dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
37e7e0b81e
lemonldap-ng/doc/pages/documentation/current/configlocation.html
Xavier 39c968b215 Update doc
2019-09-23 22:41:16 +02:00

820 lines
38 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:configlocation</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,configlocation"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="configlocation.html"/>
<link rel="contents" href="configlocation.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:configlocation","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#backends">Backends</a></div></li>
<li class="level1"><div class="li"><a href="#manager">Manager</a></div></li>
<li class="level1"><div class="li"><a href="#configuration_text_editor">Configuration text editor</a></div></li>
<li class="level1"><div class="li"><a href="#command_line_interface_cli">Command Line Interface (CLI)</a></div></li>
<li class="level1"><div class="li"><a href="#apache">Apache</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager1">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#handler">Handler</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#nginx">Nginx</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#portal1">Portal</a></div></li>
<li class="level2"><div class="li"><a href="#manager2">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#handler1">Handler</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#configuration_reload">Configuration reload</a></div></li>
<li class="level1"><div class="li"><a href="#local_file">Local file</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="configuration_overview">Configuration overview</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Configuration overview" [1-38] -->
<h2 class="sectionedit2" id="backends">Backends</h2>
<div class="level2">
<p>
LemonLDAP::NG configuration is stored in a backend that allows all modules to access it.
</p>
<div class="noteimportant">Note that all <abbr title="LemonLDAP::NG">LL::NG</abbr> components must have access:<ul>
<li class="level1"><div class="li"> to the configuration backend</div>
</li>
<li class="level1"><div class="li"> to the sessions storage backend</div>
</li>
</ul>
<p>
Detailed configuration backends documentation is available <a href="start.html#configuration_database" class="wikilink1" title="documentation:2.0:start">here</a>.
</p>
</div>
<p>
By default, configuration is stored in <a href="fileconfbackend.html" class="wikilink1" title="documentation:2.0:fileconfbackend">files</a>, so access trough network is not possible. To allow this, use <a href="soapconfbackend.html" class="wikilink1" title="documentation:2.0:soapconfbackend">SOAP</a> for configuration access, or use a network service like <a href="sqlconfbackend.html" class="wikilink1" title="documentation:2.0:sqlconfbackend">SQL database</a> or <a href="ldapconfbackend.html" class="wikilink1" title="documentation:2.0:ldapconfbackend">LDAP directory</a>.
</p>
<p>
Configuration backend can be set in the <a href="#local_file" title="documentation:2.0:configlocation ↵" class="wikilink1">local configuration file</a>, in <code>configuration</code> section.
</p>
<p>
For example, to configure the <code>File</code> configuration backend:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>configuration<span class="br0">&#93;</span></span>
<span class="re1">type</span><span class="sy0">=</span><span class="re2">File</span>
<span class="re1">dirName</span> <span class="sy0">=</span><span class="re2"> /usr/local/lemonldap-ng/data/conf</span></pre>
<div class="notetip">See <a href="changeconfbackend.html" class="wikilink1" title="documentation:2.0:changeconfbackend">How to change configuration backend</a> to known how to change this.
</div>
</div>
<!-- EDIT2 SECTION "Backends" [39-1047] -->
<h2 class="sectionedit3" id="manager">Manager</h2>
<div class="level2">
<p>
Most of configuration can be done trough LemonLDAP::NG Manager (by default <a href="http://manager.example.com" class="urlextern" title="http://manager.example.com" rel="nofollow">http://manager.example.com</a>).
</p>
<p>
By default, Manager is protected to allow only the demonstration user &quot;dwho&quot;.
</p>
<div class="noteimportant">This user will not be available anymore if you configure a new authentication backend! Remember to change the access rule in Manager virtual host to allow new administrators.
</div>
<p>
If you can not access the Manager anymore, you can unprotect it by editing <code>lemonldap-ng.ini</code> and changing the <code>protection</code> parameter:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
&nbsp;
# Manager protection: by default, the manager is protected by a demo account.
# You can protect it :
# * by Apache itself,
# * by the parameter 'protection' which can take one of the following
# values :
# * authenticate : all authenticated users can access
# * manager : manager is protected like other virtual hosts: you
# have to set rules in the corresponding virtual host
# * rule: &lt;rule&gt; : you can set here directly the rule to apply
# * none : no protection</pre>
<div class="notetip">See <a href="managerprotection.html" class="wikilink1" title="documentation:2.0:managerprotection">Manager protection documentation</a> to know how to use Apache modules or <abbr title="LemonLDAP::NG">LL::NG</abbr> to manage access to Manager.
</div>
<p>
The Manager displays main branches:
</p>
<ul>
<li class="level1"><div class="li"> <strong>General Parameters</strong>: Authentication modules, portal, etc.</div>
</li>
<li class="level1"><div class="li"> <strong>Variables</strong>: User information, macros and groups used to fill <abbr title="Single Sign On">SSO</abbr> session</div>
</li>
<li class="level1"><div class="li"> <strong>Virtual Hosts</strong>: Access rules, headers, etc.</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Security Assertion Markup Language">SAML</abbr> 2 Service</strong>: <abbr title="Security Assertion Markup Language">SAML</abbr> metadata administration</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Security Assertion Markup Language">SAML</abbr> identity providers</strong>: Registered IDP</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</strong>: Registered SP</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID Connect Service</strong>: OpenID Connect service configuration</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID Connect Providers</strong>: Registered OP</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID Connect Relying Parties</strong>: Registered RP</div>
</li>
</ul>
<p>
LemonLDAP::NG configuration is mainly a key/value structure, so Manager will present all keys into a structured tree. A click on a key will display the associated value.
</p>
<p>
When all modifications are done, click on <code>Save</code> to store configuration.
</p>
<div class="notewarning">LemonLDAP::NG will do some checks on configuration and display errors and warnings if any. Configuration <strong>is not saved</strong> if errors occur.
</div>
</div>
<!-- EDIT3 SECTION "Manager" [1048-3236] -->
<h2 class="sectionedit4" id="configuration_text_editor">Configuration text editor</h2>
<div class="level2">
<p>
LemonLDAP::NG provide a script that allows one to edit configuration without graphical interface, this script is called <code>lmConfigEditor</code> and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
</p>
<ul>
<li class="level1"><div class="li"> On Debian:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lmConfigEditor</pre>
<ul>
<li class="level1"><div class="li"> On CentOS:</div>
</li>
</ul>
<pre class="code">/usr/libexec/lemonldap-ng/bin/lmConfigEditor</pre>
<div class="notetip">This script must be run as root, it will then use the Apache user and group to access configuration.
</div>
<p>
The script uses the <code>editor</code> system command, that links to your favorite editor. To change it:
</p>
<pre class="code">update-alternatives --config editor</pre>
<p>
The configuration is displayed as a big Perl Hash, that you can edit:
</p>
<pre class="code file perl"><span class="re0">$VAR1</span> <span class="sy0">=</span> <span class="br0">&#123;</span>
<span class="st_h">'ldapAuthnLevel'</span> <span class="sy0">=&gt;</span> <span class="st_h">'2'</span><span class="sy0">,</span>
<span class="st_h">'notificationWildcard'</span> <span class="sy0">=&gt;</span> <span class="st_h">'allusers'</span><span class="sy0">,</span>
<span class="st_h">'loginHistoryEnabled'</span> <span class="sy0">=&gt;</span> <span class="st_h">'1'</span><span class="sy0">,</span>
<span class="st_h">'key'</span> <span class="sy0">=&gt;</span> <span class="st_h">'q`e)kJE%&lt;&amp;wm&gt;uaA'</span><span class="sy0">,</span>
<span class="st_h">'samlIDPSSODescriptorSingleSignOnServiceHTTPPost'</span> <span class="sy0">=&gt;</span> <span class="st_h">'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;'</span><span class="sy0">,</span>
<span class="st_h">'portalSkin'</span> <span class="sy0">=&gt;</span> <span class="st_h">'pastel'</span><span class="sy0">,</span>
<span class="st_h">'failedLoginNumber'</span> <span class="sy0">=&gt;</span> <span class="st_h">'5'</span><span class="sy0">,</span>
<span class="sy0">...</span>
<span class="br0">&#125;</span><span class="sy0">;</span></pre>
<p>
If a modification is done, the configuration is saved with a new configuration number. Else, current configuration is kept.
</p>
</div>
<!-- EDIT4 SECTION "Configuration text editor" [3237-4556] -->
<h2 class="sectionedit5" id="command_line_interface_cli">Command Line Interface (CLI)</h2>
<div class="level2">
<p>
LemonLDAP::NG provide a script that allows one to edit configuration items in non interactive mode. This script is called <code>lemonldap-ng-cli</code> and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:
</p>
<ul>
<li class="level1"><div class="li"> On Debian:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli</pre>
<ul>
<li class="level1"><div class="li"> On CentOS:</div>
</li>
</ul>
<pre class="code">/usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli</pre>
<div class="notetip">This script must be run as root, it will then use the Apache user and group to access configuration.
</div>
<p>
To see available actions, do:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli help</pre>
<p>
You can force an update of configuration cache with:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache</pre>
<p>
To get information about current configuration:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli info</pre>
<p>
To view a configuration parameter, for example portal <abbr title="Uniform Resource Locator">URL</abbr>:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal</pre>
<p>
To set a parameter, for example domain:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set domain example.org</pre>
<p>
You can use accessors (options) to change the behavior:
</p>
<ul>
<li class="level1"><div class="li"> -sep: separator of hierarchical values (by default: /).</div>
</li>
<li class="level1"><div class="li"> -iniFile: the lemonldap-ng.ini file to use if not default value.</div>
</li>
<li class="level1"><div class="li"> -yes: do not prompt for confirmation before saving new configuration.</div>
</li>
<li class="level1"><div class="li"> -cfgNum: the configuration number. If not set, it will use the latest configuration.</div>
</li>
<li class="level1"><div class="li"> -force: set it to 1 to save a configuration earlier than latest.</div>
</li>
</ul>
<p>
Some examples:
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep &#039;,&#039; get macros,_whatToTrace</pre>
<div class="notetip">See <a href="cli_examples.html" class="wikilink1" title="documentation:2.0:cli_examples">other examples</a>.
</div>
</div>
<!-- EDIT5 SECTION "Command Line Interface (CLI)" [4557-6445] -->
<h2 class="sectionedit6" id="apache">Apache</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage Apache configuration
</div>
<p>
LemonLDAP::NG ships 3 Apache configuration files:
</p>
<ul>
<li class="level1"><div class="li"> <strong>portal-apache2.conf</strong>: Portal virtual host, with SOAP/REST end points</div>
</li>
<li class="level1"><div class="li"> <strong>manager-apache2.conf</strong>: Manager virtual host</div>
</li>
<li class="level1"><div class="li"> <strong>handler-apache2.conf</strong> : Handler declaration, reload and sample virtual hosts</div>
</li>
</ul>
<p>
See <a href="configapache.html" class="wikilink1" title="documentation:2.0:configapache">how to deploy them</a>.
</p>
</div>
<!-- EDIT6 SECTION "Apache" [6446-6844] -->
<h3 class="sectionedit7" id="portal">Portal</h3>
<div class="level3">
<p>
In Portal virtual host, you will find several configuration parts:
</p>
<ul>
<li class="level1"><div class="li"> Standard virtual host directives, to serve portal pages:</div>
</li>
</ul>
<pre class="code file apache"> <span class="kw1">ServerName</span> auth.example.com
&nbsp;
<span class="co1"># DocumentRoot</span>
<span class="kw1">DocumentRoot</span> /usr/local/lemonldap-ng/htdocs/portal/
&lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/portal/&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> granted
<span class="kw1">Options</span> +ExecCGI +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
<span class="co1"># For performances, you can put static html files: simply put the HTML</span>
<span class="co1"># result (example: /oauth2/checksession.html) as static file. Then</span>
<span class="co1"># uncomment the following line.</span>
<span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:(?:static|javascript|favicon).*|.*<span class="es0">\.</span>fcgi)$&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/index.fcgi/$1&quot;</span> [PT]
&nbsp;
<span class="co1"># Note that Content-Security-Policy header is generated by portal itself</span>
&lt;<span class="kw3">Files</span> *.fcgi&gt;
<span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
<span class="co1"># For Authorization header to be passed, please uncomment one of the following:</span>
<span class="co1"># for Apache &gt;= 2.4.13</span>
<span class="co1">#CGIPassAuth On</span>
<span class="co1"># for Apache &lt; 2.4.13</span>
<span class="co1">#RewriteCond %{HTTP:Authorization} ^(.*)</span>
<span class="co1">#RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Files</span>&gt;
&nbsp;
<span class="co1"># Static files</span>
<span class="kw1">Alias</span> /static/ __PORTALSTATICDIR__/
&lt;<span class="kw3">Directory</span> __PORTALSTATICDIR__&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> granted
<span class="kw1">Options</span> +<span class="kw2">FollowSymLinks</span>
&lt;/<span class="kw3">Directory</span>&gt;
&lt;<span class="kw3">Location</span> /static/&gt;
&lt;<span class="kw3">IfModule</span> mod_expires.c&gt;
<span class="kw1">ExpiresActive</span> <span class="kw2">On</span>
<span class="kw1">ExpiresDefault</span> <span class="st0">&quot;access plus 1 month&quot;</span>
&lt;/<span class="kw3">IfModule</span>&gt;
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
&lt;<span class="kw3">IfModule</span> mod_dir.c&gt;
<span class="kw1">DirectoryIndex</span> index.fcgi index.html
&lt;/<span class="kw3">IfModule</span>&gt;</pre>
<ul>
<li class="level1"><div class="li"> REST/SOAP end points (disabled by default):</div>
</li>
</ul>
<pre class="code file apache"> <span class="co1"># REST/SOAP functions for sessions management (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/adminSessions&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># REST/SOAP functions for sessions access (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/sessions&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># REST/SOAP functions for configuration access (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/config&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># REST/SOAP functions for notification insertion (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/notification&gt;
<span class="kw1">Require</span> <span class="kw2">all</span> denied
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT7 SECTION "Portal" [6845-9192] -->
<h3 class="sectionedit8" id="manager1">Manager</h3>
<div class="level3">
<p>
Manager virtual host is used to serve configuration interface and local documentation. It is run as a FastCGI application:
</p>
<pre class="code file apache"> <span class="co1"># FASTCGI CONFIGURATION</span>
<span class="co1"># ---------------------</span>
&nbsp;
<span class="co1"># 1) URI management</span>
<span class="kw1">RewriteEngine</span> <span class="kw2">on</span>
&nbsp;
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi&quot;</span> [PT]
<span class="co1"># For performances, you can delete the previous RewriteRule line after</span>
<span class="co1"># puttings html files: simply put the HTML results of different modules</span>
<span class="co1"># (configuration, sessions, notifications) as manager.html, sessions.html,</span>
<span class="co1"># notifications.html and uncomment the 2 following lines:</span>
<span class="co1"># DirectoryIndex manager.html</span>
<span class="co1"># RewriteCond &quot;%{REQUEST_FILENAME}&quot; &quot;!\.html$&quot;</span>
&nbsp;
<span class="co1"># REST URLs</span>
<span class="kw1">RewriteCond</span> <span class="st0">&quot;%{REQUEST_FILENAME}&quot;</span> <span class="st0">&quot;!^/(?:static|doc|lib).*&quot;</span>
<span class="kw1">RewriteRule</span> <span class="st0">&quot;^/(.+)$&quot;</span> <span class="st0">&quot;/psgi/manager-server.fcgi/$1&quot;</span> [PT]
&nbsp;
<span class="kw1">Alias</span> /psgi/ /var/lib/lemonldap-ng/manager/psgi/
&nbsp;
<span class="co1"># 2) FastCGI engine</span>
&nbsp;
<span class="co1"># You can choose any FastCGI system. Here is an example using mod_fcgid</span>
<span class="co1"># mod_fcgid configuration</span>
&lt;<span class="kw3">Directory</span> /var/lib/lemonldap-ng/manager/psgi/&gt;
<span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Directory</span>&gt;
&nbsp;
<span class="co1"># If you want to use mod_fastcgi, replace lines below by:</span>
<span class="co1">#FastCgiServer /var/lib/lemonldap-ng/manager/psgi/manager-server.fcgi</span>
&nbsp;
<span class="co1"># Or if you prefer to use CGI, use /psgi/manager-server.cgi instead of</span>
<span class="co1"># /psgi/manager-server.fcgi and adapt the rewrite rules.</span></pre>
<p>
Configuration interface access is not protected by Apache but by LemonLDAP::NG itself (see <code>lemonldap-ng.ini</code>).
</p>
</div>
<!-- EDIT8 SECTION "Manager" [9193-10736] -->
<h3 class="sectionedit9" id="handler">Handler</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> Load Handler in Apache memory:</div>
</li>
</ul>
<pre class="code file apache">PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::Apache2</pre>
<ul>
<li class="level1"><div class="li"> Catch error pages:</div>
</li>
</ul>
<pre class="code file apache"><span class="kw1">ErrorDocument</span> <span class="nu0">403</span> http://auth.example.com/lmerror/<span class="nu0">403</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">404</span> http://auth.example.com/lmerror/<span class="nu0">404</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">500</span> http://auth.example.com/lmerror/<span class="nu0">500</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">502</span> http://auth.example.com/lmerror/<span class="nu0">502</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">503</span> http://auth.example.com/lmerror/<span class="nu0">503</span></pre>
<ul>
<li class="level1"><div class="li"> Reload virtual host:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> reload.example.com
&nbsp;
<span class="co1"># Configuration reload mechanism (only 1 per physical server is</span>
<span class="co1"># needed): choose your URL to avoid restarting Apache when</span>
<span class="co1"># configuration change</span>
&lt;<span class="kw3">Location</span> /reload&gt;
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 127.0.0.0/<span class="nu0">8</span>
<span class="kw1">SetHandler</span> perl-<span class="kw1">script</span>
PerlResponseHandler Lemonldap::NG::Handler::Apache2-&gt;reload
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># Uncomment this to activate status module</span>
<span class="co1">#&lt;Location /status&gt;</span>
<span class="co1"># Order deny,allow</span>
<span class="co1"># Deny from all</span>
<span class="co1"># Allow from 127.0.0.0/8</span>
<span class="co1"># SetHandler perl-script</span>
<span class="co1"># PerlResponseHandler Lemonldap::NG::Handler::Apache2-&gt;status</span>
<span class="co1">#&lt;/Location&gt;</span>
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<p>
Then, to protect a standard virtual host, the only configuration line to add is:
</p>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler::Apache2</pre>
</div>
<!-- EDIT9 SECTION "Handler" [10737-12126] -->
<h2 class="sectionedit10" id="nginx">Nginx</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage Nginx configuration
</div>
<p>
LemonLDAP::NG ships 3 Nginx configuration files:
</p>
<ul>
<li class="level1"><div class="li"> <strong>portal-nginx.conf</strong>: Portal virtual host, with REST/SOAP end points</div>
</li>
<li class="level1"><div class="li"> <strong>manager-nginx.conf</strong>: Manager virtual host</div>
</li>
<li class="level1"><div class="li"> <strong>handler-nginx.conf</strong> : Handler reload virtual hosts</div>
</li>
</ul>
<p>
See <a href="confignginx.html" class="wikilink1" title="documentation:2.0:confignginx">how to deploy them</a>.
</p>
<div class="notewarning"><a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI</a> server must be loaded separately.
</div>
</div>
<!-- EDIT10 SECTION "Nginx" [12127-12580] -->
<h3 class="sectionedit11" id="portal1">Portal</h3>
<div class="level3">
<p>
In Portal virtual host, you will find several configuration parts:
</p>
<ul>
<li class="level1"><div class="li"> Standard virtual host directives, to serve portal pages:</div>
</li>
</ul>
<pre class="code file nginx">## map directive must be in http context
#map $ssl_client_s_dn $ssl_client_s_dn_cn {
# default &quot;&quot;;
# ~/CN=(?&lt;CN&gt;[^/]+) $CN;
# }
#fastcgi_param SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
&nbsp;
server {
listen 80;
server_name auth.example.com;
root /var/lib/lemonldap-ng/portal/;
if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
rewrite ^/(.*)$ /index.psgi/$1 break;
}
&nbsp;
location ~ \.psgi(?:$|/) {
# Note that Content-Security-Policy header is generated by portal itself
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
fastcgi_param LLTYPE psgi;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
&nbsp;
index index.psgi;
location / {
try_files $uri $uri/ =404;
&nbsp;
# Uncomment this if you use https only
#add_header Strict-Transport-Security max-age=15768000;
}
&nbsp;
location /static/ {
alias __PORTALSTATICDIR__;
}
}</pre>
<ul>
<li class="level1"><div class="li"> REST/SOAP end points (inactivated by default):</div>
</li>
</ul>
<pre class="code file nginx"> # REST/SOAP functions for sessions management (disabled by default)
location /index.psgi/adminSessions {
deny all;
}
&nbsp;
# REST/SOAP functions for sessions access (disabled by default)
location /index.psgi/sessions {
deny all;
}
&nbsp;
# REST/SOAP functions for configuration access (disabled by default)
location /index.psgi/config {
deny all;
}
&nbsp;
# REST/SOAP functions for notification insertion (disabled by default)
location /index.psgi/notification {
deny all;
}</pre>
</div>
<!-- EDIT11 SECTION "Portal" [12581-14383] -->
<h3 class="sectionedit12" id="manager2">Manager</h3>
<div class="level3">
<p>
Manager virtual host is used to serve configuration interface and local documentation.
</p>
<pre class="code file nginx">server {
listen 80;
server_name manager.example.com;
root /usr/share/lemonldap-ng/manager/;
&nbsp;
if ($uri !~ ^/(static|doc|lib|javascript)) {
rewrite ^/(.*)$ /manager.psgi/$1 break;
}
&nbsp;
location /manager.psgi {
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE manager;
fastcgi_param SCRIPT_NAME /manager.psgi;
}
&nbsp;
location / {
index manager.psgi;
try_files $uri $uri/ =404;
}
}</pre>
<p>
By default, configuration interface access is not protected by Nginx but by LemonLDAP::NG itself (see <code>lemonldap-ng.ini</code>).
</p>
</div>
<!-- EDIT12 SECTION "Manager" [14384-15129] -->
<h3 class="sectionedit13" id="handler1">Handler</h3>
<div class="level3">
<p>
Nginx handler is provided by the <a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LemonLDAP::NG FastCGI server</a>.
</p>
<ul>
<li class="level1"><div class="li"> Handle errors:</div>
</li>
</ul>
<pre class="code file nginx">error_page 403 http://auth.example.com/lmerror/403;
error_page 404 http://auth.example.com/lmerror/404;
error_page 500 http://auth.example.com/lmerror/500;
error_page 502 http://auth.example.com/lmerror/502;
error_page 503 http://auth.example.com/lmerror/503;</pre>
<ul>
<li class="level1"><div class="li"> Reload virtual host:</div>
</li>
</ul>
<pre class="code file nginx">server {
listen 80;
server_name reload.example.com;
root /var/www/html;
&nbsp;
location = /reload {
allow 127.0.0.1;
deny all;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_param LLTYPE reload;
}
&nbsp;
# Other requests
location / {
deny all;
}
&nbsp;
# Uncomment this if status is enabled
#location = /status {
# allow 127.0.0.1;
# deny all;
# include /etc/nginx/fastcgi_params;
# fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# fastcgi_param LLTYPE status;
#}
}</pre>
<p>
Then, to protect a standard virtual host, you must insert this (or create an included file):
</p>
<pre class="code file nginx"> # Insert $_user in logs
include /etc/lemonldap-ng/nginx-lmlog.conf;
access_log /var/log/nginx/access.log lm_combined;
&nbsp;
# Internal call to FastCGI server
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH &quot;&quot;;
fastcgi_param HOST $http_host;
fastcgi_param X_ORIGINAL_URI $request_uri;
}
&nbsp;
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
&nbsp;
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user
&nbsp;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
&nbsp;
# IF LUA IS SUPPORTED
#include /path/to/nginx-lua-headers.conf
&nbsp;
# ELSE
# Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR
#fastcgi_param HTTP_AUTH_USER $authuser;
&nbsp;
# Then (if LUA not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR
#fastcgi_param HTTP_COOKIE $lmcookie;
&nbsp;
# Insert then your configuration (fastcgi_* or proxy_*)</pre>
</div>
<!-- EDIT13 SECTION "Handler" [15130-18211] -->
<h2 class="sectionedit14" id="configuration_reload">Configuration reload</h2>
<div class="level2">
<div class="noteclassic">As Handlers keep configuration in cache, when configuration change, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers the mean to reload them through an HTTP request. Configuration reload will then be effective in less than 10 minutes. If you want to change this timeout, set <code>checkTime = 240</code> in your lemonldap-ng.ini file <em>(values in seconds)</em>
</div>
<p>
After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in Manager, <code>General Parameters</code> &gt; <code>reload configuration URLs</code>: keys are server names or <abbr title="Internet Protocol">IP</abbr> the requests will be sent to, and values are the requested URLs.
</p>
<p>
You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
</p>
<div class="noteimportant">Configuration file is compacted to limit file size. All useless parameters are removed. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid unused parameters to be purged, you can enable &quot;Don &#039;t compact configuration file&quot; option.
</div>
<p>
These parameters can be overwritten in LemonLDAP::NG ini file, in the section <code>apply</code>.
</p>
<div class="notetip">You only need a reload <abbr title="Uniform Resource Locator">URL</abbr> per physical servers, as Handlers share the same configuration cache on each physical server.
</div>
<p>
The <code>reload</code> target is managed in Apache or Nginx configuration, inside a virtual host protected by LemonLDAP::NG Handler (see below examples in Apache-&gt;handler or Nginx-&gt;Handler).
</p>
<div class="noteimportant">You must allow access to declared URLs to your Manager <abbr title="Internet Protocol">IP</abbr>.
</div><div class="noteimportant">If reload <abbr title="Uniform Resource Locator">URL</abbr> is served in HTTPS, to avoid &quot;Error 500 (certificate verify failed)&quot;, Go to :
<p>
<code>General Parameters &gt; Advanced Parameters &gt; Security &gt; SSL options for server requests</code>
</p>
<p>
and set :
</p>
<p>
<strong>verify_hostname =&gt; 0</strong>
</p>
<p>
<strong>SSL_verify_mode =&gt; 0</strong>
</p>
</div><div class="noteimportant">If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code> for example
</div>
<p>
Practical use case: configure reload in a <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster. In this case you will have two servers (with <abbr title="Internet Protocol">IP</abbr> 1.1.1.1 and 1.1.1.2), but you can keep only one reload <abbr title="Uniform Resource Locator">URL</abbr> (reload.example.com):
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
reloadUrls &#039;1.1.1.1&#039; &#039;http://reload.example.com/reload&#039; \
reloadUrls &#039;1.1.1.2&#039; &#039;http://reload.example.com/reload&#039;</pre>
<p>
You also need to adjust the protection of the reload vhost, for example:
</p>
<pre class="code file apache"> &lt;<span class="kw3">Location</span> /reload&gt;
<span class="kw1">Require</span> ip <span class="nu0">127</span> ::<span class="nu0">1</span> 1.1.1.1 1.1.1.2
<span class="kw1">SetHandler</span> perl-<span class="kw1">script</span>
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2-&gt;reload
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT14 SECTION "Configuration reload" [18212-21062] -->
<h2 class="sectionedit15" id="local_file">Local file</h2>
<div class="level2">
<p>
LemonLDAP::NG configuration can be managed in a local file with <a href="http://en.wikipedia.org/wiki/INI_file" class="urlextern" title="http://en.wikipedia.org/wiki/INI_file" rel="nofollow">INI format</a>. This file is called <code>lemonldap-ng.ini</code> and has the following sections:
</p>
<ul>
<li class="level1"><div class="li"> <strong>configuration</strong>: where configuration is stored</div>
</li>
<li class="level1"><div class="li"> <strong>apply</strong>: reload <abbr title="Uniform Resource Locator">URL</abbr> for distant Hanlders</div>
</li>
<li class="level1"><div class="li"> <strong>all</strong>: parameters for all modules</div>
</li>
<li class="level1"><div class="li"> <strong>portal</strong>: parameters only for Portal</div>
</li>
<li class="level1"><div class="li"> <strong>manager</strong>: parameters only for Manager</div>
</li>
<li class="level1"><div class="li"> <strong>handler</strong>: parameters only for Handler</div>
</li>
</ul>
<p>
When you set a parameter in <code>lemonldap-ng.ini</code>, it will override the parameter from the global configuration.
</p>
<p>
For example, to override configured skin for portal:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">portalSkin</span> <span class="sy0">=</span><span class="re2"> dark</span></pre>
<div class="notetip">You need to know the technical name of configuration parameter to do this. You can refer to <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">parameter list</a> to find it.
</div>
</div>
<!-- EDIT15 SECTION "Local file" [21063-] --></div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink