diff --git a/build/lemonldap-ng/Makefile b/build/lemonldap-ng/Makefile index 464b0f638..5fbaedd20 100644 --- a/build/lemonldap-ng/Makefile +++ b/build/lemonldap-ng/Makefile @@ -502,7 +502,7 @@ manager_cpan: manager_conf documentation: @rm -f doc/pages/documentation/latest @cd doc/ && ../scripts/doc.pl - @rm -rf doc/pages/documentation/latest doc/pages/wiki doc/pages/playground + @rm -rf doc/pages/documentation/{latest,1.0} doc/pages/wiki doc/pages/playground @ln -s $$(perl -e '$$h{sprintf("%03d\.%03d\.%03d",split/\./,$$_)}=$$_ foreach(@ARGV); \ foreach(sort keys %h){$$last="$$h{$$_}\n"};print $$last;' \ $$(find doc/pages/documentation/ -maxdepth 1 -mindepth 1 -type d ! \ diff --git a/build/lemonldap-ng/doc/index/alphabetical.html b/build/lemonldap-ng/doc/index/alphabetical.html index 6f856afe3..ef2b109d9 100644 --- a/build/lemonldap-ng/doc/index/alphabetical.html +++ b/build/lemonldap-ng/doc/index/alphabetical.html @@ -16,4 +16,4 @@
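Review bot: the new `@rm -rf doc/pages/documentation/{latest,1.0} doc/pages/wiki doc/pages/playground` line in the `documentation` target relies on shell brace expansion, which make recipes do not get by default: recipe lines run under `/bin/sh`, and where that is dash (Debian/Ubuntu) the argument `doc/pages/documentation/{latest,1.0}` is passed literally, so neither `latest` nor `1.0` is removed and the step silently does nothing while the `ln -s` that follows keeps seeing a `1.0` directory. Either spell both paths out (`doc/pages/documentation/latest doc/pages/documentation/1.0`) or add `SHELL := /bin/bash` at the top of the Makefile so the expansion is guaranteed.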
--
+ +To use Active-Directory as LDAP backend, you must change few things in the manager : +
++(&(sAMAccountName=$user)(objectClass=person)) ++
+ +Two steps here: +
++ +Applications listed bellow are known to be easy to integrate in LL::NG. As LL::NG works like classic WebSSO (like Siteminder™), many other applications are easy to integrate. +
+ +HTTP Auth-Basic | Spring (ACEGI) | Tomcat | +
---|---|---|
![]() | ![]() | ![]() |
+
Some applications using it | +||
Outlook Web App +IBM Lotus iNotes | Probe +Lutece |
+
+ +
Google Apps | Zimbra | SAP | +
---|---|---|
![]() | ![]() | ![]() |
+
+ +Extract from the Wikipedia article: +
+ ++
+In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request. + + ++ + ++Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings “on the fly”. +
+So HTTP Basic Autentication is managed trough an HTTP header (Authorization
), that can be forged by LL::NG, with this precautions:
+
+ +The Basic Authentication relies on a specific HTTP header, as described above. So you have just to declare this header for the virtual host in Manager. +
+ +
+For example, to forward login ($uid
) and password ($_password
if password is stored in session):
+
+
+Authorization => "Basic ".encode_base64("$uid:$_password") ++ +
+LL::NG provides a special function named basic to build this header. +
+ ++So the above example can also be written like this: + +
++Authorization => basic($uid,$_password) ++ +
+
basic
function will also force conversion from UTF-8 to ISO-8859-1, which should be accepted by most of HTTP servers.
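Review bot: the example `Authorization => "Basic ".encode_base64("$uid:$_password")` yields a header value that ends in a newline, because MIME::Base64's `encode_base64` appends `"\n"` unless an empty end-of-line string is passed as the second argument; the result is a malformed header that some HTTP stacks reject or truncate. Either write `encode_base64("$uid:$_password", '')` or present `Authorization => basic($uid,$_password)` as the recommended form rather than an alternative, since `basic` also handles the charset conversion mentioned below. The text should also state that `$_password` exists only when the portal is configured to keep the password in session, and that forwarding it hands the user's clear-text password to every host that receives this header, so the header should be declared only on virtual hosts that really need Basic authentication.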
++ +Bugzilla is server software designed to help you manage software development. +
+ ++Bugzilla can authenticate a user with HTTP headers, and auto-create its account with a few information: +
+
+
+In Bugzilla administration interface, go in Parameters
» User authentication
+
+Then set: +
++ +Configure Bugzilla virtual host like other protected virtual host. +
+<VirtualHost *:80> + ServerName bugzilla.example.com + + PerlHeaderParserHandler My::Package + + ... + +</VirtualHost>+ +
+ +Go to the Manager and create a new virtual host for Bugzilla. +
+ ++Configure the access rules. +
+ ++Configure the following headers. +
++ +DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind. It is targeted at developer teams, workgroups and small companies. It has a simple but powerful syntax which makes sure the data files remain readable outside the Wiki and eases the creation of structured texts. All data is stored in plain text files – no database is required. +
+ ++
+You will need to install a Dokuwiki plugin, available on download page. The plugin will check the REMOTE_USER
environment variable to get the connected user.
+
+
+Download the plugin and copy the files in dokuwiki inc/auth/
directory:
+
+
+cp lemonldap.class.php inc/auth/ +cp lemonldapuserdatabackend.class.php inc/auth/ ++ +
+
+Edit Dokuwiki local configuration (conf/local.php
) and set lemonldap
as authentication type:
+
$conf[authtype] = lemonldap;+ +
+ +Configure Dokuwiki virtual host like other protected virtual host. +
+<VirtualHost *:80> + ServerName dokuwiki.example.com + + PerlHeaderParserHandler My::Package + + ... + +</VirtualHost>+ +
+
+ +Go to the Manager and create a new virtual host for Dokuwiki. +
+ ++Just configure the access rules. +
+ +
+If using LL::NG as reverse proxy, configure the Auth-User
header, else no headers are needed.
+
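Review bot: the DokuWiki setting `$conf[authtype] = lemonldap;` is missing its quotes; as written PHP treats `authtype` and `lemonldap` as undefined constants (a notice and, on newer PHP, a fatal error) and the authentication type is not set. It should read `$conf['authtype'] = 'lemonldap';`. The sentence 'If using LL::NG as reverse proxy, configure the Auth-User header' also deserves a caveat: the plugin reads `REMOTE_USER`, so in the reverse-proxy case something on the DokuWiki side still has to map the forwarded header into `REMOTE_USER`, and that mapping must only accept the header from the proxy.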
+ +Drupal is a CMS written in PHP. It can works with external modules to extends its functionalities. One of this module can be used to delegate authentication server to the web server: Webserver Auth. +
+ ++ +Install Webserver Auth module, by downloading it, and unarchive it in the drupal modules/ directory. +
+ ++ +Go on Drupal administration interface and enable the Webserver Auth module. +
+ ++ +Configure Drupal virtual host like other protected virtual host. +
+<VirtualHost *:80> + ServerName drupal.example.com + + PerlHeaderParserHandler My::Package + + ... + +</VirtualHost>+ +
+
+ +Go to the Manager and create a new virtual host for Drupal. +
+ ++Just configure the access rules. +
+ +
+If using LL::NG as reverse proxy, configure the Auth-User
header, else no headers are needed.
+
+ +With the above solution, all the Drupal site will be protected, so no anonymous access will be allowed. +
+ ++
unprotect
rule because Drupal navigation is based on query strings (?q=admin, ?q=user, etc.), and unprotect rule only works on URL patterns.
++You can create a special virtual host and use Apache rewrite module to switch between open and protected hosts: +
+<VirtualHost *:80> + ServerName drupal.example.com + + # DocumentRoot + DocumentRoot /var/www/html/drupal/ + DirectoryIndex index.php + + # Redirect admin pages + RewriteEngine On + RewriteCond %{QUERY_STRING} q=(admin|user) + RewriteRule ^/(.*)$ http://admindrupal.example.com/$1 [R] + + LogLevel warn + ErrorLog /var/log/httpd/drupal-error.log + CustomLog /var/log/httpd/drupal-access.log combined +</VirtualHost> +<VirtualHost *:80> + ServerName admindrupal.example.com + + # SSO protection + PerlHeaderParserHandler My::Package + + # DocumentRoot + DocumentRoot /var/www/html/drupal/ + DirectoryIndex index.php + + LogLevel warn + ErrorLog /var/log/httpd/admindrupal-error.log + CustomLog /var/log/httpd/admindrupal-access.log combined +</VirtualHost>+ +
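Review bot: in the Drupal rewrite example both virtual hosts serve the same `DocumentRoot /var/www/html/drupal/`, so the only thing routing administrative pages through the SSO handler is `RewriteCond %{QUERY_STRING} q=(admin|user)`. That condition is case-sensitive, unanchored and looks only at the query string, so it does not apply when Drupal's clean URLs are enabled (`/admin`, `/user` in the path) and it leaves any privileged page not matching those two words on the open host, where Drupal's own login is the only protection. The doc should say so explicitly, add the `[NC]` flag and anchor the match (`RewriteCond %{QUERY_STRING} ^q=(admin|user)(/|$) [NC]`), and mention `RewriteCond %{REQUEST_URI} ^/(admin|user)` for clean-URL installations.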
+ +Google Apps can use SAML to authenticate users, behaving as an SAML service provider, as explained here. +
+ ++To work with LL::NG it requires: +
++ +
+As administrator, go in Google Apps control panel and click on Advanced tools: +
+ + + +
+Then select Set up single sign-on (SSO)
:
+
+Now configure all SAML parameters: +
+ + +
+
+For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button Download this file
):
+
+After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk. +
+ ++Then use openssl to generate an auto-signed certificate: + +
++openssl req -new -key lemonldap-ng-priv.key -out cert.csr +openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem ++ +
+You can now the upload the certificate (cert.pem
) on Google Apps.
+
+ +You should have configured LL::NG as an SAML Identity Provider, +
+ ++Now we will add Google Apps as a new SAML Service Provider: +
+New service provider
.Email
in Options
» Authentication Response
» Default NameID format
Options
» Signature
, except Sign SSO message
which should be to On
Metadata
, and unprotect the field to paste the following value:<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> + <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> + <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" /> + <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> + </SPSSODescriptor> +</md:EntityDescriptor>+ +
+
AssertionConsumerService
markup, parameter Location
) into your Google Apps domain.
++ +You can add a link in application menu to display Google Apps to users. +
+ + + ++You need to adapt some parameters: +
+On
to always display it+ +
+ +Google Apps does not support Single Logout (SLO). +
+ ++Google Apps has a configuration parameter to redirect user on a specific URL after Google Apps logout (see Google Apps control panel). +
+ ++To manage the other way (LL::NG → Google Apps), you can add a dedicated logout forward rule: + +
++GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout ++ +
+
+ +Liferay is an enterprise portal. +
+ ++Liferay can use LL::NG as an SSO provider but you have to manage how users are created: +
++ +Of course, integration will be full if you use the LDAP directory as users backend for LL::NG and Liferay. +
+ ++
+This documentation just explains how to set up the SSO part. Please refer to Liferay documentation to enable LDAP provisionning. +
+ ++ +Access to Liferay (first time): +
+ + + ++Login as administrator: +
+ + + +
+Go to My Account
:
+
+Go to Portal
» Settings
:
+
+Go to Configuration
» Authentication
:
+
+In General
, fill at least the following information:
+
+ +
+Then use the SiteMinder
tab to configure SSO:
+
+
+ +Configure Liferay virtual host like other protected virtual host. +
+<VirtualHost *:80> + ServerName liferay.example.com + + PerlHeaderParserHandler My::Package + + ... + +</VirtualHost>+ +
+ +Go to the Manager and create a new virtual host for Liferay. +
+ ++Just configure the access rules. You can add a rule for logout: + +
++ ^/c/portal/logout => logout_sso ++ +
+Configure the Auth-User
header.
+
+ +MediaWiki is a wiki software, used by the well known Wikipedia. +
+ ++Several extensions allows to configure SSO on MediaWiki: +
++ +We will explain how to use the latest: HTTP Auth. +
+ ++ +The HTTP Auth extension is presented here: http://www.mediawiki.org/wiki/Extension:HttpAuth +
+ ++You can download the code here: http://github.com/oremj/mediawiki-http-auth/downloads +
+ +
+You have to install HttpAuthPlugin.php
in the extensions/
directory of your MediaWiki installation:
+
+
+cp HttpAuthPlugin.php extenstions/ ++ +
+ +Then edit MediaWiki local settings + +
++vi LocalSettings.php ++
session_start(); + +$_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER']; + +if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || $_COOKIE[$wgDBserver . 'UserID']) { + require_once("$IP/extensions/HttpAuthPlugin.php"); + $wgAuth = new HttpAuthPlugin(); + # For MediaWiki < 1.13 + $wgHooks['AutoAuthenticate'][] = array($wgAuth,'autoAuthenticate'); + # For MediaWiki >= 1.13 + #$wgHooks['UserLoadFromSession'][] = array($wgAuth,'autoAuthenticate'); +}+ +
+ +Configure MediaWiki virtual host like other protected virtual host. +
+<VirtualHost *:80> + ServerName mediawiki.example.com + + PerlHeaderParserHandler My::Package + + ... + +</VirtualHost>+ +
+
+ +Go to the Manager and create a new virtual host for MediaWiki. +
+ ++Just configure the access rules. You can also add a rule for logout: + +
++Userlogout => logout_sso ++ +
+If using LL::NG as reverse proxy, configure the Auth-User
header, else no headers are needed.
+
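Review bot: the `LocalSettings.php` snippet keys its fallback on `$_COOKIE[$wgDBserver . 'UserID']`: `$wgDBserver` is the database host name, whereas MediaWiki prefixes its cookies with `$wgCookiePrefix` (defaulting to the database name), so that branch will normally never be true; confirm which prefix is intended and wrap the lookup in `isset()` so anonymous requests do not raise a notice. The line `$_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER'];` makes MediaWiki trust whatever `REMOTE_USER` contains, so the text should state that this only works when the whole virtual host sits behind the LL::NG handler (as the Apache example does) and that `REMOTE_USER` must never be settable from a client request. Also, `cp HttpAuthPlugin.php extenstions/` has a typo in the directory name.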
+ +OBM is enterprise-class messaging and collaboration platform for workgroup or enterprises with many thousands users. OBM includes Groupware, messaging server, CRM, LDAP, Windows Domain, smartphone and PDA synchronization… +
+ ++OBM is shipped with a LL::NG plugin with these features: +
+
+
+To enable LL::NG authentication plugin, go in /etc/obm/obm_conf.inc
:
+
$auth_kind = 'LemonLDAP'; + +$lemonldap_config = Array( + "auto_update" => true, + "auto_update_force_user" => true, + "auto_update_force_group" => false, + "url_logout" => "https://OBMURL/logout", + "server_ip_address" => "localhost", + "server_ip_check" => false, + "debug_level" => "NONE", +// "debug_header_name" => "HTTP_OBM_UID", +// "group_header_name" => "HTTP_OBM_GROUPS", + "headers_map" => Array( + //"userobm_gid" => "HTTP_OBM_GID", + //"userobm_domain_id" => , + "userobm_login" => "HTTP_OBM_UID", + "userobm_password" => "HTTP_OBM_USERPASSWORD", + //"userobm_password_type" => , + "userobm_perms" => "HTTP_OBM_PERMS", + //"userobm_kind" => , + "userobm_lastname" => "HTTP_OBM_SN", + "userobm_firstname" => "HTTP_OBM_GIVENNAME", +// "userobm_title" => "HTTP_OBM_TITLE", + "userobm_email" => "HTTP_OBM_MAIL", + "userobm_datebegin" => "HTTP_OBM_DATEBEGIN", + //"userobm_account_dateexp" => , + //"userobm_delegation_target" => , + //"userobm_delegation" => , + "userobm_description" => "HTTP_OBM_DESCRIPTION", + //"userobm_archive" => , + //"userobm_hidden" => , + //"userobm_status" => , + //"userobm_local" => , + //"userobm_photo_id" => , + "userobm_phone" => "HTTP_OBM_TELEPHONENUMBER", + //"userobom_phone2" => , + //"userobm_mobile" => , + "userobm_fax" => "HTTP_OBM_FACSIMILETELEPHONENUMBER", + //"userobm_fax2" => , + "userobm_company" => "HTTP_OBM_O", + //"userobm_direction" => , + "userobm_service" => "HTTP_OBM_OU", + "userobm_address1" => "HTTP_OBM_POSTALADDRESS", + //"userobm_address2" => , + //"userobm_address3" => , + "userobm_zipcode" => "HTTP_OBM_POSTALCODE", + "userobm_town" => "HTTP_OBM_L", + "userobm_zipcode" => "HTTP_OBM_POSTALCODE", + "userobm_town" => "HTTP_OBM_L", + //"userobm_expresspostal" => , + //"userobm_host_id" => , + //"userobm_web_perms" => , + //"userobm_web_list" => , + //"userobm_web_all" => , + //"userobm_mail_perms" => , + //"userobm_mail_ext_perms" => , + //"userobm_mail_server_id" => , + //"userobm_mail_server_hostname" => , + 
"userobm_mail_quota" => "HTTP_OBM_MAILQUOTA", + //"userobm_nomade_perms" => , + //"userobm_nomade_enable" => , + //"userobm_nomade_local_copy" => , + //"userobm_email_nomade" => , + //"userobm_vacation_enable" => , + //"userobm_vacation_datebegin" => , + //"userobm_vacation_dateend" => , + //"userobm_vacation_message" => , + //"userobm_samba_perms" => , + //"userobm_samba_home" => , + //"userobm_samba_home_drive" => , + //"userobm_samba_logon_script" => , + // ---- Unused values ? ---- + "userobm_ext_id" => "HTTP_OBM_SERIALNUMBER", + //"userobm_system" => , + //"userobm_nomade_datebegin" => , + //"userobm_nomade_dateend" => , + //"userobm_location" => , + //"userobm_education" => , + ), + );+ +
+Parameters: +
++ +Edit also OBM Apache configuration to enable LL::NG Handler: +
+<VirtualHost *:80> + ServerName obm.example.com + + # SSO protection + PerlHeaderParserHandler My::Package + + DocumentRoot /usr/share/obm/php + + ... + +</VirtualHost>+ +
+
+ +You will need to collect all attributes needed to create a user in OBM, this includes: +
+
+
+To add these attributes, go in Manager, Variables
» Exported Variables
.
+
+
+You may also create these macros to manage OBM administrator account (Variables
» Macros
):
+
field | value | +
---|---|
uidR | ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid | +
mailR | ($uid =~ /^admin0/i)[0] ? "" : ($mail =~ /^([^@]+)/)[0] . "\@example.com" | +
+
+Create OBM virtual host (for example obm.example.com) in LL::NG configuration: Virtual Hosts
» New virtual host
.
+
+Then edit rules and headers. +
+ ++ +Define at least: +
+field | value | +
---|---|
^/logout | logout_sso | +
^/obm-sync | unprotect | +
^/minig | unprotect | +
^/Microsoft-Server-ActiveSync | unprotect | +
^/caldav | unprotect | +
default | accept (or whatever you want) | +
+ +Define headers used in OBM mapping, for example: +
+field | valeur | +
---|---|
OBM_GIVENNAME | $givenName | +
OBM_GROUPS | $groups | +
OBM_UID | $uidR | +
OBM_MAIL | $mailR | +
OBM_USERPASSWORD | $_password | +
+ +Do not forget to add OBM in applications menu. + +
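Review bot: `"server_ip_check" => false` in the `$lemonldap_config` example presumably disables the plugin's check that the `HTTP_OBM_*` headers come from `server_ip_address`; since everything the plugin does (auto-creating users, setting `userobm_perms` and `userobm_password`) is driven by those headers, the documented value should be `true` with `server_ip_address` set to the LL::NG handler's address, or the text should explain the only case where `false` is acceptable (handler and OBM on the same host, which the `localhost` value suggests). The `headers_map` array also lists `"userobm_zipcode"` and `"userobm_town"` twice; harmless in PHP but the duplicates should go.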
+ ++ +phpLDAPadmin is an LDAP administration tool written in PHP. +
+ ++phpLDAPadmin will connect to the directory with a static DN and password, and so will not request authentication anymore. The access to phpLDAPadmin will be protected by LemonLDAP::NG with specific access rules. +
+ ++
+
+Just set the authentication type to config
and indicate DN and password inside the file config.php
:
+
$ldapservers->SetValue($i,'server','auth_type','config'); +$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=com'); +$ldapservers->SetValue($i,'login','pass','secret');+ +
+ +Configure phpLDAPadmin virtual host like other protected virtual host. +
+<VirtualHost *:80> + ServerName phpldapadmin.example.com + + PerlHeaderParserHandler My::Package + + ... + +</VirtualHost>+ +
+ +Go to the Manager and create a new virtual host for phpLDAPadmin. +
+ ++Just configure the access rules. +
+ ++No headers are required. + +
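Review bot: the phpLDAPadmin `config.php` example binds every visitor as `cn=Manager,dc=example,dc=com` with the clear-text password `secret`, and the text says the tool 'will not request authentication anymore'. The LL::NG access rules are therefore the only control between any portal user and full write access to the directory, so 'Just configure the access rules' should spell out a restrictive rule (a group- or uid-based rule, not `accept`), recommend a dedicated service account holding only the rights administrators need instead of the directory manager DN, and remind readers that `config.php` must be readable by the web server user only.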
+ ++Spring Security is the new ACEGI name. This is a well known security framework for J2EE applications. +
+ +
+Spring Security provides a default pre-authentication
mechanism that can be used to connect your J2EE application to LL::NG.
+
+ +You can find all suitable information here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html +
+ +
+To summarize, to get the user connected trough the Auth-User
HTTP Header, use this Sping Security configuration:
+
<bean id="LemonLDAPNGFilter" class= +"org.springframework.security.web.authentication.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter"> + <security:custom-filter position="PRE_AUTH_FILTER" /> + <property name="principalRequestHeader" value="Auth-User"/> + <property name="authenticationManager" ref="authenticationManager" /> +</bean> + +<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> + <security:custom-authentication-provider /> + <property name="preAuthenticatedUserDetailsService"> + <bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper"> + <property name="userDetailsService" ref="userDetailsService"/> + </bean> + </property> +</bean> + +<security:authentication-manager alias="authenticationManager" />+ +
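Review bot: the Spring configuration trusts `Auth-User` unconditionally: `RequestHeaderPreAuthenticatedProcessingFilter` authenticates whoever is named in that header, and unlike the Tomcat valve documented later (which carries `allows="127.0.0.1"`) nothing here restricts who may present it. The doc should state that the application must be reachable only through the Apache virtual host running the LL::NG handler, which sets the header on every request, and never directly on its own port. The snippet also mixes namespace generations: the nested `<security:custom-filter position="PRE_AUTH_FILTER" />` and `<security:custom-authentication-provider />` elements and the `org.springframework.security.userdetails` package are Spring Security 2.0, while the linked reference is 3.0.x, where `custom-filter` is a child of `<http>`, providers are declared with `<authentication-provider ref="preauthAuthProvider"/>` inside `<authentication-manager>`, and the wrapper lives in `org.springframework.security.core.userdetails`; pick one version so the example loads.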
+ +Sympa is a mailing list manager. +
+ ++There are two ways to configure SSO with Sympa: +
++ +
+ +
+ +Choose one of the following method: +
+ ++ +Configure Sympa virtual host like other protected virtual host but use Sympa Handler instead of default Handler. +
+<VirtualHost *:80> + ServerName sympa.example.com + + # Load Sympa Handler + PerlRequire __HANDLERDIR__/MyHandlerSympa.pm + PerlHeaderParserHandler My::Sympa + + ... + +</VirtualHost>+ +
+ +Go to the Manager and create a new virtual host for Sympa. +
+ ++Just configure the access rules. +
+ +
+
+Go in Manager, Default parameters
» Advanced parameters
» Special handlers
» Sympa
, and edit the different keys:
+
+ +Edit the file “auth.conf”, for example: + +
++vi /etc/sympa/auth.conf ++ +
+And fill it: + +
++generic_sso + service_name LemonLDAP::NG + service_id lemonldapng + email_http_header HTTP_MAIL + netid_http_header HTTP_AUTH_USER + internal_email_by_netid 1 + logout_url http://sympa.example.com/wws/logout ++ +
+ +Configure Sympa virtual host like other protected virtual host but protect only magic authentication URL. +
+<VirtualHost *:80> + ServerName sympa.example.com + + <Location /wws/sso_login/lemonldapng> + PerlHeaderParserHandler My::Package + </Location> + + ... + +</VirtualHost>+ +
+
service_id
defined in Sympa apache configuration.
++ +Go to the Manager and create a new virtual host for Sympa. +
+ ++Configure the access rules and define the following headers: +
++ +Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. +
+ ++As J2EE servlet container, Tomcat provides standard security feature, like authentication: the application deployed in Tomcat can delegate its authentication to Tomcat. +
+ +
+By default, Tomcat provides a file called users.xml
to manage authentication:
+
+
<?xml version='1.0' encoding='utf-8'?> +<tomcat-users> + <role rolename="tomcat"/> + <role rolename="role1"/> + <user username="tomcat" password="tomcat" roles="tomcat"/> + <user username="role1" password="tomcat" roles="role1"/> + <user username="both" password="tomcat" roles="tomcat,role1"/> +</tomcat-users> ++ +
+LL::NG provides a valve, available on download page. This valve will check an HTTP header to set the authenticated user on the J2EE container. +
+ +
+
+Copy ValveLemonLDAPNG.jar
in <TOMCAT_HOME>/server/lib
:
+
+
+cp ValveLemonLDAPNG.jar server/lib/ ++ +
+
+
+Add on your server.xml
file a new valve entry like this (in host section):
+
+
<Valve className="org.lemonLDAPNG.SSOValve" userKey="AUTH-USER" roleKey="AUTH-ROLE" roleSeparator="," allows="127.0.0.1"/>
+
++Configure attributes: +
++ +
+ +The sources are available on download page. +
+ ++Required : +
+
+
+Configure your tomcat home in build.properties
files.
+
+
+c:/my hardisk/tomcat/ ++ +
+ + +
+Next run ant command: + +
++ant ++ +
+ValveLemonLDAPNG.jar
is created under /dist
directory.
+
+
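Review bot: the valve example `<Valve className="org.lemonLDAPNG.SSOValve" userKey="AUTH-USER" roleKey="AUTH-ROLE" roleSeparator="," allows="127.0.0.1"/>` is only safe because of `allows`; the attribute list under 'Configure attributes' should say plainly that `allows` must name the address of the host running the LL::NG handler, that a Tomcat reached from another front-end host needs that host's address instead of `127.0.0.1`, and what the valve does when the attribute is omitted (if it then accepts the header from any source, the doc must say so). The install path `<TOMCAT_HOME>/server/lib` is the Tomcat 5.5 layout; Tomcat 6 and later have a single `lib/` directory, so give both or state the version.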
+ +Zimbra is open source server software for email and collaboration - email, group calendar, contacts, instant messaging, file storage and web document management. The Zimbra email and calendar server is available for Linux, Mac OS X and virtualization platforms. Zimbra syncs to smartphones (iPhone, BlackBerry) and desktop clients like Outlook and Thunderbird. Zimbra also features archiving and discovery for compliance. Zimbra can be deployed on-premises or as a hosted email solution. +
+ ++Zimbra use a specific preauthentication protocol to provide SSO on its application. This protocol is implementated in an LL::NG specific Handler. +
+ ++
+ +The integration with LL::NG is the following: +
++ +You need to get a preauth key from Zimbra server. +
+ ++See how to do this on Zimbra wiki. +
+ ++ +Choose for example http://zimbra.example.com/zimbrasso as SSO URL and set it in application menu. +
+ ++ +You will configure Zimbra virtual host like other protected virtual host but you will use Zimbra Handler instead of default Handler. +
+<VirtualHost *> + ServerName zimbra.example.com + + # Load Zimbra Handler + PerlRequire __HANDLERDIR__/MyHandlerZimbra.pm + PerlHeaderParserHandler My::Zimbra + + ... + +</VirtualHost>+ +
+ +Go to the Manager and create a new virtual host for Zimbra. +
+ ++Just configure the access rules. +
+ +
+
+Go in Manager, Default parameters
» Advanced parameters
» Special handlers
» Zimbra
, and edit the different keys:
+
Authentication | Users | Password | +
---|---|---|
✔ | + |
+ +LL::NG can delegate authentication to Apache, so it is possible to use any Apache authentication module, for example: +
++ +
REMOTE_USER
environment variable, which will be used by LL::NG to get authenticated user.
++
+The following sample parameters will be used: +
++ +The module can be found here. +
+ ++On CentOS/RHEL: + +
+yum install mod_auth_kerb+ +
+On Debian/Ubuntu: + +
+apt-get install libapache2-mod-auth-kerb+ +
+The module must be loaded by Apache (LoadModule directive). +
+ +
+
+Edit /etc/krb5.conf
:
+
+[libdefaults] + default_realm = EXAMPLE.COM + +[realms] + EXAMPLE.COM = { + kdc = ad.example.com + admin_server = ad.example.com + } + +[domain_realm] + .example.com = EXAMPLE.COM + example.com = EXAMPLE.COM ++ +
+ +You have to run this command on Active Directory: +
++ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab ++ +
+The file auth.keytab
should then be copied (with a secure media) to the Linux server (for example in /etc/lemonldap-ng
).
+
+Then on Linux server: +
+kinit HTTP/auth.example.com +kvno HTTP/auth.example.com@EXAMPLE.COM +klist -e +kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com+ +
+
+In Manager, go in General Parameters
> Authentication modules
and choose Apache for authentication.
+
+
+You can also configure the authentication level for this module. +
+ ++ +Modify the portal virtual host: +
+<VirtualHost *> + ServerName auth.example.com + + DocumentRoot /var/lib/lemonldap-ng/portal/ + + <Directory /var/lib/lemonldap-ng/portal/> + Order allow,deny + Allow from all + Options +ExecCGI + + <IfModule auth_kerb_module> + AuthType Kerberos + KrbMethodNegotiate On + KrbMethodK5Passwd Off + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/lemonldap-ng/auth.keytab + KrbVerifyKDC Off + KrbServiceName HTTP + require valid-user + </IfModule> + + </Directory> + +</VirtualHost>+ +
+
+Configure IE or Firefox to trust http://auth.example.com
, and then it should work!
+
+
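Review bot: two settings in the Kerberos walkthrough weaken the setup and should not be the documented defaults. The `ktpass` command uses `-crypto DES-CBC-MD5 ... +DesOnly`: 56-bit DES is broken and disabled by default on current Active Directory and Windows clients, so the example should use `-crypto AES256-SHA1` (or `All`) and drop `+DesOnly`. `KrbVerifyKDC Off` in the portal virtual host turns off mod_auth_kerb's verification, using the key in `Krb5KeyTab /etc/lemonldap-ng/auth.keytab`, that the ticket was really issued by the realm's KDC, which is what protects the portal from a spoofed KDC; it should be `On`, and the `kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com` check shown earlier is the right way to confirm the keytab works before enabling it. Finally, 'trust http://auth.example.com' means the portal then issues the SSO cookie over plain HTTP; the example should use HTTPS.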
Authentication | Users | Password | +
---|---|---|
✔ | + |
+ +LL::NG can delegate authentication to a CAS server. This requires Perl CAS module. +
+ ++
+LL::NG can also request proxy tickets for its protected services. Proxy tickets will be collected at authentication phase and stored in user session under the form: +
+ +
+_casPT
serviceID = Proxy ticket value
+
+They can then be forwarded to applications trough HTTP headers. +
+ ++
+ +Download the latest version: + +
++wget https://sourcesup.cru.fr/frs/download.php/2476/AuthCAS-1.4.tar.gz ++ +
+Extract and build the module: + +
++tar zxvf AuthCAS-1.4.tar.gz +cd AuthCAS-1.4/ +perl Makefile.PL +make +make test ++ +
+Install the module: + +
++sudo make install ++ +
+
+In Manager, go in General Parameters
> Authentication modules
and choose CAS for authentication.
+
+
+Then, go in CAS parameters
:
+
/tmp/pgt.txt
)+ +
+
+touch /tmp/pgt.txt ++ +
+ + +
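Review bot: the CAS proxy configuration keeps proxy-granting tickets in `/tmp/pgt.txt` (`touch /tmp/pgt.txt`). `/tmp` is shared by every local account, and whoever can read that file can obtain proxy tickets for the users currently logged in, so the documented path should be a file owned by the web server user with mode 0600 in a dedicated directory (somewhere under `/var/lib/lemonldap-ng/`, as a suggestion), and the text should say the file must be writable by the Apache user. The `wget https://sourcesup.cru.fr/frs/download.php/2476/AuthCAS-1.4.tar.gz` step gives no checksum or signature to verify the archive against; add one, or point readers to the CPAN distribution.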
Authentication | Users | Password | +
---|---|---|
✔ | ✔ | ✔ | +
+ +By default, only the configured authentication backend is available for users. +
+ ++Contrary to multiple backend stacking, backend choice will present all available authentication methods to users, who will choose the one they want. +
+ ++The choice will concern three backends: +
++ +The choosen backends will be registered in session: +
+$_auth
$_userDB
$_passwordDB
+ +Authentication choice will also be registered in session: +
+$_authChoice
+In Manager, go in General Parameters
> Authentication modules
and choose Choice for authentication.
+
+
Choice
is selected for authentication, values for Users and Password modules are not used anymore. Also, all backends parameters are displayed.
+
+Then, go in Choice Parameters
:
+
lmAuth
)New choice
to add a choice.+Define here: +
++ +
Authentication | Users | Password | +
---|---|---|
✔ | ✔ | ✔ | +
+ +LL::NG can use a lot of databases as authentication, users and password backend: +
++ +Indeed, any Perl DBD driver can be used. +
+ ++ +LL::NG can use two tables: +
++ +
+The password can be in plain text, or encoded with a standard SQL method: +
+id | login | password | +
---|---|---|
0 | coudot | 1f777a6581e478499f4284e54fe2d4a4e513dfff | +
1 | xguimard | a15a18c8bb17e6f67886a9af1898c018b9f5a072 | +
2 | tchemineau | 1f777a6581e478499f4284e54fe2d4a4e513dfff | +
id | user | name | |
---|---|---|---|
0 | coudot | Clément OUDOT | coudot@example.com | +
1 | tchemineau | Thomas CHEMINEAU | tchemineau@example.com | +
2 | xguimard | Xavier GUIMARD | xguimard@example.com | +
id | user | password | name | |
---|---|---|---|---|
0 | coudot | 1f777a6581e478499f4284e54fe2d4a4e513dfff | Clément OUDOT | coudot@example.com | +
1 | tchemineau | 1f777a6581e478499f4284e54fe2d4a4e513dfff | Thomas CHEMINEAU | tchemineau@example.com | +
2 | xguimard | a15a18c8bb17e6f67886a9af1898c018b9f5a072 | Xavier GUIMARD | xguimard@example.com | +
+ +LL::NG will operate some SQL queries: +
+
+
+In Manager, go in General Parameters
> Authentication modules
and choose Database (DBI) for authentication, users and/or password modules.
+
+ +The authentication level given to users authenticated with this module. +
+ ++
+ +
+ +
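Review bot: the sample `password` table illustrates the weakness of the scheme it documents: `coudot` and `tchemineau` carry the identical value `1f777a6581e478499f4284e54fe2d4a4e513dfff`, which is what an unsalted digest (SHA1 here, judging by the length) produces when two users share a password, so anyone with read access to the table learns that at a glance and recovers both with one guess. 'encoded with a standard SQL method' should name the supported functions and recommend a salted scheme where the backend allows it, or at least warn about this property. The 'LL::NG will operate some SQL queries' list should also say whether the login supplied by the user is passed as a bound parameter or interpolated into the query text, since that determines whether the backend is safe against malformed logins.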
Authentication | Users | Password | +
---|---|---|
✔ | ✔ | ✔ | +
+ +LL::NG can use an LDAP directory to: +
++ +This works with every LDAP v2 or v3 server, including Active Directory. +
+ ++LL::NG is compatible with LDAP password policy: +
+
+
+In Manager, go in General Parameters
> Authentication modules
and choose LDAP for authentication, users and/or password modules.
+
+ +The authentication level given to users authenticated with this module. +
+ ++
+ +
ldap+tls://server
and to use LDAPS, set ldaps://server
instead of server name.ldap+tls://server/verify=none&capath=/etc/ssl
. You can also use caFile and caPath parameters.+ +
(&(uid=$user)(objectClass=inetOrgPerson))
)(&(mail=$mail)(objectClass=inetOrgPerson))
)+ +
+(&(sAMAccountName=$user)(objectClass=person)) ++ +
+ +And this as mail filter: + +
++(&(mail=$mail)(objectClass=person)) ++ +
+ + +
password modify
instead of standard modify operation.+ +Standards attributes, like uid, cn or mail, are often enough to configure access rules and headers. +
+ ++But sometimes other data are needed (in particular to use extended functions): +
++ +Of course, standard LDAP attributes can be used to store these data, but LL::NG also provides an LDAP schema extension to manage them. +
+ ++Extended attributes and object classes use this prefix: 1.3.6.1.4.1.10943.10.2. +
+ ++The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA (See http://www.iana.org/assignments/enterprise-numbers). +
+ +
+
+Just add this file to OpenLDAP schemas by including it in slapd.conf
:
+
+
+include /usr/share/lemonldap-ng/ressources/sso.schema ++ +
+This will provide the auxiliary object class ssoUser
with attributes:
+
+ +You can add this object class to any entry of your directory. +
+ ++
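Review bot: the server example `ldap+tls://server/verify=none&capath=/etc/ssl` disables certificate verification, so StartTLS protects only against passive eavesdropping and user passwords are bound over a channel whose peer is unverified. Since the text already mentions `caFile` and `caPath`, the documented example should be `ldap+tls://server/verify=require&capath=/etc/ssl/certs`, with `verify=none` reserved for a clearly labelled test setup. The Active Directory filters `(&(sAMAccountName=$user)(objectClass=person))` and `(&(mail=$mail)(objectClass=person))` interpolate user-controlled values; the doc should state that the portal escapes them per RFC 4515 before substitution, or document that requirement, so readers do not assume the filter is safe by construction.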
Authentication | Users | Password | +
---|---|---|
✔ | ✔ | + |
+ +This backend allows to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed… +
+ ++ +You have to use “Multi” as authentication module. This scheme expect a parameter, which is the authentication chain. +
+ ++For example: + +
++Multi CAS;LDAP ++ +
+If CAS failed, LDAP will be used. +
+ ++You can also add a condition. Example: +
++Multi Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/' ++ +
+
+ +The “Multi” system can : +
++ +
+To stack several times the same module, use ”#name” with different names. Example: + +
++Multi LDAP#Openldap; LDAP#ActiveDirectory ++ +
+Then you can have different parameters for each stored in a Perl hash entry named multi: + +
+multi => { + 'LDAP#Openldap' => { + ldapServer => 'ldap1.example.com', + LDAPFilter => '(uid=$user)', + }, + 'LDAP#ActiveDirectory' => { + ldapServer => 'ldaps://ad.example.com', + LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))', + } +},+ +
+This key must be stored directly in portal index.pl file or in lemonldap-ng.ini: +
+my $portal = Lemonldap::NG::Portal::SharedConf->new({ +multi => { + 'LDAP#Openldap' => { + ldapServer => 'ldap1.example.com', + LDAPFilter => '(uid=$user)', + }, + 'LDAP#ActiveDirectory' => { + ldapServer => 'ldaps://ad.example.com', + LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))', + } +}, +})+
[portal] +multi = {'LDAP#Openldap'=>{ldapServer=>'ldap1.example.com',LDAPFilter=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{ldapServer=>'ldaps://ad.example.com',LDAPFilter=>'(&(sAMAccountName=$user)(objectClass=person))'}}+ +
+ +When using this module, LL::NG portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401. We're studying a future solution for this… +
+ ++ +To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only. + +
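Review bot: the conditional example `Multi Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/'` ends with a stray closing quote, and `/^192/` matches any address beginning with 192 (including public ranges), not just 192.168.0.0/16; anchor it to the intended prefix (`/^192\.168\./`). 'If CAS failed, LDAP will be used' should make clear that a chain from a stronger method (CAS, SSL) down to password LDAP is a deliberate downgrade path that the operator accepts, and that the authentication level recorded in session should differ so access rules can tell the two apart. Last, `SSLRequire optional` is not an Apache directive: client-certificate optionality is set with `SSLVerifyClient optional` (`SSLRequire` takes an expression), so the sentence should be corrected.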
+ +Authentication | Users | Password | +
---|---|---|
✔ | ✔ | ✔ | +
+ +LL::NG Null backend is a transparent backend: +
++ +You can use Null backend to bypass some authentication process steps. +
+ +
+
+In Manager, go in General Parameters
> Authentication modules
and choose Null for authentication, users or password module.
+
+Then, go in Null parameters
:
+
Authentication | Users | Password | +
---|---|---|
✔ | ✔ | + |
+ +LL::NG can delegate authentication to an OpenID server. This requires Perl OpenID consumer module with at least version 1.0. +
+ ++
+LL::NG will then display a form with an OpenID input, wher users will type their OpenID login. +
+ ++
+LL::NG can use a white list or a black list to filter allowed OpenID domains. +
+ ++If OpenID is used as users database, attributes will be requested to the server with SREG extention. +
+ +
+
+In Manager, go in General Parameters
> Authentication modules
and choose OpenID for authentication and/or users.
+
+Then, go in OpenID parameters
:
+
+
+To configure requested attributes, go in Variables
> Exported variables
and define attributes:
+
!
to make the attribute requiredAuthentication | Users | Password | +
---|---|---|
✔ | ✔ | + |
+ +LL::NG is able to transfer (trough SOAP) authentication credentials to another LL::NG portal, like a proxy. +
+ ++The difference with remote authentication is that the client will never be redirect to the main LL::NG portal. This configuration is usable if you want to expose your internal SSO portal to another network (DMZ). +
+ +
+
+In Manager, go in General Parameters
> Authentication modules
and choose Proxy for authentication and users.
+
+Then, go in Proxy parameters
:
+
index.pl/sessions
suffix+ +The portal must be configured to accept SOAP authentication requests. See SOAP session backend documentation. +
+ +Authentication | Users | Password | +
---|---|---|
✔ | ✔ | + |
+ +
+ + +exportedAttr
is set, only those attributes are copied in the session database of the secondary LL::NG structure. Else, all data are copied in the session database.+ +
+ +Go in Manager, and: +
+General Parameters
» Cookies
» Multiple domains
General Parameters
» Advanced Parameters
» Security
» Trusted domains
+ +Configure the portal to use the remote LL::NG structure. +
+ +
+In Manager, go in General Parameters
» Authentication modules
and choose Proxy for authentication and users.
+
+Then, go in Remote parameters
:
+
Lemonldap::NG::Common::Apache::Session::SOAP
for SOAP session backend.+ +Using this, we can do a very simple interoperability system between 2 organizations using two LL::NG structures: +
++ +So on each main portal, internal users can access normally, and users issued from the other organization have just to click on the link: +
+ + +Authentication | Users | Password | +
---|---|---|
✔ | ✔ | + |
+ +LL::NG can use SAML2 to get user identity and grab some attributes defined in user profile on its Identity Provider (IDP). In this case, LL::NG acts like an SAML2 Service Provider (SP). +
+ ++Several IDPs are allowed, in this case the user will choose the IDP he wants. You can preselect IDP with an IDP resolution rule. +
+ ++For each IDP, you can configure attributes that are collected. Some can be mandatory, so if they are not returned by IDP, the session will not open. +
+ ++
+ +See SAML service configuration chapter. +
+ +
+
+In General Parameters
> Authentication modules
, set:
+
+ +
+ +After configuring SAML Service, you can export metadata to your partner Identity Provider. +
+ ++They are available at the EntityID URL, by default: http://auth.example.com/saml/metadata. +
+ +
+
+In the Manager, select node SAML identity providers
and click on New identity provider
:
+
+The IDP name is asked, enter it and click OK. +
+ ++Now you have access to the IDP parameters list: +
+ + + ++ +You must register IDP metadata here. You can do it either by uploading the file, or get it from IDP metadata URL (this require a network link between your server and the IDP): +
+ + + ++
+ +For each attribute, you can set: +
++ +For example, to preselect this IDP for users coming from 129.168.0.0/16 network: + +
++$ENV{REMOTE_ADDR} =~ /^192\.168/ ++ +
SessionNotOnOrAfter
value found in authentication response. It means that if the IDP propose to close session earlier than the default LemonLDAP::NG timeout, the session _utime will be modified so that session is erased at the date indicated by the IDP.+ +These options override service signature options (see SAML service configuration). +
++ +
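Review bot: the IDP resolution example's prose and rule disagree: the text says "users coming from 129.168.0.0/16 network" while the rule is `$ENV{REMOTE_ADDR} =~ /^192\.168/`; the network should read 192.168.0.0/16. When readers adapt the rule to a shorter prefix, an unanchored tail (`/^10/` matching 100.x.x.x and 101.x.x.x as well) is the usual mistake, so the example is safer shown as `/^192\.168\./`, with the trailing escaped dot.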
Authentication | Users | Password | +
---|---|---|
✔ | ✔ | + |
+ +LL::NG Slave backend is a transparent backend to used when LL::NG portal is protected by another SSO: +
+
+
+In Manager, go in General Parameters
> Authentication modules
and choose Null for authentication, users or password module.
+
+Then, go in Slave parameters
:
+
+ +You have then to declare HTTP headers exported by the main SSO in “Variable » Exported Variables”. Example: + +
+Key (LL::NG name) | Value (HTTP header name) | +
---|---|
uid | Auth-User | +
User-Email | +
Authentication | Users | Password | +
---|---|---|
✔ | + |
+ +LL::NG uses Apache SSL module, like any other Apache authentication module, with extra features: +
++ +You have to install mod_ssl for Apache. +
+ ++For CentOS/RHEL: + +
+yum install mod_ssl+ +
+In Debian/Ubuntu mod_ssl is already shipped in apache2.2-common
package.
+
+
+ +You can then use this default SSL configuration, for example in the head of /etc/lemonldap-ng/portal-apache2.conf: +
+SSLProtocol all -SSLv2 +SSLCipherSuite HIGH:MEDIUM +SSLCertificateFile /etc/httpd/certs/ow2.cert +SSLCertificateKeyFile /etc/httpd/certs/ow2.key +SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert+ +
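Review bot: the "default SSL configuration" offered as a starting point still allows SSLv3 and MEDIUM-strength ciphers (`SSLProtocol all -SSLv2` and `SSLCipherSuite HIGH:MEDIUM`); since this is the block readers will paste into portal-apache2.conf, suggest `SSLProtocol all -SSLv2 -SSLv3` and a suite list that excludes anonymous and weak ciphers rather than admitting MEDIUM (for example `SSLCipherSuite HIGH:!aNULL:!MD5`), plus a sentence telling readers to check their distribution's current recommendation before copying it. The key referenced by `SSLCertificateKeyFile /etc/httpd/certs/ow2.key` is read by Apache at startup, before it drops privileges, so the text can also say it should be readable by root only. Further down, `SSLUserName SSL_CLIENT_S_DN_CN` maps the user from the certificate CN alone; the doc should note that this is only safe when the issuing CA guarantees CN uniqueness, otherwise two certificates with the same CN map to the same account.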
+
ow2.cert
, ow2.key
, ow2-ca.cert
:
+
++ +
+If you specify port in virtual host, then declare SSL port: +
+NameVirtualHost *:80 +NameVirtualHost *:443+ +
+ +Edit the portal virtual host to enable SSL double authentication: +
+SSLEngine On +SSLVerifyClient optional +SSLVerifyDepth 10 +SSLOptions +StdEnvVars +SSLUserName SSL_CLIENT_S_DN_CN+ +
+All SSL options are documented in Apache mod_ssl page. +
+ ++Here are the main options used by LL::NG: +
+optional
to allow user with a bad certificate to access to LL::NG portal page (to display error or use another authentication method)+StdEnvVars
to get certificate fields in environment variables
+
+In Manager, go in General Parameters
> Authentication modules
and choose SSL for authentication.
+
+ +
+Then, go in SSL parameters
:
+
+ +
Authentication | Users | Password | +
---|---|---|
✔ | + |
+ +Twitter is a famous short messaging server. Twitter use OAuth protocol to allow applications to reuse its own authentication process (it means, if your are connected to Twitter, other applications can trust Twitter and let you in). +
+ ++You need Net::Twitter package, with a very recent version (>3). +
+ ++You need to register a new application on Twitter to get API key and API secret. See Twitter FAQ on how to do that:. +
+ +
+
+In Manager, go in General Parameters
> Authentication modules
and choose Twitter for authentication module.
+
+
+Then, go in Twitter parameters
:
+
+ +Browseable session backend (Apache::Session::Browseable) works exactly like Apache::Session::* corresponding module but add indexes that increase session explorer and session restrictions performances. +
+ ++ +Database must be prepared exactly like in SQL session backend except that a field must be added for each data to index. Example with MySQL and index set to uid+ipAddr (recommended) +
+CREATE TABLE sessions ( + id char(32) NOT NULL PRIMARY KEY, + a_session blob, + uid varchar(255), + ipAddr varchar(15), + KEY uid (uid), + KEY ipAddr (ipAddr) + );+ +
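Review bot: the `ipAddr varchar(15)` column in the Browseable example only fits a dotted IPv4 address; an IPv6 client address (up to 39 characters, 45 with an IPv4-mapped suffix) is truncated or rejected on insert depending on the SQL mode, so either sessions fail to save or the indexed value no longer equals the address the session restriction compares against. Suggest `ipAddr varchar(45)` with a remark that the column must cover the largest address format the portal will see.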
+
+Go in the Manager and set the session module (for example Apache::Session::Browseable::MySQL for MySQL) in General parameters
» Sessions
» Session storage
» Apache::Session module
and add the following parameters (case sensitive):
+
+
Required parameters | +||
---|---|---|
Name | Comment | Example | +
DataSource | The DBI string | dbi:mysql:dbname=sessions | +
UserName | The database username | lemonldapng | +
Password | The database password | mysuperpassword | +
Index | Index | uid ipAddr | +
+ +
+ +Restrict network access to the database. +
+ +
+You can also use different user/password for your servers by overriding parameters globalStorage
and globalStorageOptions
in lemonldap-ng.ini file.
+
+ +
+
+Go in Manager, General Parameters
» Cookies
» Multiple domains
and set to On
.
+
+To use this feature only locally, edit lemonldap-ng.ini
in section [all]:
+
+
[all] +cda = 1+ +
+
+LemonLDAP::NG provides a script to change configuration backend easily keeping history. It is set in LemonLDAP::NG utilities directory (convertConfig
).
+
+
+The convertConfig
utility reads 2 LL::NG configuration files (lemonldap-ng.ini
):
+
convertConfig --current=/etc/lemonldap-ng/lemonldap-ng.ini --new=/new/lemonldap-ng.ini+
+ +Documentation is available for configuration backends : +
++ +LemonLDAP::NG configuration is stored in a backend that allows all modules to access it. +
+ ++
+ +Detailled configuration backends documentation is available here. +
+By default, configuration is stored in files, so access trough network is not possible. To allow this, use SOAP for configuration access, or use a network service like SQL database or LDAP directory. +
+ +
+Configuration backend can be set in the local configuration file, in configuration
section.
+
+For example, to configure the File
configuration backend:
+
[configuration] +type=File +dirName = /usr/local/lemonldap-ng/data/conf+ +
+
+ +Most of configuration can be done trough LemonLDAP::NG Manager (by default http://manager.example.com). +
+ +
+By default, Manager is protected to allow only localhost. This can be changed in etc/manager-apache2.conf
:
+
<Directory /usr/local/lemonldap-ng/htdocs/manager/> + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 + Options +ExecCGI + </Directory>+ +
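Review bot: `Allow from 127.0.0.0/8` is the only protection the Manager has, and the surrounding text ("By default, Manager is protected to allow only localhost. This can be changed") invites readers to widen it without saying what that implies: anyone who can reach the Manager can rewrite the whole SSO configuration, including access rules and trusted domains. Suggest adding that when the Allow list is extended beyond localhost the Manager virtual host must itself be protected, for instance by the LL::NG Handler with an administrator-only rule as the reload virtual host on this page is, and that an IP allow-list alone does not help once a reverse proxy sits in front of it, because every request then arrives from the proxy's address.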
+
+The Manager displays main branches: +
++ +LemonLDAP::NG configuration is mainly a key/value structure, so Manager will present all keys into a structured tree. A click on a key will display the associated value. +
+ ++
Apply
button if available, to be sure the value is saved.
+
+When all modifications are done, click on Save
to store configuration.
+
+
+You can change the graphical aspect of the Manager, by clicking on the Menu style
button. It will open a dialog to choose:
+
+ +
lemonldap-ng.ini
, section manager
:
+
++ +
+ +
+LemonLDAP::NG ships 3 Apache configuration files: +
+
+
+These files must be included in Apache configuration, either with Include
directives in httpd.conf
(see quick start example), or with symbolic links in Apache configuration directory (like /etc/httpd/conf.d
).
+
+
LoadModule
directive.
++ +In Portal virtual host, you will find several configuration parts: + +
+ServerName auth.example.com + + # DocumentRoot + DocumentRoot /usr/local/lemonldap-ng/htdocs/portal/ + <Directory /usr/local/lemonldap-ng/htdocs/portal/> + Order allow,deny + Allow from all + Options +ExecCGI + </Directory> + + # Perl script + <Files *.pl> + SetHandler perl-script + PerlResponseHandler ModPerl::Registry + </Files> + + # Directory index + <IfModule mod_dir.c> + DirectoryIndex index.pl index.html + </IfModule>+
# SOAP functions for sessions management (disabled by default) + <Location /index.pl/adminSessions> + Order deny,allow + Deny from all + </Location> + + # SOAP functions for sessions access (disabled by default) + <Location /index.pl/sessions> + Order deny,allow + Deny from all + </Location> + + # SOAP functions for configuration access (disabled by default) + <Location /index.pl/config> + Order deny,allow + Deny from all + </Location> + + # SOAP functions for notification insertion (disabled by default) + <Location /index.pl/notification> + Order deny,allow + Deny from all + </Location>+
mod_rewrite
):# SAML2 Issuer + <IfModule mod_rewrite.c> + RewriteEngine On + RewriteRule ^/saml/metadata /metadata.pl + RewriteRule ^/saml/.* /index.pl + </IfModule> + + # CAS Issuer + <IfModule mod_rewrite.c> + RewriteEngine On + RewriteRule ^/cas/.* /index.pl + </IfModule> + + # OpenID Issuer + <IfModule mod_rewrite.c> + RewriteEngine On + RewriteRule ^/openidserver/.* /index.pl + </IfModule>+
# Best performance under ModPerl::Registry +# Uncomment this to increase performance of Portal +<Perl> + require Lemonldap::NG::Portal::SharedConf; + Lemonldap::NG::Portal::SharedConf->compile( + qw(delete header cache read_from_client cookie redirect unescapeHTML)); + # Uncomment this line if you use Lemonldap::NG menu + require Lemonldap::NG::Portal::Menu; + # Uncomment this line if you use portal SOAP capabilities + require SOAP::Lite; +</Perl>+ +
+ +Manager virtual host is used to serve configuration interface and local documentation. + +
+DocumentRoot /usr/local/lemonldap-ng/htdocs/manager/ + <Directory /usr/local/lemonldap-ng/htdocs/manager/> + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 + Options +ExecCGI + </Directory>+
Alias /doc/ /usr/local/lemonldap-ng/htdocs/doc/ + <Directory /usr/local/lemonldap-ng/htdocs/doc/> + Order deny,allow + Allow from all + </Directory>+ +
PerlOptions +GlobalRequest +PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm+ +
+
ErrorDocument 403 http://auth.example.com/?lmError=403 +ErrorDocument 500 http://auth.example.com/?lmError=500+
<VirtualHost *:80> + ServerName reload.example.com + + # Configuration reload mechanism (only 1 per physical server is + # needed): choose your URL to avoid restarting Apache when + # configuration change + <Location /reload> + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 + PerlHeaderParserHandler My::Package->refresh + </Location> + + # Uncomment this to activate status module + #<Location /status> + # Order deny,allow + # Deny from all + # Allow from 127.0.0.0/8 + # PerlHeaderParserHandler My::Package->status + #</Location> + +</VirtualHost>+ +
+Then, to protect a standard virutal host, the only configuration line to add is: +
+PerlHeaderParserHandler My::Package+ +
+ +
+After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers. This can be configured in LemonLDAP::NG ini file, in the section apply
:
+
[apply] + +# URL used to reload configuration +reload.example.com=http://reload.example.com/reload +;reloaddist.example.com=http://reloaddist.example.com/reload+ +
+
+The reload
target is managed in Apache configuration, inside a virtual host protected by LemonLDAP::NG Handler, for example:
+
<VirtualHost *:80> + ServerName reload.example.com + + <Location /reload> + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 + PerlHeaderParserHandler My::Package->refresh + </Location> + +</VirtualHost>+ +
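Review bot: the `[apply]` example points the Manager at a distant host (`reload.example.com=http://reload.example.com/reload`, "reload configuration on distant Handlers") while the `/reload` Location it relies on allows only `Allow from 127.0.0.0/8`; combined as shown, the Manager's reload request to a remote handler is refused and that handler keeps running the previous configuration. The text should say that the Allow list on `/reload` must contain the address of the host running the Manager, and only that address, since anyone allowed there can force a configuration reload on the handler.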
+
+
+LemonLDAP::NG configuration can be managed in a local file with INI format. This file is called lemonldap-ng.ini
and has the following sections:
+
+
+When you set a parameter in lemonldap-ng.ini
, it will override the parameter from the global configuration.
+
+For example, to override configured skin for portal: +
+[portal] +portalSkin = dark+ +
+
+ +LemonLDAP::NG allows to override any configuration parameter directly in script file. However, it is not advised to edit such files, as they are part of the program, and will be erased at next upgrade. +
+ ++
+ +For example, in portal/index.pl: +
+my $portal = Lemonldap::NG::Portal::SharedConf->new( + { + portalSkin => 'dark', + } +);+ +
+ +For example, in handler/MyHandler.pm: +
+__PACKAGE__->init( + { + domain => 'acme.com', + } +);+ +
+ +LemonLDAP::NG configuration is build around Apache virtual hosts. Each virtual host is a protected resource, with access rules, headers, POST data and options. +
+ ++ +To protect a virtual host in Apache, the LemonLDAP::NG Handler must be activated (see Apache global configuration). +
+ ++Then you can take any virtual host, and simply add this line to protect it: +
+PerlHeaderParserHandler My::Package+ +
+For example, a protected virtual host for a local application: +
+<VirtualHost *:80> + ServerName localsite.example.com + + PerlHeaderParserHandler My::Package + + DocumentRoot /var/www/localsite + + ErrorLog /var/log/apache2/localsite_error.log + CustomLog /var/log/apache2/localsite_access.log combined + +</VirtualHost>+ +
+And a protected virtual host with LemonLDAP::NG as reverse proxy: +
+<VirtualHost *:80> + ServerName application.example.com + + PerlHeaderParserHandler My::Package + + # Reverse-Proxy + ProxyPass / http://private-name/ + # Change "Location" header in redirections + ProxyPassReverse / http://private-name/ + # Change domain cookies + ProxyPassReverseCookieDomain private-name application.example.com + + ErrorLog /var/log/apache2/proxysite_error.log + CustomLog /var/log/apache2/proxysite_access.log combined +</VirtualHost>+ +
+ +Same with remote server configured with the same host name: +
+<VirtualHost *:80> + ServerName application.example.com + + PerlHeaderParserHandler My::Package + + # Reverse-Proxy + ProxyPass / http://APPLICATION_IP/ + + ProxyPreserveHost on + + ErrorLog /var/log/apache2/proxysite_error.log + CustomLog /var/log/apache2/proxysite_access.log combined +</VirtualHost>+ +
+
ProxyPreserveHost
directive will forward the Host header to the protected application.+
REMOTE_USER
environment variable to get the connected user, which is not set in reverse-proxy mode. In this case, see how convert header into environment variable.
++ +An apache virtual host protected by LemonLDAP::NG Handler must be registered in LemonLDAP::NG configuration. +
+ +
+To do this, use the Manager, and go in Virtual Hosts
branch. You can add, delete or modify a virtual host here.
+
+A virtual host contains: +
++ +See Writing rules and headers to learn how to configure access control and HTTP headers sent to application by LL::NG. +
+ ++ +See Form replay to learn how to configure form replay to POST data on protected applications. +
+ ++ +Two options are available: +
++ +These options are used to build redirection URL (when user is not logged, or for CDA requests). By default, default values are used. These options are only here to override default values. +
+ ++ +Custom functions allow to extend LL::NG, they can be used in headers, rules or form replay data. +
+ +
+
+Create your Perl module with custom functions. You can name your module as you want, for example SSOExtensions.pm
:
+
+vi /root/SSOExtensions.pm ++
package SSOExtensions; + +sub function1 { + my $portal = shift; + my $param = shift; + + # Your nice code here + + return $param +} + +1;+ +
+
+ +Your module has to be loaded by Apache (for example after Handler load): +
+# Perl environment
+PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
+PerlRequire /root/SSOExtensions.pm
+PerlOptions +GlobalRequest
+
+
+
+Go in Manager, General Parameters
» Advanced Parameters
» Custom functions
and set:
+
+
+SSOExtensions::function1 ++ +
+ +You can now use your function in a macro, an header or an access rule, for example: + +
++Custom-Header => function1($uid) ++ +
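Review bot: the custom-functions walkthrough creates the module as `/root/SSOExtensions.pm` and loads it with `PerlRequire /root/SSOExtensions.pm`; this works because `PerlRequire` is evaluated while Apache still runs as root, but it is a poor example to copy, as `/root` is not where a distribution expects web-server code and the file then ends up inside every Handler and Portal process. Suggest placing it beside the existing handler file (`/var/lib/lemonldap-ng/handler/` on this page), root-owned and not writable by the Apache user, and adding a sentence that custom functions are ordinary Perl running outside the jail in which rules and headers are evaluated (see "Perl expressions that will be evaluated in a jail" further down), so only trusted administrators should be able to add or edit them.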
+ +
Warning: key is not defined, set it in the manager !+ +
+ +→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager. This message is displayed only when you upgrade from a version older than 1.0 +
+Can't locate /usr/share/lemonldap-ng/configStorage.pl+ +
+ +→ When you upgrade from Debian Lenny with customized index.pl files, you must upgrade them. See Debian Lenny upgrade. +
+ +Unable to clear local cache+ +
+ +→ Local cache cannot be cleard, check the localStorage and localStorageOptions or file permissions +
+Status module can not be loaded without localStorage parameter+ +
+ +→ You tried to activate Status module without localStorage. Configure local cache first. +
+No configuration found+ +
+ +→ The configuration cannot be loaded. Check configStorage and configStorageOptionsor file permissions. +
+User rejected because VirtualHost XXXX has no configuration+ +
+ +→ The specified virtual host was not configured in Manager. +
+mkdir /tmp/MyNamespace/2: Permission denied ...+ +
+ +→ The cache has been created by another user than Apache's user. Restart Apache to purge it. +
Lemonldap::NG::Handler::SharedConf: No cookie found+ +
+ +→ User does not have Lemonldap::NG cookie, handler redirect it to the portal +
+The cookie $id isn't yet available: Object does not exist in the data store+ +
+ +→ User session has expired or handler does not have access to the same Apache::Session database than the portal +
+Firefox has detected that the server is redirecting the request for this address in a way that will never complete+ +
+ +→ Your browser loops between portal and handler, it is probably a cookie problem. Verify that: +
+XXXX was not found in tree+ +
+ +→ The specified node is not the uploaded tree. +
+ +User XXXX was not granted to open session+ +
+ +→ Check grantSessionRule parameter. +
+XML menu configuration is deprecated. Please use lmMigrateConfFiles2ini to migrate your menu configuration+ +
+ +→ You do not use the new configuration syntax for application list. XML file is no more accepted. +
+Apache is not configured to authenticate users !+ +
+ +→ You use the Apache authentication backend, but Apache is not or bad configured (no REMOTE_USER send to LemonLDAP::NG). +
+URL contains a non protected host+ +
+
+→ The host is not known by LemonLDAP::NG. Add it to trustedDomains (or set *
in trustedDomains to accept all).
+
XSS attack detected+ +
+ +→ Some URL parameters contain forbidden characters. +
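Review bot: the remedy offered for "URL contains a non protected host" ("or set `*` in trustedDomains to accept all") disables the very check that produces the message: trustedDomains is what stops the portal from sending an authenticated user on to an arbitrary host after login, so `*` turns the portal into an open redirector. Suggest recommending only the explicit domain list here and, if `*` stays documented, marking it as a debugging aid that must not remain in production.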
+ ++ +Exported variables are the variables available to write rules and headers. They are extracted from the users database by the users module. +
+ +
+To create a variable, you've just to map a user attributes in LL::NG using Variables
» Exported variables
. For each variable, The first field is the name which will be used in rules, macros or headers and the second field is the name of the user database field.
+
+Examples for LDAP: +
+Variable name | LDAP attribute | +
---|---|
uid | uid | +
number | employeeNumber | +
name | sn | +
+ +Macros and groups are calculated during authentication process by the portal: +
++ +Example for macros: + +
+# boolean macro +isAdmin -> $uid eq 'foo' or $uid eq 'bar' +# other macro +displayName -> $givenName." ".$surName + +# Use a boolean macro in a rule +^/admin -> $isAdmin +# Use a string macro in a HTTP header +Display-Name -> $displayName+ +
+Example for groups: + +
+# group +admin -> $uid eq 'foo' or $uid eq 'bar' + +# Use a group in a rule +^/admin -> $groups =~ /\badmin\b/+ +
+ +When writing rules and headers, you can use Perl expressions that will be evaluated in a jail, to prevent bad code execution. +
+ ++This is also true for: +
++ +Inside this jail, you can access to: +
++ +
+ +This function will check the day and the hour of current request, and compare it to allowed days and hours. It returns 1 if this match, 0 else. +
+ ++By default, the allowed days and hours is an hexadecimal value, representing each hour of the week. A day has 24 hours, and a week 7 days, so the value contains 168 bits, converted into 42 hexadecimal characters. Sunday is the first day. +
+ ++For example, for a full access, excepted week-end: + +
++000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000 ++ +
+
+Functions parameters: +
+hexadecimal
(default) or octetstring
+ +Simple usage example: + +
++checkLogonHours($ssoLogonHours) ++ +
+If you use the binary value (Active Directory), use this: + +
++checkLogonHours($ssoLogonHours, 'octetstring') ++ +
+You can also configure jetlag (if all of your users use the same timezone): + +
++checkLogonHours($ssoLogonHours, '', '+2') ++ +
+If you manage different timezones, you have to take the jetlag into account in ssoLogonHours values, or use the $_timezone parameter. This parameter is set by the portal and use javascript to get the connected user timezone. It should works on every browser: + +
++checkLogonHours($ssoLogonHours, '', $_timezone) ++ +
+You can modify the default behavior for people without value in ssoLogonHours. Indeed, by default, users without logon hours values are rejected. You can allow these users instead of reject them: + +
++checkLogonHours($ssoLogonHours, '', '', '1') ++ +
+ +This function will check the date of current request, and compare it to a start date and an end date. It returns 1 if this match, 0 else. +
+ ++
+The date format is the LDAP date syntax, for example for the 1st March 2009: + +
++20090301000000Z ++ +
+Functions parameters: +
++ +Simple usage example: + +
++checkDate($ssoStartDate, $ssoEndDate) ++ +
+
+This function builds the Authorization
HTTP header used in HTTP Basic authentication scheme. It will force conversion from UTF-8 to ISO-8859-1 of user and password data.
+
+Functions parameters: +
++ +Simple usage example: + +
++basic($uid,$_password) ++ +
+ +This function convert a string from UTF-8 to ISO-8859-1. +
+ ++Functions parameters: +
++ +Simple usage example: + +
++unicode2iso($name) ++ +
+ +This function convert a string from ISO-8859-1 to UTF-8. +
+ ++Functions parameters: +
++ +Simple usage example: + +
++iso2unicode($name) ++ +
+LL::NG can use federation protocols (SAML, CAS, OpenID) independently to: +
++ +So you can configure it to authenticate users using a federation protocol and simultaneously to provide identities using other(s) federation protocols. +
+ ++For example, a LL::NG server can be: +
++ +See the following chapters: +
++ +This is the default configuration backend. Datas are stored as key/values (no-strings values are serialized). +
+ ++
+ +
+ +You just have to configure a directory writable by Apache user and set it in [configuration] section in your lemonldap-ng.ini file: +
+[configuration] +type = File +dirName = /var/lib/lemonldap-ng/conf+ +
+ +File session backend is the more simple session database. Sessions are stored as files in a single directory. Lock files are stored in another directory. It can not be used to share sessions between different servers except if you share directories (with NFS,…). +
+ ++ +In the manager: set ”Apache::Session::File” in “General parameters » Sessions » Session storage » Apache::Session module” and add the following parameters (case sensitive): + +
+Required parameters | +||
---|---|---|
Name | Comment | Example | +
Directory | The path to the main directory | /var/lib/lemonldap-ng/sessions | +
LockDirectory | The path to the lock directory | /var/lib/lemonldap-ng/sessions/lock | +
+ +Restrict access to the directories only to the Apache server. Example: + +
+chmod 750 /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock +chown www-data:www-data /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock+ +
+ +Form replay allows you to open a session on a protected application by replaying the form POST without asking anything to the user. +
+ ++
+Please always try to find another solution to protect your application with LL::NG. At least, check if it is not a known application, or try to adapt its source code. + +
+If you configure form replay with LL::NG, the Handler will catch configured POST URL and send a POST query to the target page (which can be different of the caught page). Each field can be filled with static values or data from user's session. +
+ ++
$_password
to fill any password POST field.
++LL::NG can catch a GET request and transform it internally in a POST request. All this work is transparent for the user, he cannot see what data are posted by LL::NG. +
+ ++ +You should grab some informations: +
++ +For example: +
+
+
+Then go in Manager, Virtual Hosts
» virtualhost » Form replay
and click on Add POST URL
.
+
+Fill values here: +
+
+
+Then click on New POST data
and add all data with their values, for example:
+
+
+ +Due to a conflict between LL::NG form replay and Apache mod_proxy (see issue), you cannot use form replay on proxied applications, unless you use LL::NG internal proxy (based on Perl LWP): +
+<VirtualHost> + ServerName test2.example.com + + PerlHeaderParserHandler My::Package + + PerlModule Lemonldap::NG::Handler::Proxy + SetHandler perl-script + PerlHandler Lemonldap::NG::Handler::Proxy + PerlSetVar LmProxyPass http://APPLICATION/ + PerlSetVar LmLocationToReplace http://APPLICATION/,http://test2.example.com +</VirtualHost>+ +
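Review bot: the internal-proxy example opens with a bare `<VirtualHost>`; Apache requires an address argument (`<VirtualHost *:80>`, as in every other virtual host on this page) and refuses to start without it.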
+
+Using LL::NG in reverse proxy mode, you will not have the REMOTE_USER
environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed.
+
+Apache SetEnvIf module will let you transform the Auth-User HTTP header in REMOTE_USER
environment variable:
+
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1+ +
+This can be used to protect applications relying on REMOTE_USER
environment variable in reverse proxy mode. In this case you will have two Apache configuration files:
+
+
<VirtualHost *:80> + ServerName application.example.com + + PerlHeaderParserHandler My::Package + + ProxyPreserveHost on + ProxyPass / http://APPLICATION_IP/ + ProxyPassReverse / http://APPLICATION_IP/ + +</VirtualHost>+
<VirtualHost *:80> + ServerName application.example.com + + SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1 + + DocumentRoot /var/www/application + +</VirtualHost>+ +
+
SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1 +SetEnvIfNoCase Auth-Password "(.*)" PHP_AUTH_PW=$1+ +
+ +Of course, you need to store password in session to fill PHP_AUTH_PW. + +
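Review bot: the application-side virtual host (`SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1`, and the PHP variant with `PHP_AUTH_USER`/`PHP_AUTH_PW`) turns a request header into the authenticated identity without any check of where the request came from, and the vhost example carries no access restriction; a client that reaches application.example.com directly, bypassing the LL::NG reverse proxy, can send its own `Auth-User` header and be treated as any user. The section should state that the backend must accept connections from the reverse proxy only (a firewall rule or `Allow from <proxy IP>` in that vhost) and that `Auth-Password`/`PHP_AUTH_PW` carries the user's password in clear, so the proxy-to-backend hop needs a trusted network or TLS.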
+ +LemonLDAP::NG is highly scalable, so easy to insert behind a load-balancer: +
++ +You can for example set up a fail-over cluster with Heartbeat and HAproxy, like this: +
+ + + ++You just have to share configuration and sessions databases between those servers: +
+ + + ++ +LL::NG can act as an CAS server, that can allow to federate LL::NG with: +
++ +LL::NG is compatible with the CAS protocol versions 1.0 and 2.0. This protocol does not define any attributes exchange mechanism, so only authentication is managed. +
+ +
+
+In the Manager, go in General Parameters
» Issuer modules
» CAS
and configure:
+
On
.^/cas/
unless you have change Apache portal configuration file.+ +
+$authenticationLevel > 2 ++ +
+ + +
+
<IfModule mod_rewrite.c> + RewriteEngine On + RewriteRule ^/cas/.* /index.pl + </IfModule>+ +
+ + +
+Then go in Options
to define:
+
+ +
CAS login
is not set, it uses General Parameters
» Logs
» REMOTE_USER
data, which is set to uid
by default
++ +LL::NG can act as an OpenID 2.0 Server, that can allow to federate LL::NG with: +
++ +LL::NG is compatible with the OpenID Authentication protocol version 2.0 and version 1.0. It can be used just to share authentication or to share user's attributes following the OpenID Simple Registration Extension 1.0 (SREG) specification. +
+ ++When LL::NG is configured as OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login] where: +
++ +Example: + +
++http://auth.example.com/openidserver/foo.bar ++ +
+
+In the Manager, go in General Parameters
» Issuer modules
» OpenID
and configure:
+
On
^/openidserver/
unless you have change Apache portal configuration file.+ +
+$authenticationLevel > 2 ++ +
+ + +
+
<IfModule mod_rewrite.c> + RewriteEngine On + RewriteRule ^/openidserver/.* /index.pl + </IfModule>+ +
+ + +
+Then go in Options
to define:
+
+ +
OpenID login
is not set, it uses General Parameters
» Logs
» REMOTE_USER
data, which is set to uid
by default
++ +SREG permit the share of 8 attributes: +
++ +Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute. +
+ ++
+ +LL::NG can act as an SAML 2.0 Identity Provider, that can allow to federate LL::NG with: +
++ +
Google Apps | Zimbra | SAP | +
---|---|---|
![]() | ![]() | ![]() |
+
+ +See SAML service configuration chapter. +
+ +
+
+Go in General Parameters
» Issuer modules
» SAML
and configure:
+
On
.^/saml/
unless you have change SAML end points suffix in SAML service configuration.1
to always allow.+ +
+$authenticationLevel > 2 ++ +
+ + +
+ +After configuring SAML Service, you can export metadata to your partner Service Provider. +
+ ++They are available at the EntityID URL, by default: http://auth.example.com/saml/metadata. +
+ ++ +In the Manager, select node SAML service providers and click on New service provider: +
+ + + ++The SP name is asked, enter it and click OK. +
+ ++Now you have access to the SP parameters list. +
+ ++ +You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata URL (this require a network link between your server and the SP). +
+ ++
+ +For each attribute, you can set: +
++ +These options override service signature options (see SAML service configuration). + +
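Review bot: the same typo is pasted into the "Path" line of all three issuer-module sections (CAS, OpenID and SAML): "unless you have change Apache portal configuration file" should read "unless you have changed the Apache portal configuration file", and the SAML variant "unless you have changed the SAML end points suffix". While there, the three `RewriteRule ^/cas/.* /index.pl` / `^/openidserver/.*` / SAML rewrite snippets and the `$authenticationLevel > 2` rule example could be introduced once and referenced, rather than duplicated with the typo each time.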
++ +LemonLDAP::NG provides these packages: +
++ +If you run Debian testing or unstable, the packages are directly installable: + +
++apt-cache search lemonldap-ng ++ +
+
+ +You can add this repository to have recent packages: + +
++vi /etc/apt/sources.list.d/lemonldap-ng.list ++
+# LemonLDAP::NG repository +deb http://lemonldap-ng.org/deb squeeze main +deb-src http://lemonldap-ng.org/deb squeeze main ++ +
+Run this to update packages cache: + +
++apt-get update ++ +
+ +Packages are available on the Download page. +
+ ++apt-get install lemonldap-ng ++ +
+ +Before installing the packages, install dependencies. +
+ ++Then: + +
++dpkg -i liblemonldap-ng-* lemonldap-ng* ++ +
+
+By default, DNS domain is example.com
. You can change it quick with a sed command. For example, we change it to ow2.org
:
+
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl+ +
+ +Enable LL::NG sites in Apache: + +
+a2ensite portal-apache2.conf +a2ensite manager-apache2.conf+ +
+ +Restart Apache: + +
+apache2ctl configtest +apache2ctl restart+ +
+ +If you upgraded LL::NG, check all upgrade notes. +
+ +
+The upgrade process will also have migrate old configuration files into /etc/lemonldap-ng/lemonldap-ng.ini
. This includes the application list which is now set in the applicationList
parameter from [portal]
section, for example:
+
+
[portal] +applicationList={ 'Menu' => { type => 'category', 'Example' => { type => 'category', 'test1' => { type => 'application', options => { name => 'Application Test 1', uri => 'http://test1.example.com/', description => 'A simple application displaying authenticated user', logo => 'wheels.png', display => 'auto', }, },'test2' => { type => 'application', options => { name => 'Application Test 2', uri => 'http://test2.example.com/', description => 'The same simple application displaying authenticated user', logo => 'wheels.png', display => 'auto', }, }, },'Administration' => { type => 'category', 'manager' => { type => 'application', options => { name => 'WebSSO Manager', uri => 'http://manager.example.com/', description => 'Configure LemonLDAP::NG WebSSO', logo => 'tools.png', display => 'on', }, },'sessions' => { type => 'application', options => { name => 'Sessions explorer', uri => 'http://manager.example.com/sessions.pl', description => 'Explore WebSSO sessions', logo => 'tools.png', display => 'on', }, }, },'Documentation' => { type => 'category', 'localdoc' => { type => 'application', options => { name => 'Local documentation', uri => 'http://manager.example.com/doc/', description => 'Documentation supplied with LemonLDAP::NG', logo => 'docs.png', display => 'on', }, },'officialwebsite' => { type => 'application', options => { name => 'Offical Website', uri => 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation', description => 'Official LemonLDAP::NG Website', logo => 'web.png', display => 'on', }, }, }, }, }+ +
+
applicationList
parameter from /etc/lemonldap-ng/lemonldap-ng.ini
.
++ +Configure your DNS server to resolve names with your server IP. +
+ ++
example.com
, launch the following :
+
+
+cat /etc/lemonldap-ng/for_etc_hosts >> /etc/hosts+ +
+ + +
+Follow the next steps +
+ ++ +You can also get the LemonLDAP::NG archive and make the package yourself: + +
++tar xzf lemonldap-ng-*.tar.gz +cd lemonldap-ng-* +make debian-packages ++ +
+ +LemonLDAP::NG provides these packages: +
++ +This schema shows the dependencies between modules: +
+ + + ++ +You can add this YUM repository to get recent packages: + +
++vi /etc/yum.repos.d/lemonldap-ng.repo ++
+[lemonldap-ng] +name=LemonLDAP::NG packages +baseurl=http://lemonldap-ng.org/rpm/ +enabled=1 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2 ++ +
+Run this to update packages cache: + +
++yum update ++ +
+
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm+ +
+See prerequisites and dependencies chapter for more. + +
+ +RPMs are available on the Download page. +
+ ++ +The GPG key can be downloaded here: rpm-gpg-key-ow2 +
+ ++Install it to trust RPMs: +
++rpm --import rpm-gpg-key-ow2 ++ +
+ +If the packages are stored in a yum repository: + +
+yum install lemonldap-ng+
Transaction Summary +=================================================== +Install 82 Package(s) +Upgrade 0 Package(s) + +Total download size: 18 M +Is this ok [y/N]: y+ +
+You can also use yum on local RPMs file: + +
++yum localinstall lemonldap-ng-* perl-Lemonldap-NG-* ++ +
+ +Before installing the packages, install all dependencies. +
+ ++You have then to install all the downloaded packages: + +
++rpm -Uvh lemonldap-ng-* perl-Lemonldap-NG-* ++ +
+ +
lemonldap-ng-portal
, lemonldap-ng-handler
or lemonldap-ng-manager
.
+
+
+
+Install the package lemonldap-ng-conf
only on the server which stores configuration.
+
+
+
+By default, DNS domain is example.com
. You can change it quick with a sed command. For example, we change it to ow2.org
:
+
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl+ +
+ +If LL::NG is the only software installed in Apache, the virtual host feature may not have already been activated. +
+ +
+To do it, uncomment the NameVirtualHost
line in /etc/httpd/conf.d/z-lemonldap-ng-handler.conf
:
+
NameVirtualHost *:80+ +
+Check Apache configuration and restart: + +
+apachectl configtest +apachectl restart+ +
+ +If you upgraded LL::NG, check all upgrade notes. +
+ ++For apache configuration, you may have to remove the old symbolic link, if not done by the RPM: + +
+rm -f /etc/httpd/conf.d/z-lemonldap-ng.conf+ +
+Your old Apache configuration should have been saved, you need to port your specificities in new Apache configuration files: + +
+vi /etc/lemonldap-ng/apache2.conf.rpmsave+ +
+The upgrade process will also have migrate old configuration files into /etc/lemonldap-ng/lemonldap-ng.ini
. This includes the application list which is now set in the applicationList
parameter from [portal]
section, for example:
+
+
[portal] +applicationList={ 'Menu' => { type => 'category', 'Example' => { type => 'category', 'test1' => { type => 'application', options => { name => 'Application Test 1', uri => 'http://test1.example.com/', description => 'A simple application displaying authenticated user', logo => 'wheels.png', display => 'auto', }, },'test2' => { type => 'application', options => { name => 'Application Test 2', uri => 'http://test2.example.com/', description => 'The same simple application displaying authenticated user', logo => 'wheels.png', display => 'auto', }, }, },'Administration' => { type => 'category', 'manager' => { type => 'application', options => { name => 'WebSSO Manager', uri => 'http://manager.example.com/', description => 'Configure LemonLDAP::NG WebSSO', logo => 'tools.png', display => 'on', }, },'sessions' => { type => 'application', options => { name => 'Sessions explorer', uri => 'http://manager.example.com/sessions.pl', description => 'Explore WebSSO sessions', logo => 'tools.png', display => 'on', }, }, },'Documentation' => { type => 'category', 'localdoc' => { type => 'application', options => { name => 'Local documentation', uri => 'http://manager.example.com/doc/', description => 'Documentation supplied with LemonLDAP::NG', logo => 'docs.png', display => 'on', }, },'officialwebsite' => { type => 'application', options => { name => 'Offical Website', uri => 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation', description => 'Official LemonLDAP::NG Website', logo => 'web.png', display => 'on', }, }, }, }, }+ +
+
applicationList
parameter from /etc/lemonldap-ng/lemonldap-ng.ini
.
++ +Configure your DNS server to resolve names with your server IP. +
+ ++
example.com
, launch the following :
+
+
+cat /etc/lemonldap-ng/for_etc_hosts >> /etc/hosts+ +
+ + +
+Follow the next steps +
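Review bot: the `applicationList=` example in the upgrade notes is pasted twice (once under Debian, once under RPM) as a single unbroken line, and both copies carry `name => 'Offical Website'`, which should be "Official"; keeping the example in one place that both sections point to would avoid fixing it twice. Also, `cat /etc/lemonldap-ng/for_etc_hosts >> /etc/hosts` appends on every run, so following the section a second time duplicates the entries; say that it is meant to be run once, or guard it with a check that the names are not already present.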
+ ++ +If you need it, you can rebuild RPMs: +
++%_topdir /home/user/build +%dist .el5 +%rhel 5 ++
+rpmbuild -ta SOURCES/lemonldap-ng-VERSION.tar.gz ++ +
+ +Get the tarball from download page. You can also find on this page the SVN tarball if you want to test latest features. +
+ ++
+ +Either checkout or export the SVN repository, or extract the SVN tarball to get the SVN files on your disk. +
+ ++Then go to build directory: + +
++cd trunk/build/lemonldap-ng ++ +
+And run the “dist” target: + +
++make dist ++ +
+The generated tarball is in the current directory. +
+ ++ +Just run the tar command: + +
++tar zxvf lemonldap-ng-*.tar.gz ++ +
+ +First check and install the prerequisites. +
+ ++For full install: +
++cd lemonldap-ng-* +make +make configure +make test +sudo make install ++ +
+You can modify location of default storage configuration file in configure target: + +
++sudo make configure STORAGECONFFILE=/etc/lemonldap-ng/lemonldap-ng.ini ++ +
+You can choose other Makefile targets: +
++ +You can also pass parameters to the make install command, with this syntax: + +
++sudo make install PARAM=VALUE PARAM=VALUE ... ++ +
+Available parameters are: +
++ +
+make debian-install ++ +
+ +or: + +
++make ubuntu-install ++ +
+ +See also Debian/Ubuntu installation documentation. + +
+
+By default, Apache configuration files will be installed in /usr/local/lemonldap-ng/etc/
. You have to include them in Apache main configuration, for example:
+
include /usr/local/lemonldap-ng/etc/portal-apache2.conf +include /usr/local/lemonldap-ng/etc/handler-apache2.conf +include /usr/local/lemonldap-ng/etc/manager-apache2.conf+ +
+
conf.d
Apache directory.+a2ensite manager-apache2.conf +a2ensite portal-apache2.conf ++ +
+ + +
+
+ +LL::NG use cron jobs to: +
++ +To install them on system: +
++sudo ln -s /usr/local/lemonldap-ng/etc/cron.d/* /etc/cron.d/ ++ +
+ +Configure your DNS server to resolve names with your server IP. +
+ ++
cat /usr/local/lemonldap-ng/etc/lemonldap-ng/for_etc_hosts >> /etc/hosts+ +
+ + +
+Follow the next steps. + +
+ ++ +You can choose to store LemonLDAP::NG configuration in an LDAP directory. +
+ + + ++Advantages: +
+
+
+The configuration will be store under a specific branch, for example ou=conf,ou=applications,dc=example,dc=com
.
+
+Each configuration will be represented as an entry, which structural objectClass is applicationProcess
. This objectClass is included in every core schemas.
+
+The configuration name is the same that files, so lmConf-1, lmConf-2, etc. This name is used in entry DN, for example cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com
.
+
+Then each parameter is one value of the attribute description
, prefixed by its key. For example {ldapPort}389
.
+
+The LDIF view of such entry can be: +
++dn: cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com +objectClass: top +objectClass: applicationProcess +cn: lmConf-1 +description: {globalStorage}'Apache::Session::File' +description: {cookieName}'lemonldap' +description: {whatToTrace}'$uid' +... ++ +
+
+Configuration objects use standard object class: applicationProcess
. This objectClass allow attributes cn
and description
. If your LDAP server do not manage this objectClass, you have to extend your schema.
+
+We advice to create a specific LDAP account with write access on configuration branch. +
+ ++Next create the configuration branch where you want. Just remember its DN for LemonLDAP::NG configuration. +
+ +
+
+Configure LDAP configuration backend in lemonldap-ng.ini
, section [configuration]
:
+
type = LDAP +ldapServer = ldap://localhost +ldapConfBase = ou=conf,ou=applications,dc=example,dc=com +ldapBindDN = cn=manager,dc=example,dc=com +ldapBindPassword = secret+ +
+Parameters: +
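Review bot: the `[configuration]` example binds with `ldapServer = ldap://localhost` and `ldapBindPassword = secret`, i.e. the configuration account's password travels in clear over plain LDAP; since the configuration-backend table later on this page lists `caFile` and `caPath` for the LDAP backend, the example (or the currently empty "Parameters:" list) should show an `ldaps://` URI or at least mention those TLS parameters for any server that is not local, and remind that lemonldap-ng.ini must be readable only by the web server user because it holds the bind password.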
++ +LL::NG use 2 internal databases to store its configuration and sessions. +
+ ++ +Steps: +
++ +Steps: +
++ +An Apache session module was created by LL::NG team to store sessions in an LDAP directory. +
+ ++
+
contribs
directory of LL::NG subversion repository.
++Sessions will be stored as LDAP entries, like this: +
++dn: cn=6fb7c4a170a04668771f03b0a4747f46,ou=sessions,dc=example,dc=com +objectClass: top +objectClass: applicationProcess +cn: 6fb7c4a170a04668771f03b0a4747f46 +description: [serialized data] ++ +
+
+Go in the Manager and set the LDAP session module (Apache::Session::LDAP) in General parameters
» Sessions
» Session storage
» Apache::Session module
and add the following parameters (case sensitive):
+
+
Required parameters | +||
---|---|---|
Name | Comment | Example | +
ldapServer | URI of the server | ldap://localhost | +
ldapConfBase | DN of sessions branch | ou=sessions,dc=example,dc=com | +
ldapBindDN | Connection login | cn=admin,dc=example,dc=password | +
ldapBindPassword | Connection password | secret | +
+ +Restrict network access to the LDAP directory, and add specific ACL to session branch. +
+ +
+You can also use different user/password for your servers by overriding parameters globalStorage
and globalStorageOptions
in lemonldap-ng.ini file.
+
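Review bot: the example value for `ldapBindDN` in the Apache::Session::LDAP table reads `cn=admin,dc=example,dc=password`, which looks like a copy error for `cn=admin,dc=example,dc=com` (every other DN on the page ends in `dc=com`). The table also reuses the name `ldapConfBase` for the sessions branch (`ou=sessions,dc=example,dc=com`) while the configuration backend uses the same key for `ou=conf,...`; a sentence saying this is the sessions branch and not the configuration one would prevent the two being mixed up.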
+ +Even if LL:NG can catch logout URL trough virtual host rules, you can have the need to forward a logout to other applications, to close their local sessions. +
+ ++LL::NG has a logout forward mechanism, that will add a step in logout process, to send logout requests (indeed, GET requests on application logout URL) inside hidden iframes. +
+ ++
+
+Go in Manager, General parameters
» Advanced parameters
» Logout forward
and click on Add a key
, then fill:
+
+ +
+ +By default, LemonLDAP::NG uses Apache logs to store user actions and other messages: +
+
+
+The log level can be set with Apache LogLevel
parameter. It can be configured globally, or inside a virtual host.
+
+See http://httpd.apache.org/docs/2.2/mod/core.html#loglevel for more information. +
+ +
+To configure the user identifier in access log, go in Manager, General Parameters
> Logging
> REMOTE_USER
.
+
+ +LemonLDAP::NG can also use syslog (only for user actions). +
+ +
+In Manager, set syslog facility in General Parameters
> Logging
> Syslog facility
.
+
+The messages are stored with the facilities : +
+
+
+You can customize logs by redefining userNotice() and userError() methods, directly in lemonldap-ng.ini
+
+Example: +
+[portal] +userError = sub { my ($self, $message) = @_; ... } +userNotice = sub { my ($self, $message) = @_; ... }+ +
+ +When installing LL::NG, the Manager can only be accessed from localhost, for security reasons. This How To explains how change this default behavior to protect Manager with Apache or directly with LL::NG. +
+ +
+
+The configuration can be changed in etc/manager-apache2.conf
:
+
+By default, the protection rule is to only accept clients from localhost: + +
+<Directory /usr/local/lemonldap-ng/htdocs/manager/> + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 + Options +ExecCGI + </Directory>+ +
+You can change this to allow other specific IP, for example: + +
+<Directory /usr/local/lemonldap-ng/htdocs/manager/> + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 192.168.100.0/32 + Options +ExecCGI + </Directory>+ +
+But you will rather prefer to use an Apache authentication module, like for example LDAP authentication module: + +
+<Directory /usr/local/lemonldap-ng/htdocs/manager/> + AuthzLDAPAuthoritative On + AuthName "LL::NG Manager" + AuthType Basic + AuthBasicProvider ldap + AuthLDAPBindDN "ou=websso,ou=applications,dc=example,dc=com" + AuthLDAPBindPassword "secret" + AuthLDAPURL ldap://localhost:389/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS + Require ldap-user coudot xguimard tchemineau + Options +ExecCGI + </Directory>+ +
+ +
+Go on Manager, and declare Manager as a new virtual host, for example manager.example.com
. You can then set the access rule. No headers are needed.
+
+Save the configuration and exit the Manager. +
+ ++
+Enable protection on Manager, by editing lemonldap-ng.ini
:
+
+
[manager] +protection = manager+ +
+Remove Apache access control: + +
+<Directory /usr/local/lemonldap-ng/htdocs/manager/> + Order deny,allow + Allow from all + Options +ExecCGI + </Directory>+ +
+Restart Apache and try to log on Manager. You should be redirected to LL::NG Portal. +
+ ++You can then add the Manager as an application in the menu. +
+ ++
lemonldap-ng.ini
and reconfigure Apache access control.
++ +
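Review bot: in the "allow other specific IP" example, `Allow from 127.0.0.0/8 192.168.100.0/32` grants only the single address 192.168.100.0, the network address of that range, so as written it admits nobody beyond localhost; `192.168.100.0/24` for a subnet, or a concrete host address, is probably what was meant. In the mod_authnz_ldap example, `Require ldap-user coudot xguimard tchemineau` hard-codes real developer logins and `AuthLDAPBindPassword "secret"` a real-looking secret; placeholder names would stop these being copied into production configs unchanged.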
+ +To keep Memcached performance level and LL::NG features, you can replace Memcached by Redis using NoSQL session backend. + +
+ +Install and launch a Memcached server. +
+ +
+In the manager: set Apache::Session::Memcached in General parameters
» Sessions
» Session storage
» Apache::Session module
and add the following parameters (case sensitive):
+
+
Required parameters | +||
---|---|---|
Name | Comment | Example | +
Servers | Memcached servers | 10.0.0.1:20000 10.0.0.2:20000 | +
+ +See Apache::Session::Memcached for optional parameters. +
+ ++ +The status page can be read by MRTG using the script lmng-mrtg that can be found in manager example directory. +
+ ++MRTG configuration example: +
+###################################################################### +# Multi Router Traffic Grapher -- Sample Configuration File +###################################################################### +# This file is for use with mrtg-2.5.4c + +# Global configuration +WorkDir: /var/www/mrtg +WriteExpires: Yes + +Title[^]: Traffic Analysis for + +# 128K leased line +# ---------------- +#Title[leased]: a 128K leased line +#PageTop[leased]: <H1>Our 128K link to the outside world</H1> +#Target[leased]: 1:public@router.localnet +#MaxBytes[leased]: 16000 +Target[test.example.com]: `/etc/mrtg/lmng-mrtg 172.16.1.2 https://test.example.com/status OK OK` +Options[test.example.com]: nopercent, growright, nobanner, perminute +PageTop[test.example.com]: <h1>Requests OK from test.example.com</h1> +MaxBytes[test.example.com]: 1000000 +YLegend[test.example.com]: hits/minute +ShortLegend[test.example.com]: hits/mn +LegendO[test.example.com]: Hits: +LegendI[test.example.com]: Hits: +Legend2[test.example.com]: Hits per minute +Legend4[test.example.com]: Hits max per minute +Title[test.example.com]: Hits per minute +WithPeak[test.example.com]: wmy+ +
+ +LL::NG use 2 internal databases to store its configuration and sessions. +
+ ++ +Steps: +
++ +Steps: +
++Apache::Session::Redis is the faster shareable session backend +
+ ++ +Install and launch a Redis server. Install +Apache::Session::Redis Perl module. +
+ +
+In the manager: set Apache::Session::Redis in General parameters
» Sessions
» Session storage
» Apache::Session module
and add the following parameters (case sensitive):
+
+
Required parameters | +||
---|---|---|
Name | Comment | Example | +
server | Redis server | 127.0.0.1:6379 | +
+ +Restrict network access to the redis server. For remote servers, you can use SOAP session backend in cunjunction to increase security for remote server that access through an unsecure network + +
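Review bot: "cunjunction" should be "conjunction" and "unsecure" should be "insecure" in the Redis caveat. The same caveat is missing from the Memcached section just above: Memcached has no authentication at all, so the `Servers` list (`10.0.0.1:20000 10.0.0.2:20000`) exposes every session to anyone who can reach those ports; the "Restrict network access" sentence belongs there too.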
+ ++ +Since version 0.9.4, Lemonldap::NG can be used to notify some messages to users: if a user has a message, the message will be displayed when he will access to the portal. If the message contains checkboxes, the user has to check all of them else he can not access to the portal and get his session cookie. +
+ ++ +You just have to set “notification” to “activate” in the manager (or notification=1 in lemonldap-ng.ini, section “PORTAL”). +
+ ++ +By default, notifications will be stored in the same database as configuration: +* if you use “File” system and your “dirName” is set to /usr/local/lemonldap-ng/conf/, the notifications will be stored in /usr/local/lemonldap-ng/notifications/ +* if you use “DBI” system, the notifications will be stored in the same database as configuration and in a table called “notifications”. You have to create the table by yourself + +
+CREATE TABLE 'notifications' ( + 'date' datetime NOT NULL, + 'uid' varchar(255) NOT NULL, + 'ref' varchar(255) NOT NULL, + 'xml' longblob NOT NULL, + 'done' datetime DEFAULT NULL, + PRIMARY KEY ('date','uid','ref') +)+ +
+You can change default parameters using the “notificationStorage” parameter with the same syntax as configStorage. +
+ ++ +New notifications can be insert using SOAP request (described in the WSDL file generated by buildPortalWSDL tool). +
+ ++ +Notifications are XML files containing: +
++ +All other elements will be removed including HTML elements like <b>; +
+ ++Example : + +
+<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<root> +<notification uid="foo.bar" date="2009-01-27" reference="ABC"> +<text> You have been granted to access to appli-1 </text> +<text> You have been granted to access to appli-2 </text> +<check> I know that I can acces to appli-1 </check> +<check> I know that I can acces to appli-2 </check> +</notification> +</root>+ +
#!/usr/bin/perl + +use SOAP::Lite; +use utf8; + +my $lite = SOAP::Lite + ->uri('urn:Lemonldap::NG::Common::CGI::SOAPService') + ->proxy('http://auth.example.com/index.pl/notification'); + + +$r = $lite->newNotification('<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<root> +<notification uid="foo.bar" date="2009-01-27" reference="ABC"> +<text> You have been granted to access to appli-1 </text> +<text> You have been granted to access to appli-2 </text> +<check> I know that I can acces to appli-1 </check> +<check> I know that I can acces to appli-2 </check> +</notification> +</root>'); + +if ( $r->fault ) { + print STDERR "SOAP Error: " . $r->fault->{faultstring}; +} +else { + my $res = $r->result(); + print "$res notification(s) have been inserted\"; +}+ +
+ +You've simply to insert a notification and connect to the portal using the same UID. You will be prompted. +
+ ++ +
lemonldap-ng.ini
or in Perl scripts to override configuration parameters (see configuration location).
+
++ +
Full name | Key name | Portal | Handler | Manager | +
---|---|---|---|---|
Activate auto accept timer | activeTimer | ✔ | + | |
Apache authentication level | apacheAuthnLevel | ✔ | + | |
Choice modules | authChoiceModules | ✔ | + | |
Choice URL parameter | authChoiceParam | ✔ | + | |
Authentication backend | authentication | ✔ | + | |
LDAP authentication search filter | AuthLDAPFilter | ✔ | + | |
CAS authentication level | CAS_authnLevel | ✔ | + | |
CAS CA file | CAS_CAFile | ✔ | + | |
CAS force gateway authentication | CAS_gateway | ✔ | + | |
CAS PGT temporary file | CAS_pgtFile | ✔ | + | |
CAS proxied services | CAS_proxiedServices | ✔ | + | |
CAS force authentication renewal | CAS_renew | ✔ | + | |
CAS server URL | CAS_url | ✔ | + | |
CAS Session backend | casStorage | ✔ | + | |
CAS Session backend options | casStorageOptions | ✔ | + | |
CDA activation | cda | ✔ | ✔ | + |
Configuration backend | configStorage | ✔ | ✔ | ✔ | +
Cookie expiration | cookieExpiration | ✔ | ✔ | + |
Name of the cookie | cookieName | ✔ | ✔ | + |
Custom functions | customFunctions | ✔ | ✔ | ✔ | +
Custom SOAP Services | CustomSOAPServices | ✔ | + | |
DBI Connection chain | dbiAuthChain | ✔ | + | |
DBI Login column | dbiAuthLoginCol | ✔ | + | |
DBI authentication level | dbiAuthnLevel | ✔ | + | |
DBI Connection password | dbiAuthPassword | ✔ | + | |
DBI Password column | dbiAuthPasswordCol | ✔ | + | |
DBI Password hash | dbiAuthPasswordHash | ✔ | + | |
DBI Authentication table | dbiAuthTable | ✔ | + | |
DBI Connection user | dbiAuthUser | ✔ | + | |
DBI Mail column | dbiPasswordMailCol | ✔ | + | |
DBI UserDB connection chain | dbiUserChain | ✔ | + | |
DBI UserDB connection password | dbiUserPassword | ✔ | + | |
DBI UserDB table | dbiUserTable | ✔ | + | |
DBI UserDB connection user | dbiUserUser | ✔ | + | |
Main DNS domain | domain | ✔ | ✔ | + |
Attributes exported in SOAP | exportedAttr | ✔ | + | |
Headers sent | exportedHeaders | ✔ | + | |
Attributes from user backend | exportedVars | ✔ | + | |
Session backend | globalStorage | ✔ | ✔ | + |
Session backend options | globalStorageOptions | ✔ | ✔ | + |
Rule for session granting | grantSessionRule | ✔ | + | |
Local groups | groups | ✔ | + | |
Force HTTPS in redirection | https | ✔ | + | |
LDAP authentication level | ldapAuthnLevel | ✔ | + | |
LDAP search base | ldapBase | ✔ | + | |
LDAP change password as user | ldapChangePasswordAsUser | ✔ | + | |
LDAP main search filter | LDAPFilter | ✔ | + | |
LDAP groups member attribute | ldapGroupAttributeName | ✔ | + | |
LDAP group link attribute name | ldapGroupAttributeNameGroup | ✔ | + | |
LDAP groups name attribute | ldapGroupAttributeNameSearch | ✔ | + | |
LDAP groups member link value | ldapGroupAttributeNameUser | ✔ | + | |
LDAP groups base | ldapGroupBase | ✔ | + | |
LDAP groups objectClass | ldapGroupObjectClass | ✔ | + | |
LDAP activate recursive groups | ldapGroupRecursive | ✔ | + | |
LDAP Port | ldapPort | ✔ | + | |
LDAP password policy control | ldapPpolicyControl | ✔ | + | |
LDAP password encoding | ldapPwdEnc | ✔ | + | |
LDAP binary attributes | ldapRaw | ✔ | + | |
LDAP server or Net::LDAP connexion string | ldapServer | ✔ | + | |
LDAP extended SetPassword modify | ldapSetPassword | ✔ | + | |
LDAP timeout | ldapTimeout | ✔ | + | |
LDAP version | ldapVersion | ✔ | + | |
Cache backend | localStorage | ✔ | ✔ | ✔ | +
Local cache | localStorage | ✔ | ✔ | ✔ | +
Cache backend options | localStorageOptions | ✔ | ✔ | ✔ | +
Local cache parameters | localStorageOptions | ✔ | ✔ | ✔ | +
Access rules | locationRules | ✔ | + | |
Macros | macros | ✔ | + | |
Body for password mail | mailBody | ✔ | + | |
Body for confirmation mail | mailConfirmBody | ✔ | + | |
Subject for confirmation mail | mailConfirmSubject | ✔ | + | |
Mail From address | mailFrom | ✔ | + | |
LDAP mail search filter | mailLDAPFilter | ✔ | + | |
Subject for password mail | mailSubject | ✔ | + | |
URL for mail reset | mailUrl | ✔ | + | |
Manager menu organization | managerCss | ✔ | +||
Manager theme | managerCssTheme | ✔ | +||
LDAP Bind DN | managerDn | ✔ | + | |
LDAP Bind Password | managerPassword | ✔ | + | |
Manager skin | managerSkin | ✔ | +||
Manager tree autoClose | managerTreeAutoClose | ✔ | +||
Manager tree JQuery CSS file | managerTreeJqueryCss | ✔ | +||
Multi overridden parameters | multi | ✔ | + | |
Multi values separator | multiValuesSeparator | ✔ | ✔ | ✔ | +
Notification activation | notification | ✔ | + | |
Notification backend | notificationStorage | ✔ | + | |
Notification backend options | notificationStorageOptions | ✔ | + | |
Display deleted sessions | notifyDeleted | ✔ | + | |
Display other sessions | notifyOther | ✔ | + | |
Null authentication level | nullAuthnLevel | ✔ | + | |
OpenID authentication level | openIdAuthnLevel | ✔ | + | |
OpenID allowed domains | openIdIDPList | ✔ | + | |
OpenID secret token | openIdSecret | ✔ | + | |
Password backend | passwordDB | ✔ | + | |
Force port in redirection | port | ✔ | + | |
Portal URL | portal | ✔ | ✔ | + |
Anti frame protection | portalAntiFrame | ✔ | + | |
Allow form autocompletion | portalAutocomplete | ✔ | + | |
Display applications list | portalDisplayAppslist | ✔ | + | |
Display change password module | portalDisplayChangePassword | ✔ | + | |
Display logout module | portalDisplayLogout | ✔ | + | |
Display reset password form | portalDisplayResetPassword | ✔ | + | |
Open links in new window | portalOpenLinkInNewWindow | ✔ | + | |
Require old password (change) | portalRequireOldPassword | ✔ | + | |
Skin name | portalSkin | ✔ | + | |
User name session field | portalUserAttr | ✔ | + | |
Protection scheme | protection | ✔ | ✔ | +|
Regular expression for random password | randomPasswordRegexp | ✔ | + | |
Delay between check of local configuration | reloadTime | ✔ | + | |
Remote cookie name | remoteCookieName | ✔ | + | |
Proxy cookie name | remoteCookieName | ✔ | + | |
Remote Session backend | remoteGlobalStorage | ✔ | + | |
Remote Session backend options | remoteGlobalStorageOptions | ✔ | + | |
Remote portal | remotePortal | ✔ | + | |
SAML Session backend | samlStorage | ✔ | + | |
SAML Session backend options | samlStorageOptions | ✔ | + | |
Cookie security | securedCookie | ✔ | ✔ | + |
Delete other session if IP differs | singleIP | ✔ | + | |
Delete other session | singleSession | ✔ | + | |
Do not allow several users for 1 IP | singleUserByIP | ✔ | + | |
SMTP server | SMTPServer | ✔ | + | |
SOAP activation | Soap | ✔ | + | |
Proxy portal URL | soapAuthService | ✔ | + | |
Proxy session SOAP end point | soapSessionService | ✔ | + | |
SSL authentication level | SSLAuthnLevel | ✔ | + | |
SSL map with LDAP attribute | SSLLDAPField | ✔ | + | |
SSL force SSL authentication | SSLRequire | ✔ | + | |
SSL user field in certificate | SSLVar | ✔ | + | |
Status module activation | status | ✔ | + | |
Store password in session | storePassword | ✔ | + | |
Sympa mail session key | sympaMailKey | ✔ | + | |
Sympa shared secret | sympaSecret | ✔ | + | |
Syslog facility | syslog | ✔ | + | |
Session lifetime for cronjob | timeout | ✔ | + | |
Trusted domains | trustedDomains | ✔ | + | |
Twitter application name | twitterAppName | ✔ | + | |
Twitter authentication level | twitterAuthnLevel | ✔ | + | |
Twitter application key | twitterKey | ✔ | + | |
Twitter application secret | twitterSecret | ✔ | + | |
User backend | userDB | ✔ | + | |
Use redirect on error | useRedirectOnError | ✔ | + | |
DBI Pivot from user table | userPivot | ✔ | + | |
Use XForwardedFor for IP | useXForwardedForIP | ✔ | ✔ | +|
Data to store as REMOTE_USER (used also in Apache logs) | whatToTrace | ✔ | ✔ | + |
Zimbra account session key | zimbraAccountKey | ✔ | + | |
Zimbra account type | zimbraBy | ✔ | + | |
Zimbra preauthentication key | zimbraPreAuthKey | ✔ | + | |
Zimbra local SSO URL pattern | zimbraSsoUrl | ✔ | + | |
Zimbra preauthentication URL | zimbraUrl | ✔ | + |
Full name | Key name | Configuration backend | +
---|---|---|
DBI connection string | dbiChain | CDBI / RDBI | +
DBI user | dbiUser | +|
DBI password | dbiPassword | +|
DBI table name | dbiTable | +|
Storage directory | dirName | File | +
LDAP server | ldapServer | LDAP | +
LDAP port | ldapPort | +|
LDAP base | ldapConfBase | +|
LDAP bind dn | ldapBindDN | +|
LDAP bind password | ldapBindPassword | +|
Certificate authorities file | caFile | +|
Certificate authorities directory | caPath | +|
SOAP server location (URL) | proxy | SOAP | +
LWP::UserAgent parameters | proxyOptions | +
+ +Password is not a common attribute. Indeed, in most of the cases, it is not stored in clear text in the backend (LDAP or database). +
+ ++So, to keep user password in session, you cannot just export the password variable in session. To bypass this, LL::NG can remember what password was given by user on authentication phase. +
+ ++
+ + +
+
+Go in Manager, General Parameters
» Sessions
» Store user password in session data
and set to On
.
+
+
+User password is now available in $_password
variable. For example, to send it in an header:
+
+
+Auth-Password => $_password ++ +
+
+ +Lemonldap::NG is designed to be very performant. In particular, it use Apache2 threads capabilities so to optimize performances, prefer using mpm-worker. +
+ ++ +Handlers check rights and calculate headers for each HTTP hit. So to improve performances, avoid too complex rules by using the macro or the groups or local macros. +
+ ++ +Macros and groups are calculated during authentication process by the portal: +
++ +Example for macros: + +
+# boolean macro +isAdmin -> $uid eq 'foo' or $uid eq 'bar' +# other macro +displayName -> $givenName." ".$surName + +# Use a boolean macro in a rule +^/admin -> $isAdmin +# Use a string macro in a HTTP header +Display-Name -> $displayName+ +
+Example for groups: + +
+# group +admin -> $uid eq 'foo' or $uid eq 'bar' + +# Use a group in a rule +^/admin -> $groups =~ /\badmin\b/+ +
+ +Macros and groups are stored in session database. Local macros is a special feature of handler that permit to have macros useable localy only. Those macros are calculated only at the first usage and stored in the local session cache (only for this server) and only if the user access to the related applications. This avoid to have to many datas stored. +
+# rule +admin -> $admin ||= ($uid eq 'foo' or $uid eq 'bar') +# header +Display-Name -> $displayName ||= $givenName." ".$surName+ +
+
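Review bot: the local macro example `admin -> $admin ||= ($uid eq 'foo' or $uid eq 'bar')` should document two side effects of `||=`: a false result is not cached, so the expression is re-evaluated on every hit for users who are not admins and the optimisation only helps when the result is true, and a true result stays in the handler's local session cache (10 minutes according to the session section below) even if the underlying attribute changes in the meantime. A sentence saying that local macros suit expensive but stable values, rather than authorization decisions that may need quick revocation, would make that clear.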
+ +The portal is the biggest component of Lemonldap::NG. It is recommended to use ModPerl::Registry instead of using cgi-script as described in Apache configuration file example (portal-apache2.conf): + +
+<Files *.pl> + SetHandler perl-script + PerlResponseHandler ModPerl::Registry +</Files>+ +
+ +To make the portal start faster when the server is relaunched, add those lines in Apache configuration file (as described in portal-apache2.conf): + +
+<Perl> + require Lemonldap::NG::Portal::SharedConf; + Lemonldap::NG::Portal::SharedConf->compile( + qw(delete header cache read_from_client cookie redirect unescapeHTML)); + # Uncomment this line if you use Lemonldap::NG menu + require Lemonldap::NG::Portal::Menu; + # Uncomment this line if you use portal SOAP capabilities + require SOAP::Lite; +</Perl>+ +
+ +Lemonldap::NG handlers use a local cache to store sessions (for 10 minutes). So Apache::Session module is not a problem for handlers. It can be a brake for the portal: +
++ +In “Apache::Session module” field, set ”Apache::Session::Flex” and use the following parameters: + +
++Store -> MySQL +Lock -> Null +Generate -> MD5 +Serialize -> Storable +DataSource -> dbi:mysql:sessions;host=... +UserName -> ... +Password -> ... ++ +
+ +Apache::Session::Browseable is a wrapper for other Apache::Session modules that add the capability to manage indexes. To use it (with MySQL for example), choose “Apache::Session::Browseable::MySQL” as “Apache::Session module” and use the following parameters: + +
++DataSource -> dbi:mysql:sessions;host=... +UserName -> user +Password -> password +Index -> ipAddr uid ++ +
+Note that Apache::Session::Browseable::MySQL doesn't use MySQL locks. +
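Review bot: `Lock -> Null` in the Apache::Session::Flex example and the sentence "Apache::Session::Browseable::MySQL doesn't use MySQL locks" should say what is given up: without locking, two concurrent writes to the same session record can overwrite each other's changes. Suggest stating whether LL::NG ever updates a session from more than one component at the same time and, if it does, which lock setting to use instead of Null.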
+ ++
+
+ +LDAP server can be a brake when you use LDAP groups recovery. You can avoid this by setting “memberOf” fields in your LDAP scheme: + +
+dn: uid=foo,dmdName=people,dc=example,dc=com +... +memberOf: cn=admin,dmdName=groups,dc=example,dc=com +memberOf: cn=su,dmdName=groups,dc=example,dc=com+ +
+So instead of using LDAP groups recovery, you just have to store “memberOf” field in your exported variables. With OpenLDAP, you can use the memberof overlay to do it automaticaly. +
+ ++
+
+ldapgroups -> memberOf ++
++ For now, ldapgroups contains “cn=admin,dmdName=groups,dc=example,dc=com cn=su,dmdName=groups,dc=example,dc=com”
ldapgroups -> join(" ",($ldapgroups =~ /cn=(.*?),/g))+
+ ++ Now ldapgroups contains “admin su”
+ +
+ +The portal is the main component of LL::NG. It provides many features: +
++ +LL::NG portal is a modular component. It needs 4 modules to work: +
++ +
Null
backend.
++ +
+ +
+ +LemonLDAP::NG is shipped with 3 skins: +
+
+
+You can change the skin in Manager: General Parameters
> Portal
> Customization
> Skin
.
+
+ +A skin is composed of different files: +
+
+
+A skin will often refer to the common
skin, which is not a real skin, but shared skin objects (like scripts, images and CSS).
+
+ +
+To customize a skin, the simplest way is to create a new skin folder: + +
++cd portal/skins +mkdir myskin +mkdir myskin/css +mkdir myskin/images ++ +
+Then create symbolic links on template files, as you might not want to rewrite all HTML code (else, do as you want). + +
++cd myskin +ln -s ../pastel/*.tpl . ++ +
+Then you only have to write myskin/css/styles.css
and add your media to myskin/images
.
+
+To configure your new skin in Manager, select the custom skin, and enter your skin name in the configuration field. +
+ +Connected as
in the menu+ +
+ +
+ +LemonLDAP::NG portal menu has 3 modules: +
+
+
+Each module can be activated trough a rule, using user session information. These rules can be set trough Manager: General Parameters
> Portal
> Menu
> Modules activation
.
+
+You can use 0
or 1
to disable/enable the module, or use a more complex rule. For example, to display the password change form only for user authenticated trough LDAP or DBI:
+
$_auth eq LDAP or $_auth eq DBI+ +
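Review bot: the menu activation example `$_auth eq LDAP or $_auth eq DBI` uses the unquoted barewords LDAP and DBI; these only behave as strings when strict is off and would otherwise be treated as function calls. Suggest `$_auth eq 'LDAP' or $_auth eq 'DBI'`, which also matches the quoting style of the macro examples (`$uid eq 'foo'`).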
+ +Configuring the virtual hosts is not sufficient to display an application in the menu. Indeed, a virtual host can contain several applications (http://vhost.example.com/appli1, http://vhost.example.com/appli2). +
+ +
+In Manager, you can configure categories and applications in General Parameters
> Portal
> Menu
> Categories and applications
.
+
+Category parameters: +
++ +Application parameters: +
+ + ++ +
+
portal/skins/common/apps/
). You can set a custom logo by choosing My logo
, set the logo file name, and copy the logo file in portal applications logos directory
++ +To use LemonLDAP::NG, you have to run an Apache +server compiled with mod-perl (version 1.3 or 2.x). +
+ ++
+For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works faster and LemonLDAP::NG use the thread system for best performance. If you have to use mpm-prefork (for example if you use PHP), LemonLDAP::NG will work anyway. +
+ ++You can use LemonLDAP::NG in an heterogeneous world: the authentication portal and the manager can work in any version of Apache 1.3 or more even if mod_perl is not compiled, with ModPerl::Registry or not… Only the handler +need mod_perl. The different handlers can run on different servers with +different versions of Apache/mod_perl. +
+ ++ +
+apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl libstring-random-perl libemail-date-format-perl libmime-lite-perl libcrypt-openssl-rsa-perl libdigest-hmac-perl ++ +
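Review bot: `libcache-cache-perl` appears twice in the apt-get line; drop the second occurrence.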
+ +Choose a repository which hosted Perl dependencies, for example: +
++ +
+yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON perl-Digest-HMAC perl-String-Random perl-MIME-Lite perl-Email-Date-Format perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509 ++ +
+ +RBAC stands for Role Based Access Control. It means that you manage authorizations to access applications by checking the role(s) of the user, and provide this role to the application. +
+ ++LemonLDAP::NG allows to use this model. You should use an extended LDAP schema (or any users database extension), but this can works with standard attributes. +
+ ++ +Imagine you've set your directory schema to store roles as values of ssoRoles, an attribute of the user. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (';' is the concatenation string): + +
++Auth-Roles => $ssoRoles ++ +
+If the user has these values inside its entry: + +
++ssoRoles: user +ssoRoles: admin ++ +
+Then you got this value inside the Auth-Roles header: + +
++user; admin ++ +
+ +Now imagine the following DIT: +
+ + + ++Roles are entries, below branches representing applications. Each user has a ssoRoles attributes, which values are the DN of the corresponding roles. With this organization, you can set roles to user within specific application. +
+ ++In the schema above, the user has the following values: + +
++ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com +ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com ++ +
+So he is “user” on application “BBB” and “admin” on application “AAA”. +
+ ++Now we have to send to right role to the right application trough LemonLDAP::NG. +
+ ++First step: create a rule to grant access only if the user has a role in the application: +
++default => $ssoRoles =~ /ou=aaa,ou=roles/ ++
+default => $ssoRoles =~ /ou=bbb,ou=roles/ ++ +
+Second step: get the role name for the application. We will use the macros to do that. Create two macros (inside Variablles
» Macros
):
+
+aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0] ++
+bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0] ++ +
+These regular expressions read the 'ou' value of the DN of the role of the concerned application. This works if the user has only one role per application. +
+ ++Third step: provide the role to the application. It is done by creating the correct HTTP header: +
++Auth-Roles => $aaaRoles ++
+Auth-Roles => $bbbRoles ++ +
+Now the protected application can read in the header HTTP_AUTH_ROLES the role of the user. +
+ ++
+aaaRole => join(' || ', (map {/uid=(.*),ou=aaa.*/} (grep{/ou=aaa/} split(';',$ssoRoles))) ++ +
+ + +
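Review bot: the RBAC header step references macro names that are not the ones defined two steps earlier: the macros are created as `aaaRole` and `bbbRole`, but the headers use `$aaaRoles` and `$bbbRoles`, so the header would be empty. The multi-role variant `join(' || ', (map {/uid=(.*),ou=aaa.*/} ...))` matches `uid=` while the DIT and the single-role macros use `ou=admin,ou=aaa,...`; that pattern should be `/ou=(.*?),ou=aaa/`. It is also worth saying that the access rules `$ssoRoles =~ /ou=aaa,ou=roles/` are substring matches over the ';'-joined list, which is fine only as long as no application branch name is a suffix of another. "Variablles" is misspelled.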
+ +
+ +To encode the redirection URL, the will use some Apache environment variables and also configuration settings: +
+
+
+These parameters can be configured in Manager, in General Parameters
> Advanced parameters
> Handler redirections
.
+
+
+ +Handler use the default Apache error code for the following cases: +
+
+
+These errors can be catch trough Apache ErrorDocument
directive, to redirect user on a specific page:
+
# Common error page and security parameters +ErrorDocument 403 http://auth.example.com/?lmError=403 +ErrorDocument 500 http://auth.example.com/?lmError=500+ +
+It is also possible to redirect the user without using ErrorDocument
: the Handler will not return 403 or 500 code, but code 302 (REDIRECT).
+
+The user will be redirected on portal URL with error in the lmError
URL parameter.
+
+These parameters can be configured in Manager, in General Parameters
> Advanced parameters
> Handler redirections
:
+
+ +LL::NG can propose a password reset form, for users who loose their password (this kind of application is also called a self service password interface). +
+ ++Kinematics: +
++ +
pwdReset
flag is set to TRUE, so that the user is forced to change his password on next connection.
++ +The reset password link must be activated, see portal customization. +
+ +
+Then go in Manager, General Parameters
» Advanced Parameters
» Password management
:
+
+ +
+ +If you define mail contents in Manager, HTML templates will not be used. + +
+ +
+ + ++ +This documentation explains how configure SAML service in LL::NG, in particular: +
++ +
+SAML2 implementation is based on Lasso. You will need a very recent version of Lasso (>= 2.3.0). +
+ ++ +There are packages available here: http://deb.entrouvert.org/. +
+ ++You will only need to install liblasso3-perl package: +
++sudo apt-get install liblasso3-perl ++ +
+ +Packages should be available soon. +
+ ++ +Download the Lasso tarball and compile it on your system. +
+ ++ +Be sure that mod_rewrite is installed and that SAML2 rewrite rules are activated in Apache portal configuration: +
+<IfModule mod_rewrite.c> + RewriteEngine On + RewriteRule ^/saml/metadata /metadata.pl + RewriteRule ^/saml/.* /index.pl +</IfModule>+ +
+
+Go in Manager and click on SAML 2 Service
node.
+
+
+ +Your EntityID, often use as metadata URL, by default #PORTAL#/saml/metadata. +
+ ++
<EntityDescriptor entityID="http://auth.example.com/saml/metadata"> + ... +</EntityDescriptor>+ +
+ + +
+
/saml/metadata
suffix you have to change corresponding Apache rewrite rule.
++ +You can define keys for SAML message signature and encryption. If no encryption keys are defined, signature keys are used for signature and encryption. +
+ ++To define keys, you can: +
+Load from a file
input)Generate
button)+ +
Private key password
.
++
+SAML can use different NameID formats. The NameID is the main user identifier, carried in SAML messages. You can configure here which field of LL::NG session will be associated to a NameID format. +
+ ++
+Customizable NameID formats are: +
++ +
+Other NameID formats are automatically managed: +
++Each LL::NG authentication module has an authentication level, which can be associated to an SAML authentication context. +
+ ++
+Customizable NameID formats are: +
++ +
<Organization> + <OrganizationName xml:lang="en">Example</OrganizationName> + <OrganizationDisplayName xml:lang="en">Example</OrganizationDisplayName> + <OrganizationURL xml:lang="en">http://www.example.com</OrganizationURL> +</Organization>+ +
+ + +
+ +
<SPSSODescriptor> + ... +</SPSSODescriptor>+ +
+ + +
+ +
+ +For each binding you can set: +
++Available bindings are: +
++ +For each binding you can set: +
++Available bindings are: +
++ +The only authorized binding is SOAP. This should be set as Default. +
+ ++ +
<IDPSSODescriptor> + ... +</IDPSSODescriptor>+ +
+ + +
+ +
+ +For each binding you can set: +
++ +Available bindings are: +
++ +For each binding you can set: +
++ +Available bindings are: +
++ +The only authorized binding is SOAP. This should be set as Default. +
+ ++ +
<AttributeAuthorityDescriptor> + ... +</AttributeAuthorityDescriptor>+ +
+ + +
+ +This is the only service to configure, and it accept only the SOAP binding. +
+ ++Response Location should be empty, as SOAP responses are directly returned (synchronous binding). +
+ ++ +These parameters are not mandatory to run SAML service, but can help to customize it: +
+idp
, for example: lemonldapidp
.+ +By default, the main session module is used to store SAML temporary data (like relay-states), but SAML sessions need to use a session module compatible with the sessions restrictions feature. +
+ ++This is not the case of Memcached for example. In this case, you can choose a different module to manage SAML sessions. +
+ ++
+ +
+The common domain is used by SAML SP to find an Identity Provider for the user, and by SAML IDP to register itself in user's IDP list. +
+ ++Configuration parameters are: +
++ +Configuration can be stored in several formats (SQL, File, LDAP) but must be shared over the network if you use more than 1 server. If some of your servers are not in the same (secured) network than the database, it is recommended to use SOAP access for those servers. +
+ ++
+Next, you have to configure the SOAP access as described here since SOAP access is denied by default. +
+ ++ +By default, the manager is restricted to localhost in its Apache configuration file, but no accounting is done. To change this, you can choose one of the following: +
++ +You can use any of the mechanisms proposed by Apache: SSL, Auth-Basic, Kerberos,… Example + +
+<VirtualHost *:443> + ServerName manager.example.com + # SSL parameters + ... + # DocumentRoot + DocumentRoot /var/lib/lemonldap-ng/manager/ + <Location /> + AuthType Basic + AuthName "Lemonldap::NG manager" + AuthUserFile /usr/local/apache/passwd/passwords + Require user rbowen + Order allow,deny + Deny from all + Allow from 192.168.142.0/24 + Options +ExecCGI + </Location> +</VirtualHost>+ +
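Review bot: the manager virtual host example combines `Order allow,deny` with `Deny from all` and `Allow from 192.168.142.0/24`; with allow,deny ordering a request that matches both Allow and Deny is denied, and `Deny from all` matches every request, so this Location denies everybody, including the intended subnet. The other examples in this change (the SOAP `/index.pl/config` Location) use the working form `Order deny,allow` / `Deny from all` / `Allow from ...`; the manager example should use the same. `Require user rbowen` reads like a copied example; a placeholder name would make clear that it must be replaced.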
+
+To protect the manager by LL::NG, you just have to set this in lemonldap-ng.ini
configuration file (section [manager]):
+
+
[manager] +protection = manager+ +
+
manager.your.domain
in the manager and set a rules, else access to the manager will be denied.
++ +Rules are applied in alphabetical order (comment and regular expression). The first rule that matches is applied. +
+ ++
+The Manager let you define comments in rules, to order them: +
+ + + ++For example, if these rules are used without comments: +
+Regular expression | Rule | Comment | +
---|---|---|
^/pub/admin/ | $uid eq “root” | + |
^/pub/ | accept | + |
+
+Then the second rule will be applied first, so every authenticated user will access to /pub/admin
directory.
+
+Use comment to correct this: +
+Regular expression | Rule | Comment | +
---|---|---|
^/pub/admin/ | $uid eq “root” | 1_pub | +
^/pub/ | accept | 2_admin | +
+ +
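Review bot: in the corrected rule table the comments are swapped relative to the rules they are meant to order: `^/pub/admin/` gets `1_pub` and `^/pub/` gets `2_admin`. The resulting order is right (the admin rule is evaluated first), but the labels say the opposite; suggest `1_admin` for `^/pub/admin/` and `2_pub` for `^/pub/`.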
+ +
+ +You can write rules matching any component of URL to protect including GET parameters, but be careful. +
+ +
+For example with this rule on the access
parameter:
+
Regular expression | Rule | Comment | +
---|---|---|
^/index.php\?.*access=admin | $groups =~ /\badmin\b/ | + |
default | accept | + |
+ +Then a user that try to access to one of the following will be granted ! +
++ +You can use the following rules instead: +
+Regular expression | Rule | Comment | +
---|---|---|
^/(?i)index.php\?.*access.*access | deny | 0_bad | +
^/(?i)index.php\?.*access=admin | $groups =~ /\badmin\b/ | 1_admin | +
default | accept | + |
+ +
+
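Review bot: in both GET-parameter rule tables the `.` in `index.php` is unescaped, so `^/index.php\?.*access=admin` matches any character in that position; for rules whose whole point is to be exact about the URL, write `index\.php`, as the tables already escape `?`. It would also help to state that the `0_bad` deny rule only protects against a duplicated `access` parameter because its comment orders it before `1_admin`, tying this example to the rule-ordering section above.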
+ +Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, LL::NG decode them using http://search.cpan.org/perldoc?Apache2::URI#unescape_url. So write your rules using normal characters. +
+ ++ +LL::NG can protect any Apache hosted application including Apache reverse-proxy mechanism. Example: +
+PerlOptions +GlobalRequest +PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm +<VirtualHost *:443> + SSLEngine On + ... other SSL parameters ... + PerlInitHandler My::Handler + ServerName appl1.example.com + ProxyPass / http://hiddenappl1.example.com/ + ProxyPassReverse / http://hiddenappl1.example.com/ + ProxyPassReverseCookieDomain / http://hiddenappl1.example.com/ +</VirtualHost>+ +
+See mod_proxy and mod_rewrite documentation for more about configuring Apache reverse-proxies. +
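Review bot: `ProxyPassReverseCookieDomain / http://hiddenappl1.example.com/` in the reverse-proxy example is not valid for that directive, which takes two domain names (internal domain, then public domain), not a path and a URL; for this example it would be `ProxyPassReverseCookieDomain hiddenappl1.example.com appl1.example.com`. As written, cookies set by the hidden application keep the internal domain and the browser never returns them to appl1.example.com.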
+ ++Such configuration can have some security problems: +
++ +It is recommended to secure the channel between reverse-proxies and application to be sure that only request coming from the LL::NG protected reverse-proxies are allowed. You can use one or a combination of: +
+
+
+Go in Manager, General parameters
» Advanced parameters
» Security
:
+
+ +Your application can know the connected user using: +
++ +To get more information on user (name, mail, etc.), you have to read HTTP headers. +
+ ++
+ +Examples with a configured header named 'Auth-User': +
+ +print "Connected user: ".$ENV{HTTP_AUTH_USER};+ +
print "Connected user: ".$_SERVER{HTTP_AUTH_USER};+ +
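Review bot: the second "Connected user" example is apparently the PHP counterpart of the Perl `$ENV{HTTP_AUTH_USER}` line, but `$_SERVER{HTTP_AUTH_USER}` is Perl hash syntax; in PHP it must be `$_SERVER['HTTP_AUTH_USER']`. Both examples would also benefit from the reminder given in the reverse-proxy section that a header such as Auth-User can only be trusted if the application is reachable solely through the LL::NG handler.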
+ +Using this feature, you don't have to use virtual host protection: protection is embedded in Lemonldap::NG::Handler::CGI. +
+ ++Lemonldap::NG::Handler::CGI adds some functions to CGI: +
++ +Example: +
+my $cgi = new CGI; +...+
my $cgi = Lemonldap::NG::Handler::CGI->new ({}); +$cgi->authenticate(); +$cgi->authorize(); +...+ +
+ +Then you can access to user datas + +
+# Get attributes (or macros) +my $cn = $cgi->user->{cn} + +# Test if user is member of a Lemonldap::NG group (or LDAP mapped group) +if( $cgi->group('admin') ) { + # special html code for admins +} +else { + # another HTML code +}+ +
+You can test any URL to see if it's protected using testUri(). It returns: +
+if($cgi->testUri('http://test3.example.com/') { + print '<a href="http://test3.example.com/">click here</a>'; +}+ +
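Review bot: the `testUri()` example has unbalanced parentheses: `if($cgi->testUri('http://test3.example.com/') {` is missing the closing `)` of the `if` condition and will not compile. In the preceding block, `my $cn = $cgi->user->{cn}` also lacks its terminating semicolon. Since readers copy these snippets, suggest fixing both.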
+ +LL::NG rely on a session mechanism with the session ID as a shared secret between the user (in SSO cookie) and the session database. +
+ +
+To configure sessions, go in Manager, General Parameters
» Sessions
:
+
+
+
+ +You can share your configuration over the network using SOAP proxy system. +
+ ++
portal-apache2.conf
, remote SOAP access is disabled by default. Change it:# SOAP functions for configuration access (disabled by default) +<Location /index.pl/config> + Order deny,allow + Deny from all + Allow from 192.168.2.0/24 +</Location>+ +
+ +Change configuration in lemonldap-ng.ini : + +
+type = SOAP +proxy = https://auth.example.com/index.pl/config+ +
+ +You can also add some other parameters + +
+User = lemonldap +Password = mypassword +# LWP::UserAgent parameters +proxyOptions = { timeout => 5 }+ +
+ +LL::NG use 2 internal databases to store its configuration and sessions. It can be configured to use SOAP instead of direct access to those databases (for remote servers). +
+ +Steps: +
++ +Steps: +
++ +Lemonldap::NG provides 2 SOAP servers : +
++ +SOAP functions are not accessible by network by default. SOAP functions are protected by Apache, you can change this in Apache portal configuration: +
+# SOAP functions for sessions management (disabled by default) + <Location /index.pl/adminSessions> + Order deny,allow + Allow from all + </Location> + + # SOAP functions for sessions access (disabled by default) + <Location /index.pl/sessions> + Order deny,allow + Allow from all + </Location> + + # SOAP functions for configuration access (disabled by default) + <Location /index.pl/config> + Order deny,allow + Allow from all + </Location> + + # SOAP functions for notification insertion (disabled by default) + <Location /index.pl/notification> + Order deny,allow + Allow from all + </Location>+ +
+
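Review bot: the SOAP Location example opens all four SOAP end points, including `/index.pl/adminSessions` (session administration) and `/index.pl/config` (configuration), with `Allow from all`, while the same end points are shown restricted to `192.168.2.0/24` in the configuration-sharing and SOAP-session-backend sections. Since the text says these functions are protected only by Apache, the example should show the restricted form (or an authentication requirement) and state explicitly that `Allow from all` exposes session administration and configuration to any host that can reach the portal.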
+ +
+ +When portal is installed, a file named portal.wsdl is created. It can be upgraded using buildPortalWSDL script. +
+ ++ +LL::NG portal provides SOAP end points for sessions management: +
++ +This session backend can be used to share sessions stored in a non-network backend (like file session backend) or in a network backend protected with a firewall that only accepts HTTP flows. +
+ ++Most of the time, SOAP session backend is used by Handlers installed on external servers. +
+ ++To configure it, SOAP session backend will be set trough Manager in global configuration (used by all Hanlders), and the real session backend will be configured for local components in lemonldap-ng.ini. +
+ +
+
+First, active SOAP in General parameters
» Advanced parameters
» SOAP
.
+
+Then, set Lemonldap::NG::Common::Apache::Session::SOAP
in General parameters
» Sessions
» Session storage
» Apache::Session module
and add the following parameters (case sensitive):
+
+
Required parameters | +||
---|---|---|
Name | Comment | Example | +
proxy | URL of sessions SOAP end point | http://auth.example.com/index.pl/sessions | +
+ +Sessions SOAP end points access must be allowed in Apache portal configuration (for example, access by IP range): +
+# SOAP functions for sessions management (disabled by default) +<Location /index.pl/adminSessions> + Order deny,allow + Deny from all + Allow from 192.168.2.0/24 +</Location> + +# SOAP functions for sessions access (disabled by default) +<Location /index.pl/sessions> + Order deny,allow + Deny from all + Allow from 192.168.2.0/24 +</Location>+ +
+
+Real session backend will be configured in lemonldap-ng.ini
, in portal
section (the portal hosts the SOAP service for sessions, and will do the link between SOAP requests and real sessions).
+
+For example, if real sessions are stored in files: +
+[portal] +globalStorage = Apache::Session::File +globalStorageOptions = { 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', }+ +
+
globalStorage
and globalStorageOptions
parameters in section all (and not portal) of lemonldap-ng.ini
.
++ +There is 3 types of SQL configuration backends for LemonLDAP::NG : +
+
+
+To use a SQL backend, configure your lemonldap-ng.ini
file (section configuration) :
+
dbiTable
parameter.+Example for MySQL : + +
+[configuration] +type = RDBI +dbiChain = DBI:mysql:database=lemonldap-ng;host=1.2.3.4 +dbiUser = lemonldap +dbiPassword = password +; optional +dbiTable = mytablename+ +
+CREATE TABLE lmConfig ( + cfgNum int(11) NOT NULL, + field varchar(255) NOT NULL DEFAULT '', + value longblob, + PRIMARY KEY (cfgNum,field) + ); ++ +
+CREATE TABLE lmConfig ( + cfgNum int not null primary key, + data longblob +); ++ +
+ +You have to grant read/write access for the manager component. Other components needs just a read access. You can also use the same user for all. +
+ ++
+ +
+MySQL example (suppose that our servers are in 10.0.0.0/24 network): + +
+GRANT SELECT,INSERT,UPDATE,LOCK TABLES ON lmConfig.* + TO lemonldap-ng@manager.host IDENTIFIED BY 'mypassword'; +GRANT SELECT ON lmConfig.* + TO lemonldap-ng-user@'10.0.0.%' IDENTIFIED BY 'myotherpassword';+ +
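Review bot: the GRANT example targets `lmConfig.*`, i.e. a database named lmConfig, whereas the configuration example above uses `dbiChain = DBI:mysql:database=lemonldap-ng` with lmConfig as the table; the grants should be on the lmConfig table of the lemonldap-ng database (the database name contains a hyphen and must be backtick-quoted in MySQL). The user names `lemonldap-ng@manager.host` and `lemonldap-ng-user@'10.0.0.%'` need quoting for the same reason. Also worth saying whether the manager needs DELETE, since the read/write sentence only translates to SELECT, INSERT, UPDATE and LOCK TABLES here.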
+ +SQL session backend can be used with many SQL databases such as: +
++ +Your database must have a specific table to host sessions. Here are some examples for main databases servers. +
+ ++ +Create a database if necessary: + +
++mysqladmin create lemonldapng ++ +
+Create sessions table: + +
+CREATE TABLE sessions ( + id char(32) NOT NULL PRIMARY KEY, + a_session blob + );+ +
+ +Create user and role: + +
++su - postgres +createuser lemonldap-ng -P ++
+Entrez le mot de passe pour le nouveau rôle : <PASSWORD> +Entrez-le de nouveau : <PASSWORD> +Le nouveau rôle est-il un super-utilisateur ? (o/n) n +Le nouveau rôle doit-il être autorisé à créer des bases de données ? (o/n) n +Le nouveau rôle doit-il être autorisé à créer de nouveaux rôles ? (o/n) n ++ +
+Create database: + +
++createdb -O lemonldap-ng lemonldap-ng ++ +
+Create table: + +
++psql -h 127.0.0.1 -U lemonldap-ng -W lemonldap-ng ++
+Mot de passe pour l'utilisateur lemonldap-ng : +[...] +lemonldap-ng=> create table sessions ( id char(32) not null primary key, a_session text ); +lemonldap-ng=> q ++ +
+
+Go in the Manager and set the session module (for example Apache::Session::Postgres for PostgreSQL) in General parameters
» Sessions
» Session storage
» Apache::Session module
and add the following parameters (case sensitive):
+
+
Required parameters | +||
---|---|---|
Name | Comment | Example | +
DataSource | The DBI string | dbi:Pg:dbname=sessions;host=10.2.3.1 | +
UserName | The database username | lemonldapng | +
Password | The database password | mysuperpassword | +
Commit | Required for PostgreSQL | 1 | +
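Review bot: the session-storage parameter table's examples `dbi:Pg:dbname=sessions;host=10.2.3.1` and UserName `lemonldapng` do not match the PostgreSQL set-up just above, which creates role and database `lemonldap-ng` (the MySQL step creates database `lemonldapng`); aligning the examples would avoid readers pointing the portal at a database the walkthrough never created.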
+ +You must read the man page corresponding to your database (Apache::Session::MySQL, …) to learn more about parameters. You must also install the database connector (DBD::Oracle, DBD::Pg,…) +
+ ++If you choose to use MySQL, read how to increase MySQL performances. +
+ ++ +Restrict network access to the database. +
+ +
+You can also use different user/password for your servers by overriding parameters globalStorage
and globalStorageOptions
in lemonldap-ng.ini file.
+
+ +The SSO cookie is build by the portal (as described in the login kinematic), or by the Handler for cross domain authentication (see CDA kinematic). +
+ +
+To edit SSO cookie parameters, go in Manager, General Parameters
> Cookies
:
+
+ +
+
+ +Portal URL is the address used to redirect users on the authentication portal by: +
++ +
+ +
+ + ++ +
+ + ++ +
+ + +Backend | Authentication | Users | Password | +
---|---|---|---|
LDAP (including Active Directory) | ✔ | ✔ | ✔ | +
Databases (DBI) | ✔ | ✔ | ✔ | +
Apache (Kerberos, NTLM, OTP, ...) | ✔ | + | |
SSL | ✔ | + | |
CAS | ✔ | + | |
OpenID | ✔ | ✔ | + |
✔ | + | ||
SAML 2.0 / Shibboleth | ✔ | ✔ | + |
Null | ✔ | ✔ | ✔ | +
Slave | ✔ | ✔ | ✔ | +
Proxy LL::NG | ✔ | ✔ | + |
Remote LL::NG | ✔ | ✔ | + |
Stack multiple backends | ✔ | ✔ | + |
Backend choice by users | ✔ | ✔ | ✔ | +
+ +
+ + ++LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one of the following: + +
+Backend | Shareable | Comment | +
---|---|---|
File configuration backend | Not shareable between servers except if used in conjunction with SOAP configuration backend or with a shared file system (NFS,…). Selected by default during installation. | +|
SQL configuration backend (called RDBI or CDBI) | ✔ | + |
LDAP configuration backend | ✔ | + |
SOAP configuration backend | ✔ | Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers. |
+
+ +
+ +
+ + ++Sessions are stored using Apache::Session modules family. All Apache::Session style modules are useable except for some features. + +
+Backend | Shareable | Session explorer | Session restrictions | Session expiration | Comment | +
---|---|---|---|---|---|
File | ✔ | ✔ | ✔ | Not shareable between servers except if used in conjunction with SOAP session backend or with a shared file system (NFS,…). Selected by default during installation. | +|
SQL | ✔ | ✔ | ✔ | ✔ | Unoptimized for session explorer and single session features. | +
LDAP | ✔ | ✔ | ✔ | ✔ | +|
Memcached | ✔ | Must be secured by network access control. | +|||
NoSQL (Redis) | ✔ | ✔ | ✔ | ✔ | The faster. Must be secured by network access control. | +
Browseable (SQL, Redis or LDAP) | ✔ | ✔ | ✔ | ✔ | Optimized for session explorer and single session features. | +
SOAP | ✔ | ✔ | ✔ | ✔ | Proxy backend to be used in conjunction with another session backend. Can be used to secure another backend for remote servers. |
+
+ +
+ + ++ +
+ +
+ +
+ + ++ +
+ + ++ +
+ + ++ +
+ + ++ +When status feature is activated, Handlers and portal will collect statistics and save them in their local cache. This means that if several Handlers are deployed, each will manage its own statistics. +
+ ++
+The statistics are collected trough a daemon launched by the Handler. It can be seen in system processes, for example: + +
++perl -MLemonldap::NG::Handler::Status -I/etc/perl -I/usr/local/lib/perl/5.10.1 -I/usr/local/share/perl/5.10.1 -I/usr/lib/perl5 -I/usr/share/perl5 -I/usr/lib/perl/5.10 -I/usr/share/perl/5.10 -I/usr/local/lib/site_perl -I. -I/etc/apache2 -e &Lemonldap::NG::Handler::Status::run(Cache::FileCache,{? 'cache_depth' => 5,? 'cache_root' => '/tmp',? 'directory_umask' => '007',? 'default_expires_in' => 600,? 'namespace' => 'MyNamespace'? }?); ++ +
+Statistics are displayed when calling the status path on an Handler (for example: http://test1.example.com/status). +
+ ++Example of status page: +
+ + + ++ +You need to give access to status path in the Handler Apache configuration: +
+# Uncomment this to activate status module + <Location /status> + Order deny,allow + Allow from 127.0.0.0/8 + PerlHeaderParserHandler My::Package->status + </Location>+ +
+Then restart Apache. +
+ ++
Allow
directive to match administration IP, or use another Apache protection mean.
+
+
+Edit lemonldap-ng.ini
, and activate status in the handler
section:
+
[handler] +# Set status to 1 if you want to have the report of activity (used for +# example to inform MRTG) +status = 1+ +
+Then restart Apache. +
+ ++ +
+
+ +Lemonldap::NG manage applications by their hostname (Apache's virtualHosts). Rules are used to protect applications, headers are HTTP headers added to the request to give datas to the application (for logs, profiles,…). +
+ ++
+ +A rule associates a regular expression to a Perl boolean expression or a keyword. +
+ + + ++Examples: + +
+Goal | Regular expression | Rule | +
---|---|---|
Restrict /admin/ directory to user bart.simpson | ^/admin/ | $uid eq "bart.simpson" | +
Restrict /js/ and /css/ directory to authenticated users | ^/(css|js)/ | accept | +
Deny access to /config/ directory | ^/config/ | deny | +
Authorize non authenticated users to access to /pub/ directory | ^/pub/ | unprotect | +
Restrict access to the whole site to users that have the LDAP description field set to “LDAP administrator” (must be set in exported variables) | default | $description eq "LDAP administrator" | +
+ +The “default” access rule is used if no other access rule match the current URL. +
+ ++
+ +
+Rules can also be used to intercept logout URL: + +
+Goal | Regular expression | Rule | +
---|---|---|
Logout user from Lemonldap::NG and redirect it to http://intranet/ | ^/index.php\?logout | logout_sso http://intranet/ | +
Logout user from current application and redirect it to the menu | ^/index.php\?logout | logout_app https://auth.example.com/ | +
Logout user from current application and from Lemonldap::NG and redirect it to http://intranet/ | ^/index.php\?logout | logout_app_sso http://intranet/ | +
+ +
+
+ +Headers are associations between an header name and a perl expression that returns a string. Headers are used to give user datas to the application. +
+ ++Examples: + +
+Goal | Header name | Header value | +
---|---|---|
Give the uid (for accounting) | Auth-User | $uid | +
Give a static value | Some-Thing | “static-value” | +
Give display name | Display-Name | $givenName.” ”.$surName | +
Give a non ascii data | Display-Name | encode_base64($givenName." ".$surName) | +
+ +As described in performances chapter, you can use macros, local macros,… +
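Review bot: the "non ascii data" header example `encode_base64($givenName." ".$surName)` will include a trailing newline, because MIME::Base64's encode_base64 appends "\n" unless an empty end-of-line string is passed as the second argument; a newline inside a header value is at best stripped and at worst splits the header. Suggest `encode_base64($givenName." ".$surName, '')` and a note that the application has to decode the value.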
+ ++
+ +
+
+Session-ID => $_session_id ++ +
+ + +
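Review bot: the `Session-ID => $_session_id` header example should carry a warning: the sessions section above describes the session ID as the shared secret between the user's SSO cookie and the session database, so sending it to an application gives that application (and anything that can read its logs) the ability to act as the user. Suggest saying when this header is needed at all and that it must only go to trusted applications over a secured channel.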