Commit 153ef2df authored by Clément OUDOT

Update documentation

parent 9cb56173
Pipeline #3516 passed with stages in 7 minutes and 18 seconds
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=b080493cd401ddb4d6ec6dbe57503dcd" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=f2af53b99ba25aa5353674957471d8e4" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
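Review bot: the only change in this hunk is the `sectok` value in the Login link, which is DokuWiki's per-session CSRF token and will differ on every export, so these hunks are pure churn (the same happens in the loader.gif hunk below). The link itself (`/documentation/2.0/applications/img/icons.png?do=login`) is dead in a static export, and the second hunk of this file shows the page is a "topic that doesn't exist yet" placeholder generated for a media id, so consider excluding media ids from the export and stripping the `<li><a ... class="action login">` element from exported pages rather than re-committing a new token each time.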
......@@ -241,7 +241,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1531599531" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1543238040" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
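Review bot: the `<img src="/lib/exe/indexer.php?id=...&amp;1531599531">` beacon is DokuWiki's indexing web bug; in a static export it makes every reader's browser request `/lib/exe/indexer.php` on whatever host serves the documentation, and the embedded timestamp changes on each export, which is the only thing this hunk (and the matching loader.gif hunk below) modifies. Suggest dropping the `<div class="no"><img src="/lib/exe/indexer.php...` element from the export so the docs neither call back to the wiki nor churn on every regeneration.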
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=b080493cd401ddb4d6ec6dbe57503dcd" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=f2af53b99ba25aa5353674957471d8e4" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -241,7 +241,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1531599531" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1543238040" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -144,6 +144,7 @@ Define here:
</li>
</ul>
<div class="notetip">You can prefix the key name with a digit to order them. The digit will not be shown on portal page. Underscore characters are also replaced by spaces.
</div><div class="notetip">You can also override some LLNG parameters for each chain. See <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">Parameter list</a> to have the key names to use
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [649-] --></div>
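Review bot: the new tip sentence "See Parameter list to have the key names to use" has no terminating period and reads awkwardly; suggest "See Parameter list for the key names to use." It would also help to state that the override applies only to the keys of that chain and does not change the global value, since the sentence before it talks about ordering digits and underscores in key names and a reader may not see that a per-chain override is a different mechanism.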
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authcustom</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,authcustom"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authcustom.html"/>
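Review bot: flipping `<meta name="robots">` from `index,follow` to `noindex,nofollow` looks like an export-setting side effect rather than an intentional edit: the same flip appears on configlocation.html further down, while the newly added bruteforceprotection.html still carries `index,follow`. If the exported documentation is published on the web this is the difference between pages being searchable or not, so either make the value consistent across all exported pages or explain in the commit message why these two pages should be hidden from indexing.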
......@@ -63,24 +63,41 @@
<div class="level2">
<p>
This artifact allows one to define its own modules (authentication, user database, password or register DB).
This artifact allows one to define its own modules (authentication, user database, password or register database).
</p>
<div class="notetip">The developer documentation is available in Portal manpages.
<div class="notetip">The developer documentation is available in Portal manpages. See Auth.pod and UserDB.pod
</div>
</div>
<!-- EDIT3 SECTION "Presentation" [117-330] -->
<!-- EDIT3 SECTION "Presentation" [117-365] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
You just have to define class names of your custom modules in “Custom module names”. You can also add your custom parameters in “Additional parameters”. Be careful to use names not already used elsewhere in configuration. This parameters are available in your plugins using <code>$self→conf→{<em>customName</em>}</code>.
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose &#039;Custom module&#039;.
</p>
<p>
Then, you just have to define class names of your custom modules in “Custom module names”. Custom parameters can be set in “Additional parameters”. Full path must be specify.
</p>
<p>
You can define your own customAuth module icon. Icon must be in site/htdocs/static/common/modules/icon.png
</p>
<div class="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm
</div><div class="noteclassic">Be careful. Don&#039; t use an already attributed name in configuration.
</div>
<p>
These parameters are available in your plugins using <code>$self→conf→{<em>customName</em>}</code>.
</p>
<p>
See portal manpages to see how to write these plugins.
Read portal manpages to see how to write these plugins.
</p>
</div>
<!-- EDIT4 SECTION "Configuration" [331-] --></div>
<!-- EDIT4 SECTION "Configuration" [366-] --></div>
</body>
</html>
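Review bot: several wording problems in the new Configuration text. "Full path must be specify." should be "The full class path must be specified.", and it contradicts the tip right below it ("::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm") unless the tip is reworded to say that a leading `::` is accepted as shorthand for the `Lemonldap::NG::Portal` prefix. "Don&#039; t" has a stray space, and that caution duplicates the sentence removed from the previous paragraph ("Be careful to use names not already used elsewhere in configuration"), so keep only one. "Icon must be in site/htdocs/static/common/modules/icon.png" should say how the file is named (is `icon.png` literal, or the module name?), and `$self→conf→{customName}` should use the ASCII `->` operator in a `<code>` element so readers can copy it into Perl.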
......@@ -101,7 +101,7 @@
<abbr title="LemonLDAP::NG">LL::NG</abbr> can use a lot of databases as authentication, users and password backend:
</p>
<ul>
<li class="level1"><div class="li"> MySQL</div>
<li class="level1"><div class="li"> MariaDB/MySQL</div>
</li>
<li class="level1"><div class="li"> PostGreSQL</div>
</li>
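Review bot: while touching this list, the context line "PostGreSQL" should be spelled "PostgreSQL" to match the project name used elsewhere in the same file (the Browseable section says "This documentation concerns PostgreSQL").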
......@@ -116,7 +116,7 @@ Indeed, any <a href="http://search.cpan.org/search?query=DBD%3A%3A&amp;mode=modu
</p>
</div>
<!-- EDIT4 SECTION "Drivers" [123-371] -->
<!-- EDIT4 SECTION "Drivers" [123-379] -->
<h3 class="sectionedit5" id="schema">Schema</h3>
<div class="level3">
......@@ -168,7 +168,7 @@ The password can be in plain text, or encoded with a standard SQL method:
<td class="col0"> 2 </td><td class="col1"> tchemineau </td><td class="col2"> 1f777a6581e478499f4284e54fe2d4a4e513dfff </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [772-977] -->
<!-- EDIT6 TABLE [780-985] -->
</div>
<h5 id="user_table">User table</h5>
......@@ -189,7 +189,7 @@ The password can be in plain text, or encoded with a standard SQL method:
<td class="col0"> 2 </td><td class="col1"> xguimard </td><td class="col2"> Xavier GUIMARD </td><td class="col3"> xguimard@example.com </td>
</tr>
</table></div>
<!-- EDIT7 TABLE [997-1197] -->
<!-- EDIT7 TABLE [1005-1205] -->
</div>
<h4 id="example_2single_table">Example 2: single table</h4>
......@@ -210,9 +210,9 @@ The password can be in plain text, or encoded with a standard SQL method:
<td class="col0"> 2 </td><td class="col1"> xguimard </td><td class="col2"> a15a18c8bb17e6f67886a9af1898c018b9f5a072 </td><td class="col3"> Xavier GUIMARD </td><td class="col4"> xguimard@example.com </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [1232-1572] -->
<!-- EDIT8 TABLE [1240-1580] -->
</div>
<!-- EDIT5 SECTION "Schema" [372-1573] -->
<!-- EDIT5 SECTION "Schema" [380-1581] -->
<h3 class="sectionedit9" id="sql">SQL</h3>
<div class="level3">
......@@ -229,7 +229,7 @@ The password can be in plain text, or encoded with a standard SQL method:
</ul>
</div>
<!-- EDIT9 SECTION "SQL" [1574-1847] -->
<!-- EDIT9 SECTION "SQL" [1582-1855] -->
<h2 class="sectionedit10" id="configuration">Configuration</h2>
<div class="level2">
......@@ -238,7 +238,7 @@ In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modu
</p>
</div>
<!-- EDIT10 SECTION "Configuration" [1848-2022] -->
<!-- EDIT10 SECTION "Configuration" [1856-2030] -->
<h3 class="sectionedit11" id="authentication_level">Authentication level</h3>
<div class="level3">
......@@ -254,7 +254,7 @@ The authentication level given to users authenticated with this module.
</div>
</div>
<!-- EDIT11 SECTION "Authentication level" [2023-2387] -->
<!-- EDIT11 SECTION "Authentication level" [2031-2395] -->
<h3 class="sectionedit12" id="exported_variables">Exported variables</h3>
<div class="level3">
......@@ -263,7 +263,7 @@ List of columns to query to fill user session. See also <a href="exportedvars.ht
</p>
</div>
<!-- EDIT12 SECTION "Exported variables" [2388-2525] -->
<!-- EDIT12 SECTION "Exported variables" [2396-2533] -->
<h3 class="sectionedit13" id="connection">Connection</h3>
<div class="level3">
<div class="notetip">Connection settings can be configured differently for authentication process and user process. This allows one to use different databases for these process. By default, if user process connection settings are empty, authentication process connection settings will be used.
......@@ -277,7 +277,7 @@ List of columns to query to fill user session. See also <a href="exportedvars.ht
</ul>
</div>
<!-- EDIT13 SECTION "Connection" [2526-3044] -->
<!-- EDIT13 SECTION "Connection" [2534-3052] -->
<h3 class="sectionedit14" id="schema1">Schema</h3>
<div class="level3">
<ul>
......@@ -296,7 +296,7 @@ List of columns to query to fill user session. See also <a href="exportedvars.ht
</ul>
</div>
<!-- EDIT14 SECTION "Schema" [3045-3488] -->
<!-- EDIT14 SECTION "Schema" [3053-3496] -->
<h3 class="sectionedit15" id="password">Password</h3>
<div class="level3">
<ul>
......@@ -325,6 +325,6 @@ $$ LANGUAGE SQL STRICT IMMUTABLE;</pre>
</div>
</div>
<!-- EDIT15 SECTION "Password" [3489-] --></div>
<!-- EDIT15 SECTION "Password" [3497-] --></div>
</body>
</html>
......@@ -177,9 +177,10 @@ List of attributes to query to fill user session. See also <a href="exportedvars
<li class="level1"><div class="li"> <strong>Binary attributes</strong>: regular expression matching binary attributes (see <a href="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" class="urlextern" title="http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP.pod" rel="nofollow">Net::LDAP</a> documentation).</div>
</li>
</ul>
<div class="noteimportant">LemonLDAP::NG need anonymous access to LDAP Directory RootDSE in order to check LDAP connection.
</div>
</div>
<!-- EDIT7 SECTION "Connection" [1677-2868] -->
<!-- EDIT7 SECTION "Connection" [1677-2988] -->
<h3 class="sectionedit8" id="filters">Filters</h3>
<div class="level3">
<div class="notetip">In LDAP filters, $user is replaced by user login, and $mail by user email.
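Review bot: the new important note should say exactly what is required so directory administrators can grant the minimum: "LemonLDAP::NG needs anonymous read access to the LDAP directory RootDSE (a base-scope search on the empty DN) in order to check the LDAP connection." As written ("need anonymous access to LDAP Directory RootDSE") an admin may enable anonymous bind for the whole tree when an ACL limited to the RootDSE is enough; if there is a way to skip this check for directories that refuse anonymous binds, link it here.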
......@@ -203,7 +204,7 @@ And the mail filter is:
</div>
</div>
<!-- EDIT8 SECTION "Filters" [2869-3590] -->
<!-- EDIT8 SECTION "Filters" [2989-3710] -->
<h3 class="sectionedit9" id="groups">Groups</h3>
<div class="level3">
<ul>
......@@ -224,7 +225,7 @@ And the mail filter is:
</ul>
</div>
<!-- EDIT9 SECTION "Groups" [3591-4425] -->
<!-- EDIT9 SECTION "Groups" [3711-4545] -->
<h3 class="sectionedit10" id="password">Password</h3>
<div class="level3">
<ul>
......@@ -258,6 +259,6 @@ And the mail filter is:
</p>
</div>
<!-- EDIT10 SECTION "Password" [4426-] --></div>
<!-- EDIT10 SECTION "Password" [4546-] --></div>
</body>
</html>
......@@ -117,7 +117,7 @@ Then you just have to set REST <abbr title="Uniform Resource Locator">URL</abbr>
<div class="level2">
<p>
REST web services just have to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”).
REST web services have just to respond with a “result” key in a JSON file. Auth/UserDB can add an “info” array that will be stored in session data (without reading “Exported variables”).
</p>
<div class="table sectionedit7"><table class="inline table table-bordered table-striped">
<thead>
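Review bot: the word-order change from "just have to respond" to "have just to respond" makes the sentence worse, not better; revert it. While here, "a “result” key in a JSON file" should be "a “result” key in the JSON response", since the service returns a document, not a file.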
......
......@@ -223,7 +223,7 @@ For example, to preselect this IDP for users coming from 129.168.0.0/16 network
</li>
<li class="level1"><div class="li"> <strong>Allow login from IDP</strong>: allow a user to connect directly from an IDP link. In this case, authentication is not a response to an issued authentication request, and we have less control on conditions.</div>
</li>
<li class="level1"><div class="li"> <strong>Requested authentication context</strong>: this context is declared in authentication request. When receiving the request, the real authentication context will be mapped ton an internal authentication level (see <a href="samlservice.html#authentication_contexts" class="wikilink1" title="documentation:2.0:samlservice">how configure the mapping</a>), that you can check to allow or deny session creation.</div>
<li class="level1"><div class="li"> <strong>Requested authentication context</strong>: this context is declared in authentication request. When receiving the request, the real authentication context will be mapped to an internal authentication level (see <a href="samlservice.html#authentication_contexts" class="wikilink1" title="documentation:2.0:samlservice">how configure the mapping</a>), that you can check to allow or deny session creation.</div>
</li>
<li class="level1"><div class="li"> <strong>Allow <abbr title="Uniform Resource Locator">URL</abbr> as RelayState</strong>: Set to On if the RelayState value sent by IDP is the <abbr title="Uniform Resource Locator">URL</abbr> where the user must be redirected after authentication.</div>
</li>
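Review bot: good catch on "ton an" → "to an"; the same line still has "see how configure the mapping", which should read "see how to configure the mapping", and the preceding list item has "we have less control on conditions" (should be "over conditions"). Fixing them in the same hunk avoids another export round-trip.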
......@@ -240,6 +240,8 @@ For example, to preselect this IDP for users coming from 129.168.0.0/16 network
</li>
<li class="level1"><div class="li"> <strong>Store <abbr title="Security Assertion Markup Language">SAML</abbr> Token</strong>: allows one to keep <abbr title="Security Assertion Markup Language">SAML</abbr> token (assertion) inside user session. Don&#039;t enable it unless you need to replay this token on an application.</div>
</li>
<li class="level1"><div class="li"> <strong>Attribute containing user identifier</strong>: set the value of <abbr title="Security Assertion Markup Language">SAML</abbr> attribute (“Name”) that should be used as user main identifier ($user). If empty, the NameID content is used.</div>
</li>
</ul>
</div>
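Review bot: the new "Attribute containing user identifier" option changes what `$user` is built from, so the text should state the failure behaviour: when the configured attribute is absent from the assertion (or multi-valued), does the portal fall back to the NameID, take the first value, or reject the login? A silent fallback to a different identifier source is the kind of detail an integrator needs to know before relying on this attribute for authorization rules.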
......
......@@ -48,16 +48,16 @@
<div class="level1">
<p>
Auto-Signin add-on provides a simple way to bypass authentication based on rules. For example, a TV can be automatically authenticated by its <abbr title="Internet Protocol">IP</abbr> address.
Auto-Signin add-on provides an easy way to bypass authentication process based on rules. For example, a TV can be automatically authenticated by its <abbr title="Internet Protocol">IP</abbr> address.
</p>
</div>
<!-- EDIT1 SECTION "Auto Signin Addon" [1-188] -->
<!-- EDIT1 SECTION "Auto Signin Addon" [1-195] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
<p>
This add-on is automatically enabled if a rule is declared. A rule links username to a rule. The only usable variable here is <code>$env</code>. Example:
This add-on is automatically enabled if a rule is declared. A rule links rule to a username. The only usable variable here is <code>$env</code>. Example:
</p>
<div class="table sectionedit3"><table class="inline table table-bordered table-striped">
<thead>
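Review bot: "A rule links rule to a username" is as confusing as the original "links username to a rule"; suggest "Each entry maps a username to a rule (a condition on $env); when the rule matches, the user is signed in without authenticating." In the first paragraph, "bypass authentication process based on rules" should be "bypass the authentication process based on rules".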
......@@ -69,9 +69,9 @@ This add-on is automatically enabled if a rule is declared. A rule links usernam
<td class="col0"> dwho </td><td class="col1"> $env→{REMOTE_ADDR} == &#039;192.168.42.42&#039; </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [362-437] --><div class="noteimportant">Username must be defined in the user database.
<!-- EDIT3 TABLE [369-444] --><div class="noteimportant">Username must be defined in the user database.
</div>
</div>
<!-- EDIT2 SECTION "Configuration" [189-] --></div>
<!-- EDIT2 SECTION "Configuration" [196-] --></div>
</body>
</html>
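Review bot: the example rule in the context line, `$env→{REMOTE_ADDR} == '192.168.42.42'`, uses Perl's numeric comparison on strings; both sides numify to `192.168` (parsing stops at the second dot), so the rule would also be true for 192.168.0.1 or any other 192.168.x.y address and would sign in dwho from every host on that network. For an auto-signin rule that replaces authentication this must be the string operator: `$env->{REMOTE_ADDR} eq '192.168.42.42'`. Also render the arrow as `->` rather than `→` so the example can be pasted as-is.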
......@@ -74,7 +74,7 @@
<div class="level2">
<p>
Browseable session backend (<a href="http://search.cpan.org/perldoc?Apache::Session::Browseable" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session::Browseable" rel="nofollow">Apache::Session::Browseable</a>) works exactly like Apache::Session::* corresponding module but add index that increase <a href="documentation/features.html#session_explorer" class="wikilink1" title="documentation:features">session explorer</a> and <a href="documentation/features.html#session_restrictions" class="wikilink1" title="documentation:features">session restrictions</a> performances.
Browseable session backend (<a href="https://metacpan.org/pod/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/pod/Apache::Session::Browseable" rel="nofollow">Apache::Session::Browseable</a>) works exactly like Apache::Session::* corresponding module but add index that increase <a href="documentation/features.html#session_explorer" class="wikilink1" title="documentation:features">session explorer</a> and <a href="documentation/features.html#session_restrictions" class="wikilink1" title="documentation:features">session restrictions</a> performances.
</p>
<p>
......@@ -104,7 +104,7 @@ The following table list fields to index depending on the feature you want to in
<td class="col0"> Session restrictions </td><td class="col1 centeralign"> _session_kind ipAddr <em>WHATTOTRACE</em> </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [877-1168] -->
<!-- EDIT3 TABLE [871-1162] -->
<p>
See Apache::Session::Browseable::* man page to see how use indexes.
</p>
......@@ -113,7 +113,7 @@ See Apache::Session::Browseable::* man page to see how use indexes.
</div><div class="noteclassic">Documentation below explains how set index on ipAddr and _whatToTrace. Adapt it to configure the index you need.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [43-1691] -->
<!-- EDIT2 SECTION "Presentation" [43-1685] -->
<h2 class="sectionedit4" id="browseable_nosql">Browseable NoSQL</h2>
<div class="level2">
......@@ -140,15 +140,15 @@ You then just have to add the <code>Index</code> parameter in <code>General par
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr </td>
</tr>
</table></div>
<!-- EDIT5 TABLE [1979-2136] -->
<!-- EDIT5 TABLE [1973-2130] -->
</div>
<!-- EDIT4 SECTION "Browseable NoSQL" [1692-2137] -->
<!-- EDIT4 SECTION "Browseable NoSQL" [1686-2131] -->
<h2 class="sectionedit6" id="browseable_sql">Browseable SQL</h2>
<div class="level2">
<div class="noteclassic">This documentation concerns PostgreSQL. Some adaptations are needed with other databases.
</div>
</div>
<!-- EDIT6 SECTION "Browseable SQL" [2138-2269] -->
<!-- EDIT6 SECTION "Browseable SQL" [2132-2263] -->
<h3 class="sectionedit7" id="prepare_database">Prepare database</h3>
<div class="level3">
......@@ -163,6 +163,7 @@ Database must be prepared exactly like in <a href="sqlsessionbackend.html#prepar
_whatToTrace text<span class="sy0">,</span>
_session_kind text<span class="sy0">,</span>
_utime <span class="kw1">BIGINT</span><span class="sy0">,</span>
<span class="kw1">USER</span> text<span class="sy0">,</span>
ipAddr text
<span class="br0">&#41;</span>;
<span class="kw1">CREATE</span> <span class="kw1">INDEX</span> uid1 <span class="kw1">ON</span> sessions <span class="kw1">USING</span> BTREE <span class="br0">&#40;</span>_whatToTrace<span class="br0">&#41;</span>;
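Review bot: the added column `USER text` will not work in PostgreSQL, which is the database this section documents: `user` is a reserved keyword there, so `CREATE TABLE sessions (... USER text, ...)` fails with a syntax error unless the name is quoted (`"user" text`) or the column is renamed. The syntax highlighter already tagged it as a keyword. Also, the Manager tables further down still list `Index` as `_whatToTrace ipAddr` or `_whatToTrace ipAddr _session_kind _utime` without `user`; if the new column is meant to be filled and queried, those Index values (and the `CREATE INDEX` statements) should be updated together with the schema.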
......@@ -177,12 +178,12 @@ Database must be prepared exactly like in <a href="sqlsessionbackend.html#prepar
<div class="notetip">With new Apache::Session::Browseable::<strong>PgHstore</strong> and <strong>PgJSON</strong>, you don&#039;t need to declare indexes in <code>CREATE TABLE</code> since “json” and “hstore” type are browseable. You should anyway add some indexes <em>(see manpage)</em>.
</div>
</div>
<!-- EDIT7 SECTION "Prepare database" [2270-3479] -->
<!-- EDIT7 SECTION "Prepare database" [2264-3488] -->
<h3 class="sectionedit8" id="manager">Manager</h3>
<div class="level3">
<p>
Go in the Manager and set the session module (<a href="http://search.cpan.org/perldoc?Apache::Session::Browseable::MySQL" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session::Browseable::MySQL" rel="nofollow">Apache::Session::Browseable::MySQL</a> for MySQL) in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> and add the following parameters (case sensitive):
Go in the Manager and set the session module (<a href="https://metacpan.org/pod/Apache::Session::Browseable::MySQL" class="urlextern" title="https://metacpan.org/pod/Apache::Session::Browseable::MySQL" rel="nofollow">Apache::Session::Browseable::MySQL</a> for MySQL) in <code>General parameters</code> » <code>Sessions</code> » <code>Session storage</code> » <code>Apache::Session module</code> and add the following parameters (case sensitive):
</p>
<div class="table sectionedit9"><table class="inline table table-bordered table-striped">
<thead>
......@@ -194,7 +195,7 @@ Go in the Manager and set the session module (<a href="http://search.cpan.org/pe
</tr>
</thead>
<tr class="row2 roweven">
<td class="col0 centeralign"> <strong>DataSource</strong> </td><td class="col1"> The <a href="http://search.cpan.org/perldoc?DBI" class="urlextern" title="http://search.cpan.org/perldoc?DBI" rel="nofollow">DBI</a> string </td><td class="col2"> dbi:Pg:database=sessions </td>
<td class="col0 centeralign"> <strong>DataSource</strong> </td><td class="col1"> The <a href="https://metacpan.org/pod/DBI" class="urlextern" title="https://metacpan.org/pod/DBI" rel="nofollow">DBI</a> string </td><td class="col2"> dbi:Pg:database=sessions </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> <strong>UserName</strong> </td><td class="col1"> The database username </td><td class="col2"> lemonldapng </td>
......@@ -206,14 +207,14 @@ Go in the Manager and set the session module (<a href="http://search.cpan.org/pe
<td class="col0 centeralign"> <strong>Index</strong> </td><td class="col1"> Index </td><td class="col2"> _whatToTrace ipAddr _session_kind _utime </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [3808-4159] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<!-- EDIT9 TABLE [3811-4156] --><div class="notetip">Apache::Session::Browseable::MySQL doesn&#039;t use locks so performances are keeped.
<p>
For databases like PostgreSQL, don&#039;t forget to add “Commit” with a value of 1
</p>
</div>
</div>
<!-- EDIT8 SECTION "Manager" [3480-4338] -->
<!-- EDIT8 SECTION "Manager" [3489-4335] -->
<h2 class="sectionedit10" id="browseable_ldap">Browseable LDAP</h2>
<div class="level2">
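Review bot: the tip in the context lines, "performances are keeped", should read "performance is kept"; since this hunk already rewrites the surrounding line it is a cheap fix to include.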
......@@ -267,9 +268,9 @@ You need to add the <code>Index</code> field and can also configure the <code>ld
<td class="col0 centeralign"> <strong>ldapAttributeIndex</strong> </td><td class="col1"> Attribute storing index </td><td class="col2"> ou </td>
</tr>
</table></div>
<!-- EDIT11 TABLE [4690-5424] -->
<!-- EDIT11 TABLE [4687-5421] -->
</div>
<!-- EDIT10 SECTION "Browseable LDAP" [4339-5425] -->
<!-- EDIT10 SECTION "Browseable LDAP" [4336-5422] -->
<h2 class="sectionedit12" id="security">Security</h2>
<div class="level2">
......@@ -282,7 +283,7 @@ You can also use different user/password for your servers by overriding paramete
</p>
</div>
<!-- EDIT12 SECTION "Security" [5426-5645] -->
<!-- EDIT12 SECTION "Security" [5423-5642] -->
<h2 class="sectionedit13" id="performances">Performances</h2>
<div class="level2">
......@@ -299,6 +300,7 @@ Here are some recommended configurations:
_whatToTrace text<span class="sy0">,</span>
_session_kind text<span class="sy0">,</span>
_utime <span class="kw1">BIGINT</span><span class="sy0">,</span>
<span class="kw1">USER</span> text<span class="sy0">,</span>
ipAddr <span class="kw1">VARCHAR</span><span class="br0">&#40;</span><span class="nu0">64</span><span class="br0">&#41;</span>
<span class="br0">&#41;</span>;
<span class="kw1">CREATE</span> <span class="kw1">INDEX</span> uid1 <span class="kw1">ON</span> sessions <span class="kw1">USING</span> BTREE <span class="br0">&#40;</span>_whatToTrace text_pattern_ops<span class="br0">&#41;</span>;
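Review bot: same problem as in the "Prepare database" hunk: this is the PostgreSQL recommended configuration (`text_pattern_ops` is Postgres-only) and `USER` is a reserved word there, so this `CREATE TABLE` will fail as written. Quote it as `"user" text` or choose a non-reserved name, and keep the naming consistent between the two PostgreSQL examples and the MySQL one.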
......@@ -314,6 +316,7 @@ Here are some recommended configurations:
a_session text<span class="sy0">,</span>
_whatToTrace <span class="kw1">VARCHAR</span><span class="br0">&#40;</span><span class="nu0">64</span><span class="br0">&#41;</span><span class="sy0">,</span>
_session_kind <span class="kw1">VARCHAR</span><span class="br0">&#40;</span><span class="nu0">15</span><span class="br0">&#41;</span><span class="sy0">,</span>
<span class="kw1">USER</span> text<span class="sy0">,</span>
_utime <span class="kw1">BIGINT</span>
<span class="br0">&#41;</span>;
<span class="kw1">CREATE</span> <span class="kw1">INDEX</span> uid1 <span class="kw1">ON</span> sessions <span class="br0">&#40;</span>_whatToTrace<span class="br0">&#41;</span> <span class="kw1">USING</span> BTREE;
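Review bot: in this MySQL/MariaDB example `USER` is accepted as an unquoted identifier, so the statement runs, but uppercase `USER` next to the lowercase `ipAddr`/`_utime` columns is inconsistent with the other examples and will be compared against the `Index` parameter by name; use the same casing as in the Index list (and backticks if you keep the name) so the column is actually matched. Also, here the column is placed before `_utime` while the PostgreSQL examples put it after it; pick one order.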
......@@ -322,6 +325,6 @@ Here are some recommended configurations:
<span class="kw1">CREATE</span> <span class="kw1">INDEX</span> ip1 <span class="kw1">ON</span> sessions <span class="br0">&#40;</span>ipAddr<span class="br0">&#41;</span> <span class="kw1">USING</span> BTREE;</pre>
</div>
<!-- EDIT13 SECTION "Performances" [5646-] --></div>
<!-- EDIT13 SECTION "Performances" [5643-] --></div>
</body>
</html>
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:bruteforceprotection</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,bruteforceprotection"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="bruteforceprotection.html"/>
<link rel="contents" href="bruteforceprotection.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:bruteforceprotection","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<p>
bruteForceProtection plugin prevents brute force attack. Plugin DISABLED by default.
</p>
<p>
After three failed login attempts, user must wait (30 seconds by default) before try to log in again.
</p>
<p>
The aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user. If it is disabled, automated tools may submit thousands of password attempts in a matter of seconds.
</p>
<h2 class="sectionedit1" id="configuration">Configuration</h2>
<div class="level2">
<p>
To enable Brute Force Attack protection :
</p>
<p>
Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Security</code> » <code>Brute-force attack protection</code> and set to <code>On</code>.
</p>
<p>
To modify waiting time (30 seconds by default) before reAuthentication and MaxAge between current and last stored failed login (300 seconds by default) edit <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">bruteForceProtectionTempo</span> <span class="sy0">=</span><span class="re2"> 30</span>
<span class="re1">bruteForceProtectionMaxAge</span> <span class="sy0">=</span><span class="re2"> 300</span></pre>
</div>
<!-- EDIT1 SECTION "Configuration" [414-] --></div>
</body>
</html>
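Review bot: a few points on the new bruteforceprotection.html page. The description "MaxAge between current and last stored failed login (300 seconds by default)" is hard to follow; suggest stating it as "failed attempts older than bruteForceProtectionMaxAge seconds are no longer counted", and "before try to log in again" should be "before trying to log in again". The text says "after three failed login attempts" but the ini excerpt only shows the two tempo/max-age keys, so say whether the attempt threshold is fixed or configurable. Since the delay is tied to the account being attacked, the page should also mention that a legitimate user is delayed as well, so administrators know what an unlock looks like and can plan complementary per-source rate limiting. In the head template, the `useexternallibs` branch loads jQuery and jQuery UI over plain `http://code.jquery.com/...`; that is mixed content on an https site and lets the script be tampered with in transit, so use https (and ideally an integrity attribute), and the bootstrap line in that branch ends with a stray `</script>` after a `<link>` element.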
......@@ -57,6 +57,7 @@
<li class="level1"><div class="li"><a href="#register_an_saml_service_provider">Register an SAML Service Provider</a></div></li>
<li class="level1"><div class="li"><a href="#configure_openid_connect_identity_provider">Configure OpenID Connect Identity Provider</a></div></li>
<li class="level1"><div class="li"><a href="#register_an_openid_connect_relying_party">Register an OpenID Connect Relying Party</a></div></li>
<li class="level1"><div class="li"><a href="#categories_and_applications_in_menu">Categories and applications in menu</a></div></li>
</ul>
</div>
</div>
......@@ -339,6 +340,25 @@ In this example we have:
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
</div>
<!-- EDIT9 SECTION "Register an OpenID Connect Relying Party" [7670-] --></div>
<!-- EDIT9 SECTION "Register an OpenID Connect Relying Party" [7670-9177] -->
<h2 class="sectionedit10" id="categories_and_applications_in_menu">Categories and applications in menu</h2>
<div class="level2">
<p>
Create the category “applications”:
```
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/applications type category applicationList/applications catname Applications
```
</p>
<p>
Create the application “sample” inside category “applications”:
```
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli addKey applicationList/icons/kmultiple.png” applicationList/applications/sample/options name “Sample application” applicationList/applications/sample/options uri “<a href="https://sample.example.com/" class="urlextern" title="https://sample.example.com/" rel="nofollow">https://sample.example.com/</a>
```
</p>
</div>
<!-- EDIT10 SECTION "Categories and applications in menu" [9178-] --></div>
</body>
</html>
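Review bot: the two commands in this new section are broken. They are wrapped in markdown ``` fences inside `<p>` elements, which DokuWiki's HTML export renders literally; use `<pre class="code">` as the previous section's lemonldap-ng-cli example does. The second command is truncated: it starts with `addKey applicationList/icons/kmultiple.png”`, so the key/subkey before the logo value (presumably the `applicationList/applications/sample/options logo` pair) has been lost, and the typographic quotes “ ” will not be treated as quoting by the shell, so "Sample application" would be split into two arguments; use ASCII double quotes and close the final one after the URL. Both commands also omit the `-yes 1` flag used in the example just above, so the reader will be prompted for confirmation; be consistent.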
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:configlocation</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,configlocation"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="configlocation.html"/>
......@@ -706,6 +706,10 @@ Then, to protect a standard virtual host, you must insert this (or create an inc
After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in Manager, <code>General Parameters</code> &gt; <code>reload configuration URLs</code>: keys are server names or <abbr title="Internet Protocol">IP</abbr> the requests will be sent to, and values are the requested URLs.
</p>
<p>
You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
</p>
<p>
These parameters can be overwritten in LemonLDAP::NG ini file, in the section <code>apply</code>.
</p>
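Review bot: typo in the new paragraph: "it is be default set to 5 seconds" should read "it is by default set to 5 seconds". The paragraph also refers to "a parameter" without giving its technical name; since the next paragraph tells the reader these parameters can be overwritten in the `apply` section of the ini file, naming the key (or linking to the parameter list page) would make the paragraph actionable.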
......@@ -717,8 +721,24 @@ The <code>reload</code> target is managed in Apache or Nginx configuration, insi
<div class="noteimportant">You must allow access to declared URLs to your Manager <abbr title="Internet Protocol">IP</abbr>.
</div><div class="noteimportant">If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include <code>handler-nginx.conf</code> or <code>handler-apache2.conf</code> for example
</div>
<p>
Practical use case: configure reload in a <abbr title="LemonLDAP::NG">LL::NG</abbr> cluster. In this case you will have two servers (with <abbr title="Internet Protocol">IP</abbr> 1.1.1.1 and 1.1.1.2), but you can keep only one reload <abbr title="Uniform Resource Locator">URL</abbr> (reload.example.com):
</p>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
reloadUrls &#039;1.1.1.1&#039; &#039;http://reload.example.com/reload&#039; \
reloadUrls &#039;1.1.1.2&#039; &#039;http://reload.example.com/reload&#039;</pre>
<p>
You also need to adjust the protection of the reload vhost, for example:
</p>
<pre class="code file apache"> &lt;<span class="kw3">Location</span> /reload&gt;
<span class="kw1">Require</span> ip <span class="nu0">127</span> ::<span class="nu0">1</span> 1.1.1.1 1.1.1.2
<span class="kw1">SetHandler</span> perl-<span class="kw1">script</span>
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2-&gt;reload
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT14 SECTION "Configuration reload" [17740-19253] -->
<!-- EDIT14 SECTION "Configuration reload" [17740-20023] -->
<h2 class="sectionedit15" id="local_file">Local file</h2>
<div class="level2">
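Review bot: the cluster example uses 1.1.1.1 and 1.1.1.2 as the cluster nodes' addresses in both the `reloadUrls` keys and the `Require ip 127 ::1 1.1.1.1 1.1.1.2` line; these are routable public addresses, so a reader who copies the Apache block verbatim grants reload access to hosts they do not control. The documentation-reserved range 192.0.2.0/24 (RFC 5737) or a private range would be a safer placeholder in both places. It is also worth stating next to the example that the reload endpoint shown is protected only by source address and is requested over plain `http://`, so the reload vhost should not be reachable from outside the cluster network.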
......@@ -752,6 +772,6 @@ For example, to override configured skin for portal:
<div class="notetip">You need to know the technical name of configuration parameter to do this. You can refer to <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">parameter list</a> to find it.
</div>
</div>
<!-- EDIT15 SECTION "Local file" [19254-] --></div>
<!-- EDIT15 SECTION "Local file" [20024-] --></div>
</body>
</html>
......@@ -92,10 +92,10 @@ To protect a virtual host in Apache, the LemonLDAP::NG Handler must be activated
<p>
Then you can take any virtual host, and simply add this line to protect it:
</p>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler</pre>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2</pre>
</div>
<!-- EDIT2 SECTION "Apache configuration" [207-530] -->
<!-- EDIT2 SECTION "Apache configuration" [207-541] -->
<h3 class="sectionedit3" id="hosted_application">Hosted application</h3>
<div class="level3">
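Review bot: the directive becomes `PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2`, but the sentence above it still says only that "the LemonLDAP::NG Handler must be activated" without naming the module; a short note that the Apache mod_perl handler is the `ApacheMP2` package would help readers migrating from examples that still use the bare `Lemonldap::NG::Handler`. Since the same rename is repeated in every vhost sample below, a grep of the whole documentation tree for `PerlHeaderParserHandler Lemonldap::NG::Handler` without the `::ApacheMP2` suffix would catch any sample this commit missed.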
......@@ -105,7 +105,7 @@ Example of a protected virtual host for a local application:
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> localsite.example.com
&nbsp;
PerlHeaderParserHandler Lemonldap::NG::Handler
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
&nbsp;
<span class="kw1">DocumentRoot</span> /var/www/localsite
&nbsp;
......@@ -115,7 +115,7 @@ Example of a protected virtual host for a local application:
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
</div>
<!-- EDIT3 SECTION "Hosted application" [531-938] -->
<!-- EDIT3 SECTION "Hosted application" [542-960] -->
<h3 class="sectionedit4" id="reverse_proxy">Reverse proxy</h3>
<div class="level3">
......@@ -125,7 +125,7 @@ Example of a protected virtual host with LemonLDAP::NG as reverse proxy:
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> application.example.com
&nbsp;
PerlHeaderParserHandler Lemonldap::NG::Handler
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
&nbsp;
<span class="co1"># Reverse-Proxy</span>
<span class="kw1">ProxyPass</span> / http://private-name/
......@@ -144,7 +144,7 @@ Same with remote server configured with the same host name:
<pre class="code file apache">&lt;<span class="kw3">VirtualHost</span> *:<span class="nu0">80</span>&gt;
<span class="kw1">ServerName</span> application.example.com
&nbsp;
PerlHeaderParserHandler Lemonldap::NG::Handler
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2
&nbsp;
<span class="co1"># Reverse-Proxy</span>
<span class="kw1">ProxyPass</span> / http://APPLICATION_IP/
......@@ -160,7 +160,7 @@ To learn more about using Apache as reverse-proxy, see <a href="http://httpd.apa
</div><div class="notetip">Some applications need the <code>REMOTE_USER</code> environment variable to get the connected user, which is not set in reverse-proxy mode. In this case, see <a href="header_remote_user_conversion.html" class="wikilink1" title="documentation:2.0:header_remote_user_conversion">how convert header into environment variable</a>.
</div>
</div>
<!-- EDIT4 SECTION "Reverse proxy" [939-2531] -->
<!-- EDIT4 SECTION "Reverse proxy" [961-2575] -->
<h3 class="sectionedit5" id="add_a_floating_menu">Add a floating menu</h3>
<div class="level3">
......@@ -168,18 +168,18 @@ To learn more about using Apache as reverse-proxy, see <a href="http://httpd.apa
A little floating menu can be added to application with this simple Apache configuration:
</p>
<pre class="code file apache">PerlModule Lemonldap::NG::Handler::Menu
PerlOutputFilterHandler Lemonldap::NG::Handler::Menu-&gt;run</pre>
PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu-&gt;run</pre>
<p>
Pages where this menu is displayed can be restricted, for example:
</p>
<pre class="code file apache">&lt;<span class="kw3">Location</span> /var/www/html/index.php&gt;
PerlOutputFilterHandler Lemonldap::NG::Handler::Menu-&gt;run
PerlOutputFilterHandler Lemonldap::NG::Handler::ApacheMP2::Menu-&gt;run
&lt;/<span class="kw3">Location</span>&gt;</pre>
<div class="noteimportant">You need to disable mod_deflate to use the floating menu
</div>
</div>
<!-- EDIT5 SECTION "Add a floating menu" [2532-3048] -->
<!-- EDIT5 SECTION "Add a floating menu" [2576-3114] -->
<h2 class="sectionedit6" id="nginx_configuration">Nginx configuration</h2>
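Review bot: both `PerlOutputFilterHandler` lines now reference `Lemonldap::NG::Handler::ApacheMP2::Menu->run`, but the unchanged `PerlModule Lemonldap::NG::Handler::Menu` line in the first sample still preloads the old package name, so the sample loads one module and invokes another; it should be updated to `PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu` in the same commit. Separately, `<Location /var/www/html/index.php>` in the second sample uses a filesystem path, whereas Apache's `Location` container matches the request URL path; `<Location /index.php>` (or a `<Files>`/`<Directory>` container for the filesystem path) would restrict the menu as the surrounding text intends.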