lemonldap-ng/po-doc/fr/pages/documentation/current/writingrulesand_headers.html
2017-08-30 16:47:26 +00:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="utf-8" />
<title>documentation:2.0:writingrulesand_headers</title><!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else --><!-- //endif -->
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,writingrulesand_headers"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="writingrulesand_headers.html"/>
<link rel="contents" href="writingrulesand_headers.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:writingrulesand_headers","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script><!-- //endif --><!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script><!-- //endif -->
</head>
<body>
<div class="dokuwiki export container"><!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#available_env_variables">Available $ENV{} variables</a></div></li>
<li class="level1"><div class="li"><a href="#rules">Rules</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#rules_on_authentication_level">Rules on authentication level</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#headers">Headers</a></div></li>
<li class="level1"><div class="li"><a href="#available_functions">Available functions</a></div></li>
</ul>
</div>
</div><!-- TOC END -->
<h1 class="sectionedit1" id="writing_rules_and_headers">Writing rules and headers</h1>
<div class="level1">
<p>
Lemonldap::NG manages applications by their host names (Apache virtual hosts). Rules are used to protect applications; headers are HTTP headers added to the request to give data to the application (for logs, profiles, …).
</p>
<div class="noteimportant">Note that variables written as $xx correspond to the names of the <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a> or <a href="performances.html#macros_and_groups" class="wikilink1" title="documentation:2.0:performances">macro names</a>, except for <code>$ENV{&lt;cgi-header&gt;}</code>, which corresponds to a CGI header <em>(<code>$ENV{REMOTE_ADDR}</code> for example)</em>.
</div>
</div><!-- EDIT1 SECTION "Writing rules and headers" [1-546] -->
<h2 class="sectionedit2" id="available_env_variables">Available $ENV{} variables</h2>
<div class="level2">
<p>
The %ENV hash provides:
</p>
<ul>
<li class="level1"><div class="li"> all headers in CGI format <em>(<code>User-Agent</code> becomes <code>HTTP_USER_AGENT</code>)</em></div>
</li>
<li class="level1"><div class="li"> some CGI variables depending on the context:</div>
<ul>
<li class="level2"><div class="li"> For portal: all CGI standard variables <em>(you can add custom headers using <code>fastcgi_param</code> with Nginx)</em>,</div>
</li>
<li class="level2"><div class="li"> For Apache handler: REMOTE_ADDR, QUERY_STRING, REQUEST_<abbr title="Uniform Resource Identifier">URI</abbr>, SERVER_PORT, REQUEST_METHOD,</div>
</li>
<li class="level2"><div class="li"> For Nginx handler: all variables given by <code>fastcgi_param</code> commands.</div>
</li>
</ul>
</li>
</ul>
<p>
See also <a href="extendedfunctions.html" class="wikilink1" title="documentation:2.0:extendedfunctions">extended functions</a>.
</p>
</div><!-- EDIT2 SECTION "Available $ENV{} variables" [547-1077] -->
<h2 class="sectionedit3" id="rules">Règles</h2>
<div class="level2">
<p>
A rule associates a <a href="http://en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions" class="urlextern" title="http://en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions" rel="nofollow">regular expression</a> to a Perl boolean expression or a keyword.
</p>
<p>
<a href="documentation/manager-rule.png_documentation_2.0_writingrulesand_headers.html" class="media" title="documentation:manager-rule.png"><img src="documentation/manager-rule.png" class="mediacenter" alt="" /></a>
</p>
<p>
Examples:
</p>
<div class="table sectionedit4"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Goal </th><th class="col1 centeralign"> Regular expression </th><th class="col2 centeralign"> Rule </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"> Restrict the /admin/ directory to user bart.simpson </td><td class="col1 centeralign"> ^/admin/ </td><td class="col2 centeralign"> $uid&nbsp;eq&nbsp;"bart.simpson" </td>
</tr>
<tr class="row2 roweven">
<td class="col0 leftalign"> Restrict the /js/ and /css/ directories to authenticated users </td><td class="col1 centeralign"> ^/(css|js)/ </td><td class="col2 centeralign"> accept </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 leftalign"> Deny access to the /config/ directory </td><td class="col1 centeralign"> ^/config/ </td><td class="col2 centeralign"> deny </td>
</tr>
<tr class="row4 roweven">
<td class="col0 leftalign"> Do not restrict /public/ </td><td class="col1 centeralign"> ^/public/ </td><td class="col2 centeralign"> skip </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 leftalign"> Makes authentication optional, but authenticated users are seen as such (that is, user data are sent to the app through HTTP headers) </td><td class="col1 centeralign"> ^/forum/ </td><td class="col2 centeralign"> unprotect </td>
</tr>
<tr class="row6 roweven">
<td class="col0 leftalign"> Restrict access to the whole site to users that have the LDAP description field set to “LDAP administrator” (must be set in exported variables) </td><td class="col1 centeralign"> default </td><td class="col2 centeralign"> $description&nbsp;eq&nbsp;"LDAP&nbsp;administrator" </td>
</tr>
</table></div><!-- EDIT4 TABLE [1300-2143] -->
<p>
The “<strong>default</strong>” access rule is used if no rule matches the current <abbr title="Uniform Resource Locator">URL</abbr>.
</p>
<div class="notetip"><ul>
<li class="level1"><div class="li"> Comments can be used to order rules: they are applied in the alphabetical order of their comments (or of their regular expressions when there is no comment). See the <strong><a href="security.html#write_good_rules" class="wikilink1" title="documentation:2.0:security">security chapter</a></strong> to learn how to write good rules.</div>
</li>
<li class="level1"><div class="li"> See <a href="performances.html#handler_performance" class="wikilink1" title="documentation:2.0:performances">performances</a> to understand why macros and groups are useful in rules.</div>
</li>
</ul>
</div>
<p>
Rules can also be used to intercept logout <abbr title="Uniform Resource Locator">URL</abbr>s:
</p>
<div class="table sectionedit5"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Goal </th><th class="col1 centeralign"> Regular expression </th><th class="col2 centeralign"> Rule </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"> Logs the user out of Lemonldap::NG and redirects to http://intranet/ </td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_sso&nbsp;http://intranet/ </td>
</tr>
<tr class="row2 roweven">
<td class="col0 leftalign"> Logs the user out of the current application and redirects to the menu <strong><em>(Apache only)</em></strong> </td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_app&nbsp;https://auth.example.com/ </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> Logs the user out of the current application and of Lemonldap::NG and redirects to http://intranet/ <strong><em>(Apache only)</em></strong> </td><td class="col1 centeralign"> ^/index.php\?logout </td><td class="col2 centeralign"> logout_app_sso&nbsp;http://intranet/ </td>
</tr>
</table></div><!-- EDIT5 TABLE [2637-3285] -->
<div class="notewarning"><code>logout_app</code> and <code>logout_app_sso</code> rules are not available on Nginx, only on Apache.
</div>
<p>
By default, the user is redirected to the portal if no <abbr title="Uniform Resource Locator">URL</abbr> is defined, or to the given <abbr title="Uniform Resource Locator">URL</abbr> otherwise.
</p>
<div class="noteimportant">Only the application is concerned by the logout_app* targets. Beware of applications that do not check Lemonldap::NG headers once they have created their own cookies. In that case, redirect users to an <abbr title="HyperText Markup Language">HTML</abbr> page explaining that it is better to close the browser after logging out.
</div>
</div><!-- EDIT3 SECTION "Rules" [1078-3806] -->
<h3 class="sectionedit6" id="rules_on_authentication_level">Rules on authentication level</h3>
<div class="level3">
<p>
LLNG sets an “authentication level” during the authentication process. This level is the value assigned to the authentication backend used for this user. Default values are:
</p>
<ul>
<li class="level1"><div class="li"> 0 for <a href="authnull.html" class="wikilink1" title="documentation:2.0:authnull">Null</a></div>
</li>
<li class="level1"><div class="li"> 1 for <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a>, <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID-2</a>, <a href="authfacebook.html" class="wikilink1" title="documentation:2.0:authfacebook">Facebook</a>,…</div>
</li>
<li class="level1"><div class="li"> 2 for web-form based authentication <em>(<a href="authldap.html" class="wikilink1" title="documentation:2.0:authldap">LDAP</a>, <a href="authdbi.html" class="wikilink1" title="documentation:2.0:authdbi">DBI</a>,…)</em></div>
</li>
<li class="level1"><div class="li"> 3 for <a href="authyubikey.html" class="wikilink1" title="documentation:2.0:authyubikey">Yubikey</a></div>
</li>
<li class="level1"><div class="li"> 4 for <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Kerberos</a></div>
</li>
<li class="level1"><div class="li"> 5 for <a href="authssl.html" class="wikilink1" title="documentation:2.0:authssl">SSL</a></div>
</li>
</ul>
<p>
There are two ways to require users to have a high authentication level:
</p>
<ul>
<li class="level1"><div class="li"> writing a rule based on the authentication level: <code>$authenticationLevel &gt; 3</code></div>
</li>
<li class="level1"><div class="li"> since 2.0, setting a minimum level in the virtual host options</div>
</li>
</ul>
<div class="notetip">Instead of returning a 403 code, “minimum level” sends the user to a form that explains that a higher level is required and proposes that the user reauthenticate.
</div>
</div><!-- EDIT6 SECTION "Rules on authentication level" [3807-4692] -->
<h2 class="sectionedit7" id="headers">Headers</h2>
<div class="level2">
<p>
Headers are associations between a header name and a Perl expression that returns a string. Headers are used to give user data to applications.
</p>
<p>
Examples:
</p>
<div class="table sectionedit8"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Goal </th><th class="col1 centeralign"> Header name </th><th class="col2 centeralign"> Header value </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 leftalign"> Gives the uid (for traceability) </td><td class="col1 centeralign"> Auth-User </td><td class="col2 centeralign"> $uid </td>
</tr>
<tr class="row2 roweven">
<td class="col0 leftalign"> Gives a static value </td><td class="col1 centeralign"> Some-Thing </td><td class="col2 centeralign"> "static-value" </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 leftalign"> Gives the display name </td><td class="col1 centeralign"> Display-Name </td><td class="col2 centeralign"> $givenName."&nbsp;".$surName </td>
</tr>
<tr class="row4 roweven">
<td class="col0 leftalign"> Gives a non-ASCII value </td><td class="col1 centeralign"> Display-Name </td><td class="col2 centeralign"> encode_base64($givenName."&nbsp;".$surName) </td>
</tr>
</table></div><!-- EDIT8 TABLE [4876-5209] -->
<p>
As explained in the <a href="performances.html#handler_performance" class="wikilink1" title="documentation:2.0:performances">performances chapter</a>, you can use macros, local macros, …
</p>
<div class="noteimportant"><ul>
<li class="level1"><div class="li"> Since many HTTP servers refuse non-ASCII headers, it is recommended to use the encode_base64() function to transmit those headers</div>
</li>
<li class="level1"><div class="li"> Header names must contain only letters and the “-” character</div>
</li>
</ul>
</div><div class="notetip">By default, the <abbr title="Single Sign On">SSO</abbr> cookie is hidden, so protected applications cannot access the <abbr title="Single Sign On">SSO</abbr> session key. It can still be transmitted if necessary:
<pre class="code">Session-ID =&gt; $_session_id</pre>
</div>
</div><!-- EDIT7 SECTION "Headers" [4693-5742] -->
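<p>As an added example (not code from the LLNG project), this stand-alone Perl script models how the rules and headers of the tables above are evaluated: rules are tried in the alphabetical order of their comments, keywords are returned as-is, boolean expressions (including an authentication level test) yield accept or deny, the default rule applies when nothing matches, and header values (including a base64-encoded non-ASCII one) are computed the same way. It assumes <code>encode_base64</code> is the one from MIME::Base64, and the <code>/payroll/</code> path and session data are constructed for the example.</p>

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);   # assumed source of encode_base64()

# Constructed session of one authenticated user (exported variables and level).
my %session = (
    uid => 'bart.simpson', description => 'LDAP administrator',
    authenticationLevel => 2, givenName => 'Élodie', surName => 'Dupont',
);

# Rules keyed by their comment: sorting the comments fixes the evaluation order.
my %rules = (
    '1-admin'  => [ '^/admin/',    '$uid eq "bart.simpson"' ],
    '2-static' => [ '^/(css|js)/', 'accept' ],
    '3-config' => [ '^/config/',   'deny' ],
    '4-strong' => [ '^/payroll/',  '$authenticationLevel > 3' ],   # made-up path
);
my $default_rule = '$description eq "LDAP administrator"';

# Headers: name => Perl expression returning a string; non-ASCII goes through base64.
my %headers = (
    'Auth-User'    => '$uid',
    'Display-Name' => 'encode_base64($givenName." ".$surName, "")',
);

# Rewrite "$uid" into "$s->{'uid'}" so the expression reads the session, then eval it.
sub eval_expr {
    my ( $expr, $s ) = @_;
    ( my $code = $expr ) =~ s/\$(\w+)/\$s->{'$1'}/g;
    my $result = eval $code;
    die "cannot evaluate '$expr': $@" if $@;
    return $result;
}

# Decision for a path: first matching rule in comment order, else the default rule.
# Keywords are returned as-is; a boolean expression becomes accept or deny.
sub decide {
    my ( $path, $s ) = @_;
    my $rule = $default_rule;
    for my $name ( sort keys %rules ) {
        my ( $re, $r ) = @{ $rules{$name} };
        if ( $path =~ /$re/ ) { $rule = $r; last }
    }
    return $rule if $rule =~ /^(accept|deny|skip|unprotect)$/;
    return eval_expr( $rule, $s ) ? 'accept' : 'deny';
}

printf "%-12s => %s\n", $_, decide( $_, \%session ) for qw(/admin/ /js/a.js /config/ /payroll/ /home);
printf "%s: %s\n", $_, eval_expr( $headers{$_}, \%session ) for sort keys %headers;
```

With the constructed session, /admin/, /js/a.js and /home (default rule) are accepted while /config/ and /payroll/ (level 2, rule requires more than 3) are denied.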
<h2 class="sectionedit9" id="available_functions">Available functions</h2>
<div class="level2">
<p>
In addition to macros and names, you can use some functions in rules and headers:
</p>
<ul>
<li class="level1"><div class="li"> <a href="extendedfunctions.html" class="wikilink1" title="documentation:2.0:extendedfunctions">LLNG extended functions</a></div>
</li>
<li class="level1"><div class="li"> <a href="customfunctions.html" class="wikilink1" title="documentation:2.0:customfunctions">Your custom functions</a></div>
</li>
</ul>
</div><!-- EDIT9 SECTION "Available functions" [5743-] -->
</div>
</body>
</html>