LEMONLDAP::NG : Change in configuration storage format (Closes: #307173) and documentation
This commit is contained in:
parent
d420e2bbb3
commit
5ffac30027
|
@ -19,23 +19,32 @@ portal
|
|||
domain
|
||||
'example.com'
|
||||
|
||||
whatToTrace
|
||||
'$uid'
|
||||
|
||||
groups
|
||||
'$data1 = {};'
|
||||
|
||||
macros
|
||||
'$data1 = {};'
|
||||
|
||||
globalStorage
|
||||
'Apache::Session::File'
|
||||
|
||||
globalStorageOptions
|
||||
'BAcEMTIzNAQEBAgZAAEAAAAXBC90bXACCQAAAERpcmVjdG9yeQ=='
|
||||
'$data1 = {&39;Directory&39; => &39;/tmp&39;};'
|
||||
|
||||
exportedHeaders
|
||||
'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwQkdWlkAgkAAABBdXRoLVVzZXICEAAAAHRlc3QuZXhhbXBsZS5jb20='
|
||||
'$data1 = {&39;test.example.com&39; => {&39;Auth-User&39; => &39;$uid&39;}};'
|
||||
|
||||
exportedVars
|
||||
'BAcEMTIzNAQEBAgZAAMAAAAXA3VpZAIDAAAAdWlkFwJjbgICAAAAY24XBG1haWwCBAAAAG1haWw='
|
||||
'$data1 = {&39;uid&39; => &39;uid&39;,&39;cn&39; => &39;cn&39;,&39;mail&39; => &39;mail&39;};'
|
||||
|
||||
authentication
|
||||
'ldap'
|
||||
|
||||
locationRules
|
||||
'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwZhY2NlcHQCBwAAAGRlZmF1bHQCEAAAAHRlc3QuZXhhbXBsZS5jb20='
|
||||
'$data1 = {&39;test.example.com&39; => {&39;default&39; => &39;accept&39;}};'
|
||||
|
||||
cfgNum
|
||||
1
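Review bot: The re-encoded `globalStorageOptions` value still points session storage at `/tmp` (`$data1 = {'Directory' => '/tmp'}` once the `&39;` sequences are read as quotes), so Apache::Session::File would create its session files in a world-writable directory where any local account can list session identifiers and read the attributes stored in them. The packaging postinst appears to rewrite this key to `/var/lib/lemonldap-ng/sessions/`, but the example as shipped should not suggest `/tmp`, and a lock directory should be named alongside the data directory. I would ship the example with the same value the postinst writes: `'$data1 = {&39;Directory&39; => &39;/var/lib/lemonldap-ng/sessions/&39;,&39;LockDirectory&39; => &39;/var/lib/lemonldap-ng/sessions/lock/&39;};'`.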
|
||||
|
|
|
@ -2,13 +2,42 @@ lemonldap-ng for Debian
|
|||
-----------------------
|
||||
|
||||
Topics:
|
||||
1 - Configuration storage
|
||||
1 - Manager installation
|
||||
2 - Portal installation
|
||||
3 - Manager installation
|
||||
4 - Area protection
|
||||
3 - Area protection
|
||||
4 - Configuration storage
|
||||
|
||||
|
||||
I - LEMONLDAP::NG CONFIGURATION STORAGE
|
||||
I - LEMONLDAP::NG MANAGER INSTALLATION
|
||||
----------------------------------------
|
||||
Package: liblemonldap-ng-manager-perl
|
||||
|
||||
liblemonldap-ng-manager-perl installs files named manager-apache.conf and
|
||||
manager-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
|
||||
and configure it (virtual host has to be adapt).
|
||||
|
||||
|
||||
II - LEMONLDAP::NG PORTAL INSTALLATION
|
||||
--------------------------------------
|
||||
Package: liblemonldap-ng-portal-perl
|
||||
|
||||
liblemonldap-ng-portal-perl installs files named portal-apache.conf and
|
||||
portal-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
|
||||
and configure it (virtual host has to be adapt). You can also customize
|
||||
/var/lib/lemonldap-ng/portal/index.pl to adapt it to your site. This file is
|
||||
protected against upgrade.
|
||||
|
||||
|
||||
III - LEMONLDAP::NG AREA PROTECTION
|
||||
----------------------------------
|
||||
Package: liblemonldap-ng-handler-perl
|
||||
|
||||
liblemonldap-ng-handler-perl installs a file named MyHandler.pm in
|
||||
/var/lib/lemonldap-ng/handler/. See handler-apache.conf or handler-apache2.conf
|
||||
in /etc/lemonldap-ng/ to know how to use it.
|
||||
|
||||
|
||||
IV - LEMONLDAP::NG CONFIGURATION STORAGE
|
||||
---------------------------------------
|
||||
Package: liblemonldap-ng-conf-perl
|
||||
|
||||
|
@ -22,33 +51,8 @@ example is given for MySQL in the file
|
|||
/usr/share/doc/liblemonldap-ng-conf-perl/examples/lmConfig.mysql.
|
||||
If you have a running configuration, use this to populate SQL database :
|
||||
|
||||
perl /usr/share/lemonldap-ng/bin/lmConfig_File2MySQL \
|
||||
perl /usr/share/lemonldap-ng/bin/lmConfig_File2MySQL -c \
|
||||
/var/lib/lemonldap-ng/conf/lmConf-<last-number>
|
||||
|
||||
|
||||
II - LEMONLDAP::NG PORTAL INSTALLATION
|
||||
--------------------------------------
|
||||
Package: liblemonldap-ng-portal-perl
|
||||
|
||||
liblemonldap-ng-portal-perl installs files named portal-apache.conf and
|
||||
portal-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
|
||||
and personalize files in /var/lib/lemonldap-ng/portal.
|
||||
|
||||
|
||||
III - LEMONLDAP::NG MANAGER INSTALLATION
|
||||
----------------------------------------
|
||||
Package: liblemonldap-ng-manager-perl
|
||||
|
||||
liblemonldap-ng-manager-perl installs files named manager-apache.conf and
|
||||
manager-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
|
||||
and personalize files in /var/lib/lemonldap-ng/manager.
|
||||
|
||||
|
||||
IV - LEMONLDAP::NG AREA PROTECTION
|
||||
----------------------------------
|
||||
Package: liblemonldap-ng-handler-perl
|
||||
|
||||
liblemonldap-ng-handler-perl installs a file named MyHandler.pm in
|
||||
/var/lib/lemonldap-ng/handler/. See handler-apache.conf or handler-apache2.conf
|
||||
in /usr/share/doc/liblemonldap-ng-handler-perl/examples/ to know how to use it.
|
||||
"-c" options adds "create table" instruction.
|
||||
|
||||
|
|
|
@ -1,3 +1,10 @@
|
|||
lemonldap-ng (0.8.2.3) unstable; urgency=low
|
||||
|
||||
* Change configuration storage format (Storable bug).
|
||||
Closes: #307173/objectweb.org
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Wed, 13 Jun 2007 13:49:27 +0200
|
||||
|
||||
lemonldap-ng (0.8.2.2) unstable; urgency=low
|
||||
|
||||
* Debian packages modifications due to Lintian control.
|
||||
|
|
|
@ -5,7 +5,9 @@
|
|||
# Area protection
|
||||
PerlHeaderParserHandler My::Package
|
||||
|
||||
# Configuration reload mechanism
|
||||
# Configuration reload mechanism (only 1 per physical server is
|
||||
# needed): choose your URL to avoid restarting Apache when
|
||||
# configuration change
|
||||
<Location /reload>
|
||||
Order deny,allow
|
||||
Deny from all
|
||||
|
@ -13,7 +15,7 @@
|
|||
PerlHeaderParserHandler My::Package->refresh
|
||||
</Location>
|
||||
|
||||
# Optional interception of the logout URL
|
||||
# Optional interception of the logout URL => single logout
|
||||
<Location /logout>
|
||||
PerlHeaderParserHandler My::Package->logout
|
||||
</Location>
|
||||
|
|
|
@ -6,7 +6,9 @@ PerlOptions +GlobalRequest
|
|||
# Area protection
|
||||
PerlHeaderParserHandler My::Package
|
||||
|
||||
# Configuration reload mechanism
|
||||
# Configuration reload mechanism (only 1 per physical server is
|
||||
# needed): choose your URL to avoid restarting Apache when
|
||||
# configuration change
|
||||
<Location /reload>
|
||||
Order deny,allow
|
||||
Deny from all
|
||||
|
@ -14,7 +16,7 @@ PerlOptions +GlobalRequest
|
|||
PerlHeaderParserHandler My::Package->refresh
|
||||
</Location>
|
||||
|
||||
# Optional interception of the logout URL
|
||||
# Optional interception of the logout URL => single logout
|
||||
<Location /logout>
|
||||
PerlHeaderParserHandler My::Package->logout
|
||||
</Location>
|
||||
|
|
|
@ -17,6 +17,6 @@ then
|
|||
db_get liblemonldap-ng-conf-perl/$i || true
|
||||
perl -000 -i -pe "s#^$i(\\n\\s+)('?)[^\\n]*?('?)\$#$i\${1}\${2}$RET\${3}#m" $FIRSTCONFFILE
|
||||
done
|
||||
perl -000 -i -pe "s#^(globalStorageOptions\\n\\s+)'[^\\n]*?'\$#\${1}\'BAcEMTIzNAQEBAgDAgAAAAofL3Zhci9saWIvbGVtb25sZGFwLW5nL3Nlc3Npb25zLwkAAABEaXJlY3RvcnkKJC92YXIvbGliL2xlbW9ubGRhcC1uZy9zZXNzaW9ucy9sb2NrLw0AAABMb2NrRGlyZWN0b3J5'#m" $FIRSTCONFFILE
|
||||
perl -000 -i -pe "s#^(globalStorageOptions\\n\\s+)'[^\\n]*?'\$#\${1}\'\\\$data1 = {&39;Directory&39; => &39;/var/lib/lemonldap-ng/sessions/&39;,&39;LockDirectory&39; => &39;/var/lib/lemonldap-ng/sessions/lock/&39;};'#m" $FIRSTCONFFILE
|
||||
fi
|
||||
exit 0
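Review bot: The replacement written by the new `perl -000 -i -pe` line hard-codes one exact serialization of `globalStorageOptions` (Data::Dumper output with `Indent=0` and every `'` rewritten as `&39;`) that `Lemonldap::NG::Manager::Conf::getConf` must later recognise and decode, and nothing in the script ties the two together; a later change to the escaping in `saveConf` would leave this postinst writing a value the Manager can no longer read. I would at least document the coupling above the line: `# Value must use the serialization of Lemonldap::NG::Manager::Conf::saveConf (Data::Dumper, Indent=0, ' encoded as &39;)`. The in-place edit also keeps no backup of the file and `$FIRSTCONFFILE` is unquoted, but both are pre-existing context rather than part of this change.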
|
||||
|
|
|
@ -306,9 +306,9 @@ __PACKAGE__->init ( {
|
|||
</ol>Pour le deuxième point, la modification est très simple
|
||||
: il faut remplacer <tt>$uid</tt> par <tt>$cn</tt> dans le champ
|
||||
"Paramètres généraux -> Donnée à
|
||||
inscrire dans les journaux d'Apache (et vérifier que cette variable
|
||||
est déclarée dand les attributs à exporter). Le
|
||||
changement de filtre de recherche nécessite la surcharge d'une
|
||||
inscrire dans les journaux d'Apache" (et vérifier que cette
|
||||
variable est déclarée dand les attributs à exporter).
|
||||
Le changement de filtre de recherche nécessite la surcharge d'une
|
||||
méthode dans le portail. Cette modification peut être
|
||||
effectuée comme suit:
|
||||
<pre>
|
||||
|
@ -351,9 +351,7 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
|||
# on peut aussi utiliser mod_rewrite
|
||||
# RewriteEngine On
|
||||
# RewriteRule /(.*)$ <span class="nobr"><a href=
|
||||
"http://serveur-reel/$1">http://serveur-reel/$1</a></span> <a class=
|
||||
"wikicreatelink" href="/xwiki/bin/edit/NG/P?parent=NG.FAQ"><span class=
|
||||
"wikicreatelinktext">P</span><span class="wikicreatelinkqm">?</span></a>
|
||||
"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
|
||||
</VirtualHost>
|
||||
</pre>
|
||||
|
||||
|
|
|
@ -0,0 +1,402 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
|
||||
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
|
||||
<head>
|
||||
<meta name="generator" content=
|
||||
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
|
||||
|
||||
<title>FAQ LEMONLDAP::NG</title>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
|
||||
</head>
|
||||
|
||||
<body>
|
||||
<div class="main-content">
|
||||
<h2 class="heading-1"><span id=
|
||||
"HLemonldap3A3ANGFrequentlyAskedQuestions">Lemonldap::NG Frequently Asked
|
||||
Questions</span></h2>
|
||||
|
||||
<p class="paragraph"></p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<a href="#HGeneralquestions">General questions</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HWhatisaWebSSO3F">What is a Web-SSO ?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What brings
|
||||
Lemonldap::NG compared to the other Web-SSO ?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HConfiguration">Configuration</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HWhattypeofconfigurationstoragehastobeused3F">What
|
||||
type of configuration storage has to be used ?</a></li>
|
||||
|
||||
<li><a href="#HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The
|
||||
provided example works with HTTP, but not with HTTPS.</a></li>
|
||||
|
||||
<li><a href="#HForwhatisusedthe22https22parameter3F">For what is
|
||||
used the "https" parameter ?</a></li>
|
||||
|
||||
<li><a href="#HWhatisanautoprotectedCGI3F">What is an auto-protected
|
||||
CGI ?</a></li>
|
||||
|
||||
<li><a href="#HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to
|
||||
use Lemonldap::NG with Active-Directory ?</a></li>
|
||||
|
||||
<li><a href="#HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use
|
||||
Lemonldap::NG as reverse-proxy ?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HOperation">Operation</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HWithwhatservesthehandlerlocalcache3F">With what
|
||||
serves the handler local cache ?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why
|
||||
handlers local cache can not be configured by the manager ?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
|
||||
<i class="italic">Cross Domain Authentication</i> (CDA) ?</a></li>
|
||||
|
||||
<li><a href=
|
||||
"#HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How works
|
||||
the <i class="italic">Cross Domain Authentication</i> (CDA)
|
||||
?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<a href="#HAuthentication">Authentication</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="#HHowtochangeauthenticationscheme3F">How to change
|
||||
authentication scheme ?</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HGeneralquestions">General
|
||||
questions</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HWhatisaWebSSO3F">What is a Web-SSO
|
||||
?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>A SSO <i class="italic">(Single Sign On)</i> is a
|
||||
system that is used to share authentications between many applications.
|
||||
Users authentify themself only one time and is never prompted when he
|
||||
tries to access to another application. Kerberos (used in Active
|
||||
Directory) for example is a SSO. The problem with these systems is that in
|
||||
addition to their heaviness, they apply only to internal networks and to
|
||||
relatively homogeneous machines.
|
||||
|
||||
<p class="paragraph"></p>The Web-SSO is the bearing of this principle
|
||||
restricted with the Web applications. The user is thus authenticated with
|
||||
the first access to a protected Web application and the authentifications
|
||||
are propagated when it changes application. The large advantage is whereas
|
||||
the system is usable on Internet without pre-necessary on the stations
|
||||
customers (they just have to accept session cookies). For example, when a
|
||||
user reaches a Google letter-box, it is not authentified if it reaches the
|
||||
groups management application or any other Google application.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What brings
|
||||
Lemonldap::NG compared to the other Web-SSO ?</span></h4>
|
||||
|
||||
<ul class="star">
|
||||
<li>Lemonldap::NG like lemonldap run as Perl Apache modules and offer
|
||||
performances which make unperceivable the treatment of the access
|
||||
control.</li>
|
||||
|
||||
<li>One of the other strong points of Lemonldap::NG is its capacity to
|
||||
manage the rights in a centralized way: the standard SSO Kerberos or
|
||||
CASE allow authentication share but delegate management access
|
||||
authorizations to the applications. In the case of Lemonldap::NG,
|
||||
management rights can be centralized completely, partly or at all for
|
||||
each application : Lemonldap::NG provides a system of authorization
|
||||
based on the sorting of the URL by regular expressions associated to
|
||||
rules. It also provides HTTP headers containing any of the user LDAP
|
||||
atributes to the remote application. The remote application can then
|
||||
manage the traceability of the access and possibly authorization (see to
|
||||
it <span class="wikiexternallink"><a href=
|
||||
"http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation#HMC3A9canismesd27authentification2Cd27autorisa%20tionetdetraC3A7abilitC3A9">
|
||||
documentation AAA</a></span>).</li>
|
||||
|
||||
<li>Lemonldap::NG can publish every LDAP attributes or calculated
|
||||
expressions issued from them. So applications can avoid consulting LDAP
|
||||
server.</li>
|
||||
|
||||
<li>Lemonldap::NG treats all the hosted sites independently (virtual or
|
||||
real): every application can so have its personalized HTTP headers.</li>
|
||||
|
||||
<li>Lemonldap::NG provide an web based administration interface simply
|
||||
presenting the configuration, the access policy and the per sites
|
||||
headers (see the <span class="wikiexternallink"><a href=
|
||||
"http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">demonstration</a></span>).
|
||||
A restricted interface can also be used to show only some virtual hosts
|
||||
(for reading and/or writing): the interface of administration can thus
|
||||
be partially delegated.</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HConfiguration">Configuration</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HWhattypeofconfigurationstoragehastobeused3F">What type of configuration
|
||||
storage has to be used ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG provides 3 configuration storage
|
||||
systems:
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">File</strong>: the most simple system, it can
|
||||
be used only if all your servers share a file system. It can be used for
|
||||
example if all virtual hosts are on the same server,</li>
|
||||
|
||||
<li><strong class="strong">DBI</strong>: <span class=
|
||||
"wikiexternallink"><a href=
|
||||
"http://www.linuxmanpages.com/man3/DBI.3pm.php">DBI(3)</a></span> is a
|
||||
database access module for the Perl programming language. Used with
|
||||
Lemonldap::NG, it permits to share configuration between servers that
|
||||
can access to the same database. This is the recommended sheme on a
|
||||
server network.</li>
|
||||
|
||||
<li><strong class="strong">SOAP</strong>: This system is not a real
|
||||
storage system, but permits to a remote server to access to the
|
||||
configuration by a single HTTP(S) connection. The SOAP server use File
|
||||
or DBI to access to the real configuration and act as a proxy.</li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example
|
||||
works with HTTP, but not with HTTPS.</span></h4>
|
||||
|
||||
<p class="paragraph"></p>In the redirection mechanism to the portal then
|
||||
to the protected site, you have to indicate to the handler if users access
|
||||
by HTTPS or HTTP to it. This is done by the <tt>https</tt> parameter. This
|
||||
parameter has to be configured directly in the handlers is not accessible
|
||||
by the manager interface:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
<pre>
|
||||
__PACKAGE__->init ( {
|
||||
localStorage => "Cache::FileCache",
|
||||
localStorageOptions => {
|
||||
'namespace' => 'MyNamespace',
|
||||
'default_expires_in' => 600,
|
||||
'directory_umask' => '007',
|
||||
'cache_root' => '/tmp',
|
||||
'cache_depth' => 5,
|
||||
},
|
||||
configStorage => {
|
||||
type => 'File',
|
||||
dirName => '/var/lib/lemonldap-ng/conf',
|
||||
},
|
||||
<strong class="strong">https => 1</strong>,
|
||||
} );
|
||||
</pre>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HForwhatisusedthe22https22parameter3F">For what is used the "https"
|
||||
parameter ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>This parameter is used only in authentication
|
||||
portal redirections. It is just used to indicate to the portal that after
|
||||
authentification, the user must be redirected towards the application
|
||||
using https and not http.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is
|
||||
an auto-protected CGI ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>When you have just 1 Perl CGI to protect in a
|
||||
VirtualHost, you can use an auto-protected CGI instead of using a
|
||||
Lemonldap::NG handler:
|
||||
|
||||
<p class="paragraph"></p>
|
||||
<pre>
|
||||
use Lemonldap::NG::Handler::CGI;
|
||||
my $cgi = Lemonldap::NG::Handler::CGI->new ( {
|
||||
# same parameters than a Lemonldap::NG::Handler::SharedConf handler
|
||||
}
|
||||
);
|
||||
$cgi->authenticate;
|
||||
</pre>
|
||||
|
||||
<p class="paragraph"></p>In the example above, $cgi is a CGI(3) object.
|
||||
The only difference is that it has some additional functions:
|
||||
|
||||
<ul class="star">
|
||||
<li>authenticate : to call Lemonldap::NG authentication mechanism,</li>
|
||||
|
||||
<li>autorize : use it if you want to use the manager to manage the
|
||||
access policy,</li>
|
||||
|
||||
<li>user : returns an hash table containing user parameters,</li>
|
||||
|
||||
<li>group : used to validate group permet de valider group
|
||||
membership.</li>
|
||||
</ul>This type of CGI is very usefull when rights can not be distinguish
|
||||
by URL (fields in POST requests for example). See the
|
||||
Lemonldap::NG::Handler::CGI(3) man page for more.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to use Lemonldap::NG
|
||||
with Active-Directory ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Active-Directory uses <tt>cn</tt> field instead
|
||||
of <tt>uid</tt> as unique identifier. You have so to modify Lemonldap::NG
|
||||
configuration in 2 points :
|
||||
|
||||
<ol>
|
||||
<li>the field <tt>cn</tt> (or <tt>samAccountName</tt>) has to be used to
|
||||
find the user in the portal,</li>
|
||||
|
||||
<li>Apache has to use this field in logs.</li>
|
||||
</ol>For the second point, you have to replace <tt>$uid</tt> by
|
||||
<tt>$cn</tt> in the field "General Parameters -> Attribute to use in
|
||||
Apache's logs" (and to verify that this variable is an exported
|
||||
attribute). The LDAP filter change needs to overload a subroutine in the
|
||||
portail. This can be done so :
|
||||
|
||||
<p class="paragraph"></p>
|
||||
<pre>
|
||||
#!/usr/bin/perl
|
||||
use Lemonldap::NG::Portal::SharedConf;
|
||||
my $portal = Lemonldap::NG::Portal::SharedConf->new(
|
||||
{
|
||||
configStorage => {
|
||||
type => 'File',
|
||||
dirName => '/var/lib/lemonldap-ng/conf',
|
||||
},
|
||||
<strong class="strong">formateFilter => sub {</strong>
|
||||
my $self = shift;
|
||||
$self->{filter} = "(&(cn=" . $self->{user} . ")(objectClass=person))";
|
||||
PE_OK;
|
||||
} # end of overload
|
||||
}
|
||||
);
|
||||
</pre>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use Lemonldap::NG as
|
||||
reverse-proxy ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG protects Apache VirtualHosts. To
|
||||
use it as reverse-proxy, you just have to configure Apache as
|
||||
reverse-proxy :
|
||||
|
||||
<p class="paragraph"></p>
|
||||
<pre>
|
||||
# httpd.conf
|
||||
<VirtualHost *>
|
||||
ServerName MyApplication.com
|
||||
PerlRequire MyFile
|
||||
PerlHeaderParserHandler My::Package
|
||||
ProxyPass / <span class="nobr"><a href=
|
||||
"http://real-server/">http://real-server/</a></span>
|
||||
ProxyPassReverse / <span class="nobr"><a href=
|
||||
"http://real-server/">http://real-server/</a></span>
|
||||
# You can also use mod_rewrite instead of mod_proxy
|
||||
# RewriteEngine On
|
||||
# RewriteRule /(.*)$ <span class="nobr"><a href=
|
||||
"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
|
||||
</VirtualHost>
|
||||
</pre>
|
||||
|
||||
<p class="paragraph"></p>If you prefer to use a Perl proxy, Lemonldap::NG
|
||||
provides one (Lemonldap::NG::Handler::Proxy(3))
|
||||
|
||||
<h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HWithwhatservesthehandlerlocalcache3F">With what serves the handler local
|
||||
cache ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>The handler local cache is used for 2 things :
|
||||
|
||||
<ul class="star">
|
||||
<li>share configuration between Apache process : this avoid downloading
|
||||
configuration for each new process. This is required for the reload
|
||||
mechanism system that avoid restarting Apache,</li>
|
||||
|
||||
<li>share sessions between Apache process and threads : this avoid
|
||||
having to request the central sessions storage for each hit. For example
|
||||
with Apache::Session::MySQL, we transform TCP requests in file system
|
||||
requests. This increase performances.</li>
|
||||
</ul>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why handlers
|
||||
local cache can not be configured by the manager ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>The local cache has to be choosed nad configured
|
||||
for each server: for example with the Cache::FileCache module, the storage
|
||||
directory can be different. An other point is that the local storage can
|
||||
not be reloaded without restarting Apache, but all parameters managed by
|
||||
the manager can do it.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
|
||||
<i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>The Lemonldap::NG sessions propagation system is
|
||||
based on cookies, but cookies are attached to a DNS domain. Lemonldap::NG
|
||||
provides a system to bypass this restriction: you just have to use a
|
||||
Lemonldap::NG::Portal::CDA portal and Lemonldap::NG::Handler::CDA handlers
|
||||
in all protected sites outwards the portal DNS domain.
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How works the
|
||||
<i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG::Portal::CDA portal detects if
|
||||
required URL is in the same domain. If not, it adds a parameter to this
|
||||
request. When the user returns to the protected application,
|
||||
Lemonldap::NG::Handler::CDA agent detects this parameter et generate a
|
||||
cookie in its domain.
|
||||
|
||||
<h3 class="heading-1-1"><span id=
|
||||
"HAuthentication">Authentication</span></h3>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id=
|
||||
"HHowtochangeauthenticationscheme3F">How to change authentication scheme
|
||||
?</span></h4>
|
||||
|
||||
<p class="paragraph"></p>Lemonldap::NG provides several authentication
|
||||
modes (to use in the "authentification" field of the administration
|
||||
interface) :
|
||||
|
||||
<ul class="star">
|
||||
<li><strong class="strong">ldap</strong> : this is the default mode :
|
||||
portal tries to connect to the LDAP server with the user
|
||||
credentials,</li>
|
||||
|
||||
<li><strong class="strong">CAS</strong> : Lemonldap::NG portal becomes a
|
||||
simple CAS proxy : if the user is not authenticated, it is redirected to
|
||||
the CAS portal,</li>
|
||||
|
||||
<li><strong class="strong">SSL</strong> : in this scheme, authentication
|
||||
is done by Apache by SSL. This is usefull to replace complete SSL
|
||||
protection: only one SSL negociation is used instead,</li>
|
||||
|
||||
<li><strong class="strong">Apache</strong> : in this scheme,
|
||||
authentication is done by Apache. For example with Kerberos, the Apache
|
||||
Kerberos module protects only the portal. This increases performances
|
||||
because only one Kerberos negociation has to be done for all protected
|
||||
applications.</li>
|
||||
</ul>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
@ -6,6 +6,7 @@ use utf8;
|
|||
|
||||
my $docs = {
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=fr' => 'faq-fr.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=en' => 'faq.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=en' => 'overview.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=fr' => 'overview-fr.html',
|
||||
'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstallExample?language=en' => 'install.html',
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
Revision history for Perl extension Lemonldap::NG::Manager.
|
||||
|
||||
0.7 Tue jun 12 22:20:54 2007
|
||||
- Changing storage format due to a bug in Storable module
|
||||
|
||||
0.66 Tue May 15 19:53:40 2007
|
||||
- Little bug correction: '-' is authorized in domain names
|
||||
|
||||
|
|
|
@ -16,7 +16,7 @@ use MIME::Base64;
|
|||
|
||||
our @ISA = qw(Lemonldap::NG::Manager::Base);
|
||||
|
||||
our $VERSION = '0.66';
|
||||
our $VERSION = '0.7';
|
||||
|
||||
sub new {
|
||||
my ( $class, $args ) = @_;
|
||||
|
|
|
@ -2,11 +2,12 @@ package Lemonldap::NG::Manager::Conf;
|
|||
|
||||
use strict;
|
||||
no strict 'refs';
|
||||
use Storable qw(thaw freeze);
|
||||
use MIME::Base64;
|
||||
use Data::Dumper;
|
||||
use Lemonldap::NG::Manager::Conf::Constants;
|
||||
|
||||
our $VERSION = 0.45;
|
||||
$Data::Dumper::Indent = 0;
|
||||
$Data::Dumper::Varname = "data";
|
||||
our $VERSION = 0.5;
|
||||
our @ISA;
|
||||
|
||||
sub new {
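Review bot: `$Data::Dumper::Indent = 0;` and `$Data::Dumper::Varname = "data";` at file scope change package-global state for every other user of Data::Dumper in the same interpreter, and under mod_perl that is every module loaded into the same Apache child, so any unrelated debug dump silently becomes one-line `$data1 = ...` output. Confining the settings to the save path avoids that, either with `local $Data::Dumper::Indent = 0;` inside `saveConf` or with the object form `Data::Dumper->new([$v], ['data'])->Indent(0)->Dump`. Setting `Sortkeys` to 1 as well would make the stored text deterministic from one save to the next, which helps when diffing configuration versions. `sub new` continues outside the hunk.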
|
||||
|
@ -43,8 +44,9 @@ sub saveConf {
|
|||
my $fields;
|
||||
while ( my ( $k, $v ) = each(%$conf) ) {
|
||||
if ( ref($v) ) {
|
||||
$fields->{$k} = "'" . encode_base64( freeze($v) ) . "'";
|
||||
$fields->{$k} =~ s/[\r\n]//g;
|
||||
$fields->{$k} = Dumper($v);
|
||||
$fields->{$k} =~ s/'/&39;/g;
|
||||
$fields->{$k} = "'$fields->{$k}'";
|
||||
}
|
||||
elsif ( $v =~ /^\d+$/ ) {
|
||||
$fields->{$k} = "$v";
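Review bot: The rewrite at the new `$fields->{$k} =~ s/'/&39;/g;` line is not reversible: Data::Dumper emits both the string delimiters and any embedded quote (as `\'`) with the same character, and a configuration value that itself contains the literal text `&39;` (an HTML-escaped header value, for instance) will come back as `'` when the sequence is decoded, silently changing the stored configuration. Escaping the escape character first keeps the round trip exact, e.g. `$fields->{$k} =~ s/&/&amp;/g;` before `$fields->{$k} =~ s/'/&39;/g;`, with the reader undoing the two substitutions in reverse order. A short comment above the line saying why the quotes are encoded at all (presumably because the next line wraps every value in single quotes, which the reader later strips) would help the next maintainer. `saveConf` starts and ends outside the hunk.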
|
||||
|
@ -73,8 +75,21 @@ sub getConf {
|
|||
my $conf;
|
||||
while ( my ( $k, $v ) = each(%$fields) ) {
|
||||
$v =~ s/^'(.*)'$/$1/m;
|
||||
if( $k =~ /^(?:exportedVars|locationRules|groups|exportedHeaders|macros|globalStorageOptions)$/ ) {
|
||||
$conf->{$k} = thaw(decode_base64($v));
|
||||
if( $k =~ /^(?:exportedVars|locationRules|groups|exportedHeaders|macros|globalStorageOptions)$/ ) {
|
||||
my $data1;
|
||||
if ( $v !~ /^\$/ ) {
|
||||
print STDERR "Lemonldap::NG : Warning: configuration is in old format, you've to migrate !\n";
|
||||
eval 'require Storable;require MIME::Base64;';
|
||||
$conf->{$k} = Storable::thaw(MIME::Base64::decode_base64($v));
|
||||
}
|
||||
else {
|
||||
my $data;
|
||||
$v =~ s/^\$([_a-zA-Z][_a-zA-Z0-9]*) *=/\$data =/;
|
||||
eval $v;
|
||||
print STDERR "Lemonldap::NG : Error while reading configuration with $k key: $@\n" if($@);
|
||||
$data =~ s/&39;/'/g;
|
||||
$conf->{$k} = $data;
|
||||
}
|
||||
}
|
||||
else {
|
||||
$conf->{$k} = $v;
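Review bot: The unescape at `$data =~ s/&39;/'/g;` runs after `eval $v`, when `$data` is already a reference, so as far as the hunk shows the `&39;` sequences written by `saveConf` reach the parser untouched and a stored value such as `$data1 = {&39;Directory&39; => &39;/tmp&39;};` cannot be evaluated; the substitution has to be applied to `$v` before the eval. More seriously, `eval $v` executes whatever string sits in the configuration store, so anyone who can write that store (the DBI table, a shared configuration directory, or the SOAP proxy) gets code execution in every portal and handler process, and the variable-name rewrite on the line above constrains only the first token. Evaluating the text in a `Safe` compartment (`use Safe;` at the top of the module) narrows what it can do to building data, and a failed eval should not silently leave an undef `$conf->{$k}` behind. `getConf` continues outside the hunk.
```perl
        else {
            my $data;
            # Restore the quotes before the string is parsed: after the eval
            # $data is a reference, so a substitution on it changes nothing.
            $v =~ s/&39;/'/g;
            $v =~ s/^\$([_a-zA-Z][_a-zA-Z0-9]*) *=/\$data =/;
            # The stored text is only ever a data constructor; evaluate it in
            # a Safe compartment rather than in the module's own namespace.
            $data = Safe->new->reval($v);
            if ($@) {
                warn "Lemonldap::NG : Error while reading configuration with $k key: $@";
            }
            else {
                $conf->{$k} = $data;
            }
        }
```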
|
||||
|
|
|
@ -2,11 +2,10 @@ package Lemonldap::NG::Manager::Conf::DBI;
|
|||
|
||||
use strict;
|
||||
use DBI;
|
||||
use Storable qw(freeze thaw);
|
||||
use MIME::Base64;
|
||||
use Lemonldap::NG::Manager::Conf::Constants;
|
||||
|
||||
our $VERSION = 0.14;
|
||||
our $VERSION = 0.15;
|
||||
|
||||
BEGIN {
|
||||
*Lemonldap::NG::Manager::Conf::dbh = \&dbh;
|
||||
|
|
|
@ -367,7 +367,10 @@ sub store {
|
|||
eval {
|
||||
tie %h, $self->{globalStorage}, undef, $self->{globalStorageOptions};
|
||||
};
|
||||
return PE_APACHESESSIONERROR if ($@);
|
||||
if ( $@ ) {
|
||||
print STDERR "$@\n";
|
||||
return PE_APACHESESSIONERROR;
|
||||
}
|
||||
$self->{id} = $h{_session_id};
|
||||
$h{$_} = $self->{sessionInfo}->{$_}
|
||||
foreach ( keys %{ $self->{sessionInfo} } );
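Review bot: `print STDERR "$@\n";` writes the raw tie exception straight to the process's STDERR; under mod_perl that reaches the error log without the timestamp and prefix that `warn` gets, and because the text comes from Apache::Session or DBI it may carry parts of `globalStorageOptions` such as the DSN. I would use `warn "Lemonldap::NG : session storage error: $@";` (or the portal's own logging hook, if it has one) so the message is labelled and routed like the rest of the portal's diagnostics. `store` starts and continues outside the hunk.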
|
||||
|
|