doc: fix markup
Parent: e9d2ec6fec
Commit: a98e5c05b4
@ -11,7 +11,7 @@ Identity/Service Provider, compatible with several protocols, including
|
|||
SAML 2.0.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This documentation does not explains how to setup ADFS,
|
||||
but give only tricks to make it works with LL::NG
|
||||
|
|
|
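Review bot: the admonition body still reads "does not explains how to setup ADFS, but give only tricks to make it works"; since this hunk already rewrites the block, fix the grammar at the same time: "This documentation does not explain how to set up ADFS; it only gives tips to make it work with LL::NG."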
@ -47,7 +47,7 @@ the other for the share webapp.
|
|||
|
||||
Edit first ``alfresco-global.properties`` and add the following:
|
||||
|
||||
.. code:: java
|
||||
.. code-block:: properties
|
||||
|
||||
### SSO ###
|
||||
authentication.chain=external1:external
|
||||
|
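Review bot: `properties` is the right lexer (the file is `key=value`, the old `java` tag was misleading). Because `authentication.chain=external1:external` is the line that makes Alfresco trust an HTTP header for authentication, add a one-line comment above it saying it must only be enabled once Alfresco is reachable solely through the LL::NG handler; as written the `### SSO ###` block reads as harmless configuration.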
@ -62,7 +62,7 @@ the ``<endpoint>``, change ``<connector-id>`` value to
|
|||
``alfrescoHeader`` and change the ``<userHeader>`` value to
|
||||
``Auth-User``:
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<config evaluator="string-compare" condition="Remote">
|
||||
<remote>
|
||||
|
@ -102,7 +102,7 @@ the ``<endpoint>``, change ``<connector-id>`` value to
|
|||
You need to restart Tomcat to apply changes.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Now you can log in with a simple HTTP header. You need to
|
||||
restrict access to Alfresco to LL::NG.
|
||||
|
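Review bot: upgrading this block to `danger` is justified, unlike most of the other `warning` to `danger` swaps in this patch: once external authentication is on, anyone who can reach Alfresco or Share without going through the handler can set `Auth-User` themselves and log in as any account, admin included. The body should say how to restrict it, for example firewall Alfresco so that only the LL::NG reverse proxy can reach it, and have the proxy strip any client-supplied `Auth-User` header before forwarding.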
@ -166,7 +166,7 @@ Export the keystore:
|
|||
|
||||
Edit then ``share-config-custom.xml``:
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
...
|
||||
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
|
||||
|
|
|
@ -7,7 +7,7 @@ Presentation
|
|||
------------
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
For now, this feature is only supported by Apache
|
||||
handler.
|
||||
|
|
|
@ -29,7 +29,7 @@ SAML
|
|||
name so people know which account is which.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If you have only one role, the configuration is simple. If you
|
||||
have multiple roles for different people, it is a little trickier. As
|
||||
|
|
|
@ -75,16 +75,20 @@ This is the entityID for awx, lets put the fqdn : ``awx.example.com``
|
|||
SAML Service Provider Public Certificate
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Put the content of ``saml-awx.crt`` : ``-----BEGIN CERTIFICATE-----
|
||||
cert
|
||||
-----END CERTIFICATE-----``
|
||||
Put the content of ``saml-awx.crt`` ::
|
||||
|
||||
-----BEGIN CERTIFICATE-----
|
||||
cert
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
SAML Service Provider Private Key
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Put the content of ``saml-awx.key`` : ``-----BEGIN RSA PRIVATE KEY-----
|
||||
key
|
||||
-----END RSA PRIVATE KEY-----``
|
||||
Put the content of ``saml-awx.key`` ::
|
||||
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
key
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
It will be replaced with ``$encrypted$`` after you save the settings.
|
||||
|
||||
|
|
|
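Review bot: moving the PEM blocks out of the inline ``...`` spans into `::` literal blocks is the right fix, since RST inline literals cannot span lines and the BEGIN/END lines were rendering as raw backticks. One follow-up: the placeholder shows a PKCS#1 header (`-----BEGIN RSA PRIVATE KEY-----`), while current OpenSSL writes PKCS#8 (`-----BEGIN PRIVATE KEY-----`) by default; either say that AWX accepts both forms or generate the key in the form the page shows, so readers do not paste a key whose header does not match the example.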
@ -40,7 +40,7 @@ Configure Bugzilla virtual host like other
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName bugzilla.example.com
|
||||
|
@ -53,7 +53,7 @@ Configure Bugzilla virtual host like other
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
|
|
@ -37,7 +37,7 @@ Now we will add CSOD as a new SAML Service Provider:
|
|||
#. Select ``Metadata``, and unprotect the field to paste the following
|
||||
value:
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
|
||||
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
||||
|
@ -56,7 +56,7 @@ Now we will add CSOD as a new SAML Service Provider:
|
|||
</md:EntityDescriptor>
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Change **mycompanyid** (in ``AssertionConsumerService``
|
||||
markup, parameter ``Location``) into your CSOD company ID and put the
|
||||
|
|
|
@ -14,10 +14,6 @@ readable outside the Wiki and eases the creation of structured texts.
|
|||
All data is stored in plain text files – no database is required.
|
||||
|
||||
|
||||
.. tip::
|
||||
|
||||
LemonLDAP::NG wiki uses Dokuwiki!
|
||||
|
||||
HTTP headers
|
||||
------------
|
||||
|
||||
|
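Review bot: removing the `tip` is right: the `''...''` and `%%...%%` remnants fixed elsewhere in this patch show the manual was converted out of Dokuwiki, so "LemonLDAP::NG wiki uses Dokuwiki!" no longer describes where this documentation lives.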
@ -49,7 +45,7 @@ Configure Dokuwiki virtual host like other
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName dokuwiki.example.com
|
||||
|
@ -62,7 +58,7 @@ Configure Dokuwiki virtual host like other
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
@ -115,7 +111,7 @@ Configure the :ref:`headers<headers>`:
|
|||
- Auth-Groups: encode_base64($groups,"")
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
To allow execution of encode_base64() method, you must
|
||||
deactivate the :doc:`Safe jail<../safejail>`.
|
||||
|
|
|
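Review bot: `attention` fits, but the body should say what deactivating the Safe jail costs: the jail sandboxes every rule, header and macro expression the handler evaluates, so switching it off to get `encode_base64()` removes that protection for all virtual hosts, not only Dokuwiki. If the Safe jail page documents a way to make the function available without disabling the jail, point readers there instead of recommending the global switch.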
@ -34,7 +34,7 @@ Configure Drupal virtual host like other
|
|||
:doc:`protected virtual host<../configvhost>`.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If you are protecting Drupal with LL::NG as reverse
|
||||
proxy,
|
||||
|
@ -42,7 +42,7 @@ Configure Drupal virtual host like other
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName drupal.example.com
|
||||
|
@ -55,7 +55,7 @@ Configure Drupal virtual host like other
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
@ -110,7 +110,7 @@ With the above solution, all the Drupal site will be protected, so no
|
|||
anonymous access will be allowed.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You cannot use the ``unprotect`` rule because Drupal
|
||||
navigation is based on query strings (?q=admin, ?q=user, etc.), and
|
||||
|
@ -120,7 +120,7 @@ You can create a special virtual host and use `Apache rewrite
|
|||
module <http://httpd.apache.org/docs/current/mod/mod_rewrite.html>`__ to
|
||||
switch between open and protected hosts:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName drupal.example.com
|
||||
|
|
|
@ -29,7 +29,7 @@ Find the gitlab.rb file and add these settings:
|
|||
|
||||
vi /etc/gitlab/gitlab.rb
|
||||
|
||||
.. code:: ruby
|
||||
.. code-block:: ruby
|
||||
|
||||
gitlab_rails['omniauth_enabled'] = true
|
||||
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
|
||||
|
@ -64,7 +64,7 @@ Find the gitlab.rb file and add these settings:
|
|||
|
||||
You can force SAML by default with this option:
|
||||
|
||||
.. code:: ruby
|
||||
.. code-block:: ruby
|
||||
|
||||
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
|
||||
|
||||
|
@ -96,7 +96,7 @@ Register them in LL::NG and send these SAML attributes:
|
|||
- cn => name
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
The value from LL::NG mail session attribute must be the
|
||||
email of the user in Gitlab database, in order to associate
|
||||
|
@ -108,7 +108,7 @@ Manage groups
|
|||
You can pass groups to Gitlab. For this, declare groups attribute in
|
||||
gitlab.rb:
|
||||
|
||||
.. code:: ruby
|
||||
.. code-block:: ruby
|
||||
|
||||
...
|
||||
gitlab_rails['omniauth_providers'] = [
|
||||
|
@ -134,7 +134,7 @@ Gitlab configuration
|
|||
|
||||
In ``/etc/gitlab/gitlab.rb``
|
||||
|
||||
.. code:: ruby
|
||||
.. code-block:: ruby
|
||||
|
||||
...
|
||||
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
|
||||
|
@ -180,7 +180,7 @@ Add an OpenID Connect RP to LemonLDAP::NG
|
|||
LemonLDAP::NG session is mapped to the ``email`` claim.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You need to set a key identifier, or you will get a
|
||||
*JSON::JWK::Set::KidNotFound* error on Gitlab
|
||||
|
|
|
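Review bot: fine as `attention`, but the body could name what the identifier is: it is the `kid` of the signing key published on the LL::NG JWKS endpoint, and GitLab's `JSON::JWK::Set::KidNotFound` is raised when the `kid` in the ID token header matches no key in that set. Saying so turns an error-message hint into something the reader can check in the discovery document.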
@ -26,7 +26,7 @@ http://wiki.glpi-project.org/doku.php?id=en:authautoad
|
|||
|
||||
If you use Nginx, you need to add this in configuration:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
|
|
|
@ -26,7 +26,7 @@ Google Apps control panel
|
|||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This part is based on `SimpleSAMLPHP
|
||||
documentation <http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps>`__.
|
||||
|
@ -55,7 +55,7 @@ Now configure all SAML parameters:
|
|||
Example: http://auth.example.com
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You must check the option
|
||||
``Use a specific domain transmitter`` to force Google Apps to send the
|
||||
|
@ -102,7 +102,7 @@ Now we will add Google Apps as a new SAML Service Provider:
|
|||
#. Select ``Metadata``, and unprotect the field to paste the following
|
||||
value:
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
|
||||
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
|
||||
|
@ -112,7 +112,7 @@ Now we will add Google Apps as a new SAML Service Provider:
|
|||
</md:EntityDescriptor>
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Change **mydomain.org** (in ``AssertionConsumerService``
|
||||
markup, parameter ``Location``) into your Google Apps domain. Also adapt
|
||||
|
@ -134,7 +134,7 @@ You need to adapt some parameters:
|
|||
``On`` to always display it
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Change **mydomain.org** into your Google Apps
|
||||
domain
|
||||
|
@ -155,7 +155,7 @@ To manage the other way (LL::NG → Google Apps), you can add a dedicated
|
|||
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Change **mydomain.org** into your Google Apps
|
||||
domain
|
||||
|
|
|
@ -43,7 +43,7 @@ Your Guacamole configuration directory will look something like this.
|
|||
└── guacamole.properties
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Make sure to rename the JAR in a way that `ensures that it
|
||||
will be loaded
|
||||
|
|
|
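Review bot: `danger` is too strong here: getting the JAR load order wrong breaks the extension, it does not expose anything. Sphinx renders `danger` as the loudest red box and this patch converts every `warning` into it, which dilutes the ones that do mark a security problem (the Alfresco header login and the phpLDAPadmin config-auth blocks). Keep `warning` or `important` for purely functional caveats like this one, Jitsi's `mail` header, Mattermost's numeric `id` and Wekan's trailing slash.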
@ -23,7 +23,7 @@ authenticated by LemonLDAP::NG will be registered in HumHub upon their
|
|||
first login.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
HumHub retrieves a user from his username and the
|
||||
authentication service he came through. As a result, a former local or
|
||||
|
@ -63,9 +63,7 @@ composer :
|
|||
|
||||
composer global require hirak/prestissimo
|
||||
|
||||
::
|
||||
|
||||
* Go to {humhub_home} folder
|
||||
- Go to ``{humhub_home}`` folder
|
||||
|
||||
- Check if composer.json file is present. If not, download it for your
|
||||
current version:
|
||||
|
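Review bot: `composer global require hirak/prestissimo` is a stale step: prestissimo is a Composer 1 only plugin, abandoned by its author, and does not load under Composer 2, which has parallel downloads built in. Drop it or mark it as optional and Composer 1 only, rather than leaving it as a required step in the renumbered list.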
@ -87,9 +85,7 @@ composer :
|
|||
If you just need to update the connector, change its version
|
||||
in composer.json and run the above composer update command.
|
||||
|
||||
::
|
||||
|
||||
* Edit {humhub_home}/protected/config/common.php with the client configuration :
|
||||
- Edit `{humhub_home}/protected/config/common.php` with the client configuration :
|
||||
|
||||
::
|
||||
|
||||
|
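Review bot: the rewritten bullet wraps `{humhub_home}/protected/config/common.php` in single backticks; in RST that is interpreted text (rendered through the default role, usually as italic/cite), not a literal. The `web.php` bullet in the next hunk uses double backticks, so use ``{humhub_home}/protected/config/common.php`` here too.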
@ -109,9 +105,7 @@ composer :
|
|||
// ...
|
||||
]
|
||||
|
||||
::
|
||||
|
||||
* Edit {humhub_home}/protected/config/web.php to disconnect users from LemonLDAP::NG after they logged out of Humhub:
|
||||
- Edit ``{humhub_home}/protected/config/web.php`` to disconnect users from LemonLDAP::NG after they logged out of Humhub:
|
||||
|
||||
::
|
||||
|
||||
|
@ -157,10 +151,8 @@ AuthController.onAuthSuccess method needs to be adapted so redirect to
|
|||
SSO will be bypassed when a registration error occured. This works for
|
||||
version 1.3.15 :
|
||||
|
||||
::
|
||||
|
||||
* Go to {humhub_home} folder
|
||||
* Execute
|
||||
- Go to ``{humhub_home}`` folder
|
||||
- Execute
|
||||
|
||||
::
|
||||
|
||||
|
@ -176,15 +168,13 @@ Then, configure LemonLDAP::NG to recognize your HumHub instance as a
|
|||
valid :doc:`new OpenID Connect Relying Party<..//idpopenidconnect>`
|
||||
using the following parameters:
|
||||
|
||||
::
|
||||
|
||||
* **Client ID**: the same you set in HumHub configuration
|
||||
* **Client Secret**: the same you set in HumHub configuration
|
||||
* Add the following **exported attributes**
|
||||
* **given_name**: user's givenName attribute
|
||||
* **family_name**: user's sn attribute
|
||||
* **email**: user's mail attribute
|
||||
* **Redirect URIs** containing your Yii2 auth client ID.
|
||||
* **Client ID**: the same you set in HumHub configuration
|
||||
* **Client Secret**: the same you set in HumHub configuration
|
||||
* Add the following **exported attributes**
|
||||
* **given_name**: user's givenName attribute
|
||||
* **family_name**: user's sn attribute
|
||||
* **email**: user's mail attribute
|
||||
* **Redirect URIs** containing your Yii2 auth client ID.
|
||||
|
||||
Configuration sample using CLI:
|
||||
|
||||
|
@ -212,16 +202,12 @@ to LemonLDAP::NG.
|
|||
|
||||
Table "user":
|
||||
|
||||
::
|
||||
|
||||
* Columns "username" and "email" should match exactly OIDC sub and email attributes ;
|
||||
* If former ldap user, change column "auth_mode" to "local".
|
||||
* Columns "username" and "email" should match exactly OIDC sub and email attributes ;
|
||||
* If former ldap user, change column "auth_mode" to "local".
|
||||
|
||||
Table "user_auth":
|
||||
|
||||
::
|
||||
|
||||
* Add an entry with user_id, username and "lemonldapng" as source (or the name you chose in your connector configuration) :
|
||||
* Add an entry with user_id, username and "lemonldapng" as source (or the name you chose in your connector configuration) :
|
||||
|
||||
::
|
||||
|
||||
|
|
|
@ -97,9 +97,7 @@ for Jitsi Meet.
|
|||
|
||||
Configure the :ref:`access rules<rules>`.
|
||||
|
||||
::
|
||||
|
||||
* Don't forget to configure the /logout/ URL
|
||||
* Don't forget to configure the /logout/ URL
|
||||
|
||||
Configure the following :ref:`headers<headers>`.
|
||||
|
||||
|
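Review bot: after dropping the `::`, what remains is a one-item bullet list sitting alone between two sentences, which renders oddly; fold it in: "Configure the access rules, and don't forget to configure the ``/logout/`` URL."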
@ -107,7 +105,7 @@ Configure the following :ref:`headers<headers>`.
|
|||
- **displayName**: $cn
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Jitsi meet expects to find a ``mail`` HTTP header, it
|
||||
will ignore REMOTE_USER and only use the mail value to identify the
|
||||
|
|
|
@ -18,7 +18,7 @@ Of course, integration will be full if you use the LDAP directory as
|
|||
users backend for LL::NG and Liferay.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If the user is not created, or can not be created via
|
||||
LDAP import, the connection to Liferay will be refused. With LDAP,
|
||||
|
@ -67,7 +67,7 @@ In ``General``, fill at least the following information:
|
|||
|image6|
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You need to activate LDAP authentication, else SSO
|
||||
authentication will not work. Do this in the control panel or in the
|
||||
|
@ -88,7 +88,7 @@ Then use the ``SiteMinder`` tab to configure SSO:
|
|||
|image7|
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Do not forget to save your changes!
|
||||
|
||||
|
@ -100,7 +100,7 @@ Configure Liferay virtual host like other
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName liferay.example.com
|
||||
|
@ -113,7 +113,7 @@ Configure Liferay virtual host like other
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
|
|
@ -19,7 +19,7 @@ To have a stronger integration, we will configure LimeSurvey to
|
|||
autocreate unknown users and use HTTP headers to fill name and mail.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
We suppose that LimeSurvey is installed in
|
||||
/var/www/html/limesurvey
|
||||
|
@ -53,7 +53,7 @@ application/config/config.php: The configuration is done in config.php:
|
|||
|
||||
vi /var/www/html/limesurvey/application/config/config.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
'config'=>array(
|
||||
// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
|
||||
|
@ -110,10 +110,8 @@ Default default Allow only users with a LimeSurvey role
|
|||
|
||||
You can set the default access to:
|
||||
|
||||
::
|
||||
|
||||
* **accept**: all authenticated users will access surveys
|
||||
* **unprotect**: no authentication will be asked to access surveys
|
||||
* **accept**: all authenticated users will access surveys
|
||||
* **unprotect**: no authentication will be asked to access surveys
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -30,7 +30,7 @@ integrated with LemonLDAP::NG without having to use a
|
|||
:doc:`Gitlab<gitlab>` server.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
The following configuration requires your user database
|
||||
to expose a unique numeric identifier for every user.
|
||||
|
@ -92,21 +92,19 @@ recognize a user.
|
|||
Add a :doc:`new OpenID Connect relaying party<..//idpopenidconnect>`
|
||||
with the following parameters:
|
||||
|
||||
::
|
||||
|
||||
* **Client ID**: the same you set in Mattermost configuration
|
||||
* **Client Secret**: the same you set in Mattermost configuration
|
||||
* Add a new scope in "Extra claims"
|
||||
* **Key**: ''gitlab''
|
||||
* **Value**: ''id username name email''
|
||||
* Add the following exported attributes
|
||||
* ''username'': set it to the session attribute containing the user login
|
||||
* ''name'': session attribute containing the user's full name
|
||||
* ''email'': session attribute containing the user's email
|
||||
* ''id'': session attribute containing the user's numeric ID
|
||||
* **Client ID**: the same you set in Mattermost configuration
|
||||
* **Client Secret**: the same you set in Mattermost configuration
|
||||
* Add a new scope in "Extra claims"
|
||||
* **Key**: ``gitlab``
|
||||
* **Value**: ``id username name email``
|
||||
* Add the following exported attributes
|
||||
* ``username``: set it to the session attribute containing the user login
|
||||
* ``name``: session attribute containing the user's full name
|
||||
* ``email``: session attribute containing the user's email
|
||||
* ``id``: session attribute containing the user's numeric ID
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Mattermost absolutely needs to receive a numerical value
|
||||
in the ``id`` claim. If you are using a LDAP server, you could use the
|
||||
|
|
|
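Review bot: the context line above this list still says "new OpenID Connect relaying party"; the OIDC term is Relying Party, so it should read "relying party" (the Wekan page has the same typo in the same sentence). The literal markup change itself is correct, and the `id` bullet is the one readers will get wrong, so keep it last as it is, directly above the numeric-value admonition.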
@ -48,14 +48,14 @@ Then edit MediaWiki local settings
|
|||
|
||||
vi LocalSettings.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php";
|
||||
$wgAuth = new Auth_remoteuser();
|
||||
|
||||
Add then extension configuration, for example:
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
$wgAuthRemoteuserAuthz = true; /* Your own authorization test */
|
||||
$wgAuthRemoteuserName = $_SERVER["HTTP_AUTH_CN"]; /* User's name */
|
||||
|
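Review bot: `php` is the right lexer, but the snippet is for the legacy extension API: `require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php"` plus `$wgAuth = new Auth_remoteuser()` is the pre-1.27 loading style, and `$wgAuth` has been deprecated since MediaWiki 1.27 in favour of AuthManager, which is also why the two `danger` blocks further down talk about patching "the last version" of the extension. State the MediaWiki version this page was written against so readers on a current release know to load the extension with `wfLoadExtension( 'Auth_remoteuser' )` and the settings that version documents.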
@ -87,7 +87,7 @@ Add then extension configuration, for example:
|
|||
$wgHooks['PersonalUrls'][] = 'StripLogin';
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
In last version of Auth_remoteuser and Mediawiki, empty
|
||||
passwords are not authorized, so you may need to patch the extension
|
||||
|
@ -100,7 +100,7 @@ Add then extension configuration, for example:
|
|||
sed -i "s/'wpPassword' => ''/'wpPassword' => 'none'/" extensions/Auth_remoteuser/Auth_remoteuser.body.php
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
In last version of Auth_remoteuser and Mediawiki,
|
||||
auto-provisioning requires REMOTE_USER to match the normalized mediawiki
|
||||
|
@ -121,7 +121,7 @@ Configure MediaWiki virtual host like other
|
|||
:doc:`protected virtual host<../configvhost>`.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If you are protecting MediaWiki with LL::NG as reverse
|
||||
proxy,
|
||||
|
@ -129,7 +129,7 @@ Configure MediaWiki virtual host like other
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName mediawiki.example.com
|
||||
|
@ -142,7 +142,7 @@ Configure MediaWiki virtual host like other
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
|
|
@ -2,7 +2,7 @@ Nginx
|
|||
=====
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Nginx is fully supported by LemonLDAP::NG since version
|
||||
1.9.
|
||||
|
|
|
@ -27,7 +27,7 @@ OBM
|
|||
|
||||
To enable LL::NG authentication plugin, go in ``/etc/obm/obm_conf.inc``:
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
$auth_kind = 'LemonLDAP';
|
||||
|
||||
|
@ -119,7 +119,7 @@ Edit also OBM configuration to enable LL::NG Handler:
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName obm.example.com
|
||||
|
@ -135,7 +135,7 @@ Edit also OBM configuration to enable LL::NG Handler:
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
@ -191,7 +191,7 @@ To add these attributes, go in Manager, ``Variables`` »
|
|||
``Exported Variables``.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If you plan to forward user's password to OBM, then you
|
||||
have to :doc:`keep the password in session<../passwordstore>`.
|
||||
|
@ -199,12 +199,12 @@ To add these attributes, go in Manager, ``Variables`` »
|
|||
You may also create these macros to manage OBM administrator account
|
||||
(``Variables`` » ``Macros``):
|
||||
|
||||
===== ====================================================== =============================== == ==============================
|
||||
===== ============================================================================
|
||||
field value
|
||||
===== ====================================================== =============================== == ==============================
|
||||
uidR ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid
|
||||
mailR %%($uid =~ / admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com" %%
|
||||
===== ====================================================== =============================== == ==============================
|
||||
===== ============================================================================
|
||||
uidR ``($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid``
|
||||
mailR ``($uid =~ /admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com"``
|
||||
===== ============================================================================
|
||||
|
||||
Virtual host
|
||||
^^^^^^^^^^^^
|
||||
|
|
|
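Review bot: the `mailR` macro still carries a mangled regex: `($mail =~ / ([ @]+)/)[0]` cannot be what was meant (a space followed by a capture of spaces and `@`). The `uidR` line's `/^admin0/i` shows the Dokuwiki export turned `^` into a space, so the row should read ``($uid =~ /^admin0/i)[0] ? "" : ($mail =~ /^([^@]+)/)[0] . "\@example.com"``, capturing the local part of the mail address. This hunk dropped the stray space in `/ admin0/i` but did not restore the `^`, so `mailR` now matches `admin0` anywhere in the uid while `uidR` anchors it.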
@ -24,7 +24,7 @@ administrative commands.
|
|||
|
||||
Then run this script:
|
||||
|
||||
.. code:: bash
|
||||
.. code-block:: bash
|
||||
|
||||
$dom = "mycompany.com"
|
||||
$brand = "My Company"
|
||||
|
|
|
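Review bot: the lexer is wrong: `$dom = "mycompany.com"` and `$brand = "My Company"` are PowerShell assignments (the context line calls them administrative commands), so this should be `.. code-block:: powershell`, not `bash`; under the bash lexer `$dom = ...` is highlighted as a broken shell command.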
@ -15,7 +15,7 @@ phpLDAPadmin will be protected by LemonLDAP::NG with specific access
|
|||
rules.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
phpLDAPadmin will have no idea of the user connected to
|
||||
the WebSSO. So a simple user can have admin rights on the LDAP directory
|
||||
|
@ -30,7 +30,7 @@ phpLDAPadmin local configuration
|
|||
Just set the authentication type to ``config`` and indicate DN and
|
||||
password inside the file ``config.php``:
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
$ldapservers->SetValue($i,'server','auth_type','config');
|
||||
$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=com');
|
||||
|
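Review bot: with `auth_type` set to `config` the Manager DN and its password sit in cleartext in `config.php` and every request phpLDAPadmin makes binds as that account, so the `danger` block above is right. This hunk should add that `config.php` must be readable only by the web server user, and that the LL::NG access rules on the virtual host are the only thing standing between any SSO user and full directory admin.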
@ -44,7 +44,7 @@ Configure phpLDAPadmin virtual host like other
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName phpldapadmin.example.com
|
||||
|
@ -57,7 +57,7 @@ Configure phpLDAPadmin virtual host like other
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
|
|
@ -26,7 +26,7 @@ LemonLDAP::NG
|
|||
- in HTTP headers, you need Auth-User ($mail) and Auth-Pw ($_password).
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
To be able to forward password to RoundCube, see
|
||||
:doc:`how to store password in session<../passwordstore>`\
|
||||
|
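Review bot: since this block forwards the user's cleartext password in the `Auth-Pw` header, the `attention` box should also say that the hop from the handler to RoundCube must be TLS or loopback and that RoundCube must not be reachable without the handler; otherwise the header can be both sniffed and forged.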
@ -42,7 +42,7 @@ RoundCube
|
|||
- Patch it to replace ``PHP_AUTH_*`` by ``HTTP_AUTH_*``
|
||||
- enable http_authentication plugin in main.inc.php :
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
$rcmail_config['plugins'] = array('http_authentication');
|
||||
|
||||
|
|
|
@ -46,7 +46,7 @@ Finally, just ensure that at least:
|
|||
match with the correct values. (adapt the domain if necessary)
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
For now, the authentication service parameter has no
|
||||
domain available. You must come back later to fill this parameter. Once
|
||||
|
|
|
@ -39,7 +39,7 @@ First set where certificates are stored:
|
|||
|
||||
vi /etc/simplesamlphp/config.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
'certdir' => '/etc/simplesamlphp/certs/',
|
||||
|
||||
|
@ -57,7 +57,7 @@ Then associate this certificate to the default SP:
|
|||
|
||||
vi /etc/simplesamlphp/authsources.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
'default-sp' => array(
|
||||
'saml:SP',
|
||||
|
@ -108,7 +108,7 @@ internal PHP representation. Copy the ``saml20-idp-remote`` content:
|
|||
|
||||
vi /etc/simplesamlphp/metadata/saml20-idp-remote.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
<?php
|
||||
$metadata['http://auth.example.com/saml/metadata'] = array (
|
||||
|
@ -144,7 +144,7 @@ First, you need to activate IDP feature in simpleSAMLphp:
|
|||
|
||||
vi /etc/simplesamlphp/config.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
'enable.saml20-idp' => true,
|
||||
|
||||
|
@ -154,7 +154,7 @@ And create a default IDP configuration:
|
|||
|
||||
vi /etc/simplesamlphp/metadata/saml20-idp-hosted.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
<?php
|
||||
$metadata['__DYNAMIC:1__'] = array(
|
||||
|
@ -183,7 +183,7 @@ And create a default IDP configuration:
|
|||
?>
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You need to configure your own certificates and
|
||||
authentication scheme
|
||||
|
@ -217,7 +217,7 @@ internal PHP representation. Copy the ``saml20-sp-remote`` content:
|
|||
|
||||
vi /etc/simplesamlphp/metadata/saml20-sp-remote.php
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
<?php
|
||||
$metadata['http://auth.example.com/saml/metadata'] = array (
|
||||
|
|
|
@ -23,7 +23,7 @@ http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth
|
|||
To summarize, to get the user connected trough the ``Auth-User`` HTTP
|
||||
Header, use this Sping Security configuration:
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<bean id="LemonLDAPNGFilter" class=
|
||||
"org.springframework.security.web.authentication.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">
|
||||
|
|
|
@ -22,7 +22,7 @@ HTTP header.
|
|||
|
||||
1. Adapt the app/config/security.yml configuration file as below:
|
||||
|
||||
.. code:: yaml
|
||||
.. code-block:: yaml
|
||||
|
||||
security:
|
||||
|
||||
|
@ -57,7 +57,7 @@ HTTP header.
|
|||
|
||||
Create the file src/AppBundle/Security/User/HeaderUser.php :
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
<?php
|
||||
|
||||
|
@ -128,7 +128,7 @@ Create the file src/AppBundle/Security/User/HeaderUser.php :
|
|||
|
||||
Create the file src/AppBundle/Security/User/HeaderUserProvider.php :
|
||||
|
||||
.. code:: php
|
||||
.. code-block:: php
|
||||
|
||||
<?php
|
||||
|
||||
|
|
|
@ -70,7 +70,7 @@ authentication URL.
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName sympa.example.com
|
||||
|
@ -85,7 +85,7 @@ authentication URL.
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
|
|
|
@ -4,7 +4,7 @@ Apache Tomcat
|
|||
|image0|
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
The Tomcat Valve is only available for tomcat 5.5 or
|
||||
greater.
|
||||
|
@ -22,7 +22,7 @@ authentication to Tomcat.
|
|||
By default, Tomcat provides a file called ``users.xml`` to manage
|
||||
authentication:
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<tomcat-users>
|
||||
|
@ -59,7 +59,7 @@ Configuration
|
|||
Add on your ``server.xml`` file a new valve entry like this (in host
|
||||
section):
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<Valve className="org.lemonLDAPNG.SSOValve" userKey="AUTH-USER" roleKey="AUTH-ROLE" roleSeparator="," allows="127.0.0.1"/>
|
||||
|
||||
|
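Review bot: the `allows="127.0.0.1"` attribute is the whole security of this valve: it is what stops a client from sending `AUTH-USER: admin` itself. The text next to the block should say it must list exactly the address(es) the LL::NG handler or reverse proxy connects from and nothing broader, and that `127.0.0.1` only holds when that proxy runs on the same host as Tomcat.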
@ -100,7 +100,7 @@ Required :
|
|||
Configure your tomcat home in ``build.properties`` files.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Be careful for Windows user, path must contains "/".
|
||||
Example:
|
||||
|
|
|
@ -19,19 +19,17 @@ Configuring Wekan
|
|||
Wekan is mostly configured with environement variables, you need to set
|
||||
theses :
|
||||
|
||||
::
|
||||
|
||||
* **OAUTH2_ENABLED**: ''TRUE''
|
||||
* **OAUTH2_CLIENT_ID**: ''ClientID''
|
||||
* **OAUTH2_SECRET**: ''Secret''
|
||||
* **OAUTH2_SERVER_URL**: ''https://auth.example.com/''
|
||||
* **OAUTH2_AUTH_ENDPOINT**: ''oauth2/authorize''
|
||||
* **OAUTH2_USERINFO_ENDPOINT**: ''oauth2/userinfo''
|
||||
* **OAUTH2_TOKEN_ENDPOINT**: ''oauth2/token''
|
||||
* **OAUTH2_ID_MAP**: ''sub''
|
||||
* **OAUTH2_ENABLED**: ``TRUE``
|
||||
* **OAUTH2_CLIENT_ID**: ``ClientID``
|
||||
* **OAUTH2_SECRET**: ``Secret``
|
||||
* **OAUTH2_SERVER_URL**: ``https://auth.example.com/``
|
||||
* **OAUTH2_AUTH_ENDPOINT**: ``oauth2/authorize``
|
||||
* **OAUTH2_USERINFO_ENDPOINT**: ``oauth2/userinfo``
|
||||
* **OAUTH2_TOKEN_ENDPOINT**: ``oauth2/token``
|
||||
* **OAUTH2_ID_MAP**: ``sub``
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Be careful to the / in server_url and endpoints, the
|
||||
complete URL need to be valid, ie auth.example.com/ for url & oauth2/xxx
|
||||
|
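Review bot: now that the values are literals, tighten the admonition body too: "Be careful to the / in server_url and endpoints" should read "Mind the slashes: ``OAUTH2_SERVER_URL`` must end with `/` and the endpoint values must not start with one, so that they concatenate into a valid URL (`https://auth.example.com/` + `oauth2/authorize`)." A wrong slash only breaks the login, so `warning` is the better level than `danger`.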
@ -47,19 +45,17 @@ a user.
|
|||
Add a :doc:`new OpenID Connect relaying party<..//idpopenidconnect>`
|
||||
with the following parameters:
|
||||
|
||||
::
|
||||
|
||||
* **Client ID**: the same you set in Wekan configuration (same as OAUTH2_CLIENT_ID)
|
||||
* **Client Secret**: the same you set in Wekan configuration (same as OAUTH2_SECRET)
|
||||
* Add the following exported attributes
|
||||
* ''name'': session attribute containing the user's full name
|
||||
* ''email'': session attribute containing the user's email or _singleMail
|
||||
* **Client ID**: the same you set in Wekan configuration (same as OAUTH2_CLIENT_ID)
|
||||
* **Client Secret**: the same you set in Wekan configuration (same as OAUTH2_SECRET)
|
||||
* Add the following exported attributes
|
||||
* ``name``: session attribute containing the user's full name
|
||||
* ``email``: session attribute containing the user's email or _singleMail
|
||||
|
||||
\_singleMail Macro
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
OIDC login fails when an user as a multi-valued email
|
||||
attribute, this need to be fixed on wekan's side, we can bypass that by
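Review bot: "relaying party" in the context line should be "relying party" (the OpenID Connect term), and the `:doc:` target `..//idpopenidconnect` has a doubled slash. The `name` and `email` items under "Add the following exported attributes" must be indented to nest under that bullet, and the `::` before the list has the same literal-block problem as in the previous hunk. In the `danger` block, "when an user as a multi-valued email attribute" should read "when a user has a multi-valued email attribute", and since this describes a Wekan limitation with a documented workaround, `warning` is the appropriate level.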
@ -30,7 +30,7 @@ You will configure Xwiki virtual host like other
|
|||
|
||||
This is an example, with https and speaking to xwiki via AJP.
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName wiki.acme.fr
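Review bot: under Sphinx, `.. code::` and `.. code-block::` are handled by the same highlighting directive, so this hunk is a consistency change only; fine. The sentence above promises an example "with https", but the visible vhost is `<VirtualHost *:80>`; make sure the block continues with the `*:443` host (or a redirect to it), otherwise the example does not show what the text says.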
@ -77,7 +77,7 @@ Zimbra parameters are the following:
|
|||
(by default: ^/zimbrasso$)
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Due to Handler API change in 1.9, you need to set these
|
||||
attributes in ``lemonldap-ng.ini`` and not in Manager, for example:
@ -44,7 +44,7 @@ policy:
|
|||
specified in LemonLDAP::NG to do so.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Note: since AD 2012, each user can have a specific
|
||||
password expiration policy. Then, the "maximum password age" can have
@ -16,7 +16,7 @@ module <http://httpd.apache.org/docs/current/howto/auth.html>`__, for
|
|||
example Kerberos, Radius, OTP, etc.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
To authenticate users using Kerberos, you can now use
|
||||
the new :doc:`Kerberos authentication module<authkerberos>` which allow
@ -91,7 +91,7 @@ block the request.
|
|||
|
||||
In this case, you can add in the Apache authentication module:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
Satisfy any
|
||||
Order allow,deny
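Review bot: `Satisfy any` and `Order allow,deny` are Apache 2.2 access-control directives; on Apache 2.4 they only work with `mod_access_compat` loaded. Since the rest of this documentation targets 2.4 (`Require ip …` appears in the handler examples), the snippet should either state that dependency or be rewritten with the 2.4 equivalents. The text should also spell out that `Satisfy any` lets a request through when either the Apache module or LL::NG accepts it, since that is the behaviour being relied on.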
@ -47,7 +47,7 @@ and choose CAS for authentication.
|
|||
password.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -40,7 +40,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
|
|||
and choose Choice for authentication.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
When ``Choice`` is selected for authentication, values
|
||||
for Users and Password modules are also forced to ``Choice``.
@ -70,7 +70,7 @@ Define here:
|
|||
Handler from application ``test1.example.com``, you can set this
|
||||
condition:
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
$env->{urldc} =~ /test1\.example\.com/
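Review bot: the condition `$env->{urldc} =~ /test1\.example\.com/` is unanchored, so it also matches any URL that merely contains that string (another host with that prefix, or the string in a path or query), which would select the wrong branch. Suggest anchoring on the host part, e.g. `$env->{urldc} =~ m{^https?://test1\.example\.com(?:[:/]|$)}`.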
@ -66,12 +66,12 @@ DB, you can override the "dbiChain" parameter.
|
|||
You can also override a complex key like ldapExportedVars, by setting a
|
||||
JSON value:
|
||||
|
||||
.. code:: javascript
|
||||
.. code-block:: javascript
|
||||
|
||||
{"cn" => "cn", "uid" => "sAMAccounName", "mail" => "mail"}
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If your JSON is corrupted, LLNG will use it as string
|
||||
and just report a warning in logs.
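Review bot: the example `{"cn" => "cn", "uid" => "sAMAccounName", "mail" => "mail"}` is Perl hash syntax, not JSON (`=>` instead of `:`), so by the admonition right below it it would be stored as a string with only a warning logged. Write it as `{"cn": "cn", "uid": "sAMAccountName", "mail": "mail"}`, fixing `sAMAccounName` as well, and tag the block `json` rather than `javascript`.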
@ -104,7 +104,7 @@ Example Explanation
|
|||
======================================= =============================================================================
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Note that "or" can't be used inside a scheme. If you
|
||||
think to "[mySSL or myLDAP, myLDAP]", you must write
@ -118,7 +118,7 @@ Example Explanation
|
|||
================================================== =========================================================
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You can't use brackets in a boolean expression and "and"
|
||||
has precedence on "or".
@ -140,7 +140,7 @@ Example
|
|||
======================================================================================================================= ==============================================================================
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Note that brackets can't be used except to enclose test.
@ -39,7 +39,7 @@ site/htdocs/static/common/modules/icon.png
|
|||
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Be careful. Don' t use an already attributed name in
|
||||
configuration.
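Review bot: "Don' t" in the attention block has a stray space ("Don't"), and "an already attributed name" would be clearer as "a name that is already used in the configuration".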
@ -105,7 +105,7 @@ Authentication level
|
|||
The authentication level given to users authenticated with this module.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
As DBI is a login/password based module, the
|
||||
authentication level can be:
@ -181,7 +181,7 @@ Password
|
|||
non-salted schemes" or "Supported salted schemes".
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
The SQL function MUST have hexadecimal values as input
|
||||
AND output
@ -14,7 +14,7 @@ This mode allow one to test LemonLDAP::NG without any third-party
|
|||
software.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
This mode must not be used for other purpose than test and
|
||||
demonstration!
@ -56,13 +56,13 @@ variables:
|
|||
- sn => last_name
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Do not query user field in exported variables, as it is
|
||||
already registered by the authentication module in ``$_user``.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -41,7 +41,7 @@ Then, go in ``GitHub parameters``:
|
|||
keys
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
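Review bot: this formAction admonition is repeated word for word in the CAS, LinkedIn, OpenID, OpenID Connect, SAML and Twitter pages touched by this patch; moving the text into one file pulled in with `.. include::` would make retags like this one a single edit and keep the copies from drifting.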
@ -36,7 +36,7 @@ and configure the following parameters:
|
|||
value and remove the '@domain'.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
@ -66,7 +66,7 @@ request.
|
|||
|
||||
Example with Apache and mod_auth_kerb:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<If "%{QUERY_STRING} =~ /kerberos=/">
|
||||
<IfModule auth_kerb_module>
@ -49,7 +49,7 @@ Authentication level
|
|||
The authentication level given to users authenticated with this module.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
As LDAP is a login/password based module, the
|
||||
authentication level can be:
@ -97,7 +97,7 @@ Connection
|
|||
documentation).
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
LemonLDAP::NG need anonymous access to LDAP Directory
|
||||
RootDSE in order to check LDAP connection.
@ -167,7 +167,7 @@ Groups
|
|||
and ``%hGroups``, as documented :ref:`here<macros_and_groups>`
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If your LDAP countains over a thousand groups, you
|
||||
should avoid using group processing, check out
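Review bot: "countains" in the attention block should be "contains".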
@ -45,7 +45,7 @@ Then, go in ``LinkedIn parameters``:
|
|||
keys
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -2,7 +2,7 @@ Multiple backends stack
|
|||
=======================
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This module has been removed and replaced by the more
|
||||
powerful :doc:`Combination of auth schemes<authcombination>`.
@ -8,7 +8,7 @@ Authentication Users Password
|
|||
============== ===== ========
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
OpenID protocol is deprecated. You should now use
|
||||
:doc:`OpenID Connect<authopenidconnect>`.
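Review bot: Sphinx has a dedicated `.. deprecated::` directive (it takes the version as argument) that fits "OpenID protocol is deprecated" better than `danger`; if the version is not known, `warning` is the conventional level for a deprecation notice.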
@ -79,7 +79,7 @@ define attributes:
|
|||
See also :doc:`exported variables configuration<exportedvars>`.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -46,7 +46,7 @@ Google France Connect
|
|||
.. |franceconnect| image:: applications/franceconnect_logo.png
|
||||
:target: authopenidconnect_franceconnect.html
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
OpenID-Connect specification isn't finished for logout
|
||||
propagation. So logout initiated by relaying-party will be forward to
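Review bot: "relaying-party" should be "relying party" and "will be forward to" should be "will be forwarded to" in the attention block; since incomplete logout propagation leaves sessions alive on the other side, `warning` is arguably the better level than `attention` here.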
@ -78,7 +78,7 @@ In ``General Parameters`` > ``Authentication modules``, set:
|
|||
:ref:`menu password module<portalmenu-menu-modules>`.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -116,7 +116,7 @@ parameter, for example:
|
|||
- http://auth.example.com/?lmAuth=oidc&openidcallback=1
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If you use the :doc:`choice backend<authchoice>`, you
|
||||
need to add the choice parameter in redirect URL
@ -156,7 +156,7 @@ You can also define:
|
|||
|
||||
Example template:
|
||||
|
||||
.. code:: javascript
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"issuer": "https://auth.example.com/",
@ -237,6 +237,3 @@ Options
|
|||
- **Display name**: Name of the application
|
||||
- **Logo**: Logo of the application
|
||||
- **Order**: Number to sort buttons
|
||||
|
||||
.. |section>openidconnectclaims&noheader| image:: section>openidconnectclaims&noheader
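Review bot: dropping `.. |section>openidconnectclaims&noheader| image:: …` is right, since it is a DokuWiki section include that the converter turned into an image substitution; but it stood for the OpenID Connect claims section, so replace it with a `:ref:` or `.. include::` pointing at that section rather than leaving the Options list without it.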
@ -10,7 +10,7 @@ Presentation
|
|||
authentication platform made by French government.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
It is for the moment only in BETA stage. This
|
||||
documentation will explain how to configure LL::NG with the developer
@ -41,7 +41,7 @@ using `France Connect
|
|||
endpoints <https://doc.integ01.dev-franceconnect.fr/fournisseur-service>`__.
|
||||
For example:
|
||||
|
||||
.. code:: javascript
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"issuer": "https://fcp.integ01.dev-franceconnect.fr",
@ -12,7 +12,7 @@ delegate the authentication of LL::NG to Google:
|
|||
https://developers.google.com/identity/protocols/OpenIDConnect
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Google does not support logout trough OpenID Connect. If
|
||||
you close your session on LL::NG side, your Google session will still be
@ -24,13 +24,13 @@ You have to install the corresponding Perl module.
|
|||
|
||||
For CentOS/RHEL:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
yum install perl-Authen-PAM
|
||||
|
||||
In Debian/Ubuntu, install the library through apt-get command
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
apt-get install libauthen-pam-perl
@ -55,11 +55,11 @@ SOAP compatibility with 1.9 server
|
|||
If you Proxy is a 2.0.x and your server is a 1.9.x, you should add this
|
||||
in your lemonldap-ng.ini:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This needs LLNG version 2.0.8 at least
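Review bot: "If you Proxy is a 2.0.x" should be "If your Proxy is a 2.0.x", and the attention block "This needs LLNG version 2.0.8 at least" sits right under a paragraph about 1.9 servers; say which side (the proxy) must be 2.0.8 so the two version statements do not read as a contradiction.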
@ -27,13 +27,13 @@ You have to install the corresponding Perl module.
|
|||
|
||||
For CentOS/RHEL:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
yum install perl-Authen-Radius
|
||||
|
||||
In Debian/Ubuntu, install the library through apt-get command
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
apt-get install libauthen-radius-perl
@ -8,7 +8,7 @@ Authentication Users Password
|
|||
============== ===== ========
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
This module is a LL::NG specific identity federation
|
||||
protocol. You may rather use standards protocols like
@ -36,7 +36,7 @@ SAML Service
|
|||
See :doc:`SAML service<samlservice>` configuration chapter.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -68,7 +68,7 @@ Example
|
|||
|
||||
- Response for good authentication:
|
||||
|
||||
.. code:: javascript
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"result" : 1,
@ -36,7 +36,7 @@ You have to install mod_ssl for Apache.
|
|||
|
||||
For CentOS/RHEL:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
yum install mod_ssl
@ -58,7 +58,7 @@ Apache SSL global configuration
|
|||
You can then use this default SSL configuration, for example in the head
|
||||
of /etc/lemonldap-ng/portal-apache2.conf:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
SSLProtocol all -SSLv2
|
||||
SSLCipherSuite HIGH:MEDIUM
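Review bot: `SSLProtocol all -SSLv2` and `SSLCipherSuite HIGH:MEDIUM` are dated for something presented as the "default SSL configuration": SSLv3 and TLS 1.0/1.1 stay enabled and `MEDIUM` admits legacy suites. Suggest `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1`, a `HIGH`-only (or explicit) cipher list, and `SSLHonorCipherOrder on`.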
@ -81,7 +81,7 @@ of /etc/lemonldap-ng/portal-apache2.conf:
|
|||
|
||||
If you specify port in virtual host, then declare SSL port:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
NameVirtualHost *:80
|
||||
NameVirtualHost *:443
@ -91,7 +91,7 @@ Apache portal SSL configuration
|
|||
|
||||
Edit the portal virtual host to enable SSL double authentication:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
SSLEngine On
|
||||
SSLVerifyClient optional
@ -118,7 +118,7 @@ With Nginx
|
|||
|
||||
Enable SSL:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
ssl on;
|
||||
ssl_verify_client optional;
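Review bot: `ssl on;` has been deprecated since nginx 1.15.0 in favour of the `ssl` parameter of `listen`; the example should read `listen 443 ssl;` (the uWSGI example below still shows a bare `listen 443;`). Worth fixing here since readers copy these blocks verbatim.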
@ -136,7 +136,7 @@ Enable SSL:
|
|||
|
||||
You must also export SSL_CLIENT_S_DN_CN in FastCGI params:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
# map directive must be set in http context
|
||||
map $ssl_client_s_dn $ssl_client_s_dn_cn {
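Review bot: the `map` derives the CN from `$ssl_client_s_dn` without looking at `$ssl_client_verify`; with `ssl_verify_client optional` nginx rejects requests whose certificate failed verification, but if anyone switches to `optional_no_ca` the CN would be passed through unverified. Also export `$ssl_client_verify` as `SSL_CLIENT_VERIFY` so the handler can require `SUCCESS`, and say so in the text.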
@ -149,7 +149,7 @@ You must also export SSL_CLIENT_S_DN_CN in FastCGI params:
|
|||
Nginx SSL Virtual Host example with uWSGI
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
server {
|
||||
listen 443;
@ -186,7 +186,7 @@ Nginx SSL Virtual Host example with uWSGI
|
|||
}
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Nginx 1.11.6 change: format of the $ssl_client_s_dn and
|
||||
$ssl_client_i_dn variables has been changed to follow RFC 2253 (RFC
@ -228,7 +228,7 @@ limitation.
|
|||
|
||||
1. Modify the portal virtual host to match this example:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
SSLEngine On
|
||||
SSLCACertificateFile /etc/apache2/ssl/ca.crt
@ -275,7 +275,7 @@ limitation.
|
|||
2. Then you need to construct the Ajax page, for example in
|
||||
/index/bouton.html. It looks like this:
|
||||
|
||||
.. code:: html
|
||||
.. code-block:: html
|
||||
|
||||
<body>
|
||||
<script src="./jquery-2.1.4.min.js" type="text/javascript"> </script>
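Review bot: the sample page pins `jquery-2.1.4.min.js`, a 2015 release that is end of life, with security fixes only in later 3.x versions; point the example at a current jQuery since readers copy the file name as-is.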
@ -325,14 +325,14 @@ Nginx server
|
|||
With Nginx, append those server context directives to force SSL
|
||||
connexion reset:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
keepalive_timeout 0 0;
|
||||
add_header 'Connection' 'close';
|
||||
ssl_session_timeout 1s;
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
It is incompatible with authentication combination because
|
||||
of Apache parameter "SSLVerifyClient", which must have the value
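Review bot: `danger` overstates the admonition at the end of this hunk; "incompatible with authentication combination because of SSLVerifyClient" is a compatibility constraint, not a hazard, so `warning` is the right level. Also "connexion reset" in the context line should be "connection reset".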
@ -384,7 +384,7 @@ Then you can chain it in a :doc:`combination<authcombination>`.
|
|||
forceGlobalStorageUpgradeOTT = 1
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
**Content Security Policy** may prevent to
|
||||
submit Ajax Request. To avoid security warning,
@ -36,7 +36,7 @@ and choose Twitter for authentication module.
|
|||
password.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Browser implementations of formAction directive are
|
||||
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -47,7 +47,7 @@ Portal host must be configured to use SSL and must ask for client
|
|||
certificate. It is recommended to use optional_no_ca since WebID doesn't
|
||||
use certificate authorities :
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost _default_:443>
|
||||
ServerName auth.example.com
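Review bot: `SSLVerifyClient optional_no_ca` makes Apache accept any client certificate, so the context sentence should add that the WebID module, not mod_ssl, is then responsible for validating the certificate against the profile and that the DN must not be trusted on its own; also remove the space before the colon in "use certificate authorities :".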
@ -2,7 +2,7 @@ Yubikey
|
|||
=======
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This module has been replaced by
|
||||
:doc:`Yubikey Second Factor<yubikey2f>`\
@ -18,6 +18,6 @@ dwho ''$env->{REMOTE_ADDR} eq '192.168.42.42' ''
|
|||
============== ===========================================
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Username must be defined in users database.
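Review bot: the table row `dwho ''$env->{REMOTE_ADDR} eq '192.168.42.42' ''` in the context still uses DokuWiki `''…''` quoting, which this patch converts elsewhere; it should become ``$env->{REMOTE_ADDR} eq '192.168.42.42'`` as well.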
@ -33,7 +33,7 @@ uncomment the relevant parts of the configuration file.
|
|||
|
||||
- For Nginx:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
set_real_ip_from 127.0.0.1;
|
||||
real_ip_header X-Forwarded-For;
@ -46,7 +46,7 @@ uncomment the relevant parts of the configuration file.
|
|||
|
||||
- For Apache:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
RemoteIPHeader X-Forwarded-For
|
||||
RemoteIPInternalProxy 127.0.0.1
@ -59,7 +59,7 @@ uncomment the relevant parts of the configuration file.
|
|||
enabled in your Apache installation
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Both modules need you to specify the address of your
|
||||
reverse proxy. Using the ``http_real_ip`` or ``mod_remoteip`` module
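Review bot: `danger` is justified here: if `set_real_ip_from` / `RemoteIPInternalProxy` do not name exactly the reverse proxy, any client can forge `X-Forwarded-For` and thus its apparent address, which defeats every `Require ip` and `$env->{REMOTE_ADDR}` rule in this documentation. The block would be stronger if it said that explicitly instead of only "Both modules need you to specify the address of your reverse proxy".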
@ -80,7 +80,7 @@ the PROXY protocol on the reverse proxy side.
|
|||
Then, on the LemonLDAP::NG side, in the NGINX configuration of your
|
||||
Portal/Manager/Handler:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
listen 80 proxy_protocol;
|
||||
# or
@ -37,7 +37,7 @@ SAML Session \_saml_id
|
|||
See Apache::Session::Browseable man page to see how use indexes.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
\ *WHATTOTRACE* must be replaced by the attribute or
|
||||
macro configured in the What To Trace parameter (REMOTE_USER). By
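Review bot: the `\ ` (backslash-space) before `*WHATTOTRACE*` is converter residue and should be removed; the same `\ :doc:` artefact appears in the Nginx danger block ("LL::NG FastCGI server must be enabled") later in this patch.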
@ -94,7 +94,7 @@ Database must be prepared exactly like in
|
|||
except that a field must be added for each data to index.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Data written to UNLOGGED tables is not written to the
|
||||
WAL, which makes them considerably faster than ordinary tables. However,
@ -124,7 +124,7 @@ example:
|
|||
CREATE INDEX h1 ON sessions (_httpSessionType);
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
For Session Explorer and one-off sessions, it is
|
||||
recommended to use BTREE or any index method that indexes partial
@ -30,7 +30,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
|
|||
``Incremental lock times`` and set to ``On``. (DISABLED by default) or
|
||||
in ``lemonldap-ng.ini`` [portal] section:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
bruteForceProtectionIncrementalTempo = 1
@ -40,7 +40,7 @@ time values ('5 15 60 300 600' seconds by default) or max lock time
|
|||
value (900 seconds by default) edit ``lemonldap-ng.ini`` in [portal]
|
||||
section:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
bruteForceProtectionLockTimes = '5 15 60 300 600'
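Review bot: `bruteForceProtectionLockTimes = '5 15 60 300 600'` carries single quotes inside an ini value; confirm the ini parser strips them, otherwise the stored value starts with a quote and the example should be written without them.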
@ -63,7 +63,7 @@ current and last stored failed login (300 seconds by default) or number
|
|||
of allowed failed login attempts (3 by default) edit
|
||||
``lemonldap-ng.ini`` in [portal] section:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
bruteForceProtectionTempo = 30
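Review bot: the prose says the delay between current and last failed login is "300 seconds by default" while the example sets `bruteForceProtectionTempo = 30`; if 30 is meant as a non-default illustration say so, otherwise one of the two numbers is wrong.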
@ -71,7 +71,7 @@ of allowed failed login attempts (3 by default) edit
|
|||
bruteForceProtectionMaxFailed = 3
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Number of failed login attempts stored in history MUST
|
||||
be higher than allowed failed logins for this plugin takes effect.
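Review bot: "for this plugin takes effect" in the attention block should read "for this plugin to take effect"; "Number of failed login attempts stored in history" should also name the actual parameter so readers know which setting must exceed `bruteForceProtectionMaxFailed`.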
@ -14,7 +14,7 @@ Captchas are available on the following forms:
|
|||
- Register form: where user enters information to create a new account
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
We use the Perl module GD::SecurityImage to generate
|
||||
images, you need to install it if you enable Captcha feature.
@ -15,13 +15,13 @@ Go in Manager, ``General Parameters`` » ``Cookies`` »
|
|||
To use this feature only locally, edit ``lemonldap-ng.ini`` in section
|
||||
[all]:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[all]
|
||||
cda = 1
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If your handler is being served by Nginx, you have to
|
||||
uncomment the following lines in your nginx configuration file:
@ -21,7 +21,7 @@ Let's go
|
|||
- Configure your new backend (create SQL database,...)
|
||||
- Launch that:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
convertConfig --current=/etc/lemonldap-ng/lemonldap-ng.ini --new=/new/lemonldap-ng.ini
@ -52,7 +52,7 @@ Just enable it in the manager (section “plugins”).
|
|||
it might be useful to not display empty headers.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Be careful to not display secret attributes.
@ -61,7 +61,7 @@ Just enable it in the manager (section “plugins”).
|
|||
append checkUser specific attributes.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
This plugin displays ALL user session attributes except
|
||||
the hidden ones.
@ -78,7 +78,7 @@ To modify persistent sessions attributes ('_loginHistory \_2fDevices
|
|||
notification\_' by default), edit ``lemonldap-ng.ini`` in [portal]
|
||||
section:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
persistentSessionAttributes = _loginHistory _2fDevices notification_
@ -89,7 +89,7 @@ Usage
|
|||
When enabled, ``/checkuser`` URL path is handled by this plugin.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
With federated authentication, checkUser plugin works
|
||||
only if a session can be found in backend.
@ -5,7 +5,7 @@ This page shows some examples of LL::NG Command Line Interface. See
|
|||
:ref:`how to use the command<configlocation-command-line-interface-cli>`.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
On Debian, the command is located in
|
||||
``/usr/share/lemonldap-ng/bin`` and on CentOS in
@ -19,13 +19,13 @@ This part requires LLNG 2.0.5 at least.
|
|||
|
||||
Save:
|
||||
|
||||
.. code:: sh
|
||||
.. code-block:: sh
|
||||
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli save >config.json
|
||||
|
||||
Restore:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore config.json
|
||||
# Or
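Review bot: the Save block is tagged `sh` while Restore and Rollback use `shell`; Pygments treats both as aliases, but pick one (`shell`, as everywhere else in this patch) for consistency.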
@ -33,7 +33,7 @@ Restore:
|
|||
|
||||
Rollback (restore previous configuration, *since 2.0.8*):
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli rollback
@ -11,7 +11,7 @@ Files
|
|||
-----
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Apache Mod Perl has many issues since 2.4 version with
|
||||
MPM worker and MPM event. No problem for portal and manager since they
@ -24,7 +24,7 @@ in ``/usr/local/lemonldap-ng/etc/``, else they are in
|
|||
|
||||
You have to include them in Apache main configuration, for example:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
include /usr/local/lemonldap-ng/etc/portal-apache2.conf
|
||||
include /usr/local/lemonldap-ng/etc/handler-apache2.conf
@ -8,7 +8,7 @@ LemonLDAP::NG configuration is stored in a backend that allows all
|
|||
modules to access it.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Note that all LL::NG components must have access:
@ -30,7 +30,7 @@ section.
|
|||
|
||||
For example, to configure the ``File`` configuration backend:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[configuration]
|
||||
type=File
@ -53,7 +53,7 @@ By default, Manager is protected to allow only the demonstration user
|
|||
"dwho".
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This user will not be available anymore if you configure
|
||||
a new authentication backend! Remember to change the access rule in
@ -62,7 +62,7 @@ By default, Manager is protected to allow only the demonstration user
|
|||
If you can not access the Manager anymore, you can unprotect it by
|
||||
editing ``lemonldap-ng.ini`` and changing the ``protection`` parameter:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[manager]
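Review bot: the `protection` change this paragraph describes turns off access control on the Manager, which can rewrite the whole configuration; add a sentence that the rule must be restored as soon as access is regained, and that the unprotected window should be kept short and narrow (for example with a `Require ip` on the manager vhost meanwhile).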
@ -105,7 +105,7 @@ When all modifications are done, click on ``Save`` to store
|
|||
configuration.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
LemonLDAP::NG will do some checks on configuration and
|
||||
display errors and warnings if any. Configuration **is not saved** if
@ -142,7 +142,7 @@ See `Manager API
|
|||
documentation <https://lemonldap-ng.org/manager-api/2.0/>`__.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
To access Manager API, enable the ``manager-api``
|
||||
virtual host and change the access rule. You can protect the API through
@ -183,7 +183,7 @@ favorite editor. To change it:
|
|||
|
||||
The configuration is displayed as a big Perl Hash, that you can edit:
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
$VAR1 = {
|
||||
'ldapAuthnLevel' => '2',
@ -286,7 +286,7 @@ Apache
|
|||
------
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
LemonLDAP::NG does not manage Apache
|
||||
configuration
@ -312,7 +312,7 @@ configure some for of authentication on the corresponding URLs in the
|
|||
|
||||
By default, access to those URLs is denied:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
# REST/SOAP functions for sessions management (disabled by default)
|
||||
<Location /index.fcgi/adminSessions>
@ -327,7 +327,7 @@ In order to allow configuration reload from a different server (if your
|
|||
manager is on a different server or if you are using load-balancing),
|
||||
you need to edit the access rule in **handler-apache2.conf**
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<Location /reload>
|
||||
#CHANGE THIS######
@ -347,14 +347,14 @@ handler, you need to add these directives:
|
|||
|
||||
(in a global configuration file)
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
PerlOptions +GlobalRequest
|
||||
PerlModule Lemonldap::NG::Handler::ApacheMP2
|
||||
|
||||
- Catch error pages:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
ErrorDocument 403 http://auth.example.com/lmerror/403
|
||||
ErrorDocument 404 http://auth.example.com/lmerror/404
@ -365,7 +365,7 @@ handler, you need to add these directives:
|
|||
Then, to protect a standard virtual host, the only configuration line to
|
||||
add is:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
@ -376,7 +376,7 @@ Nginx
|
|||
-----
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
LemonLDAP::NG does not manage Nginx configuration
@ -390,7 +390,7 @@ LemonLDAP::NG ships 3 Nginx configuration files:
|
|||
See :doc:`how to deploy them<confignginx>`.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
\ :doc:`LL::NG FastCGI<fastcgiserver>` server must be
|
||||
enabled and started separately.
@ -406,7 +406,7 @@ configure some for of authentication on the corresponding URLs in the
|
|||
|
||||
By default, access to those URLs is denied:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
location ~ ^/index.psgi/adminSessions {
|
||||
fastcgi_pass llng_portal_upstream;
@ -422,7 +422,7 @@ In order to allow configuration reload from a different server (if your
|
|||
manager is on a different server or if you are using load-balancing),
|
||||
you need to edit the access rule in **handler-nginx.conf**
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
location = /reload {
@ -448,7 +448,7 @@ Nginx handler is provided by the
|
|||
|
||||
- Handle errors:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
error_page 403 http://auth.example.com/lmerror/403;
|
||||
error_page 404 http://auth.example.com/lmerror/404;
@ -459,7 +459,7 @@ Nginx handler is provided by the
|
|||
To protect a standard virtual host, you must insert this (or create an
|
||||
included file):
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
# Insert $_user in logs
|
||||
include /etc/lemonldap-ng/nginx-lmlog.conf;
@ -533,7 +533,7 @@ You also have a parameter to adjust the timeout used to request reload
|
|||
URLs, it is be default set to 5 seconds.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If "Compact configuration file" option is enabled, all
|
||||
useless parameters are removed to limit file size. Typically, if SAMLv2
@ -554,13 +554,13 @@ inside a virtual host protected by LemonLDAP::NG Handler (see below
|
|||
examples in Apache->handler or Nginx->Handler).
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You must allow access to declared URLs to your Manager
|
||||
IP.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If reload URL is served in HTTPS, to avoid "Error 500
|
||||
(certificate verify failed)", Go to :
@ -574,7 +574,7 @@ examples in Apache->handler or Nginx->Handler).
|
|||
**SSL_verify_mode => 0**
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If you want to use reload mechanism on a portal only
|
||||
host, you must install a handler in Portal host to be able to refresh
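Review bot: the recommended fix `SSL_verify_mode => 0` for "certificate verify failed" disables certificate verification for reload requests altogether, so a reader following it silently loses TLS authentication of the handlers. The attention block should lead with the correct fix (make the reload URL's CA trusted, e.g. `SSL_ca_file`, which LWP/IO::Socket::SSL accept in the same options) and present `SSL_verify_mode => 0` only as a test-environment shortcut.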
@ -593,7 +593,7 @@ keep only one reload URL (reload.example.com):
|
|||
|
||||
You also need to adjust the protection of the reload vhost, for example:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<Location /reload>
|
||||
Require ip 127 ::1 1.1.1.1 1.1.1.2
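Review bot: `Require ip 127 ::1 1.1.1.1 1.1.1.2` uses real public addresses (1.1.1.0/24 is in production use) as the example manager IPs; a copy-paste would grant reload access to a third party's hosts. Use the RFC 5737 documentation range, e.g. `Require ip 127 ::1 192.0.2.10 192.0.2.11`.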
@ -623,7 +623,7 @@ parameter from the global configuration.
|
|||
|
||||
For example, to override configured skin for portal:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
portalSkin = dark
@ -10,7 +10,7 @@ want to replace LLNG FastCGI server.
|
|||
Complete example
|
||||
----------------
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
#!/usr/bin/perl
@ -15,7 +15,7 @@ activated (see
|
|||
Then you can take any virtual host, and simply add this line to protect
|
||||
it:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
|
||||
|
||||
|
@ -24,7 +24,7 @@ Hosted application
|
|||
|
||||
Example of a protected virtual host for a local application:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName localsite.example.com
|
||||
|
@ -43,7 +43,7 @@ Reverse proxy
|
|||
|
||||
Example of a protected virtual host with LemonLDAP::NG as reverse proxy:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName application.example.com
|
||||
|
@ -63,7 +63,7 @@ Example of a protected virtual host with LemonLDAP::NG as reverse proxy:
|
|||
|
||||
Same with remote server configured with the same host name:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName application.example.com
|
||||
|
@ -102,21 +102,21 @@ Add a floating menu
|
|||
A little floating menu can be added to application with this simple
|
||||
Apache configuration:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
|
||||
PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu->run
|
||||
|
||||
Pages where this menu is displayed can be restricted, for example:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<Location /var/www/html/index.php>
|
||||
PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu->run
|
||||
</Location>
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
You need to disable mod_deflate to use the floating
|
||||
menu
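Review bot: `<Location /var/www/html/index.php>` in the second block can never match, because `<Location>` is compared against the request URI, not a filesystem path; the example should read `<Location /index.php>` (or use a `<Files index.php>` / `<Directory>` section if a filesystem match is intended). The admonition text ending in `menu` also lacks its final period.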
|
||||
|
@ -132,7 +132,7 @@ Then you can take any virtual host and modify it:
|
|||
|
||||
- Declare the /lmauth endpoint
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
location = /lmauth {
|
||||
internal;
|
||||
|
@ -152,7 +152,7 @@ Then you can take any virtual host and modify it:
|
|||
|
||||
- Protect the application (/ or /path/to/protect):
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
location /path/to/protect {
|
||||
auth_request /lmauth;
|
||||
|
@ -163,16 +163,16 @@ Then you can take any virtual host and modify it:
|
|||
error_page 401 $lmlocation;
|
||||
try_files $uri $uri/ =404;
|
||||
|
||||
...
|
||||
# ...
|
||||
}
|
||||
|
||||
- Use LUA or set manually the headers:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
location /path/to/protect {
|
||||
|
||||
...
|
||||
# ...
|
||||
|
||||
# IF LUA IS SUPPORTED
|
||||
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
|
||||
|
@ -201,7 +201,7 @@ Hosted application
|
|||
|
||||
Example of a protected virtual host for a local application:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
# Log format
|
||||
include /path/to/lemonldap-ng/nginx-lmlog.conf;
|
||||
|
@ -261,7 +261,7 @@ Reverse proxy
|
|||
|
||||
\* Example of a protected reverse-proxy:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
# Log format
|
||||
include /path/to/lemonldap-ng/nginx-lmlog.conf;
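Review bot: the context line `\* Example of a protected reverse-proxy:` still carries an escaped asterisk left over from the wiki conversion, which renders as a literal `*`; as this commit is a markup fix, turn it into a proper `-` list item or a plain sentence. The same leftover opens the next hunk (`\* Example of a Nginx Virtual Host using uWSGI ...`).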
|
||||
|
@ -309,7 +309,7 @@ Reverse proxy
|
|||
\* Example of a Nginx Virtual Host using uWSGI with many URIs protected
|
||||
by different types of handler :
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
# Log format
|
||||
include /path/to/lemonldap-ng/nginx-lmlog.conf;
|
||||
|
@ -448,7 +448,7 @@ learn how to configure access control and HTTP headers sent to
|
|||
application by LL::NG.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
With **Nginx**-based ReverseProxy, header directives can
|
||||
be appended by a LUA script.
|
||||
|
@ -459,7 +459,7 @@ application by LL::NG.
|
|||
``/etc/nginx/nginx-lua-headers.conf``
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
\* **Nginx** gets rid of any empty headers. There is no
|
||||
point of passing along empty values to another server; it would only
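Review bot: `danger` is the strongest docutils admonition, and the text it now wraps (`Nginx gets rid of any empty headers. There is no point of passing along empty values to another server ...`) is an informational remark about Nginx behaviour, not something that can break or compromise the deployment; `note` (or keeping `warning`) fits better. The `\*` at the start of the sentence is also a conversion leftover that should be removed.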
|
||||
|
@ -500,7 +500,7 @@ Some options are available:
|
|||
seconds by default. This TTL can be customized for each virtual host.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
A same virtual host can serve many locations. Each
|
||||
location can be protected by a different type of handler :
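Review bot: `A same virtual host can serve many locations. Each location can be protected by a different type of handler :` is explanatory text, so `danger` overstates it and `note` is the right level; while here, `A same virtual host` should read `The same virtual host`, and the space before the colon should be dropped.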
|
||||
|
@ -517,7 +517,7 @@ Some options are available:
|
|||
authentication level is lower than required level.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
A negative or null ServiceToken timeout value will be
|
||||
overloaded by ``handlerServiceTokenTTL`` (30 seconds by default).
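Review bot: `overloaded by ``handlerServiceTokenTTL``` should read `overridden by`; a negative or null timeout is replaced by the global default value, it is not overloaded in the programming sense. Worth fixing while the surrounding markup is being changed.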
|
||||
|
|
|
@ -25,7 +25,7 @@ can be forbidden to assume.
|
|||
request.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
During context switching authentication process, all
|
||||
plugins are disabled. In other words, all entry points like afterData,
|
||||
|
@ -33,7 +33,7 @@ can be forbidden to assume.
|
|||
notifications by example will not be prompted!
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
ContextSwitching plugin works only with a userDB
|
||||
backend. You can not switch context with federated authentication.
|
||||
|
@ -43,7 +43,7 @@ contextSwitchingPrefix is used to store real user's session Id. You can
|
|||
set this prefix ('switching' by default) by editing ``lemonldap-ng.ini``
|
||||
in [portal] section:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
contextSwitchingPrefix = switching
|
||||
|
|
|
@ -31,7 +31,7 @@ as you want, for example ``SSOExtensions.pm``:
|
|||
|
||||
vi /path/to/SSOExtensions.pm
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
package SSOExtensions;
|
||||
|
||||
|
@ -72,7 +72,7 @@ Old method
|
|||
^^^^^^^^^^
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
This method is available but unusable by Portal under
|
||||
Apache. So if your rule may be used by the menu, use the new
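Review bot: `danger` reads too strongly for `This method is available but unusable by Portal under Apache. So if your rule may be used by the menu, use the new ...`, which is a compatibility and deprecation remark rather than a hazard; `warning` or `note` is the appropriate level here.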
|
||||
|
@ -83,7 +83,7 @@ Apache
|
|||
|
||||
Your module has to be loaded by Apache (for example after Handler load):
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
# Perl environment
|
||||
PerlRequire Lemonldap::NG::Handler
|
||||
|
@ -99,7 +99,7 @@ environment variable. Using packages, you just have to modify your
|
|||
``/etc/default/llng-fastcgi-server`` (or
|
||||
``/etc/default/lemonldap-ng-fastcgi-server``) file:
|
||||
|
||||
.. code:: sh
|
||||
.. code-block:: sh
|
||||
|
||||
# Number of process (default: 7)
|
||||
#NPROC = 7
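Review bot: the commented default `#NPROC = 7` is a trap in a `code-block:: sh` snippet: if `/etc/default/llng-fastcgi-server` is sourced by the init script as a shell file, uncommenting `NPROC = 7` with spaces around `=` is not a variable assignment (the shell would try to run a command named `NPROC`). Show the line as `#NPROC=7` so that uncommenting it works as the comment `Number of process (default: 7)` suggests; `process` should also be `processes`.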
|
||||
|
@ -128,7 +128,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
|
|||
SSOExtensions::function1 SSOExtensions::function2
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If your function is not compliant with
|
||||
:doc:`Safe jail<safejail>`, you will need to disable the jail.
|
||||
|
|
|
@ -16,7 +16,7 @@ Add a new handler type
|
|||
|
||||
Wrapper usually look at this:
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
package Lemonldap::NG::Handler::ApacheMP2::MyType;
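Review bot: `Wrapper usually look at this:` (context line) is ungrammatical and should read `A wrapper usually looks like this:`; the identical sentence reappears in the next hunk (`@ -67`). Both are worth fixing alongside the `code-block` change.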
|
||||
|
||||
|
@ -67,7 +67,7 @@ If you want to add another, you must write:
|
|||
|
||||
Wrapper usually look at this:
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
package Lemonldap::NG::Handler::MyPlatform::AuthBasic;
|
||||
|
||||
|
@ -79,7 +79,7 @@ Old fashion Nginx handlers
|
|||
--------------------------
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
There is no need to use this feature now. It is kept for
|
||||
compatibility.
|
||||
|
|
|
@ -21,7 +21,7 @@ DecryptValue plugin can be allowed or denied for specific users.
|
|||
to use internal decrypt function.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Custom functions must be defined into
|
||||
``Lemonldap::NG::Portal::My::Plugin`` and set:
|
||||
|
|
|
@ -6,12 +6,12 @@ itself not from LL:NG configuration. Rules and headers are set in a
|
|||
**rules.json** file stored at the website root directory (ie
|
||||
``http://website/rules.json``). This file looks like:
|
||||
|
||||
.. code:: json
|
||||
.. code-block:: json
|
||||
|
||||
{
|
||||
"rules": {
|
||||
"^/admin": "$uid eq 'admin'",
|
||||
"default": "accept'
|
||||
"default": "accept"
|
||||
},
|
||||
"headers": {
|
||||
"Auth-User": "$uid"
|
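Review bot: the fix of `"default": "accept'` to `"default": "accept"` is correct and necessary, since the mismatched quote made the example invalid JSON. Because the hunk header shows that rules and headers are read from a `rules.json` served by the protected website itself, the page should also state the resulting trust boundary explicitly: whoever can write to the website root controls its own access rules and the headers it receives, so the file must be fetched only from the application server (the `http://127.0.0.1:<server-port>` form in the next hunk), never over an untrusted path. Minor: `ie` should be `i.e.`.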
||||
|
@ -31,7 +31,7 @@ No specific configuration is required except that:
|
|||
``http://127.0.0.1:<server-port>``
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Note that DevOps handler will refuse to compile
|
||||
rules.json if :doc:`Safe Jail<safejail>` isn't enabled.
|
||||
|
|
|
@ -62,7 +62,7 @@ configStorageOptionsor file permissions.
|
|||
→ The cache has been created by another user than Apache's user. Restart
|
||||
Apache to purge it.
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This can append when you use
|
||||
lmConfigEditor or launch **cron files** with a different user than
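Review bot: `This can append when you use lmConfigEditor ...` should read `This can happen when ...`; `append` is a false friend. The hunk header context `configStorageOptionsor file permissions` is also missing the space before `or`.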
|
||||
|
|
|
@ -40,10 +40,57 @@ module.
|
|||
some environment values. Environment variables will not be queried in
|
||||
users database.
|
||||
|
||||
.. _macros_and_groups:
|
||||
|
||||
Extend variables using macros and groups
|
||||
----------------------------------------
|
||||
|
||||
:ref:`macros_and_groups`
|
||||
Macros and groups are calculated during authentication process by the
|
||||
portal:
|
||||
|
||||
- macros are used to extend (or rewrite)
|
||||
:doc:`exported variables<exportedvars>`. A macro is stored as
|
||||
attributes: it can contain boolean results or any string
|
||||
- macros can also be used to import environment variables *(these
|
||||
variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
|
||||
- groups are stored as a string with values separated by ''; ''
|
||||
(default values separator) in the special attribute ``groups``: it
|
||||
contains the names of groups whose rules were returned true for the
|
||||
current user. For example:
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
$groups = group3; admin
|
||||
|
||||
- You can also get groups in ``$hGroups`` which is a Hash Reference of
|
||||
this form:
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
$hGroups = {
|
||||
'group3' => {
|
||||
'description' => [
|
||||
'Service 3',
|
||||
'Service 3 TEST'
|
||||
],
|
||||
'cn' => [
|
||||
'group3'
|
||||
],
|
||||
'name' => 'group3'
|
||||
},
|
||||
'admin' => {
|
||||
'name' => 'admin'
|
||||
}
|
||||
}
|
||||
|
||||
Example for macros:
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
# boolean macro
|
||||
isAdmin -> $uid eq 'foo' or $uid eq 'bar'
|
||||
# other macro
|
||||
displayName -> $givenName." ".$surName
|
||||
|
||||
.. |Exported variables in the Manager| image:: /documentation/manager-exported-variables.png
|
||||
:class: align-center
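Review bot: the added `:ref:`macros_and_groups`` on the line right after the `Extend variables using macros and groups` heading points at the `.. _macros_and_groups:` label defined just above it, so it renders as a link from the section to itself and should be removed (the label alone is what other pages need). Further points in the added lines: `separated by ''; ''` still uses wiki-style two-apostrophe quotes around the separator and should use a reST double-backtick literal; `whose rules were returned true` should read `whose rules returned true`; and `$groups = group3; admin` is not Perl, so either write it as a real assignment (`$groups = 'group3; admin';`) or mark the block `code-block:: text` instead of `perl`.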
|
||||
|
|
|
@ -155,7 +155,7 @@ basic
|
|||
~~~~~
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This function is not compliant with
|
||||
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
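Review bot: `attention` undersells this admonition: `This function is not compliant with Safe jail, you will need to disable the jail to use` it means that using `basic` requires turning off the sandbox in which rules and macros are evaluated, for every rule and not only for this function; that is a security trade-off and should be a `warning` that says so plainly. The same applies to the `unicode2iso` and `iso2unicode` hunks that follow.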
|
||||
|
@ -180,7 +180,7 @@ unicode2iso
|
|||
~~~~~~~~~~~
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This function is not compliant with
|
||||
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
|
||||
|
@ -202,7 +202,7 @@ iso2unicode
|
|||
~~~~~~~~~~~
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This function is not compliant with
|
||||
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
|
||||
|
@ -320,7 +320,7 @@ isInNet6
|
|||
Function to check if an IPv6 address is in a subnet. Example *check if
|
||||
IP address is local*:
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
isInNet6($ipAddr, 'fe80::/10')
|
||||
|
||||
|
@ -332,7 +332,7 @@ Function to check if a variable is in requested URI (Require LL::NG >=
|
|||
|
||||
Example *check if $uid is in /check-auth/ URI*:
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
varIsInUri($ENV{REQUEST_URI}, '/check-auth/', $uid)
|
||||
|
||||
|
@ -342,7 +342,7 @@ Example *check if $uid is in /check-auth/ URI*:
|
|||
|
||||
\* You can set "restricted" flag to match exact URI:
|
||||
|
||||
.. code:: perl
|
||||
.. code-block:: perl
|
||||
|
||||
varIsInUri($ENV{REQUEST_URI}, '/check-auth/', "$uid/", 1)
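Review bot: `\* You can set "restricted" flag to match exact URI:` keeps an escaped asterisk from the wiki conversion and renders as a literal `*`; drop it (or make the sentence a `-` list item) and add the missing articles: `You can set the "restricted" flag to match the exact URI:`.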
|
||||
|
||||
|
|
|
@ -38,7 +38,7 @@ All parameters are configured in "General Parameters » Portal Parameters
|
|||
the choice screen
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
The command line is split in an array and launched with
|
||||
exec(). So you don't need to enclose arguments in quotes to protect your
|
||||
|
|
|
@ -2,6 +2,6 @@ FastCGI support
|
|||
===============
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Since 2.0, all LLNG components run under FastCGI
|
||||
|
|
|
@ -35,7 +35,7 @@ initiated by OpenID-Connect Provider. LLNG will implement it when this
|
|||
standard will be published.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Federation proxy installation can be complex. Don't
|
||||
hesitate to contact us on lemonldap-ng-users@ow2.org
|
||||
|
|
|
@ -21,7 +21,7 @@ Configuration
|
|||
You just have to configure a directory writable by Apache user and set
|
||||
it in [configuration] section in your lemonldap-ng.ini file:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[configuration]
|
||||
type = File
|
||||
|
|
|
@ -28,7 +28,7 @@ Security
|
|||
|
||||
Restrict access to the directories only to the Apache server. Example:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
chmod 750 /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock
|
||||
chown www-data:www-data /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock
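Review bot: with `chown www-data:www-data` the group on the session directories is the same web server account, so `chmod 750` grants nothing beyond `700` here; either state `700` to match the sentence `Restrict access to the directories only to the Apache server`, or explain which other process (for instance a FastCGI server or a cron job running under a different account) is expected to be in that group and needs the group read and search bits.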
|
||||
|
|
|
@ -20,7 +20,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
|
|||
To modify last login interval (5 seconds by default) edit
|
||||
``lemonldap-ng.ini`` in section [portal]:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
portalForceAuthnInterval = 5
|
||||
|
|
|
@ -9,7 +9,7 @@ filling a HTML POST login form and autosubmitting it, without asking
|
|||
anything to the user.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
This kind of SSO mechanism is not clean, and can lead to
|
||||
problems, like local password blocking, local session not well closed,
|
||||
|
|
|
@ -46,7 +46,7 @@ see :doc:`REST sessions backend<restsessionbackend>`, enable local cache
|
|||
to access required locations in Portal Virtual Host.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
With AuthBasic handler, you have to disable CSRF token by
|
||||
setting a special rule based on source IP addresses like this :
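Review bot: `danger` is justified for this admonition, since it tells the reader to disable CSRF token checking; the text should however stress that the source-IP rule must match only the addresses of the hosts running the AuthBasic handler, because every address the rule accepts can authenticate against the portal without the token. Also drop the space before the colon in `like this :`.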
|
||||
|
@ -66,7 +66,7 @@ to access required locations in Portal Virtual Host.
|
|||
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
With HTTPS, you may have to set **LWP::UserAgent
|
||||
object** with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
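Review bot: `attention` is too mild for `you may have to set LWP::UserAgent object with verify_hostname => 0 and SSL_verify_mode => 0`, which disables TLS certificate and hostname verification on the portal's outgoing requests; use `warning`, and state that the right fix is to make the target certificate trusted (a proper CA bundle on the portal host) and that the verify-off options are only acceptable in test setups.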
|
||||
|
|
|
@ -14,7 +14,7 @@ module <http://httpd.apache.org/docs/current/mod/mod_setenvif.html>`__
|
|||
will let you transform the Auth-User HTTP header in ``REMOTE_USER``
|
||||
environment variable:
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
|
||||
|
||||
|
@ -25,7 +25,7 @@ two Apache configuration files:
|
|||
- Apache configuration file on LL::NG reverse proxy (hosting LL::NG
|
||||
Handler):
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName application.example.com
|
||||
|
@ -41,7 +41,7 @@ two Apache configuration files:
|
|||
- Apache configuration file on application server (hosting the
|
||||
application):
|
||||
|
||||
.. code:: apache
|
||||
.. code-block:: apache
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName application.example.com
|
||||
|
@ -73,7 +73,7 @@ Nginx doesn't launch directly PHP pages (or other languages): it dials
|
|||
with FastCGI servers (like php-fpm). As you can see in examples, it's
|
||||
easy to map a LLNG header to a fastcgi param. Example:
|
||||
|
||||
.. code:: nginx
|
||||
.. code-block:: nginx
|
||||
|
||||
auth_request_set $authuser $upstream_http_auth_user;
|
||||
fastcgi_param HTTP_MYVAR $authuser;
|
||||
|
|
|
@ -113,7 +113,7 @@ Options
|
|||
left blank, access will be allowed for everyone.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
If the access control policy is set to ``none``, this
|
||||
rule will be ignored
|
||||
|
|
|
@ -2,7 +2,7 @@ OpenID server
|
|||
=============
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
OpenID protocol is deprecated, you should now use
|
||||
:doc:`OpenID Connect<idpopenidconnect>`\
|
||||
|
@ -120,7 +120,7 @@ Security
|
|||
encryption key.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Note that :doc:`SAML<idpsaml>` protocol is more secured
|
||||
than OpenID, so when your partners are known, prefer
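Review bot: `SAML protocol is more secured than OpenID` should read `the SAML protocol is more secure than OpenID`; worth correcting while this admonition is being edited.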
|
||||
|
|
|
@ -80,7 +80,7 @@ http://auth.example.com/.well-known/openid-configuration
|
|||
|
||||
An example of its content:
|
||||
|
||||
.. code:: javascript
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"end_session_endpoint" : "http://auth.example.com/oauth2/logout",
|
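Review bot: the language after `.. code-block::` should be `json`, not `javascript`; the block is the JSON document served at `/.well-known/openid-configuration` (the context line `"end_session_endpoint" : "http://auth.example.com/oauth2/logout",` shows it), and the `rules.json` hunk earlier in this commit already uses `json` for the same kind of content.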
||||
|
@ -173,7 +173,7 @@ So you can define for example:
|
|||
- email => mail
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
The specific ``sub`` attribute is not defined here, but
|
||||
in User attribute parameter (see below).
|
||||
|
@ -182,7 +182,7 @@ Extra Claims
|
|||
^^^^^^^^^^^^
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
By default, only claims that are part of standard OpenID
|
||||
Connect scopes will be sent to a client. If you want to send a claim
|
||||
|
@ -202,7 +202,7 @@ be able to read the ``rebirth_count`` and ``bloodline`` claims from the
|
|||
Userinfo endpoint.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
Any Claim defined in this section must be mapped to a
|
||||
LemonLDAP::NG session attribute in the **Exported Attributes**
|
||||
|
@ -289,6 +289,3 @@ Display
|
|||
|
||||
- **Display name**: Name of the RP application
|
||||
- **Logo**: Logo of the RP application
|
||||
|
||||
.. |section>openidconnectclaims&noheader| image:: section>openidconnectclaims&noheader
|
||||
|
||||
|
|
|
@ -117,7 +117,7 @@ Authentication response
|
|||
authentication time, to define sessionNotOnOrAfter value in SAML
|
||||
response (``<AuthnStatement>``):
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
|
||||
SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
|
||||
|
@ -127,19 +127,19 @@ Authentication response
|
|||
time, to define notOnOrAfter value in SAML response (``<Condtions>``
|
||||
and ``<SubjectConfirmationData>``):
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
|
||||
Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
|
||||
InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>
|
||||
|
||||
.. code:: xml
|
||||
.. code-block:: xml
|
||||
|
||||
<saml:Conditions NotBefore="2014-07-21T11:46:08Z"
|
||||
NotOnOrAfter="2014-07-21T12:48:08Z">
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
There is a time tolerance of 60 seconds in
|
||||
``<Conditions>``\
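Review bot: the hunk header context `(``<Condtions>``` misspells the element name; it should be `<Conditions>`, as in the `<saml:Conditions ...>` block below. The trailing backslash in `There is a time tolerance of 60 seconds in ``<Conditions>``\` is a leftover escape that should be removed, and the sentence needs a closing period.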
|
||||
|
|
|
@ -7,7 +7,7 @@ choose another profile to appear as. This feature can be especially
|
|||
useful for training/learning or development platforms.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
This plugin should not be used on production instance,
|
||||
prefer :doc:`ContextSwitching plugin<contextswitching>`.
|
||||
|
@ -38,40 +38,38 @@ protected from being impersonated.
|
|||
``su; admins; anonymous``
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
You HAVE TO modify **REMOTE_USER** to log both real AND
|
||||
spoofed uid.
|
||||
|
||||
Set a macro like this :
|
||||
|
||||
'' \_whatToTrace -> $real__user ? "$real__user/$_user" : "$_user/$_user"
|
||||
''
|
||||
``_whatToTrace`` -> ``$real__user ? "$real__user/$_user" : "$_user/$_user"``
|
||||
|
||||
and set ``Genaral Parameters > Logs > REMOTE_USER`` with ''
|
||||
\_whatToTrace ''
|
||||
and set ``General Parameters > Logs > REMOTE_USER`` with ``_whatToTrace``
|
||||
|
||||
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
Both spoofed and real session attributes can be used to
|
||||
set access rules, groups or macros.
|
||||
|
||||
By example : ``$real_uid eq 'dwho``' or ``$real_groups =~ /\bsu\b/``
|
||||
By example : ``$real_uid eq 'dwho'`` or ``$real_groups =~ /\bsu\b/``
|
||||
|
||||
Keep in mind that real session is computed first. Afterward, if access
|
||||
is granted, impersonated session is computed with real and spoofed
|
||||
session attributes if Impersonation is allowed.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
By example, to prevent impersonation as 'dwho' set
|
||||
**Identities use rule** like :
|
||||
|
||||
'' $uid ne 'dwho' ''
|
||||
``$uid ne 'dwho'``
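Review bot: the conversions of the wiki-style `'' ... ''` quotes to reST literals and the `Genaral` and `'dwho``'` fixes are correct. Two wording issues remain in the same lines: `By example :` (used twice) should read `For example:`, and `Set a macro like this :` should drop the space before the colon.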
|
||||
|
||||
|
||||
|
||||
|
@ -79,7 +77,7 @@ impersonationPrefix is used to rename user's real profile attributes.
|
|||
You can set real attributes prefix ('real\_' by default) by editing
|
||||
``lemonldap-ng.ini`` in section [portal]:
|
||||
|
||||
.. code:: ini
|
||||
.. code-block:: ini
|
||||
|
||||
[portal]
|
||||
impersonationPrefix = real_
|
||||
|
|
|
@ -47,7 +47,7 @@ installable:
|
|||
`Here is the list of Debian versions <https://lemonldap-ng.org/documentation/#packaged_versions>`__.
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
LLNG Ubuntu packages are not in the "universe" but in the
|
||||
"multiverse". This means they are not security-maintained. If you use
|
||||
|
@ -114,7 +114,7 @@ Install packages
|
|||
----------------
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
By default packages will require Nginx. If you want to
|
||||
use Apache2, install it first with mod_perl:
|
||||
|
@ -152,7 +152,7 @@ Change default DNS domain
|
|||
By default, DNS domain is ``example.com``. You can change it quick with
|
||||
a sed command. For example, we change it to ``ow2.org``:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ Installation on Red Hat/CentOS
|
|||
==============================
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
LL::NG requires at least Red Hat/CentOS 7
|
||||
|
||||
|
@ -31,7 +31,7 @@ LemonLDAP::NG provides packages for Red Hat/Centos 7:
|
|||
- perl-Lemonldap-NG-Portal: CPAN - Portal modules
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
The package lemonldap-ng-nginx requires the nginx
|
||||
community package. If you use openrestry or Nginx plus, you must ignore
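Review bot: `openrestry` in the context line should read `openresty` (the product is OpenResty), and `Nginx plus` is branded `NGINX Plus`. Also, `danger` is heavy for a packaging-dependency remark about which nginx package is required; `warning` or `note` fits better.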
|
||||
|
@ -90,7 +90,7 @@ Run this to update packages cache:
|
|||
yum update
|
||||
|
||||
|
||||
.. warning::
|
||||
.. danger::
|
||||
|
||||
You must also install the EPEL repository for non-core
|
||||
dependencies. See :ref:`prerequisites and dependencies<prereq-yum>`
|
||||
|
@ -120,7 +120,7 @@ With YUM
|
|||
|
||||
If the packages are stored in a yum repository:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
yum install lemonldap-ng
|
||||
|
||||
|
@ -160,7 +160,7 @@ Change default DNS domain
|
|||
By default, DNS domain is ``example.com``. You can change it quick with
|
||||
a sed command. For example, we change it to ``ow2.org``:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json /etc/nginx/conf.d/* /etc/httpd/conf.d/*
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@ Installation on Suse Linux
|
|||
==========================
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
LL::NG requires at least SLES 12 SP1 or
|
||||
equivalent
|
||||
|
@ -110,11 +110,11 @@ With ZYPPER
|
|||
|
||||
If the packages are stored in a repository:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
zypper install lemonldap-ng
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
59 new packages to install.
|
||||
Total download size: 13.5 MiB. Already cached : 0 B. After operation, 30.7 MiB of supplementary disk space will be used.
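Review bot: the second block changed to `.. code-block:: shell` contains zypper's output (`59 new packages to install. Total download size: ...`), not shell commands, so `shell` highlighting is wrong for it; use `text` (or `console` with the command prefixed by a prompt) so that readers do not take the output for something to type.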
|
||||
|
@ -183,13 +183,13 @@ Change default DNS domain
|
|||
By default, DNS domain is ``example.com``. You can change it quick with
|
||||
a sed command. For example, we change it to ``ow2.org``:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/{*.conf,*.ini,for_etc_hosts} /var/lib/lemonldap-ng/conf/lmConf-1
|
||||
|
||||
Check Apache configuration and restart:
|
||||
|
||||
.. code:: shell
|
||||
.. code-block:: shell
|
||||
|
||||
apachectl configtest
|
||||
apachectl restart
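Review bot: the `sed` target `/var/lib/lemonldap-ng/conf/lmConf-1` has no extension, while the Debian and Red Hat pages in this same commit use `/var/lib/lemonldap-ng/conf/lmConf-1.json`; please check which path the SUSE packages actually ship and make the three pages consistent, otherwise `sed -i` fails on the missing file and the domain is never replaced in the stored configuration.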
|
||||
|
|
|
@ -8,7 +8,7 @@ Get the tarball from :doc:`download page</download>`. You can also find
|
|||
on this page the SVN tarball if you want to test latest features.
|
||||
|
||||
|
||||
.. important::
|
||||
.. attention::
|
||||
|
||||
The content of the SVN tarball is not the same as the
|
||||
official tarball. Please see the next chapter to learn how build an
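Review bot: `to learn how build an` should read `to learn how to build an`; fix it together with the admonition change.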
|
||||
|
|
Some files were not shown because too many files have changed in this diff.