When installing LL::NG, the Manager can only be accessed with the demo account dwho. This How To explains how to change this default behavior to protect the Manager with other rules.
The configuration can be changed in etc/manager-apache2.conf, for example to restrict the IP addresses allowed to access the Manager:
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8 192.168.100.0/32
    Options +ExecCGI
</Directory>
You will probably prefer to use an Apache authentication module, for example the LDAP authentication module:
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
    AuthzLDAPAuthoritative On
    AuthName "LL::NG Manager"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindDN "ou=websso,ou=applications,dc=example,dc=com"
    AuthLDAPBindPassword "secret"
    AuthLDAPURL ldap://localhost:389/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS
    Require ldap-user coudot xguimard tchemineau
    Options +ExecCGI
</Directory>
[manager]
;protection = manager
By default, a manager virtual host is defined in the configuration. If not, go to the Manager and declare the Manager as a new virtual host, for example manager.example.com. You can then set the access rule. No headers are needed.
The default rule is:
$uid eq "dwho"
You have to change it to match your admin user (or use other conditions like group membership, or any other rule based on a session variable).
Save the configuration and exit the Manager.
Enable protection on the Manager by editing lemonldap-ng.ini:
[manager]
protection = manager
You can also adapt Apache access control:
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
    Order deny,allow
    Allow from all
    Options +ExecCGI
</Directory>
Restart Apache and try to log in to the Manager. You should be redirected to the LL::NG Portal.
You can then add the Manager as an application in the menu.
lemonldap-ng.ini. Add an Apache access control to avoid other access.
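The two protection layers described above have to be changed together: commenting out protection in lemonldap-ng.ini while the Apache block says Allow from all leaves the Manager open. The following audit is an added example, not part of the LL::NG documentation or code; the function names, the constructed sample strings and the treatment of a protection value of none as disabled are assumptions, and the Apache check is a line-based heuristic covering only the directives shown on this page.

```python
import configparser
import re

MANAGER_DIR = "/usr/local/lemonldap-ng/htdocs/manager"  # path used on this page

def llng_protection(ini_text):
    """Return the active [manager] protection value, or None when it is
    unset or commented out with ';' (the Apache-only setup)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    value = cp.get("manager", "protection", fallback="").strip()
    # Assumption: a value of 'none' is treated as "protection disabled".
    return None if value.lower() in ("", "none") else value

def apache_restricts(conf_text, directory=MANAGER_DIR):
    """True when the <Directory> block carries 'Deny from all' or an
    authorization 'Require' other than 'Require all granted'."""
    pat = r"<Directory\s+%s/?\s*>(.*?)</Directory>" % re.escape(directory)
    block = re.search(pat, conf_text, re.S | re.I)
    if not block:
        return False
    for line in block.group(1).splitlines():
        low = line.split("#")[0].lower().split()
        if low[:3] == ["deny", "from", "all"]:
            return True
        if low[:1] == ["require"] and low[1:3] != ["all", "granted"]:
            return True
    return False

def audit(ini_text, conf_text):
    """Name the layer(s) guarding the Manager, or 'UNPROTECTED'."""
    layers = []
    if llng_protection(ini_text):
        layers.append("llng")
    if apache_restricts(conf_text):
        layers.append("apache")
    return "+".join(layers) or "UNPROTECTED"

# Constructed sample inputs, modelled on the snippets on this page.
INI_ON = "[manager]\nprotection = manager\n"
INI_OFF = "[manager]\n;protection = manager\n"
CONF_OPEN = ("<Directory /usr/local/lemonldap-ng/htdocs/manager/>\n"
             "Order deny,allow\nAllow from all\nOptions +ExecCGI\n</Directory>\n")
CONF_IP = CONF_OPEN.replace("Allow from all", "Deny from all\nAllow from 127.0.0.0/8")

if __name__ == "__main__":
    for ini, conf in [(INI_ON, CONF_OPEN), (INI_OFF, CONF_IP), (INI_OFF, CONF_OPEN)]:
        print(audit(ini, conf))
```

Run it against the real lemonldap-ng.ini and etc/manager-apache2.conf contents before restarting Apache; a result of UNPROTECTED means neither layer is in force.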