Commit 0546303d authored by Christophe Maudoux

Merge branch 'v2.0'

parents ff095ca1 f37c2399
Pipeline #7554 failed with stages
in 16 minutes and 4 seconds
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:
* #1893: Issuer urldc is lost after error in 2F flow
* #1909: Reset password by email issue
* #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
* #1945: passwordpolicy.tpl contains wrong tag
* #1948: Tranlation menu does not work with Diff.html
* #1949: Don't Store Password shows password in cleartext
* #1952: "Attributes and macros" session keys should not be translated
* #1953: Outgoing emails are missing a Date: field
* #1954: zimbra preauth not working
* #1955: Redirection lost after notification validation
* #1960: REST config service not working
* #1961: IDP selection rule regression in 2.0.0
* #1963: Server Error with OpenID Connect register endpoint
* #1964: Diff.html does not work with minified JS
* #1966: Configuration reload does not apply changes to location rules
* #1968: skippedUnitTests/skippedGlobalTests have no effect
* #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
* #1974: ServiceToken handler TTL value always set to default
* #1984: Reset expired password doesn't trigger when using Combination
* #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
* #2009: Display authentication error on login form with Combination Kerberos + LDAP
* #2010: Kerberos not working with session upgrade
* #2012: Several issues with notification system
* #2013: Handler, yum install
* #2018: After temporary ldap failure, ldap connections stop working forever
* #2038: Missing type attribute in 2FA HTML inputs
* #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name
* New features:
* #813: Provide refresh tokens in OpenID Connect
* #1605: certificate reset by mail
* #1956: DecryptValue plugin
* #1999: Possibility to view/close other sessions opened for the same user
* #2006: Create a web service for "refresh my rights"
* Improvements:
* #1590: Possibility to configure new plugins in Manager
* #1905: Append overScheme for persistent sessions
* #1941: After logged out from SP we are always redirected to IdP - Unable to go back to SP Portal
* #1947: Highlight active module with Diff.html
* #1967: allow differents type of managerDN
* #1983: The script purgeCentralCache should be more fault tolerant
* #1988: Append a requiredAuthenticationLevel option for each uri
* #1989: Main logo and lang icons are missing with upgradesession template
* #1991: Some user logs not using whatToTrace for username
* #1993: Same issue like (#1884) occures with Issuer redirection
* #1994: Append varInUri extended function
* #1995: Add an option to force claims in ID token
* #1996: REQUEST_URI env variable is not set by CheckUser plugin
* #1997: Enable checkTime option by default
* #1998: Misleading token ID format
* #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
* #2007: Password change prompt displayed even if initial auth fails
* #2008: Specific message and error code for 2F failure
* #2011: Create a function to test if a value belongs to a list
* #2012: Several issues with notification system
* #2014: New script to convert sessions between backends
* #2019: Renew Captcha button
* #2024: Change default value for cspFormAction
* #2042: Add per-service macros
-- Clément <clem.oudot@gmail.com> Sat, 21 Dec 2019 16:59:22 +0100
lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs:
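Review bot: #2012 ("Several issues with notification system") appears under both Bugs and Improvements in the 2.0.7 entry; list it in one section only. The same entry carries typos that will ship in the package changelog: "Tranlation" (#1948), "differents type" (#1967) and "occures" (#1993). The CVE-2019-19791 line (#1943) names Apache access rules and SOAP/REST endpoints but gives no action for the administrator; a short pointer to the upgrade notes would help people who only read the changelog.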
......
lemonldap-ng (2.0.7-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Sat, 21 Dec 2019 17:00:00 +0100
lemonldap-ng (2.0.6-1) unstable; urgency=medium
* New release. See changes on our website:
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1569271173" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1576942824" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
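Review bot: the only changes in these two hunks are the `sectok` value in the login link and the numeric suffix on the `indexer.php` image URL, and the page body is DokuWiki's "You've followed a link to a topic that doesn't exist yet" placeholder. That makes this an export artefact rather than documentation. Either drop the file from the generated docs or have the exporter strip `sectok` and the indexer pixel, so that each regeneration stops producing churn. The same applies to the `img/icons.png`, `img/loader.gif` and `jitsimet` pages changed further down in this commit.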
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="applications.html"/>
......
......@@ -171,7 +171,7 @@ Edit then <code>share-config-custom.xml</code> and uncomment the last part. In t
<span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco - user access<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;connector-id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/connector-id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/wcs<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/s<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;identity<span class="re2">&gt;</span></span></span>user<span class="sc3"><span class="re1">&lt;/identity<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;external-auth<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/external-auth<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/endpoint<span class="re2">&gt;</span></span></span>
......@@ -184,7 +184,7 @@ You need to restart Tomcat to apply changes.
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT4 SECTION "Alfresco" [457-3157] -->
<!-- EDIT4 SECTION "Alfresco" [457-3155] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">
......@@ -217,12 +217,12 @@ Other rules:
</ul>
</div>
<!-- EDIT5 SECTION "LL::NG" [3158-3497] -->
<!-- EDIT5 SECTION "LL::NG" [3156-3495] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "SAML2" [3498-3517] -->
<!-- EDIT6 SECTION "SAML2" [3496-3515] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3">
......@@ -521,7 +521,7 @@ To finish with Alfresco configuration, tick the “Enable <abbr title="Security
</p>
</div>
<!-- EDIT7 SECTION "Alfresco" [3518-14174] -->
<!-- EDIT7 SECTION "Alfresco" [3516-14172] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3">
......@@ -556,7 +556,7 @@ And you can define these exported attributes:
</ul>
</div>
<!-- EDIT8 SECTION "LL::NG" [14175-14553] -->
<!-- EDIT8 SECTION "LL::NG" [14173-14551] -->
<h2 class="sectionedit9" id="other_resources">Other resources</h2>
<div class="level2">
<ul>
......@@ -567,6 +567,6 @@ And you can define these exported attributes:
</ul>
</div>
<!-- EDIT9 SECTION "Other resources" [14554-] --></div>
<!-- EDIT9 SECTION "Other resources" [14552-] --></div>
</body>
</html>
......@@ -93,7 +93,7 @@ The Basic Authentication relies on a specific HTTP header, as described above. S
<p>
For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <a href="../passwordstore.html" class="wikilink1" title="documentation:2.0:passwordstore">password is stored in session</a>):
</p>
<pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;)</pre>
<pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;, &quot;&quot;)</pre>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> provides a special function named <a href="../extendedfunctions.html#basic" class="wikilink1" title="documentation:2.0:extendedfunctions">basic</a> to build this header.
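Review bot: missing rationale for the empty second argument in `encode_base64("$uid:$_password", "")` on the `Authorization` line. Perl's MIME::Base64 `encode_base64` appends a newline by default and wraps its output at 76 characters, so the old form could put a line break into the header value. One sentence saying so, placed next to the pointer to the `basic` function, would stop readers from dropping the argument again when they adapt the example.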
......
......@@ -198,7 +198,7 @@ Configure the <a href="../writingrulesand_headers.html#headers" class="wikilink1
</li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&#039;&#039;)</div>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&quot;&quot;)</div>
</li>
</ul>
<div class="noteimportant">To allow execution of encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1569271147" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1576942799" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1569271147" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1576942799" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1569271166" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1576942817" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -56,6 +56,7 @@
<li class="level2"><div class="li"><a href="#zimbra_application_in_menu">Zimbra application in menu</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_virtual_host">Zimbra virtual host</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_handler_parameters">Zimbra Handler parameters</a></div></li>
<li class="level2"><div class="li"><a href="#multi-domain_issues">Multi-domain issues</a></div></li>
</ul></li>
</ul>
</div>
......@@ -163,6 +164,66 @@ Zimbra parameters are the following:
</div>
</div>
<!-- EDIT7 SECTION "Zimbra Handler parameters" [1862-] --></div>
<!-- EDIT7 SECTION "Zimbra Handler parameters" [1862-2771] -->
<h3 class="sectionedit8" id="multi-domain_issues">Multi-domain issues</h3>
<div class="level3">
<p>
Some organizations have multiple zimbra domains:
</p>
<ol>
<li class="level1"><div class="li"> foo@domain1.com</div>
</li>
<li class="level1"><div class="li"> bar@domain2.com</div>
</li>
</ol>
<p>
However, the zimbra preauth key is:
</p>
<ul>
<li class="level1"><div class="li"> generated for one zimbra domain only</div>
</li>
<li class="level1"><div class="li"> declared globally for every LemonLDAP::NG virtual hosts.</div>
</li>
</ul>
<p>
Thus, if domain1 has been registered on LemonLDAP::NG, user bar won&#039;t be able to connect to zimbra because preauth key is different. If you accept to have the same preauth key for all zimbra domains, you can set the same preauth key using this procedure:
</p>
<p>
We are going to use the first key (the domain1 one) for every domain.
On Zimbra machine, generate the keys:
</p>
<pre class="code"> zmprov generateDomainPreAuthKey domain1.com
preAuthKey: 4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c
zmprov generateDomainPreAuthKey domain2.com
preAuthKey: 6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c</pre>
<p>
Then, connect to your zimbra LDAP server with your favourite tool (Apache Directory Studio can do the job).
Take care to connect with the super admin and password account.
</p>
<ul>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain1&quot; branch</div>
</li>
<li class="level1"><div class="li"> Get the value of zimbraPreAuthKey</div>
</li>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain2&quot; branch</div>
</li>
<li class="level1"><div class="li"> Replace the value of zimbraPreAuthKey you have previously copied</div>
</li>
<li class="level1"><div class="li"> Wait for all Zimbra servers to update, or restart the zcs server</div>
</li>
</ul>
<p>
That&#039;s it, all zimbra servers will be able to decipher the hmac because they share the same key!
</p>
</div>
<!-- EDIT8 SECTION "Multi-domain issues" [2772-] --></div>
</body>
</html>
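Review bot: the `zmprov generateDomainPreAuthKey` sample output in the new "Multi-domain issues" section prints two full 64-hex-character `preAuthKey` values. If they came from a real Zimbra instance they need to be rotated, and either way the page should show an obvious placeholder instead. Two wording points in the same hunk: the fourth step should read "Replace the value of zimbraPreAuthKey with the one you have previously copied", and the closing sentence says servers "decipher the hmac", whereas an HMAC is recomputed and compared, not deciphered. Since the procedure makes every domain trust one key, the text should also state the consequence next to "If you accept to have the same preauth key": a leak of that key affects preauth for all domains, not just domain1.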
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authcustom</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,authcustom"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authcustom.html"/>
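Review bot: the `robots` meta on `authcustom.html` goes from `index,follow` to `noindex,nofollow` here, while the same line on `applications.html` flips the opposite way in this commit. Nothing else in either hunk explains the difference, so this looks like export state leaking into the build. Pick one value for published pages and set it in the exporter.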
......@@ -84,13 +84,13 @@ Then, you just have to define class names of your custom modules in &quot;Custom
<p>
You can define your own customAuth module icon. Icon must be in site/htdocs/static/common/modules/icon.png
</p>
<div class="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm
<div class="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev
</div><div class="noteimportant">Be careful. Don&#039; t use an already attributed name in configuration.
</div>
<p>
These parameters are available in your plugins using <code>$self-&gt;conf-&gt;{<em>customName</em>}</code>.
These parameters are available in your plugins using <code>$self-&gt;conf-&gt;{customAddParams}-&gt;{<em>customName</em>}</code>.
</p>
<p>
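Review bot: the corrected tip still has `.pm` on its left-hand side (`::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev`); both sides should be the bare class name, since the hunk header text says the field takes "class names of your custom modules". The accessor change to `$self->conf->{customAddParams}->{customName}` matters to plugin authors who followed the old text, so it deserves a line in the upgrade notes. The unchanged "Don' t use" in the note below the tip also has a stray space.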
......
......@@ -248,8 +248,6 @@ You can also define:
</li>
<li class="level1"><div class="li"> endsession_endpoint</div>
</li>
<li class="level1"><div class="li"> introspection_endpoint</div>
</li>
</ul>
<p>
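Review bot: `introspection_endpoint` is dropped from the "You can also define" list with no accompanying text. If the key is no longer read, say so in the upgrade notes; if it is still honoured, keep it listed.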
......
......@@ -416,7 +416,7 @@ To avoid a persistent loop between Portal and a redirection <abbr title="Uniform
<span class="re1">pdataDomain</span> <span class="sy0">=</span><span class="re2"> example.com</span></pre>
<p>
To avoid a bad/expired token during session upgrading (Reauthentication) if URLs are served by different load balancers, you can force Upgrade tokens be stored into Global Storage by editing <code>lemonldap-ng.ini</code> in section [portal]:
To avoid a bad/expired token during session upgrading (Reauthentication) if URLs are served by different load balancers, you can force Upgrade tokens to be stored into Global Storage by editing <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">forceGlobalStorageUpgradeOTT</span> <span class="sy0">=</span><span class="re2"> 1</span></pre>
......
......@@ -95,10 +95,10 @@ The following table list fields to index depending on the feature you want to in
<td class="col0"> Database cleanup <em>(cron)</em> </td><td class="col1 centeralign"> _session_kind _utime </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> Session explorer </td><td class="col1 centeralign"> _session_kind ipAddr <em>WHATTOTRACE</em> </td>
<td class="col0"> Session explorer </td><td class="col1 centeralign"> _session_kind ipAddr _httpSessionType <em>WHATTOTRACE</em> </td>
</tr>
<tr class="row3 rowodd">
<td class="col0"> Session explorer (persistent sessions) </td><td class="col1 centeralign"> _session_kind _session_uid </td>
<td class="col0"> Session explorer (persistent sessions) </td><td class="col1 centeralign"> _session_kind _session_uid ipAddr _httpSessionType <em>WHATTOTRACE</em> </td>
</tr>
<tr class="row4 roweven">
<td class="col0"> Session restrictions </td><td class="col1 centeralign"> _session_kind ipAddr <em>WHATTOTRACE</em> </td>
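Review bot: the table now lists `_httpSessionType` for both Session explorer rows, but the examples later on the same page were not updated. The note still says the documentation "explains how set index on ipAddr and _whatToTrace", and the Browseable NoSQL `Index` example value is still `_whatToTrace ipAddr`. Either add `_httpSessionType` to those examples or state explicitly that they are a subset. The persistent-sessions row also gains `ipAddr` and `WHATTOTRACE` next to `_session_uid`; a sentence on why would help people deciding which indexes to create.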
......@@ -110,7 +110,7 @@ The following table list fields to index depending on the feature you want to in
<td class="col0"> <abbr title="Security Assertion Markup Language">SAML</abbr> Session </td><td class="col1 centeralign"> _saml_id </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [871-1230] -->
<!-- EDIT3 TABLE [871-1287] -->
<p>
See Apache::Session::Browseable::* man page to see how use indexes.
</p>
......@@ -119,7 +119,7 @@ See Apache::Session::Browseable::* man page to see how use indexes.
</div><div class="noteclassic">Documentation below explains how set index on ipAddr and _whatToTrace. Adapt it to configure the index you need.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [43-1753] -->
<!-- EDIT2 SECTION "Presentation" [43-1810] -->
<h2 class="sectionedit4" id="browseable_nosql">Browseable NoSQL</h2>
<div class="level2">
......@@ -146,15 +146,15 @@ You then just have to add the <code>Index</code> parameter in <code>General par
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [2041-2198] -->
<!-- EDIT5 TABLE [2098-2255] -->
</div>
<!-- EDIT4 SECTION "Browseable NoSQL" [1754-2199] -->
<!-- EDIT4 SECTION "Browseable NoSQL" [1811-2256] -->
<h2 class="sectionedit6" id="browseable_sql">Browseable SQL</h2>
<div class="level2">
<div class="noteclassic">This documentation concerns PostgreSQL. Some adaptations are needed with other databases. When using Apache::Session::Browseable::Postgres, it is strongly recommended to use version 1.3.1 at least. See <a href="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732" class="urlextern" title="https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1732" rel="nofollow">bug 1732</a>.
</div>
</div>
<!-- EDIT6 SECTION "Browseable SQL" [2200-2518] -->
<!-- EDIT6 SECTION "Browseable SQL" [2257-2575] -->
<h3 class="sectionedit7" id="prepare_database">Prepare database</h3>
<div class="level3">
......@@ -189,7 +189,7 @@ CREATE INDEX h1 ON sessions (_httpSessionType);</pre>
<div class="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don&#039;t need to declare indexes in <code>CREATE TABLE</code> since &quot;json&quot; and &quot;hstore&quot; type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
</div>
</div>
<!-- EDIT7 SECTION "Prepare database" [2519-4234] -->
<!-- EDIT7 SECTION "Prepare database" [2576-4291] -->
<h3 class="sectionedit8" id="manager">Manager</h3>
<div class="level3">
......@@ -221,14 +221,14 @@ Go in the Manager and set the session module (<a href="https://metacpan.org/pod/
<td class="col0 centeralign"> <strong>TableName</strong> </td><td class="col1"> Table name (optional) </td><td class="col2"> sessions </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [4557-4978] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<!-- EDIT9 TABLE [4614-5035] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<p>
For databases like PostgreSQL, don&#039;t forget to add &quot;Commit&quot; with a value of 1
</p>
</div>
</div>
<!-- EDIT8 SECTION "Manager" [4235-5157] -->
<!-- EDIT8 SECTION "Manager" [4292-5214] -->
<h2 class="sectionedit10" id="browseable_ldap">Browseable LDAP</h2>
<div class="level2">
......@@ -282,9 +282,9 @@ You need to add the <code>Index</code> field and can also configure the <code>ld
<td class="col0 centeralign"> <strong>ldapAttributeIndex</strong> </td><td class="col1"> Attribute storing index </td><td class="col2"> ou </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [5509-6243] -->
<!-- EDIT11 TABLE [5566-6300] -->
</div>
<!-- EDIT10 SECTION "Browseable LDAP" [5158-6244] -->
<!-- EDIT10 SECTION "Browseable LDAP" [5215-6301] -->
<h2 class="sectionedit12" id="security">Security</h2>
<div class="level2">
......@@ -297,7 +297,7 @@ You can also use different user/password for your servers by overriding paramete
</p>
</div>
<!-- EDIT12 SECTION "Security" [6245-6464] -->
<!-- EDIT12 SECTION "Security" [6302-6521] -->
<h2 class="sectionedit13" id="performances">Performances</h2>
<div class="level2">
......@@ -340,6 +340,6 @@ CREATE INDEX _u1 ON sessions (_utime);
CREATE INDEX ip1 ON sessions (ipAddr) USING BTREE;</pre>
</div>
<!-- EDIT13 SECTION "Performances" [6465-] --></div>
<!-- EDIT13 SECTION "Performances" [6522-] --></div>
</body>
</html>
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:changesessionbackend</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,changesessionbackend"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="changesessionbackend.html"/>
<link rel="contents" href="changesessionbackend.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:changesessionbackend","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="how_to_change_session_backend">How to change session backend</h1>
<div class="level1">
<p>
LemonLDAP::NG provides a script to change session backend. This script will help you transfer existing persistent sessions (or offline sessions) when migrating from one backend to another, or when adding indexes to a <a href="browseablesessionbackend" class="wikilink2" title="browseablesessionbackend" rel="nofollow">browseable sessio backend</a>. It is available in LemonLDAP::NG utilities directory (<code>convertSessions</code>).
</p>
</div>
<!-- EDIT1 SECTION "How to change session backend" [1-397] -->
<h2 class="sectionedit2" id="how_it_works">How it works</h2>
<div class="level2">
<p>
The <code>convertSessions</code> utility requires you to create a job configuration file with the following content:
</p>
<pre class="file"># This example migrates psessions from the default File backend to a PostgreSQL database
[sessions_from]
storageModule = Apache::Session::File
storageModuleOptions = { \\
&#039;Directory&#039; =&gt; &#039;/var/lib/lemonldap-ng/psessions&#039;, \\
&#039;LockDirectory&#039; =&gt; &#039;/var/lib/lemonldap-ng/psessions/lock&#039;, \\
}
# Only convert some session types
# sessionKind = Persistent, SSO
[sessions_to]
storageModule = Apache::Session::Browseable::Postgres
storageModuleOptions = { \\
&#039;DataSource&#039; =&gt; &#039;DBI:Pg:database=lemonldapdb;host=pg.example.com&#039;, \\
&#039;UserName&#039; =&gt; &#039;lemonldaplogin&#039;, \\
&#039;Password&#039; =&gt; &#039;lemonldappw&#039;, \\
&#039;Commit&#039; =&gt; 1, \\
&#039;Index&#039; =&gt; &#039;ipAddr _whatToTrace user&#039;, \\
&#039;TableName&#039; =&gt; &#039;psessions&#039;, \\
}
</pre>
</div>
<!-- EDIT2 SECTION "How it works" [398-1250] -->
<h2 class="sectionedit3" id="invokation">Invokation</h2>
<div class="level2">
<pre class="code shell">convertSessions -c job.ini </pre>
<p>
Options:
</p>
<ul>
<li class="level1"><div class="li"> <code>-c</code>: job configuration file (mandatory)</div>
</li>
<li class="level1"><div class="li"> <code>-i</code>: ignore errors. By default errors will stop the script execution</div>
</li>
<li class="level1"><div class="li"> <code>-d</code>: print debugging output</div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Invokation" [1251-] --></div>
</body>
</html>
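Review bot: the job file example stores the PostgreSQL `UserName` and `Password` in clear text, and the page never says how `job.ini` should be protected. Add a sentence telling operators to restrict read access to the file and to remove it once the migration is done. Other issues in this new file: the link to `browseablesessionbackend` has class `wikilink2` and no `.html` suffix, so it points at a page that does not exist in the export; "browseable sessio backend" and "Invokation" are typos (the latter is also baked into the section `id`); and in the head, the commented `useexternallibs` branch closes a `<link>` with `</script>` and loads jQuery and jQuery UI over `http://`.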
......@@ -43,6 +43,21 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level1"><div class="li"><a href="#usage">Usage</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#example">Example</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="check_state_plugin">Check state plugin</h1>
<div class="level1">
......@@ -57,11 +72,11 @@ This plugin can be used to check if portal instance is ready. This can be a heal
<div class="level2">
<p>
Just enable it in the manager (section &quot;plugins&quot;). You <em class="u">must</em> also set a shared secret.
Just enable it in the manager (*<em>General Parameters</em> » <em>Plugins</em> » <em>State Check</em>). You <em class="u">must</em> also set a shared secret.
</p>
</div>
<!-- EDIT2 SECTION "Configuration" [196-313] -->
<!-- EDIT2 SECTION "Configuration" [196-353] -->
<h2 class="sectionedit3" id="usage">Usage</h2>
<div class="level2">
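Review bot: stray `*` before the first `<em>` in the new sentence ("(*<em>General Parameters</em> » ..."), most likely left over from wiki bold markup; remove it so the menu path renders cleanly. The sentence keeps "You must also set a shared secret", which is good, but it gives no guidance on the secret's length or randomness.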
......@@ -84,12 +99,19 @@ When enabled, <code>/checkstate</code> <abbr title="Uniform Resource Locator">UR
<td class="col0 centeralign"> <code>password</code> </td><td class="col1 centeralign"> optional </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [416-670] -->
<p>
Example: <code><a href="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" class="urlextern" title="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" rel="nofollow">https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho</a></code>
</p>
<!-- EDIT4 TABLE [456-710] -->
</div>
<!-- EDIT3 SECTION "Usage" [354-711] -->
<h3 class="sectionedit5" id="example">Example</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> Basic availability check: <code><a href="https://auth.example.com/checkstate?secret=qwerty" class="urlextern" title="https://auth.example.com/checkstate?secret=qwerty" rel="nofollow">https://auth.example.com/checkstate?secret=qwerty</a></code></div>
</li>
<li class="level1"><div class="li"> Try to log a user in: <code><a href="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" class="urlextern" title="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" rel="nofollow">https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho</a></code></div>
</li>
</ul>
</div>
<!-- EDIT3 SECTION "Usage" [314-] --></div>
<!-- EDIT5 SECTION "Example" [712-] --></div>
</body>
</html>
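Review bot: both example URLs pass `secret` in the query string, and the second also passes `user` and `password`, so all three values will be written to web server and proxy access logs on every health check. The section should say so, and should advise a long random shared secret instead of `qwerty` and a dedicated low-privilege test account instead of a regular user for the login check.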