<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />

  <title>FAQ LEMONLDAP::NG</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
</head>

<body>
  <div class="main-content">
    <h2 class="heading-1"><span id=
    "HLemonldap3A3ANGFrequentlyAskedQuestions">Lemonldap::NG Frequently Asked
    Questions</span></h2>

    <p class="paragraph"></p>

    <ul>
      <li>
        <a href="#HGeneralquestions">General questions</a>

        <ul>
          <li><a href="#HWhatisaWebSSO3F">What is a Web-SSO ?</a></li>

          <li><a href=
          "#HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What does
          Lemonldap::NG bring compared to other Web-SSOs?</a></li>
        </ul>
      </li>

      <li>
        <a href="#HConfiguration">Configuration</a>

        <ul>
          <li><a href="#HWhattypeofconfigurationstoragehastobeused3F">What
          type of configuration storage has to be used ?</a></li>

          <li><a href="#HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The
          provided example works with HTTP, but not with HTTPS.</a></li>

          <li><a href="#HForwhatisusedthe22https22parameter3F">What is the
          "https" parameter used for?</a></li>

          <li><a href="#HWhatisanautoprotectedCGI3F">What is an auto-protected
          CGI ?</a></li>

          <li><a href="#HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to
          use Lemonldap::NG with Active-Directory ?</a></li>

          <li><a href="#HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use
          Lemonldap::NG as reverse-proxy ?</a></li>
        </ul>
      </li>

      <li>
        <a href="#HOperation">Operation</a>

        <ul>
          <li><a href="#HWithwhatservesthehandlerlocalcache3F">What is the
          handler local cache used for?</a></li>

          <li><a href=
          "#HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why can
          the handler local cache not be configured by the manager?</a></li>

          <li><a href=
          "#HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
          <i class="italic">Cross Domain Authentication</i> (CDA) ?</a></li>

          <li><a href=
          "#HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does
          the <i class="italic">Cross Domain Authentication</i> (CDA)
          work?</a></li>
        </ul>
      </li>

      <li>
        <a href="#HAuthentication">Authentication</a>

        <ul>
          <li><a href="#HHowtochangeauthenticationscheme3F">How to change
          authentication scheme ?</a></li>
        </ul>
      </li>
    </ul>

    <h3 class="heading-1-1"><span id="HGeneralquestions">General
    questions</span></h3>

    <h4 class="heading-1-1-1"><span id="HWhatisaWebSSO3F">What is a Web-SSO
    ?</span></h4>

    <p class="paragraph">A SSO <i class="italic">(Single Sign On)</i> is a
    system that shares one authentication between many applications: users
    authenticate only once and are never prompted again when they access
    another application. Kerberos (used in Active Directory) is an example of
    SSO. The problem with such systems is that, besides being heavyweight,
    they only apply to internal networks and to relatively homogeneous
    machines.</p>

    <p class="paragraph">A Web-SSO applies the same principle to Web
    applications only. The user is authenticated on the first access to a
    protected Web application and that authentication is propagated when
    moving to another application. The big advantage is that the system can
    be used over the Internet with no prerequisite on the client workstations
    (they just have to accept session cookies). For example, a user who is
    logged into a Google mailbox is not asked to authenticate again when
    opening the groups management application or any other Google
    application.</p>

    <h4 class="heading-1-1-1"><span id=
    "HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What does
    Lemonldap::NG bring compared to other Web-SSOs?</span></h4>

    <ul class="star">
      <li>Lemonldap::NG, like lemonldap, runs as a Perl Apache module and
      offers performance that makes the access control processing
      imperceptible to the user.</li>

      <li>Another strong point of Lemonldap::NG is its capacity to manage
      rights in a centralized way: standard SSO systems such as Kerberos or
      CAS share authentication but delegate the management of access
      authorizations to the applications. With Lemonldap::NG, rights
      management can be centralized completely, partly or not at all for
      each application&nbsp;: Lemonldap::NG provides an authorization system
      based on matching the URL against regular expressions associated with
      rules. It also passes HTTP headers containing any of the user's LDAP
      attributes to the remote application. The remote application can then
      handle access traceability and, if needed, its own authorization (see
      the <span class="wikiexternallink"><a href=
      "http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation#HMC3A9canismesd27authentification2Cd27autorisa%20tionetdetraC3A7abilitC3A9">
      AAA documentation</a></span>).</li>

      <li>Lemonldap::NG can publish every LDAP attribute, or expressions
      computed from them, so applications do not need to query the LDAP
      server themselves.</li>

      <li>Lemonldap::NG treats every hosted site (virtual or real)
      independently: each application can have its own customized HTTP
      headers.</li>

      <li>Lemonldap::NG provides a web based administration interface that
      simply presents the configuration, the access policy and the per-site
      headers (see the <span class="wikiexternallink"><a href=
      "http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">demonstration</a></span>).
      A restricted interface can also be used to show only some virtual hosts
      (read-only and/or read-write): administration can thus be partially
      delegated.</li>
    </ul>
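    <p class="paragraph">The authorization model described above (URL
    regular expressions associated with rules over the user's attributes,
    plus per-site HTTP headers) can be illustrated with the following
    stand-alone Perl script. It is an added example, not Lemonldap::NG's own
    code: the attribute names, the ';'-separated encoding of groups and the
    header names are assumptions made for the demonstration.</p>

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG code: a minimal model of the authorization
# scheme described above (URL regexes -> rules over session attributes, plus
# per-site header export).  Attribute names, the ';'-separated groups
# encoding and the header names are assumptions of this demo.
use strict;
use warnings;

# Constructed session data, as a handler sees it once the portal has
# authenticated the user and copied the LDAP attributes into the session.
my %session = (
    uid    => 'jdoe',
    mail   => 'jdoe@example.com',
    groups => 'staff;accounting;sysadmins',
);

# True if $name is one of the ';'-separated groups.  Compare whole names:
# a naive /admin/ match would also accept 'sysadmins'.
sub in_group {
    my ( $s, $name ) = @_;
    return scalar grep { $_ eq $name } split /;/, ( $s->{groups} // '' );
}

# Ordered rules for one virtual host: [ URL regex, predicate over the session ].
# The first regex matching the request path decides; the predicate returns
# true to grant and false to deny.  The last entry is the default rule.
my @rules = (
    [ qr{^/admin(/|$)},  sub { in_group( $_[0], 'admin' ) } ],
    [ qr{^/accounting/}, sub { in_group( $_[0], 'accounting' ) } ],
    [ qr{^/public/},     sub { 1 } ],
    [ qr{.},             sub { defined $_[0]{uid} } ],    # any authenticated user
);

sub authorize {
    my ( $uri, $s ) = @_;
    # Match the path only, so that a query string or fragment can not change
    # which rule applies.
    ( my $path = $uri ) =~ s/[?#].*//;
    for my $rule (@rules) {
        my ( $re, $allowed ) = @$rule;
        return $allowed->($s) ? 1 : 0 if $path =~ $re;
    }
    return 0;    # nothing matched: deny
}

# Headers exported to this application, computed from session attributes.
# The application trusts them, so it must only be reachable through the handler.
my %header_rules = (
    'Auth-User'   => sub { $_[0]{uid} },
    'Auth-Mail'   => sub { $_[0]{mail} },
    'Auth-Groups' => sub { $_[0]{groups} },
);

sub export_headers {
    my $s = shift;
    return { map { $_ => $header_rules{$_}->($s) } keys %header_rules };
}

for my $uri ( '/admin/users', '/accounting/report?year=2024',
              '/public/index.html', '/app/home' ) {
    printf "%-32s %s\n", $uri, authorize( $uri, \%session ) ? 'ALLOW' : 'DENY';
}
my $h = export_headers( \%session );
print "$_: $h->{$_}\n" for sort keys %$h;
```

    <p class="paragraph">Run as-is, the script denies <tt>/admin/users</tt>
    (the user is in <tt>sysadmins</tt>, not <tt>admin</tt>) and grants the
    three other URLs. Rule order matters: the catch-all must stay last, and
    a more specific path must be listed before a more general one that would
    also match it.</p>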

    <h3 class="heading-1-1"><span id=
    "HConfiguration">Configuration</span></h3>

    <h4 class="heading-1-1-1"><span id=
    "HWhattypeofconfigurationstoragehastobeused3F">What type of configuration
    storage has to be used ?</span></h4>

    <p class="paragraph">Lemonldap::NG provides 3 configuration storage
    systems:</p>

    <ul class="star">
      <li><strong class="strong">File</strong>: the simplest system. It can
      only be used if all your servers share a file system, for example if
      all virtual hosts are on the same server,</li>

      <li><strong class="strong">DBI</strong>: <span class=
      "wikiexternallink"><a href=
      "http://www.linuxmanpages.com/man3/DBI.3pm.php">DBI(3)</a></span> is the
      database access module for the Perl programming language. Used with
      Lemonldap::NG, it shares the configuration between servers that can
      reach the same database. This is the recommended scheme for a network
      of servers.</li>

      <li><strong class="strong">SOAP</strong>: this is not a real storage
      system, but it lets a remote server read the configuration through a
      single HTTP(S) connection. The SOAP server uses File or DBI to access
      the real configuration and acts as a proxy.</li>
    </ul>

    <h4 class="heading-1-1-1"><span id=
    "HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example
    works with HTTP, but not with HTTPS.</span></h4>

    <p class="paragraph">In the redirection mechanism to the portal and then
    back to the protected site, you have to tell the handler whether users
    reach it by HTTPS or by HTTP. This is done with the <tt>https</tt>
    parameter. This parameter has to be configured directly in the handlers;
    it is not accessible from the manager interface:</p>

    <p class="paragraph"></p>
    <pre>
package My::Package;
use strict;
use base 'Lemonldap::NG::Handler::SharedConf';

__PACKAGE__-&gt;init ( {
    # local cache shared by the Apache processes of this server
    localStorage        =&gt; "Cache::FileCache",
    localStorageOptions =&gt; {
              'namespace'          =&gt; 'MyNamespace',
              'default_expires_in' =&gt; 600,
              'directory_umask'    =&gt; '007',
              # cached session data is stored here: prefer a directory
              # writable only by the Apache user rather than a shared /tmp
              'cache_root'         =&gt; '/tmp',
              'cache_depth'        =&gt; 5,
    },
    configStorage       =&gt; {
              type                 =&gt; 'File',
              dirName              =&gt; '/var/lib/lemonldap-ng/conf',
    },
    # tell the portal to send the user back to this site over HTTPS
    <strong class="strong">https               =&gt; 1</strong>,
} );

1;
</pre>

    <h4 class="heading-1-1-1"><span id=
    "HForwhatisusedthe22https22parameter3F">What is the "https" parameter
    used for?</span></h4>

    <p class="paragraph">This parameter is only used in redirections to the
    authentication portal. It just tells the portal that, after
    authentication, the user must be redirected back to the application with
    https rather than http. If it is left at 0 on a site served over HTTPS,
    the user is sent back to a cleartext http URL after login.</p>

    <h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is
    an auto-protected CGI ?</span></h4>

    <p class="paragraph">When you have just one Perl CGI to protect in a
    VirtualHost, you can use an auto-protected CGI instead of a
    Lemonldap::NG handler:</p>

    <p class="paragraph"></p>
    <pre>
#!/usr/bin/perl
use strict;
use warnings;
use Lemonldap::NG::Handler::CGI;

my $cgi = Lemonldap::NG::Handler::CGI-&gt;new ( {
    # same parameters as a Lemonldap::NG::Handler::SharedConf handler
    # (localStorage, configStorage, https, ...)
} );
$cgi-&gt;authenticate;   # redirects to the portal if there is no valid session
$cgi-&gt;authorize;      # optional: apply the access rules defined in the manager
my $user = $cgi-&gt;user; # hash reference of the session attributes
print $cgi-&gt;header, "Hello $user-&gt;{uid}\n";
</pre>

    <p class="paragraph">In the example above, $cgi is a CGI(3) object. The
    only difference is that it has some additional methods:</p>

    <ul class="star">
      <li>authenticate : calls the Lemonldap::NG authentication
      mechanism,</li>

      <li>authorize : use it if you want the manager to manage the access
      policy,</li>

      <li>user : returns a hash reference containing the user's session
      attributes,</li>

      <li>group : used to check group membership.</li>
    </ul>

    <p class="paragraph">This type of CGI is very useful when rights can not
    be distinguished by URL (fields in POST requests, for example). See the
    Lemonldap::NG::Handler::CGI(3) man page for more.</p>

    <h4 class="heading-1-1-1"><span id=
    "HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to use Lemonldap::NG
    with Active-Directory ?</span></h4>

    <p class="paragraph">Active-Directory uses the <tt>cn</tt> field instead
    of <tt>uid</tt> as the identifier (the logon name is actually
    <tt>sAMAccountName</tt>, which is unique in the domain, whereas
    <tt>cn</tt> is only unique within its container). You therefore have to
    modify the Lemonldap::NG configuration in 2 places&nbsp;:</p>

    <ol>
      <li>the <tt>cn</tt> (or <tt>sAMAccountName</tt>) field has to be used
      to find the user in the portal,</li>

      <li>Apache has to use this field in its logs.</li>
    </ol>

    <p class="paragraph">For the second point, replace <tt>$uid</tt> with
    <tt>$cn</tt> in the "General Parameters -&gt; Attribute to use in
    Apache's logs" field (and check that this variable is an exported
    attribute). Changing the LDAP filter requires overloading a subroutine in
    the portal. This can be done as follows (the user name comes from the
    login form and must be escaped before it is inserted into the
    filter)&nbsp;:</p>

    <p class="paragraph"></p>
    <pre>
#!/usr/bin/perl
use strict;
use warnings;
use Lemonldap::NG::Portal::SharedConf;
use Net::LDAP::Util qw(escape_filter_value);

my $portal = Lemonldap::NG::Portal::SharedConf-&gt;new(
    {
        configStorage =&gt; {
            type    =&gt; 'File',
            dirName =&gt; '/var/lib/lemonldap-ng/conf',
        },
        <strong class="strong">formateFilter =&gt; sub {</strong>
            my $self = shift;
            # the login comes from the form: escape it (RFC 4515) so that
            # '*', '(', ')' or '\' can not rewrite the search filter
            my $user = escape_filter_value( $self-&gt;{user} );
            $self-&gt;{filter} = "(&amp;(cn=$user)(objectClass=person))";
            PE_OK;
        } # end of overload
    }
);
</pre>
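    <p class="paragraph">The following stand-alone script shows why the
    escaping matters, by printing the filter that the overload above would
    build from a crafted login with and without it. It is an added example,
    not Lemonldap::NG code; the RFC 4515 escaping is written out inline so
    the script runs without Net::LDAP (in the portal,
    Net::LDAP::Util::escape_filter_value does the same job), and the two
    logins are constructed inputs.</p>

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG code: why the login must be escaped before
# it is interpolated into the LDAP filter of the overload above.  The escaping
# follows RFC 4515 and is written out here so the script runs without
# Net::LDAP; in the portal, Net::LDAP::Util::escape_filter_value does the same.
use strict;
use warnings;

# RFC 4515: '*', '(', ')', '\' and NUL inside a value are written as \XX.
sub escape_filter_value {
    my ($v) = @_;
    $v =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $v;
}

# What the overload produces without escaping: the login is pasted as-is.
sub unsafe_filter {
    my ($login) = @_;
    return "(&(cn=$login)(objectClass=person))";
}

# The hardened form: the login can only ever be matched literally.
sub safe_filter {
    my ($login) = @_;
    return '(&(cn=' . escape_filter_value($login) . ')(objectClass=person))';
}

# Constructed inputs: a normal login and one crafted to change the filter so
# that the account is selected by mail (or any other attribute) instead of cn.
for my $login ( 'jdoe', '*)(mail=*admin*' ) {
    print "login:  $login\n";
    print "unsafe: ", unsafe_filter($login), "\n";
    print "safe:   ", safe_filter($login), "\n\n";
}
```

    <p class="paragraph">With the crafted login the unescaped filter becomes
    <tt>(&amp;(cn=*)(mail=*admin*)(objectClass=person))</tt>, so the entry
    the portal then binds as is chosen by the client rather than by its
    name; the escaped form keeps the whole string inside the <tt>cn</tt>
    value.</p>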

    <h4 class="heading-1-1-1"><span id=
    "HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use Lemonldap::NG as
    reverse-proxy ?</span></h4>

    <p class="paragraph">Lemonldap::NG protects Apache VirtualHosts. To use
    it as a reverse-proxy, you just have to configure Apache as a
    reverse-proxy&nbsp;:</p>

    <p class="paragraph"></p>
    <pre>
# httpd.conf
&lt;VirtualHost *&gt;
  ServerName MyApplication.com
  # load the file containing "package My::Package;" (the handler shown above)
  PerlRequire MyFile
  PerlHeaderParserHandler My::Package
  # once the handler has accepted the request, forward it to the real server
  ProxyPass        / http://real-server/
  ProxyPassReverse / http://real-server/
  # You can also use mod_rewrite instead of mod_proxy
  # RewriteEngine On
  # RewriteRule ^/(.*)$ http://real-server/$1 [P]
&lt;/VirtualHost&gt;
</pre>

    <p class="paragraph">The real server receives the HTTP headers set by the
    handler and trusts them, so it must only be reachable through this proxy:
    a client able to reach it directly could set those headers itself. If you
    prefer to use a Perl proxy, Lemonldap::NG provides one
    (Lemonldap::NG::Handler::Proxy(3)).</p>

    <h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>

    <h4 class="heading-1-1-1"><span id=
    "HWithwhatservesthehandlerlocalcache3F">What is the handler local cache
    used for?</span></h4>

    <p class="paragraph">The handler local cache is used for 2 things :</p>

    <ul class="star">
      <li>sharing the configuration between Apache processes : this avoids
      downloading the configuration for each new process. It is required by
      the reload mechanism, which avoids restarting Apache,</li>

      <li>sharing sessions between Apache processes and threads : this avoids
      querying the central session storage for each hit. For example with
      Apache::Session::MySQL, TCP requests are turned into file system
      requests, which improves performance.</li>
    </ul>

    <h4 class="heading-1-1-1"><span id=
    "HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why can the
    handler local cache not be configured by the manager?</span></h4>

    <p class="paragraph">The local cache has to be chosen and configured for
    each server: for example with the Cache::FileCache module, the storage
    directory can differ from one server to another. Another point is that
    the local storage can not be reloaded without restarting Apache, whereas
    all parameters managed by the manager can be.</p>

    <h4 class="heading-1-1-1"><span id=
    "HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
    <i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>

    <p class="paragraph">The Lemonldap::NG session propagation system is
    based on cookies, but a cookie is bound to a DNS domain. Lemonldap::NG
    provides a way to work around this restriction: you just have to use a
    Lemonldap::NG::Portal::CDA portal and Lemonldap::NG::Handler::CDA handlers
    on all protected sites outside the portal DNS domain.</p>

    <h4 class="heading-1-1-1"><span id=
    "HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does the
    <i class="italic">Cross Domain Authentication</i> (CDA) work?</span></h4>

    <p class="paragraph">The Lemonldap::NG::Portal::CDA portal checks whether
    the requested URL is in its own domain. If not, it adds a parameter to
    the redirection. When the user comes back to the protected application,
    the Lemonldap::NG::Handler::CDA agent detects this parameter and creates
    a cookie in its own domain.</p>
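    <p class="paragraph">The round trip described above can be walked
    through with the following stand-alone simulation, which plays both the
    portal side and the handler side in one Perl script. It is an added
    example, not Lemonldap::NG's implementation: the parameter name
    <tt>cda_ticket</tt>, the cookie name <tt>lemonldap</tt>, the in-memory
    session and ticket stores, and the choice of a single-use ticket instead
    of the session id itself are assumptions of the demonstration (this page
    does not say what the real parameter carries). It also shows the checks a
    handler needs on that path: an unknown or replayed ticket is refused, and
    the parameter is removed from the URL by a redirect once the cookie has
    been set.</p>

```perl
#!/usr/bin/perl
# Added example, not Lemonldap::NG code: a simulation of the CDA round trip
# described above, with the portal side and the handler side in one script.
# The parameter name 'cda_ticket', the cookie name 'lemonldap', the in-memory
# stores and the use of a single-use ticket rather than the session id itself
# are assumptions of this demo; the page does not say what the real parameter
# carries.
use strict;
use warnings;

my $PORTAL_DOMAIN = 'example.com';    # domain of the portal cookie (assumed)
my $CDA_PARAM     = 'cda_ticket';     # hypothetical parameter name
my $COOKIE_NAME   = 'lemonldap';      # assumed cookie name

# Constructed shared state: sessions created by the portal, and tickets
# issued for cross-domain redirects (ticket => session id).
my %sessions = ( 's3ss10n' => { uid => 'jdoe' } );
my %tickets;
my $ticket_seq = 0;

sub host_of {
    my ($url) = @_;
    return $url =~ m{^https?://([^/:?#]+)}i ? lc $1 : undef;
}

sub same_domain {
    my ( $host, $domain ) = @_;
    return $host eq $domain || $host =~ /\.\Q$domain\E$/;
}

sub url_escape   { my ($s) = @_; $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge; return $s }
sub url_unescape { my ($s) = @_; $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;                  return $s }

# Portal side: after authentication, redirect to the application.  If it is
# outside the portal cookie domain, mint a ticket and append the CDA parameter.
sub portal_redirect {
    my ( $session_id, $target ) = @_;
    my $host = host_of($target) or die "unsupported URL: $target";
    return $target if same_domain( $host, $PORTAL_DOMAIN );    # portal cookie already works there
    my $ticket = sprintf 'tk%06d', ++$ticket_seq;
    $tickets{$ticket} = $session_id;
    return $target . ( $target =~ /\?/ ? '&' : '?' ) . "$CDA_PARAM=" . url_escape($ticket);
}

# Handler side, in the application's domain.  Returns a hashref describing
# the response the handler would send.
sub handler_request {
    my ( $url, $cookie ) = @_;
    my ( $base, $query ) = split /\?/, $url, 2;
    my ( $ticket, @keep );
    for my $p ( split /&/, ( $query // '' ) ) {
        if ( $p =~ /^\Q$CDA_PARAM\E=(.*)$/ ) { $ticket = url_unescape($1) }
        else                                 { push @keep, $p }
    }
    if ( defined $ticket ) {
        # Single use: the ticket is consumed here, so an unknown or replayed
        # ticket is refused instead of creating a session cookie.
        my $sid = delete $tickets{$ticket};
        return { status => 403 } unless defined $sid && exists $sessions{$sid};
        # Set the cookie in this domain and redirect to the same URL without the
        # parameter, so it does not linger in bookmarks, logs or Referer headers.
        return {
            status     => 302,
            location   => ( @keep ? "$base?" . join( '&', @keep ) : $base ),
            set_cookie => "$COOKIE_NAME=$sid; Domain=" . host_of($url) . "; Path=/; Secure; HttpOnly",
        };
    }
    # No ticket: rely on the cookie of this domain, or send the user to the portal.
    if ( defined $cookie && $cookie =~ /(?:^|;\s*)\Q$COOKIE_NAME\E=([^;]+)/ && $sessions{$1} ) {
        return { status => 200, user => $sessions{$1}{uid} };
    }
    return { status => 302, location => "https://auth.$PORTAL_DOMAIN/?url=" . url_escape($url) };
}

# Walk through the exchange for an application outside the portal domain.
my $target = 'https://app.other.org/report?year=2024';
my $first  = handler_request( $target, undef );               # no cookie yet: sent to the portal
my $back   = portal_redirect( 's3ss10n', $target );           # after login: redirect carrying the ticket
my $second = handler_request( $back, undef );                 # ticket consumed, cookie set, parameter stripped
( my $cookie = $second->{set_cookie} ) =~ s/;.*//;            # what the browser sends back
my $third  = handler_request( $second->{location}, $cookie ); # authenticated in this domain
my $replay = handler_request( $back, undef );                 # same ticket again: refused

for ( [ 'first hit', $first ], [ 'portal redirect', { location => $back } ],
      [ 'with ticket', $second ], [ 'with cookie', $third ], [ 'ticket replay', $replay ] ) {
    my ( $name, $r ) = @$_;
    print "$name: ", join( ' ', map { "$_=" . $r->{$_} } sort keys %$r ), "\n";
}
```

    <p class="paragraph">The last line of the output is the important one:
    replaying the URL that carried the ticket yields a 403, because the
    ticket was deleted when it was first consumed. Whatever the real
    parameter contains, a handler that accepted it without checking it
    against the session store, or that left it in the URL, would let the
    value in a Referer header or a proxy log open a session in that
    domain.</p>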

    <h3 class="heading-1-1"><span id=
    "HAuthentication">Authentication</span></h3>

    <h4 class="heading-1-1-1"><span id=
    "HHowtochangeauthenticationscheme3F">How to change authentication scheme
    ?</span></h4>

    <p class="paragraph">Lemonldap::NG provides several authentication modes
    (to be set in the "authentification" field of the administration
    interface)&nbsp;:</p>

    <ul class="star">
      <li><strong class="strong">ldap</strong> : this is the default mode :
      the portal binds to the LDAP server with the user's credentials,</li>

      <li><strong class="strong">CAS</strong> : the Lemonldap::NG portal
      becomes a simple CAS proxy : if the user is not authenticated, he is
      redirected to the CAS portal,</li>

      <li><strong class="strong">SSL</strong> : in this scheme, authentication
      is done by Apache with SSL client certificates. This is useful as a
      replacement for complete SSL protection: only one SSL negotiation is
      needed instead,</li>

      <li><strong class="strong">Apache</strong> : in this scheme,
      authentication is done by Apache. For example with Kerberos, the Apache
      Kerberos module only protects the portal. This improves performance
      because only one Kerberos negotiation has to be done for all protected
      applications.</li>
    </ul>
  </div>
</body>
</html>