@ -135,6 +135,8 @@ Each module that will be used in combination rule must be declared. You must set
</li>
</ul>
</li>
<liclass="level1"><divclass="li"> overwritten parameters: you can redefine any LLNG string parameter. For example, if you use 2 different LDAP, the first can use normal configuration and for the second, overwritten parameter can redefine ldapServer,…</div>
<thclass="col0"> Name </th><thclass="col1"> Type </th><thclass="col2"> Scope </th>
<thclass="col0"> Name </th><thclass="col1"> Type </th><thclass="col2"> Scope </th><thclass="col3"> Parameters </th>
</tr>
</thead>
<trclass="row1 rowodd">
<tdclass="col0"> DB1 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> Auth only </td>
<tdclass="col0"> DB1 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> Auth only </td><tdclass="col3"></td>
</tr>
<trclass="row2 roweven">
<tdclass="col0"> DB2 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> User DB only </td>
<tdclass="col0"> DB2 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> User DB only </td><tdclass="col3"> dbiAuthChain ⇒ “mysql:…” </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [811-889] -->
<!-- EDIT6 TABLE [1034-1157] -->
<p>
Usually, you can't declare two modules of the same type if they don't have the same parameters. For example, usually you can't declare a MySQL <abbrtitle="Database Interface">DBI</abbr> and a PostgreSQL <abbrtitle="Database Interface">DBI</abbr>, because there is no extra field for PostgreSQL parameters. Now with Combination, you can declare some overloaded parameters. For example, if <abbrtitle="Database Interface">DBI</abbr> is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the “dbiChain” parameter.
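Review bot: The new Parameters cell for DB2 uses dbiAuthChain, but the paragraph right after the table tells readers to override "dbiChain", and DB2 is declared "User DB only", so an authentication-chain override looks like the wrong key for that row. Use one parameter name, the one that applies to a user-database module, in both the table and the paragraph.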
@ -222,7 +224,7 @@ If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, my
<tdclass="col0"><code>[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2]</code></td><tdclass="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP and myDBI2 </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [2361-2605] --><divclass="noteimportant">You can't use brackets in a boolean expression and “and” has precedence on “or”.
<!-- EDIT9 TABLE [2629-2873] --><divclass="noteimportant">You can't use brackets in a boolean expression and “and” has precedence on “or”.
<p>
If you think to “( [myLDAP] or [myDBI1] ) and [myDBI2]”, you must write <code>[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]</code>
</p>
@ -249,7 +251,7 @@ Test can use only the <code>$env</code> variable. It contains the FastCGI enviro
<tdclass="col0"><code>if($env→{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else if($env→{REMOTE_ADDR} =~ /^192/) then [myDBI1] else [myDBI2]</code></td><tdclass="col1"> Chain tests </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [2941-3263] --><divclass="noteimportant">Note that brackets can't be used except to enclose test.
<!-- EDIT10 TABLE [3209-3531] --><divclass="noteimportant">Note that brackets can't be used except to enclose test.
<p>
If you wants to write <code>if(…) then if…</code>, you must write <code>if(not …) then … else if(…)…</code>
</p>
@ -269,7 +271,7 @@ The following rule is valid:
</p>
</div>
<!-- EDIT7 SECTION "Rule chain" [1304-3610] -->
<!-- EDIT7 SECTION "Rule chain" [1572-3878] -->
<h3class="sectionedit11"id="combine_second_factor">Combine second factor</h3>
<divclass="level3">
@ -294,7 +296,7 @@ Now if you want to authenticate users either by LDAP or LDAP+U2F <em>(to have 2
</ul>
</div>
<!-- EDIT11 SECTION "Combine second factor" [3611-4260] -->
<!-- EDIT11 SECTION "Combine second factor" [3879-4528] -->
@ -330,9 +332,9 @@ Combination module returns the form corresponding to the first authentication sc
<tdclass="col0"><em><code>[<abbrtitle="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em></td><tdclass="col1"><code>[<abbrtitle="Security Assertion Markup Language">SAML</abbr>, <abbrtitle="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code></td><tdclass="col2"> Authentication is done by <abbrtitle="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
An apache virtual host protected by LemonLDAP::NG Handler must be registered in LemonLDAP::NG configuration.
A virtual host protected by LemonLDAP::NG Handler must be registered in LemonLDAP::NG configuration.
</p>
<p>
To do this, use the Manager, and go in <code>Virtual Hosts</code> branch. You can add, delete or modify a virtual host here.
To do this, use the Manager, and go in <code>Virtual Hosts</code> branch. You can add, delete or modify a virtual host here. Enter the exact virtual host name (for example <code>test.example.com</code>) or use a wildcard (for example <code>*.example.com</code>).
<h4id="fastcgi_server_nginx">FastCGI server (Nginx)</h4>
<divclass="level4">
<h5id="fastcgi_server_nginx">FastCGI server (Nginx)</h5>
<divclass="level5">
<p>
You've just to incicate to <ahref="fastcgiserver.html"class="wikilink1"title="documentation:2.0:fastcgiserver">LLNG FastCGI server</a> the file to read using either <code>-f</code> option or <code>CUSTOM_FUNCTIONS_FILE</code> environment variable. Using packages, you just have to modify your <code>/etc/default/llng-fastcgi-server</code> (or <code>/etc/default/lemonldap-ng-fastcgi-server</code>) file:
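Review bot: The sentence added to the Virtual Hosts paragraph offers a wildcard such as *.example.com without the restriction given in the "Wildcards in hostnames" section elsewhere in this change, where a wildcard is allowed in the virtualhost name but "not in aliases". Repeat that limit here, since this is where administrators enter the name. The "incicate" typo in the FastCGI paragraph could be fixed in the same pass.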
@ -153,7 +172,7 @@ Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</cod
<divclass="noteimportant">If your function is not compliant with <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail.
Using <abbrtitle="LemonLDAP::NG">LL::NG</abbr> in reverse proxy mode, you will not have the <code>REMOTE_USER</code> environment variable set. Indeed, this variable is set by the Handler on the physical server hosting the Handler, and not on other servers where the Handler is not installed.
</p>
@ -95,6 +100,17 @@ Of course, you need to <a href="passwordstore.html" class="wikilink1" title="doc
</div>
</div>
<!-- EDIT2 SECTION "Apache" [62-1756] -->
<h2class="sectionedit3"id="nginx">Nginx</h2>
<divclass="level2">
<p>
Nginx doesn't launch directly PHP pages (or other languages): it dials with FastCGI servers (like php-fpm). As you can see in examples, it's easy to map a LLNG header to a fastcgi param. Example:
Since version 2.0, a Node.js handler is available on <ahref="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"class="urlextern"title="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"rel="nofollow">GitHub</a>.
Since version 2.0, an experimental Node.js handler is available on <ahref="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"class="urlextern"title="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"rel="nofollow">GitHub</a>.
<divclass="notetip">You need <ahref="http://fedoraproject.org/wiki/EPEL/"class="urlextern"title="http://fedoraproject.org/wiki/EPEL/"rel="nofollow">EPEL</a> repository. See how you can activate this repository: <ahref="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse"class="urlextern"title="http://fedoraproject.org/wiki/EPEL/FAQ#howtouse"rel="nofollow">http://fedoraproject.org/wiki/EPEL/FAQ#howtouse</a>
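Review bot: In the new Nginx paragraph, "it dials with FastCGI servers" and "doesn't launch directly PHP pages" read as literal translations; suggest "Nginx does not run PHP (or other languages) itself: it talks to FastCGI servers such as php-fpm". The paragraph also ends on "Example:", so check that the example it introduces is included in this change.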
@ -328,6 +338,6 @@ For Nginx:
<divclass="noteimportant">As you need a recent version of Nginx, the best is to install <ahref="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages"class="urlextern"title="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages"rel="nofollow">Nginx official packages</a>.
@ -428,7 +429,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
<tdclass="col0"><ahref="securetoken.html"class="wikilink1"title="documentation:2.0:securetoken">Secure Token</a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Designed to secure dialog between a LLNG reverse-proxy and a remote app </td><tdclass="col5"></td>
</tr>
<trclass="row6 roweven">
<tdclass="col0"><ahref="servertoserver.html"class="wikilink1"title="documentation:2.0:servertoserver">Service Token</a><em>(Server-to-Server)</em><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Designed to permits underlying requests <em>(<abbrtitle="Application Programming Interface">API</abbr>-Based Infrastructure)</em></td><tdclass="col5"></td>
<tdclass="col0"><ahref="servertoserver.html"class="wikilink1"title="documentation:2.0:servertoserver">Service Token</a><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a><em>(Server-to-Server)</em></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Designed to permits underlying requests <em>(<abbrtitle="Application Programming Interface">API</abbr>-Based Infrastructure)</em></td><tdclass="col5"></td>
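Review bot: The changed Service Token row still reads "Designed to permits underlying requests"; since the row is being touched, correct it to "Designed to permit". The "new" badge image keeps alt="", so moving it ahead of (Server-to-Server) changes nothing for screen-reader users; an alt text such as "new" would carry the marker.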
@ -111,7 +112,18 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [305-1090] -->
<h2class="sectionedit5"id="logs">Logs</h2>
<h2class="sectionedit5"id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<divclass="level2">
<ul>
<liclass="level1"><divclass="li"> A new <ahref="authkerberos.html"class="wikilink1"title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added since 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display,…)</em>. However, you can retain the old integration manner <em>(using <ahref="authapache.html"class="wikilink1"title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
</li>
<liclass="level1"><divclass="li"> For <ahref="authssl.html"class="wikilink1"title="documentation:2.0:authssl">SSL</a>, a new <ahref="authssl.html#ssl_by_ajax"class="wikilink1"title="documentation:2.0:authssl">Ajax option</a> can be used in the same idea: so SSL can be used in conjunction with other backends.</div>
</li>
</ul>
</div>
<!-- EDIT5 SECTION "Kerberos or SSL usage" [1091-1599] -->
<h2class="sectionedit6"id="logs">Logs</h2>
<divclass="level2">
<ul>
<liclass="level1"><divclass="li"><strong>Syslog</strong>: logs are now configured only in <code>lemonldap-ng.ini</code> file. If you use Syslog, you must reconfigure it. See <ahref="logs.html"class="wikilink1"title="documentation:2.0:logs">logs</a> for more.</div>
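Review bot: The SSL item in the new "Kerberos or SSL usage" section says the Ajax option "can be used in the same idea", which leaves the reader to infer the point from the Kerberos item above it. State it directly, for example "the Ajax option lets SSL be combined with other backends", and say in the Kerberos item whether the old Apache-module integration can still be combined with other backends, since that is the reason given for the new module.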
@ -121,8 +133,8 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
<liclass="level1"><divclass="li"><ahref="cda.html"class="wikilink1"title="documentation:2.0:cda">CDA</a>, <ahref="documentation/latest/applications/zimbra.html"class="wikilink1"title="documentation:latest:applications:zimbra">ZimbraPreAuth</a>, <ahref="securetoken.html"class="wikilink1"title="documentation:2.0:securetoken">SecureToken</a> and <ahref="handlerauthbasic.html"class="wikilink1"title="documentation:2.0:handlerauthbasic">AuthBasic</a> are now <ahref="handlerarch.html"class="wikilink1"title="documentation:2.0:handlerarch">Handler Types</a>. So there is no more special file to load: you just have to choose “VirtualHost type” in the manager/VirtualHosts.</div>
@ -147,8 +159,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT7 SECTION "Handlers" [2071-2731] -->
<h2class="sectionedit8"id="rules_and_headers">Rules and headers</h2>
<!-- EDIT8 SECTION "Handlers" [2581-3242] -->
<h2class="sectionedit9"id="rules_and_headers">Rules and headers</h2>
<divclass="level2">
<ul>
<liclass="level1"><divclass="li"> hostname() and remote_ip() are no more provided to avoid some name conflicts <em>(replaced by $ENV{})</em></div>
@ -160,8 +172,8 @@ LLNG portal now embeds the following features:
</ul>
</div>
<!-- EDIT8 SECTION "Rules and headers" [2732-3050] -->
Before 2.0, an Ajax query that was launched after session timeout received a 302 code. Now a response 401 is given. The <code>WWW-Authenticate</code> header contains: <code><abbrtitle="Single Sign On">SSO</abbr><portal-<abbrtitle="Uniform Resource Locator">URL</abbr>></code>
Before 2.0, an Ajax query that was launched after session timeout received a 302 code. Now a 401 HTTP code is given in response. The <code>WWW-Authenticate</code> header contains: <code><abbrtitle="Single Sign On">SSO</abbr><portal-<abbrtitle="Uniform Resource Locator">URL</abbr>></code>
<liclass="level1"><divclass="li"> SOAP server activation is now split in 2 parameters (configuration/sessions). You must set them else SOAP service will be disabled</div>
@ -194,13 +206,13 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302
<divclass="noteimportant"><ahref="handlerauthbasic.html"class="wikilink1"title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> uses now REST services instead of SOAP.
<h2class="sectionedit10"id="wildcards_in_hostnames">Wildcards in hostnames</h2>
<divclass="level2">
<p>
<ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a> Since 2.0, a wildcard can be used in virtualhost name (not in aliases !): <code>*.example.com</code> matches all hostnames that belong to <code>example.com</code> domain.
</p>
<p>
Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied. Example with precedence order:
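Review bot: The new "Wildcards in hostnames" text says *.example.com "matches all hostnames that belong to example.com domain", which does not say whether the bare example.com or a multi-label name such as a.b.example.com is covered. Since this decides which access rules protect which host, spell out the matching in the paragraph. In the next sentence, "this rule is applied" should read "the explicitly declared virtualhost takes precedence over the wildcard".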
<seg><bpt i='0' x='0'><s0></bpt>Display<ept i='0'></s0></ept>: As Google Apps is not a protected application, set to <bpt i='1' x='1'><c1></bpt>On<ept i='1'></c1></ept> to always display it</seg>
<seg><bpt i='0' x='0'><s0></bpt>Protected URLs<ept i='0'></s0></ept>: Regexp of URLs for which the secure token will be sent, separated by spaces</seg>
<seg><s0>Domaines autorisés</s0> : liste blanche ou noire des domaines clients OpenID (<s1><a2>voir ci-dessous</a2></s1>).</seg>
@ -142,6 +142,8 @@ Each module that will be used in combination rule must be declared. You must set
</li>
</ul>
</li>
<liclass="level1"><divclass="li"> overwritten parameters: you can redefine any LLNG string parameter. For example, if you use 2 different LDAP, the first can use normal configuration and for the second, overwritten parameter can redefine ldapServer,…</div>
<thclass="col0"> Nom </th><thclass="col1"> Type </th><thclass="col2"> Scope </th>
<thclass="col0"> Nom </th><thclass="col1"> Type </th><thclass="col2"> Scope </th><thclass="col3"> Parameters </th>
</tr>
</thead>
<trclass="row1 rowodd">
<tdclass="col0"> DB1 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> Auth only </td>
<tdclass="col0"> DB1 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> Auth only </td><tdclass="col3"></td>
</tr>
<trclass="row2 roweven">
<tdclass="col0"> DB2 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> User DB only </td>
<tdclass="col0"> DB2 </td><tdclass="col1"><abbrtitle="Database Interface">DBI</abbr></td><tdclass="col2"> User DB only </td><tdclass="col3"> dbiAuthChain ⇒ “mysql:…” </td>
</tr>
</table></div><!-- EDIT6 TABLE [811-889] -->
</table></div><!-- EDIT6 TABLE [1034-1157] -->
<p>
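Review bot: On this French page the new column header "Parameters" and the new "overwritten parameters" list item are added in English, next to the translated header "Nom". Translate both, or mark them as pending translation the way the rest of the localized pages do, so the table does not ship with mixed-language headers.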
@ -167,7 +169,7 @@ Usually, you can't declare two modules of the same type if they don't have the s
@ -220,7 +222,7 @@ Remember that schemes in rules are the names declared above.
<trclass="row4 roweven">
<tdclass="col0 leftalign"><code>[mySSL and myLDAP, myLDAP ]</code></td><tdclass="col1"> Use mySSL and myLDAP to authentify, myLDAP to get user </td>
</tr>
</table></div><!-- EDIT8 TABLE [1757-2188] -->
</table></div><!-- EDIT8 TABLE [2025-2456] -->
<divclass="noteimportant">Note that “or” can't be used inside a scheme.
If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code>
@ -236,7 +238,7 @@ If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, my
<trclass="row2 roweven">
<tdclass="col0"><code>[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2]</code></td><tdclass="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP and myDBI2 </td>
</tr>
</table></div><!-- EDIT9 TABLE [2361-2605] -->
</table></div><!-- EDIT9 TABLE [2629-2873] -->
<divclass="noteimportant">You can't use brackets in a boolean expression and “and” has precedence on “or”.
<p>
@ -267,7 +269,7 @@ Test can use only the <code>$env</code> variable. It contains the FastCGI enviro
<trclass="row2 roweven">
<tdclass="col0"><code>if($env→{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else if($env→{REMOTE_ADDR} =~ /^192/) then [myDBI1] else [myDBI2]</code></td><tdclass="col1"> Chain tests </td>
</tr>
</table></div><!-- EDIT10 TABLE [2941-3263] -->
</table></div><!-- EDIT10 TABLE [3209-3531] -->
<divclass="noteimportant">Note that brackets can't be used except to enclose test.
<p>
@ -291,7 +293,7 @@ The following rule is valid:
<code>if($env→{REMOTE_ADDR} =~ /^192\./) then [mySSL, myLDAP] or [myLDAP] else [myLDAP and myDBI, myLDAP]</code>
@ -357,9 +359,9 @@ Combination module returns the form corresponding to the first authentication sc
<trclass="row2 roweven">
<tdclass="col0"><em><code>[<abbrtitle="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em></td><tdclass="col1"><code>[<abbrtitle="Security Assertion Markup Language">SAML</abbr>, <abbrtitle="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code></td><tdclass="col2"> Authentication is done by <abbrtitle="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
@ -388,7 +390,7 @@ Pour outrepasser ceci, suivre la documentation du <a href="authapache.html" clas
Pour chaîner SSL, il est nécessaire de mettre “SSLRequire optional” dans le fichier de configuration Apache, sinon les utilisateurs ne seront authentifiés que par SSL.
Un hôte virtuel apache protégé par un agent LemonLDAP::NG doit être enregistré dans la configuration LemonLDAP::NG.
A virtual host protected by LemonLDAP::NG Handler must be registered in LemonLDAP::NG configuration.
</p>
<p>
Pour ce faire, utiliser le manager, et aller dans la branche <code>Virtual Hosts</code>. Il est possible d'ajouter, effacer ou modifier un hôte virtuel ici.
Pour ce faire, utiliser le manager, et aller dans la branche <code>Virtual Hosts</code>. Il est possible d'ajouter, effacer ou modifier un hôte virtuel ici. Enter the exact virtual host name (for example <code>test.example.com</code>) or use a wildcard (for example <code>*.example.com</code>).
<h3class="sectionedit10"id="access_rules_and_http_headers">Règles d'accès et en-têtes HTTP</h3>
<divclass="level3">
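Review bot: The translated sentence "Un hôte virtuel apache protégé par un agent LemonLDAP::NG…" is replaced by the English source sentence, and an English sentence is appended to the French "Pour ce faire…" paragraph, so this page goes from translated to mixed-language. Keep the French sentence with "apache" dropped, and translate the wildcard sentence instead of pasting the English text.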
@ -400,7 +402,7 @@ Un hôte vituel contient :
Voir <strong><ahref="writingrulesand_headers.html"class="wikilink1"title="documentation:2.0:writingrulesand_headers">Écrire des règles et des en-têtes</a></strong> pour savoir comment configurer le contrôle d'accès et les en-têtes HTTP transmis à l'application par <abbrtitle="LemonLDAP::NG">LL::NG</abbr>.
</p>
</div><!-- EDIT10 SECTION "Access rules and HTTP headers" [8350-8542] -->
</div><!-- EDIT10 SECTION "Access rules and HTTP headers" [8462-8654] -->
Voir <strong><ahref="formreplay.html"class="wikilink1"title="documentation:2.0:formreplay">Rejeu des formulaires</a></strong> pour savoir comment configurer le rejeu des formulaires pour poster des données à une applications protégée.
@ -430,7 +432,7 @@ Quelques options sont disponibles :
Ces options sont utilisées dans la construction des <abbrtitle="Uniform Resource Locator">URL</abbr> de redirection (lorsque l'utilisateur n'est pas connecté ou pour les requêtes <abbrtitle="Authentification inter-domaines">CDA</abbr>). Sauf modification, les valeurs par défaut sont utilisées. Ces options ne sont à utiliser que pour surcharger les valeurs par défaut.
Il faut indiquer au <ahref="fastcgiserver.html"class="wikilink1"title="documentation:2.0:fastcgiserver">serveur FastCGI de LLNG</a> le fichier à lire en utilisant l'option <code>-f</code> ou la variable d'environnement <code>CUSTOM_FUNCTIONS_FILE</code>. En utilisant les packages, il suffit de modifier le fichier <code>/etc/default/llng-fastcgi-server</code> (ou <code>/etc/default/lemonldap-ng-fastcgi-server</code>) :
</div><!-- EDIT4 SECTION "Declare module in handler server" [609-1543] -->
</div><!-- EDIT4 SECTION "Declare module in handler server" [609-1892] -->
<h3class="sectionedit5"id="declare_custom_functions">Declarer les fonctions personnalisées</h3>
<divclass="level3">
@ -155,7 +177,7 @@ Aller dans le manager, <code>Paramètres généraux</code> » <code>Paramètres
<preclass="code">SSOExtensions::function1</pre>
<divclass="noteimportant">Si la fonction n'est pas compatible avec la <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">cage saine</a>, il faut désactiver la mise en cage.
Lorsque <abbrtitle="LemonLDAP::NG">LL::NG</abbr> est utilisé en mode reverse-proxy, la variable d'environnement <code>REMOTE_USER</code> n'est pas renseignée. Toutefois, cette variable est renseignée par l'agent dans le serveur physique l'hébergeant mais pas dans les autres serveurs sans agents.
</p>
@ -95,7 +100,18 @@ Bien sûr, il faut <a href="passwordstore.html" class="wikilink1" title="documen
</p>
</div>
</div>
</div><!-- EDIT2 SECTION "Apache" [62-1756] -->
<h2class="sectionedit3"id="nginx">Nginx</h2>
<divclass="level2">
<p>
Nginx doesn't launch directly PHP pages (or other languages): it dials with FastCGI servers (like php-fpm). As you can see in examples, it's easy to map a LLNG header to a fastcgi param. Exemple :
<h3class="sectionedit14"id="upgrade">Mise à jour</h3>
<divclass="level3">
@ -236,7 +245,7 @@ Pour autoriser le manager à recharger la configuration, enregistrer le nom d'h
Pour mettre à jour <abbrtitle="LemonLDAP::NG">LL::NG</abbr>, lisez toutes les <ahref="upgrade.html"class="wikilink1"title="documentation:2.0:upgrade">notes de mise à jour</a>.
Since version 2.0, a Node.js handler is available on <ahref="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"class="urlextern"title="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"rel="nofollow">GitHub</a>.
Since version 2.0, an experimental Node.js handler is available on <ahref="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"class="urlextern"title="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler"rel="nofollow">GitHub</a>.
<divclass="noteimportant">As you need a recent version of Nginx, the best is to install <ahref="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages"class="urlextern"title="https://www.nginx.com/resources/wiki/start/topics/tutorials/install/#official-red-hat-centos-packages"rel="nofollow">Nginx official packages</a>.
@ -431,7 +432,7 @@ Handlers are software control agents to install on your web servers <em>(Nginx,
<tdclass="col0"><ahref="securetoken.html"class="wikilink1"title="documentation:2.0:securetoken">Secure Token</a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Designed to secure dialog between a LLNG reverse-proxy and a remote app </td><tdclass="col5"></td>
</tr>
<trclass="row6 roweven">
<tdclass="col0"><ahref="servertoserver.html"class="wikilink1"title="documentation:2.0:servertoserver">Service Token</a><em>(Server-to-Server)</em><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Designed to permits underlying requests <em>(<abbrtitle="Interface de programmation">API</abbr>-Based Infrastructure)</em></td><tdclass="col5"></td>
<tdclass="col0"><ahref="servertoserver.html"class="wikilink1"title="documentation:2.0:servertoserver">Service Token</a><ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a><em>(Server-to-Server)</em></td><tdclass="col1 centeralign"> ✔ </td><tdclass="col2 centeralign"> ✔ </td><tdclass="col3 leftalign"></td><tdclass="col4"> Designed to permits underlying requests <em>(<abbrtitle="Interface de programmation">API</abbr>-Based Infrastructure)</em></td><tdclass="col5"></td>
<h2class="sectionedit5"id="kerberos_or_ssl_usage">Kerberos or SSL usage</h2>
<divclass="level2">
<ul>
<liclass="level1"><divclass="li"> A new <ahref="authkerberos.html"class="wikilink1"title="documentation:2.0:authkerberos">Kerberos</a> authentication backend has been added since 2.0. This module solves many Kerberos integration problems <em>(usage in conjunction with other backends, better error display,…)</em>. However, you can retain the old integration manner <em>(using <ahref="authapache.html"class="wikilink1"title="documentation:2.0:authapache">Apache authentication module</a>)</em>.</div>
</li>
<liclass="level1"><divclass="li"> For <ahref="authssl.html"class="wikilink1"title="documentation:2.0:authssl">SSL</a>, a new <ahref="authssl.html#ssl_by_ajax"class="wikilink1"title="documentation:2.0:authssl">Ajax option</a> can be used in the same idea: so SSL can be used in conjunction with other backends.</div>
</li>
</ul>
</div><!-- EDIT5 SECTION "Kerberos or SSL usage" [1091-1599] -->
<h2class="sectionedit6"id="logs">Journaux</h2>
<divclass="level2">
<ul>
<liclass="level1"><divclass="li"><strong>Syslog</strong>: logs are now configured only in <code>lemonldap-ng.ini</code> file. If you use Syslog, you must reconfigure it. See <ahref="logs.html"class="wikilink1"title="documentation:2.0:logs">logs</a> for more.</div>
@ -126,9 +138,9 @@ To build Debian package with Wheezy, remove <code>debian/lemonldap-ng-doc.maints
<liclass="level1"><divclass="li"><ahref="cda.html"class="wikilink1"title="documentation:2.0:cda">CDA</a>, <ahref="documentation/latest/applications/zimbra.html"class="wikilink1"title="documentation:latest:applications:zimbra">ZimbraPreAuth</a>, <ahref="securetoken.html"class="wikilink1"title="documentation:2.0:securetoken">SecureToken</a> and <ahref="handlerauthbasic.html"class="wikilink1"title="documentation:2.0:handlerauthbasic">AuthBasic</a> are now <ahref="handlerarch.html"class="wikilink1"title="documentation:2.0:handlerarch">Handler Types</a>. So there is no more special file to load: you just have to choose “VirtualHost type” in the manager/VirtualHosts.</div>
@ -154,9 +166,9 @@ LLNG portal now embeds the following features:
Before 2.0, an Ajax query that was launched after session timeout received a 302 code. Now a response 401 is given. The <code>WWW-Authenticate</code> header contains: <code><abbrtitle="Authentification unique (Single Sign On)">SSO</abbr><portal-<abbrtitle="Uniform Resource Locator">URL</abbr>></code>
Before 2.0, an Ajax query that was launched after session timeout received a 302 code. Now a 401 HTTP code is given in response. The <code>WWW-Authenticate</code> header contains: <code><abbrtitle="Authentification unique (Single Sign On)">SSO</abbr><portal-<abbrtitle="Uniform Resource Locator">URL</abbr>></code>
<liclass="level1"><divclass="li"> SOAP server activation is now split in 2 parameters (configuration/sessions). You must set them else SOAP service will be disabled</div>
@ -203,14 +215,14 @@ Before 2.0, an Ajax query that was launched after session timeout received a 302
<divclass="noteimportant"><ahref="handlerauthbasic.html"class="wikilink1"title="documentation:2.0:handlerauthbasic">AuthBasic Handler</a> uses now REST services instead of SOAP.
<h2class="sectionedit10"id="wildcards_in_hostnames">Wildcards in hostnames</h2>
<divclass="level2">
<p>
<ahref="new.png"class="media"title="documentation:2.0:new.png"><imgsrc="new.edf565b3f89a0ad56df9a5e7a31a6de8.png"class="media"alt=""width="35"/></a> Since 2.0, a wildcard can be used in virtualhost name (not in aliases !): <code>*.example.com</code> matches all hostnames that belong to <code>example.com</code> domain.
</p>
<p>
Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied. Example with precedence order: