2.0 to master doc patch
parent 3d92ab15dd
commit c487efc7da
@ -228,16 +228,3 @@ SSL authentication
|
|||
|
||||
To chain SSL, you have to set "SSLRequire optional" in Apache
|
||||
configuration, else users will be authenticated by SSL only.
|
||||
|
||||
Migrating from Multi
|
||||
--------------------
|
||||
|
||||
Old :doc:`Multiple backends stack<authmulti>`
|
||||
implemented only \`if\` and \`or\` keywords. Examples:
|
||||
|
||||
================================================================ =====================================================
|
||||
Multi expressions Combination
|
||||
================================================================ =====================================================
|
||||
``LDAP;DBI`` ``[myLDAP] or [myDBI]``
|
||||
``DBI $ENV{REMOTE_ADDR}=~/^192/;LDAP $ENV{REMOTE_ADDR}!~/^192/`` ``if $env->{REMOTE_ADDR} then [myDBI] else [myLDAP]``
|
||||
================================================================ =====================================================
|
||||
|
|
|
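Review bot: removing the whole ``Migrating from Multi`` section (the two-row table mapping ``LDAP;DBI`` to ``[myLDAP] or [myDBI]``) drops the only documented equivalence between old Multi expressions and Combination rules, and the ``Upgrade from 2.0 to 2.1`` page added later in this patch covers SOAP only. Keep the table here or move it into the upgrade notes so administrators still migrating off the Multi backend can find it. If it is kept, note that the second row is not an exact translation: ``if $env->{REMOTE_ADDR} then [myDBI] else [myLDAP]`` only tests that the address is set, while the old expression tested ``$ENV{REMOTE_ADDR}=~/^192/``.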
@ -172,7 +172,7 @@ Groups
|
|||
If your LDAP countains over a thousand groups, you
|
||||
should avoid using group processing, check out
|
||||
:ref:`the performance page<performances-ldap-performances>` for
|
||||
alternatives
|
||||
alternatives
|
||||
|
||||
Password
|
||||
~~~~~~~~
|
||||
|
|
|
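Review bot: the two ``alternatives`` lines at the end of the Groups hunk are identical as rendered, so the change is whitespace or punctuation only. While this paragraph is being touched, fix ``countains`` to ``contains`` in its first line and end the sentence with a full stop (``alternatives.``).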
@ -30,8 +30,6 @@ Then, go in ``LinkedIn parameters``:
|
|||
- **Authentication level**: authentication level for this module.
|
||||
- **Client ID**: the application ID you get
|
||||
- **Client secret**: the corresponding secret
|
||||
- **Searched fields** (deprecated): Fields requested on People endpoint
|
||||
in v1, no more used in v2 API
|
||||
- **Field containing user identifier**: Field that will be used as main
|
||||
user identifier in LL::NG, usually ``id`` (LinkedIn numeric
|
||||
identifer) or ``emailAddress``.
|
||||
|
|
|
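Review bot: dropping the deprecated ``Searched fields`` bullet is fine for master, but the remaining ``Field containing user identifier`` bullet still carries the typo ``identifer`` in ``LinkedIn numeric identifer``; fix it in the same hunk since the list is already being edited.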
@ -13,6 +13,11 @@ Presentation
|
|||
LL::NG is able to transfer (trough REST or SOAP) authentication
|
||||
credentials to another LL::NG portal, like a proxy.
|
||||
|
||||
|
||||
.. warning::
|
||||
|
||||
SOAP support may be removed in LLNG 3.0
|
||||
|
||||
The difference with :doc:`remote authentication<authremote>` is that the
|
||||
client will never be redirect to the main LL::NG portal. This
|
||||
configuration is usable if you want to expose your internal SSO portal
|
||||
|
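Review bot: the new warning says SOAP support "may be removed in LLNG 3.0", while ``upgrade_2_1.rst`` added by this same patch states that 2.1.x will be the last major version supporting SOAP services; use one wording in both places and point readers to REST here as well, since the first line already says credentials can be sent "trough REST or SOAP". While here, fix ``trough`` to ``through`` and ``will never be redirect`` to ``will never be redirected`` in the surrounding context lines.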
@ -59,7 +64,3 @@ in your lemonldap-ng.ini:
|
|||
|
||||
soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
|
||||
|
||||
|
||||
.. attention::
|
||||
|
||||
This needs LLNG version 2.0.8 at least
|
||||
|
|
|
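Review bot: removing the ``This needs LLNG version 2.0.8 at least`` attention block under ``soapProxyUrn`` is consistent with the rest of the patch, but judging by its name this setting belongs to the SOAP transport, which the same file now flags as deprecated; say next to ``soapProxyUrn`` that it only applies to the SOAP proxy mode, so nobody configures it for a REST proxy and wonders why it has no effect.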
@ -15,8 +15,6 @@ This page shows some examples of LL::NG Command Line Interface. See
|
|||
Save/restore configuration
|
||||
--------------------------
|
||||
|
||||
This part requires LLNG 2.0.5 at least.
|
||||
|
||||
Save:
|
||||
|
||||
.. code-block:: sh
|
||||
|
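Review bot: deleting ``This part requires LLNG 2.0.5 at least.`` is only safe if the published 2.0 documentation branch keeps it, since this page is otherwise version-agnostic ("This page shows some examples of LL::NG Command Line Interface"); consider stating once at the top of the page which version the master documentation describes, rather than stripping every per-feature marker silently.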
@ -31,7 +29,7 @@ Restore:
|
|||
# Or
|
||||
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - <config.json
|
||||
|
||||
Rollback (restore previous configuration, *since 2.0.8*):
|
||||
Rollback (restore previous configuration):
|
||||
|
||||
.. code-block:: shell
|
||||
|
||||
|
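Review bot: the ``Rollback`` block uses ``.. code-block:: shell`` while the ``Save`` block earlier in this file uses ``.. code-block:: sh``; since this hunk already edits the rollback lead-in, use the same lexer name for both. The reworded lead-in ``Rollback (restore previous configuration):`` is fine.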
@ -287,15 +285,6 @@ these commands;
|
|||
|
||||
openssl req -new -newkey rsa:4096 -keyout saml.key -nodes -out saml.pem -x509 -days 3650
|
||||
|
||||
Fix the certificate key format (you can skip this step if you are
|
||||
running >= 2.0.6)
|
||||
|
||||
::
|
||||
|
||||
sed -e "s/END PRIVATE/END RSA PRIVATE/" \
|
||||
-e "s/BEGIN PRIVATE/BEGIN RSA PRIVATE/" \
|
||||
-i saml.key
|
||||
|
||||
Import them in configuration and activate the SAML issuer
|
||||
|
||||
::
|
||||
|
|
|
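Review bot: good to drop the ``sed`` "fix the certificate key format" step: it only renamed the PEM header from ``PRIVATE KEY`` to ``RSA PRIVATE KEY`` without converting the PKCS#8 body, so the result was never a real PKCS#1 file. Two things in the kept ``openssl req`` line still deserve a sentence: ``-nodes`` writes the SAML signing key to disk unencrypted, so remind readers to restrict the file's permissions, and ``-days 3650`` issues a ten-year self-signed certificate, which is a choice rather than a requirement. If a traditional-format key is ever needed again, ``openssl rsa -in saml.key -out saml.key`` (with ``-traditional`` on OpenSSL 3) does a proper conversion.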
@ -132,7 +132,7 @@ configuration.
|
|||
Manager API
|
||||
-----------
|
||||
|
||||
Since 2.0.8, a Manager API is available for:
|
||||
Manager API is available for:
|
||||
|
||||
- Second factors management for users
|
||||
- OpenID Connect RP management
|
||||
|
|
|
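Review bot: ``Manager API is available for:`` lost its article when ``Since 2.0.8,`` was removed; make it ``A Manager API is available for:``. Since this API manages users' second factors and OpenID Connect RPs, the section should also say how the endpoint is meant to be protected, as the refresh-session page touched by this patch does with "Protect it by webserver configuration".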
@ -50,20 +50,8 @@ You have to include them in Nginx main configuration.
|
|||
Debian/Ubuntu
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
- Install log format *(automatically loaded when linked in this place)*
|
||||
|
||||
::
|
||||
|
||||
ln -s /etc/lemonldap-ng/nginx-lmlog.conf /etc/nginx/conf.d/llng-lmlog.conf
|
||||
|
||||
- Install snippet for vhost configuration files:
|
||||
|
||||
::
|
||||
|
||||
ln -s /etc/lemonldap-ng/nginx-lua-headers.conf /etc/nginx/snippets/llng-lua-headers.conf
|
||||
|
||||
- Link LLNG components configuration file into ``sites-available``
|
||||
directory (should already have been done if you used packages):
|
||||
Link files into ``sites-available`` directory (should already have been
|
||||
done if you used packages):
|
||||
|
||||
::
|
||||
|
||||
|
|
|
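Review bot: the new lead-in ``Link files into sites-available directory`` is less precise than the line it replaces (``Link LLNG components configuration file into sites-available``); say which files are linked so the reader can verify the symlinks after running the commands that follow. The two preceding ``ln -s`` steps name their targets under ``/etc/nginx/conf.d`` and ``/etc/nginx/snippets``, and this third step should be as concrete.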
@ -95,16 +95,17 @@ Import Project and using Git
|
|||
git checkout master # go to master branch
|
||||
git remote add upstream https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng.git # to connect to remote branch
|
||||
git fetch upstream # import branch
|
||||
git checkout v2.0 # to change branch
|
||||
git checkout v2.1 # to change branch
|
||||
git fetch upstream
|
||||
|
||||
*import version branch* *on linux station :*
|
||||
|
||||
::
|
||||
|
||||
git checkout v2.0
|
||||
git fetch upstream
|
||||
git rebase upstream/v2.0 # to align to parent project remote branch
|
||||
git checkout v2.1
|
||||
git fetch upstream --all
|
||||
git rebase upstream/v2.1 # to align to parent project remote branch
|
||||
git push # to push to working remote branch
|
||||
|
||||
*on gitlab, create working branch, one per thematic* *on linux station
|
||||
:*
|
||||
|
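Review bot: ``git fetch upstream --all`` in the "import version branch" block will fail: ``--all`` fetches every remote and git refuses a remote name alongside it (``fetch --all does not take a repository argument``). Keep the plain ``git fetch upstream`` here, as the first block of the hunk still does. The v2.0 to v2.1 branch rename is otherwise consistent across the hunk.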
@ -116,9 +117,9 @@ Import Project and using Git
|
|||
git status
|
||||
git commit -am "explanations (#number gitlab ticket)"
|
||||
git commit --amend file(s) # to modify a commit
|
||||
git rebase v2.0 # align local working branch to local 2.0
|
||||
git rebase v2.1 # align local working branch to local 2.1
|
||||
git checkout -- file(s) # revert
|
||||
git push # to send on remote working branch ! Only after doing some commits !
|
||||
git push # to send on remote working branch
|
||||
|
||||
On gitlab, submit merge request when tests are corrects.
|
||||
|
||||
|
|
|
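Review bot: after ``git rebase v2.1`` the following plain ``git push`` will be rejected as non-fast-forward whenever the working branch was already pushed, which is what the removed ``! Only after doing some commits !`` warning was hinting at. Document ``git push --force-with-lease`` for the post-rebase case (not bare ``--force``, which can overwrite a colleague's commits on the same branch), and fix ``when tests are corrects`` to ``when tests pass`` in the last context line.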
@ -23,7 +23,7 @@ from a version older than 1.0
|
|||
Can't locate /usr/share/lemonldap-ng/configStorage.pl
|
||||
|
||||
→ When you upgrade from Debian Lenny with customized index.pl files, you
|
||||
must upgrade them.
|
||||
must upgrade them.
|
||||
|
||||
Lemonldap::NG::Handler
|
||||
----------------------
|
||||
|
|
|
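Review bot: the two ``must upgrade them.`` lines are identical as rendered, so this hunk is whitespace-only (confirm with ``git diff -w``); trivial whitespace fixes are easier to review in a separate commit than interleaved with the content hunks of a large documentation patch.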
@ -53,36 +53,13 @@ portal:
|
|||
attributes: it can contain boolean results or any string
|
||||
- macros can also be used to import environment variables *(these
|
||||
variables are in CGI format)*. Example: ``$ENV{HTTP_COOKIE}``
|
||||
- groups are stored as a string with values separated by ''; ''
|
||||
(default values separator) in the special attribute ``groups``: it
|
||||
contains the names of groups whose rules were returned true for the
|
||||
current user. For example:
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
$groups = group3; admin
|
||||
|
||||
- You can also get groups in ``$hGroups`` which is a Hash Reference of
|
||||
this form:
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
$hGroups = {
|
||||
'group3' => {
|
||||
'description' => [
|
||||
'Service 3',
|
||||
'Service 3 TEST'
|
||||
],
|
||||
'cn' => [
|
||||
'group3'
|
||||
],
|
||||
'name' => 'group3'
|
||||
},
|
||||
'admin' => {
|
||||
'name' => 'admin'
|
||||
}
|
||||
}
|
||||
|
||||
- You can check for group membership of a particular user with the
|
||||
``inGroup`` function, see examples below.
|
||||
- If you need more advanced processing of the group list (filtering,
|
||||
rewriting) you may use ``$groups``, a flat list of all the user's
|
||||
groups, separated by ''; '' (default values separator). Or the
|
||||
``$hGroups`` variable which is a perl hash whose keys are the group
|
||||
names.
|
||||
|
||||
Example for macros:
|
||||
|
||||
|
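Review bot: the replacement text says ``$hGroups`` is "a perl hash whose keys are the group names" but no longer shows what the values look like; the removed block was the only place documenting the ``name``, ``cn`` and ``description`` sub-keys that the ``'group3' => { ... }`` example exposed. Keep a shortened form of that example (one group with its ``name`` key is enough). Also, ``$groups = group3; admin`` is rendered as ``.. code-block:: perl`` but is not valid Perl; show it as the string it is (``$groups = 'group3; admin'``) or use a plain ``::`` block.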
@ -107,6 +84,42 @@ Defining a group for admins
|
|||
|
||||
Using groups in a rule
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
^/admin -> inGroup('admin')
|
||||
|
||||
# Advanced usage
|
||||
^/admin -> defined $hGroups->{'admin'}
|
||||
^/admin -> $groups =~ /\badmin\b/
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
Groups are computed after macros, so a group rule may involve a
|
||||
macro value.
|
||||
|
||||
.. warning::
|
||||
|
||||
Macros and groups are computed in alphanumeric order,
|
||||
that is, in the order they are displayed in the manager. For example,
|
||||
macro "macro1" will be computed before macro "macro2": so, expression of
|
||||
macro2 may involve value of macro1. As same for groups: a group rule may
|
||||
involve another, previously computed group.
|
||||
|
||||
# Use a boolean macro in a rule
|
||||
^/admin -> $isAdmin
|
||||
# Use a string macro in a HTTP header
|
||||
Display-Name -> $displayName
|
||||
|
||||
Defining a group for admins
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
# group
|
||||
admin -> $uid eq 'foo' or $uid eq 'bar'
|
||||
|
||||
Using groups in a rule
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
^/admin -> $groups =~ /\badmin\b/
|
||||
|
|
|
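Review bot: after this hunk the page has ``Using groups in a rule`` twice, once with ``inGroup('admin')`` and the advanced forms and again at the end with only ``$groups =~ /\badmin\b/``, with the note and warning sandwiched between them; keep the first block and drop the duplicate. On the regex itself: ``\b`` is a word boundary, so ``/\badmin\b/`` also matches a group named ``admin-readonly`` or ``admin.test`` because ``-`` and ``.`` are non-word characters. The new ``inGroup('admin')`` is the safe form, and if the regex variant is kept it should anchor on the ``; `` separator, e.g. ``/(?:^|; )admin(?:; |$)/``.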
@ -32,8 +32,8 @@ Inside this jail, you can access to:
|
|||
* unicode2iso_
|
||||
* iso2unicode_
|
||||
* groupMatch_
|
||||
* listMatch_ (|new| *since 2.0.7*)
|
||||
* inGroup_ (|new| *since 2.0.8*)
|
||||
* listMatch_
|
||||
* inGroup_
|
||||
* encrypt_
|
||||
* token_
|
||||
* isInNet6_
|
||||
|
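Review bot: the ``(|new| *since 2.0.7*)`` and ``(|new| *since 2.0.8*)`` markers are removed from ``listMatch_`` and ``inGroup_``, but only the ``|image0|`` and ``|image1|`` substitution definitions are deleted later in this file; check that no other ``|new|`` reference remains in the page (or that its definition is kept), otherwise Sphinx reports an undefined substitution.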
@ -243,8 +243,6 @@ Simple usage example:
|
|||
listMatch
|
||||
~~~~~~~~~
|
||||
|
||||
(|image0| since 2.0.7)
|
||||
|
||||
This function lets you test if a particular value can be found with a
|
||||
multi-valued session attribute.
|
||||
|
||||
|
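Review bot: with the ``(|image0| since 2.0.7)`` line gone, the listMatch description should read "can be found in a multi-valued session attribute" rather than "found with"; the example block that follows needs no change.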
@ -271,8 +269,6 @@ found.
|
|||
inGroup
|
||||
~~~~~~~
|
||||
|
||||
(|image1| since 2.0.8)
|
||||
|
||||
This function lets you test if the user is in a given group. It is
|
||||
case-insensitive.
|
||||
|
||||
|
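Review bot: dropping the version marker makes ``inGroup`` the plain recommendation, which is right, but "It is case-insensitive" should say what the comparison is case-insensitive against (the user's group names), so that readers understand ``inGroup('Admin')`` matches a group named ``admin`` and do not rely on case to separate two groups.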
@ -327,10 +323,8 @@ IP address is local*:
|
|||
varIsInUri
|
||||
~~~~~~~~~~
|
||||
|
||||
Function to check if a variable is in requested URI (Require LL::NG >=
|
||||
2.0.7).
|
||||
|
||||
Example *check if $uid is in /check-auth/ URI*:
|
||||
Function to check if a variable is in requested URI. Example *check if
|
||||
$uid is in /check-auth/ URI*:
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
|
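Review bot: merging the version-note removal with the example lead-in collapses two paragraphs into one (``Function to check if a variable is in requested URI. Example *check if $uid is in /check-auth/ URI*:``); keep the blank line between the description and the ``Example`` lead-in as the original had it, so the description stays a standalone sentence above the code block.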
@ -350,7 +344,3 @@ Example *check if $uid is in /check-auth/ URI*:
|
|||
https://test1.example.com/check-auth/rtyler/api -> false
|
||||
https://test1.example.com/check-auth/rtyler -> false
|
||||
|
||||
.. |image0| image:: /documentation/new.png
|
||||
:width: 35px
|
||||
.. |image1| image:: /documentation/new.png
|
||||
:width: 35px
|
||||
|
|
|
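Review bot: removing the ``|image0|`` and ``|image1|`` definitions matches the references deleted earlier in this file; run a Sphinx build with warnings enabled once to confirm no dangling substitution or stray ``new.png`` reference is left in the extended-functions page.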
@ -11,6 +11,16 @@ Handlers are build on rows of modules:
|
|||
- library types if needed *(may inherits from Main)*
|
||||
- Main: the main handler library
|
||||
|
||||
Since version 2.1, wrappers are autogenerated when undefined. Generated
|
||||
code is simply:
|
||||
|
||||
.. code:: perl
|
||||
|
||||
package Lemonldap::NG::Handler::Platform::Type;
|
||||
use base 'Lemonldap::NG::Handler::Lib::Type',
|
||||
'Lemonldap::NG::Handler::Platform::Main';
|
||||
1;
|
||||
|
||||
Overview of Handler packages
|
||||
----------------------------
|
||||
|
||||
|
|
|
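Review bot: the new handler wrapper example uses ``.. code:: perl`` whereas the rest of the documentation in this patch uses ``.. code-block:: perl``; use the same directive. Also fix the two context lines above it: ``Handlers are build on rows of modules`` should be ``built`` and ``may inherits from Main`` should be ``may inherit``. The generated package itself is fine: with ``use base`` the Lib type is listed first, so its methods take precedence over ``Platform::Main`` in method resolution.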
@ -6,4 +6,4 @@ Standard SSO protocols
|
|||
|
||||
samlservice
|
||||
openidconnectservice
|
||||
|
||||
|
||||
|
|
|
@ -95,8 +95,7 @@ Then, add the official LL::NG repository
|
|||
version
|
||||
- Use the ``testing`` repository to get packages from next major
|
||||
version
|
||||
- Use the ``2.0`` repository to avoid upgrade to next major version
|
||||
|
||||
- Use the ``2.1`` repository to avoid upgrade to next major version
|
||||
|
||||
|
||||
Finally update your APT cache:
|
||||
|
|
|
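Review bot: ``Use the 2.1 repository to avoid upgrade to next major version`` reads better as "to stay on the 2.1 branch and not be moved to the next major version"; the ``testing`` bullet above should likewise name the branch it follows, otherwise readers cannot tell which of the two repositories delivers the version this documentation describes.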
@ -94,7 +94,7 @@ Run this to update packages cache:
|
|||
|
||||
You must also install the EPEL repository for non-core
|
||||
dependencies. See :ref:`prerequisites and dependencies<prereq-yum>`
|
||||
chapter for more.
|
||||
chapter for more.
|
||||
|
||||
Manual download
|
||||
~~~~~~~~~~~~~~~
|
||||
|
|
|
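Review bot: the two ``chapter for more.`` lines are identical in the rendered diff, so this is a trailing-whitespace change; the surrounding context about the EPEL repository for non-core dependencies is unchanged and needs no further edit.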
@ -5,7 +5,7 @@ Each time you save a configuration, Manager launch a lot of tests:
|
|||
|
||||
- unit tests for each key: they are declared in
|
||||
Lemonldap::NG::Manager::Attributes *(source
|
||||
Lemonldap::NG::Manager::Build::Attributes)*
|
||||
Lemonldap::NG::Manager::Build::Attributes)*
|
||||
- more advanced tests declared in Lemonldap::NG::Manager::Conf::Tests
|
||||
|
||||
In some case *(conf overridden in INI file,...)*, you may have to ignore
|
||||
|
|
|
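Review bot: ``Lemonldap::NG::Manager::Build::Attributes)*`` appears unchanged, so this hunk is whitespace-only; while the paragraph is touched, ``Manager launch a lot of tests`` in the hunk header context should be ``launches``, and ``In some case`` in the last line should be ``In some cases``.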
@ -356,7 +356,7 @@ Available options:
|
|||
|
||||
- **Server**: Enable/Disable notification server
|
||||
- **Default condition**: Condition appended to ALL notifications
|
||||
inserted by notification server (JSON format only)
|
||||
inserted by notification server
|
||||
- **Notification parameters to send**: Notifications parameters
|
||||
returned by ``GET`` method
|
||||
- **HTTP methods**: Enable/Disable HTTP methods
|
||||
|
|
|
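Review bot: dropping ``(JSON format only)`` from the ``Default condition`` bullet now claims the condition is appended to every notification the server inserts, whatever its format; if the server still accepts a non-JSON format, confirm that the default condition is applied to it too, otherwise a notification posted in that format bypasses a condition the page documents as applying to ALL notifications.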
@ -111,17 +111,10 @@ Create for example the MyPlugin module:
|
|||
Configuration
|
||||
~~~~~~~~~~~~~
|
||||
|
||||
Declare the plugin in lemonldap-ng.ini:
|
||||
Declare the plugin in Manager, in General Parameters > Plugins > Custom
|
||||
Plugins.
|
||||
|
||||
::
|
||||
|
||||
vi /etc/lemonldap-ng/lemonldap-ng.ini
|
||||
|
||||
.. code-block:: perl
|
||||
|
||||
[portal]
|
||||
customPlugins = Lemonldap::NG::Portal::MyPlugin
|
||||
;customPlugins = Lemonldap::NG::Portal::MyPlugin1, Lemonldap::NG::Portal::MyPlugin2, ...
|
||||
|
||||
Since 2.0.7, it can also be configured in Manager, in General Parameters
|
||||
> Plugins > Custom Plugins.
|
||||
- Modules list: for example
|
||||
``Lemonldap::NG::Portal::MyPlugin1, Lemonldap::NG::Portal::MyPlugin2``
|
||||
- Additional parameters: parameters that will be available in
|
||||
``customPluginsParams`` configuration key
|
||||
|
|
|
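Review bot: the ``lemonldap-ng.ini`` ``customPlugins`` example is removed in favour of the Manager setting, but the Manager tests page touched by this patch reminds us that keys can be "overridden in INI file"; state whether ``customPlugins`` under ``[portal]`` in the INI still takes precedence over the Manager value, because a forgotten INI entry that keeps loading an old module is exactly the override an operator needs to know about.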
@ -334,11 +334,6 @@ General
|
|||
Password Policy
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
|
||||
.. tip::
|
||||
|
||||
Available since version 2.0.6
|
||||
|
||||
- **Minimal size**: leave 0 to bypass the check
|
||||
- **Minimal lower characters**: leave 0 to bypass the check
|
||||
- **Minimal upper characters**: leave 0 to bypass the check
|
||||
|
|
|
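Review bot: with the ``Available since version 2.0.6`` tip gone, the section opens directly on ``Minimal size: leave 0 to bypass the check``; since 0 disables each check, say explicitly that no password policy is enforced until at least ``Minimal size`` is set to a nonzero value, so a reader does not assume a default minimum exists.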
@ -65,8 +65,8 @@ Core
|
|||
- Regexp::Common
|
||||
- SOAP::Lite *(optional)*
|
||||
- String::Random
|
||||
- Text::Unidecode *(Since LemonLDAP::NG 2.0.5)*
|
||||
- Unicode::String
|
||||
- Text::Unidecode
|
||||
- URI
|
||||
- URI::Escape
|
||||
|
||||
|
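Review bot: ``SOAP::Lite *(optional)*`` disappears from the Core dependency list, yet the new ``upgrade_2_1.rst`` in this patch says 2.1.x still supports SOAP services; keep SOAP::Lite listed as optional (or under a SOAP-specific subsection) until the support is actually removed, otherwise packagers will drop the dependency one release too early.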
@ -135,11 +135,11 @@ SMTP & Reset password/certificate by mail
|
|||
Unit tests
|
||||
~~~~~~~~~~
|
||||
|
||||
- Authen::U2F::Tester
|
||||
- Crypt::U2F::Server
|
||||
- Test::MockObject
|
||||
- Test::Output
|
||||
- Test::POD
|
||||
- Test::MockObject
|
||||
- Crypt::U2F::Server
|
||||
- Authen::U2F::Tester
|
||||
- Test::Output
|
||||
- Time::Fake
|
||||
- YAML
|
||||
|
||||
|
|
|
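Review bot: the alphabetical reorder is fine, but ``Test::POD`` should be ``Test::Pod``, which is the module's CPAN name; ``Authen::U2F::Tester``, ``Crypt::U2F::Server``, ``Test::MockObject``, ``Test::Output``, ``Time::Fake`` and ``YAML`` are spelled correctly.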
@ -5,8 +5,6 @@ This plugin appends an endpoint to refresh sessions by user. It provides
|
|||
``https://portal/refreshsession`` endpoint. Protect it by webserver
|
||||
configuration.
|
||||
|
||||
This plugin is available with LLNG ≥ 2.0.7.
|
||||
|
||||
Usage
|
||||
-----
|
||||
|
||||
|
|
|
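Review bot: removing the ``available with LLNG ≥ 2.0.7`` sentence leaves ``Protect it by webserver configuration`` as the only guidance for an endpoint that refreshes sessions by user; give a concrete restriction (an ``allow``/``deny`` block in Nginx or ``Require ip`` in Apache limited to the hosts that legitimately call it) so ``/refreshsession`` is not left reachable by every client of the portal.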
@ -33,10 +33,6 @@ attribute you see there can be used in a rule!
|
|||
|
||||
$groups =~ /\b(?:admins|su)\b/ # admins OR su
|
||||
$groups =~ /\badmin_[1-3a]\b/ # admin_1 OR admin_2 OR admin_3 OR admin_a
|
||||
|
||||
defined $hGroups{'administrators'}
|
||||
|
||||
# 2.0.8 and higher only
|
||||
inGroup('administrators')
|
||||
|
||||
- Combining multiple expressions
|
||||
|
|
|
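Review bot: with ``# 2.0.8 and higher only`` gone, ``inGroup('administrators')`` becomes the plain recommendation, which is good; but the line above it, ``defined $hGroups{'administrators'}``, is wrong. ``$hGroups`` is documented elsewhere in this patch as a hash reference, so the lookup must be ``defined $hGroups->{'administrators'}`` as the groups page writes it; ``$hGroups{...}`` addresses a different, undeclared ``%hGroups`` and is always false (or a compile error under ``strict``), which silently denies access.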
@ -1,2 +1,4 @@
|
|||
.. include:: upgrade_2_1_x.rst
|
||||
.. include:: upgrade_2_1.rst
|
||||
.. include:: upgrade_2_0_x.rst
|
||||
.. include:: upgrade_2_0.rst
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
Upgrade from 2.0 to 2.1
|
||||
=======================
|
||||
|
||||
SOAP deprecation
|
||||
----------------
|
||||
|
||||
LLNG 2.1.x will be the last major version supporting SOAP services.
|
||||
Please start migration to :doc:`REST services<restservices>` *(available
|
||||
since 2.0.0)*.
|
|
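Review bot: the new ``Upgrade from 2.0 to 2.1`` page lists only the SOAP deprecation, yet this same patch removes the documented ``customPlugins`` INI setting in favour of Manager configuration and drops a number of 2.0.x version markers; an upgrade note on where custom plugins are now declared would save administrators a search. Also ``LLNG 2.1.x will be the last major version supporting SOAP services`` is firmer than the ``may be removed in LLNG 3.0`` wording added to the proxy page; align the two.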
@ -0,0 +1,10 @@
|
|||
Upgrade from 2.1.x to 2.1.y
|
||||
===========================
|
||||
|
||||
Update from one minor version to another does not require any particular
|
||||
action. Please apply general caution as you would with any software:
|
||||
have backups and a rollback plan ready!
|
||||
|
||||
Do not forget to read the release notes of the version you are about to
|
||||
install for any specific instructions.
|
||||
|
|
@ -132,12 +132,11 @@ There are three ways to impose users a higher authentication level:
|
|||
|
||||
- writing a rule based on authentication level:
|
||||
``$authenticationLevel > 3``
|
||||
- since 2.0, set a minimum level in virtual host options (default value
|
||||
for ALL access rules)
|
||||
- since 2.0.7, a minimum authentication level can be set for each URI
|
||||
access rule. Useful if URI are protected by different types of
|
||||
handler (AuthBasic -> level 2, Main -> level set by authentication
|
||||
backend).
|
||||
- set a minimum level in virtual host options (default value for ALL
|
||||
access rules)
|
||||
- a minimum authentication level can be set for each URI access rule.
|
||||
Useful if URI are protected by different types of handler (AuthBasic
|
||||
-> level 2, Main -> level set by authentication backend).
|
||||
|
||||
|
||||
.. tip::
|
||||
|
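Review bot: the three bullets now read as peers, which is fine, but the header context ``impose users a higher authentication level`` should be ``impose a higher authentication level on users``, and the tip context ``explain that a higher level is required ... reauthenticate himself`` should be ``explains ... to reauthenticate``. Consider ordering the bullets from broadest to narrowest (virtual host option, per-URI level, then the ``$authenticationLevel > 3`` rule), since the rule is the escape hatch rather than the first choice.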
@ -146,6 +145,24 @@ There are three ways to impose users a higher authentication level:
|
|||
to a form that explain that a higher level is required and propose to
|
||||
reauthenticate himself.
|
||||
|
||||
Using regexp capture in rules
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If URL regexp captures something *(using parenthesis)*, you can use them
|
||||
in the corresponding rule using ``$_rulematch[1]``. Example: only user
|
||||
can access to its personal area:
|
||||
|
||||
- Regexp: ``/^public_html/(\w+)(/.*)?$``
|
||||
- Rule: ``$uid eq $_rulematch[1]``
|
||||
|
||||
$_rulematch is an array that contains all captured strings. First index
|
||||
is 1.
|
||||
|
||||
|
||||
.. warning::
|
||||
|
||||
This feature requires Perl ≥ 5.25.7
|
||||
|
||||
.. _headers:
|
||||
|
||||
Headers
|
||||
|
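Review bot: the example regexp ``/^public_html/(\w+)(/.*)?$`` cannot match an LL::NG URI, which begins with ``/``: either the leading ``/`` is a Perl delimiter (and then ``/(\w+)(/.*)?$`` would be read as flags) or ``^public_html`` is anchored before the leading slash; write it as ``^/public_html/(\w+)(/.*)?$``. In the sentence "$_rulematch is an array", write the array as ``@_rulematch`` or put ``$_rulematch[1]`` in a literal, and reword "only user can access to its personal area" to "a user can only access their own area". Keep the Perl ≥ 5.25.7 warning: that is the release in which Perl gained ``@{^CAPTURE}``, which is the natural way to expose all captures to a rule.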
@ -209,8 +226,8 @@ headers:
|
|||
Wildcards in hostnames
|
||||
----------------------
|
||||
|
||||
|image1| Since 2.0, a wildcard can be used in virtualhost name (not in
|
||||
aliases !): ``*.example.com`` matches all hostnames that belong to
|
||||
Since 2.0, a wildcard can be used in virtualhost name (not in aliases
|
||||
!): ``*.example.com`` matches all hostnames that belong to
|
||||
``example.com`` domain. Version 2.0.9 improves this and allows better
|
||||
wildcards such as ``test-*.example.com`` or ``test-%.example.com``. The
|
||||
``%`` wilcard doesn't match subdomains.
|
||||
|
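Review bot: ``|image1|`` is removed from ``Wildcards in hostnames`` but the ``Since 2.0`` marker is kept here while every other version marker in this patch is dropped; treat it the same way. Fix ``wilcard`` to ``wildcard`` in the last line. Worth adding a caution: a ``*.example.com`` virtual host applies its rules to every hostname under the domain, including ones created later, while ``test-%.example.com`` does not match subdomains, so the narrower ``%`` form is the safer choice when only one label varies.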