" class="wiki
<pre class="code">token($_session_id,&#039;webapp1.example.com&#039;,&#039;webapp2.example.com&#039;)</pre>
</div>
<!-- EDIT13 SECTION "token" [6417-6624] -->
<h3 class="sectionedit14" id="isinnet6">isInNet6</h3>
<!-- EDIT14 SECTION "token" [6796-7003] -->
<h3 class="sectionedit15" id="isinnet6">isInNet6</h3>
<div class="level3">
<p>
@ -414,8 +441,8 @@ Function to check if an IPv6 address is in a subnet. Example <em>check if <abbr
<pre class="code perl">isInNet6<span class="br0">&#40;</span><span class="re0">$ipAddr</span><span class="sy0">,</span> <span class="st_h">'fe80::/10'</span><span class="br0">&#41;</span></pre>
</div>
<!-- EDIT14 SECTION "isInNet6" [6625-6792] -->
<h3 class="sectionedit15" id="varisinuri">varIsInUri</h3>
<!-- EDIT15 SECTION "isInNet6" [7004-7171] -->
<h3 class="sectionedit16" id="varisinuri">varIsInUri</h3>
<div class="level3">
<p>
@ -441,6 +468,6 @@ https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span cla
https<span class="sy0">://</span>test1<span class="sy0">.</span>example<span class="sy0">.</span>com<span class="sy0">/</span>check<span class="sy0">-</span>auth<span class="sy0">/</span>rtyler <span class="sy0">-&gt;</span> <span class="me1">false</span></pre>
</div>
<!-- EDIT15 SECTION "varIsInUri" [6793-] --></div>
<!-- EDIT16 SECTION "varIsInUri" [7172-] --></div>
</body>
</html>


@ -44,19 +44,15 @@
<body>
<div class="dokuwiki export container">
<p>
<a href="documentation/latest/beta.png_documentation_2.0_globallogout.html" class="media" title="documentation:latest:beta.png"><img src="documentation/latest/beta.ea231b49369c9f6406cbdf58d06a616c.png" class="media" alt="" width="100" /></a>
</p>
<h1 class="sectionedit1" id="global_logout_plugin">Global logout plugin</h1>
<div class="level1">
<p>
This plugin allows a user to close all his opened sessions at logout process.
This plugin allows a user to log out of all his active sessions.
</p>
</div>
<!-- EDIT1 SECTION "Global logout plugin" [40-154] -->
<!-- EDIT1 SECTION "Global logout plugin" [1-102] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
@ -68,13 +64,20 @@ Just enable it in the Manager (section “plugins”).
<ul>
<li class="level2"><div class="li"> <strong>Activation</strong>: Enable/Disable or set a rule to select which users are allowed to close there sessions.</div>
</li>
<li class="level2"><div class="li"> <strong>Auto accept time</strong>: Enable/Disable timer. If timer is disabled, all opened sessions are always closed.</div>
<li class="level2"><div class="li"> <strong>Auto accept time</strong>: Enable/Disable timer. If timer is disabled, all opened sessions will be immediately closed.</div>
</li>
<li class="level2"><div class="li"> <strong>Custom parameter</strong>: Session attribut to display at global logout</div>
</li>
</ul>
</li>
</ul>
<div class="noteclassic">To display more than one session attribute, you can create a macro like this :
<p>
<code>user_USER =&gt; &quot;$uid_&quot; . uc $uid</code>
</p>
</div>
<!-- EDIT2 SECTION "Configuration" [155-] --></div>
</div>
<!-- EDIT2 SECTION "Configuration" [103-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:idpcas</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,idpcas"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpcas.html"/>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:idpopenidconnect</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,idpopenidconnect"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpopenidconnect.html"/>
@ -58,8 +58,8 @@
<li class="level2"><div class="li"><a href="#configuration_of_relying_party_in_llng">Configuration of Relying Party in LL::NG</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#exported_attributes">Exported attributes</a></div></li>
<li class="level3"><div class="li"><a href="#extra_claims">Extra Claims</a></div></li>
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#extra_claims">Extra claims</a></div></li>
<li class="level3"><div class="li"><a href="#macros">Macros</a></div></li>
<li class="level3"><div class="li"><a href="#display">Display</a></div></li>
</ul></li>
@ -246,7 +246,7 @@ An example of its content:
<div class="level3">
<p>
Go in Manager and click on <code>OpenID Connect Relying Parties</code>, then click on <code>Add OpenID Relying Party</code>. Give a technical name (no spaces, no special characters), like “sample-rp”;
Go in Manager and click on <code>OpenID Connect Relying Parties</code>, then click on <code>Add OpenID Relying Party</code>. Give a technical label (no spaces, no special characters), like “sample-rp”;
</p>
<p>
@ -268,86 +268,86 @@ You can map here the attribute names from the <abbr title="LemonLDAP::NG">LL::NG
<div class="table sectionedit10"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0"> Claim name </th><th class="col1"> Type </th><th class="col2"> Example of corresponding LDAP attribute </th>
<th class="col0"> Claim name </th><th class="col1"> Associated scope </th><th class="col2"> Type </th><th class="col3"> Example of corresponding LDAP attribute </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> sub </td><td class="col1"> string </td><td class="col2"> uid </td>
<td class="col0"> sub </td><td class="col1"> openid </td><td class="col2"> string </td><td class="col3"> uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> name </td><td class="col1"> string </td><td class="col2"> cn </td>
<td class="col0"> name </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> cn </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> given_name </td><td class="col1"> string </td><td class="col2"> givenName </td>
<td class="col0"> given_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> givenName </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> family_name </td><td class="col1"> string </td><td class="col2"> sn </td>
<td class="col0"> family_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> sn </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> middle_name </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> middle_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> nickname </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> nickname </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> preferred_username </td><td class="col1"> string </td><td class="col2"> displayName </td>
<td class="col0"> preferred_username </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> displayName </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> profile </td><td class="col1"> string </td><td class="col2"> labeledURI </td>
<td class="col0"> profile </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> labeledURI </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> picture </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> picture </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> website </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> website </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> email </td><td class="col1"> string </td><td class="col2"> mail </td>
<td class="col0"> email </td><td class="col1"> email </td><td class="col2">string </td><td class="col3"> mail </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> email_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
<td class="col0"> email_verified </td><td class="col1"> email </td><td class="col2">boolean </td><td class="col3"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> gender </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> gender </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> birthdate </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> birthdate </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> zoneinfo </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> zoneinfo </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> locale </td><td class="col1"> string </td><td class="col2"> preferredLanguage </td>
<td class="col0"> locale </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> preferredLanguage </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> phone_number </td><td class="col1"> string </td><td class="col2"> telephoneNumber </td>
<td class="col0"> phone_number </td><td class="col1"> phone </td><td class="col2">string </td><td class="col3"> telephoneNumber </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> phone_number_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
<td class="col0"> phone_number_verified </td><td class="col1"> phone </td><td class="col2">boolean </td><td class="col3"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> updated_at </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> updated_at </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> formatted </td><td class="col1"> string </td><td class="col2"> registeredAddress </td>
<td class="col0"> formatted </td><td class="col1"> address </td><td class="col2">string </td><td class="col3"> registeredAddress </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> street_address </td><td class="col1"> string </td><td class="col2"> street </td>
<td class="col0"> street_address </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> street </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> locality </td><td class="col1"> string </td><td class="col2"> l </td>
<td class="col0"> locality </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> l </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> region </td><td class="col1"> string </td><td class="col2"> st </td>
<td class="col0"> region </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> st </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> postal_code </td><td class="col1"> string </td><td class="col2"> postalCode </td>
<td class="col0"> postal_code </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> postalCode </td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> country </td><td class="col1"> string </td><td class="col2"> co </td>
<td class="col0"> country </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> co </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [38-861] -->
<!-- EDIT10 TABLE [38-1104] -->
</div>
<!-- EDIT9 PLUGIN_INCLUDE_END "documentation:2.0:openidconnectclaims" [0-] --></div>
<div class="level4">
@ -365,22 +365,35 @@ So you can define for example:
</ul>
<div class="noteimportant">The specific <code>sub</code> attribute is not defined here, but in User attribute parameter (see below).
</div>
</div>
<h4 id="extra_claims">Extra Claims</h4>
<div class="level4">
<div class="noteimportant">By default, only claims that are part of standard OpenID Connect scopes will be sent to a client. If you want to send a claim that is not in the OpenID Connect specification, you need to declare it in the Extra Claims section
</div>
<p>
You can also define extra claims and link them to attributes (see below). Then you just have to define the mapping of this new attributes, for example:
If you want to make custom claims visible to OpenID Connect clients, you need to declare them in a scope.
</p>
<p>
Add your additional scope as the <strong>Key</strong>, and a space-separated list of claims as the <strong>Value</strong>:
</p>
<ul>
<li class="level1"><div class="li"> birthplace =&gt; l</div>
</li>
<li class="level1"><div class="li"> birthcountry =&gt; co</div>
<li class="level1"><div class="li"> timelord =&gt; rebirth_count bloodline </div>
</li>
</ul>
<p>
In this example, an OpenID Client asking for the <code>timelord</code> scope will be able to read the <code>rebirth_count</code> and <code>bloodline</code> claims from the Userinfo endpoint.
</p>
<div class="notewarning">Any Claim defined in this section must be mapped to a LemonLDAP::NG session attribute in the <strong>Exported Attributes</strong> section
</div>
</div>
<h4 id="options">Options</h4>
<div class="level4">
<ul>
<li class="level1"><div class="li"> <strong>Authentication</strong>:</div>
<li class="level1"><div class="li"> <strong>Basic</strong></div>
<ul>
<li class="level2"><div class="li"> <strong>Client ID</strong>: Client ID for this RP</div>
</li>
@ -388,42 +401,67 @@ You can also define extra claims and link them to attributes (see below). Then y
</li>
<li class="level2"><div class="li"> <strong>Public client</strong> (since version <code>2.0.4</code>): set this RP as public client, so authentication is not needed on token endpoint</div>
</li>
<li class="level2"><div class="li"> <strong>Redirection addresses</strong>: Space separated list of redirect addresses allowed for this RP</div>
</li>
</ul>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> <strong>Advanced</strong></div>
<ul>
<li class="level2"><div class="li"> <strong>Bypass consent</strong>: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is <strong>not</strong> compliant with OpenID Connect standard.</div>
</li>
<li class="level2"><div class="li"> <strong>User attribute</strong>: session field that will be used as main identifier (<code>sub</code>)</div>
</li>
<li class="level2"><div class="li"> <strong>Force claims to be returned in ID Token</strong>: This options will make user attributes from the requested scope appear as ID Token claims.</div>
</li>
<li class="level2"><div class="li"> <strong>Additional audiences</strong> (since version <code>2.0.8</code>): You can specify a space-separate list of audiences that will be added the audiences of the ID Token</div>
</li>
<li class="level2"><div class="li"> <strong>Use refresh tokens</strong> (since version <code>2.0.7</code>): If this option is set, LemonLDAP::NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Timeouts</strong></div>
<ul>
<li class="level2"><div class="li"> <strong>Authorization Code expiration</strong>: Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute.</div>
</li>
<li class="level2"><div class="li"> <strong>ID Token expiration</strong>: Expiration time of ID Tokens. The default value is one hour.</div>
</li>
<li class="level2"><div class="li"> <strong>Access token expiration</strong>: Expiration time of Access Tokens. The default value is one hour.</div>
</li>
<li class="level2"><div class="li"> <strong>Offline session expiration</strong>: This sets the lifetime of the refresh token obtained with the <strong>offline_access</strong> scope. The default value is one month. This parameter only applies if offline sessions are enabled.</div>
</li>
</ul>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> <strong>Security</strong></div>
<ul>
<li class="level2"><div class="li"> <strong>ID Token signature algorithm</strong>: Select one of <code>none</code>, <code>HS256</code>, <code>HS384</code>, <code>HS512</code>, <code>RS256</code>, <code>RS384</code>, <code>RS512</code></div>
</li>
<li class="level2"><div class="li"> <strong>Require PKCE</strong> (since version <code>2.0.4</code>): a code challenge is required at token endpoint (see <a href="https://tools.ietf.org/html/rfc7636" class="urlextern" title="https://tools.ietf.org/html/rfc7636" rel="nofollow">RFC7636</a>)</div>
</li>
</ul>
<li class="level2"><div class="li"> <strong>Allow offline access</strong> (since version <code>2.0.7</code>): After enabling this feature, an application may request the <strong>offline_access</strong> scope, and will obtain a Refresh Token that persists even after the user has logged off. See <a href="https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess" class="urlextern" title="https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess" rel="nofollow">https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess</a> for details. These offline sessions can be administered through the Session Browser.</div>
</li>
<li class="level1"><div class="li"> <strong>User attribute</strong>: session field that will be used as main identifier (<code>sub</code>)</div>
<li class="level2"><div class="li"> <strong>Allow OAuth2.0 Password Grant</strong> (since version <code>2.0.8</code>): Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.</div>
</li>
<li class="level1"><div class="li"> <strong>ID Token signature algorithm</strong>: Select one of <code>none</code>, <code>HS256</code>, <code>HS384</code>, <code>HS512</code>, <code>RS256</code>, <code>RS384</code>, <code>RS512</code></div>
</li>
<li class="level1"><div class="li"> <strong>ID Token expiration</strong>: Expiration time of ID Tokens. The default value is one hour.</div>
</li>
<li class="level1"><div class="li"> <strong>Force claims to be returned in ID Token</strong>: This options will make user attributes from the requested scope appear as ID Token claims.</div>
</li>
<li class="level1"><div class="li"> <strong>Access token expiration</strong>: Expiration time of Access Tokens. The default value is one hour.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorization Code expiration</strong>: Expiration time of authorization code, when using the Authorization Code flow. The default value is one minute.</div>
</li>
<li class="level1"><div class="li"> <strong>Use refresh tokens</strong>: If this option is set, LemonLDAP::NG will issue a Refresh Token that can be used to obtain new access tokens as long as the user session is still valid.</div>
</li>
<li class="level1"><div class="li"> <strong>Allow offline access</strong>: After enabling this feature, an application may request the <strong>offline_access</strong> scope, and will obtain a Refresh Token that persists even after the user has logged off. See <a href="https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess" class="urlextern" title="https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess" rel="nofollow">https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess</a> for details. These offline sessions can be administered through the Session Browser.</div>
</li>
<li class="level1"><div class="li"> <strong>Offline session expiration</strong>: This sets the lifetime of the refresh token obtained with the <strong>offline_access</strong> scope. The default value is one month. This parameter only applies if offline sessions are enabled.</div>
</li>
<li class="level1"><div class="li"> <strong>Redirection addresses</strong>: Space separated list of redirect addresses allowed for this RP</div>
</li>
<li class="level1"><div class="li"> <strong>Bypass consent</strong>: Enable if you never want to display the scope sharing consent screen (consent will be accepted by default). Bypassing the consent is <strong>not</strong> compliant with OpenID Connect standard.</div>
<li class="level2"><div class="li"> <strong>Access Rule</strong>: lets you specify a <a href="rules_examples.html" class="wikilink1" title="documentation:2.0:rules_examples">Perl rule</a> to restrict access to this client</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong>Logout</strong></div>
<ul>
<li class="level2"><div class="li"> <strong>Allowed redirection addresses for logout</strong>: A space separated list of URLs that this client can redirect the user to once the logout is done (through <code>post_logout_redirect_uri</code>)</div>
</li>
<li class="level2"><div class="li"> <strong><abbr title="Uniform Resource Locator">URL</abbr></strong>: Specify the relying party&#039;s logout <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level2"><div class="li"> <strong>Type</strong>: Type of Logout to perform (only Front-Channel is implemented for now)</div>
</li>
<li class="level2"><div class="li"> <strong>Session required</strong>: Whether to send the Session ID in the logout request</div>
</li>
</ul>
</li>
</ul>
</div>
<h4 id="extra_claims">Extra claims</h4>
<div class="level4">
<p>
Associate attributes to extra claims if the RP request them, for example <code>birth</code> =&gt; <code>birthplace birthcountry</code>
</p>
</div>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:idpsaml</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,idpsaml"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpsaml.html"/>


@ -63,13 +63,9 @@ Just enable it in the Manager (section “plugins”) by setting a rule. Imperso
<ul>
<li class="level1"><div class="li"> <strong>Parameters</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Use rule</strong>: </div>
<li class="level2"><div class="li"> <strong>Use rule</strong>: Rule to allow/deny users to impersonate or define which users may use this plugin.</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Select which users may use this plugin</div>
<ul>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.</div>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users</div>
</li>
<li class="level2"><div class="li"> <strong>Hidden attributes</strong>: Attributes not displayed</div>
</li>


@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=cb8543bb80ff783430335c289801b508" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1576942869" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1588685871" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:notifications</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,notifications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="notifications.html"/>
@ -52,6 +52,12 @@
<li class="level1"><div class="li"><a href="#installation">Installation</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#activation">Activation</a></div></li>
<li class="level2"><div class="li"><a href="#explorer">Explorer</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#usage">Usage</a></div></li>
<li class="level3"><div class="li"><a href="#known_issue">Known issue</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#storage">Storage</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#file">File</a></div></li>
@ -100,19 +106,66 @@ A notification explorer is available in Manager, and notifications can be set fo
<div class="level2">
</div>
<!-- EDIT2 SECTION "Installation" [566-591] -->
<!-- EDIT2 SECTION "Installation" [566-590] -->
<h3 class="sectionedit3" id="activation">Activation</h3>
<div class="level3">
<p>
You just have to activate Notifications in the Manager (General Parameters &gt; Advanced Parameters &gt; Notifications &gt; Activation) or in <code>lemonldap-ng.ini</code> [portal] section:
You just have to activate Notifications in the Manager (General Parameters &gt; Advanced Parameters &gt; Notifications &gt; Activation)
</p>
<p>
or in <code>lemonldap-ng.ini</code> [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">notification</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
</div>
<!-- EDIT3 SECTION "Activation" [592-831] -->
<h3 class="sectionedit4" id="storage">Storage</h3>
<!-- EDIT3 SECTION "Activation" [591-831] -->
<h3 class="sectionedit4" id="explorer">Explorer</h3>
<div class="level3">
<p>
Notifications explorer allows users to see and display theirs accepted notifications. Disable by default, you just have to activate it in the Manager (General Parameters &gt; Advanced Parameters &gt; Notifications &gt; Explorer)
</p>
<p>
or in <code>lemonldap-ng.ini</code> [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">notificationsExplorer</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
<p>
By default, just the three last notifications are displayed. You can modify this by editing <code>lemonldap-ng.ini</code> [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">notificationsMaxRetrieve</span> <span class="sy0">=</span><span class="re2"> 3</span></pre>
</div>
<h4 id="usage">Usage</h4>
<div class="level4">
<p>
When enabled, <code>/mynotifications</code> <abbr title="Uniform Resource Locator">URL</abbr> path is handled by this plugin.
</p>
</div>
<h4 id="known_issue">Known issue</h4>
<div class="level4">
<p>
An XML document can contain several notifications messages. Just the first one can be searched and displayed!
</p>
<div class="noteimportant">Listed notifications are extracted from users persistent session (notification reference and accepted date).
ONLY the notifications explorer can found in notifications backend are available to be displayed.
Notifications content (title, subtitle and so on...) is not stored into persistent session.
</div>
</div>
<!-- EDIT4 SECTION "Explorer" [832-1902] -->
<h3 class="sectionedit5" id="storage">Storage</h3>
<div class="level3">
<p>
@ -212,10 +265,20 @@ To summary available options:
<li class="level1"><div class="li"> <strong>ldapConfBase</strong>: Notifications branch <abbr title="Distinguished Name">DN</abbr>.</div>
</li>
</ul>
<div class="noteclassic"><abbr title="Database Interface">DBI</abbr> configuration example:
<pre class="code">notificationStorage = DBI
notificationStorageOptions={ \
&#039;dbiChain&#039; =&gt; &#039;DBI:Pg:dbname=llng;host=mabdd;port=5432&#039;, \
&#039;dbiTable&#039; =&gt; &#039;notifications&#039;, \
&#039;dbiUser&#039; =&gt; &#039;user&#039;, \
&#039;dbiPassword&#039; =&gt; &#039;qwerty&#039;, \
&#039;type&#039; =&gt; &#039;CDBI&#039;, \
}</pre>
</div>
<!-- EDIT4 SECTION "Storage" [832-3326] -->
<h3 class="sectionedit5" id="wildcard">Wildcard</h3>
</div>
<!-- EDIT5 SECTION "Storage" [1903-4715] -->
<h3 class="sectionedit6" id="wildcard">Wildcard</h3>
<div class="level3">
<p>
@ -231,14 +294,14 @@ Then creating a notification for <code>alluserscustom</code> will display the no
</p>
</div>
<!-- EDIT5 SECTION "Wildcard" [3327-3797] -->
<h2 class="sectionedit6" id="using_notification_system">Using notification system</h2>
<!-- EDIT6 SECTION "Wildcard" [4716-5186] -->
<h2 class="sectionedit7" id="using_notification_system">Using notification system</h2>
<div class="level2">
<div class="noteimportant">Since version 2.0, notifications are now stored in JSON format. If you want to keep old format, select &quot;use old format&quot; in the Manager. Note that notification server depends on chosen format: REST for JSON and SOAP for XML.
</div>
</div>
<!-- EDIT6 SECTION "Using notification system" [3798-4084] -->
<h3 class="sectionedit7" id="notification_format">Notification format</h3>
<!-- EDIT7 SECTION "Using notification system" [5187-5473] -->
<h3 class="sectionedit8" id="notification_format">Notification format</h3>
<div class="level3">
<p>
@ -251,7 +314,7 @@ Notifications are JSON (default) or XML files containing:
<ul>
<li class="level3"><div class="li"> date: creation date (format YYYY-MM-DD WITHOUT time!)</div>
</li>
<li class="level3"><div class="li"> ref: a reference that can be used later to know what has been notified and when</div>
<li class="level3"><div class="li"> ref: a reference that can be used later to know what has been notified and when (Avoid <code>_</code> character)</div>
</li>
<li class="level3"><div class="li"> uid: the user login (it must correspond to the attribute set in whatToTrace parameter, uid by default), or the wildcard string (by default: <code>allusers</code>) if the notification should be displayed for every user.</div>
</li>
@ -342,8 +405,8 @@ Several notifications can be inserted with a single request by using an array of
<span class="sc3"><span class="re1">&lt;/root<span class="re2">&gt;</span></span></span></pre>
</div>
<!-- EDIT7 SECTION "Notification format" [4085-6991] -->
<h3 class="sectionedit8" id="create_new_notifications_with_notifications_explorer">Create new notifications with notifications explorer</h3>
<!-- EDIT8 SECTION "Notification format" [5474-8404] -->
<h3 class="sectionedit9" id="create_new_notifications_with_notifications_explorer">Create new notifications with notifications explorer</h3>
<div class="level3">
<p>
@ -363,8 +426,8 @@ When all is ok, click on <code>Save</code>.
</p>
</div>
<!-- EDIT8 SECTION "Create new notifications with notifications explorer" [6992-7310] -->
<h3 class="sectionedit9" id="notification_server">Notification server</h3>
<!-- EDIT9 SECTION "Create new notifications with notifications explorer" [8405-8723] -->
<h3 class="sectionedit10" id="notification_server">Notification server</h3>
<div class="level3">
<p>
@ -537,8 +600,8 @@ curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: appli
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/&lt;uid&gt;/&lt;reference&gt;</pre>
</div>
<!-- EDIT9 SECTION "Notification server" [7311-11444] -->
<h3 class="sectionedit10" id="test_notification">Test notification</h3>
<!-- EDIT10 SECTION "Notification server" [8724-12857] -->
<h3 class="sectionedit11" id="test_notification">Test notification</h3>
<div class="level3">
<p>
@ -554,6 +617,6 @@ Try also to create a global notification (to the uid &quot;allusers&quot;), and
</p>
</div>
<!-- EDIT10 SECTION "Test notification" [11445-] --></div>
<!-- EDIT11 SECTION "Test notification" [12858-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:oauth2handler</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,oauth2handler"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="oauth2handler.html"/>
@ -43,6 +43,19 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level1"><div class="li"><a href="#reference">Reference</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="oauth2_handler">OAuth2 Handler</h1>
<div class="level1">
@ -92,6 +105,15 @@ Define access rules and headers. Then in <code>Options</code> &gt; <code>Type</c
</p>
</div>
<!-- EDIT3 SECTION "Configuration" [1105-] --></div>
<!-- EDIT3 SECTION "Configuration" [1105-1298] -->
<h2 class="sectionedit4" id="reference">Reference</h2>
<div class="level2">
<p>
<a href="https://tools.ietf.org/html/rfc6750" class="urlextern" title="https://tools.ietf.org/html/rfc6750" rel="nofollow">RFC6750</a>
</p>
</div>
<!-- EDIT4 SECTION "Reference" [1299-] --></div>
</body>
</html>


@ -49,86 +49,86 @@
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0"> Claim name </th><th class="col1"> Type </th><th class="col2"> Example of corresponding LDAP attribute </th>
<th class="col0"> Claim name </th><th class="col1"> Associated scope </th><th class="col2"> Type </th><th class="col3"> Example of corresponding LDAP attribute </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> sub </td><td class="col1"> string </td><td class="col2"> uid </td>
<td class="col0"> sub </td><td class="col1"> openid </td><td class="col2"> string </td><td class="col3"> uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> name </td><td class="col1"> string </td><td class="col2"> cn </td>
<td class="col0"> name </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> cn </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> given_name </td><td class="col1"> string </td><td class="col2"> givenName </td>
<td class="col0"> given_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> givenName </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> family_name </td><td class="col1"> string </td><td class="col2"> sn </td>
<td class="col0"> family_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> sn </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> middle_name </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> middle_name </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> nickname </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> nickname </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> preferred_username </td><td class="col1"> string </td><td class="col2"> displayName </td>
<td class="col0"> preferred_username </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> displayName </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> profile </td><td class="col1"> string </td><td class="col2"> labeledURI </td>
<td class="col0"> profile </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> labeledURI </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> picture </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> picture </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> website </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> website </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> email </td><td class="col1"> string </td><td class="col2"> mail </td>
<td class="col0"> email </td><td class="col1"> email </td><td class="col2">string </td><td class="col3"> mail </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> email_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
<td class="col0"> email_verified </td><td class="col1"> email </td><td class="col2">boolean </td><td class="col3"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> gender </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> gender </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> birthdate </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> birthdate </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> zoneinfo </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> zoneinfo </td><td class="col1"> profile </td><td class="col2"> string </td><td class="col3"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> locale </td><td class="col1"> string </td><td class="col2"> preferredLanguage </td>
<td class="col0"> locale </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> preferredLanguage </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> phone_number </td><td class="col1"> string </td><td class="col2"> telephoneNumber </td>
<td class="col0"> phone_number </td><td class="col1"> phone </td><td class="col2">string </td><td class="col3"> telephoneNumber </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> phone_number_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
<td class="col0"> phone_number_verified </td><td class="col1"> phone </td><td class="col2">boolean </td><td class="col3"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> updated_at </td><td class="col1"> string </td><td class="col2"> </td>
<td class="col0"> updated_at </td><td class="col1"> profile </td><td class="col2">string </td><td class="col3"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> formatted </td><td class="col1"> string </td><td class="col2"> registeredAddress </td>
<td class="col0"> formatted </td><td class="col1"> address </td><td class="col2">string </td><td class="col3"> registeredAddress </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> street_address </td><td class="col1"> string </td><td class="col2"> street </td>
<td class="col0"> street_address </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> street </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> locality </td><td class="col1"> string </td><td class="col2"> l </td>
<td class="col0"> locality </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> l </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> region </td><td class="col1"> string </td><td class="col2"> st </td>
<td class="col0"> region </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> st </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> postal_code </td><td class="col1"> string </td><td class="col2"> postalCode </td>
<td class="col0"> postal_code </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> postalCode </td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> country </td><td class="col1"> string </td><td class="col2"> co </td>
<td class="col0"> country </td><td class="col1"> address </td><td class="col2"> string </td><td class="col3"> co </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [38-861] -->
<!-- EDIT2 TABLE [38-1104] -->
</div>
</div>
</body>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:openidconnectservice</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,openidconnectservice"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="openidconnectservice.html"/>



@ -82,6 +82,7 @@
<li class="level1"><div class="li"><a href="#manager_performances">Manager performances</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#disable_unused_modules">Disable unused modules</a></div></li>
<li class="level2"><div class="li"><a href="#enable_compactconf_parameter">Enable compactConf parameter</a></div></li>
<li class="level2"><div class="li"><a href="#use_static_html_files">Use static HTML files</a></div></li>
</ul></li>
</ul>
@ -196,8 +197,11 @@ Macros and groups are calculated during authentication process by the portal:
</li>
<li class="level1"><div class="li"> macros can also be used to import environment variables <em>(these variables are in CGI format)</em>. Example: <code>$ENV{HTTP_COOKIE}</code></div>
</li>
<li class="level1"><div class="li"> groups are stored as space-separated strings in the special attribute &quot;groups&quot;: it contains the names of groups whose rules were returned true for the current user</div>
<li class="level1"><div class="li"> groups are stored as a string with values separated by <code>; </code> (default values separator) in the special attribute <code>groups</code>: it contains the names of groups whose rules were returned true for the current user. For example:</div>
</li>
</ul>
<pre class="code perl"><span class="re0">$groups</span> <span class="sy0">=</span> group3<span class="sy0">;</span> admin</pre>
<ul>
<li class="level1"><div class="li"> You can also get groups in <code>$hGroups</code> which is a Hash Reference of this form:</div>
</li>
</ul>
@ -231,21 +235,26 @@ displayName <span class="sy0">-&gt;</span> <span class="re0">$givenName</span><s
Display<span class="sy0">-</span>Name <span class="sy0">-&gt;</span> <span class="re0">$displayName</span></pre>
<p>
Example for groups:
Defining a group for admins
</p>
<pre class="code perl"><span class="co1"># group</span>
admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'foo'</span> <span class="kw1">or</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'bar'</span>
&nbsp;
<span class="co1"># Use a group in a rule</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <span class="re0">$groups</span> <span class="sy0">=~</span> <span class="co2">/\badmin\b/</span>
admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'foo'</span> <span class="kw1">or</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st_h">'bar'</span></pre>
<p>
Using groups in a rule
</p>
<pre class="code perl"><span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <span class="re0">$groups</span> <span class="sy0">=~</span> <span class="co2">/\badmin\b/</span>
&nbsp;
<span class="co1"># Or with hGroups</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/defined.html"><span class="kw3">defined</span></a> <span class="re0">$hGroups</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span><span class="st_h">'admin'</span><span class="br0">&#125;</span></pre>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/defined.html"><span class="kw3">defined</span></a> <span class="re0">$hGroups</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span><span class="st_h">'admin'</span><span class="br0">&#125;</span>
&nbsp;
<span class="co1"># Since 2.0.8</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <span class="me1">inGroup</span><span class="br0">&#40;</span><span class="st_h">'admin'</span><span class="br0">&#41;</span></pre>
<div class="noteclassic">Groups are computed after macros, so a group rule may involve a macro value.
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro &quot;macro1&quot; will be computed before macro &quot;macro2&quot;: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div>
</div>
<!-- EDIT8 SECTION "Macros and groups" [2450-4544] -->
<!-- EDIT8 SECTION "Macros and groups" [2450-4718] -->
<h3 class="sectionedit9" id="local_macros">Local macros</h3>
<div class="level3">
@ -259,12 +268,12 @@ Display<span class="sy0">-</span>Name <span class="sy0">-&gt;</span> <span class
<div class="notetip">Note that this feature is interesting only for the Lemonldap::NG systems protecting a high number of applications
</div>
</div>
<!-- EDIT9 SECTION "Local macros" [4545-5206] -->
<!-- EDIT9 SECTION "Local macros" [4719-5380] -->
<h2 class="sectionedit10" id="portal_performances">Portal performances</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "Portal performances" [5207-5239] -->
<!-- EDIT10 SECTION "Portal performances" [5381-5413] -->
<h3 class="sectionedit11" id="general_performances">General performances</h3>
<div class="level3">
@ -287,7 +296,7 @@ By default it uses local storage to store its tokens. If you have more than 1 po
</div>
</div>
<!-- EDIT11 SECTION "General performances" [5240-6117] -->
<!-- EDIT11 SECTION "General performances" [5414-6291] -->
<h3 class="sectionedit12" id="apachesession_performances">Apache::Session performances</h3>
<div class="level3">
@ -399,7 +408,7 @@ This test isn&#039;t an &quot;only-backend&quot; test but embedded some LLNG met
<td class="col0 centeralign" colspan="8"> <em>The source of this test is available in sources: e2e-tests/sbperf.pl</em> </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [9018-10921] --><ul>
<!-- EDIT13 TABLE [9192-11095] --><ul>
<li class="level1"><div class="li"> <em><strong>(1) :</strong> &quot;purge&quot; test is done with Apache::Session::Browseable-1.2.5 and LLG-2.0. Earlier results are not so good.</em></div>
</li>
<li class="level1"><div class="li"> <em><strong>(2) :</strong> &quot;purge&quot; test is done with Apache::Session::Browseable-1.2.6 and LLG-2.0.</em></div>
@ -423,7 +432,7 @@ Analysis:
</ul>
</div>
<!-- EDIT12 SECTION "Apache::Session performances" [6118-11699] -->
<!-- EDIT12 SECTION "Apache::Session performances" [6292-11873] -->
<h3 class="sectionedit14" id="ldap_performances">LDAP performances</h3>
<div class="level3">
@ -439,28 +448,36 @@ LDAP server can slow you down when you use LDAP groups retrieval. You can avoid
So instead of using LDAP groups retrieval, you just have to store &quot;memberOf&quot; field in your exported variables. With OpenLDAP, you can use the <a href="http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance" class="urlextern" title="http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance" rel="nofollow">memberof overlay</a> to do it automatically.
</p>
<div class="noteimportant">Don&#039;t forget to create an index on the field used to find users (uid by default)
</div><div class="notetip">To avoid having group dn stored in sessions datas, you can use a macro to rewrite memberOf:<ul>
<li class="level1"><div class="li"> Exported variables</div>
</li>
</ul>
<pre class="code">ldapgroups -&gt; memberOf</pre>
<p>
For now, ldapgroups contains &quot;cn=admin,dmdName=groups,dc=example,dc=com cn=su,dmdName=groups,dc=example,dc=com&quot;
</p>
</div><div class="notetip">To avoid storing the full group DNs in session data, you can use a macro to rewrite <code>memberOf</code>:
<ul>
<li class="level1"><div class="li"> A little macro:</div>
<li class="level1"><div class="li"> In *Exported variables*, export the <code>memberof</code> LDAP attribute as a <code>ldapGroups</code> session variable</div>
<ul>
<li class="level2"><div class="li"> key: <code>memberof</code></div>
</li>
<li class="level2"><div class="li"> value: <code>ldapGroups</code></div>
</li>
</ul>
<pre class="code perl">ldapgroups <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/join.html"><span class="kw3">join</span></a><span class="br0">&#40;</span><span class="st0">&quot; &quot;</span><span class="sy0">,</span><span class="br0">&#40;</span><span class="re0">$ldapgroups</span> <span class="sy0">=~</span> <span class="co2">/cn=(.*?),/g</span><span class="br0">&#41;</span><span class="br0">&#41;</span></pre>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> Next, add a <code>ldapGroups</code> macro that will overwrite the exported attribute</div>
<ul>
<li class="level2"><div class="li"> key: <code>ldapGroups</code></div>
</li>
<li class="level2"><div class="li"> value: </div>
</li>
</ul>
</li>
</ul>
<pre class="code ="perl""><a href="http://perldoc.perl.org/functions/join.html"><span class="kw3">join</span></a><span class="br0">&#40;</span><span class="st0">&quot;; &quot;</span><span class="sy0">,</span><span class="br0">&#40;</span><span class="re0">$ldapGroups</span> <span class="sy0">=~</span> <span class="co2">/cn=(.*?),/g</span><span class="br0">&#41;</span><span class="br0">&#41;</span></pre>
<p>
Now ldapgroups contains &quot;admin su&quot;
<code>ldapGroups</code> should now contain something like <code>admin; su</code> just like it would if you had used the regular, slower group resolution mechanism.
</p>
</div>
</div>
<!-- EDIT14 SECTION "LDAP performances" [11700-12834] -->
<!-- EDIT14 SECTION "LDAP performances" [11874-13201] -->
<h3 class="sectionedit15" id="nginx_performances">NGINX performances</h3>
<div class="level3">
@ -496,12 +513,12 @@ Restart NGINX and watch web-browser console.
</p>
</div>
<!-- EDIT15 SECTION "NGINX performances" [12835-13757] -->
<!-- EDIT15 SECTION "NGINX performances" [13202-14124] -->
<h2 class="sectionedit16" id="manager_performances">Manager performances</h2>
<div class="level2">
</div>
<!-- EDIT16 SECTION "Manager performances" [13758-13791] -->
<!-- EDIT16 SECTION "Manager performances" [14125-14158] -->
<h3 class="sectionedit17" id="disable_unused_modules">Disable unused modules</h3>
<div class="level3">
@ -512,8 +529,22 @@ In lemonldap-ng.ini, set only modules that you will use. By default, configurati
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions</span></pre>
</div>
<!-- EDIT17 SECTION "Disable unused modules" [13792-14053] -->
<h3 class="sectionedit18" id="use_static_html_files">Use static HTML files</h3>
<!-- EDIT17 SECTION "Disable unused modules" [14159-14420] -->
<h3 class="sectionedit18" id="enable_compactconf_parameter">Enable compactConf parameter</h3>
<div class="level3">
<p>
By enabling compactConf option, all unused configuration parameters are removed. Could be usefull to shrink lemonldap-ng configuration file and save space.
</p>
<p>
Go in Manager, <code>General Parameters</code> » <code>Configuration reload</code> » <code>Compact configuration file
</code> and set to <code>On</code>.
</p>
</div>
<!-- EDIT18 SECTION "Enable compactConf parameter" [14421-14737] -->
<h3 class="sectionedit19" id="use_static_html_files">Use static HTML files</h3>
<div class="level3">
<p>
@ -539,6 +570,6 @@ So manager <abbr title="HyperText Markup Language">HTML</abbr> templates will be
</p>
</div>
<!-- EDIT18 SECTION "Use static HTML files" [14054-] --></div>
<!-- EDIT19 SECTION "Use static HTML files" [14738-] --></div>
</body>
</html>


@ -43,6 +43,19 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#functioning">Functioning</a></div></li>
<li class="level1"><div class="li"><a href="#kinematics">Kinematics</a></div></li>
<li class="level1"><div class="li"><a href="#url_parameters">URL parameters</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="the_portal">The portal</h1>
<div class="level1">
@ -99,10 +112,12 @@ The portal is the main component of <abbr title="LemonLDAP::NG">LL::NG</abbr>. I
</li>
<li class="level1"><div class="li"> <strong><a href="notifications.html" class="wikilink1" title="documentation:2.0:notifications">Notifications</a></strong>: prompt users with a message if found in the notification database</div>
</li>
<li class="level1"><div class="li"> Second factors management</div>
</li>
</ul>
</div>
<!-- EDIT1 SECTION "The portal" [1-1816] -->
<!-- EDIT1 SECTION "The portal" [1-1846] -->
<h2 class="sectionedit2" id="functioning">Functioning</h2>
<div class="level2">
@ -122,7 +137,7 @@ The portal is the main component of <abbr title="LemonLDAP::NG">LL::NG</abbr>. I
<div class="notetip">Each module can be disabled using the <code>Null</code> backend.
</div>
</div>
<!-- EDIT2 SECTION "Functioning" [1817-2363] -->
<!-- EDIT2 SECTION "Functioning" [1847-2393] -->
<h2 class="sectionedit3" id="kinematics">Kinematics</h2>
<div class="level2">
<ol>
@ -146,6 +161,25 @@ The portal is the main component of <abbr title="LemonLDAP::NG">LL::NG</abbr>. I
<div class="noteclassic">See also <a href="documentation/presentation.html#kinematics" class="wikilink1" title="documentation:presentation">general kinematics presentation</a>.
</div>
</div>
<!-- EDIT3 SECTION "Kinematics" [2364-] --></div>
<!-- EDIT3 SECTION "Kinematics" [2394-3058] -->
<h2 class="sectionedit4" id="url_parameters">URL parameters</h2>
<div class="level2">
<p>
Some parameters in <abbr title="Uniform Resource Locator">URL</abbr> can change the behavior of the portal:
</p>
<ul>
<li class="level1"><div class="li"> <strong>logout</strong>: Launch the logout process (for example: <code>logout=1</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>tab</strong>: Preselect a tab (Choice or Menu) (for example: <code>tab=password</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>llnglanguage</strong>: Force lang used to display the page (for example: <code>llnglanguage=fr</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>setCookieLang</strong>: Update lang cookie to persist the language set with <code>llnglanguage</code> parameter (for example: <code>setCookieLang=1</code>)</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "URL parameters" [3059-] --></div>
</body>
</html>


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:portalcustom</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,portalcustom"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="portalcustom.html"/>
@ -51,6 +51,7 @@
<ul class="toc">
<li class="level2"><div class="li"><a href="#main_logo">Main Logo</a></div></li>
<li class="level2"><div class="li"><a href="#show_languages_choice">Show languages choice</a></div></li>
<li class="level2"><div class="li"><a href="#custom_css_file">Custom CSS file</a></div></li>
<li class="level1"><div class="li"><a href="#skin">Skin</a></div></li>
<li class="level2"><div class="li"><a href="#default_skin">Default skin</a></div></li>
<li class="level2"><div class="li"><a href="#skin_background">Skin background</a></div></li>
@ -111,8 +112,28 @@ Option enabled by default.
<div class="notetip">If languages choice is disabled, Portal displays accepted languages by your browser (EN by default).
</div>
</div>
<!-- EDIT3 SECTION "Show languages choice" [529-829] -->
<h2 class="sectionedit4" id="skin">Skin</h2>
<!-- EDIT3 SECTION "Show languages choice" [529-828] -->
<h3 class="sectionedit4" id="custom_css_file">Custom CSS file</h3>
<div class="level3">
<p>
You can define a custom <abbr title="Cascading Style Sheets">CSS</abbr> file, for example <code>custom.css</code>, which will be loaded after default <abbr title="Cascading Style Sheets">CSS</abbr> files. This file needs to be created in the static repository (<code>/usr/share/lemonldap-ng/portal/htdocs/static/boostrap/css</code>).
</p>
<p>
Then set this value in Custom <abbr title="Cascading Style Sheets">CSS</abbr> parameter : <code>bootstrap/css/custom.css</code>.
</p>
<p>
Sample <abbr title="Cascading Style Sheets">CSS</abbr> file, to remove white background of main logo:
</p>
<pre class="code file css"><span class="re0">#header</span> img <span class="br0">&#123;</span>
<span class="kw1">background-color</span><span class="sy0">:</span> <span class="kw2">transparent</span><span class="sy0">;</span>
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT4 SECTION "Custom CSS file" [829-1288] -->
<h2 class="sectionedit5" id="skin">Skin</h2>
<div class="level2">
<p>
@ -124,8 +145,8 @@ But you can make your own. See Skin customization below.
</p>
</div>
<!-- EDIT4 SECTION "Skin" [830-952] -->
<h3 class="sectionedit5" id="default_skin">Default skin</h3>
<!-- EDIT5 SECTION "Skin" [1289-1411] -->
<h3 class="sectionedit6" id="default_skin">Default skin</h3>
<div class="level3">
<p>
@ -137,8 +158,8 @@ Select the <code>Custom</code> skin, then set the name of the skin you want to u
</p>
</div>
<!-- EDIT5 SECTION "Default skin" [953-1192] -->
<h3 class="sectionedit6" id="skin_background">Skin background</h3>
<!-- EDIT6 SECTION "Default skin" [1412-1651] -->
<h3 class="sectionedit7" id="skin_background">Skin background</h3>
<div class="level3">
<p>
@ -161,8 +182,8 @@ You can also use <code>lemonldap-ng-cli</code>:
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set portalSkinBackground file.png</pre>
</div>
<!-- EDIT6 SECTION "Skin background" [1193-1862] -->
<h3 class="sectionedit7" id="skin_rules">Skin rules</h3>
<!-- EDIT7 SECTION "Skin background" [1652-2321] -->
<h3 class="sectionedit8" id="skin_rules">Skin rules</h3>
<div class="level3">
<p>
@ -180,8 +201,8 @@ To achieve this, you can create a rule in the Manager: select <code>General Para
</ul>
</div>
<!-- EDIT7 SECTION "Skin rules" [1863-2505] -->
<h3 class="sectionedit8" id="skin_files">Skin files</h3>
<!-- EDIT8 SECTION "Skin rules" [2322-2964] -->
<h3 class="sectionedit9" id="skin_files">Skin files</h3>
<div class="level3">
<p>
@ -203,8 +224,8 @@ A skin will often refer to the <code>common</code> skin, which is not a real ski
</p>
</div>
<!-- EDIT8 SECTION "Skin files" [2506-2840] -->
<h3 class="sectionedit9" id="skin_customization">Skin customization</h3>
<!-- EDIT9 SECTION "Skin files" [2965-3299] -->
<h3 class="sectionedit10" id="skin_customization">Skin customization</h3>
<div class="level3">
<div class="noteimportant">If you modify directly the skin files, your modifications will certainly be erased on the next upgrade. The best is to create your own skin, based on an existing skin.
</div>
@ -276,8 +297,8 @@ To configure your new skin in Manager, select the custom skin, and enter your sk
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portalSkin &#039;myskin&#039; portalSkinBackground &#039;&#039;</pre>
</div>
<!-- EDIT9 SECTION "Skin customization" [2841-4810] -->
<h3 class="sectionedit10" id="messages">Messages</h3>
<!-- EDIT10 SECTION "Skin customization" [3300-5269] -->
<h3 class="sectionedit11" id="messages">Messages</h3>
<div class="level3">
<p>
@ -327,8 +348,8 @@ You can also create a file called <code>all.json</code> to override messages in
</p>
</div>
<!-- EDIT10 SECTION "Messages" [4811-5947] -->
<h3 class="sectionedit11" id="menu_tabs">Menu tabs</h3>
<!-- EDIT11 SECTION "Messages" [5270-6406] -->
<h3 class="sectionedit12" id="menu_tabs">Menu tabs</h3>
<div class="level3">
<p>
@ -343,8 +364,8 @@ This will allow one to display the tab directly with this <abbr title="Uniform R
</p>
</div>
<!-- EDIT11 SECTION "Menu tabs" [5948-6254] -->
<h3 class="sectionedit12" id="template_parameters">Template parameters</h3>
<!-- EDIT12 SECTION "Menu tabs" [6407-6713] -->
<h3 class="sectionedit13" id="template_parameters">Template parameters</h3>
<div class="level3">
<p>
@ -371,8 +392,8 @@ You can also display environment variables, with the prefix <code>env_</code>:
<pre class="code file html4strict">Your IP is <span class="sc2">&lt;TMPL_VAR <span class="kw3">NAME</span><span class="sy0">=</span><span class="st0">&quot;env_REMOTE_ADDR&quot;</span>&gt;</span></pre>
</div>
<!-- EDIT12 SECTION "Template parameters" [6255-6902] -->
<h2 class="sectionedit13" id="buttons">Buttons</h2>
<!-- EDIT13 SECTION "Template parameters" [6714-7361] -->
<h2 class="sectionedit14" id="buttons">Buttons</h2>
<div class="level2">
<p>
@ -388,13 +409,13 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT13 SECTION "Buttons" [6903-7419] -->
<h2 class="sectionedit14" id="password_management">Password management</h2>
<!-- EDIT14 SECTION "Buttons" [7362-7878] -->
<h2 class="sectionedit15" id="password_management">Password management</h2>
<div class="level2">
</div>
<!-- EDIT14 SECTION "Password management" [7420-7452] -->
<h3 class="sectionedit15" id="general">General</h3>
<!-- EDIT15 SECTION "Password management" [7879-7911] -->
<h3 class="sectionedit16" id="general">General</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Require old password</strong>: used only in the password changing module of the menu, will check the old password before updating it</div>
@ -406,8 +427,8 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT15 SECTION "General" [7453-7888] -->
<h3 class="sectionedit16" id="password_policy">Password Policy</h3>
<!-- EDIT16 SECTION "General" [7912-8347] -->
<h3 class="sectionedit17" id="password_policy">Password Policy</h3>
<div class="level3">
<div class="notetip">Available since version 2.0.6
</div><ul>
@ -419,13 +440,17 @@ This node allows one to enable/disable buttons on the login page:
</li>
<li class="level1"><div class="li"> <strong>Minimal digit characters</strong>: leave 0 to bypass the check</div>
</li>
<li class="level1"><div class="li"> <strong>Minimal special characters</strong>: leave 0 to bypass the check</div>
</li>
<li class="level1"><div class="li"> <strong>Allowed special characters</strong>: set blanck to forbid special characters (<code>_</code> is not a special character)</div>
</li>
<li class="level1"><div class="li"> <strong>Display policy in password form</strong>: enable this to display an information message about password policy constraints</div>
</li>
</ul>
</div>
<!-- EDIT16 SECTION "Password Policy" [7889-8321] -->
<h2 class="sectionedit17" id="other_parameters">Other parameters</h2>
<!-- EDIT17 SECTION "Password Policy" [8348-8955] -->
<h2 class="sectionedit18" id="other_parameters">Other parameters</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>User attribute</strong>: which session attribute will be used to display <code>Connected as</code> in the menu</div>
@ -443,6 +468,6 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT17 SECTION "Other parameters" [8322-] --></div>
<!-- EDIT18 SECTION "Other parameters" [8956-] --></div>
</body>
</html>


@ -99,21 +99,23 @@ Application parameters:
<ul>
<li class="level1"><div class="li"> <strong>Name</strong>: display text</div>
</li>
<li class="level1"><div class="li"> <strong>Address</strong>: <abbr title="Uniform Resource Locator">URL</abbr> of application</div>
</li>
<li class="level1"><div class="li"> <strong>Description</strong></div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Uniform Resource Identifier">URI</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> of the application</div>
</li>
<li class="level1"><div class="li"> <strong>Tooltip</strong>: information display on mouse over the button</div>
</li>
<li class="level1"><div class="li"> <strong>Logo</strong>: file name to use as logo</div>
</li>
<li class="level1"><div class="li"> <strong>Display</strong>:</div>
<li class="level1"><div class="li"> <strong>Display application</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>auto</strong>: display only if the user can access it</div>
<li class="level2"><div class="li"> <strong>Enabled</strong>: always display</div>
</li>
<li class="level2"><div class="li"> <strong>on</strong>: always display</div>
<li class="level2"><div class="li"> <strong>Disabled</strong>: never display</div>
</li>
<li class="level2"><div class="li"> <strong>off</strong>: never display</div>
<li class="level2"><div class="li"> <strong>Automatic</strong>: display only if the user can access it</div>
</li>
<li class="level2"><div class="li"> <strong>rule</strong>: specify a <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rule</a> or &quot;sp: &lt;name&gt;&quot; where &quot;name&quot; is the key name of the service provider, the corresponding rule will be applied <em>(available for <abbr title="Central Authentication Service">CAS</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect)</em></div>
<li class="level2"><div class="li"> <strong>Special rule</strong>: specify a <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rule</a> or &quot;sp: &lt;name&gt;&quot; where &quot;name&quot; is the key name of the service provider, the corresponding rule will be applied <em>(available for <abbr title="Central Authentication Service">CAS</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect)</em></div>
</li>
</ul>
</li>


@ -57,7 +57,7 @@
<li class="level2"><div class="li"><a href="#saml2">SAML2</a></div></li>
<li class="level2"><div class="li"><a href="#second_factor">Second factor</a></div></li>
<li class="level2"><div class="li"><a href="#specific_authentication_backends">Specific authentication backends</a></div></li>
<li class="level2"><div class="li"><a href="#smtpreset_password_by_mail">SMTP / Reset password by mail</a></div></li>
<li class="level2"><div class="li"><a href="#smtp_reset_passwordcertificate_by_mail">SMTP &amp; Reset password/certificate by mail</a></div></li>
<li class="level2"><div class="li"><a href="#unit_tests">Unit tests</a></div></li>
</ul>
</li>
@ -177,7 +177,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</li>
<li class="level1"><div class="li"> String::Random</div>
</li>
<li class="level1"><div class="li"> Text::Unidecode <em>(versions ≥ 2.0.5)</em></div>
<li class="level1"><div class="li"> Text::Unidecode <em>(Since LemonLDAP::NG 2.0.5)</em></div>
</li>
<li class="level1"><div class="li"> Unicode::String</div>
</li>
@ -188,7 +188,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT4 SECTION "Core" [795-1504] -->
<!-- EDIT4 SECTION "Core" [795-1511] -->
<h3 class="sectionedit5" id="deprecated_features">Deprecated features</h3>
<div class="level3">
<ul>
@ -211,7 +211,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT5 SECTION "Deprecated features" [1505-1673] -->
<!-- EDIT5 SECTION "Deprecated features" [1512-1680] -->
<h3 class="sectionedit6" id="saml2">SAML2</h3>
<div class="level3">
<ul>
@ -224,7 +224,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT6 SECTION "SAML2" [1674-1759] -->
<!-- EDIT6 SECTION "SAML2" [1681-1766] -->
<h3 class="sectionedit7" id="second_factor">Second factor</h3>
<div class="level3">
<ul>
@ -235,7 +235,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT7 SECTION "Second factor" [1760-1853] -->
<!-- EDIT7 SECTION "Second factor" [1767-1860] -->
<h3 class="sectionedit8" id="specific_authentication_backends">Specific authentication backends</h3>
<div class="level3">
<ul>
@ -278,8 +278,8 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT8 SECTION "Specific authentication backends" [1854-2082] -->
<h3 class="sectionedit9" id="smtpreset_password_by_mail">SMTP / Reset password by mail</h3>
<!-- EDIT8 SECTION "Specific authentication backends" [1861-2089] -->
<h3 class="sectionedit9" id="smtp_reset_passwordcertificate_by_mail">SMTP &amp; Reset password/certificate by mail</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> Email::Sender</div>
@ -288,27 +288,35 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</li>
<li class="level1"><div class="li"> Net::SMTP</div>
</li>
<li class="level1"><div class="li"> Net::SSLeay</div>
</li>
<li class="level1"><div class="li"> DateTime::Format::RFC3339</div>
</li>
</ul>
</div>
<!-- EDIT9 SECTION "SMTP / Reset password by mail" [2083-2175] -->
<!-- EDIT9 SECTION "SMTP & Reset password/certificate by mail" [2090-2240] -->
<h3 class="sectionedit10" id="unit_tests">Unit tests</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> Test::POD</div>
</li>
<li class="level1"><div class="li"> Test::MockObject</div>
<li class="level1"><div class="li"> Authen::U2F::Tester</div>
</li>
<li class="level1"><div class="li"> Crypt::U2F::Server</div>
</li>
<li class="level1"><div class="li"> Authen::U2F::Tester</div>
<li class="level1"><div class="li"> Test::MockObject</div>
</li>
<li class="level1"><div class="li"> Test::Output</div>
</li>
<li class="level1"><div class="li"> Test::POD</div>
</li>
<li class="level1"><div class="li"> Time::Fake</div>
</li>
<li class="level1"><div class="li"> YAML</div>
</li>
</ul>
</div>
<!-- EDIT10 SECTION "Unit tests" [2176-2289] -->
<!-- EDIT10 SECTION "Unit tests" [2241-2386] -->
<h2 class="sectionedit11" id="other">Other</h2>
<div class="level2">
<ul>
@ -319,13 +327,13 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
</ul>
</div>
<!-- EDIT11 SECTION "Other" [2290-2475] -->
<!-- EDIT11 SECTION "Other" [2387-2572] -->
<h2 class="sectionedit12" id="install_dependencies_on_your_system">Install dependencies on your system</h2>
<div class="level2">
<div class="notewarning">You don&#039;t need to install them if you use <abbr title="LemonLDAP::NG">LL::NG</abbr> packages. With <code>apt</code> or <code>yum</code>, dependencies will be automatically installed.
</div>
</div>
<!-- EDIT12 SECTION "Install dependencies on your system" [2476-2675] -->
<!-- EDIT12 SECTION "Install dependencies on your system" [2573-2772] -->
<h3 class="sectionedit13" id="apt">APT</h3>
<div class="level3">
@ -345,7 +353,7 @@ For Nginx:
<pre class="code">apt install nginx nginx-extras</pre>
</div>
<!-- EDIT13 SECTION "APT" [2676-3523] -->
<!-- EDIT13 SECTION "APT" [2773-3620] -->
<h3 class="sectionedit14" id="yum">YUM</h3>
<div class="level3">
<div class="notetip">You need <a href="http://fedoraproject.org/wiki/EPEL/" class="urlextern" title="http://fedoraproject.org/wiki/EPEL/" rel="nofollow">EPEL</a> repository. See below how to enable this repository: <a href="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse" class="urlextern" title="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse" rel="nofollow">http://fedoraproject.org/wiki/EPEL/FAQ#howtouse</a>
@ -353,7 +361,7 @@ For Nginx:
<p>
Perl dependencies:
</p>
<pre class="code">yum install perl-Apache-Session perl-Cache-Cache perl-Clone perl-Config-IniFiles perl-Convert-PEM perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509 perl-Crypt-Rijndael perl-Digest-HMAC perl-Digest-SHA perl-GD-SecurityImage perl-HTML-Template perl-IO-String perl-JSON perl-LDAP perl-Mouse perl-Plack perl-Regexp-Assemble perl-Regexp-Common perl-SOAP-Lite perl-String-Random perl-Unicode-String perl-version perl-XML-Simple</pre>
<pre class="code">yum install perl-Apache-Session perl-Cache-Cache perl-Clone perl-Config-IniFiles perl-Convert-PEM perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509 perl-Crypt-Rijndael perl-Digest-HMAC perl-Digest-SHA perl-GD-SecurityImage perl-HTML-Template perl-IO-String perl-JSON perl-LDAP perl-Mouse perl-Plack perl-Regexp-Assemble perl-Regexp-Common perl-SOAP-Lite perl-String-Random perl-Unicode-String perl-version perl-XML-Simple perl-Crypt-URandom perl-Email-Sender</pre>
<p>
For Apache:
@ -367,6 +375,6 @@ For Nginx:
<div class="noteimportant">As you need a recent version of Nginx, the best is to install <a href="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages" class="urlextern" title="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages" rel="nofollow">Nginx official packages</a>.
</div>
</div>
<!-- EDIT14 SECTION "YUM" [3524-] --></div>
<!-- EDIT14 SECTION "YUM" [3621-] --></div>
</body>
</html>


@ -120,7 +120,7 @@ error_page 500 http://auth.example.com/?lmError=500;
error_page 503 http://auth.example.com/?lmError=503;</pre>
<p>
It is also possible to redirect the user without using <code>ErrorDocument</code>: the Handler will not returnV 403, 500, 503 code, but code 302 (REDIRECT).
It is also possible to redirect the user without using <code>ErrorDocument</code>: the Handler will not return 403, 500, 503 code, but code 302 (REDIRECT).
</p>
<p>
@ -138,7 +138,7 @@ These parameters can be configured in Manager, in <code>General Parameters</code
</ul>
</div>
<!-- EDIT4 SECTION "Forbidden and Server error" [757-2126] -->
<!-- EDIT4 SECTION "Forbidden and Server error" [757-2125] -->
<h2 class="sectionedit5" id="portal_redirections">Portal Redirections</h2>
<div class="level2">
<div class="noteclassic">If a user is redirected from handler to portal for authentication and once he is authenticated, portal redirects him to the redirection <abbr title="Uniform Resource Locator">URL</abbr>.
@ -152,6 +152,6 @@ These parameters can be configured in Manager, in <code>General Parameters</code
</ul>
</div>
<!-- EDIT5 SECTION "Portal Redirections" [2127-] --></div>
<!-- EDIT5 SECTION "Portal Redirections" [2126-] --></div>
</body>
</html>


@ -0,0 +1,158 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:resetcertificate</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,resetcertificate"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="resetcertificate.html"/>
<link rel="contents" href="resetcertificate.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:resetcertificate","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<p>
<a href="documentation/latest/beta.png_documentation_2.0_resetcertificate.html" class="media" title="documentation:latest:beta.png"><img src="documentation/latest/beta.ea231b49369c9f6406cbdf58d06a616c.png" class="media" alt="" width="100" /></a>
</p>
<h1 class="sectionedit1" id="global_logout_plugin">Global logout plugin</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Global logout plugin" [40-75] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
This plugin allows users to reset their certificate informations.
</p>
<p>
<strong>Kinematics</strong>:
</p>
<ul>
<li class="level1"><div class="li"> User click reset certificate button.</div>
</li>
<li class="level1"><div class="li"> He enters his mail.</div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> looks for the user in users database with given information.</div>
</li>
<li class="level1"><div class="li"> An email with a link is sent if user exists.</div>
</li>
<li class="level1"><div class="li"> User clicks on the link and he is redirected to the portal.</div>
</li>
<li class="level1"><div class="li"> The portal asks him to upload his certificate file (base64, pem only).</div>
</li>
<li class="level1"><div class="li"> A confirmation mail is sent to confirm the certificate has been successfully reset.</div>
</li>
</ul>
<div class="notewarning"> LDAP backend supported only
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [76-660] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<p>
<strong>Requirements</strong>
</p>
<p>
You have to activate the certificate reset link in the login page, go in Manager, <code>General Parameters</code><code>Portal</code><code> Customization</code><code>Buttons on login page</code><code>Reset your Certificate</code>
</p>
<p>
The SMTP server must be setup, see <a href="smtp.html" class="wikilink1" title="documentation:2.0:smtp">SMTP server setup</a>.
</p>
<p>
The register module also must be setup. Go in Manager, <code>General Parameters</code><code>Authentication parameters</code><code>Register Module</code> and choose your module.
</p>
<p>
<strong>Manager Configuration</strong>
</p>
<p>
Go in Manager, <code>General Parameters</code><code>Plugins</code><code>Certificate Reset Management</code>:
</p>
<p>
<strong>Certificate reset mail content </strong>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Certificat reset mail subject </strong>: Subject of mail sent when certificate is reset</div>
</li>
<li class="level4"><div class="li"> <strong>Certificat reset mail content </strong>: (optional): Content of mail sent when certificate is reset</div>
</li>
<li class="level4"><div class="li"> <strong>Confirmation mail subject</strong>: Subject of mail sent when certificate reset is asked</div>
</li>
<li class="level4"><div class="li"> <strong>Confirmation mail content</strong>: (optional) Content of mail sent when certificate is asked </div>
</li>
</ul>
<div class="noteimportant"> By default, mail contents are empty in order to use templates:<ul>
<li class="level1"><div class="li"> portal/skins/common/mail_certificateConfirm.tpl</div>
</li>
<li class="level2"><div class="li"> portal/skins/common/mail_certificateReset.tpl</div>
</li>
</ul>
<p>
If you define custom mail contents in Manager, then templates won&#039;t be used.
</p>
</div>
<p>
<strong>Other</strong>
</p>
<ul>
<li class="level1"><div class="li"> <strong>Reset Page <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> of certificate reset page (default: [PORTAL]/certificateReset)</div>
</li>
<li class="level2"><div class="li"> <strong>Certificate descrition attribute Name</strong>: Attribute where to save certificate description name (Default description) </div>
</li>
<li class="level2"><div class="li"> <strong>Certificate hash attribute Name</strong>: Attribute where to store certificate hash (Default userCertificate;binary) </div>
</li>
<li class="level2"><div class="li"> <strong>Minimun duration before expiration</strong>: number of days of validity before certificate expires. Default 0.</div>
</li>
</ul>
<div class="notewarning"> .p12 certificates only.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [661-] --></div>
</body>
</html>


@ -141,7 +141,10 @@ The JSON response fields are:
</li>
</ul>
<pre class="code">curl -H &quot;Accept: application/json&quot; -d user=rtyler -d password=rtyler http://auth.example.com/ | json_pp</pre>
<ul>
<div class="noteimportant">With <code>cURL &gt; 7.18.0</code>, to include special characters like @, &amp; or + in the cURL POST data:
<pre class="code">curl -H &quot;Accept: application/json&quot; -d name=rtyler --data-urlencode passwd=@31&amp;3+*J http://auth.example.com/ | json_pp</pre>
</div><ul>
<li class="level1"><div class="li"> Response for bad authentication:</div>
</li>
</ul>
@ -160,7 +163,7 @@ The JSON response fields are:
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT3 SECTION "Authentication" [165-1962] -->
<!-- EDIT3 SECTION "Authentication" [165-2213] -->
<h3 class="sectionedit4" id="sessions">Sessions</h3>
<div class="level3">
@ -173,7 +176,7 @@ See <a href="restsessionbackend.html" class="wikilink1" title="documentation:2.0
</p>
</div>
<!-- EDIT4 SECTION "Sessions" [1963-2184] -->
<!-- EDIT4 SECTION "Sessions" [2214-2435] -->
<h3 class="sectionedit5" id="configuration">Configuration</h3>
<div class="level3">
@ -186,6 +189,6 @@ See <a href="restconfbackend.html" class="wikilink1" title="documentation:2.0:re
</p>
</div>
<!-- EDIT5 SECTION "Configuration" [2185-] --></div>
<!-- EDIT5 SECTION "Configuration" [2436-] --></div>
</body>
</html>


@ -0,0 +1,118 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:rules_examples</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,rules_examples"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="rules_examples.html"/>
<link rel="contents" href="rules_examples.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:rules_examples","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="rules_examples">Rules examples</h1>
<div class="level1">
<p>
This page contains a few useful Perl expressions you can use in your <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Handler rules</a>, <abbr title="Security Assertion Markup Language">SAML</abbr>/OIDC/<abbr title="Central Authentication Service">CAS</abbr> security rules, 2FA Activation rules, etc.
</p>
</div>
<!-- EDIT1 SECTION "Rules examples" [1-200] -->
<h2 class="sectionedit2" id="using_session_attributes">Using session attributes</h2>
<div class="level2">
<p>
Session attributes are visible in the Manager&#039;s Session browser, any attribute you see there can be used in a rule!
</p>
<ul>
<li class="level1"><div class="li"> Restricting access to a single user:</div>
</li>
</ul>
<pre class="code">$uid eq &quot;dwho&quot;
$uidNumber == 1000
$cn eq &quot;Doctor Who&quot;
$email eq &quot;dwho@tardis.info&quot;
etc.</pre>
<div class="notetip">In Perl, <code>eq</code> means <em>Equal</em> and must be used on strings. <code>==</code> should be used only on numbers
</div><ul>
<li class="level1"><div class="li"> Restricting access to a group</div>
</li>
</ul>
<pre class="code">defined $hGroups{&#039;administrators&#039;}
# 2.0.8 and higher only
inGroup(&#039;administrators&#039;)</pre>
<ul>
<li class="level1"><div class="li"> Combining multiple expressions </div>
</li>
</ul>
<pre class="code">inGroup(&#039;timelords&#039;) and not $uid eq &#039;missy&#039;</pre>
<ul>
<li class="level1"><div class="li"> Using Perl&#039;s regular expressions</div>
</li>
</ul>
<pre class="code">$cn =~ /^Doctor.*/i
$email !~ /@spam.com$/</pre>
<ul>
<li class="level1"><div class="li"> Filtering on Authentication Level</div>
</li>
</ul>
<pre class="code">$authenticationLevel &gt;= 3</pre>
<ul>
<li class="level1"><div class="li"> Filtering on Authentication method </div>
</li>
</ul>
<pre class="code">$_auth ne &#039;Demo&#039;</pre>
<div class="notetip">In Perl, <code>ne</code> means <em>Not Equal</em> and must be used on strings
</div>
</div>
<!-- EDIT2 SECTION "Using session attributes" [201-1187] -->
<h2 class="sectionedit3" id="using_environment_variables">Using environment variables</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Comparing the <abbr title="Internet Protocol">IP</abbr> address </div>
</li>
</ul>
<pre class="code">$env-&gt;{REMOTE_ADDR} =~ /^10\./</pre>
</div>
<!-- EDIT3 SECTION "Using environment variables" [1188-] --></div>
</body>
</html>
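Review bot: The `useexternallibs` variant of this new page loads jQuery and jQuery UI over plain HTTP (`http://code.jquery.com/jquery-2.2.0.min.js` and `http://code.jquery.com/ui/1.10.4/jquery-ui.min.js`) while the Bootstrap CSS in the same branch already uses HTTPS; an on-path attacker can substitute those scripts, and a page served over HTTPS will block them as mixed content. These lines sit inside `<!-- //if:... -->` template comments, so the exposure presumably only materialises when that build variant is selected, but nothing in the file prevents it. I would change both to `https://code.jquery.com/...` and add `integrity="sha384-…" crossorigin="anonymous"` using the hashes the CDN publishes for those exact versions. Separately, the external Bootstrap line `<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>` closes a `<link>` with a stray `</script>`; it should end with ` />` like the neighbouring `<link>` elements.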


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:secondfactor</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,secondfactor"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="secondfactor.html"/>
@ -81,19 +81,21 @@ Two-Factor Authentication <em>(as known as 2FA)</em> is a kind (subset) of <a hr
Since 2.0, LLNG provides some second factor plugins that can be used to complete authentication module with 2FA :
</p>
<ul>
<li class="level1"><div class="li"> <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F tokens</a></div>
<li class="level1"><div class="li"> <a href="utotp2f.html" class="wikilink1" title="documentation:2.0:utotp2f">U2F-or-TOTP</a> <em>(enable both U2F and TOTP)</em></div>
</li>
<li class="level1"><div class="li"> <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> <em>(to use with <a href="https://freeotp.github.io/" class="urlextern" title="https://freeotp.github.io/" rel="nofollow">FreeOTP</a>, <a href="https://en.wikipedia.org/wiki/Google_Authenticator" class="urlextern" title="https://en.wikipedia.org/wiki/Google_Authenticator" rel="nofollow">Google-Authenticator</a>,…)</em></div>
</li>
<li class="level1"><div class="li"> <a href="utotp2f.html" class="wikilink1" title="documentation:2.0:utotp2f">U2F-or-TOTP</a> <em>(enable both U2F and TOTP)</em></div>
<li class="level1"><div class="li"> <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F tokens</a></div>
</li>
<li class="level1"><div class="li"> <a href="yubikey2f.html" class="wikilink1" title="documentation:2.0:yubikey2f">Yubikey tokens</a> <em> provide by Yubico</em> </div>
</li>
<li class="level1"><div class="li"> <a href="rest2f.html" class="wikilink1" title="documentation:2.0:rest2f">REST</a> <em>(Remote REST app)</em> </div>
<li class="level1"><div class="li"> <a href="mail2f.html" class="wikilink1" title="documentation:2.0:mail2f">E-Mail 2F</a> <em>(Send a code to an email address)</em> </div>
</li>
<li class="level1"><div class="li"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External 2F</a> <em>(to call an external command)</em> </div>
</li>
<li class="level1"><div class="li"> <a href="mail2f.html" class="wikilink1" title="documentation:2.0:mail2f">E-Mail 2F</a> <em>(Send a code to an email address)</em> </div>
<li class="level1"><div class="li"> <a href="rest2f.html" class="wikilink1" title="documentation:2.0:rest2f">REST</a> <em>(Remote REST app)</em></div>
</li>
<li class="level1"><div class="li"> <a href="radius2f.html" class="wikilink1" title="documentation:2.0:radius2f">RADIUS</a> <em>(Remote RADIUS server)</em></div>
</li>
</ul>
@ -102,9 +104,10 @@ The E-Mail, External and REST 2F modules <a href="sfextra.html" class="wikilink1
</p>
<div class="notetip">If you want to force a 2F registration on first login, you can use &#039;Require 2FA&#039;. You can also use a rule to force 2FA registration only for some users.
</div><div class="notetip">You can display a message if an expired second factor has been removed by enabling &#039;Display a message if an expired SF is removed&#039; option or setting a rule.
</div><div class="notetip">Link to second factor Manager is automatically display if at least a SFA module is enabled. You can set a rule to display or not the link.
</div>
</div>
<!-- EDIT1 SECTION "Second Factors" [1-1523] -->
<!-- EDIT1 SECTION "Second Factors" [1-1731] -->
<h2 class="sectionedit2" id="providing_tokens_from_an_external_source">Providing tokens from an external source</h2>
<div class="level2">
@ -114,25 +117,25 @@ If you don&#039;t want to use self-registration features for U2F, TOTP and so on
<pre class="code json">[ {&quot;type&quot; : &quot;TOTP&quot;, &quot;name&quot; : &quot;MyTOTP&quot;, …}, {&lt;other_token&gt;}, …]</pre>
</div>
<!-- EDIT2 SECTION "Providing tokens from an external source" [1524-1917] -->
<!-- EDIT2 SECTION "Providing tokens from an external source" [1732-2125] -->
<h3 class="sectionedit3" id="u2f_tokens">U2F Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyU2FKey&quot; , &quot;type&quot; : &quot;U2F&quot; , &quot;_userKey&quot; : &quot;########&quot; , &quot;_keyHandle&quot;:&quot;########&quot; , &quot;epoch&quot;:&quot;1524078936&quot;}</pre>
</div>
<!-- EDIT3 SECTION "U2F Tokens" [1918-2075] -->
<!-- EDIT3 SECTION "U2F Tokens" [2126-2283] -->
<h3 class="sectionedit4" id="totp_tokens">TOTP Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyTOTP&quot; , &quot;type&quot; : &quot;TOTP&quot; , &quot;_secret&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817955&quot;}</pre>
</div>
<!-- EDIT4 SECTION "TOTP Tokens" [2076-2208] -->
<!-- EDIT4 SECTION "TOTP Tokens" [2284-2416] -->
<h3 class="sectionedit5" id="yubikey_tokens">Yubikey Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyYubikey&quot; , &quot;type&quot; : &quot;UBK&quot; , &quot;_yubikey&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817715&quot;}</pre>
</div>
<!-- EDIT5 SECTION "Yubikey Tokens" [2209-2347] -->
<!-- EDIT5 SECTION "Yubikey Tokens" [2417-2555] -->
<h2 class="sectionedit6" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -149,6 +152,6 @@ To enable manager Second Factor Administration Module, set <code>enabledModules<
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT6 SECTION "Developer corner" [2348-] --></div>
<!-- EDIT6 SECTION "Developer corner" [2556-] --></div>
</body>
</html>


@ -78,11 +78,11 @@ To configure sessions, go in Manager, <code>General Parameters</code> » <code>S
</li>
<li class="level1"><div class="li"> <strong>Multiple sessions</strong>, you can restrict the number of open sessions:</div>
<ul>
<li class="level2"><div class="li"> <strong>One session only by user</strong>: a user can not open 2 sessions with the same account.</div>
<li class="level2"><div class="li"> <strong>One session per user</strong>: when a user logs in, all their previous sessions are removed</div>
</li>
<li class="level2"><div class="li"> <strong>One <abbr title="Internet Protocol">IP</abbr> only by user</strong>: a user can not open 2 sessions with different <abbr title="Internet Protocol">IP</abbr>.</div>
<li class="level2"><div class="li"> <strong>One <abbr title="Internet Protocol">IP</abbr> address per user</strong>: when a user logs in, all their previous sessions on a different <abbr title="Internet Protocol">IP</abbr> address are removed</div>
</li>
<li class="level2"><div class="li"> <strong>One user by <abbr title="Internet Protocol">IP</abbr> address</strong>: 2 users can not open a session with the same <abbr title="Internet Protocol">IP</abbr>.</div>
<li class="level2"><div class="li"> <strong>One user per <abbr title="Internet Protocol">IP</abbr> address</strong>: when a user logs in, all sessions that belong to a different user on that <abbr title="Internet Protocol">IP</abbr> address are removed</div>
</li>
<li class="level2"><div class="li"> <strong>Display deleted sessions</strong>: display deleted sessions on authentication phase.</div>
</li>
@ -100,7 +100,7 @@ To configure sessions, go in Manager, <code>General Parameters</code> » <code>S
<div class="noteimportant">Note that since HTTP protocol is not connected, restrictions are not applied to the new session: the oldest are destroyed.
</div>
</div>
<!-- EDIT1 SECTION "Sessions" [1-2404] -->
<!-- EDIT1 SECTION "Sessions" [1-2497] -->
<h1 class="sectionedit2" id="command-line_tools">Command-line tools</h1>
<div class="level1">
<ul>
@ -115,6 +115,6 @@ $ llngDeleteSession dh*
$ llngDeleteSession *</pre>
</div>
<!-- EDIT2 SECTION "Command-line tools" [2405-] --></div>
<!-- EDIT2 SECTION "Command-line tools" [2498-] --></div>
</body>
</html>


@ -80,6 +80,12 @@ You can find the configuration for this feature in <code>General parameters</cod
</li>
<li class="level1"><div class="li"> <code>Type</code>: what type of second factor you want to use</div>
</li>
<li class="level1"><div class="li"> <code>Label</code>: what title to display in the 2F choice screen </div>
</li>
<li class="level1"><div class="li"> <code>Logo</code> : <abbr title="Uniform Resource Locator">URL</abbr> path of a logo to display in the 2F choice screen</div>
</li>
<li class="level1"><div class="li"> <code>Level</code>: authentication level that will be set if this 2F is used</div>
</li>
<li class="level1"><div class="li"> <code>Rule</code>: If you leave this field empty, this second factor will always be enabled. You may use a perl expression to decide when this second factor is available. </div>
<ul>
<li class="level2"><div class="li"> <code>$homeMail</code> : this second factor will only trigger if the <code>$homeMail</code> session key exists</div>


@ -286,115 +286,118 @@
<td class="col0"> <a href="authfacebook.html" class="wikilink1" title="documentation:2.0:authfacebook">Facebook</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> <a href="authgpg.html" class="wikilink1" title="documentation:2.0:authgpg">GPG</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <sup><a href="#fn__1" id="fnt__1" class="fn_top">1)</a></sup> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authgithub.html" class="wikilink1" title="documentation:2.0:authgithub">GitHub</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <sup><a href="#fn__1" id="fnt__1" class="fn_top">1)</a></sup> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authgpg.html" class="wikilink1" title="documentation:2.0:authgpg">GPG</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <sup><a href="#fn__2" id="fnt__2" class="fn_top">2)</a></sup> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> <a href="authldap.html" class="wikilink1" title="documentation:2.0:authldap">LDAP</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 centeralign"> </td>
<td class="col0"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> <a href="authlinkedin.html" class="wikilink1" title="documentation:2.0:authlinkedin">LinkedIn</a> </td><td class="col1 centeralign"></td><td class="col2"> </td><td class="col3"> </td>
<td class="col0"> <a href="authldap.html" class="wikilink1" title="documentation:2.0:authldap">LDAP</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 centeralign"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> <a href="authnull.html" class="wikilink1" title="documentation:2.0:authnull">Null</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 centeralign"> </td>
<td class="col0"> <a href="authlinkedin.html" class="wikilink1" title="documentation:2.0:authlinkedin">LinkedIn</a> </td><td class="col1 centeralign"></td><td class="col2"> </td><td class="col3"> </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID Connect</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authnull.html" class="wikilink1" title="documentation:2.0:authnull">Null</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> <a href="authpam.html" class="wikilink1" title="documentation:2.0:authpam">PAM</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID Connect</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy LL::NG</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authpam.html" class="wikilink1" title="documentation:2.0:authpam">PAM</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> <a href="authradius.html" class="wikilink1" title="documentation:2.0:authradius">Radius</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy LL::NG</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> <a href="authrest.html" class="wikilink1" title="documentation:2.0:authrest">REST</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 centeralign"> </td>
<td class="col0"> <a href="authradius.html" class="wikilink1" title="documentation:2.0:authradius">Radius</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML 2.0 / Shibboleth</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authrest.html" class="wikilink1" title="documentation:2.0:authrest">REST</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"> </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> <a href="authslave.html" class="wikilink1" title="documentation:2.0:authslave">Slave</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML 2.0 / Shibboleth</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> <a href="authssl.html" class="wikilink1" title="documentation:2.0:authssl">SSL</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authslave.html" class="wikilink1" title="documentation:2.0:authslave">Slave</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> <a href="authtwitter.html" class="wikilink1" title="documentation:2.0:authtwitter">Twitter</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authssl.html" class="wikilink1" title="documentation:2.0:authssl">SSL</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> <a href="authwebid.html" class="wikilink1" title="documentation:2.0:authwebid">WebID</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authtwitter.html" class="wikilink1" title="documentation:2.0:authtwitter">Twitter</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> <del><a href="authyubikey.html" class="wikilink1" title="documentation:2.0:authyubikey">Yubikey</a></del> </td><td class="col1 centeralign" colspan="3"> <em>Deprecated, replaced by Yubikey second factor</em> </td>
<td class="col0"> <a href="authwebid.html" class="wikilink1" title="documentation:2.0:authwebid">WebID</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> <a href="authcustom.html" class="wikilink1" title="documentation:2.0:authcustom">Custom modules</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"> </td>
<td class="col0"> <del><a href="authyubikey.html" class="wikilink1" title="documentation:2.0:authyubikey">Yubikey</a></del> </td><td class="col1 centeralign" colspan="3"> <em>Deprecated, replaced by Yubikey second factor</em> </td>
</tr>
<tr class="row24 roweven">
<th class="col0"> Combo Backends </th><th class="col1 centeralign"> Authentication </th><th class="col2 centeralign"> Users </th><th class="col3 centeralign"> Password </th>
<td class="col0"> <a href="authcustom.html" class="wikilink1" title="documentation:2.0:authcustom">Custom modules</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> <a href="authchoice.html" class="wikilink1" title="documentation:2.0:authchoice">Choice by users</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td>
<th class="col0"> Combo Backends </th><th class="col1 centeralign"> Authentication </th><th class="col2 centeralign"> Users </th><th class="col3 centeralign"> Password </th>
</tr>
<tr class="row26 roweven">
<td class="col0"> <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination of auth schemes</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authchoice.html" class="wikilink1" title="documentation:2.0:authchoice">Choice by users</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"> </td>
</tr>
<tr class="row27 rowodd">
<td class="col0"> <del><a href="authmulti.html" class="wikilink1" title="documentation:2.0:authmulti">Multiple backends stack</a></del> </td><td class="col1 centeralign" colspan="3"> <em>Deprecated, replaced by Combination</em> </td>
<td class="col0"> <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination of auth schemes</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
</tr>
<tr class="row28 roweven">
<th class="col0"> Obsolete Backends </th><th class="col1 centeralign"> Authentication </th><th class="col2 centeralign"> Users </th><th class="col3 centeralign"> Password </th>
<td class="col0"> <del><a href="authmulti.html" class="wikilink1" title="documentation:2.0:authmulti">Multiple backends stack</a></del> </td><td class="col1 centeralign" colspan="3"> <em>Deprecated, replaced by Combination</em> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0"> <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">OpenID</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
<th class="col0"> Obsolete Backends </th><th class="col1 centeralign"> Authentication </th><th class="col2 centeralign"> Users </th><th class="col3 centeralign"> Password </th>
</tr>
<tr class="row30 roweven">
<td class="col0"> <a href="authremote.html" class="wikilink1" title="documentation:2.0:authremote">Remote LL::NG</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">OpenID</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
</tr>
<tr class="row31 rowodd">
<th class="col0"> Second factor (<a href="secondfactor.html" class="wikilink1" title="documentation:2.0:secondfactor">documentation</a>) </th><th class="col1 centeralign"> Authentication </th><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="authremote.html" class="wikilink1" title="documentation:2.0:authremote">Remote LL::NG</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
</tr>
<tr class="row32 roweven">
<td class="col0"> <a href="utotp2f.html" class="wikilink1" title="documentation:2.0:utotp2f">TOTP-or-U2F</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<th class="col0"> Second factor (<a href="secondfactor.html" class="wikilink1" title="documentation:2.0:secondfactor">documentation</a>) </th><th class="col1 centeralign"> Authentication </th><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row33 rowodd">
<td class="col0"> <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="utotp2f.html" class="wikilink1" title="documentation:2.0:utotp2f">TOTP-or-U2F</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row34 roweven">
<td class="col0"> <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> <em>(Google Authenticator,...)</em> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row35 rowodd">
<td class="col0"> <a href="mail2f.html" class="wikilink1" title="documentation:2.0:mail2f">E-mail Second Factor</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> <em>(Google Authenticator,...)</em> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row36 roweven">
<td class="col0"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External Second Factor</a> <em>(OTP, SMS,...)</em> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="mail2f.html" class="wikilink1" title="documentation:2.0:mail2f">E-mail Second Factor</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row37 rowodd">
<td class="col0"> <a href="radius2f.html" class="wikilink1" title="documentation:2.0:radius2f">Radius Second Factor</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <sup><a href="#fn__2" id="fnt__2" class="fn_top">2)</a></sup> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External Second Factor</a> <em>(OTP, SMS,...)</em> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row38 roweven">
<td class="col0"> <a href="rest2f.html" class="wikilink1" title="documentation:2.0:rest2f">REST Second Factor</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="radius2f.html" class="wikilink1" title="documentation:2.0:radius2f">Radius Second Factor</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <sup><a href="#fn__3" id="fnt__3" class="fn_top">3)</a></sup> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row39 rowodd">
<td class="col0"> <a href="yubikey2f.html" class="wikilink1" title="documentation:2.0:yubikey2f">Yubikey</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="rest2f.html" class="wikilink1" title="documentation:2.0:rest2f">REST Second Factor</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row40 roweven">
<td class="col0"> <a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">Additional second factors</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <sup><a href="#fn__3" id="fnt__3" class="fn_top">3)</a></sup> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="yubikey2f.html" class="wikilink1" title="documentation:2.0:yubikey2f">Yubikey</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row41 rowodd">
<th class="col0"> Auth addons </th><th class="col1 centeralign"> Authentication </th><td class="col2"></td><td class="col3"></td>
<td class="col0"> <a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">Additional second factors</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <sup><a href="#fn__4" id="fnt__4" class="fn_top">4)</a></sup> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row42 roweven">
<th class="col0"> Auth addons </th><th class="col1 centeralign"> Authentication </th><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row43 rowodd">
<td class="col0"> <a href="autosignin.html" class="wikilink1" title="documentation:2.0:autosignin">Auto Signin</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
</table></div>
<!-- EDIT10 TABLE [2567-5442] -->
<!-- EDIT10 TABLE [2567-5602] -->
<p>
</div></div>
</p>
@ -438,7 +441,7 @@
<td class="col0"> <a href="issuerdbget.html" class="wikilink1" title="documentation:2.0:issuerdbget">Get parameters provider</a> <em>(for poor applications)</em> </td><td class="col1 leftalign"> </td><td class="col2 centeralign"></td>
</tr>
</table></div>
<!-- EDIT11 TABLE [5788-6149] -->
<!-- EDIT11 TABLE [5948-6309] -->
<p>
</div></div>
</p>
@ -496,7 +499,7 @@
<td class="col0"> <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">XSS</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT12 TABLE [6866-7380] -->
<!-- EDIT12 TABLE [7026-7540] -->
<p>
</div></div>
</p>
@ -521,7 +524,7 @@
<td class="col0"> <a href="autosignin.html" class="wikilink1" title="documentation:2.0:autosignin">Auto Signin</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Auto Signin Addon </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> <a href="bruteforceprotection.html" class="wikilink1" title="documentation:2.0:bruteforceprotection">Brute Force protection</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> User must wait to log in after 3 failed login attempts </td>
<td class="col0"> <a href="bruteforceprotection.html" class="wikilink1" title="documentation:2.0:bruteforceprotection">Brute Force protection</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> User must wait to log in after some failed login attempts </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> <a href="cda.html" class="wikilink1" title="documentation:2.0:cda">CDA</a> </td><td class="col1"> Cross Domain Authentication </td>
@ -530,19 +533,19 @@
<td class="col0"> <a href="checkstate.html" class="wikilink1" title="documentation:2.0:checkstate">Check state</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Check state plugin (test page) </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> <a href="checkuser.html" class="wikilink1" title="documentation:2.0:checkuser">Check user </a> <sup><a href="#fn__4" id="fnt__4" class="fn_top">4)</a></sup> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Check access rights, transmitted headers and session attibutes for a specific user and <abbr title="Uniform Resource Locator">URL</abbr> </td>
<td class="col0"> <a href="checkuser.html" class="wikilink1" title="documentation:2.0:checkuser">Check user</a> <sup><a href="#fn__5" id="fnt__5" class="fn_top">5)</a></sup> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Check access rights, transmitted headers and session attibutes for a specific user and <abbr title="Uniform Resource Locator">URL</abbr> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> <a href="viewer.html" class="wikilink1" title="documentation:2.0:viewer">Configuration viewer</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Edit WebSSO configuration in Read Only mode </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> <a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> <sup><a href="#fn__5" id="fnt__5" class="fn_top">5)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Switch context other users </td>
<td class="col0"> <a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> <sup><a href="#fn__6" id="fnt__6" class="fn_top">6)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Switch context other users </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> <a href="plugincustom.html" class="wikilink1" title="documentation:2.0:plugincustom">Custom</a> </td><td class="col1"> Write a custom plugin </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> <a href="decryptvalue.html" class="wikilink1" title="documentation:2.0:decryptvalue">Decrypt value</a> <sup><a href="#fn__6" id="fnt__6" class="fn_top">6)</a></sup><a href="documentation/beta.png" class="media" title="documentation:beta.png"><img src="documentation/beta.2707b90c7f00808e80f984a3026445b0.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Decrypt ciphered values </td>
<td class="col0"> <a href="decryptvalue.html" class="wikilink1" title="documentation:2.0:decryptvalue">Decrypt value</a> <sup><a href="#fn__7" id="fnt__7" class="fn_top">7)</a></sup><a href="documentation/beta.png" class="media" title="documentation:beta.png"><img src="documentation/beta.2707b90c7f00808e80f984a3026445b0.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Decrypt ciphered values </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> <a href="loginhistory.html" class="wikilink1" title="documentation:2.0:loginhistory">Display login history</a> </td><td class="col1"></td>
@ -551,49 +554,52 @@
<td class="col0"> <a href="forcereauthn.html" class="wikilink1" title="documentation:2.0:forcereauthn">Force Authentication</a> </td><td class="col1"> Force authentication to access to Portal </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> <a href="globallogout.html" class="wikilink1" title="documentation:2.0:globallogout">Global Logout</a> <sup><a href="#fn__7" id="fnt__7" class="fn_top">7)</a></sup><a href="documentation/beta.png" class="media" title="documentation:beta.png"><img src="documentation/beta.2707b90c7f00808e80f984a3026445b0.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Suggest to close all opened sessions at logout </td>
<td class="col0"> <a href="globallogout.html" class="wikilink1" title="documentation:2.0:globallogout">Global Logout</a> <sup><a href="#fn__8" id="fnt__8" class="fn_top">8)</a></sup> </td><td class="col1"> Suggest to close all opened sessions at logout </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> <a href="grantsession.html" class="wikilink1" title="documentation:2.0:grantsession">Grant Sessions</a> </td><td class="col1"> Rules to apply before allowing a user to open a session </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> <a href="impersonation.html" class="wikilink1" title="documentation:2.0:impersonation">Impersonation </a> <sup><a href="#fn__8" id="fnt__8" class="fn_top">8)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Allow users to use another identity </td>
<td class="col0"> <a href="impersonation.html" class="wikilink1" title="documentation:2.0:impersonation">Impersonation</a> <sup><a href="#fn__9" id="fnt__9" class="fn_top">9)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Allow users to use another identity </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> <a href="notifications.html" class="wikilink1" title="documentation:2.0:notifications">Notifications system</a> </td><td class="col1"></td>
</tr>
<tr class="row16 roweven">
<td class="col0"> <a href="refreshsessionapi.html" class="wikilink1" title="documentation:2.0:refreshsessionapi">Refresh session API</a> <sup><a href="#fn__9" id="fnt__9" class="fn_top">9)</a></sup></td><td class="col1"> Plugin that provides an <abbr title="Application Programming Interface">API</abbr> to refresh a user session </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> <a href="status.html" class="wikilink1" title="documentation:2.0:status">Portal Status</a> </td><td class="col1"> Experimental portal status page </td>
</tr>
<tr class="row18 roweven">
<tr class="row17 rowodd">
<td class="col0"> <a href="public_pages.html" class="wikilink1" title="documentation:2.0:public_pages">Public pages</a> </td><td class="col1"> Enable public pages system </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> <a href="refreshsessionapi.html" class="wikilink1" title="documentation:2.0:refreshsessionapi">Refresh session API</a> <sup><a href="#fn__10" id="fnt__10" class="fn_top">10)</a></sup></td><td class="col1"> Plugin that provides an <abbr title="Application Programming Interface">API</abbr> to refresh a user session </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">Reset password by mail</a> </td><td class="col1"></td>
</tr>
<tr class="row20 roweven">
<td class="col0"> <a href="restservices.html" class="wikilink1" title="documentation:2.0:restservices">REST services</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> REST server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
<td class="col0"> <a href="resetcertificate.html" class="wikilink1" title="documentation:2.0:resetcertificate">Reset certificate by mail</a> <sup><a href="#fn__11" id="fnt__11" class="fn_top">11)</a></sup><a href="documentation/beta.png" class="media" title="documentation:beta.png"><img src="documentation/beta.2707b90c7f00808e80f984a3026445b0.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Allow users to reset their certificate </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> <a href="soapservices.html" class="wikilink1" title="documentation:2.0:soapservices">SOAP services</a> <em>(deprecated)</em> </td><td class="col1"> SOAP server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
<td class="col0"> <a href="restservices.html" class="wikilink1" title="documentation:2.0:restservices">REST services</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> REST server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> <a href="stayconnected" class="wikilink2" title="documentation:2.0:stayconnected" rel="nofollow">Stay connected</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Enable persistent connection on same browser </td>
<td class="col0"> <a href="soapservices.html" class="wikilink1" title="documentation:2.0:soapservices">SOAP services</a> <em>(deprecated)</em> </td><td class="col1"> SOAP server for <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">Proxy</a> </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> Upgrade session <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Plugin that explain to user that a more secure authentication is needed instead of rejected it </td>
<td class="col0"> Stay connected <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> Enable persistent connection on same browser </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> Upgrade session <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1"> This plugin explains to an already authenticated user that a higher authentication level is required to access the <abbr title="Uniform Resource Locator">URL</abbr> instead of reject him </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [7548-10050] -->
<!-- EDIT13 TABLE [7708-10440] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT9 SECTION "Portal" [2031-10078] -->
<!-- EDIT9 SECTION "Portal" [2031-10468] -->
<h3 class="sectionedit14" id="handlers">Handlers</h3>
<div class="level3">
@ -613,7 +619,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> Main <em>(default handler)</em> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 centeralign"> <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Partial</a> <strong><sup><a href="#fn__10" id="fnt__10" class="fn_top">10)</a></sup></strong> </td><td class="col5 centeralign"></td><td class="col6 leftalign"> </td>
<td class="col0"> Main <em>(default handler)</em> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 centeralign"> <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Partial</a> <strong><sup><a href="#fn__12" id="fnt__12" class="fn_top">12)</a></sup></strong> </td><td class="col5 centeralign"></td><td class="col6 leftalign"> </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> <a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 centeralign"></td><td class="col6"> Designed for some server-to-server applications </td>
@ -628,7 +634,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0"> <a href="devopssthandler.html" class="wikilink1" title="documentation:2.0:devopssthandler">DevOpsST</a> <em>(<a href="ssoaas.html" class="wikilink1" title="documentation:2.0:ssoaas">SSOaaS</a>)</em> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 centeralign"></td><td class="col5 leftalign"> </td><td class="col6"> Enables both <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a> and <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">Service Token</a> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2</a> <sup><a href="#fn__11" id="fnt__11" class="fn_top">11)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 centeralign"></td><td class="col6"> Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services </td>
<td class="col0"> <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2</a> <sup><a href="#fn__13" id="fnt__13" class="fn_top">13)</a></sup><a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 centeralign"></td><td class="col6"> Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> <a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">Secure Token</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 leftalign"> </td><td class="col6"> Designed to secure exchanges between a LLNG reverse-proxy and a remote app </td>
@ -640,13 +646,13 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra PreAuth</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td><td class="col4 leftalign"> </td><td class="col5 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT15 TABLE [10352-12135] -->
<!-- EDIT15 TABLE [10742-12525] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT14 SECTION "Handlers" [10079-12163] -->
<!-- EDIT14 SECTION "Handlers" [10469-12553] -->
<h3 class="sectionedit16" id="llng_databases">LLNG databases</h3>
<div class="level3">
@ -695,7 +701,7 @@ Handlers are software control agents to be installed on your web servers <em>(Ng
<td class="col0 centeralign"> <a href="localconfbackend.html" class="wikilink1" title="documentation:2.0:localconfbackend">Local</a> <a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> </td><td class="col1 leftalign"> </td><td class="col2 leftalign"> Use only lemonldap-ng.ini parameters. </td>
</tr>
</table></div>
<!-- EDIT17 TABLE [12468-13580] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
<!-- EDIT17 TABLE [12858-13970] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
</div>
<p>
</div></div>
@ -750,14 +756,14 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
<strong>Can be used to secure another backend</strong> for remote servers. </td>
</tr>
</table></div>
<!-- EDIT18 TABLE [14445-16145] -->
<!-- EDIT18 TABLE [14835-16535] -->
<p>
</div></div>
</p>
<div class="notetip">You can migrate from one session backend to another using the <a href="changesessionbackend.html" class="wikilink1" title="documentation:2.0:changesessionbackend">session conversion script</a>. (<a href="documentation/new.png" class="media" title="documentation:new.png"><img src="documentation/new.ae92cc06c5d7671f1d904a7fe6e5ed09.png" class="media" alt="" width="35" /></a> <em>since 2.0.7</em>)
</div>
</div>
<!-- EDIT16 SECTION "LLNG databases" [12164-16351] -->
<!-- EDIT16 SECTION "LLNG databases" [12554-16741] -->
<h2 class="sectionedit19" id="applications_protection">Applications protection</h2>
<div class="level2">
@ -788,7 +794,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT19 SECTION "Applications protection" [16352-16889] -->
<!-- EDIT19 SECTION "Applications protection" [16742-17279] -->
<h3 class="sectionedit20" id="well_known_compatible_applications">Well known compatible applications</h3>
<div class="level3">
<div class="noteclassic">Here is a list of well known applications that are compatible with <abbr title="LemonLDAP::NG">LL::NG</abbr>. A full list is available on <a href="applications.html" class="wikilink1" title="documentation:2.0:applications">vendor applications page</a>.
@ -809,6 +815,12 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</div>
</p>
<p>
<div class="col-sm-3">
<a href="applications/awx.html" class="media" title="documentation:2.0:applications:awx"><img src="icons/kmultiple.png" class="mediacenter" title="AWX" alt="AWX" /></a>
</div>
</p>
<p>
<div class="col-sm-3">
<a href="applications/bugzilla.html" class="media" title="documentation:2.0:applications:bugzilla"><img src="icons/kmultiple.png" class="mediacenter" title="Bugzilla" alt="Bugzilla" /></a>
@ -892,7 +904,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT20 SECTION "Well known compatible applications" [16890-19228] -->
<!-- EDIT20 SECTION "Well known compatible applications" [17280-19742] -->
<h2 class="sectionedit21" id="advanced_features">Advanced features</h2>
<div class="level2">
@ -951,7 +963,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT21 SECTION "Advanced features" [19229-20448] -->
<!-- EDIT21 SECTION "Advanced features" [19743-20962] -->
<h2 class="sectionedit22" id="mini_howtos">Mini howtos</h2>
<div class="level2">
@ -990,7 +1002,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT22 SECTION "Mini howtos" [20449-21410] -->
<!-- EDIT22 SECTION "Mini howtos" [20963-21924] -->
<h2 class="sectionedit23" id="exploitation">Exploitation</h2>
<div class="level2">
@ -1025,7 +1037,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT23 SECTION "Exploitation" [21411-21928] -->
<!-- EDIT23 SECTION "Exploitation" [21925-22442] -->
<h2 class="sectionedit24" id="bug_report">Bug report</h2>
<div class="level2">
@ -1034,7 +1046,7 @@ See <a href="bugreport.html" class="wikilink1" title="bugreport">How to report a
</p>
</div>
<!-- EDIT24 SECTION "Bug report" [21929-21993] -->
<!-- EDIT24 SECTION "Bug report" [22443-22507] -->
<h2 class="sectionedit25" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -1101,27 +1113,32 @@ If you don&#039;t want to publish your translation <em>(<code>XX</code> must be
</ul>
</div>
<!-- EDIT25 SECTION "Developer corner" [21994-] --><div class="footnotes">
<!-- EDIT25 SECTION "Developer corner" [22508-] --><div class="footnotes">
<div class="fn"><sup><a href="#fnt__1" id="fn__1" class="fn_bot">1)</a></sup>
<a href="authgpg.html" class="wikilink1" title="documentation:2.0:authgpg">GPG</a> is available with LLNG ≥ 2.0.2</div>
<a href="authgithub.html" class="wikilink1" title="documentation:2.0:authgithub">GitHub authentication</a> is available with LLNG ≥ 2.0.8</div>
<div class="fn"><sup><a href="#fnt__2" id="fn__2" class="fn_bot">2)</a></sup>
<a href="radius2f.html" class="wikilink1" title="documentation:2.0:radius2f">Radius second factor</a> is available with LLNG ≥ 2.0.6</div>
<a href="authgpg.html" class="wikilink1" title="documentation:2.0:authgpg">GPG authentication</a> is available with LLNG ≥ 2.0.2</div>
<div class="fn"><sup><a href="#fnt__3" id="fn__3" class="fn_bot">3)</a></sup>
<a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">Additional second factors</a> is available with LLNG ≥ 2.0.6</div>
<a href="radius2f.html" class="wikilink1" title="documentation:2.0:radius2f">Radius second factor</a> is available with LLNG ≥ 2.0.6</div>
<div class="fn"><sup><a href="#fnt__4" id="fn__4" class="fn_bot">4)</a></sup>
, <sup><a href="#fnt__8" id="fn__8" class="fn_bot">8)</a></sup>
<a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> is available with LLNG ≥ 2.0.3</div>
<a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">Additional second factors</a> are available with LLNG ≥ 2.0.6</div>
<div class="fn"><sup><a href="#fnt__5" id="fn__5" class="fn_bot">5)</a></sup>
<a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching</a> is available with LLNG ≥ 2.0.6</div>
<a href="checkuser.html" class="wikilink1" title="documentation:2.0:checkuser">Check user plugin</a> is available with LLNG ≥ 2.0.3</div>
<div class="fn"><sup><a href="#fnt__6" id="fn__6" class="fn_bot">6)</a></sup>
<a href="decryptvalue.html" class="wikilink1" title="documentation:2.0:decryptvalue">Decrypt value</a> is available with LLNG ≥ 2.0.7</div>
<a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">Context switching plugin</a> is available with LLNG ≥ 2.0.6</div>
<div class="fn"><sup><a href="#fnt__7" id="fn__7" class="fn_bot">7)</a></sup>
<a href="globallogout.html" class="wikilink1" title="documentation:2.0:globallogout">Global Logout</a> is available with LLNG ≥ 2.0.7</div>
<a href="decryptvalue.html" class="wikilink1" title="documentation:2.0:decryptvalue">Decrypt value plugin</a> is available with LLNG ≥ 2.0.7</div>
<div class="fn"><sup><a href="#fnt__8" id="fn__8" class="fn_bot">8)</a></sup>
<a href="globallogout.html" class="wikilink1" title="documentation:2.0:globallogout">Global Logout plugin</a> is available with LLNG ≥ 2.0.7</div>
<div class="fn"><sup><a href="#fnt__9" id="fn__9" class="fn_bot">9)</a></sup>
<a href="refreshsessionapi.html" class="wikilink1" title="documentation:2.0:refreshsessionapi">Refresh session plugin</a> is available with LLNG ≥ 2.0.7</div>
<a href="impersonation.html" class="wikilink1" title="documentation:2.0:impersonation">Impersonation plugin</a> is available with LLNG ≥ 2.0.3</div>
<div class="fn"><sup><a href="#fnt__10" id="fn__10" class="fn_bot">10)</a></sup>
<a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionalities</div>
<a href="refreshsessionapi.html" class="wikilink1" title="documentation:2.0:refreshsessionapi">Refresh session API plugin</a> is available with LLNG ≥ 2.0.7</div>
<div class="fn"><sup><a href="#fnt__11" id="fn__11" class="fn_bot">11)</a></sup>
<a href="resetcertificate.html" class="wikilink1" title="documentation:2.0:resetcertificate">Reset certificate by mail plugin</a> is available with LLNG ≥ 2.0.7</div>
<div class="fn"><sup><a href="#fnt__12" id="fn__12" class="fn_bot">12)</a></sup>
<a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionalities</div>
<div class="fn"><sup><a href="#fnt__13" id="fn__13" class="fn_bot">13)</a></sup>
<a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2 Handler</a> is available with LLNG ≥ 2.0.4</div>
</div>
</div>


@ -80,46 +80,44 @@
<div class="level2">
<p>
The portal displays in JSON format its activity. Some d This can give a view to all returned codes.
The Portal displays in JSON format its activity. It can provide a view of all returned codes.
</p>
</div>
<!-- EDIT2 SECTION "Portal Status (experimental)" [29-171] -->
<!-- EDIT2 SECTION "Portal Status (experimental)" [29-165] -->
<h3 class="sectionedit3" id="configuration">Configuration</h3>
<div class="level3">
<p>
* Set <code>portalStatus = 1</code> in lemonldap-ng.ini file (section <code>[Portal]</code>)
* Note that handler status must also been enabled
* Protect <a href="http://portal/portalStatus" class="urlextern" title="http://portal/portalStatus" rel="nofollow">http://portal/portalStatus</a> using your webserver configuration
</p>
<p>
Status is displayed by calling this <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
<ul>
<li class="level1"><div class="li"> Ordered List ItemSet <code>portalStatus = 1</code> in lemonldap-ng.ini file (section <code>[Portal]</code>)</div>
</li>
<li class="level1"><div class="li"> Note that handler status must also been enabled</div>
</li>
<li class="level1"><div class="li"> The <abbr title="Uniform Resource Locator">URL</abbr> <a href="http://portal/status" class="urlextern" title="http://portal/status" rel="nofollow">http://portal/status</a> must be protected by your webserver configuration</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Configuration" [172-439] -->
<!-- EDIT3 SECTION "Configuration" [166-421] -->
<h2 class="sectionedit4" id="handler_status">Handler Status</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Handler Status" [440-467] -->
<!-- EDIT4 SECTION "Handler Status" [422-449] -->
<h3 class="sectionedit5" id="presentation">Presentation</h3>
<div class="level3">
<p>
When status feature is activated, Handlers and portal will collect statistics and save them in their local cache. This means that if several Handlers are deployed, each will manage its own statistics.
When status feature is enabled, Handlers and portal will collect statistics and save them in their local cache. This means that if several Handlers are deployed, each will manage its own statistics.
</p>
<div class="notetip">This page can be browsed for example by <a href="http://oss.oetiker.ch/mrtg/" class="urlextern" title="http://oss.oetiker.ch/mrtg/" rel="nofollow">MRTG</a> using the <a href="mrtg.html" class="wikilink1" title="documentation:2.0:mrtg">MRTG monitoring script</a>.
</div>
<p>
The statistics are collected trough a daemon launched by the Handler. It can be seen in system processes.
Statistics are collected through a daemon launched by the Handler. It can be supervised in system processes.
</p>
<p>
Statistics are displayed when calling the status path on an Handler (for example: <a href="http://reload.example.com/status" class="urlextern" title="http://reload.example.com/status" rel="nofollow">http://reload.example.com/status</a>).
The statistics are displayed when calling the status path on an Handler (for example: <a href="http://reload.example.com/status" class="urlextern" title="http://reload.example.com/status" rel="nofollow">http://reload.example.com/status</a>).
</p>
<p>
@ -131,7 +129,7 @@ Example of status page:
</p>
</div>
<!-- EDIT5 SECTION "Presentation" [468-1126] -->
<!-- EDIT5 SECTION "Presentation" [450-1113] -->
<h3 class="sectionedit6" id="configuration1">Configuration</h3>
<div class="level3">
@ -216,7 +214,7 @@ Then restart webserver.
</p>
</div>
<!-- EDIT6 SECTION "Configuration" [1127-3029] -->
<!-- EDIT6 SECTION "Configuration" [1114-3016] -->
<h3 class="sectionedit7" id="advanced">Advanced</h3>
<div class="level3">
<ol>
@ -227,6 +225,6 @@ Then restart webserver.
</ol>
</div>
<!-- EDIT7 SECTION "Advanced" [3030-] --></div>
<!-- EDIT7 SECTION "Advanced" [3017-] --></div>
</body>
</html>


@ -1,285 +0,0 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>documentation:2.0:stayconnected [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="/lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="/lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<link type="text/css" rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootswatch/3.3.4/flatly/bootstrap.min.css" />
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,follow"/>
<meta name="keywords" content="documentation,2.0,stayconnected"/>
<link rel="search" type="application/opensearchdescription+xml" href="/lib/exe/opensearch.php" title="LemonLDAP::NG"/>
<link rel="start" href="/"/>
<link rel="contents" href="/documentation/2.0/stayconnected?do=index" title="Sitemap"/>
<link rel="alternate" type="application/rss+xml" title="Recent changes" href="/feed.php"/>
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/stayconnected"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/stayconnected"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:stayconnected","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
</style>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script type="text/javascript" src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script type="text/javascript" src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body class="flatly page-on-panel">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__site" class="container">
<div id="dokuwiki__top" class="site dokuwiki mode_show tpl_bootstrap3 notFound hasSidebar">
<!-- header -->
<div id="dokuwiki__header">
<nav class="navbar navbar-default" role="navigation">
<div class="container-fluid">
<div class="navbar-header">
<button class="navbar-toggle" type="button" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/start" accesskey="h" title="[H]" class="navbar-brand"><img src="/_media/wiki/logo.png" alt="LemonLDAP::NG" class="pull-left" id="dw__logo" width="20" height="20" /> <span id="dw__title" >LemonLDAP::NG</span></a>
</div>
<div class="collapse navbar-collapse">
<ul class="nav navbar-nav" id="dw__navbar">
<!-- <li>
<a href="/start" ><i class="glyphicon glyphicon-home"></i> Home</a></li> -->
<li>
<a href="/download" ><i class="glyphicon glyphicon-download"></i> Download</a></li>
<li>
<a href="/documentation" ><i class="glyphicon glyphicon-book"></i> Documentation</a></li>
<li>
<a href="/screenshots" ><i class="glyphicon glyphicon-picture"></i> Screenshots</a></li>
<li class="dropdown ">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-question-sign"></span> Contact <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="/contact" ><i class="glyphicon glyphicon-envelope"></i> Mails, IRC and more</a></li>
<li><a href="/team" ><i class="glyphicon glyphicon-user"></i> The team</a></li>
<li><a href="/professionalservices" ><i class="glyphicon glyphicon-briefcase"></i> Professional Services</a></li>
<li><a href="/references" ><i class="glyphicon glyphicon-sunglasses"></i> References</a></li>
<li><a href="/sponsors" ><i class="glyphicon glyphicon-piggy-bank"></i> Sponsors</a></li>
</ul>
</li>
</ul>
<div class="navbar-right">
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/stayconnected?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
</div>
</div>
</nav>
</div>
<!-- /header -->
<div id="dw__breadcrumbs">
<hr/>
<div class="breadcrumb"><span class="bchead">You are here: </span><span class="home"><bdi><a href="/start" class="wikilink1" title="start">start</a></bdi></span> » <bdi><a href="/documentation" class="wikilink1" title="documentation">documentation</a></bdi> » <bdi><a href="/documentation/2.0/start" class="wikilink1" title="documentation:2.0:start">2.0</a></bdi> » <bdi><span class="curid"><a href="/documentation/2.0/stayconnected" class="wikilink2" title="documentation:2.0:stayconnected" rel="nofollow">stayconnected</a></span></bdi></div>
<hr/>
</div>
<p class="pageId text-right">
<span class="label label-default">documentation:2.0:stayconnected</span>
</p>
<div id="dw__msgarea">
</div>
<main class="main row" role="main">
<!-- ********** CONTENT ********** -->
<article id="dokuwiki__content" class="col-sm-9 col-md-10 " >
<div class="panel panel-default" >
<div class="page group panel-body">
<div class="pull-right hidden-print" data-spy="affix" data-offset-top="150" style="z-index:1024; top:10px; right:10px;">
</div>
<!-- wikipage start -->
<h1 class="sectionedit1" id="this_topic_does_not_exist_yet">This topic does not exist yet</h1>
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
<!-- wikipage stop -->
</div>
</div>
</article>
<!-- ********** ASIDE ********** -->
<aside id="dokuwiki__aside" class="dw__sidebar col-sm-3 col-md-2 hidden-print">
<div class="content">
<div class="toogle hidden-lg hidden-md hidden-sm" data-toggle="collapse" data-target="#dokuwiki__aside .collapse">
<i class="glyphicon glyphicon-th-list"></i> Sidebar </div>
<div class="collapse in">
<p>
<div class="text-center">
</p>
<h3 class="sectionedit1" id="social_networks">Social networks</h3>
<div class="level3">
<p>
<p><a href="https://twitter.com/lemonldapng/" class="btn btn-large btn-info"><i class="glyphicon glyphicon-retweet"></i> Twitter</a></p>
<p><a href="https://www.facebook.com/lemonldapng/" class="btn btn-large btn-primary"><i class="glyphicon glyphicon-thumbs-up"></i> Facebook</a></p>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT1 SECTION "Social networks" [41-433] -->
<h3 class="sectionedit2" id="hosted_by">Hosted by</h3>
<div class="level3">
<p>
<a href="http://www.ow2.org" class="media" title="http://www.ow2.org" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT2 SECTION "Hosted by" [434-568] -->
<h3 class="sectionedit3" id="certifications">Certifications</h3>
<div class="level3">
<p>
<a href="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" class="media" title="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" rel="nofollow"><img src="/_media/applications/franceconnect_logo.png" class="mediacenter" alt="" /></a>
<strong>France Connect</strong>
</p>
<p>
<a href="https://fusioniam.org" class="media" title="https://fusioniam.org" rel="nofollow"><img src="/_media/logos/fusioniam_logo_icon_dragon_circle.png" class="mediacenter" alt="" /></a>
<strong>FusionIAM projet member</strong>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT3 SECTION "Certifications" [569-928] -->
<h3 class="sectionedit4" id="awards">Awards</h3>
<div class="level3">
<p>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
<p>
<script type="text/javascript" src="http://www.openhub.net/p/12421/widgets/project_users.js?style=blue"></script>
</div>
</p>
<script type='text/javascript'>
var ab_h = '321e562442494652658acbc3fd84ec80';
var ab_s = '6ca5df30810665e075f684a87e742175';
</script>
<script type='text/javascript' src='http://cdn1.adbard.net/js/ab1.js'></script>
</div>
<!-- EDIT4 SECTION "Awards" [929-] --> </div>
</div>
</aside>
</main>
<footer id="dokuwiki__footer" class="small hidden-print">
<a href="javascript:void(0)" class="back-to-top hidden-print btn btn-default btn-sm" title="skip to content>" id="back-to-top"><i class="glyphicon glyphicon-chevron-up"></i></a>
<div class="text-center">
<p id="dw__license">
<div class="license">Except where otherwise noted, content on this wiki is licensed under the following license: <bdi><a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" rel="license" class="urlextern">CC Attribution-Noncommercial-Share Alike 3.0 Unported</a></bdi></div> </p>
</div>
</footer>
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Astayconnected&amp;1576942870" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
<span class="visible-md"></span>
<span class="visible-lg"></span>
</div>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>


@ -78,12 +78,21 @@ LLNG can propose to users to register their keys. When done, 2F registered users
<div class="level2">
<p>
This feature uses <a href="https://metacpan.org/pod/Crypt::U2F::Server::Simple" class="urlextern" title="https://metacpan.org/pod/Crypt::U2F::Server::Simple" rel="nofollow">Crypt::U2F::Server::Simple</a> that is only available on CPAN repository for now. Before compiling it, you must install Yubico&#039;s C library headers (called libu2f-server-dev on Debian).
This feature uses <a href="https://metacpan.org/pod/Crypt::U2F::Server::Simple" class="urlextern" title="https://metacpan.org/pod/Crypt::U2F::Server::Simple" rel="nofollow">Crypt::U2F::Server::Simple</a>.
</p>
<p>
It is available as package on Debian:
</p>
<pre class="code">apt install libcrypt-u2f-server-perl</pre>
<p>
For other systems, use CPAN. Before compiling it, you must install Yubico&#039;s C library headers.
</p>
<div class="noteimportant">An HTTPS portal is required to use U2F
</div>
</div>
<!-- EDIT2 SECTION "Prerequisites and dependencies" [530-891] -->
<!-- EDIT2 SECTION "Prerequisites and dependencies" [530-925] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
@ -109,7 +118,7 @@ In the manager (second factors), you just have to enable it:
<div class="noteimportant">If you want to use a custom rule for &quot;activation&quot; and enable self-registration, you have to include this in your rule: <code>$_2fDevices =~ /&quot;type&quot;:\s*&quot;U2F&quot;/s</code>, else U2F will be required even if users are not registered. This is automatically done when &quot;activation&quot; is set to &quot;on&quot;.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [892-2150] -->
<!-- EDIT3 SECTION "Configuration" [926-2184] -->
<h2 class="sectionedit4" id="browser_compatibility">Browser compatibility</h2>
<div class="level2">
<ul>
@ -130,7 +139,7 @@ In the manager (second factors), you just have to enable it:
</ul>
</div>
<!-- EDIT4 SECTION "Browser compatibility" [2151-2591] -->
<!-- EDIT4 SECTION "Browser compatibility" [2185-2625] -->
<h2 class="sectionedit5" id="enrollment">Enrollment</h2>
<div class="level2">
@ -139,7 +148,7 @@ If you have enabled self registration, users can register their U2F keys using <
</p>
</div>
<!-- EDIT5 SECTION "Enrollment" [2592-2722] -->
<!-- EDIT5 SECTION "Enrollment" [2626-2756] -->
<h2 class="sectionedit6" id="assistance">Assistance</h2>
<div class="level2">
@ -150,7 +159,7 @@ If a user loses its key, you can delete it from the manager Second Factor module
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT6 SECTION "Assistance" [2723-3030] -->
<!-- EDIT6 SECTION "Assistance" [2757-3064] -->
<h2 class="sectionedit7" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -165,6 +174,6 @@ Note that both &quot;origin&quot; and &quot;appId&quot; are fixed to portal <abb
</p>
</div>
<!-- EDIT7 SECTION "Developer corner" [3031-] --></div>
<!-- EDIT7 SECTION "Developer corner" [3065-] --></div>
</body>
</html>


@ -49,6 +49,7 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#section208">2.0.8</a></div></li>
<li class="level1"><div class="li"><a href="#section207">2.0.7</a></div></li>
<li class="level1"><div class="li"><a href="#section206">2.0.6</a></div></li>
<li class="level1"><div class="li"><a href="#section205">2.0.5</a></div></li>
@ -65,6 +66,7 @@
<li class="level1"><div class="li"><a href="#security">Security</a></div></li>
<li class="level1"><div class="li"><a href="#handlers">Handlers</a></div></li>
<li class="level1"><div class="li"><a href="#rules_and_headers">Rules and headers</a></div></li>
<li class="level1"><div class="li"><a href="#opening_conditions">Opening conditions</a></div></li>
<li class="level1"><div class="li"><a href="#supported_servers">Supported servers</a></div></li>
<li class="level1"><div class="li"><a href="#ajax_requests">Ajax requests</a></div></li>
<li class="level1"><div class="li"><a href="#soaprest_services">SOAP/REST services</a></div></li>
@ -90,7 +92,32 @@ Please apply general caution as you would with any software: have backups and a
</div>
</div>
<!-- EDIT1 SECTION "Upgrade from 2.0.x to 2.0.y" [1-527] -->
<h2 class="sectionedit2" id="section207">2.0.7</h2>
<h2 class="sectionedit2" id="section208">2.0.8</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> New dependency: Perl module Time::Fake is now required to run unit test and build packages, but should not be mandatory to run the software.</div>
</li>
<li class="level1"><div class="li"> Nginx configuration: some changes are required to allow IPv6, see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2152" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2152" rel="nofollow">#2152</a></div>
</li>
<li class="level1"><div class="li"> Option <code>singleSessionUserByIP</code> was removed, see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2159" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/2159" rel="nofollow">#2159</a></div>
</li>
<li class="level1"><div class="li"> A memory leak was found in perl-fcgi with Perl &lt; 5.18, a workaround is possible with Apache and llng-fastcgi-server, see <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1314" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1314" rel="nofollow">#1314</a></div>
<ul>
<li class="level2"><div class="li"> With Apache: set <code>FcgidMaxRequestsPerProcess 500</code> in portal virtual host</div>
</li>
<li class="level2"><div class="li"> With llng-fastcgi-server: set <code>PM_MAX_REQUESTS=500</code> in llng-fastcgi-server service configuration</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Cookie <code>SameSite</code> value: to avoid problems with recent browsers, <abbr title="Security Assertion Markup Language">SAML</abbr> POST binding, LLNG cookies are now tagged as &quot;<strong>SameSite=None</strong>&quot;. You can change this value using manager, &quot;<strong>SameSite=Lax</strong>&quot; is best for installations without federations. <strong>Important note</strong>: if you&#039;re using an unsecured connection <em>(http:// instead of https://)</em>, &quot;SameSite=None&quot; will be ignored by browsers and users that already have a valid session might be prompted to login again.</div>
</li>
<li class="level1"><div class="li"> OAuth2.0 Handler: a VHost protected by the OAuth2.0 handler will now return a 401 when called without an Access Token, instead of redirecting to the portal, as specified by <a href="https://tools.ietf.org/html/rfc6750" class="urlextern" title="https://tools.ietf.org/html/rfc6750" rel="nofollow">RFC6750</a></div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "2.0.8" [528-2048] -->
<h2 class="sectionedit3" id="section207">2.0.7</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Security:</div>
@ -102,8 +129,12 @@ Please apply general caution as you would with any software: have backups and a
</ul>
</li>
</ul>
<pre class="code">portal-apache2.conf</pre>
<pre class="code file apache"> <span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi(?:/.*)?)$&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/index.fcgi/$1&quot;</span> [PT]</pre>
<pre class="code">manager-apache2.conf</pre>
<pre class="code file apache"> <span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_URI}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib|javascript|favicon).*&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/manager.fcgi/$1&quot;</span> [PT]</pre>
<ul>
<li class="level1"><div class="li"> Other:</div>
<ul>
@ -111,11 +142,17 @@ Please apply general caution as you would with any software: have backups and a
</li>
</ul>
</li>
<li class="level1"><div class="li"> Removed parameters:</div>
<ul>
<li class="level2"><div class="li"> <code>samlIdPResolveCookie</code></div>
</li>
</ul>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "2.0.7" [528-1651] -->
<h2 class="sectionedit3" id="section206">2.0.6</h2>
<!-- EDIT3 SECTION "2.0.7" [2049-3443] -->
<h2 class="sectionedit4" id="section206">2.0.6</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Option was added to display generate password box in <a href="resetpassword.html" class="wikilink1" title="documentation:2.0:resetpassword">password reset by mail plugin</a>. If you use this feature, you must enable this option, which is disabled by default.</div>
@ -132,8 +169,8 @@ Please apply general caution as you would with any software: have backups and a
sed &#039;s,/usr/share/fonts/default/Type1/,/usr/share/X11/fonts/urw-fonts/,g&#039; -i /etc/ImageMagick/type-ghostscript.xml</pre>
</div>
<!-- EDIT3 SECTION "2.0.6" [1652-2845] -->
<h2 class="sectionedit4" id="section205">2.0.5</h2>
<!-- EDIT4 SECTION "2.0.6" [3444-4637] -->
<h2 class="sectionedit5" id="section205">2.0.5</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> The Text::Unidecode perl module becomes a requirement <em>(it will be automatically installed if you upgrade from from the deb or RPM repositories)</em></div>
@ -147,14 +184,14 @@ sed &#039;s,/usr/share/fonts/default/Type1/,/usr/share/X11/fonts/urw-fonts/,g&#0
</ul>
</div>
<!-- EDIT4 SECTION "2.0.5" [2846-3836] -->
<h1 class="sectionedit5" id="upgrade_from_19_to_20">Upgrade from 1.9 to 2.0</h1>
<!-- EDIT5 SECTION "2.0.5" [4638-5628] -->
<h1 class="sectionedit6" id="upgrade_from_19_to_20">Upgrade from 1.9 to 2.0</h1>
<div class="level1">
<div class="noteimportant">2.0 is a major release, lot of things have been changed. You must read this document before upgrade.
</div>
</div>
<!-- EDIT5 SECTION "Upgrade from 1.9 to 2.0" [3837-4000] -->
<h2 class="sectionedit6" id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<!-- EDIT6 SECTION "Upgrade from 1.9 to 2.0" [5629-5792] -->
<h2 class="sectionedit7" id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<div class="level2">
<p>
@ -171,8 +208,8 @@ As usual, if you use more than 1 server and don&#039;t want to stop <abbr title=
<div class="noteimportant">You must revalidate your configuration using the manager.
</div>
</div>
<!-- EDIT6 SECTION "Upgrade order from 1.9.*" [4001-4475] -->
<h2 class="sectionedit7" id="installation">Installation</h2>
<!-- EDIT7 SECTION "Upgrade order from 1.9.*" [5793-6267] -->
<h2 class="sectionedit8" id="installation">Installation</h2>
<div class="level2">
<div class="noteimportant">French documentation is no more available. Only English version of this documentation is maintained now.
</div>
@ -195,8 +232,8 @@ For <abbr title="Security Assertion Markup Language">SAML</abbr> features, we re
</p>
</div>
<!-- EDIT7 SECTION "Installation" [4476-4861] -->
<h2 class="sectionedit8" id="configuration">Configuration</h2>
<!-- EDIT8 SECTION "Installation" [6268-6653] -->
<h2 class="sectionedit9" id="configuration">Configuration</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>lemonldap-ng.ini</strong> requires some new fields in portal section. Update yours using the one given installed by default. New requires fields are:</div>
@ -233,8 +270,8 @@ For <abbr title="Security Assertion Markup Language">SAML</abbr> features, we re
</div>
</div>
<!-- EDIT8 SECTION "Configuration" [4862-6689] -->
<h3 class="sectionedit9" id="configuration_refresh">Configuration refresh</h3>
<!-- EDIT9 SECTION "Configuration" [6654-8481] -->
<h3 class="sectionedit10" id="configuration_refresh">Configuration refresh</h3>
<div class="level3">
<p>
@ -243,8 +280,8 @@ Now portal has the same behavior than handlers: it looks to configuration stored
<div class="noteimportant">If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code> for example
</div>
</div>
<!-- EDIT9 SECTION "Configuration refresh" [6690-7111] -->
<h2 class="sectionedit10" id="ldap_connection">LDAP connection</h2>
<!-- EDIT10 SECTION "Configuration refresh" [8482-8903] -->
<h2 class="sectionedit11" id="ldap_connection">LDAP connection</h2>
<div class="level2">
<p>
@ -252,8 +289,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</p>
</div>
<!-- EDIT10 SECTION "LDAP connection" [7112-7295] -->
<h2 class="sectionedit11" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<!-- EDIT11 SECTION "LDAP connection" [8904-9087] -->
<h2 class="sectionedit12" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> A new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added since 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display,…)</em>. However, you can retain the old integration manner <em>(using <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
@ -263,8 +300,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</ul>
</div>
<!-- EDIT11 SECTION "Kerberos or SSL usage" [7296-7804] -->
<h2 class="sectionedit12" id="logs">Logs</h2>
<!-- EDIT12 SECTION "Kerberos or SSL usage" [9088-9596] -->
<h2 class="sectionedit13" id="logs">Logs</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>Syslog</strong>: logs are now configured in <code>lemonldap-ng.ini</code> file only. If you use Syslog, you must reconfigure it. See <a href="logs.html" class="wikilink1" title="documentation:2.0:logs">logs</a> for more.</div>
@ -276,8 +313,8 @@ Now LDAP connections are kept open to improve performances. To allow that, <abbr
</ul>
</div>
<!-- EDIT12 SECTION "Logs" [7805-8386] -->
<h2 class="sectionedit13" id="security">Security</h2>
<!-- EDIT13 SECTION "Logs" [9597-10178] -->
<h2 class="sectionedit14" id="security">Security</h2>
<div class="level2">
<p>
@ -291,8 +328,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT13 SECTION "Security" [8387-8954] -->
<h2 class="sectionedit14" id="handlers">Handlers</h2>
<!-- EDIT14 SECTION "Security" [10179-10746] -->
<h2 class="sectionedit15" id="handlers">Handlers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>Apache only</strong>:</div>
@ -310,8 +347,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT14 SECTION "Handlers" [8955-10040] -->
<h2 class="sectionedit15" id="rules_and_headers">Rules and headers</h2>
<!-- EDIT15 SECTION "Handlers" [10747-11832] -->
<h2 class="sectionedit16" id="rules_and_headers">Rules and headers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> hostname() and remote_ip() are no more provided to avoid some name conflicts <em>(replaced by $ENV{})</em></div>
@ -323,8 +360,17 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT15 SECTION "Rules and headers" [10041-10359] -->
<h2 class="sectionedit16" id="supported_servers">Supported servers</h2>
<!-- EDIT16 SECTION "Rules and headers" [11833-12151] -->
<h2 class="sectionedit17" id="opening_conditions">Opening conditions</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Rule and message fields have been swaped. You have to modifiy and validate again your access rules.</div>
</li>
</ul>
</div>
<!-- EDIT17 SECTION "Opening conditions" [12152-12287] -->
<h2 class="sectionedit18" id="supported_servers">Supported servers</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Apache-1.3 files are not provided now. You can build them yourself by looking at Apache-2 configuration files</div>
@ -332,8 +378,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT16 SECTION "Supported servers" [10360-10505] -->
<h2 class="sectionedit17" id="ajax_requests">Ajax requests</h2>
<!-- EDIT18 SECTION "Supported servers" [12288-12433] -->
<h2 class="sectionedit19" id="ajax_requests">Ajax requests</h2>
<div class="level2">
<p>
@ -341,8 +387,8 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
</p>
</div>
<!-- EDIT17 SECTION "Ajax requests" [10506-10703] -->
<h2 class="sectionedit18" id="soaprest_services">SOAP/REST services</h2>
<!-- EDIT19 SECTION "Ajax requests" [12434-12631] -->
<h2 class="sectionedit20" id="soaprest_services">SOAP/REST services</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> SOAP server activation is now split in 2 parameters (configuration/sessions). You must set them else SOAP service will be disabled</div>
@ -357,8 +403,8 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
<div class="noteimportant"><a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> uses now REST services instead of SOAP.
</div>
</div>
<!-- EDIT18 SECTION "SOAP/REST services" [10704-11301] -->
<h2 class="sectionedit19" id="cas">CAS</h2>
<!-- EDIT20 SECTION "SOAP/REST services" [12632-13229] -->
<h2 class="sectionedit21" id="cas">CAS</h2>
<div class="level2">
<p>
@ -370,13 +416,13 @@ Before 2.0, an Ajax query launched after session timeout received a 302 code. No
</p>
</div>
<!-- EDIT19 SECTION "CAS" [11302-11679] -->
<h2 class="sectionedit20" id="developer_corner">Developer corner</h2>
<!-- EDIT21 SECTION "CAS" [13230-13607] -->
<h2 class="sectionedit22" id="developer_corner">Developer corner</h2>
<div class="level2">
</div>
<!-- EDIT20 SECTION "Developer corner" [11680-11709] -->
<h3 class="sectionedit21" id="apis">APIs</h3>
<!-- EDIT22 SECTION "Developer corner" [13608-13637] -->
<h3 class="sectionedit23" id="apis">APIs</h3>
<div class="level3">
<p>
@ -384,8 +430,8 @@ Portal has now many REST features and includes an <abbr title="Application Progr
</p>
</div>
<!-- EDIT21 SECTION "APIs" [11710-11871] -->
<h3 class="sectionedit22" id="portal_overview">Portal overview</h3>
<!-- EDIT23 SECTION "APIs" [13638-13799] -->
<h3 class="sectionedit24" id="portal_overview">Portal overview</h3>
<div class="level3">
<p>
@ -406,8 +452,8 @@ Requests are independent objects based on Lemonldap::NG::Portal::Main::Request w
</p>
</div>
<!-- EDIT22 SECTION "Portal overview" [11872-12347] -->
<h3 class="sectionedit23" id="handler">Handler</h3>
<!-- EDIT24 SECTION "Portal overview" [13800-14275] -->
<h3 class="sectionedit25" id="handler">Handler</h3>
<div class="level3">
<p>
@ -419,6 +465,6 @@ If you used self protected CGI, you also need to rewrite them, see <a href="self
</p>
</div>
<!-- EDIT23 SECTION "Handler" [12348-] --></div>
<!-- EDIT25 SECTION "Handler" [14276-] --></div>
</body>
</html>


@ -151,7 +151,9 @@ Examples:
<p>
The &quot;<strong>default</strong>&quot; access rule is used if no other access rule match the current <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
<div class="notetip"><ul>
<div class="notetip">See <a href="rules_examples.html" class="wikilink1" title="documentation:2.0:rules_examples">the rules examples page</a> for a few common use cases
</div><div class="notetip"><ul>
<li class="level1"><div class="li"> Comments can be used to order your rules: rules are applied in the alphabetical order of comment (or regexp in there is no comment). See <strong><a href="security.html#write_good_rules" class="wikilink1" title="documentation:2.0:security">security chapter</a></strong> to learn more about writing good rules.</div>
</li>
<li class="level1"><div class="li"> See <a href="performances.html#handler_performance" class="wikilink1" title="documentation:2.0:performances">performances</a> to know how to use macros and groups in rules.</div>
@ -178,7 +180,7 @@ Rules can also be used to intercept logout <abbr title="Uniform Resource Locator
<td class="col0"> Logout user from current application and from Lemonldap::NG and redirect it to http://intranet/ <strong><em>(Apache only)</em></strong> </td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_app_sso&nbsp;http://intranet/ </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [2798-3446] --><div class="notewarning"><code>logout_app</code> and <code>logout_app_sso</code> rules are not available on Nginx, only on Apache.
<!-- EDIT5 TABLE [2892-3540] --><div class="notewarning"><code>logout_app</code> and <code>logout_app_sso</code> rules are not available on Nginx, only on Apache.
</div>
<p>
By default, user will be redirected on portal if no <abbr title="Uniform Resource Locator">URL</abbr> defined, or on the specified <abbr title="Uniform Resource Locator">URL</abbr> if any.
@ -186,7 +188,7 @@ By default, user will be redirected on portal if no <abbr title="Uniform Resourc
<div class="noteimportant">Only current application is concerned by logout_app* targets. Be careful with some applications which doesn&#039;t verify Lemonldap::NG headers after having created their own cookies. If so, you can redirect users to a <abbr title="HyperText Markup Language">HTML</abbr> page that explain that it is safe to close browser after disconnect.
</div>
</div>
<!-- EDIT3 SECTION "Rules" [1239-3967] -->
<!-- EDIT3 SECTION "Rules" [1239-4061] -->
<h3 class="sectionedit6" id="rules_based_on_authentication_level">Rules based on authentication level</h3>
<div class="level3">
@ -222,12 +224,12 @@ There are three ways to impose users a higher authentication level:
<div class="notetip">Instead of returning a 403 code, &quot;minimum level&quot; returns user to a form that explain that a higher level is required and propose to reauthenticate himself.
</div>
</div>
<!-- EDIT6 SECTION "Rules based on authentication level" [3968-5088] -->
<!-- EDIT6 SECTION "Rules based on authentication level" [4062-5182] -->
<h2 class="sectionedit7" id="headers">Headers</h2>
<div class="level2">
<p>
Headers are associations between an header name and a perl expression that returns a string. Headers are used to give user datas to the application.
Headers are associations between an header name and a perl expression that returns a string. Headers are used to give user data to the application.
</p>
<p>
@ -252,7 +254,7 @@ Examples:
<td class="col0 leftalign"> Give a non ascii data </td><td class="col1 centeralign"> Display-Name </td><td class="col2 centeralign"> encode_base64($givenName."&nbsp;".$surName,"") </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [5272-5608] -->
<!-- EDIT8 TABLE [5364-5700] -->
<p>
As described in <a href="performances.html#handler_performance" class="wikilink1" title="documentation:2.0:performances">performances chapter</a>, you can use macros, local macros,...
</p>
@ -270,7 +272,7 @@ As described in <a href="performances.html#handler_performance" class="wikilink1
</div>
</div>
<!-- EDIT7 SECTION "Headers" [5089-6281] -->
<!-- EDIT7 SECTION "Headers" [5183-6373] -->
<h2 class="sectionedit9" id="available_functions">Available functions</h2>
<div class="level2">
@ -285,7 +287,7 @@ In addition to macros and name, you can use some functions in rules and headers:
</ul>
</div>
<!-- EDIT9 SECTION "Available functions" [6282-6492] -->
<!-- EDIT9 SECTION "Available functions" [6374-6584] -->
<h2 class="sectionedit10" id="wildcards_in_hostnames">Wildcards in hostnames</h2>
<div class="level2">
@ -308,6 +310,6 @@ Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is
</ol>
</div>
<!-- EDIT10 SECTION "Wildcards in hostnames" [6493-] --></div>
<!-- EDIT10 SECTION "Wildcards in hostnames" [6585-] --></div>
</body>
</html>


@ -0,0 +1,23 @@
# Swagger Codegen Ignore
# Generated by swagger-codegen https://github.com/swagger-api/swagger-codegen
# Use this file to prevent files from being overwritten by the generator.
# The patterns follow closely to .gitignore or .dockerignore.
# As an example, the C# client generator defines ApiClient.cs.
# You can make changes and tell Swagger Codgen to ignore just this file by uncommenting the following line:
#ApiClient.cs
# You can match any string of characters against a directory, file or extension with a single asterisk (*):
#foo/*/qux
# The above matches foo/bar/qux and foo/baz/qux, but not foo/bar/baz/qux
# You can recursively match patterns against a directory, file or extension with a double asterisk (**):
#foo/**/qux
# This matches foo/bar/qux, foo/baz/qux, and foo/bar/baz/qux
# You can also negate patterns with an exclamation (!).
# For example, you can ignore all files in a docs folder with the file extension .md:
#docs/*.md
# Then explicitly reverse the ignore rule for a single file:
#!docs/README.md


@ -0,0 +1 @@
3.0.18



@ -0,0 +1,5 @@
{ "appName": "LemonLDAP::NG",
"infoUrl": "https://lemonldap-ng.org/",
"infoEmail": ""
}


@ -0,0 +1,785 @@
openapi: 3.0.1
info:
title: LemonLDAP::NG Manager API
description: The Manager API allows an administrator to modify the LemonLDAP::NG configuration programmatically. It is not meant to be accessed by end users. The client libraries mentionned in examples can be generated from doc/sources/manager-api/openapi-spec.yaml
version: 2.0.8
servers:
- url: /api/v1
tags:
- name: samlsp
description: SAML Service Providers
- name: oidcrp
description: OpenID Connect Relaying Parties
- name: 2fa
description: Registered Second Factors
paths:
/api/v1/providers/saml/sp:
post:
tags:
- samlsp
summary: Create a new SAML Service provider
operationId: addsamlsp
requestBody:
description: SAML Service provider to add
content:
application/json:
schema:
$ref: '#/components/schemas/SamlSp'
required: true
responses:
201:
$ref: '#/components/responses/Created'
400:
$ref: '#/components/responses/Error'
409:
$ref: '#/components/responses/Conflict'
/api/v1/providers/saml/sp/findByConfKey:
get:
tags:
- samlsp
summary: Finds SAML Service providers by configuration key
description: Takes a search pattern to be tested against existing service providers
operationId: findSamlSpByConfKey
parameters:
- name: pattern
in: query
description: Search pattern
required: true
schema:
type: "string"
examples:
any:
summary: Any value
value: "*"
prefix:
summary: Given prefix
value: "zone1-*"
anywhere:
summary: Substring
value: "something"
responses:
200:
$ref: '#/components/responses/ManySamlSp'
400:
$ref: '#/components/responses/Error'
/api/v1/providers/saml/sp/findByEntityId:
get:
tags:
- samlsp
summary: Finds SAML Service Provider by Entity ID
operationId: findSamlSpByEntityId
parameters:
- name: entityId
in: query
description: Entity ID to search
required: true
schema:
type: "string"
example: http://mysp.example.com/saml/metadata
responses:
200:
$ref: '#/components/responses/OneSamlSp'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
/api/v1/providers/saml/sp/{confKey}:
get:
tags:
- samlsp
summary: Get SAML Service Provider by configuration key
description: Returns a single Service Provider
operationId: getSamlSpByConfKey
parameters:
- name: confKey
in: path
description: Configuration key of SAML Service Provider
required: true
schema:
$ref: '#/components/schemas/confKey'
responses:
200:
$ref: '#/components/responses/OneSamlSp'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
put:
tags:
- samlsp
summary: Replaces a SAML Service
operationId: replaceSamlSp
parameters:
- name: confKey
in: path
description: Configuration key of SAML Service Provider that needs to be replaced
required: true
schema:
$ref: '#/components/schemas/confKey'
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/SamlSp'
responses:
204:
$ref: '#/components/responses/NoContent'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
409:
$ref: '#/components/responses/Conflict'
patch:
tags:
- samlsp
summary: Updates a SAML Service.
operationId: updateSamlSp
parameters:
- name: confKey
in: path
description: Configuration key of SAML Service Provider that needs to be updated
required: true
schema:
$ref: '#/components/schemas/confKey'
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/SamlSpUpdate'
responses:
204:
$ref: '#/components/responses/NoContent'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
409:
$ref: '#/components/responses/Conflict'
delete:
tags:
- samlsp
summary: Deletes a SAML Service Provider
operationId: deleteSamlSp
parameters:
- name: confKey
in: path
description: Configuration key of SAML Service Provider to delete
required: true
schema:
$ref: '#/components/schemas/confKey'
responses:
204:
$ref: '#/components/responses/NoContent'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
/api/v1/providers/oidc/rp:
post:
tags:
- oidcrp
summary: Create a new OpenID Connect Relaying Party
operationId: addoidcrp
requestBody:
description: OpenID Connect Relaying Party to add
content:
application/json:
schema:
$ref: '#/components/schemas/OidcRp'
required: true
responses:
201:
$ref: '#/components/responses/Created'
400:
$ref: '#/components/responses/Error'
409:
$ref: '#/components/responses/Conflict'
/api/v1/providers/oidc/rp/findByConfKey:
get:
tags:
- oidcrp
summary: Finds OpenID Connect Relaying Partys by configuration key
description: Takes a search pattern to be tested against existing service providers
operationId: findOidcRpByConfKey
parameters:
- name: pattern
in: query
description: Search pattern
required: true
schema:
$ref: '#/components/schemas/confKey'
examples:
any:
summary: Any value
value: "*"
prefix:
summary: Given prefix
value: "zone1-*"
anywhere:
summary: Substring
value: "something"
responses:
200:
$ref: '#/components/responses/ManyOidcRp'
400:
$ref: '#/components/responses/Error'
/api/v1/providers/oidc/rp/findByClientId:
get:
tags:
- oidcrp
summary: Finds OpenID Connect Relaying Party by Client ID
operationId: findOidcRpByClientId
parameters:
- name: clientId
in: query
description: Client ID to search
required: true
schema:
type: "string"
example: my_client_id
responses:
200:
$ref: '#/components/responses/OneOidcRp'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
/api/v1/providers/oidc/rp/{confKey}:
get:
tags:
- oidcrp
summary: Get OpenID Connect Relaying Party by configuration key
description: Returns a single Service Provider
operationId: getOidcRpByConfKey
parameters:
- name: confKey
in: path
description: Configuration key of OpenID Connect Relaying Party
required: true
schema:
$ref: '#/components/schemas/confKey'
responses:
200:
$ref: '#/components/responses/OneOidcRp'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
patch:
tags:
- oidcrp
summary: Updates an OpenID Connect Relaying Party
operationId: updateOidcRp
parameters:
- name: confKey
in: path
description: Configuration key of OpenID Connect Relaying Party that needs to be updated
required: true
schema:
$ref: '#/components/schemas/confKey'
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OidcRpUpdate'
responses:
204:
$ref: '#/components/responses/NoContent'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
409:
$ref: '#/components/responses/Conflict'
put:
tags:
- oidcrp
summary: Replaces an OpenID Connect Relaying Party
operationId: replaceOidcRp
parameters:
- name: confKey
in: path
description: Configuration key of OpenID Connect Relaying Party that needs to be replaced
required: true
schema:
$ref: '#/components/schemas/confKey'
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OidcRp'
responses:
204:
$ref: '#/components/responses/NoContent'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
409:
$ref: '#/components/responses/Conflict'
delete:
tags:
- oidcrp
summary: Deletes a OpenID Connect Relaying Party
operationId: deleteOidcRp
parameters:
- name: confKey
in: path
description: Configuration key of OpenID Connect Relaying Party to delete
required: true
schema:
$ref: '#/components/schemas/confKey'
responses:
204:
$ref: '#/components/responses/NoContent'
400:
$ref: '#/components/responses/Error'
404:
$ref: '#/components/responses/NotFound'
'/api/v1/secondFactor/{uid}':
description: Second factors for a particular user
parameters:
- name: uid
in: path
required: true
schema:
type: string
get:
summary: List second factors for a user
description: ''
tags:
- 2fa
operationId: getSecondFactors
responses:
200:
$ref: '#/components/responses/SecondFactors'
404:
$ref: '#/components/responses/NotFound'
delete:
summary: Delete all second factors for a user
description: ''
tags:
- 2fa
operationId: deleteSecondFactors
responses:
204:
$ref: '#/components/responses/NoContent'
404:
$ref: '#/components/responses/NotFound'
'/api/v1/secondFactor/{uid}/type/{type}':
description: Second factors of a given type for a particular user
parameters:
- name: uid
in: path
required: true
schema:
type: string
- name: type
in: path
required: true
schema:
type: string
get:
summary: List second factors for a user given its type
description: ''
tags:
- 2fa
operationId: getSecondFactorsByType
responses:
200:
$ref: '#/components/responses/SecondFactors'
404:
$ref: '#/components/responses/NotFound'
delete:
summary: Delete all second factors of a given type for a user
description: ''
tags:
- 2fa
operationId: deleteSecondFactorsByType
responses:
204:
$ref: '#/components/responses/NoContent'
404:
$ref: '#/components/responses/NotFound'
'/api/v1/secondFactor/{uid}/id/{id}':
description: Second factors of a given id for a particular user
parameters:
- name: uid
in: path
required: true
schema:
type: string
- name: id
in: path
required: true
schema:
type: string
get:
summary: Get second factors for a user given its ID
description: ''
tags:
- 2fa
operationId: getSecondFactorsById
responses:
200:
$ref: '#/components/responses/SecondFactors'
404:
$ref: '#/components/responses/NotFound'
delete:
summary: Delete a second factors for a user
description: ''
tags:
- 2fa
operationId: deleteSecondFactorsById
responses:
204:
$ref: '#/components/responses/NoContent'
404:
$ref: '#/components/responses/NotFound'
components:
schemas:
confKey:
type: string
pattern: '^\w[\w\.\-]*$'
Error:
type: object
properties:
error:
type: string
required:
- error
SamlSp:
required:
- confKey
- metadata
type: object
properties:
confKey:
$ref: '#/components/schemas/confKey'
metadata:
type: string
example: '<?xml version="1.0"?><EntityDescriptor...'
exportedAttributes:
type: object
items:
$ref: '#/components/schemas/samlAttribute'
macros:
type: object
example:
myMacroName: "$macro(rule)"
options:
$ref: '#/components/schemas/samlOptions'
SamlSpUpdate:
type: object
properties:
metadata:
type: string
example: '<?xml version="1.0"?><EntityDescriptor...'
macros:
type: object
example:
myMacroName: "$macro(rule)"
exportedAttributes:
type: object
items:
$ref: '#/components/schemas/samlAttribute'
options:
$ref: '#/components/schemas/samlOptions'
samlOptions:
type: object
properties:
checkSSOMessageSignature:
type: boolean
default: 1
sessionNotOnOrAfterTimeout:
type: integer
default: 72000
signSLOMessage:
type: integer
minimum: -1
maximum: 1
default: -1
enableIDPInitiatedURL:
type: boolean
oneTimeUse:
type: boolean
checkSLOMessageSignature:
type: boolean
default: 1
encryptionMode:
type: string
enum:
- none
- nameid
- assertion
default: none
notOnOrAfterTimeout:
type: integer
default: 72000
rule:
type: string
forceUTF8:
type: boolean
default: 1
signSSOMessage:
type: integer
minimum: -1
maximum: 1
default: -1
nameIDSessionKey:
type: string
nameIDFormat:
type: string
enum:
- unspecified
- email
- x509
- windows
- kerberos
- entity
- persistent
- transient
- encrypted
samlAttribute:
type: object
properties:
mandatory:
type: boolean
friendlyName:
type: string
format:
type: string
example: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
OidcRp:
required:
- confKey
- clientId
- redirectUris
type: object
properties:
confKey:
$ref: '#/components/schemas/confKey'
clientId:
type: string
redirectUris:
type: array
items:
type: string
minItems: 1
format: "uri"
exportedVars:
type: object
example:
email: mail
family_name: sn
name: cn
extraClaims:
type: object
example:
myscope: "myattr1 myattr2 myattr3"
macros:
type: object
example:
myMacroName: "$macro(rule)"
options:
$ref: '#/components/schemas/OidcOptions'
OidcOptions:
type: object
properties:
logoutUrl:
type: string
format: url
clientSecret:
type: string
format: password
displayName:
type: string
allowOffline:
type: boolean
rule:
type: string
IDTokenSignAlg:
type: string
enum:
- none
- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
default: HS512
refreshToken:
type: boolean
public:
type: boolean
postLogoutRedirectUris:
type: string
logoutType:
type: string
enum:
- front
- back
default: front
accessTokenExpiration:
type: integer
IDTokenForceClaims:
type: boolean
requirePKCE:
type: boolean
offlineSessionExpiration:
type: integer
redirectUris:
type: array
items:
type: string
bypassConsent:
type: boolean
logoutSessionRequired:
type: boolean
clientId:
type: string
IDTokenExpiration:
type: integer
authorizationCodeExpiration:
type: integer
icon:
type: string
userIDAttr:
type: string
OidcRpUpdate:
type: object
properties:
clientId:
type: string
exportedVars:
type: object
example:
email: mail
family_name: sn
name: cn
extraClaims:
type: object
example:
myscope: "myattr1 myattr2 myattr3"
macros:
type: object
example:
myMacroName: "$macro(rule)"
options:
$ref: '#/components/schemas/OidcOptions'
SecondFactor:
type: object
required:
- type
- id
properties:
id:
type: string
description: "An opaque idenfifier for this particular token"
type:
type: string
description: "The type of token in use"
example: "TOTP, U2F, UBK (Yubikey)"
name:
type: string
description: "A user-set description of the token"
SecondFactors:
type: array
items:
$ref: "#/components/schemas/SecondFactor"
responses:
NoContent:
description: Successful modification
Created:
description: Successful creation
OneOidcRp:
description: Return an OpenID Connect Provider
content:
application/json:
schema:
$ref: '#/components/schemas/OidcRp'
OneSamlSp:
description: Return a SAML Provider
content:
application/json:
schema:
$ref: '#/components/schemas/SamlSp'
ManyOidcRp:
description: Return a list of OpenID Connect Providers
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/OidcRp'
ManySamlSp:
description: Return a list of SAML Providers
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/SamlSp'
NotFound:
description: The specified resource was not found
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
Conflict:
description: The specified object could not be created because its configuration key, client_id or entityID already exists
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
Error:
description: An error was encountered when processing the request
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
SecondFactor:
description: Return a second factor
content:
application/json:
schema:
$ref: "#/components/schemas/SecondFactor"
SecondFactors:
description: Return a list of second factors
content:
application/json:
schema:
$ref: "#/components/schemas/SecondFactors"
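Review bot: The `pattern` query parameter of `/api/v1/providers/oidc/rp/findByConfKey` is typed as `$ref: '#/components/schemas/confKey'`, whose pattern `'^\w[\w\.\-]*$'` rejects the `*` wildcard that the parameter's own examples (`"*"`, `"zone1-*"`) rely on, while the SAML counterpart declares `type: "string"`; a validating client generated from this spec will refuse wildcard searches on the OIDC endpoint, so the OIDC parameter should use `type: "string"` like the SAML one. Separately, the document declares no `components.securitySchemes` and no top-level `security` although it exposes read and write access to the configuration; if authentication is enforced by the handler in front of the API, that should still be declared so generated clients and documentation do not present these endpoints as anonymous. Minor wording: "Relaying Party" should read "Relying Party" throughout, and "mentionned" and "idenfifier" are typos.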


@ -133,7 +133,11 @@
.\" ========================================================================
.\"
.IX Title "llng-fastcgi-server 8"
<<<<<<< HEAD
.TH llng-fastcgi-server 8 "2020-04-12" "perl v5.30.0" "User Contributed Perl Documentation"
=======
.TH llng-fastcgi-server 8 "2020-05-05" "perl v5.30.0" "User Contributed Perl Documentation"
>>>>>>> v2.0
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
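Review bot: Unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> v2.0`) were committed into the man page between the `.IX Title` line and `.if n .ad l`, leaving two `.TH` lines plus three lines of non-roff text that man will render verbatim. Keep a single `.TH llng-fastcgi-server 8 "2020-05-05" "perl v5.30.0" "User Contributed Perl Documentation"` line (the newer date) and drop the three marker lines. If this file is regenerated from the POD at build time, rebuilding it rather than hand-merging would avoid this class of conflict.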


@ -10,6 +10,7 @@ lib/Lemonldap/NG/Common/Apache/Session/Serialize/JSON.pm
lib/Lemonldap/NG/Common/Apache/Session/SOAP.pm
lib/Lemonldap/NG/Common/Apache/Session/Store.pm
lib/Lemonldap/NG/Common/Cli.pm
lib/Lemonldap/NG/Common/CliSessions.pm
lib/Lemonldap/NG/Common/Combination/Parser.pm
lib/Lemonldap/NG/Common/Conf.pm
lib/Lemonldap/NG/Common/Conf/AccessLib.pm
@ -74,6 +75,7 @@ scripts/convertConfig
scripts/convertSessions
scripts/importMetadata
scripts/lemonldap-ng-cli
scripts/lemonldap-ng-sessions
scripts/lmMigrateConfFiles2ini
scripts/rotateOidcKeys
t/01-Common-Conf.t
@ -87,6 +89,7 @@ t/36-Common-Regexp.t
t/40-Common-Session.t
t/50-Combination-Parser.t
t/60-Common-IO-Filter.t
t/60-Session-Cli.t
t/99-pod.t
t/inc.tpl
t/test.tpl


@ -24,6 +24,7 @@
"requires" : {
"IO::String" : "0",
"Net::LDAP" : "0",
"String::Random" : "0",
"Test::Pod" : "1"
}
},


@ -5,6 +5,7 @@ author:
build_requires:
IO::String: '0'
Net::LDAP: '0'
String::Random: '0'
Test::Pod: '1'
configure_requires:
ExtUtils::MakeMaker: '0'


@ -24,9 +24,10 @@ WriteMakefile(
VERSION_FROM => 'lib/Lemonldap/NG/Common.pm', # finds $VERSION
LICENSE => 'gpl',
BUILD_REQUIRES => {
'IO::String' => 0,
'Net::LDAP' => 0,
'Test::Pod' => 1.00,
'IO::String' => 0,
'Net::LDAP' => 0,
'String::Random' => 0,
'Test::Pod' => 1.00,
},
META_MERGE => {
'recommends' => {
@ -90,7 +91,8 @@ WriteMakefile(
},
MAN1PODS => {
'scripts/convertConfig' => 'blib/man1/convertConfig.1p',
'scripts/convertSessions' => 'blib/man1/convertSessions.1p',
'scripts/convertSessions' => 'blib/man1/convertSessions.1p',
'scripts/lemonldap-ng-cli' => 'blib/man1/lemonldap-ng-cli.1p',
'scripts/lemonldap-ng-sessions' => 'blib/man1/lemonldap-ng-sessions.1p',
},
);


@ -377,7 +377,7 @@ staticPrefix = __MANAGERSTATICDIR__
templateDir = __MANAGERTEMPLATESDIR__
; languages: available languages for manager interface
languages = fr, en, it, vi, ar, tr
languages = fr, en, it, vi, ar, tr, pl
; Manager modules enabled
; Set here the list of modules you want to see in manager interface


@ -0,0 +1,404 @@
package Lemonldap::NG::Common::CliSessions;
use strict;
use Mouse;
use JSON;
use Digest::MD5 qw(md5_hex);
use MIME::Base64;
use Lemonldap::NG::Common::Conf;
use Lemonldap::NG::Common::Logger::Std;
use Lemonldap::NG::Common::Apache::Session;
use Lemonldap::NG::Common::Session;
our $VERSION = '2.0.8';
has opts => ( is => 'rw' );
has stdout => (
is => 'ro',
default => *STDOUT,
);
has stderr => (
is => 'ro',
default => *STDERR,
);
has conf => (
is => 'ro',
default => sub {
my $res = Lemonldap::NG::Common::Conf->new( { (
ref $_[0] && $_[0]->{iniFile}
? ( confFile => $_[0]->{iniFile} )
: ()
)
}
);
die $Lemonldap::NG::Common::Conf::msg unless ($res);
return $res->getConf();
},
);
sub _to_json {
my $self = shift;
my $obj = shift;
return to_json( $obj, { pretty => 1, canonical => 1 } );
}
sub _search {
my ($self) = shift;
my $backendStorage =
( lc( $self->opts->{backend} || 'global' ) ) . "Storage";
# Handle --persistent
if ( $self->opts->{persistent} ) {
$backendStorage = "persistentStorage";
}
$backendStorage = "globalStorage" unless $self->conf->{$backendStorage};
my $args = $self->conf->{"${backendStorage}Options"};
$args->{backend} = $self->conf->{$backendStorage};
my @fields = @{ $self->opts->{select} || [] };
if ( $self->opts->{idonly} ) {
@fields = ('_session_id');
}
my $res;
if ( $self->opts->{where} ) {
# TODO fix regexp?
if ( $self->opts->{where} =~ /^(\w+)\s*=\s*(.*)/ ) {
my ( $selectField, $value ) = ( $1, $2 );
$res = Lemonldap::NG::Common::Apache::Session->searchOn( $args,
$selectField, $value, @fields );
}
else {
die "Invalid --where option" . $self->opts->{where};
}
}
else {
$res =
Lemonldap::NG::Common::Apache::Session->get_key_from_all_sessions(
$args, ( @fields ? [@fields] : () ) );
}
return $res;
}
sub search {
my ($self) = shift;
my $res = $self->_search();
my $o = $self->stdout;
if ( $self->opts->{idonly} ) {
print $o map { $res->{$_}->{_session_id} . "\n" } keys %{$res};
}
else {
print $o $self->_to_json( [ values %{$res} ] );
}
return 0;
}
# Returns the session object, so we can modify it
sub _get_one_session {
my ( $self, $id, $backend ) = @_;
# Lookup backend storage from CLI options
my $backendStorage =
( lc( $self->opts->{backend} || 'global' ) ) . "Storage";
# allow argument to overwrite the backend
if ($backend) {
$backendStorage = $backend . "Storage";
}
# Handle --persistent
elsif ( $self->opts->{persistent} ) {
$backendStorage = "persistentStorage";
$id = $self->_md5hash($id);
}
# In any case, fall back to global storage if we couldn't find the backend
$backendStorage = "globalStorage" unless $self->conf->{$backendStorage};
my $as = Lemonldap::NG::Common::Session->new( {
storageModule => $self->conf->{$backendStorage},
storageModuleOptions => $self->conf->{"${backendStorage}Options"},
id => $id,
}
);
if ( $as->error ) {
my $e = $self->stderr;
print $e $as->error;
return undef;
}
else {
return $as;
}
}
# Returns only session data
sub _get_one_data {
my ( $self, $id ) = @_;
my $as = $self->_get_one_session($id);
if ($as) {
my $new;
# Filter
if ( ( ref( $self->opts->{select} ) eq 'ARRAY' )
and ( scalar @{ $self->opts->{select} } > 0 ) )
{
for ( @{ $self->opts->{select} } ) {
$new->{$_} = $as->data->{$_} if defined $as->data->{$_};
}
}
else {
$new = $as->data;
}
return $new;
}
return undef;
}
sub delete {
my ($self) = shift;
my $result = 0;
my @result;
for my $id (@_) {
my $as = $self->_get_one_session($id);
if ($as) {
unless ( $as->remove ) {
my $e = $self->stderr;
print $e $as->error;
$result = 1;
}
}
}
return $result;
}
sub get {
my $self = shift;
my $o = $self->stdout;
my @result;
for my $id (@_) {
my $new = $self->_get_one_data($id);
push @result, $new if $new;
}
print $o $self->_to_json( \@result );
return 0;
}
# Return md5(s)
# TODO factor with portal function
sub _md5hash {
my ( $self, $s ) = @_;
return substr( Digest::MD5::md5_hex($s), 0, 32 );
}
# TODO factor with manager API function
sub _genId2F {
my ( $self, $device ) = @_;
return encode_base64( "$device->{epoch}::$device->{type}::$device->{name}",
"" );
}
sub _get_psession {
my ( $self, $uid ) = @_;
my $psession_id = $self->_md5hash($uid);
my $res = $self->_get_one_session( $psession_id, 'persistent' );
die "Could not get psession for user $uid" unless $res;
return $res;
}
sub _get_psession_data {
my ( $self, $uid ) = @_;
my $ps = $self->_get_psession($uid);
return $ps->data;
}
# This method takes a special psession key (oidcConsents, 2fDevices..)
# and returns the expected JSON object
# idBuilder is a sub that gets applied to every object in the array, yielding the key of
# this object in the resulting hash
sub _get_psession_special {
my ( $self, $target, $keyName, $idBuilder ) = @_;
my $psession = $self->_get_psession_data($target);
my $res = {};
my $special = $psession->{$keyName} || "[]";
$special = from_json($special);
die "Expecting JSON array in $keyName" unless ref($special) eq "ARRAY";
for my $item ( @{$special} ) {
my $id = $idBuilder->($item);
$res->{$id} = $item;
}
return $res;
}
# This method deletes all matching items from an array psession key (oidcConsents, 2fDevices..)
# keyBuilder is a sub that gets applied to every object in the array, yielding the value to be
# compared against
sub _del_psession_special {
my ( $self, $target, $specialKeyName, $itemKeyBuilder, @todelete ) = @_;
my $psession = $self->_get_psession($target);
my $data = $psession->data;
my $deleted = 0;
my $special = $data->{$specialKeyName} || "[]";
$special = from_json($special);
die "Expecting JSON array in $specialKeyName"
unless ref($special) eq "ARRAY";
my @new;
for my $item ( @{$special} ) {
my $id = $itemKeyBuilder->($item);
if ( $id and grep { $_ eq $id } @todelete ) {
$deleted = $deleted + 1;
}
else {
push @new, $item;
}
}
if ($deleted) {
$data->{$specialKeyName} = to_json( [@new] );
}
$psession->update($data);
}
sub consents_get {
my $self = shift;
my $target = shift;
my $o = $self->stdout;
my $consents = $self->_get_psession_special( $target, '_oidcConsents',
sub { $_[0]->{rp} } );
print $o $self->_to_json($consents);
return 0;
}
sub secondfactors_get {
my $self = shift;
my $target = shift;
my $o = $self->stdout;
my $consents = $self->_get_psession_special( $target, '_2fDevices',
sub { $self->_genId2F( $_[0] ) } );
print $o $self->_to_json($consents);
return 0;
}
sub consents_delete {
my $self = shift;
my $target = shift;
my @ids = @_;
return unless @ids;
$self->_del_psession_special( $target, '_oidcConsents',
sub { $_[0]->{rp} }, @ids );
return 0;
}
sub secondfactors_delete {
my $self = shift;
my $target = shift;
my @ids = @_;
return unless @ids;
$self->_del_psession_special( $target, '_2fDevices',
sub { $self->_genId2F( $_[0] ) }, @ids );
return 0;
}
sub secondfactors_delType {
my $self = shift;
my $target = shift;
my @types = @_;
return unless @types;
$self->_del_psession_special( $target, '_2fDevices', sub { $_[0]->{type} },
@types );
return 0;
}
sub setKey {
my $self = shift;
my $id = shift;
die "Unever number of arguments" unless ( @_ % 2 ) == 0;
my %newvalues = (@_);
die "Session ID and new values not provided" unless $id and %newvalues;
my $as = $self->_get_one_session($id);
die unless $as;
my $data = $as->data;
for ( keys %newvalues ) {
$data->{$_} = $newvalues{$_};
}
$as->update($data);
return 0;
}
sub delKey {
my $self = shift;
my $id = shift;
my @todelete = @_;
die "Session ID and key names not provided" unless $id and @todelete;
my $as = $self->_get_one_session($id);
die unless $as;
my $data = $as->data;
for (@todelete) {
# Weird, I know. But that's how
# Lemonldap::NG::Common::Session::update works
$data->{$_} = undef;
}
$as->update($data);
return 0;
}
sub run {
my $self = shift;
my $action = shift;
my $opts = shift;
unless ( ref $self ) {
$self = $self->new;
}
unless ($action) {
die 'nothing to do, aborting';
}
$self->opts($opts);
# Simple commands
if ( $action =~ /^(?:get|search|delete|setKey|delKey)$/ ) {
return $self->$action(@_);
}
# Subcommands and target
elsif ( $action =~ /^(?:secondfactors|consents)$/ ) {
my $subcommand = shift;
unless ( $subcommand and @_ ) {
die "Missing subcommand and target for $action";
}
my $func = "${action}_${subcommand}";
if ( $self->can($func) ) {
return $self->$func(@_);
}
else {
die "Unknown subcommand $subcommand for action $action";
}
}
else {
die "unknown action $action. Only get or search are allowed";
}
}
1;
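Review bot: `delete` and `get` return 0 even when `_get_one_session` fails: it prints the backend error to stderr and returns undef, the loops simply skip that id, and the exit status still reports success, so a caller cannot distinguish a deleted or dumped session from an unknown id. Set the failure flag in `delete` when the lookup fails (`$result = 1 unless $as;`, next to the existing `remove` check), give `get` the same treatment, and drop the unused `my @result;` in `delete`. `die unless $as;` in `setKey` and `delKey` produces a bare `Died at …` after the real error has already gone to stderr; `die "Session $id not found"` would make the failure self-explanatory. Three messages are also misleading: `die "Unever number of arguments"` in `setKey` should read `Uneven`, the fallback in `run`, `die "unknown action $action. Only get or search are allowed"`, no longer lists the accepted actions, and `die "Invalid --where option" . $self->opts->{where}` lacks a separator before the value.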


@ -24,7 +24,7 @@ use constant MANAGERSECTION => "manager";
use constant SESSIONSEXPLORERSECTION => "sessionsExplorer";
use constant APPLYSECTION => "apply";
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|facebook|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|ombModule)s)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|a(?:ut(?:hChoiceMod|oSigninR)ules|pplicationList)|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|RequireOldPassword|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|re(?:st(?:(?:Session|Config)Server
|ExportSecretKeys)|freshSessions)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|kipRenewConfirmation|fRemovedUseNotif|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:Allow(?:PasswordGrant|Offline)|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|GeneratePassword|PasswordPolicy)|ErrorOn(?:ExpiredSession|MailNotFound)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|l(?:dap(?:(?:Group(?:DecodeSearchedValu|Recursiv)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|c(?:a(?:ptcha_(?:register|login|mail)_enabled|sSrvMetaDataOptions(?:Gateway|Renew))|o(?:ntextSwitchingStopWithLogout|mpactConf|rsEnabled)|heck(?:State|User|XSS)|da)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|to(?:tp2f(?:UserCan(?:Chang|Remov)eKey|DisplayExistingSecret)|kenUseGlobalStorage)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:I
ncrementalTempo)?|owsersDontStorePassword)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|d(?:isablePersistentStorage|biDynamicHashEnabled)|g(?:roupsBeforeMacros|lobalLogoutTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|(?:activeTim|wsdlServ)er|krb(?:RemoveDomain|ByJs))$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );


@ -246,7 +246,8 @@ sub defaultValues {
'portalDisplayGeneratePassword' => 1,
'portalDisplayLoginHistory' => 1,
'portalDisplayLogout' => 1,
'portalDisplayOidcConsents' => '$_oidcConnectedRP',
'portalDisplayOidcConsents' => '$_oidcConsents',
'portalDisplayRefreshMyRights' => 1,
'portalDisplayRegister' => 1,
'portalErrorOnExpiredSession' => 1,
'portalForceAuthnInterval' => 5,
@ -325,6 +326,7 @@ sub defaultValues {
'samlSPSSODescriptorWantAssertionsSigned' => 1,
'securedCookie' => 0,
'sfEngine' => '::2F::Engines::Default',
'sfManagerRule' => 1,
'sfRemovedMsgRule' => 0,
'sfRemovedNotifMsg' =>
'_removedSF_ expired second factor(s) has/have been removed!',


@ -219,16 +219,11 @@ sub _session {
my $apacheSession = $self->getApacheSession( $mod, $id )
or return $self->sendError( $req, undef, 400 );
my %session = %{ $apacheSession->data };
my %session = %{ $apacheSession->data };
unless ($raw) {
my $separator = $self->separator();
foreach my $k ( keys %session ) {
$session{$k} = '**********'
if ( $self->hAttr =~ /\b$k\b/ );
if ( $session{$k} =~ /$separator/ ) {
$self->logger->debug("Convert \"$k\" value to array");
$session{$k} = [ split /$separator/, $session{$k} ];
}
}
}
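Review bot: The hidden-attribute check that survives this hunk, `if ( $self->hAttr =~ /\b$k\b/ );`, interpolates the session key unescaped into the regex, so a key containing metacharacters (a `.` or `+`, say) is treated as a pattern rather than a literal; `if ( $self->hAttr =~ /\b\Q$k\E\b/ );` keeps the word-boundary semantics and compares the key literally. Note also that the whole masking block sits under `unless ($raw)`, so a raw request returns whatever hAttr lists (typically password and second-factor material) in clear — if that is intended for trusted callers only, a comment above `unless ($raw) {` naming which callers may pass `raw` would make the contract explicit. `_session` begins and ends outside this hunk.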


@ -0,0 +1,348 @@
#!/usr/bin/perl
use warnings;
use strict;
use POSIX;
use Lemonldap::NG::Common::CliSessions;
use strict;
use Getopt::Long;
use Pod::Usage;
our $VERSION = "2.0.9";
# Options
my $opts = {};
my $help;
GetOptions(
'help|h' => \$help,
'select|s=s@' => \$opts->{select},
'where|w=s' => \$opts->{where},
'backend|b=s' => \$opts->{backend},
'persistent|p' => \$opts->{persistent},
'id-only|i' => \$opts->{idonly},
) or pod2usage( -exitcode => 1, -verbose => 0 );
pod2usage( -exitcode => 0, -verbose => 2 ) if $help;
eval {
POSIX::setgid( scalar( getgrnam('__APACHEGROUP__') ) );
POSIX::setuid( scalar( getpwnam('__APACHEUSER__') ) );
};
my $action = shift @ARGV;
unless ($action) {
pod2usage( -exitcode => 1, -verbose => 0 );
}
if ( $action eq "get" ) {
unless ( @ARGV >= 1 ) {
pod2usage(
-exitval => 1,
-verbose => 99,
-sections => "COMMANDS/Get"
);
}
}
if ( $action eq "delete" ) {
unless ( @ARGV >= 1 ) {
pod2usage(
-exitval => 1,
-verbose => 99,
-sections => "COMMANDS/Delete"
);
}
}
if ( $action eq "delKey" ) {
unless ( @ARGV >= 2 ) {
pod2usage(
-exitval => 1,
-verbose => 99,
-sections => "COMMANDS/Delete Key"
);
}
}
if ( $action eq "setKey" ) {
unless ( @ARGV >= 3 ) {
pod2usage(
-exitval => 1,
-verbose => 99,
-sections => "COMMANDS/Set Key"
);
}
}
if ( $action eq "secondfactors" ) {
unless ( @ARGV >= 2 ) {
pod2usage(
-exitval => 1,
-verbose => 99,
-sections => "COMMANDS/Second Factors"
);
}
}
if ( $action eq "consents" ) {
unless ( @ARGV >= 2 ) {
pod2usage(
-exitval => 1,
-verbose => 99,
-sections => "COMMANDS/Consents"
);
}
}
exit Lemonldap::NG::Common::CliSessions->run( $action, $opts, @ARGV );
__END__
=encoding UTF-8
=head1 NAME
lemonldap-ng-sessions - Scripting CLI for LemonLDAP::NG sessions
=head1 SYNOPSIS
lemonldap-ng-sessions [<options>] <command> [<arguments> ...]
Commands:
get get one or several session from known IDs
search search for sessions
delete delete existing sessions
setKey add/change key in existing session
delKey delete key from existing session
secondfactors manage second factors
consents manage OIDC user consents
Options:
--help Show full help
--select Select which fields to print
--backend Specify session backend
--persistent Search in persistent sessions
--where Set search filter (search only)
--id-only Only return IDs (search only)
=head1 COMMANDS
=head2 Get
lemonldap-ng-sessions get <id> [<id> ...]
This command lets you read the content of a session.
You must pass one or several session IDs as parameters.
Exemples
lemonldap-ng-sessions get 9684dd2a6489bf2be2fbdd799a8028e3
lemonldap-ng-sessions get --persistent dwho
=head2 Search
lemonldap-ng-sessions search [<options>]
This command lets you search for sessions.
It can be used to find the session IDs that other commands need.
You can restrict the search with options. See L</OPTIONS>
Examples
lemonldap-ng-sessions search
lemonldap-ng-sessions search --backend persistent
lemonldap-ng-sessions search --where uid=dwho
lemonldap-ng-sessions search --where uid=dwho \
--id-only
lemonldap-ng-sessions search --where uid=dwho \
--select authenticationLevel
=head2 Delete
lemonldap-ng-sessions delete <id> [<id> ...]
This command lets you delete a session.
You may give it one or several session IDs to remove.
Exemples:
lemonldap-ng-sessions delete 9684dd2a6489bf2be2fbdd799a8028e3
lemonldap-ng-sessions delete --persistent dwho
=head2 Set Key
lemonldap-ng-sessions setKey <id> <key> <value> [<key> <value> ...]
This command allows you to modify one or several keys from an existing session.
Examples:
lemonldap-ng-sessions setKey 9684dd2a6489bf2be2fbdd799a8028e3 \
authenticationLevel 1
=head2 Delete Key
lemonldap-ng-sessions delKey <id> <key> [<key> ...]
This command lets you remove a key from an existing session.
You must specify a session ID, and one of several session keys
to remove.
Examples:
lemonldap-ng-sessions delKey --persistent dwho _oidcConsents
=head2 Second Factors
lemonldap-ng-sessions secondfactors <command> <user> [<id> ... ]
Commands:
show <user>
show all second factors for a user
delete <user> <id> [<id> ...]
delete second factors for a user. The ID must match one of the
IDs returned by the "show" command.
delType <user> <type> [<type> ...]
delete all second factors of a given type for a user
=head2 Consents
lemonldap-ng-sessions consents <command> <user> [<id> ... ]
Commands:
show <user>
show all OIDC consents for a user
delete <user> <id> [<id> ...]
delete OIDC consents for a user
=head1 OPTIONS
=over
=item B<--select>,B<-s>
Lets you select which fields to output in the JSON result.
This option can be set multiple times
=item B<--where>,B<-w>
This option lets you filter your session search according to a filter.
For now, only one filter can be set.
Only exact matches are supported
Examples:
--search uid=dwho
--search _sessionType=OIDC
=item B<--backend>,B<-b>
This option lets you specify which session backend to use.
You only need it when you configured multiple session backends in your
LemonLDAP::NG installation (for Persistent, SAML, CAS or OIDC sessions)
Examples:
--backend persistent
--backend saml
--backend oidc
--backend cas
=item B<--persistent>,B<-p>
This options is a shortcut for specifying --backend persistent and using
the UID hash as a session ID
Example:
lemonldap-ng-sessions --backend persistent \
get 5efe8af397fc3577e05b483aca964f1b
is the same as
lemonldap-ng-sessions get --persistent dwho
=item B<--id-only>,B<-i>
This option replace the standard JSON output format with a simpler format of
one session ID per line.
This allows some intersting combos using xargs. For example, if you want to
remove all sessions started by "dwho"
lemonldap-ng-sessions search --where uid=dwho --id-only | \
xargs lemonldap-ng-sessions delete
=back
=head1 SEE ALSO
L<http://lemonldap-ng.org/>
=head1 AUTHORS
=over
=item Maxime Besson, E<lt>maxime.besson@worteks.comE<gt>
=back
=head1 BUG REPORT
Use OW2 system to report bug or ask for features:
L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 COPYRIGHT AND LICENSE
=over
=item Copyright (C) 2016 by Xavier Guimard, E<lt>x.guimard@free.frE<gt>
=item Copyright (C) 2016 by Clément Oudot, E<lt>clem.oudot@gmail.comE<gt>
=back
This library is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see L<http://www.gnu.org/licenses/>.
=cut
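Review bot: The privilege drop at the top of the script, `eval { POSIX::setgid(...); POSIX::setuid(...); };`, discards every failure, so when the tool is started as root and `__APACHEUSER__`/`__APACHEGROUP__` cannot be resolved (or setuid fails) it silently keeps running as root against the session store; `scalar(getgrnam(...))` is undef on a failed lookup and, as far as I can tell, numifies to 0, which makes `setgid(0)` a no-op for root. If the eval is there so that an unprivileged user can also run the tool, guard on the real uid instead and fail loudly only when actually running as root, as below. Two smaller points: `use strict;` appears twice (after `use POSIX;` and again after the CliSessions import), and the OPTIONS section illustrates `--where` with `--search uid=dwho`, which is not an option this script accepts — the examples should read `--where uid=dwho` and `--where _sessionType=OIDC`.
```perl
# Drop privileges only when started as root, and make a failed drop fatal
# rather than silently continuing with root rights on the session store.
if ( $< == 0 ) {
    my $gid = getgrnam('__APACHEGROUP__');
    my $uid = getpwnam('__APACHEUSER__');
    die "Unknown group __APACHEGROUP__ or user __APACHEUSER__\n"
      unless defined $gid and defined $uid;
    POSIX::setgid($gid) or die "setgid failed: $!\n";
    POSIX::setuid($uid) or die "setuid failed: $!\n";
}
# … unchanged: action parsing and dispatch …
```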


@ -0,0 +1,290 @@
# Before `make install' is performed this script should be runnable with
# `make test'. After `make install' it should work as `perl Lemonldap-NG-Manager.t'
#########################
# change 'tests => 1' to 'tests => last_test_to_print';
use Test::More;
use Test::Output;
use File::Path;
use JSON;
BEGIN {
use_ok('Lemonldap::NG::Common::Session');
use_ok('Lemonldap::NG::Common::CliSessions');
}
#########################
# Insert your test code below, the Test::More module is used here so read
# its man page ( perldoc Test::More ) for help writing this test script.
use File::Temp;
my $dir = File::Temp::tempdir();
my $sessionsdir = "$dir/sessions";
my $psessionsdir = "$dir/psessions";
mkdir $sessionsdir;
mkdir $psessionsdir;
my $cli = Lemonldap::NG::Common::CliSessions->new(
conf => {
globalStorage => "Apache::Session::File",
globalStorageOptions => {
Directory => $sessionsdir,
LockDirectory => $sessionsdir,
},
persistentStorage => "Apache::Session::File",
persistentStorageOptions => {
Directory => $psessionsdir,
LockDirectory => $psessionsdir,
},
}
);
# Provision test sessions
my @sessionsOpts = (
storageModule => "Apache::Session::File",
storageModuleOptions => {
Directory => $sessionsdir,
LockDirectory => $sessionsdir,
},
kind => 'SSO',
force => 1,
);
my @psessionsOpts = (
storageModule => "Apache::Session::File",
storageModuleOptions => {
Directory => $psessionsdir,
LockDirectory => $psessionsdir,
},
kind => 'Persistent',
force => 1,
);
Lemonldap::NG::Common::Session->new( {
@sessionsOpts,
id => "1b3231655cebb7a1f783eddf27d254ca",
info => {
"uid" => "rtyler",
}
}
);
Lemonldap::NG::Common::Session->new( {
@sessionsOpts,
id => "9684dd2a6489bf2be2fbdd799a8028e3",
info => {
"uid" => "dwho",
}
}
);
Lemonldap::NG::Common::Session->new( {
@sessionsOpts,
id => "f90f597566f5cce47d9641377776c0c2",
info => {
"uid" => "dwho",
"deleteme" => 1,
}
}
);
Lemonldap::NG::Common::Session->new( {
@psessionsOpts,
id => "5efe8af397fc3577e05b483aca964f1b",
force => 1,
info => {
"_2fDevices" => to_json( [ {
'type' => 'UBK',
'epoch' => 1588691690,
'_yubikey' => 'cccccceijfnf',
'name' => 'Imported automatically'
},
{
'name' => 'MyU2F',
'type' => 'U2F',
'epoch' => 1588691728
},
{
'_secret' => 'mnxkiirpswuojr47kkrty7ax34fy2ix7',
'name' => 'MyTOTP',
'type' => 'TOTP',
'epoch' => 1588691728
}
]
),
"_oidcConsents" => to_json( [ {
'scope' => 'openid email',
'rp' => 'rp-example',
'epoch' => 1589288341
},
{
'scope' => 'openid email',
'epoch' => 1589291482,
'rp' => 'rp-example2'
}
]
),
"_session_uid" => "dwho",
}
}
);
Lemonldap::NG::Common::Session->new( {
@psessionsOpts,
id => "8d3bc3b0e14ea2a155f275aa7c07ebee",
force => 1,
info => {
"_session_uid" => "rtyler",
}
}
);
sub getJson {
my @args = @_;
my ($str) = Test::Output::output_from( sub { $cli->run(@args); } );
return from_json($str);
}
sub getLines {
my @args = @_;
my ($str) = Test::Output::output_from( sub { $cli->run(@args); } );
return [ split /\n/, $str ];
}
my $res;
# Test get
$res = getJson( "get", {}, "f90f597566f5cce47d9641377776c0c2" );
is( @{$res}, 1, "Found one session" );
is(
$res->[0]->{_session_id},
"f90f597566f5cce47d9641377776c0c2",
"Found correct session ID"
);
is( $res->[0]->{deleteme}, 1, "Found deleteme session key" );
# Change backend
$res = getJson(
"get",
{ backend => 'persistent' },
"5efe8af397fc3577e05b483aca964f1b"
);
is( @{$res}, 1, "Found one session" );
is( $res->[0]->{_session_uid}, 'dwho', "Found correct session" );
# Persistent mode
$res = getJson( "get", { persistent => 1 }, "dwho" );
is( @{$res}, 1, "Found one session" );
is( $res->[0]->{_session_uid}, 'dwho', "Found correct session" );
# Test output field selection
$res = getJson(
"get",
{ select => [ "uid", "_session_id" ] },
"f90f597566f5cce47d9641377776c0c2"
);
is( keys %{ $res->[0] }, 2, "Only selected fields returned" );
is( $res->[0]->{uid}, "dwho", "Found correct UID" );
is(
$res->[0]->{_session_id},
"f90f597566f5cce47d9641377776c0c2",
"Found correct session ID"
);
# Test search
$res = getJson( "search", {} );
is( @{$res}, 3, "Found 3 sessions" );
# Test search with different backend
$res = getJson( "search", { backend => 'persistent' } );
is( @{$res}, 2, "Found 2 psessions" );
# Persistent mode
$res = getJson( "search", { persistent => 1 } );
is( @{$res}, 2, "Found 2 psessions" );
# Test search with where
$res = getJson( "search", { where => "uid=dwho" } );
is( @{$res}, 2, "Found 2 sessions" );
is( ( grep { $_->{uid} eq "dwho" } @{$res} ), 2, "Both sessions are dwho" );
# Test search with where and field selection
$res = getJson( "search",
{ where => "uid=dwho", select => [ "uid", "_session_id" ] } );
is( @{$res}, 2, "Found 2 sessions" );
is( keys %{ $res->[0] }, 2, "Only selected fields returned" );
# Test search with ID output
$res = getLines( "search", { where => "uid=dwho", idonly => 1 } );
is( @{$res}, 2, "Got two lines" );
is(
( join ':', sort @{$res} ),
"9684dd2a6489bf2be2fbdd799a8028e3:f90f597566f5cce47d9641377776c0c2",
"Correct session IDs"
);
# Delete session
$cli->run( 'delete', {}, "9684dd2a6489bf2be2fbdd799a8028e3" );
$cli->run( 'delete', { persistent => 1 }, "rtyler" );
$res = getJson( "get", {}, "9684dd2a6489bf2be2fbdd799a8028e3" );
is( @{$res}, 0, "Session was removed" );
$res = getJson(
"get",
{ backend => 'persistent' },
"8d3bc3b0e14ea2a155f275aa7c07ebee"
);
is( @{$res}, 0, "Session was removed" );
# Set key
$cli->run( "setKey", {}, "f90f597566f5cce47d9641377776c0c2",
"key1", "value1", "deleteme", "newvalue" );
$res = getJson( "get", {}, "f90f597566f5cce47d9641377776c0c2" );
is( $res->[0]->{key1}, "value1", "New key was set" );
is( $res->[0]->{deleteme}, "newvalue", "Existing key was changed" );
# Delete key
$cli->run( "delKey", {}, "f90f597566f5cce47d9641377776c0c2",
"key1", "deleteme", "missing" );
$res = getJson( "get", {}, "f90f597566f5cce47d9641377776c0c2" );
is( $res->[0]->{key1}, undef, "Key was removed" );
is( $res->[0]->{deleteme}, undef, "Key was removed" );
# Show 2FA
$res = getJson( "secondfactors", {}, "get", "dwho" );
is( ( keys %{$res} ), 3, "Found two second factors" );
is( ( grep { $_->{type} eq "UBK" } values %{$res} ), 1, "Found one Yubikey" );
is( ( grep { $_->{type} eq "TOTP" } values %{$res} ), 1, "Found one TOTP" );
is( ( grep { $_->{type} eq "U2F" } values %{$res} ), 1, "Found one U2F" );
# Delete 2FA
$cli->run( "secondfactors", {}, "delete", "dwho",
"MTU4ODY5MTY5MDo6VUJLOjpJbXBvcnRlZCBhdXRvbWF0aWNhbGx5" );
$res = getJson( "secondfactors", {}, "get", "dwho" );
is( ( keys %{$res} ), 2, "Found two second factors" );
is( ( grep { $_->{type} eq "UBK" } values %{$res} ), 0, "Yubikey was removed" );
# Delete 2FA by type
$cli->run( "secondfactors", {}, "delType", "dwho", "U2F" );
$res = getJson( "secondfactors", {}, "get", "dwho" );
is( ( keys %{$res} ), 1, "Found one second factors" );
is( ( grep { $_->{type} eq "U2F" } values %{$res} ), 0, "U2F was removed" );
is( ( grep { $_->{type} eq "TOTP" } values %{$res} ), 1, "TOTP survived" );
# Show consents
$res = getJson( "consents", {}, "get", "dwho" );
is( ( keys %{$res} ), 2, "Found two consents" );
# Delete consents
$cli->run( "consents", {}, "delete", "dwho", "rp-example" );
$res = getJson( "consents", {}, "get", "dwho" );
is( ( keys %{$res} ), 1, "Found one consent" );
is( $res->{'rp-example'}, undef, "Consent for test-rp removed" );
ok( $res->{'rp-example2'}, "Consent for test-rp2 still present" );
rmtree $dir;
done_testing();
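Review bot: The temporary directory is only removed by the `rmtree $dir;` just before `done_testing()`, so any exception earlier in the file (e.g. `from_json` on empty output from a failing command) leaves the session and psession fixtures behind; `my $dir = File::Temp::tempdir( CLEANUP => 1 );` removes them at exit regardless of how the test ends. The file also starts without `use strict; use warnings;`, unlike the new CLI script in this commit. Several descriptions disagree with what is asserted: `is( ( keys %{$res} ), 3, "Found two second factors" );` checks for three, `"Found one second factors"` should be singular, and the consent checks say `test-rp`/`test-rp2` while the fixture and the delete call use `rp-example`/`rp-example2`.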


@ -59,8 +59,9 @@ t/67-Lemonldap-NG-Handler-PSGI-vhostoptions.t
t/68-Lemonldap-NG-Handler-PSGI-Zimbra.t
t/69-Lemonldap-NG-Handler-PSGI-SecureToken.t
t/70-Lemonldap-NG-Handler-PSGI-AuthBasic.t
t/71-Lemonldap-NG-Handler-PSGI-OAuth2.t
t/99-pod.t
t/lmConf-1.json
t/sessions/lock/Apache-Session-f5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545.lock
t/sessions/lock/.exists
t/test-psgi-lib.pm
t/test.pm


@ -24,9 +24,11 @@
"requires" : {
"Cwd" : "0",
"Digest::HMAC_SHA1" : "0",
"Env" : "0",
"IO::Pipe" : "0",
"Test::MockObject" : "0",
"Test::Pod" : "0"
"Test::Pod" : "0",
"Time::Fake" : "0"
}
},
"configure" : {


@ -5,9 +5,11 @@ author:
build_requires:
Cwd: '0'
Digest::HMAC_SHA1: '0'
Env: '0'
IO::Pipe: '0'
Test::MockObject: '0'
Test::Pod: '0'
Time::Fake: '0'
configure_requires:
ExtUtils::MakeMaker: '0'
dynamic_config: 1


@ -10,9 +10,11 @@ WriteMakefile(
PMLIBDIRS => ['lib'],
BUILD_REQUIRES => {
'Digest::HMAC_SHA1' => 0,
'Env' => 0,
'IO::Pipe' => 0,
'Test::MockObject' => 0,
'Test::Pod' => 0,
'Time::Fake' => 0,
'Cwd' => 0,
},
META_MERGE => {


@ -88,7 +88,11 @@ sub fetchId {
return "O-$_session_id";
}
return $class->Lemonldap::NG::Handler::Main::fetchId($req);
my $value = $class->Lemonldap::NG::Handler::Main::fetchId($req);
unless ($value) {
$req->data->{oauth2_error} = 'invalid_token';
}
return $value;
}
## @rmethod protected hash getOIDCInfos(id)
@ -123,4 +127,18 @@ sub getOIDCInfos {
return $infos;
}
## The OAuth2 handler does not redirect, we simply return a 401 with relevant
# information as described in https://tools.ietf.org/html/rfc6750#section-3
sub goToPortal {
my ( $class, $req, $url, $arg, $path ) = @_;
my $oauth2_error = '';
if ( $req->data->{oauth2_error} ) {
$oauth2_error = ' error="' . $req->data->{oauth2_error} . '"';
}
$class->set_header_out( $req,
'WWW-Authenticate' => "Bearer" . $oauth2_error );
return $class->HTTP_UNAUTHORIZED;
}
1;
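Review bot: `fetchId` now sets `oauth2_error = 'invalid_token'` whenever the cookie fallback also returns nothing, which includes a request that carried no credentials at all; RFC 6750 §3.1 says the resource server SHOULD NOT include an error code in that case and should answer with a bare `WWW-Authenticate: Bearer`. Setting the error only when an Authorization header was actually presented (e.g. `$req->data->{oauth2_error} = 'invalid_token' if $req->env->{HTTP_AUTHORIZATION};`, using whatever accessor the Bearer branch above already relies on) would match the RFC; `fetchId` starts outside this hunk, so I cannot see whether that branch sets the error on a malformed token itself. In `goToPortal` the stored value is interpolated into the header unescaped, which is fine while only the literal above assigns it — a comment on `oauth2_error` stating that it must remain one of the RFC 6750 error codes (`invalid_request`, `invalid_token`, `insufficient_scope`) would keep future callers from turning the header into an injection point.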


@ -276,9 +276,23 @@ sub locationRulesInit {
my ( $class, $conf, $orules ) = @_;
$orules ||= $conf->{locationRules};
$class->tsv->{vhostReg} = [];
my @lastReg;
foreach my $vhost ( keys %$orules ) {
my $rules = $orules->{$vhost};
if ( $vhost =~ /[\%\*]/ ) {
my $expr = join '[^\.]*', map {
my $elt = $_;
join '.*', map { quotemeta $_ } split /\*/, $elt;
} split /\%/, $vhost;
if ($expr) {
push @{ $class->tsv->{vhostReg} }, [ qr/^$expr$/, $vhost ];
}
else {
push @lastReg, [ qr/.+/, $vhost ];
}
}
$class->tsv->{locationCount}->{$vhost} = 0;
$class->tsv->{locationCondition}->{$vhost} = [];
$class->tsv->{locationProtection}->{$vhost} = [];
@ -322,6 +336,16 @@ sub locationRulesInit {
$class->tsv->{defaultProtection}->{$vhost} = 0;
}
}
@{ $class->tsv->{vhostReg} } = sort {
my $av = $a->[1];
my $bv = $b->[1];
return 1 if $av =~ /^\*/ and $bv !~ /^\*/;
return -1 if $bv =~ /^\*/ and $av !~ /^\*/;
return 1 if $av =~ /^\%/ and $bv !~ /^\%/;
return -1 if $bv =~ /^\%/ and $av !~ /^\%/;
return length($bv) <=> length($av) || $av cmp $bv;
} @{ $class->tsv->{vhostReg} } if @{ $class->tsv->{vhostReg} };
push @{ $class->tsv->{vhostReg} }, @lastReg if @lastReg;
return 1;
}
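Review bot: The wildcard grammar introduced here can only be read off the two `join`/`split` calls — `%` becomes `[^\.]*` (any run without a dot), `*` becomes `.*` (anything, dots included), and a vhost consisting solely of `*` or `%` yields an empty `$expr` and is appended to `@lastReg` as a match-everything `qr/.+/` — so a comment above `if ( $vhost =~ /[\%\*]/ ) {` spelling out those three rules and the sort order (literal prefix first, then `%`, then `*`, longest first) would spare the next reader from re-deriving them. The compiled pattern `qr/^$expr$/` is case-sensitive while DNS names are not; unless the Host header is lowercased before `resolveAlias` runs, `FOO.example.org` would not match `*.example.org`, so either lowercase at the call site or compile with `/i`. `locationRulesInit` begins outside this hunk.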


@ -403,7 +403,7 @@ sub hideCookie {
sub encodeUrl {
my ( $class, $req, $url ) = @_;
$url = $class->_buildUrl( $req, $url ) if ( $url !~ m#^https?://# );
return encode_base64( $url, '' );
return uri_escape( encode_base64( $url, '' ) );
}
## @rmethod protected int goToPortal(string url, string arg)
@ -452,7 +452,7 @@ sub fetchId {
my $value =
$lookForHttpCookie
? ( $t =~ /${cn}http=([^,; ]+)/o ? $1 : 0 )
: ( $t =~ /$cn=([^,; ]+)/o ? $1 : 0 );
: ( $t =~ /$cn=([^,; ]+)/o ? $1 : 0 );
if ( $value && $lookForHttpCookie && $class->tsv->{securedCookie} == 3 ) {
$value = $class->tsv->{cipher}->decryptHex( $value, "http" );
@ -731,10 +731,8 @@ sub resolveAlias {
return $class->tsv->{vhostAlias}->{$vhost}
if ( $class->tsv->{vhostAlias}->{$vhost} );
return $vhost if ( $class->tsv->{defaultCondition}->{$vhost} );
my $v = $vhost;
while ( $v =~ s/[\w\-]+/\*/ ) {
return $v if ( $class->tsv->{defaultCondition}->{$v} );
$v =~ s/^\*\.*//;
foreach ( @{ $class->tsv->{vhostReg} } ) {
return $_->[1] if $vhost =~ $_->[0];
}
return $vhost;
}
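Review bot: `encodeUrl` now calls `uri_escape`, a name this file did not use before, and the hunk does not show a `use URI::Escape;` in the module's import block — confirm it is present at the top of Main.pm, otherwise every redirect to the portal dies at runtime with an undefined subroutine. Since base64 output contains `+`, `/` and `=`, the portal must URL-decode the `url` parameter before base64-decoding it; query parsing normally does that, but a test with a URL whose encoding contains `+` would pin it. In `resolveAlias` the first matching entry of `vhostReg` wins, including a trailing catch-all when a bare `*` vhost is configured; a one-line comment such as `# vhostReg is sorted most-specific first by locationRulesInit; a bare '*' vhost, if any, comes last` would make that ordering dependence explicit. `resolveAlias` begins outside this hunk.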


@ -2,6 +2,7 @@ use Test::More;
use JSON;
use MIME::Base64;
use Data::Dumper;
use URI::Escape;
require 't/test-psgi-lib.pm';
@ -14,17 +15,17 @@ my $SKIPUSER = 0;
# --------------------
ok( $res = $client->_get('/'), 'Unauthentified query' );
ok( ref($res) eq 'ARRAY', 'Response is an array' ) or explain( $res, 'array' );
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res->[0], 302 );
my %h = @{ $res->[1] };
ok(
$h{Location} eq 'http://auth.example.com/?url='
. encode_base64( 'http://test1.example.com/', '' ),
. uri_escape( encode_base64( 'http://test1.example.com/', '' ) ),
'Redirection points to portal'
)
or explain(
\%h,
'Location => http://auth.example.com/?url='
. encode_base64( 'http://test1.example.com/', '' )
. uri_escape( encode_base64( 'http://test1.example.com/', '' ) )
);
count(4);
@ -33,7 +34,7 @@ count(4);
# Authorized query
ok( $res = $client->_get( '/', undef, undef, "lemonldap=$sessionId" ),
'Authentified query' );
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
@ -87,7 +88,7 @@ count(2);
# Denied query
ok( $res = $client->_get( '/deny', undef, undef, "lemonldap=$sessionId" ),
'Denied query' );
ok( $res->[0] == 403, 'Code is 403' ) or explain( $res->[0], 403 );
ok( $res->[0] == 403, ' Code is 403' ) or explain( $res->[0], 403 );
count(2);
# Required "timelords" group
@ -96,7 +97,7 @@ ok(
$client->_get( '/fortimelords', undef, undef, "lemonldap=$sessionId" ),
'Require Timelords group'
);
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
# Required "dalek" group
@ -104,13 +105,13 @@ ok(
$res = $client->_get( '/fordaleks', undef, undef, "lemonldap=$sessionId" ),
'Require Dalek group'
);
ok( $res->[0] == 403, 'Code is 403' ) or explain( $res, 403 );
ok( $res->[0] == 403, ' Code is 403' ) or explain( $res, 403 );
count(2);
# Required AuthnLevel = 1
ok( $res = $client->_get( '/AuthWeak', undef, undef, "lemonldap=$sessionId" ),
'Weak Authentified query' );
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
SKIP: {
@ -127,17 +128,18 @@ ok(
$res = $client->_get( '/AuthStrong', undef, undef, "lemonldap=$sessionId" ),
'Strong Authentified query'
);
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 );
%h = @{ $res->[1] };
ok(
$h{Location} eq 'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test1.example.com/AuthStrong', '' ),
. uri_escape(
encode_base64( 'http://test1.example.com/AuthStrong', '' ) ),
'Redirection points to http://test1.example.com/AuthStrong'
)
or explain(
\%h,
'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test1.example.com/AuthStrong', '' )
. uri_escape( encode_base64( 'http://test1.example.com/AuthStrong', '' ) )
);
count(3);
@ -151,7 +153,7 @@ ok(
),
'Bad cookie'
);
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res->[0], 302 );
unlink(
't/sessions/lock/Apache-Session-e5eec18ebb9bc96352595e2d8ce962e8ecf7af7c9a98cb9a43f9cd181cf4b545.lock'
);
@ -164,7 +166,7 @@ ok(
),
'Weak Authentified query'
);
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
# Required AuthnLevel = 5
@ -173,29 +175,108 @@ ok(
$client->_get( '/', undef, 'test2.example.com', "lemonldap=$sessionId" ),
'Default Authentified query'
);
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 );
%h = @{ $res->[1] };
ok(
$h{Location} eq 'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test2.example.com/', '' ),
. uri_escape( encode_base64( 'http://test2.example.com/', '' ) ),
'Redirection points to http://test2.example.com/'
)
or explain(
\%h,
'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test2.example.com/', '' )
. uri_escape( encode_base64( 'http://test2.example.com/', '' ) )
);
count(3);
ok( $res = $client->_get( '/skipif/za', undef, 'test1.example.com' ),
'Test skip() rule 1' );
ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 );
$SKIPUSER = 1;
ok( $res = $client->_get( '/skipif/zz', undef, 'test1.example.com' ),
'Test skip() rule 2' );
ok( $res->[0] == 200, 'Code is 200' ) or explain( $res, 200 );
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(4);
# Wildcards
ok(
$res =
$client->_get( '/', undef, 'foo.example.org', "lemonldap=$sessionId" ),
'Accept "*.example.org"'
);
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
ok(
$res =
$client->_get( '/', undef, 'foo.example.fr', "lemonldap=$sessionId" ),
'Reject "foo.example.fr"'
);
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 );
count(2);
ok(
$res = $client->_get(
'/orgdeny', undef, 'foo.example.org', "lemonldap=$sessionId"
),
'Reject "foo.example.org/orgdeny"'
);
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 );
count(2);
ok(
$res = $client->_get(
'/orgdeny', undef, 'afoo.example.org', "lemonldap=$sessionId"
),
'Accept "afoo.example.org/orgdeny"'
);
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
ok(
$res = $client->_get(
'/orgdeny', undef, 'abfoo.example.org', "lemonldap=$sessionId"
),
'Reject "abfoo.example.org/orgdeny"'
);
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 );
count(2);
ok(
$res = $client->_get(
'/', undef, 'abfoo.a.example.org', "lemonldap=$sessionId"
),
'Accept "abfoo.a.example.org/"'
);
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
ok(
$res = $client->_get(
'/orgdeny', undef, 'abfoo.a.example.org', "lemonldap=$sessionId"
),
'Accept "abfoo.a.example.org/orgdeny"'
);
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
ok(
$res =
$client->_get( '/', undef, 'abfoo.example.org', "lemonldap=$sessionId" ),
'Reject "abfoo.example.org/"'
);
ok( $res->[0] == 302, ' Code is 302' ) or explain( $res, 302 );
count(2);
ok(
$res = $client->_get(
'/', undef, 'test-foo.example.fr', "lemonldap=$sessionId"
),
'Accept "test*.example.fr"'
);
ok( $res->[0] == 200, ' Code is 200' ) or explain( $res, 200 );
count(2);
done_testing( count() );
clean();
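Review bot: The new wildcard cases at the end assert only the status code, so for the rejected hosts (`foo.example.fr`, `foo.example.org/orgdeny`, `abfoo.example.org`) a 302 to anywhere passes; the earlier tests in this file also verify the `Location` header, and doing the same here — `%h = @{ $res->[1] }; like( $h{Location}, qr{^http://auth\.example\.com/}, ' Redirected to portal' );` with `count()` bumped accordingly — would distinguish a wrong vhost being selected from the intended redirect. None of the new cases exercises a mixed-case Host such as `Foo.Example.org`, which is where the regex-based matching added in this commit is most likely to differ from the old `[\w\-]+` fallback it replaces.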


@ -1,6 +1,7 @@
use Test::More;
use JSON;
use MIME::Base64;
use URI::Escape;
require 't/test-psgi-lib.pm';
@ -16,13 +17,13 @@ ok( $res->[0] == 302, 'Code is 302' ) or explain( $res->[0], 302 );
my %h = @{ $res->[1] };
ok(
$h{Location} eq 'http://auth.example.com/?url='
. encode_base64( 'http://test1.example.com/', '' ),
. uri_escape( encode_base64( 'http://test1.example.com/', '' ) ),
'Redirection points to portal'
)
or explain(
\%h,
'Location => http://auth.example.com/?url='
. encode_base64( 'http://test1.example.com/', '' )
. uri_escape( encode_base64( 'http://test1.example.com/', '' ) )
);
count(4);
@ -113,13 +114,14 @@ ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
%h = @{ $res->[1] };
ok(
$h{Location} eq 'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test1.example.com/AuthStrong', '' ),
. uri_escape(
encode_base64( 'http://test1.example.com/AuthStrong', '' ) ),
'Redirection points to http://test1.example.com/AuthStrong'
)
or explain(
\%h,
'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test1.example.com/AuthStrong', '' )
. uri_escape( encode_base64( 'http://test1.example.com/AuthStrong', '' ) )
);
count(3);
@ -159,13 +161,13 @@ ok( $res->[0] == 302, 'Code is 302' ) or explain( $res, 302 );
%h = @{ $res->[1] };
ok(
$h{Location} eq 'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test2.example.com/', '' ),
. uri_escape( encode_base64( 'http://test2.example.com/', '' ) ),
'Redirection points to http://test2.example.com/'
)
or explain(
\%h,
'http://auth.example.com//upgradesession?url='
. encode_base64( 'http://test2.example.com/', '' )
. uri_escape( encode_base64( 'http://test2.example.com/', '' ) )
);
count(3);
