doc: fix formatting

doc/sources/admin/applications.rst

@@ -35,42 +35,42 @@ Application list
 ================================================================= ==================================================== ============ ================ === ==== ====
 Application                                                       Configuration guide                                  HTTP headers Specific Handler CAS SAML OIDC
 ================================================================= ==================================================== ============ ================ === ==== ====
-.. image:: applications/microsoft-adfs.png                        :doc:`ADFS<applications/adfs>`                                                         ✔   
+.. image:: applications/microsoft-adfs.png                        :doc:`ADFS<applications/adfs>`                                                         ✔
-.. image:: applications/alfresco_logo.png                         :doc:`Alfresco<applications/alfresco>`               ✔                                 ✔   
+.. image:: applications/alfresco_logo.png                         :doc:`Alfresco<applications/alfresco>`               ✔                                 ✔
-.. image:: applications/logo_amazon_web_services.jpg              :doc:`Amazon Web Services<applications/aws>`                                           ✔   
+.. image:: applications/logo_amazon_web_services.jpg              :doc:`Amazon Web Services<applications/aws>`                                           ✔
-.. image:: applications/logo-awx.png                              :doc:`AWX (Ansible Tower)<applications/awx>`                                           ✔   
+.. image:: applications/logo-awx.png                              :doc:`AWX (Ansible Tower)<applications/awx>`                                           ✔
-.. image:: applications/bugzilla_logo.png                         :doc:`Bugzilla<applications/bugzilla>`               ✔                                     
+.. image:: applications/bugzilla_logo.png                         :doc:`Bugzilla<applications/bugzilla>`               ✔
-.. image:: applications/csod_logo.png                             :doc:`Cornerstone<applications/cornerstone>`                                           ✔   
+.. image:: applications/csod_logo.png                             :doc:`Cornerstone<applications/cornerstone>`                                           ✔
 .. image:: applications/discourse.jpg                             :doc:`Discourse<applications/discourse>`                                               ✔    ✔
-.. image:: applications/django_logo.png                           :doc:`Django<applications/django>`                   ✔                                     
+.. image:: applications/django_logo.png                           :doc:`Django<applications/django>`                   ✔
-.. image:: applications/dokuwiki_logo.png                         :doc:`Dokuwiki<applications/dokuwiki>`               ✔                                     
+.. image:: applications/dokuwiki_logo.png                         :doc:`Dokuwiki<applications/dokuwiki>`               ✔
-.. image:: applications/drupal_logo.png                           :doc:`Drupal<applications/drupal>`                   ✔                                     
+.. image:: applications/drupal_logo.png                           :doc:`Drupal<applications/drupal>`                   ✔
-.. image:: applications/fusiondirectory-logo.jpg                  :doc:`FusionDirectory<applications/fusiondirectory>` ✔                                     
+.. image:: applications/fusiondirectory-logo.jpg                  :doc:`FusionDirectory<applications/fusiondirectory>` ✔
 .. image:: applications/gitlab_logo.png                           :doc:`Gitlab<applications/gitlab>`                                                     ✔    ✔
-.. image:: applications/glpi_logo.png                             :doc:`GLPI<applications/glpi>`                       ✔                                     
+.. image:: applications/glpi_logo.png                             :doc:`GLPI<applications/glpi>`                       ✔
-.. image:: applications/googleapps_logo.png                       :doc:`Google Apps<applications/googleapps>`                                            ✔   
+.. image:: applications/googleapps_logo.png                       :doc:`Google Apps<applications/googleapps>`                                            ✔
 .. image:: applications/grafana_logo.png                          :doc:`Grafana<applications/grafana>`                                                        ✔
-.. image:: applications/grr_logo.png                              :doc:`GRR<applications/grr>`                         ✔                                     
+.. image:: applications/grr_logo.png                              :doc:`GRR<applications/grr>`                         ✔
 .. image:: applications/guacamole.png                             :doc:`Apache Guacamole<applications/guacamole>`      ✔                             ✔        ✔
 .. image:: applications/humhub_logo.png                           :doc:`HumHub<applications/humhub>`                                                          ✔
-.. image:: applications/logo-jitsimeet.png                        :doc:`Jitsi Meet<applications/jitsimeet>`            ✔                                     
+.. image:: applications/logo-jitsimeet.png                        :doc:`Jitsi Meet<applications/jitsimeet>`            ✔
-.. image:: applications/liferay_logo.png                          :doc:`Liferay<applications/liferay>`                 ✔                                     
+.. image:: applications/liferay_logo.png                          :doc:`Liferay<applications/liferay>`                 ✔
-.. image:: applications/limesurvey_logo.png                       :doc:`LimeSurvey<applications/limesurvey>`           ✔                                     
+.. image:: applications/limesurvey_logo.png                       :doc:`LimeSurvey<applications/limesurvey>`           ✔
 .. image:: applications/mattermost_logo.png                       :doc:`Mattermost<applications/mattermost>`                                                  ✔
-.. image:: applications/mediawiki_logo.png                        :doc:`Mediawiki<applications/mediawiki>`             ✔                                     
+.. image:: applications/mediawiki_logo.png                        :doc:`Mediawiki<applications/mediawiki>`             ✔
-.. image:: applications/nextcloud-logo.png                        :doc:`NextCloud<applications/nextcloud>`                                               ✔   
+.. image:: applications/nextcloud-logo.png                        :doc:`NextCloud<applications/nextcloud>`                                               ✔
-.. image:: applications/obm_logo.png                              :doc:`OBM<applications/obm>`                         ✔                                     
+.. image:: applications/obm_logo.png                              :doc:`OBM<applications/obm>`                         ✔
-.. image:: applications/logo_office_365.png                       :doc:`Office 365<applications/office365>`                                              ✔   
+.. image:: applications/logo_office_365.png                       :doc:`Office 365<applications/office365>`                                              ✔
-.. image:: applications/phpldapadmin_logo.png                     :doc:`phpLDAPAdmin<applications/phpldapadmin>`       ✔                                     
+.. image:: applications/phpldapadmin_logo.png                     :doc:`phpLDAPAdmin<applications/phpldapadmin>`       ✔
-.. image:: applications/roundcube_logo.png                        :doc:`Roundcube<applications/roundcube>`             ✔                                     
+.. image:: applications/roundcube_logo.png                        :doc:`Roundcube<applications/roundcube>`             ✔
-.. image:: applications/salesforce-logo.jpg                       :doc:`SalesForce<applications/salesforce>`                                             ✔   
+.. image:: applications/salesforce-logo.jpg                       :doc:`SalesForce<applications/salesforce>`                                             ✔
-.. image:: applications/SAPLogo.gif                               :doc:`SAP<applications/sap>`                         ✔                                 ✔   
+.. image:: applications/SAPLogo.gif                               :doc:`SAP<applications/sap>`                         ✔                                 ✔
-.. image:: applications/simplesamlphp_logo.png                    :doc:`simpleSAMLphp<applications/simplesamlphp>`                                       ✔   
+.. image:: applications/simplesamlphp_logo.png                    :doc:`simpleSAMLphp<applications/simplesamlphp>`                                       ✔
-.. image:: applications/spring_logo.png                           :doc:`Spring<applications/spring>`                   ✔                                     
+.. image:: applications/spring_logo.png                           :doc:`Spring<applications/spring>`                   ✔
-.. image:: applications/symfony_logo.png                          :doc:`Symfony<applications/symfony>`                 ✔                                     
+.. image:: applications/symfony_logo.png                          :doc:`Symfony<applications/symfony>`                 ✔
-.. image:: applications/sympa_logo.png                            :doc:`Sympa<applications/sympa>`                     ✔                                     
+.. image:: applications/sympa_logo.png                            :doc:`Sympa<applications/sympa>`                     ✔
-.. image:: applications/tomcat_logo.png                           :doc:`Tomcat<applications/tomcat>`                   ✔                                     
+.. image:: applications/tomcat_logo.png                           :doc:`Tomcat<applications/tomcat>`                   ✔
-.. image:: applications/wordpress_logo.png                        :doc:`Wordpress<applications/wordpress>`                                           ✔       
+.. image:: applications/wordpress_logo.png                        :doc:`Wordpress<applications/wordpress>`                                           ✔
-.. image:: applications/xwiki.png                                 :doc:`XWiki<applications/xwiki>`                     ✔                                     
+.. image:: applications/xwiki.png                                 :doc:`XWiki<applications/xwiki>`                     ✔
-.. image:: applications/zimbra_logo.png                           :doc:`Zimbra<applications/zimbra>`                                ✔                        
+.. image:: applications/zimbra_logo.png                           :doc:`Zimbra<applications/zimbra>`                                ✔
 ================================================================= ==================================================== ============ ================ === ==== ====

doc/sources/admin/applications/adfs.rst

@@ -11,7 +11,7 @@ Identity/Service Provider, compatible with several protocols, including
 SAML 2.0.
 
 
-.. important:: 
+.. important::
 
     This documentation does not explains how to setup ADFS,
     but give only tricks to make it works with LL::NG

doc/sources/admin/applications/alfresco.rst

@@ -17,7 +17,7 @@ Authentication against LL::NG can be done trough:
 -  SAML 2 (LL::NG as SAML2 IDP)
 
 
-.. tip:: 
+.. tip::
 
     Alfresco now recommends SAML2 method
 
@@ -30,10 +30,10 @@ Alfresco
 ~~~~~~~~
 
 
-.. tip:: 
+.. tip::
 
     The official documentation can be found here:
-    http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html\ 
+    http://docs.alfresco.com/4.0/tasks/auth-alfrescoexternal-sso.html\
 
 You need to find the following files in your Alfresco installation:
 
@@ -102,7 +102,7 @@ the ``<endpoint>``, change ``<connector-id>`` value to
 You need to restart Tomcat to apply changes.
 
 
-.. warning:: 
+.. warning::
 
     Now you can log in with a simple HTTP header. You need to
     restrict access to Alfresco to LL::NG.
@@ -171,13 +171,13 @@ Edit then ``share-config-custom.xml``:
        ...
            <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
 
-        
+
 
            <!--
                If using https make a CSRFPolicy with replace="true" and override the properties section.
                Note, localhost is there to allow local checks to succeed.
 
-        
+
 
                I.e.
                <properties>
@@ -187,15 +187,15 @@ Edit then ``share-config-custom.xml``:
                </properties>
            -->
 
-        
+
 
                <filter>
 
-        
+
 
                    <!-- SAML SPECIFIC CONFIG -  START -->
 
-        
+
 
                    <!--
                     Since we have added the CSRF filter with filter-mapping of "/*" we will catch all public GET to avoid them
@@ -208,7 +208,7 @@ Edit then ``share-config-custom.xml``:
                        </request>
                    </rule>
 
-        
+
 
                    <!-- Incoming posts from IDPs do not require a token -->
                    <rule>
@@ -218,15 +218,15 @@ Edit then ``share-config-custom.xml``:
                        </request>
                    </rule>
 
-        
+
 
                    <!-- SAML SPECIFIC CONFIG -  STOP -->
 
-        
+
 
                    <!-- EVERYTHING BELOW FROM HERE IS COPIED FROM share-security-config.xml -->
 
-        
+
 
                    <!--
                     Certain webscripts shall not be allowed to be accessed directly form the browser.
@@ -241,7 +241,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!--
                     Certain Repo webscripts should be allowed to pass without a token since they have no Share knowledge.
@@ -260,7 +260,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!--
                     Certain Surf POST requests from the WebScript console must be allowed to pass without a token since
@@ -279,7 +279,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!-- Certain Share POST requests does NOT require a token -->
                    <rule>
@@ -295,7 +295,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!-- Assert logout is done from a valid domain, if so clear the token when logging out -->
                    <rule>
@@ -315,7 +315,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!-- Make sure the first token is generated -->
                    <rule>
@@ -332,7 +332,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!-- Refresh token on new "page" visit when a user is logged in -->
                    <rule>
@@ -350,7 +350,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!--
                     Verify multipart requests from logged in users contain the token as a parameter
@@ -376,7 +376,7 @@ Edit then ``share-config-custom.xml``:
                        </action>
                    </rule>
 
-        
+
 
                    <!--
                     Verify that all remaining state changing requests from logged in users' requests contains a token in the

doc/sources/admin/applications/authbasic.rst

@@ -7,7 +7,7 @@ Presentation
 ------------
 
 
-.. important:: 
+.. important::
 
     For now, this feature is only supported by Apache
     handler.
@@ -63,7 +63,7 @@ So the above example can also be written like this:
    Authorization => basic($uid,$_password)
 
 
-.. tip:: 
+.. tip::
 
     The ``basic`` function will also force conversion from UTF-8
     to ISO-8859-1, which should be accepted by most of HTTP servers.

doc/sources/admin/applications/aws.rst

@@ -29,7 +29,7 @@ SAML
    name so people know which account is which.
 
 
-.. important:: 
+.. important::
 
     If you have only one role, the configuration is simple. If you
     have multiple roles for different people, it is a little trickier. As
@@ -41,15 +41,15 @@ SAML
     user has attributes which are used quite heavily for dynamic groups and
     authorisation. You will want something similar, using whatever attribute
     makes sense to you. For example:
-    
+
     .. code::
-    
+
          dn: uid=user,ou=people,dc=your,dc=com
          ...
          ou: sysadmin
          ou: database
          ou: root
-    
+
 
 
 -  Assuming you use the web interface to manage lemonldap, go to General

doc/sources/admin/applications/bugzilla.rst

@@ -48,7 +48,7 @@ Configure Bugzilla virtual host like other
           PerlHeaderParserHandler Lemonldap::NG::Handler
 
           ...
-          
+
    </VirtualHost>
 
 -  For Nginx:
@@ -71,8 +71,8 @@ Configure Bugzilla virtual host like other
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location / {
        auth_request /lmauth;
@@ -80,9 +80,9 @@ Configure Bugzilla virtual host like other
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-    
+
        ...
-    
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -96,9 +96,9 @@ Bugzilla virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for Bugzilla.
 
-Configure the :doc:`access rules<../writingrulesand_headers>`.
+Configure the :ref:`rules<rules>`.
 
-Configure the following :doc:`headers<../writingrulesand_headers>`.
+Configure the following :ref:`header<headers>`.
 
 -  **Auth-User**: $uid
 -  **Auth-Mail**: $mail

doc/sources/admin/applications/cornerstone.rst

@@ -56,7 +56,7 @@ Now we will add CSOD as a new SAML Service Provider:
    </md:EntityDescriptor>
 
 
-.. important:: 
+.. important::
 
     Change **mycompanyid** (in ``AssertionConsumerService``
     markup, parameter ``Location``) into your CSOD company ID and put the

doc/sources/admin/applications/dokuwiki.rst

@@ -14,7 +14,7 @@ readable outside the Wiki and eases the creation of structured texts.
 All data is stored in plain text files – no database is required.
 
 
-.. tip:: 
+.. tip::
 
     LemonLDAP::NG wiki uses Dokuwiki!
 
@@ -57,7 +57,7 @@ Configure Dokuwiki virtual host like other
           PerlHeaderParserHandler Lemonldap::NG::Handler
 
           ...
-          
+
    </VirtualHost>
 
 -  For Nginx:
@@ -80,8 +80,8 @@ Configure Dokuwiki virtual host like other
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location / {
        auth_request /lmauth;
@@ -89,9 +89,9 @@ Configure Dokuwiki virtual host like other
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-    
+
        ...
-    
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -105,9 +105,9 @@ Dokuwiki virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for Dokuwiki.
 
-Configure the :doc:`access rules<../writingrulesand_headers>`.
+Configure the :ref:`access rules<rules>`.
 
-Configure the :doc:`headers<../writingrulesand_headers>`:
+Configure the :ref:`headers<headers>`:
 
 -  Auth-User $uid
 -  Auth-Cn: $cn
@@ -115,7 +115,7 @@ Configure the :doc:`headers<../writingrulesand_headers>`:
 -  Auth-Groups: encode_base64($groups,"")
 
 
-.. important:: 
+.. important::
 
     To allow execution of encode_base64() method, you must
     deactivate the :doc:`Safe jail<../safejail>`.

doc/sources/admin/applications/drupal.rst

@@ -34,7 +34,7 @@ Configure Drupal virtual host like other
 :doc:`protected virtual host<../configvhost>`.
 
 
-.. important:: 
+.. important::
 
     If you are protecting Drupal with LL::NG as reverse
     proxy,
@@ -50,7 +50,7 @@ Configure Drupal virtual host like other
           PerlHeaderParserHandler Lemonldap::NG::Handler
 
           ...
-          
+
    </VirtualHost>
 
 -  For Nginx:
@@ -73,8 +73,8 @@ Configure Drupal virtual host like other
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location / {
        auth_request /lmauth;
@@ -82,9 +82,9 @@ Configure Drupal virtual host like other
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-    
+
        ...
-    
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -98,10 +98,10 @@ Drupal virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for Drupal.
 
-Just configure the :doc:`access rules<../writingrulesand_headers>`.
+Just configure the :ref:`access rules<rules>`.
 
 If using LL::NG as reverse proxy, configure the ``Auth-User``
-:doc:`header<../writingrulesand_headers>`, else no headers are needed.
+:ref:`header<headers>`, else no headers are needed.
 
 Protect only the administration pages
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -110,7 +110,7 @@ With the above solution, all the Drupal site will be protected, so no
 anonymous access will be allowed.
 
 
-.. important:: 
+.. important::
 
     You cannot use the ``unprotect`` rule because Drupal
     navigation is based on query strings (?q=admin, ?q=user, etc.), and

doc/sources/admin/applications/gitlab.rst

@@ -51,15 +51,15 @@ Find the gitlab.rb file and add these settings:
    ]
 
 
-.. tip:: 
+.. tip::
 
     To get the fingerprint of IDP certificate, copy SAML
     certificate from LL::NG configuration in a file and use openssl:
-    
+
     ::
-    
+
        openssl x509 -in CERT.pem -noout -fingerprint
-    
+
 
 
 You can force SAML by default with this option:
@@ -96,7 +96,7 @@ Register them in LL::NG and send these SAML attributes:
 -  cn => name
 
 
-.. important:: 
+.. important::
 
     The value from LL::NG mail session attribute must be the
     email of the user in Gitlab database, in order to associate
@@ -180,10 +180,10 @@ Add an OpenID Connect RP to LemonLDAP::NG
    LemonLDAP::NG session is mapped to the ``email`` claim.
 
 
-.. important:: 
+.. important::
 
     You need to set a key identifier, or you will get a
-    *JSON::JWK::Set::KidNotFound* error on Gitlab 
+    *JSON::JWK::Set::KidNotFound* error on Gitlab
 
 .. |image0| image:: /applications/gitlab_logo.png
    :class: align-center

doc/sources/admin/applications/googleapps.rst

@@ -26,7 +26,7 @@ Google Apps control panel
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
-.. important:: 
+.. important::
 
     This part is based on `SimpleSAMLPHP
     documentation <http://simplesamlphp.org/docs/1.6/simplesamlphp-googleapps>`__.
@@ -55,7 +55,7 @@ Now configure all SAML parameters:
    Example: http://auth.example.com
 
 
-.. important:: 
+.. important::
 
     You must check the option
     ``Use a specific domain transmitter`` to force Google Apps to send the
@@ -79,10 +79,10 @@ use openssl to generate an auto-signed certificate:
 You can now the upload the certificate (``cert.pem``) on Google Apps.
 
 
-.. tip:: 
+.. tip::
 
     You can also use the certificate instead of public key in SAML
-    metadata, see :doc:`SAML service configuration<../samlservice>`\ 
+    metadata, see :doc:`SAML service configuration<../samlservice>`\
 
 New Service Provider
 ~~~~~~~~~~~~~~~~~~~~
@@ -112,7 +112,7 @@ Now we will add Google Apps as a new SAML Service Provider:
    </md:EntityDescriptor>
 
 
-.. important:: 
+.. important::
 
     Change **mydomain.org** (in ``AssertionConsumerService``
     markup, parameter ``Location``) into your Google Apps domain. Also adapt
@@ -134,7 +134,7 @@ You need to adapt some parameters:
    ``On`` to always display it
 
 
-.. important:: 
+.. important::
 
     Change **mydomain.org** into your Google Apps
     domain
@@ -155,7 +155,7 @@ To manage the other way (LL::NG → Google Apps), you can add a dedicated
    GoogleApps => http://www.google.com/calendar/hosted/mydomain.org/logout
 
 
-.. important:: 
+.. important::
 
     Change **mydomain.org** into your Google Apps
     domain

doc/sources/admin/applications/grafana.rst

@@ -31,9 +31,9 @@ Your configuration file will have to look something like this:
    client_id = CHOOSE_A_CLIENT_ID
    client_secret = CHOOSE_A_CLIENT_SECRET
    scopes = openid email profile
-   auth_url = https://auth.example.com/oauth2/authorize 
+   auth_url = https://auth.example.com/oauth2/authorize
-   token_url = https://auth.example.com/oauth2/token 
+   token_url = https://auth.example.com/oauth2/token
-   api_url = https://auth.example.com/oauth2/userinfo 
+   api_url = https://auth.example.com/oauth2/userinfo
    allow_sign_up = true
    name = LemonLDAP::NG
    send_client_credentials_via_post = false

doc/sources/admin/applications/guacamole.rst

@@ -43,11 +43,11 @@ Your Guacamole configuration directory will look something like this.
    └── guacamole.properties
 
 
-.. warning:: 
+.. warning::
 
     Make sure to rename the JAR in a way that `ensures that it
     will be loaded
-    first <https://lists.apache.org/thread.html/b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E>`__\ 
+    first <https://lists.apache.org/thread.html/b781a5c4e4d14f7ce297200ba6886d888df4333f83836220ac8b69f1@%3Cuser.guacamole.apache.org%3E>`__\
 
 And ``guacamole.properties`` should contain at least
 
@@ -61,7 +61,7 @@ And ``guacamole.properties`` should contain at least
    openid-username-claim-type: sub
 
 
-.. tip:: 
+.. tip::
 
     Remplace the ``redirect uri`` with your Guacamole server's URL
 

doc/sources/admin/applications/humhub.rst

@@ -23,7 +23,7 @@ authenticated by LemonLDAP::NG will be registered in HumHub upon their
 first login.
 
 
-.. warning:: 
+.. warning::
 
     HumHub retrieves a user from his username and the
     authentication service he came through. As a result, a former local or
@@ -36,12 +36,12 @@ OpenID Connect
 --------------
 
 
-.. note:: 
+.. note::
 
     This set-up works with option enablePrettyUrl activated in
     Humhub. If not activated, rewrite URL in Humhub HTTP server and allowed
     redirect URL in LemonLDAP needs to be adapted to work with the non
-    pretty URL format. 
+    pretty URL format.
 
 Configuring HumHub
 ~~~~~~~~~~~~~~~~~~
@@ -82,10 +82,10 @@ composer :
    composer update worteks/humhub-auth-oidc  --no-dev --prefer-dist -vvv
 
 
-.. note:: 
+.. note::
 
     If you just need to update the connector, change its version
-    in composer.json and run the above composer update command. 
+    in composer.json and run the above composer update command.
 
 ::
 
@@ -142,7 +142,7 @@ can set up a redirection in the http server in front of the application
 
 ::
 
-   if ($query_string !~ "nosso"){                                                                       
+   if ($query_string !~ "nosso"){
      rewrite ^/user/auth/login$ /user/auth/external?authclient=lemonldapng permanent;
    }
 

doc/sources/admin/applications/jitsimeet.rst

@@ -95,23 +95,23 @@ Jitsi Meet Virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for Jitsi Meet.
 
-Configure the :doc:`access rules<../writingrulesand_headers>`.
+Configure the :ref:`access rules<rules>`.
 
 ::
 
      * Don't forget to configure the /logout/ URL
 
-Configure the following :doc:`headers<../writingrulesand_headers>`.
+Configure the following :ref:`headers<headers>`.
 
 -  **mail**: $mail
 -  **displayName**: $cn
 
 
-.. warning:: 
+.. warning::
 
     Jitsi meet expects to find a ``mail`` HTTP header, it
     will ignore REMOTE_USER and only use the mail value to identify the
-    user. 
+    user.
 
 .. |image0| image:: /applications/logo-jitsimeet.png
    :class: align-center

doc/sources/admin/applications/liferay.rst

@@ -18,7 +18,7 @@ Of course, integration will be full if you use the LDAP directory as
 users backend for LL::NG and Liferay.
 
 
-.. important:: 
+.. important::
 
     If the user is not created, or can not be created via
     LDAP import, the connection to Liferay will be refused. With LDAP,
@@ -59,7 +59,7 @@ In ``General``, fill at least the following information:
 -  **How do users authenticate?**: by login
 
 
-.. tip:: 
+.. tip::
 
     We advice to deactivate other options, cause users will use
     LL::NG portal to modify or reset their password.
@@ -67,16 +67,16 @@ In ``General``, fill at least the following information:
 |image6|
 
 
-.. important:: 
+.. important::
 
     You need to activate LDAP authentication, else SSO
     authentication will not work. Do this in the control panel or in the
     configuration file:
-    
+
     ::
-    
+
        ldap.auth.enabled=true
-    
+
 
 
 Then use the ``SiteMinder`` tab to configure SSO:
@@ -88,7 +88,7 @@ Then use the ``SiteMinder`` tab to configure SSO:
 |image7|
 
 
-.. important:: 
+.. important::
 
     Do not forget to save your changes!
 
@@ -108,7 +108,7 @@ Configure Liferay virtual host like other
           PerlHeaderParserHandler Lemonldap::NG::Handler
 
           ...
-          
+
    </VirtualHost>
 
 -  For Nginx:
@@ -131,8 +131,8 @@ Configure Liferay virtual host like other
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location / {
        auth_request /lmauth;
@@ -140,9 +140,9 @@ Configure Liferay virtual host like other
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-    
+
        ...
-    
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -156,14 +156,14 @@ Liferay virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for Liferay.
 
-Just configure the :doc:`access rules<../writingrulesand_headers>`. You
+Just configure the :ref:`access rules<rules>`. You
 can add a rule for logout:
 
 ::
 
     ^/c/portal/logout => logout_sso
 
-Configure the ``Auth-User`` :doc:`header<../writingrulesand_headers>`.
+Configure the ``Auth-User`` :ref:`header<headers>`.
 
 .. |image0| image:: /applications/liferay_logo.png
    :class: align-center

doc/sources/admin/applications/limesurvey.rst

@@ -19,7 +19,7 @@ To have a stronger integration, we will configure LimeSurvey to
 autocreate unknown users and use HTTP headers to fill name and mail.
 
 
-.. important:: 
+.. important::
 
     We suppose that LimeSurvey is installed in
     /var/www/html/limesurvey
@@ -35,15 +35,15 @@ manager. Select the WebServer module and configure it.
 This is enough for the authentication part.
 
 
-.. tip:: 
+.. tip::
 
     If you are blocked, you can deactivate the plugin with this
     request in database:
-    
+
     ::
-    
+
        update lime_plugins SET active=0 where name="Authwebserver";
-    
+
 
 
 To configure account autocreation, you need to edit
@@ -106,15 +106,15 @@ Default   default     Allow only users with a LimeSurvey role
 ========= =========== ========================================
 
 
-.. tip:: 
+.. tip::
 
     You can set the default access to:
-    
+
     ::
-    
+
         * **accept**: all authenticated users will access surveys
-        * **unprotect**: no authentication will be asked to access surveys 
+        * **unprotect**: no authentication will be asked to access surveys
-    
+
 
 
 .. |image0| image:: /applications/limesurvey_logo.png

doc/sources/admin/applications/mattermost.rst

@@ -30,10 +30,10 @@ integrated with LemonLDAP::NG without having to use a
 :doc:`Gitlab<gitlab>` server.
 
 
-.. warning:: 
+.. warning::
 
     The following configuration requires your user database
-    to expose a unique numeric identifier for every user. 
+    to expose a unique numeric identifier for every user.
 
 Configuring Mattermost Team Edition
 -----------------------------------
@@ -106,16 +106,16 @@ with the following parameters:
          * ''id'': session attribute containing the user's numeric ID
 
 
-.. warning:: 
+.. warning::
 
     Mattermost absolutely needs to receive a numerical value
     in the ``id`` claim. If you are using a LDAP server, you could use the
     ``uidNumber`` LDAP attribute. If you use something else, you will have
     to find a trick to assign a unique numeric ID to each Mattermost user.
-    
+
     The ``id`` attribute has to be different for each user, since this is
     the field Mattermost will use internally to map Gitlab identities to
-    Mattermost accouts. 
+    Mattermost accouts.
 
 Troubleshooting
 ~~~~~~~~~~~~~~~

doc/sources/admin/applications/mediawiki.rst

@@ -87,7 +87,7 @@ Add then extension configuration, for example:
    $wgHooks['PersonalUrls'][] = 'StripLogin';
 
 
-.. warning:: 
+.. warning::
 
     In last version of Auth_remoteuser and Mediawiki, empty
     passwords are not authorized, so you may need to patch the extension
@@ -100,7 +100,7 @@ Add then extension configuration, for example:
    sed -i "s/'wpPassword' => ''/'wpPassword' => 'none'/" extensions/Auth_remoteuser/Auth_remoteuser.body.php
 
 
-.. warning:: 
+.. warning::
 
     In last version of Auth_remoteuser and Mediawiki,
     auto-provisioning requires REMOTE_USER to match the normalized mediawiki
@@ -121,7 +121,7 @@ Configure MediaWiki virtual host like other
 :doc:`protected virtual host<../configvhost>`.
 
 
-.. important:: 
+.. important::
 
     If you are protecting MediaWiki with LL::NG as reverse
     proxy,
@@ -137,7 +137,7 @@ Configure MediaWiki virtual host like other
           PerlHeaderParserHandler Lemonldap::NG::Handler
 
           ...
-          
+
    </VirtualHost>
 
 -  For Nginx:
@@ -160,8 +160,8 @@ Configure MediaWiki virtual host like other
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location / {
        auth_request /lmauth;
@@ -169,9 +169,9 @@ Configure MediaWiki virtual host like other
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-    
+
        ...
-    
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -185,7 +185,7 @@ MediaWiki virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for MediaWiki.
 
-Just configure the :doc:`access rules<../writingrulesand_headers>`. You
+Just configure the :ref:`access rules<rules>`. You
 can also add a rule for logout:
 
 ::
@@ -201,7 +201,7 @@ extension configuration):
    Auth-Mail => $mail
 
 If using LL::NG as reverse proxy, configure also the ``Auth-User``
-:doc:`header<../writingrulesand_headers>`,
+:ref:`header<headers>`,
 
 .. |image0| image:: /applications/mediawiki_logo.png
    :class: align-center

doc/sources/admin/applications/nextcloud.rst

@@ -25,18 +25,18 @@ You need to `install the
 software <https://docs.nextcloud.com/server/10/admin_manual/installation/index.html>`__.
 
 
-.. tip:: 
+.. tip::
 
     If your NextCloud is behind a proxy (thus having a private
     IP), metadata generated by NextCloud won't work.
-    
+
     Consider changing the configuration of NextCloud to force the domain, in
     **$nextcloudrootwww/config/config.php**, add the following:
-    
+
     .. code:: php
-    
+
        'overwritehost' => 'nextcloud.example.com',
-    
+
 
 
 You also need to enable the "SAML authentication" plugin in your

doc/sources/admin/applications/nginx.rst

@@ -2,7 +2,7 @@ Nginx
 =====
 
 
-.. important:: 
+.. important::
 
     Nginx is fully supported by LemonLDAP::NG since version
     1.9.

doc/sources/admin/applications/obm.rst

@@ -123,14 +123,14 @@ Edit also OBM configuration to enable LL::NG Handler:
 
    <VirtualHost *:80>
        ServerName obm.example.com
-       
+
        # SSO protection
        PerlHeaderParserHandler Lemonldap::NG::Handler
 
        DocumentRoot /usr/share/obm/php
 
        ...
-       
+
    </VirtualHost>
 
 -  For Nginx:
@@ -153,8 +153,8 @@ Edit also OBM configuration to enable LL::NG Handler:
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location ~ \.php$ {
        auth_request /lmauth;
@@ -164,7 +164,7 @@ Edit also OBM configuration to enable LL::NG Handler:
        try_files $uri $uri/ =404;
 
        ...
-    
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -191,7 +191,7 @@ To add these attributes, go in Manager, ``Variables`` »
 ``Exported Variables``.
 
 
-.. important:: 
+.. important::
 
     If you plan to forward user's password to OBM, then you
     have to :doc:`keep the password in session<../passwordstore>`.
@@ -200,9 +200,9 @@ You may also create these macros to manage OBM administrator account
 (``Variables`` » ``Macros``):
 
 ===== ====================================================== =============================== == ==============================
-field value                                                                                    
+field value
 ===== ====================================================== =============================== == ==============================
-uidR  ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid                                   
+uidR  ($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid
 mailR %%($uid =~ /                                           admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com" %%
 ===== ====================================================== =============================== == ==============================
 

doc/sources/admin/applications/phpldapadmin.rst

@@ -15,7 +15,7 @@ phpLDAPadmin will be protected by LemonLDAP::NG with specific access
 rules.
 
 
-.. warning:: 
+.. warning::
 
     phpLDAPadmin will have no idea of the user connected to
     the WebSSO. So a simple user can have admin rights on the LDAP directory
@@ -52,7 +52,7 @@ Configure phpLDAPadmin virtual host like other
           PerlHeaderParserHandler Lemonldap::NG::Handler
 
           ...
-          
+
    </VirtualHost>
 
 -  For Nginx:
@@ -75,8 +75,8 @@ Configure phpLDAPadmin virtual host like other
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location / {
        auth_request /lmauth;
@@ -84,9 +84,9 @@ Configure phpLDAPadmin virtual host like other
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-    
+
        ...
-    
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -100,9 +100,9 @@ phpLDAPadmin virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for phpLDAPadmin.
 
-Just configure the :doc:`access rules<../writingrulesand_headers>`.
+Just configure the :ref:`access rules<rules>`.
 
-No :doc:`headers<../writingrulesand_headers>` are required.
+No :ref:`headers<headers>` are required.
 
 .. |image0| image:: /applications/phpldapadmin_logo.png
    :class: align-center

doc/sources/admin/applications/roundcube.rst

@@ -26,10 +26,10 @@ LemonLDAP::NG
 -  in HTTP headers, you need Auth-User ($mail) and Auth-Pw ($_password).
 
 
-.. important:: 
+.. important::
 
     To be able to forward password to RoundCube, see
-    :doc:`how to store password in session<../passwordstore>`\ 
+    :doc:`how to store password in session<../passwordstore>`\
 
 -  Configure :doc:`Apache or Nginx virtual host<../configvhost>`
 

doc/sources/admin/applications/salesforce.rst

@@ -46,7 +46,7 @@ Finally, just ensure that at least:
 match with the correct values. (adapt the domain if necessary)
 
 
-.. important:: 
+.. important::
 
     For now, the authentication service parameter has no
     domain available. You must come back later to fill this parameter. Once
@@ -54,7 +54,7 @@ match with the correct values. (adapt the domain if necessary)
     the login form, and you'll have an automatic redirection to your
     Identity Provider (no need for the user to click). Note that you can
     always access Salesforce by the general login page:
-    https://login.salesforce.com\ 
+    https://login.salesforce.com\
 
 SAML settings
 ~~~~~~~~~~~~~

doc/sources/admin/applications/simplesamlphp.rst

@@ -90,7 +90,7 @@ Then set some attributes that will be sent to simpleSAMLphp:
 |image2|
 
 
-.. tip:: 
+.. tip::
 
     Set ``Mandatory`` to ``On`` to force attributes in
     authentication response.
@@ -120,7 +120,7 @@ internal PHP representation. Copy the ``saml20-idp-remote`` content:
    ?>
 
 
-.. tip:: 
+.. tip::
 
     Don't forget PHP start and end tag to have a valid PHP
     file.
@@ -183,7 +183,7 @@ And create a default IDP configuration:
    ?>
 
 
-.. important:: 
+.. important::
 
     You need to configure your own certificates and
     authentication scheme
@@ -198,7 +198,7 @@ List attributes you want to collect:
 |image6|
 
 
-.. tip:: 
+.. tip::
 
     You can keep ``Mandatory`` to ``Off`` to not fail if attribute
     is not sent by IDP
@@ -227,7 +227,7 @@ internal PHP representation. Copy the ``saml20-sp-remote`` content:
    ?>
 
 
-.. tip:: 
+.. tip::
 
     Don't forget PHP start and end tag to have a valid PHP
     file.

doc/sources/admin/applications/sympa.rst

@@ -13,7 +13,7 @@ URL is protected by LL::NG, Sympa will display a button for users who
 wants to use this feature.
 
 
-.. tip:: 
+.. tip::
 
     Since version 1.9 of LLNG, old Auto-Login feature has been
     removed since it works only with Sympa-5 which has been deprecated
@@ -44,11 +44,11 @@ And fill it:
            logout_url                          http://sympa.example.com/wws/logout
 
 
-.. tip:: 
+.. tip::
 
     You can also disable internal Sympa authentication to keep
     only LemonLDAP::NG by removing user_table paragraph
-    
+
     Note that if you use FastCGI, you must restart Apache to enable changes.
 
 
@@ -63,7 +63,7 @@ Configure Sympa virtual host like other
 authentication URL.
 
 
-.. tip:: 
+.. tip::
 
     The location URL end is based on the ``service_id`` defined in
     Sympa apache configuration.
@@ -78,9 +78,9 @@ authentication URL.
           <Location /wws/sso_login/lemonldapng>
           PerlHeaderParserHandler Lemonldap::NG::Handler
           </Location>
-          
+
           ...
-          
+
    </VirtualHost>
 
 -  For Nginx:
@@ -103,8 +103,8 @@ authentication URL.
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will received /llauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
-    
+
      # Client requests
      location /wws/sso_login/lemonldapng {
        auth_request /lmauth;
@@ -112,9 +112,9 @@ authentication URL.
        auth_request_set $lmlocation $upstream_http_location;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-       
+
        ...
-        
+
        include /etc/lemonldap-ng/nginx-lua-headers.conf;
      }
      location / {
@@ -128,8 +128,8 @@ Sympa virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for Sympa.
 
-Configure the :doc:`access rules<../writingrulesand_headers>` and define
+Configure the :ref:`access rules<rules>` and define
-the following :doc:`headers<../writingrulesand_headers>`:
+the following :ref:`headers<headers>`:
 
 -  Auth-User
 -  Mail

doc/sources/admin/applications/tomcat.rst

@@ -4,7 +4,7 @@ Apache Tomcat
 |image0|
 
 
-.. important:: 
+.. important::
 
     The Tomcat Valve is only available for tomcat 5.5 or
     greater.
@@ -32,7 +32,7 @@ authentication:
      <user username="role1" password="tomcat" roles="role1"/>
      <user username="both" password="tomcat" roles="tomcat,role1"/>
    </tomcat-users>
-    
+
 
 LL::NG provides a valve, available on :doc:`download page</download>`.
 This valve will check an HTTP header to set the authenticated user on
@@ -48,7 +48,7 @@ Copy ``ValveLemonLDAPNG.jar`` in ``<TOMCAT_HOME>/server/lib``:
    cp ValveLemonLDAPNG.jar server/lib/
 
 
-.. tip:: 
+.. tip::
 
     If needed, you can
     :doc:`recompile the valve from the sources<>`.
@@ -79,7 +79,7 @@ Configure attributes:
    present, a 403 error is sent.
 
 
-.. tip:: 
+.. tip::
 
     For debugging, this valve can print some helpful information
     in debug level. See `how configure logging in
@@ -100,15 +100,15 @@ Required :
 Configure your tomcat home in ``build.properties`` files.
 
 
-.. important:: 
+.. important::
 
     Be careful for Windows user, path must contains "/".
     Example:
-    
+
     ::
-    
+
        c:/my hardisk/tomcat/
-    
+
 
 
 Next run ant command:

doc/sources/admin/applications/wekan.rst

@@ -31,11 +31,11 @@ theses :
      * **OAUTH2_ID_MAP**: ''sub''
 
 
-.. warning:: 
+.. warning::
 
     Be careful to the / in server_url and endpoints, the
     complete URL need to be valid, ie auth.example.com/ for url & oauth2/xxx
-    for endpoints, OR, auth.example.com & /oauth2/xxx for endpoints. 
+    for endpoints, OR, auth.example.com & /oauth2/xxx for endpoints.
 
 Configuring LemonLDAP
 ~~~~~~~~~~~~~~~~~~~~~
@@ -59,11 +59,11 @@ with the following parameters:
 ^^^^^^^^^^^^^^^^^^
 
 
-.. warning:: 
+.. warning::
 
     OIDC login fails when an user as a multi-valued email
     attribute, this need to be fixed on wekan's side, we can bypass that by
-    telling lemonldap to only send one email 
+    telling lemonldap to only send one email
 
 Create a new macro, name it (_singleMail is an example), the macro
 should contain ``(split(/; /,$mail))[1]``

doc/sources/admin/applications/xwiki.rst

@@ -71,9 +71,9 @@ Xwiki virtual host in Manager
 Go to the Manager and :doc:`create a new virtual host<../configvhost>`
 for Xwiki.
 
-Configure the :doc:`access rules<../writingrulesand_headers>`.
+Configure the :ref:`access rules<rules>`.
 
-Configure the :doc:`headers<../writingrulesand_headers>`:
+Configure the :ref:`headers<headers>`:
 
 -  remote_user: $uid
 -  remote_groups: encode_base64($groups,'')

doc/sources/admin/applications/zimbra.rst

@@ -21,7 +21,7 @@ SSO on its application. This protocol is implemented in an LL::NG
 specific Handler.
 
 
-.. tip:: 
+.. tip::
 
     Zimbra can also be connected to LL::NG via
     :doc:`SAML protocol<../idpsaml>` (see `Zimbra
@@ -77,20 +77,20 @@ Zimbra parameters are the following:
    (by default: ^/zimbrasso$)
 
 
-.. important:: 
+.. important::
 
     Due to Handler API change in 1.9, you need to set these
     attributes in ``lemonldap-ng.ini`` and not in Manager, for example:
-    
+
     .. code:: ini
-    
+
        [handler]
        zimbraPreAuthKey = XXXX
        zimbraAccountKey = uid
        zimbraBy =id
        zimbraUrl = /service/preauth
        zimbraSsoUrl = ^/zimbrasso$
-    
+
 
 
 Multi-domain issues

doc/sources/admin/authad.rst

@@ -44,7 +44,7 @@ policy:
    specified in LemonLDAP::NG to do so.
 
 
-.. important:: 
+.. important::
 
     Note: since AD 2012, each user can have a specific
     password expiration policy. Then, the "maximum password age" can have

doc/sources/admin/authapache.rst

@@ -4,7 +4,7 @@ Apache
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -16,14 +16,14 @@ module <http://httpd.apache.org/docs/current/howto/auth.html>`__, for
 example Kerberos, Radius, OTP, etc.
 
 
-.. important:: 
+.. important::
 
     To authenticate users using Kerberos, you can now use
     the new :doc:`Kerberos authentication module<authkerberos>` which allow
-    one to chain Kerberos in a :doc:`combination<authcombination>`\ 
+    one to chain Kerberos in a :doc:`combination<authcombination>`\
 
 
-.. tip:: 
+.. tip::
 
     Apache authentication module will set the ``REMOTE_USER``
     environment variable, which will be used by LL::NG to get authenticated
@@ -47,7 +47,7 @@ the Apache authentication fails. Use then the
    Apache;LDAP
 
 
-.. tip:: 
+.. tip::
 
     In this case, the Apache authentication module should not
     require a valid user and not be authoritative, else Apache server will
@@ -77,7 +77,7 @@ The Kerberos configuration is quite complex. You can find some
 configuration tips :doc:`on this page<kerberos>`.
 
 
-.. tip:: 
+.. tip::
 
     Prefer new :doc:`Kerberos<authkerberos>` module.
 
@@ -93,8 +93,8 @@ In this case, you can add in the Apache authentication module:
 
 .. code:: apache
 
-         Satisfy any 
+         Satisfy any
-         Order allow,deny 
+         Order allow,deny
          allow from APPLICATIONS_IP
 
 This will bypass the authentication module for request from

doc/sources/admin/authcas.rst

@@ -4,7 +4,7 @@ CAS
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -14,7 +14,7 @@ LL::NG can delegate authentication to a CAS server. This requires `Perl
 CAS module <http://sourcesup.cru.fr/projects/perlcas/>`__.
 
 
-.. tip:: 
+.. tip::
 
     LL::NG can also act as :doc:`CAS server<idpcas>`, that allows
     one to interconnect two LL::NG systems.
@@ -23,13 +23,12 @@ LL::NG can also request proxy tickets for its protected services. Proxy
 tickets will be collected at authentication phase and stored in user
 session under the form:
 
-``_casPT``\ **serviceID** = **Proxy ticket value**
+``_casPT<serviceID>`` = **Proxy ticket value**
 
 They can then be forwarded to applications trough
-:doc:`HTTP headers<writingrulesand_headers>`.
+:ref:`HTTP headers<headers>`.
 
-
+.. tip::
-.. tip:: 
 
     CAS authentication will automatically add a
     :doc:`logout forward rule<logoutforward>` on CAS server logout URL in
@@ -42,23 +41,23 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose CAS for authentication.
 
 
-.. tip:: 
+.. tip::
 
     You can then choose any other module for users and
     password.
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in :
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``
 
 Then, go in ``CAS parameters``:
 
@@ -83,7 +82,7 @@ Then create the list of CAS servers in the manager. For each, set:
    -  **Value** Service URL (CAS service identifier)
 
 
-.. tip:: 
+.. tip::
 
     If no proxied services defined, CAS authentication will not
     activate the CAS proxy mode with this CAS server.

doc/sources/admin/authchoice.rst

@@ -40,7 +40,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose Choice for authentication.
 
 
-.. important:: 
+.. important::
 
     When ``Choice`` is selected for authentication, values
     for Users and Password modules are also forced to ``Choice``.
@@ -75,29 +75,29 @@ Define here:
    $env->{urldc} =~ /test1\.example\.com/
 
 
-.. important:: 
+.. note::
 
     Authentication request to an another URL than Portal URL can lead
     to a persistent loop between Portal and a redirection URL (pdata is not
     removed because domains mismatch). To avoid this, you have to set pdata
     cookie domain by editing ``lemonldap-ng.ini`` in section [portal]:
-    
+
     .. code:: ini
-    
+
        [portal]
        pdataDomain = example.com
-    
 
 
 
-.. tip:: 
+
+.. tip::
 
     You can prefix the key name with a digit to order them. The
     digit will not be shown on portal page. Underscore characters are also
     replaced by spaces.
 
 
-.. tip:: 
+.. tip::
 
     You can also override some LLNG parameters for each chain. See
     :doc:`Parameter list<parameterlist>` to have the key names to use

doc/sources/admin/authcombination.rst

@@ -4,7 +4,7 @@ Combination of authentication schemes
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 Presentation
@@ -42,7 +42,7 @@ must set:
    ldapServer,...
 
 
-.. important:: 
+.. note::
 
     To overload parameters, you must select a module, add a parameter
     and set its value.  For example:
@@ -50,7 +50,7 @@ must set:
 ==== ==== ============ ===========================
 Name Type Scope        Parameters
 ==== ==== ============ ===========================
-DB1  DBI  Auth only   
+DB1  DBI  Auth only
 DB2  DBI  User DB only dbiAuthChain => "mysql:..."
 ==== ==== ============ ===========================
 
@@ -71,7 +71,7 @@ JSON value:
    {"cn" => "cn", "uid" => "sAMAccounName", "mail" => "mail"}
 
 
-.. important:: 
+.. important::
 
     If your JSON is corrupted, LLNG will use it as string
     and just report a warning in logs.
@@ -104,11 +104,11 @@ Example                                 Explanation
 ======================================= =============================================================================
 
 
-.. important:: 
+.. important::
 
     Note that "or" can't be used inside a scheme. If you
     think to "[mySSL or myLDAP, myLDAP]", you must write
-    ``[mySSL, myLDAP] or [myLDAP, myLDAP]`` 
+    ``[mySSL, myLDAP] or [myLDAP, myLDAP]``
 
 ================================================== =========================================================
 Example                                            Explanation
@@ -118,13 +118,13 @@ Example                                            Explanation
 ================================================== =========================================================
 
 
-.. important:: 
+.. important::
 
     You can't use brackets in a boolean expression and "and"
     has precedence on "or".
-    
+
     If you think to "( [myLDAP] or [myDBI1] ) and [myDBI2]", you must write
-    ``[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]`` 
+    ``[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]``
 
 Tests
 ^^^^^
@@ -140,12 +140,12 @@ Example
 ======================================================================================================================= ==============================================================================
 
 
-.. important:: 
+.. important::
 
     Note that brackets can't be used except to enclose test.
-    
+
     If you wants to write ``if(...) then if...``, you must write
-    ``if(not ...) then ... else if(...)...`` 
+    ``if(not ...) then ... else if(...)...``
 
 Let's be crazy
 ^^^^^^^^^^^^^^
@@ -199,8 +199,8 @@ steps.
 ================================= =================================== ========================================================================
 Bad expression                    Solution                            Explanation
 ================================= =================================== ========================================================================
-*``[SAML] and [LDAP]``*           ``[SAML, SAML and LDAP]``           Authentication is done by SAML only but user must match an LDAP entry
+``[SAML] and [LDAP]``             ``[SAML, SAML and LDAP]``           Authentication is done by SAML only but user must match an LDAP entry
-*``[SAML] and [LDAP] or [LDAP]``* ``[SAML, SAML and LDAP] or [LDAP]`` Authentication is done by SAML or LDAP but user must match an LDAP entry
+``[SAML] and [LDAP] or [LDAP]``   ``[SAML, SAML and LDAP] or [LDAP]`` Authentication is done by SAML or LDAP but user must match an LDAP entry
 ================================= =================================== ========================================================================
 
 Auth::Apache authentication
@@ -212,7 +212,7 @@ behaviour: if the auth module fails, Apache returns 401. So it can be
 used only with a "and" boolean expression.
 
 
-.. tip:: 
+.. tip::
 
     The new :doc:`Kerberos authentication module<authkerberos>`
     solve this for Kerberos: you just have to use it instead of Apache and

doc/sources/admin/authcustom.rst

@@ -14,10 +14,10 @@ This artifact allows one to define its own modules (authentication, user
 database, password or register database).
 
 
-.. tip:: 
+.. tip::
 
     The developer documentation is available in Portal manpages.
-    See Auth.pod and UserDB.pod 
+    See Auth.pod and UserDB.pod
 
 Configuration
 -------------
@@ -33,16 +33,18 @@ You can define your own customAuth module icon. Icon must be in
 site/htdocs/static/common/modules/icon.png
 
 
-.. tip:: 
+.. tip::
 
     ::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev
 
 
 
-.. important:: 
+.. important::
 
     Be careful. Don' t use an already attributed name in
-    configuration.  These parameters are available in your plugins
+    configuration.
-    using ``$self->conf->{customAddParams}->{//customName//}``.
+
+These parameters are available in your plugins using
+``$self->conf->{customAddParams}->{<customName>}``.
 
 Read portal manpages to see how to write these plugins.

doc/sources/admin/authdbi.rst

@@ -34,7 +34,7 @@ LL::NG can use two tables:
 -  User table: where user data are stored (mail, name, etc.)
 
 
-.. tip:: 
+.. tip::
 
     Authentication table and user table can be the same.
 
@@ -105,15 +105,15 @@ Authentication level
 The authentication level given to users authenticated with this module.
 
 
-.. important:: 
+.. important::
 
     As DBI is a login/password based module, the
     authentication level can be:
-    
+
     -  increased (+1) if portal is protected by SSL (HTTPS)
     -  decreased (-1) if the portal autocompletion is allowed (see
        :doc:`portal customization<portalcustom>`)
-    
+
 
 
 Exported variables
@@ -126,7 +126,7 @@ Connection
 ~~~~~~~~~~
 
 
-.. tip:: 
+.. tip::
 
     Connection settings can be configured differently for
     authentication process and user process. This allows one to use
@@ -181,22 +181,22 @@ Password
    non-salted schemes" or "Supported salted schemes".
 
 
-.. important:: 
+.. important::
 
     The SQL function MUST have hexadecimal values as input
     AND output
 
 
-.. tip:: 
+.. tip::
 
     Here is an example for creating a postgreSQL SHA256 function.
     1. Install postgresql-contrib. 2. Activate extension:
     ``CREATE EXTENSION pgcrypto;`` 3. Create the hash function:
-    
+
     ::
-    
+
        CREATE OR REPLACE FUNCTION sha256(varchar) returns text AS $$
        SELECT encode(digest(decode($1, 'hex'), 'sha256'), 'hex')
        $$ LANGUAGE SQL STRICT IMMUTABLE;
-    
+
 

doc/sources/admin/authdemo.rst

@@ -14,7 +14,7 @@ This mode allow one to test LemonLDAP::NG without any third-party
 software.
 
 
-.. warning:: 
+.. warning::
 
     This mode must not be used for other purpose than test and
     demonstration!
@@ -30,7 +30,7 @@ dwho   dwho     dwho@badwolf.org   administrator
 ====== ======== ================== =============
 
 
-.. important:: 
+.. note::
 
     As you may have guessed, these accounts are famous characters from
     the TV show `Doctor

doc/sources/admin/authfacebook.rst

@@ -4,7 +4,7 @@ Facebook
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 Presentation
@@ -56,27 +56,27 @@ variables:
    -  sn => last_name
 
 
-.. important:: 
+.. important::
 
     Do not query user field in exported variables, as it is
     already registered by the authentication module in ``$_user``.
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in :
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``
 
 
-.. tip:: 
+.. tip::
 
     You can use the same Facebook access token in your
     applications. It is stored in session datas under the name
-    ``$_facebookToken``\ 
+    ``$_facebookToken``\

doc/sources/admin/authgithub.rst

@@ -4,7 +4,7 @@ GitHub
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -35,20 +35,20 @@ Then, go in ``GitHub parameters``:
    https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
 
 
-.. tip:: 
+.. tip::
 
     Collected fields are stored in session in ``github_``
     keys
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in:
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``

doc/sources/admin/authgpg.rst

@@ -4,7 +4,7 @@ Databases
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -24,7 +24,7 @@ you just have to set GPG database. For example
 ``/usr/share/keyrings/debian-keyring.gpg``
 
 
-.. tip:: 
+.. tip::
 
     You can then choose any other module for users and
     password.

doc/sources/admin/authkerberos.rst

@@ -4,7 +4,7 @@ Kerberos
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -36,18 +36,18 @@ and configure the following parameters:
    value and remove the '@domain'.
 
 
-.. important:: 
+.. important::
+
+
 
-    
-    
     -  Due to a perl GSSAPI issue, you may need to copy the keytab in
        /etc/krb5.keytab which is the default location hardcoded in the
        library
     -  As Kerberos ticket is passed inside Authorization header, you may
-       need to set CGIPassAuth on in Apache *(with old Apache, use
+       need to set CGIPassAuth on in Apache (with old Apache, use
        ``RewriteCond %{HTTP:Authorization}`` followed by
-       ``RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]``)*
+       ``RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]``)
-    
+
 
 
 Kerberos configuration

doc/sources/admin/authldap.rst

@@ -38,7 +38,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose LDAP for authentication, users and/or password modules.
 
 
-.. tip:: 
+.. tip::
 
     For :doc:`Active Directory<authad>`, choose
     ``Active Directory`` instead of ``LDAP``.
@@ -49,15 +49,15 @@ Authentication level
 The authentication level given to users authenticated with this module.
 
 
-.. important:: 
+.. important::
 
     As LDAP is a login/password based module, the
     authentication level can be:
-    
+
     -  increased (+1) if portal is protected by SSL (HTTPS)
     -  decreased (-1) if the portal autocompletion is allowed (see
        :doc:`portal customization<portalcustom>`)
-    
+
 
 
 Exported variables
@@ -74,12 +74,12 @@ Connection
 
    -  More than one server can be set here separated by spaces or
       commas. They will be tested in the specified order.
-   -  To use TLS, set ``ldap+tls:%%//%%server`` and to use LDAPS, set
+   -  To use TLS, set ``ldap+tls://server`` and to use LDAPS, set
-      ``ldaps:%%//%%server`` instead of server name.
+      ``ldaps://server`` instead of server name.
    -  If you use TLS, you can set any of the
       `Net::LDAP <http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod>`__
       start_tls() sub like
-      ``ldap+tls:%%//%%server/verify=none&capath=/etc/ssl``. You can
+      ``ldap+tls://server/verify=none&capath=/etc/ssl``. You can
       also use cafile and capath parameters.
 
 -  **Server port**: TCP port used by LDAP server. Can be overridden by
@@ -97,7 +97,7 @@ Connection
    documentation).
 
 
-.. important:: 
+.. important::
 
     LemonLDAP::NG need anonymous access to LDAP Directory
     RootDSE in order to check LDAP connection.
@@ -106,7 +106,7 @@ Filters
 ~~~~~~~
 
 
-.. tip:: 
+.. tip::
 
     In LDAP filters, $user is replaced by user login, and $mail by
     user email.
@@ -121,22 +121,24 @@ Filters
    ``find``)
 
 
-.. tip:: 
+.. tip::
 
     For Active Directory, the default authentication filter is:
-    
+
     ::
-    
+
        (&(sAMAccountName=$user)(objectClass=person))
-    
+
     And the mail filter is:
-    
+
     ::
-    
+
        (&(mail=$mail)(objectClass=person))
-    
 
 
+
+.. _authldap-groups:
+
 Groups
 ~~~~~~
 
@@ -159,17 +161,18 @@ Groups
    used in the link, for recursive group search (default: dn).
 
 
-.. important:: 
+.. note::
 
     The groups that the user belongs to are available as ``$groups``
-    and ``%hGroups``, as documented :doc:`here<exportedvars>` 
+    and ``%hGroups``, as documented :ref:`here<macros_and_groups>`
 
 
-.. important:: 
+.. important::
 
     If your LDAP countains over a thousand groups, you
     should avoid using group processing, check out
-    :doc:`the performance page<performances>` for alternatives 
+    :ref:`the performance page<performances-ldap-performances>` for
+    alternatives 
 
 Password
 ~~~~~~~~

doc/sources/admin/authlinkedin.rst

@@ -4,7 +4,7 @@ LinkedIn
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -39,20 +39,20 @@ Then, go in ``LinkedIn parameters``:
    and last name, and ``r_emailaddress`` to get email.
 
 
-.. tip:: 
+.. tip::
 
     Collected fields are stored in session in ``linkedIn_``
     keys
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in :
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``

doc/sources/admin/authmulti.rst

@@ -2,7 +2,7 @@ Multiple backends stack
 =======================
 
 
-.. important:: 
+.. important::
 
     This module has been removed and replaced by the more
     powerful :doc:`Combination of auth schemes<authcombination>`.

doc/sources/admin/authopenid.rst

@@ -4,11 +4,11 @@ OpenID
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 
-.. warning:: 
+.. warning::
 
     OpenID protocol is deprecated. You should now use
     :doc:`OpenID Connect<authopenidconnect>`.
@@ -22,7 +22,7 @@ module <http://search.cpan.org/~mart/Net-OpenID-Consumer/>`__ with at
 least version 1.0.
 
 
-.. tip:: 
+.. tip::
 
     LL::NG can also act as :doc:`OpenID server<idpopenid>`, that
     allows one to interconnect two LL::NG systems.
@@ -31,7 +31,7 @@ LL::NG will then display a form with an OpenID input, wher users will
 type their OpenID login.
 
 
-.. tip:: 
+.. tip::
 
     OpenID authentication can proposed as an alternate
     authentication scheme using the :doc:`authentication choice<authchoice>`
@@ -79,14 +79,14 @@ define attributes:
 See also :doc:`exported variables configuration<exportedvars>`.
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in :
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``

doc/sources/admin/authopenidconnect.rst

@@ -4,14 +4,14 @@ OpenID Connect
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 Presentation
 ------------
 
 
-.. important:: 
+.. note::
 
     OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE
     stacks. It is described here: http://openid.net/connect/.
@@ -34,14 +34,19 @@ You can use this authentication module to link your LL::NG server to any
 OpenID Connect Provider. Here are some examples, witch their specific
 documentation:
 
-================================================ ========================================
+=============== ==================
-Google                                           France Connect
+Google          France Connect
-================================================ ========================================
+=============== ==================
-:doc:`google_logo.png<authopenidconnect_google>` :doc:`franceconnect_logo.png<authopenidconnect_franceconnect>`
+|google|        |franceconnect|
-================================================ ========================================
+=============== ==================
 
+.. |google| image:: applications/google_logo.png
+   :target: authopenidconnect_google.html
 
-.. important:: 
+.. |franceconnect| image:: applications/franceconnect_logo.png
+   :target: authopenidconnect_franceconnect.html
+
+.. important::
 
     OpenID-Connect specification isn't finished for logout
     propagation. So logout initiated by relaying-party will be forward to
@@ -67,23 +72,23 @@ In ``General Parameters`` > ``Authentication modules``, set:
 -  **Users module**: OpenID Connect
 
 
-.. tip:: 
+.. tip::
 
     As passwords will not be managed by LL::NG, you can disable
-    :doc:`menu password module<portalmenu>`.
+    :ref:`menu password module<portalmenu-menu-modules>`.
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in :
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``
 
 Then in ``General Parameters`` > ``Authentication modules`` >
 ``OpenID Connect parameters``, you can set:
@@ -111,7 +116,7 @@ parameter, for example:
 -  http://auth.example.com/?lmAuth=oidc&openidcallback=1
 
 
-.. important:: 
+.. important::
 
     If you use the :doc:`choice backend<authchoice>`, you
     need to add the choice parameter in redirect URL
@@ -169,7 +174,7 @@ automatically if jwks_uri is defined in metadata. Else you can paste the
 content of the JSON file in the textarea.
 
 
-.. tip:: 
+.. tip::
 
     If the OpenID Connect provider only uses symmetric encryption,
     JWKS data is not useful.

doc/sources/admin/authopenidconnect_franceconnect.rst

@@ -10,7 +10,7 @@ Presentation
 authentication platform made by French government.
 
 
-.. important:: 
+.. important::
 
     It is for the moment only in BETA stage. This
     documentation will explain how to configure LL::NG with the developer

doc/sources/admin/authopenidconnect_google.rst

@@ -12,7 +12,7 @@ delegate the authentication of LL::NG to Google:
 https://developers.google.com/identity/protocols/OpenIDConnect
 
 
-.. important:: 
+.. important::
 
     Google does not support logout trough OpenID Connect. If
     you close your session on LL::NG side, your Google session will still be

doc/sources/admin/authpam.rst

@@ -4,7 +4,7 @@ PAM
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -41,7 +41,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose PAM for authentication.
 
 
-.. tip:: 
+.. tip::
 
     You can then choose any other module for users and
     password.

doc/sources/admin/authproxy.rst

@@ -4,7 +4,7 @@ Proxy
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 Presentation
@@ -60,6 +60,6 @@ in your lemonldap-ng.ini:
    soapProxyUrn = urn:Lemonldap/NG/Common/CGI/SOAPService
 
 
-.. important:: 
+.. important::
 
     This needs LLNG version 2.0.8 at least

doc/sources/admin/authradius.rst

@@ -4,7 +4,7 @@ Radius
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -44,7 +44,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose Radius for authentication.
 
 
-.. tip:: 
+.. tip::
 
     You can then choose any other module for users and
     password.

doc/sources/admin/authremote.rst

@@ -4,11 +4,11 @@ Remote
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 
-.. warning:: 
+.. warning::
 
     This module is a LL::NG specific identity federation
     protocol. You may rather use standards protocols like
@@ -44,7 +44,7 @@ Presentation
 #. User can now access to the protected application
 
 
-.. important:: 
+.. note::
 
     Note that if the user is already authenticated on the first
     portal, all redirections are transparent.

doc/sources/admin/authrest.rst

@@ -32,7 +32,7 @@ Password change       Password change URL
 ===================== ====================================
 
 
-.. tip:: 
+.. tip::
 
     You can then choose any other module for users and
     password.
@@ -62,9 +62,9 @@ Password change URL       ``{"user":$user,"password":$password}`` ``{"result":tr
 ========================= ======================================= ===================================================
 
 
-.. tip:: 
+.. tip::
 
     To have only one REST call during the login process, you can
     set REST only as an Authentication backend, configure Null as your User
     Database, and make sure the REST authentication URL send all your user
-    attributes in the ``info`` response key 
+    attributes in the ``info`` response key

doc/sources/admin/authsaml.rst

@@ -4,7 +4,7 @@ SAML
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 Presentation
@@ -22,7 +22,7 @@ be mandatory, so if they are not returned by IDP, the session will not
 open.
 
 
-.. tip:: 
+.. tip::
 
     LL::NG can also act as :doc:`SAML IDP<idpsaml>`, that allows
     one to interconnect two LL::NG systems.
@@ -36,17 +36,17 @@ SAML Service
 See :doc:`SAML service<samlservice>` configuration chapter.
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in :
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``
 
 Authentication and UserDB
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -57,10 +57,10 @@ In ``General Parameters`` > ``Authentication modules``, set:
 -  Users module: Same (eq SAML)
 
 
-.. tip:: 
+.. tip::
 
     As passwords will not be managed by LL::NG, you can disable
-    :doc:`menu password module<portalmenu>`.
+    :ref:`menu password module<portalmenu-menu-modules>`.
 
 Register LemonLDAP::NG on partner Identity Provider
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -89,7 +89,7 @@ between your server and the IDP):
 |image0|
 
 
-.. tip:: 
+.. tip::
 
     You can also edit the metadata directly in the textarea
 
@@ -145,8 +145,9 @@ Authentication request
 -  **Requested authentication context**: this context is declared in
    authentication request. When receiving the request, the real
    authentication context will be mapped to an internal authentication
-   level (see :doc:`how configure the mapping<samlservice>`), that you
+   level (see
-   can check to allow or deny session creation.
+   :ref:`how configure the mapping<samlservice-authentication-contexts>`),
+   that you can check to allow or deny session creation.
 -  **Allow URL as RelayState**: Set to On if the RelayState value sent
    by IDP is the URL where the user must be redirected after
    authentication.
@@ -172,7 +173,7 @@ Signature
 '''''''''
 
 These options override service signature options (see
-:doc:`SAML service configuration<samlservice>`).
+:ref:`SAML service configuration<samlservice-general-options>`).
 
 -  **Sign SSO message**: sign SSO message
 -  **Check SSO message signature**: check SSO message signature
@@ -188,7 +189,7 @@ Binding
    http-post, etc.)
 
 
-.. important:: 
+.. note::
 
     If no binding defined, the default binding in IDP metadata will be
     used.
@@ -213,7 +214,7 @@ Used only if you have more than 1 SAML Identity Provider declared
 -  **Order**: Number to sort IDP display
 
 
-.. tip:: 
+.. tip::
 
     The chosen logo must be in Portal icons directory
     (``portal/static/common/``). You can set a custom icon by setting the

doc/sources/admin/authslave.rst

@@ -4,7 +4,7 @@ Slave
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 Presentation

doc/sources/admin/authssl.rst

@@ -4,7 +4,7 @@ SSL
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -23,9 +23,8 @@ Configuration (as the only authentication module)
 
 By default, SSL is required before the portal is displayed (handled by
 webserver). If you want to display a button to connect to LLNG
-*(compatible with :doc:`Combination<authcombination>`)*, you can
+(compatible with :doc:`Combination<authcombination>`), you can
-activate "SSL by Ajax request" in the manager. See "SSL by Ajax"
+activate "SSL by Ajax request" in the manager.
-below.
 
 With Apache
 ~~~~~~~~~~~
@@ -42,13 +41,13 @@ For CentOS/RHEL:
    yum install mod_ssl
 
 
-.. tip:: 
+.. tip::
 
     In Debian/Ubuntu mod_ssl is already shipped in
     ``apache*-common`` package.
 
 
-.. tip:: 
+.. tip::
 
     For CentOS/RHEL, We advice to disable the default SSL virtual
     host configured in /etc/httpd/conf.d/ssl.conf.
@@ -68,16 +67,16 @@ of /etc/lemonldap-ng/portal-apache2.conf:
    SSLCACertificateFile /etc/httpd/certs/ow2-ca.cert
 
 
-.. important:: 
+.. note::
 
     Put your own files instead of ``ow2.cert``, ``ow2.key``,
     ``ow2-ca.cert``:
-    
+
     -  **SSLCertificateFile**: Server certificate
     -  **SSLCertificateKeyFile**: Server private key
     -  **SSLCACertificateFile**: CA certificate to validate client
        certificates
-    
+
 
 
 If you specify port in virtual host, then declare SSL port:
@@ -161,7 +160,7 @@ Nginx SSL Virtual Host example with uWSGI
 
      ssl_verify_client on;
      ssl_verify_depth 3;
-     
+
      # Full chain CRL is required
      # All CRLs must be concatenated in a single .pem format file
      ssl_crl /etc/nginx/ssl/crl/crls.pem;
@@ -187,12 +186,12 @@ Nginx SSL Virtual Host example with uWSGI
    }
 
 
-.. important:: 
+.. important::
 
     Nginx 1.11.6 change: format of the $ssl_client_s_dn and
     $ssl_client_i_dn variables has been changed to follow RFC 2253 (RFC
     4514); values in the old format are available in the
-    $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables. 
+    $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy variables.
 
 Configuration of LemonLDAP::NG
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -201,7 +200,7 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose SSL for authentication.
 
 
-.. tip:: 
+.. tip::
 
     You can then choose any other module for users and
     password.
@@ -296,7 +295,7 @@ limitation.
            beforeSend:function(){},
            type:"GET",
            dataType:"html",
-           success:function(c,a){ 
+           success:function(c,a){
              if (c !== "") {
                    alert("Carte OK");
                    window.location.href = "https://auth.example.com/sslok/";
@@ -333,12 +332,12 @@ connexion reset:
    ssl_session_timeout 1s;
 
 
-.. warning:: 
+.. warning::
 
     It is incompatible with authentication combination because
     of Apache parameter "SSLVerifyClient", which must have the value
     "require". To enable SSL with :doc:`Combination<authcombination>`, use
-    "SSL by Ajax" 
+    "SSL by Ajax"
 
 Configuration (for Combination/Choice)
 --------------------------------------
@@ -348,59 +347,60 @@ If you enable this feature, you must configure 2 portal virtual hosts:
 -  the main *(which corresponds to portal URL)* with
    ``SSLVerifyClient none``
 -  the second with ``SSLVerifyClient require`` and a
-   ``Header set Allow-Control-Allow-Origin %%https://portal-main-url%%``
+   ``Header set Allow-Control-Allow-Origin https://portal-main-url``
 
 then declare the second URL in SSL options in the Manager. That's all !
-Then you can chain it in a :doc:`combination<authcombination>`. 
+Then you can chain it in a :doc:`combination<authcombination>`.
-.. important:: 
+
+.. note::
+
 
-    
     With :doc:`choice<authchoice>`, the second URL should be also declared
-    in module URL parameter to redirect user to Portal menu.  
+    in module URL parameter to redirect user to Portal menu.
+
+.. note::
 
-.. important:: 
 
-    
     Ajax authentication request can be sent to an another URL than Portal
     URL.
-    
+
     To avoid a persistent loop between Portal and a redirection URL (pdata
     is not removed because domains mismatch), you have to set pdata cookie
     domain by editing ``lemonldap-ng.ini`` in section [portal]:
-    
+
     .. code:: ini
-    
+
        [portal]
        pdataDomain = example.com
-    
+
     To avoid a bad/expired token during session upgrading (Reauthentication)
     if URLs are served by different load balancers, you can force Upgrade
     tokens to be stored into Global Storage by editing ``lemonldap-ng.ini``
     in section [portal]:
-    
+
     .. code:: ini
-    
+
        [portal]
        forceGlobalStorageUpgradeOTT = 1
-    
+
- 
+
-.. important:: 
+.. important::
 
     **Content Security Policy** may prevent to
     submit Ajax Request. To avoid security warning,
-    
+
     Go to :
     ``General Parameters > Advanced Parameters > Security > Content security policy``
-    
+
     and set :
-    
+
     **Default value** => 'self' "Ajax request URL"
-    
+
     **Form destinations** => 'self' "Ajax request URL"
-    
+
     **Ajax destinations** => 'self' "Ajax request URL"
-    
+
-    **Script source** => 'self' "Ajax request URL" 
+    **Script source** => 'self' "Ajax request URL"
 
 Extracting the username attribute
 ---------------------------------

doc/sources/admin/authtwitter.rst

@@ -4,7 +4,7 @@ Twitter
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔                   
+✔
 ============== ===== ========
 
 Presentation
@@ -30,23 +30,23 @@ In Manager, go in ``General Parameters`` > ``Authentication modules``
 and choose Twitter for authentication module.
 
 
-.. tip:: 
+.. tip::
 
     You can then choose any other module for users and
     password.
 
 
-.. important:: 
+.. important::
 
     Browser implementations of formAction directive are
     inconsistent (e.g. Firefox doesn't block the redirects whereas Chrome
     does). Administrators may have to modify formAction value with wildcard
     likes \*.
-    
+
     In Manager, go in :
-    
+
     ``General Parameters`` > ``Advanced Parameters`` > ``Security`` >
-    ``Content Security Policy`` > ``Form destination`` 
+    ``Content Security Policy`` > ``Form destination``
 
 Then, go in ``Twitter parameters``:
 

doc/sources/admin/authwebid.rst

@@ -4,7 +4,7 @@ WebID
 ============== ===== ========
 Authentication Users Password
 ============== ===== ========
-✔              ✔    
+✔              ✔
 ============== ===== ========
 
 Presentation

doc/sources/admin/authyubikey.rst

@@ -2,7 +2,7 @@ Yubikey
 =======
 
 
-.. important:: 
+.. important::
 
     This module has been replaced by
-    :doc:`Yubikey Second Factor<yubikey2f>`\ 
+    :doc:`Yubikey Second Factor<yubikey2f>`\

doc/sources/admin/autosignin.rst

@@ -18,6 +18,6 @@ dwho           ''$env->{REMOTE_ADDR} eq '192.168.42.42' ''
 ============== ===========================================
 
 
-.. important:: 
+.. important::
 
     Username must be defined in the user database.

doc/sources/admin/behindproxyminihowto.rst

@@ -39,10 +39,10 @@ uncomment the relevant parts of the configuration file.
        real_ip_header    X-Forwarded-For;
 
 
-.. tip:: 
+.. tip::
 
     Make sure Nginx was compiled with the `http_real_ip
-    module <http://nginx.org/en/docs/http/ngx_http_realip_module.html>`__\ 
+    module <http://nginx.org/en/docs/http/ngx_http_realip_module.html>`__\
 
 -  For Apache:
 
@@ -52,14 +52,14 @@ uncomment the relevant parts of the configuration file.
         RemoteIPInternalProxy 127.0.0.1
 
 
-.. tip:: 
+.. tip::
 
     Make sure the `mod_remoteip
     module <https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html>`__ is
     enabled in your Apache installation
 
 
-.. warning:: 
+.. warning::
 
     Both modules need you to specify the address of your
     reverse proxy. Using the ``http_real_ip`` or ``mod_remoteip`` module

doc/sources/admin/browseablesessionbackend.rst

@@ -5,16 +5,16 @@ Presentation
 ------------
 
 Browseable session backend
-(`Apache::Session::Browseable <https://metacpan.org/pod/Apache::Session::Browseable>`)
+(`Apache::Session::Browseable <https://metacpan.org/pod/Apache::Session::Browseable>`__)
 works exactly like Apache::Session::\* corresponding module but add
-index that increase :doc:`session explorer<features>` and
+index that increase :ref:`session explorer<session-explorer>` and
-:doc:`session restrictions<features>` performances.
+:ref:`session restrictions<session-restrictions>` performances.
 
 If you use features like SAML (authentication and issuer), CAS (issuer)
 and password reset self-service, you also need to index some fields.
 
 
-.. important:: 
+.. note::
 
     Without index, LL::NG will have to retrieve all sessions stored in
     backend and parse them to find the needed sessions. With index, LL::NG
@@ -37,21 +37,21 @@ SAML Session                           \_saml_id
 See Apache::Session::Browseable man page to see how use indexes.
 
 
-.. important:: 
+.. important::
 
     \ *WHATTOTRACE* must be replaced by the attribute or
     macro configured in the What To Trace parameter (REMOTE_USER). By
-    default: **\_whatToTrace**\ 
+    default: **\_whatToTrace**\
 
 
-.. tip:: 
+.. tip::
 
     It is advised to use separate session backends for standard
     sessions, SAML sessions and CAS sessions, in order to manage index
     separately.
 
 
-.. important:: 
+.. note::
 
     Documentation below explains how set index on ipAddr and
     \_whatToTrace. Adapt it to configure the index you need.
@@ -67,7 +67,7 @@ You then just have to add the ``Index`` parameter in
 ``Apache::Session module`` :
 
 =================== ============ ====================
-Required parameters             
+Required parameters
 =================== ============ ====================
 Name                Comment      Example
 **server**          Redis server 127.0.0.1:6379
@@ -78,30 +78,30 @@ Browseable SQL
 --------------
 
 
-.. important:: 
+.. note::
 
     This documentation concerns PostgreSQL. Some adaptations are
     needed with other databases. When using
     Apache::Session::Browseable::Postgres, it
     is strongly recommended to use version 1.3.1 at least. See `bug
-    1732 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732>`.
+    1732 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732>`__.
 
 Prepare database
 ~~~~~~~~~~~~~~~~
 
 Database must be prepared exactly like in
-:doc:`SQL session backend<sqlsessionbackend>` except that a field must
+:ref:`SQL session backend<sqlsessionbackend-prepare-the-database>`
-be added for each data to index.
+except that a field must be added for each data to index.
 
 
-.. important:: 
+.. important::
 
     Data written to UNLOGGED tables is not written to the
     WAL, which makes them considerably faster than ordinary tables. However,
     they are not crash-safe: an unlogged table is automatically truncated
     after a crash or unclean shutdown. The contents of an unlogged table are
     also not replicated to standby servers. Any indexes created on an
-    unlogged table are automatically unlogged as well. 
+    unlogged table are automatically unlogged as well.
 
 Apache::Session::Browseable::Postgres
 example:
@@ -124,7 +124,7 @@ example:
    CREATE INDEX h1   ON sessions (_httpSessionType);
 
 
-.. important:: 
+.. important::
 
     For Session Explorer and one-off sessions, it is
     recommended to use BTREE or any index method that indexes partial
@@ -135,7 +135,7 @@ now recommended SHA256 hash algorithm. See
 :doc:`Sessions<sessions>` for more details.
 
 
-.. tip:: 
+.. tip::
 
     With new
     Apache::Session::Browseable::PgHstore
@@ -153,7 +153,7 @@ for MySQL) in ``General parameters`` » ``Sessions`` »
 parameters (case sensitive):
 
 =================== ================================================= =============================================================
-Required parameters                                                  
+Required parameters
 =================== ================================================= =============================================================
 Name                Comment                                           Example
 **DataSource**      The `DBI <https://metacpan.org/pod/DBI>`__ string dbi:Pg:database=lemonldap-ng
@@ -164,11 +164,11 @@ Name                Comment                                           Example
 =================== ================================================= =============================================================
 
 
-.. tip:: 
+.. tip::
 
     Apache::Session::Browseable::MySQL doesn't use locks so performances are
     keeped.
-    
+
     For databases like PostgreSQL, don't forget to add "Commit" with a value
     of 1
 
@@ -184,7 +184,7 @@ You need to add the ``Index`` field and can also configure the
 values will be stored.
 
 ======================== ================================= ===============================
-Required parameters                                       
+Required parameters
 ======================== ================================= ===============================
 Name                     Comment                           Example
 **ldapServer**           URI of the server                 ldap://localhost
@@ -192,7 +192,7 @@ Name                     Comment                           Example
 **ldapBindDN**           Connection login                  cn=admin,dc=example,dc=password
 **ldapBindPassword**     Connection password               secret
 **Index**                Index list                        \_whatToTrace ipAddr
-Optional parameters                                       
+Optional parameters
 Name                     Comment                           Default value
 **ldapObjectClass**      Objectclass of the entry          applicationProcess
 **ldapAttributeId**      Attribute storing session ID      cn

doc/sources/admin/bruteforceprotection.rst

@@ -47,11 +47,11 @@ section:
    bruteForceProtectionMaxLockTime = 900
 
 
-.. important:: 
+.. note::
 
     Max lock time value is used by this plugin if a lock time is
     missing (number of failed logins higher than listed lock time values).
-    Lock time values can not be higher than max lock time. 
+    Lock time values can not be higher than max lock time.
 
 Incremental lock time disabled
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -71,7 +71,7 @@ of allowed failed login attempts (3 by default) edit
    bruteForceProtectionMaxFailed = 3
 
 
-.. important:: 
+.. important::
 
     Number of failed login attempts stored in history MUST
     be higher than allowed failed logins for this plugin takes effect.

doc/sources/admin/captcha.rst

@@ -14,7 +14,7 @@ Captchas are available on the following forms:
 -  Register form: where user enters information to create a new account
 
 
-.. important:: 
+.. important::
 
     We use the Perl module GD::SecurityImage to generate
     images, you need to install it if you enable Captcha feature.

doc/sources/admin/cda.rst

@@ -4,7 +4,7 @@ Cross Domain Authentication
 Presentation
 ------------
 
-:ref:`cross_domain_authentication_cda`
+:ref:`cda`
 
 Configuration
 -------------
@@ -21,17 +21,17 @@ To use this feature only locally, edit ``lemonldap-ng.ini`` in section
    cda = 1
 
 
-.. important:: 
+.. important::
 
     If your handler is being served by Nginx, you have to
     uncomment the following lines in your nginx configuration file:
-    
+
     ::
-    
+
-       # If CDA is used, uncomment this 
+       # If CDA is used, uncomment this
-       auth_request_set $cookie_value $upstream_http_set_cookie; 
+       auth_request_set $cookie_value $upstream_http_set_cookie;
        add_header Set-Cookie $cookie_value;
-    
+
 
 
 Handlers
@@ -40,5 +40,3 @@ Handlers
 Choose "CDA" as type for each virtualHost concerned by CDA *(ie not in
 main domain)*.
 
-.. |section>..presentation#cross_domain_authentication_cda&noheader| image:: section>..presentation#cross_domain_authentication_cda&noheader
-

doc/sources/admin/changesessionbackend.rst

@@ -5,7 +5,7 @@ LemonLDAP::NG provides a script to change session backend. This script
 will help you transfer existing persistent sessions (or offline
 sessions) when migrating from one backend to another, or when adding
 indexes to a
-:doc:`browseable sessio backend</browseablesessionbackend>`. It is
+:doc:`browseable session backend</browseablesessionbackend>`. It is
 available in LemonLDAP::NG utilities directory (``convertSessions``).
 
 How it works

doc/sources/admin/checkstate.rst

@@ -22,7 +22,7 @@ GET Parameter Need     Value
 ============= ======== ============================================================
 ``secret``    required Same value as the shared secret given to the manager
 ``user``      optional If set (with password), a login/logout process will be tried
-``password``  optional 
+``password``  optional
 ============= ======== ============================================================
 
 Example

doc/sources/admin/checkuser.rst

@@ -29,47 +29,47 @@ Just enable it in the manager (section “plugins”).
       attributes
 
 
-.. note:: 
+.. note::
 
     By examples :
-    
+
     \* Search attributes => ``mail uid givenName``
-    
+
     If ``whatToTrace`` fails, sessions are searched by ``mail``, next
     ``uid`` if none session is found and so on...
-    
+
     \* Display empty headers rule => ``$uid eq "dwho"`` -> Only 'dwho' will
-    see empty headers 
+    see empty headers
 
 
-.. note:: 
+.. note::
 
     Keep in mind that Nginx HTTP proxy module gets rid of empty
     headers. If the value of a header field is an empty string then this
     field will not be passed to a proxied server. To avoid misunderstanding,
-    it might be useful to not display empty headers. 
+    it might be useful to not display empty headers.
 
 
-.. important:: 
+.. important::
 
     Be careful to not display secret attributes.
-    
+
     checkUser plugin hidden attributes are concatenation of
     ``checkUserHiddenAttributes`` and ``hiddenAttributes``. You just have to
-    append checkUser specific attributes. 
+    append checkUser specific attributes.
 
 
-.. warning:: 
+.. warning::
 
     This plugin displays ALL user session attributes except
     the hidden ones.
-    
+
     You have to restrict access to specific users (administrators, DevOps,
     power users and so on...) by setting an access rule like other
     VirtualHosts.
-    
+
     By example: ``$groups =~ /\bsu\b/``
-    
+
 
 
 To modify persistent sessions attributes ('_loginHistory \_2fDevices
@@ -87,7 +87,7 @@ Usage
 When enabled, ``/checkuser`` URL path is handled by this plugin.
 
 
-.. important:: 
+.. important::
 
     With federated authentication, checkUser plugin works
-    only if a session can be found in backend. 
+    only if a session can be found in backend.

doc/sources/admin/cli_examples.rst

@@ -2,10 +2,10 @@ Command Line Interface (lemonldap-ng-cli) examples
 ==================================================
 
 This page shows some examples of LL::NG Command Line Interface. See
-:doc:`how to use the command<configlocation>`.
+:ref:`how to use the command<configlocation-command-line-interface-cli>`.
 
 
-.. important:: 
+.. important::
 
     On Debian, the command is located in
     ``/usr/share/lemonldap-ng/bin`` and on CentOS in
@@ -232,7 +232,7 @@ In this example we use:
            ldapExportedVars sn sn \
            ldapExportedVars mobile mobile \
            ldapExportedVars mail mail \
-           ldapExportedVars givenName givenName 
+           ldapExportedVars givenName givenName
 
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
        set \
@@ -248,7 +248,8 @@ Configure CAS Identity Provider
 -------------------------------
 
 You just have to enable the CAS server feature, and you can set the
-access control policy (see :doc:`CAS service options<idpcas>`):
+access control policy (see
+:ref:`CAS service options<idpcas-configuring-the-cas-service>`):
 
 ::
 
@@ -452,6 +453,9 @@ Create the application "sample" inside category "applications":
            applicationList/applications/sample/options name "Sample application" \
            applicationList/applications/sample/options uri "https://sample.example.com/"
 
+
+.. _cli-examples-encryption-key:
+
 Encryption key
 --------------
 

doc/sources/admin/configapache.rst

@@ -2,7 +2,7 @@ Deploy Apache configuration
 ===========================
 
 
-.. important:: 
+.. note::
 
     This step should have been already done if you installed LL::NG
     with packages.
@@ -11,7 +11,7 @@ Files
 -----
 
 
-.. important:: 
+.. important::
 
     Apache Mod Perl has many issues since 2.4 version with
     MPM worker and MPM event. No problem for portal and manager since they
@@ -32,21 +32,21 @@ You have to include them in Apache main configuration, for example:
    include /usr/local/lemonldap-ng/etc/test-apache2.conf
 
 
-.. tip:: 
+.. tip::
+
+
 
-    
-    
     -  You can also use symbolic links in ``conf.d`` or ``sites-available``
        Apache directory.
     -  If you have run the Debian/Ubuntu install command, just use:
-    
+
     ::
-    
+
        a2ensite manager-apache2.conf
        a2ensite portal-apache2.conf
        a2ensite handler-apache2.conf
        a2ensite test-apache2.conf
-    
+
 
 
 Modules
@@ -61,12 +61,12 @@ You will also need to load some Apache modules:
 -  mod_headers
 
 
-.. tip:: 
+.. tip::
 
     With Debian/Ubuntu:
-    
+
     ::
-    
+
        a2enmod fcgid perl alias rewrite headers
-    
+
 

doc/sources/admin/configlocation.rst

@@ -8,15 +8,15 @@ LemonLDAP::NG configuration is stored in a backend that allows all
 modules to access it.
 
 
-.. important:: 
+.. important::
 
     Note that all LL::NG components must have access:
-    
+
     -  to the configuration backend
     -  to the sessions storage backend
-    
+
     Detailed configuration backends documentation is available
-    :doc:`here<start>`.
+    :ref:`here<start-configuration-database>`.
 
 By default, configuration is stored in :doc:`files<fileconfbackend>`, so
 access trough network is not possible. To allow this, use
@@ -25,7 +25,8 @@ service like :doc:`SQL database<sqlconfbackend>` or
 :doc:`LDAP directory<ldapconfbackend>`.
 
 Configuration backend can be set in the
-local configuration file, in ``configuration`` section.
+:ref:`local configuration file<configlocation-local-file>`, in ``configuration``
+section.
 
 For example, to configure the ``File`` configuration backend:
 
@@ -36,7 +37,7 @@ For example, to configure the ``File`` configuration backend:
    dirName = /usr/local/lemonldap-ng/data/conf
 
 
-.. tip:: 
+.. tip::
 
     See
     :doc:`How to change configuration backend<changeconfbackend>` to known
@@ -52,7 +53,7 @@ By default, Manager is protected to allow only the demonstration user
 "dwho".
 
 
-.. important:: 
+.. important::
 
     This user will not be available anymore if you configure
     a new authentication backend! Remember to change the access rule in
@@ -77,7 +78,7 @@ editing ``lemonldap-ng.ini`` and changing the ``protection`` parameter:
    #   * none         : no protection
 
 
-.. tip:: 
+.. tip::
 
     See :doc:`Manager protection documentation<managerprotection>`
     to know how to use Apache modules or LL::NG to manage access to
@@ -104,28 +105,28 @@ When all modifications are done, click on ``Save`` to store
 configuration.
 
 
-.. warning:: 
+.. warning::
 
     LemonLDAP::NG will do some checks on configuration and
     display errors and warnings if any. Configuration **is not saved** if
     errors occur.
 
 
-.. tip:: 
+.. tip::
+
+
 
-    
-    
     -  :doc:`Configuration viewer<viewer>` allow some users to edit WebSSO
        configuration in Read Only mode.
-    
+
     -  You can set and display instance name in Manager menu by editing
        ``lemonldap-ng.ini`` in [manager] section:
-    
+
     .. code:: ini
-    
+
        [manager]
        instanceName = LLNG_Demo
-    
+
 
 
 Manager API
@@ -141,7 +142,7 @@ See `Manager API
 documentation <https://lemonldap-ng.org/manager-api/2.0/>`__.
 
 
-.. important:: 
+.. important::
 
     To access Manager API, enable the ``manager-api``
     virtual host and change the access rule. You can protect the API through
@@ -168,7 +169,7 @@ and is stored in the LemonLDAP::NG bin/ directory, for example
    /usr/libexec/lemonldap-ng/bin/lmConfigEditor
 
 
-.. tip:: 
+.. tip::
 
     This script must be run as root, it will then use the Apache
     user and group to access configuration.
@@ -198,6 +199,8 @@ The configuration is displayed as a big Perl Hash, that you can edit:
 If a modification is done, the configuration is saved with a new
 configuration number. Else, current configuration is kept.
 
+.. _configlocation-command-line-interface-cli:
+
 Command Line Interface (CLI)
 ----------------------------
 
@@ -219,7 +222,7 @@ for example /usr/share/lemonldap-ng/bin:
    /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli
 
 
-.. tip:: 
+.. tip::
 
     This script must be run as root, it will then use the Apache
     user and group to access configuration.
@@ -272,15 +275,18 @@ Some examples:
    /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace
 
 
-.. tip:: 
+.. tip::
 
     See :doc:`other examples<cli_examples>`.
 
+
+.. _configlocation-apache:
+
 Apache
 ------
 
 
-.. important:: 
+.. important::
 
     LemonLDAP::NG does not manage Apache
     configuration
@@ -295,6 +301,8 @@ LemonLDAP::NG ships 3 Apache configuration files:
 
 See :doc:`how to deploy them<configapache>`.
 
+.. _configlocation-portal:
+
 Portal
 ~~~~~~
 
@@ -323,7 +331,7 @@ you need to edit the access rule in **handler-apache2.conf**
 
        <Location /reload>
            #CHANGE THIS######
-           Require ip 127 ::1 
+           Require ip 127 ::1
            ###########^^^^^^^
            SetHandler perl-script
            PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
@@ -368,7 +376,7 @@ Nginx
 -----
 
 
-.. important:: 
+.. important::
 
     LemonLDAP::NG does not manage Nginx configuration
 
@@ -382,7 +390,7 @@ LemonLDAP::NG ships 3 Nginx configuration files:
 See :doc:`how to deploy them<confignginx>`.
 
 
-.. warning:: 
+.. warning::
 
     \ :doc:`LL::NG FastCGI<fastcgiserver>` server must be
     enabled and started separately.
@@ -417,11 +425,11 @@ you need to edit the access rule in **handler-nginx.conf**
 .. code:: nginx
 
      location = /reload {
-      
+
        ## CHANGE THIS #
        allow 127.0.0.1;
        ######^^^^^^^^^#
-      
+
        deny all;
 
        # FastCGI configuration
@@ -492,27 +500,27 @@ included file):
        #proxy_set_header Auth-User $authuser;
        # OR
        #fastcgi_param HTTP_AUTH_USER $authuser;
-       
+
        # Then (if LUA not supported), change cookie header to hide LLNG cookie
        #auth_request_set $lmcookie $upstream_http_cookie;
        #proxy_set_header Cookie: $lmcookie;
        # OR
        #fastcgi_param HTTP_COOKIE $lmcookie;
-       
+
        # Insert then your configuration (fastcgi_* or proxy_*)
 
 Configuration reload
 --------------------
 
 
-.. important:: 
+.. note::
 
     As Handlers keep configuration in cache, when configuration
     change, it should be updated in Handlers. An Apache restart will work,
     but LemonLDAP::NG offers the mean to reload them through an HTTP
     request. Configuration reload will then be effective in less than 10
     minutes. If you want to change this timeout, set ``checkTime = 240`` in
-    your lemonldap-ng.ini file *(values in seconds)*\ 
+    your lemonldap-ng.ini file *(values in seconds)*\
 
 After configuration is saved by Manager, LemonLDAP::NG will try to
 reload configuration on distant Handlers by sending an HTTP request to
@@ -525,7 +533,7 @@ You also have a parameter to adjust the timeout used to request reload
 URLs, it is be default set to 5 seconds.
 
 
-.. important:: 
+.. important::
 
     If "Compact configuration file" option is enabled, all
     useless parameters are removed to limit file size. Typically, if SAMLv2
@@ -536,7 +544,7 @@ These parameters can be overwritten in LemonLDAP::NG ini file, in the
 section ``apply``.
 
 
-.. tip:: 
+.. tip::
 
     You only need a reload URL per physical servers, as Handlers
     share the same configuration cache on each physical server.
@@ -546,27 +554,27 @@ inside a virtual host protected by LemonLDAP::NG Handler (see below
 examples in Apache->handler or Nginx->Handler).
 
 
-.. important:: 
+.. important::
 
     You must allow access to declared URLs to your Manager
     IP.
 
 
-.. important:: 
+.. important::
 
     If reload URL is served in HTTPS, to avoid "Error 500
     (certificate verify failed)", Go to :
-    
+
     ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
-    
+
     and set :
-    
+
     **verify_hostname => 0**
-    
+
-    **SSL_verify_mode => 0** 
+    **SSL_verify_mode => 0**
 
 
-.. important:: 
+.. important::
 
     If you want to use reload mechanism on a portal only
     host, you must install a handler in Portal host to be able to refresh
@@ -593,6 +601,9 @@ You also need to adjust the protection of the reload vhost, for example:
            PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
        </Location>
 
+
+.. _configlocation-local-file:
+
 Local file
 ----------
 
@@ -618,7 +629,7 @@ For example, to override configured skin for portal:
    portalSkin = dark
 
 
-.. tip:: 
+.. tip::
 
     You need to know the technical name of configuration parameter
     to do this. You can refer to :doc:`parameter list<parameterlist>` to

doc/sources/admin/configvhost.rst

@@ -9,7 +9,8 @@ Apache configuration
 --------------------
 
 To protect a virtual host in Apache, the LemonLDAP::NG Handler must be
-activated (see :doc:`Apache global configuration<configlocation>`).
+activated (see
+:ref:`Apache global configuration<configlocation-apache>`).
 
 Then you can take any virtual host, and simply add this line to protect
 it:
@@ -79,7 +80,7 @@ Same with remote server configured with the same host name:
    </VirtualHost>
 
 
-.. important:: 
+.. note::
 
     The ``ProxyPreserveHost`` directive will forward the Host header
     to the protected application. To learn more about using Apache as
@@ -88,7 +89,7 @@ Same with remote server configured with the same host name:
 
 
 
-.. tip:: 
+.. tip::
 
     Some applications need the ``REMOTE_USER`` environment
     variable to get the connected user, which is not set in reverse-proxy
@@ -115,7 +116,7 @@ Pages where this menu is displayed can be restricted, for example:
    </Location>
 
 
-.. important:: 
+.. important::
 
     You need to disable mod_deflate to use the floating
     menu
@@ -137,14 +138,14 @@ Then you can take any virtual host and modify it:
        internal;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
-       
+
        # Drop post datas
        fastcgi_pass_request_body  off;
        fastcgi_param CONTENT_LENGTH "";
-       
+
        # Keep original hostname
        fastcgi_param HOST $http_host;
-       
+
        # Keep original request (LLNG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
      }
@@ -161,7 +162,7 @@ Then you can take any virtual host and modify it:
        add_header Set-Cookie $cookie_value;
        error_page 401 $lmlocation;
        try_files $uri $uri/ =404;
-       
+
        ...
      }
 
@@ -188,7 +189,7 @@ Then you can take any virtual host and modify it:
        #proxy_set_header Cookie: $lmcookie;
        # OR in the corresponding block
        #fastcgi_param HTTP_COOKIE $lmcookie;
-       
+
        # Set REMOTE_USER (for FastCGI apps only)
        #fastcgi_param REMOTE_USER $lmremote_user;
      }
@@ -220,7 +221,7 @@ Example of a protected virtual host for a local application:
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
 
      # Client requests
      location ~ \.php$ {
@@ -280,7 +281,7 @@ Reverse proxy
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will receive /lmauth)
        fastcgi_param X_ORIGINAL_URI  $request_uri;
-     } 
+     }
 
      # Client requests
      location / {
@@ -316,7 +317,7 @@ by different types of handler :
      listen 80;
      server_name myserver;
      root /var/www/html;
-     
+
     # Internal MAIN handler authentication request
      location = /lmauth {
        internal;
@@ -363,7 +364,7 @@ by different types of handler :
        uwsgi_buffer_size 32k;
        uwsgi_buffers 32 32k;
      }
-     
+
      # Client requests
      location / {
        ##################################
@@ -375,14 +376,14 @@ by different types of handler :
        auth_request_set $lmlocation $upstream_http_location;
        # Remove this for AuthBasic handler
        error_page 401 $lmlocation;
-     
+
        ##################################
        # PASSING HEADERS TO APPLICATION #
        ##################################
        # IF LUA IS SUPPORTED
        include /etc/nginx/nginx-lua-headers.conf;
      }
-     
+
      location /AuthBasic/ {
        ##################################
        # CALLING AUTHENTICATION         #
@@ -400,7 +401,7 @@ by different types of handler :
        # IF LUA IS SUPPORTED
        include /etc/nginx/nginx-lua-headers.conf;
      }
-     
+
      location /web-service/ {
        ##################################
        # CALLING AUTHENTICATION         #
@@ -419,6 +420,8 @@ by different types of handler :
      }
    }
 
+.. _configvhost-lemonldapng-configuration:
+
 LemonLDAP::NG configuration
 ---------------------------
 
@@ -445,29 +448,29 @@ learn how to configure access control and HTTP headers sent to
 application by LL::NG.
 
 
-.. important:: 
+.. important::
 
     With **Nginx**-based ReverseProxy, header directives can
     be appended by a LUA script.
-    
+
     To send more than **TEN** headers to protected applications, you have to
     edit and modify :
-    
+
-    ``/etc/nginx/nginx-lua-headers.conf`` 
+    ``/etc/nginx/nginx-lua-headers.conf``
 
 
-.. warning:: 
+.. warning::
 
     \* **Nginx** gets rid of any empty headers. There is no
     point of passing along empty values to another server; it would only
     serve to bloat the request. In other words, headers with **empty values
     are completely removed** from the passed request.
-    
+
     \* **Nginx**, by default, will consider any header that **contains
     underscores as invalid**. It will remove these from the proxied request.
     If you wish to have Nginx interpret these as valid, you can set the
     ``underscores_in_headers`` directive to “on”, otherwise your headers
-    will never make it to the backend server. 
+    will never make it to the backend server.
 
 POST data
 ~~~~~~~~~
@@ -486,9 +489,9 @@ Some options are available:
 -  Maintenance mode: reject all requests with a maintenance message
 -  Aliases: list of aliases for this virtual host *(avoid to rewrite
    rules,...)*
--  Type: handler type *(normal,
+-  Type: handler type (normal,
-   :doc:`ServiceToken Handler</documentation/2.0/servertoserver>`,
+   :doc:`ServiceToken Handler<servertoserver>`,
-   :doc:`DevOps Handler</documentation/2.0/devopshandler>`,...)*
+   :doc:`DevOps Handler<devopshandler>`,...)
 -  Authentication level required: this option avoids to reject user with
    a rule based on ``$_authenticationLevel``. When user hasn't got the
    required level, he is redirected to an upgrade page in the portal.
@@ -497,24 +500,24 @@ Some options are available:
    seconds by default. This TTL can be customized for each virtual host.
 
 
-.. warning:: 
+.. warning::
 
     A same virtual host can serve many locations. Each
     location can be protected by a different type of handler :
-    
+
     ::
-    
+
        server test1.example.com 80
          location ^/AuthBasic  => AuthBasic handler
          location ^/AuthCookie => Main handler
-    
+
     Keep in mind that AuthBasic handler use "Login/Password" to authenticate
     users. If you set "Authentication level required" option to "5" by
     example, AuthBasic requests will be ALWAYS rejected because AuthBasic
-    authentication level is lower than required level. 
+    authentication level is lower than required level.
 
 
-.. important:: 
+.. important::
 
     A negative or null ServiceToken timeout value will be
     overloaded by ``handlerServiceTokenTTL`` (30 seconds by default).

doc/sources/admin/contextswitching.rst

@@ -23,15 +23,15 @@ can be forbidden to assume.
       request.
 
 
-.. warning:: 
+.. warning::
 
     During context switching authentication process, all
     plugins are disabled. In other words, all entry points like afterData,
     endAuth and so on are skipped. Therefore, second factors or
-    notifications by example will not be prompted! 
+    notifications by example will not be prompted!
 
 
-.. important:: 
+.. important::
 
     ContextSwitching plugin works only with a userDB
     backend. You can not switch context with federated authentication.

doc/sources/admin/contribute.rst

@@ -18,8 +18,8 @@ applies the following rules:
 -  Javascript:
 
    -  code must be written in
-      `CoffeeScript <http://coffeescript.org/>`__ *(in
+      `CoffeeScript <http://coffeescript.org/>`__ (in
-      ``<component>/site/coffee``)*: ``make minify`` will generate JS
+      ``<component>/site/coffee``): ``make minify`` will generate JS
       files
 
 Configure SSH
@@ -60,7 +60,7 @@ Debian
    aptitude install vim make devscripts yui-compressor git git-gui libjs-uglify coffeescript cpanminus autopkgtest pkg-perl-autopkgtest
    aptitude install libauth-yubikey-webclient-perl libnet-smtp-server-perl
 
-   cpanm Authen::U2F Authen::U2F::Tester Crypt::U2F::Server::Simple 
+   cpanm Authen::U2F Authen::U2F::Tester Crypt::U2F::Server::Simple
 
    curl -sL https://deb.nodesource.com/setup_9.x | bash -
    apt-get install -y nodejs
@@ -127,7 +127,7 @@ Install dependencies
 
 ::
 
-   aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus 
+   aptitude install libapache-session-perl libcache-cache-perl libclone-perl libconfig-inifiles-perl libconvert-pem-perl libcrypt-openssl-bignum-perl libcrypt-openssl-rsa-perl libcrypt-openssl-x509-perl libcrypt-rijndael-perl libdbi-perl libdigest-hmac-perl libemail-sender-perl libgd-securityimage-perl libhtml-template-perl libio-string-perl libjson-perl libmime-tools-perl libmouse-perl libnet-ldap-perl libplack-perl libregexp-assemble-perl libregexp-common-perl libsoap-lite-perl libstring-random-perl libtext-unidecode-perl libunicode-string-perl liburi-perl libwww-perl libxml-simple-perl libxml-libxslt-perl libcrypt-urandom-perl libconvert-base32-perl cpanminus
    aptitude install apache2 libapache2-mod-fcgid libapache2-mod-perl2  # install Apache
    aptitude install nginx nginx-extras  # install Nginx
    cpanm perltidy@20181120
@@ -135,7 +135,7 @@ Install dependencies
 ::
 
     SAML :
-   aptitude install liblasso-perl libglib-perl 
+   aptitude install liblasso-perl libglib-perl
 
 Working Project
 ---------------

doc/sources/admin/customfunctions.rst

@@ -2,8 +2,8 @@ Custom functions
 ================
 
 Custom functions allow one to extend LL::NG, they can be used in
-:doc:`headers<writingrulesand_headers>`,
+:ref:`headers`,
-:doc:`rules<writingrulesand_headers>` or
+:ref:`rules` or
 :doc:`form replay data<formreplay>`. Two actions are needed:
 
 -  declare them in LLNG configuration
@@ -72,7 +72,7 @@ Old method
 ^^^^^^^^^^
 
 
-.. warning:: 
+.. warning::
 
     This method is available but unusable by Portal under
     Apache. So if your rule may be used by the menu, use the new
@@ -128,7 +128,7 @@ Go in Manager, ``General Parameters`` » ``Advanced Parameters`` »
    SSOExtensions::function1 SSOExtensions::function2
 
 
-.. important:: 
+.. important::
 
     If your function is not compliant with
     :doc:`Safe jail<safejail>`, you will need to disable the jail.

doc/sources/admin/customhandlers.rst

@@ -56,13 +56,13 @@ LLNG provides 3 platforms:
 
 If you want to add another, you must write:
 
--  the platform launcher file that launch the required type *(see
+-  the platform launcher file that launch the required type (see
    ``lemonldap-ng-handler/lib/Lemonldap/NG/Handler/ApacheMP2`` file for
-   example)*
+   example)
 -  write the main platform file
    (``Lemonldap::NG::Handler::MyPlatform::Main``) that provides required
-   method *(see ``lemonldap-ng-handler/lib/Lemonldap/NG/Handler/*/Main``
+   method (see ``lemonldap-ng-handler/lib/Lemonldap/NG/Handler/*/Main``
-   for examples)* and inherits from ``Lemonldap::NG::Handler::Main``
+   for examples) and inherits from ``Lemonldap::NG::Handler::Main``
 -  write the "type" wrapper files (AuthBasic,...).
 
 Wrapper usually look at this:
@@ -79,7 +79,7 @@ Old fashion Nginx handlers
 --------------------------
 
 
-.. important:: 
+.. important::
 
     There is no need to use this feature now. It is kept for
     compatibility.

doc/sources/admin/decryptvalue.rst

@@ -18,15 +18,15 @@ DecryptValue plugin can be allowed or denied for specific users.
       to use internal decrypt function.
 
 
-.. warning:: 
+.. warning::
 
     Custom functions must be defined into
     ``Lemonldap::NG::Portal::My::Plugin`` and set:
-    
+
     ::
-    
+
        My::Plugin::function1 My::Plugin::function2
-    
+
 
 
 .. |image0| image:: /documentation/beta.png

doc/sources/admin/devopshandler.rst

@@ -4,7 +4,7 @@ DevOps Handler
 This handler is designed to read vhost configuration from the website
 itself not from LL:NG configuration. Rules and headers are set in a
 **rules.json** file stored at the website root directory (ie
-``<nowiki>http://website/rules.json</nowiki>``). This file looks like:
+``http://website/rules.json``). This file looks like:
 
 .. code:: json
 
@@ -23,15 +23,15 @@ If this file is not found, the default rule "accept" is applied and just
 
 No specific configuration is required except that:
 
--  you have to choose this specific handler *(directly by using
+-  you have to choose this specific handler (directly by using
-   ``VHOSTTYPE`` environment variable)*
+   ``VHOSTTYPE`` environment variable)
 -  you can set the loopback URL needed by the DevOps handler to get
    ``/rules.json`` or use ``RULES_URL`` parameter to set JSON file path
-   *(see :doc:`SSO as a Service<ssoaas>`)*. Default to
+   (see :doc:`SSO as a Service<ssoaas>`). Default to
-   ``<nowiki>http://127.0.0.1:<server-port></nowiki>``
+   ``http://127.0.0.1:<server-port>``
 
 
-.. important:: 
+.. important::
 
     Note that DevOps handler will refuse to compile
     rules.json if :doc:`Safe Jail<safejail>` isn't enabled.

doc/sources/admin/download.rst

@@ -27,14 +27,11 @@ RPM
 ^^^
 
 
-.. tip:: 
+.. tip::
 
     You can:
-    
+    -  Use :ref:`our own YUM repository<installrpm-yum-repository>`.
-    -  Use :doc:`our own YUM repository<installrpm>`.
+    -  Download them here and :ref:`install pre-required packages<prereq-yum>`.
-    -  Download them here and
-       :doc:`install pre-required packages<prereq>`.
-    
 
 
 RHEL/CentOS 7
@@ -57,17 +54,16 @@ Debian
 ^^^^^^
 
 
-.. tip:: 
+.. tip::
 
     You can:
-    
+
     -  Use
-       :doc:`packages provided by Debian<installdeb>`.
+       :ref:`packages provided by Debian<installdeb-official-repository>`.
     -  Use
-       :doc:`our own Debian repository<installdeb>`.
+       :ref:`our own Debian repository<installdeb-llng-repository>`.
     -  Download them here and
-       :doc:`install pre-required packages<prereq>`.
+       :ref:`install pre-required packages<prereq-apt-get>`.
-    
 
 
 -  `DEB
@@ -99,6 +95,8 @@ Contributions
 
 See https://github.com/LemonLDAPNG
 
+.. _download-getting-sources-from-svn-repository:
+
 Git repository
 --------------
 

doc/sources/admin/error.rst

@@ -2,7 +2,7 @@ Error messages
 ==============
 
 
-.. important:: 
+.. note::
 
     This page do not reference all error messages, but only the
     frequentest
@@ -23,7 +23,7 @@ from a version older than 1.0
    Can't locate /usr/share/lemonldap-ng/configStorage.pl
 
 → When you upgrade from Debian Lenny with customized index.pl files, you
-must upgrade them. See :doc:`Debian Lenny upgrade<upgrade>`.
+must upgrade them. 
 
 Lemonldap::NG::Handler
 ----------------------
@@ -60,13 +60,13 @@ configStorageOptionsor file permissions.
    mkdir /tmp/MyNamespace/2: Permission denied ...
 
 → The cache has been created by another user than Apache's user. Restart
-Apache to purge it. 
+Apache to purge it.
-.. important:: 
+.. important::
 
     This can append when you use
     lmConfigEditor or launch **cron files** with a different user than
     Apache process. That is why it is important to set APACHEUSER variable
-    when you launch "make install" 
+    when you launch "make install"
 
 ::
 

doc/sources/admin/exportedvars.rst

@@ -6,7 +6,8 @@ Presentation
 
 Exported variables are the variables available to
 :doc:`write rules and headers<writingrulesand_headers>`. They are
-extracted from the users database by the :doc:`users module<start>`.
+extracted from the users database by the
+:ref:`users module<start-authentication-users-and-password-databases>`.
 
 To create a variable, you've just to map a user attributes in LL::NG
 using ``Variables`` » ``Exported variables``. For each variable, The
@@ -32,7 +33,7 @@ module.
 |Exported variables in the Manager|
 
 
-.. tip:: 
+.. tip::
 
     You can define environment variables in
     ``Exported variables``, this allows one to populate user session with

doc/sources/admin/extendedfunctions.rst

@@ -10,7 +10,7 @@ code execution.
 
 This is also true for:
 
--  :doc:`Menu modules activation rules<portalmenu>`
+-  :ref:`Menu modules activation rules<portalmenu-menu-modules>`
 -  :doc:`Form replay data<formreplay>`
 -  Macros
 -  Issuer databases use rules
@@ -18,30 +18,32 @@ This is also true for:
 
 Inside this jail, you can access to:
 
-::
+* all session values and CGI environment variables (through `$ENV{<HTTP_NAME>}`)
+* Core Perl subroutines (split, pop, map, etc.)
+* :doc:`Custom functions<customfunctions>`
+* The `encode_base64 <http://perldoc.perl.org/MIME/Base64.html>`__ subroutine
+* Information about current request
+* Extended functions:
+
+  * date_
+  * checkLogonHours_
+  * checkDate_
+  * basic_
+  * unicode2iso_
+  * iso2unicode_
+  * groupMatch_
+  * listMatch_ (|new| *since 2.0.7*)
+  * inGroup_ (|new| *since 2.0.8*)
+  * encrypt_
+  * token_
+  * isInNet6_
+  * varIsInUri_
+
+
+.. |new| image:: /documentation/new.png
+   :width: 35px
 
-   * all session values and CGI environment variables //(through $ENV{<HTTP_NAME>})//
+.. tip::
-   * Core Perl subroutines (split, pop, map, etc.)
-   * [[customfunctions|Custom functions]]
-   * The [[http://perldoc.perl.org/MIME/Base64.html|encode_base64]] subroutine
-   * [[#Request information|Information about current request]]
-   * [[#Extended functions list|Extended functions]]:
-     * [[#date|date]]
-     * [[#checkLogonHours|checkLogonHours]]
-     * [[#checkDate|checkDate]]
-     * [[#basic|basic]]
-     * [[#unicode2iso|unicode2iso]]
-     * [[#iso2unicode|iso2unicode]]
-     * [[#groupMatch|groupMatch]]
-     * [[#listMatch|listMatch]] ({{..:new.png?direct&35|}} // since 2.0.7)//
-     * [[#inGroup|inGroup]] ({{..:new.png?direct&35|}} // since 2.0.8)//
-     * [[#encrypt|encrypt]]
-     * [[#token|token]]
-     * [[#isInNet6|isInNet6]]
-     * [[#varIsInUri|varIsInUri]]
-
-
-.. tip:: 
 
     To know more about the jail, check `Safe module
     documentation <http://perldoc.perl.org/Safe.html>`__.
@@ -72,11 +74,10 @@ For example, for a full access, excepted week-end:
    000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000
 
 
-.. tip:: 
+.. tip::
 
-    The :doc:`LDAP schema extension<authldap>` can be used to
+    You can use the binary value from the logonHours attribute of Active
-    store this value. You can also use the binary value from the logonHours
+    Directory, or create a custom attribute in your LDAP schema.
-    attribute of Active Directory
 
 Functions parameters:
 
@@ -130,11 +131,6 @@ This function will check the date of current request, and compare it to
 a start date and an end date. It returns 1 if this match, 0 else.
 
 
-.. tip:: 
-
-    The :doc:`LDAP schema extension<authldap>` can be used to
-    store these values
-
 The date format is the LDAP date syntax, for example for the 1st March
 2009:
 
@@ -159,7 +155,7 @@ basic
 ~~~~~
 
 
-.. important:: 
+.. important::
 
     This function is not compliant with
     :doc:`Safe jail<safejail>`, you will need to disable the jail to use
@@ -184,7 +180,7 @@ unicode2iso
 ~~~~~~~~~~~
 
 
-.. important:: 
+.. important::
 
     This function is not compliant with
     :doc:`Safe jail<safejail>`, you will need to disable the jail to use
@@ -206,7 +202,7 @@ iso2unicode
 ~~~~~~~~~~~
 
 
-.. important:: 
+.. important::
 
     This function is not compliant with
     :doc:`Safe jail<safejail>`, you will need to disable the jail to use
@@ -242,6 +238,8 @@ Simple usage example:
 
    groupMatch($hGroups, 'description', 'Service 1')
 
+.. _listMatch:
+
 listMatch
 ~~~~~~~~~
 
@@ -293,7 +291,7 @@ encrypt
 ~~~~~~~
 
 
-.. tip:: 
+.. tip::
 
     Since version 2.0, this function is now compliant with
     :doc:`Safe jail<safejail>`.

doc/sources/admin/external2f.rst

@@ -10,7 +10,7 @@ Commands
 
 Commands receive arguments on command line and must return a 0 code if
 succeed, another else. **Nothing must be written to STDOUT**, STDERR is
-reported in logs *(but may be lost with FastCGI server)*.
+reported in logs (but may be lost with FastCGI server).
 
 Configuration
 ~~~~~~~~~~~~~
@@ -33,17 +33,17 @@ All parameters are configured in "General Parameters » Portal Parameters
 -  **Authentication level** (Optional): if you want to overwrite the
    value sent by your authentication module, you can define here the new
    authentication level. Example: 5
--  **Logo** (Optional): logo file *(in static/<skin> directory)*
+-  **Logo** (Optional): logo file (in static/<skin> directory)
 -  **Label** (Optional): label that should be displayed to the user on
    the choice screen
 
 
-.. important:: 
+.. important::
 
     The command line is split in an array and launched with
-    exec(). So you don't need to enclose arguments in "" and this feature
+    exec(). So you don't need to enclose arguments in quotes to  protect your
-    protects your system against shell injection. However, you can not use
+    system against shell injection. However, you can not use any space except
-    any space except to separate arguments.
+    to separate arguments.
 
 SELinux note
 ^^^^^^^^^^^^

doc/sources/admin/fastcgi.rst

@@ -2,6 +2,6 @@ FastCGI support
 ===============
 
 
-.. important:: 
+.. important::
 
     Since 2.0, all LLNG components run under FastCGI

doc/sources/admin/fastcgiserver.rst

@@ -2,9 +2,9 @@ LemonLDAP::NG FastCGI server
 ============================
 
 Since 1.9, Lemonldap::NG provides a FastCGI server usable to protect
-applications with Nginx *(See
+applications with Nginx (See
-:doc:`Manage virtual hosts</documentation/1.9/configvhost>` page to
+:doc:`Manage virtual hosts<configvhost>` page to
-configure virtual hosts)*.
+configure virtual hosts).
 
 This FastCGI server can be used for all LLNG components. It compiles
 enabled components on-the-fly.

doc/sources/admin/features.rst

@@ -21,7 +21,7 @@ Easy to integrate
 
 :doc:`Integrating applications<applications>` in
 LL::NG is easy since its dialog with applications is based on
-:doc:`customizable HTTP headers<writingrulesand_headers>`.
+:ref:`customizable HTTP headers<headers>`.
 
 Unifying authentications (Identity Federation)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -38,6 +38,8 @@ applications.
 Sessions
 --------
 
+.. _session-explorer:
+
 Session explorer
 ~~~~~~~~~~~~~~~~
 
@@ -52,6 +54,8 @@ opened sessions:
 
 It can be used to delete a session
 
+.. _session-restrictions:
+
 Session restrictions
 ~~~~~~~~~~~~~~~~~~~~
 

doc/sources/admin/federationproxy.rst

@@ -35,12 +35,12 @@ initiated by OpenID-Connect Provider. LLNG will implement it when this
 standard will be published.
 
 
-.. important:: 
+.. important::
 
     Federation proxy installation can be complex. Don't
     hesitate to contact us on lemonldap-ng-users@ow2.org
 
 See the following chapters:
 
--  :doc:`Authentication protocols<start>`
+-  :ref:`Authentication protocols<start-authentication-users-and-password-databases>`
--  :doc:`Identity provider<start>`
+-  :ref:`Identity provider<start-identity-provider>`

doc/sources/admin/fileconfbackend.rst

@@ -5,14 +5,14 @@ This is the default configuration backend. Configuration is stored as
 JSON.
 
 
-.. tip:: 
+.. tip::
 
     This configuration storage can be shared between different
     hosts using:
-    
+
     -  :doc:`SOAP configuration backend proxy<soapconfbackend>`
     -  any files sharing system (NFS, NAS, SAN,...)
-    
+
 
 
 Configuration

doc/sources/admin/filesessionbackend.rst

@@ -16,7 +16,7 @@ in "General parameters » Sessions » Session storage » Apache::Session
 module" and add the following parameters (case sensitive):
 
 =================== ============================== ===================================
-Required parameters                               
+Required parameters
 =================== ============================== ===================================
 Name                Comment                        Example
 **Directory**       The path to the main directory /var/lib/lemonldap-ng/sessions

doc/sources/admin/formreplay.rst

@@ -9,16 +9,16 @@ filling a HTML POST login form and autosubmitting it, without asking
 anything to the user.
 
 
-.. warning:: 
+.. warning::
 
     This kind of SSO mechanism is not clean, and can lead to
     problems, like local password blocking, local session not well closed,
     etc.
-    
+
     Please always try to find another solution to protect your application
     with LL::NG. At least, check if it is not a
     :doc:`known application<applications>`, or
-    :doc:`try to adapt its source code<selfmadeapplication>`. 
+    :doc:`try to adapt its source code<selfmadeapplication>`.
 
 If you configure form replay with LL::NG, the Handler will detect forms
 to fill, add a javascript in the html page to fill form fields with
@@ -28,7 +28,7 @@ data in the request body.
 POST data can be static values or computed from user's session.
 
 
-.. tip:: 
+.. tip::
 
     To post user's password, you must enable
     :doc:`password storing<passwordstore>`. In this case you will be able to
@@ -96,7 +96,7 @@ example:
 |image1|
 
 
-.. tip:: 
+.. tip::
 
     You can define more than one form replay URL per virtual
     host.

doc/sources/admin/globallogout.rst

@@ -17,9 +17,9 @@ Just enable it in the Manager (section “plugins”).
    -  **Custom parameter**: Session attribut to display at global logout
 
 
-.. important:: 
+.. note::
 
     To display more than one session attribute, you can create a
     macro like this :
-    
+
-    ``user_USER => "$uid_" . uc $uid`` 
+    ``user_USER => "$uid_" . uc $uid``

doc/sources/admin/handlerarch.rst

@@ -18,8 +18,8 @@ Overview of Handler packages
 Usage                                                                          Platform      Wrapper           Types       Main
 ============================================================================== ============  ================= =========== ====
 Apache2 protection                                                             ApacheMP2     ApacheMP2::<type> Lib::<type> Main
-Plack servers protection or Nginx/\ :doc:`SSOaaS<ssoaas>` FastCGI/uWSGI server Server        Server::<type>             
+Plack servers protection or Nginx/\ :doc:`SSOaaS<ssoaas>` FastCGI/uWSGI server Server        Server::<type>
-:doc:`Self protected applications<selfmadeapplication>`                        PSGI          PSGI::<type>               
+:doc:`Self protected applications<selfmadeapplication>`                        PSGI          PSGI::<type>
 ============================================================================== ============  ================= =========== ====
 
 Types are:

doc/sources/admin/handlerauthbasic.rst

@@ -46,32 +46,32 @@ see :doc:`REST sessions backend<restsessionbackend>`, enable local cache
 to access required locations in Portal Virtual Host.
 
 
-.. warning:: 
+.. warning::
 
     With AuthBasic handler, you have to disable CSRF token by
     setting a special rule based on source IP addresses like this :
-    
+
     requireToken => $env->{REMOTE_ADDR} !~ /^127\.0\.[1-3]\.1$/
-    
+
     With AutChoice, you have to declare which authentication module is
     requested by handler to create global session.
-    
+
     Go to:
     ``General Parameters > Authentication parameters > Choice parameters``
-    
+
     and set authentication module's name :
-    
+
     **AuthBasic handler parameter** => 2_LDAP (by example)
-    
 
 
 
-.. important:: 
+
+.. important::
 
     With HTTPS, you may have to set **LWP::UserAgent
     object** with ``verify_hostname => 0`` and ``SSL_verify_mode => 0``.
-    
+
     Go to:
-    
+
     ``General Parameters > Advanced Parameters > Security > SSL options for server requests``
 

doc/sources/admin/header_remote_user_conversion.rst

@@ -45,7 +45,7 @@ two Apache configuration files:
 
    <VirtualHost *:80>
            ServerName application.example.com
-           
+
            SetEnvIfNoCase Auth-User "(.*)" REMOTE_USER=$1
 
            DocumentRoot /var/www/application
@@ -53,18 +53,18 @@ two Apache configuration files:
    </VirtualHost>
 
 
-.. tip:: 
+.. tip::
 
     Sometimes, PHP applications also check the PHP_AUTH_USER and
     PHP_AUHT_PW environment variables. You can set them the same way:
-    
+
     .. code:: apache
-    
+
        SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1
        SetEnvIfNoCase Auth-Password "(.*)" PHP_AUTH_PW=$1
-    
+
     Of course, you need to :doc:`store password in session<passwordstore>`
-    to fill PHP_AUTH_PW. 
+    to fill PHP_AUTH_PW.
 
 Nginx
 -----

doc/sources/admin/idpcas.rst

@@ -29,17 +29,18 @@ In the Manager, go in ``General Parameters`` » ``Issuer modules`` »
    to always allow.
 
 
-.. tip:: 
+.. tip::
 
     For example, to allow only users with a strong authentication
     level:
-    
+
     ::
-    
+
        $authenticationLevel > 2
-    
 
 
+.. _idpcas-configuring-cas-applications:
+
 Configuring the CAS Service
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -65,15 +66,17 @@ Then go in ``CAS Service`` to define:
 
 -  **CAS session module name and options**: choose a specific module if
    you do not want to mix CAS sessions and normal sessions (see
-   :doc:`why<samlservice>`).
+   :ref:`why<samlservice-saml-sessions-module-name-and-options>`).
 
 
-.. tip:: 
+.. tip::
 
     If ``CAS login`` is not set, it uses ``General Parameters`` »
     ``Logs`` » ``REMOTE_USER`` data, which is set to ``uid`` by
     default
 
+.. _idpcas-configuring-the-cas-service:
+
 Configuring CAS Applications
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -110,7 +113,7 @@ Options
    left blank, access will be allowed for everyone.
 
 
-.. important:: 
+.. important::
 
     If the access control policy is set to ``none``, this
     rule will be ignored

doc/sources/admin/idpopenid.rst

@@ -2,10 +2,10 @@ OpenID server
 =============
 
 
-.. warning:: 
+.. warning::
 
     OpenID protocol is deprecated, you should now use
-    :doc:`OpenID Connect<idpopenidconnect>`\ 
+    :doc:`OpenID Connect<idpopenidconnect>`\
 
 Presentation
 ------------
@@ -31,7 +31,7 @@ their authentication using [PORTAL]/openidserver/[login] where:
 
 -  [PORTAL] is the portal URL
 -  [login] is the user login (or any other session information,
-   :doc:`see below<idpopenid>`)
+   :ref:`see below<idpopenid-configuration>`)
 
 Example:
 
@@ -39,6 +39,8 @@ Example:
 
    http://auth.example.com/openidserver/foo.bar
 
+.. _idpopenid-configuration:
+
 Configuration
 -------------
 
@@ -47,39 +49,41 @@ In the Manager, go in ``General Parameters`` » ``Issuer modules`` »
 
 -  **Activation**: set to ``On``
 -  **Path**: keep ``^/openidserver/`` unless you have change
-   :doc:`Apache portal configuration<configlocation>` file.
+   :ref:`Apache portal configuration<configlocation-portal>` file.
 -  **Use rule**: a rule to allow user to use this module, set to 1 to
    always allow.
 
 
-.. tip:: 
+.. tip::
 
     For example, to allow only users with a strong authentication
     level:
-    
+
     ::
-    
+
        $authenticationLevel > 2
-    
+
 
 
 Then go in ``Options`` to define:
 
 -  **Secret token**: a secret token used to secure transmissions between
-   OpenID client and server (:doc:`see below<idpopenid>`).
+   OpenID client and server (:ref:`see below<idpopenid-security>`).
 -  **OpenID login**: the session key used to match OpenID login.
 -  **Authorized domains**: white list or black list of OpenID client
-   domains (:doc:`see below<idpopenid>`).
+   domains (:ref:`see below<idpopenid-security>`).
 -  **SREG mapping**: link between SREG attributes and session keys
-   (:doc:`see below<idpopenid>`).
+   (:ref:`see below<idpopenid-shared-attributes-sreg>`).
 
 
-.. tip:: 
+.. tip::
 
     If ``OpenID login`` is not set, it uses ``General Parameters``
     » ``Logs`` » ``REMOTE_USER`` data, which is set to ``uid`` by
     default
 
+.. _idpopenid-shared-attributes-sreg:
+
 Shared attributes (SREG)
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -100,11 +104,13 @@ Each SREG attribute will be associated to a user session key. A session
 key can be associated to more than one SREG attribute.
 
 
-.. important:: 
+.. note::
 
     If the OpenID consumer ask for data, users will be prompted to
     accept or not the data sharing.
 
+.. _idpopenid-security:
+
 Security
 ~~~~~~~~
 
@@ -114,7 +120,7 @@ Security
    encryption key.
 
 
-.. important:: 
+.. important::
 
     Note that :doc:`SAML<idpsaml>` protocol is more secured
     than OpenID, so when your partners are known, prefer

doc/sources/admin/idpopenidconnect.rst

@@ -5,7 +5,7 @@ Presentation
 ------------
 
 
-.. important:: 
+.. note::
 
     OpenID Connect is a protocol based on REST, OAuth 2.0 and JOSE
     stacks. It is described here: http://openid.net/connect/.
@@ -58,15 +58,15 @@ and configure:
    to always allow.
 
 
-.. tip:: 
+.. tip::
 
     For example, to allow only users with a strong authentication
     level:
-    
+
     ::
-    
+
        $authenticationLevel > 2
-    
+
 
 
 Configuration of LL::NG in Relying Party
@@ -173,7 +173,7 @@ So you can define for example:
 -  email => mail
 
 
-.. important:: 
+.. important::
 
     The specific ``sub`` attribute is not defined here, but
     in User attribute parameter (see below).
@@ -182,7 +182,7 @@ Extra Claims
 ^^^^^^^^^^^^
 
 
-.. important:: 
+.. important::
 
     By default, only claims that are part of standard OpenID
     Connect scopes will be sent to a client. If you want to send a claim
@@ -202,7 +202,7 @@ be able to read the ``rebirth_count`` and ``bloodline`` claims from the
 Userinfo endpoint.
 
 
-.. warning:: 
+.. warning::
 
     Any Claim defined in this section must be mapped to a
     LemonLDAP::NG session attribute in the **Exported Attributes**
@@ -268,16 +268,15 @@ Options
       https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
       for details. These offline sessions can be administered through
       the Session Browser.
+   - **Allow OAuth2.0 Password Grant** (since version ``2.0.8``) Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
+   - **Access Rule**: lets you specify a :doc:`Perl rule<rules_examples>` to restrict access to this client
 
-::
+- **Logout**
 
-      * **Allow OAuth2.0 Password Grant** (since version ''2.0.8''): Allow the use of the Resource Owner Password Credentials Grant on by this client. This feature only works if you have configured a form-based authentication module.
+   - **Allowed redirection addresses for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ``post_logout_redirect_uri``)
-      * **Access Rule**: lets you specify a [[rules_examples|Perl rule]] to restrict access to this client
+   - **URL**: Specify the relying party's logout URL
-   * **Logout**
+   - **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
-     * **Allowed redirection addresses for logout**: A space separated list of URLs that this client can redirect the user to once the logout is done (through ''post_logout_redirect_uri'')
+   - **Session required**: Whether to send the Session ID in the logout request
-     * **URL**: Specify the relying party's logout URL
-     * **Type**: Type of Logout to perform (only Front-Channel is implemented for now)
-     * **Session required**: Whether to send the Session ID in the logout request
 
 Macros
 ^^^^^^

doc/sources/admin/idpsaml.rst

@@ -32,15 +32,15 @@ configure:
    to always allow.
 
 
-.. tip:: 
+.. tip::
 
     For example, to allow only users with a strong authentication
     level:
-    
+
     ::
-    
+
        $authenticationLevel > 2
-    
+
 
 
 Register LemonLDAP::NG on partner Service Provider
@@ -78,7 +78,7 @@ between your server and the SP).
 |image0|
 
 
-.. tip:: 
+.. tip::
 
     You can also edit the metadata directly in the textarea
 
@@ -139,10 +139,10 @@ Authentication response
      NotOnOrAfter="2014-07-21T12:48:08Z">
 
 
-.. important:: 
+.. important::
 
     There is a time tolerance of 60 seconds in
-    ``<Conditions>``\ 
+    ``<Conditions>``\
 
 -  **Force UTF-8**: Activate to force UTF-8 decoding of values in SAML
    attributes. If set to 0, the value from the session is directly
@@ -152,7 +152,7 @@ Signature
 '''''''''
 
 These options override service signature options (see
-:doc:`SAML service configuration<samlservice>`).
+:ref:`SAML service configuration<samlservice-general-options>`).
 
 -  **Sign SSO message**: sign SSO message
 -  **Check SSO message signature**: check SSO message signature
@@ -168,17 +168,17 @@ Security
    Initiated URL on this SP.
 
 
-.. tip:: 
+.. tip::
 
     The IDP Initiated URL is the SSO SAML URL with GET
     parameters:
-    
+
     -  IDPInitiated: 1
     -  One of:
-    
+
        -  sp: SP entity ID
        -  spConfKey: SP configuration key
-    
+
     For example:
     http://auth.example.com/saml/singleSignOn?IDPInitiated=1&spConfKey=simplesamlphp