To use Active Directory as LDAP backend, you must change few things in the manager :
</p>
<ul>
<liclass="level1"><divclass="li"> Use “Active Directory” as authentication, userDB and passwordDBbackends,</div>
<liclass="level1"><divclass="li"> Use "Active Directory" as authentication, userDB and passwordDBbackends,</div>
</li>
<liclass="level1"><divclass="li"> Export sAMAccountName in a variable declared in <ahref="exportedvars.html"class="wikilink1"title="documentation:1.9:exportedvars">exported variables</a></div>
</li>
<liclass="level1"><divclass="li"> Change the user attribute to store in Apache logs <em>(“General Parameters » Logs » REMOTE_USER”)</em>: use the variable declared above</div>
<liclass="level1"><divclass="li"> Change the user attribute to store in Apache logs <em>("General Parameters » Logs » REMOTE_USER")</em>: use the variable declared above</div>
</li>
</ul>
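Review bot: the context line "you must change few things in the manager" reads as a typo for "a few things"; since this commit is already touching this file for quote normalization, fixing the article in the same hunk would avoid a second cosmetic commit. The two replaced lines in this hunk change only the quote characters around "Active Directory" and "General Parameters » Logs » REMOTE_USER", which is fine, but note that the REMOTE_USER item still tells the reader to use "the variable declared above" without naming it; repeating the exported-variable name there would make the log-attribute step self-contained.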
...
...
@@ -69,7 +69,7 @@ To use Active Directory as LDAP backend, you must change few things in the manag
<h2class="sectionedit3"id="authentication_with_kerberos">Authentication with Kerberos</h2>
<liclass="level1"><divclass="li"><ahref="authapache.html"class="wikilink1"title="documentation:1.9:authapache">Configure the Apache server</a> that host the portal to use the Apache Kerberos authentication module</div>
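Review bot: the Kerberos item "Configure the Apache server that host the portal" needs "hosts"; the hunk header says this is a 7-line change but only the heading and the first list item survive in the export, so the actual quote swap for this hunk is not reviewable here.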
@@ -67,7 +67,7 @@ In the context of an HTTP transaction, the basic access authentication is a meth
</p>
<p>
Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings “on the fly”.
Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings "on the fly".
</blockquote>
</p>
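Review bot: the `</blockquote>` on the line after the changed paragraph is closed before the enclosing `</p>`, so the markup is mis-nested (a `<blockquote>` cannot sit inside a `<p>`); move `</p>` ahead of `</blockquote>` or drop the stray `<p>`. The quote change on the "on the fly" sentence itself is fine, and the paragraph's point still holds: Base64 is an encoding, not encryption, so `Aladdin:open sesame` is recoverable from `QWxhZGRpbjpvcGVuIHNlc2FtZQ==` by anyone who sees the header.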
...
...
@@ -94,7 +94,7 @@ The Basic Authentication relies on a specific HTTP header, as described above. S
For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <ahref="../passwordstore.html"class="wikilink1"title="documentation:1.9:passwordstore">password is stored in session</a>):
<divclass="noteimportant">Don't forget to add an empty string as second argument of encode_base64 to avoid insert of “newline” characters
<divclass="noteimportant">Don't forget to add an empty string as second argument of encode_base64 to avoid insert of "newline" characters
</div>
<p>
<abbrtitle="LemonLDAP::NG">LL::NG</abbr> provides a special function named <ahref="../extendedfunctions.html#basic"class="wikilink1"title="documentation:1.9:extendedfunctions">basic</a> to build this header.
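Review bot: the noteimportant box would be clearer if it named the argument it is talking about: MIME::Base64's `encode_base64($bytes, $eol)` appends `$eol` after every 76 characters and defaults it to "\n", so a long `login:password` string encoded without the empty second argument yields a header value containing a newline, which breaks or splits the Authorization header. Suggest "pass an empty string as the second (`$eol`) argument of `encode_base64`, otherwise newline characters are inserted every 76 characters".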
@@ -96,11 +96,11 @@ similar, using whatever attribute makes sense to you. For example:<pre class="c
</li>
<liclass="level1"><divclass="li"> Now go to *Variables -> Macros*. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provier-name</code>. The last two will be the provider name and role names you just set up in AWS.</div>
</li>
<liclass="level1"><divclass="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -><code>$ou =~ sysadmin ? “arn:aws...” : “arn:...”</code></div>
<liclass="level1"><divclass="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -><code>$ou =~ sysadmin ? "arn:aws..." : "arn:..."</code></div>
</li>
<liclass="level1"><divclass="li"> If it easier, split multiple roles into different macros. Then tie all the variables you define together into one string concatenating them with whatever is in General Parameters -> Advanced Parameters -> Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.</div>
</li>
<liclass="level1"><divclass="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> -><code>join(“; ”, $role_name1, $role_name2, ...)</code></div>
<liclass="level1"><divclass="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> -><code>join("; ", $role_name1, $role_name2, ...)</code></div>
</li>
<liclass="level1"><divclass="li"> On the left again, click <code><abbrtitle="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbrtitle="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on "Create this page".
</p>
</div>
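Review bot: the replaced macro example `$ou =~ sysadmin ? "arn:aws..." : "arn:..."` is not valid Perl: a bareword on the right of `=~` is not a pattern, so it should read `$ou =~ /sysadmin/ ? "arn:aws..." : "arn:..."`. Two more small points in the same hunk: the context line spells `provier-name` where the format string says `provider-name`, and "macros are defined alphanumerically" would be clearer as "macros are evaluated in alphabetical order", which is the reason given for naming the combining macro `z_aws_roles`. The trailing "You've followed a link to a topic that doesn't exist yet" lines are DokuWiki's missing-page placeholder that was exported into the HTML; swapping its quote characters keeps a dangling link in the docs rather than fixing it.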
...
...
@@ -218,8 +218,18 @@ You've followed a link to a topic that doesn't exist yet. If permissio
<ahref="https://www.ow2con.org/view/2014/Awards_Results?year=2014&event=OW2con14"class="urlextern"title="https://www.ow2con.org/view/2014/Awards_Results?year=2014&event=OW2con14"rel="nofollow">OW2con'14 Community Award</a>
</p>
<p>
<ahref="https://www.ow2con.org/view/2018/Awards_Results?year=2018&event=OW2con18"class="urlextern"title="https://www.ow2con.org/view/2018/Awards_Results?year=2018&event=OW2con18"rel="nofollow">OW2con'18 Community Award</a>
</p>
<p>
</div>
</p>
<hr/>
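Review bot: the added `<p>` after the OW2con'18 link is closed only after `</div>`, giving `<p></div></p>`, which is mis-nested; either drop the empty `<p>` or move `</p>` before `</div>`. Also, both award hrefs carry a raw `&event=` in an attribute value, which should be `&amp;event=` in HTML (pre-existing on the 2014 line, but the new 2018 line copies it).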
...
...
@@ -262,7 +272,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio
You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You've followed a link to a topic that doesn't exist yet. If permissions allow, you may create it by clicking on "Create this page".
</p>
</div>
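Review bot: this hunk only changes the quote characters in DokuWiki's "You've followed a link to a topic that doesn't exist yet" placeholder, which means the exported page for this hunk (offset 262/272) is itself a missing wiki page; the real fix is to restore or remove the broken wikilink that produced it rather than normalizing the placeholder text.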
...
...
...
...
@@ -262,7 +272,7 @@ You've followed a link to a topic that doesn't exist yet. If permissio
<divclass="notewarning">In last version of Auth_remoteuser and Mediawiki, empty passwords are not authorized, so you may need to patch the extension code if you get the error:
<divclass="notewarning">In last version of Auth_remoteuser and Mediawiki, auto-provisioning requires REMOTE_USER to match the normalized mediawiki username (for example: john_doe -> john doe), so you may need to patch the extension code if you get the error:
Copy/Paste the content of your new cert.pem in the “Public X.509 certificate of the IdP” field of your NextCloud.
Copy/Paste the content of your new cert.pem in the "Public X.509 certificate of the IdP" field of your NextCloud.
</p>
<p>
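Review bot: the rewritten warning's example `john_doe -> john doe` is incomplete for a default MediaWiki install, whose canonical user-name form also upper-cases the first character, so REMOTE_USER would have to match `John doe`; state that explicitly or the reader will still get the provisioning error after replacing underscores. The sentence also still ends with "if you get the error:" without the error text in the visible lines, so make sure the following `<pre>` was carried over with this change. The NextCloud "Copy/Paste the content of your new cert.pem" line belongs to a different file and only has its quotes normalized.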
...
...
@@ -192,7 +192,7 @@ We now have to define a service provider (e.g our nextcloud) in LL:NG.
</p>
<p>
Go to “<abbrtitle="Security Assertion Markup Language">SAML</abbr> service providers”, click on “Add <abbrtitle="Security Assertion Markup Language">SAML</abbr> SP” and name it as you want (example : 'NextCloud')
Go to "<abbrtitle="Security Assertion Markup Language">SAML</abbr> service providers", click on "Add <abbrtitle="Security Assertion Markup Language">SAML</abbr> SP" and name it as you want (example : 'NextCloud')
</p>
<p>
...
...
@@ -204,7 +204,7 @@ In the new subtree 'NextCloud', open 'Metadata' and paste th
</p>
<p>
Now go in “Exported attributes” and add, at least, the 'uid'
Now go in "Exported attributes" and add, at least, the 'uid'
Symfony provides many methods conventions to authenticate users (basic, ldap,...) and to load external user sources (ldap, database). The method presented here relies on the “remote_user” method. (in security firewall)
Symfony provides many methods conventions to authenticate users (basic, ldap,...) and to load external user sources (ldap, database). The method presented here relies on the "remote_user" method. (in security firewall)
</p>
</div>
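Review bot: besides the quote swap, the Symfony sentence "provides many methods conventions to authenticate users" needs "methods" or "conventions", not both, and "(in security firewall)" reads better folded into the sentence: "relies on the `remote_user` method of the security firewall".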
...
...
@@ -83,7 +83,7 @@ Symfony provides many methods conventions to authenticate users (basic, ldap,...
<divclass="level2">
<p>
Follow these step to protect your application using the “REMOTE_USER” HTTP header.
Follow these step to protect your application using the "REMOTE_USER" HTTP header.
</p>
<p>
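Review bot: the changed line keeps the typo "Follow these step"; since the line is being rewritten anyway, make it "Follow these steps".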
...
...
@@ -113,7 +113,7 @@ Follow these step to protect your application using the “REMOTE_USER” HTTP h
</li>
<liclass="level1"><divclass="li"> providers : define the user providers (even virtual)</div>
</li>
<liclass="level1"><divclass="li"> remote_user : define the authentication method to “assume the user is already authenticated and get an http variable to know his username”</div>
<liclass="level1"><divclass="li"> remote_user : define the authentication method to "assume the user is already authenticated and get an http variable to know his username"</div>
</li>
<liclass="level1"><divclass="li"> user : define the HTTP header containing the username</div>
</li>
...
...
@@ -122,7 +122,7 @@ Follow these step to protect your application using the “REMOTE_USER” HTTP h
</ul>
<p>
2. Define a “header user” class
2. Define a "header user" class
</p>
<p>
...
...
@@ -194,7 +194,7 @@ Create the file src/AppBundle/Security/User/HeaderUser.php :
<spanclass="sy1">?></span></pre>
<p>
3. Define a “header user provider” class relying on the previous class
3. Define a "header user provider" class relying on the previous class
<liclass="level1"><divclass="li"><strong>roleSeparator</strong> (optional): role values separator.</div>
</li>
<liclass="level1"><divclass="li"><strong>allows</strong> (optional): Define allowed remote <abbrtitle="Internet Protocol">IP</abbr> (use “,” separator for multiple <abbrtitle="Internet Protocol">IP</abbr>). Just set the <abbrtitle="LemonLDAP::NG">LL::NG</abbr> Handler <abbrtitle="Internet Protocol">IP</abbr> on this attribute in order to add more security. If this attribute is missed all hosts are allowed.</div>
<liclass="level1"><divclass="li"><strong>allows</strong> (optional): Define allowed remote <abbrtitle="Internet Protocol">IP</abbr> (use "," separator for multiple <abbrtitle="Internet Protocol">IP</abbr>). Just set the <abbrtitle="LemonLDAP::NG">LL::NG</abbr> Handler <abbrtitle="Internet Protocol">IP</abbr> on this attribute in order to add more security. If this attribute is missed all hosts are allowed.</div>
</li>
<liclass="level1"><divclass="li"><strong>passThrough</strong> (optional): Allow anonymous access or not. When it takes “false”, HTTP headers have to be sent by <abbrtitle="LemonLDAP::NG">LL::NG</abbr> to make authentication. So, if the user is not recognized or HTTP headers not present, a 403 error is sent.</div>
<liclass="level1"><divclass="li"><strong>passThrough</strong> (optional): Allow anonymous access or not. When it takes "false", HTTP headers have to be sent by <abbrtitle="LemonLDAP::NG">LL::NG</abbr> to make authentication. So, if the user is not recognized or HTTP headers not present, a 403 error is sent.</div>
</li>
</ul>
<divclass="notetip">For debugging, this valve can print some helpful information in debug level. See <ahref="http://tomcat.apache.org/tomcat-5.5-doc/logging.html"class="urlextern"title="http://tomcat.apache.org/tomcat-5.5-doc/logging.html"rel="nofollow">how configure logging in Tomcat</a> .
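Review bot: the security consequence of the `allows` and `passThrough` defaults deserves to be spelled out in this hunk rather than left at "If this attribute is missed all hosts are allowed": with `allows` omitted, any client that can reach Tomcat directly can send the same HTTP headers the LL::NG Handler sends and be logged in as that user, so the docs should say "if this attribute is omitted, all hosts are allowed; always set it to the Handler IP(s) in production". Same for `passThrough`: "false" is the safe value, and the text should say what happens when it is true (requests without the headers fall through unauthenticated).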
...
...
@@ -158,7 +158,7 @@ Required :
<p>
Configure your tomcat home in <code>build.properties</code> files.
</p>
<divclass="noteimportant">Be careful for Windows user, path must contains “/”. Example:
<divclass="noteimportant">Be careful for Windows user, path must contains "/". Example:
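Review bot: the rewritten line still has "Be careful for Windows user, path must contains"; suggest "Windows users: the path must use "/" as separator" while the line is being touched.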
@@ -110,10 +110,10 @@ LemonLDAP::NG implements partially the policy:
</li>
<liclass="level1"><divclass="li"> when computed virtual attribute 'msDS-User-Account-Control-Computed' as 6th flag set to 8, the password is considered expired. (support from Windows Server 2003) It is too late for the user to do anything. He must contact his administrator.</div>
</li>
<liclass="level1"><divclass="li"> a warning before password expiration is possible in AD, but only in GPO (Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration) However it as no reality in LDAP referential. A “password warning time before password expiration” variable can be specified in LemonLDAP::NG to do so.</div>
<liclass="level1"><divclass="li"> a warning before password expiration is possible in AD, but only in GPO (Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration) However it as no reality in LDAP referential. A "password warning time before password expiration" variable can be specified in LemonLDAP::NG to do so.</div>
</li>
</ul>
<divclass="noteimportant">Note: since AD 2012, each user can have a specific password expiration policy. Then, the “maximum password age” can have different values. This is currently unsupported in LemonLDAP::NG because every policy must be computed with their precedence to know which maximum password age to apply.
<divclass="noteimportant">Note: since AD 2012, each user can have a specific password expiration policy. Then, the "maximum password age" can have different values. This is currently unsupported in LemonLDAP::NG because every policy must be computed with their precedence to know which maximum password age to apply.
</div>
<p>
To configure warning before password expiration, you must set two variables in Active Directory parameters in Manager:
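Review bot: two grammar slips survive in this hunk's lines: "However it as no reality in LDAP referential" should be "it has no counterpart in the LDAP directory", and the preceding context item "as 6th flag set to 8" should be "has". The substantive statement is fine: the GPO warning setting is client-side only, so the LL::NG "password warning time before password expiration" variable is the only way to warn users through the portal.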
@@ -306,9 +306,9 @@ List of columns to query to fill user session. See also <a href="exportedvars.ht
</li>
<liclass="level1"><divclass="li"><strong>Supported non-salted schemes</strong>: List of whitespace separated hash schemes. Every hash scheme MUST match a non-salted hash function in the database. LemonLDAP::NG relies on this hashing function for computing user password hashes. These hashes MUST NOT be salted (no random data used in conjunction with the password).</div>
</li>
<liclass="level1"><divclass="li"><strong>Supported salted schemes</strong>: List of whitespace separated salted hash schemes, of the form “<strong>s</strong>scheme”, where scheme MUST match a non-salted hash function in the database. LemonLDAP::NG relies on this hashing function for computing user password hashes. Salted and non-salted scheme lists are not necessarily equivalent. (for example: non-salted=“sha256” and salted=“ssha ssha512” is valid)</div>
<liclass="level1"><divclass="li"><strong>Supported salted schemes</strong>: List of whitespace separated salted hash schemes, of the form "<strong>s</strong>scheme", where scheme MUST match a non-salted hash function in the database. LemonLDAP::NG relies on this hashing function for computing user password hashes. Salted and non-salted scheme lists are not necessarily equivalent. (for example: non-salted="sha256" and salted="ssha ssha512" is valid)</div>
</li>
<liclass="level1"><divclass="li"><strong>Dynamic hash scheme for new passwords</strong>: LemonLDAP::NG is able to store new passwords in the database (while modifying or reinitializing the password). You can choose a salted or non salted dynamic hashed password. The value must be an element of “Supported non-salted schemes” or “Supported salted schemes”.</div>
<liclass="level1"><divclass="li"><strong>Dynamic hash scheme for new passwords</strong>: LemonLDAP::NG is able to store new passwords in the database (while modifying or reinitializing the password). You can choose a salted or non salted dynamic hashed password. The value must be an element of "Supported non-salted schemes" or "Supported salted schemes".</div>
</li>
</ul>
<divclass="noteimportant">The SQL function MUST have hexadecimal values as input AND output
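Review bot: the "Dynamic hash scheme for new passwords" item says a salted or non-salted scheme can be chosen but gives no guidance; since the non-salted list is documented as plain, unsalted database hash functions, the docs should recommend picking a value from "Supported salted schemes" for new passwords and keeping non-salted schemes only for verifying legacy rows. The hexadecimal input/output requirement in the noteimportant is the kind of thing that silently breaks verification, so it would be worth stating which SQL functions were tested.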
@@ -100,7 +100,7 @@ Then, go in <code>Facebook parameters</code>:
If you use Facebook as user database, declare values in exported variables:
</p>
<ul>
<liclass="level1"><divclass="li"> use any key name you want. If you want to refuse access when a data is missing, just add a “!” before the key name</div>
<liclass="level1"><divclass="li"> use any key name you want. If you want to refuse access when a data is missing, just add a "!" before the key name</div>
</li>
<liclass="level1"><divclass="li"> in the value field, set the field name. You can show them using <ahref="https://developers.facebook.com/tools/explorer"class="urlextern"title="https://developers.facebook.com/tools/explorer"rel="nofollow">Facebook Graph API explorer</a> and have a list of supported fields in the <ahref="https://developers.facebook.com/docs/graph-api/reference/user/"class="urlextern"title="https://developers.facebook.com/docs/graph-api/reference/user/"rel="nofollow">Graph API User reference</a>. For example:</div>
@@ -170,7 +170,7 @@ This key must be stored directly in lemonldap-ng.ini:
<divclass="level3">
<p>
When using this module, <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return “401 Authentication required”, but this is not the Apache behaviour: if the auth module fails, Apache returns 401.
When using this module, <abbrtitle="LemonLDAP::NG">LL::NG</abbr> portal will be called only if Apache does not return "401 Authentication required", but this is not the Apache behaviour: if the auth module fails, Apache returns 401.
</p>
<p>
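Review bot: the quoted status "401 Authentication required" is not an HTTP reason phrase; Apache returns `401 Unauthorized` (with a `WWW-Authenticate` header), so the line should read 'does not return "401 Unauthorized"'. The behavioural point, that the portal is only reached when the Apache auth module does not itself answer 401, is correct as written.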
...
...
@@ -183,7 +183,7 @@ To bypass this, follow the documentation of <a href="authapache.html" class="wik
<divclass="level3">
<p>
To chain SSL, you have to set “SSLRequire optional” in Apache configuration, else users will be authenticated by SSL only.
To chain SSL, you have to set "SSLRequire optional" in Apache configuration, else users will be authenticated by SSL only.
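Review bot: `SSLRequire optional` is not valid Apache configuration: `SSLRequire` takes a boolean expression, and the directive that makes client-certificate presentation optional is `SSLVerifyClient optional`, which is also the directive the SSL warning later in this patch refers to ("SSLVerifyClient, which must have the value require"). The line should be 'set "SSLVerifyClient optional" in Apache configuration'.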
@@ -199,7 +199,7 @@ After registration, the OP must give you a client ID and a client secret, that w
<divclass="level3">
<p>
In the Manager, select node <code>OpenID Connect Providers</code> and click on <code>Add OpenID Connect Provider</code>. Give a technical name (no spaces, no special characters), like “sample-op”;
In the Manager, select node <code>OpenID Connect Providers</code> and click on <code>Add OpenID Connect Provider</code>. Give a technical name (no spaces, no special characters), like "sample-op";
@@ -120,7 +120,7 @@ You can skip JWKS data, they are not provided by France Connect. The security re
</p>
<p>
Go in <code>Exported attributes</code> to choose which attributes from “identité pivot” you want to collect. See <ahref="https://doc.integ01.dev-franceconnect.fr/identite-pivot"class="urlextern"title="https://doc.integ01.dev-franceconnect.fr/identite-pivot"rel="nofollow">https://doc.integ01.dev-franceconnect.fr/identite-pivot</a>
Go in <code>Exported attributes</code> to choose which attributes from "identité pivot" you want to collect. See <ahref="https://doc.integ01.dev-franceconnect.fr/identite-pivot"class="urlextern"title="https://doc.integ01.dev-franceconnect.fr/identite-pivot"rel="nofollow">https://doc.integ01.dev-franceconnect.fr/identite-pivot</a>
@@ -173,7 +173,7 @@ You must register IDP metadata here. You can do it either by uploading the file,
For each attribute, you can set:
</p>
<ul>
<liclass="level1"><divclass="li"><strong>Key name</strong>: name of the key in LemonLDAP::NG session (for example “uid” will then be used as $uid in access rules)</div>
<liclass="level1"><divclass="li"><strong>Key name</strong>: name of the key in LemonLDAP::NG session (for example "uid" will then be used as $uid in access rules)</div>
</li>
<liclass="level1"><divclass="li"><strong>Mandatory</strong>: if set to On, then session will not open if this attribute is not given by IDP.</div>
<liclass="level1"><divclass="li"> Authentication: will check user login in a header and create session without prompting any credentials (but will register client <abbrtitle="Internet Protocol">IP</abbr> and creation date)</div>
</li>
<liclass="level1"><divclass="li"> Users: collect data transferred in HTTP headers by the “master”.</div>
<liclass="level1"><divclass="li"> Users: collect data transferred in HTTP headers by the "master".</div>
<divclass="notewarning">It is incompatible with authentication chaining (see Stack Multiple backends), because of Apache parameter “SSLVerifyClient”, which must have the value “require”
<divclass="notewarning">It is incompatible with authentication chaining (see Stack Multiple backends), because of Apache parameter "SSLVerifyClient", which must have the value "require"
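Review bot: the "Authentication: will check user login in a header and create session without prompting any credentials" item needs a trust boundary stated next to it: the header must only be honoured when it comes from the "master" and must be stripped from any request that did not, otherwise a client can log in as any user by setting the header itself. The SSL warning in the same hunk is consistent with the rest of the patch (`SSLVerifyClient require` for the non-chained case), but "It is incompatible" would be clearer as "Certificate authentication is incompatible".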