Doc update
This commit is contained in:
parent
3027bed401
commit
a1a30f4710
@ -67,4 +67,24 @@ The <code>convertConfig</code> utility reads 2 <acronym title="LemonLDAP::NG">LL
</ul>
</div>
<!-- SECTION "Let's go" [427-] --></div><!-- closes <div class="dokuwiki export">-->
<!-- SECTION "Let's go" [427-779] -->
<h2><a name="see_also" id="see_also">See also</a></h2>
<div class="level2">
<p>
Documentation is available for configuration backends :
</p>
<ul>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/sqlconfbackend.html" class="wikilink1" title="documentation:1.0:sqlconfbackend">SQL</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/fileconfbackend.html" class="wikilink1" title="documentation:1.0:fileconfbackend">File</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/ldapconfbackend.html" class="wikilink1" title="documentation:1.0:ldapconfbackend">LDAP</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/soapconfbackend.html" class="wikilink1" title="documentation:1.0:soapconfbackend">SOAP proxy mechanism</a></div>
</li>
</ul>
</div>
<!-- SECTION "See also" [780-] --></div><!-- closes <div class="dokuwiki export">-->
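Review bot: the new "See also" list presents the SOAP proxy backend as a fourth peer of SQL, File and LDAP without saying when it is the right choice; a one-line hint that SOAP is the option for servers that cannot reach the configuration store directly, and that SOAP access is denied until it is explicitly enabled (as the security page added in this same commit states), would stop readers from picking it by default. Minor: "Documentation is available for configuration backends :" carries a French-style space before the colon.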
@ -66,8 +66,13 @@ For example, to configure the <code>File</code> configuration backend:
<span class="re1">type</span><span class="sy0">=</span><span class="re2">File</span>
<span class="re1">dirName</span> <span class="sy0">=</span><span class="re2"> /usr/local/lemonldap-ng/data/conf</span></pre>
<p>
<p><div class="notetip">See <a href="../../documentation/1.0/changeconfbackend.html" class="wikilink1" title="documentation:1.0:changeconfbackend">How to change configuration backend</a> to known how to change this.
</div></p>
</p>
</div>
<!-- SECTION "Backends" [39-883] -->
<!-- SECTION "Backends" [39-992] -->
<h2><a name="manager" id="manager">Manager</a></h2>
<div class="level2">
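Review bot: typo in the added notetip: "to known how to change this" should read "to know how to change this". The tip is also emitted as `<p><div class="notetip">…</div></p>` inside an outer `<p>`, which is not valid XHTML (a block `div` nested in `p`); it matches the export's convention elsewhere on this page, so it is a generator issue to fix once rather than by hand here.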
@ -128,7 +133,7 @@ When modifying a value, always click on the <code>Apply</code> button if availab
</p>
</div>
<!-- SECTION "Manager" [884-2513] -->
<!-- SECTION "Manager" [993-2622] -->
<h2><a name="apache" id="apache">Apache</a></h2>
<div class="level2">
@ -161,7 +166,7 @@ These files must be included in Apache configuration, either with <code>Include<
</p>
</div>
<!-- SECTION "Apache" [2514-3273] -->
<!-- SECTION "Apache" [2623-3382] -->
<h3><a name="portal" id="portal">Portal</a></h3>
<div class="level3">
@ -260,7 +265,7 @@ In Portal virtual host, you will find several configuration parts:
</Perl></pre>
</div>
<!-- SECTION "Portal" [3274-5867] -->
<!-- SECTION "Portal" [3383-5976] -->
<h3><a name="manager1" id="manager1">Manager</a></h3>
<div class="level3">
@ -291,7 +296,7 @@ Manager virtual host is used to serve configuration interface and local document
</<span class="kw3">Directory</span>></pre>
</div>
<!-- SECTION "Manager" [5868-6513] -->
<!-- SECTION "Manager" [5977-6622] -->
<h3><a name="handler" id="handler">Handler</a></h3>
<div class="level3">
<ul>
@ -345,7 +350,7 @@ Then, to protect a standard virutal host, the only configuration line to add is:
<pre class="code file apache">PerlHeaderParserHandler My::Package</pre>
</div>
<!-- SECTION "Handler" [6514-7729] -->
<!-- SECTION "Handler" [6623-7838] -->
<h2><a name="configuration_reload" id="configuration_reload">Configuration reload</a></h2>
<div class="level2">
@ -390,7 +395,7 @@ The <code>reload</code> target is managed in Apache configuration, inside a virt
</p>
</div>
<!-- SECTION "Configuration reload" [7730-9006] -->
<!-- SECTION "Configuration reload" [7839-9115] -->
<h2><a name="local_file" id="local_file">Local file</a></h2>
<div class="level2">
@ -430,7 +435,7 @@ For example, to override configured skin for portal:
</p>
</div>
<!-- SECTION "Local file" [9007-9864] -->
<!-- SECTION "Local file" [9116-9973] -->
<h2><a name="script_files" id="script_files">Script files</a></h2>
<div class="level2">
@ -445,7 +450,7 @@ LemonLDAP::NG allows to override any configuration parameter directly in script
</p>
</div>
<!-- SECTION "Script files" [9865-10253] -->
<!-- SECTION "Script files" [9974-10362] -->
<h3><a name="portal1" id="portal1">Portal</a></h3>
<div class="level3">
@ -460,7 +465,7 @@ For example, in portal/index.pl:
<span class="br0">)</span><span class="sy0">;</span></pre>
</div>
<!-- SECTION "Portal" [10254-10424] -->
<!-- SECTION "Portal" [10363-10533] -->
<h3><a name="handler1" id="handler1">Handler</a></h3>
<div class="level3">
@ -475,4 +480,4 @@ For example, in handler/MyHandler.pm:
<span class="br0">)</span><span class="sy0">;</span></pre>
</div>
<!-- SECTION "Handler" [10425-] --></div><!-- closes <div class="dokuwiki export">-->
<!-- SECTION "Handler" [10534-] --></div><!-- closes <div class="dokuwiki export">-->
@ -39,11 +39,11 @@
<p>
→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager.
→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager. This message is displayed only when you upgrade from a version older than 1.0
</p>
</div>
<!-- SECTION "Lemonldap::NG::Common" [117-314] -->
<!-- SECTION "Lemonldap::NG::Common" [117-392] -->
<h2><a name="lemonldapnghandler" id="lemonldapnghandler">Lemonldap::NG::Handler</a></h2>
<div class="level2">
<pre class="file">Unable to clear local cache</pre>
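Review bot: the sentence appended to the Lemonldap::NG::Common entry ("This message is displayed only when you upgrade from a version older than 1.0") has no terminating period, and the line it extends still reads "crypt/decrypt some datas"; since the line is being rewritten anyway, "encrypt/decrypt some data" is the correct wording. It would also help the reader being told to "set its value in Manager" if the entry named the Manager field that holds this key.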
@ -70,9 +70,18 @@
→ The specified virtual host was not configured in Manager.
</p>
<pre class="file">mkdir /tmp/MyNamespace/2: Permission denied ...</pre>
<p>
→ The cache has been created by another user than Apache's user. Restart Apache to purge it.
<p><div class="noteimportant">This can happend when you use lmConfigEditor or launch <strong>cron files</strong> with a different user than Apache process. That is why it is important to set APACHEUSER variable when you launch “make install”
</div></p>
</p>
</div>
<!-- SECTION "Lemonldap::NG::Handler" [315-939] -->
<!-- SECTION "Lemonldap::NG::Handler" [393-1397] -->
<h2><a name="lemonldapngmanager" id="lemonldapngmanager">Lemonldap::NG::Manager</a></h2>
<div class="level2">
<pre class="file">XXXX was not found in tree</pre>
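Review bot: the remedy given for `mkdir /tmp/MyNamespace/2: Permission denied` ("Restart Apache to purge it") only works if whatever runs at restart may remove files owned by the other user; the dependable fix is to delete the stale cache directory as root (or chown it to the Apache user) before restarting, and the note should say that. Typos in the same hunk: "happend" should be "happen", and the noteimportant sentence ending in “make install” has no terminating period. One security point worth a sentence here: the cache sits under world-writable /tmp at a fixed name, so any local user who creates /tmp/MyNamespace first produces exactly this error and may be able to influence what the handler reads from its cache; the troubleshooting entry could point readers to a dedicated cache directory owned by the Apache user rather than leaving the /tmp default implicit.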
@ -83,7 +92,7 @@
</p>
</div>
<!-- SECTION "Lemonldap::NG::Manager" [940-1065] -->
<!-- SECTION "Lemonldap::NG::Manager" [1398-1523] -->
<h2><a name="lemonldapngportal" id="lemonldapngportal">Lemonldap::NG::Portal</a></h2>
<div class="level2">
<pre class="file">User XXXX was not granted to open session</pre>
@ -118,4 +127,4 @@
</p>
</div>
<!-- SECTION "Lemonldap::NG::Portal" [1066-] --></div><!-- closes <div class="dokuwiki export">-->
<!-- SECTION "Lemonldap::NG::Portal" [1524-] --></div><!-- closes <div class="dokuwiki export">-->
157
build/lemonldap-ng/doc/pages/documentation/1.0/security.html
Normal file
@ -0,0 +1,157 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="security" id="security">Security</a></h1>
<div class="level1">
</div>
<!-- SECTION "Security" [1-24] -->
<h2><a name="secure_configuration_access" id="secure_configuration_access">Secure configuration access</a></h2>
<div class="level2">
<p>
Configuration can be stored in several formats (<a href="../../documentation/1.0/sqlconfbackend.html" class="wikilink1" title="documentation:1.0:sqlconfbackend">SQL</a>, <a href="../../documentation/1.0/fileconfbackend.html" class="wikilink1" title="documentation:1.0:fileconfbackend">File</a>, <a href="../../documentation/1.0/ldapconfbackend.html" class="wikilink1" title="documentation:1.0:ldapconfbackend">LDAP</a>) but must be shared over the network if you use more than 1 server. If some of your servers are not in the same (secured) network than the database, it is recommended to use <a href="../../documentation/1.0/soapconfbackend.html" class="wikilink1" title="documentation:1.0:soapconfbackend">SOAP access</a> for those servers.
</p>
<p>
<p><div class="notetip">You can use different type of access: <a href="../../documentation/1.0/sqlconfbackend.html" class="wikilink1" title="documentation:1.0:sqlconfbackend">SQL</a>, <a href="../../documentation/1.0/fileconfbackend.html" class="wikilink1" title="documentation:1.0:fileconfbackend">File</a> or <a href="../../documentation/1.0/ldapconfbackend.html" class="wikilink1" title="documentation:1.0:ldapconfbackend">LDAP</a> for servers in secured network and <a href="../../documentation/1.0/soapconfbackend.html" class="wikilink1" title="documentation:1.0:soapconfbackend">SOAP</a> for remote servers.
</div></p>
</p>
<p>
Next, you have to configure the <acronym title="Simple Object Access Protocol">SOAP</acronym> access as described <a href="../../documentation/1.0/soapconfbackend.html#next_configure_soap_for_your_remote_servers" class="wikilink1" title="documentation:1.0:soapconfbackend">here</a> since <acronym title="Simple Object Access Protocol">SOAP</acronym> access is denied by default.
</p>
</div>
<!-- SECTION "Secure configuration access" [25-794] -->
<h2><a name="manager_protection" id="manager_protection">Manager protection</a></h2>
<div class="level2">
<p>
By default, the manager is restricted to localhost in its Apache configuration file, but no accounting is done. To change this, you can choose one of the following:
</p>
<ul>
<li class="level1"><div class="li"> protect the manager by Apache configuration</div>
</li>
<li class="level1"><div class="li"> protect the manager by Lemonldap::NG</div>
</li>
</ul>
</div>
<!-- SECTION "Manager protection" [795-1081] -->
<h3><a name="protect_the_manager_by_apache" id="protect_the_manager_by_apache">Protect the manager by Apache</a></h3>
<div class="level3">
<p>
You can use any of the mechanisms proposed by Apache: <acronym title="Secure Sockets Layer">SSL</acronym>, Auth-Basic, Kerberos,… Example
</p>
<pre class="code apache"><<span class="kw3">VirtualHost</span> *:443>
<span class="kw1">ServerName</span> manager.example.com
<span class="co1"># SSL parameters</span>
...
<span class="co1"># DocumentRoot</span>
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/manager/
<<span class="kw3">Location</span> />
<span class="kw1">AuthType</span> Basic
<span class="kw1">AuthName</span> <span class="st0">"Lemonldap::NG manager"</span>
<span class="kw1">AuthUserFile</span> /usr/local/apache/passwd/passwords
<span class="kw1">Require</span> <span class="kw1">user</span> rbowen
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 192.168.142.0/24
<span class="kw1">Options</span> +ExecCGI
</<span class="kw3">Location</span>>
</<span class="kw3">VirtualHost</span>></pre>
</div>
<!-- SECTION "Protect the manager by Apache" [1082-1692] -->
<h3><a name="protect_the_manager_by_lemonldapng" id="protect_the_manager_by_lemonldapng">Protect the manager by Lemonldap::NG</a></h3>
<div class="level3">
<p>
To protect the manager by Lemonldap::NG, you just have to set this in lemonldap-ng.ini configuration file (section [manager]):
</p>
<pre class="file">protection = manager</pre>
<p>
<p><div class="noteimportant">Before, you have to create the virtual host manager.your.domain in the manager and set a <a href="../../documentation/1.0/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.0:writingrulesand_headers">rule</a>, else access to the manager will be denied.
</div></p>
</p>
</div>
<!-- SECTION "Protect the manager by Lemonldap::NG" [1693-2097] -->
<h2><a name="write_good_rules" id="write_good_rules">Write good rules</a></h2>
<div class="level2">
<p>
You can write <a href="../../documentation/1.0/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.0:writingrulesand_headers">rules</a> matching any component of <acronym title="Uniform Resource Locator">URL</acronym> to protect including GET parameters, but be careful:
Bad example:
</p>
<pre class="code">
/^index.php\?.*access=admin -> $groups =~ /\badmin\b/
default -> accept
</pre>
<p>
Now, user that try to access to one of the following <em class="u">will be granted</em> !
</p>
<ul>
<li class="level1"><div class="li"> /index.php?access=admin&access=other</div>
</li>
<li class="level1"><div class="li"> /index.php?Access=admin</div>
</li>
</ul>
<p>
You can use the following instead:
</p>
<pre class="code">
# insert a comment 0_bad for this rule:
/^(?i)index.php\?.*access.*access -> deny
# insert a comment 1_admin for this rule
/^(?i)index.php\?.*access=admin -> $groups =~ /\badmin\b/
default -> accept
</pre>
<p>
Note that <strong>(?i)</strong> means case no sensitive
</p>
<p>
<p><div class="notewarning">Remember that rules written on GET parameters must be tested.
</div></p>
</p>
</div>
<!-- SECTION "Write good rules" [2098-] --></div><!-- closes <div class="dokuwiki export">-->
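Review bot: in the "Write good rules" section the rule regexes are anchored as `^index.php` while every URL they are meant to match begins with `/index.php`; if the handler tests rules against the request URI including the leading slash, as the listed examples imply, neither the bad rule nor the corrected ones ever match and every request falls through to `default -> accept`, so they should read `^/index\.php\?` (escaping the dot as well). The first bypass example also needs one more sentence: `/index.php?access=admin&access=other` still matches `.*access=admin`, so the rule does apply; the bypass comes from the application reading a different occurrence of the repeated parameter than the one the rule author had in mind, and the text should say so explicitly. Elsewhere in the file: under "Manager protection", "no accounting is done" should be "no authentication is done" (a localhost restriction identifies no user); the Apache example relies on `Require user` and `Allow from` both being enforced, which holds only because Apache's default is `Satisfy All`, worth stating next to the block; and the Lemonldap::NG protection note should warn that setting `protection = manager` before the manager.your.domain virtual host and its rule exist locks the administrator out, and that the rule should restrict access (the page's own `$groups =~ /\badmin\b/` is a good candidate) rather than be `accept`. Wording: "not in the same (secured) network than the database" should be "as the database", "different type of access" should be "types", "user that try to access to one of the following will be granted" should be "a user who requests either of the following URLs will be granted access", and "case no sensitive" should be "case-insensitive".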
@ -264,7 +264,7 @@
<ul>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/performances.html" class="wikilink1" title="documentation:1.0:performances">Performances</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/security.html" class="wikilink2" title="documentation:1.0:security" rel="nofollow">Security</a></div>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/security.html" class="wikilink1" title="documentation:1.0:security">Security</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/status.html" class="wikilink1" title="documentation:1.0:status">Handler status page</a></div>
</li>
@ -281,6 +281,6 @@ LemonLDAP::NG is the first <acronym title="Single Sign On">SSO</acronym> softwar
<a href="/_detail/icons/clock.png?id=start" class="media" title="icons:clock.png"><img src="../media/icons/clock.png" class="media" alt="" /></a>
</div>
</p>
<ul class="rss"><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1785" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1785" rel="nofollow">Function to load help from wiki</a> by guimard (2010/10/31 09:37)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1784" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1784" rel="nofollow">Missing "require _DBI"</a> by guimard (2010/10/31 06:33)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1783" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1783" rel="nofollow">Share $iniObj between threads</a> by guimard (2010/10/30 21:26)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1782" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1782" rel="nofollow">Share global variables</a> by guimard (2010/10/30 20:25)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1781" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1781" rel="nofollow">Correct typo on gear.png in manager.js</a> by clement_oudot (2010/10/30 16:38)</div></li></ul>
<ul class="rss"><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1800" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1800" rel="nofollow">lmConfigEditor is no longer launchable as root</a> by guimard (2010/11/01 10:14)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1799" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1799" rel="nofollow">If local cache failed, conf must be returned even</a> by guimard (2010/11/01 09:16)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1798" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1798" rel="nofollow">purgeCentralCache was broken by new Apache::Session mechanism</a> by guimard (2010/11/01 09:15)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1797" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1797" rel="nofollow">Doc update</a> by guimard (2010/11/01 08:35)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1796" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&path=%2F&rev=1796" rel="nofollow">Preserve links in doc</a> by guimard (2010/11/01 08:30)</div></li></ul>
</div>
<!-- SECTION "SVN activity" [3129-] --></div><!-- closes <div class="dokuwiki export">-->
@ -211,8 +211,10 @@ useRedirectOnError = 1
# When using "SetHandler cgi-script" instead of using ModPerl::Registry,
# Apache LogLevel parameter does not work for LemonLDAP::NG debugging.
# Use the following to modify error output:
# Use one of the following to modify error output:
;hideLogLevels = debug|info
;hideLogLevels = debug
;hideLogLevels =
[sessionsExplorer]
# Sessions explorer inherits from manager section. You can override here
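Review bot: all three `hideLogLevels` lines are commented out with `;`, so "Use one of the following to modify error output" leaves the reader without the value that applies when none is uncommented; the comment should state the default. The third option, `;hideLogLevels =` (empty), presumably hides nothing and so sends debug output to the Apache error log; since debug output from an SSO handler can carry request and session details, the comment should mark `debug|info` as the production setting and the empty value as diagnostic-only.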