Commit d7d14bf7, authored Apr 15, 2007 by Yadd
LEMONLDAP::NG : branch trunk/build/lemonldap-ng
parent cf4f11b7
Showing 28 changed files with 1861 additions and 0 deletions (+1861, -0)
build/lemonldap-ng/INSTALL  +280 -0
build/lemonldap-ng/Makefile  +153 -0
build/lemonldap-ng/README  +194 -0
build/lemonldap-ng/TODO  +3 -0
build/lemonldap-ng/_example/apache-session-mysql.sql  +5 -0
build/lemonldap-ng/_example/apache.conf  +48 -0
build/lemonldap-ng/_example/apache2.conf  +49 -0
build/lemonldap-ng/_example/conf/lmConf-1  +48 -0
build/lemonldap-ng/_example/for_etc_hosts  +4 -0
build/lemonldap-ng/_example/index.pl  +58 -0
build/lemonldap-ng/_example/lmConfig.mysql  +21 -0
build/lemonldap-ng/changelog  +1 -0
build/lemonldap-ng/debian/README.Debian  +4 -0
build/lemonldap-ng/debian/changelog  +163 -0
build/lemonldap-ng/debian/compat  +1 -0
build/lemonldap-ng/debian/control  +17 -0
build/lemonldap-ng/debian/copyright  +16 -0
build/lemonldap-ng/debian/dirs  +1 -0
build/lemonldap-ng/debian/docs  +0 -0
build/lemonldap-ng/debian/lemonldap-ng.docs  +3 -0
build/lemonldap-ng/debian/postinst  +7 -0
build/lemonldap-ng/debian/rules  +93 -0
build/lemonldap-ng/doc/install.html  +377 -0
build/lemonldap-ng/doc/overview.html  +247 -0
build/lemonldap-ng/lemonldap-ng-handler  +1 -0
build/lemonldap-ng/lemonldap-ng-manager  +1 -0
build/lemonldap-ng/lemonldap-ng-portal  +1 -0
build/lemonldap-ng/scripts/make_static_example.pl  +65 -0
build/lemonldap-ng/INSTALL (new file, mode 0 → 100644)
LEMONLDAP
::
NG
INSTALLATION
Lemonldap
::
NG
is
a
modular
Web
-
SSO
based
on
Apache
::
Session
modules
.
It
simplifies
the
build
of
a
protected
area
with
a
few
changes
in
the
application
.
It
manages
both
authentication
and
authorization
and
provides
headers
for
accounting
.
So
you
can
have
a
full
AAA
protection
.
See
README
file
to
known
how
it
works
.
------------------------
I
-
EXAMPLE
INSTALLATION
------------------------
The
proposed
example
use
a
protected
site
named
test
.
example
.
com
.
Non
authenticated
users
are
redirected
to
auth
.
example
.
com
.
1.1
-
PREREQ
------------
1.1.1
-
Software
To
use
Lemonldap
::
NG
,
you
have
to
run
a
LDAP
server
and
of
course
an
Apache
server
compiled
with
mod
-
perl
(
version
1.3
or
2.
x
).
Generaly
,
the
version
of
Apache
proposed
with
your
Linux
distribution
match
,
but
some
distributions
used
an
experimental
version
of
mod_perl
with
Apache2
(
mod_perl
-
1.99
)
which
does
not
work
with
Lemonldap
::
NG
.
With
such
distributions
(
like
Debian
-
3.1
),
you
have
to
use
Apache
-
1.3
or
to
use
a
mod_perl
backport
(
www
.
backports
.
org
package
for
Debian
works
fine
).
1.1.2
-
Perl
prereq
Perl
modules
:
Apache
::
Session
,
Net
::
LDAP
,
MIME
::
Base64
,
CGI
,
LWP
::
UserAgent
,
Cache
::
Cache
,
DBI
,
XML
::
Simple
,
SOAP
::
Lite
(
only
if
you
want
to
use
SOAP
with
the
manager
)
With
Debian
:
apt
-
get
install
libapache
-
session
-
perl
libnet
-
ldap
-
perl
libcache
-
cache
-
perl
\
libdbi
-
perl
perl
-
modules
libwww
-
perl
libcache
-
cache
-
perl
\
libxml
-
simple
-
perl
#
If
you
want
to
use
SOAP
with
the
manager
:
apt
-
get
install
libsoap
-
lite
-
perl
1.2
-
BUILDING
--------------
1.2.1
-
Complete
install
$
tar
xzf
lemonldap
-
ng
-*.
tar
.
gz
$
cd
lemonldap
-
ng
-*
$
make
&&
make
test
$
sudo
make
install
$
make
example
1.2.2
-
Install
on
Debian
$
tar
xzf
lemonldap
-
ng
-*.
tar
.
gz
$
cd
lemonldap
-
ng
-*
$
debuild
$
sudo
dpkg
-
i
../
lemonldap
-
ng
*.
deb
1.3
-
EXAMPLE
CONFIGURATION
---------------------------
After
build
,
you
have
a
new
file
named
example
/
apache
.
conf
.
You
just
have
to
include
this
file
in
Apache
configuration
:
#
in
httpd
.
conf
(
with
Apache1
)
include
/
path
/
to
/
lemonldap
-
ng
/
source
/
example
/
apache
.
conf
#
or
in
apache2
.
conf
(
with
Apache2
)
include
/
path
/
to
/
lemonldap
-
ng
/
source
/
example
/
apache2
.
conf
Modify
your
/
etc
/
hosts
file
to
include
:
127.0.0.2
auth
.
example
.
com
127.0.0.3
test
.
example
.
com
127.0.0.4
manager
.
example
.
com
Edit
/
path
/
to
/
lemonldap
-
ng
/
source
/
example
/
conf
/
lmConfig
-
1
and
specify
your
LDAP
settings
.
If
you
don
't set managerDn and managerPassword, Lemonldap::NG will
use an anonymous bind to find user dn.
(Debian users: /usr/share/doc/lemonldap-ng/example/conf/lmConfig-1)
WARNINGS:
* only few parameters can be set by hand in the configuration file. You have
to use the manager to change configuration, but since the example is yet
configured, you can edit directly the file
* each new configuration is saved by the manager in a new file (or a new
record with DBI) so you can recover an old configuration by removing
Next, restart Apache use your prefered browser and try to connect to
http://test.example.com/. You'
ll
be
redirect
to
auth
.
example
.
com
.
Try
to
authenticate
yourself
with
a
valid
account
and
the
protected
page
will
appear
.
You
will
find
other
explanations
on
this
page
.
Configuration
can
be
modified
by
connecting
your
browser
to
http
://
manager
.
example
.
com
/
-------------------------
2
-
ADVANCED
INSTALLATION
-------------------------
2.1
-
PREREQ
2.1.1
-
Apache
To
use
Lemonldap
::
NG
,
you
have
to
run
a
LDAP
server
and
of
course
an
Apache
server
compiled
with
mod
-
perl
(
version
1.3
or
2.
x
).
Generaly
,
the
version
of
Apache
proposed
with
your
Linux
distribution
match
,
but
some
distributions
used
an
experimental
version
of
mod_perl
with
Apache2
(
mod_perl
-
1.99
)
which
does
not
work
with
Lemonldap
::
NG
.
With
such
distributions
(
like
Debian
-
3.1
),
you
have
to
use
Apache
-
1.3
or
to
use
a
mod_perl
backport
(
www
.
backports
.
org
package
for
Debian
works
fine
).
For
Apache2
,
you
can
use
both
mpm
-
worker
and
mpm
-
prefork
.
Mpm
-
worker
works
faster
and
Lemonldap
::
NG
use
the
thread
system
for
best
performance
.
If
you
have
to
use
mpm
-
prefork
(
for
example
if
you
use
PHP
),
Lemonldap
::
NG
will
work
anyway
.
You
can
use
Lemonldap
::
NG
in
an
heterogene
world
:
the
authentication
portal
and
the
manager
can
work
in
any
version
of
Apache
1.3
or
more
even
if
mod_perl
is
not
compiled
,
with
ModPerl
::
Registry
or
not
...
Only
the
handler
(
site
protector
)
need
mod_perl
.
The
different
handlers
can
run
on
different
servers
with
different
versions
of
Apache
/
mod_perl
.
2.1.2
-
Perl
prereq
Warning
:
Handler
and
Portal
parts
both
need
Lemonldap
::
NG
::
Manager
components
to
access
to
configuration
.
Manager
:
-------
CGI
,
XML
::
Simple
,
DBI
,
LWP
::
UserAgent
(
and
SOAP
::
Lite
if
you
want
to
use
SOAP
)
With
Debian
:
apt
-
get
install
perl
-
modules
libxml
-
simple
-
perl
libdbi
-
perl
libwww
-
perl
#
If
you
want
to
use
SOAP
apt
-
get
install
libsoap
-
lite
-
perl
Portal
:
------
Apache
::
Session
,
Net
::
LDAP
,
CGI
,
Lemonldap
::
NG
::
Manager
With
Debian
:
apt
-
get
install
libapache
-
session
-
perl
libnet
-
ldap
-
perl
perl
-
modules
Handler
:
-------
Apache
::
Session
,
LWP
::
UserAgent
,
Cache
::
Cache
,
Lemonldap
::
NG
::
Manager
With
Debian
:
apt
-
get
install
libapache
-
session
-
perl
libwww
-
perl
libcache
-
cache
-
perl
2.2
-
SOFTWARE
INSTALLATION
---------------------------
If
you
just
want
to
install
a
handler
or
a
portal
or
a
manager
:
$
tar
xzf
lemonldap
-
ng
-*.
tar
.
gz
$
cd
lemonldap
-
ng
-*/
Lemonldap
-
NG
-(
Portal
|
Handler
|
Manager
)
$
perl
Makefile
.
PL
&&
make
&&
make
test
$
sudo
make
install
else
for
a
complete
install
:
$
tar
xzf
lemonldap
-
ng
-*.
tar
.
gz
$
cd
lemonldap
-
ng
-*
$
make
&&
make
test
$
sudo
make
install
See
prereq
in
§
1.1.2
2.3
-
LEMONLDAP
INSTALLATION
----------------------------
2.3.1
-
Database
configuration
2.3.1.1
-
Lemonldap
::
NG
Configuration
database
If
you
use
DBI
or
another
system
to
share
Lemonldap
::
NG
configuration
,
you
have
to
initialize
the
database
.
An
example
is
given
in
example
/
lmConfig
.
mysql
for
MySQL
.
2.3.1.2
-
Apache
::
Session
database
The
choice
of
Apache
::
Session
::*
module
is
free
.
See
Apache
::
Session
::
Store
::*
or
Apache
::
Session
::*
to
know
how
to
configure
the
module
.
For
example
,
if
you
want
to
use
Apache
::
Session
::
MySQL
,
you
can
create
the
database
like
this
:
CREATE
DATABASE
sessions
(
id
char
(
32
),
a_session
text
);
2.3.2
-
Manager
configuration
Copy
example
/
manager
.
cgi
and
personalize
it
if
you
want
(
see
Lemonldap
::
NG
::
Manager
).
You
have
to
set
in
particular
configStorage
.
For
example
with
MySQL
:
$
my
$
manager
=
Lemonldap
::
NG
::
Manager
->
new
(
{
dbiChain
=>
"DBI:mysql:database=mybase;host=1.2.3.4"
,
dbiUser
=>
"lemonldap-ng"
,
dbiPassword
=>
"mypass"
,
}
);
Securise
Manager
access
with
Apache
:
Lemonldap
does
not
securise
the
manager
itself
yet
:
SSLEngine
On
Order
Deny
,
Allow
Deny
from
all
Allow
from
admin
-
network
/
netmask
AuthType
Basic
...
After
configuration
,
you
can
also
protect
the
manager
with
an
Lemonldap
::
NG
handler
.
2.3.3
-
Configuration
edition
Connect
to
the
manager
with
your
browser
start
configure
your
Web
-
SSO
.
You
have
to
set
at
least
some
parameters
:
a
)
General
parameters
:
*
Authentication
parameters
->
portal
:
URL
to
access
to
the
authentication
portal
*
Domain
:
the
cookie
domain
.
All
protected
VirtualHosts
have
to
be
under
it
*
LDAP
parameters
->
LDAP
Server
*
LDAP
parameters
->
LDAP
Accout
and
password
:
required
only
if
anonymous
binds
are
not
accepted
*
Session
Storage
->
Apache
::
Session
module
:
how
to
store
user
sessions
.
You
can
use
all
module
that
inherit
from
Apache
::
Session
like
Apache
::
Session
::
MySQL
*
Session
Storage
->
Apache
::
Session
Module
parameters
:
see
Apache
::
Session
::<
Choosen
module
>
b
)
User
groups
:
Use
the
"New Group"
button
to
add
your
first
group
.
On
the
left
,
set
the
keyword
which
will
be
used
later
and
set
on
the
right
the
corresponding
rule
:
you
can
use
:
*
an
LDAP
filter
(
it
will
be
tested
with
the
user
uid
)
or
*
a
Perl
condition
enclosed
with
{}.
All
variables
declared
in
"General
parameters -> LDAP attributes"
can
be
used
with
a
"$"
.
For
example
:
MyGroup
/
{
$
uid
eq
"foo"
or
$
uid
eq
"bar"
}
c
)
Virtual
hosts
You
have
to
create
a
virtual
host
for
each
Apache
host
(
virtual
or
real
)
protected
by
Lemonldap
::
NG
even
if
just
a
sub
-
directory
is
protected
.
Else
,
user
who
want
to
access
to
the
protected
area
will
be
rejected
with
a
"500
Internal Server Error"
message
and
the
apache
logs
will
explain
the
problem
.
Each
virtual
host
has
2
groups
of
parameters
:
*
Headers
:
the
headers
added
to
the
apache
request
.
Default
:
Auth
-
User
=>
$
uid
*
Rules
:
subdivised
in
2
categories
:
*
default
:
the
default
rule
*
personalized
rules
:
association
of
a
Perl
regular
expression
and
a
condition
.
For
example
:
^/
restricted
.*$
/
$
groups
=~
/\
bMyGroup
\
b
/
-------------
3
-
DEBUGGING
-------------
Lemonldap
::
NG
uses
simply
the
Apache
log
system
.
So
use
LogLevel
to
choose
information
to
display
.
build/lemonldap-ng/Makefile (new file, mode 0 → 100644)
#!/usr/bin/make
VERSION
=
0.9beta
HANDLERDIR
=
lemonldap-ng-handler
PORTALDIR
=
lemonldap-ng-portal
MANAGERDIR
=
lemonldap-ng-manager
EXAMPLEDIRBUILD
=
`
pwd
`
/example/
EXAMPLEDIR
=
$(EXAMPLEDIRBUILD)
EXAMPLELANG
=
en
all
:
handler manager portal
handler
:
handler_conf
$(MAKE)
-C
${HANDLERDIR}
touch
handler
portal
:
portal_conf
$(MAKE)
-C
${PORTALDIR}
touch
portal
manager
:
manager_conf
$(MAKE)
-C
${MANAGERDIR}
touch
manager
configure
:
handler_conf portal_conf manager_conf
handler_conf
:
cd
${HANDLERDIR}
;
perl Makefile.PL
INSTALLDIRS
=
$(INSTALLDIRS)
touch
handler_conf
portal_conf
:
cd
${PORTALDIR}
;
perl Makefile.PL
INSTALLDIRS
=
$(INSTALLDIRS)
touch
portal_conf
manager_conf
:
cd
${MANAGERDIR}
;
perl Makefile.PL
INSTALLDIRS
=
$(INSTALLDIRS)
touch
manager_conf
test
:
manager_test handler_test portal_test
manager_test
:
manager
$(MAKE)
-C
${MANAGERDIR}
test
handler_test
:
handler
$(MAKE)
-C
${HANDLERDIR}
test
INST_ARCHLIB
=
../
${MANAGERDIR}
/blib/lib/
portal_test
:
portal
$(MAKE)
-C
${PORTALDIR}
test
INST_ARCHLIB
=
../
${MANAGERDIR}
/blib/lib/
install
:
handler_install portal_install manager_install
handler_install
:
handler
$(MAKE)
-C
${HANDLERDIR}
install
touch
handler_install
portal_install
:
portal
$(MAKE)
-C
${PORTALDIR}
install
touch
portal_install
manager_install
:
manager
$(MAKE)
-C
${MANAGERDIR}
install
touch
manager_install
distclean
:
clean
clean
:
handler_clean portal_clean manager_clean
rm
-rf
example
find
.
-name
'*.gz'
-exec
rm
-vf
{}
\;
handler_clean
:
-
$(MAKE)
-C
${HANDLERDIR}
distclean
rm
-vf
handler
*
portal_clean
:
-
$(MAKE)
-C
${PORTALDIR}
distclean
rm
-vf
portal
*
manager_clean
:
-
$(MAKE)
-C
${MANAGERDIR}
distclean
rm
-vf
manager
*
example
:
all
mkdir
-p
example/portal example/manager example/handler example/conf
chmod
1777 example/conf
cp
-a
${HANDLERDIR}
/example/
*
example/handler
cp
-a
${PORTALDIR}
/example/
*
example/portal
cp
-a
${MANAGERDIR}
/example/
*
example/manager
cp
-a
_example/
*
example
find
${EXAMPLEDIRBUILD}
-type
f
-exec
perl
-i
-pe
's#__DIR__/?#'
${EXAMPLEDIR}
'#g'
{}
\;
@
echo
@
echo
"Example is ready."
@
echo
@
echo
"1 - Add this in your Apache configuration file:"
@
echo
" with Apache-1.3.x"
@
echo
@
echo
" include
${EXAMPLEDIR}
apache.conf"
@
echo
@
echo
" or with Apache-2.x:"
@
echo
@
echo
" include
${EXAMPLEDIR}
apache2.conf"
@
echo
@
echo
"2 - Add test.example.com and auth.example.com in yout /etc/hosts :"
@
echo
@
echo
" cat example/for_etc_hosts >> /etc/hosts"
@
echo
@
echo
"3 - edit
${EXAMPLEDIR}
/conf/lmConf-1 and set ldapServer and ldapBase."
@
echo
" or use the manager at http://manager.example.com/ (after apache restart)"
@
echo
@
echo
"4 - Restart Apache (or Apache2)"
@
echo
@
echo
"5 - Try to connect to http://test.example.com/"
uninstall
:
configure handler_uninstall portal_uninstall manager_uninstall
handler_uninstall
:
handler
$(MAKE)
-C
${HANDLERDIR}
uninstall
rm
-vf
handler_uninstall
portal_uninstall
:
portal
$(MAKE)
-C
${PORTALDIR}
uninstall
rm
-vf
portal_uninstall
manager_uninstall
:
manager
$(MAKE)
-C
${MANAGERDIR}
uninstall
rm
-vf
manager_uninstall
dist
:
-
$(MAKE)
clean
mkdir
-p
lemonldap-ng-
$(VERSION)
-
cp
-a
*
lemonldap-ng-
$(VERSION)
rm
-rf
lemonldap-ng-
$(VERSION)
/lemonldap-ng-
$(VERSION)
tar
czf lemonldap-ng-
$(VERSION)
.tar.gz lemonldap-ng-
$(VERSION)
rm
-rf
lemonldap-ng-
$(VERSION)
cpan
:
configure handler_cpan portal_cpan manager_cpan
handler_cpan
:
handler_conf
$(MAKE)
-C
${HANDLERDIR}
dist
mv
${HANDLERDIR}
/Lemonldap
*
.gz .
portal_cpan
:
portal_conf
$(MAKE)
-C
${PORTALDIR}
dist
mv
${PORTALDIR}
/Lemonldap
*
.gz .
manager_cpan
:
manager_conf
$(MAKE)
-C
${MANAGERDIR}
dist
mv
${MANAGERDIR}
/Lemonldap
*
.gz .
static_example
:
example
mkdir
-p
example/static
cd
example/static/
;
ln
-s
../manager/imgs
;
cd
-
scripts/make_static_example.pl example/manager/index.pl example/static/index.html
$(EXAMPLELANG)
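Review bot: `chmod 1777 example/conf` in the `example` target makes the configuration directory world-writable. That directory receives `_example/conf/lmConf-1` (LDAP server, base and bind credentials) and, according to the INSTALL text in this same commit, every further configuration the manager saves as a new file, so any local account on the host could add or alter a configuration that the portal and handlers then read; the sticky bit only stops users deleting or renaming each other's files. Give the directory to the user the Apache processes run as and use `chmod 770` (or 750 with the web server's group as owner), and document that instead of 1777. Also, `INSTALLDIRS` is never assigned a default, so each `perl Makefile.PL INSTALLDIRS=$(INSTALLDIRS)` runs with an empty value unless the caller passes one; an `INSTALLDIRS = site` line next to the other variables would avoid that. Minor: "yout /etc/hosts" in the step 2 message should be "your /etc/hosts".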
build/lemonldap-ng/README (new file, mode 0 → 100644)
Lemonldap-NG
====================
Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It
simplifies the build of a protected area with a few changes in the application.
It manages both authentication and authorization and provides headers for
accounting. So you can have a full AAA protection for your web space as
described below.
1 - Installation
2 - Authentication, Authorization and Accounting mechanisms
2.1 - Authentication
2.2 - Authorization
2.3 - Accounting
3 - Session storage system
4 - Author
5 - Copyright and licence
1 - INSTALLATION
================
Lemonldap::NG is a different project than Lemonldap and contains all you need
to use and administer it. So softwares, like Lemonldap webmin module, may not
work with Lemonldap::NG.
The Apache module part (Lemonldap::NG::Handler) works both with Apache 1.3.x
and 2.x ie mod_perl 1 and 2 (but not with mod_perl 1.99). Portal and Manager
act as CGI, so they can work everywhere.
See INSTALL file in the source tree for a complete installation documentation.
2 - AUTHENTICATION, AUTHORIZATION AND ACCOUNTING MECHANISMS
===========================================================
Warning: Lemonldap::NG configuration has to be edited using the manager unless
you know exactly what you are doing. The parameters discussed here are all in
the configuration tree.
2.1 - Authentication
If a user isn't authenticated and attemps to connect to an area protected by a
Lemonldap::NG compatible handler, he is redirected to a portal. The portal
authenticates user with a ldap bind by default, but you can also use another
authentication sheme like using x509 user certificates (see
Lemonldap::NG::Portal::AuthSSL(3) for more).
Lemonldap use session cookies generated by Apache::Session so as secure as a
128-bit random cookie. You may use the securedCookie options to avoid session
hijacking.
You have to manage life of sessions by yourself since Lemonldap::NG knows
nothing about the L<Apache::Session> module you've choosed, but it's very easy
using a simple cron script because Lemonldap::NG::Portal stores the start
time in the _utime field.
By default, a session stay 10 minutes in the local storage, so in the worth
case, a user is authorized 10 minutes after he lost his rights.
2.2 - Authorization
Authorization is controled only by handlers because the portal knows nothing
about the way the user will choose. When configuring your Web-SSO, you have to:
* choose the ldap attributes you want to use to manage accounting and
authorization.
* create Perl expressions to define user groups (using ldap attributes)
* create an array foreach virtual host associating URI regular expressions and
Perl expressions to use to grant access.
Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored
* Exported variables :
# Custom-Name => LDAP attribute
cn => cn
departmentUID => departmentUID
login => uid
* User groups :
# Custom-Name => group definition
group1 => { $departmentUID eq "unit1" or $login = "xavier.guimard" }
* Area protection:
# Each VirtualHost has its own configuration
# associating URL regexp to Perl expression
* www1.domain.com :
^/protected/.*$ => $groups =~ /\bgroup1\b/
default => accept
},
* www2.domain.com => {
^/site/.*$ => $uid eq "admin" or $groups =~ /\bgroup2\b/
^/(js|css) => accept
default => deny
},
},
2.2.1 - Performance
You can use Perl expressions as complicated as you want and you can use all
the exported LDAP attributes (and create your own attributes: with 'macros'
mechanism) in groups evaluations, area protections or custom HTTP headers
(you just have to call them with a "$").
You have to be careful when choosing your expressions:
* groups and macros are evaluated each time a user is redirected to the portal
* virtual host rules and exported headers are evaluated for each request on a
protected area.
It is also recommanded to use the groups mechanism to avoid having to evaluate
a long expression at each HTTP request:
# Virtual hosts :
...
www1.domain.com :
^/protected/.*$ => $groups =~ /\bgroup1\b/
You can also use LDAP filters, or Perl expression or mixed expressions in
groups definitions. Perl expressions has to be enclosed with {}:
* group1 => (|(uid=xavier.guimard)(ou=unit1))
* group1 => {$uid eq "xavier.guimard" or $ou eq "unit1"}
* group1 => (|(uid=xavier.guimard){$ou eq "unit1"})
It is also recommanded to use Perl expressions to avoid requiering the LDAP
server more than 2 times per authentication.
2.3 - Accounting
2.3.1 - Logging portal access>
Lemonldap::NG::Portal doesn't log anything by default, but it's easy to
overload log method for normal portal access.
2.3.2 - Logging application access
Because a Web-SSO knows nothing about the protected application, it can't do
more than logging URL. As Apache does this fine, L<Lemonldap::NG::Handler>
gives it the name to used in logs. The whatToTrace parameter indicates
which variable Apache has to use ($uid by default).
The real accounting has to be done by the application itself which knows the
result of SQL transaction for example.
Lemonldap::NG can export HTTP headers either using a proxy or protecting
directly the application. By default, the Auth-User field is used but you can
change it using the exportedHeaders parameters (in the Manager, each virtual
host as custom headers branch). This parameters contains an associative array
per virtual host:
* keys are the names of the choosen headers
* values are Perl expressions where you can use user datas stored in the
global storage.
Example:
* www1.domain.com :
Auth-User => $uid
Unit => $ou
* www2.domain.com :
Authorization => "Basic ".encode_base64($employeeNumber.":dummy")
Remote-IP => $ip
3 - SESSION STORAGE SYSTEM
Lemonldap::NG use 3 levels of cache for authenticated users:
* an Apache::Session::* module used by lemonldap::NG::Portal to store
authenticated user parameters,
* a Cache::Cache* module used by Lemonldap::NG::Handler to share authenticated
users between Apache's threads or processus and of course between virtual
hosts on the same machine
* Lemonldap::NG::Handler variables : if the same user use the same thread or
processus a second time, no request are needed to grant or refuse access.
This is very efficient with HTTP/1.1 Keep-Alive system.
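Review bot: the user-groups example in 2.2, `group1 => { $departmentUID eq "unit1" or $login = "xavier.guimard" }`, uses `=` (assignment) where `eq` is needed. In Perl the right-hand term assigns the string to `$login` and evaluates true, so the rule as written puts every authenticated user in group1, and the `^/protected/.*$ => $groups =~ /\bgroup1\b/` rule for www1.domain.com then admits everyone; it should be `$login eq "xavier.guimard"`. The same example exports `uid` under the custom name `login` (`login => uid`) but the www2.domain.com rule tests `$uid eq "admin"`; either export uid as `uid` as well or test `$login`, so the example is consistent with itself. Formatting: the "Area protection" block closes www1.domain.com and www2.domain.com with `},` but opens neither with `{`, the sentence "Example (See Lemonldap::NG::Manager::Conf(3) to see how configuration is stored" lacks its closing parenthesis, and the heading "2.3.1 - Logging portal access>" carries a stray ">".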