LemonLDAP::NG configuration is stored in a backend that allows all modules to access it.
Detailed documentation of the configuration backends is available separately.
By default, the configuration is stored in files, so access through the network is not possible. To allow this, use SOAP for configuration access, or use a network service such as an SQL database or an LDAP directory.
The configuration backend can be set in the local configuration file, in the configuration section. For example, to configure the File configuration backend:

[configuration]
type = File
dirName = /usr/local/lemonldap-ng/data/conf
Most of the configuration can be done through the LemonLDAP::NG Manager (by default http://manager.example.com).
By default, the Manager is protected so that only the demonstration user "dwho" can access it.
If you can no longer access the Manager, you can unprotect it by editing lemonldap-ng.ini and changing the protection parameter:
[manager]
# Manager protection: by default, the manager is protected by a demo account.
# You can protect it:
#  * by Apache itself,
#  * by the parameter 'protection' which can take one of the following
#    values:
#    * authenticate : all authenticated users can access
#    * manager : manager is protected like other virtual hosts: you
#      have to set rules in the corresponding virtual host
#    * rule: <rule> : you can set here directly the rule to apply
#    * none : no protection
The Manager displays the main configuration branches:
LemonLDAP::NG configuration is mainly a key/value structure, so the Manager presents all keys in a structured tree. Clicking a key displays the associated value.
When all modifications are done, click on Save to store the configuration.
LemonLDAP::NG provides a script that allows one to edit the configuration without a graphical interface. This script is called lmConfigEditor and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:

/usr/share/lemonldap-ng/bin/lmConfigEditor
/usr/libexec/lemonldap-ng/bin/lmConfigEditor

The script uses the editor system command, which links to your favorite editor. To change it:

update-alternatives --config editor
The configuration is displayed as a big Perl hash, which you can edit:

$VAR1 = {
    'ldapAuthnLevel' => '2',
    'notificationWildcard' => 'allusers',
    'loginHistoryEnabled' => '1',
    'key' => 'q`e)kJE%<&wm>uaA',
    'samlIDPSSODescriptorSingleSignOnServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
    'portalSkin' => 'pastel',
    'failedLoginNumber' => '5',
    ...
};

If a modification is made, the configuration is saved with a new configuration number; otherwise, the current configuration is kept.
LemonLDAP::NG provides a script that allows one to edit configuration items in non-interactive mode. This script is called lemonldap-ng-cli and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli
/usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli
To see the available actions, run:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli help
You can force an update of the configuration cache with:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache
To get information about the current configuration:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli info
To view a configuration parameter, for example the portal URL:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal
To set a parameter, for example the domain:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set domain example.org
You can use accessors (options) to change the behavior:
Some examples:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace
LemonLDAP::NG ships 3 Apache configuration files:
See how to deploy them.
After enabling any REST/SOAP endpoints in the Manager, you also need to configure some form of authentication on the corresponding URLs in the portal-apache2.conf configuration file.
By default, access to those URLs is denied:

# REST/SOAP functions for sessions management (disabled by default)
<Location /index.fcgi/adminSessions>
    Order deny,allow
    Deny from all
</Location>
In order to allow configuration reload from a different server (if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in handler-apache2.conf:

<Location /reload>
    #CHANGE THIS######
    Require ip 127 ::1
    ###########^^^^^^^
    SetHandler perl-script
    PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
In order to protect your application VHosts with the LemonLDAP::NG handler, you need to add these directives (in a global configuration file):

PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::ApacheMP2

ErrorDocument 403 http://auth.example.com/lmerror/403
ErrorDocument 404 http://auth.example.com/lmerror/404
ErrorDocument 500 http://auth.example.com/lmerror/500
ErrorDocument 502 http://auth.example.com/lmerror/502
ErrorDocument 503 http://auth.example.com/lmerror/503

Then, to protect a standard virtual host, the only configuration line to add is:

PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2

See test-apache2.conf for a complete example of a protected application.
LemonLDAP::NG ships 3 Nginx configuration files:
See how to deploy them.
After enabling any REST/SOAP endpoints in the Manager, you also need to configure some form of authentication on the corresponding URLs in the portal-nginx.conf configuration file.
By default, access to those URLs is denied:

location ~ ^/index.psgi/adminSessions {
    fastcgi_pass llng_portal_upstream;
    deny all;
}
In order to allow configuration reload from a different server (if your manager is on a different server or if you are using load-balancing), you need to edit the access rule in handler-nginx.conf:

location = /reload {
    ## CHANGE THIS #
    allow 127.0.0.1;
    ######^^^^^^^^^#
    deny all;
    # FastCGI configuration
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
    fastcgi_param LLTYPE reload;
}
The Nginx handler is provided by the LemonLDAP::NG FastCGI server.

error_page 403 http://auth.example.com/lmerror/403;
error_page 404 http://auth.example.com/lmerror/404;
error_page 500 http://auth.example.com/lmerror/500;
error_page 502 http://auth.example.com/lmerror/502;
error_page 503 http://auth.example.com/lmerror/503;
To protect a standard virtual host, you must insert this (or create an included file):

# Insert $_user in logs
include /etc/lemonldap-ng/nginx-lmlog.conf;
access_log /var/log/nginx/access.log lm_combined;

# Internal call to FastCGI server
location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    fastcgi_param HOST $http_host;
    fastcgi_param X_ORIGINAL_URI $request_uri;
}

# Client requests
location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    try_files $uri $uri/ =404;

    # Set REMOTE_USER (for FastCGI apps only)
    #fastcgi_param REMOTE_USER $lmremote_user

    ##################################
    # PASSING HEADERS TO APPLICATION #
    ##################################

    # IF LUA IS SUPPORTED
    #include /path/to/nginx-lua-headers.conf

    # ELSE
    # Set manually your headers
    #auth_request_set $authuser $upstream_http_auth_user;
    #proxy_set_header Auth-User $authuser;
    # OR
    #fastcgi_param HTTP_AUTH_USER $authuser;

    # Then (if LUA not supported), change cookie header to hide LLNG cookie
    #auth_request_set $lmcookie $upstream_http_cookie;
    #proxy_set_header Cookie: $lmcookie;
    # OR
    #fastcgi_param HTTP_COOKIE $lmcookie;

    # Insert then your configuration (fastcgi_* or proxy_*)
}
checkTime = 240
in your lemonldap-ng.ini file (values in seconds)
After the configuration is saved by the Manager, LemonLDAP::NG will try to reload the configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in Manager, General Parameters > reload configuration URLs: keys are the server names or IPs the requests will be sent to, and values are the requested URLs.
You also have a parameter to adjust the timeout used to request reload URLs; it is by default set to 5 seconds.
These parameters can be overwritten in the LemonLDAP::NG ini file, in the section apply.
The reload target is managed in the Apache or Nginx configuration, inside a virtual host protected by the LemonLDAP::NG Handler (see the examples in the Apache > Handler and Nginx > Handler sections).
General Parameters > Advanced Parameters > Security > SSL options for server requests and set:

verify_hostname => 0
SSL_verify_mode => 0

Note that these two values disable hostname and certificate verification for the requests sent to the other servers.
handler-nginx.conf or handler-apache2.conf, for example.
Practical use case: configure reload in a LL::NG cluster. In this case you will have two servers (with IPs 1.1.1.1 and 1.1.1.2), but you can keep only one reload URL (reload.example.com):

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
    reloadUrls '1.1.1.1' 'http://reload.example.com/reload' \
    reloadUrls '1.1.1.2' 'http://reload.example.com/reload'

You also need to adjust the protection of the reload vhost, for example:

<Location /reload>
    Require ip 127 ::1 1.1.1.1 1.1.1.2
    SetHandler perl-script
    PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
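The cluster setup above has two halves that must agree: the reloadUrls keys the Manager sends requests to, and the source addresses the reload vhost accepts. The following added example (not code from the LemonLDAP::NG project) checks that agreement offline. It assumes, as in the example above, that the Manager runs on each node so every reloadUrls key is also a source address of reload requests; the function names are hypothetical, and the configuration snippets and reloadUrls values are constructed from the text above. It understands Apache "Require ip" tokens (exact addresses, CIDR networks and leading-octet prefixes such as 127) and Nginx "allow" lines.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed: the reload vhost of the two-node cluster described above.
APACHE_RELOAD = """\
<Location /reload>
    Require ip 127 ::1 1.1.1.1 1.1.1.2
    SetHandler perl-script
    PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
"""

# Constructed: the shipped Nginx block, still restricted to localhost.
NGINX_RELOAD = """\
location = /reload {
    ## CHANGE THIS #
    allow 127.0.0.1;
    ######^^^^^^^^^#
    deny all;
    include /etc/nginx/fastcgi_params;
    fastcgi_param LLTYPE reload;
}
"""

# reloadUrls as created with "lemonldap-ng-cli addKey": key = server, value = URL.
RELOAD_URLS = {
    "1.1.1.1": "http://reload.example.com/reload",
    "1.1.1.2": "http://reload.example.com/reload",
}

PARTIAL_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){0,2}")


def allowed_sources(conf):
    """Collect address tokens from Apache 'Require ip' and Nginx 'allow' lines."""
    tokens = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as "CHANGE THIS"
        m = re.match(r"Require\s+ip\s+(.+)$", line)
        if m:
            tokens.extend(m.group(1).split())
            continue
        m = re.match(r"allow\s+([^;]+);", line)
        if m:
            tokens.append(m.group(1).strip())
    return tokens


def source_allowed(ip, tokens):
    """True if ip matches a token: 'all', an address or CIDR, or an Apache octet prefix."""
    addr = ip_address(ip)
    for tok in tokens:
        if tok == "all":
            return True
        try:
            net = ip_network(tok, strict=False)
        except ValueError:
            net = None  # not a full address: maybe an Apache prefix like "127"
        if net is not None:
            if addr in net:  # False on IPv4/IPv6 mismatch, no exception
                return True
            continue
        if addr.version == 4 and PARTIAL_IPV4.fullmatch(tok) and ip.startswith(tok + "."):
            return True
    return False


def check_reload_access(reload_urls, conf):
    """Return (not_allowed, unresolved): servers the vhost would reject,
    and reloadUrls keys that are hostnames this offline check cannot resolve."""
    tokens = allowed_sources(conf)
    not_allowed, unresolved = [], []
    for server in reload_urls:
        try:
            ip_address(server)
        except ValueError:
            unresolved.append(server)
            continue
        if not source_allowed(server, tokens):
            not_allowed.append(server)
    return not_allowed, unresolved


if __name__ == "__main__":
    print("apache:", check_reload_access(RELOAD_URLS, APACHE_RELOAD))
    print("nginx :", check_reload_access(RELOAD_URLS, NGINX_RELOAD))
```

Run against the Apache block above, nothing is reported; run against the unmodified Nginx block, both cluster nodes come back as not allowed, which is exactly the "CHANGE THIS" the shipped file asks for. Hostname keys are listed separately rather than resolved, so the check stays deterministic and offline.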
LemonLDAP::NG configuration can be managed in a local file in INI format. This file is called lemonldap-ng.ini and has the following sections:
When you set a parameter in lemonldap-ng.ini, it overrides the parameter from the global configuration.
For example, to override the configured skin for the portal:

[portal]
portalSkin = dark
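Because lemonldap-ng.ini both selects the configuration backend and decides who may reach the Manager, it is worth checking before deployment. The following added example (not code from the LemonLDAP::NG project) parses an ini file with Python's configparser, lists the local overrides of a section, and flags a [manager] protection of none or a File backend without dirName; the sample ini text is constructed for this example and the function names are hypothetical. Key case is preserved deliberately, since LemonLDAP::NG keys such as portalSkin are case-sensitive.

```python
import configparser

# Constructed sample of a lemonldap-ng.ini (not a real deployment's file):
# a File backend, the Manager left unprotected, and one local portal override.
SAMPLE_INI = """\
[configuration]
type = File
dirName = /usr/local/lemonldap-ng/data/conf

[manager]
# Manager protection: by default, the manager is protected by a demo account.
protection = none

[portal]
portalSkin = dark
"""

# Same file with the Manager restricted to the demonstration user by a rule.
HARDENED_INI = SAMPLE_INI.replace("protection = none",
                                  "protection = rule: $uid eq 'dwho'")

# Fixed protection keywords listed in the [manager] comments; 'rule: <rule>' is free-form.
PROTECTION_KEYWORDS = ("authenticate", "manager", "none")


def load_ini(text):
    """Parse lemonldap-ng.ini text, keeping key case (dirName, portalSkin)."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # the default parser lowercases option names
    cfg.read_string(text)
    return cfg


def manager_protection(cfg):
    """The [manager] protection value, or None when the shipped default applies."""
    return cfg.get("manager", "protection", fallback=None)


def local_overrides(cfg, section):
    """Keys set locally in a section; each overrides the same key in the global configuration."""
    return dict(cfg.items(section)) if cfg.has_section(section) else {}


def audit(text):
    """Return a list of findings for the ini text; an empty list is a clean result."""
    cfg = load_ini(text)
    findings = []

    backend = cfg.get("configuration", "type", fallback=None)
    if backend == "File" and not cfg.has_option("configuration", "dirName"):
        findings.append("[configuration] File backend without dirName")

    prot = manager_protection(cfg)
    if prot == "none":
        findings.append("[manager] protection = none: Manager reachable without authentication")
    elif prot is not None and prot not in PROTECTION_KEYWORDS and not prot.startswith("rule:"):
        findings.append(f"[manager] unknown protection value {prot!r}")

    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        cfg = load_ini(text)
        print(name, audit(text) or "OK", local_overrides(cfg, "portal"))
```

The parser is created with "=" as the only delimiter and interpolation switched off so that rule values containing ":" or "$" (such as rule: $uid eq 'dwho') survive intact.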