diff --git a/build/lemonldap-ng/Makefile b/build/lemonldap-ng/Makefile index 9c40d3dfa..9e03da517 100644 --- a/build/lemonldap-ng/Makefile +++ b/build/lemonldap-ng/Makefile @@ -494,6 +494,12 @@ static_example: documentation: @cd doc/ && ../scripts/doc.pl + @rm -rf doc/pages/documentation/latest + @ln -s $$(perl -e '$$h{sprintf("%03d\.%03d\.%03d",split/\./,$$_)}=$$_ foreach(@ARGV); \ + foreach(sort keys %h){$$last="$$h{$$_}\n"};print $$last;' \ + $$(find doc/pages/documentation/ -maxdepth 1 -mindepth 1 -type d ! \ + -name .svn ! -name latest -printf "%f\n") \ + ) doc/pages/documentation/latest doxygen: clean $(PERL) -i -pe 's/^(PROJECT_NUMBER\s*=\s*)\d.*$$/$${1}'$(VERSION)'/' Doxyfile diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/configlocation.html b/build/lemonldap-ng/doc/pages/documentation/latest/configlocation.html deleted file mode 100644 index 442d7c68f..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/configlocation.html +++ /dev/null @@ -1,463 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Configuration overview

-
- -
- -

Backends

-
- -

- -LemonLDAP::NG configuration is stored in a backend (File, database, …), that allows all modules to access it. -

- -

-

Detailled configuration backends documentation is available here. -

-

- -

-By default, configuration is stored in files, so access trough network is not possible. To allow this, use SOAP for configuration access, or use a network service like SQL database or LDAP directory. -

- -

-Configuration backend can be set in the local configuration file, in configuration section. -

- -

-For example, to configure the File configuration backend: -

-
[configuration]
-type=File
-dirName = /usr/local/lemonldap-ng/data/conf
- -
- -

Manager

-
- -

- -Most of configuration can be done trough LemonLDAP::NG Manager (by default http://manager.example.com). -

- -

-By default, Manager is protected to allow only localhost. This can be changed in etc/manager-apache2.conf: -

-
    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
-        Order deny,allow
-        Deny from all
-        Allow from 127.0.0.0/8
-        Options +ExecCGI
-    </Directory>
- -

-

You can change allowed IP, or add an Apache authentication module. When LemonLDAP::NG will be fully configured, you can also protect Manager with the Handler, as any other web application. -

-

- -

-The Manager displays main branches: -

- - -

- -LemonLDAP::NG configuration is mainly a key/value structure, so Manager will present all keys into a structured tree. A click on a key will display the associated value. -

- -

-When modifying a value, always click on the Apply button if available, to be sure the value is saved. When all modifications are done, click on Save to store configuration. -

- -

-

LemonLDAP::NG will do some checks on configuration and display errors if any. Configuration is not saved if errors occur. -

-

- -
- -

Apache

-
- -

- -

LemonLDAP::NG does not manage Apache configuration -

-

- -

-LemonLDAP::NG ships 3 Apache configuration files: -

- - -

- -These files must be included in Apache configuration, either with Include directives in httpd.conf (see quick start example), or with symbolic links in Apache configuration directory (like /etc/httpd/conf.d). -

- -

-

Mod Perl must be loaded before LemonLDAP::NG, so include configuration after the mod_perl LoadModule directive. -

-

- -
- -

Portal

-
- -

- -In Portal virtual host, you will find several configuration parts: - -

- -
    ServerName auth.example.com
- 
-    # DocumentRoot
-    DocumentRoot /usr/local/lemonldap-ng/htdocs/portal/
-    <Directory /usr/local/lemonldap-ng/htdocs/portal/>
-        Order allow,deny
-        Allow from all
-        Options +ExecCGI
-    </Directory>
- 
-    # Perl script
-    <Files *.pl>
-        SetHandler perl-script
-        PerlResponseHandler ModPerl::Registry
-    </Files>
- 
-    # Directory index
-    <IfModule mod_dir.c>
-        DirectoryIndex index.pl index.html
-    </IfModule>
- -
    # SOAP functions for sessions management (disabled by default)
-    <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/adminSessions>
-        Order deny,allow
-        Deny from all
-    </Directory>
- 
-    # SOAP functions for sessions access (disabled by default)
-    <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/sessions>
-        Order deny,allow
-        Deny from all
-    </Directory>
- 
-    # SOAP functions for configuration access (disabled by default)
-    <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/config>
-        Order deny,allow
-        Deny from all
-    </Directory>
- 
-    # SOAP functions for notification insertion (disabled by default)
-    <Directory /usr/local/lemonldap-ng/htdocs/portal//index.pl/notification>
-        Order deny,allow
-        Deny from all
-    </Directory>
- -
    # SAML2 Issuer
-    <IfModule mod_rewrite.c>
-        RewriteEngine On
-        RewriteRule ^/saml/metadata /metadata.pl
-        RewriteRule ^/saml/.* /index.pl
-    </IfModule>
- 
-    # CAS Issuer
-    <IfModule mod_rewrite.c>
-        RewriteEngine On
-        RewriteRule ^/cas/.* /index.pl
-    </IfModule>
- 
-    # OpenID Issuer
-    <IfModule mod_rewrite.c>
-        RewriteEngine On
-        RewriteRule ^/openidserver/.* /index.pl
-    </IfModule>
- -
# Best performance under ModPerl::Registry
-# Uncomment this to increase performance of Portal
-<Perl>
-    require Lemonldap::NG::Portal::SharedConf;
-    Lemonldap::NG::Portal::SharedConf->compile(
-        qw(delete header cache read_from_client cookie redirect unescapeHTML));
-    # Uncomment this line if you use Lemonldap::NG menu
-    require Lemonldap::NG::Portal::Menu;
-    # Uncomment this line if you use portal SOAP capabilities
-    require SOAP::Lite;
-</Perl>
- -
- -

Manager

-
- -

- -Manager virtual host is used to serve configuration interface and local documentation. - -

- -
    DocumentRoot /usr/local/lemonldap-ng/htdocs/manager/
-    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
-        Order deny,allow
-        Deny from all
-        Allow from 127.0.0.0/8
-        Options +ExecCGI
-    </Directory>
- -
    Alias /doc/ /usr/local/lemonldap-ng/htdocs/doc/
-    <Directory /usr/local/lemonldap-ng/htdocs/doc/>
-        Order deny,allow
-        Allow from all
-    </Directory>
- -
- -

Handler

-
- -
PerlOptions +GlobalRequest
-PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm
- -

-

The Handler must be loaded before any protected virtual host. -

- -

- -
ErrorDocument 403 http://auth.example.com/?lmError=403
-ErrorDocument 500 http://auth.example.com/?lmError=500
- -
<VirtualHost *:80>
-    ServerName reload.example.com
- 
-    # Configuration reload mechanism (only 1 per physical server is
-    # needed): choose your URL to avoid restarting Apache when
-    # configuration change
-    <Location /reload>
-        Order deny,allow
-        Deny from all
-        Allow from 127.0.0.0/8
-        PerlHeaderParserHandler My::Package->refresh
-    </Location>
- 
-    # Uncomment this to activate status module
-    #<Location /status>
-    #    Order deny,allow
-    #    Deny from all
-    #    Allow from 127.0.0.0/8
-    #    PerlHeaderParserHandler My::Package->status
-    #</Location>
- 
-</VirtualHost>
- -

-Then, to protect a standard virutal host, the only configuration line to add is: -

-
PerlHeaderParserHandler My::Package
- -
- -

Configuration reload

-
- -

- -

As Handlers keep configuration in cache, when configuration change, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers the mean to reload them trough an HTTP request. Configuration reload will then be effective in less than 10 minutes. -

-

- -

-After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers. This can be configured in LemonLDAP::NG ini file, in the section apply: -

-
[apply]
- 
-# URL used to reload configuration
-reload.example.com=http://reload.example.com/reload
-;reloaddist.example.com=http://reloaddist.example.com/reload
- -

-

You only need a reload URL per physical servers, as Handlers share the same configuration cache on each physical server. -

-

- -

-The reload target is managed in Apache configuration, inside a virtual host protected by LemonLDAP::NG Handler, for example: -

-
<VirtualHost *:80>
-    ServerName reload.example.com
- 
-    <Location /reload>
-        Order deny,allow
-        Deny from all
-        Allow from 127.0.0.0/8
-        PerlHeaderParserHandler My::Package->refresh
-    </Location>
- 
-</VirtualHost>
- -

-

You must allow access to Manager IP. -

-

- -
- -

Local file

-
- -

- -LemonLDAP::NG configuration can be managed in a local file with INI format. This file is called lemonldap-ng.ini and has the following sections: -

- - -

- -When you set a parameter in lemonldap-ng.ini, it will override the parameter from the global configuration. -

- -

-For example, to override configured skin for portal: -

-
[portal]
-portalSkin = dark
- -

-

You need to know the technical name of configuration parameter to do this. You can refer to parameter list to find it. -

-

- -
- -

Script files

-
- -

- -LemonLDAP::NG allows to override any configuration parameter directly in script file. However, it is not advised to edit such files, as they are part of the program, and will be erased at next upgrade. -

- -

-

You also need to know the technical name of configuration parameter to do this. You can refer to parameter list to find it. -

-

- -
- -

Portal

-
- -

- -For example, in portal/index.pl: -

-
my $portal = Lemonldap::NG::Portal::SharedConf->new(
-    {
-        portalSkin => 'dark',
-    }
-);
- -
- -

Handler

-
- -

- -For example, in handler/MyHandler.pm: -

-
__PACKAGE__->init(
-    {
-        domain => 'acme.com',
-    }
-);
- -
-
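Review bot: doc/pages/documentation/latest needs an ignore entry (the find in the Makefile hunk already skips .svn, so an svn:ignore property on doc/pages/documentation/ would fit), because once these tracked files are deleted the path exists only as a symlink generated by the documentation target. Without it the generated link shows up as an unversioned item after every build and can be committed again by accident. A one-line comment above the recipe saying that latest is a build product would also help whoever next looks for these pages in the tree.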
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/configvhost.html b/build/lemonldap-ng/doc/pages/documentation/latest/configvhost.html deleted file mode 100644 index dc59b4ec0..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/configvhost.html +++ /dev/null @@ -1,248 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Manage virtual hosts

-
- -

- -LemonLDAP::NG configuration is build around Apache virtual hosts. Each virtual host is a protected resource, with access rules, headers, POST data and options. -

- -
- -

Apache configuration

-
- -

- -To protect a virtual host in Apache, the LemonLDAP::NG Handler must be activated (see Apache global configuration). -

- -

-Then you can take any virtual host, and simply add this line to protect it: -

-
PerlHeaderParserHandler My::Package
- -

-For example, a protected virtual host for a local application: -

-
<VirtualHost *:80>
-        ServerName localsite.example.com
- 
-        PerlHeaderParserHandler My::Package
- 
-        DocumentRoot /var/www/localsite
- 
-        ErrorLog /var/log/apache2/localsite_error.log
-        CustomLog /var/log/apache2/localsite_access.log combined
- 
-</VirtualHost>
- -

-And a protected virtual host with LemonLDAP::NG as reverse proxy: -

-
<VirtualHost *:80>
-        ServerName proxysite.example.com
- 
-        PerlHeaderParserHandler My::Package
- 
-        ProxyPreserveHost on
-        ProxyPass / http://APPLICATION_IP/
-        ProxyPassReverse / http://APPLICATION_IP/
- 
-        ErrorLog /var/log/apache2/proxysite_error.log
-        CustomLog /var/log/apache2/proxysite_access.log combined
-</VirtualHost>
- -

-

The ProxyPreserveHost directive will forward the Host header to the protected application -

-

- -

-

Using the reverse proxy mode, you will not have the REMOTE_USER environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed. -

- -

-But this magic Apache configuration will let you transform the Auth-User HTTP header in REMOTE_USER envronment variable: -

-
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
- -

- -

-

- -
- -

LemonLDAP::NG configuration

-
- -

- -An apache virtual host protected by LemonLDAP::NG Handler must be registered in LemonLDAP::NG configuration. -

- -

-To do this, use the Manager, and go in Virtual Hosts branch. You can add, delete or modify a virtual host here. -

- -

-A virtual host contains: -

- - -
- -

Access rules

-
- -

- -There is a default access rule which is used if no other access rule match the current URL. Else, each access rule refers to an URL pattern. -

- -

-Access rule value is an expression, evaluated for each request, and returning 1 if user is authorized, 0 else. -

- -

- -

- -

-Access rules examples: - -

-
-(?#Admin access)^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
-(?#Static content)^/(js|css) => accept
-default => deny
-
- -

-

Rule comments are used in Manager to display the rule. Comments can also be used to sort rules. -

-

- -

-Access rules accepts special targets: -

- - -

- -

The logout* targets can have an URL as parameter. By default, user will be redirected on portal if no URL defined, or on the specified URL if any. -

-

- -
- -

HTTP headers

-
- -

- -Headers are sent to application, they are not visible to users. -

- -

-Headers value can be a single session key or a full Perl expression. For example: - -

-
-Auth-User => $uid
-Unit => 'Unit-'.$ou
-
- -

-

By default, SSO cookie is hidden, so protected applications cannot get SSO session key. But you can forward this key if it is really needed: - -

-
-Session-ID => $_session_id
-
- -

- - -

-

- -
- -

POST data

-
- -

- -FIXME Add link to form replay page -

- -
- -

Options

-
- -

- -Two options are available: -

- - -

- -These options are used to build redirection URL (when user is not logged, or for CDA requests). By default, default values are used. These options are only here to override default values. -

- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/error.html b/build/lemonldap-ng/doc/pages/documentation/latest/error.html deleted file mode 100644 index 00202e681..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/error.html +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Error messages

-
- -

- -

This page do not reference all error messages, but only the frequentest -

-

- -
- -

Lemonldap::NG::Common

-
-
Warning: key is not defined, set it in the manager !
- -

- -→ LemonLDAP::NG uses a key to crypt/decrypt some datas. You have to set its value in Manager. -

- -
- -

Lemonldap::NG::Handler

-
-
Unable to clear local cache
- -

- -→ Local cache cannot be cleard, check the localStorage and localStorageOptions or file permissions -

-
Status module can not be loaded without localStorage parameter
- -

- -→ You tried to activate Status module without localStorage. Configure local cache first. -

-
No configuration found
- -

- -→ The configuration cannot be loaded. Check configStorage and configStorageOptionsor file permissions. -

-
User rejected because VirtualHost XXXX has no configuration
- -

- -→ The specified virtual host was not configured in Manager. -

- -
- -

Lemonldap::NG::Manager

-
-
XXXX was not found in tree
- -

- -→ The specified node is not the uploaded tree. -

- -
- -

Lemonldap::NG::Portal

-
-
User XXXX was not granted to open session
- -

- -→ Check grantSessionRule parameter. -

-
XML menu configuration is deprecated. Please use lmMigrateConfFiles2ini to migrate your menu configuration
- -

- -→ You do not use the new configuration syntax for application list. XML file is no more accepted. -

-
Apache is not configured to authenticate users !
- -

- -→ You use the Apache authentication backend, but Apache is not or bad configured (no REMOTE_USER send to LemonLDAP::NG). -

-
URL contains a non protected host
- -

- -→ The host is not known by LemonLDAP::NG. Add it to trustedDomains (or set * in trustedDomains to accept all). -

-
XSS attack detected
- -

- -→ Some URL parameters contain forbidden characters. -

- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/installdeb.html b/build/lemonldap-ng/doc/pages/documentation/latest/installdeb.html deleted file mode 100644 index 97c5ab7e0..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/installdeb.html +++ /dev/null @@ -1,118 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Installation on Debian/Ubuntu with packages

-
- -
- -

Get the packages

-
- -

- -If you run Debian testing or unstable, the LemonLDAP::NG packages are directly installable: - -

-
-# apt-cache search lemonldap-ng
-
- -

-

Packages from Debian repository may not be up to date. Prefer installing Debian packages downloaded from this site. -

-

- -
- -

Build your package

-
- -

- -You can also get the LemonLDAP::NG archive and make the package yourself: - -

-
-$ tar xzf lemonldap-ng-*.tar.gz
-$ cd lemonldap-ng-*
-$ debuild
-
- -
- -

Install packages with apt-get

-
-
-# apt-get install apache2 lemonldap-ng
-
- -
- -

Install packages with dpkg

-
- -

- -Before installing the packages, install dependencies. -

- -

-Then: - -

-
-# dpkg -i liblemonldap-ng-* lemonldap-ng*
-
- -
- -

File location

-
- - -
- -

Change default DNS domain

-
- -

- -By default, DNS domain is example.com. You can change it quick with a sed command. For example, we change it to ow2.org: -

-
# sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/* /var/lib/lemonldap-ng/test/*
- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/installrpm.html b/build/lemonldap-ng/doc/pages/documentation/latest/installrpm.html deleted file mode 100644 index 4f5663a5c..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/installrpm.html +++ /dev/null @@ -1,213 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Installation on RedHat/CentOS

-
- -
- -

RPMs organization

-
- -

- -LemonLDAP::NG provides many RPMs : -

- - -

-This schema shows the dependencies between modules: -

- -

- -

- -
- -

Get the packages

-
- -

- -For now, RPMS are only available on the Download page. -

- -
- -

Build your packages

-
- -

- -If you need it, you can rebuild RPMs: -

- -
-%_topdir /home/user/build
-%dist .el5
-%rhel 5
-
- -
-$ rpmbuild -ba SPECS/lemonldap-ng.spec
-
- -
- -

Package GPG signature

-
- -

-The GPG key can be downloaded here: rpm-gpg-key-ow2 -

- -

-Install it to trust RPMs: -

-
-# rpm --import rpm-gpg-key-ow2
-
- -
- -

Install packages with yum

-
- -

- -If the packages are stored in a yum repository: - -

-
-# yum install lemonldap-ng
-
- -

-You can also use yum on local RPMs file, to manage dependencies: - -

-
-# yum install lemonldap-ng-* perl-Lemonldap-NG-*
-
- -
- -

Install packages with rpm

-
- -

- -Before installing the packages, install dependencies. -

- -

-You have then to install all the downloaded packages: - -

-
-# rpm -Uvh lemonldap-ng-* perl-Lemonldap-NG-*
-
- -
- -

Install just one component

-
- -

- -You can choose to install only one component by choosing the package lemonldap-ng-portal, lemonldap-ng-handler or lemonldap-ng-manager. Install the package lemonldap-ng-conf only on the server which stores configuration. -

- -
- -

File location

-
- - -
- -

Change default DNS domain

-
- -

- -By default, DNS domain is example.com. You can change it quick with a sed command. For example, we change it to ow2.org: -

-
-# sed -i 's/example\.com/ow2.org/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl
-
- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/installtarball.html b/build/lemonldap-ng/doc/pages/documentation/latest/installtarball.html deleted file mode 100644 index 8a147b25e..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/installtarball.html +++ /dev/null @@ -1,202 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Installation from the tarball

-
- -
- -

Get the tarball

-
- -

- -Get the tarball from download page. You can also find on this page the SVN tarball if you want to test latest features. -

- -

-

The content of the SVN tarball is not the same as the official tarball. Please see the next chapter to learn how build an official tarball from SVN files. -

-

- -
- -

Build the tarball from SVN

-
- -

- -Either checkout or export the SVN repository, or extract the SVN tarball to get the SVN files on your disk. -

- -

-Then go to build directory: - -

-
-$ cd trunk/build/lemonldap-ng
-
- -

-And run the “dist” target: - -

-
-$ make dist
-
- -

-The generated tarball is in the current directory. -

- -
- -

Extraction

-
- -

- -Just run the tar command: - -

-
-$ tar zxvf lemonldap-ng-*.tar.gz
-
- -
- -

Installation

-
- -

- -First check and install the prerequisites. -

- -

-For full install: -

-
-$ cd lemonldap-ng-*
-$ make
-$ make configure
-$ make test
-$ sudo make install
-
- -

-You can modify location of default storage configuration file in configure target: - -

-
-$ sudo make configure STORAGECONFFILE=/etc/lemonldap-ng/lemonldap-ng.ini
-
- -

-You can choose other Makefile targets: -

- - -

- -You can also pass parameters to the make install command, with this syntax: - -

-
-$ sudo make install PARAM=VALUE PARAM=VALUE ...
-
- -

-Available parameters are: -

- - -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/logs.html b/build/lemonldap-ng/doc/pages/documentation/latest/logs.html deleted file mode 100644 index a22214fc0..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/logs.html +++ /dev/null @@ -1,101 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Logs

-
- -
- -

Apache logging

-
- -

- -By default, LemonLDAP::NG uses Apache logs to store user actions and other messages: -

- - -

- -The log level can be set with Apache LogLevel parameter. It can be configured globally, or inside a virtual host. -

- -

-See http://httpd.apache.org/docs/2.2/mod/core.html#loglevel for more information. -

- -

-To configure the user identifier in access log, go in Manager, General Parameters > Logging > REMOTE_USER. -

- -
- -

Syslog

-
- -

- -LemonLDAP::NG can also use syslog (only for user actions). -

- -

-In Manager, set syslog facility in General Parameters > Logging > Syslog facility. -

- -

-The messages are stored with the facilities : -

- - -
- -

Override logging functions

-
- -

- -You can customize logs by redefining userNotice() and userError() methods, directly in lemonldap-ng.ini -

- -

-Example: -

-
[portal]
-userError = sub { my ($self, $message) = @_; ... }
-userNotice = sub { my ($self, $message) = @_; ... }
- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/parameterlist.html b/build/lemonldap-ng/doc/pages/documentation/latest/parameterlist.html deleted file mode 100644 index ff7a7f21d..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/parameterlist.html +++ /dev/null @@ -1,462 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Parameter list

-
- -

- -

-Click on a column header to sort table. -The attribute key name can be used directly in lemonldap-ng.ini or in Perl scripts to override configuration parameters (see configuration location). - -

-

- -

-

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Full name Key name Portal Handler Manager
Authentication backend authentication
User backend userDB
Password backend passwordDB
Session backend globalStorage
Session backend options globalStorageOptions
SAML Session backend samlStorage
SAML Session backend options samlStorageOptions
CAS Session backend casStorage
CAS Session backend options casStorageOptions
Configuration backend configStorage
Cache backend localStorage
Cache backend options localStorageOptions
Notification backend notificationStorage
Notification backend options notificationStorageOptions
Remote user whatToTrace
Custom functions customFunctions
Headers sent exportedHeaders
Access rules locationRules
Portal URL portal
Name of the cookie cookieName
Main DNS domain domain
CDA activation cda
Cookie security securedCookie
Cookie expiration cookieExpiration
Attributes from user backend exportedVars
Local groups groups
Macros macros
Session lifetime for cronjob timeout
Syslog facility syslog
SOAP activation Soap
Attributes exported in SOAP exportedAttr
Store password in session storePassword
Notification activation notification
Trusted domains trustedDomains
Rule for session granting grantSessionRule
Status module status
Force HTTPS in redirection https
Force port in redirection port
Protection scheme protection
Use XForwardedFor for IP useXForwardedForIP
Multi values separator multiValuesSeparator
SMTP server SMTPServer
Mail From address mailFrom
Regular expression for random password randomPasswordRegexp
Subject for password mail mailSubject
Body for password mail mailBody
Subject for confirmation mail mailConfirmSubject
Body for confirmation mail mailConfirmBody
URL for mail reset mailUrl
Skin name portalSkin
Display logout module portalDisplayLogout
Display reset password form portalDisplayResetPassword
Display change password module portalDisplayChangePassword
Display applications list portalDisplayAppslist
Allow form autocompletion portalAutocomplete
Require old password (change) portalRequireOldPassword
User name session field portalUserAttr
Open links in new window portalOpenLinkInNewWindow
Anti frame protection portalAntiFrame
Delete other session singleSession
Delete other session if IP differs singleIP
Do not allow several users for 1 IP singleUserByIP
Display other sessions notifyOther
Display deleted sessions notifyDeleted
LDAP server or Net::LDAP connexion string ldapServer
LDAP Port ldapPort
LDAP search base ldapBase
LDAP Bind DN managerDn
LDAP Bind Password managerPassword
LDAP main search filter LDAPFilter
LDAP authentication search filter AuthLDAPFilter
LDAP mail search filter mailLDAPFilter
LDAP password policy control ldapPpolicyControl
LDAP extended SetPassword modify ldapSetPassword
LDAP groups base ldapGroupBase
LDAP groups objectClass ldapGroupObjectClass
LDAP groups member attribute ldapGroupAttributeName
LDAP groups member link value ldapGroupAttributeNameUser
LDAP groups name attribute ldapGroupAttributeNameSearch
LDAP activate recursive groups ldapGroupRecursive
LDAP group link attribute name ldapGroupAttributeNameGroup
LDAP change password as user ldapChangePasswordAsUser
LDAP password encoding ldapPwdEnc
LDAP timeout ldapTimeout
LDAP version ldapVersion
LDAP binary attributes ldapRaw
LDAP authentication level ldapAuthnLevel
DBI Connection chain dbiAuthChain
DBI Connection user dbiAuthUser
DBI Connection password dbiAuthPassword
DBI Authentication table dbiAuthTable
DBI Login column dbiAuthLoginCol
DBI Password column dbiAuthPasswordCol
DBI Password hash dbiAuthPasswordHash
DBI UserDB connection chain dbiUserChain
DBI UserDB connection user dbiUserUser
DBI UserDB connection password dbiUserPassword
DBI UserDB table dbiUserTable
DBI Mail column dbiPasswordMailCol
DBI Pivot from user table userPivot
DBI authentication level dbiAuthnLevel
SSL user field in certificate SSLVar
SSL map with LDAP attribute SSLLDAPField
SSL force SSL authentication SSLRequire
SSL authentication level SSLAuthnLevel
CAS server URL CAS_url
CAS CA file CAS_CAFile
CAS force authentication renewal CAS_renew
CAS force gateway authentication CAS_gateway
CAS PGT temporary file CAS_pgtFile
CAS proxied services CAS_proxiedServices
CAS authentication level CAS_authnLevel
Remote portal remotePortal
Remote Session backend remoteGlobalStorage
Remote Session backend options remoteGlobalStorageOptions
Remote cookie name remoteCookieName
Proxy portal URL soapAuthService
Proxy cookie name remoteCookieName
Proxy session SOAP end point soapSessionService
Twitter application key twitterKey
Twitter application secret twitterSecret
Twitter application name twitterAppName
Twitter authentication level twitterAuthnLevel
OpenID secret token openIdSecret
OpenID allowed domains openIdIDPList
OpenID authentication level openIdAuthnLevel
Apache authentication level apacheAuthnLevel
Null authentication level nullAuthnLevel
Choice URL parameter authChoiceParam
Choice modules authChoiceModules
Multi overridden parameters multi
Zimbra preauthentication key zimbraPreAuthKey
Zimbra account session key zimbraAccountKey
Zimbra account type zimbraBy
Zimbra preauthentication URL zimbraUr
Zimbra local SSO URL pattern zimbraSsoUrl
Sympa shared secret sympaSecret
Sympa mail session key sympaMailKey
-
- -

- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/portalcustom.html b/build/lemonldap-ng/doc/pages/documentation/latest/portalcustom.html deleted file mode 100644 index 7645446af..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/portalcustom.html +++ /dev/null @@ -1,151 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Portal customization

-
- -

- -

The portal is the visible part of LemonLDAP::NG, all user interactions are displayed on it. -

-

- -
- -

Skin

-
- -

- -LemonLDAP::NG is shipped with 3 skins: -

- - -

- -You can change the skin in Manager: General Parameters > Portal > Customization > Skin. -

- -
- -

Skin files

-
- -

- -A skin is composed of different files: -

- - -

- -A skin will often refer to the common skin, which is not a real skin, but shared skin objects (like scripts, images and CSS). -

- -
- -

Skin customization

-
- -

- -

If you modify directly the skin files, your modifications will certainly be erased on the next upgrade. -

-

- -

-To customize a skin, the simplest way is to create a new skin folder: - -

-
-$ cd portal/skins
-$ mkdir myskin
-$ mkdir myskin/css
-$ mkdir myskin/images
-
- -

-Then create symbolic links on template files, as you might not want to rewrite all HTML code (else, do as you want). - -

-
-$ cd myskin
-$ ln -s ../pastel/*.tpl .
-
- -

-Then you only have to write myskin/css/styles.css and add your media to myskin/images. -

- -

-As your skin is not registered in Manager, configure it trough lemonldap-ng.ini: - -

-
[portal]
-portalSkin = myskin
- -
- -

Other parameters

-
- - -

- -

If you enable auto completion, authentication level will be decreased (-1) as you do not ask the user to type its password (it could be in browser passwords wallet). -

- -

- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/portalmenu.html b/build/lemonldap-ng/doc/pages/documentation/latest/portalmenu.html deleted file mode 100644 index 73473e6c9..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/portalmenu.html +++ /dev/null @@ -1,120 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Portal menu

-
- -

- -

The menu is displayed if authentication is successful. -

-

- -
- -

Menu modules

-
- -

- -LemonLDAP::NG portal menu has 3 modules: -

- - -

- -Each module can be activated trough a rule, using user session information. These rules can be set trough Manager: General Parameters > Portal > Menu > Modules activation. -

- -

-You can use 0 or 1 to disable/enable the module, or use a more complex rule. For example, to display the password change form only for user authenticated trough LDAP or DBI: -

-
$_auth eq LDAP or $_auth eq DBI
- -
- -

Categories and applications

-
- -

- -Configuring the virtual hosts is not sufficient to display an application in the menu. Indeed, a virtual host can contain several applications (http://vhost.example.com/appli1, http://vhost.example.com/appli2). -

- -

-In Manager, you can configure categories and applications in General Parameters > Portal > Menu > Categories and applications. -

- -

-Category parameters: -

- - -

- -Application parameters: -

- - -

- -

Category and application key can have a digit as first character, which will allow to display categories in the right order (categories and applications are displayed in alphabetical order). -

-

- -
-
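Review bot: the module activation example "$_auth eq LDAP or $_auth eq DBI" compares against the barewords LDAP and DBI rather than quoted strings. If the copy that "latest" will now point to has the same line, it should read "$_auth eq 'LDAP' or $_auth eq 'DBI'" so that the rule does not depend on how the evaluating Perl treats barewords. The rule decides whether the password change form is shown, so an example that is copied verbatim should be unambiguous.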
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/prereq.html b/build/lemonldap-ng/doc/pages/documentation/latest/prereq.html deleted file mode 100644 index dfec3d15b..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/prereq.html +++ /dev/null @@ -1,218 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Prerequisites and dependencies

-
- -
- -

Apache

-
- -

- -To use LemonLDAP::NG, you have to run an Apache -server compiled with mod-perl (version 1.3 or 2.x). -

- -

-

In most of cases, the version of Apache proposed with your Linux distribution match, but some distributions used an experimental version of mod_perl with Apache2 (mod_perl-1.99) which does not work with LemonLDAP::NG. With such distributions (like Debian-3.1), you have to use Apache-1.3 or to use a mod_perl backport (www.backports.org package for Debian works fine). -

-

- -

-For Apache2, you can use both mpm-worker and mpm-prefork. Mpm-worker works faster and LemonLDAP::NG use the thread system for best performance. If you have to use mpm-prefork (for example if you use PHP), LemonLDAP::NG will work anyway. -

- -

-You can use LemonLDAP::NG in an heterogeneous world: the authentication portal and the manager can work in any version of Apache 1.3 or more even if mod_perl is not compiled, with ModPerl::Registry or not… Only the handler -need mod_perl. The different handlers can run on different servers with -different versions of Apache/mod_perl. -

- -
- -

Perl

-
- -

- -

Here is the list of Perl modules used in LemonLDAP::NG. Core modules must be installed on the system. Other modules must be installed only if you planned to use the related feature. -

-

- -
- -

Core

-
- - -
- -

Reset password by mail

-
- - -
- -

SAML2

-
- - -
- -

CAS

-
- - -
- -

OpenID

-
- - -
- -

Twitter

-
- - -
- -

POD unit tests

-
- - -
- -

Other

-
- - -
- -

Install dependencies on your system

-
- -
- -

APT-GET

-
-
-# apt-get install apache2 libapache2-mod-perl2 libapache-session-perl libnet-ldap-perl libcache-cache-perl libdbi-perl perl-modules libwww-perl libcache-cache-perl libxml-simple-perl  libsoap-lite-perl libhtml-template-perl libregexp-assemble-perl libjs-jquery libxml-libxml-perl libcrypt-rijndael-perl libio-string-perl libxml-libxslt-perl libconfig-inifiles-perl libjson-perl libstring-random-perl libemail-date-format-perl libmime-lite-perl libcrypt-openssl-rsa-perl libdigest-hmac-perl
-
- -
- -

YUM

-
- -

- -Choose a repository which hosted Perl dependencies: -

- -
-# yum install httpd mod_perl perl-Apache-Session perl-LDAP perl-XML-SAX perl-XML-NamespaceSupport perl-HTML-Template perl-Regexp-Assemble perl-Error perl-IPC-ShareLite perl-Cache-Cache perl-FreezeThaw perl-XML-Simple perl-version perl-CGI-Session perl-DBD-Pg perl-XML-LibXML-Common perl-BSD-Resource perl-XML-LibXML perl-Crypt-Rijndael perl-IO-String perl-XML-LibXSLT perl-SOAP-Lite perl-Config-IniFiles perl-JSON perl-Digest-HMAC
-
- -
-
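Review bot: the two install commands in this removed page do not match each other. The apt-get line lists libcache-cache-perl twice. The yum line has no visible counterpart for libstring-random-perl, libemail-date-format-perl, libmime-lite-perl or libcrypt-openssl-rsa-perl, which the apt-get line installs. The page says the non-core modules are only needed for the related feature, so the versioned copy should either split both commands into core and per-feature packages or state which features the yum list leaves without dependencies.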
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/ssocookie.html b/build/lemonldap-ng/doc/pages/documentation/latest/ssocookie.html deleted file mode 100644 index ae1da69b2..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/ssocookie.html +++ /dev/null @@ -1,105 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Single Sign On cookie, domain and portal URL

-
- -
- -

SSO cookie

-
- -

- -The SSO cookie is build by the portal (as described in the login kinematic), or by the Handler for cross domain authentication (see CDA kinematic). -

- -

-To edit SSO cookie parameters, go in Manager, General Parameters > Cookies: -

- - -

- -

Changing the domain value will not update other configuration parameters, like virtual host names, portal URL, etc. You have to update them by yourself. -

-

- -
- -

Portal URL

-
- -

- -Portal URL is the address used to redirect users on the authentication portal by: -

- - -

- -

The portal URL must be inside SSO domain. If secured cookie is enabled, the portal URL must be HTTPS. -

-

- -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/start.html b/build/lemonldap-ng/doc/pages/documentation/latest/start.html deleted file mode 100644 index 650315d6c..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/start.html +++ /dev/null @@ -1,246 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Documentation for LemonLDAP::NG 1.0

-
- -
- -

Installation

-
- -

- - - -

- - -
- -

Configuration

-
- -
- -

First steps

-
- -

- - - -

- - -
- -

Portal

-
- -

- - - -

- - -

- -
- -

- -
- -

Authentication

-
- -

- - -

- -

-
- -
- -
- -
- -

- -
- -

Configuration

-
- -

- - -

- -

-
- -
- -
- -
- -

- -
- -

Sessions

-
- -

- - -

- -

-
- -
- -
- -
- -

- -
- -

Identity provider

-
- -

- - -

- -

-
- -
- -
- -
- -

- -
- -

Applications protection

-
- -

- - -

- -

-
- -
- -
- -
- -

- -
- -

Advanced features

-
- -

- - -

- -

-
- -
- -
- -
- -

- -
- -

Exploitation

-
- -

- - - -

- - -
-
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/status.html b/build/lemonldap-ng/doc/pages/documentation/latest/status.html deleted file mode 100644 index 0bf379a5e..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/status.html +++ /dev/null @@ -1,114 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Handler Status

-
- -
- -

Presentation

-
- -

- -When status feature is activated, Handlers and portal will collect statistics and save them in their local cache. This means that if several Handlers are deployed, each will manage its own statistics. -

- -

-

-This page can be browsed for example by mrtg using the script lmng-mrtg - -

-

- -

-The statistics are collected trough a daemon launched by the Handler. It can be seen in system processes, for example: - -

-
-perl -MLemonldap::NG::Handler::Status -I/etc/perl -I/usr/local/lib/perl/5.10.1 -I/usr/local/share/perl/5.10.1 -I/usr/lib/perl5 -I/usr/share/perl5 -I/usr/lib/perl/5.10 -I/usr/share/perl/5.10 -I/usr/local/lib/site_perl -I. -I/etc/apache2 -e &Lemonldap::NG::Handler::Status::run(Cache::FileCache,{?          'cache_depth' => 5,?          'cache_root' => '/tmp',?          'directory_umask' => '007',?          'default_expires_in' => 600,?          'namespace' => 'MyNamespace'?        }?);
-
- -

-Statistics are displayed when calling the status path on an Handler (for example: http://test1.example.com/status). -

- -

-Example of status page: -

- -

- -

- -
- -

Configuration

-
- -
- -

Apache

-
- -

- -You need to give access to status path in the Handler Apache configuration: -

-
    # Uncomment this to activate status module
-    <Location /status>
-        Order deny,allow
-        Allow from 127.0.0.0/8
-        PerlHeaderParserHandler My::Package->status
-    </Location>
- -

-Then restart Apache. -

- -

-

You should change the Allow directive to match administration IP, or use another Apache protection mean. -

-

- -
- -

LemonLDAP::NG

-
- -

- -Edit lemonldap-ng.ini, and activate status in the handler section: -

-
[handler]
-# Set status to 1 if you want to have the report of activity (used for
-# example to inform MRTG)
-status = 1
- -

-Then restart Apache. -

- -
-
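Review bot: the "<Location /status>" example sets "Order deny,allow" and "Allow from 127.0.0.0/8" but has no "Deny from all". With that order Apache permits any request that matches neither an Allow nor a Deny directive, so the status page is served to every client, and following the note to change the Allow directive to the administration IP restricts nothing. The copy that "latest" resolves to should add "Deny from all" after the Order line. Separately, the sample daemon command line shows the statistics cache under cache_root '/tmp'; the page could say whether that location is expected in production.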
\ No newline at end of file diff --git a/build/lemonldap-ng/doc/pages/documentation/latest/upgrade.html b/build/lemonldap-ng/doc/pages/documentation/latest/upgrade.html deleted file mode 100644 index f5732c496..000000000 --- a/build/lemonldap-ng/doc/pages/documentation/latest/upgrade.html +++ /dev/null @@ -1,203 +0,0 @@ - - - - - - - - - - - - - - - - - -
- - - - -

Upgrade from 0.9.4 to 1.0

-
- -

- -

If you are using packages, they should have done the upgrade process for you, but you can check here that all is in order. -

-

- -
- -

Apache configuration

-
- -

- -Now LemonLDAP::NG is shipped with 3 Apache configuration files: -

- - -

- -

If you are still using Apache 1, those files are named portal-apache.conf, manager-apache.conf, handler-apache.conf, but some features will not work (automatic post,…). -

-

- -

-You need to update these files with all your Apache configuration customization. -

- -
- -

LemonLDAP::NG configuration files

-
- -

- -LemonLDAP::NG 0.9.4 used local files for some settings: -

- - -

- -Those file are not used anymore, and merged into lemonldap-ng.ini. -

- -

-There is a script in the bin/ directory called lmMigrateConfFiles2ini designed to parse old configuration files and copy parameters in the new file. -

- -

-Script options: -

- - -

- -Here is how you can use it, if you installed LemonLDAP::NG from the tarball in the /usr/local/lemonldap-ng directory: - -

-
-$ sudo /usr/local/lemonldap-ng/bin/lmMigrateConfFiles2ini -d /usr/local/lemonldap-ng/etc -v -p
-
- -

-Remove the -p options if you want to delete old files. -

- -

-

The migration of application list in ini file will work, but it will then be hard to update. You should use the Manager and reconfigure all categories and applications trough it, and then comment application list in ini file. -

-

- -
- -

Customized scripts parameters

-
- -

- -Before 1.0, we used to override some configuration parameters by editing perl scripts (like portal/index.pl) and setting values like this : -

-
my $portal = Lemonldap::NG::Portal::SharedConf->new( {
-    portal => 'auth.example.com',
-    cookieName => 'lemonldap',
-    ldapPort => '390',
-} );
- -

-The new lemonldap-ng.ini file should be now used to do this, as perl scripts are program files that are erased on software updates. You have to know too that all configuration parameters are now available in Manager interface. -

- -

-If you still need to customize those program files, please prefer to copy them: - -

-
-# cp portal/index.pl portal/indexcustom.pl
-
- -

-And declare your custom file in Apache configuration - -

-
DirectoryIndex indexcustom.pl
- -

-This will prevent your local modifications to be dropped when you will update your LemonLDAP::NG version. -

- -
- -

Liberty Alliance portal

-
- -

- -Liberty Alliance portal was removed. So ID-FF authentication is no more supported. -

- -

-To replace it, LemonLDAP::NG has now SAML2 authentication backend. -

- -
- -

DBI configuration backend

-
- -

- -DBI configuration has been removed. You now have two choices to store configuration in a database: -

- - -

- -FIXME add links to RDBI and CDBI conf - -

- -
-
\ No newline at end of file
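Review bot: the DBI configuration backend section ends with a literal "FIXME add links to RDBI and CDBI conf", so a reader who is told that DBI configuration has been removed gets no pointer to the replacement backends. Resolve the FIXME in the versioned copy that "latest" will link to rather than carrying it forward. In the same page, "Remove the -p options if you want to delete old files" follows a command run with sudo; it should say whether the old files are kept anywhere before they are removed.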