378 lines
11 KiB
HTML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />

<title>FAQ LEMONLDAP::NG</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>

<body>
<div class="main-content">
<h2 class="heading-1"><span id="HADVANCEDINSTALLATION">ADVANCED
INSTALLATION</span></h2>

<p class="paragraph"></p><strong class="strong">Warning:</strong> This
document is written for people who already know Lemonldap::NG. Others are
advised to first build the <span class="wikilink"><a href=
"/xwiki/bin/view/NG/DocInstallExample">example</a></span> provided in the
source and then adapt it to their local installation.

<p class="paragraph"></p>

<ul>
<li>
<a href="#HPREREQ">PREREQ</a>

<ul>
<li><a href="#HApache">Apache</a></li>

<li><a href="#HPerlprereq">Perl prereq</a></li>
</ul>
</li>

<li><a href="#HSOFTWAREINSTALLATION">SOFTWARE INSTALLATION</a></li>

<li>
<a href="#HLEMONLDAPINSTALLATION">LEMONLDAP INSTALLATION</a>

<ul>
<li>
<a href="#HDatabaseconfiguration">Database configuration</a>

<ul>
<li><a href=
"#HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG
Configuration database</a></li>

<li><a href="#HApache3A3ASessiondatabase">Apache::Session
database</a></li>
</ul>
</li>

<li><a href="#HManagerconfiguration">Manager configuration</a></li>

<li>
<a href="#HConfigurationedition">Configuration edition</a>

<ul>
<li><a href="#HGeneralparameters">General parameters</a></li>

<li><a href="#HUsergroups">User groups</a></li>

<li><a href="#HVirtualhosts">Virtual hosts</a></li>
</ul>
</li>
</ul>
</li>
</ul>

<h3 class="heading-1-1"><span id="HPREREQ">PREREQ</span></h3>

<h4 class="heading-1-1-1"><span id="HApache">Apache</span></h4>

<p class="paragraph"></p>To use Lemonldap::NG, you have to run an LDAP
server and, of course, an Apache server compiled with mod_perl (version 1.3
or 2.x). Generally, the Apache version shipped with your Linux
distribution matches, but some distributions used an experimental version
of mod_perl with Apache2 (mod_perl-1.99) which does not work with
Lemonldap::NG. With such distributions (like Debian-3.1), you have to use
Apache-1.3 or a mod_perl backport (the www.backports.org package for
Debian works fine).

<p class="paragraph"></p>For Apache2, you can use either mpm-worker or
mpm-prefork. Mpm-worker is faster, and Lemonldap::NG uses threads for best
performance. If you have to use mpm-prefork (for example because you use
PHP), Lemonldap::NG will still work.

<p class="paragraph"></p>You can use Lemonldap::NG in a heterogeneous
environment: the authentication portal and the manager can run on any
version of Apache 1.3 or later, with or without mod_perl, with or without
ModPerl::Registry. Only the handler (the site protector) needs mod_perl.
The different handlers can run on different servers with different
versions of Apache/mod_perl.

<h4 class="heading-1-1-1"><span id="HPerlprereq">Perl prereq</span></h4>

<p class="paragraph"></p>Perl modules: Apache::Session, Net::LDAP,
MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI, XML::Simple

<p class="paragraph"></p>With Debian:

<p class="paragraph"></p>

<div class="code">
<pre>
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl
libdbi-perl perl-modules libwww-perl libxml-simple-perl
</pre>
</div>

<p class="paragraph"></p>Portal:

<p class="paragraph"></p>Apache::Session, Net::LDAP, MIME::Base64, CGI,
DBI

<p class="paragraph"></p>With Debian:

<p class="paragraph"></p>

<div class="code">
<pre>
apt-get install libapache-session-perl libnet-ldap-perl libdbi-perl
perl-modules
</pre>
</div>

<p class="paragraph"></p>Handler:

<p class="paragraph"></p>Apache::Session, LWP::UserAgent, Cache::Cache,
DBI

<p class="paragraph"></p>With Debian:

<p class="paragraph"></p>

<div class="code">
<pre>
apt-get install libapache-session-perl libdbi-perl libwww-perl
libcache-cache-perl
</pre>
</div>

<p class="paragraph"></p>Manager:

<p class="paragraph"></p>CGI, XML::Simple, DBI

<p class="paragraph"></p>With Debian:

<p class="paragraph"></p>

<div class="code">
<pre>
apt-get install perl-modules libxml-simple-perl libdbi-perl
</pre>
</div>

<h3 class="heading-1-1"><span id="HSOFTWAREINSTALLATION">SOFTWARE
INSTALLATION</span></h3>

<p class="paragraph"></p>If you only want to install a handler, a portal
or a manager:

<p class="paragraph"></p>

<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
$ perl Makefile.PL && make && make test
$ sudo make install
</pre>
</div>

<p class="paragraph"></p>Otherwise, for a complete install:

<p class="paragraph"></p>

<div class="code">
<pre>
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ perl Makefile.PL && make && make test
$ sudo make install
</pre>
</div>

<p class="paragraph"></p>See prereq in

<h3 class="heading-1-1"><span id="HLEMONLDAPINSTALLATION">LEMONLDAP
INSTALLATION</span></h3>

<h4 class="heading-1-1-1"><span id="HDatabaseconfiguration">Database
configuration</span></h4>If you use DBI or another system to share the
Lemonldap::NG configuration, you have to initialize the database.

<p class="paragraph"></p>For example, create the database "lemonldapng":

<p class="paragraph"></p>

<div class="code">
<pre>
# mysqladmin create lemonldapng
</pre>
</div>

<h5 class="heading-1-1-1-1"><span id=
"HLemonldap3A3ANGConfigurationdatabase">Lemonldap::NG Configuration
database</span></h5>

<p class="paragraph"></p>To store the configuration, use this table:

<p class="paragraph"></p>

<div class="code">
<pre>
CREATE TABLE lmConfig (
    cfgNum <span class="java-object">int</span> not <span class=
"java-keyword">null</span> primary key,
    locationRules text,
    exportedHeaders text,
    globalStorage text,
    globalStorageOptions text,
    macros text,
    groups text,
    portal text,
    domain text,
    ldapServer text,
    ldapPort <span class="java-object">int</span>,
    ldapBase text,
    securedCookie <span class="java-object">int</span>,
    cookieName text,
    authentication text,
    exportedVars text,
    managerDn text,
    managerPassword text,
    whatToTrace text
);
</pre>
</div>

<h5 class="heading-1-1-1-1"><span id=
"HApache3A3ASessiondatabase">Apache::Session database</span></h5>

<p class="paragraph"></p>Any Apache::Session::* module can be used. See
the Apache::Session::Store::* or Apache::Session::* documentation to learn
how to configure the module. For example, if you want to use
Apache::Session::MySQL, you can create the sessions table like this:

<p class="paragraph"></p>

<div class="code">
<pre>
CREATE TABLE sessions (
    id <span class="java-object">char</span>(32) not <span class=
"java-keyword">null</span> primary key,
    a_session text
);
</pre>
</div>

<h4 class="heading-1-1-1"><span id="HManagerconfiguration">Manager
configuration</span></h4>

<p class="paragraph"></p>Copy example/manager.cgi and customize it if
needed (see Lemonldap::NG::Manager). In particular, you have to set
configStorage. For example with MySQL:

<p class="paragraph"></p>

<div class="code">
<pre>
my $manager = Lemonldap::NG::Manager-><span class=
"java-keyword">new</span> ( {
    dbiChain => <span class=
"java-quote">"DBI:mysql:database=mybase;host=1.2.3.4"</span>,
    dbiUser => <span class=
"java-quote">"lemonldap-ng"</span>,
    dbiPassword => <span class=
"java-quote">"mypass"</span>,
} );
</pre>
</div>

<p class="paragraph"></p>Secure Manager access with Apache (TLS plus
network and authentication restrictions), since Lemonldap::NG does not yet
secure the manager itself:

<p class="paragraph"></p>

<div class="code">
<pre>
SSLEngine On
Order Deny,Allow
Deny from all
Allow from admin/network
AuthType Basic
...
</pre>
</div>

<h4 class="heading-1-1-1"><span id="HConfigurationedition">Configuration
edition</span></h4>

<p class="paragraph"></p>Connect to the manager with your browser and start
configuring your Web-SSO. You have to set at least the following
parameters:

<h5 class="heading-1-1-1-1"><span id="HGeneralparameters">General
parameters</span></h5>

<ul class="star">
<li>Authentication parameters -> portal URL: the URL used to reach the
authentication portal.</li>

<li>Domain: the cookie domain. All protected VirtualHosts have to be
under it.</li>

<li>LDAP parameters -> LDAP Server.</li>

<li>LDAP parameters -> LDAP Account and password: required only if
anonymous binds are not accepted.</li>

<li>Session Storage -> Apache::Session module: how to store user
sessions. You can use any module that inherits from Apache::Session, like
Apache::Session::MySQL.</li>

<li>Session Storage -> Apache::Session Module parameters: see
Apache::Session::&lt;Chosen module&gt;.</li>
</ul>

<h5 class="heading-1-1-1-1"><span id="HUsergroups">User groups</span></h5>

<p class="paragraph"></p>Use the "New Group" button to add your first
group. On the left, set the keyword which will be used later and, on the
right, the corresponding rule. You can use:

<ul class="star">
<li>an LDAP filter (it will be tested with the user uid)</li>
</ul>or

<ul class="star">
<li>a Perl condition enclosed in {}. All variables declared in
"General parameters -> LDAP attributes" can be used with a "$". For
example: MyGroup / { $uid eq "foo" or $uid eq "bar" }</li>
</ul>

<h5 class="heading-1-1-1-1"><span id="HVirtualhosts">Virtual
hosts</span></h5>

<p class="paragraph"></p>You have to create a virtual host for each Apache
host (virtual or real) protected by Lemonldap::NG, even if only a
sub-directory is protected. Otherwise, users who try to access the
protected area will be rejected with a "500 Internal Server Error" message
and the Apache logs will explain the problem.

<p class="paragraph"></p>Each virtual host has 2 groups of parameters:

<ul class="star">
<li>Headers: the headers added to the Apache request. Default: Auth-User
=> $uid.</li>

<li>Rules: subdivided into 2 categories:

<ul class="star">
<li>default: the default rule</li>

<li>personalized rules: an association of a Perl regular expression and
a condition. For example: ^/restricted.*$ / $groups =~
/\bMyGroup\b/</li>
</ul>
</li>
</ul>
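<p class="paragraph"></p>The way the group conditions above and the
virtual-host rules are evaluated, as an added Perl illustration (not
Lemonldap::NG's own code). It assumes a simplified compiler that maps each
$name to a session variable and that $groups holds the matching group
keywords separated by spaces; the sessions are constructed inline, and the
run shows why the \b anchors in the rule matter.

```perl
# Added illustration, not Lemonldap::NG's own code: compile group rules and
# virtual-host rules in the page's syntax and run them on constructed sessions.
# Assumption: $groups is the list of matching keywords joined by spaces.
use strict;
use warnings;
# Turn '$uid eq "foo"' into a sub reading $v->{uid}. A rule that does not
# compile is a configuration error and must deny, never allow.
sub compile_rule {
    my ($cond) = @_;
    $cond =~ s/\$(\w+)/\$v->{$1}/g;
    my $sub = eval "sub { my \$v = shift; ($cond) ? 1 : 0 }";
    die "bad rule '$cond': $@" unless $sub;
    return $sub;
}

# "User groups": keyword => Perl condition (written here without the braces).
my %group_rules = (
    MyGroup    => '$uid eq "foo" or $uid eq "bar"',
    MyGroupExt => '$uid eq "dave"',
);
my %group_subs = map { $_ => compile_rule($group_rules{$_}) } keys %group_rules;

sub user_groups {
    my ($v) = @_;
    return join ' ', sort { $a cmp $b } grep { $group_subs{$_}->($v) } keys %group_subs;
}

# "Virtual hosts": the first regexp matching the URI decides, else the default
# rule; '1' means any authenticated user is accepted.
my @vhost_rules = ( [ qr{^/restricted.*$}, compile_rule('$groups =~ /\bMyGroup\b/') ] );
my $default_rule = compile_rule('1');

sub is_allowed {
    my ($uri, $v) = @_;
    for my $r (@vhost_rules) {
        return $r->[1]->($v) if $uri =~ $r->[0];
    }
    return $default_rule->($v);
}

# Constructed sessions: dave is only in MyGroupExt, so the \b anchors keep him
# out of /restricted (a bare /MyGroup/ would match "MyGroupExt" too).
for my $uid (qw(foo dave carol)) {
    my %v = ( uid => $uid );
    $v{groups} = user_groups(\%v);
    for my $uri ('/index.html', '/restricted/report') {
        printf "%-5s %-19s groups='%s' -> %s\n", $uid, $uri, $v{groups},
            is_allowed($uri, \%v) ? 'allow' : 'deny';
    }
}
```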
</div>
</body>
</html>