341 lines
17 KiB
HTML
341 lines
17 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en" dir="ltr">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<title>documentation:2.0:browseablesessionbackend</title>
|
|
<meta name="generator" content="DokuWiki"/>
|
|
<meta name="robots" content="index,follow"/>
|
|
<meta name="keywords" content="documentation,2.0,browseablesessionbackend"/>
|
|
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
|
|
<link rel="start" href="browseablesessionbackend.html"/>
|
|
<link rel="contents" href="browseablesessionbackend.html" title="Sitemap"/>
|
|
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
|
|
<!-- //if:usedebianlibs
|
|
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
|
|
//elsif:useexternallibs
|
|
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
|
|
//elsif:cssminified
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
|
|
//else -->
|
|
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
|
|
<!-- //endif -->
|
|
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:browseablesessionbackend","namespace":"documentation:2.0"};
|
|
/*!]]>*/</script>
|
|
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
|
|
<!-- //endif -->
|
|
<!-- //if:usedebianlibs
|
|
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
|
|
//elsif:useexternallibs
|
|
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
|
|
//elsif:jsminified
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
|
|
//else -->
|
|
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
|
|
<!-- //endif -->
|
|
</head>
|
|
<body>
|
|
<div class="dokuwiki export container">
|
|
<!-- TOC START -->
|
|
<div id="dw__toc">
|
|
<h3 class="toggle">Table of Contents</h3>
|
|
<div>
|
|
|
|
<ul class="toc">
|
|
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#browseable_nosql">Browseable NoSQL</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#browseable_sql">Browseable SQL</a></div>
|
|
<ul class="toc">
|
|
<li class="level2"><div class="li"><a href="#prepare_database">Prepare database</a></div></li>
|
|
<li class="level2"><div class="li"><a href="#manager">Manager</a></div></li>
|
|
</ul>
|
|
</li>
|
|
<li class="level1"><div class="li"><a href="#browseable_ldap">Browseable LDAP</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#security">Security</a></div></li>
|
|
<li class="level1"><div class="li"><a href="#performances">Performances</a></div></li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<!-- TOC END -->
|
|
|
|
<h1 class="sectionedit1" id="browseable_session_backend">Browseable session backend</h1>
|
|
<div class="level1">
|
|
|
|
</div>
|
|
<!-- EDIT1 SECTION "Browseable session backend" [1-42] -->
|
|
<h2 class="sectionedit2" id="presentation">Presentation</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Browseable session backend (<a href="https://metacpan.org/pod/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/pod/Apache::Session::Browseable" rel="nofollow">Apache::Session::Browseable</a>) works exactly like Apache::Session::* corresponding module but add index that increase <a href="documentation/features.html#session_explorer" class="wikilink1" title="documentation:features">session explorer</a> and <a href="documentation/features.html#session_restrictions" class="wikilink1" title="documentation:features">session restrictions</a> performances.
|
|
</p>
|
|
|
|
<p>
|
|
If you use features like <abbr title="Security Assertion Markup Language">SAML</abbr> (authentication and issuer), <abbr title="Central Authentication Service">CAS</abbr> (issuer) and password reset self-service, you also need to index some fields.
|
|
</p>
|
|
<div class="noteclassic">Without index, <abbr title="LemonLDAP::NG">LL::NG</abbr> will have to retrieve all sessions stored in backend and parse them to find the needed sessions. With index, <abbr title="LemonLDAP::NG">LL::NG</abbr> wil be able to get only wanted sessions from the backend.
|
|
</div>
|
|
<p>
|
|
The following table list fields to index depending on the feature you want to increase performance:
|
|
</p>
|
|
<div class="table sectionedit3"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign"> Feature </th><th class="col1 centeralign"> Fields to index </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row1 rowodd">
|
|
<td class="col0"> Database cleanup <em>(cron)</em> </td><td class="col1 centeralign"> _session_kind _utime </td>
|
|
</tr>
|
|
<tr class="row2 roweven">
|
|
<td class="col0"> Session explorer </td><td class="col1 centeralign"> _session_kind ipAddr <em>WHATTOTRACE</em> </td>
|
|
</tr>
|
|
<tr class="row3 rowodd">
|
|
<td class="col0"> Session explorer (persistent sessions) </td><td class="col1 centeralign"> _session_kind _session_uid </td>
|
|
</tr>
|
|
<tr class="row4 roweven">
|
|
<td class="col0"> Session restrictions </td><td class="col1 centeralign"> _session_kind ipAddr <em>WHATTOTRACE</em> </td>
|
|
</tr>
|
|
<tr class="row5 rowodd">
|
|
<td class="col0"> Password reset by email </td><td class="col1 centeralign"> user </td>
|
|
</tr>
|
|
<tr class="row6 roweven">
|
|
<td class="col0"> <abbr title="Security Assertion Markup Language">SAML</abbr> Session </td><td class="col1 centeralign"> _saml_id </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT3 TABLE [871-1230] -->
|
|
<p>
|
|
See Apache::Session::Browseable::* man page to see how use indexes.
|
|
</p>
|
|
<div class="noteimportant"><em>WHATTOTRACE</em> must be replaced by the attribute or macro configured in the What To Trace parameter (REMOTE_USER). By default: <strong>_whatToTrace</strong>
|
|
</div><div class="notetip">It is advised to use separate session backends for standard sessions, <abbr title="Security Assertion Markup Language">SAML</abbr> sessions and <abbr title="Central Authentication Service">CAS</abbr> sessions, in order to manage index separately.
|
|
</div><div class="noteclassic">Documentation below explains how set index on ipAddr and _whatToTrace. Adapt it to configure the index you need.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT2 SECTION "Presentation" [43-1753] -->
|
|
<h2 class="sectionedit4" id="browseable_nosql">Browseable NoSQL</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
You can use Redis and set up the database like explained in <a href="nosqlsessionbackend.html" class="wikilink1" title="documentation:2.0:nosqlsessionbackend">Redis session backend</a>.
|
|
</p>
|
|
|
|
<p>
|
|
You then just have to add the <code>Index</code> parameter in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> :
|
|
</p>
|
|
<div class="table sectionedit5"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign" colspan="3"> Required parameters </th>
|
|
</tr>
|
|
<tr class="row1 rowodd">
|
|
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row2 roweven">
|
|
<td class="col0 centeralign"> <strong>server</strong> </td><td class="col1"> Redis server </td><td class="col2"> 127.0.0.1:6379 </td>
|
|
</tr>
|
|
<tr class="row3 rowodd">
|
|
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT5 TABLE [2041-2198] -->
|
|
</div>
|
|
<!-- EDIT4 SECTION "Browseable NoSQL" [1754-2199] -->
|
|
<h2 class="sectionedit6" id="browseable_sql">Browseable SQL</h2>
|
|
<div class="level2">
|
|
<div class="noteclassic">This documentation concerns PostgreSQL. Some adaptations are needed with other databases.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT6 SECTION "Browseable SQL" [2200-2331] -->
|
|
<h3 class="sectionedit7" id="prepare_database">Prepare database</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Database must be prepared exactly like in <a href="sqlsessionbackend.html#prepare_the_database" class="wikilink1" title="documentation:2.0:sqlsessionbackend">SQL session backend</a> except that a field must be added for each data to index.
|
|
</p>
|
|
<div class="noteimportant">Data written to UNLOGGED tables is not written to the WAL, which makes them considerably faster than ordinary tables. However, they are not crash-safe: an unlogged table is automatically truncated after a crash or unclean shutdown. The contents of an unlogged table are also not replicated to standby servers. Any indexes created on an unlogged table are automatically unlogged as well.
|
|
|
|
</div>
|
|
<p>
|
|
Apache::Session::Browseable::Postgres example:
|
|
</p>
|
|
<pre class="code">CREATE UNLOGGED TABLE sessions (
|
|
id varchar(64) not null primary key,
|
|
a_session text,
|
|
_whatToTrace text,
|
|
_session_kind text,
|
|
_utime bigint,
|
|
user text,
|
|
ipAddr text
|
|
);
|
|
CREATE INDEX uid1 ON sessions USING BTREE (_whatToTrace);
|
|
CREATE INDEX s1 ON sessions (_session_kind);
|
|
CREATE INDEX u1 ON sessions (_utime);
|
|
CREATE INDEX ip1 ON sessions USING BTREE (ipAddr);</pre>
|
|
<div class="noteimportant">For Session Explorer and one-off sessions, it is recommended to use BTREE or any index method that indexes partial content.
|
|
</div>
|
|
<p>
|
|
“id” fieds is set to <code>varchar(64)</code> (instead of char(32)) to use the now recommended SHA256 hash algorithm. See <a href="documentation/latest/sessions.html" class="wikilink1" title="documentation:latest:sessions">Sessions</a> for more details.
|
|
</p>
|
|
<div class="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don't need to declare indexes in <code>CREATE TABLE</code> since “json” and “hstore” type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT7 SECTION "Prepare database" [2332-3966] -->
|
|
<h3 class="sectionedit8" id="manager">Manager</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
Go in the Manager and set the session module (<a href="https://metacpan.org/pod/Apache::Session::Browseable::MySQL" class="urlextern" title="https://metacpan.org/pod/Apache::Session::Browseable::MySQL" rel="nofollow">Apache::Session::Browseable::MySQL</a> for MySQL) in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> and add the following parameters (case sensitive):
|
|
</p>
|
|
<div class="table sectionedit9"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign" colspan="3"> Required parameters </th>
|
|
</tr>
|
|
<tr class="row1 rowodd">
|
|
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row2 roweven">
|
|
<td class="col0 centeralign"> <strong>DataSource</strong> </td><td class="col1"> The <a href="https://metacpan.org/pod/DBI" class="urlextern" title="https://metacpan.org/pod/DBI" rel="nofollow">DBI</a> string </td><td class="col2"> dbi:Pg:database=sessions </td>
|
|
</tr>
|
|
<tr class="row3 rowodd">
|
|
<td class="col0 centeralign"> <strong>UserName</strong> </td><td class="col1"> The database username </td><td class="col2"> lemonldapng </td>
|
|
</tr>
|
|
<tr class="row4 roweven">
|
|
<td class="col0 centeralign"> <strong>Password</strong> </td><td class="col1"> The database password </td><td class="col2"> mysuperpassword </td>
|
|
</tr>
|
|
<tr class="row5 rowodd">
|
|
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr _session_kind _utime </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT9 TABLE [4289-4634] --><div class="notetip">Apache::Session::Browseable::MySQL doesn't use locks so performances are keeped.
|
|
<p>
|
|
For databases like PostgreSQL, don't forget to add “Commit” with a value of 1
|
|
</p>
|
|
|
|
</div>
|
|
</div>
|
|
<!-- EDIT8 SECTION "Manager" [3967-4813] -->
|
|
<h2 class="sectionedit10" id="browseable_ldap">Browseable LDAP</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Go in the Manager and set the session module to <code>Apache::Session::Browseable::LDAP</code>. Then configure the options like in <a href="ldapsessionbackend.html" class="wikilink1" title="documentation:2.0:ldapsessionbackend">LDAP session backend</a>.
|
|
</p>
|
|
|
|
<p>
|
|
You need to add the <code>Index</code> field and can also configure the <code>ldapAttributeIndex</code> field to set the attribute name where index values will be stored.
|
|
</p>
|
|
<div class="table sectionedit11"><table class="inline table table-bordered table-striped">
|
|
<thead>
|
|
<tr class="row0 roweven">
|
|
<th class="col0 centeralign" colspan="3"> Required parameters </th>
|
|
</tr>
|
|
<tr class="row1 rowodd">
|
|
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Example </th>
|
|
</tr>
|
|
</thead>
|
|
<tr class="row2 roweven">
|
|
<td class="col0 centeralign"> <strong>ldapServer</strong> </td><td class="col1"> <abbr title="Uniform Resource Identifier">URI</abbr> of the server </td><td class="col2"> ldap://localhost </td>
|
|
</tr>
|
|
<tr class="row3 rowodd">
|
|
<td class="col0 centeralign"> <strong>ldapConfBase</strong> </td><td class="col1"> <abbr title="Distinguished Name">DN</abbr> of sessions branch </td><td class="col2"> ou=sessions,dc=example,dc=com </td>
|
|
</tr>
|
|
<tr class="row4 roweven">
|
|
<td class="col0 centeralign"> <strong>ldapBindDN</strong> </td><td class="col1"> Connection login </td><td class="col2"> cn=admin,dc=example,dc=password </td>
|
|
</tr>
|
|
<tr class="row5 rowodd">
|
|
<td class="col0 centeralign"> <strong>ldapBindPassword</strong> </td><td class="col1"> Connection password </td><td class="col2"> secret </td>
|
|
</tr>
|
|
<tr class="row6 roweven">
|
|
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index list </td><td class="col2"> _whatToTrace ipAddr </td>
|
|
</tr>
|
|
<tr class="row7 rowodd">
|
|
<th class="col0 centeralign" colspan="3"> Optional parameters </th>
|
|
</tr>
|
|
<tr class="row8 roweven">
|
|
<th class="col0 centeralign"> Name </th><th class="col1 centeralign"> Comment </th><th class="col2 centeralign"> Default value </th>
|
|
</tr>
|
|
<tr class="row9 rowodd">
|
|
<td class="col0 centeralign"> <strong>ldapObjectClass</strong> </td><td class="col1"> Objectclass of the entry </td><td class="col2"> applicationProcess </td>
|
|
</tr>
|
|
<tr class="row10 roweven">
|
|
<td class="col0 centeralign"> <strong>ldapAttributeId</strong> </td><td class="col1"> Attribute storing session ID </td><td class="col2"> cn </td>
|
|
</tr>
|
|
<tr class="row11 rowodd">
|
|
<td class="col0 centeralign"> <strong>ldapAttributeContent</strong> </td><td class="col1"> Attribute storing session content </td><td class="col2"> description </td>
|
|
</tr>
|
|
<tr class="row12 roweven">
|
|
<td class="col0 centeralign"> <strong>ldapAttributeIndex</strong> </td><td class="col1"> Attribute storing index </td><td class="col2"> ou </td>
|
|
</tr>
|
|
</table></div>
|
|
<!-- EDIT11 TABLE [5165-5899] -->
|
|
</div>
|
|
<!-- EDIT10 SECTION "Browseable LDAP" [4814-5900] -->
|
|
<h2 class="sectionedit12" id="security">Security</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Restrict network access to the backend.
|
|
</p>
|
|
|
|
<p>
|
|
You can also use different user/password for your servers by overriding parameters <code>globalStorage</code> and <code>globalStorageOptions</code> in lemonldap-ng.ini file.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT12 SECTION "Security" [5901-6120] -->
|
|
<h2 class="sectionedit13" id="performances">Performances</h2>
|
|
<div class="level2">
|
|
|
|
<p>
|
|
Here are some recommended configurations:
|
|
</p>
|
|
|
|
<p>
|
|
<strong>Browseable::Postgres</strong>:
|
|
</p>
|
|
<pre class="code">CREATE UNLOGGED TABLE sessions (
|
|
id varchar(64) not null primary key,
|
|
a_session text,
|
|
_whatToTrace text,
|
|
_session_kind text,
|
|
_utime bigint,
|
|
user text,
|
|
ipAddr varchar(64)
|
|
);
|
|
CREATE INDEX uid1 ON sessions USING BTREE (_whatToTrace text_pattern_ops);
|
|
CREATE INDEX _s1 ON sessions (_session_kind);
|
|
CREATE INDEX _u1 ON sessions (_utime);
|
|
CREATE INDEX ip1 ON sessions USING BTREE (ipAddr)</pre>
|
|
|
|
<p>
|
|
<strong>Browseable::MySQL</strong>:
|
|
</p>
|
|
<pre class="code">CREATE TABLE sessions (
|
|
id varchar(64) not null primary key,
|
|
a_session text,
|
|
_whatToTrace varchar(64),
|
|
_session_kind varchar(15),
|
|
user text,
|
|
_utime bigint
|
|
);
|
|
CREATE INDEX uid1 ON sessions (_whatToTrace) USING BTREE;
|
|
CREATE INDEX _s1 ON sessions (_session_kind);
|
|
CREATE INDEX _u1 ON sessions (_utime);
|
|
CREATE INDEX ip1 ON sessions (ipAddr) USING BTREE;</pre>
|
|
|
|
</div>
|
|
<!-- EDIT13 SECTION "Performances" [6121-] --></div>
|
|
</body>
|
|
</html>
|