LEMONLDAP::NG : Change in configuration storage format (Closes: #307173) and documentation

5ffac300 · Xavier Guimard · d420e2bb · 5ffac300 · 5ffac300 · 5ffac300
Commit 5ffac300 authored Jun 13, 2007 by Xavier Guimard
14 changed files
--- a/build/lemonldap-ng/_example/conf/lmConf-1
+++ b/build/lemonldap-ng/_example/conf/lmConf-1
@@ -19,23 +19,32 @@ portal
 domain
 	'example.com'

+whatToTrace
+	'$uid'
+
+groups
+	'$data1 = {};'
+
+macros
+	'$data1 = {};'
+
 globalStorage
 	'Apache::Session::File'

 globalStorageOptions
-	'BAcEMTIzNAQEBAgZAAEAAAAXBC90bXACCQAAAERpcmVjdG9yeQ=='
+	'$data1 = {&39;Directory&39; => &39;/tmp&39;};'

 exportedHeaders
-	'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwQkdWlkAgkAAABBdXRoLVVzZXICEAAAAHRlc3QuZXhhbXBsZS5jb20='
+	'$data1 = {&39;test.example.com&39; => {&39;Auth-User&39; => &39;$uid&39;}};'

 exportedVars
-	'BAcEMTIzNAQEBAgZAAMAAAAXA3VpZAIDAAAAdWlkFwJjbgICAAAAY24XBG1haWwCBAAAAG1haWw='
+	'$data1 = {&39;uid&39; => &39;uid&39;,&39;cn&39; => &39;cn&39;,&39;mail&39; => &39;mail&39;};'

 authentication
 	'ldap'

 locationRules
-	'BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwZhY2NlcHQCBwAAAGRlZmF1bHQCEAAAAHRlc3QuZXhhbXBsZS5jb20='
+	'$data1 = {&39;test.example.com&39; => {&39;default&39; => &39;accept&39;}};'

 cfgNum
 	1

--- a/build/lemonldap-ng/debian/README.Debian
+++ b/build/lemonldap-ng/debian/README.Debian
@@ -2,28 +2,19 @@ lemonldap-ng for Debian
 -----------------------

 Topics:
- 1 - Configuration storage
+ 1 - Manager installation
 2 - Portal installation
- 3 - Manager installation
- 4 - Area protection
+ 3 - Area protection
+ 4 - Configuration storage


-I - LEMONLDAP::NG CONFIGURATION STORAGE
---------------------------------------
-Package: liblemonldap-ng-conf-perl
-
-Lemonldap::NG configuration is stored by default in /var/lib/lemonldap-ng/conf.
-Modify /etc/lemonldap-ng/storage.conf to change configuration storage.
-
-1.1 - Migrating from 'File' to 'DBI'
-
-To use DBI mechanism to store configuration, you have to create database. An
-example is given for MySQL in the file
-/usr/share/doc/liblemonldap-ng-conf-perl/examples/lmConfig.mysql.
-If you have a running configuration, use this to populate SQL database :
+I - LEMONLDAP::NG MANAGER INSTALLATION
+----------------------------------------
+Package: liblemonldap-ng-manager-perl

-  perl /usr/share/lemonldap-ng/bin/lmConfig_File2MySQL \
-         /var/lib/lemonldap-ng/conf/lmConf-<last-number>
+liblemonldap-ng-manager-perl installs files named manager-apache.conf and
+manager-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
+and configure it (virtual host has to be adapt).


 II - LEMONLDAP::NG PORTAL INSTALLATION
@@ -32,23 +23,36 @@ Package: liblemonldap-ng-portal-perl

 liblemonldap-ng-portal-perl installs files named portal-apache.conf and
 portal-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
-and personalize files in /var/lib/lemonldap-ng/portal.
+and configure it (virtual host has to be adapt). You can also customize
+/var/lib/lemonldap-ng/portal/index.pl to adapt it to your site. This file is
+protected against upgrade.


-III - LEMONLDAP::NG MANAGER INSTALLATION
----------------------------------------
-Package: liblemonldap-ng-manager-perl
-
-liblemonldap-ng-manager-perl installs files named manager-apache.conf and
-manager-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
-and personalize files in /var/lib/lemonldap-ng/manager.
-
-
-IV - LEMONLDAP::NG AREA PROTECTION
+III - LEMONLDAP::NG AREA PROTECTION
 ----------------------------------
 Package: liblemonldap-ng-handler-perl

 liblemonldap-ng-handler-perl installs a file named MyHandler.pm in
 /var/lib/lemonldap-ng/handler/. See handler-apache.conf or handler-apache2.conf
-in /usr/share/doc/liblemonldap-ng-handler-perl/examples/ to know how to use it.
+in /etc/lemonldap-ng/ to know how to use it.
+
+
+IV - LEMONLDAP::NG CONFIGURATION STORAGE
+---------------------------------------
+Package: liblemonldap-ng-conf-perl
+
+Lemonldap::NG configuration is stored by default in /var/lib/lemonldap-ng/conf.
+Modify /etc/lemonldap-ng/storage.conf to change configuration storage.
+
+1.1 - Migrating from 'File' to 'DBI'
+
+To use DBI mechanism to store configuration, you have to create database. An
+example is given for MySQL in the file
+/usr/share/doc/liblemonldap-ng-conf-perl/examples/lmConfig.mysql.
+If you have a running configuration, use this to populate SQL database :
+
+  perl /usr/share/lemonldap-ng/bin/lmConfig_File2MySQL -c \
+         /var/lib/lemonldap-ng/conf/lmConf-<last-number>
+
+"-c" options adds "create table" instruction.

--- a/build/lemonldap-ng/debian/changelog
+++ b/build/lemonldap-ng/debian/changelog
+lemonldap-ng (0.8.2.3) unstable; urgency=low
+
+  * Change configuration storage format (Storable bug).
+    Closes: #307173/objectweb.org
+
+ -- Xavier Guimard <x.guimard@free.fr>  Wed, 13 Jun 2007 13:49:27 +0200
+
 lemonldap-ng (0.8.2.2) unstable; urgency=low

  * Debian packages modifications due to Lintian control.

--- a/build/lemonldap-ng/debian/handler-apache.conf
+++ b/build/lemonldap-ng/debian/handler-apache.conf
@@ -5,7 +5,9 @@
 	# Area protection
 	PerlHeaderParserHandler My::Package

-	# Configuration reload mechanism
+	# Configuration reload mechanism (only 1 per physical server is
+	# needed): choose your URL to avoid restarting Apache when
+	# configuration change
 	<Location /reload>
 		Order deny,allow
 		Deny from all
@@ -13,7 +15,7 @@
 		PerlHeaderParserHandler My::Package->refresh
 	</Location>

-	# Optional interception of the logout URL
+	# Optional interception of the logout URL => single logout
 	<Location /logout>
 		PerlHeaderParserHandler My::Package->logout
 	</Location>

--- a/build/lemonldap-ng/debian/handler-apache2.conf
+++ b/build/lemonldap-ng/debian/handler-apache2.conf
@@ -6,7 +6,9 @@ PerlOptions +GlobalRequest
 	# Area protection
 	PerlHeaderParserHandler My::Package

-	# Configuration reload mechanism
+	# Configuration reload mechanism (only 1 per physical server is
+	# needed): choose your URL to avoid restarting Apache when
+	# configuration change
 	<Location /reload>
 		Order deny,allow
 		Deny from all
@@ -14,7 +16,7 @@ PerlOptions +GlobalRequest
 		PerlHeaderParserHandler My::Package->refresh
 	</Location>

-	# Optional interception of the logout URL
+	# Optional interception of the logout URL => single logout
 	<Location /logout>
 		PerlHeaderParserHandler My::Package->logout
 	</Location>

--- a/build/lemonldap-ng/debian/liblemonldap-ng-conf-perl.postinst
+++ b/build/lemonldap-ng/debian/liblemonldap-ng-conf-perl.postinst
@@ -17,6 +17,6 @@ then
        db_get liblemonldap-ng-conf-perl/$i || true
        perl -000 -i -pe "s#^$i(\\n\\s+)('?)[^\\n]*?('?)\$#$i\${1}\${2}$RET\${3}#m" $FIRSTCONFFILE
    done
-    perl -000 -i -pe "s#^(globalStorageOptions\\n\\s+)'[^\\n]*?'\$#\${1}\'BAcEMTIzNAQEBAgDAgAAAAofL3Zhci9saWIvbGVtb25sZGFwLW5nL3Nlc3Npb25zLwkAAABEaXJlY3RvcnkKJC92YXIvbGliL2xlbW9ubGRhcC1uZy9zZXNzaW9ucy9sb2NrLw0AAABMb2NrRGlyZWN0b3J5'#m" $FIRSTCONFFILE
+    perl -000 -i -pe "s#^(globalStorageOptions\\n\\s+)'[^\\n]*?'\$#\${1}\'\\\$data1 = {&39;Directory&39; => &39;/var/lib/lemonldap-ng/sessions/&39;,&39;LockDirectory&39; => &39;/var/lib/lemonldap-ng/sessions/lock/&39;};'#m" $FIRSTCONFFILE
 fi
 exit 0
--- a/build/lemonldap-ng/doc/faq-fr.html
+++ b/build/lemonldap-ng/doc/faq-fr.html
@@ -306,9 +306,9 @@ __PACKAGE__-&gt;init ( {
    </ol>Pour le deuxi&egrave;me point, la modification est tr&egrave;s simple
    : il faut remplacer <tt>$uid</tt> par <tt>$cn</tt> dans le champ
    "Param&egrave;tres g&eacute;n&eacute;raux -&gt; Donn&eacute;e &agrave;
-    inscrire dans les journaux d'Apache (et v&eacute;rifier que cette variable
-    est d&eacute;clar&eacute;e dand les attributs &agrave; exporter). Le
-    changement de filtre de recherche n&eacute;cessite la surcharge d'une
+    inscrire dans les journaux d'Apache" (et v&eacute;rifier que cette
+    variable est d&eacute;clar&eacute;e dand les attributs &agrave; exporter).
+    Le changement de filtre de recherche n&eacute;cessite la surcharge d'une
    m&eacute;thode dans le portail. Cette modification peut &ecirc;tre
    effectu&eacute;e comme suit:
    <pre>
@@ -351,9 +351,7 @@ my $portal = Lemonldap::NG::Portal::SharedConf-&gt;new(
  # on peut aussi utiliser mod_rewrite
  # RewriteEngine On
  # RewriteRule /(.*)$ <span class="nobr"><a href=
-"http://serveur-reel/$1">http://serveur-reel/$1</a></span> <a class=
-"wikicreatelink" href="/xwiki/bin/edit/NG/P?parent=NG.FAQ"><span class=
-"wikicreatelinktext">P</span><span class="wikicreatelinkqm">?</span></a>
+"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
 &lt;/VirtualHost&gt;
 </pre>


--- a/build/lemonldap-ng/doc/faq.html
+++ b/build/lemonldap-ng/doc/faq.html
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
+<head>
+  <meta name="generator" content=
+  "HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org" />
+
+  <title>FAQ LEMONLDAP::NG</title>
+  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
+</head>
+
+<body>
+  <div class="main-content">
+    <h2 class="heading-1"><span id=
+    "HLemonldap3A3ANGFrequentlyAskedQuestions">Lemonldap::NG Frequently Asked
+    Questions</span></h2>
+
+    <p class="paragraph"></p>
+
+    <ul>
+      <li>
+        <a href="#HGeneralquestions">General questions</a>
+
+        <ul>
+          <li><a href="#HWhatisaWebSSO3F">What is a Web-SSO ?</a></li>
+
+          <li><a href=
+          "#HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What brings
+          Lemonldap::NG compared to the other Web-SSO ?</a></li>
+        </ul>
+      </li>
+
+      <li>
+        <a href="#HConfiguration">Configuration</a>
+
+        <ul>
+          <li><a href="#HWhattypeofconfigurationstoragehastobeused3F">What
+          type of configuration storage has to be used ?</a></li>
+
+          <li><a href="#HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The
+          provided example works with HTTP, but not with HTTPS.</a></li>
+
+          <li><a href="#HForwhatisusedthe22https22parameter3F">For what is
+          used the "https" parameter ?</a></li>
+
+          <li><a href="#HWhatisanautoprotectedCGI3F">What is an auto-protected
+          CGI ?</a></li>
+
+          <li><a href="#HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to
+          use Lemonldap::NG with Active-Directory ?</a></li>
+
+          <li><a href="#HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use
+          Lemonldap::NG as reverse-proxy ?</a></li>
+        </ul>
+      </li>
+
+      <li>
+        <a href="#HOperation">Operation</a>
+
+        <ul>
+          <li><a href="#HWithwhatservesthehandlerlocalcache3F">With what
+          serves the handler local cache ?</a></li>
+
+          <li><a href=
+          "#HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why
+          handlers local cache can not be configured by the manager ?</a></li>
+
+          <li><a href=
+          "#HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
+          <i class="italic">Cross Domain Authentication</i> (CDA) ?</a></li>
+
+          <li><a href=
+          "#HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How works
+          the <i class="italic">Cross Domain Authentication</i> (CDA)
+          ?</a></li>
+        </ul>
+      </li>
+
+      <li>
+        <a href="#HAuthentication">Authentication</a>
+
+        <ul>
+          <li><a href="#HHowtochangeauthenticationscheme3F">How to change
+          authentication scheme ?</a></li>
+        </ul>
+      </li>
+    </ul>
+
+    <h3 class="heading-1-1"><span id="HGeneralquestions">General
+    questions</span></h3>
+
+    <h4 class="heading-1-1-1"><span id="HWhatisaWebSSO3F">What is a Web-SSO
+    ?</span></h4>
+
+    <p class="paragraph"></p>A SSO <i class="italic">(Single Sign On)</i> is a
+    system that is used to share authentications between many applications.
+    Users authentify themself only one time and is never prompted when he
+    tries to access to another application. Kerberos (used in Active
+    Directory) for example is a SSO. The problem with these systems is that in
+    addition to their heaviness, they apply only to internal networks and to
+    relatively homogeneous machines.
+
+    <p class="paragraph"></p>The Web-SSO is the bearing of this principle
+    restricted with the Web applications. The user is thus authenticated with
+    the first access to a protected Web application and the authentifications
+    are propagated when it changes application. The large advantage is whereas
+    the system is usable on Internet without pre-necessary on the stations
+    customers (they just have to accept session cookies). For example, when a
+    user reaches a Google letter-box, it is not authentified if it reaches the
+    groups management application or any other Google application.
+
+    <h4 class="heading-1-1-1"><span id=
+    "HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What brings
+    Lemonldap::NG compared to the other Web-SSO ?</span></h4>
+
+    <ul class="star">
+      <li>Lemonldap::NG like lemonldap run as Perl Apache modules and offer
+      performances which make unperceivable the treatment of the access
+      control.</li>
+
+      <li>One of the other strong points of Lemonldap::NG is its capacity to
+      manage the rights in a centralized way: the standard SSO Kerberos or
+      CASE allow authentication share but delegate management access
+      authorizations to the applications. In the case of Lemonldap::NG,
+      management rights can be centralized completely, partly or at all for
+      each application&nbsp;: Lemonldap::NG provides a system of authorization
+      based on the sorting of the URL by regular expressions associated to
+      rules. It also provides HTTP headers containing any of the user LDAP
+      atributes to the remote application. The remote application can then
+      manage the traceability of the access and possibly authorization (see to
+      it <span class="wikiexternallink"><a href=
+      "http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation#HMC3A9canismesd27authentification2Cd27autorisa%20tionetdetraC3A7abilitC3A9">
+      documentation AAA</a></span>).</li>
+
+      <li>Lemonldap::NG can publish every LDAP attributes or calculated
+      expressions issued from them. So applications can avoid consulting LDAP
+      server.</li>
+
+      <li>Lemonldap::NG treats all the hosted sites independently (virtual or
+      real): every application can so have its personalized HTTP headers.</li>
+
+      <li>Lemonldap::NG provide an web based administration interface simply
+      presenting the configuration, the access policy and the per sites
+      headers (see the <span class="wikiexternallink"><a href=
+      "http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">demonstration</a></span>).
+      A restricted interface can also be used to show only some virtual hosts
+      (for reading and/or writing): the interface of administration can thus
+      be partially delegated.</li>
+    </ul>
+
+    <h3 class="heading-1-1"><span id=
+    "HConfiguration">Configuration</span></h3>
+
+    <h4 class="heading-1-1-1"><span id=
+    "HWhattypeofconfigurationstoragehastobeused3F">What type of configuration
+    storage has to be used ?</span></h4>
+
+    <p class="paragraph"></p>Lemonldap::NG provides 3 configuration storage
+    systems:
+
+    <ul class="star">
+      <li><strong class="strong">File</strong>: the most simple system, it can
+      be used only if all your servers share a file system. It can be used for
+      example if all virtual hosts are on the same server,</li>
+
+      <li><strong class="strong">DBI</strong>: <span class=
+      "wikiexternallink"><a href=
+      "http://www.linuxmanpages.com/man3/DBI.3pm.php">DBI(3)</a></span> is a
+      database access module for the Perl programming language. Used with
+      Lemonldap::NG, it permits to share configuration between servers that
+      can access to the same database. This is the recommended sheme on a
+      server network.</li>
+
+      <li><strong class="strong">SOAP</strong>: This system is not a real
+      storage system, but permits to a remote server to access to the
+      configuration by a single HTTP(S) connection. The SOAP server use File
+      or DBI to access to the real configuration and act as a proxy.</li>
+    </ul>
+
+    <h4 class="heading-1-1-1"><span id=
+    "HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example
+    works with HTTP, but not with HTTPS.</span></h4>
+
+    <p class="paragraph"></p>In the redirection mechanism to the portal then
+    to the protected site, you have to indicate to the handler if users access
+    by HTTPS or HTTP to it. This is done by the <tt>https</tt> parameter. This
+    parameter has to be configured directly in the handlers is not accessible
+    by the manager interface:
+
+    <p class="paragraph"></p>
+    <pre>
+__PACKAGE__-&gt;init ( {
+    localStorage        =&gt; "Cache::FileCache",
+    localStorageOptions =&gt; {
+              'namespace'          =&gt; 'MyNamespace',
+              'default_expires_in' =&gt; 600,
+              'directory_umask'    =&gt; '007',
+              'cache_root'         =&gt; '/tmp',
+              'cache_depth'        =&gt; 5,
+    },
+    configStorage       =&gt; {
+              type                 =&gt; 'File',
+              dirName              =&gt; '/var/lib/lemonldap-ng/conf',
+    },
+    <strong class="strong">https               =&gt; 1</strong>,
+} );
+</pre>
+
+    <h4 class="heading-1-1-1"><span id=
+    "HForwhatisusedthe22https22parameter3F">For what is used the "https"
+    parameter ?</span></h4>
+
+    <p class="paragraph"></p>This parameter is used only in authentication
+    portal redirections. It is just used to indicate to the portal that after
+    authentification, the user must be redirected towards the application
+    using https and not http.
+
+    <h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is
+    an auto-protected CGI ?</span></h4>
+
+    <p class="paragraph"></p>When you have just 1 Perl CGI to protect in a
+    VirtualHost, you can use an auto-protected CGI instead of using a
+    Lemonldap::NG handler:
+
+    <p class="paragraph"></p>
+    <pre>
+  use Lemonldap::NG::Handler::CGI;
+  my $cgi = Lemonldap::NG::Handler::CGI-&gt;new ( {
+      # same parameters than a Lemonldap::NG::Handler::SharedConf handler
+    }
+  );
+  $cgi-&gt;authenticate;
+</pre>
+
+    <p class="paragraph"></p>In the example above, $cgi is a CGI(3) object.
+    The only difference is that it has some additional functions:
+
+    <ul class="star">
+      <li>authenticate : to call Lemonldap::NG authentication mechanism,</li>
+
+      <li>autorize : use it if you want to use the manager to manage the
+      access policy,</li>
+
+      <li>user : returns an hash table containing user parameters,</li>
+
+      <li>group : used to validate group permet de valider group
+      membership.</li>
+    </ul>This type of CGI is very usefull when rights can not be distinguish
+    by URL (fields in POST requests for example). See the
+    Lemonldap::NG::Handler::CGI(3) man page for more.
+
+    <h4 class="heading-1-1-1"><span id=
+    "HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to use Lemonldap::NG
+    with Active-Directory ?</span></h4>
+
+    <p class="paragraph"></p>Active-Directory uses <tt>cn</tt> field instead
+    of <tt>uid</tt> as unique identifier. You have so to modify Lemonldap::NG
+    configuration in 2 points&nbsp;:
+
+    <ol>
+      <li>the field <tt>cn</tt> (or <tt>samAccountName</tt>) has to be used to
+      find the user in the portal,</li>
+
+      <li>Apache has to use this field in logs.</li>
+    </ol>For the second point, you have to replace <tt>$uid</tt> by
+    <tt>$cn</tt> in the field "General Parameters -&gt; Attribute to use in
+    Apache's logs" (and to verify that this variable is an exported
+    attribute). The LDAP filter change needs to overload a subroutine in the
+    portail. This can be done so&nbsp;:
+
+    <p class="paragraph"></p>
+    <pre>
+#!/usr/bin/perl
+use Lemonldap::NG::Portal::SharedConf;
+my $portal = Lemonldap::NG::Portal::SharedConf-&gt;new(
+    {
+        configStorage =&gt; {
+            type    =&gt; 'File',
+            dirName =&gt; '/var/lib/lemonldap-ng/conf',
+        },
+        <strong class="strong">formateFilter =&gt; sub {</strong>
+            my $self = shift;
+            $self-&gt;{filter} = "(&amp;(cn=" . $self-&gt;{user} . ")(objectClass=person))";
+            PE_OK;
+        } # end of overload
+    }
+);
+</pre>
+
+    <h4 class="heading-1-1-1"><span id=
+    "HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use Lemonldap::NG as
+    reverse-proxy ?</span></h4>
+
+    <p class="paragraph"></p>Lemonldap::NG protects Apache VirtualHosts. To
+    use it as reverse-proxy, you just have to configure Apache as
+    reverse-proxy&nbsp;:
+
+    <p class="paragraph"></p>
+    <pre>
+# httpd.conf
+&lt;VirtualHost *&gt;
+  ServerName MyApplication.com
+  PerlRequire MyFile
+  PerlHeaderParserHandler My::Package
+  ProxyPass / <span class="nobr"><a href=
+"http://real-server/">http://real-server/</a></span>
+  ProxyPassReverse / <span class="nobr"><a href=
+"http://real-server/">http://real-server/</a></span>
+  # You can also use mod_rewrite instead of mod_proxy
+  # RewriteEngine On
+  # RewriteRule /(.*)$ <span class="nobr"><a href=
+"http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
+&lt;/VirtualHost&gt;
+</pre>
+
+    <p class="paragraph"></p>If you prefer to use a Perl proxy, Lemonldap::NG
+    provides one (Lemonldap::NG::Handler::Proxy(3))
+
+    <h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>
+
+    <h4 class="heading-1-1-1"><span id=
+    "HWithwhatservesthehandlerlocalcache3F">With what serves the handler local
+    cache ?</span></h4>
+
+    <p class="paragraph"></p>The handler local cache is used for 2 things :
+
+    <ul class="star">
+      <li>share configuration between Apache process : this avoid downloading
+      configuration for each new process. This is required for the reload
+      mechanism system that avoid restarting Apache,</li>
+
+      <li>share sessions between Apache process and threads : this avoid
+      having to request the central sessions storage for each hit. For example
+      with Apache::Session::MySQL, we transform TCP requests in file system
+      requests. This increase performances.</li>
+    </ul>
+
+    <h4 class="heading-1-1-1"><span id=
+    "HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why handlers
+    local cache can not be configured by the manager ?</span></h4>
+
+    <p class="paragraph"></p>The local cache has to be choosed nad configured
+    for each server: for example with the Cache::FileCache module, the storage
+    directory can be different. An other point is that the local storage can
+    not be reloaded without restarting Apache, but all parameters managed by
+    the manager can do it.
+
+    <h4 class="heading-1-1-1"><span id=
+    "HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the
+    <i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
+
+    <p class="paragraph"></p>The Lemonldap::NG sessions propagation system is
+    based on cookies, but cookies are attached to a DNS domain. Lemonldap::NG
+    provides a system to bypass this restriction: you just have to use a
+    Lemonldap::NG::Portal::CDA portal and Lemonldap::NG::Handler::CDA handlers
+    in all protected sites outwards the portal DNS domain.
+
+    <h4 class="heading-1-1-1"><span id=
+    "HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How works the
+    <i class="italic">Cross Domain Authentication</i> (CDA) ?</span></h4>
+
+    <p class="paragraph"></p>Lemonldap::NG::Portal::CDA portal detects if
+    required URL is in the same domain. If not, it adds a parameter to this
+    request. When the user returns to the protected application,
+    Lemonldap::NG::Handler::CDA agent detects this parameter et generate a
+    cookie in its domain.
+
+    <h3 class="heading-1-1"><span id=
+    "HAuthentication">Authentication</span></h3>
+
+    <h4 class="heading-1-1-1"><span id=
+    "HHowtochangeauthenticationscheme3F">How to change authentication scheme
+    ?</span></h4>
+
+    <p class="paragraph"></p>Lemonldap::NG provides several authentication
+    modes (to use in the "authentification" field of the administration
+    interface)&nbsp;:
+
+    <ul class="star">
+      <li><strong class="strong">ldap</strong> : this is the default mode :
+      portal tries to connect to the LDAP server with the user
+      credentials,</li>
+
+      <li><strong class="strong">CAS</strong> : Lemonldap::NG portal becomes a
+      simple CAS proxy : if the user is not authenticated, it is redirected to
+      the CAS portal,</li>
+
+      <li><strong class="strong">SSL</strong> : in this scheme, authentication
+      is done by Apache by SSL. This is usefull to replace complete SSL
+      protection: only one SSL negociation is used instead,</li>
+
+      <li><strong class="strong">Apache</strong> : in this scheme,
+      authentication is done by Apache. For example with Kerberos, the Apache
+      Kerberos module protects only the portal. This increases performances
+      because only one Kerberos negociation has to be done for all protected
+      applications.</li>
+    </ul>
+  </div>
+</body>
+</html>
--- a/build/lemonldap-ng/scripts/doc.pl
+++ b/build/lemonldap-ng/scripts/doc.pl
@@ -6,6 +6,7 @@ use utf8;

 my $docs = {
    'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=fr'               => 'faq-fr.html',
+    'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=en'               => 'faq.html',
    'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=en'      => 'overview.html',
    'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=fr'      => 'overview-fr.html',
    'http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstallExample?language=en' => 'install.html',

--- a/modules/lemonldap-ng-manager/Changes
+++ b/modules/lemonldap-ng-manager/Changes
 Revision history for Perl extension Lemonldap::NG::Manager.

+0.7   Tue jun 12 22:20:54 2007
+	- Changing storage format due to a bug in Storable module
+
 0.66  Tue May 15 19:53:40 2007
 	- Little bug correction: '-' is authorized in domain names


--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
@@ -16,7 +16,7 @@ use MIME::Base64;

 our @ISA = qw(Lemonldap::NG::Manager::Base);

-our $VERSION = '0.66';
+our $VERSION = '0.7';

 sub new {
    my ( $class, $args ) = @_;

--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf.pm
@@ -2,11 +2,12 @@ package Lemonldap::NG::Manager::Conf;

 use strict;
 no strict 'refs';
-use Storable qw(thaw freeze);
-use MIME::Base64;
+use Data::Dumper;
 use Lemonldap::NG::Manager::Conf::Constants;

-our $VERSION = 0.45;