From d7d14bf7829866fca7d47082cf0b576ee8151fa1 Mon Sep 17 00:00:00 2001 
From: Xavier Guimard Date: Sun, 15 Apr 2007 17:26:34 +0000 Subject: [PATCH] LEMONLDAP::NG : branch trunk/build/lemonldap-ng --- build/lemonldap-ng/INSTALL | 280 +++++++++++++ build/lemonldap-ng/Makefile | 153 +++++++ build/lemonldap-ng/README | 194 +++++++++ build/lemonldap-ng/TODO | 3 + .../_example/apache-session-mysql.sql | 5 + build/lemonldap-ng/_example/apache.conf | 48 +++ build/lemonldap-ng/_example/apache2.conf | 49 +++ build/lemonldap-ng/_example/conf/lmConf-1 | 48 +++ build/lemonldap-ng/_example/for_etc_hosts | 4 + build/lemonldap-ng/_example/index.pl | 58 +++ build/lemonldap-ng/_example/lmConfig.mysql | 21 + build/lemonldap-ng/changelog | 1 + build/lemonldap-ng/debian/README.Debian | 4 + build/lemonldap-ng/debian/changelog | 163 ++++++++ build/lemonldap-ng/debian/compat | 1 + build/lemonldap-ng/debian/control | 17 + build/lemonldap-ng/debian/copyright | 16 + build/lemonldap-ng/debian/dirs | 1 + build/lemonldap-ng/debian/docs | 0 build/lemonldap-ng/debian/lemonldap-ng.docs | 3 + build/lemonldap-ng/debian/postinst | 7 + build/lemonldap-ng/debian/rules | 93 +++++ build/lemonldap-ng/doc/install.html | 377 ++++++++++++++++++ build/lemonldap-ng/doc/overview.html | 247 ++++++++++++ build/lemonldap-ng/lemonldap-ng-handler | 1 + build/lemonldap-ng/lemonldap-ng-manager | 1 + build/lemonldap-ng/lemonldap-ng-portal | 1 + .../scripts/make_static_example.pl | 65 +++ 28 files changed, 1861 insertions(+) create mode 100644 build/lemonldap-ng/INSTALL create mode 100644 build/lemonldap-ng/Makefile create mode 100644 build/lemonldap-ng/README create mode 100644 build/lemonldap-ng/TODO create mode 100644 build/lemonldap-ng/_example/apache-session-mysql.sql create mode 100644 build/lemonldap-ng/_example/apache.conf create mode 100644 build/lemonldap-ng/_example/apache2.conf create mode 100644 build/lemonldap-ng/_example/conf/lmConf-1 create mode 100644 build/lemonldap-ng/_example/for_etc_hosts create mode 100755 build/lemonldap-ng/_example/index.pl create mode 100644 
build/lemonldap-ng/_example/lmConfig.mysql create mode 120000 build/lemonldap-ng/changelog create mode 100644 build/lemonldap-ng/debian/README.Debian create mode 100644 build/lemonldap-ng/debian/changelog create mode 100644 build/lemonldap-ng/debian/compat create mode 100644 build/lemonldap-ng/debian/control create mode 100644 build/lemonldap-ng/debian/copyright create mode 100644 build/lemonldap-ng/debian/dirs create mode 100644 build/lemonldap-ng/debian/docs create mode 100644 build/lemonldap-ng/debian/lemonldap-ng.docs create mode 100755 build/lemonldap-ng/debian/postinst create mode 100755 build/lemonldap-ng/debian/rules create mode 100644 build/lemonldap-ng/doc/install.html create mode 100644 build/lemonldap-ng/doc/overview.html create mode 120000 build/lemonldap-ng/lemonldap-ng-handler create mode 120000 build/lemonldap-ng/lemonldap-ng-manager create mode 120000 build/lemonldap-ng/lemonldap-ng-portal create mode 100755 build/lemonldap-ng/scripts/make_static_example.pl diff --git a/build/lemonldap-ng/INSTALL b/build/lemonldap-ng/INSTALL new file mode 100644 index 000000000..e06d6177c --- /dev/null +++ b/build/lemonldap-ng/INSTALL 
@@ -0,0 +1,280 @@ + LEMONLDAP::NG INSTALLATION + +Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It +simplifies the build of a protected area with a few changes in the application. +It manages both authentication and authorization and provides headers for +accounting. So you can have a full AAA protection. + +See README file to known how it works. + +------------------------ +I - EXAMPLE INSTALLATION +------------------------ + +The proposed example use a protected site named test.example.com. Non +authenticated users are redirected to auth.example.com. + +1.1 - PREREQ +------------ + +1.1.1 - Software + +To use Lemonldap::NG, you have to run a LDAP server and of course an Apache +server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of +Apache proposed with your Linux distribution match, but some distributions used +an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does +not work with Lemonldap::NG. With such distributions (like Debian-3.1), you +have to use Apache-1.3 or to use a mod_perl backport (www.backports.org +package for Debian works fine). 
+ +1.1.2 - Perl prereq + +Perl modules: + Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, + DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager) + +With Debian: + apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \ + libdbi-perl perl-modules libwww-perl libcache-cache-perl \ + libxml-simple-perl + # If you want to use SOAP with the manager: + apt-get install libsoap-lite-perl + +1.2 - BUILDING +-------------- + +1.2.1 - Complete install + + $ tar xzf lemonldap-ng-*.tar.gz + $ cd lemonldap-ng-* + $ make && make test + $ sudo make install + $ make example + +1.2.2 - Install on Debian + + $ tar xzf lemonldap-ng-*.tar.gz + $ cd lemonldap-ng-* + $ debuild + $ sudo dpkg -i ../lemonldap-ng*.deb + +1.3 - EXAMPLE CONFIGURATION +--------------------------- + +After build, you have a new file named example/apache.conf. You just have to +include this file in Apache configuration: + + # in httpd.conf (with Apache1) + include /path/to/lemonldap-ng/source/example/apache.conf + # or in apache2.conf (with Apache2) + include /path/to/lemonldap-ng/source/example/apache2.conf + +Modify your /etc/hosts file to include: + + 127.0.0.2 auth.example.com + 127.0.0.3 test.example.com + 127.0.0.4 manager.example.com + +Edit /path/to/lemonldap-ng/source/example/conf/lmConfig-1 and specify your LDAP +settings. If you don't set managerDn and managerPassword, Lemonldap::NG will +use an anonymous bind to find user dn. +(Debian users: /usr/share/doc/lemonldap-ng/example/conf/lmConfig-1) +WARNINGS: + * only few parameters can be set by hand in the configuration file. 
You have + to use the manager to change configuration, but since the example is yet + configured, you can edit directly the file + * each new configuration is saved by the manager in a new file (or a new + record with DBI) so you can recover an old configuration by removing + +Next, restart Apache use your prefered browser and try to connect to +http://test.example.com/. You'll be redirect to auth.example.com. Try +to authenticate yourself with a valid account and the protected page will +appear. You will find other explanations on this page. + +Configuration can be modified by connecting your browser to +http://manager.example.com/ + +------------------------- +2 - ADVANCED INSTALLATION +------------------------- + +2.1 - PREREQ + +2.1.1 - Apache + +To use Lemonldap::NG, you have to run a LDAP server and of course an Apache +server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of +Apache proposed with your Linux distribution match, but some distributions used +an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does +not work with Lemonldap::NG. With such distributions (like Debian-3.1), you +have to use Apache-1.3 or to use a mod_perl backport (www.backports.org +package for Debian works fine). + +For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works +faster and Lemonldap::NG use the thread system for best performance. If you +have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work +anyway. + +You can use Lemonldap::NG in an heterogene world: the authentication portal and +the manager can work in any version of Apache 1.3 or more even if mod_perl is +not compiled, with ModPerl::Registry or not... Only the handler (site protector) +need mod_perl. The different handlers can run on different servers with +different versions of Apache/mod_perl. + +2.1.2 - Perl prereq + +Warning: Handler and Portal parts both need Lemonldap::NG::Manager components +to access to configuration. 
+ +Manager: +------- +CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP) + +With Debian: + apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl + # If you want to use SOAP + apt-get install libsoap-lite-perl + +Portal: +------ +Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager + +With Debian: + apt-get install libapache-session-perl libnet-ldap-perl perl-modules + +Handler: +------- +Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager + +With Debian: + apt-get install libapache-session-perl libwww-perl libcache-cache-perl + +2.2 - SOFTWARE INSTALLATION +--------------------------- + +If you just want to install a handler or a portal or a manager: + + $ tar xzf lemonldap-ng-*.tar.gz + $ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager) + $ perl Makefile.PL && make && make test + $ sudo make install + +else for a complete install: + + $ tar xzf lemonldap-ng-*.tar.gz + $ cd lemonldap-ng-* + $ make && make test + $ sudo make install + +See prereq in §1.1.2 + +2.3 - LEMONLDAP INSTALLATION +---------------------------- + +2.3.1 - Database configuration + +2.3.1.1 - Lemonldap::NG Configuration database + +If you use DBI or another system to share Lemonldap::NG configuration, you have +to initialize the database. An example is given in example/lmConfig.mysql for +MySQL. + +2.3.1.2 - Apache::Session database + +The choice of Apache::Session::* module is free. See Apache::Session::Store::* +or Apache::Session::* to know how to configure the module. For example, if you +want to use Apache::Session::MySQL, you can create the database like this: + + CREATE DATABASE sessions ( + id char(32), + a_session text + ); + +2.3.2 - Manager configuration + +Copy example/manager.cgi and personalize it if you want (see +Lemonldap::NG::Manager). You have to set in particular configStorage. 
For +example with MySQL: + + $my $manager = Lemonldap::NG::Manager->new ( { + dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4", + dbiUser => "lemonldap-ng", + dbiPassword => "mypass", + } ); + +Securise Manager access with Apache: Lemonldap does not securise the manager +itself yet: + + SSLEngine On + Order Deny, Allow + Deny from all + Allow from admin-network/netmask + AuthType Basic + ... + +After configuration, you can also protect the manager with an Lemonldap::NG +handler. + +2.3.3 - Configuration edition + +Connect to the manager with your browser start configure your Web-SSO. You have +to set at least some parameters: + +a) General parameters : + + * Authentication parameters -> portal : URL to access to the authentication + portal + * Domain : the cookie domain. All protected VirtualHosts have to be under it + + * LDAP parameters -> LDAP Server + + * LDAP parameters -> LDAP Accout and password : required only if anonymous + binds are not accepted + + * Session Storage -> Apache::Session module : how to store user sessions. + You can use all module that + inherit from Apache::Session + like Apache::Session::MySQL + + * Session Storage -> Apache::Session Module parameters : + see Apache::Session:: + +b) User groups : + +Use the "New Group" button to add your first group. On the left, set the +keyword which will be used later and set on the right the corresponding rule: +you can use : + + * an LDAP filter (it will be tested with the user uid) + +or + + * a Perl condition enclosed with {}. All variables declared in "General + parameters -> LDAP attributes" can be used with a "$". For example: + MyGroup / { $uid eq "foo" or $uid eq "bar" } + +c) Virtual hosts + +You have to create a virtual host for each Apache host (virtual or real) +protected by Lemonldap::NG even if just a sub-directory is protected. 
Else, +user who want to access to the protected area will be rejected with a "500 +Internal Server Error" message and the apache logs will explain the problem. + +Each virtual host has 2 groups of parameters: + + * Headers: the headers added to the apache request. Default : + Auth-User => $uid + * Rules: subdivised in 2 categories: + * default : the default rule + * personalized rules: association of a Perl regular expression and + a condition. For example: + ^/restricted.*$ / $groups =~ /\bMyGroup\b/ + + +------------- +3 - DEBUGGING +------------- + +Lemonldap::NG uses simply the Apache log system. So use LogLevel to choose +information to display. + diff --git a/build/lemonldap-ng/Makefile b/build/lemonldap-ng/Makefile new file mode 100644 index 000000000..8d45b3034 --- /dev/null +++ b/build/lemonldap-ng/Makefile 
@@ -0,0 +1,153 @@ +#!/usr/bin/make + +VERSION=0.9beta +HANDLERDIR=lemonldap-ng-handler +PORTALDIR=lemonldap-ng-portal +MANAGERDIR=lemonldap-ng-manager +EXAMPLEDIRBUILD=`pwd`/example/ +EXAMPLEDIR=$(EXAMPLEDIRBUILD) +EXAMPLELANG=en + +all: handler manager portal + +handler: handler_conf + $(MAKE) -C ${HANDLERDIR} + touch handler + +portal: portal_conf + $(MAKE) -C ${PORTALDIR} + touch portal + +manager: manager_conf + $(MAKE) -C ${MANAGERDIR} + touch manager + +configure: handler_conf portal_conf manager_conf + +handler_conf: + cd ${HANDLERDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS) + touch handler_conf + +portal_conf: + cd ${PORTALDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS) + touch portal_conf + +manager_conf: + cd ${MANAGERDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS) + touch manager_conf + +test: manager_test handler_test portal_test + +manager_test: manager + $(MAKE) -C ${MANAGERDIR} test + +handler_test: handler + $(MAKE) -C ${HANDLERDIR} test INST_ARCHLIB=../${MANAGERDIR}/blib/lib/ + +portal_test: portal + $(MAKE) -C ${PORTALDIR} test INST_ARCHLIB=../${MANAGERDIR}/blib/lib/ + +install: handler_install portal_install manager_install + +handler_install: handler + $(MAKE) -C ${HANDLERDIR} install + touch handler_install + +portal_install: portal + $(MAKE) -C ${PORTALDIR} install + touch portal_install + +manager_install: manager + $(MAKE) -C ${MANAGERDIR} install + touch manager_install + +distclean: clean + +clean: handler_clean portal_clean manager_clean + rm -rf example + find . 
-name '*.gz' -exec rm -vf {} \; + +handler_clean: + - $(MAKE) -C ${HANDLERDIR} distclean + rm -vf handler* + +portal_clean: + - $(MAKE) -C ${PORTALDIR} distclean + rm -vf portal* + +manager_clean: + - $(MAKE) -C ${MANAGERDIR} distclean + rm -vf manager* + +example: all + mkdir -p example/portal example/manager example/handler example/conf + chmod 1777 example/conf + cp -a ${HANDLERDIR}/example/* example/handler + cp -a ${PORTALDIR}/example/* example/portal + cp -a ${MANAGERDIR}/example/* example/manager + cp -a _example/* example + find ${EXAMPLEDIRBUILD} -type f -exec perl -i -pe 's#__DIR__/?#'${EXAMPLEDIR}'#g' {} \; + @echo + @echo "Example is ready." + @echo + @echo "1 - Add this in your Apache configuration file:" + @echo " with Apache-1.3.x" + @echo + @echo " include ${EXAMPLEDIR}apache.conf" + @echo + @echo " or with Apache-2.x:" + @echo + @echo " include ${EXAMPLEDIR}apache2.conf" + @echo + @echo "2 - Add test.example.com and auth.example.com in yout /etc/hosts :" + @echo + @echo " cat example/for_etc_hosts >> /etc/hosts" + @echo + @echo "3 - edit ${EXAMPLEDIR}/conf/lmConf-1 and set ldapServer and ldapBase." 
+ @echo " or use the manager at http://manager.example.com/ (after apache restart)" + @echo + @echo "4 - Restart Apache (or Apache2)" + @echo + @echo "5 - Try to connect to http://test.example.com/" + +uninstall: configure handler_uninstall portal_uninstall manager_uninstall + +handler_uninstall: handler + $(MAKE) -C ${HANDLERDIR} uninstall + rm -vf handler_uninstall + +portal_uninstall: portal + $(MAKE) -C ${PORTALDIR} uninstall + rm -vf portal_uninstall + +manager_uninstall: manager + $(MAKE) -C ${MANAGERDIR} uninstall + rm -vf manager_uninstall + +dist: + - $(MAKE) clean + mkdir -p lemonldap-ng-$(VERSION) + - cp -a * lemonldap-ng-$(VERSION) + rm -rf lemonldap-ng-$(VERSION)/lemonldap-ng-$(VERSION) + tar czf lemonldap-ng-$(VERSION).tar.gz lemonldap-ng-$(VERSION) + rm -rf lemonldap-ng-$(VERSION) + +cpan: configure handler_cpan portal_cpan manager_cpan + +handler_cpan: handler_conf + $(MAKE) -C ${HANDLERDIR} dist + mv ${HANDLERDIR}/Lemonldap*.gz . + +portal_cpan: portal_conf + $(MAKE) -C ${PORTALDIR} dist + mv ${PORTALDIR}/Lemonldap*.gz . + +manager_cpan: manager_conf + $(MAKE) -C ${MANAGERDIR} dist + mv ${MANAGERDIR}/Lemonldap*.gz . + +static_example: example + mkdir -p example/static + cd example/static/;ln -s ../manager/imgs;cd - + scripts/make_static_example.pl example/manager/index.pl example/static/index.html $(EXAMPLELANG) + diff --git a/build/lemonldap-ng/README b/build/lemonldap-ng/README new file mode 100644 index 000000000..d915f59ca --- /dev/null +++ b/build/lemonldap-ng/README 
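Review bot: `chmod 1777 example/conf` in the `example` target makes the configuration directory world-writable, and the `_example/conf/lmConf-1` placed there by this commit holds `managerPassword` plus the serialized `locationRules`/`exportedHeaders` that the handler enforces, so any local account could rewrite the SSO policy or drop a newer configuration file (INSTALL in this commit says the manager saves each configuration as a new file in that directory). The directory only needs to be writable by the account Apache runs as, which is not visible here; `chmod 0770 example/conf` plus a `chown` to that user/group is the safer example. Separately, `perl -i -pe 's#__DIR__/?#'${EXAMPLEDIR}'#g'` splices the checkout path straight into the substitution, so a path containing `#`, `'` or `$` breaks the rewrite or the shell quoting; passing it via the environment, `DIR="${EXAMPLEDIR}" perl -i -pe 's#__DIR__/?#$$ENV{DIR}#g'`, keeps the path out of the regex. The same pattern is not repeated elsewhere in the Makefile, so this is the only place to change.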
@@ -0,0 +1,194 @@ +Lemonldap-NG +==================== + +Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It +simplifies the build of a protected area with a few changes in the application. +It manages both authentication and authorization and provides headers for +accounting. So you can have a full AAA protection for your web space as +described below. + + 1 - Installation + 2 - Authentication, Authorization and Accounting mechanisms + 2.1 - Authentication + 2.2 - Authorization + 2.3 - Accounting + 3 - Session storage system + 4 - Author + 5 - Copyright and licence + +1 - INSTALLATION +================ + +Lemonldap::NG is a different project than Lemonldap and contains all you need +to use and administer it. So softwares, like Lemonldap webmin module, may not +work with Lemonldap::NG. + +The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x +and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager +act as CGI, so they can work everywhere. + +See INSTALL file in the source tree for a complete installation documentation. + +2 - AUTHENTICATION, AUTHORIZATION AND ACCOUNTING MECHANISMS +=========================================================== + +Warning: Lemonldap::NG configuration has to be edited using the manager unless +you know exactly what you are doing. The parameters discussed here are all in +the configuration tree. + +2.1 - Authentication + +If a user isn't authenticated and attemps to connect to an area protected by a +Lemonldap::NG compatible handler, he is redirected to a portal. The portal +authenticates user with a ldap bind by default, but you can also use another +authentication sheme like using x509 user certificates (see +Lemonldap::NG::Portal::AuthSSL(3) for more). + +Lemonldap use session cookies generated by Apache::Session so as secure as a +128-bit random cookie. You may use the securedCookie options to avoid session +hijacking. 
+ +You have to manage life of sessions by yourself since Lemonldap::NG knows +nothing about the L module you've choosed, but it's very easy +using a simple cron script because Lemonldap::NG::Portal stores the start +time in the _utime field. +By default, a session stay 10 minutes in the local storage, so in the worth +case, a user is authorized 10 minutes after he lost his rights. + +2.2 - Authorization + +Authorization is controled only by handlers because the portal knows nothing +about the way the user will choose. When configuring your Web-SSO, you have to: + + * choose the ldap attributes you want to use to manage accounting and + authorization. + * create Perl expressions to define user groups (using ldap attributes) + * create an array foreach virtual host associating URI regular expressions and + Perl expressions to use to grant access. + +Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored + + * Exported variables : + + # Custom-Name => LDAP attribute + cn => cn + departmentUID => departmentUID + login => uid + + * User groups : + + # Custom-Name => group definition + group1 => { $departmentUID eq "unit1" or $login = "xavier.guimard" } + + * Area protection: + + # Each VirtualHost has its own configuration + # associating URL regexp to Perl expression + * www1.domain.com : + ^/protected/.*$ => $groups =~ /\bgroup1\b/ + default => accept + }, + * www2.domain.com => { + ^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/ + ^/(js|css) => accept + default => deny + }, + }, + +2.2.1 - Performance + +You can use Perl expressions as complicated as you want and you can use all +the exported LDAP attributes (and create your own attributes: with 'macros' +mechanism) in groups evaluations, area protections or custom HTTP headers +(you just have to call them with a "$"). 
+ +You have to be careful when choosing your expressions: + + * groups and macros are evaluated each time a user is redirected to the portal + * virtual host rules and exported headers are evaluated for each request on a + protected area. + +It is also recommanded to use the groups mechanism to avoid having to evaluate +a long expression at each HTTP request: + + # Virtual hosts : + ... + www1.domain.com : + ^/protected/.*$ => $groups =~ /\bgroup1\b/ + +You can also use LDAP filters, or Perl expression or mixed expressions in +groups definitions. Perl expressions has to be enclosed with {}: + + * group1 => (|(uid=xavier.guimard)(ou=unit1)) + * group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"} + * group1 => (|(uid=xavier.guimard){$ou eq "unit1"}) + +It is also recommanded to use Perl expressions to avoid requiering the LDAP +server more than 2 times per authentication. + +2.3 - Accounting + +2.3.1 - Logging portal access> + +Lemonldap::NG::Portal doesn't log anything by default, but it's easy to +overload log method for normal portal access. + +2.3.2 - Logging application access + +Because a Web-SSO knows nothing about the protected application, it can't do +more than logging URL. As Apache does this fine, L +gives it the name to used in logs. The whatToTrace parameter indicates +which variable Apache has to use ($uid by default). + +The real accounting has to be done by the application itself which knows the +result of SQL transaction for example. + +Lemonldap::NG can export HTTP headers either using a proxy or protecting +directly the application. By default, the Auth-User field is used but you can +change it using the exportedHeaders parameters (in the Manager, each virtual +host as custom headers branch). This parameters contains an associative array +per virtual host: + + * keys are the names of the choosen headers + * values are Perl expressions where you can use user datas stored in the + global storage. 
+ +Example: + + * www1.domain.com : + Auth-User => $uid + Unit => $ou + * www2.domain.com : + Authorization => "Basic ".encode_base64($employeeNumber.":dummy") + Remote-IP => $ip + +3 - SESSION STORAGE SYSTEM + +Lemonldap::NG use 3 levels of cache for authenticated users: + + * an Apache::Session::* module used by lemonldap::NG::Portal to store + authenticated user parameters, + * a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated + users between Apache's threads or processus and of course between virtual + hosts on the same machine + * Lemonldap::NG::Handler variables : if the same user use the same thread or + processus a second time, no request are needed to grant or refuse access. + This is very efficient with HTTP/1.1 Keep-Alive system. + +So the number of request to the central storage is limited to 1 per active +user each 10 minutes. + +Lemonldap::NG is very fast, but you can increase performance using a +Cache::Cache module that does not use disk access. + +4 - AUTHOR + +Xavier Guimard, x.guimard@free.fr + +5 - COPYRIGHT AND LICENSE + +Copyright (C) 2005-2007 by Xavier Guimard x.guimard@free.fr + +This library is free software; you can redistribute it and/or modify +it under the same terms as Perl itself, either Perl version 5.8.4 or, +at your option, any later version of Perl 5 you may have available. diff --git a/build/lemonldap-ng/TODO b/build/lemonldap-ng/TODO new file mode 100644 index 000000000..aee362cf7 --- /dev/null +++ b/build/lemonldap-ng/TODO @@ -0,0 +1,3 @@ + * Help english + * Help generalParameters + * Help in Static diff --git a/build/lemonldap-ng/_example/apache-session-mysql.sql b/build/lemonldap-ng/_example/apache-session-mysql.sql new file mode 100644 index 000000000..3f115c20a --- /dev/null +++ b/build/lemonldap-ng/_example/apache-session-mysql.sql @@ -0,0 +1,5 @@ +CREATE TABLE sessions ( + id char(32) not null primary key, + a_session text + ); + 
diff --git a/build/lemonldap-ng/_example/apache.conf b/build/lemonldap-ng/_example/apache.conf new file mode 100644 index 000000000..048135a9a --- /dev/null +++ b/build/lemonldap-ng/_example/apache.conf @@ -0,0 +1,48 @@ +include __DIR__/handler/lmH-apache.conf +#Listen 127.0.0.2:80 + + ServerName auth.example.com + + # DocumentRoot + DocumentRoot __DIR__/portal + + Order allow,deny + Allow from all + Options +ExecCGI + + + # Portal and Manager must be interpreted by Perl + + SetHandler perl-script + PerlHandler Apache::Registry + + + + DirectoryIndex index.pl index.html + + + +#Listen 127.0.0.4:80 + + ServerName manager.example.com + + # DocumentRoot + DocumentRoot __DIR__/manager + + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 + Options +ExecCGI + + + # Portal and Manager must be interpreted by Perl + + SetHandler perl-script + PerlHandler Apache::Registry + + + + DirectoryIndex index.pl index.html + + + diff --git a/build/lemonldap-ng/_example/apache2.conf b/build/lemonldap-ng/_example/apache2.conf new file mode 100644 index 000000000..36394ba58 --- /dev/null +++ b/build/lemonldap-ng/_example/apache2.conf @@ -0,0 +1,49 @@ +include __DIR__/handler/lmH-apache2.conf +PerlOptions +GlobalRequest +#Listen 127.0.0.2:80 + + ServerName auth.example.com + + # DocumentRoot + DocumentRoot __DIR__/portal + + Order allow,deny + Allow from all + Options +ExecCGI + + + # Portal and Manager must be interpreted by Perl + + SetHandler perl-script + PerlResponseHandler ModPerl::Registry + + + + DirectoryIndex index.pl index.html + + + +#Listen 127.0.0.4:80 + + ServerName manager.example.com + + # DocumentRoot + DocumentRoot __DIR__/manager + + Order deny,allow + Deny from all + Allow from 127.0.0.0/8 + Options +ExecCGI + + + # Portal and Manager must be interpreted by Perl + + SetHandler perl-script + PerlResponseHandler ModPerl::Registry + + + + DirectoryIndex index.pl index.html + + + 
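Review bot: The `manager.example.com` block in apache.conf (and the identical block in apache2.conf on this same line) protects the configuration editor with nothing but `Allow from 127.0.0.0/8`, so any process that can issue a request from the host itself — another local user or another site on the same server — reaches the editor without credentials, while the portal vhost is `Allow from all`. The INSTALL file added by this commit itself recommends `SSLEngine On` and an `AuthType Basic` block for the manager; either adding that block to the example or a comment such as `# The loopback allow list is not an access control: add AuthType Basic or a Lemonldap::NG handler before exposing this host` would stop the example from being deployed as-is. The `<VirtualHost>`/`<Directory>` container tags appear to have been stripped in this rendering, so the exact scope of the `Order`/`Allow` directives could not be verified here.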
diff --git a/build/lemonldap-ng/_example/conf/lmConf-1 b/build/lemonldap-ng/_example/conf/lmConf-1 new file mode 100644 index 000000000..6ce2077f7 --- /dev/null +++ b/build/lemonldap-ng/_example/conf/lmConf-1 @@ -0,0 +1,48 @@ +ldapServer + 'localhost' + +ldapBase + 'dc=example,dc=com' + +ldapPort + 389 + +managerDn + '' + +managerPassword + '' + +portal + 'http://auth.example.com/' + +domain + 'example.com' + +globalStorage + 'Apache::Session::File' + +globalStorageOptions + 'BAcEMTIzNAQEBAgZAAEAAAAXBC90bXACCQAAAERpcmVjdG9yeQ==' + +exportedHeaders + 'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwQkdWlkAgkAAABBdXRoLVVzZXICEAAAAHRlc3QuZXhhbXBsZS5jb20=' + +exportedVars + 'BAcEMTIzNAQEBAgZAAMAAAAXA3VpZAIDAAAAdWlkFwJjbgICAAAAY24XBG1haWwCBAAAAG1haWw=' + +authentication + 'ldap' + +locationRules + 'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwZhY2NlcHQCBwAAAGRlZmF1bHQCEAAAAHRlc3QuZXhhbXBsZS5jb20=' + +cfgNum + 1 + +cookieName + 'lemonldap' + +securedCookie + 0 + diff --git a/build/lemonldap-ng/_example/for_etc_hosts b/build/lemonldap-ng/_example/for_etc_hosts new file mode 100644 index 000000000..42c3285e1 --- /dev/null +++ b/build/lemonldap-ng/_example/for_etc_hosts @@ -0,0 +1,4 @@ +127.0.0.2 auth.example.com +127.0.0.3 test.example.com +127.0.0.4 manager.example.com + diff --git a/build/lemonldap-ng/_example/index.pl b/build/lemonldap-ng/_example/index.pl new file mode 100755 index 000000000..10ee56529 --- /dev/null +++ b/build/lemonldap-ng/_example/index.pl @@ -0,0 +1,58 @@ +#!/usr/bin/perl + +use CGI; + +my $cgi=CGI->new; + +print $cgi->header; +print $cgi->start_html( 'Page protected by Lemonldap::NG' ); +my($headers, $env)=({},{}); +use Data::Dumper; +print "
";
+foreach(keys %ENV) {
+    if($_ =~ /^HTTP_/) {
+        ($a=$_) =~ s/^HTTP_//i;
+        #$a =~ s/_/ /g;
+        #$a = ucfirst(lc($a));
+        #$a =~ s/ /-/g;
+        $a = join '-', map {ucfirst(lc)} split '_',$a;
+        $headers->{$a} = $_;
+    }
+    else {
+        $env->{$_} = $ENV{$_};
+    }
+}
+print "
"; +print qq#

Authentication succeed

+logout +

Authenticated user : $ENV{HTTP_AUTH_USER}

+

To know who is connected in your applications, you can read HTTP headers :

+\n + +#; +foreach(keys %$headers) { + $style = $_ eq 'Auth-User' ? 'style="background-color: #FFEEEE;font-weight: bold;"' : ''; + print " + + + + + \n" +} +print '
HeaderPerl CGIPHP scriptValue
$_\$ENV{$headers->{$_}}\$_SERVER{$headers->{$_}} $ENV{$headers->{$_}}
+

Note that lemonldap cookie is hidden. So that application developpers can +not spoof sessions.

+

You can access to any information (IP address or LDAP attribute) by customizing +exported headers with the +Lemonldap::NG Management interface

+
'; + +print qq#

Environment for Perl CGI :

+

Be carefull, the \$ENV{REMOTE_USER} is set only if your script is in the +same server than Lemonldap::NG handler (\$whatToTrace parameter). If you use +it on a reverse-proxy, \$ENV{REMOTE_USER} is not set.

+\n#; +print "\n" foreach(keys %ENV); +print '
$_=> $ENV{$_}
'; +print $cgi->end_html; + diff --git a/build/lemonldap-ng/_example/lmConfig.mysql b/build/lemonldap-ng/_example/lmConfig.mysql new file mode 100644 index 000000000..044a19d23 --- /dev/null +++ b/build/lemonldap-ng/_example/lmConfig.mysql @@ -0,0 +1,21 @@ +CREATE TABLE lmConfig ( + cfgNum int not null primary key, + locationRules text, + exportedHeaders text, + globalStorage text, + globalStorageOptions text, + macros text, + groups text, + portal text, + domain text, + ldapServer text, + ldapPort int, + ldapBase text, + securedCookie int, + cookieName text, + authentication text, + exportedVars text, + managerDn text, + managerPassword text, + whatToTrace text + ); diff --git a/build/lemonldap-ng/changelog b/build/lemonldap-ng/changelog new file mode 120000 index 000000000..d526672ce --- /dev/null +++ b/build/lemonldap-ng/changelog @@ -0,0 +1 @@ +debian/changelog \ No newline at end of file diff --git a/build/lemonldap-ng/debian/README.Debian b/build/lemonldap-ng/debian/README.Debian new file mode 100644 index 000000000..711a9a2bf --- /dev/null +++ b/build/lemonldap-ng/debian/README.Debian @@ -0,0 +1,4 @@ +lemonldap-ng for Debian +----------------------- + + -- Xavier Guimard Sun, 17 Dec 2006 17:46:47 +0100 diff --git a/build/lemonldap-ng/debian/changelog b/build/lemonldap-ng/debian/changelog new file mode 100644 index 000000000..a256a9d6c --- /dev/null +++ b/build/lemonldap-ng/debian/changelog 
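Review bot: The values echoed into the page — `$ENV{HTTP_AUTH_USER}` on the "Authenticated user" line, `$ENV{$headers->{$_}}` in the header table, and `$ENV{$_}` in the final `foreach(keys %ENV)` loop — are interpolated into HTML without escaping, and every `HTTP_*` entry is client-supplied; since test.example.com sits under the SSO cookie domain configured in lmConf-1, a reflected script here presumably runs with access to the portal's domain cookie. CGI.pm is already loaded and provides the fix: compute `my $value = $cgi->escapeHTML($ENV{$headers->{$_}});` before building each row, and wrap the other two with `$cgi->escapeHTML($ENV{$_})` and `$cgi->escapeHTML($ENV{HTTP_AUTH_USER})` likewise. The script also lacks `use strict; use warnings;` and uses `$a`, Perl's `sort` package variable, as scratch in `($a=$_) =~ s/^HTTP_//i;`; a lexical `my $name` avoids clobbering it. The HTML markup is garbled in this rendering, so the exact tag positions around these prints could not be checked.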
@@ -0,0 +1,163 @@
+lemonldap-ng (0.8.1) unstable; urgency=low
+
+ * New features :
+ - Logout system
+ - Configuration check before saving in Manager
+
+ -- Xavier Guimard Sun, 15 Apr 2007 19:18:29 +0200
+
+lemonldap-ng (0.8.0.7) unstable; urgency=low
+
+ * Bug fix in manager javascript (Closes: #306776 ?)
+ * Display bug fix in manager
+
+ -- Xavier Guimard Sun, 15 Apr 2007 13:21:43 +0200
+
+lemonldap-ng (0.8.0.6) unstable; urgency=low
+
+ * Little bug fix in unprotect function
+ * Bug fix in authentication scheme different than default
+
+ -- Xavier Guimard Thu, 12 Apr 2007 07:03:51 +0200
+
+lemonldap-ng (0.8.0.5) unstable; urgency=low
+
+ * i18n bug: Lemonldap::NG works does not fall in english but creates a bug
+
+ -- Xavier Guimard Wed, 28 Mar 2007 21:26:16 +0200
+
+lemonldap-ng (0.8.0.4) unstable; urgency=low
+
+ * Multi-valued attributes in HTTP headers (Closes: #306792 /
+ forge.objectweb.org)
+ * Warning in Manager/Conf.pm: the same type of storage has to be used for
+ all Lemonldap::NG parts in a same server.
+ * Apache-1.3 configuration reload (Closes: #306761 / forge.objectweb.org)
+
+ -- Xavier Guimard Thu, 22 Mar 2007 22:42:23 +0100
+
+lemonldap-ng (0.8.0.3) unstable; urgency=low
+
+ * New feature in Manager : "Delete VHost" button (Closes: #306761)
+ * Typo correction in Makefile : (Closes: #306775)
+ * Correction of build-depends : (Closes: #306773)
+ * Bug correction : existingSessions was not called in Portal.pm
+
+ -- Xavier Guimard Tue, 13 Mar 2007 07:55:42 +0100
+
+lemonldap-ng (0.8.0.2) unstable; urgency=low
+
+ * Bug correction: lock doesn't work with File.pm (Closes: #306760 /
+ forge.objectweb.org)
+
+ -- Xavier Guimard Sun, 11 Mar 2007 21:08:38 +0100
+
+lemonldap-ng (0.8.0.1) unstable; urgency=medium
+
+ * Closes: #306756 / forge.objectweb.org
+
+ -- Xavier Guimard Fri, 10 Mar 2007 08:49:01 +0100
+
+lemonldap-ng (0.8) unstable; urgency=low
+
+ * Release 0.8:
+ - corrects differents little bugs issued from test in real life.
+ - on line documentation in english
+
+ -- Xavier Guimard Fri, 9 Mar 2007 20:29:01 +0100
+
+lemonldap-ng (0.7b12) unstable; urgency=low
+
+ * New features:
+ - session access via SOAP
+ - authentication via CAS
+ - 'apply changes' button in Manager used to reload configuration in
+ handlers (by calling reload sub via HTTP) (Closes: #306565 /
+ forge.objectweb.org)
+ - i18n module in portal (for displaying errors)
+ - lock in DBI configuration system (NOT YET TESTED)
+
+ -- Xavier Guimard Sun, 4 Mar 2007 15:50:38 +0100
+
+lemonldap-ng (0.7b11) unstable; urgency=low
+
+ * New features:
+ - Cross Domain Authentication
+ - SOAP configuration access
+ - READMEs and documentation update
+
+ -- Xavier Guimard Tue, 27 Feb 2007 15:01:09 +0100
+
+lemonldap-ng (0.7b10) unstable; urgency=low
+
+ * Corrections in Manager issued from the first test in real life:
+ - Close #306573 / forge.objectweb.org
+ - Close #306574 / forge.objectweb.org
+
+ -- Xavier Guimard Wed, 17 Jan 2007 20:57:33 +0100
+
+lemonldap-ng (0.7b9) unstable; urgency=low
+
+ * Internationalization of javascripts (close #306564 / forge.objectweb.org)
+ * Help in "General Parameters"
+
+ -- Xavier Guimard Sun, 14 Jan 2007 21:50:39 +0100
+
+lemonldap-ng (0.7b8) unstable; urgency=low
+
+ * Correction of the use of Safe in portal: &share doesn't work with a
+ variable declared with my.
+ * New system in the configuration: 'macro' section can be used to add
+ custom exported variables. So configuration is more simple in heavy case.
+
+ -- Xavier Guimard Sat, 13 Jan 2007 20:19:19 +0100
+
+lemonldap-ng (0.7b7) unstable; urgency=low
+
+ * Correction of a bug in internal redirections: now internal
+ redirections are not examined: for example,http://test.example.com/ is
+ internaly redirected to /index.pl, but only the first request (/) is
+ tested.
+ * Help in french
+
+ -- Xavier Guimard Fri, 5 Jan 2007 18:22:32 +0100
+
+lemonldap-ng (0.7b6) unstable; urgency=low
+
+ * Help system skeleton
+
+ -- Xavier Guimard Thu, 4 Jan 2007 09:04:05 +0100
+
+lemonldap-ng (0.7b5) unstable; urgency=low
+
+ * Localization in Manager interface (only fr and en)
+
+ -- Xavier Guimard Sun, 31 Dec 2006 16:39:06 +0100
+
+lemonldap-ng (0.7b4) unstable; urgency=low
+
+ * Safe jail runs now
+ * example runs now
+
+ -- Xavier Guimard Sun, 31 Dec 2006 14:00:08 +0100
+
+lemonldap-ng (0.7b3) unstable; urgency=low
+
+ * Replacement of eval by Safe for external expressions
+
+ -- Xavier Guimard Sat, 30 Dec 2006 22:23:22 +0100
+
+lemonldap-ng (0.7b) unstable; urgency=low
+
+ * Corrections in example
+ * Example installation in debian
+ * Revision in documentation
+
+ -- Xavier Guimard Sun, 17 Dec 2006 18:37:39 +0100
+
+lemonldap-ng (0.6) unstable; urgency=low
+
+ * Initial release built starting from the three modules of the CPAN.
+
+ -- Xavier Guimard Sun, 17 Dec 2006 17:46:47 +0100
+
diff --git a/build/lemonldap-ng/debian/compat b/build/lemonldap-ng/debian/compat
new file mode 100644
index 000000000..b8626c4cf
--- /dev/null
+++ b/build/lemonldap-ng/debian/compat
@@ -0,0 +1 @@
+4
diff --git a/build/lemonldap-ng/debian/control b/build/lemonldap-ng/debian/control
new file mode 100644
index 000000000..86143766b
--- /dev/null
+++ b/build/lemonldap-ng/debian/control
@@ -0,0 +1,17 @@
+Source: lemonldap-ng
+Section: perl
+Priority: extra
+Maintainer: Xavier Guimard
+Build-Depends: debhelper (>= 4), libapache-session-perl, libnet-ldap-perl, libdbi-perl, libwww-perl, libcache-cache-perl, libxml-simple-perl
+Standards-Version: 3.7.2
+
+Package: lemonldap-ng
+Architecture: all
+Depends: libapache-session-perl, libnet-ldap-perl, libdbi-perl, libwww-perl, libcache-cache-perl, libxml-simple-perl
+Provides: liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl, liblemonldap-ng-manager-perl
+Conflicts: liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl, liblemonldap-ng-manager-perl
+Recommends: libsoap-lite-perl, liblasso-perl
+Description: Lemonldap::NG Web-SSO system
+ Lemonldap::NG is a complete Web-SSO system that can run with reverse-proxies
+ or directly on application apache servers.
+
diff --git a/build/lemonldap-ng/debian/copyright b/build/lemonldap-ng/debian/copyright
new file mode 100644
index 000000000..27c20bae5
--- /dev/null
+++ b/build/lemonldap-ng/debian/copyright
@@ -0,0 +1,16 @@
+This package was debianized by Xavier Guimard on
+Sun, 17 Dec 2006 17:46:47 +0100.
+
+Copyright:
+
+Copyright 2004, 2005, 2006 by Xavier Guimard
+
+Licence:
+
+Perl is distributed under your choice of the GNU General Public License
+or the Artistic License. On Debian GNU/Linux systems, the copyright terms
+for Perl itself are located in `/usr/share/doc/perl/copyright'. On Debian
+GNU/Linux systems, the complete text of the GNU General Public License can
+be found in `/usr/share/common-licenses/GPL' and the Artistic Licence in
+`/usr/share/common-licenses/Artistic'.
+
diff --git a/build/lemonldap-ng/debian/dirs b/build/lemonldap-ng/debian/dirs
new file mode 100644
index 000000000..dd222dbfa
--- /dev/null
+++ b/build/lemonldap-ng/debian/dirs
@@ -0,0 +1 @@
+usr/share
diff --git a/build/lemonldap-ng/debian/docs b/build/lemonldap-ng/debian/docs
new file mode 100644
index 000000000..e69de29bb
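Review bot: The `Provides:` and `Conflicts:` lines both list `liblemonldap-ng-manager-perl` twice and never name `liblemonldap-ng-handler-perl`, although this package ships the handler too (the `lemonldap-ng-handler` symlink is added by this same commit), so a separately installed handler module would neither be declared provided nor conflicted with. Both lines should read `liblemonldap-ng-handler-perl, liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl`. Since the package takes over files from those three, a matching `Replaces:` line is normally needed alongside `Conflicts:`, and `Depends:` does not list `perl` itself; whether that is covered elsewhere is not visible here.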
diff --git a/build/lemonldap-ng/debian/lemonldap-ng.docs b/build/lemonldap-ng/debian/lemonldap-ng.docs
new file mode 100644
index 000000000..df82a86cf
--- /dev/null
+++ b/build/lemonldap-ng/debian/lemonldap-ng.docs
@@ -0,0 +1,3 @@
+doc/*
+README
+INSTALL
diff --git a/build/lemonldap-ng/debian/postinst b/build/lemonldap-ng/debian/postinst
new file mode 100755
index 000000000..98f530d77
--- /dev/null
+++ b/build/lemonldap-ng/debian/postinst
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Maintainer: #DEBHELPER#
+
+if [ "$1" = "configure" ]
+then
+ chown -R www-data /usr/share/doc/lemonldap-ng/examples/conf
+fi
diff --git a/build/lemonldap-ng/debian/rules b/build/lemonldap-ng/debian/rules
new file mode 100755
index 000000000..a8429a89e
--- /dev/null
+++ b/build/lemonldap-ng/debian/rules
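Review bot: `chown -R www-data /usr/share/doc/lemonldap-ng/examples/conf` hands the SSO configuration directory to the web-server user without touching group or mode, so the access rules and the LDAP `managerDn`/`managerPassword` that the accompanying lmConfig schema shows are stored there become writable by any application or CGI running as www-data on the host, and stay readable by every local user. If the manager must write there, also restrict the mode, e.g. `chown -R www-data:www-data "$dir" && chmod -R o-rwx "$dir"`, and consider keeping the live configuration outside /usr/share/doc, which dh_compress and documentation-stripping tools treat as disposable. The script should also begin with `set -e`, and `#DEBHELPER#` normally sits on a line of its own rather than inside a comment, otherwise the first line of whatever debhelper substitutes there is commented out.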
@@ -0,0 +1,93 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+export PERL_MM_USE_DEFAULT=1
+
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+
+ # Add here commands to compile the package.
+ $(MAKE) INSTALLDIRS=vendor
+ #docbook-to-man debian/lemonldap-ng.sgml > lemonldap-ng.1
+
+ touch $@
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ -$(MAKE) clean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/lemonldap-ng.
+ $(MAKE) test
+ $(MAKE) install DESTDIR=$(CURDIR)/debian/lemonldap-ng PREFIX=/usr
+ $(MAKE) example EXAMPLEDIR=/usr/share/doc/lemonldap-ng/examples/
+
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples example/*
+# dh_install
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_python
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_installman
+ dh_link
+ dh_strip
+ dh_compress
+ gunzip $(CURDIR)/debian/lemonldap-ng/usr/share/doc/lemonldap-ng/examples/manager/lemonldap-ng-manager.js.gz
+ dh_fixperms
+# dh_perl
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
diff --git a/build/lemonldap-ng/doc/install.html b/build/lemonldap-ng/doc/install.html
new file mode 100644
index 000000000..df022102d
--- /dev/null
+++ b/build/lemonldap-ng/doc/install.html
@@ -0,0 +1,377 @@
+ + + Lemonldap::NG + + + + + + + + +
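Review bot: The whole dh_* sequence lives under `binary-arch:` while `binary-indep:` is left empty, yet debian/control in this same commit declares the package `Architecture: all`; a `binary-indep`-only build (`dpkg-buildpackage -A`) therefore produces no package, and an arch-only build would assemble the arch-all package from the wrong target. Swap the two so the recipe runs under `binary-indep: build install` and `binary-arch:` becomes the empty one. Running `$(MAKE) test` from `install:` rather than from `build-stamp:` also means a test failure is only seen after the build stamp has been written; moving it next to `$(MAKE) INSTALLDIRS=vendor` is the conventional place.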

Lemonldap::NG Installation

+

Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It +simplifies the build of a protected area with a few changes in the application. +It manages both authentication and authorization and provides headers for +accounting. So you can have a full AAA protection.

+ +

See README file to known how it works.

+ +
    +
  1. Example installation +
      +
    1. Prereq
    2. +
    3. Building
    4. +
    5. Example configuration
    6. +
    +
  2. +
  3. Advanced installation +
      +
    1. Prereq
    2. +
    3. Software installation
    4. +
    5. Lemonldap::NG installation
    6. +
    +
  4. +
+ + +
    + +

  1. Example installation
  2. + +

    The proposed example use a protected site named test.example.com. Non +authenticated users are redirected to auth.example.com.

    + +
      + +

    1. Prereq
    2. + +
        +

      1. Software
      2. + +

        To use Lemonldap::NG, you have to run a LDAP server and of course an Apache +server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of +Apache proposed with your Linux distribution match, but some distributions used +an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does +not work with Lemonldap::NG. With such distributions (like Debian-3.1), you +have to use Apache-1.3 or to use a mod_perl backport (www.backports.org +package for Debian works fine).

        + +

      3. Perl prereq
      4. + +
        +
        Perl modules :
        +
        +

        Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, + DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager)

        +
        + +
        With Debian :
        +
        +
        +    apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
        +                    libdbi-perl perl-modules libwww-perl libcache-cache-perl \
        +                    libxml-simple-perl
        +  
        +

        If you want to use SOAP with the manager :

        +
        +    apt-get install libsoap-lite-perl
        +  
        +
        +
        +
      + +

    3. Building
    4. + +
        + +

      1. Complete installation
      2. +
        +    $ tar xzf lemonldap-ng-*.tar.gz
        +    $ cd lemonldap-ng-*
        +    $ make && make test
        +    $ sudo make install
        +    $ make example
        +
        + +

      3. Installation on Debian
      4. +
        +    $ tar xzf lemonldap-ng-*.tar.gz
        +    $ cd lemonldap-ng-*
        +    $ debuild   # or fakeroot dpkg-buildpackage
        +    $ sudo dpkg -i ../lemonldap-ng*.deb
        +
        + +
      + +

    5. Example configuration
    6. + +

      After build, you have new files in the example/ directory +(/usr/share/doc/lemonldap-ng/example with Debian). You just have +to include this file in Apache configuration :

      + +
        +
      • in httpd.conf (with Apache-1.3.x) +
        +    include /path/to/lemonldap-ng/source/example/apache.conf
        +  
        +
      • + +
      • or with Apache2 +
        +    include /path/to/lemonldap-ng/source/example/apache2.conf
        +  
        +
      • +
      + +

      Modify your /etc/hosts file to include :

      + +
      +    127.0.0.2       auth.example.com
      +    127.0.0.3       test.example.com
      +    127.0.0.4       manager.example.com
      +
      + +

      and restart Apache.

      + +

      Before the example works, you have to set your LDAP settings. There are two +ways to do it : + +

        +
      • Connect to http://manager.example.com/ + and edit the corresponding parameters in "general parameters"
      • + +
      • Edit /path/to/lemonldap-ng/source/example/conf/lmConfig-1 and + specify your LDAP settings.
      • +
      + +

      If you don't set managerDn and managerPassword, Lemonldap::NG will +use an anonymous bind to find user dn.

      + +

      WARNINGS :

      + +
        +
      • only few parameters can be set by hand in the configuration file. You have + to use the manager to change configuration, but since the example is yet + configured, you can edit directly the file
      • +
      • each new configuration is saved by the manager in a new file (or a new + record with DBI) so you can recover an old configuration by removing
      • +
      + +

      Next, try to connect to http://test.example.com/. +You'll be redirect to auth.example.com. Try to authenticate yourself with a +valid account and the protected page will appear. You will find other +explanations on this page.

      + +
    + +

  3. Advanced installation
  4. + +
      + +

    1. Prereq
    2. + +
        + +

      1. Apache
      2. + +

        To use Lemonldap::NG, you have to run a LDAP server and of course an Apache +server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of +Apache proposed with your Linux distribution match, but some distributions used +an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does +not work with Lemonldap::NG. With such distributions (like Debian-3.1), you +have to use Apache-1.3 or to use a mod_perl backport (www.backports.org +package for Debian works fine).

        + +

        For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works +faster and Lemonldap::NG use the thread system for best performance. If you +have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work +anyway.

        + +

        You can use Lemonldap::NG in an heterogene world : the authentication portal and +the manager can work in any version of Apache 1.3 or more even if mod_perl is +not compiled, with ModPerl::Registry or not... Only the handler (site protector) +need mod_perl. The different handlers can run on different servers with +different versions of Apache/mod_perl.

        + +

      3. Perl Prereq
      4. + +

        Warning : Handler and Portal parts both need Lemonldap::NG::Manager components +to access to configuration.

        + +
        +
        Manager :
        +

        CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP)

        + +

        With Debian :

        +
        +    # apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
        +   
        +

        And if you want to use SOAP :

        +
        +    # apt-get install libsoap-lite-perl
        +   
        +
        + +
        Portal :
        +

        Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager

        + +

        With Debian :

        +
        +   # apt-get install libapache-session-perl libnet-ldap-perl perl-modules
        +  
        +
        + +
        Handler :
        +

        Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager

        + +

        With Debian :

        +
        +    # apt-get install libapache-session-perl libwww-perl libcache-cache-perl
        +  
        +
        +
        +
      + +

    3. Software installation
    4. + +

      If you just want to install a handler or a portal or a manager :

      + +
      +    $ tar xzf lemonldap-ng-*.tar.gz
      +    $ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
      +    $ perl Makefile.PL && make && make test
      +    $ sudo make install
      +
      + +

      else for a complete install :

      +
      +    $ tar xzf lemonldap-ng-*.tar.gz
      +    $ cd lemonldap-ng-*
      +    $ make && make test
      +    $ sudo make install
      +
      + +

      See prereq in Exeample installation

      + +

    5. Lemonldap::NG installation
    6. + +
        + +

      1. Databases configuration
      2. + +
        Lemonldap::NG Configuration database
        + +

        If you use DBI or another system to share Lemonldap::NG configuration, you have +to initialize the database. An example is given in example/lmConfig.mysql for +MySQL.

        + + +
        Apache::Session database
        + +

        The choice of Apache::Session::* module is free. See Apache::Session::Store::* +or Apache::Session::* to know how to configure the module. For example, if you +want to use Apache::Session::MySQL, you can create the database like this :

        + +
        +    CREATE DATABASE sessions (
        +      id char(32),
        +      a_session text
        +    );
        +
        + +

      3. Manager configuration
      4. + +

        Copy example/manager.cgi and personalize it if you want (see +Lemonldap::NG::Manager). You have to set in particular configStorage. For +example with MySQL :

        + +
        +    $my $manager = Lemonldap::NG::Manager->new ( {
        +                        dbiChain   => "DBI:mysql:database=mybase;host=1.2.3.4",
        +                        dbiUser    => "lemonldap-ng",
        +                        dbiPassword => "mypass",
        +                 } );
        +
        + +

        You can securise Manager access with Lemonldap::NG like any other site (after +configuring it) or with Apache. Example :

        + +
        +    SSLEngine On
        +    Order Deny, Allow
        +    Deny from all
        +    Allow from admin-network/netmask
        +    AuthType Basic
        +    ...
        +
        + +

      5. Configuration edition
      6. + +

        Connect to the manager with your browser start configure your Web-SSO. You have +to set at least some parameters :

        + +
        General parameters
        + +

        Main parameters :

        +
          +
        • Authentication parameters -> portal : URL to access to the authentication portal
        • +
        • Domain : the cookie domain. Unless some protected VirtualHosts + are not under it, you have to use Lemonldap::NG::Portal::CDA and + Lemonldap::NG::Handler::CDA
        • +
        • LDAP parameters -> LDAP Server
        • +
        • LDAP parameters -> LDAP Accout and password : required only if anonymous binds are not accepted
        • +
        • Session Storage -> Apache::Session module : how to store user sessions. You can use all module that inherit + from Apache::Session like Apache::Session::MySQL
        • +
        • Session Storage -> Apache::Session Module parameters : see Apache::Session::<Choosen module>
        • +
        + +
        User groups
        + +

        Use the "New Group" button to add your first group. On the left, set the +keyword which will be used later and set on the right the corresponding rule. +you can use :

        + +
          +
        • an LDAP filter (it will be tested with the user uid)
        • +
        • or a Perl condition enclosed with {}. All variables declared in + "General parameters -> LDAP attributes" or "macros" + can be used with a "$". For example : +
          +    MyGroup  =>  { $uid eq "foo" or $uid eq "bar" }
          +   
          +
        • +
        + +
        Virtual hosts
        + +

        You have to create a virtual host for each Apache host (virtual or real) +protected by Lemonldap::NG even if just a sub-directory is protected. Else, +user who want to access to the protected area will be rejected with a "500 +Internal Server Error" message and the apache logs will explain the problem.

        + +

        Each virtual host has 2 groups of parameters :

        + +
          +
        • Headers : the headers added to the apache request. Default : +
          +        Auth-User => $uid
          +  
          +
        • +
        • Rules : subdivised in 2 categories : +
            +
          • default : the default rule
          • +
          • personalized rules : association of a Perl regular expression and a + condition. For example : +
            +        ^/restricted.*$  /  $groups =~ /\bMyGroup\b/
            +    
            +
          • +
          +
      +
    +
+ + + diff --git a/build/lemonldap-ng/doc/overview.html b/build/lemonldap-ng/doc/overview.html new file mode 100644 index 000000000..39c794363 --- /dev/null +++ b/build/lemonldap-ng/doc/overview.html @@ -0,0 +1,247 @@ + + + Lemonldap::NG + + + + + + + +

Lemonldap::NG

+ +

Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It +simplifies the build of a protected area with a few changes in the application. +It manages both authentication and authorization and provides headers for +accounting. So you can have a full AAA protection for your web space as +described below.

+ +
    +
  1. Authentication, Authorization and Accounting mechanisms
  2. +
  3. Installation
  4. +
  5. Session storage system
  6. +
  7. Logout system
  8. +
  9. Author
  10. +
  11. Copyright and licence
  12. +
+ +
    +

  1. Authentication, Authorization and Accounting mechanisms
  2. + +
      +

    1. Authentication
    2. + +

      If a user isn't authenticated and attemps to connect to an area protected by a +Lemonldap::NG compatible handler, he is redirected to a portal. The portal +authenticates user with a ldap bind by default, but you can also use another +authentication sheme like using x509 user certificates (see +Lemonldap::NG::Portal::AuthSSL(3) for more).

      + +

      Lemonldap use session cookies generated by Apache::Session so as secure as a +128-bit random cookie. You may use the securedCookie options to avoid session +hijacking.

      + +

      You have to manage life of sessions by yourself since Lemonldap::NG knows +nothing about the L module you've choosed, but it's very easy +using a simple cron script because Lemonldap::NG::Portal stores the start +time in the _utime field.
      +By default, a session stay 10 minutes in the local storage, so in the worth +case, a user is authorized 10 minutes after he lost his rights.

      + +

    3. Authorization
    4. + +

      Authorization is controled only by handlers because the portal knows nothing +about the way the user will choose. When configuring your Web-SSO, you have to:

      + +
        +
      • choose the ldap attributes you want to use to manage accounting and + authorization.
      • +
      • create Perl expressions to define user groups (using ldap attributes)
      • +
      • create an array foreach virtual host associating URI regular expressions and + Perl expressions to use to grant access.
      • +
      + +

      Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored) :

      + +
        +
      • Exported variables : +
        +# Custom-Name    => LDAP attribute
        +cn               => cn
        +departmentUID    => departmentUID
        +login            => uid
        + 
      • + +
      • User groups : +
        +# Custom-Name => group definition
        +  group1      => { $departmentUID eq "unit1" or $login = "user1" }
        +
      • + +
      • Area protection: +
        +# Each VirtualHost has its own configuration
        +# associating URL regexp to Perl expression
        +    * www1.domain.com :
        +          ^/protected/.*$  => $groups =~ /\bgroup1\b/
        +          default          => accept
        +      },
        +    * www2.domain.com :
        +          ^/site/.*$       => $uid eq "admin" or $groups =~ /\bgroup2\b/
        +          ^/(js|css)       => accept
        +          default          => deny
        +  
      • +
      + +
        +

      1. Performance
      2. + +

        You can use Perl expressions as complicated as you want and you can use all +the exported LDAP attributes (and create your own attributes: with 'macros' +mechanism) in groups evaluations, area protections or custom HTTP headers +(you just have to call them with a "$").

        + +

        You have to be careful when choosing your expressions:

        + +
          +
        • groups and macros are evaluated each time a user is redirected to the portal,
        • +
        • virtual host rules and exported headers are evaluated for each request on a + protected area.
        • +
        + +

        It is also recommanded to use the groups mechanism to avoid having to evaluate +a long expression at each HTTP request :

        + +
        +  # Virtual hosts :
        +      ...
        +      www1.domain.com :
        +          ^/protected/.*$   => $groups =~ /\bgroup1\b/
        +
        + +

        You can also use LDAP filters, or Perl expression or mixed expressions in +groups definitions. Perl expressions has to be enclosed with {} :

        + +
        + * group1 => (|(uid=xavier.guimard)(ou=unit1))
        + * group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
        + * group1 => (|(uid=xavier.guimard){$ou eq "unit1"})
        +
        + +

        It is also recommanded to use Perl expressions to avoid requiering the LDAP +server more than 2 times per authentication.

        + +
      +

    5. Accounting
    6. + +
        +

      1. Logging portal access
      2. + +

        Lemonldap::NG::Portal doesn't log anything by default, but it's easy to +overload log method for normal portal access.

        + +

      3. Logging application access
      4. + +

        Because a Web-SSO knows nothing about the protected application, it can't do +more than logging URL. As Apache does this fine, Lemonldap::NG::Handler(3) +gives it the name to used in logs. The whatToTrace parameter indicates +which variable Apache has to use ($uid by default).

        + +

        The real accounting has to be done by the application itself which knows the +result of SQL transaction for example.

        + +

        Lemonldap::NG can export HTTP headers either using a proxy or protecting +directly the application. By default, the Auth-User field is used but you can +change it using the exportedHeaders parameters (in the Manager, each virtual +host as custom headers branch). This parameters contains an associative array +per virtual host :

        + +
          +
        • keys are the names of the choosen headers,
        • +
        • values are Perl expressions where you can use user datas stored in the + global storage.
        • +
        + +

        Example:

        + +
        + * www1.domain.com :
        +        Auth-User     => $uid
        +        Unit          => $ou
        + * www2.domain.com :
        +        Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
        +        Remote-IP     => $ip
        +
        +
      +
    + +

  3. Installation
  4. + +

    Warnings :

    +
      +
    • Lemonldap::NG is a different project than Lemonldap and contains all you need +to use and administer it. So softwares, like Lemonldap webmin module, may not +work with Lemonldap::NG.

    • + +
    • The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x +and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager +act as CGI, so they can work everywhere.

    • +
    • Lemonldap::NG configuration has to be edited using the manager unless +you know exactly what you are doing. The parameters discussed below are all in +the configuration tree.

    • +
    + +

    See INSTALL file for a complete installation documentation.

    + +

  5. Session storage system
  6. + +

    Lemonldap::NG use 3 levels of cache for authenticated users :

    + +
      +
    • an Apache::Session::* module used by lemonldap::NG::Portal to store + authenticated user parameters,
    • +
    • a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated + users between Apache's threads or processus and of course between virtual + hosts on the same machine,
    • +
    • Lemonldap::NG::Handler variables : if the same user use the same thread or + processus a second time, no request are needed to grant or refuse access. + This is very efficient with HTTP/1.1 Keep-Alive system.
    • +
    + +

    So the number of request to the central storage is limited to 1 per active +user each 10 minutes.

    + +

    Lemonldap::NG is very fast, but you can increase performance using a +Cache::Cache module that does not use disk access.

    + +

  7. Logout system
  8. + +

    Lemonldap::NG provides a single logout system : you can use it by + adding a link to the portal with "logout=1" parameter in the portal (See + Lemonldap::NG::Portal(3)) and/or by configuring handler to intercept some URL + (See Lemonldap::NG::Handler(3)). The logout system: + +

      +
    • delete session in the global session storage,
    • +
    • replace Lemonldap::NG cookie by '',
    • +
    • delete handler caches only if logout action was started from a + protected application and only in the current Apache server. So in other + servers, session is still in cache for 10 minutes maximum if the user was + connected on it in the last 10 minutes.
    • +
    + +

  9. Author
  10. + +

    Xavier Guimard, <x.guimard@free.fr> + +

  11. Copyright and licence
  12. + +

    Copyright © 2005-2007 by Xavier Guimard <x.guimard@free.fr>

    + +

    This library is free software; you can redistribute it and/or modify +it under the same terms as Perl itself, either Perl version 5.8.4 or, +at your option, any later version of Perl 5 you may have available.

    + +
+ + diff --git a/build/lemonldap-ng/lemonldap-ng-handler b/build/lemonldap-ng/lemonldap-ng-handler new file mode 120000 index 000000000..928f99cdc --- /dev/null +++ b/build/lemonldap-ng/lemonldap-ng-handler @@ -0,0 +1 @@ +../../modules/lemonldap-ng-handler/ \ No newline at end of file diff --git a/build/lemonldap-ng/lemonldap-ng-manager b/build/lemonldap-ng/lemonldap-ng-manager new file mode 120000 index 000000000..c2518c814 --- /dev/null +++ b/build/lemonldap-ng/lemonldap-ng-manager @@ -0,0 +1 @@ +../../modules/lemonldap-ng-manager/ \ No newline at end of file diff --git a/build/lemonldap-ng/lemonldap-ng-portal b/build/lemonldap-ng/lemonldap-ng-portal new file mode 120000 index 000000000..8efdac4db --- /dev/null +++ b/build/lemonldap-ng/lemonldap-ng-portal @@ -0,0 +1 @@ +../../modules/lemonldap-ng-portal/ \ No newline at end of file diff --git a/build/lemonldap-ng/scripts/make_static_example.pl b/build/lemonldap-ng/scripts/make_static_example.pl new file mode 100755 index 000000000..dedbb8e8b --- /dev/null +++ b/build/lemonldap-ng/scripts/make_static_example.pl 
@@ -0,0 +1,65 @@
+#!/usr/bin/perl
+
+use strict;
+
+die "usage: static.pl script.pl index.html" unless (@ARGV);
+
+my $script = $ARGV[0];
+my $dir = `pwd`;
+chomp $dir;
+our $lib = "$dir/lemonldap-ng-manager/blib/lib/";
+$script = "$dir/$script" unless ( $script =~ m#^/# );
+my $file = $ARGV[1];
+my $lang = $ARGV[2] || "en";
+$file =~ s#^.*/##;
+$dir = $&;
+`mkdir -p $dir` unless ( -d $dir );
+chdir $dir;
+
+&scan( $script, $file, '' );
+
+sub scan {
+ my ( $script, $filename, $args ) = @_;
+ print STDERR "$filename\n";
+ my ( $IN, $OUT );
+ open $IN, "HTTP_ACCEPT_LANGUAGE=$lang SCRIPT_NAME=__SCRIPTNAME__ SCRIPT_FILENAME=$script perl -I$lib $script '$args'|";
+ open $OUT, ">$filename";
+ my $ind = 0;
+ local ( $_, $1 );
+ while (<$IN>) {
+ s/\r//g;
+ if (/lmQuery/) {
+ if (s/__SCRIPTNAME__\?lmQuery=([^"']*)js/$1.js/) {
+ scan( $script, "$1.js", "lmQuery=$1js" );
+ }
+ elsif (s/__SCRIPTNAME__\?lmQuery=upload/#/) {
+ # Nothing to do here
+ }
+ elsif (s/__SCRIPTNAME__\?lmQuery=conf/conf.xml/) {
+ scan( $script, "conf.xml", "lmQuery=conf" );
+ }
+ elsif (s/__SCRIPTNAME__\?lmQuery=([^"']*)css/style$1.css/) {
+ scan( $script, "style$1.css", "lmQuery=$1css" );
+ }
+ elsif (s/__SCRIPTNAME__\?lmQuery=help&help="\+s/help_"+s+".html"/) {
+ # Nothing to do here
+ }
+ elsif (s/__SCRIPTNAME__\?lmQuery=([^"'&]*)&?[^"']*/$1/) {
+ scan( $script, "$1", "lmQuery=$1" );
+ }
+ s/["']help["']\+s/"help"/;
+ }
+ elsif (/help\((['"])(\w+)\1/) {
+ scan( $script, "help_$2.html", "lmQuery=help&help=$2" );
+ }
+ # but+=button('$text{saveConf}','saveConf',nodeId);
+ elsif (s/(but\+=)button\((['"])([^'"]*)\2,'saveConf.*$/$1'  ';/) {
+ # '   '
+ # Nothing to do here
+ }
+ s#tree.setImagePath\(["'][^"']*["']\);#tree.setImagePath("imgs/")#;
+ print $OUT $_ if ($ind);
+ $ind++ if /^$/;
+ }
+}
+
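Review bot: `$dir = $&;` right after `$file =~ s#^.*/##;` reads the last *successful* match, not the result of that substitution, so with the invocation the usage line documents (`index.html`, no directory part) `$&` still holds whatever `$script =~ m#^/#` matched — `/` for an absolute script path, or nothing at all — and the script then chdirs there and writes the generated files in the wrong place; take the directory from a capture instead, as below. The pipe `open $IN, "HTTP_ACCEPT_LANGUAGE=$lang ... perl -I$lib $script '$args'|"` builds a shell command from `$lib`, `$script` and `$args`, and `$args` is captured out of the manager's own HTML (`lmQuery=$1`), so a single quote in that output breaks the command line; the list-form open with the environment set through `%ENV` avoids the shell entirely. Both `open` calls and `chdir` are also unchecked and the file has no `use warnings`.

```perl
# … unchanged: argument parsing through `my $lang = ...` …
my $outdir = '.';                            # s/// is false when $file has no directory part
$outdir = $1 if ( $file =~ s{^(.*)/}{} );    # use the capture, never $& after a failed match
unless ( -d $outdir ) {
    system( 'mkdir', '-p', $outdir ) == 0 or die "mkdir -p $outdir failed";
}
chdir $outdir or die "chdir $outdir: $!";

&scan( $script, $file, '' );

sub scan {
    my ( $script, $filename, $args ) = @_;
    print STDERR "$filename\n";
    local $ENV{HTTP_ACCEPT_LANGUAGE} = $lang;
    local $ENV{SCRIPT_NAME}          = '__SCRIPTNAME__';
    local $ENV{SCRIPT_FILENAME}      = $script;
    # list-form open: no shell, so quotes in $args (taken from the manager's HTML) are harmless
    open my $IN, '-|', 'perl', "-I$lib", $script, $args
        or die "cannot run $script: $!";
    open my $OUT, '>', $filename or die "cannot write $filename: $!";
    # … unchanged: line-by-line rewriting loop …
}
```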