Merge branch 'v2.0'

Xavier 2019-09-24 21:03:55 +02:00
commit cc79680b89
121 changed files with 2986 additions and 1182 deletions


@ -124,7 +124,7 @@ foreach ( sort keys %$headers ) {
print "</tbody></table>\n";
print "</div><p></p>\n";
print
"<div class=\"alert alert-warning\">Note that LemonLDAP::NG cookie is hidden. So that application developpers can not spoof sessions.</div>\n";
"<div class=\"alert alert-warning\">Note that LemonLDAP::NG cookie is hidden. So that application developers can not spoof sessions.</div>\n";
print
"<div class=\"alert alert-info\">You can access to any information (IP address or LDAP attribute) by customizing exported headers with the <a href=\"$manager_url\">LemonLDAP::NG Management interface</a>.</div>\n";
print "</div>\n";
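Review bot: the replaced line only corrects the spelling of "developers"; while this string is being touched, the two fragments "Note that LemonLDAP::NG cookie is hidden. So that application developers can not spoof sessions." read better as one sentence, e.g. "Note that the LemonLDAP::NG cookie is hidden so that application developers cannot spoof sessions." The unchanged line just below interpolates $manager_url directly into an href attribute; that is acceptable if the value only ever comes from trusted configuration, but a short comment stating that assumption (or HTML-escaping the value) would make it explicit to the next reader.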


@ -1,3 +1,91 @@
lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs:
* #1834: Use base64 URL for JWT generation
* #1838: Return claims from scope values in ID token if no access token requested
* #1852: SAML request lost after notification
* #1853: Adding a second notification with same reference is not refused
* #1856: Unable to validate more than one notification (JSON format)
* #1857: Message "session is expired" if a notification is refused
* #1861: Persistent data and notification validation
* #1863: Duplicate Set-Cookie header when sending lemonldappdata and lemonldap cookies
* #1864: incorrect loading of SAML metadata when entityID containts html-encoded characters
* #1865: Dependencies missing in RPM
* #1866: Skin parameter is lost in second factor choice
* #1867: Bad error template with Combination and OTT timeout
* #1868: Yubikey enrolment failed on Internet Explorer
* #1869: [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
* #1874: OTT not regenerated after submitting TOTP form with an expired OTT
* #1875: Variables from Users module DBI is not used when Authentication module is LDAP (chain: [LDAP,DBI]
* #1876: $_ no longer works in macros, rules and headers since 2.0
* #1878: Pdata cookie not cleared after cross domain Auth request
* #1880: [Security:low] Restricted users can edit conf by using default route
* #1881: [Security:high] oidc authorization codes are not tied to their RP
* #1883: Infinite loop when displaying sessions by IP address
* #1889: No changes detected by Manager when removing CAS/OIDC attributes from a CAS application / OIDC RP or provider
* #1890: LinkedIn v1 API is not available anymore
* #1891: GET parameter "cancel" with Choice and CAS authentication
* #1897: Emails are sometimes sent in the wrong language
* #1898: Handler SecureToken is not working anymore
* #1901: Handler error if a header definition is empty
* #1903: Mail password reset and Combination with LDAP does not work
* #1906: Missing MAIN_LOGO variable in redirect.tpl
* #1910: Issue with "force password change on next login" feature with LDAP
* #1915: Skin selected by rule is lost in 2FA process
* #1922: Accentuated UTF-8 value of header is UTF-8 encoded again by handler
* #1925: AuthBasic handler does not work with AuthChoice
* #1933: [Security:low] nginx portal example file does not filter REST urls
* #1935: [Security:medium] AuthSlave does not check credential headers
* New features:
* #993: Define a local password policy
* #1783: ContextSwitching plugin
* #1843: OAuth2 introspection endpoint
* #1847: Radius 2F module
* #1860: Multiple instances of 2F modules
* Improvements:
* #1619: Support IBM Tivoli Directory Server (ITDS)
* #1702: Improve log generated by lemonldap
* #1825: Possibility to disable persistent sessions
* #1829: Redirection lost between SSL/Ajax and SAML
* #1831: Warning in lemonldap-ng-cli
* #1832: Add save/restore in CLI help message and control restore parameters
* #1833: Show cli errors on file access
* #1835: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
* #1842: Merge userLogger notice with logger debug
* #1844: CheckUser plugin does not compute real session attributes if Impersonation is enabled
* #1846: Adapt response_types_supported / grant_types_supported attributes in OpenID Connect metadata depending on configured flows
* #1849: CDA is not compatible with Handler::PSGI::Try
* #1850: No "Session granted" log if grantSession plugin not enabled
* #1851: Append notification REST services
* #1862: When displaying notifications, sort them by date and references
* #1870: REST Api endpoint "error"
* #1873: Labels for 2FA choices
* #1879: [security:low] Access token expiration time is not enforced on userinfo or OAuth handler
* #1882: Confusing default OIDC issuer setting
* #1884: Force Upgrade tokens to be stored into global storage if auth and authssl are served by different load balancers
* #1885: Append an option to log an extra parameter
* #1888: Javascript error on textContent method with .Net framework and WPF
* #1896: Add _session_kind to default SOAP/REST exported attributes
* #1899: Fix portal and manager display for Internet Explorer
* #1904: Append an option "don t compact conf" + debug log + compact CAS parameters if not enabled
* #1908: Complete blackout probably due to uncontroled SQL connexion timeout
* #1913: Append an option to allow / forbid browsers to store users password
* #1916: Issuer OTT timeout
* #1919: Customizable error message when a required SAML attribute is missing
* #1923: REST ression server is too intolerant of clock drift
* #1927: Implement CORS preflight request
* #1928: Option to hide password generation checkbox in mail password reset plugin
* #1929: Custom functions are not imported into Safe Jail
* #1930: Display password change form after a password policy error in mail reset password plugin
* #1931: Disable password input field until font is fully downloaded by browser
* #1932: REST session server should return both session and _httpSession id
* #1936: Append an option to display Slave logo
* #1938: CheckUser plugin : include search parameters
-- Clément <clem.oudot@gmail.com> Tue, 24 Sep 2019 11:13:39 +0200
lemonldap-ng (2.0.5) stable; urgency=medium
* Bugs:
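Review bot: several of the added changelog lines carry typos that will ship in the released file: "containts" (#1864), "uncontroled SQL connexion" (#1908), "ression server" (#1923), "don t compact conf" (#1904), and #1875 is missing its closing parenthesis after "[LDAP,DBI]". The security tags are also inconsistently cased ("[security:low]" on #1879 versus "[Security:low]" elsewhere); those tags are what downstream packagers and security teams grep for, so a consistent form is worth a second pass before tagging the release.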

debian/changelog vendored

@ -1,3 +1,10 @@
lemonldap-ng (2.0.6-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Tue, 24 Sep 2019 14:00:00 +0100
lemonldap-ng (2.0.5-1) unstable; urgency=medium
* New release. See changes on our website:
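Review bot: the timestamp of the new entry is "Tue, 24 Sep 2019 14:00:00 +0100", while the upstream changelog entry for the same release in this commit is signed with +0200 (CEST); the offset looks wrong and dpkg-parsechangelog takes it literally. The entry also says "See changes on our website" but links the GitLab repository rather than a release-notes page; either the wording or the URL should be adjusted so the two agree.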

debian/control vendored

@ -5,53 +5,53 @@ Section: perl
Priority: optional
Build-Depends: debhelper (>= 10),
po-debconf
Build-Depends-Indep: libapache-session-perl,
libauthen-oath-perl,
libcache-cache-perl,
libclone-perl,
libconfig-inifiles-perl,
libconvert-base32-perl,
libconvert-pem-perl,
libcrypt-openssl-rsa-perl,
libcrypt-openssl-x509-perl,
libcrypt-urandom-perl,
libcrypt-rijndael-perl,
libdatetime-format-rfc3339-perl,
libdbd-sqlite3-perl,
libdbi-perl,
libdigest-hmac-perl,
libemail-sender-perl,
libgd-securityimage-perl,
libglib-perl,
libgssapi-perl,
libhtml-template-perl,
libimage-magick-perl,
libio-string-perl,
libipc-run-perl,
libjson-perl,
liblasso-perl,
libmime-tools-perl,
libmouse-perl,
libnet-cidr-lite-perl,
libnet-ldap-perl,
libnet-openid-consumer-perl,
libnet-openid-server-perl,
libplack-perl,
libregexp-assemble-perl,
libregexp-common-perl,
libsoap-lite-perl,
libstring-random-perl,
libtest-mockobject-perl,
libtest-pod-perl,
libtext-unidecode-perl,
libunicode-string-perl,
liburi-perl,
libwww-perl,
libxml-libxml-perl,
libxml-libxslt-perl,
libxml-simple-perl,
Build-Depends-Indep: libapache-session-perl <!nocheck>,
libauthen-oath-perl <!nocheck>,
libcache-cache-perl <!nocheck>,
libclone-perl <!nocheck>,
libconfig-inifiles-perl <!nocheck>,
libconvert-base32-perl <!nocheck>,
libconvert-pem-perl <!nocheck>,
libcrypt-openssl-rsa-perl <!nocheck>,
libcrypt-openssl-x509-perl <!nocheck>,
libcrypt-urandom-perl <!nocheck>,
libcrypt-rijndael-perl <!nocheck>,
libdatetime-format-rfc3339-perl <!nocheck>,
libdbd-sqlite3-perl <!nocheck>,
libdbi-perl <!nocheck>,
libdigest-hmac-perl <!nocheck>,
libemail-sender-perl <!nocheck>,
libgd-securityimage-perl <!nocheck>,
libglib-perl <!nocheck>,
libgssapi-perl <!nocheck>,
libhtml-template-perl <!nocheck>,
libimage-magick-perl <!nocheck>,
libio-string-perl <!nocheck>,
libipc-run-perl <!nocheck>,
libjson-perl <!nocheck>,
liblasso-perl <!nocheck>,
libmime-tools-perl <!nocheck>,
libmouse-perl <!nocheck>,
libnet-cidr-lite-perl <!nocheck>,
libnet-ldap-perl <!nocheck>,
libnet-openid-consumer-perl <!nocheck>,
libnet-openid-server-perl <!nocheck>,
libplack-perl <!nocheck>,
libregexp-assemble-perl <!nocheck>,
libregexp-common-perl <!nocheck>,
libsoap-lite-perl <!nocheck>,
libstring-random-perl <!nocheck>,
libtest-mockobject-perl <!nocheck>,
libtest-pod-perl <!nocheck>,
libtext-unidecode-perl <!nocheck>,
libunicode-string-perl <!nocheck>,
liburi-perl <!nocheck>,
libwww-perl <!nocheck>,
libxml-libxml-perl <!nocheck>,
libxml-libxslt-perl <!nocheck>,
libxml-simple-perl <!nocheck>,
perl
Standards-Version: 4.3.0
Standards-Version: 4.4.0
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
Homepage: https://lemonldap-ng.org/
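Review bot: every Build-Depends-Indep entry is now marked <!nocheck>, so a build with the nocheck profile will have none of these Perl modules installed; that is only correct if they are used by the test suite alone. Worth confirming that nothing in the build itself (Makefile.PL checks, documentation or manpage generation) needs any of them, otherwise such a build either fails or silently produces a different package. The Standards-Version bump from 4.3.0 to 4.4.0 should also be recorded in debian/changelog with a note on whether any policy change required action; the changelog hunk above only says "New release".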
@ -101,6 +101,7 @@ Description: Lemonldap::NG Web-SSO system documentation
Package: lemonldap-ng-fastcgi-server
Architecture: all
Section: web
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends},
${perl:Depends},
lsb-base,
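Review bot: adding Pre-Depends: ${misc:Pre-Depends} to lemonldap-ng-fastcgi-server is the expected pattern when debhelper's service helpers fill that substvar (init-system-helpers); confirm that this package is the one shipping the service unit or init script so the substvar is actually populated, and check whether any other package in this control file that installs a service needs the same line.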
@ -280,7 +281,8 @@ Recommends: libcrypt-openssl-bignum-perl,
libmime-tools-perl,
libnet-ldap-perl,
libunicode-string-perl
Suggests: libcrypt-u2f-server-perl,
Suggests: gpg,
libcrypt-u2f-server-perl,
libdatetime-format-rfc3339-perl,
libdbi-perl,
libglib-perl,
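Review bot: gpg is added to Suggests without any explanation in the packaging changelog, which only says "New release"; a one-line note naming the feature that uses it would help administrators decide whether to install it.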


@ -0,0 +1,285 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<title>authchoice_with_slave_and_secured_cookie_gt:double_cookies_for_a_single_session [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="/lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="/lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<link type="text/css" rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootswatch/3.3.4/flatly/bootstrap.min.css" />
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,follow"/>
<meta name="keywords" content="authchoice_with_slave_and_secured_cookie_gt,double_cookies_for_a_single_session"/>
<link rel="search" type="application/opensearchdescription+xml" href="/lib/exe/opensearch.php" title="LemonLDAP::NG"/>
<link rel="start" href="/"/>
<link rel="contents" href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=index" title="Sitemap"/>
<link rel="alternate" type="application/rss+xml" title="Recent changes" href="/feed.php"/>
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=authchoice_with_slave_and_secured_cookie_gt"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='authchoice_with_slave_and_secured_cookie_gt';var JSINFO = {"id":"authchoice_with_slave_and_secured_cookie_gt:double_cookies_for_a_single_session","namespace":"authchoice_with_slave_and_secured_cookie_gt"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
</style>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script type="text/javascript" src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script type="text/javascript" src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
</head>
<body class="flatly page-on-panel">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__site" class="container">
<div id="dokuwiki__top" class="site dokuwiki mode_show tpl_bootstrap3 notFound hasSidebar">
<!-- header -->
<div id="dokuwiki__header">
<nav class="navbar navbar-default" role="navigation">
<div class="container-fluid">
<div class="navbar-header">
<button class="navbar-toggle" type="button" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/start" accesskey="h" title="[H]" class="navbar-brand"><img src="/_media/wiki/logo.png" alt="LemonLDAP::NG" class="pull-left" id="dw__logo" width="20" height="20" /> <span id="dw__title" >LemonLDAP::NG</span></a>
</div>
<div class="collapse navbar-collapse">
<ul class="nav navbar-nav" id="dw__navbar">
<!-- <li>
<a href="/start" ><i class="glyphicon glyphicon-home"></i> Home</a></li> -->
<li>
<a href="/download" ><i class="glyphicon glyphicon-download"></i> Download</a></li>
<li>
<a href="/documentation" ><i class="glyphicon glyphicon-book"></i> Documentation</a></li>
<li>
<a href="/screenshots" ><i class="glyphicon glyphicon-picture"></i> Screenshots</a></li>
<li class="dropdown ">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-question-sign"></span> Contact <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="/contact" ><i class="glyphicon glyphicon-envelope"></i> Mails, IRC and more</a></li>
<li><a href="/team" ><i class="glyphicon glyphicon-user"></i> The team</a></li>
<li><a href="/professionalservices" ><i class="glyphicon glyphicon-briefcase"></i> Professional Services</a></li>
<li><a href="/references" ><i class="glyphicon glyphicon-sunglasses"></i> References</a></li>
<li><a href="/sponsors" ><i class="glyphicon glyphicon-piggy-bank"></i> Sponsors</a></li>
</ul>
</li>
</ul>
<div class="navbar-right">
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
</div>
</div>
</nav>
</div>
<!-- /header -->
<div id="dw__breadcrumbs">
<hr/>
<div class="breadcrumb"><span class="bchead">You are here: </span><span class="home"><bdi><a href="/start" class="wikilink1" title="start">start</a></bdi></span> » <bdi><a href="/authchoice_with_slave_and_secured_cookie_gt/start" class="wikilink2" title="authchoice_with_slave_and_secured_cookie_gt:start" rel="nofollow">authchoice_with_slave_and_secured_cookie_gt</a></bdi> » <bdi><span class="curid"><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session" class="wikilink2" title="authchoice_with_slave_and_secured_cookie_gt:double_cookies_for_a_single_session" rel="nofollow">double_cookies_for_a_single_session</a></span></bdi></div>
<hr/>
</div>
<p class="pageId text-right">
<span class="label label-default">authchoice_with_slave_and_secured_cookie_gt:double_cookies_for_a_single_session</span>
</p>
<div id="dw__msgarea">
</div>
<main class="main row" role="main">
<!-- ********** CONTENT ********** -->
<article id="dokuwiki__content" class="col-sm-9 col-md-10 " >
<div class="panel panel-default" >
<div class="page group panel-body">
<div class="pull-right hidden-print" data-spy="affix" data-offset-top="150" style="z-index:1024; top:10px; right:10px;">
</div>
<!-- wikipage start -->
<h1 class="sectionedit1" id="this_topic_does_not_exist_yet">This topic does not exist yet</h1>
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
<!-- wikipage stop -->
</div>
</div>
</article>
<!-- ********** ASIDE ********** -->
<aside id="dokuwiki__aside" class="dw__sidebar col-sm-3 col-md-2 hidden-print">
<div class="content">
<div class="toogle hidden-lg hidden-md hidden-sm" data-toggle="collapse" data-target="#dokuwiki__aside .collapse">
<i class="glyphicon glyphicon-th-list"></i> Sidebar </div>
<div class="collapse in">
<p>
<div class="text-center">
</p>
<h3 class="sectionedit1" id="social_networks">Social networks</h3>
<div class="level3">
<p>
<p><a href="https://twitter.com/lemonldapng/" class="btn btn-large btn-info"><i class="glyphicon glyphicon-retweet"></i> Twitter</a></p>
<p><a href="https://www.facebook.com/lemonldapng/" class="btn btn-large btn-primary"><i class="glyphicon glyphicon-thumbs-up"></i> Facebook</a></p>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT1 SECTION "Social networks" [41-433] -->
<h3 class="sectionedit2" id="hosted_by">Hosted by</h3>
<div class="level3">
<p>
<a href="http://www.ow2.org" class="media" title="http://www.ow2.org" rel="nofollow"><img src="/_media/logos/ow2.png?w=150&amp;tok=b7af43" class="mediacenter" alt="" width="150" /></a>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT2 SECTION "Hosted by" [434-568] -->
<h3 class="sectionedit3" id="certifications">Certifications</h3>
<div class="level3">
<p>
<a href="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" class="media" title="https://partenaires.franceconnect.gouv.fr/references#LogicielslibresFranceConnectables" rel="nofollow"><img src="/_media/applications/franceconnect_logo.png" class="mediacenter" alt="" /></a>
<strong>France Connect</strong>
</p>
<p>
<a href="https://fusioniam.org" class="media" title="https://fusioniam.org" rel="nofollow"><img src="/_media/logos/fusioniam_logo_icon_dragon_circle.png" class="mediacenter" alt="" /></a>
<strong>FusionIAM projet member</strong>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
</div>
<!-- EDIT3 SECTION "Certifications" [569-928] -->
<h3 class="sectionedit4" id="awards">Awards</h3>
<div class="level3">
<p>
<a href="/_detail/logos/ow2_awards.png?id=default_sidebar" class="media" title="logos:ow2_awards.png"><img src="/_media/logos/ow2_awards.png?w=150&amp;tok=b33854" class="mediacenter" alt="" width="150" /></a>
</p>
<p>
<a href="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" class="urlextern" title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&amp;event=OW2con14" rel="nofollow">OW2con&#039;14 Community Award</a>
</p>
<p>
<a href="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" class="urlextern" title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&amp;event=OW2con18" rel="nofollow">OW2con&#039;18 Community Award</a>
</p>
<p>
</div>
</p>
<hr />
<p>
<div class="text-center">
</p>
<p>
<script type="text/javascript" src="http://www.openhub.net/p/12421/widgets/project_users.js?style=blue"></script>
</div>
</p>
<script type='text/javascript'>
var ab_h = '321e562442494652658acbc3fd84ec80';
var ab_s = '6ca5df30810665e075f684a87e742175';
</script>
<script type='text/javascript' src='http://cdn1.adbard.net/js/ab1.js'></script>
</div>
<!-- EDIT4 SECTION "Awards" [929-] --> </div>
</div>
</aside>
</main>
<footer id="dokuwiki__footer" class="small hidden-print">
<a href="javascript:void(0)" class="back-to-top hidden-print btn btn-default btn-sm" title="skip to content>" id="back-to-top"><i class="glyphicon glyphicon-chevron-up"></i></a>
<div class="text-center">
<p id="dw__license">
<div class="license">Except where otherwise noted, content on this wiki is licensed under the following license: <bdi><a href="http://creativecommons.org/licenses/by-nc-sa/3.0/" rel="license" class="urlextern">CC Attribution-Noncommercial-Share Alike 3.0 Unported</a></bdi></div> </p>
</div>
</footer>
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1569271173" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
<span class="visible-md"></span>
<span class="visible-lg"></span>
</div>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>
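Review bot: this new 285-line file is a DokuWiki "This topic does not exist yet" page (the top-level div carries the notFound class and the only content is the "You've followed a link to a topic that doesn't exist yet" message), so it looks like the output of a site crawl that followed a dangling link to authchoice_with_slave_and_secured_cookie_gt:double_cookies_for_a_single_session rather than real documentation; it should be dropped from the commit and the dangling link fixed at its source. If captured pages like this are ever kept, the embedded third-party content needs stripping first: the adbard script loaded from http://cdn1.adbard.net/js/ab1.js together with its ab_h/ab_s identifiers, the openhub widget from http://www.openhub.net, both over plain HTTP, the login link carrying a sectok value, the stylesheet pulled from maxcdn.bootstrapcdn.com, and the indexer.php tracking pixel, none of which belong in documentation shipped inside a package.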


@ -56,11 +56,11 @@
To use Active Directory as LDAP backend, you must change few things in the manager :
</p>
<ul>
<li class="level1"><div class="li"> Use “Active Directory” as authentication, userDB and passwordDBbackends,</div>
<li class="level1"><div class="li"> Use &quot;Active Directory&quot; as authentication, userDB and passwordDBbackends,</div>
</li>
<li class="level1"><div class="li"> Export sAMAccountName in a variable declared in <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a></div>
</li>
<li class="level1"><div class="li"> Change the user attribute to store in Apache logs <em>(“General Parameters » Logs » REMOTE_USER”)</em>: use the variable declared above</div>
<li class="level1"><div class="li"> Change the user attribute to store in Apache logs <em>(&quot;General Parameters » Logs » REMOTE_USER&quot;)</em>: use the variable declared above</div>
</li>
</ul>
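Review bot: the two changed lines only swap the typographic quotes for &quot;, which is harmless; since these lines are rewritten anyway, the first item's "passwordDBbackends" needs a space ("passwordDB backends"), and the context sentence "you must change few things in the manager" should read "a few things".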
@ -69,7 +69,7 @@ To use Active Directory as LDAP backend, you must change few things in the manag
<h2 class="sectionedit3" id="authentication_with_kerberos">Authentication with Kerberos</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Choose “Apache” as authentication module <em>(“General Parameters » Authentication modules » Authentication module”)</em></div>
<li class="level1"><div class="li"> Choose &quot;Apache&quot; as authentication module <em>(&quot;General Parameters » Authentication modules » Authentication module&quot;)</em></div>
</li>
<li class="level1"><div class="li"> <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Configure the Apache server</a> that host the portal to use the Apache Kerberos authentication module</div>
</li>
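Review bot: same quote replacement as the previous hunk; the context line "Configure the Apache server that host the portal" should read "that hosts the portal" if this file is being edited anyway.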


@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,applications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="applications.html"/>
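Review bot: switching the robots meta from index,follow to noindex,nofollow is sensible for the static documentation export bundled in the package, which should not be crawled as if it were the live wiki; make sure the same change is applied to every exported page and not only applications.html, otherwise the bundled copies will be inconsistent with each other.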
@ -56,7 +56,7 @@
To integrate a Web application in <abbr title="LemonLDAP::NG">LL::NG</abbr>, you have the following possibilities:
</p>
<ul>
<li class="level1"><div class="li"> Protect the application with the Handler, and push user identity trough HTTP headers. This is how main Access Manager products, like CA SiteMinder, are working. This also how Apache authentication modules are working, so if your application is compatible with Apache authentication (often called “external authentifcation”), then you can use the Handler.</div>
<li class="level1"><div class="li"> Protect the application with the Handler, and push user identity trough HTTP headers. This is how main Access Manager products, like CA SiteMinder, are working. This also how Apache authentication modules are working, so if your application is compatible with Apache authentication (often called &quot;external authentifcation&quot;), then you can use the Handler.</div>
</li>
<li class="level1"><div class="li"> Specific Handler: some applications can require a specific Handler, to manage preauthentication process for example.</div>
</li>
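Review bot: the replaced line keeps three typos the rewrite could have fixed while it was being touched: "trough HTTP headers" should be "through", "This also how Apache authentication modules are working" lacks "is", and "external authentifcation" should be "external authentication".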
@ -122,7 +122,7 @@ If none of above methods is available, you can try:
<td class="col0 centeralign"> <a href="applications/fusiondirectory.html" class="media" title="documentation:2.0:applications:fusiondirectory"><img src="icons/kmultiple.png" class="media" title="fusiondirectory-logo.jpg" alt="fusiondirectory-logo.jpg" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/fusiondirectory.html" class="wikilink1" title="documentation:2.0:applications:fusiondirectory">FusionDirectory</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row12 roweven">
<td class="col0 centeralign"> <a href="applications/gitlab.html" class="media" title="documentation:2.0:applications:gitlab"><img src="icons/kmultiple.png" class="mediacenter" alt="" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/gitlab.html" class="wikilink1" title="documentation:2.0:applications:gitlab">Gitlab</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/gitlab.html" class="media" title="documentation:2.0:applications:gitlab"><img src="icons/kmultiple.png" class="mediacenter" alt="" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/gitlab.html" class="wikilink1" title="documentation:2.0:applications:gitlab">Gitlab</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6 centeralign"> </td>
</tr>
<tr class="row13 rowodd">
<td class="col0 centeralign"> <a href="applications/glpi.html" class="media" title="documentation:2.0:applications:glpi"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/glpi.html" class="wikilink1" title="documentation:2.0:applications:glpi">GLPI</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
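Review bot: the only change in the Gitlab row is adding centeralign to the col6 cell, which is the OpenID Connect column, yet the cell body is blank as this diff renders it; check that the export really contains the OpenID Connect marker for Gitlab, because an alignment class on an empty cell changes nothing and reads as noise.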
@ -140,76 +140,79 @@ If none of above methods is available, you can try:
<td class="col0 centeralign"> <a href="applications/guacamole.html" class="media" title="documentation:2.0:applications:guacamole"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/guacamole.html" class="wikilink1" title="documentation:2.0:applications:guacamole">Apache Guacamole</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4 centeralign"></td><td class="col5 leftalign"> </td><td class="col6 centeralign"></td>
</tr>
<tr class="row18 roweven">
<td class="col0 centeralign"> <a href="applications/jitsimet" class="media" title="documentation:2.0:applications:jitsimet"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/jitsimeet.html" class="wikilink1" title="documentation:2.0:applications:jitsimeet">Jitsi Meet</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/humhub.html" class="media" title="documentation:2.0:applications:humhub"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/humhub.html" class="wikilink1" title="documentation:2.0:applications:humhub">HumHub</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"> </td>
</tr>
<tr class="row19 rowodd">
<td class="col0 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="wikilink1" title="documentation:2.0:applications:liferay">Liferay</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
<td class="col0 centeralign"> <a href="applications/jitsimet" class="media" title="documentation:2.0:applications:jitsimet"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/jitsimeet.html" class="wikilink1" title="documentation:2.0:applications:jitsimeet">Jitsi Meet</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row20 roweven">
<td class="col0 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/limesurvey.html" class="wikilink1" title="documentation:2.0:applications:limesurvey">LimeSurvey</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
<td class="col0 centeralign"> <a href="applications/liferay.html" class="media" title="documentation:2.0:applications:liferay"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/liferay.html" class="wikilink1" title="documentation:2.0:applications:liferay">Liferay</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row21 rowodd">
<td class="col0 centeralign"> <a href="applications/mattermost.html" class="media" title="documentation:2.0:applications:mattermost"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mattermost.html" class="wikilink1" title="documentation:2.0:applications:mattermost">Mattermost</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"></td>
<td class="col0 centeralign"> <a href="applications/limesurvey.html" class="media" title="documentation:2.0:applications:limesurvey"><img src="icons/kmultiple.png" class="media" title="LimeSurvey" alt="LimeSurvey" width="120" /></a> </td><td class="col1 centeralign"> <a href="applications/limesurvey.html" class="wikilink1" title="documentation:2.0:applications:limesurvey">LimeSurvey</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"></td>
</tr>
<tr class="row22 roweven">
<td class="col0 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="wikilink1" title="documentation:2.0:applications:mediawiki">Mediawiki</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/mattermost.html" class="media" title="documentation:2.0:applications:mattermost"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mattermost.html" class="wikilink1" title="documentation:2.0:applications:mattermost">Mattermost</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6 centeralign"> </td>
</tr>
<tr class="row23 rowodd">
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/nextcloud.html" class="wikilink1" title="documentation:2.0:applications:nextcloud">NextCloud</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/mediawiki.html" class="media" title="documentation:2.0:applications:mediawiki"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/mediawiki.html" class="wikilink1" title="documentation:2.0:applications:mediawiki">Mediawiki</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row24 roweven">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
<td class="col0 centeralign"> <a href="applications/nextcloud.html" class="media" title="documentation:2.0:applications:nextcloud"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/nextcloud.html" class="wikilink1" title="documentation:2.0:applications:nextcloud">NextCloud</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row25 rowodd">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/obm.html" class="wikilink1" title="documentation:2.0:applications:obm">OBM</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row26 roweven">
<td class="col0 centeralign"> <a href="applications/office365.html" class="media" title="documentation:2.0:applications:office365"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/office365.html" class="wikilink1" title="documentation:2.0:applications:office365">Office 365</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row27 rowodd">
<td class="col0 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="wikilink1" title="documentation:2.0:applications:phpldapadmin">phpLDAPAdmin</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row28 roweven">
<td class="col0 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/roundcube.html" class="wikilink1" title="documentation:2.0:applications:roundcube">Roundcube</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/salesforce.html" class="wikilink1" title="documentation:2.0:applications:salesforce">SalesForce</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row30 roweven">
<td class="col0 centeralign"> <a href="applications/sap.html" class="media" title="documentation:2.0:applications:sap"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td><td class="col1 centeralign"> <a href="applications/sap.html" class="wikilink1" title="documentation:2.0:applications:sap">SAP</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row31 rowodd">
<td class="col0 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/simplesamlphp.html" class="wikilink1" title="documentation:2.0:applications:simplesamlphp">simpleSAMLphp</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row32 roweven">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row26 roweven">
<td class="col0 centeralign"> <a href="applications/obm.html" class="media" title="documentation:2.0:applications:obm"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/obm.html" class="wikilink1" title="documentation:2.0:applications:obm">OBM</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row27 rowodd">
<td class="col0 centeralign"> <a href="applications/office365.html" class="media" title="documentation:2.0:applications:office365"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/office365.html" class="wikilink1" title="documentation:2.0:applications:office365">Office 365</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row28 roweven">
<td class="col0 centeralign"> <a href="applications/phpldapadmin.html" class="media" title="documentation:2.0:applications:phpldapadmin"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/phpldapadmin.html" class="wikilink1" title="documentation:2.0:applications:phpldapadmin">phpLDAPAdmin</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row29 rowodd">
<td class="col0 centeralign"> <a href="applications/roundcube.html" class="media" title="documentation:2.0:applications:roundcube"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/roundcube.html" class="wikilink1" title="documentation:2.0:applications:roundcube">Roundcube</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row30 roweven">
<td class="col0 centeralign"> <a href="applications/salesforce.html" class="media" title="documentation:2.0:applications:salesforce"><img src="icons/kmultiple.png" class="mediacenter" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/salesforce.html" class="wikilink1" title="documentation:2.0:applications:salesforce">SalesForce</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row31 rowodd">
<td class="col0 centeralign"> <a href="applications/sap.html" class="media" title="documentation:2.0:applications:sap"><img src="icons/kmultiple.png" class="media" title="SAP" alt="SAP" /></a> </td><td class="col1 centeralign"> <a href="applications/sap.html" class="wikilink1" title="documentation:2.0:applications:sap">SAP</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row32 roweven">
<td class="col0 centeralign"> <a href="applications/simplesamlphp.html" class="media" title="documentation:2.0:applications:simplesamlphp"><img src="icons/kmultiple.png" class="media" alt="" width="200" /></a> </td><td class="col1 centeralign"> <a href="applications/simplesamlphp.html" class="wikilink1" title="documentation:2.0:applications:simplesamlphp">simpleSAMLphp</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5 centeralign"></td><td class="col6"> </td>
</tr>
<tr class="row33 rowodd">
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/spring.html" class="wikilink1" title="documentation:2.0:applications:spring">Spring</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
<tr class="row34 roweven">
<td class="col0 centeralign"> <a href="applications/symfony.html" class="media" title="documentation:2.0:applications:symfony"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/symfony.html" class="wikilink1" title="documentation:2.0:applications:symfony">Symfony</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/spring.html" class="media" title="documentation:2.0:applications:spring"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/spring.html" class="wikilink1" title="documentation:2.0:applications:spring">Spring</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row35 rowodd">
<td class="col0 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="wikilink1" title="documentation:2.0:applications:sympa">Sympa</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/symfony.html" class="media" title="documentation:2.0:applications:symfony"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/symfony.html" class="wikilink1" title="documentation:2.0:applications:symfony">Symfony</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row36 roweven">
<td class="col0 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="wikilink1" title="documentation:2.0:applications:tomcat">Tomcat</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/sympa.html" class="media" title="documentation:2.0:applications:sympa"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/sympa.html" class="wikilink1" title="documentation:2.0:applications:sympa">Sympa</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row37 rowodd">
<td class="col0 centeralign"> <a href="applications/wordpress.html" class="media" title="documentation:2.0:applications:wordpress"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/wordpress.html" class="wikilink1" title="documentation:2.0:applications:wordpress">Wordpress</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4 centeralign"></td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/tomcat.html" class="media" title="documentation:2.0:applications:tomcat"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/tomcat.html" class="wikilink1" title="documentation:2.0:applications:tomcat">Tomcat</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row38 roweven">
<td class="col0 centeralign"> <a href="applications/xwiki.html" class="media" title="documentation:2.0:applications:xwiki"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/xwiki.html" class="wikilink1" title="documentation:2.0:applications:xwiki">XWiki</a> </td><td class="col2 centeralign"></td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/wordpress.html" class="media" title="documentation:2.0:applications:wordpress"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/wordpress.html" class="wikilink1" title="documentation:2.0:applications:wordpress">Wordpress</a> </td><td class="col2"> </td><td class="col3"> </td><td class="col4 centeralign"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row39 rowodd">
<td class="col0 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra</a> </td><td class="col2"> </td><td class="col3 centeralign"></td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
<td class="col0 centeralign"> <a href="applications/xwiki.html" class="media" title="documentation:2.0:applications:xwiki"><img src="icons/kmultiple.png" class="media" alt="" width="100" /></a> </td><td class="col1 centeralign"> <a href="applications/xwiki.html" class="wikilink1" title="documentation:2.0:applications:xwiki">XWiki</a> </td><td class="col2 centeralign"> </td><td class="col3"> </td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row40 roweven">
<td class="col0 centeralign"> <a href="applications/zimbra.html" class="media" title="documentation:2.0:applications:zimbra"><img src="icons/kmultiple.png" class="media" alt="" /></a> </td><td class="col1 centeralign"> <a href="applications/zimbra.html" class="wikilink1" title="documentation:2.0:applications:zimbra">Zimbra</a> </td><td class="col2"> </td><td class="col3 centeralign"></td><td class="col4"> </td><td class="col5"> </td><td class="col6"> </td>
</tr>
<tr class="row41 rowodd">
<th class="col0 leftalign"> </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> HTTP headers </th><th class="col3 centeralign"> Specific Handler </th><th class="col4 centeralign"> <abbr title="Central Authentication Service">CAS</abbr> </th><th class="col5 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> </th><th class="col6 centeralign"> OpenID Connect </th>
</tr>
</table></div>
<!-- EDIT4 TABLE [1223-6153] -->
<!-- EDIT4 TABLE [1223-6276] -->
</div>
<!-- EDIT3 SECTION "Application list" [1192-] --></div>
</body>
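Review bot: this hunk rewrites the OBM through Zimbra rows and several repeated `<th>` header rows although the only real change is one new Mattermost row (the row whose marked column, by the `centeralign` pattern used elsewhere in the table, is OpenID Connect). The cause is the header row that the export repeats every eight application rows: inserting a row shifts every later header, so the diff shows unchanged applications twice (once in the old position, once in the new). Regenerating the table without the intermediate header repeats, or keeping a single header in `<thead>`, would make future additions review as a one-row change. The `EDIT4 TABLE [1223-6153]` / `[1223-6276]` offsets also confirm nothing but the added row grew the section.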

View File

@ -67,7 +67,7 @@ In the context of an HTTP transaction, the basic access authentication is a meth
</p>
<p>
Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings “on the fly”.
Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings &quot;on the fly&quot;.
</blockquote>
</p>
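Review bot: the quote change itself (typographic quotes around "on the fly" replaced by `&quot;`) matches the escaping used in the other exported pages in this commit, but the markup around it is misnested: a `<p>` opens at the top of the hunk and `</blockquote>` is emitted before the matching `</p>`. Browsers implicitly close the paragraph at the `</blockquote>`, so the trailing `</p>` becomes a stray tag and the quoted passage about Base64-encoded Basic credentials does not render as intended. Since the page is being touched, emit `</p>` before `</blockquote>` (or open the `<p>` inside the blockquote) so the validator and the rendering agree.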

View File

@ -96,11 +96,11 @@ similar, using whatever attribute makes sense to you. For example:<pre class="c
</li>
<li class="level1"><div class="li"> Now go to *Variables -&gt; Macros*. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provier-name</code>. The last two will be the provider name and role names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -&gt; <code>$ou =~ sysadmin ? “arn:aws...” : “arn:...”</code></div>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -&gt; <code>$ou =~ sysadmin ? &quot;arn:aws...&quot; : &quot;arn:...&quot;</code></div>
</li>
<li class="level1"><div class="li"> If it easier, split multiple roles into different macros. Then tie all the variables you define together into one string concatenating them with whatever is in General Parameters -&gt; Advanced Parameters -&gt; Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> -&gt; <code>join(“; ”, $role_name1, $role_name2, ...)</code></div>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> -&gt; <code>join(&quot;; &quot;, $role_name1, $role_name2, ...)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
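Review bot: the Perl macro on the changed line, `$ou =~ sysadmin ? "arn:aws..." : "arn:..."`, is not a valid match expression: the pattern needs delimiters, i.e. `$ou =~ /sysadmin/ ? "arn:aws..." : "arn:..."`, and if an exact value is meant, `$ou eq "sysadmin"` is clearer than a substring match that also fires on any value containing the word. The second changed line, `join("; ", $role_name1, $role_name2, ...)`, hard-codes `"; "` as separator while the preceding item tells the reader to reuse whatever is configured under General Parameters -> Advanced Parameters -> Separator; state explicitly that the two must be identical, otherwise the roles are emitted as a single unparseable attribute value. Unchanged context in the same list has `provier-name` for `provider-name` and "If it easier" for "If it is easier"; worth fixing in the same pass.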

View File

@ -55,6 +55,12 @@
<li class="level2"><div class="li"><a href="#gitlab_configuration">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#manage_groups">Manage groups</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#openid_connect">OpenID Connect</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#gitlab_configuration1">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration1">LL::NG configuration</a></div></li>
</ul></li>
</ul>
</div>
@ -191,6 +197,70 @@ And in <abbr title="LemonLDAP::NG">LL::NG</abbr>, export the groups attribute:
</ul>
</div>
<!-- EDIT6 SECTION "Manage groups" [2526-] --></div>
<!-- EDIT6 SECTION "Manage groups" [2526-2818] -->
<h2 class="sectionedit7" id="openid_connect">OpenID Connect</h2>
<div class="level2">
<p>
<strong>Alternatively</strong> to <abbr title="Security Assertion Markup Language">SAML</abbr>, you can choose to configure Gitlab to use OpenID Connect.
</p>
</div>
<!-- EDIT7 SECTION "OpenID Connect" [2819-2932] -->
<h3 class="sectionedit8" id="gitlab_configuration1">Gitlab configuration</h3>
<div class="level3">
<p>
In <code>/etc/gitlab/gitlab.rb</code>
</p>
<pre class="code file ruby">...
<span class="me1">gitlab_rails</span><span class="br0">&#91;</span><span class="st0">'omniauth_allow_single_sign_on'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span><span class="st0">'openid_connect'</span><span class="br0">&#93;</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_block_auto_created_users'</span><span class="br0">&#93;</span> = <span class="kw2">false</span>
&nbsp;
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
<span class="br0">&#123;</span> <span class="st0">'name'</span> <span class="sy0">=&gt;</span> <span class="st0">'openid_connect'</span>,
<span class="st0">'label'</span> <span class="sy0">=&gt;</span> <span class="st0">'LemonLDAP::NG'</span>,
<span class="st0">'args'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st0">'name'</span> <span class="sy0">=&gt;</span> <span class="st0">'openid_connect'</span>,
<span class="st0">'issuer'</span> <span class="sy0">=&gt;</span> <span class="st0">'https://auth.example.com'</span>,
<span class="st0">'scope'</span> <span class="sy0">=&gt;</span> <span class="br0">&#91;</span><span class="st0">'openid'</span>, <span class="st0">'profile'</span>, <span class="st0">'email'</span><span class="br0">&#93;</span>,
<span class="st0">'response_type'</span> <span class="sy0">=&gt;</span> <span class="st0">'code'</span>,
<span class="st0">'client_auth_method'</span> <span class="sy0">=&gt;</span> <span class="st0">'client_secret_post'</span>,
<span class="st0">'discovery'</span> <span class="sy0">=&gt;</span> <span class="kw2">true</span>,
<span class="st0">'uid_field'</span> <span class="sy0">=&gt;</span> <span class="st0">'sub'</span>,
<span class="st0">'client_options'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st0">'redirect_uri'</span> <span class="sy0">=&gt;</span> <span class="st0">'http://gitlab.example.com/users/auth/openid_connect/callback'</span>,
<span class="st0">'identifier'</span> <span class="sy0">=&gt;</span> <span class="st0">'LEMONLDAP_CLIENT_ID'</span>,
<span class="st0">'secret'</span> <span class="sy0">=&gt;</span> <span class="st0">'LEMONLDAP_CLIENT_SECRET'</span>,
<span class="br0">&#125;</span>
<span class="br0">&#125;</span>
<span class="br0">&#125;</span>
<span class="br0">&#93;</span>;
&nbsp;
...</pre>
</div>
<!-- EDIT8 SECTION "Gitlab configuration" [2933-3771] -->
<h3 class="sectionedit9" id="llng_configuration1">LL::NG configuration</h3>
<div class="level3">
<p>
Add an OpenID Connect RP to LemonLDAP::NG
</p>
<ul>
<li class="level1"><div class="li"> Chose a client ID and a client secret, and write the same values in the <code>gitlab.rb</code> file above</div>
</li>
<li class="level1"><div class="li"> You need to chose an asymetrical signature algorithm for the ID Token (RS256 or above)</div>
</li>
<li class="level1"><div class="li"> You also need to set a key identifier on your LemonLDAP::NG server in <code>OpenID Connect service</code> » <code>Security</code> » <code>Signing key ID</code> (use something like <code>default</code> as the value). </div>
</li>
<li class="level1"><div class="li"> Make sure the attribute containing the user email in the LemonLDAP::NG session is mapped to the <code>email</code> claim.</div>
</li>
</ul>
<div class="noteclassic">You need to set a key identifier, or you will get a <em>JSON::JWK::Set::KidNotFound</em> error on Gitlab
</div>
</div>
<!-- EDIT9 SECTION "LL::NG configuration" [3772-] --></div>
</body>
</html>
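Review bot: `redirect_uri` in the new `gitlab.rb` sample is `http://gitlab.example.com/users/auth/openid_connect/callback` while the issuer is `https://auth.example.com`; the authorization code is delivered to that URI through the browser, so the sample should use `https://`, and the value registered as redirect URI on the LL::NG relying party must match it exactly. Two points in the same section deserve a sentence each: `omniauth_block_auto_created_users = false` means every user LL::NG authenticates gets a Gitlab account on first login, which administrators should opt into knowingly, and the `noteclassic` about `JSON::JWK::Set::KidNotFound` repeats the third bullet about the Signing key ID, so fold one into the other. Spelling in the new bullets: "Chose" should read "Choose" (twice), "asymetrical" should read "asymmetric".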

View File

@ -0,0 +1,210 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:humhub</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,applications,humhub"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="humhub.html"/>
<link rel="contents" href="humhub.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:humhub","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Présentation</a></div></li>
<li class="level1"><div class="li"><a href="#openid_connect">OpenID Connect</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuring_humhub">Configuring HumHub</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div></li>
<li class="level2"><div class="li"><a href="#troubleshooting">Troubleshooting</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="humhub">HumHub</h1>
<div class="level1">
<p>
<img src="humhub_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "HumHub" [1-67] -->
<h2 class="sectionedit2" id="presentation">Présentation</h2>
<div class="level2">
<p>
<a href="https://humhub.org/" class="urlextern" title="https://humhub.org/" rel="nofollow">HumHub</a> is a free and open-source social network written on top of the <a href="https://www.yiiframework.com/" class="urlextern" title="https://www.yiiframework.com/" rel="nofollow">Yii2 PHP framework</a> that provides an easy to use toolkit for creating and launching your own social network.
</p>
<p>
Unauthenticated users may connect using a login form against HumHub local database or a LDAP directory, or choose which authentication service they want to use.
</p>
<p>
Administrator can configure one or several OAuth, OAuth2 or OIDC authentication services to be displayed as buttons on the login page.
</p>
<p>
With <a href="#openid_connect" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login.
</p>
<div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service.
</div>
</div>
<!-- EDIT2 SECTION "Présentation" [68-1041] -->
<h2 class="sectionedit3" id="openid_connect">OpenID Connect</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "OpenID Connect" [1042-1069] -->
<h3 class="sectionedit4" id="configuring_humhub">Configuring HumHub</h3>
<div class="level3">
<p>
First disable LDAP (Administration &gt; Users section) and delete (or migrate source) any local users whose username or email are conflicting with the username or email of your OIDC users.
</p>
<p>
Then install and configure the <a href="https://github.com/Worteks/humhub-auth-oidc" class="urlextern" title="https://github.com/Worteks/humhub-auth-oidc" rel="nofollow"> OIDC connector for humhub </a> extension using composer :
</p>
<ul>
<li class="level1"><div class="li"> Install composer and php-tokenizer.</div>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> Consider using prestissimo, to speed up composer update command (4x faster):</div>
</li>
</ul>
<pre class="code">composer global require hirak/prestissimo</pre>
<ul>
<li class="level1"><div class="li"> Go to {humhumb_home} folder (containing humhub&#039;s composer.json file) and execute</div>
</li>
</ul>
<pre class="code">composer require --no-update --update-no-dev worteks/humhub-auth-oidc
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv</pre>
<ul>
<li class="level1"><div class="li"> Edit {humhumb_home}/protected/config/common.php with the client configuration :</div>
</li>
</ul>
<pre class="code">&#039;components&#039; =&gt; [
    &#039;authClientCollection&#039; =&gt; [
        &#039;clients&#039; =&gt; [
            // ...
            // The key is the Yii2 auth client ID; it is sent back to LemonLDAP::NG
            // as authclient=lemonldapng in the redirect URI registered below
            &#039;lemonldapng&#039; =&gt; [
                &#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;,
                &#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;, // LemonLDAP::NG portal URL
                &#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP
                &#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP
                &#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button
            ],
        ],
    ],
    // ...
]</pre>
</div>
<!-- EDIT4 SECTION "Configuring HumHub" [1070-2515] -->
<h3 class="sectionedit5" id="configuring_lemonldap">Configuring LemonLDAP</h3>
<div class="level3">
<p>
If not done yet, configure LemonLDAP::NG as an <a href="../openidconnectservice.html" class="wikilink1" title="documentation:2.0:openidconnectservice"> OpenID Connect service</a>.
</p>
<p>
Then declare your HumHub instance in LemonLDAP::NG as a new <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> OpenID Connect relying party </a> with the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in HumHub configuration</div>
</li>
<li class="level2"><div class="li"> <strong>Client Secret</strong>: the same you set in HumHub configuration</div>
</li>
<li class="level2"><div class="li"> Add the following <strong>exported attributes</strong></div>
<ul>
<li class="level4"><div class="li"> <strong>given_name</strong>: user&#039;s givenName attribute</div>
</li>
<li class="level4"><div class="li"> <strong>family_name</strong>: user&#039;s sn attribute</div>
</li>
<li class="level4"><div class="li"> <strong>email</strong>: user&#039;s mail attribute</div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> <strong>Redirect URIs</strong>: the HumHub callback URL, which carries your Yii2 auth client ID in the <code>authclient</code> query parameter (for example <code>https://humhub.example.com/user/auth/external?authclient=lemonldapng</code>). OpenID Connect requires an exact match on the redirect URI, so register it exactly as HumHub sends it, query string included.</div>
</li>
</ul>
<p>
Configuration sample using the CLI (a client secret passed on the command line ends up in the shell history; clear it afterwards or set the secret from the Manager instead):
</p>
<pre class="code"> $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataExportedVars/humhub given_name givenName \
oidcRPMetaDataExportedVars/humhub family_name sn \
oidcRPMetaDataExportedVars/humhub email mail \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientID myClientId \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientSecret myClientSecret \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsRedirectUris &#039;https://humhub.example.com/user/auth/external?authclient=lemonldapng&#039; \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsPostLogoutRedirectUris &#039;https://humhub.example.com&#039; \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenExpiration 3600 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1</pre>
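<p>
The checks that the HumHub side of this flow depends on, as an added example that is not part of the LemonLDAP::NG documentation nor of the HumHub connector: the exact-match rule on the registered redirect URI (the <code>authclient</code> value must stay the key used in common.php) and the ID token claim checks that gate account provisioning from the exported attributes. The issuer, client ID, signature algorithm and redirect URI are the values registered above; the tokens, claims and the <code>jdoe</code> user are constructed for the example, and signature verification against the issuer&#039;s JWKS is assumed to happen before these claim checks.
</p>

```python
"""Added example, not part of the LemonLDAP::NG or HumHub documentation:
the checks HumHub's side of the OpenID Connect flow depends on, using the
parameters registered above. Tokens and claims below are constructed."""
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit

# Values taken from the configuration above; everything else here is assumed.
ISSUER = "https://auth.example.com"            # 'domain' in common.php
CLIENT_ID = "myClientId"                       # oidcRPMetaDataOptionsClientID
ID_TOKEN_ALG = "RS512"                         # oidcRPMetaDataOptionsIDTokenSignAlg
REGISTERED_REDIRECT_URIS = [                   # oidcRPMetaDataOptionsRedirectUris
    "https://humhub.example.com/user/auth/external?authclient=lemonldapng",
]


def redirect_uri_allowed(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """OpenID Connect requires the redirect_uri of an authorization request to
    match a registered value exactly: no prefix, host-only or same-origin
    matching, otherwise the authorization code could be delivered to another
    path or to a different authclient."""
    return redirect_uri in registered


def authclient_of(redirect_uri):
    """The Yii2 auth client ID HumHub carries in its callback query string;
    it must equal the key used under 'clients' in common.php."""
    return parse_qs(urlsplit(redirect_uri).query).get("authclient", [None])[0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_id_token_claims(id_token, issuer=ISSUER, client_id=CLIENT_ID,
                             now=None, nonce=None):
    """Claim checks every relying party must perform after verifying the
    token's RS512 signature against the issuer's JWKS (signature verification
    is not shown here). Returns the attributes HumHub provisions the account
    from (the exported attributes above), or raises ValueError."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now

    if header.get("alg") != ID_TOKEN_ALG:
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")

    wanted = ("sub", "given_name", "family_name", "email")
    missing = [k for k in wanted if k not in claims]
    if missing:
        raise ValueError("claims needed for provisioning are missing: %s" % missing)
    return {k: claims[k] for k in wanted}


def make_test_token(claims, alg=ID_TOKEN_ALG):
    """Constructed token with an empty signature, to exercise the claim checks
    offline; a real ID token from LemonLDAP::NG carries an RS512 signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": alg, "typ": "JWT"}) + "." + enc(claims) + "."
```

<p>
Because the match is exact, a request whose <code>authclient</code> differs from the registered one, or that drops the query string, is refused; the same exactness is why the Post-logout redirect URI above has to be registered separately.
</p>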
</div>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [2516-4258] -->
<h3 class="sectionedit6" id="troubleshooting">Troubleshooting</h3>
<div class="level3">
<p>
If the LemonLDAP::NG login page appears to freeze after the credentials are submitted, look for a Content Security Policy violation in the browser console: the portal&#039;s CSP form-action directive restricts where the login form may be submitted, and some browsers (Chromium-based ones in particular) also apply it to the redirect that follows the submission, so the redirect to the HumHub callback is blocked. Extend the form-action directive to allow the HumHub host (a wildcard such as https://*.example.com allows every host under the domain; list only the HumHub host when you can):
</p>
<pre class="code"> $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
cspFormAction &quot;&#039;self&#039; https://*.example.com&quot;</pre>
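<p>
How a browser evaluates that form-action source list, as an added example that is not part of the LemonLDAP::NG documentation or code base: it lets you check a candidate <code>cspFormAction</code> value against the portal and HumHub URLs before applying it, and shows why <code>&#039;self&#039;</code> alone blocks the HumHub callback while an explicit host is tighter than the wildcard. The portal origin https://auth.example.com is assumed from the HumHub configuration above; ports and paths are ignored, which is a simplification of the CSP grammar, not the full thing.
</p>

```python
"""Added example, not part of the LemonLDAP::NG documentation: evaluates a
Content Security Policy form-action source list the way a browser does, so a
candidate cspFormAction value can be checked against the URLs the login flow
has to reach before it is applied. The portal origin is assumed."""
from urllib.parse import urlsplit

PORTAL_ORIGIN = "https://auth.example.com"   # assumed LemonLDAP::NG portal URL


def _host_matches(pattern_host, host):
    """CSP host matching: '*.example.com' covers any subdomain (one or more
    labels) but not example.com itself; anything else is an exact match."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def form_action_allows(directive_value, action_url, portal_origin=PORTAL_ORIGIN):
    """True if a form on a page served from portal_origin may be submitted to
    action_url under a form-action directive whose value is directive_value.
    Ports and paths are ignored to keep the example short (an assumption)."""
    target = urlsplit(action_url)
    me = urlsplit(portal_origin)
    for src in directive_value.split():
        if src == "'none'":
            return False
        if src == "'self'":
            if (target.scheme, target.hostname) == (me.scheme, me.hostname):
                return True
        elif src == "*":
            return True
        elif src.endswith(":") and "/" not in src:      # scheme-source, e.g. https:
            if target.scheme == src[:-1]:
                return True
        else:                                           # host-source, optional scheme
            pattern = urlsplit(src if "://" in src else "//" + src)
            if pattern.scheme and pattern.scheme != target.scheme:
                continue
            if pattern.hostname and _host_matches(pattern.hostname, target.hostname or ""):
                return True
    return False


def blocked_by(directive_value, action_urls, portal_origin=PORTAL_ORIGIN):
    """Which of the given URLs a browser would refuse to submit a form to."""
    return [u for u in action_urls if not form_action_allows(directive_value, u, portal_origin)]


if __name__ == "__main__":
    # Constructed candidates: the portal itself and the HumHub callback from above.
    urls = ["https://auth.example.com/oauth2/authorize",
            "https://humhub.example.com/user/auth/external?authclient=lemonldapng"]
    for policy in ("'self'", "'self' https://*.example.com", "'self' https://humhub.example.com"):
        print("%-40s blocks %s" % (policy, blocked_by(policy, urls)))
```

<p>
With the default <code>&#039;self&#039;</code> the HumHub callback is blocked, which is the symptom described above; both the wildcard and the explicit host unblock it, but only the explicit form keeps a compromised host elsewhere under example.com from receiving the browser&#039;s post-login redirect.
</p>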
</div>
<!-- EDIT6 SECTION "Troubleshooting" [4259-] --></div>
</body>
</html>

View File

@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0:applications:img"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/applications/img/icons.png"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/applications/img/icons.png"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications:img';var JSINFO = {"id":"documentation:2.0:applications:img:icons.png","namespace":"documentation:2.0:applications:img"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
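Review bot: the only difference in this hunk is the DokuWiki CSRF token (`sectok`) embedded in the login link, and the neighbouring hunks for the same exported page likewise change only the `tseed` cache seed and the indexer timestamp; these are per-export values with no documentation content that will churn on every re-export, so strip them from the generated HTML (or exclude the login and indexer markup from the export) rather than committing them as changes.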
@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1561840284" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1569271147" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0:applications:img"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/applications/img/loader.gif"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/applications/img/loader.gif"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications:img';var JSINFO = {"id":"documentation:2.0:applications:img:loader.gif","namespace":"documentation:2.0:applications:img"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1561840284" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1569271147" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0:applications"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/applications/jitsimet"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/applications/jitsimet"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:jitsimet","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1561840300" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1569271166" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -161,7 +161,7 @@ Add a <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:
</li>
<li class="level2"><div class="li"> <strong>Client Secret</strong>: the same you set in Mattermost configuration</div>
</li>
<li class="level2"><div class="li"> Add a new scope in “Extra claims”</div>
<li class="level2"><div class="li"> Add a new scope in &quot;Extra claims&quot;</div>
<ul>
<li class="level4"><div class="li"> <strong>Key</strong>: <code>gitlab</code></div>
</li>

View File

@ -159,17 +159,17 @@ Add then extension configuration, for example:
<span class="br0">&#125;</span>
<span class="re0">$wgHooks</span><span class="br0">&#91;</span><span class="st_h">'PersonalUrls'</span><span class="br0">&#93;</span><span class="br0">&#91;</span><span class="br0">&#93;</span> <span class="sy0">=</span> <span class="st_h">'StripLogin'</span><span class="sy0">;</span></pre>
<div class="notewarning">In last version of Auth_remoteuser and Mediawiki, empty passwords are not authorized, so you may need to patch the extension code if you get the error:
“Unexpected REMOTE_USER authentication failure. Login Error was:EmptyPass”.
&quot;Unexpected REMOTE_USER authentication failure. Login Error was:EmptyPass&quot;.
</div>
<p>
If necessary, use the code below to patch the extension:
</p>
<pre class="code">sed -i &quot;s/&#039;wpPassword&#039; =&gt; &#039;&#039;/&#039;wpPassword&#039; =&gt; &#039;none&#039;/&quot; extensions/Auth_remoteuser/Auth_remoteuser.body.php</pre>
<div class="notewarning">In last version of Auth_remoteuser and Mediawiki, auto-provisioning requires REMOTE_USER to match the normalized mediawiki username (for example: john_doe -&gt; john doe), so you may need to patch the extension code if you get the error:
“Unexpected REMOTE_USER authentication failure. Login Error was:WrongPluginPass”
&quot;Unexpected REMOTE_USER authentication failure. Login Error was:WrongPluginPass&quot;
</div>
<p>
You can use the code below for normalizing logins containing “_” in the extension:
You can use the code below for normalizing logins containing &quot;_&quot; in the extension:
</p>
<pre class="code">sed -i &#039;/$usertest = $this-&gt;getRemoteUsername();/a\ $usertest = str_replace( &quot;_&quot;,&quot; &quot;, $usertest );&#039; extensions/Auth_remoteuser/Auth_remoteuser.body.php</pre>
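Review bot: the context lines keep the `sed -i` one-liners that rewrite Auth_remoteuser.body.php in place (substituting the fixed string 'none' for the empty password and normalizing '_' in REMOTE_USER); since the surrounding text is being re-rendered anyway, it should warn that these in-place patches are lost on the next extension update and that 'none' is only a placeholder to get past the non-empty check, not a credential to be reused elsewhere.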

View File

@ -104,7 +104,7 @@ Consider changing the configuration of NextCloud to force the domain, in <strong
</div>
<p>
You also need to enable the <abbr title="Security Assertion Markup Language">SAML</abbr> authentication plugin in your NextCloud.
You also need to enable the &quot;<abbr title="Security Assertion Markup Language">SAML</abbr> authentication&quot; plugin in your NextCloud.
</p>
<pre class="code"> + Apps -&gt; Not enabled -&gt; SAML authentication</pre>
@ -159,7 +159,7 @@ You first need to create a pair of SSH Keys in LL:NG:
<pre class="code">SAML 2 Service -&gt; Security Parameters -&gt; Signature</pre>
<p>
and click “New keys”
and click &quot;New keys&quot;
<img src="nextcloud_certificate_keys.png" class="mediacenter" alt="" />
</p>
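Review bot: the hunk header context still reads "create a pair of SSH Keys in LL:NG" while the steps in this and the next hunk generate a SAML signing key pair and a self-signed X.509 certificate (`openssl x509 -req -days 3650 -in cert.csr -signkey private.key -out cert.pem`), which has nothing to do with SSH; as this passage is being touched for quote style, the wording should be corrected in the same pass.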
@ -170,7 +170,7 @@ Take the private key in a private.key file, and run the following:
openssl x509 -req -days 3650 -in cert.csr -signkey private.key -out cert.pem</pre>
<p>
Copy/Paste the content of your new cert.pem in the “Public X.509 certificate of the IdP” field of your NextCloud.
Copy/Paste the content of your new cert.pem in the &quot;Public X.509 certificate of the IdP&quot; field of your NextCloud.
</p>
<p>
@ -192,7 +192,7 @@ We now have to define a service provider (e.g our nextcloud) in LL:NG.
</p>
<p>
Go to <abbr title="Security Assertion Markup Language">SAML</abbr> service providers”, click on “Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP and name it as you want (example : &#039;NextCloud&#039;)
Go to &quot;<abbr title="Security Assertion Markup Language">SAML</abbr> service providers&quot;, click on &quot;Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP&quot; and name it as you want (example : &#039;NextCloud&#039;)
</p>
<p>
@ -204,7 +204,7 @@ In the new subtree &#039;NextCloud&#039;, open &#039;Metadata&#039; and paste th
</p>
<p>
Now go in “Exported attributes” and add, at least, the &#039;uid&#039;
Now go in &quot;Exported attributes&quot; and add, at least, the &#039;uid&#039;
</p>
<p>

View File

@ -74,7 +74,7 @@
</p>
<p>
Symfony provides many methods conventions to authenticate users (basic, ldap,...) and to load external user sources (ldap, database). The method presented here relies on the “remote_user” method. (in security firewall)
Symfony provides many methods conventions to authenticate users (basic, ldap,...) and to load external user sources (ldap, database). The method presented here relies on the &quot;remote_user&quot; method. (in security firewall)
</p>
</div>
@ -83,7 +83,7 @@ Symfony provides many methods conventions to authenticate users (basic, ldap,...
<div class="level2">
<p>
Follow these step to protect your application using the “REMOTE_USER” HTTP header.
Follow these step to protect your application using the &quot;REMOTE_USER&quot; HTTP header.
</p>
<p>
@ -113,7 +113,7 @@ Follow these step to protect your application using the “REMOTE_USER” HTTP h
</li>
<li class="level1"><div class="li"> providers : define the user providers (even virtual)</div>
</li>
<li class="level1"><div class="li"> remote_user : define the authentication method to “assume the user is already authenticated and get an http variable to know his username”</div>
<li class="level1"><div class="li"> remote_user : define the authentication method to &quot;assume the user is already authenticated and get an http variable to know his username&quot;</div>
</li>
<li class="level1"><div class="li"> user : define the HTTP header containing the username</div>
</li>
@ -122,7 +122,7 @@ Follow these step to protect your application using the “REMOTE_USER” HTTP h
</ul>
<p>
2. Define a “header user” class
2. Define a &quot;header user&quot; class
</p>
<p>
@ -194,7 +194,7 @@ Create the file src/AppBundle/Security/User/HeaderUser.php :
<span class="sy1">?&gt;</span></pre>
<p>
3. Define a “header user provider” class relying on the previous class
3. Define a &quot;header user provider&quot; class relying on the previous class
</p>
<p>

View File

@ -94,7 +94,7 @@ To configure <abbr title="Single Sign On">SSO</abbr> with Sympa, use <strong>Mag
<div class="level3">
<p>
Edit the file “auth.conf”, for example:
Edit the file &quot;auth.conf&quot;, for example:
</p>
<pre class="code">vi /etc/sympa/auth.conf</pre>
@ -115,7 +115,7 @@ Note that if you use FastCGI, you must restart Apache to enable changes.
</div>
<p>
You can also use &lt;portal&gt;?logout=1 as logout_url to remove LemonLDAP::NG session when “disconnect” is chosen.
You can also use &lt;portal&gt;?logout=1 as logout_url to remove LemonLDAP::NG session when &quot;disconnect&quot; is chosen.
</p>
</div>

View File

@ -127,9 +127,9 @@ Configure attributes:
</li>
<li class="level1"><div class="li"> <strong>roleSeparator</strong> (optional): role values separator.</div>
</li>
<li class="level1"><div class="li"> <strong>allows</strong> (optional): Define allowed remote <abbr title="Internet Protocol">IP</abbr> (use “,” separator for multiple <abbr title="Internet Protocol">IP</abbr>). Just set the <abbr title="LemonLDAP::NG">LL::NG</abbr> Handler <abbr title="Internet Protocol">IP</abbr> on this attribute in order to add more security. If this attribute is missed all hosts are allowed.</div>
<li class="level1"><div class="li"> <strong>allows</strong> (optional): Define allowed remote <abbr title="Internet Protocol">IP</abbr> (use &quot;,&quot; separator for multiple <abbr title="Internet Protocol">IP</abbr>). Just set the <abbr title="LemonLDAP::NG">LL::NG</abbr> Handler <abbr title="Internet Protocol">IP</abbr> on this attribute in order to add more security. If this attribute is missed all hosts are allowed.</div>
</li>
<li class="level1"><div class="li"> <strong>passThrough</strong> (optional): Allow anonymous access or not. When it takes “false”, HTTP headers have to be sent by <abbr title="LemonLDAP::NG">LL::NG</abbr> to make authentication. So, if the user is not recognized or HTTP headers not present, a 403 error is sent.</div>
<li class="level1"><div class="li"> <strong>passThrough</strong> (optional): Allow anonymous access or not. When it takes &quot;false&quot;, HTTP headers have to be sent by <abbr title="LemonLDAP::NG">LL::NG</abbr> to make authentication. So, if the user is not recognized or HTTP headers not present, a 403 error is sent.</div>
</li>
</ul>
<div class="notetip">For debugging, this valve can print some helpful information in debug level. See <a href="http://tomcat.apache.org/tomcat-5.5-doc/logging.html" class="urlextern" title="http://tomcat.apache.org/tomcat-5.5-doc/logging.html" rel="nofollow">how configure logging in Tomcat</a> .
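Review bot: the `allows` line changed here documents a fail-open default ("If this attribute is missed all hosts are allowed"), which means that without it any client that can reach Tomcat directly can present the identity headers the valve trusts; since the line is being rewritten anyway, it should state setting `allows` to the Handler IP as a requirement rather than "more security", and the `passThrough` line should make the same point about header forgery when anonymous access is enabled.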
@ -158,7 +158,7 @@ Required :
<p>
Configure your tomcat home in <code>build.properties</code> files.
</p>
<div class="noteimportant">Be careful for Windows user, path must contains “/”. Example:
<div class="noteimportant">Be careful for Windows user, path must contains &quot;/&quot;. Example:
<pre class="code">c:/my hardisk/tomcat/</pre>
</div>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications:wekan</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,wekan"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="wekan.html"/>
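Review bot: this hunk flips the page's robots meta from noindex,nofollow to index,follow, and no other exported page in this commit touches that tag; confirm the change is intentional for the Wekan page rather than a side effect of the export settings.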

View File

@ -130,7 +130,7 @@ Choose for example <a href="http://zimbra.example.com/zimbrasso" class="urlexter
<div class="level3">
<p>
You just have to set “Type: ZimbraPreAuth” in virtualhost options and reload configuration in this handler.
You just have to set &quot;Type: ZimbraPreAuth&quot; in virtualhost options and reload configuration in this handler.
</p>
</div>

View File

@ -110,10 +110,10 @@ LemonLDAP::NG implements partially the policy:
</li>
<li class="level1"><div class="li"> when computed virtual attribute &#039;msDS-User-Account-Control-Computed&#039; as 6th flag set to 8, the password is considered expired (support from Windows Server 2003). It is too late for the user to do anything. He must contact his administrator.</div>
</li>
<li class="level1"><div class="li"> a warning before password expiration is possible in AD, but only in GPO (Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration). However it as no reality in LDAP referential. A “password warning time before password expiration” variable can be specified in LemonLDAP::NG to do so.</div>
<li class="level1"><div class="li"> a warning before password expiration is possible in AD, but only in GPO (Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration). However it as no reality in LDAP referential. A &quot;password warning time before password expiration&quot; variable can be specified in LemonLDAP::NG to do so.</div>
</li>
</ul>
<div class="noteimportant">Note: since AD 2012, each user can have a specific password expiration policy. Then, the “maximum password age” can have different values. This is currently unsupported in LemonLDAP::NG because every policy must be computed with their precedence to know which maximum password age to apply.
<div class="noteimportant">Note: since AD 2012, each user can have a specific password expiration policy. Then, the &quot;maximum password age&quot; can have different values. This is currently unsupported in LemonLDAP::NG because every policy must be computed with their precedence to know which maximum password age to apply.
</div>
<p>
To configure warning before password expiration, you must set two variables in Active Directory parameters in Manager:
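Review bot: the rewritten line keeps the wording "However it as no reality in LDAP referential"; since the line is being edited for quote style, fix it to "However it has no counterpart in the LDAP directory" in the same change.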

View File

@ -143,7 +143,10 @@ Define here:
<li class="level1"><div class="li"> <strong>Condition</strong>: optional, can be used to evaluate an expression to display the tab.</div>
</li>
</ul>
<div class="notetip">You can prefix the key name with a digit to order them. The digit will not be shown on portal page. Underscore characters are also replaced by spaces.
<div class="noteclassic">Authentication request to an another <abbr title="Uniform Resource Locator">URL</abbr> than Portal <abbr title="Uniform Resource Locator">URL</abbr> can lead to a persistent loop between Portal and a redirection <abbr title="Uniform Resource Locator">URL</abbr> (pdata is not removed because domains mismatch). To avoid this, you have to set pdata cookie domain by editing <code>lemonldap-ng.ini</code> in section [portal]:<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">pdataDomain</span> <span class="sy0">=</span><span class="re2"> example.com</span></pre>
</div><div class="notetip">You can prefix the key name with a digit to order them. The digit will not be shown on portal page. Underscore characters are also replaced by spaces.
</div><div class="notetip">You can also override some LLNG parameters for each chain. See <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">Parameter list</a> to have the key names to use
</div>
</div>
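Review bot: the added note sets `pdataDomain = example.com`, which scopes the pdata cookie to every host under example.com, not just the portal and the redirection URL involved in the loop; the note should say that this widens exposure of the cookie to all subdomains and recommend the narrowest domain that still covers the two hosts.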

View File

@ -105,7 +105,7 @@ This backend allows one to chain authentication method, for example to failback
<div class="level2">
<p>
You have to use <code>Combination</code> as authentication module (users module must be set to “Same”). Then go in <code>Combination parameters</code> to :
You have to use <code>Combination</code> as authentication module (users module must be set to &quot;Same&quot;). Then go in <code>Combination parameters</code> to :
</p>
<ul>
<li class="level1"><div class="li"> declare the modules that will be used</div>
@ -156,7 +156,7 @@ For example:
<td class="col0"> DB1 </td><td class="col1"> <abbr title="Database Interface">DBI</abbr> </td><td class="col2"> Auth only </td><td class="col3"> </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> DB2 </td><td class="col1"> <abbr title="Database Interface">DBI</abbr> </td><td class="col2"> User DB only </td><td class="col3"> dbiAuthChain =&gt; “mysql:...” </td>
<td class="col0"> DB2 </td><td class="col1"> <abbr title="Database Interface">DBI</abbr> </td><td class="col2"> User DB only </td><td class="col3"> dbiAuthChain =&gt; &quot;mysql:...&quot; </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [1133-1256] -->
@ -165,7 +165,7 @@ Usually, you can&#039;t declare two modules of the same type if they don&#039;t
</p>
<p>
For example, if <abbr title="Database Interface">DBI</abbr> is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the “dbiChain” parameter.
For example, if <abbr title="Database Interface">DBI</abbr> is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the &quot;dbiChain&quot; parameter.
</p>
<p>
@ -224,8 +224,8 @@ Remember that schemes in rules are the names declared above.
<td class="col0 leftalign"> <code>[mySSL and myLDAP, myLDAP ]</code> </td><td class="col1"> Use mySSL and myLDAP to authentify, myLDAP to get user </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [2472-2903] --><div class="noteimportant">Note that “or” can&#039;t be used inside a scheme.
If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code>
<!-- EDIT8 TABLE [2472-2903] --><div class="noteimportant">Note that &quot;or&quot; can&#039;t be used inside a scheme.
If you think to &quot;[mySSL or myLDAP, myLDAP]&quot;, you must write <code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code>
</div><div class="table sectionedit9"><table class="inline table table-bordered table-striped">
<thead>
@ -240,9 +240,9 @@ If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, my
<td class="col0"> <code>[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2]</code> </td><td class="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP and myDBI2 </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [3076-3320] --><div class="noteimportant">You can&#039;t use brackets in a boolean expression and “and” has precedence on “or”.
<!-- EDIT9 TABLE [3076-3320] --><div class="noteimportant">You can&#039;t use brackets in a boolean expression and &quot;and&quot; has precedence on &quot;or&quot;.
<p>
If you think to “( [myLDAP] or [myDBI1] ) and [myDBI2]”, you must write <code>[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]</code>
If you think to &quot;( [myLDAP] or [myDBI1] ) and [myDBI2]&quot;, you must write <code>[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]</code>
</p>
</div>
@ -297,7 +297,7 @@ Imagine you want to authenticate users either by SSL or LDAP+U2F, you can&#039;t
<ul>
<li class="level1"><div class="li"> use this combination rule: <code>[SSL,LDAP] or [LDAP]</code></div>
</li>
<li class="level1"><div class="li"> enable U2F with this rule: <code>$_auth eq “LDAP”</code> or <code>$_authenticationLevel &lt; 4</code> <em>(and adapt U2F authentication level)</em></div>
<li class="level1"><div class="li"> enable U2F with this rule: <code>$_auth eq &quot;LDAP&quot;</code> or <code>$_authenticationLevel &lt; 4</code> <em>(and adapt U2F authentication level)</em></div>
</li>
</ul>
@ -307,7 +307,7 @@ Now if you want to authenticate users either by LDAP or LDAP+U2F <em>(to have 2
<ul>
<li class="level1"><div class="li"> configure 2 portals and overwrite U2F activation in the second</div>
</li>
<li class="level1"><div class="li"> Modify login template to propose the choice <em>(add a “submit” button that points to the second portal)</em></div>
<li class="level1"><div class="li"> Modify login template to propose the choice <em>(add a &quot;submit&quot; button that points to the second portal)</em></div>
</li>
</ul>
@ -333,7 +333,7 @@ Combination module returns the form corresponding to the first authentication sc
<div class="level3">
<p>
<a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML</a>, <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID-Connect</a>, <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a> or <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID</a> can&#039;t be chained with a “and” for authentication part. So “[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP] isn&#039;t valid. This is because their authentication kinematic don&#039;t use the same steps.
<a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML</a>, <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID-Connect</a>, <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a> or <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID</a> can&#039;t be chained with a &quot;and&quot; for authentication part. So &quot;[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]&quot; isn&#039;t valid. This is because their authentication kinematic don&#039;t use the same steps.
</p>
<div class="table sectionedit15"><table class="inline table table-bordered table-striped">
<thead>
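Review bot: the rewritten sentence keeps two grammar slips from the old one: "chained with a "and"" should read "chained with an "and"", and "their authentication kinematic don't use the same steps" should be "their authentication kinematics don't use the same steps".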
@ -355,7 +355,7 @@ Combination module returns the form corresponding to the first authentication sc
<div class="level3">
<p>
When using this module, <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401. So it can be used only with a “and” boolean expression.
When using this module, <abbr title="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return &quot;401 Authentication required&quot;, but this is not the Apache behaviour: if the auth module fails, Apache returns 401. So it can be used only with a &quot;and&quot; boolean expression.
</p>
<div class="notetip">The new <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos authentication module</a> solve this for Kerberos: you just have to use it instead of Apache and enable authentication by Ajax in Kerberos parameters.
</div>
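Review bot: the rewritten sentence "portal will be called only if Apache does not return "401 Authentication required", but this is not the Apache behaviour" is hard to follow; suggest "the portal is only reached when Apache does not answer 401, yet Apache answers 401 whenever its auth module fails, so the module can only be used in an "and" expression". In the tip that follows, "module solve this" should be "module solves this".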
@ -373,7 +373,7 @@ To bypass this, follow the documentation of <a href="authapache.html" class="wik
<div class="level3">
<p>
To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only.
To chain SSL, you have to set &quot;SSLRequire optional&quot; in Apache configuration, else users will be authenticated by SSL only.
</p>
</div>
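Review bot: the directive named on the changed line is wrong: Apache has no "SSLRequire optional". The setting that makes client certificates optional is SSLVerifyClient optional (SSLRequire takes a boolean access expression, not "optional"). The authssl page touched later in this commit refers to SSLVerifyClient correctly, so this line should read: To chain SSL, set "SSLVerifyClient optional" in the Apache configuration; with "require", users are authenticated by SSL only.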

View File

@ -78,7 +78,7 @@ In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modu
</p>
<p>
Then, you just have to define class names of your custom modules in “Custom module names”. Custom parameters can be set in “Additional parameters”. Full path must be specify.
Then, you just have to define class names of your custom modules in &quot;Custom module names&quot;. Custom parameters can be set in &quot;Additional parameters&quot;. Full path must be specify.
</p>
<p>
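Review bot: "Full path must be specify" is ungrammatical and ambiguous on the changed line; since the sentence is about class names, suggest "The fully qualified package name must be specified."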

View File

@ -306,9 +306,9 @@ List of columns to query to fill user session. See also <a href="exportedvars.ht
</li>
<li class="level1"><div class="li"> <strong>Supported non-salted schemes</strong>: List of whitespace separated hash schemes. Every hash scheme MUST match a non-salted hash function in the database. LemonLDAP::NG relies on this hashing function for computing user password hashes. These hashes MUST NOT be salted (no random data used in conjunction with the password).</div>
</li>
<li class="level1"><div class="li"> <strong>Supported salted schemes</strong>: List of whitespace separated salted hash schemes, of the form <strong>s</strong>scheme, where scheme MUST match a non-salted hash function in the database. LemonLDAP::NG relies on this hashing function for computing user password hashes. Salted and non-salted scheme lists are not necessarily equivalent. (for example: non-salted=“sha256” and salted=“ssha ssha512” is valid)</div>
<li class="level1"><div class="li"> <strong>Supported salted schemes</strong>: List of whitespace separated salted hash schemes, of the form &quot;<strong>s</strong>scheme&quot;, where scheme MUST match a non-salted hash function in the database. LemonLDAP::NG relies on this hashing function for computing user password hashes. Salted and non-salted scheme lists are not necessarily equivalent. (for example: non-salted=&quot;sha256&quot; and salted=&quot;ssha ssha512&quot; is valid)</div>
</li>
<li class="level1"><div class="li"> <strong>Dynamic hash scheme for new passwords</strong>: LemonLDAP::NG is able to store new passwords in the database (while modifying or reinitializing the password). You can choose a salted or non salted dynamic hashed password. The value must be an element of “Supported non-salted schemes” or “Supported salted schemes”.</div>
<li class="level1"><div class="li"> <strong>Dynamic hash scheme for new passwords</strong>: LemonLDAP::NG is able to store new passwords in the database (while modifying or reinitializing the password). You can choose a salted or non salted dynamic hashed password. The value must be an element of &quot;Supported non-salted schemes&quot; or &quot;Supported salted schemes&quot;.</div>
</li>
</ul>
<div class="noteimportant">The SQL function MUST have hexadecimal values as input AND output
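Review bot: in the "Dynamic hash scheme for new passwords" bullet, "reinitializing the password" should be "resetting the password", and since this is where the storage format of new passwords is chosen, the bullet should steer readers to a salted scheme: picking an entry from "Supported non-salted schemes" stores unsalted hashes, which are directly exposed to precomputed-table attacks if the database leaks. Suggest adding: Prefer a salted scheme here and use a non-salted one only for compatibility with an existing schema.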

View File

@ -101,7 +101,7 @@ Then, go in <code>Facebook parameters</code>:
If you use Facebook as user database, declare values in exported variables:
</p>
<ul>
<li class="level1"><div class="li"> use any key name you want. If you want to refuse access when a data is missing, just add a “!” before the key name</div>
<li class="level1"><div class="li"> use any key name you want. If you want to refuse access when a data is missing, just add a &quot;!&quot; before the key name</div>
</li>
<li class="level1"><div class="li"> in the value field, set the field name. You can show them using <a href="https://developers.facebook.com/tools/explorer" class="urlextern" title="https://developers.facebook.com/tools/explorer" rel="nofollow">Facebook Graph API explorer</a> and have a list of supported fields in the <a href="https://developers.facebook.com/docs/graph-api/reference/user/" class="urlextern" title="https://developers.facebook.com/docs/graph-api/reference/user/" rel="nofollow">Graph API User reference</a>. For example:</div>
<ul>
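Review bot: "refuse access when a data is missing" on the changed line (the same phrase appears in the WebID page touched by this commit) should be "refuse access when an attribute is missing"; data is not countable in English.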

View File

@ -92,18 +92,18 @@
<div class="level2">
<p>
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose Kerberos for authentication. Then go to “Kerberos parameters” and configure the following parameters:
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose Kerberos for authentication. Then go to &quot;Kerberos parameters&quot; and configure the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>keytab file</strong> (required): the Kerberos keytab file</div>
</li>
<li class="level1"><div class="li"> <strong>Use Ajax request</strong>: set to “enabled” if you want to use an Ajax request instead of a direct Kerberos attempt. <strong>This is required if you want to chain Kerberos in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a></strong></div>
<li class="level1"><div class="li"> <strong>Use Ajax request</strong>: set to &quot;enabled&quot; if you want to use an Ajax request instead of a direct Kerberos attempt. <strong>This is required if you want to chain Kerberos in a <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">combination</a></strong></div>
</li>
<li class="level1"><div class="li"> <strong>Kerberos authentication level</strong>: default to 3</div>
</li>
<li class="level1"><div class="li"> <strong>Use Web Server Kerberos module</strong>: set to “enabled” to use the Web Server module (for example Apache mod_auth_kerb) instead of Perl Kerberos code to validate Kerberos ticket</div>
<li class="level1"><div class="li"> <strong>Use Web Server Kerberos module</strong>: set to &quot;enabled&quot; to use the Web Server module (for example Apache mod_auth_kerb) instead of Perl Kerberos code to validate Kerberos ticket</div>
</li>
<li class="level1"><div class="li"> <strong>Remove domain in username</strong>: set to “enabled” to strip username value and remove the &#039;@domain&#039;.</div>
<li class="level1"><div class="li"> <strong>Remove domain in username</strong>: set to &quot;enabled&quot; to strip username value and remove the &#039;@domain&#039;.</div>
</li>
</ul>
<div class="noteimportant"><ul>
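Review bot: the "Remove domain in username" bullet needs a caveat: stripping the "@domain" suffix folds principals from different realms (user@REALM-A and user@REALM-B) into a single LL::NG identifier, so it should only be enabled when a single realm can authenticate to this portal, or when the user database is guaranteed to hold one account per bare name. The wording "strip username value and remove the '@domain'" is also redundant; "strip the '@domain' suffix from the username" is enough.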
@ -129,7 +129,7 @@ The Kerberos configuration is quite complex. You can find some configuration tip
<div class="level3">
<p>
If you want to let Web Server Kerberos module validates the Kerberos ticket, set the according option to “enabled” and configure the portal virtual host to launch the module if “kerberos” GET parameter is in the request.
If you want to let Web Server Kerberos module validates the Kerberos ticket, set the according option to &quot;enabled&quot; and configure the portal virtual host to launch the module if &quot;kerberos&quot; GET parameter is in the request.
</p>
<p>
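Review bot: "let Web Server Kerberos module validates the Kerberos ticket" on the changed line should be "let the web server Kerberos module validate the Kerberos ticket", and "the according option" should be "the corresponding option".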

View File

@ -247,6 +247,8 @@ And the mail filter is:
</li>
<li class="level1"><div class="li"> <strong>Allow a user to reset his expired password</strong>: if activated, the user will be prompted to change password if his password is expired (default: 0)</div>
</li>
<li class="level1"><div class="li"> <strong>IBM Tivoli DS support</strong>: enable this option if you use ITDS. <abbr title="LemonLDAP::NG">LL::NG</abbr> will then scan error message to return a more precise error to the user.</div>
</li>
</ul>
<p>
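Review bot: the new ITDS bullet promises "a more precise error to the user" without saying which conditions are relayed; if an unknown account is distinguished from a wrong password at the login form, the option enables user enumeration. Suggest listing the error conditions that are surfaced (expired password, locked account, and so on) and stating the enumeration trade-off next to the option.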

View File

@ -89,11 +89,11 @@ Then, go in <code>LinkedIn parameters</code>:
</li>
<li class="level1"><div class="li"> <strong>Client secret</strong>: the corresponding secret</div>
</li>
<li class="level1"><div class="li"> <strong>Searched fields</strong>: Fields requested on People endpoint</div>
<li class="level1"><div class="li"> <strong>Searched fields</strong> (deprecated): Fields requested on People endpoint in v1, no more used in v2 <abbr title="Application Programming Interface">API</abbr></div>
</li>
<li class="level1"><div class="li"> <strong>Field containing user identifier</strong>: Field that will be used as main user identifier in <abbr title="LemonLDAP::NG">LL::NG</abbr></div>
<li class="level1"><div class="li"> <strong>Field containing user identifier</strong>: Field that will be used as main user identifier in <abbr title="LemonLDAP::NG">LL::NG</abbr>, usually <code>id</code> (LinkedIn numeric identifer) or <code>emailAddress</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>Scope</strong>: OAuth 2.0 scopes</div>
<li class="level1"><div class="li"> <strong>Scope</strong>: OAuth 2.0 scopes, use <code>r_liteprofile</code> to get first name and last name, and <code>r_emailaddress</code> to get email.</div>
</li>
</ul>
<div class="notetip">Collected fields are stored in session in <code>linkedIn_</code> keys
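Review bot: two wording fixes in the new LinkedIn lines: "no more used in v2 API" should be "no longer used in the v2 API", and "LinkedIn numeric identifer" is missing an i ("identifier").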

View File

@ -98,7 +98,7 @@ Then, go in <code>OpenID parameters</code>:
</li>
<li class="level1"><div class="li"> <strong>Secret token</strong>: used to check integrity of OpenID response.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorized domain</strong>:</div>
<li class="level1"><div class="li"> <strong>Authorizated domain</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>List type</strong>: choose white list to define allowed domains or black list to define forbidden domains</div>
</li>
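Review bot: this hunk replaces the correct spelling "Authorized domain" with "Authorizated domain", which is not a word. If the intent is to mirror the Manager's label, the label is what should be fixed; otherwise revert this line.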

View File

@ -210,7 +210,7 @@ After registration, the OP must give you a client ID and a client secret, that w
<div class="level3">
<p>
In the Manager, select node <code>OpenID Connect Providers</code> and click on <code>Add OpenID Connect Provider</code>. Give a technical name (no spaces, no special characters), like “sample-op”;
In the Manager, select node <code>OpenID Connect Providers</code> and click on <code>Add OpenID Connect Provider</code>. Give a technical name (no spaces, no special characters), like &quot;sample-op&quot;;
</p>
<p>
@ -248,6 +248,8 @@ You can also define:
</li>
<li class="level1"><div class="li"> endsession_endpoint</div>
</li>
<li class="level1"><div class="li"> introspection_endpoint</div>
</li>
</ul>
<p>

View File

@ -120,7 +120,7 @@ You can skip JWKS data, they are not provided by France Connect. The security re
</p>
<p>
Go in <code>Exported attributes</code> to choose which attributes from “identité pivot” you want to collect. See <a href="https://doc.integ01.dev-franceconnect.fr/identite-pivot" class="urlextern" title="https://doc.integ01.dev-franceconnect.fr/identite-pivot" rel="nofollow">https://doc.integ01.dev-franceconnect.fr/identite-pivot</a>
Go in <code>Exported attributes</code> to choose which attributes from &quot;identité pivot&quot; you want to collect. See <a href="https://doc.integ01.dev-franceconnect.fr/identite-pivot" class="urlextern" title="https://doc.integ01.dev-franceconnect.fr/identite-pivot" rel="nofollow">https://doc.integ01.dev-franceconnect.fr/identite-pivot</a>
</p>
<p>

View File

@ -106,13 +106,13 @@ Then, go in <code>Proxy parameters</code>:
<ul>
<li class="level1"><div class="li"> <strong>Internal portal <abbr title="Uniform Resource Locator">URL</abbr></strong>: <abbr title="Uniform Resource Locator">URL</abbr> of internal portal</div>
</li>
<li class="level1"><div class="li"> <strong>Session service <abbr title="Uniform Resource Locator">URL</abbr></strong> (optional): Session service <abbr title="Uniform Resource Locator">URL</abbr> (default: same as previous for SOAP, same with “/session/my” for REST)</div>
<li class="level1"><div class="li"> <strong>Session service <abbr title="Uniform Resource Locator">URL</abbr></strong> (optional): Session service <abbr title="Uniform Resource Locator">URL</abbr> (default: same as previous for SOAP, same with &quot;/session/my&quot; for REST)</div>
</li>
<li class="level1"><div class="li"> <strong>Cookie name</strong> (optional): name of the cookie of internal portal, if different from external portal</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: level given to this authentication</div>
</li>
<li class="level1"><div class="li"> <strong>Use SOAP instead of REST</strong>: use a deprecated SOAP server instead of a REST one (you must set it if internal portal version is &lt; 2.0). In this case, Portal <abbr title="Uniform Resource Locator">URL</abbr> parameter must contains SOAP endpoint (generally <a href="http://auth.example.com/index.pl/sessions" class="urlextern" title="http://auth.example.com/index.pl/sessions" rel="nofollow">http://auth.example.com/index.pl/sessions</a> for 1.9 and earlier, <a href="http://auth.example.com/sessions" class="urlextern" title="http://auth.example.com/sessions" rel="nofollow">http://auth.example.com/sessions</a> for 2.0)</div>
<li class="level1"><div class="li"> <strong>Use SOAP instead of REST</strong>: use a deprecated SOAP server instead of a REST one (you must set it if internal portal version is &lt; 2.0). In this case, &quot;Portal <abbr title="Uniform Resource Locator">URL</abbr>&quot; parameter must contains SOAP endpoint (generally <a href="http://auth.example.com/index.pl/sessions" class="urlextern" title="http://auth.example.com/index.pl/sessions" rel="nofollow">http://auth.example.com/index.pl/sessions</a> for 1.9 and earlier, <a href="http://auth.example.com/sessions" class="urlextern" title="http://auth.example.com/sessions" rel="nofollow">http://auth.example.com/sessions</a> for 2.0)</div>
</li>
</ul>
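Review bot: "parameter must contains SOAP endpoint" on the changed line should be "parameter must contain the SOAP endpoint". Both example endpoints are also plain http:// URLs; since the session service returns session contents to the external portal, the examples (and the "Internal portal URL" bullet) should use https://, or the page should state that this link is assumed to run on a trusted network.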

View File

@ -121,7 +121,15 @@ Then, go in <code>REST parameters</code> and you just have to set REST <abbr tit
<div class="level2">
<p>
REST web services have just to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”).
LemonLDAP::NG will call the endpoints you declared at various steps during the login process.
</p>
<p>
The request performed by LemonLDAP::NG is a POST on the <abbr title="Uniform Resource Locator">URL</abbr> you specified, the content of the POST is a JSON document (<code>Content-Type: application/json</code>).
</p>
<p>
REST web services must respond with a success HTTP code (200), and the response must be a JSON document containing a <code>result</code> key. Auth/UserDB endpoints can add an <code>info</code> array that will be stored in session data (without reading &quot;Exported variables&quot;).
</p>
<div class="table sectionedit7"><table class="inline table table-bordered table-striped">
<thead>
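Review bot: the rewritten paragraph calls info an "array", but the table that follows shows it as a JSON object ({"uid":"dwho",...}); say "info object" to match. It would also help to state what LL::NG does with a non-200 reply or a response without a result key (treated as authentication failure?), since that determines whether a misconfigured endpoint fails open or closed.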
@ -130,19 +138,19 @@ REST web services have just to respond with a “result” key in a JSON file. A
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> Authentication <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{“user”:$user,“password”:$password}</code> </td><td class="col2"> JSON file: <code>{“result”:true/false,“info”:{...}}</code> </td>
<td class="col0 centeralign"> Authentication <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> <code>{&quot;user&quot;:$user,&quot;password&quot;:$password}</code> </td><td class="col2"> <code>{&quot;result&quot;:true/false,&quot;info&quot;:{...}}</code> </td>
</tr>
<tr class="row2 roweven">
<td class="col0 centeralign"> User data <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{“user”:$user}</code> </td><td class="col2"> JSON file: <code>{“result”:true/false,“info”:{“uid”:“dwho”,...}}</code> </td>
<td class="col0 centeralign"> User data <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> <code>{&quot;user&quot;:$user}</code> </td><td class="col2"> <code>{&quot;result&quot;:true/false,&quot;info&quot;:{&quot;uid&quot;:&quot;dwho&quot;,...}}</code> </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> Password confirmation <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{“user”:$user,“password”:$password}</code> </td><td class="col2"> JSON file: <code>{“result”:true/false}</code> </td>
<td class="col0 centeralign"> Password confirmation <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> <code>{&quot;user&quot;:$user,&quot;password&quot;:$password}</code> </td><td class="col2"> <code>{&quot;result&quot;:true/false}</code> </td>
</tr>
<tr class="row4 roweven">
<td class="col0 centeralign"> Password change <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{“user”:$user,“password”:$password}</code> </td><td class="col2"> JSON file: <code>{“result”:true/false}</code> </td>
<td class="col0 centeralign"> Password change <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> <code>{&quot;user&quot;:$user,&quot;password&quot;:$password}</code> </td><td class="col2"> <code>{&quot;result&quot;:true/false}</code> </td>
</tr>
</table></div>
<!-- EDIT7 TABLE [1025-1546] --><div class="notetip">To have just one call, you can only set REST authentication, set datas in “info” key response and set Null as User Database.
<!-- EDIT7 TABLE [1348-1781] --><div class="notetip">To have only one REST call during the login process, you can set REST only as an Authentication backend, configure Null as your User Database, and make sure the REST authentication <abbr title="Uniform Resource Locator">URL</abbr> send all your user attributes in the <code>info</code> response key
</div>
</div>
<!-- EDIT6 SECTION "REST Dialog" [812-] --></div>
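Review bot: the rewritten tip has a subject-verb slip and no final period: "make sure the REST authentication URL send all your user attributes in the info response key" should read "make sure the REST authentication URL sends all your user attributes in the info response key."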

View File

@ -183,7 +183,7 @@ You must register IDP metadata here. You can do it either by uploading the file,
For each attribute, you can set:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Key name</strong>: name of the key in LemonLDAP::NG session (for example “uid” will then be used as $uid in access rules)</div>
<li class="level1"><div class="li"> <strong>Key name</strong>: name of the key in LemonLDAP::NG session (for example &quot;uid&quot; will then be used as $uid in access rules)</div>
</li>
<li class="level1"><div class="li"> <strong>Mandatory</strong>: if set to On, then session will not open if this attribute is not given by IDP.</div>
</li>
@ -214,7 +214,7 @@ For each attribute, you can set:
</ul>
<p>
For example, to preselect this IDP for users coming from 129.168.0.0/16 network and member of “admin” group:
For example, to preselect this IDP for users coming from 129.168.0.0/16 network and member of &quot;admin&quot; group:
</p>
<pre class="code">$ENV{REMOTE_ADDR} =~ /^192\.168/ and $groups =~ /\badmin\b/</pre>
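Review bot: the prose on the changed line says "users coming from 129.168.0.0/16" but the rule below it matches /^192\.168/; one of the two is a typo and 192.168.0.0/16 is the plausible intent. While fixing it, end the prefix with an escaped dot (/^192\.168\./) so the match stops on an octet boundary.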
@ -250,7 +250,7 @@ For example, to preselect this IDP for users coming from 129.168.0.0/16 network
</li>
<li class="level1"><div class="li"> <strong>Store <abbr title="Security Assertion Markup Language">SAML</abbr> Token</strong>: allows one to keep <abbr title="Security Assertion Markup Language">SAML</abbr> token (assertion) inside user session. Don&#039;t enable it unless you need to replay this token on an application.</div>
</li>
<li class="level1"><div class="li"> <strong>Attribute containing user identifier</strong>: set the value of <abbr title="Security Assertion Markup Language">SAML</abbr> attribute (“Name”) that should be used as user main identifier ($user). If empty, the NameID content is used.</div>
<li class="level1"><div class="li"> <strong>Attribute containing user identifier</strong>: set the value of <abbr title="Security Assertion Markup Language">SAML</abbr> attribute (&quot;Name&quot;) that should be used as user main identifier ($user). If empty, the NameID content is used.</div>
</li>
</ul>
@ -314,7 +314,7 @@ Used only if you have more than 1 <abbr title="Security Assertion Markup Languag
<li class="level1"><div class="li"> <strong>Order</strong>: Number to sort IDP display</div>
</li>
</ul>
<div class="notetip">The chosen logo must be in Portal icons directory (<code>portal/static/common/icons/</code>). You can set a custom icon by setting the icon file name directly in the field and copy the logo file in portal icons directory
<div class="notetip">The chosen logo must be in Portal icons directory (<code>portal/static/common/</code>). You can set a custom icon by setting the icon file name directly in the field and copy the logo file in portal icons directory
</div>
</div>
<!-- EDIT8 SECTION "Register partner Identity Provider on LemonLDAP::NG" [1807-] --></div>

View File

@ -43,6 +43,21 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#example">Example</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="slave">Slave</h1>
<div class="level1">
@ -68,7 +83,7 @@
<ul>
<li class="level1"><div class="li"> Authentication: will check user login in a header and create session without prompting any credentials (but will register client <abbr title="Internet Protocol">IP</abbr> and creation date)</div>
</li>
<li class="level1"><div class="li"> Users: collect data transferred in HTTP headers by the “master”.</div>
<li class="level1"><div class="li"> Users: collect data transferred in HTTP headers by the &quot;master&quot;.</div>
</li>
</ul>
@ -77,7 +92,7 @@ It allows one to put <abbr title="LemonLDAP::NG">LL::NG</abbr>::portal behind an
</p>
</div>
<!-- EDIT3 SECTION "Presentation" [86-558] -->
<!-- EDIT3 SECTION "Presentation" [86-559] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
@ -99,6 +114,8 @@ Then, go in <code>Slave parameters</code>:
</li>
<li class="level1"><div class="li"> <strong>Control header content</strong>: value to control. Let this parameter empty to disable the checking.</div>
</li>
<li class="level1"><div class="li"> <strong>Display authentication logo</strong>: display Slave logo.</div>
</li>
</ul>
<p>
@ -117,12 +134,40 @@ You have then to declare HTTP headers exported by the main <abbr title="Single S
<td class="col0 centeralign"> mail </td><td class="col1 centeralign"> User-Email </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [1515-1617] -->
<!-- EDIT5 TABLE [1573-1675] -->
</div>
<!-- EDIT4 SECTION "Configuration" [560-1676] -->
<h3 class="sectionedit6" id="example">Example</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> Request with curl ="AuthChoice_with_Slave_and_Secured_cookie_gt/double_cookies_for_a_single_session":</div>
</li>
</ul>
<p>
<strong>Control header name</strong>: control
</p>
<p>
<strong>Control header content</strong>: password
</p>
<pre class="code">curl -k https://127.0.0.1:19876 -H &#039;CN: dwho&#039; -H &#039;Host: auth.example.com&#039; -H &#039;Accept: application/json&#039; -H &#039;control: password&#039; -d &quot;lmAuth=2_Slave&quot; | json_pp</pre>
<ul>
<li class="level1"><div class="li"> Response for good authentication:</div>
</li>
</ul>
<pre class="code javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;result&quot;</span> <span class="sy0">:</span> <span class="nu0">1</span><span class="sy0">,</span>
<span class="st0">&quot;error&quot;</span> <span class="sy0">:</span> <span class="nu0">0</span><span class="sy0">,</span>
<span class="st0">&quot;id_http&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;5237ce20290d6110915a05d62f52618955b5f71b6dd3424481372ad419a5b122&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;id&quot;</span> <span class="sy0">:</span> <span class="st0">&quot;16fec9bd7a0523328568ca919ee0a6d6e329832f6c302bf36b106db92b5ec23d&quot;</span>
<span class="br0">&#125;</span></pre>
<p>
See also <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables configuration</a>.
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [559-] --></div>
<!-- EDIT6 SECTION "Example" [1677-] --></div>
</body>
</html>
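Review bot: the first bullet of the new Example section, "Request with curl ="AuthChoice_with_Slave_and_Secured_cookie_gt/double_cookies_for_a_single_session":", is a test-case name that leaked into the prose; rewrite it as "Request with curl (taken from the AuthChoice with Slave and secured cookie test):". More importantly, the curl call shows exactly how anyone who can reach the portal and knows the control header value opens a session for an arbitrary "CN", so the section should state that the portal must be reachable only through the master reverse proxy, that the proxy must set (and overwrite any client-supplied) CN and control headers on every request, and that -k together with a control value of "password" are test fixtures, not a recommended deployment.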

View File

@ -108,7 +108,7 @@
<div class="level2">
<p>
By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG <em>(compatible with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>)</em>, you can activate “SSL by Ajax request” in the manager. See <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a> below.
By default, SSL is required before the portal is displayed (handled by webserver). If you want to display a button to connect to LLNG <em>(compatible with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>)</em>, you can activate &quot;SSL by Ajax request&quot; in the manager. See <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a> below.
</p>
</div>
@ -386,7 +386,7 @@ $('.enteteBouton').click( function (e) {
});
<span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/script.html"><span class="kw2">script</span></a>&gt;</span>
<span class="sc2">&lt;<span class="sy0">/</span><a href="http://december.com/html/4/element/body.html"><span class="kw2">body</span></a>&gt;</span></pre>
<div class="notewarning">It is incompatible with authentication combination because of Apache parameter “SSLVerifyClient”, which must have the value “require”. To enable SSL with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>, use <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a>
<div class="notewarning">It is incompatible with authentication combination because of Apache parameter &quot;SSLVerifyClient&quot;, which must have the value &quot;require&quot;. To enable SSL with <a href="authcombination.html" class="wikilink1" title="documentation:2.0:authcombination">Combination</a>, use <a href="#ssl_by_ajax" title="documentation:2.0:authssl ↵" class="wikilink1">SSL by Ajax</a>
</div>
</div>
<!-- EDIT8 SECTION "Auto reloading SSL Certificates" [5086-8349] -->
@ -408,6 +408,19 @@ then declare the second <abbr title="Uniform Resource Locator">URL</abbr> in SSL
</p>
<div class="noteclassic">With <a href="authchoice.html" class="wikilink1" title="documentation:2.0:authchoice">choice</a>, the second <abbr title="Uniform Resource Locator">URL</abbr> should be also declared in module <abbr title="Uniform Resource Locator">URL</abbr> parameter to redirect user to Portal menu.
</div><div class="noteclassic">Ajax authentication request can be sent to an another <abbr title="Uniform Resource Locator">URL</abbr> than Portal <abbr title="Uniform Resource Locator">URL</abbr>.
<p>
To avoid a persistent loop between Portal and a redirection <abbr title="Uniform Resource Locator">URL</abbr> (pdata is not removed because domains mismatch), you have to set pdata cookie domain by editing <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">pdataDomain</span> <span class="sy0">=</span><span class="re2"> example.com</span></pre>
<p>
To avoid a bad/expired token during session upgrading (Reauthentication) if URLs are served by different load balancers, you can force Upgrade tokens be stored into Global Storage by editing <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">forceGlobalStorageUpgradeOTT</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
</div><div class="noteimportant"><strong>Content Security Policy</strong> may prevent to submit Ajax Request.
To avoid security warning,
<p>
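Review bot: "force Upgrade tokens be stored into Global Storage" in the new paragraph should be "force upgrade tokens to be stored in the global storage". The pdataDomain note should also warn that pdataDomain = example.com makes the pdata cookie readable by every host under example.com, so the value should be as narrow as the two portal URLs allow.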
@ -419,15 +432,19 @@ and set :
</p>
<p>
<strong>Default value</strong> =&gt; &#039;self&#039; Ajax request <abbr title="Uniform Resource Locator">URL</abbr>
<strong>Default value</strong> =&gt; &#039;self&#039; &quot;Ajax request <abbr title="Uniform Resource Locator">URL</abbr>&quot;
</p>
<p>
<strong>Form destinations</strong> =&gt; &#039;self&#039; Ajax request <abbr title="Uniform Resource Locator">URL</abbr>
<strong>Form destinations</strong> =&gt; &#039;self&#039; &quot;Ajax request <abbr title="Uniform Resource Locator">URL</abbr>&quot;
</p>
<p>
<strong>Ajax destinations</strong> =&gt; &#039;self&#039; “Ajax request <abbr title="Uniform Resource Locator">URL</abbr>
<strong>Ajax destinations</strong> =&gt; &#039;self&#039; &quot;Ajax request <abbr title="Uniform Resource Locator">URL</abbr>&quot;
</p>
<p>
<strong>Script source</strong> =&gt; &#039;self&#039; &quot;Ajax request <abbr title="Uniform Resource Locator">URL</abbr>&quot;
</p>
</div>
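Review bot: the new "Script source" entry lands without a reason. The surrounding text only describes sending an Ajax request, which "Ajax destinations" (connect-src) already covers; if the Ajax request URL returns a script that the portal loads, say so here, otherwise drop the script-src entry, since each added origin widens the policy and script-src is the directive that matters most against XSS.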

View File

@ -110,7 +110,7 @@ Then, go in <code>WebID parameters</code>:
If you use WebID as user database, declare values in <strong>exported variables</strong> :
</p>
<ul>
<li class="level1"><div class="li"> use any key name you want. If you want to refuse access when a data is missing, just add a “!” before the key name</div>
<li class="level1"><div class="li"> use any key name you want. If you want to refuse access when a data is missing, just add a &quot;!&quot; before the key name</div>
</li>
<li class="level1"><div class="li"> in the value field, set the field name. Take a look at <a href="http://xmlns.com/foaf/spec/#sec-crossref" class="urlextern" title="http://xmlns.com/foaf/spec/#sec-crossref" rel="nofollow">http://xmlns.com/foaf/spec/#sec-crossref</a>. Example :<pre class="code">name =&gt; foaf:name</pre>
</div>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:browseablesessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,browseablesessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="browseablesessionbackend.html"/>
@ -184,9 +184,9 @@ CREATE INDEX h1 ON sessions (_httpSessionType);</pre>
<div class="noteimportant">For Session Explorer and one-off sessions, it is recommended to use BTREE or any index method that indexes partial content.
</div>
<p>
“id” fieds is set to <code>varchar(64)</code> (instead of char(32)) to use the now recommended SHA256 hash algorithm. See <a href="documentation/latest/sessions.html" class="wikilink1" title="documentation:latest:sessions">Sessions</a> for more details.
&quot;id&quot; fieds is set to <code>varchar(64)</code> (instead of char(32)) to use the now recommended SHA256 hash algorithm. See <a href="documentation/latest/sessions.html" class="wikilink1" title="documentation:latest:sessions">Sessions</a> for more details.
</p>
<div class="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don&#039;t need to declare indexes in <code>CREATE TABLE</code> since “json” and “hstore” type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
<div class="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don&#039;t need to declare indexes in <code>CREATE TABLE</code> since &quot;json&quot; and &quot;hstore&quot; type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
</div>
</div>
<!-- EDIT7 SECTION "Prepare database" [2519-4234] -->
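Review bot: the typo "fieds" survives on the edited line; as the line is being rewritten for the quote style, fix it in the same change: "id" field is set to varchar(64) (instead of char(32)). On the PgHstore/PgJSON tip, "since "json" and "hstore" type are browseable" should read "types are browseable".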
@ -223,7 +223,7 @@ Go in the Manager and set the session module (<a href="https://metacpan.org/pod/
</table></div>
<!-- EDIT9 TABLE [4557-4978] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<p>
For databases like PostgreSQL, don&#039;t forget to add “Commit” with a value of 1
For databases like PostgreSQL, don&#039;t forget to add &quot;Commit&quot; with a value of 1
</p>
</div>
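Review bot: the context line in this tip, "Apache::Session::Browseable::MySQL doesn't use locks so performances are keeped", should be reworded while the note is edited: "doesn't use locks, so performance is preserved". The PostgreSQL sentence should also say where "Commit" with a value of 1 goes, i.e. in the session module options table above, so readers do not look for a global parameter.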

View File

@ -116,7 +116,7 @@ add_header Set-Cookie $cookie_value;</pre>
<div class="level3">
<p>
Choose <abbr title="Cross Domain Authentication">CDA</abbr> as type for each virtualHost concerned by <abbr title="Cross Domain Authentication">CDA</abbr> <em>(ie not in main domain)</em>.
Choose &quot;<abbr title="Cross Domain Authentication">CDA</abbr>&quot; as type for each virtualHost concerned by <abbr title="Cross Domain Authentication">CDA</abbr> <em>(ie not in main domain)</em>.
</p>
</div>
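Review bot: "(ie not in main domain)" on the rewritten line should be "(i.e. not in the main domain)"; fix it in the same change rather than leaving a second pass for this sentence.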

View File

@ -57,7 +57,7 @@ This plugin can be used to check if portal instance is ready. This can be a heal
<div class="level2">
<p>
Just enable it in the manager (section “plugins”). You <em class="u">must</em> also set a shared secret.
Just enable it in the manager (section &quot;plugins&quot;). You <em class="u">must</em> also set a shared secret.
</p>
</div>
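Review bot: the edited line says "You must also set a shared secret" but neither the hunk nor its context says where the caller supplies it or what the plugin answers when it is missing or wrong; add one sentence after that statement so operators know how the health probe has to present the secret and that the endpoint is not usable without it.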

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:checkuser</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,checkuser"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="checkuser.html"/>
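Review bot: this header hunk flips the robots meta from "index,follow" to "noindex,nofollow", the opposite direction from the browseablesessionbackend and cli_examples pages in the same commit; if the intent is to let search engines index the 2.0 documentation, this line looks like an unintended regeneration artifact and should go back to "index,follow".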
@ -64,8 +64,12 @@ Just enable it in the manager (section “plugins”).
<ul>
<li class="level2"><div class="li"> <strong>Activation</strong>: Enable / Disable this plugin</div>
</li>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which profiles can be displayed (by example: <code>!$anonymous</code>)</div>
</li>
<li class="level2"><div class="li"> <strong>Hidden attributes</strong>: Attributes not displayed</div>
</li>
<li class="level2"><div class="li"> <strong>Attributes used for searching sessions</strong>: User&#039;s attributes used for searching sessions in Data Base. Let it blank to search by <code>whatToTrace</code></div>
</li>
<li class="level2"><div class="li"> <strong>Display persistent session</strong>: Display persistent session attributes</div>
</li>
<li class="level2"><div class="li"> <strong>Display empty value</strong>: Display ALL attributes even empty ones</div>
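Review bot: the two added items need wording fixes: "by example" should be "for example", "Let it blank" should be "Leave it blank", and "Data Base" should be "database". Since "Identities use rule" is the control that decides whose profile may be displayed, the example "!$anonymous" would read better with a sentence saying that a profile not matching the rule is simply not shown, so administrators understand it is a restriction and not a display preference.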
@ -101,7 +105,7 @@ By example: <code>$groups =~ /\bsu\b/</code>
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [265-1147] -->
<!-- EDIT2 SECTION "Configuration" [265-1407] -->
<h2 class="sectionedit3" id="usage">Usage</h2>
<div class="level2">
@ -110,6 +114,6 @@ When enabled, <code>/checkuser</code> <abbr title="Uniform Resource Locator">URL
</p>
</div>
<!-- EDIT3 SECTION "Usage" [1148-] --></div>
<!-- EDIT3 SECTION "Usage" [1408-] --></div>
</body>
</html>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:cli_examples</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,cli_examples"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="cli_examples.html"/>
@ -496,7 +496,7 @@ In this example we have:
<div class="level2">
<p>
Create the category “applications”:
Create the category &quot;applications&quot;:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
@ -504,7 +504,7 @@ Create the category “applications”:
applicationList/applications catname Applications</pre>
<p>
Create the application “sample” inside category “applications”:
Create the application &quot;sample&quot; inside category &quot;applications&quot;:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \

View File

@ -123,7 +123,7 @@ Most of configuration can be done trough LemonLDAP::NG Manager (by default <a hr
</p>
<p>
By default, Manager is protected to allow only the demonstration user “dwho”.
By default, Manager is protected to allow only the demonstration user &quot;dwho&quot;.
</p>
<div class="noteimportant">This user will not be available anymore if you configure a new authentication backend! Remember to change the access rule in Manager virtual host to allow new administrators.
</div>
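Review bot: the hunk header context "Most of configuration can be done trough LemonLDAP::NG Manager" carries a typo ("through"). The noteimportant below the edited line is the operationally important part: once a new authentication backend is configured, "dwho" no longer exists and the Manager access rule must name the new administrators; say explicitly that the rule should be updated before switching backends, otherwise the administrator is locked out of the Manager.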
@ -733,7 +733,8 @@ After configuration is saved by Manager, LemonLDAP::NG will try to reload config
<p>
You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
</p>
<div class="noteimportant">Configuration file is compacted to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused parameters to be purged, you can enable &quot;Don &#039;t compact configuration file&quot; option.
</div>
<p>
These parameters can be overwritten in LemonLDAP::NG ini file, in the section <code>apply</code>.
</p>
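Review bot: the added note names the option as "Don 't compact configuration file" with a stray space before the apostrophe; the Manager label should be quoted exactly, so write "Don't compact configuration file". "To avoid unused parameters to be purged" reads better as "To prevent unused parameters from being purged", and the context line above, "it is be default set to 5 seconds", should be "by default" while this block is edited.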
@ -743,7 +744,7 @@ These parameters can be overwritten in LemonLDAP::NG ini file, in the section <c
The <code>reload</code> target is managed in Apache or Nginx configuration, inside a virtual host protected by LemonLDAP::NG Handler (see below examples in Apache-&gt;handler or Nginx-&gt;Handler).
</p>
<div class="noteimportant">You must allow access to declared URLs to your Manager <abbr title="Internet Protocol">IP</abbr>.
</div><div class="noteimportant">If reload <abbr title="Uniform Resource Locator">URL</abbr> is served in HTTPS, to avoid “Error 500 (certificate verify failed)”, Go to :
</div><div class="noteimportant">If reload <abbr title="Uniform Resource Locator">URL</abbr> is served in HTTPS, to avoid &quot;Error 500 (certificate verify failed)&quot;, Go to :
<p>
<code>General Parameters &gt; Advanced Parameters &gt; Security &gt; SSL options for server requests</code>
</p>
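Review bot: the HTTPS reload note stops at "Go to : General Parameters > Advanced Parameters > Security > SSL options for server requests" without saying which setting resolves "certificate verify failed"; spell out that the fix is to make the server-side SSL options trust the CA that issued the reload vhost certificate, so readers are not nudged toward disabling certificate verification for the handler-to-manager reload requests. "Go to :" also carries a French space before the colon.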
@ -779,7 +780,7 @@ You also need to adjust the protection of the reload vhost, for example:
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT14 SECTION "Configuration reload" [18212-20768] -->
<!-- EDIT14 SECTION "Configuration reload" [18212-21062] -->
<h2 class="sectionedit15" id="local_file">Local file</h2>
<div class="level2">
@ -813,6 +814,6 @@ For example, to override configured skin for portal:
<div class="notetip">You need to know the technical name of configuration parameter to do this. You can refer to <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">parameter list</a> to find it.
</div>
</div>
<!-- EDIT15 SECTION "Local file" [20769-] --></div>
<!-- EDIT15 SECTION "Local file" [21063-] --></div>
</body>
</html>

View File

@ -118,25 +118,35 @@ You have to include them in Nginx main configuration.
<!-- EDIT5 SECTION "Files" [640-862] -->
<h3 class="sectionedit6" id="debianubuntu1">Debian/Ubuntu</h3>
<div class="level3">
<p>
Link files into <code>sites-available</code> directory (should already have been done if you used packages):
</p>
<ul>
<li class="level1"><div class="li"> Install log format <em>(automatically loaded when linked in this place)</em></div>
</li>
</ul>
<pre class="code">ln -s /etc/lemonldap-ng/nginx-lmlog.conf /etc/nginx/conf.d/llng-lmlog.conf</pre>
<ul>
<li class="level1"><div class="li"> Install snippet for vhost configuration files:</div>
</li>
</ul>
<pre class="code">ln -s /etc/lemonldap-ng/nginx-lua-headers.conf /etc/nginx/snippets/llng-lua-headers.conf</pre>
<ul>
<li class="level1"><div class="li"> Link LLNG components configuration file into <code>sites-available</code> directory (should already have been done if you used packages):</div>
</li>
</ul>
<pre class="code">ln -s /etc/lemonldap-ng/handler-nginx.conf /etc/nginx/sites-available/
ln -s /etc/lemonldap-ng/manager-nginx.conf /etc/nginx/sites-available/
ln -s /etc/lemonldap-ng/portal-nginx.conf /etc/nginx/sites-available/
ln -s /etc/lemonldap-ng/test-nginx.conf /etc/nginx/sites-available/</pre>
<p>
Enable sites:
</p>
<ul>
<li class="level1"><div class="li"> Enable sites:</div>
</li>
</ul>
<pre class="code">ln -s /etc/nginx/sites-available/handler-nginx.conf /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/manager-nginx.conf /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/portal-nginx.conf /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/test-nginx.conf /etc/nginx/sites-enabled/</pre>
</div>
<!-- EDIT6 SECTION "Debian/Ubuntu" [863-1621] -->
<!-- EDIT6 SECTION "Debian/Ubuntu" [863-1978] -->
<h3 class="sectionedit7" id="red_hatcentos1">Red Hat/CentOS</h3>
<div class="level3">
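Review bot: the restructured Debian/Ubuntu steps now link all four vhost files, including test-nginx.conf, into sites-enabled without qualification; mark the test site as optional (it is the demo vhost) so production installs do not enable it by default. The commands also need root, which the section does not say; a short "as root" lead-in, as the Contribute page does, would avoid confusion.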
@ -149,6 +159,6 @@ ln -s /etc/lemonldap-ng/portal-nginx.conf /etc/nginx/conf.d/
ln -s /etc/lemonldap-ng/test-nginx.conf /etc/nginx/conf.d/</pre>
</div>
<!-- EDIT7 SECTION "Red Hat/CentOS" [1622-] --></div>
<!-- EDIT7 SECTION "Red Hat/CentOS" [1979-] --></div>
</body>
</html>

View File

@ -433,7 +433,7 @@ Some options are available:
</li>
<li class="level1"><div class="li"> Aliases: list of aliases for this virtual host <em>(avoid to rewrite rules,...)</em></div>
</li>
<li class="level1"><div class="li"> Type: handler type <em>(normal, <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>,...)</em></div>
<li class="level1"><div class="li"> Type: handler type <em>(normal, <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">ServiceToken Handler</a>, <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>,...)</em></div>
</li>
<li class="level1"><div class="li"> Authentication level required: this options avoid to reject user with a rule based on <code>$_authenticationLevel</code>. When user hasn&#039;t the required level, he is redirected to an upgrade page in the portal</div>
</li>
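Review bot: the context line below the edited "Type" item still reads "this options avoid to reject user with a rule based on $_authenticationLevel. When user hasn't the required level, he is redirected"; while this list is being touched, change it to "this option avoids rejecting users with a rule based on $_authenticationLevel: when the user does not have the required level, they are redirected to an upgrade page in the portal".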
@ -444,7 +444,7 @@ Some options are available:
</div>
<p>
“Port” and “HTTPS” options are used to build redirection <abbr title="Uniform Resource Locator">URL</abbr> <em>(when user is not logged, or for <abbr title="Cross Domain Authentication">CDA</abbr> requests)</em>. By default, default values are used. These options are only here to override default values.
&quot;Port&quot; and &quot;HTTPS&quot; options are used to build redirection <abbr title="Uniform Resource Locator">URL</abbr> <em>(when user is not logged, or for <abbr title="Cross Domain Authentication">CDA</abbr> requests)</em>. By default, default values are used. These options are only here to override default values.
</p>
</div>
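Review bot: "By default, default values are used." on the rewritten line is circular; either say where the defaults come from or drop the sentence and keep only "These options are only here to override default values."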

View File

@ -0,0 +1,88 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:contextswitching</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,contextswitching"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="contextswitching.html"/>
<link rel="contents" href="contextswitching.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:contextswitching","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="contextswitching_plugin">ContextSwitching plugin</h1>
<div class="level1">
<p>
This plugin allows certain users to switch context other user. This may be useful when providing assistance or when testing privileges. Enter the uid of the user you&#039;d like to switch context to.
</p>
</div>
<!-- EDIT1 SECTION "ContextSwitching plugin" [1-235] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
Just enable it in the Manager (section “plugins”) by setting a rule. ContextSwitching can be allowed or denied for specific users. Furthermore, specific identities like administrators or anonymous users can be forbidden to assume.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Parameters</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>Use rule</strong>: Select which users may use this plugin</div>
</li>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.</div>
</li>
<li class="level2"><div class="li"> <strong>Stop by logout</strong>: Stop context switching by sending a logout request.</div>
</li>
</ul>
</li>
</ul>
<div class="notewarning">During context switching authentication process, all plugins are disabled. In other words, all entry points like afterData, endAuth and so on are skipped. Therefore, second factors or notifications by example will not be prompted!
</div><div class="noteimportant">ContextSwitching plugin works only with a userDB backend. You can not switch context with federated authentication.
</div>
<p>
impersonationPrefix is used to store real user&#039;s session Id. You can set this prefix (&#039;real_&#039; by default) by editing <code>lemonldap-ng.ini</code> in [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">impersonationPrefix</span> <span class="sy0">=</span><span class="re2"> real_</span></pre>
</div>
<!-- EDIT2 SECTION "Configuration" [236-] --></div>
</body>
</html>
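Review bot: the new page is inconsistent with the rest of this commit, which replaces typographic quotes with &quot;: the line "Just enable it in the Manager (section “plugins”)" still uses curly quotes. Wording: "switch context other user" should be "switch to another user's context", and "by example" should be "for example". The notewarning that all entry points (afterData, endAuth and so on) are skipped during context switching is the key security statement on the page; it belongs next to the "Identities use rule" item, since that rule is the only remaining control preventing an operator from assuming an administrator or protected identity, and the "Stop by logout" item should say whether the logout ends only the assumed session or the real user's session as well. The template comment also closes a bootstrap <link> with "</script>"; harmless inside the comment, but worth cleaning while the file is new.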

View File

@ -75,8 +75,28 @@
<h1 class="sectionedit1" id="contribute_to_project">Contribute to Project</h1>
<div class="level1">
<p>
LemonLDAP::NG is mostly written in Perl and Javascript. Community applies the following rules:
</p>
<ul>
<li class="level1"><div class="li"> Perl:</div>
<ul>
<li class="level2"><div class="li"> code must be written in modern object-oriented code (using <a href="https://metacpan.org/pod/Mouse" class="urlextern" title="https://metacpan.org/pod/Mouse" rel="nofollow">Mouse</a>) <em>(except handler and Apache::Session inheritance)</em></div>
</li>
<li class="level2"><div class="li"> code must be formatted using <a href="https://metacpan.org/pod/distribution/Perl-Tidy/bin/perltidy" class="urlextern" title="https://metacpan.org/pod/distribution/Perl-Tidy/bin/perltidy" rel="nofollow">perltidy</a> version 20181120 <em>(from Debian/buster)</em></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Javascript:</div>
<ul>
<li class="level2"><div class="li"> code must be written in <a href="http://coffeescript.org/" class="urlextern" title="http://coffeescript.org/" rel="nofollow">CoffeeScript</a> <em>(in <code>&lt;component&gt;/site/coffee</code>)</em>: <code>make minify</code> will generate JS files</div>
</li>
</ul>
</li>
</ul>
</div>
<!-- EDIT1 SECTION "Contribute to Project" [59-95] -->
<!-- EDIT1 SECTION "Contribute to Project" [59-677] -->
<h2 class="sectionedit2" id="configure_ssh">Configure SSH</h2>
<div class="level2">
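Review bot: the perltidy pin "version 20181120 (from Debian/buster)" in the Perl rule matches the "cpanm perltidy@20181120" install line later in this file, which is good; the JavaScript rule, however, says "make minify will generate JS files" without saying whether generated files are committed or left out of merge requests. State which, so contributors do not submit stale minified JS alongside CoffeeScript changes.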
@ -92,7 +112,7 @@ Go to your gitlab account :
<pre class="code">cat ~/.ssh/id_rsa.pub</pre>
<p>
copy id_rsa.pub content to key section and enter a name into “Title” tans “Add key” button
copy id_rsa.pub content to key section and enter a name into &quot;Title&quot; tans &quot;Add key&quot; button
Test ssh connexion :
</p>
<pre class="code">ssh -T git@gitlab.com</pre>
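Review bot: "tans" on the edited line is a typo for "then" and "connexion" is French; write: copy id_rsa.pub content to the key section, enter a name into "Title", then click "Add key". Test the ssh connection: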
@ -102,7 +122,7 @@ accept messages
</p>
</div>
<!-- EDIT2 SECTION "Configure SSH" [96-447] -->
<!-- EDIT2 SECTION "Configure SSH" [678-1029] -->
<h2 class="sectionedit3" id="install_basic_tools">Install basic tools</h2>
<div class="level2">
@ -115,7 +135,7 @@ accept messages
<em>root :</em>
</p>
<pre class="code">apt install aptitude
aptitude install vim make devscripts yui-compressor git git-gui libjs-uglify coffeescript cpanminus
aptitude install vim make devscripts yui-compressor git git-gui libjs-uglify coffeescript cpanminus autopkgtest pkg-perl-autopkgtest
aptitude install libauth-yubikey-webclient-perl libnet-smtp-server-perl
cpanm Authen::U2F Authen::U2F::Tester Crypt::U2F::Server::Simple
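Review bot: cpanminus is already on this aptitude line and is added again to the Install dependencies line further down in the same commit; keep it in one place. autopkgtest and pkg-perl-autopkgtest are needed by the new "make autopkgtest" target in the Working Project section, and a trailing comment saying so would explain why they appear among the basic tools.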
@ -142,7 +162,7 @@ git config --global color.ui true
git config --list</pre>
</div>
<!-- EDIT3 SECTION "Install basic tools" [448-1239] -->
<!-- EDIT3 SECTION "Install basic tools" [1030-1854] -->
<h3 class="sectionedit4" id="import_project_and_using_git">Import Project and using Git</h3>
<div class="level3">
@ -186,13 +206,13 @@ On gitlab, submit merge request when tests are corrects.
</p>
</div>
<!-- EDIT4 SECTION "Import Project and using Git" [1240-2290] -->
<!-- EDIT4 SECTION "Import Project and using Git" [1855-2905] -->
<h2 class="sectionedit5" id="install_dependencies">Install dependencies</h2>
<div class="level2">
<pre class="code">aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl
<pre class="code">aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
aptitude install apache2 libapache2-mod-fcgid libapache2-mod-perl2 # install Apache
aptitude install nginx nginx-extras # install Nginx
aptitude install perltidy</pre>
cpanm perltidy@20181120</pre>
<p>
<abbr title="Security Assertion Markup Language">SAML</abbr> :
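Review bot: replacing "aptitude install perltidy" with "cpanm perltidy@20181120" installs perltidy outside the package manager; that is consistent with the pinned version in the contribution rules above, but the line deserves a comment saying the pin exists so that "make tidy" produces the same formatting as the project's CI, and that the cpanm-installed binary must be first in PATH if a distribution perltidy is also present.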
@ -200,16 +220,23 @@ aptitude install perltidy</pre>
<pre class="code">aptitude install liblasso-perl libglib-perl </pre>
</div>
<!-- EDIT5 SECTION "Install dependencies" [2291-3191] -->
<!-- EDIT5 SECTION "Install dependencies" [2906-3814] -->
<h2 class="sectionedit6" id="working_project">Working Project</h2>
<div class="level2">
<pre class="code">make test # or manager_test, portal_test, ... to launch unit tests
# Doing one unit test :
## Go to parent test directory
<pre class="code">## Launch unit tests:
make test # or manager_test, portal_test, ... to launch unit tests
## Same tests launched on a simulated install
make autopkgtest # or autopkg_portal, autopkg_manager, ... to launch unit tests
## Execute an unit test :
# Building project
cd ~/lemonldap-ng/; make
# Go to parent test directory
cd ~/lemonldap-ng/lemonldap-ng-portal
## and execute the test :
# and execute the unit test:
prove -v t/67-CheckUser.t
# Using local platform :
## Using local platform :
make start_web_server # TESTUSESSL=1 to enable SSL engine (only available for Apache)
make start_web_server TESTWEBSERVER=nginx # to use Nginx web server
make stop_web_server
@ -218,10 +245,9 @@ make clean # to clean test files
make minify # to minify and compile coffeescript
make json # to build conf and manager tree
make manifest # to update manifest
make tidy # to magnify perl files (perl best pratices)
cd lemonldap-ng-portal &amp;&amp; prove t/XXXX # To launch specific unit test</pre>
make tidy # to magnify perl files (perl best pratices)</pre>
</div>
<!-- EDIT6 SECTION "Working Project" [3192-] --></div>
<!-- EDIT6 SECTION "Working Project" [3815-] --></div>
</body>
</html>
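Review bot: the comment on the new "make autopkgtest" line repeats "to launch unit tests" although the line above it already says these are the same tests on a simulated install; reword to "to run them on a simulated install". "make tidy # to magnify perl files (perl best pratices)" has a typo ("practices") and "magnify" should be "format". The "##" and "#" comment levels are now mixed ("## Execute an unit test :", then "# Building project", "# Go to parent test directory", then "## Using local platform :"); pick one convention, and "an unit test" should be "a unit test".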

View File

@ -94,7 +94,7 @@ Wrapper usually look at this:
<div class="level3">
<p>
Your wrappers must be named “Lemonldap::NG::Handler::&lt;platform&gt;::&lt;type&gt; where &lt;platform&gt; is the target (ApacheMP2 or Server) and &lt;type&gt; is the name you&#039;ve chosen.
Your wrappers must be named &quot;Lemonldap::NG::Handler::&lt;platform&gt;::&lt;type&gt;&quot; where &lt;platform&gt; is the target (ApacheMP2 or Server) and &lt;type&gt; is the name you&#039;ve chosen.
</p>
<p>
@ -105,7 +105,7 @@ You can enable it either:
</li>
<li class="level1"><div class="li"> by setting a <code>fastcgi_param VHOSTTYPE &lt;type&gt;</code> in the Nginx configuration file</div>
</li>
<li class="level1"><div class="li"> by adding it to the menu: add its name in <code>vhostType</code> “select” declaration (file <code>lemonldap-ng-manager/lib/Lemonldap/NG/Build/Attributes</code>) and rebuild LLNG</div>
<li class="level1"><div class="li"> by adding it to the menu: add its name in <code>vhostType</code> &quot;select&quot; declaration (file <code>lemonldap-ng-manager/lib/Lemonldap/NG/Build/Attributes</code>) and rebuild LLNG</div>
</li>
</ul>
@ -138,7 +138,7 @@ If you want to add another, you must write:
</li>
<li class="level1"><div class="li"> write the main platform file (<code>Lemonldap::NG::Handler::MyPlatform::Main</code>) that provides required method <em>(see <code>lemonldap-ng-handler/lib/Lemonldap/NG/Handler/*/Main</code> for examples)</em> and inherits from <code>Lemonldap::NG::Handler::Main</code></div>
</li>
<li class="level1"><div class="li"> write the “type” wrapper files (AuthBasic,...).</div>
<li class="level1"><div class="li"> write the &quot;type&quot; wrapper files (AuthBasic,...).</div>
</li>
</ul>
@ -161,7 +161,7 @@ Wrapper usually look at this:
Three actions are needed:
</p>
<ul>
<li class="level1"><div class="li"> declare your own module in the manager General Parameters &gt;&gt; Advanced Parameters &gt;&gt; Custom handlers (Nginx). Key is the name that will be used below and value is the name of the custom package,</div>
<li class="level1"><div class="li"> declare your own module in the manager &quot;General Parameters &gt;&gt; Advanced Parameters &gt;&gt; Custom handlers (Nginx)&quot;. Key is the name that will be used below and value is the name of the custom package,</div>
</li>
<li class="level1"><div class="li"> in your Nginx configuration file, add <code>LLTYPE=&lt;name&gt;;</code> in the <code>location = /lmauth {...}</code> paragraph</div>
</li>

View File

@ -64,7 +64,7 @@ This handler is designed to read vhost configuration from the website itself not
</dd></dl>
<p>
If this file is not found, the default rule “accept” is applied and just “Auth-User” header is sent (Auth-User =&gt; $uid).
If this file is not found, the default rule &quot;accept&quot; is applied and just &quot;Auth-User&quot; header is sent (Auth-User =&gt; $uid).
</p>
<p>
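Review bot: the edited line states that when the rules file is not found "the default rule "accept" is applied and just "Auth-User" header is sent"; that is a permissive fallback, every authenticated user is accepted on the vhost, and the page should say so in a noteimportant so that site owners deploy the rules file before placing a vhost behind the DevOps handler rather than discovering the default by accident. "just "Auth-User" header" also reads better as "only the Auth-User header".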

Binary file not shown.

After

Width:  |  Height:  |  Size: 88 KiB

View File

@ -0,0 +1 @@
devops.0fea6a13c52b4d4725368f24b045ca84.png

View File

@ -0,0 +1 @@
devops.0fea6a13c52b4d4725368f24b045ca84.png

View File

@ -0,0 +1,103 @@
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr" class="no-js">
<head>
<meta charset="UTF-8" />
<title>documentation:devops.png [LemonLDAP::NG]</title>
<script>(function(H){H.className=H.className.replace(/\bno-js\b/,'js')})(document.documentElement)</script>
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="shortcut icon" href="../lib/tpl/bootstrap3/images/favicon.ico" />
<link rel="apple-touch-icon" href="../lib/tpl/bootstrap3/images/apple-touch-icon.png" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->/>
<script type="text/javascript">/*<![CDATA[*/
var TPL_CONFIG = {"tableFullWidth":1};
/*!]]>*/</script>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="../ssoaas.html"/>
<link rel="contents" href="../ssoaas.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='';var JSINFO = null;
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
<script type="text/javascript" src="/javascript/bootstrap/js/bootstrap.min.js"></script>
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<![endif]-->
</head>
<body class="container">
<!--[if lte IE 7 ]><div id="IE7"><![endif]--><!--[if IE 8 ]><div id="IE8"><![endif]-->
<div id="dokuwiki__detail" class="dokuwiki mode_ tpl_bootstrap3 ">
<h1 class="page-header">
<i class="glyphicon glyphicon-picture"></i> documentation:devops.png </h1>
<div class="content">
<a href="devops.0fea6a13c52b4d4725368f24b045ca84.png" title="View original file"><img width="737" height="625" class="img_detail" alt="devops.png" title="devops.png" src="devops.8248cd9eb49eb331fd5178118cf810c6.png"/></a>
<div class="img_detail">
<div class="panel panel-default">
<div class="panel-heading">
<h2 class="panel-title"><i class="glyphicon glyphicon-info-sign text-info"></i> devops.png</h2>
</div>
<div class="panel-body">
<dl><dt>Date:</dt><dd>2019/08/07 12:24</dd><dt>Filename:</dt><dd>devops.png</dd><dt>Format:</dt><dd>PNG</dd><dt>Size:</dt><dd>87KB</dd><dt>Width:</dt><dd>737</dd><dt>Height:</dt><dd>625</dd></dl> </div>
</div>
</div>
</div><!-- /.content -->
<p class="back">
<hr/>
<div class="btn-group">
<a href="../ssoaas.html" class="action img_backto" accesskey="b" rel="nofollow" title="Back to documentation:2.0:ssoaas [B]">Back to documentation:2.0:ssoaas</a> </div>
</p>
</div>
<!--[if ( lte IE 7 | IE 8 ) ]></div><![endif]-->
</body>
</html>
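Review bot: this new file is a DokuWiki media detail page (image viewer, "Back to" button, IE conditional comments, tableFullWidth script) rather than documentation; if it must ship, at least fix the invalid markup: the line "<!-- //endif -->/>" has a stray "/>", the bootstrap <link> inside the template comment is closed with "</script>", and the back block places <hr/> and a <div> inside <p class="back">, which is not valid HTML. Otherwise drop the page and keep only devops.0fea6a13c52b4d4725368f24b045ca84.png, which the referring page (ssoaas, per the back link) can reference directly.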

Binary file not shown.

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 25 KiB

View File

@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/dos"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/dos"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:dos","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
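Review bot: the `sectok` value baked into the Login link (`?do=login&amp;sectok=594f5b54...`) is DokuWiki's per-session CSRF token captured at export time; it is meaningless to readers of a static export and guarantees that every regeneration of the docs churns this line (compare the `bed3833398...` value it replaces). Consider exporting without the navbar/login widget, or post-processing the HTML to drop the `sectok` parameter, so that these diffs only show content changes.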
@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1561840344" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1569271210" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -106,7 +106,7 @@
<p>
→ The cache has been created by another user than Apache&#039;s user. Restart Apache to purge it.
</p>
<div class="noteimportant">This can append when you use lmConfigEditor or launch <strong>cron files</strong> with a different user than Apache process. That is why it is important to set APACHEUSER variable when you launch “make install”
<div class="noteimportant">This can append when you use lmConfigEditor or launch <strong>cron files</strong> with a different user than Apache process. That is why it is important to set APACHEUSER variable when you launch &quot;make install&quot;
</div><pre class="file">Lemonldap::NG::Handler::SharedConf: No cookie found</pre>
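Review bot: both the removed and the added line keep the typo "This can append" in the noteimportant; it should read "This can happen", and since the line is being rewritten for the quote change anyway, fix it here. "with a different user than Apache process" also reads better as "with a different user than the Apache process".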

View File

@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/exploit"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/exploit"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:exploit","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1561840344" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1569271210" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -106,7 +106,7 @@ Macros and groups are calculated during authentication process by the portal:
</li>
<li class="level1"><div class="li"> macros can also be used to import environment variables <em>(these variables are in CGI format)</em>. Example: <code>$ENV{HTTP_COOKIE}</code></div>
</li>
<li class="level1"><div class="li"> groups are stored as space-separated strings in the special attribute “groups”: it contains the names of groups whose rules were returned true for the current user</div>
<li class="level1"><div class="li"> groups are stored as space-separated strings in the special attribute &quot;groups&quot;: it contains the names of groups whose rules were returned true for the current user</div>
</li>
<li class="level1"><div class="li"> You can also get groups in <code>$hGroups</code> which is a Hash Reference of this form:</div>
</li>
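Review bot: the rewritten "groups" bullet still says "whose rules were returned true for the current user"; drop "were" ("whose rules returned true for the current user") while this line is being touched.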
@ -152,7 +152,7 @@ admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="
<span class="co1"># Or with hGroups</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/defined.html"><span class="kw3">defined</span></a> <span class="re0">$hGroups</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span><span class="st_h">'admin'</span><span class="br0">&#125;</span></pre>
<div class="noteclassic">Groups are computed after macros, so a group rule may involve a macro value.
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro “macro1” will be computed before macro “macro2”: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro &quot;macro1&quot; will be computed before macro &quot;macro2&quot;: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div>
</div>
<!-- EDIT6 PLUGIN_INCLUDE_END "documentation:2.0:performances" [0-] --></div>
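Review bot: the rewritten noteimportant keeps "As same for groups", which is not English; suggest "The same holds for groups: a group rule may involve another, previously computed group." and "the expression of macro2 may use the value of macro1" for the sentence before it.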

View File

@ -83,7 +83,7 @@ Commands receive arguments on command line and must return a 0 code if succeed,
<div class="level3">
<p>
All parameters are configured in “General Parameters » Portal Parameters » Extensions » External 2nd Factor”.
All parameters are configured in &quot;General Parameters » Portal Parameters » Extensions » External 2nd Factor&quot;.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong></div>
@ -94,12 +94,14 @@ All parameters are configured in “General Parameters » Portal Parameters » E
</li>
<li class="level1"><div class="li"> <strong>Validation command</strong>: Required ONLY if you delegate code Generation / Verification to an external provider. You must also use <em>$code</em> which is the value entered by user; Example: <code>/usr/local/bin/verify --uid $uid --code $code</code></div>
</li>
<li class="level1"><div class="li"> <strong>Authentication Level</strong>: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
<li class="level1"><div class="li"> <strong>Authentication level</strong> (Optional): if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
<li class="level1"><div class="li"> <strong>Logo</strong> (Optional): logo file <em>(in static/&lt;skin&gt; directory)</em></div>
</li>
<li class="level1"><div class="li"> <strong>Label</strong> (Optional): label that should be displayed to the user on the choice screen</div>
</li>
</ul>
<div class="noteimportant">The command line is split in an array and launched with exec(). So you don&#039;t need to enclose arguments in “” and this feature protects your system against shell injection. However, you can not use any space except to separate arguments.
<div class="noteimportant">The command line is split in an array and launched with exec(). So you don&#039;t need to enclose arguments in &quot;&quot; and this feature protects your system against shell injection. However, you can not use any space except to separate arguments.
</div>
</div>
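Review bot: the rewritten noteimportant is right that splitting the command line into an array and calling exec() prevents shell injection, but it should also say that `$uid` and `$code` are still user-controlled values handed verbatim to the external command as argv elements, so the validation command must check their format itself rather than trusting them. Smaller points in the same hunk: "enclose arguments in &quot;&quot;" renders as an empty pair of quotes, so write "enclose arguments in quotes"; "you can not use any space" should be "you cannot use any space".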

View File

@ -57,7 +57,7 @@ File session backend is the more simple session database. Sessions are stored as
<div class="level2">
<p>
In the manager: set <a href="http://search.cpan.org/perldoc?Apache::Session::File" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session::File" rel="nofollow">Apache::Session::File</a>” in “General parameters » Sessions » Session storage » Apache::Session module” and add the following parameters (case sensitive):
In the manager: set &quot;<a href="http://search.cpan.org/perldoc?Apache::Session::File" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session::File" rel="nofollow">Apache::Session::File</a>&quot; in &quot;General parameters » Sessions » Session storage » Apache::Session module&quot; and add the following parameters (case sensitive):
</p>
<div class="table sectionedit3"><table class="inline table table-bordered table-striped">
<thead>

View File

@ -94,7 +94,7 @@ You should grab some information:
</ul>
<p>
If you don&#039;t know jQuery selector, just be aware that they are similar to css selectors: for example, button#foo points to the html button whose id is “foo”, and .bar points to all html elements of css class “bar”.
If you don&#039;t know jQuery selector, just be aware that they are similar to css selectors: for example, button#foo points to the html button whose id is &quot;foo&quot;, and .bar points to all html elements of css class &quot;bar&quot;.
</p>
<p>
@ -109,7 +109,7 @@ For example:
</li>
<li class="level1"><div class="li"> jQuery form selector: #loginForm (if you let this parameter empty, browser will fill and submit any html form)</div>
</li>
<li class="level1"><div class="li"> jQuery button selector: button.validate (if you let this parameter empty, the form will be submitted but no button will be clicked; if you set it to “none”, no button will be clicked and the form will be filled but not submitted)</div>
<li class="level1"><div class="li"> jQuery button selector: button.validate (if you let this parameter empty, the form will be submitted but no button will be clicked; if you set it to &quot;none&quot;, no button will be clicked and the form will be filled but not submitted)</div>
</li>
<li class="level1"><div class="li"> Fields:</div>
<ul>
@ -124,7 +124,7 @@ For example:
</ul>
<p>
Go in Manager, “Virtual Hosts” » <em>virtualhost</em> » “Form replay” and click on “New form replay”.
Go in Manager, &quot;Virtual Hosts&quot; » <em>virtualhost</em> » &quot;Form replay&quot; and click on &quot;New form replay&quot;.
</p>
<p>

View File

@ -53,7 +53,7 @@ Handlers are build on rows of modules:
<ul>
<li class="level1"><div class="li"> Applications or launchers that get the request and choose the right type <em>(Main, AuthBasic, ZimbraPreAuth,...)</em> and launch it <em>(may not inherits from other Handler::* modules)</em></div>
</li>
<li class="level1"><div class="li"> Wrappers that call “type” library and platform “Main” <em>(may all inherits from Platform::Main)</em></div>
<li class="level1"><div class="li"> Wrappers that call &quot;type&quot; library and platform &quot;Main&quot; <em>(may all inherits from Platform::Main)</em></div>
</li>
<li class="level1"><div class="li"> library types if needed <em>(may inherits from Main)</em></div>
</li>
@ -93,11 +93,19 @@ Types are:
</li>
<li class="level1"><div class="li"> <a href="handlerauthbasic.html" class="wikilink1" title="documentation:2.0:handlerauthbasic">AuthBasic</a></div>
</li>
<li class="level1"><div class="li"> <a href="documentation/latest/applications/zimbra.html" class="wikilink1" title="documentation:latest:applications:zimbra">ZimbraPreAuth</a> <em>(not available for PSGI)</em></div>
<li class="level1"><div class="li"> <a href="cda.html" class="wikilink1" title="documentation:2.0:cda">CDA</a></div>
</li>
<li class="level1"><div class="li"> <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps</a></div>
</li>
<li class="level1"><div class="li"> <a href="devopssthandler.html" class="wikilink1" title="documentation:2.0:devopssthandler">DevOps+ServiceToken</a></div>
</li>
<li class="level1"><div class="li"> <a href="oauth2handler.html" class="wikilink1" title="documentation:2.0:oauth2handler">OAuth2</a></div>
</li>
<li class="level1"><div class="li"> <a href="securetoken.html" class="wikilink1" title="documentation:2.0:securetoken">SecureToken</a> <em>(not available for PSGI)</em></div>
</li>
<li class="level1"><div class="li"> <a href="cda.html" class="wikilink1" title="documentation:2.0:cda">CDA</a></div>
<li class="level1"><div class="li"> <a href="servertoserver.html" class="wikilink1" title="documentation:2.0:servertoserver">Service Token</a> <em>(server to server)</em></div>
</li>
<li class="level1"><div class="li"> <a href="documentation/latest/applications/zimbra.html" class="wikilink1" title="documentation:latest:applications:zimbra">ZimbraPreAuth</a> <em>(not available for PSGI)</em></div>
</li>
</ul>
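Review bot: the ZimbraPreAuth entry (now moved to the end of the alphabetical list) links to `documentation/latest/applications/zimbra.html`, a relative path that resolves under the current page's directory (documentation/2.0/documentation/latest/...), unlike the sibling-relative links used by every other entry (`cda.html`, `oauth2handler.html`, ...); the link was already like this before the reorder, but please check it or make it consistent with the rest of the list.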

View File

@ -101,11 +101,11 @@ This feature can be useful to allow a third party application to access a virtua
<div class="level3">
<p>
You just have to set “Type: AuthBasic” in the virtualHost options in the manager.
You just have to set &quot;Type: AuthBasic&quot; in the virtualHost options in the manager.
</p>
<p>
If you want to protect only a virtualHost part, keep type on “Main” and set type in your configuration file:
If you want to protect only a virtualHost part, keep type on &quot;Main&quot; and set type in your configuration file:
</p>
<ul>
<li class="level1"><div class="li"> Apache: use simply a <code>PerlSetVar VHOSTTYPE AuthBasic</code></div>
@ -120,13 +120,38 @@ If you want to protect only a virtualHost part, keep type on “Main” and set
<div class="level3">
<p>
No parameters needed. But you have to allow REST sessions web services, see <a href="restsessionbackend.html" class="wikilink1" title="documentation:2.0:restsessionbackend">REST sessions backend</a> and to enable local cache (enabled by default in lemonldap-ng.ini).
No parameters needed. But you have to allow REST sessions web services, see <a href="restsessionbackend.html" class="wikilink1" title="documentation:2.0:restsessionbackend">REST sessions backend</a>, enable local cache (enabled by default in lemonldap-ng.ini) and allow source <abbr title="Internet Protocol">IP</abbr> addresses to access required locations in Portal Virtual Host.
</p>
<div class="notewarning">With AuthBasic handler, you have to disable CSRF token by setting a special rule based on callers <abbr title="Internet Protocol">IP</abbr> address like this :
<div class="notewarning">With AuthBasic handler, you have to disable CSRF token by setting a special rule based on source <abbr title="Internet Protocol">IP</abbr> addresses like this :
<p>
requireToken =&gt; $env-&gt;{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
</p>
<p>
With AutChoice, you have to declare which authentication module is requested by handler to create global session.
</p>
<p>
Go to: <code>General Parameters &gt; Authentication parameters &gt; Choice parameters</code>
</p>
<p>
and set authentication module&#039;s name :
</p>
<p>
<strong>AuthBasic handler parameter</strong> =&gt; 2_LDAP (by example)
</p>
</div><div class="noteimportant">With HTTPS, you may have to set <strong>LWP::UserAgent object</strong> with <code>verify_hostname =&gt; 0</code> and <code>SSL_verify_mode =&gt; 0</code>.
<p>
Go to:
</p>
<p>
<code>General Parameters &gt; Advanced Parameters &gt; Security &gt; Choice parameters &gt; SSL options for server requests</code>
</p>
</div>
</div>
<!-- EDIT6 SECTION "Handler parameters" [1116-] --></div>
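Review bot: the added noteimportant tells administrators to configure the LWP::UserAgent with `verify_hostname => 0` and `SSL_verify_mode => 0` when the portal is reached over HTTPS; that turns off certificate validation for the handler's requests to the portal's REST session web services, so the documentation should present the proper fix first (make the portal certificate trusted on the handler host, or point the SSL options at the right CA) and mark the verification-off settings as a last resort for test setups only. Also in this hunk: "AutChoice" should be "AuthChoice"; "2_LDAP (by example)" should be "(for example)"; and the menu path `General Parameters > Advanced Parameters > Security > Choice parameters > SSL options for server requests` looks copy-pasted from the Choice parameters path just above, so please confirm the SSL options really live under "Choice parameters".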

View File

@ -150,7 +150,7 @@ If an access control policy other than <code>none</code> is specified, applicati
</p>
<p>
Go to <code><abbr title="Central Authentication Service">CAS</abbr> Applications</code> and then <code>Add <abbr title="Central Authentication Service">CAS</abbr> Application</code>. Give a technical name (no spaces, no special characters), like “app-example”.
Go to <code><abbr title="Central Authentication Service">CAS</abbr> Applications</code> and then <code>Add <abbr title="Central Authentication Service">CAS</abbr> Application</code>. Give a technical name (no spaces, no special characters), like &quot;app-example&quot;.
</p>
<p>

View File

@ -160,7 +160,7 @@ Each Relying Party has its own configuration way. <abbr title="LemonLDAP::NG">LL
</p>
<p>
The metadata can be found at the standard “Well Known” <abbr title="Uniform Resource Locator">URL</abbr>: <a href="http://auth.example.com/.well-known/openid-configuration" class="urlextern" title="http://auth.example.com/.well-known/openid-configuration" rel="nofollow">http://auth.example.com/.well-known/openid-configuration</a>
The metadata can be found at the standard &quot;Well Known&quot; <abbr title="Uniform Resource Locator">URL</abbr>: <a href="http://auth.example.com/.well-known/openid-configuration" class="urlextern" title="http://auth.example.com/.well-known/openid-configuration" rel="nofollow">http://auth.example.com/.well-known/openid-configuration</a>
</p>
<p>

View File

@ -132,11 +132,19 @@ After configuring <abbr title="Security Assertion Markup Language">SAML</abbr> S
</p>
<p>
They are available at the EntityID <abbr title="Uniform Resource Locator">URL</abbr>, by default: <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>. You can also use <a href="http://auth.example.com/saml/metadata/idp" class="urlextern" title="http://auth.example.com/saml/metadata/idp" rel="nofollow">http://auth.example.com/saml/metadata/idp</a> to have only IDP related metadata.
They are available at the Metadata <abbr title="Uniform Resource Locator">URL</abbr>, by default: <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>.
</p>
<p>
You can also use <a href="http://auth.example.com/saml/metadata/idp" class="urlextern" title="http://auth.example.com/saml/metadata/idp" rel="nofollow">http://auth.example.com/saml/metadata/idp</a> to have only IDP related metadata.
</p>
<p>
In both cases, the entityID of the LemonLDAP::NG server is <a href="http://auth.example.com/saml/metadata" class="urlextern" title="http://auth.example.com/saml/metadata" rel="nofollow">http://auth.example.com/saml/metadata</a>
</p>
</div>
<!-- EDIT6 SECTION "Register LemonLDAP::NG on partner Service Provider" [848-1186] -->
<!-- EDIT6 SECTION "Register LemonLDAP::NG on partner Service Provider" [848-1286] -->
<h3 class="sectionedit7" id="register_partner_service_provider_on_lemonldapng">Register partner Service Provider on LemonLDAP::NG</h3>
<div class="level3">
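Review bot: the added sentence "In both cases, the entityID of the LemonLDAP::NG server is http://auth.example.com/saml/metadata" is missing its final period, and the hunk now uses "Metadata URL", "EntityID" and "entityID" for related notions; pick one spelling of entityID. "IDP related metadata" should be "IdP-related metadata".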
@ -185,7 +193,7 @@ For each attribute, you can set:
</li>
<li class="level1"><div class="li"> <strong>Friendly Name</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute friendly name.</div>
</li>
<li class="level1"><div class="li"> <strong>Mandatory</strong>: if set to “On”, then this attribute is required to build the <abbr title="Security Assertion Markup Language">SAML</abbr> response, an error will displayed if there is no value for it. Optional attribute will be sent only if there is a value associated. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.</div>
<li class="level1"><div class="li"> <strong>Mandatory</strong>: if set to &quot;On&quot;, then this attribute is required to build the <abbr title="Security Assertion Markup Language">SAML</abbr> response, an error will displayed if there is no value for it. Optional attribute will be sent only if there is a value associated. Else it just will be sent trough an attribute response, if explicitly requested in an attribute request.</div>
</li>
<li class="level1"><div class="li"> <strong>Format</strong>: optional, <abbr title="Security Assertion Markup Language">SAML</abbr> attribute format.</div>
</li>
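Review bot: the rewritten "Mandatory" bullet carries over two errors from the removed line: "an error will displayed" should be "an error will be displayed" and "sent trough an attribute response" should be "sent through an attribute response". "Optional attribute will be sent only if there is a value associated" reads better as "An optional attribute is sent only if it has a value".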
@ -276,7 +284,7 @@ For example: <a href="http://auth.example.com/saml/singleSignOn?IDPInitiated=1&a
</div>
</div>
<!-- EDIT7 SECTION "Register partner Service Provider on LemonLDAP::NG" [1187-4922] -->
<!-- EDIT7 SECTION "Register partner Service Provider on LemonLDAP::NG" [1287-5022] -->
<h2 class="sectionedit8" id="known_issues">Known issues</h2>
<div class="level2">
@ -285,6 +293,6 @@ Using both Issuer::<abbr title="Security Assertion Markup Language">SAML</abbr>
</p>
</div>
<!-- EDIT8 SECTION "Known issues" [4923-] --></div>
<!-- EDIT8 SECTION "Known issues" [5023-] --></div>
</body>
</html>

View File

@ -48,11 +48,12 @@
<div class="level1">
<p>
This plugin allows certain users to assume the identity of another user. A privileged User first logs in with their real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms.
This plugin allows certain users to assume the identity of another user. A privileged user first logs in with its real account and can then choose another profile to appear as. This feature can be especially useful for training/learning or development platforms.
</p>
<div class="noteimportant">This plugin should not be used on production instance, prefer <a href="contextswitching.html" class="wikilink1" title="documentation:2.0:contextswitching">ContextSwitching plugin</a>.
</div>
<!-- EDIT1 SECTION "Impersonation plugin" [1-303] -->
</div>
<!-- EDIT1 SECTION "Impersonation plugin" [1-432] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
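Review bot: the rewrite changes "logs in with their real account" to "logs in with its real account"; the original "their" was correct for a user, so keep it. The unchanged noteimportant just below would also read better as "should not be used on a production instance; prefer the ContextSwitching plugin".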
@ -66,13 +67,11 @@ Just enable it in the Manager (section “plugins”) by setting a rule. Imperso
</li>
<li class="level2"><div class="li"> <strong>Identities use rule</strong>: Rule to define which identities can be assumed. Useful to prevent impersonation of certain sensitive identities like CEO, administrators or anonymous/protected users.</div>
</li>
<li class="level2"><div class="li"> <strong>Real attributes prefix</strong>: Prefix use to rename user real profile attributes.</div>
</li>
<li class="level2"><div class="li"> <strong>Hidden attributes</strong>: Attributes not displayed</div>
</li>
<li class="level2"><div class="li"> <strong>Skip empty values</strong>: Do not use empty profile attributes</div>
</li>
<li class="level2"><div class="li"> <strong>Merge spoofed and real <abbr title="Single Sign On">SSO</abbr> groups</strong>: Can be useful for administrators to keep higher privileges. “Special rule” field can be used to set <abbr title="Single Sign On">SSO</abbr> groups to merge if exist in real session. Multivalue <code>separator</code> is used. By example : <code>su; admins; anonymous</code></div>
<li class="level2"><div class="li"> <strong>Merge spoofed and real <abbr title="Single Sign On">SSO</abbr> groups</strong>: Can be useful for administrators to keep higher privileges. &quot;Special rule&quot; field can be used to set <abbr title="Single Sign On">SSO</abbr> groups to merge if exist in real session. Multivalue <code>separator</code> is used. By example : <code>su; admins; anonymous</code></div>
</li>
</ul>
</li>
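Review bot: the rewritten "Merge spoofed and real SSO groups" bullet still has "groups to merge if exist in real session" and "By example :"; suggest "groups to merge if they exist in the real session" and "For example:" (no space before the colon). Dropping the "Real attributes prefix" entry from the Manager list is consistent with the impersonationPrefix ini setting documented later in this file.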
@ -105,7 +104,13 @@ Keep in mind that real session is computed first. Afterward, if access is grante
</p>
</div>
<p>
impersonationPrefix is used to rename user&#039;s real profile attributes. You can set real attributes prefix (&#039;real_&#039; by default) by editing <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">impersonationPrefix</span> <span class="sy0">=</span><span class="re2"> real_</span></pre>
</div>
<!-- EDIT2 SECTION "Configuration" [304-] --></div>
<!-- EDIT2 SECTION "Configuration" [433-] --></div>
</body>
</html>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:installdeb</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,installdeb"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="installdeb.html"/>
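Review bot: this flips the robots meta of the installdeb export from `noindex,nofollow` to `index,follow`; please confirm this is intentional and applied consistently to the other exported pages in this merge, since it changes which documentation pages search engines are allowed to index.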
@ -118,13 +118,14 @@ LemonLDAP::NG provides these packages:
<div class="level3">
<p>
If you run Debian testing or unstable, the packages are directly installable:
If you run Debian stable, testing or unstable, the packages are directly installable:
</p>
<pre class="code">apt-cache search lemonldap-ng</pre>
<div class="noteimportant">Packages from <a href="http://packages.debian.org/search?keywords=lemonldap-ng" class="urlextern" title="http://packages.debian.org/search?keywords=lemonldap-ng" rel="nofollow">Debian repository</a> may not be up to date. Prefer then the other solutions (see below).
<pre class="code">apt-get install lemonldap-ng</pre>
<div class="notetip">Packages from <a href="http://packages.debian.org/search?keywords=lemonldap-ng" class="urlextern" title="http://packages.debian.org/search?keywords=lemonldap-ng" rel="nofollow">Debian repository</a> may not be up to date but are <strong>security-maintained</strong> by <a href="https://security-team.debian.org/" class="urlextern" title="https://security-team.debian.org/" rel="nofollow">Debian Security Team</a> for &quot;stable&quot; release and <a href="https://www.debian.org/lts/" class="urlextern" title="https://www.debian.org/lts/" rel="nofollow">LTS team</a> for &quot;oldstable&quot; release. Then if you don&#039;t need some new features or aren&#039;t concerned by a bug fixed earlier, <strong>this is a good choice</strong>. You can also use <a href="https://backports.debian.org/" class="urlextern" title="https://backports.debian.org/" rel="nofollow">Debian backports</a> or &quot;testing&quot;/&quot;unstable&quot; packages, team maintained. <a href="documentation.html#packaged_versions" class="wikilink1" title="documentation">Here is the list of Debian versions</a>.
</div><div class="notewarning">LLNG Ubuntu packages are not in the &quot;universe&quot; but in the &quot;multiverse&quot;. This means they are not security-maintained. If you use them, you should follow our security advisories on lemonldap-ng-users@ow2.org.
</div>
</div>
<!-- EDIT4 SECTION "Official repository" [645-983] -->
<!-- EDIT4 SECTION "Official repository" [645-1657] -->
<h3 class="sectionedit5" id="llng_repository">LL::NG repository</h3>
<div class="level3">
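Review bot: the added `apt-get install lemonldap-ng` line is inconsistent with the "With apt" section later in this same page, which uses `apt install lemonldap-ng`; use one form. In the notetip, "Then if you don't need some new features or aren't concerned by a bug fixed earlier, this is a good choice" reads better as "So if you do not need newer features or a more recent bug fix, this is a good choice". The new Ubuntu "multiverse" warning is a useful security call-out; consider turning lemonldap-ng-users@ow2.org into a mailto link.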
@ -165,7 +166,7 @@ Finally update your APT cache:
<pre class="code">apt update</pre>
</div>
<!-- EDIT5 SECTION "LL::NG repository" [984-1895] -->
<!-- EDIT5 SECTION "LL::NG repository" [1658-2569] -->
<h3 class="sectionedit6" id="manual_download">Manual download</h3>
<div class="level3">
@ -174,7 +175,7 @@ Packages are available on the <a href="download.html" class="wikilink1" title="d
</p>
</div>
<!-- EDIT6 SECTION "Manual download" [1896-1982] -->
<!-- EDIT6 SECTION "Manual download" [2570-2656] -->
<h2 class="sectionedit7" id="install_packages">Install packages</h2>
<div class="level2">
<div class="noteimportant">By default packages will require Nginx. If you want to use Apache2, install it first with mod_perl:
@ -182,13 +183,13 @@ Packages are available on the <a href="download.html" class="wikilink1" title="d
</div>
</div>
<!-- EDIT7 SECTION "Install packages" [1983-2191] -->
<!-- EDIT7 SECTION "Install packages" [2657-2865] -->
<h3 class="sectionedit8" id="with_apt">With apt</h3>
<div class="level3">
<pre class="code">apt install lemonldap-ng</pre>
</div>
<!-- EDIT8 SECTION "With apt" [2192-2252] -->
<!-- EDIT8 SECTION "With apt" [2866-2926] -->
<h3 class="sectionedit9" id="with_dpkg">With dpkg</h3>
<div class="level3">
@ -202,12 +203,12 @@ Then:
<pre class="code">dpkg -i liblemonldap-ng-* lemonldap-ng*</pre>
</div>
<!-- EDIT9 SECTION "With dpkg" [2253-2401] -->
<!-- EDIT9 SECTION "With dpkg" [2927-3075] -->
<h2 class="sectionedit10" id="first_configuration_steps">First configuration steps</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "First configuration steps" [2402-2440] -->
<!-- EDIT10 SECTION "First configuration steps" [3076-3114] -->
<h3 class="sectionedit11" id="change_default_dns_domain">Change default DNS domain</h3>
<div class="level3">
@ -217,7 +218,7 @@ By default, <abbr title="Domain Name System">DNS</abbr> domain is <code>example.
<pre class="code shell">sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1.json</pre>
</div>
<!-- EDIT11 SECTION "Change default DNS domain" [2441-2724] -->
<!-- EDIT11 SECTION "Change default DNS domain" [3115-3398] -->
<h3 class="sectionedit12" id="upgrade">Upgrade</h3>
<div class="level3">
@ -226,7 +227,7 @@ If you upgraded <abbr title="LemonLDAP::NG">LL::NG</abbr>, check all <a href="up
</p>
</div>
<!-- EDIT12 SECTION "Upgrade" [2725-2805] -->
<!-- EDIT12 SECTION "Upgrade" [3399-3479] -->
<h3 class="sectionedit13" id="dns">DNS</h3>
<div class="level3">
@ -247,7 +248,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</p>
</div>
<!-- EDIT13 SECTION "DNS" [2806-3110] -->
<!-- EDIT13 SECTION "DNS" [3480-3784] -->
<h2 class="sectionedit14" id="file_location">File location</h2>
<div class="level2">
<ul>
@ -268,7 +269,7 @@ Follow the <a href="start.html#configuration" class="wikilink1" title="documenta
</ul>
</div>
<!-- EDIT14 SECTION "File location" [3111-3678] -->
<!-- EDIT14 SECTION "File location" [3785-4352] -->
<h2 class="sectionedit15" id="build_your_packages">Build your packages</h2>
<div class="level2">
@ -280,6 +281,6 @@ cd lemonldap-ng-*
make debian-packages</pre>
</div>
<!-- EDIT15 SECTION "Build your packages" [3679-] --></div>
<!-- EDIT15 SECTION "Build your packages" [4353-] --></div>
</body>
</html>

View File

@ -346,7 +346,7 @@ ls SPECS/ SOURCES/</pre>
<pre class="code">rpmbuild -ba SPECS/lemonldap-ng.spec</pre>
<p>
Alternatively, you can use the automatic script “create-lemonldap-packages.sh”, available in rpm-sles directory in the <a href="download.html#getting_sources_from_svn_repository" class="wikilink1" title="download">lemonldap svn repository</a>. The automatic script can also generate intermediate dependencies. See README file in the same directory for more information.
Alternatively, you can use the automatic script &quot;create-lemonldap-packages.sh&quot;, available in rpm-sles directory in the <a href="download.html#getting_sources_from_svn_repository" class="wikilink1" title="download">lemonldap svn repository</a>. The automatic script can also generate intermediate dependencies. See README file in the same directory for more information.
</p>
</div>
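Review bot: while the quotes are being fixed on this line, the sentence still sends readers to a "lemonldap svn repository" and to a download-page anchor named getting_sources_from_svn_repository; the project is maintained in git (this change is itself a git merge), so check that the anchor still exists on download.html and reword the reference, otherwise the packaging instructions point at a source tree that may no longer exist.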

View File

@ -88,7 +88,7 @@ Then go to trunk directory:
<pre class="code">cd trunk</pre>
<p>
And run the “dist” target:
And run the &quot;dist&quot; target:
</p>
<pre class="code">make dist</pre>
@ -192,7 +192,7 @@ Available parameters are:
<ul>
<li class="level1"><div class="li"> <strong>ERASECONFIG</strong>: set to 0 if you want to keep your configuration files (default: 1)</div>
</li>
<li class="level1"><div class="li"> <strong>DESTDIR</strong>: only for packaging, install the product in a jailroot (default: “”)</div>
<li class="level1"><div class="li"> <strong>DESTDIR</strong>: only for packaging, install the product in a jailroot (default: &quot;&quot;)</div>
</li>
<li class="level1"><div class="li"> <strong>PREFIX</strong>: installation directory (default: /usr/local)</div>
</li>

View File

@ -73,6 +73,18 @@
<h1 class="sectionedit1" id="logs">Logs</h1>
<div class="level1">
<p>
<strong>REMOTE_USER</strong> : session attribute used for logging user access.
</p>
<p>
<strong>REMOTE_CUSTOM</strong> : can be used for logging a second user attribute (optionnal)
</p>
<p>
<strong>Hidden attributes</strong> : session attributes never displayed or sent
</p>
<p>
LemonLDAP::NG provides 5 levels of error and has two kind of logs:
</p>
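Review bot: the new REMOTE_CUSTOM paragraph has a typo ("optionnal") and reads as a fragment; suggest "REMOTE_CUSTOM: a second session attribute to log alongside the user (optional)". The "Hidden attributes" line is ambiguous about what "never displayed or sent" covers: if the intent is that these session keys are neither shown in the session explorer nor exported to protected applications as headers, say so explicitly, because that is the guarantee an administrator relies on when hiding sensitive values such as password hashes. None of the three new entries says where the setting is made; add the Manager path (or the lemonldap-ng.ini key) next to each so the paragraph is actionable.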
@ -120,7 +132,7 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</p>
</div>
<!-- EDIT1 SECTION "Logs" [1-1571] -->
<!-- EDIT1 SECTION "Logs" [1-1787] -->
<h2 class="sectionedit2" id="default_loggers">Default loggers</h2>
<div class="level2">
<ul>
@ -133,12 +145,12 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</ul>
</div>
<!-- EDIT2 SECTION "Default loggers" [1572-1891] -->
<!-- EDIT2 SECTION "Default loggers" [1788-2107] -->
<h2 class="sectionedit3" id="log_levels">Log levels</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Log levels" [1892-1915] -->
<!-- EDIT3 SECTION "Log levels" [2108-2131] -->
<h3 class="sectionedit4" id="technical_log_levels">Technical log levels</h3>
<div class="level3">
<ul>
@ -155,13 +167,13 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</ul>
</div>
<!-- EDIT4 SECTION "Technical log levels" [1916-2325] -->
<!-- EDIT4 SECTION "Technical log levels" [2132-2541] -->
<h3 class="sectionedit5" id="log_levels_for_user_actions">Log levels for user actions</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>error</strong> is used to log bad user actions that looks malicious</div>
</li>
<li class="level1"><div class="li"> <strong>warn</strong> is used to log some errors like “bad password”</div>
<li class="level1"><div class="li"> <strong>warn</strong> is used to log some errors like &quot;bad password&quot;</div>
</li>
<li class="level1"><div class="li"> <strong>notice</strong> is used for actions that must be kept in logs for accounting (connections, logout)</div>
</li>
@ -172,12 +184,12 @@ Therefore, LLNG provides a username that can be used by webservers in their acce
</ul>
</div>
<!-- EDIT5 SECTION "Log levels for user actions" [2326-2719] -->
<!-- EDIT5 SECTION "Log levels for user actions" [2542-2935] -->
<h2 class="sectionedit6" id="logger_configuration">Logger configuration</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "Logger configuration" [2720-2753] -->
<!-- EDIT6 SECTION "Logger configuration" [2936-2969] -->
<h3 class="sectionedit7" id="std_logger">Std logger</h3>
<div class="level3">
@ -186,7 +198,7 @@ Nothing to configure except logLevel.
</p>
</div>
<!-- EDIT7 SECTION "Std logger" [2754-2814] -->
<!-- EDIT7 SECTION "Std logger" [2970-3030] -->
<h3 class="sectionedit8" id="apache2_logger">Apache2 logger</h3>
<div class="level3">
@ -199,7 +211,7 @@ See <a href="http://httpd.apache.org/docs/current/mod/core.html#loglevel" class=
</p>
</div>
<!-- EDIT8 SECTION "Apache2 logger" [2815-3050] -->
<!-- EDIT8 SECTION "Apache2 logger" [3031-3266] -->
<h3 class="sectionedit9" id="syslog">Syslog</h3>
<div class="level3">
@ -210,7 +222,7 @@ You can choose facility in lemonldap-ng.ini file. Default values:
<span class="re1">userSyslogFacility</span> <span class="sy0">=</span><span class="re2"> auth</span></pre>
</div>
<!-- EDIT9 SECTION "Syslog" [3051-3209] -->
<!-- EDIT9 SECTION "Syslog" [3267-3425] -->
<h3 class="sectionedit10" id="log4perl">Log4perl</h3>
<div class="level3">
@ -222,7 +234,7 @@ You can indicate the Log4perl configuration file and the classes to use. Default
<span class="re1">log4perlUserLogger</span> <span class="sy0">=</span><span class="re2"> LLNG.user</span></pre>
</div>
<!-- EDIT10 SECTION "Log4perl" [3210-3436] -->
<!-- EDIT10 SECTION "Log4perl" [3426-3652] -->
<h3 class="sectionedit11" id="sentry">Sentry</h3>
<div class="level3">
@ -233,7 +245,7 @@ You just have to give your DSN:
<div class="noteimportant">This experimental logger requires <a href="https://metacpan.org/pod/Sentry::Raven" class="urlextern" title="https://metacpan.org/pod/Sentry::Raven" rel="nofollow">Sentry::Raven</a> Perl module.
</div>
</div>
<!-- EDIT11 SECTION "Sentry" [3437-3658] -->
<!-- EDIT11 SECTION "Sentry" [3653-3874] -->
<h3 class="sectionedit12" id="dispatch">Dispatch</h3>
<div class="level3">
@ -251,6 +263,6 @@ Use it to use more than one logger. Example:
<div class="noteimportant">At least <code>logDispatchError</code> <em>(or <code>userLogDispatchError</code> for user logs)</em> must be defined. All sub level will be dispatched on it, until another lever is declared. In the above example, Sentry collects <code>error</code> and <code>warn</code> levels and all user actions, while syslog stores technical <code>notice</code>, <code>info</code> and <code>debug</code> logs.
</div>
</div>
<!-- EDIT12 SECTION "Dispatch" [3659-] --></div>
<!-- EDIT12 SECTION "Dispatch" [3875-] --></div>
</body>
</html>

View File

@ -64,11 +64,11 @@ And of course, if the user&#039;s email account is also protected by LemonLDAP::
<div class="level3">
<p>
Before configuring this module, make sure the user&#039;s email address is correctly fetched from your UserDB plugin and appears in the session browser. If you want to store the user e-mail in a different session field than <code>mail</code>, go to “General Parameters » Advanced parameters » SMTP” and set the “Session key containing mail address” parameter.
Before configuring this module, make sure the user&#039;s email address is correctly fetched from your UserDB plugin and appears in the session browser. If you want to store the user e-mail in a different session field than <code>mail</code>, go to &quot;General Parameters » Advanced parameters » SMTP&quot; and set the &quot;Session key containing mail address&quot; parameter.
</p>
<p>
All parameters are configured in “General Parameters » Second factors » Mail second factor”.
All parameters are configured in &quot;General Parameters » Second factors » Mail second factor&quot;.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: Set to <code>On</code> to activate this module. If a user does not have an email address, they will encounter an error on login. If you want to use this plugin only for users who have an email address, use <code>$mail</code> (or whatever your e-mail session key is) as the activation rule.</div>
@ -81,10 +81,12 @@ All parameters are configured in “General Parameters » Second factors » Mail
</li>
<li class="level1"><div class="li"> <strong>Mail body</strong>: The plain text content of the email the user will receive. If you leave it blank, the <code>mail_2fcode</code> <abbr title="HyperText Markup Language">HTML</abbr> template will be used. The one-time code is stored in the <code>$code</code> variable</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
<li class="level1"><div class="li"> <strong>Authentication level</strong> (Optional): if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
<li class="level1"><div class="li"> <strong>Logo</strong> (Optional): logo file <em>(in static/&lt;skin&gt; directory)</em></div>
</li>
<li class="level1"><div class="li"> <strong>Label</strong> (Optional): label that should be displayed to the user on the choice screen</div>
</li>
</ul>
</div>
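Review bot: marking Authentication level as optional should come with the default behaviour spelled out: when the field is left empty, the level set by the authentication module is kept unchanged (the sentence already implies this, but readers will look for it). "Example: 5" would be more useful with one clause on why: the override only makes sense if the value is higher than the level of the first factor, so that access rules based on the authentication level can tell sessions that passed this second factor from those that did not.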

View File

@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/mitm"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/mitm"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:mitm","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/mitm?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
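Review bot: this file is a DokuWiki "page not found" rendering of documentation:2.0:mitm rather than documentation: the body says the topic does not exist yet, and the regenerated tseed values, the sectok in the login link and the indexer.php timestamp are live-site artifacts that will churn on every export. Either write the mitm page before exporting or exclude the placeholder from the committed HTML. The sectok is a CSRF token from the wiki session that produced the export; it serves no purpose in a static copy and should not be committed.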
@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1561840344" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Amitm&amp;1569271210" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:mongodbconfbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,mongodbconfbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="mongodbconfbackend.html"/>
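Review bot: the meta robots change from index,follow to noindex,nofollow on the MongoDB configuration backend page looks like an export setting leaking into the docs rather than an intentional change. If the generated pages are meant to be crawlable, fix the export configuration instead of committing the new header; if it is intentional, apply it consistently to every page rather than the few touched here.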
@ -79,7 +79,10 @@ Example :
<span class="re1">type</span> <span class="sy0">=</span><span class="re2"> MongoDB</span>
<span class="re1">dbName</span> <span class="sy0">=</span><span class="re2"> llConfDB</span>
<span class="re1">collectionName</span> <span class="sy0">=</span><span class="re2"> configuration</span>
<span class="co0">; using a single server</span>
<span class="re1">host</span> <span class="sy0">=</span><span class="re2"> 127.0.0.1:27017</span>
<span class="co0">; using a replicaSet</span>
<span class="co0">; host = mongodb://mongo1.example.com,mongo2.example.com/?replicaSet=myset</span>
<span class="re1">ssl</span> <span class="sy0">=</span><span class="re2"> 1</span>
<span class="co0">; authentication parameters</span>
<span class="re1">db_name</span> <span class="sy0">=</span><span class="re2"> admin</span>
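Review bot: the new replica-set comment shows a full mongodb:// connection URI for host, but the ssl = 1, db_name, user and password keys that follow remain the only documented way to set TLS and credentials. A connection URI can also carry credentials and TLS options in its query string, so the page should state whether the two forms are merged and which one wins when both are set. For the replica-set case in particular, say explicitly that ssl = 1 still applies to every member; a reader who copies the commented line without that assurance may end up with a plaintext connection to the configuration store.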
@ -116,9 +119,9 @@ Example :
<td class="col0 leftalign"> password </td><td class="col1 leftalign"> Password </td><td class="col2"> llpassword </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [922-1688] -->
<!-- EDIT3 TABLE [1042-1808] -->
</div>
<!-- EDIT2 SECTION "Configuration" [367-1689] -->
<!-- EDIT2 SECTION "Configuration" [367-1809] -->
<h1 class="sectionedit4" id="mini_mongodb_howto">Mini MongoDB howto</h1>
<div class="level1">
@ -138,6 +141,6 @@ bye
$</pre>
</div>
<!-- EDIT4 SECTION "Mini MongoDB howto" [1690-] --></div>
<!-- EDIT4 SECTION "Mini MongoDB howto" [1810-] --></div>
</body>
</html>

View File

@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:mongodbsessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,mongodbsessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="mongodbsessionbackend.html"/>
@ -75,7 +75,7 @@ In the manager: set <a href="http://search.cpan.org/perldoc?Apache::Session::Mon
</tr>
</thead>
<tr class="row2 roweven">
<td class="col0 leftalign"> <strong>host</strong> </td><td class="col1"> MongoDB server (default: 127.0.0.1:27017) </td><td class="col2"> 127.0.0.1:27017 </td>
<td class="col0 leftalign"> <strong>host</strong> </td><td class="col1 leftalign"> <a href="https://metacpan.org/pod/MongoDB::MongoClient#CONNECTION-STRING-URI" class="urlextern" title="https://metacpan.org/pod/MongoDB::MongoClient#CONNECTION-STRING-URI" rel="nofollow">MongoDB server URI</a> </td><td class="col2"> 127.0.0.1:27017 </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 leftalign"> <strong>db_name</strong> </td><td class="col1 leftalign"> Session database (default: sessions) </td><td class="col2 leftalign"> llconfdb </td>
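Review bot: the host row loses its stated default (127.0.0.1:27017) in favour of a link to the connection-string syntax; keep both, for example "MongoDB server or connection URI (default: 127.0.0.1:27017)", since the Example column alone does not tell the reader what happens when the parameter is omitted.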
@ -102,9 +102,13 @@ In the manager: set <a href="http://search.cpan.org/perldoc?Apache::Session::Mon
<td class="col0 leftalign"> <strong>password</strong> </td><td class="col1 leftalign"> Password </td><td class="col2 leftalign"> llpassword </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [861-1912] -->
<!-- EDIT3 TABLE [861-1984] -->
<p>
Advanced connection parameters (Replica Sets, timeouts...) may be specified in the <code>host</code> parameter. <a href="https://metacpan.org/pod/MongoDB::MongoClient#CONNECTION-STRING-URI" class="urlextern" title="https://metacpan.org/pod/MongoDB::MongoClient#CONNECTION-STRING-URI" rel="nofollow">Refer to the perl MongoDB documentation for details</a>
</p>
</div>
<!-- EDIT2 SECTION "Setup" [253-1913] -->
<!-- EDIT2 SECTION "Setup" [253-2212] -->
<h2 class="sectionedit4" id="security">Security</h2>
<div class="level2">
@ -113,6 +117,6 @@ Restrict network access to the MongoDB server. For remote servers, you can use <
</p>
</div>
<!-- EDIT4 SECTION "Security" [1914-] --></div>
<!-- EDIT4 SECTION "Security" [2213-] --></div>
</body>
</html>

View File

@ -49,7 +49,7 @@ Handler can be monitored by using MRTG. See <a href="mrtg.html" class="wikilink1
</p>
<p>
Portal can also publish its status using REST. To enable it, go to the manager, general parameters, plugins. Then enable “publish portal status” option.
Portal can also publish its status using REST. To enable it, go to the manager, general parameters, plugins. Then enable &quot;publish portal status&quot; option.
</p>
<p>

View File

@ -68,7 +68,7 @@
<div class="level1">
<p>
Since version 2.0, a beta Node.js handler is available on <a href="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler" class="urlextern" title="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler" rel="nofollow">GitHub</a> and <a href="https://www.npmjs.com/package/node-lemonldap-ng-handler" class="urlextern" title="https://www.npmjs.com/package/node-lemonldap-ng-handler" rel="nofollow">NPMJS</a>.
Since version 2.0, a beta Node.js handler is available on <a href="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler" class="urlextern" title="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler" rel="nofollow">GitHub</a> and <a href="https://www.npmjs.com/package/lemonldap-ng-handler" class="urlextern" title="https://www.npmjs.com/package/lemonldap-ng-handler" rel="nofollow">NPMJS</a>.
</p>
<p>
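Review bot: the npm package is renamed from node-lemonldap-ng-handler to lemonldap-ng-handler while the GitHub link keeps the node- prefix, so two near-identical names now appear on the same page. State which one is the published package and whether the old name is deprecated or was never published, otherwise readers may install the wrong package; a lookalike name like this is exactly what typosquatting and dependency-confusion attacks rely on. The require() calls later in the page are updated consistently, which is good.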
@ -76,7 +76,7 @@ Up-to-date documentation is available on GitHub.
</p>
</div>
<!-- EDIT1 SECTION "Node.js handler" [1-279] -->
<!-- EDIT1 SECTION "Node.js handler" [1-274] -->
<h2 class="sectionedit2" id="examples">Examples</h2>
<div class="level2">
@ -84,7 +84,7 @@ Up-to-date documentation is available on GitHub.
<strong>Important things</strong>:
</p>
<ul>
<li class="level1"><div class="li"> Rules and headers must be written in javascript for these hosts <em>(example <code>$uid eq “dwho”</code> becomes <code>$uid === “dwho”</code>)</em></div>
<li class="level1"><div class="li"> Rules and headers must be written in javascript for these hosts <em>(example <code>$uid eq &quot;dwho&quot;</code> becomes <code>$uid === &quot;dwho&quot;</code>)</em></div>
</li>
<li class="level1"><div class="li"> Multi-lines are not supported in lemonldap-ng.ini</div>
</li>
@ -96,7 +96,7 @@ Up-to-date documentation is available on GitHub.
<span class="re1">nodeVhosts</span> <span class="sy0">=</span><span class="re2"> test.example.com, test2.example.com</span></pre>
</div>
<!-- EDIT2 SECTION "Examples" [280-801] -->
<!-- EDIT2 SECTION "Examples" [275-796] -->
<h3 class="sectionedit3" id="use_it_as_fastcgi_server_application_protection_only">Use it as FastCGI server (application protection only)</h3>
<div class="level3">
@ -106,7 +106,7 @@ Up-to-date documentation is available on GitHub.
<div class="level4">
<dl class="file">
<dt><a href="_export/code/documentation/2.0/nodehandler/codeblock.1.code" title="Download Snippet" class="mediafile mf_js">server.js</a></dt>
<dd><pre class="code file javascript"><span class="kw1">var</span> handler <span class="sy0">=</span> require<span class="br0">&#40;</span><span class="st0">'node-lemonldap-ng-handler'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<dd><pre class="code file javascript"><span class="kw1">var</span> handler <span class="sy0">=</span> require<span class="br0">&#40;</span><span class="st0">'lemonldap-ng-handler'</span><span class="br0">&#41;</span><span class="sy0">;</span>
&nbsp;
handler.<span class="me1">init</span><span class="br0">&#40;</span><span class="br0">&#123;</span>
configStorage<span class="sy0">:</span> <span class="br0">&#123;</span>
@ -158,7 +158,7 @@ handler.<span class="me1">nginxServer</span><span class="br0">&#40;</span><span
</dd></dl>
</div>
<!-- EDIT3 SECTION "Use it as FastCGI server (application protection only)" [802-1982] -->
<!-- EDIT3 SECTION "Use it as FastCGI server (application protection only)" [797-1972] -->
<h3 class="sectionedit4" id="use_it_to_protect_an_express_app">Use it to protect an express app</h3>
<div class="level3">
<dl class="file">
@ -166,7 +166,7 @@ handler.<span class="me1">nginxServer</span><span class="br0">&#40;</span><span
<dd><pre class="code file javascript"><span class="co1">// Variables</span>
<span class="kw1">var</span> express <span class="sy0">=</span> require<span class="br0">&#40;</span><span class="st0">'express'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">var</span> app <span class="sy0">=</span> express<span class="br0">&#40;</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">var</span> handler <span class="sy0">=</span> require<span class="br0">&#40;</span><span class="st0">'node-lemonldap-ng-handler'</span><span class="br0">&#41;</span><span class="sy0">;</span>
<span class="kw1">var</span> handler <span class="sy0">=</span> require<span class="br0">&#40;</span><span class="st0">'lemonldap-ng-handler'</span><span class="br0">&#41;</span><span class="sy0">;</span>
&nbsp;
<span class="co1">// initialize handler (optional args)</span>
handler.<span class="me1">init</span><span class="br0">&#40;</span><span class="br0">&#123;</span>
@ -188,6 +188,6 @@ app.<span class="me1">listen</span><span class="br0">&#40;</span><span class="nu
</dd></dl>
</div>
<!-- EDIT4 SECTION "Use it to protect an express app" [1983-] --></div>
<!-- EDIT4 SECTION "Use it to protect an express app" [1973-] --></div>
</body>
</html>

View File

@ -72,9 +72,8 @@
<li class="level2"><div class="li"><a href="#create_new_notifications_with_notifications_explorer">Create new notifications with notifications explorer</a></div></li>
<li class="level2"><div class="li"><a href="#notification_server">Notification server</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#json_notifications_through_rest">JSON notifications through REST</a></div></li>
<li class="level3"><div class="li"><a href="#xml_notifications_trough_soap">XML notifications trough SOAP</a></div></li>
<li class="level3"><div class="li"><a href="#deletion_example_in_perl">Deletion example in Perl</a></div></li>
<li class="level3"><div class="li"><a href="#json_notifications_trough_rest">JSON notifications trough REST</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#test_notification">Test notification</a></div></li>
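Review bot: the new TOC entry spells "trough" instead of "through", and because DokuWiki derives the anchor from the heading the id becomes json_notifications_trough_rest, which breaks existing links to #json_notifications_through_rest. The entries for XML notifications through SOAP and for the Perl deletion example are dropped from the TOC even though the Notification server section below still states that both a SOAP and a REST server exist; either keep those sections or update the body text to match.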
@ -88,31 +87,31 @@
<div class="level1">
<p>
Since version 0.9.4, LemonLDAP::NG can be used to notify some messages to users: if a user has a message, the message will be displayed when he will access to the portal. If the message contains check boxes, the user has to check all of them else he can not access to the portal and get his session cookie.
Since version 0.9.4, LemonLDAP::NG can be used to notify some messages to users: if a user has got messages, they will be displayed when he access to the portal. If a message contains some check boxes, the user has to check all of them else he can not access to the portal and retrieves his session cookie.
</p>
<p>
Since 1.1.0, a notification explorer is available in Manager, and notifications can be done for all users, with the possibility to display conditions. When the user accept the notification, the reference is stored in his persistent session.
Since 1.1.0, a notification explorer is available in Manager, and notifications can be set for all users, with possibility to use display conditions. When the user accept the notification, notification reference is stored in his persistent session.
</p>
</div>
<!-- EDIT1 SECTION "Notifications system" [1-586] -->
<!-- EDIT1 SECTION "Notifications system" [1-594] -->
<h2 class="sectionedit2" id="installation">Installation</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Installation" [587-612] -->
<!-- EDIT2 SECTION "Installation" [595-620] -->
<h3 class="sectionedit3" id="activation">Activation</h3>
<div class="level3">
<p>
You just have to activate Notifications in the Manager (General Parameters &gt; Advanced Parameters &gt; Notifications &gt; Activation) or in lemonldap-ng.ini:
You just have to activate Notifications in the Manager (General Parameters &gt; Advanced Parameters &gt; Notifications &gt; Activation) or in <code>lemonldap-ng.ini</code> [portal] section:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">notification</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
</div>
<!-- EDIT3 SECTION "Activation" [613-831] -->
<!-- EDIT3 SECTION "Activation" [621-860] -->
<h3 class="sectionedit4" id="storage">Storage</h3>
<div class="level3">
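Review bot: the reworded introduction introduces grammar errors the previous version did not have: "if a user has got messages, they will be displayed when he access to the portal" should read "when they access the portal", and "else he can not access to the portal and retrieves his session cookie" inverts the meaning, since the user neither reaches the portal nor obtains the cookie until every box is checked. Suggested: "If a message contains check boxes, the user must check all of them; otherwise they cannot access the portal or obtain their session cookie." Likewise "When the user accept the notification" should be "accepts".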
@ -120,16 +119,16 @@ You just have to activate Notifications in the Manager (General Parameters &gt;
By default, notifications will be stored in the same database as configuration:
</p>
<ul>
<li class="level1"><div class="li"> if you use “File” system and your “dirName” is set to /usr/local/lemonldap-ng/conf/, the notifications will be stored in /usr/local/lemonldap-ng/notifications/</div>
<li class="level1"><div class="li"> if you use &quot;File&quot; system and your &quot;dirName&quot; is set to /usr/local/lemonldap-ng/conf/, the notifications will be stored in /usr/local/lemonldap-ng/notifications/</div>
</li>
<li class="level1"><div class="li"> if you use “CDBI” or “RDBI” system, the notifications will be stored in the same database as configuration and in a table called “notifications”.</div>
<li class="level1"><div class="li"> if you use &quot;CDBI&quot; or &quot;RDBI&quot; system, the notifications will be stored in the same database as configuration and in a table called &quot;notifications&quot;.</div>
</li>
<li class="level1"><div class="li"> if you use “LDAP” system, the notifications will be stored in the same directory as configuration and in a branch called “notifications”.</div>
<li class="level1"><div class="li"> if you use &quot;LDAP&quot; system, the notifications will be stored in the same directory as configuration and in a branch called &quot;notifications&quot;.</div>
</li>
</ul>
<p>
You can change default parameters using the “notificationStorage” and “notificationStorageOptions” parameters with the same syntax as configuration storage parameters. To do this in Manager, go in General Parameters &gt; Advanced Parameters &gt; Notifications.
You can change default parameters using the &quot;notificationStorage&quot; and &quot;notificationStorageOptions&quot; parameters with the same syntax as configuration storage parameters. To do this in Manager, go in General Parameters &gt; Advanced Parameters &gt; Notifications.
</p>
</div>
@ -215,7 +214,7 @@ To summary available options:
</ul>
</div>
<!-- EDIT4 SECTION "Storage" [832-3329] -->
<!-- EDIT4 SECTION "Storage" [861-3358] -->
<h3 class="sectionedit5" id="wildcard">Wildcard</h3>
<div class="level3">
@ -232,13 +231,13 @@ Then creating a notification for <code>alluserscustom</code> will display the no
</p>
</div>
<!-- EDIT5 SECTION "Wildcard" [3330-3800] -->
<!-- EDIT5 SECTION "Wildcard" [3359-3829] -->
<h2 class="sectionedit6" id="using_notification_system">Using notification system</h2>
<div class="level2">
<div class="noteimportant">Since version 2.0, notifications are now stored in JSON format. If you want to keep old format, select “use old format” in the manager. Note that the server for inserting notifications is paired with the chosen format: REST for JSON and SOAP for XML.
<div class="noteimportant">Since version 2.0, notifications are now stored in JSON format. If you want to keep old format, select &quot;use old format&quot; in the Manager. Note that notification server depends on chosen format: REST for JSON and SOAP for XML.
</div>
</div>
<!-- EDIT6 SECTION "Using notification system" [3801-4114] -->
<!-- EDIT6 SECTION "Using notification system" [3830-4116] -->
<h3 class="sectionedit7" id="notification_format">Notification format</h3>
<div class="level3">
@ -266,13 +265,13 @@ Notifications are JSON (default) or XML files containing:
</li>
<li class="level2"><div class="li"> Sub elements:</div>
<ul>
<li class="level3"><div class="li"> &lt;title&gt;: title to display: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;h2 class=“notifText”&gt;...&lt;/h2&gt;</div>
<li class="level3"><div class="li"> &lt;title&gt;: title to display: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;h2 class=&quot;notifText&quot;&gt;...&lt;/h2&gt;</div>
</li>
<li class="level3"><div class="li"> &lt;subtitle&gt;: subtitle to display: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;h2 class=“notifText”&gt;...&lt;/h2&gt;</div>
<li class="level3"><div class="li"> &lt;subtitle&gt;: subtitle to display: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;h2 class=&quot;notifText&quot;&gt;...&lt;/h2&gt;</div>
</li>
<li class="level3"><div class="li"> &lt;text&gt;: paragraph to display: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;p class=“notifText”&gt;...&lt;/p&gt;</div>
<li class="level3"><div class="li"> &lt;text&gt;: paragraph to display: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;p class=&quot;notifText&quot;&gt;...&lt;/p&gt;</div>
</li>
<li class="level3"><div class="li"> &lt;check&gt;: paragraph to display with a checkbox: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;p class=“notifCheck”&gt;&lt;input type=“checkbox” /&gt;...&lt;/p&gt;</div>
<li class="level3"><div class="li"> &lt;check&gt;: paragraph to display with a checkbox: will be inserted in <abbr title="HyperText Markup Language">HTML</abbr> page enclosed in &lt;p class=&quot;notifCheck&quot;&gt;&lt;input type=&quot;checkbox&quot; /&gt;...&lt;/p&gt;</div>
</li>
</ul>
</li>
@ -291,17 +290,18 @@ Notifications are JSON (default) or XML files containing:
<h5 id="json">JSON</h5>
<div class="level5">
<pre class="code file json">{
&quot;uid&quot;: &quot;foo.bar&quot;,
&quot;date&quot;: &quot;2009-01-27&quot;,
&quot;reference&quot;; &quot;ABC&quot;,
&quot;title&quot;: &quot;You have new authorizations&quot;,
&quot;subtitle&quot;: &quot;Application 1&quot;,
&quot;text&quot;: &quot;You have been granted to access to appli-1&quot;,
&quot;check&quot;: [
&quot;I aggree&quot;,
&quot;Yes, I'm sure&quot;
]</pre>
<pre class="code file javascript"><span class="br0">&#123;</span>
<span class="st0">&quot;uid&quot;</span><span class="sy0">:</span> <span class="st0">&quot;foo.bar&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;date&quot;</span><span class="sy0">:</span> <span class="st0">&quot;2009-01-27&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;reference&quot;</span><span class="sy0">:</span> <span class="st0">&quot;ABC&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;title&quot;</span><span class="sy0">:</span> <span class="st0">&quot;You have new authorizations&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;subtitle&quot;</span><span class="sy0">:</span> <span class="st0">&quot;Application 1&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;text&quot;</span><span class="sy0">:</span> <span class="st0">&quot;You have been granted to access to appli-1&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;check&quot;</span><span class="sy0">:</span> <span class="br0">&#91;</span>
<span class="st0">&quot;I agree&quot;</span><span class="sy0">,</span>
<span class="st0">&quot;Yes, I'm sure&quot;</span>
<span class="br0">&#93;</span>
<span class="br0">&#125;</span></pre>
</div>
@ -325,9 +325,10 @@ Notifications are JSON (default) or XML files containing:
<span class="sc3"><span class="re1">&lt;check<span class="re2">&gt;</span></span></span>Of course I am not evil!<span class="sc3"><span class="re1">&lt;/check<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/notification<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/root<span class="re2">&gt;</span></span></span></pre>
<div class="notetip">JSON format notifications are displayed sorted by date and reference
</div>
<!-- EDIT7 SECTION "Notification format" [4115-6513] -->
</div>
<!-- EDIT7 SECTION "Notification format" [4117-6608] -->
<h3 class="sectionedit8" id="create_new_notifications_with_notifications_explorer">Create new notifications with notifications explorer</h3>
<div class="level3">
@ -348,33 +349,33 @@ When all is ok, click on <code>Save</code>.
</p>
</div>
<!-- EDIT8 SECTION "Create new notifications with notifications explorer" [6514-6832] -->
<!-- EDIT8 SECTION "Create new notifications with notifications explorer" [6609-6927] -->
<h3 class="sectionedit9" id="notification_server">Notification server</h3>
<div class="level3">
<p>
New JSON notifications can be inserted using REST or SOAP server. If enabled, the server <abbr title="Uniform Resource Locator">URL</abbr> is <a href="https://auth.your.domain/notifications" class="urlextern" title="https://auth.your.domain/notifications" rel="nofollow">https://auth.your.domain/notifications</a>.
LemonLDAP::NG provides two notification servers : SOAP and REST depending on format.
</p>
<p>
If enabled, the server <abbr title="Uniform Resource Locator">URL</abbr> is <a href="https://auth.your.domain/notifications" class="urlextern" title="https://auth.your.domain/notifications" rel="nofollow">https://auth.your.domain/notifications</a>.
</p>
<div class="noteimportant">If notification server is enabled, you have to protect this <abbr title="Uniform Resource Locator">URL</abbr> using the webserver because there is no authentication required to use it.
</div>
<p>
Example:
</p>
<pre class="code file apache"><span class="co1"># SOAP functions for notification insertion (disabled by default)</span>
<pre class="code file apache"><span class="co1"># REST/SOAP functions for insert/delete/list notifications (disabled by default)</span>
&lt;<span class="kw3">LocationMatch</span> ^/(index\.fcgi/)?notifications&gt;
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 192.168.2.0/<span class="nu0">24</span>
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<h4 id="json_notifications_through_rest">JSON notifications through REST</h4>
<div class="level4">
<p>
Using JSON, you just have to POST json files.
</p>
&lt;<span class="kw3">IfVersion</span> &gt;= <span class="nu0">2.3</span>&gt;
<span class="kw1">Require</span> ip 192.168.2.0/<span class="nu0">24</span>
&lt;/<span class="kw3">IfVersion</span>&gt;
&lt;<span class="kw3">IfVersion</span> &lt; <span class="nu0">2.3</span>&gt;
<span class="kw1">Order</span> <span class="kw1">Deny</span>,<span class="kw1">Allow</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 192.168.2.0/<span class="nu0">24</span>
&lt;/<span class="kw3">IfVersion</span>&gt;
&lt;/<span class="kw3">LocationMatch</span>&gt;</pre>
</div>
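Review bot: the Apache block is the only access control offered for an endpoint the note just above says requires no authentication, and two caveats are missing. `Require ip 192.168.2.0/24` authorises by source address only: when Apache sits behind a reverse proxy or load balancer every request arrives from the proxy's address, so the allowlist must be evaluated against the real client address (or the endpoint kept on an internal-only vhost), otherwise it lets everyone through. The regex `^/(index\.fcgi/)?notifications` is deliberately not end-anchored with `$`, which is what makes the same block also cover the `/notifications/<uid>` and `/notifications/<uid>/<reference>` paths introduced further down; the sentence "you have to protect this URL" should say so, and should mention that an NGINX deployment needs an equivalent `location` block with `allow`/`deny`, since none is given. Good that the old snippet's mismatched `</Location>` is now `</LocationMatch>`; Apache rejects a `<LocationMatch>` section closed by `</Location>` at config test.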
@ -382,12 +383,12 @@ Using JSON, you just have to POST json files.
<div class="level4">
<p>
If you use old XML format, new notifications can be inserted using SOAP request.
If you use old XML format, new notifications can be inserted or deleted by using SOAP request, once SOAP is activated:
</p>
</div>
<h5 id="insertion_example_in_perl">Insertion example in Perl</h5>
<h5 id="insertion_example_in_perl">* Insertion example in Perl</h5>
<div class="level5">
<pre class="code perl"><span class="co1">#!/usr/bin/perl</span>
&nbsp;
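Review bot: the new heading text carries a literal `* ` ("* Insertion example in Perl"), which reads as stray wiki bullet markup inside an `<h5>`; the same applies to the deletion heading and the three REST headings in the following hunks. Wording: "inserted or deleted by using SOAP request" should read "inserted or deleted with a SOAP request".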
@ -419,14 +420,10 @@ If you use old XML format, new notifications can be inserted using SOAP request.
<a href="http://perldoc.perl.org/functions/print.html"><span class="kw3">print</span></a> <span class="st0">&quot;$res notification(s) have been inserted<span class="es0">\n</span>&quot;</span><span class="sy0">;</span>
<span class="br0">&#125;</span></pre>
<p>
You can also delete some notifications with SOAP, once SOAP is activated:
</p>
</div>
<h4 id="deletion_example_in_perl">Deletion example in Perl</h4>
<div class="level4">
<h5 id="deletion_example_in_perl">* Deletion example in Perl</h5>
<div class="level5">
<pre class="code perl"><span class="co1">#!/usr/bin/perl</span>
&nbsp;
<span class="kw2">use</span> SOAP<span class="sy0">::</span><span class="me2">Lite</span><span class="sy0">;</span>
@ -448,12 +445,72 @@ You can also delete some notifications with SOAP, once SOAP is activated:
<span class="br0">&#125;</span></pre>
</div>
<!-- EDIT9 SECTION "Notification server" [6833-8968] -->
<h4 id="json_notifications_trough_rest">JSON notifications trough REST</h4>
<div class="level4">
<p>
REST server provides three <abbr title="Application Programming Interface">API</abbr> to insert (POST), delete (DELETE) or list (GET) notification(s).
HTTP methods can enabled/disabled in Manager, <code>General Parameters</code> » <code>Plugins</code> » <code>Notifications</code> » <code>Server</code> » <code>HTTP methods</code>.
</p>
<p>
Notifications parameters returned by <code>GET</code> method can be specfied in Manager, <code>General Parameters</code> » <code>Plugins</code> » <code>Notifications</code> » <code>Server</code> » <code>Notifications parameters to send</code>. By default: &#039;uid reference date title subtitle text check&#039;
</p>
</div>
<h5 id="insertion_example_with_rest_api">* Insertion example with REST API</h5>
<div class="level5">
<p>
Using JSON, you just have to POST json files.
</p>
<p>
For example with curl:
</p>
<pre class="code">curl -X POST -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; -d @notif.json http://auth.example.com/notifications</pre>
</div>
<h5 id="deletion_example_with_rest_api">* Deletion example with REST API</h5>
<div class="level5">
<p>
DELETE <abbr title="Application Programming Interface">API</abbr> is available with LLNG ≥ 2.0.6
</p>
<p>
For example with curl:
</p>
<pre class="code">curl -X DELETE -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/&lt;uid&gt;/&lt;reference&gt;</pre>
</div>
<h5 id="list_example_with_rest_api">* List example with REST API</h5>
<div class="level5">
<p>
GET <abbr title="Application Programming Interface">API</abbr> is available with LLNG ≥ 2.0.6
</p>
<p>
For example with curl:
</p>
<pre class="code">curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/&lt;uid&gt;
curl -X GET -H &quot;Content-Type: application/json&quot; -H &quot;Accept: application/json&quot; http://auth.example.com/notifications/&lt;uid&gt;/&lt;reference&gt;</pre>
</div>
<!-- EDIT9 SECTION "Notification server" [6928-10646] -->
<h3 class="sectionedit10" id="test_notification">Test notification</h3>
<div class="level3">
<p>
You&#039;ve simply to insert a notification and connect to the portal using the same UID. You will be prompted.
You&#039;ve just to insert a notification and connect to the portal using the same UID. You will be prompted.
</p>
<p>
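Review bot: the curl examples target `http://auth.example.com/notifications` while the section intro gives the server URL as `https://auth.your.domain/notifications`; the endpoint is unauthenticated and the payloads carry user identifiers, so the examples should use https and the same host name. The new heading id `json_notifications_trough_rest` (and its text) misspell "through"; besides the typo, the id differs from the anchor `#json_notifications_through_rest` of the `<h4>` removed earlier in this diff, so existing links to that anchor break. Grammar: "three API" → "three APIs", "HTTP methods can enabled/disabled" → "HTTP methods can be enabled or disabled", "specfied" → "specified", and the test paragraph "You've just to insert a notification" → "You just have to insert a notification". The DELETE and GET examples send `Content-Type: application/json` with no body; `Accept` alone is enough there. Since DELETE removes a user's pending notification by uid and reference with no other check, it is worth stating that the IP restriction shown in the Apache block must cover all three methods, not only POST.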
@ -461,10 +518,10 @@ You&#039;ve simply to insert a notification and connect to the portal using the
</p>
<p>
Try also to create a global notification (to the uid “allusers”), and connect with any user, the message will be prompted.
Try also to create a global notification (to the uid &quot;allusers&quot;), and connect with any user, the message will be prompted.
</p>
</div>
<!-- EDIT10 SECTION "Test notification" [8969-] --></div>
<!-- EDIT10 SECTION "Test notification" [10647-] --></div>
</body>
</html>
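Review bot: "connect with any user, the message will be prompted" should read "connect with any user: the message will be displayed", and the same "You will be prompted" wording in the hunk above means "the notification will be displayed".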


@ -76,6 +76,7 @@
</ul>
</li>
<li class="level2"><div class="li"><a href="#ldap_performances">LDAP performances</a></div></li>
<li class="level2"><div class="li"><a href="#nginx_performances">NGINX performances</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#manager_performances">Manager performances</a></div>
@ -118,7 +119,7 @@ LLNG uses different cache systems to avoid querying to many the databases:
</tr>
</thead>
<tr class="row2 roweven">
<th class="col0 centeralign"> Configuration </th><td class="col1 centeralign"> <code>checkTime</code> </td><td class="col2 centeralign"> 10 minutes </td><td class="col3 leftalign"> </td><td class="col4 centeralign"> Until “reload” order </td><td class="col5 centeralign"></td>
<th class="col0 centeralign"> Configuration </th><td class="col1 centeralign"> <code>checkTime</code> </td><td class="col2 centeralign"> 10 minutes </td><td class="col3 leftalign"> </td><td class="col4 centeralign"> Until &quot;reload&quot; order </td><td class="col5 centeralign"></td>
</tr>
<tr class="row3 rowodd">
<th class="col0 centeralign"> Session </th><td class="col1 centeralign"> <code>handlerInternalCache</code> </td><td class="col2 centeralign"> 15 seconds </td><td class="col3 centeralign"> <code>default_expires_in</code>(*) </td><td class="col4 centeralign"> 10 minutes </td><td class="col5 centeralign"></td>
@ -175,7 +176,7 @@ For Nginx, you can use another auth server instead of llng-fastcgi-server. See:
</p>
<p>
To increase handler performance, you can disable “Sessions activity timeout” to prevent it from writing to the session database.
To increase handler performance, you can disable &quot;Sessions activity timeout&quot; to prevent it from writing to the session database.
</p>
<p>
@ -195,7 +196,7 @@ Macros and groups are calculated during authentication process by the portal:
</li>
<li class="level1"><div class="li"> macros can also be used to import environment variables <em>(these variables are in CGI format)</em>. Example: <code>$ENV{HTTP_COOKIE}</code></div>
</li>
<li class="level1"><div class="li"> groups are stored as space-separated strings in the special attribute “groups”: it contains the names of groups whose rules were returned true for the current user</div>
<li class="level1"><div class="li"> groups are stored as space-separated strings in the special attribute &quot;groups&quot;: it contains the names of groups whose rules were returned true for the current user</div>
</li>
<li class="level1"><div class="li"> You can also get groups in <code>$hGroups</code> which is a Hash Reference of this form:</div>
</li>
@ -241,7 +242,7 @@ admin <span class="sy0">-&gt;</span> <span class="re0">$uid</span> <span class="
<span class="co1"># Or with hGroups</span>
<span class="sy0">^/</span>admin <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/defined.html"><span class="kw3">defined</span></a> <span class="re0">$hGroups</span><span class="sy0">-&gt;</span><span class="br0">&#123;</span><span class="st_h">'admin'</span><span class="br0">&#125;</span></pre>
<div class="noteclassic">Groups are computed after macros, so a group rule may involve a macro value.
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro “macro1” will be computed before macro “macro2”: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div><div class="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro &quot;macro1&quot; will be computed before macro &quot;macro2&quot;: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div>
</div>
<!-- EDIT8 SECTION "Macros and groups" [2377-4471] -->
@ -307,7 +308,7 @@ Lemonldap::NG handlers use a local cache to store sessions (for 10 minutes). So
<div class="level4">
<p>
In “Apache::Session module” field, set “<a href="https://metacpan.org/module/Apache::Session::Flex" class="urlextern" title="https://metacpan.org/module/Apache::Session::Flex" rel="nofollow">Apache::Session::Flex</a> and use the following parameters:
In &quot;Apache::Session module&quot; field, set &quot;<a href="https://metacpan.org/module/Apache::Session::Flex" class="urlextern" title="https://metacpan.org/module/Apache::Session::Flex" rel="nofollow">Apache::Session::Flex</a>&quot; and use the following parameters:
</p>
<pre class="code">Store -&gt; MySQL
Lock -&gt; Null
@ -324,7 +325,7 @@ Password -&gt; ...</pre>
<div class="level4">
<p>
<a href="https://metacpan.org/module/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable" rel="nofollow">Apache::Session::Browseable</a> is a wrapper for other Apache::Session modules that add the capability to manage indexes. Prefer versions ≥ 1.2.5 for better performances in DB cleaning. To use it (with PostgreSQL for example), choose “Apache::Session::Browseable::Postgres” as “Apache::Session module” and use the following parameters:
<a href="https://metacpan.org/module/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable" rel="nofollow">Apache::Session::Browseable</a> is a wrapper for other Apache::Session modules that add the capability to manage indexes. Prefer versions ≥ 1.2.5 for better performances in DB cleaning. To use it (with PostgreSQL for example), choose &quot;Apache::Session::Browseable::Postgres&quot; as &quot;Apache::Session module&quot; and use the following parameters:
</p>
<pre class="code">DataSource -&gt; dbi:Pg:database=sessions;host=...
UserName -&gt; user
@ -347,7 +348,7 @@ Look at <a href="browseablesessionbackend.html" class="wikilink1" title="documen
<div class="notetip">A <a href="https://metacpan.org/module/Apache::Session::Browseable::Redis" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable::Redis" rel="nofollow">Apache::Session::Browseable::Redis</a> has been created, it is the fastest (except for session explorer, defeated by Apache::Session::Browseable::<a href="https://metacpan.org/module/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable" rel="nofollow">DBI</a>/<a href="https://metacpan.org/module/Apache::Session::Browseable::LDAP" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable::LDAP" rel="nofollow">LDAP</a>])
</div>
<p>
This test isn&#039;t an “only-backend” test but embedded some LLNG methods, so real differences between engines are mitigate here.
This test isn&#039;t an &quot;only-backend&quot; test but embedded some LLNG methods, so real differences between engines are mitigate here.
</p>
<div class="table sectionedit13"><table class="inline table table-bordered table-striped">
<thead>
@ -399,9 +400,9 @@ This test isn&#039;t an “only-backend” test but embedded some LLNG methods,
</tr>
</table></div>
<!-- EDIT13 TABLE [8945-10848] --><ul>
<li class="level1"><div class="li"> <em><strong>(1) :</strong> “purge” test is done with Apache::Session::Browseable-1.2.5 and LLG-2.0. Earlier results are not so good.</em></div>
<li class="level1"><div class="li"> <em><strong>(1) :</strong> &quot;purge&quot; test is done with Apache::Session::Browseable-1.2.5 and LLG-2.0. Earlier results are not so good.</em></div>
</li>
<li class="level1"><div class="li"> <em><strong>(2) :</strong> “purge” test is done with Apache::Session::Browseable-1.2.6 and LLG-2.0.</em></div>
<li class="level1"><div class="li"> <em><strong>(2) :</strong> &quot;purge&quot; test is done with Apache::Session::Browseable-1.2.6 and LLG-2.0.</em></div>
</li>
</ul>
@ -409,9 +410,9 @@ This test isn&#039;t an “only-backend” test but embedded some LLNG methods,
Analysis:
</p>
<ul>
<li class="level1"><div class="li"> LDAP servers are “write-once-read-many”, so write performances are very bad. Don&#039;t use this on heavy load if “Session activity timeout” is enabled <em>(if set, handler “write” sessions)</em></div>
<li class="level1"><div class="li"> LDAP servers are &quot;write-once-read-many&quot;, so write performances are very bad. Don&#039;t use this on heavy load if &quot;Session activity timeout&quot; is enabled <em>(if set, handler &quot;write&quot; sessions)</em></div>
</li>
<li class="level1"><div class="li"> MySQL/MariaDB is better to read than to write. Prefer PostgreSQL if you use “Session activity timeout”</div>
<li class="level1"><div class="li"> MySQL/MariaDB is better to read than to write. Prefer PostgreSQL if you use &quot;Session activity timeout&quot;</div>
</li>
<li class="level1"><div class="li"> Logged tables decrease a lot insert performances with PostgreSQL, so use unlogged tables for sessions except for persistent sessions</div>
</li>
@ -427,7 +428,7 @@ Analysis:
<div class="level3">
<p>
LDAP server can slow you down when you use LDAP groups retrieval. You can avoid this by setting “memberOf” fields in your LDAP scheme:
LDAP server can slow you down when you use LDAP groups retrieval. You can avoid this by setting &quot;memberOf&quot; fields in your LDAP scheme:
</p>
<pre class="code ldif"><span class="re0">dn</span>:<span class="re1"> uid=foo,dmdName=people,dc=example,dc=com</span>
...
@ -435,7 +436,7 @@ LDAP server can slow you down when you use LDAP groups retrieval. You can avoid
<span class="re0">memberOf</span>:<span class="re1"> cn=su,dmdName=groups,dc=example,dc=com</span></pre>
<p>
So instead of using LDAP groups retrieval, you just have to store “memberOf” field in your exported variables. With OpenLDAP, you can use the <a href="http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance" class="urlextern" title="http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance" rel="nofollow">memberof overlay</a> to do it automatically.
So instead of using LDAP groups retrieval, you just have to store &quot;memberOf&quot; field in your exported variables. With OpenLDAP, you can use the <a href="http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance" class="urlextern" title="http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance" rel="nofollow">memberof overlay</a> to do it automatically.
</p>
<div class="noteimportant">Don&#039;t forget to create an index on the field used to find users (uid by default)
</div><div class="notetip">To avoid having group dn stored in sessions datas, you can use a macro to rewrite memberOf:<ul>
@ -445,7 +446,7 @@ So instead of using LDAP groups retrieval, you just have to store “memberOf”
<pre class="code">ldapgroups -&gt; memberOf</pre>
<p>
For now, ldapgroups contains “cn=admin,dmdName=groups,dc=example,dc=com cn=su,dmdName=groups,dc=example,dc=com”
For now, ldapgroups contains &quot;cn=admin,dmdName=groups,dc=example,dc=com cn=su,dmdName=groups,dc=example,dc=com&quot;
</p>
<ul>
<li class="level1"><div class="li"> A little macro:</div>
@ -454,18 +455,54 @@ For now, ldapgroups contains “cn=admin,dmdName=groups,dc=example,dc=com cn=su,
<pre class="code perl">ldapgroups <span class="sy0">-&gt;</span> <a href="http://perldoc.perl.org/functions/join.html"><span class="kw3">join</span></a><span class="br0">&#40;</span><span class="st0">&quot; &quot;</span><span class="sy0">,</span><span class="br0">&#40;</span><span class="re0">$ldapgroups</span> <span class="sy0">=~</span> <span class="co2">/cn=(.*?),/g</span><span class="br0">&#41;</span><span class="br0">&#41;</span></pre>
<p>
Now ldapgroups contains “admin su”
Now ldapgroups contains &quot;admin su&quot;
</p>
</div>
</div>
<!-- EDIT14 SECTION "LDAP performances" [11627-12761] -->
<h2 class="sectionedit15" id="manager_performances">Manager performances</h2>
<h3 class="sectionedit15" id="nginx_performances">NGINX performances</h3>
<div class="level3">
<p>
To increase launch by web browser, for example to load js, css, or fonts, Gzip compression can be activated.
</p>
<p>
Edit file /etc/nginx/mime.types
Check those lines or add :
</p>
<pre class="code perl">application<span class="sy0">/</span>vnd<span class="sy0">.</span>ms<span class="sy0">-</span>fontobject eot<span class="sy0">;</span>
application<span class="sy0">/</span>x<span class="sy0">-</span>font<span class="sy0">-</span>ttf ttf<span class="sy0">;</span>
application<span class="sy0">/</span>font<span class="sy0">-</span>woff woff<span class="sy0">;</span>
font<span class="sy0">/</span>opentype ott<span class="sy0">;</span></pre>
<p>
Edit file /etc/nginx/nginx.conf
</p>
<pre class="code perl">gzip on<span class="sy0">;</span> <span class="co1"># active la compression Gzip</span>
gzip_disable <span class="st0">&quot;msie6&quot;</span><span class="sy0">;</span>
&nbsp;
gzip_vary on<span class="sy0">;</span>
gzip_proxied any<span class="sy0">;</span>
gzip_comp_level <span class="nu0">6</span><span class="sy0">;</span>
gzip_buffers <span class="nu0">16</span> 8k<span class="sy0">;</span>
gzip_http_version <span class="nu0">1.1</span><span class="sy0">;</span>
gzip_min_length <span class="nu0">128</span><span class="sy0">;</span>
gzip_types text<span class="sy0">/</span>plain text<span class="sy0">/</span>css application<span class="sy0">/</span>json application<span class="sy0">/</span>javascript application<span class="sy0">/</span>x<span class="sy0">-</span>javascript text<span class="sy0">/</span>xml application<span class="sy0">/</span>xml application<span class="sy0">/</span>rss<span class="sy0">+</span>xml text<span class="sy0">/</span>javascript application<span class="sy0">/</span>vnd<span class="sy0">.</span>ms<span class="sy0">-</span>fontobject application<span class="sy0">/</span>x<span class="sy0">-</span>font<span class="sy0">-</span>ttf font<span class="sy0">/</span>opentype image<span class="sy0">/</span>jpeg image<span class="sy0">/</span>png image<span class="sy0">/</span>svg<span class="sy0">+</span>xml image<span class="sy0">/</span>x<span class="sy0">-</span>icon<span class="sy0">;</span></pre>
<p>
Restart NGINX and watch web-browser console.
</p>
</div>
<!-- EDIT15 SECTION "NGINX performances" [12762-13684] -->
<h2 class="sectionedit16" id="manager_performances">Manager performances</h2>
<div class="level2">
</div>
<!-- EDIT15 SECTION "Manager performances" [12762-12795] -->
<h3 class="sectionedit16" id="disable_unused_modules">Disable unused modules</h3>
<!-- EDIT16 SECTION "Manager performances" [13685-13718] -->
<h3 class="sectionedit17" id="disable_unused_modules">Disable unused modules</h3>
<div class="level3">
<p>
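Review bot: `font/opentype ott;` is wrong: OpenType fonts use the `otf` extension (`ott` is an OpenDocument template), and the registered types are `font/otf`, `font/ttf` and `font/woff` (RFC 8081), whereas `application/x-font-ttf` and `application/font-woff` are legacy spellings that browsers still accept. The comment `# active la compression Gzip` should be in English like the rest of the page ("# enable Gzip compression"), and both `<pre>` blocks are tagged `code perl` although they hold nginx configuration. A caveat a practitioner will want: nginx always compresses `text/html` once `gzip on` is set, so putting this in the `http` block also compresses the dynamic portal pages, not only the js/css/fonts the paragraph targets; scoping `gzip on` to the static `location` (or the static vhost) keeps the gain while leaving authenticated HTML responses uncompressed. Wording: "To increase launch by web browser" → "To speed up page loading in the browser"; "Check those lines or add :" → "check that these lines are present, or add them:"; "Restart NGINX and watch web-browser console" → "Restart NGINX and check the `Content-Encoding: gzip` header in the browser's developer tools".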
@ -475,8 +512,8 @@ In lemonldap-ng.ini, set only modules that you will use. By default, configurati
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions</span></pre>
</div>
<!-- EDIT16 SECTION "Disable unused modules" [12796-13057] -->
<h3 class="sectionedit17" id="use_static_html_files">Use static HTML files</h3>
<!-- EDIT17 SECTION "Disable unused modules" [13719-13980] -->
<h3 class="sectionedit18" id="use_static_html_files">Use static HTML files</h3>
<div class="level3">
<p>
@ -502,6 +539,6 @@ So manager <abbr title="HyperText Markup Language">HTML</abbr> templates will be
</p>
</div>
<!-- EDIT17 SECTION "Use static HTML files" [13058-] --></div>
<!-- EDIT18 SECTION "Use static HTML files" [13981-] --></div>
</body>
</html>


@ -74,13 +74,13 @@ You can now write a custom portal plugin that will hook in the authentication pr
<ul>
<li class="level1"><div class="li"> <code>beforeAuth</code>: method called before authentication process</div>
</li>
<li class="level1"><div class="li"> <code>betweenAuthAndData</code>: method called after authentication and before setting “sessionInfo” provisionning</div>
<li class="level1"><div class="li"> <code>betweenAuthAndData</code>: method called after authentication and before setting &quot;sessionInfo&quot; provisionning</div>
</li>
<li class="level1"><div class="li"> <code>afterData</code>: method called after “sessionInfo” provisionning</div>
<li class="level1"><div class="li"> <code>afterData</code>: method called after &quot;sessionInfo&quot; provisionning</div>
</li>
<li class="level1"><div class="li"> <code>endAuth</code>: method called when session is validated (after cookie build)</div>
</li>
<li class="level1"><div class="li"> <code>authCancel</code>: method called when user click on “cancel” during auth process</div>
<li class="level1"><div class="li"> <code>authCancel</code>: method called when user click on &quot;cancel&quot; during auth process</div>
</li>
<li class="level1"><div class="li"> <code>forAuthUser</code>: method called for already authenticated users</div>
</li>
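Review bot: this hunk only swaps the quote characters but keeps the spelling "provisionning" on both the `betweenAuthAndData` and `afterData` lines; correct it to "provisioning" while touching these lines, and "when user click on" → "when the user clicks on".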


@ -62,6 +62,8 @@
<li class="level2"><div class="li"><a href="#template_parameters">Template parameters</a></div></li>
<li class="level1"><div class="li"><a href="#buttons">Buttons</a></div></li>
<li class="level1"><div class="li"><a href="#password_management">Password management</a></div></li>
<li class="level2"><div class="li"><a href="#general">General</a></div></li>
<li class="level2"><div class="li"><a href="#password_policy">Password Policy</a></div></li>
<li class="level1"><div class="li"><a href="#other_parameters">Other parameters</a></div></li>
</ul>
</div>
@ -147,8 +149,19 @@ Go in <code>General Parameters</code> &gt; <code>Portal</code> &gt; <code>Custom
<img src="documentation/manager-skin-background.png" class="mediacenter" alt="" />
</p>
<p>
To set your own background, copy your file in <code>/usr/share/lemonldap-ng/portal/htdocs/skins/common/backgrounds/</code> and register it in <code>/etc/lemonldap-ng/lemonldap-ng.ini</code>:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">portalSkinBackground</span> <span class="sy0">=</span><span class="re2"> file.png</span></pre>
<p>
You can also use <code>lemonldap-ng-cli</code>:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set portalSkinBackground file.png</pre>
</div>
<!-- EDIT6 SECTION "Skin background" [1193-1494] -->
<!-- EDIT6 SECTION "Skin background" [1193-1862] -->
<h3 class="sectionedit7" id="skin_rules">Skin rules</h3>
<div class="level3">
@ -157,7 +170,7 @@ You might want to display different skin depending on the <abbr title="Uniform R
</p>
<p>
To achieve this, you can create a rule in the Manager: select <code>General Parameters</code> &gt; <code>Portal</code> &gt; <code>Customization</code> &gt; <code>Skin display rules</code> on click on “New key”. Then fill the two fields;
To achieve this, you can create a rule in the Manager: select <code>General Parameters</code> &gt; <code>Portal</code> &gt; <code>Customization</code> &gt; <code>Skin display rules</code> on click on &quot;New key&quot;. Then fill the two fields;
</p>
<ul>
<li class="level1"><div class="li"> <strong>Rule</strong>: a Perl expression (you can use %ENV hash to get environment variables, or $_url to get <abbr title="Uniform Resource Locator">URL</abbr> called before redirection, or $ipAddr to use user <abbr title="Internet Protocol">IP</abbr> address). If the rule evaluation is true, the corresponding skin is applied.</div>
@ -167,7 +180,7 @@ To achieve this, you can create a rule in the Manager: select <code>General Para
</ul>
</div>
<!-- EDIT7 SECTION "Skin rules" [1495-2137] -->
<!-- EDIT7 SECTION "Skin rules" [1863-2505] -->
<h3 class="sectionedit8" id="skin_files">Skin files</h3>
<div class="level3">
@ -190,7 +203,7 @@ A skin will often refer to the <code>common</code> skin, which is not a real ski
</p>
</div>
<!-- EDIT8 SECTION "Skin files" [2138-2472] -->
<!-- EDIT8 SECTION "Skin files" [2506-2840] -->
<h3 class="sectionedit9" id="skin_customization">Skin customization</h3>
<div class="level3">
<div class="noteimportant">If you modify directly the skin files, your modifications will certainly be erased on the next upgrade. The best is to create your own skin, based on an existing skin.
@ -263,7 +276,7 @@ To configure your new skin in Manager, select the custom skin, and enter your sk
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set portalSkin &#039;myskin&#039; portalSkinBackground &#039;&#039;</pre>
</div>
<!-- EDIT9 SECTION "Skin customization" [2473-4450] -->
<!-- EDIT9 SECTION "Skin customization" [2841-4818] -->
<h3 class="sectionedit10" id="messages">Messages</h3>
<div class="level3">
@ -314,7 +327,7 @@ You can also create a file called <code>all.json</code> to override messages in
</p>
</div>
<!-- EDIT10 SECTION "Messages" [4451-5587] -->
<!-- EDIT10 SECTION "Messages" [4819-5955] -->
<h3 class="sectionedit11" id="menu_tabs">Menu tabs</h3>
<div class="level3">
@ -330,7 +343,7 @@ This will allow one to display the tab directly with this <abbr title="Uniform R
</p>
</div>
<!-- EDIT11 SECTION "Menu tabs" [5588-5894] -->
<!-- EDIT11 SECTION "Menu tabs" [5956-6262] -->
<h3 class="sectionedit12" id="template_parameters">Template parameters</h3>
<div class="level3">
@ -358,7 +371,7 @@ You can also display environment variables, with the prefix <code>env_</code>:
<pre class="code file html4strict">Your IP is <span class="sc2">&lt;TMPL_VAR <span class="kw3">NAME</span><span class="sy0">=</span><span class="st0">&quot;env_REMOTE_ADDR&quot;</span>&gt;</span></pre>
</div>
<!-- EDIT12 SECTION "Template parameters" [5895-6542] -->
<!-- EDIT12 SECTION "Template parameters" [6263-6910] -->
<h2 class="sectionedit13" id="buttons">Buttons</h2>
<div class="level2">
@ -375,9 +388,14 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT13 SECTION "Buttons" [6543-7059] -->
<!-- EDIT13 SECTION "Buttons" [6911-7427] -->
<h2 class="sectionedit14" id="password_management">Password management</h2>
<div class="level2">
</div>
<!-- EDIT14 SECTION "Password management" [7428-7460] -->
<h3 class="sectionedit15" id="general">General</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Require old password</strong>: used only in the password changing module of the menu, will check the old password before updating it</div>
</li>
@ -388,8 +406,26 @@ This node allows one to enable/disable buttons on the login page:
</ul>
</div>
<!-- EDIT14 SECTION "Password management" [7060-7510] -->
<h2 class="sectionedit15" id="other_parameters">Other parameters</h2>
<!-- EDIT15 SECTION "General" [7461-7896] -->
<h3 class="sectionedit16" id="password_policy">Password Policy</h3>
<div class="level3">
<div class="notetip">Available since version 2.0.6
</div><ul>
<li class="level1"><div class="li"> <strong>Minimal size</strong>: leave 0 to bypass the check</div>
</li>
<li class="level1"><div class="li"> <strong>Minimal lower characters</strong>: leave 0 to bypass the check</div>
</li>
<li class="level1"><div class="li"> <strong>Minimal upper characters</strong>: leave 0 to bypass the check</div>
</li>
<li class="level1"><div class="li"> <strong>Minimal digit characters</strong>: leave 0 to bypass the check</div>
</li>
<li class="level1"><div class="li"> <strong>Display policy in password form</strong>: enable this to display an information message about password policy constraints</div>
</li>
</ul>
</div>
<!-- EDIT16 SECTION "Password Policy" [7897-8329] -->
<h2 class="sectionedit17" id="other_parameters">Other parameters</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> <strong>User attribute</strong>: which session attribute will be used to display <code>Connected as</code> in the menu</div>
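Review bot: the four policy items are phrased as "Minimal lower characters" and so on; "Minimum number of lowercase characters" (and uppercase, digits) is clearer and says the value is a count. The list should also state where the policy is enforced, whether on the menu's password change form only or also on the password reset by mail form, so that an administrator knows which paths a policy set here covers.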
@ -400,13 +436,13 @@ This node allows one to enable/disable buttons on the login page:
</li>
<li class="level1"><div class="li"> <strong>Ping interval</strong>: Number of milliseconds between each ping (Ajax request) on the portal menu. Set to 0 to dismiss checks.</div>
</li>
<li class="level1"><div class="li"> <strong>Show error on expired session</strong>: Display the error “Session expired”, which stops the authentication process. This is enabled by default but can be disabled to prevent transparent authentication (like SSL or Kerberos) to be stopped.</div>
<li class="level1"><div class="li"> <strong>Show error on expired session</strong>: Display the error &quot;Session expired&quot;, which stops the authentication process. This is enabled by default but can be disabled to prevent transparent authentication (like SSL or Kerberos) to be stopped.</div>
</li>
<li class="level1"><div class="li"> <strong>Show error on mail not found</strong>: Display error if provided mail is not found in password reset by mail process. Disabled by default to prevent mail enumeration from this page.</div>
</li>
</ul>
</div>
<!-- EDIT15 SECTION "Other parameters" [7511-] --></div>
<!-- EDIT17 SECTION "Other parameters" [8330-] --></div>
</body>
</html>
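Review bot: the "Show error on expired session" item keeps the grammar problem of the line it replaces: "can be disabled to prevent transparent authentication (like SSL or Kerberos) to be stopped" should read "can be disabled so that transparent authentication (such as SSL or Kerberos) is not interrupted". Since the line is only being touched to swap the quote characters, fix the wording in the same change.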

View File

@ -113,7 +113,7 @@ Application parameters:
</li>
<li class="level2"><div class="li"> <strong>off</strong>: never display</div>
</li>
<li class="level2"><div class="li"> <strong>rule</strong>: specify a <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rule</a> or “sp: &lt;name&gt;” where “name” is the key name of the service provider, the corresponding rule will be applied <em>(available for <abbr title="Central Authentication Service">CAS</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect)</em></div>
<li class="level2"><div class="li"> <strong>rule</strong>: specify a <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">rule</a> or &quot;sp: &lt;name&gt;&quot; where &quot;name&quot; is the key name of the service provider, the corresponding rule will be applied <em>(available for <abbr title="Central Authentication Service">CAS</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect)</em></div>
</li>
</ul>
</li>

View File

@ -0,0 +1,129 @@
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:radius2f</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,radius2f"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="radius2f.html"/>
<link rel="contents" href="radius2f.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:radius2f","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#prerequisites_and_dependencies">Prerequisites and dependencies</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuration1">Configuration</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="radius_as_second_factor">Radius as Second Factor</h1>
<div class="level1">
<p>
Some proprietary, OTP-based second factor implementations expose a Radius server that allow an authenticating application (such as LemonLDAP::NG) to verify the validity of an OTP using the standard Radius protocol.
</p>
<div class="notetip">This page is about using Radius to connect to an external 2FA system for the <em>second factor only</em>. If your 2FA system works by concatenating the user&#039;s password and their OTP (LinOTP), you should probably be using <a href="authradius.html" class="wikilink1" title="documentation:2.0:authradius">regular Radius authentication</a> instead
</div>
<p>
After choosing the Radius second factor type, the user is prompted with a code that will be checked against the Radius server.
</p>
</div>
<!-- EDIT1 SECTION "Radius as Second Factor" [1-672] -->
<h2 class="sectionedit2" id="prerequisites_and_dependencies">Prerequisites and dependencies</h2>
<div class="level2">
<p>
This feature uses <code>Authen::Radius</code>. Before enable it, on Debian you must install it :
</p>
<p>
For CentOS/RHEL:
</p>
<pre class="code shell">yum install perl-Authen-Radius</pre>
<p>
In Debian/Ubuntu, install the library through apt-get command
</p>
<pre class="code shell">apt-get install libauthen-radius-perl</pre>
</div>
<!-- EDIT2 SECTION "Prerequisites and dependencies" [673-998] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [999-1025] -->
<h3 class="sectionedit4" id="configuration1">Configuration</h3>
<div class="level3">
<p>
All parameters are configured in &quot;General Parameters » Second factors » Mail second factor&quot;.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: Set to <code>On</code> to activate this module, or use a specific rule to select which users may use this type of second factor</div>
</li>
<li class="level1"><div class="li"> <strong>Server hostname</strong>: The hostname of the Radius server</div>
</li>
<li class="level1"><div class="li"> <strong>Shared secret</strong>: The secret key shared with the Radius server</div>
</li>
<li class="level1"><div class="li"> <strong>Session key containing login</strong> (Optional): When verifying the OTP code against the Radius server, use this attribute as the login and the OTP code as password. By default, the attribute designated as <code>whatToTrace</code> is used.</div>
</li>
<li class="level1"><div class="li"> <strong>Authentication timeout</strong> (Optional) : </div>
</li>
<li class="level1"><div class="li"> <strong>Authentication level</strong> (Optional): if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
<li class="level1"><div class="li"> <strong>Logo</strong> (Optional): logo file <em>(in static/&lt;skin&gt; directory)</em></div>
</li>
<li class="level1"><div class="li"> <strong>Label</strong> (Optional): label that should be displayed to the user on the choice screen</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Configuration" [1026-] --></div>
</body>
</html>
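Review bot: the Configuration section of the new radius2f.html points to the wrong manager node: "All parameters are configured in "General Parameters » Second factors » Mail second factor"" was copied from the mail 2F page and should name the Radius second factor node. In the same file, the "Authentication timeout (Optional) :" item has no description at all, so the unit and the default are undocumented, although this value decides when a verification against the Radius server is treated as failed and deserves a sentence; the prerequisites intro "Before enable it, on Debian you must install it :" is immediately followed by the CentOS/RHEL command, so drop "on Debian" and write "Before enabling it, install it:"; and "Configuration" appears as both an h2 and an h3 (and twice in the TOC), one of which should go. In the template head, the useexternallibs branch loads jQuery and jQuery UI from http://code.jquery.com/... without an integrity attribute, so if that branch is ever enabled the portal fetches executable script over a channel that can be tampered with in transit; use https:// and a Subresource Integrity hash. The same branch has a stray `</script>` after the bootstrap stylesheet `<link>`.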

View File

@ -92,7 +92,7 @@ As the definition of access rules is free in LemonLDAP::NG, you can implement an
<div class="level3">
<p>
Imagine you&#039;ve set your directory schema to store roles as values of an attribute of the user, for example “description”. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (&#039;;&#039; is the concatenation string):
Imagine you&#039;ve set your directory schema to store roles as values of an attribute of the user, for example &quot;description&quot;. This is simple because you can send the role to the application by creating a HTTP header (for example Auth-Role) with the concatenated values (&#039;;&#039; is the concatenation string):
</p>
<pre class="code">Auth-Roles =&gt; $description</pre>
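Review bot: the header name is inconsistent between the prose and the example in this hunk: the text says "creating a HTTP header (for example Auth-Role)" while the code block shows `Auth-Roles => $description`. Use one name in both places, and "a HTTP header" should be "an HTTP header".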
@ -163,7 +163,7 @@ A user is attached to a role if its <abbr title="Distinguished Name">DN</abbr> i
</p>
<p>
So imagine the user coudot is “user” on application “BBB” and “admin” on application “<abbr title="Authentication Authorization Accounting">AAA</abbr>.
So imagine the user coudot is &quot;user&quot; on application &quot;BBB&quot; and &quot;admin&quot; on application &quot;<abbr title="Authentication Authorization Accounting">AAA</abbr>&quot;.
</p>
</div>

View File

@ -145,7 +145,7 @@ These parameters can be configured in Manager, in <code>General Parameters</code
</div><ul>
<li class="level1"><div class="li"> <strong>Redirection message</strong>: The redirection from portal can be done either with code 303 (See Other), or with a JavaScript redirection. Often the redirection takes some time because it is user&#039;s first access to the protected app, so a new app session has to be created : JavaScript redirection improves user experience by informing that authentication is performed, and by preventing from clicking again on the button because it is too slow.</div>
</li>
<li class="level1"><div class="li"> <strong>Keep redirections for Ajax</strong>: By default, when an Ajax request is done on the portal for an unauthenticated user (after a redirection done by the handler), a 401 code will be sentwith a <code>WWW-Authenticate</code> header containing <abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;. Set this option to 1 to keep the old behavior (return of <abbr title="HyperText Markup Language">HTML</abbr> code).</div>
<li class="level1"><div class="li"> <strong>Keep redirections for Ajax</strong>: By default, when an Ajax request is done on the portal for an unauthenticated user (after a redirection done by the handler), a 401 code will be sentwith a <code>WWW-Authenticate</code> header containing &quot;<abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;&quot;. Set this option to 1 to keep the old behavior (return of <abbr title="HyperText Markup Language">HTML</abbr> code).</div>
</li>
<li class="level1"><div class="li"> <strong>Skip re-auth confirmation</strong>: by default, when re-authentication is needed, a confirmation screen is displayed to let user accept the re-authentication. If you enable this option, user will be directly redirected to login page.</div>
</li>
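Review bot: the "Keep redirections for Ajax" item still contains the typo "sentwith" (should be "sent with") in both the removed and the added version of the line; since the line is being rewritten for the quote change anyway, fix it here.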

View File

@ -56,7 +56,7 @@
This feature is a page that allows a user to create an account. The steps are the following:
</p>
<ol>
<li class="level1"><div class="li"> User click on the button “Create a new account”</div>
<li class="level1"><div class="li"> User click on the button &quot;Create a new account&quot;</div>
</li>
<li class="level1"><div class="li"> He enters first name, last name and email</div>
</li>
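Review bot: "User click on the button "Create a new account"" should be "The user clicks on the button ...", and the following step "He enters first name, last name and email" reads better as "The user enters ...". The hunk only changes the quote characters, so the grammar can be corrected in the same line.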
@ -74,7 +74,7 @@ This feature is a page that allows a user to create an account. The steps are th
<div class="level2">
<p>
You can enable the “Create your account” button in <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization parameters</a>.
You can enable the &quot;Create your account&quot; button in <a href="portalcustom.html" class="wikilink1" title="documentation:2.0:portalcustom">portal customization parameters</a>.
</p>
<p>

View File

@ -188,7 +188,7 @@ Go to <a href="https://federation.renater.fr/registry" class="urlextern" title="
<p>
Configure <abbr title="LemonLDAP::NG">LL::NG</abbr> as <abbr title="Security Assertion Markup Language">SAML</abbr> Identity Provider with this <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">documentation</a>. You don&#039;t need to declare any SP for the moment.
</p>
<div class="noteimportant">If your <abbr title="LemonLDAP::NG">LL::NG</abbr> server will act as SP and IDP inside Renater federation, you need to set the advanced parameter “Override Entity ID for IDP”. Indeed, Renater do not allow to register a SP and an IDP with the same entityID.
<div class="noteimportant">If your <abbr title="LemonLDAP::NG">LL::NG</abbr> server will act as SP and IDP inside Renater federation, you need to set the advanced parameter &quot;Override Entity ID for IDP&quot;. Indeed, Renater do not allow to register a SP and an IDP with the same entityID.
</div>
</div>
<!-- EDIT8 SECTION "LL::NG configuration" [3791-4198] -->
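Review bot: "Indeed, Renater do not allow to register a SP and an IDP with the same entityID" should be "Renater does not allow registering an SP and an IDP with the same entityID"; the line is already being rewritten for the quote change.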

View File

@ -128,6 +128,8 @@ If you define mail contents in Manager, <abbr title="HyperText Markup Language">
</li>
<li class="level2"><div class="li"> <strong>Validity time of a password reset request</strong>: number of seconds for password reset request validity. During this period, user can ask the confirmation mail to be resent (default: session timeout value)</div>
</li>
<li class="level2"><div class="li"> <strong>Display generate password box</strong>: display a checkbox to allow user to generate a new password instead of choosing one (default: disabled)</div>
</li>
<li class="level2"><div class="li"> <strong>Regexp for password generation</strong>: Regular expression used to generate the password (default: [A-Z]{3}[a-z]{5}.\d{2})</div>
</li>
</ul>
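Review bot: the new "Regexp for password generation" item documents the default [A-Z]{3}[a-z]{5}.\d{2} without saying which character set the `.` token draws from, and the strength of every generated password depends entirely on this pattern, so the text should say so and warn that a narrower pattern weakens all generated passwords. It should also state whether a generated password is subject to the Password Policy checks introduced in this merge (minimal size, lowercase, uppercase and digit counts) and, if so, that the pattern has to satisfy them, otherwise an administrator can configure a generator whose output the portal's own policy rejects.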

View File

@ -70,7 +70,7 @@ This plugin can be used to append a second factor authentication device like SMS
<div class="level3">
<p>
All parameters are set in “General Parameters » Portal Parameters » Second Factors » REST 2nd Factor”.
All parameters are set in &quot;General Parameters » Portal Parameters » Second Factors » REST 2nd Factor&quot;.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong></div>
@ -83,14 +83,16 @@ All parameters are set in “General Parameters » Portal Parameters » Second F
</li>
<li class="level1"><div class="li"> <strong>Verify arguments</strong>: list of arguments to send <em>(see below)</em></div>
</li>
<li class="level1"><div class="li"> <strong>Authentication Level</strong>: if you want to overwrite the value sent by your authentication module, you can define here a new authentication level. Example: 5</div>
<li class="level1"><div class="li"> <strong>Authentication level</strong> (Optional): if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
<li class="level1"><div class="li"> <strong>Logo</strong> (optional): logo file <em>(in static/&lt;skin&gt; directory)</em></div>
<li class="level1"><div class="li"> <strong>Logo</strong> (Optional): logo file <em>(in static/&lt;skin&gt; directory)</em></div>
</li>
<li class="level1"><div class="li"> <strong>Label</strong> (Optional): label that should be displayed to the user on the choice screen</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Configuration" [199-908] -->
<!-- EDIT2 SECTION "Configuration" [199-1010] -->
<h2 class="sectionedit3" id="arguments">Arguments</h2>
<div class="level2">
@ -100,12 +102,12 @@ Arguments are a list of key/value. Key is the name of JSON entry, value is attri
<div class="noteimportant">For Verify <abbr title="Uniform Resource Locator">URL</abbr>, you should send $code at least
</div>
</div>
<!-- EDIT3 SECTION "Arguments" [909-1103] -->
<!-- EDIT3 SECTION "Arguments" [1011-1205] -->
<h2 class="sectionedit4" id="rest_dialog">REST Dialog</h2>
<div class="level2">
<p>
REST web services have just to reply with a “result” key in a JSON file. Auth/UserDB can add an “info” array. It will be stored in session data (without reading “Exported variables”).
REST web services have just to reply with a &quot;result&quot; key in a JSON file. Auth/UserDB can add an &quot;info&quot; array. It will be stored in session data (without reading &quot;Exported variables&quot;).
</p>
<div class="table sectionedit5"><table class="inline table table-bordered table-striped">
<thead>
@ -114,14 +116,14 @@ REST web services have just to reply with a “result” key in a JSON file. Aut
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> Init <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{“user”:$user,...}</code> </td><td class="col2"> JSON file: <code>{“result”:true/false}</code> </td>
<td class="col0 centeralign"> Init <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{&quot;user&quot;:$user,...}</code> </td><td class="col2"> JSON file: <code>{&quot;result&quot;:true/false}</code> </td>
</tr>
<tr class="row2 roweven">
<td class="col0 centeralign"> Verify <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{“user”:$user,“code”:“$code”,...}</code> </td><td class="col2"> JSON file: <code>{“result”:true/false}</code> </td>
<td class="col0 centeralign"> Verify <abbr title="Uniform Resource Locator">URL</abbr> </td><td class="col1"> JSON file: <code>{&quot;user&quot;:$user,&quot;code&quot;:&quot;$code&quot;,...}</code> </td><td class="col2"> JSON file: <code>{&quot;result&quot;:true/false}</code> </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [1314-1543] -->
<!-- EDIT5 TABLE [1416-1645] -->
</div>
<!-- EDIT4 SECTION "REST Dialog" [1104-] --></div>
<!-- EDIT4 SECTION "REST Dialog" [1206-] --></div>
</body>
</html>
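Review bot: the REST Dialog table quotes its placeholders inconsistently: Init URL shows `{"user":$user,...}` and Verify URL shows `{"user":$user,"code":"$code",...}`, with `$user` bare and `$code` quoted. Unless `$user` is really sent as a bare JSON value, quote both (`{"user":"$user",...}`) so that a reader copying the example does not produce invalid JSON.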

View File

@ -75,15 +75,27 @@ You can share your configuration over the network using REST proxy system:
<li class="level1"><div class="li"> GET /config/&lt;latest|cfgNum&gt;?full: get the full configuration</div>
</li>
</ul>
<p>
You can retrieve &quot;human readable&quot; error messages:
</p>
<ul>
<li class="level1"><div class="li"> GET /error/&lt;lang&gt;/&lt;errNum&gt;: get &lt;errNum&gt; error reference and &lt;lang&gt; errors file.</div>
</li>
</ul>
<p>
If no &lt;lang&gt; provided, &#039;en&#039; errors file is returned.
</p>
<div class="notetip">Note that REST is not a real configuration backend, but just a proxy system to access to your configuration over the network
</div>
</div>
<!-- EDIT1 SECTION "REST configuration backend" [1-504] -->
<!-- EDIT1 SECTION "REST configuration backend" [1-694] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Configuration" [505-531] -->
<!-- EDIT2 SECTION "Configuration" [695-721] -->
<h3 class="sectionedit3" id="first_configure_your_real_backend">First, configure your real backend</h3>
<div class="level3">
<ul>
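Review bot: the new error endpoint description is ambiguous: "GET /error/<lang>/<errNum>: get <errNum> error reference and <lang> errors file" does not say what the response contains (the message for <errNum>, the whole <lang> file, or both), and the following sentence "If no <lang> provided, 'en' errors file is returned" does not say what the path looks like without <lang> (GET /error/<errNum>?). Spell out both path forms and add one example request with its response.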
@ -112,7 +124,7 @@ location /index.psgi/config {
}</pre>
</div>
<!-- EDIT3 SECTION "First, configure your real backend" [532-1312] -->
<!-- EDIT3 SECTION "First, configure your real backend" [722-1502] -->
<h3 class="sectionedit4" id="next_configure_rest_for_your_remote_servers">Next, configure REST for your remote servers</h3>
<div class="level3">
@ -134,6 +146,6 @@ You can also add some other parameters
<span class="re1">proxyOptions</span> <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span> timeout <span class="sy0">=</span>&gt; 5 <span class="br0">&#125;</span></span></pre>
</div>
<!-- EDIT4 SECTION "Next, configure REST for your remote servers" [1313-] --></div>
<!-- EDIT4 SECTION "Next, configure REST for your remote servers" [1503-] --></div>
</body>
</html>

View File

@ -63,6 +63,10 @@
<h1 class="sectionedit1" id="rest_session_backend">REST session backend</h1>
<div class="level1">
<p>
Session &lt;type&gt; can be &#039;global&#039; for <abbr title="Single Sign On">SSO</abbr> sessions or &#039;persistent&#039; for persistent sessions.
</p>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> portal provides REST end points for sessions management:
</p>
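Review bot: the added sentence "Session <type> can be 'global' for SSO sessions or 'persistent' for persistent sessions" appears before any endpoint using <type> has been listed, so the placeholder has no referent at that point. Move it directly after the endpoint list it explains, or rewrite it as "In the endpoints below, <type> is 'global' for SSO sessions or 'persistent' for persistent sessions".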
@ -97,7 +101,7 @@ Sessions for connected users <em>(used by <a href="authproxy.html" class="wikili
Authorizations for connected users (always enabled):
</p>
<ul>
<li class="level1"><div class="li"> GET /mysession/?authorizationfor=&lt;base64-encoded-url&gt;: ask if url is authorized</div>
<li class="level1"><div class="li"> GET /mysession/?authorizationfor=&lt;base64-encoded-url&gt;: ask if url is authorizated</div>
</li>
</ul>
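Review bot: this hunk introduces a regression: "ask if url is authorized" is replaced by "ask if url is authorizated", which is not a word. Keep "authorized" in the added line.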
@ -114,12 +118,12 @@ To configure it, REST session backend will be set trough Manager in global confi
</p>
</div>
<!-- EDIT1 SECTION "REST session backend" [1-1432] -->
<!-- EDIT1 SECTION "REST session backend" [1-1522] -->
<h2 class="sectionedit2" id="setup">Setup</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Setup" [1433-1451] -->
<!-- EDIT2 SECTION "Setup" [1523-1541] -->
<h3 class="sectionedit3" id="manager">Manager</h3>
<div class="level3">
@ -152,10 +156,10 @@ Then, set <code>Lemonldap::NG::Common::Apache::Session::REST</code> in <code>Gen
<td class="col0 centeralign"> <strong>password</strong> </td><td class="col1"> Password to use for auth basic mechanism </td><td class="col2 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [1790-2116] --><div class="noteimportant">By default, user password and other secret keys are hidden by LLNG REST server. You can force REST server to export their real values by selecting “Export secret attributes in REST” in the manager. This less secure option is disabled by default.
<!-- EDIT4 TABLE [1880-2206] --><div class="noteimportant">By default, user password and other secret keys are hidden by LLNG REST server. You can force REST server to export their real values by selecting &quot;Export secret attributes in REST&quot; in the manager. This less secure option is disabled by default.
</div>
</div>
<!-- EDIT3 SECTION "Manager" [1452-2386] -->
<!-- EDIT3 SECTION "Manager" [1542-2476] -->
<h3 class="sectionedit5" id="apache">Apache</h3>
<div class="level3">
@ -168,7 +172,7 @@ Sessions REST end points access must be allowed in Apache portal configuration (
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT5 SECTION "Apache" [2387-2677] -->
<!-- EDIT5 SECTION "Apache" [2477-2767] -->
<h3 class="sectionedit6" id="real_session_backend">Real session backend</h3>
<div class="level3">
@ -182,7 +186,7 @@ For example, if real sessions are stored in <a href="filesessionbackend.html" cl
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">globalStorage</span> <span class="sy0">=</span><span class="re2"> Apache::Session::File</span>
<span class="re1">globalStorageOptions</span> <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span> 'Directory' <span class="sy0">=</span>&gt; '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' <span class="sy0">=</span>&gt; '/var/lib/lemonldap-ng/sessions/lock/', <span class="br0">&#125;</span></span></pre>
<div class="notetip">Session explorer and “single session” features can&#039;t be used using this backend. Session explorer and portal must be launched with real backend.
<div class="notetip">Session explorer and &quot;single session&quot; features can&#039;t be used using this backend. Session explorer and portal must be launched with real backend.
</div>
<p>
By default, only few sessions keys are shared by REST (authenticationLevel, groups, ipAddr, _startTime, _utime, _lastSeen, _session_id), you need to define which other keys you want to share in <code>General parameters</code> » <code>Plugins</code> » <code>Portal servers</code> » <code>SOAP/REST exported attributes</code>.
@ -199,6 +203,6 @@ To share only the listed attributes:
<pre class="code">authenticationLevel groups ipAddr _startTime _utime _lastSeen _session_id uid cn mail</pre>
</div>
<!-- EDIT6 SECTION "Real session backend" [2678-] --></div>
<!-- EDIT6 SECTION "Real session backend" [2768-] --></div>
</body>
</html>

View File

@ -162,7 +162,7 @@ You will only need to install liblasso-perl package:
<div class="level4">
<p>
RPMs are available in <abbr title="LemonLDAP::NG">LL::NG</abbr> RPM “extras” repository (see <a href="installrpm.html#yum_repository" class="wikilink1" title="documentation:2.0:installrpm">yum_repository</a>)
RPMs are available in <abbr title="LemonLDAP::NG">LL::NG</abbr> RPM &quot;extras&quot; repository (see <a href="installrpm.html#yum_repository" class="wikilink1" title="documentation:2.0:installrpm">yum_repository</a>)
</p>
<p>
@ -451,8 +451,6 @@ Available bindings are:
</li>
<li class="level1"><div class="li"> HTTP Artifact</div>
</li>
<li class="level1"><div class="li"> HTTP SOAP</div>
</li>
</ul>
</div>
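Review bot: the removal of "HTTP SOAP" from the list of available bindings (the two deleted lines) is not explained anywhere, while the hunk further down in this file still reads "The only authorized binding is SOAP. This should be set as Default." If that sentence refers to a different service, say so explicitly next to the list; if not, the two passages now contradict each other. A sentence in the commit message or on the page stating why the binding was dropped would settle it.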
@ -492,7 +490,7 @@ The only authorized binding is SOAP. This should be set as Default.
</p>
</div>
<!-- EDIT12 SECTION "Identity Provider" [6526-7514] -->
<!-- EDIT12 SECTION "Identity Provider" [6526-7500] -->
<h3 class="sectionedit13" id="attribute_authority">Attribute Authority</h3>
<div class="level3">
<div class="noteclassic">This concerns all parameters for the Attribute Authority metadata section
@ -515,7 +513,7 @@ Response Location should be empty, as SOAP responses are directly returned (sync
</p>
</div>
<!-- EDIT13 SECTION "Attribute Authority" [7515-7926] -->
<!-- EDIT13 SECTION "Attribute Authority" [7501-7912] -->
<h3 class="sectionedit14" id="advanced">Advanced</h3>
<div class="level3">
@ -598,6 +596,6 @@ Configuration parameters are:
</ul>
</div>
<!-- EDIT14 SECTION "Advanced" [7927-] --></div>
<!-- EDIT14 SECTION "Advanced" [7913-] --></div>
</body>
</html>

View File

@ -93,12 +93,18 @@ Since 2.0, LLNG provides some second factor plugins that can be used to complete
</li>
<li class="level1"><div class="li"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External 2F</a> <em>(to call an external command)</em> </div>
</li>
<li class="level1"><div class="li"> <a href="mail2f.html" class="wikilink1" title="documentation:2.0:mail2f">E-Mail 2F</a> <em>(Send a code to an email address)</em> </div>
</li>
</ul>
<p>
The E-Mail, External and REST 2F modules <a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">may be declared multiple times</a> with different sets of parameters.
</p>
<div class="notetip">If you want to force a 2F registration on first login, you can use &#039;Require 2FA&#039;. You can also use a rule to force 2FA registration only for some users.
</div><div class="notetip">You can display a message if an expired second factor has been removed by enabling &#039;Display a message if an expired SF is removed&#039; option or setting a rule.
</div>
</div>
<!-- EDIT1 SECTION "Second Factors" [1-1339] -->
<!-- EDIT1 SECTION "Second Factors" [1-1523] -->
<h2 class="sectionedit2" id="providing_tokens_from_an_external_source">Providing tokens from an external source</h2>
<div class="level2">
@ -108,25 +114,25 @@ If you don&#039;t want to use self-registration features for U2F, TOTP and so on
<pre class="code json">[ {&quot;type&quot; : &quot;TOTP&quot;, &quot;name&quot; : &quot;MyTOTP&quot;, …}, {&lt;other_token&gt;}, …]</pre>
</div>
<!-- EDIT2 SECTION "Providing tokens from an external source" [1340-1733] -->
<!-- EDIT2 SECTION "Providing tokens from an external source" [1524-1917] -->
<h3 class="sectionedit3" id="u2f_tokens">U2F Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyU2FKey&quot; , &quot;type&quot; : &quot;U2F&quot; , &quot;_userKey&quot; : &quot;########&quot; , &quot;_keyHandle&quot;:&quot;########&quot; , &quot;epoch&quot;:&quot;1524078936&quot;}</pre>
</div>
<!-- EDIT3 SECTION "U2F Tokens" [1734-1891] -->
<!-- EDIT3 SECTION "U2F Tokens" [1918-2075] -->
<h3 class="sectionedit4" id="totp_tokens">TOTP Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyTOTP&quot; , &quot;type&quot; : &quot;TOTP&quot; , &quot;_secret&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817955&quot;}</pre>
</div>
<!-- EDIT4 SECTION "TOTP Tokens" [1892-2024] -->
<!-- EDIT4 SECTION "TOTP Tokens" [2076-2208] -->
<h3 class="sectionedit5" id="yubikey_tokens">Yubikey Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyYubikey&quot; , &quot;type&quot; : &quot;UBK&quot; , &quot;_yubikey&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817715&quot;}</pre>
</div>
<!-- EDIT5 SECTION "Yubikey Tokens" [2025-2163] -->
<!-- EDIT5 SECTION "Yubikey Tokens" [2209-2347] -->
<h2 class="sectionedit6" id="developer_corner">Developer corner</h2>
<div class="level2">
@ -143,6 +149,6 @@ To enable manager Second Factor Administration Module, set <code>enabledModules<
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT6 SECTION "Developer corner" [2164-] --></div>
<!-- EDIT6 SECTION "Developer corner" [2348-] --></div>
</body>
</html>

View File

@ -91,11 +91,11 @@ Install Cache::Memcached dependency.
<div class="level3">
<p>
You just have to set “Type: SecureToken” in the VirtualHost options in the manager.
You just have to set &quot;Type: SecureToken&quot; in the VirtualHost options in the manager.
</p>
<p>
If you want to protect only a virtualHost part, keep type on “Main” and set type in your configuration file:
If you want to protect only a virtualHost part, keep type on &quot;Main&quot; and set type in your configuration file:
</p>
<ul>
<li class="level1"><div class="li"> Apache: use simply a <code>PerlSetVar VHOSTTYPE AuthBasic</code></div>

View File

@ -164,7 +164,7 @@ LLNG portal now embeds the following features:
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Content_Security_Policy" class="urlextern" title="https://en.wikipedia.org/wiki/Content_Security_Policy" rel="nofollow">Content-Security-Policy</a> header: portal builds dynamically this header. You can modify default values in the manager <em>(General parameters » Advanced parameters » Security » Content-Security-Policy)</em></div>
</li>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="nofollow">Cross-Origin Resource Sharing</a> headers: CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain “cross-domain” requests, notably Ajax requests, are forbidden by default by the same-origin security policy. You can modify default values in the manager <em>(General parameters » Advanced parameters » Security » Cross-Origin Resource Sharing)</em></div>
<li class="level1"><div class="li"> <a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" class="urlextern" title="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" rel="nofollow">Cross-Origin Resource Sharing</a> headers: CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain &quot;cross-domain&quot; requests, notably Ajax requests, are forbidden by default by the same-origin security policy. You can modify default values in the manager <em>(General parameters » Advanced parameters » Security » Cross-Origin Resource Sharing)</em></div>
</li>
</ul>
<div class="noteimportant"><ul>
@ -197,7 +197,7 @@ If you use <a href="soapsessionbackend.html" class="wikilink1" title="documentat
<p>
<a href="writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules</a> are applied in alphabetical order (comment and regular expression). The first matching rule is applied.
</p>
<div class="noteimportant">The “default” rule is only applied if no other rule matchs
<div class="noteimportant">The &quot;default&quot; rule is only applied if no other rule matchs
</div>
<p>
The Manager let you define comments in rules, to order them:
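Review bot: the typo "matchs" on the replaced noteimportant line survives the quote change; since the line is being touched anyway, make it "The "default" rule is only applied if no other rule matches". The following line also reads "The Manager let you define comments" (should be "lets you").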
@ -217,7 +217,7 @@ For example, if these rules are used without comments:
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq “root” </td><td class="col2"> </td>
<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq &quot;root&quot; </td><td class="col2"> </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> </td>
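Review bot: converting `$uid eq “root”` to `$uid eq "root"` in this table is more than cosmetic: the cell holds a Perl expression an administrator will copy into the Manager, and typographic quotes are not string delimiters in Perl, so the old rendering would not compile when pasted. Worth grepping the rest of the rules documentation (writingrulesand_headers.html) for the same curly-quote pattern so every rule shown is copy-paste safe.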
@ -238,7 +238,7 @@ Use comment to correct this:
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq “root” </td><td class="col2"> 1_admin </td>
<td class="col0"> ^/pub/admin/ </td><td class="col1"> $uid eq &quot;root&quot; </td><td class="col2"> 1_admin </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> ^/pub/ </td><td class="col1"> accept </td><td class="col2"> 2_pub </td>
@ -365,7 +365,7 @@ It is recommended to secure the channel between reverse-proxies and application
<ul>
<li class="level1"><div class="li"> firewalls (but be careful if more than 1 server is behind the firewall)</div>
</li>
<li class="level1"><div class="li"> server based restriction (like Apache “allow/deny” mechanism)</div>
<li class="level1"><div class="li"> server based restriction (like Apache &quot;allow/deny&quot; mechanism)</div>
</li>
<li class="level1"><div class="li"> SSL client certificate for the reverse-proxy (see SSLProxy* parameters in <a href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html" class="urlextern" title="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html" rel="nofollow">mod_ssl documentation</a>)</div>
</li>
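Review bot: the replaced line names the Apache "allow/deny" mechanism and the context line below links the httpd 2.2 mod_ssl manual; both are 2.2-era, and on httpd 2.4 the equivalent access control is the `Require` directive, so a reader on a current server will not find "allow/deny". Suggest pointing the link at the current mod_ssl documentation and mentioning `Require ip` alongside allow/deny.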
@ -382,9 +382,11 @@ Go in Manager, <code>General parameters</code> » <code>Advanced parameters</cod
<ul>
<li class="level1"><div class="li"> <strong>Username control</strong>: Regular expression used to check user login syntax.</div>
</li>
<li class="level1"><div class="li"> <strong>Avoid browsers to store users password</strong>: Enable this option to prevent browsers from prompting users to save passwords.</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication</strong>: set to &#039;On&#039; to force authentication when user connects to portal, even if he has a valid session.</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication interval</strong>: time interval (in seconds) when a authentication renewal cannot be forced, used to prevent to loose the current authentication during the main process. If you experience slow network performances, you can increase this value.</div>
<li class="level1"><div class="li"> <strong>Force authentication interval</strong>: time interval (in seconds) when an authentication renewal cannot be forced, used to prevent to loose the current authentication during the main process. If you experience slow network performances, you can increase this value.</div>
</li>
<li class="level1"><div class="li"> <strong>Encryption key</strong>: key used to crypt some data, should not be known by other applications</div>
</li>
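Review bot: the new bullet "Avoid browsers to store users password" is not grammatical and does not say what the option changes in the portal; suggest "Prevent browsers from storing user passwords" and one sentence on which portal behaviour it alters, since a reader cannot tell from this line whether it covers only the login form. The "Force authentication interval" line was touched for "an authentication" but still says "to loose the current authentication"; that should be "to lose".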
@ -408,7 +410,7 @@ Go in Manager, <code>General parameters</code> » <code>Advanced parameters</cod
</li>
<li class="level1"><div class="li"> <strong>Use global storage</strong>: Local cache is used by default for one time tokens. To use global storage, set it to &#039;On&#039;</div>
</li>
<li class="level1"><div class="li"> <strong>LWP::UserAgent and SSL options</strong>: insert here options to pass to LWP::UserAgent object (used by <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect to query partners). Example: <code>verify_hostname =&gt; 0</code>, <code>SSL_verify_mode =&gt; 0</code></div>
<li class="level1"><div class="li"> <strong>LWP::UserAgent and SSL options</strong>: insert here options to pass to LWP::UserAgent object (used by <abbr title="Security Assertion Markup Language">SAML</abbr> or OpenID-Connect to query partners and AuthSSL or AuthBasic handler to request Portal <abbr title="Uniform Resource Locator">URL</abbr>). Example: <code>verify_hostname =&gt; 0</code>, <code>SSL_verify_mode =&gt; 0</code></div>
</li>
<li class="level1"><div class="li"> <strong>Content Security Policy</strong>: Portal builds dynamically this header. You can modify default values. Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does). Administrators may have to modify <code>formAction</code> value with wildcard likes *.</div>
</li>
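Review bot: the example values `verify_hostname => 0`, `SSL_verify_mode => 0` on the replaced line disable TLS certificate and hostname verification for every outbound request made with these options, and this hunk widens the blast radius by adding the AuthSSL/AuthBasic handler requests to the Portal URL. Presenting them as the only example, with no warning, invites copy-paste into production, where SAML/OpenID Connect metadata and token exchanges become trivially interceptable. Suggest a safe example such as `SSL_ca_file => '/path/to/ca.pem'` and an explicit note that verification should only be disabled in test setups.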
@ -422,12 +424,12 @@ requireToken =&gt; $env-&gt;{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
</div><div class="notewarning">Enable global storage for one time tokens will downgrade Portal performance!!!
<p>
Must be use ONLY with outdated or low performance Load Balancer.
Must ONLY be use with outdated or low performance Load Balancer.
</p>
</div>
</div>
<!-- EDIT18 SECTION "Configure security settings" [8149-11184] -->
<!-- EDIT18 SECTION "Configure security settings" [8149-11367] -->
<h2 class="sectionedit19" id="fail2ban">Fail2ban</h2>
<div class="level2">
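Review bot: the rewording on the replaced line still reads "Must ONLY be use with outdated or low performance Load Balancer"; it should be "Must ONLY be used with outdated or low-performance load balancers". The warning line above it, "Enable global storage for one time tokens will downgrade Portal performance", also needs "Enabling".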
@ -479,7 +481,7 @@ Restart fail2ban
</p>
</div>
<!-- EDIT19 SECTION "Fail2ban" [11185-12239] -->
<!-- EDIT19 SECTION "Fail2ban" [11368-12422] -->
<h2 class="sectionedit20" id="sessions_identifier">Sessions identifier</h2>
<div class="level2">
@ -492,7 +494,7 @@ We recommend to use : <code>Lemonldap::NG::Common::Apache::Session::Generate::SH
</p>
</div>
<!-- EDIT20 SECTION "Sessions identifier" [12240-12502] -->
<!-- EDIT20 SECTION "Sessions identifier" [12423-12685] -->
<h2 class="sectionedit21" id="saml">SAML</h2>
<div class="level2">
@ -501,6 +503,6 @@ See <a href="samlservice.html#security_parameters" class="wikilink1" title="docu
</p>
</div>
<!-- EDIT21 SECTION "SAML" [12503-] --></div>
<!-- EDIT21 SECTION "SAML" [12686-] --></div>
</body>
</html>

View File

@ -60,7 +60,7 @@ In modern applications, web application may need to request some other web appli
</ul>
<p>
The “Bad” method consists to give the token (cookie value) to WebApp1 which uses it as cookie header in its request. Since 2.0 version, <abbr title="LemonLDAP::NG">LL::NG</abbr> gives a better way (the Good !) to do this by using limited scope tokens.
The &quot;Bad&quot; method consists to give the token (cookie value) to WebApp1 which uses it as cookie header in its request. Since 2.0 version, <abbr title="LemonLDAP::NG">LL::NG</abbr> gives a better way (the Good !) to do this by using limited scope tokens.
</p>
<p>
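Review bot: the quote change leaves "consists to give" and "Since 2.0 version" on the replaced line; suggest "consists in giving the token (cookie value) to WebApp1, which uses it as its Cookie header in its requests" and "Since version 2.0".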
@ -80,7 +80,7 @@ Tokens are time limited (30 seconds by default) and <abbr title="Uniform Resourc
Select <strong>Main</strong> handler type to protect WebApp1 and
insert a header named <strong>X-Llng-Token</strong> filled with this value:
</p>
<pre class="code file perl">token<span class="br0">&#40;</span> <span class="re0">$_session_id</span><span class="sy0">,</span> <span class="st_h">'webapp2.example.com'</span><span class="sy0">,</span> <span class="st_h">'webapp3.example.com'</span><span class="sy0">,</span> <span class="st_h">'serviceHeader1=webapp1.example.com'</span><span class="sy0">,</span> <span class="st_h">'testHeader=$uid'</span> <span class="br0">&#41;</span></pre>
<pre class="code file perl">token<span class="br0">&#40;</span> <span class="re0">$_session_id</span><span class="sy0">,</span> <span class="st_h">'webapp2.example.com'</span><span class="sy0">,</span> <span class="st_h">'webapp3.example.com'</span><span class="sy0">,</span> <span class="st_h">'serviceHeader1=webapp1.example.com'</span><span class="sy0">,</span> <span class="st0">&quot;testHeader=$uid&quot;</span> <span class="br0">&#41;</span></pre>
<p>
WebApp1 can read this header and use it in its requests by setting the <code>X-Llng-Token</code> header. The token is built by using the session ID and authorized virtualhosts list. By default, the Service Token is only available during 30 seconds and for specified virtualhosts. The token can be use to send service headers to webapp2 like origin host by example.
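Review bot: switching `'testHeader=$uid'` to `"testHeader=$uid"` is the real fix in this hunk, not a quoting style change: a single-quoted Perl string does not interpolate `$uid`, so the documented header expression would have sent the literal text `$uid` instead of the user's login. That deserves a line in the changelog. The following context line still has "The token can be use to send" (should be "used") and "like origin host by example" (should be "for example").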

Some files were not shown because too many files have changed in this diff.