Merge branch 'v2.0'

This commit is contained in:
Yadd 2022-01-05 20:20:39 +01:00
commit 9834e182f5
361 changed files with 7570 additions and 1846 deletions


@ -12,7 +12,7 @@
.debian_build_job:
extends: .build_job
script:
- apt-get update && apt-get -y dist-upgrade
- apt-get update --allow-releaseinfo-change && apt-get -y dist-upgrade
- DEBIAN_FRONTEND=noninteractive apt-get -y install tzdata
- ci-build-pkg
before_script:
@ -49,6 +49,10 @@ build_buster:
extends: .debian_build_job
image: buildpkg/debian:buster
build_bullseye:
extends: .debian_build_job
image: buildpkg/debian:bullseye
#build_xenial:
# extends: .debian_build_job
# image: buildpkg/ubuntu:xenial
@ -64,6 +68,7 @@ build_centos_7:
script:
- rm -f /etc/yum.repos.d/CentOS-Sources.repo
- yum -y install epel-release
- scripts/ci-install-lasso-centos
- make dist
- ci-build-pkg
@ -74,11 +79,12 @@ build_centos_8:
- yum-config-manager --enable PowerTools
- yum-config-manager --enable AppStream
- yum -y install epel-release
- scripts/ci-install-lasso-centos
- make dist
- ci-build-pkg
sign:
image: buildpkg/debian:stretch
image: buildpkg/debian:bullseye
stage: sign
# variables:
# SIGN_USER: firstname.lastname@orange.com
@ -87,8 +93,9 @@ sign:
- cd $CI_PROJECT_DIR
- ci-sign-pkg
dependencies:
- build_stretch
- build_buster
- build_bullseye
# - build_xenial
- build_bionic
- build_centos_7
- build_centos_8
@ -100,7 +107,7 @@ sign:
- master
pages:
image: buildpkg/debian:stretch
image: buildpkg/debian:bullseye
stage: deploy
variables:
# Default page dir
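Review bot: The `--allow-releaseinfo-change` added to the `apt-get update` line of `.debian_build_job` is not explained, and without a comment a later maintainer may read it as a relaxation of repository checks. It tells apt to accept a repository whose Release file metadata (Suite/Codename) changed, which is what happens when Debian moves a suite from stable to oldstable; signature verification of the Release file is unaffected, but the warning it suppresses is the one that would otherwise flag an unexpected change in what the pinned image installs from. Record the reason next to it: `# accept Suite/Codename changes in the Release file (e.g. buster moving to oldstable); signatures are still verified`. The CentOS hunks also wire in `scripts/ci-install-lasso-centos`, but that script is outside this section, so what it fetches and how it validates it cannot be reviewed here.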


@ -1,3 +1,26 @@
lemonldap-ng (2.0.13) focal; urgency=medium
* Bugs:
* #2428: Correctly report the number of purged sessions when using deleteIfLowerThan
* #2566: No configuration available in fresh LemonLDAP 2.0.12
* #2567: CORS headers not sent in userinfo endpoint error response
* #2568: SafeJail does not report errors correctly
* #2573: convertConfig does not work when target backend is empty
* #2589: FindUser plugin: minor improvements and several issues
* Improvements:
* #2558: Add a new portal error code for Auth::OIDC issues
* #2564: Missing options to use text emails for some features
* #2585: RGAA: to use autocomplete when possible
* #2589: FindUser plugin: minor improvements and several issues
* #2592: Bad error reporting during portal init
* Templates:
* #2585: RGAA: to use autocomplete when possible
* #2589: FindUser plugin: minor improvements and several issues
-- Clément <clem.oudot@gmail.com> Fri, 20 Aug 2021 18:30:23 +0200
lemonldap-ng (2.0.12) focal; urgency=medium
* Bugs:
@ -2018,7 +2041,7 @@ lemonldap-ng (1.0.6) stable; urgency=low
* [LEMONLDAP-304] - Cannot use spaces between values of Multi
authentication
parameter
* [LEMONLDAP-305] - Parameters are not overriden in the first Multi module
* [LEMONLDAP-305] - Parameters are not overridden in the first Multi module
* [LEMONLDAP-307] - Base64 encoded IDs can contain more than one "/", but
only the first is escaped
@ -2026,7 +2049,7 @@ lemonldap-ng (1.0.5) stable; urgency=low
* [LEMONLDAP-292] - Application menu is not well displayed with multiple
users having differents rights
* [LEMONLDAP-294] - Subroutines can not be overriden in lemonldap-ng.ini
* [LEMONLDAP-294] - Subroutines can not be overridden in lemonldap-ng.ini
* [LEMONLDAP-293] - Password Manager - Sending Mail
lemonldap-ng (1.0.4) stable; urgency=low

debian/changelog vendored

@ -1,3 +1,10 @@
lemonldap-ng (2.0.13-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Fri, 20 Aug 2021 22:00:00 +0100
lemonldap-ng (2.0.12-1) unstable; urgency=medium
* New release. See changes on our website:

debian/control vendored

@ -9,6 +9,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
libapache-session-perl <!nocheck>,
libauth-yubikey-webclient-perl <!nocheck>,
libauthen-oath-perl <!nocheck>,
libauthen-radius-perl <!nocheck>,
libcache-cache-perl <!nocheck>,
libclone-perl <!nocheck>,
libconfig-inifiles-perl <!nocheck>,
@ -37,6 +38,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
libmouse-perl <!nocheck>,
libnet-cidr-lite-perl <!nocheck>,
libnet-ldap-perl <!nocheck>,
libio-socket-timeout-perl <!nocheck>,
libnet-openid-consumer-perl <!nocheck>,
libnet-openid-server-perl <!nocheck>,
libplack-perl <!nocheck>,
@ -59,7 +61,7 @@ Build-Depends-Indep: gsfonts <!nocheck>,
python3-sphinx,
python3-sphinx-bootstrap-theme,
perl
Standards-Version: 4.5.1
Standards-Version: 4.6.0
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
Homepage: https://lemonldap-ng.org/
@ -281,6 +283,7 @@ Depends: ${misc:Depends},
liblemonldap-ng-handler-perl (= ${binary:Version}),
libtext-unidecode-perl,
libregexp-assemble-perl,
liblist-moreutils-perl,
libemail-date-format-perl
Recommends: gsfonts,
libcrypt-openssl-bignum-perl,
@ -306,6 +309,7 @@ Suggests: gpg,
libnet-oauth-perl,
libsoap-lite-perl,
libweb-id-perl,
libauthen-radius-perl,
slapd
Pre-Depends: debconf
Description: Lemonldap::NG authentication portal part
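Review bot: `libio-socket-timeout-perl` is inserted into Build-Depends-Indep between `libnet-ldap-perl` and `libnet-openid-consumer-perl`, which breaks the alphabetical order the rest of that list keeps; alphabetically it belongs before `libmouse-perl`. Only the build dependency is visible in these hunks; if the runtime code that motivates it (presumably a socket timeout on the LDAP connection) needs the module at install time, the corresponding binary package's Depends or Recommends should list it as well, which is worth checking against the parts of debian/control not shown here. The `libauthen-radius-perl` additions are consistent with each other (build dependency plus Suggests on the portal package).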


@ -1 +1 @@
/usr/sbin/llng-fastcgi-server
usr/sbin/llng-fastcgi-server


@ -1,6 +1,6 @@
/etc/lemonldap-ng/nginx*
/etc/lemonldap-ng/handler-apache2.conf
/etc/lemonldap-ng/handler-nginx.conf
/etc/lemonldap-ng/test-apache2.conf
/etc/lemonldap-ng/test-nginx.conf
/var/lib/lemonldap-ng/test
etc/lemonldap-ng/nginx*
etc/lemonldap-ng/handler-apache2.conf
etc/lemonldap-ng/handler-nginx.conf
etc/lemonldap-ng/test-apache2.conf
etc/lemonldap-ng/test-nginx.conf
var/lib/lemonldap-ng/test


@ -1 +1 @@
/etc/uwsgi/apps-available/llng-server.yaml
etc/uwsgi/apps-available/llng-server.yaml


@ -1,17 +1,18 @@
/etc/lemonldap-ng/lemonldap-ng.ini
/etc/lemonldap-ng/for_etc_hosts
/usr/share/man/man1/convertConfig.1p
/usr/share/man/man1/convertSessions.1p
/usr/share/man/man1/lemonldap-ng-cli.1p
/usr/share/man/man1/lemonldap-ng-sessions.1p
/usr/share/man/man3/Lemonldap::NG::Common*
/usr/share/perl5/auto/Lemonldap/NG/Common
/usr/share/perl5/Lemonldap/NG/Common*
/usr/share/lemonldap-ng/ressources
/usr/share/lemonldap-ng/bin/convertConfig
/usr/share/lemonldap-ng/bin/convertSessions
/usr/share/lemonldap-ng/bin/importMetadata
/usr/share/lemonldap-ng/bin/lemonldap-ng-sessions
/usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
/usr/share/lemonldap-ng/bin/rotateOidcKeys
/var/lib/lemonldap-ng/conf/
etc/lemonldap-ng/lemonldap-ng.ini
etc/lemonldap-ng/for_etc_hosts
usr/share/man/man1/convertConfig.1p
usr/share/man/man1/convertSessions.1p
usr/share/man/man1/importMetadata.1p
usr/share/man/man1/lemonldap-ng-cli.1p
usr/share/man/man1/lemonldap-ng-sessions.1p
usr/share/man/man3/Lemonldap::NG::Common*
usr/share/perl5/auto/Lemonldap/NG/Common
usr/share/perl5/Lemonldap/NG/Common*
usr/share/lemonldap-ng/ressources
usr/share/lemonldap-ng/bin/convertConfig
usr/share/lemonldap-ng/bin/convertSessions
usr/share/lemonldap-ng/bin/importMetadata
usr/share/lemonldap-ng/bin/lemonldap-ng-sessions
usr/share/lemonldap-ng/bin/lmMigrateConfFiles2ini
usr/share/lemonldap-ng/bin/rotateOidcKeys
var/lib/lemonldap-ng/conf/


@ -1,7 +1,7 @@
/usr/share/perl5/Lemonldap/NG/Handler*
/usr/share/perl5/auto/Lemonldap/NG/Handler*
/usr/share/perl5/Plack/*
/usr/share/man/man3/Lemonldap::NG::Handler*
/usr/share/man/man3/Plack::Middleware::Auth::LemonldapNG*
/usr/share/lemonldap-ng/bin/purgeLocalCache
/usr/share/lemonldap-ng/llng-server/llng-server.psgi
usr/share/perl5/Lemonldap/NG/Handler*
usr/share/perl5/auto/Lemonldap/NG/Handler*
usr/share/perl5/Plack/*
usr/share/man/man3/Lemonldap::NG::Handler*
usr/share/man/man3/Plack::Middleware::Auth::LemonldapNG*
usr/share/lemonldap-ng/bin/purgeLocalCache
usr/share/lemonldap-ng/llng-server/llng-server.psgi


@ -1,3 +0,0 @@
# Conf files have moved to lemonldap-ng-handler package
rm_conffile /etc/lemonldap-ng/handler-nginx.conf 1.9.1-2~
rm_conffile /etc/lemonldap-ng/handler-apache2.X.conf 1.9.1-2~


@ -1,10 +1,10 @@
/etc/lemonldap-ng/api-apache2.conf
/etc/lemonldap-ng/api-nginx.conf
/etc/lemonldap-ng/manager-apache2.conf
/etc/lemonldap-ng/manager-nginx.conf
/usr/share/man/man3/Lemonldap::NG::Manager*
/usr/share/perl5/Lemonldap/NG/Manager*
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli
/usr/share/lemonldap-ng/manager
/usr/share/lemonldap-ng/bin/lmConfigEditor
/usr/share/lemonldap-ng/bin/llngDeleteSession
etc/lemonldap-ng/api-apache2.conf
etc/lemonldap-ng/api-nginx.conf
etc/lemonldap-ng/manager-apache2.conf
etc/lemonldap-ng/manager-nginx.conf
usr/share/man/man3/Lemonldap::NG::Manager*
usr/share/perl5/Lemonldap/NG/Manager*
usr/share/lemonldap-ng/bin/lemonldap-ng-cli
usr/share/lemonldap-ng/manager
usr/share/lemonldap-ng/bin/lmConfigEditor
usr/share/lemonldap-ng/bin/llngDeleteSession


@ -1,6 +1,6 @@
/usr/share/lemonldap-ng/bin/purgeCentralCache
/usr/share/man/man3/Lemonldap::NG::Portal*
/usr/share/perl5/Lemonldap/NG/Portal*
/usr/share/lemonldap-ng/portal
/etc/lemonldap-ng/portal-apache2.conf
/etc/lemonldap-ng/portal-nginx.conf
usr/share/lemonldap-ng/bin/purgeCentralCache
usr/share/man/man3/Lemonldap::NG::Portal*
usr/share/perl5/Lemonldap/NG/Portal*
usr/share/lemonldap-ng/portal
etc/lemonldap-ng/portal-apache2.conf
etc/lemonldap-ng/portal-nginx.conf


@ -17,6 +17,7 @@ Applications
applications/drupal
applications/fusiondirectory
applications/gerrit
applications/gitea
applications/gitlab
applications/glpi
applications/googleapps
@ -28,11 +29,13 @@ Applications
applications/jitsimeet
applications/liferay
applications/limesurvey
applications/matrix
applications/mattermost
applications/mediawiki
applications/mobilizon
applications/nextcloud
applications/obm
applications/odoo
applications/office365
applications/publik
applications/phpldapadmin
@ -99,6 +102,7 @@ Application Configuration
.. image:: applications/fusiondirectory-logo.jpg :doc:`FusionDirectory<applications/fusiondirectory>`
.. image:: applications/gerrit_logo.png :doc:`Gerrit<applications/gerrit>`
.. image:: applications/gitlab_logo.png :doc:`Gitlab<applications/gitlab>` ✔ ✔
.. image:: applications/gitea_logo.png :doc:`Gitea<applications/gitea>`
.. image:: applications/glpi_logo.png :doc:`GLPI<applications/glpi>`
.. image:: applications/googleapps_logo.png :doc:`Google Apps<applications/googleapps>`
.. image:: applications/grafana_logo.png :doc:`Grafana<applications/grafana>`
@ -109,11 +113,13 @@ Application Configuration
.. image:: applications/logo-jitsimeet.png :doc:`Jitsi Meet<applications/jitsimeet>`
.. image:: applications/liferay_logo.png :doc:`Liferay<applications/liferay>`
.. image:: applications/limesurvey_logo.png :doc:`LimeSurvey<applications/limesurvey>`
.. image:: applications/matrix_logo.png :doc:`Matrix<applications/matrix>`
.. image:: applications/mattermost_logo.png :doc:`Mattermost<applications/mattermost>`
.. image:: applications/mediawiki_logo.png :doc:`Mediawiki<applications/mediawiki>`
.. image:: applications/mobilizon_logo.jpg :doc:`Mobilizon<applications/mobilizon>`
.. image:: applications/nextcloud-logo.png :doc:`NextCloud<applications/nextcloud>`
.. image:: applications/obm_logo.png :doc:`OBM<applications/obm>`
.. image:: applications/odoo_logo.png :doc:`Odoo<applications/odoo>`
.. image:: applications/logo_office_365.png :doc:`Office 365<applications/office365>`
.. image:: applications/logo-publik.png :doc:`Publik<applications/publik>`
.. image:: applications/phpldapadmin_logo.png :doc:`phpLDAPAdmin<applications/phpldapadmin>`


@ -0,0 +1,67 @@
Gitea
=====
|logo|
Presentation
------------
`Gitea <https://gitea.io/>`__ is a community managed lightweight
code hosting solution written in Go. It is published under the MIT license.
It can be configured to authenticate users with :doc:`OpenID Connect <../idpopenidconnect>`.
Configuration
--------------
LL:NG
~~~~~
Make sure you have already
:doc:`enabled OpenID Connect<../idpopenidconnect>` on your LemonLDAP::NG
server
Make sure you have generated a set of signing keys in
``OpenID Connect Service`` » ``Security`` » ``Keys``
You also need to set a Signing key ID to a non-empty value of your choice.
Then, add a Relaying Party with the following configuration:
- Options » Basic » Client ID : choose a client ID, such as ``gitea``
- Options » Basic » Client Secret : choose a client secret, such as ``xxxx``
- Options » Basic » Allowed redirection address : ``https://git.example.com/user/oauth2/NAME/callback``
- Options » ID Token Signature Algorithm : ``RS256``
- No Exported Attributes needed
.. note::
The redirection address is built like this: ``<Gitea service URL>`` ``/user/oauth2/`` ``<Name of the OIDC authentication source in Gitea>`` ``/callback``
Gitea
~~~~~
Go in administration panel and create a new authentication source:
|screenshot_admin|
Configure settings:
- Authentication name: set here the value used for the redirection address
- OAuth2 Provider: set OpenID Connect
- Client ID: the Client ID configured on LL::NG side
- Client Secret: the Client Secret configured on LL::NG side
- OpenID Connect Auto Discovery URL: use the default OIDC configuration URL of your LL::NG server
- Enable the authentication source
Usage
-----
In Gitea login screen, a new OpenID logo appears at the bottom. Click on it to authenticate.
At first connection, the user must associate his account to an existing one (local or LDAP). The assocation is then remembered for further connections.
.. |logo| image:: /applications/gitea_logo.png
:class: align-center
.. |screenshot_admin| image:: /applications/gitea_oidc_config.png
:class: align-center



@ -54,9 +54,9 @@ Then, add a Relaying Party with the following configuration:
If you want to transmit extra user attributes to Grafana, you also need to configure:
- Extra Claims »
- Scope values content »
- add a key named ``profile``
- add a key named ``profile`` to override the default claim list
- set a value of ``name username display_name upn``
- Exported Attributes (not all of them are mandatory)


@ -0,0 +1,56 @@
Synapse Matrix home server
==========================
|image0|
Presentation
------------
Synapse is the reference implementation of a Matrix home server, written in Python.
Configuring Synapse
-------------------
See `The official Synapse documentation <https://matrix-org.github.io/synapse/latest/openid.html>`__ for details
.. code:: yaml
oidc_providers:
- idp_id: lemonldap
idp_name: lemonldap
discover: true
issuer: "https://auth.example.com/" # TO BE FILLED: replace with your domain
client_id: "your client id" # TO BE FILLED
client_secret: "your client secret" # TO BE FILLED
scopes:
- "openid"
- "profile"
- "email"
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}}"
# TO BE FILLED: If your users have names in LemonLDAP::NG and you want those in Synapse, this should be replaced with user.name|capitalize or any valid filter.
display_name_template: "{{ user.preferred_username|capitalize }}"
Configuring LemonLDAP
~~~~~~~~~~~~~~~~~~~~~
Add a :doc:`new OpenID Connect relaying party<..//idpopenidconnect>`
with the following parameters:
* **Options/Basic**
* **Client ID**: same as ``client_id`` configuration in Synapse
* **Client Secret**: same as ``client_secret`` configuration in Synapse
* **Allowed redirection addresses**: ``[synapse public baseurl]/_synapse/client/oidc/callback``
* **Options/Security**
* **ID Token signature algorithm**:: ``RS256``
* **Exported Attributes**
* ``preferred_username``: ``uid``
(adjust if you don't store your username attribute in the ``uid`` session variable
.. |image0| image:: /applications/matrix_logo.png
:class: align-center



@ -0,0 +1,88 @@
Odoo
====
|image0|
Presentation
------------
Odoo is a suite of business management software tools including, for example, CRM, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management.
Requirements
------------
This guide explains how to authenticate your Odoo users using LemonLDAP::NG 's SAML provider.
Make sure you have :doc:`set up LemonLDAP::NG a SAML IDP <../samlservice>`
.. warning::
Odoo requires your public SAML Signature key to be in `BEGIN CERTIFICATE`
format, if this is not the case, you need to :ref:`convert your SAML key to
a certificate<samlservice-convert-certificate>`)
.. warning::
Odoo requires LemonLDAP::NG 2.0.14 in order to handle RelayState correctly
Configuring Odoo
----------------
Pre-requisites
~~~~~~~~~~~~~~
On the Odoo side, you need to install the ``auth_saml`` module from OCA:
* https://github.com/OCA/server-auth/tree/14.0/auth_saml
* https://odoo-community.org/shop/product/saml2-authentication-3211
This module requires the ``pysaml2`` and ``xmlsec1`` python dependencies.
Configuration
~~~~~~~~~~~~~
After installing the module, you will see two new menus in the Odoo admin:
* Settings » Users & Companies » SAML Providers
* And a new *SAML* tab in Settings » Users & Companies » Users
Creating a new SAML Provider
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Create a new SAML provider in Settings » Users & Companies » SAML Providers
* Choose a name
* Copy the metadata from https://auth.example.com/saml/metadata/idp in the *Identity Provider Metadata* field
* Import a certificate and a private key in the *Odoo Public Certificate* and *Odoo Private Key* fields
To generate a key/certificate pair, you can run the following command::
openssl req -x509 -newkey rsa:4096 -keyout odoo-key.pem -out odoo-cert.pem -sha256 -days 3650 -nodes
* Select a signature method in the *Signature Algorithm*, such as *SIG_RSA_SHA256*
* If you do not want to use the email address to match between LLNG and Odoo accounts, set the *Identity Provider matching attribute* to a different value
* All other fields may be left to default values
Configuring users
~~~~~~~~~~~~~~~~~
For each user you want to enable SAML on, you need to edit them in Settings » Users & Companies » Users
In the *SAML* tab, set the SAML provider you just created, and their email address as the identifier.
Configuring LemonLDAP
---------------------
Add a new :ref:`new SAML Service Provider to the LemonLDAP::NG configuration<samlidp-register-sp>`
with the following parameters:
* **Metadata**
* Copy the Metadata found at the URL referenced in Odoo's Settings » Users & Companies » SAML Providers menu » Your provider » Metadata URL
* **Exported Attributes**
* Declare the attribute that you set in Odoo's *Identity Provider matching attribute*
* If you are using the email, you don't need to declare anything
.. |image0| image:: /applications/odoo_logo.png
:class: align-center



@ -31,7 +31,7 @@ As an RP, LL::NG supports a lot of OpenID Connect features:
- Logout on EndSession end point
You can use this authentication module to link your LL::NG server to any
OpenID Connect Provider. Here are some examples, witch their specific
OpenID Connect Provider. Here are some examples, with their specific
documentation:
@ -40,13 +40,14 @@ documentation:
authopenidconnect_google
authopenidconnect_franceconnect
authopenidconnect_prosanteconnect
=============== ==================
Google France Connect
=============== ==================
|google| |franceconnect|
=============== ==================
=============== ================== ==================
Google France Connect Pro Santé Connect
=============== ================== ==================
|google| |franceconnect| |prosanteconnect|
=============== ================== ==================
.. |google| image:: applications/google_logo.png
:target: authopenidconnect_google.html
@ -54,11 +55,14 @@ Google France Connect
.. |franceconnect| image:: applications/franceconnect_logo.png
:target: authopenidconnect_franceconnect.html
.. |prosanteconnect| image:: applications/prosanteconnect_logo.png
:target: authopenidconnect_prosanteconnect.html
.. attention::
OpenID-Connect specification is not finished for logout
OpenID Connect specification is not finished for logout
propagation. So logout initiated by relaying-party will be forward to
OpenID-Connect provider but logout initiated by the provider (or another
OpenID Connect provider but logout initiated by the provider (or another
RP) will not be propagated. LLNG will implement this when spec will be
published.
@ -68,7 +72,7 @@ Configuration
OpenID Connect Service
~~~~~~~~~~~~~~~~~~~~~~
See :doc:`OpenIDConnect service<openidconnectservice>` configuration
See :doc:`OpenID Connect service<openidconnectservice>` configuration
chapter.
Authentication and UserDB
@ -115,11 +119,11 @@ Register LL::NG to an OpenID Connect Provider
To register LL::NG, you will need to give some information like
application name or logo.
You will be asked to provide a *Redirect URI* for LemonLDAP::NG, which is constructed by appending the ``openidcallback=1`` parameter to the Portal URL.
You will be asked to provide a *Redirect URI* for LemonLDAP::NG, which is constructed by appending the ``openidconnectcallback=1`` parameter to the Portal URL.
For example:
- https://auth.example.com/?openidcallback=1
- https://auth.example.com/?openidconnectcallback=1
.. attention::
@ -198,8 +202,6 @@ standard <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`_
and depends on the scope requested by LL::NG (see options in next
chapter).
.. include:: openidconnectclaims.rst
So you can define for example:
- cn => name


@ -26,7 +26,7 @@ Use the following form:
https://doc.integ01.dev-franceconnect.fr/inscription.
You need to provide the callback URLs, for example
https://auth.domain.com/?openidcallback=1.
https://auth.domain.com/?openidconnectcallback=1.
You will then get a ``client_id`` and a ``client_secret``.


@ -28,7 +28,7 @@ Here you can go in API Manager and get new credentials (``client_id``
and ``client_secret``).
You need to provide the callback URLs, for example
https://auth.domain.com/?openidcallback=1.
https://auth.domain.com/?openidconnectcallback=1.
Declare Google in your LL::NG server
------------------------------------


@ -0,0 +1,209 @@
Pro Santé Connect
=================
|logo|
Presentation
------------
`Pro Santé Connect <https://tech.esante.gouv.fr/outils-services/pro-sante-connect-e-cps/presentation-generale>`__ is
a French identity provider for healthcare professionals. It relies on OpenID Connect protocol.
Register on Pro Santé Connect
-----------------------------
Once :doc:`OpenID Connect service<openidconnectservice>` is configured,
you need to register to Pro Santé Connect.
Go on https://integrateurs-cps.asipsante.fr.
You need to provide the callback URLs, for example
https://auth.domain.com/?openidconnectcallback=1.
And also a logout URL, for example
https://auth.domain.com/?logout=1.
You will then get a ``client_id`` and a ``client_secret``.
Declare Pro Santé Connect in your LL::NG server
-----------------------------------------------
Go in Manager and create a new OpenID Connect provider. You can call it
``psc-connect`` for example.
Click on ``Metadata`` and set manually the metadata of the service.
For the sandbox server:
.. code-block:: javascript
{
"issuer": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet",
"authorization_endpoint": "https://wallet.bas.esw.esante.gouv.fr/auth",
"token_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token",
"introspection_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/userinfo",
"end_session_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/logout",
"jwks_uri": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs",
"check_session_iframe": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/login-status-iframe.html",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"id_token_encryption_alg_values_supported": [
"RSA-OAEP",
"RSA1_5"
],
"id_token_encryption_enc_values_supported": [
"A256GCM",
"A192GCM",
"A128GCM",
"A128CBC-HS256",
"A192CBC-HS384",
"A256CBC-HS512"
],
"userinfo_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"request_object_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512",
"none"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"registration_endpoint": "https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/clients-registrations/openid-connect",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"tls_client_auth",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"PS384",
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"PS256",
"PS512",
"RS512"
],
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email",
"acr"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"scopes_supported": [
"openid",
"address",
"email",
"identity",
"microprofile-jwt",
"offline_access",
"phone",
"profile",
"roles",
"scope_1",
"scope_2",
"scope_all",
"web-origins",
"eidas2"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true
}
You should alos import JWKS data from https://auth.bas.esw.esante.gouv.fr/auth/realms/esante-wallet/protocol/openid-connect/certs
directly in configuration to avoid requests to reload them.
Go in ``Exported attributes`` to choose which attributes you want to collect.
Read the technical documentation to know available attributes:
https://tech.esante.gouv.fr/outils-services/pro-sante-connect-e-cps/documentation-technique
Now go in ``Options``:
- Register the ``client_id`` and ``client_secret`` given by Pro Santé Connect
- In ``Scopes`` set ``openid scope_all``
- In ``ACR values`` set ``eidas2``
- You can also set the name and the logo
.. |logo| image:: /applications/prosanteconnect_logo.png
:class: align-center


@ -34,17 +34,25 @@ and choose Proxy for authentication and users.
Then, go in ``Proxy parameters``:
- **Internal portal URL**: URL of internal portal
- **Session service URL** (optional): Session service URL (default:
same as previous for SOAP, same with "/session/my" for REST)
- **Cookie name** (optional): name of the cookie of internal portal, if
different from external portal
- **Authentication level**: authentication level for Proxy module
- **Use SOAP instead of REST**: use a deprecated SOAP server instead of
a REST one (you must set it if internal portal version is < 2.0). In
this case, "Portal URL" parameter must contain SOAP endpoint
(generally http://auth.example.com/index.pl/sessions for 1.9 and
earlier, http://auth.example.com/sessions for 2.0)
- **URL**: URL of internal portal
- **Session service URL** (optional): session service URL (default:
same as previous for SOAP, same with "/session/my" for REST)
- **Choice parameter** (optional): choice parameter of the internal portal if applicable
- **Choice value** (optional): value of the choice parameter of the internal portal
- **Cookie name** (optional): internal portal cookie name, if
different from external portal
- **Impersonation** (optional) : can be enabled if the internal portal provides impersonation
.. note::
If the internal portal uses :doc:`Choice Authentication<authchoice>`, you must specify 'Internal portal choice parameter' and 'Internal portal choice value' depending on its configuration.
This feature needs at least LL::NG version 2.0.14
Internal portal
~~~~~~~~~~~~~~~
@ -64,3 +72,6 @@ in your lemonldap-ng.ini:
soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
.. attention::
This feature needs at least LL::NG version 2.0.8


@ -18,8 +18,8 @@ Several IDPs are allowed, in this case the user will choose the IDP he
wants. You can preselect IDP with an IDP resolution rule.
For each IDP, you can configure attributes that are collected. Some can
be mandatory, so if they are not returned by IDP, the session will not
open.
be mandatory, so if they are not returned by IDP, the session will not be
opened.
.. tip::
@ -91,7 +91,7 @@ between your server and the IDP):
.. tip::
You can also edit the metadata directly in the textarea
You can also edit the metadata directly in the textarea.
Exported attributes
^^^^^^^^^^^^^^^^^^^
@ -102,8 +102,8 @@ For each attribute, you can set:
"uid" will then be used as $uid in access rules
- **Attribute name**: name of the SAML attribute coming from the remote IDP
- **Friendly Name**: optional, SAML attribute friendly name.
- **Mandatory**: if set to On, then session will not open if this
attribute is not given by IDP.
- **Mandatory**: if set to On, session will not be created if this
attribute is not sent by IDP.
- **Format** (optional): SAML attribute format.
|image1|
@ -192,8 +192,8 @@ Binding
.. note::
If no binding defined, the default binding in IDP metadata will be
used.
If no binding is defined, the default binding in IDP metadata
will be used.
Security
''''''''
@ -208,11 +208,11 @@ Security
Display
'''''''
Used only if you have more than 1 SAML Identity Provider declared
Used only if at least 2 SAML Identity Providers are declared
- **Display name**: Name of the IDP
- **Logo**: Logo of the IDP
- **Order**: Number to sort IDP display
- **Order**: Number used for sorting IDP display
.. tip::


@ -34,6 +34,8 @@ set to ``On``.
- **Allowed failed login**: Number of failed login attempts allowed before account is locked
- **Incremental lock**: Enable/disable incremental lock times
- **Incremental lock times**: List of comma separated lock time values in seconds
- **Maximum lock time**: Lock time values can not be higher than max lock time
- **Maximum age**: Delta between current and last stored failed login
Incremental lock time enabled
@ -70,17 +72,8 @@ Lock time increases between each failed login attempt after allowed failed login
Incremental lock time disabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After allowed failed login attempts, user must
wait the lock time before trying to log in again.
To modify delta (MaxAge) between current and last stored
failed login (300 seconds by default) edit ``lemonldap-ng.ini`` in [portal] section:
.. code-block:: ini
[portal]
bruteForceProtectionTempo = 30
bruteForceProtectionMaxAge = 300
bruteForceProtectionMaxFailed = 3
After allowed failed login attempts, user must wait
the lock time before trying to log in again.
.. attention::


@ -11,15 +11,19 @@ Just enable it in the manager (section “plugins”).
- **Parameters**:
- **Activation**: Enable / Disable this plugin
- **Download file**: Allow users to download DevOps file from a remote server by
providing an URL (By example: http://myapp.example.com:8080). Plugin will
try to retrieve remote file by sending a request (i.e.
http://myapp.example.com:8080/rules.json)
- **Download file**: Allow users to download DevOps file from a
remote server by providing an URL
(By example: http://myapp.example.com:8080). Plugin will
try to retrieve remote file by sending a request
(i.e. http://myapp.example.com:8080/rules.json)
- **Display normalized headers**: Display headers as they are sent
- **Check session attributes**: Check if used attributes are existing
Usage
-----
When enabled, ``/checkdevops`` URL path is handled by this plugin.
Then, you can paste a file to test your rules and headers.
Then, you can paste a file to test your rules and headers or
provide an URL to download the ``rules.json`` file.
Example
~~~~~~~
@ -48,7 +52,7 @@ access rules and headers:
By example: ``$groups =~ /\bdevops\b/``
.. attention::
.. danger::
Be careful to not display secret attributes.

@ -25,6 +25,23 @@ GET Parameter Need Value
``password`` optional
============= ======== ============================================================
Response
--------
The plugin will respond to the HTTP request with:
* HTTP code 500 if something went wrong
* HTTP code 200 and the following JSON content if something went right
```
{"result":1,"version":"2.0.14"}
```
.. versionadded:: 2.0.14
The *version* key is returned
Example
~~~~~~~

@ -17,29 +17,30 @@ Just enable it in the manager (section “plugins”).
- **Identities use rule**: Rule to define which profiles can be
displayed (by example: ``!$anonymous``)
- **Unrestricted users rule**: Rule to define which users can check
ALL users. ``Identities use rule`` is bypassed.
- **Hidden attributes**: Session attributes not displayed
ALL users and attributes.
- **Hidden attributes**: Session attributes not displayed except for unrestricted users
- **Attributes used for searching sessions**: User's attributes used
for searching sessions in backend if ``whatToTrace`` fails. Useful
to look for sessions by mail or givenName. Let it blank to search
by ``whatToTrace`` only
- **Hidden headers**: Sent headers whose value is masked except for unrestricted users.
Key is a Virtualhost name and value represents a space-separated headers list.
A blank value obfuscates ALL relative Virtualhost sent headers.
Key is a VirtualHost name and value represents a space-separated headers list.
A blank value obfuscates ALL relative VirtualHost sent headers.
Note that just valued hearders are masked.
- **Display**:
- **Computed sessions**: Rule to define which users can display a
computed session if no SSO session is found
- **Empty headers**: Rule to define which users can display ALL headers
appended by LemonLDAP::NG including empty ones
- **Normalized headers**: Rule to define which users can see headers name sent by
the web server (see RFC3875)
- **Empty values**: Rule to define which users can display ALL attributes
even empty ones
- **Persistent session data**: Rule to define which users can display
persistent session data
- **Normalized headers**: Rule to define which users can see headers name sent by
the web server (see RFC3875)
- **Empty headers**: Rule to define which users can display ALL headers
sent by LemonLDAP::NG including empty ones
- **Empty values**: Rule to define which users can display empty values
- **Hidden attributes**: Rule to define which users can display hidden attributes
- **History**: Rule to define which users can display logins history
.. note::
@ -57,7 +58,7 @@ Just enable it in the manager (section “plugins”).
By example:
\* Search attributes => ``mail uid givenName``
\* Search attributes => ``mail, uid, givenName``
If ``whatToTrace`` fails, sessions are searched by ``mail``, next
``uid`` if none session is found and so on...

@ -174,6 +174,9 @@ html_css_files = [
'css/custom.css',
]
html_favicon = 'logos/favicon.ico'
html_logo = 'logos/lemonldap-ng-logo.png'
# Add any extra paths that contain custom files (such as robots.txt or
# .htaccess) here, relative to this directory. These files are copied
# directly to the root of the documentation.

@ -515,6 +515,8 @@ Some options are available:
required level, he is redirected to an upgrade page in the portal.
This default level is required for ALL locations relative to this virtual host.
It can be overrided for each locations.
- **DevOps rules file URL**: option to define URL to retreive DevOps rules file.
This option can be overridden with ``uwsgi_param/fastcgi_param RULES_URL`` parameter.
- **ServiceToken timeout**: by default, ServiceToken is just valid during 30
seconds. This TTL can be customized for each virtual host.

@ -12,14 +12,14 @@ Custom functions allow one to extend LL::NG, they can be used in
Implementation
--------------
Your perl custom function must be declared on appropriate server when
separating :
Your perl custom functions must be declared on appropriate server when
separating:
portal type : declare custom function here when using it in rules,
macros, menu
**Portal type**: declare custom functions here when using it in rules,
macros or menu.
reverse-proxy type : declare custom function here when using it in
headers
**Reverse-proxy type**: declare custom functions here when using it in
headers.
Write custom functions library
------------------------------
@ -125,7 +125,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
::
SSOExtensions::function1 SSOExtensions::function2
SSOExtensions::function1, SSOExtensions::function2
.. attention::

@ -1,8 +1,8 @@
DevOps Handler
==============
This handler is designed to read vhost configuration from the website
itself not from LL:NG configuration. Rules and headers are set in a
This Handler is designed to retrieve vhost configuration from the website
itself, not from LL:NG configuration. Rules and headers are set in a
**rules.json** file stored at the website root directory (ie
``http://website/rules.json``). This file looks like:
@ -24,7 +24,7 @@ If this file is not found, the default rule "accept" is applied and just
No specific configuration is required except that:
- you have to choose this specific handler (directly by using
``VHOSTTYPE`` environment variable)
``VHOSTTYPE`` environment variable or in VHost options)
- you can set the loopback URL needed by the DevOps handler to get
``/rules.json`` or use ``RULES_URL`` parameter to set JSON file path
(see :doc:`SSO as a Service<ssoaas>`). Default to
@ -33,7 +33,7 @@ No specific configuration is required except that:
.. attention::
Note that DevOps handler will refuse to compile
rules.json if :doc:`Safe Jail<safejail>` isn't enabled.
Note that DevOps handler will not compile
rules.json if :doc:`Safe Jail<safejail>` is not enabled.
See :doc:`SSO as a Service<ssoaas>` for more
See :doc:`SSO as a Service<ssoaas>` for more.

@ -267,7 +267,7 @@ Simple usage example:
groupMatch
~~~~~~~~~~
this function allows one to parse the ``$hGroups`` variable to check if
This function allows one to parse the ``$hGroups`` variable to check if
a value is present inside a group attribute.
Function parameter:

@ -19,7 +19,7 @@ All parameters are configured in "General Parameters » Portal Parameters
» Extensions » External 2nd Factor".
- **Activation**
- **Code RegEx**: regular expression to create an OTP code. Let this
- **Code regex**: regular expression to create an OTP code. Let this
option blank to delegate code Generation / Verification to an
external provider
- **Send command**: define your command using *$attribute* like in
@ -33,9 +33,9 @@ All parameters are configured in "General Parameters » Portal Parameters
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
- **Logo** (Optional): logo file (in static/<skin> directory)
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file (in static/<skin> directory)
.. attention::

@ -19,9 +19,16 @@ Just enable it in the Manager (section “plugins”). Then, set searching attri
- **Character used as wildcard**: Character that can be used by users as wildcard. An empty value disable wildcarded search requests
- **Parameters control**: Regular expression used for checking searching values syntax
- **User accounts URL**: User database URL to search on if REST backend is used. Let it blank to use default user data URL.
- **Searching attributes**: For each attribute, you have to set a key (attribute as defined in UserBD) and a value that will be display in login form (placeholder). A value can be a multivalued list separated by multiValuesSeparator parameter (General Parameters > Advanced parameters > Separator). See note below.
- **Searching attributes**: For each attribute, you have to set a key (attribute as defined in UserBD) and a value that will be display in login form (placeholder). A value can be a multivalued list separated by multiValuesSeparator parameter (General Parameters > Advanced parameters > Separator). Attibutes can be sorted by adding ``#_`` before their name (where ``#`` is a number). See note below.
- **Excluding attributes**: You can defined here attributes used for excluding accounts. Set keys corresponding to UserBD attributes and values to exclude. A value can be a multivalued list separated by multiValuesSeparator parameter (General Parameters > Advanced parameters > Separator)
.. note::
By default, simple searching attributes are mandatory to restrict the number of entries to return. To set an attribute as optional,
you can use the following syntax ::
uid##1 => UID
.. note::
You can provide a 'multiValuesSeparator' separated list of allowed searching values that will be displayed as an HTML <select> list ::
@ -34,11 +41,9 @@ Just enable it in the Manager (section “plugins”). Then, set searching attri
uid#Identity#1 => dwho; Dr Who; rtyler; Rose Tyler (allow empty value)
Entries are sorted by alphabetical order.
1_uid#Identity#1 => 2_dwho; Dr Who; 1_rtyler; Rose Tyler; dalek; Dalek
(The attributes will be sorted by number, those without a number will appear at the end of the list)
.. attention::
LDAP filter works only if an objectClass is set.
.. attention::
@ -46,15 +51,18 @@ Just enable it in the Manager (section “plugins”). Then, set searching attri
request => searchAttr1=value && searchAttr2=value && not excludeAttr1=value && not excludeAttr2=value
.. attention::
In some cases (like Choice authentication with SSL and Ajax), FindUser Ajax request can be blocked by Content Security Policy.
You may have to allow <Portal>/finduser in CSP ``General Parameters > Advanced Parameters > Security > Content security policy``
.. danger::
This plugin works only with a users backend and of course if the searching or excluding attributes are existing.
.. danger::
With AuthChoice, you must set which module will be called by this plugin (:doc:`Backend choice by users<authchoice>`).
.. |image0| image:: /documentation/beta.png
:width: 100px
With AuthChoice, you must set which module will be called by this plugin (:doc:`Backend choice by users<authchoice>`).

@ -6,9 +6,9 @@ Handlers are build on rows of modules:
- Applications or launchers that get the request and choose the right
type *(Main, AuthBasic, ZimbraPreAuth,...)* and launch it *(may not
inherits from other Handler::\* modules)*
- Wrappers that call "type" library and platform "Main" //(may all
- Wrappers that call "type" library and platform "Main" (may all
inherits from Platform::Main
- library types if needed *(may inherits from Main)*
- Library types if needed *(may inherit from Main)*
- Main: the main handler library
Since version 2.1, wrappers are autogenerated when undefined. Generated

@ -48,13 +48,13 @@ to access required locations in Portal Virtual Host.
.. danger::
With AuthBasic handler, you have to disable CSRF token by
With AuthBasic Handler, you have to disable CSRF token by
setting a special rule based on source IP addresses like this :
requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
With :doc:`authchoice`, you have to declare which authentication module is
requested by handler to create global session.
requested by the AuthBasic Handler to create global session.
Go to:
``General Parameters > Authentication parameters > Choice parameters``

@ -1,6 +1,8 @@
Available plugin hooks
======================
This page shows the list of hooks that you can use in your :doc:`custom plugins <plugincustom>`. Read the :doc:`plugincustom` page for full details on how to create and enable custom plugins.
OpenID Connect Issuer hooks
---------------------------
@ -94,7 +96,7 @@ Sample code::
};
sub addClaimToUserInfo {
my ( $self, $req, $userinfo ) = @_;
my ( $self, $req, $userinfo, $rp) = @_;
$userinfo->{"userinfo_hook"} = 1;
return PE_OK;
}
@ -192,7 +194,7 @@ Sample code::
};
sub gotRequest {
my ( $self, $res, $login ) = @_;
my ( $self, $req, $login ) = @_;
# Your code here
}
@ -213,7 +215,7 @@ Sample code::
};
sub buildResponse {
my ( $self, $res, $login ) = @_;
my ( $self, $req, $login ) = @_;
# Your code here
}
@ -234,7 +236,7 @@ Sample code::
};
sub gotLogout {
my ( $self, $res, $logout ) = @_;
my ( $self, $req, $logout ) = @_;
# Your code here
}
@ -255,7 +257,7 @@ Sample code::
};
sub gotLogoutResponse {
my ( $self, $res, $logout ) = @_;
my ( $self, $req, $logout ) = @_;
# Your code here
}
@ -276,7 +278,7 @@ Sample code::
};
sub buildLogoutResponse {
my ( $self, $res, $logout ) = @_;
my ( $self, $req, $logout ) = @_;
# Your code here
}
@ -416,6 +418,6 @@ Sample code::
sub logPasswordChange {
my ( $self, $req, $user, $password, $old ) = @_;
$old ||= "";
$self->userLogger->info("Password changed for $user: $old -> $password")
$self->userLogger->info("Password changed for $user: $old -> $password");
return PE_OK;
}

@ -47,7 +47,7 @@ Configuring the CAS Service
Then go in ``CAS Service`` to define:
- **CAS login**: the session key transmitted to CAS client as the main
identifier (CAS Principal). This setting can be overriden
identifier (CAS Principal). This setting can be overridden
per-application.
- **Access control policy**: define if access control should be done on
CAS service. Three options:

@ -30,12 +30,11 @@ As an OP, LL::NG supports a lot of OpenID Connect features:
- Session management
- FrontChannel Logout
- BackChannel Logout
- PKCE (Since ``2.0.4``) - See `RFC
7636 <https://tools.ietf.org/html/rfc7636>`__
- Introspection endpoint (Since ``2.0.6``) - See `RFC
7662 <https://tools.ietf.org/html/rfc7662>`__
- PKCE (Since ``2.0.4``) - See :rfc:`7636`
- Introspection endpoint (Since ``2.0.6``) - See :rfc:`7662`
- Offline access (Since ``2.0.7``)
- Refresh Tokens (Since ``2.0.7``)
- Optional JWT Access Tokens (Since ``2.0.12``) - See :rfc:`9068`
Configuration
-------------
@ -156,22 +155,20 @@ spaces, no special characters), like “sample-rp”;
You can then access to the configuration of this RP.
.. _oidcexportedattr:
Exported attributes
^^^^^^^^^^^^^^^^^^^
You can map here the attribute names from the LL::NG session to an
`OpenID Connect
claim <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__.
.. warning::
.. include:: openidconnectclaims.rst
By default, only `standard OpenID Connect claims <http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>`__ are visible to applications. If you want to add non-standard attributes, you must create a new scope in the *Scope values content* section and make your application request it
.. _oidcexportedattr:
For each OpenID Connect attribute you want to release to applications, you can define:
For each OpenID Connect claim you want to release to applications, you can define:
* **Claim name**: the name of the claim as it will appear in Userinfo responses
* **Variable name**: the name of the LemonLDAP::NG session variable containing the claim value
* **Type**: the data type of the attribute. By default, a string. Choosing integer or boolean will make the claim appear as the corresponding JSON type.
* **Claim name**: the name of the attribute as it will appear in Userinfo responses
* **Variable name**: the name of the LemonLDAP::NG session variable containing the attribute value
* **Type**: the data type of the attribute. By default, a string. Choosing integer or boolean will make the attribute appear as the corresponding JSON type.
* **Array**: choose how to process multi-valued attributes
* **Auto**: If the session key contains a single value, it will be released as a JSON number, string or boolean, depending on the previously specified type. If the session key contains multiple values, it will be released as an array of numbers, strings or booleans.
@ -187,36 +184,47 @@ For each OpenID Connect claim you want to release to applications, you can defin
.. _oidcextraclaims:
Extra Claims
^^^^^^^^^^^^
Scope values content
^^^^^^^^^^^^^^^^^^^^
By default, LemonLDAP::NG already defines the following scope-to-attribute map:
.. attention::
.. csv-table::
:header: "Scope value", "Attribute list"
:delim: ;
:widths: auto
By default, only claims that are part of standard OpenID
Connect scopes will be sent to a client. If you want to send a claim
that is not in the OpenID Connect specification, you need to declare it
in the Extra Claims section
profile; name family_name given_name middle_name nickname preferred_username profile picture website gender birthdate zoneinfo locale updated_at
email; email email_verified
address; street_address locality region postal_code country
phone; phone_number phone_number_verified
If you want to make custom claims visible to OpenID Connect clients, you
need to declare them in a scope.
If you want to make custom attribute visible to OpenID Connect clients, you
need to declare them in a new scope in this section.
Add your additional scope as the **Key**, and a space-separated list of
claims as the **Value**:
attribute as the **Value**:
- timelord => rebirth_count bloodline
- `employment_info` => `position company`
In this example, an OpenID Client asking for the ``timelord`` scope will
be able to read the ``rebirth_count`` and ``bloodline`` claims from the
In this example, an OpenID Client asking for the ``employment_info`` scope will
be able to read the ``company`` and ``position`` attribute from the
Userinfo endpoint.
.. important::
.. danger::
Any Claim defined in this section must be mapped to a
LemonLDAP::NG session attribute in the **Exported Attributes**
Any attribute defined in this section must be mapped to a
LemonLDAP::NG session variable in the **Exported Attributes**
section
.. important::
Your custom attributes will only be visible if the application requests the
corresponding scope value
.. _oidcscoperules:
Scope Rules
@ -318,7 +326,7 @@ Options
return it as a JWT, using one of the available signature algorithms.
- **Require PKCE** (since version ``2.0.4``): a code challenge is
required at token endpoint (see
`RFC7636 <https://tools.ietf.org/html/rfc7636>`__)
:rfc:`7636`)
- **Allow offline access** (since version ``2.0.7``): After enabling
this feature, an application may request the **offline_access**
scope, and will obtain a Refresh Token that persists even after
@ -333,10 +341,21 @@ Options
- **Logout**
- **Allowed redirection addresses for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ``post_logout_redirect_uri``)
- **URL**: Specify the relying party's logout URL
- **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
- **Session required**: Whether to send the Session ID in the logout request
- **Allowed redirection addresses for logout**: A space separated list of
URLs that this client can redirect the user to once the logout is done
(through ``post_logout_redirect_uri``)
- **URL**: Specify the relying party's logout URL
- **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
- **Session required**: Whether to send the Session ID in the logout request
Access Rule extra variables
^^^^^^^^^^^^^^^^^^^^^^^^^^^
When writing your access rules, you can additionally use the following variables:
* ``$_oidc_grant_type`` (since version ``2.0.14``): the grant type being used to
access this service. Possible values: ``authorizationcode``,
``implicit``, ``hybrid``, ``clientcredentials``, ``password``
.. _resource-owner-password-grant:
@ -351,7 +370,7 @@ The Resource Owner Password Credentials Grant allows you to exchange a user's lo
.. seealso::
`Specification for the Resource Owner Password Credentials Grant <https://tools.ietf.org/html/rfc6749#section-4.3>`__
Specification for the Resource Owner Password Credentials Grant: :rfc:`6749#section-4.3`
.. _client-credentials-grant:
@ -379,7 +398,7 @@ mapped to Exported Attributes and Extra Claims
.. seealso::
`Specification for the Client Credentials Grant <https://tools.ietf.org/html/rfc6749#section-4.4>`__
Specification for the Client Credentials Grant: :rfc:`6749#section-4.4`
Macros
^^^^^^

@ -58,6 +58,8 @@ IDP related metadata.
In both cases, the entityID of the LemonLDAP::NG server is
http://auth.example.com/saml/metadata
.. _samlidp-register-sp:
Register partner Service Provider on LemonLDAP::NG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@ -7,7 +7,6 @@ Handlers
handlerauthbasic
cda
ssoaas
servertoserver
oauth2handler
securetoken
servertoserver

@ -5,4 +5,5 @@ Attacks and Protection
:maxdepth: 1
bruteforceprotection
newlocationwarning
safejail

@ -68,7 +68,7 @@ repositories:
apt install apt-transport-https
You will need to trust the following GPG key : |image0|
You will need to trust the `DEB signing key <https://lemonldap-ng.org/_media/rpm-gpg-key-ow2>`__ :
::
@ -196,6 +196,3 @@ the package yourself:
tar xzf lemonldap-ng-*.tar.gz
cd lemonldap-ng-*
make debian-packages
.. |image0| image:: /rpm-gpg-key-ow2

@ -105,9 +105,8 @@ RPMs are available on the :doc:`Download page</download>`.
Package GPG signature
---------------------
The GPG key can be downloaded here: |image0|
Install it to trust RPMs:
Get the `RPM signing key <https://lemonldap-ng.org/_media/rpm-gpg-key-ow2>`__ onto your LemonLDAP::NG server:
::
@ -219,5 +218,4 @@ If you need it, you can rebuild RPMs:
rpmbuild -ta SOURCES/lemonldap-ng-VERSION.tar.gz
.. |image0| image:: /rpm-gpg-key-ow2

@ -94,12 +94,11 @@ RPMs are available on the :doc:`Download page<download>`.
Package GPG signature
---------------------
The GPG key can be downloaded here: |image0|
Install it to trust RPMs:
Install the `RPM signing key <https://lemonldap-ng.org/_media/rpm-gpg-key-ow2>`__ to trust RPMs:
::
wget https://lemonldap-ng.org/_media/rpm-gpg-key-ow2
rpm --import rpm-gpg-key-ow2
Install packages
@ -243,6 +242,3 @@ Alternatively, you can use the automatic script
:ref:`lemonldap svn repository<download-getting-sources-from-svn-repository>`.
The automatic script can also generate intermediate dependencies. See
README file in the same directory for more information.
.. |image0| image:: /rpm-gpg-key-ow2

@ -26,12 +26,14 @@ not allowed to open a session. In other cases which result on
impossibility to authenticate user, to retrieve data or to create a
session, nothing is stored.
By default, login time and IP address are stored in history, and the
error message prompted to the user for failed logins. It is possible to
store any additional session data. For example to store authentication
mode, you can set in ``Session data to store`` a new key ``_auth`` with
value ``Authentication mode``. The value will be used to display the
data.
* **Max successful logins count**: How many successful logins should be remembered in the history
* **Max failed logins count**: How many failed logins should be remembered in the history
* **Session data to store**: additional session variables to store in the history. *Key* is the variable (or macro) name, *Value* is the title of the column used when displaying the field. Use ``__hidden__`` to store a variables without displaying it to the user.
By default, login time and IP address are stored in history, and the error
message prompted to the user for failed logins. It is possible to store any
additional session data. For example to store authentication, add a new key
``_auth`` with value ``Authentication mode``.
To allow the Login History tab in Menu, configure it in
``General Parameters`` > ``Portal`` > ``Menu`` > ``Modules`` (see

@ -6,10 +6,10 @@ Presentation
Main settings:
- **REMOTE_USER** : session attribute used for logging user access
- **REMOTE_CUSTOM** : can be used for logging an another user attribute or a macro
- **REMOTE_USER**: session attribute used for logging user access
- **REMOTE_CUSTOM**: can be used for logging an another user attribute or a macro
(optional)
- **Hidden attributes** : session attributes never displayed or sent
- **Hidden attributes**: session attributes never displayed or sent
LemonLDAP::NG provides 5 levels of error and has two kind of logs:

@ -48,6 +48,6 @@ Mail second factor".
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file *(in static/<skin> directory)*

@ -0,0 +1,55 @@
|image0|
New Location Warning Plugin
===========================
Presentation
------------
This plugin allows LL::NG to send a warning message to the user's email
address when their account connects from a new location.
By default, the location is the IP address. Meaning that any connection from a
different IP address will send a warning. If this is not what you want, you can
change the way location is computed (see below).
Following steps are performed when the user logs in
#. Extract the location from session info (by default, the IP address is used)
#. Compare the current location to the previous locations saved in history
#. If it is a new location, send an email to warn the user
#. On the next login, the location will no longer be considered as new
The very first time a user logs in (empty login history), no email is sent.
Configuration
-------------
Just enable it in the Manager (section ``General Parameters`` > ``Advanced parameters`` > ``Security`` > ``New location warning``:
- **Activation**: Enable this plugin *(default: disabled)*
- **Session attribute containing location**: Indicate the session attribute you are using to store the location. You can use `ipAddr`, or a custom macro.
- **Session attribute to display**: By default, the raw value of the location session attribute is displayed in the warning email. If you want to use a different session attribute in the warning email, you can specify it here.
- **Maximum number of locations to consider**: By default, all previous value of the location are checked
- **Session mail attribute**: Session key containing mail address *(default: mail)*
- **Warning mail subject**: Subject of the email containing the warning
- **Warning mail content**: Content of the email containing the warning
.. warning::
If you use a macro instead of ``ipAddr`` as the location value, be sure to add the name of this macro to
General Parameters » Plugins » Login History » Session data to store
Otherwise, the value of the macro will not be remembered across logins
Email body variables
~~~~~~~~~~~~~~~~~~~~
Following variables are available in the Warning email body:
* ``$location``: the location value, from **Session attribute to display**
* ``$date``: the date of login
* ``$ua``: the full user agent string
.. |image0| image:: /documentation/beta.png
:width: 100px

@ -48,6 +48,10 @@ The OAuth2 handler defines a few extra variables that you can use in
* ``$_clientId``: client ID of the application which requested the Access Token
* ``$_clientConfKey``: configuration key of the application which requested the
Access Token
* ``$_oidc_grant_type`` (since *2.0.14*): the grant type used to generate the Access Token. If
Refresh Tokens are used, this is the grant type of the first emitted Access
Token. Possible values: ``authorizationcode``, ``implicit``, ``hybrid``,
``clientcredentials``, ``password``
* ``$_scope``: list of space-separated scopes granted by the Access Token
For example, to grant access to access tokens containing the ``write`` scope,
@ -68,7 +72,7 @@ Define access rules and headers. Then in ``Options`` > ``Type``, choose
Reference
---------
`RFC6750 <https://tools.ietf.org/html/rfc6750>`__
:rfc:`6750`
.. |image0| image:: /documentation/oauth-retina-preview.jpg
:class: align-center

@ -1,32 +0,0 @@
OpenID Connect claims
~~~~~~~~~~~~~~~~~~~~~
===================== ================ ======= =======================================
Claim name Associated scope Type Example of corresponding LDAP attribute
===================== ================ ======= =======================================
sub openid string uid
name profile string cn
given_name profile string givenName
family_name profile string sn
middle_name profile string
nickname profile string
preferred_username profile string displayName
profile profile string labeledURI
picture profile string
website profile string
email email string mail
email_verified email boolean
gender profile string
birthdate profile string
zoneinfo profile string
locale profile string preferredLanguage
phone_number phone string telephoneNumber
phone_number_verified phone boolean
updated_at profile string
formatted address string registeredAddress
street_address address string street
locality address string l
region address string st
postal_code address string postalCode
country address string co
===================== ================ ======= =======================================

@ -51,7 +51,7 @@ Security
- **Only allow declared scopes**: By default, LemonLDAP::NG will grant all requested scopes. When this option is in use, LemonLDAP will only grant:
- Standard OIDC scopes (``openid`` ``profile`` ``email`` ``address`` ``phone``)
- Scopes declared in :ref:`Extra Claims <oidcextraclaims>`
- Scopes declared in :ref:`Scope values content <oidcextraclaims>`
- Scopes declared in :ref:`Scope Rules <oidcscoperules>` (if they match the rule)
- **Authorization Code flow**: Set to 1 to allow Authorization Code

@ -444,8 +444,10 @@ radiusServer
randomPasswordRegexp Regular expression to create a random password ✔
redirectFormMethod HTTP method for redirect page form ✔
refreshSessions Refresh sessions plugin ✔
registerConfirmBody Mail body for register confirmation ✔
registerConfirmSubject Mail subject for register confirmation ✔
registerDB Register module ✔
registerDoneBody Mail body when register is done ✔
registerDoneSubject Mail subject when register is done ✔
registerTimeout Register session timeout ✔
registerUrl URL of register page ✔

@ -4,8 +4,22 @@ Write a custom plugin
Presentation
------------
Standard entry points
~~~~~~~~~~~~~~~~~~~~~
Portal plugins let you customize LemonLDAP::NG's behavior.
Common use cases for plugins are:
* Looking up session information in an additional backend
* Implementing additional controls or steps during login
* Adjusting the behavior of SAML, OIDC or CAS protocols to work around application bugs
Creating a plugin can be as simple as writing a short Perl module file and
declaring it in your configuration. See below for an example.
Plugin API
----------
Authentication entry points
~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can now write a custom portal plugin that will hook in the
authentication process:
@ -21,8 +35,8 @@ authentication process:
- ``forAuthUser``: method called for already authenticated users
- ``beforeLogout``: method called before logout
Extended entry points
~~~~~~~~~~~~~~~~~~~~~
Generic entry points
~~~~~~~~~~~~~~~~~~~~
If you need to call a method just after any standard method in
authentication process, then use ``afterSub``, for example:
@ -75,51 +89,147 @@ The plugin can also define new routes and call actions on them.
See also ``Lemonldap::NG::Portal::Main::Plugin`` man page.
Configuration
~~~~~~~~~~~~~
The current LemonLDAP::NG configuration can be accessed in the ``$self->conf`` hash. This variable is only meant to be read. Don't try changing its content, or *Bad Things* may happen.
You can set your own parameters in ``General Parameters`` » ``Plugins`` » ``Custom plugins`` » ``Additional parameters``
and reach them through ``customPluginsParams``
.. code-block:: perl
sub my_function {
my ($self, $req) = @_;
# Get a standard LLNG option
my $llng_logo = $self->conf->{portalMainLogo};
# Get your custom LLNG option
my $myvar = $self->conf->{customPluginsParams}->{myvar};
}
Logs
~~~~
You can use the ``$self->logger`` and ``$self->userLogger`` objects to log information during your plugin execution. Use ``logger`` for technical logs and ``userLogger`` for accounting and tracability events.
.. code-block:: perl
sub my_function {
my ($self, $req) = @_;
$self->logger->debug("Debug message");
if (my_custom_test($req->user)) {
$self->userLogger->debug("User ". $req->user .
" is not allowed because XXX");
return PE_ERROR;
}
return PE_OK;
}
Remembering data
~~~~~~~~~~~~~~~~
In order to remember data between different steps, you can use the ``$req->data`` hash.
Data will not be remembered in between requests, only in between methods that process the same HTTP request.
History management
~~~~~~~~~~~~~~~~~~
Plugins may declare additional session fields to be stored in the :doc:`loginhistory`.
.. code:: perl
sub init {
my ($self) = @_;
$self->addSessionDataToRemember({
# This field will be hidden from the user
_language => '__hidden__',
# This field will be displayed on the portal. The column name
# is treated like a message and can be internationalized
authenticationLevel => "Human friendly column name",
});
return 1;
}
Column names can be translated by :ref:`overriding the corresponding message <intlmessages>`
Example
-------
Plugin Perl module
~~~~~~~~~~~~~~~~~~
Create for example the MyPlugin module:
This example creates a ``Lemonldap::NG::Portal::MyPlugin`` plugin that
showcases some features of the plugin system.
::
First, create a file to contain the plugin code ::
vi /usr/share/perl5/Lemonldap/NG/Portal/MyPlugin.pm
.. tip::
If you do not want to mix files from the distribution with
your own work, put your own code in
``/usr/local/lib/site_perl/Lemonldap/NG/Portal/MyPlugin.pm``\
``/usr/local/lib/site_perl/Lemonldap/NG/Portal/MyPlugin.pm``.
Or you can use your own namespace such as ``ACME::Corp::MyPlugin``.
.. code-block:: perl
# The package name must match the file path
# This file must be in Lemonldap/NG/Portal/MyPlugin.pm
package Lemonldap::NG::Portal::MyPlugin;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants;
extends 'Lemonldap::NG::Portal::Main::Plugin';
# Declare when LemonLDAP::NG must call your functions
use constant beforeAuth => 'verifyIP';
use constant hook => { passwordAfterChange => 'logPasswordChange' };
sub init {
my ($self) = @_;
$self->addUnauthRoute( mypath => 'hello', [ 'GET', 'PUT' ] );
$self->addAuthRoute( mypath => 'welcome', [ 'GET', 'PUT' ] );
return 1;
}
# This function will be called at the "beforeAuth" login step
sub verifyIP {
my ($self, $req) = @_;
return PE_ERROR if($req->address !~ /^10/);
return PE_OK;
}
# This function will be called when changing passwords
sub logPasswordChange {
my ( $self, $req, $user, $password, $old ) = @_;
$self->userLogger->info("Password changed for $user");
return PE_OK;
}
# You can define your custom initialization in the
# init method.
# Before LemonLDAP::NG 2.0.14, this function was mandatory
sub init {
my ($self) = @_;
# This is how you declare HTTP routes
$self->addUnauthRoute( mypath => 'hello', [ 'GET', 'PUT' ] );
$self->addAuthRoute( mypath => 'welcome', [ 'GET', 'PUT' ] );
# The function can return 0 to indicate failure
return 1;
}
# This method will be called to handle unauthenticated requests to /mypath
sub hello {
my ($self, $req) = @_;
...
return $self->p->sendJSONresponse($req, { hello => 1 });
}
# This method will be called to handle authenticated requests to /mypath
sub welcome {
my ($self, $req) = @_;
@ -129,10 +239,13 @@ Create for example the MyPlugin module:
...
return $self->p->sendHtml($req, 'template', params => { WELCOME => 1 });
}
# Your file must return 1, or Perl will complain.
1;
Configuration
~~~~~~~~~~~~~
Enabling your plugin
~~~~~~~~~~~~~~~~~~~~
Declare the plugin in Manager, in General Parameters > Plugins > Custom
Plugins.


@ -11,9 +11,9 @@ Main Logo
~~~~~~~~~
You can change the default Main Logo in Manager: General Parameters >
Portal > Customization > Main Logo.
Portal > Customization > Main logo.
A blank value disables Main Logo display.
A blank value disables Main logo display.
.. tip::
@ -44,14 +44,14 @@ Custom CSS file
~~~~~~~~~~~~~~~
You can define a custom CSS file, for example ``custom.css``, which will
be loaded after default CSS files. This file needs to be created in the
be loaded after default CSS files. This file must be created in the
static repository
(``/usr/share/lemonldap-ng/portal/htdocs/static/bootstrap/css``).
Then set this value in Custom CSS parameter :
Then set this value in Custom CSS parameter:
``bootstrap/css/custom.css``.
Sample CSS file, to remove white background of main logo:
CSS file example to remove white background of main logo:
.. code-block:: css
@ -65,9 +65,9 @@ Sample CSS file, to remove white background of main logo:
Skin
----
LemonLDAP::NG is shipped with bootstrap skin.
LemonLDAP::NG is shipped with a bootstrap skin.
But you can make your own. See Skin customization below.
But you can provide your own. See Skin customization below.
Default skin
~~~~~~~~~~~~
@ -83,8 +83,7 @@ Skin background
Go in ``General Parameters`` > ``Portal`` > ``Customization`` >
``Skin background``. You can define a background by selecting one of the
available image. Use ``None`` to use the default skin background
configuration.
available image. Select ``None`` to use the default skin background configuration.
|image0|
@ -112,7 +111,7 @@ user.
To achieve this, you can create a rule in the Manager: select
``General Parameters`` > ``Portal`` > ``Customization`` >
``Skin display rules`` on click on "New key". Then fill the two fields;
``Skin display rules`` and click on "New entry". Then fill the two fields;
- **Key**: a Perl expression (you can use ``%ENV`` hash to get environment
variables, or ``$_url`` to get URL called before redirection, or ``$ipAddr``
@ -131,7 +130,7 @@ Skin files
A skin is composed of different files:
- **.tpl**: Perl HTML::Template files, for HTML content
- **.tpl**: Perl `HTML::Template <https://metacpan.org/pod/HTML::Template>`__ files, for HTML content
- **.css**: CSS (styles)
- **.js**: Javascript
- images and other media files
@ -213,12 +212,18 @@ lemonldap-ng-cli:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portalSkin 'myskin' portalSkinBackground ''
You can find additional documentation on the syntax of template files in the
`official documentation of the HTML::Template module
<https://metacpan.org/pod/HTML::Template>`__
.. _intlmessages:
Messages
~~~~~~~~
Messages are defined in source code. If they really do not please you,
Messages are defined in source code. If they really do not suit you,
override them! You just need to know the ID of the message (look at
Portal/Simple.pm).
Portal/Main/Constants.pm).
There are two methods to do this:
@ -240,7 +245,7 @@ boxes by using the bareword ``_hide_`` :
.. code-block:: ini
error_en_0 = Big brother is watching you, authenticated user
error_fr_0 = Souriez vous êtes surveillés !
error_fr_0 = Souriez, vous êtes surveillés !
msg_fr_lastLogins = Dernières connexions
error_9 = _hide_
@ -309,28 +314,26 @@ You can also display environment variables, with the prefix ``env_``:
Your IP is <TMPL_VAR NAME="env_REMOTE_ADDR">
Buttons
-------
Buttons on login page
---------------------
This node allows one to enable/disable buttons on the login page:
- **Check last logins**: display a checkbox on login form, allowing
user to check his login history right after opening session
- **Register new account**: display a link to :doc:`register page<register>` (for
password based authentication backends)
- **Reset your certificate**: display a link to :doc:`reset certificate page<resetcertificate>` (for
password based authentication backends)
- **Reset password**: display a link to
:doc:`reset your password page<resetpassword>` (for password based
authentication backends). Number of allowed retries can be set (3
times by default)
- **Register**: display a link to :doc:`register page<register>` (for
password based authentication backends)
- **Reset certificate**: display a link to :doc:`reset certificate page<resetcertificate>` (for
password based authentication backends)
- **Max reset password retries**: number of retries allowed for resetting password
Password management
-------------------
General
~~~~~~~
- **Require old password**: used only in the password changing module
of the menu, will check the old password before updating it
- **Hide old password**: used only if the password need to be reset by
@ -343,21 +346,26 @@ General
revealed. Disabled by default.
Password Policy
~~~~~~~~~~~~~~~
.. tip::
Available since version 2.0.6
- **Activation**: enable/disable password policy. You can set a rule
to enable policy for specific users only
- **Display policy in password form**: enable this option to display an
information message about password policy constraints
- **Minimal size**: leave 0 to bypass the check
- **Minimal lower characters**: leave 0 to bypass the check
- **Minimal upper characters**: leave 0 to bypass the check
- **Minimal digit characters**: leave 0 to bypass the check
- **Minimal special characters**: leave 0 to bypass the check
- **Allowed special characters**: set '__ALL__' value to allow ALL special characters. A blanck value forbids ALL special characters (Note that ``_`` is not a special character)
- **Display policy in password form**: enable this to display an
information message about password policy constraints
.. _portalcustom-other-parameters:
Other parameters
----------------
Other
-----
- **User attribute**: which session attribute will be used to display
``Connected as`` in the menu
@ -365,15 +373,16 @@ Other parameters
- **Anti iframe protection**: Set ``X-Frame-Options`` and CSP
``frame-ancestors`` headers (see `Browser
compatibility <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Browser_compatibility>`__)
- **Ping interval**: Number of milliseconds between each ping (Ajax
- **Ping interval**: number of milliseconds between each ping (Ajax
request) on the portal menu. Set to 0 to dismiss checks.
- **Show error on expired session**: Display the error "Session
- **Show error on expired session**: display the error "Session
expired", which stops the authentication process. This is enabled by
default but can be disabled to prevent transparent authentication
(like SSL or Kerberos) to be stopped.
- **Show error on mail not found**: Display error if provided mail is
- **Show error on mail not found**: display error if provided mail is
not found in password reset by mail process. Disabled by default to
prevent mail enumeration from this page.
- **Display rights refresh link**: enable/disable link in Portal menu to allow users to refresh their rights
.. |image0| image:: /documentation/manager-skin-background.png
:class: align-center


@ -56,13 +56,13 @@ Mail second factor".
code against the Radius server, use this attribute as the login and
the OTP code as password. By default, the attribute designated as
``whatToTrace`` is used.
- **Authentication timeout** (Optional) :
- **Authentication timeout** (Optional): Allowed time to perform authentication
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file *(in static/<skin> directory)*
Vendor specific
~~~~~~~~~~~~~~~


@ -4,30 +4,43 @@ Register a new account
Presentation
------------
This feature is a page that allows a user to create an account. The
steps are the following:
This feature is a page that allows a user to create an account.
Following steps are performed:
#. User click on the button "Create a new account"
#. He enters first name, last name and email
#. He gets a mail with a confirmation link
#. After clicking, his entry is added
#. He gets a mail with his login and his password
#. They enter first name, last name and email
#. They receive an email with a confirmation link
#. After clicking, their account is created
#. An email with his login and password is sent
Configuration
-------------
You can enable the "Create your account" button in
:doc:`portal customization parameters<portalcustom>`.
The "Create your account" button can be enabled in
:doc:`Portal customization parameters<portalcustom>`.
Then, go in ``Portal`` > ``Advanced parameters`` >
``Register new account``:
Then, go in ``General Parameters`` > ``Plugins`` > ``Register new account``:
- **Module**: Choose the backend to use to create the new account.
- **Module**: Backend used for creating new account.
- **Page URL**: URL of register page
- **Validity time of a register request**: duration in seconds of a new
- **Validity time of a register request**: Duration in seconds of a new
account request. The request will be deleted after this time if user
do not click on the link.
- **Subject for confirmation mail**: Subject of the mail containing the
- **Subject for confirmation mail**: Subject of the email containing the
confirmation link
- **Subject for done mail**: Subject of the mail giving login and
password
- **Body for confirmation mail**: The plain text content of the confirmation email the user will
receive. If you leave it blank, the ``mail_register_confirm`` HTML template will be used.
Confirmation link is stored in the ``$url`` variable
- **Subject for done mail**: Subject of the email providing login and password.
- **Body for done mail**: The plain text content of the done email the user will
receive. If you leave it blank, the ``mail_register_done`` HTML template will be used.
Login and generated password are stored in the corresponding ``$login`` and ``$password`` variables
.. note::
Following variables are available in:
\* Register email body => ``$expMailDate``, ``$expMailTime``, ``$url``, ``$mail``, ``$firstname``, ``$lastname`` and ``$ipAddr``
\* Done email body => ``$login``, ``$password`` and ``$url``


@ -98,7 +98,7 @@ The script provide the following options
* -h (--help): print this message
* -m (--metadata): URL of metadata document
* -s (--spconfprefix): Prefix used to set SP configuration key
* --ignore-sp: ignore SP maching this entityID (can be specified multiple times)
* --ignore-sp: ignore SP matching this entityID (can be specified multiple times)
* --ignore-idp: ignore IdP matching this entityID (can be specified multiple times)
* -a (--nagios): output statistics in Nagios format
* -n (--dry-run): print statistics but do not apply changes


@ -20,9 +20,9 @@ Second Factors » REST 2nd Factor".
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file *(in static/<skin> directory)*
Arguments
---------


@ -1,30 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
mQGiBEpOEcERBACHzHP7ICtjmsG4YgwlstQw0ubp6154i57BN45siMoovioQ1nP5
kXNR+fZjEW5BRqtJExQoWLdXTFL1gvsdW5V+zx7B7DIlP6H+oz1PFh8hGXUmnqb9
pL1A0WUrhbye6nlzpxt9jhGn6ymbilAi8iIWSrFxC09GONGwBGCLwbbp5wCg/75n
DHecwFtSwEt7o3YV5B6k9WcD/RcPtY3mwa3RfaC+rsGdaqmni/jy6P1OrgmQX59C
Zm813j/JnXYoeV+xIdCs144xPvzrCH+k/czVFBjvcA3xr2F/kuW7Kn8F+u8Ma3lb
EghlG6CdJpCeXwiou5lPfPURIM7n7TDi2zVktRxGUnIa3fyBC9Orar/HbWgDGSYR
1R+vBACEcHOknp09FT8UB2YY/98cG4n5RaiBiUb6Znwd6MrEtdBC0x8PdR6PPrWf
ujUZ1dgUlKUtTN2V7OC8Ql3fls8TlxLY3L2ql6PrjuF5/zhC/1lEl7QzS+tCHAzU
FlDMbb3F5o+EZwxxK3Lrdf+SbmKiYq7gqv79+BJbPiLkQvLfTbQqQ2xlbWVudCBP
VURPVCAoT1cyKSA8Y2xlbS5vdWRvdEBnbWFpbC5jb20+iGAEExECACAFAkpOEcEC
GwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBUixe/gfGOej2rAKD/mzoSicDh
f2fhAEA3t+8qkJlwgACgvLUn30yj81bNjOo84p3NjEzpt6W5Ag0ESk4RwhAIAILk
DF6M5GglCqysxF6gmO4RB24nkJELOmYAfknM0qmZPED3f//wgWFfYC3t2Hsic1HM
9Dq1fQc9ziFfL7Ntt2oCu0YDoT4lrRL7eWwRn+H5sPmBisyfpTohZlObnNDOuGUZ
jWZDP+7bIiNuj32TuR1Gl9q9hygm5rzjg/7d0eQfgMMSJ5D1x8FAcDRIgtF9dfQ0
XLXF1SBuPqp6E7Q92rNxWlryifnGBIcOvVIYgayyxqgLf4+hkCOi47GDVlS+E4FQ
Xc5DVHuhH8JJrMsBAd14m435c1uM9gTYhOtmpgDPocPUr5APSOd/zhV+b/8t+PDm
ySa5qHVmShC/NFziyY8AAwUH/jBiZQ+qOyXaanAgIz2/uiqpJxO1MR+S6m+cazvk
X4nXD9N8rsUYKnXxU6bNX731t6P2StG8kfkV84xkaPBTkssDBfQIFSwYFUuyBr/m
6V8ulebig/6XHp7dVJ96DvQu8HHiLZ8YXeOVImCoEXp5fa8HgyhxVSLbVsAENYOd
IEY7G4Lh/RAyrkRaLSGZuHnwXk3ioNQHCHB4m48q8tmQ2v4U8FJhXhxCmyKPKAru
PPIKQ9kjPzX92NADmZc+n8RxzyBa9fppQ3z0v8mJ9SjoJ3qAO9ks+yQADLiZ8HsN
jNS3Nf35jqQ5bKFF/uAygMLPzhi8iQtcBF1Q+3NDk/DRFfSISQQYEQIACQUCSk4R
wgIbDAAKCRBUixe/gfGOekmNAKC4jduVjzzfeLDyH3Hnkz3G0MIFsACffY2Wv6ef
bH9spStkLDt2jxvJ42Y=
=6pG1
-----END PGP PUBLIC KEY BLOCK-----


@ -144,7 +144,7 @@ To define keys, you can:
.. versionchanged:: 2.0.10
The signature method can now be overriden for a SP or IDP. This will only work
The signature method can now be overridden for a SP or IDP. This will only work
if you are using a certificate for signature instead of a public key.
@ -153,6 +153,9 @@ To define keys, you can:
If you are running a version under 2.0.10, the choice of a signature
algorithm will affect all SP and IDP.
.. _samlservice-convert-certificate:
Converting a RSA public key to a certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


@ -29,6 +29,14 @@ The E-Mail, External and REST 2F modules
parameters.
Self-care on Portal
-------------------
User may register second factors themselves on the Portal by using the 2FA Manager.
The link will be displayed if at least one SFA module is enabled. You can set a
rule to display or not the link.
Registration on first use
-------------------------
@ -38,21 +46,6 @@ If you want to force a 2F registration on first login, you can use the *Force
You can use a `rule<writingrulesand_headers>` to enable this behavior only for
some users.
Second factor expiration
------------------------
You can display a message if an expired second factor has been removed by
enabling *Display a message if an expired SF is removed* option or setting a
rule.
Self-care on Portal
-------------------
User may register second factors themselves on the Portal by using the 2FA Manager.
The link will be displayed if at least one SFA module is enabled. You can set a
rule to display or not the link.
Session upgrade through 2FA
---------------------------
@ -68,6 +61,20 @@ of doing a complete reauthentication.
.. |beta| image:: /documentation/beta.png
Registration timeout
--------------------
Allowed time to register a TOTP.
Second factor expiration
------------------------
You can display a message if an expired second factor has been removed by
enabling *Display a message if an expired SF is removed* option or setting a
rule.
SF name(s) or number of removed SF can be displayed in message BODY by using
`_nameSF_` or `_removedSF_` respectively.
Providing tokens from an external source
----------------------------------------


@ -44,15 +44,15 @@ Handler parameters
SecureToken parameters are the following:
- **Memcached servers**: addresses of Memcached servers, separated with
spaces.
spaces
- **Token expiration**: time in seconds for token expiration (remove
from Memcached server).
- **Attribute to store**: the session key that will be stored in
Memcached.
from Memcached server)
- **Attribute to store**: session key that will be stored in
Memcached
- **Protected URLs**: Regexp of URLs for which the secure token will be
sent, separated by spaces
- **Header name**: name of the HTTP header carrying by the secure
token.
token
- **Allow requests in error**: allow a request that has generated an
error in token generation to be forwarded to the protected
application without secure token (default: yes)


@ -9,13 +9,13 @@ To configure sessions, go in Manager, ``General Parameters`` »
``Sessions``:
- **Store user password in session data**: see
:doc:`password store documentation<passwordstore>`.
- **Display session identifier**: Should the session ID be displayed in the manager's session explorer. The session ID is a sensitive information that should only be shown to highly trusted administrators.
- **Sessions timeout**: Maximum lifetime of a session. Old sessions are
deleted by a cron script.
- **Sessions activity timeout**: Maximum inactivity duration.
- **Sessions update interval**: Minimum interval used to update session
when activity timeout is set.
:doc:`password store documentation<passwordstore>`
- **Display session identifier**: should the session ID be displayed in the manager's session explorer. The session ID is a sensitive information that should only be shown to highly trusted administrators
- **Sessions timeout**: maximum lifetime of a session. Old sessions are
deleted by a cron script
- **Sessions activity timeout**: maximum inactivity duration
- **Sessions update interval**: minimum interval used to update session
when activity timeout is set
.. danger::
@ -56,13 +56,13 @@ To configure sessions, go in Manager, ``General Parameters`` »
disable persistent sessions storage to avoid too many database
tuples.
- **Disable storage**: Do not store user persitent sessions.
- **Disable storage**: do not store user persitent sessions
.. attention::
Note that since HTTP protocol is not connected,
restrictions are not applied to the new session: the oldest are
restrictions are not applied to the new session. The oldest are
destroyed.
Command-line tools


@ -1,6 +1,11 @@
Documentation for LemonLDAP::NG 3.0
===================================
.. image:: logos/logo_llng_600px.png
:alt: LL::NG logo
:align: center
:target: https://www.lemonldap-ng.org
.. toctree::
Documentation index<documentation>
@ -285,12 +290,13 @@ Name Description
:doc:`Grant Sessions<grantsession>` Rules to apply before allowing a user to open a session
:doc:`Impersonation<impersonation>` [11]_\ |new| Allow users to use another identity
:doc:`Find user<finduser>` [12]_\ |new| Search for user account
:doc:`Notifications system<notifications>` DIsplay a message during log in process
:doc:`NewLocationWarning<newlocationwarning>` [13]_\ |beta| Send an email when user sign in from a new location
:doc:`Notifications system<notifications>` Display a message during log in process
:doc:`Portal Status<status>` Experimental portal status page
:doc:`Public pages<public_pages>` Enable public pages system
:doc:`Refresh session API<refreshsessionapi>` [13]_ Plugin that provides an API to refresh a user session
:doc:`Refresh session API<refreshsessionapi>` [14]_ Plugin that provides an API to refresh a user session
:doc:`Reset password by mail<resetpassword>` Send a mail to reset its password
:doc:`Reset certificate by mail<resetcertificate>` [14]_\ |new| Allow users to reset their certificate
:doc:`Reset certificate by mail<resetcertificate>` [15]_\ |new| Allow users to reset their certificate
:doc:`REST services<restservices>` |new| REST server for :doc:`Proxy<authproxy>`
:doc:`SOAP services<soapservices>` |deprecated| SOAP server for :doc:`Proxy<authproxy>`
:doc:`Stay connected<stayconnected>` |new| Enable persistent connection on same browser
@ -308,12 +314,12 @@ Handlers are software control agents to be installed on your web servers
==================================================================== ========== ============================================================= =========================================== ================================================================================== =============================================== ======================================================================================================================
Handler type Apache LLNG FastCGI/uWSGI server (Nginx, or :doc:`SSOaaS<ssoaas>`) `Plack servers <https://plackperl.org>`__ Node.js ( `express apps <http://expressjs.com/>`__\ or :doc:`SSOaaS<ssoaas>`) :doc:`Self protected apps<selfmadeapplication>` Comment
==================================================================== ========== ============================================================= =========================================== ================================================================================== =============================================== ======================================================================================================================
Main *(default handler)* ✔ ✔ ✔ :doc:`Partial<nodehandler>` ** [15]_ ** ✔
Main *(default handler)* ✔ ✔ ✔ :doc:`Partial<nodehandler>` ** [16]_ ** ✔
:doc:`AuthBasic<handlerauthbasic>` ✔ ✔ ✔ ✔ Designed for some server-to-server applications
:doc:`CDA<cda>` ✔ ✔ ✔ ✔ For Cross Domain Authentication
:doc:`DevOps<devopshandler>` (:doc:`SSOaaS<ssoaas>`) |new| ✔ ✔ ✔ ✔ Allows application developers to define their own rules and headers inside their applications
:doc:`DevOpsST<devopssthandler>` (:doc:`SSOaaS<ssoaas>`) |new| ✔ ✔ ✔ ✔ Enables both :doc:`DevOps<devopshandler>` and :doc:`Service Token<servertoserver>`
:doc:`OAuth2<oauth2handler>` [16]_\ |new| ✔ ✔ ✔ ✔ Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services
:doc:`OAuth2<oauth2handler>` [17]_\ |new| ✔ ✔ ✔ ✔ Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services
:doc:`Secure Token<securetoken>` ✔ ✔ ✔ Designed to secure exchanges between a LLNG reverse-proxy and a remote app
:doc:`Service Token<servertoserver>` |new| *(Server-to-Server)* ✔ ✔ ✔ ✔ ✔ Designed to permit underlying requests *(API-Based Infrastructure)*
:doc:`Zimbra PreAuth<applications/zimbra>` ✔ ✔ ✔
@ -598,18 +604,22 @@ by your language code):
2.0.11
.. [13]
:doc:`NewLocationWarning<newlocationwarning>` is available
with LLNG ≥ 2.0.14
.. [14]
:doc:`Refresh session API plugin<refreshsessionapi>` is available
with LLNG ≥ 2.0.7
.. [14]
.. [15]
:doc:`Reset certificate by mail plugin<resetcertificate>` is
available with LLNG ≥ 2.0.7
.. [15]
.. [16]
:doc:`Node.js handler<nodehandler>` has not yet reached the same
level of functionalities
.. [16]
.. [17]
:doc:`OAuth2 Handler<oauth2handler>` is available with LLNG ≥ 2.0.4
.. |image0| image:: /icons/kthememgr.png


@ -12,5 +12,6 @@ Just enable it in the manager (section “plugins”).
- **Parameters**:
- **Activation**: Enable / Disable this plugin
- **Do not check fingerprint**: Enable / Disable browser fingerprint checking
- **Expiration time**: Persistent session connection and cookie timeout
- **Cookie name**: Persistent connection cookie name


@ -8,9 +8,9 @@ We use in this example a public OIDC provider based on LL::NG: `<https://oidctes
Authentication
--------------
The first step is to obtain a valid SSO session on the portal. Several solutions:
* Use a web browser and log into the portal, then get the value of the SSO cookie
* Use portal REST API, and adapt the `requireToken` configuration to get cookie value in JSON response (see :doc:`REST services<restservices>`)
The first step is to obtain a valid SSO session on the portal. The standard solution is to use a web browser and log into the portal, then get the value of the SSO cookie.
In our case, to be able to use only command lines, we will use portal REST API (which requires to adapt the `requireToken` configuration to get cookie value in JSON response (see :doc:`REST services<restservices>`). This should not be what you will on a production service.
Example of REST service usage, with credentials `dwho`/`dwho`:
@ -130,3 +130,68 @@ JSON response:
"preferred_username" : "dwho",
"sub" : "dwho"
}
Introspection
-------------
You can the validity of the access token with the introspection endpoint.
Parameters needed:
* Client ID and Client Secret, used as basic authorization
* Access token, sent as POST data
.. code-block:: shell
curl -u private:tardis -X POST -d 'token=a88b8dde538719e55c3cb8fbd14d06ed77853c685a62abf6ecb88d86228a9c64' 'https://oidctest.wsweet.org/oauth2/introspect' | json_pp
JSON response:
.. code-block:: javascript
{
"active" : true,
"client_id" : "private",
"exp" : 1630684115,
"iss" : "https://oidctest.wsweet.org/",
"scope" : "openid profile email",
"sub" : "dwho"
}
Refresh an access token
-----------------------
If the access token has expired, you can get a new one with the refresh token.
Parameters needed:
* Grant type: we use here `refresh_token`, sent as POST data
* Refresh token, sent as POST data
* Client ID and Client Secret, used as basic authorization
.. code-block:: shell
curl -X POST -d grant_type=refresh_token -d refresh_token=19434440ed4da2803e8ba9d91cb2eabd5b8bd12af2609429bda03ed487e6ef57 -u 'private:tardis' 'https://oidctest.wsweet.org/oauth2/token' | json_pp
JSON response:
.. code-block:: javascript
{
"access_token" : "78929118546b1a11a2e3b607f607d0ccb73d72bbd95c59d0b03ae69ffa17f41a",
"expires_in" : 3600,
"id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6Im9pZGN0ZXN0IiwidHlwIjoiSldUIn0.eyJhdXRoX3RpbWUiOjE2MTQxNjAwMDYsImlhdCI6MTYxNDE2MzIxOCwiaXNzIjoiaHR0cHM6Ly9vaWRjdGVzdC53c3dlZXQub3JnLyIsImF0X2hhc2giOiJIVGswOVNjSjRObEFua3k5SGFFX2VRIiwiYWNyIjoibG9hLTIiLCJleHAiOjE2MTQxNjY4MTgsInN1YiI6ImR3aG8iLCJhenAiOiJwcml2YXRlIiwiYXVkIjpbInByaXZhdGUiXX0.N3TNufjKLzKM3qiIitA7JHUei4L572XjF6AcVl7UAFB6efdGUCiAL7amlUl0FgjZfzW9bzvulBVDidoYSicIaysIdI4KkjmjpVN0Z3gOSu0ecuk5p8fD1KbX6-tmA3txeR18nzfhdckq-S-6Lx7wrWpPNyrzGx-FImbOaUPN2yeVhKPXhdyHJbzI0RqJETxnBkyW-CLEzAJyq3rCUVX-D8kHADvg6a42QQyPdxvBuGrdBfyDDDb_Py13H1qhn40NnuFknR1wSahsY6U97uUooyk-0_U4J3XJAHySjCtivtSeP0fM_5eblMuh6WdVjrfnUF0xnCTbCa2gYRlTS38BkqcsWY26PXoRAOo31a1cmB5sMSZyPtRF9UZcmGiNBIymMMdFgVAJONb6uliiTS5j9-nkmHOqVC-XJ6tuiU3ZSBQ8nCRyNW2LaCzpJ5c3ytP9yYQtyT8HmhN0VnXob3K1uJEA_Xcu4sADjtrm-LbrGiwaVMkfu-C6YIrbuC9riOW6TneV2gAzAjXPOW_UZeXrCrx66GHIJPsJIq29UfbTN5Pxo9SH2yKw6PSfxevkZhBIhEXCOMaIUHrlWz2jDBBzPIWeiSRbK_MRtejQmdRUs8nqdq-McVwnFiUMDt1KZXxqScTtMDF_Lo9oK2RaCijEJ7MSPEscr_YOyp3KIq2FLVg",
"token_type" : "Bearer"
}
Logout
------
To kill SSO session, call the OIDC logout endpoint. By default a confirmation is requested, but you can bypass it by adding `confirm=1` to URL.
Parameters needed:
* SSO session id (will be passed in `lemonldap` cookie)
.. code-block:: shell
curl -s -D - -o /dev/null -b lemonldap=0640f95827111f00ba7ad5863ba819fe46cfbcecdb18ce525836369fb4c8350b 'https://oidctest.wsweet.org/oauth2/logout?confirm=1'
The session is deleted on server side and the cookie is destroyed in the browser. You can use the introspection endpoint to verify that the access token is no longer valid.


@ -43,24 +43,23 @@ In the manager (advanced parameters), you just have to enable it:
- **Activation**: set it to "on"
- **Self registration**: set it to "on" if users are authorized to
generate themselves a TOTP secret
- **Allow users to remove TOTP**: If enabled, users can unregister
TOTP
- **Issuer name** (Optional): default to portal hostname
- **Interval**: interval for TOTP algorithm (default: 30)
- **Range of attempts**: number of additional intervals to test (default: 1)
- **Number of digits**: number of digit by codes (default: 6)
- **Authentication level**: you can overwrite here auth level for TOTP
registered users. Leave it blank keeps auth level provided by first
authentication module *(default: 2 for user/password based modules)*.
**It is recommended to set an higher value here if you want to give
access to some apps only to users enrolled**
- **Issuer**: default to portal hostname
- **Interval**: interval for TOTP algorithm (default: 30)
- **Range**: number of additional intervals to test (default: 1)
- **Digits**: number of digit by codes (default: 6)
- **Allow users to remove TOTP**: If enabled, users can unregister
TOTP.
- **Lifetime**: Unlimited by default. Set a Time To Live in seconds.
TTL is checked at each login process if set. If TTL is expired,
relative TOTP is removed.
- **Logo** (Optional): logo file *(in static/<skin> directory)*
access to some apps only for enrolled users**
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Lifetime** (Optional): Unlimited by default. Set a Time To Live in seconds.
TTL is checked at each login process if set. If TTL is expired,
relative TOTP is removed.
.. attention::

@ -43,20 +43,19 @@ In the manager (second factors), you just have to enable it:
- **Activation**: set it to "on"
- **Self registration**: set it to "on" if users are authorized to
register their keys
- **Allow users to remove U2F key**: If enabled, users can unregister
enrolled U2F device
- **Authentication level**: you can overwrite here auth level for U2F
registered users. Leave it blank keeps auth level provided by first
authentication module *(default: 2 for user/password based modules)*.
**It is recommended to set an higher value here if you want to give
access to some apps only for enrolled users**
- **Allow users to remove U2F key**: If enabled, users can unregister
enrolled U2F device.
- **Lifetime**: Unlimited by default. Set a Time To Live in seconds.
TTL is checked at each login process if set. If TTL is expired,
relative 2F device is removed.
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Lifetime** (Optional): Unlimited by default. Set a Time To Live in seconds.
TTL is checked at each login process if set. If TTL is expired,
relative 2F device is removed.
.. attention::

@ -26,6 +26,90 @@ Known regressions in the latest released version
None
2.0.14
------
LemonLDAP::NG version is returned by the CheckState plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you use the `/checkstate` URL to monitor LemonLDAP::NG, you may notice a slight change in the output format:
*2.0.13* :
```
{"result":1}
```
*2.0.14* :
```
{"result":1,"version":"2.0.14"}
```
Depending on your load balancer or monitoring configuration, this can cause false negatives.
This plugin is disabled by default, and you may use a shared secret to hide this information to regular users and bots, please check the :doc:`checkstate` documentation for more information.
Empty scopes now rejected in OAuth2.0 grants
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Previously, it was possible to be granted an empty scope, or an automatic
``openid`` scope when doing :ref:`OAuth2.0 Password Grant
<resource-owner-password-grant>` or :ref:`Client Credentials Grant
<client-credentials-grant>`.
Starting with *2.0.14*, empty scopes are no longer allowed (:rfc:`6749#section-3.3`).
You need to either add a `scope` parameter to your request, or define a default
scope in your Relying Party's :ref:`Scope Rules <oidcscoperules>`.
Portal templates changes
~~~~~~~~~~~~~~~~~~~~~~~~
If you defined the "Register page URL" or the password "Reset page URL" to an external application, you need to fix the ``standardform.tpl`` template by applying the following patch:
.. code:: diff
diff --git a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
index 3a6256e59..d5192f0ce 100644
--- a/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
+++ b/lemonldap-ng-portal/site/templates/bootstrap/standardform.tpl
@@ -48,14 +48,14 @@
<div class="actions">
<TMPL_IF NAME="DISPLAY_RESETPASSWORD">
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAIL_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAIL_URL"><TMPL_UNLESS NAME="MAIL_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
<span class="fa fa-info-circle"></span>
<span trspan="resetPwd">Reset my password</span>
</a>
</TMPL_IF>
<TMPL_IF NAME="DISPLAY_UPDATECERTIF">
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAILCERTIF_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="MAILCERTIF_URL"><TMPL_UNLESS NAME="MAILCERTIF_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
<span class="fa fa-refresh"></span>
<span trspan="certificateReset">Reset my certificate</span>
</a>
@@ -69,7 +69,7 @@
</TMPL_IF>
<TMPL_IF NAME="DISPLAY_REGISTER">
- <a class="btn btn-secondary" href="<TMPL_VAR NAME="REGISTER_URL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF>">
+ <a class="btn btn-secondary" href="<TMPL_VAR NAME="REGISTER_URL"><TMPL_UNLESS NAME="REGISTER_URL_EXTERNAL">?skin=<TMPL_VAR NAME="SKIN"><TMPL_IF NAME="key">&<TMPL_VAR NAME="CHOICE_PARAM">=<TMPL_VAR NAME="key"></TMPL_IF><TMPL_IF NAME="AUTH_URL">&url=<TMPL_VAR NAME="AUTH_URL"></TMPL_IF></TMPL_UNLESS>">
<span class="fa fa-plus-circle"></span>
<span trspan="createAccount">Create an account</span>
</a>
2.0.13
------
Portal templates changes
~~~~~~~~~~~~~~~~~~~~~~~~
Some ``autocomplete`` attributes have been added to improve accessibility in the following files: ``checkdevops.tpl``, ``checkuser.tpl``, ``register.tpl``, ``ext2fcheck.tpl``, ``totp2fcheck.tpl``, ``utotp2fcheck.tpl``.
2.0.12
------
@ -357,7 +441,7 @@ Please note that it is HIGHLY recommended to set certificate validation to `requ
- OAuth2.0 Handler: a VHost protected by the OAuth2.0 handler will now
return a 401 when called without an Access Token, instead of
redirecting to the portal, as specified by
`RFC6750 <https://tools.ietf.org/html/rfc6750>`__
:rfc:`6750#section-3`.
- If you encounter the following issue:

@ -21,9 +21,9 @@ In the manager (second factors), you just have to enable it:
authentication module (By default: 2 for user/password based
modules). It is recommended to set an higher value here if you want
to give access to apps just for enrolled users.
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file *(in static/<skin> directory)*
.. tip::

@ -58,10 +58,9 @@ For example:
Introspection
~~~~~~~~~~~~~
Introspection endpoint is defined in `RFC
7662 <https://tools.ietf.org/html/rfc7662>`__. It requires an
authentication (same as the authentication for the token endpoint) and
takes to access token as parameter.
Introspection endpoint is defined in :rfc:`7662`. It requires an authentication
(same as the authentication for the token endpoint) and takes to access token
as parameter.
For example:

@ -23,27 +23,27 @@ In the manager (second factors), you just have to enable it:
- **Activation**: set it to "on"
- **Self registration**: set it to "on" if users are authorized to
register their keys
- **Allow users to remove Yubikey**: If enabled, users can unregister
Yubikey device.
- **API client ID**: given by Yubico or another service
- **API secret key**: given by Yubico or another service
- **Nonce** (optional): if any
- **Service URL**: service URL (leave it blank to use Yubico cloud services)
- **OTP public ID part size**: leave it to default (12) unless you know
what you are doing
- **Get Yubikey ID from session attribute**: if non-empty, the Yubikey ID will
be read from this session attribute. This allows external provisionning of Yubikeys.
- **Authentication level**: you can overwrite here auth level for
Yubikey registered users. Leave it blank keeps auth level provided by
first authentication module *(default: 2 for user/password based
modules)*. **It is recommended to set an higher value here if you
want to give access to some apps only to enrolled users**
- **Client ID**: given by Yubico or another service
- **API secret key**: given by Yubico or another service
- **Nonce (optional)**: if any
- **URL**: Url of service (leave blank to use Yubico cloud services)
- **OTP public ID part size**: leave it to default (12) unless you know
what you are doing
- **Allow users to remove Yubikey**: If enabled, users can unregister
Yubikey device.
- **Get Yubikey ID from session attribute**: If non-empty, the Yubikey ID will
be read from this session attribute. This allows external provisionning of Yubikeys.
- **Lifetime**: Unlimited by default. Set a Time To Live in seconds.
TTL is checked at each login process if set. If TTL is expired,
relative Yubikey is removed.
- **Logo** (Optional): logo file *(in static/<skin> directory)*
want to give access to some apps only for enrolled users**
- **Label** (Optional): label that should be displayed to the user on
the choice screen
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Lifetime** (Optional): Unlimited by default. Set a Time To Live in seconds.
TTL is checked at each login process if set. If TTL is expired,
relative Yubikey is removed.
.. attention::

@ -16,7 +16,7 @@ ldapBindPassword = admin
checkXSS = 0
portalSkin = bootstrap
staticPrefix = /static
languages = fr, en, vi, it, ar, tr
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW, pt_BR, he
templateDir = __pwd__/lemonldap-ng-portal/site/templates
portalStatus = 1
;totp2fActivation = 1

@ -13,7 +13,7 @@ dbiChain = dbi:SQLite:dbname=__pwd__/e2e-tests/conf/config.db
checkXSS = 0
portalSkin = bootstrap
staticPrefix = /static
languages = fr, en, vi, it, ar, tr
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW, pt_BR, he
templateDir = __pwd__/lemonldap-ng-portal/site/templates
portalStatus = 1
;totp2fActivation = 1

@ -22,7 +22,7 @@ dirName=__pwd__/e2e-tests/conf
checkXSS = 1
portalSkin = bootstrap
staticPrefix = /static
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW
languages = fr, en, vi, it, ar, de, zh, nl, es, pt, ro, tr, zh_TW, pt_BR, he
templateDir = __pwd__/lemonldap-ng-portal/site/templates
portalStatus = 1
totp2fActivation = 1

@ -143,6 +143,7 @@
"locationRules": {
"auth.example.com" : {
"(?#checkUser)^/checkuser": "$uid eq \"dwho\"",
"(?#checkDevOps)^/checkdevops": "$uid eq \"dwho\"",
"(?#errors)^/lmerror/": "accept",
"default" : "accept"
},

@ -231,7 +231,7 @@ Use \s-1OW2\s0 system to report bug or ask for features:
.SH "DOWNLOAD"
.IX Header "DOWNLOAD"
Lemonldap::NG is available at
<http://forge.objectweb.org/project/showfiles.php?group_id=274>
<https://lemonldap-ng.org/download>
.SH "COPYRIGHT AND LICENSE"
.IX Header "COPYRIGHT AND LICENSE"
.IP "Copyright (C) 2008\-2016 by Xavier Guimard, <x.guimard@free.fr>" 4

@ -290,7 +290,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
L<https://lemonldap-ng.org/download>
=head1 COPYRIGHT AND LICENSE

@ -35,7 +35,7 @@
},
"runtime" : {
"recommends" : {
"Apache::Session::Browseable" : "0",
"Apache::Session::Browseable" : "v1.3.9",
"Convert::Base32" : "0",
"Cookie::Baker::XS" : "0",
"Crypt::URandom" : "0",

@ -21,7 +21,7 @@ no_index:
- t
- inc
recommends:
Apache::Session::Browseable: '0'
Apache::Session::Browseable: v1.3.9
Convert::Base32: '0'
Cookie::Baker::XS: '0'
Crypt::URandom: '0'

@ -43,7 +43,7 @@ WriteMakefile(
},
META_MERGE => {
'recommends' => {
'Apache::Session::Browseable' => 0,
'Apache::Session::Browseable' => '1.3.9',
'Convert::Base32' => 0,
'Cookie::Baker::XS' => 0,
'Crypt::URandom' => 0,
@ -106,5 +106,6 @@ WriteMakefile(
'scripts/convertSessions' => 'blib/man1/convertSessions.1p',
'scripts/lemonldap-ng-cli' => 'blib/man1/lemonldap-ng-cli.1p',
'scripts/lemonldap-ng-sessions' => 'blib/man1/lemonldap-ng-sessions.1p',
'scripts/importMetadata' => 'blib/man1/importMetadata.1p',
},
);

@ -196,7 +196,7 @@ staticPrefix = __PORTALSTATICDIR__
templateDir = __PORTALTEMPLATESDIR__
; languages: available languages for portal interface
languages = en, fr, vi, it, ar, de, fi, tr, pl, zh_TW, es
languages = en, fr, vi, it, ar, de, fi, tr, pl, zh_TW, es, pt_BR, he
; II - Optional parameters (overwrite configuration)

@ -38,7 +38,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
L<https://lemonldap-ng.org/download>
=head1 COPYRIGHT AND LICENSE

@ -397,7 +397,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
L<https://lemonldap-ng.org/download>
=head1 COPYRIGHT AND LICENSE

@ -418,7 +418,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
L<https://lemonldap-ng.org/download>
=head1 COPYRIGHT AND LICENSE

@ -95,7 +95,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
L<https://lemonldap-ng.org/download>
=head1 COPYRIGHT AND LICENSE

@ -107,6 +107,7 @@ sub new {
$self->{localStorage}->new( $self->{localStorageOptions} );
}
}
return $self;
}
@ -119,7 +120,6 @@ sub saveConf {
my ( $self, $conf, %args ) = @_;
my $last = $self->lastCfg;
return UNKNOWN_ERROR if $last < 1;
# If configuration was modified, return an error
if ( not $args{force} ) {
@ -190,6 +190,7 @@ sub getConf {
eval { $r = $self->{refLocalStorage}->get('conf') }
if ( $> and not $args->{noCache} );
$msg .= "Warn: $@" if ($@);
if ( ref($r)
and $r->{cfgNum}
and $args->{cfgNum}
@ -241,7 +242,11 @@ sub getConf {
return $res;
}
# Set default values
## @method hashRef setDefault(hashRef conf, hashRef localPrm)
# Set default params
# @param $conf Lemonldap::NG configuration hashRef
# @param $localPrm Local parameters
# @return conf
sub setDefault {
my ( $self, $conf, $localPrm ) = @_;
if ( defined $localPrm ) {
@ -415,7 +420,7 @@ sub _launch {
alarm 0;
die $@ if $@;
};
if($@) {
if ($@) {
$msg .= $@;
print STDERR "MSG $msg\n";
return undef;
@ -601,7 +606,7 @@ L<https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues>
=head1 DOWNLOAD
Lemonldap::NG is available at
L<http://forge.objectweb.org/project/showfiles.php?group_id=274>
L<https://lemonldap-ng.org/download>
=head1 COPYRIGHT AND LICENSE

@ -31,7 +31,7 @@ use constant DEFAULTCONFBACKENDOPTIONS => (
);
our $hashParameters = qr/^(?:(?:l(?:o(?:ca(?:lSessionStorageOption|tionRule)|goutService)|dapExportedVar|wp(?:Ssl)?Opt)|(?:(?:d(?:emo|bi)|webID)ExportedVa|exported(?:Heade|Va)|issuerDBGetParamete)r|f(?:indUser(?:Exclud|Search)ingAttribute|acebookExportedVar)|re(?:moteGlobalStorageOption|st2f(?:Verify|Init)Arg|loadUrl)|g(?:r(?:antSessionRule|oup)|lobalStorageOption)|n(?:otificationStorageOption|ginxCustomHandler)|macro)s|o(?:idc(?:S(?:ervice(?:DynamicRegistrationEx(?:portedVar|traClaim)s|MetaDataAuthnContext)|torageOptions)|RPMetaData(?:(?:Option(?:sExtraClaim)?|ExportedVar|ScopeRule|Macro)s|Node)|OPMetaData(?:(?:ExportedVar|Option)s|J(?:SON|WKS)|Node))|penIdExportedVars)|c(?:as(?:A(?:ppMetaData(?:(?:ExportedVar|Option|Macro)s|Node)|ttributes)|S(?:rvMetaData(?:(?:ExportedVar|Option)s|Node)|torageOptions))|(?:ustom(?:Plugins|Add)Param|heckUserHiddenHeader|ombModule)s)|s(?:aml(?:S(?:PMetaData(?:(?:ExportedAttribute|Option|Macro)s|Node|XML)|torageOptions)|IDPMetaData(?:(?:ExportedAttribute|Option)s|Node|XML))|essionDataToRemember|laveExportedVars|fExtra)|a(?:(?:daptativeAuthenticationLevelR|ut(?:hChoiceMod|oSigninR))ules|pplicationList)|p(?:ersistentStorageOptions|o(?:rtalSkinRules|st))|v(?:hostOptions|irtualHost)|S(?:MTPTLSOpts|SLVarIf))$/;
our $arrayParameters = qr/^mySessionAuthorizedRWKeys$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|t(?:ayConnecte|orePasswor)d|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxyUseSoap)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|heck(?:DevOps(?:Download)?|State|User|XSS)|rowdsec|da)|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|no(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forb
idden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|to(?:tp2fUserCanRemoveKey|kenUseGlobalStorage)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|(?:wsdlServ|findUs)er)$/;
our $boolKeys = qr/^(?:s(?:aml(?:IDP(?:MetaDataOptions(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|IsPassiv)e|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Force(?:Authn|UTF8)|StoreSAMLToken|RelayStateURL)|SSODescriptorWantAuthnRequestsSigned)|S(?:P(?:MetaDataOptions(?:(?:CheckS[LS]OMessageSignatur|OneTimeUs)e|EnableIDPInitiatedURL|ForceUTF8)|SSODescriptor(?:WantAssertion|AuthnRequest)sSigned)|erviceUseCertificateInResponse)|DiscoveryProtocol(?:Activation|IsPassive)|CommonDomainCookieActivation|UseQueryStringSpecific|MetadataForceUTF8)|t(?:ayConnected(?:BypassFG)?|orePassword)|f(?:RemovedUseNotif|OnlyUpgrade)|kip(?:Upgrade|Renew)Confirmation|oap(?:Session|Config)Server|laveDisplayLogo|howLanguages|slByAjax)|o(?:idc(?:RPMetaDataOptions(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Claims|JWT))|Re(?:freshToken|quirePKCE)|LogoutSessionRequired|IDTokenForceClaims|BypassConsent|Public)|ServiceAllow(?:(?:AuthorizationCode|Implicit|Hybrid)Flow|DynamicRegistration|OnlyDeclaredScopes)|OPMetaDataOptions(?:(?:CheckJWTSignatur|UseNonc)e|StoreIDToken))|ldNotifFormat)|c(?:a(?:sS(?:rvMetaDataOptions(?:Gateway|Renew)|trictMatching)|ptcha_(?:register|login|mail)_enabled)|heck(?:DevOps(?:D(?:isplayNormalizedHeaders|ownload)|CheckSessionAttributes)?|State|User|XSS)|o(?:ntextSwitching(?:Allowed2fModifications|StopWithLogout)|mpactConf|rsEnabled)|rowdsec|da)|p(?:ortal(?:Display(?:Re(?:freshMyRights|setPassword|gister)|CertificateResetByMail|GeneratePassword|PasswordPolicy)|E(?:rrorOn(?:ExpiredSession|MailNotFound)|nablePasswordDisplay)|(?:CheckLogin|Statu)s|OpenLinkInNewWindow|ForceAuthn|AntiFrame)|roxy(?:AuthServiceImpersonation|UseSoap))|l(?:dap(?:(?:G(?:roup(?:DecodeSearchedValu|Recursiv)|etUserBeforePasswordChang)|UsePasswordResetAttribut)e|(?:AllowResetExpired|Set)Password|ChangePasswordAsUser|PpolicyControl|ITDS)|oginHistoryEnabled)|n(?:o(?:tif(?:ication(?:Server(?:(?:POS|GE)T|DELETE)?|sExplorer)?|y(?:Deleted|Other))|AjaxHook)|ewLocationWarni
ng)|i(?:ssuerDB(?:OpenID(?:Connect)?|SAML|CAS|Get)Activation|mpersonationSkipEmptyValues)|u(?:se(?:RedirectOn(?:Forbidden|Error)|SafeJail)|2fUserCanRemoveKey|pgradeSession)|re(?:st(?:(?:Password|Session|Config|Auth)Server|ExportSecretKeys)|freshSessions)|br(?:uteForceProtection(?:IncrementalTempo)?|owsersDontStorePassword)|d(?:is(?:ablePersistentStorage|playSessionId)|biDynamicHashEnabled)|(?:mai(?:lOnPasswordChang|ntenanc)|vhostMaintenanc)e|to(?:tp2fUserCanRemoveKey|kenUseGlobalStorage)|g(?:roupsBeforeMacros|lobalLogoutTimer)|a(?:voidAssignment|ctiveTimer)|h(?:ideOldPassword|ttpOnly)|yubikey2fUserCanRemoveKey|krb(?:RemoveDomain|ByJs)|(?:wsdlServ|findUs)er)$/;
our @sessionTypes = ( 'remoteGlobal', 'global', 'localSession', 'persistent', 'saml', 'oidc', 'cas' );

@ -18,37 +18,41 @@ sub defaultValues {
'authChoiceParam' => 'lmAuth',
'authentication' => 'Demo',
'available2F' => 'UTOTP,TOTP,U2F,REST,Mail2F,Ext2F,Yubikey,Radius',
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
'bruteForceProtectionLockTimes' => '15, 30, 60, 300, 600',
'bruteForceProtectionMaxAge' => 300,
'bruteForceProtectionMaxFailed' => 3,
'bruteForceProtectionMaxLockTime' => 900,
'bruteForceProtectionTempo' => 30,
'captcha_mail_enabled' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'certificateResetByMailCeaAttribute' => 'description',
'available2FSelfRegistration' => 'TOTP,U2F,Yubikey',
'bruteForceProtectionLockTimes' => '15, 30, 60, 300, 600',
'bruteForceProtectionMaxAge' => 300,
'bruteForceProtectionMaxFailed' => 3,
'bruteForceProtectionMaxLockTime' => 900,
'bruteForceProtectionTempo' => 30,
'captcha_mail_enabled' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'certificateResetByMailCeaAttribute' => 'description',
'certificateResetByMailCertificateAttribute' =>
'userCertificate;binary',
'certificateResetByMailURL' =>
'http://auth.example.com/certificateReset',
'certificateResetByMailValidityDelay' => 0,
'checkDevOpsCheckSessionAttributes' => 1,
'checkDevOpsDisplayNormalizedHeaders' => 1,
'checkDevOpsDownload' => 1,
'checkTime' => 600,
'checkUserDisplayComputedSession' => 1,
'checkUserDisplayEmptyHeaders' => 0,
'checkUserDisplayEmptyValues' => 0,
'checkUserDisplayHiddenAttributes' => 0,
'checkUserDisplayHistory' => 0,
'checkUserDisplayNormalizedHeaders' => 0,
'checkUserDisplayPersistentInfo' => 0,
'checkUserHiddenAttributes' => '_loginHistory _session_id hGroups',
'checkUserIdRule' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'contextSwitchingIdRule' => 1,
'contextSwitchingPrefix' => 'switching',
'contextSwitchingRule' => 0,
'checkUserHiddenAttributes' => '_loginHistory, _session_id, hGroups',
'checkUserIdRule' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'contextSwitchingIdRule' => 1,
'contextSwitchingPrefix' => 'switching',
'contextSwitchingRule' => 0,
'contextSwitchingStopWithLogout' => 1,
'cookieName' => 'lemonldap',
'corsAllow_Credentials' => 'true',
@ -97,7 +101,7 @@ sub defaultValues {
'globalLogoutTimer' => 1,
'globalStorage' => 'Apache::Session::File',
'globalStorageOptions' => {
'Directory' => '/var/lib/lemonldap-ng/sessions/',
'Directory' => '/var/lib/lemonldap-ng/sessions/',
'generateModule' =>
'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/'
@ -108,10 +112,10 @@ sub defaultValues {
'groups' => {},
'handlerInternalCache' => 15,
'handlerServiceTokenTTL' => 30,
'hiddenAttributes' => '_password _2fDevices',
'hiddenAttributes' => '_password, _2fDevices',
'httpOnly' => 1,
'https' => -1,
'impersonationHiddenAttributes' => '_2fDevices _loginHistory',
'impersonationHiddenAttributes' => '_2fDevices, _loginHistory',
'impersonationIdRule' => 1,
'impersonationMergeSSOgroups' => 0,
'impersonationPrefix' => 'real_',
@ -170,25 +174,28 @@ sub defaultValues {
'locationRules' => {
'default' => 'deny'
},
'logoutServices' => {},
'macros' => {},
'mail2fActivation' => 0,
'mail2fCodeRegex' => '\\d{6}',
'mailCharset' => 'utf-8',
'mailFrom' => 'noreply@example.com',
'mailSessionKey' => 'mail',
'mailTimeout' => 0,
'mailUrl' => 'http://auth.example.com/resetpwd',
'managerDn' => '',
'managerPassword' => '',
'max2FDevices' => 10,
'max2FDevicesNameLength' => 20,
'multiValuesSeparator' => '; ',
'logoutServices' => {},
'macros' => {},
'mail2fActivation' => 0,
'mail2fCodeRegex' => '\\d{6}',
'mailCharset' => 'utf-8',
'mailFrom' => 'noreply@example.com',
'mailSessionKey' => 'mail',
'mailTimeout' => 0,
'mailUrl' => 'http://auth.example.com/resetpwd',
'managerDn' => '',
'managerPassword' => '',
'max2FDevices' => 10,
'max2FDevicesNameLength' => 20,
'multiValuesSeparator' => '; ',
'mySessionAuthorizedRWKeys' =>
[ '_appsListOrder', '_oidcConnectedRP', '_oidcConsents' ],
'notificationDefaultCond' => '',
'notificationServerPOST' => 1,
'notificationServerSentAttributes' =>
'newLocationWarningLocationAttribute' => 'ipAddr',
'newLocationWarningLocationDisplayAttribute' => '',
'newLocationWarningMaxValues' => '0',
'notificationDefaultCond' => '',
'notificationServerPOST' => 1,
'notificationServerSentAttributes' =>
'uid reference date title subtitle text check',
'notificationsMaxRetrieve' => 3,
'notificationStorage' => 'File',
@ -242,7 +249,7 @@ sub defaultValues {
'passwordPolicyMinUpper' => 0,
'passwordPolicySpecialChar' => '__ALL__',
'passwordResetAllowedRetries' => 3,
'persistentSessionAttributes' =>
'persistentSessionAttributes' =>
'_loginHistory _2fDevices notification_',
'port' => -1,
'portal' => 'http://auth.example.com/',
@ -254,7 +261,7 @@ sub defaultValues {
'portalDisplayGeneratePassword' => 1,
'portalDisplayLoginHistory' => 1,
'portalDisplayLogout' => 1,
'portalDisplayOidcConsents' =>
'portalDisplayOidcConsents' =>
'$_oidcConsents && $_oidcConsents =~ /\\w+/',
'portalDisplayRefreshMyRights' => 1,
'portalDisplayRegister' => 1,
@ -266,6 +273,7 @@ sub defaultValues {
'portalSkin' => 'bootstrap',
'portalUserAttr' => '_user',
'proxyAuthnLevel' => 2,
'proxyAuthServiceChoiceParam' => 'lmAuth',
'radius2fActivation' => 0,
'radius2fTimeout' => 20,
'radiusAuthnLevel' => 3,
@ -281,11 +289,11 @@ sub defaultValues {
'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
'proxy' => 'http://auth.example.com/sessions'
},
'requireToken' => 1,
'rest2fActivation' => 0,
'restAuthnLevel' => 2,
'restClockTolerance' => 15,
'sameSite' => '',
'requireToken' => 1,
'rest2fActivation' => 0,
'restAuthnLevel' => 2,
'restClockTolerance' => 15,
'sameSite' => '',
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4,
@ -322,10 +330,10 @@ sub defaultValues {
'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
'0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
'samlSPSSODescriptorAssertionConsumerServiceHTTPPost' =>
'0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
'samlSPSSODescriptorAuthnRequestsSigned' => 1,
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
'samlSPSSODescriptorAuthnRequestsSigned' => 1,
'samlSPSSODescriptorSingleLogoutServiceHTTPPost' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
'samlSPSSODescriptorSingleLogoutServiceHTTPRedirect' =>
@ -337,7 +345,7 @@ sub defaultValues {
'sfEngine' => '::2F::Engines::Default',
'sfManagerRule' => 1,
'sfRemovedMsgRule' => 0,
'sfRemovedNotifMsg' =>
'sfRemovedNotifMsg' =>
'_removedSF_ expired second factor(s) has/have been removed (_nameSF_)!',
'sfRemovedNotifRef' => 'RemoveSF',
'sfRemovedNotifTitle' => 'Second factor notification',
@ -377,12 +385,12 @@ sub defaultValues {
'useRedirectOnError' => 1,
'useSafeJail' => 1,
'utotp2fActivation' => 0,
'viewerHiddenKeys' => 'samlIDPMetaDataNodes samlSPMetaDataNodes',
'webIDAuthnLevel' => 1,
'webIDExportedVars' => {},
'whatToTrace' => 'uid',
'yubikey2fActivation' => 0,
'yubikey2fPublicIDSize' => 12,
'viewerHiddenKeys' => 'samlIDPMetaDataNodes, samlSPMetaDataNodes',
'webIDAuthnLevel' => 1,
'webIDExportedVars' => {},
'whatToTrace' => 'uid',
'yubikey2fActivation' => 0,
'yubikey2fPublicIDSize' => 12,
'yubikey2fSelfRegistration' => 0,
'yubikey2fUserCanRemoveKey' => 1
};
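Review bot: The defaults for `hiddenAttributes`, `checkUserHiddenAttributes`, `impersonationHiddenAttributes` and `viewerHiddenKeys` switch from space-separated to comma-separated lists (`'_password, _2fDevices'`), while `persistentSessionAttributes` (`'_loginHistory _2fDevices notification_'`) and `notificationServerSentAttributes` on the same page keep the space-separated form. Any consumer of these keys that still splits only on whitespace would obtain the element `_password,` instead of `_password`, so the password attribute would silently stop being hidden rather than produce an error. Please confirm that every reader of these four keys splits on `/[,\s]+/` (or equivalent) and that existing configurations carrying the old space-separated values remain accepted, and consider a one-line comment above `hiddenAttributes` stating the accepted separators. I cannot see the consumers from this diff, so this is a check to run rather than a confirmed defect; if this file is produced from the Manager build tree, the comment and any fix belong to the generator rather than here.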

@ -16,7 +16,7 @@ our $specialNodeHash = {
samlIDPMetaDataNodes => [qw(samlIDPMetaDataXML samlIDPMetaDataExportedAttributes samlIDPMetaDataOptions)],
samlSPMetaDataNodes => [qw(samlSPMetaDataXML samlSPMetaDataExportedAttributes samlSPMetaDataOptions samlSPMetaDataMacros)],
oidcOPMetaDataNodes => [qw(oidcOPMetaDataJSON oidcOPMetaDataJWKS oidcOPMetaDataOptions oidcOPMetaDataExportedVars)],
oidcRPMetaDataNodes => [qw(oidcRPMetaDataOptions oidcRPMetaDataExportedVars oidcRPMetaDataOptionsExtraClaims oidcRPMetaDataMacros)],
oidcRPMetaDataNodes => [qw(oidcRPMetaDataOptions oidcRPMetaDataExportedVars oidcRPMetaDataOptionsExtraClaims oidcRPMetaDataMacros oidcRPMetaDataScopeRules)],
casSrvMetaDataNodes => [qw(casSrvMetaDataOptions casSrvMetaDataExportedVars)],
casAppMetaDataNodes => [qw(casAppMetaDataOptions casAppMetaDataExportedVars casAppMetaDataMacros)],
};
@ -30,7 +30,7 @@ our $oidcOPMetaDataNodeKeys = 'oidcOPMetaData(?:Options(?:C(?:lient(?:Secret|ID)
our $oidcRPMetaDataNodeKeys = 'oidcRPMetaData(?:Options(?:A(?:llow(?:(?:ClientCredentials|Password)Grant|Offline)|ccessToken(?:Expiration|SignAlg|Claims|JWT)|uth(?:orizationCodeExpiration|nLevel)|dditionalAudiences)|I(?:DToken(?:ForceClaims|Expiration|SignAlg)|con)|R(?:e(?:directUris|freshToken|quirePKCE)|ule)|Logout(?:SessionRequired|Type|Url)|P(?:ostLogoutRedirectUris|ublic)|UserI(?:nfoSignAlg|DAttr)|OfflineSessionExpiration|Client(?:Secret|ID)|BypassConsent|DisplayName|ExtraClaims)|(?:ExportedVar|ScopeRule|Macro)s)';
our $samlIDPMetaDataNodeKeys = 'samlIDPMetaData(?:Options(?:(?:Check(?:S[LS]OMessageSignatur|Audienc|Tim)|EncryptionMod|UserAttribut|DisplayNam)e|S(?:ign(?:S[LS]OMessage|atureMethod)|toreSAMLToken|[LS]OBinding|ortNumber)|A(?:llow(?:LoginFromIDP|ProxiedAuthn)|daptSessionUtime)|Re(?:questedAuthnContext|solutionRule|layStateURL)|Force(?:Authn|UTF8)|I(?:sPassive|con)|NameIDFormat)|ExportedAttributes|XML)';
our $samlSPMetaDataNodeKeys = 'samlSPMetaData(?:Options(?:S(?:ign(?:S[LS]OMessage|atureMethod)|essionNotOnOrAfterTimeout)|N(?:ameID(?:SessionKey|Format)|otOnOrAfterTimeout)|(?:CheckS[LS]OMessageSignatur|OneTimeUs|Rul)e|En(?:ableIDPInitiatedURL|cryptionMode)|AuthnLevel|ForceUTF8)|(?:ExportedAttribute|Macro)s|XML)';
our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|Https|Port)|(?:exportedHeader|locationRule)s|post)';
our $virtualHostKeys = '(?:vhost(?:A(?:ccessToTrace|uthnLevel|liases)|(?:Maintenanc|Typ)e|ServiceTokenTTL|DevOpsRulesUrl|Https|Port)|(?:exportedHeader|locationRule)s|post)';
our $authParameters = {
adParams => [qw(ADPwdMaxAge ADPwdExpireWarning)],
@ -51,7 +51,7 @@ our $authParameters = {
oidcParams => [qw(oidcAuthnLevel oidcRPCallbackGetParam oidcRPStateTimeout)],
openidParams => [qw(openIdAuthnLevel openIdExportedVars openIdSecret openIdIDPList)],
pamParams => [qw(pamAuthnLevel pamService)],
proxyParams => [qw(proxyAuthnLevel proxyAuthService proxySessionService remoteCookieName proxyUseSoap)],
proxyParams => [qw(proxyAuthnLevel proxyUseSoap proxyAuthService proxySessionService proxyAuthServiceChoiceParam proxyAuthServiceChoiceValue proxyCookieName proxyAuthServiceImpersonation)],
radiusParams => [qw(radiusAuthnLevel radiusSecret radiusServer)],
remoteParams => [qw(remotePortal remoteCookieName remoteGlobalStorage remoteGlobalStorageOptions)],
restParams => [qw(restAuthnLevel restAuthUrl restUserDBUrl restPwdConfirmUrl restPwdModifyUrl)],
