Clément Oudot 15 years ago
parent e9c1139e66
commit 08648746ff
  1. 80
      build/lemonldap-ng/doc/pages/documentation/1.0/security.html
  2. 2
      build/lemonldap-ng/doc/pages/documentation/1.0/sessions.html
  3. 10
      modules/lemonldap-ng-manager/example/skins/default/js/manager.js
  4. 54
      modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm

@ -56,13 +56,13 @@ By default, the manager is restricted to localhost in its Apache configuration f
<ul>
<li class="level1"><div class="li"> protect the manager by Apache configuration</div>
</li>
<li class="level1"><div class="li"> protect the manager by Lemonldap::NG</div>
<li class="level1"><div class="li"> protect the manager by <acronym title="LemonLDAP::NG">LL::NG</acronym></div>
</li>
</ul>
</div>
<!-- SECTION "Protect the Manager" [810-1097] -->
<h3><a name="protect_the_manager_by_apache" id="protect_the_manager_by_apache">Protect the manager by Apache</a></h3>
<!-- SECTION "Protect the Manager" [810-1090] -->
<h3><a name="protect_the_manager_by_apache" id="protect_the_manager_by_apache">Protect the Manager by Apache</a></h3>
<div class="level3">
<p>
@ -89,34 +89,35 @@ You can use any of the mechanisms proposed by Apache: <acronym title="Secure Soc
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div>
<!-- SECTION "Protect the manager by Apache" [1098-1708] -->
<h3><a name="protect_the_manager_by_lemonldapng" id="protect_the_manager_by_lemonldapng">Protect the manager by Lemonldap::NG</a></h3>
<!-- SECTION "Protect the Manager by Apache" [1091-1701] -->
<h3><a name="protect_the_manager_by_llng" id="protect_the_manager_by_llng">Protect the Manager by LL::NG</a></h3>
<div class="level3">
<p>
To protect the manager by Lemonldap::NG, you just have to set this in lemonldap-ng.ini configuration file (section [manager]):
To protect the manager by <acronym title="LemonLDAP::NG">LL::NG</acronym>, you just have to set this in <code>lemonldap-ng.ini</code> configuration file (section [manager]):
</p>
<pre class="file">protection = manager</pre>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>manager<span class="br0">&#93;</span></span>
<span class="re1">protection</span> <span class="sy0">=</span><span class="re2"> manager</span></pre>
<p>
<p><div class="noteimportant">Before, you have to create the virtual host manager.your.domain in the manager and set a <a href="../../documentation/1.0/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.0:writingrulesand_headers">rule</a>, else access to the manager will be denied.
<p><div class="noteimportant">Before, you have to create the virtual host <code>manager.your.domain</code> in the manager and set a <a href="../../documentation/1.0/writingrulesand_headers.html#rules" class="wikilink1" title="documentation:1.0:writingrulesand_headers">rules</a>, else access to the manager will be denied.
</div></p>
</p>
</div>
<!-- SECTION "Protect the manager by Lemonldap::NG" [1709-2113] -->
<!-- SECTION "Protect the Manager by LL::NG" [1702-2118] -->
<h2><a name="write_good_rules" id="write_good_rules">Write good rules</a></h2>
<div class="level2">
</div>
<!-- SECTION "Write good rules" [2114-2143] -->
<!-- SECTION "Write good rules" [2119-2148] -->
<h3><a name="order_your_rules" id="order_your_rules">Order your rules</a></h3>
<div class="level3">
<p>
Rules are applied in alphabetical order (comment and regular expression). The first rule that matches is applied.
</p>
@ -141,16 +142,16 @@ The rule 2 will be applied first, so every authenticated user will access to /pu
<p>
Use comment to correct this:
</p>
<pre class="code shell"># Rule 1, comment &quot;1 pub&quot;
^/pub/admin/ -&gt; $uid eq &quot;root&quot;
# Rule 2, comment &quot;2 admin&quot;
^/pub/ -&gt; accept</pre>
<pre class="code shell"># Rule 1, comment &quot;1_pub&quot;
(?#1_pub)^/pub/admin/ -&gt; $uid eq &quot;root&quot;
# Rule 2, comment &quot;2_admin&quot;
(?#2_admin)^/pub/ -&gt; accept</pre>
<p>
<p><div class="notetip">
</p>
<ul>
<li class="level1"><div class="li"> Reload the manager to see the order that will be used</div>
<li class="level1"><div class="li"> Reload the Manager to see the order that will be used</div>
</li>
<li class="level1"><div class="li"> Use rule comments to order your rules</div>
</li>
@ -162,7 +163,7 @@ Use comment to correct this:
</p>
</div>
<!-- SECTION "Order your rules" [2144-2879] -->
<!-- SECTION "Order your rules" [2149-2903] -->
<h3><a name="be_careful_with_url_parameters" id="be_careful_with_url_parameters">Be careful with URL parameters</a></h3>
<div class="level3">
@ -192,14 +193,15 @@ You can use the following instead:
</p>
<pre class="code">
# insert a comment 0_bad for this rule:
/^(?i)index.php\?.*access.*access -&gt; deny
/^(?i#0_bad)index.php\?.*access.*access -&gt; deny
# insert a comment 1_admin for this rule
/^(?i)index.php\?.*access=admin -&gt; $groups =~ /\badmin\b/
/^(?i#1_admin)index.php\?.*access=admin -&gt; $groups =~ /\badmin\b/
default -&gt; accept
</pre>
<p>
<strong>(?i)</strong> means case no sensitive.
<p><div class="notetip"><strong>(?i)</strong> means case no sensitive.
</div></p>
</p>
<p>
@ -208,30 +210,30 @@ default -&gt; accept
</p>
</div>
<!-- SECTION "Be careful with URL parameters" [2880-3723] -->
<!-- SECTION "Be careful with URL parameters" [2904-3778] -->
<h3><a name="encoded_characters" id="encoded_characters">Encoded characters</a></h3>
<div class="level3">
<p>
Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, Lemonldap::NG decode them using <a href="http://search.cpan.org/perldoc?Apache2::URI#unescape_url" class="urlextern" title="http://search.cpan.org/perldoc?Apache2::URI#unescape_url" rel="nofollow">http://search.cpan.org/perldoc?Apache2::URI#unescape_url</a>. So write your rules using normal characters.
Some characters are encoded in URLs by the browser (such as space,…). To avoid problems, <acronym title="LemonLDAP::NG">LL::NG</acronym> decode them using <a href="http://search.cpan.org/perldoc?Apache2::URI#unescape_url" class="urlextern" title="http://search.cpan.org/perldoc?Apache2::URI#unescape_url" rel="nofollow">http://search.cpan.org/perldoc?Apache2::URI#unescape_url</a>. So write your rules using normal characters.
</p>
</div>
<!-- SECTION "Encoded characters" [3724-3984] -->
<!-- SECTION "Encoded characters" [3779-4032] -->
<h2><a name="secure_reverse-proxies" id="secure_reverse-proxies">Secure reverse-proxies</a></h2>
<div class="level2">
<p>
Lemonldap::NG can protect any Apache hosted application including Apache reverse-proxy mechanism. Example:
<acronym title="LemonLDAP::NG">LL::NG</acronym> can protect any Apache hosted application including Apache reverse-proxy mechanism. Example:
</p>
<pre class="code apache">PerlOptions +GlobalRequest
PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm
&lt;<span class="kw3">VirtualHost</span> *:443&gt;
<span class="kw1">SSLEngine</span> <span class="kw2">On</span>
... other SSL parameters ...
**PerlInitHandler My::Handler**
PerlInitHandler My::Handler
<span class="kw1">ServerName</span> appl1.example.com
<span class="kw1">ProxyPass</span> / http://hiddenappl1.example.com/
<span class="kw1">ProxyPassReverse</span> / http://hiddenappl1.example.com/
@ -246,15 +248,15 @@ See <a href="http://httpd.apache.org/docs/2.2/mod/mod_proxy.html" class="urlexte
Such configuration can have some security problems:
</p>
<ul>
<li class="level1"><div class="li"> if a user can access directly to the hidden application, it can bypass Lemonldap::NG protection</div>
<li class="level1"><div class="li"> if a user can access directly to the hidden application, it can bypass <acronym title="LemonLDAP::NG">LL::NG</acronym> protection</div>
</li>
<li class="level1"><div class="li"> if many hidden applications are on the same private network, if one is corrupted (by <acronym title="Structured Query Language">SQL</acronym> injection, or another attack), the hacker will be able to access to other applications without using reverse-proxies so it can bypass Lemonldap::NG protection</div>
<li class="level1"><div class="li"> if many hidden applications are on the same private network, if one is corrupted (by <acronym title="Structured Query Language">SQL</acronym> injection, or another attack), the hacker will be able to access to other applications without using reverse-proxies so it can bypass <acronym title="LemonLDAP::NG">LL::NG</acronym> protection</div>
</li>
</ul>
<p>
It is recommended to secure the channel between reverse-proxies and application to be sure that only request coming from the Lemonldap::NG protected reverse-proxies are allowed. You can use one or a combination of:
It is recommended to secure the channel between reverse-proxies and application to be sure that only request coming from the <acronym title="LemonLDAP::NG">LL::NG</acronym> protected reverse-proxies are allowed. You can use one or a combination of:
</p>
<ul>
<li class="level1"><div class="li"> firewalls (but be careful if more than 1 server is behind the firewall)</div>
@ -266,4 +268,24 @@ It is recommended to secure the channel between reverse-proxies and application
</ul>
</div>
<!-- SECTION "Secure reverse-proxies" [3985-] --></div><!-- closes <div class="dokuwiki export">-->
<!-- SECTION "Secure reverse-proxies" [4033-5701] -->
<h2><a name="configure_security_settings" id="configure_security_settings">Configure security settings</a></h2>
<div class="level2">
<p>
Go in Manager, <code>General parameters</code> » <code>Advanced parameters</code> » <code>Security</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Username control</strong>: Regular expression used to check user login syntax.</div>
</li>
<li class="level1"><div class="li"> <strong>Force authentication</strong>: set to &#039;On&#039; to force authentication when user connects to portal, even if he has a valid session</div>
</li>
<li class="level1"><div class="li"> <strong>Encryption key</strong>: key used to crypt some data, should not be known by other applications</div>
</li>
<li class="level1"><div class="li"> <strong>Trusted domains</strong>: domains on which the user can be redirected after login on portal. Set &#039;*&#039; to accept all.</div>
</li>
</ul>
</div>
<!-- SECTION "Configure security settings" [5702-] --></div><!-- closes <div class="dokuwiki export">-->

@ -49,7 +49,7 @@ To configure sessions, go in Manager, <code>General Parameters</code> » <code>S
</div></p>
</p>
<ul>
<li class="level1"><div class="li"> <strong>Sessions Storage</strong>: see <a href="../../documentation/1.0/start.html#sessions_databases" class="wikilink1" title="documentation:1.0:start">session databases configuration</a>.</div>
<li class="level1"><div class="li"> <strong>Sessions Storage</strong>: see <a href="../../documentation/1.0/start.html#sessions_database" class="wikilink1" title="documentation:1.0:start">sessions database configuration</a>.</div>
</li>
<li class="level1"><div class="li"> <strong>Multiple sessions</strong>, you can restrict the number of open sessions:</div>
<ul>

@ -4,6 +4,7 @@
/* Help chapters */
var helpCh={
'advanced':'/pages/documentation/latest/start.html#advanced_features',
'authApache':'/pages/documentation/latest/authapache.html',
'authDBI':'/pages/documentation/latest/authdbi.html',
'authDBIConnection':'/pages/documentation/latest/authdbi.html#connection',
@ -26,6 +27,7 @@ var helpCh={
'authSSL':'/pages/documentation/latest/authssl.html',
'authTwitter':'/pages/documentation/latest/authtwitter.html',
'cookies':'/pages/documentation/latest/ssocookie.html',
'customfunctions':'/pages/documentation/latest/customfunctions.html',
'default':'/pages/documentation/latest/start.html#configuration',
'exportedVars':'/pages/documentation/latest/exportedvars.html',
'headers':'/pages/documentation/latest/writingrulesand_headers.html#headers',
@ -33,18 +35,24 @@ var helpCh={
'issuerdbCAS':'/pages/documentation/latest/idpcas.html',
'issuerdbOpenID':'/pages/documentation/latest/idpopenid.html',
'issuerdbSAML':'/pages/documentation/latest/idpsaml.html',
'logoutforward':'/pages/documentation/latest/logoutforward.html',
'logs':'/pages/documentation/latest/logs.html',
'macrosandgroups':'/pages/documentation/latest/exportedvars.html#extend_variables_using_macros_and_groups',
'menu':'/pages/documentation/latest/portalmenu.html',
'menuCatAndApp':'/pages/documentation/latest/portalmenu.html#categories_and_applications',
'notifications':'/pages/documentation/latest/notifications.html',
'password':'/pages/documentation/latest/resetpassword.html',
'portal':'/pages/documentation/latest/ssocookie.html#portal_url',
'portalcustom':'/pages/documentation/latest/portalcustom.html',
'portalParams':'/pages/documentation/latest/portal.html',
'redirections':'/pages/documentation/latest/redirections.html',
'rules':'/pages/documentation/latest/writingrulesand_headers.html#rules',
'sessiondb':'/pages/documentation/latest/start.html#sessions',
'security':'/pages/documentation/latest/security.html#configure_security_settings',
'sessions':'/pages/documentation/latest/sessions.html',
'sessionsdb':'/pages/documentation/latest/start.html#sessions_database',
'sympa':'/pages/documentation/latest/applications/sympa.html',
'userdbParams':'/pages/documentation/latest/start.html#authentication_and_users_database',
'zimbra':'/pages/documentation/latest/applications/zimbra.html',
};
/* Init simpleTreeCollection */

@ -588,7 +588,7 @@ sub struct {
issuerDBSAMLActivation => 'bool:/issuerDBSAMLActivation',
issuerDBSAMLPath => 'text:/issuerDBSAMLPath',
issuerDBSAMLRule =>
'text:/issuerDBSAMLRule:issuerdb:boolOrPerlExpr',
'text:/issuerDBSAMLRule:issuerdbSAML:boolOrPerlExpr',
},
issuerDBCAS => {
_nodes => [
@ -598,15 +598,16 @@ sub struct {
issuerDBCASActivation => 'bool:/issuerDBCASActivation',
issuerDBCASPath => 'text:/issuerDBCASPath',
issuerDBCASRule =>
'text:/issuerDBCASRule:issuerdb:boolOrPerlExpr',
'text:/issuerDBCASRule:issuerdbCAS:boolOrPerlExpr',
issuerDBCASOptions => {
_nodes => [qw(casAttr casStorage cn:casStorageOptions)],
casAttr => 'text:casAttr',
casAttr => 'text:/casAttr',
casStorage => 'text:/casStorage',
casStorageOptions => {
_nodes => ['hash:/casStorageOptions:default:btext'],
_nodes =>
['hash:/casStorageOptions:issuerDBCAS:btext'],
_js => 'hashRoot',
_help => 'default',
_help => 'issuerdbCAS',
},
},
},
@ -619,15 +620,15 @@ sub struct {
'bool:/issuerDBOpenIDActivation',
issuerDBOpenIDPath => 'text:/issuerDBOpenIDPath',
issuerDBOpenIDRule =>
'text:/issuerDBOpenIDRule:issuerdb:boolOrPerlExpr',
'text:/issuerDBOpenIDRule:issuerdbOpenID:boolOrPerlExpr',
issuerDBOpenIDOptions => {
_nodes => [
qw(openIdIssuerSecret openIdAttr openIdSPList n:openIdSreg)
],
openIdIssuerSecret => 'text:/openIdIssuerSecret',
openIdAttr => 'text:openIdAttr',
openIdAttr => 'text:/openIdAttr',
openIdSPList =>
'text:/openIdSPList:issuerdbopenid:openididplist',
'text:/openIdSPList:issuerdbOpenID:openididplist',
openIdSreg => {
_nodes => [
qw(openIdSreg_fullname openIdSreg_nickname openIdSreg_language openIdSreg_postcode openIdSreg_timezone openIdSreg_country openIdSreg_gender openIdSreg_email openIdSreg_dob)
@ -652,7 +653,7 @@ sub struct {
_help => 'logs',
syslog => 'text:/syslog',
useXForwardedForIP => 'bool:/useXForwardedForIP',
whatToTrace => 'text:/whatToTrace:whatToTrace:text',
whatToTrace => 'text:/whatToTrace',
},
# COOKIE PARAMETERS
@ -660,11 +661,11 @@ sub struct {
_nodes =>
[qw(cookieName domain cda securedCookie cookieExpiration)],
_help => 'cookies',
cookieName => 'text:/cookieName:cookieName:text',
domain => 'text:/domain:domain:text',
cookieName => 'text:/cookieName',
domain => 'text:/domain',
cda => 'bool:/cda',
securedCookie =>
'select:/securedCookie:securedCookie:securedCookieValues',
'select:/securedCookie:cookies:securedCookieValues',
cookieExpiration => 'text:/cookieExpiration',
},
@ -673,22 +674,23 @@ sub struct {
_nodes => [
qw(grantSessionRule storePassword timeout timeoutActivity n:sessionStorage n:multipleSessions)
],
_help => 'storage',
_help => 'sessions',
grantSessionRule => 'textarea:/grantSessionRule',
storePassword => 'bool:/storePassword',
timeout => 'int:/timeout:timeout:int',
timeout => 'int:/timeout',
timeoutActivity =>
'text:/timeoutActivity:timeoutActivity:timeoutActivityParams',
'text:/timeoutActivity:sessions:timeoutActivityParams',
sessionStorage => {
_nodes => [qw(globalStorage cn:globalStorageOptions)],
_help => 'sessionsdb',
globalStorage => 'text:/globalStorage',
globalStorageOptions => {
_nodes => ['hash:/globalStorageOptions:storage:btext'],
_nodes =>
['hash:/globalStorageOptions:sessionsdb:btext'],
_js => 'hashRoot',
_help => 'storage',
_help => 'sessionsdb',
},
},
@ -709,8 +711,9 @@ sub struct {
_nodes => [
qw(customFunctions n:soap n:notifications n:passwordManagement n:security n:redirection n:specialHandlers cn:logoutServices)
],
_help => 'advanced',
customFunctions => 'text:/customFunctions',
customFunctions => 'text:/customFunctions:customfunctions:text',
soap => {
_nodes => [qw(Soap exportedAttr)],
@ -738,6 +741,7 @@ sub struct {
_nodes => [
qw(SMTPServer mailUrl mailFrom mailSubject mailBody mailConfirmSubject mailConfirmBody randomPasswordRegexp)
],
_help => 'password',
SMTPServer => 'text:/SMTPServer',
mailUrl => 'text:/mailUrl',
mailFrom => 'text:/mailFrom',
@ -751,10 +755,10 @@ sub struct {
security => {
_nodes =>
[qw(userControl portalForceAuthn key trustedDomains)],
userControl => 'text:/userControl:userControl:text',
portalForceAuthn =>
'bool:/portalForceAuthn:portalForceAuthn:bool',
key => 'text:/key:key:text',
_help => 'security',
userControl => 'text:/userControl',
portalForceAuthn => 'bool:/portalForceAuthn',
key => 'text:/key',
trustedDomains => 'text:/trustedDomains',
},
@ -777,6 +781,7 @@ sub struct {
_nodes => [
qw(zimbraPreAuthKey zimbraAccountKey zimbraBy zimbraUrl zimbraSsoUrl)
],
_help => 'zimbra',
zimbraPreAuthKey => 'text:/zimbraPreAuthKey',
zimbraAccountKey => 'text:/zimbraAccountKey',
zimbraBy => 'text:/zimbraBy:default:zimbraByParams',
@ -787,15 +792,16 @@ sub struct {
# Sympa
sympaHandler => {
_nodes => [qw(sympaSecret sympaMailKey)],
_help => 'sympa',
sympaSecret => 'text:/sympaSecret',
sympaMailKey => 'text:/sympaMailKey',
},
},
logoutServices => {
_nodes => ['hash:/logoutServices:default:btext'],
_nodes => ['hash:/logoutServices:logoutforward:btext'],
_js => 'hashRoot',
_help => 'default',
_help => 'logoutforward',
},
},
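Review bot: The `security` node's `key => 'text:/key'` (and likewise `openIdIssuerSecret`, `zimbraPreAuthKey` and `sympaSecret` in the other hunks of this file) declare secrets with the generic `text` widget, so the Manager renders and round-trips the encryption key in cleartext in the form, which is at odds with the new help text saying the key "should not be known by other applications". I cannot tell from the hunk whether the Manager's widget set has a masked input type; if it does, these fields should use it, and if not, the new `_help => 'security'` chapter is the right place to warn that the value is shown in the browser and must be kept confidential. As a smaller point, the simplified `'text:/key'` drops the explicit help/type suffix the old entries carried (`:key:text`), which is fine only if the `_help` fallback is guaranteed for every leaf under `security`; a one-line comment above `_help => 'security'` stating that leaves inherit the node's help chapter would make that intent visible. `sub struct` begins and ends outside this hunk.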
