diff --git a/build/lemonldap-ng/doc/overview-fr.html b/build/lemonldap-ng/doc/1-Overview-fr.html similarity index 92% rename from build/lemonldap-ng/doc/overview-fr.html rename to build/lemonldap-ng/doc/1-Overview-fr.html index 7f8fb6a05..9cd3514e2 100644 --- a/build/lemonldap-ng/doc/overview-fr.html +++ b/build/lemonldap-ng/doc/1-Overview-fr.html @@ -7,7 +7,7 @@ - Lemonldap::NG documentation: overview-fr.html + Lemonldap::NG documentation: 1-Overview-fr.html + + + +
+

Documentation de + LemonLDAP::NG

+ +

+ + Documentation applicable pour LemonLDAP::NG + >= 0.9 + +

Merci de lire FAQ en premier + +

Installation

out_of_the_box_nicu_bucu_01.png + + + +

Configuration

tools_nicu_buculei_01.png + +

Général

+ + + +

LDAP

+ + + +

Fonctionnalités + étendues

+ + + +

Protection + des applications

+ + +

Applications + existantes

+ +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ApplicationDescription
Dokuwiki
+ dokuwiki_logo.png
Dokuwiki est un moteur de wiki en PHP
+
+ Procédure SSO (en)
+ Site + web officiel
Gestion et de Réservations de + Ressources
+ grr_logo.png
GRR permet de gérer la réservation de + ressources
+
+ Procédure SSO + (fr)
+ Site web officiel
GLPI
+ +
GLPI est outil de gestion de parc
+
+ Procédure SSO + (en)
+ Site + web officiel
phpLDAPadmin
+ phpldapadmin_logo.png
Interface web de gestion d'annuaire LDAP
+
+ Procédure SSO (en)
+ Site web + officiel
Sympa
+ +
Gestionnaire de listes de diffusion
+
+ Procédure + SSO (en)
+ Site + web officiel
+ +

Connecteurs

+ +

+ + + + + + + + + + + + + +
ApplicationDescription
Tomcat
+ tomcat_logo.png
Tomcat est un conteneur de servlets J2EE. Il utilise des valves + pour certaines fonctionnalités, comme l'intégration au + SSO.
+
+ Procédure SSO (en)
+ Site web officiel
+ +

Applications + "maison"

+ + + +

Autres

tux_clemente_01.png + +

FAQ

+ +

Voir la page FAQ. + +

Erreurs

+ +

Voir la page erreurs. + +

Formations

+ + +
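Review bot: two French strings in the "Applications existantes" table are ungrammatical and should be fixed while this file is being renamed. The GRR row title reads "Gestion et de Réservations de Ressources" (stray "de"; the acronym expands to "Gestion et Réservation de Ressources"), and the GLPI description "GLPI est outil de gestion de parc" is missing the article ("GLPI est un outil de gestion de parc"). Separately, this page becomes "1-Overview-fr.html" while its English counterpart is added in this same patch as "3-Table-of-contents.html"; the numbers and base names of the two language versions no longer match, so a reader switching language cannot find the sibling page by name.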
+ + + + diff --git a/build/lemonldap-ng/doc/3-Table-of-contents.html b/build/lemonldap-ng/doc/3-Table-of-contents.html new file mode 100644 index 000000000..f8a5f5988 --- /dev/null +++ b/build/lemonldap-ng/doc/3-Table-of-contents.html @@ -0,0 +1,318 @@ + + + + + + + + Lemonldap::NG documentation: 3-Table-of-contents.html + + + + + +
+

Lemonldap::NG Documentation

+ +

+ + Documentation applicable for LemonLDAP::NG + >= 0.9 + +

Please read the + FAQ first + +

Installation

out_of_the_box_nicu_bucu_01.png + + + +

Configuration

tools_nicu_buculei_01.png + +

General

+ + + +

LDAP

+ + + +

Extended + features

+ + + +

Application + protection

+ + +

Existing + applications

+ +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ApplicationDescription
Dokuwiki
+ dokuwiki_logo.png
Dokuwiki is a popular PHP wiki Engine
+
+ SSO + procedure (en)
+ Official website
Gestion et de Réservations de + Ressources
+ grr_logo.png
GRR is a system to manage ressources booking
+
+ SSO + procedure (fr)
+ Official website
GLPI
+ +
GLPI is an IT and asset management software
+
+ SSO + procedure (en)
+ Official website
phpLDAPadmin
+ phpldapadmin_logo.png
Web interface to manage LDAP directory
+
+ SSO + procedure (en)
+ Official website
Sympa
+ +
Mailing lists manager
+
+ SSO + procedure (en)
+ Official website
+ +

Connectors

+ +

+ + + + + + + + + + + + + +
ApplicationDescription
Tomcat
+ tomcat_logo.png
Tomcat is a J2EE servlet container. It uses Valve to use extra + functionnalities, like SSO integration.
+
+ SSO + procedure (en)
+ Official website
+ +

Self-made

+ + + +

Others

tux_clemente_01.png + +

FAQ

+ +

See FAQ page. + +

Errors

+ +

See errors page. + +

Training

+ + +
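Review bot: the new English table of contents carries several spelling and grammar errors in the application tables. "GRR is a system to manage ressources booking" should read "resources"; the Tomcat row "It uses Valve to use extra functionnalities, like SSO integration" should read "It uses Valves to provide extra functionality, such as SSO integration"; and the GRR row title repeats the French "Gestion et de Réservations de Ressources" with its stray "de". The "Training" and "Self-made" sections end with empty lists as rendered here; please check that the list items survive in the generated HTML, since this page is the entry point linked from "Please read the FAQ first".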
+ + + + diff --git a/build/lemonldap-ng/doc/3.1-Install-prerequesites.html b/build/lemonldap-ng/doc/3.1-Install-prerequesites.html new file mode 100644 index 000000000..2c93bcf34 --- /dev/null +++ b/build/lemonldap-ng/doc/3.1-Install-prerequesites.html @@ -0,0 +1,132 @@ + + + + + + + + Lemonldap::NG documentation: 3.1-Install-prerequesites.html + + + + + +
+

Prerequisites and dependencies

+ +

+ + + +

Apache

+ +

To use Lemonldap::NG, you have to run a LDAP + server and of course an Apache server compiled with mod-perl (version 1.3 + or 2.x). Generaly, the version of Apache proposed with your Linux + distribution match, but some distributions used an experimental version of + mod_perl with Apache2 (mod_perl-1.99) which does not work with + Lemonldap::NG. With such distributions (like Debian-3.1), you have to use + Apache-1.3 or to use a mod_perl backport (www.backports.org package for + Debian works fine). + +

For Apache2, you can use both mpm-worker and + mpm-prefork. Mpm-worker works faster and Lemonldap::NG use the thread + system for best performance. If you have to use mpm-prefork (for example + if you use PHP), Lemonldap::NG will work anyway. + +

You can use Lemonldap::NG in an heterogene world: + the authentication portal and the manager can work in any version of + Apache 1.3 or more even if mod_perl is not compiled, with + ModPerl::Registry or not… Only the handler (site protector) need + mod_perl. The different handlers can run on different servers with + different versions of Apache/mod_perl. + +

Perl

+ +

Needed for all + modules

+ +

Apache::Session, Net::LDAP, MIME::Base64, CGI, + LWP::UserAgent, Cache::Cache, DBI, XML::Simple + +

Needed for + Portal

+ +

Apache::Session, Net::LDAP, MIME::Base64, CGI, + DBI + +

Needed for + Handler

+ +

Apache::Session, LWP::UserAgent, Cache::Cache, + DBI + +

Needed for + Manager

+ +

CGI, XML::Simple, DBI +
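Review bot: the new file is named "3.1-Install-prerequesites.html" but its own heading spells "Prerequisites and dependencies"; since this file is created here and nothing links to it yet, rename it to "3.1-Install-prerequisites.html" now rather than carry the typo into every cross-reference. The Perl section heading "Needed for all modules" is misleading: its list is the union of the three per-module lists below it (XML::Simple, for instance, appears only under Manager), so someone installing just a Handler reads it as a common requirement; "Needed for a full installation" says what the list actually is. Minor prose fixes in the Apache paragraphs: "Generaly" to "Generally", "an heterogene world" to "a heterogeneous environment", "Only the handler (site protector) need mod_perl" to "needs".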
+ + + + diff --git a/build/lemonldap-ng/doc/3.2-Install-from-tarball.html b/build/lemonldap-ng/doc/3.2-Install-from-tarball.html new file mode 100644 index 000000000..dc241b31e --- /dev/null +++ b/build/lemonldap-ng/doc/3.2-Install-from-tarball.html @@ -0,0 +1,161 @@ + + + + + + + + Lemonldap::NG documentation: 3.2-Install-from-tarball.html + + + + + +
+

Installation + from the tarball

+ +

+ + + +

Get the + tarball

+ +

All tarballs can be downloaded from the OW2 + forge: http://forge.objectweb.org/project/showfiles.php?group_id=274 + +

If you want the last SVN snapshot, please choose: + http://forge.objectweb.org/svnsnapshots/lemonldap-svn-latest.tar.gz + +

Warning: the + contents of the SVN tarball are not the same as the official tarballs. + Please see the next chapter to learn how build an official tarball from + SVN files. + +

Build the + tarball from SVN

+ +

Either checkout + or export the SVN repository, or extract + the SVN tarball to get the SVN files on your disk. + +

Then go to build directory: + +
+
+$ cd trunk/build/lemonldap-ng
+
+

+
+ And run the "dist" target: + +
+
+$ make dist
+
+

+
+ The generated tarball is in the current directory. + +

Extraction


+
+ Just run the tar command: + +
+
+$ tar zxvf lemonldap-ng-*.tar.gz
+
+
+ +

Installation


+
+ First check and install the prerequisites.
+
+ If you just want to install a handler or a portal or a manager:
+
+ +
+
+$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager|Common)
+$ perl Makefile.PL && make && make test
+$ sudo make install
+
+
+ +

Else for full modules install: + +

+ +
+
+$ cd lemonldap-ng-*
+$ make && make test
+$ sudo make install
+
+
+
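Review bot: the installation sequence in the last two blocks lets a failed test suite go unnoticed: "$ perl Makefile.PL && make && make test" and "$ sudo make install" are separate commands, so when the tests fail the reader still runs the install as root. Either chain them ("make test && sudo make install") or state explicitly that the install step must only be run after "make test" succeeds. The download section points at two plain-http URLs on forge.objectweb.org and gives no way to check what was fetched; if the forge publishes checksums or signatures for the release tarballs, document the verification step here, and make it clear that "lemonldap-svn-latest.tar.gz" is an unreleased snapshot, not a release. Typo in the warning paragraph: "learn how build an official tarball" should be "learn how to build".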
+ + + + diff --git a/build/lemonldap-ng/doc/debian-packages-install.html b/build/lemonldap-ng/doc/3.3-Install-from-debian-packages.html similarity index 70% rename from build/lemonldap-ng/doc/debian-packages-install.html rename to build/lemonldap-ng/doc/3.3-Install-from-debian-packages.html index 451a330a9..819c8eded 100644 --- a/build/lemonldap-ng/doc/debian-packages-install.html +++ b/build/lemonldap-ng/doc/3.3-Install-from-debian-packages.html @@ -7,7 +7,8 @@ - Lemonldap::NG documentation: debian-packages-install.html + Lemonldap::NG documentation: + 3.3-Install-from-debian-packages.html + + + +
+

Use of MySQL for + sessions and/or configuration storage

+ +

+ + + +

MySQL + configuration

+ +

Remark: we advice + to create a specific user/password in MySQL for LemonLDAP::NG, with rights + on ist database. + +

Database + creation


+
+ For example, create the database "lemonldapng" :
+
+ +
+
+# mysqladmin create lemonldapng
+
+
+ +

Configuration + table


+
+ To store configuration, use this table creation instruction:
+
+ +
+
+CREATE TABLE lmConfig (
+     cfgNum int not null primary key,
+     locationRules text,
+     exportedHeaders text,
+     globalStorage text,
+     globalStorageOptions text,
+     macros text,
+     groups text,
+     portal text,
+     domain text,
+     ldapServer text,
+     ldapPort int,
+     ldapBase text,
+     securedCookie int,
+     cookieName text,
+     authentication text,
+     exportedVars text,
+     managerDn text,
+     managerPassword text,
+     whatToTrace text,
+     timeout int
+     );
+
+
+ +

Session + table

+ +

The choice of Apache::Session::* module is free. + See Apache::Session::Store::* or Apache::Session::* to know how to + configure the module. + +

If you want to use Apache::Session::MySQL, you + can create the database like this: + +

+ +
+
+CREATE TABLE sessions (
+    id char(32),
+    a_session text
+    );
+
+
+ +

LemonLDAP::NG configuration

+ +

Set configStorage for + LemonLDAP::NG modules

+ +

By default, configStorage use the "File" backend, + like: + +
+
+configStorage => {
+     type    => "File",
+     dirName => "/etc/lemonldap-ng/conf/",
+  },
+
+
+ +

You have to replace it with MySQL parameters, for + example: + +
+
+configStorage => {
+      type        => "DBI",
+      dbiChain    => "dbi:mysql:...",
+      dbiUser     => "lemonldap",
+      dbiPassword => "password",
+      dbiTable    => "lmConfig",
+  },
+
+
+ +

Set + Apache::Session backend

+ +

Go to the Manager and go in General Parameters > Session Storage. Then change + Apache::Session module to + "Apache::Session::MySQL" and in Apache::Session + parameters configure the following options: + + You can also set the session module in perl scripts: + +
+
+globalStorage  => "Apache::Session::MySQL",
+  globalStorageOptions => {
+      DataSource       => "dbi:mysql:database=lemonldapng;host=127.0.0.1",
+      UserName         => "db_user",
+      Password         => "db_password",
+      TableName        => "sessions",
+      LockDataSource   => "dbi:mysql:database=lemonldapng;host=127.0.0.1",
+      LockUserName     => "db_user",
+      LockPassword     => "db_password",
+  },
+
+
+
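Review bot: the "Session table" DDL "CREATE TABLE sessions ( id char(32), a_session text );" declares no key on "id"; the schema documented by Apache::Session::MySQL is "id char(32) not null primary key", and without it every session lookup is a full table scan and duplicate session ids are not rejected. The "Remark" advising a dedicated MySQL account should say which privileges it needs (SELECT, INSERT, UPDATE and DELETE on the "lemonldapng" database) rather than "rights on ist database" (typo for "its"), and since both "configStorage" and "globalStorageOptions" embed the database password in clear text, the page should tell the reader to restrict read access on the file that holds them to the Apache user. Smaller points: the two examples use different sample accounts ("lemonldap"/"password" versus "db_user"/"db_password") for what is presumably the same database, and "we advice" should be "we advise". The sentence "in Apache::Session parameters configure the following options:" is followed by nothing as rendered, so check that the option list survives in the HTML.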
+ + + + diff --git a/build/lemonldap-ng/doc/install-fr.html b/build/lemonldap-ng/doc/3.5-Install-of-example-fr.html similarity index 53% rename from build/lemonldap-ng/doc/install-fr.html rename to build/lemonldap-ng/doc/3.5-Install-of-example-fr.html index 8e6149bb5..90a0c6f5a 100644 --- a/build/lemonldap-ng/doc/install-fr.html +++ b/build/lemonldap-ng/doc/3.5-Install-of-example-fr.html @@ -7,7 +7,7 @@ - Lemonldap::NG documentation: install-fr.html + Lemonldap::NG documentation: 3.5-Install-of-example-fr.html + + + +
+

Configuration + overview

+ +

+ + Connect to the manager with your browser (for example http://manager.example.com) to + start configure your WebSSO. + +

You have to set at least some parameters: + +

General + parameters

+ + + +

User groups

+ +

Use the "New Group" button to add your first + group. On the left, set the keyword which will be used later and set on + the right the corresponding rule. You can use : + + or + + + +

Virtual hosts

+ +

You have to create a virtual host for each Apache + host (virtual or real) protected by Lemonldap::NG even if just a + sub-directory is protected. Else, user who want to access to the protected + area will be rejected with a "500 Internal Server Error" message and the + apache logs will explain the problem. + +

Each virtual host has 2 groups of parameters: + + +
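Review bot: the two lists this page depends on are empty as rendered: "You can use :" under "User groups" and "Each virtual host has 2 groups of parameters:" at the end both trail off with no items, so the page currently tells the reader neither which rule syntax is accepted nor what the virtual host parameters are; please verify the list markup in the generated HTML. The "500 Internal Server Error" paragraph is a useful operational warning and should keep its pointer to the Apache logs. Grammar: "to start configure your WebSSO" should be "to start configuring your WebSSO", and "user who want to access to the protected area will be rejected" should be "users who try to access the protected area will be rejected".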
+ + + + diff --git a/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html b/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html new file mode 100644 index 000000000..a11f1f5a9 --- /dev/null +++ b/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html @@ -0,0 +1,243 @@ + + + + + + + + Lemonldap::NG documentation: + 4.1-Configuration-parameter-list.html + + + + + +
+

Parameter list

+ +

+ + Documentation applicable for LemonLDAP::NG + >= 1.0 + +

Configuration

+ + + +

General + Parameters

+ + + +

Virtual hosts

+ + + +

Applications

+ + +
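Review bot: the version banner on this page says "Documentation applicable for LemonLDAP::NG >= 1.0" while the table of contents added in the same patch says ">= 0.9" and the roadmap lists 1.0 as a 2009 target; if the parameter list really describes the unreleased 1.0 layout, say so explicitly so a 0.9.x administrator does not treat it as current. The numbering also collides: this file and three others in this patch all carry the prefix "4.1-" (Configuration-parameter-list, Configure-portal-menu, HTML-templates-customization, RBAC-model), so the prefix no longer orders the chapter and sorting falls back to the file name. As rendered, the "Configuration", "General Parameters", "Virtual hosts" and "Applications" sections contain only headings; check that the parameter lists are present in the HTML.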
+ + + + diff --git a/build/lemonldap-ng/doc/4.1-Configure-portal-menu.html b/build/lemonldap-ng/doc/4.1-Configure-portal-menu.html new file mode 100644 index 000000000..9aefb3919 --- /dev/null +++ b/build/lemonldap-ng/doc/4.1-Configure-portal-menu.html @@ -0,0 +1,283 @@ + + + + + + + + Lemonldap::NG documentation: 4.1-Configure-portal-menu.html + + + + + +
+

Enhanced menu

+ +

+ + Documentation applicable for LemonLDAP::NG + >= 0.9.3 + +

Presentation

+ +

Menu is a new Portal module providing these + functionalities: + + + +

Activate + the menu in the portal

+ +

With a 0.9.3 fresh installation, the default + portal/index.pl enables the menu. For the others, add this to the perl + code: + +

+ +
+
+if ( $portal->process() ) {

# HTML::Template object creation + my $template = HTML::Template->new( + filename => "$skin_dir/$skin/menu.tpl", + die_on_bad_params => 0, + cache => 0, + filter => sub { $portal->translate_template(@_) } + );

# Menu creation + use Lemonldap::NG::Portal::Menu; + my $menu = Lemonldap::NG::Portal::Menu->new( + { + portalObject => $portal, + apps => { + xmlfile => "$appsxmlfile", + imgpath => "$appsimgpath", + }, + modules => { + appslist => 1, + password => 1, + logout => 1, + }, + # CUSTOM FUNCTION : if you want to create customFunctions in rules, declare them here + #customFunctions => 'function1 function2', + } + );

$template->param( AUTH_ERROR => $menu->error ); + $template->param( AUTH_ERROR_TYPE => $menu->error_type ); + $template->param( DISPLAY_APPSLIST => $menu->displayModule("appslist") ); + $template->param( DISPLAY_PASSWORD => $menu->displayModule("password") ); + $template->param( DISPLAY_LOGOUT => $menu->displayModule("logout") ); + $template->param( DISPLAY_TAB => $menu->displayTab ); + $template->param( LOGOUT_URL => "$ENV{SCRIPT_NAME}?logout=1" ); + if ( $menu->displayModule("appslist") ) { + $template->param( APPSLIST_MENU => $menu->appslistMenu ); + $template->param( APPSLIST_DESC => $menu->appslistDescription ); + }

print $portal->header('text/html; charset=utf8'); + print $template->output; +} +
+
+ +

XML applications + list

+ +

DTD

+ +

The XML applications list must respect this DTD: + +

+ +
+
+<!ELEMENT menu (category*) >

<!ELEMENT category (application*, category*) > +<!ATTLIST category name CDATA #REQUIRED >

<!ELEMENT application (name, uri?, description?, logo?, screenshot?, display?) > +<!ATTLIST application id ID #REQUIRED >

<!ELEMENT name ( #PCDATA ) > +<!ELEMENT uri ( #PCDATA ) > +<!ELEMENT description ( #PCDATA ) > +<!ELEMENT logo ( #PCDATA ) > +<!ELEMENT screenshot ( #PCDATA ) > +<!ELEMENT display ( #PCDATA ) > +
+
+ +

Parameters + definition

+ + The menu must contains at least one category. Each category can + contain applications and categories. An application cannot contain a + category. An application must be inside a category. + +

Sample XML + file

+ +

Now you can configure your applications list, in + /etc/lemonldap-ng/apps-list.xml. For example: + +

+ +
+
+<?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!DOCTYPE menu SYSTEM "apps-list.dtd">
+<menu>
+    <category name="Business">
+        <application id="aaa">
+                <name>AAA</name>
+                <uri>http://test.ow2.org/aaa</uri>
+                <description>AAA description</description>
+                <logo>aaa-logo.gif</logo>
+                <display>auto</display>
+        </application>
+        <application id="bbb">
+                <name>BBB</name>
+                <uri>http://test.ow2.org/bbb/login.do</uri>
+                <description>BBB description</description>
+                <logo>bbb-logo.gif</logo>
+                <display>on</display>
+        </application>
+   </category>
+   <category name="Technical">
+     <category name="Directories">
+        <application id="pla">
+                <name>phpLDAPAdmin</name>
+                <uri>http://phpldapadmin.ow2.org</uri>
+                <description>LDAP directory administration</description>
+                <logo>pla-logo.gif</logo>
+                <display>auto</display>
+        </application>
+     </category>
+     <category name="Application servers">
+        <application id="probe">
+                <name>Probe</name>
+                <uri>http://probe.ow2.org</uri>
+                <description>Tomcat stats</description>
+                <logo>probe-logo.gif</logo>
+                <display>auto</display>
+        </application>
+     </category>
+   </category>
+</menu>
+
+
+
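Review bot: in the portal/index.pl snippet, "use Lemonldap::NG::Portal::Menu;" sits inside the "if ( $portal->process() )" block; a "use" is executed at compile time regardless of where it appears, so placing it there only obscures the dependency, and it belongs with the other "use" statements at the top of the script. The sample XML uses "<display>auto</display>" and "<display>on</display>", but the visible "Parameters definition" text only states the category nesting rules and never lists the accepted values of "display" (nor what "auto" decides on); document them next to the DTD. The sample also declares "<!DOCTYPE menu SYSTEM "apps-list.dtd">" for a file living in /etc/lemonldap-ng/, so state where apps-list.dtd is installed or whether the parser validates against it at all. Minor: "The menu must contains at least one category" should be "must contain", and "charset=utf8" in "$portal->header('text/html; charset=utf8')" is a non-standard label that browsers accept; the registered name is "utf-8".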
+ + + + diff --git a/build/lemonldap-ng/doc/4.1-HTML-templates-customization.html b/build/lemonldap-ng/doc/4.1-HTML-templates-customization.html new file mode 100644 index 000000000..ac002d4d5 --- /dev/null +++ b/build/lemonldap-ng/doc/4.1-HTML-templates-customization.html @@ -0,0 +1,275 @@ + + + + + + + + Lemonldap::NG documentation: + 4.1-HTML-templates-customization.html + + + + + +
+

Portal HTML + templates design

+ +

+ + Documentation applicable for LemonLDAP::NG + >= 0.9.3 + +

LemonLDAP::NG skins + and HTML::Template Perl module

+ +

LemonLDAP::NG templates are designed for + HTML::Templates + Perl module. + +

LemonLDAP::NG portal use "skins", located in the + skins/ directory of the portal. Each skin is a particular directory, for + example skins/default/ for the default skin. + +

Here is the list of required template files: + + Each template include a CSS file, named "styles.css". + +

To create your own skin, just copy the default + skin to another directory (eg.: skins/myskin/) and edit templates and CSS + files. Advanced customization can be done by editing the portal/index.pl. + +

Templates variables + provided by portal/index.pl

+ +

When you edit/create a template file, you can use + some variables provided by the portal script. Of course, you can add + variables by editing the portal/index.pl. + +

Common + variables

+ + + +

login.tpl + specific variables

+ + + +

menu.tpl + specific variables

+ + + +

Template + structure

+ +

The default LemonLDAP::NG template follow this + structure: + + + +

Internationalization (i18n)

+ +

LemonLDAP::NG portal is able to display an HTML + template according to the user's browser language. + +

In order to work, you have to set inside the + template the translations of all displayed text. Error message translation + is already done inside LemonLDAP::NG Portal module. + +

Example + of mono-lingual template

+ +

+ +
+
+<p><label>Login</label>
+<input name="user" type="text" size="30" />
+</p>
+
+
+ +

The string "Login" is set in the template and + will not be translated. + +

Example of multi-lingual + template

+ +

+ +
+
+<p><label><lang en="Login" fr="Identifiant" /></label>
+<input name="user" type="text" size="30" />
+</p>
+
+
+ +

The markup <lang> will be catched by + LemonLDAP::NG and only the wanted translation will be displayed. If the + user's language has no corresponding translation, the first translation is + selected. So you can set your default language by choosing the first + translation ("en" in the above example). + +

Warning: don't + forget the quotes and the trailing slash of the markup! +
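Review bot: the first paragraph names the module "HTML::Templates" while the heading above it and the rest of the page say "HTML::Template"; the CPAN module is HTML::Template (singular), so fix the paragraph. The lists under "Here is the list of required template files:", "Common variables", "login.tpl specific variables", "menu.tpl specific variables" and "Template structure" are empty as rendered, which leaves the "variables provided by portal/index.pl" section without content; check the list markup. Grammar: "Each template include a CSS file" should be "includes", "The default LemonLDAP::NG template follow this structure" should be "follows", "will be catched" should be "caught", and "eg.:" should be "e.g.".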
+ + + + diff --git a/build/lemonldap-ng/doc/4.1-RBAC-model.html b/build/lemonldap-ng/doc/4.1-RBAC-model.html new file mode 100644 index 000000000..19454ad04 --- /dev/null +++ b/build/lemonldap-ng/doc/4.1-RBAC-model.html @@ -0,0 +1,226 @@ + + + + + + + + Lemonldap::NG documentation: 4.1-RBAC-model.html + + + + + +
+

RBAC model

+ +

+ + + +

Presentation

+ +

RBAC stands for Role Based Access Control. It + means that you manage authorizations to access applications by checking + the role(s) of the user, and provide this role to the application. + +

More informations on http://en.wikipedia.org/wiki/Role-based_access_control + +

LemonLDAP::NG allows to use this model. + +

Roles as simple values of a user + attribute


+
+ Imagine you've set your directory schema to store roles as values of + ssoRoles, an attribute of the user. This is simple because you can send + the role to the application by creating a HTTP header (for example + Auth-Role) with the concatened values (';' is the concatenation + string):
+
+ +
+
+Auth-Roles => $ssoRoles
+
+

+
+ If the user has these values inside its entry:
+
+ +
+
+ssoRoles: user
+ssoRoles: admin
+
+

+
+ Then you got this value inside the Auth-Roles header:
+
+ +
+
+user; admin
+
+
+ +

Roles as + entries in the directory


+
+ Now imagine the following DIT:
+
+ DIA_DIT_Roles.png
+
+ Roles are entries, below branchs representing applications. Each user has + a ssoRoles attributes, which values are the DN of the corresponding roles. + With this oragnization, you can set roles to user within specific + application.
+
+ In the schema above, the user has the following values:
+
+ +
+
+ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
+ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com
+
+
+ +

So he is "user" on application "BBB" and "admin" + on application "AAA". + +

Now we have to send to right role to the right + application trough LemonLDAP::NG. + +

First step: create a rule to grant access only if + the user has a role in the application: + + + +
+
+default => $ssoRoles =~ /ou=aaa,ou=roles/
+
+
+ + + +
+
+default => $ssoRoles =~ /ou=bbb,ou=roles/
+
+

+
+ Second step: get the role name for the application. We will use the macros + to do that. Create two macros (inside General Parameters > Macros): + + + +
+
+aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]
+
+
+ + + +
+
+bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]
+
+

+
+ These regular expressions read the 'ou' value of the DN of the role of the + concerned application. This work if the user has only one role per + application.
+
+ Third step: provide the role to the application. It is done by creating + the correct HTTP header: + + + +
+
+Auth-Roles => $aaaRoles
+
+
+ + + +
+
+Auth-Roles => $bbbRoles
+
+

+
+ Now the protected application can read in the header HTTP_AUTH_ROLES the + role of the user. +
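Review bot: the macro and header names do not match, so the worked example cannot produce a role header as written: the macros are created as "aaaRole" and "bbbRole", but the headers read "Auth-Roles => $aaaRoles" and "Auth-Roles => $bbbRoles", which reference undefined macros. Align them (either "$aaaRole"/"$bbbRole" in the headers or rename the macros). The prose also calls the header "Auth-Role" while every example uses "Auth-Roles". In the first section, the sample output "user; admin" (with a space) contradicts the statement that ';' is the concatenation string and the macros' "split(';',$ssoRoles)": with a plain ';' join the value is "user;admin" (which is what the deleted advanced-access-rules.html showed), and with a "; " join the second element of the split carries a leading space; pick one and keep the example consistent. The caveat "This work if the user has only one role per application" is the important limitation of the "[0]" in the macros and should stay, phrased as "This works only if". Typos: "to send to right role to the right application trough LemonLDAP::NG" (the right role, through), "oragnization", "branchs", "concatened", "a ssoRoles attributes, which values" (whose values).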
+ + + + diff --git a/build/lemonldap-ng/doc/4.2-Configure-LDAP-schema.html b/build/lemonldap-ng/doc/4.2-Configure-LDAP-schema.html new file mode 100644 index 000000000..77659078d --- /dev/null +++ b/build/lemonldap-ng/doc/4.2-Configure-LDAP-schema.html @@ -0,0 +1,206 @@ + + + + + + + + Lemonldap::NG documentation: 4.2-Configure-LDAP-schema.html + + + + + +
+

LDAP + Schema for advanced access rules

+ +

+ + + +

Topic

+ +

LemonLDAP::NG is powerfull WebSSO engine who + manage access trough user's attributes stored in an LDAP directory. + +

We can use standards attributes like uid, cn or + mail to describe access rules to protected web applications. + +

But sometimes we need more information! For + example: + + + +

LDAP Schema

+ +

OID prefix

+ +

We plan to use this prefix: + 1.3.6.1.4.1.10943.10.2. + +

The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA + (See http://www.iana.org/assignments/enterprise-numbers). + +

OpenLDAP + schema

+ +

Just add this file to OpenLDAP schemas: + +

+ +
+
+#=======================================
+# Schema for advanced SSO access rules
+#
+# Designed for OpenLDAP software
+#   http://www.openldap.org
+#
+# Part of LemonLDAP::NG project
+#   http://lemonldap.ow2.org
+#
+# Author: Clement OUDOT
+#=======================================

#======================================= +# OID Prefix +# Registered in IANA database +#======================================= +objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2

#======================================= +# Attributes +#=======================================

# Application Name +attributetype ( SSOOID:1:1 + NAME 'ssoName' + DESC 'An application name' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Roles +attributetype ( SSOOID:1:2 + NAME 'ssoRoles' + DESC 'One or more roles' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Time profile +attributetype ( SSOOID:1:3 + NAME 'ssoLogonsHours' + DESC 'Logons hours' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Start date +attributetype ( SSOOID:1:4 + NAME 'ssoStartDate' + DESC 'Start date' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# End date +attributetype ( SSOOID:1:5 + NAME 'ssoEndDate' + DESC 'End date' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#======================================= +# ObjectClasses +#=======================================

# SSO user +objectClass ( SSOOID:2:1 + NAME 'ssoUser' + DESC 'SSO extended informations for a user' + SUP top + AUXILIARY + MAY ( ssoName $ ssoRoles $ ssoLogonHours $ + ssoStartDate $ ssoEndDate ) ) +
+
+ +

How to use + it in LemonLDAP::NG

+ +

In LemonLDAP::NG Manager, go to General + Parameters > Exported Variables and add new variables: + + Save and reload Apache and Handler to get the configuration updated. +
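Review bot: the schema does not load as written because the attribute and the objectClass disagree on a name: the attribute is declared as "NAME 'ssoLogonsHours'" but the ssoUser objectClass lists "ssoLogonHours" in its MAY clause, and slapd rejects an objectClass that references an unknown attribute. Pick one spelling (the DESC says "Logons hours"; "ssoLogonHours" reads better) and use it in both places. Note also that the deleted advanced-access-rules.html defined this same OID, SSOOID:1:3, as "ssoTimeProfile"; directories that loaded the earlier schema will hit a conflict when the attribute under that OID is renamed, so either keep the old name or document the migration. Two further points to verify: slapd.conf(5) documents objectIdentifier macro references as "name:suffix" with a dotted-decimal suffix, so the "SSOOID:1:1" form should be checked against a running slapd (I would expect "SSOOID:1.1"); and ssoStartDate, ssoEndDate and the logon-hours attribute are declared as DirectoryString with caseIgnoreMatch, which enforces no format, so the page should state the string format access rules will compare against, or use the GeneralizedTime syntax (1.3.6.1.4.1.1466.115.121.1.24) for the two dates. The list after "add new variables:" is empty as rendered. Prose: "powerfull WebSSO engine who manage access trough" (powerful, which manages access through), "standards attributes" (standard), "extended informations" (information).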
+ + + + diff --git a/build/lemonldap-ng/doc/password-policy.html b/build/lemonldap-ng/doc/4.2-Configure-password-policy.html similarity index 80% rename from build/lemonldap-ng/doc/password-policy.html rename to build/lemonldap-ng/doc/4.2-Configure-password-policy.html index 8e6885513..2edf44055 100644 --- a/build/lemonldap-ng/doc/password-policy.html +++ b/build/lemonldap-ng/doc/4.2-Configure-password-policy.html @@ -7,7 +7,8 @@ - Lemonldap::NG documentation: password-policy.html + Lemonldap::NG documentation: + 4.2-Configure-password-policy.html + + + +
+

Roadmap for + LemonLDAP::NG

+ +

+ + Icons legend:
+ ok.png Task finished
+ warning_triangle.png Work in + progress
+ error.png To be done
+ +

Version 0.9 + (2008)

ok.png Liberty Alliance + authentication module (learn more)
+ ok.png Skins for Manager and Portal
+ ok.png SOAP access to configuration and + sessions (learn more)
+ +

Version 0.9.3 (end 2008/begin + 2009)

ok.png Dissociate + authentication and user backend capabilities (for example, to choose LDAP + for authentication, and MySQL for reading user's information)
+ ok.png Add a Menu.pm to portal modules, to + provide an enhanced application menu and password modification form + (learn + more)
+ ok.png i18n (internationalization) for modules, + scripts and HTML templates (learn more)
+ ok.png Sessions explorer
+ ok.png Accounting and authentication in + manager
+ ok.png Shared functions for macros, groups, + access rules and headers.
+ warning_triangle.png Production + installation script
+ +

Version 1.0 + (2009)

+ Packages for Debian/Ubuntu, RedHat/CentOS
+ warning_triangle.png Date and + time parameters in access rules
+ warning_triangle.png Monitoring + scripts (MRTG, Cacti, Nagios)
+ error.png Handler POST functionnalities, to + fill authentication forms with login/password
+ error.png Portal and Manager trigger system, + to execute code on specified action (apply, save, etc.)
+ error.png Configuration update, to manage + all new parameters (learn more)
+ error.png Configuration migration + scripts
+ error.png Change configuration storage to + XML
+ +

Version 2.0 + (2010)

error.png Rewrite Manager + with JQuery and Ajax
+ error.png Manage Apache virtualhost + configuration through LDAP backend
+ error.png SAML2 authentication and user + backend
+ error.png SNMP extensions for + monitoring
+ error.png Local password policy
+ error.png Notification system
+ error.png LQL parser (LDAP Query + Language)
+ error.png Shared "grant" function
+
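Review bot: the first item under "Version 1.0 (2009)", "Packages for Debian/Ubuntu, RedHat/CentOS", is the only roadmap entry without a status icon, although the legend at the top defines one for every state (ok.png, warning_triangle.png, error.png); add the appropriate icon so the item is not read as finished by default. Spelling: "Handler POST functionnalities" should be "functionalities", and "JQuery" is written "jQuery" by the project.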
+ + + + diff --git a/build/lemonldap-ng/doc/advanced-access-rules.html b/build/lemonldap-ng/doc/advanced-access-rules.html deleted file mode 100644 index bcb35e5d1..000000000 --- a/build/lemonldap-ng/doc/advanced-access-rules.html +++ /dev/null @@ -1,420 +0,0 @@ - - - - - - - - Lemonldap::NG documentation: advanced-access-rules.html - - - - - -
-

LDAP - Schema for advanced access rules

- -

- - - -

Topic

- -

LemonLDAP::NG is powerfull WebSSO engine who - manage access trough user's attributes stored in an LDAP directory. - -

We can use standards attributes like uid, cn or - mail to describe access rules to protected web applications. - -

But sometimes we need more information! For - example: - - - -

LDAP Schema

- -

OID prefix

- -

We plan to use this prefix: - 1.3.6.1.4.1.10943.10.2. - -

The prefix 1.3.6.1.4.1.10943 is owned by LINAGORA - (See http://www.iana.org/assignments/enterprise-numbers). - -

OpenLDAP - schema

- -

Just add this file to OpenLDAP schemas: - -

- -
-
-#=======================================
-# Schema for advanced SSO access rules
-#
-# Designed for OpenLDAP software
-#   http://www.openldap.org
-#
-# Part of LemonLDAP::NG project
-#   http://lemonldap.ow2.org
-#
-# Author: Clement OUDOT
-#=======================================

#======================================= -# OID Prefix -# Registered in IANA database -#======================================= -objectIdentifier SSOOID 1.3.6.1.4.1.10943.10.2

#======================================= -# Attributes -#=======================================

# Application Name -attributetype ( SSOOID:1:1 - NAME 'ssoName' - DESC 'An application name' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Roles -attributetype ( SSOOID:1:2 - NAME 'ssoRoles' - DESC 'One or more roles' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Time profile -attributetype ( SSOOID:1:3 - NAME 'ssoTimeProfile' - DESC 'A time profile' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# Start date -attributetype ( SSOOID:1:4 - NAME 'ssoStartDate' - DESC 'Start date' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

# End date -attributetype ( SSOOID:1:5 - NAME 'ssoEndDate' - DESC 'End date' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

#======================================= -# ObjectClasses -#=======================================

# SSO user -objectClass ( SSOOID:2:1 - NAME 'ssoUser' - DESC 'SSO extended informations for a user' - SUP top - AUXILIARY - MAY ( ssoName $ ssoRoles $ ssoTimeProfile $ - ssoStartDate $ ssoEndDate ) ) -
-
- -

How to use - it in LemonLDAP::NG

- -

Specify new attributes in - exported variables

- -

In LemonLDAP::NG Manager, go to General - Parameters > Exported Variables and add new variables: - - Save and reload Apache and Handler to get the configuration updated. - -

Habilitation based on an - application name


-
- If a user has got the ssoName attribute, with each value being the name of - a protected application, you can configure the rules of virtualhosts by - checking the application name.
-
- Go in LemonLDAP::NG Manager, choose your virtualhost (for example - test.acme.com), and set the default rule to accept users if they have - "acme" has one of the value of their attribute "ssoName":
-
- -
-
-default => $ssoName =~ /\bacme\b/
-
-

-
- Save and reload.
-
- Now you can decide who access this application just by adding or removing - a value inside the entry of the users. - -

Habilitation based on a date


-
- If the user has got ssoStartDate and/or ssoEndDate, you can configure - rules to compare the current date to the start/end dates. - -

Habilitation based on a - period


-
- If the user has got ssoTimeProfile, you can configure rules to compare the - current time and compare it to the time profile. - -

Send a role to a protected - application

- -
Roles as simple values of a user - attribute

-
- Imagine you've set your directory schema to store roles as values of - ssoRoles, an attribute of the user. This is simple because you can send - the role to the application by creating a HTTP header (for example - Auth-Role) with the concatened values (';' is the concatenation - string):
-
- -
-
-Auth-Roles => $ssoRoles
-
-

-
- If the user has these values inside its entry:
-
- -
-
-ssoRoles: user
-ssoRoles: admin
-
-

-
- Then you got this value inside the Auth-Roles header:
-
- -
-
-user;admin
-
-
- -
Roles - as entries in the directory

-
- Now imagine the following DIT:
-
- DIA_DIT_Roles.png
-
- Roles are entries, below branchs representing applications. Each user has - a ssoRoles attributes, which values are the DN of the corresponding roles. - With this oragnization, you can set roles to user within specific - application.
-
- In the schema above, the user has the following values:
-
- -
-
-ssoRoles: ou=admin,ou=aaa,ou=roles,dc=acme,dc=com
-ssoRoles: ou=user,ou=bbb,ou=roles,dc=acme,dc=com
-
-
- -

So he is "user" on application "BBB" and "admin" - on application "AAA". - -

Now we have to send to right role to the right - application trough LemonLDAP::NG. - -

First step: create a rule to grant access only if - the user has a role in the application: - - - -
-
-default => $ssoRoles =~ /ou=aaa,ou=roles/
-
-
- - - -
-
-default => $ssoRoles =~ /ou=bbb,ou=roles/
-
-

-
- Second step: get the role name for the application. We will use the macros - to do that. Create two macros (inside General Parameters > Macros): - - - -
-
-aaaRole => ((grep{/ou=aaa/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=aaa/)[0]
-
-
- - - -
-
-bbbRole => ((grep{/ou=bbb/} split(';',$ssoRoles))[0] =~ /ou=(.*),ou=bbb/)[0]
-
-

-
- These regular expressions read the 'ou' value of the DN of the role of the - concerned application. This work if the user has only one role per - application.
-
- Third step: provide the role to the application. It is done by creating - the correct HTTP header: - - - -
-
-Auth-Roles => $aaaRoles
-
-
- - - -
-
-Auth-Roles => $bbbRoles
-
-

-
- Now the protected application can read in the header HTTP_AUTH_ROLES the - role of the user. -
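Review bot: the header lines `Auth-Roles => $aaaRoles` and `Auth-Roles => $bbbRoles` at the end of this hunk reference macros that the same hunk defines as `aaaRole` and `bbbRole` (singular), so as written the headers would be sent empty; if this page is being migrated into the reorganized documentation rather than dropped, fix the names at the destination. The access rules `default => $ssoName =~ /\bacme\b/` and `default => $ssoRoles =~ /ou=aaa,ou=roles/` are also unanchored substring matches against the ';'-joined attribute values, so a value that merely contains the fragment (an `ssoName` such as `acme-test`, since `-` is a word boundary, or a role DN under another base) satisfies the rule as well; suggest anchoring on the separators, e.g. `default => $ssoRoles =~ /(^|;)ou=[^,]+,ou=aaa,ou=roles,dc=acme,dc=com(;|$)/`, and stating that the rule sees the values as one joined string. The prose typos (`concatened`, `branchs`, `oragnization`, `trough`, "has one of the value") should be corrected wherever the text lands.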
- - - - diff --git a/build/lemonldap-ng/doc/advanced-install.html b/build/lemonldap-ng/doc/advanced-install.html deleted file mode 100644 index 4f743b0c1..000000000 --- a/build/lemonldap-ng/doc/advanced-install.html +++ /dev/null @@ -1,417 +0,0 @@ - - - - - - - - Lemonldap::NG documentation: advanced-install.html - - - - - -
-

ADVANCED - INSTALLATION

- -

Warning: This - document is written for people who know Lemonldap::NG. For other people, - it is recommended to build the example provided in the source and next to adapt - it to local installation. - -

- - - -

PREREQ

- -

Apache

- -

To use Lemonldap::NG, you have to run a LDAP - server and of course an Apache server compiled with mod-perl (version 1.3 - or 2.x). Generaly, the version of Apache proposed with your Linux - distribution match, but some distributions used an experimental version of - mod_perl with Apache2 (mod_perl-1.99) which does not work with - Lemonldap::NG. With such distributions (like Debian-3.1), you have to use - Apache-1.3 or to use a mod_perl backport (www.backports.org package for - Debian works fine). - -

For Apache2, you can use both mpm-worker and - mpm-prefork. Mpm-worker works faster and Lemonldap::NG use the thread - system for best performance. If you have to use mpm-prefork (for example - if you use PHP), Lemonldap::NG will work anyway. - -

You can use Lemonldap::NG in an heterogene world: - the authentication portal and the manager can work in any version of - Apache 1.3 or more even if mod_perl is not compiled, with - ModPerl::Registry or not… Only the handler (site protector) need - mod_perl. The different handlers can run on different servers with - different versions of Apache/mod_perl. - -

Perl prereq

- -

Perl modules: Apache::Session, Net::LDAP, - MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI, XML::Simple - -

With Debian: - -

- -
-
-apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl \
-                  libdbi-perl perl-modules libwww-perl libcache-cache-perl \
-                  libxml-simple-perl
-
-
- -

Portal: - -

Apache::Session, Net::LDAP, MIME::Base64, CGI, - DBI - -

With Debian: - -

- -
-
-apt-get install libapache-session-perl libnet-ldap-perl libdbi-perl \
-                  perl-modules
-
-
- -

Handler: - -

Apache::Session, LWP::UserAgent, Cache::Cache, - DBI - -

With Debian: - -

- -
-
-apt-get install libapache-session-perl libdbi-perl libwww-perl \
-                  libcache-cache-perl
-
-

-
- Manager:
-
- CGI, XML::Simple, DBI
-
- With Debian:
-
- -
-
-apt-get install perl-modules libxml-simple-perl
-
-
- -

SOFTWARE - INSTALLATION


-
- If you just want to install a handler or a portal or a manager:
-
- -
-
-$ tar xzf lemonldap-ng-*.tar.gz
-  $ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
-  $ perl Makefile.PL && make && make test
-  $ sudo make install
-
-
- -

else for a complete install: - -

- -
-
-$ tar xzf lemonldap-ng-*.tar.gz
-  $ cd lemonldap-ng-*
-  $ make && make test
-  $ sudo make install
-
-
- -

See prereq in - -

LEMONLDAP - INSTALLATION

- -

Database - configuration

If you use DBI or another system to share - Lemonldap::NG configuration, you have to initialize the database.
-
- For example, create the database "lemonldapng" :
-
- -
-
-# mysqladmin create lemonldapng
-
-
- -
Lemonldap::NG Configuration - database

-
- To store configuration, use this table :
-
- -
-
-CREATE TABLE lmConfig (
-     cfgNum int not null primary key,
-     locationRules text,
-     exportedHeaders text,
-     globalStorage text,
-     globalStorageOptions text,
-     macros text,
-     groups text,
-     portal text,
-     domain text,
-     ldapServer text,
-     ldapPort int,
-     ldapBase text,
-     securedCookie int,
-     cookieName text,
-     authentication text,
-     exportedVars text,
-     managerDn text,
-     managerPassword text,
-     whatToTrace text,
-     timeout int
-     );
-
-
- -
Apache::Session database
- -

The choice of Apache::Session::* module is free. - See Apache::Session::Store::* or Apache::Session::* to know how to - configure the module. For example, if you want to use - Apache::Session::MySQL, you can create the database like this: - -

- -
-
-CREATE TABLE sessions (
-    id char(32),
-    a_session text
-    );
-
-
- -

Manager - configuration

- -

Copy example/manager.cgi and personalize it if - you want (see Lemonldap::NG::Manager). You have to set in particular - configStorage. For example with MySQL: - -

- -
-
-$my $manager = Lemonldap::NG::Manager->new ( {
-                        dbiChain   => "DBI:mysql:database=mybase;host=1.2.3.4",
-                        dbiUser    => "lemonldap-ng",
-                        dbiPasword => "mypass",
-                 } );
-
-
- -

Securise Manager access with Apache: Lemonldap - does not securise the manager itself yet: - -

- -
-
-SSLEngine On
-  Order Deny, Allow
-  Deny from all
-  Allow from admin/network
-  AuthType Basic
-  ...
-
-
- -

Configuration - edition

- -

Connect to the manager with your browser start - configure your Web-SSO. You have to set at least some parameters: - -
General - parameters
- - - -
User groups
- -

Use the "New Group" button to add your first - group. On the left, set the keyword which will be used later and set on - the right the corresponding rule. You can use : - - or - - - -
Virtual - hosts
- -

You have to create a virtual host for each Apache - host (virtual or real) protected by Lemonldap::NG even if just a - sub-directory is protected. Else, user who want to access to the protected - area will be rejected with a "500 Internal Server Error" message and the - apache logs will explain the problem. - -

Each virtual host has 2 groups of parameters: - - -
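Review bot: the manager-hardening guidance in this deleted page ("Securise Manager access with Apache: Lemonldap does not securise the manager itself yet", with the `SSLEngine On` / `Deny from all` / `AuthType Basic` snippet) has no visible replacement in this commit, and it documents the only access control in front of a component that can rewrite the whole SSO configuration, so make sure it survives in the new layout. If it is moved, fix the snippet too: `Order Deny, Allow` has a space after the comma, which Apache's `Order` directive does not accept (it must be `Order Deny,Allow`), and `Allow from admin/network` needs a real address/netmask. The Perl example `$my $manager = Lemonldap::NG::Manager->new ( {` should begin with `my`, not `$my`, and `dbiPasword` is misspelled (check the option name against Lemonldap::NG::Manager, which documents `dbiPassword`). Minor: the first `apt-get install` line lists `libcache-cache-perl` twice, and the `lmConfig` table stores `managerPassword text` in clear, which the page should call out as a reason to restrict access to the configuration database.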
- - - - diff --git a/build/lemonldap-ng/doc/dokuwiki_logo.png b/build/lemonldap-ng/doc/dokuwiki_logo.png new file mode 100644 index 000000000..c0efbebf0 Binary files /dev/null and b/build/lemonldap-ng/doc/dokuwiki_logo.png differ diff --git a/build/lemonldap-ng/doc/error.png b/build/lemonldap-ng/doc/error.png new file mode 100644 index 000000000..70c73c31f Binary files /dev/null and b/build/lemonldap-ng/doc/error.png differ diff --git a/build/lemonldap-ng/doc/grr_logo.png b/build/lemonldap-ng/doc/grr_logo.png new file mode 100644 index 000000000..15922cda9 Binary files /dev/null and b/build/lemonldap-ng/doc/grr_logo.png differ diff --git a/build/lemonldap-ng/doc/index.html b/build/lemonldap-ng/doc/index.html index f73aeab3f..2a4dc948c 100644 --- a/build/lemonldap-ng/doc/index.html +++ b/build/lemonldap-ng/doc/index.html @@ -49,27 +49,36 @@

LemonLDAP::NG documentation

diff --git a/build/lemonldap-ng/doc/ok.png b/build/lemonldap-ng/doc/ok.png new file mode 100644 index 000000000..8477d6d77 Binary files /dev/null and b/build/lemonldap-ng/doc/ok.png differ diff --git a/build/lemonldap-ng/doc/out_of_the_box_nicu_bucu_01.png b/build/lemonldap-ng/doc/out_of_the_box_nicu_bucu_01.png new file mode 100644 index 000000000..93db0b360 Binary files /dev/null and b/build/lemonldap-ng/doc/out_of_the_box_nicu_bucu_01.png differ diff --git a/build/lemonldap-ng/doc/padlock_aj_ashton_01.png b/build/lemonldap-ng/doc/padlock_aj_ashton_01.png new file mode 100644 index 000000000..9b18e871a Binary files /dev/null and b/build/lemonldap-ng/doc/padlock_aj_ashton_01.png differ diff --git a/build/lemonldap-ng/doc/roadmap.html b/build/lemonldap-ng/doc/roadmap.html deleted file mode 100644 index af2c734c1..000000000 --- a/build/lemonldap-ng/doc/roadmap.html +++ /dev/null @@ -1,126 +0,0 @@ - - - - - - - - Lemonldap::NG documentation: roadmap.html - - - - - -
-

Roadmap for - LemonLDAP::NG

- -

- - - -

Version 0.9 - (2008)

- - - -

Version 1.0 (end - 2008)

- - - -

Version 2.0 - (2010)

- - -
- - - - diff --git a/build/lemonldap-ng/doc/tomcat_logo.png b/build/lemonldap-ng/doc/tomcat_logo.png new file mode 100644 index 000000000..1d4d21326 Binary files /dev/null and b/build/lemonldap-ng/doc/tomcat_logo.png differ diff --git a/build/lemonldap-ng/doc/tools_nicu_buculei_01.png b/build/lemonldap-ng/doc/tools_nicu_buculei_01.png new file mode 100644 index 000000000..d3c3ec416 Binary files /dev/null and b/build/lemonldap-ng/doc/tools_nicu_buculei_01.png differ diff --git a/build/lemonldap-ng/doc/tux_clemente_01.png b/build/lemonldap-ng/doc/tux_clemente_01.png new file mode 100644 index 000000000..a6274b542 Binary files /dev/null and b/build/lemonldap-ng/doc/tux_clemente_01.png differ diff --git a/build/lemonldap-ng/doc/warning_triangle.png b/build/lemonldap-ng/doc/warning_triangle.png new file mode 100644 index 000000000..b1d01f45a Binary files /dev/null and b/build/lemonldap-ng/doc/warning_triangle.png differ