|
|
|
|
@ -1,193 +1,6 @@
|
|
|
|
|
Lemonldap-NG
|
|
|
|
|
====================
|
|
|
|
|
|
|
|
|
|
Go to http://lemonldap-ng.org/ to get the up-to-date documentation.
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
|
|
|
|
simplifies the build of a protected area with a few changes in the application.
|
|
|
|
|
It manages both authentication and authorization and provides headers for
|
|
|
|
|
accounting. So you can have a full AAA protection for your web space as
|
|
|
|
|
described below.
|
|
|
|
|
|
|
|
|
|
1 - Installation
|
|
|
|
|
2 - Authentication, Authorization and Accounting mechanisms
|
|
|
|
|
2.1 - Authentication
|
|
|
|
|
2.2 - Authorization
|
|
|
|
|
2.3 - Accounting
|
|
|
|
|
3 - Session storage system
|
|
|
|
|
4 - Authors
|
|
|
|
|
5 - Copyright and licence
|
|
|
|
|
|
|
|
|
|
1 - INSTALLATION
|
|
|
|
|
================
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG is a different project than Lemonldap and contains all you need
|
|
|
|
|
to use and administer it. So softwares, like Lemonldap webmin module, may not
|
|
|
|
|
work with Lemonldap::NG.
|
|
|
|
|
|
|
|
|
|
The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
|
|
|
|
|
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
|
|
|
|
|
act as CGI, so they can work everywhere.
|
|
|
|
|
|
|
|
|
|
See INSTALL file in the source tree for a complete installation documentation.
|
|
|
|
|
|
|
|
|
|
2 - AUTHENTICATION, AUTHORIZATION AND ACCOUNTING MECHANISMS
|
|
|
|
|
===========================================================
|
|
|
|
|
|
|
|
|
|
Warning: Lemonldap::NG configuration has to be edited using the manager unless
|
|
|
|
|
you know exactly what you are doing. The parameters discussed here are all in
|
|
|
|
|
the configuration tree.
|
|
|
|
|
|
|
|
|
|
2.1 - Authentication
|
|
|
|
|
|
|
|
|
|
If a user isn't authenticated and attemps to connect to an area protected by a
|
|
|
|
|
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
|
|
|
|
|
authenticates user with a ldap bind by default, but you can also use another
|
|
|
|
|
authentication sheme like using x509 user certificates (see
|
|
|
|
|
Lemonldap::NG::Portal::AuthSSL(3) for more).
|
|
|
|
|
|
|
|
|
|
Lemonldap use session cookies generated by Apache::Session so as secure as a
|
|
|
|
|
128-bit random cookie. You may use the securedCookie options to avoid session
|
|
|
|
|
hijacking.
|
|
|
|
|
|
|
|
|
|
You have to manage life of sessions by yourself since Lemonldap::NG knows
|
|
|
|
|
nothing about the L<Apache::Session> module you've choosed, but it's very easy
|
|
|
|
|
using a simple cron script because Lemonldap::NG::Portal stores the start
|
|
|
|
|
time in the _utime field.
|
|
|
|
|
By default, a session stay 10 minutes in the local storage, so in the worth
|
|
|
|
|
case, a user is authorized 10 minutes after he lost his rights.
|
|
|
|
|
|
|
|
|
|
2.2 - Authorization
|
|
|
|
|
|
|
|
|
|
Authorization is controled only by handlers because the portal knows nothing
|
|
|
|
|
about the way the user will choose. When configuring your Web-SSO, you have to:
|
|
|
|
|
|
|
|
|
|
* choose the ldap attributes you want to use to manage accounting and
|
|
|
|
|
authorization.
|
|
|
|
|
* create Perl expressions to define user groups (using ldap attributes)
|
|
|
|
|
* create an array foreach virtual host associating URI regular expressions and
|
|
|
|
|
Perl expressions to use to grant access.
|
|
|
|
|
|
|
|
|
|
Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored
|
|
|
|
|
|
|
|
|
|
* Exported variables :
|
|
|
|
|
|
|
|
|
|
# Custom-Name => LDAP attribute
|
|
|
|
|
cn => cn
|
|
|
|
|
departmentUID => departmentUID
|
|
|
|
|
login => uid
|
|
|
|
|
|
|
|
|
|
* User groups :
|
|
|
|
|
|
|
|
|
|
# Custom-Name => group definition
|
|
|
|
|
group1 => { $departmentUID eq "unit1" or $login = "foo.bar" }
|
|
|
|
|
|
|
|
|
|
* Area protection:
|
|
|
|
|
|
|
|
|
|
# Each VirtualHost has its own configuration
|
|
|
|
|
# associating URL regexp to Perl expression
|
|
|
|
|
* www1.domain.com :
|
|
|
|
|
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
|
|
|
|
default => accept
|
|
|
|
|
},
|
|
|
|
|
* www2.domain.com => {
|
|
|
|
|
^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
|
|
|
|
|
^/(js|css) => accept
|
|
|
|
|
default => deny
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
|
|
|
|
|
2.2.1 - Performance
|
|
|
|
|
|
|
|
|
|
You can use Perl expressions as complicated as you want and you can use all
|
|
|
|
|
the exported LDAP attributes (and create your own attributes: with 'macros'
|
|
|
|
|
mechanism) in groups evaluations, area protections or custom HTTP headers
|
|
|
|
|
(you just have to call them with a "$").
|
|
|
|
|
|
|
|
|
|
You have to be careful when choosing your expressions:
|
|
|
|
|
|
|
|
|
|
* groups and macros are evaluated each time a user is redirected to the portal
|
|
|
|
|
* virtual host rules and exported headers are evaluated for each request on a
|
|
|
|
|
protected area.
|
|
|
|
|
|
|
|
|
|
It is also recommanded to use the groups mechanism to avoid having to evaluate
|
|
|
|
|
a long expression at each HTTP request:
|
|
|
|
|
|
|
|
|
|
# Virtual hosts :
|
|
|
|
|
...
|
|
|
|
|
www1.domain.com :
|
|
|
|
|
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
|
|
|
|
|
|
|
|
|
You can also use LDAP filters, or Perl expression or mixed expressions in
|
|
|
|
|
groups definitions. Perl expressions has to be enclosed with {}:
|
|
|
|
|
|
|
|
|
|
* group1 => (|(uid=foo.bar)(ou=unit1))
|
|
|
|
|
* group1 => {$uid eq "foo.bar" or $ou eq "unit1"}
|
|
|
|
|
* group1 => (|(uid=foo.bar){$ou eq "unit1"})
|
|
|
|
|
|
|
|
|
|
It is also recommanded to use Perl expressions to avoid requiering the LDAP
|
|
|
|
|
server more than 2 times per authentication.
|
|
|
|
|
|
|
|
|
|
2.3 - Accounting
|
|
|
|
|
|
|
|
|
|
2.3.1 - Logging portal access>
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
|
|
|
|
|
overload log method for normal portal access.
|
|
|
|
|
|
|
|
|
|
2.3.2 - Logging application access
|
|
|
|
|
|
|
|
|
|
Because a Web-SSO knows nothing about the protected application, it can't do
|
|
|
|
|
more than logging URL. As Apache does this fine, L<Lemonldap::NG::Handler>
|
|
|
|
|
gives it the name to used in logs. The whatToTrace parameter indicates
|
|
|
|
|
which variable Apache has to use ($uid by default).
|
|
|
|
|
|
|
|
|
|
The real accounting has to be done by the application itself which knows the
|
|
|
|
|
result of SQL transaction for example.
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG can export HTTP headers either using a proxy or protecting
|
|
|
|
|
directly the application. By default, the Auth-User field is used but you can
|
|
|
|
|
change it using the exportedHeaders parameters (in the Manager, each virtual
|
|
|
|
|
host as custom headers branch). This parameters contains an associative array
|
|
|
|
|
per virtual host:
|
|
|
|
|
|
|
|
|
|
* keys are the names of the choosen headers
|
|
|
|
|
* values are Perl expressions where you can use user datas stored in the
|
|
|
|
|
global storage.
|
|
|
|
|
|
|
|
|
|
Example:
|
|
|
|
|
|
|
|
|
|
* www1.domain.com :
|
|
|
|
|
Auth-User => $uid
|
|
|
|
|
Unit => $ou
|
|
|
|
|
* www2.domain.com :
|
|
|
|
|
Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
|
|
|
|
|
Remote-IP => $ip
|
|
|
|
|
|
|
|
|
|
3 - SESSION STORAGE SYSTEM
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG use 3 levels of cache for authenticated users:
|
|
|
|
|
|
|
|
|
|
* an Apache::Session::* module used by lemonldap::NG::Portal to store
|
|
|
|
|
authenticated user parameters,
|
|
|
|
|
* a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
|
|
|
|
|
users between Apache's threads or processus and of course between virtual
|
|
|
|
|
hosts on the same machine
|
|
|
|
|
* Lemonldap::NG::Handler variables : if the same user use the same thread or
|
|
|
|
|
processus a second time, no request are needed to grant or refuse access.
|
|
|
|
|
This is very efficient with HTTP/1.1 Keep-Alive system.
|
|
|
|
|
|
|
|
|
|
So the number of request to the central storage is limited to 1 per active
|
|
|
|
|
user each 10 minutes.
|
|
|
|
|
|
|
|
|
|
Lemonldap::NG is very fast, but you can increase performance using a
|
|
|
|
|
Cache::Cache module that does not use disk access.
|
|
|
|
|
|
|
|
|
|
4 - AUTHORS
|
|
|
|
|
|
|
|
|
|
See AUTHORS
|
|
|
|
|
|
|
|
|
|
5 - COPYRIGHT AND LICENSE
|
|
|
|
|
|
|
|
|
|
See COPYING
|
|
|
|
|
Go to http://lemonldap-ng.org/ to get the up-to-date documentation or use
|
|
|
|
|
local documentation in doc/ directory.
|
|
|
|
|
|
|
|
|
|
|
Xavier Guimard