<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

<title>Lemonldap::NG documentation: 2-FAQ.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{
  background: #ddd;
  font-family: sans-serif;
  font-size: 11pt;
  padding: 0 50px;
}
div.main-content{
  padding: 10px;
  background: #fff;
  border: 2px #ccc solid;
}
a{
  text-decoration: none;
}
p.footer{
  text-align: center;
  margin: 5px 0 0 0;
}
.heading-1{
  text-align: center;
  color: orange;
  font-variant: small-caps;
  font-size: 20pt;
}
.heading-1-1{
  color: orange;
  font-size: 14pt;
  border-bottom: 2px #ccc solid;
}
pre{
  background: #eee;
  border: 2px #ccc solid;
  padding: 5px;
  border-left: 10px #ccc solid;
}
ul.star li{
  list-style-type: square;
}
/*]]>*/
</style>
</head>

<body>
<div class="main-content">
<h2 class="heading-1"><span id=
"HLemonLDAP3A3ANGFrequentlyAskedQuestions">LemonLDAP::NG Frequently Asked
Questions</span></h2>

<ul>
  <li>
    <a href="#HGeneralquestions">General questions</a>
    <ul>
      <li><a href="#HWhatisaWebSSO3F">What is a Web-SSO?</a></li>
      <li><a href=
      "#HWhatbringsLemonLDAP3A3ANGcomparedtotheotherWebSSO3F">What does
      LemonLDAP::NG bring compared to other Web-SSO systems?</a></li>
      <li><a href="#HIsitreallyfree3F">Is it really free?</a></li>
    </ul>
  </li>

  <li>
    <a href="#HConfiguration">Configuration</a>
    <ul>
      <li><a href="#HWhereistheconfiguration3F">Where is the
      configuration?</a></li>
      <li><a href="#HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The
      provided example works with HTTP, but not with HTTPS.</a></li>
      <li><a href="#HWhatisanautoprotectedCGI3F">What is an auto-protected
      CGI?</a></li>
      <li><a href="#HHowtouseLemonLDAP3A3ANGwithActiveDirectory3F">How do I
      use LemonLDAP::NG with Active Directory?</a></li>
      <li><a href="#HHowtouseLemonLDAP3A3ANGasreverseproxy3F">How do I use
      LemonLDAP::NG as a reverse proxy?</a></li>
    </ul>
  </li>

  <li>
    <a href="#HOperation">Operation</a>
    <ul>
      <li><a href="#HWhatisHandlerlocalcache3F">What is the Handler local
      cache?</a></li>
      <li><a href=
      "#HWhyhandlerslocalcachecannotbeconfiguredbytheManager3F">Why can't
      the handlers' local cache be configured by the Manager?</a></li>
      <li><a href=
      "#HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does
      <i class="italic">Cross Domain Authentication</i> (CDA)
      work?</a></li>
      <li><a href="#HWhatis22notificationsystem223F">What is the
      "notification system"?</a></li>
    </ul>
  </li>

  <li><a href="#HErroranddebugmessages">Error and debug messages</a></li>
</ul>

<h3 class="heading-1-1"><span id="HGeneralquestions">General
questions</span></h3>

<h4 class="heading-1-1-1"><span id="HWhatisaWebSSO3F">What is a
Web-SSO?</span></h4>

<p class="paragraph">An SSO <i class="italic">(Single Sign On)</i> is a
system used to share authentication between many applications: the user
logs in once and is not prompted again when accessing another application.
Kerberos (used in Active Directory) is an example of an SSO mechanism. The
problem with such systems is that, besides their weight, they apply only
to internal networks and to relatively homogeneous machines.</p>

<p class="paragraph">A Web-SSO carries this principle over to Web
applications: the user is authenticated on the first access to a protected
Web application, and that authentication is propagated when the user moves
to another application. The main advantage is that the system is usable
over the Internet with no prerequisite on the client workstations (they
just have to accept session cookies). For example, a user who has signed
in to a Google mailbox is not asked to authenticate again when opening the
groups application or any other Google application.</p>

<h4 class="heading-1-1-1"><span id=
"HWhatbringsLemonLDAP3A3ANGcomparedtotheotherWebSSO3F">What does
LemonLDAP::NG bring compared to other Web-SSO systems?</span></h4>

<ul class="star">
  <li>LemonLDAP::NG runs as Perl Apache modules (mod_perl) and offers
  performance that makes the access-control processing imperceptible.</li>

  <li>Another strong point of LemonLDAP::NG is its ability to manage rights
  centrally: standard SSO systems such as Kerberos or CAS share
  authentication but delegate access authorization to the applications.
  With LemonLDAP::NG, rights management can be centralized completely,
  partly or not at all for each application: LemonLDAP::NG provides an
  authorization system based on matching the URL against regular
  expressions, each associated with a rule. It also passes HTTP headers
  containing any of the user's attributes to the remote application, which
  can then handle access traceability and, if needed, its own
  authorization.</li>

  <li>LemonLDAP::NG can publish every user attribute, or expressions
  computed from them, so applications can avoid querying the LDAP or
  database server themselves.</li>

  <li>LemonLDAP::NG treats every hosted site independently (virtual or
  real): each application can have its own personalized HTTP headers.</li>

  <li>LemonLDAP::NG provides a web-based administration interface (the
  Manager) that presents the configuration, the access policy and the
  per-site headers.</li>
</ul>
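
<p class="paragraph">To make that model concrete, here is an added example
(written for this FAQ, not LemonLDAP::NG's own code) of a per-virtual-host
policy: URL regular expressions bound to rules evaluated against the user's
attributes, a default rule for everything else, and headers computed from
those attributes. The rule syntax, the first-match ordering, the header
names and the attribute names <tt>uid</tt>, <tt>mail</tt> and
<tt>groups</tt> are assumptions of the example.</p>

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: a model of the access-control
# scheme described above. Each virtual host has URL regexps bound to
# rules, a default rule and headers computed from the user's attributes.
# Rule syntax, first-match ordering and the attribute names (uid, mail,
# groups) are assumptions of this example.
use strict;
use warnings;

# Rules are tried in the order listed; the first regexp that matches the
# URI decides, so the most specific paths come first. A rule is a code
# reference receiving the user's attribute hash and returning true to
# accept. 'default' applies when nothing matches.
my %policy = (
    'intranet.example.com' => {
        rules => [
            [ qr{^/admin/},   sub { $_[0]{groups} =~ /\badmin\b/ } ],
            [ qr{^/logout},   sub { 1 } ],
            [ qr{^/private/}, sub { $_[0]{uid} eq 'alice' } ],
        ],
        default => sub { defined $_[0]{uid} },   # any authenticated user
        headers => {
            'Auth-User' => sub { $_[0]{uid} },
            'Auth-Mail' => sub { $_[0]{mail} },
        },
    },
);

# Returns 1 (accept) or 0 (deny) for $user requesting $uri on $vhost.
# A virtual host with no policy is denied rather than let through.
sub authorize {
    my ( $vhost, $uri, $user ) = @_;
    my $site = $policy{$vhost} or return 0;
    for my $r ( @{ $site->{rules} } ) {
        my ( $re, $rule ) = @$r;
        return $rule->($user) ? 1 : 0 if $uri =~ $re;
    }
    return $site->{default}->($user) ? 1 : 0;
}

# Headers to add to the request before it reaches the application.
sub headers_for {
    my ( $vhost, $user ) = @_;
    my $site = $policy{$vhost} or return {};
    my %h;
    for my $name ( sort keys %{ $site->{headers} } ) {
        my $v = $site->{headers}{$name}->($user);
        $h{$name} = $v if defined $v;
    }
    return \%h;
}

# Constructed sample users (not real accounts).
my %alice = ( uid => 'alice', mail => 'alice@example.com', groups => 'users; admin' );
my %bob   = ( uid => 'bob',   mail => 'bob@example.com',   groups => 'users' );

for my $case ( [ \%alice, '/admin/users' ], [ \%bob, '/admin/users' ],
               [ \%bob, '/public/index.html' ], [ \%bob, '/private/notes' ] ) {
    my ( $u, $uri ) = @$case;
    printf "%-5s %-20s -> %s\n", $u->{uid}, $uri,
        authorize( 'intranet.example.com', $uri, $u ) ? 'accept' : 'deny';
}
my $hdr = headers_for( 'intranet.example.com', \%alice );
print "$_: $hdr->{$_}\n" for sort keys %$hdr;
```

<p class="paragraph">Two points matter for security in this kind of
policy: the regular expressions are anchored at the start of the path, and
they must be applied to the normalized path (after the web server has
resolved <tt>..</tt> segments and decoded the URL), otherwise a request for
<tt>/public/../admin/users</tt> would be judged by the wrong rule.</p>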

<h4 class="heading-1-1-1"><span id="HIsitreallyfree3F">Is it really
free?</span></h4>

<p class="paragraph">Yes, LemonLDAP::NG is released under the GPL (see
<span class="wikilink"><a href=
"/xwiki/bin/view/Main/License">here</a></span>).</p>

<h3 class="heading-1-1"><span id=
"HConfiguration">Configuration</span></h3>

<h4 class="heading-1-1-1"><span id="HWhereistheconfiguration3F">Where is
the configuration?</span></h4>

<p class="paragraph">LemonLDAP::NG stores its configuration in a global
storage shared by the portal, the Manager and the handlers. See the
available backends <span class="wikilink"><a href=
"3-Table-of-contents.html">here</a></span>.</p>

<p class="paragraph">You can also manage local parameters (those specific
to one server) by editing the <strong class="strong">lemonldap-ng.ini</strong>
file.</p>

<h4 class="heading-1-1-1"><span id=
"HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example
works with HTTP, but not with HTTPS.</span></h4>

<p class="paragraph">During the redirection to the portal and then back to
the protected site, the handler has to build the URL the user is sent back
to, so it must be told whether users reach it over HTTPS or HTTP. This is
done with the <tt>https</tt> parameter: if it is left unset on an HTTPS
site, the user is sent back to a plain <tt>http://</tt> URL. You can also
set <tt>port</tt> to force the port used in redirections.</p>

<h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is
an auto-protected CGI?</span></h4>

<p class="paragraph">When you have just one Perl CGI to protect in a
VirtualHost, you can use an auto-protected CGI instead of a LemonLDAP::NG
handler:</p>

<div class="code">
<pre>
use strict;
use warnings;
use Lemonldap::NG::Handler::CGI;

my $cgi = Lemonldap::NG::Handler::CGI->new( {
    # same parameters as a Lemonldap::NG::Handler::SharedConf handler
} );

# redirects to the portal when there is no valid session
$cgi->authenticate;
</pre>
</div>

<p class="paragraph">In the example above, $cgi is a CGI(3) object. The
only difference is that it has some additional methods:</p>

<ul class="star">
  <li>authenticate: calls the LemonLDAP::NG authentication mechanism,</li>
  <li>authorize: use it if you want the Manager to manage the access
  policy,</li>
  <li>user: returns a hash table containing the user's parameters,</li>
  <li>group: validates group membership.</li>
</ul>

<p class="paragraph">This type of CGI is very useful when rights cannot be
distinguished by URL (fields in POST requests, for example). See the
Lemonldap::NG::Handler::CGI(3) man page for more.</p>
</gr_insert_placeholder_never_used>
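
<p class="paragraph">As an added example (not taken from the LemonLDAP::NG
documentation or code), the following CGI authenticates the user, applies
the Manager policy, and then decides on a POST field with the
<tt>group</tt> and <tt>user</tt> methods listed above. The attribute name
<tt>uid</tt>, the <tt>action</tt> field and the exact calling conventions
of <tt>user()</tt> and <tt>group()</tt> are assumptions drawn from the
FAQ's description; check the Lemonldap::NG::Handler::CGI(3) man page of
your version.</p>

```perl
#!/usr/bin/perl
# Added example, not from the LemonLDAP::NG documentation or code: a Perl
# CGI that protects itself with Lemonldap::NG::Handler::CGI and decides on
# a POST field instead of the URL. The attribute name 'uid', the 'action'
# field and the exact calling conventions of user() and group() are
# assumptions taken from the FAQ's description; check the man page of
# your version.
use strict;
use warnings;
use Lemonldap::NG::Handler::CGI;

my $cgi = Lemonldap::NG::Handler::CGI->new( {
    # same parameters as a Lemonldap::NG::Handler::SharedConf handler
} );

# Redirects to the portal and exits when there is no valid session;
# execution continues only for an authenticated user.
$cgi->authenticate;

# Also apply the URL policy defined in the Manager, so this CGI follows
# the same rules as the rest of the virtual host.
$cgi->authorize;

my $user   = $cgi->user;                       # session attributes (assumed hashref)
my $who    = defined $user->{uid} ? $user->{uid} : 'unknown';
my $action = $cgi->param('action') || 'view';  # POST field (constructed for the example)

# URL-based rules cannot see the POST body; decide here instead.
# Only members of the 'admin' group may delete; unknown actions are denied.
my %allowed = (
    view   => sub { 1 },
    edit   => sub { defined $user->{uid} },
    delete => sub { $cgi->group('admin') },    # membership check (assumed signature)
);

my $rule = $allowed{$action};
unless ( $rule && $rule->() ) {
    print $cgi->header( -status => '403 Forbidden', -type => 'text/plain' );
    print "action '$action' denied for $who\n";
    exit 0;
}

print $cgi->header( -type => 'text/plain' );
print "action '$action' accepted for $who\n";
```

<p class="paragraph">The decision table is keyed by the action the client
asks for, and anything not listed is refused, so adding a new action means
adding an explicit rule rather than relying on a permissive default.</p>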

<h4 class="heading-1-1-1"><span id=
"HHowtouseLemonLDAP3A3ANGwithActiveDirectory3F">How do I use LemonLDAP::NG
with Active Directory?</span></h4>

<p class="paragraph">Active Directory uses the <tt>sAMAccountName</tt>
attribute instead of <tt>uid</tt> as the login identifier.</p>

<p class="paragraph">You therefore have to modify the LemonLDAP::NG
configuration:</p>

<ul class="star">
  <li>Modify the LDAP authentication filter so that it searches on
  <tt>sAMAccountName</tt> (<span class="wikilink"><a href=
  "4.5-LDAP-authentication-backend.html">Auth LDAP</a></span>)</li>
  <li>Add <tt>sAMAccountName</tt> to the exported attributes</li>
  <li>Set the <tt>whatToTrace</tt> parameter to <tt>$sAMAccountName</tt>
  (the variable name is case-sensitive and must match the name under which
  the attribute is exported).</li>
</ul>
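
<p class="paragraph">The first step replaces <tt>uid</tt> with
<tt>sAMAccountName</tt> in the template used for the LDAP search. The
example below, added here and not part of LemonLDAP::NG, builds such a
filter from a login and shows why the login must be escaped (RFC 4515)
before it replaces the placeholder: LemonLDAP::NG performs that
substitution itself, and the example only illustrates the guarantee a
filter template relies on. The filter template, the <tt>$user</tt>
placeholder convention and the <tt>objectClass</tt> value are
assumptions.</p>

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: builds an Active Directory
# authentication filter and shows why the login typed by the user must be
# escaped (RFC 4515) before it replaces the placeholder. LemonLDAP::NG
# does that substitution itself; this illustrates the guarantee a filter
# template relies on. The template, the $user placeholder and the
# objectClass value are assumptions.
use strict;
use warnings;

# Filter template as it would be entered in the LDAP authentication
# settings; $user stands for the login typed on the portal.
my $template = '(&(sAMAccountName=$user)(objectClass=user))';

# RFC 4515 escaping of an assertion value; Net::LDAP::Util provides the
# same thing as escape_filter_value().
sub escape_filter_value {
    my $v = shift;
    $v =~ s/([\\\*\(\)\x00])/sprintf('\\%02x', ord $1)/ge;
    return $v;
}

# Substitute the escaped login for every $user in the template.
sub build_filter {
    my ( $tmpl, $login ) = @_;
    my $safe = escape_filter_value($login);
    ( my $f = $tmpl ) =~ s/\$user/$safe/g;
    return $f;
}

# Constructed inputs: a normal login, and a crafted one that, left
# unescaped, would turn the filter into a match on every user object.
for my $login ( 'jdoe', '*)(objectClass=*' ) {
    print build_filter( $template, $login ), "\n";
}
```

<p class="paragraph">With the crafted login the assertion value becomes
<tt>\2a\29\28objectClass=\2a</tt>, a literal string that matches no
account, instead of a second clause injected into the filter.</p>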

<h4 class="heading-1-1-1"><span id=
"HHowtouseLemonLDAP3A3ANGasreverseproxy3F">How do I use LemonLDAP::NG as a
reverse proxy?</span></h4>

<p class="paragraph">LemonLDAP::NG protects Apache VirtualHosts. To use it
as a reverse proxy, you just have to configure Apache as a reverse proxy:
the handler runs in the header-parser phase, so it authenticates and
authorizes the request (and sets the user headers) before mod_proxy
forwards it to the real server:</p>

<div class="code">
<pre>
# httpd.conf
# replace *:80 with the address and port this site listens on
<VirtualHost *:80>
    ServerName MyApplication.com

    # load the handler code and run it before the proxy
    PerlRequire MyFile
    PerlHeaderParserHandler My::Package

    # forward every request to the real application server
    ProxyPass / http://real-server/
    ProxyPassReverse / http://real-server/
</VirtualHost>
</pre>
</div>

<p class="paragraph">If you prefer a Perl proxy, LemonLDAP::NG provides one
(Lemonldap::NG::Handler::Proxy(3)).</p>

<h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>

<h4 class="heading-1-1-1"><span id="HWhatisHandlerlocalcache3F">What is
the Handler local cache?</span></h4>

<p class="paragraph">The handler local cache is used for two things:</p>

<ul class="star">
  <li>sharing the configuration between Apache processes: this avoids
  downloading the configuration for each new process, and it is required
  by the reload mechanism, which updates the handlers without restarting
  Apache,</li>
  <li>sharing sessions between Apache processes and threads: this avoids
  querying the central session storage on every hit. With
  Apache::Session::MySQL, for example, TCP requests to the database are
  turned into file-system reads, which improves performance. The
  counterpart is that a hit served from the cache never reaches the
  central storage, so a session that has been deleted there is still
  accepted by the handler until its cached copy expires; keep the cache
  lifetime short on sensitive sites.</li>
</ul>

<h4 class="heading-1-1-1"><span id=
"HWhyhandlerslocalcachecannotbeconfiguredbytheManager3F">Why can't the
handlers' local cache be configured by the Manager?</span></h4>

<p class="paragraph">The local cache has to be chosen and configured for
each server: with the <tt>Cache::FileCache</tt> module, for example, the
storage directory may differ from one server to another. Another point is
that the local storage cannot be reloaded without restarting Apache,
whereas every parameter managed by the Manager can be.</p>

<h4 class="heading-1-1-1"><span id=
"HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does
<i class="italic">Cross Domain Authentication</i> (CDA) work?</span></h4>

<p class="paragraph">LemonLDAP::NG propagates sessions with cookies, but a
cookie is bound to a DNS domain. LemonLDAP::NG provides a mechanism to
work around this restriction.</p>

<p class="paragraph">The Lemonldap::NG portal detects whether the requested
URL is in its own domain. If not, it adds a parameter to the redirection.
When the user comes back to the protected application, the Lemonldap::NG
handler detects this parameter and generates a cookie in its own
domain.</p>

<ul class="star">
  <li><span class="wikilink"><a href=
  "4.9-Cross-domain-authentication.html">Documentation</a></span>
  (en)</li>
</ul>
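
<p class="paragraph">The hand-off above, modelled as an added example (not
LemonLDAP::NG's code): the portal appends a one-time token to redirections
that leave its domain, and the handler on the other domain redeems the
token once, sets its own cookie and redirects to the URL without the
parameter, so that the token does not stay in the browser history or in
server logs. The parameter name <tt>cdatoken</tt>, the token format and
its lifetime are assumptions; the parameter LemonLDAP::NG actually uses is
described in the CDA documentation linked above.</p>

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: a minimal model of the
# cross-domain hand-off described above. The parameter name, token
# format and lifetime are assumptions; LemonLDAP::NG's own parameter and
# token handling are described in its CDA documentation.
use strict;
use warnings;

my $portal_domain = 'sso.example.com';
my %sessions;          # central session store: id -> attributes
my %cda_tokens;        # one-time tokens: token -> [ session id, expiry ]
my $token_ttl = 60;    # seconds a token stays valid

# Random hex token from the kernel CSPRNG (Linux/Unix); never use rand().
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 16;
    close $fh;
    return unpack 'H*', $bytes;
}

# Portal side: the user already has session $session_id; build the
# redirect to $url. Outside the portal's domain the cookie cannot be
# seen, so a one-time token is appended instead.
sub portal_redirect {
    my ( $session_id, $url ) = @_;
    my ($host) = $url =~ m{^https?://([^/:]+)};
    ( my $domain = $portal_domain ) =~ s/^[^.]+//;    # '.example.com'
    return $url if defined $host && $host =~ /\Q$domain\E$/;
    my $token = new_token();
    $cda_tokens{$token} = [ $session_id, time() + $token_ttl ];
    return $url . ( $url =~ /\?/ ? '&' : '?' ) . "cdatoken=$token";
}

# Handler side (other domain): if the request carries a token, spend it
# before any check so a replayed URL fails, then set the session cookie
# for this host and redirect to the same URL without the parameter.
sub handler_request {
    my ($url) = @_;
    my ($token) = $url =~ /[?&]cdatoken=([0-9a-f]+)/;
    return +{ status => 200 } unless defined $token;     # ordinary request
    my $entry = delete $cda_tokens{$token};              # one-time use
    return +{ status => 401 } unless $entry && $entry->[1] >= time();
    my $sid = $entry->[0];
    return +{ status => 401 } unless $sessions{$sid};
    ( my $clean = $url ) =~ s/[?&]cdatoken=[0-9a-f]+//;
    return +{
        status     => 302,
        location   => $clean,
        set_cookie => "lemonldap=$sid; Path=/; HttpOnly",  # add Secure on HTTPS sites
    };
}

# Constructed walk-through.
my $sid = 'deadbeef';
$sessions{$sid} = { uid => 'alice' };                   # constructed session
my $first  = portal_redirect( $sid, 'http://app.other-domain.org/index.pl?x=1' );
my $second = handler_request($first);     # token redeemed, cookie set
my $replay = handler_request($first);     # same URL again: token already spent
printf "redirect : %s\nhandler  : %d -> %s\nreplay   : %d\n",
    $first, $second->{status}, $second->{location}, $replay->{status};
```

<p class="paragraph">The token is deleted from the store before its expiry
and session are checked, so a second request with the same URL is refused
even if it arrives while the first response is still in flight; the
redirect to the cleaned URL is what keeps the token out of bookmarks and
access logs.</p>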

<h4 class="heading-1-1-1"><span id="HWhatis22notificationsystem223F">What
is the "notification system"?</span></h4>

<p class="paragraph">It is a mechanism for displaying a message to a user
through the portal. If the message contains checkboxes, all of them have
to be checked before the session is opened.</p>

<ul class="star">
  <li><span class="wikilink"><a href=
  "4.9-Notification-system.html">Documentation</a></span> (en)</li>
</ul>

<h3 class="heading-1-1"><span id="HErroranddebugmessages">Error and debug
messages</span></h3>

<p class="paragraph">LemonLDAP::NG writes error and debug messages to the
Apache log (error.log by default). You can adjust the verbosity with the
LogLevel directive in the Apache configuration file.</p>

<p class="paragraph">Those messages are described <span class=
"wikilink"><a href="6-Errors.html">here</a></span>.</p>
</div>

<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>