<html>
<head>
<title>Lemonldap::NG</title>
<meta name="ROBOTS" content="INDEX,FOLLOW">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="DESCRIPTION" content="Lemonldap::NG overview">
<meta name="KEYWORDS" content="LEMONLDAP::NG, WEBSSO, WEB-SSO, LEMONLDAP, LEMONLDAP-NG">
</head>
<body>

<h1 style="text-align: center;">Lemonldap::NG</h1>

<p>Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
lets you build a protected area with only a few changes to the application.
It manages both authentication and authorization and provides HTTP headers for
accounting, so you get full AAA protection for your web space, as described
below.</p>

<ol type="1">
<li><a href="#aaa">Authentication, Authorization and Accounting mechanisms</a></li>
<li><a href="#inst">Installation</a></li>
<li><a href="#storage">Session storage system</a></li>
<li><a href="#logout">Logout system</a></li>
<li><a href="#author">Author</a></li>
<li><a href="#copyright">Copyright and licence</a></li>
</ol>

<ol type="I">
<h2><li><a name="aaa">Authentication, Authorization and Accounting mechanisms</a></li></h2>

<ol type="1">
<h3><li>Authentication</li></h3>

<p>If a user is not authenticated and attempts to connect to an area protected by a
Lemonldap::NG compatible handler, he is redirected to a portal. By default the
portal authenticates the user with an LDAP bind, but you can also use another
authentication scheme, such as X.509 user certificates (see
Lemonldap::NG::Portal::AuthSSL(3) for more).</p>

<p>Lemonldap::NG uses session cookies generated by Apache::Session, so the session
identifier is as secure as a 128-bit random value. You may use the securedCookie
option to avoid session hijacking.</p>

<p>You have to manage the lifetime of sessions yourself, since Lemonldap::NG knows
nothing about the Apache::Session module you have chosen, but this is very easy
with a simple cron script, because Lemonldap::NG::Portal stores the session start
time in the _utime field.<br>
By default, a session stays 10 minutes in the local storage, so in the worst
case a user remains authorized for 10 minutes after losing his rights.</p>

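<p>The cron script mentioned above, written here as an added example that is not part of Lemonldap::NG: it walks an Apache::Session::File store, reads the _utime start time the Portal writes into each session, and deletes sessions older than a configured lifetime. The two directories and the two-hour lifetime are assumptions; adapt them to the values of your Portal configuration.</p>

```perl
#!/usr/bin/perl
# Added example (not part of Lemonldap::NG): purge sessions whose start time
# (_utime, written by Lemonldap::NG::Portal) is older than a configured
# lifetime. Apache::Session::File is assumed as the session module; the two
# directories below are constructed paths, adapt them to your Portal setup.
use strict;
use warnings;
use Apache::Session::File;

my $dir      = '/var/lib/lemonldap-ng/sessions';       # assumption
my $lock_dir = '/var/lib/lemonldap-ng/sessions/lock';  # assumption
my $lifetime = 2 * 3600;   # seconds; absolute session lifetime (assumption)

# Apache::Session::File keeps one file per session, named after the session
# id (a hex string), so the directory listing gives us the ids to inspect.
opendir( my $dh, $dir ) or die "Cannot open $dir: $!";
my @ids = grep { /^[0-9a-f]+$/i } readdir $dh;
closedir $dh;

my ( $removed, $kept, $skipped ) = ( 0, 0, 0 );
for my $id (@ids) {
    my %session;
    eval {
        tie %session, 'Apache::Session::File', $id,
          { Directory => $dir, LockDirectory => $lock_dir };
    };
    if ($@) {
        # Unreadable or concurrently deleted session: leave it alone.
        warn "skipping $id: $@";
        $skipped++;
        next;
    }
    my $start = $session{_utime};

    # A session without _utime was not created by the Portal; treat it as
    # expired rather than letting an unknown session live forever.
    if ( !defined $start or time - $start > $lifetime ) {
        tied(%session)->delete;    # remove it from the global storage
        $removed++;
    }
    else {
        $kept++;
    }
    # %session goes out of scope here, which releases the session lock.
}
print "expired sessions removed: $removed, kept: $kept, skipped: $skipped\n";
```

<p>This enforces an absolute lifetime measured from the start time, which is what _utime gives you; an idle timeout would need a last-access field that the overview does not describe. Run it from cron as the user that owns the session directory, and remember that a purged session is only refused by a handler once its local copy has expired (10 minutes by default).</p>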
<h3><li>Authorization</li></h3>

<p>Authorization is controlled only by the handlers, because the portal knows nothing
about the path the user will choose. When configuring your Web-SSO, you have to:</p>

<ul type="disc">
<li> choose the LDAP attributes you want to use to manage accounting and
authorization,</li>
<li> create Perl expressions to define user groups (using LDAP attributes),</li>
<li> create, for each virtual host, an array associating URI regular expressions with
the Perl expressions used to grant access.</li>
</ul>

<p>Example (see Lemonldap::NG::Manager::Conf(3) to see how the configuration is stored):</p>

<ul>
<li> Exported variables:
<pre>
# Custom-Name => LDAP attribute
cn => cn
departmentUID => departmentUID
login => uid
</pre></li>

<li> User groups:
<pre>
# Custom-Name => group definition
group1 => { $departmentUID eq "unit1" or $login eq "user1" }
</pre></li>

<li> Area protection:
<pre>
# Each VirtualHost has its own configuration
# associating URL regexp to Perl expression
* www1.domain.com :
    ^/protected/.*$ => $groups =~ /\bgroup1\b/
    default => accept
* www2.domain.com :
    ^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
    ^/(js|css) => accept
    default => deny
</pre></li>
</ul>

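<p>To make the rule semantics concrete, here is an added example (not the Lemonldap::NG handler's own code) that evaluates the group definitions and the area-protection rules above against constructed user data. The functions compile_expr, compute_groups and grant, the rewriting of $name into a hash lookup, and the "first matching regexp wins, then default" ordering are this example's assumptions about how such rules are applied.</p>

```perl
#!/usr/bin/perl
# Added example (not Lemonldap::NG's own handler code): evaluates the page's
# group definitions and area-protection rules on constructed user data.
# Expressions reference exported variables as $name; $groups is the
# space-separated list of the groups the user belongs to.
use strict;
use warnings;

# Constructed user data, as exported from LDAP at login.
my %user = ( uid => 'user1', login => 'user1', departmentUID => 'unit2' );

# Group definitions (Perl expressions; evaluated once, at the portal).
my %group_defs = (
    group1 => '$departmentUID eq "unit1" or $login eq "user1"',
    group2 => '$departmentUID eq "unit2"',
);

# Area protection: an ordered rule list per virtual host, first matching
# regexp wins, 'default' applies when nothing matches.
my %vhosts = (
    'www1.domain.com' => {
        rules   => [ [ qr{^/protected/.*$} => '$groups =~ /\bgroup1\b/' ] ],
        default => 'accept',
    },
    'www2.domain.com' => {
        rules => [
            [ qr{^/site/.*$} => '$uid eq "admin" or $groups =~ /\bgroup2\b/' ],
            [ qr{^/(js|css)} => 'accept' ],
        ],
        default => 'deny',
    },
);

# Turn a configuration expression into a closure over the user hash: $name
# is rewritten to $u->{'name'} and compiled with eval once, not per request.
# Expressions are trusted configuration written by the administrator, never
# anything taken from the request.
my %compiled;
sub compile_expr {
    my $expr = shift;
    return $compiled{$expr} if $compiled{$expr};
    my $sub;
    if    ( $expr eq 'accept' ) { $sub = sub { 1 } }
    elsif ( $expr eq 'deny' )   { $sub = sub { 0 } }
    else {
        ( my $code = $expr ) =~ s/\$(\w+)/\$u->{'$1'}/g;
        $sub = eval "sub { my \$u = shift; no warnings 'uninitialized'; ($code) ? 1 : 0 }";
        die "Bad expression '$expr': $@" unless $sub;
    }
    return $compiled{$expr} = $sub;
}

# Evaluate every group definition and build the $groups string.
sub compute_groups {
    my ( $u, $defs ) = @_;
    return join ' ', grep { compile_expr( $defs->{$_} )->($u) } sort keys %$defs;
}

# Decide access for one request: 1 = accept, 0 = deny.
sub grant {
    my ( $vhost, $uri, $u ) = @_;
    my $conf = $vhosts{$vhost} or return 0;    # unknown virtual host: refuse
    for my $rule ( @{ $conf->{rules} } ) {
        my ( $re, $expr ) = @$rule;
        return compile_expr($expr)->($u) if $uri =~ $re;
    }
    return compile_expr( $conf->{default} )->($u);
}

$user{groups} = compute_groups( \%user, \%group_defs );    # "group1 group2"

for my $req ( [ 'www1.domain.com', '/protected/doc' ],
              [ 'www1.domain.com', '/anything' ],
              [ 'www2.domain.com', '/site/index' ],
              [ 'www2.domain.com', '/css/main.css' ],
              [ 'www2.domain.com', '/admin' ] ) {
    my ( $vhost, $uri ) = @$req;
    printf "%-16s %-16s %s\n", $vhost, $uri,
      grant( $vhost, $uri, \%user ) ? 'accept' : 'deny';
}
```

<p>Two points worth checking in your own configuration follow from running this. Rule order matters: on www2.domain.com a request for /site/css/x is decided by the ^/site/ rule, not by the ^/(js|css) one. And www1.domain.com uses default => accept, so every URI outside /protected/ is open to any authenticated user; for anything but a public site, default => deny with explicit accept rules is the safer shape. Since the expressions are compiled with eval, whoever can write the configuration can run code inside the handler, so the configuration store needs the same protection as the handler itself.</p>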
<ol type="a">
<h4><li>Performance</li></h4>

<p>You can use Perl expressions as complicated as you want, and you can use all
the exported LDAP attributes (and create your own attributes with the 'macros'
mechanism) in group evaluations, area protections or custom HTTP headers
(you just have to call them with a "$").</p>

<p>You have to be careful when choosing your expressions:</p>

<ul>
<li> groups and macros are evaluated each time a user is redirected to the portal,</li>
<li> virtual host rules and exported headers are evaluated for each request on a
protected area.</li>
</ul>

<p>It is also recommended to use the groups mechanism to avoid evaluating
a long expression at each HTTP request:</p>

<pre>
# Virtual hosts :
...
www1.domain.com :
    ^/protected/.*$ => $groups =~ /\bgroup1\b/
</pre>

<p>You can also use LDAP filters, Perl expressions or mixed expressions in
group definitions. Perl expressions have to be enclosed in {}:</p>

<pre>
* group1 => (|(uid=xavier.guimard)(ou=unit1))
* group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
* group1 => (|(uid=xavier.guimard){$ou eq "unit1"})
</pre>

<p>It is also recommended to use Perl expressions to avoid querying the LDAP
server more than 2 times per authentication.</p>

</ol>
<h3><li>Accounting</li></h3>

<ol type="a">
<h4><li>Logging portal access</li></h4>

<p>Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
overload the log method for normal portal access.</p>

<h4><li>Logging application access</li></h4>

<p>Because a Web-SSO knows nothing about the protected application, it can't do
more than log the URL. As Apache does this fine, Lemonldap::NG::Handler(3)
gives it the name to use in its logs. The whatToTrace parameter indicates
which variable Apache has to use ($uid by default).</p>

<p>The real accounting has to be done by the application itself, which knows the
result of an SQL transaction, for example.</p>

<p>Lemonldap::NG can export HTTP headers, either through a proxy or by protecting
the application directly. By default, the Auth-User header is used, but you can
change this using the exportedHeaders parameter (in the Manager, each virtual
host has a custom headers branch). This parameter contains an associative array
per virtual host:</p>

<ul>
<li> keys are the names of the chosen headers,</li>
<li> values are Perl expressions where you can use the user data stored in the
global storage.</li>
</ul>

<p>Example:</p>

<pre>
* www1.domain.com :
    Auth-User => $uid
    Unit => $ou
* www2.domain.com :
    Authorization => "Basic ".encode_base64($employeeNumber.":dummy", "")
    Remote-IP => $ip
</pre>
</ol>
</ol>

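<p>As an added example (not Lemonldap::NG's own handler code), the following script evaluates the exported headers above from constructed session data and shows the check a handler must make when it forwards the request: any header the SSO may export is removed from what the client sent before the computed value is set, so the application never sees a client-supplied Auth-User. The functions headers_for and apply_headers, the %reserved list and the rewriting of $name into a hash lookup are this example's assumptions.</p>

```perl
#!/usr/bin/perl
# Added example (not Lemonldap::NG's own code): builds the exported headers
# of the page's example from constructed session data and shows how they
# must replace, not merge with, headers carried by the client's request.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Constructed session data for an authenticated user.
my %session = ( uid => 'user1', ou => 'unit1', employeeNumber => '4242', ip => '192.0.2.10' );

# exportedHeaders: one associative array per virtual host, header name =>
# Perl expression over the session data. encode_base64 gets "" as line
# ending; its default "\n" would put a newline into the header value.
my %exported_headers = (
    'www1.domain.com' => {
        'Auth-User' => '$uid',
        'Unit'      => '$ou',
    },
    'www2.domain.com' => {
        'Authorization' => '"Basic ".encode_base64($employeeNumber.":dummy", "")',
        'Remote-IP'     => '$ip',
    },
);

# Every header name the SSO may export on any host. A client copy of any of
# them is always dropped, even on a host that does not export it, so a
# forged Auth-User cannot slip through on www2.domain.com.
my %reserved = map { lc $_ => 1 } map { keys %$_ } values %exported_headers;

# Evaluate the header expressions for one virtual host. $name is rewritten
# to $s->{'name'}; the expressions are administrator-written configuration.
sub headers_for {
    my ( $vhost, $s ) = @_;
    my $conf = $exported_headers{$vhost} or return {};
    my %h;
    for my $name ( sort keys %$conf ) {
        ( my $code = $conf->{$name} ) =~ s/\$(\w+)/\$s->{'$1'}/g;
        my $value = eval "no warnings 'uninitialized'; $code";
        die "Bad expression for $name: $@" if $@;
        # A header value must stay on one line; refuse anything else rather
        # than letting a CR/LF split it into a second header.
        die "Header $name contains a line break" if $value =~ /[\r\n]/;
        $h{$name} = $value;
    }
    return \%h;
}

# Merge the exported headers into the request headers forwarded to the
# application: drop every reserved name the client sent (header names are
# case-insensitive), then set the values the SSO computed.
sub apply_headers {
    my ( $incoming, $exported ) = @_;
    my %out;
    for my $name ( keys %$incoming ) {
        $out{$name} = $incoming->{$name} unless $reserved{ lc $name };
    }
    $out{$_} = $exported->{$_} for keys %$exported;
    return \%out;
}

# Constructed client request headers, including a forged auth-user.
my %incoming = ( 'Host' => 'www1.domain.com', 'Accept' => '*/*', 'auth-user' => 'admin' );

for my $vhost ( 'www1.domain.com', 'www2.domain.com' ) {
    my $out = apply_headers( \%incoming, headers_for( $vhost, \%session ) );
    print "$vhost:\n";
    print "  $_: $out->{$_}\n" for sort keys %$out;
}
```

<p>Two details matter for the application behind the SSO. First, it must only trust these headers when they can only come from the handler or the proxy, so direct access to the application that bypasses them has to be blocked at the network or Apache level. Second, the Authorization example sends a fixed "dummy" password, so the application must treat that header as an identity assertion from the SSO, not as a credential it verifies.</p>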
<h2><li><a name="inst">Installation</a></li></h2>

<p><b>Warnings:</b></p>
<ul>
<li><p> Lemonldap::NG is a different project from Lemonldap and contains all you need
to use and administer it. So software written for Lemonldap, like the Lemonldap
webmin module, may not work with Lemonldap::NG.</p></li>

<li><p>The Apache module part (Lemonldap::NG::Handler) works with both Apache 1.3.x
and 2.x, i.e. mod_perl 1 and 2 (but not with mod_perl 1.99). The Portal and the Manager
act as CGIs, so they can work everywhere.</p></li>

<li><p>The Lemonldap::NG configuration has to be edited using the Manager unless
you know exactly what you are doing. The parameters discussed below are all in
the configuration tree.</p></li>
</ul>

<p>See the <a href="install.html">INSTALL file</a> for complete installation documentation.</p>

<h2><li><a name="storage">Session storage system</a></li></h2>

<p>Lemonldap::NG uses 3 levels of cache for authenticated users:</p>

<ul>
<li> an Apache::Session::* module, used by Lemonldap::NG::Portal to store
the authenticated user's parameters,</li>
<li> a Cache::Cache* module, used by Lemonldap::NG::Handler to share authenticated
users between Apache's threads or processes and, of course, between virtual
hosts on the same machine,</li>
<li> Lemonldap::NG::Handler variables: if the same user uses the same thread or
process a second time, no request is needed to grant or refuse access.
This is very efficient with the HTTP/1.1 Keep-Alive system.</li>
</ul>

<p>So the number of requests to the central storage is limited to 1 per active
user every 10 minutes.</p>

<p>Lemonldap::NG is very fast, but you can increase performance by using a
Cache::Cache module that does not use disk access.</p>

<h2><li><a name="logout">Logout system</a></li></h2>

<p>Lemonldap::NG provides a single logout system: you can use it by
adding a link to the portal with the "logout=1" parameter (see
Lemonldap::NG::Portal(3)) and/or by configuring the handler to intercept some URL
(see Lemonldap::NG::Handler(3)). The logout system:</p>

<ul>
<li> deletes the session in the global session storage,</li>
<li> replaces the Lemonldap::NG cookie with '',</li>
<li> deletes the handler caches only if the logout action was started from a
protected application, and only in the current Apache server. So on other
servers, the session stays in cache for 10 minutes at most if the user was
connected to them in the last 10 minutes.</li>
</ul>

<h2><li><a name="author">Author</a></li></h2>

<p>Xavier Guimard, &lt;x.guimard@free.fr&gt;</p>

<h2><li><a name="copyright">Copyright and licence</a></li></h2>

<p>Copyright © 2005-2007 by Xavier Guimard &lt;x.guimard@free.fr&gt;</p>

<p>This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.4 or,
at your option, any later version of Perl 5 you may have available.</p>

</ol>
</body>
</html>