Lemonldap::NG manages applications by their hostname (Apache's virtual hosts). Rules are used to protect applications; headers are HTTP headers added to the request to pass data to the application (for logs, profiles, …).
$ENV{<cgi-header>}, which corresponds to a CGI header ($ENV{REMOTE_ADDR} for example).
The %ENV table provides the CGI headers (User-Agent becomes HTTP_USER_AGENT) and the variables set by fastcgi_param commands (with Nginx). See also extended functions.
A rule associates a regular expression with a Perl boolean expression or a keyword.
Examples:
Goal | Regular expression | Rule |
---|---|---|
Restrict /admin/ directory to user bart.simpson | ^/admin/ | $uid eq "bart.simpson" |
Restrict /js/ and /css/ directory to authenticated users | ^/(css\|js)/ | accept |
Deny access to /config/ directory | ^/config/ | deny |
Do not restrict /public/ | ^/public/ | skip |
Makes authentication optional, but authenticated users are seen as such (that is, user data are sent to the app through HTTP headers) | ^/forum/ | unprotect |
Restrict access to the whole site to users that have the LDAP description field set to “LDAP administrator” (must be set in exported variables) | default | $description eq "LDAP administrator" |
The "default" access rule is used if no other access rule matches the current URL.
Rules can also be used to intercept logout URLs:
Goal | Regular expression | Rule |
---|---|---|
Logout user from Lemonldap::NG and redirect them to http://intranet/ | ^/index.php\?logout | logout_sso http://intranet/ |
Logout user from current application and redirect them to the menu (Apache only) | ^/index.php\?logout | logout_app https://auth.example.com/ |
Logout user from current application and from Lemonldap::NG and redirect them to http://intranet/ (Apache only) | ^/index.php\?logout | logout_app_sso http://intranet/ |
logout_app and logout_app_sso rules are not available on Nginx, only on Apache.
By default, the user is redirected to the portal if no URL is defined, or to the specified URL if one is given.
LLNG sets an "authentication level" during the authentication process. This level is the value assigned to the authentication backend used for this user. Default values are:
There are two ways to require users to have a high authentication level:
$authenticationLevel > 3
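The following script is an added example, not Lemonldap::NG's own code, modelling how one virtual host's ordered rules (the table above, plus the logout and $authenticationLevel rules) are evaluated for a request. Session values, the client address and the extra `$ENV{REMOTE_ADDR}` allow-list on /admin/ are constructed for the demonstration; the portal URL is the one from the logout table.

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG's own code: a small model of how one
# virtual host's ordered access rules are evaluated for a request. Keywords
# (accept, deny, skip, unprotect, logout_*) are decided directly; any other
# rule is a Perl boolean evaluated with the session variables ($uid,
# $description, $authenticationLevel, ...) and %ENV ($ENV{REMOTE_ADDR}) in scope.
use strict;
use warnings;

my $portal = 'https://auth.example.com/';   # portal URL taken from the page

# Constructed session data, as LLNG would export it for the logged-in user.
my %session = (
    uid                 => 'bart.simpson',
    description         => 'LDAP administrator',
    authenticationLevel => 2,
);

# Ordered rules for the virtual host: [ regex, rule ]. 'default' is only
# consulted when no regex matched the requested URI.
my @rules = (
    [ qr{^/admin/},             '$uid eq "bart.simpson" and $ENV{REMOTE_ADDR} =~ /^192\.0\.2\./' ],
    [ qr{^/(css|js)/},          'accept' ],
    [ qr{^/config/},            'deny' ],
    [ qr{^/public/},            'skip' ],
    [ qr{^/forum/},             'unprotect' ],
    [ qr{^/index\.php\?logout}, 'logout_sso http://intranet/' ],
    [ qr{^/strong/},            '$authenticationLevel > 3' ],
    [ 'default',                '$description eq "LDAP administrator"' ],
);

# Turn a rule string into a code ref taking the session hash ref.
sub compile_rule {
    my ($rule) = @_;
    return sub { $rule } if $rule =~ /^(?:accept|deny|skip|unprotect)$/;
    if ( $rule =~ /^(logout_sso|logout_app|logout_app_sso)(?:\s+(\S+))?$/ ) {
        my ( $kw, $url ) = ( $1, $2 // $portal );   # no URL given: back to the portal
        return sub { "$kw -> $url" };
    }
    # Declare each session key as a lexical so the rule text can say $uid, etc.
    # The expression is compiled once with a string eval.
    my $decl = join '', map { "my \$$_ = \$s->{'$_'};" } sort keys %session;
    my $code = eval "sub { my (\$s) = \@_; $decl return ($rule) ? 'accept' : 'deny' }";
    die "cannot compile rule '$rule': $@" if $@;
    return $code;
}

# First regex that matches the URI wins; otherwise the 'default' rule applies.
sub decide {
    my ( $uri, $rules, $session ) = @_;
    my $default;
    for my $r (@$rules) {
        my ( $re, $rule ) = @$r;
        if ( !ref $re && $re eq 'default' ) { $default = $rule; next }
        return compile_rule($rule)->($session) if $uri =~ $re;
    }
    return defined $default ? compile_rule($default)->($session) : 'deny';
}

$ENV{REMOTE_ADDR} = '192.0.2.10';   # constructed client address (documentation range)

for my $uri ( '/admin/users', '/css/site.css', '/config/db.yml', '/public/logo.png',
              '/forum/t/1', '/index.php?logout', '/strong/vault', '/' ) {
    printf "%-20s %s\n", $uri, decide( $uri, \@rules, \%session );
}
```

Run it with `perl rules.pl`. Two points worth noticing: keywords are recognised before any expression is compiled, so a rule is never evaluated as Perl code when it is just `accept` or `deny`; and `$ENV{REMOTE_ADDR}` is the address the web server itself sees, so behind a reverse proxy it is the proxy's address, not the browser's, and an allow-list on it must be written with that in mind.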
Headers are associations between a header name and a Perl expression that returns a string. Headers are used to pass user data to the application.
Examples:
Goal | Header name | Header value |
---|---|---|
Give the uid (for accounting) | Auth-User | $uid |
Give a static value | Some-Thing | "static-value" |
Give display name | Display-Name | $givenName." ".$surName |
Give a non ascii data | Display-Name | encode_base64($givenName." ".$surName,"") |
As described in the performance chapter, you can use macros, local macros, …; for example:
Session-ID => $_session_id
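The script below is an added example, not Lemonldap::NG's own code. It builds the headers from the table above for two constructed sessions, checks that each value is printable ASCII (the only thing that can safely travel in an HTTP header field), and shows why the encode_base64 form is needed for accented names. Session values are assumed to be UTF-8 byte strings, which is why the file does not `use utf8`.

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG's own code: building the exported headers
# from a session with the Perl expressions shown in the table, and checking
# that each value is safe to put in an HTTP header. Session values are assumed
# to be UTF-8 byte strings, so this file deliberately does not 'use utf8'.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);

# Constructed sessions: one plain ASCII, one with accented names.
my %ascii  = ( uid => 'bart.simpson', givenName => 'Bart', surName => 'Simpson',
               _session_id => 'constructed-session-id-0001' );
my %accent = ( %ascii, givenName => 'Élodie', surName => 'Zoë' );

# Header name => Perl expression returning a string, as in the table above.
my @headers = (
    [ 'Auth-User',    '$uid' ],
    [ 'Some-Thing',   '"static-value"' ],
    [ 'Display-Name', '$givenName." ".$surName' ],
    [ 'Session-ID',   '$_session_id' ],
);

# Compile one header expression; session keys become lexicals ($uid, ...).
sub compile_expr {
    my ( $expr, $session ) = @_;
    my $decl = join '', map { "my \$$_ = \$s->{'$_'};" } sort keys %$session;
    my $code = eval "sub { my (\$s) = \@_; $decl return ($expr) }";
    die "cannot compile header expression '$expr': $@" if $@;
    return $code;
}

sub build_headers {
    my ( $session, $headers ) = @_;
    my %out;
    for my $h (@$headers) {
        my ( $name, $expr ) = @$h;
        $out{$name} = compile_expr( $expr, $session )->($session);
    }
    return \%out;
}

# HTTP header field values are restricted to printable ASCII; anything else
# may be mangled or rejected by the web server or the application.
sub header_value_ok {
    my ($v) = @_;
    return defined $v && $v !~ /[^\x20-\x7E]/;
}

sub show {
    my ( $label, $session, $headers ) = @_;
    print "== $label ==\n";
    my $h = build_headers( $session, $headers );
    for my $name ( sort keys %$h ) {
        printf "%-14s %s%s\n", "$name:", $h->{$name},
            header_value_ok( $h->{$name} ) ? '' : '   <- NOT safe for a header';
    }
}

show( 'ascii session',    \%ascii,  \@headers );
show( 'accented session', \%accent, \@headers );

# The fix from the table: base64-encode the value (second argument "" = no
# line breaks). The application decodes it with decode_base64 on its side.
my @safe = map {
    $_->[0] eq 'Display-Name'
        ? [ 'Display-Name', 'encode_base64($givenName." ".$surName,"")' ]
        : $_
} @headers;
show( 'accented session, base64 Display-Name', \%accent, \@safe );

my $encoded = build_headers( \%accent, \@safe )->{'Display-Name'};
print "decoded by the application: ", decode_base64($encoded), "\n";
```

The empty second argument to encode_base64 matters: without it the output contains a newline every 76 characters, which is itself illegal inside a header value. The receiving application must decode the header and treat the result as UTF-8 bytes.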
In addition to macros and names, you can use some functions in rules and headers:
Since 2.0, a wildcard can be used in the virtualhost name (not in aliases!): *.example.com matches all hostnames that belong to the example.com domain.
Even if a wildcard exists, an explicitly declared virtualhost takes precedence and its rules are applied. Example with precedence order:
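The following is an added example, not Lemonldap::NG's own code, showing the precedence just described: a request's Host is first looked up among explicitly declared virtual hosts and only then against wildcard names. The configuration is constructed; the assumptions that `*` stands for one or more labels and that the longest wildcard wins when several match are this example's, not the page's.

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG's own code: resolving the request's Host
# against configured virtual hosts when a *.example.com wildcard and explicit
# names coexist. Assumptions: an explicitly declared name wins over a wildcard
# (as stated above); '*' stands for one or more labels; when several wildcards
# match, the longest pattern is taken.
use strict;
use warnings;

# Constructed configuration: vhost name => a label standing for its rule set.
my %vhosts = (
    'auth.example.com'     => 'portal',
    'intranet.example.com' => 'intranet rules',
    '*.example.com'        => 'wildcard rules for the example.com domain',
    '*.dev.example.com'    => 'wildcard rules for dev hosts',
);

# '*.example.com' -> qr/^.+\.example\.com$/i ; everything else is quoted literally,
# so a dot in the name cannot match 'example-com' or similar look-alikes.
sub wildcard_to_re {
    my ($pattern) = @_;
    my $re = join '.+', map { quotemeta } split /\*/, $pattern, -1;
    return qr/^$re$/i;
}

sub resolve_vhost {
    my ( $host, $vhosts ) = @_;
    $host = lc $host;
    $host =~ s/:\d+$//;                          # ignore an explicit port
    return $host if exists $vhosts->{$host};     # 1. explicit declaration wins
    my @wild = sort { length $b <=> length $a }  # 2. most specific wildcard first
               grep { /\*/ } keys %$vhosts;
    for my $w (@wild) {
        return $w if $host =~ wildcard_to_re($w);
    }
    return undef;                                # 3. not configured at all
}

for my $host ( 'intranet.example.com', 'wiki.example.com', 'AUTH.example.com:443',
               'ci.dev.example.com', 'example.com', 'example.com.evil.test' ) {
    my $v = resolve_vhost( $host, \%vhosts );
    printf "%-24s -> %s\n", $host, defined $v ? "$v ($vhosts{$v})" : 'no virtual host';
}
```

Note that the wildcard pattern is anchored at both ends and built with quotemeta, so neither `example.com` itself nor a host that merely starts with `example.com` is captured by `*.example.com`; a hostname that resolves to no virtual host should be refused rather than served with a guessed rule set.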