Combination module returns the form corresponding to the first authentication scheme available for the current request. You can force it to display the forms chosen using <code>combinationForms</code> in lemonldap-ng.ini. Example:
<ahref="authsaml.html"class="wikilink1"title="documentation:2.0:authsaml">SAML</a>, <ahref="authopenidconnect.html"class="wikilink1"title="documentation:2.0:authopenidconnect">OpenID-Connect</a>, <ahref="authcas.html"class="wikilink1"title="documentation:2.0:authcas">CAS</a> or <ahref="authopenid.html"class="wikilink1"title="documentation:2.0:authopenid">old OpenID</a> can't be chained with a “and” for authentication part. So “[<abbrtitle="Security Assertion Markup Language">SAML</abbr>] and [LDAP]” isn't valid. This is because their authentication kinematic don't use the same steps.
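Review bot: the Combination paragraph ends with "Example:" but no `combinationForms` line from lemonldap-ng.ini follows it, so the reader is promised a setting and never shown one; either add the example value or drop "Example:". The invalid-rule example "[SAML] and [LDAP]" also looks inconsistent with the table row in the next hunk, which presents "[SAML] and [LDAP] or [LDAP]" as valid: since the restriction is said to apply "for authentication part", the invalid form is presumably the one with the "and" inside a single bracket, so please check which example is meant. Wording: "chained with a “and”" → "chained with an “and”"; "their authentication kinematic don't use the same steps" → "their authentication kinematics don't use the same steps".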
@@ -292,10 +330,10 @@ The following rule is valid:
<tdclass="col0"><em><code>[<abbrtitle="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em></td><tdclass="col1"><code>[<abbrtitle="Security Assertion Markup Language">SAML</abbr>, <abbrtitle="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code></td><tdclass="col2"> Authentication is done by <abbrtitle="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
<divclass="notetip">First parameter passed to the custom function is the requested <abbrtitle="Uniform Resource Locator">URL</abbr>, that is<ul>
<liclass="level1"><divclass="li"><strong>portal full <abbrtitle="Uniform Resource Locator">URL</abbr></strong> if custom function is run by portal (e.g. <ahref="https://auth.example.com/"class="urlextern"title="https://auth.example.com/"rel="nofollow">https://auth.example.com/</a>)</div>
</li>
<liclass="level1"><divclass="li"><strong>absolute <abbrtitle="Uniform Resource Locator">URL</abbr></strong> if it is run by handler (e.g. /admin/index.php?param=foo).</div>
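Review bot: the tip says the first parameter is the "absolute URL" when the function is run by the handler, but the example "/admin/index.php?param=foo" is a path plus query string, not an absolute URL; "the request path and query string" would match the example. Because that value comes straight from the client request, the tip could also remind authors that custom functions must treat it as untrusted input. Separately, every tag in this patch is written without the space between tag name and attribute ("<divclass=", "<ahref=", "<abbrtitle=", "<tdclass=", "<liclass="); if that is the real file content rather than an artefact of how the diff was rendered, browsers will not recognise these elements, so please verify the source files.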
@@ -162,16 +153,16 @@ Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</cod
<divclass="noteimportant">If your function is not compliant with <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail.
<divclass="notetip">To know more about the jail, check <ahref="http://perldoc.perl.org/Safe.html"class="urlextern"title="http://perldoc.perl.org/Safe.html"rel="nofollow">Safe module documentation</a>.
<divclass="noteimportant">This function is not compliant with <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
<divclass="noteimportant">This function is not compliant with <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
<divclass="noteimportant">This function is not compliant with <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe jail</a>, you will need to disable the jail to use it.
<divclass="notetip">Since version 2.0, this function is now compliant with <ahref="safejail.html"class="wikilink1"title="documentation:2.0:safejail">Safe jail</a>.
...
...
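Review bot: this hunk carries three identical "This function is not compliant with Safe jail" notes and one "Since version 2.0, this function is now compliant" note, but the function headings they belong to are not in the context, so the diff does not show which functions were changed to compliant; please widen the context or name them in the commit message. The sentence "If your function is not compliant with Safe jail, you will need to disable the jail" should state the scope of that switch: if disabling it affects every custom function and rule rather than only the one concerned, the page should say so, since that removes the Safe sandbox for all of them. Minor: "Since version 2.0, this function is now compliant" can drop "now".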
@@ -371,7 +378,7 @@ This function uses the secret key of LLNG configuration to crypt a data. This ca
<preclass="code">encrypt($_whatToTrace)</pre>
</div>
<!-- EDIT12 SECTION "encrypt" [5754-6059] -->
<!-- EDIT12 SECTION "encrypt" [5833-6138] -->
<h3class="sectionedit13"id="token">token</h3>
<divclass="level3">
...
...
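Review bot: the only change in this hunk is the EDIT12 section marker moving from [5754-6059] to [5833-6138], i.e. generated DokuWiki offsets shifted by an edit earlier in the file; expected noise, but it means these marker comments churn on every edit and should not be reviewed as content. In the surrounding text, "to crypt a data" should read "to encrypt data", and since encrypt() is keyed on the configuration secret, the page could say whether values produced by encrypt() remain usable after that secret key is changed.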
@@ -381,6 +388,16 @@ This function generates token used to <a href="servertoserver.html" class="wikil
<h1class="sectionedit1"id="external_second_factor">External Second Factor</h1>
<divclass="level1">
<p>
This simple plugin can be used to add a second factor for authentication (SMS, OTP,…). It uses external commands to send and validate the second factor. You can use any language to call your 2nd factor system.
</p>
</div>
<!-- EDIT1 SECTION "External Second Factor" [1-251] -->
Commands received arguments on the command line and must return a 0 code if succeed, another else. <strong>Nothing must be written to STDOUT</strong>, STDERR is reported in logs <em>(but may be lost with FastCGI server)</em>.
<liclass="level1"><divclass="li"><strong>Send command</strong>: define your command using <em>$attribute</em> like in rules. Example: <code>/usr/local/bin/sendOtp –uid $uid</code></div>
</li>
<liclass="level1"><divclass="li"><strong>Validation command</strong>: you must also use <em>$code</em> which is the value entered by user; Example: <code>/usr/local/bin/verify –uid $uid –code $code</code></div>
</li>
<liclass="level1"><divclass="li"><strong>Authentication Level</strong>: if you want to overwrite the value sent by your authentication module, you can define here the new authentication level. Example: 5</div>
</li>
</ul>
<divclass="noteimportant">The command line is split in an array and launch with exec(). So you don't need to enclose arguments in “” and this protects your system against shell injection. However, you can not use any space except to separate arguments.
<liclass="level1"><divclass="li"> An <ahref="idpopenid.html"class="wikilink1"title="documentation:2.0:idpopenid">OpenID server</a> with <ahref="authcas.html"class="wikilink1"title="documentation:2.0:authcas">CAS authentication</a></div>
</li>
<liclass="level1"><divclass="li"> An <ahref="idpsaml.html"class="wikilink1"title="documentation:2.0:idpsaml">SAML server</a> with <ahref="authopenid.html"class="wikilink1"title="documentation:2.0:authopenid">OpenID authentication</a></div>
Note that OpenID-Connect consortium hasn't already defined single-logout initiated by OpenID-Connect Provider. LLNG will implement it when this standard will be published.
</p>
<divclass="noteimportant">Development of federation can be complex. Don't hesitate to contact us on lemonldap-ng-users@ow2.org
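Review bot: both command examples in the list, "/usr/local/bin/sendOtp –uid $uid" and "/usr/local/bin/verify –uid $uid –code $code", use an en dash ("–") where a double hyphen ("--") is needed; copied as written, these options will not be recognised, and since the note explains that the line is split into an array and passed to exec(), no shell will normalise it either. That exec() note rightly explains why shell injection is avoided, but because "$code" is "the value entered by user", it is worth adding that the verify command must still validate that argument itself (for instance, whether a value beginning with "-" could be taken as an option). Wording: "Commands received arguments on the command line and must return a 0 code if succeed, another else" → "Commands receive their arguments on the command line and must exit with code 0 on success and non-zero otherwise"; "split in an array and launch with exec()" → "split into an array and launched with exec()"; "hasn't already defined" → "hasn't yet defined"; "when this standard will be published" → "when this standard is published".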
@@ -211,11 +211,15 @@ The portal is the biggest component of Lemonldap::NG. Since version 2.0, it is r
<liclass="level1"><divclass="li"> …</div>
</li>
</ul>
<p>
By default it uses local storage to store its tokens. If you have more than 1 portal and if your load-balancer doesn't keep state, you have to disable this to use the global session storage <em>(General parameters » portal Parameters » Advanced Parameters » Forms)</em>. Note that this will decrease performances.
</p>
<divclass="notetip">In production environment for network performance, prefer using minified versions of javascript and css libs: use <code>make install <strong>PROD=yes</strong></code>. This is done by default in RPM/DEB packages.
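Review bot: "if your load-balancer doesn't keep state" is ambiguous; what the local-storage token scheme needs is session affinity, so "if your load-balancer doesn't provide sticky sessions" would be clearer, and "this will decrease performances" should be "this will decrease performance". The build tip reads better as "In a production environment, prefer the minified versions of the JavaScript and CSS libraries for network performance: use make install PROD=yes. This is done by default in the RPM/DEB packages."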
@@ -262,11 +266,11 @@ Index -> ipAddr uid</pre>
<p>
Note that Apache::Session::Browseable::MySQL doesn't use MySQL locks.
</p>
<divclass="notetip">A <ahref="https://metacpan.org/module/Apache::Session::Browseable::Redis"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::Redis"rel="nofollow">Apache::Session::Browseable::Redis</a> has been created, it is the faster (except for session explorer, defeated by Apache::Session::Browseable::<ahref="https://metacpan.org/module/Apache::Session::Browseable"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable"rel="nofollow">DBI</a>/<ahref="https://metacpan.org/module/Apache::Session::Browseable::LDAP"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::LDAP"rel="nofollow">LDAP</a>>= 1.0)
<divclass="notetip">A <ahref="https://metacpan.org/module/Apache::Session::Browseable::Redis"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::Redis"rel="nofollow">Apache::Session::Browseable::Redis</a> has been created, it is the faster (except for session explorer, defeated by Apache::Session::Browseable::<ahref="https://metacpan.org/module/Apache::Session::Browseable"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable"rel="nofollow">DBI</a>/<ahref="https://metacpan.org/module/Apache::Session::Browseable::LDAP"class="urlextern"title="https://metacpan.org/module/Apache::Session::Browseable::LDAP"rel="nofollow">LDAP</a>≥ 1.0)
</div><divclass="noteimportant">Some Apache::Session module are not fully usable by Lemonldap::NG such as Apache::Session::Memcached since this modules do not offer capability to browse sessions. They does not allow one to use sessions explorer neither manage one-off sessions.
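Review bot: the only change here is ">= 1.0" becoming "≥ 1.0" in the Redis tip, but that sentence has larger problems worth fixing in the same edit: "it is the faster" should be "it is the fastest", and the version qualifier is glued to "DBI/LDAP" with no space, so it is unclear whether "≥ 1.0" refers to the Browseable::DBI/LDAP modules or to something else. The noteimportant that follows also needs grammar work: "Some Apache::Session module are not fully usable ... since this modules do not offer capability to browse sessions. They does not allow one to use sessions explorer neither manage one-off sessions" → "Some Apache::Session modules, such as Apache::Session::Memcached, are not fully usable by Lemonldap::NG because they cannot browse sessions; they allow neither the session explorer nor the management of one-off sessions". "Note that Apache::Session::Browseable::MySQL doesn't use MySQL locks" would help readers more if it said what that implies for concurrent writes.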