Commit 82878a34 authored by Clément OUDOT

Update documentation

parent 0b4172f4
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:aws</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,aws"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="aws.html"/>
<link rel="contents" href="aws.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:aws","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="amazon_web_services">Amazon Web Services</h1>
<div class="level1">
<p>
<a href="https://aws.amazon.com" class="urlextern" title="https://aws.amazon.com" rel="nofollow">Amazon Web Services</a> allows to delegate authentication through SAML2.
</p>
</div>
<!-- EDIT1 SECTION "Amazon Web Services" [1-132] -->
<h2 class="sectionedit2" id="saml">SAML</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Make sure you have followed the steps <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" class="urlextern" title="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html" rel="nofollow">here</a>.</div>
</li>
<li class="level1"><div class="li"> Go to <a href="https://your.portal.com/saml/metadata" class="urlextern" title="https://your.portal.com/saml/metadata" rel="nofollow">https://your.portal.com/saml/metadata</a> and save the resulting file locally.</div>
</li>
<li class="level1"><div class="li"> In each AWS account, go to IAM → Identity providers → Create Provider.</div>
</li>
<li class="level1"><div class="li"> Select <code><abbr title="Security Assertion Markup Language">SAML</abbr></code> as the provider type</div>
</li>
<li class="level1"><div class="li"> Choose a name (best if kept consistent between accounts), and then choose the metadata file you saved above.</div>
</li>
<li class="level1"><div class="li"> Looking again at the links on the left side of the page, go to Roles → Create role</div>
</li>
<li class="level1"><div class="li"> Choose <code><abbr title="Security Assertion Markup Language">SAML</abbr> / Saml 2.0 federation</code></div>
</li>
<li class="level1"><div class="li"> Select the provider you just configured, click <code>Allow programmatic and AWSManagement Console access</code> which will fill in the rest of the form for you, then click next.</div>
</li>
<li class="level1"><div class="li"> Set whatever permissions you need to and then click <code>Review</code>.</div>
</li>
<li class="level1"><div class="li"> Choose a name for the role. These will shown to people when they log in, so make them descriptive. We have different accounts for different regions of the world, so I put the region into the role name so people know which account is which.</div>
</li>
</ul>
<div class="noteclassic">If you have only one role, the configuration is simple. If you have multiple
roles for different people, it is a little trickier. As you will see, the <abbr title="Security Assertion Markup Language">SAML</abbr>
attributes are not dynamic, so you have to set them in the session when a user
logs in or use a custom function. In this example, I wanted to avoid managing
custom functions on all the servers, so the <abbr title="Security Assertion Markup Language">SAML</abbr> attributes are set in
the session. We also use LDAP for user information, so I will describe that.
In our LDAP tree, each user has attributes which are used quite heavily for
dynamic groups and authorisation. You will want something
similar, using whatever attribute makes sense to you. For example:<pre class="code file ldif"> <span class="re0">dn</span>:<span class="re1"> uid=user,ou=people,dc=your,dc=com</span>
...
<span class="re0">ou</span>:<span class="re1"> sysadmin</span>
<span class="re0">ou</span>:<span class="re1"> database</span>
<span class="re0">ou</span>:<span class="re1"> root</span></pre>
</div><ul>
<li class="level1"><div class="li"> Assuming you use the web interface to manage lemonldap, go to General Parameters → Authentication parameters → LDAP parameters → Exported variables. Here set the key to the LDAP attribute and the value to something sensible. I keep them the same to make it easy.</div>
</li>
<li class="level1"><div class="li"> Now go to *Variables → Macros*. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provier-name</code>. The last two will be the provider name and role names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code><code>$ou =~ sysadmin ? “arn:aws…” : “arn:…”</code></div>
</li>
<li class="level1"><div class="li"> If it easier, split multiple roles into different macros. Then tie all the variables you define together into one string concatenating them with whatever is in General Parameters → Advanced Parameters → Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code><code>join(“; ”, $role_name1, $role_name2, …)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
<li class="level1"><div class="li"> Enter a name, click ok, then select it on the left. Select <code>Metadata</code>, then enter `<a href="https://signin.aws.amazon.com/static/saml-metadata.xml" class="urlextern" title="https://signin.aws.amazon.com/static/saml-metadata.xml" rel="nofollow">https://signin.aws.amazon.com/static/saml-metadata.xml</a>` in the <code><abbr title="Uniform Resource Locator">URL</abbr></code> field, then click load.</div>
</li>
<li class="level1"><div class="li"> Click <code>Exported attributes</code> on the left, then <code>Add attribute</code> twice to add two attributes. The first field is the name of a variable set in the user&#039;s session:</div>
<ul>
<li class="level2"><div class="li"> <code>_whatToTrace</code><code><a href="https://aws.amazon.com/SAML/Attributes/RoleSessionName" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/RoleSessionName" rel="nofollow">https://aws.amazon.com/SAML/Attributes/RoleSessionName</a></code> (leave the rest)</div>
</li>
<li class="level2"><div class="li"> <code>z_aws_roles</code> (the macro name you defined above) → <code><a href="https://aws.amazon.com/SAML/Attributes/Role" class="urlextern" title="https://aws.amazon.com/SAML/Attributes/Role" rel="nofollow">https://aws.amazon.com/SAML/Attributes/Role</a></code> (leave the rest)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> On the left, select Options → Security → Enable use of IDP initiated <abbr title="Uniform Resource Locator">URL</abbr> → On</div>
</li>
<li class="level1"><div class="li"> Select General Parameters → Portal → Menu → Categories and applications</div>
</li>
<li class="level1"><div class="li"> Select a category or create a new one if you need to. Then click <code>New application</code>. </div>
</li>
<li class="level1"><div class="li"> Enter a name etc. For the <abbr title="Uniform Resource Locator">URL</abbr>, use <code><a href="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" class="urlextern" title="https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices" rel="nofollow">https://your.portal.com/saml/singleSignOn?IDPInitiated=1&amp;sp=urn:amazon:webservices</a></code></div>
</li>
<li class="level1"><div class="li"> Display application should be set to <code>Enabled</code></div>
</li>
<li class="level1"><div class="li"> Go to your portal, click on the link, and check that it works!</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "SAML" [133-] --></div>
</body>
</html>
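Review bot: the macro example `aws_eu_role` → `$ou =~ sysadmin ? “arn:aws…” : “arn:…”` is not valid Perl as written: the right-hand side of `=~` must be a regex and the strings use curly quotes, so anyone pasting it into the Manager gets a compile error. The LDIF above also shows `ou` as multi-valued, and the text itself says multi-valued data is joined with the configured Separator, so the test should match inside the joined string, for example `$ou =~ /\bsysadmin\b/ ? "arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name" : ""` (placeholders as used elsewhere on the page). The same curly quotes appear in `join(“; ”, $role_name1, $role_name2, …)`, and "macros are defined alphanumerically" should say that macros are evaluated in alphanumeric order, which is the reason the final one needs a name sorting last. Two caveats are worth a sentence in the body: AWS only accepts a RoleSessionName of 2 to 64 characters matching `[\w+=,.@-]`, so the `_whatToTrace` value must fit that (a uid or mail does, a display name with spaces does not); and a user whose `ou` matches none of the macro branches sends an empty Role attribute, which AWS rejects with an invalid SAML response error rather than a clean access denial, so the empty branch should be documented. Typos: "provier-name", "These will shown", "If it easier"; the metadata URL in the "Add SAML SP" step is wrapped in markdown backticks inside HTML; and in the shared head template the Bootstrap `<link>` under `//elsif:useexternallibs` is closed with a stray `</script>`, while the jQuery and jQuery UI CDN entries in the same branch use plain `http://`, which is not what a security product's documentation should ship even in a disabled template branch.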
......@@ -50,10 +50,10 @@
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#installation">Installation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<li class="level1"><div class="li"><a href="#http_headers">HTTP headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#dokuwiki_local_configuration">Dokuwiki local configuration</a></div></li>
<li class="level2"><div class="li"><a href="#plugin_installation">Plugin installation</a></div></li>
<li class="level2"><div class="li"><a href="#dokuwiki_configuration">Dokuwiki configuration</a></div></li>
<li class="level2"><div class="li"><a href="#dokuwiki_virtual_host">Dokuwiki virtual host</a></div></li>
<li class="level2"><div class="li"><a href="#dokuwiki_virtual_host_in_manager">Dokuwiki virtual host in Manager</a></div></li>
</ul></li>
......@@ -79,46 +79,52 @@
</p>
<div class="notetip">LemonLDAP::NG wiki uses Dokuwiki!
</div>
<p>
You will need to install a Dokuwiki plugin, available on <a href="../download.html#contributions" class="wikilink1" title="download">download page</a>. The plugin will check the <code>REMOTE_USER</code> environment variable to get the connected user.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [65-750] -->
<h2 class="sectionedit3" id="installation">Installation</h2>
<!-- EDIT2 SECTION "Presentation" [65-559] -->
<h2 class="sectionedit3" id="http_headers">HTTP headers</h2>
<div class="level2">
<p>
<a href="../download.html#contributions" class="wikilink1" title="download">Download</a> the plugin and copy the files in dokuwiki <code>inc/auth/</code> directory:
You need to install a Dokuwiki plugin, available on <a href="https://www.dokuwiki.org/plugins" class="urlextern" title="https://www.dokuwiki.org/plugins" rel="nofollow">Dokuwiki plugins registry</a>: <a href="https://www.dokuwiki.org/plugin:authlemonldap" class="urlextern" title="https://www.dokuwiki.org/plugin:authlemonldap" rel="nofollow">https://www.dokuwiki.org/plugin:authlemonldap</a>
</p>
<pre class="code">cp lemonldap.class.php inc/auth/
cp lemonldapuserdatabackend.class.php inc/auth/</pre>
</div>
<!-- EDIT3 SECTION "Installation" [751-977] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<!-- EDIT3 SECTION "HTTP headers" [560-748] -->
<h3 class="sectionedit4" id="plugin_installation">Plugin installation</h3>
<div class="level3">
<p>
Install the plugin using the <a href="https://www.dokuwiki.org/plugin:plugin" class="urlextern" title="https://www.dokuwiki.org/plugin:plugin" rel="nofollow">Plugin Manager</a>.
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [978-1004] -->
<h3 class="sectionedit5" id="dokuwiki_local_configuration">Dokuwiki local configuration</h3>
<!-- EDIT4 SECTION "Plugin installation" [749-868] -->
<h3 class="sectionedit5" id="dokuwiki_configuration">Dokuwiki configuration</h3>
<div class="level3">
<p>
Edit Dokuwiki local configuration (<code>conf/local.php</code>) and set <code>lemonldap</code> as authentication type:
As administrator, go in Dokuwiki parameters and set:
</p>
<ul>
<li class="level1"><div class="li"> Authentication backend: authlemonldap</div>
</li>
<li class="level1"><div class="li"> Manager: set which users and/or groups will be admin</div>
</li>
</ul>
<p>
<a href="screenshot_dokuwiki_configuration.png_documentation_2.0_applications_dokuwiki.html" class="media" title="applications:screenshot_dokuwiki_configuration.png"><img src="screenshot_dokuwiki_configuration.png" class="mediacenter" alt="" /></a>
</p>
<pre class="code file php"><span class="re0">$conf</span><span class="br0">&#91;</span>authtype<span class="br0">&#93;</span> <span class="sy0">=</span> lemonldap<span class="sy0">;</span></pre>
</div>
<!-- EDIT5 SECTION "Dokuwiki local configuration" [1005-1194] -->
<!-- EDIT5 SECTION "Dokuwiki configuration" [869-1114] -->
<h3 class="sectionedit6" id="dokuwiki_virtual_host">Dokuwiki virtual host</h3>
<div class="level3">
<p>
Configure Dokuwiki virtual host like other <a href="../configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">protected virtual host</a>.
</p>
<div class="noteimportant">If you are protecting Dokuwiki with <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, <a href="../header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">convert header into REMOTE_USER environment variable</a>.
</div><ul>
<ul>
<li class="level1"><div class="li"> For Apache:</div>
</li>
</ul>
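Review bot: the configuration step now reads "As administrator, go in Dokuwiki parameters and set: Authentication backend: authlemonldap", which replaces the old `conf/local.php` edit entirely. Keep a one-line file equivalent for installations that are provisioned from configuration management rather than the admin UI, i.e. `$conf['authtype'] = 'authlemonldap';` in `conf/local.php` (with the quotes the old `$conf[authtype] = lemonldap;` line lacked), and for the "Manager" setting say in what form the plugin expects user and group names, since the headers section of this same page sends groups base64-encoded.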
......@@ -170,7 +176,7 @@ Configure Dokuwiki virtual host like other <a href="../configvhost.html" class="
}</pre>
</div>
<!-- EDIT6 SECTION "Dokuwiki virtual host" [1195-2630] -->
<!-- EDIT6 SECTION "Dokuwiki virtual host" [1115-2376] -->
<h3 class="sectionedit7" id="dokuwiki_virtual_host_in_manager">Dokuwiki virtual host in Manager</h3>
<div class="level3">
......@@ -179,14 +185,25 @@ Go to the Manager and <a href="../configvhost.html#lemonldapng_configuration" cl
</p>
<p>
Just configure the <a href="../writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">access rules</a>.
Configure the <a href="../writingrulesand_headers.html#rules" class="wikilink1" title="documentation:2.0:writingrulesand_headers">access rules</a>.
</p>
<p>
If using <abbr title="LemonLDAP::NG">LL::NG</abbr> as reverse proxy, configure the <code>Auth-User</code> <a href="../writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">header</a>, else no headers are needed.
Configure the <a href="../writingrulesand_headers.html#headers" class="wikilink1" title="documentation:2.0:writingrulesand_headers">headers</a>:
</p>
<ul>
<li class="level1"><div class="li"> Auth-User $uid</div>
</li>
<li class="level1"><div class="li"> Auth-Cn: $cn</div>
</li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&#039;&#039;)</div>
</li>
</ul>
<div class="noteimportant">To allow execution of encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
</div>
</div>
<!-- EDIT7 SECTION "Dokuwiki virtual host in Manager" [2631-] --></div>
<!-- EDIT7 SECTION "Dokuwiki virtual host in Manager" [2377-] --></div>
</body>
</html>
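Review bot: the header list ends with `Auth-Groups: encode_base64($groups,'')` and the note tells the reader to deactivate the Safe jail to make it work. That is a global switch: once the jail is off, every rule, macro and header expression editable in the Manager runs as unrestricted Perl on the handler, not just this one call, so the cost should be stated next to the note rather than presented as a routine step. Check whether this version's extended functions already provide encode_base64 inside the jail; if so, link that page instead of turning the jail off for one Dokuwiki header. Minor: `Auth-User $uid` is missing the colon the other three entries have.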
......@@ -43,6 +43,22 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#http_header">HTTP header</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level2"><div class="li"><a href="#grr_virtual_host_in_llng">GRR virtual host in LL::NG</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="grr">GRR</h1>
<div class="level1">
......@@ -62,14 +78,64 @@
</div>
<!-- EDIT2 SECTION "Presentation" [62-150] -->
<h3 class="sectionedit3" id="configuration">Configuration</h3>
<h2 class="sectionedit3" id="http_header">HTTP header</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "HTTP header" [151-175] -->
<h3 class="sectionedit4" id="configuration">Configuration</h3>
<div class="level3">
<p>
GRR has a <abbr title="Single Sign On">SSO</abbr> configuration page in its administration panel. You just need to choose if the authenticated user will be a “user” or a “guest”.
GRR has a <abbr title="Single Sign On">SSO</abbr> configuration page in its administration panel.
</p>
<p>
Do not use Lemonldap mode, which is for a very old Lemonldap version, but HTTP authentication.
</p>
<p>
Set the default profile of connected users and which headers contains surname, firstname and mail.
</p>
<p>
<img src="screenshot_grr_configuration.png" class="mediacenter" alt="" />
</p>
<p>
GRR will check the username in REMOTE_USER, so use <a href="../header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">remote header conversion</a> if you are in proxy mode.
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [176-660] -->
<h3 class="sectionedit5" id="grr_virtual_host_in_llng">GRR virtual host in LL::NG</h3>
<div class="level3">
<p>
Access rules:
</p>
<ul>
<li class="level1"><div class="li"> ^/index.php ⇒ accept</div>
</li>
<li class="level1"><div class="li"> default ⇒ unprotect</div>
</li>
</ul>
<p>
Headers:
</p>
<ul>
<li class="level1"><div class="li"> Auth-User $uid</div>
</li>
<li class="level1"><div class="li"> Auth-Sn: $sn</div>
</li>
<li class="level1"><div class="li"> Auth-GivenName: $givenName</div>
</li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Configuration" [151-] --></div>
<!-- EDIT5 SECTION "GRR virtual host in LL::NG" [661-] --></div>
</body>
</html>
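Review bot: the access rules protect only `^/index.php ⇒ accept` and leave `default ⇒ unprotect`, while GRR takes the login from REMOTE_USER, which here comes from the Auth-User header. The page should say why index.php alone is sufficient for GRR and make explicit that on the unprotected paths the handler still controls the Auth-User, Auth-Sn, Auth-GivenName and Auth-Mail headers (any copy sent by the client must be dropped); without that sentence a reader who changes the default to `skip` or adds a second unprotected location creates an unauthenticated header-injection path straight into the GRR login. Minor: `Auth-User $uid` lacks the colon used by the other three headers, and "which headers contains surname, firstname and mail" should read "which headers contain".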
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=fa0cc1a85fc0d1baf3a61bfee1cba736" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=df00727bb453bdfe152489fdb4e33ed5" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
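Review bot: this hunk only rewrites `sectok=` in the login link, and the companion hunk below only bumps the `indexer.php?...&1516959167` timestamp; the identical pair repeats for loader.gif. Both values come from the export session (sectok is DokuWiki's per-session CSRF token), so every regeneration churns these files and the committed HTML carries a token that was valid for the exporting session. Strip the login link and the indexer beacon from the export template, or keep these generated pages out of the commit.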
......@@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1508842909" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1516959167" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=fa0cc1a85fc0d1baf3a61bfee1cba736" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=df00727bb453bdfe152489fdb4e33ed5" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1508842909" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1516959167" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -50,7 +50,7 @@
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<li class="level1"><div class="li"><a href="#http_headers">HTTP Headers</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#limesurvey_configuration">LimeSurvey configuration</a></div></li>
<li class="level2"><div class="li"><a href="#limesurvey_virtual_host">LimeSurvey virtual host</a></div></li>
......@@ -78,123 +78,78 @@
<div class="level2">
<p>
<a href="http://www.limesurvey.org" class="urlextern" title="http://www.limesurvey.org" rel="nofollow">LimeSurvey</a> is a web survey software written in PHP. LimeSurvey has a webserver authentication mode that allows one to integrate it directly into LemonLDAP::NG.
<a href="http://www.limesurvey.org" class="urlextern" title="http://www.limesurvey.org" rel="nofollow">LimeSurvey</a> is a web survey software written in PHP.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [71-180] -->
<h2 class="sectionedit3" id="http_headers">HTTP Headers</h2>
<div class="level2">
<p>
To have a stronger integration, we will configure LimeSurvey to autocreate unknown users and use HTTP headers to fill name, mail and roles. For example, we will use 3 roles:
LimeSurvey has a webserver authentication mode that allows one to integrate it directly into LemonLDAP::NG.
</p>
<ul>
<li class="level1"><div class="li"> User: can answer to surveys</div>
</li>
<li class="level1"><div class="li"> Admin: can create surveys</div>
</li>
<li class="level1"><div class="li"> Superadmin: no one can stop him!</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [71-561] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
<p>
To have a stronger integration, we will configure LimeSurvey to autocreate unknown users and use HTTP headers to fill name and mail.
</p>
<div class="noteclassic">We suppose that LimeSurvey is installed in /var/www/html/limesurvey
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [562-670] -->
<!-- EDIT3 SECTION "HTTP Headers" [181-531] -->
<h3 class="sectionedit4" id="limesurvey_configuration">LimeSurvey configuration</h3>
<div class="level3">
<p>
The configuration is done in config.php:
In Administration panel, go in Configuration &gt; Parameters &gt; Extensions manager. Select the WebServer module and configure it.
</p>
<p>
<img src="screenshot_limesurvey_configuration.png" class="mediacenter" title="
" alt="
" />
</p>
<pre class="code">vi /var/www/html/limesurvey/config.php</pre>
<pre class="code file php"><span class="co1">//==================================</span>
<span class="co1">// WebSSO</span>
<span class="co1">//==================================</span>
&nbsp;
<span class="re0">$useWebserverAuth</span> <span class="sy0">=</span> <span class="kw4">true</span><span class="sy0">;</span>
<span class="re0">$WebserverAuth_autocreateUser</span> <span class="sy0">=</span> <span class="kw4">true</span><span class="sy0">;</span>
<span class="re0">$WebserverAuth_autouserprofile</span> <span class="sy0">=</span> <a href="http://www.php.net/array"><span class="kw3">Array</span></a><span class="br0">&#40;</span>
<span class="st_h">'full_name'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_CN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'email'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_MAIL'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'lang'</span> <span class="sy0">=&gt;</span> <span class="st_h">'en'</span><span class="sy0">,</span>
<span class="st_h">'htmleditormode'</span> <span class="sy0">=&gt;</span> <span class="st_h">'inline'</span><span class="sy0">,</span>
<span class="st_h">'templatelist'</span> <span class="sy0">=&gt;</span> <span class="st_h">'default,basic,MyOrgTemplate'</span><span class="sy0">,</span>
<span class="st_h">'create_survey'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_ADMIN'</span><span class="br0">&#93;</span> <span class="sy0">||</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'create_user'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'delete_user'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'superadmin'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'configurator'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'manage_template'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span><span class="sy0">,</span>
<span class="st_h">'manage_label'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_SUPERADMIN'</span><span class="br0">&#93;</span>
<span class="br0">&#41;</span><span class="sy0">;</span></pre>
<div class="notetip">We directly use HTTP headers to fill default user profile.
<p>
This is enough for the authentication part.
</p>
<div class="notetip">If you are blocked, you can deactivate the plugin with this request in database:
<pre class="code">update lime_plugins SET active=0 where name=&quot;Authwebserver&quot;;</pre>
</div>
<p>
To configure account autocreation, you need to edit application/config/config.php:
The configuration is done in config.php:
</p>
<pre class="code">vi /var/www/html/limesurvey/application/config/config.php</pre>
<pre class="code file php"> <span class="st_h">'config'</span><span class="sy0">=&gt;</span><a href="http://www.php.net/array"><span class="kw3">array</span></a><span class="br0">&#40;</span>
<span class="co1">// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this</span>
<span class="co1">// then please check your error-logs - either in your hosting provider admin panel or in some /logs directory</span>
<span class="co1">// on your webspace.</span>
<span class="co1">// LimeSurvey developers: Set this to 2 to additionally display STRICT PHP error messages and get full access to standard templates</span>
<span class="st_h">'debug'</span><span class="sy0">=&gt;</span><span class="nu0">0</span><span class="sy0">,</span>
<span class="st_h">'debugsql'</span><span class="sy0">=&gt;</span><span class="nu0">0</span><span class="sy0">,</span> <span class="co1">// Set this to 1 to enanble sql logging, only active when debug = 2</span>
<span class="co1">// Update default LimeSurvey config here</span>
<span class="st_h">'auth_webserver_autocreate_user'</span> <span class="sy0">=&gt;</span> <span class="kw4">true</span><span class="sy0">,</span>
<span class="st_h">'auth_webserver_autocreate_profile'</span> <span class="sy0">=&gt;</span> <a href="http://www.php.net/array"><span class="kw3">Array</span></a><span class="br0">&#40;</span><span class="st_h">'full_name'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_CN'</span><span class="br0">&#93;</span><span class="sy0">,</span><span class="st_h">'email'</span> <span class="sy0">=&gt;</span> <span class="re0">$_SERVER</span><span class="br0">&#91;</span><span class="st_h">'HTTP_AUTH_MAIL'</span><span class="br0">&#93;</span><span class="sy0">,</span><span class="st_h">'lang'</span><span class="sy0">=&gt;</span><span class="st_h">'en'</span><span class="br0">&#41;</span><span class="sy0">,</span>
<span class="st_h">'auth_webserver_autocreate_permissions'</span> <span class="sy0">=&gt;</span> <a href="http://www.php.net/array"><span class="kw3">Array</span></a><span class="br0">&#40;</span><span class="st_h">'surveys'</span> <span class="sy0">=&gt;</span> <a href="http://www.php.net/array"><span class="kw3">array</span></a><span class="br0">&#40;</span><span class="st_h">'create'</span><span class="sy0">=&gt;</span><span class="kw4">true</span><span class="sy0">,</span><span class="st_h">'read'</span><span class="sy0">=&gt;</span><span class="kw4">false</span><span class="sy0">,</span><span class="st_h">'update'</span><span class="sy0">=&gt;</span><span class="kw4">false</span><span class="sy0">,</span><span class="st_h">'delete'</span><span class="sy0">=&gt;</span><span class="kw4">false</span><span class="br0">&#41;</span><span class="br0">&#41;</span><span class="sy0">,</span>
<span class="br0">&#41;</span></pre>
<p>
See also <a href="https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import" class="urlextern" title="https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import" rel="nofollow">https://manual.limesurvey.org/Optional_settings#Authentication_delegation_with_automatic_user_import</a>
</p>
</div>
<!-- EDIT4 SECTION "LimeSurvey configuration" [671-1676] -->
<!-- EDIT4 SECTION "LimeSurvey configuration" [532-2298] -->
<h3 class="sectionedit5" id="limesurvey_virtual_host">LimeSurvey virtual host</h3>
<div class="level3">
<p>
Configure LimeSurvey virtual host like other <a href="../configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">protected virtual host</a>.
</p>
<ul>
<li class="level1"><div class="li"> For Apache:</div>
</li>
</ul>
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> limesurvey.example.com
&nbsp;
PerlHeaderParserHandler Lemonldap::NG::Handler
&nbsp;
<span class="kw1">SetEnvIfNoCase</span> Auth-<span class="kw1">User</span> <span class="st0">&quot;(.*)&quot;</span> PHP_AUTH_USER=$1
&nbsp;
<span class="kw1">Alias</span> /limesurvey /var/www/html/limesurvey
<span class="kw1">DocumentRoot</span> /var/www/html/limesurvey
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
<div class="noteimportant">You need to set the PHP_AUTH_USER variable to have the Webserver authentication mode working.
</div><ul>
<li class="level1"><div class="li"> For Nginx:</div>
</li>
</ul>
<pre class="code file nginx">server {
listen 80;
server_name limesurvey.example.com;
root /path/to/application;
# Internal authentication request
location = /lmauth {
internal;
include /etc/nginx/fastcgi_params;
fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
# Drop post datas
fastcgi_pass_request_body off;
fastcgi_param CONTENT_LENGTH &quot;&quot;;
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
&nbsp;
# Client requests
location / {
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
&nbsp;
...
&nbsp;
include /etc/lemonldap-ng/nginx-lua-headers.conf;
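Review bot: `SetEnvIfNoCase Auth-User "(.*)" PHP_AUTH_USER=$1` turns whatever arrives in the Auth-User header into the login LimeSurvey's Authwebserver plugin trusts, which is only safe while the handler runs on every request to this vhost and overwrites that header. State that no `unprotect` or `skip` rule may cover LimeSurvey paths, and finish the Nginx block, which stops at `include /etc/lemonldap-ng/nginx-lua-headers.conf;` without showing how PHP_AUTH_USER is populated on that side. In the config.php example, `'full_name' => $_SERVER['HTTP_AUTH_CN']` and `'email' => $_SERVER['HTTP_AUTH_MAIL']` have no fallback, so an autocreated user without those headers triggers a PHP notice and an empty profile; guard them with isset. Since the Auth-Admin/Auth-Superadmin role headers of the old configuration are gone, `auth_webserver_autocreate_permissions` now gives every autocreated user `surveys create`, which the text should say outright. Smaller: the Nginx `root /path/to/application;` contradicts the note that LimeSurvey lives in /var/www/html/limesurvey, the comment "LLNG server will received /llauth" should read "will receive", and the "HTTP Headers" heading is capitalised differently from the "HTTP headers" sections on the other application pages in this commit.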