diff --git a/build/lemonldap-ng/Makefile b/build/lemonldap-ng/Makefile index 9c40d3dfa..9e03da517 100644 --- a/build/lemonldap-ng/Makefile +++ b/build/lemonldap-ng/Makefile @@ -494,6 +494,12 @@ static_example: documentation: @cd doc/ && ../scripts/doc.pl + @rm -rf doc/pages/documentation/latest + @ln -s $$(perl -e '$$h{sprintf("%03d\.%03d\.%03d",split/\./,$$_)}=$$_ foreach(@ARGV); \ + foreach(sort keys %h){$$last="$$h{$$_}\n"};print $$last;' \ + $$(find doc/pages/documentation/ -maxdepth 1 -mindepth 1 -type d ! \ + -name .svn ! -name latest -printf "%f\n") \ + ) doc/pages/documentation/latest doxygen: clean $(PERL) -i -pe 's/^(PROJECT_NUMBER\s*=\s*)\d.*$$/$${1}'$(VERSION)'/' Doxyfile diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/configlocation.html b/build/lemonldap-ng/doc/pages/documentation/latest/configlocation.html deleted file mode 100644 index 442d7c68f..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/configlocation.html +++ /dev/null @@ -1,463 +0,0 @@ - - - - -
- -- -LemonLDAP::NG configuration is stored in a backend (File, database, …), that allows all modules to access it. -
- --
-By default, configuration is stored in files, so access trough network is not possible. To allow this, use SOAP for configuration access, or use a network service like SQL database or LDAP directory. -
- -
-Configuration backend can be set in the local configuration file, in configuration
section.
-
-For example, to configure the File
configuration backend:
-
[configuration] -type=File -dirName = /usr/local/lemonldap-ng/data/conf- -
- -Most of configuration can be done trough LemonLDAP::NG Manager (by default http://manager.example.com). -
- -
-By default, Manager is protected to allow only localhost. This can be changed in etc/manager-apache2.conf
:
-
<Directory /usr/local/lemonldap-ng/htdocs/manager/> - Order deny,allow - Deny from all - Allow from 127.0.0.0/8 - Options +ExecCGI - </Directory>- -
-
-The Manager displays main branches: -
-- -LemonLDAP::NG configuration is mainly a key/value structure, so Manager will present all keys into a structured tree. A click on a key will display the associated value. -
- -
-When modifying a value, always click on the Apply
button if available, to be sure the value is saved. When all modifications are done, click on Save
to store configuration.
-
-
- -
-LemonLDAP::NG ships 3 Apache configuration files: -
-
-
-These files must be included in Apache configuration, either with Include
directives in httpd.conf
(see quick start example), or with symbolic links in Apache configuration directory (like /etc/httpd/conf.d
).
-
-
LoadModule
directive.
-- -In Portal virtual host, you will find several configuration parts: - -
-ServerName auth.example.com - - # DocumentRoot - DocumentRoot /usr/local/lemonldap-ng/htdocs/portal/ - <Directory /usr/local/lemonldap-ng/htdocs/portal/> - Order allow,deny - Allow from all - Options +ExecCGI - </Directory> - - # Perl script - <Files *.pl> - SetHandler perl-script - PerlResponseHandler ModPerl::Registry - </Files> - - # Directory index - <IfModule mod_dir.c> - DirectoryIndex index.pl index.html - </IfModule>-
# SOAP functions for sessions management (disabled by default) - <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/adminSessions> - Order deny,allow - Deny from all - </Directory> - - # SOAP functions for sessions access (disabled by default) - <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/sessions> - Order deny,allow - Deny from all - </Directory> - - # SOAP functions for configuration access (disabled by default) - <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/config> - Order deny,allow - Deny from all - </Directory> - - # SOAP functions for notification insertion (disabled by default) - <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/notification> - Order deny,allow - Deny from all - </Directory>-
mod_rewrite
):# SAML2 Issuer - <IfModule mod_rewrite.c> - RewriteEngine On - RewriteRule ^/saml/metadata /metadata.pl - RewriteRule ^/saml/.* /index.pl - </IfModule> - - # CAS Issuer - <IfModule mod_rewrite.c> - RewriteEngine On - RewriteRule ^/cas/.* /index.pl - </IfModule> - - # OpenID Issuer - <IfModule mod_rewrite.c> - RewriteEngine On - RewriteRule ^/openidserver/.* /index.pl - </IfModule>-
# Best performance under ModPerl::Registry -# Uncomment this to increase performance of Portal -<Perl> - require Lemonldap::NG::Portal::SharedConf; - Lemonldap::NG::Portal::SharedConf->compile( - qw(delete header cache read_from_client cookie redirect unescapeHTML)); - # Uncomment this line if you use Lemonldap::NG menu - require Lemonldap::NG::Portal::Menu; - # Uncomment this line if you use portal SOAP capabilities - require SOAP::Lite; -</Perl>- -
- -Manager virtual host is used to serve configuration interface and local documentation. - -
-DocumentRoot /usr/local/lemonldap-ng/htdocs/manager/ - <Directory /usr/local/lemonldap-ng/htdocs/manager/> - Order deny,allow - Deny from all - Allow from 127.0.0.0/8 - Options +ExecCGI - </Directory>-
Alias /doc/ /usr/local/lemonldap-ng/htdocs/doc/ - <Directory /usr/local/lemonldap-ng/htdocs/doc/> - Order deny,allow - Allow from all - </Directory>- -
PerlOptions +GlobalRequest -PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm- -
-
ErrorDocument 403 http://auth.example.com/?lmError=403 -ErrorDocument 500 http://auth.example.com/?lmError=500-
<VirtualHost *:80> - ServerName reload.example.com - - # Configuration reload mechanism (only 1 per physical server is - # needed): choose your URL to avoid restarting Apache when - # configuration change - <Location /reload> - Order deny,allow - Deny from all - Allow from 127.0.0.0/8 - PerlHeaderParserHandler My::Package->refresh - </Location> - - # Uncomment this to activate status module - #<Location /status> - # Order deny,allow - # Deny from all - # Allow from 127.0.0.0/8 - # PerlHeaderParserHandler My::Package->status - #</Location> - -</VirtualHost>- -
-Then, to protect a standard virutal host, the only configuration line to add is: -
-PerlHeaderParserHandler My::Package- -
- -
-After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers. This can be configured in LemonLDAP::NG ini file, in the section apply
:
-
[apply] - -# URL used to reload configuration -reload.example.com=http://reload.example.com/reload -;reloaddist.example.com=http://reloaddist.example.com/reload- -
-
-The reload
target is managed in Apache configuration, inside a virtual host protected by LemonLDAP::NG Handler, for example:
-
<VirtualHost *:80> - ServerName reload.example.com - - <Location /reload> - Order deny,allow - Deny from all - Allow from 127.0.0.0/8 - PerlHeaderParserHandler My::Package->refresh - </Location> - -</VirtualHost>- -
-
-
-LemonLDAP::NG configuration can be managed in a local file with INI format. This file is called lemonldap-ng.ini
and has the following sections:
-
-
-When you set a parameter in lemonldap-ng.ini
, it will override the parameter from the global configuration.
-
-For example, to override configured skin for portal: -
-[portal] -portalSkin = dark- -
-
- -LemonLDAP::NG allows to override any configuration parameter directly in script file. However, it is not advised to edit such files, as they are part of the program, and will be erased at next upgrade. -
- --
- -For example, in portal/index.pl: -
-my $portal = Lemonldap::NG::Portal::SharedConf->new( - { - portalSkin => 'dark', - } -);- -
- -For example, in handler/MyHandler.pm: -
-__PACKAGE__->init( - { - domain => 'acme.com', - } -);- -
- -LemonLDAP::NG configuration is build around Apache virtual hosts. Each virtual host is a protected resource, with access rules, headers, POST data and options. -
- -- -To protect a virtual host in Apache, the LemonLDAP::NG Handler must be activated (see Apache global configuration). -
- --Then you can take any virtual host, and simply add this line to protect it: -
-PerlHeaderParserHandler My::Package- -
-For example, a protected virtual host for a local application: -
-<VirtualHost *:80> - ServerName localsite.example.com - - PerlHeaderParserHandler My::Package - - DocumentRoot /var/www/localsite - - ErrorLog /var/log/apache2/localsite_error.log - CustomLog /var/log/apache2/localsite_access.log combined - -</VirtualHost>- -
-And a protected virtual host with LemonLDAP::NG as reverse proxy: -
-<VirtualHost *:80> - ServerName proxysite.example.com - - PerlHeaderParserHandler My::Package - - ProxyPreserveHost on - ProxyPass / http://APPLICATION_IP/ - ProxyPassReverse / http://APPLICATION_IP/ - - ErrorLog /var/log/apache2/proxysite_error.log - CustomLog /var/log/apache2/proxysite_access.log combined -</VirtualHost>- -
-
ProxyPreserveHost
directive will forward the Host header to the protected application
--
REMOTE_USER
environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed.
-
-
-
-But this magic Apache configuration will let you transform the Auth-User HTTP header in REMOTE_USER
envronment variable:
-
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1- -
- -
- -An apache virtual host protected by LemonLDAP::NG Handler must be registered in LemonLDAP::NG configuration. -
- -
-To do this, use the Manager, and go in Virtual Hosts
branch. You can add, delete or modify a virtual host here.
-
-A virtual host contains: -
-
-
-There is a default
access rule which is used if no other access rule match the current URL. Else, each access rule refers to an URL pattern.
-
-Access rule value is an expression, evaluated for each request, and returning 1 if user is authorized, 0 else. -
- - - --Access rules examples: - -
--(?#Admin access)^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/ -(?#Static content)^/(js|css) => accept -default => deny -- -
-
-Access rules accepts special targets: -
-- -
- -Headers are sent to application, they are not visible to users. -
- --Headers value can be a single session key or a full Perl expression. For example: - -
--Auth-User => $uid -Unit => 'Unit-'.$ou -- -
-
-Session-ID => $_session_id -- -
- - -
-
- Add link to form replay page
-
- -Two options are available: -
-- -These options are used to build redirection URL (when user is not logged, or for CDA requests). By default, default values are used. These options are only here to override default values. -
- -- -
Warning: key is not defined, set it in the manager !- -
- -→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager. -
- -Unable to clear local cache- -
- -→ Local cache cannot be cleard, check the localStorage and localStorageOptions or file permissions -
-Status module can not be loaded without localStorage parameter- -
- -→ You tried to activate Status module without localStorage. Configure local cache first. -
-No configuration found- -
- -→ The configuration cannot be loaded. Check configStorage and configStorageOptionsor file permissions. -
-User rejected because VirtualHost XXXX has no configuration- -
- -→ The specified virtual host was not configured in Manager. -
- -XXXX was not found in tree- -
- -→ The specified node is not the uploaded tree. -
- -User XXXX was not granted to open session- -
- -→ Check grantSessionRule parameter. -
-XML menu configuration is deprecated. Please use lmMigrateConfFiles2ini to migrate your menu configuration- -
- -→ You do not use the new configuration syntax for application list. XML file is no more accepted. -
-Apache is not configured to authenticate users !- -
- -→ You use the Apache authentication backend, but Apache is not or bad configured (no REMOTE_USER send to LemonLDAP::NG). -
-URL contains a non protected host- -
-
-→ The host is not known by LemonLDAP::NG. Add it to trustedDomains (or set *
in trustedDomains to accept all).
-
XSS attack detected- -
- -→ Some URL parameters contain forbidden characters. -
- -- -If you run Debian testing or unstable, the LemonLDAP::NG packages are directly installable: - -
--# apt-cache search lemonldap-ng -- -
-
- -You can also get the LemonLDAP::NG archive and make the package yourself: - -
--$ tar xzf lemonldap-ng-*.tar.gz -$ cd lemonldap-ng-* -$ debuild -- -
-# apt-get install apache2 lemonldap-ng -- -
- -Before installing the packages, install dependencies. -
- --Then: - -
--# dpkg -i liblemonldap-ng-* lemonldap-ng* -- -
-
-By default, DNS domain is example.com
. You can change it quick with a sed command. For example, we change it to ow2.org:
-
# sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/* /var/lib/lemonldap-ng/test/*- -
- -LemonLDAP::NG provides many RPMs : -
--This schema shows the dependencies between modules: -
- - - -- -For now, RPMS are only available on the Download page. -
- -- -If you need it, you can rebuild RPMs: -
--%_topdir /home/user/build -%dist .el5 -%rhel 5 --
-$ rpmbuild -ba SPECS/lemonldap-ng.spec -- -
-The GPG key can be downloaded here: rpm-gpg-key-ow2 -
- --Install it to trust RPMs: -
--# rpm --import rpm-gpg-key-ow2 -- -
- -If the packages are stored in a yum repository: - -
--# yum install lemonldap-ng -- -
-You can also use yum on local RPMs file, to manage dependencies: - -
--# yum install lemonldap-ng-* perl-Lemonldap-NG-* -- -
- -Before installing the packages, install dependencies. -
- --You have then to install all the downloaded packages: - -
--# rpm -Uvh lemonldap-ng-* perl-Lemonldap-NG-* -- -
- -You can choose to install only one component by choosing the package lemonldap-ng-portal, lemonldap-ng-handler or lemonldap-ng-manager. Install the package lemonldap-ng-conf only on the server which stores configuration. -
- -
-
-By default, DNS domain is example.com
. You can change it quick with a sed command. For example, we change it to ow2.org
:
-
-# sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl -- -
- -Get the tarball from download page. You can also find on this page the SVN tarball if you want to test latest features. -
- --
- -Either checkout or export the SVN repository, or extract the SVN tarball to get the SVN files on your disk. -
- --Then go to build directory: - -
--$ cd trunk/build/lemonldap-ng -- -
-And run the “dist” target: - -
--$ make dist -- -
-The generated tarball is in the current directory. -
- -- -Just run the tar command: - -
--$ tar zxvf lemonldap-ng-*.tar.gz -- -
- -First check and install the prerequisites. -
- --For full install: -
--$ cd lemonldap-ng-* -$ make -$ make configure -$ make test -$ sudo make install -- -
-You can modify location of default storage configuration file in configure target: - -
--$ sudo make configure STORAGECONFFILE=/etc/lemonldap-ng/lemonldap-ng.ini -- -
-You can choose other Makefile targets: -
-- -You can also pass parameters to the make install command, with this syntax: - -
--$ sudo make install PARAM=VALUE PARAM=VALUE ... -- -
-Available parameters are: -
-- -By default, LemonLDAP::NG uses Apache logs to store user actions and other messages: -
-
-
-The log level can be set with Apache LogLevel
parameter. It can be configured globally, or inside a virtual host.
-
-See http://httpd.apache.org/docs/2.2/mod/core.html#loglevel for more information. -
- -
-To configure the user identifier in access log, go in Manager, General Parameters
> Logging
> REMOTE_USER
.
-
- -LemonLDAP::NG can also use syslog (only for user actions). -
- -
-In Manager, set syslog facility in General Parameters
> Logging
> Syslog facility
.
-
-The messages are stored with the facilities : -
-
-
-You can customize logs by redefining userNotice() and userError() methods, directly in lemonldap-ng.ini
-
-Example: -
-[portal] -userError = sub { my ($self, $message) = @_; ... } -userNotice = sub { my ($self, $message) = @_; ... }- -
- -
lemonldap-ng.ini
or in Perl scripts to override configuration parameters (see configuration location).
-
--
Full name | Key name | Portal | Handler | Manager | -
---|---|---|---|---|
Authentication backend | authentication | ✔ | - | |
User backend | userDB | ✔ | - | |
Password backend | passwordDB | ✔ | - | |
Session backend | globalStorage | ✔ | ✔ | - |
Session backend options | globalStorageOptions | ✔ | ✔ | - |
SAML Session backend | samlStorage | ✔ | - | |
SAML Session backend options | samlStorageOptions | ✔ | - | |
CAS Session backend | casStorage | ✔ | - | |
CAS Session backend options | casStorageOptions | ✔ | - | |
Configuration backend | configStorage | ✔ | ✔ | ✔ | -
Cache backend | localStorage | ✔ | ✔ | ✔ | -
Cache backend options | localStorageOptions | ✔ | ✔ | ✔ | -
Notification backend | notificationStorage | ✔ | - | |
Notification backend options | notificationStorageOptions | ✔ | - | |
Remote user | whatToTrace | ✔ | ✔ | - |
Custom functions | customFunctions | ✔ | ✔ | ✔ | -
Headers sent | exportedHeaders | ✔ | - | |
Access rules | locationRules | ✔ | - | |
Portal URL | portal | ✔ | ✔ | - |
Name of the cookie | cookieName | ✔ | ✔ | - |
Main DNS domain | domain | ✔ | ✔ | - |
CDA activation | cda | ✔ | ✔ | - |
Cookie security | securedCookie | ✔ | ✔ | - |
Cookie expiration | cookieExpiration | ✔ | ✔ | - |
Attributes from user backend | exportedVars | ✔ | - | |
Local groups | groups | ✔ | - | |
Macros | macros | ✔ | - | |
Session lifetime for cronjob | timeout | ✔ | - | |
Syslog facility | syslog | ✔ | - | |
SOAP activation | Soap | ✔ | - | |
Attributes exported in SOAP | exportedAttr | ✔ | - | |
Store password in session | storePassword | ✔ | - | |
Notification activation | notification | ✔ | - | |
Trusted domains | trustedDomains | ✔ | - | |
Rule for session granting | grantSessionRule | ✔ | - | |
Status module | status | ✔ | - | |
Force HTTPS in redirection | https | ✔ | - | |
Force port in redirection | port | ✔ | - | |
Protection scheme | protection | ✔ | ✔ | -|
Use XForwardedFor for IP | useXForwardedForIP | ✔ | ✔ | -|
Multi values separator | multiValuesSeparator | ✔ | ✔ | ✔ | -
SMTP server | SMTPServer | ✔ | - | |
Mail From address | mailFrom | ✔ | - | |
Regular expression for random password | randomPasswordRegexp | ✔ | - | |
Subject for password mail | mailSubject | ✔ | - | |
Body for password mail | mailBody | ✔ | - | |
Subject for confirmation mail | mailConfirmSubject | ✔ | - | |
Body for confirmation mail | mailConfirmBody | ✔ | - | |
URL for mail reset | mailUrl | ✔ | - | |
Skin name | portalSkin | ✔ | - | |
Display logout module | portalDisplayLogout | ✔ | - | |
Display reset password form | portalDisplayResetPassword | ✔ | - | |
Display change password module | portalDisplayChangePassword | ✔ | - | |
Display applications list | portalDisplayAppslist | ✔ | - | |
Allow form autocompletion | portalAutocomplete | ✔ | - | |
Require old password (change) | portalRequireOldPassword | ✔ | - | |
User name session field | portalUserAttr | ✔ | - | |
Open links in new window | portalOpenLinkInNewWindow | ✔ | - | |
Anti frame protection | portalAntiFrame | ✔ | - | |
Delete other session | singleSession | ✔ | - | |
Delete other session if IP differs | singleIP | ✔ | - | |
Do not allow several users for 1 IP | singleUserByIP | ✔ | - | |
Display other sessions | notifyOther | ✔ | - | |
Display deleted sessions | notifyDeleted | ✔ | - | |
LDAP server or Net::LDAP connexion string | ldapServer | ✔ | - | |
LDAP Port | ldapPort | ✔ | - | |
LDAP search base | ldapBase | ✔ | - | |
LDAP Bind DN | managerDn | ✔ | - | |
LDAP Bind Password | managerPassword | ✔ | - | |
LDAP main search filter | LDAPFilter | ✔ | - | |
LDAP authentication search filter | AuthLDAPFilter | ✔ | - | |
LDAP mail search filter | mailLDAPFilter | ✔ | - | |
LDAP password policy control | ldapPpolicyControl | ✔ | - | |
LDAP extended SetPassword modify | ldapSetPassword | ✔ | - | |
LDAP groups base | ldapGroupBase | ✔ | - | |
LDAP groups objectClass | ldapGroupObjectClass | ✔ | - | |
LDAP groups member attribute | ldapGroupAttributeName | ✔ | - | |
LDAP groups member link value | ldapGroupAttributeNameUser | ✔ | - | |
LDAP groups name attribute | ldapGroupAttributeNameSearch | ✔ | - | |
LDAP activate recursive groups | ldapGroupRecursive | ✔ | - | |
LDAP group link attribute name | ldapGroupAttributeNameGroup | ✔ | - | |
LDAP change password as user | ldapChangePasswordAsUser | ✔ | - | |
LDAP password encoding | ldapPwdEnc | ✔ | - | |
LDAP timeout | ldapTimeout | ✔ | - | |
LDAP version | ldapVersion | ✔ | - | |
LDAP binary attributes | ldapRaw | ✔ | - | |
LDAP authentication level | ldapAuthnLevel | ✔ | - | |
DBI Connection chain | dbiAuthChain | ✔ | - | |
DBI Connection user | dbiAuthUser | ✔ | - | |
DBI Connection password | dbiAuthPassword | ✔ | - | |
DBI Authentication table | dbiAuthTable | ✔ | - | |
DBI Login column | dbiAuthLoginCol | ✔ | - | |
DBI Password column | dbiAuthPasswordCol | ✔ | - | |
DBI Password hash | dbiAuthPasswordHash | ✔ | - | |
DBI UserDB connection chain | dbiUserChain | ✔ | - | |
DBI UserDB connection user | dbiUserUser | ✔ | - | |
DBI UserDB connection password | dbiUserPassword | ✔ | - | |
DBI UserDB table | dbiUserTable | ✔ | - | |
DBI Mail column | dbiPasswordMailCol | ✔ | - | |
DBI Pivot from user table | userPivot | ✔ | - | |
DBI authentication level | dbiAuthnLevel | ✔ | - | |
SSL user field in certificate | SSLVar | ✔ | - | |
SSL map with LDAP attribute | SSLLDAPField | ✔ | - | |
SSL force SSL authentication | SSLRequire | ✔ | - | |
SSL authentication level | SSLAuthnLevel | ✔ | - | |
CAS server URL | CAS_url | ✔ | - | |
CAS CA file | CAS_CAFile | ✔ | - | |
CAS force authentication renewal | CAS_renew | ✔ | - | |
CAS force gateway authentication | CAS_gateway | ✔ | - | |
CAS PGT temporary file | CAS_pgtFile | ✔ | - | |
CAS proxied services | CAS_proxiedServices | ✔ | - | |
CAS authentication level | CAS_authnLevel | ✔ | - | |
Remote portal | remotePortal | ✔ | - | |
Remote Session backend | remoteGlobalStorage | ✔ | - | |
Remote Session backend options | remoteGlobalStorageOptions | ✔ | - | |
Remote cookie name | remoteCookieName | ✔ | - | |
Proxy portal URL | soapAuthService | ✔ | - | |
Proxy cookie name | remoteCookieName | ✔ | - | |
Proxy session SOAP end point | soapSessionService | ✔ | - | |
Twitter application key | twitterKey | ✔ | - | |
Twitter application secret | twitterSecret | ✔ | - | |
Twitter application name | twitterAppName | ✔ | - | |
Twitter authentication level | twitterAuthnLevel | ✔ | - | |
OpenID secret token | openIdSecret | ✔ | - | |
OpenID allowed domains | openIdIDPList | ✔ | - | |
OpenID authentication level | openIdAuthnLevel | ✔ | - | |
Apache authentication level | apacheAuthnLevel | ✔ | - | |
Null authentication level | nullAuthnLevel | ✔ | - | |
Choice URL parameter | authChoiceParam | ✔ | - | |
Choice modules | authChoiceModules | ✔ | - | |
Multi overridden parameters | multi | ✔ | - | |
Zimbra preauthentication key | zimbraPreAuthKey | ✔ | - | |
Zimbra account session key | zimbraAccountKey | ✔ | - | |
Zimbra account type | zimbraBy | ✔ | - | |
Zimbra preauthentication URL | zimbraUr | ✔ | - | |
Zimbra local SSO URL pattern | zimbraSsoUrl | ✔ | - | |
Sympa shared secret | sympaSecret | ✔ | - | |
Sympa mail session key | sympaMailKey | ✔ | - |
- -
- -LemonLDAP::NG is shipped with 3 skins: -
-
-
-You can change the skin in Manager: General Parameters
> Portal
> Customization
> Skin
.
-
- -A skin is composed of different files: -
-
-
-A skin will often refer to the common
skin, which is not a real skin, but shared skin objects (like scripts, images and CSS).
-
- -
-To customize a skin, the simplest way is to create a new skin folder: - -
--$ cd portal/skins -$ mkdir myskin -$ mkdir myskin/css -$ mkdir myskin/images -- -
-Then create symbolic links on template files, as you might not want to rewrite all HTML code (else, do as you want). - -
--$ cd myskin -$ ln -s ../pastel/*.tpl . -- -
-Then you only have to write myskin/css/styles.css
and add your media to myskin/images
.
-
-As your skin is not registered in Manager, configure it trough lemonldap-ng.ini
:
-
-
[portal] -portalSkin = myskin- -
Connected as
in the menu- -
- -
- -LemonLDAP::NG portal menu has 3 modules: -
-
-
-Each module can be activated trough a rule, using user session information. These rules can be set trough Manager: General Parameters
> Portal
> Menu
> Modules activation
.
-
-You can use 0
or 1
to disable/enable the module, or use a more complex rule. For example, to display the password change form only for user authenticated trough LDAP or DBI:
-
$_auth eq LDAP or $_auth eq DBI- -
- -Configuring the virtual hosts is not sufficient to display an application in the menu. Indeed, a virtual host can contain several applications (http://vhost.example.com/appli1, http://vhost.example.com/appli2). -
- -
-In Manager, you can configure categories and applications in General Parameters
> Portal
> Menu
> Categories and applications
.
-
-Category parameters: -
-- -Application parameters: -
-- -
- -To use LemonLDAP::NG, you have to run an Apache -server compiled with mod-perl (version 1.3 or 2.x). -
- --
-For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works faster and LemonLDAP::NG use the thread system for best performance. If you have to use mpm-prefork (for example if you use PHP), LemonLDAP::NG will work anyway. -
- --You can use LemonLDAP::NG in an heterogeneous world: the authentication portal and the manager can work in any version of Apache 1.3 or more even if mod_perl is not compiled, with ModPerl::Registry or not… Only the handler -need mod_perl. The different handlers can run on different servers with -different versions of Apache/mod_perl. -
- -- -
-# apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl libstring-random-perl libemail-date-format-perl libmime-lite-perl libcrypt-openssl-rsa-perl libdigest-hmac-perl -- -
- -Choose a repository which hosted Perl dependencies: -
--# yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON perl-Digest-HMAC -- -
- -The SSO cookie is build by the portal (as described in the login kinematic), or by the Handler for cross domain authentication (see CDA kinematic). -
- -
-To edit SSO cookie parameters, go in Manager, General Parameters
> Cookies
:
-
- -
- -Portal URL is the address used to redirect users on the authentication portal by: -
-- -
- -When status feature is activated, Handlers and portal will collect statistics and save them in their local cache. This means that if several Handlers are deployed, each will manage its own statistics. -
- --
-The statistics are collected trough a daemon launched by the Handler. It can be seen in system processes, for example: - -
--perl -MLemonldap::NG::Handler::Status -I/etc/perl -I/usr/local/lib/perl/5.10.1 -I/usr/local/share/perl/5.10.1 -I/usr/lib/perl5 -I/usr/share/perl5 -I/usr/lib/perl/5.10 -I/usr/share/perl/5.10 -I/usr/local/lib/site_perl -I. -I/etc/apache2 -e &Lemonldap::NG::Handler::Status::run(Cache::FileCache,{? 'cache_depth' => 5,? 'cache_root' => '/tmp',? 'directory_umask' => '007',? 'default_expires_in' => 600,? 'namespace' => 'MyNamespace'? }?); -- -
-Statistics are displayed when calling the status path on an Handler (for example: http://test1.example.com/status). -
- --Example of status page: -
- - - -- -You need to give access to status path in the Handler Apache configuration: -
-# Uncomment this to activate status module - <Location /status> - Order deny,allow - Allow from 127.0.0.0/8 - PerlHeaderParserHandler My::Package->status - </Location>- -
-Then restart Apache. -
- --
Allow
directive to match administration IP, or use another Apache protection mean.
-
-
-Edit lemonldap-ng.ini
, and activate status in the handler
section:
-
[handler] -# Set status to 1 if you want to have the report of activity (used for -# example to inform MRTG) -status = 1- -
-Then restart Apache. -
- -- -
- -Now LemonLDAP::NG is shipped with 3 Apache configuration files: -
-- -
-You need to update these files with all your Apache configuration customization. -
- -- -LemonLDAP::NG 0.9.4 used local files for some settings: -
-
-
-Those file are not used anymore, and merged into lemonldap-ng.ini
.
-
-There is a script in the bin/ directory called lmMigrateConfFiles2ini
designed to parse old configuration files and copy parameters in the new file.
-
-Script options: -
-- -Here is how you can use it, if you installed LemonLDAP::NG from the tarball in the /usr/local/lemonldap-ng directory: - -
--$ sudo /usr/local/lemonldap-ng/bin/lmMigrateConfFiles2ini -d /usr/local/lemonldap-ng/etc -v -p -- -
-Remove the -p
options if you want to delete old files.
-
-
-
-Before 1.0, we used to override some configuration parameters by editing perl scripts (like portal/index.pl
) and setting values like this :
-
my $portal = Lemonldap::NG::Portal::SharedConf->new( { - portal => 'auth.example.com', - cookieName => 'lemonldap', - ldapPort => '390', -} );- -
-The new lemonldap-ng.ini
file should be now used to do this, as perl scripts are program files that are erased on software updates. You have to know too that all configuration parameters are now available in Manager interface.
-
-If you still need to customize those program files, please prefer to copy them: - -
--# cp portal/index.pl portal/indexcustom.pl -- -
-And declare your custom file in Apache configuration - -
-DirectoryIndex indexcustom.pl
-
--This will prevent your local modifications to be dropped when you will update your LemonLDAP::NG version. -
- -- -Liberty Alliance portal was removed. So ID-FF authentication is no more supported. -
- --To replace it, LemonLDAP::NG has now SAML2 authentication backend. -
- -- -DBI configuration has been removed. You now have two choices to store configuration in a database: -
-
-
- add links to RDBI and CDBI conf
-
-
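Review bot: in the new `documentation` target of build/lemonldap-ng/Makefile, the single-quoted `perl -e` program is split with a backslash-newline after `foreach(@ARGV); \`, and make passes backslash-newline pairs inside a recipe through to the shell unchanged; since that break sits inside the single quotes, Perl receives a literal `\` immediately before the second `foreach`, which it will reject as a syntax error rather than treat as line continuation. Either keep the whole `-e` program on one physical line (continuations outside the quotes, as the later `' \` already does) or move the version-sorting into a small script under scripts/ next to doc.pl. Two smaller points in the same hunk: `sprintf("%03d\.%03d\.%03d", split/\./, $_)` assumes every directory under doc/pages/documentation/ is exactly `X.Y.Z` with numeric parts, so a name such as `1.0` or a non-numeric directory (only `.svn` and `latest` are excluded by the `find`) gets a wrong key and can become `latest`; filtering names with `/^\d+\.\d+\.\d+$/` before keying would make the choice explicit. And if `find` returns nothing, `ln -s "" doc/pages/documentation/latest` fails with an unhelpful message, so a guard (or `test -n`) would give a clearer error.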
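Review bot: the deletion of build/lemonldap-ng/doc/pages/documentation/latest/configlocation.html needs to be checked against the Makefile change in the same commit, because `latest` is now expected to be a symlink: the target runs `rm -rf doc/pages/documentation/latest` before `ln -s`, so any other file still tracked under that directory will be wiped on every `make documentation`, and as long as a real `latest/` directory remains in the tree the `ln -s` will either fail or create the link inside it. Only configlocation.html is removed in this diff, so confirm that the rest of `latest/` is deleted in the same change and that the generated `latest` link is added to the version-control ignore list (the `find` explicitly skips `.svn`, so this is an SVN checkout). The removed page itself is the duplicated copy of the documentation that the symlink replaces, so no content is lost once the link resolves to the highest versioned directory.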