Doc update

This commit is contained in:
Xavier Guimard 2010-11-01 13:02:18 +00:00
parent 3027bed401
commit a1a30f4710
8 changed files with 214 additions and 21 deletions

File diff suppressed because one or more lines are too long

View File

@ -67,4 +67,24 @@ The <code>convertConfig</code> utility reads 2 <acronym title="LemonLDAP::NG">LL
</ul>
</div>
<!-- SECTION "Let's go" [427-] --></div><!-- closes <div class="dokuwiki export">-->
<!-- SECTION "Let's go" [427-779] -->
<h2><a name="see_also" id="see_also">See also</a></h2>
<div class="level2">
<p>
Documentation is available for configuration backends :
</p>
<ul>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/sqlconfbackend.html" class="wikilink1" title="documentation:1.0:sqlconfbackend">SQL</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/fileconfbackend.html" class="wikilink1" title="documentation:1.0:fileconfbackend">File</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/ldapconfbackend.html" class="wikilink1" title="documentation:1.0:ldapconfbackend">LDAP</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/soapconfbackend.html" class="wikilink1" title="documentation:1.0:soapconfbackend">SOAP proxy mechanism</a></div>
</li>
</ul>
</div>
<!-- SECTION "See also" [780-] --></div><!-- closes <div class="dokuwiki export">-->
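Review bot: the new lead-in line `Documentation is available for configuration backends :` has a space before the colon (French typography carried into the English page); drop it so it reads `Documentation is available for configuration backends:`. The four list entries follow the same wikilink1 link convention as the rest of the hunk, so nothing else stands out here.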

View File

@ -66,8 +66,13 @@ For example, to configure the <code>File</code> configuration backend:
<span class="re1">type</span><span class="sy0">=</span><span class="re2">File</span>
<span class="re1">dirName</span> <span class="sy0">=</span><span class="re2"> /usr/local/lemonldap-ng/data/conf</span></pre>
<p>
<p><div class="notetip">See <a href="../../documentation/1.0/changeconfbackend.html" class="wikilink1" title="documentation:1.0:changeconfbackend">How to change configuration backend</a> to known how to change this.
</div></p>
</p>
</div>
<!-- SECTION "Backends" [39-883] -->
<!-- SECTION "Backends" [39-992] -->
<h2><a name="manager" id="manager">Manager</a></h2>
<div class="level2">
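Review bot: typo in the added tip, `to known how to change this` should read `to know how to change this`. Separately, the tip is emitted as `<p><div class="notetip">…</div></p>` nested inside a second `<p>`; this is the exporter's output and recurs across these pages, so it is not blocking, but a block element inside `<p>` is invalid XHTML and browsers will close the outer paragraph early, so it is worth fixing in the export template rather than page by page.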
@ -128,7 +133,7 @@ When modifying a value, always click on the <code>Apply</code> button if availab
</p>
</div>
<!-- SECTION "Manager" [884-2513] -->
<!-- SECTION "Manager" [993-2622] -->
<h2><a name="apache" id="apache">Apache</a></h2>
<div class="level2">
@ -161,7 +166,7 @@ These files must be included in Apache configuration, either with <code>Include<
</p>
</div>
<!-- SECTION "Apache" [2514-3273] -->
<!-- SECTION "Apache" [2623-3382] -->
<h3><a name="portal" id="portal">Portal</a></h3>
<div class="level3">
@ -260,7 +265,7 @@ In Portal virtual host, you will find several configuration parts:
&lt;/Perl&gt;</pre>
</div>
<!-- SECTION "Portal" [3274-5867] -->
<!-- SECTION "Portal" [3383-5976] -->
<h3><a name="manager1" id="manager1">Manager</a></h3>
<div class="level3">
@ -291,7 +296,7 @@ Manager virtual host is used to serve configuration interface and local document
&lt;/<span class="kw3">Directory</span>&gt;</pre>
</div>
<!-- SECTION "Manager" [5868-6513] -->
<!-- SECTION "Manager" [5977-6622] -->
<h3><a name="handler" id="handler">Handler</a></h3>
<div class="level3">
<ul>
@ -345,7 +350,7 @@ Then, to protect a standard virutal host, the only configuration line to add is:
<pre class="code file apache">PerlHeaderParserHandler My::Package</pre>
</div>
<!-- SECTION "Handler" [6514-7729] -->
<!-- SECTION "Handler" [6623-7838] -->
<h2><a name="configuration_reload" id="configuration_reload">Configuration reload</a></h2>
<div class="level2">
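Review bot: the unchanged context shown in this hunk's header reads `to protect a standard virutal host`; since this file is regenerated by the same doc update, fix the source typo to `virtual` so the export picks it up instead of carrying it forward.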
@ -390,7 +395,7 @@ The <code>reload</code> target is managed in Apache configuration, inside a virt
</p>
</div>
<!-- SECTION "Configuration reload" [7730-9006] -->
<!-- SECTION "Configuration reload" [7839-9115] -->
<h2><a name="local_file" id="local_file">Local file</a></h2>
<div class="level2">
@ -430,7 +435,7 @@ For example, to override configured skin for portal:
</p>
</div>
<!-- SECTION "Local file" [9007-9864] -->
<!-- SECTION "Local file" [9116-9973] -->
<h2><a name="script_files" id="script_files">Script files</a></h2>
<div class="level2">
@ -445,7 +450,7 @@ LemonLDAP::NG allows to override any configuration parameter directly in script
</p>
</div>
<!-- SECTION "Script files" [9865-10253] -->
<!-- SECTION "Script files" [9974-10362] -->
<h3><a name="portal1" id="portal1">Portal</a></h3>
<div class="level3">
@ -460,7 +465,7 @@ For example, in portal/index.pl:
<span class="br0">&#41;</span><span class="sy0">;</span></pre>
</div>
<!-- SECTION "Portal" [10254-10424] -->
<!-- SECTION "Portal" [10363-10533] -->
<h3><a name="handler1" id="handler1">Handler</a></h3>
<div class="level3">
@ -475,4 +480,4 @@ For example, in handler/MyHandler.pm:
<span class="br0">&#41;</span><span class="sy0">;</span></pre>
</div>
<!-- SECTION "Handler" [10425-] --></div><!-- closes <div class="dokuwiki export">-->
<!-- SECTION "Handler" [10534-] --></div><!-- closes <div class="dokuwiki export">-->

View File

@ -39,11 +39,11 @@
<p>
→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager.
→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager. This message is displayed only when you upgrade from a version older than 1.0
</p>
</div>
<!-- SECTION "Lemonldap::NG::Common" [117-314] -->
<!-- SECTION "Lemonldap::NG::Common" [117-392] -->
<h2><a name="lemonldapnghandler" id="lemonldapnghandler">Lemonldap::NG::Handler</a></h2>
<div class="level2">
<pre class="file">Unable to clear local cache</pre>
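Review bot: the extended sentence on the Lemonldap::NG::Common message has no terminating period after `older than 1.0`, and two non-English forms in the same sentence should be fixed while it is touched: `some datas` should be `some data` and `crypt/decrypt` should be `encrypt/decrypt`. Suggested text: `LemonLDAP::NG uses a key to encrypt/decrypt some data. You have to set its value in Manager. This message is displayed only when you upgrade from a version older than 1.0.`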
@ -70,9 +70,18 @@
→ The specified virtual host was not configured in Manager.
</p>
<pre class="file">mkdir /tmp/MyNamespace/2: Permission denied ...</pre>
<p>
→ The cache has been created by another user than Apache&#039;s user. Restart Apache to purge it.
<p><div class="noteimportant">This can happend when you use lmConfigEditor or launch <strong>cron files</strong> with a different user than Apache process. That is why it is important to set APACHEUSER variable when you launch “make install”
</div></p>
</p>
</div>
<!-- SECTION "Lemonldap::NG::Handler" [315-939] -->
<!-- SECTION "Lemonldap::NG::Handler" [393-1397] -->
<h2><a name="lemonldapngmanager" id="lemonldapngmanager">Lemonldap::NG::Manager</a></h2>
<div class="level2">
<pre class="file">XXXX was not found in tree</pre>
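Review bot: in the added `mkdir /tmp/MyNamespace/2: Permission denied` entry, the remedy `Restart Apache to purge it` does not follow from the diagnosis on the line before it: if the cache was created by a user other than Apache's, Apache will hit the same permission error when it tries to remove the stale entries, so the note should say which user has to delete the cache (the user that created it, or root) before Apache is restarted. Wording in the important note: `This can happend` should be `This can happen`, `a different user than Apache process` should be `a different user than the Apache process`, and the sentence ending `when you launch “make install”` needs a closing period.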
@ -83,7 +92,7 @@
</p>
</div>
<!-- SECTION "Lemonldap::NG::Manager" [940-1065] -->
<!-- SECTION "Lemonldap::NG::Manager" [1398-1523] -->
<h2><a name="lemonldapngportal" id="lemonldapngportal">Lemonldap::NG::Portal</a></h2>
<div class="level2">
<pre class="file">User XXXX was not granted to open session</pre>
@ -118,4 +127,4 @@
</p>
</div>
<!-- SECTION "Lemonldap::NG::Portal" [1066-] --></div><!-- closes <div class="dokuwiki export">-->
<!-- SECTION "Lemonldap::NG::Portal" [1524-] --></div><!-- closes <div class="dokuwiki export">-->

View File

@ -0,0 +1,157 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="security" id="security">Security</a></h1>
<div class="level1">
</div>
<!-- SECTION "Security" [1-24] -->
<h2><a name="secure_configuration_access" id="secure_configuration_access">Secure configuration access</a></h2>
<div class="level2">
<p>
Configuration can be stored in several formats (<a href="../../documentation/1.0/sqlconfbackend.html" class="wikilink1" title="documentation:1.0:sqlconfbackend">SQL</a>, <a href="../../documentation/1.0/fileconfbackend.html" class="wikilink1" title="documentation:1.0:fileconfbackend">File</a>, <a href="../../documentation/1.0/ldapconfbackend.html" class="wikilink1" title="documentation:1.0:ldapconfbackend">LDAP</a>) but must be shared over the network if you use more than 1 server. If some of your servers are not in the same (secured) network than the database, it is recommended to use <a href="../../documentation/1.0/soapconfbackend.html" class="wikilink1" title="documentation:1.0:soapconfbackend">SOAP access</a> for those servers.
</p>
<p>
<p><div class="notetip">You can use different type of access: <a href="../../documentation/1.0/sqlconfbackend.html" class="wikilink1" title="documentation:1.0:sqlconfbackend">SQL</a>, <a href="../../documentation/1.0/fileconfbackend.html" class="wikilink1" title="documentation:1.0:fileconfbackend">File</a> or <a href="../../documentation/1.0/ldapconfbackend.html" class="wikilink1" title="documentation:1.0:ldapconfbackend">LDAP</a> for servers in secured network and <a href="../../documentation/1.0/soapconfbackend.html" class="wikilink1" title="documentation:1.0:soapconfbackend">SOAP</a> for remote servers.
</div></p>
</p>
<p>
Next, you have to configure the <acronym title="Simple Object Access Protocol">SOAP</acronym> access as described <a href="../../documentation/1.0/soapconfbackend.html#next_configure_soap_for_your_remote_servers" class="wikilink1" title="documentation:1.0:soapconfbackend">here</a> since <acronym title="Simple Object Access Protocol">SOAP</acronym> access is denied by default.
</p>
</div>
<!-- SECTION "Secure configuration access" [25-794] -->
<h2><a name="manager_protection" id="manager_protection">Manager protection</a></h2>
<div class="level2">
<p>
By default, the manager is restricted to localhost in its Apache configuration file, but no accounting is done. To change this, you can choose one of the following:
</p>
<ul>
<li class="level1"><div class="li"> protect the manager by Apache configuration</div>
</li>
<li class="level1"><div class="li"> protect the manager by Lemonldap::NG</div>
</li>
</ul>
</div>
<!-- SECTION "Manager protection" [795-1081] -->
<h3><a name="protect_the_manager_by_apache" id="protect_the_manager_by_apache">Protect the manager by Apache</a></h3>
<div class="level3">
<p>
You can use any of the mechanisms proposed by Apache: <acronym title="Secure Sockets Layer">SSL</acronym>, Auth-Basic, Kerberos,… Example
</p>
<pre class="code apache">&lt;<span class="kw3">VirtualHost</span> *:443&gt;
<span class="kw1">ServerName</span> manager.example.com
<span class="co1"># SSL parameters</span>
...
<span class="co1"># DocumentRoot</span>
<span class="kw1">DocumentRoot</span> /var/lib/lemonldap-ng/manager/
&lt;<span class="kw3">Location</span> /&gt;
<span class="kw1">AuthType</span> Basic
<span class="kw1">AuthName</span> <span class="st0">&quot;Lemonldap::NG manager&quot;</span>
<span class="kw1">AuthUserFile</span> /usr/local/apache/passwd/passwords
<span class="kw1">Require</span> <span class="kw1">user</span> rbowen
<span class="kw1">Order</span> <span class="kw1">allow</span>,<span class="kw1">deny</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 192.168.142.0/24
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Location</span>&gt;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div>
<!-- SECTION "Protect the manager by Apache" [1082-1692] -->
<h3><a name="protect_the_manager_by_lemonldapng" id="protect_the_manager_by_lemonldapng">Protect the manager by Lemonldap::NG</a></h3>
<div class="level3">
<p>
To protect the manager by Lemonldap::NG, you just have to set this in lemonldap-ng.ini configuration file (section [manager]):
</p>
<pre class="file">protection = manager</pre>
<p>
<p><div class="noteimportant">Before, you have to create the virtual host manager.your.domain in the manager and set a <a href="../../documentation/1.0/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.0:writingrulesand_headers">rule</a>, else access to the manager will be denied.
</div></p>
</p>
</div>
<!-- SECTION "Protect the manager by Lemonldap::NG" [1693-2097] -->
<h2><a name="write_good_rules" id="write_good_rules">Write good rules</a></h2>
<div class="level2">
<p>
You can write <a href="../../documentation/1.0/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.0:writingrulesand_headers">rules</a> matching any component of <acronym title="Uniform Resource Locator">URL</acronym> to protect including GET parameters, but be careful:
Bad example:
</p>
<pre class="code">
/^index.php\?.*access=admin -&gt; $groups =~ /\badmin\b/
default -&gt; accept
</pre>
<p>
Now, user that try to access to one of the following <em class="u">will be granted</em> !
</p>
<ul>
<li class="level1"><div class="li"> /index.php?access=admin&amp;access=other</div>
</li>
<li class="level1"><div class="li"> /index.php?Access=admin</div>
</li>
</ul>
<p>
You can use the following instead:
</p>
<pre class="code">
# insert a comment 0_bad for this rule:
/^(?i)index.php\?.*access.*access -&gt; deny
# insert a comment 1_admin for this rule
/^(?i)index.php\?.*access=admin -&gt; $groups =~ /\badmin\b/
default -&gt; accept
</pre>
<p>
Note that <strong>(?i)</strong> means case no sensitive
</p>
<p>
<p><div class="notewarning">Remember that rules written on GET parameters must be tested.
</div></p>
</p>
</div>
<!-- SECTION "Write good rules" [2098-] --></div><!-- closes <div class="dokuwiki export">-->
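Review bot: the Apache example under "Protect the manager by Apache" denies every client as written: with `Order allow,deny` Apache evaluates the Allow directives first and then the Deny directives, and a request matching both is rejected, so `Deny from all` overrides `Allow from 192.168.142.0/24` and nobody reaches the manager. To express "deny everything except this subnet" the three lines must be `Order deny,allow`, `Deny from all`, `Allow from 192.168.142.0/24`; please test the block before this page is published, since it is the security page. Further points in this new file: `Require user rbowen` is the sample user from the Apache documentation and should be a visible placeholder so readers do not copy it as-is; `no accounting is done` in the "Manager protection" intro reads as if it meant logging, whereas both options that follow add authentication, so write `no authentication is done` if that is the intent; in "Write good rules" both regexes escape the `?` but leave the dot in `index.php` unescaped, so use `index\.php` for consistency with the point the section is making about precise matching. Wording fixes: `more than 1 server` → `more than one server`; `the same (secured) network than the database` → `as the database`; `different type of access` → `different types of access`; `Before, you have to create` → `Beforehand, create`; `user that try to access to one of the following will be granted !` → `a user who tries to access one of the following will be granted access!`; `means case no sensitive` → `means case-insensitive`. Finally, `<title></title>` is empty and should carry the page name, `Security`.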

View File

@ -264,7 +264,7 @@
<ul>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/performances.html" class="wikilink1" title="documentation:1.0:performances">Performances</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/security.html" class="wikilink2" title="documentation:1.0:security" rel="nofollow">Security</a></div>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/security.html" class="wikilink1" title="documentation:1.0:security">Security</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/status.html" class="wikilink1" title="documentation:1.0:status">Handler status page</a></div>
</li>

View File

@ -281,6 +281,6 @@ LemonLDAP::NG is the first <acronym title="Single Sign On">SSO</acronym> softwar
<a href="/_detail/icons/clock.png?id=start" class="media" title="icons:clock.png"><img src="../media/icons/clock.png" class="media" alt="" /></a>
</div>
</p>
<ul class="rss"><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1785" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1785" rel="nofollow">Function to load help from wiki</a> by guimard (2010/10/31 09:37)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1784" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1784" rel="nofollow">Missing &quot;require _DBI&quot;</a> by guimard (2010/10/31 06:33)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1783" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1783" rel="nofollow">Share $iniObj between threads</a> by guimard (2010/10/30 21:26)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1782" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1782" rel="nofollow">Share global variables</a> by guimard (2010/10/30 20:25)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1781" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1781" rel="nofollow">Correct typo on gear.png in manager.js</a> by clement_oudot (2010/10/30 16:38)</div></li></ul>
<ul class="rss"><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1800" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1800" rel="nofollow">lmConfigEditor is no longer launchable as root</a> by guimard (2010/11/01 10:14)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1799" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1799" rel="nofollow">If local cache failed, conf must be returned even</a> by guimard (2010/11/01 09:16)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1798" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1798" rel="nofollow">purgeCentralCache was broken by new Apache::Session mechanism</a> by guimard (2010/11/01 09:15)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1797" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1797" rel="nofollow">Doc update</a> by guimard (2010/11/01 08:35)</div></li><li><div class="li"><a href="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1796" class="urlextern" title="http://websvn.ow2.org/revision.php?repname=lemonldap&amp;path=%2F&amp;rev=1796" rel="nofollow">Preserve links in doc</a> by guimard (2010/11/01 08:30)</div></li></ul>
</div>
<!-- SECTION "SVN activity" [3129-] --></div><!-- closes <div class="dokuwiki export">-->

View File

@ -211,8 +211,10 @@ useRedirectOnError = 1
# When using "SetHandler cgi-script" instead of using ModPerl::Registry,
# Apache LogLevel parameter does not work for LemonLDAP::NG debugging.
# Use the following to modify error output:
# Use one of the following to modify error output:
;hideLogLevels = debug|info
;hideLogLevels = debug
;hideLogLevels =
[sessionsExplorer]
# Sessions explorer inherits from manager section. You can override here
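Review bot: the two new commented alternatives leave the semantics of the empty form `;hideLogLevels =` undocumented: a reader cannot tell from `Use one of the following to modify error output` whether an empty value means "hide nothing" (debug and info are shown) or falls back to a default, nor what applies when the key stays commented out. Add one comment line per alternative stating its effect, for example `# show everything, including debug and info` above the empty one, and state the default used when the key is absent.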