doc: fix markup

This commit is contained in:
Maxime Besson 2020-05-21 15:13:24 +02:00
parent e9d2ec6fec
commit a98e5c05b4
166 changed files with 656 additions and 748 deletions

View File

@ -11,7 +11,7 @@ Identity/Service Provider, compatible with several protocols, including
SAML 2.0.
.. important::
.. attention::
This documentation does not explains how to setup ADFS,
but give only tricks to make it works with LL::NG

View File

@ -47,7 +47,7 @@ the other for the share webapp.
Edit first ``alfresco-global.properties`` and add the following:
.. code:: java
.. code-block:: properties
### SSO ###
authentication.chain=external1:external
@ -62,7 +62,7 @@ the ``<endpoint>``, change ``<connector-id>`` value to
``alfrescoHeader`` and change the ``<userHeader>`` value to
``Auth-User``:
.. code:: xml
.. code-block:: xml
<config evaluator="string-compare" condition="Remote">
<remote>
@ -102,7 +102,7 @@ the ``<endpoint>``, change ``<connector-id>`` value to
You need to restart Tomcat to apply changes.
.. warning::
.. danger::
Now you can log in with a simple HTTP header. You need to
restrict access to Alfresco to LL::NG.
@ -166,7 +166,7 @@ Export the keystore:
Edit then ``share-config-custom.xml``:
.. code:: xml
.. code-block:: xml
...
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">

View File

@ -7,7 +7,7 @@ Presentation
------------
.. important::
.. attention::
For now, this feature is only supported by Apache
handler.

View File

@ -29,7 +29,7 @@ SAML
name so people know which account is which.
.. important::
.. attention::
If you have only one role, the configuration is simple. If you
have multiple roles for different people, it is a little trickier. As

View File

@ -75,16 +75,20 @@ This is the entityID for awx, lets put the fqdn : ``awx.example.com``
SAML Service Provider Public Certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Put the content of ``saml-awx.crt`` : ``-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----``
Put the content of ``saml-awx.crt`` ::
-----BEGIN CERTIFICATE-----
cert
-----END CERTIFICATE-----
SAML Service Provider Private Key
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Put the content of ``saml-awx.key`` : ``-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----``
Put the content of ``saml-awx.key`` ::
-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----
It will be replaced with ``$encrypted$`` after you save the settings.

View File

@ -40,7 +40,7 @@ Configure Bugzilla virtual host like other
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName bugzilla.example.com
@ -53,7 +53,7 @@ Configure Bugzilla virtual host like other
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;

View File

@ -37,7 +37,7 @@ Now we will add CSOD as a new SAML Service Provider:
#. Select ``Metadata``, and unprotect the field to paste the following
value:
.. code:: xml
.. code-block:: xml
<md:EntityDescriptor entityID="mycompanyid.csod.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
@ -56,7 +56,7 @@ Now we will add CSOD as a new SAML Service Provider:
</md:EntityDescriptor>
.. important::
.. attention::
Change **mycompanyid** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your CSOD company ID and put the

View File

@ -14,10 +14,6 @@ readable outside the Wiki and eases the creation of structured texts.
All data is stored in plain text files no database is required.
.. tip::
LemonLDAP::NG wiki uses Dokuwiki!
HTTP headers
------------
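Review bot: This hunk deletes the `.. tip::` block ("LemonLDAP::NG wiki uses Dokuwiki!") instead of reformatting it, which is a content change in a commit titled "doc: fix markup". If the tip is obsolete, say so in the commit message or move the removal to its own commit so it can be found later.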
@ -49,7 +45,7 @@ Configure Dokuwiki virtual host like other
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName dokuwiki.example.com
@ -62,7 +58,7 @@ Configure Dokuwiki virtual host like other
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;
@ -115,7 +111,7 @@ Configure the :ref:`headers<headers>`:
- Auth-Groups: encode_base64($groups,"")
.. important::
.. attention::
To allow execution of encode_base64() method, you must
deactivate the :doc:`Safe jail<../safejail>`.

View File

@ -34,7 +34,7 @@ Configure Drupal virtual host like other
:doc:`protected virtual host<../configvhost>`.
.. important::
.. attention::
If you are protecting Drupal with LL::NG as reverse
proxy,
@ -42,7 +42,7 @@ Configure Drupal virtual host like other
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName drupal.example.com
@ -55,7 +55,7 @@ Configure Drupal virtual host like other
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;
@ -110,7 +110,7 @@ With the above solution, all the Drupal site will be protected, so no
anonymous access will be allowed.
.. important::
.. attention::
You cannot use the ``unprotect`` rule because Drupal
navigation is based on query strings (?q=admin, ?q=user, etc.), and
@ -120,7 +120,7 @@ You can create a special virtual host and use `Apache rewrite
module <http://httpd.apache.org/docs/current/mod/mod_rewrite.html>`__ to
switch between open and protected hosts:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName drupal.example.com

View File

@ -29,7 +29,7 @@ Find the gitlab.rb file and add these settings:
vi /etc/gitlab/gitlab.rb
.. code:: ruby
.. code-block:: ruby
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
@ -64,7 +64,7 @@ Find the gitlab.rb file and add these settings:
You can force SAML by default with this option:
.. code:: ruby
.. code-block:: ruby
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
@ -96,7 +96,7 @@ Register them in LL::NG and send these SAML attributes:
- cn => name
.. important::
.. attention::
The value from LL::NG mail session attribute must be the
email of the user in Gitlab database, in order to associate
@ -108,7 +108,7 @@ Manage groups
You can pass groups to Gitlab. For this, declare groups attribute in
gitlab.rb:
.. code:: ruby
.. code-block:: ruby
...
gitlab_rails['omniauth_providers'] = [
@ -134,7 +134,7 @@ Gitlab configuration
In ``/etc/gitlab/gitlab.rb``
.. code:: ruby
.. code-block:: ruby
...
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
@ -180,7 +180,7 @@ Add an OpenID Connect RP to LemonLDAP::NG
LemonLDAP::NG session is mapped to the ``email`` claim.
.. important::
.. attention::
You need to set a key identifier, or you will get a
*JSON::JWK::Set::KidNotFound* error on Gitlab

View File

@ -26,7 +26,7 @@ http://wiki.glpi-project.org/doku.php?id=en:authautoad
If you use Nginx, you need to add this in configuration:
.. code:: nginx
.. code-block:: nginx
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;

View File

@ -26,7 +26,7 @@ Google Apps control panel
~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
.. attention::
This part is based on `SimpleSAMLPHP
documentation <http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps>`__.
@ -55,7 +55,7 @@ Now configure all SAML parameters:
Example: http://auth.example.com
.. important::
.. attention::
You must check the option
``Use a specific domain transmitter`` to force Google Apps to send the
@ -102,7 +102,7 @@ Now we will add Google Apps as a new SAML Service Provider:
#. Select ``Metadata``, and unprotect the field to paste the following
value:
.. code:: xml
.. code-block:: xml
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
@ -112,7 +112,7 @@ Now we will add Google Apps as a new SAML Service Provider:
</md:EntityDescriptor>
.. important::
.. attention::
Change **mydomain.org** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your Google Apps domain. Also adapt
@ -134,7 +134,7 @@ You need to adapt some parameters:
``On`` to always display it
.. important::
.. attention::
Change **mydomain.org** into your Google Apps
domain
@ -155,7 +155,7 @@ To manage the other way (LL::NG → Google Apps), you can add a dedicated
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
.. important::
.. attention::
Change **mydomain.org** into your Google Apps
domain

View File

@ -43,7 +43,7 @@ Your Guacamole configuration directory will look something like this.
└── guacamole.properties
.. warning::
.. danger::
Make sure to rename the JAR in a way that `ensures that it
will be loaded

View File

@ -23,7 +23,7 @@ authenticated by LemonLDAP::NG will be registered in HumHub upon their
first login.
.. warning::
.. danger::
HumHub retrieves a user from his username and the
authentication service he came through. As a result, a former local or
@ -63,9 +63,7 @@ composer :
composer global require hirak/prestissimo
::
* Go to {humhub_home} folder
- Go to ``{humhub_home}`` folder
- Check if composer.json file is present. If not, download it for your
current version:
@ -87,9 +85,7 @@ composer :
If you just need to update the connector, change its version
in composer.json and run the above composer update command.
::
* Edit {humhub_home}/protected/config/common.php with the client configuration :
- Edit `{humhub_home}/protected/config/common.php` with the client configuration :
::
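Review bot: The added bullet wraps the path in single backticks (`{humhub_home}/protected/config/common.php`), which reStructuredText reads as interpreted text in the default role, not as an inline literal. The neighbouring bullets added in this file use double backticks (``{humhub_home}`` and ``{humhub_home}/protected/config/web.php``). Use double backticks here too so the path renders as a literal like the others.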
@ -109,9 +105,7 @@ composer :
// ...
]
::
* Edit {humhub_home}/protected/config/web.php to disconnect users from LemonLDAP::NG after they logged out of Humhub:
- Edit ``{humhub_home}/protected/config/web.php`` to disconnect users from LemonLDAP::NG after they logged out of Humhub:
::
@ -157,10 +151,8 @@ AuthController.onAuthSuccess method needs to be adapted so redirect to
SSO will be bypassed when a registration error occured. This works for
version 1.3.15 :
::
* Go to {humhub_home} folder
* Execute
- Go to ``{humhub_home}`` folder
- Execute
::
@ -176,15 +168,13 @@ Then, configure LemonLDAP::NG to recognize your HumHub instance as a
valid :doc:`new OpenID Connect Relying Party<..//idpopenidconnect>`
using the following parameters:
::
* **Client ID**: the same you set in HumHub configuration
* **Client Secret**: the same you set in HumHub configuration
* Add the following **exported attributes**
* **given_name**: user's givenName attribute
* **family_name**: user's sn attribute
* **email**: user's mail attribute
* **Redirect URIs** containing your Yii2 auth client ID.
* **Client ID**: the same you set in HumHub configuration
* **Client Secret**: the same you set in HumHub configuration
* Add the following **exported attributes**
* **given_name**: user's givenName attribute
* **family_name**: user's sn attribute
* **email**: user's mail attribute
* **Redirect URIs** containing your Yii2 auth client ID.
Configuration sample using CLI:
@ -212,16 +202,12 @@ to LemonLDAP::NG.
Table "user":
::
* Columns "username" and "email" should match exactly OIDC sub and email attributes ;
* If former ldap user, change column "auth_mode" to "local".
* Columns "username" and "email" should match exactly OIDC sub and email attributes ;
* If former ldap user, change column "auth_mode" to "local".
Table "user_auth":
::
* Add an entry with user_id, username and "lemonldapng" as source (or the name you chose in your connector configuration) :
* Add an entry with user_id, username and "lemonldapng" as source (or the name you chose in your connector configuration) :
::

View File

@ -97,9 +97,7 @@ for Jitsi Meet.
Configure the :ref:`access rules<rules>`.
::
* Don't forget to configure the /logout/ URL
* Don't forget to configure the /logout/ URL
Configure the following :ref:`headers<headers>`.
@ -107,7 +105,7 @@ Configure the following :ref:`headers<headers>`.
- **displayName**: $cn
.. warning::
.. danger::
Jitsi meet expects to find a ``mail`` HTTP header, it
will ignore REMOTE_USER and only use the mail value to identify the

View File

@ -18,7 +18,7 @@ Of course, integration will be full if you use the LDAP directory as
users backend for LL::NG and Liferay.
.. important::
.. attention::
If the user is not created, or can not be created via
LDAP import, the connection to Liferay will be refused. With LDAP,
@ -67,7 +67,7 @@ In ``General``, fill at least the following information:
|image6|
.. important::
.. attention::
You need to activate LDAP authentication, else SSO
authentication will not work. Do this in the control panel or in the
@ -88,7 +88,7 @@ Then use the ``SiteMinder`` tab to configure SSO:
|image7|
.. important::
.. attention::
Do not forget to save your changes!
@ -100,7 +100,7 @@ Configure Liferay virtual host like other
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName liferay.example.com
@ -113,7 +113,7 @@ Configure Liferay virtual host like other
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;

View File

@ -19,7 +19,7 @@ To have a stronger integration, we will configure LimeSurvey to
autocreate unknown users and use HTTP headers to fill name and mail.
.. important::
.. attention::
We suppose that LimeSurvey is installed in
/var/www/html/limesurvey
@ -53,7 +53,7 @@ application/config/config.php: The configuration is done in config.php:
vi /var/www/html/limesurvey/application/config/config.php
.. code:: php
.. code-block:: php
'config'=>array(
// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
@ -110,10 +110,8 @@ Default default Allow only users with a LimeSurvey role
You can set the default access to:
::
* **accept**: all authenticated users will access surveys
* **unprotect**: no authentication will be asked to access surveys
* **accept**: all authenticated users will access surveys
* **unprotect**: no authentication will be asked to access surveys

View File

@ -30,7 +30,7 @@ integrated with LemonLDAP::NG without having to use a
:doc:`Gitlab<gitlab>` server.
.. warning::
.. danger::
The following configuration requires your user database
to expose a unique numeric identifier for every user.
@ -92,21 +92,19 @@ recognize a user.
Add a :doc:`new OpenID Connect relaying party<..//idpopenidconnect>`
with the following parameters:
::
* **Client ID**: the same you set in Mattermost configuration
* **Client Secret**: the same you set in Mattermost configuration
* Add a new scope in "Extra claims"
* **Key**: ''gitlab''
* **Value**: ''id username name email''
* Add the following exported attributes
* ''username'': set it to the session attribute containing the user login
* ''name'': session attribute containing the user's full name
* ''email'': session attribute containing the user's email
* ''id'': session attribute containing the user's numeric ID
* **Client ID**: the same you set in Mattermost configuration
* **Client Secret**: the same you set in Mattermost configuration
* Add a new scope in "Extra claims"
* **Key**: ``gitlab``
* **Value**: ``id username name email``
* Add the following exported attributes
* ``username``: set it to the session attribute containing the user login
* ``name``: session attribute containing the user's full name
* ``email``: session attribute containing the user's email
* ``id``: session attribute containing the user's numeric ID
.. warning::
.. danger::
Mattermost absolutely needs to receive a numerical value
in the ``id`` claim. If you are using a LDAP server, you could use the

View File

@ -48,14 +48,14 @@ Then edit MediaWiki local settings
vi LocalSettings.php
.. code:: php
.. code-block:: php
require_once "$IP/extensions/Auth_remoteuser/Auth_remoteuser.php";
$wgAuth = new Auth_remoteuser();
Add then extension configuration, for example:
.. code:: php
.. code-block:: php
$wgAuthRemoteuserAuthz = true; /* Your own authorization test */
$wgAuthRemoteuserName = $_SERVER["HTTP_AUTH_CN"]; /* User's name */
@ -87,7 +87,7 @@ Add then extension configuration, for example:
$wgHooks['PersonalUrls'][] = 'StripLogin';
.. warning::
.. danger::
In last version of Auth_remoteuser and Mediawiki, empty
passwords are not authorized, so you may need to patch the extension
@ -100,7 +100,7 @@ Add then extension configuration, for example:
sed -i "s/'wpPassword' => ''/'wpPassword' => 'none'/" extensions/Auth_remoteuser/Auth_remoteuser.body.php
.. warning::
.. danger::
In last version of Auth_remoteuser and Mediawiki,
auto-provisioning requires REMOTE_USER to match the normalized mediawiki
@ -121,7 +121,7 @@ Configure MediaWiki virtual host like other
:doc:`protected virtual host<../configvhost>`.
.. important::
.. attention::
If you are protecting MediaWiki with LL::NG as reverse
proxy,
@ -129,7 +129,7 @@ Configure MediaWiki virtual host like other
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName mediawiki.example.com
@ -142,7 +142,7 @@ Configure MediaWiki virtual host like other
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;

View File

@ -2,7 +2,7 @@ Nginx
=====
.. important::
.. attention::
Nginx is fully supported by LemonLDAP::NG since version
1.9.

View File

@ -27,7 +27,7 @@ OBM
To enable LL::NG authentication plugin, go in ``/etc/obm/obm_conf.inc``:
.. code:: php
.. code-block:: php
$auth_kind = 'LemonLDAP';
@ -119,7 +119,7 @@ Edit also OBM configuration to enable LL::NG Handler:
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName obm.example.com
@ -135,7 +135,7 @@ Edit also OBM configuration to enable LL::NG Handler:
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;
@ -191,7 +191,7 @@ To add these attributes, go in Manager, ``Variables`` »
``Exported Variables``.
.. important::
.. attention::
If you plan to forward user's password to OBM, then you
have to :doc:`keep the password in session<../passwordstore>`.
@ -199,12 +199,12 @@ To add these attributes, go in Manager, ``Variables`` »
You may also create these macros to manage OBM administrator account
(``Variables`` » ``Macros``):
===== ====================================================== =============================== == ==============================
===== ============================================================================
field value
===== ====================================================== =============================== == ==============================
uidR ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid
mailR %%($uid =~ / admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com" %%
===== ====================================================== =============================== == ==============================
===== ============================================================================
uidR ``($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid``
mailR ``($uid =~ /admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com"``
===== ============================================================================
Virtual host
^^^^^^^^^^^^

View File

@ -24,7 +24,7 @@ administrative commands.
Then run this script:
.. code:: bash
.. code-block:: bash
$dom = "mycompany.com"
$brand = "My Company"
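Review bot: The block is tagged `bash`, but the lines under it (`$dom = "mycompany.com"`, `$brand = "My Company"`) are PowerShell assignments; in a POSIX shell a leading `$` with spaces around `=` is not an assignment at all. Since the directive line is being changed here, switch the lexer to `powershell` so the highlighting matches and readers are not led to paste the script into the wrong shell.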

View File

@ -15,7 +15,7 @@ phpLDAPadmin will be protected by LemonLDAP::NG with specific access
rules.
.. warning::
.. danger::
phpLDAPadmin will have no idea of the user connected to
the WebSSO. So a simple user can have admin rights on the LDAP directory
@ -30,7 +30,7 @@ phpLDAPadmin local configuration
Just set the authentication type to ``config`` and indicate DN and
password inside the file ``config.php``:
.. code:: php
.. code-block:: php
$ldapservers->SetValue($i,'server','auth_type','config');
$ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=com');
@ -44,7 +44,7 @@ Configure phpLDAPadmin virtual host like other
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName phpldapadmin.example.com
@ -57,7 +57,7 @@ Configure phpLDAPadmin virtual host like other
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;

View File

@ -26,7 +26,7 @@ LemonLDAP::NG
- in HTTP headers, you need Auth-User ($mail) and Auth-Pw ($_password).
.. important::
.. attention::
To be able to forward password to RoundCube, see
:doc:`how to store password in session<../passwordstore>`\
@ -42,7 +42,7 @@ RoundCube
- Patch it to replace ``PHP_AUTH_*`` by ``HTTP_AUTH_*``
- enable http_authentication plugin in main.inc.php :
.. code:: php
.. code-block:: php
$rcmail_config['plugins'] = array('http_authentication');

View File

@ -46,7 +46,7 @@ Finally, just ensure that at least:
match with the correct values. (adapt the domain if necessary)
.. important::
.. attention::
For now, the authentication service parameter has no
domain available. You must come back later to fill this parameter. Once

View File

@ -39,7 +39,7 @@ First set where certificates are stored:
vi /etc/simplesamlphp/config.php
.. code:: php
.. code-block:: php
'certdir' => '/etc/simplesamlphp/certs/',
@ -57,7 +57,7 @@ Then associate this certificate to the default SP:
vi /etc/simplesamlphp/authsources.php
.. code:: php
.. code-block:: php
'default-sp' => array(
'saml:SP',
@ -108,7 +108,7 @@ internal PHP representation. Copy the ``saml20-idp-remote`` content:
vi /etc/simplesamlphp/metadata/saml20-idp-remote.php
.. code:: php
.. code-block:: php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (
@ -144,7 +144,7 @@ First, you need to activate IDP feature in simpleSAMLphp:
vi /etc/simplesamlphp/config.php
.. code:: php
.. code-block:: php
'enable.saml20-idp' => true,
@ -154,7 +154,7 @@ And create a default IDP configuration:
vi /etc/simplesamlphp/metadata/saml20-idp-hosted.php
.. code:: php
.. code-block:: php
<?php
$metadata['__DYNAMIC:1__'] = array(
@ -183,7 +183,7 @@ And create a default IDP configuration:
?>
.. important::
.. attention::
You need to configure your own certificates and
authentication scheme
@ -217,7 +217,7 @@ internal PHP representation. Copy the ``saml20-sp-remote`` content:
vi /etc/simplesamlphp/metadata/saml20-sp-remote.php
.. code:: php
.. code-block:: php
<?php
$metadata['http://auth.example.com/saml/metadata'] = array (

View File

@ -23,7 +23,7 @@ http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth
To summarize, to get the user connected trough the ``Auth-User`` HTTP
Header, use this Sping Security configuration:
.. code:: xml
.. code-block:: xml
<bean id="LemonLDAPNGFilter" class=
"org.springframework.security.web.authentication.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter">

View File

@ -22,7 +22,7 @@ HTTP header.
1. Adapt the app/config/security.yml configuration file as below:
.. code:: yaml
.. code-block:: yaml
security:
@ -57,7 +57,7 @@ HTTP header.
Create the file src/AppBundle/Security/User/HeaderUser.php :
.. code:: php
.. code-block:: php
<?php
@ -128,7 +128,7 @@ Create the file src/AppBundle/Security/User/HeaderUser.php :
Create the file src/AppBundle/Security/User/HeaderUserProvider.php :
.. code:: php
.. code-block:: php
<?php

View File

@ -70,7 +70,7 @@ authentication URL.
- For Apache:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName sympa.example.com
@ -85,7 +85,7 @@ authentication URL.
- For Nginx:
.. code:: nginx
.. code-block:: nginx
server {
listen 80;

View File

@ -4,7 +4,7 @@ Apache Tomcat
|image0|
.. important::
.. attention::
The Tomcat Valve is only available for tomcat 5.5 or
greater.
@ -22,7 +22,7 @@ authentication to Tomcat.
By default, Tomcat provides a file called ``users.xml`` to manage
authentication:
.. code:: xml
.. code-block:: xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
@ -59,7 +59,7 @@ Configuration
Add on your ``server.xml`` file a new valve entry like this (in host
section):
.. code:: xml
.. code-block:: xml
<Valve className="org.lemonLDAPNG.SSOValve" userKey="AUTH-USER" roleKey="AUTH-ROLE" roleSeparator="," allows="127.0.0.1"/>
@ -100,7 +100,7 @@ Required :
Configure your tomcat home in ``build.properties`` files.
.. important::
.. attention::
Be careful for Windows user, path must contains "/".
Example:

View File

@ -19,19 +19,17 @@ Configuring Wekan
Wekan is mostly configured with environement variables, you need to set
theses :
::
* **OAUTH2_ENABLED**: ''TRUE''
* **OAUTH2_CLIENT_ID**: ''ClientID''
* **OAUTH2_SECRET**: ''Secret''
* **OAUTH2_SERVER_URL**: ''https://auth.example.com/''
* **OAUTH2_AUTH_ENDPOINT**: ''oauth2/authorize''
* **OAUTH2_USERINFO_ENDPOINT**: ''oauth2/userinfo''
* **OAUTH2_TOKEN_ENDPOINT**: ''oauth2/token''
* **OAUTH2_ID_MAP**: ''sub''
* **OAUTH2_ENABLED**: ``TRUE``
* **OAUTH2_CLIENT_ID**: ``ClientID``
* **OAUTH2_SECRET**: ``Secret``
* **OAUTH2_SERVER_URL**: ``https://auth.example.com/``
* **OAUTH2_AUTH_ENDPOINT**: ``oauth2/authorize``
* **OAUTH2_USERINFO_ENDPOINT**: ``oauth2/userinfo``
* **OAUTH2_TOKEN_ENDPOINT**: ``oauth2/token``
* **OAUTH2_ID_MAP**: ``sub``
.. warning::
.. danger::
Be careful to the / in server_url and endpoints, the
complete URL need to be valid, ie auth.example.com/ for url & oauth2/xxx
@ -47,19 +45,17 @@ a user.
Add a :doc:`new OpenID Connect relaying party<..//idpopenidconnect>`
with the following parameters:
::
* **Client ID**: the same you set in Wekan configuration (same as OAUTH2_CLIENT_ID)
* **Client Secret**: the same you set in Wekan configuration (same as OAUTH2_SECRET)
* Add the following exported attributes
* ''name'': session attribute containing the user's full name
* ''email'': session attribute containing the user's email or _singleMail
* **Client ID**: the same you set in Wekan configuration (same as OAUTH2_CLIENT_ID)
* **Client Secret**: the same you set in Wekan configuration (same as OAUTH2_SECRET)
* Add the following exported attributes
* ``name``: session attribute containing the user's full name
* ``email``: session attribute containing the user's email or _singleMail
\_singleMail Macro
^^^^^^^^^^^^^^^^^^
.. warning::
.. danger::
OIDC login fails when an user as a multi-valued email
attribute, this need to be fixed on wekan's side, we can bypass that by

View File

@ -30,7 +30,7 @@ You will configure Xwiki virtual host like other
This is an example, with https and speaking to xwiki via AJP.
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName wiki.acme.fr

View File

@ -77,7 +77,7 @@ Zimbra parameters are the following:
(by default: ^/zimbrasso$)
.. important::
.. attention::
Due to Handler API change in 1.9, you need to set these
attributes in ``lemonldap-ng.ini`` and not in Manager, for example:

View File

@ -44,7 +44,7 @@ policy:
specified in LemonLDAP::NG to do so.
.. important::
.. attention::
Note: since AD 2012, each user can have a specific
password expiration policy. Then, the "maximum password age" can have

View File

@ -16,7 +16,7 @@ module <http://httpd.apache.org/docs/current/howto/auth.html>`__, for
example Kerberos, Radius, OTP, etc.
.. important::
.. attention::
To authenticate users using Kerberos, you can now use
the new :doc:`Kerberos authentication module<authkerberos>` which allow
@ -91,7 +91,7 @@ block the request.
In this case, you can add in the Apache authentication module:
.. code:: apache
.. code-block:: apache
Satisfy any
Order allow,deny

View File

@ -47,7 +47,7 @@ and choose CAS for authentication.
password.
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome

View File

@ -40,7 +40,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose Choice for authentication.
.. important::
.. attention::
When ``Choice`` is selected for authentication, values
for Users and Password modules are also forced to ``Choice``.
@ -70,7 +70,7 @@ Define here:
Handler from application ``test1.example.com``, you can set this
condition:
.. code:: perl
.. code-block:: perl
$env->{urldc} =~ /test1\.example\.com/

View File

@ -66,12 +66,12 @@ DB, you can override the "dbiChain" parameter.
You can also override a complex key like ldapExportedVars, by setting a
JSON value:
.. code:: javascript
.. code-block:: javascript
{"cn" => "cn", "uid" => "sAMAccounName", "mail" => "mail"}
.. important::
.. attention::
If your JSON is corrupted, LLNG will use it as string
and just report a warning in logs.
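Review bot: The example under the new `code-block:: javascript` is introduced as a JSON value but separates keys and values with `=>`, which is Perl hash syntax and not valid JSON. According to the admonition right below it, a value that does not parse is used as a string with only a warning in the logs, so a reader who copies this line gets an override that silently does not apply. Change the separators to `:` and consider `json` as the lexer; `sAMAccounName` also looks like a typo for `sAMAccountName`.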
@ -104,7 +104,7 @@ Example Explanation
======================================= =============================================================================
.. important::
.. attention::
Note that "or" can't be used inside a scheme. If you
think to "[mySSL or myLDAP, myLDAP]", you must write
@ -118,7 +118,7 @@ Example Explanation
================================================== =========================================================
.. important::
.. attention::
You can't use brackets in a boolean expression and "and"
has precedence on "or".
@ -140,7 +140,7 @@ Example
======================================================================================================================= ==============================================================================
.. important::
.. attention::
Note that brackets can't be used except to enclose test.

View File

@ -39,7 +39,7 @@ site/htdocs/static/common/modules/icon.png
.. important::
.. attention::
Be careful. Don' t use an already attributed name in
configuration.

View File

@ -105,7 +105,7 @@ Authentication level
The authentication level given to users authenticated with this module.
.. important::
.. attention::
As DBI is a login/password based module, the
authentication level can be:
@ -181,7 +181,7 @@ Password
non-salted schemes" or "Supported salted schemes".
.. important::
.. attention::
The SQL function MUST have hexadecimal values as input
AND output

View File

@ -14,7 +14,7 @@ This mode allow one to test LemonLDAP::NG without any third-party
software.
.. warning::
.. danger::
This mode must not be used for other purpose than test and
demonstration!

View File

@ -56,13 +56,13 @@ variables:
- sn => last_name
.. important::
.. attention::
Do not query user field in exported variables, as it is
already registered by the authentication module in ``$_user``.
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome

View File

@ -41,7 +41,7 @@ Then, go in ``GitHub parameters``:
keys
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome

View File

@ -36,7 +36,7 @@ and configure the following parameters:
value and remove the '@domain'.
.. important::
.. attention::
@ -66,7 +66,7 @@ request.
Example with Apache and mod_auth_kerb:
.. code:: apache
.. code-block:: apache
<If "%{QUERY_STRING} =~ /kerberos=/">
<IfModule auth_kerb_module>

View File

@ -49,7 +49,7 @@ Authentication level
The authentication level given to users authenticated with this module.
.. important::
.. attention::
As LDAP is a login/password based module, the
authentication level can be:
@ -97,7 +97,7 @@ Connection
documentation).
.. important::
.. attention::
LemonLDAP::NG need anonymous access to LDAP Directory
RootDSE in order to check LDAP connection.
@ -167,7 +167,7 @@ Groups
and ``%hGroups``, as documented :ref:`here<macros_and_groups>`
.. important::
.. attention::
If your LDAP countains over a thousand groups, you
should avoid using group processing, check out

View File

@ -45,7 +45,7 @@ Then, go in ``LinkedIn parameters``:
keys
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome

View File

@ -2,7 +2,7 @@ Multiple backends stack
=======================
.. important::
.. attention::
This module has been removed and replaced by the more
powerful :doc:`Combination of auth schemes<authcombination>`.

View File

@ -8,7 +8,7 @@ Authentication Users Password
============== ===== ========
.. warning::
.. danger::
OpenID protocol is deprecated. You should now use
:doc:`OpenID Connect<authopenidconnect>`.
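Review bot: `.. danger::` on the admonition that reads "OpenID protocol is deprecated" overstates what is a deprecation notice, and if every former `warning` becomes `danger` the reader can no longer tell the notes that guard against an exposure from the informational ones. Suggest keeping `.. warning::` here, or using Sphinx's `.. deprecated::` directive with the version in which the module was deprecated, and reserving `danger` for notes about access restrictions.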
@ -79,7 +79,7 @@ define attributes:
See also :doc:`exported variables configuration<exportedvars>`.
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome

View File

@ -46,7 +46,7 @@ Google France Connect
.. |franceconnect| image:: applications/franceconnect_logo.png
:target: authopenidconnect_franceconnect.html
.. important::
.. attention::
OpenID-Connect specification isn't finished for logout
propagation. So logout initiated by relaying-party will be forward to
@ -78,7 +78,7 @@ In ``General Parameters`` > ``Authentication modules``, set:
:ref:`menu password module<portalmenu-menu-modules>`.
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
@ -116,7 +116,7 @@ parameter, for example:
- http://auth.example.com/?lmAuth=oidc&openidcallback=1
.. important::
.. attention::
If you use the :doc:`choice backend<authchoice>`, you
need to add the choice parameter in redirect URL
@ -156,7 +156,7 @@ You can also define:
Example template:
.. code:: javascript
.. code-block:: javascript
{
"issuer": "https://auth.example.com/",
@ -237,6 +237,3 @@ Options
- **Display name**: Name of the application
- **Logo**: Logo of the application
- **Order**: Number to sort buttons
.. |section>openidconnectclaims&noheader| image:: section>openidconnectclaims&noheader
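Review bot: dropping the `|section>openidconnectclaims&noheader|` substitution definition at the end of the Options section is only safe if no reference to that substitution remains in the body of this file; a leftover reference makes docutils report an undefined substitution. Grep the file for the name before merging. If the original wiki include was meant to pull in the claims section, replace it with a `:doc:` or `:ref:` link instead of removing it without a trace.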

View File

@ -10,7 +10,7 @@ Presentation
authentication platform made by French government.
.. important::
.. attention::
It is for the moment only in BETA stage. This
documentation will explain how to configure LL::NG with the developer
@ -41,7 +41,7 @@ using `France Connect
endpoints <https://doc.integ01.dev-franceconnect.fr/fournisseur-service>`__.
For example:
.. code:: javascript
.. code-block:: javascript
{
"issuer": "https://fcp.integ01.dev-franceconnect.fr",

View File

@ -12,7 +12,7 @@ delegate the authentication of LL::NG to Google:
https://developers.google.com/identity/protocols/OpenIDConnect
.. important::
.. attention::
Google does not support logout trough OpenID Connect. If
you close your session on LL::NG side, your Google session will still be

View File

@ -24,13 +24,13 @@ You have to install the corresponding Perl module.
For CentOS/RHEL:
.. code:: shell
.. code-block:: shell
yum install perl-Authen-PAM
In Debian/Ubuntu, install the library through apt-get command
.. code:: shell
.. code-block:: shell
apt-get install libauthen-pam-perl

View File

@ -55,11 +55,11 @@ SOAP compatibility with 1.9 server
If you Proxy is a 2.0.x and your server is a 1.9.x, you should add this
in your lemonldap-ng.ini:
.. code:: ini
.. code-block:: ini
soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
.. important::
.. attention::
This needs LLNG version 2.0.8 at least

View File

@ -27,13 +27,13 @@ You have to install the corresponding Perl module.
For CentOS/RHEL:
.. code:: shell
.. code-block:: shell
yum install perl-Authen-Radius
In Debian/Ubuntu, install the library through apt-get command
.. code:: shell
.. code-block:: shell
apt-get install libauthen-radius-perl

View File

@ -8,7 +8,7 @@ Authentication Users Password
============== ===== ========
.. warning::
.. danger::
This module is a LL::NG specific identity federation
protocol. You may rather use standards protocols like

View File

@ -36,7 +36,7 @@ SAML Service
See :doc:`SAML service<samlservice>` configuration chapter.
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome

View File

@ -68,7 +68,7 @@ Example
- Response for good authentication:
.. code:: javascript
.. code-block:: javascript
{
"result" : 1,

View File

@ -36,7 +36,7 @@ You have to install mod_ssl for Apache.
For CentOS/RHEL:
.. code:: shell
.. code-block:: shell
yum install mod_ssl
@ -58,7 +58,7 @@ Apache SSL global configuration
You can then use this default SSL configuration, for example in the head
of /etc/lemonldap-ng/portal-apache2.conf:
.. code:: apache
.. code-block:: apache
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM
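Review bot: the example under "Apache SSL global configuration" still recommends `SSLProtocol all -SSLv2` with `SSLCipherSuite HIGH:MEDIUM`, which leaves SSLv3 and the early TLS versions enabled and admits medium-strength ciphers on the virtual host that performs client-certificate authentication. The directive rename is fine, but because readers copy this block into `portal-apache2.conf` as written, a follow-up should tighten it, for instance `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and a cipher list without `MEDIUM`.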
@ -81,7 +81,7 @@ of /etc/lemonldap-ng/portal-apache2.conf:
If you specify port in virtual host, then declare SSL port:
.. code:: apache
.. code-block:: apache
NameVirtualHost *:80
NameVirtualHost *:443
@ -91,7 +91,7 @@ Apache portal SSL configuration
Edit the portal virtual host to enable SSL double authentication:
.. code:: apache
.. code-block:: apache
SSLEngine On
SSLVerifyClient optional
@ -118,7 +118,7 @@ With Nginx
Enable SSL:
.. code:: nginx
.. code-block:: nginx
ssl on;
ssl_verify_client optional;
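Review bot: `ssl on;` at the top of this Nginx block is the obsolete form. The directive was deprecated in nginx 1.15.0 in favour of the `ssl` parameter of `listen`, and later releases no longer accept it. While the block is being touched, suggest showing `listen 443 ssl;` in the server block and dropping `ssl on;`, so that the `ssl_verify_client optional;` example still loads on a current nginx.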
@ -136,7 +136,7 @@ Enable SSL:
You must also export SSL_CLIENT_S_DN_CN in FastCGI params:
.. code:: nginx
.. code-block:: nginx
# map directive must be set in http context
map $ssl_client_s_dn $ssl_client_s_dn_cn {
@ -149,7 +149,7 @@ You must also export SSL_CLIENT_S_DN_CN in FastCGI params:
Nginx SSL Virtual Host example with uWSGI
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code:: nginx
.. code-block:: nginx
server {
listen 443;
@ -186,7 +186,7 @@ Nginx SSL Virtual Host example with uWSGI
}
.. important::
.. attention::
Nginx 1.11.6 change: format of the $ssl_client_s_dn and
$ssl_client_i_dn variables has been changed to follow RFC 2253 (RFC
@ -228,7 +228,7 @@ limitation.
1. Modify the portal virtual host to match this example:
.. code:: apache
.. code-block:: apache
SSLEngine On
SSLCACertificateFile /etc/apache2/ssl/ca.crt
@ -275,7 +275,7 @@ limitation.
2. Then you need to construct the Ajax page, for example in
/index/bouton.html. It looks like this:
.. code:: html
.. code-block:: html
<body>
<script src="./jquery-2.1.4.min.js" type="text/javascript"> </script>
@ -325,14 +325,14 @@ Nginx server
With Nginx, append those server context directives to force SSL
connexion reset:
.. code:: nginx
.. code-block:: nginx
keepalive_timeout 0 0;
add_header 'Connection' 'close';
ssl_session_timeout 1s;
.. warning::
.. danger::
It is incompatible with authentication combination because
of Apache parameter "SSLVerifyClient", which must have the value
@ -384,7 +384,7 @@ Then you can chain it in a :doc:`combination<authcombination>`.
forceGlobalStorageUpgradeOTT = 1
.. important::
.. attention::
**Content Security Policy** may prevent to
submit Ajax Request. To avoid security warning,

View File

@ -36,7 +36,7 @@ and choose Twitter for authentication module.
password.
.. important::
.. attention::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome

View File

@ -47,7 +47,7 @@ Portal host must be configured to use SSL and must ask for client
certificate. It is recommended to use optional_no_ca since WebID doesn't
use certificate authorities :
.. code:: apache
.. code-block:: apache
<VirtualHost _default_:443>
ServerName auth.example.com

View File

@ -2,7 +2,7 @@ Yubikey
=======
.. important::
.. attention::
This module has been replaced by
:doc:`Yubikey Second Factor<yubikey2f>`\
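Review bot: the context line with the `:doc:` link to `yubikey2f` still ends in a stray backslash, a converter escape that this markup pass leaves in place. In reST a backslash before the line break is an escaped whitespace, so whatever follows is joined to the link text with no space. Drop the trailing `\` unless the joining is intended.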

View File

@ -18,6 +18,6 @@ dwho ''$env->{REMOTE_ADDR} eq '192.168.42.42' ''
============== ===========================================
.. important::
.. attention::
Username must be defined in users database.

View File

@ -33,7 +33,7 @@ uncomment the relevant parts of the configuration file.
- For Nginx:
.. code:: nginx
.. code-block:: nginx
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
@ -46,7 +46,7 @@ uncomment the relevant parts of the configuration file.
- For Apache:
.. code:: apache
.. code-block:: apache
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
@ -59,7 +59,7 @@ uncomment the relevant parts of the configuration file.
enabled in your Apache installation
.. warning::
.. danger::
Both modules need you to specify the address of your
reverse proxy. Using the ``http_real_ip`` or ``mod_remoteip`` module
@ -80,7 +80,7 @@ the PROXY protocol on the reverse proxy side.
Then, on the LemonLDAP::NG side, in the NGINX configuration of your
Portal/Manager/Handler:
.. code:: nginx
.. code-block:: nginx
listen 80 proxy_protocol;
# or

View File

@ -37,7 +37,7 @@ SAML Session \_saml_id
See Apache::Session::Browseable man page to see how use indexes.
.. important::
.. attention::
\ *WHATTOTRACE* must be replaced by the attribute or
macro configured in the What To Trace parameter (REMOTE_USER). By
@ -94,7 +94,7 @@ Database must be prepared exactly like in
except that a field must be added for each data to index.
.. important::
.. attention::
Data written to UNLOGGED tables is not written to the
WAL, which makes them considerably faster than ordinary tables. However,
@ -124,7 +124,7 @@ example:
CREATE INDEX h1 ON sessions (_httpSessionType);
.. important::
.. attention::
For Session Explorer and one-off sessions, it is
recommended to use BTREE or any index method that indexes partial

View File

@ -30,7 +30,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
``Incremental lock times`` and set to ``On``. (DISABLED by default) or
in ``lemonldap-ng.ini`` [portal] section:
.. code:: ini
.. code-block:: ini
[portal]
bruteForceProtectionIncrementalTempo = 1
@ -40,7 +40,7 @@ time values ('5 15 60 300 600' seconds by default) or max lock time
value (900 seconds by default) edit ``lemonldap-ng.ini`` in [portal]
section:
.. code:: ini
.. code-block:: ini
[portal]
bruteForceProtectionLockTimes = '5 15 60 300 600'
@ -63,7 +63,7 @@ current and last stored failed login (300 seconds by default) or number
of allowed failed login attempts (3 by default) edit
``lemonldap-ng.ini`` in [portal] section:
.. code:: ini
.. code-block:: ini
[portal]
bruteForceProtectionTempo = 30
@ -71,7 +71,7 @@ of allowed failed login attempts (3 by default) edit
bruteForceProtectionMaxFailed = 3
.. important::
.. attention::
Number of failed login attempts stored in history MUST
be higher than allowed failed logins for this plugin takes effect.

View File

@ -14,7 +14,7 @@ Captchas are available on the following forms:
- Register form: where user enters information to create a new account
.. important::
.. attention::
We use the Perl module GD::SecurityImage to generate
images, you need to install it if you enable Captcha feature.

View File

@ -15,13 +15,13 @@ Go in Manager, ``General Parameters`` » ``Cookies`` »
To use this feature only locally, edit ``lemonldap-ng.ini`` in section
[all]:
.. code:: ini
.. code-block:: ini
[all]
cda = 1
.. important::
.. attention::
If your handler is being served by Nginx, you have to
uncomment the following lines in your nginx configuration file:

View File

@ -21,7 +21,7 @@ Let's go
- Configure your new backend (create SQL database,...)
- Launch that:
.. code:: shell
.. code-block:: shell
convertConfig --current=/etc/lemonldap-ng/lemonldap-ng.ini --new=/new/lemonldap-ng.ini

View File

@ -52,7 +52,7 @@ Just enable it in the manager (section “plugins”).
it might be useful to not display empty headers.
.. important::
.. attention::
Be careful to not display secret attributes.
@ -61,7 +61,7 @@ Just enable it in the manager (section “plugins”).
append checkUser specific attributes.
.. warning::
.. danger::
This plugin displays ALL user session attributes except
the hidden ones.
@ -78,7 +78,7 @@ To modify persistent sessions attributes ('_loginHistory \_2fDevices
notification\_' by default), edit ``lemonldap-ng.ini`` in [portal]
section:
.. code:: ini
.. code-block:: ini
[portal]
persistentSessionAttributes = _loginHistory _2fDevices notification_
@ -89,7 +89,7 @@ Usage
When enabled, ``/checkuser`` URL path is handled by this plugin.
.. important::
.. attention::
With federated authentication, checkUser plugin works
only if a session can be found in backend.

View File

@ -5,7 +5,7 @@ This page shows some examples of LL::NG Command Line Interface. See
:ref:`how to use the command<configlocation-command-line-interface-cli>`.
.. important::
.. attention::
On Debian, the command is located in
``/usr/share/lemonldap-ng/bin`` and on CentOS in
@ -19,13 +19,13 @@ This part requires LLNG 2.0.5 at least.
Save:
.. code:: sh
.. code-block:: sh
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli save >config.json
Restore:
.. code:: shell
.. code-block:: shell
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore config.json
# Or
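Review bot: the Save block is tagged `sh` while the Restore block in the same hunk is tagged `shell`. Both names resolve to the same Pygments lexer, so the rendering does not change, but using one name throughout the file means a later search-and-replace over the directives catches every block.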
@ -33,7 +33,7 @@ Restore:
Rollback (restore previous configuration, *since 2.0.8*):
.. code:: shell
.. code-block:: shell
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli rollback

View File

@ -11,7 +11,7 @@ Files
-----
.. important::
.. attention::
Apache Mod Perl has many issues since 2.4 version with
MPM worker and MPM event. No problem for portal and manager since they
@ -24,7 +24,7 @@ in ``/usr/local/lemonldap-ng/etc/``, else they are in
You have to include them in Apache main configuration, for example:
.. code:: apache
.. code-block:: apache
include /usr/local/lemonldap-ng/etc/portal-apache2.conf
include /usr/local/lemonldap-ng/etc/handler-apache2.conf

View File

@ -8,7 +8,7 @@ LemonLDAP::NG configuration is stored in a backend that allows all
modules to access it.
.. important::
.. attention::
Note that all LL::NG components must have access:
@ -30,7 +30,7 @@ section.
For example, to configure the ``File`` configuration backend:
.. code:: ini
.. code-block:: ini
[configuration]
type=File
@ -53,7 +53,7 @@ By default, Manager is protected to allow only the demonstration user
"dwho".
.. important::
.. attention::
This user will not be available anymore if you configure
a new authentication backend! Remember to change the access rule in
@ -62,7 +62,7 @@ By default, Manager is protected to allow only the demonstration user
If you can not access the Manager anymore, you can unprotect it by
editing ``lemonldap-ng.ini`` and changing the ``protection`` parameter:
.. code:: ini
.. code-block:: ini
[manager]
@ -105,7 +105,7 @@ When all modifications are done, click on ``Save`` to store
configuration.
.. warning::
.. danger::
LemonLDAP::NG will do some checks on configuration and
display errors and warnings if any. Configuration **is not saved** if
@ -142,7 +142,7 @@ See `Manager API
documentation <https://lemonldap-ng.org/manager-api/2.0/>`__.
.. important::
.. attention::
To access Manager API, enable the ``manager-api``
virtual host and change the access rule. You can protect the API through
@ -183,7 +183,7 @@ favorite editor. To change it:
The configuration is displayed as a big Perl Hash, that you can edit:
.. code:: perl
.. code-block:: perl
$VAR1 = {
'ldapAuthnLevel' => '2',
@ -286,7 +286,7 @@ Apache
------
.. important::
.. attention::
LemonLDAP::NG does not manage Apache
configuration
@ -312,7 +312,7 @@ configure some for of authentication on the corresponding URLs in the
By default, access to those URLs is denied:
.. code:: apache
.. code-block:: apache
# REST/SOAP functions for sessions management (disabled by default)
<Location /index.fcgi/adminSessions>
@ -327,7 +327,7 @@ In order to allow configuration reload from a different server (if your
manager is on a different server or if you are using load-balancing),
you need to edit the access rule in **handler-apache2.conf**
.. code:: apache
.. code-block:: apache
<Location /reload>
#CHANGE THIS######
@ -347,14 +347,14 @@ handler, you need to add these directives:
(in a global configuration file)
.. code:: apache
.. code-block:: apache
PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::ApacheMP2
- Catch error pages:
.. code:: apache
.. code-block:: apache
ErrorDocument 403 http://auth.example.com/lmerror/403
ErrorDocument 404 http://auth.example.com/lmerror/404
@ -365,7 +365,7 @@ handler, you need to add these directives:
Then, to protect a standard virtual host, the only configuration line to
add is:
.. code:: apache
.. code-block:: apache
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
@ -376,7 +376,7 @@ Nginx
-----
.. important::
.. attention::
LemonLDAP::NG does not manage Nginx configuration
@ -390,7 +390,7 @@ LemonLDAP::NG ships 3 Nginx configuration files:
See :doc:`how to deploy them<confignginx>`.
.. warning::
.. danger::
\ :doc:`LL::NG FastCGI<fastcgiserver>` server must be
enabled and started separately.
@ -406,7 +406,7 @@ configure some for of authentication on the corresponding URLs in the
By default, access to those URLs is denied:
.. code:: nginx
.. code-block:: nginx
location ~ ^/index.psgi/adminSessions {
fastcgi_pass llng_portal_upstream;
@ -422,7 +422,7 @@ In order to allow configuration reload from a different server (if your
manager is on a different server or if you are using load-balancing),
you need to edit the access rule in **handler-nginx.conf**
.. code:: nginx
.. code-block:: nginx
location = /reload {
@ -448,7 +448,7 @@ Nginx handler is provided by the
- Handle errors:
.. code:: nginx
.. code-block:: nginx
error_page 403 http://auth.example.com/lmerror/403;
error_page 404 http://auth.example.com/lmerror/404;
@ -459,7 +459,7 @@ Nginx handler is provided by the
To protect a standard virtual host, you must insert this (or create an
included file):
.. code:: nginx
.. code-block:: nginx
# Insert $_user in logs
include /etc/lemonldap-ng/nginx-lmlog.conf;
@ -533,7 +533,7 @@ You also have a parameter to adjust the timeout used to request reload
URLs, it is be default set to 5 seconds.
.. important::
.. attention::
If "Compact configuration file" option is enabled, all
useless parameters are removed to limit file size. Typically, if SAMLv2
@ -554,13 +554,13 @@ inside a virtual host protected by LemonLDAP::NG Handler (see below
examples in Apache->handler or Nginx->Handler).
.. important::
.. attention::
You must allow access to declared URLs to your Manager
IP.
.. important::
.. attention::
If reload URL is served in HTTPS, to avoid "Error 500
(certificate verify failed)", Go to :
@ -574,7 +574,7 @@ examples in Apache->handler or Nginx->Handler).
**SSL_verify_mode => 0**
.. important::
.. attention::
If you want to use reload mechanism on a portal only
host, you must install a handler in Portal host to be able to refresh
@ -593,7 +593,7 @@ keep only one reload URL (reload.example.com):
You also need to adjust the protection of the reload vhost, for example:
.. code:: apache
.. code-block:: apache
<Location /reload>
Require ip 127 ::1 1.1.1.1 1.1.1.2
@ -623,7 +623,7 @@ parameter from the global configuration.
For example, to override configured skin for portal:
.. code:: ini
.. code-block:: ini
[portal]
portalSkin = dark

View File

@ -10,7 +10,7 @@ want to replace LLNG FastCGI server.
Complete example
----------------
.. code:: perl
.. code-block:: perl
#!/usr/bin/perl

View File

@ -15,7 +15,7 @@ activated (see
Then you can take any virtual host, and simply add this line to protect
it:
.. code:: apache
.. code-block:: apache
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
@ -24,7 +24,7 @@ Hosted application
Example of a protected virtual host for a local application:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName localsite.example.com
@ -43,7 +43,7 @@ Reverse proxy
Example of a protected virtual host with LemonLDAP::NG as reverse proxy:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName application.example.com
@ -63,7 +63,7 @@ Example of a protected virtual host with LemonLDAP::NG as reverse proxy:
Same with remote server configured with the same host name:
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName application.example.com
@ -102,21 +102,21 @@ Add a floating menu
A little floating menu can be added to application with this simple
Apache configuration:
.. code:: apache
.. code-block:: apache
PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu->run
Pages where this menu is displayed can be restricted, for example:
.. code:: apache
.. code-block:: apache
<Location /var/www/html/index.php>
PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu->run
</Location>
.. important::
.. attention::
You need to disable mod_deflate to use the floating
menu
@ -132,7 +132,7 @@ Then you can take any virtual host and modify it:
- Declare the /lmauth endpoint
.. code:: nginx
.. code-block:: nginx
location = /lmauth {
internal;
@ -152,7 +152,7 @@ Then you can take any virtual host and modify it:
- Protect the application (/ or /path/to/protect):
.. code:: nginx
.. code-block:: nginx
location /path/to/protect {
auth_request /lmauth;
@ -163,16 +163,16 @@ Then you can take any virtual host and modify it:
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
# ...
}
- Use LUA or set manually the headers:
.. code:: nginx
.. code-block:: nginx
location /path/to/protect {
...
# ...
# IF LUA IS SUPPORTED
#include /etc/lemonldap-ng/nginx-lua-headers.conf;
@ -201,7 +201,7 @@ Hosted application
Example of a protected virtual host for a local application:
.. code:: nginx
.. code-block:: nginx
# Log format
include /path/to/lemonldap-ng/nginx-lmlog.conf;
@ -261,7 +261,7 @@ Reverse proxy
\* Example of a protected reverse-proxy:
.. code:: nginx
.. code-block:: nginx
# Log format
include /path/to/lemonldap-ng/nginx-lmlog.conf;
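Review bot: the context line `\* Example of a protected reverse-proxy:` keeps an escaped asterisk, so it renders as a literal `*` in front of the sentence rather than as a list item. Since this commit is about markup, either turn it into a real bullet (`- Example of a protected reverse-proxy:` with the `code-block` indented under it) or remove the `\*` and leave it as a plain paragraph.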
@ -309,7 +309,7 @@ Reverse proxy
\* Example of a Nginx Virtual Host using uWSGI with many URIs protected
by different types of handler :
.. code:: nginx
.. code-block:: nginx
# Log format
include /path/to/lemonldap-ng/nginx-lmlog.conf;
@ -448,7 +448,7 @@ learn how to configure access control and HTTP headers sent to
application by LL::NG.
.. important::
.. attention::
With **Nginx**-based ReverseProxy, header directives can
be appended by a LUA script.
@ -459,7 +459,7 @@ application by LL::NG.
``/etc/nginx/nginx-lua-headers.conf``
.. warning::
.. danger::
\* **Nginx** gets rid of any empty headers. There is no
point of passing along empty values to another server; it would only
@ -500,7 +500,7 @@ Some options are available:
seconds by default. This TTL can be customized for each virtual host.
.. warning::
.. danger::
A same virtual host can serve many locations. Each
location can be protected by a different type of handler :
@ -517,7 +517,7 @@ Some options are available:
authentication level is lower than required level.
.. important::
.. attention::
A negative or null ServiceToken timeout value will be
overloaded by ``handlerServiceTokenTTL`` (30 seconds by default).

View File

@ -25,7 +25,7 @@ can be forbidden to assume.
request.
.. warning::
.. danger::
During context switching authentication process, all
plugins are disabled. In other words, all entry points like afterData,
@ -33,7 +33,7 @@ can be forbidden to assume.
notifications by example will not be prompted!
.. important::
.. attention::
ContextSwitching plugin works only with a userDB
backend. You can not switch context with federated authentication.
@ -43,7 +43,7 @@ contextSwitchingPrefix is used to store real user's session Id. You can
set this prefix ('switching' by default) by editing ``lemonldap-ng.ini``
in [portal] section:
.. code:: ini
.. code-block:: ini
[portal]
contextSwitchingPrefix = switching

View File

@ -31,7 +31,7 @@ as you want, for example ``SSOExtensions.pm``:
vi /path/to/SSOExtensions.pm
.. code:: perl
.. code-block:: perl
package SSOExtensions;
@ -72,7 +72,7 @@ Old method
^^^^^^^^^^
.. warning::
.. danger::
This method is available but unusable by Portal under
Apache. So if your rule may be used by the menu, use the new
@ -83,7 +83,7 @@ Apache
Your module has to be loaded by Apache (for example after Handler load):
.. code:: apache
.. code-block:: apache
# Perl environment
PerlRequire Lemonldap::NG::Handler
@ -99,7 +99,7 @@ environment variable. Using packages, you just have to modify your
``/etc/default/llng-fastcgi-server`` (or
``/etc/default/lemonldap-ng-fastcgi-server``) file:
.. code:: sh
.. code-block:: sh
# Number of process (default: 7)
#NPROC = 7
@ -128,7 +128,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
SSOExtensions::function1 SSOExtensions::function2
.. important::
.. attention::
If your function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail.

View File

@ -16,7 +16,7 @@ Add a new handler type
Wrapper usually look at this:
.. code:: perl
.. code-block:: perl
package Lemonldap::NG::Handler::ApacheMP2::MyType;
@ -67,7 +67,7 @@ If you want to add another, you must write:
Wrapper usually look at this:
.. code:: perl
.. code-block:: perl
package Lemonldap::NG::Handler::MyPlatform::AuthBasic;
@ -79,7 +79,7 @@ Old fashion Nginx handlers
--------------------------
.. important::
.. attention::
There is no need to use this feature now. It is kept for
compatibility.

View File

@ -21,7 +21,7 @@ DecryptValue plugin can be allowed or denied for specific users.
to use internal decrypt function.
.. warning::
.. danger::
Custom functions must be defined into
``Lemonldap::NG::Portal::My::Plugin`` and set:

View File

@ -6,12 +6,12 @@ itself not from LL:NG configuration. Rules and headers are set in a
**rules.json** file stored at the website root directory (ie
``http://website/rules.json``). This file looks like:
.. code:: json
.. code-block:: json
{
"rules": {
"^/admin": "$uid eq 'admin'",
"default": "accept'
"default": "accept"
},
"headers": {
"Auth-User": "$uid"
@ -31,7 +31,7 @@ No specific configuration is required except that:
``http://127.0.0.1:<server-port>``
.. important::
.. attention::
Note that DevOps handler will refuse to compile
rules.json if :doc:`Safe Jail<safejail>` isn't enabled.

View File

@ -62,7 +62,7 @@ configStorageOptionsor file permissions.
→ The cache has been created by another user than Apache's user. Restart
Apache to purge it.
.. important::
.. attention::
This can append when you use
lmConfigEditor or launch **cron files** with a different user than

View File

@ -40,10 +40,57 @@ module.
some environment values. Environment variables will not be queried in
users database.
.. _macros_and_groups:
Extend variables using macros and groups
----------------------------------------
:ref:`macros_and_groups`
Macros and groups are calculated during authentication process by the
portal:
- macros are used to extend (or rewrite)
:doc:`exported variables<exportedvars>`. A macro is stored as
attributes: it can contain boolean results or any string
- macros can also be used to import environment variables *(these
variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
- groups are stored as a string with values separated by ''; ''
(default values separator) in the special attribute ``groups``: it
contains the names of groups whose rules were returned true for the
current user. For example:
.. code-block:: perl
$groups = group3; admin
- You can also get groups in ``$hGroups`` which is a Hash Reference of
this form:
.. code-block:: perl
$hGroups = {
'group3' => {
'description' => [
'Service 3',
'Service 3 TEST'
],
'cn' => [
'group3'
],
'name' => 'group3'
},
'admin' => {
'name' => 'admin'
}
}
Example for macros:
.. code-block:: perl
# boolean macro
isAdmin -> $uid eq 'foo' or $uid eq 'bar'
# other macro
displayName -> $givenName." ".$surName
.. |Exported variables in the Manager| image:: /documentation/manager-exported-variables.png
:class: align-center
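Review bot: the `:ref:` to `macros_and_groups` placed directly under the new "Extend variables using macros and groups" heading points at the label defined two lines above it, so it renders as a link from the section to itself. It looks like a leftover of the include this text replaces and can be deleted. Two smaller points in the same added text: the snippets `$groups = group3; admin` and `isAdmin -> $uid eq 'foo' or $uid eq 'bar'` are tagged `perl` but are not Perl statements, so `text` would be the honest lexer for them (the `$hGroups` hash can stay `perl`); and "separated by ''; ''" carries doubled single quotes from the wiki syntax where an inline literal for the separator was probably intended.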

View File

@ -155,7 +155,7 @@ basic
~~~~~
.. important::
.. attention::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
@ -180,7 +180,7 @@ unicode2iso
~~~~~~~~~~~
.. important::
.. attention::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
@ -202,7 +202,7 @@ iso2unicode
~~~~~~~~~~~
.. important::
.. attention::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
@ -320,7 +320,7 @@ isInNet6
Function to check if an IPv6 address is in a subnet. Example *check if
IP address is local*:
.. code:: perl
.. code-block:: perl
isInNet6($ipAddr, 'fe80::/10')
@ -332,7 +332,7 @@ Function to check if a variable is in requested URI (Require LL::NG >=
Example *check if $uid is in /check-auth/ URI*:
.. code:: perl
.. code-block:: perl
varIsInUri($ENV{REQUEST_URI}, '/check-auth/', $uid)
@ -342,7 +342,7 @@ Example *check if $uid is in /check-auth/ URI*:
\* You can set "restricted" flag to match exact URI:
.. code:: perl
.. code-block:: perl
varIsInUri($ENV{REQUEST_URI}, '/check-auth/', "$uid/", 1)

View File

@ -38,7 +38,7 @@ All parameters are configured in "General Parameters » Portal Parameters
the choice screen
.. important::
.. attention::
The command line is split in an array and launched with
exec(). So you don't need to enclose arguments in quotes to protect your

View File

@ -2,6 +2,6 @@ FastCGI support
===============
.. important::
.. attention::
Since 2.0, all LLNG components run under FastCGI

View File

@ -35,7 +35,7 @@ initiated by OpenID-Connect Provider. LLNG will implement it when this
standard will be published.
.. important::
.. attention::
Federation proxy installation can be complex. Don't
hesitate to contact us on lemonldap-ng-users@ow2.org

View File

@ -21,7 +21,7 @@ Configuration
You just have to configure a directory writable by Apache user and set
it in [configuration] section in your lemonldap-ng.ini file:
.. code:: ini
.. code-block:: ini
[configuration]
type = File

View File

@ -28,7 +28,7 @@ Security
Restrict access to the directories only to the Apache server. Example:
.. code:: shell
.. code-block:: shell
chmod 750 /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock
chown www-data:www-data /var/lib/lemonldap-ng/sessions /var/lib/lemonldap-ng/sessions/lock

View File

@ -20,7 +20,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
To modify last login interval (5 seconds by default) edit
``lemonldap-ng.ini`` in section [portal]:
.. code:: ini
.. code-block:: ini
[portal]
portalForceAuthnInterval = 5

View File

@ -9,7 +9,7 @@ filling a HTML POST login form and autosubmitting it, without asking
anything to the user.
.. warning::
.. danger::
This kind of SSO mechanism is not clean, and can lead to
problems, like local password blocking, local session not well closed,

View File

@ -46,7 +46,7 @@ see :doc:`REST sessions backend<restsessionbackend>`, enable local cache
to access required locations in Portal Virtual Host.
.. warning::
.. danger::
With AuthBasic handler, you have to disable CSRF token by
setting a special rule based on source IP addresses like this :
@ -66,7 +66,7 @@ to access required locations in Portal Virtual Host.
.. important::
.. attention::
With HTTPS, you may have to set **LWP::UserAgent
object** with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
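Review bot: this admonition tells the reader to set `verify_hostname => 0` and `SSL_verify_mode => 0` on the LWP::UserAgent object without saying that both settings turn off certificate validation for the HTTPS requests made with it, which removes the protection HTTPS was supposed to add on that hop. Now that the note is being retouched, suggest documenting the preferred fix first (make the issuing CA trusted, for example through the `SSL_ca_file` option) and presenting the two `0` values only as a fallback for test setups with self-signed certificates.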

View File

@ -14,7 +14,7 @@ module <http://httpd.apache.org/docs/current/mod/mod_setenvif.html>`__
will let you transform the Auth-User HTTP header in ``REMOTE_USER``
environment variable:
.. code:: apache
.. code-block:: apache
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
@ -25,7 +25,7 @@ two Apache configuration files:
- Apache configuration file on LL::NG reverse proxy (hosting LL::NG
Handler):
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName application.example.com
@ -41,7 +41,7 @@ two Apache configuration files:
- Apache configuration file on application server (hosting the
application):
.. code:: apache
.. code-block:: apache
<VirtualHost *:80>
ServerName application.example.com
@ -73,7 +73,7 @@ Nginx doesn't launch directly PHP pages (or other languages): it dials
with FastCGI servers (like php-fpm). As you can see in examples, it's
easy to map a LLNG header to a fastcgi param. Example:
.. code:: nginx
.. code-block:: nginx
auth_request_set $authuser $upstream_http_auth_user;
fastcgi_param HTTP_MYVAR $authuser;

View File

@ -113,7 +113,7 @@ Options
left blank, access will be allowed for everyone.
.. important::
.. attention::
If the access control policy is set to ``none``, this
rule will be ignored

View File

@ -2,7 +2,7 @@ OpenID server
=============
.. warning::
.. danger::
OpenID protocol is deprecated, you should now use
:doc:`OpenID Connect<idpopenidconnect>`\
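Review bot: The ``:doc:`` role on the last line of this hunk still ends in a stray backslash, which looks like converter residue that a markup-fix commit should clean up; keep it only if the following line really has to join without a space. A deprecation notice also reads better as ``warning`` than as ``danger``.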
@ -120,7 +120,7 @@ Security
encryption key.
.. important::
.. attention::
Note that :doc:`SAML<idpsaml>` protocol is more secured
than OpenID, so when your partners are known, prefer

View File

@ -80,7 +80,7 @@ http://auth.example.com/.well-known/openid-configuration
An example of its content:
.. code:: javascript
.. code-block:: javascript
{
"end_session_endpoint" : "http://auth.example.com/oauth2/logout",
@ -173,7 +173,7 @@ So you can define for example:
- email => mail
.. important::
.. attention::
The specific ``sub`` attribute is not defined here, but
in User attribute parameter (see below).
@ -182,7 +182,7 @@ Extra Claims
^^^^^^^^^^^^
.. important::
.. attention::
By default, only claims that are part of standard OpenID
Connect scopes will be sent to a client. If you want to send a claim
@ -202,7 +202,7 @@ be able to read the ``rebirth_count`` and ``bloodline`` claims from the
Userinfo endpoint.
.. warning::
.. danger::
Any Claim defined in this section must be mapped to a
LemonLDAP::NG session attribute in the **Exported Attributes**
@ -289,6 +289,3 @@ Display
- **Display name**: Name of the RP application
- **Logo**: Logo of the RP application
.. |section>openidconnectclaims&noheader| image:: section>openidconnectclaims&noheader
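Review bot: Removing the ``|section>openidconnectclaims&noheader|`` image substitution at the end of the file is right, but please confirm that no reference to that substitution name remains in the body of this page, since a leftover reference turns into an undefined-substitution error at build time.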

View File

@ -117,7 +117,7 @@ Authentication response
authentication time, to define sessionNotOnOrAfter value in SAML
response (``<AuthnStatement>``):
.. code:: xml
.. code-block:: xml
<saml:AuthnStatement AuthnInstant="2014-07-21T11:47:08Z"
SessionIndex="loVvqZX+Vja2dtgt/N+AymTmckGyITyVt+UJ6vUFSFkE78S8zg+aomXX7oZ9qX1UxOEHf6Q4DUstewSJh1uK1Q=="
@ -127,19 +127,19 @@ Authentication response
time, to define notOnOrAfter value in SAML response (``<Condtions>``
and ``<SubjectConfirmationData>``):
.. code:: xml
.. code-block:: xml
<saml:SubjectConfirmationData NotOnOrAfter="2014-07-21T12:47:08Z"
Recipient="http://simplesamlphp.example.com/simplesamlphp/module.php/saml/sp/saml2-acs.php/default-sp"
InResponseTo="_3cfa896ab05730ac81f413e1e13cc42aa529eceea1"/>
.. code:: xml
.. code-block:: xml
<saml:Conditions NotBefore="2014-07-21T11:46:08Z"
NotOnOrAfter="2014-07-21T12:48:08Z">
.. important::
.. attention::
There is a time tolerance of 60 seconds in
``<Conditions>``\
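Review bot: The context line above the two XML blocks still spells the element ``<Condtions>``; since this hunk already touches the paragraph, correct it to ``<Conditions>`` so it matches the element in the example and in the admonition below it. The admonition's ``<Conditions>`` line also ends in a stray backslash that can probably go.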

View File

@ -7,7 +7,7 @@ choose another profile to appear as. This feature can be especially
useful for training/learning or development platforms.
.. important::
.. attention::
This plugin should not be used on production instance,
prefer :doc:`ContextSwitching plugin<contextswitching>`.
@ -38,40 +38,38 @@ protected from being impersonated.
``su; admins; anonymous``
.. warning::
.. danger::
You HAVE TO modify **REMOTE_USER** to log both real AND
spoofed uid.
Set a macro like this :
'' \_whatToTrace -> $real__user ? "$real__user/$_user" : "$_user/$_user"
''
``_whatToTrace`` -> ``$real__user ? "$real__user/$_user" : "$_user/$_user"``
and set ``Genaral Parameters > Logs > REMOTE_USER`` with ''
\_whatToTrace ''
and set ``General Parameters > Logs > REMOTE_USER`` with ``_whatToTrace``
.. important::
.. attention::
Both spoofed and real session attributes can be used to
set access rules, groups or macros.
By example : ``$real_uid eq 'dwho``' or ``$real_groups =~ /\bsu\b/``
By example : ``$real_uid eq 'dwho'`` or ``$real_groups =~ /\bsu\b/``
Keep in mind that real session is computed first. Afterward, if access
is granted, impersonated session is computed with real and spoofed
session attributes if Impersonation is allowed.
.. important::
.. attention::
By example, to prevent impersonation as 'dwho' set
**Identities use rule** like :
'' $uid ne 'dwho' ''
``$uid ne 'dwho'``
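Review bot: The macro and rule examples in this hunk hard-code the ``real_`` prefix (``$real__user``, ``$real_uid``, ``$real_groups``), while the next hunk documents ``impersonationPrefix`` as configurable. Add a sentence saying these names must use the configured prefix, otherwise a site that changes it will log an empty real user in ``_whatToTrace``. The two "By example" openers could become "For example" in the same pass.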
@ -79,7 +77,7 @@ impersonationPrefix is used to rename user's real profile attributes.
You can set real attributes prefix ('real\_' by default) by editing
``lemonldap-ng.ini`` in section [portal]:
.. code:: ini
.. code-block:: ini
[portal]
impersonationPrefix = real_

View File

@ -47,7 +47,7 @@ installable:
`Here is the list of Debian versions <https://lemonldap-ng.org/documentation/#packaged_versions>`__.
.. warning::
.. danger::
LLNG Ubuntu packages are not in the "universe" but in the
"multiverse". This means they are not security-maintained. If you use
@ -114,7 +114,7 @@ Install packages
----------------
.. important::
.. attention::
By default packages will require Nginx. If you want to
use Apache2, install it first with mod_perl:
@ -152,7 +152,7 @@ Change default DNS domain
By default, DNS domain is ``example.com``. You can change it quick with
a sed command. For example, we change it to ``ow2.org``:
.. code:: shell
.. code-block:: shell
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json

View File

@ -2,7 +2,7 @@ Installation on Red Hat/CentOS
==============================
.. important::
.. attention::
LL::NG requires at least Red Hat/CentOS 7
@ -31,7 +31,7 @@ LemonLDAP::NG provides packages for Red Hat/Centos 7:
- perl-Lemonldap-NG-Portal: CPAN - Portal modules
.. warning::
.. danger::
The package lemonldap-ng-nginx requires the nginx
community package. If you use openrestry or Nginx plus, you must ignore
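Review bot: The admonition text in this hunk still reads "openrestry"; fix the spelling to OpenResty while the block is being touched, and capitalise "Nginx Plus" for consistency.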
@ -90,7 +90,7 @@ Run this to update packages cache:
yum update
.. warning::
.. danger::
You must also install the EPEL repository for non-core
dependencies. See :ref:`prerequisites and dependencies<prereq-yum>`
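Review bot: Mapping this block to ``danger`` overstates it: the text is a prerequisite ("You must also install the EPEL repository"), not a security or data-loss hazard. Use ``attention`` or ``note`` here so that ``danger`` keeps its weight for the blocks that really need it.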
@ -120,7 +120,7 @@ With YUM
If the packages are stored in a yum repository:
.. code:: shell
.. code-block:: shell
yum install lemonldap-ng
@ -160,7 +160,7 @@ Change default DNS domain
By default, DNS domain is ``example.com``. You can change it quick with
a sed command. For example, we change it to ``ow2.org``:
.. code:: shell
.. code-block:: shell
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json /etc/nginx/conf.d/* /etc/httpd/conf.d/*
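Review bot: The ``sed -i`` line in this hunk runs over ``/etc/nginx/conf.d/*`` and ``/etc/httpd/conf.d/*``, so it rewrites ``example.com`` in every file in those directories, including virtual hosts that do not belong to LL::NG, and leaves no backup. Suggest narrowing the globs to the files shipped by the packages, or at least using ``sed -i.bak`` so the change can be reverted.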

View File

@ -2,7 +2,7 @@ Installation on Suse Linux
==========================
.. important::
.. attention::
LL::NG requires at least SLES 12 SP1 or
equivalent
@ -110,11 +110,11 @@ With ZYPPER
If the packages are stored in a repository:
.. code:: shell
.. code-block:: shell
zypper install lemonldap-ng
.. code:: shell
.. code-block:: shell
59 new packages to install.
Total download size: 13.5 MiB. Already cached : 0 B. After operation, 30.7 MiB of supplementary disk space will be used.
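Review bot: The second ``.. code-block:: shell`` in this hunk holds zypper's output ("59 new packages to install. ..."), not commands, so the shell lexer will highlight it misleadingly. Use ``.. code-block:: text`` for the output, or merge it with the command above into a single ``console`` block with a prompt.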
@ -183,13 +183,13 @@ Change default DNS domain
By default, DNS domain is ``example.com``. You can change it quick with
a sed command. For example, we change it to ``ow2.org``:
.. code:: shell
.. code-block:: shell
sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/{*.conf,*.ini,for_etc_hosts} /var/lib/lemonldap-ng/conf/lmConf-1
Check Apache configuration and restart:
.. code:: shell
.. code-block:: shell
apachectl configtest
apachectl restart
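Review bot: The ``sed`` target in this hunk is ``/var/lib/lemonldap-ng/conf/lmConf-1``, whereas the Debian and Red Hat pages in this same commit use ``lmConf-1.json``. Please check which file name the SUSE package actually installs and align the command, since ``sed -i`` on a non-existent path fails and leaves the configuration on ``example.com``.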

View File

@ -8,7 +8,7 @@ Get the tarball from :doc:`download page</download>`. You can also find
on this page the SVN tarball if you want to test latest features.
.. important::
.. attention::
The content of the SVN tarball is not the same as the
official tarball. Please see the next chapter to learn how build an

Some files were not shown because too many files have changed in this diff