@@ -117,7 +117,7 @@ Then you just have to set REST <abbr title="Uniform Resource Locator">URL</abbr>
<divclass="level2">
<p>
REST web services just have to respond with a “result” key in a JSON file. Auth/UserDB can add a “info” array to will be copied is session data (without reading “Exported variables”).
REST web services just have to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”).
<!-- EDIT7 TABLE [824-1345] --><divclass="notetip">To have only one call, you can set only REST authentication, set datas in “info” key response and set Null as User Database.
<!-- EDIT7 TABLE [827-1348] --><divclass="notetip">To have just one call, you can only set REST authentication, set datas in “info” key response and set Null as User Database.
<ahref="https://metacpan.org/release/Plack"class="urlextern"title="https://metacpan.org/release/Plack"rel="nofollow">Plack</a> is a powerful engine that powers many very fast <ahref="http://plackperl.org/#servers"class="urlextern"title="http://plackperl.org/#servers"rel="nofollow">servers</a>. LLNG uses some Plack libraries to run as FastCGI server. It can so easily be launched on these servers. See also <ahref="psgi.html"class="wikilink1"title="documentation:2.0:psgi">Advanced PSGI usage</a> if you want to replace LLNG FastCGI server.
<ahref="https://metacpan.org/release/Plack"class="urlextern"title="https://metacpan.org/release/Plack"rel="nofollow">Plack</a> is a powerful engine that powers many very fast <ahref="http://plackperl.org/#servers"class="urlextern"title="http://plackperl.org/#servers"rel="nofollow">servers</a>. LLNG uses some Plack libraries to run as FastCGI server. So, It can be easily run on these servers. See also <ahref="psgi.html"class="wikilink1"title="documentation:2.0:psgi">Advanced PSGI usage</a> if you want to replace LLNG FastCGI server.
</p>
</div>
<!-- EDIT1 SECTION "Deploy LemonLDAP::NG on a Plack server" [1-377] -->
<!-- EDIT1 SECTION "Deploy LemonLDAP::NG on a Plack server" [1-373] -->
The goal of this handler is to read vhost configuration from the website itself and not in LLNG configuration. Rules and headers are set in a <strong>rules.json</strong> file available at the root of the website (ie <ahref="http://website/rules.json"class="urlextern"title="http://website/rules.json"rel="nofollow">http://website/rules.json</a>). This file looks like:
This handler is designed to read vhost configuration from the website itself not from LL:NG configuration. Rules and headers are set in a <strong>rules.json</strong> file stored at the website root directory (ie <code>http://website/rules.json</code>). This file looks like:
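Review bot: in the rewritten tip, "you can only set REST authentication" changes the meaning of the old "you can set only REST authentication": the new wording reads as a restriction on what can be set, whereas the intent is to configure REST as the sole authentication module. Suggest "set only REST authentication, put the data in the "info" key of the response and choose Null as User Database" (and "datas" should be "data"). Two smaller points in the same hunk: "So, It can be easily run" should be "So it can easily run", and "LL:NG" in the DevOps paragraph is missing a colon, since the rest of the page writes "LL::NG"; that sentence also needs a comma ("from the website itself, not from") and "ie" should be "i.e.".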
@@ -64,16 +64,16 @@ The goal of this handler is to read vhost configuration from the website itself
</dd></dl>
<p>
If this file is not found, a default rule is applied (accept) and 1 header is sent (Auth-User ⇒ $uid)
If this file is not found, the default rule “accept” is applied and just “Auth-User” header is sent (Auth-User ⇒ $uid).
</p>
<p>
There is nothing to configure to use it except that:
No specific configuration is required except that:
</p>
<ul>
<liclass="level1"><divclass="li"> you have to choose this handler <em>(directly using VHOSTTYPE environment variable [see below] or using manager if your websites are declared)</em></div>
<liclass="level1"><divclass="li"> you have to choose this specific handler <em>(directly by using <code>VHOSTTYPE</code> environment variable)</em></div>
</li>
<liclass="level1"><divclass="li"> you can set the loopback <abbrtitle="Uniform Resource Locator">URL</abbr> needed by the DevOps handler to get /rules.json. Default to <ahref="http://127.0.0.1"class="urlextern"title="http://127.0.0.1"rel="nofollow">http://127.0.0.1</a>:<server-port></div>
<liclass="level1"><divclass="li"> you can set the loopback <abbrtitle="Uniform Resource Locator">URL</abbr> needed by the DevOps handler to get <code>/rules.json</code> or use <code>RULES_<abbrtitle="Uniform Resource Locator">URL</abbr></code> parameter to set JSON file path <em>(see <ahref="ssoaas.html"class="wikilink1"title="documentation:2.0:ssoaas">SSO as a Service</a>)</em>. Default to <code>http://127.0.0.1:<server-port></code></div>
</li>
</ul>
<divclass="noteimportant">Note that DevOps handler will refuse to compile rules.json if <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe Jail</a> isn't enabled.
LemonLDAP::NG is designed to be very performant. In particular, it use Apache2 threads capabilities so to optimize performances, prefer using <ahref="http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#compiletime"class="urlextern"title="http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#compiletime"rel="nofollow">mpm-worker</a>.
LemonLDAP::NG is designed to be very performant. Indeed, it uses Apache2 threads capabilities. So to increase performances, prefer using <ahref="http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#compiletime"class="urlextern"title="http://httpd.apache.org/docs/2.2/misc/perf-tuning.html#compiletime"rel="nofollow">mpm-worker</a>.
On Linux, by default, there is no <abbrtitle="Domain Name System">DNS</abbr> cache and LemonLDAP::NG portal request <abbrtitle="Domain Name System">DNS</abbr> at every connexions on LDAP or DB. Under heavy loads, that can generated hundred of <abbrtitle="Domain Name System">DNS</abbr> queries and many errors on LDAP connexions (timed out) from IO::Socket.
By default, Linux does not use <abbrtitle="Domain Name System">DNS</abbr> cache and LemonLDAP::NG portal request <abbrtitle="Domain Name System">DNS</abbr> for each connexions on LDAP or DB. Under heavy loads, that can generated hundred of <abbrtitle="Domain Name System">DNS</abbr> queries and many errors on LDAP connexions (timed out) from IO::Socket.
For Nginx, you can use another auth server instead of llng-fastcgi-server. See: <ahref="highperfnginxhandler.html"class="wikilink1"title="documentation:2.0:highperfnginxhandler">High performance handler for Nginx</a>.
For Nginx, you can use another auth server instead of llng-fastcgi-server. See: <ahref="psgi.html"class="wikilink1"title="documentation:2.0:psgi">Advanced PSGI usage</a>.
</p>
<p>
To increase handler performance, you can disable “Sessions activity timeout” To prevent it from writing to the session database.
To increase handler performance, you can disable “Sessions activity timeout” to prevent it from writing to the session database.
</p>
<p>
Handlers check rights and calculate headers for each HTTP hit. So to improve performances, avoid too complex rules by using the macro or the groups or local macros.
Handlers check rights and calculate headers for each HTTP hit. So to improve performances, avoid too complex rules by using macros, groups or local macros.
</div><divclass="noteimportant">Macros and groups are computed in alphanumeric order, that is, in the order they are displayed in the manager. For example, macro “macro1” will be computed before macro “macro2”: so, expression of macro2 may involve value of macro1. As same for groups: a group rule may involve another, previously computed group.
</div>
</div>
<!-- EDIT4 SECTION "Macros and groups" [1129-3223] -->
<!-- EDIT4 SECTION "Macros and groups" [1081-3175] -->
The portal is the biggest component of Lemonldap::NG. Since version 2.0, it is run under FastCGI and rewritten using plugins, so performance is increased in comparison to earlier versions. You just have to disable unused plugins:
The portal is the biggest component of Lemonldap::NG. Since version 2.0, portal runs under FastCGI and has been rewritten using plugins, so performance is increased in comparison to earlier versions. You just have to disable unused plugins:
<ahref="https://metacpan.org/module/Apache::Session::Browseable"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable"rel="nofollow">Apache::Session::Browseable</a> is a wrapper for other Apache::Session modules that add the capability to manage indexes. Prefer versions ≥ 1.2.5 to have better performances in DB cleaning. To use it (with PostgreSQL for example), choose “Apache::Session::Browseable::Postgres” as “Apache::Session module” and use the following parameters:
<ahref="https://metacpan.org/module/Apache::Session::Browseable"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable"rel="nofollow">Apache::Session::Browseable</a> is a wrapper for other Apache::Session modules that add the capability to manage indexes. Prefer versions ≥ 1.2.5 for better performances in DB cleaning. To use it (with PostgreSQL for example), choose “Apache::Session::Browseable::Postgres” as “Apache::Session module” and use the following parameters:
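Review bot: the DNS cache paragraph was rewritten but keeps the errors that made it hard to read: "portal request DNS for each connexions" should be "portal requests DNS for each connection", and "that can generated hundred of DNS queries" should be "that can generate hundreds of DNS queries". Likewise "performances" should be "performance" in the mpm-worker and portal sentences. Separately, the rewritten DevOps list item drops the second way of selecting the handler that the old line offered ("or using manager if your websites are declared"); if selecting it from the manager is still supported, keep that alternative, otherwise say it is gone. In the RULES_URL item, the abbr element is nested inside the code element, which puts markup inside an environment variable name; write RULES_URL plainly inside the code element, and change "Default to" to "Defaults to".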
@@ -284,10 +284,10 @@ Look at <a href="browseablesessionbackend.html" class="wikilink1" title="documen
<h4id="performance_test">Performance test</h4>
<divclass="level4">
<divclass="notetip">A <ahref="https://metacpan.org/module/Apache::Session::Browseable::Redis"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::Redis"rel="nofollow">Apache::Session::Browseable::Redis</a> has been created, it is the faster (except for session explorer, defeated by Apache::Session::Browseable::<ahref="https://metacpan.org/module/Apache::Session::Browseable"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable"rel="nofollow">DBI</a>/<ahref="https://metacpan.org/module/Apache::Session::Browseable::LDAP"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::LDAP"rel="nofollow">LDAP</a>])
<divclass="notetip">A <ahref="https://metacpan.org/module/Apache::Session::Browseable::Redis"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::Redis"rel="nofollow">Apache::Session::Browseable::Redis</a> has been created, it is the fastest (except for session explorer, defeated by Apache::Session::Browseable::<ahref="https://metacpan.org/module/Apache::Session::Browseable"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable"rel="nofollow">DBI</a>/<ahref="https://metacpan.org/module/Apache::Session::Browseable::LDAP"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::LDAP"rel="nofollow">LDAP</a>])
</div>
<p>
This test isn't a “only-backend” test but embed some LLNG methods, so real differences between engines are mitigate here.
This test isn't an “only-backend” test but embedded some LLNG methods, so real differences between engines are mitigate here.
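Review bot: the rewritten sentence now mixes tenses ("isn't ... but embedded some LLNG methods") and still ends with "are mitigate here"; suggest "This test isn't an "only-backend" test but embeds some LLNG methods, so the real differences between engines are mitigated here." In the tip just above, the closing "]" after "DBI/LDAP" has no matching opening bracket; drop it so the parenthesis reads "(... DBI/LDAP)".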
@@ -338,7 +338,7 @@ This test isn't a “only-backend” test but embed some LLNG methods, so r
<tdclass="col0 centeralign"colspan="8"><em>The source of this test is available in sources: e2e-tests/sbperf.pl</em></td>
</tr>
</table></div>
<!-- EDIT9 TABLE [7676-9579] --><ul>
<!-- EDIT9 TABLE [7640-9543] --><ul>
<liclass="level1"><divclass="li"><em><strong>(1) :</strong> “purge” test is done with Apache::Session::Browseable-1.2.5 and LLG-2.0. Earlier results are not so good.</em></div>
</li>
<liclass="level1"><divclass="li"><em><strong>(2) :</strong> “purge” test is done with Apache::Session::Browseable-1.2.6 and LLG-2.0.</em></div>
Therefore, LLNG services can be provided by compatible external servers.
</p>
<divclass="notetip">FastCGI or uWSGI server(s) can be installed on separate hosts. Also you can imagine a global cloud-FastCGI/uWSGI-service for all your Nginx servers. See <ahref="ssoaas.html"class="wikilink1"title="documentation:2.0:ssoaas">SSO as a service (SSOaaS)</a> for more.
<divclass="notetip">FastCGI or uWSGI server(s) can be installed on separate hosts. Also you can imagine a global cloud-FastCGI/uWSGI-service for all your Nginx servers. See more at <ahref="ssoaas.html"class="wikilink1"title="documentation:2.0:ssoaas">SSO as a service (SSOaaS)</a>.
</div>
</div>
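Review bot: the footnote line changes its marker from "(1)" to "(2)" and the Browseable version from 1.2.5 to 1.2.6, but only the footnote is in this hunk; confirm that the table cell carrying the marker was updated to match, otherwise the note dangles. "LLG-2.0" appears in both the old and the new line and is presumably "LLNG-2.0", which is how the product is abbreviated everywhere else on the page.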
...
...
@@ -191,7 +191,7 @@ Therefore, LLNG services can be provided by compatible external servers.
<divclass="level4">
<p>
By default, LLNG provides a Plack based FastCGI server able to afford all LLNG services using <ahref="https://metacpan.org/pod/Plack::Handler::FCGI"class="urlextern"title="https://metacpan.org/pod/Plack::Handler::FCGI"rel="nofollow">FCGI</a> engine<strong>(default)</strong>.
By default, LLNG provides a Plack based FastCGI server able to afford all LLNG services using <ahref="https://metacpan.org/pod/Plack::Handler::FCGI"class="urlextern"title="https://metacpan.org/pod/Plack::Handler::FCGI"rel="nofollow">FCGI</a> engine.
</p>
<p>
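Review bot: removing the stray "(default)" glued to "engine" is right, but "able to afford all LLNG services" remains in the rewritten line; "afford" is a false friend here, suggest "able to serve all LLNG services".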
...
...
@@ -211,7 +211,7 @@ However, you can use some other FastCGI server engines:
<liclass="level1"><divclass="li"><ahref="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler#nginx-authorization-server"class="urlextern"title="https://github.com/LemonLDAPNG/node-lemonldap-ng-handler#nginx-authorization-server"rel="nofollow">LLNG FastCGI server for Node.js</a>(*)</div>
</li>
</ul>
<divclass="notewarning">(*) LLNG Node.js handler can be used only as Nginx `auth_request` server, not to serve Portal or Manager
<divclass="notewarning">(*) LLNG Node.js handler can only be used as Nginx `auth_request` server, not to serve Portal or Manager
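Review bot: the backticks around auth_request in this warning are Markdown, not HTML, so they will render literally in the page; the rest of this documentation marks identifiers with a code element (as for VHOSTTYPE and RULES_URL earlier in the patch), so mark auth_request the same way. The wording change itself ("can only be used as") reads fine.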
@@ -57,7 +57,7 @@ The portal is the main component of <abbr title="LemonLDAP::NG">LL::NG</abbr>. I
<ul>
<liclass="level3"><divclass="li"> using own database (<ahref="authldap.html"class="wikilink1"title="documentation:2.0:authldap">LDAP</a>, <ahref="authdbi.html"class="wikilink1"title="documentation:2.0:authdbi">SQL</a>, …)</div>
</li>
<liclass="level3"><divclass="li"> using Apache authentication system (used for <ahref="authssl.html"class="wikilink1"title="documentation:2.0:authssl">SSL</a>, <ahref="authapache.html"class="wikilink1"title="documentation:2.0:authapache">Kerberos</a>, <ahref="authapache.html"class="wikilink1"title="documentation:2.0:authapache">HTTP basic authentication</a>, …)</div>
<liclass="level3"><divclass="li"> using web server authentication system (used for <ahref="authssl.html"class="wikilink1"title="documentation:2.0:authssl">SSL</a>, <ahref="authapache.html"class="wikilink1"title="documentation:2.0:authapache">Kerberos</a>, <ahref="authapache.html"class="wikilink1"title="documentation:2.0:authapache">HTTP basic authentication</a>, …)</div>
</li>
<liclass="level3"><divclass="li"> using external identity provider (<ahref="authsaml.html"class="wikilink1"title="documentation:2.0:authsaml">SAML</a>, <ahref="authopenid.html"class="wikilink1"title="documentation:2.0:authopenid">OpenID</a>, <ahref="authcas.html"class="wikilink1"title="documentation:2.0:authcas">CAS</a>, <ahref="authtwitter.html"class="wikilink1"title="documentation:2.0:authtwitter">Twitter</a>, other <abbrtitle="LemonLDAP::NG">LL::NG</abbr> system, …)</div>
</li>
...
...
@@ -102,7 +102,7 @@ The portal is the main component of <abbr title="LemonLDAP::NG">LL::NG</abbr>. I
@@ -130,13 +130,13 @@ The portal is the main component of <abbr title="LemonLDAP::NG">LL::NG</abbr>. I
</li>
<liclass="level1"><divclass="li"> Check if user is already authenticated</div>
<ul>
<liclass="level2"><divclass="li"> If not authenticated (or authentication is forced) try to find it (userDB module) and to authenticate it (auth module), create session, calculate groups and macros and store them. In 1.3, <abbrtitle="LemonLDAP::NG">LL::NG</abbr> have a captcha feature which is used in this case.</div>
<liclass="level2"><divclass="li"> If not authenticated (or authentication is forced) try to find it (userDB module) and to authenticate it (auth module), create session, ask for second factor if required, calculate groups and macros and store them. In 1.3, <abbrtitle="LemonLDAP::NG">LL::NG</abbr> has got a captcha feature which is used in this case.</div>
</li>
</ul>
</li>
<liclass="level1"><divclass="li"> Modify password if asked</div>
<liclass="level1"><divclass="li"> Modify password if asked (password module)</div>
</li>
<liclass="level1"><divclass="li"> Provides identity if asked</div>
<liclass="level1"><divclass="li"> Provides identity if asked (IdP module)</div>
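Review bot: "has got a captcha feature" trades the old agreement error ("have") for an informal construction; "has a captcha feature" is enough. While this list is being touched, "Provides identity if asked (IdP module)" should be "Provide identity if asked" to match the imperative "Check" and "Modify" items, and "In 1.3" reads as if it applied to that version only; if the captcha has been available since 1.3, "Since 1.3" is clearer.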
@@ -146,6 +146,6 @@ The portal is the main component of <abbr title="LemonLDAP::NG">LL::NG</abbr>. I
<divclass="noteclassic">See also <ahref="documentation/presentation.html#kinematics"class="wikilink1"title="documentation:presentation">general kinematics presentation</a>.
@@ -103,10 +103,10 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-
<!-- EDIT2 SECTION "Web Server" [48-610] -->
<h2class="sectionedit3"id="perl">Perl</h2>
<divclass="level2">
<divclass="noteclassic">Here is the list of Perl modules used in LemonLDAP::NG. Core modules must be installed on the system. Other modules must be installed only if you planned to use the related feature.
<divclass="noteclassic">Here the list of Perl modules used in LemonLDAP::NG. Core modules must be installed on the system. Other modules must be installed only if you planned to use the related feature.
</div>
</div>
<!-- EDIT3 SECTION "Perl" [611-824] -->
<!-- EDIT3 SECTION "Perl" [611-821] -->
<h3class="sectionedit4"id="core">Core</h3>
<divclass="level3">
<ul>
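Review bot: the rewrite of the Perl note drops the verb: "Here the list of Perl modules" should stay "Here is the list of Perl modules". In the same sentence, "if you planned to use the related feature" should be "if you plan to use the related feature".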
...
...
@@ -181,7 +181,7 @@ For Apache2, you can use all workers mpm-worker, mpm-prefork and mpm-event. Mpm-