From 80b84613844c517a45c1d4e0b5a223b78db351dd Mon Sep 17 00:00:00 2001 
From: Xavier Guimard Date: Sun, 12 Dec 2010 21:29:56 +0000 Subject: [PATCH] Update trunk doc to 1.1 --- build/lemonldap-ng/Makefile | 2 +- .../lemonldap-ng/doc/index/alphabetical.html | 2 +- .../lemonldap-ng/doc/pages/documentation.html | 12 +- .../1.1/activedirectoryminihowto.html | 70 ++ .../pages/documentation/1.1/applications.html | 145 ++++ .../1.1/applications/authbasic.html | 100 +++ .../1.1/applications/bugzilla.html | 129 ++++ .../1.1/applications/dokuwiki.html | 125 ++++ .../1.1/applications/drupal.html | 159 +++++ .../1.1/applications/googleapps.html | 233 +++++++ .../1.1/applications/liferay.html | 199 ++++++ .../1.1/applications/mediawiki.html | 159 +++++ .../documentation/1.1/applications/obm.html | 330 +++++++++ .../1.1/applications/phpldapadmin.html | 108 +++ .../1.1/applications/spring.html | 78 +++ .../documentation/1.1/applications/sympa.html | 214 ++++++ .../1.1/applications/tomcat.html | 179 +++++ .../1.1/applications/zimbra.html | 153 +++++ .../pages/documentation/1.1/authapache.html | 230 +++++++ .../doc/pages/documentation/1.1/authcas.html | 166 +++++ .../pages/documentation/1.1/authchoice.html | 135 ++++ .../doc/pages/documentation/1.1/authdbi.html | 265 ++++++++ .../doc/pages/documentation/1.1/authldap.html | 305 +++++++++ .../pages/documentation/1.1/authmulti.html | 178 +++++ .../doc/pages/documentation/1.1/authnull.html | 78 +++ .../pages/documentation/1.1/authopenid.html | 128 ++++ .../pages/documentation/1.1/authproxy.html | 88 +++ .../pages/documentation/1.1/authremote.html | 179 +++++ .../doc/pages/documentation/1.1/authsaml.html | 284 ++++++++ .../pages/documentation/1.1/authslave.html | 90 +++ .../doc/pages/documentation/1.1/authssl.html | 189 +++++ .../pages/documentation/1.1/authtwitter.html | 84 +++ .../1.1/browseablesessionbackend.html | 108 +++ .../doc/pages/documentation/1.1/cda.html | 78 +++ .../documentation/1.1/changeconfbackend.html | 90 +++ .../documentation/1.1/configlocation.html | 511 ++++++++++++++ 
.../pages/documentation/1.1/configvhost.html | 182 +++++ .../documentation/1.1/customfunctions.html | 111 +++ .../doc/pages/documentation/1.1/error.html | 164 +++++ .../pages/documentation/1.1/exportedvars.html | 113 +++ .../documentation/1.1/extendedfunctions.html | 292 ++++++++ .../documentation/1.1/federationproxy.html | 69 ++ .../documentation/1.1/fileconfbackend.html | 62 ++ .../documentation/1.1/filesessionbackend.html | 72 ++ .../pages/documentation/1.1/formreplay.html | 159 +++++ .../1.1/header_remote_user_conversion.html | 86 +++ .../documentation/1.1/highavailability.html | 57 ++ .../doc/pages/documentation/1.1/idpcas.html | 117 ++++ .../pages/documentation/1.1/idpopenid.html | 197 ++++++ .../doc/pages/documentation/1.1/idpsaml.html | 234 +++++++ .../pages/documentation/1.1/installdeb.html | 268 ++++++++ .../pages/documentation/1.1/installrpm.html | 359 ++++++++++ .../documentation/1.1/installtarball.html | 318 +++++++++ .../documentation/1.1/ldapconfbackend.html | 142 ++++ .../documentation/1.1/ldapminihowto.html | 66 ++ .../documentation/1.1/ldapsessionbackend.html | 100 +++ .../documentation/1.1/logoutforward.html | 71 ++ .../doc/pages/documentation/1.1/logs.html | 101 +++ .../documentation/1.1/managerprotection.html | 136 ++++ .../1.1/memcachedsessionbackend.html | 80 +++ .../doc/pages/documentation/1.1/mrtg.html | 67 ++ .../documentation/1.1/mysqlminihowto.html | 72 ++ .../1.1/nosqlsessionbackend.html | 71 ++ .../documentation/1.1/notifications.html | 184 +++++ .../documentation/1.1/parameterlist.html | 552 +++++++++++++++ .../documentation/1.1/passwordstore.html | 88 +++ .../pages/documentation/1.1/performances.html | 261 +++++++ .../doc/pages/documentation/1.1/portal.html | 138 ++++ .../pages/documentation/1.1/portalcustom.html | 152 +++++ .../pages/documentation/1.1/portalmenu.html | 135 ++++ .../doc/pages/documentation/1.1/prereq.html | 226 ++++++ .../doc/pages/documentation/1.1/rbac.html | 192 ++++++ .../pages/documentation/1.1/redirections.html 
| 103 +++ .../documentation/1.1/resetpassword.html | 115 ++++ .../pages/documentation/1.1/samlservice.html | 643 ++++++++++++++++++ .../doc/pages/documentation/1.1/security.html | 333 +++++++++ .../1.1/selfmadeapplication.html | 149 ++++ .../doc/pages/documentation/1.1/sessions.html | 76 +++ .../documentation/1.1/soapconfbackend.html | 86 +++ .../documentation/1.1/soapminihowto.html | 70 ++ .../pages/documentation/1.1/soapservices.html | 128 ++++ .../documentation/1.1/soapsessionbackend.html | 130 ++++ .../documentation/1.1/sqlconfbackend.html | 142 ++++ .../documentation/1.1/sqlsessionbackend.html | 184 +++++ .../pages/documentation/1.1/ssocookie.html | 110 +++ .../doc/pages/documentation/1.1/start.html | 401 +++++++++++ .../doc/pages/documentation/1.1/status.html | 114 ++++ .../doc/pages/documentation/1.1/upgrade.html | 41 ++ .../1.1/writingrulesand_headers.html | 195 ++++++ .../doc/pages/documentation/latest | 2 +- build/lemonldap-ng/doc/pages/start.html | 2 +- 91 files changed, 14292 insertions(+), 9 deletions(-) create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/activedirectoryminihowto.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/authbasic.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/bugzilla.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/dokuwiki.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/drupal.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/googleapps.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/liferay.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/mediawiki.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/obm.html create mode 100644 
build/lemonldap-ng/doc/pages/documentation/1.1/applications/phpldapadmin.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/spring.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/sympa.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/tomcat.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/applications/zimbra.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authapache.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authcas.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authchoice.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authdbi.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authldap.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authmulti.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authnull.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authopenid.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authproxy.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authremote.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authsaml.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authslave.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authssl.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/authtwitter.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/browseablesessionbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/cda.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/changeconfbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/configlocation.html create mode 100644 
build/lemonldap-ng/doc/pages/documentation/1.1/configvhost.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/customfunctions.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/error.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/exportedvars.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/extendedfunctions.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/federationproxy.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/fileconfbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/filesessionbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/formreplay.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/header_remote_user_conversion.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/highavailability.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/idpcas.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/idpopenid.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/idpsaml.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/installdeb.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/installrpm.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/installtarball.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/ldapconfbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/ldapminihowto.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/ldapsessionbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/logoutforward.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/logs.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/managerprotection.html create mode 100644 
build/lemonldap-ng/doc/pages/documentation/1.1/memcachedsessionbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/mrtg.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/mysqlminihowto.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/nosqlsessionbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/notifications.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/parameterlist.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/passwordstore.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/performances.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/portal.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/portalcustom.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/portalmenu.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/prereq.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/rbac.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/redirections.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/resetpassword.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/samlservice.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/security.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/selfmadeapplication.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/sessions.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/soapconfbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/soapminihowto.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/soapservices.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/soapsessionbackend.html create mode 100644 
build/lemonldap-ng/doc/pages/documentation/1.1/sqlconfbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/sqlsessionbackend.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/ssocookie.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/start.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/status.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/upgrade.html create mode 100644 build/lemonldap-ng/doc/pages/documentation/1.1/writingrulesand_headers.html
diff --git a/build/lemonldap-ng/Makefile b/build/lemonldap-ng/Makefile
index 464b0f638..5fbaedd20 100644
--- a/build/lemonldap-ng/Makefile
+++ b/build/lemonldap-ng/Makefile
@@ -502,7 +502,7 @@ manager_cpan: manager_conf
 documentation:
 	@rm -f doc/pages/documentation/latest
 	@cd doc/ && ../scripts/doc.pl
-	@rm -rf doc/pages/documentation/latest doc/pages/wiki doc/pages/playground
+	@rm -rf doc/pages/documentation/{latest,1.0} doc/pages/wiki doc/pages/playground
 	@ln -s $$(perl -e '$$h{sprintf("%03d\.%03d\.%03d",split/\./,$$_)}=$$_ foreach(@ARGV); \
 	foreach(sort keys %h){$$last="$$h{$$_}\n"};print $$last;' \
 	$$(find doc/pages/documentation/ -maxdepth 1 -mindepth 1 -type d ! \
diff --git a/build/lemonldap-ng/doc/index/alphabetical.html b/build/lemonldap-ng/doc/index/alphabetical.html
index 6f856afe3..ef2b109d9 100644
--- a/build/lemonldap-ng/doc/index/alphabetical.html
+++ b/build/lemonldap-ng/doc/index/alphabetical.html
@@ -16,4 +16,4 @@ -
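Review bot: The brace expansion in the new `@rm -rf doc/pages/documentation/{latest,1.0} doc/pages/wiki doc/pages/playground` line is a bash feature, but make runs recipe lines with /bin/sh unless SHELL is set, and on Debian /bin/sh is dash, which does not expand braces; the command would then try to remove a literal `{latest,1.0}` entry and leave both `latest` and `1.0` in place, and because `rm -rf` does not complain about a missing path and the `@` prefix hides the command, the miss is silent. Unless a `SHELL := /bin/bash` assignment exists elsewhere in the Makefile, spell the paths out: `@rm -rf doc/pages/documentation/latest doc/pages/documentation/1.0 doc/pages/wiki doc/pages/playground`. Hard-coding `1.0` also means this recipe must be edited at every release that retires an old doc tree; a comment such as `# 1.0 docs are no longer published; drop that tree before the latest link is recomputed below` would record why the version is listed here. The `documentation` recipe continues past the end of the hunk.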

Alphabetical Index

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 

Back to main index

A

B

C

D

E

F

G

H

I

L

M

N

O

P

Q

R

S

T

U

W

Z




\ No newline at end of file +

Alphabetical Index

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 

Back to main index

A

B

C

D

E

F

G

H

I

L

M

N

O

P

Q

R

S

T

U

W

Z




\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation.html b/build/lemonldap-ng/doc/pages/documentation.html
index cf6217283..6953e5db8 100644
--- a/build/lemonldap-ng/doc/pages/documentation.html
+++ b/build/lemonldap-ng/doc/pages/documentation.html
@@ -60,7 +60,7 @@

-

+
@@ -68,6 +68,8 @@
- +

Development

@@ -114,7 +116,7 @@
- +

Translators

@@ -124,7 +126,7 @@ See translati

- +

Other

@@ -143,4 +145,4 @@ See translati
-
\ No newline at end of file +
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/activedirectoryminihowto.html b/build/lemonldap-ng/doc/pages/documentation/1.1/activedirectoryminihowto.html
new file mode 100644
index 000000000..507a66a7f
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/activedirectoryminihowto.html
@@ -0,0 +1,70 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Using Lemonldap::NG with Active-Directory

+
+ +
+ +

Using Active-Directory as authentication backend

+
+ +

+ +To use Active-Directory as LDAP backend, you must change few things in the manager : +

+
    +
  • Use “LDAP” as authentication and userDB backends,
    +
  • +
  • Configure authentication filter (“General Parameters » Authentication modules » LDAP parameters » Filters”) with:
    +
  • +
+
+(&(sAMAccountName=$user)(objectClass=person))
+
+
    +
  • Export sAMAccountName in a variable declared in exported variables
    +
  • +
  • Change the user attribute to store in Apache logs (“General Parameters » Logs » REMOTE_USER”): use the variable declared above
    +
  • +
+ +
+ +

Using Kerberos

+
+ +

+ +Two steps here: +

+
    +
  • Choose “Apache” as authentication module (“General Parameters » Authentication modules » Authentication module”)
    +
  • +
  • Configure the Apache server that host the portal
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications.html
new file mode 100644
index 000000000..eebb4fa48
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications.html
@@ -0,0 +1,145 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Applications

+
+ +
+ +

Known supported applications

+
+ +

+ +Applications listed bellow are known to be easy to integrate in LL::NG. As LL::NG works like classic WebSSO (like Siteminder™), many other applications are easy to integrate. +

+ +
+ +

Mail, Agenda, Groupware

+
+ + + + + + + +
OBM Sympa Zimbra
+ +
+ +

Wiki

+
+ + + + + + + +
Dokuwiki Mediawiki
+ +
+ +

CMS, Portal

+
+ + + + + + + +
Drupal Liferay
+ +
+ +

Bugtracker, Service Management

+
+ + + + + + + +
Bugzilla GLPI
+ +
+ +

Other

+
+ + + + + + + +
GRR phpLDAPadmin LinShare SAP
SAP
+ +
+ +

Connectors

+
+ + + + + + + + + + + + + +
HTTP Auth-Basic Spring (ACEGI) Tomcat
Some applications using it
Outlook Web App
+IBM Lotus iNotes
Probe
+Lutece
+ +
+ +

SAML connectors

+
+ +

+ +

This requires to configure LL::NG as an SAML Identity Provider. +

+ +

+ + + + + + + +
Google Apps Zimbra SAP
SAP
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/authbasic.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/authbasic.html
new file mode 100644
index 000000000..b7dee9975
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/authbasic.html
@@ -0,0 +1,100 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

HTTP Basic Authentication

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +Extract from the Wikipedia article: +

+ +

+

+In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request. +

+ +

+Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings “on the fly”. +

+

+ +

+So HTTP Basic Autentication is managed trough an HTTP header (Authorization), that can be forged by LL::NG, with this precautions: +

+
    +
  • Data should not contains accents or special characters, as HTTP protocol only allow ASCII values in header (but depending on the HTTP server, you can use ISO encoded values)
    +
  • +
  • You need to forward the password, which can be the user main password (if password is stored in session, or any user attribute (if you keep secondary passwords in users database).
    +
  • +
+ +
+ +

Configuration

+
+ +

+ +The Basic Authentication relies on a specific HTTP header, as described above. So you have just to declare this header for the virtual host in Manager. +

+ +

+For example, to forward login ($uid) and password ($_password if password is stored in session): + +

+
+Authorization => "Basic ".encode_base64("$uid:$_password")
+
+ +

+LL::NG provides a special function named basic to build this header. +

+ +

+So the above example can also be written like this: + +

+
+Authorization => basic($uid,$_password)
+
+ +

+

The basic function will also force conversion from UTF-8 to ISO-8859-1, which should be accepted by most of HTTP servers. +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/bugzilla.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/bugzilla.html
new file mode 100644
index 000000000..8bd19d8af
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/bugzilla.html
@@ -0,0 +1,129 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Bugzilla

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +Bugzilla is server software designed to help you manage software development. +

+ +

+Bugzilla can authenticate a user with HTTP headers, and auto-create its account with a few information: +

+
    +
  • User ID
    +
  • +
  • Email
    +
  • +
  • Real name
    +
  • +
+ +
+ +

Configuration

+
+ +
+ +

Bugzilla administration

+
+ +

+ +In Bugzilla administration interface, go in Parameters » User authentication +

+ +

+Then set: +

+
    +
  • auth_env_id: HTTP_AUTH_USER
    +
  • +
  • auth_env_email: HTTP_AUTH_MAIL
    +
  • +
  • auth_env_realname: HTTP_AUTH_CN
    +
  • +
  • user_info_class: Env or Env,CGI
    +
  • +
+ +
+ +

Bugzilla virtual host in Apache

+
+ +

+ +Configure Bugzilla virtual host like other protected virtual host. +

+
<VirtualHost *:80>
+       ServerName bugzilla.example.com
+ 
+       PerlHeaderParserHandler My::Package
+ 
+       ...
+ 
+</VirtualHost>
+ +
+ +

Bugzilla virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for Bugzilla. +

+ +

+Configure the access rules. +

+ +

+Configure the following headers. +

+
    +
  • Auth-User: $uid
    +
  • +
  • Auth-Mail: $mail
    +
  • +
  • Auth-Cn: $cn
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/dokuwiki.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/dokuwiki.html
new file mode 100644
index 000000000..d75fbbf3b
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/dokuwiki.html
@@ -0,0 +1,125 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Dokuwiki

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind. It is targeted at developer teams, workgroups and small companies. It has a simple but powerful syntax which makes sure the data files remain readable outside the Wiki and eases the creation of structured texts. All data is stored in plain text files – no database is required. +

+ +

+

LemonLDAP::NG wiki uses Dokuwiki! +

+

+ +

+You will need to install a Dokuwiki plugin, available on download page. The plugin will check the REMOTE_USER environment variable to get the connected user. +

+ +
+ +

Installation

+
+ +

+ +Download the plugin and copy the files in dokuwiki inc/auth/ directory: + +

+
+cp lemonldap.class.php inc/auth/
+cp lemonldapuserdatabackend.class.php inc/auth/
+
+ +
+ +

Configuration

+
+ +
+ +

Dokuwiki local configuration

+
+ +

+ +Edit Dokuwiki local configuration (conf/local.php) and set lemonldap as authentication type: +

+
$conf[authtype] = lemonldap;
+ +
+ +

Dokuwiki virtual host in Apache

+
+ +

+ +Configure Dokuwiki virtual host like other protected virtual host. +

+
<VirtualHost *:80>
+       ServerName dokuwiki.example.com
+ 
+       PerlHeaderParserHandler My::Package
+ 
+       ...
+ 
+</VirtualHost>
+ +

+

If you are protecting Dokuwiki with LL::NG as reverse proxy, convert header into REMOTE_USER environment variable. +

+

+ +
+ +

Dokuwiki virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for Dokuwiki. +

+ +

+Just configure the access rules. +

+ +

+If using LL::NG as reverse proxy, configure the Auth-User header, else no headers are needed. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/drupal.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/drupal.html
new file mode 100644
index 000000000..02f47519a
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/drupal.html
@@ -0,0 +1,159 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Drupal

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +Drupal is a CMS written in PHP. It can works with external modules to extends its functionalities. One of this module can be used to delegate authentication server to the web server: Webserver Auth. +

+ +
+ +

Installation

+
+ +

+ +Install Webserver Auth module, by downloading it, and unarchive it in the drupal modules/ directory. +

+ +
+ +

Configuration

+
+ +
+ +

Drupal module activation

+
+ +

+ +Go on Drupal administration interface and enable the Webserver Auth module. +

+ +
+ +

Drupal virtual host in Apache

+
+ +

+ +Configure Drupal virtual host like other protected virtual host. +

+
<VirtualHost *:80>
+       ServerName drupal.example.com
+ 
+       PerlHeaderParserHandler My::Package
+ 
+       ...
+ 
+</VirtualHost>
+ +

+

If you are protecting Drupal with LL::NG as reverse proxy, convert header into REMOTE_USER environment variable. +

+

+ +
+ +

Drupal virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for Drupal. +

+ +

+Just configure the access rules. +

+ +

+If using LL::NG as reverse proxy, configure the Auth-User header, else no headers are needed. +

+ +
+ +

Protect only the administration pages

+
+ +

+ +With the above solution, all the Drupal site will be protected, so no anonymous access will be allowed. +

+ +

+

You cannot use the unprotect rule because Drupal navigation is based on query strings (?q=admin, ?q=user, etc.), and unprotect rule only works on URL patterns. +

+

+ +

+You can create a special virtual host and use Apache rewrite module to switch between open and protected hosts: +

+
<VirtualHost *:80>
+    ServerName drupal.example.com
+ 
+    # DocumentRoot
+    DocumentRoot /var/www/html/drupal/
+    DirectoryIndex index.php
+ 
+    # Redirect admin pages
+    RewriteEngine On
+    RewriteCond  %{QUERY_STRING} q=(admin|user)
+    RewriteRule ^/(.*)$ http://admindrupal.example.com/$1 [R]
+ 
+    LogLevel warn
+    ErrorLog /var/log/httpd/drupal-error.log
+    CustomLog /var/log/httpd/drupal-access.log combined
+</VirtualHost>
+<VirtualHost *:80>
+    ServerName admindrupal.example.com
+ 
+    # SSO protection
+    PerlHeaderParserHandler My::Package
+ 
+    # DocumentRoot
+    DocumentRoot /var/www/html/drupal/
+    DirectoryIndex index.php
+ 
+    LogLevel warn
+    ErrorLog /var/log/httpd/admindrupal-error.log
+    CustomLog /var/log/httpd/admindrupal-access.log combined
+</VirtualHost>
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/googleapps.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/googleapps.html
new file mode 100644
index 000000000..ecb5f0e9c
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/googleapps.html
@@ -0,0 +1,233 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Google Apps

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +Google Apps can use SAML to authenticate users, behaving as an SAML service provider, as explained here. +

+ +

+To work with LL::NG it requires: +

+ + +
+ +

Configuration

+
+ +
+ +

Google Apps control panel

+
+ +

+ +

This part is based on SimpleSAMLPHP documentation. +

+

+ +

+As administrator, go in Google Apps control panel and click on Advanced tools: +

+ +

+ +

+ +

+Then select Set up single sign-on (SSO): +

+ +

+ +

+ +

+Now configure all SAML parameters: +

+ +

+ + +

+
    +
  • Enable Single Sign-On: check the box. Uncheck it to disable SAML authentication (for example, if your Identity Provider is down).
    +
  • +
  • Sign-in page URL: SSO access point (HTTP-Redirect binding). Example: http://auth.example.com/saml/singleSignOn
    +
  • +
  • Sign-out page URL: this in not the SLO access point (Google Apps does not support SLO), but the main logout page. Example: http://auth.example.com/?logout=1
    +
  • +
  • Change password URL: where users can change their password. Example: http://auth.example.com
    +
  • +
+ +
+ +

Certificate

+
+ +

+ +For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button Download this file): +

+ +

+ +

+ +

+After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk. +

+ +

+Then use openssl to generate an auto-signed certificate: + +

+
+openssl req -new -key lemonldap-ng-priv.key -out cert.csr
+openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem
+
+ +

+You can now the upload the certificate (cert.pem) on Google Apps. +

+ +
+ +

New Service Provider

+
+ +

+ +You should have configured LL::NG as an SAML Identity Provider, +

+ +

+Now we will add Google Apps as a new SAML Service Provider: +

+
    +
  1. In Manager, click on SAML service providers and the button New service provider.
    +
  2. +
  3. Set GoogleApps as Service Provider name.
    +
  4. +
  5. Set Email in Options » Authentication Response » Default NameID format
    +
  6. +
  7. Disable all signature flags in Options » Signature, except Sign SSO message which should be to On
    +
  8. +
  9. Select Metadata, and unprotect the field to paste the following value:
    +
  10. +
+
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/mydomain.org/acs" index="1" />
+    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
+  </SPSSODescriptor>
+</md:EntityDescriptor>
+ +

+

Change mydomain.org (in AssertionConsumerService markup, parameter Location) into your Google Apps domain. +

+

+ +
+ +

Application menu

+
+ +

+ +You can add a link in application menu to display Google Apps to users. +

+ +

+ +

+ +

+You need to adapt some parameters: +

+ + +

+ +

Change mydomain.org into your Google Apps domain +

+

+ +
+ +

Logout

+
+ +

+ +Google Apps does not support Single Logout (SLO). +

+ +

+Google Apps has a configuration parameter to redirect user on a specific URL after Google Apps logout (see Google Apps control panel). +

+ +

+To manage the other way (LL::NG → Google Apps), you can add a dedicated logout forward rule: + +

+
+GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
+
+ +

+

Change mydomain.org into your Google Apps domain +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/liferay.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/liferay.html
new file mode 100644
index 000000000..d86d4fe6c
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/liferay.html
@@ -0,0 +1,199 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Liferay

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +Liferay is an enterprise portal. +

+ +

+Liferay can use LL::NG as an SSO provider but you have to manage how users are created: +

+
    +
  • By hand in Liferay administration screens
    +
  • +
  • Imported from an LDAP directory
    +
  • +
+ +

+ +Of course, integration will be full if you use the LDAP directory as users backend for LL::NG and Liferay. +

+ +

+

If the user is not created, or can not be created via LDAP import, the connection to Liferay will be refused. With LDAP, login, mail, first name and last name are required attributes. If one is missing, the user is not created. +

+

+ +

+This documentation just explains how to set up the SSO part. Please refer to Liferay documentation to enable LDAP provisionning. +

+ +
+ +

Configuration

+
+ +
+ +

Liferay administration

+
+ +

+ +Access to Liferay (first time): +

+ +

+ +

+ +

+Login as administrator: +

+ +

+ +

+ +

+Go to My Account: +

+ +

+ +

+ +

+Go to Portal » Settings: +

+ +

+ +

+ +

+Go to Configuration » Authentication: +

+ +

+ +

+ +

+In General, fill at least the following information: +

+
    +
  • How do users authenticate?: by login
    +
  • +
+ +

+ +

We advice to deactivate other options, cause users will use LL::NG portal to modify or reset their password. +

+

+ +

+ +

+ +

+Then use the SiteMinder tab to configure SSO: +

+
    +
  • Enabled: Yes
    +
  • +
  • Import from LDAP: Yes (see presentation)
    +
  • +
  • User Header: Auth-User (case sensitive)
    +
  • +
+ +

+ + +

+ +

+

Do not forget to save your changes! +

+

+ +
+ +

Liferay virtual host in Apache

+
+ +

+ +Configure Liferay virtual host like other protected virtual host. +

+
<VirtualHost *:80>
+       ServerName liferay.example.com
+ 
+       PerlHeaderParserHandler My::Package
+ 
+       ...
+ 
+</VirtualHost>
+ +
+ +

Liferay virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for Liferay. +

+ +

+Just configure the access rules. You can add a rule for logout: + +

+
+ ^/c/portal/logout => logout_sso
+
+ +

+Configure the Auth-User header. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/mediawiki.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/mediawiki.html
new file mode 100644
index 000000000..5ed8e59cb
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/mediawiki.html
@@ -0,0 +1,159 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

MediaWiki

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +MediaWiki is a wiki software, used by the well known Wikipedia. +

+ +

+Several extensions allows to configure SSO on MediaWiki: +

+ + +

+ +We will explain how to use the latest: HTTP Auth. +

+ +
+ +

Installation

+
+ +

+ +The HTTP Auth extension is presented here: http://www.mediawiki.org/wiki/Extension:HttpAuth +

+ +

+You can download the code here: http://github.com/oremj/mediawiki-http-auth/downloads +

+ +

+You have to install HttpAuthPlugin.php in the extensions/ directory of your MediaWiki installation: + +

+
+cp HttpAuthPlugin.php extenstions/
+
+ +
+ +

Configuration

+
+ +
+ +

MediWiki local configuration

+
+ +

+ +Then edit MediaWiki local settings + +

+
+vi LocalSettings.php
+
+
session_start();
+ 
+$_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER'];
+ 
+if ((!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['REMOTE_USER'])) || $_COOKIE[$wgDBserver . 'UserID']) {
+        require_once("$IP/extensions/HttpAuthPlugin.php");
+        $wgAuth = new HttpAuthPlugin();
+        # For MediaWiki < 1.13
+        $wgHooks['AutoAuthenticate'][] = array($wgAuth,'autoAuthenticate');
+        # For MediaWiki >= 1.13
+        #$wgHooks['UserLoadFromSession'][] = array($wgAuth,'autoAuthenticate');
+}
+ +
+ +

MediaWiki virtual host in Apache

+
+ +

+ +Configure MediaWiki virtual host like other protected virtual host. +

+
<VirtualHost *:80>
+       ServerName mediawiki.example.com
+ 
+       PerlHeaderParserHandler My::Package
+ 
+       ...
+ 
+</VirtualHost>
+ +

+

If you are protecting MediaWiki with LL::NG as reverse proxy, convert header into REMOTE_USER environment variable. +

+

+ +
+ +

MediaWiki virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for MediaWiki. +

+ +

+Just configure the access rules. You can also add a rule for logout: + +

+
+Userlogout => logout_sso
+
+ +

+If using LL::NG as reverse proxy, configure the Auth-User header, else no headers are needed. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/obm.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/obm.html
new file mode 100644
index 000000000..44b0c10e2
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/obm.html
@@ -0,0 +1,330 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

OBM

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +OBM is enterprise-class messaging and collaboration platform for workgroup or enterprises with many thousands users. OBM includes Groupware, messaging server, CRM, LDAP, Windows Domain, smartphone and PDA synchronization… +

+ +

+OBM is shipped with a LL::NG plugin with these features: +

+
    +
  • SSO on OBM web interface
    +
  • +
  • Logout
    +
  • +
  • User provisioning (account auto creation at first connection)
    +
  • +
+ +
+ +

Configuration

+
+ +
+ +

OBM

+
+ +

+ +To enable LL::NG authentication plugin, go in /etc/obm/obm_conf.inc: +

+
$auth_kind = 'LemonLDAP';
+ 
+$lemonldap_config = Array(
+                "auto_update"           => true,
+                "auto_update_force_user" => true,
+                "auto_update_force_group" => false,
+                "url_logout"            => "https://OBMURL/logout",
+                "server_ip_address"     => "localhost",
+                "server_ip_check"       => false,
+                "debug_level"           => "NONE",
+//                "debug_header_name"     => "HTTP_OBM_UID",
+//                "group_header_name"     => "HTTP_OBM_GROUPS",
+                "headers_map"           => Array(
+                        //"userobm_gid"                   => "HTTP_OBM_GID",
+                        //"userobm_domain_id"           => ,
+                        "userobm_login"                 => "HTTP_OBM_UID",
+                        "userobm_password"              => "HTTP_OBM_USERPASSWORD",
+                        //"userobm_password_type"       => ,
+                        "userobm_perms"                 => "HTTP_OBM_PERMS",
+                        //"userobm_kind"                => ,
+                        "userobm_lastname"              => "HTTP_OBM_SN",
+                        "userobm_firstname"             => "HTTP_OBM_GIVENNAME",
+//                        "userobm_title"                 => "HTTP_OBM_TITLE",
+                        "userobm_email"                 => "HTTP_OBM_MAIL",
+                        "userobm_datebegin"             => "HTTP_OBM_DATEBEGIN",
+                        //"userobm_account_dateexp"     => ,
+                        //"userobm_delegation_target"   => ,
+                        //"userobm_delegation"          => ,
+                        "userobm_description"           => "HTTP_OBM_DESCRIPTION",
+                        //"userobm_archive"             => ,
+                        //"userobm_hidden"              => ,
+                        //"userobm_status"              => ,
+                        //"userobm_local"               => ,
+                        //"userobm_photo_id"            => ,
+                        "userobm_phone"                 => "HTTP_OBM_TELEPHONENUMBER",
+                        //"userobom_phone2"             => ,
+                        //"userobm_mobile"              => ,
+                        "userobm_fax"                   => "HTTP_OBM_FACSIMILETELEPHONENUMBER",
+                        //"userobm_fax2"                => ,
+                        "userobm_company"               => "HTTP_OBM_O",
+                        //"userobm_direction"           => ,
+                        "userobm_service"               => "HTTP_OBM_OU",
+                        "userobm_address1"              => "HTTP_OBM_POSTALADDRESS",
+                        //"userobm_address2"            => ,
+                        //"userobm_address3"            => ,
+                        "userobm_zipcode"               => "HTTP_OBM_POSTALCODE",
+                        "userobm_town"                  => "HTTP_OBM_L",
+                        "userobm_zipcode"               => "HTTP_OBM_POSTALCODE",
+                        "userobm_town"                  => "HTTP_OBM_L",
+                        //"userobm_expresspostal"       => ,
+                        //"userobm_host_id"             => ,
+                        //"userobm_web_perms"           => ,
+                        //"userobm_web_list"            => ,
+                        //"userobm_web_all"             => ,
+                        //"userobm_mail_perms"          => ,
+                        //"userobm_mail_ext_perms"      => ,
+                        //"userobm_mail_server_id"      => ,
+                        //"userobm_mail_server_hostname" => ,
+                        "userobm_mail_quota"            => "HTTP_OBM_MAILQUOTA",
+                        //"userobm_nomade_perms"        => ,
+                        //"userobm_nomade_enable"       => ,
+                        //"userobm_nomade_local_copy"   => ,
+                        //"userobm_email_nomade"        => ,
+                        //"userobm_vacation_enable"     => ,
+                        //"userobm_vacation_datebegin"  => ,
+                        //"userobm_vacation_dateend"    => ,
+                        //"userobm_vacation_message"    => ,
+                        //"userobm_samba_perms"         => ,
+                        //"userobm_samba_home"          => ,
+                        //"userobm_samba_home_drive"    => ,
+                        //"userobm_samba_logon_script"  => ,
+                        // ---- Unused values ? ----
+                        "userobm_ext_id"                => "HTTP_OBM_SERIALNUMBER",
+                        //"userobm_system"              => ,
+                        //"userobm_nomade_datebegin"    => ,
+                        //"userobm_nomade_dateend"      => ,
+                        //"userobm_location"            => ,
+                        //"userobm_education"           => ,
+                        ),
+        );
+ +

+Parameters: +

+
    +
  • url_logout: URL used by OBM to logout, will be caught by LL::NG
    +
  • +
  • headers_map: map OBM internal field to LL::NG header
    +
  • +
+ +

+ +Edit also OBM Apache configuration to enable LL::NG Handler: +

+
<VirtualHost *:80>
+    ServerName obm.example.com
+ 
+    # SSO protection
+    PerlHeaderParserHandler My::Package
+ 
+    DocumentRoot /usr/share/obm/php
+ 
+    ...
+ 
+</VirtualHost>
+ +

+

OBM Apache configuration must be loaded after LL::NG Apache configuration. +

+

+ +
+ +

LL::NG

+
+ +
+ +

Attributes and macros

+
+ +

+ +You will need to collect all attributes needed to create a user in OBM, this includes: +

+
    +
  • First name
    +
  • +
  • Last name
    +
  • +
  • Login
    +
  • +
  • Mail
    +
  • +
  • +
  • +
+ +

+ +To add these attributes, go in Manager, Variables » Exported Variables. +

+ +

+

If you plan to forward user's password to OBM, then you have to keep the password in session. +

+

+ +

+You may also create these macros to manage OBM administrator account (Variables » Macros): +

+ + + + + + + + + + +
field value
uidR ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid
mailR ($uid =~ /^admin0/i)[0] ? "" : ($mail =~ /^([^@]+)/)[0] . "\@example.com"
+ +
+ +

Virtual host

+
+ +

+ +Create OBM virtual host (for example obm.example.com) in LL::NG configuration: Virtual Hosts » New virtual host. +

+ +

+Then edit rules and headers. +

+ +
+ +
Rules
+
+ +

+ +Define at least: +

+
    +
  • Default rule: who can access to the application
    +
  • +
  • Logout rule: catch OBM logout
    +
  • +
  • Exceptions: allow anonymous access for specific URLs (connectors, etc.)
    +
  • +
+ + + + + + + + + + + + + + + + + + + + + + +
field value
^/logoutlogout_sso
^/obm-syncunprotect
^/minigunprotect
^/Microsoft-Server-ActiveSyncunprotect
^/caldavunprotect
defaultaccept (or whatever you want)
+ +
+ +
Headers
+
+ +

+ +Define headers used in OBM mapping, for example: +

+ + + + + + + + + + + + + + + + + + + +
field valeur
OBM_GIVENNAME$givenName
OBM_GROUPS$groups
OBM_UID$uidR
OBM_MAIL$mailR
OBM_USERPASSWORD$_password
+ +
+ +

Other

+
+ +

+ +Do not forget to add OBM in applications menu. + +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/phpldapadmin.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/phpldapadmin.html
new file mode 100644
index 000000000..ea3f880f7
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/phpldapadmin.html
@@ -0,0 +1,108 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

phpLDAPadmin

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +phpLDAPadmin is an LDAP administration tool written in PHP. +

+ +

+phpLDAPadmin will connect to the directory with a static DN and password, and so will not request authentication anymore. The access to phpLDAPadmin will be protected by LemonLDAP::NG with specific access rules. +

+ +

+

phpLDAPadmin will have no idea of the user connected to the WebSSO. So a simple user can have admin rights on the LDAP directory if your access rules are too lazy. +

+

+ +
+ +

Configuration

+
+ +
+ +

phpLDAPadmin local configuration

+
+ +

+ +Just set the authentication type to config and indicate DN and password inside the file config.php: +

+
$ldapservers->SetValue($i,'server','auth_type','config');
+$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=com');
+$ldapservers->SetValue($i,'login','pass','secret');
+ +
+ +

phpLDAPadmin virtual host in Apache

+
+ +

+ +Configure phpLDAPadmin virtual host like other protected virtual host. +

+
<VirtualHost *:80>
+       ServerName phpldapadmin.example.com
+ 
+       PerlHeaderParserHandler My::Package
+ 
+       ...
+ 
+</VirtualHost>
+ +
+ +

phpLDAPadmin virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for phpLDAPadmin. +

+ +

+Just configure the access rules. +

+ +

+No headers are required. + +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/spring.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/spring.html
new file mode 100644
index 000000000..029fe4eac
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/spring.html
@@ -0,0 +1,78 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Spring Security (ACEGI)

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+Spring Security is the new ACEGI name. This is a well known security framework for J2EE applications. +

+ +

+Spring Security provides a default pre-authentication mechanism that can be used to connect your J2EE application to LL::NG. +

+ +
+ +

Configuration

+
+ +

+ +You can find all suitable information here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html +

+ +

+To summarize, to get the user connected trough the Auth-User HTTP Header, use this Sping Security configuration: +

+
<bean id="LemonLDAPNGFilter" class=
+"org.springframework.security.web.authentication.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
+    <security:custom-filter position="PRE_AUTH_FILTER" />
+    <property name="principalRequestHeader" value="Auth-User"/>
+    <property name="authenticationManager" ref="authenticationManager" />
+</bean>
+ 
+<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
+  <security:custom-authentication-provider />
+    <property name="preAuthenticatedUserDetailsService">
+    <bean id="userDetailsServiceWrapper" class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
+      <property name="userDetailsService" ref="userDetailsService"/>
+    </bean>
+  </property>
+</bean>
+ 
+<security:authentication-manager alias="authenticationManager" />
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/sympa.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/sympa.html
new file mode 100644
index 000000000..a13645330
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/sympa.html
@@ -0,0 +1,214 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Sympa

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +Sympa is a mailing list manager. +

+ +

+There are two ways to configure SSO with Sympa: +

+
    +
  • Auto login: a special LL::NG Handler will generate Sympa cookie
    +
  • +
  • Magic authentication: a special SSO URL is protected by LL::NG, Sympa will display a button for users who wants to use this feature.
    +
  • +
+ +

+ +

+How to choose? Here are some advices: +

+
    +
  • Auto login is very secure, as Sympa cookie is only exchanged between LL::NG Handler and Sympa (user cannot see it)
    +
  • +
  • Magic authentication allows to mix standard Sympa authentication and SSO
    +
  • +
+ +

+ +

+

+ +
+ +

Configuration

+
+ +

+ +Choose one of the following method: +

+ +
+ +

Auto login

+
+ +
+ +

Sympa virtual host in Apache

+
+ +

+ +Configure Sympa virtual host like other protected virtual host but use Sympa Handler instead of default Handler. +

+
<VirtualHost *:80>
+       ServerName sympa.example.com
+ 
+       # Load Sympa Handler
+       PerlRequire __HANDLERDIR__/MyHandlerSympa.pm
+       PerlHeaderParserHandler My::Sympa
+ 
+       ...
+ 
+</VirtualHost>
+ +
+ +

Sympa virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for Sympa. +

+ +

+Just configure the access rules. +

+ +
+ +

Sympa Handler parameters

+
+ +

+ +Go in Manager, Default parameters » Advanced parameters » Special handlers » Sympa, and edit the different keys: +

+
    +
  • Shared key: correspond to the cookie parameter of sympa.conf
    +
  • +
  • Mail session key: session field where to find user mail (by default: mail)
    +
  • +
+ +
+ +

Magic authentication

+
+ +
+ +

Sympa configuration

+
+ +

+ +Edit the file “auth.conf”, for example: + +

+
+vi /etc/sympa/auth.conf
+
+ +

+And fill it: + +

+
+generic_sso
+        service_name                   LemonLDAP::NG
+        service_id                          lemonldapng
+        email_http_header            HTTP_MAIL
+        netid_http_header             HTTP_AUTH_USER
+        internal_email_by_netid    1
+        logout_url                          http://sympa.example.com/wws/logout
+
+ +
+ +

Sympa virtual host in Apache

+
+ +

+ +Configure Sympa virtual host like other protected virtual host but protect only magic authentication URL. +

+
<VirtualHost *:80>
+       ServerName sympa.example.com
+ 
+       <Location /wws/sso_login/lemonldapng>
+       PerlHeaderParserHandler My::Package
+       </Location>
+ 
+       ...
+ 
+</VirtualHost>
+ +

+

The location URL is based on the service_id defined in Sympa apache configuration. +

+

+ +
+ +

Sympa virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for Sympa. +

+ +

+Configure the access rules and define the following headers: +

+
    +
  • Auth-User
    +
  • +
  • Mail
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/tomcat.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/tomcat.html
new file mode 100644
index 000000000..69e7784cb
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/tomcat.html
@@ -0,0 +1,179 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Apache Tomcat

+
+ +

+ + +

+ +

+

The Tomcat Valve is only available for tomcat 5.5 or greater. +

+

+ +
+ +

Presentation

+
+ +

+ +Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. +

+ +

+As J2EE servlet container, Tomcat provides standard security feature, like authentication: the application deployed in Tomcat can delegate its authentication to Tomcat. +

+ +

+By default, Tomcat provides a file called users.xml to manage authentication: + +

+
<?xml version='1.0' encoding='utf-8'?>
+<tomcat-users>
+  <role rolename="tomcat"/>
+  <role rolename="role1"/>
+  <user username="tomcat" password="tomcat" roles="tomcat"/>
+  <user username="role1" password="tomcat" roles="role1"/>
+  <user username="both" password="tomcat" roles="tomcat,role1"/>
+</tomcat-users>
+ +

+LL::NG provides a valve, available on download page. This valve will check an HTTP header to set the authenticated user on the J2EE container. +

+ +
+ +

Installation

+
+ +

+ +Copy ValveLemonLDAPNG.jar in <TOMCAT_HOME>/server/lib: + +

+
+cp ValveLemonLDAPNG.jar server/lib/
+
+ +

+

+

+ +
+ +

Configuration

+
+ +

+ +Add on your server.xml file a new valve entry like this (in host section): + +

+
<Valve className="org.lemonLDAPNG.SSOValve" userKey="AUTH-USER" roleKey="AUTH-ROLE" roleSeparator="," allows="127.0.0.1"/>
+ +

+Configure attributes: +

+
    +
  • userKey: key in the HTTP header containing user login.
    +
  • +
  • roleKey: key in the HTTP header containing roles. If LL::NG send some roles split by some commas, configure roleSeparator.
    +
  • +
  • roleSeparator (optional): role values separator.
    +
  • +
  • allows (optional): Define allowed remote IP (use ”,” separator for multiple IP). Just set the LL::NG Handler IP on this attribute in order to add more security. If this attribute is missed all hosts are allowed.
    +
  • +
  • passThrough (optional): Allow anonymous access or not. When it takes “false”, HTTP headers have to be sent by LL::NG to make authentication. So, if the user is not recognized or HTTP headers not present, a 403 error is sent.
    +
  • +
+ +

+ +

For debugging, this valve can print some helpful information in debug level. See how configure logging in Tomcat . +

+

+ +
+ +

Compilation

+
+ +

+ +The sources are available on download page. +

+ +

+Required : +

+
    +
  • ant
    +
  • +
  • jre > 1.4
    +
  • +
  • tomcat >= 5.5
    +
  • +
+ +

+ +Configure your tomcat home in build.properties files. +

+ +

+

+Be careful for Windows user, path must contains ”/”. Example: + +

+
+c:/my hardisk/tomcat/
+
+ +

+ + +

+

+ +

+Next run ant command: + +

+
+ant
+
+ +

+ValveLemonLDAPNG.jar is created under /dist directory. + +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/applications/zimbra.html b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/zimbra.html
new file mode 100644
index 000000000..57a92f0ad
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/applications/zimbra.html
@@ -0,0 +1,153 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Zimbra

+
+ +

+ + +

+ +
+ +

Presentation

+
+ +

+ +Zimbra is open source server software for email and collaboration - email, group calendar, contacts, instant messaging, file storage and web document management. The Zimbra email and calendar server is available for Linux, Mac OS X and virtualization platforms. Zimbra syncs to smartphones (iPhone, BlackBerry) and desktop clients like Outlook and Thunderbird. Zimbra also features archiving and discovery for compliance. Zimbra can be deployed on-premises or as a hosted email solution. +

+ +

+Zimbra use a specific preauthentication protocol to provide SSO on its application. This protocol is implementated in an LL::NG specific Handler. +

+ +

+

Zimbra can also be connected to LL::NG via SAML protocol (see Zimbra blog). +

+

+ +
+ +

Configuration

+
+ +

+ +The integration with LL::NG is the following: +

+
    +
  • A special URL is declared in application menu (like http://zimbra.example.com/zimbrasso)
    +
  • +
  • A Zimbra Handler is called
    +
  • +
  • Handler build the preauth request and redirect user on Zimbra preauth URL
    +
  • +
  • Then Zimbra do the SSO by setting a cookie in user's browser
    +
  • +
+ +
+ +

Zimbra preauth key

+
+ +

+ +You need to get a preauth key from Zimbra server. +

+ +

+See how to do this on Zimbra wiki. +

+ +
+ +

Zimbra application in menu

+
+ +

+ +Choose for example http://zimbra.example.com/zimbrasso as SSO URL and set it in application menu. +

+ +
+ +

Zimbra virtual host in Apache

+
+ +

+ +You will configure Zimbra virtual host like other protected virtual host but you will use Zimbra Handler instead of default Handler. +

+
<VirtualHost *>
+        ServerName zimbra.example.com
+ 
+       # Load Zimbra Handler
+       PerlRequire __HANDLERDIR__/MyHandlerZimbra.pm
+       PerlHeaderParserHandler My::Zimbra
+ 
+       ...
+ 
+</VirtualHost>
+ +
+ +

Zimbra virtual host in Manager

+
+ +

+ +Go to the Manager and create a new virtual host for Zimbra. +

+ +

+Just configure the access rules. +

+ +
+ +

Zimbra Handler parameters

+
+ +

+ +Go in Manager, Default parameters » Advanced parameters » Special handlers » Zimbra, and edit the different keys: +

+
    +
  • Preauthentication key: the one you grab from zmprov command
    +
  • +
  • Account session key: session field used as Zimbra user account (by default: uid)
    +
  • +
  • Account type: for Zimbra this can be name, id or foreignKey (by default: id)
    +
  • +
  • Preauthentication URL: Zimbra preauthentication URL, either with full URL (ex: http://zimbra.lan/service/preauth), either only with path (ex: /service/preauth) (by default: /service/preauth)
    +
  • +
  • Local SSO URL pattern: regular expression to match the SSO URL (by default: ^/zimbrasso$)
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authapache.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authapache.html
new file mode 100644
index 000000000..d33da8967
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authapache.html
@@ -0,0 +1,230 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Apache

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG can delegate authentication to Apache, so it is possible to use any Apache authentication module, for example: +

+ + +

+ +

Apache authentication module will set the REMOTE_USER environment variable, which will be used by LL::NG to get authenticated user. +

+

+ +

+

This documentation will focus on Kerberos authentication module, that can allow for example to set transparent authentication for Active Directory users (as Active Directory is a Kerberos server). +

+

+ +

+The following sample parameters will be used: +

+
    +
  • EXAMPLE.COM: Kerberos realm
    +
  • +
  • HTTP: Service name
    +
  • +
  • auth.example.com: DNS of the portal
    +
  • +
  • ad.example.com: DNS of Active Directory
    +
  • +
  • cn=ssokerberos,cn=users,dc=example,dc=com: DN of AD technical account
    +
  • +
  • complicatedpassword: Password of AD technical account
    +
  • +
+ +
+ +

Configuration

+
+ +
+ +

Apache Kerberos module

+
+ +

+ +The module can be found here. +

+ +

+On CentOS/RHEL: + +

+
yum install mod_auth_kerb
+ +

+On Debian/Ubuntu: + +

+
apt-get install libapache2-mod-auth-kerb
+ +

+The module must be loaded by Apache (LoadModule directive). +

+ +
+ +

Kerberos client for Linux

+
+ +

+ +Edit /etc/krb5.conf: +

+
+[libdefaults]
+ default_realm = EXAMPLE.COM
+
+[realms]
+ EXAMPLE.COM = {
+  kdc = ad.example.com
+  admin_server = ad.example.com
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM
+
+ +
+ +

Connection between Linux and Active Directory

+
+ +

+ +You have to run this command on Active Directory: +

+
+ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser EXAMPLE.COM\ssokerberos -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set +DesOnly -pass complicatedpassword -out c:\auth.keytab
+
+ +

+The file auth.keytab should then be copied (with a secure media) to the Linux server (for example in /etc/lemonldap-ng). +

+ +

+Then on Linux server: +

+
kinit HTTP/auth.example.com
+kvno HTTP/auth.example.com@EXAMPLE.COM
+klist -e
+kinit -k -t /etc/lemonldap-ng/auth.keytab HTTP/auth.example.com
+ +
+ +

Configuration of LemonLDAP::NG

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose Apache for authentication. +

+ +

+

You can then choose any other module for users and password. +

+

+ +

+You can also configure the authentication level for this module. +

+ +
+ +

Configuration of Apache virtual host

+
+ +

+ +Modify the portal virtual host: +

+
<VirtualHost *>
+    ServerName auth.example.com
+ 
+   DocumentRoot /var/lib/lemonldap-ng/portal/
+ 
+  <Directory /var/lib/lemonldap-ng/portal/>
+    Order allow,deny
+    Allow from all
+    Options +ExecCGI
+ 
+    <IfModule auth_kerb_module>
+      AuthType Kerberos
+      KrbMethodNegotiate On
+      KrbMethodK5Passwd Off
+      KrbAuthRealms EXAMPLE.COM
+      Krb5KeyTab /etc/lemonldap-ng/auth.keytab
+      KrbVerifyKDC Off
+      KrbServiceName HTTP
+      require valid-user
+    </IfModule>
+ 
+  </Directory>
+ 
+</VirtualHost>
+ +
+ +

Time to test

+
+ +

+ +Configure IE or Firefox to trust http://auth.example.com, and then it should work! + +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authcas.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authcas.html
new file mode 100644
index 000000000..f98b2c138
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authcas.html
@@ -0,0 +1,166 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

CAS

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG can delegate authentication to a CAS server. This requires Perl CAS module. +

+ +

+

LL::NG can also act as CAS server, that allows to interconnect two LL::NG systems. +

+

+ +

+LL::NG can also request proxy tickets for its protected services. Proxy tickets will be collected at authentication phase and stored in user session under the form: +

+ +

+_casPTserviceID = Proxy ticket value +

+ +

+They can then be forwarded to applications trough HTTP headers. +

+ +

+

CAS authentication will automatically add a logout forward rule on CAS server logout URL in order to close CAS session on LL::NG logout. +

+

+ +
+ +

Perl-CAS module installation

+
+ +

+ +Download the latest version: + +

+
+wget https://sourcesup.cru.fr/frs/download.php/2476/AuthCAS-1.4.tar.gz
+
+ +

+Extract and build the module: + +

+
+tar zxvf AuthCAS-1.4.tar.gz 
+cd AuthCAS-1.4/
+perl Makefile.PL
+make
+make test
+
+ +

+Install the module: + +

+
+sudo make install
+
+ +
+ +

Configuration

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose CAS for authentication. +

+ +

+

You can then choose any other module for users and password. +

+

+ +

+Then, go in CAS parameters: +

+
    +
  • Authentication level: authentication level for this module.
    +
  • +
  • Server URL: CAS server URL (must use https://)
    +
  • +
  • CA file: CA certificate used to validate CAS server certificate
    +
  • +
  • Renew authentication: force authentication renewal on CAS server
    +
  • +
  • Gateways authentication: force transparent authentication on CAS server
    +
  • +
  • PGT file: temporary file where proxy tickets are stored (by default, /tmp/pgt.txt)
    +
  • +
  • Proxied services: list of services for which a proxy ticket is requested:
    +
      +
    • Key: Service ID
      +
    • +
    • Value Service URL (CAS service identifier)
      +
    • +
    +
  • +
+ +

+ +

If no proxied services defined, CAS authentication will not activate the CAS proxy mode. +

+

+ +

+

+If you activate proxy mode, you must create the PGT file on your system, for example: + +

+
+touch /tmp/pgt.txt
+
+ +

+ + +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authchoice.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authchoice.html
new file mode 100644
index 000000000..fb3266365
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authchoice.html
@@ -0,0 +1,135 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Backend choice by users

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +By default, only the configured authentication backend is available for users. +

+ +

+Contrary to multiple backend stacking, backend choice will present all available authentication methods to users, who will choose the one they want. +

+ +

+The choice will concern three backends: +

+
    +
  • Authentication
    +
  • +
  • Users
    +
  • +
  • Password
    +
  • +
+ +

+ +The choosen backends will be registered in session: +

+
    +
  • $_auth
    +
  • +
  • $_userDB
    +
  • +
  • $_passwordDB
    +
  • +
+ +

+ +Authentication choice will also be registered in session: +

+
    +
  • $_authChoice
    +
  • +
+ +
+ +

Configuration

+
+ +

+In Manager, go in General Parameters > Authentication modules and choose Choice for authentication. +

+ +

+

When Choice is selected for authentication, values for Users and Password modules are not used anymore. Also, all backends parameters are displayed. +

+

+ +

+Then, go in Choice Parameters: +

+
    +
  • URL parameter: parameter name used to set choice value (default: lmAuth)
    +
  • +
  • Allowed modules: click on New choice to add a choice.
    +
  • +
+ +

+ + +

+ +

+Define here: +

+
    +
  • Key name: Text displayed on choice tab.
    +
  • +
  • Authentication module
    +
  • +
  • User module
    +
  • +
  • Password module
    +
  • +
+ +

+ +

You can prefix the key name with a digit to order them. The digit will not be shown on portal page. +

+ +

+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authdbi.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authdbi.html new file mode 100644 index 000000000..f6580b0f0 --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authdbi.html @@ -0,0 +1,265 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Databases

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +
+ +

Drivers

+
+ +

+ +LL::NG can use a lot of databases as authentication, users and password backend: +

+
    +
  • MySQL
    +
  • +
  • PostGreSQL
    +
  • +
  • Oracle
    +
  • +
  • +
  • +
+ +

+ +Indeed, any Perl DBD driver can be used. +

+ +
+ +

Schema

+
+ +

+ +LL::NG can use two tables: +

+
    +
  • Authentication table: where login and password are stored
    +
  • +
  • User table: where user data are stored (mail, name, etc.)
    +
  • +
+ +

+ +

Authentication table and user table can be the same. +

+

+ +

+The password can be in plain text, or encoded with a standard SQL method: +

+
    +
  • SHA
    +
  • +
  • SHA1
    +
  • +
  • MD5
    +
  • +
+ +
+ +

Example 1: two tables

+
+ +
+ +
Authentication table
+
+ + + + + + + + + + + + + +
id login password
0 coudot 1f777a6581e478499f4284e54fe2d4a4e513dfff
1 xguimard a15a18c8bb17e6f67886a9af1898c018b9f5a072
2 tchemineau 1f777a6581e478499f4284e54fe2d4a4e513dfff
+ +
+ +
User table
+
+ + + + + + + + + + + + + +
id user name mail
0 coudot Clément OUDOT coudot@example.com
1 tchemineau Thomas CHEMINEAU tchemineau@example.com
2 xguimard Xavier GUIMARD xguimard@example.com
+ +
+ +

Example 2: single table

+
+ + + + + + + + + + + + + +
id user password name mail
0 coudot 1f777a6581e478499f4284e54fe2d4a4e513dfff Clément OUDOT coudot@example.com
1 tchemineau 1f777a6581e478499f4284e54fe2d4a4e513dfff Thomas CHEMINEAU tchemineau@example.com
2 xguimard a15a18c8bb17e6f67886a9af1898c018b9f5a072 Xavier GUIMARD xguimard@example.com
+ +
+ +

SQL

+
+ +

+ +LL::NG will operate some SQL queries: +

+
    +
  • Authentication: select row in authentication table matching user and password
    +
  • +
  • Search user: select row in user table matching user
    +
  • +
  • Change password: update password column in authentication table matching user
    +
  • +
+ +
+ +

Configuration

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose Database (DBI) for authentication, users and/or password modules. +

+ +
+ +

Authentication level

+
+ +

+ +The authentication level given to users authenticated with this module. +

+ +

+

+As DBI is a login/password based module, the authentication level can be: +

+
    +
  • increased (+1) if portal is protected by SSL (HTTPS)
    +
  • +
  • decreased (-1) if the portal autocompletion is allowed (see portal customization)
    +
  • +
+ +

+ +

+

+ +
+ +

Connection

+
+ +

+ +

Connection settings can be configured differently for authentication process and user process. This allows to use different databases for these process. By default, if user process connection settings are empty, authentication process connection settings will be used. +

+ +

+
    +
  • Chain: DBI chain, including database driver name and database name (for example: dbi:mysql:database=lemonldapng;host=localhost).
    +
  • +
  • User: Connection user
    +
  • +
  • Password: Connection password
    +
  • +
+ +
+ +

Schema

+
+
    +
  • Authentication table: authentication table name
    +
  • +
  • User table: user table name
    +
  • +
  • Login field name: name of authentication table column hosting login
    +
  • +
  • Password field name: name of authentication table column hosting password
    +
  • +
  • Mail field name: name of authentication table column hosting mail (for password reset)
    +
  • +
  • Login field name in user table: name of user table column hosting login
    +
  • +
+ +
+ +

Password

+
+
    +
  • Hash schema: SQL method for hashing password. Can be left blank for plain text passwords.
    +
  • +
+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authldap.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authldap.html new file mode 100644 index 000000000..88343478d --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authldap.html @@ -0,0 +1,305 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

LDAP

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG can use an LDAP directory to: +

+
    +
  • authenticate user
    +
  • +
  • get user attributes
    +
  • +
  • get groups where user is registered
    +
  • +
  • change password (with server side password policy management)
    +
  • +
+ +

+ +This works with every LDAP v2 or v3 server, including Active Directory. +

+ +

+LL::NG is compatible with LDAP password policy: +

+
    +
  • LDAP server can check password strength, and LL::NG portal will display correct errors (password too short, password in history, etc.)
    +
  • +
  • LDAP sever can block brute-force attacks, and LL::NG will display that account is locked
    +
  • +
  • LDAP server can force password change on first connection, and LL::NG portal will display a password change form before opening SSO session
    +
  • +
+ +
+ +

Configuration

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose LDAP for authentication, users and/or password modules. +

+ +
+ +

Authentication level

+
+ +

+ +The authentication level given to users authenticated with this module. +

+ +

+

+As LDAP is a login/password based module, the authentication level can be: +

+
    +
  • increased (+1) if portal is protected by SSL (HTTPS)
    +
  • +
  • decreased (-1) if the portal autocompletion is allowed (see portal customization)
    +
  • +
+ +

+ +

+

+ +
+ +

Connection

+
+
    +
  • Server host: LDAP server hostname or URI (by default: localhost). Accept some specificities:
    +
      +
    • More than one server can be set here separated by spaces or commas. They will be tested in the specified order.
      +
    • +
    • To use TLS, set ldap+tls://server and to use LDAPS, set ldaps://server instead of server name.
      +
    • +
    • If you use TLS, you can set any of the Net::LDAP start_tls() sub like ldap+tls://server/verify=none&capath=/etc/ssl. You can also use caFile and caPath parameters.
      +
    • +
    +
  • +
  • Server port: TCP port used by LDAP server. Can be overridden by an LDAP URI in server host.
    +
  • +
  • Users search base: Base of search in the LDAP directory.
    +
  • +
  • Account: DN used to connect to LDAP server. By default, anonymous bind is used.
    +
  • +
  • Password: password to used to connect to LDAP server. By default, anonymous bind is used.
    +
  • +
  • Timeout: server idle timeout.
    +
  • +
  • Version: LDAP protocol version.
    +
  • +
  • Binary attributes: regular expression matching binary attributes (see Net::LDAP documentation).
    +
  • +
+ +
+ +

Filters

+
+ +

+ +

In LDAP filters, $user is replaced by user login, and $mail by user email. +

+ +

+
    +
  • Default filter: default LDAP fitler for searches, should not be modified.
    +
  • +
  • Authentication filter: Filter to find user from its login (default: (&(uid=$user)(objectClass=inetOrgPerson)))
    +
  • +
  • Mail filter: Filter to find user from its mail (default: (&(mail=$mail)(objectClass=inetOrgPerson)))
    +
  • +
+ +

+ +

+For Active Directory, use this as authentication filter: + +

+
+(&(sAMAccountName=$user)(objectClass=person))
+
+ +

+ +And this as mail filter: + +

+
+(&(mail=$mail)(objectClass=person))
+
+ +

+ + +

+

+ +
+ +

Groups

+
+
    +
  • Search base: DN of groups branch. If no value, disable group searching.
    +
  • +
  • Object class: objectClass of the groups (default: groupOfNames).
    +
  • +
  • Target attribute: name of the attribute in the groups storing the link to the user (default: member).
    +
  • +
  • User source attribute: name of the attribute in users entries used in the link (default: dn).
    +
  • +
  • Searched attributes: name(s) of the attribute storing the name of the group, spaces separated (default: cn).
    +
  • +
  • Recursive: activate recursive group functionality (default: 0). If enabled, if the user group is a member of another group (group of groups), all parents groups will be stored as user's groups.
    +
  • +
  • Group source attribute: name of the attribute in groups entries used in the link, for recursive group search (default: dn).
    +
  • +
+ +
+ +

Password

+
+
    +
  • Password policy control: enable to use LDAP password policy. This requires at least Net::LDAP 0.38.
    +
  • +
  • Password modify extended operation: enable to use the LDAP extended operation password modify instead of standard modify operation.
    +
  • +
  • Change as user: enable to perform password modification with credentials of connected user. This requires to request user old password (see portal customization).
    +
  • +
  • LDAP password encoding: can allow to manage old LDAP servers using specific encoding for passwords (default: utf-8).
    +
  • +
+ +
+ +

Schema extension

+
+ +

+ +Standards attributes, like uid, cn or mail, are often enough to configure access rules and headers. +

+ +

+But sometimes other data are needed (in particular to use extended functions): +

+
    +
  • An application name (to allow access by applications and not by group of users)
    +
  • +
  • A start date and an end date (to open or close the service even the entry already exists)
    +
  • +
  • A time profile (allowed hours and day of the week)
    +
  • +
  • One or more roles (to send to the protected applications)
    +
  • +
+ +

+ +Of course, standard LDAP attributes can be used to store these data, but LL::NG also provides an LDAP schema extension to manage them. +

+ +
+ +

OID prefix

+
+ +

+Extended attributes and object classes use this prefix: 1.3.6.1.4.1.10943.10.2. +

+ +

+The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA (See http://www.iana.org/assignments/enterprise-numbers). +

+ +
+ +

OpenLDAP schema

+
+ +

+ +Just add this file to OpenLDAP schemas by including it in slapd.conf: + +

+
+include /usr/share/lemonldap-ng/ressources/sso.schema
+
+ +

+This will provide the auxiliary object class ssoUser with attributes: +

+
    +
  • ssoName
    +
  • +
  • ssoRoles
    +
  • +
  • ssoLogonHours
    +
  • +
  • ssoStartDate
    +
  • +
  • ssoEndDate
    +
  • +
+ +

+ +You can add this object class to any entry of your directory. +

+ +

+

To get attributes values in session, declare them in exported variables +

+ +

+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authmulti.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authmulti.html new file mode 100644 index 000000000..a9472c2df --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authmulti.html @@ -0,0 +1,178 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Stack multiple backends (AuthMulti)

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +This backend allows to chain authentication method, for example to failback to LDAP authentication if Remote authentication failed… +

+ +
+ +

Configuration

+
+ +

+ +You have to use “Multi” as authentication module. This scheme expect a parameter, which is the authentication chain. +

+ +

+For example: + +

+
+Multi CAS;LDAP
+
+ +

+If CAS failed, LDAP will be used. +

+ +

+You can also add a condition. Example: +

+
+Multi Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/'
+
+ +

+

If Multi is used for authentication and user database, it will try to use the same module. Example, if you have “DBI;LDAP” and DBI failed for authentication, Multi will try first to call LDAP as user database. +

+

+ +
+ +

Advanced configuration

+
+ +

+ +The “Multi” system can : +

+
    +
  • stack several times the same module with a different name
    +
  • +
  • overload any LL::NG parameter when a specific backend is used
    +
  • +
+ +

+ +

Overloading is not available trough the manager +

+

+ +

+To stack several times the same module, use ”#name” with different names. Example: + +

+
+Multi LDAP#Openldap; LDAP#ActiveDirectory
+
+ +

+Then you can have different parameters for each stored in a Perl hash entry named multi: + +

+
multi => {
+    'LDAP#Openldap' => {
+      ldapServer => 'ldap1.example.com',
+      LDAPFilter => '(uid=$user)',
+    },
+    'LDAP#ActiveDirectory' => {
+      ldapServer => 'ldaps://ad.example.com',
+      LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
+    }
+},
+ +

+This key must be stored directly in portal index.pl file or in lemonldap-ng.ini: +

+
    +
  • for index.pl, set it in new():
    +
  • +
+
my $portal = Lemonldap::NG::Portal::SharedConf->new({
+multi => {
+    'LDAP#Openldap' => {
+      ldapServer => 'ldap1.example.com',
+      LDAPFilter => '(uid=$user)',
+    },
+    'LDAP#ActiveDirectory' => {
+      ldapServer => 'ldaps://ad.example.com',
+      LDAPFilter => '(&(sAMAccountName=$user)(objectClass=person))',
+    }
+},
+})
+
    +
  • or to use lemonldap-ng.ini, install it (one line only) in [portal] section:
    +
  • +
+
[portal]
+multi = {'LDAP#Openldap'=>{ldapServer=>'ldap1.example.com',LDAPFilter=>'(uid=$user)'},'LDAP#ActiveDirectory'=>{ldapServer=>'ldaps://ad.example.com',LDAPFilter=>'(&(sAMAccountName=$user)(objectClass=person))'}}
+ +
+ +

Known problems

+
+ +
+ +

AuthApache authentication

+
+ +

+ +When using this module, LL::NG portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401. We're studying a future solution for this… +

+ +
+ +

SSL authentication

+
+ +

+ +To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only. + +

+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authnull.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authnull.html new file mode 100644 index 000000000..548af96ba --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authnull.html @@ -0,0 +1,78 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Null

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG Null backend is a transparent backend: +

+
    +
  • Authentication: will create session without prompting any credentials (but will register client IP and creation date)
    +
  • +
  • Users: will not collect any data (but you can still register environment variables in session)
    +
  • +
  • Password: will not change any password
    +
  • +
+ +

+ +You can use Null backend to bypass some authentication process steps. +

+ +
+ +

Configuration

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose Null for authentication, users or password module. +

+ +

+Then, go in Null parameters: +

+
    +
  • Authentication level: authentication level for this module.
    +
  • +
+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authopenid.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authopenid.html new file mode 100644 index 000000000..4fcf1a4b0 --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authopenid.html @@ -0,0 +1,128 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

OpenID

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG can delegate authentication to an OpenID server. This requires Perl OpenID consumer module with at least version 1.0. +

+ +

+

LL::NG can also act as OpenID server, that allows to interconnect two LL::NG systems. +

+

+ +

+LL::NG will then display a form with an OpenID input, wher users will type their OpenID login. +

+ +

+

OpenID authentication can proposed as an alternate authentication scheme using the authentication choice method. +

+

+ +

+LL::NG can use a white list or a black list to filter allowed OpenID domains. +

+ +

+If OpenID is used as users database, attributes will be requested to the server with SREG extention. +

+ +
+ +

Configuration

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose OpenID for authentication and/or users. +

+ +

+Then, go in OpenID parameters: +

+
    +
  • Authentication level: authentication level for this module.
    +
  • +
  • Secret token: used to check integrity of OpenID response.
    +
  • +
  • Authorizated domain:
    +
      +
    • List type: choose white list to define allowed domains or black list to define forbidden domains
      +
    • +
    • List: domains list (comma separated values)
      +
    • +
    +
  • +
+ +

+ +To configure requested attributes, go in Variables > Exported variables and define attributes: +

+
    +
  • Key: internal session key, can be prefixed by ! to make the attribute required
    +
  • +
  • Value: SREG attribute name:
    +
      +
    • fullname
      +
    • +
    • nickname
      +
    • +
    • language
      +
    • +
    • postcode
      +
    • +
    • timezone
      +
    • +
    • country
      +
    • +
    • gender
      +
    • +
    • email
      +
    • +
    • dob
      +
    • +
    +
  • +
+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authproxy.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authproxy.html new file mode 100644 index 000000000..585691621 --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authproxy.html @@ -0,0 +1,88 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Proxy

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG is able to transfer (trough SOAP) authentication credentials to another LL::NG portal, like a proxy. +

+ +

+The difference with remote authentication is that the client will never be redirect to the main LL::NG portal. This configuration is usable if you want to expose your internal SSO portal to another network (DMZ). +

+ +
+ +

Configuration

+
+ +
+ +

External portal

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose Proxy for authentication and users. +

+ +

+Then, go in Proxy parameters: +

+
    +
  • Portal URL: URL of internal portal
    +
  • +
  • Cookie name (optional): name of the cookie of internal portal, if different from external portal
    +
  • +
  • SOAP sessions end point (optional): SOAP end point, if not based on internal portal URL with index.pl/sessions suffix
    +
  • +
+ +
+ +

Internal portal

+
+ +

+ +The portal must be configured to accept SOAP authentication requests. See SOAP session backend documentation. +

+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authremote.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authremote.html new file mode 100644 index 000000000..0f8e18df5 --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authremote.html @@ -0,0 +1,179 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Remote

+
+ + + + + + + +
Authentication Users Password
+ +

+ +

This module is a LL::NG specific identity federation protocol. You may rather use standards protocols like SAML, OpenID or CAS. +

+

+ +
+ +

Presentation

+
+
    +
  • The main portal is configured to use CDA. The secondary portal is declared in the Manager of the main LL::NG structure (else user will be rejected).
    +
  • +
  • The portal of the secondary LL::NG structure is configured to delegate authentication to a remote portal. A request to the main session database is done (trough SOAP session backend) to be sure that the session exists.
    +
  • +
  • If exportedAttr is set, only those attributes are copied in the session database of the secondary LL::NG structure. Else, all data are copied in the session database.
    +
  • +
+ +

+ + + +

+
    +
  1. User tries to access to an application in the secondary LL::NG structure without having a session in this area
    +
  2. +
  3. Redirection to the portal of the secondary area (transparent)
    +
  4. +
  5. Redirection to the portal of the main area and normal authentication (if not done before)
    +
  6. +
  7. Redirection to the portal of the secondary area (transparent)
    +
  8. +
  9. Secondary portal check if remote session is available. It can be done via direct access to the session database or using SOAP access. Then it creates the session (with attribute filter)
    +
  10. +
  11. User can now access to the protected application
    +
  12. +
+ +

+ +

Note that if the user is already authenticated on the first portal, all redirections are transparent. +

+

+ +
+ +

Configuration

+
+ +
+ +

Main LL::NG structure

+
+ +

+ +Go in Manager, and: +

+
    +
  • activate CDA in General Parameters » Cookies » Multiple domains
    +
  • +
  • declare secondary portal in General Parameters » Advanced Parameters » Security » Trusted domains
    +
  • +
+ +
+ +

Secondary LL::NG structure

+
+ +

+ +Configure the portal to use the remote LL::NG structure. +

+ +

+In Manager, go in General Parameters » Authentication modules and choose Proxy for authentication and users. +

+ +

+Then, go in Remote parameters: +

+
    +
  • Portal URL: remote portal URL
    +
  • +
  • Cookie name (optional): name of the cookie of primary portal, if different from secondary portal
    +
  • +
  • Sessions module: set Lemonldap::NG::Common::Apache::Session::SOAP for SOAP session backend.
    +
  • +
  • Sessions module options:
    + +
  • +
+ +
+ +

Example: interoperability between 2 organizations

+
+ +

+ +Using this, we can do a very simple interoperability system between 2 organizations using two LL::NG structures: +

+
    +
  • each area has 2 portals:
    +
      +
    • One standard portal
      +
    • +
    • One remote portal that delegates authentication to the second organization (just an other file on the same server)
      +
    • +
    +
  • +
  • The normal portal has a link included in the authentication form pointing to the remote portal for the users of the other organization
    +
  • +
+ +

+ +So on each main portal, internal users can access normally, and users issued from the other organization have just to click on the link: +

+ +

+ + +

+
    +
  1. One user tries to access to the portal
    +
  2. +
  3. External user clicks to be redirected to the remote type portal
    +
  4. +
  5. After redirection, normal authentication in the remote portal
    +
  6. +
  7. Redirection to the remote type portal
    +
  8. +
  9. Validation of the session: external user has now a local session
    +
  10. +
+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authsaml.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authsaml.html new file mode 100644 index 000000000..4a763d394 --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authsaml.html @@ -0,0 +1,284 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

SAML

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG can use SAML2 to get user identity and grab some attributes defined in user profile on its Identity Provider (IDP). In this case, LL::NG acts like an SAML2 Service Provider (SP). +

+ +

+Several IDPs are allowed, in this case the user will choose the IDP he wants. You can preselect IDP with an IDP resolution rule. +

+ +

+For each IDP, you can configure attributes that are collected. Some can be mandatory, so if they are not returned by IDP, the session will not open. +

+ +

+

LL::NG can also act as SAML IDP, that allows to interconnect two LL::NG systems. +

+

+ +
+ +

Configuration

+
+ +
+ +

SAML Service

+
+ +

+ +See SAML service configuration chapter. +

+ +
+ +

Authentication and UserDB

+
+ +

+ +In General Parameters > Authentication modules, set: +

+
    +
  • Authentication module: SAML
    +
  • +
  • Users module: SAML
    +
  • +
+ +

+ +

As passwords will not be managed by LL::NG, you can disable menu password module. +

+

+ +
+ +

Register LemonLDAP::NG on partner Identity Provider

+
+ +

+ +After configuring SAML Service, you can export metadata to your partner Identity Provider. +

+ +

+They are available at the EntityID URL, by default: http://auth.example.com/saml/metadata. +

+ +
+ +

Register partner Identity Provider on LemonLDAP::NG

+
+ +

+ +In the Manager, select node SAML identity providers and click on New identity provider: +

+ +

+ +

+ +

+The IDP name is asked, enter it and click OK. +

+ +

+Now you have access to the IDP parameters list: +

+ +

+ +

+ +
+ +

Metadata

+
+ +

+ +You must register IDP metadata here. You can do it either by uploading the file, or get it from IDP metadata URL (this require a network link between your server and the IDP): +

+ +

+ +

+ +

+

You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value. +

+

+ +
+ +

Exported attributes

+
+ +

+ +For each attribute, you can set: +

+
    +
  • Key name: name of the key in LemonLDAP::NG session (for example “uid” will then be used as $uid in access rules)
    +
  • +
  • Mandatory: if set to On, then session will not open if this attribute is not given by IDP.
    +
  • +
  • Name: SAML attribute name.
    +
  • +
  • Friendly Name: optional, SAML attribute friendly name.
    +
  • +
  • Format (optional): SAML attribute format.
    +
  • +
+ +

+ + +

+ +
+ +

Options

+
+ +
+ +
General options
+
+
    +
  • Resolution Rule: rule that will be applied to preselect an IDP for a user. You have access to all environment variable, like user IP address.
    +
  • +
+ +

+ +For example, to preselect this IDP for users coming from 129.168.0.0/16 network: + +

+
+$ENV{REMOTE_ADDR} =~ /^192\.168/
+
+ +
+ +
Authentication request
+
+
    +
  • NameID format: force NameID format here (email, persistent, transient, etc.). If no value, will use first NameID Format activated in metadata.
    +
  • +
  • Force authentication: set ForceAuthn flag in authentication request
    +
  • +
  • Passive authentication: set IsPassive flag in authentication request
    +
  • +
  • Allow proxied authentication: allow an authentication response to be issued from another IDP that the one we register (proxy IDP). If you disallow this, you should also disallow direct login form IDP, because proxy restriction is set in authentication requests.
    +
  • +
  • Allow login from IDP: allow a user to connect directly from an IDP link. In this case, authentication is not a response to an issued authentication request, and we have less control on conditions.
    +
  • +
  • Requested authentication context: this context is declared in authentication request. When receiving the request, the real authentication context will be mapped ton an internal authentication level (see how configure the mapping), that you can check to allow or deny session creation.
    +
  • +
+ +
+ +
Session
+
+
    +
  • Adapt session lifetime: session lifetime will be adapted from SessionNotOnOrAfter value found in authentication response. It means that if the IDP propose to close session earlier than the default LemonLDAP::NG timeout, the session _utime will be modified so that session is erased at the date indicated by the IDP.
    +
  • +
  • Force UTF-8: this will force UTF-8 conversion of attributes values collected from IDP.
    +
  • +
+ +
+ +
Signature
+
+ +

+ +These options override service signature options (see SAML service configuration). +

+
    +
  • Sign SSO message: sign SSO message
    +
  • +
  • Check SSO message signature: check SSO message signature
    +
  • +
  • Sign SLO message: sign SLO message
    +
  • +
  • Check SLO message signature: check SLO message signature
    +
  • +
+ +
+ +
Binding
+
+
    +
  • SSO binding: force binding to use for SSO (http-redirect, http-post, etc.)
    +
  • +
  • SLO binding: force binding to use for SLO (http-redirect, http-post, etc.)
    +
  • +
+ +

+ +

If no binding defined, the default binding in IDP metadata will be used. +

+

+ +
+ +
Security
+
+
    +
  • Encryption mode: set the encryption mode for this IDP (None, NameID or Assertion).
    +
  • +
  • Check conditions: set to Off to disable conditions checking on authentication responses. Use with caution.
    +
  • +
+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authslave.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authslave.html new file mode 100644 index 000000000..09cab4c22 --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authslave.html @@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Slave

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG Slave backend is a transparent backend to used when LL::NG portal is protected by another SSO: +

+
    +
  • Authentication: will create session without prompting any credentials (but will register client IP and creation date)
    +
  • +
  • Users: collect datas transfered by HTTP headers by the main SSO system
    +
  • +
+ +
+ +

Configuration

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose Null for authentication, users or password module. +

+ +

+Then, go in Slave parameters: +

+
    +
  • Authentication level: authentication level for this module.
    +
  • +
  • User attribute: LL::NG key to use as $_user (see bellow)
    +
  • +
+ +

+ +You have then to declare HTTP headers exported by the main SSO in “Variable » Exported Variables”. Example: + +

+ + + + + + + + + + +
Key (LL::NG name) Value (HTTP header name)
uid Auth-User
mail User-Email
+ +
+
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authssl.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authssl.html new file mode 100644 index 000000000..c53066969 --- /dev/null +++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authssl.html @@ -0,0 +1,189 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

SSL

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +LL::NG uses Apache SSL module, like any other Apache authentication module, with extra features: +

+
    +
  • Choice of any certificate attribute as user main login
    +
  • +
  • Allow no certificate to chain with other authentication methods
    +
  • +
+ +
+ +

Configuration

+
+ +
+ +

Enable SSL in Apache

+
+ +

+ +You have to install mod_ssl for Apache. +

+ +

+For CentOS/RHEL: + +

+
yum install mod_ssl
+ +

+In Debian/Ubuntu mod_ssl is already shipped in apache2.2-common package. +

+ +

+

For CentOS/RHEL, We advice to disable the default SSL virtual host configured in /etc/httpd/conf.d/ssl.conf. +

+

+ +
+ +

Apache SSL global configuration

+
+ +

+ +You can then use this default SSL configuration, for example in the head of /etc/lemonldap-ng/portal-apache2.conf: +

+
SSLProtocol all -SSLv2
+SSLCipherSuite HIGH:MEDIUM
+SSLCertificateFile /etc/httpd/certs/ow2.cert
+SSLCertificateKeyFile /etc/httpd/certs/ow2.key
+SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
+ +

+

+Put your own files instead of ow2.cert, ow2.key, ow2-ca.cert: +

+
    +
  • SSLCertificateFile: Server certificate
    +
  • +
  • SSLCertificateKeyFile: Server private key
    +
  • +
  • SSLCACertificateFile: CA certificate to validate client certificates
    +
  • +
+ +

+ +

+

+ +

+If you specify port in virtual host, then declare SSL port: +

+
NameVirtualHost *:80
+NameVirtualHost *:443
+ +
+ +

Apache portal SSL configuration

+
+ +

+ +Edit the portal virtual host to enable SSL double authentication: +

+
SSLEngine On
+SSLVerifyClient optional
+SSLVerifyDepth 10
+SSLOptions +StdEnvVars
+SSLUserName SSL_CLIENT_S_DN_CN
+ +

+All SSL options are documented in Apache mod_ssl page. +

+ +

+Here are the main options used by LL::NG: +

+
    +
  • SSLVerifyClient: set to optional to allow user with a bad certificate to access to LL::NG portal page (to display error or use another authentication method)
    +
  • +
  • SSLOptions: set to +StdEnvVars to get certificate fields in environment variables
    +
  • +
  • SSLUserName (optional): certificate field that will be used to identify user in LL::NG portal virtual host
    +
  • +
+ +
+ +

Configuration of LemonLDAP::NG

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose SSL for authentication. +

+ +

+ +

You can then choose any other module for users and password. +

+

+ +

+Then, go in SSL parameters: +

+
    +
  • Authentication level: authentication level for this module
    +
  • +
  • Extracted certificate field: field of the certificate affected to $user internal variable
    +
  • +
  • LDAP attribute used in filter: attribute in LDAP directory to use in mapping
    +
  • +
  • SSL Required: if true, do not allow other authentication method if SSL certificate authentication fails (false by default).
    +
  • +
+ +

+ +

LDAP attribute used in filter is not required if you do not use LDAP users database. In this case, the extracted certificate field value will be used to match the user. +

+

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/authtwitter.html b/build/lemonldap-ng/doc/pages/documentation/1.1/authtwitter.html
new file mode 100644
index 000000000..741938356
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/authtwitter.html
@@ -0,0 +1,84 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Twitter

+
+ + + + + + + +
Authentication Users Password
+ +
+ +

Presentation

+
+ +

+ +Twitter is a famous short messaging server. Twitter use OAuth protocol to allow applications to reuse its own authentication process (it means, if your are connected to Twitter, other applications can trust Twitter and let you in). +

+ +

+You need Net::Twitter package, with a very recent version (>3). +

+ +

+You need to register a new application on Twitter to get API key and API secret. See Twitter FAQ on how to do that:. +

+ +
+ +

Configuration

+
+ +

+ +In Manager, go in General Parameters > Authentication modules and choose Twitter for authentication module. +

+ +

+

You can then choose any other module for users and password. +

+

+ +

+Then, go in Twitter parameters: +

+
    +
  • Authentication level: authentication level for this module.
    +
  • +
  • API key: API key from Twitter
    +
  • +
  • API secret: API secret from Twitter
    +
  • +
  • Application name (optional): Application name (visible in Twitter)
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/browseablesessionbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/browseablesessionbackend.html
new file mode 100644
index 000000000..1b46070b2
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/browseablesessionbackend.html
@@ -0,0 +1,108 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Browseable session backend

+
+ +

+ +Browseable session backend (Apache::Session::Browseable) works exactly like Apache::Session::* corresponding module but add indexes that increase session explorer and session restrictions performances. +

+ +
+ +

Setup

+
+ +
+ +

Prepare database

+
+ +

+ +Database must be prepared exactly like in SQL session backend except that a field must be added for each data to index. Example with MySQL and index set to uid+ipAddr (recommended) +

+
CREATE TABLE sessions (
+    id char(32) NOT NULL PRIMARY KEY,
+    a_session blob,
+    uid varchar(255),
+    ipAddr varchar(15),
+    KEY uid (uid),
+    KEY ipAddr (ipAddr)
+    );
+ +
+ +

Manager

+
+ +

+ +Go in the Manager and set the session module (for example Apache::Session::Browseable::MySQL for MySQL) in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): + +

+ + + + + + + + + + + + + + + + + + + +
Required parameters
Name Comment Example
DataSource The DBI string dbi:mysql:dbname=sessions
UserName The database username lemonldapng
Password The database password mysuperpassword
Index Index uid ipAddr
+ +

+ +

Apache::Session::Browseable::MySQL doesn't use locks so performances are keeped. +

+

+ +
+ +

Security

+
+ +

+ +Restrict network access to the database. +

+ +

+You can also use different user/password for your servers by overriding parameters globalStorage and globalStorageOptions in lemonldap-ng.ini file. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/cda.html b/build/lemonldap-ng/doc/pages/documentation/1.1/cda.html
new file mode 100644
index 000000000..6828116b8
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/cda.html
@@ -0,0 +1,78 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Cross Domain Authentication

+
+ +
+ +

Presentation

+
+
+
+ +

+ +

For security reason, a cookie provided for a domain cannot be sent to another domain. To extend SSO on several domains, a cross-domain mechanism is implemented in LemonLDAP::NG. +

+ +

+
    +
  1. User owns SSO cookies on the main domain (see Login kinematics)
    +
  2. +
  3. User tries to access a protected application in a different domain
    +
  4. +
  5. Handler does not see SSO cookies (because it is not in main domain) and redirects user on Portal
    +
  6. +
  7. Portal recognizes the user with its SSO cookies, and see he is coming from a different domain
    +
  8. +
  9. Portal redirects user on protected application with his session ID as URL parameter
    +
  10. +
  11. Handler detects URL parameter and create a SSO cookies on its domain, with session ID as value
    +
  12. +
+ +
+
+
+ +
+ +

Configuration

+
+ +

+ +Go in Manager, General Parameters » Cookies » Multiple domains and set to On. +

+ +

+To use this feature only locally, edit lemonldap-ng.ini in section [all]: + +

+
[all]
+cda = 1
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/changeconfbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/changeconfbackend.html
new file mode 100644
index 000000000..14147356f
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/changeconfbackend.html
@@ -0,0 +1,90 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

How to change configuration backend

+
+ +

+ +LemonLDAP::NG provides a script to change configuration backend easily keeping history. It is set in LemonLDAP::NG utilities directory (convertConfig). +

+ +
+ +

How it works

+
+ +

+ +The convertConfig utility reads 2 LL::NG configuration files (lemonldap-ng.ini): +

+
    +
  • Current: to extract all configuration history
    +
  • +
  • New: to write all configuration history
    +
  • +
+ +
+ +

Let's go

+
+
    +
  • Prepare your new lemonldap-ng.ini file
    +
  • +
  • Configure your new backend (create SQL database,…)
    +
  • +
  • Launch that:
    +
  • +
+
convertConfig --current=/etc/lemonldap-ng/lemonldap-ng.ini --new=/new/lemonldap-ng.ini
+
    +
  • Install the new lemonldap-ng.ini file in all LL::NG components
    +
  • +
  • Restart all your Apache servers
    +
  • +
+ +
+ +

See also

+
+ +

+ +Documentation is available for configuration backends : +

+ + +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/configlocation.html b/build/lemonldap-ng/doc/pages/documentation/1.1/configlocation.html
new file mode 100644
index 000000000..430605d0f
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/configlocation.html
@@ -0,0 +1,511 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Configuration overview

+
+ +
+ +

Backends

+
+ +

+ +LemonLDAP::NG configuration is stored in a backend that allows all modules to access it. +

+ +

+

Note that all LL::NG components must have access : +

+
    +
  • to the configuration backend
    +
  • +
  • to the sessions storage backend
    +
  • +
+ +

+ +Detailled configuration backends documentation is available here. +

+

+ +

+By default, configuration is stored in files, so access trough network is not possible. To allow this, use SOAP for configuration access, or use a network service like SQL database or LDAP directory. +

+ +

+Configuration backend can be set in the local configuration file, in configuration section. +

+ +

+For example, to configure the File configuration backend: +

+
[configuration]
+type=File
+dirName = /usr/local/lemonldap-ng/data/conf
+ +

+

See How to change configuration backend to known how to change this. +

+

+ +
+ +

Manager

+
+ +

+ +Most of configuration can be done trough LemonLDAP::NG Manager (by default http://manager.example.com). +

+ +

+By default, Manager is protected to allow only localhost. This can be changed in etc/manager-apache2.conf: +

+
    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/8
+        Options +ExecCGI
+    </Directory>
+ +

+

See Manager protection documentation to know how to use Apache modules or LL::NG to manage access to Manager. +

+

+ +

+The Manager displays main branches: +

+
    +
  • General Parameters: authentication modules, portal, etc.
    +
  • +
  • Variables: user information, macros and groups used to fill SSO session
    +
  • +
  • Virtual Hosts: access rules, headers, etc.
    +
  • +
  • SAML 2 Service: SAML metadata administration
    +
  • +
  • SAML identity providers: Registered IDP
    +
  • +
  • SAML service providers: Registered SP
    +
  • +
+ +

+ +LemonLDAP::NG configuration is mainly a key/value structure, so Manager will present all keys into a structured tree. A click on a key will display the associated value. +

+ +

+

When modifying a value, always click on the Apply button if available, to be sure the value is saved. +

+

+ +

+When all modifications are done, click on Save to store configuration. +

+ +

+

LemonLDAP::NG will do some checks on configuration and display errors and warnings if any. Configuration is not saved if errors occur. +

+

+ +

+You can change the graphical aspect of the Manager, by clicking on the Menu style button. It will open a dialog to choose: +

+ + +

+ +

+Menu style preferences are stored in cookies (1 year duration). You can fix default values by editing these values in lemonldap-ng.ini, section manager: +

+
    +
  • managerCss
    +
  • +
  • managerCssTheme
    +
  • +
+ +

+ +

+

+ +
+ +

Apache

+
+ +

+ +

LemonLDAP::NG does not manage Apache configuration +

+

+ +

+LemonLDAP::NG ships 3 Apache configuration files: +

+
    +
  • portal-apache2.conf: Portal virtual host, with SOAP and Issuer end points
    +
  • +
  • manager-apache2.conf: Manager virtual host
    +
  • +
  • handler-apache2.conf : Handler declaration, reload and sample virtual hosts
    +
  • +
+ +

+ +These files must be included in Apache configuration, either with Include directives in httpd.conf (see quick start example), or with symbolic links in Apache configuration directory (like /etc/httpd/conf.d). +

+ +

+

Mod Perl must be loaded before LemonLDAP::NG, so include configuration after the mod_perl LoadModule directive. +

+

+ +
+ +

Portal

+
+ +

+ +In Portal virtual host, you will find several configuration parts: + +

+
    +
  • Standard virtual host directives, to serve portal pages:
    +
  • +
+
    ServerName auth.example.com
+ 
+    # DocumentRoot
+    DocumentRoot /usr/local/lemonldap-ng/htdocs/portal/
+    <Directory /usr/local/lemonldap-ng/htdocs/portal/>
+        Order allow,deny
+        Allow from all
+        Options +ExecCGI
+    </Directory>
+ 
+    # Perl script
+    <Files *.pl>
+        SetHandler perl-script
+        PerlResponseHandler ModPerl::Registry
+    </Files>
+ 
+    # Directory index
+    <IfModule mod_dir.c>
+        DirectoryIndex index.pl index.html
+    </IfModule>
+
    +
  • SOAP end points (inactivated by default):
    +
  • +
+
    # SOAP functions for sessions management (disabled by default)
+    <Location /index.pl/adminSessions>
+        Order deny,allow
+        Deny from all
+    </Location>
+ 
+    # SOAP functions for sessions access (disabled by default)
+    <Location /index.pl/sessions>
+        Order deny,allow
+        Deny from all
+    </Location>
+ 
+    # SOAP functions for configuration access (disabled by default)
+    <Location /index.pl/config>
+        Order deny,allow
+        Deny from all
+    </Location>
+ 
+    # SOAP functions for notification insertion (disabled by default)
+    <Location /index.pl/notification>
+        Order deny,allow
+        Deny from all
+    </Location>
+
    +
  • Issuer rewrite rules (requires mod_rewrite):
    +
  • +
+
    # SAML2 Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/saml/metadata /metadata.pl
+        RewriteRule ^/saml/.* /index.pl
+    </IfModule>
+ 
+    # CAS Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/cas/.* /index.pl
+    </IfModule>
+ 
+    # OpenID Issuer
+    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/openidserver/.* /index.pl
+    </IfModule>
+
    +
  • Some Perl optimizations:
    +
  • +
+
# Best performance under ModPerl::Registry
+# Uncomment this to increase performance of Portal
+<Perl>
+    require Lemonldap::NG::Portal::SharedConf;
+    Lemonldap::NG::Portal::SharedConf->compile(
+        qw(delete header cache read_from_client cookie redirect unescapeHTML));
+    # Uncomment this line if you use Lemonldap::NG menu
+    require Lemonldap::NG::Portal::Menu;
+    # Uncomment this line if you use portal SOAP capabilities
+    require SOAP::Lite;
+</Perl>
+ +
+ +

Manager

+
+ +

+ +Manager virtual host is used to serve configuration interface and local documentation. + +

+
    +
  • Configuration interface access is protected:
    +
  • +
+
    DocumentRoot /usr/local/lemonldap-ng/htdocs/manager/
+    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/8
+        Options +ExecCGI
+    </Directory>
+
    +
  • Local documentation is open to all:
    +
  • +
+
    Alias /doc/ /usr/local/lemonldap-ng/htdocs/doc/
+    <Directory /usr/local/lemonldap-ng/htdocs/doc/>
+        Order deny,allow
+        Allow from all
+    </Directory>
+ +
+ +

Handler

+
+
    +
  • Load Handler in Apache memory:
    +
  • +
+
PerlOptions +GlobalRequest
+PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm
+ +

+

The Handler must be loaded before any protected virtual host. +

+ +

+
    +
  • Catch error pages:
    +
  • +
+
ErrorDocument 403 http://auth.example.com/?lmError=403
+ErrorDocument 500 http://auth.example.com/?lmError=500
+
    +
  • Reload virtual host:
    +
  • +
+
<VirtualHost *:80>
+    ServerName reload.example.com
+ 
+    # Configuration reload mechanism (only 1 per physical server is
+    # needed): choose your URL to avoid restarting Apache when
+    # configuration change
+    <Location /reload>
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/8
+        PerlHeaderParserHandler My::Package->refresh
+    </Location>
+ 
+    # Uncomment this to activate status module
+    #<Location /status>
+    #    Order deny,allow
+    #    Deny from all
+    #    Allow from 127.0.0.0/8
+    #    PerlHeaderParserHandler My::Package->status
+    #</Location>
+ 
+</VirtualHost>
+ +

+Then, to protect a standard virutal host, the only configuration line to add is: +

+
PerlHeaderParserHandler My::Package
+ +
+ +

Configuration reload

+
+ +

+ +

As Handlers keep configuration in cache, when configuration change, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers the mean to reload them trough an HTTP request. Configuration reload will then be effective in less than 10 minutes. +

+

+ +

+After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers. This can be configured in LemonLDAP::NG ini file, in the section apply: +

+
[apply]
+ 
+# URL used to reload configuration
+reload.example.com=http://reload.example.com/reload
+;reloaddist.example.com=http://reloaddist.example.com/reload
+ +

+

You only need a reload URL per physical servers, as Handlers share the same configuration cache on each physical server. +

+

+ +

+The reload target is managed in Apache configuration, inside a virtual host protected by LemonLDAP::NG Handler, for example: +

+
<VirtualHost *:80>
+    ServerName reload.example.com
+ 
+    <Location /reload>
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/8
+        PerlHeaderParserHandler My::Package->refresh
+    </Location>
+ 
+</VirtualHost>
+ +

+

You must allow access to Manager IP. +

+

+ +
+ +

Local file

+
+ +

+ +LemonLDAP::NG configuration can be managed in a local file with INI format. This file is called lemonldap-ng.ini and has the following sections: +

+
    +
  • configuration: where configuration is stored
    +
  • +
  • apply: reload URL for distant Hanlders
    +
  • +
  • all: parameters for all modules
    +
  • +
  • portal: parameters only for Portal
    +
  • +
  • manager: parameters only for Manager
    +
  • +
  • handler: parameters only for Handler
    +
  • +
+ +

+ +When you set a parameter in lemonldap-ng.ini, it will override the parameter from the global configuration. +

+ +

+For example, to override configured skin for portal: +

+
[portal]
+portalSkin = dark
+ +

+

You need to know the technical name of configuration parameter to do this. You can refer to parameter list to find it. +

+

+ +
+ +

Script files

+
+ +

+ +LemonLDAP::NG allows to override any configuration parameter directly in script file. However, it is not advised to edit such files, as they are part of the program, and will be erased at next upgrade. +

+ +

+

You also need to know the technical name of configuration parameter to do this. You can refer to parameter list to find it. +

+

+ +
+ +

Portal

+
+ +

+ +For example, in portal/index.pl: +

+
my $portal = Lemonldap::NG::Portal::SharedConf->new(
+    {
+        portalSkin => 'dark',
+    }
+);
+ +
+ +

Handler

+
+ +

+ +For example, in handler/MyHandler.pm: +

+
__PACKAGE__->init(
+    {
+        domain => 'acme.com',
+    }
+);
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/configvhost.html b/build/lemonldap-ng/doc/pages/documentation/1.1/configvhost.html
new file mode 100644
index 000000000..ab03d3bab
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/configvhost.html
@@ -0,0 +1,182 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Manage virtual hosts

+
+ +

+ +LemonLDAP::NG configuration is build around Apache virtual hosts. Each virtual host is a protected resource, with access rules, headers, POST data and options. +

+ +
+ +

Apache configuration

+
+ +

+ +To protect a virtual host in Apache, the LemonLDAP::NG Handler must be activated (see Apache global configuration). +

+ +

+Then you can take any virtual host, and simply add this line to protect it: +

+
PerlHeaderParserHandler My::Package
+ +

+For example, a protected virtual host for a local application: +

+
<VirtualHost *:80>
+        ServerName localsite.example.com
+ 
+        PerlHeaderParserHandler My::Package
+ 
+        DocumentRoot /var/www/localsite
+ 
+        ErrorLog /var/log/apache2/localsite_error.log
+        CustomLog /var/log/apache2/localsite_access.log combined
+ 
+</VirtualHost>
+ +

+And a protected virtual host with LemonLDAP::NG as reverse proxy: +

+
<VirtualHost *:80>
+        ServerName application.example.com
+ 
+        PerlHeaderParserHandler My::Package
+ 
+        # Reverse-Proxy
+        ProxyPass / http://private-name/
+        # Change "Location" header in redirections
+        ProxyPassReverse / http://private-name/
+        # Change domain cookies
+        ProxyPassReverseCookieDomain private-name application.example.com
+ 
+        ErrorLog /var/log/apache2/proxysite_error.log
+        CustomLog /var/log/apache2/proxysite_access.log combined
+</VirtualHost>
+ +

+ +Same with remote server configured with the same host name: +

+
<VirtualHost *:80>
+        ServerName application.example.com
+ 
+        PerlHeaderParserHandler My::Package
+ 
+        # Reverse-Proxy
+        ProxyPass / http://APPLICATION_IP/
+ 
+        ProxyPreserveHost on
+ 
+        ErrorLog /var/log/apache2/proxysite_error.log
+        CustomLog /var/log/apache2/proxysite_access.log combined
+</VirtualHost>
+ +

+

The ProxyPreserveHost directive will forward the Host header to the protected application.
+To learn more about using Apache as reverse-proxy, see Apache documentation. + +

+

+ +

+

Some applications need the REMOTE_USER environment variable to get the connected user, which is not set in reverse-proxy mode. In this case, see how convert header into environment variable. +

+

+ +
+ +

LemonLDAP::NG configuration

+
+ +

+ +An apache virtual host protected by LemonLDAP::NG Handler must be registered in LemonLDAP::NG configuration. +

+ +

+To do this, use the Manager, and go in Virtual Hosts branch. You can add, delete or modify a virtual host here. +

+ +

+A virtual host contains: +

+
    +
  • Access rules: check user's right on URL patterns
    +
  • +
  • HTTP headers: forge information sent to protected applications
    +
  • +
  • POST data: use form replay
    +
  • +
  • Options: redirection port and protocol
    +
  • +
+ +
+ +

Access rules and HTTP headers

+
+ +

+ +See Writing rules and headers to learn how to configure access control and HTTP headers sent to application by LL::NG. +

+ +
+ +

POST data

+
+ +

+ +See Form replay to learn how to configure form replay to POST data on protected applications. +

+ +
+ +

Options

+
+ +

+ +Two options are available: +

+
    +
  • Port
    +
  • +
  • HTTPS
    +
  • +
+ +

+ +These options are used to build redirection URL (when user is not logged, or for CDA requests). By default, default values are used. These options are only here to override default values. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/customfunctions.html b/build/lemonldap-ng/doc/pages/documentation/1.1/customfunctions.html
new file mode 100644
index 000000000..f9fb881a1
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/customfunctions.html
@@ -0,0 +1,111 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Custom functions

+
+ +

+ +Custom functions allow to extend LL::NG, they can be used in headers, rules or form replay data. +

+ +
+ +

Write custom functions library

+
+ +

+ +Create your Perl module with custom functions. You can name your module as you want, for example SSOExtensions.pm: +

+
+vi /root/SSOExtensions.pm
+
+
package SSOExtensions;
+ 
+sub function1 {
+  my $portal = shift;
+  my $param = shift;
+ 
+  # Your nice code here
+ 
+  return $param
+}
+ 
+1;
+ +

+

The first parameter passed to the custom function is the LL::NG portal object. +

+

+ +
+ +

Import custom functions in LemonLDAP::NG

+
+ +
+ +

Declare module in Apache configuration

+
+ +

+ +Your module has to be loaded by Apache (for example after Handler load): +

+
# Perl environment
+PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
+PerlRequire /root/SSOExtensions.pm
+PerlOptions +GlobalRequest
+ +
+ +

Declare custom functions

+
+ +

+ +Go in Manager, General Parameters » Advanced Parameters » Custom functions and set: + +

+
+SSOExtensions::function1
+
+ +
+ +

Use it

+
+ +

+ +You can now use your function in a macro, an header or an access rule, for example: + +

+
+Custom-Header => function1($uid)
+
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/error.html b/build/lemonldap-ng/doc/pages/documentation/1.1/error.html
new file mode 100644
index 000000000..f5e9a8ede
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/error.html
@@ -0,0 +1,164 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Error messages

+
+ +

+ +

This page do not reference all error messages, but only the frequentest +

+

+ +
+ +

Lemonldap::NG::Common

+
+
Warning: key is not defined, set it in the manager !
+ +

+ +→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager. This message is displayed only when you upgrade from a version older than 1.0 +

+
Can't locate /usr/share/lemonldap-ng/configStorage.pl
+ +

+ +→ When you upgrade from Debian Lenny with customized index.pl files, you must upgrade them. See Debian Lenny upgrade. +

+ +
+ +

Lemonldap::NG::Handler

+
+
Unable to clear local cache
+ +

+ +→ Local cache cannot be cleard, check the localStorage and localStorageOptions or file permissions +

+
Status module can not be loaded without localStorage parameter
+ +

+ +→ You tried to activate Status module without localStorage. Configure local cache first. +

+
No configuration found
+ +

+ +→ The configuration cannot be loaded. Check configStorage and configStorageOptionsor file permissions. +

+
User rejected because VirtualHost XXXX has no configuration
+ +

+ +→ The specified virtual host was not configured in Manager. +

+
mkdir /tmp/MyNamespace/2: Permission denied ...
+ +

+ +→ The cache has been created by another user than Apache's user. Restart Apache to purge it. +

This can happend when you use lmConfigEditor or launch cron files with a different user than Apache process. That is why it is important to set APACHEUSER variable when you launch “make install” + +

+

+
Lemonldap::NG::Handler::SharedConf: No cookie found
+ +

+ +→ User does not have Lemonldap::NG cookie, handler redirect it to the portal +

+
The cookie $id isn't yet available: Object does not exist in the data store
+ +

+ +→ User session has expired or handler does not have access to the same Apache::Session database than the portal +

+
Firefox has detected that the server is redirecting the request for this address in a way that will never complete
+ +

+ +→ Your browser loops between portal and handler, it is probably a cookie problem. Verify that: +

+
    +
  • the portal is in the declared domain
    +
  • +
  • CDA is set if the handler is not in the same domain
    +
  • +
  • portal is in a https virtualhost if securedCookie is set
    +
  • +
  • you've restart all Apache server after having change cookie name or domain
    +
  • +
+ +
+ +

Lemonldap::NG::Manager

+
+
XXXX was not found in tree
+ +

+ +→ The specified node is not the uploaded tree. +

+ +
+ +

Lemonldap::NG::Portal

+
+
User XXXX was not granted to open session
+ +

+ +→ Check grantSessionRule parameter. +

+
XML menu configuration is deprecated. Please use lmMigrateConfFiles2ini to migrate your menu configuration
+ +

+ +→ You do not use the new configuration syntax for application list. XML file is no more accepted. +

+
Apache is not configured to authenticate users !
+ +

+ +→ You use the Apache authentication backend, but Apache is not or bad configured (no REMOTE_USER send to LemonLDAP::NG). +

+
URL contains a non protected host
+ +

+ +→ The host is not known by LemonLDAP::NG. Add it to trustedDomains (or set * in trustedDomains to accept all). +

+
XSS attack detected
+ +

+ +→ Some URL parameters contain forbidden characters. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/exportedvars.html b/build/lemonldap-ng/doc/pages/documentation/1.1/exportedvars.html
new file mode 100644
index 000000000..effe2d98f
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/exportedvars.html
@@ -0,0 +1,113 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Exported variables

+
+ +
+ +

Presentation

+
+ +

+ +Exported variables are the variables available to write rules and headers. They are extracted from the users database by the users module. +

+ +

+To create a variable, you've just to map a user attributes in LL::NG using Variables » Exported variables. For each variable, The first field is the name which will be used in rules, macros or headers and the second field is the name of the user database field. +

+ +

+Examples for LDAP: +

+ + + + + + + + + + + + + +
Variable name LDAP attribute
uid uid
number employeeNumber
name sn
+ +

+ +Exported variables in the Manager +

+ +
+ +

Extend variables using macros and groups

+
+
+
+ +

+ +Macros and groups are calculated during authentication process by the portal: +

+
    +
  • macros are used to extend (or rewrite) exported variables. A macro is stored as attributes: it can contain boolean results or any string
    +
  • +
  • groups are stored as space-separated strings in the special attribute “groups”: it contains the names of groups whose rules were returned true for the current user
    +
  • +
+ +

+ +Example for macros: + +

+
# boolean macro
+isAdmin -> $uid eq 'foo' or $uid eq 'bar'
+# other macro 
+displayName -> $givenName." ".$surName
+ 
+# Use a boolean macro in a rule
+^/admin -> $isAdmin
+# Use a string macro in a HTTP header
+Display-Name -> $displayName
+ +

+Example for groups: + +

+
# group
+admin -> $uid eq 'foo' or $uid eq 'bar'
+ 
+# Use a group in a rule
+^/admin -> $groups =~ /\badmin\b/
+ +
+
+
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/extendedfunctions.html b/build/lemonldap-ng/doc/pages/documentation/1.1/extendedfunctions.html
new file mode 100644
index 000000000..8c9f4ba5b
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/extendedfunctions.html
@@ -0,0 +1,292 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Extended functions

+
+ +
+ +

Presentation

+
+ +

+ +When writing rules and headers, you can use Perl expressions that will be evaluated in a jail, to prevent bad code execution. +

+ +

+This is also true for: +

+ + +

+ +Inside this jail, you can access to: +

+ + +

+ +

To know more about the jail, check Safe module documentation. +

+

+ +
+ +

Functions list

+
+ +
+ +

checkLogonHours

+
+ +

+ +This function will check the day and the hour of current request, and compare it to allowed days and hours. It returns 1 if this match, 0 else. +

+ +

+By default, the allowed days and hours is an hexadecimal value, representing each hour of the week. A day has 24 hours, and a week 7 days, so the value contains 168 bits, converted into 42 hexadecimal characters. Sunday is the first day. +

+ +

+For example, for a full access, excepted week-end: + +

+
+000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000
+
+ +

+

The LDAP schema extension can be used to store this value. You can also use the binary value from the logonHours attribute of Active Directory +

+

+ +

+Functions parameters: +

+
    +
  • logon_hours: string representing allowed logon hours (GMT)
    +
  • +
  • syntax (optional): hexadecimal (default) or octetstring
    +
  • +
  • time_correction (optional): hours to add or to subtract
    +
  • +
  • default_access (optional): what result to return if logon_hours is empty
    +
  • +
+ +

+ +Simple usage example: + +

+
+checkLogonHours($ssoLogonHours)
+
+ +

+If you use the binary value (Active Directory), use this: + +

+
+checkLogonHours($ssoLogonHours, 'octetstring')
+
+ +

+You can also configure jetlag (if all of your users use the same timezone): + +

+
+checkLogonHours($ssoLogonHours, '', '+2')
+
+ +

+If you manage different timezones, you have to take the jetlag into account in ssoLogonHours values, or use the $_timezone parameter. This parameter is set by the portal and use javascript to get the connected user timezone. It should works on every browser: + +

+
+checkLogonHours($ssoLogonHours, '', $_timezone)
+
+ +

+You can modify the default behavior for people without value in ssoLogonHours. Indeed, by default, users without logon hours values are rejected. You can allow these users instead of reject them: + +

+
+checkLogonHours($ssoLogonHours, '', '', '1')
+
+ +
+ +

checkDate

+
+ +

+ +This function will check the date of current request, and compare it to a start date and an end date. It returns 1 if this match, 0 else. +

+ +

+

The LDAP schema extension can be used to store these values +

+

+ +

+The date format is the LDAP date syntax, for example for the 1st March 2009: + +

+
+20090301000000Z
+
+ +

+Functions parameters: +

+
    +
  • start: Start date (GMT)
    +
  • +
  • end: End date (GMT)
    +
  • +
  • default_access (optional): what result to return if start and end are empty
    +
  • +
+ +

+ +Simple usage example: + +

+
+checkDate($ssoStartDate, $ssoEndDate)
+
+ +
+ +

basic

+
+ +

+ +This function builds the Authorization HTTP header used in HTTP Basic authentication scheme. It will force conversion from UTF-8 to ISO-8859-1 of user and password data. +

+ +

+Functions parameters: +

+
    +
  • user
    +
  • +
  • password
    +
  • +
+ +

+ +Simple usage example: + +

+
+basic($uid,$_password)
+
+ +
+ +

unicode2iso

+
+ +

+ +This function convert a string from UTF-8 to ISO-8859-1. +

+ +

+Functions parameters: +

+
    +
  • string
    +
  • +
+ +

+ +Simple usage example: + +

+
+unicode2iso($name)
+
+ +
+ +

iso2unicode

+
+ +

+ +This function convert a string from ISO-8859-1 to UTF-8. +

+ +

+Functions parameters: +

+
    +
  • string
    +
  • +
+ +

+ +Simple usage example: + +

+
+iso2unicode($name)
+
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/federationproxy.html b/build/lemonldap-ng/doc/pages/documentation/1.1/federationproxy.html
new file mode 100644
index 000000000..8c16dd714
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/federationproxy.html
@@ -0,0 +1,69 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

LL::NG as federation protocol proxy

+
+ +

+LL::NG can use federation protocols (SAML, CAS, OpenID) independently to: +

+
    +
  • authenticate users
    +
  • +
  • provide identities to other systems
    +
  • +
+ +

+ +So you can configure it to authenticate users using a federation protocol and simultaneously to provide identities using other(s) federation protocols. +

+ +

+For example, a LL::NG server can be: +

+ + +

+ +See the following chapters: +

+ + +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/fileconfbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/fileconfbackend.html
new file mode 100644
index 000000000..66f736e44
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/fileconfbackend.html
@@ -0,0 +1,62 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

File configuration backend

+
+ +

+ +This is the default configuration backend. Datas are stored as key/values (no-strings values are serialized). +

+ +

+

This configuration storage can be shared between different hosts using: +

+ + +

+ +

+

+ +
+ +

Configuration

+
+ +

+ +You just have to configure a directory writable by Apache user and set it in [configuration] section in your lemonldap-ng.ini file: +

+
[configuration]
+type  = File
+dirName = /var/lib/lemonldap-ng/conf
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/filesessionbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/filesessionbackend.html
new file mode 100644
index 000000000..3efb0eeec
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/filesessionbackend.html
@@ -0,0 +1,72 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

File session backend

+
+ +

+ +File session backend is the more simple session database. Sessions are stored as files in a single directory. Lock files are stored in another directory. It can not be used to share sessions between different servers except if you share directories (with NFS,…). +

+ +
+ +

Setup

+
+ +

+ +In the manager: set ”Apache::Session::File” in “General parameters » Sessions » Session storage » Apache::Session module” and add the following parameters (case sensitive): + +

+ + + + + + + + + + + + + +
Required parameters
Name Comment Example
Directory The path to the main directory /var/lib/lemonldap-ng/sessions
LockDirectory The path to the lock directory /var/lib/lemonldap-ng/sessions/lock
+ +
+ +

Security

+
+ +

+ +Restrict access to the directories only to the Apache server. Example: + +

+
chmod 750 /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock
+chown www-data:www-data /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/formreplay.html b/build/lemonldap-ng/doc/pages/documentation/1.1/formreplay.html
new file mode 100644
index 000000000..04a1cc9bc
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/formreplay.html
@@ -0,0 +1,159 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Form replay

+
+ +
+ +

Presentation

+
+ +

+ +Form replay allows you to open a session on a protected application by replaying the form POST without asking anything to the user. +

+ +

+

+This kind of SSO mechanism is not clean, and can lead to problems, like local password blocking, local session not well closed, etc. +

+ +

+Please always try to find another solution to protect your application with LL::NG. At least, check if it is not a known application, or try to adapt its source code. + +

+

+ +

+If you configure form replay with LL::NG, the Handler will catch configured POST URL and send a POST query to the target page (which can be different of the caught page). Each field can be filled with static values or data from user's session. +

+ +

+

+To post user's password, you must enable password storing. In this case you will be able to use $_password to fill any password POST field. +

+

+ +

+LL::NG can catch a GET request and transform it internally in a POST request. All this work is transparent for the user, he cannot see what data are posted by LL::NG. +

+ +
+ +

Configuration

+
+ +

+ +You should grab some informations: +

+
    +
  • URI of the page which contains the form
    +
  • +
  • URI of the page which receive POST data (optional if it is the same as the page holding the form)
    +
  • +
  • All fields name and values
    +
  • +
+ +

+ +For example: +

+
    +
  • Form page URI: /login.php
    +
  • +
  • POST data URI: /process.php
    +
  • +
  • Fields:
    +
      +
    • login: $uid (uid of the user)
      +
    • +
    • password: $_password (password of the user)
      +
    • +
    • static: 'StaticValue' (a static value)
      +
    • +
    • remember: '1' (checked box)
      +
    • +
    +
  • +
+ +

+ +Then go in Manager, Virtual Hosts » virtualhost » Form replay and click on Add POST URL. +

+ +

+ +

+ +

+Fill values here: +

+
    +
  • POST URL: /login.php
    +
  • +
  • Target URL: /process.php
    +
  • +
+ +

+ +Then click on New POST data and add all data with their values, for example: +

+ +

+ +

+ +

+

You can define more than one form replay URL per virtual host. +

+

+ +
+ +

Form replay with Apache mod_proxy

+
+ +

+ +Due to a conflict between LL::NG form replay and Apache mod_proxy (see issue), you cannot use form replay on proxied applications, unless you use LL::NG internal proxy (based on Perl LWP): +

+
<VirtualHost>
+  ServerName test2.example.com
+ 
+  PerlHeaderParserHandler My::Package
+ 
+  PerlModule Lemonldap::NG::Handler::Proxy
+  SetHandler perl-script
+  PerlHandler Lemonldap::NG::Handler::Proxy
+  PerlSetVar LmProxyPass http://APPLICATION/
+  PerlSetVar LmLocationToReplace http://APPLICATION/,http://test2.example.com
+</VirtualHost>
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/header_remote_user_conversion.html b/build/lemonldap-ng/doc/pages/documentation/1.1/header_remote_user_conversion.html
new file mode 100644
index 000000000..3d5eb99b3
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/header_remote_user_conversion.html
@@ -0,0 +1,86 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Convert HTTP header into environment variable

+
+ +

+ +Using LL::NG in reverse proxy mode, you will not have the REMOTE_USER environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed. +

+ +

+Apache SetEnvIf module will let you transform the Auth-User HTTP header in REMOTE_USER environment variable: +

+
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
+ +

+This can be used to protect applications relying on REMOTE_USER environment variable in reverse proxy mode. In this case you will have two Apache configuration files: + +

+
    +
  • Apache configuration file on LL::NG reverse proxy (hosting LL::NG Handler):
    +
  • +
+
<VirtualHost *:80>
+        ServerName application.example.com
+ 
+        PerlHeaderParserHandler My::Package
+ 
+        ProxyPreserveHost on
+        ProxyPass / http://APPLICATION_IP/
+        ProxyPassReverse / http://APPLICATION_IP/
+ 
+</VirtualHost>
+
    +
  • Apache configuration file on application server (hosting the application):
    +
  • +
+
<VirtualHost *:80>
+        ServerName application.example.com
+ 
+        SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
+ 
+        DocumentRoot /var/www/application
+ 
+</VirtualHost>
+ +

+

+Sometimes, PHP applications also check the PHP_AUTH_USER and PHP_AUHT_PW environment variables. You can set them the same way: + +

+
SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1
+SetEnvIfNoCase Auth-Password "(.*)" PHP_AUTH_PW=$1
+ +

+ +Of course, you need to store password in session to fill PHP_AUTH_PW. + +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/highavailability.html b/build/lemonldap-ng/doc/pages/documentation/1.1/highavailability.html
new file mode 100644
index 000000000..3fd421915
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/highavailability.html
@@ -0,0 +1,57 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

High availability

+
+ +

+ +LemonLDAP::NG is highly scalable, so easy to insert behind a load-balancer: +

+
    +
  • Portal does not store any data outside the session database, so you can have many portal servers using the same HTTP host name
    +
  • +
  • All handlers download the whole configuration, so many servers can serve the same virtual hosts
    +
  • +
+ +

+ +You can for example set up a fail-over cluster with Heartbeat and HAproxy, like this: +

+ +

+ +

+ +

+You just have to share configuration and sessions databases between those servers: +

+ +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/idpcas.html b/build/lemonldap-ng/doc/pages/documentation/1.1/idpcas.html
new file mode 100644
index 000000000..2c98806b3
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/idpcas.html
@@ -0,0 +1,117 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

CAS server

+
+ +
+ +

Presentation

+
+ +

+ +LL::NG can act as an CAS server, that can allow to federate LL::NG with: +

+ + +

+ +LL::NG is compatible with the CAS protocol versions 1.0 and 2.0. This protocol does not define any attributes exchange mechanism, so only authentication is managed. +

+ +
+ +

Configuration

+
+ +

+ +In the Manager, go in General Parameters » Issuer modules » CAS and configure: +

+
    +
  • Activation: set to On.
    +
  • +
  • Path: keep ^/cas/ unless you have change Apache portal configuration file.
    +
  • +
  • Use rule: a rule to allow user to use this module, set to 1 to always allow.
    +
  • +
+ +

+ +

+For example, to allow only users with a strong authentication level: + +

+
+$authenticationLevel > 2
+
+ +

+ + +

+

+ +

+

+Apache rewrite rules must have been activated in Apache portal configuration: + +

+
    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/cas/.* /index.pl
+    </IfModule>
+ +

+ + +

+

+ +

+Then go in Options to define: +

+
    +
  • CAS login: the session key used to fill user login (value will be transmitted to CAS clients).
    +
  • +
  • CAS session module name and options: choose a specific module if you do not want to mix CAS sessions and normal sessions (see why).
    +
  • +
+ +

+ +

If CAS login is not set, it uses General Parameters » Logs » REMOTE_USER data, which is set to uid by default +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/idpopenid.html b/build/lemonldap-ng/doc/pages/documentation/1.1/idpopenid.html
new file mode 100644
index 000000000..da14f20fb
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/idpopenid.html
@@ -0,0 +1,197 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

OpenID server

+
+ +
+ +

Presentation

+
+ +

+ +LL::NG can act as an OpenID 2.0 Server, that can allow to federate LL::NG with: +

+ + +

+ +LL::NG is compatible with the OpenID Authentication protocol version 2.0 and version 1.0. It can be used just to share authentication or to share user's attributes following the OpenID Simple Registration Extension 1.0 (SREG) specification. +

+ +

+When LL::NG is configured as OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login] where: +

+
    +
  • [PORTAL] is the portal URL
    +
  • +
  • [login] is the user login (or any other session information, see below)
    +
  • +
+ +

+ +Example: + +

+
+http://auth.example.com/openidserver/foo.bar
+
+ +
+ +

Configuration

+
+ +

+ +In the Manager, go in General Parameters » Issuer modules » OpenID and configure: +

+
    +
  • Activation: set to On
    +
  • +
  • Path: keep ^/openidserver/ unless you have change Apache portal configuration file.
    +
  • +
  • Use rule: a rule to allow user to use this module, set to 1 to always allow.
    +
  • +
+ +

+ +

+For example, to allow only users with a strong authentication level: + +

+
+$authenticationLevel > 2
+
+ +

+ + +

+

+ +

+

+Apache rewrite rules must have been activated in Apache portal configuration: + +

+
    <IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/openidserver/.* /index.pl
+    </IfModule>
+ +

+ + +

+

+ +

+Then go in Options to define: +

+
    +
  • Secret token: a secret token used to secure transmissions between OpenID client and server (see below).
    +
  • +
  • OpenID login: the session key used to match OpenID login.
    +
  • +
  • Authorized domains: white list or black list of OpenID client domains (see below).
    +
  • +
  • SREG mapping: link between SREG attributes and session keys (see below).
    +
  • +
+ +

+ +

If OpenID login is not set, it uses General Parameters » Logs » REMOTE_USER data, which is set to uid by default +

+

+ +
+ +

Shared attributes (SREG)

+
+ +

+ +SREG permit the share of 8 attributes: +

+
    +
  • Nick name
    +
  • +
  • Email
    +
  • +
  • Full name
    +
  • +
  • Date of birth
    +
  • +
  • Gender
    +
  • +
  • Postal code
    +
  • +
  • Country
    +
  • +
  • Language
    +
  • +
  • Timezone
    +
  • +
+ +

+ +Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute. +

+ +

+

If the OpenID consumer ask for data, users will be prompted to accept or not the data sharing. +

+

+ +
+ +

Security

+
+
    +
  • LL::NG can be configured to restrict OpenID exchange using a white or a black list of domains.
    +
  • +
  • If not set, the secret token is calculated using the general encryption key.
    +
  • +
+ +

+ +

Note that SAML protocol is more secured than OpenID, so when your partners are known, prefer SAML. +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/idpsaml.html b/build/lemonldap-ng/doc/pages/documentation/1.1/idpsaml.html
new file mode 100644
index 000000000..3f4ccf415
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/idpsaml.html
@@ -0,0 +1,234 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

SAML Identity Provider

+
+ +
+ +

Presentation

+
+ +

+ +LL::NG can act as an SAML 2.0 Identity Provider, that can allow to federate LL::NG with: +

+
    +
  • Another LL::NG system configured with SAML authentication
    +
  • +
  • Any SAML Service Provider, for example:
    +
  • +
+
+
+ +

+ +

This requires to configure LL::NG as an SAML Identity Provider. +

+ +

+ + + + + + + +
Google Apps Zimbra SAP
SAP
+ +
+
+
+ +
+ +

Configuration

+
+ +
+ +

SAML Service

+
+ +

+ +See SAML service configuration chapter. +

+ +
+ +

IssuerDB

+
+ +

+ +Go in General Parameters » Issuer modules » SAML and configure: +

+
    +
  • Activation: set to On.
    +
  • +
  • Path: keep ^/saml/ unless you have change SAML end points suffix in SAML service configuration.
    +
  • +
  • Use rule: a rule to allow user to use this module, set to 1 to always allow.
    +
  • +
+ +

+ +

+For example, to allow only users with a strong authentication level: + +

+
+$authenticationLevel > 2
+
+ +

+ + +

+

+ +
+ +

Register LemonLDAP::NG on partner Service Provider

+
+ +

+ +After configuring SAML Service, you can export metadata to your partner Service Provider. +

+ +

+They are available at the EntityID URL, by default: http://auth.example.com/saml/metadata. +

+ +
+ +

Register partner Service Provider on LemonLDAP::NG

+
+ +

+ +In the Manager, select node SAML service providers and click on New service provider: +

+ +

+ +

+ +

+The SP name is asked, enter it and click OK. +

+ +

+Now you have access to the SP parameters list. +

+ +
+ +

Metadata

+
+ +

+ +You must register SP metadata here. You can do it either by uploading the file, or get it from SP metadata URL (this require a network link between your server and the SP). +

+ +

+

You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value. +

+

+ +
+ +

Exported attributes

+
+ +

+ +For each attribute, you can set: +

+
    +
  • Key name: name of the key in LemonLDAP::NG session
    +
  • +
  • Mandatory: if set to “On”, then this attribute will be sent in authentication response. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.
    +
  • +
  • Name: SAML attribute name.
    +
  • +
  • Friendly Name: optional, SAML attribute friendly name.
    +
  • +
  • Format: optional, SAML attribute format.
    +
  • +
+ +
+ +

Options

+
+ +
+ +
Authentication response
+
+
    +
  • Default NameID format: if no NameID format is requested, or the NameID format undefined, this NameID format will be used. If no value, the default NameID format is Email.
    +
  • +
  • One Time Use: set the OneTimeUse flag in authentication response.
    +
  • +
+ +
+ +
Signature
+
+ +

+ +These options override service signature options (see SAML service configuration). + +

+
    +
  • Sign SSO message: sign SSO message
    +
  • +
  • Check SSO message signature: check SSO message signature
    +
  • +
  • Sign SLO message: sign SLO message
    +
  • +
  • Check SLO message signature: check SLO message signature
    +
  • +
+ +
+ +
Security
+
+
    +
  • Encryption mode: set the encryption mode for this IDP (None, NameID or Assertion).
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/installdeb.html b/build/lemonldap-ng/doc/pages/documentation/1.1/installdeb.html
new file mode 100644
index 000000000..9e34e972c
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/installdeb.html
@@ -0,0 +1,268 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Installation on Debian/Ubuntu with packages

+
+ +
+ +

Organization

+
+ +

+ +LemonLDAP::NG provides these packages: +

+
    +
  • lemonldap-ng: meta-package, contains no file but dependencies on other packages
    +
  • +
  • lemonldap-ng-doc: contains HTML documentation and project docs (README, etc.)
    +
  • +
  • liblemonldap-ng-conf-perl: configuration and common files
    +
  • +
  • liblemonldap-ng-handler-perl: Handler files
    +
  • +
  • liblemonldap-ng-manager-perl: Manager files
    +
  • +
  • liblemonldap-ng-portal-perl: Portal files
    +
  • +
+ +
+ +

Get the packages

+
+ +
+ +

Official repository

+
+ +

+ +If you run Debian testing or unstable, the packages are directly installable: + +

+
+apt-cache search lemonldap-ng
+
+ +

+

Packages from Debian repository may not be up to date. Prefer then the other solutions (see below). +

+

+ +
+ +

LL::NG repository

+
+ +

+ +You can add this repository to have recent packages: + +

+
+vi /etc/apt/sources.list.d/lemonldap-ng.list
+
+
+# LemonLDAP::NG repository
+deb     http://lemonldap-ng.org/deb squeeze main
+deb-src http://lemonldap-ng.org/deb squeeze main
+
+ +

+Run this to update packages cache: + +

+
+apt-get update
+
+ +
+ +

Manual download

+
+ +

+ +Packages are available on the Download page. +

+ +
+ +

Install packages

+
+ +
+ +

With apt-get

+
+
+apt-get install lemonldap-ng
+
+ +
+ +

With dpkg

+
+ +

+ +Before installing the packages, install dependencies. +

+ +

+Then: + +

+
+dpkg -i liblemonldap-ng-* lemonldap-ng*
+
+ +
+ +

First configuration steps

+
+ +
+ +

Change default DNS domain

+
+ +

+ +By default, DNS domain is example.com. You can change it quick with a sed command. For example, we change it to ow2.org: +

+
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl
+ +
+ +

Enable LL::NG sites

+
+ +

+ +Enable LL::NG sites in Apache: + +

+
a2ensite portal-apache2.conf
+a2ensite manager-apache2.conf
+ +

+ +Restart Apache: + +

+
apache2ctl configtest
+apache2ctl restart
+ +
+ +

Upgrade

+
+ +

+ +If you upgraded LL::NG, check all upgrade notes. +

+ +

+The upgrade process will also have migrate old configuration files into /etc/lemonldap-ng/lemonldap-ng.ini. This includes the application list which is now set in the applicationList parameter from [portal] section, for example: + +

+
[portal]
+applicationList={ 'Menu' => { type => 'category', 'Example' => { type => 'category', 'test1' => { type => 'application', options => { name => 'Application Test 1', uri => 'http://test1.example.com/', description => 'A simple application displaying authenticated user', logo => 'wheels.png', display => 'auto',  }, },'test2' => { type => 'application', options => { name => 'Application Test 2', uri => 'http://test2.example.com/', description => 'The same simple application displaying authenticated user', logo => 'wheels.png', display => 'auto',  }, }, },'Administration' => { type => 'category', 'manager' => { type => 'application', options => { name => 'WebSSO Manager', uri => 'http://manager.example.com/', description => 'Configure LemonLDAP::NG WebSSO', logo => 'tools.png', display => 'on',  }, },'sessions' => { type => 'application', options => { name => 'Sessions explorer', uri => 'http://manager.example.com/sessions.pl', description => 'Explore WebSSO sessions', logo => 'tools.png', display => 'on',  }, }, },'Documentation' => { type => 'category', 'localdoc' => { type => 'application', options => { name => 'Local documentation', uri => 'http://manager.example.com/doc/', description => 'Documentation supplied with LemonLDAP::NG', logo => 'docs.png', display => 'on',  }, },'officialwebsite' => { type => 'application', options => { name => 'Offical Website', uri => 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation', description => 'Official LemonLDAP::NG Website', logo => 'web.png', display => 'on',  }, }, }, }, }
+ +

+

You should now use the Manager to configure all applications and categories, and then comment or remove the applicationList parameter from /etc/lemonldap-ng/lemonldap-ng.ini. +

+

+ +
+ +

DNS

+
+ +

+ +Configure your DNS server to resolve names with your server IP. +

+ +

+

+For tests with example.com, launch the following : + +

+
cat /etc/lemonldap-ng/for_etc_hosts >> /etc/hosts
+ +

+ + +

+

+ +

+Follow the next steps +

+ +
+ +

File location

+
+
    +
  • Configuration is in /etc/lemonldap-ng
    +
  • +
  • LemonLDAP::NG configuration (edited by the Manager) is in /var/lib/lemonldap-ng/conf/
    +
  • +
  • All Perl modules are in the VENDOR perl directory (/usr/share/perl5/)
    +
  • +
  • All Perl scripts/pages are in /var/lib/lemonldap-ng/
    +
  • +
  • All lemonldap-ng tools are in /usr/share/lemonldap-ng/bin/
    +
  • +
  • All static content (examples, CSS, images, etc.) is in /usr/share/lemonldap-ng/
    +
  • +
  • Apache configuration files are in /etc/lemonldap-ng and linked in /etc/apache2/sites-available
    +
  • +
+ +
+ +

Build your packages

+
+ +

+ +You can also get the LemonLDAP::NG archive and make the package yourself: + +

+
+tar xzf lemonldap-ng-*.tar.gz
+cd lemonldap-ng-*
+make debian-packages
+
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/installrpm.html b/build/lemonldap-ng/doc/pages/documentation/1.1/installrpm.html
new file mode 100644
index 000000000..62f7c86ca
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/installrpm.html
@@ -0,0 +1,359 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Installation on RedHat/CentOS

+
+ +
+ +

Organization

+
+ +

+ +LemonLDAP::NG provides these packages: +

+
    +
  • lemonldap-ng: meta-package, contains no file but dependencies on other packages
    +
  • +
  • lemonldap-ng-doc: contains HTML documentation and project docs (README, etc.)
    +
  • +
  • lemonldap-ng-conf: contains default configuration (DNS domain: example.com)
    +
  • +
  • lemonldap-ng-test: contains sample CGI test page
    +
  • +
  • lemonldap-ng-handler: contains Apache Handler implementation (agent)
    +
  • +
  • lemonldap-ng-manager: contains administration interface and session explorer
    +
  • +
  • lemonldap-ng-portal: contains authentication portal and menu
    +
  • +
  • perl-Lemonldap-NG-Common: CPAN - Shared modules
    +
  • +
  • perl-Lemonldap-NG-Handler: CPAN - Handler modules
    +
  • +
  • perl-Lemonldap-NG-Manager: CPAN - Manager modules
    +
  • +
  • perl-Lemonldap-NG-Portal: CPAN - Portal modules
    +
  • +
+ +

+ +This schema shows the dependencies between modules: +

+ +

+ +

+ +
+ +

Get the packages

+
+ +
+ +

YUM repository

+
+ +

+ +You can add this YUM repository to get recent packages: + +

+
+vi /etc/yum.repos.d/lemonldap-ng.repo
+
+
+[lemonldap-ng]
+name=LemonLDAP::NG packages
+baseurl=http://lemonldap-ng.org/rpm/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
+
+ +

+Run this to update packages cache: + +

+
+yum update
+
+ +

+

+You must also install a repository for non-core dependencies. Example with EPEL: + +

+
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
+ +

+See prerequisites and dependencies chapter for more. + +

+

+ +
+ +

Manual download

+
+ +

+ +RPMs are available on the Download page. +

+ +
+ +

Package GPG signature

+
+ +

+ +The GPG key can be downloaded here: rpm-gpg-key-ow2 +

+ +

+Install it to trust RPMs: +

+
+rpm --import rpm-gpg-key-ow2
+
+ +
+ +

Install packages

+
+ +
+ +

With YUM

+
+ +

+ +If the packages are stored in a yum repository: + +

+
yum install lemonldap-ng
+
Transaction Summary
+===================================================
+Install      82 Package(s)
+Upgrade       0 Package(s)
+ 
+Total download size: 18 M
+Is this ok [y/N]: y
+ +

+You can also use yum on local RPMs file: + +

+
+yum localinstall lemonldap-ng-* perl-Lemonldap-NG-*
+
+ +
+ +

With RPM

+
+ +

+ +Before installing the packages, install all dependencies. +

+ +

+You have then to install all the downloaded packages: + +

+
+rpm -Uvh lemonldap-ng-* perl-Lemonldap-NG-*
+
+ +

+ +

+You can choose to install only one component by choosing the package lemonldap-ng-portal, lemonldap-ng-handler or lemonldap-ng-manager. +

+ +

+Install the package lemonldap-ng-conf only on the server which stores configuration. + +

+

+ +
+ +

First configuration steps

+
+ +
+ +

Change default DNS domain

+
+ +

+ +By default, DNS domain is example.com. You can change it quick with a sed command. For example, we change it to ow2.org: +

+
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl
+ +
+ +

Apache virtual host

+
+ +

+ +If LL::NG is the only software installed in Apache, the virtual host feature may not have already been activated. +

+ +

+To do it, uncomment the NameVirtualHost line in /etc/httpd/conf.d/z-lemonldap-ng-handler.conf: +

+
NameVirtualHost *:80
+ +

+Check Apache configuration and restart: + +

+
apachectl configtest
+apachectl restart
+ +
+ +

Upgrade

+
+ +

+ +If you upgraded LL::NG, check all upgrade notes. +

+ +

+For apache configuration, you may have to remove the old symbolic link, if not done by the RPM: + +

+
rm -f /etc/httpd/conf.d/z-lemonldap-ng.conf
+ +

+Your old Apache configuration should have been saved, you need to port your specificities in new Apache configuration files: + +

+
vi /etc/lemonldap-ng/apache2.conf.rpmsave
+ +

+The upgrade process will also have migrate old configuration files into /etc/lemonldap-ng/lemonldap-ng.ini. This includes the application list which is now set in the applicationList parameter from [portal] section, for example: + +

+
[portal]
+applicationList={ 'Menu' => { type => 'category', 'Example' => { type => 'category', 'test1' => { type => 'application', options => { name => 'Application Test 1', uri => 'http://test1.example.com/', description => 'A simple application displaying authenticated user', logo => 'wheels.png', display => 'auto',  }, },'test2' => { type => 'application', options => { name => 'Application Test 2', uri => 'http://test2.example.com/', description => 'The same simple application displaying authenticated user', logo => 'wheels.png', display => 'auto',  }, }, },'Administration' => { type => 'category', 'manager' => { type => 'application', options => { name => 'WebSSO Manager', uri => 'http://manager.example.com/', description => 'Configure LemonLDAP::NG WebSSO', logo => 'tools.png', display => 'on',  }, },'sessions' => { type => 'application', options => { name => 'Sessions explorer', uri => 'http://manager.example.com/sessions.pl', description => 'Explore WebSSO sessions', logo => 'tools.png', display => 'on',  }, }, },'Documentation' => { type => 'category', 'localdoc' => { type => 'application', options => { name => 'Local documentation', uri => 'http://manager.example.com/doc/', description => 'Documentation supplied with LemonLDAP::NG', logo => 'docs.png', display => 'on',  }, },'officialwebsite' => { type => 'application', options => { name => 'Offical Website', uri => 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation', description => 'Official LemonLDAP::NG Website', logo => 'web.png', display => 'on',  }, }, }, }, }
+ +

+

You should now use the Manager to configure all applications and categories, and then comment or remove the applicationList parameter from /etc/lemonldap-ng/lemonldap-ng.ini. +

+

+ +
+ +

DNS

+
+ +

+ +Configure your DNS server to resolve names with your server IP. +

+ +

+

+For tests with example.com, launch the following : + +

+
cat /etc/lemonldap-ng/for_etc_hosts >> /etc/hosts
+ +

+ + +

+

+ +

+Follow the next steps +

+ +
+ +

File location

+
+
    +
  • Configuration is in /etc/lemonldap-ng
    +
  • +
  • LemonLDAP::NG configuration (edited by the Manager) is in /var/lib/lemonldap-ng/conf/
    +
  • +
  • All Perl modules are in the VENDOR perl directory
    +
  • +
  • All Perl scripts/pages are in /var/lib/lemonldap-ng/
    +
  • +
  • All static content (examples, CSS, images, etc.) is in /usr/share/lemonldap-ng/
    +
  • +
+ +
+ +

Build your packages

+
+ +

+ +If you need it, you can rebuild RPMs: +

+
    +
  • Install rpm-build package
    +
  • +
  • Install all build dependencies (see BuildRequires in lemonldap-ng.spec)
    +
  • +
  • Put LemonLDAP::NG tarball in %_topdir/SOURCES
    +
  • +
  • Edit ~/.rpmmacros and set your build parameters (example for RHEL5):
    +
  • +
+
+%_topdir /home/user/build
+%dist .el5
+%rhel 5
+
+
    +
  • Go to %_topdir
    +
  • +
  • Build:
    +
  • +
+
+rpmbuild -ta SOURCES/lemonldap-ng-VERSION.tar.gz
+
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/installtarball.html b/build/lemonldap-ng/doc/pages/documentation/1.1/installtarball.html
new file mode 100644
index 000000000..a220f83ec
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/installtarball.html
@@ -0,0 +1,318 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Installation from the tarball

+
+ +
+ +

Get the tarball

+
+ +

+ +Get the tarball from download page. You can also find on this page the SVN tarball if you want to test latest features. +

+ +

+

The content of the SVN tarball is not the same as the official tarball. Please see the next chapter to learn how build an official tarball from SVN files. +

+

+ +
+ +

Build the tarball from SVN

+
+ +

+ +Either checkout or export the SVN repository, or extract the SVN tarball to get the SVN files on your disk. +

+ +

+Then go to build directory: + +

+
+cd trunk/build/lemonldap-ng
+
+ +

+And run the “dist” target: + +

+
+make dist
+
+ +

+The generated tarball is in the current directory. +

+ +
+ +

Extraction

+
+ +

+ +Just run the tar command: + +

+
+tar zxvf lemonldap-ng-*.tar.gz
+
+ +
+ +

Installation

+
+ +

+ +First check and install the prerequisites. +

+ +

+For full install: +

+
+cd lemonldap-ng-*
+make
+make configure
+make test
+sudo make install
+
+ +

+You can modify location of default storage configuration file in configure target: + +

+
+sudo make configure STORAGECONFFILE=/etc/lemonldap-ng/lemonldap-ng.ini
+
+ +

+You can choose other Makefile targets: +

+
    +
  • Perl libraries install :
    +
      +
    • install_libs (all Perl libraries)
      +
    • +
    • install_portal_libs
      +
    • +
    • install_manager_libs
      +
    • +
    • install_handler_libs
      +
    • +
    +
  • +
  • Binaries install :
    +
      +
    • install_bin (/usr/local/lemonldap-ng/bin)
      +
    • +
    +
  • +
  • Web sites install :
    +
      +
    • install_site (all sites including install_doc_site)
      +
    • +
    • install_portal_site (/usr/local/lemonldap-ng/htdocs/portal)
      +
    • +
    • install_manager_site (/usr/local/lemonldap-ng/htdocs/manager)
      +
    • +
    • install_handler_site (/usr/local/lemonldap-ng/handler)
      +
    • +
    +
  • +
  • Documentation install :
    +
      +
    • install_doc_site (/usr/local/lemonldap-ng/htdocs/doc)
      +
    • +
    • install_examples_site (/usr/local/lemonldap-ng/examples)
      +
    • +
    +
  • +
+ +

+ +You can also pass parameters to the make install command, with this syntax: + +

+
+sudo make install PARAM=VALUE PARAM=VALUE ...
+
+ +

+Available parameters are: +

+
    +
  • ERASECONFIG: set to 0 if you want to keep your configuration files (default: 1)
    +
  • +
  • DESTDIR: only for packaging, install the product in a jailroot (default: ””)
    +
  • +
  • PREFIX: installation directory (default: /usr/local)
    +
  • +
  • STORAGECONFFILE: location of default storage configuration file (default: /usr/local/lemonldap-ng/etc/lemonldap-ng.ini)
    +
  • +
  • CRONDIR: Cronfile directory (default: $PREFIX/etc/lemonldap-ng/cron.d)
    +
  • +
  • APACHEUSER: user running Apache
    +
  • +
  • APACHEGROUP: group running Apache
    +
  • +
  • DNSDOMAIN: Main DNS domain (default: example.com)
    +
  • +
  • LDAPHOST: LDAP server (default: localhost)
    +
  • +
  • LDAPPORT: LDAP port (default: 389)
    +
  • +
  • LDAPSUFFIX: LDAP suffix (default: dc=example,dc=com)
    +
  • +
  • APACHEVERSION: Apache major version (default: 2)
    +
  • +
  • VHOSTLISTEN: how listen parameter is configured for virtual hosts in Apache (default: *:80)
    +
  • +
+ +

+ +

+For Debian/Ubuntu, you can use: + +

+
+make debian-install
+
+ +

+ +or: + +

+
+make ubuntu-install
+
+ +

+ +See also Debian/Ubuntu installation documentation. + +

+

+ +
+ +

Link Apache configuration

+
+ +

+ +By default, Apache configuration files will be installed in /usr/local/lemonldap-ng/etc/. You have to include them in Apache main configuration, for example: +

+
include /usr/local/lemonldap-ng/etc/portal-apache2.conf
+include /usr/local/lemonldap-ng/etc/handler-apache2.conf
+include /usr/local/lemonldap-ng/etc/manager-apache2.conf
+ +

+

+

+
    +
  • You can also use symbolic links in conf.d Apache directory.
    +
  • +
  • If you have run the Debian/Ubuntu install command, just use:
    +
  • +
+
+a2ensite manager-apache2.conf
+a2ensite portal-apache2.conf
+
+ +

+ + +

+

+ +

+

Mod Perl must be loaded before LL::NG Apache configuration. +

+

+ +
+ +

Install cron jobs

+
+ +

+ +LL::NG use cron jobs to: +

+
    +
  • purge old sessions
    +
  • +
  • clean Handler cache
    +
  • +
+ +

+ +To install them on system: +

+
+sudo ln -s /usr/local/lemonldap-ng/etc/cron.d/* /etc/cron.d/
+
+ +
+ +

DNS

+
+ +

+ +Configure your DNS server to resolve names with your server IP. +

+ +

+

+For tests with the configured domain, launch the following : + +

+
cat /usr/local/lemonldap-ng/etc/lemonldap-ng/for_etc_hosts >> /etc/hosts
+ +

+ + +

+

+ +

+Follow the next steps. + +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/ldapconfbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/ldapconfbackend.html
new file mode 100644
index 000000000..433401a82
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/ldapconfbackend.html
@@ -0,0 +1,142 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

LDAP configuration backend

+
+ +
+ +

Presentation

+
+ +

+ +You can choose to store LemonLDAP::NG configuration in an LDAP directory. +

+ +

+ +

+ +

+Advantages: +

+
    +
  • Easy to share between servers with remote LDAP access
    +
  • +
  • Easy to duplicate with LDAP synchronization services (like SyncRepl in OpenLDAP)
    +
  • +
  • Security with SSL/TLS
    +
  • +
  • Access control possible by creating one user for Manager (write) and another for portal and handlers (read)
    +
  • +
  • Easy import/export through LDIF files
    +
  • +
+ +

+ +The configuration will be store under a specific branch, for example ou=conf,ou=applications,dc=example,dc=com. +

+ +

+Each configuration will be represented as an entry, which structural objectClass is applicationProcess. This objectClass is included in every core schemas. +

+ +

+The configuration name is the same that files, so lmConf-1, lmConf-2, etc. This name is used in entry DN, for example cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com. +

+ +

+Then each parameter is one value of the attribute description, prefixed by its key. For example {ldapPort}389. +

+ +

+The LDIF view of such entry can be: +

+
+dn: cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com
+objectClass: top
+objectClass: applicationProcess
+cn: lmConf-1
+description: {globalStorage}'Apache::Session::File'
+description: {cookieName}'lemonldap'
+description: {whatToTrace}'$uid'
+...
+
+ +
+ +

Configuration

+
+ +
+ +

LDAP server

+
+ +

+ +Configuration objects use standard object class: applicationProcess. This objectClass allow attributes cn and description. If your LDAP server do not manage this objectClass, you have to extend your schema. +

+ +

+We advice to create a specific LDAP account with write access on configuration branch. +

+ +

+Next create the configuration branch where you want. Just remember its DN for LemonLDAP::NG configuration. +

+ +
+ +

LemonLDAP::NG

+
+ +

+ +Configure LDAP configuration backend in lemonldap-ng.ini, section [configuration]: +

+
type = LDAP
+ldapServer = ldap://localhost
+ldapConfBase = ou=conf,ou=applications,dc=example,dc=com
+ldapBindDN = cn=manager,dc=example,dc=com
+ldapBindPassword = secret
+ +

+Parameters: +

+
    +
  • ldapServer: LDAP URI of the server
    +
  • +
  • ldapConfBase: DN of configuration branch
    +
  • +
  • ldapBindDN: DN used to bind LDAP
    +
  • +
  • ldapBindPassword: password used to bind LDAP
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/ldapminihowto.html b/build/lemonldap-ng/doc/pages/documentation/1.1/ldapminihowto.html
new file mode 100644
index 000000000..b54432b46
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/ldapminihowto.html
@@ -0,0 +1,66 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Configure LemonLDAP::NG to use LDAP as main database

+
+ +

+ +LL::NG use 2 internal databases to store its configuration and sessions. +

+ +
+ +

Use LDAP for configuration

+
+ +

+ +Steps: +

+ + +
+ +

Use LDAP for sessions

+
+ +

+ +Steps: +

+ + +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/ldapsessionbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/ldapsessionbackend.html
new file mode 100644
index 000000000..312737a0a
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/ldapsessionbackend.html
@@ -0,0 +1,100 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

LDAP session backend

+
+ +

+ +An Apache session module was created by LL::NG team to store sessions in an LDAP directory. +

+ +

+

This module is not part of LL::NG distibution, and can be found on CPAN: Apache::Session::LDAP. +

+

+ +

+

This module is also available in the contribs directory of LL::NG subversion repository. +

+

+ +

+Sessions will be stored as LDAP entries, like this: +

+
+dn: cn=6fb7c4a170a04668771f03b0a4747f46,ou=sessions,dc=example,dc=com
+objectClass: top
+objectClass: applicationProcess
+cn: 6fb7c4a170a04668771f03b0a4747f46
+description: [serialized data]
+
+ +
+ +

Setup

+
+ +

+ +Go in the Manager and set the LDAP session module (Apache::Session::LDAP) in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): + +

+ + + + + + + + + + + + + + + + + + + +
Required parameters
Name Comment Example
ldapServer URI of the server ldap://localhost
ldapConfBase DN of sessions branch ou=sessions,dc=example,dc=com
ldapBindDN Connection login cn=admin,dc=example,dc=password
ldapBindPassword Connection password secret
+ +
+ +

Security

+
+ +

+ +Restrict network access to the LDAP directory, and add specific ACL to session branch. +

+ +

+You can also use different user/password for your servers by overriding parameters globalStorage and globalStorageOptions in lemonldap-ng.ini file. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/logoutforward.html b/build/lemonldap-ng/doc/pages/documentation/1.1/logoutforward.html
new file mode 100644
index 000000000..1e49041b0
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/logoutforward.html
@@ -0,0 +1,71 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Logout forward

+
+ +
+ +

Presentation

+
+ +

+ +Even if LL:NG can catch logout URL trough virtual host rules, you can have the need to forward a logout to other applications, to close their local sessions. +

+ +

+LL::NG has a logout forward mechanism, that will add a step in logout process, to send logout requests (indeed, GET requests on application logout URL) inside hidden iframes. +

+ +

+

The logout request will be sent even if the user did not use the application. +

+

+ +
+ +

Configuration

+
+ +

+ +Go in Manager, General parameters » Advanced parameters » Logout forward and click on Add a key, then fill: +

+
    +
  • Key: application name
    +
  • +
  • Value: application logout URL
    +
  • +
+ +

+ +

The request on logout URL will be sent after user is disconnected, so you should unprotect this URL if it is protected by an LL::NG Handler. +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/logs.html b/build/lemonldap-ng/doc/pages/documentation/1.1/logs.html
new file mode 100644
index 000000000..a22214fc0
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/logs.html
@@ -0,0 +1,101 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Logs

+
+ +
+ +

Apache logging

+
+ +

+ +By default, LemonLDAP::NG uses Apache logs to store user actions and other messages: +

+
    +
  • Error log: all messages emitted by the program, depending on the configured log level
    +
  • +
  • Access log: the issuer of each request is identified
    +
  • +
+ +

+ +The log level can be set with Apache LogLevel parameter. It can be configured globally, or inside a virtual host. +

+ +

+See http://httpd.apache.org/docs/2.2/mod/core.html#loglevel for more information. +

+ +

+To configure the user identifier in access log, go in Manager, General Parameters > Logging > REMOTE_USER. +

+ +
+ +

Syslog

+
+ +

+ +LemonLDAP::NG can also use syslog (only for user actions). +

+ +

+In Manager, set syslog facility in General Parameters > Logging > Syslog facility. +

+ +

+The messages are stored with the facilities : +

+
    +
  • info for user actions
    +
  • +
  • notice for good authentications or external exchange (SAML, OpenID,…)
    +
  • +
  • warn for failed authentications
    +
  • +
+ +
+ +

Override logging functions

+
+ +

+ +You can customize logs by redefining userNotice() and userError() methods, directly in lemonldap-ng.ini +

+ +

+Example: +

+
[portal]
+userError = sub { my ($self, $message) = @_; ... }
+userNotice = sub { my ($self, $message) = @_; ... }
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/managerprotection.html b/build/lemonldap-ng/doc/pages/documentation/1.1/managerprotection.html
new file mode 100644
index 000000000..d96981b0a
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/managerprotection.html
@@ -0,0 +1,136 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Manager protection

+
+ +

+ +When installing LL::NG, the Manager can only be accessed from localhost, for security reasons. This How To explains how change this default behavior to protect Manager with Apache or directly with LL::NG. +

+ +
+ +

Apache based protection

+
+ +

+ +The configuration can be changed in etc/manager-apache2.conf: +

+ +

+By default, the protection rule is to only accept clients from localhost: + +

+
    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/8
+        Options +ExecCGI
+    </Directory>
+ +

+You can change this to allow other specific IP, for example: + +

+
    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/8 192.168.100.0/32
+        Options +ExecCGI
+    </Directory>
+ +

+But you will rather prefer to use an Apache authentication module, like for example LDAP authentication module: + +

+
    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
+        AuthzLDAPAuthoritative On
+        AuthName "LL::NG Manager"
+        AuthType Basic
+        AuthBasicProvider ldap
+        AuthLDAPBindDN "ou=websso,ou=applications,dc=example,dc=com"
+        AuthLDAPBindPassword "secret"
+        AuthLDAPURL ldap://localhost:389/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS
+        Require ldap-user coudot xguimard tchemineau
+        Options +ExecCGI
+    </Directory>
+ +
+ +

LL::NG based protection

+
+ +

+ +

Before enabling Manager protection by LL::NG, you must have configured how users authenticate on Portal, and test that you can log in without difficulties. Else, you will lock access to Manager and will never access it anymore. +

+

+ +

+Go on Manager, and declare Manager as a new virtual host, for example manager.example.com. You can then set the access rule. No headers are needed. +

+ +

+Save the configuration and exit the Manager. +

+ +

+

The next time you will access Manager, it will be trough LL::NG. +

+

+ +

+Enable protection on Manager, by editing lemonldap-ng.ini: + +

+
[manager]
+protection = manager
+ +

+Remove Apache access control: + +

+
    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
+        Order deny,allow
+        Allow from all
+        Options +ExecCGI
+    </Directory>
+ +

+Restart Apache and try to log on Manager. You should be redirected to LL::NG Portal. +

+ +

+You can then add the Manager as an application in the menu. +

+ +

+

If for an obscur reason, the WebSSO is not working and you want to access the Manager, remove the protection in lemonldap-ng.ini and reconfigure Apache access control. +

+

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/memcachedsessionbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/memcachedsessionbackend.html
new file mode 100644
index 000000000..ef918b83b
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/memcachedsessionbackend.html
@@ -0,0 +1,80 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Memcached session backend

+
+ +

+ +

Memcached can be used with LL::NG, but some features will not work since Memcached doesn't provide any parsing system: +

+ + +

+ +To keep Memcached performance level and LL::NG features, you can replace Memcached by Redis using NoSQL session backend. + +

+

+ +
+ +

Setup

+
+ +

+ +Install and launch a Memcached server. +

+ +

+In the manager: set Apache::Session::Memcached in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): + +

+ + + + + + + + + + +
Required parameters
Name Comment Example
Servers Memcached servers 10.0.0.1:20000 10.0.0.2:20000
+ +

+ +See Apache::Session::Memcached for optional parameters. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/mrtg.html b/build/lemonldap-ng/doc/pages/documentation/1.1/mrtg.html
new file mode 100644
index 000000000..f8e950e6e
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/mrtg.html
@@ -0,0 +1,67 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

MRTG monitoring

+
+ +

+ +The status page can be read by MRTG using the script lmng-mrtg that can be found in manager example directory. +

+ +

+MRTG configuration example: +

+
######################################################################
+# Multi Router Traffic Grapher -- Sample Configuration File
+######################################################################
+# This file is for use with mrtg-2.5.4c
+ 
+# Global configuration
+WorkDir: /var/www/mrtg
+WriteExpires: Yes
+ 
+Title[^]: Traffic Analysis for
+ 
+# 128K leased line
+# ----------------
+#Title[leased]: a 128K leased line
+#PageTop[leased]: <H1>Our 128K link to the outside world</H1>
+#Target[leased]: 1:public@router.localnet
+#MaxBytes[leased]: 16000
+Target[test.example.com]: `/etc/mrtg/lmng-mrtg 172.16.1.2 https://test.example.com/status OK OK`
+Options[test.example.com]: nopercent, growright, nobanner, perminute
+PageTop[test.example.com]: <h1>Requests OK from test.example.com</h1>
+MaxBytes[test.example.com]: 1000000
+YLegend[test.example.com]: hits/minute
+ShortLegend[test.example.com]: &nbsp; hits/mn
+LegendO[test.example.com]: Hits:
+LegendI[test.example.com]: Hits:
+Legend2[test.example.com]: Hits per minute
+Legend4[test.example.com]: Hits max per minute
+Title[test.example.com]: Hits per minute
+WithPeak[test.example.com]: wmy
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/mysqlminihowto.html b/build/lemonldap-ng/doc/pages/documentation/1.1/mysqlminihowto.html
new file mode 100644
index 000000000..29907b38d
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/mysqlminihowto.html
@@ -0,0 +1,72 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Configure LemonLDAP::NG to use MySQL as main database

+
+ +

+ +LL::NG use 2 internal databases to store its configuration and sessions. +

+ +
+ +

Use MySQL for Lemonldap::NG configuration

+
+ +

+ +Steps: +

+ + +
+ +

Use MySQL for Lemonldap::NG sessions

+
+ +

+ +Steps: +

+ + +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/nosqlsessionbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/nosqlsessionbackend.html
new file mode 100644
index 000000000..22ed6ef1a
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/nosqlsessionbackend.html
@@ -0,0 +1,71 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Redis session backend

+
+ +

+Apache::Session::Redis is the faster shareable session backend +

+ +
+ +

Setup

+
+ +

+ +Install and launch a Redis server. Install +Apache::Session::Redis Perl module. +

+ +

+In the manager: set Apache::Session::Redis in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): + +

+ + + + + + + + + + +
Required parameters
Name Comment Example
server Redis server 127.0.0.1:6379
+ +
+ +

Security

+
+ +

+ +Restrict network access to the redis server. For remote servers, you can use SOAP session backend in cunjunction to increase security for remote server that access through an unsecure network + +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/notifications.html b/build/lemonldap-ng/doc/pages/documentation/1.1/notifications.html
new file mode 100644
index 000000000..04c8fccfe
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/notifications.html
@@ -0,0 +1,184 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Notifications system

+
+ +

+ +Since version 0.9.4, Lemonldap::NG can be used to notify some messages to users: if a user has a message, the message will be displayed when he will access to the portal. If the message contains checkboxes, the user has to check all of them else he can not access to the portal and get his session cookie. +

+ +
+ +

Installation

+
+ +
+ +

Activation

+
+ +

+ +You just have to set “notification” to “activate” in the manager (or notification=1 in lemonldap-ng.ini, section “PORTAL”). +

+ +
+ +

Storage

+
+ +

+ +By default, notifications will be stored in the same database as configuration: +* if you use “File” system and your “dirName” is set to /usr/local/lemonldap-ng/conf/, the notifications will be stored in /usr/local/lemonldap-ng/notifications/ +* if you use “DBI” system, the notifications will be stored in the same database as configuration and in a table called “notifications”. You have to create the table by yourself&nbsp; + +

+
CREATE TABLE 'notifications' (
+  'date' datetime NOT NULL,
+  'uid' varchar(255) NOT NULL,
+  'ref' varchar(255) NOT NULL,
+  'xml' longblob NOT NULL,
+  'done' datetime DEFAULT NULL,
+  PRIMARY KEY  ('date','uid','ref')
+)
+ +

+You can change default parameters using the “notificationStorage” parameter with the same syntax as configStorage. +

+ +
+ +

Using notification system

+
+ +
+ +

Insert new notifications

+
+ +

+ +New notifications can be insert using SOAP request (described in the WSDL file generated by buildPortalWSDL tool). +

+ +
+ +

Notification format

+
+ +

+ +Notifications are XML files containing: +

+
    +
  • ”<notification>” element(s) :
    +
      +
    • required attributes :
      +
        +
      • “date” in format YYYY-MM-DD
        +
      • +
      • “ref” : a reference that can be used later to know what has been notified and when
        +
      • +
      • “uid” : the user (it must correspond to the attibute set in whatToTrace parameter : uid by default)
        +
      • +
      +
    • +
    • sub-elements :
      +
        +
      • <text> : paragraph to display : will be inserted in HTML page enclosed in <p class=“notifText”>…</p>
        +
      • +
      • <check> : paragraph to display with a checkbox : will be inserted in HTML page enclosed in <p class=“notifCheck”><input type=“checkbox/>…</p>
        +
      • +
      +
    • +
    +
  • +
+ +

+ +All other elements will be removed including HTML elements like <b>; +

+ +

+Example : + +

+
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<root>
+<notification uid="foo.bar" date="2009-01-27" reference="ABC">
+<text> You have been granted to access to appli-1 </text>
+<text> You have been granted to access to appli-2 </text>
+<check> I know that I can acces to appli-1 </check>
+<check> I know that I can acces to appli-2 </check>
+</notification>
+</root>
+ +
+ +

Insertion example in Perl

+
+
#!/usr/bin/perl
+ 
+use SOAP::Lite;
+use utf8;
+ 
+my $lite = SOAP::Lite
+        ->uri('urn:Lemonldap::NG::Common::CGI::SOAPService')
+        ->proxy('http://auth.example.com/index.pl/notification');
+ 
+ 
+$r = $lite->newNotification('<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<root>
+<notification uid="foo.bar" date="2009-01-27" reference="ABC">
+<text> You have been granted to access to appli-1 </text>
+<text> You have been granted to access to appli-2 </text>
+<check> I know that I can acces to appli-1 </check>
+<check> I know that I can acces to appli-2 </check>
+</notification>
+</root>');
+ 
+if ( $r->fault ) {
+    print STDERR "SOAP Error: " . $r->fault->{faultstring};
+}
+else {
+    my $res = $r->result();
+    print "$res notification(s) have been inserted\";
+}
+ +
+ +

Test notification

+
+ +

+ +You've simply to insert a notification and connect to the portal using the same UID. You will be prompted. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/parameterlist.html b/build/lemonldap-ng/doc/pages/documentation/1.1/parameterlist.html
new file mode 100644
index 000000000..6336efb84
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/parameterlist.html
@@ -0,0 +1,552 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Parameter list

+
+ +

+ +

+Click on a column header to sort table. +The attribute key name can be used directly in lemonldap-ng.ini or in Perl scripts to override configuration parameters (see configuration location). + +

+

+ +
+ +

Main parameters

+
+ +

+ +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Full name Key name Portal Handler Manager
Activate auto accept timer activeTimer
Apache authentication level apacheAuthnLevel
Choice modules authChoiceModules
Choice URL parameter authChoiceParam
Authentication backend authentication
LDAP authentication search filter AuthLDAPFilter
CAS authentication level CAS_authnLevel
CAS CA file CAS_CAFile
CAS force gateway authentication CAS_gateway
CAS PGT temporary file CAS_pgtFile
CAS proxied services CAS_proxiedServices
CAS force authentication renewal CAS_renew
CAS server URL CAS_url
CAS Session backend casStorage
CAS Session backend options casStorageOptions
CDA activation cda
Configuration backend configStorage
Cookie expiration cookieExpiration
Name of the cookie cookieName
Custom functions customFunctions
Custom SOAP Services CustomSOAPServices
DBI Connection chain dbiAuthChain
DBI Login column dbiAuthLoginCol
DBI authentication level dbiAuthnLevel
DBI Connection password dbiAuthPassword
DBI Password column dbiAuthPasswordCol
DBI Password hash dbiAuthPasswordHash
DBI Authentication table dbiAuthTable
DBI Connection user dbiAuthUser
DBI Mail column dbiPasswordMailCol
DBI UserDB connection chain dbiUserChain
DBI UserDB connection password dbiUserPassword
DBI UserDB table dbiUserTable
DBI UserDB connection user dbiUserUser
Main DNS domain domain
Attributes exported in SOAP exportedAttr
Headers sent exportedHeaders
Attributes from user backend exportedVars
Session backend globalStorage
Session backend options globalStorageOptions
Rule for session granting grantSessionRule
Local groups groups
Force HTTPS in redirection https
LDAP authentication level ldapAuthnLevel
LDAP search base ldapBase
LDAP change password as user ldapChangePasswordAsUser
LDAP main search filter LDAPFilter
LDAP groups member attribute ldapGroupAttributeName
LDAP group link attribute name ldapGroupAttributeNameGroup
LDAP groups name attribute ldapGroupAttributeNameSearch
LDAP groups member link value ldapGroupAttributeNameUser
LDAP groups base ldapGroupBase
LDAP groups objectClass ldapGroupObjectClass
LDAP activate recursive groups ldapGroupRecursive
LDAP Port ldapPort
LDAP password policy control ldapPpolicyControl
LDAP password encoding ldapPwdEnc
LDAP binary attributes ldapRaw
LDAP server or Net::LDAP connexion string ldapServer
LDAP extended SetPassword modify ldapSetPassword
LDAP timeout ldapTimeout
LDAP version ldapVersion
Cache backend localStorage
Local cache localStorage
Cache backend options localStorageOptions
Local cache parameters localStorageOptions
Access rules locationRules
Macros macros
Body for password mail mailBody
Body for confirmation mail mailConfirmBody
Subject for confirmation mail mailConfirmSubject
Mail From address mailFrom
LDAP mail search filter mailLDAPFilter
Subject for password mail mailSubject
URL for mail reset mailUrl
Manager menu organization managerCss
Manager theme managerCssTheme
LDAP Bind DN managerDn
LDAP Bind Password managerPassword
Manager skin managerSkin
Manager tree autoClose managerTreeAutoClose
Manager tree JQuery CSS file managerTreeJqueryCss
Multi overridden parameters multi
Multi values separator multiValuesSeparator
Notification activation notification
Notification backend notificationStorage
Notification backend options notificationStorageOptions
Display deleted sessions notifyDeleted
Display other sessions notifyOther
Null authentication level nullAuthnLevel
OpenID authentication level openIdAuthnLevel
OpenID allowed domains openIdIDPList
OpenID secret token openIdSecret
Password backend passwordDB
Force port in redirection port
Portal URL portal
Anti frame protection portalAntiFrame
Allow form autocompletion portalAutocomplete
Display applications list portalDisplayAppslist
Display change password module portalDisplayChangePassword
Display logout module portalDisplayLogout
Display reset password form portalDisplayResetPassword
Open links in new window portalOpenLinkInNewWindow
Require old password (change) portalRequireOldPassword
Skin name portalSkin
User name session field portalUserAttr
Protection scheme protection
Regular expression for random password randomPasswordRegexp
Delay between check of local configuration reloadTime
Remote cookie name remoteCookieName
Proxy cookie name remoteCookieName
Remote Session backend remoteGlobalStorage
Remote Session backend options remoteGlobalStorageOptions
Remote portal remotePortal
SAML Session backend samlStorage
SAML Session backend options samlStorageOptions
Cookie security securedCookie
Delete other session if IP differs singleIP
Delete other session singleSession
Do not allow several users for 1 IP singleUserByIP
SMTP server SMTPServer
SOAP activation Soap
Proxy portal URL soapAuthService
Proxy session SOAP end point soapSessionService
SSL authentication level SSLAuthnLevel
SSL map with LDAP attribute SSLLDAPField
SSL force SSL authentication SSLRequire
SSL user field in certificate SSLVar
Status module activation status
Store password in session storePassword
Sympa mail session key sympaMailKey
Sympa shared secret sympaSecret
Syslog facility syslog
Session lifetime for cronjob timeout
Trusted domains trustedDomains
Twitter application name twitterAppName
Twitter authentication level twitterAuthnLevel
Twitter application key twitterKey
Twitter application secret twitterSecret
User backend userDB
Use redirect on error useRedirectOnError
DBI Pivot from user table userPivot
Use XForwardedFor for IP useXForwardedForIP
Data to store as REMOTE_USER (used also in Apache logs) whatToTrace
Zimbra account session key zimbraAccountKey
Zimbra account type zimbraBy
Zimbra preauthentication key zimbraPreAuthKey
Zimbra local SSO URL pattern zimbraSsoUrl
Zimbra preauthentication URL zimbraUrl
+
+

+ +
+ +

Configuration backend parameters

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Full name Key name Configuration backend
DBI connection string dbiChain CDBI / RDBI
DBI user dbiUser
DBI password dbiPassword
DBI table name dbiTable
Storage directory dirName File
LDAP server ldapServer LDAP
LDAP port ldapPort
LDAP base ldapConfBase
LDAP bind dn ldapBindDN
LDAP bind password ldapBindPassword
Certificate authorities file caFile
Certificate authorities directory caPath
SOAP server location (URL) proxy SOAP
LWP::UserAgent parameters proxyOptions
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/passwordstore.html b/build/lemonldap-ng/doc/pages/documentation/1.1/passwordstore.html
new file mode 100644
index 000000000..66327a22b
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/passwordstore.html
@@ -0,0 +1,88 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Store user password in session

+
+ +
+ +

Presentation

+
+ +

+ +Password is not a common attribute. Indeed, in most of the cases, it is not stored in clear text in the backend (LDAP or database). +

+ +

+So, to keep user password in session, you cannot just export the password variable in session. To bypass this, LL::NG can remember what password was given by user on authentication phase. +

+ +

+

+

+
    +
  • As this may be a security hole, password store in session is not activated by default
    +
  • +
  • This mechanism can only work with authentication backends using a login/password form (LDAP, DBI, …)
    +
  • +
+ +

+ +

+

+ +
+ +

Configuration

+
+ +

+ +Go in Manager, General Parameters » Sessions » Store user password in session data and set to On. +

+ +
+ +

Usage

+
+ +

+ +User password is now available in $_password variable. For example, to send it in an header: + +

+
+Auth-Password => $_password
+
+ +

+

For security reasons, the password is not shown in sessions explorer. +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/performances.html b/build/lemonldap-ng/doc/pages/documentation/1.1/performances.html
new file mode 100644
index 000000000..af62b8633
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/performances.html
@@ -0,0 +1,261 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Performances

+
+ +

+ +Lemonldap::NG is designed to be very performant. In particular, it use Apache2 threads capabilities so to optimize performances, prefer using mpm-worker. +

+ +
+ +

Handler performance

+
+ +

+ +Handlers check rights and calculate headers for each HTTP hit. So to improve performances, avoid too complex rules by using the macro or the groups or local macros. +

+ +
+ +

Macros and groups

+
+ +

+ +Macros and groups are calculated during authentication process by the portal: +

+
    +
  • macros are used to extend (or rewrite) exported variables. A macro is stored as attributes: it can contain boolean results or any string
    +
  • +
  • groups are stored as space-separated strings in the special attribute “groups”: it contains the names of groups whose rules were returned true for the current user
    +
  • +
+ +

+ +Example for macros: + +

+
# boolean macro
+isAdmin -> $uid eq 'foo' or $uid eq 'bar'
+# other macro 
+displayName -> $givenName." ".$surName
+ 
+# Use a boolean macro in a rule
+^/admin -> $isAdmin
+# Use a string macro in a HTTP header
+Display-Name -> $displayName
+ +

+Example for groups: + +

+
# group
+admin -> $uid eq 'foo' or $uid eq 'bar'
+ 
+# Use a group in a rule
+^/admin -> $groups =~ /\badmin\b/
+ +
+ +

Local macros

+
+ +

+ +Macros and groups are stored in session database. Local macros is a special feature of handler that permit to have macros useable localy only. Those macros are calculated only at the first usage and stored in the local session cache (only for this server) and only if the user access to the related applications. This avoid to have to many datas stored. +

+
# rule
+admin -> $admin ||= ($uid eq 'foo' or $uid eq 'bar')
+# header
+Display-Name -> $displayName ||= $givenName." ".$surName
+ +

+

Note that this feature is interesting only for the Lemonldap::NG systems protecting a high number of applications +

+

+ +
+ +

Portal performances

+
+ +
+ +

General performances

+
+ +

+ +The portal is the biggest component of Lemonldap::NG. It is recommended to use ModPerl::Registry instead of using cgi-script as described in Apache configuration file example (portal-apache2.conf): + +

+
<Files *.pl>
+    SetHandler perl-script
+    PerlResponseHandler ModPerl::Registry
+</Files>
+ +
+ +

Starting performances

+
+ +

+ +To make the portal start faster when the server is relaunched, add those lines in Apache configuration file (as described in portal-apache2.conf): + +

+
<Perl>
+    require Lemonldap::NG::Portal::SharedConf;
+    Lemonldap::NG::Portal::SharedConf->compile(
+        qw(delete header cache read_from_client cookie redirect unescapeHTML));
+    # Uncomment this line if you use Lemonldap::NG menu
+    require Lemonldap::NG::Portal::Menu;
+    # Uncomment this line if you use portal SOAP capabilities
+    require SOAP::Lite;
+</Perl>
+ +
+ +

Apache::Session performances

+
+ +

+ +Lemonldap::NG handlers use a local cache to store sessions (for 10 minutes). So Apache::Session module is not a problem for handlers. It can be a brake for the portal: +

+
    +
  1. When you use the multiple sessions restriction parameters, sessions are parsed for each authentication unless you use an Apache::Session::Browseable module.
    +
  2. +
  3. Since MySQL does not have always transaction feature, Apache::Session::MySQL has been designed to use MySQL locks. Since MySQL performances are very bad using this, if you want to store sessions in a MySQL database, prefer one of the following
    +
  4. +
+ +
+ +

Replace MySQL by Apache::Session::Flex

+
+ +

+ +In “Apache::Session module” field, set ”Apache::Session::Flex” and use the following parameters: + +

+
+Store      -> MySQL
+Lock       -> Null
+Generate   -> MD5
+Serialize  -> Storable
+DataSource -> dbi:mysql:sessions;host=...
+UserName   -> ...
+Password   -> ...
+
+ +
+ +

Use Apache::Session::Browseable

+
+ +

+ +Apache::Session::Browseable is a wrapper for other Apache::Session modules that add the capability to manage indexes. To use it (with MySQL for example), choose “Apache::Session::Browseable::MySQL” as “Apache::Session module” and use the following parameters: + +

+
+DataSource -> dbi:mysql:sessions;host=...
+UserName   -> user
+Password   -> password
+Index      -> ipAddr uid
+
+ +

+Note that Apache::Session::Browseable::MySQL doesn't use MySQL locks. +

+ +

+

A Apache::Session::Browseable::Redis has been created, it is the faster +

+

+ +

+

Some Apache::Session module are not useable by Lemonldap::NG such as Apache::Session::Memcached since this module does not offer capability to browse sessions +

+

+ +
+ +

LDAP performances

+
+ +

+ +LDAP server can be a brake when you use LDAP groups recovery. You can avoid this by setting “memberOf” fields in your LDAP scheme: + +

+
dn: uid=foo,dmdName=people,dc=example,dc=com
+...
+memberOf: cn=admin,dmdName=groups,dc=example,dc=com
+memberOf: cn=su,dmdName=groups,dc=example,dc=com
+ +

+So instead of using LDAP groups recovery, you just have to store “memberOf” field in your exported variables. With OpenLDAP, you can use the memberof overlay to do it automaticaly. +

+ +

+

Don't forget to create an index on the field used to find users (uid by default) +

+

+ +

+

To avoid having group dn stored in sessions datas, you can use a macro to rewrite memberOf: +

+
    +
  • Exported variables
    +
  • +
+
+ldapgroups -> memberOf
+
+
+ For now, ldapgroups contains “cn=admin,dmdName=groups,dc=example,dc=com cn=su,dmdName=groups,dc=example,dc=com”
+
    +
  • A little macro:
    +
  • +
+
ldapgroups -> join(" ",($ldapgroups =~ /cn=(.*?),/g))
+
+ Now ldapgroups contains “admin su”
+ +

+ +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/portal.html b/build/lemonldap-ng/doc/pages/documentation/1.1/portal.html
new file mode 100644
index 000000000..ce3e5397d
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/portal.html
@@ -0,0 +1,138 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

The portal

+
+ +

+ +The portal is the main component of LL::NG. It provides many features: +

+
    +
  • Authentication service of course
    + +
  • +
  • Identity provider: LL::NG is able to provide identity service using:
    + +
  • +
  • Identity provider proxy: LL::NG can be used as proxy translator between systems talking SAML, OpenID, CAS, …
    +
  • +
  • Internal SOAP server used by SOAP configuration backend and usable for specific development (see SOAP services for more)
    +
  • +
  • Interactive management of user passwords:
    +
      +
    • Password change form (in menu)
      +
    • +
    • Self service reset (send a mail to the user with a to change the password)
      +
    • +
    • Force password change with LDAP password policy password reset flag
      +
    • +
    +
  • +
  • Application menu: display authorized applications in categories
    +
  • +
  • Notifications: prompt users with a message if found in the notification database
    +
  • +
+ +
+ +

Functioning

+
+ +

+ +LL::NG portal is a modular component. It needs 4 modules to work: +

+ + +

+ +

Each module can be disabled using the Null backend. +

+

+ +
+ +

Kinematics

+
+
    +
  1. Check if URL asked is valid
    +
  2. +
  3. Check if user is already authenticated
    +
      +
    • If not authenticated (or authentication is forced) try to find it (userDB module) and to authenticate it (auth module), create session, calculate groups and macros and store them
      +
    • +
    +
  4. +
  5. Modify password if asked
    +
  6. +
  7. Provides identity if asked
    +
  8. +
  9. Build cookie(s)
    +
  10. +
  11. Redirect user to the asked URL or display menu
    +
  12. +
+ +

+ +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/portalcustom.html b/build/lemonldap-ng/doc/pages/documentation/1.1/portalcustom.html
new file mode 100644
index 000000000..1d3eee830
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/portalcustom.html
@@ -0,0 +1,152 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Portal customization

+
+ +

+ +

The portal is the visible part of LemonLDAP::NG, all user interactions are displayed on it. +

+

+ +
+ +

Skin

+
+ +

+ +LemonLDAP::NG is shipped with 3 skins: +

+
    +
  • pastel
    +
  • +
  • impact
    +
  • +
  • dark
    +
  • +
+ +

+ +You can change the skin in Manager: General Parameters > Portal > Customization > Skin. +

+ +

+ +

+ +
+ +

Skin files

+
+ +

+ +A skin is composed of different files: +

+
    +
  • .tpl: Perl HTML::Template files, for HTML content
    +
  • +
  • .css: CSS (styles)
    +
  • +
  • .js: Javascript
    +
  • +
  • images and other media files
    +
  • +
+ +

+ +A skin will often refer to the common skin, which is not a real skin, but shared skin objects (like scripts, images and CSS). +

+ +
+ +

Skin customization

+
+ +

+ +

If you modify directly the skin files, your modifications will certainly be erased on the next upgrade. +

+

+ +

+To customize a skin, the simplest way is to create a new skin folder: + +

+
+cd portal/skins
+mkdir myskin
+mkdir myskin/css
+mkdir myskin/images
+
+ +

+Then create symbolic links on template files, as you might not want to rewrite all HTML code (else, do as you want). + +

+
+cd myskin
+ln -s ../pastel/*.tpl .
+
+ +

+Then you only have to write myskin/css/styles.css and add your media to myskin/images. +

+ +

+To configure your new skin in Manager, select the custom skin, and enter your skin name in the configuration field. +

+ +
+ +

Other parameters

+
+
    +
  • Reset password: display a link to reset a password (for password based authentication backends)
    +
  • +
  • Auto complete: allow the browser to remember the password (for password based authentication backends)
    +
  • +
  • Require old password: used only in the password changing module of the menu, will check the old password before updating it
    +
  • +
  • User attribute: which session attribute will be used to display Connected as in the menu
    +
  • +
  • New window: open menu links in new window
    +
  • +
  • Anti iframe protection: will kill parent frames to avoid some well known attacks
    +
  • +
+ +

+ +

If you enable auto completion, authentication level will be decreased (-1) as you do not ask the user to type its password (it could be in browser passwords wallet). +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/portalmenu.html b/build/lemonldap-ng/doc/pages/documentation/1.1/portalmenu.html
new file mode 100644
index 000000000..fccf35388
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/portalmenu.html
@@ -0,0 +1,135 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Portal menu

+
+ +

+ +

The menu is displayed if authentication is successful. +

+

+ +
+ +

Menu modules

+
+ +

+ +LemonLDAP::NG portal menu has 3 modules: +

+
    +
  • Application list: display categories and applications allowed for the user
    +
  • +
  • Password change: form to change the password
    +
  • +
  • Logout: logout button
    +
  • +
+ +

+ +Each module can be activated trough a rule, using user session information. These rules can be set trough Manager: General Parameters > Portal > Menu > Modules activation. +

+ +

+You can use 0 or 1 to disable/enable the module, or use a more complex rule. For example, to display the password change form only for user authenticated trough LDAP or DBI: +

+
$_auth eq LDAP or $_auth eq DBI
+ +
+ +

Categories and applications

+
+ +

+ +Configuring the virtual hosts is not sufficient to display an application in the menu. Indeed, a virtual host can contain several applications (http://vhost.example.com/appli1, http://vhost.example.com/appli2). +

+ +

+In Manager, you can configure categories and applications in General Parameters > Portal > Menu > Categories and applications. +

+ +

+Category parameters: +

+
    +
  • Key: category identifier
    +
  • +
  • Name: display text
    +
  • +
+ +

+ +Application parameters: +

+ +

+ + +

+
    +
  • Key: application identifier
    +
  • +
  • Name: display text
    +
  • +
  • Address: URL of application
    +
  • +
  • Description
    +
  • +
  • Logo: file name to use as logo
    +
  • +
  • Display:
    +
      +
    • auto: display only if the user can access it
      +
    • +
    • on: always display
      +
    • +
    • off: never display
      +
    • +
    +
  • +
+ +

+ +

Category and application key can have a digit as first character, which will allow to display categories in the right order (categories and applications are displayed in alphabetical order). +

+

+ +

+ +

+ +

+

The chosen logo file must be in portal applications logos directory (portal/skins/common/apps/). You can set a custom logo by choosing My logo, set the logo file name, and copy the logo file in portal applications logos directory +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/prereq.html b/build/lemonldap-ng/doc/pages/documentation/1.1/prereq.html
new file mode 100644
index 000000000..ee6e8ebef
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/prereq.html
@@ -0,0 +1,226 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Prerequisites and dependencies

+
+ +
+ +

Apache

+
+ +

+ +To use LemonLDAP::NG, you have to run an Apache +server compiled with mod-perl (version 1.3 or 2.x). +

+ +

+

In most of cases, the version of Apache proposed with your Linux distribution match, but some distributions used an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does not work with LemonLDAP::NG. With such distributions (like Debian-3.1), you have to use Apache-1.3 or to use a mod_perl backport (www.backports.org package for Debian works fine). +

+

+ +

+For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works faster and LemonLDAP::NG use the thread system for best performance. If you have to use mpm-prefork (for example if you use PHP), LemonLDAP::NG will work anyway. +

+ +

+You can use LemonLDAP::NG in an heterogeneous world: the authentication portal and the manager can work in any version of Apache 1.3 or more even if mod_perl is not compiled, with ModPerl::Registry or not… Only the handler +need mod_perl. The different handlers can run on different servers with +different versions of Apache/mod_perl. +

+ +
+ +

Perl

+
+ +

+ +

Here is the list of Perl modules used in LemonLDAP::NG. Core modules must be installed on the system. Other modules must be installed only if you planned to use the related feature. +

+

+ +
+ +

Core

+
+
    +
  • Apache::Session
    +
  • +
  • Net::LDAP
    +
  • +
  • MIME::Base64
    +
  • +
  • CGI
    +
  • +
  • LWP::UserAgent
    +
  • +
  • Cache::Cache
    +
  • +
  • DBI
    +
  • +
  • XML::Simple
    +
  • +
  • CGI::Session
    +
  • +
  • Regexp::Assemble
    +
  • +
  • XML::LibXML
    +
  • +
  • Crypt::Rijndael
    +
  • +
  • IO::String
    +
  • +
  • XML::LibXSLT
    +
  • +
  • HTML::Template
    +
  • +
  • SOAP::Lite
    +
  • +
  • Config::IniFiles
    +
  • +
  • JSON
    +
  • +
  • Digest::HMAC
    +
  • +
+ +
+ +

Reset password by mail

+
+
    +
  • String::Random
    +
  • +
  • MIME::Lite
    +
  • +
  • Email::Date::Format
    +
  • +
+ +
+ +

SAML2

+
+
    +
  • +
  • +
  • GLib
    +
  • +
  • Crypt::OpenSSL::RSA
    +
  • +
  • Crypt::OpenSSL::X509
    +
  • +
  • Convert::PEM
    +
  • +
+ +
+ +

CAS

+
+ + +
+ +

OpenID

+
+
    +
  • Net::OpenID::Consumer > 1.00
    +
  • +
  • Net::OpenID::Server > 1.00
    +
  • +
+ +
+ +

Twitter

+
+
    +
  • Net::Twitter
    +
  • +
+ +
+ +

POD unit tests

+
+
    +
  • Test::POD
    +
  • +
+ +
+ +

Other

+
+
    +
  • Jquery (javascript framework) is included in tarball and RPMs, but is a dependency on Debian
    +
  • +
+ +
+ +

Install dependencies on your system

+
+ +
+ +

APT-GET

+
+
+apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl  libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl libstring-random-perl libemail-date-format-perl libmime-lite-perl libcrypt-openssl-rsa-perl libdigest-hmac-perl
+
+ +
+ +

YUM

+
+ +

+ +Choose a repository which hosted Perl dependencies, for example: +

+ + +

+ +

We recommend using EPEL repository. +

+

+
+yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON perl-Digest-HMAC perl-String-Random perl-MIME-Lite perl-Email-Date-Format perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509
+
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/rbac.html b/build/lemonldap-ng/doc/pages/documentation/1.1/rbac.html
new file mode 100644
index 000000000..c0bfc602b
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/rbac.html
@@ -0,0 +1,192 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

RBAC model

+
+ +
+ +

Presentation

+
+ +

+ +RBAC stands for Role Based Access Control. It means that you manage authorizations to access applications by checking the role(s) of the user, and provide this role to the application. +

+ +

+LemonLDAP::NG allows to use this model. You should use an extended LDAP schema (or any users database extension), but this can works with standard attributes. +

+ +
+ +

Configuration

+
+ +
+ +

Roles as simple values of a user attribute

+
+ +

+ +Imagine you've set your directory schema to store roles as values of ssoRoles, an attribute of the user. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (';' is the concatenation string): + +

+
+Auth-Roles => $ssoRoles
+
+ +

+If the user has these values inside its entry: + +

+
+ssoRoles: user
+ssoRoles: admin
+
+ +

+Then you got this value inside the Auth-Roles header: + +

+
+user; admin
+
+ +
+ +

Roles as entries in the directory

+
+ +

+ +Now imagine the following DIT: +

+ +

+ +

+ +

+Roles are entries, below branches representing applications. Each user has a ssoRoles attributes, which values are the DN of the corresponding roles. With this organization, you can set roles to user within specific application. +

+ +

+In the schema above, the user has the following values: + +

+
+ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
+ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com
+
+ +

+So he is “user” on application “BBB” and “admin” on application “AAA”. +

+ +

+Now we have to send to right role to the right application trough LemonLDAP::NG. +

+ +

+First step: create a rule to grant access only if the user has a role in the application: +

+
    +
  • For application AAA:
    +
  • +
+
+default => $ssoRoles =~ /ou=aaa,ou=roles/
+
+
    +
  • For application BBB:
    +
  • +
+
+default => $ssoRoles =~ /ou=bbb,ou=roles/
+
+ +

+Second step: get the role name for the application. We will use the macros to do that. Create two macros (inside Variablles » Macros): +

+
    +
  • For application AAA:
    +
  • +
+
+aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]
+
+
    +
  • For application BBB:
    +
  • +
+
+bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]
+
+ +

+These regular expressions read the 'ou' value of the DN of the role of the concerned application. This works if the user has only one role per application. +

+ +

+Third step: provide the role to the application. It is done by creating the correct HTTP header: +

+
    +
  • For application AAA:
    +
  • +
+
+Auth-Roles => $aaaRoles
+
+
    +
  • For application BBB:
    +
  • +
+
+Auth-Roles => $bbbRoles
+
+ +

+Now the protected application can read in the header HTTP_AUTH_ROLES the role of the user. +

+ +

+

+If you have more than one role for an application, you can join those roles with a separator (ex: ||): + +

+
+aaaRole => join(' || ', (map {/uid=(.*),ou=aaa.*/} (grep{/ou=aaa/} split(';',$ssoRoles)))
+
+ +

+ + +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/redirections.html b/build/lemonldap-ng/doc/pages/documentation/1.1/redirections.html
new file mode 100644
index 000000000..ef3764813
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/redirections.html
@@ -0,0 +1,103 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Redirections

+
+ +

+ +

When a user access a Handler without a cookie, he is redirected on portal, and the target URL is encoded in redirection URL (to redirect user after authentication process). +

+

+ +
+ +

Protocol and port

+
+ +

+ +To encode the redirection URL, the will use some Apache environment variables and also configuration settings: +

+
    +
  • HTTPS: use https as protocol
    +
  • +
  • Port: port of the application (by default, 80 for http, 443 for https)
    +
  • +
+ +

+ +These parameters can be configured in Manager, in General Parameters > Advanced parameters > Handler redirections. +

+ +

+

These settings can be overriden per virtual host, see virtual host management. +

+

+ +
+ +

Forbidden and Server error

+
+ +

+ +Handler use the default Apache error code for the following cases: +

+
    +
  • User has no access authorization: FORBIDDEN (403)
    +
  • +
  • An error occurs on server side: SERVER_ERROR (500)
    +
  • +
+ +

+ +These errors can be catch trough Apache ErrorDocument directive, to redirect user on a specific page: +

+
# Common error page and security parameters
+ErrorDocument 403 http://auth.example.com/?lmError=403
+ErrorDocument 500 http://auth.example.com/?lmError=500
+ +

+It is also possible to redirect the user without using ErrorDocument: the Handler will not return 403 or 500 code, but code 302 (REDIRECT). +

+ +

+The user will be redirected on portal URL with error in the lmError URL parameter. +

+ +

+These parameters can be configured in Manager, in General Parameters > Advanced parameters > Handler redirections: +

+
    +
  • Redirect on forbidden: use 302 instead 403
    +
  • +
  • Redirect on error: use 302 instead 500
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/resetpassword.html b/build/lemonldap-ng/doc/pages/documentation/1.1/resetpassword.html
new file mode 100644
index 000000000..dd045c734
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/resetpassword.html
@@ -0,0 +1,115 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Reset password by mail

+
+ +
+ +

Presentation

+
+ +

+ +LL::NG can propose a password reset form, for users who loose their password (this kind of application is also called a self service password interface). +

+ +

+Kinematics: +

+
    +
  1. User enters his email in the password reset form
    +
  2. +
  3. LL::NG try to find the user in users database
    +
  4. +
  5. A mail with a token is sent to user
    +
  6. +
  7. The user click on the link in the mail
    +
  8. +
  9. LL::NG validate the token and set a random password
    +
  10. +
  11. The random password is sent to user
    +
  12. +
+ +

+ +

If LDAP backend is used, and LDAP password policy is enabled, the pwdReset flag is set to TRUE, so that the user is forced to change his password on next connection. +

+

+ +
+ +

Configuration

+
+ +

+ +The reset password link must be activated, see portal customization. +

+ +

+Then go in Manager, General Parameters » Advanced Parameters » Password management: +

+
    +
  • SMTP Server: IP or hostname of the SMTP server (default: localhost)
    +
  • +
  • Page URL: URL of password reset page (default: [PORTAL]/mail.pl)
    +
  • +
  • Mail sender: address seen in the “From” field (default: noreply@[DOMAIN])
    +
  • +
  • Success mail subject: Subject of mail sent when password is changed (default: [LemonLDAP::NG] Your new password)
    +
  • +
  • Success mail content (optional): Content of mail sent when password is changed
    +
  • +
  • Confirmation mail subject: Subject of mail sent when password change is asked (default: [LemonLDAP::NG] Password reset confirmation)
    +
  • +
  • Confirmation mail content (optional): Content of mail sent when password change is asked
    +
  • +
  • Regexp for password generation: Regular expression used to generate the password (default: [A-Z]{3}[a-z]{5}.\d{2})
    +
  • +
+ +

+ +

+By default, mail content are empty in order to use HTML templates: +

+
    +
  • portal/skins/common/mail_confirm.tpl
    +
  • +
  • portal/skins/common/mail_password.tpl
    +
  • +
+ +

+ +If you define mail contents in Manager, HTML templates will not be used. + +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/samlservice.html b/build/lemonldap-ng/doc/pages/documentation/1.1/samlservice.html
new file mode 100644
index 000000000..9a1e4e8e1
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/samlservice.html
@@ -0,0 +1,643 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

SAML service configuration

+
+ +

+ +

SAML service configuration is a common step to configure LL::NG as SAML SP or SAML IDP. +

+

+ +
+ +

Presentation

+
+ +

+ +This documentation explains how configure SAML service in LL::NG, in particular: +

+
    +
  • Install prerequisites
    +
  • +
  • Import or generate security keys
    +
  • +
  • Set SAML end points
    +
  • +
+ +

+ +

Service configuration will be used to generate LL::NG SAML metadata, that will be shared with other providers. It means that if you modify some settings here, you will have to share again the metadata with other providers. In other words, take the time to configure this part before sharing metadata. +

+

+ +
+ +

Prerequisites

+
+ +
+ +

Lasso

+
+ +

+ + +

+ +

+SAML2 implementation is based on Lasso. You will need a very recent version of Lasso (>= 2.3.0). +

+ +
+ +

Debian/Ubuntu

+
+ +

+ +There are packages available here: http://deb.entrouvert.org/. +

+ +

+You will only need to install liblasso3-perl package: +

+
+sudo apt-get install liblasso3-perl
+
+ +
+ +

RHEL/CentOS/Fedora

+
+ +

+ +Packages should be available soon. +

+ +
+ +

Other

+
+ +

+ +Download the Lasso tarball and compile it on your system. +

+ +
+ +

Apache rewrite rules

+
+ +

+ +Be sure that mod_rewrite is installed and that SAML2 rewrite rules are activated in Apache portal configuration: +

+
<IfModule mod_rewrite.c>
+        RewriteEngine On
+        RewriteRule ^/saml/metadata /metadata.pl
+        RewriteRule ^/saml/.* /index.pl
+</IfModule>
+ +
+ +

Service configuration

+
+ +

+ +Go in Manager and click on SAML 2 Service node. +

+ +

+

You can use #PORTAL# in values to replace the portal URL. +

+

+ +
+ +

Entry Identifier

+
+ +

+ +Your EntityID, often use as metadata URL, by default #PORTAL#/saml/metadata. +

+ +

+

+The value will be use in metadata main markup: + +

+
<EntityDescriptor entityID="http://auth.example.com/saml/metadata">
+  ...
+</EntityDescriptor>
+ +

+ + +

+

+ +

+

If you modify /saml/metadata suffix you have to change corresponding Apache rewrite rule. +

+

+ +
+ +

Security parameters

+
+ +

+ +You can define keys for SAML message signature and encryption. If no encryption keys are defined, signature keys are used for signature and encryption. +

+ +

+To define keys, you can: +

+
    +
  • import your own private and public keys (Load from a file input)
    +
  • +
  • generate new public and private keys (Generate button)
    +
  • +
+ +

+ +

You can enter a password to protect private key with a password. It will be prompted if you generate keys, else you can set it in the Private key password. +

+

+ +

+ +

+ +

+

You can import a certificate containing the public key instead the raw public key. However, certificate will not be really validated by other SAML components (expiration date, common name, etc.), but will just be a public key wrapper. +

+

+ +
+ +

NameID formats

+
+ +

+ + +

+ +

+SAML can use different NameID formats. The NameID is the main user identifier, carried in SAML messages. You can configure here which field of LL::NG session will be associated to a NameID format. +

+ +

+

This parameter is used by SAML IDP to fill the NameID in authentication responses. +

+

+ +

+Customizable NameID formats are: +

+
    +
  • Email
    +
  • +
  • X509
    +
  • +
  • Windows
    +
  • +
  • Kerberos
    +
  • +
+ +

+ +

For example, if you are using AD as authentication backend, you can use sAMAccountName for the Windows NameID format. +

+

+ +

+Other NameID formats are automatically managed: +

+
    +
  • Transient: NameID is generated
    +
  • +
  • Persistent: NameID is restored from previous sessions
    +
  • +
  • Undefined: Default NameID format is used
    +
  • +
+ +
+ +

Authentication contexts

+
+ +

+ + +

+ +

+Each LL::NG authentication module has an authentication level, which can be associated to an SAML authentication context. +

+ +

+

This parameter is used by SAML IDP to fill the authentication context in authentication responses. It will use the authentication level registered in user session to match the SAML authentication context. It is also used by SAML SP to fill the authentication level in user session, based on authentication response authentication context. +

+

+ +

+Customizable NameID formats are: +

+
    +
  • Password
    +
  • +
  • Password protected transport
    +
  • +
  • TLS client
    +
  • +
  • Kerberos
    +
  • +
+ +
+ +

Organization

+
+ +

+ +

+This concerns all parameters for the Organization metadata section: + +

+
<Organization>
+  <OrganizationName xml:lang="en">Example</OrganizationName>
+  <OrganizationDisplayName xml:lang="en">Example</OrganizationDisplayName>
+  <OrganizationURL xml:lang="en">http://www.example.com</OrganizationURL>
+</Organization>
+ +

+ + +

+ +

+
    +
  • Display Name: should be displayed on IDP, this is often your society name
    +
  • +
  • Name: internal name
    +
  • +
  • URL: URL of your society
    +
  • +
+ +
+ +

Service Provider

+
+ +

+ +

+This concerns all parameters for the Service Provider metadata section: + +

+
<SPSSODescriptor>
+  ...
+</SPSSODescriptor>
+ +

+ + +

+

+ +
+ +

General options

+
+
    +
  • Signed Authentication Request: set to On to always sign authentication request.
    +
  • +
  • Want Assertions Signed: set to On to require that received assertions are signed.
    +
  • +
+ +

+ +

These options can then be overridden for each Identity Provider. +

+

+ +
+ +

Single Logout

+
+ +

+ +For each binding you can set: +

+
    +
  • Location: Access Point for SLO request.
    +
  • +
  • Response Location: Access Point for SLO response.
    +
  • +
+ +

+ + +

+ +

+Available bindings are: +

+
    +
  • HTTP Redirect
    +
  • +
  • HTTP POST
    +
  • +
  • HTTP SOAP
    +
  • +
+ +
+ +

Assertion Consumer

+
+ +

+ +For each binding you can set: +

+
    +
  • Default: will this binding be used by default for authentication response.
    +
  • +
  • Location: Access Point for SSO request and response.
    +
  • +
+ +

+ + +

+ +

+Available bindings are: +

+
    +
  • HTTP Artifact
    +
  • +
  • HTTP POST
    +
  • +
+ +
+ +

Artifact Resolution

+
+ +

+ +The only authorized binding is SOAP. This should be set as Default. +

+ +
+ +

Identity Provider

+
+ +

+ +

+This concerns all parameters for the Service Provider metadata section: + +

+
<IDPSSODescriptor>
+  ...
+</IDPSSODescriptor>
+ +

+ + +

+

+ +
+ +

General parameters

+
+
    +
  • Want Authentication Request Signed: set to On to require that received authentication request are signed.
    +
  • +
+ +

+ +

This option can then be overridden for each Service Provider. +

+

+ +
+ +

Single Sign On

+
+ +

+ +For each binding you can set: +

+
    +
  • Location: Access Point for SSO request.
    +
  • +
  • Response Location: Access Point for SSO response.
    +
  • +
+ +

+ +Available bindings are: +

+
    +
  • HTTP Redirect
    +
  • +
  • HTTP POST
    +
  • +
  • HTTP Artifact
    +
  • +
  • HTTP SOAP
    +
  • +
+ +
+ +

Single Logout

+
+ +

+ +For each binding you can set: +

+
    +
  • Location: Access Point for SLO request.
    +
  • +
  • Response Location: Access Point for SLO response.
    +
  • +
+ +

+ +Available bindings are: +

+
    +
  • HTTP Redirect
    +
  • +
  • HTTP POST
    +
  • +
  • HTTP SOAP
    +
  • +
+ +
+ +

Artifact Resolution

+
+ +

+ +The only authorized binding is SOAP. This should be set as Default. +

+ +
+ +

Attribute Authority

+
+ +

+ +

+This concerns all parameters for the Attribute Authority metadata section + +

+
<AttributeAuthorityDescriptor>
+  ...
+</AttributeAuthorityDescriptor>
+ +

+ + +

+

+ +
+ +

Attribute Service

+
+ +

+ +This is the only service to configure, and it accept only the SOAP binding. +

+ +

+Response Location should be empty, as SOAP responses are directly returned (synchronous binding). +

+ +
+ +

Advanced

+
+ +

+ +These parameters are not mandatory to run SAML service, but can help to customize it: +

+
    +
  • IDP resolution cookie name: by default, it's the LL::NG cookie name suffixed by idp, for example: lemonldapidp.
    +
  • +
  • UTF8 metadata conversion: set to On to force partner's metadata conversion.
    +
  • +
+ +
+ +

SAML sessions module name and options

+
+ +

+ +By default, the main session module is used to store SAML temporary data (like relay-states), but SAML sessions need to use a session module compatible with the sessions restrictions feature. +

+ +

+This is not the case of Memcached for example. In this case, you can choose a different module to manage SAML sessions. +

+ +

+

You can also choose a different session module to split SSO sessions and SAML sessions. +

+

+ +
+ +

Common Domain Cookie

+
+ +

+ +

Common Domain Cookie is also know as WAYF Service. +

+

+ +

+The common domain is used by SAML SP to find an Identity Provider for the user, and by SAML IDP to register itself in user's IDP list. +

+ +

+Configuration parameters are: +

+
    +
  • Activation: Set to On to enable Common Domain Cookie support.
    +
  • +
  • Common domain: Name of the common domain (where common cookie is available).
    +
  • +
  • Reader URL: URL used by SAML SP to read the cookie. Leave blank to deactivate the feature.
    +
  • +
  • Writer URL: URL used by SAML IDP to write the cookie. Leave blank to deactivate the feature.
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/security.html b/build/lemonldap-ng/doc/pages/documentation/1.1/security.html
new file mode 100644
index 000000000..3dbf122b7
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/security.html
@@ -0,0 +1,333 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Security recommendation

+
+ +
+ +

Secure configuration access

+
+ +

+ +Configuration can be stored in several formats (SQL, File, LDAP) but must be shared over the network if you use more than 1 server. If some of your servers are not in the same (secured) network than the database, it is recommended to use SOAP access for those servers. +

+ +

+

You can use different type of access: SQL, File or LDAP for servers in secured network and SOAP for remote servers. +

+

+ +

+Next, you have to configure the SOAP access as described here since SOAP access is denied by default. +

+ +
+ +

Protect the Manager

+
+ +

+ +By default, the manager is restricted to localhost in its Apache configuration file, but no accounting is done. To change this, you can choose one of the following: +

+
    +
  • protect the manager by Apache configuration
    +
  • +
  • protect the manager by LL::NG
    +
  • +
+ +
+ +

Protect the Manager by Apache

+
+ +

+ +You can use any of the mechanisms proposed by Apache: SSL, Auth-Basic, Kerberos,… Example + +

+
<VirtualHost *:443>
+    ServerName manager.example.com
+    # SSL parameters
+    ...
+    # DocumentRoot
+    DocumentRoot /var/lib/lemonldap-ng/manager/
+    <Location />
+        AuthType Basic
+        AuthName "Lemonldap::NG manager"
+        AuthUserFile /usr/local/apache/passwd/passwords
+        Require user rbowen
+        Order allow,deny
+        Deny from all
+        Allow from 192.168.142.0/24
+        Options +ExecCGI
+    </Location>
+</VirtualHost>
+ +
+ +

Protect the Manager by LL::NG

+
+ +

+ +To protect the manager by LL::NG, you just have to set this in lemonldap-ng.ini configuration file (section [manager]): + +

+
[manager]
+protection = manager
+ +

+

Before, you have to create the virtual host manager.your.domain in the manager and set a rules, else access to the manager will be denied. +

+

+ +
+ +

Write good rules

+
+ +
+ +

Order your rules

+
+ +

+ +Rules are applied in alphabetical order (comment and regular expression). The first rule that matches is applied. +

+ +

+

The “default” rule is only applied if no other rule match +

+

+ +

+The Manager let you define comments in rules, to order them: +

+ +

+ +

+ +

+For example, if these rules are used without comments: +

+ + + + + + + + + + +
Regular expression Rule Comment
^/pub/admin/ $uid eq “root”
^/pub/ accept
+ +

+ +Then the second rule will be applied first, so every authenticated user will access to /pub/admin directory. +

+ +

+Use comment to correct this: +

+ + + + + + + + + + +
Regular expression Rule Comment
^/pub/admin/ $uid eq “root” 1_pub
^/pub/ accept 2_admin
+ +

+ +

+

+
    +
  • Reload the Manager to see the order that will be used
    +
  • +
  • Use rule comments to order your rules
    +
  • +
+ +

+ +

+

+ +
+ +

Be careful with URL parameters

+
+ +

+ +You can write rules matching any component of URL to protect including GET parameters, but be careful. +

+ +

+For example with this rule on the access parameter: +

+ + + + + + + + + + +
Regular expression Rule Comment
^/index.php\?.*access=admin $groups =~ /\badmin\b/
default accept
+ +

+ +Then a user that try to access to one of the following will be granted ! +

+
    +
  • /index.php?access=admin&access=other
    +
  • +
  • /index.php?Access=admin
    +
  • +
+ +

+ +You can use the following rules instead: +

+ + + + + + + + + + + + + +
Regular expression Rule Comment
^/(?i)index.php\?.*access.*access deny 0_bad
^/(?i)index.php\?.*access=admin $groups =~ /\badmin\b/ 1_admin
default accept
+ +

+ +

(?i) means case no sensitive. +

+

+ +

+

Remember that rules written on GET parameters must be tested. +

+

+ +
+ +

Encoded characters

+
+ +

+ +Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, LL::NG decode them using http://search.cpan.org/perldoc?Apache2::URI#unescape_url. So write your rules using normal characters. +

+ +
+ +

Secure reverse-proxies

+
+ +

+ +LL::NG can protect any Apache hosted application including Apache reverse-proxy mechanism. Example: +

+
PerlOptions +GlobalRequest
+PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
+<VirtualHost *:443>
+    SSLEngine On
+    ... other SSL parameters ...
+    PerlInitHandler My::Handler
+    ServerName appl1.example.com
+    ProxyPass / http://hiddenappl1.example.com/
+    ProxyPassReverse / http://hiddenappl1.example.com/
+    ProxyPassReverseCookieDomain / http://hiddenappl1.example.com/
+</VirtualHost>
+ +

+See mod_proxy and mod_rewrite documentation for more about configuring Apache reverse-proxies. +

+ +

+Such configuration can have some security problems: +

+
    +
  • if a user can access directly to the hidden application, it can bypass LL::NG protection
    +
  • +
  • if many hidden applications are on the same private network, if one is corrupted (by SQL injection, or another attack), the hacker will be able to access to other applications without using reverse-proxies so it can bypass LL::NG protection
    +
  • +
+ +

+ +It is recommended to secure the channel between reverse-proxies and application to be sure that only request coming from the LL::NG protected reverse-proxies are allowed. You can use one or a combination of: +

+
    +
  • firewalls (but be careful if more than 1 server is behind the firewall)
    +
  • +
  • server based restriction (like Apache “allow/deny” mechanism)
    +
  • +
  • SSL client certificate for the reverse-proxy (see SSLProxy* parameters in mod_ssl documentation)
    +
  • +
+ +
+ +

Configure security settings

+
+ +

+ +Go in Manager, General parameters » Advanced parameters » Security: +

+
    +
  • Username control: Regular expression used to check user login syntax.
    +
  • +
  • Force authentication: set to 'On' to force authentication when user connects to portal, even if he has a valid session
    +
  • +
  • Encryption key: key used to crypt some data, should not be known by other applications
    +
  • +
  • Trusted domains: domains on which the user can be redirected after login on portal. Set '*' to accept all.
    +
  • +
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/selfmadeapplication.html b/build/lemonldap-ng/doc/pages/documentation/1.1/selfmadeapplication.html
new file mode 100644
index 000000000..7ad8bc512
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/selfmadeapplication.html
@@ -0,0 +1,149 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Protect your application

+
+ +
+ +

Presentation

+
+ +

+ +Your application can know the connected user using: +

+
    +
  • REMOTE_USER environment variable (with local Handler or SetEnvIf trick)
    +
  • +
  • HTTP header (in all cases)
    +
  • +
+ +

+ +To get more information on user (name, mail, etc.), you have to read HTTP headers. +

+ +

+

+If your application is based on Perl CGI package, you can simply replace CGI by Lemonldap::NG::Handler::CGI + +

+

+ +
+ +

Code snippet

+
+ +

+ +Examples with a configured header named 'Auth-User': +

+ +
+ +

Perl

+
+
print "Connected user: ".$ENV{HTTP_AUTH_USER};
+ +
+ +

PHP

+
+
print "Connected user: ".$_SERVER{HTTP_AUTH_USER};
+ +
+ +

Perl auto-protected CGI

+
+ +

+ +Using this feature, you don't have to use virtual host protection: protection is embedded in Lemonldap::NG::Handler::CGI. +

+ +

+Lemonldap::NG::Handler::CGI adds some functions to CGI: +

+
    +
  • authenticate: check if user is authenticated; if not, redirect it to the portal
    +
  • +
  • authorize: check if user is authorizated to access to this URL
    +
  • +
+ +

+ +Example: +

+
    +
  • Code to replace:
    +
  • +
+
my $cgi = new CGI;
+...
+
    +
  • New code:
    +
  • +
+
my $cgi = Lemonldap::NG::Handler::CGI->new ({});
+$cgi->authenticate();
+$cgi->authorize();
+...
+ +

+ +Then you can access to user datas + +

+
# Get attributes (or macros)
+my $cn = $cgi->user->{cn}
+ 
+# Test if user is member of a Lemonldap::NG group (or LDAP mapped group)
+if( $cgi->group('admin') ) {
+  # special html code for admins
+}
+else {
+  # another HTML code
+}
+ +

+You can test any URL to see if it's protected using testUri(). It returns: +

+
    +
  • 1 if user is authorizated to access to it
    +
  • +
  • 0 if not
    +
  • +
  • -1 if this URL is not known by LL::NG configuration
    +
  • +
+
if($cgi->testUri('http://test3.example.com/') {
+  print '<a href="http://test3.example.com/">click here</a>';
+}
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/sessions.html b/build/lemonldap-ng/doc/pages/documentation/1.1/sessions.html
new file mode 100644
index 000000000..1e792b766
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/sessions.html
@@ -0,0 +1,76 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Sessions

+
+ +

+ +LL::NG rely on a session mechanism with the session ID as a shared secret between the user (in SSO cookie) and the session database. +

+ +

+To configure sessions, go in Manager, General Parameters » Sessions: +

+
    +
  • Opening conditions: a rule that will be evaluated to grant session to a user.
    +
  • +
  • Store user password in session data: see password store documentation.
    +
  • +
  • Sessions timeout: Maximum lifetime of a session. Old sessions are deleted by a cron script.
    +
  • +
  • Sessions activity timeout: Maximum inactivity duration.
    +
  • +
+ +

+

Session activity timeout requires Handlers to have a write access to sessions database. +

+

+
    +
  • Sessions Storage: see sessions database configuration.
    +
  • +
  • Multiple sessions, you can restrict the number of open sessions:
    +
      +
    • One session only by user: a user can not open 2 sessions with the same account.
      +
    • +
    • One IP only by user: a user can not open 2 sessions with the same IP.
      +
    • +
    • One user by IP address: 2 users can not open a session with the same IP.
      +
    • +
    • Display deleted sessions: display deleted sessions on authentication phase.
      +
    • +
    • Display other sessions : display other sessions on authentication phase, with a link to delete them.
      +
    • +
    +
  • +
+ +

+

Note that since HTTP protocol is not connected, restrictions are not applied to the new session: the oldest are destroyed. +

+

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/soapconfbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/soapconfbackend.html
new file mode 100644
index 000000000..d1658c5e3
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/soapconfbackend.html
@@ -0,0 +1,86 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

SOAP configuration backend

+
+ +

+ +You can share your configuration over the network using SOAP proxy system. +

+ +

+

Note that SOAP is not a real configuration backend, but just a proxy system to access to your configuration over the network +

+

+ +
+ +

Configuration

+
+ +
+ +

First, configure your real backend

+
+
    +
  • On your main server, configure a File, SQL or LDAP backend
    +
  • +
  • Set SOAP parameter to true in the configuration using the manager: the portal will become a SOAP server
    +
  • +
  • Configure Apache to allow remote access: in portal-apache2.conf, remote SOAP access is disabled by default. Change it:
    +
  • +
+
# SOAP functions for configuration access (disabled by default)
+<Location /index.pl/config>
+    Order deny,allow
+    Deny from all
+    Allow from 192.168.2.0/24
+</Location>
+ +
+ +

Next, configure SOAP for your remote servers

+
+ +

+ +Change configuration in lemonldap-ng.ini : + +

+
type         = SOAP
+proxy        = https://auth.example.com/index.pl/config
+ +

+ +You can also add some other parameters + +

+
User         = lemonldap
+Password     = mypassword
+# LWP::UserAgent parameters
+proxyOptions = { timeout => 5 }
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/soapminihowto.html b/build/lemonldap-ng/doc/pages/documentation/1.1/soapminihowto.html
new file mode 100644
index 000000000..8f1620a5b
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/soapminihowto.html
@@ -0,0 +1,70 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Configure LemonLDAP::NG to use SOAP proxy mechanism

+
+ +

+ +LL::NG use 2 internal databases to store its configuration and sessions. It can be configured to use SOAP instead of direct access to those databases (for remote servers). +

This mechanism can be used to secure access for remote servers that cross an unsecured network to access to LL::NG databases. +

+

+ +
+ +

Use SOAP for Lemonldap::NG configuration

+
+ +

+ +Steps: +

+ + +
+ +

Use SOAP for Lemonldap::NG sessions

+ +
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/soapservices.html b/build/lemonldap-ng/doc/pages/documentation/1.1/soapservices.html
new file mode 100644
index 000000000..ae3cc5cef
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/soapservices.html
@@ -0,0 +1,128 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

SOAP services

+
+ +

+ +Lemonldap::NG provides 2 SOAP servers : +

+
    +
  • the portal
    +
  • +
  • the manager (for internal use only)
    +
  • +
+ +
+ +

Portal SOAP services

+
+ +

+ +SOAP functions are not accessible by network by default. SOAP functions are protected by Apache, you can change this in Apache portal configuration: +

+
    # SOAP functions for sessions management (disabled by default)
+    <Location /index.pl/adminSessions>
+        Order deny,allow
+        Allow from all
+    </Location>
+ 
+    # SOAP functions for sessions access (disabled by default)
+    <Location /index.pl/sessions>
+        Order deny,allow
+        Allow from all
+    </Location>
+ 
+    # SOAP functions for configuration access (disabled by default)
+    <Location /index.pl/config>
+        Order deny,allow
+        Allow from all
+    </Location>
+ 
+    # SOAP functions for notification insertion (disabled by default)
+    <Location /index.pl/notification>
+        Order deny,allow
+        Allow from all
+    </Location>
+ +

+

You can create a SOAP only portal by setting “soapOnly = 1” in lemonldap-ng.ini (section PORTAL) +

+ +

+
    +
  • Read-only functions (index.pl/sessions or index.pl/adminSessions paths):
    +
      +
    • getCookies(user,password): authentication system. Returns cookie(s) name and values
      +
    • +
    • getAttributes(cookieValue): get elements stored in session
      +
    • +
    • isAuthorizedURI(cookieValue,url): check if user is granted to access to the function
      +
    • +
    • getMenuApplications(cookieValue): return a list of authorizated applications (based on menu calculation)
      +
    • +
    +
  • +
  • Read/Write functions (index.pl/adminSessions paths):
    +
      +
    • setAttributes(cookieValue,hashtable): update a session
      +
    • +
    • newSession: create a session (return attributes)
      +
    • +
    • deleteSession: delete a session
      +
    • +
    • get_key_from_all_sessions: list all sessions and return asked keys
      +
    • +
    +
  • +
  • Notification send function (index.pl/notification):
    +
      +
    • newNotification(xmlString): insert a notification for a user (see Notifications system for more)
      +
    • +
    +
  • +
+ +

+ +

When you use SOAP sessions backend, it is recommended to use read-only URL (http://portal/index.pl/sessions). Write session path is needed only if you use a remote session explorer or a remote portal + +

+

+ +
+ +

WSDL file

+
+ +

+ +When portal is installed, a file named portal.wsdl is created. It can be upgraded using buildPortalWSDL script. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/soapsessionbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/soapsessionbackend.html
new file mode 100644
index 000000000..a1fa3cfc1
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/soapsessionbackend.html
@@ -0,0 +1,130 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

SOAP session backend

+
+ +

+ +LL::NG portal provides SOAP end points for sessions management: +

+
    +
  • sessions/: read only access to sessions (enough for distant Handlers)
    +
  • +
  • adminSessions/: read/write access to sessions (required for distant Portal or distant Manager)
    +
  • +
+ +

+ +This session backend can be used to share sessions stored in a non-network backend (like file session backend) or in a network backend protected with a firewall that only accepts HTTP flows. +

+ +

+Most of the time, SOAP session backend is used by Handlers installed on external servers. +

+ +

+To configure it, SOAP session backend will be set trough Manager in global configuration (used by all Hanlders), and the real session backend will be configured for local components in lemonldap-ng.ini. +

+ +
+ +

Setup

+
+ +
+ +

Manager

+
+ +

+ +First, active SOAP in General parameters » Advanced parameters » SOAP. +

+ +

+Then, set Lemonldap::NG::Common::Apache::Session::SOAP in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): + +

+ + + + + + + + + + +
Required parameters
Name Comment Example
proxy URL of sessions SOAP end point http://auth.example.com/index.pl/sessions
+ +
+ +

Apache

+
+ +

+ +Sessions SOAP end points access must be allowed in Apache portal configuration (for example, access by IP range): +

+
# SOAP functions for sessions management (disabled by default)
+<Location /index.pl/adminSessions>
+    Order deny,allow
+    Deny from all
+    Allow from 192.168.2.0/24
+</Location>
+ 
+# SOAP functions for sessions access (disabled by default)
+<Location /index.pl/sessions>
+    Order deny,allow
+    Deny from all
+    Allow from 192.168.2.0/24
+</Location>
+ +
+ +

Real session backend

+
+ +

+ +Real session backend will be configured in lemonldap-ng.ini, in portal section (the portal hosts the SOAP service for sessions, and will do the link between SOAP requests and real sessions). +

+ +

+For example, if real sessions are stored in files: +

+
[portal]
+globalStorage = Apache::Session::File
+globalStorageOptions = { 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', }
+ +

+

If your sessions explorer is on the same server that the portal, either use the adminSessions end point in Manager configuration, or override the globalStorage and globalStorageOptions parameters in section all (and not portal) of lemonldap-ng.ini. +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/sqlconfbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/sqlconfbackend.html
new file mode 100644
index 000000000..eb8e0373e
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/sqlconfbackend.html
@@ -0,0 +1,142 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

SQL configuration backends

+
+ +

+ +There is 3 types of SQL configuration backends for LemonLDAP::NG : +

+
    +
  • CDBI : very simple storage
    +
  • +
  • RDBI : triple store storage
    +
  • +
  • DBI which has been deprecated: it is a read-only backend that exists just for compatibility with older versions of LemonLDAP::NG. See how to change configuration backend.
    +
  • +
+ +
+ +

Lemonldap-ng.ini parameters

+
+ +

+ +To use a SQL backend, configure your lemonldap-ng.ini file (section configuration) : +

+
    +
  • Choose DBI type (RDBI, CDBI or DBI)
    +
  • +
  • Configure the connection string (see DBI manual page)
    +
  • +
  • Configure user and password
    +
  • +
  • If your table is not named lmConfig, set it's name in dbiTable parameter.
    +
  • +
+ +

+Example for MySQL : + +

+
[configuration]
+type = RDBI
+dbiChain    = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
+dbiUser     = lemonldap
+dbiPassword = password
+; optional
+dbiTable    = mytablename
+ +
+ +

Configure your SQL database

+
+ +
+ +

SQL configuration

+
+ +
+ +

RDBI

+
+
+CREATE TABLE lmConfig (
+    cfgNum int(11) NOT NULL,
+    field varchar(255) NOT NULL DEFAULT '',
+    value longblob,
+    PRIMARY KEY (cfgNum,field)
+    );
+
+ +
+ +

CDBI

+
+
+CREATE TABLE lmConfig (
+    cfgNum int not null primary key,
+    data longblob
+);
+
+ +
+ +

Grant LemonLDAP::NG access

+
+ +

+ +You have to grant read/write access for the manager component. Other components needs just a read access. You can also use the same user for all. +

+ +

+

You can use different dbiUser strings : +

+
    +
  • one with read/write rights for servers hosting the manager
    +
  • +
  • one with just read rights for other servers
    +
  • +
+ +

+ +

+

+ +

+MySQL example (suppose that our servers are in 10.0.0.0/24 network): + +

+
GRANT SELECT,INSERT,UPDATE,LOCK TABLES ON lmConfig.*
+  TO lemonldap-ng@manager.host IDENTIFIED BY 'mypassword';
+GRANT SELECT ON lmConfig.*
+  TO lemonldap-ng-user@'10.0.0.%' IDENTIFIED BY 'myotherpassword';
+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/sqlsessionbackend.html b/build/lemonldap-ng/doc/pages/documentation/1.1/sqlsessionbackend.html
new file mode 100644
index 000000000..f735d8566
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/sqlsessionbackend.html
@@ -0,0 +1,184 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

SQL session backend

+
+ +

+ +SQL session backend can be used with many SQL databases such as: +

+ + +
+ +

Setup

+
+ +
+ +

Prepare the database

+
+ +

+ +Your database must have a specific table to host sessions. Here are some examples for main databases servers. +

+ +
+ +

MySQL

+
+ +

+ +Create a database if necessary: + +

+
+mysqladmin create lemonldapng
+
+ +

+Create sessions table: + +

+
CREATE TABLE sessions (
+    id char(32) NOT NULL PRIMARY KEY,
+    a_session blob
+    );
+ +
+ +

PostgreSQL

+
+ +

+ +Create user and role: + +

+
+su - postgres
+createuser lemonldap-ng -P
+
+
+Entrez le mot de passe pour le nouveau rôle : <PASSWORD>
+Entrez-le de nouveau : <PASSWORD>
+Le nouveau rôle est-il un super-utilisateur ? (o/n) n
+Le nouveau rôle doit-il être autorisé à créer des bases de données ? (o/n) n
+Le nouveau rôle doit-il être autorisé à créer de nouveaux rôles ? (o/n) n
+
+ +

+Create database: + +

+
+createdb -O lemonldap-ng lemonldap-ng
+
+ +

+Create table: + +

+
+psql -h 127.0.0.1 -U lemonldap-ng -W lemonldap-ng
+
+
+Mot de passe pour l'utilisateur lemonldap-ng :
+[...]
+lemonldap-ng=> create table sessions ( id char(32) not null primary key, a_session text );
+lemonldap-ng=> q
+
+ +
+ +

Manager

+
+ +

+ +Go in the Manager and set the session module (for example Apache::Session::Postgres for PostgreSQL) in General parameters » Sessions » Session storage » Apache::Session module and add the following parameters (case sensitive): + +

+ + + + + + + + + + + + + + + + + + + +
Required parameters
Name Comment Example
DataSource The DBI string dbi:Pg:dbname=sessions;host=10.2.3.1
UserName The database username lemonldapng
Password The database password mysuperpassword
Commit Required for PostgreSQL 1
+ +

+ +You must read the man page corresponding to your database (Apache::Session::MySQL, …) to learn more about parameters. You must also install the database connector (DBD::Oracle, DBD::Pg,…) +

+ +

+If you choose to use MySQL, read how to increase MySQL performances. +

+ +
+ +

Security

+
+ +

+ +Restrict network access to the database. +

+ +

+You can also use different user/password for your servers by overriding parameters globalStorage and globalStorageOptions in lemonldap-ng.ini file. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/ssocookie.html b/build/lemonldap-ng/doc/pages/documentation/1.1/ssocookie.html
new file mode 100644
index 000000000..bba866ab6
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/ssocookie.html
@@ -0,0 +1,110 @@ + + + + + + + + + + + + + + + + + +
+ + + + +

Single Sign On cookie, domain and portal URL

+
+ +
+ +

SSO cookie

+
+ +

+ +The SSO cookie is build by the portal (as described in the login kinematic), or by the Handler for cross domain authentication (see CDA kinematic). +

+ +

+To edit SSO cookie parameters, go in Manager, General Parameters > Cookies: +

+
    +
  • Cookie name: name of the cookie, can be changed to avoid conflicts with other LemonLDAP::NG installations
    +
  • +
  • Domain: validity domain for the cookie (the cookie will not be sent on other domains)
    +
  • +
  • Multiple domains: enable cross domain mechanism (without this, you cannot extend SSO to other domains)
    +
  • +
  • Secured cookie: 3 options:
    +
      +
    • Non secured cookie: the cookie can be sent over HTTP and HTTPS connections
      +
    • +
    • Secured cookie: the cookie can only be sent over HTTPS
      +
    • +
    • Double cookie: two cookies are built, one for HTTP, the other for HTTPS only
      +
    • +
    +
  • +
  • Cookie expiration time: by default, SSO cookie is a session cookie, which mean it will be destroyed when the browser is closed. You can change this behavior and set a cookie duration, for example:
    +
      +
    • +30s: 30 seconds from session creation
      +
    • +
    • +10m: ten minutes from session creation
      +
    • +
    • +1h: one hour from session creation
      +
    • +
    • +3M: three months from session creation
      +
    • +
    • +10y: ten years from session creation
      +
    • +
    • Thursday, 25-Apr-1999 00:40:33 GMT: at the indicated time and date (but this is probably a bad idea)
      +
    • +
    +
  • +
+ +

+ +

When you change cookie expiration time, it is written on the user hard disk unlike session cookie +

+

+ +

+

Changing the domain value will not update other configuration parameters, like virtual host names, portal URL, etc. You have to update them by yourself. +

+

+ +
+ +

Portal URL

+
+ +

+ +Portal URL is the address used to redirect users on the authentication portal by: +

+
    +
  • Handler: user is redirected if he has no SSO cookie (or in CDA mode)
    +
  • +
  • Portal: the portal redirect on itself in many cases (credentials POST, SAML, etc.)
    +
  • +
+ +

+ +

The portal URL must be inside SSO domain. If secured cookie is enabled, the portal URL must be HTTPS. +

+

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/start.html b/build/lemonldap-ng/doc/pages/documentation/1.1/start.html
new file mode 100644
index 000000000..1c672ef58
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/start.html
@@ -0,0 +1,401 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Documentation for LemonLDAP::NG 1.1

+
+ +
+ +

Installation

+ + +

Configuration

+
+ +
+ +

First steps

+ + +

Portal

+
+ +

+ +

+ +
+ +

+ + +
+ +

Authentication, users and password databases

+
+ +

+ +

+ +
+ +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Backend Authentication Users Password
LDAP (including Active Directory)
Databases (DBI)
Apache (Kerberos, NTLM, OTP, ...)
SSL
CAS
OpenID
Twitter
SAML 2.0 / Shibboleth
Null
Slave
Proxy LL::NG
Remote LL::NG
Stack multiple backends
Backend choice by users
+ +
+ +

Configuration database

+
+ +

+ +

+ +
+

+ +

+LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one of the following: + +

+ + + + + + + + + + + + + + + + +
Backend Shareable Comment
File configuration backend Not shareable between servers except if used in conjunction with SOAP configuration backend or with a shared file system (NFS,…). Selected by default during installation.
SQL configuration backend (called RDBI or CDBI)
LDAP configuration backend
SOAP configuration backend Proxy backend to be used in conjunction with another configuration backend.
Can be used to secure another backend for remote servers.
+ +

+ +

You can not start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one. +

+

+ +
+ +

Sessions database

+
+ +

+ +

+ +
+

+ +

+Sessions are stored using Apache::Session modules family. All Apache::Session style modules are useable except for some features. + +

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Backend Shareable Session explorer Session restrictions Session expiration Comment
File Not shareable between servers except if used in conjunction with SOAP session backend or with a shared file system (NFS,…). Selected by default during installation.
SQL Unoptimized for session explorer and single session features.
LDAP
Memcached Must be secured by network access control.
NoSQL (Redis) The faster. Must be secured by network access control.
Browseable (SQL, Redis or LDAP) Optimized for session explorer and single session features.
SOAP Proxy backend to be used in conjunction with another session backend.
Can be used to secure another backend for remote servers.
+ +
+ +

Identity provider

+
+ +

+ +

+ +
+ +

+ + +

+ +

+

+ + +

+ +

+

+ +
+ +

Applications protection

+ + +

Advanced features

+ + +

Mini howtos

+ + +

Exploitation

+ +
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/status.html b/build/lemonldap-ng/doc/pages/documentation/1.1/status.html
new file mode 100644
index 000000000..658d8ff9c
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/status.html
@@ -0,0 +1,114 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Handler Status

+
+ +
+ +

Presentation

+
+ +

+ +When status feature is activated, Handlers and portal will collect statistics and save them in their local cache. This means that if several Handlers are deployed, each will manage its own statistics. +

+ +

+

+This page can be browsed for example by MRTG using the MRTG monitoring script. + +

+

+ +

+The statistics are collected trough a daemon launched by the Handler. It can be seen in system processes, for example: + +

+
+perl -MLemonldap::NG::Handler::Status -I/etc/perl -I/usr/local/lib/perl/5.10.1 -I/usr/local/share/perl/5.10.1 -I/usr/lib/perl5 -I/usr/share/perl5 -I/usr/lib/perl/5.10 -I/usr/share/perl/5.10 -I/usr/local/lib/site_perl -I. -I/etc/apache2 -e &Lemonldap::NG::Handler::Status::run(Cache::FileCache,{?          'cache_depth' => 5,?          'cache_root' => '/tmp',?          'directory_umask' => '007',?          'default_expires_in' => 600,?          'namespace' => 'MyNamespace'?        }?);
+
+ +

+Statistics are displayed when calling the status path on an Handler (for example: http://test1.example.com/status). +

+ +

+Example of status page: +

+ +

+ +

+ +
+ +

Configuration

+
+ +
+ +

Apache

+
+ +

+ +You need to give access to status path in the Handler Apache configuration: +

+
    # Uncomment this to activate status module
+    <Location /status>
+        Order deny,allow
+        Allow from 127.0.0.0/8
+        PerlHeaderParserHandler My::Package->status
+    </Location>
+ +

+Then restart Apache. +

+ +

+

You should change the Allow directive to match administration IP, or use another Apache protection mean. +

+

+ +
+ +

LemonLDAP::NG

+
+ +

+ +Edit lemonldap-ng.ini, and activate status in the handler section: +

+
[handler]
+# Set status to 1 if you want to have the report of activity (used for
+# example to inform MRTG)
+status = 1
+ +

+Then restart Apache. +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/upgrade.html b/build/lemonldap-ng/doc/pages/documentation/1.1/upgrade.html
new file mode 100644
index 000000000..8dd2e73cf
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/upgrade.html
@@ -0,0 +1,41 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Upgrade from 1.0 to 1.1

+
+ +

+ +

If you are using packages, they should have done the upgrade process for you, but you can check here that all is in order. +

+

+ +

+

If you upgrade from older versions, please follow first upgrade documentation from previous release. +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/1.1/writingrulesand_headers.html b/build/lemonldap-ng/doc/pages/documentation/1.1/writingrulesand_headers.html
new file mode 100644
index 000000000..4112e8935
--- /dev/null
+++ b/build/lemonldap-ng/doc/pages/documentation/1.1/writingrulesand_headers.html
@@ -0,0 +1,195 @@
+ + + + + + + + + + + + + + + + + +
+ + + + +

Writing rules and headers

+
+ +

+ +Lemonldap::NG manage applications by their hostname (Apache's virtualHosts). Rules are used to protect applications, headers are HTTP headers added to the request to give datas to the application (for logs, profiles,…). +

+ +

+

Note that variables designed by $xx correspond to the name of the exported variables or macro names. +

+

+ +
+ +

Rules

+
+ +

+ +A rule associates a regular expression to a Perl boolean expression or a keyword. +

+ +

+ +

+ +

+Examples: + +

+ + + + + + + + + + + + + + + + + + + +
Goal Regular expression Rule
Restrict /admin/ directory to user bart.simpson ^/admin/ $uid eq "bart.simpson"
Restrict /js/ and /css/ directory to authenticated users ^/(css|js)/ accept
Deny access to /config/ directory ^/config/ deny
Authorize non authenticated users to access to /pub/ directory ^/pub/ unprotect
Restrict access to the whole site to users that have the LDAP description field set to “LDAP administrator” (must be set in exported variables) default $description eq "LDAP administrator"
+ +

+ +The “default” access rule is used if no other access rule match the current URL. +

+ +

+

+

+
    +
  • Comments can be used to order your rules: rules are applied in the alphabetical order of comment (or regexp in there is no comment). See security chapter to learn more about writing good rules.
    +
  • +
  • See performances to know how to use macros and groups in rules.
    +
  • +
+ +

+ +

+

+ +

+Rules can also be used to intercept logout URL: + +

+ + + + + + + + + + + + + +
Goal Regular expression Rule
Logout user from Lemonldap::NG and redirect it to http://intranet/ ^/index.php\?logout logout_sso http://intranet/
Logout user from current application and redirect it to the menu ^/index.php\?logout logout_app https://auth.example.com/
Logout user from current application and from Lemonldap::NG and redirect it to http://intranet/ ^/index.php\?logout logout_app_sso http://intranet/
+ +

+ +

By default, user will be redirected on portal if no URL defined, or on the specified URL if any. +

+

+ +

+

Only current application is concerned by logout_app* targets. Be careful with some applications which doesn't verify Lemonldap::NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect. +

+

+ +
+ +

Headers

+
+ +

+ +Headers are associations between an header name and a perl expression that returns a string. Headers are used to give user datas to the application. +

+ +

+Examples: + +

+ + + + + + + + + + + + + + + + +
Goal Header name Header value
Give the uid (for accounting) Auth-User $uid
Give a static value Some-Thing “static-value”
Give display name Display-Name $givenName.” ”.$surName
Give a non ascii data Display-Name encode_base64($givenName." ".$surName)
+ +

+ +As described in performances chapter, you can use macros, local macros,… +

+ +

+

+

+
    +
  • Since many HTTP servers refuse non ascii headers, it is recommended to use encode_base64() function to transmit those headers
    +
  • +
  • Header names must contain only letters and ”-” character
    +
  • +
+ +

+ +

+

+ +

+

By default, SSO cookie is hidden, so protected applications cannot get SSO session key. But you can forward this key if it is really needed: + +

+
+Session-ID => $_session_id
+
+ +

+ + +

+ +

+ +
+
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/documentation/latest b/build/lemonldap-ng/doc/pages/documentation/latest
index 9f8e9b69a..b123147e2 120000
--- a/build/lemonldap-ng/doc/pages/documentation/latest
+++ b/build/lemonldap-ng/doc/pages/documentation/latest
@@ -1 +1 @@
-1.0
\ No newline at end of file
+1.1
\ No newline at end of file
diff --git a/build/lemonldap-ng/doc/pages/start.html b/build/lemonldap-ng/doc/pages/start.html
index 45fdd05fa..2d97d9230 100644
--- a/build/lemonldap-ng/doc/pages/start.html
+++ b/build/lemonldap-ng/doc/pages/start.html
@@ -283,6 +283,6 @@ LemonLDAP::NG is the first SSO softwar

- +
\ No newline at end of file