Update documentation (#909)

This commit is contained in:
Clément Oudot 2016-02-10 10:17:35 +00:00
parent 2f91261261
commit b48621b00c
58 changed files with 1376 additions and 672 deletions

File diff suppressed because one or more lines are too long


View File

@ -29,11 +29,11 @@
<div class="level2">
<p>
Applications listed bellow are known to be easy to integrate in <abbr title="LemonLDAP::NG">LL::NG</abbr>. As <abbr title="LemonLDAP::NG">LL::NG</abbr> works like classic WebSSO (like Siteminder™), many other applications are easy to integrate.
Applications listed below are known to be easy to integrate in <abbr title="LemonLDAP::NG">LL::NG</abbr>. As <abbr title="LemonLDAP::NG">LL::NG</abbr> works like classic WebSSO (like Siteminder™), many other applications are easy to integrate.
</p>
</div>
<!-- EDIT2 SECTION "Known supported applications" [29-249] -->
<!-- EDIT2 SECTION "Known supported applications" [29-248] -->
<h3 class="sectionedit3" id="mail_agenda_groupware">Mail, Agenda, Groupware</h3>
<div class="level3">
<div class="table sectionedit4"><table class="inline">
@ -46,9 +46,9 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/obm.html" class="media" title="documentation:1.9:applications:obm"><img src="../../../media/applications/obm_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="../../documentation/1.9/applications/sympa.html" class="media" title="documentation:1.9:applications:sympa"><img src="../../../media/applications/sympa_logo.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="../../documentation/1.9/applications/zimbra.html" class="media" title="documentation:1.9:applications:zimbra"><img src="../../../media/applications/zimbra_logo.png" class="media" alt="" /></a> </td><td class="col3 centeralign"> <a href="../../documentation/1.9/applications/roundcube.html" class="media" title="documentation:1.9:applications:roundcube"><img src="../../../media/applications/roundcube_logo.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [285-581] -->
<!-- EDIT4 TABLE [284-580] -->
</div>
<!-- EDIT3 SECTION "Mail, Agenda, Groupware" [250-582] -->
<!-- EDIT3 SECTION "Mail, Agenda, Groupware" [249-581] -->
<h3 class="sectionedit5" id="wiki">Wiki</h3>
<div class="level3">
<div class="table sectionedit6"><table class="inline">
@ -61,9 +61,9 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/dokuwiki.html" class="media" title="documentation:1.9:applications:dokuwiki"><img src="../../../media/applications/dokuwiki_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="../../documentation/1.9/applications/mediawiki.html" class="media" title="documentation:1.9:applications:mediawiki"><img src="../../../media/applications/mediawiki_logo.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [599-765] -->
<!-- EDIT6 TABLE [598-764] -->
</div>
<!-- EDIT5 SECTION "Wiki" [583-766] -->
<!-- EDIT5 SECTION "Wiki" [582-765] -->
<h3 class="sectionedit7" id="cms_portal_ecm">CMS, Portal, ECM</h3>
<div class="level3">
<div class="table sectionedit8"><table class="inline">
@ -76,9 +76,9 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/drupal.html" class="media" title="documentation:1.9:applications:drupal"><img src="../../../media/applications/drupal_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="../../documentation/1.9/applications/liferay.html" class="media" title="documentation:1.9:applications:liferay"><img src="../../../media/applications/liferay_logo.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="../../documentation/1.9/applications/alfresco.html" class="media" title="documentation:1.9:applications:alfresco"><img src="../../../media/applications/alfresco_logo.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [795-1030] -->
<!-- EDIT8 TABLE [794-1029] -->
</div>
<!-- EDIT7 SECTION "CMS, Portal, ECM" [767-1031] -->
<!-- EDIT7 SECTION "CMS, Portal, ECM" [766-1030] -->
<h3 class="sectionedit9" id="bugtracker_service_management">Bugtracker, Service Management</h3>
<div class="level3">
<div class="table sectionedit10"><table class="inline">
@ -91,9 +91,9 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/bugzilla.html" class="media" title="documentation:1.9:applications:bugzilla"><img src="../../../media/applications/bugzilla_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="https://forge.indepnet.net/projects/glpi/wiki/GLPI-SSO" class="media" title="https://forge.indepnet.net/projects/glpi/wiki/GLPI-SSO" rel="nofollow"><img src="../../../media/applications/glpi_logo.png" class="media" alt="" width="100" /></a> </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [1074-1265] -->
<!-- EDIT10 TABLE [1073-1264] -->
</div>
<!-- EDIT9 SECTION "Bugtracker, Service Management" [1032-1266] -->
<!-- EDIT9 SECTION "Bugtracker, Service Management" [1031-1265] -->
<h3 class="sectionedit11" id="other">Other</h3>
<div class="level3">
<div class="table sectionedit12"><table class="inline">
@ -112,9 +112,9 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/limesurvey.html" class="media" title="documentation:1.9:applications:limesurvey"><img src="../../../media/applications/limesurvey_logo.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1"> </td><td class="col2"> </td><td class="col3"> </td>
</tr>
</table></div>
<!-- EDIT12 TABLE [1284-1862] -->
<!-- EDIT12 TABLE [1283-1861] -->
</div>
<!-- EDIT11 SECTION "Other" [1267-1863] -->
<!-- EDIT11 SECTION "Other" [1266-1862] -->
<h2 class="sectionedit13" id="frameworks">Frameworks</h2>
<div class="level2">
<div class="table sectionedit14"><table class="inline">
@ -127,9 +127,9 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/spring.html" class="media" title="documentation:1.9:applications:spring"><img src="../../../media/applications/spring_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="../../documentation/1.9/applications/django.html" class="media" title="documentation:1.9:applications:django"><img src="../../../media/applications/django_logo.png" class="media" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT14 TABLE [1888-2055] -->
<!-- EDIT14 TABLE [1887-2054] -->
</div>
<!-- EDIT13 SECTION "Frameworks" [1864-2056] -->
<!-- EDIT13 SECTION "Frameworks" [1863-2055] -->
<h2 class="sectionedit15" id="connectors">Connectors</h2>
<div class="level2">
<div class="table sectionedit16"><table class="inline">
@ -150,9 +150,9 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<a href="http://fr.lutece.paris.fr" class="urlextern" title="http://fr.lutece.paris.fr" rel="nofollow">Lutece</a> </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT16 TABLE [2081-2572] -->
<!-- EDIT16 TABLE [2080-2571] -->
</div>
<!-- EDIT15 SECTION "Connectors" [2057-2573] -->
<!-- EDIT15 SECTION "Connectors" [2056-2572] -->
<h2 class="sectionedit17" id="saml_connectors">SAML connectors</h2>
<div class="level2">
@ -163,13 +163,13 @@ Applications listed bellow are known to be easy to integrate in <abbr title="Lem
<div class="table sectionedit18"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Google Apps </th><th class="col1 centeralign"> Zimbra </th><th class="col2 centeralign"> SAP </th><th class="col3 centeralign"> Cornerstone </th><th class="col4 centeralign"> SalesForce </th>
<th class="col0 centeralign"> Google Apps </th><th class="col1 centeralign"> Cornerstone </th><th class="col2 centeralign"> SalesForce </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/googleapps.html" class="media" title="documentation:1.9:applications:googleapps"><img src="../../../media/applications/googleapps_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" class="media" title="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" rel="nofollow"><img src="../../../media/applications/zimbra_logo.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" class="media" title="http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" rel="nofollow"><img src="../../../media/applications/saplogo.gif" class="media" title="SAP" alt="SAP" /></a> </td><td class="col3 centeralign"> <a href="../../documentation/1.9/applications/cornerstone.html" class="media" title="documentation:1.9:applications:cornerstone"><img src="../../../media/applications/csod_logo.png" class="media" alt="" /></a> </td><td class="col4 centeralign"> <a href="../../documentation/1.9/applications/salesforce.html" class="media" title="documentation:1.9:applications:salesforce"><img src="../../../media/applications/salesforce-logo.jpg" class="medialeft" align="left" alt="" /></a> </td>
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/googleapps.html" class="media" title="documentation:1.9:applications:googleapps"><img src="../../../media/applications/googleapps_logo.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="../../documentation/1.9/applications/cornerstone.html" class="media" title="documentation:1.9:applications:cornerstone"><img src="../../../media/applications/csod_logo.png" class="mediacenter" alt="" /></a> </td><td class="col2 centeralign"> <a href="../../documentation/1.9/applications/salesforce.html" class="media" title="documentation:1.9:applications:salesforce"><img src="../../../media/applications/salesforce-logo.jpg" class="mediacenter" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT18 TABLE [2693-3238] -->
<!-- EDIT18 TABLE [2692-2963] -->
</div>
</div><!-- closes <div class="dokuwiki export">-->
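Review bot: the Zimbra and SAP columns are dropped from the SAML connectors table (both the `<th>` row and the `<td>` row below it) without any mention in the commit message; if those two external how-tos are considered stale, say so in the message, otherwise keep them. The switch from `class="media"` to `class="mediacenter"` and the removal of `align="left"` on the SalesForce logo look fine.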

View File

@ -103,19 +103,11 @@ Now configure all <abbr title="Security Assertion Markup Language">SAML</abbr> p
<div class="level3">
<p>
For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button <code>Download this file</code>):
For the certificate, you can build it from the signing private key registered in Manager. Select the key, and export it (button <code>Download</code>). This will download the public and the private key.
</p>
<p>
<a href="/_detail/documentation/googleapps-export-priv-key.png?id=documentation%3A1.9%3Aapplications%3Agoogleapps" class="media" title="documentation:googleapps-export-priv-key.png"><img src="../../../../media/documentation/googleapps-export-priv-key.png" class="mediacenter" alt="" /></a>
</p>
<p>
After choosing the file name (for example lemonldapn-ng-priv.key), download the key on your disk.
</p>
<p>
Then use openssl to generate an auto-signed certificate:
Keep the private key in a file, for example lemonldap-ng-priv.key, then use openssl to generate an auto-signed certificate:
</p>
<pre class="code">openssl req -new -key lemonldap-ng-priv.key -out cert.csr
openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out cert.pem</pre>
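Review bot: "auto-signed certificate" in the unchanged context should read "self-signed certificate". Since the `Download` button now exports the private signing key as well, add that `lemonldap-ng-priv.key` must be stored with restrictive permissions and removed from the workstation once `cert.pem` has been generated: that key signs the IdP's SAML assertions.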
@ -124,8 +116,13 @@ openssl x509 -req -days 3650 -in cert.csr -signkey lemonldap-ng-priv.key -out ce
You can now the upload the certificate (<code>cert.pem</code>) on Google Apps.
</p>
<p>
<p><div class="notetip">You can also use the certificate instead of public key in <abbr title="Security Assertion Markup Language">SAML</abbr> metadata, see <a href="../../../documentation/1.9/samlservice.html#security_parameters" class="wikilink1" title="documentation:1.9:samlservice">SAML service configuration</a>
</div></p>
</p>
</div>
<!-- EDIT5 SECTION "Certificate" [1672-2290] -->
<!-- EDIT5 SECTION "Certificate" [1672-2407] -->
<h3 class="sectionedit6" id="new_service_provider">New Service Provider</h3>
<div class="level3">
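Review bot: the unchanged context line "You can now the upload the certificate" has a stray "the"; fix it while editing this section. The added tip linking to the SAML service security parameters is useful, as it tells admins which of the two artefacts (certificate or bare public key) ends up in the metadata.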
@ -161,7 +158,7 @@ Now we will add Google Apps as a new <abbr title="Security Assertion Markup Lang
</p>
</div>
<!-- EDIT6 SECTION "New Service Provider" [2291-3686] -->
<!-- EDIT6 SECTION "New Service Provider" [2408-3803] -->
<h3 class="sectionedit7" id="application_menu">Application menu</h3>
<div class="level3">
@ -169,10 +166,6 @@ Now we will add Google Apps as a new <abbr title="Security Assertion Markup Lang
You can add a link in <a href="../../../documentation/1.9/portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:1.9:portalmenu">application menu</a> to display Google Apps to users.
</p>
<p>
<a href="/_detail/documentation/googleapps-manager-application.png?id=documentation%3A1.9%3Aapplications%3Agoogleapps" class="media" title="documentation:googleapps-manager-application.png"><img src="../../../../media/documentation/googleapps-manager-application.png" class="mediacenter" alt="" /></a>
</p>
<p>
You need to adapt some parameters:
</p>
@ -189,7 +182,7 @@ You need to adapt some parameters:
</p>
</div>
<!-- EDIT7 SECTION "Application menu" [3687-4258] -->
<!-- EDIT7 SECTION "Application menu" [3804-4317] -->
<h3 class="sectionedit8" id="logout">Logout</h3>
<div class="level3">

View File

@ -44,39 +44,37 @@ Several extensions allows to configure <abbr title="Single Sign On">SSO</abbr> o
</li>
<li class="level1"><div class="li"> <a href="http://www.mediawiki.org/wiki/Extension:Siteminder_Authentication" class="urlextern" title="http://www.mediawiki.org/wiki/Extension:Siteminder_Authentication" rel="nofollow">Siteminder Authentication</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://www.mediawiki.org/wiki/Extension:HttpAuth" class="urlextern" title="http://www.mediawiki.org/wiki/Extension:HttpAuth" rel="nofollow">HTTP Auth</a></div>
</li>
</ul>
<p>
We will explain how to use the latest: <a href="http://www.mediawiki.org/wiki/Extension:HttpAuth" class="urlextern" title="http://www.mediawiki.org/wiki/Extension:HttpAuth" rel="nofollow">HTTP Auth</a>.
We will explain how to use <a href="http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER" class="urlextern" title="http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER" rel="nofollow">Automatic REMOTE_USER</a> extension.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [67-635] -->
<!-- EDIT2 SECTION "Presentation" [67-590] -->
<h2 class="sectionedit3" id="installation">Installation</h2>
<div class="level2">
<p>
The HTTP Auth extension is presented here: <a href="http://www.mediawiki.org/wiki/Extension:HttpAuth" class="urlextern" title="http://www.mediawiki.org/wiki/Extension:HttpAuth" rel="nofollow">http://www.mediawiki.org/wiki/Extension:HttpAuth</a>
The extension is presented here: <a href="http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER" class="urlextern" title="http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER" rel="nofollow">http://www.mediawiki.org/wiki/Extension:AutomaticREMOTE_USER</a>
</p>
<p>
You can download the code here: <a href="http://github.com/oremj/mediawiki-http-auth/downloads" class="urlextern" title="http://github.com/oremj/mediawiki-http-auth/downloads" rel="nofollow">http://github.com/oremj/mediawiki-http-auth/downloads</a>
You can download the code here: <a href="https://www.mediawiki.org/wiki/Special:ExtensionDistributor/Auth_remoteuser" class="urlextern" title="https://www.mediawiki.org/wiki/Special:ExtensionDistributor/Auth_remoteuser" rel="nofollow">https://www.mediawiki.org/wiki/Special:ExtensionDistributor/Auth_remoteuser</a>
</p>
<p>
You have to install <code>HttpAuthPlugin.php</code> in the <code>extensions/</code> directory of your MediaWiki installation:
You have to install <code> Auth_remoteuser</code> in the <code>extensions/</code> directory of your MediaWiki installation:
</p>
<pre class="code">cp HttpAuthPlugin.php extenstions/</pre>
<pre class="code">cp -a Auth_remoteuser/ extensions/</pre>
</div>
<!-- EDIT3 SECTION "Installation" [636-1008] -->
<!-- EDIT3 SECTION "Installation" [591-985] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Configuration" [1009-1035] -->
<!-- EDIT4 SECTION "Configuration" [986-1012] -->
<h3 class="sectionedit5" id="mediwiki_local_configuration">MediWiki local configuration</h3>
<div class="level3">
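Review bot: `<code> Auth_remoteuser</code>` has a leading space inside the code element that will render on the page. The trailing context heading still reads "MediWiki local configuration" (id `mediwiki_local_configuration`); correct it to "MediaWiki" while touching this file.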
@ -84,21 +82,43 @@ You have to install <code>HttpAuthPlugin.php</code> in the <code>extensions/</co
Then edit MediaWiki local settings
</p>
<pre class="code">vi LocalSettings.php</pre>
<pre class="code file php"><a href="http://www.php.net/session_start"><span class="kw3">session_start</span></a><span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span>
<pre class="code file php"><span class="kw1">require_once</span> <span class="st0">&quot;<span class="es4">$IP</span>/extensions/Auth_remoteuser/Auth_remoteuser.php&quot;</span><span class="sy0">;</span>
<span class="re0">$wgAuth</span> <span class="sy0">=</span> <span class="kw2">new</span> Auth_remoteuser<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span></pre>
<p>
Add then extension configuration, for example:
</p>
<pre class="code file php"><span class="re0">$wgAuthRemoteuserAuthz</span> <span class="sy0">=</span> <span class="kw4">true</span><span class="sy0">;</span> <span class="coMULTI">/* Your own authorization test */</span>
<span class="re0">$wgAuthRemoteuserName</span> <span class="sy0">=</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st0">&quot;HTTP_AUTH_CN&quot;</span><span class="br0">&#93;</span><span class="sy0">;</span> <span class="coMULTI">/* User's name */</span>
<span class="re0">$wgAuthRemoteuserMail</span> <span class="sy0">=</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st0">&quot;HTTP_AUTH_MAIL&quot;</span><span class="br0">&#93;</span><span class="sy0">;</span> <span class="coMULTI">/* User's Mail */</span>
<span class="re0">$wgAuthRemoteuserNotify</span> <span class="sy0">=</span> <span class="kw4">false</span><span class="sy0">;</span> <span class="coMULTI">/* Do not send mail notifications */</span>
<span class="co1">//$wgAuthRemoteuserDomain = &quot;NETBIOSDOMAIN&quot;; /* Remove NETBIOSDOMAIN\ from the beginning or @NETBIOSDOMAIN at the end of a IWA username */</span>
<span class="coMULTI">/* User's mail domain to append to the user name to make their email address */</span>
<span class="co1">//$wgAuthRemoteuserMailDomain = &quot;example.com&quot;;</span>
&nbsp;
<span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'PHP_AUTH_USER'</span><span class="br0">&#93;</span> <span class="sy0">=</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'REMOTE_USER'</span><span class="br0">&#93;</span><span class="sy0">;</span>
<span class="co1">// see http://www.mediawiki.org/wiki/Manual:Hooks/SpecialPage_initList</span>
<span class="co1">// and http://www.mediawiki.org/w/Manual:Special_pages</span>
<span class="co1">// and http://lists.wikimedia.org/pipermail/mediawiki-l/2009-June/031231.html</span>
<span class="co1">// disable login and logout functions for all users</span>
<span class="kw2">function</span> LessSpecialPages<span class="br0">&#40;</span><span class="sy0">&amp;</span><span class="re0">$list</span><span class="br0">&#41;</span> <span class="br0">&#123;</span>
<a href="http://www.php.net/unset"><span class="kw3">unset</span></a><span class="br0">&#40;</span> <span class="re0">$list</span><span class="br0">&#91;</span><span class="st_h">'Userlogout'</span><span class="br0">&#93;</span> <span class="br0">&#41;</span><span class="sy0">;</span>
<a href="http://www.php.net/unset"><span class="kw3">unset</span></a><span class="br0">&#40;</span> <span class="re0">$list</span><span class="br0">&#91;</span><span class="st_h">'Userlogin'</span><span class="br0">&#93;</span> <span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">return</span> <span class="kw4">true</span><span class="sy0">;</span>
<span class="br0">&#125;</span>
<span class="re0">$wgHooks</span><span class="br0">&#91;</span><span class="st_h">'SpecialPage_initList'</span><span class="br0">&#93;</span><span class="br0">&#91;</span><span class="br0">&#93;</span><span class="sy0">=</span><span class="st_h">'LessSpecialPages'</span><span class="sy0">;</span>
&nbsp;
<span class="kw1">if</span> <span class="br0">&#40;</span><span class="br0">&#40;</span><span class="sy0">!</span><a href="http://www.php.net/empty"><span class="kw3">empty</span></a><span class="br0">&#40;</span><span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'PHP_AUTH_USER'</span><span class="br0">&#93;</span><span class="br0">&#41;</span> <span class="sy0">&amp;&amp;</span> <span class="sy0">!</span><a href="http://www.php.net/empty"><span class="kw3">empty</span></a><span class="br0">&#40;</span><span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'REMOTE_USER'</span><span class="br0">&#93;</span><span class="br0">&#41;</span><span class="br0">&#41;</span> <span class="sy0">||</span> <span class="re0">$_COOKIE</span><span class="br0">&#91;</span><span class="re0">$wgDBserver</span> <span class="sy0">.</span> <span class="st_h">'UserID'</span><span class="br0">&#93;</span><span class="br0">&#41;</span> <span class="br0">&#123;</span>
<span class="kw1">require_once</span><span class="br0">&#40;</span><span class="st0">&quot;<span class="es4">$IP</span>/extensions/HttpAuthPlugin.php&quot;</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="re0">$wgAuth</span> <span class="sy0">=</span> <span class="kw2">new</span> HttpAuthPlugin<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="co2"># For MediaWiki &lt; 1.13
</span> <span class="re0">$wgHooks</span><span class="br0">&#91;</span><span class="st_h">'AutoAuthenticate'</span><span class="br0">&#93;</span><span class="br0">&#91;</span><span class="br0">&#93;</span> <span class="sy0">=</span> <a href="http://www.php.net/array"><span class="kw3">array</span></a><span class="br0">&#40;</span><span class="re0">$wgAuth</span><span class="sy0">,</span><span class="st_h">'autoAuthenticate'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="co2"># For MediaWiki &gt;= 1.13
</span> <span class="co2">#$wgHooks['UserLoadFromSession'][] = array($wgAuth,'autoAuthenticate');
</span><span class="br0">&#125;</span></pre>
<span class="co1">// http://www.mediawiki.org/wiki/Extension:Windows_NTLM_LDAP_Auto_Auth</span>
<span class="co1">// remove login and logout buttons for all users</span>
<span class="kw2">function</span> StripLogin<span class="br0">&#40;</span><span class="sy0">&amp;</span><span class="re0">$personal_urls</span><span class="sy0">,</span> <span class="sy0">&amp;</span><span class="re0">$wgTitle</span><span class="br0">&#41;</span> <span class="br0">&#123;</span>
<a href="http://www.php.net/unset"><span class="kw3">unset</span></a><span class="br0">&#40;</span> <span class="re0">$personal_urls</span><span class="br0">&#91;</span><span class="st0">&quot;login&quot;</span><span class="br0">&#93;</span> <span class="br0">&#41;</span><span class="sy0">;</span>
<a href="http://www.php.net/unset"><span class="kw3">unset</span></a><span class="br0">&#40;</span> <span class="re0">$personal_urls</span><span class="br0">&#91;</span><span class="st0">&quot;logout&quot;</span><span class="br0">&#93;</span> <span class="br0">&#41;</span><span class="sy0">;</span>
<a href="http://www.php.net/unset"><span class="kw3">unset</span></a><span class="br0">&#40;</span> <span class="re0">$personal_urls</span><span class="br0">&#91;</span><span class="st_h">'anonlogin'</span><span class="br0">&#93;</span> <span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">return</span> <span class="kw4">true</span><span class="sy0">;</span>
<span class="br0">&#125;</span>
<span class="re0">$wgHooks</span><span class="br0">&#91;</span><span class="st_h">'PersonalUrls'</span><span class="br0">&#93;</span><span class="br0">&#91;</span><span class="br0">&#93;</span> <span class="sy0">=</span> <span class="st_h">'StripLogin'</span><span class="sy0">;</span></pre>
</div>
<!-- EDIT5 SECTION "MediWiki local configuration" [1036-1672] -->
<!-- EDIT5 SECTION "MediWiki local configuration" [1013-2635] -->
<h3 class="sectionedit6" id="mediawiki_virtual_host_in_apache">MediaWiki virtual host in Apache</h3>
<div class="level3">
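Review bot: the new configuration reads the user identity from `$_SERVER["HTTP_AUTH_CN"]` and `$_SERVER["HTTP_AUTH_MAIL"]`, which are request headers, so the page should state that MediaWiki must only be reachable through the LL::NG handler or reverse proxy that sets (and overwrites) those headers, never directly. `$wgAuthRemoteuserAuthz = true;` means every user LL::NG has authenticated gets a wiki account, which is consistent with doing access control in LL::NG; the comment "Your own authorization test" should say that instead. Is `$_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER'];` still needed now that HttpAuthPlugin is gone?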
@ -120,7 +140,7 @@ Configure MediaWiki virtual host like other <a href="../../../documentation/1.9/
</p>
</div>
<!-- EDIT6 SECTION "MediaWiki virtual host in Apache" [1673-2151] -->
<!-- EDIT6 SECTION "MediaWiki virtual host in Apache" [2636-3114] -->
<h3 class="sectionedit7" id="mediawiki_virtual_host_in_manager">MediaWiki virtual host in Manager</h3>
<div class="level3">
@ -134,7 +154,13 @@ Just configure the <a href="../../../documentation/1.9/writingrulesand_headers.h
<pre class="code">Userlogout =&gt; logout_sso</pre>
<p>
If using <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, configure the <code>Auth-User</code> <a href="../../../documentation/1.9/writingrulesand_headers.html#headers" class="wikilink1" title="documentation:1.9:writingrulesand_headers">header</a>, else no headers are needed.
You can create these two headers to fill user name and mail (see extension configuration):
</p>
<pre class="code">Auth-Cn =&gt; $cn
Auth-Mail =&gt; $mail</pre>
<p>
If using <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, configure also the <code>Auth-User</code> <a href="../../../documentation/1.9/writingrulesand_headers.html#headers" class="wikilink1" title="documentation:1.9:writingrulesand_headers">header</a>,
</p>
</div>
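Review bot: the last paragraph ends with a comma ("configure also the `Auth-User` header,"), so the sentence is cut off; end it with a full stop or finish the thought, and make clear that `Auth-Cn` and `Auth-Mail` are needed in both modes since the extension configuration reads them.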

View File

@ -20,38 +20,21 @@
<div class="dokuwiki export">
<h1 class="sectionedit1" id="nginx_lua_handler">Nginx LUA Handler</h1>
<h1 class="sectionedit1" id="nginx">Nginx</h1>
<div class="level1">
<p>
<p><div class="noteimportant">This Handler is an alternative for the Perl Nginx Handler provided in the LemonLDAP::NG project.
<p><div class="noteimportant">Nginx is fully supported by LemonLDAP::NG since version 1.9.
</div></p>
</p>
</div>
<!-- EDIT1 SECTION "Nginx LUA Handler" [1-154] -->
<!-- EDIT1 SECTION "Nginx" [1-106] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
Nginx is a very fast web server. The LUA <abbr title="Application Programming Interface">API</abbr> allows to write some hooks.
</p>
<p>
The LUA Handler for LemonLDAP::NG uses SOAP to get configuration and sessions.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [155-334] -->
<h2 class="sectionedit3" id="installation">Installation</h2>
<div class="level2">
<p>
The LUA Handler is available on GitHub: <a href="https://github.com/davidcoutadeur/lemonldap-lua-handler" class="urlextern" title="https://github.com/davidcoutadeur/lemonldap-lua-handler" rel="nofollow">https://github.com/davidcoutadeur/lemonldap-lua-handler</a>
</p>
<p>
See the README.md to know how install and configure it.
Nginx is a very fast web server. It can be used to host the portal or the manager through its FastCGI support and can be used to protect applications using the auth_request module (dialing with a FastCGI authorization server). See <a href="../../../documentation/1.9/start.html#installation" class="wikilink1" title="documentation:1.9:start">installation pages</a> to know how install and use it.
</p>
</div>
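Review bot: "dialing with a FastCGI authorization server" should be "talking to a FastCGI authorization server", and "to know how install and use it" needs "how to install". With the LUA handler text gone, the page now only points to the installation pages; a sentence naming which Nginx directives the installation pages cover (FastCGI for portal/manager, `auth_request` for protected applications) would help readers landing here first.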

View File

@ -64,7 +64,7 @@ In General Parameters &gt; Authentication modules, choose <code>Apache</code> as
<p>
You may want to failback to another authentication backend in case of the Apache authentication fails. Use then the <a href="../../documentation/1.9/authmulti.html" class="wikilink1" title="documentation:1.9:authmulti">Multiple authentication module</a>, for example:
</p>
<pre class="code">Multi Apache;LDAP</pre>
<pre class="code">Apache;LDAP</pre>
<p>
<p><div class="notetip">In this case, the Apache authentication module should not require a valid user and not be authoritative, else Apache server will return an error and not let <abbr title="LemonLDAP::NG">LL::NG</abbr> Portal manage the failback authentication.
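Review bot: "failback" in the unchanged context should be "fall back" ("fall back to another authentication backend in case the Apache authentication fails"). The `Multi Apache;LDAP` to `Apache;LDAP` change should be checked against the Multiple authentication module page linked in the same paragraph so both show the same syntax.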
@ -72,7 +72,7 @@ You may want to failback to another authentication backend in case of the Apache
</p>
</div>
<!-- EDIT5 SECTION "LL::NG" [491-1036] -->
<!-- EDIT5 SECTION "LL::NG" [491-1029] -->
<h3 class="sectionedit6" id="apache1">Apache</h3>
<div class="level3">
@ -91,12 +91,12 @@ The Apache configuration depends on the module you choose, you need to look at t
</ul>
</div>
<!-- EDIT6 SECTION "Apache" [1037-1371] -->
<!-- EDIT6 SECTION "Apache" [1030-1364] -->
<h2 class="sectionedit7" id="tips">Tips</h2>
<div class="level2">
</div>
<!-- EDIT7 SECTION "Tips" [1372-1389] -->
<!-- EDIT7 SECTION "Tips" [1365-1382] -->
<h3 class="sectionedit8" id="kerberos">Kerberos</h3>
<div class="level3">
@ -105,7 +105,7 @@ The Kerberos configuration is quite complex. You can find some configuration tip
</p>
</div>
<!-- EDIT8 SECTION "Kerberos" [1390-1519] -->
<!-- EDIT8 SECTION "Kerberos" [1383-1512] -->
<h3 class="sectionedit9" id="compatibility_with_identity_provider_modules">Compatibility with Identity Provider modules</h3>
<div class="level3">

View File

@ -88,7 +88,7 @@ In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modu
</p>
<p>
<p><div class="noteimportant">When <code>Choice</code> is selected for authentication, values for Users and Password modules are not used anymore. Also, all backends parameters are displayed.
<p><div class="noteimportant">When <code>Choice</code> is selected for authentication, values for Users and Password modules are also forced to <code>Choice</code>.
</div></p>
</p>
@ -98,23 +98,23 @@ Then, go in <code>Choice Parameters</code>:
<ul>
<li class="level1"><div class="li"> <strong><abbr title="Uniform Resource Locator">URL</abbr> parameter</strong>: parameter name used to set choice value (default: <code>lmAuth</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Allowed modules</strong>: click on <code>New choice</code> to add a choice.</div>
<li class="level1"><div class="li"> <strong>Allowed modules</strong>: click on <code>New chain</code> to add a choice.</div>
</li>
</ul>
<p>
<a href="/_detail/documentation/manager-authchoice.png?id=documentation%3A1.9%3Aauthchoice" class="media" title="documentation:manager-authchoice.png"><img src="../../../media/documentation/manager-authchoice.png" class="mediacenter" alt="" /></a>
<img src="../../../media/documentation/manager-choice.png" class="mediacenter" alt="" />
</p>
<p>
Define here:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Key name</strong>: Text displayed on choice tab.</div>
<li class="level1"><div class="li"> <strong>Name</strong>: Text displayed on choice tab.</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication module</strong></div>
</li>
<li class="level1"><div class="li"> <strong>User module</strong></div>
<li class="level1"><div class="li"> <strong>Users module</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Password module</strong></div>
</li>
@ -123,7 +123,7 @@ Define here:
</ul>
<p>
<p><div class="notetip">You can prefix the key name with a digit to order them. The digit will not be shown on portal page.
<p><div class="notetip">You can prefix the key name with a digit to order them. The digit will not be shown on portal page. Underscore characters are also replaced by spaces.
</div></p>
</p>
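Review bot: the tip at the end of this hunk still says "prefix the key name with a digit" while the list item above was just renamed from "Key name" to "Name"; align the two (e.g. "You can prefix the name with a digit to order the choices") so readers do not look for a field that no longer exists. While there, "shown on portal page" reads better as "shown on the portal page".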

View File

@ -97,7 +97,7 @@ A Google Migration workaround is available since LemonLDAP::NG 1.4.4. It provide
</p>
<p>
<p><div class="noteimportant">This module is not available in version 2.00, you must use instead the OpenID Connect authentication module.
<p><div class="noteimportant">This module is not available in version 1.9 and superior, you must use instead the <a href="../../documentation/1.9/authopenidconnect.html" class="wikilink1" title="documentation:1.9:authopenidconnect">OpenID Connect authentication module</a>.
</div></p>
</p>
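Review bot: "version 1.9 and superior" is not idiomatic; "version 1.9 and later" is the usual wording, and "you must use instead the OpenID Connect authentication module" reads better as "use the OpenID Connect authentication module instead".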

View File

@ -164,6 +164,8 @@ List of attributes to query to fill user session. See also <a href="../../docume
</li>
<li class="level1"><div class="li"> <strong>Mail filter</strong>: Filter to find user from its mail (default: <code>(&amp;(mail=$mail)(objectClass=inetOrgPerson))</code>)</div>
</li>
<li class="level1"><div class="li"> <strong>Alias dereference</strong>: How to manage LDAP aliases. (default: <code>find</code>)</div>
</li>
</ul>
<p>
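Review bot: the new "Alias dereference" item gives only the default (find) and never lists the accepted values. If this setting is passed through to Net::LDAP's deref option (an assumption on my part), the valid values are never, search, find and always; stating them here, with one line on what each does, saves the reader a trip to the Net::LDAP documentation.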
@ -183,7 +185,7 @@ And the mail filter is:
</p>
</div>
<!-- EDIT8 SECTION "Filters" [2869-3515] -->
<!-- EDIT8 SECTION "Filters" [2869-3590] -->
<h3 class="sectionedit9" id="groups">Groups</h3>
<div class="level3">
<ul>
@ -204,7 +206,7 @@ And the mail filter is:
</ul>
</div>
<!-- EDIT9 SECTION "Groups" [3516-4350] -->
<!-- EDIT9 SECTION "Groups" [3591-4425] -->
<h3 class="sectionedit10" id="password">Password</h3>
<div class="level3">
<ul>

View File

@ -48,14 +48,13 @@ This backend allows to chain authentication method, for example to failback to L
<div class="level2">
<p>
You have to use “Multi” as authentication module. This scheme expect a parameter, which is the authentication chain.
You have to use <code>Multiple</code> as authentication modul (this will also force <code>Multiple</code> for the users module). Then go in <code>Multiple parameters</code> to define the modules to chain for authentication and users. Modules are separated by semi-colons/
</p>
<p>
For example:
</p>
<pre class="code">Authentication =&gt; Multi
Multi authentication stack =&gt; CAS;LDAP</pre>
<pre class="code">CAS;LDAP</pre>
<p>
If <abbr title="Central Authentication Service">CAS</abbr> failed, LDAP will be used.
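Review bot: two typos on the rewritten sentence: "authentication modul" should be "authentication module", and the trailing "semi-colons/" should end with a period ("separated by semi-colons."). Since the example that follows is now just "CAS;LDAP", consider saying explicitly that it is the value of the authentication stack field in Multiple parameters, otherwise the "For example:" has nothing to attach to.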
@ -64,20 +63,20 @@ If <abbr title="Central Authentication Service">CAS</abbr> failed, LDAP will be
<p>
You can also add a condition. Example:
</p>
<pre class="code">multiAuthStack =&gt; Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/&#039;</pre>
<pre class="code">Remote $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/&#039;</pre>
<p>
<p><div class="notetip">If Multi is used for authentication and user database, it will try to use the same module. Example, if you have “<abbr title="Database Interface">DBI</abbr>;LDAP and <abbr title="Database Interface">DBI</abbr> failed for authentication, Multi will try first to call LDAP as user database.
<p><div class="notetip">Multiple will try to use the same module for authentication and users. Example, if you have <code><abbr title="Database Interface">DBI</abbr>;LDAP</code> and <abbr title="Database Interface">DBI</abbr> failed for authentication, it will try first to call LDAP as user database.
</div></p>
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [266-916] -->
<!-- EDIT4 SECTION "Configuration" [266-934] -->
<h3 class="sectionedit5" id="advanced_configuration">Advanced configuration</h3>
<div class="level3">
<p>
The “Multi” system can :
The <code>Multiple</code> system can :
</p>
<ul>
<li class="level1"><div class="li"> stack several times the same module with a different name</div>
@ -87,14 +86,14 @@ The “Multi” system can :
</ul>
<p>
<p><div class="notetip">Overloading is not available trough the manager
<p><div class="notetip">Overloading is not available trough the Manager
</div></p>
</p>
<p>
To stack several times the same module, use “#name” with different names. Example:
</p>
<pre class="code">multiAuthStack =&gt; LDAP#Openldap; LDAP#ActiveDirectory</pre>
<pre class="code">LDAP#Openldap; LDAP#ActiveDirectory</pre>
<p>
Then you can have different <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameters</a> for each stored in a Perl hash entry named multi:
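Review bot: the rewritten tip keeps the old typo "trough"; it should read "Overloading is not available through the Manager". The sentence "The Multiple system can :" also has a space before the colon.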
@ -111,38 +110,18 @@ Then you can have different <a href="../../documentation/1.9/parameterlist.html"
<span class="br0">&#125;</span><span class="sy0">,</span></pre>
<p>
This key must be stored directly in portal index.pl file or in lemonldap-ng.ini:
This key must be stored directly in lemonldap-ng.ini:
</p>
<ul>
<li class="level1"><div class="li"> for index.pl, set it in new():</div>
</li>
</ul>
<pre class="code perl"><span class="kw1">my</span> <span class="re0">$portal</span> <span class="sy0">=</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">SharedConf</span><span class="sy0">-&gt;</span><span class="kw2">new</span><span class="br0">&#40;</span><span class="br0">&#123;</span>
multi <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'LDAP#Openldap'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'ldapServer'</span> <span class="sy0">=&gt;</span> <span class="st_h">'ldap1.example.com'</span><span class="sy0">,</span>
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=&gt;</span> <span class="st_h">'(uid=$user)'</span><span class="sy0">,</span>
<span class="br0">&#125;</span><span class="sy0">,</span>
<span class="st_h">'LDAP#ActiveDirectory'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st_h">'ldapServer'</span> <span class="sy0">=&gt;</span> <span class="st_h">'ldaps://ad.example.com'</span><span class="sy0">,</span>
<span class="st_h">'LDAPFilter'</span> <span class="sy0">=&gt;</span> <span class="st_h">'(&amp;(sAMAccountName=$user)(objectClass=person))'</span><span class="sy0">,</span>
<span class="br0">&#125;</span>
<span class="br0">&#125;</span><span class="sy0">,</span>
<span class="br0">&#125;</span><span class="br0">&#41;</span></pre>
<ul>
<li class="level1"><div class="li"> or to use <code>lemonldap-ng.ini</code>, install it (one line only) in [portal] section:</div>
</li>
</ul>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">multi</span> <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span>'LDAP#Openldap'<span class="sy0">=</span>&gt;<span class="br0">&#123;</span>'ldapServer'<span class="sy0">=</span>&gt;'ldap1.example.com','LDAPFilter'<span class="sy0">=</span>&gt;'<span class="br0">&#40;</span>uid<span class="sy0">=</span>$user<span class="br0">&#41;</span>'<span class="br0">&#125;</span>,'LDAP#ActiveDirectory'<span class="sy0">=</span>&gt;<span class="br0">&#123;</span>'ldapServer'<span class="sy0">=</span>&gt;'ldaps://ad.example.com','LDAPFilter'<span class="sy0">=</span>&gt;'<span class="br0">&#40;</span>&amp;<span class="br0">&#40;</span>sAMAccountName<span class="sy0">=</span>$user<span class="br0">&#41;</span><span class="br0">&#40;</span>objectClass<span class="sy0">=</span>person<span class="br0">&#41;</span><span class="br0">&#41;</span>'<span class="br0">&#125;</span><span class="br0">&#125;</span></span></pre>
</div>
<!-- EDIT5 SECTION "Advanced configuration" [917-2560] -->
<!-- EDIT5 SECTION "Advanced configuration" [935-2056] -->
<h2 class="sectionedit6" id="known_problems">Known problems</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "Known problems" [2561-2588] -->
<!-- EDIT6 SECTION "Known problems" [2057-2084] -->
<h3 class="sectionedit7" id="authapache_authentication">AuthApache authentication</h3>
<div class="level3">
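Review bot: with the index.pl alternative removed, the single remaining bullet still starts with "or to use lemonldap-ng.ini, install it (one line only) in [portal] section", which now reads as a dangling second option after "This key must be stored directly in lemonldap-ng.ini:". Merge them into one sentence, e.g. "Set this key on a single line in the [portal] section of lemonldap-ng.ini:", and drop the one-item list.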
@ -151,11 +130,11 @@ When using this module, <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will be
</p>
<p>
To bypass this, follow the documentation of <a href="../../documentation/1.9/authapache.html#use_kerberos_with_multiple_authentication_backend" class="wikilink1" title="documentation:1.9:authapache">AuthApache module</a>
To bypass this, follow the documentation of <a href="../../documentation/1.9/authapache.html" class="wikilink1" title="documentation:1.9:authapache">AuthApache module</a>
</p>
</div>
<!-- EDIT7 SECTION "AuthApache authentication" [2589-2953] -->
<!-- EDIT7 SECTION "AuthApache authentication" [2085-2399] -->
<h3 class="sectionedit8" id="ssl_authentication">SSL authentication</h3>
<div class="level3">
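Review bot: the link lost its "#use_kerberos_with_multiple_authentication_backend" fragment and now points at the top of authapache.html; if that section still exists under a (possibly renamed) anchor, keep the deep link so "follow the documentation" lands on the relevant part rather than the whole page. The sentence also lacks a final period.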

View File

@ -67,14 +67,28 @@ As an RP, <abbr title="LemonLDAP::NG">LL::NG</abbr> supports a lot of OpenID Con
</li>
</ul>
<p>
You can use this authentication module to link your <abbr title="LemonLDAP::NG">LL::NG</abbr> server to any OpenID Connect Provider. Here are some examples, witch their specific documentation:
</p>
<div class="table sectionedit4"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Google </th><th class="col1 centeralign"> France Connect </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="../../documentation/1.9/authopenidconnect_google.html" class="media" title="documentation:1.9:authopenidconnect_google"><img src="../../../media/applications/google_logo.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="../../documentation/1.9/authopenidconnect_franceconnect.html" class="media" title="documentation:1.9:authopenidconnect_franceconnect"><img src="../../../media/applications/franceconnect_logo.png" class="mediacenter" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [905-1106] -->
</div>
<!-- EDIT3 SECTION "Presentation" [96-745] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<!-- EDIT3 SECTION "Presentation" [96-1106] -->
<h2 class="sectionedit5" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Configuration" [746-772] -->
<h3 class="sectionedit5" id="openid_connect_service">OpenID Connect Service</h3>
<!-- EDIT5 SECTION "Configuration" [1107-1133] -->
<h3 class="sectionedit6" id="openid_connect_service">OpenID Connect Service</h3>
<div class="level3">
<p>
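Review bot: "Here are some examples, witch their specific documentation" should be "with their specific documentation". The rest of the hunk (table and renumbered section markers) looks consistent.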
@ -82,8 +96,8 @@ See <a href="../../documentation/1.9/openidconnectservice.html" class="wikilink1
</p>
</div>
<!-- EDIT5 SECTION "OpenID Connect Service" [773-881] -->
<h3 class="sectionedit6" id="authentication_and_userdb">Authentication and UserDB</h3>
<!-- EDIT6 SECTION "OpenID Connect Service" [1134-1242] -->
<h3 class="sectionedit7" id="authentication_and_userdb">Authentication and UserDB</h3>
<div class="level3">
<p>
@ -114,8 +128,8 @@ Then in <code>General Parameters</code> &gt; <code>Authentication modules</code>
</ul>
</div>
<!-- EDIT6 SECTION "Authentication and UserDB" [882-1672] -->
<h3 class="sectionedit7" id="register_llng_to_an_openid_connect_provider">Register LL::NG to an OpenID Connect Provider</h3>
<!-- EDIT7 SECTION "Authentication and UserDB" [1243-2033] -->
<h3 class="sectionedit8" id="register_llng_to_an_openid_connect_provider">Register LL::NG to an OpenID Connect Provider</h3>
<div class="level3">
<p>
@ -144,8 +158,8 @@ After registration, the OP must give you a client ID and a client secret, that w
</p>
</div>
<!-- EDIT7 SECTION "Register LL::NG to an OpenID Connect Provider" [1673-2387] -->
<h3 class="sectionedit8" id="declare_the_openid_connect_provider_in_llng">Declare the OpenID Connect Provider in LL::NG</h3>
<!-- EDIT8 SECTION "Register LL::NG to an OpenID Connect Provider" [2034-2748] -->
<h3 class="sectionedit9" id="declare_the_openid_connect_provider_in_llng">Declare the OpenID Connect Provider in LL::NG</h3>
<div class="level3">
<p>
@ -162,7 +176,7 @@ You can then access to the configuration of this OP.
<div class="level4">
<p>
The OP should publish its metadata in a JSON file (see for example <a href="https://accounts.google.com/.well-known/openid-configuration[Google metadata" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration[Google metadata" rel="nofollow">https://accounts.google.com/.well-known/openid-configuration[Google metadata</a>). Copy the content of this file in the textarea.
The OP should publish its metadata in a JSON file (see for example <a href="https://accounts.google.com/.well-known/openid-configuration" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration" rel="nofollow">Google metadata</a>). Copy the content of this file in the textarea.
</p>
<p>
@ -189,6 +203,17 @@ You can also define:
</li>
</ul>
<p>
Example template:
</p>
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;issuer&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://auth.example.com/&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;authorization_endpoint&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://auth.example.com/oauth2/authorize&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;token_endpoint&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://auth.example.com/oauth2/token&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;userinfo_endpoint&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://auth.example.com/oauth2/userinfo&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;end_session_endpoint&quot;</span><span class="sy0">:</span><span class="st0">&quot;https://auth.example.com/oauth2/logout&quot;</span>
<span class="br0">&#125;</span></pre>
</div>
<h4 id="jwks_data">JWKS data</h4>
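Review bot: in the example template, "end_session_endpoint" is the only key written without a space after the colon; make it consistent with the other entries. Since the JWKS section just below explains that LL::NG needs the OP's public keys, consider also showing the optional "jwks_uri" entry in the template, as that is where a provider normally advertises them.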
@ -209,13 +234,98 @@ JWKS is a JSON file containing public keys. <abbr title="LemonLDAP::NG">LL::NG</
<div class="level4">
<p>
Define here the mapping between the <abbr title="LemonLDAP::NG">LL::NG</abbr> session content and the fields provided in UserInfo response. The fields are defined in OpenID Connect standards, and depends on the scope requested by <abbr title="LemonLDAP::NG">LL::NG</abbr> (see options in next chapter).
Define here the mapping between the <abbr title="LemonLDAP::NG">LL::NG</abbr> session content and the fields provided in UserInfo response. The fields are defined in <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">OpenID Connect standard</a>, and depends on the scope requested by <abbr title="LemonLDAP::NG">LL::NG</abbr> (see options in next chapter).
</p>
<p>
<p><div class="notetip">See <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims</a> to know the names of standards claims.
</div></p>
</p>
</div>
<div class="plugin_include_content" id="plugin_include__documentation:1.9:openidconnectclaims">
<div class="level1">
<div class="table sectionedit10"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0"> Claim name </th><th class="col1"> Type </th><th class="col2"> Example of corresponding LDAP attribute </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> sub </td><td class="col1"> string </td><td class="col2"> uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> name </td><td class="col1"> string </td><td class="col2"> cn </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> given_name </td><td class="col1"> string </td><td class="col2"> givenName </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> family_name </td><td class="col1"> string </td><td class="col2"> sn </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> middle_name </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> nickname </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> preferred_username </td><td class="col1"> string </td><td class="col2"> displayName </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> profile </td><td class="col1"> string </td><td class="col2"> labeledURI </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> picture </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> website </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> email </td><td class="col1"> string </td><td class="col2"> mail </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> email_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> gender </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> birthdate </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> zoneinfo </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> locale </td><td class="col1"> string </td><td class="col2"> preferredLanguage </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> phone_number </td><td class="col1"> string </td><td class="col2"> telephoneNumber </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> phone_number_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> updated_at </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> formatted </td><td class="col1"> string </td><td class="col2"> registeredAddress </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> street_address </td><td class="col1"> string </td><td class="col2"> street </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> locality </td><td class="col1"> string </td><td class="col2"> l </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> region </td><td class="col1"> string </td><td class="col2"> st </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> postal_code </td><td class="col1"> string </td><td class="col2"> postalCode </td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> country </td><td class="col1"> string </td><td class="col2"> co </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [38-861] -->
</div>
</div>
<div class="level4">
<p>
So you can define for example:
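Review bot: the claims table lists formatted, street_address, locality, region, postal_code and country as if they were top-level claims, but in OpenID Connect Core (section 5.1.1) they are members of the "address" claim object; a mapping on a bare "country" will not match a provider that returns them under "address". Either group those rows under an "address" heading or add a sentence saying how LL::NG reaches into that object. Grammar on the rewritten sentence: "The fields are defined in the OpenID Connect standard, and depend on the scope" (plural subject).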

View File

@ -0,0 +1,106 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="france_connect">France Connect</h1>
<div class="level1">
<p>
<img src="../../../media/applications/franceconnect_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "France Connect" [1-82] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
<a href="https://doc.integ01.dev-franceconnect.fr/" class="urlextern" title="https://doc.integ01.dev-franceconnect.fr/" rel="nofollow">France Connect</a> is an authentication platform made by French government.
</p>
<p>
<p><div class="noteimportant">It is for the moment only in BETA stage. This documentation will explain how to configure <abbr title="LemonLDAP::NG">LL::NG</abbr> with the developer reserved space.
</div></p>
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [83-383] -->
<h2 class="sectionedit3" id="register_on_france_connect">Register on France Connect</h2>
<div class="level2">
<p>
Once <a href="../../documentation/1.9/openidconnectservice.html" class="wikilink1" title="documentation:1.9:openidconnectservice">OpenID Connect service</a> is configured, you need to register to France Connect.
</p>
<p>
Use the following form: <a href="https://doc.integ01.dev-franceconnect.fr/inscription" class="urlextern" title="https://doc.integ01.dev-franceconnect.fr/inscription" rel="nofollow">https://doc.integ01.dev-franceconnect.fr/inscription</a>.
</p>
<p>
You need to provide the callback URLs, for example <a href="https://auth.domain.com/?openidcallback=1" class="urlextern" title="https://auth.domain.com/?openidcallback=1" rel="nofollow">https://auth.domain.com/?openidcallback=1</a>.
</p>
<p>
You will then get a <code>client_id</code> and a <code>client_secret</code>.
</p>
</div>
<!-- EDIT3 SECTION "Register on France Connect" [384-770] -->
<h2 class="sectionedit4" id="declare_france_connect_in_your_llng_server">Declare France Connect in your LL::NG server</h2>
<div class="level2">
<p>
Go in Manager and create a new OpenID Connect provider. You can call it <code>france-connect</code> for example.
</p>
<p>
Click on <code>Metadata</code> and set manually the metadata of the service, using <a href="https://doc.integ01.dev-franceconnect.fr/fournisseur-service" class="urlextern" title="https://doc.integ01.dev-franceconnect.fr/fournisseur-service" rel="nofollow">France Connect endpoints</a>. For example:
</p>
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;issuer&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://fcp.integ01.dev-franceconnect.fr&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;authorization_endpoint&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://fcp.integ01.dev-franceconnect.fr/api/v1/authorize&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;token_endpoint&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://fcp.integ01.dev-franceconnect.fr/api/v1/token&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;userinfo_endpoint&quot;</span><span class="sy0">:</span> <span class="st0">&quot;https://fcp.integ01.dev-franceconnect.fr/api/v1/userinfo&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;end_session_endpoint&quot;</span><span class="sy0">:</span><span class="st0">&quot;https://fcp.integ01.dev-franceconnect.fr/api/v1/logout&quot;</span>
<span class="br0">&#125;</span></pre>
<p>
You can skip JWKS data, they are not provided by France Connect. The security relies on the symmetric key <code>client_secret</code>.
</p>
<p>
Go in <code>Exported attributes</code> to choose which attributes from “identité pivot” you want to collect. See <a href="https://doc.integ01.dev-franceconnect.fr/identite-pivot" class="urlextern" title="https://doc.integ01.dev-franceconnect.fr/identite-pivot" rel="nofollow">https://doc.integ01.dev-franceconnect.fr/identite-pivot</a>
</p>
<p>
Now go in <code>Options</code>:
</p>
<ul>
<li class="level1"><div class="li"> In <code>Configuration</code>, register the <code>client_id</code> and <code>client_secret</code> given by France Connect</div>
</li>
<li class="level1"><div class="li"> In <code>Protocol</code>, adapt the <code>scope</code> to the exported attributes you want. See <a href="https://doc.integ01.dev-franceconnect.fr/fs-scopes" class="urlextern" title="https://doc.integ01.dev-franceconnect.fr/fs-scopes" rel="nofollow">https://doc.integ01.dev-franceconnect.fr/fs-scopes</a></div>
</li>
<li class="level1"><div class="li"> In <code>Display</code>, you can set the name and the logo</div>
</li>
</ul>
</div>
</div><!-- closes <div class="dokuwiki export">-->
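Review bot: the new page ships with an empty &lt;title&gt;&lt;/title&gt;; set it to "France Connect" like the h1. The metadata example uses the integ01 (integration) endpoints; say so next to the example, since production endpoints will differ and the page already warns the platform is in beta. On "You can skip JWKS data... The security relies on the symmetric key client_secret": worth one more sentence that the ID token is then validated with that shared secret, so it must be stored and handled as a credential, not as a public identifier. Minor wording: "made by the French government", "It is currently in beta", and a space after the colon in "end_session_endpoint":.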

View File

@ -0,0 +1,113 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="google">Google</h1>
<div class="level1">
<p>
<img src="../../../media/applications/google_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "Google" [1-67] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
Do you we have to present <a href="http://www.google.com" class="urlextern" title="http://www.google.com" rel="nofollow">Google</a>? The good news is that Google is a standard OpenID Provider, and so you can easily delegate the authentication of <abbr title="LemonLDAP::NG">LL::NG</abbr> to Google: <a href="https://developers.google.com/identity/protocols/OpenIDConnect" class="urlextern" title="https://developers.google.com/identity/protocols/OpenIDConnect" rel="nofollow">https://developers.google.com/identity/protocols/OpenIDConnect</a>
</p>
<p>
<p><div class="noteimportant">Google does not support logout trough OpenID Connect. If you close your session on <abbr title="LemonLDAP::NG">LL::NG</abbr> side, your Google session will still be open.
</div></p>
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [68-507] -->
<h2 class="sectionedit3" id="register_on_google">Register on Google</h2>
<div class="level2">
<p>
You need a Google developer account to access to <a href="https://console.developers.google.com/" class="urlextern" title="https://console.developers.google.com/" rel="nofollow">https://console.developers.google.com/</a>
</p>
<p>
Here you can go in <abbr title="Application Programming Interface">API</abbr> Manager and get new credentials (<code>client_id</code> and <code>client_secret</code>).
</p>
<p>
You need to provide the callback URLs, for example <a href="https://auth.domain.com/?openidcallback=1" class="urlextern" title="https://auth.domain.com/?openidcallback=1" rel="nofollow">https://auth.domain.com/?openidcallback=1</a>.
</p>
</div>
<!-- EDIT3 SECTION "Register on Google" [508-818] -->
<h2 class="sectionedit4" id="declare_google_in_your_llng_server">Declare Google in your LL::NG server</h2>
<div class="level2">
<p>
Go in Manager and create a new OpenID Connect provider. You can call it <code>google</code> for example.
</p>
<p>
Click on <code>Metadata</code>, and use the OpenID Connect configuration <abbr title="Uniform Resource Locator">URL</abbr> to load them: <a href="https://accounts.google.com/.well-known/openid-configuration" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration" rel="nofollow">https://accounts.google.com/.well-known/openid-configuration</a>.
</p>
<p>
You can also load the JWKS data from the <abbr title="Uniform Resource Locator">URL</abbr> <a href="https://www.googleapis.com/oauth2/v3/certs" class="urlextern" title="https://www.googleapis.com/oauth2/v3/certs" rel="nofollow">https://www.googleapis.com/oauth2/v3/certs</a>. But as Google rotate their keys, we will also configure a refresh interval on JKWS data.
</p>
<p>
Go in <code>Exported attributes</code> to choose which attributes you want to collect. Google supports these claims:
</p>
<ul>
<li class="level1"><div class="li"> email</div>
</li>
<li class="level1"><div class="li"> email_verified</div>
</li>
<li class="level1"><div class="li"> family_name</div>
</li>
<li class="level1"><div class="li"> given_name</div>
</li>
<li class="level1"><div class="li"> locale</div>
</li>
<li class="level1"><div class="li"> name</div>
</li>
<li class="level1"><div class="li"> picture</div>
</li>
<li class="level1"><div class="li"> sub</div>
</li>
</ul>
<p>
Now go in <code>Options</code>:
</p>
<ul>
<li class="level1"><div class="li"> In <code>Configuration</code>, register the <code>client_id</code> and <code>client_secret</code> given by Google. Set also the configuration <abbr title="Uniform Resource Identifier">URI</abbr> with <a href="https://accounts.google.com/.well-known/openid-configuration" class="urlextern" title="https://accounts.google.com/.well-known/openid-configuration" rel="nofollow">https://accounts.google.com/.well-known/openid-configuration</a>, and JWKS refresh, for example every day: 86400.</div>
</li>
<li class="level1"><div class="li"> In <code>Protocol</code>, adapt the <code>scope</code> to the exported attributes you want. You can for example use <code>openid profile email</code>.</div>
</li>
<li class="level1"><div class="li"> In <code>Display</code>, you can set the name and the logo</div>
</li>
</ul>
</div>
</div><!-- closes <div class="dokuwiki export">-->
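Review bot: several typos in the new page: "Do you we have to present Google?" (drop "you"), "Google does not support logout trough" (through), "as Google rotate their keys" (rotates its keys), "refresh interval on JKWS data" (JWKS), and "access to https://console.developers.google.com/" (access). The &lt;title&gt; element is empty; set it to "Google". In the Options list, say that the JWKS refresh value is in seconds so "every day: 86400" is unambiguous.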

View File

@ -108,23 +108,7 @@ They are available at the EntityID <abbr title="Uniform Resource Locator">URL</a
<div class="level3">
<p>
In the Manager, select node <code><abbr title="Security Assertion Markup Language">SAML</abbr> identity providers</code> and click on <code>New identity provider</code>:
</p>
<p>
<a href="/_detail/documentation/manager-saml-idp-new.png?id=documentation%3A1.9%3Aauthsaml" class="media" title="documentation:manager-saml-idp-new.png"><img src="../../../media/documentation/manager-saml-idp-new.png" class="mediacenter" alt="" /></a>
</p>
<p>
The IDP name is asked, enter it and click OK.
</p>
<p>
Now you have access to the IDP parameters list:
</p>
<p>
<a href="/_detail/documentation/manager-saml-idp-list.png?id=documentation%3A1.9%3Aauthsaml" class="media" title="documentation:manager-saml-idp-list.png"><img src="../../../media/documentation/manager-saml-idp-list.png" class="mediacenter" alt="" /></a>
In the Manager, select node <code><abbr title="Security Assertion Markup Language">SAML</abbr> identity providers</code> and click on <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> IDP</code>. The IDP name is asked, enter it and click OK.
</p>
</div>
@ -137,11 +121,11 @@ You must register IDP metadata here. You can do it either by uploading the file,
</p>
<p>
<a href="/_detail/documentation/manager-saml-idp-metadata.png?id=documentation%3A1.9%3Aauthsaml" class="media" title="documentation:manager-saml-idp-metadata.png"><img src="../../../media/documentation/manager-saml-idp-metadata.png" class="mediacenter" alt="" /></a>
<img src="../../../media/documentation/manager-saml-metadata.png" class="mediacenter" alt="" />
</p>
<p>
<p><div class="notetip">You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.
<p><div class="notetip">You can also edit the metadata directly in the textarea
</div></p>
</p>
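Review bot: the rewritten tip "You can also edit the metadata directly in the textarea" drops the reminder to click Apply after editing and lost its trailing full stop. The Manager page on this same commit still says "When modifying a value, always click on the Apply button if available, to be sure the value is saved", so if that still holds for the metadata textarea, keep that sentence in the tip; if the textarea is now saved together with the rest of the configuration, say so explicitly.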
@ -167,7 +151,7 @@ For each attribute, you can set:
</ul>
<p>
<a href="/_detail/documentation/manager-saml-idp-attribute.png?id=documentation%3A1.9%3Aauthsaml" class="media" title="documentation:manager-saml-idp-attribute.png"><img src="../../../media/documentation/manager-saml-idp-attribute.png" class="mediacenter" alt="" /></a>
<img src="../../../media/documentation/manager-saml-attributes.png" class="mediacenter" alt="" />
</p>
</div>

View File

@ -71,6 +71,10 @@ Then, go in <code>Slave parameters</code>:
</li>
<li class="level1"><div class="li"> <strong>Master&#039;s <abbr title="Internet Protocol">IP</abbr> address</strong>: the <abbr title="Internet Protocol">IP</abbr> addresses of servers which are accredited to authenticate user. This is a security point, to prevent someone to create a session by sending custom headers. You can set one or several <abbr title="Internet Protocol">IP</abbr> addresses, separated by spaces, or let this parameter empty to disable the checking.</div>
</li>
<li class="level1"><div class="li"> <strong>Control header name</strong>: header that contains a value to control. Let this parameter empty to disable the checking.</div>
</li>
<li class="level1"><div class="li"> <strong>Control header content</strong>: value to control. Let this parameter empty to disable the checking.</div>
</li>
</ul>
<p>
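Review bot: the two new Slave parameters need a sentence on what "control" means, plus a grammar fix. "Let this parameter empty" should read "Leave this parameter empty" in both items (the existing IP item has the same wording, so fix all three while here). On substance: state that a session is only created when the request carries the header named in Control header name with exactly the value given in Control header content, and that leaving either field empty disables this check. Since the paragraph above presents the Master's IP address list as the protection against someone creating a session by sending custom headers, also say that the control header value is a secret shared with the master and is meant to be used in addition to the IP check, not as a replacement for it.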
@ -89,7 +93,7 @@ You have then to declare HTTP headers exported by the main <abbr title="Single S
<td class="col0 centeralign"> mail </td><td class="col1 centeralign"> User-Email </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [1290-1392] -->
<!-- EDIT5 TABLE [1510-1612] -->
<p>
See also <a href="../../documentation/1.9/exportedvars.html" class="wikilink1" title="documentation:1.9:exportedvars">exported variables configuration</a>.
</p>

View File

@ -110,11 +110,11 @@ If you can not access the Manager anymore, you can unprotect it by editing <code
The Manager displays main branches:
</p>
<ul>
<li class="level1"><div class="li"> <strong>General Parameters</strong>: authentication modules, portal, etc.</div>
<li class="level1"><div class="li"> <strong>General Parameters</strong>: 1uthentication modules, portal, etc.</div>
</li>
<li class="level1"><div class="li"> <strong>Variables</strong>: user information, macros and groups used to fill <abbr title="Single Sign On">SSO</abbr> session</div>
<li class="level1"><div class="li"> <strong>Variables</strong>: User information, macros and groups used to fill <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
<li class="level1"><div class="li"> <strong>Virtual Hosts</strong>: access rules, headers, etc.</div>
<li class="level1"><div class="li"> <strong>Virtual Hosts</strong>: Access rules, headers, etc.</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Security Assertion Markup Language">SAML</abbr> 2 Service</strong>: <abbr title="Security Assertion Markup Language">SAML</abbr> metadata administration</div>
</li>
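Review bot: the edited General Parameters line introduces a typo: "1uthentication modules" should be "Authentication modules". The change only meant to capitalise the first word of the description, as was done for Variables and Virtual Hosts.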
@ -122,17 +122,18 @@ The Manager displays main branches:
</li>
<li class="level1"><div class="li"> <strong><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</strong>: Registered SP</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID Connect Service</strong>: OpenID Connect service configuration</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID Connect Providers</strong>: Registered OP</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID Connect Relying Parties</strong>: Registered RP</div>
</li>
</ul>
<p>
LemonLDAP::NG configuration is mainly a key/value structure, so Manager will present all keys into a structured tree. A click on a key will display the associated value.
</p>
<p>
<p><div class="noteimportant">When modifying a value, always click on the <code>Apply</code> button if available, to be sure the value is saved.
</div></p>
</p>
<p>
When all modifications are done, click on <code>Save</code> to store configuration.
</p>
@ -142,34 +143,8 @@ When all modifications are done, click on <code>Save</code> to store configurati
</div></p>
</p>
<p>
You can change the graphical aspect of the Manager, by clicking on the <code>Menu style</code> button. It will open a dialog to choose:
</p>
<ul>
<li class="level1"><div class="li"> Menu organization: tree or accordion</div>
</li>
<li class="level1"><div class="li"> Theme (<a href="http://jqueryui.com/themeroller/" class="urlextern" title="http://jqueryui.com/themeroller/" rel="nofollow">jQuery UI theme</a>).</div>
</li>
</ul>
<p>
<p><div class="notetip">
Menu style preferences are stored in cookies (1 year duration). You can fix default values by editing these values in <code>lemonldap-ng.ini</code>, section <code>manager</code>:
</p>
<ul>
<li class="level1"><div class="li"> managerCss</div>
</li>
<li class="level1"><div class="li"> managerCssTheme</div>
</li>
</ul>
<p>
</div></p>
</p>
</div>
<!-- EDIT3 SECTION "Manager" [1050-3647] -->
<!-- EDIT3 SECTION "Manager" [1050-3236] -->
<h2 class="sectionedit4" id="configuration_text_editor">Configuration text editor</h2>
<div class="level2">
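Review bot: removing the Menu style paragraph also removes the only mention of the managerCss and managerCssTheme keys of the manager section of lemonldap-ng.ini. If the new Manager no longer reads these keys, check that the parameter list page does not still document them; if they still exist, they need to be documented somewhere else.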
@ -207,7 +182,7 @@ If a modification is done, the configuration is saved with a new configuration n
</p>
</div>
<!-- EDIT4 SECTION "Configuration text editor" [3648-4872] -->
<!-- EDIT4 SECTION "Configuration text editor" [3237-4461] -->
<h2 class="sectionedit5" id="command_line_interface_cli">Command Line Interface (CLI)</h2>
<div class="level2">
@ -256,7 +231,7 @@ To get information abour current configuration:
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli info</pre>
</div>
<!-- EDIT5 SECTION "Command Line Interface (CLI)" [4873-6018] -->
<!-- EDIT5 SECTION "Command Line Interface (CLI)" [4462-5607] -->
<h2 class="sectionedit6" id="apache">Apache</h2>
<div class="level2">
@ -287,7 +262,7 @@ These files must be included in Apache configuration, either with <code>Include<
</p>
</div>
<!-- EDIT6 SECTION "Apache" [6019-6778] -->
<!-- EDIT6 SECTION "Apache" [5608-6367] -->
<h3 class="sectionedit7" id="portal">Portal</h3>
<div class="level3">
@ -366,6 +341,13 @@ In Portal virtual host, you will find several configuration parts:
&lt;<span class="kw3">IfModule</span> mod_rewrite.c&gt;
<span class="kw1">RewriteEngine</span> <span class="kw2">On</span>
<span class="kw1">RewriteRule</span> ^/openidserver/.* /index.pl
&lt;/<span class="kw3">IfModule</span>&gt;
&nbsp;
<span class="co1"># OpenID Connect Issuer</span>
&lt;<span class="kw3">IfModule</span> mod_rewrite.c&gt;
<span class="kw1">RewriteEngine</span> <span class="kw2">On</span>
<span class="kw1">RewriteRule</span> ^/oauth2/.* /index.pl
<span class="kw1">RewriteRule</span> ^/.well-known/openid-configuration$ /openid-configuration.pl
&lt;/<span class="kw3">IfModule</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> Some Perl optimizations:</div>
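Review bot: in the new OpenID Connect Issuer block, the dot in "RewriteRule ^/.well-known/openid-configuration$ /openid-configuration.pl" is an unescaped regex metacharacter, so the pattern also matches paths such as "/xwell-known/openid-configuration". Escape it ("^/\.well-known/openid-configuration$"); harmless today, but cleaner and consistent with the anchored pattern.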
@ -384,35 +366,54 @@ In Portal virtual host, you will find several configuration parts:
&lt;/Perl&gt;</pre>
</div>
<!-- EDIT7 SECTION "Portal" [6779-9212] -->
<!-- EDIT7 SECTION "Portal" [6368-9028] -->
<h3 class="sectionedit8" id="manager1">Manager</h3>
<div class="level3">
<p>
Manager virtual host is used to serve configuration interface and local documentation.
Manager virtual host is used to serve configuration interface and local documentation. It is run as a FastCGI application:
</p>
<ul>
<li class="level1"><div class="li"> Configuration interface access is not protected by Apache but by LemonLDAP::NG itself (see <code>lemonldap-ng.ini</code>):</div>
</li>
</ul>
<pre class="code file apache"> <span class="kw1">DocumentRoot</span> /usr/local/lemonldap-ng/htdocs/manager/
&lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/manager/&gt;
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<pre class="code file apache"> <span class="co1"># FASTCGI CONFIGURATION</span>
<span class="co1"># ---------------------</span>
&nbsp;
<span class="co1"># 1) URI management</span>
<span class="kw1">RewriteEngine</span> <span class="kw2">on</span>
&nbsp;
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi&quot;</span> [PT]
<span class="co1"># For performances, you can delete the previous RewriteRule line after</span>
<span class="co1"># puttings html files: simply put the HTML results of differents modules</span>
<span class="co1"># (configuration, sessions, notifications) as manager.html, sessions.html,</span>
<span class="co1"># notifications.html and uncomment the 2 following lines:</span>
<span class="co1"># DirectoryIndex manager.html</span>
<span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
&nbsp;
<span class="co1"># REST URLs</span>
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|fr-doc|lib).*&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]
&nbsp;
<span class="kw1">Alias</span> /psgi/ /var/lib/lemonldap-ng/manager/psgi/
&nbsp;
<span class="co1"># 2) FastCGI engine</span>
&nbsp;
<span class="co1"># You can choose any FastCGI system. Here is an example using mod_fcgid</span>
<span class="co1"># mod_fcgid configuration</span>
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/manager/psgi/&gt;
<span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Directory</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> Local documentation is open to all:</div>
</li>
</ul>
<pre class="code file apache"> <span class="kw1">Alias</span> /doc/ /usr/local/lemonldap-ng/htdocs/doc/
&lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/doc/&gt;
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
&lt;/<span class="kw3">Directory</span>&gt;</pre>
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
<span class="co1"># If you want to use mod_fastcgi, replace lines below by:</span>
<span class="co1">#FastCgiServer /var/lib/lemonldap-ng/manager/psgi/manager-server.fcgi</span>
&nbsp;
<span class="co1"># Or if you prefer to use CGI, use /psgi/manager-server.cgi instead of</span>
<span class="co1"># /psgi/manager-server.fcgi and adapt the rewrite rules.</span></pre>
<p>
Configuration interface access is not protected by Apache but by LemonLDAP::NG itself (see <code>lemonldap-ng.ini</code>).
</p>
</div>
<!-- EDIT8 SECTION "Manager" [9213-9897] -->
<!-- EDIT8 SECTION "Manager" [9029-10581] -->
<h3 class="sectionedit9" id="handler">Handler</h3>
<div class="level3">
<ul>
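Review bot: the new "<Directory /var/lib/lemonldap-ng/manager/psgi/>" block carries "SetHandler fcgid-script" and "Options +ExecCGI" but no access directive, unlike the documentation block just below which keeps "Order deny,allow" / "Allow from all". Apache denies access to directories outside DocumentRoot by default, so the FastCGI scripts would not be served; add the same grant (Allow from all, or "Require all granted" on Apache 2.4) to the psgi block. Two smaller points: the comments contain typos ("For performances" should be "For performance", "puttings html files" should be "putting html files", "differents modules" should be "different modules"), and the closing comment "# If you want to use mod_fastcgi, replace lines below by:" sits at the end of the file, so it should probably say "lines above" (the mod_fcgid Directory block).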
@ -420,12 +421,7 @@ Manager virtual host is used to serve configuration interface and local document
</li>
</ul>
<pre class="code file apache">PerlOptions +GlobalRequest
PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm</pre>
<p>
<p><div class="noteimportant">The Handler must be loaded before any protected virtual host.
</div></p>
</p>
PerlRequire Lemonldap/NG/Handler.pm</pre>
<ul>
<li class="level1"><div class="li"> Catch error pages:</div>
</li>
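Review bot: the removed noteimportant "The Handler must be loaded before any protected virtual host" still applies after switching to "PerlRequire Lemonldap/NG/Handler.pm": the "PerlHeaderParserHandler Lemonldap::NG::Handler" lines used in the protected virtual hosts below still need the module loaded first. Keep the note (re-worded if the loading mechanism changed). Dropping the MyHandler.pm path is consistent with the removal of the Script files section further down in this commit.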
@ -447,7 +443,7 @@ PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm</pre>
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 127.0.0.0/<span class="nu0">8</span>
PerlHeaderParserHandler Lemonldap::NG::Handler-&gt;refresh
PerlHeaderParserHandler Lemonldap::NG::Handler-&gt;reload
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># Uncomment this to activate status module</span>
@ -466,7 +462,7 @@ Then, to protect a standard virtual host, the only configuration line to add is:
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler</pre>
</div>
<!-- EDIT9 SECTION "Handler" [9898-11201] -->
<!-- EDIT9 SECTION "Handler" [10582-11777] -->
<h2 class="sectionedit10" id="configuration_reload">Configuration reload</h2>
<div class="level2">
@ -509,7 +505,7 @@ The <code>reload</code> target is managed in Apache configuration, inside a virt
</p>
</div>
<!-- EDIT10 SECTION "Configuration reload" [11202-12569] -->
<!-- EDIT10 SECTION "Configuration reload" [11778-13145] -->
<h2 class="sectionedit11" id="local_file">Local file</h2>
<div class="level2">
@ -546,47 +542,5 @@ For example, to override configured skin for portal:
</div></p>
</p>
</div>
<!-- EDIT11 SECTION "Local file" [12570-13427] -->
<h2 class="sectionedit12" id="script_files">Script files</h2>
<div class="level2">
<p>
LemonLDAP::NG allows to override any configuration parameter directly in script file. However, it is not advised to edit such files, as they are part of the program, and will be erased at next upgrade.
</p>
<p>
<p><div class="notetip">You also need to know the technical name of configuration parameter to do this. You can refer to <a href="../../documentation/1.9/parameterlist.html" class="wikilink1" title="documentation:1.9:parameterlist">parameter list</a> to find it.
</div></p>
</p>
</div>
<!-- EDIT12 SECTION "Script files" [13428-13816] -->
<h3 class="sectionedit13" id="portal1">Portal</h3>
<div class="level3">
<p>
For example, in portal/index.pl:
</p>
<pre class="code file perl"><span class="kw1">my</span> <span class="re0">$portal</span> <span class="sy0">=</span> Lemonldap<span class="sy0">::</span><span class="me2">NG</span><span class="sy0">::</span><span class="me2">Portal</span><span class="sy0">::</span><span class="me2">SharedConf</span><span class="sy0">-&gt;</span><span class="kw2">new</span><span class="br0">&#40;</span>
<span class="br0">&#123;</span>
portalSkin <span class="sy0">=&gt;</span> <span class="st_h">'dark'</span><span class="sy0">,</span>
<span class="br0">&#125;</span>
<span class="br0">&#41;</span><span class="sy0">;</span></pre>
</div>
<!-- EDIT13 SECTION "Portal" [13817-13987] -->
<h3 class="sectionedit14" id="handler1">Handler</h3>
<div class="level3">
<p>
For example, in handler/MyHandler.pm:
</p>
<pre class="code file perl">__PACKAGE__<span class="sy0">-&gt;</span><span class="me1">init</span><span class="br0">&#40;</span>
<span class="br0">&#123;</span>
domain <span class="sy0">=&gt;</span> <span class="st_h">'acme.com'</span><span class="sy0">,</span>
<span class="br0">&#125;</span>
<span class="br0">&#41;</span><span class="sy0">;</span></pre>
</div>
</div><!-- closes <div class="dokuwiki export">-->
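Review bot: deleting the Script files section removes the anchors #script_files, #portal1 and #handler1 from this page; check that no other page or the navigation still links to them. The portalSkin example survives in the Local file section above ("For example, to override configured skin for portal:"), so no information is lost, but a sentence saying that overriding parameters directly in the scripts is no longer supported would tell readers of the old documentation why the section disappeared.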

View File

@ -56,7 +56,7 @@ Prerequisites:
<li class="level1"><div class="li"> Add auth.example.com/manager.example.com/test1.example.com/test2.example.com to /etc/hosts on the host</div>
</li>
</ul>
<pre class="code">sudo echo &quot;127.0.0.1 auth.example.com manager.example.com test1.example.com test2.example.com&quot; &gt;&gt; /etc/hosts</pre>
<pre class="code">echo &quot;127.0.0.1 auth.example.com manager.example.com test1.example.com test2.example.com&quot; | sudo tee -a /etc/hosts</pre>
<ul>
<li class="level1"><div class="li"> Map the container port 80 to host port 80 (option -p)</div>
</li>
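Review bot: correct fix. In the old line "sudo echo ... >> /etc/hosts" only echo ran as root while the shell opened /etc/hosts as the unprivileged user, so the append failed with a permission error; "echo ... | sudo tee -a /etc/hosts" performs the write as root. Optionally append "> /dev/null" after tee so the line is not echoed back to the terminal.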

View File

@ -60,17 +60,17 @@ Examples for <a href="../../documentation/1.9/authldap.html" class="wikilink1" t
You can define exported variables for each module in the module configuration itself. Variables defined in the main <code>Exported variables</code> will be used for each backend. Variables defined in the exported variables node of the module will be used only for that module.
</p>
<p>
<img src="../../../media/documentation/manager-exported-variables.png" class="mediacenter" title="Exported variables in the Manager" alt="Exported variables in the Manager" />
</p>
<p>
<p><div class="notetip">You can define environment variables in <code>Exported variables</code>, this allows to populate user session with some environment values. Environment variables will not be queried in users database.
</div></p>
</p>
<p>
<a href="/_detail/documentation/exportedvars.png?id=documentation%3A1.9%3Aexportedvars" class="media" title="documentation:exportedvars.png"><img src="../../../media/documentation/exportedvars.png" class="mediacenter" title="Exported variables in the Manager" alt="Exported variables in the Manager" width="500" /></a>
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [35-1250] -->
<!-- EDIT2 SECTION "Presentation" [35-1266] -->
<h2 class="sectionedit4" id="extend_variables_using_macros_and_groups">Extend variables using macros and groups</h2>
<div class="level2">

View File

@ -39,11 +39,11 @@
</ul>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with the <abbr title="Central Authentication Service">CAS</abbr> protocol <a href="http://www.jasig.org/cas/protocol" class="urlextern" title="http://www.jasig.org/cas/protocol" rel="nofollow">versions 1.0 and 2.0</a>. This protocol does not define any attributes exchange mechanism, so only authentication is managed.
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with the <a href="https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html" class="urlextern" title="https://jasig.github.io/cas/development/protocol/CAS-Protocol-Specification.html" rel="nofollow">CAS protocol</a> versions 1.0, 2.0 and part of 3.0 (attributes exchange).
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [27-424] -->
<!-- EDIT2 SECTION "Presentation" [27-406] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
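Review bot: "versions 1.0, 2.0 and part of 3.0 (attributes exchange)" is vague, and the sentence it replaces said the protocol has no attribute exchange mechanism at all, so readers need to know what exactly is implemented: whether attributes are only released in the validation response, and whether the 3.0 /p3/ validation endpoints are supported. Please state what is and is not covered.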

View File

@ -210,13 +210,98 @@ You can then access to the configuration of this RP.
<div class="level4">
<p>
You can map here the attribute names from the <abbr title="LemonLDAP::NG">LL::NG</abbr> session to an OpenID Connect claim.
You can map here the attribute names from the <abbr title="LemonLDAP::NG">LL::NG</abbr> session to an <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">OpenID Connect claim</a>.
</p>
<p>
<p><div class="notetip">See <a href="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" class="urlextern" title="http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims" rel="nofollow">http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims</a> to know the names of standards claims.
</div></p>
</p>
</div>
<div class="plugin_include_content" id="plugin_include__documentation:1.9:openidconnectclaims">
<div class="level1">
<div class="table sectionedit8"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0"> Claim name </th><th class="col1"> Type </th><th class="col2"> Example of corresponding LDAP attribute </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> sub </td><td class="col1"> string </td><td class="col2"> uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> name </td><td class="col1"> string </td><td class="col2"> cn </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> given_name </td><td class="col1"> string </td><td class="col2"> givenName </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> family_name </td><td class="col1"> string </td><td class="col2"> sn </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> middle_name </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> nickname </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> preferred_username </td><td class="col1"> string </td><td class="col2"> displayName </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> profile </td><td class="col1"> string </td><td class="col2"> labeledURI </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> picture </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> website </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> email </td><td class="col1"> string </td><td class="col2"> mail </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> email_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> gender </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> birthdate </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> zoneinfo </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> locale </td><td class="col1"> string </td><td class="col2"> preferredLanguage </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> phone_number </td><td class="col1"> string </td><td class="col2"> telephoneNumber </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> phone_number_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> updated_at </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> formatted </td><td class="col1"> string </td><td class="col2"> registeredAddress </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> street_address </td><td class="col1"> string </td><td class="col2"> street </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> locality </td><td class="col1"> string </td><td class="col2"> l </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> region </td><td class="col1"> string </td><td class="col2"> st </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> postal_code </td><td class="col1"> string </td><td class="col2"> postalCode </td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> country </td><td class="col1"> string </td><td class="col2"> co </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [38-861] -->
</div>
</div>
<div class="level4">
<p>
So you can define for example:
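Review bot: two corrections to the new claims table. "updated_at" is a number in OpenID Connect Core 1.0 (seconds since the epoch), not a string. The last six rows (formatted, street_address, locality, region, postal_code, country) are not top-level claims but members of the "address" JSON object, so mark them as such (for example "address.formatted" or an "Address claim" sub-heading); otherwise an RP expecting an "address" claim will not find it.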

View File

@ -49,14 +49,14 @@
<div class="table sectionedit3"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Google Apps </th><th class="col1 centeralign"> Zimbra </th><th class="col2 centeralign"> SAP </th><th class="col3 centeralign"> Cornerstone </th><th class="col4 centeralign"> SalesForce </th>
<th class="col0 centeralign"> Google Apps </th><th class="col1 centeralign"> Cornerstone </th><th class="col2 centeralign"> SalesForce </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/googleapps.html" class="media" title="documentation:1.9:applications:googleapps"><img src="../../../media/applications/googleapps_logo.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" class="media" title="http://blog.zimbra.com/blog/archives/2010/06/using-saml-assertions-to-access-zimbra.html" rel="nofollow"><img src="../../../media/applications/zimbra_logo.png" class="media" alt="" /></a> </td><td class="col2 centeralign"> <a href="http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" class="media" title="http://help.sap.com/saphelp_nw04/helpdata/en/94/695b3ebd564644e10000000a114084/content.htm" rel="nofollow"><img src="../../../media/applications/saplogo.gif" class="media" title="SAP" alt="SAP" /></a> </td><td class="col3 centeralign"> <a href="../../documentation/1.9/applications/cornerstone.html" class="media" title="documentation:1.9:applications:cornerstone"><img src="../../../media/applications/csod_logo.png" class="media" alt="" /></a> </td><td class="col4 centeralign"> <a href="../../documentation/1.9/applications/salesforce.html" class="media" title="documentation:1.9:applications:salesforce"><img src="../../../media/applications/salesforce-logo.jpg" class="medialeft" align="left" alt="" /></a> </td>
<td class="col0 centeralign"> <a href="../../documentation/1.9/applications/googleapps.html" class="media" title="documentation:1.9:applications:googleapps"><img src="../../../media/applications/googleapps_logo.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="../../documentation/1.9/applications/cornerstone.html" class="media" title="documentation:1.9:applications:cornerstone"><img src="../../../media/applications/csod_logo.png" class="mediacenter" alt="" /></a> </td><td class="col2 centeralign"> <a href="../../documentation/1.9/applications/salesforce.html" class="media" title="documentation:1.9:applications:salesforce"><img src="../../../media/applications/salesforce-logo.jpg" class="mediacenter" alt="" /></a> </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [2693-3238] -->
<!-- EDIT3 TABLE [2692-2963] -->
</div>
</div>
<div class="level2">
@ -122,11 +122,7 @@ They are available at the EntityID <abbr title="Uniform Resource Locator">URL</a
<div class="level3">
<p>
In the Manager, select node <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and click on New service provider:
</p>
<p>
<a href="/_detail/documentation/manager-saml-sp-new.png?id=documentation%3A1.9%3Aidpsaml" class="media" title="documentation:manager-saml-sp-new.png"><img src="../../../media/documentation/manager-saml-sp-new.png" class="mediacenter" alt="" /></a>
In the Manager, select node <abbr title="Security Assertion Markup Language">SAML</abbr> service providers and click on <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.
</p>
<p>
@ -147,7 +143,11 @@ You must register SP metadata here. You can do it either by uploading the file,
</p>
<p>
<p><div class="notetip">You can also copy/paste the metadata: just click on the Edit button. When the text is pasted, click on the Apply button to keep the value.
<img src="../../../media/documentation/manager-saml-metadata.png" class="mediacenter" alt="" />
</p>
<p>
<p><div class="notetip">You can also edit the metadata directly in the textarea
</div></p>
</p>
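Review bot: the new tip "You can also edit the metadata directly in the textarea" lacks a trailing full stop and no longer tells the reader to click Apply after editing; if Apply is still required for the textarea value to be kept, restore that sentence.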
@ -156,18 +156,22 @@ You must register SP metadata here. You can do it either by uploading the file,
<h4 id="exported_attributes">Exported attributes</h4>
<div class="level4">
<p>
<img src="../../../media/documentation/manager-saml-attributes.png" class="mediacenter" alt="" />
</p>
<p>
For each attribute, you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Key name</strong>: name of the key in LemonLDAP::NG session</div>
</li>
<li class="level1"><div class="li"> <strong>Mandatory</strong>: if set to “On”, then this attribute will be sent in authentication response. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.</div>
</li>
<li class="level1"><div class="li"> <strong>Name</strong>: <abbr title="Security Assertion Markup Language">SAML</abbr> attribute name.</div>
</li>
<li class="level1"><div class="li"> <strong>Friendly Name</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute friendly name.</div>
</li>
<li class="level1"><div class="li"> <strong>Mandatory</strong>: if set to “On”, then this attribute will be sent in authentication response. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.</div>
</li>
<li class="level1"><div class="li"> <strong>Format</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute format.</div>
</li>
</ul>
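Review bot: the moved Mandatory line still reads "it just will be sent trough an attribute response"; since the line is touched anyway, fix it to "it will just be sent through an attribute response". The new order (Key name, Name, Friendly Name, Mandatory, Format) presumably mirrors the Manager form, which is an improvement.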

View File

@ -20,22 +20,24 @@
<div class="dokuwiki export">
<h1 class="sectionedit1" id="installation_on_redhatcentos">Installation on RedHat/CentOS</h1>
<h1 class="sectionedit1" id="installation_on_red_hatcentos">Installation on Red Hat/CentOS</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Installation on RedHat/CentOS" [1-45] -->
<!-- EDIT1 SECTION "Installation on Red Hat/CentOS" [1-46] -->
<h2 class="sectionedit2" id="organization">Organization</h2>
<div class="level2">
<p>
LemonLDAP::NG provides these packages:
LemonLDAP::NG provides packages for Red Hat/Centos 6 and 7:
</p>
<ul>
<li class="level1"><div class="li"> lemonldap-ng: meta-package, contains no file but dependencies on other packages</div>
</li>
<li class="level1"><div class="li"> lemonldap-ng-doc: contains <abbr title="HyperText Markup Language">HTML</abbr> documentation and project docs (README, etc.)</div>
</li>
<li class="level1"><div class="li"> lemonldap-ng-fr-doc: French translation for documentation</div>
</li>
<li class="level1"><div class="li"> lemonldap-ng-conf: contains default configuration (<abbr title="Domain Name System">DNS</abbr> domain: example.com)</div>
</li>
<li class="level1"><div class="li"> lemonldap-ng-test: contains sample CGI test page</div>
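Review bot: "Red Hat/Centos 6 and 7" should be "Red Hat/CentOS 6 and 7" to match the new heading "Installation on Red Hat/CentOS" in the same hunk.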
@ -46,6 +48,8 @@ LemonLDAP::NG provides these packages:
</li>
<li class="level1"><div class="li"> lemonldap-ng-portal: contains authentication portal and menu</div>
</li>
<li class="level1"><div class="li"> lemonldap-ng-fastcgi-server: FastCGI server needed to use Nginx</div>
</li>
<li class="level1"><div class="li"> perl-Lemonldap-NG-Common: CPAN - Shared modules</div>
</li>
<li class="level1"><div class="li"> perl-Lemonldap-NG-Handler: CPAN - Handler modules</div>
@ -56,21 +60,13 @@ LemonLDAP::NG provides these packages:
</li>
</ul>
<p>
This schema shows the dependencies between modules:
</p>
<p>
<a href="/_detail/documentation/lemonldap-ng-packages.png?id=documentation%3A1.9%3Ainstallrpm" class="media" title="documentation:lemonldap-ng-packages.png"><img src="../../../media/documentation/lemonldap-ng-packages.png" class="mediacenter" alt="" /></a>
</p>
</div>
<!-- EDIT2 SECTION "Organization" [46-943] -->
<!-- EDIT2 SECTION "Organization" [47-993] -->
<h2 class="sectionedit3" id="get_the_packages">Get the packages</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Get the packages" [944-973] -->
<!-- EDIT3 SECTION "Get the packages" [994-1023] -->
<h3 class="sectionedit4" id="yum_repository">YUM repository</h3>
<div class="level3">
@ -80,18 +76,13 @@ You can add this YUM repository to get recent packages:
<pre class="code">vi /etc/yum.repos.d/lemonldap-ng.repo</pre>
<pre class="file">[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=http://lemonldap-ng.org/rpm/
baseurl=http://lemonldap-ng.org/rpm6/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2</pre>
<p>
<p><div class="notetip">
Change the base <abbr title="Uniform Resource Locator">URL</abbr> for EL6 packages:
</p>
<pre class="file">baseurl=http://lemonldap-ng.org/rpm6/</pre>
<p>
Change the base <abbr title="Uniform Resource Locator">URL</abbr> for EL7 packages:
</p>
<pre class="file">baseurl=http://lemonldap-ng.org/rpm7/</pre>
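Review bot: the default baseurl now points to rpm6 and only the EL7 variant remains as a tip, so say in the sentence before the file that the repository file shown is for EL6; otherwise readers on EL7 can miss the "rpm6" in the baseurl. Keeping gpgcheck=1 with the OW2 key file is right.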
@ -114,7 +105,7 @@ You must also install the EPEL repository for non-core dependencies. See <a href
</p>
</div>
<!-- EDIT4 SECTION "YUM repository" [974-1698] -->
<!-- EDIT4 SECTION "YUM repository" [1024-1658] -->
<h3 class="sectionedit5" id="manual_download">Manual download</h3>
<div class="level3">
@ -123,7 +114,7 @@ RPMs are available on the <a href="../../download.html" class="wikilink1" title=
</p>
</div>
<!-- EDIT5 SECTION "Manual download" [1699-1781] -->
<!-- EDIT5 SECTION "Manual download" [1659-1741] -->
<h2 class="sectionedit6" id="package_gpg_signature">Package GPG signature</h2>
<div class="level2">
@ -137,12 +128,12 @@ Install it to trust RPMs:
<pre class="code">rpm --import rpm-gpg-key-ow2</pre>
</div>
<!-- EDIT6 SECTION "Package GPG signature" [1782-1947] -->
<!-- EDIT6 SECTION "Package GPG signature" [1742-1907] -->
<h2 class="sectionedit7" id="install_packages">Install packages</h2>
<div class="level2">
</div>
<!-- EDIT7 SECTION "Install packages" [1948-1977] -->
<!-- EDIT7 SECTION "Install packages" [1908-1937] -->
<h3 class="sectionedit8" id="with_yum">With YUM</h3>
<div class="level3">
@ -164,7 +155,7 @@ You can also use yum on local RPMs file:
<pre class="code">yum localinstall lemonldap-ng-* perl-Lemonldap-NG-*</pre>
</div>
<!-- EDIT8 SECTION "With YUM" [1978-2395] -->
<!-- EDIT8 SECTION "With YUM" [1938-2355] -->
<h3 class="sectionedit9" id="with_rpm">With RPM</h3>
<div class="level3">
@ -188,25 +179,13 @@ Install the package <code>lemonldap-ng-conf</code> on all server which contains
</div></p>
</p>
<p>
<p><div class="notewarning">
If you install packages on 64bits system, create those symbolic links:
</p>
<pre class="code">ln -s /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap /usr/lib64/perl5/
ln -s /usr/lib/perl5/vendor_perl/5.8.8/auto/Lemonldap /usr/lib64/perl5/auto/</pre>
<p>
</div></p>
</p>
</div>
<!-- EDIT9 SECTION "With RPM" [2396-3117] -->
<!-- EDIT9 SECTION "With RPM" [2356-2823] -->
<h2 class="sectionedit10" id="first_configuration_steps">First configuration steps</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "First configuration steps" [3118-3156] -->
<!-- EDIT10 SECTION "First configuration steps" [2824-2862] -->
<h3 class="sectionedit11" id="change_default_dns_domain">Change default DNS domain</h3>
<div class="level3">
@ -216,7 +195,7 @@ By default, <abbr title="Domain Name System">DNS</abbr> domain is <code>example.
<pre class="code shell">sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl</pre>
</div>
<!-- EDIT11 SECTION "Change default DNS domain" [3157-3471] -->
<!-- EDIT11 SECTION "Change default DNS domain" [2863-3177] -->
<h3 class="sectionedit12" id="apache_virtual_host">Apache virtual host</h3>
<div class="level3">
@ -236,7 +215,7 @@ Check Apache configuration and restart:
apachectl restart</pre>
</div>
<!-- EDIT12 SECTION "Apache virtual host" [3472-3866] -->
<!-- EDIT12 SECTION "Apache virtual host" [3178-3572] -->
<h3 class="sectionedit13" id="default_virtual_host">Default virtual host</h3>
<div class="level3">
@ -254,7 +233,7 @@ If you have an apache fresh install, it can be a good idea to completely disable
</p>
</div>
<!-- EDIT13 SECTION "Default virtual host" [3867-4274] -->
<!-- EDIT13 SECTION "Default virtual host" [3573-3980] -->
<h3 class="sectionedit14" id="reload_virtual_host">Reload virtual host</h3>
<div class="level3">
@ -269,7 +248,7 @@ To allow the manager to reload the configuration, register the reload virtual ho
</p>
</div>
<!-- EDIT14 SECTION "Reload virtual host" [4275-4576] -->
<!-- EDIT14 SECTION "Reload virtual host" [3981-4282] -->
<h3 class="sectionedit15" id="upgrade">Upgrade</h3>
<div class="level3">
@ -277,29 +256,8 @@ To allow the manager to reload the configuration, register the reload virtual ho
If you upgraded <abbr title="LemonLDAP::NG">LL::NG</abbr>, check all <a href="../../documentation/1.9/upgrade.html" class="wikilink1" title="documentation:1.9:upgrade">upgrade notes</a>.
</p>
<p>
For apache configuration, you may have to remove the old symbolic link, if not done by the RPM:
</p>
<pre class="code shell">rm -f /etc/httpd/conf.d/z-lemonldap-ng.conf</pre>
<p>
Your old Apache configuration should have been saved, you need to port your specificities in new Apache configuration files:
</p>
<pre class="code shell">vi /etc/lemonldap-ng/apache2.conf.rpmsave</pre>
<p>
The upgrade process will also have migrate old configuration files into <code>/etc/lemonldap-ng/lemonldap-ng.ini</code>. This includes the application list which is now set in the <code>applicationList</code> parameter from <code>[portal]</code> section, for example:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">applicationList</span><span class="sy0">=</span><span class="re2"><span class="br0">&#123;</span> 'Menu' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'category', 'Example' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'category', 'test1' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'application', options <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> name <span class="sy0">=</span>&gt; 'Application Test 1', uri <span class="sy0">=</span>&gt; 'http://test1.example.com/', description <span class="sy0">=</span>&gt; 'A simple application displaying authenticated user', logo <span class="sy0">=</span>&gt; 'wheels.png', display <span class="sy0">=</span>&gt; 'auto', <span class="br0">&#125;</span>, <span class="br0">&#125;</span>,'test2' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'application', options <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> name <span class="sy0">=</span>&gt; 'Application Test 2', uri <span class="sy0">=</span>&gt; 'http://test2.example.com/', description <span class="sy0">=</span>&gt; 'The same simple application displaying authenticated user', logo <span class="sy0">=</span>&gt; 'wheels.png', display <span class="sy0">=</span>&gt; 'auto', <span class="br0">&#125;</span>, <span class="br0">&#125;</span>, <span class="br0">&#125;</span>,'Administration' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'category', 'manager' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'application', options <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> name <span class="sy0">=</span>&gt; 'WebSSO Manager', uri <span class="sy0">=</span>&gt; 'http://manager.example.com/', description 
<span class="sy0">=</span>&gt; 'Configure LemonLDAP::NG WebSSO', logo <span class="sy0">=</span>&gt; 'tools.png', display <span class="sy0">=</span>&gt; 'on', <span class="br0">&#125;</span>, <span class="br0">&#125;</span>,'sessions' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'application', options <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> name <span class="sy0">=</span>&gt; 'Sessions explorer', uri <span class="sy0">=</span>&gt; 'http://manager.example.com/sessions.pl', description <span class="sy0">=</span>&gt; 'Explore WebSSO sessions', logo <span class="sy0">=</span>&gt; 'tools.png', display <span class="sy0">=</span>&gt; 'on', <span class="br0">&#125;</span>, <span class="br0">&#125;</span>, <span class="br0">&#125;</span>,'Documentation' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'category', 'localdoc' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'application', options <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> name <span class="sy0">=</span>&gt; 'Local documentation', uri <span class="sy0">=</span>&gt; 'http://manager.example.com/doc/', description <span class="sy0">=</span>&gt; 'Documentation supplied with LemonLDAP::NG', logo <span class="sy0">=</span>&gt; 'docs.png', display <span class="sy0">=</span>&gt; 'on', <span class="br0">&#125;</span>, <span class="br0">&#125;</span>,'officialwebsite' <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> type <span class="sy0">=</span>&gt; 'application', options <span class="sy0">=</span>&gt; <span class="br0">&#123;</span> name <span class="sy0">=</span>&gt; 'Offical Website', uri <span class="sy0">=</span>&gt; 'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation', description <span class="sy0">=</span>&gt; 'Official LemonLDAP::NG Website', logo <span class="sy0">=</span>&gt; 
'web.png', display <span class="sy0">=</span>&gt; 'on', <span class="br0">&#125;</span>, <span class="br0">&#125;</span>, <span class="br0">&#125;</span>, <span class="br0">&#125;</span>, <span class="br0">&#125;</span></span></pre>
<p>
<p><div class="noteimportant">You should now use the Manager to configure all <a href="../../documentation/1.9/portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:1.9:portalmenu">applications and categories</a>, and then comment or remove the <code>applicationList</code> parameter from <code>/etc/lemonldap-ng/lemonldap-ng.ini</code>.
</div></p>
</p>
</div>
<!-- EDIT15 SECTION "Upgrade" [4577-7086] -->
<!-- EDIT15 SECTION "Upgrade" [4283-4363] -->
<h3 class="sectionedit16" id="dns">DNS</h3>
<div class="level3">
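Review bot: dropping the old migration steps (the `z-lemonldap-ng.conf` symlink removal, `apache2.conf.rpmsave`, and the `applicationList` migration into `lemonldap-ng.ini`) leaves this section with nothing but a link to the upgrade notes. Check that those notes still tell admins where the RPM saves their previous Apache configuration (the `.rpmsave` file) and that `applicationList` in the ini file is superseded by the Manager; otherwise someone upgrading from an old release loses the only pointer to their customised configuration.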
@ -323,7 +281,7 @@ Follow the <a href="../../documentation/1.9/start.html#configuration" class="wik
</p>
</div>
<!-- EDIT16 SECTION "DNS" [7087-7359] -->
<!-- EDIT16 SECTION "DNS" [4364-4636] -->
<h2 class="sectionedit17" id="file_location">File location</h2>
<div class="level2">
<ul>
@ -340,7 +298,7 @@ Follow the <a href="../../documentation/1.9/start.html#configuration" class="wik
</ul>
</div>
<!-- EDIT17 SECTION "File location" [7360-7716] -->
<!-- EDIT17 SECTION "File location" [4637-4993] -->
<h2 class="sectionedit18" id="build_your_packages">Build your packages</h2>
<div class="level2">
@ -354,12 +312,12 @@ If you need it, you can rebuild RPMs:
</li>
<li class="level1"><div class="li"> Put LemonLDAP::NG tarball in %_topdir/SOURCES</div>
</li>
<li class="level1"><div class="li"> Edit ~/.rpmmacros and set your build parameters (example for RHEL5):</div>
<li class="level1"><div class="li"> Edit ~/.rpmmacros and set your build parameters (example for RHEL6):</div>
</li>
</ul>
<pre class="file">%_topdir /home/user/build
%dist .el5
%rhel 5</pre>
%dist .el6
%rhel 6</pre>
<ul>
<li class="level1"><div class="li"> Go to %_topdir</div>
</li>

View File

@ -43,7 +43,7 @@ Get the tarball from <a href="../../download.html" class="wikilink1" title="down
<div class="level2">
<p>
Either checkout or export the SVN repository, or extract the SVN tarball to get the SVN files on your disk.
Either checkout or export the <a href="http://forge.ow2.org/plugins/scmsvn/index.php?group_id=274" class="urlextern" title="http://forge.ow2.org/plugins/scmsvn/index.php?group_id=274" rel="nofollow">SVN repository</a>, or extract the SVN tarball to get the SVN files on your disk.
</p>
<p>
@ -61,7 +61,7 @@ The generated tarball is in the current directory.
</p>
</div>
<!-- EDIT3 SECTION "Build the tarball from SVN" [389-695] -->
<!-- EDIT3 SECTION "Build the tarball from SVN" [389-758] -->
<h2 class="sectionedit4" id="extraction">Extraction</h2>
<div class="level2">
@ -71,7 +71,7 @@ Just run the tar command:
<pre class="code">tar zxvf lemonldap-ng-*.tar.gz</pre>
</div>
<!-- EDIT4 SECTION "Extraction" [696-792] -->
<!-- EDIT4 SECTION "Extraction" [759-855] -->
<h2 class="sectionedit5" id="installation">Installation</h2>
<div class="level2">
@ -86,7 +86,11 @@ For full install:
make
make configure
make test
sudo make install</pre>
sudo make install PROD=yes</pre>
<p>
<code>PROD=yes</code> makes web interface use minified versions of <abbr title="Cascading Style Sheets">CSS</abbr> and JS files.
</p>
<p>
<p><div class="notetip">
@ -199,7 +203,7 @@ See also <a href="../../documentation/1.9/installdeb.html" class="wikilink1" tit
</p>
</div>
<!-- EDIT5 SECTION "Installation" [793-3182] -->
<!-- EDIT5 SECTION "Installation" [856-3331] -->
<h2 class="sectionedit6" id="link_apache_configuration">Link Apache configuration</h2>
<div class="level2">
@ -236,7 +240,7 @@ a2ensite test-apache2.conf</pre>
</p>
</div>
<!-- EDIT6 SECTION "Link Apache configuration" [3183-4001] -->
<!-- EDIT6 SECTION "Link Apache configuration" [3332-4150] -->
<h2 class="sectionedit7" id="install_cron_jobs">Install cron jobs</h2>
<div class="level2">
@ -256,7 +260,7 @@ To install them on system:
<pre class="code">sudo ln -s /usr/local/lemonldap-ng/etc/cron.d/* /etc/cron.d/</pre>
</div>
<!-- EDIT7 SECTION "Install cron jobs" [4002-4211] -->
<!-- EDIT7 SECTION "Install cron jobs" [4151-4360] -->
<h2 class="sectionedit8" id="dns">DNS</h2>
<div class="level2">

View File

@ -57,11 +57,7 @@ The configuration will be store under a specific branch, for example <code>ou=co
</p>
<p>
Each configuration will be represented as an entry, which structural objectClass is <code>applicationProcess</code>. This objectClass is included in every core schemas.
</p>
<p>
The configuration name is the same that files, so lmConf-1, lmConf-2, etc. This name is used in entry <abbr title="Distinguished Name">DN</abbr>, for example <code>cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com</code>.
Each configuration will be represented as an entry, which structural objectClass is by default <code>applicationProcess</code>. The configuration name is the same that files, so lmConf-1, lmConf-2, etc. This name is used in entry <abbr title="Distinguished Name">DN</abbr>, for example <code>cn=lmConf-1,ou=conf,ou=applications,dc=example,dc=com</code>.
</p>
<p>
@ -81,17 +77,17 @@ description: {whatToTrace}&#039;$uid&#039;
...</pre>
</div>
<!-- EDIT2 SECTION "Presentation" [43-1400] -->
<!-- EDIT2 SECTION "Presentation" [43-1359] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [1401-1427] -->
<!-- EDIT3 SECTION "Configuration" [1360-1386] -->
<h3 class="sectionedit4" id="ldap_server">LDAP server</h3>
<div class="level3">
<p>
Configuration objects use standard object class: <code>applicationProcess</code>. This objectClass allow attributes <code>cn</code> and <code>description</code>. If your LDAP server do not manage this objectClass, you have to extend your schema.
Configuration objects use standard object class: <code>applicationProcess</code>. This objectClass allow attributes <code>cn</code> and <code>description</code>. If your LDAP server do not manage this objectClass, configure other objectclass and attributes (see below).
</p>
<p>
@ -103,7 +99,7 @@ Next create the configuration branch where you want. Just remember its <abbr tit
</p>
</div>
<!-- EDIT4 SECTION "LDAP server" [1428-1867] -->
<!-- EDIT4 SECTION "LDAP server" [1387-1850] -->
<h3 class="sectionedit5" id="lemonldapng">LemonLDAP::NG</h3>
<div class="level3">
@ -114,7 +110,10 @@ Configure LDAP configuration backend in <code>lemonldap-ng.ini</code>, section <
<span class="re1">ldapServer</span> <span class="sy0">=</span><span class="re2"> ldap://localhost</span>
<span class="re1">ldapConfBase</span> <span class="sy0">=</span><span class="re2"> ou=conf,ou=applications,dc=example,dc=com</span>
<span class="re1">ldapBindDN</span> <span class="sy0">=</span><span class="re2"> cn=manager,dc=example,dc=com</span>
<span class="re1">ldapBindPassword</span> <span class="sy0">=</span><span class="re2"> secret</span></pre>
<span class="re1">ldapBindPassword</span> <span class="sy0">=</span><span class="re2"> secret</span>
<span class="re1">ldapObjectClass</span> <span class="sy0">=</span><span class="re2"> applicationProcess</span>
<span class="re1">ldapAttributeId</span> <span class="sy0">=</span><span class="re2"> cn</span>
<span class="re1">ldapAttributeContent</span> <span class="sy0">=</span><span class="re2"> description</span></pre>
<p>
Parameters:
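Review bot: the example keeps `ldapBindPassword = secret` in clear in `lemonldap-ng.ini`; add a sentence that this file must be readable only by the account running the web server, since it holds the bind credentials for the configuration store. It is also worth stating that the bind DN needs write access to `ldapConfBase` when configurations are saved from the Manager, and read access everywhere else, so that deployers can scope the account instead of reusing `cn=manager`.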
@ -128,6 +127,12 @@ Parameters:
</li>
<li class="level1"><div class="li"> <strong>ldapBindPassword</strong>: password used to bind LDAP</div>
</li>
<li class="level1"><div class="li"> <strong>ldapObjectClass</strong>: structural objectclass of configuration entry (optional)</div>
</li>
<li class="level1"><div class="li"> <strong>ldapAttributeId</strong>: RDN attribute of configuration entry (optional)</div>
</li>
<li class="level1"><div class="li"> <strong>ldapAttributeContent</strong>: attribute used to store configuration values, must be multivalued (optional)</div>
</li>
</ul>
</div>
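Review bot: `ldapAttributeContent` is documented as "must be multivalued", but the "LDAP server" paragraph above only says to "configure other objectclass and attributes"; make the constraint explicit there too: the chosen `ldapObjectClass` must allow both `ldapAttributeId` (used as RDN) and the multivalued `ldapAttributeContent`, otherwise the LDAP server rejects the entry at save time. A short LDIF showing an entry with a non-default objectclass would make the three new parameters concrete.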

View File

@ -43,15 +43,19 @@ The log level can be set with Apache <code>LogLevel</code> parameter. It can be
</p>
<p>
See <a href="http://httpd.apache.org/docs/2.2/mod/core.html#loglevel" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/core.html#loglevel" rel="nofollow">http://httpd.apache.org/docs/2.2/mod/core.html#loglevel</a> for more information.
See <a href="http://httpd.apache.org/docs/current/mod/core.html#loglevel" class="urlextern" title="http://httpd.apache.org/docs/current/mod/core.html#loglevel" rel="nofollow">http://httpd.apache.org/docs/current/mod/core.html#loglevel</a> for more information.
</p>
<p>
To configure the user identifier in access log, go in Manager, <code>General Parameters</code> &gt; <code>Logging</code> &gt; <code>REMOTE_USER</code>.
</p>
<p>
You can also hide sensitive values in logs (session content can be displayed in logs in debug loglevel). Go in Manager, <code>General Parameters</code> &gt; <code>Logging</code> &gt; <code>Hidden attributes</code> and set a list of attributes to hide (space separated).
</p>
</div>
<!-- EDIT2 SECTION "Apache logging" [21-607] -->
<!-- EDIT2 SECTION "Apache logging" [21-850] -->
<h2 class="sectionedit3" id="syslog">Syslog</h2>
<div class="level2">
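Review bot: the new "Hidden attributes" paragraph should say which attributes are hidden by default and give a concrete example value (for instance the attribute carrying the user's password or any secret copied into the session), since "set a list of attributes to hide" gives the reader nothing to start from. Because the preceding sentence admits that session content is written to the log at debug level, the paragraph should also state plainly that `LogLevel debug` is for troubleshooting only and must not be left enabled on a production portal.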
@ -76,7 +80,7 @@ The messages are stored with the levels :
</ul>
</div>
<!-- EDIT3 SECTION "Syslog" [608-976] -->
<!-- EDIT3 SECTION "Syslog" [851-1219] -->
<h2 class="sectionedit4" id="override_logging_functions">Override logging functions</h2>
<div class="level2">

View File

@ -24,7 +24,7 @@
<div class="level1">
<p>
<a href="https://www.mongodb.org/" class="urlextern" title="https://www.mongodb.org/" rel="nofollow">MongoDB</a> is a NoSQL database that can be used both for storing configuration and <a href="../../documentation/1.9/mongodbsessionbackend.html" class="wikilink1" title="documentation:1.9:mongodbsessionbackend">sessions</a>.
<a href="https://www.mongodb.org/" class="urlextern" title="https://www.mongodb.org/" rel="nofollow">MongoDB</a> is a NoSQL database that can be used both for storing configuration and <a href="../../documentation/1.9/mongodbsessionbackend.html" class="wikilink1" title="documentation:1.9:mongodbsessionbackend">sessions</a>. You need to install Perl MongoDB module to be able to use this backend.
</p>
<p>
@ -32,8 +32,8 @@ See <a href="../../documentation/1.9/changeconfbackend.html" class="wikilink1" t
</p>
</div>
<!-- EDIT1 SECTION "MongoDB configuration backends" [1-294] -->
<h2 class="sectionedit2" id="lemonldap-ngini_parameters">Lemonldap-ng.ini parameters</h2>
<!-- EDIT1 SECTION "MongoDB configuration backends" [1-366] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
@ -44,7 +44,7 @@ To use a MongoDB backend, configure your <code>lemonldap-ng.ini</code> file (sec
</li>
<li class="level1"><div class="li"> Set dbName and collectionName parameters if different than default values (llConfDB and configuration)</div>
</li>
<li class="level1"><div class="li"> Set host and if needed db_name username, password, ssl and fields as follow.</div>
<li class="level1"><div class="li"> Set host and if needed db_name username, password and ssl fields as follow.</div>
</li>
</ul>
@ -64,7 +64,7 @@ Example :
<div class="table sectionedit3"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign" colspan="3"> Optional parameters (see MongoDB::Client man page) </th>
<th class="col0 centeralign" colspan="3"> Optional parameters (see <a href="http://search.cpan.org/perldoc?MongoDB%3A%3AMongoClient" class="urlextern" title="http://search.cpan.org/perldoc?MongoDB%3A%3AMongoClient" rel="nofollow">MongoDB::MongoClient</a> man page) </th>
</tr>
<tr class="row1 rowodd">
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
@ -92,6 +92,26 @@ Example :
<td class="col0 leftalign"> password </td><td class="col1 leftalign"> Password </td><td class="col2"> llpassword </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [865-1566] -->
<!-- EDIT3 TABLE [922-1688] -->
</div>
<!-- EDIT2 SECTION "Configuration" [367-1689] -->
<h1 class="sectionedit4" id="mini_mongodb_howto">Mini MongoDB howto</h1>
<div class="level1">
<p>
Just some commands needed to create collection and user:
</p>
<pre class="code">$ mongo
connecting to: test
&gt; use configuration
switched to db configuration
&gt; db.createCollection(&quot;configuration&quot;)
...
&gt; db.addUser({user:&quot;lluser&quot;,pwd:&quot;llpassword&quot;,roles:[&quot;readWrite&quot;]})
...
&gt; exit
bye
$</pre>
</div>
</div><!-- closes <div class="dokuwiki export">-->
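Review bot: the howto creates the collection and the user in a database named `configuration` (`use configuration`), while the parameter list above says the default `dbName` is `llConfDB` and `configuration` is the default collection name; with these commands the user does not exist in the database LL::NG connects to and authentication will fail. Align the `use` line with `dbName`. `db.addUser()` is deprecated since MongoDB 2.6 in favour of `db.createUser({user:"lluser", pwd:"llpassword", roles:[{role:"readWrite", db:"llConfDB"}]})`, which also scopes the `readWrite` role to that single database rather than granting it more broadly. Finally, the `mongo` session is shown without authentication; say that on a server with access control enabled you must first authenticate as a user allowed to create users.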

View File

@ -34,7 +34,7 @@
<p>
Install and launch a <a href="https://www.mongodb.org/" class="urlextern" title="https://www.mongodb.org/" rel="nofollow">MongoDB server</a>. Install
<a href="http://search.cpan.org/perldoc?Apache::Session::MongoDB" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session::MongoDB" rel="nofollow">Apache::Session::MongoDB</a> Perl module.
<a href="http://search.cpan.org/perldoc?Apache::Session::MongoDB" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session::MongoDB" rel="nofollow">Apache::Session::MongoDB</a> Perl module (version ⩾ 0.14 required).
</p>
<p>
@ -43,49 +43,43 @@ In the manager: set <a href="http://search.cpan.org/perldoc?Apache::Session::Mon
<div class="table sectionedit3"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign" colspan="3"> Required parameters </th>
<th class="col0 centeralign" colspan="3"> Optional parameters </th>
</tr>
<tr class="row1 rowodd">
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
</tr>
</thead>
<tr class="row2 roweven">
<td class="col0 leftalign"> <strong>host</strong> </td><td class="col1 leftalign"> MongoDB server </td><td class="col2"> 127.0.0.1:27017 </td>
<td class="col0 leftalign"> <strong>host</strong> </td><td class="col1"> MongoDB server (default: 127.0.0.1:27017) </td><td class="col2"> 127.0.0.1:27017 </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 leftalign"> <strong>dbName</strong> </td><td class="col1 leftalign"> Session database (default: llConfDB) </td><td class="col2 leftalign"> llConfDB </td>
<td class="col0 leftalign"> <strong>db_name</strong> </td><td class="col1 leftalign"> Session database (default: sessions) </td><td class="col2 leftalign"> llconfdb </td>
</tr>
<tr class="row4 roweven">
<td class="col0 leftalign" colspan="3"> </td>
<td class="col0 leftalign"> <strong>collection</strong> </td><td class="col1 leftalign"> Collection (default: sessions) </td><td class="col2 leftalign"> sessions </td>
</tr>
<tr class="row5 rowodd">
<th class="col0 centeralign" colspan="3"> Optional parameters (see MongoDB::Client man page) </th>
<td class="col0 leftalign"> <strong>auth_mechanism</strong> </td><td class="col1 leftalign"> Authentication mechanism </td><td class="col2 leftalign"> PLAIN </td>
</tr>
<tr class="row6 roweven">
<td class="col0 leftalign"> <strong>db_name</strong> </td><td class="col1 leftalign"> Admin database (dafault: admin) </td><td class="col2 leftalign"> admin </td>
<td class="col0"> <strong>auth_mechanism_properties</strong> </td><td class="col1 leftalign"> </td><td class="col2 leftalign"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0 leftalign"> <strong>auth_mechanism</strong> </td><td class="col1 leftalign"> Authentication mechanism </td><td class="col2 leftalign"> PLAIN </td>
<td class="col0 leftalign"> <strong>connect_timeout</strong> </td><td class="col1 leftalign"> Connection timeout </td><td class="col2 leftalign"> 10000 </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> <strong>auth_mechanism_properties</strong> </td><td class="col1 leftalign"> </td><td class="col2 leftalign"> </td>
<td class="col0 leftalign"> <strong>ssl</strong> </td><td class="col1 leftalign"> Boolean or hash ref (default: 0) </td><td class="col2 leftalign"> 1 </td>
</tr>
<tr class="row9 rowodd">
<td class="col0 leftalign"> <strong>connect_timeout</strong> </td><td class="col1 leftalign"> Connection timeout </td><td class="col2 leftalign"> 10000 </td>
<td class="col0 leftalign"> <strong>username</strong> </td><td class="col1 leftalign"> Username to use to connect </td><td class="col2 leftalign"> lluser </td>
</tr>
<tr class="row10 roweven">
<td class="col0 leftalign"> <strong>ssl</strong> </td><td class="col1 leftalign"> Boolean or hash ref (default: 0) </td><td class="col2 leftalign"> 1 </td>
</tr>
<tr class="row11 rowodd">
<td class="col0 leftalign"> <strong>username</strong> </td><td class="col1 leftalign"> Username to use to connect </td><td class="col2 leftalign"> lluser </td>
</tr>
<tr class="row12 roweven">
<td class="col0 leftalign"> <strong>password</strong> </td><td class="col1 leftalign"> Password </td><td class="col2 leftalign"> llpassword </td>
<td class="col0 leftalign"> <strong>password</strong> </td><td class="col1 leftalign"> Password </td><td class="col2 leftalign"> llpassword </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [608-1803] -->
<!-- EDIT3 TABLE [636-1687] -->
</div>
<!-- EDIT2 SECTION "Setup" [163-1804] -->
<!-- EDIT2 SECTION "Setup" [163-1688] -->
<h2 class="sectionedit4" id="security">Security</h2>
<div class="level2">
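Review bot: the `db_name` row now says "default: sessions" but keeps `llconfdb` as the example, which is the configuration backend's database and will confuse readers setting up a sessions store; use a sessions-specific example. The `auth_mechanism` example `PLAIN` sends the password in clear text on the wire, so the row should state that it must only be combined with `ssl`. Since `ssl` accepts a hash ref as well as a boolean, mention that the hash form is where the CA and certificate-verification options go, so that enabling TLS does not stop at `ssl = 1`. "Boolean" and "Connection timeout" also deserve units (milliseconds for `connect_timeout`, given the `10000` example).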

View File

@ -284,11 +284,11 @@ Example :
<div class="level3">
<p>
In Manager, click on <code>notifications explorer</code> and then on the <code>Create</code> button.
In Manager, click on <code>Notifications</code> and then on the <code>Create</code> button.
</p>
<p>
<a href="/_detail/screenshots/1.1/manager/notifications_explorer_create.png?id=documentation%3A1.9%3Anotifications" class="media" title="screenshots:1.1:manager:notifications_explorer_create.png"><img src="../../../media/screenshots/1.1/manager/notifications_explorer_create.png" class="mediacenter" alt="" width="600" /></a>
<img src="../../../media/documentation/manager-notification.png" class="mediacenter" alt="" />
</p>
<p>
@ -296,11 +296,11 @@ Then fill all inputs to create the notification. Only the condition is not manda
</p>
<p>
When all is ok, click on <code>Create</code>.
When all is ok, click on <code>Save</code>.
</p>
</div>
<!-- EDIT9 SECTION "Create new notifications with notifications explorer" [6408-6753] -->
<!-- EDIT9 SECTION "Create new notifications with notifications explorer" [6408-6726] -->
<h3 class="sectionedit10" id="notifications_trough_soap">Notifications trough SOAP</h3>
<div class="level3">
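Review bot: the heading carried as context in this hunk, "Notifications trough SOAP", misspells "through" (and the section id `notifications_trough_soap` inherits it); since this file is already being touched to rename the explorer and its buttons, fix the wording here too.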
@ -383,7 +383,7 @@ You can also delete some notifications with SOAP, once SOAP is activated:
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT10 SECTION "Notifications trough SOAP" [6754-8650] -->
<!-- EDIT10 SECTION "Notifications trough SOAP" [6727-8623] -->
<h3 class="sectionedit11" id="test_notification">Test notification</h3>
<div class="level3">
@ -392,7 +392,7 @@ You&#039;ve simply to insert a notification and connect to the portal using the
</p>
<p>
<a href="/_detail/screenshots/1.1/notifications/sample_notification.png?id=documentation%3A1.9%3Anotifications" class="media" title="screenshots:1.1:notifications:sample_notification.png"><img src="../../../media/screenshots/1.1/notifications/sample_notification.png" class="mediacenter" alt="" width="600" /></a>
<img src="../../../media/documentation/portal-notification.png" class="mediacenter" alt="" />
</p>
<p>

View File

@ -0,0 +1,109 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="openid_connect_claims">OpenID Connect claims</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0"> Claim name </th><th class="col1"> Type </th><th class="col2"> Example of corresponding LDAP attribute </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> sub </td><td class="col1"> string </td><td class="col2"> uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> name </td><td class="col1"> string </td><td class="col2"> cn </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> given_name </td><td class="col1"> string </td><td class="col2"> givenName </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> family_name </td><td class="col1"> string </td><td class="col2"> sn </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> middle_name </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row6 roweven">
<td class="col0"> nickname </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row7 rowodd">
<td class="col0"> preferred_username </td><td class="col1"> string </td><td class="col2"> displayName </td>
</tr>
<tr class="row8 roweven">
<td class="col0"> profile </td><td class="col1"> string </td><td class="col2"> labeledURI </td>
</tr>
<tr class="row9 rowodd">
<td class="col0"> picture </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row10 roweven">
<td class="col0"> website </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row11 rowodd">
<td class="col0"> email </td><td class="col1"> string </td><td class="col2"> mail </td>
</tr>
<tr class="row12 roweven">
<td class="col0"> email_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0"> gender </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row14 roweven">
<td class="col0"> birthdate </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row15 rowodd">
<td class="col0"> zoneinfo </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row16 roweven">
<td class="col0"> locale </td><td class="col1"> string </td><td class="col2"> preferredLanguage </td>
</tr>
<tr class="row17 rowodd">
<td class="col0"> phone_number </td><td class="col1"> string </td><td class="col2"> telephoneNumber </td>
</tr>
<tr class="row18 roweven">
<td class="col0"> phone_number_verified </td><td class="col1"> boolean </td><td class="col2"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0"> updated_at </td><td class="col1"> string </td><td class="col2"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0"> formatted </td><td class="col1"> string </td><td class="col2"> registeredAddress </td>
</tr>
<tr class="row21 rowodd">
<td class="col0"> street_address </td><td class="col1"> string </td><td class="col2"> street </td>
</tr>
<tr class="row22 roweven">
<td class="col0"> locality </td><td class="col1"> string </td><td class="col2"> l </td>
</tr>
<tr class="row23 rowodd">
<td class="col0"> region </td><td class="col1"> string </td><td class="col2"> st </td>
</tr>
<tr class="row24 roweven">
<td class="col0"> postal_code </td><td class="col1"> string </td><td class="col2"> postalCode </td>
</tr>
<tr class="row25 rowodd">
<td class="col0"> country </td><td class="col1"> string </td><td class="col2"> co </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [38-861] -->
</div>
</div><!-- closes <div class="dokuwiki export">-->
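Review bot: per OpenID Connect Core 1.0 section 5.1, `updated_at` is a number (seconds since the epoch), not a string, and `formatted`, `street_address`, `locality`, `region`, `postal_code` and `country` are members of the `address` JSON object rather than top-level claims; the table should type `updated_at` as number and mark the address members as such (for example `address.country`) so that a relying party expecting the standard structure gets it. `email_verified` and `phone_number_verified` are correctly typed as boolean; it is worth adding a line that they must only be set from an attribute the identity store actually verifies, not defaulted to true.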

View File

@ -119,8 +119,17 @@ You can associate here an authentication context to an authentication level.
</ul>
</div>
<!-- EDIT7 SECTION "Security" [1165-1816] -->
<h2 class="sectionedit8" id="key_rotation_script">Key rotation script</h2>
<!-- EDIT7 SECTION "Security" [1165-1815] -->
<h3 class="sectionedit8" id="sessions">Sessions</h3>
<div class="level3">
<p>
It is recommended to use a separate sessions storage for OpenID Connect sessions, else they will stored in the main sessions storage.
</p>
</div>
<!-- EDIT8 SECTION "Sessions" [1816-1970] -->
<h2 class="sectionedit9" id="key_rotation_script">Key rotation script</h2>
<div class="level2">
<p>
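Review bot: the new Sessions paragraph has a grammar slip, `else they will stored in the main sessions storage` should read `else they will be stored in the main sessions storage`, and it gives the recommendation without its reason. One sentence on what keeping OpenID Connect sessions in the main SSO session backend costs or risks (and a link to the sessions storage page) would make the advice actionable rather than a bare "it is recommended".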
@ -138,8 +147,8 @@ The script is <code>/usr/share/lemonldap-ng/bin/rotateOidcKeys</code>. It can be
</p>
</div>
<!-- EDIT8 SECTION "Key rotation script" [1817-2290] -->
<h2 class="sectionedit9" id="session_management">Session management</h2>
<!-- EDIT9 SECTION "Key rotation script" [1971-2444] -->
<h2 class="sectionedit10" id="session_management">Session management</h2>
<div class="level2">
<p>

View File

@ -158,8 +158,15 @@ The portal is the biggest component of Lemonldap::NG. It is recommended to use M
You can also use a FastCGI server using index.fcgi given in portal examples.
</p>
<p>
<p><div class="notetip">
In production environment for network performance, prefer using minified versions of javascript and css libs: use <code>make install <strong>PROD=yes</strong></code>. This is done by default in RPM/DEB packages.
</div></p>
</p>
</div>
<!-- EDIT7 SECTION "General performances" [3505-3926] -->
<!-- EDIT7 SECTION "General performances" [3505-4135] -->
<h3 class="sectionedit8" id="configuration_access">Configuration access</h3>
<div class="level3">
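Review bot: the added tip is emitted as `<p><div class="notetip">…</div></p>` inside another `<p> … </p>`, which nests a block element in a paragraph and leaves the outer paragraph empty. The same pattern recurs in several hunks of this commit (notetip and noteimportant blocks), so it is worth fixing once in the exporter rather than in each page.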
@ -168,7 +175,7 @@ If you set <code>useLocalConf</code> to 1 in lemonldap-ng.ini (section [Portal])
</p>
</div>
<!-- EDIT8 SECTION "Configuration access" [3927-4229] -->
<!-- EDIT8 SECTION "Configuration access" [4136-4438] -->
<h3 class="sectionedit9" id="starting_performances">Starting performances</h3>
<div class="level3">
@ -186,7 +193,7 @@ To make the portal start faster when the server is relaunched, add those lines i
&lt;/Perl&gt;</pre>
</div>
<!-- EDIT9 SECTION "Starting performances" [4230-4805] -->
<!-- EDIT9 SECTION "Starting performances" [4439-5014] -->
<h3 class="sectionedit10" id="apachesession_performances">Apache::Session performances</h3>
<div class="level3">
@ -244,12 +251,12 @@ Note that Apache::Session::Browseable::MySQL doesn&#039;t use MySQL locks.
</p>
<p>
<p><div class="noteimportant">Some Apache::Session module are not useable by Lemonldap::NG such as Apache::Session::Memcached since this module does not offer capability to browse sessions
<p><div class="noteimportant">Some Apache::Session module are not fully usable by Lemonldap::NG such as Apache::Session::Memcached since this modules do not offer capability to browse sessions. They does not allow to use sessions explorer neither manage one-off sessions.
</div></p>
</p>
</div>
<!-- EDIT10 SECTION "Apache::Session performances" [4806-7075] -->
<!-- EDIT10 SECTION "Apache::Session performances" [5015-7367] -->
<h3 class="sectionedit11" id="ldap_performances">LDAP performances</h3>
<div class="level3">
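Review bot: the rewritten noteimportant still has grammar errors: `Some Apache::Session module are not fully usable … since this modules do not offer capability to browse sessions. They does not allow to use sessions explorer neither manage one-off sessions.` Suggest: `Some Apache::Session modules, such as Apache::Session::Memcached, are not fully usable by Lemonldap::NG because they cannot browse sessions: the sessions explorer and one-off session management are unavailable with them.` It would also help to spell out the operational consequence, namely that with such a backend an administrator cannot search for and delete a given user's sessions from the Manager, since that is the security-relevant reason to avoid them.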
@ -294,5 +301,48 @@ Now ldapgroups contains “admin su”
</div></p>
</p>
</div>
<!-- EDIT11 SECTION "LDAP performances" [7368-8496] -->
<h2 class="sectionedit12" id="manager_performances">Manager performances</h2>
<div class="level2">
</div>
<!-- EDIT12 SECTION "Manager performances" [8497-8530] -->
<h3 class="sectionedit13" id="disable_unused_modules">Disable unused modules</h3>
<div class="level3">
<p>
In lemonldap-ng.ini, set only modules that you will use. By default, configuration, sessions explorer and notifications explorer are enabled. Example:
</p>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions</span></pre>
</div>
<!-- EDIT13 SECTION "Disable unused modules" [8531-8777] -->
<h3 class="sectionedit14" id="use_static_html_files">Use static HTML files</h3>
<div class="level3">
<p>
Once Manager is installed, browse enabled modules (configuration, sessions, notifications) and save the web pages respectively under <code>manager.html</code>, <code>sessions.html</code> and <code>notifications.html</code> in the <code>DocumentRoot</code> directory. Then replace this in Manager file of Apache configuration:
</p>
<pre class="code apache"><span class="kw1">RewriteRule</span> <span class="st0">&quot;^/$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi&quot;</span> [PT]
<span class="co1"># DirectoryIndex manager.html</span>
<span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|fr-doc|lib).*&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]</pre>
<p>
by:
</p>
<pre class="code apache"><span class="co1"># RewriteRule &quot;^/$&quot; &quot;/psgi/manager-server.fcgi&quot; [PT]</span>
<span class="kw1">DirectoryIndex</span> manager.html
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!<span class="es0">\.</span>html$&quot;</span>
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|fr-doc|lib).*&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]</pre>
<p>
So manager <abbr title="HyperText Markup Language">HTML</abbr> templates will be no more generated by Perl but directly given by the web server.
</p>
</div>
</div><!-- closes <div class="dokuwiki export">-->
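Review bot: in the "Use static HTML files" procedure, the newly uncommented `RewriteCond "%{REQUEST_FILENAME}" "!\.html$"` makes the web server serve every `.html` file under `DocumentRoot` directly instead of routing it to `manager-server.fcgi`, so the text should say that `DocumentRoot` must hold only the three saved pages (`manager.html`, `sessions.html`, `notifications.html`) and that those pages have to be saved again after each Manager upgrade, as they are copies of generated templates. Minor: the before/after blocks differ only in which lines are commented out; saying so in the "by:" sentence would make them easier to compare.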

View File

@ -66,7 +66,7 @@ You can change the default skin in Manager: <code>General Parameters</code> &gt;
</p>
<p>
<a href="/_detail/documentation/manager-2-portalskin.png?id=documentation%3A1.9%3Aportalcustom" class="media" title="documentation:manager-2-portalskin.png"><img src="../../../media/documentation/manager-2-portalskin.png" class="mediacenter" alt="" /></a>
<img src="../../../media/documentation/manager-skin-selection.png" class="mediacenter" alt="" />
</p>
<p>
@ -74,7 +74,7 @@ Select the <code>Custom</code> skin, then set the name of the skin you want to u
</p>
</div>
<!-- EDIT3 SECTION "Default skin" [409-696] -->
<!-- EDIT3 SECTION "Default skin" [409-705] -->
<h3 class="sectionedit4" id="skin_background">Skin background</h3>
<div class="level3">
@ -83,11 +83,11 @@ Go in <code>General Parameters</code> &gt; <code>Portal</code> &gt; <code>Custom
</p>
<p>
<img src="../../../media/documentation/manager-2-skinbackground.png" class="mediacenter" alt="" />
<img src="../../../media/documentation/manager-skin-background.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT4 SECTION "Skin background" [697-999] -->
<!-- EDIT4 SECTION "Skin background" [706-1007] -->
<h3 class="sectionedit5" id="skin_rules">Skin rules</h3>
<div class="level3">
@ -106,7 +106,7 @@ To achieve this, you can create a rule in the Manager: select <code>General Para
</ul>
</div>
<!-- EDIT5 SECTION "Skin rules" [1000-1642] -->
<!-- EDIT5 SECTION "Skin rules" [1008-1650] -->
<h3 class="sectionedit6" id="skin_files">Skin files</h3>
<div class="level3">
@ -129,7 +129,7 @@ A skin will often refer to the <code>common</code> skin, which is not a real ski
</p>
</div>
<!-- EDIT6 SECTION "Skin files" [1643-1977] -->
<!-- EDIT6 SECTION "Skin files" [1651-1985] -->
<h3 class="sectionedit7" id="skin_customization">Skin customization</h3>
<div class="level3">
@ -179,20 +179,36 @@ To configure your new skin in Manager, select the custom skin, and enter your sk
</p>
</div>
<!-- EDIT7 SECTION "Skin customization" [1978-3072] -->
<h3 class="sectionedit8" id="error_messages">Error messages</h3>
<!-- EDIT7 SECTION "Skin customization" [1986-3080] -->
<h3 class="sectionedit8" id="messages">Messages</h3>
<div class="level3">
<p>
Error messages are defined in source code. If they really do not please you, override them! You just need to know the ID of the error (look at Portal/Simple.pm) and then add to <code>lemonldap-ng.ini</code>:
Messages are defined in source code. If they really do not please you, override them! You just need to know the ID of the message (look at Portal/Simple.pm) and then add to <code>lemonldap-ng.ini</code>:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
&nbsp;
# Custom error messages
<span class="re1">error_0</span> <span class="sy0">=</span><span class="re2"> Big brother is watching you, authenticated user</span></pre>
<span class="re1">error_0</span> <span class="sy0">=</span><span class="re2"> Big brother is watching you, authenticated user</span>
&nbsp;
# Custom standard messages
<span class="re1">msg_22</span> <span class="sy0">=</span><span class="re2"> Your last connections</span></pre>
<p>
<p><div class="notetip">
You can alse define messages in several languages:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">error_en_0</span> <span class="sy0">=</span><span class="re2"> Big brother is watching you, authenticated user</span>
<span class="re1">error_fr_0</span> <span class="sy0">=</span><span class="re2"> Souriez vous êtes surveillés !</span></pre>
<p>
</div></p>
</p>
</div>
<!-- EDIT8 SECTION "Error messages" [3073-3410] -->
<!-- EDIT8 SECTION "Messages" [3081-3672] -->
<h3 class="sectionedit9" id="template_parameters">Template parameters</h3>
<div class="level3">
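Review bot: typo in the new tip, `You can alse define messages` should be `You can also define messages`. The example shows the per-language form only for errors (`error_en_0`, `error_fr_0`); state whether the same `<prefix>_<lang>_<id>` form applies to `msg_` keys and which key wins when both `error_0` and `error_en_0` are set, so the reader knows the precedence. Markup: the `</p>` on the line after `<p><div class="notetip">` closes the paragraph before the tip's `</div>`, leaving the tip div mis-nested.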
@ -210,7 +226,7 @@ Then you will be able to use it in your template like this:
<pre class="code file html4strict">Hello <span class="sc2">&lt;TMPL_VAR <span class="kw3">NAME</span><span class="sy0">=</span><span class="st0">&quot;myparam&quot;</span>&gt;</span>!</pre>
</div>
<!-- EDIT9 SECTION "Template parameters" [3411-3781] -->
<!-- EDIT9 SECTION "Template parameters" [3673-4043] -->
<h2 class="sectionedit10" id="buttons">Buttons</h2>
<div class="level2">
@ -227,7 +243,7 @@ This node allows to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT10 SECTION "Buttons" [3782-4235] -->
<!-- EDIT10 SECTION "Buttons" [4044-4497] -->
<h2 class="sectionedit11" id="password_management">Password management</h2>
<div class="level2">
<ul>
@ -240,7 +256,7 @@ This node allows to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT11 SECTION "Password management" [4236-4686] -->
<!-- EDIT11 SECTION "Password management" [4498-4948] -->
<h2 class="sectionedit12" id="other_parameters">Other parameters</h2>
<div class="level2">
<ul>

View File

@ -69,26 +69,14 @@ You can use <code>0</code> or <code>1</code> to disable/enable the module, or us
In Manager, you can configure categories and applications in <code>General Parameters</code> &gt; <code>Portal</code> &gt; <code>Menu</code> &gt; <code>Categories and applications</code>.
</p>
<p>
Category parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Key</strong>: category identifier</div>
</li>
<li class="level1"><div class="li"> <strong>Name</strong>: display text</div>
</li>
</ul>
<p>
Application parameters:
</p>
<p>
<a href="/_detail/documentation/manager-menu-application.png?id=documentation%3A1.9%3Aportalmenu" class="media" title="documentation:manager-menu-application.png"><img src="../../../media/documentation/manager-menu-application.png" class="mediacenter" alt="" /></a>
<img src="../../../media/documentation/manager-portal-menu-application.png" class="mediacenter" alt="" />
</p>
<ul>
<li class="level1"><div class="li"> <strong>Key</strong>: application identifier</div>
</li>
<li class="level1"><div class="li"> <strong>Name</strong>: display text</div>
</li>
<li class="level1"><div class="li"> <strong>Address</strong>: <abbr title="Uniform Resource Locator">URL</abbr> of application</div>
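Review bot: the "Category parameters" list (Key, Name) is removed while the "Application parameters" list keeps the same two fields; if categories are now edited elsewhere in the Manager, say where, otherwise readers no longer learn that a category also needs a key and a display name.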
@ -110,16 +98,16 @@ Application parameters:
</ul>
<p>
<p><div class="notetip">Category and application key can have a digit as first character, which will allow to display categories in the right order (categories and applications are displayed in alphabetical order).
<p><div class="notetip">Categories and applications are displayed in alphabetical order.
</div></p>
</p>
<p>
<a href="/_detail/documentation/manager-menu-application-logo.png?id=documentation%3A1.9%3Aportalmenu" class="media" title="documentation:manager-menu-application-logo.png"><img src="../../../media/documentation/manager-menu-application-logo.png" class="mediacenter" alt="" /></a>
<img src="../../../media/documentation/manager-portal-menu-icon.png" class="mediacenter" alt="" />
</p>
<p>
<p><div class="notetip">The chosen logo file must be in portal applications logos directory (<code>portal/skins/common/apps/</code>). You can set a custom logo by choosing <code>My logo</code>, set the logo file name, and copy the logo file in portal applications logos directory
<p><div class="notetip">The chosen logo file must be in portal applications logos directory (<code>portal/skins/common/apps/</code>). You can set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory
</div></p>
</p>
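Review bot: the replacement tip drops the advice that a key may start with a digit to force display order, yet the new sentence still says categories and applications are displayed alphabetically, so the only documented way to control ordering is lost; either keep the digit-prefix hint or say how ordering is controlled now. In the logo tip, `set a custom logo by setting the logo file name directly in the field, and copy the logo file in portal applications logos directory` should read `… and copying the logo file into the portal applications logos directory`.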

View File

@ -25,29 +25,25 @@
</div>
<!-- EDIT1 SECTION "Prerequisites and dependencies" [1-47] -->
<h2 class="sectionedit2" id="apache">Apache</h2>
<h2 class="sectionedit2" id="web_server">Web Server</h2>
<div class="level2">
<p>
To use LemonLDAP::NG, you have to run an Apache
server compiled with mod-perl
</p>
<p>
<p><div class="noteimportant">You need to use Apache 2 with mod_perl 2, even if some simple configuration can run under Apache 1.3
</div></p>
To use LemonLDAP::NG, you have the choice of the Web Server :
</p>
<ul>
<li class="level1"><div class="li"> Apache 2 with mod_perl</div>
</li>
<li class="level1"><div class="li"> Nginx with fastcgi</div>
</li>
</ul>
<p>
For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-worker works faster and LemonLDAP::NG use the thread system for best performance. If you have to use mpm-prefork (for example if you use PHP), LemonLDAP::NG will work anyway.
</p>
<p>
You can use LemonLDAP::NG in an heterogeneous world: the authentication portal and the manager can work in any version of Apache even if mod_perl is not compiled, with ModPerl::Registry or not,… or behind any web server able to launch CGIs. Only the handler needs mod_perl 2.
</p>
</div>
<!-- EDIT2 SECTION "Apache" [48-806] -->
<!-- EDIT2 SECTION "Web Server" [48-440] -->
<h2 class="sectionedit3" id="perl">Perl</h2>
<div class="level2">
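Review bot: `you have the choice of the Web Server :` reads awkwardly and has a space before the colon; suggest `you can use one of the following web servers:`. The removed paragraphs carried two pieces of guidance the new two-item list does not: which Apache MPM can be used (`mpm-worker`, `mpm-prefork`, `mpm-event`) and that only the handler required mod_perl while the portal and manager could run behind any server able to launch CGIs. If those statements still hold alongside the Nginx/FastCGI option, keep them (or link to the Nginx setup page) so the reader knows which component needs which server.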
@ -57,7 +53,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</p>
</div>
<!-- EDIT3 SECTION "Perl" [807-1020] -->
<!-- EDIT3 SECTION "Perl" [441-654] -->
<h3 class="sectionedit4" id="core">Core</h3>
<div class="level3">
<ul>
@ -81,6 +77,8 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</li>
<li class="level1"><div class="li"> Regexp::Assemble</div>
</li>
<li class="level1"><div class="li"> Regexp::Common</div>
</li>
<li class="level1"><div class="li"> XML::LibXML</div>
</li>
<li class="level1"><div class="li"> Crypt::Rijndael</div>
@ -99,6 +97,8 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</li>
<li class="level1"><div class="li"> Digest::HMAC</div>
</li>
<li class="level1"><div class="li"> Digest::SHA</div>
</li>
<li class="level1"><div class="li"> Crypt::OpenSSL::RSA</div>
</li>
<li class="level1"><div class="li"> Crypt::OpenSSL::X509</div>
@ -123,10 +123,12 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</li>
<li class="level1"><div class="li"> Plack::Handler</div>
</li>
<li class="level1"><div class="li"> Authen::Captcha</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Core" [1021-1576] -->
<!-- EDIT4 SECTION "Core" [655-1265] -->
<h3 class="sectionedit5" id="saml2">SAML2</h3>
<div class="level3">
<ul>
@ -137,7 +139,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</ul>
</div>
<!-- EDIT5 SECTION "SAML2" [1577-1646] -->
<!-- EDIT5 SECTION "SAML2" [1266-1335] -->
<h3 class="sectionedit6" id="cas_authentication_module">CAS (authentication module)</h3>
<div class="level3">
<ul>
@ -146,7 +148,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</ul>
</div>
<!-- EDIT6 SECTION "CAS (authentication module)" [1647-1744] -->
<!-- EDIT6 SECTION "CAS (authentication module)" [1336-1433] -->
<h3 class="sectionedit7" id="openid">OpenID</h3>
<div class="level3">
<ul>
@ -157,7 +159,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</ul>
</div>
<!-- EDIT7 SECTION "OpenID" [1745-1827] -->
<!-- EDIT7 SECTION "OpenID" [1434-1516] -->
<h3 class="sectionedit8" id="twitter">Twitter</h3>
<div class="level3">
<ul>
@ -166,7 +168,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</ul>
</div>
<!-- EDIT8 SECTION "Twitter" [1828-1864] -->
<!-- EDIT8 SECTION "Twitter" [1517-1553] -->
<h3 class="sectionedit9" id="pod_unit_tests">POD unit tests</h3>
<div class="level3">
<ul>
@ -177,7 +179,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</ul>
</div>
<!-- EDIT9 SECTION "POD unit tests" [1865-1926] -->
<!-- EDIT9 SECTION "POD unit tests" [1554-1615] -->
<h3 class="sectionedit10" id="smtpreset_password_by_mail">SMTP / Reset password by mail</h3>
<div class="level3">
<ul>
@ -196,7 +198,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</ul>
</div>
<!-- EDIT10 SECTION "SMTP / Reset password by mail" [1927-2074] -->
<!-- EDIT10 SECTION "SMTP / Reset password by mail" [1616-1763] -->
<h2 class="sectionedit11" id="other">Other</h2>
<div class="level2">
<ul>
@ -207,18 +209,18 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
</ul>
</div>
<!-- EDIT11 SECTION "Other" [2075-2291] -->
<!-- EDIT11 SECTION "Other" [1764-1980] -->
<h2 class="sectionedit12" id="install_dependencies_on_your_system">Install dependencies on your system</h2>
<div class="level2">
</div>
<!-- EDIT12 SECTION "Install dependencies on your system" [2292-2341] -->
<!-- EDIT12 SECTION "Install dependencies on your system" [1981-2030] -->
<h3 class="sectionedit13" id="apt-get">APT-GET</h3>
<div class="level3">
<pre class="code">apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl libstring-random-perl libemail-date-format-perl libmime-lite-perl libcrypt-openssl-rsa-perl libdigest-hmac-perl libclone-perl libauthen-sasl-perl libnet-cidr-lite-perl libcrypt-openssl-x509-perl libauthcas-perl libtest-pod-perl libtest-mockobject-perl libauthen-captcha-perl libnet-openid-consumer-perl libnet-openid-server-perl libunicode-string-perl libconvert-pem-perl libmouse-perl libplack-perl</pre>
<pre class="code">apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libregexp-common-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl libstring-random-perl libemail-date-format-perl libmime-lite-perl libcrypt-openssl-rsa-perl libdigest-hmac-perl libdigest-sha-perl libclone-perl libauthen-sasl-perl libnet-cidr-lite-perl libcrypt-openssl-x509-perl libauthcas-perl libtest-pod-perl libtest-mockobject-perl libauthen-captcha-perl libnet-openid-consumer-perl libnet-openid-server-perl libunicode-string-perl libconvert-pem-perl libmouse-perl libplack-perl</pre>
</div>
<!-- EDIT13 SECTION "APT-GET" [2342-3152] -->
<!-- EDIT13 SECTION "APT-GET" [2031-2882] -->
<h3 class="sectionedit14" id="yum">YUM</h3>
<div class="level3">
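Review bot: `libcache-cache-perl` appears twice in the apt-get line (once after `libnet-ldap-perl`, again after `libwww-perl`); drop one. The line also still installs only `apache2 libapache2-mod-perl2`, while the yum line in this commit adds `mod_fcgid` and the Web Server section now lists Nginx with FastCGI; either add the Debian packages needed for the FastCGI/Nginx option or state that this line covers the Apache/mod_perl setup only.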
@ -226,7 +228,7 @@ You can use LemonLDAP::NG in an heterogeneous world: the authentication portal a
<p><div class="notetip">You need <a href="http://fedoraproject.org/wiki/EPEL/" class="urlextern" title="http://fedoraproject.org/wiki/EPEL/" rel="nofollow">EPEL</a> repository. See how you can activate this repository: <a href="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse" class="urlextern" title="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse" rel="nofollow">http://fedoraproject.org/wiki/EPEL/FAQ#howtouse</a>
</div></p>
</p>
<pre class="code">yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON perl-Digest-HMAC perl-String-Random perl-MIME-Lite perl-Email-Date-Format perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509 perl-Clone perl-Authen-SASL perl-Log-Log4perl perl-Unicode-String perl-Net-CIDR-Lite perl-Cache-Memcached perl-Convert-PEM perl-Mouse perl-Plack</pre>
<pre class="code">yum install httpd mod_perl mod_fcgid perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Regexp-Common perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON perl-Digest-HMAC perl-Digest-SHA perl-String-Random perl-MIME-Lite perl-Email-Date-Format perl-Crypt-OpenSSL-RSA perl-Crypt-OpenSSL-X509 perl-Clone perl-Authen-SASL perl-Log-Log4perl perl-Unicode-String perl-Net-CIDR-Lite perl-Cache-Memcached perl-Convert-PEM perl-Mouse perl-Plack perl-Authen-Captcha</pre>
</div>
</div><!-- closes <div class="dokuwiki export">-->

View File

@ -33,29 +33,29 @@
</p>
<p>
LemonLDAP::NG allows to use this model. You should use an <a href="../../documentation/1.9/authldap.html#schema_extension" class="wikilink1" title="documentation:1.9:authldap">extended LDAP schema</a> (or any users database extension), but this can works with standard attributes.
As the definition of access rules is free in LemonLDAP::NG, you can implement an RBAC model if you need.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [27-488] -->
<!-- EDIT2 SECTION "Presentation" [27-405] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [489-516] -->
<!-- EDIT3 SECTION "Configuration" [406-433] -->
<h3 class="sectionedit4" id="roles_as_simple_values_of_a_user_attribute">Roles as simple values of a user attribute</h3>
<div class="level3">
<p>
Imagine you&#039;ve set your directory schema to store roles as values of ssoRoles, an attribute of the user. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (&#039;;&#039; is the concatenation string):
Imagine you&#039;ve set your directory schema to store roles as values of an attribute of the user, for example “description”. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (&#039;;&#039; is the concatenation string):
</p>
<pre class="code">Auth-Roles =&gt; $ssoRoles</pre>
<pre class="code">Auth-Roles =&gt; $description</pre>
<p>
If the user has these values inside its entry:
</p>
<pre class="file">ssoRoles: user
ssoRoles: admin</pre>
<pre class="file">description: user
description: admin</pre>
<p>
Then you got this value inside the Auth-Roles header:
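Review bot: the example now stores roles in the standard `description` attribute (`Auth-Roles => $description`, `description: admin`). `description` is a general-purpose free-text attribute, and here its values become authorization data on the application side; add a sentence that whichever attribute carries roles must be writable only by directory administrators, and that a dedicated attribute from the extended schema is the safer choice where available. Also `but this can works with standard attributes` should read `but this can work with standard attributes`.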
@ -63,96 +63,120 @@ Then you got this value inside the Auth-Roles header:
<pre class="code">user; admin</pre>
</div>
<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [517-1069] -->
<!-- EDIT4 SECTION "Roles as simple values of a user attribute" [434-1012] -->
<h3 class="sectionedit5" id="roles_as_entries_in_the_directory">Roles as entries in the directory</h3>
<div class="level3">
<p>
Now imagine the following DIT:
</p>
<p>
<a href="/_detail/documentation/dia_dit_roles.png?id=documentation%3A1.9%3Arbac" class="media" title="documentation:dia_dit_roles.png"><img src="../../../media/documentation/dia_dit_roles.png" class="mediacenter" alt="" /></a>
</p>
<p>
Roles are entries, below branches representing applications. Each user has a ssoRoles attributes, which values are the <abbr title="Distinguished Name">DN</abbr> of the corresponding roles. With this organization, you can set roles to user within specific application.
</p>
<p>
In the schema above, the user has the following values:
</p>
<pre class="file">ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com</pre>
<p>
So he is “user” on application “BBB” and “admin” on application “<abbr title="Authentication Authorization Accounting">AAA</abbr>”.
</p>
<p>
Now we have to send the right role to the right application trough LemonLDAP::NG.
</p>
<p>
First step: create a rule to grant access only if the user has a role in the application:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
<li class="level1"><div class="li"> dc=example,dc=com</div>
<ul>
<li class="level2"><div class="li"> ou=users</div>
<ul>
<li class="level3"><div class="li"> uid=coudot</div>
</li>
</ul>
<pre class="code">default =&gt; $ssoRoles =~ /ou=aaa,ou=roles/</pre>
</li>
<li class="level2"><div class="li"> ou=roles</div>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
<li class="level3"><div class="li"> ou=aaa</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
<li class="level3"><div class="li"> ou=bbb</div>
<ul>
<li class="level4"><div class="li"> cn=admin</div>
</li>
<li class="level4"><div class="li"> cn=user</div>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<pre class="code">default =&gt; $ssoRoles =~ /ou=bbb,ou=roles/</pre>
<p>
Second step: get the role name for the application. We will use the macros to do that. Create two macros (inside <code>Variables</code> » <code>Macros</code>):
Roles are entries, below branches representing applications. We can use the standard LDAP objectClass <code>organizationalRole</code> to maintain roles, for example:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">aaaRole =&gt; ((grep{/ou=aaa/} split(&#039;;&#039;,$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">bbbRole =&gt; ((grep{/ou=bbb/} split(&#039;;&#039;,$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]</pre>
<pre class="code file ldif"><span class="re0">dn</span>:<span class="re1"> cn=admin,ou=aaa,ou=roles,dc=example,dc=com</span>
<span class="re0">objectClass</span>:<span class="re1"> organizationalRole</span>
<span class="re0">objectClass</span>:<span class="re1"> top</span>
<span class="re0">cn</span>:<span class="re1"> admin</span>
<span class="re0">ou</span>:<span class="re1"> aaa</span>
<span class="re0">roleOccupant</span>:<span class="re1"> uid=coudot,ou=users,dc=example,dc=com</span></pre>
<p>
These regular expressions read the &#039;ou&#039; value of the <abbr title="Distinguished Name">DN</abbr> of the role of the concerned application. This works if the user has only one role per application.
A user is attached to a role if its <abbr title="Distinguished Name">DN</abbr> is in <code>roleOccupant</code> attribute. We add the attribute <code>ou</code> to allow <abbr title="LemonLDAP::NG">LL::NG</abbr> to know which application is concerned by this role.
</p>
<p>
Third step: provide the role to the application. It is done by creating the correct HTTP header:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; $aaaRoles</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; $bbbRoles</pre>
<p>
Now the protected application can read in the header HTTP_AUTH_ROLES the role of the user.
</p>
<p>
<p><div class="notetip">
If you have more than one role for an application, you can join those roles with a separator (ex: ||):
</p>
<pre class="code">aaaRole =&gt; join(&#039; || &#039;, (map {/uid=(.*),ou=aaa.*/} (grep{/ou=aaa/} split(&#039;;&#039;,$ssoRoles)))</pre>
<p>
</div></p>
So imagine the user coudot is “user” on application “BBB” and “admin” on application “<abbr title="Authentication Authorization Accounting">AAA</abbr>”.
</p>
</div>
<h4 id="gather_roles_in_session">Gather roles in session</h4>
<div class="level4">
<p>
Use the <a href="../../documentation/1.9/authldap.html#groups" class="wikilink1" title="documentation:1.9:authldap">LDAP group</a> configuration to store roles as groups in the user session:
</p>
<ul>
<li class="level1"><div class="li"> Base: ou=roles,dc=example,dc=com</div>
</li>
<li class="level1"><div class="li"> Object class: organizationalRole</div>
</li>
<li class="level1"><div class="li"> Target attribute: roleOccupant</div>
</li>
<li class="level1"><div class="li"> Searched attributes: cn ou</div>
</li>
</ul>
</div>
<h4 id="restrict_access_to_application">Restrict access to application</h4>
<div class="level4">
<p>
We configure <abbr title="LemonLDAP::NG">LL::NG</abbr> to authorize people on an application only if they have a role on it. For this, we use the <code>$hGroups</code> variable.
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;aaa&#039;)</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">default =&gt; groupMatch($hGroups, &#039;ou&#039;, &#039;bbb&#039;)</pre>
</div>
<h4 id="send_role_to_application">Send role to application</h4>
<div class="level4">
<p>
It is done by creating the correct HTTP header:
</p>
<ul>
<li class="level1"><div class="li"> For application <abbr title="Authentication Authorization Accounting">AAA</abbr>:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/aaa/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>
<ul>
<li class="level1"><div class="li"> For application BBB:</div>
</li>
</ul>
<pre class="code">Auth-Roles =&gt; ((grep{/bbb/} split(&#039;;&#039;,$groups))[0] =~ /([a-zA-Z]+?)/)[0]</pre>
</div>
</div><!-- closes <div class="dokuwiki export">-->
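Review bot: the new header rules `Auth-Roles => ((grep{/aaa/} split(';',$groups))[0] =~ /([a-zA-Z]+?)/)[0]` cannot return the role name: `[a-zA-Z]+?` is non-greedy with nothing after it, so the capture is always the first letter of the matched group. It is also unclear what `$groups` holds under the "Gather roles in session" settings (searched attributes `cn ou`): if group names are the `cn` values (`admin`, `user`), `grep{/aaa/}` matches nothing for application AAA. Since the access rules already use `groupMatch($hGroups, 'ou', 'aaa')`, derive the header from `$hGroups` as well, and show the `$groups` / `$hGroups` values produced for user `coudot` so the expressions can be checked against them. Minor: `trough LemonLDAP::NG` should be `through LemonLDAP::NG`, and the text should say which `cn` a user with several roles on one application gets, as the old tip about joining roles with a separator was dropped.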

View File

@ -104,14 +104,12 @@ These parameters can be configured in Manager, in <code>General Parameters</code
<p><div class="noteclassic">If a user is redirected from handler to portal for authentication and once he is authenticated, portal redirects him to the redirection <abbr title="Uniform Resource Locator">URL</abbr>.
</div></p>
</p>
<p>
The redirection from portal can be done either with code 303 (See Other), or with a JavaScript redirection.
</p>
<p>
Often the redirection takes some time because it is user&#039;s first access to the protected app, so a new app session has to be created : JavaScript redirection improves user experience by informing that authentication is performed, and by preventing from clicking again on the button because it is too slow.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Redirection message</strong>: The redirection from portal can be done either with code 303 (See Other), or with a JavaScript redirection. Often the redirection takes some time because it is user&#039;s first access to the protected app, so a new app session has to be created : JavaScript redirection improves user experience by informing that authentication is performed, and by preventing from clicking again on the button because it is too slow.</div>
</li>
<li class="level1"><div class="li"> <strong>Keep redirections for Ajax</strong>: By default, when an Ajax request is done on the portal for an unauthenticated user (after a redirection done by the handler), a 401 code will be sentwith a <code>WWW-Authenticate</code> header containing “<abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;”. Set this option to 1 to keep the old behavior (return of <abbr title="HyperText Markup Language">HTML</abbr> code).</div>
</li>
</ul>
</div>
</div><!-- closes <div class="dokuwiki export">-->
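Review bot: In the "Keep redirections for Ajax" item, "sentwith" is missing a space ("sent with"). In the "Redirection message" item, "because it is user's first access to the protected app, so a new app session has to be created :" reads better as "because it is the user's first access to the protected app and a new application session has to be created:" (no space before the colon). The `<p><div class="noteclassic">…</div></p>` followed by a second `</p>` at the top of the hunk leaves a stray closing tag; the div should not be wrapped in a paragraph at all.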

View File

@ -178,9 +178,9 @@ You can define keys for <abbr title="Security Assertion Markup Language">SAML</a
To define keys, you can:
</p>
<ul>
<li class="level1"><div class="li"> import your own private and public keys (<code>Load from a file</code> input)</div>
<li class="level1"><div class="li"> import your own private and public keys (<code>Replace by file</code> input)</div>
</li>
<li class="level1"><div class="li"> generate new public and private keys (<code>Generate</code> button)</div>
<li class="level1"><div class="li"> generate new public and private keys (<code>New keys</code> button)</div>
</li>
</ul>
@ -190,23 +190,34 @@ To define keys, you can:
</p>
<p>
<a href="/_detail/documentation/manager-saml-private-key.png?id=documentation%3A1.9%3Asamlservice" class="media" title="documentation:manager-saml-private-key.png"><img src="../../../media/documentation/manager-saml-private-key.png" class="mediacenter" alt="" /></a>
<img src="../../../media/documentation/manager-saml-signature.png" class="mediacenter" alt="" />
</p>
<p>
<p><div class="notetip">You can import a certificate containing the public key instead the raw public key. However, certificate will not be really validated by other <abbr title="Security Assertion Markup Language">SAML</abbr> components (expiration date, common name, etc.), but will just be a public key wrapper.
You can import a certificate containing the public key instead the raw public key. However, certificate will not be really validated by other <abbr title="Security Assertion Markup Language">SAML</abbr> components (expiration date, common name, etc.), but will just be a public key wrapper.
</p>
<p>
You can force <abbr title="LemonLDAP::NG">LL::NG</abbr> to use this certificate in <abbr title="Security Assertion Markup Language">SAML</abbr> responses by enabling <strong>Use certificate in response</strong> option.
</p>
<p>
<p><div class="notetip">
You can easily generate a certificate to replace your public key by saving the private key in a file, and use <code>openssl</code> commands to issue a self-signed certificate:
</p>
<pre class="code">$ openssl req -new -key private.key -out cert.csr
$ openssl x509 -req -days 3650 -in cert.csr -signkey private.key -out cert.pem</pre>
<p>
</div></p>
</p>
</div>
<!-- EDIT8 SECTION "Security parameters" [2393-3221] -->
<!-- EDIT8 SECTION "Security parameters" [2393-3655] -->
<h3 class="sectionedit9" id="nameid_formats">NameID formats</h3>
<div class="level3">
<p>
<a href="/_detail/documentation/manager-saml-namid-formats.png?id=documentation%3A1.9%3Asamlservice" class="media" title="documentation:manager-saml-namid-formats.png"><img src="../../../media/documentation/manager-saml-namid-formats.png" class="mediacenter" alt="" /></a>
</p>
<p>
<abbr title="Security Assertion Markup Language">SAML</abbr> can use different NameID formats. The NameID is the main user identifier, carried in <abbr title="Security Assertion Markup Language">SAML</abbr> messages. You can configure here which field of <abbr title="LemonLDAP::NG">LL::NG</abbr> session will be associated to a NameID format.
</p>
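Review bot: "instead the raw public key" should be "instead of the raw public key", and "certificate will not be really validated" should be "the certificate will not really be validated". The new tip's markup is broken: `<p><div class="notetip">` is opened, then `</p>` closes the paragraph before the `<pre>`, and `<p></div></p></p>` closes it afterwards, so the div straddles two paragraphs; drop the wrapping `<p>` tags around the notetip div. The `openssl` commands themselves are correct; since the text says other SAML components treat the certificate only as a key wrapper, it is worth saying explicitly that the 3650-day validity is therefore not enforced by partners.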
@ -248,14 +259,10 @@ Other NameID formats are automatically managed:
</ul>
</div>
<!-- EDIT9 SECTION "NameID formats" [3222-4034] -->
<!-- EDIT9 SECTION "NameID formats" [3656-4414] -->
<h3 class="sectionedit10" id="authentication_contexts">Authentication contexts</h3>
<div class="level3">
<p>
<a href="/_detail/documentation/manager-saml-service-authn-contexts.png?id=documentation%3A1.9%3Asamlservice" class="media" title="documentation:manager-saml-service-authn-contexts.png"><img src="../../../media/documentation/manager-saml-service-authn-contexts.png" class="mediacenter" alt="" /></a>
</p>
<p>
Each <abbr title="LemonLDAP::NG">LL::NG</abbr> authentication module has an authentication level, which can be associated to an <a href="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf" class="urlextern" title="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf" rel="nofollow">SAML authentication context</a>.
</p>
@ -280,7 +287,7 @@ Customizable NameID formats are:
</ul>
</div>
<!-- EDIT10 SECTION "Authentication contexts" [4035-4821] -->
<!-- EDIT10 SECTION "Authentication contexts" [4415-5138] -->
<h3 class="sectionedit11" id="organization">Organization</h3>
<div class="level3">
@ -308,7 +315,7 @@ This concerns all parameters for the Organization metadata section:
</ul>
</div>
<!-- EDIT11 SECTION "Organization" [4822-5333] -->
<!-- EDIT11 SECTION "Organization" [5139-5650] -->
<h3 class="sectionedit12" id="service_provider">Service Provider</h3>
<div class="level3">
@ -356,10 +363,6 @@ For each binding you can set:
</li>
</ul>
<p>
<a href="/_detail/documentation/manager-saml-service-sp-slo.png?id=documentation%3A1.9%3Asamlservice" class="media" title="documentation:manager-saml-service-sp-slo.png"><img src="../../../media/documentation/manager-saml-service-sp-slo.png" class="mediacenter" alt="" /></a>
</p>
<p>
Available bindings are:
</p>
@ -387,10 +390,6 @@ For each binding you can set:
</li>
</ul>
<p>
<a href="/_detail/documentation/manager-saml-service-sp-ac.png?id=documentation%3A1.9%3Asamlservice" class="media" title="documentation:manager-saml-service-sp-ac.png"><img src="../../../media/documentation/manager-saml-service-sp-ac.png" class="mediacenter" alt="" /></a>
</p>
<p>
Available bindings are:
</p>
@ -411,7 +410,7 @@ The only authorized binding is SOAP. This should be set as Default.
</p>
</div>
<!-- EDIT12 SECTION "Service Provider" [5334-6497] -->
<!-- EDIT12 SECTION "Service Provider" [5651-6705] -->
<h3 class="sectionedit13" id="identity_provider">Identity Provider</h3>
<div class="level3">
@ -508,7 +507,7 @@ The only authorized binding is SOAP. This should be set as Default.
</p>
</div>
<!-- EDIT13 SECTION "Identity Provider" [6498-7486] -->
<!-- EDIT13 SECTION "Identity Provider" [6706-7694] -->
<h3 class="sectionedit14" id="attribute_authority">Attribute Authority</h3>
<div class="level3">
@ -539,7 +538,7 @@ Response Location should be empty, as SOAP responses are directly returned (sync
</p>
</div>
<!-- EDIT14 SECTION "Attribute Authority" [7487-7898] -->
<!-- EDIT14 SECTION "Attribute Authority" [7695-8106] -->
<h3 class="sectionedit15" id="advanced">Advanced</h3>
<div class="level3">
@ -605,24 +604,5 @@ Configuration parameters are:
</li>
</ul>
</div>
<!-- EDIT15 SECTION "Advanced" [7899-9925] -->
<h2 class="sectionedit16" id="replace_public_key_by_a_certificate">Replace public key by a certificate</h2>
<div class="level2">
<p>
By default, <abbr title="LemonLDAP::NG">LL::NG</abbr> publish the public key in metadata, which may not fit to your partner SP or IDP. Here is a simple method to replace the public key by a certificate.
</p>
<ul>
<li class="level1"><div class="li"> Create the certificate from the private key as explained in <a href="../../documentation/1.9/applications/googleapps.html#certificate" class="wikilink1" title="documentation:1.9:applications:googleapps">Google Apps tutorial</a>.</div>
</li>
<li class="level1"><div class="li"> Now you have the certificate file, go in the Manager, go in the public key field and lod the certificate file.</div>
</li>
</ul>
<p>
That&#039;s all! If you look at the metadata, the certificate is now published!
</p>
</div>
</div><!-- closes <div class="dokuwiki export">-->
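Review bot: Removing the whole "Replace public key by a certificate" section also removes the `replace_public_key_by_a_certificate` anchor, so any page or external bookmark linking to `samlservice.html#replace_public_key_by_a_certificate` will now land at the top of the document; check for inbound links and keep a short stub or redirect if there are any. The removed section also carried the link to the Google Apps tutorial certificate step, which the replacement tip in "Security parameters" no longer references.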

View File

@ -122,7 +122,7 @@ The Manager let you define comments in rules, to order them:
</p>
<p>
<a href="/_detail/documentation/manager_access_rule.png?id=documentation%3A1.9%3Asecurity" class="media" title="documentation:manager_access_rule.png"><img src="../../../media/documentation/manager_access_rule.png" class="mediacenter" alt="" /></a>
<a href="/_detail/documentation/manager-rule.png?id=documentation%3A1.9%3Asecurity" class="media" title="documentation:manager-rule.png"><img src="../../../media/documentation/manager-rule.png" class="mediacenter" alt="" /></a>
</p>
<p>
@ -141,7 +141,7 @@ For example, if these rules are used without comments:
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [2551-2661] -->
<!-- EDIT8 TABLE [2544-2654] -->
<p>
Then the second rule will be applied first, so every authenticated user will access to <code>/pub/admin</code> directory.
</p>
@ -162,7 +162,7 @@ Use comment to correct this:
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> 2_pub </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [2806-2930] -->
<!-- EDIT9 TABLE [2799-2923] -->
<p>
<p><div class="notetip">
</p>
@ -179,7 +179,7 @@ Use comment to correct this:
</p>
</div>
<!-- EDIT7 SECTION "Order your rules" [2128-3051] -->
<!-- EDIT7 SECTION "Order your rules" [2128-3044] -->
<h3 class="sectionedit10" id="be_careful_with_url_parameters">Be careful with URL parameters</h3>
<div class="level3">
@ -203,7 +203,7 @@ For example with this rule on the <code>access</code> parameter:
<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [3288-3422] -->
<!-- EDIT11 TABLE [3281-3415] -->
<p>
Then a user that try to access to one of the following <em class="u">will be granted</em> !
</p>
@ -233,7 +233,7 @@ You can use the following rules instead:
<td class="col0"> default </td><td class="col1"> accept </td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT12 TABLE [3620-3823] -->
<!-- EDIT12 TABLE [3613-3816] -->
<p>
<p><div class="notetip"><strong>(?i)</strong> means case no sensitive.
</div></p>
@ -245,7 +245,7 @@ You can use the following rules instead:
</p>
</div>
<!-- EDIT10 SECTION "Be careful with URL parameters" [3052-3960] -->
<!-- EDIT10 SECTION "Be careful with URL parameters" [3045-3953] -->
<h3 class="sectionedit13" id="encoded_characters">Encoded characters</h3>
<div class="level3">
@ -254,7 +254,7 @@ Some characters are encoded in URLs by the browser (such as space,…). To avoid
</p>
</div>
<!-- EDIT13 SECTION "Encoded characters" [3961-4214] -->
<!-- EDIT13 SECTION "Encoded characters" [3954-4207] -->
<h2 class="sectionedit14" id="secure_reverse-proxies">Secure reverse-proxies</h2>
<div class="level2">
@ -300,7 +300,7 @@ It is recommended to secure the channel between reverse-proxies and application
</ul>
</div>
<!-- EDIT14 SECTION "Secure reverse-proxies" [4215-5883] -->
<!-- EDIT14 SECTION "Secure reverse-proxies" [4208-5876] -->
<h2 class="sectionedit15" id="configure_security_settings">Configure security settings</h2>
<div class="level2">
@ -312,6 +312,8 @@ Go in Manager, <code>General parameters</code> » <code>Advanced parameters</cod
</li>
<li class="level1"><div class="li"> <strong>Force authentication</strong>: set to &#039;On&#039; to force authentication when user connects to portal, even if he has a valid session</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication interval</strong>: time interval (in seconds) when a authentication renewal cannot be forced, used to prevent to loose the current authentication during the main process. If you experience slow network performances, you can increase this value.</div>
</li>
<li class="level1"><div class="li"> <strong>Encryption key</strong>: key used to crypt some data, should not be known by other applications</div>
</li>
<li class="level1"><div class="li"> <strong>Trusted domains</strong>: domains on which the user can be redirected after login on portal. Set &#039;*&#039; to accept all.</div>
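Review bot: The new "Force authentication interval" item has several grammar slips: "when a authentication renewal cannot be forced" should be "during which an authentication renewal cannot be forced", and "used to prevent to loose the current authentication" should be "used to prevent losing the current authentication". The item should also state the default value of the interval so administrators know what they are increasing from.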
@ -323,7 +325,7 @@ Go in Manager, <code>General parameters</code> » <code>Advanced parameters</cod
</ul>
</div>
<!-- EDIT15 SECTION "Configure security settings" [5884-6752] -->
<!-- EDIT15 SECTION "Configure security settings" [5877-7010] -->
<h2 class="sectionedit16" id="fail2ban">Fail2ban</h2>
<div class="level2">
@ -375,7 +377,7 @@ Restart fail2ban
</p>
</div>
<!-- EDIT16 SECTION "Fail2ban" [6753-7806] -->
<!-- EDIT16 SECTION "Fail2ban" [7011-8064] -->
<h2 class="sectionedit17" id="sessions_identifier">Sessions identifier</h2>
<div class="level2">

View File

@ -0,0 +1,49 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1 class="sectionedit1" id="selinux">SELinux</h1>
<div class="level1">
<p>
To make LemonLDAP::NG work with SELinux, you may need to set up some options.
</p>
</div>
<!-- EDIT1 SECTION "SELinux" [1-102] -->
<h2 class="sectionedit2" id="disk_cache_sessions_an_configuration">Disk cache (sessions an configuration)</h2>
<div class="level2">
<pre class="code">chcon -R -t httpd_sys_rw_content_t /tmp</pre>
</div>
<!-- EDIT2 SECTION "Disk cache (sessions an configuration)" [103-208] -->
<h2 class="sectionedit3" id="memcache">Memcache</h2>
<div class="level2">
<pre class="code">setsebool -P httpd_can_network_memcache 1</pre>
</div>
<!-- EDIT3 SECTION "Memcache" [209-286] -->
<h2 class="sectionedit4" id="proxy_http">Proxy HTTP</h2>
<div class="level2">
<pre class="code">setsebool -P httpd_can_network_relay 1</pre>
</div>
</div><!-- closes <div class="dokuwiki export">-->
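Review bot: `chcon -R -t httpd_sys_rw_content_t /tmp` relabels the whole of `/tmp` as httpd-writable, which is far broader than the sessions and configuration cache directories this page is about; point the command at the actual cache directory instead. `chcon` labels are also lost on a filesystem relabel, so the persistent form is `semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/cache(/.*)?"` followed by `restorecon -R /path/to/cache`. The heading "Disk cache (sessions an configuration)" and its id `disk_cache_sessions_an_configuration` are missing the "d" in "and", and `<title></title>` is empty.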

View File

@ -79,24 +79,24 @@ Example for MySQL :
<h4 id="rdbi">RDBI</h4>
<div class="level4">
<pre class="code">CREATE TABLE lmConfig (
cfgNum int(11) NOT NULL,
field varchar(255) NOT NULL DEFAULT &#039;&#039;,
value longblob,
PRIMARY KEY (cfgNum,field)
);</pre>
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">TABLE</span> lmConfig <span class="br0">&#40;</span>
cfgNum <span class="kw1">INT</span><span class="br0">&#40;</span><span class="nu0">11</span><span class="br0">&#41;</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span><span class="sy0">,</span>
<span class="kw1">FIELD</span> <span class="kw1">VARCHAR</span><span class="br0">&#40;</span><span class="nu0">255</span><span class="br0">&#41;</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span> <span class="kw1">DEFAULT</span> <span class="st0">''</span><span class="sy0">,</span>
<span class="kw1">VALUE</span> longblob<span class="sy0">,</span>
<span class="kw1">PRIMARY</span> <span class="kw1">KEY</span> <span class="br0">&#40;</span>cfgNum<span class="sy0">,</span><span class="kw1">FIELD</span><span class="br0">&#41;</span>
<span class="br0">&#41;</span>;</pre>
</div>
<h4 id="cdbi">CDBI</h4>
<div class="level4">
<pre class="code">CREATE TABLE lmConfig (
cfgNum int not null primary key,
data longblob
);</pre>
<pre class="code sql"><span class="kw1">CREATE</span> <span class="kw1">TABLE</span> lmConfig <span class="br0">&#40;</span>
cfgNum <span class="kw1">INT</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span> <span class="kw1">PRIMARY</span> <span class="kw1">KEY</span><span class="sy0">,</span>
<span class="kw1">DATA</span> longblob
<span class="br0">&#41;</span>;</pre>
</div>
<!-- EDIT4 SECTION "SQL configuration" [1016-1341] -->
<!-- EDIT4 SECTION "SQL configuration" [1016-1349] -->
<h3 class="sectionedit5" id="grant_lemonldapng_access">Grant LemonLDAP::NG access</h3>
<div class="level3">
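Review bot: Switching the `<pre>` to `class="code sql"` makes the GeSHi highlighter capitalise the column names `field`, `value` and `data` as keywords, so the RDBI table is now shown with columns `FIELD` and `VALUE` and the CDBI table with `DATA`. Unquoted identifiers are case-insensitive in MySQL and folded to lowercase in PostgreSQL, so the statements still work, but readers comparing with the LemonLDAP::NG code will see different names; either keep the plain `class="code"` block or disable keyword case conversion for these snippets.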

View File

@ -55,6 +55,13 @@ SQL session backend can be used with many SQL databases such as:
Your database must have a specific table to host sessions. Here are some examples for main databases servers.
</p>
<p>
<p><div class="noteimportant">
If your database doesn&#039;t accept UTF-8 characters in &#039;text&#039; field, use &#039;blob&#039; instead of &#039;text&#039;.
</div></p>
</p>
</div>
<h4 id="mysql">MySQL</h4>
@ -70,7 +77,7 @@ Create sessions table:
</p>
<pre class="code file sql"><span class="kw1">CREATE</span> <span class="kw1">TABLE</span> sessions <span class="br0">&#40;</span>
id <span class="kw1">CHAR</span><span class="br0">&#40;</span><span class="nu0">32</span><span class="br0">&#41;</span> <span class="kw1">NOT</span> <span class="kw1">NULL</span> <span class="kw1">PRIMARY</span> <span class="kw1">KEY</span><span class="sy0">,</span>
a_session <span class="kw1">BLOB</span>
a_session text
<span class="br0">&#41;</span>;</pre>
<p>
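Review bot: Changing the MySQL example from `a_session BLOB` to `a_session text` makes the column subject to the table's character set, so the note added in the previous hunk ("If your database doesn't accept UTF-8 characters in 'text' field, use 'blob' instead") will bite anyone whose MySQL default charset is latin1; the example should declare the charset explicitly (for instance `CHARACTER SET utf8` on the column or table) rather than leaving readers to discover it through corrupted session data. In the note, "in 'text' field" should read "in a 'text' field".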
@ -114,7 +121,7 @@ lemonldap-ng=&gt; q</pre>
</p>
</div>
<!-- EDIT3 SECTION "Prepare the database" [488-1947] -->
<!-- EDIT3 SECTION "Prepare the database" [488-2069] -->
<h3 class="sectionedit4" id="manager">Manager</h3>
<div class="level3">
@ -143,7 +150,7 @@ Go in the Manager and set the session module (for example <a href="http://search
<td class="col0 centeralign"> <strong>Commit</strong> </td><td class="col1"> Required for PostgreSQL </td><td class="col2"> 1 </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [2276-2619] -->
<!-- EDIT5 TABLE [2398-2741] -->
<p>
You must read the man page corresponding to your database (<a href="http://search.cpan.org/perldoc?Apache::Session::MySQL" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session::MySQL" rel="nofollow">Apache::Session::MySQL</a>, …) to learn more about parameters. You must also install the database connector (<a href="http://search.cpan.org/perldoc?DBD::Oracle" class="urlextern" title="http://search.cpan.org/perldoc?DBD::Oracle" rel="nofollow">DBD::Oracle</a>, <a href="http://search.cpan.org/perldoc?DBD::Pg" class="urlextern" title="http://search.cpan.org/perldoc?DBD::Pg" rel="nofollow">DBD::Pg</a>,…)
</p>
@ -171,7 +178,7 @@ If you choose to use MySQL, read <a href="../../documentation/1.9/performances.h
</p>
</div>
<!-- EDIT4 SECTION "Manager" [1948-3198] -->
<!-- EDIT4 SECTION "Manager" [2070-3320] -->
<h2 class="sectionedit6" id="security">Security</h2>
<div class="level2">

View File

@ -464,6 +464,8 @@ Sessions are stored using <a href="http://search.cpan.org/perldoc?Apache::Sessio
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.9/security.html" class="wikilink1" title="documentation:1.9:security">Security</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.9/selinux.html" class="wikilink1" title="documentation:1.9:selinux">SELinux</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.9/status.html" class="wikilink1" title="documentation:1.9:status">Handler status page</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.9/mrtg.html" class="wikilink1" title="documentation:1.9:mrtg">MRTG monitoring</a></div>

View File

@ -24,20 +24,40 @@
<div class="level1">
</div>
<!-- EDIT1 SECTION "Upgrade from 1.4 to 1.9" [1-41] -->
<h2 class="sectionedit2" id="file_configuration_backend">File configuration backend</h2>
<!-- EDIT1 SECTION "Upgrade from 1.4 to 1.9" [1-39] -->
<h2 class="sectionedit2" id="json_serialization">JSON serialization</h2>
<div class="level2">
<p>
Configuration is now stored in JSON when using File configuration backend.
From now, LemonLDAP::NG uses JSON serialization to store configuration and sessions instead of <code>Storable::nfreeze</code> Perl function. This permits to have heterogenous servers connected to the same <abbr title="LemonLDAP::NG">LL::NG</abbr> organization <em>(32/64 bits or different Perl versions)</em>. Old format still works but:
</p>
<ul>
<li class="level1"><div class="li"> configuration backends: new format is applied at first configuration save,</div>
</li>
<li class="level1"><div class="li"> sessions storages: new format is applied for each new session or when updating an existing session. You can force LemonLDAP::NG to keep the old serialization method by setting <code>useStorable</code> to 1 in sessions backend options if you have some custom hooks.</div>
</li>
</ul>
<p>
Old format is still working but the new format is applied at first configuration save.
<p><div class="noteimportant">
If you have more than one server and don&#039;t want to stop the <abbr title="Single Sign On">SSO</abbr> service, start upgrading in the following order:
</p>
<ul>
<li class="level1"><div class="li"> servers that have only handlers;</div>
</li>
<li class="level1"><div class="li"> portal servers (all together if your load balancer doesn&#039;t keep state by user or client <abbr title="Internet Protocol">IP</abbr> and if users use the menu);</div>
</li>
<li class="level1"><div class="li"> manager server</div>
</li>
</ul>
<p>
</div></p>
</p>
</div>
<!-- EDIT2 SECTION "File configuration backend" [42-245] -->
<!-- EDIT2 SECTION "JSON serialization" [40-1018] -->
<h2 class="sectionedit3" id="portal_autocomplete_configuration">Portal autocomplete configuration</h2>
<div class="level2">
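Review bot: "heterogenous" should be "heterogeneous", "From now," should be "From now on," and "This permits to have heterogenous servers" reads better as "This allows heterogeneous servers". The `<p><div class="noteimportant">` block has the same broken nesting as elsewhere in this commit (a `</p>` closes the paragraph before the `<ul>`, then `<p></div></p></p>` follows), so the div is not well-formed. The `useStorable` sentence should say what "custom hooks" means here (code that reads the raw session data with Storable), otherwise readers cannot tell whether the option applies to them.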
@ -49,5 +69,86 @@ Modern browsers do not take into account the autocomplete attribute in password
As it was not used anymore, this option is now removed. See <a href="https://jira.ow2.org/browse/LEMONLDAP-824" class="urlextern" title="https://jira.ow2.org/browse/LEMONLDAP-824" rel="nofollow">https://jira.ow2.org/browse/LEMONLDAP-824</a> for more details.
</p>
</div>
<!-- EDIT3 SECTION "Portal autocomplete configuration" [1019-1388] -->
<h2 class="sectionedit4" id="support_for_centosrhel_5_dropped">Support for CentOS/RHEL 5 dropped</h2>
<div class="level2">
<p>
Due to a too old Perl version and some missing modules, <abbr title="LemonLDAP::NG">LL::NG</abbr> is no more available for CentOS/RHEL 5.
</p>
</div>
<!-- EDIT4 SECTION "Support for CentOS/RHEL 5 dropped" [1389-1539] -->
<h2 class="sectionedit5" id="manager_components_protection">Manager components protection</h2>
<div class="level2">
<p>
You can no more set up a different <code>protection</code> parameter for sessions explorer and configuration management. The <code>protection</code> is used for all components, but can use access rules to manage authorizations between configuration, notifications and sessions:
</p>
<pre class="code perl"><span class="sy0">^</span><span class="co2">/(manager\.html|conf/</span><span class="br0">&#41;</span> <span class="sy0">=&gt;</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st0">&quot;dwho&quot;</span>
default <span class="sy0">=&gt;</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st0">&quot;dwho&quot;</span> <span class="kw1">or</span> <span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st0">&quot;rtyler&quot;</span> </pre>
</div>
<!-- EDIT5 SECTION "Manager components protection" [1540-1952] -->
<h2 class="sectionedit6" id="ajax_unauthenticated_requests_in_handler">AJAX unauthenticated requests in handler</h2>
<div class="level2">
<p>
To request for authentication, handlers sent a 302 HTTP code, then portal sent the <abbr title="HyperText Markup Language">HTML</abbr> form even if request was an Ajax one. From now, after being redirected by the Handler, a 401 code will be sent by the portal with a <code>WWW-Authenticate</code> header containing “<abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;”. This is a little HTTP protocol hook created because browsers follow redirection transparently and we have to respond to JSON queries by JSON.
</p>
<p>
If you want to keep old behavior, set <code>noAjaxHook</code> to 1 (in General Parameters → Advanced → Portal redirections → Keep redirections for Ajax).
</p>
</div>
<!-- EDIT6 SECTION "AJAX unauthenticated requests in handler" [1953-2577] -->
<h2 class="sectionedit7" id="persistent_sessions">Persistent sessions</h2>
<div class="level2">
<p>
Persistent sessions have a new attributes:
</p>
<ul>
<li class="level1"><div class="li"> <code>_session_uid</code>: real user identifier</div>
</li>
<li class="level1"><div class="li"> <code>_utime</code>: creation timestamp</div>
</li>
</ul>
<p>
These attributes allow to browse them in the sessions explorer. Old persistent sessions will automatically get these new attributes at user connexion.
</p>
</div>
<!-- EDIT7 SECTION "Persistent sessions" [2578-2884] -->
<h2 class="sectionedit8" id="multi_backend">Multi backend</h2>
<div class="level2">
<p>
The <a href="../../documentation/1.9/authmulti.html" class="wikilink1" title="documentation:1.9:authmulti">Multi backend</a> configuration has changed. Now the stacks are defined in separate attributes:
</p>
<ul>
<li class="level1"><div class="li"> multiAuthStack</div>
</li>
<li class="level1"><div class="li"> multiUserDBStack</div>
</li>
</ul>
<p>
So an old configuration like this:
</p>
<pre class="file">authentication = Multi LDAP;DBI
userDB = Multi LDAP;DBI</pre>
<p>
Must be replaced by:
</p>
<pre class="file">authentication = Multi
userDB = Multi
multiAuthStack = LDAP;DBI
multiUserDBStack = LDAP;DBI</pre>
</div>
</div><!-- closes <div class="dokuwiki export">-->
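Review bot: The Perl access-rule example under "Manager components protection" is mis-highlighted: GeSHi renders `/(manager\.html|conf/` as a comment span (`class="co2"`), which visually splits the regex `^/(manager\.html|conf/)` and suggests it is being parsed as something else; a plain `<pre class="code">` as used in the rest of the documentation would avoid that. Grammar in the new sections: "is no more available" and "You can no more set up" should be "is no longer available" and "You can no longer set up"; "Persistent sessions have a new attributes" should be "have new attributes"; "at user connexion" should be "at user connection"; "To request for authentication, handlers sent a 302" should be "To request authentication, handlers sent a 302".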

View File

@ -279,7 +279,7 @@ Only with UserDB LDAP.
<!-- EDIT20 TABLE [3063-3159] -->
</div>
<!-- EDIT19 SECTION "OpenID" [3043-3160] -->
<h2 class="sectionedit21" id="other">Other</h2>
<h2 class="sectionedit21" id="openid_connect">OpenID Connect</h2>
<div class="level2">
<div class="table sectionedit22"><table class="inline">
<thead>
@ -288,9 +288,39 @@ Only with UserDB LDAP.
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"> appsListOrder </td><td class="col1 leftalign"> Order of categories in the menu </td>
<td class="col0 leftalign"> OpenIDConnect_IDToken </td><td class="col1 leftalign"> ID Token </td>
</tr>
<tr class="row2 roweven">
<td class="col0 leftalign"> OpenIDConnect_OP </td><td class="col1 leftalign"> Configuration key of OP used for authentication </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 leftalign"> OpenIDConnect_access_token </td><td class="col1 leftalign"> OAuth2 Access Token used to get UserInfo data </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> _oidc_consent_scope_<em>rp</em> </td><td class="col1 leftalign"> Scope for which consent was given for RP <em>rp</em> </td>
</tr>
<tr class="row5 rowodd">
<td class="col0"> _oidc_consent_time_<em>rp</em> </td><td class="col1 leftalign"> Time when consent was given for RP <em>rp</em> </td>
</tr>
</table></div>
<!-- EDIT22 TABLE [3180-3259] -->
<!-- EDIT22 TABLE [3189-3564] -->
</div>
<!-- EDIT21 SECTION "OpenID Connect" [3161-3565] -->
<h2 class="sectionedit23" id="other">Other</h2>
<div class="level2">
<div class="table sectionedit24"><table class="inline">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Key </th><th class="col1 centeralign"> Description </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"> appsListOrder </td><td class="col1 leftalign"> Order of categories in the menu </td>
</tr>
<tr class="row2 roweven">
<td class="col0 leftalign"> _session_kind </td><td class="col1 leftalign"> Type of session (<abbr title="Single Sign On">SSO</abbr>, Persistent, …) </td>
</tr>
</table></div>
<!-- EDIT24 TABLE [3585-3725] -->
</div>
</div><!-- closes <div class="dokuwiki export">-->
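Review bot: The Description column for `OpenIDConnect_IDToken` and `OpenIDConnect_access_token` should say that these are credentials held in the user's session, so administrators know not to export them in headers or expose them in the sessions explorer more widely than needed; "OAuth2 Access Token used to get UserInfo data" alone does not convey that. Minor: the two `_oidc_consent_*` rows lack the `leftalign` class used on every other first-column cell in the table.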

View File

@ -42,7 +42,7 @@ A rule associates a <a href="http://en.wikipedia.org/wiki/Perl_Compatible_Regula
</p>
<p>
<a href="/_detail/documentation/manager_access_rule.png?id=documentation%3A1.9%3Awritingrulesand_headers" class="media" title="documentation:manager_access_rule.png"><img src="../../../media/documentation/manager_access_rule.png" class="mediacenter" alt="" /></a>
<a href="/_detail/documentation/manager-rule.png?id=documentation%3A1.9%3Awritingrulesand_headers" class="media" title="documentation:manager-rule.png"><img src="../../../media/documentation/manager-rule.png" class="mediacenter" alt="" /></a>
</p>
<p>
@ -73,7 +73,7 @@ Examples:
<td class="col0 leftalign"> Restrict access to the whole site to users that have the LDAP description field set to “LDAP administrator” (must be set in exported variables) </td><td class="col1 centeralign"> default </td><td class="col2 centeralign"> $description&nbsp;eq&nbsp;"LDAP&nbsp;administrator" </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [670-1513] -->
<!-- EDIT3 TABLE [663-1506] -->
<p>
The “<strong>default</strong>” access rule is used if no other access rule match the current <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
@ -112,7 +112,7 @@ Rules can also be used to intercept logout <abbr title="Uniform Resource Locator
<td class="col0 leftalign"> Logout user from current application and from Lemonldap::NG and redirect it to http://intranet/ </td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_app_sso&nbsp;http://intranet/ </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [2007-2612] -->
<!-- EDIT4 TABLE [2000-2605] -->
<p>
<p><div class="notetip">By default, user will be redirected on portal if no <abbr title="Uniform Resource Locator">URL</abbr> defined, or on the specified <abbr title="Uniform Resource Locator">URL</abbr> if any.
</div></p>
@ -124,7 +124,7 @@ Rules can also be used to intercept logout <abbr title="Uniform Resource Locator
</p>
</div>
<!-- EDIT2 SECTION "Rules" [441-3040] -->
<!-- EDIT2 SECTION "Rules" [441-3033] -->
<h2 class="sectionedit5" id="headers">Headers</h2>
<div class="level2">
@ -154,7 +154,7 @@ Examples:
<td class="col0 leftalign"> Give a non ascii data </td><td class="col1 centeralign"> Display-Name </td><td class="col2 centeralign"> encode_base64($givenName."&nbsp;".$surName) </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [3224-3557] -->
<!-- EDIT6 TABLE [3217-3550] -->
<p>
As described in <a href="../../documentation/1.9/performances.html#handler_performance" class="wikilink1" title="documentation:1.9:performances">performances chapter</a>, you can use macros, local macros,…
</p>

View File

@ -102,15 +102,24 @@ LemonLDAP::NG used as <abbr title="Security Assertion Markup Language">SAML</abb
<th class="col0"> Nb users </th><td class="col1"> 105.000 </td>
</tr>
<tr class="row1 rowodd">
<th class="col0"> Nb protected applications </th><td class="col1"> ~100 </td>
<th class="col0"> Nb protected applications </th><td class="col1"> ~300 </td>
</tr>
<tr class="row2 roweven">
<th class="col0"> Applications </th><td class="col1"> OBM, RoundCube, Sympa, MediaWiki,…</td>
<th class="col0"> Applications </th><td class="col1"> OBM, RoundCube, Sympa, MediaWiki, SAP,…</td>
</tr>
<tr class="row3 rowodd">
<th class="col0"> Load </th><td class="col1"> More than 25 millions hits/day </td>
</tr>
<tr class="row4 roweven">
<th class="col0"> Backends </th><td class="col1"> All SQL </td>
</tr>
<tr class="row5 rowodd">
<th class="col0"> Arch </th><td class="col1"> Main instance: 4 Portal VMs, 8 reverse-proxy VMs, some isolated handlers </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [712-826] -->
<!-- EDIT9 TABLE [712-980] -->
</div>
<!-- EDIT8 SECTION "Gendarmerie Nationale" [652-827] -->
<!-- EDIT8 SECTION "Gendarmerie Nationale" [652-980] -->
<h2 class="sectionedit10" id="linagora">LINAGORA</h2>
<div class="level2">
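Review bot: In the new "Load" row, "More than 25 millions hits/day" should be "More than 25 million hits/day", and the existing "105.000" users cell uses a dot as thousands separator, which reads as 105 in English; "105,000" or "105 000" is clearer. "Arch" in the last row would be better spelled out as "Architecture".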
@ -131,9 +140,9 @@ LemonLDAP::NG used as <abbr title="Security Assertion Markup Language">SAML</abb
<th class="col0"> Applications </th><td class="col1"> Wordpress, GLPI, OBM, Dokuwiki, … </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [881-1045] -->
<!-- EDIT11 TABLE [1034-1198] -->
</div>
<!-- EDIT10 SECTION "LINAGORA" [828-1046] -->
<!-- EDIT10 SECTION "LINAGORA" [981-1199] -->
<h2 class="sectionedit12" id="ministere_de_la_justice">Ministère de la Justice</h2>
<div class="level2">
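Review bot: this hunk, and every remaining hunk in this file (LINAGORA through Université de Limoges), changes only the byte offsets in the DokuWiki `<!-- EDITn TABLE [...] -->` and `<!-- EDITn SECTION ... -->` comments, all shifted by the 153 bytes added to the Gendarmerie table above (e.g. `[881-1045]` to `[1034-1198]`). These markers are regenerated on every wiki export and have no meaning outside the DokuWiki section editor, so consider stripping them from the exported HTML (or exporting without section-edit markers) so that future documentation commits only diff on real content changes.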
@ -152,9 +161,9 @@ LemonLDAP::NG is used to protect access to intranet.
<th class="col0"> Nb protected applications </th><td class="col1"> ~10 </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [1179-1235] -->
<!-- EDIT13 TABLE [1332-1388] -->
</div>
<!-- EDIT12 SECTION "Ministère de la Justice" [1047-1236] -->
<!-- EDIT12 SECTION "Ministère de la Justice" [1200-1389] -->
<h2 class="sectionedit14" id="region_basse-normandie">Région Basse-Normandie</h2>
<div class="level2">
@ -175,9 +184,9 @@ LemonLDAP::NG is used to protect access to intranet.
<th class="col0"> Applications </th><td class="col1"> Outlook Web Access, … </td>
</tr>
</table></div>
<!-- EDIT15 TABLE [1300-1455] -->
<!-- EDIT15 TABLE [1453-1608] -->
</div>
<!-- EDIT14 SECTION "Région Basse-Normandie" [1237-1456] -->
<!-- EDIT14 SECTION "Région Basse-Normandie" [1390-1609] -->
<h2 class="sectionedit16" id="sgs">SGS</h2>
<div class="level2">
@ -192,9 +201,9 @@ LemonLDAP::NG is used to protect access to intranet.
<th class="col0"> Nb protected applications </th><td class="col1"> ~10 </td>
</tr>
</table></div>
<!-- EDIT17 TABLE [1507-1561] -->
<!-- EDIT17 TABLE [1660-1714] -->
</div>
<!-- EDIT16 SECTION "SGS" [1457-1562] -->
<!-- EDIT16 SECTION "SGS" [1610-1715] -->
<h2 class="sectionedit18" id="south_bay_community_network">South Bay Community Network</h2>
<div class="level2">
<div class="table sectionedit19"><table class="inline">
@ -205,7 +214,7 @@ LemonLDAP::NG is used to protect access to intranet.
<th class="col0"> Applications </th><td class="col1"> TikiWiki, … </td>
</tr>
</table></div>
<!-- EDIT19 TABLE [1604-1691] -->
<!-- EDIT19 TABLE [1757-1844] -->
<p>
Protected sites:
</p>
@ -219,7 +228,7 @@ Protected sites:
</ul>
</div>
<!-- EDIT18 SECTION "South Bay Community Network" [1563-1795] -->
<!-- EDIT18 SECTION "South Bay Community Network" [1716-1948] -->
<h2 class="sectionedit20" id="ucanss">UCANSS</h2>
<div class="level2">
@ -237,9 +246,9 @@ Protected sites:
<th class="col0"> Authentication portal </th><td class="col1"> <a href="http://auth.ucanss.fr/" class="urlextern" title="http://auth.ucanss.fr/" rel="nofollow">http://auth.ucanss.fr/</a> </td>
</tr>
</table></div>
<!-- EDIT21 TABLE [1845-1951] -->
<!-- EDIT21 TABLE [1998-2104] -->
</div>
<!-- EDIT20 SECTION "UCANSS" [1796-1952] -->
<!-- EDIT20 SECTION "UCANSS" [1949-2105] -->
<h2 class="sectionedit22" id="universite_de_limoges">Université de Limoges</h2>
<div class="level2">
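Review bot: the UCANSS "Authentication portal" context line in this hunk links to `http://auth.ucanss.fr/` while the Université de Limoges entry below links to `https://cas.unilim.fr/`. On a public reference page listing SSO login portals, a plain-HTTP link to an authentication endpoint is a poor example to set; if that portal serves TLS, update the href and title to https:// in a follow-up (this hunk only shifts the EDIT offsets, so it is not the place to do it, but it is worth tracking).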
@ -258,6 +267,6 @@ LemonLDAP::NG used as <abbr title="Central Authentication Service">CAS</abbr> se
<th class="col0"> Authentication portal </th><td class="col1"> <a href="https://cas.unilim.fr/" class="urlextern" title="https://cas.unilim.fr/" rel="nofollow">https://cas.unilim.fr/</a> </td>
</tr>
</table></div>
<!-- EDIT23 TABLE [2049-2121] -->
<!-- EDIT23 TABLE [2202-2274] -->
</div>
</div><!-- closes <div class="dokuwiki export">-->