When installing LL::NG, the Manager can only be accessed with the demo account dwho
. This How To explains how change this default behavior to protect Manager with other rules.
The configuration can be changed in etc/manager-apache2.conf
, for example to restrict the IP allowed to access the Manager:
<Directory /usr/local/lemonldap-ng/htdocs/manager/> Order deny,allow Deny from all Allow from 127.0.0.0/8 192.168.100.0/32 Options +ExecCGI </Directory>
But you will rather prefer to use an Apache authentication module, like for example LDAP authentication module:
<Directory /usr/local/lemonldap-ng/htdocs/manager/> AuthzLDAPAuthoritative On AuthName "LL::NG Manager" AuthType Basic AuthBasicProvider ldap AuthLDAPBindDN "ou=websso,ou=applications,dc=example,dc=com" AuthLDAPBindPassword "secret" AuthLDAPURL ldap://localhost:389/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS Require ldap-user coudot xguimard tchemineau Options +ExecCGI </Directory>
[manager] ;protection = manager
By default, you will have a manager virtual host define in configuration. If not Go on Manager, and declare Manager as a new virtual host, for example manager.example.com
. You can then set the access rule. No headers are needed.
The default rule is:
$uid eq "dwho"
You have to change it to match your admin user (or use other conditions like group membership, or any other rule based on a session variable).
Save the configuration and exit the Manager.
Enable protection on Manager, by editing lemonldap-ng.ini
:
[manager] protection = manager
You can also adapt Apache access control:
<Directory /usr/local/lemonldap-ng/htdocs/manager/> Order deny,allow Allow from all Options +ExecCGI </Directory>
Restart Apache and try to log on Manager. You should be redirected to LL::NG Portal.
You can then add the Manager as an application in the menu.
lemonldap-ng.ini
. Add an Apache access control to avoid other access.