Update documentation

Clément OUDOT 2018-01-26 10:35:45 +01:00
parent 0b4172f47a
commit 82878a3419
25 changed files with 1710 additions and 644 deletions

View File

@ -43,183 +43,150 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#known_supported_applications">Known supported applications</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#mail_agenda_groupware">Mail, Agenda, Groupware</a></div></li>
<li class="level2"><div class="li"><a href="#wiki">Wiki</a></div></li>
<li class="level2"><div class="li"><a href="#cms_portal_ecm">CMS, Portal, ECM</a></div></li>
<li class="level2"><div class="li"><a href="#bugtracker_service_management">Bugtracker, Service Management</a></div></li>
<li class="level2"><div class="li"><a href="#other">Other</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#frameworks">Frameworks</a></div></li>
<li class="level1"><div class="li"><a href="#connectors">Connectors</a></div></li>
<li class="level1"><div class="li"><a href="#saml_connectors">SAML connectors</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="applications">Applications</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Applications" [1-28] -->
<h2 class="sectionedit2" id="known_supported_applications">Known supported applications</h2>
<h2 class="sectionedit2" id="how_to_integrate">How to integrate</h2>
<div class="level2">
<p>
Applications listed below are known to be easy to integrate in <abbr title="LemonLDAP::NG">LL::NG</abbr>. As <abbr title="LemonLDAP::NG">LL::NG</abbr> works like classic WebSSO (like Siteminder™), <strong>many other applications are easy to integrate</strong>.
To integrate a Web application in <abbr title="LemonLDAP::NG">LL::NG</abbr>, you have the following possibilities:
</p>
<ul>
<li class="level1"><div class="li"> Protect the application with the Handler, and push user identity trough HTTP headers. This is how main Access Manager products, like CA SiteMinder, are working. This also how Apache authentication modules are working, so if your application is compatible with Apache authentication (often called “external authentifcation”), then you can use the Handler.</div>
</li>
<li class="level1"><div class="li"> Specific Handler: some applications can require a specific Handler, to manage preauthentication process for example.</div>
</li>
<li class="level1"><div class="li"> <abbr title="Central Authentication Service">CAS</abbr>: your application is a <abbr title="Central Authentication Service">CAS</abbr> client, you can configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="idpcas.html" class="wikilink1" title="documentation:2.0:idpcas">CAS server</a>.</div>
</li>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr>: your application is a <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider, you can configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>.</div>
</li>
<li class="level1"><div class="li"> OpenID Connect: your application is a OpenID Connect Relying Party, you can configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as a <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect Provider</a>.</div>
</li>
</ul>
<p>
If none of above methods is available, you can try:
</p>
<ul>
<li class="level1"><div class="li"> <a href="applications/authbasic.html" class="wikilink1" title="documentation:2.0:applications:authbasic">HTTP Auth-Basic</a>: replay Auth Basic authentication</div>
</li>
<li class="level1"><div class="li"> <a href="formreplay.html" class="wikilink1" title="documentation:2.0:formreplay">Form replay</a>: replay form based authentication</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Known supported applications" [29-252] -->
<h3 class="sectionedit3" id="mail_agenda_groupware">Mail, Agenda, Groupware</h3>
<div class="level3">
<!-- EDIT2 SECTION "How to integrate" [29-1191] -->
<h2 class="sectionedit3" id="application_list">Application list</h2>
<div class="level2">
<div class="table sectionedit4"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> OBM </th><th class="col1 centeralign"> Sympa </th><th class="col2 centeralign"> Zimbra </th><th class="col3 centeralign"> RoundCube </th>
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col3 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [288-584] -->
</div>
<!-- EDIT3 SECTION "Mail, Agenda, Groupware" [253-585] -->
<h3 class="sectionedit5" id="wiki">Wiki</h3>
<div class="level3">
<div class="table sectionedit6"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Dokuwiki </th><th class="col1 centeralign"> Mediawiki </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/dokuwiki.html" class="media" title="documentation:2.0:applications:dokuwiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [602-768] -->
</div>
<!-- EDIT5 SECTION "Wiki" [586-769] -->
<h3 class="sectionedit7" id="cms_portal_ecm">CMS, Portal, ECM</h3>
<div class="level3">
<div class="table sectionedit8"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Drupal </th><th class="col1 centeralign"> Liferay </th><th class="col2 centeralign"> Alfresco </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/drupal.html" class="media" title="documentation:2.0:applications:drupal"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="applications/alfresco.html" class="media" title="documentation:2.0:applications:alfresco"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [798-1033] -->
</div>
<!-- EDIT7 SECTION "CMS, Portal, ECM" [770-1034] -->
<h3 class="sectionedit9" id="bugtracker_service_management">Bugtracker, Service Management</h3>
<div class="level3">
<div class="table sectionedit10"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Bugzilla </th><th class="col1 centeralign"> GLPI </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/bugzilla.html" class="media" title="documentation:2.0:applications:bugzilla"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/glpi.html" class="media" title="documentation:2.0:applications:glpi"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [1077-1233] -->
</div>
<!-- EDIT9 SECTION "Bugtracker, Service Management" [1035-1234] -->
<h3 class="sectionedit11" id="other">Other</h3>
<div class="level3">
<div class="table sectionedit12"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> GRR </th><th class="col1 centeralign"> phpLDAPadmin </th><th class="col2 centeralign"> LimeSurvey </th><th class="col3 centeralign"> SAP </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/grr.html" class="media" title="documentation:2.0:applications:grr"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col3 centeralign"> <a href="http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm" class="media" title="http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm" rel="nofollow"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td>
<td class="col0 centeralign"> <a href="applications/adfs.html" class="media" title="documentation:2.0:applications:adfs"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/adfs.html" class="wikilink1" title="documentation:2.0:applications:adfs">ADFS</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row2 roweven">
<th class="col0 centeralign"> FusionDirectory </th><th class="col1"> </th><th class="col2"> </th><th class="col3"> </th>
<td class="col0 centeralign"> <a href="applications/alfresco.html" class="media" title="documentation:2.0:applications:alfresco"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/alfresco.html" class="wikilink1" title="documentation:2.0:applications:alfresco">Alfresco</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> <a href="applications/fusiondirectory.html" class="media" title="documentation:2.0:applications:fusiondirectory"><img src="icons/kmultiple.png" class="media" title="fusiondirectory-logo.jpg" alt="fusiondirectory-logo.jpg" width="120" /></a> </td><td class="col1"> </td><td class="col2"> </td><td class="col3"> </td>
<td class="col0 centeralign"> <a href="applications/aws.html" class="media" title="documentation:2.0:applications:aws"><img src="icons/kmultiple.png" class="media" title="logo_amazon_web_services.jpg" alt="logo_amazon_web_services.jpg" /></a> </td><td class="col1 centeralign"> <a href="applications/aws.html" class="wikilink1" title="documentation:2.0:applications:aws">Amazon Web Services</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row4 roweven">
<td class="col0 centeralign"> <a href="applications/bugzilla.html" class="media" title="documentation:2.0:applications:bugzilla"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/bugzilla.html" class="wikilink1" title="documentation:2.0:applications:bugzilla">Bugzilla</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 centeralign"> <a href="applications/cornerstone.html" class="media" title="documentation:2.0:applications:cornerstone"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/cornerstone.html" class="wikilink1" title="documentation:2.0:applications:cornerstone">Cornerstone</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0 centeralign"> <a href="applications/django.html" class="media" title="documentation:2.0:applications:django"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/django.html" class="wikilink1" title="documentation:2.0:applications:django">Django</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row7 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row8 roweven">
<td class="col0 centeralign"> <a href="applications/dokuwiki.html" class="media" title="documentation:2.0:applications:dokuwiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/dokuwiki.html" class="wikilink1" title="documentation:2.0:applications:dokuwiki">Dokuwiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row9 rowodd">
<td class="col0 centeralign"> <a href="applications/drupal.html" class="media" title="documentation:2.0:applications:drupal"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/drupal.html" class="wikilink1" title="documentation:2.0:applications:drupal">Drupal</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0 centeralign"> <a href="applications/fusiondirectory.html" class="media" title="documentation:2.0:applications:fusiondirectory"><img src="icons/kmultiple.png" class="media" title="fusiondirectory-logo.jpg" alt="fusiondirectory-logo.jpg" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/fusiondirectory.html" class="wikilink1" title="documentation:2.0:applications:fusiondirectory">FusionDirectory</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0 centeralign"> <a href="applications/glpi.html" class="media" title="documentation:2.0:applications:glpi"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/glpi.html" class="wikilink1" title="documentation:2.0:applications:glpi">GLPI</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row12 roweven">
<td class="col0 centeralign"> <a href="applications/googleapps.html" class="media" title="documentation:2.0:applications:googleapps"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/googleapps.html" class="wikilink1" title="documentation:2.0:applications:googleapps">Google Apps</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row13 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row14 roweven">
<td class="col0 centeralign"> <a href="applications/grr.html" class="media" title="documentation:2.0:applications:grr"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/grr.html" class="wikilink1" title="documentation:2.0:applications:grr">GRR</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="wikilink1" title="documentation:2.0:applications:liferay">Liferay</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row16 roweven">
<td class="col0 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/limesurvey.html" class="wikilink1" title="documentation:2.0:applications:limesurvey">LimeSurvey</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row17 rowodd">
<td class="col0 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="wikilink1" title="documentation:2.0:applications:mediawiki">Mediawiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row18 roweven">
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/nextcloud.html" class="wikilink1" title="documentation:2.0:applications:nextcloud">NextCloud</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row19 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row20 roweven">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/obm.html" class="wikilink1" title="documentation:2.0:applications:obm">OBM</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row21 rowodd">
<td class="col0 centeralign"> <a href="applications/office365.html" class="media" title="documentation:2.0:applications:office365"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/office365.html" class="wikilink1" title="documentation:2.0:applications:office365">Office 365</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row22 roweven">
<td class="col0 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="wikilink1" title="documentation:2.0:applications:phpldapadmin">phpLDAPAdmin</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row23 rowodd">
<td class="col0 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/roundcube.html" class="wikilink1" title="documentation:2.0:applications:roundcube">Roundcube</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row24 roweven">
<td class="col0 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/salesforce.html" class="wikilink1" title="documentation:2.0:applications:salesforce">SalesForce</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row25 rowodd">
<td class="col0 centeralign"> <a href="applications/sap.html" class="media" title="documentation:2.0:applications:sap"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td><td class="col1 centeralign"> <a href="applications/sap.html" class="wikilink1" title="documentation:2.0:applications:sap">SAP</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row26 roweven">
<td class="col0 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/simplesamlphp.html" class="wikilink1" title="documentation:2.0:applications:simplesamlphp">simpleSAMLphp</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row27 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row28 roweven">
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/spring.html" class="wikilink1" title="documentation:2.0:applications:spring">Spring</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="wikilink1" title="documentation:2.0:applications:sympa">Sympa</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row30 roweven">
<td class="col0 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="wikilink1" title="documentation:2.0:applications:tomcat">Tomcat</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row31 rowodd">
<td class="col0 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra</a> </td><td class="col2"> </td><td class="col3 centeralign"></td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row32 roweven">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
</table></div>
<!-- EDIT12 TABLE [1252-1777] -->
<!-- EDIT4 TABLE [1223-5126] -->
</div>
<!-- EDIT11 SECTION "Other" [1235-1777] -->
<h2 class="sectionedit13" id="frameworks">Frameworks</h2>
<div class="level2">
<div class="table sectionedit14"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Java (Spring) </th><th class="col1 centeralign"> Python (Django) </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/django.html" class="media" title="documentation:2.0:applications:django"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT14 TABLE [1802-1969] -->
</div>
<!-- EDIT13 SECTION "Frameworks" [1778-1970] -->
<h2 class="sectionedit15" id="connectors">Connectors</h2>
<div class="level2">
<div class="table sectionedit16"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> HTTP Auth-Basic </th><th class="col1 centeralign"> Tomcat </th><th class="col2 centeralign"> Nginx </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/authbasic.html" class="media" title="documentation:2.0:applications:authbasic"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="applications/nginx.html" class="media" title="documentation:2.0:applications:nginx"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td>
</tr>
<tr class="row2 roweven">
<th class="col0 centeralign" colspan="3"> Some applications using it </th>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> <a href="http://en.wikipedia.org/wiki/Outlook_Web_App" class="urlextern" title="http://en.wikipedia.org/wiki/Outlook_Web_App" rel="nofollow">Outlook Web App</a> <br/>
<a href="http://en.wikipedia.org/wiki/IBM_Lotus_iNotes" class="urlextern" title="http://en.wikipedia.org/wiki/IBM_Lotus_iNotes" rel="nofollow">IBM Lotus iNotes</a> </td><td class="col1 centeralign"> <a href="http://www.lambdaprobe.org" class="urlextern" title="http://www.lambdaprobe.org" rel="nofollow">Probe</a> <br/>
<a href="http://fr.lutece.paris.fr" class="urlextern" title="http://fr.lutece.paris.fr" rel="nofollow">Lutece</a> </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT16 TABLE [1995-2486] -->
</div>
<!-- EDIT15 SECTION "Connectors" [1971-2487] -->
<h2 class="sectionedit17" id="saml_connectors">SAML connectors</h2>
<div class="level2">
<div class="noteclassic">This requires to configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as an <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a>.
</div><div class="table sectionedit18"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Google Apps </th><th class="col1 centeralign"> Cornerstone </th><th class="col2 centeralign"> SalesForce </th><th class="col3 centeralign"> simpleSAMLphp </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/googleapps.html" class="media" title="documentation:2.0:applications:googleapps"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/cornerstone.html" class="media" title="documentation:2.0:applications:cornerstone"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col2 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col3 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td>
</tr>
<tr class="row2 roweven">
<th class="col0 centeralign"> NextCloud </th><th class="col1 centeralign"> ADFS </th><th class="col2 leftalign"> </th><th class="col3 leftalign"> </th>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/adfs.html" class="media" title="documentation:2.0:applications:adfs"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT18 TABLE [2607-3149] -->
</div>
<!-- EDIT17 SECTION "SAML connectors" [2488-] --></div>
<!-- EDIT3 SECTION "Application list" [1192-] --></div>
</body>
</html>
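Review bot: the table of contents in the `dw__toc` block still links to `#known_supported_applications`, `#mail_agenda_groupware`, `#wiki`, `#cms_portal_ecm`, `#bugtracker_service_management`, `#other`, `#frameworks`, `#connectors` and `#saml_connectors`, while the headings that remain in the rewritten body are `<h2 class="sectionedit2" id="how_to_integrate">` and `<h2 class="sectionedit3" id="application_list">`; unless the export is regenerated so the TOC is rebuilt from the new headings, every TOC entry points at an anchor that no longer exists. Two smaller points: the integration-method cells of the new application table (for example `<td class="col5 centeralign"></td>` in the ADFS, NextCloud and Office 365 rows) are empty in this view, so if the marker is an image it needs an `alt` text for the supported method to be readable without images; and the first list item under "How to integrate" has two typos, "push user identity trough HTTP headers" (through) and "often called “external authentifcation”" (authentication).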

View File

@ -50,10 +50,21 @@
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<li class="level1"><div class="li"><a href="#http_headers">HTTP headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco1">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng">LL::NG</a></div></li>
<li class="level2"><div class="li"><a href="#llng">LL::NG</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#headers">Headers</a></div></li>
<li class="level3"><div class="li"><a href="#rules">Rules</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#saml2">SAML2</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#alfresco2">Alfresco</a></div></li>
<li class="level2"><div class="li"><a href="#llng1">LL::NG</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
@ -81,15 +92,25 @@
<p>
Since 4.0 release, it offers an easy way to configure <abbr title="Single Sign On">SSO</abbr> thanks to authentication subsystems.
</p>
<div class="noteimportant">If you use an older version, you need to refer to the following documentation: <a href="https://wiki.alfresco.com/wiki/SSO" class="urlextern" title="https://wiki.alfresco.com/wiki/SSO" rel="nofollow">https://wiki.alfresco.com/wiki/SSO</a>
<p>
Authentication against <abbr title="LemonLDAP::NG">LL::NG</abbr> can be done trough:
</p>
<ul>
<li class="level1"><div class="li"> HTTP headers (<abbr title="LemonLDAP::NG">LL::NG</abbr> Handler)</div>
</li>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> 2 (<abbr title="LemonLDAP::NG">LL::NG</abbr> as SAML2 IDP)</div>
</li>
</ul>
<div class="notetip">Alfresco now recommends SAML2 method
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [72-395] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<!-- EDIT2 SECTION "Presentation" [72-430] -->
<h2 class="sectionedit3" id="http_headers">HTTP headers</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [396-422] -->
<!-- EDIT3 SECTION "HTTP headers" [431-456] -->
<h3 class="sectionedit4" id="alfresco1">Alfresco</h3>
<div class="level3">
<div class="notetip">The official documentation can be found here: <a href="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" class="urlextern" title="http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html" rel="nofollow">http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html</a>
@ -105,7 +126,7 @@ You need to find the following files in your Alfresco installation:
</ul>
<p>
The first will allow one to configure <abbr title="Single Sign On">SSO</abbr> for the alfresco webapp, and the other for the share webapp.
The first will allow to configure <abbr title="Single Sign On">SSO</abbr> for the alfresco webapp, and the other for the share webapp.
</p>
<p>
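Review bot: the reworded sentence "The first will allow to configure SSO for the alfresco webapp, and the other for the share webapp." drops the object of "allow" and is no longer grammatical; the previous "allow one to configure" was correct, or simpler still: "The first file configures SSO for the alfresco webapp, the second for the share webapp."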
@ -163,28 +184,389 @@ You need to restart Tomcat to apply changes.
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT4 SECTION "Alfresco" [423-3123] -->
<!-- EDIT4 SECTION "Alfresco" [457-3153] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">
</div>
<h4 id="headers">Headers</h4>
<div class="level4">
<p>
Just set the <code>Auth-User</code> header with the attribute that carries the user login, for example <code>$uid</code>.
</p>
</div>
<h4 id="rules">Rules</h4>
<div class="level4">
<p>
You can intercept the logout with this rule: <code>^/share/page/dologout ⇒ logout_app_sso</code>
Set the default rule to what you need.
</p>
</div>
<!-- EDIT5 SECTION "LL::NG" [3124-3336] -->
<h2 class="sectionedit6" id="other_resources">Other resources</h2>
<div class="level2">
<p>
Other rules:
</p>
<ul>
<li class="level1"><div class="li"> <a href="https://www.youtube.com/watch?v=5tS0XrC_-rw" class="urlextern" title="https://www.youtube.com/watch?v=5tS0XrC_-rw" rel="nofollow">DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki</a></div>
<li class="level1"><div class="li"> Unprotect access to some resources: <code>^/share/res ⇒ unprotect</code></div>
</li>
<li class="level1"><div class="li"> Catch logout: <code>^/share/page/dologout ⇒ logout_app_sso</code></div>
</li>
</ul>
</div>
<!-- EDIT6 SECTION "Other resources" [3337-] --></div>
<!-- EDIT5 SECTION "LL::NG" [3154-3493] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "SAML2" [3494-3513] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3">
<p>
Install <abbr title="Security Assertion Markup Language">SAML</abbr> Alfresco module package:
</p>
<pre class="code">cp alfresco-saml-repo-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps
cp alfresco-saml-share-1.0.1.amp &lt;ALFRESCO_HOME&gt;/amps_share
./bin/apply_amp.sh</pre>
<p>
Generate <abbr title="Security Assertion Markup Language">SAML</abbr> certificate:
</p>
<pre class="code">keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS</pre>
<p>
Export the keystore:
</p>
<pre class="code">mv my-saml.keystore alf_data/keystore
cat &lt;&lt;EOT &gt; alf_data/keystore/my-saml.keystore-metadata.properties
aliases=my-saml-key
keystore.password=change-me
my-saml-key.password=change-me
EOT
cat &lt;&lt;EOT &gt;&gt; tomcat/shared/classes/alfresco-global.properties
saml.keystore.location=\${dir.keystore}/my-saml.keystore
saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
EOT</pre>
<p>
Edit then <code>share-config-custom.xml</code>:
</p>
<pre class="code file xml"> ...
<span class="sc3"><span class="re1">&lt;config</span> <span class="re0">evaluator</span>=<span class="st0">&quot;string-compare&quot;</span> <span class="re0">condition</span>=<span class="st0">&quot;CSRFPolicy&quot;</span> <span class="re0">replace</span>=<span class="st0">&quot;true&quot;</span><span class="re2">&gt;</span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> If using https make a CSRFPolicy with replace=&quot;true&quot; and override the properties section.</span>
<span class="sc-1"> Note, localhost is there to allow local checks to succeed.</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1"> I.e.</span>
<span class="sc-1"> &lt;properties&gt;</span>
<span class="sc-1"> &lt;token&gt;Alfresco-CSRFToken&lt;/token&gt;</span>
<span class="sc-1"> &lt;referer&gt;https://your-domain.com/.*|http://localhost:8080/.*&lt;/referer&gt;</span>
<span class="sc-1"> &lt;origin&gt;https://your-domain.com|http://localhost:8080&lt;/origin&gt;</span>
<span class="sc-1"> &lt;/properties&gt;</span>
<span class="sc-1"> --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc3"><span class="re1">&lt;filter<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- SAML SPECIFIC CONFIG - START --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Since we have added the CSRF filter with filter-mapping of &quot;/*&quot; we will catch all public GET's to avoid them</span>
<span class="sc-1"> having to pass through the remaining rules.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>GET<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/res/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Incoming posts from IDPs do not require a token --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- SAML SPECIFIC CONFIG - STOP --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml --&gt;</span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Certain webscripts shall not be allowed to be accessed directly form the browser.</span>
<span class="sc-1"> Make sure to throw an error if they are used.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/proxy/alfresco/remoteadm/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;throwError&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;message&quot;</span><span class="re2">&gt;</span></span>It is not allowed to access this url from your browser<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.</span>
<span class="sc-1"> TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/proxy/alfresco/api/publishing/channels/.+<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Certain Surf POST requests from the WebScript console must be allowed to pass without a token since</span>
<span class="sc-1"> the Surf WebScript console code can't be dependent on a Share specific filter.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Certain Share POST requests does NOT require a token --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Assert logout is done from a valid domain, if so clear the token when logging out --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/dologout(\?.+)?<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;clearToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Make sure the first token is generated --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;{token}&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc-1">&lt;!-- empty attribute element indicates null, meaning the token has not yet been set --&gt;</span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;generateToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!-- Refresh token on new &quot;page&quot; visit when a user is logged in --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>GET<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;path<span class="re2">&gt;</span></span></span>/page/.*<span class="sc3"><span class="re1">&lt;/path<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;{token}&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;generateToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;cookie&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Verify multipart requests from logged in users contain the token as a parameter</span>
<span class="sc-1"> and also correct referer &amp; origin header if available</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;header</span> <span class="re0">name</span>=<span class="st0">&quot;Content-Type&quot;</span><span class="re2">&gt;</span></span>multipart/.+<span class="sc3"><span class="re1">&lt;/header<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;parameter&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
&nbsp;
&nbsp;
&nbsp;
<span class="sc-1">&lt;!--</span>
<span class="sc-1"> Verify that all remaining state changing requests from logged in users' requests contains a token in the</span>
<span class="sc-1"> header and correct referer &amp; origin headers if available. We &quot;catch&quot; all content types since just setting it to</span>
<span class="sc-1"> &quot;application/json.*&quot; since a webscript that doesn't require a json request body otherwise would be</span>
<span class="sc-1"> successfully executed using i.e.&quot;text/plain&quot;.</span>
<span class="sc-1"> --&gt;</span>
<span class="sc3"><span class="re1">&lt;rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;method<span class="re2">&gt;</span></span></span>POST|PUT|DELETE<span class="sc3"><span class="re1">&lt;/method<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;attribute</span> <span class="re0">name</span>=<span class="st0">&quot;_alf_USER_ID&quot;</span><span class="re2">&gt;</span></span>.+<span class="sc3"><span class="re1">&lt;/attribute<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/session<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/request<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertToken&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;session&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;header&quot;</span><span class="re2">&gt;</span></span>{token}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertReferer&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;referer&quot;</span><span class="re2">&gt;</span></span>{referer}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;action</span> <span class="re0">name</span>=<span class="st0">&quot;assertOrigin&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;param</span> <span class="re0">name</span>=<span class="st0">&quot;origin&quot;</span><span class="re2">&gt;</span></span>{origin}<span class="sc3"><span class="re1">&lt;/param<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/action<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/rule<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/filter<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/config<span class="re2">&gt;</span></span></span>
...</pre>
<p>
Configure <abbr title="Security Assertion Markup Language">SAML</abbr> service provider using the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml).
</p>
<p>
Set the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> Enable <abbr title="Security Assertion Markup Language">SAML</abbr> Authentication (<abbr title="Single Sign On">SSO</abbr>): on</div>
</li>
<li class="level1"><div class="li"> Authentication service <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleSignOn" class="urlextern" title="https://auth.example.com/saml/singleSignOn" rel="nofollow">https://auth.example.com/saml/singleSignOn</a></div>
</li>
<li class="level1"><div class="li"> Single Logout <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogout" class="urlextern" title="https://auth.example.com/saml/singleLogout" rel="nofollow">https://auth.example.com/saml/singleLogout</a></div>
</li>
<li class="level1"><div class="li"> Single logout return <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://auth.example.com/saml/singleLogoutReturn" class="urlextern" title="https://auth.example.com/saml/singleLogoutReturn" rel="nofollow">https://auth.example.com/saml/singleLogoutReturn</a></div>
</li>
<li class="level1"><div class="li"> Entity identification: <a href="http://alfresco.myecm.org:8080/share" class="urlextern" title="http://alfresco.myecm.org:8080/share" rel="nofollow">http://alfresco.myecm.org:8080/share</a></div>
</li>
<li class="level1"><div class="li"> User ID mapping: Subject/NameID</div>
</li>
</ul>
<p>
To finish with Alfresco configuration, tick the “Enable <abbr title="Security Assertion Markup Language">SAML</abbr> authentication (<abbr title="Single Sign On">SSO</abbr>)” box.
</p>
</div>
<!-- EDIT7 SECTION "Alfresco" [3514-14172] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3">
<p>
Configure <abbr title="Security Assertion Markup Language">SAML</abbr> service and set a certificate as signature public key in metadata.
</p>
<p>
Export Alfresco <abbr title="Security Assertion Markup Language">SAML</abbr> Metadata from admin console and import them in <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</p>
<p>
In the authentication response option, set:
</p>
<ul>
<li class="level1"><div class="li"> Default NameID Format: Unspecified</div>
</li>
<li class="level1"><div class="li"> Force NameID session key: uid</div>
</li>
</ul>
<p>
And you can define these exported attributes:
</p>
<ul>
<li class="level1"><div class="li"> GivenName</div>
</li>
<li class="level1"><div class="li"> Surname</div>
</li>
<li class="level1"><div class="li"> Email</div>
</li>
</ul>
</div>
<!-- EDIT8 SECTION "LL::NG" [14173-14551] -->
<h2 class="sectionedit9" id="other_resources">Other resources</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <a href="https://www.youtube.com/watch?v=5tS0XrC_-rw" class="urlextern" title="https://www.youtube.com/watch?v=5tS0XrC_-rw" rel="nofollow">DevCon 2012: Unlocking the Secrets of Alfresco Authentication, Mehdi Belmekki</a></div>
</li>
<li class="level1"><div class="li"> <a href="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" class="urlextern" title="https://community.alfresco.com/blogs/alfresco-premier-services/2017/08/03/setting-up-alfresco-saml-authentication-lemonldapng" rel="nofollow">Setting up Alfresco SAML authentication with LemonLDAP::NG</a></div>
</li>
</ul>
</div>
<!-- EDIT9 SECTION "Other resources" [14552-] --></div>
</body>
</html>
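Review bot: the Alfresco admin-console steps enable SAML twice, once as the first bullet ("Enable SAML Authentication (SSO): on") and again in the closing sentence ("tick the “Enable SAML authentication (SSO)” box"); drop one of them, or reword the closing sentence so it reads as the final save step rather than a repeat. The SP "Entity identification" is given as `http://alfresco.myecm.org:8080/share` while every IdP endpoint is https; if that is really the SP base URL, the SAML response is posted back to a cleartext endpoint, so either make it https or label it explicitly as a lab value. Minor: "Export Alfresco SAML Metadata ... and import them in LL::NG" should be "import it into LL::NG", since the metadata is a single document.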

View File

@ -0,0 +1,134 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:aws</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,aws"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="aws.html"/>
<link rel="contents" href="aws.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:aws","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="amazon_web_services">Amazon Web Services</h1>
<div class="level1">
<p>
<a href="https://aws.amazon.com" class="urlextern" title="https://aws.amazon.com" rel="nofollow">Amazon Web Services</a> allows to delegate authentication through SAML2.
</p>
</div>
<!-- EDIT1 SECTION "Amazon Web Services" [1-132] -->
<h2 class="sectionedit2" id="saml">SAML</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Make sure you have followed the steps <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" class="urlextern" title="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" rel="nofollow">here</a>.</div>
</li>
<li class="level1"><div class="li"> Go to <a href="https://your.portal.com/saml/metadata" class="urlextern" title="https://your.portal.com/saml/metadata" rel="nofollow">https://your.portal.com/saml/metadata</a> and save the resulting file locally.</div>
</li>
<li class="level1"><div class="li"> In each AWS account, go to IAM → Identity providers → Create Provider.</div>
</li>
<li class="level1"><div class="li"> Select <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> as the provider type</div>
</li>
<li class="level1"><div class="li"> Choose a name (best if kept consistent between accounts), and then choose the metadata file you saved above.</div>
</li>
<li class="level1"><div class="li"> Looking again at the links on the left side of the page, go to Roles → Create role</div>
</li>
<li class="level1"><div class="li"> Choose <code><abbr title="Security Assertion Markup Language">SAML</abbr> / Saml 2.0 federation</code></div>
</li>
<li class="level1"><div class="li"> Select the provider you just configured, click <code>Allow programmatic and AWSManagement Console access</code> which will fill in the rest of the form for you, then click next.</div>
</li>
<li class="level1"><div class="li"> Set whatever permissions you need to and then click <code>Review</code>.</div>
</li>
<li class="level1"><div class="li"> Choose a name for the role. These will shown to people when they log in, so make them descriptive. We have different accounts for different regions of the world, so I put the region into the role name so people know which account is which.</div>
</li>
</ul>
<div class="noteclassic">If you have only one role, the configuration is simple. If you have multiple
roles for different people, it is a little trickier. As you will see, the <abbr title="Security Assertion Markup Language">SAML</abbr>
attributes are not dynamic, so you have to set them in the session when a user
logs in or use a custom function. In this example, I wanted to avoid managing
custom functions on all the servers, so the <abbr title="Security Assertion Markup Language">SAML</abbr> attributes are set in
the session. We also use LDAP for user information, so I will describe that.
In our LDAP tree, each user has attributes which are used quite heavily for
dynamic groups and authorisation. You will want something
similar, using whatever attribute makes sense to you. For example:<pre class="code file ldif"> <span class="re0">dn</span>:<span class="re1"> uid=user,ou=people,dc=your,dc=com</span>
...
<span class="re0">ou</span>:<span class="re1"> sysadmin</span>
<span class="re0">ou</span>:<span class="re1"> database</span>
<span class="re0">ou</span>:<span class="re1"> root</span></pre>
</div><ul>
<li class="level1"><div class="li"> Assuming you use the web interface to manage lemonldap, go to General Parameters → Authentication parameters → LDAP parameters → Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.</div>
</li>
<li class="level1"><div class="li"> Now go to *Variables → Macros*. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provier-name</code>. The last two will be the provider name and role names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code><code>$ou =~ sysadmin ? “arn:aws…” : “arn:…”</code></div>
</li>
<li class="level1"><div class="li"> If it easier, split multiple roles into different macros. Then tie all the variables you define together into one string concatenating them with whatever is in General Parameters → Advanced Parameters → Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code><code>join(“; ”, $role_name1, $role_name2, …)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name, click ok, then select it on the left. Select <code>Metadata</code>, then enter `<a href="https://signin.aws.amazon.com/static/saml-metadata.xml" class="urlextern" title="https://signin.aws.amazon.com/static/saml-metadata.xml" rel="nofollow">https://signin.aws.amazon.com/static/saml-metadata.xml</a>` in the <code><abbr title="Uniform Resource Locator">URL</abbr></code> field, then click load.</div>
</li>
<li class="level1"><div class="li"> Click <code>Exported attributes</code> on the left, then <code>Add attribute</code> twice to add two attributes. The first field is the name of a variable set in the user&#039;s session:</div>
<ul>
<li class="level2"><div class="li"> <code>_whatToTrace</code><code><a href="https://aws.amazon.com/SAML/Attributes/RoleSessionName" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/RoleSessionName" rel="nofollow">https://aws.amazon.com/SAML/Attributes/RoleSessionName</a></code> (leave the rest)</div>
</li>
<li class="level2"><div class="li"> <code>z_aws_roles</code> (the macro name you defined above) → <code><a href="https://aws.amazon.com/SAML/Attributes/Role" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/Role" rel="nofollow">https://aws.amazon.com/SAML/Attributes/Role</a></code> (leave the rest)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> On the left, select Options → Security → Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr> → On</div>
</li>
<li class="level1"><div class="li"> Select General Parameters → Portal → Menu → Categories and applications</div>
</li>
<li class="level1"><div class="li"> Select a category or create a new one if you need to. Then click <code>New application</code>. </div>
</li>
<li class="level1"><div class="li"> Enter a name etc. For the <abbr title="Uniform Resource Locator">URL</abbr>, use <code><a href="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" class="urlextern" title="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" rel="nofollow">https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices</a></code></div>
</li>
<li class="level1"><div class="li"> Display application should be set to <code>Enabled</code></div>
</li>
<li class="level1"><div class="li"> Go to your portal, click on the link, and check that it works!</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "SAML" [133-] --></div>
</body>
</html>
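Review bot: the two Perl macro examples in the AWS steps will not parse as written and have lost the arrow between macro name and expression. `aws_eu_role` `$ou =~ sysadmin ? “arn:aws…” : “arn:…”` uses a bareword where a pattern is expected and curly quotes where Perl needs straight ones; write it as `aws_eu_role → $ou =~ /sysadmin/ ? "arn:aws:iam::..." : "arn:aws:iam::..."`, and likewise `z_aws_roles → join("; ", $role_name1, $role_name2, ...)` instead of `join(“; ”, ...)`. In the "Exported variables" step the mapping direction reads backwards (in the Manager the key is the session variable name and the value is the LDAP attribute; it only works here because both are kept identical), and "provier-name" and "AWSManagement Console" are typos. Separately, in the page head the `useexternallibs` branch loads jQuery and jQuery UI from `http://code.jquery.com/...` while Bootstrap is loaded over https; a script fetched over plain HTTP can be swapped in transit, so those URLs should be https too, and the Bootstrap `<link ... css"></script>` carries a stray closing `</script>` tag.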

View File

@ -50,10 +50,10 @@
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#installation">Installation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<li class="level1"><div class="li"><a href="#http_headers">HTTP headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#dokuwiki_local_configuration">Dokuwiki local configuration</a></div></li>
<li class="level2"><div class="li"><a href="#plugin_installation">Plugin installation</a></div></li>
<li class="level2"><div class="li"><a href="#dokuwiki_configuration">Dokuwiki configuration</a></div></li>
<li class="level2"><div class="li"><a href="#dokuwiki_virtual_host">Dokuwiki virtual host</a></div></li>
<li class="level2"><div class="li"><a href="#dokuwiki_virtual_host_in_manager">Dokuwiki virtual host in Manager</a></div></li>
</ul></li>
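Review bot: the TOC keeps the entry `<a href="#installation">Installation</a>` although the body hunk below replaces the `id="installation"` heading with `id="http_headers"`, so that entry becomes a dead anchor; remove it (or regenerate the TOC) in the same commit.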
@ -79,46 +79,52 @@
</p>
<div class="notetip">LemonLDAP::NG wiki uses Dokuwiki!
</div>
<p>
You will need to install a Dokuwiki plugin, available on <a href="../download.html#contributions" class="wikilink1" title="download">download page</a>. The plugin will check the <code>REMOTE_USER</code> environment variable to get the connected user.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [65-750] -->
<h2 class="sectionedit3" id="installation">Installation</h2>
<!-- EDIT2 SECTION "Presentation" [65-559] -->
<h2 class="sectionedit3" id="http_headers">HTTP headers</h2>
<div class="level2">
<p>
<a href="../download.html#contributions" class="wikilink1" title="download">Download</a> the plugin and copy the files in dokuwiki <code>inc/auth/</code> directory:
You need to install a Dokuwiki plugin, available on <a href="https://www.dokuwiki.org/plugins" class="urlextern" title="https://www.dokuwiki.org/plugins" rel="nofollow">Dokuwiki plugins registry</a>: <a href="https://www.dokuwiki.org/plugin:authlemonldap" class="urlextern" title="https://www.dokuwiki.org/plugin:authlemonldap" rel="nofollow">https://www.dokuwiki.org/plugin:authlemonldap</a>
</p>
<pre class="code">cp lemonldap.class.php inc/auth/
cp lemonldapuserdatabackend.class.php inc/auth/</pre>
</div>
<!-- EDIT3 SECTION "Installation" [751-977] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Configuration" [978-1004] -->
<h3 class="sectionedit5" id="dokuwiki_local_configuration">Dokuwiki local configuration</h3>
<!-- EDIT3 SECTION "HTTP headers" [560-748] -->
<h3 class="sectionedit4" id="plugin_installation">Plugin installation</h3>
<div class="level3">
<p>
Edit Dokuwiki local configuration (<code>conf/local.php</code>) and set <code>lemonldap</code> as authentication type:
Install the plugin using the <a href="https://www.dokuwiki.org/plugin:plugin" class="urlextern" title="https://www.dokuwiki.org/plugin:plugin" rel="nofollow">Plugin Manager</a>.
</p>
<pre class="code file php"><span class="re0">$conf</span><span class="br0">&#91;</span>authtype<span class="br0">&#93;</span> <span class="sy0">=</span> lemonldap<span class="sy0">;</span></pre>
</div>
<!-- EDIT5 SECTION "Dokuwiki local configuration" [1005-1194] -->
<!-- EDIT4 SECTION "Plugin installation" [749-868] -->
<h3 class="sectionedit5" id="dokuwiki_configuration">Dokuwiki configuration</h3>
<div class="level3">
<p>
As administrator, go in Dokuwiki parameters and set:
</p>
<ul>
<li class="level1"><div class="li"> Authentication backend: authlemonldap</div>
</li>
<li class="level1"><div class="li"> Manager: set which users and/or groups will be admin</div>
</li>
</ul>
<p>
<a href="screenshot_dokuwiki_configuration.png_documentation_2.0_applications_dokuwiki.html" class="media" title="applications:screenshot_dokuwiki_configuration.png"><img src="screenshot_dokuwiki_configuration.png" class="mediacenter" alt="" /></a>
</p>
</div>
<!-- EDIT5 SECTION "Dokuwiki configuration" [869-1114] -->
<h3 class="sectionedit6" id="dokuwiki_virtual_host">Dokuwiki virtual host</h3>
<div class="level3">
<p>
Configure Dokuwiki virtual host like other <a href="../configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">protected virtual host</a>.
</p>
<div class="noteimportant">If you are protecting Dokuwiki with <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, <a href="../header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">convert header into REMOTE_USER environment variable</a>.
</div><ul>
<ul>
<li class="level1"><div class="li"> For Apache:</div>
</li>
</ul>
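Review bot: the new "HTTP headers" sentence ("You need to install a Dokuwiki plugin, available on Dokuwiki plugins registry: https://www.dokuwiki.org/plugin:authlemonldap") has no terminal punctuation and carries the same link twice, once as anchor text and once as a raw URL; one link is enough. The removed sentence "The plugin will check the REMOTE_USER environment variable to get the connected user" was the only place explaining why the "convert header into REMOTE_USER" note in the virtual host section matters in reverse-proxy mode, so keep one line to that effect near the plugin description. Style: "go in Dokuwiki parameters" should be "go to Dokuwiki parameters".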
@ -170,7 +176,7 @@ Configure Dokuwiki virtual host like other <a href="../configvhost.html" class="
}</pre>
</div>
<!-- EDIT6 SECTION "Dokuwiki virtual host" [1195-2630] -->
<!-- EDIT6 SECTION "Dokuwiki virtual host" [1115-2376] -->
<h3 class="sectionedit7" id="dokuwiki_virtual_host_in_manager">Dokuwiki virtual host in Manager</h3>
<div class="level3">
@ -179,14 +185,25 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
</p>
<p>
Just configure the <a href="../writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">access rules</a>.
Configure the <a href="../writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">access rules</a>.
</p>
<p>
If using <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, configure the <code>Auth-User</code> <a href="../writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">header</a>, else no headers are needed.
Configure the <a href="../writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">headers</a>:
</p>
<ul>
<li class="level1"><div class="li"> Auth-User $uid</div>
</li>
<li class="level1"><div class="li"> Auth-Cn: $cn</div>
</li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&#039;&#039;)</div>
</li>
</ul>
<div class="noteimportant">To allow execution of encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
</div>
<!-- EDIT7 SECTION "Dokuwiki virtual host in Manager" [2631-] --></div>
</div>
<!-- EDIT7 SECTION "Dokuwiki virtual host in Manager" [2377-] --></div>
</body>
</html>
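Review bot: the new header list is inconsistently formatted ("Auth-User $uid" lacks the colon that "Auth-Cn: $cn", "Auth-Mail: $mail" and "Auth-Groups: encode_base64($groups,'')" have), and the important note tells readers to deactivate the Safe jail so that `encode_base64()` can run. Turning the Safe jail off disables expression sandboxing for every rule, header and macro in the whole configuration, not just for this one header, so the note should spell out that trade-off, and it is worth checking whether the function can be exposed inside the jail instead, or whether Dokuwiki actually needs the group list base64-encoded at all.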

View File

@ -43,6 +43,22 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#http_header">HTTP header</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level2"><div class="li"><a href="#grr_virtual_host_in_llng">GRR virtual host in LL::NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="grr">GRR</h1>
<div class="level1">
@ -62,14 +78,64 @@
</div>
<!-- EDIT2 SECTION "Presentation" [62-150] -->
<h3 class="sectionedit3" id="configuration">Configuration</h3>
<h2 class="sectionedit3" id="http_header">HTTP header</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "HTTP header" [151-175] -->
<h3 class="sectionedit4" id="configuration">Configuration</h3>
<div class="level3">
<p>
GRR has a <abbr title="Single Sign On">SSO</abbr> configuration page in its administration panel. You just need to choose if the authenticated user will be a “user” or a “guest”.
GRR has a <abbr title="Single Sign On">SSO</abbr> configuration page in its administration panel.
</p>
<p>
Do not use Lemonldap mode, which is for a very old Lemonldap version, but HTTP authentication.
</p>
<p>
Set the default profile of connected users and which headers contains surname, firstname and mail.
</p>
<p>
<img src="screenshot_grr_configuration.png" class="mediacenter" alt="" />
</p>
<p>
GRR will check the username in REMOTE_USER, so use <a href="../header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">remote header conversion</a> if you are in proxy mode.
</p>
</div>
<!-- EDIT3 SECTION "Configuration" [151-] --></div>
<!-- EDIT4 SECTION "Configuration" [176-660] -->
<h3 class="sectionedit5" id="grr_virtual_host_in_llng">GRR virtual host in LL::NG</h3>
<div class="level3">
<p>
Access rules:
</p>
<ul>
<li class="level1"><div class="li"> ^/index.php ⇒ accept</div>
</li>
<li class="level1"><div class="li"> default ⇒ unprotect</div>
</li>
</ul>
<p>
Headers:
</p>
<ul>
<li class="level1"><div class="li"> Auth-User $uid</div>
</li>
<li class="level1"><div class="li"> Auth-Sn: $sn</div>
</li>
<li class="level1"><div class="li"> Auth-GivenName: $givenName</div>
</li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li>
</ul>
</div>
<!-- EDIT5 SECTION "GRR virtual host in LL::NG" [661-] --></div>
</body>
</html>
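Review bot: the GRR access rules (`^/index.php ⇒ accept`, `default ⇒ unprotect`) leave every path other than `index.php` unauthenticated and without SSO headers at the Handler; that is safe only if `index.php` is GRR's sole entry point, which the text does not state, so add a sentence justifying the `unprotect` default (or protect everything and unprotect only static assets). Also "Auth-User $uid" is missing the colon used by the other three headers, and "which headers contains surname, firstname and mail" should read "contain".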

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=fa0cc1a85fc0d1baf3a61bfee1cba736" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=df00727bb453bdfe152489fdb4e33ed5" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
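Review bot: the only change in this hunk (and in the matching `loader.gif` hunks below) is the `sectok` value in the Login link and, further down, the indexer timestamp; `sectok` is the exporting DokuWiki session's CSRF token and the timestamp is a cache buster, so every export will churn these lines and each commit publishes that session's token. Strip the `?do=login&sectok=...` Login item and the indexer `<img>` from the export, or exclude these "topic doesn't exist yet" placeholder pages for image files from the repository altogether.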
@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1508842909" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1516959167" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=fa0cc1a85fc0d1baf3a61bfee1cba736" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=df00727bb453bdfe152489fdb4e33ed5" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1508842909" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1516959167" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -50,7 +50,7 @@
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<li class="level1"><div class="li"><a href="#http_headers">HTTP Headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#limesurvey_configuration">LimeSurvey configuration</a></div></li>
<li class="level2"><div class="li"><a href="#limesurvey_virtual_host">LimeSurvey virtual host</a></div></li>
@ -78,123 +78,78 @@
<div class="level2">
<p>
<a href="http://www.limesurvey.org" class="urlextern" title="http://www.limesurvey.org" rel="nofollow">LimeSurvey</a> is a web survey software written in PHP. LimeSurvey has a webserver authentication mode that allows one to integrate it directly into LemonLDAP::NG.
<a href="http://www.limesurvey.org" class="urlextern" title="http://www.limesurvey.org" rel="nofollow">LimeSurvey</a> is a web survey software written in PHP.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [71-180] -->
<h2 class="sectionedit3" id="http_headers">HTTP Headers</h2>
<div class="level2">
<p>
LimeSurvey has a webserver authentication mode that allows one to integrate it directly into LemonLDAP::NG.
</p>
<p>
To have a stronger integration, we will configure LimeSurvey to autocreate unknown users and use HTTP headers to fill name, mail and roles. For example, we will use 3 roles:
To have a stronger integration, we will configure LimeSurvey to autocreate unknown users and use HTTP headers to fill name and mail.
</p>
<ul>
<li class="level1"><div class="li"> User: can answer to surveys</div>
</li>
<li class="level1"><div class="li"> Admin: can create surveys</div>
</li>
<li class="level1"><div class="li"> Superadmin: no one can stop him!</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [71-561] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<div class="noteclassic">We suppose that LimeSurvey is installed in /var/www/html/limesurvey
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [562-670] -->
<!-- EDIT3 SECTION "HTTP Headers" [181-531] -->
<h3 class="sectionedit4" id="limesurvey_configuration">LimeSurvey configuration</h3>
<div class="level3">
<p>
In Administration panel, go in Configuration &gt; Parameters &gt; Extensions manager. Select the WebServer module and configure it.
</p>
<p>
<img src="screenshot_limesurvey_configuration.png" class="mediacenter" title="
" alt="
" />
</p>
<p>
This is enough for the authentication part.
</p>
<div class="notetip">If you are blocked, you can deactivate the plugin with this request in database:
<pre class="code">update lime_plugins SET active=0 where name=&quot;Authwebserver&quot;;</pre>
</div>
<p>
To configure account autocreation, you need to edit application/config/config.php:
The configuration is done in config.php:
</p>
<pre class="code">vi /var/www/html/limesurvey/config.php</pre>
<pre class="code file php"><span class="co1">//==================================</span>
<span class="co1">// WebSSO</span>
<span class="co1">//==================================</span>
&nbsp;
<span class="re0">$useWebserverAuth</span> <span class="sy0">=</span> <span class="kw4">true</span><span class="sy0">;</span>
<span class="re0">$WebserverAuth_autocreateUser</span> <span class="sy0">=</span> <span class="kw4">true</span><span class="sy0">;</span>
<span class="re0">$WebserverAuth_autouserprofile</span> <span class="sy0">=</span> <a href="http://www.php.net/array"><span class="kw3">Array</span></a><span class="br0">&#40;</span>
<span class="st_h">'full_name'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_CN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'email'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_MAIL'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'lang'</span> <span class="sy0">=&gt;</span> <span class="st_h">'en'</span><span class="sy0">,</span>
<span class="st_h">'htmleditormode'</span> <span class="sy0">=&gt;</span> <span class="st_h">'inline'</span><span class="sy0">,</span>
<span class="st_h">'templatelist'</span> <span class="sy0">=&gt;</span> <span class="st_h">'default,basic,MyOrgTemplate'</span><span class="sy0">,</span>
<span class="st_h">'create_survey'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_ADMIN'</span><span class="br0">&#93;</span> <span class="sy0">||</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'create_user'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'delete_user'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'superadmin'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'configurator'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'manage_template'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'manage_label'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span>
<span class="br0">&#41;</span><span class="sy0">;</span></pre>
<div class="notetip">We directly use HTTP headers to fill default user profile.
<pre class="code">vi /var/www/html/limesurvey/application/config/config.php</pre>
<pre class="code file php"> <span class="st_h">'config'</span><span class="sy0">=&gt;</span><a href="http://www.php.net/array"><span class="kw3">array</span></a><span class="br0">&#40;</span>
<span class="co1">// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this</span>
<span class="co1">// then please check your error-logs - either in your hosting provider admin panel or in some /logs directory</span>
<span class="co1">// on your webspace.</span>
<span class="co1">// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates</span>
<span class="st_h">'debug'</span><span class="sy0">=&gt;</span><span class="nu0">0</span><span class="sy0">,</span>
<span class="st_h">'debugsql'</span><span class="sy0">=&gt;</span><span class="nu0">0</span><span class="sy0">,</span> <span class="co1">// Set this to 1 to enanble sql logging, only active when debug = 2</span>
<span class="co1">// Update default LimeSurvey config here</span>
<span class="st_h">'auth_webserver_autocreate_user'</span> <span class="sy0">=&gt;</span> <span class="kw4">true</span><span class="sy0">,</span>
<span class="st_h">'auth_webserver_autocreate_profile'</span> <span class="sy0">=&gt;</span> <a href="http://www.php.net/array"><span class="kw3">Array</span></a><span class="br0">&#40;</span><span class="st_h">'full_name'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_CN'</span><span class="br0">&#93;</span><span class="sy0">,</span><span class="st_h">'email'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_MAIL'</span><span class="br0">&#93;</span><span class="sy0">,</span><span class="st_h">'lang'</span><span class="sy0">=&gt;</span><span class="st_h">'en'</span><span class="br0">&#41;</span><span class="sy0">,</span>
<span class="st_h">'auth_webserver_autocreate_permissions'</span> <span class="sy0">=&gt;</span> <a href="http://www.php.net/array"><span class="kw3">Array</span></a><span class="br0">&#40;</span><span class="st_h">'surveys'</span> <span class="sy0">=&gt;</span> <a href="http://www.php.net/array"><span class="kw3">array</span></a><span class="br0">&#40;</span><span class="st_h">'create'</span><span class="sy0">=&gt;</span><span class="kw4">true</span><span class="sy0">,</span><span class="st_h">'read'</span><span class="sy0">=&gt;</span><span class="kw4">false</span><span class="sy0">,</span><span class="st_h">'update'</span><span class="sy0">=&gt;</span><span class="kw4">false</span><span class="sy0">,</span><span class="st_h">'delete'</span><span class="sy0">=&gt;</span><span class="kw4">false</span><span class="br0">&#41;</span><span class="br0">&#41;</span><span class="sy0">,</span>
<span class="br0">&#41;</span></pre>
<p>
See also <a href="https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import" class="urlextern" title="https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import" rel="nofollow">https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import</a>
</p>
</div>
</div>
<!-- EDIT4 SECTION "LimeSurvey configuration" [671-1676] -->
<!-- EDIT4 SECTION "LimeSurvey configuration" [532-2298] -->
<h3 class="sectionedit5" id="limesurvey_virtual_host">LimeSurvey virtual host</h3>
<div class="level3">
<p>
Configure LimeSurvey virtual host like other <a href="../configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">protected virtual host</a>.
</p>
<ul>
<li class="level1"><div class="li"> For Apache:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> limesurvey.example.com
&nbsp;
PerlHeaderParserHandler Lemonldap::NG::Handler
&nbsp;
<span class="kw1">SetEnvIfNoCase</span> Auth-<span class="kw1">User</span> <span class="st0">&quot;(.*)&quot;</span> PHP_AUTH_USER=$1
&nbsp;
<span class="kw1">Alias</span> /limesurvey /var/www/html/limesurvey
<span class="kw1">DocumentRoot</span> /var/www/html/limesurvey
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<div class="noteimportant">You need to set the PHP_AUTH_USER variable to have the Webserver authentication mode working.
</div><ul>
<li class="level1"><div class="li"> For Nginx:</div>
</li>
</ul>
<pre class="code file nginx">server {
listen 80;
server_name limesurvey.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH &quot;&quot;;
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
&nbsp;
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
&nbsp;
...
&nbsp;
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
try_files $uri $uri/ =404;
}
}</pre>
</div>
<!-- EDIT5 SECTION "LimeSurvey virtual host" [1677-3196] -->
<!-- EDIT5 SECTION "LimeSurvey virtual host" [2299-2422] -->
<h3 class="sectionedit6" id="limesurvey_virtual_host_in_manager">LimeSurvey virtual host in Manager</h3>
<div class="level3">
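Review bot: the config.php snippet grants LimeSurvey permissions straight from request headers (`'superadmin' => $_SERVER['HTTP_AUTH_SUPERADMIN']`, `'full_name' => $_SERVER['HTTP_AUTH_CN']`), and the Apache example derives `PHP_AUTH_USER` from `Auth-User` with `SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1`, so the tip "We directly use HTTP headers to fill default user profile" should state the trust assumption explicitly: these `HTTP_AUTH_*` values are only trustworthy because the Handler sets them on every request, which means LimeSurvey must not be reachable by any path that bypasses the protected virtual host (another vhost, direct access to the PHP backend), and the SuperAdmin header rule should be documented so readers know what value non-superadmins receive. Minor: `enanble` in the `debugsql` comment, and the Nginx example declares `location /` twice (once with `auth_request`, once with only `try_files`), which nginx rejects as a duplicate location if the block is kept.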
@ -221,15 +176,8 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
<tr class="row3 rowodd">
<td class="col0 centeralign"> Auth-Mail </td><td class="col1 centeralign"> user email </td>
</tr>
<tr class="row4 roweven">
<td class="col0 centeralign"> Auth-Admin </td><td class="col1 centeralign"> 1 if user is admin </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 centeralign"> Auth-SuperAdmin </td><td class="col1 centeralign"> 1 if user is superadmin </td>
</tr>
</table></div>
<!-- EDIT7 TABLE [3369-3587] --><div class="notetip">You can manage roles with the <a href="../rbac.html" class="wikilink1" title="documentation:2.0:rbac">RBAC model</a> or by using groups.
</div>
<!-- EDIT7 TABLE [2595-2723] -->
</div>
<h4 id="rules">Rules</h4>
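Review bot: this hunk drops the `Auth-Admin` and `Auth-SuperAdmin` rows from the headers table, but the config.php snippet earlier in the page still reads `$_SERVER['HTTP_AUTH_SUPERADMIN']` and the Admin rule below is described as "Allow only admin and superadmin users"; either keep a row explaining how `Auth-SuperAdmin` is computed (the tip about the RBAC model or groups is the natural place to point to) or update the snippet and the rule comment so the three parts of the page agree.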
@ -241,16 +189,16 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> Logout </td><td class="col1 centeralign"> action=logout$ </td><td class="col2 centeralign"> Logout rule (for example logout_app_sso) </td>
<td class="col0 centeralign"> Logout </td><td class="col1 centeralign"> /sa/logout$ </td><td class="col2 centeralign"> Logout rule (for example logout_app_sso) </td>
</tr>
<tr class="row2 roweven">
<td class="col0 centeralign"> Admin </td><td class="col1 centeralign"> ^/limesurvey/admin/ </td><td class="col2 centeralign"> Allow only admin and superadmin roles </td>
<td class="col0 centeralign"> Admin </td><td class="col1 centeralign"> ^/(index\.php/)?admin </td><td class="col2 centeralign"> Allow only admin and superadmin users </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> Default </td><td class="col1 centeralign"> default </td><td class="col2 centeralign"> Allow only users with a LimeSurvey role </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [3694-3979] --><div class="notetip">You can set the default access to:<ul>
<!-- EDIT8 TABLE [2740-3024] --><div class="notetip">You can set the default access to:<ul>
<li class="level1"><div class="li"> <strong>accept</strong>: all authenticated users will access surveys</div>
</li>
<li class="level1"><div class="li"> <strong>unprotect</strong>: no authentication will be asked to access surveys </div>
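Review bot: the new Admin rule `^/(index\.php/)?admin` only matches when LimeSurvey is served from the document root, whereas the previous `^/limesurvey/admin/` assumed the `/limesurvey` alias; since the virtual host section now just refers to the generic protected virtual host page, state this assumption next to the rule (or use a prefix-tolerant pattern), otherwise an installation under a path prefix silently falls through to the Default rule and admin pages are open to every user the default rule accepts. The table also gives only the comment ("Allow only admin and superadmin users"), not the rule expression itself; showing the expression would make the access decision reviewable.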
@ -259,6 +207,6 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
</div>
</div>
<!-- EDIT6 SECTION "LimeSurvey virtual host in Manager" [3197-] --></div>
<!-- EDIT6 SECTION "LimeSurvey virtual host in Manager" [2423-] --></div>
</body>
</html>

View File

@ -0,0 +1,165 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:office365</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,office365"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="office365.html"/>
<link rel="contents" href="office365.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:office365","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#office_3651">Office 365</a></div></li>
<li class="level2"><div class="li"><a href="#lemonldapng">LemonLDAP::NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="office_365">Office 365</h1>
<div class="level1">
<p>
<img src="logo_office_365.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Office 365" [1-74] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://en.wikipedia.org/wiki/Office_365" class="urlextern" title="https://en.wikipedia.org/wiki/Office_365" rel="nofollow">Office 365</a> provides online access to Microsoft products like Office, Outlook or Yammer. Authentication is done on <a href="https://login.microsoftonline.com/" class="urlextern" title="https://login.microsoftonline.com/" rel="nofollow">https://login.microsoftonline.com/</a> and can be forwarded to an <abbr title="Security Assertion Markup Language">SAML</abbr> Identity Provider.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [75-346] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [347-373] -->
<h3 class="sectionedit4" id="office_3651">Office 365</h3>
<div class="level3">
<p>
You first need to install AzureAD PowerShell to be able to run administrative commands.
</p>
<p>
Then run this script:
</p>
<pre class="code bash"><span class="re1">$dom</span> = <span class="st0">&quot;mycompany.com&quot;</span>
<span class="re1">$brand</span> = <span class="st0">&quot;My Company&quot;</span>
<span class="re1">$url</span> = <span class="st0">&quot;https://auth.example.com/saml/singleSignOn&quot;</span>
<span class="re1">$uri</span> = <span class="st0">&quot;https://auth.example.com/saml/metadata&quot;</span>
<span class="re1">$logouturl</span> = <span class="st0">&quot;https://auth.example.com/?logout=1&quot;</span>
<span class="re1">$cert</span> = <span class="st0">&quot;xxxxxxxxxxxxxxxxxxx&quot;</span>
&nbsp;
Set-MsolDomainAuthentication DomainName <span class="re1">$dom</span> <span class="re5">-FederationBrandName</span> <span class="re1">$brand</span> <span class="re5">-Authentication</span> Federated <span class="re5">-PassiveLogOnUri</span> <span class="re1">$url</span> <span class="re5">-SigningCertificate</span> <span class="re1">$cert</span> <span class="re5">-IssuerUri</span> <span class="re1">$uri</span> <span class="re5">-LogOffUri</span> <span class="re1">$logouturl</span> <span class="re5">-PreferredAuthenticationProtocol</span> SAMLP</pre>
<p>
Where parameters are:
</p>
<ul>
<li class="level1"><div class="li"> dom: Your Office 365 domain</div>
</li>
<li class="level1"><div class="li"> brand: Simple label</div>
</li>
<li class="level1"><div class="li"> url: The <abbr title="Security Assertion Markup Language">SAML</abbr> <abbr title="Single Sign On">SSO</abbr> endpoint</div>
</li>
<li class="level1"><div class="li"> uri: The <abbr title="Security Assertion Markup Language">SAML</abbr> metadata endpoint</div>
</li>
<li class="level1"><div class="li"> logouturl: Logout <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level1"><div class="li"> cert: The <abbr title="Security Assertion Markup Language">SAML</abbr> certificate containing the signature public key</div>
</li>
</ul>
<p>
If you have several Office365 domains, you can&#039;t use the same URLs for each domains. To be able to have a single <abbr title="Security Assertion Markup Language">SAML</abbr> IDP for several domains, you must add the &#039;domain&#039; GET parameters at the end of <abbr title="Single Sign On">SSO</abbr> endpoint and metadata URLs, for example:
</p>
<ul>
<li class="level1"><div class="li"> domain &#039;mycompany.com&#039;:</div>
<ul>
<li class="level2"><div class="li"> url: <a href="https://auth.example.com/saml/singleSignOn?domain=mycompany" class="urlextern" title="https://auth.example.com/saml/singleSignOn?domain=mycompany" rel="nofollow">https://auth.example.com/saml/singleSignOn?domain=mycompany</a></div>
</li>
<li class="level2"><div class="li"> uri: <a href="https://auth.example.com/saml/metadata?domain=mycompany" class="urlextern" title="https://auth.example.com/saml/metadata?domain=mycompany" rel="nofollow">https://auth.example.com/saml/metadata?domain=mycompany</a></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> domain &#039;myfirm.com&#039;:</div>
<ul>
<li class="level2"><div class="li"> url: <a href="https://auth.example.com/saml/singleSignOn?domain=myfirm" class="urlextern" title="https://auth.example.com/saml/singleSignOn?domain=myfirm" rel="nofollow">https://auth.example.com/saml/singleSignOn?domain=myfirm</a></div>
</li>
<li class="level2"><div class="li"> uri: <a href="https://auth.example.com/saml/metadata?domain=myfirm" class="urlextern" title="https://auth.example.com/saml/metadata?domain=myfirm" rel="nofollow">https://auth.example.com/saml/metadata?domain=myfirm</a></div>
</li>
</ul>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Office 365" [374-1788] -->
<h3 class="sectionedit5" id="lemonldapng">LemonLDAP::NG</h3>
<div class="level3">
<p>
Create a new <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider and import Microsoft metadata from <a href="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml" class="urlextern" title="https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml" rel="nofollow">https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml</a>
</p>
<p>
Set the NameID value to persistent, or any immutable value for the user.
</p>
<p>
Create a <abbr title="Security Assertion Markup Language">SAML</abbr> attribute named IDPEmail which contains the user principal name (UPN).
</p>
</div>
<!-- EDIT5 SECTION "LemonLDAP::NG" [1789-] --></div>
</body>
</html>
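Review bot: `Set-MsolDomainAuthentication DomainName $dom` is missing the dash on `-DomainName`, so PowerShell treats `DomainName` as a positional value and the command fails; the snippet is also highlighted as `bash` although it is PowerShell, and since `Set-Msol*` cmdlets belong to the MSOnline module the sentence "install AzureAD PowerShell" should name the module that actually provides the cmdlet. Two documentation points: say what format `$cert` ("xxxxxxxxxxxxxxxxxxx") must have, and note that passing the metadata URL as `-IssuerUri` works only because it matches the LL::NG SAML entityID, which must be kept in sync (including the `?domain=` variants) or Office 365 will reject the assertions.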

View File

@ -0,0 +1,75 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:sap</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,sap"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="sap.html"/>
<link rel="contents" href="sap.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:sap","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="sap">SAP</h1>
<div class="level1">
<p>
<a href="saplogo.gif_documentation_2.0_applications_sap.html" class="media" title="applications:saplogo.gif"><img src="saplogo.gif" class="mediacenter" title="SAP" alt="SAP" /></a>
</p>
</div>
<!-- EDIT1 SECTION "SAP" [1-56] -->
<h2 class="sectionedit2" id="http_header">HTTP header</h2>
<div class="level2">
<p>
Read the following documentation: <a href="http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm" class="urlextern" title="http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm" rel="nofollow">http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm</a>
</p>
</div>
<!-- EDIT2 SECTION "HTTP header" [57-208] -->
<h2 class="sectionedit3" id="saml">SAML</h2>
<div class="level2">
<p>
Read the following documentation: <a href="https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" class="urlextern" title="https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" rel="nofollow">https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm</a>
</p>
</div>
<!-- EDIT3 SECTION "SAML" [209-] --></div>
</body>
</html>
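Review bot: both sections only hand off to SAP NetWeaver 7.0 help pages without saying what must be configured on the LL::NG side (the header name the Handler should send, or the SAML Service Provider to declare), so a reader gets no integration guidance from this page; one sentence per section would fix that. Minor: the HTTP header link uses plain `http://` while the SAML link uses `https://`.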

View File

@ -0,0 +1,103 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<title>applications:saplogo.gif [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="../lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="../lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->/>
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="sap.html"/>
<link rel="contents" href="sap.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='';var JSINFO = null;
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
<script type="text/javascript" src="/javascript/bootstrap/js/bootstrap.min.js"></script>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<![endif]-->
</head>
<body class="container">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__detail" class="dokuwiki mode_ tpl_bootstrap3 ">
<h1 class="page-header">
<i class="glyphicon glyphicon-picture"></i> applications:saplogo.gif </h1>
<div class="content">
<a href="saplogo.0fea6a13c52b4d4725368f24b045ca84.gif" title="View original file"><img width="73" height="36" class="img_detail" alt="saplogo.gif" title="saplogo.gif" src="saplogo.951291dc5d49a61fed6af1b6c94c5cf5.gif"/></a>
<div class="img_detail">
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> saplogo.gif</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2016/07/19 12:15</dd><dt>Filename:</dt><dd>saplogo.gif</dd><dt>Format:</dt><dd>GIF</dd><dt>Size:</dt><dd>538B</dd><dt>Width:</dt><dd>73</dd><dt>Height:</dt><dd>36</dd></dl> </div>
</div>
</div>
</div><!-- /.content -->
<p class="back">
<hr/>
<div class="btn-group">
<a href="sap.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:applications:sap [B]">Back to documentation:2.0:applications:sap</a> </div>
</p>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>
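Review bot: the markup has a stray `/>` after `<!-- //endif -->` in the head, `<p class="back">` wraps block elements (`<hr/>`, `<div class="btn-group">`), and the IE conditional comment is empty; also consider whether this DokuWiki media detail page (reached only by clicking the logo) belongs in the exported documentation at all, since it carries no content beyond image metadata.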

View File

@ -0,0 +1,103 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<title>applications:screenshot_dokuwiki_configuration.png [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="../lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="../lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->/>
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="dokuwiki.html"/>
<link rel="contents" href="dokuwiki.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='';var JSINFO = null;
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
<script type="text/javascript" src="/javascript/bootstrap/js/bootstrap.min.js"></script>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<![endif]-->
</head>
<body class="container">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__detail" class="dokuwiki mode_ tpl_bootstrap3 ">
<h1 class="page-header">
<i class="glyphicon glyphicon-picture"></i> applications:screenshot_dokuwiki_configuration.png </h1>
<div class="content">
<a href="screenshot_dokuwiki_configuration.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="898" height="317" class="img_detail" alt="screenshot_dokuwiki_configuration.png" title="screenshot_dokuwiki_configuration.png" src="screenshot_dokuwiki_configuration.5c3b7e8bd8174c47fa38d992a5bf5a62.png"/></a>
<div class="img_detail">
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> screenshot_dokuwiki_configuration.png</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2017/11/23 14:30</dd><dt>Filename:</dt><dd>screenshot_dokuwiki_configuration.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>35KB</dd><dt>Width:</dt><dd>898</dd><dt>Height:</dt><dd>317</dd></dl> </div>
</div>
</div>
</div><!-- /.content -->
<p class="back">
<hr/>
<div class="btn-group">
<a href="dokuwiki.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:applications:dokuwiki [B]">Back to documentation:2.0:applications:dokuwiki</a> </div>
</p>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>
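Review bot: same markup issues as the saplogo detail page (stray `/>` after `<!-- //endif -->`, block elements inside `<p class="back">`, empty IE conditional comment); if media detail pages are kept in the export, fix the template once rather than per file.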

View File

@ -53,6 +53,7 @@
<li class="level1"><div class="li"><a href="#llng_configuration">LLNG Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#kerberos_configuration">Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#web_server_kerberos_module">Web Server Kerberos module</a></div></li>
</ul></li>
</ul>
</div>
@ -81,8 +82,12 @@
<a href="https://en.wikipedia.org/wiki/Kerberos_(protocol)" class="urlextern" title="https://en.wikipedia.org/wiki/Kerberos_(protocol)" rel="nofollow">Kerberos</a> is a network authentication protocol used to authenticate users based on their desktop session.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> uses GSSAPI module to validate Kerberos ticket against a local keytab.
</p>
</div>
<!-- EDIT3 SECTION "Presentation" [83-268] -->
<!-- EDIT3 SECTION "Presentation" [83-347] -->
<h2 class="sectionedit4" id="llng_configuration">LLNG Configuration</h2>
<div class="level2">
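Review bot: "LL::NG uses GSSAPI module to validate Kerberos ticket against a local keytab" needs articles ("the GSSAPI module", "the Kerberos ticket") and, more importantly, should say this is the Perl-side validation, since the same change adds a "Use Web Server Kerberos module" option that delegates validation to the web server instead; a reader of the Presentation should learn that both paths exist.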
@ -92,14 +97,18 @@ In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modu
<ul>
<li class="level1"><div class="li"> <strong>keytab file</strong> (required): the Kerberos keytab file</div>
</li>
<li class="level1"><div class="li"> <strong> Use Ajax request</strong>: set to “enabled” if you want to use an Ajax request instead of a direct Kerberos attempt. <strong>This is required if you want to chain Kerberos in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a></strong></div>
<li class="level1"><div class="li"> <strong>Use Ajax request</strong>: set to “enabled” if you want to use an Ajax request instead of a direct Kerberos attempt. <strong>This is required if you want to chain Kerberos in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a></strong></div>
</li>
<li class="level1"><div class="li"> <strong>Kerberos authentication level</strong>: default to 3</div>
</li>
<li class="level1"><div class="li"> <strong>Use Web Server Kerberos module</strong>: set to “enabled” to use the Web Server module (for example Apache mod_auth_kerb) instead of Perl Kerberos code to validate Kerberos ticket</div>
</li>
<li class="level1"><div class="li"> <strong>Remove domain in username</strong>: set to “enabled” to strip username value and remove the &#039;@domain&#039;.</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "LLNG Configuration" [269-799] -->
<!-- EDIT4 SECTION "LLNG Configuration" [348-1158] -->
<h3 class="sectionedit5" id="kerberos_configuration">Kerberos configuration</h3>
<div class="level3">
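Review bot: the new "Remove domain in username" option should document its security consequence: stripping `@domain` collapses identically named principals from different realms into one LL::NG username, so it is only safe when a single realm is trusted (as in the `KrbAuthRealms EXAMPLE.COM` example later on the page); a sentence saying so, and "strip the '@domain' suffix from the username" instead of "strip username value and remove the '@domain'", would help.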
@ -108,6 +117,31 @@ The Kerberos configuration is quite complex. You can find some configuration tip
</p>
</div>
<!-- EDIT5 SECTION "Kerberos configuration" [800-] --></div>
<!-- EDIT5 SECTION "Kerberos configuration" [1159-1302] -->
<h3 class="sectionedit6" id="web_server_kerberos_module">Web Server Kerberos module</h3>
<div class="level3">
<p>
If you want to let Web Server Kerberos module validates the Kerberos ticket, set the according option to “enabled” and configure the portal virtual host to launch the module if “kerberos” GET parameter is in the request.
</p>
<p>
Example with Apache and mod_auth_kerb:
</p>
<pre class="code file apache"> &lt;If <span class="st0">&quot;%{QUERY_STRING} =~ /kerberos=/&quot;</span>&gt;
&lt;<span class="kw3">IfModule</span> auth_kerb_module&gt;
<span class="kw1">AuthType</span> Kerberos
KrbMethodNegotiate <span class="kw2">On</span>
KrbMethodK5Passwd <span class="kw2">Off</span>
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/lemonldap-ng/auth.keytab
KrbVerifyKDC <span class="kw2">On</span>
KrbServiceName Any
<span class="kw1">require</span> valid-<span class="kw1">user</span>
&lt;/<span class="kw3">IfModule</span>&gt;
&lt;/If&gt;</pre>
</div>
<!-- EDIT6 SECTION "Web Server Kerberos module" [1303-] --></div>
</body>
</html>
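Review bot: the new Apache snippet leaves two security-relevant settings unexplained. `KrbServiceName Any` makes mod_auth_kerb accept any service principal present in the keytab instead of only HTTP/&lt;hostname&gt;; it was the value the removed cluster section of this commit used for multi-node keytabs, and the text here should say whether a single portal host should keep `Any` or the stricter default. The keytab path `/etc/lemonldap-ng/auth.keytab` is given without the permission step that the removed cluster section carried (`chown apache /etc/lemonldap-ng/auth.keytab`, `chmod 600 /etc/lemonldap-ng/auth.keytab`); that step belongs next to this snippet since the file holds the service key. Also, `%{QUERY_STRING} =~ /kerberos=/` matches the substring anywhere in the query string, so a parameter such as `xkerberos=` would trigger the module as well; `/(^|&amp;)kerberos=/` is tighter. Grammar in the introduction: "let Web Server Kerberos module validates the Kerberos ticket" should read "let the Web Server Kerberos module validate the Kerberos ticket", and "the according option" should be "the corresponding option".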

View File

@ -0,0 +1,77 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:autosignin</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,autosignin"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="autosignin.html"/>
<link rel="contents" href="autosignin.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:autosignin","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="auto_signin_addon">Auto Signin Addon</h1>
<div class="level1">
<p>
Auto-Signin add-on provides a simple way to bypass authentication based on rules. For example, a TV can be automatically authenticated by its <abbr title="Internet Protocol">IP</abbr> address.
</p>
</div>
<!-- EDIT1 SECTION "Auto Signin Addon" [1-188] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
This add-on is automatically enabled if a rule is declared. A rule associates a username to a rule. The only variable usable here is <code>$env</code>. Example:
</p>
<div class="table sectionedit3"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0"> Key (username) </th><th class="col1"> Rule </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> dwho </td><td class="col1"> $env→{REMOTE_ADDR} == &#039;192.168.42.42&#039; </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [369-444] --><div class="noteimportant">Username must exists in the user database.
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [189-] --></div>
</body>
</html>
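Review bot: the example rule in the Configuration table, `$env→{REMOTE_ADDR} == '192.168.42.42'`, compares an IP address with the numeric operator. In Perl `==` numifies both sides, and a dotted quad such as '192.168.42.42' numifies to 192.168, so any client whose address starts with 192.168 would satisfy the rule and be signed in as dwho without authenticating. Since this add-on bypasses authentication, the example must use string comparison: `$env->{REMOTE_ADDR} eq '192.168.42.42'`. The arrow has also been rendered as the Unicode `→` in the export, so a reader copying the rule gets a syntax error; put the rule in a `<code>` element so `->` survives. Minor: "Username must exists" should read "Username must exist", and the useexternallibs branch of the head template loads jQuery and jQuery UI over plain http:// while Bootstrap is fetched over https://; script includes should use https.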

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:configvhost</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,configvhost"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="configvhost.html"/>

View File

@ -81,43 +81,18 @@
<ul>
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> system configured with <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML authentication</a></div>
</li>
<li class="level1"><div class="li"> Any <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider, for example:</div>
<li class="level1"><div class="li"> Any <abbr title="Security Assertion Markup Language">SAML</abbr> Service Provider</div>
</li>
</ul>
</div>
<!-- EDIT3 PLUGIN_INCLUDE_START_NOREDIRECT "documentation:2.0:applications" [0-] --><div class="plugin_include_content plugin_include__documentation:2.0:applications">
<div class="level2">
<div class="noteclassic">This requires to configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as an <span class="curid"><a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML Identity Provider</a></span>.
</div><div class="table sectionedit5"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Google Apps </th><th class="col1 centeralign"> Cornerstone </th><th class="col2 centeralign"> SalesForce </th><th class="col3 centeralign"> simpleSAMLphp </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="applications/googleapps.html" class="media" title="documentation:2.0:applications:googleapps"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/cornerstone.html" class="media" title="documentation:2.0:applications:cornerstone"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col2 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col3 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td>
</tr>
<tr class="row2 roweven">
<th class="col0 centeralign"> NextCloud </th><th class="col1 centeralign"> ADFS </th><th class="col2 leftalign"> </th><th class="col3 leftalign"> </th>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/adfs.html" class="media" title="documentation:2.0:applications:adfs"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [2607-3149] -->
</div>
<!-- EDIT4 PLUGIN_INCLUDE_END "documentation:2.0:applications" [0-] --></div>
<!-- EDIT2 SECTION "Presentation" [39-263] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Presentation" [39-327] -->
<h2 class="sectionedit6" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "Configuration" [328-354] -->
<h3 class="sectionedit7" id="saml_service">SAML Service</h3>
<!-- EDIT3 SECTION "Configuration" [264-290] -->
<h3 class="sectionedit4" id="saml_service">SAML Service</h3>
<div class="level3">
<p>
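Review bot: dropping "for example:" together with the included applications table removes the only links from this page to the SP-specific guides (Google Apps, Cornerstone, SalesForce, simpleSAMLphp, NextCloud, ADFS). "Any SAML Service Provider" should keep a pointer to the applications page so readers can still find those per-application instructions.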
@ -125,8 +100,8 @@ See <a href="samlservice.html" class="wikilink1" title="documentation:2.0:samlse
</p>
</div>
<!-- EDIT7 SECTION "SAML Service" [355-435] -->
<h3 class="sectionedit8" id="issuerdb">IssuerDB</h3>
<!-- EDIT4 SECTION "SAML Service" [291-371] -->
<h3 class="sectionedit5" id="issuerdb">IssuerDB</h3>
<div class="level3">
<p>
@ -145,8 +120,8 @@ Go in <code>General Parameters</code> » <code>Issuer modules</code> » <code><a
</div>
</div>
<!-- EDIT8 SECTION "IssuerDB" [436-911] -->
<h3 class="sectionedit9" id="register_lemonldapng_on_partner_service_provider">Register LemonLDAP::NG on partner Service Provider</h3>
<!-- EDIT5 SECTION "IssuerDB" [372-847] -->
<h3 class="sectionedit6" id="register_lemonldapng_on_partner_service_provider">Register LemonLDAP::NG on partner Service Provider</h3>
<div class="level3">
<p>
@ -158,8 +133,8 @@ They are available at the EntityID <abbr title="Uniform Resource Locator">URL</a
</p>
</div>
<!-- EDIT9 SECTION "Register LemonLDAP::NG on partner Service Provider" [912-1156] -->
<h3 class="sectionedit10" id="register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</h3>
<!-- EDIT6 SECTION "Register LemonLDAP::NG on partner Service Provider" [848-1092] -->
<h3 class="sectionedit7" id="register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</h3>
<div class="level3">
<p>
@ -298,6 +273,6 @@ For example: <a href="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&a
</div>
</div>
<!-- EDIT10 SECTION "Register partner Service Provider on LemonLDAP::NG" [1157-] --></div>
<!-- EDIT7 SECTION "Register partner Service Provider on LemonLDAP::NG" [1093-] --></div>
</body>
</html>

View File

@ -99,9 +99,11 @@ LemonLDAP::NG provides these packages:
</li>
<li class="level1"><div class="li"> lemonldap-ng-fr-doc: French translation for <abbr title="HyperText Markup Language">HTML</abbr> documentation</div>
</li>
<li class="level1"><div class="li"> lemonldap-ng-handler: Handler files</div>
</li>
<li class="level1"><div class="li"> liblemonldap-ng-common-perl: configuration and common files</div>
</li>
<li class="level1"><div class="li"> liblemonldap-ng-handler-perl: Handler files</div>
<li class="level1"><div class="li"> liblemonldap-ng-handler-perl: Handler common libraries</div>
</li>
<li class="level1"><div class="li"> liblemonldap-ng-manager-perl: Manager files</div>
</li>
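Review bot: the package list now has both "lemonldap-ng-handler: Handler files" and "liblemonldap-ng-handler-perl: Handler common libraries", and a reader cannot tell from these two descriptions which one to install on a web server that only protects applications. Say what each contains, for example that lemonldap-ng-handler carries the web server integration and liblemonldap-ng-handler-perl the Perl libraries it depends on, so the split is understandable.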
@ -110,12 +112,12 @@ LemonLDAP::NG provides these packages:
</ul>
</div>
<!-- EDIT2 SECTION "Organization" [60-630] -->
<!-- EDIT2 SECTION "Organization" [60-681] -->
<h2 class="sectionedit3" id="get_the_packages">Get the packages</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Get the packages" [631-660] -->
<!-- EDIT3 SECTION "Get the packages" [682-711] -->
<h3 class="sectionedit4" id="official_repository">Official repository</h3>
<div class="level3">
@ -126,7 +128,7 @@ If you run Debian testing or unstable, the packages are directly installable:
<div class="noteimportant">Packages from <a href="http://packages.debian.org/search?keywords=lemonldap-ng" class="urlextern" title="http://packages.debian.org/search?keywords=lemonldap-ng" rel="nofollow">Debian repository</a> may not be up to date. Prefer then the other solutions (see below).
</div>
</div>
<!-- EDIT4 SECTION "Official repository" [661-999] -->
<!-- EDIT4 SECTION "Official repository" [712-1050] -->
<h3 class="sectionedit5" id="llng_repository">LL::NG repository</h3>
<div class="level3">
@ -153,7 +155,7 @@ You may need to install this package to access HTTPS repositories:
<pre class="code">apt install apt-transport-https</pre>
</div>
<!-- EDIT5 SECTION "LL::NG repository" [1000-1644] -->
<!-- EDIT5 SECTION "LL::NG repository" [1051-1695] -->
<h3 class="sectionedit6" id="manual_download">Manual download</h3>
<div class="level3">
@ -162,7 +164,7 @@ Packages are available on the <a href="download.html" class="wikilink1" title="d
</p>
</div>
<!-- EDIT6 SECTION "Manual download" [1645-1731] -->
<!-- EDIT6 SECTION "Manual download" [1696-1782] -->
<h2 class="sectionedit7" id="package_gpg_signature">Package GPG signature</h2>
<div class="level2">
@ -181,18 +183,18 @@ Update cache:
<pre class="code">apt update</pre>
</div>
<!-- EDIT7 SECTION "Package GPG signature" [1732-1986] -->
<!-- EDIT7 SECTION "Package GPG signature" [1783-2037] -->
<h2 class="sectionedit8" id="install_packages">Install packages</h2>
<div class="level2">
</div>
<!-- EDIT8 SECTION "Install packages" [1987-2016] -->
<!-- EDIT8 SECTION "Install packages" [2038-2067] -->
<h3 class="sectionedit9" id="with_apt">With apt</h3>
<div class="level3">
<pre class="code">apt install lemonldap-ng</pre>
</div>
<!-- EDIT9 SECTION "With apt" [2017-2077] -->
<!-- EDIT9 SECTION "With apt" [2068-2128] -->
<h3 class="sectionedit10" id="with_dpkg">With dpkg</h3>
<div class="level3">
@ -206,12 +208,12 @@ Then:
<pre class="code">dpkg -i liblemonldap-ng-* lemonldap-ng*</pre>
</div>
<!-- EDIT10 SECTION "With dpkg" [2078-2226] -->
<!-- EDIT10 SECTION "With dpkg" [2129-2277] -->
<h2 class="sectionedit11" id="first_configuration_steps">First configuration steps</h2>
<div class="level2">
</div>
<!-- EDIT11 SECTION "First configuration steps" [2227-2265] -->
<!-- EDIT11 SECTION "First configuration steps" [2278-2316] -->
<h3 class="sectionedit12" id="change_default_dns_domain">Change default DNS domain</h3>
<div class="level3">
@ -221,7 +223,7 @@ By default, <abbr title="Domain Name System">DNS</abbr> domain is <code>example.
<pre class="code shell">sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json /var/lib/lemonldap-ng/test/index.pl</pre>
</div>
<!-- EDIT12 SECTION "Change default DNS domain" [2266-2585] -->
<!-- EDIT12 SECTION "Change default DNS domain" [2317-2636] -->
<h3 class="sectionedit13" id="reload_virtual_host">Reload virtual host</h3>
<div class="level3">
@ -232,7 +234,7 @@ To allow the manager to reload the configuration, register the reload virtual ho
<div class="notetip">Adapt the reload virtual host name to the domain you configured.
</div>
</div>
<!-- EDIT13 SECTION "Reload virtual host" [2586-2887] -->
<!-- EDIT13 SECTION "Reload virtual host" [2637-2938] -->
<h3 class="sectionedit14" id="upgrade">Upgrade</h3>
<div class="level3">
@ -241,7 +243,7 @@ If you upgraded <abbr title="LemonLDAP::NG">LL::NG</abbr>, check all <a href="up
</p>
</div>
<!-- EDIT14 SECTION "Upgrade" [2888-2968] -->
<!-- EDIT14 SECTION "Upgrade" [2939-3019] -->
<h3 class="sectionedit15" id="dns">DNS</h3>
<div class="level3">
@ -257,7 +259,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</p>
</div>
<!-- EDIT15 SECTION "DNS" [2969-3241] -->
<!-- EDIT15 SECTION "DNS" [3020-3292] -->
<h2 class="sectionedit16" id="file_location">File location</h2>
<div class="level2">
<ul>
@ -278,7 +280,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</ul>
</div>
<!-- EDIT16 SECTION "File location" [3242-3778] -->
<!-- EDIT16 SECTION "File location" [3293-3829] -->
<h2 class="sectionedit17" id="build_your_packages">Build your packages</h2>
<div class="level2">
@ -290,6 +292,6 @@ cd lemonldap-ng-*
make debian-packages</pre>
</div>
<!-- EDIT17 SECTION "Build your packages" [3779-] --></div>
<!-- EDIT17 SECTION "Build your packages" [3830-] --></div>
</body>
</html>

View File

@ -55,37 +55,25 @@
<li class="level2"><div class="li"><a href="#example_values">Example values</a></div></li>
<li class="level2"><div class="li"><a href="#server_time">Server time</a></div></li>
<li class="level2"><div class="li"><a href="#dns">DNS</a></div></li>
<li class="level2"><div class="li"><a href="#ad_accounts">AD accounts</a></div></li>
<li class="level2"><div class="li"><a href="#ssl">SSL</a></div></li>
<li class="level2"><div class="li"><a href="#web_browser_configuration">Web browser configuration</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#firefox">Firefox</a></div></li>
<li class="level3"><div class="li"><a href="#internet_explorer">Internet Explorer</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#apache_kerberos_module_installation">Apache Kerberos module installation</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#single_llng_serversingle_ad_domain">Single LL::NG Server / Single AD domain</a></div>
<li class="level1"><div class="li"><a href="#single_ad_domain">Single AD domain</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file">Obtain keytab file</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng">Configuration of LemonLDAP::NG</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#llng_clustersingle_ad_domain">LL::NG Cluster / Single AD domain</a></div>
<li class="level1"><div class="li"><a href="#multiple_ad_domains">Multiple AD domains</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration1">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file1">Obtain keytab file</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng1">Configuration of LemonLDAP::NG</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_portal_virtual_host">Configuration of portal virtual host</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#llng_clustertwo_ad_domains">LL::NG Cluster / Two AD domains</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration2">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file2">Obtain keytab file</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_lemonldapng2">Configuration of LemonLDAP::NG</a></div></li>
<li class="level2"><div class="li"><a href="#configuration_of_portal_virtual_host1">Configuration of portal virtual host</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
@ -103,28 +91,26 @@
<div class="level2">
<p>
This documentation will explain how to use Active Directory as Kerberos server, and provide transparent authentication to AD domain users to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
This documentation will explain how to use Active Directory as Kerberos server, and provide transparent authentication for one or multiple AD domains.
</p>
<p>
We will present several architectures:
You can use Kerberos in <abbr title="LemonLDAP::NG">LL::NG</abbr> with the following authentication modules:
</p>
<ul>
<li class="level1"><div class="li"> Single <abbr title="LemonLDAP::NG">LL::NG</abbr> server linked to one AD domain</div>
<li class="level1"><div class="li"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> (recommended): use Perl GSSAPI module, compatible with Apache and Nginx</div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to one AD domain</div>
</li>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster linked to two AD domains</div>
<li class="level1"><div class="li"> <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache</a>: use mod_auth_kerb or mod_auth_gssapi in Apache</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [25-376] -->
<!-- EDIT2 SECTION "Presentation" [25-454] -->
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Prerequisites" [377-403] -->
<!-- EDIT3 SECTION "Prerequisites" [455-481] -->
<h3 class="sectionedit4" id="example_values">Example values</h3>
<div class="level3">
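Review bot: the Apache entry in the new module list is presented as a plain alternative, while the "Configuration of LemonLDAP::NG" section removed by this same commit labelled the Apache authentication module "(deprecated)". Either keep the deprecation marker here next to "use mod_auth_kerb or mod_auth_gssapi in Apache" or drop it consistently; as written the two pages disagree on whether the Apache module is still supported.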
@ -138,26 +124,12 @@ We will use the following values in our examples
</li>
<li class="level1"><div class="li"> <strong>auth.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
</li>
<li class="level1"><div class="li"> <strong>authpwd.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal (to failback to a form based authentication)</div>
</li>
<li class="level1"><div class="li"> <strong>node1.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the first <abbr title="LemonLDAP::NG">LL::NG</abbr> portal server (in cluster mode)</div>
</li>
<li class="level1"><div class="li"> <strong>node2.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the second <abbr title="LemonLDAP::NG">LL::NG</abbr> portal server (in cluster mode)</div>
</li>
<li class="level1"><div class="li"> <strong>ad.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of First Active Directory</div>
</li>
<li class="level1"><div class="li"> <strong>ad.acme.com</strong>: <abbr title="Domain Name System">DNS</abbr> of Second Active Directory</div>
</li>
<li class="level1"><div class="li"> <strong>KERB_AUTH</strong>: AD account to generate the keytab for <abbr title="LemonLDAP::NG">LL::NG</abbr> server (in single mode)</div>
</li>
<li class="level1"><div class="li"> <strong>KERB_NODE1</strong>: AD account to generate the keytab for the first <abbr title="LemonLDAP::NG">LL::NG</abbr> server (in cluster mode)</div>
</li>
<li class="level1"><div class="li"> <strong>KERB_NODE2</strong>: AD account to generate the keytab for the second <abbr title="LemonLDAP::NG">LL::NG</abbr> server (in cluster mode)</div>
<li class="level1"><div class="li"> <strong>KERB_AUTH</strong>: AD account to generate the keytab for <abbr title="LemonLDAP::NG">LL::NG</abbr> server</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Example values" [404-1263] -->
<!-- EDIT4 SECTION "Example values" [482-751] -->
<h3 class="sectionedit5" id="server_time">Server time</h3>
<div class="level3">
@ -166,26 +138,26 @@ It is mandatory that <abbr title="LemonLDAP::NG">LL::NG</abbr> servers and AD se
</p>
</div>
<!-- EDIT5 SECTION "Server time" [1264-1399] -->
<!-- EDIT5 SECTION "Server time" [752-887] -->
<h3 class="sectionedit6" id="dns">DNS</h3>
<div class="level3">
<p>
All names must be registered in the <abbr title="Domain Name System">DNS</abbr> server (which is Active Directory). The reverse <abbr title="Domain Name System">DNS</abbr> should also work for all the names.
The auth.example.com must be registered in the <abbr title="Domain Name System">DNS</abbr> server (which is Active Directory). The reverse <abbr title="Domain Name System">DNS</abbr> of auth.example.com <strong>must</strong> return the portal <abbr title="Internet Protocol">IP</abbr>.
</p>
<div class="notetip">If you have a <abbr title="Single Sign On">SSO</abbr> cluster, you must setup a Virtual <abbr title="Internet Protocol">IP</abbr> in cluster and register this <abbr title="Internet Protocol">IP</abbr> in <abbr title="Domain Name System">DNS</abbr>.
</div>
<!-- EDIT6 SECTION "DNS" [1400-1543] -->
<h3 class="sectionedit7" id="ad_accounts">AD accounts</h3>
</div>
<!-- EDIT6 SECTION "DNS" [888-1170] -->
<h3 class="sectionedit7" id="ssl">SSL</h3>
<div class="level3">
<p>
It is recommended to create an AD account for each <abbr title="LemonLDAP::NG">LL::NG</abbr> server. Each account will hold the Service Principal Name (SPN) of the <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
SSL is not mandatory, but it is strongly recommended. Your portal <abbr title="Uniform Resource Locator">URL</abbr> should be <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a>.
</p>
<div class="notetip">It should be possible to have the same account for all SPN, but this may require some manipulations on AD (command setspn) that are not documented here.
</div>
</div>
<!-- EDIT7 SECTION "AD accounts" [1544-1884] -->
<!-- EDIT7 SECTION "SSL" [1171-1292] -->
<h3 class="sectionedit8" id="web_browser_configuration">Web browser configuration</h3>
<div class="level3">
@ -212,32 +184,13 @@ Check into security parameters that Kerberos authentication is allowed.
</p>
</div>
<!-- EDIT8 SECTION "Web browser configuration" [1885-2244] -->
<h3 class="sectionedit9" id="apache_kerberos_module_installation">Apache Kerberos module installation</h3>
<div class="level3">
<p>
On CentOS/RHEL:
</p>
<pre class="code shell">yum install mod_auth_kerb</pre>
<p>
On Debian/Ubuntu:
</p>
<pre class="code shell">apt-get install libapache2-mod-auth-kerb</pre>
<p>
The module must be loaded by Apache (LoadModule directive).
</p>
</div>
<!-- EDIT9 SECTION "Apache Kerberos module installation" [2245-2497] -->
<h2 class="sectionedit10" id="single_llng_serversingle_ad_domain">Single LL::NG Server / Single AD domain</h2>
<!-- EDIT8 SECTION "Web browser configuration" [1293-1652] -->
<h2 class="sectionedit9" id="single_ad_domain">Single AD domain</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "Single LL::NG Server / Single AD domain" [2498-2550] -->
<h3 class="sectionedit11" id="client_kerberos_configuration">Client Kerberos configuration</h3>
<!-- EDIT9 SECTION "Single AD domain" [1653-1682] -->
<h3 class="sectionedit10" id="client_kerberos_configuration">Client Kerberos configuration</h3>
<div class="level3">
<p>
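Review bot: removing "Apache Kerberos module installation" (yum install mod_auth_kerb, apt-get install libapache2-mod-auth-kerb, LoadModule) leaves two places in this commit that still depend on it: the Presentation above now lists "Apache: use mod_auth_kerb or mod_auth_gssapi" as an option, and the new "Web Server Kerberos module" section in the Kerberos module page shows a mod_auth_kerb configuration. Either keep these installation lines or move them next to that Apache example so the prerequisite is documented somewhere.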
@ -284,8 +237,8 @@ You can then close the Kerberos session:
<pre class="code">kdestroy</pre>
</div>
<!-- EDIT11 SECTION "Client Kerberos configuration" [2551-3552] -->
<h3 class="sectionedit12" id="obtain_keytab_file">Obtain keytab file</h3>
<!-- EDIT10 SECTION "Client Kerberos configuration" [1683-2684] -->
<h3 class="sectionedit11" id="obtain_keytab_file">Obtain keytab file</h3>
<div class="level3">
<p>
@ -366,78 +319,13 @@ The important things to check are:
</ul>
</div>
<!-- EDIT12 SECTION "Obtain keytab file" [3553-5681] -->
<h3 class="sectionedit13" id="configuration_of_lemonldapng">Configuration of LemonLDAP::NG</h3>
<div class="level3">
<p>
See <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos authentication module</a> <em>or <a href="authapache.html#llng" class="wikilink1" title="documentation:2.0:authapache">Apache authentication module configuration</a> (deprecated)</em>.
</p>
</div>
<!-- EDIT13 SECTION "Configuration of LemonLDAP::NG" [5682-5861] -->
<h2 class="sectionedit14" id="llng_clustersingle_ad_domain">LL::NG Cluster / Single AD domain</h2>
<!-- EDIT11 SECTION "Obtain keytab file" [2685-4814] -->
<h2 class="sectionedit12" id="multiple_ad_domains">Multiple AD domains</h2>
<div class="level2">
</div>
<!-- EDIT14 SECTION "LL::NG Cluster / Single AD domain" [5862-5908] -->
<h3 class="sectionedit15" id="client_kerberos_configuration1">Client Kerberos configuration</h3>
<div class="level3">
<p>
The client Kerberos configuration is the same as a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
</p>
</div>
<!-- EDIT15 SECTION "Client Kerberos configuration" [5909-6023] -->
<h3 class="sectionedit16" id="obtain_keytab_file1">Obtain keytab file</h3>
<div class="level3">
<div class="noteimportant">You need to get a keytab for each <abbr title="LemonLDAP::NG">LL::NG</abbr> node.
</div>
<p>
Commands on Active Directory will be:
</p>
<pre class="code">ktpass -princ HTTP/node1.example.com@EXAMPLE.COM -mapuser KERB_NODE1@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\authnode1.keytab
ktpass -princ HTTP/node2.example.com@EXAMPLE.COM -mapuser KERB_NODE2@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\authnode2.keytab</pre>
<p>
Copy the generated keytab on each node (rename it as auth.keytab to have the same Apache configuration on each node).
</p>
<p>
Change rights on keytab file:
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
<div class="notetip">You can do the same check for the keytab as with the single <abbr title="LemonLDAP::NG">LL::NG</abbr> server. Just use node1.example.com and node2.example.com instead of auth.example.com.
</div>
</div>
<!-- EDIT16 SECTION "Obtain keytab file" [6024-6957] -->
<h3 class="sectionedit17" id="configuration_of_lemonldapng1">Configuration of LemonLDAP::NG</h3>
<div class="level3">
<p>
The configuration is the same as a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
</p>
</div>
<!-- EDIT17 SECTION "Configuration of LemonLDAP::NG" [6958-7058] -->
<h3 class="sectionedit18" id="configuration_of_portal_virtual_host">Configuration of portal virtual host</h3>
<div class="level3">
<p>
The only change in Apache configuration is in the <code>KrbServiceName</code>, it should be set to Any:
</p>
<pre class="code file apache"> KrbServiceName Any</pre>
</div>
<!-- EDIT18 SECTION "Configuration of portal virtual host" [7059-7247] -->
<h2 class="sectionedit19" id="llng_clustertwo_ad_domains">LL::NG Cluster / Two AD domains</h2>
<div class="level2">
</div>
<!-- EDIT19 SECTION "LL::NG Cluster / Two AD domains" [7248-7292] -->
<h3 class="sectionedit20" id="client_kerberos_configuration2">Client Kerberos configuration</h3>
<!-- EDIT12 SECTION "Multiple AD domains" [4815-4847] -->
<h3 class="sectionedit13" id="client_kerberos_configuration1">Client Kerberos configuration</h3>
<div class="level3">
<p>
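Review bot: with the cluster chapters gone, the "Single AD domain" chapter now ends at "Obtain keytab file" and no longer has a "Configuration of LemonLDAP::NG" step pointing to the module configuration; a one-line link to the Kerberos module page at the end of the chapter would keep the procedure complete. The removed "Configuration of portal virtual host" subsection was also the only text explaining why `KrbServiceName Any` is needed, and that value reappears unexplained in the new Apache example of the Kerberos module page in this commit; carry the explanation over there.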
@ -479,8 +367,8 @@ klist -e
kdestroy</pre>
</div>
<!-- EDIT20 SECTION "Client Kerberos configuration" [7293-8037] -->
<h3 class="sectionedit21" id="obtain_keytab_file2">Obtain keytab file</h3>
<!-- EDIT13 SECTION "Client Kerberos configuration" [4848-5592] -->
<h3 class="sectionedit14" id="obtain_keytab_file1">Obtain keytab file</h3>
<div class="level3">
<p>
@ -513,26 +401,8 @@ You can then remove the original keytab files and protect the final keytab file:
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
</div>
<!-- EDIT21 SECTION "Obtain keytab file" [8038-8699] -->
<h3 class="sectionedit22" id="configuration_of_lemonldapng2">Configuration of LemonLDAP::NG</h3>
<div class="level3">
<p>
The configuration is the same as a single <abbr title="LemonLDAP::NG">LL::NG</abbr> server.
</p>
</div>
<!-- EDIT22 SECTION "Configuration of LemonLDAP::NG" [8700-8800] -->
<h3 class="sectionedit23" id="configuration_of_portal_virtual_host1">Configuration of portal virtual host</h3>
<div class="level3">
<p>
The configuration is the same as with a single AD domain.
</p>
</div>
<!-- EDIT23 SECTION "Configuration of portal virtual host" [8801-8907] -->
<h2 class="sectionedit24" id="other_resources">Other resources</h2>
<!-- EDIT14 SECTION "Obtain keytab file" [5593-6254] -->
<h2 class="sectionedit15" id="other_resources">Other resources</h2>
<div class="level2">
<p>
@ -546,6 +416,6 @@ You can check these documentations to get more information:
</ul>
</div>
<!-- EDIT24 SECTION "Other resources" [8908-] --></div>
<!-- EDIT15 SECTION "Other resources" [6255-] --></div>
</body>
</html>

View File

@ -113,6 +113,8 @@ Application parameters:
</li>
<li class="level2"><div class="li"> <strong>off</strong>: never display</div>
</li>
<li class="level2"><div class="li"> <strong>rule</strong>: specify a <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rule</a> or “sp: &lt;name&gt;” where “name” is the key name of the service provider, the corresponding rule will be applied <em>(available for <abbr title="Central Authentication Service">CAS</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect)</em></div>
</li>
</ul>
</li>
</ul>
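Review bot: the new `rule` option documents the `sp: <name>` form but not the fallback when the named service provider key does not exist, or when the user has no session with that SP; state whether the application is then hidden or shown so administrators can predict menu behaviour. Minor: the spec name is "OpenID Connect" without a hyphen, and the parenthesis would read better as "available for CAS, SAML or OpenID Connect service providers".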
@ -121,7 +123,7 @@ Application parameters:
<p>
<img src="documentation/manager-portal-menu-icon.png" class="mediacenter" alt="" />
</p>
<div class="notetip">The chosen logo file must be in portal applications logos directory (<code>portal/skins/common/apps/</code>). You can set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory
<div class="notetip">The chosen logo file must be in portal applications logos directory (<code>portal/static/common/apps/</code>). You can set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory
</div>
</div>
<!-- EDIT3 SECTION "Categories and applications" [828-] --></div>
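Review bot: the path update to `portal/static/common/apps/` is right, but the sentence still has no full stop and reads awkwardly; suggest "The chosen logo file must be in the portal applications logos directory (`portal/static/common/apps/`). To use a custom logo, type its file name directly in the field and copy the file into that directory." Also worth grepping the other exported pages for the old `portal/skins/` path so no page points at the removed location.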

View File

@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/restserverplugin?do=login&amp;sectok=fa0cc1a85fc0d1baf3a61bfee1cba736" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/restserverplugin?do=login&amp;sectok=df00727bb453bdfe152489fdb4e33ed5" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
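Review bot: the only change in this hunk is the DokuWiki `sectok` value in the Login link, a per-session CSRF token that gets baked into the exported HTML; it will change on every export and the link is dead in a static copy anyway. Consider stripping the login widget (and the navbar search form above it) from exported pages so that commits carry only documentation changes.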
@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Arestserverplugin&amp;1508842926" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Arestserverplugin&amp;1516959187" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
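Review bot: same churn here: `indexer.php?id=...&amp;1516959187` is a live request to the wiki's indexer with the export timestamp appended, so every view of the static page calls back to the wiki and the line changes on each export. More importantly, the context line "You've followed a link to a topic that doesn't exist yet" shows that `restserverplugin` is being committed as an empty DokuWiki placeholder page; either write the page or drop it from the export.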

View File

@ -71,25 +71,30 @@ To make LemonLDAP::NG work with SELinux, you may need to set up some options.
<div class="level2">
<pre class="code">chcon -R -t httpd_sys_rw_content_t /tmp</pre>
</div>
<!-- EDIT2 SECTION "Disk cache (sessions an configuration)" [103-208] -->
<h2 class="sectionedit3" id="access_to_ldap">Access to LDAP</h2>
<div class="level2">
<pre class="code">setsebool -P httpd_can_connect_ldap on</pre>
<p>
To persist the rule:
</p>
<pre class="code">semanage fcontext -a -t http_sys_content_t /tmp</pre>
</div>
<!-- EDIT3 SECTION "Access to LDAP" [209-289] -->
<!-- EDIT2 SECTION "Disk cache (sessions an configuration)" [103-290] -->
<h2 class="sectionedit3" id="access_to_ldap">Access to LDAP</h2>
<div class="level2">
<pre class="code">setsebool -P httpd_can_connect_ldap 1</pre>
</div>
<!-- EDIT3 SECTION "Access to LDAP" [291-370] -->
<h2 class="sectionedit4" id="memcache">Memcache</h2>
<div class="level2">
<pre class="code">setsebool -P httpd_can_network_memcache 1</pre>
</div>
<!-- EDIT4 SECTION "Memcache" [290-367] -->
<!-- EDIT4 SECTION "Memcache" [371-448] -->
<h2 class="sectionedit5" id="proxy_http">Proxy HTTP</h2>
<div class="level2">
<pre class="code">setsebool -P httpd_can_network_relay 1</pre>
</div>
<!-- EDIT5 SECTION "Proxy HTTP" [368-] --></div>
<!-- EDIT5 SECTION "Proxy HTTP" [449-] --></div>
</body>
</html>
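Review bot: moving "To persist the rule:" under the disk cache section is the right fix, but the persisted rule still does not match the command it is meant to persist: `chcon -R -t httpd_sys_rw_content_t /tmp` labels with `httpd_sys_rw_content_t`, while `semanage fcontext -a -t http_sys_content_t /tmp` uses `http_sys_content_t` (wrong prefix, and the non-rw type), so the label reverts on the next relabel. It should be `semanage fcontext -a -t httpd_sys_rw_content_t "/tmp(/.*)?"` (a regex so the contents are covered) followed by `restorecon -R /tmp`. Two further points: relabeling all of /tmp as httpd read-write is broader than needed, so the page should point the rule at the directories LLNG actually uses for sessions and configuration; and the section title has a typo ("sessions an configuration"). The `on` to `1` change for `httpd_can_connect_ldap` is purely cosmetic, both are accepted by setsebool.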

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:sqlconfbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,sqlconfbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="sqlconfbackend.html"/>
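Review bot: the `robots` meta switches from `index,follow` to `noindex,nofollow`; if the exported HTML is published on the project site this hides the SQL backend page from search engines. Confirm this is the intended export setting (and that it is applied consistently to the other exported pages) rather than a side effect of the wiki ACLs at export time.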
@ -49,17 +49,31 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#lemonldap-ngini_parameters">Lemonldap-ng.ini parameters</a></div></li>
<li class="level1"><div class="li"><a href="#configure_your_sql_database">Configure your SQL database</a></div>
<li class="level1"><div class="li"><a href="#mysql">MySQL</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#sql_configuration">SQL configuration</a></div>
<li class="level2"><div class="li"><a href="#perl_driver">Perl Driver</a></div></li>
<li class="level2"><div class="li"><a href="#database_and_table_creation">Database and table creation</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#rdbi">RDBI</a></div></li>
<li class="level3"><div class="li"><a href="#cdbi">CDBI</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#grant_lemonldapng_access">Grant LemonLDAP::NG access</a></div></li>
</ul></li>
<li class="level2"><div class="li"><a href="#grant_access">Grant access</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#connection_settings">Connection settings</a></div></li>
<li class="level1"><div class="li"><a href="#postgresql">PostGreSQL</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#perl_driver1">Perl Driver</a></div></li>
<li class="level2"><div class="li"><a href="#database_and_table_creation1">Database and table creation</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#rdbi1">RDBI</a></div></li>
<li class="level3"><div class="li"><a href="#cdbi1">CDBI</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#connection_settings1">Connection settings</a></div></li>
</ul>
</div>
</div>
@ -69,57 +83,59 @@
<div class="level1">
<p>
There is 3 types of SQL configuration backends for LemonLDAP::NG :
There is 2 types of SQL configuration backends for LemonLDAP::NG:
</p>
<ul>
<li class="level1"><div class="li"> <strong>CDBI</strong> : very simple storage</div>
<li class="level1"><div class="li"> <strong>CDBI</strong>: very simple storage</div>
</li>
<li class="level1"><div class="li"> <strong>RDBI</strong> : triple store storage</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Database Interface">DBI</abbr></strong> which has been deprecated: it is a read-only backend that exists just for compatibility with older versions of LemonLDAP::NG. See <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a>.</div>
<li class="level1"><div class="li"> <strong>RDBI</strong>: triple store storage (recommended)</div>
</li>
</ul>
<div class="notetip">You can use any database engine if it provides a Perl Driver. You will find here examples for MySQL and PostGreSQL, but other engines may also work.
</div>
<p>
See <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a>.
</p>
</div>
<!-- EDIT1 SECTION "SQL configuration backends" [1-382] -->
<h2 class="sectionedit2" id="lemonldap-ngini_parameters">Lemonldap-ng.ini parameters</h2>
<div class="level2">
<p>
To use a SQL backend, configure your <code>lemonldap-ng.ini</code> file (section configuration) :
</p>
<ul>
<li class="level1"><div class="li"> Choose <abbr title="Database Interface">DBI</abbr> type (RDBI, CDBI or <abbr title="Database Interface">DBI</abbr>)</div>
</li>
<li class="level1"><div class="li"> Configure the connection string (see <a href="http://search.cpan.org/perldoc?DBI" class="urlextern" title="http://search.cpan.org/perldoc?DBI" rel="nofollow">DBI manual page</a>)</div>
</li>
<li class="level1"><div class="li"> Configure user and password</div>
</li>
<li class="level1"><div class="li"> If your table is not named lmConfig, set it&#039;s name in <code>dbiTable</code> parameter.</div>
</li>
</ul>
<p>
Example for MySQL :
</p>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>configuration<span class="br0">&#93;</span></span>
<span class="re1">type</span> <span class="sy0">=</span><span class="re2"> RDBI</span>
<span class="re1">dbiChain</span> <span class="sy0">=</span><span class="re2"> DBI:mysql:database=lemonldap-ng</span><span class="co0">;host=1.2.3.4</span>
<span class="re1">dbiUser</span> <span class="sy0">=</span><span class="re2"> lemonldap</span>
<span class="re1">dbiPassword</span> <span class="sy0">=</span><span class="re2"> password</span>
<span class="co0">; optional</span>
<span class="re1">dbiTable</span> <span class="sy0">=</span><span class="re2"> mytablename</span></pre>
</div>
<!-- EDIT2 SECTION "Lemonldap-ng.ini parameters" [383-974] -->
<h2 class="sectionedit3" id="configure_your_sql_database">Configure your SQL database</h2>
<!-- EDIT1 SECTION "SQL configuration backends" [1-423] -->
<h2 class="sectionedit2" id="mysql">MySQL</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configure your SQL database" [975-1015] -->
<h3 class="sectionedit4" id="sql_configuration">SQL configuration</h3>
<!-- EDIT2 SECTION "MySQL" [424-442] -->
<h3 class="sectionedit3" id="perl_driver">Perl Driver</h3>
<div class="level3">
<p>
You need DBD::MySQL Perl module:
</p>
<ul>
<li class="level1"><div class="li"> Debian:</div>
</li>
</ul>
<pre class="code">apt install libdbd-mysql-perl</pre>
<ul>
<li class="level1"><div class="li"> Red Hat:</div>
</li>
</ul>
<pre class="code">yum install perl-DBD-MySQL</pre>
</div>
<!-- EDIT3 SECTION "Perl Driver" [443-611] -->
<h3 class="sectionedit4" id="database_and_table_creation">Database and table creation</h3>
<div class="level3">
<p>
Create database:
</p>
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">DATABASE</span> lemonldap<span class="sy0">-</span>ng <span class="kw1">CHARACTER</span> <span class="kw1">SET</span> utf8;</pre>
<p>
Use database to create table:
</p>
<pre class="code sql"><span class="kw1">USE</span> lemonldap<span class="sy0">-</span>ng</pre>
</div>
<h4 id="rdbi">RDBI</h4>
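Review bot: the MySQL statements in the new "Database and table creation" section will not run as written: `CREATE DATABASE lemonldap-ng CHARACTER SET utf8;` and `USE lemonldap-ng` both use a hyphenated identifier without backticks, which is a syntax error in MySQL, and the `USE` line is missing its semicolon. Suggest `` CREATE DATABASE `lemonldap-ng` CHARACTER SET utf8mb4; `` and `` USE `lemonldap-ng`; `` (utf8 in MySQL is the 3-byte subset, so utf8mb4 is the safer default for configuration text). Grammar: "There is 2 types" should be "There are 2 types". Also note that the INI highlighter renders the `;host=1.2.3.4` part of `dbiChain` as a comment (the greyed `co0` span), which can mislead a reader into thinking the host is optional; a short sentence saying the whole string up to the end of the line is the DSN would avoid that.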
@ -127,7 +143,7 @@ Example for MySQL :
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">TABLE</span> lmConfig <span class="br0">&#40;</span>
cfgNum <span class="kw1">INT</span><span class="br0">&#40;</span><span class="nu0">11</span><span class="br0">&#41;</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span><span class="sy0">,</span>
<span class="kw1">FIELD</span> <span class="kw1">VARCHAR</span><span class="br0">&#40;</span><span class="nu0">255</span><span class="br0">&#41;</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span> <span class="kw1">DEFAULT</span> <span class="st0">''</span><span class="sy0">,</span>
<span class="kw1">VALUE</span> longblob<span class="sy0">,</span>
<span class="kw1">VALUE</span> longtext<span class="sy0">,</span>
<span class="kw1">PRIMARY</span> <span class="kw1">KEY</span> <span class="br0">&#40;</span>cfgNum<span class="sy0">,</span><span class="kw1">FIELD</span><span class="br0">&#41;</span>
<span class="br0">&#41;</span>;</pre>
@ -137,18 +153,18 @@ Example for MySQL :
<div class="level4">
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">TABLE</span> lmConfig <span class="br0">&#40;</span>
cfgNum <span class="kw1">INT</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span> <span class="kw1">PRIMARY</span> <span class="kw1">KEY</span><span class="sy0">,</span>
<span class="kw1">DATA</span> longblob
<span class="kw1">DATA</span> longtext
<span class="br0">&#41;</span>;</pre>
</div>
<!-- EDIT4 SECTION "SQL configuration" [1016-1349] -->
<h3 class="sectionedit5" id="grant_lemonldapng_access">Grant LemonLDAP::NG access</h3>
<!-- EDIT4 SECTION "Database and table creation" [612-1104] -->
<h3 class="sectionedit5" id="grant_access">Grant access</h3>
<div class="level3">
<p>
You have to grant read/write access for the manager component. Other components needs just a read access. You can also use the same user for all.
</p>
<div class="notetip">You can use different dbiUser strings :<ul>
<div class="notetip">You can use different dbiUser strings:<ul>
<li class="level1"><div class="li"> one with read/write rights for servers hosting the manager</div>
</li>
<li class="level1"><div class="li"> one with just read rights for other servers</div>
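Review bot: the same migration remark applies to `DATA longtext` in the CDBI table. In the prose above, "Other components needs just a read access" should read "Other components need only read access", and "You can also use the same user for all" would be clearer as "for all components".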
@ -157,14 +173,105 @@ You have to grant read/write access for the manager component. Other components
</div>
<p>
MySQL example (suppose that our servers are in 10.0.0.0/24 network):
For example (suppose that our servers are in 10.0.0.0/24 network):
</p>
<pre class="code sql"><span class="kw1">GRANT</span> <span class="kw1">SELECT</span><span class="sy0">,</span><span class="kw1">INSERT</span><span class="sy0">,</span><span class="kw1">UPDATE</span><span class="sy0">,</span><span class="kw1">DELETE</span><span class="sy0">,</span><span class="kw1">LOCK</span> <span class="kw1">TABLES</span> <span class="kw1">ON</span> lemonldap<span class="sy0">-</span>ng<span class="sy0">.</span>lmConfig
<span class="kw1">TO</span> lemonldap<span class="sy0">-</span>ng@manager<span class="sy0">.</span>host <span class="kw1">IDENTIFIED</span> <span class="kw1">BY</span> <span class="st0">'mypassword'</span>;
<span class="kw1">TO</span> lemonldaprw@manager<span class="sy0">.</span>host <span class="kw1">IDENTIFIED</span> <span class="kw1">BY</span> <span class="st0">'mypassword'</span>;
<span class="kw1">GRANT</span> <span class="kw1">SELECT</span> <span class="kw1">ON</span> lemonldap<span class="sy0">-</span>ng<span class="sy0">.</span>lmConfig
<span class="kw1">TO</span> lemonldap<span class="sy0">-</span>ng<span class="sy0">-</span><span class="kw1">USER</span>@<span class="st0">'10.0.0.%'</span> <span class="kw1">IDENTIFIED</span> <span class="kw1">BY</span> <span class="st0">'myotherpassword'</span>;</pre>
<span class="kw1">TO</span> lemonldapro@<span class="st0">'10.0.0.%'</span> <span class="kw1">IDENTIFIED</span> <span class="kw1">BY</span> <span class="st0">'myotherpassword'</span>;</pre>
</div>
<!-- EDIT5 SECTION "Grant LemonLDAP::NG access" [1350-] --></div>
<!-- EDIT5 SECTION "Grant access" [1105-1759] -->
<h2 class="sectionedit6" id="connection_settings">Connection settings</h2>
<div class="level2">
<p>
Change configuration settings in <code>/etc/lemonldap-ng/lemonldap-ng.ini</code> file (section configuration):
</p>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>configuration<span class="br0">&#93;</span></span>
<span class="re1">type</span> <span class="sy0">=</span><span class="re2"> RDBI</span>
<span class="re1">dbiChain</span> <span class="sy0">=</span><span class="re2"> DBI:mysql:database=lemonldap-ng</span><span class="co0">;host=1.2.3.4</span>
<span class="re1">dbiUser</span> <span class="sy0">=</span><span class="re2"> lemonldaprw</span>
<span class="re1">dbiPassword</span> <span class="sy0">=</span><span class="re2"> mypassword</span>
<span class="co0">; optional</span>
<span class="re1">dbiTable</span> <span class="sy0">=</span><span class="re2"> mytablename</span></pre>
</div>
<!-- EDIT6 SECTION "Connection settings" [1760-2090] -->
<h2 class="sectionedit7" id="postgresql">PostGreSQL</h2>
<div class="level2">
</div>
<!-- EDIT7 SECTION "PostGreSQL" [2091-2114] -->
<h3 class="sectionedit8" id="perl_driver1">Perl Driver</h3>
<div class="level3">
<p>
You need DBD::Pg Perl module:
</p>
<ul>
<li class="level1"><div class="li"> Debian:</div>
</li>
</ul>
<pre class="code">apt install libdbd-pg-perl</pre>
<ul>
<li class="level1"><div class="li"> Red Hat:</div>
</li>
</ul>
<pre class="code">yum install perl-DBD-Pg</pre>
</div>
<!-- EDIT8 SECTION "Perl Driver" [2115-2274] -->
<h3 class="sectionedit9" id="database_and_table_creation1">Database and table creation</h3>
<div class="level3">
<p>
Create database:
</p>
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">DATABASE</span> lemonldap<span class="sy0">-</span>ng;</pre>
<p>
Use database to create table:
</p>
<pre class="code sql"><span class="kw1">USE</span> lemonldap<span class="sy0">-</span>ng</pre>
</div>
<h4 id="rdbi1">RDBI</h4>
<div class="level4">
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">TABLE</span> lmconfig <span class="br0">&#40;</span>
cfgnum <span class="kw1">INTEGER</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span><span class="sy0">,</span>
<span class="kw1">FIELD</span> text <span class="kw1">NOT</span> <span class="kw1">NULL</span><span class="sy0">,</span>
<span class="kw1">VALUE</span> text<span class="sy0">,</span>
<span class="kw1">PRIMARY</span> <span class="kw1">KEY</span> <span class="br0">&#40;</span>cfgNum<span class="sy0">,</span><span class="kw1">FIELD</span><span class="br0">&#41;</span>
<span class="br0">&#41;</span>;</pre>
</div>
<h4 id="cdbi1">CDBI</h4>
<div class="level4">
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">TABLE</span> lmConfig <span class="br0">&#40;</span>
cfgnum <span class="kw1">INTEGER</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span> <span class="kw1">PRIMARY</span> <span class="kw1">KEY</span><span class="sy0">,</span>
<span class="kw1">DATA</span> text
<span class="br0">&#41;</span>;</pre>
</div>
<!-- EDIT9 SECTION "Database and table creation" [2275-2725] -->
<h2 class="sectionedit10" id="connection_settings1">Connection settings</h2>
<div class="level2">
<p>
Change configuration settings in <code>/etc/lemonldap-ng/lemonldap-ng.ini</code> file (section configuration):
</p>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>configuration<span class="br0">&#93;</span></span>
<span class="re1">type</span> <span class="sy0">=</span><span class="re2"> RDBI</span>
<span class="re1">dbiChain</span> <span class="sy0">=</span><span class="re2"> DBI:Pg:database=lemonldap-ng</span><span class="co0">;host=1.2.3.4</span>
<span class="re1">dbiUser</span> <span class="sy0">=</span><span class="re2"> lemonldaprw</span>
<span class="re1">dbiPassword</span> <span class="sy0">=</span><span class="re2"> mypassword</span>
<span class="co0">; optional</span>
<span class="re1">dbiTable</span> <span class="sy0">=</span><span class="re2"> mytablename</span></pre>
</div>
<!-- EDIT10 SECTION "Connection settings" [2726-] --></div>
</body>
</html>
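Review bot: the `GRANT ... TO lemonldaprw@manager.host IDENTIFIED BY 'mypassword';` form creates the account as a side effect of GRANT, which MySQL 8.0 no longer accepts; the page should show `CREATE USER` followed by a plain `GRANT`, and `lemonldap-ng.lmConfig` needs backticks around the hyphenated database name. The PostgreSQL section has three problems of its own: `CREATE DATABASE lemonldap-ng;` needs the identifier double-quoted, `USE lemonldap-ng` is MySQL syntax (in psql it is `\c "lemonldap-ng"`), and there is no "Grant access" section, so the read-only versus read-write split that the MySQL section recommends is not carried over. The "Connection settings" sections should also list the valid `type` values (RDBI, CDBI) now that the old bullet naming them was removed, and mention that `lemonldap-ng.ini` holds `dbiPassword` in clear text so its permissions must restrict it to the LLNG service accounts. Minor: the product is spelled "PostgreSQL".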

View File

@ -266,7 +266,7 @@
<td class="col0"> <a href="authfacebook.html" class="wikilink1" title="documentation:2.0:authfacebook">Facebook</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> <a href="new.png" class="media" title="documentation:2.0:new.png"><img src="new.edf565b3f89a0ad56df9a5e7a31a6de8.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"> </td><td class="col3 centeralign"> </td>
<td class="col0"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> <a href="new.png" class="media" title="documentation:2.0:new.png"><img src="new.edf565b3f89a0ad56df9a5e7a31a6de8.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> <a href="authldap.html" class="wikilink1" title="documentation:2.0:authldap">LDAP</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"></td>
@ -343,8 +343,14 @@
<tr class="row32 roweven">
<td class="col0"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External Second Factor</a> <em>(OTP, SMS,…)</em> <a href="new.png" class="media" title="documentation:2.0:new.png"><img src="new.edf565b3f89a0ad56df9a5e7a31a6de8.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row33 rowodd">
<th class="col0"> Auth addons </th><th class="col1 centeralign"> Authentication </th><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row34 roweven">
<td class="col0"> <a href="autosignin.html" class="wikilink1" title="documentation:2.0:autosignin">Auto Signin</a> <a href="new.png" class="media" title="documentation:2.0:new.png"><img src="new.edf565b3f89a0ad56df9a5e7a31a6de8.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
</table></div>
<!-- EDIT9 TABLE [2221-4140] -->
<!-- EDIT9 TABLE [2221-4231] -->
<p>
</div></div>
</p>
@ -388,13 +394,13 @@
<td class="col0"> <a href="issuerdbget.html" class="wikilink1" title="documentation:2.0:issuerdbget">Get parameters provider</a> <em>(for poor applications)</em> </td><td class="col1 leftalign"> </td><td class="col2 centeralign"></td>
</tr>
</table></div>
<!-- EDIT10 TABLE [4486-4847] -->
<!-- EDIT10 TABLE [4577-4938] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT8 SECTION "Portal" [1685-4875] -->
<!-- EDIT8 SECTION "Portal" [1685-4966] -->
<h3 class="sectionedit11" id="handlers">Handlers</h3>
<div class="level3">
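Review bot: most of this file's diff is `<!-- EDITn SECTION ... [offset-offset] -->` and `<!-- EDITn TABLE [...] -->` comments whose byte offsets shifted because a table row was added above; these are DokuWiki section-edit markers with no meaning in a static export. Stripping them from the exported HTML would keep future documentation diffs to the actual content changes.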
@ -435,7 +441,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
<td class="col0"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra PreAuth</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td><td class="col4 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT12 TABLE [5114-5947] -->
<!-- EDIT12 TABLE [5205-6038] -->
<p>
<em>(*): <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js handler</a> has not yet reached the same level of functionality.</em>
</p>
@ -445,7 +451,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
</p>
</div>
<!-- EDIT11 SECTION "Handlers" [4876-6070] -->
<!-- EDIT11 SECTION "Handlers" [4967-6161] -->
<h3 class="sectionedit13" id="llng_databases">LLNG databases</h3>
<div class="level3">
@ -491,7 +497,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
<td class="col0 centeralign"> <a href="restconfbackend.html" class="wikilink1" title="documentation:2.0:restconfbackend">REST</a> <a href="new.png" class="media" title="documentation:2.0:new.png"><img src="new.edf565b3f89a0ad56df9a5e7a31a6de8.png" class="media" alt="" width="35" /></a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> Proxy backend to be used in conjunction with another configuration backend. <br/><strong>Can be used to secure another backend</strong> for remote servers. </td>
</tr>
</table></div>
<!-- EDIT14 TABLE [6369-7351] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
<!-- EDIT14 TABLE [6460-7442] --><div class="notetip">You can not start with an empty configuration, so read <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">how to change configuration backend</a> to convert your existing configuration into another one.
</div>
<p>
</div></div>
@ -546,13 +552,13 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
<strong>Can be used to secure another backend</strong> for remote servers. </td>
</tr>
</table></div>
<!-- EDIT15 TABLE [8216-9895] -->
<!-- EDIT15 TABLE [8307-9986] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT13 SECTION "LLNG databases" [6071-9923] -->
<!-- EDIT13 SECTION "LLNG databases" [6162-10014] -->
<h2 class="sectionedit16" id="applications_protection">Applications protection</h2>
<div class="level2">
@ -581,7 +587,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT16 SECTION "Applications protection" [9924-10414] -->
<!-- EDIT16 SECTION "Applications protection" [10015-10505] -->
<h3 class="sectionedit17" id="well_known_compatible_applications">Well known compatible applications</h3>
<div class="level3">
<div class="noteclassic">Here is a list of well known applications that are compatible with <abbr title="LemonLDAP::NG">LL::NG</abbr>. A full list is available on <a href="applications.html" class="wikilink1" title="documentation:2.0:applications">vendor applications page</a>.
@ -667,7 +673,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT17 SECTION "Well known compatible applications" [10415-12353] -->
<!-- EDIT17 SECTION "Well known compatible applications" [10506-12444] -->
<h2 class="sectionedit18" id="advanced_features">Advanced features</h2>
<div class="level2">
@ -718,7 +724,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT18 SECTION "Advanced features" [12354-13291] -->
<!-- EDIT18 SECTION "Advanced features" [12445-13382] -->
<h2 class="sectionedit19" id="mini_howtos">Mini howtos</h2>
<div class="level2">
@ -749,7 +755,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT19 SECTION "Mini howtos" [13292-13961] -->
<!-- EDIT19 SECTION "Mini howtos" [13383-14052] -->
<h2 class="sectionedit20" id="exploitation">Exploitation</h2>
<div class="level2">
@ -782,7 +788,7 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</p>
</div>
<!-- EDIT20 SECTION "Exploitation" [13962-14382] -->
<!-- EDIT20 SECTION "Exploitation" [14053-14473] -->
<h2 class="sectionedit21" id="bug_report">Bug report</h2>
<div class="level2">
@ -791,7 +797,7 @@ See <a href="bugreport.html" class="wikilink1" title="bugreport">How to report a
</p>
</div>
<!-- EDIT21 SECTION "Bug report" [14383-14447] -->
<!-- EDIT21 SECTION "Bug report" [14474-14538] -->
<h2 class="sectionedit22" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -856,6 +862,6 @@ To translate this doc (Manager help):
</ul>
</div>
<!-- EDIT22 SECTION "Developer corner" [14448-] --></div>
<!-- EDIT22 SECTION "Developer corner" [14539-] --></div>
</body>
</html>

View File

@ -49,11 +49,8 @@
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#installation">Installation</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#debian_wheezy">Debian Wheezy</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#upgrade_order_from_19">Upgrade order from 1.9.*</a></div></li>
<li class="level1"><div class="li"><a href="#installation">Installation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level1"><div class="li"><a href="#kerberos_or_ssl_usage">Kerberos or SSL usage</a></div></li>
<li class="level1"><div class="li"><a href="#logs">Logs</a></div></li>
@ -80,20 +77,47 @@
</div>
</div>
<!-- EDIT1 SECTION "Upgrade from 1.9 to 2.0" [1-162] -->
<h2 class="sectionedit2" id="installation">Installation</h2>
<h2 class="sectionedit2" id="upgrade_order_from_19">Upgrade order from 1.9.*</h2>
<div class="level2">
<p>
As usual, if you use more than 1 server and don&#039;t want to stop the <abbr title="Single Sign On">SSO</abbr> service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, upgrade must be done in the following order:
</p>
<ol>
<li class="level1"><div class="li"> servers that have only handlers;</div>
</li>
<li class="level1"><div class="li"> portal servers <em>(all together if your load balancer doesn&#039;t keep state by user or client <abbr title="Internet Protocol">IP</abbr> and if users use the menu)</em>;</div>
</li>
<li class="level1"><div class="li"> manager server</div>
</li>
</ol>
<div class="noteimportant">You must revalidate your configuration using the manager.
</div>
<!-- EDIT2 SECTION "Installation" [163-188] -->
<h3 class="sectionedit3" id="debian_wheezy">Debian Wheezy</h3>
<div class="level3">
</div>
<!-- EDIT2 SECTION "Upgrade order from 1.9.*" [163-653] -->
<h2 class="sectionedit3" id="installation">Installation</h2>
<div class="level2">
<p>
To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maintscript</code> file.
This release of <abbr title="LemonLDAP::NG">LL::NG</abbr> requires these minimal versions of GNU/Linux distributions:
</p>
<ul>
<li class="level1"><div class="li"> Debian 9 (stretch)</div>
</li>
<li class="level1"><div class="li"> Ubuntu 16.04 LTS</div>
</li>
<li class="level1"><div class="li"> CentOS 7</div>
</li>
<li class="level1"><div class="li"> RHEL 7</div>
</li>
</ul>
<p>
For <abbr title="Security Assertion Markup Language">SAML</abbr> features, we require Lasso 2.5.
</p>
</div>
<!-- EDIT3 SECTION "Debian Wheezy" [189-304] -->
<!-- EDIT3 SECTION "Installation" [654-872] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<ul>
@ -103,15 +127,19 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
</li>
<li class="level1"><div class="li"> Apache and Nginx configurations must updated to use the FastCGI portal</div>
</li>
<li class="level1"><div class="li"> URLs for mail reset and register pages have changed, you must update configuration parameters. For example:</div>
</li>
</ul>
<div class="noteimportant">Apache-ModPerl is no longer usable since version 2.4 <em>(many segfaults,…)</em>, especially when using mpm-worker. That&#039;s why LLNG doesn&#039;t use anymore ModPerl::Registry: all is now handle by FastCGI <em>(portal and manager)</em>.
<pre class="code :perl"> mailUrl <span class="sy0">=&gt;</span> <span class="st_h">'http://auth.example.com/resetpwd'</span><span class="sy0">,</span>
registerUrl <span class="sy0">=&gt;</span> <span class="st_h">'http://auth.example.com/register'</span><span class="sy0">,</span></pre>
<div class="noteimportant">Apache mod_perl has a lot of issues since version 2.4 <em>(many segfaults,…)</em>, especially when using mpm-worker. That&#039;s why <abbr title="LemonLDAP::NG">LL::NG</abbr> doesn&#039;t use anymore ModPerl::Registry: all is now handled by FastCGI <em>(portal and manager)</em>.
<p>
<strong>For handlers, it is now recommended to migrate to Nginx</strong>, but Apache-2.X is still supported
<strong>For Handlers, it is now recommended to migrate to Nginx</strong>, but Apache 2 is still supported
</p>
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [305-1090] -->
<!-- EDIT4 SECTION "Configuration" [873-1894] -->
<h2 class="sectionedit5" id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<div class="level2">
<ul>
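Review bot: the new example `mailUrl => 'http://auth.example.com/resetpwd'` and `registerUrl => 'http://auth.example.com/register'` use plain http for URLs that will carry password-reset and registration tokens; the examples should use https so nobody copies the insecure form into production. Wording in the same hunk: "Apache and Nginx configurations must updated" should be "must be updated", "doesn't use anymore ModPerl::Registry" should be "no longer uses ModPerl::Registry", and "Apache 2 is still supported" is missing its full stop. Also check the wiki source for the `<pre class="code :perl">` block, the stray colon in the language name suggests a typo in the markup even though the highlighter coped with it.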
@ -122,7 +150,7 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
</ul>
</div>
<!-- EDIT5 SECTION "Kerberos or SSL usage" [1091-1599] -->
<!-- EDIT5 SECTION "Kerberos or SSL usage" [1895-2403] -->
<h2 class="sectionedit6" id="logs">Logs</h2>
<div class="level2">
<ul>
@ -133,7 +161,7 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
</ul>
</div>
<!-- EDIT6 SECTION "Logs" [1600-2012] -->
<!-- EDIT6 SECTION "Logs" [2404-2816] -->
<h2 class="sectionedit7" id="security">Security</h2>
<div class="level2">
@ -148,7 +176,7 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT7 SECTION "Security" [2013-2580] -->
<!-- EDIT7 SECTION "Security" [2817-3384] -->
<h2 class="sectionedit8" id="handlers">Handlers</h2>
<div class="level2">
<ul>
@ -159,7 +187,7 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT8 SECTION "Handlers" [2581-3242] -->
<!-- EDIT8 SECTION "Handlers" [3385-4046] -->
<h2 class="sectionedit9" id="rules_and_headers">Rules and headers</h2>
<div class="level2">
<ul>
@ -172,7 +200,7 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT9 SECTION "Rules and headers" [3243-3561] -->
<!-- EDIT9 SECTION "Rules and headers" [4047-4365] -->
<h2 class="sectionedit10" id="supported_servers">Supported servers</h2>
<div class="level2">
<ul>
@ -181,7 +209,7 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT10 SECTION "Supported servers" [3562-3707] -->
<!-- EDIT10 SECTION "Supported servers" [4366-4511] -->
<h2 class="sectionedit11" id="ajax_requests">Ajax requests</h2>
<div class="level2">
@ -190,7 +218,7 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302
</p>
</div>
<!-- EDIT11 SECTION "Ajax requests" [3708-3927] -->
<!-- EDIT11 SECTION "Ajax requests" [4512-4731] -->
<h2 class="sectionedit12" id="soaprest_services">SOAP/REST services</h2>
<div class="level2">
<ul>
@ -206,12 +234,12 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302
<div class="noteimportant"><a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> uses now REST services instead of SOAP.
</div>
</div>
<!-- EDIT12 SECTION "SOAP/REST services" [3928-4526] -->
<!-- EDIT12 SECTION "SOAP/REST services" [4732-5330] -->
<h2 class="sectionedit13" id="developer_corner">Developer corner</h2>
<div class="level2">
</div>
<!-- EDIT13 SECTION "Developer corner" [4527-4556] -->
<!-- EDIT13 SECTION "Developer corner" [5331-5360] -->
<h3 class="sectionedit14" id="apis">APIs</h3>
<div class="level3">
@ -220,7 +248,7 @@ Portal has now many REST features and includes a plugin <abbr title="Application
</p>
</div>
<!-- EDIT14 SECTION "APIs" [4557-4714] -->
<!-- EDIT14 SECTION "APIs" [5361-5518] -->
<h3 class="sectionedit15" id="portal_overview">Portal overview</h3>
<div class="level3">
@ -242,7 +270,7 @@ The request is a separated object based on Lemonldap::NG::Portal::Main::Request
</p>
</div>
<!-- EDIT15 SECTION "Portal overview" [4715-5162] -->
<!-- EDIT15 SECTION "Portal overview" [5519-5966] -->
<h3 class="sectionedit16" id="handler">Handler</h3>
<div class="level3">
@ -255,6 +283,6 @@ If you had auto protected CGI, you also need to rewrite them, see <a href="selfm
</p>
</div>
<!-- EDIT16 SECTION "Handler" [5163-] --></div>
<!-- EDIT16 SECTION "Handler" [5967-] --></div>
</body>
</html>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:writingrulesand_headers</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,writingrulesand_headers"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="writingrulesand_headers.html"/>
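Review bot: the robots meta on this exported page flips from "noindex,nofollow" to "index,follow", which is the switch that lets search engines crawl and index the documentation; confirm this is the intended DokuWiki export setting applied consistently (the same one-line change should then appear in every exported HTML page of this commit) rather than a local edit to one file, and mention it in the commit message since it changes the public visibility of the rendered docs.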