lemonldap-ng/doc/pages/documentation/current/managerprotection.html
Xavier Guimard 8af300995c Update doc
2018-03-08 13:29:31 +01:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:managerprotection</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,managerprotection"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="managerprotection.html"/>
<link rel="contents" href="managerprotection.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:managerprotection","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="manager_protection">Manager protection</h1>
<div class="level1">
<p>
When installing <abbr title="LemonLDAP::NG">LL::NG</abbr>, the Manager can only be accessed with the demo account <code>dwho</code>. This How To explains how to change this default behavior and protect the Manager with other rules.
</p>
</div>
<!-- EDIT1 SECTION "Manager protection" [1-215] -->
<h2 class="sectionedit2" id="apache_based_protection">Apache based protection</h2>
<div class="level2">
<div class="notetip">Apache based protection allows you to be independent of the WebSSO, so the Manager will always be reachable even if the WebSSO configuration is corrupted.
</div>
<p>
The configuration can be changed in <code>etc/manager-apache2.conf</code>, for example to restrict the <abbr title="Internet Protocol">IP</abbr> addresses allowed to access the Manager:
</p>
<pre class="code file apache"> &lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/manager/&gt;
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 127.0.0.0/<span class="nu0">8</span> 192.168.100.0/<span class="nu0">32</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Directory</span>&gt;</pre>
<p>
But you will probably prefer to use an Apache authentication module, for example the <a href="http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html" class="urlextern" title="http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html" rel="nofollow">LDAP authentication module</a>:
</p>
<pre class="code file apache"> &lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/manager/&gt;
<span class="kw1">AuthzLDAPAuthoritative</span> <span class="kw2">On</span>
<span class="kw1">AuthName</span> <span class="st0">&quot;LL::NG Manager&quot;</span>
<span class="kw1">AuthType</span> Basic
<span class="kw1">AuthBasicProvider</span> ldap
<span class="kw1">AuthLDAPBindDN</span> <span class="st0">&quot;ou=websso,ou=applications,dc=example,dc=com&quot;</span>
<span class="kw1">AuthLDAPBindPassword</span> <span class="st0">&quot;secret&quot;</span>
<span class="kw1">AuthLDAPURL</span> ldap://localhost:<span class="nu0">389</span>/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS
<span class="kw1">Require</span> ldap-<span class="kw1">user</span> coudot xguimard tchemineau
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Directory</span>&gt;</pre>
<div class="noteimportant">You need to disable the default Manager protection in <code>lemonldap-ng.ini</code> to rely only on Apache:
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="co0">;protection = manager</span></pre>
</div>
</div>
<!-- EDIT2 SECTION "Apache based protection" [216-1609] -->
<h2 class="sectionedit3" id="llng_based_protection">LL::NG based protection</h2>
<div class="level2">
<div class="notewarning">Before enabling Manager protection by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you must have configured how users authenticate on the Portal and tested that you can log in without difficulty. Otherwise, you will lock yourself out of the Manager.
</div>
<p>
By default, a manager virtual host is defined in the configuration. If not, go to the Manager and declare the Manager as a new <a href="configvhost.html#lemonldapng_configuration" class="wikilink1" title="documentation:2.0:configvhost">virtual host</a>, for example <code>manager.example.com</code>. You can then set the access rule. No headers are needed.
</p>
<p>
The default rule is:
</p>
<pre class="code perl"><span class="re0">$uid</span> <span class="kw1">eq</span> <span class="st0">&quot;dwho&quot;</span></pre>
<p>
You have to change it to match your admin user (or use other conditions, such as group membership or any other rule based on a session variable).
</p>
<p>
Save the configuration and exit the Manager.
</p>
<div class="notetip">The next time you access the Manager, it will be through <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
<p>
Enable protection on the Manager by editing <code>lemonldap-ng.ini</code>:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="re1">protection</span> <span class="sy0">=</span><span class="re2"> manager</span></pre>
<p>
You can also adapt Apache access control:
</p>
<pre class="code file apache"> &lt;<span class="kw3">Directory</span> /usr/local/lemonldap-ng/htdocs/manager/&gt;
<span class="kw1">Order</span> <span class="kw1">deny</span>,<span class="kw1">allow</span>
<span class="kw1">Allow</span> from <span class="kw2">all</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Directory</span>&gt;</pre>
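<p>
The two configurations above interact: the <code>;protection = manager</code> line in the Apache section and the <code>protection = manager</code> line here decide whether <abbr title="LemonLDAP::NG">LL::NG</abbr> guards the Manager, while the Apache <code>&lt;Directory&gt;</code> block decides whether Apache does. If both are relaxed at the same time (protection commented out and <code>Allow from all</code>), the Manager is reachable by anyone. The following script is an added example, not code from the LL::NG project: it reads the <code>[manager]</code> section of a <code>lemonldap-ng.ini</code> fragment and the Manager <code>&lt;Directory&gt;</code> block and reports which layer protects the Manager. The ini and Apache fragments embedded in it are constructed samples; the assumption that any non-empty <code>protection</code> value means LL::NG protection is enabled, and the recognition of both Apache 2.2 (<code>Order</code>/<code>Deny</code>/<code>Allow</code>) and 2.4 (<code>Require</code>) styles, are the example's own.
</p>

```python
"""Added example (not LL::NG project code): report which layer protects the Manager.
Assumption: a non-empty [manager] protection key enables LL::NG protection; the
Apache <Directory> block uses 2.2-style Order/Deny/Allow or 2.4-style Require."""
import configparser
import re

# Constructed sample ini fragments (not copied from a real installation).
INI_APACHE_ONLY = """
[manager]
;protection = manager
"""

INI_LLNG = """
[manager]
protection = manager
"""

# Constructed sample Apache <Directory> blocks for the Manager htdocs.
APACHE_IP_RESTRICTED = """
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8 192.168.100.0/32
    Options +ExecCGI
</Directory>
"""

APACHE_LDAP = """
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
    AuthName "LL::NG Manager"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost:389/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS
    Require ldap-user coudot xguimard tchemineau
    Options +ExecCGI
</Directory>
"""

APACHE_OPEN = """
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
    Order deny,allow
    Allow from all
    Options +ExecCGI
</Directory>
"""


def llng_protection(ini_text):
    """Return the [manager] protection value, or None if the key is absent or commented out."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)  # ';' lines are comments, so ';protection = manager' is ignored
    if not parser.has_section("manager"):
        return None
    value = parser.get("manager", "protection", fallback="").strip()
    return value or None


def manager_directives(apache_text):
    """Return the lower-cased directives found inside the <Directory .../manager/> block."""
    block = re.search(r"<Directory\s+\S*/manager/?\s*>(.*?)</Directory>",
                      apache_text, re.IGNORECASE | re.DOTALL)
    if block is None:
        return []
    return [line.strip().lower() for line in block.group(1).splitlines() if line.strip()]


def apache_protection(apache_text):
    """Classify Apache access control on the Manager directory: 'auth', 'ip' or 'open'."""
    directives = manager_directives(apache_text)
    has_authtype = any(d.startswith("authtype") for d in directives)
    requires = [d for d in directives if d.startswith("require") and d != "require all granted"]
    if has_authtype and requires:
        return "auth"  # an Apache authentication module (e.g. mod_authnz_ldap) guards the directory
    if any(d.startswith("require ip") for d in requires):
        return "ip"  # Apache 2.4 IP restriction
    deny_all = any(d == "deny from all" for d in directives)
    allow_some = any(d.startswith("allow from") and d != "allow from all" for d in directives)
    if deny_all and allow_some:
        return "ip"  # Apache 2.2 style Order/Deny/Allow restriction
    return "open"


def check_manager_protection(ini_text, apache_text):
    """Return 'both', 'llng', 'apache' or 'none'; 'none' means anyone can reach the Manager."""
    llng = llng_protection(ini_text) is not None
    apache = apache_protection(apache_text) != "open"
    if llng and apache:
        return "both"
    if llng:
        return "llng"
    if apache:
        return "apache"
    return "none"


if __name__ == "__main__":
    # The combination the page warns about: LL::NG protection disabled and Apache wide open.
    print("LL::NG disabled, Allow from all:", check_manager_protection(INI_APACHE_ONLY, APACHE_OPEN))
```

<p>
Run against your own files by reading <code>lemonldap-ng.ini</code> and <code>manager-apache2.conf</code> into the two string arguments; a result of <code>none</code> is the state to fix before restarting Apache, either by restoring <code>protection = manager</code> or by putting an IP restriction or an authentication module back into the <code>&lt;Directory&gt;</code> block.
</p>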
<p>
Restart Apache and try to log in to the Manager. You should be redirected to the <abbr title="LemonLDAP::NG">LL::NG</abbr> Portal.
</p>
<p>
You can then add the Manager as <a href="portalmenu.html#categories_and_applications" class="wikilink1" title="documentation:2.0:portalmenu">an application in the menu</a>.
</p>
<div class="notetip">If, for some reason, the WebSSO is not working and you need to access the Manager, remove the protection in <code>lemonldap-ng.ini</code> and add an Apache access control to prevent other access.
</div>
</div>
<!-- EDIT3 SECTION "LL::NG based protection" [1610-] --></div>
</body>
</html>