From 621afef56b64dc65390ed8a4749a55c199f8bb1a Mon Sep 17 00:00:00 2001 
From: Xavier Guimard Date: Sun, 22 Jul 2007 20:30:27 +0000 Subject: [PATCH] LEMONLDAP::NG : New features : * new logout system: URL interception can now be configured in Manager interface * TLS can now be used in LDAP connexions --- build/lemonldap-ng/_example/index.pl | 6 +- build/lemonldap-ng/debian/changelog | 4 +- build/lemonldap-ng/debian/handler-apache.conf | 1 + .../lemonldap-ng/debian/handler-apache2.conf | 1 + .../lemonldap-ng/debian/lemonldap-ng.examples | 2 + build/lemonldap-ng/debian/rules | 2 + .../scripts/make_static_example.pl | 3 +- modules/lemonldap-ng-handler/Changes | 4 + modules/lemonldap-ng-handler/MANIFEST | 12 +-- modules/lemonldap-ng-handler/README | 3 +- .../lib/Lemonldap/NG/Handler.pm | 8 +- .../lib/Lemonldap/NG/Handler/Simple.pm | 92 +++++++++++++++--- ...ple.t => 01-Lemonldap-NG-Handler-Simple.t} | 0 ...host.t => 05-Lemonldap-NG-Handler-Vhost.t} | 0 ...t => 10-Lemonldap-NG-Handler-SharedConf.t} | 0 ...er-CDA.t => 20-Lemonldap-NG-Handler-CDA.t} | 0 ...er-CGI.t => 30-Lemonldap-NG-Handler-CGI.t} | 0 ...roxy.t => 40-Lemonldap-NG-Handler-Proxy.t} | 0 modules/lemonldap-ng-manager/Changes | 4 + .../lib/Lemonldap/NG/Manager.pm | 4 +- .../lib/Lemonldap/NG/Manager/Help.pm | 94 +++++++++++++++---- modules/lemonldap-ng-portal/Changes | 4 + .../lib/Lemonldap/NG/Portal.pm | 6 +- .../lib/Lemonldap/NG/Portal/Simple.pm | 42 ++++++++- 24 files changed, 239 insertions(+), 53 deletions(-) rename modules/lemonldap-ng-handler/t/{Lemonldap-NG-Handler-Simple.t => 01-Lemonldap-NG-Handler-Simple.t} (100%) rename modules/lemonldap-ng-handler/t/{Lemonldap-NG-Handler-Vhost.t => 05-Lemonldap-NG-Handler-Vhost.t} (100%) rename modules/lemonldap-ng-handler/t/{Lemonldap-NG-Handler-SharedConf.t => 10-Lemonldap-NG-Handler-SharedConf.t} (100%) rename modules/lemonldap-ng-handler/t/{Lemonldap-NG-Handler-CDA.t => 20-Lemonldap-NG-Handler-CDA.t} (100%) rename modules/lemonldap-ng-handler/t/{Lemonldap-NG-Handler-CGI.t => 30-Lemonldap-NG-Handler-CGI.t} (100%) rename 
modules/lemonldap-ng-handler/t/{Lemonldap-NG-Handler-Proxy.t => 40-Lemonldap-NG-Handler-Proxy.t} (100%) diff --git a/build/lemonldap-ng/_example/index.pl b/build/lemonldap-ng/_example/index.pl index 5a85d4148..90e51e29b 100755 --- a/build/lemonldap-ng/_example/index.pl +++ b/build/lemonldap-ng/_example/index.pl @@ -9,7 +9,7 @@ print $cgi->start_html( 'Page protected by Lemonldap::NG' ); my($headers, $env)=({},{}); use Data::Dumper; print "
";
-foreach(keys %ENV) {
+foreach(sort keys %ENV) {
     if($_ =~ /^HTTP_/) {
         ($a=$_) =~ s/^HTTP_//i;
         #$a =~ s/_/ /g;
@@ -30,7 +30,7 @@ print qq#

Authentication succeed

\n #; -foreach(keys %$headers) { +foreach(sort keys %$headers) { $style = $_ eq 'Auth-User' ? 'style="background-color: #FFEEEE;font-weight: bold;"' : ''; print " @@ -52,7 +52,7 @@ print qq#

Environment for Perl CGI :

same server than Lemonldap::NG handler (\$whatToTrace parameter). If you use it on a reverse-proxy, \$ENV{REMOTE_USER} is not set.

HeaderPerl CGIPHP scriptValue
$_
\n#; -foreach(keys %ENV) { +foreach(sort keys %ENV) { my $tmp = $ENV{$_}; $tmp =~ s/&/&/g; $tmp =~ s/>/>/g; diff --git a/build/lemonldap-ng/debian/changelog b/build/lemonldap-ng/debian/changelog index d9d636b6a..42c09bd50 100644 --- a/build/lemonldap-ng/debian/changelog +++ b/build/lemonldap-ng/debian/changelog @@ -3,8 +3,10 @@ lemonldap-ng (0.8.3) unstable; urgency=high * Syntax errors in configuration are now displayed * Security fix: authentication could be replayed with another uid * Debian package uses po-debconf + * TLS is now supported in LDAP connections (thanks to Baptiste Grenier) + * New logout system: logout urls can be now intercepted in Manager - -- Xavier Guimard Sun, 08 Jul 2007 15:47:16 +0200 + -- Xavier Guimard Sun, 22 Jul 2007 21:01:35 +0200 lemonldap-ng (0.8.2.4) unstable; urgency=low diff --git a/build/lemonldap-ng/debian/handler-apache.conf b/build/lemonldap-ng/debian/handler-apache.conf index ba5a78188..914c52150 100644 --- a/build/lemonldap-ng/debian/handler-apache.conf +++ b/build/lemonldap-ng/debian/handler-apache.conf @@ -16,6 +16,7 @@ # Optional interception of the logout URL => single logout + # if not done in configuration interface PerlHeaderParserHandler My::Package->logout diff --git a/build/lemonldap-ng/debian/handler-apache2.conf b/build/lemonldap-ng/debian/handler-apache2.conf index c4d99fbba..85fa72bbe 100644 --- a/build/lemonldap-ng/debian/handler-apache2.conf +++ b/build/lemonldap-ng/debian/handler-apache2.conf @@ -17,6 +17,7 @@ PerlOptions +GlobalRequest # Optional interception of the logout URL => single logout + # if not done in configuration interface PerlHeaderParserHandler My::Package->logout diff --git a/build/lemonldap-ng/debian/lemonldap-ng.examples b/build/lemonldap-ng/debian/lemonldap-ng.examples index 9cfb2c667..e9909d630 100644 --- a/build/lemonldap-ng/debian/lemonldap-ng.examples +++ b/build/lemonldap-ng/debian/lemonldap-ng.examples 
@@ -1 +1,3 @@ debian/tmp/var/lib/lemonldap-ng/test.pl +debian/tmp/var/lib/lemonldap-ng/apache-protected-area.conf +debian/tmp/var/lib/lemonldap-ng/apache2-protected-area.conf diff --git a/build/lemonldap-ng/debian/rules b/build/lemonldap-ng/debian/rules index 593ef5fde..70e504b83 100755 --- a/build/lemonldap-ng/debian/rules +++ b/build/lemonldap-ng/debian/rules @@ -53,6 +53,8 @@ install: build $(MAKE) example EXAMPLEDIRBUILD=debian/tmp/var/lib/lemonldap-ng EXAMPLEDIR=/var/lib/lemonldap-ng/ EXAMPLECONFDIR=/var/lib/lemonldap-ng/conf cp debian/tmp/var/lib/lemonldap-ng/handler/MyHandler.pm debian/tmp/var/lib/lemonldap-ng/handler/MyHandler-Debian.pm mv debian/tmp/var/lib/lemonldap-ng/index.pl debian/tmp/var/lib/lemonldap-ng/test.pl + mv debian/tmp/var/lib/lemonldap-ng/handler/lmH-apache.conf debian/tmp/var/lib/lemonldap-ng/apache-protected-area.conf + mv debian/tmp/var/lib/lemonldap-ng/handler/lmH-apache2.conf debian/tmp/var/lib/lemonldap-ng/apache2-protected-area.conf perl -000 -i -pe 's/(new\s*\(\s*){[^}]+}/$$1\$$Lemonldap::NG::Conf::configStorage/; s#^use#\nrequire "/usr/share/lemonldap-ng/configStorage.pm";\nuse#m;' \ debian/tmp/var/lib/lemonldap-ng/manager/scripts/lmConfigEditor \ debian/tmp/var/lib/lemonldap-ng/handler/MyHandler-Debian.pm diff --git a/build/lemonldap-ng/scripts/make_static_example.pl b/build/lemonldap-ng/scripts/make_static_example.pl index dedbb8e8b..231661693 100755 --- a/build/lemonldap-ng/scripts/make_static_example.pl +++ b/build/lemonldap-ng/scripts/make_static_example.pl @@ -29,6 +29,7 @@ sub scan { while (<$IN>) { s/\r//g; if (/lmQuery/) { + s/__SCRIPTNAME__\?lmQuery=conf&cfgNum="\+n/conf.xml"/; if (s/__SCRIPTNAME__\?lmQuery=([^"']*)js/$1.js/) { scan( $script, "$1.js", "lmQuery=$1js" ); } 
@@ -36,7 +37,7 @@ sub scan { # Nothing to do here } elsif (s/__SCRIPTNAME__\?lmQuery=conf/conf.xml/) { - scan( $script, "conf.xml", "lmQuery=conf" ); + scan( $script, "conf.xml", "lmQuery=conf&cfgNum=0" ); } elsif (s/__SCRIPTNAME__\?lmQuery=([^"']*)css/style$1.css/) { scan( $script, "style$1.css", "lmQuery=$1css" ); diff --git a/modules/lemonldap-ng-handler/Changes b/modules/lemonldap-ng-handler/Changes index 432ea9bfe..8c487386e 100644 --- a/modules/lemonldap-ng-handler/Changes +++ b/modules/lemonldap-ng-handler/Changes @@ -1,5 +1,9 @@ Revision history for Perl extension Lemonldap::NG::Handler. +0.83 Sun Jul 22 22:19:12 2007 + - New logout system : URL can now be declared in Manager + interface + 0.82 Fri Jun 1 6:52:43 2007 - Little bug: SharedConf.pm needs Manager::Conf and not Manager diff --git a/modules/lemonldap-ng-handler/MANIFEST b/modules/lemonldap-ng-handler/MANIFEST index da2551ad0..b3eef799c 100644 --- a/modules/lemonldap-ng-handler/MANIFEST +++ b/modules/lemonldap-ng-handler/MANIFEST @@ -14,9 +14,9 @@ Makefile.PL MANIFEST META.yml Module meta-data (added by MakeMaker) README -t/Lemonldap-NG-Handler-CDA.t -t/Lemonldap-NG-Handler-CGI.t -t/Lemonldap-NG-Handler-Proxy.t -t/Lemonldap-NG-Handler-SharedConf.t -t/Lemonldap-NG-Handler-Simple.t -t/Lemonldap-NG-Handler-Vhost.t +t/01-Lemonldap-NG-Handler-Simple.t +t/05-Lemonldap-NG-Handler-Vhost.t +t/10-Lemonldap-NG-Handler-SharedConf.t +t/20-Lemonldap-NG-Handler-CDA.t +t/30-Lemonldap-NG-Handler-CGI.t +t/40-Lemonldap-NG-Handler-Proxy.t diff --git a/modules/lemonldap-ng-handler/README b/modules/lemonldap-ng-handler/README index 56fcf3151..79a6742ec 100644 --- a/modules/lemonldap-ng-handler/README +++ b/modules/lemonldap-ng-handler/README 
@@ -196,7 +196,8 @@ Cache::Cache module that does not use disk access. Lemonldap::NG provides a single logout system: you can use it by adding a link to the portal with "logout=1" parameter in the portal (See Lemonldap::NG::Portal) and/or by configuring handler to intercept some URL -(See Lemonldap::NG::Handler). The logout system: +(See Lemonldap::NG::Handler) directly in the manager interface or in apache +configuration file. The logout system: * delete session in the global session storage, * replace Lemonldap::NG cookie by '', * delete handler caches only if logout action was started from a protected diff --git a/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm b/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm index 167a47b13..3c74d70d6 100644 --- a/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm +++ b/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm @@ -2,7 +2,7 @@ package Lemonldap::NG::Handler; print STDERR "See Lemonldap::NG::Handler(3) to know which Lemonldap::NG::Handler::* module to use."; -our $VERSION = "0.82"; +our $VERSION = "0.83"; 1; @@ -68,7 +68,8 @@ You can also unprotect an URI PerlHeaderParserHandler My::Package->unprotect -If your application has a "logout" URL, configure it: +If your application has a "logout" URL, you can configure it directly in Apache +configuration file (or in the manager interface) : PerlHeaderParserHandler My::Package->logout @@ -295,6 +296,9 @@ connected on it in the last 10 minutes. =back +You can also configure rules in the Manager interface to intercept logout URL. +See L and L for more. + =head1 USING LEMONLDAP::NG::HANDLER FOR DEVELOPMENT Lemonldap::NG::Handler provides different modules: diff --git a/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Simple.pm b/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Simple.pm index 419bd575d..9ae66e854 100644 --- a/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Simple.pm 
+++ b/modules/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Simple.pm @@ -7,7 +7,7 @@ use Exporter 'import'; use Safe; require POSIX; -our $VERSION = '0.81'; +our $VERSION = '0.83'; our %EXPORT_TAGS = ( localStorage => @@ -17,6 +17,7 @@ our %EXPORT_TAGS = ( qw( $locationCondition $defaultCondition $locationCount $locationRegexp $apacheRequest $datas $safe $portal + $logout ) ], import => [ qw( import @EXPORT_OK @EXPORT %EXPORT_TAGS ) ], @@ -55,6 +56,7 @@ our ( $globalStorage, $globalStorageOptions, $localStorage, $localStorageOptions, $whatToTrace, $https, $refLocalStorage, $safe, $cookieSecured, + $logout, ); ########################################## @@ -127,13 +129,14 @@ BEGIN { '; } *handler = ( MP() == 2 ) ? \&handler_mp2 : \&handler_mp1; + *logout = ( MP() == 2 ) ? \&logout_mp2 : \&logout_mp1; } sub handler_mp1 ($$) { shift->run(@_) } +sub handler_mp2 : method { shift->run(@_); } -sub handler_mp2 : method { - shift->run(@_); -} +sub logout_mp1 ($$) { shift->unlog(@_) } +sub logout_mp2 : method { shift->unlog(@_); } sub lmLog { my ( $class, $mess, $level ) = @_; 
@@ -320,6 +323,36 @@ sub conditionSub { if ( $cond =~ /^accept$/i ); return sub { 0 } if ( $cond =~ /^deny$/i ); + if ( $cond =~ /^logout(?:_sso)?(?:\s+(.*))?$/i ) { + my $url = $1 || $class->encodeUrl ( "/" ); + return sub { $logout = $url; return 0 } + } + if( MP() == 2 ) { + if ( $cond =~ /^logout_app(?:\s+(.*))?$/i ) { + my $u = $1; + eval 'use Apache2::Filter' unless($INC{"Apache2/Filter.pm"}); + return sub { + $apacheRequest->add_output_filter(sub { + return $class->redirectFilter( $u, @_ ); + } + ); + 1; + }; + } + elsif ( $cond =~ /^logout_app_sso(?:\s+(.*))?$/i ) { + eval 'use Apache2::Filter' unless($INC{"Apache2/Filter.pm"}); + my $u = encode_base64($1); + $u =~ s/[\r\n]//g; + return sub { + $class->localUnlog; + $apacheRequest->add_output_filter(sub { + return $class->redirectFilter( "$portal?url=$u&logout=1", @_ ); + } + ); + 1; + }; + } + } $cond =~ s/\$date/&POSIX::strftime("%Y%m%d%H%M%S",localtime())/e; $cond =~ s/\$(\w+)/\$datas->{$1}/g; my $sub; @@ -408,8 +441,12 @@ sub grant { # forbidden : used to reject non authorizated requests sub forbidden { my $class = shift; - - # We use Apache::Log here + if( $logout ) { + $apacheRequest->headers_out->set( + 'Location' => "$portal?url=$logout" + ); + return REDIRECT; + } $class->lmLog( 'The user "' . $datas->{$whatToTrace} . '" was reject when he tried to access to ' . shift, 'notice' 
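Review bot: The `logout_sso` branch in conditionSub stores the configured URL raw (`my $url = $1 || $class->encodeUrl ( "/" )`) while the fallback is base64-encoded by encodeUrl and the `logout_app_sso` branch base64-encodes its URL, so the value forbidden later places in `$portal?url=$logout` is encoded or not depending on whether the rule names a URL. Encode the configured value the same way: `my $url = defined $1 ? encode_base64( $1, '' ) : $class->encodeUrl("/");` (the empty second argument suppresses the trailing newline, replacing the `s/[\r\n]//g` used further down). The `logout_app_sso` branch calls `encode_base64($1)` with `$1` undefined when the rule gives no URL, which yields an empty `url=` plus a warning; it should fall back to encodeUrl("/") like the first branch. That branch also reads `$1` after the `eval 'use Apache2::Filter'`; capture variables are restored when the eval's scope exits, but copying `$1` into a lexical before the eval, as `logout_app` already does, is the safer ordering.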
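Review bot: `$logout` is a package global that forbidden reads but never clears, and the only reset in this patch is `$logout = 0` in unlog, so in a persistent mod_perl interpreter a request that matched a logout rule leaves `$logout` set and a later request in the same process denied by an ordinary `deny` rule would be redirected to the stale logout URL instead of receiving the 403 — unless run() resets it, which is outside this diff. Clear it where it is consumed: `my $url = $logout; $logout = 0;` at the top of the `if( $logout )` block, then `'Location' => "$portal?url=$url"`. Separately, this redirect carries only `url=`, whereas unlog appends `logout=1` and calls localUnlog first; unless the portal treats a bare `url=` as a logout request (not visible here), a `logout_sso` rule neither ends the session nor purges the handler's local cache, so consider `$class->localUnlog;` and the `logout=1` argument here too. forbidden's body (the lmLog call) continues outside the hunk.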
@@ -426,27 +463,33 @@ sub hideCookie { lmSetHeaderIn( $apacheRequest, 'Cookie' => $tmp ); } -# Redirect non-authenticated users to the portal -sub goToPortal() { - my ( $class, $url, $arg ) = @_; +sub encodeUrl { + my ( $class, $url ) = @_; my $port = $apacheRequest->get_server_port(); $port = ( $https && $port == 443 ) ? '' : ( !$https && $port == 80 ) ? '' : ':' . $apacheRequest->get_server_port(); - my $urlc_init = + my $u = encode_base64( "http" . ( $https ? "s" : "" ) . "://" . $apacheRequest->get_server_name() . $port . $url ); - $urlc_init =~ s/[\n\s]//sg; + $u =~ s/[\r\n\s]//sg; + return $u; +} + +# Redirect non-authenticated users to the portal +sub goToPortal() { + my ( $class, $url, $arg ) = @_; $class->lmLog( "Redirect " . $apacheRequest->connection->remote_ip . " to portal (url was $url)", 'debug' ); + my $urlc_init = $class->encodeUrl ( $url ); $apacheRequest->headers_out->set( 'Location' => "$portal?url=$urlc_init" . ( $arg ? "&$arg" : "" ) ); @@ -551,9 +594,8 @@ sub unprotect { OK; } -sub logout ($$) { - my $class; - ($class, $apacheRequest ) = @_; +sub localUnlog { + my $class = shift; if( my $id = $class->fetchId ) { # Delete Apache thread datas if ( $id eq $datas->{_session_id} ) { @@ -564,9 +606,31 @@ sub logout ($$) { $refLocalStorage->remove($id); } } +} + +sub unlog ($$) { + my $class; + $logout = 0; + ($class, $apacheRequest ) = @_; + $class->localUnlog; return $class->goToPortal( '/', 'logout=1' ); } +sub redirectFilter { + my $class = shift; + my $url = shift; + my $f = shift; + unless ($f->ctx) { + $f->r->status(REDIRECT); + $f->r->status_line("302 Temporary Moved"); + $f->r->err_headers_out->set('Location' => $url); + $f->ctx(1); + } + while ($f->read(my $buffer, 1024)) { + } + return REDIRECT; +} + 1; __END__ 
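Review bot: redirectFilter returns `REDIRECT` from an output filter, but a mod_perl output filter's return value is an APR status, not an HTTP status; the response code is already set through `$f->r->status(REDIRECT)`, so the filter should `return OK;` after draining the brigade (I believe a 302 returned here is reported as a filter failure, but confirm against the mod_perl version in use). The reason phrase `"302 Temporary Moved"` is non-standard; HTTP/1.1 names 302 "Found", so `"302 Found"` is the expected status line. If the application's own response already carried a `Location` header it stays in headers_out next to the one written to err_headers_out, so add `$f->r->headers_out->unset('Location');` before setting it. The logout_app* rules that install this filter live in conditionSub, in an earlier hunk.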
diff --git a/modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-Simple.t b/modules/lemonldap-ng-handler/t/01-Lemonldap-NG-Handler-Simple.t similarity index 100% rename from modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-Simple.t rename to modules/lemonldap-ng-handler/t/01-Lemonldap-NG-Handler-Simple.t diff --git a/modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-Vhost.t b/modules/lemonldap-ng-handler/t/05-Lemonldap-NG-Handler-Vhost.t similarity index 100% rename from modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-Vhost.t rename to modules/lemonldap-ng-handler/t/05-Lemonldap-NG-Handler-Vhost.t diff --git a/modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-SharedConf.t b/modules/lemonldap-ng-handler/t/10-Lemonldap-NG-Handler-SharedConf.t similarity index 100% rename from modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-SharedConf.t rename to modules/lemonldap-ng-handler/t/10-Lemonldap-NG-Handler-SharedConf.t diff --git a/modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-CDA.t b/modules/lemonldap-ng-handler/t/20-Lemonldap-NG-Handler-CDA.t similarity index 100% rename from modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-CDA.t rename to modules/lemonldap-ng-handler/t/20-Lemonldap-NG-Handler-CDA.t diff --git a/modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-CGI.t b/modules/lemonldap-ng-handler/t/30-Lemonldap-NG-Handler-CGI.t similarity index 100% rename from modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-CGI.t rename to modules/lemonldap-ng-handler/t/30-Lemonldap-NG-Handler-CGI.t diff --git a/modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-Proxy.t b/modules/lemonldap-ng-handler/t/40-Lemonldap-NG-Handler-Proxy.t similarity index 100% rename from modules/lemonldap-ng-handler/t/Lemonldap-NG-Handler-Proxy.t rename to modules/lemonldap-ng-handler/t/40-Lemonldap-NG-Handler-Proxy.t diff --git a/modules/lemonldap-ng-manager/Changes b/modules/lemonldap-ng-manager/Changes index 9d95b5312..861ca81d0 100644 
--- a/modules/lemonldap-ng-manager/Changes +++ b/modules/lemonldap-ng-manager/Changes @@ -1,5 +1,9 @@ Revision history for Perl extension Lemonldap::NG::Manager. +0.82 Sat jul 21 15:21:32 2007 + - TLS support in LDAP + - Help for new logout system + 0.8 Sat jun 23 21:54:27 2007 - New feature: syntax errors are now displayed in the manager interface diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm index dda1292b6..f84582c40 100644 --- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm +++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm @@ -17,7 +17,7 @@ use MIME::Base64; our @ISA = qw(Lemonldap::NG::Manager::Base); -our $VERSION = '0.8'; +our $VERSION = '0.82'; sub new { my ( $class, $args ) = @_; @@ -522,7 +522,7 @@ sub checkConf { } } # Test boolean expressions - unless ( $v eq 'deny' or $v eq 'accept' ) { + unless ( $v =~ /^(?:accept$|deny$|logout)/ ) { # "=" may be a fault (but not "==") if ( $v =~ /(?<=[^=<\?])=(?!=)/ ) { $response->warning( &txt_rule . " $vh -> \"$reg\" : " . &txt_containsAnAssignment ); diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Help.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Help.pm index ca54e6be2..cbadf1e85 100644 --- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Help.pm +++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Help.pm @@ -190,11 +190,25 @@ authentication is done by another system (SSL for example).
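Review bot: The new check in checkConf, `unless ( $v =~ /^(?:accept$|deny$|logout)/ )`, is prefix-only for `logout`, so a misspelt rule such as `logout_ssoo /` or `logoutx` is accepted by the Manager as a keyword rule while the handler's conditionSub recognises only `logout`, `logout_sso`, `logout_app` and `logout_app_sso` and will try to compile anything else as a Perl expression at request time. Anchor the keyword list to what the handler accepts: `unless ( $v =~ /^(?:accept|deny|logout(?:_sso|_app(?:_sso)?)?(?:\s|$))/ )`. The rest of checkConf is outside the hunk.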

base). Example :
   dc=example, dc=com 
  • LDAP server port : 389 by default ;
  • -
  • LDAP server : Name (or IP address) of the LDAP server. To use LDAPS, set - here : -
       ldaps://server/
    - and don't forget to change port (636 for example). You can specify more than - one server separated by commas. They will be tried in the specified order. +
  • LDAP server : Name(s) (or IP address(es)) of the LDAP server(s). + You can specify more than one server separated by commas and/or spaces, + they will be tried in the specified order. + You can also use encrypted connections : +
      +
    • LDAPS : instead of a server name, use : +
         ldaps://server/
      + and don't forget to change port (636 for example). +
    • +
    • TLS : instead of a server name, use : +
         ldap+tls://server/
      + you can also set any of the parameters needed by Net::LDAP start_tls + function : +
         ldap+tls://server/?verify=none&capath=/etc/ssl
      + See Net::LDAP(3) manual page to know all available parameters. + You can also set caPath or caFile parameters in the new() function when + building the portal (because they should depend on local file system). +
    • +
  • LDAP account : optional, must be set if anonymous connection cannot access to the wanted LDAP attributes. This account is used before LDAP @@ -216,13 +230,28 @@ réalisée par un autre moyen (SSL par exemple).

    accepte les requêtes sans base). Exemple :
       dc=example, dc=com 
  • Port du serveur LDAP : 389 par défaut ;
  • -
  • Serveur LDAP : Nom (ou adresse IP) du serveur LDAP. Pour une connexion - LDAPS, indiquez ici : -
       ldaps://server/
    - et n'oubliez pas de changer le port (636 en général). Vous - pouvez indiquer plusieurs serveurs ici séparés par des virgules. Ils seront - testés dans l'ordre indiqué. -
  • +
  • Serveur LDAP : Nom(s) (ou adresse(s) IP) du(des) serveur(s) LDAP. + Vous pouvez indiquer plusieurs serveurs ici séparés par des + virgules et/ou des espaces. Ils seront testés dans l'ordre indiqué. + Vous pouvez également utiliser des connexions chiffrées : +
      +
    • LDAPS : au lieu de noms de serveurs, indiquez ici : +
         ldaps://serveur/
      + et n'oubliez pas de changer le port (636 en général). +
    • +
    • TLS : au lieu de noms de serveurs, indiquez ici : +
         ldap+tls://serveur/
      + vous pouvez également y ajouter tous les paramètres + demandés par la fonction start_tls de Net::LDAP : +
         ldap+tls://serveur/?verify=none&capath=/etc/ssl
      + Reportez-vous à la page de manuel de Net::LDAP(3) pour + connaître les paramètres disponibles. + Vous pouvez également utiliser les paramètres caPath ou + caFile lors de la construction du portail dans la fonction new() (car + ils peuvent dépendre du système de fichier local). +
    • +
    +
  • Compte de connexion LDAP : optionnel, à renseigner si les attributs LDAP utilisés ne sont pas accessibles par une session anonyme. Ce compte est utilisé avant l'authentification pour trouver le dn de l'utilisateur ; @@ -404,6 +433,21 @@ users member of 'group1'. You can also use 'accept' and 'deny' keywords.

    If URL doesn't match any regular expression, 'default' rule is called to grant or not.

    +
    Logout
    + +You can also write Logout rules to intercept application logout url using the +reserved words : +
      +
    • logout_sso URL : the request generates a redirection to the portal to call + logout mechanism. The request is not given to the application so its logout + function is not called. After logout, the user is redirected to the URL,
    • +
    • logout_app URL : the request is transmitted to the application, but the + result is not displayed : the user is redirected to the URL,
    • +
    • logout_app_sso URL : the request is transmitted to the application and + then, the user is redirected to the portal with the logout call and then, + he is redirected to the given URL.
    • +
    +

    Headers

    Headers are used to inform the remote application on the connected user. @@ -452,6 +496,24 @@ tous les utilisateurs authentifiés peuvent accéder.

    droit d'accès est calculé à partir de l'expression booléenne définie dans la règle par défaut (default).

    +
    Logout
    + +Vous pouvez également écrire des règles pour intercepter +les URL de déconnexions des applications en utilisant les mots-clefs : +
      +
    • logout_sso URL : la requête entraine une redirection vers le portail + avec l'appel au système de déloguage. La requête n'est + pas transmise à l'applicationthe. Après déloguage, + l'utilisateur est renvoyé vers l'URL,
    • +
    • logout_app URL : la requête est transmise à l'applications + mais le résultat n'est pas affiché : l'utilisateur est + redirigé vers l'URL,
    • +
    • logout_app_sso URL : la requête est transmise à l'application + et ensuite, l'utilisateur est redirigé vers le portail avec appel au + système de déloguage. Il est ensuite redirigé vers + l'URL.
    • +
    +

    En-têtes

    Les en-têtes servant à l'application à savoir qui est connecté se déclarent @@ -478,9 +540,9 @@ EOT sub help_whatToTrace_fr { print <Donnée à journaliser dans Apache -

    Indiquez ici le nom de la variable (attribut) ou de la macro qui doit être -utilisée pour alimenter les journaux Apache des applications protégées -(n'oubliez pas le "\$"). Par défaut : \$uid

    +

    Donnée à journaliser dans Apache

    +

    Indiquez ici le nom de la variable (attribut) ou de la macro qui doit être +utilisée pour alimenter les journaux Apache des applications protégées +(n'oubliez pas le "\$"). Par défaut : \$uid

    EOT } diff --git a/modules/lemonldap-ng-portal/Changes b/modules/lemonldap-ng-portal/Changes index 7438d0309..e0df387a6 100644 --- a/modules/lemonldap-ng-portal/Changes +++ b/modules/lemonldap-ng-portal/Changes @@ -1,5 +1,9 @@ Revision history for Perl extension Lemonldap::NG::Portal. +0.76 Sat Jul 21 15:21:57 2007 + - LDAP+TLS support (thanks to Baptiste Grenier) + - New logout system: URL can now be declared in Manager interface + 0.75 Tue Jul 3 20:42:09 2007 - Security fix: authentication could be replayed with another uid diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm index 953474c18..4b84048ff 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal.pm @@ -2,7 +2,7 @@ package Lemonldap::NG::Portal; print STDERR "See Lemonldap::NG::Portal(3) to know which Lemonldap::NG::Portal::* module to use."; -our $VERSION = "0.75"; +our $VERSION = "0.76"; 1; @@ -259,8 +259,8 @@ L module that does not use disk access. Lemonldap::NG provides a single logout system: you can use it by adding a link to the portal with "logout=1" parameter (See Synopsis) and/or by configuring -Handler to intercept some URL (See L). The logout -system: +Handler to intercept some URL directly in the manager interface and/or in +Apache configuration file (See L). The logout system: =over diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm index 126fdf70c..f1b108c98 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm @@ -13,7 +13,7 @@ use CGI::Cookie; require POSIX; use Lemonldap::NG::Portal::_i18n; -our $VERSION = '0.75'; +our $VERSION = '0.76'; our @ISA = qw(CGI Exporter); 
@@ -199,6 +199,14 @@ sub controlExistingSession { # Delete cookie $self->{id} = ""; $self->buildCookie(); + if( $self->{urldc} ) { + if( $self->{autoRedirect} ) { + &{ $self->{autoRedirect} }($self); + } + else { + $self->autoRedirect(); + } + } return PE_FIRSTACCESS; } $self->{id} = $id; @@ -265,7 +273,17 @@ sub formateFilter { sub connectLDAP { my $self = shift; return PE_OK if ( $self->{ldap} ); + my $useTls = 0; + my $tlsParam; foreach my $server ( split /[\s,]+/, $self->{ldapServer} ) { + if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) { + $useTls = 1; + $server = $1; + $tlsParam = $2 || ""; + } + else { + $useTls = 0; + } last if $self->{ldap} = Net::LDAP->new( $server, port => $self->{ldapPort}, @@ -273,6 +291,13 @@ sub connectLDAP { ); } return PE_LDAPCONNECTFAILED unless ( $self->{ldap} ); + if ($useTls) { + my %h = split( /[&=]/, $tlsParam ); + $h{cafile} = $self->{caFile} if( $self->{caFile} ); + $h{capath} = $self->{caPath} if( $self->{caPath} ); + my $mesg = $self->{ldap}->start_tls(%h); + $mesg->code && return PE_LDAPCONNECTFAILED; + } PE_OK; } @@ -510,6 +535,11 @@ Lemonldap::Portal::* libraries. =item * ldapServer: server(s) used to retrive session informations and to valid credentials (localhost by default). More than one server can be set here separated by commas. The servers will be tested in the specifies order. +To use TLS, set "ldap+tls://server" and to use LDAPS, set "ldaps://server" +instead of server name. If you use TLS, you can set any of the +Net::LDAP->start_tls() sub like this: + "ldap/tls://server/verify=none&capath=/etc/ssl" +You can also use caFile and caPath parameters. =item * ldapPort: tcp port used by ldap server. 
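Review bot: In controlExistingSession the new block redirects to `$self->{urldc}` right after the cookie has been deleted, and nothing in this hunk validates where that URL points; if urldc is derived from the request's `url=` parameter (set outside this hunk, presumably by decoding the query string), the logout link becomes an open redirect to an arbitrary host. Before calling autoRedirect, compare the target's host against the cookie domain or the configured protected hosts and fall through to `PE_FIRSTACCESS` on a mismatch; with `domain` being the cookie domain documented in the POD, a guard such as `if ( $self->{urldc} and $self->{urldc} =~ m{^https?://[^/]*\Q$self->{domain}\E(?:[:/]|$)}i ) {` would do. The enclosing function continues outside the hunk.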
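Review bot: In connectLDAP, when `start_tls` fails the method returns `PE_LDAPCONNECTFAILED` but leaves the plaintext `$self->{ldap}` handle in place, and the method's first line `return PE_OK if ( $self->{ldap} )` then treats that un-upgraded connection as usable on any later call, so a TLS failure silently degrades to cleartext LDAP. Drop the handle on failure: `if ( $mesg->code ) { $self->{ldap}->unbind; delete $self->{ldap}; return PE_LDAPCONNECTFAILED; }` (the `@@ -265` hunk parses the `ldap+tls://` URL; the failure path is in the `@@ -273` hunk). Net::LDAP's start_tls defaults `verify` to `none`, and both the Help.pm text and the POD below use `verify=none` as the example, so an `ldap+tls://` server gets no certificate validation unless the administrator adds `verify=require`; `$h{verify} = 'require' unless defined $h{verify};` whenever caFile or caPath is configured would make the supplied CA material actually enforce something. `split( /[&=]/, $tlsParam )` also performs no URL-decoding, so a parameter value containing `&` or `=` cannot be expressed.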
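Review bot: The new POD example `"ldap/tls://server/verify=none&capath=/etc/ssl"` does not match what connectLDAP parses (`m{^ldap\+tls://([^/]+)/?\??(.*)$}`): the scheme is `ldap+tls` and the parameters follow a `?`, so it should read `"ldap+tls://server/?verify=none&capath=/etc/ssl"`. The sentence "you can set any of the Net::LDAP->start_tls() sub like this" is missing its noun; "you can pass any of the parameters accepted by Net::LDAP->start_tls() like this" reads correctly.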
@@ -521,15 +551,15 @@ bind is used. =item * managerPassword: password to used to connect to ldap server. By default, anonymous bind is used. -=item * securedCookie: set it to 1 if you want to protect user cookies +=item * securedCookie: set it to 1 if you want to protect user cookies. -=item * cookieName: name of the cookie used by Lemonldap::NG (lemon by default) +=item * cookieName: name of the cookie used by Lemonldap::NG (lemon by default). =item * domain: cookie domain. You may have to give it else the SSO will work only on your server. =item * globalStorage: required: L library to used to store -session informations +session informations. =item * globalStorageOptions: parameters to bind to L module @@ -542,6 +572,10 @@ be set to: =back +=item * caPath, caFile: if you use ldap+tls you can overwrite cafile or capath +options with those parameters. This is usefull if you use a shared +configuration. + =back =head2 Methods that can be overloaded