<divclass="notetip">You can prefix the key name with a digit to order them. The digit will not be shown on portal page. Underscore characters are also replaced by spaces.
</div><divclass="notetip">You can also override some LLNG parameters for each chain. See <ahref="parameterlist.html"class="wikilink1"title="documentation:2.0:parameterlist">Parameter list</a> to have the key names to use
You just have to define class names of your custom modules in “Custom module names”. You can also add your custom parameters in “Additional parameters”. Be careful to use names not already used elsewhere in configuration. This parameters are available in your plugins using <code>$self→conf→{<em>customName</em>}</code>.
In Manager, go in <code>General Parameters</code>><code>Authentication modules</code> and choose 'Custom module'.
</p>
<p>
Then, you just have to define class names of your custom modules in “Custom module names”. Custom parameters can be set in “Additional parameters”. Full path must be specify.
</p>
<p>
You can define your own customAuth module icon. Icon must be in site/htdocs/static/common/modules/icon.png
</p>
<divclass="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm
</div><divclass="noteclassic">Be careful. Don' t use an already attributed name in configuration.
</div>
<p>
These parameters are available in your plugins using <code>$self→conf→{<em>customName</em>}</code>.
</p>
<p>
See portal manpages to see how to write these plugins.
Read portal manpages to see how to write these plugins.
<divclass="notetip">Connection settings can be configured differently for authentication process and user process. This allows one to use different databases for these process. By default, if user process connection settings are empty, authentication process connection settings will be used.
...
...
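Review bot: several typos survive in the custom-module paragraphs of this region and should be fixed together with the 'See'/'Read portal manpages' rewording: 'Full path must be specify' should read 'The full path must be specified', 'This parameters are available' should read 'These parameters are available', and 'Don' t use an already attributed name' has a stray space ('Don't'). The Manager path `General Parameters`>`Authentication modules` should use the » separator that the other Manager paths on this page use, and the first paragraph ('You just have to define class names of your custom modules ...') repeats both the 'Then, you just have to define ...' paragraph and the `$self→conf→{customName}` sentence that follow it, so one copy should be dropped. In the connection-settings tip, 'different databases for these process' should be 'processes'.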
@@ -277,7 +277,7 @@ List of columns to query to fill user session. See also <a href="exportedvars.ht
</ul>
</div>
<!-- EDIT13 SECTION "Connection" [2526-3044] -->
<!-- EDIT13 SECTION "Connection" [2534-3052] -->
<h3class="sectionedit14"id="schema1">Schema</h3>
<divclass="level3">
<ul>
...
...
@@ -296,7 +296,7 @@ List of columns to query to fill user session. See also <a href="exportedvars.ht
@@ -117,7 +117,7 @@ Then you just have to set REST <abbr title="Uniform Resource Locator">URL</abbr>
<divclass="level2">
<p>
REST web services just have to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”).
REST web services have just to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”).
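Review bot: the rewording 'REST web services have just to respond with a “result” key' reads less naturally than the line it replaces ('just have to respond'); suggest keeping the original word order, or 'REST web services only have to respond with a “result” key in a JSON document'. Is '(without reading “Exported variables”)' meant to say that the “info” values are stored as-is, without going through the “Exported variables” mapping? If so, say that explicitly, since readers will otherwise wonder which attributes end up in the session.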
@@ -223,7 +223,7 @@ For example, to preselect this IDP for users coming from 129.168.0.0/16 network
</li>
<liclass="level1"><divclass="li"><strong>Allow login from IDP</strong>: allow a user to connect directly from an IDP link. In this case, authentication is not a response to an issued authentication request, and we have less control on conditions.</div>
</li>
<liclass="level1"><divclass="li"><strong>Requested authentication context</strong>: this context is declared in authentication request. When receiving the request, the real authentication context will be mapped ton an internal authentication level (see <ahref="samlservice.html#authentication_contexts"class="wikilink1"title="documentation:2.0:samlservice">how configure the mapping</a>), that you can check to allow or deny session creation.</div>
<liclass="level1"><divclass="li"><strong>Requested authentication context</strong>: this context is declared in authentication request. When receiving the request, the real authentication context will be mapped to an internal authentication level (see <ahref="samlservice.html#authentication_contexts"class="wikilink1"title="documentation:2.0:samlservice">how configure the mapping</a>), that you can check to allow or deny session creation.</div>
</li>
<liclass="level1"><divclass="li"><strong>Allow <abbrtitle="Uniform Resource Locator">URL</abbr> as RelayState</strong>: Set to On if the RelayState value sent by IDP is the <abbrtitle="Uniform Resource Locator">URL</abbr> where the user must be redirected after authentication.</div>
</li>
...
...
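Review bot: the 'ton' → 'to' fix in the 'Requested authentication context' item is correct, but the same sentence still reads 'declared in authentication request' (missing 'the') and 'see how configure the mapping' (missing 'to'); since the line is being touched anyway, fix both: 'this context is declared in the authentication request ... (see how to configure the mapping)'. In the 'Allow login from IDP' item, 'we have less control on conditions' would be clearer as 'we have less control over the conditions', which also makes the trade-off of accepting logins that do not answer an authentication request issued by this SP more visible to the administrator.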
@@ -240,6 +240,8 @@ For example, to preselect this IDP for users coming from 129.168.0.0/16 network
</li>
<liclass="level1"><divclass="li"><strong>Store <abbrtitle="Security Assertion Markup Language">SAML</abbr> Token</strong>: allows one to keep <abbrtitle="Security Assertion Markup Language">SAML</abbr> token (assertion) inside user session. Don't enable it unless you need to replay this token on an application.</div>
</li>
<liclass="level1"><divclass="li"><strong>Attribute containing user identifier</strong>: set the value of <abbrtitle="Security Assertion Markup Language">SAML</abbr> attribute (“Name”) that should be used as user main identifier ($user). If empty, the NameID content is used.</div>
Auto-Signin add-on provides a simple way to bypass authentication based on rules. For example, a TV can be automatically authenticated by its <abbrtitle="Internet Protocol">IP</abbr> address.
Auto-Signin add-on provides an easy way to bypass authentication process based on rules. For example, a TV can be automatically authenticated by its <abbrtitle="Internet Protocol">IP</abbr> address.
This add-on is automatically enabled if a rule is declared. A rule links username to a rule. The only usable variable here is <code>$env</code>. Example:
This add-on is automatically enabled if a rule is declared. A rule links rule to a username. The only usable variable here is <code>$env</code>. Example:
Browseable session backend (<ahref="http://search.cpan.org/perldoc?Apache::Session::Browseable"class="urlextern"title="http://search.cpan.org/perldoc?Apache::Session::Browseable"rel="nofollow">Apache::Session::Browseable</a>) works exactly like Apache::Session::* corresponding module but add index that increase <ahref="documentation/features.html#session_explorer"class="wikilink1"title="documentation:features">session explorer</a> and <ahref="documentation/features.html#session_restrictions"class="wikilink1"title="documentation:features">session restrictions</a> performances.
Browseable session backend (<ahref="https://metacpan.org/pod/Apache::Session::Browseable"class="urlextern"title="https://metacpan.org/pod/Apache::Session::Browseable"rel="nofollow">Apache::Session::Browseable</a>) works exactly like Apache::Session::* corresponding module but add index that increase <ahref="documentation/features.html#session_explorer"class="wikilink1"title="documentation:features">session explorer</a> and <ahref="documentation/features.html#session_restrictions"class="wikilink1"title="documentation:features">session restrictions</a> performances.
</p>
<p>
...
...
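Review bot: the Auto-Signin rewording inverts the relationship without clarifying it: the old line says 'A rule links username to a rule', the new one 'A rule links rule to a username', and both are circular. State it once unambiguously, e.g. 'Each entry maps a username to a rule' if the username is the key, and make sure the 'Example:' that follows matches the wording kept. The Browseable paragraph's link update to metacpan.org is welcome, but the sentence still says 'add index that increase ... performances'; suggest 'adds indexes that improve session explorer and session restrictions performance'. The warning in the 'Store SAML Token' item ('Don't enable it unless you need to replay this token on an application') is the right default and should stay as is.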
@@ -104,7 +104,7 @@ The following table list fields to index depending on the feature you want to in
@@ -177,12 +178,12 @@ Database must be prepared exactly like in <a href="sqlsessionbackend.html#prepar
<divclass="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don't need to declare indexes in <code>CREATE TABLE</code> since “json” and “hstore” type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
Go in the Manager and set the session module (<ahref="http://search.cpan.org/perldoc?Apache::Session::Browseable::MySQL"class="urlextern"title="http://search.cpan.org/perldoc?Apache::Session::Browseable::MySQL"rel="nofollow">Apache::Session::Browseable::MySQL</a> for MySQL) in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> and add the following parameters (case sensitive):
Go in the Manager and set the session module (<ahref="https://metacpan.org/pod/Apache::Session::Browseable::MySQL"class="urlextern"title="https://metacpan.org/pod/Apache::Session::Browseable::MySQL"rel="nofollow">Apache::Session::Browseable::MySQL</a> for MySQL) in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> and add the following parameters (case sensitive):
bruteForceProtection plugin prevents brute force attack. Plugin DISABLED by default.
</p>
<p>
After three failed login attempts, user must wait (30 seconds by default) before try to log in again.
</p>
<p>
The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds.
Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Security</code> » <code>Brute-force attack protection</code> and set to <code>On</code>.
</p>
<p>
To modify waiting time (30 seconds by default) before reAuthentication and MaxAge between current and last stored failed login (300 seconds by default) edit <code>lemonldap-ng.ini</code> in section [portal]:
<h2class="sectionedit10"id="categories_and_applications_in_menu">Categories and applications in menu</h2>
<divclass="level2">
<p>
Create the category “applications”:
```
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/applications type category applicationList/applications catname Applications
```
</p>
<p>
Create the application “sample” inside category “applications”:
```
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/icons/kmultiple.png” applicationList/applications/sample/options name “Sample application” applicationList/applications/sample/options uri “<ahref="https://sample.example.com/"class="urlextern"title="https://sample.example.com/"rel="nofollow">https://sample.example.com/</a>”
```
</p>
</div>
<!-- EDIT10 SECTION "Categories and applications in menu" [9178-] --></div>
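Review bot: the second lemonldap-ng-cli command in 'Categories and applications in menu' is broken: it opens with a dangling value fragment `applicationList/icons/kmultiple.png”` that has no key in front of it, and every quoted argument uses typographic quotes (“ ”), which a shell passes through literally, so `name “Sample application”` would be split into two separate arguments. Restore the missing key/value pair before the icon (presumably the application's `type application` entry and the `logo` option, mirroring the `type category` form of the first command), use straight double quotes, and keep the uri value as plain text inside the code block rather than a rendered `<a>` link. In the brute-force section, 'prevents brute force attack' should be 'attacks', 'before try to log in again' should be 'before trying to log in again', and 'If it is disabled' reads as though it refers to the attack; 'If the plugin is disabled' is clearer.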
@@ -706,6 +706,10 @@ Then, to protect a standard virtual host, you must insert this (or create an inc
After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in Manager, <code>General Parameters</code>><code>reload configuration URLs</code>: keys are server names or <abbrtitle="Internet Protocol">IP</abbr> the requests will be sent to, and values are the requested URLs.
</p>
<p>
You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
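Review bot: 'it is be default set to 5 seconds' in the reload-timeout paragraph should be 'it is by default set to 5 seconds' (or simply 'defaults to 5 seconds'), and the Manager path `General Parameters`>`reload configuration URLs` should use the » separator that the other Manager paths on this page use. In the preceding sentence, 'keys are server names or IP the requests will be sent to' should read 'keys are the server names or IP addresses the requests will be sent to, and values are the requested URLs'.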