lemonldap-ng/doc/pages/documentation/current/restsessionbackend.html


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:restsessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,restsessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="restsessionbackend.html"/>
<link rel="contents" href="restsessionbackend.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:restsessionbackend","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#setup">Setup</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#manager">Manager</a></div></li>
<li class="level2"><div class="li"><a href="#apache">Apache</a></div></li>
<li class="level2"><div class="li"><a href="#real_session_backend">Real session backend</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="rest_session_backend">REST session backend</h1>
<div class="level1">
<p>
The <abbr title="LemonLDAP::NG">LL::NG</abbr> portal provides REST endpoints for session management:
</p>
<ul>
<li class="level1"><div class="li"> GET /sessions/&lt;type&gt;/&lt;session-id&gt; : get session data</div>
</li>
<li class="level1"><div class="li"> GET /sessions/&lt;type&gt;/&lt;session-id&gt;/&lt;key&gt; : get the value of one session key</div>
</li>
<li class="level1"><div class="li"> GET /sessions/&lt;type&gt;/&lt;session-id&gt;/[k1,k2] : get the values of several session keys</div>
</li>
<li class="level1"><div class="li"> POST /sessions/&lt;type&gt; : create a session</div>
</li>
<li class="level1"><div class="li"> PUT /sessions/&lt;type&gt;/&lt;session-id&gt; : update some keys</div>
</li>
<li class="level1"><div class="li"> DELETE /sessions/&lt;type&gt;/&lt;session-id&gt; : delete a session</div>
</li>
</ul>
<p>
Sessions for connected users <em>(used by <a href="authproxy.html" class="wikilink1" title="documentation:2.0:authproxy">LLNG Proxy</a>)</em>:
</p>
<ul>
<li class="level1"><div class="li"> GET /session/my/&lt;type&gt; : get session data</div>
</li>
<li class="level1"><div class="li"> GET /session/my/&lt;type&gt;/key : get a session key</div>
</li>
<li class="level1"><div class="li"> DELETE /session/my : ask for logout</div>
</li>
</ul>
<p>
Authorizations for connected users (always enabled):
</p>
<ul>
<li class="level1"><div class="li"> GET /mysession/?authorizationfor=&lt;base64-encoded-url&gt; : ask whether the URL is authorized</div>
</li>
</ul>
<p>
This session backend can be used to share sessions stored in a non-network backend (like <a href="filesessionbackend.html" class="wikilink1" title="documentation:2.0:filesessionbackend">file session backend</a>) or in a network backend protected with a firewall that only accepts HTTP flows.
</p>
<p>
Most of the time, the REST session backend is used by Handlers installed on external servers.
</p>
<p>
To configure it, set the REST session backend through the Manager in the global configuration (used by all Handlers), and configure the real session backend for local components in lemonldap-ng.ini.
</p>
</div>
<!-- EDIT1 SECTION "REST session backend" [1-1432] -->
<h2 class="sectionedit2" id="setup">Setup</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Setup" [1433-1451] -->
<h3 class="sectionedit3" id="manager">Manager</h3>
<div class="level3">
<p>
First, activate REST in <code>General parameters</code> » <code>Plugins</code> » <code>Portal servers</code> » <code>REST session server</code>.
</p>
<p>
Then, set <code>Lemonldap::NG::Common::Apache::Session::REST</code> in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> and add the following parameters (case sensitive):
</p>
<div class="table sectionedit4"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign" colspan="3"> Required parameters </th>
</tr>
<tr class="row1 rowodd">
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
</tr>
</thead>
<tr class="row2 roweven">
<td class="col0 centeralign"> <strong>baseUrl</strong> </td><td class="col1"> <abbr title="Uniform Resource Locator">URL</abbr> of sessions REST end point </td><td class="col2"> http://auth.example.com/index.fcgi/sessions/global </td>
</tr>
<tr class="row3 rowodd">
<th class="col0 centeralign" colspan="3"> Optional parameters </th>
</tr>
<tr class="row4 roweven">
<td class="col0 centeralign"> <strong>user</strong> </td><td class="col1"> Username to use for HTTP Basic authentication </td><td class="col2 leftalign"> </td>
</tr>
<tr class="row5 rowodd">
<td class="col0 centeralign"> <strong>password</strong> </td><td class="col1"> Password to use for HTTP Basic authentication </td><td class="col2 leftalign"> </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [1790-2116] --><div class="noteimportant">By default, the LLNG REST server hides the user password and other secret keys. You can force the REST server to export their real values by selecting “Export secret attributes in REST” in the Manager. This less secure option is disabled by default.
</div>
</div>
<!-- EDIT3 SECTION "Manager" [1452-2386] -->
<h3 class="sectionedit5" id="apache">Apache</h3>
<div class="level3">
<p>
Access to the session REST endpoints must be allowed in the portal's Apache configuration (for example, by <abbr title="Internet Protocol">IP</abbr> range):
</p>
<pre class="code file apache"><span class="co1"># REST/SOAP functions for sessions access (disabled by default)</span>
&lt;<span class="kw3">Location</span> /index.fcgi/sessions&gt;
<span class="kw1">Require</span> ip 192.168.2.0/<span class="nu0">24</span>
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT5 SECTION "Apache" [2387-2677] -->
<h3 class="sectionedit6" id="real_session_backend">Real session backend</h3>
<div class="level3">
<p>
The real session backend is configured in <code>lemonldap-ng.ini</code>, in the <code>portal</code> section (the portal hosts the REST service for sessions and links REST requests to the real sessions).
</p>
<p>
For example, if real sessions are stored in <a href="filesessionbackend.html" class="wikilink1" title="documentation:2.0:filesessionbackend">files</a>:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">globalStorage</span> <span class="sy0">=</span><span class="re2"> Apache::Session::File</span>
<span class="re1">globalStorageOptions</span> <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span> 'Directory' <span class="sy0">=</span>&gt; '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' <span class="sy0">=</span>&gt; '/var/lib/lemonldap-ng/sessions/lock/', <span class="br0">&#125;</span></span></pre>
<div class="notetip">The session explorer and “single session” features can&#039;t be used with this backend. The session explorer and the portal must be launched with the real backend.
</div>
<p>
By default, only a few session keys are shared by REST (authenticationLevel, groups, ipAddr, _startTime, _utime, _lastSeen, _session_id). Define which other keys you want to share in <code>General parameters</code> » <code>Plugins</code> » <code>Portal servers</code> » <code>SOAP/REST exported attributes</code>.
</p>
<p>
The value must start with <code>+</code> to keep the default keys; otherwise they will not be shared. For example:
</p>
<pre class="code">+ uid cn mail</pre>
<p>
To share only the listed attributes:
</p>
<pre class="code">authenticationLevel groups ipAddr _startTime _utime _lastSeen _session_id uid cn mail</pre>
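<p>
The rule above (a leading <code>+</code> keeps the default keys, without it only the listed keys are shared) modelled in Python, to check which default keys a given value would stop sharing. This is an added example, not LemonLDAP::NG code: the function names and the sample session are hypothetical and constructed, and reading <code>+uid</code> like <code>+ uid</code> is an assumption.
</p>

```python
# Added example: a model of the export rule stated on this page,
# not LemonLDAP::NG source code.

# Keys shared by default, as listed on this page.
DEFAULT_KEYS = ["authenticationLevel", "groups", "ipAddr", "_startTime",
                "_utime", "_lastSeen", "_session_id"]


def effective_exported_keys(setting):
    """Return the ordered, de-duplicated list of keys a setting value shares."""
    value = setting.strip()
    keep_defaults = value.startswith("+") or not value  # empty: defaults only
    # Assumption: "+uid" (no space after "+") is read like "+ uid".
    listed = value.lstrip("+").split()
    keys = (DEFAULT_KEYS if keep_defaults else []) + listed
    return list(dict.fromkeys(keys))


def dropped_defaults(setting):
    """Default keys that are no longer shared because the value lacks '+'."""
    shared = set(effective_exported_keys(setting))
    return [key for key in DEFAULT_KEYS if key not in shared]


def project_session(session, setting):
    """Keep only the session keys that the setting value shares over REST."""
    return {key: session[key]
            for key in effective_exported_keys(setting) if key in session}


# Constructed sample session; every value is illustrative.
SAMPLE_SESSION = {
    "_session_id": "0123abcd", "_utime": 1700000000, "_lastSeen": 1700000300,
    "_startTime": "20231114221320", "ipAddr": "192.168.2.10",
    "authenticationLevel": 2, "groups": "users", "uid": "dwho",
    "cn": "Doctor Who", "mail": "dwho@example.com", "telephoneNumber": "0000",
}

if __name__ == "__main__":
    for setting in ("+ uid cn mail", "uid cn mail"):
        print(repr(setting))
        print("  shared keys:", sorted(project_session(SAMPLE_SESSION, setting)))
        print("  dropped defaults:", dropped_defaults(setting))
```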
</div>
<!-- EDIT6 SECTION "Real session backend" [2678-] --></div>
</body>
</html>