doc: fix formatting

Moo
Maxime Besson 5 years ago
parent 75c4ff864c
commit 86b9ffedf7
1. doc/sources/admin/applications.rst (64)
2. doc/sources/admin/applications/adfs.rst (2)
3. doc/sources/admin/applications/alfresco.rst (42)
4. doc/sources/admin/applications/authbasic.rst (4)
5. doc/sources/admin/applications/aws.rst (8)
6. doc/sources/admin/applications/bugzilla.rst (14)
7. doc/sources/admin/applications/cornerstone.rst (2)
8. doc/sources/admin/applications/dokuwiki.rst (18)
9. doc/sources/admin/applications/drupal.rst (18)
10. doc/sources/admin/applications/gitlab.rst (14)
11. doc/sources/admin/applications/googleapps.rst (14)
12. doc/sources/admin/applications/grafana.rst (6)
13. doc/sources/admin/applications/guacamole.rst (6)
14. doc/sources/admin/applications/humhub.rst (12)
15. doc/sources/admin/applications/jitsimeet.rst (8)
16. doc/sources/admin/applications/liferay.rst (28)
17. doc/sources/admin/applications/limesurvey.rst (20)
18. doc/sources/admin/applications/mattermost.rst (10)
19. doc/sources/admin/applications/mediawiki.rst (20)
20. doc/sources/admin/applications/nextcloud.rst (10)
21. doc/sources/admin/applications/nginx.rst (2)
22. doc/sources/admin/applications/obm.rst (16)
23. doc/sources/admin/applications/phpldapadmin.rst (16)
24. doc/sources/admin/applications/roundcube.rst (4)
25. doc/sources/admin/applications/salesforce.rst (4)
26. doc/sources/admin/applications/simplesamlphp.rst (10)
27. doc/sources/admin/applications/sympa.rst (24)
28. doc/sources/admin/applications/tomcat.rst (16)
29. doc/sources/admin/applications/wekan.rst (8)
30. doc/sources/admin/applications/xwiki.rst (4)
31. doc/sources/admin/applications/zimbra.rst (10)
32. doc/sources/admin/authad.rst (2)
33. doc/sources/admin/authapache.rst (16)
34. doc/sources/admin/authcas.rst (23)
35. doc/sources/admin/authchoice.rst (14)
36. doc/sources/admin/authcombination.rst (30)
37. doc/sources/admin/authcustom.rst (14)
38. doc/sources/admin/authdbi.rst (20)
39. doc/sources/admin/authdemo.rst (4)
40. doc/sources/admin/authfacebook.rst (16)
41. doc/sources/admin/authgithub.rst (12)
42. doc/sources/admin/authgpg.rst (4)
43. doc/sources/admin/authkerberos.rst (14)
44. doc/sources/admin/authldap.rst (43)
45. doc/sources/admin/authlinkedin.rst (12)
46. doc/sources/admin/authmulti.rst (2)
47. doc/sources/admin/authopenid.rst (16)
48. doc/sources/admin/authopenidconnect.rst (37)
49. doc/sources/admin/authopenidconnect_franceconnect.rst (2)
50. doc/sources/admin/authopenidconnect_google.rst (2)
51. doc/sources/admin/authpam.rst (4)
52. doc/sources/admin/authproxy.rst (4)
53. doc/sources/admin/authradius.rst (4)
54. doc/sources/admin/authremote.rst (6)
55. doc/sources/admin/authrest.rst (6)
56. doc/sources/admin/authsaml.rst (29)
57. doc/sources/admin/authslave.rst (2)
58. doc/sources/admin/authssl.rst (78)
59. doc/sources/admin/authtwitter.rst (12)
60. doc/sources/admin/authwebid.rst (2)
61. doc/sources/admin/authyubikey.rst (4)
62. doc/sources/admin/autosignin.rst (2)
63. doc/sources/admin/behindproxyminihowto.rst (8)
64. doc/sources/admin/browseablesessionbackend.rst (44)
65. doc/sources/admin/bruteforceprotection.rst (6)
66. doc/sources/admin/captcha.rst (2)
67. doc/sources/admin/cda.rst (16)
68. doc/sources/admin/changesessionbackend.rst (2)
69. doc/sources/admin/checkstate.rst (2)
70. doc/sources/admin/checkuser.rst (32)
71. doc/sources/admin/cli_examples.rst (12)
72. doc/sources/admin/configapache.rst (24)
73. doc/sources/admin/configlocation.rst (93)
74. doc/sources/admin/configvhost.rst (67)
75. doc/sources/admin/contextswitching.rst (6)
76. doc/sources/admin/contribute.rst (10)
77. doc/sources/admin/customfunctions.rst (8)
78. doc/sources/admin/customhandlers.rst (10)
79. doc/sources/admin/decryptvalue.rst (8)
80. doc/sources/admin/devopshandler.rst (12)
81. doc/sources/admin/download.rst (22)
82. doc/sources/admin/error.rst (10)
83. doc/sources/admin/exportedvars.rst (5)
84. doc/sources/admin/extendedfunctions.rst (72)
85. doc/sources/admin/external2f.rst (12)
86. doc/sources/admin/fastcgi.rst (2)
87. doc/sources/admin/fastcgiserver.rst (6)
88. doc/sources/admin/features.rst (6)
89. doc/sources/admin/federationproxy.rst (6)
90. doc/sources/admin/fileconfbackend.rst (6)
91. doc/sources/admin/filesessionbackend.rst (2)
92. doc/sources/admin/formreplay.rst (10)
93. doc/sources/admin/globallogout.rst (6)
94. doc/sources/admin/handlerarch.rst (4)
95. doc/sources/admin/handlerauthbasic.rst (20)
96. doc/sources/admin/header_remote_user_conversion.rst (12)
97. doc/sources/admin/idpcas.rst (17)
98. doc/sources/admin/idpopenid.rst (34)
99. doc/sources/admin/idpopenidconnect.rst (31)
100. doc/sources/admin/idpsaml.rst (24)
Some files were not shown because too many files have changed in this diff.

@ -35,42 +35,42 @@ Application list
================================================================= ==================================================== ============ ================ === ==== ====
Application Configuration guide HTTP headers Specific Handler CAS SAML OIDC
================================================================= ==================================================== ============ ================ === ==== ====
.. image:: applications/microsoft-adfs.png :doc:`ADFS<applications/adfs>`
.. image:: applications/alfresco_logo.png :doc:`Alfresco<applications/alfresco>` ✔ ✔
.. image:: applications/logo_amazon_web_services.jpg :doc:`Amazon Web Services<applications/aws>`
.. image:: applications/logo-awx.png :doc:`AWX (Ansible Tower)<applications/awx>`
.. image:: applications/bugzilla_logo.png :doc:`Bugzilla<applications/bugzilla>`
.. image:: applications/csod_logo.png :doc:`Cornerstone<applications/cornerstone>`
.. image:: applications/microsoft-adfs.png :doc:`ADFS<applications/adfs>`
.. image:: applications/alfresco_logo.png :doc:`Alfresco<applications/alfresco>` ✔ ✔
.. image:: applications/logo_amazon_web_services.jpg :doc:`Amazon Web Services<applications/aws>`
.. image:: applications/logo-awx.png :doc:`AWX (Ansible Tower)<applications/awx>`
.. image:: applications/bugzilla_logo.png :doc:`Bugzilla<applications/bugzilla>`
.. image:: applications/csod_logo.png :doc:`Cornerstone<applications/cornerstone>`
.. image:: applications/discourse.jpg :doc:`Discourse<applications/discourse>` ✔ ✔
.. image:: applications/django_logo.png :doc:`Django<applications/django>`
.. image:: applications/dokuwiki_logo.png :doc:`Dokuwiki<applications/dokuwiki>`
.. image:: applications/drupal_logo.png :doc:`Drupal<applications/drupal>`
.. image:: applications/fusiondirectory-logo.jpg :doc:`FusionDirectory<applications/fusiondirectory>`
.. image:: applications/django_logo.png :doc:`Django<applications/django>`
.. image:: applications/dokuwiki_logo.png :doc:`Dokuwiki<applications/dokuwiki>`
.. image:: applications/drupal_logo.png :doc:`Drupal<applications/drupal>`
.. image:: applications/fusiondirectory-logo.jpg :doc:`FusionDirectory<applications/fusiondirectory>`
.. image:: applications/gitlab_logo.png :doc:`Gitlab<applications/gitlab>` ✔ ✔
.. image:: applications/glpi_logo.png :doc:`GLPI<applications/glpi>`
.. image:: applications/googleapps_logo.png :doc:`Google Apps<applications/googleapps>`
.. image:: applications/glpi_logo.png :doc:`GLPI<applications/glpi>`
.. image:: applications/googleapps_logo.png :doc:`Google Apps<applications/googleapps>`
.. image:: applications/grafana_logo.png :doc:`Grafana<applications/grafana>`
.. image:: applications/grr_logo.png :doc:`GRR<applications/grr>`
.. image:: applications/grr_logo.png :doc:`GRR<applications/grr>`
.. image:: applications/guacamole.png :doc:`Apache Guacamole<applications/guacamole>` ✔ ✔ ✔
.. image:: applications/humhub_logo.png :doc:`HumHub<applications/humhub>`
.. image:: applications/logo-jitsimeet.png :doc:`Jitsi Meet<applications/jitsimeet>`
.. image:: applications/liferay_logo.png :doc:`Liferay<applications/liferay>`
.. image:: applications/limesurvey_logo.png :doc:`LimeSurvey<applications/limesurvey>`
.. image:: applications/logo-jitsimeet.png :doc:`Jitsi Meet<applications/jitsimeet>`
.. image:: applications/liferay_logo.png :doc:`Liferay<applications/liferay>`
.. image:: applications/limesurvey_logo.png :doc:`LimeSurvey<applications/limesurvey>`
.. image:: applications/mattermost_logo.png :doc:`Mattermost<applications/mattermost>`
.. image:: applications/mediawiki_logo.png :doc:`Mediawiki<applications/mediawiki>`
.. image:: applications/nextcloud-logo.png :doc:`NextCloud<applications/nextcloud>`
.. image:: applications/obm_logo.png :doc:`OBM<applications/obm>`
.. image:: applications/logo_office_365.png :doc:`Office 365<applications/office365>`
.. image:: applications/phpldapadmin_logo.png :doc:`phpLDAPAdmin<applications/phpldapadmin>`
.. image:: applications/roundcube_logo.png :doc:`Roundcube<applications/roundcube>`
.. image:: applications/salesforce-logo.jpg :doc:`SalesForce<applications/salesforce>`
.. image:: applications/SAPLogo.gif :doc:`SAP<applications/sap>` ✔ ✔
.. image:: applications/simplesamlphp_logo.png :doc:`simpleSAMLphp<applications/simplesamlphp>`
.. image:: applications/spring_logo.png :doc:`Spring<applications/spring>`
.. image:: applications/symfony_logo.png :doc:`Symfony<applications/symfony>`
.. image:: applications/sympa_logo.png :doc:`Sympa<applications/sympa>`
.. image:: applications/tomcat_logo.png :doc:`Tomcat<applications/tomcat>`
.. image:: applications/wordpress_logo.png :doc:`Wordpress<applications/wordpress>`
.. image:: applications/xwiki.png :doc:`XWiki<applications/xwiki>`
.. image:: applications/zimbra_logo.png :doc:`Zimbra<applications/zimbra>`
.. image:: applications/mediawiki_logo.png :doc:`Mediawiki<applications/mediawiki>`
.. image:: applications/nextcloud-logo.png :doc:`NextCloud<applications/nextcloud>`
.. image:: applications/obm_logo.png :doc:`OBM<applications/obm>`
.. image:: applications/logo_office_365.png :doc:`Office 365<applications/office365>`
.. image:: applications/phpldapadmin_logo.png :doc:`phpLDAPAdmin<applications/phpldapadmin>`
.. image:: applications/roundcube_logo.png :doc:`Roundcube<applications/roundcube>`
.. image:: applications/salesforce-logo.jpg :doc:`SalesForce<applications/salesforce>`
.. image:: applications/SAPLogo.gif :doc:`SAP<applications/sap>` ✔ ✔
.. image:: applications/simplesamlphp_logo.png :doc:`simpleSAMLphp<applications/simplesamlphp>`
.. image:: applications/spring_logo.png :doc:`Spring<applications/spring>`
.. image:: applications/symfony_logo.png :doc:`Symfony<applications/symfony>`
.. image:: applications/sympa_logo.png :doc:`Sympa<applications/sympa>`
.. image:: applications/tomcat_logo.png :doc:`Tomcat<applications/tomcat>`
.. image:: applications/wordpress_logo.png :doc:`Wordpress<applications/wordpress>`
.. image:: applications/xwiki.png :doc:`XWiki<applications/xwiki>`
.. image:: applications/zimbra_logo.png :doc:`Zimbra<applications/zimbra>`
================================================================= ==================================================== ============ ================ === ==== ====
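Review bot: in a reStructuredText simple table the check marks are assigned to columns purely by their character position under the `====` markers, so a realignment of 42 rows like this one is easy to get off by one cell (compare the Guacamole row with three marks and the Alfresco row with two); please build the page once with `sphinx-build -W` and check the rendered table before merging, since the rendered diff cannot show whether each mark landed in the CAS, SAML or OIDC column.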

@ -11,7 +11,7 @@ Identity/Service Provider, compatible with several protocols, including
SAML 2.0.
.. important::
.. important::
This documentation does not explains how to setup ADFS,
but give only tricks to make it works with LL::NG
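Review bot: the admonition body has grammar errors that should be fixed while the indentation is being touched: "This documentation does not explains how to setup ADFS, but give only tricks to make it works with LL::NG" should read "This documentation does not explain how to set up ADFS; it only gives tips to make it work with LL::NG".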

@ -17,7 +17,7 @@ Authentication against LL::NG can be done trough:
- SAML 2 (LL::NG as SAML2 IDP)
.. tip::
.. tip::
Alfresco now recommends SAML2 method
@ -30,10 +30,10 @@ Alfresco
~~~~~~~~
.. tip::
.. tip::
The official documentation can be found here:
http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html\
http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html\
You need to find the following files in your Alfresco installation:
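Review bot: the line `http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html\` ends in a backslash left over from the wiki-to-RST conversion; in reStructuredText a trailing backslash only escapes the line break and renders nothing useful, so drop it. The same artifact is visible after the `:doc:` role in the Google Apps tip and after the mailing-list link in the Guacamole warning in this commit.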
@ -102,7 +102,7 @@ the ``<endpoint>``, change ``<connector-id>`` value to
You need to restart Tomcat to apply changes.
.. warning::
.. warning::
Now you can log in with a simple HTTP header. You need to
restrict access to Alfresco to LL::NG.
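Review bot: the warning "You need to restrict access to Alfresco to LL::NG" is the key security statement of this page and should say how: once Alfresco trusts a plain HTTP header for login, any client that can reach Tomcat directly can set that header itself, so the connector must only be reachable from the LL::NG handler or reverse proxy (firewall rule or Tomcat connector address binding). One sentence here would be enough.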
@ -171,13 +171,13 @@ Edit then ``share-config-custom.xml``:
...
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<!--
If using https make a CSRFPolicy with replace="true" and override the properties section.
Note, localhost is there to allow local checks to succeed.
I.e.
<properties>
@ -187,15 +187,15 @@ Edit then ``share-config-custom.xml``:
</properties>
-->
<filter>
<!-- SAML SPECIFIC CONFIG - START -->
<!--
Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET to avoid them
@ -208,7 +208,7 @@ Edit then ``share-config-custom.xml``:
</request>
</rule>
<!-- Incoming posts from IDPs do not require a token -->
<rule>
@ -218,15 +218,15 @@ Edit then ``share-config-custom.xml``:
</request>
</rule>
<!-- SAML SPECIFIC CONFIG - STOP -->
<!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml -->
<!--
Certain webscripts shall not be allowed to be accessed directly form the browser.
@ -241,7 +241,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!--
Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.
@ -260,7 +260,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!--
Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
@ -279,7 +279,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!-- Certain Share POST requests does NOT require a token -->
<rule>
@ -295,7 +295,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!-- Assert logout is done from a valid domain, if so clear the token when logging out -->
<rule>
@ -315,7 +315,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!-- Make sure the first token is generated -->
<rule>
@ -332,7 +332,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!-- Refresh token on new "page" visit when a user is logged in -->
<rule>
@ -350,7 +350,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!--
Verify multipart requests from logged in users contain the token as a parameter
@ -376,7 +376,7 @@ Edit then ``share-config-custom.xml``:
</action>
</rule>
<!--
Verify that all remaining state changing requests from logged in users' requests contains a token in the

@ -7,7 +7,7 @@ Presentation
------------
.. important::
.. important::
For now, this feature is only supported by Apache
handler.
@ -63,7 +63,7 @@ So the above example can also be written like this:
Authorization => basic($uid,$_password)
.. tip::
.. tip::
The ``basic`` function will also force conversion from UTF-8
to ISO-8859-1, which should be accepted by most of HTTP servers.

@ -29,7 +29,7 @@ SAML
name so people know which account is which.
.. important::
.. important::
If you have only one role, the configuration is simple. If you
have multiple roles for different people, it is a little trickier. As
@ -41,15 +41,15 @@ SAML
user has attributes which are used quite heavily for dynamic groups and
authorisation. You will want something similar, using whatever attribute
makes sense to you. For example:
.. code::
dn: uid=user,ou=people,dc=your,dc=com
...
ou: sysadmin
ou: database
ou: root
- Assuming you use the web interface to manage lemonldap, go to General

@ -48,7 +48,7 @@ Configure Bugzilla virtual host like other
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
@ -71,8 +71,8 @@ Configure Bugzilla virtual host like other
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location / {
auth_request /lmauth;
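Review bot: the comment `# Keep original request (LLNG server will received /llauth)` names `/llauth`, while the location actually used two lines below is `/lmauth` (`auth_request /lmauth;`), and "will received" should be "will receive". The same comment recurs in the Dokuwiki, Drupal, Liferay, MediaWiki and OBM Nginx snippets of this commit, so fix them together.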
@ -80,9 +80,9 @@ Configure Bugzilla virtual host like other
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -96,9 +96,9 @@ Bugzilla virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Bugzilla.
Configure the :doc:`access rules<../writingrulesand_headers>`.
Configure the :ref:`rules<rules>`.
Configure the following :doc:`headers<../writingrulesand_headers>`.
Configure the following :ref:`header<headers>`.
- **Auth-User**: $uid
- **Auth-Mail**: $mail
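Review bot: the new `:ref:` link texts are inconsistent with the Dokuwiki page in the same commit: here `:ref:`rules<rules>`` and `:ref:`header<headers>`` (singular, although two headers follow), there `:ref:`access rules<rules>`` and `:ref:`headers<headers>``. Suggest "access rules" and "headers" everywhere.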

@ -56,7 +56,7 @@ Now we will add CSOD as a new SAML Service Provider:
</md:EntityDescriptor>
.. important::
.. important::
Change **mycompanyid** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your CSOD company ID and put the

@ -14,7 +14,7 @@ readable outside the Wiki and eases the creation of structured texts.
All data is stored in plain text files – no database is required.
.. tip::
.. tip::
LemonLDAP::NG wiki uses Dokuwiki!
@ -57,7 +57,7 @@ Configure Dokuwiki virtual host like other
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
@ -80,8 +80,8 @@ Configure Dokuwiki virtual host like other
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location / {
auth_request /lmauth;
@ -89,9 +89,9 @@ Configure Dokuwiki virtual host like other
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -105,9 +105,9 @@ Dokuwiki virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Dokuwiki.
Configure the :doc:`access rules<../writingrulesand_headers>`.
Configure the :ref:`access rules<rules>`.
Configure the :doc:`headers<../writingrulesand_headers>`:
Configure the :ref:`headers<headers>`:
- Auth-User $uid
- Auth-Cn: $cn
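Review bot: `- Auth-User $uid` is missing the colon that the neighbouring items (`- Auth-Cn: $cn`, `- Auth-Groups: ...`) have; make it `- Auth-User: $uid`.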
@ -115,7 +115,7 @@ Configure the :doc:`headers<../writingrulesand_headers>`:
- Auth-Groups: encode_base64($groups,"")
.. important::
.. important::
To allow execution of encode_base64() method, you must
deactivate the :doc:`Safe jail<../safejail>`.
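Review bot: the `important` admonition tells readers to deactivate the Safe jail so `encode_base64()` can run, but not that the Safe jail setting is global: switching it off removes the sandbox around every rule and header expression in the configuration, not only this one header. Suggest adding a sentence such as "Note that this disables the jail for all rules and headers" so the trade-off is visible next to the instruction.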

@ -34,7 +34,7 @@ Configure Drupal virtual host like other
:doc:`protected virtual host<../configvhost>`.
.. important::
.. important::
If you are protecting Drupal with LL::NG as reverse
proxy,
@ -50,7 +50,7 @@ Configure Drupal virtual host like other
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
@ -73,8 +73,8 @@ Configure Drupal virtual host like other
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location / {
auth_request /lmauth;
@ -82,9 +82,9 @@ Configure Drupal virtual host like other
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -98,10 +98,10 @@ Drupal virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Drupal.
Just configure the :doc:`access rules<../writingrulesand_headers>`.
Just configure the :ref:`access rules<rules>`.
If using LL::NG as reverse proxy, configure the ``Auth-User``
:doc:`header<../writingrulesand_headers>`, else no headers are needed.
:ref:`header<headers>`, else no headers are needed.
Protect only the administration pages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -110,7 +110,7 @@ With the above solution, all the Drupal site will be protected, so no
anonymous access will be allowed.
.. important::
.. important::
You cannot use the ``unprotect`` rule because Drupal
navigation is based on query strings (?q=admin, ?q=user, etc.), and

@ -51,15 +51,15 @@ Find the gitlab.rb file and add these settings:
]
.. tip::
.. tip::
To get the fingerprint of IDP certificate, copy SAML
certificate from LL::NG configuration in a file and use openssl:
::
openssl x509 -in CERT.pem -noout -fingerprint
You can force SAML by default with this option:
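Review bot: `openssl x509 -in CERT.pem -noout -fingerprint` leaves the digest implicit (OpenSSL prints a SHA-1 fingerprint by default); make it explicit with `-sha1` or `-sha256` and say which algorithm the GitLab side is configured to compare against, so readers do not paste a fingerprint of the wrong algorithm and then debug a failing SAML response.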
@ -96,7 +96,7 @@ Register them in LL::NG and send these SAML attributes:
- cn => name
.. important::
.. important::
The value from LL::NG mail session attribute must be the
email of the user in Gitlab database, in order to associate
@ -180,10 +180,10 @@ Add an OpenID Connect RP to LemonLDAP::NG
LemonLDAP::NG session is mapped to the ``email`` claim.
.. important::
.. important::
You need to set a key identifier, or you will get a
*JSON::JWK::Set::KidNotFound* error on Gitlab
*JSON::JWK::Set::KidNotFound* error on Gitlab
.. |image0| image:: /applications/gitlab_logo.png
:class: align-center

@ -26,7 +26,7 @@ Google Apps control panel
~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
.. important::
This part is based on `SimpleSAMLPHP
documentation <http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps>`__.
@ -55,7 +55,7 @@ Now configure all SAML parameters:
Example: http://auth.example.com
.. important::
.. important::
You must check the option
``Use a specific domain transmitter`` to force Google Apps to send the
@ -79,10 +79,10 @@ use openssl to generate an auto-signed certificate:
You can now the upload the certificate (``cert.pem``) on Google Apps.
.. tip::
.. tip::
You can also use the certificate instead of public key in SAML
metadata, see :doc:`SAML service configuration<../samlservice>`\
metadata, see :doc:`SAML service configuration<../samlservice>`\
New Service Provider
~~~~~~~~~~~~~~~~~~~~
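Review bot: the context line "You can now the upload the certificate" has a stray "the" ("You can now upload the certificate"), and the hunk header's "auto-signed certificate" should read "self-signed certificate". The `:doc:` role at the end of the tip is also followed by a trailing backslash left by the conversion; drop it.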
@ -112,7 +112,7 @@ Now we will add Google Apps as a new SAML Service Provider:
</md:EntityDescriptor>
.. important::
.. important::
Change **mydomain.org** (in ``AssertionConsumerService``
markup, parameter ``Location``) into your Google Apps domain. Also adapt
@ -134,7 +134,7 @@ You need to adapt some parameters:
``On`` to always display it
.. important::
.. important::
Change **mydomain.org** into your Google Apps
domain
@ -155,7 +155,7 @@ To manage the other way (LL::NG → Google Apps), you can add a dedicated
GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
.. important::
.. important::
Change **mydomain.org** into your Google Apps
domain

@ -31,9 +31,9 @@ Your configuration file will have to look something like this:
client_id = CHOOSE_A_CLIENT_ID
client_secret = CHOOSE_A_CLIENT_SECRET
scopes = openid email profile
auth_url = https://auth.example.com/oauth2/authorize
token_url = https://auth.example.com/oauth2/token
api_url = https://auth.example.com/oauth2/userinfo
auth_url = https://auth.example.com/oauth2/authorize
token_url = https://auth.example.com/oauth2/token
api_url = https://auth.example.com/oauth2/userinfo
allow_sign_up = true
name = LemonLDAP::NG
send_client_credentials_via_post = false
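Review bot: `allow_sign_up = true` deserves a sentence in the surrounding text: with it, every account LemonLDAP::NG authenticates gets a Grafana account created on first login, so the access rule on the LL::NG virtual host is what actually limits who can use Grafana. Suggest adding that remark below the configuration block.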

@ -43,11 +43,11 @@ Your Guacamole configuration directory will look something like this.
└── guacamole.properties
.. warning::
.. warning::
Make sure to rename the JAR in a way that `ensures that it
will be loaded
first <https://lists.apache.org/thread.html/b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E>`__\
first <https://lists.apache.org/thread.html/b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E>`__\
And ``guacamole.properties`` should contain at least
@ -61,7 +61,7 @@ And ``guacamole.properties`` should contain at least
openid-username-claim-type: sub
.. tip::
.. tip::
Remplace the ``redirect uri`` with your Guacamole server's URL
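Review bot: "Remplace the ``redirect uri`` with your Guacamole server's URL" should read "Replace the ``redirect uri`` with your Guacamole server's URL".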

@ -23,7 +23,7 @@ authenticated by LemonLDAP::NG will be registered in HumHub upon their
first login.
.. warning::
.. warning::
HumHub retrieves a user from his username and the
authentication service he came through. As a result, a former local or
@ -36,12 +36,12 @@ OpenID Connect
--------------
.. note::
.. note::
This set-up works with option enablePrettyUrl activated in
Humhub. If not activated, rewrite URL in Humhub HTTP server and allowed
redirect URL in LemonLDAP needs to be adapted to work with the non
pretty URL format.
pretty URL format.
Configuring HumHub
~~~~~~~~~~~~~~~~~~
@ -82,10 +82,10 @@ composer :
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv
.. note::
.. note::
If you just need to update the connector, change its version
in composer.json and run the above composer update command.
in composer.json and run the above composer update command.
::
@ -142,7 +142,7 @@ can set up a redirection in the http server in front of the application
::
if ($query_string !~ "nosso"){
if ($query_string !~ "nosso"){
rewrite ^/user/auth/login$ /user/auth/external?authclient=lemonldapng permanent;
}

@ -95,23 +95,23 @@ Jitsi Meet Virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Jitsi Meet.
Configure the :doc:`access rules<../writingrulesand_headers>`.
Configure the :ref:`access rules<rules>`.
::
* Don't forget to configure the /logout/ URL
Configure the following :doc:`headers<../writingrulesand_headers>`.
Configure the following :ref:`headers<headers>`.
- **mail**: $mail
- **displayName**: $cn
.. warning::
.. warning::
Jitsi meet expects to find a ``mail`` HTTP header, it
will ignore REMOTE_USER and only use the mail value to identify the
user.
user.
.. |image0| image:: /applications/logo-jitsimeet.png
:class: align-center
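Review bot: the `::` literal block around `* Don't forget to configure the /logout/ URL` renders the bullet as preformatted text rather than as a list item or note; this line is advice, not a rule, so make it a `.. note::` (or a plain bullet after the "Configure the access rules" sentence) and keep `::` for rule syntax only.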

@ -18,7 +18,7 @@ Of course, integration will be full if you use the LDAP directory as
users backend for LL::NG and Liferay.
.. important::
.. important::
If the user is not created, or can not be created via
LDAP import, the connection to Liferay will be refused. With LDAP,
@ -59,7 +59,7 @@ In ``General``, fill at least the following information:
- **How do users authenticate?**: by login
.. tip::
.. tip::
We advice to deactivate other options, cause users will use
LL::NG portal to modify or reset their password.
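Review bot: "We advice to deactivate other options, cause users will use LL::NG portal to modify or reset their password" should read "We advise deactivating the other options, because users will use the LL::NG portal to modify or reset their password".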
@ -67,16 +67,16 @@ In ``General``, fill at least the following information:
|image6|
.. important::
.. important::
You need to activate LDAP authentication, else SSO
authentication will not work. Do this in the control panel or in the
configuration file:
::
ldap.auth.enabled=true
Then use the ``SiteMinder`` tab to configure SSO:
@ -88,7 +88,7 @@ Then use the ``SiteMinder`` tab to configure SSO:
|image7|
.. important::
.. important::
Do not forget to save your changes!
@ -108,7 +108,7 @@ Configure Liferay virtual host like other
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
@ -131,8 +131,8 @@ Configure Liferay virtual host like other
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location / {
auth_request /lmauth;
@ -140,9 +140,9 @@ Configure Liferay virtual host like other
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -156,14 +156,14 @@ Liferay virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Liferay.
Just configure the :doc:`access rules<../writingrulesand_headers>`. You
Just configure the :ref:`access rules<rules>`. You
can add a rule for logout:
::
^/c/portal/logout => logout_sso
Configure the ``Auth-User`` :doc:`header<../writingrulesand_headers>`.
Configure the ``Auth-User`` :ref:`header<headers>`.
.. |image0| image:: /applications/liferay_logo.png
:class: align-center

@ -19,7 +19,7 @@ To have a stronger integration, we will configure LimeSurvey to
autocreate unknown users and use HTTP headers to fill name and mail.
.. important::
.. important::
We suppose that LimeSurvey is installed in
/var/www/html/limesurvey
@ -35,15 +35,15 @@ manager. Select the WebServer module and configure it.
This is enough for the authentication part.
.. tip::
.. tip::
If you are blocked, you can deactivate the plugin with this
request in database:
::
update lime_plugins SET active=0 where name="Authwebserver";
To configure account autocreation, you need to edit
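Review bot: `update lime_plugins SET active=0 where name="Authwebserver";` uses double quotes around the string literal, which MySQL/MariaDB accept but standard SQL (and PostgreSQL) treat as a quoted identifier; suggest `name='Authwebserver'` and consistent keyword case (`UPDATE lime_plugins SET active=0 WHERE name='Authwebserver';`).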
@ -106,15 +106,15 @@ Default default Allow only users with a LimeSurvey role
========= =========== ========================================
.. tip::
.. tip::
You can set the default access to:
::
* **accept**: all authenticated users will access surveys
* **unprotect**: no authentication will be asked to access surveys
* **unprotect**: no authentication will be asked to access surveys
.. |image0| image:: /applications/limesurvey_logo.png
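Review bot: the `::` literal block holds a bullet list with `**accept**` and `**unprotect**` emphasis, which is not interpreted as markup inside a literal block; move the two items out of the literal block as a normal list under "You can set the default access to:" (the tip only needs a blank line before the list).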

@ -30,10 +30,10 @@ integrated with LemonLDAP::NG without having to use a
:doc:`Gitlab<gitlab>` server.
.. warning::
.. warning::
The following configuration requires your user database
to expose a unique numeric identifier for every user.
to expose a unique numeric identifier for every user.
Configuring Mattermost Team Edition
-----------------------------------
@ -106,16 +106,16 @@ with the following parameters:
* ''id'': session attribute containing the user's numeric ID
.. warning::
.. warning::
Mattermost absolutely needs to receive a numerical value
in the ``id`` claim. If you are using a LDAP server, you could use the
``uidNumber`` LDAP attribute. If you use something else, you will have
to find a trick to assign a unique numeric ID to each Mattermost user.
The ``id`` attribute has to be different for each user, since this is
the field Mattermost will use internally to map Gitlab identities to
Mattermost accouts.
Mattermost accouts.
Troubleshooting
~~~~~~~~~~~~~~~
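Review bot: `* ''id'': session attribute containing the user's numeric ID` uses Dokuwiki `''` monospace quotes instead of the reStructuredText double-backtick literal for `id`, and "Mattermost accouts" in the warning should read "Mattermost accounts".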

@ -87,7 +87,7 @@ Add then extension configuration, for example:
$wgHooks['PersonalUrls'][] = 'StripLogin';
.. warning::
.. warning::
In last version of Auth_remoteuser and Mediawiki, empty
passwords are not authorized, so you may need to patch the extension
@ -100,7 +100,7 @@ Add then extension configuration, for example:
sed -i "s/'wpPassword' => ''/'wpPassword' => 'none'/" extensions/Auth_remoteuser/Auth_remoteuser.body.php
.. warning::
.. warning::
In last version of Auth_remoteuser and Mediawiki,
auto-provisioning requires REMOTE_USER to match the normalized mediawiki
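Review bot: "In last version of Auth_remoteuser and Mediawiki" (here and in the previous warning) should read "In the latest version of Auth_remoteuser and MediaWiki"; since the previous warning tells readers to patch the extension with `sed`, it would also help to state which Auth_remoteuser version the patch was verified against, so the instruction does not silently break on a later release.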
@ -121,7 +121,7 @@ Configure MediaWiki virtual host like other
:doc:`protected virtual host<../configvhost>`.
.. important::
.. important::
If you are protecting MediaWiki with LL::NG as reverse
proxy,
@ -137,7 +137,7 @@ Configure MediaWiki virtual host like other
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
@ -160,8 +160,8 @@ Configure MediaWiki virtual host like other
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location / {
auth_request /lmauth;
@ -169,9 +169,9 @@ Configure MediaWiki virtual host like other
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -185,7 +185,7 @@ MediaWiki virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for MediaWiki.
Just configure the :doc:`access rules<../writingrulesand_headers>`. You
Just configure the :ref:`access rules<rules>`. You
can also add a rule for logout:
::
@ -201,7 +201,7 @@ extension configuration):
Auth-Mail => $mail
If using LL::NG as reverse proxy, configure also the ``Auth-User``
:doc:`header<../writingrulesand_headers>`,
:ref:`header<headers>`,
.. |image0| image:: /applications/mediawiki_logo.png
:class: align-center
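Review bot: "If using LL::NG as reverse proxy, configure also the ``Auth-User`` :ref:`header<headers>`," ends with a comma and no continuation; close it with a full stop (or finish the sentence) and reorder to "also configure the ``Auth-User`` header".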

@ -25,18 +25,18 @@ You need to `install the
software <https://docs.nextcloud.com/server/10/admin_manual/installation/index.html>`__.
.. tip::
.. tip::
If your NextCloud is behind a proxy (thus having a private
IP), metadata generated by NextCloud won't work.
Consider changing the configuration of NextCloud to force the domain, in
**$nextcloudrootwww/config/config.php**, add the following:
.. code:: php
'overwritehost' => 'nextcloud.example.com',
You also need to enable the "SAML authentication" plugin in your

@ -2,7 +2,7 @@ Nginx
=====
.. important::
.. important::
Nginx is fully supported by LemonLDAP::NG since version
1.9.

@ -123,14 +123,14 @@ Edit also OBM configuration to enable LL::NG Handler:
<VirtualHost *:80>
ServerName obm.example.com
# SSO protection
PerlHeaderParserHandler Lemonldap::NG::Handler
DocumentRoot /usr/share/obm/php
...
</VirtualHost>
- For Nginx:
@ -153,8 +153,8 @@ Edit also OBM configuration to enable LL::NG Handler:
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location ~ \.php$ {
auth_request /lmauth;
@ -164,7 +164,7 @@ Edit also OBM configuration to enable LL::NG Handler:
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -191,7 +191,7 @@ To add these attributes, go in Manager, ``Variables`` »
``Exported Variables``.
.. important::
.. important::
If you plan to forward user's password to OBM, then you
have to :doc:`keep the password in session<../passwordstore>`.
@ -200,9 +200,9 @@ You may also create these macros to manage OBM administrator account
(``Variables`` » ``Macros``):
===== ====================================================== =============================== == ==============================
field value
field value
===== ====================================================== =============================== == ==============================
uidR ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid
uidR ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid
mailR %%($uid =~ / admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com" %%
===== ====================================================== =============================== == ==============================
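Review bot: the uidR row was cleaned up, but the mailR row still carries the `%%...%%` DokuWiki nowiki markers and a regex that looks mangled by the conversion (`/ admin0/i` and `/ ([ @]+)/` read as if `/^admin0/i` and `/^([^@]+)/` lost their carets and the negation), so as written the macro would not strip the mail domain; apply the same cleanup to mailR. The border line also defines four columns while every row fills only two, so the simple table would be cleaner with a two-column border.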

@ -15,7 +15,7 @@ phpLDAPadmin will be protected by LemonLDAP::NG with specific access
rules.
.. warning::
.. warning::
phpLDAPadmin will have no idea of the user connected to
the WebSSO. So a simple user can have admin rights on the LDAP directory
@ -52,7 +52,7 @@ Configure phpLDAPadmin virtual host like other
PerlHeaderParserHandler Lemonldap::NG::Handler
...
</VirtualHost>
- For Nginx:
@ -75,8 +75,8 @@ Configure phpLDAPadmin virtual host like other
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location / {
auth_request /lmauth;
@ -84,9 +84,9 @@ Configure phpLDAPadmin virtual host like other
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -100,9 +100,9 @@ phpLDAPadmin virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for phpLDAPadmin.
Just configure the :doc:`access rules<../writingrulesand_headers>`.
Just configure the :ref:`access rules<rules>`.
No :doc:`headers<../writingrulesand_headers>` are required.
No :ref:`headers<headers>` are required.
.. |image0| image:: /applications/phpldapadmin_logo.png
:class: align-center

@ -26,10 +26,10 @@ LemonLDAP::NG
- in HTTP headers, you need Auth-User ($mail) and Auth-Pw ($_password).
.. important::
.. important::
To be able to forward password to RoundCube, see
:doc:`how to store password in session<../passwordstore>`\
:doc:`how to store password in session<../passwordstore>`\
- Configure :doc:`Apache or Nginx virtual host<../configvhost>`
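Review bot: the trailing backslash after :doc:`how to store password in session<../passwordstore>` is a leftover from the DokuWiki conversion and is kept unchanged by this hunk; drop it. The same stray `\` appears after https://login.salesforce.com in the Salesforce page, after the :doc:`combination<authcombination>` role in authapache.rst and after ``$_facebookToken`` in the Facebook page.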

@ -46,7 +46,7 @@ Finally, just ensure that at least:
match with the correct values. (adapt the domain if necessary)
.. important::
.. important::
For now, the authentication service parameter has no
domain available. You must come back later to fill this parameter. Once
@ -54,7 +54,7 @@ match with the correct values. (adapt the domain if necessary)
the login form, and you'll have an automatic redirection to your
Identity Provider (no need for the user to click). Note that you can
always access Salesforce by the general login page:
https://login.salesforce.com\
https://login.salesforce.com\
SAML settings
~~~~~~~~~~~~~

@ -90,7 +90,7 @@ Then set some attributes that will be sent to simpleSAMLphp:
|image2|
.. tip::
.. tip::
Set ``Mandatory`` to ``On`` to force attributes in
authentication response.
@ -120,7 +120,7 @@ internal PHP representation. Copy the ``saml20-idp-remote`` content:
?>
.. tip::
.. tip::
Don't forget PHP start and end tag to have a valid PHP
file.
@ -183,7 +183,7 @@ And create a default IDP configuration:
?>
.. important::
.. important::
You need to configure your own certificates and
authentication scheme
@ -198,7 +198,7 @@ List attributes you want to collect:
|image6|
.. tip::
.. tip::
You can keep ``Mandatory`` to ``Off`` to not fail if attribute
is not sent by IDP
@ -227,7 +227,7 @@ internal PHP representation. Copy the ``saml20-sp-remote`` content:
?>
.. tip::
.. tip::
Don't forget PHP start and end tag to have a valid PHP
file.

@ -13,7 +13,7 @@ URL is protected by LL::NG, Sympa will display a button for users who
wants to use this feature.
.. tip::
.. tip::
Since version 1.9 of LLNG, old Auto-Login feature has been
removed since it works only with Sympa-5 which has been deprecated
@ -44,11 +44,11 @@ And fill it:
logout_url http://sympa.example.com/wws/logout
.. tip::
.. tip::
You can also disable internal Sympa authentication to keep
only LemonLDAP::NG by removing user_table paragraph
Note that if you use FastCGI, you must restart Apache to enable changes.
@ -63,7 +63,7 @@ Configure Sympa virtual host like other
authentication URL.
.. tip::
.. tip::
The location URL end is based on the ``service_id`` defined in
Sympa apache configuration.
@ -78,9 +78,9 @@ authentication URL.
<Location /wws/sso_login/lemonldapng>
PerlHeaderParserHandler Lemonldap::NG::Handler
</Location>
...
</VirtualHost>
- For Nginx:
@ -103,8 +103,8 @@ authentication URL.
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location /wws/sso_login/lemonldapng {
auth_request /lmauth;
@ -112,9 +112,9 @@ authentication URL.
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
include /etc/lemonldap-ng/nginx-lua-headers.conf;
}
location / {
@ -128,8 +128,8 @@ Sympa virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Sympa.
Configure the :doc:`access rules<../writingrulesand_headers>` and define
the following :doc:`headers<../writingrulesand_headers>`:
Configure the :ref:`access rules<rules>` and define
the following :ref:`headers<headers>`:
- Auth-User
- Mail

@ -4,7 +4,7 @@ Apache Tomcat
|image0|
.. important::
.. important::
The Tomcat Valve is only available for tomcat 5.5 or
greater.
@ -32,7 +32,7 @@ authentication:
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>
LL::NG provides a valve, available on :doc:`download page</download>`.
This valve will check an HTTP header to set the authenticated user on
@ -48,7 +48,7 @@ Copy ``ValveLemonLDAPNG.jar`` in ``<TOMCAT_HOME>/server/lib``:
cp ValveLemonLDAPNG.jar server/lib/
.. tip::
.. tip::
If needed, you can
:doc:`recompile the valve from the sources<>`.
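Review bot: :doc:`recompile the valve from the sources<>` has an empty target, so Sphinx cannot resolve it and emits a warning plus plain text; point it at the build section later in this page (the one with `build.properties` and the ant command) through a :ref: label, or drop the role and keep the sentence as plain text.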
@ -79,7 +79,7 @@ Configure attributes:
present, a 403 error is sent.
.. tip::
.. tip::
For debugging, this valve can print some helpful information
in debug level. See `how configure logging in
@ -100,15 +100,15 @@ Required :
Configure your tomcat home in ``build.properties`` files.
.. important::
.. important::
Be careful for Windows user, path must contains "/".
Example:
::
c:/my hardisk/tomcat/
Next run ant command:

@ -31,11 +31,11 @@ theses :
* **OAUTH2_ID_MAP**: ''sub''
.. warning::
.. warning::
Be careful to the / in server_url and endpoints, the
complete URL need to be valid, ie auth.example.com/ for url & oauth2/xxx
for endpoints, OR, auth.example.com & /oauth2/xxx for endpoints.
for endpoints, OR, auth.example.com & /oauth2/xxx for endpoints.
Configuring LemonLDAP
~~~~~~~~~~~~~~~~~~~~~
@ -59,11 +59,11 @@ with the following parameters:
^^^^^^^^^^^^^^^^^^
.. warning::
.. warning::
OIDC login fails when an user as a multi-valued email
attribute, this need to be fixed on wekan's side, we can bypass that by
telling lemonldap to only send one email
telling lemonldap to only send one email
Create a new macro, name it (_singleMail is an example), the macro
should contain ``(split(/; /,$mail))[1]``
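Review bot: `(split(/; /,$mail))[1]` selects the second address, which is undefined when the user has a single mail value, so the macro would send an empty email to Wekan for exactly the users who never had the multi-value problem; `[0]` keeps the first value and covers both cases, unless the second address is intended, in which case the text should say why. Also `when an user as a multi-valued email` should read `when a user has a multi-valued email`.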

@ -71,9 +71,9 @@ Xwiki virtual host in Manager
Go to the Manager and :doc:`create a new virtual host<../configvhost>`
for Xwiki.
Configure the :doc:`access rules<../writingrulesand_headers>`.
Configure the :ref:`access rules<rules>`.
Configure the :doc:`headers<../writingrulesand_headers>`:
Configure the :ref:`headers<headers>`:
- remote_user: $uid
- remote_groups: encode_base64($groups,'')

@ -21,7 +21,7 @@ SSO on its application. This protocol is implemented in an LL::NG
specific Handler.
.. tip::
.. tip::
Zimbra can also be connected to LL::NG via
:doc:`SAML protocol<../idpsaml>` (see `Zimbra
@ -77,20 +77,20 @@ Zimbra parameters are the following:
(by default: ^/zimbrasso$)
.. important::
.. important::
Due to Handler API change in 1.9, you need to set these
attributes in ``lemonldap-ng.ini`` and not in Manager, for example:
.. code:: ini
[handler]
zimbraPreAuthKey = XXXX
zimbraAccountKey = uid
zimbraBy =id
zimbraUrl = /service/preauth
zimbraSsoUrl = ^/zimbrasso$
Multi-domain issues
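Review bot: `zimbraBy =id` is missing the space after `=` that the other keys in this ini example use; align it. Since `zimbraPreAuthKey` is the shared pre-auth secret and the paragraph tells administrators to put it in lemonldap-ng.ini rather than in the Manager, a one-line reminder that the ini file must not be world-readable would fit here.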

@ -44,7 +44,7 @@ policy:
specified in LemonLDAP::NG to do so.
.. important::
.. important::
Note: since AD 2012, each user can have a specific
password expiration policy. Then, the "maximum password age" can have

@ -4,7 +4,7 @@ Apache
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -16,14 +16,14 @@ module <http://httpd.apache.org/docs/current/howto/auth.html>`__, for
example Kerberos, Radius, OTP, etc.
.. important::
.. important::
To authenticate users using Kerberos, you can now use
the new :doc:`Kerberos authentication module<authkerberos>` which allow
one to chain Kerberos in a :doc:`combination<authcombination>`\
one to chain Kerberos in a :doc:`combination<authcombination>`\
.. tip::
.. tip::
Apache authentication module will set the ``REMOTE_USER``
environment variable, which will be used by LL::NG to get authenticated
@ -47,7 +47,7 @@ the Apache authentication fails. Use then the
Apache;LDAP
.. tip::
.. tip::
In this case, the Apache authentication module should not
require a valid user and not be authoritative, else Apache server will
@ -77,7 +77,7 @@ The Kerberos configuration is quite complex. You can find some
configuration tips :doc:`on this page<kerberos>`.
.. tip::
.. tip::
Prefer new :doc:`Kerberos<authkerberos>` module.
@ -93,8 +93,8 @@ In this case, you can add in the Apache authentication module:
.. code:: apache
Satisfy any
Order allow,deny
Satisfy any
Order allow,deny
allow from APPLICATIONS_IP
This will bypass the authentication module for request from
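Review bot: `Satisfy any` with `Order allow,deny` / `allow from` is Apache 2.2 access-control syntax; on Apache 2.4 it only works with mod_access_compat loaded, so the example should also show the 2.4 form (`<RequireAny>` containing `Require valid-user` and `Require ip APPLICATIONS_IP`). Worth stating as well that this bypass trusts the client address as Apache sees it, so it must not be used when a reverse proxy sits in front of the portal and every request would arrive from an address matching APPLICATIONS_IP.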

@ -4,7 +4,7 @@ CAS
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -14,7 +14,7 @@ LL::NG can delegate authentication to a CAS server. This requires `Perl
CAS module <http://sourcesup.cru.fr/projects/perlcas/>`__.
.. tip::
.. tip::
LL::NG can also act as :doc:`CAS server<idpcas>`, that allows
one to interconnect two LL::NG systems.
@ -23,13 +23,12 @@ LL::NG can also request proxy tickets for its protected services. Proxy
tickets will be collected at authentication phase and stored in user
session under the form:
``_casPT``\ **serviceID** = **Proxy ticket value**
``_casPT<serviceID>`` = **Proxy ticket value**
They can then be forwarded to applications trough
:doc:`HTTP headers<writingrulesand_headers>`.
:ref:`HTTP headers<headers>`.
.. tip::
.. tip::
CAS authentication will automatically add a
:doc:`logout forward rule<logoutforward>` on CAS server logout URL in
@ -42,23 +41,23 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose CAS for authentication.
.. tip::
.. tip::
You can then choose any other module for users and
password.
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``
Then, go in ``CAS parameters``:
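Review bot: this important block tells administrators to set `Form destination` to a wildcard because browsers apply form-action inconsistently; a `*` value disables the CSP protection for every form on the portal, so the note should recommend adding the CAS server origin to the form-action list first and only falling back to `*` if that proves insufficient. `likes \*` should read `like ``*```. The same paragraph is duplicated verbatim in the Facebook, GitHub, LinkedIn, OpenID and OpenID Connect hunks below, so whatever wording is chosen should be applied to all six.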
@ -83,7 +82,7 @@ Then create the list of CAS servers in the manager. For each, set:
- **Value** Service URL (CAS service identifier)
.. tip::
.. tip::
If no proxied services defined, CAS authentication will not
activate the CAS proxy mode with this CAS server.

@ -40,7 +40,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose Choice for authentication.
.. important::
.. important::
When ``Choice`` is selected for authentication, values
for Users and Password modules are also forced to ``Choice``.
@ -75,29 +75,29 @@ Define here:
$env->{urldc} =~ /test1\.example\.com/
.. important::
.. note::
Authentication request to an another URL than Portal URL can lead
to a persistent loop between Portal and a redirection URL (pdata is not
removed because domains mismatch). To avoid this, you have to set pdata
cookie domain by editing ``lemonldap-ng.ini`` in section [portal]:
.. code:: ini
[portal]
pdataDomain = example.com
.. tip::
.. tip::
You can prefix the key name with a digit to order them. The
digit will not be shown on portal page. Underscore characters are also
replaced by spaces.
.. tip::
.. tip::
You can also override some LLNG parameters for each chain. See
:doc:`Parameter list<parameterlist>` to have the key names to use
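Review bot: the choice condition example `$env->{urldc} =~ /test1\.example\.com/` is unanchored, so it also matches `test1.example.com.attacker.example` or any URL that merely carries that string in its path or query; anchor it to the scheme and host (`^https?://test1\.example\.com(/|$)`) so a crafted URL cannot steer which authentication chain is used. The downgrade of the pdata paragraph from important to note is fine, but since `pdataDomain = example.com` is a cookie-domain setting, the note could add that the pdata cookie then becomes visible to every host under example.com.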

@ -4,7 +4,7 @@ Combination of authentication schemes
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
Presentation
@ -42,7 +42,7 @@ must set:
ldapServer,...
.. important::
.. note::
To overload parameters, you must select a module, add a parameter
and set its value. For example:
@ -50,7 +50,7 @@ must set:
==== ==== ============ ===========================
Name Type Scope Parameters
==== ==== ============ ===========================
DB1 DBI Auth only
DB1 DBI Auth only
DB2 DBI User DB only dbiAuthChain => "mysql:..."
==== ==== ============ ===========================
@ -71,7 +71,7 @@ JSON value:
{"cn" => "cn", "uid" => "sAMAccounName", "mail" => "mail"}
.. important::
.. important::
If your JSON is corrupted, LLNG will use it as string
and just report a warning in logs.
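Review bot: `sAMAccounName` is missing a `t` (`sAMAccountName`), and `{"cn" => "cn", "uid" => "sAMAccounName", "mail" => "mail"}` is Perl hash syntax rather than JSON; by the important block right below, a value that does not parse as JSON is used as a plain string, so this example would silently not do what the text describes. If a JSON value is expected, write `{"cn": "cn", "uid": "sAMAccountName", "mail": "mail"}`; if the Perl form is what the parser actually accepts, the sentence introducing it should not call it JSON.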
@ -104,11 +104,11 @@ Example Explanation
======================================= =============================================================================
.. important::
.. important::
Note that "or" can't be used inside a scheme. If you
think to "[mySSL or myLDAP, myLDAP]", you must write
``[mySSL, myLDAP] or [myLDAP, myLDAP]``
``[mySSL, myLDAP] or [myLDAP, myLDAP]``
================================================== =========================================================
Example Explanation
@ -118,13 +118,13 @@ Example Explanation
================================================== =========================================================
.. important::
.. important::
You can't use brackets in a boolean expression and "and"
has precedence on "or".
If you think to "( [myLDAP] or [myDBI1] ) and [myDBI2]", you must write
``[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]``
``[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]``
Tests
^^^^^
@ -140,12 +140,12 @@ Example
======================================================================================================================= ==============================================================================
.. important::
.. important::
Note that brackets can't be used except to enclose test.
If you wants to write ``if(...) then if...``, you must write
``if(not ...) then ... else if(...)...``
``if(not ...) then ... else if(...)...``
Let's be crazy
^^^^^^^^^^^^^^
@ -199,8 +199,8 @@ steps.
================================= =================================== ========================================================================
Bad expression Solution Explanation
================================= =================================== ========================================================================
*``[SAML] and [LDAP]``* ``[SAML, SAML and LDAP]`` Authentication is done by SAML only but user must match an LDAP entry
*``[SAML] and [LDAP] or [LDAP]``* ``[SAML, SAML and LDAP] or [LDAP]`` Authentication is done by SAML or LDAP but user must match an LDAP entry
``[SAML] and [LDAP]`` ``[SAML, SAML and LDAP]`` Authentication is done by SAML only but user must match an LDAP entry
``[SAML] and [LDAP] or [LDAP]`` ``[SAML, SAML and LDAP] or [LDAP]`` Authentication is done by SAML or LDAP but user must match an LDAP entry
================================= =================================== ========================================================================
Auth::Apache authentication
@ -212,7 +212,7 @@ behaviour: if the auth module fails, Apache returns 401. So it can be
used only with a "and" boolean expression.
.. tip::
.. tip::
The new :doc:`Kerberos authentication module<authkerberos>`
solve this for Kerberos: you just have to use it instead of Apache and

@ -14,10 +14,10 @@ This artifact allows one to define its own modules (authentication, user
database, password or register database).
.. tip::
.. tip::
The developer documentation is available in Portal manpages.
See Auth.pod and UserDB.pod
See Auth.pod and UserDB.pod
Configuration
-------------
@ -33,16 +33,18 @@ You can define your own customAuth module icon. Icon must be in
site/htdocs/static/common/modules/icon.png
.. tip::
.. tip::
::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev
.. important::
.. important::
Be careful. Don' t use an already attributed name in
configuration. These parameters are available in your plugins
using ``$self->conf->{customAddParams}->{//customName//}``.
configuration.
These parameters are available in your plugins using
``$self->conf->{customAddParams}->{<customName>}``.
Read portal manpages to see how to write these plugins.

@ -34,7 +34,7 @@ LL::NG can use two tables:
- User table: where user data are stored (mail, name, etc.)
.. tip::
.. tip::
Authentication table and user table can be the same.
@ -105,15 +105,15 @@ Authentication level
The authentication level given to users authenticated with this module.
.. important::
.. important::
As DBI is a login/password based module, the
authentication level can be:
- increased (+1) if portal is protected by SSL (HTTPS)
- decreased (-1) if the portal autocompletion is allowed (see
:doc:`portal customization<portalcustom>`)
Exported variables
@ -126,7 +126,7 @@ Connection
~~~~~~~~~~
.. tip::
.. tip::
Connection settings can be configured differently for
authentication process and user process. This allows one to use
@ -181,22 +181,22 @@ Password
non-salted schemes" or "Supported salted schemes".
.. important::
.. important::
The SQL function MUST have hexadecimal values as input
AND output
.. tip::
.. tip::
Here is an example for creating a postgreSQL SHA256 function.
1. Install postgresql-contrib. 2. Activate extension:
``CREATE EXTENSION pgcrypto;`` 3. Create the hash function:
::
CREATE OR REPLACE FUNCTION sha256(varchar) returns text AS $$
SELECT encode(digest(decode($1, 'hex'), 'sha256'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;
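Review bot: the inline `1. Install postgresql-contrib. 2. Activate extension: ... 3. Create the hash function:` steps inside this tip should be a real enumerated list, which is exactly the kind of formatting this commit fixes elsewhere; while touching it, say that the `sha256` function shown is an unsalted hash and that the "Supported salted schemes" referred to just above are the better choice for stored passwords.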

@ -14,7 +14,7 @@ This mode allow one to test LemonLDAP::NG without any third-party
software.
.. warning::
.. warning::
This mode must not be used for other purpose than test and
demonstration!
@ -30,7 +30,7 @@ dwho dwho dwho@badwolf.org administrator
====== ======== ================== =============
.. important::
.. note::
As you may have guessed, these accounts are famous characters from
the TV show `Doctor

@ -4,7 +4,7 @@ Facebook
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
Presentation
@ -56,27 +56,27 @@ variables:
- sn => last_name
.. important::
.. important::
Do not query user field in exported variables, as it is
already registered by the authentication module in ``$_user``.
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``
.. tip::
.. tip::
You can use the same Facebook access token in your
applications. It is stored in session datas under the name
``$_facebookToken``\
``$_facebookToken``\

@ -4,7 +4,7 @@ GitHub
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -35,20 +35,20 @@ Then, go in ``GitHub parameters``:
https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
.. tip::
.. tip::
Collected fields are stored in session in ``github_``
keys
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in:
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``

@ -4,7 +4,7 @@ Databases
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -24,7 +24,7 @@ you just have to set GPG database. For example
``/usr/share/keyrings/debian-keyring.gpg``
.. tip::
.. tip::
You can then choose any other module for users and
password.

@ -4,7 +4,7 @@ Kerberos
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -36,18 +36,18 @@ and configure the following parameters:
value and remove the '@domain'.
.. important::
.. important::
- Due to a perl GSSAPI issue, you may need to copy the keytab in
/etc/krb5.keytab which is the default location hardcoded in the
library
- As Kerberos ticket is passed inside Authorization header, you may
need to set CGIPassAuth on in Apache *(with old Apache, use
need to set CGIPassAuth on in Apache (with old Apache, use
``RewriteCond %{HTTP:Authorization}`` followed by
``RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]``)*
``RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]``)
Kerberos configuration

@ -38,7 +38,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose LDAP for authentication, users and/or password modules.
.. tip::
.. tip::
For :doc:`Active Directory<authad>`, choose
``Active Directory`` instead of ``LDAP``.
@ -49,15 +49,15 @@ Authentication level
The authentication level given to users authenticated with this module.
.. important::
.. important::
As LDAP is a login/password based module, the
authentication level can be:
- increased (+1) if portal is protected by SSL (HTTPS)
- decreased (-1) if the portal autocompletion is allowed (see
:doc:`portal customization<portalcustom>`)
Exported variables
@ -74,12 +74,12 @@ Connection
- More than one server can be set here separated by spaces or
commas. They will be tested in the specified order.
- To use TLS, set ``ldap+tls:%%//%%server`` and to use LDAPS, set
``ldaps:%%//%%server`` instead of server name.
- To use TLS, set ``ldap+tls://server`` and to use LDAPS, set
``ldaps://server`` instead of server name.
- If you use TLS, you can set any of the
`Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
start_tls() sub like
``ldap+tls:%%//%%server/verify=none&capath=/etc/ssl``. You can
``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
also use cafile and capath parameters.
- **Server port**: TCP port used by LDAP server. Can be overridden by
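Review bot: the `%%//%%` cleanup here is correct, but the TLS example `ldap+tls://server/verify=none&capath=/etc/ssl` turns off server certificate verification, so the STARTTLS session can be intercepted and the LDAP bind credentials captured; since the sentence already mentions `cafile` and `capath`, the example should use `verify=require` with a CA file or path, and `verify=none` should be flagged as suitable for testing only.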
@ -97,7 +97,7 @@ Connection
documentation).
.. important::
.. important::
LemonLDAP::NG need anonymous access to LDAP Directory
RootDSE in order to check LDAP connection.
@ -106,7 +106,7 @@ Filters
~~~~~~~
.. tip::
.. tip::
In LDAP filters, $user is replaced by user login, and $mail by
user email.
@ -121,22 +121,24 @@ Filters
``find``)
.. tip::
.. tip::
For Active Directory, the default authentication filter is:
::
(&(sAMAccountName=$user)(objectClass=person))
And the mail filter is:
::
(&(mail=$mail)(objectClass=person))
.. _authldap-groups:
Groups
~~~~~~
@ -159,17 +161,18 @@ Groups
used in the link, for recursive group search (default: dn).
.. important::
.. note::
The groups that the user belongs to are available as ``$groups``
and ``%hGroups``, as documented :doc:`here<exportedvars>`
and ``%hGroups``, as documented :ref:`here<macros_and_groups>`
.. important::
.. important::
If your LDAP countains over a thousand groups, you
should avoid using group processing, check out
:doc:`the performance page<performances>` for alternatives
:ref:`the performance page<performances-ldap-performances>` for
alternatives
Password
~~~~~~~~

@ -4,7 +4,7 @@ LinkedIn
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -39,20 +39,20 @@ Then, go in ``LinkedIn parameters``:
and last name, and ``r_emailaddress`` to get email.
.. tip::
.. tip::
Collected fields are stored in session in ``linkedIn_``
keys
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``

@ -2,7 +2,7 @@ Multiple backends stack
=======================
.. important::
.. important::
This module has been removed and replaced by the more
powerful :doc:`Combination of auth schemes<authcombination>`.

@ -4,11 +4,11 @@ OpenID
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
.. warning::
.. warning::
OpenID protocol is deprecated. You should now use
:doc:`OpenID Connect<authopenidconnect>`.
@ -22,7 +22,7 @@ module <http://search.cpan.org/~mart/Net-OpenID-Consumer/>`__ with at
least version 1.0.
.. tip::
.. tip::
LL::NG can also act as :doc:`OpenID server<idpopenid>`, that
allows one to interconnect two LL::NG systems.
@ -31,7 +31,7 @@ LL::NG will then display a form with an OpenID input, wher users will
type their OpenID login.
.. tip::
.. tip::
OpenID authentication can proposed as an alternate
authentication scheme using the :doc:`authentication choice<authchoice>`
@ -79,14 +79,14 @@ define attributes:
See also :doc:`exported variables configuration<exportedvars>`.
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``

@ -4,14 +4,14 @@ OpenID Connect
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
Presentation
------------
.. important::
.. note::
OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE
stacks. It is described here: http://openid.net/connect/.
@ -34,14 +34,19 @@ You can use this authentication module to link your LL::NG server to any
OpenID Connect Provider. Here are some examples, witch their specific
documentation:
================================================ ========================================
Google France Connect
================================================ ========================================
:doc:`google_logo.png<authopenidconnect_google>` :doc:`franceconnect_logo.png<authopenidconnect_franceconnect>`
================================================ ========================================
=============== ==================
Google France Connect
=============== ==================
|google| |franceconnect|
=============== ==================
.. |google| image:: applications/google_logo.png
:target: authopenidconnect_google.html
.. important::
.. |franceconnect| image:: applications/franceconnect_logo.png
:target: authopenidconnect_franceconnect.html
.. important::
OpenID-Connect specification isn't finished for logout
propagation. So logout initiated by relaying-party will be forward to
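Review bot: the new substitution images use `applications/google_logo.png` and `applications/franceconnect_logo.png` without a leading slash, whereas the other pages in this commit use the source-root form (`/applications/mediawiki_logo.png`, `/applications/phpldapadmin_logo.png`); both resolve for a file in admin/, but use the same form for consistency. The `.. important::` directive was also moved below the substitution definitions; make sure a blank line separates the last `:target:` option from it, otherwise docutils reads the directive as part of the image option block.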
@ -67,23 +72,23 @@ In ``General Parameters`` > ``Authentication modules``, set:
- **Users module**: OpenID Connect
.. tip::
.. tip::
As passwords will not be managed by LL::NG, you can disable
:doc:`menu password module<portalmenu>`.
:ref:`menu password module<portalmenu-menu-modules>`.
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``
Then in ``General Parameters`` > ``Authentication modules`` >
``OpenID Connect parameters``, you can set:
@ -111,7 +116,7 @@ parameter, for example:
- http://auth.example.com/?lmAuth=oidc&openidcallback=1
.. important::
.. important::
If you use the :doc:`choice backend<authchoice>`, you
need to add the choice parameter in redirect URL
@ -169,7 +174,7 @@ automatically if jwks_uri is defined in metadata. Else you can paste the
content of the JSON file in the textarea.
.. tip::
.. tip::
If the OpenID Connect provider only uses symmetric encryption,
JWKS data is not useful.

@ -10,7 +10,7 @@ Presentation
authentication platform made by French government.
.. important::
.. important::
It is for the moment only in BETA stage. This
documentation will explain how to configure LL::NG with the developer

@ -12,7 +12,7 @@ delegate the authentication of LL::NG to Google:
https://developers.google.com/identity/protocols/OpenIDConnect
.. important::
.. important::
Google does not support logout trough OpenID Connect. If
you close your session on LL::NG side, your Google session will still be

@ -4,7 +4,7 @@ PAM
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -41,7 +41,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose PAM for authentication.
.. tip::
.. tip::
You can then choose any other module for users and
password.

@ -4,7 +4,7 @@ Proxy
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
Presentation
@ -60,6 +60,6 @@ in your lemonldap-ng.ini:
soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
.. important::
.. important::
This needs LLNG version 2.0.8 at least

@ -4,7 +4,7 @@ Radius
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -44,7 +44,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose Radius for authentication.
.. tip::
.. tip::
You can then choose any other module for users and
password.

@ -4,11 +4,11 @@ Remote
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
.. warning::
.. warning::
This module is a LL::NG specific identity federation
protocol. You may rather use standards protocols like
@ -44,7 +44,7 @@ Presentation
#. User can now access to the protected application
.. important::
.. note::
Note that if the user is already authenticated on the first
portal, all redirections are transparent.

@ -32,7 +32,7 @@ Password change Password change URL
===================== ====================================
.. tip::
.. tip::
You can then choose any other module for users and
password.
@ -62,9 +62,9 @@ Password change URL ``{"user":$user,"password":$password}`` ``{"result":tr
========================= ======================================= ===================================================
.. tip::
.. tip::
To have only one REST call during the login process, you can
set REST only as an Authentication backend, configure Null as your User
Database, and make sure the REST authentication URL send all your user
attributes in the ``info`` response key
attributes in the ``info`` response key

@ -4,7 +4,7 @@ SAML
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
Presentation
@ -22,7 +22,7 @@ be mandatory, so if they are not returned by IDP, the session will not
open.
.. tip::
.. tip::
LL::NG can also act as :doc:`SAML IDP<idpsaml>`, that allows
one to interconnect two LL::NG systems.
@ -36,17 +36,17 @@ SAML Service
See :doc:`SAML service<samlservice>` configuration chapter.
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``
Authentication and UserDB
~~~~~~~~~~~~~~~~~~~~~~~~~
@ -57,10 +57,10 @@ In ``General Parameters`` > ``Authentication modules``, set:
- Users module: Same (eq SAML)
.. tip::
.. tip::
As passwords will not be managed by LL::NG, you can disable
:doc:`menu password module<portalmenu>`.
:ref:`menu password module<portalmenu-menu-modules>`.
Register LemonLDAP::NG on partner Identity Provider
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -89,7 +89,7 @@ between your server and the IDP):
|image0|
.. tip::
.. tip::
You can also edit the metadata directly in the textarea
@ -145,8 +145,9 @@ Authentication request
- **Requested authentication context**: this context is declared in
authentication request. When receiving the request, the real
authentication context will be mapped to an internal authentication
level (see :doc:`how configure the mapping<samlservice>`), that you
can check to allow or deny session creation.
level (see
:ref:`how configure the mapping<samlservice-authentication-contexts>`),
that you can check to allow or deny session creation.
- **Allow URL as RelayState**: Set to On if the RelayState value sent
by IDP is the URL where the user must be redirected after
authentication.
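Review bot: grammar in the re-flowed link text: "how configure the mapping" should read "how to configure the mapping". The line is being rewritten anyway, so this is the place to fix it.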
@ -172,7 +173,7 @@ Signature
'''''''''
These options override service signature options (see
:doc:`SAML service configuration<samlservice>`).
:ref:`SAML service configuration<samlservice-general-options>`).
- **Sign SSO message**: sign SSO message
- **Check SSO message signature**: check SSO message signature
@ -188,7 +189,7 @@ Binding
http-post, etc.)
.. important::
.. note::
If no binding defined, the default binding in IDP metadata will be
used.
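Review bot: while changing this directive from important to note, "If no binding defined" should read "If no binding is defined".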
@ -213,7 +214,7 @@ Used only if you have more than 1 SAML Identity Provider declared
- **Order**: Number to sort IDP display
.. tip::
.. tip::
The chosen logo must be in Portal icons directory
(``portal/static/common/``). You can set a custom icon by setting the

@ -4,7 +4,7 @@ Slave
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
Presentation

@ -4,7 +4,7 @@ SSL
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -23,9 +23,8 @@ Configuration (as the only authentication module)
By default, SSL is required before the portal is displayed (handled by
webserver). If you want to display a button to connect to LLNG
*(compatible with :doc:`Combination<authcombination>`)*, you can
activate "SSL by Ajax request" in the manager. See "SSL by Ajax"
below.
(compatible with :doc:`Combination<authcombination>`), you can
activate "SSL by Ajax request" in the manager.
With Apache
~~~~~~~~~~~
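Review bot: the removed lines drop the pointer "See "SSL by Ajax" below" without replacing it, so the reader of the "only authentication module" section no longer learns where the Ajax mode is described. Replace it with a :ref: to the "Configuration (for Combination/Choice)" section rather than deleting it.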
@ -42,13 +41,13 @@ For CentOS/RHEL:
yum install mod_ssl
.. tip::
.. tip::
In Debian/Ubuntu mod_ssl is already shipped in
``apache*-common`` package.
.. tip::
.. tip::
For CentOS/RHEL, We advice to disable the default SSL virtual
host configured in /etc/httpd/conf.d/ssl.conf.
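Review bot: in the second tip, "For CentOS/RHEL, We advice to disable" should read "For CentOS/RHEL, we advise disabling"; the hunk re-indents this tip, so the wording fix fits here.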
@ -68,16 +67,16 @@ of /etc/lemonldap-ng/portal-apache2.conf:
SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
.. important::
.. note::
Put your own files instead of ``ow2.cert``, ``ow2.key``,
``ow2-ca.cert``:
- **SSLCertificateFile**: Server certificate
- **SSLCertificateKeyFile**: Server private key
- **SSLCACertificateFile**: CA certificate to validate client
certificates
If you specify port in virtual host, then declare SSL port:
@ -161,7 +160,7 @@ Nginx SSL Virtual Host example with uWSGI
ssl_verify_client on;
ssl_verify_depth 3;
# Full chain CRL is required
# All CRLs must be concatenated in a single .pem format file
ssl_crl /etc/nginx/ssl/crl/crls.pem;
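Review bot: this hunk changes the meaning of a comment, not only its formatting: "Full chain CRL is required" becomes "All CRLs must be concatenated in a single .pem format file". Both statements are needed: with `ssl_verify_depth 3;` Nginx checks revocation for every CA in the client's chain, so the file must contain the CRL of each issuing CA, concatenated. Consider keeping both sentences, and mention the content change in the commit message since the commit is titled "fix formatting".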
@ -187,12 +186,12 @@ Nginx SSL Virtual Host example with uWSGI
}
.. important::
.. important::
Nginx 1.11.6 change: format of the $ssl_client_s_dn and
$ssl_client_i_dn variables has been changed to follow RFC 2253 (RFC
4514); values in the old format are available in the
$ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables.
$ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables.
Configuration of LemonLDAP::NG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
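Review bot: this important block would be more useful with a pointer to "Extracting the username attribute" below: the RFC 2253 change to $ssl_client_s_dn alters the DN string that any username-extraction expression works on, so an expression written for the legacy format can stop matching, or pick a different component, after an Nginx upgrade; $ssl_client_s_dn_legacy is the compatibility path the text already names.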
@ -201,7 +200,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose SSL for authentication.
.. tip::
.. tip::
You can then choose any other module for users and
password.
@ -296,7 +295,7 @@ limitation.
beforeSend:function(){},
type:"GET",
dataType:"html",
success:function(c,a){
success:function(c,a){
if (c !== "") {
alert("Carte OK");
window.location.href = "https://auth.example.com/sslok/";
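Review bot: the example JavaScript carries an untranslated French string, `alert("Carte OK")` ("Card OK"), in English documentation; since the hunk only changes the indentation of the success callback, translating the message would fit here.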
@ -333,12 +332,12 @@ connexion reset:
ssl_session_timeout 1s;
.. warning::
.. warning::
It is incompatible with authentication combination because
of Apache parameter "SSLVerifyClient", which must have the value
"require". To enable SSL with :doc:`Combination<authcombination>`, use
"SSL by Ajax"
"SSL by Ajax"
Configuration (for Combination/Choice)
--------------------------------------
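Review bot: "connexion reset" in the hunk's context line should read "connection reset" ("connexion" is the French spelling), and the warning's last sentence, use "SSL by Ajax", lacks a terminating period.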
@ -348,59 +347,60 @@ If you enable this feature, you must configure 2 portal virtual hosts:
- the main *(which corresponds to portal URL)* with
``SSLVerifyClient none``
- the second with ``SSLVerifyClient require`` and a
``Header set Allow-Control-Allow-Origin %%https://portal-main-url%%``
``Header set Allow-Control-Allow-Origin https://portal-main-url``
then declare the second URL in SSL options in the Manager. That's all !
Then you can chain it in a :doc:`combination<authcombination>`.
.. important::
Then you can chain it in a :doc:`combination<authcombination>`.
.. note::
With :doc:`choice<authchoice>`, the second URL should be also declared
in module URL parameter to redirect user to Portal menu.
in module URL parameter to redirect user to Portal menu.
.. note::
.. important::
Ajax authentication request can be sent to an another URL than Portal
URL.
To avoid a persistent loop between Portal and a redirection URL (pdata
is not removed because domains mismatch), you have to set pdata cookie
domain by editing ``lemonldap-ng.ini`` in section [portal]:
.. code:: ini
[portal]
pdataDomain = example.com
To avoid a bad/expired token during session upgrading (Reauthentication)
if URLs are served by different load balancers, you can force Upgrade
tokens to be stored into Global Storage by editing ``lemonldap-ng.ini``
in section [portal]:
.. code:: ini
[portal]
forceGlobalStorageUpgradeOTT = 1
.. important::
.. important::
**Content Security Policy** may prevent to
submit Ajax Request. To avoid security warning,
Go to :
``General Parameters > Advanced Parameters > Security > Content security policy``
and set :
**Default value** => 'self' "Ajax request URL"
**Form destinations** => 'self' "Ajax request URL"
**Ajax destinations** => 'self' "Ajax request URL"
**Script source** => 'self' "Ajax request URL"
**Script source** => 'self' "Ajax request URL"
Extracting the username attribute
---------------------------------
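Review bot: the CORS header in the second bullet is misspelled in both the old and the new line: `Header set Allow-Control-Allow-Origin https://portal-main-url` should be `Access-Control-Allow-Origin`; as written, browsers ignore the header and the cross-origin Ajax request to the second virtual host fails. Since the hunk already rewrites this line (dropping the `%%` markers), fix the header name at the same time. Minor: "sent to an another URL" should read "sent to another URL".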

@ -4,7 +4,7 @@ Twitter
============== ===== ========
Authentication Users Password
============== ===== ========
============== ===== ========
Presentation
@ -30,23 +30,23 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
and choose Twitter for authentication module.
.. tip::
.. tip::
You can then choose any other module for users and
password.
.. important::
.. important::
Browser implementations of formAction directive are
inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
does). Administrators may have to modify formAction value with wildcard
likes \*.
In Manager, go in :
``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
``Content Security Policy`` > ``Form destination``
``Content Security Policy`` > ``Form destination``
Then, go in ``Twitter parameters``:

@ -4,7 +4,7 @@ WebID
============== ===== ========
Authentication Users Password
============== ===== ========
✔ ✔
✔ ✔
============== ===== ========
Presentation

@ -2,7 +2,7 @@ Yubikey
=======
.. important::
.. important::
This module has been replaced by
:doc:`Yubikey Second Factor<yubikey2f>`\
:doc:`Yubikey Second Factor<yubikey2f>`\
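Review bot: the trailing backslash after the :doc: role (`<yubikey2f>`\`) is a conversion artifact that survives the re-indentation in this hunk; it renders as a literal backslash and should be dropped. The same stray `\` appears in other hunks of this commit (`__\` after the http_real_ip link, `\ *WHATTOTRACE*` and `**\_whatToTrace**\` in the Browseable page, `*(values in seconds)*\` in the reload section).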

@ -18,6 +18,6 @@ dwho ''$env->{REMOTE_ADDR} eq '192.168.42.42' ''
============== ===========================================
.. important::
.. important::
Username must be defined in the user database.

@ -39,10 +39,10 @@ uncomment the relevant parts of the configuration file.
real_ip_header X-Forwarded-For;
.. tip::
.. tip::
Make sure Nginx was compiled with the `http_real_ip
module <http://nginx.org/en/docs/http/ngx_http_realip_module.html>`__\
module <http://nginx.org/en/docs/http/ngx_http_realip_module.html>`__\
- For Apache:
@ -52,14 +52,14 @@ uncomment the relevant parts of the configuration file.
RemoteIPInternalProxy 127.0.0.1
.. tip::
.. tip::
Make sure the `mod_remoteip
module <https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html>`__ is
enabled in your Apache installation
.. warning::
.. warning::
Both modules need you to specify the address of your
reverse proxy. Using the ``http_real_ip`` or ``mod_remoteip`` module

@ -5,16 +5,16 @@ Presentation
------------
Browseable session backend
(`Apache::Session::Browseable <https://metacpan.org/pod/Apache::Session::Browseable>`)
(`Apache::Session::Browseable <https://metacpan.org/pod/Apache::Session::Browseable>`__)
works exactly like Apache::Session::\* corresponding module but add
index that increase :doc:`session explorer<features>` and
:doc:`session restrictions<features>` performances.
index that increase :ref:`session explorer<session-explorer>` and
:ref:`session restrictions<session-restrictions>` performances.
If you use features like SAML (authentication and issuer), CAS (issuer)
and password reset self-service, you also need to index some fields.
.. important::
.. note::
Without index, LL::NG will have to retrieve all sessions stored in
backend and parse them to find the needed sessions. With index, LL::NG
@ -37,21 +37,21 @@ SAML Session \_saml_id
See Apache::Session::Browseable man page to see how use indexes.
.. important::
.. important::
\ *WHATTOTRACE* must be replaced by the attribute or
macro configured in the What To Trace parameter (REMOTE_USER). By
default: **\_whatToTrace**\
default: **\_whatToTrace**\
.. tip::
.. tip::
It is advised to use separate session backends for standard
sessions, SAML sessions and CAS sessions, in order to manage index
separately.
.. important::
.. note::
Documentation below explains how set index on ipAddr and
\_whatToTrace. Adapt it to configure the index you need.
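Review bot: in the last note, "explains how set index on ipAddr and \_whatToTrace" should read "explains how to set an index on ipAddr and \_whatToTrace"; the hunk touches the directive line directly above.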
@ -67,7 +67,7 @@ You then just have to add the ``Index`` parameter in
``Apache::Session module`` :
=================== ============ ====================
Required parameters
Required parameters
=================== ============ ====================
Name Comment Example
**server** Redis server 127.0.0.1:6379
@ -78,30 +78,30 @@ Browseable SQL
--------------
.. important::
.. note::
This documentation concerns PostgreSQL. Some adaptations are
needed with other databases. When using
Apache::Session::Browseable::Postgres, it
is strongly recommended to use version 1.3.1 at least. See `bug
1732 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732>`.
1732 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732>`__.
Prepare database
~~~~~~~~~~~~~~~~
Database must be prepared exactly like in
:doc:`SQL session backend<sqlsessionbackend>` except that a field must
be added for each data to index.
:ref:`SQL session backend<sqlsessionbackend-prepare-the-database>`
except that a field must be added for each data to index.
.. important::
.. important::
Data written to UNLOGGED tables is not written to the
WAL, which makes them considerably faster than ordinary tables. However,
they are not crash-safe: an unlogged table is automatically truncated
after a crash or unclean shutdown. The contents of an unlogged table are
also not replicated to standby servers. Any indexes created on an
unlogged table are automatically unlogged as well.
unlogged table are automatically unlogged as well.
Apache::Session::Browseable::Postgres
example:
@ -124,7 +124,7 @@ example:
CREATE INDEX h1 ON sessions (_httpSessionType);
.. important::
.. important::
For Session Explorer and one-off sessions, it is
recommended to use BTREE or any index method that indexes partial
@ -135,7 +135,7 @@ now recommended SHA256 hash algorithm. See
:doc:`Sessions<sessions>` for more details.
.. tip::
.. tip::
With new
Apache::Session::Browseable::PgHstore
@ -153,7 +153,7 @@ for MySQL) in ``General parameters`` » ``Sessions`` »
parameters (case sensitive):
=================== ================================================= =============================================================
Required parameters
Required parameters
=================== ================================================= =============================================================
Name Comment Example
**DataSource** The `DBI <https://metacpan.org/pod/DBI>`__ string dbi:Pg:database=lemonldap-ng
@ -164,11 +164,11 @@ Name Comment Example
=================== ================================================= =============================================================
.. tip::
.. tip::
Apache::Session::Browseable::MySQL doesn't use locks so performances are
keeped.
For databases like PostgreSQL, don't forget to add "Commit" with a value
of 1
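Review bot: "performances are keeped" should read "performance is kept" in the re-indented tip, and the second sentence needs a terminating period ("a value of 1.").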
@ -184,7 +184,7 @@ You need to add the ``Index`` field and can also configure the
values will be stored.
======================== ================================= ===============================
Required parameters
Required parameters
======================== ================================= ===============================
Name Comment Example
**ldapServer** URI of the server ldap://localhost
@ -192,7 +192,7 @@ Name Comment Example
**ldapBindDN** Connection login cn=admin,dc=example,dc=password
**ldapBindPassword** Connection password secret
**Index** Index list \_whatToTrace ipAddr
Optional parameters
Optional parameters
Name Comment Default value
**ldapObjectClass** Objectclass of the entry applicationProcess
**ldapAttributeId** Attribute storing session ID cn
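Review bot: the example bind DN in the unchanged context row, `cn=admin,dc=example,dc=password`, looks like a paste error (the password belongs to the next row, ldapBindPassword); `cn=admin,dc=example,dc=com` would match the other examples. Also the "Optional parameters" sub-heading follows the **Index** row without a separating rule line, so check that the table still renders as intended after the re-indentation.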

@ -47,11 +47,11 @@ section:
bruteForceProtectionMaxLockTime = 900
.. important::
.. note::
Max lock time value is used by this plugin if a lock time is
missing (number of failed logins higher than listed lock time values).
Lock time values can not be higher than max lock time.
Lock time values can not be higher than max lock time.
Incremental lock time disabled
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -71,7 +71,7 @@ of allowed failed login attempts (3 by default) edit
bruteForceProtectionMaxFailed = 3
.. important::
.. important::
Number of failed login attempts stored in history MUST
be higher than allowed failed logins for this plugin takes effect.
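Review bot: "for this plugin takes effect" should read "for this plugin to take effect"; the hunk touches the directive line immediately above.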

@ -14,7 +14,7 @@ Captchas are available on the following forms:
- Register form: where user enters information to create a new account
.. important::
.. important::
We use the Perl module GD::SecurityImage to generate
images, you need to install it if you enable Captcha feature.

@ -4,7 +4,7 @@ Cross Domain Authentication
Presentation
------------
:ref:`cross_domain_authentication_cda`
:ref:`cda`
Configuration
-------------
@ -21,17 +21,17 @@ To use this feature only locally, edit ``lemonldap-ng.ini`` in section
cda = 1
.. important::
.. important::
If your handler is being served by Nginx, you have to
uncomment the following lines in your nginx configuration file:
::
# If CDA is used, uncomment this
auth_request_set $cookie_value $upstream_http_set_cookie;
# If CDA is used, uncomment this
auth_request_set $cookie_value $upstream_http_set_cookie;
add_header Set-Cookie $cookie_value;
Handlers
@ -40,5 +40,3 @@ Handlers
Choose "CDA" as type for each virtualHost concerned by CDA *(ie not in
main domain)*.
.. |section>..presentation#cross_domain_authentication_cda&noheader| image:: section>..presentation#cross_domain_authentication_cda&noheader

@ -5,7 +5,7 @@ LemonLDAP::NG provides a script to change session backend. This script
will help you transfer existing persistent sessions (or offline
sessions) when migrating from one backend to another, or when adding
indexes to a
:doc:`browseable sessio backend</browseablesessionbackend>`. It is
:doc:`browseable session backend</browseablesessionbackend>`. It is
available in LemonLDAP::NG utilities directory (``convertSessions``).
How it works

@ -22,7 +22,7 @@ GET Parameter Need Value
============= ======== ============================================================
``secret`` required Same value as the shared secret given to the manager
``user`` optional If set (with password), a login/logout process will be tried
``password`` optional
``password`` optional
============= ======== ============================================================
Example
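Review bot: this table documents `secret`, `user` and `password` as GET parameters; a short warning would help, since query-string values are written to web server access logs and browser history, so the shared secret and the test account's password should be treated as exposed once used this way and not reused elsewhere.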

@ -29,47 +29,47 @@ Just enable it in the manager (section “plugins”).
attributes
.. note::
.. note::
By examples :
\* Search attributes => ``mail uid givenName``
If ``whatToTrace`` fails, sessions are searched by ``mail``, next
``uid`` if none session is found and so on...
\* Display empty headers rule => ``$uid eq "dwho"`` -> Only 'dwho' will
see empty headers
see empty headers
.. note::
.. note::
Keep in mind that Nginx HTTP proxy module gets rid of empty
headers. If the value of a header field is an empty string then this
field will not be passed to a proxied server. To avoid misunderstanding,
it might be useful to not display empty headers.
it might be useful to not display empty headers.
.. important::
.. important::
Be careful to not display secret attributes.
checkUser plugin hidden attributes are concatenation of
``checkUserHiddenAttributes`` and ``hiddenAttributes``. You just have to
append checkUser specific attributes.
append checkUser specific attributes.
.. warning::
.. warning::
This plugin displays ALL user session attributes except
the hidden ones.
You have to restrict access to specific users (administrators, DevOps,
power users and so on...) by setting an access rule like other
VirtualHosts.
By example: ``$groups =~ /\bsu\b/``
To modify persistent sessions attributes ('_loginHistory \_2fDevices
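Review bot: grammar in the first note: "By examples :" should read "For example:", and "if none session is found" should read "if no session is found"; the hunk re-indents these lines, so the fix fits here. The same applies to "By example:" in the warning below.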
@ -87,7 +87,7 @@ Usage
When enabled, ``/checkuser`` URL path is handled by this plugin.
.. important::
.. important::
With federated authentication, checkUser plugin works
only if a session can be found in backend.
only if a session can be found in backend.

@ -2,10 +2,10 @@ Command Line Interface (lemonldap-ng-cli) examples
==================================================
This page shows some examples of LL::NG Command Line Interface. See
:doc:`how to use the command<configlocation>`.
:ref:`how to use the command<configlocation-command-line-interface-cli>`.
.. important::
.. important::
On Debian, the command is located in
``/usr/share/lemonldap-ng/bin`` and on CentOS in
@ -232,7 +232,7 @@ In this example we use:
ldapExportedVars sn sn \
ldapExportedVars mobile mobile \
ldapExportedVars mail mail \
ldapExportedVars givenName givenName
ldapExportedVars givenName givenName
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
@ -248,7 +248,8 @@ Configure CAS Identity Provider
-------------------------------
You just have to enable the CAS server feature, and you can set the
access control policy (see :doc:`CAS service options<idpcas>`):
access control policy (see
:ref:`CAS service options<idpcas-configuring-the-cas-service>`):
::
@ -452,6 +453,9 @@ Create the application "sample" inside category "applications":
applicationList/applications/sample/options name "Sample application" \
applicationList/applications/sample/options uri "https://sample.example.com/"
.. _cli-examples-encryption-key:
Encryption key
--------------

@ -2,7 +2,7 @@ Deploy Apache configuration
===========================
.. important::
.. note::
This step should have been already done if you installed LL::NG
with packages.
@ -11,7 +11,7 @@ Files
-----
.. important::
.. important::
Apache Mod Perl has many issues since 2.4 version with
MPM worker and MPM event. No problem for portal and manager since they
@ -32,21 +32,21 @@ You have to include them in Apache main configuration, for example:
include /usr/local/lemonldap-ng/etc/test-apache2.conf
.. tip::
.. tip::
- You can also use symbolic links in ``conf.d`` or ``sites-available``
Apache directory.
- If you have run the Debian/Ubuntu install command, just use:
::
a2ensite manager-apache2.conf
a2ensite portal-apache2.conf
a2ensite handler-apache2.conf
a2ensite test-apache2.conf
Modules
@ -61,12 +61,12 @@ You will also need to load some Apache modules:
- mod_headers
.. tip::
.. tip::
With Debian/Ubuntu:
::
a2enmod fcgid perl alias rewrite headers

@ -8,15 +8,15 @@ LemonLDAP::NG configuration is stored in a backend that allows all
modules to access it.
.. important::
.. important::
Note that all LL::NG components must have access:
- to the configuration backend
- to the sessions storage backend
Detailed configuration backends documentation is available
:doc:`here<start>`.
:ref:`here<start-configuration-database>`.
By default, configuration is stored in :doc:`files<fileconfbackend>`, so
access trough network is not possible. To allow this, use
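Review bot: "access trough network" should read "access through the network" in the context line; and the new `:ref:` keeps "here" as the link text, where a descriptive label (the section title, for instance) reads better and is more useful to screen readers.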
@ -25,7 +25,8 @@ service like :doc:`SQL database<sqlconfbackend>` or
:doc:`LDAP directory<ldapconfbackend>`.
Configuration backend can be set in the
local configuration file, in ``configuration`` section.
:ref:`local configuration file<configlocation-local-file>`, in ``configuration``
section.
For example, to configure the ``File`` configuration backend:
@ -36,7 +37,7 @@ For example, to configure the ``File`` configuration backend:
dirName = /usr/local/lemonldap-ng/data/conf
.. tip::
.. tip::
See
:doc:`How to change configuration backend<changeconfbackend>` to known
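Review bot: "to known" should read "to know" in this tip.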
@ -52,7 +53,7 @@ By default, Manager is protected to allow only the demonstration user
"dwho".
.. important::
.. important::
This user will not be available anymore if you configure
a new authentication backend! Remember to change the access rule in
@ -77,7 +78,7 @@ editing ``lemonldap-ng.ini`` and changing the ``protection`` parameter:
# * none : no protection
.. tip::
.. tip::
See :doc:`Manager protection documentation<managerprotection>`
to know how to use Apache modules or LL::NG to manage access to
@ -104,28 +105,28 @@ When all modifications are done, click on ``Save`` to store
configuration.
.. warning::
.. warning::
LemonLDAP::NG will do some checks on configuration and
display errors and warnings if any. Configuration **is not saved** if
errors occur.
.. tip::
.. tip::
- :doc:`Configuration viewer<viewer>` allow some users to edit WebSSO
configuration in Read Only mode.
- You can set and display instance name in Manager menu by editing
``lemonldap-ng.ini`` in [manager] section:
.. code:: ini
[manager]
instanceName = LLNG_Demo
Manager API
@ -141,7 +142,7 @@ See `Manager API
documentation <https://lemonldap-ng.org/manager-api/2.0/>`__.
.. important::
.. important::
To access Manager API, enable the ``manager-api``
virtual host and change the access rule. You can protect the API through
@ -168,7 +169,7 @@ and is stored in the LemonLDAP::NG bin/ directory, for example
/usr/libexec/lemonldap-ng/bin/lmConfigEditor
.. tip::
.. tip::
This script must be run as root, it will then use the Apache
user and group to access configuration.
@ -198,6 +199,8 @@ The configuration is displayed as a big Perl Hash, that you can edit:
If a modification is done, the configuration is saved with a new
configuration number. Else, current configuration is kept.
.. _configlocation-command-line-interface-cli:
Command Line Interface (CLI)
----------------------------
@ -219,7 +222,7 @@ for example /usr/share/lemonldap-ng/bin:
/usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli
.. tip::
.. tip::
This script must be run as root, it will then use the Apache
user and group to access configuration.
@ -272,15 +275,18 @@ Some examples:
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace
.. tip::
.. tip::
See :doc:`other examples<cli_examples>`.
.. _configlocation-apache:
Apache
------
.. important::
.. important::
LemonLDAP::NG does not manage Apache
configuration
@ -295,6 +301,8 @@ LemonLDAP::NG ships 3 Apache configuration files:
See :doc:`how to deploy them<configapache>`.
.. _configlocation-portal:
Portal
~~~~~~
@ -323,7 +331,7 @@ you need to edit the access rule in **handler-apache2.conf**
<Location /reload>
#CHANGE THIS######
Require ip 127 ::1
Require ip 127 ::1
###########^^^^^^^
SetHandler perl-script
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
@ -368,7 +376,7 @@ Nginx
-----
.. important::
.. important::
LemonLDAP::NG does not manage Nginx configuration
@ -382,7 +390,7 @@ LemonLDAP::NG ships 3 Nginx configuration files:
See :doc:`how to deploy them<confignginx>`.
.. warning::
.. warning::
\ :doc:`LL::NG FastCGI<fastcgiserver>` server must be
enabled and started separately.
@ -417,11 +425,11 @@ you need to edit the access rule in **handler-nginx.conf**
.. code:: nginx
location = /reload {
## CHANGE THIS #
allow 127.0.0.1;
######^^^^^^^^^#
deny all;
# FastCGI configuration
@ -492,27 +500,27 @@ included file):
#proxy_set_header Auth-User $authuser;
# OR
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR
#fastcgi_param HTTP_COOKIE $lmcookie;
# Insert then your configuration (fastcgi_* or proxy_*)
Configuration reload
--------------------
.. important::
.. note::
As Handlers keep configuration in cache, when configuration
change, it should be updated in Handlers. An Apache restart will work,
but LemonLDAP::NG offers the mean to reload them through an HTTP
request. Configuration reload will then be effective in less than 10
minutes. If you want to change this timeout, set ``checkTime = 240`` in
your lemonldap-ng.ini file *(values in seconds)*\
your lemonldap-ng.ini file *(values in seconds)*\
After configuration is saved by Manager, LemonLDAP::NG will try to
reload configuration on distant Handlers by sending an HTTP request to
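Review bot: in the new note, "when configuration change" should read "when the configuration changes", "offers the mean" should read "offers the means", and the trailing `\` after `*(values in seconds)*` is a conversion artifact to drop. The text also says reload takes effect "in less than 10 minutes" while the example sets `checkTime = 240`; stating the default value next to the example would make the relation clear.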
@ -525,7 +533,7 @@ You also have a parameter to adjust the timeout used to request reload
URLs, it is be default set to 5 seconds.
.. important::
.. important::
If "Compact configuration file" option is enabled, all
useless parameters are removed to limit file size. Typically, if SAMLv2
@ -536,7 +544,7 @@ These parameters can be overwritten in LemonLDAP::NG ini file, in the
section ``apply``.
.. tip::
.. tip::
You only need a reload URL per physical servers, as Handlers
share the same configuration cache on each physical server.
@ -546,27 +554,27 @@ inside a virtual host protected by LemonLDAP::NG Handler (see below
examples in Apache->handler or Nginx->Handler).
.. important::
.. important::
You must allow access to declared URLs to your Manager
IP.
.. important::
.. important::
If reload URL is served in HTTPS, to avoid "Error 500
(certificate verify failed)", Go to :
``General Parameters > Advanced Parameters > Security > SSL options for server requests``
and set :
**verify_hostname => 0**
**SSL_verify_mode => 0**
**SSL_verify_mode => 0**
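Review bot: this block tells administrators to set `verify_hostname => 0` and `SSL_verify_mode => 0` to get rid of "certificate verify failed", which disables TLS certificate verification for the Manager's reload requests and lets anything that can intercept the connection answer in place of the Handler. The fix to recommend is making the Manager trust the CA that issued the reload host's certificate (the same "SSL options for server requests" section is the place for that), with disabling verification presented as a last resort for test setups only. Worth flagging even in a formatting commit, since the hunk re-indents exactly these lines.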
.. important::
.. important::
If you want to use reload mechanism on a portal only
host, you must install a handler in Portal host to be able to refresh
@ -593,6 +601,9 @@ You also need to adjust the protection of the reload vhost, for example:
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
.. _configlocation-local-file:
Local file
----------
@ -618,7 +629,7 @@ For example, to override configured skin for portal:
portalSkin = dark
.. tip::
.. tip::
You need to know the technical name of configuration parameter
to do this. You can refer to :doc:`parameter list<parameterlist>` to

@ -9,7 +9,8 @@ Apache configuration
--------------------
To protect a virtual host in Apache, the LemonLDAP::NG Handler must be
activated (see :doc:`Apache global configuration<configlocation>`).
activated (see
:ref:`Apache global configuration<configlocation-apache>`).
Then you can take any virtual host, and simply add this line to protect
it:
@ -79,7 +80,7 @@ Same with remote server configured with the same host name:
</VirtualHost>
.. important::
.. note::
The ``ProxyPreserveHost`` directive will forward the Host header
to the protected application. To learn more about using Apache as
@ -88,7 +89,7 @@ Same with remote server configured with the same host name:
.. tip::
.. tip::
Some applications need the ``REMOTE_USER`` environment
variable to get the connected user, which is not set in reverse-proxy
@ -115,7 +116,7 @@ Pages where this menu is displayed can be restricted, for example:
</Location>
.. important::
.. important::
You need to disable mod_deflate to use the floating
menu
@ -137,14 +138,14 @@ Then you can take any virtual host and modify it:
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH "";
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
@ -161,7 +162,7 @@ Then you can take any virtual host and modify it:
add_header Set-Cookie $cookie_value;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
...
}
@ -188,7 +189,7 @@ Then you can take any virtual host and modify it:
#proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block
#fastcgi_param HTTP_COOKIE $lmcookie;
# Set REMOTE_USER (for FastCGI apps only)
#fastcgi_param REMOTE_USER $lmremote_user;
}
@ -220,7 +221,7 @@ Example of a protected virtual host for a local application:
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location ~ \.php$ {
@ -280,7 +281,7 @@ Reverse proxy
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will receive /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
}
# Client requests
location / {
@ -316,7 +317,7 @@ by different types of handler :
listen 80;
server_name myserver;
root /var/www/html;
# Internal MAIN handler authentication request
location = /lmauth {
internal;
@ -363,7 +364,7 @@ by different types of handler :
uwsgi_buffer_size 32k;
uwsgi_buffers 32 32k;
}
# Client requests
location / {
##################################
@ -375,14 +376,14 @@ by different types of handler :
auth_request_set $lmlocation $upstream_http_location;
# Remove this for AuthBasic handler
error_page 401 $lmlocation;
##################################
# PASSING HEADERS TO APPLICATION #
##################################
# IF LUA IS SUPPORTED
include /etc/nginx/nginx-lua-headers.conf;
}
location /AuthBasic/ {
##################################
# CALLING AUTHENTICATION #
@ -400,7 +401,7 @@ by different types of handler :
# IF LUA IS SUPPORTED
include /etc/nginx/nginx-lua-headers.conf;
}
location /web-service/ {
##################################
# CALLING AUTHENTICATION #
@ -419,6 +420,8 @@ by different types of handler :
}
}
.. _configvhost-lemonldapng-configuration:
LemonLDAP::NG configuration
---------------------------
@ -445,29 +448,29 @@ learn how to configure access control and HTTP headers sent to
application by LL::NG.
.. important::
.. important::
With **Nginx**-based ReverseProxy, header directives can
be appended by a LUA script.
To send more than **TEN** headers to protected applications, you have to
edit and modify :
``/etc/nginx/nginx-lua-headers.conf``
``/etc/nginx/nginx-lua-headers.conf``
.. warning::
.. warning::
\* **Nginx** gets rid of any empty headers. There is no
point of passing along empty values to another server; it would only
serve to bloat the request. In other words, headers with **empty values
are completely removed** from the passed request.
\* **Nginx**, by default, will consider any header that **contains
underscores as invalid**. It will remove these from the proxied request.
If you wish to have Nginx interpret these as valid, you can set the
``underscores_in_headers`` directive to “on”, otherwise your headers
will never make it to the backend server.
will never make it to the backend server.
POST data
~~~~~~~~~
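Review bot: the two items in the warning block are written as escaped `\*` bullets, which render as a literal asterisk at the start of a paragraph rather than as a list; use a real bullet list indented under the admonition. The `underscores_in_headers` advice also deserves one sentence of caveat on the same lines: with that directive on, Nginx accepts client-supplied request headers containing underscores too, so every header LL::NG provides to the backend must be set (overwritten) in the vhost, never merely passed through, or a client can supply the value itself.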
@ -486,9 +489,9 @@ Some options are available:
- Maintenance mode: reject all requests with a maintenance message
- Aliases: list of aliases for this virtual host *(avoid to rewrite
rules,...)*
- Type: handler type *(normal,
:doc:`ServiceToken Handler</documentation/2.0/servertoserver>`,
:doc:`DevOps Handler</documentation/2.0/devopshandler>`,...)*
- Type: handler type (normal,
:doc:`ServiceToken Handler<servertoserver>`,
:doc:`DevOps Handler<devopshandler>`,...)
- Authentication level required: this option avoids to reject user with
a rule based on ``$_authenticationLevel``. When user hasn't got the
required level, he is redirected to an upgrade page in the portal.
@ -497,24 +500,24 @@ Some options are available:
seconds by default. This TTL can be customized for each virtual host.
.. warning::
.. warning::
A same virtual host can serve many locations. Each
location can be protected by a different type of handler :
::
server test1.example.com 80
location ^/AuthBasic => AuthBasic handler
location ^/AuthCookie => Main handler
Keep in mind that AuthBasic handler use "Login/Password" to authenticate
users. If you set "Authentication level required" option to "5" by
example, AuthBasic requests will be ALWAYS rejected because AuthBasic
authentication level is lower than required level.
authentication level is lower than required level.
.. important::
.. important::
A negative or null ServiceToken timeout value will be
overloaded by ``handlerServiceTokenTTL`` (30 seconds by default).
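Review bot: since the warning text is being reindented anyway, fix the wording on those lines: `AuthBasic handler use` to `uses`, `"5" by example` to `for example`, and `will be ALWAYS rejected` to `will always be rejected`. The point itself is worth keeping prominent: an AuthBasic location inherits the vhost's required level, so a level above what Login/Password yields turns that location into a permanent 401.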

@ -23,15 +23,15 @@ can be forbidden to assume.
request.
.. warning::
.. warning::
During context switching authentication process, all
plugins are disabled. In other words, all entry points like afterData,
endAuth and so on are skipped. Therefore, second factors or
notifications by example will not be prompted!
notifications by example will not be prompted!
.. important::
.. important::
ContextSwitching plugin works only with a userDB
backend. You can not switch context with federated authentication.
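Review bot: `by example` on the reindented warning line should be `for example`. Given that the same lines say second factors are skipped, it would help to add that the switched-to session therefore carries the target user's rights without a second-factor check, so the rule that decides who may switch context should be correspondingly strict.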

@ -18,8 +18,8 @@ applies the following rules:
- Javascript:
- code must be written in
`CoffeeScript <http://coffeescript.org/>`__ *(in
``<component>/site/coffee``)*: ``make minify`` will generate JS
`CoffeeScript <http://coffeescript.org/>`__ (in
``<component>/site/coffee``): ``make minify`` will generate JS
files
Configure SSH
@ -60,7 +60,7 @@ Debian
aptitude install vim make devscripts yui-compressor git git-gui libjs-uglify coffeescript cpanminus autopkgtest pkg-perl-autopkgtest
aptitude install libauth-yubikey-webclient-perl libnet-smtp-server-perl
cpanm Authen::U2F Authen::U2F::Tester Crypt::U2F::Server::Simple
cpanm Authen::U2F Authen::U2F::Tester Crypt::U2F::Server::Simple
curl -sL https://deb.nodesource.com/setup_9.x | bash -
apt-get install -y nodejs
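Review bot: `curl -sL https://deb.nodesource.com/setup_9.x | bash -`, right after the reindented cpanm line, pipes a remote script straight into a root shell, and Node 9 is an end-of-life release. Point at a current LTS setup script and tell the developer to download and read it before running it, or to install nodejs from the distribution instead; a contributor setup guide is a supply-chain exposure like any other.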
@ -127,7 +127,7 @@ Install dependencies
::
aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
aptitude install apache2 libapache2-mod-fcgid libapache2-mod-perl2 # install Apache
aptitude install nginx nginx-extras # install Nginx
cpanm perltidy@20181120
@ -135,7 +135,7 @@ Install dependencies
::
SAML :
aptitude install liblasso-perl libglib-perl
aptitude install liblasso-perl libglib-perl
Working Project
---------------

@ -2,8 +2,8 @@ Custom functions
================
Custom functions allow one to extend LL::NG, they can be used in
:doc:`headers<writingrulesand_headers>`,
:doc:`rules<writingrulesand_headers>` or
:ref:`headers`,
:ref:`rules` or
:doc:`form replay data<formreplay>`. Two actions are needed:
- declare them in LLNG configuration
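Review bot: the new `:ref:` targets `headers` and `rules` are global Sphinx labels with very generic names, unlike the file-prefixed labels added elsewhere in this commit (`configvhost-...`, `idpcas-...`, `idpopenid-...`). Any other page that later defines a `rules` or `headers` label produces a duplicate-label warning and one of the links ends up pointing at the wrong section. Name them `writingrulesand_headers-headers` and `writingrulesand_headers-rules`, and update the `:ref:` to `headers` used further down in this diff.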
@ -72,7 +72,7 @@ Old method
^^^^^^^^^^
.. warning::
.. warning::
This method is available but unusable by Portal under
Apache. So if your rule may be used by the menu, use the new
@ -128,7 +128,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
SSOExtensions::function1 SSOExtensions::function2
.. important::
.. important::
If your function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail.

@ -56,13 +56,13 @@ LLNG provides 3 platforms:
If you want to add another, you must write:
- the platform launcher file that launch the required type *(see
- the platform launcher file that launch the required type (see
``lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2`` file for
example)*
example)
- write the main platform file
(``Lemonldap::NG::Handler::MyPlatform::Main``) that provides required
method *(see ``lemonldap-ng-handler/lib/Lemonldap/NG/Handler/*/Main``
for examples)* and inherits from ``Lemonldap::NG::Handler::Main``
method (see ``lemonldap-ng-handler/lib/Lemonldap/NG/Handler/*/Main``
for examples) and inherits from ``Lemonldap::NG::Handler::Main``
- write the "type" wrapper files (AuthBasic,...).
Wrapper usually look at this:
@ -79,7 +79,7 @@ Old fashion Nginx handlers
--------------------------
.. important::
.. important::
There is no need to use this feature now. It is kept for
compatibility.

@ -18,15 +18,15 @@ DecryptValue plugin can be allowed or denied for specific users.
to use internal decrypt function.
.. warning::
.. warning::
Custom functions must be defined into
``Lemonldap::NG::Portal::My::Plugin`` and set:
::
My::Plugin::function1 My::Plugin::function2
.. |image0| image:: /documentation/beta.png

@ -4,7 +4,7 @@ DevOps Handler
This handler is designed to read vhost configuration from the website
itself not from LL:NG configuration. Rules and headers are set in a
**rules.json** file stored at the website root directory (ie
``<nowiki>http://website/rules.json</nowiki>``). This file looks like:
``http://website/rules.json``). This file looks like:
.. code:: json
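Review bot: dropping the `<nowiki>` residue is right; while on this paragraph, `LL:NG` two lines above should read `LL::NG` and `(ie` should be `(i.e.`.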
@ -23,15 +23,15 @@ If this file is not found, the default rule "accept" is applied and just
No specific configuration is required except that:
- you have to choose this specific handler *(directly by using
``VHOSTTYPE`` environment variable)*
- you have to choose this specific handler (directly by using
``VHOSTTYPE`` environment variable)
- you can set the loopback URL needed by the DevOps handler to get
``/rules.json`` or use ``RULES_URL`` parameter to set JSON file path
*(see :doc:`SSO as a Service<ssoaas>`)*. Default to
``<nowiki>http://127.0.0.1:<server-port></nowiki>``
(see :doc:`SSO as a Service<ssoaas>`). Default to
``http://127.0.0.1:<server-port>``
.. important::
.. important::
Note that DevOps handler will refuse to compile
rules.json if :doc:`Safe Jail<safejail>` isn't enabled.
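Review bot: `Default to` on the rewritten line should be `Defaults to`. Since the loopback URL (or `RULES_URL`) is where the DevOps handler fetches the rules and headers for the vhost, the same bullet should say that it must only ever point at the site's own origin or 127.0.0.1: whoever controls that URL controls the access rules.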

@ -27,14 +27,11 @@ RPM
^^^
.. tip::
.. tip::
You can:
- Use :doc:`our own YUM repository<installrpm>`.
- Download them here and
:doc:`install pre-required packages<prereq>`.
- Use :ref:`our own YUM repository<installrpm-yum-repository>`.
- Download them here and :ref:`install pre-required packages<prereq-yum>`.
RHEL/CentOS 7
@ -57,17 +54,16 @@ Debian
^^^^^^
.. tip::
.. tip::
You can:
- Use
:doc:`packages provided by Debian<installdeb>`.
:ref:`packages provided by Debian<installdeb-official-repository>`.
- Use
:doc:`our own Debian repository<installdeb>`.
:ref:`our own Debian repository<installdeb-llng-repository>`.
- Download them here and
:doc:`install pre-required packages<prereq>`.
:ref:`install pre-required packages<prereq-apt-get>`.
- `DEB
@ -99,6 +95,8 @@ Contributions
See https://github.com/LemonLDAPNG
.. _download-getting-sources-from-svn-repository:
Git repository
--------------
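Review bot: the new label `download-getting-sources-from-svn-repository` is placed on the `Git repository` section. Labels are permanent anchors, so naming it after SVN now will confuse the next person who greps for it; unless it has to match an existing incoming `:ref:`, call it `download-git-repository`.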

@ -2,7 +2,7 @@ Error messages
==============
.. important::
.. note::
This page do not reference all error messages, but only the
frequentest
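Review bot: the admonition downgrade is fine, but the sentence being reindented still reads `This page do not reference all error messages, but only the frequentest`; make it `This page does not list all error messages, only the most frequent ones`.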
@ -23,7 +23,7 @@ from a version older than 1.0
Can't locate /usr/share/lemonldap-ng/configStorage.pl
→ When you upgrade from Debian Lenny with customized index.pl files, you
must upgrade them. See :doc:`Debian Lenny upgrade<upgrade>`.
must upgrade them.
Lemonldap::NG::Handler
----------------------
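Review bot: removing `:doc:` `Debian Lenny upgrade<upgrade>` leaves `you must upgrade them.` with no pointer to how. If the upgrade page still covers customised index.pl files, keep a `:ref:` to that section; if it does not, drop the whole Lenny-era entry rather than leaving an instruction with no target.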
@ -60,13 +60,13 @@ configStorageOptionsor file permissions.
mkdir /tmp/MyNamespace/2: Permission denied ...
→ The cache has been created by another user than Apache's user. Restart
Apache to purge it.
.. important::
Apache to purge it.
.. important::
This can append when you use
lmConfigEditor or launch **cron files** with a different user than
Apache process. That is why it is important to set APACHEUSER variable
when you launch "make install"
when you launch "make install"
::
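Review bot: `This can append when` on the reindented line should be `This can happen when`. The advice itself is sound: a cache directory created by a different user (lmConfigEditor, cron) breaks the handler's cache with a permission error, and naming the expected owner (the Apache or FastCGI user passed as APACHEUSER) is the right fix rather than relaxing permissions on the cache.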

@ -6,7 +6,8 @@ Presentation
Exported variables are the variables available to
:doc:`write rules and headers<writingrulesand_headers>`. They are
extracted from the users database by the :doc:`users module<start>`.
extracted from the users database by the
:ref:`users module<start-authentication-users-and-password-databases>`.
To create a variable, you've just to map a user attributes in LL::NG
using ``Variables`` » ``Exported variables``. For each variable, The
@ -32,7 +33,7 @@ module.
|Exported variables in the Manager|
.. tip::
.. tip::
You can define environment variables in
``Exported variables``, this allows one to populate user session with

@ -10,7 +10,7 @@ code execution.
This is also true for:
- :doc:`Menu modules activation rules<portalmenu>`
- :ref:`Menu modules activation rules<portalmenu-menu-modules>`
- :doc:`Form replay data<formreplay>`
- Macros
- Issuer databases use rules
@ -18,30 +18,32 @@ This is also true for:
Inside this jail, you can access to:
::
* all session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
* Core Perl subroutines (split, pop, map, etc.)
* :doc:`Custom functions<customfunctions>`
* The `encode_base64 <http://perldoc.perl.org/MIME/Base64.html>`__ subroutine
* Information about current request
* Extended functions:
* date_
* checkLogonHours_
* checkDate_
* basic_
* unicode2iso_
* iso2unicode_
* groupMatch_
* listMatch_ (|new| *since 2.0.7*)
* inGroup_ (|new| *since 2.0.8*)
* encrypt_
* token_
* isInNet6_
* varIsInUri_
.. |new| image:: /documentation/new.png
:width: 35px
* all session values and CGI environment variables //(through $ENV{<HTTP_NAME>})//
* Core Perl subroutines (split, pop, map, etc.)
* [[customfunctions|Custom functions]]
* The [[http://perldoc.perl.org/MIME/Base64.html|encode_base64]] subroutine
* [[#Request information|Information about current request]]
* [[#Extended functions list|Extended functions]]:
* [[#date|date]]
* [[#checkLogonHours|checkLogonHours]]
* [[#checkDate|checkDate]]
* [[#basic|basic]]
* [[#unicode2iso|unicode2iso]]
* [[#iso2unicode|iso2unicode]]
* [[#groupMatch|groupMatch]]
* [[#listMatch|listMatch]] ({{..:new.png?direct&35|}} // since 2.0.7)//
* [[#inGroup|inGroup]] ({{..:new.png?direct&35|}} // since 2.0.8)//
* [[#encrypt|encrypt]]
* [[#token|token]]
* [[#isInNet6|isInNet6]]
* [[#varIsInUri|varIsInUri]]
.. tip::
.. tip::
To know more about the jail, check `Safe module
documentation <http://perldoc.perl.org/Safe.html>`__.
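Review bot: four things on the converted list. `$ENV{<HTTP_NAME>}` is in single backticks, which in RST is interpreted text and renders as emphasis, not code; use double backticks. Each `name_` item (`date_`, `checkLogonHours_`, ...) is a hyperlink reference that needs a matching target: a section titled exactly `date` provides one implicitly, otherwise an explicit `.. _name:` is required, as this diff adds for listMatch; build with warnings as errors once to catch any that do not resolve. The nested `* date_` items must be indented under `* Extended functions:` with a blank line before them or they collapse into the parent item. And `.. |new| image:: /documentation/new.png` is an absolute source-root path; confirm the file lives there relative to the Sphinx source directory, since the other `/documentation/...` prefixes in this commit are being removed.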
@ -72,11 +74,10 @@ For example, for a full access, excepted week-end:
000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000
.. tip::
.. tip::
The :doc:`LDAP schema extension<authldap>` can be used to
store this value. You can also use the binary value from the logonHours
attribute of Active Directory
You can use the binary value from the logonHours attribute of Active
Directory, or create a custom attribute in your LDAP schema.
Functions parameters:
@ -130,11 +131,6 @@ This function will check the date of current request, and compare it to
a start date and an end date. It returns 1 if this match, 0 else.
.. tip::
The :doc:`LDAP schema extension<authldap>` can be used to
store these values
The date format is the LDAP date syntax, for example for the 1st March
2009:
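Review bot: this hunk removes the checkDate tip about the LDAP schema extension entirely, while the checkLogonHours hunk above replaces the equivalent tip with reworded text (`create a custom attribute in your LDAP schema`). Keep the two consistent: either drop both or give checkDate the same one-line pointer, since the start and end dates have to be stored somewhere as well.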
@ -159,7 +155,7 @@ basic
~~~~~
.. important::
.. important::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
@ -184,7 +180,7 @@ unicode2iso
~~~~~~~~~~~
.. important::
.. important::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
@ -206,7 +202,7 @@ iso2unicode
~~~~~~~~~~~
.. important::
.. important::
This function is not compliant with
:doc:`Safe jail<safejail>`, you will need to disable the jail to use
@ -242,6 +238,8 @@ Simple usage example:
groupMatch($hGroups, 'description', 'Service 1')
.. _listMatch:
listMatch
~~~~~~~~~
@ -293,7 +291,7 @@ encrypt
~~~~~~~
.. tip::
.. tip::
Since version 2.0, this function is now compliant with
:doc:`Safe jail<safejail>`.

@ -10,7 +10,7 @@ Commands
Commands receive arguments on command line and must return a 0 code if
succeed, another else. **Nothing must be written to STDOUT**, STDERR is
reported in logs *(but may be lost with FastCGI server)*.
reported in logs (but may be lost with FastCGI server).
Configuration
~~~~~~~~~~~~~
@ -33,17 +33,17 @@ All parameters are configured in "General Parameters » Portal Parameters
- **Authentication level** (Optional): if you want to overwrite the
value sent by your authentication module, you can define here the new
authentication level. Example: 5
- **Logo** (Optional): logo file *(in static/<skin> directory)*
- **Logo** (Optional): logo file (in static/<skin> directory)
- **Label** (Optional): label that should be displayed to the user on
the choice screen
.. important::
.. important::
The command line is split in an array and launched with
exec(). So you don't need to enclose arguments in "" and this feature
protects your system against shell injection. However, you can not use
any space except to separate arguments.
exec(). So you don't need to enclose arguments in quotes to protect your
system against shell injection. However, you can not use any space except
to separate arguments.
SELinux note
^^^^^^^^^^^^
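Review bot: the rewording changes the meaning of the exec() sentence. The original made two separate points, that quoting is unnecessary and that list-form exec() protects against shell injection; the new `you don't need to enclose arguments in quotes to protect your system against shell injection` reads as if quoting were the protection. Suggest: `The command line is split into an array and launched with exec(), so no shell is involved: arguments need no quoting, and shell metacharacters in user-supplied values cannot cause shell injection. The trade-off is that spaces can only separate arguments.` It is also worth saying that bypassing the shell does not protect the invoked program from argument injection (a value starting with `-` being read as an option, for instance); the command itself has to handle that.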

@ -2,6 +2,6 @@ FastCGI support
===============
.. important::
.. important::
Since 2.0, all LLNG components run under FastCGI

@ -2,9 +2,9 @@ LemonLDAP::NG FastCGI server
============================
Since 1.9, Lemonldap::NG provides a FastCGI server usable to protect
applications with Nginx *(See
:doc:`Manage virtual hosts</documentation/1.9/configvhost>` page to
configure virtual hosts)*.
applications with Nginx (See
:doc:`Manage virtual hosts<configvhost>` page to
configure virtual hosts).
This FastCGI server can be used for all LLNG components. It compiles
enabled components on-the-fly.

@ -21,7 +21,7 @@ Easy to integrate
:doc:`Integrating applications<applications>` in
LL::NG is easy since its dialog with applications is based on
:doc:`customizable HTTP headers<writingrulesand_headers>`.
:ref:`customizable HTTP headers<headers>`.
Unifying authentications (Identity Federation)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -38,6 +38,8 @@ applications.
Sessions
--------
.. _session-explorer:
Session explorer
~~~~~~~~~~~~~~~~
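Review bot: the new label `session-explorer` (and `session-restrictions` in the next hunk) is not namespaced by page like the other labels added in this commit (`configvhost-...`, `download-...`, `idpcas-...`). Sphinx labels are global, so prefix these with the page name to avoid collisions with other pages that describe sessions.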
@ -52,6 +54,8 @@ opened sessions:
It can be used to delete a session
.. _session-restrictions:
Session restrictions
~~~~~~~~~~~~~~~~~~~~

@ -35,12 +35,12 @@ initiated by OpenID-Connect Provider. LLNG will implement it when this
standard will be published.
.. important::
.. important::
Federation proxy installation can be complex. Don't
hesitate to contact us on lemonldap-ng-users@ow2.org
See the following chapters:
- :doc:`Authentication protocols<start>`
- :doc:`Identity provider<start>`
- :ref:`Authentication protocols<start-authentication-users-and-password-databases>`
- :ref:`Identity provider<start-identity-provider>`

@ -5,14 +5,14 @@ This is the default configuration backend. Configuration is stored as
JSON.
.. tip::
.. tip::
This configuration storage can be shared between different
hosts using:
- :doc:`SOAP configuration backend proxy<soapconfbackend>`
- any files sharing system (NFS, NAS, SAN,...)
Configuration

@ -16,7 +16,7 @@ in "General parameters » Sessions » Session storage » Apache::Session
module" and add the following parameters (case sensitive):
=================== ============================== ===================================
Required parameters
Required parameters
=================== ============================== ===================================
Name Comment Example
**Directory** The path to the main directory /var/lib/lemonldap-ng/sessions

@ -9,16 +9,16 @@ filling a HTML POST login form and autosubmitting it, without asking
anything to the user.
.. warning::
.. warning::
This kind of SSO mechanism is not clean, and can lead to
problems, like local password blocking, local session not well closed,
etc.
Please always try to find another solution to protect your application
with LL::NG. At least, check if it is not a
:doc:`known application<applications>`, or
:doc:`try to adapt its source code<selfmadeapplication>`.
:doc:`try to adapt its source code<selfmadeapplication>`.
If you configure form replay with LL::NG, the Handler will detect forms
to fill, add a javascript in the html page to fill form fields with
@ -28,7 +28,7 @@ data in the request body.
POST data can be static values or computed from user's session.
.. tip::
.. tip::
To post user's password, you must enable
:doc:`password storing<passwordstore>`. In this case you will be able to
@ -96,7 +96,7 @@ example:
|image1|
.. tip::
.. tip::
You can define more than one form replay URL per virtual
host.

@ -17,9 +17,9 @@ Just enable it in the Manager (section “plugins”).
- **Custom parameter**: Session attribut to display at global logout
.. important::
.. note::
To display more than one session attribute, you can create a
macro like this :
``user_USER => "$uid_" . uc $uid``
``user_USER => "$uid_" . uc $uid``
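Review bot: the macro on the reindented line, `user_USER => "$uid_" . uc $uid`, has a Perl interpolation bug: inside double quotes `$uid_` is parsed as the variable named `uid_`, not as `$uid` followed by an underscore, so the result is just the uppercased uid (with an uninitialized-value warning under `use warnings`). Write it as `"${uid}_" . uc $uid` or `$uid . '_' . uc $uid`.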

@ -18,8 +18,8 @@ Overview of Handler packages
Usage Platform Wrapper Types Main
============================================================================== ============ ================= =========== ====
Apache2 protection ApacheMP2 ApacheMP2::<type> Lib::<type> Main
Plack servers protection or Nginx/\ :doc:`SSOaaS<ssoaas>` FastCGI/uWSGI server Server Server::<type>
:doc:`Self protected applications<selfmadeapplication>` PSGI PSGI::<type>
Plack servers protection or Nginx/\ :doc:`SSOaaS<ssoaas>` FastCGI/uWSGI server Server Server::<type>
:doc:`Self protected applications<selfmadeapplication>` PSGI PSGI::<type>
============================================================================== ============ ================= =========== ====
Types are:

@ -46,32 +46,32 @@ see :doc:`REST sessions backend<restsessionbackend>`, enable local cache
to access required locations in Portal Virtual Host.
.. warning::
.. warning::
With AuthBasic handler, you have to disable CSRF token by
setting a special rule based on source IP addresses like this :
requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
With AutChoice, you have to declare which authentication module is
requested by handler to create global session.
Go to:
``General Parameters > Authentication parameters > Choice parameters``
and set authentication module's name :
**AuthBasic handler parameter** => 2_LDAP (by example)
.. important::
.. important::
With HTTPS, you may have to set **LWP::UserAgent
object** with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
Go to:
``General Parameters > Advanced Parameters > Security > SSL options for server requests``
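Review bot: two things in the reindented text. `AutChoice` should be `AuthChoice`. More importantly, `verify_hostname => 0` and `SSL_verify_mode => 0` disable certificate validation for the handler's server-side HTTPS requests, which removes the point of using HTTPS for them; if this stays in the docs, label it as insecure and for testing only, and give the correct fix first (`SSL_ca_file` or `SSL_ca_path` pointing at the CA that issued the portal certificate, plus a hostname in the URL that matches it). The `requireToken` rule on the same lines also deserves a sentence: it is only safe when the loopback addresses it matches cannot be reached by anything but the handler.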

@ -45,7 +45,7 @@ two Apache configuration files:
<VirtualHost *:80>
ServerName application.example.com
SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
DocumentRoot /var/www/application
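Review bot: the reindented `SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1` on the application vhost turns any `Auth-User` request header into `REMOTE_USER`, and nothing shown in that vhost restricts who may send the header. The page should state that this backend must only be reachable from the LL::NG reverse proxy (a firewall rule or `Require ip` for the proxy address) and that the proxy must set `Auth-User` itself rather than pass a client-supplied one through; otherwise anyone who can reach `application.example.com` directly can pick any identity.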
@ -53,18 +53,18 @@ two Apache configuration files:
</VirtualHost>
.. tip::
.. tip::
Sometimes, PHP applications also check the PHP_AUTH_USER and
PHP_AUHT_PW environment variables. You can set them the same way:
.. code:: apache
SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1
SetEnvIfNoCase Auth-Password "(.*)" PHP_AUTH_PW=$1
Of course, you need to :doc:`store password in session<passwordstore>`
to fill PHP_AUTH_PW.
to fill PHP_AUTH_PW.
Nginx
-----
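Review bot: `PHP_AUHT_PW` in the reindented tip is a typo for `PHP_AUTH_PW`. The same caveat as for `REMOTE_USER` applies to these two `SetEnvIfNoCase` lines: `PHP_AUTH_USER` and `PHP_AUTH_PW` are only as trustworthy as the network path to this vhost, so the note about storing the password in session should also say the headers must come from the LL::NG proxy only.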

@ -29,17 +29,18 @@ In the Manager, go in ``General Parameters`` » ``Issuer modules`` »
to always allow.
.. tip::
.. tip::
For example, to allow only users with a strong authentication
level:
::
$authenticationLevel > 2
.. _idpcas-configuring-cas-applications:
Configuring the CAS Service
~~~~~~~~~~~~~~~~~~~~~~~~~~~
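Review bot: the labels are swapped. `.. _idpcas-configuring-cas-applications:` is placed above the `Configuring the CAS Service` heading here, and the next hunk puts `.. _idpcas-configuring-the-cas-service:` above `Configuring CAS Applications`. Any `:ref:` using them lands on the wrong section; exchange the two label lines.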
@ -65,15 +66,17 @@ Then go in ``CAS Service`` to define:
- **CAS session module name and options**: choose a specific module if
you do not want to mix CAS sessions and normal sessions (see
:doc:`why<samlservice>`).
:ref:`why<samlservice-saml-sessions-module-name-and-options>`).
.. tip::
.. tip::
If ``CAS login`` is not set, it uses ``General Parameters`` »
``Logs`` » ``REMOTE_USER`` data, which is set to ``uid`` by
default
.. _idpcas-configuring-the-cas-service:
Configuring CAS Applications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -110,7 +113,7 @@ Options
left blank, access will be allowed for everyone.
.. important::
.. important::
If the access control policy is set to ``none``, this
rule will be ignored

@ -2,10 +2,10 @@ OpenID server
=============
.. warning::
.. warning::
OpenID protocol is deprecated, you should now use
:doc:`OpenID Connect<idpopenidconnect>`\
:doc:`OpenID Connect<idpopenidconnect>`\
Presentation
------------
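Review bot: the reindented `:doc:` line for `OpenID Connect<idpopenidconnect>` keeps a trailing backslash, an escaped line break left over from the conversion. It is harmless in docutils but is noise; drop it. The same stray backslash is on the `<Conditions>` line of the SAML hunk further down.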
@ -31,7 +31,7 @@ their authentication using [PORTAL]/openidserver/[login] where:
- [PORTAL] is the portal URL
- [login] is the user login (or any other session information,
:doc:`see below<idpopenid>`)
:ref:`see below<idpopenid-configuration>`)
Example:
@ -39,6 +39,8 @@ Example:
http://auth.example.com/openidserver/foo.bar
.. _idpopenid-configuration:
Configuration
-------------
@ -47,39 +49,41 @@ In the Manager, go in ``General Parameters`` » ``Issuer modules`` »
- **Activation**: set to ``On``
- **Path**: keep ``^/openidserver/`` unless you have change
:doc:`Apache portal configuration<configlocation>` file.
:ref:`Apache portal configuration<configlocation-portal>` file.
- **Use rule**: a rule to allow user to use this module, set to 1 to
always allow.
.. tip::
.. tip::
For example, to allow only users with a strong authentication
level:
::
$authenticationLevel > 2
Then go in ``Options`` to define:
- **Secret token**: a secret token used to secure transmissions between
OpenID client and server (:doc:`see below<idpopenid>`).
OpenID client and server (:ref:`see below<idpopenid-security>`).
- **OpenID login**: the session key used to match OpenID login.
- **Authorized domains**: white list or black list of OpenID client
domains (:doc:`see below<idpopenid>`).
domains (:ref:`see below<idpopenid-security>`).
- **SREG mapping**: link between SREG attributes and session keys
(:doc:`see below<idpopenid>`).
(:ref:`see below<idpopenid-shared-attributes-sreg>`).
.. tip::
.. tip::
If ``OpenID login`` is not set, it uses ``General Parameters``
» ``Logs`` » ``REMOTE_USER`` data, which is set to ``uid`` by
default
.. _idpopenid-shared-attributes-sreg:
Shared attributes (SREG)
~~~~~~~~~~~~~~~~~~~~~~~~
@ -100,11 +104,13 @@ Each SREG attribute will be associated to a user session key. A session
key can be associated to more than one SREG attribute.
.. important::
.. note::
If the OpenID consumer ask for data, users will be prompted to
accept or not the data sharing.
.. _idpopenid-security:
Security
~~~~~~~~
@ -114,7 +120,7 @@ Security
encryption key.
.. important::
.. important::
Note that :doc:`SAML<idpsaml>` protocol is more secured
than OpenID, so when your partners are known, prefer

@ -5,7 +5,7 @@ Presentation
------------
.. important::
.. note::
OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE
stacks. It is described here: http://openid.net/connect/.
@ -58,15 +58,15 @@ and configure:
to always allow.
.. tip::
.. tip::
For example, to allow only users with a strong authentication
level:
::
$authenticationLevel > 2
Configuration of LL::NG in Relying Party
@ -173,7 +173,7 @@ So you can define for example:
- email => mail
.. important::
.. important::
The specific ``sub`` attribute is not defined here, but
in User attribute parameter (see below).
@ -182,7 +182,7 @@ Extra Claims
^^^^^^^^^^^^
.. important::
.. important::
By default, only claims that are part of standard OpenID
Connect scopes will be sent to a client. If you want to send a claim
@ -202,7 +202,7 @@ be able to read the ``rebirth_count`` and ``bloodline`` claims from the
Userinfo endpoint.
.. warning::
.. warning::
Any Claim defined in this section must be mapped to a
LemonLDAP::NG session attribute in the **Exported Attributes**
@ -268,16 +268,15 @@ Options
https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
for details. These offline sessions can be administered through
the Session Browser.
- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``) Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
- **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
::
- **Logout**
* **Allow OAuth2.0 Password Grant** (since version ''2.0.8''): Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
* **Access Rule**: lets you specify a [[rules_examples|Perl rule]] to restrict access to this client
* **Logout**
* **Allowed redirection addresses for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ''post_logout_redirect_uri'')
* **URL**: Specify the relying party's logout URL
* **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
* **Session required**: Whether to send the Session ID in the logout request
- **Allowed redirection addresses for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ``post_logout_redirect_uri``)
- **URL**: Specify the relying party's logout URL
- **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
- **Session required**: Whether to send the Session ID in the logout request
Macros
^^^^^^
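Review bot: the converted option list has two structural problems. The stray `::` left between the `Access Rule` item and `- **Logout**` opens a literal block, so depending on indentation it either triggers a `Literal block expected` warning or swallows the following list as preformatted text; remove it. And the four logout sub-options (`Allowed redirection addresses for logout`, `URL`, `Type`, `Session required`) were nested under Logout in the old markup but are now its siblings; indent them under `- **Logout**`. Also `Grant on by this client` should be `Grant by this client`, a typo carried over from the old text.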

@ -32,15 +32,15 @@ configure:
to always allow.
.. tip::
.. tip::
For example, to allow only users with a strong authentication
level:
::
$authenticationLevel > 2
Register LemonLDAP::NG on partner Service Provider
@ -78,7 +78,7 @@ between your server and the SP).
|image0|
.. tip::
.. tip::
You can also edit the metadata directly in the textarea
@ -139,10 +139,10 @@ Authentication response
NotOnOrAfter="2014-07-21T12:48:08Z">
.. important::
.. important::
There is a time tolerance of 60 seconds in
``<Conditions>``\
``<Conditions>``\
- **Force UTF-8**: Activate to force UTF-8 decoding of values in SAML
attributes. If set to 0, the value from the session is directly
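Review bot: the reindented `<Conditions>` line keeps a trailing backslash left over from the conversion; drop it. Since the 60-second tolerance is what absorbs clock skew between IdP and SP, the same important block could add that both sides need NTP, as a larger skew makes every assertion fail validation.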
@ -152,7 +152,7 @@ Signature
'''''''''
These options override service signature options (see
:doc:`SAML service configuration<samlservice>`).
:ref:`SAML service configuration<samlservice-general-options>`).
- **Sign SSO message**: sign SSO message
- **Check SSO message signature**: check SSO message signature
@ -168,17 +168,17 @@ Security
Initiated URL on this SP.
.. tip::
.. tip::
The IDP Initiated URL is the SSO SAML URL with GET
parameters:
- IDPInitiated: 1
- One of:
- sp: SP entity ID
- spConfKey: SP configuration key
For example:
http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp
