diff --git a/doc/pages/documentation/current/applications.html b/doc/pages/documentation/current/applications.html
index 015d9c4fd..b9f176369 100644
--- a/doc/pages/documentation/current/applications.html
+++ b/doc/pages/documentation/current/applications.html
@@ -43,183 +43,150 @@
- -
-

Table of Contents

-
- - -
-
-

Applications

-

Known supported applications

+

How to integrate

-Applications listed below are known to be easy to integrate in LL::NG. As LL::NG works like classic WebSSO (like Siteminder™), many other applications are easy to integrate. +To integrate a Web application in LL::NG, you have the following possibilities:

+ + +

+If none of above methods is available, you can try: +

+
- -

Mail, Agenda, Groupware

-
+ +

Application list

+
- + - - -
OBM Sympa Zimbra RoundCube HTTP headers Specific Handler CAS SAML OpenID Connect
- -
- -

Wiki

-
-
- - - - - - - - -
Dokuwiki Mediawiki
- -
- -

CMS, Portal, ECM

-
-
- - - - - - - - -
Drupal Liferay Alfresco
- -
- -

Bugtracker, Service Management

-
-
- - - - - - - - -
Bugzilla GLPI
- -
- -

Other

-
-
- - - - - - - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
GRR phpLDAPadmin LimeSurvey SAP
LimeSurvey SAP ADFS
FusionDirectory Alfresco
fusiondirectory-logo.jpg logo_amazon_web_services.jpg Amazon Web Services
Bugzilla
Cornerstone
Django
HTTP headers Specific Handler CAS SAML OpenID Connect
Dokuwiki
Drupal
fusiondirectory-logo.jpg FusionDirectory
GLPI
Google Apps
HTTP headers Specific Handler CAS SAML OpenID Connect
GRR
Liferay
LimeSurvey LimeSurvey
Mediawiki
NextCloud
HTTP headers Specific Handler CAS SAML OpenID Connect
OBM
Office 365
phpLDAPAdmin
Roundcube
SalesForce
SAP SAP
simpleSAMLphp
HTTP headers Specific Handler CAS SAML OpenID Connect
Spring
Sympa
Tomcat
Zimbra
HTTP headers Specific Handler CAS SAML OpenID Connect
- +
- -

Frameworks

-
-
- - - - - - - - -
Java (Spring) Python (Django)
- -
- -

Connectors

-
-
- - - - - - - - - - - - - - -
HTTP Auth-Basic Tomcat Nginx
Some applications using it
Outlook Web App
-IBM Lotus iNotes
Probe
-Lutece
- -
- -

SAML connectors

-
-
This requires to configure LL::NG as an SAML Identity Provider. -
- - - - - - - - - - - - - - -
Google Apps Cornerstone SalesForce simpleSAMLphp
NextCloud ADFS
- -
-
+
diff --git a/doc/pages/documentation/current/applications/alfresco.html b/doc/pages/documentation/current/applications/alfresco.html
index 474270c03..a319ff885 100644
--- a/doc/pages/documentation/current/applications/alfresco.html
+++ b/doc/pages/documentation/current/applications/alfresco.html
@@ -50,10 +50,21 @@

-The first will allow one to configure SSO for the alfresco webapp, and the other for the share webapp. +The first will allow to configure SSO for the alfresco webapp, and the other for the share webapp.

@@ -163,28 +184,389 @@ You need to restart Tomcat to apply changes.

Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to LL::NG.
- +

LL::NG

+
+ +

Headers

+
+

Just set the Auth-User header with the attribute that carries the user login, for example $uid.

+
+ +

Rules

+
+

-You can intercept the logout with this rule: ^/share/page/dologout ⇒ logout_app_sso +Set the default rule to what you need.

-
- -

Other resources

-
+

+Other rules: +

- + +

SAML2

+
+ +
+ +

Alfresco

+
+ +

+Install SAML Alfresco module package: +

+
cp alfresco-saml-repo-1.0.1.amp <ALFRESCO_HOME>/amps
+cp alfresco-saml-share-1.0.1.amp <ALFRESCO_HOME>/amps_share
+./bin/apply_amp.sh
+ +

+Generate SAML certificate: +

+
keytool -genkeypair -alias my-saml-key -keypass change-me -storepass change-me -keystore my-saml.keystore -storetype JCEKS
+ +

+Export the keystore: +

+
mv my-saml.keystore alf_data/keystore
+cat <<EOT > alf_data/keystore/my-saml.keystore-metadata.properties
+aliases=my-saml-key
+keystore.password=change-me
+my-saml-key.password=change-me
+EOT
+cat <<EOT >> tomcat/shared/classes/alfresco-global.properties
+
+saml.keystore.location=\${dir.keystore}/my-saml.keystore
+saml.keystore.keyMetaData.location=\${dir.keystore}/my-saml.keystore-metadata.properties
+EOT
+ +

+Edit then share-config-custom.xml: +

+
    ...
+        <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
+ 
+ 
+ 
+        <!--
+            If using https make a CSRFPolicy with replace="true" and override the properties section.
+            Note, localhost is there to allow local checks to succeed.
+ 
+ 
+ 
+            I.e.
+            <properties>
+                <token>Alfresco-CSRFToken</token>
+                <referer>https://your-domain.com/.*|http://localhost:8080/.*</referer>
+                <origin>https://your-domain.com|http://localhost:8080</origin>
+            </properties>
+        -->
+ 
+ 
+ 
+            <filter>
+ 
+ 
+ 
+                <!-- SAML SPECIFIC CONFIG -  START -->
+ 
+ 
+ 
+                <!--
+                 Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET's to avoid them
+                 having to pass through the remaining rules.
+                 -->
+                <rule>
+                    <request>
+                        <method>GET</method>
+                        <path>/res/.*</path>
+                    </request>
+                </rule>
+ 
+ 
+ 
+                <!-- Incoming posts from IDPs do not require a token -->
+                <rule>
+                    <request>
+                        <method>POST</method>
+                        <path>/page/saml-authnresponse|/page/saml-logoutresponse|/page/saml-logoutrequest</path>
+                    </request>
+                </rule>
+ 
+ 
+ 
+                <!-- SAML SPECIFIC CONFIG -  STOP -->
+ 
+ 
+ 
+                <!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml -->
+ 
+ 
+ 
+                <!--
+                 Certain webscripts shall not be allowed to be accessed directly form the browser.
+                 Make sure to throw an error if they are used.
+                 -->
+                <rule>
+                    <request>
+                        <path>/proxy/alfresco/remoteadm/.*</path>
+                    </request>
+                    <action name="throwError">
+                        <param name="message">It is not allowed to access this url from your browser</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!--
+                 Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.
+                 TODO: Refactor the publishing code so that form that is posted to this URL is a Share webscript with the right tokens.
+                 -->
+                <rule>
+                    <request>
+                        <method>POST</method>
+                        <path>/proxy/alfresco/api/publishing/channels/.+</path>
+                    </request>
+                    <action name="assertReferer">
+                        <param name="referer">{referer}</param>
+                    </action>
+                    <action name="assertOrigin">
+                        <param name="origin">{origin}</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!--
+                 Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
+                 the Surf WebScript console code can't be dependent on a Share specific filter.
+                 -->
+                <rule>
+                    <request>
+                        <method>POST</method>
+                        <path>/page/caches/dependency/clear|/page/index|/page/surfBugStatus|/page/modules/deploy|/page/modules/module|/page/api/javascript/debugger|/page/console</path>
+                    </request>
+                    <action name="assertReferer">
+                        <param name="referer">{referer}</param>
+                    </action>
+                    <action name="assertOrigin">
+                        <param name="origin">{origin}</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!-- Certain Share POST requests does NOT require a token -->
+                <rule>
+                    <request>
+                        <method>POST</method>
+                        <path>/page/dologin(\?.+)?|/page/site/[^/]+/start-workflow|/page/start-workflow|/page/context/[^/]+/start-workflow</path>
+                    </request>
+                    <action name="assertReferer">
+                        <param name="referer">{referer}</param>
+                    </action>
+                    <action name="assertOrigin">
+                        <param name="origin">{origin}</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!-- Assert logout is done from a valid domain, if so clear the token when logging out -->
+                <rule>
+                    <request>
+                        <method>POST</method>
+                        <path>/page/dologout(\?.+)?</path>
+                    </request>
+                    <action name="assertReferer">
+                        <param name="referer">{referer}</param>
+                    </action>
+                    <action name="assertOrigin">
+                        <param name="origin">{origin}</param>
+                    </action>
+                    <action name="clearToken">
+                        <param name="session">{token}</param>
+                        <param name="cookie">{token}</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!-- Make sure the first token is generated -->
+                <rule>
+                    <request>
+                        <session>
+                            <attribute name="_alf_USER_ID">.+</attribute>
+                            <attribute name="{token}"/>
+                            <!-- empty attribute element indicates null, meaning the token has not yet been set -->
+                        </session>
+                    </request>
+                    <action name="generateToken">
+                        <param name="session">{token}</param>
+                        <param name="cookie">{token}</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!-- Refresh token on new "page" visit when a user is logged in -->
+                <rule>
+                    <request>
+                        <method>GET</method>
+                        <path>/page/.*</path>
+                        <session>
+                            <attribute name="_alf_USER_ID">.+</attribute>
+                            <attribute name="{token}">.+</attribute>
+                        </session>
+                    </request>
+                    <action name="generateToken">
+                        <param name="session">{token}</param>
+                        <param name="cookie">{token}</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!--
+                 Verify multipart requests from logged in users contain the token as a parameter
+                 and also correct referer & origin header if available
+                 -->
+                <rule>
+                    <request>
+                        <method>POST</method>
+                        <header name="Content-Type">multipart/.+</header>
+                        <session>
+                            <attribute name="_alf_USER_ID">.+</attribute>
+                        </session>
+                    </request>
+                    <action name="assertToken">
+                        <param name="session">{token}</param>
+                        <param name="parameter">{token}</param>
+                    </action>
+                    <action name="assertReferer">
+                        <param name="referer">{referer}</param>
+                    </action>
+                    <action name="assertOrigin">
+                        <param name="origin">{origin}</param>
+                    </action>
+                </rule>
+ 
+ 
+ 
+                <!--
+                 Verify that all remaining state changing requests from logged in users' requests contains a token in the
+                 header and correct referer & origin headers if available. We "catch" all content types since just setting it to
+                 "application/json.*" since a webscript that doesn't require a json request body otherwise would be
+                 successfully executed using i.e."text/plain".
+                 -->
+                <rule>
+                    <request>
+                        <method>POST|PUT|DELETE</method>
+                        <session>
+                            <attribute name="_alf_USER_ID">.+</attribute>
+                        </session>
+                    </request>
+                    <action name="assertToken">
+                        <param name="session">{token}</param>
+                        <param name="header">{token}</param>
+                    </action>
+                    <action name="assertReferer">
+                        <param name="referer">{referer}</param>
+                    </action>
+                    <action name="assertOrigin">
+                        <param name="origin">{origin}</param>
+                    </action>
+                </rule>
+            </filter>
+        </config>
+    ...
+ +

+Configure SAML service provider using the Alfresco admin console (/alfresco/s/enterprise/admin/admin-saml). +

+ +

+Set the following parameters: +

+ + +

+To finish with Alfresco configuration, tick the “Enable SAML authentication (SSO)” box. +

+ +
+ +

LL::NG

+
+ +

+Configure SAML service and set a certificate as signature public key in metadata. +

+ +

+Export Alfresco SAML Metadata from admin console and import them in LL::NG. +

+ +

+In the authentication response option, set: +

+ + +

+And you can define these exported attributes: +

+ + +
+ +

Other resources

+
+ + +
+ diff --git a/doc/pages/documentation/current/applications/aws.html b/doc/pages/documentation/current/applications/aws.html new file mode 100644 index 000000000..c62b55007 --- /dev/null +++ b/doc/pages/documentation/current/applications/aws.html @@ -0,0 +1,134 @@ + + + + + documentation:2.0:applications:aws + + + + + + + + + + + + + + + + + + + + +
+ +

Amazon Web Services

+
+ +

+Amazon Web Services allows to delegate authentication through SAML2. +

+ +
+ +

SAML

+
+ +
If you have only one role, the configuration is simple. If you have multiple +roles for different people, it is a little trickier. As you will see, the SAML +attributes are not dynamic, so you have to set them in the session when a user +logs in or use a custom function. In this example, I wanted to avoid managing +custom functions on all the servers, so the SAML attributes are set in +the session. We also use LDAP for user information, so I will describe that. +In our LDAP tree, each user has attributes which are used quite heavily for +dynamic groups and authorisation. You will want something +similar, using whatever attribute makes sense to you. For example:
  dn: uid=user,ou=people,dc=your,dc=com
+  ...
+  ou: sysadmin
+  ou: database
+  ou: root
+ +
+ +
+
+ +
diff --git a/doc/pages/documentation/current/applications/dokuwiki.html b/doc/pages/documentation/current/applications/dokuwiki.html
index 69fd9df0f..0fd8612d4 100644
--- a/doc/pages/documentation/current/applications/dokuwiki.html
+++ b/doc/pages/documentation/current/applications/dokuwiki.html
@@ -50,10 +50,10 @@
@@ -204,7 +204,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio -
+
diff --git a/doc/pages/documentation/current/applications/img/loader.gif b/doc/pages/documentation/current/applications/img/loader.gif
index 3ea2e2357..40a263883 100644
--- a/doc/pages/documentation/current/applications/img/loader.gif
+++ b/doc/pages/documentation/current/applications/img/loader.gif
@@ -90,7 +90,7 @@ +
  • @@ -204,7 +204,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio -
    +
    diff --git a/doc/pages/documentation/current/applications/limesurvey.html b/doc/pages/documentation/current/applications/limesurvey.html
index 0dda4b624..f8bc2bc89 100644
--- a/doc/pages/documentation/current/applications/limesurvey.html
+++ b/doc/pages/documentation/current/applications/limesurvey.html
@@ -50,7 +50,7 @@

    Rules

    @@ -241,16 +189,16 @@ Go to the Manager and - Logout action=logout$ Logout rule (for example logout_app_sso) + Logout /sa/logout$ Logout rule (for example logout_app_sso) - Admin ^/limesurvey/admin/ Allow only admin and superadmin roles + Admin ^/(index\.php/)?admin Allow only admin and superadmin users Default default Allow only users with a LimeSurvey role -
    You can set the default access to:
    + diff --git a/doc/pages/documentation/current/applications/office365.html b/doc/pages/documentation/current/applications/office365.html new file mode 100644 index 000000000..7e3e5cae3 --- /dev/null +++ b/doc/pages/documentation/current/applications/office365.html @@ -0,0 +1,165 @@ + + + + + documentation:2.0:applications:office365 + + + + + + + + + + + + + + + + + + + + +
    + +
    +

    Table of Contents

    +
    + + +
    +
    + + +

    Office 365

    +
    + +

    + +

    + +
    + +

    Presentation

    +
    + +

    +Office 365 provides online access to Microsoft products like Office, Outlook or Yammer. Authentication is done on https://login.microsoftonline.com/ and can be forwarded to an SAML Identity Provider. +

    + +
    + +

    Configuration

    +
    + +
    + +

    Office 365

    +
    + +

    +You first need to install AzureAD PowerShell to be able to run administrative commands. +

    + +

    +Then run this script: +

    +
    $dom = "mycompany.com"
    +$brand = "My Company"
    +$url = "https://auth.example.com/saml/singleSignOn"
    +$uri = "https://auth.example.com/saml/metadata"
    +$logouturl = "https://auth.example.com/?logout=1"
    +$cert = "xxxxxxxxxxxxxxxxxxx"
    + 
    +Set-MsolDomainAuthentication –DomainName $dom -FederationBrandName $brand -Authentication Federated  -PassiveLogOnUri $url -SigningCertificate $cert -IssuerUri $uri  -LogOffUri $logouturl -PreferredAuthenticationProtocol SAMLP
    + +

    +Where parameters are: +

    + + +

    +If you have several Office365 domains, you can't use the same URLs for each domains. To be able to have a single SAML IDP for several domains, you must add the 'domain' GET parameters at the end of SSO endpoint and metadata URLs, for example: +

    + + +
    + +

    LemonLDAP::NG

    +
    + +

    +Create a new SAML Service Provider and import Microsoft metadata from https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml +

    + +

    +Set the NameID value to persistent, or any immutable value for the user. +

    + +

    +Create a SAML attribute named IDPEmail which contains the user principal name (UPN). +

    + +
    +
    + + diff --git a/doc/pages/documentation/current/applications/sap.html b/doc/pages/documentation/current/applications/sap.html new file mode 100644 index 000000000..d9b322c90 --- /dev/null +++ b/doc/pages/documentation/current/applications/sap.html @@ -0,0 +1,75 @@ + + + + + documentation:2.0:applications:sap + + + + + + + + + + + + + + + + + + + + +
    + +

    SAP

    +
    + +

    +SAP +

    + +
    + +

    HTTP header

    +
    + +

    +Read the following documentation: http://help.sap.com/saphelp_nw70/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm +

    + +
    + +

    SAML

    +
    + +

    +Read the following documentation: https://help.sap.com/saphelp_nw70/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm +

    + +
    +
    + + diff --git a/doc/pages/documentation/current/applications/saplogo.gif_documentation_2.0_applications_sap.html b/doc/pages/documentation/current/applications/saplogo.gif_documentation_2.0_applications_sap.html new file mode 100644 index 000000000..0902d1c4d --- /dev/null +++ b/doc/pages/documentation/current/applications/saplogo.gif_documentation_2.0_applications_sap.html @@ -0,0 +1,103 @@ + + + + + applications:saplogo.gif [LemonLDAP::NG] + + + + + + +/> + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + +

    + applications:saplogo.gif

    + +
    + + saplogo.gif +
    + +
    +
    +

    saplogo.gif

    +
    +
    +
    Date:
    2016/07/19 12:15
    Filename:
    saplogo.gif
    Format:
    GIF
    Size:
    538B
    Width:
    73
    Height:
    36
    +
    + +
    +
    + +

    + +


    + +
    + Back to documentation:2.0:applications:sap
    + +

    + +
    + + + diff --git a/doc/pages/documentation/current/applications/screenshot_dokuwiki_configuration.png_documentation_2.0_applications_dokuwiki.html b/doc/pages/documentation/current/applications/screenshot_dokuwiki_configuration.png_documentation_2.0_applications_dokuwiki.html new file mode 100644 index 000000000..c4b030ad4 --- /dev/null +++ b/doc/pages/documentation/current/applications/screenshot_dokuwiki_configuration.png_documentation_2.0_applications_dokuwiki.html @@ -0,0 +1,103 @@ + + + + + applications:screenshot_dokuwiki_configuration.png [LemonLDAP::NG] + + + + + + +/> + + + + + + + + + + + + + + + + + + + + + + + + + + +
    + + + +

    + applications:screenshot_dokuwiki_configuration.png

    + +
    + + screenshot_dokuwiki_configuration.png +
    + +
    +
    +

    screenshot_dokuwiki_configuration.png

    +
    +
    +
    Date:
    2017/11/23 14:30
    Filename:
    screenshot_dokuwiki_configuration.png
    Format:
    PNG
    Size:
    35KB
    Width:
    898
    Height:
    317
    +
    + +
    +
    + +

    + +


    + +
    + Back to documentation:2.0:applications:dokuwiki
    + +

    + +
    + + +
diff --git a/doc/pages/documentation/current/authkerberos.html b/doc/pages/documentation/current/authkerberos.html
index a5bed7234..00c5c4d1d 100644
--- a/doc/pages/documentation/current/authkerberos.html
+++ b/doc/pages/documentation/current/authkerberos.html
@@ -53,6 +53,7 @@
  • LLNG Configuration
  • @@ -81,8 +82,12 @@ Kerberos is a network authentication protocol used to authenticate users based on their desktop session.

    +

    +LL::NG uses GSSAPI module to validate Kerberos ticket against a local keytab. +

    + - +

    LLNG Configuration

    @@ -92,14 +97,18 @@ In Manager, go in General Parameters > Authentication modu
    - +

    Kerberos configuration

    @@ -108,6 +117,31 @@ The Kerberos configuration is quite complex. You can find some configuration tip

    - + +

    Web Server Kerberos module

    +
    + +

    +If you want to let Web Server Kerberos module validates the Kerberos ticket, set the according option to “enabled” and configure the portal virtual host to launch the module if “kerberos” GET parameter is in the request. +

    + +

    +Example with Apache and mod_auth_kerb: +

    +
      <If "%{QUERY_STRING} =~ /kerberos=/">
    +    <IfModule auth_kerb_module>
    +      AuthType Kerberos
    +      KrbMethodNegotiate On
    +      KrbMethodK5Passwd Off
    +      KrbAuthRealms EXAMPLE.COM
    +      Krb5KeyTab /etc/lemonldap-ng/auth.keytab
    +      KrbVerifyKDC On
    +      KrbServiceName Any
    +      require valid-user
    +    </IfModule>
    +  </If>
    + +
    + diff --git a/doc/pages/documentation/current/autosignin.html b/doc/pages/documentation/current/autosignin.html new file mode 100644 index 000000000..e34c857a5 --- /dev/null +++ b/doc/pages/documentation/current/autosignin.html @@ -0,0 +1,77 @@ + + + + + documentation:2.0:autosignin + + + + + + + + + + + + + + + + + + + + +
    + +

    Auto Signin Addon

    +
    + +

    +Auto-Signin add-on provides a simple way to bypass authentication based on rules. For example, a TV can be automatically authenticated by its IP address. +

    + +
    + +

    Configuration

    +
    + +

    +This add-on is automatically enabled if a rule is declared. A rule associates a username to a rule. The only variable usable here is $env. Example: +

    +
    + + + + + + + + +
    Key (username) Rule
    dwho $env→{REMOTE_ADDR} == '192.168.42.42'
    +
    Username must exists in the user database. +
    +
    +
    + + +
diff --git a/doc/pages/documentation/current/configvhost.html b/doc/pages/documentation/current/configvhost.html
index f5508cd0f..166b44831 100644
--- a/doc/pages/documentation/current/configvhost.html
+++ b/doc/pages/documentation/current/configvhost.html
@@ -4,7 +4,7 @@ documentation:2.0:configvhost - +
diff --git a/doc/pages/documentation/current/idpsaml.html b/doc/pages/documentation/current/idpsaml.html
index d5d1ee46b..b97ecc720 100644
--- a/doc/pages/documentation/current/idpsaml.html
+++ b/doc/pages/documentation/current/idpsaml.html
@@ -81,43 +81,18 @@ -
    -
    -
    This requires to configure LL::NG as an SAML Identity Provider. -
    - - - - - - - - - - - - - - -
    Google Apps Cornerstone SalesForce simpleSAMLphp
    NextCloud ADFS
    - -
    -
    + +

    Configuration

    - -

    Configuration

    -
    - -
    - -

    SAML Service

    + +

    SAML Service

    @@ -125,8 +100,8 @@ See -

    IssuerDB

    + +

    IssuerDB

    - -

    Register LemonLDAP::NG on partner Service Provider

    + +

    Register LemonLDAP::NG on partner Service Provider

    - -

    Register partner Service Provider on LemonLDAP::NG

    + +

    Register partner Service Provider on LemonLDAP::NG

    @@ -298,6 +273,6 @@ For example:

    +
    diff --git a/doc/pages/documentation/current/installdeb.html b/doc/pages/documentation/current/installdeb.html
index 9d1639174..318dd53a8 100644
--- a/doc/pages/documentation/current/installdeb.html
+++ b/doc/pages/documentation/current/installdeb.html
@@ -99,9 +99,11 @@ LemonLDAP::NG provides these packages:
  • lemonldap-ng-fr-doc: French translation for HTML documentation
  • +
  • lemonldap-ng-handler: Handler files
    +
  • liblemonldap-ng-common-perl: configuration and common files
  • -
  • liblemonldap-ng-handler-perl: Handler files
    +
  • liblemonldap-ng-handler-perl: Handler common libraries
  • liblemonldap-ng-manager-perl: Manager files
  • @@ -110,12 +112,12 @@ LemonLDAP::NG provides these packages: - +

    Get the packages

    - +

    Official repository

    - +

    LL::NG repository

    @@ -153,7 +155,7 @@ You may need to install this package to access HTTPS repositories:
    apt install apt-transport-https
    - +

    Manual download

    @@ -162,7 +164,7 @@ Packages are available on the +

    Package GPG signature

    @@ -181,18 +183,18 @@ Update cache:
    apt update
    - +

    Install packages

    - +

    With apt

    apt install lemonldap-ng
    - +

    With dpkg

    @@ -206,12 +208,12 @@ Then:
    dpkg -i liblemonldap-ng-* lemonldap-ng*
    - +

    First configuration steps

    - +

    Change default DNS domain

    @@ -221,7 +223,7 @@ By default, DNS domain is example.
    sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json /var/lib/lemonldap-ng/test/index.pl
    - +

    Reload virtual host

    @@ -232,7 +234,7 @@ To allow the manager to reload the configuration, register the reload virtual ho
    Adapt the reload virtual host name to the domain you configured.
    - +

    Upgrade

    @@ -241,7 +243,7 @@ If you upgraded LL::NG, check all +

    DNS

    diff --git a/doc/pages/documentation/current/kerberos.html b/doc/pages/documentation/current/kerberos.html
index 6ac276f98..639f952a1 100644
--- a/doc/pages/documentation/current/kerberos.html
+++ b/doc/pages/documentation/current/kerberos.html
@@ -55,37 +55,25 @@
  • -
  • +
  • -
  • -
  • +
  • -
  • +
  • -
  • -
  • -
  • @@ -103,28 +91,26 @@

    -This documentation will explain how to use Active Directory as Kerberos server, and provide transparent authentication to AD domain users to LL::NG. +This documentation will explain how to use Active Directory as Kerberos server, and provide transparent authentication for one or multiple AD domains.

    -We will present several architectures: +You can use Kerberos in LL::NG with the following authentication modules:

      -
    • Single LL::NG server linked to one AD domain
      +
    • Kerberos (recommended): use Perl GSSAPI module, compatible with Apache and Nginx
    • -
    • LL::NG cluster linked to one AD domain
      -
    • -
    • LL::NG cluster linked to two AD domains
      +
    • Apache: use mod_auth_kerb or mod_auth_gssapi in Apache
    - +

    Prerequisites

    - +

    Example values

    @@ -138,26 +124,12 @@ We will use the following values in our examples
  • auth.example.com: DNS of the LL::NG portal
  • -
  • authpwd.example.com: DNS of the LL::NG portal (to failback to a form based authentication)
    -
  • -
  • node1.example.com: DNS of the first LL::NG portal server (in cluster mode)
    -
  • -
  • node2.example.com: DNS of the second LL::NG portal server (in cluster mode)
    -
  • -
  • ad.example.com: DNS of First Active Directory
    -
  • -
  • ad.acme.com: DNS of Second Active Directory
    -
  • -
  • KERB_AUTH: AD account to generate the keytab for LL::NG server (in single mode)
    -
  • -
  • KERB_NODE1: AD account to generate the keytab for the first LL::NG server (in cluster mode)
    -
  • -
  • KERB_NODE2: AD account to generate the keytab for the second LL::NG server (in cluster mode)
    +
  • KERB_AUTH: AD account to generate the keytab for LL::NG server
  • - +

    Server time

    @@ -166,26 +138,26 @@ It is mandatory that LL::NG servers and AD se

    - +

    DNS

    -All names must be registered in the DNS server (which is Active Directory). The reverse DNS should also work for all the names. +The auth.example.com must be registered in the DNS server (which is Active Directory). The reverse DNS of auth.example.com must return the portal IP.

    - +
    If you have a SSO cluster, you must setup a Virtual IP in cluster and register this IP in DNS.
    - -

    AD accounts

    +
    + +

    SSL

    -It is recommended to create an AD account for each LL::NG server. Each account will hold the Service Principal Name (SPN) of the LL::NG server. +SSL is not mandatory, but it is strongly recommended. Your portal URL should be https://auth.example.com.

    -
    It should be possible to have the same account for all SPN, but this may require some manipulations on AD (command setspn) that are not documented here. +
    -
    - +

    Web browser configuration

    @@ -212,32 +184,13 @@ Check into security parameters that Kerberos authentication is allowed.

    - -

    Apache Kerberos module installation

    -
    - -

    -On CentOS/RHEL: -

    -
    yum install mod_auth_kerb
    - -

    -On Debian/Ubuntu: -

    -
    apt-get install libapache2-mod-auth-kerb
    - -

    -The module must be loaded by Apache (LoadModule directive). -

    - -
    - -

    Single LL::NG Server / Single AD domain

    + +

    Single AD domain

    - -

    Client Kerberos configuration

    + +

    Client Kerberos configuration

    @@ -284,8 +237,8 @@ You can then close the Kerberos session:

    kdestroy
    - -

    Obtain keytab file

    + +

    Obtain keytab file

    @@ -366,78 +319,13 @@ The important things to check are:

    - -

    Configuration of LemonLDAP::NG

    - - -

    LL::NG Cluster / Single AD domain

    + +

    Multiple AD domains

    - -

    Client Kerberos configuration

    -
    - -

    -The client Kerberos configuration is the same as a single LL::NG server. -

    - -
    - -

    Obtain keytab file

    -
    -
    You need to get a keytab for each LL::NG node. -
    -

    -Commands on Active Directory will be: -

    -
    ktpass -princ HTTP/node1.example.com@EXAMPLE.COM -mapuser KERB_NODE1@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <PASSWORD> -out c:\authnode1.keytab
    -ktpass -princ HTTP/node2.example.com@EXAMPLE.COM -mapuser KERB_NODE2@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <PASSWORD> -out c:\authnode2.keytab
    - -

    -Copy the generated keytab on each node (rename it as auth.keytab to have the same Apache configuration on each node). -

    - -

    -Change rights on keytab file: -

    -
    chown apache /etc/lemonldap-ng/auth.keytab
    -chmod 600 /etc/lemonldap-ng/auth.keytab
    -
    You can do the same check for the keytab as with the single LL::NG server. Just use node1.example.com and node2.example.com instead of auth.example.com. -
    -
    - -

    Configuration of LemonLDAP::NG

    -
    - -

    -The configuration is the same as a single LL::NG server. -

    - -
    - -

    Configuration of portal virtual host

    -
    - -

    -The only change in Apache configuration is in the KrbServiceName, it should be set to Any: -

    -
        KrbServiceName Any
    - -
    - -

    LL::NG Cluster / Two AD domains

    -
    - -
    - -

    Client Kerberos configuration

    + +

    Client Kerberos configuration

    @@ -479,8 +367,8 @@ klist -e kdestroy

    - -

    Obtain keytab file

    + +

    Obtain keytab file

    @@ -513,26 +401,8 @@ You can then remove the original keytab files and protect the final keytab file: chmod 600 /etc/lemonldap-ng/auth.keytab

    - -

    Configuration of LemonLDAP::NG

    -
    - -

    -The configuration is the same as a single LL::NG server. -

    - -
    - -

    Configuration of portal virtual host

    -
    - -

    -The configuration is the same as with a single AD domain. -

    - -
    - -

    Other resources

    + +

    Other resources

    @@ -546,6 +416,6 @@ You can check these documentations to get more information:

    -
    +
    diff --git a/doc/pages/documentation/current/portalmenu.html b/doc/pages/documentation/current/portalmenu.html index 5506808f0..20a91cc24 100644 --- a/doc/pages/documentation/current/portalmenu.html +++ b/doc/pages/documentation/current/portalmenu.html @@ -113,6 +113,8 @@ Application parameters:
  • off: never display
  • +
  • rule: specify a rule or “sp: <name>” where “name” is the key name of the service provider, the corresponding rule will be applied (available for CAS, SAML or OpenID-Connect)
    +
  • @@ -121,7 +123,7 @@ Application parameters:

    -
    The chosen logo file must be in portal applications logos directory (portal/skins/common/apps/). You can set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory +
    The chosen logo file must be in portal applications logos directory (portal/static/common/apps/). You can set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory
    diff --git a/doc/pages/documentation/current/restserverplugin b/doc/pages/documentation/current/restserverplugin index f8d5b5b6e..304ae7d66 100644 --- a/doc/pages/documentation/current/restserverplugin +++ b/doc/pages/documentation/current/restserverplugin @@ -90,7 +90,7 @@ +
  • @@ -204,7 +204,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio -
    +
    diff --git a/doc/pages/documentation/current/selinux.html b/doc/pages/documentation/current/selinux.html index 986888d6f..9c6d6bb7c 100644 --- a/doc/pages/documentation/current/selinux.html +++ b/doc/pages/documentation/current/selinux.html @@ -71,25 +71,30 @@ To make LemonLDAP::NG work with SELinux, you may need to set up some options.
    chcon -R -t httpd_sys_rw_content_t /tmp
    -
    - -

    Access to LDAP

    -
    -
    setsebool -P httpd_can_connect_ldap on
    +

    +To persist the rule: +

    +
    semanage fcontext -a -t http_sys_content_t /tmp
    - + +

    Access to LDAP

    +
    +
    setsebool -P httpd_can_connect_ldap 1
    + +
    +

    Memcache

    setsebool -P httpd_can_network_memcache 1
    - +

    Proxy HTTP

    setsebool -P httpd_can_network_relay 1
    -
    + diff --git a/doc/pages/documentation/current/sqlconfbackend.html b/doc/pages/documentation/current/sqlconfbackend.html index c969e2479..c3545aab3 100644 --- a/doc/pages/documentation/current/sqlconfbackend.html +++ b/doc/pages/documentation/current/sqlconfbackend.html @@ -4,7 +4,7 @@ documentation:2.0:sqlconfbackend - + @@ -49,17 +49,31 @@
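Review bot: The persistence command added under "To persist the rule", `semanage fcontext -a -t http_sys_content_t /tmp`, names a different type from the `chcon -R -t httpd_sys_rw_content_t /tmp` it is meant to persist (`http_` instead of `httpd_`, and no `_rw_`), so the persisted label would differ from, or fail against, the one applied by chcon. The fcontext rule should carry the same type and a path pattern, and be applied with restorecon so the on-disk labels match the policy: `semanage fcontext -a -t httpd_sys_rw_content_t "/tmp(/.*)?"` followed by `restorecon -Rv /tmp`. Since this labels the whole shared /tmp as writable by the web server, a sentence recommending a dedicated directory for the files LL::NG needs to write, with only that path labelled, would narrow the grant. The hunk ends at the next file's diff header, so the surrounding markup is not visible.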
    + +
  • +
  • + +
  • +
  • @@ -69,57 +83,59 @@

    -There is 3 types of SQL configuration backends for LemonLDAP::NG : +There is 2 types of SQL configuration backends for LemonLDAP::NG:

      -
    • CDBI : very simple storage
      +
    • CDBI: very simple storage
    • -
    • RDBI : triple store storage
      -
    • -
    • DBI which has been deprecated: it is a read-only backend that exists just for compatibility with older versions of LemonLDAP::NG. See how to change configuration backend.
      +
    • RDBI: triple store storage (recommended)
    +
    You can use any database engine if it provides a Perl Driver. You will find here examples for MySQL and PostGreSQL, but other engines may also work. +
    +

    +See how to change configuration backend. +

    - -

    Lemonldap-ng.ini parameters

    -
    - -

    -To use a SQL backend, configure your lemonldap-ng.ini file (section configuration) : -

    -
      -
    • Choose DBI type (RDBI, CDBI or DBI)
      -
    • -
    • Configure the connection string (see DBI manual page)
      -
    • -
    • Configure user and password
      -
    • -
    • If your table is not named lmConfig, set it's name in dbiTable parameter.
      -
    • -
    - -

    -Example for MySQL : -

    -
    [configuration]
    -type = RDBI
    -dbiChain    = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
    -dbiUser     = lemonldap
    -dbiPassword = password
    -; optional
    -dbiTable    = mytablename
    - -
    - -

    Configure your SQL database

    + +

    MySQL

    - -

    SQL configuration

    + +

    Perl Driver

    +

    +You need DBD::MySQL Perl module: +

    +
      +
    • Debian:
      +
    • +
    +
    apt install libdbd-mysql-perl
    +
      +
    • Red Hat:
      +
    • +
    +
    yum install perl-DBD-MySQL
    + +
    + +

    Database and table creation

    +
    + +

    +Create database: +

    +
    CREATE DATABASE lemonldap-ng CHARACTER SET utf8;
    + +

    +Use database to create table: +

    +
    USE lemonldap-ng
    +

    RDBI

    @@ -127,7 +143,7 @@ Example for MySQL :
    CREATE TABLE lmConfig (
         cfgNum INT(11) NOT NULL,
         FIELD VARCHAR(255) NOT NULL DEFAULT '',
    -    VALUE longblob,
    +    VALUE longtext,
         PRIMARY KEY (cfgNum,FIELD)
         );
    @@ -137,18 +153,18 @@ Example for MySQL :
    CREATE TABLE lmConfig (
         cfgNum INT NOT NULL PRIMARY KEY,
    -    DATA longblob
    +    DATA longtext
     );
    - -

    Grant LemonLDAP::NG access

    + +

    Grant access

    You have to grant read/write access for the manager component. Other components needs just a read access. You can also use the same user for all.

    -
    You can use different dbiUser strings :
      +
      You can use different dbiUser strings:
      • one with read/write rights for servers hosting the manager
      • one with just read rights for other servers
        @@ -157,14 +173,105 @@ You have to grant read/write access for the manager component. Other components

      -MySQL example (suppose that our servers are in 10.0.0.0/24 network): +For example (suppose that our servers are in 10.0.0.0/24 network):

      GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES ON lemonldap-ng.lmConfig
      -  TO lemonldap-ng@manager.host IDENTIFIED BY 'mypassword';
      +  TO lemonldaprw@manager.host IDENTIFIED BY 'mypassword';
       GRANT SELECT ON lemonldap-ng.lmConfig
      -  TO lemonldap-ng-USER@'10.0.0.%' IDENTIFIED BY 'myotherpassword';
      + TO lemonldapro@'10.0.0.%' IDENTIFIED BY 'myotherpassword';
    -
    + +

    Connection settings

    +
    + +

    +Change configuration settings in /etc/lemonldap-ng/lemonldap-ng.ini file (section configuration): +

    +
    [configuration]
    +type = RDBI
    +dbiChain    = DBI:mysql:database=lemonldap-ng;host=1.2.3.4
    +dbiUser     = lemonldaprw
    +dbiPassword = mypassword
    +; optional
    +dbiTable    = mytablename
    + +
    + +

    PostGreSQL

    +
    + +
    + +

    Perl Driver

    +
    + +

    +You need DBD::Pg Perl module: +

    +
      +
    • Debian:
      +
    • +
    +
    apt install libdbd-pg-perl
    +
      +
    • Red Hat:
      +
    • +
    +
    yum install perl-DBD-Pg
    + +
    + +

    Database and table creation

    +
    + +

    +Create database: +

    +
    CREATE DATABASE lemonldap-ng;
    + +

    +Use database to create table: +

    +
    USE lemonldap-ng
    + +
    + +

    RDBI

    +
    +
    CREATE TABLE lmconfig (
    +    cfgnum INTEGER NOT NULL,
    +    FIELD text NOT NULL,
    +    VALUE text,
    +    PRIMARY KEY (cfgNum,FIELD)
    +    );
    + +
    + +

    CDBI

    +
    +
    CREATE TABLE lmConfig (
    +    cfgnum INTEGER NOT NULL PRIMARY KEY,
    +    DATA text
    +);
    + +
    + +

    Connection settings

    +
    + +

    +Change configuration settings in /etc/lemonldap-ng/lemonldap-ng.ini file (section configuration): +

    +
    [configuration]
    +type = RDBI
    +dbiChain    = DBI:Pg:database=lemonldap-ng;host=1.2.3.4
    +dbiUser     = lemonldaprw
    +dbiPassword = mypassword
    +; optional
    +dbiTable    = mytablename
    + +
    + diff --git a/doc/pages/documentation/current/start.html b/doc/pages/documentation/current/start.html index 4b59e184b..f9e8d9a77 100644 --- a/doc/pages/documentation/current/start.html +++ b/doc/pages/documentation/current/start.html @@ -266,7 +266,7 @@ Facebook ✔ ✔ - Kerberos ✔ ✔ ✔ + Kerberos LDAP ✔ ✔ ✔ @@ -343,8 +343,14 @@ External Second Factor (OTP, SMS,…) ✔ + + Auth addons Authentication + + + Auto Signin ✔ + - +
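Review bot: `USE lemonldap-ng` in the new PostgreSQL "Database and table creation" section is MySQL syntax; PostgreSQL has no USE statement, the psql equivalent being `\c lemonldap-ng` or connecting to that database directly. In the same section `CREATE DATABASE lemonldap-ng;` will be rejected unless the hyphenated name is quoted (`CREATE DATABASE "lemonldap-ng";`), and the same applies to the MySQL `CREATE DATABASE lemonldap-ng CHARACTER SET utf8;` added in the earlier `@@ -69,57 +83,59 @@` hunk, where backticks are needed. The new PostgreSQL RDBI table is created as `lmconfig` with `cfgnum` while its PRIMARY KEY clause and the `dbiTable` example still use mixed case; this works because unquoted identifiers fold to lowercase, but a one-line note saying so, or consistent casing, would save readers a surprise.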

    @@ -388,13 +394,13 @@ Get parameters provider (for poor applications) ✔ - +

    - +

    Handlers

    @@ -435,7 +441,7 @@ Handlers are software control agents to install on your web servers (Nginx, Zimbra PreAuth ✔ ✔
    - +

    (*): Node.js handler has not yet reached the same level of functionality.

    @@ -445,7 +451,7 @@ Handlers are software control agents to install on your web servers (Nginx,

    - +

    LLNG databases

    @@ -491,7 +497,7 @@ Handlers are software control agents to install on your web servers (Nginx, REST ✔ Proxy backend to be used in conjunction with another configuration backend.
    Can be used to secure another backend for remote servers.
    -
    You can not start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one. +
    You can not start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one.

    @@ -546,13 +552,13 @@ Sessions are stored using +

    Applications protection

    @@ -581,7 +587,7 @@ Sessions are stored using +

    Well known compatible applications

    Here is a list of well known applications that are compatible with LL::NG. A full list is available on vendor applications page. @@ -667,7 +673,7 @@ Sessions are stored using +

    Advanced features

    -

    Installation

    +

    Upgrade order from 1.9.*

    +

    +As usual, if you use more than 1 server and don't want to stop the SSO service AND IF YOU HAVE NO INCOMPATIBILITY MENTIONED IN THIS DOCUMENT, upgrade must be done in the following order: +

    +
      +
    1. servers that have only handlers;
      +
    2. +
    3. portal servers (all together if your load balancer doesn't keep state by user or client IP and if users use the menu);
      +
    4. +
    5. manager server
      +
    6. +
    +
    You must revalidate your configuration using the manager.
    - -

    Debian Wheezy

    -
    +
    + +

    Installation

    +

    -To build Debian package with Wheezy, remove debian/lemonldap-ng-doc.maintscript file. +This release of LL::NG requires these minimal versions of GNU/Linux distributions: +

    +
      +
    • Debian 9 (stretch)
      +
    • +
    • Ubuntu 16.04 LTS
      +
    • +
    • CentOS 7
      +
    • +
    • RHEL 7
      +
    • +
    + +

    +For SAML features, we require Lasso 2.5.

    - +

    Configuration

      @@ -103,15 +127,19 @@ To build Debian package with Wheezy, remove debian/lemonldap-ng-doc.maints
    • Apache and Nginx configurations must updated to use the FastCGI portal
    • +
    • URLs for mail reset and register pages have changed, you must update configuration parameters. For example:
      +
    -
    Apache-ModPerl is no longer usable since version 2.4 (many segfaults,…), especially when using mpm-worker. That's why LLNG doesn't use anymore ModPerl::Registry: all is now handle by FastCGI (portal and manager). +
      mailUrl => 'http://auth.example.com/resetpwd',
    +  registerUrl => 'http://auth.example.com/register',
    +
    Apache mod_perl has a lot of issues since version 2.4 (many segfaults,…), especially when using mpm-worker. That's why LL::NG doesn't use anymore ModPerl::Registry: all is now handled by FastCGI (portal and manager).

    -For handlers, it is now recommended to migrate to Nginx, but Apache-2.X is still supported +For Handlers, it is now recommended to migrate to Nginx, but Apache 2 is still supported

    - +

    Kerberos or SSL usage

      @@ -122,7 +150,7 @@ To build Debian package with Wheezy, remove debian/lemonldap-ng-doc.maints
    - +

    Logs

      @@ -133,7 +161,7 @@ To build Debian package with Wheezy, remove debian/lemonldap-ng-doc.maints
    - +

    Security

    @@ -148,7 +176,7 @@ LLNG portal now embeds the following features:
    - +

    Handlers

      @@ -159,7 +187,7 @@ LLNG portal now embeds the following features:
    - +

    Rules and headers

      @@ -172,7 +200,7 @@ LLNG portal now embeds the following features:
    - +

    Supported servers

      @@ -181,7 +209,7 @@ LLNG portal now embeds the following features:
    - +

    Ajax requests

    @@ -190,7 +218,7 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302

    - +

    SOAP/REST services

      @@ -206,12 +234,12 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302
      AuthBasic Handler uses now REST services instead of SOAP.
    - +

    Developer corner

    - +

    APIs

    @@ -220,7 +248,7 @@ Portal has now many REST features and includes a plugin +

    Portal overview

    @@ -242,7 +270,7 @@ The request is a separated object based on Lemonldap::NG::Portal::Main::Request

    - +

    Handler

    @@ -255,6 +283,6 @@ If you had auto protected CGI, you also need to rewrite them, see
    +
    diff --git a/doc/pages/documentation/current/writingrulesand_headers.html b/doc/pages/documentation/current/writingrulesand_headers.html index 5ab82c33e..e71b6d002 100644 --- a/doc/pages/documentation/current/writingrulesand_headers.html +++ b/doc/pages/documentation/current/writingrulesand_headers.html @@ -4,7 +4,7 @@ documentation:2.0:writingrulesand_headers - +