LEMONLDAP::NG : branch trunk/build/lemonldap-ng
This commit is contained in:
parent
cf4f11b7a0
commit
d7d14bf782
@ -0,0 +1,280 @@
|
|||
LEMONLDAP::NG INSTALLATION
|
||||
|
||||
Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||
simplifies the build of a protected area with a few changes in the application.
|
||||
It manages both authentication and authorization and provides headers for
|
||||
accounting. So you can have a full AAA protection.
|
||||
|
||||
See README file to known how it works.
|
||||
|
||||
------------------------
|
||||
I - EXAMPLE INSTALLATION
|
||||
------------------------
|
||||
|
||||
The proposed example use a protected site named test.example.com. Non
|
||||
authenticated users are redirected to auth.example.com.
|
||||
|
||||
1.1 - PREREQ
|
||||
------------
|
||||
|
||||
1.1.1 - Software
|
||||
|
||||
To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||
Apache proposed with your Linux distribution match, but some distributions used
|
||||
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||
package for Debian works fine).
|
||||
|
||||
1.1.2 - Perl prereq
|
||||
|
||||
Perl modules:
|
||||
Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
|
||||
DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager)
|
||||
|
||||
With Debian:
|
||||
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
|
||||
libdbi-perl perl-modules libwww-perl libcache-cache-perl \
|
||||
libxml-simple-perl
|
||||
# If you want to use SOAP with the manager:
|
||||
apt-get install libsoap-lite-perl
|
||||
|
||||
1.2 - BUILDING
|
||||
--------------
|
||||
|
||||
1.2.1 - Complete install
|
||||
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
$ make example
|
||||
|
||||
1.2.2 - Install on Debian
|
||||
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ debuild
|
||||
$ sudo dpkg -i ../lemonldap-ng*.deb
|
||||
|
||||
1.3 - EXAMPLE CONFIGURATION
|
||||
---------------------------
|
||||
|
||||
After build, you have a new file named example/apache.conf. You just have to
|
||||
include this file in Apache configuration:
|
||||
|
||||
# in httpd.conf (with Apache1)
|
||||
include /path/to/lemonldap-ng/source/example/apache.conf
|
||||
# or in apache2.conf (with Apache2)
|
||||
include /path/to/lemonldap-ng/source/example/apache2.conf
|
||||
|
||||
Modify your /etc/hosts file to include:
|
||||
|
||||
127.0.0.2 auth.example.com
|
||||
127.0.0.3 test.example.com
|
||||
127.0.0.4 manager.example.com
|
||||
|
||||
Edit /path/to/lemonldap-ng/source/example/conf/lmConfig-1 and specify your LDAP
|
||||
settings. If you don't set managerDn and managerPassword, Lemonldap::NG will
|
||||
use an anonymous bind to find user dn.
|
||||
(Debian users: /usr/share/doc/lemonldap-ng/example/conf/lmConfig-1)
|
||||
WARNINGS:
|
||||
* only few parameters can be set by hand in the configuration file. You have
|
||||
to use the manager to change configuration, but since the example is yet
|
||||
configured, you can edit directly the file
|
||||
* each new configuration is saved by the manager in a new file (or a new
|
||||
record with DBI) so you can recover an old configuration by removing
|
||||
|
||||
Next, restart Apache use your prefered browser and try to connect to
|
||||
http://test.example.com/. You'll be redirect to auth.example.com. Try
|
||||
to authenticate yourself with a valid account and the protected page will
|
||||
appear. You will find other explanations on this page.
|
||||
|
||||
Configuration can be modified by connecting your browser to
|
||||
http://manager.example.com/
|
||||
|
||||
-------------------------
|
||||
2 - ADVANCED INSTALLATION
|
||||
-------------------------
|
||||
|
||||
2.1 - PREREQ
|
||||
|
||||
2.1.1 - Apache
|
||||
|
||||
To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||
Apache proposed with your Linux distribution match, but some distributions used
|
||||
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||
package for Debian works fine).
|
||||
|
||||
For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
|
||||
faster and Lemonldap::NG use the thread system for best performance. If you
|
||||
have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
|
||||
anyway.
|
||||
|
||||
You can use Lemonldap::NG in an heterogene world: the authentication portal and
|
||||
the manager can work in any version of Apache 1.3 or more even if mod_perl is
|
||||
not compiled, with ModPerl::Registry or not... Only the handler (site protector)
|
||||
need mod_perl. The different handlers can run on different servers with
|
||||
different versions of Apache/mod_perl.
|
||||
|
||||
2.1.2 - Perl prereq
|
||||
|
||||
Warning: Handler and Portal parts both need Lemonldap::NG::Manager components
|
||||
to access to configuration.
|
||||
|
||||
Manager:
|
||||
-------
|
||||
CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP)
|
||||
|
||||
With Debian:
|
||||
apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
|
||||
# If you want to use SOAP
|
||||
apt-get install libsoap-lite-perl
|
||||
|
||||
Portal:
|
||||
------
|
||||
Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager
|
||||
|
||||
With Debian:
|
||||
apt-get install libapache-session-perl libnet-ldap-perl perl-modules
|
||||
|
||||
Handler:
|
||||
-------
|
||||
Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager
|
||||
|
||||
With Debian:
|
||||
apt-get install libapache-session-perl libwww-perl libcache-cache-perl
|
||||
|
||||
2.2 - SOFTWARE INSTALLATION
|
||||
---------------------------
|
||||
|
||||
If you just want to install a handler or a portal or a manager:
|
||||
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
|
||||
$ perl Makefile.PL && make && make test
|
||||
$ sudo make install
|
||||
|
||||
else for a complete install:
|
||||
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
|
||||
See prereq in §1.1.2
|
||||
|
||||
2.3 - LEMONLDAP INSTALLATION
|
||||
----------------------------
|
||||
|
||||
2.3.1 - Database configuration
|
||||
|
||||
2.3.1.1 - Lemonldap::NG Configuration database
|
||||
|
||||
If you use DBI or another system to share Lemonldap::NG configuration, you have
|
||||
to initialize the database. An example is given in example/lmConfig.mysql for
|
||||
MySQL.
|
||||
|
||||
2.3.1.2 - Apache::Session database
|
||||
|
||||
The choice of Apache::Session::* module is free. See Apache::Session::Store::*
|
||||
or Apache::Session::* to know how to configure the module. For example, if you
|
||||
want to use Apache::Session::MySQL, you can create the database like this:
|
||||
|
||||
CREATE DATABASE sessions (
|
||||
id char(32),
|
||||
a_session text
|
||||
);
|
||||
|
||||
2.3.2 - Manager configuration
|
||||
|
||||
Copy example/manager.cgi and personalize it if you want (see
|
||||
Lemonldap::NG::Manager). You have to set in particular configStorage. For
|
||||
example with MySQL:
|
||||
|
||||
$my $manager = Lemonldap::NG::Manager->new ( {
|
||||
dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4",
|
||||
dbiUser => "lemonldap-ng",
|
||||
dbiPassword => "mypass",
|
||||
} );
|
||||
|
||||
Securise Manager access with Apache: Lemonldap does not securise the manager
|
||||
itself yet:
|
||||
|
||||
SSLEngine On
|
||||
Order Deny, Allow
|
||||
Deny from all
|
||||
Allow from admin-network/netmask
|
||||
AuthType Basic
|
||||
...
|
||||
|
||||
After configuration, you can also protect the manager with an Lemonldap::NG
|
||||
handler.
|
||||
|
||||
2.3.3 - Configuration edition
|
||||
|
||||
Connect to the manager with your browser start configure your Web-SSO. You have
|
||||
to set at least some parameters:
|
||||
|
||||
a) General parameters :
|
||||
|
||||
* Authentication parameters -> portal : URL to access to the authentication
|
||||
portal
|
||||
* Domain : the cookie domain. All protected VirtualHosts have to be under it
|
||||
|
||||
* LDAP parameters -> LDAP Server
|
||||
|
||||
* LDAP parameters -> LDAP Accout and password : required only if anonymous
|
||||
binds are not accepted
|
||||
|
||||
* Session Storage -> Apache::Session module : how to store user sessions.
|
||||
You can use all module that
|
||||
inherit from Apache::Session
|
||||
like Apache::Session::MySQL
|
||||
|
||||
* Session Storage -> Apache::Session Module parameters :
|
||||
see Apache::Session::<Choosen module>
|
||||
|
||||
b) User groups :
|
||||
|
||||
Use the "New Group" button to add your first group. On the left, set the
|
||||
keyword which will be used later and set on the right the corresponding rule:
|
||||
you can use :
|
||||
|
||||
* an LDAP filter (it will be tested with the user uid)
|
||||
|
||||
or
|
||||
|
||||
* a Perl condition enclosed with {}. All variables declared in "General
|
||||
parameters -> LDAP attributes" can be used with a "$". For example:
|
||||
MyGroup / { $uid eq "foo" or $uid eq "bar" }
|
||||
|
||||
c) Virtual hosts
|
||||
|
||||
You have to create a virtual host for each Apache host (virtual or real)
|
||||
protected by Lemonldap::NG even if just a sub-directory is protected. Else,
|
||||
user who want to access to the protected area will be rejected with a "500
|
||||
Internal Server Error" message and the apache logs will explain the problem.
|
||||
|
||||
Each virtual host has 2 groups of parameters:
|
||||
|
||||
* Headers: the headers added to the apache request. Default :
|
||||
Auth-User => $uid
|
||||
* Rules: subdivised in 2 categories:
|
||||
* default : the default rule
|
||||
* personalized rules: association of a Perl regular expression and
|
||||
a condition. For example:
|
||||
^/restricted.*$ / $groups =~ /\bMyGroup\b/
|
||||
|
||||
|
||||
-------------
|
||||
3 - DEBUGGING
|
||||
-------------
|
||||
|
||||
Lemonldap::NG uses simply the Apache log system. So use LogLevel to choose
|
||||
information to display.
|
||||
|
|
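--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,153 @@
+#!/usr/bin/make
+
+VERSION=0.9beta
+HANDLERDIR=lemonldap-ng-handler
+PORTALDIR=lemonldap-ng-portal
+MANAGERDIR=lemonldap-ng-manager
+EXAMPLEDIRBUILD=`pwd`/example/
+EXAMPLEDIR=$(EXAMPLEDIRBUILD)
+EXAMPLELANG=en
+
+all: handler manager portal
+
+handler: handler_conf
+	$(MAKE) -C ${HANDLERDIR}
+	touch handler
+
+portal: portal_conf
+	$(MAKE) -C ${PORTALDIR}
+	touch portal
+
+manager: manager_conf
+	$(MAKE) -C ${MANAGERDIR}
+	touch manager
+
+configure: handler_conf portal_conf manager_conf
+
+handler_conf:
+	cd ${HANDLERDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS)
+	touch handler_conf
+
+portal_conf:
+	cd ${PORTALDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS)
+	touch portal_conf
+
+manager_conf:
+	cd ${MANAGERDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS)
+	touch manager_conf
+
+test: manager_test handler_test portal_test
+
+manager_test: manager
+	$(MAKE) -C ${MANAGERDIR} test
+
+handler_test: handler
+	$(MAKE) -C ${HANDLERDIR} test INST_ARCHLIB=../${MANAGERDIR}/blib/lib/
+
+portal_test: portal
+	$(MAKE) -C ${PORTALDIR} test INST_ARCHLIB=../${MANAGERDIR}/blib/lib/
+
+install: handler_install portal_install manager_install
+
+handler_install: handler
+	$(MAKE) -C ${HANDLERDIR} install
+	touch handler_install
+
+portal_install: portal
+	$(MAKE) -C ${PORTALDIR} install
+	touch portal_install
+
+manager_install: manager
+	$(MAKE) -C ${MANAGERDIR} install
+	touch manager_install
+
+distclean: clean
+
+clean: handler_clean portal_clean manager_clean
+	rm -rf example
+	find . -name '*.gz' -exec rm -vf {} \;
+
+handler_clean:
+	- $(MAKE) -C ${HANDLERDIR} distclean
+	rm -vf handler*
+
+portal_clean:
+	- $(MAKE) -C ${PORTALDIR} distclean
+	rm -vf portal*
+
+manager_clean:
+	- $(MAKE) -C ${MANAGERDIR} distclean
+	rm -vf manager*
+
+example: all
+	mkdir -p example/portal example/manager example/handler example/conf
+	chmod 1777 example/conf
+	cp -a ${HANDLERDIR}/example/* example/handler
+	cp -a ${PORTALDIR}/example/* example/portal
+	cp -a ${MANAGERDIR}/example/* example/manager
+	cp -a _example/* example
+	find ${EXAMPLEDIRBUILD} -type f -exec perl -i -pe 's#__DIR__/?#'${EXAMPLEDIR}'#g' {} \;
+	@echo
+	@echo "Example is ready."
+	@echo
+	@echo "1 - Add this in your Apache configuration file:"
+	@echo " with Apache-1.3.x"
+	@echo
+	@echo " include ${EXAMPLEDIR}apache.conf"
+	@echo
+	@echo " or with Apache-2.x:"
+	@echo
+	@echo " include ${EXAMPLEDIR}apache2.conf"
+	@echo
+	@echo "2 - Add test.example.com and auth.example.com in yout /etc/hosts :"
+	@echo
+	@echo " cat example/for_etc_hosts >> /etc/hosts"
+	@echo
+	@echo "3 - edit ${EXAMPLEDIR}/conf/lmConf-1 and set ldapServer and ldapBase."
+	@echo " or use the manager at http://manager.example.com/ (after apache restart)"
+	@echo
+	@echo "4 - Restart Apache (or Apache2)"
+	@echo
+	@echo "5 - Try to connect to http://test.example.com/"
+
+uninstall: configure handler_uninstall portal_uninstall manager_uninstall
+
+handler_uninstall: handler
+	$(MAKE) -C ${HANDLERDIR} uninstall
+	rm -vf handler_uninstall
+
+portal_uninstall: portal
+	$(MAKE) -C ${PORTALDIR} uninstall
+	rm -vf portal_uninstall
+
+manager_uninstall: manager
+	$(MAKE) -C ${MANAGERDIR} uninstall
+	rm -vf manager_uninstall
+
+dist:
+	- $(MAKE) clean
+	mkdir -p lemonldap-ng-$(VERSION)
+	- cp -a * lemonldap-ng-$(VERSION)
+	rm -rf lemonldap-ng-$(VERSION)/lemonldap-ng-$(VERSION)
+	tar czf lemonldap-ng-$(VERSION).tar.gz lemonldap-ng-$(VERSION)
+	rm -rf lemonldap-ng-$(VERSION)
+
+cpan: configure handler_cpan portal_cpan manager_cpan
+
+handler_cpan: handler_conf
+	$(MAKE) -C ${HANDLERDIR} dist
+	mv ${HANDLERDIR}/Lemonldap*.gz .
+
+portal_cpan: portal_conf
+	$(MAKE) -C ${PORTALDIR} dist
+	mv ${PORTALDIR}/Lemonldap*.gz .
+
+manager_cpan: manager_conf
+	$(MAKE) -C ${MANAGERDIR} dist
+	mv ${MANAGERDIR}/Lemonldap*.gz .
+
+static_example: example
+	mkdir -p example/static
+	cd example/static/;ln -s ../manager/imgs;cd -
+	scripts/make_static_example.pl example/manager/index.pl example/static/index.html $(EXAMPLELANG)
+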
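Review bot: `chmod 1777 example/conf` in the `example` target makes the configuration directory world-writable (the sticky bit only stops users deleting each other's files), and the INSTALL text in this same commit says the manager saves every new configuration as a new numbered file in that directory, so any local account can drop a file there that the handlers will then load as policy. Restrict it to the web server's group instead, e.g. `chgrp <apache-group> example/conf && chmod 2770 example/conf`, and say in the echo banner that the example is meant for a single-user test machine. The `find … perl -i -pe 's#__DIR__/?#'${EXAMPLEDIR}'#g'` line splices the `pwd`-derived path straight into the substitution, so a checkout path containing `#` or `'` corrupts every generated config silently; passing it through the environment, `EXAMPLEDIR="${EXAMPLEDIR}" perl -i -pe 's#__DIR__/?#$ENV{EXAMPLEDIR}#g'`, avoids the quoting problem. Step 3 of the banner also prints `${EXAMPLEDIR}/conf/lmConf-1` although `EXAMPLEDIR` already ends in `/`, unlike the two `include` lines above it.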
@ -0,0 +1,194 @@
|
|||
Lemonldap-NG
|
||||
====================
|
||||
|
||||
Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||
simplifies the build of a protected area with a few changes in the application.
|
||||
It manages both authentication and authorization and provides headers for
|
||||
accounting. So you can have a full AAA protection for your web space as
|
||||
described below.
|
||||
|
||||
1 - Installation
|
||||
2 - Authentication, Authorization and Accounting mechanisms
|
||||
2.1 - Authentication
|
||||
2.2 - Authorization
|
||||
2.3 - Accounting
|
||||
3 - Session storage system
|
||||
4 - Author
|
||||
5 - Copyright and licence
|
||||
|
||||
1 - INSTALLATION
|
||||
================
|
||||
|
||||
Lemonldap::NG is a different project than Lemonldap and contains all you need
|
||||
to use and administer it. So softwares, like Lemonldap webmin module, may not
|
||||
work with Lemonldap::NG.
|
||||
|
||||
The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
|
||||
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
|
||||
act as CGI, so they can work everywhere.
|
||||
|
||||
See INSTALL file in the source tree for a complete installation documentation.
|
||||
|
||||
2 - AUTHENTICATION, AUTHORIZATION AND ACCOUNTING MECHANISMS
|
||||
===========================================================
|
||||
|
||||
Warning: Lemonldap::NG configuration has to be edited using the manager unless
|
||||
you know exactly what you are doing. The parameters discussed here are all in
|
||||
the configuration tree.
|
||||
|
||||
2.1 - Authentication
|
||||
|
||||
If a user isn't authenticated and attemps to connect to an area protected by a
|
||||
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
|
||||
authenticates user with a ldap bind by default, but you can also use another
|
||||
authentication sheme like using x509 user certificates (see
|
||||
Lemonldap::NG::Portal::AuthSSL(3) for more).
|
||||
|
||||
Lemonldap use session cookies generated by Apache::Session so as secure as a
|
||||
128-bit random cookie. You may use the securedCookie options to avoid session
|
||||
hijacking.
|
||||
|
||||
You have to manage life of sessions by yourself since Lemonldap::NG knows
|
||||
nothing about the L<Apache::Session> module you've choosed, but it's very easy
|
||||
using a simple cron script because Lemonldap::NG::Portal stores the start
|
||||
time in the _utime field.
|
||||
By default, a session stay 10 minutes in the local storage, so in the worth
|
||||
case, a user is authorized 10 minutes after he lost his rights.
|
||||
|
||||
2.2 - Authorization
|
||||
|
||||
Authorization is controled only by handlers because the portal knows nothing
|
||||
about the way the user will choose. When configuring your Web-SSO, you have to:
|
||||
|
||||
* choose the ldap attributes you want to use to manage accounting and
|
||||
authorization.
|
||||
* create Perl expressions to define user groups (using ldap attributes)
|
||||
* create an array foreach virtual host associating URI regular expressions and
|
||||
Perl expressions to use to grant access.
|
||||
|
||||
Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored
|
||||
|
||||
* Exported variables :
|
||||
|
||||
# Custom-Name => LDAP attribute
|
||||
cn => cn
|
||||
departmentUID => departmentUID
|
||||
login => uid
|
||||
|
||||
* User groups :
|
||||
|
||||
# Custom-Name => group definition
|
||||
group1 => { $departmentUID eq "unit1" or $login = "xavier.guimard" }
|
||||
|
||||
* Area protection:
|
||||
|
||||
# Each VirtualHost has its own configuration
|
||||
# associating URL regexp to Perl expression
|
||||
* www1.domain.com :
|
||||
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
||||
default => accept
|
||||
},
|
||||
* www2.domain.com => {
|
||||
^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
|
||||
^/(js|css) => accept
|
||||
default => deny
|
||||
},
|
||||
},
|
||||
|
||||
2.2.1 - Performance
|
||||
|
||||
You can use Perl expressions as complicated as you want and you can use all
|
||||
the exported LDAP attributes (and create your own attributes: with 'macros'
|
||||
mechanism) in groups evaluations, area protections or custom HTTP headers
|
||||
(you just have to call them with a "$").
|
||||
|
||||
You have to be careful when choosing your expressions:
|
||||
|
||||
* groups and macros are evaluated each time a user is redirected to the portal
|
||||
* virtual host rules and exported headers are evaluated for each request on a
|
||||
protected area.
|
||||
|
||||
It is also recommanded to use the groups mechanism to avoid having to evaluate
|
||||
a long expression at each HTTP request:
|
||||
|
||||
# Virtual hosts :
|
||||
...
|
||||
www1.domain.com :
|
||||
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
||||
|
||||
You can also use LDAP filters, or Perl expression or mixed expressions in
|
||||
groups definitions. Perl expressions has to be enclosed with {}:
|
||||
|
||||
* group1 => (|(uid=xavier.guimard)(ou=unit1))
|
||||
* group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
|
||||
* group1 => (|(uid=xavier.guimard){$ou eq "unit1"})
|
||||
|
||||
It is also recommanded to use Perl expressions to avoid requiering the LDAP
|
||||
server more than 2 times per authentication.
|
||||
|
||||
2.3 - Accounting
|
||||
|
||||
2.3.1 - Logging portal access>
|
||||
|
||||
Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
|
||||
overload log method for normal portal access.
|
||||
|
||||
2.3.2 - Logging application access
|
||||
|
||||
Because a Web-SSO knows nothing about the protected application, it can't do
|
||||
more than logging URL. As Apache does this fine, L<Lemonldap::NG::Handler>
|
||||
gives it the name to used in logs. The whatToTrace parameter indicates
|
||||
which variable Apache has to use ($uid by default).
|
||||
|
||||
The real accounting has to be done by the application itself which knows the
|
||||
result of SQL transaction for example.
|
||||
|
||||
Lemonldap::NG can export HTTP headers either using a proxy or protecting
|
||||
directly the application. By default, the Auth-User field is used but you can
|
||||
change it using the exportedHeaders parameters (in the Manager, each virtual
|
||||
host as custom headers branch). This parameters contains an associative array
|
||||
per virtual host:
|
||||
|
||||
* keys are the names of the choosen headers
|
||||
* values are Perl expressions where you can use user datas stored in the
|
||||
global storage.
|
||||
|
||||
Example:
|
||||
|
||||
* www1.domain.com :
|
||||
Auth-User => $uid
|
||||
Unit => $ou
|
||||
* www2.domain.com :
|
||||
Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
|
||||
Remote-IP => $ip
|
||||
|
||||
3 - SESSION STORAGE SYSTEM
|
||||
|
||||
Lemonldap::NG use 3 levels of cache for authenticated users:
|
||||
|
||||
* an Apache::Session::* module used by lemonldap::NG::Portal to store
|
||||
authenticated user parameters,
|
||||
* a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
|
||||
users between Apache's threads or processus and of course between virtual
|
||||
hosts on the same machine
|
||||
* Lemonldap::NG::Handler variables : if the same user use the same thread or
|
||||
processus a second time, no request are needed to grant or refuse access.
|
||||
This is very efficient with HTTP/1.1 Keep-Alive system.
|
||||
|
||||
So the number of request to the central storage is limited to 1 per active
|
||||
user each 10 minutes.
|
||||
|
||||
Lemonldap::NG is very fast, but you can increase performance using a
|
||||
Cache::Cache module that does not use disk access.
|
||||
|
||||
4 - AUTHOR
|
||||
|
||||
Xavier Guimard, x.guimard@free.fr
|
||||
|
||||
5 - COPYRIGHT AND LICENSE
|
||||
|
||||
Copyright (C) 2005-2007 by Xavier Guimard x.guimard@free.fr
|
||||
|
||||
This library is free software; you can redistribute it and/or modify
|
||||
it under the same terms as Perl itself, either Perl version 5.8.4 or,
|
||||
at your option, any later version of Perl 5 you may have available.
|
|
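--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,3 @@
+* Help english
+* Help generalParameters
+* Help in Static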
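--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,5 @@
+CREATE TABLE sessions (
+id char(32) not null primary key,
+a_session text
+);
+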
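--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,48 @@
+include __DIR__/handler/lmH-apache.conf
+#Listen 127.0.0.2:80
+<VirtualHost 127.0.0.2:*>
+ServerName auth.example.com
+
+# DocumentRoot
+DocumentRoot __DIR__/portal
+<Directory __DIR__/portal>
+Order allow,deny
+Allow from all
+Options +ExecCGI
+</Directory>
+
+# Portal and Manager must be interpreted by Perl
+<Files *.pl>
+SetHandler perl-script
+PerlHandler Apache::Registry
+</Files>
+
+<IfModule mod_dir.c>
+DirectoryIndex index.pl index.html
+</IfModule>
+
+</VirtualHost>
+#Listen 127.0.0.4:80
+<VirtualHost 127.0.0.4:*>
+ServerName manager.example.com
+
+# DocumentRoot
+DocumentRoot __DIR__/manager
+<Directory __DIR__/manager>
+Order deny,allow
+Deny from all
+Allow from 127.0.0.0/8
+Options +ExecCGI
+</Directory>
+
+# Portal and Manager must be interpreted by Perl
+<Files *.pl>
+SetHandler perl-script
+PerlHandler Apache::Registry
+</Files>
+
+<IfModule mod_dir.c>
+DirectoryIndex index.pl index.html
+</IfModule>
+
+</VirtualHost>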
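Review bot: The manager virtual host (`<VirtualHost 127.0.0.4:*>`, `Deny from all` / `Allow from 127.0.0.0/8`) is gated by source address only, while the INSTALL file in this same commit (section 2.3.2) tells administrators to front the manager with SSL and `AuthType Basic` precisely because it does not protect itself; that requirement should be stated in the example so the block is not copied as-is into a real deployment. Suggested comment above `<Directory __DIR__/manager>`: `# Demo only: any local process can reach the manager; add authentication (INSTALL 2.3.2) before exposing it beyond loopback.` The portal `<Directory __DIR__/portal>` combines `Allow from all`, `Options +ExecCGI` and `<Files *.pl>`, so every .pl file that lands in that DocumentRoot is executed for any client — worth a one-line comment as well. apache2.conf in the next section repeats both blocks and needs the same comments.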
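--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,49 @@
+include __DIR__/handler/lmH-apache2.conf
+PerlOptions +GlobalRequest
+#Listen 127.0.0.2:80
+<VirtualHost 127.0.0.2:*>
+ServerName auth.example.com
+
+# DocumentRoot
+DocumentRoot __DIR__/portal
+<Directory __DIR__/portal>
+Order allow,deny
+Allow from all
+Options +ExecCGI
+</Directory>
+
+# Portal and Manager must be interpreted by Perl
+<Files *.pl>
+SetHandler perl-script
+PerlResponseHandler ModPerl::Registry
+</Files>
+
+<IfModule mod_dir.c>
+DirectoryIndex index.pl index.html
+</IfModule>
+
+</VirtualHost>
+#Listen 127.0.0.4:80
+<VirtualHost 127.0.0.4:*>
+ServerName manager.example.com
+
+# DocumentRoot
+DocumentRoot __DIR__/manager
+<Directory __DIR__/manager>
+Order deny,allow
+Deny from all
+Allow from 127.0.0.0/8
+Options +ExecCGI
+</Directory>
+
+# Portal and Manager must be interpreted by Perl
+<Files *.pl>
+SetHandler perl-script
+PerlResponseHandler ModPerl::Registry
+</Files>
+
+<IfModule mod_dir.c>
+DirectoryIndex index.pl index.html
+</IfModule>
+
+</VirtualHost>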
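--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,48 @@
+ldapServer
+'localhost'
+
+ldapBase
+'dc=example,dc=com'
+
+ldapPort
+389
+
+managerDn
+''
+
+managerPassword
+''
+
+portal
+'http://auth.example.com/'
+
+domain
+'example.com'
+
+globalStorage
+'Apache::Session::File'
+
+globalStorageOptions
+'BAcEMTIzNAQEBAgZAAEAAAAXBC90bXACCQAAAERpcmVjdG9yeQ=='
+
+exportedHeaders
+'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwQkdWlkAgkAAABBdXRoLVVzZXICEAAAAHRlc3QuZXhhbXBsZS5jb20='
+
+exportedVars
+'BAcEMTIzNAQEBAgZAAMAAAAXA3VpZAIDAAAAdWlkFwJjbgICAAAAY24XBG1haWwCBAAAAG1haWw='
+
+authentication
+'ldap'
+
+locationRules
+'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwZhY2NlcHQCBwAAAGRlZmF1bHQCEAAAAHRlc3QuZXhhbXBsZS5jb20='
+
+cfgNum
+1
+
+cookieName
+'lemonldap'
+
+securedCookie
+0
+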
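Review bot: `globalStorageOptions`, `exportedHeaders`, `exportedVars` and `locationRules` are written as base64-encoded Storable blobs, which makes this hand-editable example unreviewable: the `globalStorageOptions` value appears to decode to `{ Directory => '/tmp' }`, i.e. Apache::Session::File keeps every session file under a world-writable shared directory, and `locationRules` appears to decode to `{ 'test.example.com' => { default => 'accept' } }`. The INSTALL text in this commit tells users to edit this file by hand, so the decoded defaults should be stated next to it — in the file if the format accepts comments, otherwise in INSTALL — e.g. `globalStorageOptions is Storable/base64 of { Directory => '/tmp' }; point it at a directory owned by the web server user before real use`. `securedCookie` is `0` while `portal` is plain `http://`, which is consistent for a loopback demo but deserves the same kind of remark, since the README in this commit presents securedCookie as the session-hijacking countermeasure. The file also omits `whatToTrace`, `macros` and `groups`, all of which the lmConfig SQL schema later in this commit defines, so the two configuration backends start from different defaults.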
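--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,4 @@
+127.0.0.2 auth.example.com
+127.0.0.3 test.example.com
+127.0.0.4 manager.example.com
+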
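--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,58 @@
+#!/usr/bin/perl
+
+use CGI;
+
+my $cgi=CGI->new;
+
+print $cgi->header;
+print $cgi->start_html( 'Page protected by Lemonldap::NG' );
+my($headers, $env)=({},{});
+use Data::Dumper;
+print "<pre>";
+foreach(keys %ENV) {
+if($_ =~ /^HTTP_/) {
+($a=$_) =~ s/^HTTP_//i;
+#$a =~ s/_/ /g;
+#$a = ucfirst(lc($a));
+#$a =~ s/ /-/g;
+$a = join '-', map {ucfirst(lc)} split '_',$a;
+$headers->{$a} = $_;
+}
+else {
+$env->{$_} = $ENV{$_};
+}
+}
+print "</pre>";
+print qq#<h1>Authentication succeed</h1>
+<a href="/logout">logout</a>
+<p>Authenticated user : $ENV{HTTP_AUTH_USER}</p>
+<p>To know who is connected in your applications, you can read HTTP headers :</p>
+<table border=1 style="font-size: small;">\n
+<tr><th>Header</th><th>Perl CGI</th><th>PHP script</th><th>Value</th></tr>
+#;
+foreach(keys %$headers) {
+$style = $_ eq 'Auth-User' ? 'style="background-color: #FFEEEE;font-weight: bold;"' : '';
+print "<tr>
+<td $style>$_</td>
+<td $style>\$ENV{$headers->{$_}}</td>
+<td $style>\$_SERVER{$headers->{$_}}</td>
+<td $style> $ENV{$headers->{$_}}</td>
+</tr>\n"
+}
+print '</table>
+<p>Note that lemonldap cookie is hidden. So that application developpers can
+not spoof sessions.</p>
+<p>You can access to any information (IP address or LDAP attribute) by customizing
+exported headers with the
+<a href="http://manager.example.com/">Lemonldap::NG Management interface</a></p>
+<hr>';
+
+print qq#<h2>Environment for Perl CGI :</h2>
+<p>Be carefull, the \$ENV{REMOTE_USER} is set only if your script is in the
+same server than Lemonldap::NG handler (\$whatToTrace parameter). If you use
+it on a reverse-proxy, \$ENV{REMOTE_USER} is not set.</p>
+<table border=0 style="font-size: small;">\n#;
+print "<tr><td>$_</td><td>=> $ENV{$_}</td></tr>\n" foreach(keys %ENV);
+print '</table>';
+print $cgi->end_html;
+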
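Review bot: Every value written into the header table (`<td $style>$_</td>`, `$ENV{$headers->{$_}}`), the `Authenticated user : $ENV{HTTP_AUTH_USER}` line and the final environment dump (`print "<tr><td>$_</td><td>=> $ENV{$_}</td></tr>\n" foreach(keys %ENV);`) is interpolated into HTML unescaped, and `%ENV` carries request headers, the query string and the request URI, so this demo page reflects client-controlled input on the very host the SSO cookie is scoped to — and the page presents itself to developers as the pattern to copy for reading `Auth-User`. Escape at each interpolation point with `CGI::escapeHTML`, which `use CGI` already provides, and do the same for the `$ENV{HTTP_AUTH_USER}` line. The script also runs without `use strict; use warnings;`, uses the sort-special `$a` as a scratch variable, and leaves `$env` and `use Data::Dumper` unused, all of which strictures would flag. `keys %ENV` is unordered, so the tables change order between requests; `sort keys` gives stable output.

```perl
# … unchanged: CGI setup, header-name collection, first HTML block …
foreach (sort keys %$headers) {
    my $style = $_ eq 'Auth-User' ? 'style="background-color: #FFEEEE;font-weight: bold;"' : '';
    my $name  = CGI::escapeHTML($_);
    my $var   = CGI::escapeHTML( $headers->{$_} );
    my $value = CGI::escapeHTML( $ENV{ $headers->{$_} } );
    print "<tr>
<td $style>$name</td>
<td $style>\$ENV{$var}</td>
<td $style>\$_SERVER{$var}</td>
<td $style> $value</td>
</tr>\n";
}
# … unchanged: explanatory HTML and the "Environment for Perl CGI" heading …
print '<tr><td>' . CGI::escapeHTML($_) . '</td><td>=> ' . CGI::escapeHTML( $ENV{$_} ) . "</td></tr>\n"
    foreach (sort keys %ENV);
```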
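--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,21 @@
+CREATE TABLE lmConfig (
+cfgNum int not null primary key,
+locationRules text,
+exportedHeaders text,
+globalStorage text,
+globalStorageOptions text,
+macros text,
+groups text,
+portal text,
+domain text,
+ldapServer text,
+ldapPort int,
+ldapBase text,
+securedCookie int,
+cookieName text,
+authentication text,
+exportedVars text,
+managerDn text,
+managerPassword text,
+whatToTrace text
+);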
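Review bot: `managerPassword text` keeps the LDAP bind password in clear in the same row every handler and portal reads, so whichever DBI credential can load the configuration (the `dbiUser` shown in INSTALL section 2.3.2 of this commit) can also read it; the schema should say so, e.g. `-- managerPassword is stored in clear: grant SELECT on this table only to the LemonLDAP accounts`. Since the INSTALL text says each saved configuration is a new record, the accompanying documentation can state the least-privilege split directly: handlers and portal need SELECT only, the manager SELECT plus INSERT, and nothing needs UPDATE or DELETE. `groups` is a reserved word in newer MySQL releases, so quoting it or choosing another column name avoids a later migration break. The schema also defines `macros`, `groups` and `whatToTrace`, none of which the example flat file lmConf-1 earlier in this commit sets, so the two configuration backends do not start from the same defaults.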
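--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1 @@
+debian/changelog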
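--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,4 @@
+lemonldap-ng for Debian
+-----------------------
+
+-- Xavier Guimard <x.guimard@free.fr> Sun, 17 Dec 2006 17:46:47 +0100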
@ -0,0 +1,163 @@
|
|||
lemonldap-ng (0.8.1) unstable; urgency=low
|
||||
|
||||
* New features :
|
||||
- Logout system
|
||||
- Configuration check before saving in Manager
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 15 Apr 2007 19:18:29 +0200
|
||||
|
||||
lemonldap-ng (0.8.0.7) unstable; urgency=low
|
||||
|
||||
* Bug fix in manager javascript (Closes: #306776 ?)
|
||||
* Display bug fix in manager
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 15 Apr 2007 13:21:43 +0200
|
||||
|
||||
lemonldap-ng (0.8.0.6) unstable; urgency=low
|
||||
|
||||
* Little bug fix in unprotect function
|
||||
* Bug fix in authentication scheme different than default
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Thu, 12 Apr 2007 07:03:51 +0200
|
||||
|
||||
lemonldap-ng (0.8.0.5) unstable; urgency=low
|
||||
|
||||
* i18n bug: Lemonldap::NG works does not fall in english but creates a bug
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Wed, 28 Mar 2007 21:26:16 +0200
|
||||
|
||||
lemonldap-ng (0.8.0.4) unstable; urgency=low
|
||||
|
||||
* Multi-valued attributes in HTTP headers (Closes: #306792 /
|
||||
forge.objectweb.org)
|
||||
* Warning in Manager/Conf.pm: the same type of storage has to be used for
|
||||
all Lemonldap::NG parts in a same server.
|
||||
* Apache-1.3 configuration reload (Closes: #306761 / forge.objectweb.org)
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Thu, 22 Mar 2007 22:42:23 +0100
|
||||
|
||||
lemonldap-ng (0.8.0.3) unstable; urgency=low
|
||||
|
||||
* New feature in Manager : "Delete VHost" button (Closes: #306761)
|
||||
* Typo correction in Makefile : (Closes: #306775)
|
||||
* Correction of build-depends : (Closes: #306773)
|
||||
* Bug correction : existingSessions was not called in Portal.pm
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Tue, 13 Mar 2007 07:55:42 +0100
|
||||
|
||||
lemonldap-ng (0.8.0.2) unstable; urgency=low
|
||||
|
||||
* Bug correction: lock doesn't work with File.pm (Closes: #306760 /
|
||||
forge.objectweb.org)
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 11 Mar 2007 21:08:38 +0100
|
||||
|
||||
lemonldap-ng (0.8.0.1) unstable; urgency=medium
|
||||
|
||||
* Closes: #306756 / forge.objectweb.org
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Fri, 10 Mar 2007 08:49:01 +0100
|
||||
|
||||
lemonldap-ng (0.8) unstable; urgency=low
|
||||
|
||||
* Release 0.8:
|
||||
- corrects differents little bugs issued from test in real life.
|
||||
- on line documentation in english
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Fri, 9 Mar 2007 20:29:01 +0100
|
||||
|
||||
lemonldap-ng (0.7b12) unstable; urgency=low
|
||||
|
||||
* New features:
|
||||
- session access via SOAP
|
||||
- authentication via CAS
|
||||
- 'apply changes' button in Manager used to reload configuration in
|
||||
handlers (by calling reload sub via HTTP) (Closes: #306565 /
|
||||
forge.objectweb.org)
|
||||
- i18n module in portal (for displaying errors)
|
||||
- lock in DBI configuration system (NOT YET TESTED)
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 4 Mar 2007 15:50:38 +0100
|
||||
|
||||
lemonldap-ng (0.7b11) unstable; urgency=low
|
||||
|
||||
* New features:
|
||||
- Cross Domain Authentication
|
||||
- SOAP configuration access
|
||||
- READMEs and documentation update
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Tue, 27 Feb 2007 15:01:09 +0100
|
||||
|
||||
lemonldap-ng (0.7b10) unstable; urgency=low
|
||||
|
||||
* Corrections in Manager issued from the first test in real life:
|
||||
- Close #306573 / forge.objectweb.org
|
||||
- Close #306574 / forge.objectweb.org
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Wed, 17 Jan 2007 20:57:33 +0100
|
||||
|
||||
lemonldap-ng (0.7b9) unstable; urgency=low
|
||||
|
||||
* Internationalization of javascripts (close #306564 / forge.objectweb.org)
|
||||
* Help in "General Parameters"
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 14 Jan 2007 21:50:39 +0100
|
||||
|
||||
lemonldap-ng (0.7b8) unstable; urgency=low
|
||||
|
||||
* Correction of the use of Safe in portal: &share doesn't work with a
|
||||
variable declared with my.
|
||||
* New system in the configuration: 'macro' section can be used to add
|
||||
custom exported variables. So configuration is more simple in heavy case.
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sat, 13 Jan 2007 20:19:19 +0100
|
||||
|
||||
lemonldap-ng (0.7b7) unstable; urgency=low
|
||||
|
||||
* Correction of a bug in internal redirections: now internal
|
||||
redirections are not examined: for example,http://test.example.com/ is
|
||||
internaly redirected to /index.pl, but only the first request (/) is
|
||||
tested.
|
||||
* Help in french
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Fri, 5 Jan 2007 18:22:32 +0100
|
||||
|
||||
lemonldap-ng (0.7b6) unstable; urgency=low
|
||||
|
||||
* Help system skeleton
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Thu, 4 Jan 2007 09:04:05 +0100
|
||||
|
||||
lemonldap-ng (0.7b5) unstable; urgency=low
|
||||
|
||||
* Localization in Manager interface (only fr and en)
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 31 Dec 2006 16:39:06 +0100
|
||||
|
||||
lemonldap-ng (0.7b4) unstable; urgency=low
|
||||
|
||||
* Safe jail runs now
|
||||
* example runs now
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 31 Dec 2006 14:00:08 +0100
|
||||
|
||||
lemonldap-ng (0.7b3) unstable; urgency=low
|
||||
|
||||
* Replacement of eval by Safe for external expressions
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sat, 30 Dec 2006 22:23:22 +0100
|
||||
|
||||
lemonldap-ng (0.7b) unstable; urgency=low
|
||||
|
||||
* Corrections in example
|
||||
* Example installation in debian
|
||||
* Revision in documentation
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 17 Dec 2006 18:37:39 +0100
|
||||
|
||||
lemonldap-ng (0.6) unstable; urgency=low
|
||||
|
||||
* Initial release built starting from the three modules of the CPAN.
|
||||
|
||||
-- Xavier Guimard <x.guimard@free.fr> Sun, 17 Dec 2006 17:46:47 +0100
|
||||
|
|
@ -0,0 +1 @@
|
|||
4
|
|
@ -0,0 +1,17 @@
|
|||
Source: lemonldap-ng
|
||||
Section: perl
|
||||
Priority: extra
|
||||
Maintainer: Xavier Guimard <x.guimard@free.fr>
|
||||
Build-Depends: debhelper (>= 4), libapache-session-perl, libnet-ldap-perl, libdbi-perl, libwww-perl, libcache-cache-perl, libxml-simple-perl
|
||||
Standards-Version: 3.7.2
|
||||
|
||||
Package: lemonldap-ng
|
||||
Architecture: all
|
||||
Depends: libapache-session-perl, libnet-ldap-perl, libdbi-perl, libwww-perl, libcache-cache-perl, libxml-simple-perl
|
||||
Provides: liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl, liblemonldap-ng-manager-perl
|
||||
Conflicts: liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl, liblemonldap-ng-manager-perl
|
||||
Recommends: libsoap-lite-perl, liblasso-perl
|
||||
Description: Lemonldap::NG Web-SSO system
|
||||
Lemonldap::NG is a complete Web-SSO system that can run with reverse-proxies
|
||||
or directly on application apache servers.
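Review bot: Provides and Conflicts each list liblemonldap-ng-manager-perl twice and never name the handler, although this commit ships lemonldap-ng-handler alongside manager and portal (see the module symlinks later in the commit). The duplicate looks like a copy-paste slip for the handler entry: `Provides: liblemonldap-ng-handler-perl, liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl` and the same list for Conflicts. Without it, a separately packaged handler could presumably be co-installed with this bundle and the two copies would compete for the same module paths. Since dh_perl is commented out in debian/rules, there is also no `${perl:Depends}` here; adding it to Depends and enabling dh_perl would give the package a correct perl dependency.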
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
This package was debianized by Xavier Guimard <x.guimard@free.fr> on
|
||||
Sun, 17 Dec 2006 17:46:47 +0100.
|
||||
|
||||
Copyright:
|
||||
|
||||
Copyright 2004, 2005, 2006 by Xavier Guimard
|
||||
|
||||
Licence:
|
||||
|
||||
Perl is distributed under your choice of the GNU General Public License
|
||||
or the Artistic License. On Debian GNU/Linux systems, the copyright terms
|
||||
for Perl itself are located in `/usr/share/doc/perl/copyright'. On Debian
|
||||
GNU/Linux systems, the complete text of the GNU General Public License can
|
||||
be found in `/usr/share/common-licenses/GPL' and the Artistic Licence in
|
||||
`/usr/share/common-licenses/Artistic'.
|
||||
|
|
@ -0,0 +1 @@
|
|||
usr/share
|
|
@ -0,0 +1,3 @@
|
|||
doc/*
|
||||
README
|
||||
INSTALL
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
# Maintainer: #DEBHELPER#
|
||||
|
||||
if [ "$1" = "configure" ]
|
||||
then
|
||||
chown -R www-data /usr/share/doc/lemonldap-ng/examples/conf
|
||||
fi
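Review bot: The chown hands the whole example configuration directory to the web-server user, and install.html in this commit says that directory (lmConfig-1) carries managerDn/managerPassword and the access rules the handler enforces; after this step the SSO configuration is writable by any compromised web process and, sitting under /usr/share/doc with default permissions, readable by every local user. At minimum set the group explicitly and drop the other bits: `chown -R www-data:www-data /usr/share/doc/lemonldap-ng/examples/conf` followed by `chmod -R o-rwx /usr/share/doc/lemonldap-ng/examples/conf`, and start the script with `set -e` so a failed chown fails the configure step instead of being silently ignored. The `#DEBHELPER#` token is on the `# Maintainer:` comment line; dh_installdeb substitutes it textually in place, so the first line of the generated snippet would end up commented out — the token belongs on a line of its own. Longer term the live configuration should not live under /usr/share/doc at all (Debian policy forbids depending on that directory at runtime); /var/lib/lemonldap-ng/conf would be the conventional place.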
|
|
@ -0,0 +1,93 @@
|
|||
#!/usr/bin/make -f
|
||||
# -*- makefile -*-
|
||||
# Sample debian/rules that uses debhelper.
|
||||
# This file was originally written by Joey Hess and Craig Small.
|
||||
# As a special exception, when this file is copied by dh-make into a
|
||||
# dh-make output file, you may use that output file without restriction.
|
||||
# This special exception was added by Craig Small in version 0.37 of dh-make.
|
||||
|
||||
# Uncomment this to turn on verbose mode.
|
||||
#export DH_VERBOSE=1
|
||||
|
||||
export PERL_MM_USE_DEFAULT=1
|
||||
|
||||
|
||||
configure: configure-stamp
|
||||
configure-stamp:
|
||||
dh_testdir
|
||||
# Add here commands to configure the package.
|
||||
|
||||
touch configure-stamp
|
||||
|
||||
|
||||
build: build-stamp
|
||||
|
||||
build-stamp: configure-stamp
|
||||
dh_testdir
|
||||
|
||||
# Add here commands to compile the package.
|
||||
$(MAKE) INSTALLDIRS=vendor
|
||||
#docbook-to-man debian/lemonldap-ng.sgml > lemonldap-ng.1
|
||||
|
||||
touch $@
|
||||
|
||||
clean:
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
rm -f build-stamp configure-stamp
|
||||
|
||||
# Add here commands to clean up after the build process.
|
||||
-$(MAKE) clean
|
||||
|
||||
dh_clean
|
||||
|
||||
install: build
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
dh_clean -k
|
||||
dh_installdirs
|
||||
|
||||
# Add here commands to install the package into debian/lemonldap-ng.
|
||||
$(MAKE) test
|
||||
$(MAKE) install DESTDIR=$(CURDIR)/debian/lemonldap-ng PREFIX=/usr
|
||||
$(MAKE) example EXAMPLEDIR=/usr/share/doc/lemonldap-ng/examples/
|
||||
|
||||
|
||||
# Build architecture-independent files here.
|
||||
binary-indep: build install
|
||||
# We have nothing to do by default.
|
||||
|
||||
# Build architecture-dependent files here.
|
||||
binary-arch: build install
|
||||
dh_testdir
|
||||
dh_testroot
|
||||
dh_installchangelogs
|
||||
dh_installdocs
|
||||
dh_installexamples example/*
|
||||
# dh_install
|
||||
# dh_installmenu
|
||||
# dh_installdebconf
|
||||
# dh_installlogrotate
|
||||
# dh_installemacsen
|
||||
# dh_installpam
|
||||
# dh_installmime
|
||||
# dh_python
|
||||
# dh_installinit
|
||||
# dh_installcron
|
||||
# dh_installinfo
|
||||
dh_installman
|
||||
dh_link
|
||||
dh_strip
|
||||
dh_compress
|
||||
gunzip $(CURDIR)/debian/lemonldap-ng/usr/share/doc/lemonldap-ng/examples/manager/lemonldap-ng-manager.js.gz
|
||||
dh_fixperms
|
||||
# dh_perl
|
||||
# dh_makeshlibs
|
||||
dh_installdeb
|
||||
dh_shlibdeps
|
||||
dh_gencontrol
|
||||
dh_md5sums
|
||||
dh_builddeb
|
||||
|
||||
binary: binary-indep binary-arch
|
||||
.PHONY: build clean binary-indep binary-arch binary install configure
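Review bot: The whole packaging sequence (dh_installdocs through dh_builddeb) sits under binary-arch while binary-indep is a no-op, yet debian/control in this commit declares the single package Architecture: all; an arch-only build (`dpkg-buildpackage -B`, as buildds run) would therefore produce the .deb on every architecture and an indep-only build (`-A`) would produce nothing. Move the dh_* sequence to binary-indep and leave binary-arch empty; dh_strip and dh_shlibdeps can be dropped at the same time since the package contains no compiled objects. The post-dh_compress `gunzip` of lemonldap-ng-manager.js.gz is better expressed as `dh_compress -X.js`, which avoids the hard-coded path and covers any script the examples gain later.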
|
|
@ -0,0 +1,377 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Lemonldap::NG</title>
|
||||
<meta name="ROBOTS" content="INDEX,FOLLOW">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<meta name="DESCRIPTION" content="Lemonldap::NG installation">
|
||||
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG, INSTALLATION">
|
||||
<style>
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<h1 style="text-align: center;">Lemonldap::NG Installation</h1>
|
||||
<p>Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||
simplifies the build of a protected area with a few changes in the application.
|
||||
It manages both authentication and authorization and provides headers for
|
||||
accounting. So you can have a full AAA protection.</p>
|
||||
|
||||
<p>See <a href=overview.html>README file</a> to known how it works.</p>
|
||||
|
||||
<ol type="I">
|
||||
<li><a href="#example">Example installation</a>
|
||||
<ol type="1">
|
||||
<li><a href="#prereq1">Prereq</a></li>
|
||||
<li><a href="#ebuilding">Building</a></li>
|
||||
<li><a href="#econf">Example configuration</a></li>
|
||||
</ol>
|
||||
</li>
|
||||
<li><a href="#advanced">Advanced installation</a>
|
||||
<ol type="1">
|
||||
<li><a href="#prereq2">Prereq</a></li>
|
||||
<li><a href="#softInst">Software installation</a></li>
|
||||
<li><a href="#lmInst">Lemonldap::NG installation</a></li>
|
||||
</ol>
|
||||
</li>
|
||||
</ol>
|
||||
|
||||
|
||||
<ol type="I">
|
||||
|
||||
<h2><li><a name="example">Example installation</a></li></h2>
|
||||
|
||||
<p>The proposed example use a protected site named test.example.com. Non
|
||||
authenticated users are redirected to auth.example.com.</p>
|
||||
|
||||
<ol type="1">
|
||||
|
||||
<h3><li><a name="prereq1">Prereq</a></li></h3>
|
||||
|
||||
<ol type="a">
|
||||
<h4><li>Software</li></h4>
|
||||
|
||||
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||
Apache proposed with your Linux distribution match, but some distributions used
|
||||
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||
package for Debian works fine).</p>
|
||||
|
||||
<h4><li>Perl prereq</li></h4>
|
||||
|
||||
<dl>
|
||||
<dt><b>Perl modules :</b></dt>
|
||||
<dd>
|
||||
<p>Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
|
||||
DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager)</p>
|
||||
</dd>
|
||||
|
||||
<dt><b>With Debian :</b></dt>
|
||||
<dd>
|
||||
<pre>
|
||||
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
|
||||
libdbi-perl perl-modules libwww-perl libcache-cache-perl \
|
||||
libxml-simple-perl
|
||||
</pre>
|
||||
<p>If you want to use SOAP with the manager :</p>
|
||||
<pre>
|
||||
apt-get install libsoap-lite-perl
|
||||
</pre>
|
||||
</dd>
|
||||
</dl>
|
||||
</ol>
|
||||
|
||||
<h3><li><a name="ebuilding">Building</a></li></h3>
|
||||
|
||||
<ol type="a">
|
||||
|
||||
<h4><li>Complete installation</li></h4>
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
$ make example
|
||||
</pre>
|
||||
|
||||
<h4><li>Installation on Debian</li></h4>
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ debuild # or fakeroot dpkg-buildpackage
|
||||
$ sudo dpkg -i ../lemonldap-ng*.deb
|
||||
</pre>
|
||||
|
||||
</ol>
|
||||
|
||||
<h3><li><a name="econf">Example configuration</a></li></h3>
|
||||
|
||||
<p>After build, you have new files in the example/ directory
|
||||
(<code>/usr/share/doc/lemonldap-ng/example</code> with Debian). You just have
|
||||
to include this file in Apache configuration :</p>
|
||||
|
||||
<ul>
|
||||
<li>in httpd.conf (with Apache-1.3.x)
|
||||
<pre>
|
||||
include /path/to/lemonldap-ng/source/example/apache.conf
|
||||
</pre>
|
||||
</li>
|
||||
|
||||
<li>or with Apache2
|
||||
<pre>
|
||||
include /path/to/lemonldap-ng/source/example/apache2.conf
|
||||
</pre>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p>Modify your /etc/hosts file to include :</p>
|
||||
|
||||
<pre>
|
||||
127.0.0.2 auth.example.com
|
||||
127.0.0.3 test.example.com
|
||||
127.0.0.4 manager.example.com
|
||||
</pre>
|
||||
|
||||
<p>and restart Apache.</p>
|
||||
|
||||
<p>Before the example works, you have to set your LDAP settings. There are two
|
||||
ways to do it :
|
||||
|
||||
<ul>
|
||||
<li>Connect to <a href="http://manager.example.com/">http://manager.example.com/</a>
|
||||
and edit the corresponding parameters in "general parameters"</li>
|
||||
|
||||
<li>Edit <code>/path/to/lemonldap-ng/source/example/conf/lmConfig-1</code> and
|
||||
specify your LDAP settings.</li>
|
||||
</ul>
|
||||
|
||||
<p>If you don't set managerDn and managerPassword, Lemonldap::NG will
|
||||
use an anonymous bind to find user dn.</p>
|
||||
|
||||
<p>WARNINGS :</p>
|
||||
|
||||
<ul>
|
||||
<li> only few parameters can be set by hand in the configuration file. You have
|
||||
to use the manager to change configuration, but since the example is yet
|
||||
configured, you can edit directly the file</li>
|
||||
<li> each new configuration is saved by the manager in a new file (or a new
|
||||
record with DBI) so you can recover an old configuration by removing</li>
|
||||
</ul>
|
||||
|
||||
<p>Next, try to connect to <a href="http://test.example.com/">http://test.example.com/</a>.
|
||||
You'll be redirect to auth.example.com. Try to authenticate yourself with a
|
||||
valid account and the protected page will appear. You will find other
|
||||
explanations on this page.</p>
|
||||
|
||||
</ol>
|
||||
|
||||
<h2><li><a name="advanced">Advanced installation</a></li></h2>
|
||||
|
||||
<ol type="1">
|
||||
|
||||
<h3><li><a name="prereq2">Prereq</a></li></h3>
|
||||
|
||||
<ol type="a">
|
||||
|
||||
<h4><li>Apache</li></h4>
|
||||
|
||||
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||
Apache proposed with your Linux distribution match, but some distributions used
|
||||
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||
package for Debian works fine).</p>
|
||||
|
||||
<p>For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
|
||||
faster and Lemonldap::NG use the thread system for best performance. If you
|
||||
have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
|
||||
anyway.</p>
|
||||
|
||||
<p>You can use Lemonldap::NG in an heterogene world : the authentication portal and
|
||||
the manager can work in any version of Apache 1.3 or more even if mod_perl is
|
||||
not compiled, with ModPerl::Registry or not... Only the handler (site protector)
|
||||
need mod_perl. The different handlers can run on different servers with
|
||||
different versions of Apache/mod_perl.</p>
|
||||
|
||||
<h4><li>Perl Prereq</li></h4>
|
||||
|
||||
<p>Warning : Handler and Portal parts both need Lemonldap::NG::Manager components
|
||||
to access to configuration.</p>
|
||||
|
||||
<dl>
|
||||
<dt>Manager :</dt>
|
||||
<dd><p>CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP)</p>
|
||||
|
||||
<p>With Debian :</p>
|
||||
<pre>
|
||||
# apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
|
||||
</pre>
|
||||
<p>And if you want to use SOAP :</p>
|
||||
<pre>
|
||||
# apt-get install libsoap-lite-perl
|
||||
</pre>
|
||||
</dd>
|
||||
|
||||
<dt>Portal :</dt>
|
||||
<dd><p>Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager</p>
|
||||
|
||||
<p>With Debian :</p>
|
||||
<pre>
|
||||
# apt-get install libapache-session-perl libnet-ldap-perl perl-modules
|
||||
</pre>
|
||||
</dd>
|
||||
|
||||
<dt>Handler :</dt>
|
||||
<dd><p>Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager</p>
|
||||
|
||||
<p>With Debian :</p>
|
||||
<pre>
|
||||
# apt-get install libapache-session-perl libwww-perl libcache-cache-perl
|
||||
</pre>
|
||||
</dd>
|
||||
</dl>
|
||||
</ol>
|
||||
|
||||
<h3><li><a name="softInst">Software installation</a></li></h3>
|
||||
|
||||
<p>If you just want to install a handler or a portal or a manager :</p>
|
||||
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
|
||||
$ perl Makefile.PL && make && make test
|
||||
$ sudo make install
|
||||
</pre>
|
||||
|
||||
<p>else for a complete install :</p>
|
||||
<pre>
|
||||
$ tar xzf lemonldap-ng-*.tar.gz
|
||||
$ cd lemonldap-ng-*
|
||||
$ make && make test
|
||||
$ sudo make install
|
||||
</pre>
|
||||
|
||||
<p>See prereq in Exeample installation</p>
|
||||
|
||||
<h3><li><a name="lmInst">Lemonldap::NG installation</a></li></h3>
|
||||
|
||||
<ol type="a">
|
||||
|
||||
<h4><li>Databases configuration</li></h4>
|
||||
|
||||
<h5>Lemonldap::NG Configuration database</h5>
|
||||
|
||||
<p>If you use DBI or another system to share Lemonldap::NG configuration, you have
|
||||
to initialize the database. An example is given in example/lmConfig.mysql for
|
||||
MySQL.</p>
|
||||
<!-- TODO: File -->
|
||||
|
||||
<h5>Apache::Session database</h5>
|
||||
|
||||
<p>The choice of Apache::Session::* module is free. See Apache::Session::Store::*
|
||||
or Apache::Session::* to know how to configure the module. For example, if you
|
||||
want to use Apache::Session::MySQL, you can create the database like this :</p>
|
||||
|
||||
<pre>
|
||||
CREATE DATABASE sessions (
|
||||
id char(32),
|
||||
a_session text
|
||||
);
|
||||
</pre>
|
||||
|
||||
<h4><li>Manager configuration</li></h4>
|
||||
|
||||
<p>Copy example/manager.cgi and personalize it if you want (see
|
||||
Lemonldap::NG::Manager). You have to set in particular configStorage. For
|
||||
example with MySQL :</p>
|
||||
|
||||
<pre>
|
||||
$my $manager = Lemonldap::NG::Manager->new ( {
|
||||
dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4",
|
||||
dbiUser => "lemonldap-ng",
|
||||
dbiPassword => "mypass",
|
||||
} );
|
||||
</pre>
|
||||
|
||||
<p>You can securise Manager access with Lemonldap::NG like any other site (after
|
||||
configuring it) or with Apache. Example :</p>
|
||||
|
||||
<pre>
|
||||
SSLEngine On
|
||||
Order Deny, Allow
|
||||
Deny from all
|
||||
Allow from admin-network/netmask
|
||||
AuthType Basic
|
||||
...
|
||||
</pre>
|
||||
|
||||
<h4><li>Configuration edition</li></h4>
|
||||
|
||||
<p>Connect to the manager with your browser start configure your Web-SSO. You have
|
||||
to set at least some parameters :</p>
|
||||
|
||||
<h5>General parameters</h5>
|
||||
|
||||
<p>Main parameters :</p>
|
||||
<ul>
|
||||
<li> <b>Authentication parameters -> portal</b> : URL to access to the authentication portal</li>
|
||||
<li> <b>Domain</b> : the cookie domain. Unless some protected VirtualHosts
|
||||
are not under it, you have to use Lemonldap::NG::Portal::CDA and
|
||||
Lemonldap::NG::Handler::CDA </li>
|
||||
<li> <b>LDAP parameters -> LDAP Server</b></li>
|
||||
<li> <b>LDAP parameters -> LDAP Accout and password</b> : required only if anonymous binds are not accepted</li>
|
||||
<li> <b>Session Storage -> Apache::Session module</b> : how to store user sessions. You can use all module that inherit
|
||||
from Apache::Session like Apache::Session::MySQL</li>
|
||||
<li> <b>Session Storage -> Apache::Session Module parameters</b> : see Apache::Session::<Choosen module></li>
|
||||
</ul>
|
||||
|
||||
<h5>User groups</h5>
|
||||
|
||||
<p>Use the "New Group" button to add your first group. On the left, set the
|
||||
keyword which will be used later and set on the right the corresponding rule.
|
||||
you can use :</p>
|
||||
|
||||
<ul>
|
||||
<li> an LDAP filter (it will be tested with the user uid)</li>
|
||||
<li> or a Perl condition enclosed with <b>{}</b>. All variables declared in
|
||||
"General parameters -> LDAP attributes" or "macros"
|
||||
can be used with a "<b>$</b>". For example :
|
||||
<pre>
|
||||
MyGroup => { $uid eq "foo" or $uid eq "bar" }
|
||||
</pre>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h5>Virtual hosts</h5>
|
||||
|
||||
<p>You have to create a virtual host for each Apache host (virtual or real)
|
||||
protected by Lemonldap::NG even if just a sub-directory is protected. Else,
|
||||
user who want to access to the protected area will be rejected with a "500
|
||||
Internal Server Error" message and the apache logs will explain the problem.</p>
|
||||
|
||||
<p>Each virtual host has 2 groups of parameters :</p>
|
||||
|
||||
<ul>
|
||||
<li> Headers : the headers added to the apache request. Default :
|
||||
<pre>
|
||||
Auth-User => $uid
|
||||
</pre>
|
||||
</li>
|
||||
<li> Rules : subdivised in 2 categories :
|
||||
<ul>
|
||||
<li><b>default</b> : the default rule</li>
|
||||
<li>personalized rules : association of a Perl regular expression and a
|
||||
condition. For example :
|
||||
<pre>
|
||||
^/restricted.*$ / $groups =~ /\bMyGroup\b/
|
||||
</pre>
|
||||
</li>
|
||||
</ul>
|
||||
</ol>
|
||||
</ol>
|
||||
</ol>
|
||||
</body>
|
||||
</html>
|
||||
|
|
@ -0,0 +1,247 @@
|
|||
<html>
|
||||
<head>
|
||||
<title>Lemonldap::NG</title>
|
||||
<meta name="ROBOTS" content="INDEX,FOLLOW">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||
<meta name="DESCRIPTION" content="Lemonldap::NG overview">
|
||||
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<h1 style="text-align: center;">Lemonldap::NG</h1>
|
||||
|
||||
<p> Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||
simplifies the build of a protected area with a few changes in the application.
|
||||
It manages both authentication and authorization and provides headers for
|
||||
accounting. So you can have a full AAA protection for your web space as
|
||||
described below.</p>
|
||||
|
||||
<ol type="1">
|
||||
<li><a href="#aaa">Authentication, Authorization and Accounting mechanisms</a></li>
|
||||
<li><a href="#inst">Installation</a></li>
|
||||
<li><a href="#storage">Session storage system</a></li>
|
||||
<li><a href="#logout">Logout system</a></li>
|
||||
<li><a href="#author">Author</a></li>
|
||||
<li><a href="#copyright">Copyright and licence</a></li>
|
||||
</ol>
|
||||
|
||||
<ol type="I">
|
||||
<h2><li><a name="aaa">Authentication, Authorization and Accounting mechanisms</a></li></h2>
|
||||
|
||||
<ol type="1">
|
||||
<h3><li>Authentication</li></h3>
|
||||
|
||||
<p>If a user isn't authenticated and attemps to connect to an area protected by a
|
||||
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
|
||||
authenticates user with a ldap bind by default, but you can also use another
|
||||
authentication sheme like using x509 user certificates (see
|
||||
Lemonldap::NG::Portal::AuthSSL(3) for more).</p>
|
||||
|
||||
<p>Lemonldap use session cookies generated by Apache::Session so as secure as a
|
||||
128-bit random cookie. You may use the securedCookie options to avoid session
|
||||
hijacking.</p>
|
||||
|
||||
<p>You have to manage life of sessions by yourself since Lemonldap::NG knows
|
||||
nothing about the L<Apache::Session> module you've choosed, but it's very easy
|
||||
using a simple cron script because Lemonldap::NG::Portal stores the start
|
||||
time in the _utime field.<br>
|
||||
By default, a session stay 10 minutes in the local storage, so in the worth
|
||||
case, a user is authorized 10 minutes after he lost his rights.</p>
|
||||
|
||||
<h3><li>Authorization</li></h3>
|
||||
|
||||
<p>Authorization is controled only by handlers because the portal knows nothing
|
||||
about the way the user will choose. When configuring your Web-SSO, you have to:</p>
|
||||
|
||||
<ul type="disc">
|
||||
<li> choose the ldap attributes you want to use to manage accounting and
|
||||
authorization.</li>
|
||||
<li> create Perl expressions to define user groups (using ldap attributes)</li>
|
||||
<li> create an array foreach virtual host associating URI regular expressions and
|
||||
Perl expressions to use to grant access.</li>
|
||||
</ul>
|
||||
|
||||
<p>Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored) :</p>
|
||||
|
||||
<ul>
|
||||
<li> Exported variables :
|
||||
<pre>
|
||||
# Custom-Name => LDAP attribute
|
||||
cn => cn
|
||||
departmentUID => departmentUID
|
||||
login => uid
|
||||
</pre></li>
|
||||
|
||||
<li> User groups :
|
||||
<pre>
|
||||
# Custom-Name => group definition
|
||||
group1 => { $departmentUID eq "unit1" or $login = "user1" }
|
||||
</pre></li>
|
||||
|
||||
<li> Area protection:
|
||||
<pre>
|
||||
# Each VirtualHost has its own configuration
|
||||
# associating URL regexp to Perl expression
|
||||
* www1.domain.com :
|
||||
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
||||
default => accept
|
||||
},
|
||||
* www2.domain.com :
|
||||
^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
|
||||
^/(js|css) => accept
|
||||
default => deny
|
||||
</pre></li>
|
||||
</ul>
|
||||
|
||||
<ol type="a">
|
||||
<h4><li>Performance</li></h4>
|
||||
|
||||
<p>You can use Perl expressions as complicated as you want and you can use all
|
||||
the exported LDAP attributes (and create your own attributes: with 'macros'
|
||||
mechanism) in groups evaluations, area protections or custom HTTP headers
|
||||
(you just have to call them with a "$").</p>
|
||||
|
||||
<p>You have to be careful when choosing your expressions:</p>
|
||||
|
||||
<ul>
|
||||
<li> groups and macros are evaluated each time a user is redirected to the portal,</li>
|
||||
<li> virtual host rules and exported headers are evaluated for each request on a
|
||||
protected area.</li>
|
||||
</ul>
|
||||
|
||||
<p>It is also recommanded to use the groups mechanism to avoid having to evaluate
|
||||
a long expression at each HTTP request :</p>
|
||||
|
||||
<pre>
|
||||
# Virtual hosts :
|
||||
...
|
||||
www1.domain.com :
|
||||
^/protected/.*$ => $groups =~ /\bgroup1\b/
|
||||
</pre>
|
||||
|
||||
<p>You can also use LDAP filters, or Perl expression or mixed expressions in
|
||||
groups definitions. Perl expressions has to be enclosed with {} :</p>
|
||||
|
||||
<pre>
|
||||
* group1 => (|(uid=xavier.guimard)(ou=unit1))
|
||||
* group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
|
||||
* group1 => (|(uid=xavier.guimard){$ou eq "unit1"})
|
||||
</pre>
|
||||
|
||||
<p>It is also recommanded to use Perl expressions to avoid requiering the LDAP
|
||||
server more than 2 times per authentication.</p>
|
||||
|
||||
</ol>
|
||||
<h3><li>Accounting</li></h3>
|
||||
|
||||
<ol type="a">
|
||||
<h4><li>Logging portal access</li></h4>
|
||||
|
||||
<p>Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
|
||||
overload log method for normal portal access.</p>
|
||||
|
||||
<h4><li>Logging application access</li></h4>
|
||||
|
||||
<p>Because a Web-SSO knows nothing about the protected application, it can't do
|
||||
more than logging URL. As Apache does this fine, Lemonldap::NG::Handler(3)
|
||||
gives it the name to used in logs. The whatToTrace parameter indicates
|
||||
which variable Apache has to use ($uid by default).</p>
|
||||
|
||||
<p>The real accounting has to be done by the application itself which knows the
|
||||
result of SQL transaction for example.</p>
|
||||
|
||||
<p>Lemonldap::NG can export HTTP headers either using a proxy or protecting
|
||||
directly the application. By default, the Auth-User field is used but you can
|
||||
change it using the exportedHeaders parameters (in the Manager, each virtual
|
||||
host as custom headers branch). This parameters contains an associative array
|
||||
per virtual host :</p>
|
||||
|
||||
<ul>
|
||||
<li> keys are the names of the choosen headers,</li>
|
||||
<li> values are Perl expressions where you can use user datas stored in the
|
||||
global storage.</li>
|
||||
</ul>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
<pre>
|
||||
* www1.domain.com :
|
||||
Auth-User => $uid
|
||||
Unit => $ou
|
||||
* www2.domain.com :
|
||||
Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
|
||||
Remote-IP => $ip
|
||||
</pre>
|
||||
</ol>
|
||||
</ol>
|
||||
|
||||
<h2><li><a name="inst">Installation</a></li></h2>
|
||||
|
||||
<p><b>Warnings :</b></p>
|
||||
<ul>
|
||||
<li><p> Lemonldap::NG is a different project than Lemonldap and contains all you need
|
||||
to use and administer it. So softwares, like Lemonldap webmin module, may not
|
||||
work with Lemonldap::NG.</p></li>
|
||||
|
||||
<li><p>The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
|
||||
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
|
||||
act as CGI, so they can work everywhere.</p></li>
|
||||
<li><p>Lemonldap::NG configuration has to be edited using the manager unless
|
||||
you know exactly what you are doing. The parameters discussed below are all in
|
||||
the configuration tree.</p></li>
|
||||
</ul>
|
||||
|
||||
<p>See <a href="install.html">INSTALL file</a> for a complete installation documentation.</p>
|
||||
|
||||
<h2><li><a name="storage">Session storage system</a></li></h2>
|
||||
|
||||
<p>Lemonldap::NG use 3 levels of cache for authenticated users :</p>
|
||||
|
||||
<ul>
|
||||
<li> an Apache::Session::* module used by lemonldap::NG::Portal to store
|
||||
authenticated user parameters,</li>
|
||||
<li> a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
|
||||
users between Apache's threads or processus and of course between virtual
|
||||
hosts on the same machine,</li>
|
||||
<li> Lemonldap::NG::Handler variables : if the same user use the same thread or
|
||||
processus a second time, no request are needed to grant or refuse access.
|
||||
This is very efficient with HTTP/1.1 Keep-Alive system.</li>
|
||||
</ul>
|
||||
|
||||
<p>So the number of request to the central storage is limited to 1 per active
|
||||
user each 10 minutes.</p>
|
||||
|
||||
<p>Lemonldap::NG is very fast, but you can increase performance using a
|
||||
Cache::Cache module that does not use disk access.</p>
|
||||
|
||||
<h2><li><a name="logout">Logout system</a></li></h2>
|
||||
|
||||
<p>Lemonldap::NG provides a single logout system : you can use it by
|
||||
adding a link to the portal with "logout=1" parameter in the portal (See
|
||||
Lemonldap::NG::Portal(3)) and/or by configuring handler to intercept some URL
|
||||
(See Lemonldap::NG::Handler(3)). The logout system:
|
||||
|
||||
<ul>
|
||||
<li> delete session in the global session storage,</li>
|
||||
<li> replace Lemonldap::NG cookie by '',</li>
|
||||
<li> delete handler caches only if logout action was started from a
|
||||
protected application and only in the current Apache server. So in other
|
||||
servers, session is still in cache for 10 minutes maximum if the user was
|
||||
connected on it in the last 10 minutes.</li>
|
||||
</ul>
|
||||
|
||||
<h2><li><a name="author">Author</a></li></h2>
|
||||
|
||||
<p>Xavier Guimard, <x.guimard@free.fr>
|
||||
|
||||
<h2><li><a name="copyright">Copyright and licence</a></li></h2>
|
||||
|
||||
<p>Copyright © 2005-2007 by Xavier Guimard <x.guimard@free.fr></p>
|
||||
|
||||
<p>This library is free software; you can redistribute it and/or modify
|
||||
it under the same terms as Perl itself, either Perl version 5.8.4 or,
|
||||
at your option, any later version of Perl 5 you may have available.</p>
|
||||
|
||||
</ol>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1 @@
|
|||
../../modules/lemonldap-ng-handler/
|
|
@ -0,0 +1 @@
|
|||
../../modules/lemonldap-ng-manager/
|
|
@ -0,0 +1 @@
|
|||
../../modules/lemonldap-ng-portal/
|
|
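--- /dev/null
+++ b/static.pl
@@ -0,0 +1,65 @@
+#!/usr/bin/perl
+
+use strict;
+
+die "usage: static.pl script.pl index.html" unless (@ARGV);
+
+my $script = $ARGV[0];
+my $dir = `pwd`;
+chomp $dir;
+our $lib = "$dir/lemonldap-ng-manager/blib/lib/";
+$script = "$dir/$script" unless ( $script =~ m#^/# );
+my $file = $ARGV[1];
+my $lang = $ARGV[2] || "en";
+$file =~ s#^.*/##;
+$dir = $&;
+`mkdir -p $dir` unless ( -d $dir );
+chdir $dir;
+
+&scan( $script, $file, '' );
+
+sub scan {
+my ( $script, $filename, $args ) = @_;
+print STDERR "$filename\n";
+my ( $IN, $OUT );
+open $IN, "HTTP_ACCEPT_LANGUAGE=$lang SCRIPT_NAME=__SCRIPTNAME__ SCRIPT_FILENAME=$script perl -I$lib $script '$args'|";
+open $OUT, ">$filename";
+my $ind = 0;
+local ( $_, $1 );
+while (<$IN>) {
+s/\r//g;
+if (/lmQuery/) {
+if (s/__SCRIPTNAME__\?lmQuery=([^"']*)js/$1.js/) {
+scan( $script, "$1.js", "lmQuery=$1js" );
+}
+elsif (s/__SCRIPTNAME__\?lmQuery=upload/#/) {
+# Nothing to do here
+}
+elsif (s/__SCRIPTNAME__\?lmQuery=conf/conf.xml/) {
+scan( $script, "conf.xml", "lmQuery=conf" );
+}
+elsif (s/__SCRIPTNAME__\?lmQuery=([^"']*)css/style$1.css/) {
+scan( $script, "style$1.css", "lmQuery=$1css" );
+}
+elsif (s/__SCRIPTNAME__\?lmQuery=help&help="\+s/help_"+s+".html"/) {
+# Nothing to do here
+}
+elsif (s/__SCRIPTNAME__\?lmQuery=([^"'&]*)&?[^"']*/$1/) {
+scan( $script, "$1", "lmQuery=$1" );
+}
+s/["']help["']\+s/"help"/;
+}
+elsif (/help\((['"])(\w+)\1/) {
+scan( $script, "help_$2.html", "lmQuery=help&help=$2" );
+}
+# but+=button('$text{saveConf}','saveConf',nodeId);
+elsif (s/(but\+=)button\((['"])([^'"]*)\2,'saveConf.*$/$1'<input type=button value="$3" onclick="alert(\\'This is a demo\\');saveConf;"> ';/) {
+# '<input type=button value="'+text+'" onclick="'+func+'('+"'"+nodeId+"'"+')"> '
+# Nothing to do here
+}
+s#tree.setImagePath\(["'][^"']*["']\);#tree.setImagePath("imgs/")#;
+print $OUT $_ if ($ind);
+$ind++ if /^$/;
+}
+}
+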
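Review bot: The pipe-open in scan(), `open $IN, "HTTP_ACCEPT_LANGUAGE=$lang SCRIPT_NAME=__SCRIPTNAME__ SCRIPT_FILENAME=$script perl -I$lib $script '$args'|"`, interpolates `$script`, `$lib` (built from `pwd`) and `$lang` (from `$ARGV[2]`) into a shell command line without any quoting, so a working directory, script path or language argument containing shell metacharacters is interpreted by the shell instead of being passed to the script, and the open is not checked for failure. Setting the variables with `local $ENV{...}` and using the list form of pipe-open passes each argument verbatim and removes the shell entirely; the same concern applies to the `` `mkdir -p $dir` `` backticks in the top-level code, where `$dir` is derived from `$ARGV[1]`. Separately, `$dir = $&;` right after `$file =~ s#^.*/##;` reads a stale match when the filename has no directory part (the earlier `m#^/#` on `$script` is then the last successful match, yielding `/`), so the directory should be taken from the substitution itself, e.g. `$dir = ( $file =~ s{^(.*/)}{} ) ? $1 : '.';`. The output handle `open $OUT, ">$filename";` is likewise a 2-arg, unchecked open on a name captured from the generated page and should become `open my $OUT, '>', $filename or die "cannot write $filename: $!";`.
```perl
sub scan {
    my ( $script, $filename, $args ) = @_;
    print STDERR "$filename\n";
    # Per-call environment instead of inlining it into a shell command line.
    local $ENV{HTTP_ACCEPT_LANGUAGE} = $lang;
    local $ENV{SCRIPT_NAME}          = '__SCRIPTNAME__';
    local $ENV{SCRIPT_FILENAME}      = $script;
    # List form: no shell, every argument passed as-is.
    open my $IN, '-|', 'perl', "-I$lib", $script, $args
      or die "cannot run $script: $!";
    open my $OUT, '>', $filename or die "cannot write $filename: $!";
    # … unchanged: line-rewriting loop …
```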