Commit 2df81aaa authored by Xavier Guimard's avatar Xavier Guimard

Update doc

parent 10f92499
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="applications.html"/>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications:adfs</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,adfs"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="adfs.html"/>
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=378132ea54accc5c67c7c9ceda71bf59" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=62a29c35a267f658799e362598e991b4" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1489508242" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1490850178" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=378132ea54accc5c67c7c9ceda71bf59" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=62a29c35a267f658799e362598e991b4" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1489508242" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1490850178" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authcombination</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,authcombination"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authcombination.html"/>
......@@ -60,6 +60,8 @@
<li class="level3"><div class="li"><a href="#let_s_be_crazy">Let&#039;s be crazy</a></div></li>
</ul>
</li>
<li class="level2"><div class="li"><a href="#combine_second_factor">Combine second factor</a></div></li>
<li class="level2"><div class="li"><a href="#display_multiple_forms">Display multiple forms</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#known_problems">Known problems</a></div>
......@@ -268,18 +270,54 @@ The following rule is valid:
</div>
<!-- EDIT7 SECTION "Rule chain" [1304-3610] -->
<h2 class="sectionedit11" id="known_problems">Known problems</h2>
<h3 class="sectionedit11" id="combine_second_factor">Combine second factor</h3>
<div class="level3">
<p>
Imagine you want to authenticate users either by SSL or LDAP+U2F, you can&#039;t directly write this rule: this is done in 2 steps:
</p>
<ul>
<li class="level1"><div class="li"> use this combination rule: <code>[SSL,LDAP] or [LDAP]</code></div>
</li>
<li class="level1"><div class="li"> enable U2F with this rule: <code>$_auth eq “LDAP”</code> or <code>$_authenticationLevel &lt; 4</code> <em>(and adapt U2F authentication level)</em></div>
</li>
</ul>
<p>
Now if you want to authenticate users either by LDAP or LDAP+U2F <em>(to have 2 different authentication level)</em>, 2 possibilities:
</p>
<ul>
<li class="level1"><div class="li"> configure 2 portals and overwrite U2F activation in the second</div>
</li>
<li class="level1"><div class="li"> Modify login template to propose the choice <em>(add a “submit” button that points to the second portal)</em></div>
</li>
</ul>
</div>
<!-- EDIT11 SECTION "Combine second factor" [3611-4260] -->
<h3 class="sectionedit12" id="display_multiple_forms">Display multiple forms</h3>
<div class="level3">
<p>
Combination module returns the form corresponding to the first authentication scheme available for the current request. You can force it to display the forms chosen using <code>combinationForms</code> in lemonldap-ng.ini. Example:
</p>
<pre class="code :ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">combinationForms</span> <span class="sy0">=</span><span class="re2"> standardform, openidform</span></pre>
</div>
<!-- EDIT12 SECTION "Display multiple forms" [4261-4589] -->
<h2 class="sectionedit13" id="known_problems">Known problems</h2>
<div class="level2">
</div>
<!-- EDIT11 SECTION "Known problems" [3611-3638] -->
<h3 class="sectionedit12" id="federation_protocols">Federation protocols</h3>
<!-- EDIT13 SECTION "Known problems" [4590-4617] -->
<h3 class="sectionedit14" id="federation_protocols">Federation protocols</h3>
<div class="level3">
<p>
<a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML</a>, <a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID-Connect</a>, <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS</a> or <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">old OpenID</a> can&#039;t be chained with a “and” for authentication part. So “[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP]” isn&#039;t valid. This is because their authentication kinematic don&#039;t use the same steps.
</p>
<div class="table sectionedit13"><table class="inline table table-bordered table-striped">
<div class="table sectionedit15"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Bad expression </th><th class="col1 centeralign"> Solution </th><th class="col2 centeralign"> Explanation </th>
......@@ -292,10 +330,10 @@ The following rule is valid:
<td class="col0"> <em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em> </td><td class="col1"> <code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code> </td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
</tr>
</table></div>
<!-- EDIT13 TABLE [3938-4270] -->
<!-- EDIT15 TABLE [4917-5249] -->
</div>
<!-- EDIT12 SECTION "Federation protocols" [3639-4271] -->
<h3 class="sectionedit14" id="authapache_authentication">AuthApache authentication</h3>
<!-- EDIT14 SECTION "Federation protocols" [4618-5250] -->
<h3 class="sectionedit16" id="authapache_authentication">AuthApache authentication</h3>
<div class="level3">
<p>
......@@ -311,8 +349,8 @@ To bypass this, follow the documentation of <a href="authapache.html" class="wik
</p>
</div>
<!-- EDIT14 SECTION "AuthApache authentication" [4272-4688] -->
<h3 class="sectionedit15" id="ssl_authentication">SSL authentication</h3>
<!-- EDIT16 SECTION "AuthApache authentication" [5251-5667] -->
<h3 class="sectionedit17" id="ssl_authentication">SSL authentication</h3>
<div class="level3">
<p>
......@@ -320,6 +358,6 @@ To chain SSL, you have to set “SSLRequire optional” in Apache configuration,
</p>
</div>
<!-- EDIT15 SECTION "SSL authentication" [4689-] --></div>
<!-- EDIT17 SECTION "SSL authentication" [5668-] --></div>
</body>
</html>
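Review bot: The U2F activation rule in the new "Combine second factor" section is rendered as `<code>$_auth eq “LDAP”</code>` with typographic quotes, which is not valid Perl if a reader pastes it into a rule; the source markup should escape the quotes so the page emits `$_auth eq "LDAP"`. The same bullet places `or` between two separate code elements, so it is unclear whether one rule, `$_auth eq "LDAP" or $_authenticationLevel < 4`, is meant or two alternative rules; stating which would remove the ambiguity. The second list reuses the curly-quoted “submit” in prose only, which is fine.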
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authopenidconnect</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authopenidconnect"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authopenidconnect.html"/>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authpam</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authpam"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authpam.html"/>
......@@ -217,6 +217,8 @@ Then you can take any virtual host and modify it:
auth_request /lmauth;
auth_request_set $lmremote_user $upstream_http_lm_remote_user;
auth_request_set $lmlocation $upstream_http_location;
auth_request_set $cookie_value $upstream_http_set_cookie;
add_header Set-Cookie $cookie_value;
error_page 401 $lmlocation;
try_files $uri $uri/ =404;
&nbsp;
......@@ -251,7 +253,7 @@ Then you can take any virtual host and modify it:
}</pre>
</div>
<!-- EDIT6 SECTION "Nginx configuration" [3049-4833] -->
<!-- EDIT6 SECTION "Nginx configuration" [3049-4936] -->
<h3 class="sectionedit7" id="hosted_application1">Hosted application</h3>
<div class="level3">
......@@ -310,7 +312,7 @@ server {
}</pre>
</div>
<!-- EDIT7 SECTION "Hosted application" [4834-6463] -->
<!-- EDIT7 SECTION "Hosted application" [4937-6566] -->
<h3 class="sectionedit8" id="reverse_proxy1">Reverse proxy</h3>
<div class="level3">
......@@ -361,7 +363,7 @@ server {
}</pre>
</div>
<!-- EDIT8 SECTION "Reverse proxy" [6464-7758] -->
<!-- EDIT8 SECTION "Reverse proxy" [6567-7861] -->
<h2 class="sectionedit9" id="lemonldapng_configuration">LemonLDAP::NG configuration</h2>
<div class="level2">
......@@ -388,7 +390,7 @@ A virtual host contains:
</ul>
</div>
<!-- EDIT9 SECTION "LemonLDAP::NG configuration" [7759-8246] -->
<!-- EDIT9 SECTION "LemonLDAP::NG configuration" [7862-8349] -->
<h3 class="sectionedit10" id="access_rules_and_http_headers">Access rules and HTTP headers</h3>
<div class="level3">
......@@ -397,7 +399,7 @@ See <strong><a href="writingrulesand_headers.html" class="wikilink1" title="docu
</p>
</div>
<!-- EDIT10 SECTION "Access rules and HTTP headers" [8247-8439] -->
<!-- EDIT10 SECTION "Access rules and HTTP headers" [8350-8542] -->
<h3 class="sectionedit11" id="post_data">POST data</h3>
<div class="level3">
......@@ -406,7 +408,7 @@ See <strong><a href="formreplay.html" class="wikilink1" title="documentation:2.0
</p>
</div>
<!-- EDIT11 SECTION "POST data" [8440-8574] -->
<!-- EDIT11 SECTION "POST data" [8543-8677] -->
<h3 class="sectionedit12" id="options">Options</h3>
<div class="level3">
......@@ -427,6 +429,6 @@ These options are used to build redirection <abbr title="Uniform Resource Locato
</p>
</div>
<!-- EDIT12 SECTION "Options" [8575-] --></div>
<!-- EDIT12 SECTION "Options" [8678-] --></div>
</body>
</html>
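Review bot: The variable added in `auth_request_set $cookie_value $upstream_http_set_cookie;` sits in nginx's built-in `$cookie_<name>` namespace, where `$cookie_value` normally denotes the request cookie named `value`; even if `auth_request_set` takes precedence here, the name invites confusion, and the neighbouring lines already use an `$lm` prefix (`$lmremote_user`, `$lmlocation`). Suggest `auth_request_set $lmcookie $upstream_http_set_cookie;` and `add_header Set-Cookie $lmcookie;`. The snippet also assumes the handler emits a single Set-Cookie header; whether `$upstream_http_set_cookie` carries several cookies depends on the nginx version, so a sentence warning readers to verify this with their version would help. The enclosing configuration block starts before and ends after this hunk.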
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:customfunctions</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,customfunctions"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="customfunctions.html"/>
......@@ -86,30 +86,21 @@ Create your Perl module with custom functions. You can name your module as you w
<pre class="code file perl"><a href="http://perldoc.perl.org/functions/package.html"><span class="kw3">package</span></a> SSOExtensions<span class="sy0">;</span>
&nbsp;
<span class="kw2">sub</span> function1 <span class="br0">&#123;</span>
<span class="kw1">my</span> <span class="re0">$url</span> <span class="sy0">=</span> <a href="http://perldoc.perl.org/functions/shift.html"><span class="kw3">shift</span></a><span class="sy0">;</span>
<span class="kw1">my</span> <span class="re0">$param</span> <span class="sy0">=</span> <a href="http://perldoc.perl.org/functions/shift.html"><span class="kw3">shift</span></a><span class="sy0">;</span>
<span class="kw1">my</span> <span class="br0">&#40;</span><span class="re0">@args</span><span class="br0">&#41;</span> <span class="sy0">=</span> <span class="co5">@_</span><span class="sy0">;</span>
&nbsp;
<span class="co1"># Your nice code here</span>
&nbsp;
<a href="http://perldoc.perl.org/functions/return.html"><span class="kw3">return</span></a> <span class="re0">$param</span><span class="sy0">;</span>
<a href="http://perldoc.perl.org/functions/return.html"><span class="kw3">return</span></a> <span class="re0">$result</span><span class="sy0">;</span>
<span class="br0">&#125;</span>
&nbsp;
<span class="nu0">1</span><span class="sy0">;</span></pre>
<div class="notetip">First parameter passed to the custom function is the requested <abbr title="Uniform Resource Locator">URL</abbr>, that is<ul>
<li class="level1"><div class="li"> <strong>portal full <abbr title="Uniform Resource Locator">URL</abbr></strong> if custom function is run by portal (e.g. <a href="https://auth.example.com/" class="urlextern" title="https://auth.example.com/" rel="nofollow">https://auth.example.com/</a>)</div>
</li>
<li class="level1"><div class="li"> <strong>absolute <abbr title="Uniform Resource Locator">URL</abbr></strong> if it is run by handler (e.g. /admin/index.php?param=foo).</div>
</li>
</ul>
</div>
</div>
<!-- EDIT2 SECTION "Write custom functions library" [220-844] -->
<!-- EDIT2 SECTION "Write custom functions library" [220-554] -->
<h2 class="sectionedit3" id="import_custom_functions_in_lemonldapng">Import custom functions in LemonLDAP::NG</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Import custom functions in LemonLDAP::NG" [845-898] -->
<!-- EDIT3 SECTION "Import custom functions in LemonLDAP::NG" [555-608] -->
<h3 class="sectionedit4" id="declare_module_in_handler_server">Declare module in handler server</h3>
<div class="level3">
......@@ -151,7 +142,7 @@ GROUP=www-data
CUSTOM_FUNCTIONS_FILE=/root/SSOExtensions.pm</pre>
</div>
<!-- EDIT4 SECTION "Declare module in handler server" [899-1833] -->
<!-- EDIT4 SECTION "Declare module in handler server" [609-1543] -->
<h3 class="sectionedit5" id="declare_custom_functions">Declare custom functions</h3>
<div class="level3">
......@@ -162,16 +153,16 @@ Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</cod
<div class="noteimportant">If your function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail.
</div>
</div>
<!-- EDIT5 SECTION "Declare custom functions" [1834-2130] -->
<!-- EDIT5 SECTION "Declare custom functions" [1544-1840] -->
<h2 class="sectionedit6" id="use_it">Use it</h2>
<div class="level2">
<p>
You can now use your function in a macro, an header or an access rule, for example:
</p>
<pre class="code">Custom-Header =&gt; function1($uid)</pre>
<pre class="code">Custom-Header =&gt; function1( $uid, $ENV{REMOTE_ADDR} )</pre>
</div>
<!-- EDIT6 SECTION "Use it" [2131-] --></div>
<!-- EDIT6 SECTION "Use it" [1841-] --></div>
</body>
</html>
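Review bot: The revised Perl example ends with `return $result;` but `$result` is never declared or assigned in the function (presumably the new side, since the `$param` declaration it replaced is removed), so under `use strict` the module fails to compile and otherwise returns undef. Suggest declaring it beside the argument list, e.g. `my (@args) = @_; my $result; # Your nice code here: compute $result from @args`, before `return $result;`. With the former tip about the first argument gone, a sentence stating that a custom function receives exactly the arguments the rule passes, as in `function1( $uid, $ENV{REMOTE_ADDR} )`, and should validate them itself would keep the section self-contained.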
......@@ -62,6 +62,7 @@
<li class="level2"><div class="li"><a href="#groupmatch">groupMatch</a></div></li>
<li class="level2"><div class="li"><a href="#encrypt">encrypt</a></div></li>
<li class="level2"><div class="li"><a href="#token">token</a></div></li>
<li class="level2"><div class="li"><a href="#isinnet6">isInNet6</a></div></li>
</ul></li>
</ul>
</div>
......@@ -126,13 +127,19 @@ Inside this jail, you can access to:
</li>
<li class="level2"><div class="li"> <a href="#groupmatch" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">groupMatch</a></div>
</li>
<li class="level2"><div class="li"> <a href="#encrypt" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">encrypt</a></div>
</li>
<li class="level2"><div class="li"> <a href="#token" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">token</a></div>
</li>
<li class="level2"><div class="li"> <a href="#isinnet6" title="documentation:2.0:extendedfunctions ↵" class="wikilink1">isInNet6</a></div>
</li>
</ul>
</li>
</ul>
<div class="notetip">To know more about the jail, check <a href="http://perldoc.perl.org/Safe.html" class="urlextern" title="http://perldoc.perl.org/Safe.html" rel="nofollow">Safe module documentation</a>.
</div>
</div>
<!-- EDIT2 SECTION "Presentation" [35-1192] -->
<!-- EDIT2 SECTION "Presentation" [35-1271] -->
<h2 class="sectionedit3" id="request_information">Request information</h2>
<div class="level2">
......@@ -159,12 +166,12 @@ The following data about the current request are available through functions :
</ul>
</div>
<!-- EDIT3 SECTION "Request information" [1193-1598] -->
<!-- EDIT3 SECTION "Request information" [1272-1677] -->
<h2 class="sectionedit4" id="extended_functions_list">Extended Functions List</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Extended Functions List" [1599-1635] -->
<!-- EDIT4 SECTION "Extended Functions List" [1678-1714] -->
<h3 class="sectionedit5" id="date">date</h3>
<div class="level3">
......@@ -174,7 +181,7 @@ Returns the date, in format YYYYMMDDHHMMSS, local time by default, GMT by callin
<pre class="code">date(1)</pre>
</div>
<!-- EDIT5 SECTION "date" [1636-1755] -->
<!-- EDIT5 SECTION "date" [1715-1834] -->
<h3 class="sectionedit6" id="checklogonhours">checkLogonHours</h3>
<div class="level3">
......@@ -231,7 +238,7 @@ You can modify the default behavior for people without value in ssoLogonHours. I
<pre class="code">checkLogonHours($ssoLogonHours, &#039;&#039;, &#039;&#039;, &#039;1&#039;)</pre>
</div>
<!-- EDIT6 SECTION "checkLogonHours" [1756-3693] -->
<!-- EDIT6 SECTION "checkLogonHours" [1835-3772] -->
<h3 class="sectionedit7" id="checkdate">checkDate</h3>
<div class="level3">
......@@ -263,7 +270,7 @@ Simple usage example:
<pre class="code">checkDate($ssoStartDate, $ssoEndDate)</pre>
</div>
<!-- EDIT7 SECTION "checkDate" [3694-4321] -->
<!-- EDIT7 SECTION "checkDate" [3773-4400] -->
<h3 class="sectionedit8" id="basic">basic</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
......@@ -288,7 +295,7 @@ Simple usage example:
<pre class="code">basic($uid,$_password)</pre>
</div>
<!-- EDIT8 SECTION "basic" [4322-4784] -->
<!-- EDIT8 SECTION "basic" [4401-4863] -->
<h3 class="sectionedit9" id="unicode2iso">unicode2iso</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
......@@ -311,7 +318,7 @@ Simple usage example:
<pre class="code">unicode2iso($name)</pre>
</div>
<!-- EDIT9 SECTION "unicode2iso" [4785-5089] -->
<!-- EDIT9 SECTION "unicode2iso" [4864-5168] -->
<h3 class="sectionedit10" id="iso2unicode">iso2unicode</h3>
<div class="level3">
<div class="noteimportant">This function is not compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
......@@ -334,7 +341,7 @@ Simple usage example:
<pre class="code">iso2unicode($name)</pre>
</div>
<!-- EDIT10 SECTION "iso2unicode" [5090-5394] -->
<!-- EDIT10 SECTION "iso2unicode" [5169-5473] -->
<h3 class="sectionedit11" id="groupmatch">groupMatch</h3>
<div class="level3">
......@@ -360,7 +367,7 @@ Simple usage example:
<pre class="code">groupMatch($hGroups, &#039;description&#039;, &#039;Service 1&#039;)</pre>
</div>
<!-- EDIT11 SECTION "groupMatch" [5395-5753] -->
<!-- EDIT11 SECTION "groupMatch" [5474-5832] -->
<h3 class="sectionedit12" id="encrypt">encrypt</h3>
<div class="level3">
<div class="notetip">Since version 2.0, this function is now compliant with <a href="safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
......@@ -371,7 +378,7 @@ This function uses the secret key of LLNG configuration to crypt a data. This ca
<pre class="code">encrypt($_whatToTrace)</pre>
</div>
<!-- EDIT12 SECTION "encrypt" [5754-6059] -->
<!-- EDIT12 SECTION "encrypt" [5833-6138] -->
<h3 class="sectionedit13" id="token">token</h3>
<div class="level3">
......@@ -381,6 +388,16 @@ This function generates token used to <a href="servertoserver.html" class="wikil
<pre class="code">token($_session_id,&#039;webapp1.example.com&#039;,&#039;webapp2.example.com&#039;)</pre>
</div>
<!-- EDIT13 SECTION "token" [6060-] --></div>
<!-- EDIT13 SECTION "token" [6139-6343] -->
<h3 class="sectionedit14" id="isinnet6">isInNet6</h3>
<div class="level3">
<p>
Function to check if an IPv6 address is in a subnet. Example <em>check if <abbr title="Internet Protocol">IP</abbr> address is local</em>:
</p>
<pre class="code perl">isInNet6<span class="br0">&#40;</span><span class="re0">$ipAddr</span><span class="sy0">,</span> <span class="st_h">'fe80::/10'</span><span class="br0">&#41;</span></pre>
</div>
<!-- EDIT14 SECTION "isInNet6" [6344-] --></div>
</body>
</html>
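Review bot: The new isInNet6 section does not state whether the function is usable inside the Safe jail, unlike the neighbouring basic, unicode2iso, iso2unicode and encrypt sections, each of which carries a note div on that point. It also does not say what `isInNet6($ipAddr, 'fe80::/10')` returns, nor what happens when `$ipAddr` is not an IPv6 address (an IPv4 client, or an IPv4-mapped `::ffff:...` form); a sentence giving the return value and the non-IPv6 behaviour, checked against the implementation, would prevent misuse in access rules. The example's `<em>check if IP address is local</em>` would be more precise as `link-local`, since that is what fe80::/10 denotes.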
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:external2f</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,external2f"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="external2f.html"/>
<link rel="contents" href="external2f.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:external2f","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="external_second_factor">External Second Factor</h1>
<div class="level1">
<p>
This simple plugin can be used to add a second factor for authentication (SMS, OTP,…). It uses external commands to send and validate the second factor. You can use any language to call your 2nd factor system.
</p>
</div>
<!-- EDIT1 SECTION "External Second Factor" [1-251] -->
<h2 class="sectionedit2" id="commands">Commands</h2>
<div class="level2">
<p>
Commands received arguments on the command line and must return a 0 code if succeed, another else. <strong>Nothing must be written to STDOUT</strong>, STDERR is reported in logs <em>(but may be lost with FastCGI server)</em>.
</p>
</div>
<!-- EDIT2 SECTION "Commands" [252-483] -->
<h3 class="sectionedit3" id="configuration">Configuration</h3>
<div class="level3">
<p>
All parameters are configured in “General Parameters » Portal Parameters » Extensions » External 2nd Factor”.
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong></div>
</li>
<li class="level1"><div class="li"> <strong>Send command</strong>: define your command using <em>$attribute</em> like in rules. Example: <code>/usr/local/bin/sendOtp –uid $uid</code></div>
</li>
<li class="level1"><div class="li"> <strong>Validation command</strong>: you must also use <em>$code</em> which is the value entered by user; Example: <code>/usr/local/bin/verify –uid $uid –code $code</code></div>
</li>
<li class="level1"><div class="li"> <strong>Authentication Level</strong>: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
</ul>
<div class="noteimportant">The command line is split in an array and launch with exec(). So you don&#039;t need to enclose arguments in “” and this protects your system against shell injection. However, you can not use any space except to separate arguments.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [484-] --></div>
</body>
</html>
......@@ -62,19 +62,20 @@ So you can configure it to authenticate users using a federation protocol and si
</p>
<p>
For example, a <abbr title="LemonLDAP::NG">LL::NG</abbr> server can be:
Schemes validated:
</p>
<ul>
<li class="level1"><div class="li"> A <a href="idpcas.html" class="wikilink1" title="documentation:2.0:idpcas">CAS server</a> with <a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML authentication</a></div>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr>-SP <strong></strong> LLNG as <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML</a>/<a href="authopenidconnect.html" class="wikilink1" title="documentation:2.0:authopenidconnect">OpenID-Connect</a> proxy <strong></strong> OIDC Provider</div>
</li>
<li class="level1"><div class="li"> An <a href="idpopenid.html" class="wikilink1" title="documentation:2.0:idpopenid">OpenID server</a> with <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS authentication</a></div>
</li>
<li class="level1"><div class="li"> An <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML server</a> with <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">OpenID authentication</a></div>
</li>
<li class="level1"><div class="li"></div>
<li class="level1"><div class="li"> OIDC-RP <strong></strong> LLNG as <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID-Connect</a>/<a href="authsaml.html" class="wikilink1" title="documentation:2.0:authsaml">SAML</a> proxy <strong></strong> <abbr title="Security Assertion Markup Language">SAML</abbr> Identity Provider</div>
</li>
</ul>
<p>
Note that OpenID-Connect consortium hasn&#039;t already defined single-logout initiated by OpenID-Connect Provider. LLNG will implement it when this standard will be published.
</p>
<div class="noteimportant">Development of federation can be complex. Don&#039;t hesitate to contact us on lemonldap-ng-users@ow2.org
</div>
<p>
See the following chapters:
</p>
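Review bot: The two list items added for the "SAML-SP" and "OIDC-RP" cases contain empty `<strong></strong>` elements at the points where a connector between the parties belongs, so the rendered text reads "SAML-SP LLNG as SAML/OpenID-Connect proxy OIDC Provider" with no relation between the three parts. Presumably the wiki source held an arrow or a word there that was dropped on export; restoring it and dropping the empty tags, e.g. `<abbr title="Security Assertion Markup Language">SAML</abbr>-SP → LLNG as SAML/OpenID-Connect proxy → OIDC Provider`, makes the flow readable. The bare `<li class="level1"><div class="li"></div>` just above the OIDC-RP item renders as an empty bullet if it is still present on the new side, which cannot be told from this rendering. The surrounding list and the "Schemes validated:" lead-in start before this hunk.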
......
......@@ -211,11 +211,15 @@ The portal is the biggest component of Lemonldap::NG. Since version 2.0, it is r
<li class="level1"><div class="li"></div>
</li>
</ul>
<p>
By default it uses local storage to store its tokens. If you have more than 1 portal and if your load-balancer doesn&#039;t keep state, you have to disable this to use the global session storage <em>(General parameters » portal Parameters » Advanced Parameters » Forms)</em>. Note that this will decrease performances.
</p>
<div class="notetip">In production environment for network performance, prefer using minified versions of javascript and css libs: use <code>make install <strong>PROD=yes</strong></code>. This is done by default in RPM/DEB packages.
</div>
</div>
<!-- EDIT7 SECTION "General performances" [3645-4198] -->
<!-- EDIT7 SECTION "General performances" [3645-4511] -->
<h3 class="sectionedit8" id="apachesession_performances">Apache::Session performances</h3>
<div class="level3">
......@@ -262,11 +266,11 @@ Index -&gt; ipAddr uid</pre>
<p>
Note that Apache::Session::Browseable::MySQL doesn&#039;t use MySQL locks.
</p>
<div class="notetip">A <a href="https://metacpan.org/module/Apache::Session::Browseable::Redis" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable::Redis" rel="nofollow">Apache::Session::Browseable::Redis</a> has been created, it is the faster (except for session explorer, defeated by Apache::Session::Browseable::<a href="https://metacpan.org/module/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable" rel="nofollow">DBI</a>/<a href="https://metacpan.org/module/Apache::Session::Browseable::LDAP" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable::LDAP" rel="nofollow">LDAP</a> &gt;= 1.0)
<div class="notetip">A <a href="https://metacpan.org/module/Apache::Session::Browseable::Redis" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable::Redis" rel="nofollow">Apache::Session::Browseable::Redis</a> has been created, it is the faster (except for session explorer, defeated by Apache::Session::Browseable::<a href="https://metacpan.org/module/Apache::Session::Browseable" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable" rel="nofollow">DBI</a>/<a href="https://metacpan.org/module/Apache::Session::Browseable::LDAP" class="urlextern" title="https://metacpan.org/module/Apache::Session::Browseable::LDAP" rel="nofollow">LDAP</a> 1.0)
</div><div class="noteimportant">Some Apache::Session module are not fully usable by Lemonldap::NG such as Apache::Session::Memcached since this modules do not offer capability to browse sessions. They does not allow one to use sessions explorer neither manage one-off sessions.
</div>
</div>
<!-- EDIT8 SECTION "Apache::Session performances" [4199-6555] -->
<!-- EDIT8 SECTION "Apache::Session performances" [4512-6869] -->
<h3 class="sectionedit9" id="ldap_performances">LDAP performances</h3>
<div class="level3">
......@@ -303,12 +307,12 @@ Now ldapgroups contains “admin su”
</div>
</div>
<!-- EDIT9 SECTION "LDAP performances" [6556-7685] -->
<!-- EDIT9 SECTION "LDAP performances" [6870-7999] -->
<h2 class="sectionedit10" id="manager_performances">Manager performances</h2>
<div class="level2">
</div>
<!-- EDIT10 SECTION "Manager performances" [7686-7719] -->
<!-- EDIT10 SECTION "Manager performances" [8000-8033] -->
<h3 class="sectionedit11" id="disable_unused_modules">Disable unused modules</h3>
<div class="level3">
......@@ -319,7 +323,7 @@ In lemonldap-ng.ini, set only modules that you will use. By default, configurati
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions</span></pre>
</div>
<!-- EDIT11 SECTION "Disable unused modules" [7720-7966] -->
<!-- EDIT11 SECTION "Disable unused modules" [8034-8280] -->
<h3 class="sectionedit12" id="use_static_html_files">Use static HTML files</h3>
<div class="level3">
......@@ -346,6 +350,6 @@ So manager <abbr title="HyperText Markup Language">HTML</abbr> templates will be
</p>
</div>
<!-- EDIT12 SECTION "Use static HTML files" [7967-] --></div>
<!-- EDIT12 SECTION "Use static HTML files" [8281-] --></div>
</body>
</html>
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/restserverplugin?do=login&amp;sectok=378132ea54accc5c67c7c9ceda71bf59" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/restserverplugin?do=login&amp;sectok=62a29c35a267f658799e362598e991b4" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
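Review bot: The only change in this hunk is a new `sectok` value in the Login link, and the next hunk of the same file likewise only bumps the timestamp query string on the `/lib/exe/indexer.php` tracking image; both values are artefacts of the session that generated the export and will churn on every regeneration. A static documentation export should not carry the live wiki's login action link (a dead `?do=login` target on a static site) or its indexer beacon at all, so stripping the `<li><a … class="action login" …>` entry and the `<div class="no"><img src="/lib/exe/indexer.php…">` element at export time would remove the noise from future doc commits and stop what appears to be a DokuWiki per-session security token from being committed. The same pattern applies to the login-link hunk of the applications page shown earlier in this commit.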
......@@ -204,7 +204,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Arestserverplugin&amp;1489508257" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Arestserverplugin&amp;1490850194" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:start</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,start"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="start.html"/>
......@@ -237,7 +237,7 @@
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0"> <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 leftalign"> </td>
<td class="col0"> <a href="authad.html" class="wikilink1" title="documentation:2.0:authad">Active Directory</a> </td><td class="col1 centeralign"></td><td class="col2 centeralign"></td><td class="col3 centeralign"> </td>
</tr>
<tr class="row2 roweven">
<td class="col0"> <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache (Kerberos, NTLM, OTP, ...)</a> </td><td class="col1 centeralign"></td><td class="col2 leftalign"> </td><td class="col3 leftalign"> </td>
......@@ -323,14 +323,17 @@
<tr class="row29 rowodd">
<td class="col0"> <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F</a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
<tr class="row30 roweven">
<td class="col0"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External Second Factor</a> </td><td class="col1 centeralign"></td><td class="col2"></td><td class="col3"></td>
</tr>
</table></div>
<!-- EDIT10 TABLE [2160-3733] -->
<!-- EDIT10 TABLE [2160-3786] -->
<p>
</div></div>
</p>
</div>
<!-- EDIT9 SECTION "Authentication, users and password databases" [1987-3761] -->
<!-- EDIT9 SECTION "Authentication, users and password databases" [1987-3814] -->
<h3 class="sectionedit11" id="configuration_database">Configuration database</h3>
<div class="level3">