lemonldap-ng/doc/sources/admin/soapsessionbackend.rst

SOAP session backend
====================

LL::NG portal provides SOAP end points for sessions management:

-  **sessions/**: read only access to sessions (enough for distant
   Handlers)
-  **adminSessions/**: read/write access to sessions (required for
   distant Portal, distant Manager or distant Handlers which modify
   sessions)

This session backend can be used to share sessions stored in a
non-network backend (like
:doc:`file session backend<filesessionbackend>`) or in a network backend
protected with a firewall that only accepts HTTP flows.

Most of the time, SOAP session backend is used by Handlers installed on
external servers.

To configure it, SOAP session backend will be set through Manager in
global configuration (used by all Hanlders), and the real session
backend will be configured for local components in lemonldap-ng.ini.

Setup
-----

Manager
~~~~~~~

First, active SOAP in ``General parameters`` » ``Advanced parameters`` »
``SOAP``.

Then, set ``Lemonldap::NG::Common::Apache::Session::SOAP`` in
``General parameters`` » ``Sessions`` » ``Session storage`` »
``Apache::Session module`` and add the following parameters (case
sensitive):

=================== ============================== ===========================================
Required parameters
----------------------------------------------------------------------------------------------
Name                Comment                        Example
=================== ============================== ===========================================
**proxy**           URL of sessions SOAP end point http://auth.example.com/index.fcgi/sessions
=================== ============================== ===========================================


.. tip::

    Use /adminSessions if the Handler need to modify the session,
    for example if you configured an idle timeout.

By default, only few sessions keys are shared by SOAP
(authenticationLevel, groups, ipAddr, \_startTime, \_utime, \_lastSeen,
\_session_id), you need to define which other keys you want to share in
``General parameters`` » ``Plugins`` » ``Portal servers`` »
``SOAP/REST exported attributes``.

You must start with ``+`` to keep default keys, else they will not be
shared. For example:

::

   + uid cn mail

To share only the listed attributes:

::

   _utime _session_id uid cn mail

Apache
~~~~~~

Sessions SOAP end points access must be allowed in Apache portal
configuration (for example, access by IP range):

.. code-block:: apache

   # SOAP functions for sessions management (disabled by default)
   <Location /index.fcgi/adminSessions>
       Require 192.168.2.0/24
   </Location>

   # SOAP functions for sessions access (disabled by default)
   <Location /index.fcgi/sessions>
       Require 192.168.2.0/24
   </Location>

Real session backend
~~~~~~~~~~~~~~~~~~~~

Real session backend will be configured in ``lemonldap-ng.ini``, in
``portal`` section (the portal hosts the SOAP service for sessions, and
will do the link between SOAP requests and real sessions).

For example, if real sessions are stored in
:doc:`files<filesessionbackend>`:

.. code-block:: ini

   [portal]
   globalStorage = Apache::Session::File
   globalStorageOptions = { 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', }


.. tip::

    If your sessions explorer is on the same server that the
    portal, either use the **adminSessions** end point in Manager
    configuration, or override the ``globalStorage`` and
    ``globalStorageOptions`` parameters in section all (and not portal) of
    ``lemonldap-ng.ini``.
First version of imported doc (#1646) 5 years ago			`SOAP session backend`
			`====================`

			`LL::NG portal provides SOAP end points for sessions management:`

			`- sessions/: read only access to sessions (enough for distant`
			`Handlers)`
			`- adminSessions/: read/write access to sessions (required for`
			`distant Portal, distant Manager or distant Handlers which modify`
			`sessions)`

			`This session backend can be used to share sessions stored in a`
			`non-network backend (like`
			:doc:`file session backend<filesessionbackend>`) or in a network backend
			`protected with a firewall that only accepts HTTP flows.`

			`Most of the time, SOAP session backend is used by Handlers installed on`
			`external servers.`

Send exported attributes with REST session server & typos (#2503) 4 years ago			`To configure it, SOAP session backend will be set through Manager in`
First version of imported doc (#1646) 5 years ago			`global configuration (used by all Hanlders), and the real session`
			`backend will be configured for local components in lemonldap-ng.ini.`

			`Setup`
			`-----`

			`Manager`
			`~~~~~~~`

			First, active SOAP in ``General parameters`` » ``Advanced parameters`` »
			``SOAP``.

			Then, set ``Lemonldap::NG::Common::Apache::Session::SOAP`` in
			``General parameters`` » ``Sessions`` » ``Session storage`` »
			``Apache::Session module`` and add the following parameters (case
			`sensitive):`

			`=================== ============================== ===========================================`
doc: fix formatting 5 years ago			`Required parameters`
			`----------------------------------------------------------------------------------------------`
First version of imported doc (#1646) 5 years ago			`Name Comment Example`
doc: fix formatting 5 years ago			`=================== ============================== ===========================================`
First version of imported doc (#1646) 5 years ago			`proxy URL of sessions SOAP end point http://auth.example.com/index.fcgi/sessions`
			`=================== ============================== ===========================================`


doc: fix formatting 5 years ago			`.. tip::`
First version of imported doc (#1646) 5 years ago
			`Use /adminSessions if the Handler need to modify the session,`
			`for example if you configured an idle timeout.`

			`By default, only few sessions keys are shared by SOAP`
			`(authenticationLevel, groups, ipAddr, \_startTime, \_utime, \_lastSeen,`
			`\_session_id), you need to define which other keys you want to share in`
			``General parameters`` » ``Plugins`` » ``Portal servers`` »
			``SOAP/REST exported attributes``.

			You must start with ``+`` to keep default keys, else they will not be
			`shared. For example:`

			`::`

			`+ uid cn mail`

			`To share only the listed attributes:`

			`::`

			`_utime _session_id uid cn mail`

			`Apache`
			`~~~~~~`

			`Sessions SOAP end points access must be allowed in Apache portal`
			`configuration (for example, access by IP range):`

doc: fix markup 5 years ago			`.. code-block:: apache`
First version of imported doc (#1646) 5 years ago
			`# SOAP functions for sessions management (disabled by default)`
			`<Location /index.fcgi/adminSessions>`
			`Require 192.168.2.0/24`
			`</Location>`

			`# SOAP functions for sessions access (disabled by default)`
			`<Location /index.fcgi/sessions>`
			`Require 192.168.2.0/24`
			`</Location>`

			`Real session backend`
			`~~~~~~~~~~~~~~~~~~~~`

			Real session backend will be configured in ``lemonldap-ng.ini``, in
			``portal`` section (the portal hosts the SOAP service for sessions, and
			`will do the link between SOAP requests and real sessions).`

			`For example, if real sessions are stored in`
			:doc:`files<filesessionbackend>`:

doc: fix markup 5 years ago			`.. code-block:: ini`
First version of imported doc (#1646) 5 years ago
			`[portal]`
			`globalStorage = Apache::Session::File`
			`globalStorageOptions = { 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', }`


doc: fix formatting 5 years ago			`.. tip::`
First version of imported doc (#1646) 5 years ago
			`If your sessions explorer is on the same server that the`
			`portal, either use the adminSessions end point in Manager`
			configuration, or override the ``globalStorage`` and
			``globalStorageOptions`` parameters in section all (and not portal) of
doc: fix formatting 5 years ago			``lemonldap-ng.ini``.