<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

<title>Lemonldap::NG documentation: 4.1-Configuration-overview.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{
background: #ddd;
font-family: sans-serif;
font-size: 11pt;
padding: 0 50px;
}
div.main-content{
padding: 10px;
background: #fff;
border: 2px #ccc solid;
}
a{
text-decoration: none;
}
p.footer{
text-align: center;
margin: 5px 0 0 0;
}
.heading-1{
text-align: center;
color: orange;
font-variant: small-caps;
font-size: 20pt;
}
.heading-1-1{
color: orange;
font-size: 14pt;
border-bottom: 2px #ccc solid;
}
pre{
background: #eee;
border: 2px #ccc solid;
padding: 5px;
border-left: 10px #ccc solid;
}
ul.star li{
list-style-type: square;
}
/*]]>*/
</style>
</head>

<body>
<div class="main-content">
<h2 class="heading-1"><span id="HConfigurationoverview">Configuration
overview</span></h2>

<ul>
<li><a href="#HGeneralparameters">General parameters</a></li>
<li><a href="#HUsergroups">User groups</a></li>
<li><a href="#HVirtualhosts">Virtual hosts</a></li>
<li><a href="#HTogofurther">To go further</a></li>
</ul>

<p class="paragraph">Connect to the manager with your browser (for example <span class="nobr"><a href="http://manager.example.com">http://manager.example.com</a></span>) to start configuring your WebSSO.</p>

<p class="paragraph">You can now configure a default installation with an LDAP directory.</p>

<h3 class="heading-1-1"><span id="HGeneralparameters">General
parameters</span></h3>

<ul class="star">
<li>Authentication parameters:
<ul class="star">
<li>portal: URL of the authentication portal.</li>
<li>domain: the cookie domain. All protected VirtualHosts have to be under it (or you have to use <span class="wikilink"><a href="4.9-Cross-domain-authentication.html">Cross Domain Authentication</a></span>).</li>
</ul>
</li>
<li>LDAP parameters:
<ul class="star">
<li>ldapServer: the LDAP server.</li>
<li>managerDn and managerPassword: required only if anonymous binds are not accepted.</li>
</ul>
</li>
</ul>

<h3 class="heading-1-1"><span id="HUsergroups">User groups</span></h3>

<p class="paragraph">Use the "New Group" button to add your first group. On the left, set the keyword that will be used later in rules; on the right, set the corresponding rule. The rule is a Perl condition enclosed in {}. All variables declared in "General parameters -> exported attributes" can be used with a "$" prefix.</p>

<p class="paragraph">For example:</p>

<div class="code">
<pre>
MyGroup => { $uid eq <span class="java-quote">"foo"</span> or $uid eq <span class="java-quote">"bar"</span> }
</pre>
</div>

<h3 class="heading-1-1"><span id="HVirtualhosts">Virtual
hosts</span></h3>

<p class="paragraph">You have to create a virtual host for each Apache host (virtual or real) protected by LemonLDAP::NG, even if only a sub-directory is protected. Otherwise, users who try to access the protected area will be rejected with a "500 Internal Server Error" message, and the Apache logs will explain the problem.</p>

<p class="paragraph">Each virtual host has 2 groups of parameters:</p>

<ul class="star">
<li>Headers: the headers added to the Apache request. Default: Auth-User => $uid.</li>
<li>Rules, divided into 2 categories:
<ul class="star">
<li>default: the default rule</li>
<li>personalized rules: association of a Perl regular expression and a condition.</li>
</ul>
</li>
</ul>

<p class="paragraph">For example:</p>

<div class="code">
<pre>
^/restricted.*$ => $groups =~ /\bMyGroup\b/
</pre>
</div>
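<p class="paragraph">The group definition and the virtual host rule shown above are two stages of one decision: the group conditions produce the $groups value, then the first personalized rule whose regular expression matches the request path decides access, falling back to the default rule. The Python script below is an added illustration written for this page, not LemonLDAP::NG code (which evaluates these rules as Perl). It assumes that conditions can be modelled as Python callables over the session, that $groups is a space-separated string of group keywords, and that the default rule accepts any authenticated user; all sample sessions are constructed.</p>

```python
import re

# Added example, not LemonLDAP::NG code: a small Python model of the two
# authorization stages the page describes. Assumptions: conditions are
# Python callables taking the session dict; $groups is a space-separated
# string of group keywords; the default rule accepts any authenticated user.

# Group definitions, mirroring:  MyGroup => { $uid eq "foo" or $uid eq "bar" }
GROUP_DEFINITIONS = {
    "MyGroup": lambda s: s.get("uid") in ("foo", "bar"),
}

# Virtual host rules, mirroring:  ^/restricted.*$ => $groups =~ /\bMyGroup\b/
# Rules are tried in order; the first whose path regex matches decides.
VHOST_RULES = [
    (r"^/restricted.*$",
     lambda s: re.search(r"\bMyGroup\b", s.get("groups", "")) is not None),
]


def default_rule(session):
    """Default rule, applied when no personalized rule matches the path.
    Assumption for this example: any authenticated user is accepted."""
    return bool(session.get("uid"))


def compute_groups(session, definitions=GROUP_DEFINITIONS):
    """Return the $groups value: the keyword of every group whose condition
    holds for this session, joined with spaces (assumed separator)."""
    return " ".join(name for name, cond in definitions.items() if cond(session))


def authorize(path, session, rules=VHOST_RULES, default=default_rule):
    """Apply the virtual host rules to a request path; True means allowed."""
    for pattern, condition in rules:
        if re.search(pattern, path):
            return bool(condition(session))
    return bool(default(session))


def decide(path, exported_attributes):
    """Full pipeline: exported attributes -> $groups -> rule decision."""
    session = dict(exported_attributes)
    session["groups"] = compute_groups(session)
    return authorize(path, session)


if __name__ == "__main__":
    # Constructed sample sessions: "foo" and "bar" belong to MyGroup, "zed" does not
    for uid in ("foo", "bar", "zed"):
        for path in ("/restricted/report.cgi", "/index.html"):
            verdict = "allowed" if decide(path, {"uid": uid}) else "denied"
            print(f"{uid:4} {path:24} {verdict}")
```

The word boundaries in the page's rule matter: with `\bMyGroup\b`, a session whose groups contain only a keyword such as MyGroupAdmin does not satisfy the rule, while MyGroup anywhere in the list does, which is the behaviour the model reproduces.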

<p class="paragraph">The VirtualHost in LemonLDAP::NG must match a VirtualHost in the Apache configuration, like:</p>

<div class="code">
<pre>
# Application Test
&lt;VirtualHost *:80&gt;
    ServerName test1.example.com
    ServerAlias test2.example.com

    # SSO protection
    PerlHeaderParserHandler My::Package

    # DocumentRoot
    DocumentRoot /usr/local/lemonldap-ng/htdocs/test/
    &lt;Directory /usr/local/lemonldap-ng/htdocs/test/&gt;
        Order deny,allow
        Allow from all
        Options +ExecCGI
    &lt;/Directory&gt;

    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when the
    # configuration changes
    &lt;Location /reload&gt;
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        PerlHeaderParserHandler My::Package->refresh
    &lt;/Location&gt;

    # Uncomment this to activate the status module
    #&lt;Location /status&gt;
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.0/8
    #    PerlHeaderParserHandler My::Package->status
    #&lt;/Location&gt;
&lt;/VirtualHost&gt;
</pre>
</div>

<p class="paragraph"><strong class="strong">Remarks</strong>:</p>

<ul class="star">
<li>You can use DocumentRoot to protect a local application, or use mod_proxy to use LemonLDAP::NG as a reverse proxy (see below).</li>
<li>You have to declare only one "reload" target per physical server, because only one Handler can be instantiated on a physical server.</li>
<li>Of course you must already have a virtualhost for the portal and another for the manager; these hosts are only in Apache, and not in the LemonLDAP::NG configuration.</li>
</ul>

<p class="paragraph">To transform your VirtualHost into a reverse proxy, use for example:</p>

<div class="code">
<pre>
# Application Test
&lt;VirtualHost *:80&gt;
    ServerName test1.example.com
    ServerAlias test2.example.com

    # SSO protection
    PerlHeaderParserHandler My::Package

    ProxyPreserveHost on
    ProxyPass / http://APPLICATION_IP/
    ProxyPassReverse / http://APPLICATION_IP/
&lt;/VirtualHost&gt;
</pre>
</div>

<p class="paragraph"><strong class="strong">Remarks</strong>:</p>

<ul class="star">
<li>The ProxyPreserveHost directive will forward the Host header to the protected application.</li>
</ul>

<p class="paragraph">Using the reverse proxy mode, you will not have the REMOTE_USER environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handlers, and not on other servers where the Handler is not installed. But this magic Apache configuration will let you transform the Auth-User HTTP header into the REMOTE_USER environment variable:</p>

<div class="code">
<pre>
SetEnvIfNoCase Auth-User <span class="java-quote">"(.*)"</span> REMOTE_USER=$1
</pre>
</div>

<h3 class="heading-1-1"><span id="HTogofurther">To go
further</span></h3>

<p class="paragraph">See the <span class="wikilink"><a href="4.1-Configuration-parameter-list.html">full parameters list</a></span>.</p>
</div>

<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>