LEMONLDAP::NG : branch trunk/build/lemonldap-ng
This commit is contained in:
parent cf4f11b7a0
commit d7d14bf782
@ -0,0 +1,280 @@
LEMONLDAP::NG INSTALLATION

Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the application.
It manages both authentication and authorization and provides headers for
accounting. So you can have a full AAA protection.

See README file to known how it works.

------------------------
I - EXAMPLE INSTALLATION
------------------------

The proposed example use a protected site named test.example.com. Non
authenticated users are redirected to auth.example.com.

1.1 - PREREQ
------------

1.1.1 - Software

To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
Apache proposed with your Linux distribution match, but some distributions used
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
package for Debian works fine).

1.1.2 - Perl prereq

Perl modules:
Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager)

With Debian:
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
libdbi-perl perl-modules libwww-perl libcache-cache-perl \
libxml-simple-perl
# If you want to use SOAP with the manager:
apt-get install libsoap-lite-perl

1.2 - BUILDING
--------------

1.2.1 - Complete install

$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make && make test
$ sudo make install
$ make example

1.2.2 - Install on Debian

$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ debuild
$ sudo dpkg -i ../lemonldap-ng*.deb

1.3 - EXAMPLE CONFIGURATION
---------------------------

After build, you have a new file named example/apache.conf. You just have to
include this file in Apache configuration:

# in httpd.conf (with Apache1)
include /path/to/lemonldap-ng/source/example/apache.conf
# or in apache2.conf (with Apache2)
include /path/to/lemonldap-ng/source/example/apache2.conf

Modify your /etc/hosts file to include:

127.0.0.2 auth.example.com
127.0.0.3 test.example.com
127.0.0.4 manager.example.com

Edit /path/to/lemonldap-ng/source/example/conf/lmConfig-1 and specify your LDAP
settings. If you don't set managerDn and managerPassword, Lemonldap::NG will
use an anonymous bind to find user dn.
(Debian users: /usr/share/doc/lemonldap-ng/example/conf/lmConfig-1)
WARNINGS:
* only few parameters can be set by hand in the configuration file. You have
to use the manager to change configuration, but since the example is yet
configured, you can edit directly the file
* each new configuration is saved by the manager in a new file (or a new
record with DBI) so you can recover an old configuration by removing

Next, restart Apache use your prefered browser and try to connect to
http://test.example.com/. You'll be redirect to auth.example.com. Try
to authenticate yourself with a valid account and the protected page will
appear. You will find other explanations on this page.

Configuration can be modified by connecting your browser to
http://manager.example.com/

-------------------------
2 - ADVANCED INSTALLATION
-------------------------

2.1 - PREREQ

2.1.1 - Apache

To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
Apache proposed with your Linux distribution match, but some distributions used
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
package for Debian works fine).

For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
faster and Lemonldap::NG use the thread system for best performance. If you
have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
anyway.

You can use Lemonldap::NG in an heterogene world: the authentication portal and
the manager can work in any version of Apache 1.3 or more even if mod_perl is
not compiled, with ModPerl::Registry or not... Only the handler (site protector)
need mod_perl. The different handlers can run on different servers with
different versions of Apache/mod_perl.

2.1.2 - Perl prereq

Warning: Handler and Portal parts both need Lemonldap::NG::Manager components
to access to configuration.

Manager:
-------
CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP)

With Debian:
apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
# If you want to use SOAP
apt-get install libsoap-lite-perl

Portal:
------
Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager

With Debian:
apt-get install libapache-session-perl libnet-ldap-perl perl-modules

Handler:
-------
Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager

With Debian:
apt-get install libapache-session-perl libwww-perl libcache-cache-perl

2.2 - SOFTWARE INSTALLATION
---------------------------

If you just want to install a handler or a portal or a manager:

$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
$ perl Makefile.PL && make && make test
$ sudo make install

else for a complete install:

$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make && make test
$ sudo make install

See prereq in §1.1.2

2.3 - LEMONLDAP INSTALLATION
----------------------------

2.3.1 - Database configuration

2.3.1.1 - Lemonldap::NG Configuration database

If you use DBI or another system to share Lemonldap::NG configuration, you have
to initialize the database. An example is given in example/lmConfig.mysql for
MySQL.

2.3.1.2 - Apache::Session database

The choice of Apache::Session::* module is free. See Apache::Session::Store::*
or Apache::Session::* to know how to configure the module. For example, if you
want to use Apache::Session::MySQL, you can create the database like this:

CREATE DATABASE sessions (
id char(32),
a_session text
);

2.3.2 - Manager configuration

Copy example/manager.cgi and personalize it if you want (see
Lemonldap::NG::Manager). You have to set in particular configStorage. For
example with MySQL:

$my $manager = Lemonldap::NG::Manager->new ( {
dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4",
dbiUser => "lemonldap-ng",
dbiPassword => "mypass",
} );

Securise Manager access with Apache: Lemonldap does not securise the manager
itself yet:

SSLEngine On
Order Deny, Allow
Deny from all
Allow from admin-network/netmask
AuthType Basic
...

After configuration, you can also protect the manager with an Lemonldap::NG
handler.

2.3.3 - Configuration edition

Connect to the manager with your browser start configure your Web-SSO. You have
to set at least some parameters:

a) General parameters :

* Authentication parameters -> portal : URL to access to the authentication
portal
* Domain : the cookie domain. All protected VirtualHosts have to be under it

* LDAP parameters -> LDAP Server

* LDAP parameters -> LDAP Accout and password : required only if anonymous
binds are not accepted

* Session Storage -> Apache::Session module : how to store user sessions.
You can use all module that
inherit from Apache::Session
like Apache::Session::MySQL

* Session Storage -> Apache::Session Module parameters :
see Apache::Session::<Choosen module>

b) User groups :

Use the "New Group" button to add your first group. On the left, set the
keyword which will be used later and set on the right the corresponding rule:
you can use :

* an LDAP filter (it will be tested with the user uid)

or

* a Perl condition enclosed with {}. All variables declared in "General
parameters -> LDAP attributes" can be used with a "$". For example:
MyGroup / { $uid eq "foo" or $uid eq "bar" }

c) Virtual hosts

You have to create a virtual host for each Apache host (virtual or real)
protected by Lemonldap::NG even if just a sub-directory is protected. Else,
user who want to access to the protected area will be rejected with a "500
Internal Server Error" message and the apache logs will explain the problem.

Each virtual host has 2 groups of parameters:

* Headers: the headers added to the apache request. Default :
Auth-User => $uid
* Rules: subdivised in 2 categories:
* default : the default rule
* personalized rules: association of a Perl regular expression and
a condition. For example:
^/restricted.*$ / $groups =~ /\bMyGroup\b/


-------------
3 - DEBUGGING
-------------

Lemonldap::NG uses simply the Apache log system. So use LogLevel to choose
information to display.

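Review bot: the session-table example in 2.3.1.2 (`CREATE DATABASE sessions ( id char(32), a_session text );`) is not valid SQL; it should be `CREATE TABLE sessions (...)` with `id` as the primary key, which is exactly what the sessions SQL file added in this same commit does, so point the reader at that file instead of repeating it here. In 2.3.2 the manager snippet begins with `$my $manager = ...` (stray `$` before `my`), and the Apache access-control snippet uses `Order Deny, Allow` where Apache expects `Order Deny,Allow` without the space; since that snippet is the only thing protecting the manager (and with it the whole SSO policy) until a handler is placed in front of it, it should be copy-pasteable as written. Two smaller documentation points: the second WARNINGS bullet stops mid-sentence ("...by removing"), and the example configuration file is called `lmConfig-1` here but `lmConf-1` in the Makefile's `example` target.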
@ -0,0 +1,153 @@
#!/usr/bin/make

VERSION=0.9beta
HANDLERDIR=lemonldap-ng-handler
PORTALDIR=lemonldap-ng-portal
MANAGERDIR=lemonldap-ng-manager
EXAMPLEDIRBUILD=`pwd`/example/
EXAMPLEDIR=$(EXAMPLEDIRBUILD)
EXAMPLELANG=en

all: handler manager portal

handler: handler_conf
$(MAKE) -C ${HANDLERDIR}
touch handler

portal: portal_conf
$(MAKE) -C ${PORTALDIR}
touch portal

manager: manager_conf
$(MAKE) -C ${MANAGERDIR}
touch manager

configure: handler_conf portal_conf manager_conf

handler_conf:
cd ${HANDLERDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS)
touch handler_conf

portal_conf:
cd ${PORTALDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS)
touch portal_conf

manager_conf:
cd ${MANAGERDIR}; perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS)
touch manager_conf

test: manager_test handler_test portal_test

manager_test: manager
$(MAKE) -C ${MANAGERDIR} test

handler_test: handler
$(MAKE) -C ${HANDLERDIR} test INST_ARCHLIB=../${MANAGERDIR}/blib/lib/

portal_test: portal
$(MAKE) -C ${PORTALDIR} test INST_ARCHLIB=../${MANAGERDIR}/blib/lib/

install: handler_install portal_install manager_install

handler_install: handler
$(MAKE) -C ${HANDLERDIR} install
touch handler_install

portal_install: portal
$(MAKE) -C ${PORTALDIR} install
touch portal_install

manager_install: manager
$(MAKE) -C ${MANAGERDIR} install
touch manager_install

distclean: clean

clean: handler_clean portal_clean manager_clean
rm -rf example
find . -name '*.gz' -exec rm -vf {} \;

handler_clean:
- $(MAKE) -C ${HANDLERDIR} distclean
rm -vf handler*

portal_clean:
- $(MAKE) -C ${PORTALDIR} distclean
rm -vf portal*

manager_clean:
- $(MAKE) -C ${MANAGERDIR} distclean
rm -vf manager*

example: all
mkdir -p example/portal example/manager example/handler example/conf
chmod 1777 example/conf
cp -a ${HANDLERDIR}/example/* example/handler
cp -a ${PORTALDIR}/example/* example/portal
cp -a ${MANAGERDIR}/example/* example/manager
cp -a _example/* example
find ${EXAMPLEDIRBUILD} -type f -exec perl -i -pe 's#__DIR__/?#'${EXAMPLEDIR}'#g' {} \;
@echo
@echo "Example is ready."
@echo
@echo "1 - Add this in your Apache configuration file:"
@echo " with Apache-1.3.x"
@echo
@echo " include ${EXAMPLEDIR}apache.conf"
@echo
@echo " or with Apache-2.x:"
@echo
@echo " include ${EXAMPLEDIR}apache2.conf"
@echo
@echo "2 - Add test.example.com and auth.example.com in yout /etc/hosts :"
@echo
@echo " cat example/for_etc_hosts >> /etc/hosts"
@echo
@echo "3 - edit ${EXAMPLEDIR}/conf/lmConf-1 and set ldapServer and ldapBase."
@echo " or use the manager at http://manager.example.com/ (after apache restart)"
@echo
@echo "4 - Restart Apache (or Apache2)"
@echo
@echo "5 - Try to connect to http://test.example.com/"

uninstall: configure handler_uninstall portal_uninstall manager_uninstall

handler_uninstall: handler
$(MAKE) -C ${HANDLERDIR} uninstall
rm -vf handler_uninstall

portal_uninstall: portal
$(MAKE) -C ${PORTALDIR} uninstall
rm -vf portal_uninstall

manager_uninstall: manager
$(MAKE) -C ${MANAGERDIR} uninstall
rm -vf manager_uninstall

dist:
- $(MAKE) clean
mkdir -p lemonldap-ng-$(VERSION)
- cp -a * lemonldap-ng-$(VERSION)
rm -rf lemonldap-ng-$(VERSION)/lemonldap-ng-$(VERSION)
tar czf lemonldap-ng-$(VERSION).tar.gz lemonldap-ng-$(VERSION)
rm -rf lemonldap-ng-$(VERSION)

cpan: configure handler_cpan portal_cpan manager_cpan

handler_cpan: handler_conf
$(MAKE) -C ${HANDLERDIR} dist
mv ${HANDLERDIR}/Lemonldap*.gz .

portal_cpan: portal_conf
$(MAKE) -C ${PORTALDIR} dist
mv ${PORTALDIR}/Lemonldap*.gz .

manager_cpan: manager_conf
$(MAKE) -C ${MANAGERDIR} dist
mv ${MANAGERDIR}/Lemonldap*.gz .

static_example: example
mkdir -p example/static
cd example/static/;ln -s ../manager/imgs;cd -
scripts/make_static_example.pl example/manager/index.pl example/static/index.html $(EXAMPLELANG)

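Review bot: `chmod 1777 example/conf` in the `example` target makes the directory that holds the configuration (LDAP bind DN and password, `locationRules`, `exportedHeaders`) writable by every local account; the sticky bit only stops users deleting each other's files, so any local user can still add a new, higher-numbered configuration file, and INSTALL says the newest saved configuration is the one in effect. If the intent is to let the web server account save configurations from the manager, `chown`/`chgrp` the directory to that account with mode 0770 (or 0750 plus a writable group) instead of opening it to everyone. Minor: step 3 of the printed instructions says `${EXAMPLEDIR}/conf/lmConf-1` while INSTALL calls the file `lmConfig-1` (pick one), and `yout /etc/hosts` is a typo.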
@ -0,0 +1,194 @@
Lemonldap-NG
====================

Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the application.
It manages both authentication and authorization and provides headers for
accounting. So you can have a full AAA protection for your web space as
described below.

1 - Installation
2 - Authentication, Authorization and Accounting mechanisms
2.1 - Authentication
2.2 - Authorization
2.3 - Accounting
3 - Session storage system
4 - Author
5 - Copyright and licence

1 - INSTALLATION
================

Lemonldap::NG is a different project than Lemonldap and contains all you need
to use and administer it. So softwares, like Lemonldap webmin module, may not
work with Lemonldap::NG.

The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
act as CGI, so they can work everywhere.

See INSTALL file in the source tree for a complete installation documentation.

2 - AUTHENTICATION, AUTHORIZATION AND ACCOUNTING MECHANISMS
===========================================================

Warning: Lemonldap::NG configuration has to be edited using the manager unless
you know exactly what you are doing. The parameters discussed here are all in
the configuration tree.

2.1 - Authentication

If a user isn't authenticated and attemps to connect to an area protected by a
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
authenticates user with a ldap bind by default, but you can also use another
authentication sheme like using x509 user certificates (see
Lemonldap::NG::Portal::AuthSSL(3) for more).

Lemonldap use session cookies generated by Apache::Session so as secure as a
128-bit random cookie. You may use the securedCookie options to avoid session
hijacking.

You have to manage life of sessions by yourself since Lemonldap::NG knows
nothing about the L<Apache::Session> module you've choosed, but it's very easy
using a simple cron script because Lemonldap::NG::Portal stores the start
time in the _utime field.
By default, a session stay 10 minutes in the local storage, so in the worth
case, a user is authorized 10 minutes after he lost his rights.

2.2 - Authorization

Authorization is controled only by handlers because the portal knows nothing
about the way the user will choose. When configuring your Web-SSO, you have to:

* choose the ldap attributes you want to use to manage accounting and
authorization.
* create Perl expressions to define user groups (using ldap attributes)
* create an array foreach virtual host associating URI regular expressions and
Perl expressions to use to grant access.

Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored

* Exported variables :

# Custom-Name => LDAP attribute
cn => cn
departmentUID => departmentUID
login => uid

* User groups :

# Custom-Name => group definition
group1 => { $departmentUID eq "unit1" or $login = "xavier.guimard" }

* Area protection:

# Each VirtualHost has its own configuration
# associating URL regexp to Perl expression
* www1.domain.com :
^/protected/.*$ => $groups =~ /\bgroup1\b/
default => accept
},
* www2.domain.com => {
^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
^/(js|css) => accept
default => deny
},
},

2.2.1 - Performance

You can use Perl expressions as complicated as you want and you can use all
the exported LDAP attributes (and create your own attributes: with 'macros'
mechanism) in groups evaluations, area protections or custom HTTP headers
(you just have to call them with a "$").

You have to be careful when choosing your expressions:

* groups and macros are evaluated each time a user is redirected to the portal
* virtual host rules and exported headers are evaluated for each request on a
protected area.

It is also recommanded to use the groups mechanism to avoid having to evaluate
a long expression at each HTTP request:

# Virtual hosts :
...
www1.domain.com :
^/protected/.*$ => $groups =~ /\bgroup1\b/

You can also use LDAP filters, or Perl expression or mixed expressions in
groups definitions. Perl expressions has to be enclosed with {}:

* group1 => (|(uid=xavier.guimard)(ou=unit1))
* group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
* group1 => (|(uid=xavier.guimard){$ou eq "unit1"})

It is also recommanded to use Perl expressions to avoid requiering the LDAP
server more than 2 times per authentication.

2.3 - Accounting

2.3.1 - Logging portal access>

Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
overload log method for normal portal access.

2.3.2 - Logging application access

Because a Web-SSO knows nothing about the protected application, it can't do
more than logging URL. As Apache does this fine, L<Lemonldap::NG::Handler>
gives it the name to used in logs. The whatToTrace parameter indicates
which variable Apache has to use ($uid by default).

The real accounting has to be done by the application itself which knows the
result of SQL transaction for example.

Lemonldap::NG can export HTTP headers either using a proxy or protecting
directly the application. By default, the Auth-User field is used but you can
change it using the exportedHeaders parameters (in the Manager, each virtual
host as custom headers branch). This parameters contains an associative array
per virtual host:

* keys are the names of the choosen headers
* values are Perl expressions where you can use user datas stored in the
global storage.

Example:

* www1.domain.com :
Auth-User => $uid
Unit => $ou
* www2.domain.com :
Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
Remote-IP => $ip

3 - SESSION STORAGE SYSTEM

Lemonldap::NG use 3 levels of cache for authenticated users:

* an Apache::Session::* module used by lemonldap::NG::Portal to store
authenticated user parameters,
* a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
users between Apache's threads or processus and of course between virtual
hosts on the same machine
* Lemonldap::NG::Handler variables : if the same user use the same thread or
processus a second time, no request are needed to grant or refuse access.
This is very efficient with HTTP/1.1 Keep-Alive system.

So the number of request to the central storage is limited to 1 per active
user each 10 minutes.

Lemonldap::NG is very fast, but you can increase performance using a
Cache::Cache module that does not use disk access.

4 - AUTHOR

Xavier Guimard, x.guimard@free.fr

5 - COPYRIGHT AND LICENSE

Copyright (C) 2005-2007 by Xavier Guimard x.guimard@free.fr

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.4 or,
at your option, any later version of Perl 5 you may have available.

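Review bot: in the "User groups" example, `$login = "xavier.guimard"` is an assignment, not a comparison. Because `or` binds loosest, a user outside `unit1` gets `$login` overwritten and the expression evaluates to the assigned (true) string, so `group1` matches every authenticated user and the `^/protected/.*$` rule on www1.domain.com grants access to all of them. It should read `$login eq "xavier.guimard"`, as the later `{$uid eq "xavier.guimard" or $ou eq "unit1"}` example already does; this is the one example readers will copy, so it matters. Also in the "Area protection" block the `},` after www1.domain.com has no matching `{` (www2.domain.com does have one), and in the exported-headers example `encode_base64($employeeNumber.":dummy")` appends a trailing newline unless called with `''` as its second argument, which would end up inside the `Authorization` header value. The heading `2.3.1 - Logging portal access>` has a stray `>`.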
@ -0,0 +1,3 @@
* Help english
* Help generalParameters
* Help in Static

@ -0,0 +1,5 @@
CREATE TABLE sessions (
id char(32) not null primary key,
a_session text
);

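Review bot: this schema (32-character primary key plus a `text` column) is the correct one for Apache::Session::MySQL and should be what INSTALL 2.3.1.2 refers to; the `CREATE DATABASE sessions (...)` snippet in INSTALL contradicts it and will not run. A one-line comment at the top naming the Apache::Session module it is meant for would also help operators who find the file on its own.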
@ -0,0 +1,48 @@
include __DIR__/handler/lmH-apache.conf
#Listen 127.0.0.2:80
<VirtualHost 127.0.0.2:*>
ServerName auth.example.com

# DocumentRoot
DocumentRoot __DIR__/portal
<Directory __DIR__/portal>
Order allow,deny
Allow from all
Options +ExecCGI
</Directory>

# Portal and Manager must be interpreted by Perl
<Files *.pl>
SetHandler perl-script
PerlHandler Apache::Registry
</Files>

<IfModule mod_dir.c>
DirectoryIndex index.pl index.html
</IfModule>

</VirtualHost>
#Listen 127.0.0.4:80
<VirtualHost 127.0.0.4:*>
ServerName manager.example.com

# DocumentRoot
DocumentRoot __DIR__/manager
<Directory __DIR__/manager>
Order deny,allow
Deny from all
Allow from 127.0.0.0/8
Options +ExecCGI
</Directory>

# Portal and Manager must be interpreted by Perl
<Files *.pl>
SetHandler perl-script
PerlHandler Apache::Registry
</Files>

<IfModule mod_dir.c>
DirectoryIndex index.pl index.html
</IfModule>

</VirtualHost>

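Review bot: the manager VirtualHost is guarded only by `Deny from all` / `Allow from 127.0.0.0/8`. That is adequate for the loopback demo, but INSTALL tells users to `include` this file as-is, so a comment here pointing at INSTALL 2.3.2 (SSL plus authentication, or a Lemonldap::NG handler in front of the manager) would stop someone from exposing the configuration editor the moment they bind the vhost to a routable address. Also, with both `Listen` lines commented out, these vhosts silently depend on a global `Listen` that covers 127.0.0.2 and 127.0.0.4; a comment saying so would save a confusing "nothing answers" on first try.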
@ -0,0 +1,49 @@
include __DIR__/handler/lmH-apache2.conf
PerlOptions +GlobalRequest
#Listen 127.0.0.2:80
<VirtualHost 127.0.0.2:*>
ServerName auth.example.com

# DocumentRoot
DocumentRoot __DIR__/portal
<Directory __DIR__/portal>
Order allow,deny
Allow from all
Options +ExecCGI
</Directory>

# Portal and Manager must be interpreted by Perl
<Files *.pl>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
</Files>

<IfModule mod_dir.c>
DirectoryIndex index.pl index.html
</IfModule>

</VirtualHost>
#Listen 127.0.0.4:80
<VirtualHost 127.0.0.4:*>
ServerName manager.example.com

# DocumentRoot
DocumentRoot __DIR__/manager
<Directory __DIR__/manager>
Order deny,allow
Deny from all
Allow from 127.0.0.0/8
Options +ExecCGI
</Directory>

# Portal and Manager must be interpreted by Perl
<Files *.pl>
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
</Files>

<IfModule mod_dir.c>
DirectoryIndex index.pl index.html
</IfModule>

</VirtualHost>

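Review bot: this file is a line-for-line copy of apache.conf except for the handler include name, the added `PerlOptions +GlobalRequest`, and `PerlResponseHandler ModPerl::Registry` in place of `PerlHandler Apache::Registry`. Since the `example` target already rewrites `__DIR__` in every file with `perl -i`, generating both variants from a single template would keep them from drifting; the risk is an access-control fix to the manager vhost landing in one file and not the other. The same caveat as apache.conf applies: the manager is protected by source address only.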
@ -0,0 +1,48 @@
ldapServer
'localhost'

ldapBase
'dc=example,dc=com'

ldapPort
389

managerDn
''

managerPassword
''

portal
'http://auth.example.com/'

domain
'example.com'

globalStorage
'Apache::Session::File'

globalStorageOptions
'BAcEMTIzNAQEBAgZAAEAAAAXBC90bXACCQAAAERpcmVjdG9yeQ=='

exportedHeaders
'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwQkdWlkAgkAAABBdXRoLVVzZXICEAAAAHRlc3QuZXhhbXBsZS5jb20='

exportedVars
'BAcEMTIzNAQEBAgZAAMAAAAXA3VpZAIDAAAAdWlkFwJjbgICAAAAY24XBG1haWwCBAAAAG1haWw='

authentication
'ldap'

locationRules
'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwZhY2NlcHQCBwAAAGRlZmF1bHQCEAAAAHRlc3QuZXhhbXBsZS5jb20='

cfgNum
1

cookieName
'lemonldap'

securedCookie
0

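Review bot: `globalStorageOptions`, `exportedHeaders`, `exportedVars` and `locationRules` are shipped as opaque base64 blobs (the common `BAcE...` prefix looks like a serialized Perl structure), which makes the example impossible to review by eye and risky to hand-edit, even though INSTALL explicitly invites users to edit this file. Decoding the first one shows `Apache::Session::File` configured with `Directory => /tmp`, so every user's session data is written into a shared, world-accessible directory; a directory under `__DIR__/conf` created with mode 0700, or at least a comment telling the admin to change it, would be a safer default for something people copy into production. `securedCookie 0` and an empty `managerDn`/`managerPassword` are fine for a loopback demo, but INSTALL should say so next to the README 2.1 advice on `securedCookie`. For the record, the other blobs decode to `Auth-User => $uid` for test.example.com, `uid`/`cn`/`mail` as exported variables, and `default => accept` for test.example.com; a human-readable form of those in a comment would make the file self-describing.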
@ -0,0 +1,4 @@
127.0.0.2 auth.example.com
127.0.0.3 test.example.com
127.0.0.4 manager.example.com

@ -0,0 +1,58 @@
|
||||||
|
#!/usr/bin/perl
|
||||||
|
|
||||||
|
use CGI;
|
||||||
|
|
||||||
|
my $cgi=CGI->new;
|
||||||
|
|
||||||
|
print $cgi->header;
|
||||||
|
print $cgi->start_html( 'Page protected by Lemonldap::NG' );
|
||||||
|
my($headers, $env)=({},{});
|
||||||
|
use Data::Dumper;
|
||||||
|
print "<pre>";
|
||||||
|
foreach(keys %ENV) {
|
||||||
|
if($_ =~ /^HTTP_/) {
|
||||||
|
($a=$_) =~ s/^HTTP_//i;
|
||||||
|
#$a =~ s/_/ /g;
|
||||||
|
#$a = ucfirst(lc($a));
|
||||||
|
#$a =~ s/ /-/g;
|
||||||
|
$a = join '-', map {ucfirst(lc)} split '_',$a;
|
||||||
|
$headers->{$a} = $_;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
$env->{$_} = $ENV{$_};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
print "</pre>";
|
||||||
|
print qq#<h1>Authentication succeed</h1>
|
||||||
|
<a href="/logout">logout</a>
|
||||||
|
<p>Authenticated user : $ENV{HTTP_AUTH_USER}</p>
|
||||||
|
<p>To know who is connected in your applications, you can read HTTP headers :</p>
|
||||||
|
<table border=1 style="font-size: small;">\n
|
||||||
|
<tr><th>Header</th><th>Perl CGI</th><th>PHP script</th><th>Value</th></tr>
|
||||||
|
#;
|
||||||
|
foreach(keys %$headers) {
|
||||||
|
$style = $_ eq 'Auth-User' ? 'style="background-color: #FFEEEE;font-weight: bold;"' : '';
|
||||||
|
print "<tr>
|
||||||
|
<td $style>$_</td>
|
||||||
|
<td $style>\$ENV{$headers->{$_}}</td>
|
||||||
|
<td $style>\$_SERVER{$headers->{$_}}</td>
|
||||||
|
<td $style> $ENV{$headers->{$_}}</td>
|
||||||
|
</tr>\n"
|
||||||
|
}
|
||||||
|
print '</table>
|
||||||
|
<p>Note that lemonldap cookie is hidden. So that application developpers can
|
||||||
|
not spoof sessions.</p>
|
||||||
|
<p>You can access to any information (IP address or LDAP attribute) by customizing
|
||||||
|
exported headers with the
|
||||||
|
<a href="http://manager.example.com/">Lemonldap::NG Management interface</a></p>
|
||||||
|
<hr>';
|
||||||
|
|
||||||
|
print qq#<h2>Environment for Perl CGI :</h2>
|
||||||
|
<p>Be carefull, the \$ENV{REMOTE_USER} is set only if your script is in the
|
||||||
|
same server than Lemonldap::NG handler (\$whatToTrace parameter). If you use
|
||||||
|
it on a reverse-proxy, \$ENV{REMOTE_USER} is not set.</p>
|
||||||
|
<table border=0 style="font-size: small;">\n#;
|
||||||
|
print "<tr><td>$_</td><td>=> $ENV{$_}</td></tr>\n" foreach(keys %ENV);
|
||||||
|
print '</table>';
|
||||||
|
print $cgi->end_html;
|
||||||
|
|
|
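Review bot: the values printed into the HTML table and into the environment dump at the end of the script are not HTML-escaped; `$ENV{$headers->{$_}}` in the `<td>` cells and `$ENV{$_}` in the final `foreach(keys %ENV)` loop come straight from request headers, so any header the handler does not overwrite is reflected verbatim into the page, a reflected-XSS pattern that people will copy from an example. Wrap them with `CGI::escapeHTML` (the script already loads CGI). Smaller points in the same hunk: there is no `use strict`, `$a` (a sort special variable) and `$style` are used as undeclared globals, `use Data::Dumper` is loaded but never used, and the `<pre>` opened before the `foreach(keys %ENV)` loop is closed without anything being printed inside it.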
@ -0,0 +1,21 @@
|
||||||
|
CREATE TABLE lmConfig (
|
||||||
|
cfgNum int not null primary key,
|
||||||
|
locationRules text,
|
||||||
|
exportedHeaders text,
|
||||||
|
globalStorage text,
|
||||||
|
globalStorageOptions text,
|
||||||
|
macros text,
|
||||||
|
groups text,
|
||||||
|
portal text,
|
||||||
|
domain text,
|
||||||
|
ldapServer text,
|
||||||
|
ldapPort int,
|
||||||
|
ldapBase text,
|
||||||
|
securedCookie int,
|
||||||
|
cookieName text,
|
||||||
|
authentication text,
|
||||||
|
exportedVars text,
|
||||||
|
managerDn text,
|
||||||
|
managerPassword text,
|
||||||
|
whatToTrace text
|
||||||
|
);
|
|
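Review bot: `managerPassword text` stores the LDAP bind credential in clear in the same table as every other parameter, so any database account that can `SELECT` from `lmConfig` (the manager, every portal and every handler, since the installation doc says all of them read the shared configuration) obtains it. At minimum, document that the DBI account used by handlers needs only read access and that the table must not be readable by application databases sharing the server; longer term, keep the bind password outside the shared configuration row.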
@ -0,0 +1 @@
|
||||||
|
debian/changelog
|
|
@ -0,0 +1,4 @@
|
||||||
|
lemonldap-ng for Debian
|
||||||
|
-----------------------
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 17 Dec 2006 17:46:47 +0100
|
|
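Review bot: README.Debian contains only its title line and a signature; either describe the Debian-specific layout it exists for (the example tree under /usr/share/doc/lemonldap-ng/examples and the ownership change done in postinst) or drop the file, since dh_installdocs ships it as-is.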
@ -0,0 +1,163 @@
|
||||||
|
lemonldap-ng (0.8.1) unstable; urgency=low
|
||||||
|
|
||||||
|
* New features :
|
||||||
|
- Logout system
|
||||||
|
- Configuration check before saving in Manager
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 15 Apr 2007 19:18:29 +0200
|
||||||
|
|
||||||
|
lemonldap-ng (0.8.0.7) unstable; urgency=low
|
||||||
|
|
||||||
|
* Bug fix in manager javascript (Closes: #306776 ?)
|
||||||
|
* Display bug fix in manager
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 15 Apr 2007 13:21:43 +0200
|
||||||
|
|
||||||
|
lemonldap-ng (0.8.0.6) unstable; urgency=low
|
||||||
|
|
||||||
|
* Little bug fix in unprotect function
|
||||||
|
* Bug fix in authentication scheme different than default
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Thu, 12 Apr 2007 07:03:51 +0200
|
||||||
|
|
||||||
|
lemonldap-ng (0.8.0.5) unstable; urgency=low
|
||||||
|
|
||||||
|
* i18n bug: Lemonldap::NG works does not fall in english but creates a bug
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Wed, 28 Mar 2007 21:26:16 +0200
|
||||||
|
|
||||||
|
lemonldap-ng (0.8.0.4) unstable; urgency=low
|
||||||
|
|
||||||
|
* Multi-valued attributes in HTTP headers (Closes: #306792 /
|
||||||
|
forge.objectweb.org)
|
||||||
|
* Warning in Manager/Conf.pm: the same type of storage has to be used for
|
||||||
|
all Lemonldap::NG parts in a same server.
|
||||||
|
* Apache-1.3 configuration reload (Closes: #306761 / forge.objectweb.org)
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Thu, 22 Mar 2007 22:42:23 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.8.0.3) unstable; urgency=low
|
||||||
|
|
||||||
|
* New feature in Manager : "Delete VHost" button (Closes: #306761)
|
||||||
|
* Typo correction in Makefile : (Closes: #306775)
|
||||||
|
* Correction of build-depends : (Closes: #306773)
|
||||||
|
* Bug correction : existingSessions was not called in Portal.pm
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Tue, 13 Mar 2007 07:55:42 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.8.0.2) unstable; urgency=low
|
||||||
|
|
||||||
|
* Bug correction: lock doesn't work with File.pm (Closes: #306760 /
|
||||||
|
forge.objectweb.org)
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 11 Mar 2007 21:08:38 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.8.0.1) unstable; urgency=medium
|
||||||
|
|
||||||
|
* Closes: #306756 / forge.objectweb.org
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Fri, 10 Mar 2007 08:49:01 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.8) unstable; urgency=low
|
||||||
|
|
||||||
|
* Release 0.8:
|
||||||
|
- corrects differents little bugs issued from test in real life.
|
||||||
|
- on line documentation in english
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Fri, 9 Mar 2007 20:29:01 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b12) unstable; urgency=low
|
||||||
|
|
||||||
|
* New features:
|
||||||
|
- session access via SOAP
|
||||||
|
- authentication via CAS
|
||||||
|
- 'apply changes' button in Manager used to reload configuration in
|
||||||
|
handlers (by calling reload sub via HTTP) (Closes: #306565 /
|
||||||
|
forge.objectweb.org)
|
||||||
|
- i18n module in portal (for displaying errors)
|
||||||
|
- lock in DBI configuration system (NOT YET TESTED)
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 4 Mar 2007 15:50:38 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b11) unstable; urgency=low
|
||||||
|
|
||||||
|
* New features:
|
||||||
|
- Cross Domain Authentication
|
||||||
|
- SOAP configuration access
|
||||||
|
- READMEs and documentation update
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Tue, 27 Feb 2007 15:01:09 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b10) unstable; urgency=low
|
||||||
|
|
||||||
|
* Corrections in Manager issued from the first test in real life:
|
||||||
|
- Close #306573 / forge.objectweb.org
|
||||||
|
- Close #306574 / forge.objectweb.org
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Wed, 17 Jan 2007 20:57:33 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b9) unstable; urgency=low
|
||||||
|
|
||||||
|
* Internationalization of javascripts (close #306564 / forge.objectweb.org)
|
||||||
|
* Help in "General Parameters"
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 14 Jan 2007 21:50:39 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b8) unstable; urgency=low
|
||||||
|
|
||||||
|
* Correction of the use of Safe in portal: &share doesn't work with a
|
||||||
|
variable declared with my.
|
||||||
|
* New system in the configuration: 'macro' section can be used to add
|
||||||
|
custom exported variables. So configuration is more simple in heavy case.
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sat, 13 Jan 2007 20:19:19 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b7) unstable; urgency=low
|
||||||
|
|
||||||
|
* Correction of a bug in internal redirections: now internal
|
||||||
|
redirections are not examined: for example,http://test.example.com/ is
|
||||||
|
internaly redirected to /index.pl, but only the first request (/) is
|
||||||
|
tested.
|
||||||
|
* Help in french
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Fri, 5 Jan 2007 18:22:32 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b6) unstable; urgency=low
|
||||||
|
|
||||||
|
* Help system skeleton
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Thu, 4 Jan 2007 09:04:05 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b5) unstable; urgency=low
|
||||||
|
|
||||||
|
* Localization in Manager interface (only fr and en)
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 31 Dec 2006 16:39:06 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b4) unstable; urgency=low
|
||||||
|
|
||||||
|
* Safe jail runs now
|
||||||
|
* example runs now
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 31 Dec 2006 14:00:08 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b3) unstable; urgency=low
|
||||||
|
|
||||||
|
* Replacement of eval by Safe for external expressions
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sat, 30 Dec 2006 22:23:22 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.7b) unstable; urgency=low
|
||||||
|
|
||||||
|
* Corrections in example
|
||||||
|
* Example installation in debian
|
||||||
|
* Revision in documentation
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 17 Dec 2006 18:37:39 +0100
|
||||||
|
|
||||||
|
lemonldap-ng (0.6) unstable; urgency=low
|
||||||
|
|
||||||
|
* Initial release built starting from the three modules of the CPAN.
|
||||||
|
|
||||||
|
-- Xavier Guimard <x.guimard@free.fr> Sun, 17 Dec 2006 17:46:47 +0100
|
||||||
|
|
|
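Review bot: the `Closes: #306776`, `Closes: #306792`, `Closes: #306761` and similar references in this changelog point at forge.objectweb.org tickets, but in a Debian changelog `Closes: #NNNNNN` is parsed by dpkg-genchanges and acted on by the Debian BTS, so an upload of this package would try to close unrelated Debian bugs with those numbers. Use a wording the parser does not match (for example "Fixes OW2 #306776") and keep `Closes:` for Debian bugs only. The 0.8.0.7 entry also carries a trailing `?` after its reference, which suggests it was never verified.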
@ -0,0 +1 @@
|
||||||
|
4
|
|
@ -0,0 +1,17 @@
|
||||||
|
Source: lemonldap-ng
|
||||||
|
Section: perl
|
||||||
|
Priority: extra
|
||||||
|
Maintainer: Xavier Guimard <x.guimard@free.fr>
|
||||||
|
Build-Depends: debhelper (>= 4), libapache-session-perl, libnet-ldap-perl, libdbi-perl, libwww-perl, libcache-cache-perl, libxml-simple-perl
|
||||||
|
Standards-Version: 3.7.2
|
||||||
|
|
||||||
|
Package: lemonldap-ng
|
||||||
|
Architecture: all
|
||||||
|
Depends: libapache-session-perl, libnet-ldap-perl, libdbi-perl, libwww-perl, libcache-cache-perl, libxml-simple-perl
|
||||||
|
Provides: liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl, liblemonldap-ng-manager-perl
|
||||||
|
Conflicts: liblemonldap-ng-manager-perl, liblemonldap-ng-portal-perl, liblemonldap-ng-manager-perl
|
||||||
|
Recommends: libsoap-lite-perl, liblasso-perl
|
||||||
|
Description: Lemonldap::NG Web-SSO system
|
||||||
|
Lemonldap::NG is a complete Web-SSO system that can run with reverse-proxies
|
||||||
|
or directly on application apache servers.
|
||||||
|
|
|
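Review bot: `Provides:` and `Conflicts:` list `liblemonldap-ng-manager-perl` twice and never mention `liblemonldap-ng-handler-perl`, although the changelog in this commit says the package was built from the three CPAN modules (Manager, Portal, Handler); the second `manager` entry is almost certainly meant to be `handler`. Also, `Depends:` is a copy of `Build-Depends:` with no `${perl:Depends}` or `${misc:Depends}`, so the Perl dependency (`dh_perl` is commented out in debian/rules) and debhelper-added dependencies are never recorded.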
@ -0,0 +1,16 @@
|
||||||
|
This package was debianized by Xavier Guimard <x.guimard@free.fr> on
|
||||||
|
Sun, 17 Dec 2006 17:46:47 +0100.
|
||||||
|
|
||||||
|
Copyright:
|
||||||
|
|
||||||
|
Copyright 2004, 2005, 2006 by Xavier Guimard
|
||||||
|
|
||||||
|
Licence:
|
||||||
|
|
||||||
|
Perl is distributed under your choice of the GNU General Public License
|
||||||
|
or the Artistic License. On Debian GNU/Linux systems, the copyright terms
|
||||||
|
for Perl itself are located in `/usr/share/doc/perl/copyright'. On Debian
|
||||||
|
GNU/Linux systems, the complete text of the GNU General Public License can
|
||||||
|
be found in `/usr/share/common-licenses/GPL' and the Artistic Licence in
|
||||||
|
`/usr/share/common-licenses/Artistic'.
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
usr/share
|
|
@ -0,0 +1,3 @@
|
||||||
|
doc/*
|
||||||
|
README
|
||||||
|
INSTALL
|
|
@ -0,0 +1,7 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# Maintainer: #DEBHELPER#
|
||||||
|
|
||||||
|
if [ "$1" = "configure" ]
|
||||||
|
then
|
||||||
|
chown -R www-data /usr/share/doc/lemonldap-ng/examples/conf
|
||||||
|
fi
|
|
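Review bot: `chown -R www-data /usr/share/doc/lemonldap-ng/examples/conf` hands the web server user ownership of the example configuration tree, so a compromise of any CGI running as www-data can rewrite the SSO configuration (the installation doc points users at `lmConfig-1` in that directory as the live configuration of the example). Keep the configuration read-only for www-data, or place a writable copy under /var, and start the script with `set -e` so a failing chown aborts the configure step instead of being ignored. The `#DEBHELPER#` token also sits after `# Maintainer:` on a comment line; the token is substituted in place, so the first line debhelper inserts would land on a commented line. Put the token alone on its own line.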
@ -0,0 +1,93 @@
|
||||||
|
#!/usr/bin/make -f
|
||||||
|
# -*- makefile -*-
|
||||||
|
# Sample debian/rules that uses debhelper.
|
||||||
|
# This file was originally written by Joey Hess and Craig Small.
|
||||||
|
# As a special exception, when this file is copied by dh-make into a
|
||||||
|
# dh-make output file, you may use that output file without restriction.
|
||||||
|
# This special exception was added by Craig Small in version 0.37 of dh-make.
|
||||||
|
|
||||||
|
# Uncomment this to turn on verbose mode.
|
||||||
|
#export DH_VERBOSE=1
|
||||||
|
|
||||||
|
export PERL_MM_USE_DEFAULT=1
|
||||||
|
|
||||||
|
|
||||||
|
configure: configure-stamp
|
||||||
|
configure-stamp:
|
||||||
|
dh_testdir
|
||||||
|
# Add here commands to configure the package.
|
||||||
|
|
||||||
|
touch configure-stamp
|
||||||
|
|
||||||
|
|
||||||
|
build: build-stamp
|
||||||
|
|
||||||
|
build-stamp: configure-stamp
|
||||||
|
dh_testdir
|
||||||
|
|
||||||
|
# Add here commands to compile the package.
|
||||||
|
$(MAKE) INSTALLDIRS=vendor
|
||||||
|
#docbook-to-man debian/lemonldap-ng.sgml > lemonldap-ng.1
|
||||||
|
|
||||||
|
touch $@
|
||||||
|
|
||||||
|
clean:
|
||||||
|
dh_testdir
|
||||||
|
dh_testroot
|
||||||
|
rm -f build-stamp configure-stamp
|
||||||
|
|
||||||
|
# Add here commands to clean up after the build process.
|
||||||
|
-$(MAKE) clean
|
||||||
|
|
||||||
|
dh_clean
|
||||||
|
|
||||||
|
install: build
|
||||||
|
dh_testdir
|
||||||
|
dh_testroot
|
||||||
|
dh_clean -k
|
||||||
|
dh_installdirs
|
||||||
|
|
||||||
|
# Add here commands to install the package into debian/lemonldap-ng.
|
||||||
|
$(MAKE) test
|
||||||
|
$(MAKE) install DESTDIR=$(CURDIR)/debian/lemonldap-ng PREFIX=/usr
|
||||||
|
$(MAKE) example EXAMPLEDIR=/usr/share/doc/lemonldap-ng/examples/
|
||||||
|
|
||||||
|
|
||||||
|
# Build architecture-independent files here.
|
||||||
|
binary-indep: build install
|
||||||
|
# We have nothing to do by default.
|
||||||
|
|
||||||
|
# Build architecture-dependent files here.
|
||||||
|
binary-arch: build install
|
||||||
|
dh_testdir
|
||||||
|
dh_testroot
|
||||||
|
dh_installchangelogs
|
||||||
|
dh_installdocs
|
||||||
|
dh_installexamples example/*
|
||||||
|
# dh_install
|
||||||
|
# dh_installmenu
|
||||||
|
# dh_installdebconf
|
||||||
|
# dh_installlogrotate
|
||||||
|
# dh_installemacsen
|
||||||
|
# dh_installpam
|
||||||
|
# dh_installmime
|
||||||
|
# dh_python
|
||||||
|
# dh_installinit
|
||||||
|
# dh_installcron
|
||||||
|
# dh_installinfo
|
||||||
|
dh_installman
|
||||||
|
dh_link
|
||||||
|
dh_strip
|
||||||
|
dh_compress
|
||||||
|
gunzip $(CURDIR)/debian/lemonldap-ng/usr/share/doc/lemonldap-ng/examples/manager/lemonldap-ng-manager.js.gz
|
||||||
|
dh_fixperms
|
||||||
|
# dh_perl
|
||||||
|
# dh_makeshlibs
|
||||||
|
dh_installdeb
|
||||||
|
dh_shlibdeps
|
||||||
|
dh_gencontrol
|
||||||
|
dh_md5sums
|
||||||
|
dh_builddeb
|
||||||
|
|
||||||
|
binary: binary-indep binary-arch
|
||||||
|
.PHONY: build clean binary-indep binary-arch binary install configure
|
|
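Review bot: the package is `Architecture: all` (debian/control in this commit), yet all the packaging work from `dh_installchangelogs` through `dh_builddeb` is in `binary-arch` while `binary-indep` does nothing, so a `binary-indep` build produces no .deb; move those steps to `binary-indep`. Two more points: `$(MAKE) test` runs under `install:` rather than `build:`, so the tests do not gate the build, and the `gunzip` of `lemonldap-ng-manager.js.gz` after `dh_compress` works around compression of a file the manager serves; excluding it with `dh_compress -X.js` is the supported way.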
@ -0,0 +1,377 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Lemonldap::NG</title>
|
||||||
|
<meta name="ROBOTS" content="INDEX,FOLLOW">
|
||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||||
|
<meta name="DESCRIPTION" content="Lemonldap::NG installation">
|
||||||
|
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG, INSTALLATION">
|
||||||
|
<style>
|
||||||
|
</style>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
|
||||||
|
<h1 style="text-align: center;">Lemonldap::NG Installation</h1>
|
||||||
|
<p>Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||||
|
simplifies the build of a protected area with a few changes in the application.
|
||||||
|
It manages both authentication and authorization and provides headers for
|
||||||
|
accounting. So you can have a full AAA protection.</p>
|
||||||
|
|
||||||
|
<p>See <a href=overview.html>README file</a> to known how it works.</p>
|
||||||
|
|
||||||
|
<ol type="I">
|
||||||
|
<li><a href="#example">Example installation</a>
|
||||||
|
<ol type="1">
|
||||||
|
<li><a href="#prereq1">Prereq</a></li>
|
||||||
|
<li><a href="#ebuilding">Building</a></li>
|
||||||
|
<li><a href="#econf">Example configuration</a></li>
|
||||||
|
</ol>
|
||||||
|
</li>
|
||||||
|
<li><a href="#advanced">Advanced installation</a>
|
||||||
|
<ol type="1">
|
||||||
|
<li><a href="#prereq2">Prereq</a></li>
|
||||||
|
<li><a href="#softInst">Software installation</a></li>
|
||||||
|
<li><a href="#lmInst">Lemonldap::NG installation</a></li>
|
||||||
|
</ol>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
|
|
||||||
|
|
||||||
|
<ol type="I">
|
||||||
|
|
||||||
|
<h2><li><a name="example">Example installation</a></li></h2>
|
||||||
|
|
||||||
|
<p>The proposed example use a protected site named test.example.com. Non
|
||||||
|
authenticated users are redirected to auth.example.com.</p>
|
||||||
|
|
||||||
|
<ol type="1">
|
||||||
|
|
||||||
|
<h3><li><a name="prereq1">Prereq</a></li></h3>
|
||||||
|
|
||||||
|
<ol type="a">
|
||||||
|
<h4><li>Software</li></h4>
|
||||||
|
|
||||||
|
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||||
|
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||||
|
Apache proposed with your Linux distribution match, but some distributions used
|
||||||
|
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||||
|
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||||
|
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||||
|
package for Debian works fine).</p>
|
||||||
|
|
||||||
|
<h4><li>Perl prereq</li></h4>
|
||||||
|
|
||||||
|
<dl>
|
||||||
|
<dt><b>Perl modules :</b></dt>
|
||||||
|
<dd>
|
||||||
|
<p>Apache::Session, Net::LDAP, MIME::Base64, CGI, LWP::UserAgent, Cache::Cache,
|
||||||
|
DBI, XML::Simple, SOAP::Lite (only if you want to use SOAP with the manager)</p>
|
||||||
|
</dd>
|
||||||
|
|
||||||
|
<dt><b>With Debian :</b></dt>
|
||||||
|
<dd>
|
||||||
|
<pre>
|
||||||
|
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
|
||||||
|
libdbi-perl perl-modules libwww-perl libcache-cache-perl \
|
||||||
|
libxml-simple-perl
|
||||||
|
</pre>
|
||||||
|
<p>If you want to use SOAP with the manager :</p>
|
||||||
|
<pre>
|
||||||
|
apt-get install libsoap-lite-perl
|
||||||
|
</pre>
|
||||||
|
</dd>
|
||||||
|
</dl>
|
||||||
|
</ol>
|
||||||
|
|
||||||
|
<h3><li><a name="ebuilding">Building</a></li></h3>
|
||||||
|
|
||||||
|
<ol type="a">
|
||||||
|
|
||||||
|
<h4><li>Complete installation</li></h4>
|
||||||
|
<pre>
|
||||||
|
$ tar xzf lemonldap-ng-*.tar.gz
|
||||||
|
$ cd lemonldap-ng-*
|
||||||
|
$ make && make test
|
||||||
|
$ sudo make install
|
||||||
|
$ make example
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
<h4><li>Installation on Debian</li></h4>
|
||||||
|
<pre>
|
||||||
|
$ tar xzf lemonldap-ng-*.tar.gz
|
||||||
|
$ cd lemonldap-ng-*
|
||||||
|
$ debuild # or fakeroot dpkg-buildpackage
|
||||||
|
$ sudo dpkg -i ../lemonldap-ng*.deb
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
</ol>
|
||||||
|
|
||||||
|
<h3><li><a name="econf">Example configuration</a></li></h3>
|
||||||
|
|
||||||
|
<p>After build, you have new files in the example/ directory
|
||||||
|
(<code>/usr/share/doc/lemonldap-ng/example</code> with Debian). You just have
|
||||||
|
to include this file in Apache configuration :</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>in httpd.conf (with Apache-1.3.x)
|
||||||
|
<pre>
|
||||||
|
include /path/to/lemonldap-ng/source/example/apache.conf
|
||||||
|
</pre>
|
||||||
|
</li>
|
||||||
|
|
||||||
|
<li>or with Apache2
|
||||||
|
<pre>
|
||||||
|
include /path/to/lemonldap-ng/source/example/apache2.conf
|
||||||
|
</pre>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<p>Modify your /etc/hosts file to include :</p>
|
||||||
|
|
||||||
|
<pre>
|
||||||
|
127.0.0.2 auth.example.com
|
||||||
|
127.0.0.3 test.example.com
|
||||||
|
127.0.0.4 manager.example.com
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
<p>and restart Apache.</p>
|
||||||
|
|
||||||
|
<p>Before the example works, you have to set your LDAP settings. There are two
|
||||||
|
ways to do it :
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li>Connect to <a href="http://manager.example.com/">http://manager.example.com/</a>
|
||||||
|
and edit the corresponding parameters in "general parameters"</li>
|
||||||
|
|
||||||
|
<li>Edit <code>/path/to/lemonldap-ng/source/example/conf/lmConfig-1</code> and
|
||||||
|
specify your LDAP settings.</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<p>If you don't set managerDn and managerPassword, Lemonldap::NG will
|
||||||
|
use an anonymous bind to find user dn.</p>
|
||||||
|
|
||||||
|
<p>WARNINGS :</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li> only few parameters can be set by hand in the configuration file. You have
|
||||||
|
to use the manager to change configuration, but since the example is yet
|
||||||
|
configured, you can edit directly the file</li>
|
||||||
|
<li> each new configuration is saved by the manager in a new file (or a new
|
||||||
|
record with DBI) so you can recover an old configuration by removing</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<p>Next, try to connect to <a href="http://test.example.com/">http://test.example.com/</a>.
|
||||||
|
You'll be redirect to auth.example.com. Try to authenticate yourself with a
|
||||||
|
valid account and the protected page will appear. You will find other
|
||||||
|
explanations on this page.</p>
|
||||||
|
|
||||||
|
</ol>
|
||||||
|
|
||||||
|
<h2><li><a name="advanced">Advanced installation</a></li></h2>
|
||||||
|
|
||||||
|
<ol type="1">
|
||||||
|
|
||||||
|
<h3><li><a name="prereq2">Prereq</a></li></h3>
|
||||||
|
|
||||||
|
<ol type="a">
|
||||||
|
|
||||||
|
<h4><li>Apache</li></h4>
|
||||||
|
|
||||||
|
<p>To use Lemonldap::NG, you have to run a LDAP server and of course an Apache
|
||||||
|
server compiled with mod-perl (version 1.3 or 2.x). Generaly, the version of
|
||||||
|
Apache proposed with your Linux distribution match, but some distributions used
|
||||||
|
an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does
|
||||||
|
not work with Lemonldap::NG. With such distributions (like Debian-3.1), you
|
||||||
|
have to use Apache-1.3 or to use a mod_perl backport (www.backports.org
|
||||||
|
package for Debian works fine).</p>
|
||||||
|
|
||||||
|
<p>For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works
|
||||||
|
faster and Lemonldap::NG use the thread system for best performance. If you
|
||||||
|
have to use mpm-prefork (for example if you use PHP), Lemonldap::NG will work
|
||||||
|
anyway.</p>
|
||||||
|
|
||||||
|
<p>You can use Lemonldap::NG in an heterogene world : the authentication portal and
|
||||||
|
the manager can work in any version of Apache 1.3 or more even if mod_perl is
|
||||||
|
not compiled, with ModPerl::Registry or not... Only the handler (site protector)
|
||||||
|
need mod_perl. The different handlers can run on different servers with
|
||||||
|
different versions of Apache/mod_perl.</p>
|
||||||
|
|
||||||
|
<h4><li>Perl Prereq</li></h4>
|
||||||
|
|
||||||
|
<p>Warning : Handler and Portal parts both need Lemonldap::NG::Manager components
|
||||||
|
to access to configuration.</p>
|
||||||
|
|
||||||
|
<dl>
|
||||||
|
<dt>Manager :</dt>
|
||||||
|
<dd><p>CGI, XML::Simple, DBI, LWP::UserAgent (and SOAP::Lite if you want to use SOAP)</p>
|
||||||
|
|
||||||
|
<p>With Debian :</p>
|
||||||
|
<pre>
|
||||||
|
# apt-get install perl-modules libxml-simple-perl libdbi-perl libwww-perl
|
||||||
|
</pre>
|
||||||
|
<p>And if you want to use SOAP :</p>
|
||||||
|
<pre>
|
||||||
|
# apt-get install libsoap-lite-perl
|
||||||
|
</pre>
|
||||||
|
</dd>
|
||||||
|
|
||||||
|
<dt>Portal :</dt>
|
||||||
|
<dd><p>Apache::Session, Net::LDAP, CGI, Lemonldap::NG::Manager</p>
|
||||||
|
|
||||||
|
<p>With Debian :</p>
|
||||||
|
<pre>
|
||||||
|
# apt-get install libapache-session-perl libnet-ldap-perl perl-modules
|
||||||
|
</pre>
|
||||||
|
</dd>
|
||||||
|
|
||||||
|
<dt>Handler :</dt>
|
||||||
|
<dd><p>Apache::Session, LWP::UserAgent, Cache::Cache, Lemonldap::NG::Manager</p>
|
||||||
|
|
||||||
|
<p>With Debian :</p>
|
||||||
|
<pre>
|
||||||
|
# apt-get install libapache-session-perl libwww-perl libcache-cache-perl
|
||||||
|
</pre>
|
||||||
|
</dd>
|
||||||
|
</dl>
|
||||||
|
</ol>
|
||||||
|
|
||||||
|
<h3><li><a name="softInst">Software installation</a></li></h3>
|
||||||
|
|
||||||
|
<p>If you just want to install a handler or a portal or a manager :</p>
|
||||||
|
|
||||||
|
<pre>
|
||||||
|
$ tar xzf lemonldap-ng-*.tar.gz
|
||||||
|
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
|
||||||
|
$ perl Makefile.PL && make && make test
|
||||||
|
$ sudo make install
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
<p>else for a complete install :</p>
|
||||||
|
<pre>
|
||||||
|
$ tar xzf lemonldap-ng-*.tar.gz
|
||||||
|
$ cd lemonldap-ng-*
|
||||||
|
$ make && make test
|
||||||
|
$ sudo make install
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
<p>See prereq in Exeample installation</p>
|
||||||
|
|
||||||
|
<h3><li><a name="lmInst">Lemonldap::NG installation</a></li></h3>
|
||||||
|
|
||||||
|
<ol type="a">
|
||||||
|
|
||||||
|
<h4><li>Databases configuration</li></h4>
|
||||||
|
|
||||||
|
<h5>Lemonldap::NG Configuration database</h5>
|
||||||
|
|
||||||
|
<p>If you use DBI or another system to share Lemonldap::NG configuration, you have
|
||||||
|
to initialize the database. An example is given in example/lmConfig.mysql for
|
||||||
|
MySQL.</p>
|
||||||
|
<!-- TODO: File -->
|
||||||
|
|
||||||
|
<h5>Apache::Session database</h5>
|
||||||
|
|
||||||
|
<p>The choice of Apache::Session::* module is free. See Apache::Session::Store::*
|
||||||
|
or Apache::Session::* to know how to configure the module. For example, if you
|
||||||
|
want to use Apache::Session::MySQL, you can create the database like this :</p>
|
||||||
|
|
||||||
|
<pre>
|
||||||
|
CREATE DATABASE sessions (
|
||||||
|
id char(32),
|
||||||
|
a_session text
|
||||||
|
);
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
<h4><li>Manager configuration</li></h4>
|
||||||
|
|
||||||
|
<p>Copy example/manager.cgi and personalize it if you want (see
|
||||||
|
Lemonldap::NG::Manager). You have to set in particular configStorage. For
|
||||||
|
example with MySQL :</p>
|
||||||
|
|
||||||
|
<pre>
|
||||||
|
$my $manager = Lemonldap::NG::Manager->new ( {
|
||||||
|
dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4",
|
||||||
|
dbiUser => "lemonldap-ng",
|
||||||
|
dbiPassword => "mypass",
|
||||||
|
} );
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
<p>You can securise Manager access with Lemonldap::NG like any other site (after
|
||||||
|
configuring it) or with Apache. Example :</p>
|
||||||
|
|
||||||
|
<pre>
|
||||||
|
SSLEngine On
|
||||||
|
Order Deny, Allow
|
||||||
|
Deny from all
|
||||||
|
Allow from admin-network/netmask
|
||||||
|
AuthType Basic
|
||||||
|
...
|
||||||
|
</pre>
|
||||||
|
|
||||||
|
<h4><li>Configuration edition</li></h4>
|
||||||
|
|
||||||
|
<p>Connect to the manager with your browser start configure your Web-SSO. You have
|
||||||
|
to set at least some parameters :</p>
|
||||||
|
|
||||||
|
<h5>General parameters</h5>
|
||||||
|
|
||||||
|
<p>Main parameters :</p>
|
||||||
|
<ul>
|
||||||
|
<li> <b>Authentication parameters -> portal</b> : URL to access to the authentication portal</li>
|
||||||
|
<li> <b>Domain</b> : the cookie domain. Unless some protected VirtualHosts
|
||||||
|
are not under it, you have to use Lemonldap::NG::Portal::CDA and
|
||||||
|
Lemonldap::NG::Handler::CDA </li>
|
||||||
|
<li> <b>LDAP parameters -> LDAP Server</b></li>
|
||||||
|
<li> <b>LDAP parameters -> LDAP Accout and password</b> : required only if anonymous binds are not accepted</li>
|
||||||
|
<li> <b>Session Storage -> Apache::Session module</b> : how to store user sessions. You can use all module that inherit
|
||||||
|
from Apache::Session like Apache::Session::MySQL</li>
|
||||||
|
<li> <b>Session Storage -> Apache::Session Module parameters</b> : see Apache::Session::<Choosen module></li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<h5>User groups</h5>
|
||||||
|
|
||||||
|
<p>Use the "New Group" button to add your first group. On the left, set the
|
||||||
|
keyword which will be used later and set on the right the corresponding rule.
|
||||||
|
you can use :</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li> an LDAP filter (it will be tested with the user uid)</li>
|
||||||
|
<li> or a Perl condition enclosed with <b>{}</b>. All variables declared in
|
||||||
|
"General parameters -> LDAP attributes" or "macros"
|
||||||
|
can be used with a "<b>$</b>". For example :
|
||||||
|
<pre>
|
||||||
|
MyGroup => { $uid eq "foo" or $uid eq "bar" }
|
||||||
|
</pre>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<h5>Virtual hosts</h5>
|
||||||
|
|
||||||
|
<p>You have to create a virtual host for each Apache host (virtual or real)
|
||||||
|
protected by Lemonldap::NG even if just a sub-directory is protected. Else,
|
||||||
|
user who want to access to the protected area will be rejected with a "500
|
||||||
|
Internal Server Error" message and the apache logs will explain the problem.</p>
|
||||||
|
|
||||||
|
<p>Each virtual host has 2 groups of parameters :</p>
|
||||||
|
|
||||||
|
<ul>
|
||||||
|
<li> Headers : the headers added to the apache request. Default :
|
||||||
|
<pre>
|
||||||
|
Auth-User => $uid
|
||||||
|
</pre>
|
||||||
|
</li>
|
||||||
|
<li> Rules : subdivised in 2 categories :
|
||||||
|
<ul>
|
||||||
|
<li><b>default</b> : the default rule</li>
|
||||||
|
<li>personalized rules : association of a Perl regular expression and a
|
||||||
|
condition. For example :
|
||||||
|
<pre>
|
||||||
|
^/restricted.*$ / $groups =~ /\bMyGroup\b/
|
||||||
|
</pre>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</ol>
|
||||||
|
</ol>
|
||||||
|
</ol>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
|
|
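Review bot: the session-table example under "Apache::Session database" reads `CREATE DATABASE sessions ( id char(32), a_session text );`, which is not valid SQL; it should be `CREATE TABLE sessions (...)` (the lmConfig.mysql file in this commit uses the correct form). Other errors in the same hunk: `$my $manager = ...` should be `my $manager = ...`; `Order Deny, Allow` should be `Order Deny,Allow`, since Apache rejects whitespace after the comma; and the second WARNINGS bullet ends mid-sentence at "you can recover an old configuration by removing". The `<h2><li>...</li></h2>` nesting used throughout is also invalid HTML, as headings cannot wrap list items.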
@ -0,0 +1,247 @@
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>Lemonldap::NG</title>
|
||||||
|
<meta name="ROBOTS" content="INDEX,FOLLOW">
|
||||||
|
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||||||
|
<meta name="DESCRIPTION" content="Lemonldap::NG overview">
|
||||||
|
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG">
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
|
||||||
|
<h1 style="text-align: center;">Lemonldap::NG</h1>
|
||||||
|
|
||||||
|
<p> Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
|
||||||
|
simplifies the build of a protected area with a few changes in the application.
|
||||||
|
It manages both authentication and authorization and provides headers for
|
||||||
|
accounting. So you can have a full AAA protection for your web space as
|
||||||
|
described below.</p>
|
||||||
|
|
<ol type="1">
<li><a href="#aaa">Authentication, Authorization and Accounting mechanisms</a></li>
<li><a href="#inst">Installation</a></li>
<li><a href="#storage">Session storage system</a></li>
<li><a href="#logout">Logout system</a></li>
<li><a href="#author">Author</a></li>
<li><a href="#copyright">Copyright and licence</a></li>
</ol>

<ol type="I">
<h2><li><a name="aaa">Authentication, Authorization and Accounting mechanisms</a></li></h2>

<ol type="1">
<h3><li>Authentication</li></h3>

<p>If a user isn't authenticated and attemps to connect to an area protected by a
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
authenticates user with a ldap bind by default, but you can also use another
authentication sheme like using x509 user certificates (see
Lemonldap::NG::Portal::AuthSSL(3) for more).</p>

<p>Lemonldap use session cookies generated by Apache::Session so as secure as a
128-bit random cookie. You may use the securedCookie options to avoid session
hijacking.</p>

<p>You have to manage life of sessions by yourself since Lemonldap::NG knows
nothing about the L<Apache::Session> module you've choosed, but it's very easy
using a simple cron script because Lemonldap::NG::Portal stores the start
time in the _utime field.<br>
By default, a session stay 10 minutes in the local storage, so in the worth
case, a user is authorized 10 minutes after he lost his rights.</p>

<h3><li>Authorization</li></h3>

<p>Authorization is controled only by handlers because the portal knows nothing
about the way the user will choose. When configuring your Web-SSO, you have to:</p>

<ul type="disc">
<li> choose the ldap attributes you want to use to manage accounting and
authorization.</li>
<li> create Perl expressions to define user groups (using ldap attributes)</li>
<li> create an array foreach virtual host associating URI regular expressions and
Perl expressions to use to grant access.</li>
</ul>

<p>Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored) :</p>

<ul>
<li> Exported variables :
<pre>
# Custom-Name => LDAP attribute
cn => cn
departmentUID => departmentUID
login => uid
</pre></li>

<li> User groups :
<pre>
# Custom-Name => group definition
group1 => { $departmentUID eq "unit1" or $login = "user1" }
</pre></li>

<li> Area protection:
<pre>
# Each VirtualHost has its own configuration
# associating URL regexp to Perl expression
* www1.domain.com :
^/protected/.*$ => $groups =~ /\bgroup1\b/
default => accept
},
* www2.domain.com :
^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
^/(js|css) => accept
default => deny
</pre></li>
</ul>

<ol type="a">
<h4><li>Performance</li></h4>

<p>You can use Perl expressions as complicated as you want and you can use all
the exported LDAP attributes (and create your own attributes: with 'macros'
mechanism) in groups evaluations, area protections or custom HTTP headers
(you just have to call them with a "$").</p>

<p>You have to be careful when choosing your expressions:</p>

<ul>
<li> groups and macros are evaluated each time a user is redirected to the portal,</li>
<li> virtual host rules and exported headers are evaluated for each request on a
protected area.</li>
</ul>

<p>It is also recommanded to use the groups mechanism to avoid having to evaluate
a long expression at each HTTP request :</p>

<pre>
# Virtual hosts :
...
www1.domain.com :
^/protected/.*$ => $groups =~ /\bgroup1\b/
</pre>

<p>You can also use LDAP filters, or Perl expression or mixed expressions in
groups definitions. Perl expressions has to be enclosed with {} :</p>

<pre>
* group1 => (|(uid=xavier.guimard)(ou=unit1))
* group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
* group1 => (|(uid=xavier.guimard){$ou eq "unit1"})
</pre>

<p>It is also recommanded to use Perl expressions to avoid requiering the LDAP
server more than 2 times per authentication.</p>

</ol>
<h3><li>Accounting</li></h3>

<ol type="a">
<h4><li>Logging portal access</li></h4>

<p>Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
overload log method for normal portal access.</p>

<h4><li>Logging application access</li></h4>

<p>Because a Web-SSO knows nothing about the protected application, it can't do
more than logging URL. As Apache does this fine, Lemonldap::NG::Handler(3)
gives it the name to used in logs. The whatToTrace parameter indicates
which variable Apache has to use ($uid by default).</p>

<p>The real accounting has to be done by the application itself which knows the
result of SQL transaction for example.</p>

<p>Lemonldap::NG can export HTTP headers either using a proxy or protecting
directly the application. By default, the Auth-User field is used but you can
change it using the exportedHeaders parameters (in the Manager, each virtual
host as custom headers branch). This parameters contains an associative array
per virtual host :</p>

<ul>
<li> keys are the names of the choosen headers,</li>
<li> values are Perl expressions where you can use user datas stored in the
global storage.</li>
</ul>

<p>Example:</p>

<pre>
* www1.domain.com :
Auth-User => $uid
Unit => $ou
* www2.domain.com :
Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
Remote-IP => $ip
</pre>
</ol>
</ol>

<h2><li><a name="inst">Installation</a></li></h2>

<p><b>Warnings :</b></p>
<ul>
<li><p> Lemonldap::NG is a different project than Lemonldap and contains all you need
to use and administer it. So softwares, like Lemonldap webmin module, may not
work with Lemonldap::NG.</p></li>

<li><p>The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
act as CGI, so they can work everywhere.</p></li>
<li><p>Lemonldap::NG configuration has to be edited using the manager unless
you know exactly what you are doing. The parameters discussed below are all in
the configuration tree.</p></li>
</ul>

<p>See <a href="install.html">INSTALL file</a> for a complete installation documentation.</p>

<h2><li><a name="storage">Session storage system</a></li></h2>

<p>Lemonldap::NG use 3 levels of cache for authenticated users :</p>

<ul>
<li> an Apache::Session::* module used by lemonldap::NG::Portal to store
authenticated user parameters,</li>
<li> a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
users between Apache's threads or processus and of course between virtual
hosts on the same machine,</li>
<li> Lemonldap::NG::Handler variables : if the same user use the same thread or
processus a second time, no request are needed to grant or refuse access.
This is very efficient with HTTP/1.1 Keep-Alive system.</li>
</ul>

<p>So the number of request to the central storage is limited to 1 per active
user each 10 minutes.</p>

<p>Lemonldap::NG is very fast, but you can increase performance using a
Cache::Cache module that does not use disk access.</p>

<h2><li><a name="logout">Logout system</a></li></h2>

<p>Lemonldap::NG provides a single logout system : you can use it by
adding a link to the portal with "logout=1" parameter in the portal (See
Lemonldap::NG::Portal(3)) and/or by configuring handler to intercept some URL
(See Lemonldap::NG::Handler(3)). The logout system:

<ul>
<li> delete session in the global session storage,</li>
<li> replace Lemonldap::NG cookie by '',</li>
<li> delete handler caches only if logout action was started from a
protected application and only in the current Apache server. So in other
servers, session is still in cache for 10 minutes maximum if the user was
connected on it in the last 10 minutes.</li>
</ul>

<h2><li><a name="author">Author</a></li></h2>

<p>Xavier Guimard, <x.guimard@free.fr>

<h2><li><a name="copyright">Copyright and licence</a></li></h2>

<p>Copyright © 2005-2007 by Xavier Guimard <x.guimard@free.fr></p>

<p>This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.4 or,
at your option, any later version of Perl 5 you may have available.</p>

</ol>
</body>
</html>
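Review bot: the User groups example, `group1 => { $departmentUID eq "unit1" or $login = "user1" }`, uses assignment (`=`) where a comparison (`eq`) is meant; because `or` binds loosest, the right-hand side assigns `"user1"` to `$login` and is always true, so anyone who copies this rule puts every authenticated user into group1. Change it to `$login eq "user1"`. Also in this file: the e-mail address in the Author and Copyright paragraphs is written as a raw `<x.guimard@free.fr>`, which a browser parses as an unknown tag and drops, so it should be `&lt;x.guimard@free.fr&gt;`; the section headings put `<li>` inside `<h2>`/`<h3>`/`<h4>` (`<h2><li>…</li></h2>`), which is invalid nesting and should be `<li><h2>…</h2></li>`; the `<p>` opened on the Author line and the `<p>` before the logout `<ul>` are never closed; and the www1.domain.com block in the Area protection example ends with `},` although no brace was opened. Spelling: attemps, sheme, choosed, controled, recommanded, requiering, choosen, and "worth case" should read "worst case".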
@ -0,0 +1 @@
../../modules/lemonldap-ng-handler/
@ -0,0 +1 @@
../../modules/lemonldap-ng-manager/
@ -0,0 +1 @@
../../modules/lemonldap-ng-portal/
@ -0,0 +1,65 @@
#!/usr/bin/perl

use strict;

die "usage: static.pl script.pl index.html" unless (@ARGV);

my $script = $ARGV[0];
my $dir = `pwd`;
chomp $dir;
our $lib = "$dir/lemonldap-ng-manager/blib/lib/";
$script = "$dir/$script" unless ( $script =~ m#^/# );
my $file = $ARGV[1];
my $lang = $ARGV[2] || "en";
$file =~ s#^.*/##;
$dir = $&;
`mkdir -p $dir` unless ( -d $dir );
chdir $dir;

&scan( $script, $file, '' );

sub scan {
my ( $script, $filename, $args ) = @_;
print STDERR "$filename\n";
my ( $IN, $OUT );
open $IN, "HTTP_ACCEPT_LANGUAGE=$lang SCRIPT_NAME=__SCRIPTNAME__ SCRIPT_FILENAME=$script perl -I$lib $script '$args'|";
open $OUT, ">$filename";
my $ind = 0;
local ( $_, $1 );
while (<$IN>) {
s/\r//g;
if (/lmQuery/) {
if (s/__SCRIPTNAME__\?lmQuery=([^"']*)js/$1.js/) {
scan( $script, "$1.js", "lmQuery=$1js" );
}
elsif (s/__SCRIPTNAME__\?lmQuery=upload/#/) {
# Nothing to do here
}
elsif (s/__SCRIPTNAME__\?lmQuery=conf/conf.xml/) {
scan( $script, "conf.xml", "lmQuery=conf" );
}
elsif (s/__SCRIPTNAME__\?lmQuery=([^"']*)css/style$1.css/) {
scan( $script, "style$1.css", "lmQuery=$1css" );
}
elsif (s/__SCRIPTNAME__\?lmQuery=help&help="\+s/help_"+s+".html"/) {
# Nothing to do here
}
elsif (s/__SCRIPTNAME__\?lmQuery=([^"'&]*)&?[^"']*/$1/) {
scan( $script, "$1", "lmQuery=$1" );
}
s/["']help["']\+s/"help"/;
}
elsif (/help\((['"])(\w+)\1/) {
scan( $script, "help_$2.html", "lmQuery=help&help=$2" );
}
# but+=button('$text{saveConf}','saveConf',nodeId);
elsif (s/(but\+=)button\((['"])([^'"]*)\2,'saveConf.*$/$1'<input type=button value="$3" onclick="alert(\\'This is a demo\\');saveConf;"> ';/) {
# '<input type=button value="'+text+'" onclick="'+func+'('+"'"+nodeId+"'"+')"> '
# Nothing to do here
}
s#tree.setImagePath\(["'][^"']*["']\);#tree.setImagePath("imgs/")#;
print $OUT $_ if ($ind);
$ind++ if /^$/;
}
}
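Review bot: `open $IN, "HTTP_ACCEPT_LANGUAGE=$lang SCRIPT_NAME=__SCRIPTNAME__ SCRIPT_FILENAME=$script perl -I$lib $script '$args'|";` runs a shell command assembled by string interpolation: `$lib` is derived from the current directory, `$script` from `$ARGV[0]`, and `$args` from text captured out of the generated page by the `lmQuery` substitutions, so a path containing a space or quote, or a captured value containing a `'`, breaks or alters the command. Neither this open nor `open $OUT, ">$filename";` checks its result, so a failed launch silently produces an empty output file. Suggested shape: set the environment with `local $ENV{HTTP_ACCEPT_LANGUAGE} = $lang;` (likewise `SCRIPT_NAME` and `SCRIPT_FILENAME`), then use the list form `open( my $in, '-|', 'perl', "-I$lib", $script, $args ) or die "cannot run $script: $!";` and `open( my $out, '>', $filename ) or die "cannot write $filename: $!";`; the backtick calls to `pwd` and `mkdir -p` can become `use Cwd; my $dir = getcwd;` and `File::Path::mkpath`. Two smaller problems: `$dir = $&;` after `$file =~ s#^.*/##;` reads the last successful match, so when `$ARGV[1]` has no directory part the substitution fails and `$&` still holds whatever matched earlier (the `/` from the `m#^/#` test on `$script`, or nothing), and the script then does `chdir` somewhere other than the intended output directory; capture the directory explicitly, e.g. `my ($dir) = $file =~ m#^(.*/)#;` with a default of `'.'`. And `die "usage: static.pl script.pl index.html" unless (@ARGV);` accepts a single argument although `$ARGV[1]` is required, so the check should be `@ARGV >= 2`.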