Commit 0546303d authored by Christophe Maudoux

Merge branch 'v2.0'

parents ff095ca1 f37c2399
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:
* #1893: Issuer urldc is lost after error in 2F flow
* #1909: Reset password by email issue
* #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
* #1945: passwordpolicy.tpl contains wrong tag
* #1948: Tranlation menu does not work with Diff.html
* #1949: Don't Store Password shows password in cleartext
* #1952: "Attributes and macros" session keys should not be translated
* #1953: Outgoing emails are missing a Date: field
* #1954: zimbra preauth not working
* #1955: Redirection lost after notification validation
* #1960: REST config service not working
* #1961: IDP selection rule regression in 2.0.0
* #1963: Server Error with OpenID Connect register endpoint
* #1964: Diff.html does not work with minified JS
* #1966: Configuration reload does not apply changes to location rules
* #1968: skippedUnitTests/skippedGlobalTests have no effect
* #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
* #1974: ServiceToken handler TTL value always set to default
* #1984: Reset expired password doesn't trigger when using Combination
* #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
* #2009: Display authentication error on login form with Combination Kerberos + LDAP
* #2010: Kerberos not working with session upgrade
* #2012: Several issues with notification system
* #2013: Handler, yum install
* #2018: After temporary ldap failure, ldap connections stop working forever
* #2038: Missing type attribute in 2FA HTML inputs
* #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name
* New features:
* #813: Provide refresh tokens in OpenID Connect
* #1605: certificate reset by mail
* #1956: DecryptValue plugin
* #1999: Possibility to view/close other sessions opened for the same user
* #2006: Create a web service for "refresh my rights"
* Improvements:
* #1590: Possibility to configure new plugins in Manager
* #1905: Append overScheme for persistent sessions
* #1941: After logged out from SP we are always redirected to IdP - Unable to go back to SP Portal
* #1947: Highlight active module with Diff.html
* #1967: allow differents type of managerDN
* #1983: The script purgeCentralCache should be more fault tolerant
* #1988: Append a requiredAuthenticationLevel option for each uri
* #1989: Main logo and lang icons are missing with upgradesession template
* #1991: Some user logs not using whatToTrace for username
* #1993: Same issue like (#1884) occures with Issuer redirection
* #1994: Append varInUri extended function
* #1995: Add an option to force claims in ID token
* #1996: REQUEST_URI env variable is not set by CheckUser plugin
* #1997: Enable checkTime option by default
* #1998: Misleading token ID format
* #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
* #2007: Password change prompt displayed even if initial auth fails
* #2008: Specific message and error code for 2F failure
* #2011: Create a function to test if a value belongs to a list
* #2012: Several issues with notification system
* #2014: New script to convert sessions between backends
* #2019: Renew Captcha button
* #2024: Change default value for cspFormAction
* #2042: Add per-service macros
-- Clément <clem.oudot@gmail.com> Sat, 21 Dec 2019 16:59:22 +0100
lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs:
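Review bot: #2012 "Several issues with notification system" is listed twice in the 2.0.7 entry, once under Bugs and once under Improvements; keep it under one heading only. Three typos in the same block: "Tranlation" (#1948) should read "Translation", "allow differents type of managerDN" (#1967) should read "allow different types of managerDN", and "occures" (#1993) should read "occurs". The #1943 line is the only security fix in this release and carries CVE-2019-19791; a one-line summary of the impact would help packagers and operators decide how urgently to roll out 2.0.7.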
......
lemonldap-ng (2.0.7-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Sat, 21 Dec 2019 17:00:00 +0100
lemonldap-ng (2.0.6-1) unstable; urgency=medium
* New release. See changes on our website:
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/authchoice_with_slave_and_secured_cookie_gt/double_cookies_for_a_single_session?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
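Review bot: the sectok value in the Login link is a per-session DokuWiki CSRF token, so committing the rendered HTML means this line churns on every export of the static docs (the same one-line hunk repeats below for icons.png, loader.gif and jitsimet) without any content change, and the token only had meaning in the session that produced the export. Consider stripping the Login action links, or at least the sectok query parameter, from the exported HTML before committing, and do the same for the indexer.php cache-busting timestamp in the following hunk, which churns for the same reason.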
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1569271173" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=authchoice_with_slave_and_secured_cookie_gt%3Adouble_cookies_for_a_single_session&amp;1576942824" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="applications.html"/>
......
......@@ -171,7 +171,7 @@ Edit then <code>share-config-custom.xml</code> and uncomment the last part. In t
<span class="sc3"><span class="re1">&lt;name<span class="re2">&gt;</span></span></span>Alfresco - user access<span class="sc3"><span class="re1">&lt;/name<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;description<span class="re2">&gt;</span></span></span>Access to Alfresco Repository WebScripts that require user authentication<span class="sc3"><span class="re1">&lt;/description<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;connector-id<span class="re2">&gt;</span></span></span>alfrescoHeader<span class="sc3"><span class="re1">&lt;/connector-id<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/wcs<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;endpoint-url<span class="re2">&gt;</span></span></span>http://localhost:8080/alfresco/s<span class="sc3"><span class="re1">&lt;/endpoint-url<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;identity<span class="re2">&gt;</span></span></span>user<span class="sc3"><span class="re1">&lt;/identity<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;external-auth<span class="re2">&gt;</span></span></span>true<span class="sc3"><span class="re1">&lt;/external-auth<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/endpoint<span class="re2">&gt;</span></span></span>
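Review bot: the endpoint-url change from /alfresco/wcs to /alfresco/s is not explained in the commit message or the surrounding text; if /wcs was wrong for the Alfresco versions this page targets, say so in the text so readers with older installs know which path applies to them. Since this connector has external-auth set to true, Share trusts the user name it forwards to http://localhost:8080/alfresco/s, so the warning further down that Alfresco must only be reachable through LL::NG applies to this loopback endpoint too: anything able to open a connection to port 8080 on that host can present an arbitrary user name. Worth a sentence next to the endpoint.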
......@@ -184,7 +184,7 @@ You need to restart Tomcat to apply changes.
<div class="notewarning">Now you can log in with a simple HTTP header. You need to restrict access to Alfresco to <abbr title="LemonLDAP::NG">LL::NG</abbr>.
</div>
</div>
<!-- EDIT4 SECTION "Alfresco" [457-3157] -->
<!-- EDIT4 SECTION "Alfresco" [457-3155] -->
<h3 class="sectionedit5" id="llng">LL::NG</h3>
<div class="level3">
......@@ -217,12 +217,12 @@ Other rules:
</ul>
</div>
<!-- EDIT5 SECTION "LL::NG" [3158-3497] -->
<!-- EDIT5 SECTION "LL::NG" [3156-3495] -->
<h2 class="sectionedit6" id="saml2">SAML2</h2>
<div class="level2">
</div>
<!-- EDIT6 SECTION "SAML2" [3498-3517] -->
<!-- EDIT6 SECTION "SAML2" [3496-3515] -->
<h3 class="sectionedit7" id="alfresco2">Alfresco</h3>
<div class="level3">
......@@ -521,7 +521,7 @@ To finish with Alfresco configuration, tick the “Enable <abbr title="Security
</p>
</div>
<!-- EDIT7 SECTION "Alfresco" [3518-14174] -->
<!-- EDIT7 SECTION "Alfresco" [3516-14172] -->
<h3 class="sectionedit8" id="llng1">LL::NG</h3>
<div class="level3">
......@@ -556,7 +556,7 @@ And you can define these exported attributes:
</ul>
</div>
<!-- EDIT8 SECTION "LL::NG" [14175-14553] -->
<!-- EDIT8 SECTION "LL::NG" [14173-14551] -->
<h2 class="sectionedit9" id="other_resources">Other resources</h2>
<div class="level2">
<ul>
......@@ -567,6 +567,6 @@ And you can define these exported attributes:
</ul>
</div>
<!-- EDIT9 SECTION "Other resources" [14554-] --></div>
<!-- EDIT9 SECTION "Other resources" [14552-] --></div>
</body>
</html>
......@@ -93,7 +93,7 @@ The Basic Authentication relies on a specific HTTP header, as described above. S
<p>
For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <a href="../passwordstore.html" class="wikilink1" title="documentation:2.0:passwordstore">password is stored in session</a>):
</p>
<pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;)</pre>
<pre class="code">Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;, &quot;&quot;)</pre>
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> provides a special function named <a href="../extendedfunctions.html#basic" class="wikilink1" title="documentation:2.0:extendedfunctions">basic</a> to build this header.
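Review bot: the added second argument to encode_base64 deserves a word of explanation beside the example: MIME::Base64::encode_base64 appends a newline unless the end-of-line argument is an empty string, and a trailing newline is not a valid Authorization header value. It is also worth stating here that $_password is the user's cleartext password, so this header must only be sent to the backend over TLS, and that the basic() extended function mentioned right after already builds the header correctly, so it should be the first recommendation rather than an afterthought.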
......
......@@ -198,7 +198,7 @@ Configure the <a href="../writingrulesand_headers.html#headers" class="wikilink1
</li>
<li class="level1"><div class="li"> Auth-Mail: $mail</div>
</li>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&#039;&#039;)</div>
<li class="level1"><div class="li"> Auth-Groups: encode_base64($groups,&quot;&quot;)</div>
</li>
</ul>
<div class="noteimportant">To allow execution of encode_base64() method, you must deactivate the <a href="../safejail.html" class="wikilink1" title="documentation:2.0:safejail">Safe jail</a>.
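Review bot: the quote change from '' to "" in the Auth-Groups header has no effect, both are an empty end-of-line string in Perl, so it is cosmetic unless the manager's rule parser treats the two differently; if it does, that is the reason to state in the text. The noteimportant below it tells readers to deactivate the Safe jail to use encode_base64(), which removes the sandbox for every rule and header expression on the instance; please verify whether encode_base64 is already exported into the jail as an extended function (the Basic Authentication section links basic() from extendedfunctions.html), and if it is, drop this note rather than recommending the jail be turned off.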
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:applications:humhub</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,applications,humhub"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="humhub.html"/>
......@@ -54,6 +54,7 @@
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuring_humhub">Configuring HumHub</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div></li>
<li class="level2"><div class="li"><a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</a></div></li>
<li class="level2"><div class="li"><a href="#troubleshooting">Troubleshooting</a></div></li>
</ul></li>
</ul>
......@@ -88,28 +89,30 @@ Administrator can configure one or several OAuth, OAuth2 or OIDC authentication
<p>
With <a href="#openid_connect" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login.
</p>
<div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service.
<div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service. See <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> Migrate former local or ldap Humhub account to connect through SSO</a>
</div>
</div>
<!-- EDIT2 SECTION "Présentation" [68-1041] -->
<!-- EDIT2 SECTION "Présentation" [68-1186] -->
<h2 class="sectionedit3" id="openid_connect">OpenID Connect</h2>
<div class="level2">
<div class="noteclassic">This set-up works with option enablePrettyUrl activated in Humhub. If not activated, rewrite <abbr title="Uniform Resource Locator">URL</abbr> in Humhub HTTP server and allowed redirect <abbr title="Uniform Resource Locator">URL</abbr> in LemonLDAP needs to be adapted to work with the non pretty <abbr title="Uniform Resource Locator">URL</abbr> format.
</div>
<!-- EDIT3 SECTION "OpenID Connect" [1042-1069] -->
</div>
<!-- EDIT3 SECTION "OpenID Connect" [1187-1450] -->
<h3 class="sectionedit4" id="configuring_humhub">Configuring HumHub</h3>
<div class="level3">
<p>
First disable LDAP (Administration &gt; Users section) and delete (or migrate source) any local users whose username or email are conflicting with the username or email of your OIDC users.
First disable LDAP (Administration &gt; Users section) and delete (or <a href="#migrate_former_local_or_ldap_humhub_account_to_connect_through_sso" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> migrate</a>) any local users whose username or email are conflicting with the username or email of your OIDC users.
</p>
<p>
Then install and configure the <a href="https://github.com/Worteks/humhub-auth-oidc" class="urlextern" title="https://github.com/Worteks/humhub-auth-oidc" rel="nofollow"> OIDC connector for humhub </a> extension using composer :
</p>
<ul>
<li class="level1"><div class="li"> Install composer and php-tokenizer.</div>
<li class="level1"><div class="li"> Install composer.</div>
</li>
</ul>
<ul>
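Review bot: "rewrite URL in Humhub HTTP server and allowed redirect URL in LemonLDAP needs to be adapted" should read "need to be adapted". The prerequisite line dropped "and php-tokenizer" from "Install composer and php-tokenizer" without saying whether the extension is no longer needed or is now pulled in by composer; a word on that avoids a failing composer run on minimal PHP installs.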
......@@ -118,34 +121,89 @@ Then install and configure the <a href="https://github.com/Worteks/humhub-auth-o
</ul>
<pre class="code">composer global require hirak/prestissimo</pre>
<ul>
<li class="level1"><div class="li"> Go to {humhumb_home} folder (containing humhub&#039;s composer.json file) and execute</div>
<li class="level1"><div class="li"> Go to {humhub_home} folder</div>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> Check if composer.json file is present. If not, download it for your current version:</div>
</li>
</ul>
<pre class="code">wget https://raw.githubusercontent.com/humhub/humhub/v1.3.15/composer.json</pre>
<ul>
<li class="level1"><div class="li"> Install the connector as a dependency: </div>
</li>
</ul>
<pre class="code">composer require --no-update --update-no-dev worteks/humhub-auth-oidc
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv</pre>
<ul>
<li class="level1"><div class="li"> Edit {humhumb_home}/protected/config/common.php with the client configuration :</div>
<div class="noteclassic">If you just need to update the connector, change its version in composer.json and run the above composer update command.
</div><ul>
<li class="level1"><div class="li"> Edit {humhub_home}/protected/config/common.php with the client configuration :</div>
</li>
</ul>
<pre class="code">&#039;components&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [
&#039;clients&#039; =&gt; [
// ...
&#039;lemonldapng&#039; =&gt; [
&#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;,
&#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;,
&#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP
&#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP
&#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button
],
],
],
&#039;authClientCollection&#039; =&gt; [
&#039;clients&#039; =&gt; [
// ...
&#039;lemonldapng&#039; =&gt; [
&#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;,
&#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;,
&#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP
&#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP
&#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button
&#039;cssIcon&#039; =&gt; &#039;fa fa-lemon-o&#039;, // Icon displayed in login button
],
],
// ...
]</pre>
<ul>
<li class="level1"><div class="li"> Edit {humhub_home}/protected/config/web.php to disconnect users from LemonLDAP::NG after they logged out of Humhub:</div>
</li>
</ul>
<pre class="code">return [
// ...
&#039;modules&#039; =&gt; [
&#039;user&#039; =&gt; [
&#039;logoutUrl&#039; =&gt; &#039;https://auth.domain.com/?logout=1&#039;,
],
]
];</pre>
<p>
User can now log in through <abbr title="Single Sign On">SSO</abbr> using a button on humhub logging page. If you want to remove this intermediate login page, so user are automatically logged in through <abbr title="Single Sign On">SSO</abbr> when they first access Humhub, you can set up a redirection in the http server in front of the application :
</p>
<ul>
<li class="level1"><div class="li"> Example in apache</div>
</li>
</ul>
<pre class="code">RewriteEngine On
RewriteCond %{QUERY_STRING} !nosso [NC]
RewriteRule &quot;^/user/auth/login$&quot; &quot;/user/auth/external?authclient=lemonldapng&quot; [L,R=301]</pre>
<ul>
<li class="level1"><div class="li"> Example in nginx</div>
</li>
</ul>
<pre class="code">if ($query_string !~ &quot;nosso&quot;){
rewrite ^/user/auth/login$ /user/auth/external?authclient=lemonldapng permanent;
}</pre>
<p>
If the authentication was successful but the user could not be registered in Humhub (which often happen if there is a conflict between source, username or email), Humhub will redirect to the login page to display the error, which trigger a redirection to the portal, ultimately triggering a loop error while registration error is not displayed.
</p>
<p>
To change this behavior and display the registration error, AuthController.onAuthSuccess method needs to be adapted so redirect to <abbr title="Single Sign On">SSO</abbr> will be bypassed when a registration error occured. This works for version 1.3.15 :
</p>
<ul>
<li class="level1"><div class="li"> Go to {humhub_home} folder</div>
</li>
<li class="level1"><div class="li"> Execute</div>
</li>
</ul>
<pre class="code">sed -i &quot;s|return \$this-&gt;redirect(\[&#039;/user/auth/login&#039;\]);|return \$this-&gt;redirect([&#039;/user/auth/login&#039;,&#039;nosso&#039;=&gt;&#039;showerror&#039;]);|&quot; protected/humhub/modules/user/controllers/AuthController.php</pre>
</div>
<!-- EDIT4 SECTION "Configuring HumHub" [1070-2515] -->
<!-- EDIT4 SECTION "Configuring HumHub" [1451-4994] -->
<h3 class="sectionedit5" id="configuring_lemonldap">Configuring LemonLDAP</h3>
<div class="level3">
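Review bot: the logoutUrl in the web.php sample points at https://auth.domain.com/?logout=1 while the client configuration above it uses https://auth.example.com for the same portal; one of them is a typo, and readers copying both blocks will get a logout that lands on the wrong host. Three further points in this hunk. The sed one-liner edits protected/humhub/modules/user/controllers/AuthController.php in place, which is HumHub's own code: the edit is silently lost on the next HumHub upgrade and the pattern is tied to 1.3.15 (the text says so), so mark it as a temporary workaround and point at the nosso query parameter as the manual way to reach the error page. The Apache and nginx rewrites issue a permanent (301) redirect, which browsers cache, so recommend testing with a fresh profile and using a temporary redirect while debugging the SSO loop. Finally, common.php now holds clientSecret in cleartext; a sentence on restricting that file's permissions to the web server user is warranted.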
......@@ -154,7 +212,7 @@ If not done yet, configure LemonLDAP::NG as an <a href="../openidconnectservice.
</p>
<p>
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect relaying party </a> using the following parameters:
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect Relying Party </a> using the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in HumHub configuration</div>
......@@ -193,8 +251,39 @@ Configuration sample using CLI:
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1 &amp;&amp; \</pre>
</div>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [2516-4258] -->
<h3 class="sectionedit6" id="troubleshooting">Troubleshooting</h3>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [4995-6736] -->
<h3 class="sectionedit6" id="migrate_former_local_or_ldap_humhub_account_to_connect_through_sso">Migrate former local or ldap Humhub account to connect through SSO</h3>
<div class="level3">
<p>
You need to manually update Humhub database to swith authentication mode to LemonLDAP::NG.
</p>
<p>
Table &quot;user&quot;:
</p>
<ul>
<li class="level1"><div class="li"> Columns &quot;username&quot; and &quot;email&quot; should match exactly OIDC sub and email attributes ;</div>
</li>
<li class="level1"><div class="li"> If former ldap user, change column &quot;auth_mode&quot; to &quot;local&quot;.</div>
</li>
</ul>
<p>
Table &quot;user_auth&quot;:
</p>
<ul>
<li class="level1"><div class="li"> Add an entry with user_id, username and &quot;lemonldapng&quot; as source (or the name you chose in your connector configuration) :</div>
</li>
</ul>
<pre class="code">+---------+-------------+-------------+
| user_id | source | source_id |
+---------+-------------+-------------+
| 4 | lemonldapng | jdoe |</pre>
</div>
<!-- EDIT6 SECTION "Migrate former local or ldap Humhub account to connect through SSO" [6737-7396] -->
<h3 class="sectionedit7" id="troubleshooting">Troubleshooting</h3>
<div class="level3">
<p>
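Review bot: "swith" in the opening sentence should be "switch". On substance, the procedure asks for manual edits in two tables but shows the result as a table dump rather than the statements to run; spelling them out along the lines of UPDATE user SET auth_mode='local' WHERE id=4; and INSERT INTO user_auth (user_id, source, source_id) VALUES (4, 'lemonldapng', 'jdoe'); (with 4 and jdoe marked as placeholders, and assuming the user table's key is id) would remove the guesswork. Also state explicitly that source_id must equal the OIDC sub the connector will receive for that user: the first bullet says username must match sub, but the user_auth example never says source_id is that same value, and a mismatch here yields the rejection described in the Présentation section.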
......@@ -205,6 +294,6 @@ If LemonLDAP login page freezes because of a browser security blockage, adapt se
cspFormAction &quot;&#039;self&#039; https://*.example.com&quot;</pre>
</div>
<!-- EDIT6 SECTION "Troubleshooting" [4259-] --></div>
<!-- EDIT7 SECTION "Troubleshooting" [7397-] --></div>
</body>
</html>
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1569271147" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1576942799" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1569271147" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1576942799" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/jitsimet?do=login&amp;sectok=dd0430f7cec89a350deb28406029abc8" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1569271166" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Ajitsimet&amp;1576942817" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -56,6 +56,7 @@
<li class="level2"><div class="li"><a href="#zimbra_application_in_menu">Zimbra application in menu</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_virtual_host">Zimbra virtual host</a></div></li>
<li class="level2"><div class="li"><a href="#zimbra_handler_parameters">Zimbra Handler parameters</a></div></li>
<li class="level2"><div class="li"><a href="#multi-domain_issues">Multi-domain issues</a></div></li>
</ul></li>
</ul>
</div>
......@@ -163,6 +164,66 @@ Zimbra parameters are the following:
</div>
</div>
<!-- EDIT7 SECTION "Zimbra Handler parameters" [1862-] --></div>
<!-- EDIT7 SECTION "Zimbra Handler parameters" [1862-2771] -->
<h3 class="sectionedit8" id="multi-domain_issues">Multi-domain issues</h3>
<div class="level3">
<p>
Some organizations have multiple zimbra domains:
</p>
<ol>
<li class="level1"><div class="li"> foo@domain1.com</div>
</li>
<li class="level1"><div class="li"> bar@domain2.com</div>
</li>
</ol>
<p>
However, the zimbra preauth key is:
</p>
<ul>
<li class="level1"><div class="li"> generated for one zimbra domain only</div>
</li>
<li class="level1"><div class="li"> declared globally for every LemonLDAP::NG virtual hosts.</div>
</li>
</ul>
<p>
Thus, if domain1 has been registered on LemonLDAP::NG, user bar won&#039;t be able to connect to zimbra because preauth key is different. If you accept to have the same preauth key for all zimbra domains, you can set the same preauth key using this procedure:
</p>
<p>
We are going to use the first key (the domain1 one) for every domain.
On Zimbra machine, generate the keys:
</p>
<pre class="code"> zmprov generateDomainPreAuthKey domain1.com
preAuthKey: 4e2816f16c44fab20ecdee39fb850c3b0bb54d03f1d8e073aaea376a4f407f0c
zmprov generateDomainPreAuthKey domain2.com
preAuthKey: 6b7ead4bd425836e8cf0079cd6c1a05acc127acd07c8ee4b61023e19250e929c</pre>
<p>
Then, connect to your zimbra LDAP server with your favourite tool (Apache Directory Studio can do the job).
Take care to connect with the super admin and password account.
</p>
<ul>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain1&quot; branch</div>
</li>
<li class="level1"><div class="li"> Get the value of zimbraPreAuthKey</div>
</li>
<li class="level1"><div class="li"> Expand the branch &quot;dc=com&quot;, then click the &quot;dc=domain2&quot; branch</div>
</li>
<li class="level1"><div class="li"> Replace the value of zimbraPreAuthKey you have previously copied</div>
</li>
<li class="level1"><div class="li"> Wait for all Zimbra servers to update, or restart the zcs server</div>
</li>
</ul>
<p>
That&#039;s it, all zimbra servers will be able to decipher the hmac because they share the same key!
</p>
</div>
<!-- EDIT8 SECTION "Multi-domain issues" [2772-] --></div>
</body>
</html>
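Review bot: the security trade-off behind "If you accept to have the same preauth key for all zimbra domains" should be made explicit: the preauth key is the HMAC secret that lets the LL::NG Zimbra handler mint logins, so once it is shared a compromise of the key, or of any LL::NG virtual host holding it, opens every domain instead of one. The two 64-hex preAuthKey values in the zmprov output read like real keys; label them as sample output, because readers copy from the page. Step 2 generates a fresh key for domain2.com only to overwrite it a few lines later, so that zmprov call can go, and the LDAP-editing steps, including the ambiguous "Replace the value of zimbraPreAuthKey you have previously copied", could be replaced by setting the zimbraPreAuthKey attribute on domain2.com with zmprov modifyDomain on the Zimbra host, which avoids handing the LDAP super admin credentials to a desktop tool. "Expand the branch dc=com, then click dc=domain1" also only holds when both domains sit under the same suffix; zimbraPreAuthKey is a domain attribute, so naming the attribute and the domain entry is enough.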
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:authcustom</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,authcustom"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authcustom.html"/>
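Review bot: flipping authcustom.html to noindex,nofollow contradicts the index,follow flips applied to applications.html and humhub.html in the same merge; if the intent is to hide the custom-auth page from search engines, say why in the commit, otherwise this reads as an accidental inversion from a regenerated export and should be reverted.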
......@@ -84,13 +84,13 @@ Then, you just have to define class names of your custom modules in &quot;Custom
<p>
You can define your own customAuth module icon. Icon must be in site/htdocs/static/common/modules/icon.png
</p>
<div class="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev.pm
<div class="notetip">::Auth::My::Dev.pm means Lemonldap::NG::Portal::Auth::My::Dev
</div><div class="noteimportant">Be careful. Don&#039; t use an already attributed name in configuration.
</div>
<p>
These parameters are available in your plugins using <code>$self-&gt;conf-&gt;{<em>customName</em>}</code>.
These parameters are available in your plugins using <code>$self-&gt;conf-&gt;{customAddParams}-&gt;{<em>customName</em>}</code>.
</p>
<p>
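Review bot: the corrected access path $self->conf->{customAddParams}->{customName} is the right fix, but the page should say where customAddParams is populated (the Manager field the preceding text refers to), since the old one-level form is what readers of earlier 2.0 docs will have in their plugins. The unchanged context line "Don' t use an already attributed name" has a stray space in "Don't".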
......
......@@ -248,8 +248,6 @@ You can also define:
</li>