Xavier Bachelot / lemonldap-ng / Commits / 5ffac300

Commit 5ffac300 authored Jun 13, 2007 by Xavier Guimard
LEMONLDAP::NG : Change in configuration storage format (Closes: #307173) and documentation
parent d420e2bb

Changes: 14 changed files with 501 additions and 56 deletions (+501 -56)

build/lemonldap-ng/_example/conf/lmConf-1 (+13 -4)
build/lemonldap-ng/debian/README.Debian (+34 -30)
build/lemonldap-ng/debian/changelog (+7 -0)
build/lemonldap-ng/debian/handler-apache.conf (+4 -2)
build/lemonldap-ng/debian/handler-apache2.conf (+4 -2)
build/lemonldap-ng/debian/liblemonldap-ng-conf-perl.postinst (+1 -1)
build/lemonldap-ng/doc/faq-fr.html (+4 -6)
build/lemonldap-ng/doc/faq.html (+402 -0)
build/lemonldap-ng/scripts/doc.pl (+1 -0)
modules/lemonldap-ng-manager/Changes (+3 -0)
modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm (+1 -1)
modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf.pm (+22 -7)
modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf/DBI.pm (+1 -2)
modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Simple.pm (+4 -1)
build/lemonldap-ng/_example/conf/lmConf-1
@@ -19,23 +19,32 @@ portal
domain
'example.com'
whatToTrace
'$uid'
groups
'$data1 = {};'
macros
'$data1 = {};'
globalStorage
'Apache::Session::File'
globalStorageOptions
'
BAcEMTIzNAQEBAgZAAEAAAAXBC90bXACCQAAAERpcmVjdG9yeQ==
'
'
$data1 = {&39;Directory&39; => &39;/tmp&39;};
'
exportedHeaders
'
BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwQkdWlkAgkAAABBdXRoLVVzZXICEAAAAHRlc3QuZXhhbXBsZS5jb20=
'
'
$data1 = {&39;test.example.com&39; => {&39;Auth-User&39; => &39;$uid&39;}};
'
exportedVars
'
BAcEMTIzNAQEBAgZAAMAAAAXA3VpZAIDAAAAdWlkFwJjbgICAAAAY24XBG1haWwCBAAAAG1haWw=
'
'
$data1 = {&39;uid&39; => &39;uid&39;,&39;cn&39; => &39;cn&39;,&39;mail&39; => &39;mail&39;};
'
authentication
'ldap'
locationRules
'
BAcEMTIzNAQEBAgZAAEAAAAEGQABAAAAFwZhY2NlcHQCBwAAAGRlZmF1bHQCEAAAAHRlc3QuZXhhbXBsZS5jb20=
'
'
$data1 = {&39;test.example.com&39; => {&39;default&39; => &39;accept&39;}};
'
cfgNum
1
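Review bot: the new values of globalStorageOptions, exportedHeaders, exportedVars and locationRules are Perl source (`$data1 = {...};`, Data::Dumper output) in place of the base64 Storable blobs, so whatever loads this file now has to eval the stored strings; that turns the configuration store into a code-execution boundary, and the File and DBI backends should be documented as needing write access restricted to the manager. Also, the inner quotes in the new lines render as `&39;` while the outer quotes are plain `'`: if that is an escaping convention for quotes inside the single-quoted value, the loader has to undo it before the eval and Conf.pm should document it; if it is only rendering residue, check that the committed file contains plain quotes, because `{&39;Directory&39; => ...}` is not valid Perl.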
build/lemonldap-ng/debian/README.Debian
@@ -2,28 +2,19 @@ lemonldap-ng for Debian
-----------------------
Topics:
1 -
Configuration storage
1 -
Manager installation
2 - Portal installation
3 -
Manager installa
tion
4 -
Area protection
3 -
Area protec
tion
4 -
Configuration storage
I - LEMONLDAP::NG CONFIGURATION STORAGE
---------------------------------------
Package: liblemonldap-ng-conf-perl
Lemonldap::NG configuration is stored by default in /var/lib/lemonldap-ng/conf.
Modify /etc/lemonldap-ng/storage.conf to change configuration storage.
1.1 - Migrating from 'File' to 'DBI'
To use DBI mechanism to store configuration, you have to create database. An
example is given for MySQL in the file
/usr/share/doc/liblemonldap-ng-conf-perl/examples/lmConfig.mysql.
If you have a running configuration, use this to populate SQL database :
I - LEMONLDAP::NG MANAGER INSTALLATION
----------------------------------------
Package: liblemonldap-ng-manager-perl
perl /usr/share/lemonldap-ng/bin/lmConfig_File2MySQL \
/var/lib/lemonldap-ng/conf/lmConf-<last-number>
liblemonldap-ng-manager-perl installs files named manager-apache.conf and
manager-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
and configure it (virtual host has to be adapt).
II - LEMONLDAP::NG PORTAL INSTALLATION
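Review bot: the topics list now reads 1 Configuration storage, 2 Portal installation, 3 Manager installation, 4 Area protection, but the storage section that moves to the top is headed "I" while its sub-heading stays "1.1", and the manager section removed here was also "I"; check that the Roman numerals (I-IV) and the topic numbers (1-4) agree after the reorder. "Manager installa" / "tion" and "Area protec" / "tion" appear split across lines in this hunk; if those are real line breaks in the file rather than a rendering artefact, join them.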
@@ -32,23 +23,36 @@ Package: liblemonldap-ng-portal-perl
liblemonldap-ng-portal-perl installs files named portal-apache.conf and
portal-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
and personalize files in /var/lib/lemonldap-ng/portal.
and configure it (virtual host has to be adapt). You can also customize
/var/lib/lemonldap-ng/portal/index.pl to adapt it to your site. This file is
protected against upgrade.
III - LEMONLDAP::NG MANAGER INSTALLATION
----------------------------------------
Package: liblemonldap-ng-manager-perl
liblemonldap-ng-manager-perl installs files named manager-apache.conf and
manager-apache2.conf in /etc/lemonldap-ng/. Include it in apache configuration
and personalize files in /var/lib/lemonldap-ng/manager.
IV - LEMONLDAP::NG AREA PROTECTION
III - LEMONLDAP::NG AREA PROTECTION
----------------------------------
Package: liblemonldap-ng-handler-perl
liblemonldap-ng-handler-perl installs a file named MyHandler.pm in
/var/lib/lemonldap-ng/handler/. See handler-apache.conf or handler-apache2.conf
in /usr/share/doc/liblemonldap-ng-handler-perl/examples/ to know how to use it.
in /etc/lemonldap-ng/ to know how to use it.
IV - LEMONLDAP::NG CONFIGURATION STORAGE
---------------------------------------
Package: liblemonldap-ng-conf-perl
Lemonldap::NG configuration is stored by default in /var/lib/lemonldap-ng/conf.
Modify /etc/lemonldap-ng/storage.conf to change configuration storage.
1.1 - Migrating from 'File' to 'DBI'
To use DBI mechanism to store configuration, you have to create database. An
example is given for MySQL in the file
/usr/share/doc/liblemonldap-ng-conf-perl/examples/lmConfig.mysql.
If you have a running configuration, use this to populate SQL database :
perl /usr/share/lemonldap-ng/bin/lmConfig_File2MySQL -c \
/var/lib/lemonldap-ng/conf/lmConf-<last-number>
"-c" options adds "create table" instruction.
build/lemonldap-ng/debian/changelog
lemonldap-ng (0.8.2.3) unstable; urgency=low
* Change configuration storage format (Storable bug).
Closes: #307173/objectweb.org
-- Xavier Guimard <x.guimard@free.fr> Wed, 13 Jun 2007 13:49:27 +0200
lemonldap-ng (0.8.2.2) unstable; urgency=low
* Debian packages modifications due to Lintian control.
...
build/lemonldap-ng/debian/handler-apache.conf
@@ -5,7 +5,9 @@
# Area protection
PerlHeaderParserHandler
My
::
Package
# Configuration reload mechanism
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<
Location
/
reload
>
Order
deny
,
allow
Deny
from
all
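Review bot: the new comment reads "when configuration change"; make it "when the configuration changes". The comment should also say why the <Location /reload> block keeps "Order deny,allow" / "Deny from all": the refresh URL must stay reachable only from the hosts allowed to trigger a reload, so an administrator who "chooses their URL" as the comment suggests should move the access restriction along with it rather than drop it.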
@@ -13,7 +15,7 @@
PerlHeaderParserHandler
My
::
Package
->
refresh
</
Location
>
# Optional interception of the logout URL
# Optional interception of the logout URL
=> single logout
<
Location
/
logout
>
PerlHeaderParserHandler
My
::
Package
->
logout
</
Location
>
build/lemonldap-ng/debian/handler-apache2.conf
@@ -6,7 +6,9 @@ PerlOptions +GlobalRequest
# Area protection
PerlHeaderParserHandler
My
::
Package
# Configuration reload mechanism
# Configuration reload mechanism (only 1 per physical server is
# needed): choose your URL to avoid restarting Apache when
# configuration change
<
Location
/
reload
>
Order
deny
,
allow
Deny
from
all
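Review bot: this hunk is the same change as in handler-apache.conf (only the offsets differ because of the PerlOptions +GlobalRequest line); consider generating both files from one template in the build directory so the two configurations cannot drift apart on the next edit. The "configuration change" / "configuration changes" fix and the remark about keeping the access restriction on the reload location apply here as well.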
@@ -14,7 +16,7 @@ PerlOptions +GlobalRequest
PerlHeaderParserHandler
My
::
Package
->
refresh
</
Location
>
# Optional interception of the logout URL
# Optional interception of the logout URL
=> single logout
<
Location
/
logout
>
PerlHeaderParserHandler
My
::
Package
->
logout
</
Location
>
build/lemonldap-ng/debian/liblemonldap-ng-conf-perl.postinst
@@ -17,6 +17,6 @@ then
db_get liblemonldap-ng-conf-perl/
$i
||
true
perl
-000
-i
-pe
"s#^
$i
(
\\
n
\\
s+)('?)[^
\\
n]*?('?)
\$
#
$i
\$
{1}
\$
{2}
$RET
\$
{3}#m"
$FIRSTCONFFILE
done
perl
-000
-i
-pe
"s#^(globalStorageOptions
\\
n
\\
s+)'[^
\\
n]*?'
\$
#
\$
{1}
\'
BAcEMTIzNAQEBAgDAgAAAAofL3Zhci9saWIvbGVtb25sZGFwLW5nL3Nlc3Npb25zLwkAAABEaXJlY3RvcnkKJC92YXIvbGliL2xlbW9ubGRhcC1uZy9zZXNzaW9ucy9sb2NrLw0AAABMb2NrRGlyZWN0b3J5
'#m"
$FIRSTCONFFILE
perl
-000
-i
-pe
"s#^(globalStorageOptions
\\
n
\\
s+)'[^
\\
n]*?'
\$
#
\$
{1}
\'
\\\$
data1 = {&39;Directory&39; => &39;/var/lib/lemonldap-ng/sessions/&39;,&39;LockDirectory&39; => &39;/var/lib/lemonldap-ng/sessions/lock/&39;};
'#m"
$FIRSTCONFFILE
fi
exit
0
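Review bot: the replacement now writes Perl source into globalStorageOptions, and the shell-level escaping needed to get a literal `$data1` through double quotes (`\\\$data1`) is fragile: a reader cannot tell at a glance whether the conf file ends up with `$data1`, `\$data1` or `\\$data1`, so the postinst should verify the rewritten value (re-read $FIRSTCONFFILE and check that the line after globalStorageOptions starts with `'$data1 = {`) or hand the work to a Perl script with single-quoted arguments instead of inline -pe code. The preceding loop (context lines) interpolates the debconf answer `$RET` straight into the regex replacement; a value containing `#`, `$` or `@` would end the s### expression early or be interpolated by Perl, so it should be escaped (quotemeta) or passed through an environment variable. Finally, only $FIRSTCONFFILE is rewritten: configurations already stored in the old base64/Storable format are not converted here, so Conf.pm must keep reading that format or a conversion step is missing from this commit.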
build/lemonldap-ng/doc/faq-fr.html
@@ -306,9 +306,9 @@ __PACKAGE__->init ( {
</ol>
Pour le deuxi
è
me point, la modification est tr
è
s simple
: il faut remplacer
<tt>
$uid
</tt>
par
<tt>
$cn
</tt>
dans le champ
"Param
è
tres g
é
n
é
raux -
>
Donn
é
e
à
inscrire dans les journaux d'Apache
(et v
é
rifier que cette variabl
e
est d
é
clar
é
e dand les attributs
à
exporter). Le
changement de filtre de recherche n
é
cessite la surcharge d'une
inscrire dans les journaux d'Apache
" (et v
é
rifier que cett
e
variable est d
é
clar
é
e dand les attributs
à
exporter).
Le
changement de filtre de recherche n
é
cessite la surcharge d'une
m
é
thode dans le portail. Cette modification peut
ê
tre
effectu
é
e comme suit:
<pre>
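Review bot: the re-flowed sentence keeps the typo "dand les attributs" (should be "dans les attributs") in the new lines; since the text is being touched anyway, fix it here. The closing quote after « inscrire dans les journaux d'Apache » that was missing is now present, which is the substantive fix of this hunk.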
@@ -351,9 +351,7 @@ my $portal = Lemonldap::NG::Portal::SharedConf->new(
# on peut aussi utiliser mod_rewrite
# RewriteEngine On
# RewriteRule /(.*)$
<span
class=
"nobr"
><a
href=
"http://serveur-reel/$1"
>
http://serveur-reel/$1
</a></span>
<a
class=
"wikicreatelink"
href=
"/xwiki/bin/edit/NG/P?parent=NG.FAQ"
><span
class=
"wikicreatelinktext"
>
P
</span><span
class=
"wikicreatelinkqm"
>
?
</span></a>
"http://serveur-reel/$1"
>
http://serveur-reel/$1
</a></span>
[P]
<
/VirtualHost
>
</pre>
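Review bot: good removal of the xwiki "wikicreatelink" anchor that the wiki export had inserted into the mod_rewrite comment in place of the literal [P] flag; but faq-fr.html is regenerated from the wiki by scripts/doc.pl, so unless doc.pl strips `<a class="wikicreatelink">` elements (or the wiki page is changed so that [P] is not treated as a page link) this fix will be overwritten the next time the documentation is rebuilt.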
build/lemonldap-ng/doc/faq.html
0 → 100644
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html
xmlns=
"http://www.w3.org/1999/xhtml"
lang=
"fr"
xml:lang=
"fr"
>
<head>
<meta
name=
"generator"
content=
"HTML Tidy for Linux/x86 (vers 1 September 2005), see www.w3.org"
/>
<title>
FAQ LEMONLDAP::NG
</title>
<meta
http-equiv=
"Content-Type"
content=
"text/html; charset=us-ascii"
/>
</head>
<body>
<div
class=
"main-content"
>
<h2
class=
"heading-1"
><span
id=
"HLemonldap3A3ANGFrequentlyAskedQuestions"
>
Lemonldap::NG Frequently Asked
Questions
</span></h2>
<p
class=
"paragraph"
></p>
<ul>
<li>
<a
href=
"#HGeneralquestions"
>
General questions
</a>
<ul>
<li><a
href=
"#HWhatisaWebSSO3F"
>
What is a Web-SSO ?
</a></li>
<li><a
href=
"#HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F"
>
What brings
Lemonldap::NG compared to the other Web-SSO ?
</a></li>
</ul>
</li>
<li>
<a
href=
"#HConfiguration"
>
Configuration
</a>
<ul>
<li><a
href=
"#HWhattypeofconfigurationstoragehastobeused3F"
>
What
type of configuration storage has to be used ?
</a></li>
<li><a
href=
"#HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS"
>
The
provided example works with HTTP, but not with HTTPS.
</a></li>
<li><a
href=
"#HForwhatisusedthe22https22parameter3F"
>
For what is
used the "https" parameter ?
</a></li>
<li><a
href=
"#HWhatisanautoprotectedCGI3F"
>
What is an auto-protected
CGI ?
</a></li>
<li><a
href=
"#HHowtouseLemonldap3A3ANGwithActiveDirectory3F"
>
How to
use Lemonldap::NG with Active-Directory ?
</a></li>
<li><a
href=
"#HHowtouseLemonldap3A3ANGasreverseproxy3F"
>
How to use
Lemonldap::NG as reverse-proxy ?
</a></li>
</ul>
</li>
<li>
<a
href=
"#HOperation"
>
Operation
</a>
<ul>
<li><a
href=
"#HWithwhatservesthehandlerlocalcache3F"
>
With what
serves the handler local cache ?
</a></li>
<li><a
href=
"#HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F"
>
Why
handlers local cache can not be configured by the manager ?
</a></li>
<li><a
href=
"#HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F"
>
What is the
<i
class=
"italic"
>
Cross Domain Authentication
</i>
(CDA) ?
</a></li>
<li><a
href=
"#HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F"
>
How works
the
<i
class=
"italic"
>
Cross Domain Authentication
</i>
(CDA)
?
</a></li>
</ul>
</li>
<li>
<a
href=
"#HAuthentication"
>
Authentication
</a>
<ul>
<li><a
href=
"#HHowtochangeauthenticationscheme3F"
>
How to change
authentication scheme ?
</a></li>
</ul>
</li>
</ul>
<h3
class=
"heading-1-1"
><span
id=
"HGeneralquestions"
>
General
questions
</span></h3>
<h4
class=
"heading-1-1-1"
><span
id=
"HWhatisaWebSSO3F"
>
What is a Web-SSO
?
</span></h4>
<p
class=
"paragraph"
></p>
A SSO
<i
class=
"italic"
>
(Single Sign On)
</i>
is a
system that is used to share authentications between many applications.
Users authentify themself only one time and is never prompted when he
tries to access to another application. Kerberos (used in Active
Directory) for example is a SSO. The problem with these systems is that in
addition to their heaviness, they apply only to internal networks and to
relatively homogeneous machines.
<p
class=
"paragraph"
></p>
The Web-SSO is the bearing of this principle
restricted with the Web applications. The user is thus authenticated with
the first access to a protected Web application and the authentifications
are propagated when it changes application. The large advantage is whereas
the system is usable on Internet without pre-necessary on the stations
customers (they just have to accept session cookies). For example, when a
user reaches a Google letter-box, it is not authentified if it reaches the
groups management application or any other Google application.
<h4
class=
"heading-1-1-1"
><span
id=
"HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F"
>
What brings
Lemonldap::NG compared to the other Web-SSO ?
</span></h4>
<ul
class=
"star"
>
<li>
Lemonldap::NG like lemonldap run as Perl Apache modules and offer
performances which make unperceivable the treatment of the access
control.
</li>
<li>
One of the other strong points of Lemonldap::NG is its capacity to
manage the rights in a centralized way: the standard SSO Kerberos or
CASE allow authentication share but delegate management access
authorizations to the applications. In the case of Lemonldap::NG,
management rights can be centralized completely, partly or at all for
each application
: Lemonldap::NG provides a system of authorization
based on the sorting of the URL by regular expressions associated to
rules. It also provides HTTP headers containing any of the user LDAP
atributes to the remote application. The remote application can then
manage the traceability of the access and possibly authorization (see to
it
<span
class=
"wikiexternallink"
><a
href=
"http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation#HMC3A9canismesd27authentification2Cd27autorisa%20tionetdetraC3A7abilitC3A9"
>
documentation AAA
</a></span>
).
</li>
<li>
Lemonldap::NG can publish every LDAP attributes or calculated
expressions issued from them. So applications can avoid consulting LDAP
server.
</li>
<li>
Lemonldap::NG treats all the hosted sites independently (virtual or
real): every application can so have its personalized HTTP headers.
</li>
<li>
Lemonldap::NG provide an web based administration interface simply
presenting the configuration, the access policy and the per sites
headers (see the
<span
class=
"wikiexternallink"
><a
href=
"http://lemonldap.objectweb.org/NG/ManagerDemo/fr/"
>
demonstration
</a></span>
).
A restricted interface can also be used to show only some virtual hosts
(for reading and/or writing): the interface of administration can thus
be partially delegated.
</li>
</ul>
<h3
class=
"heading-1-1"
><span
id=
"HConfiguration"
>
Configuration
</span></h3>
<h4
class=
"heading-1-1-1"
><span
id=
"HWhattypeofconfigurationstoragehastobeused3F"
>
What type of configuration
storage has to be used ?
</span></h4>
<p
class=
"paragraph"
></p>
Lemonldap::NG provides 3 configuration storage
systems:
<ul
class=
"star"
>
<li><strong
class=
"strong"
>
File
</strong>
: the most simple system, it can
be used only if all your servers share a file system. It can be used for
example if all virtual hosts are on the same server,
</li>
<li><strong
class=
"strong"
>
DBI
</strong>
:
<span
class=
"wikiexternallink"
><a
href=
"http://www.linuxmanpages.com/man3/DBI.3pm.php"
>
DBI(3)
</a></span>
is a
database access module for the Perl programming language. Used with
Lemonldap::NG, it permits to share configuration between servers that
can access to the same database. This is the recommended sheme on a
server network.
</li>
<li><strong
class=
"strong"
>
SOAP
</strong>
: This system is not a real
storage system, but permits to a remote server to access to the
configuration by a single HTTP(S) connection. The SOAP server use File
or DBI to access to the real configuration and act as a proxy.
</li>
</ul>
<h4
class=
"heading-1-1-1"
><span
id=
"HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS"
>
The provided example
works with HTTP, but not with HTTPS.
</span></h4>
<p
class=
"paragraph"
></p>
In the redirection mechanism to the portal then
to the protected site, you have to indicate to the handler if users access
by HTTPS or HTTP to it. This is done by the
<tt>
https
</tt>
parameter. This
parameter has to be configured directly in the handlers is not accessible
by the manager interface:
<p
class=
"paragraph"
></p>
<pre>
__PACKAGE__-
>
init ( {
localStorage =
>
"Cache::FileCache",
localStorageOptions =
>
{
'namespace' =
>
'MyNamespace',
'default_expires_in' =
>
600,
'directory_umask' =
>
'007',
'cache_root' =
>
'/tmp',
'cache_depth' =
>
5,
},
configStorage =
>
{
type =
>
'File',
dirName =
>
'/var/lib/lemonldap-ng/conf',
},
<strong
class=
"strong"
>
https =
>
1
</strong>
,
} );
</pre>
<h4
class=
"heading-1-1-1"
><span
id=
"HForwhatisusedthe22https22parameter3F"
>
For what is used the "https"
parameter ?
</span></h4>
<p
class=
"paragraph"
></p>
This parameter is used only in authentication
portal redirections. It is just used to indicate to the portal that after
authentification, the user must be redirected towards the application
using https and not http.
<h4
class=
"heading-1-1-1"
><span
id=
"HWhatisanautoprotectedCGI3F"
>
What is
an auto-protected CGI ?
</span></h4>
<p
class=
"paragraph"
></p>
When you have just 1 Perl CGI to protect in a
VirtualHost, you can use an auto-protected CGI instead of using a
Lemonldap::NG handler:
<p
class=
"paragraph"
></p>
<pre>
use Lemonldap::NG::Handler::CGI;
my $cgi = Lemonldap::NG::Handler::CGI-
>
new ( {
# same parameters than a Lemonldap::NG::Handler::SharedConf handler
}
);
$cgi-
>
authenticate;
</pre>
<p
class=
"paragraph"
></p>
In the example above, $cgi is a CGI(3) object.
The only difference is that it has some additional functions:
<ul
class=
"star"
>
<li>
authenticate : to call Lemonldap::NG authentication mechanism,
</li>
<li>
autorize : use it if you want to use the manager to manage the
access policy,
</li>
<li>
user : returns an hash table containing user parameters,
</li>
<li>
group : used to validate group permet de valider group
membership.
</li>
</ul>
This type of CGI is very usefull when rights can not be distinguish
by URL (fields in POST requests for example). See the
Lemonldap::NG::Handler::CGI(3) man page for more.
<h4
class=
"heading-1-1-1"
><span
id=
"HHowtouseLemonldap3A3ANGwithActiveDirectory3F"
>
How to use Lemonldap::NG
with Active-Directory ?
</span></h4>
<p
class=
"paragraph"
></p>
Active-Directory uses
<tt>
cn
</tt>
field instead
of
<tt>
uid
</tt>
as unique identifier. You have so to modify Lemonldap::NG
configuration in 2 points
:
<ol>
<li>
the field
<tt>
cn
</tt>
(or
<tt>
samAccountName
</tt>
) has to be used to
find the user in the portal,
</li>
<li>
Apache has to use this field in logs.
</li>
</ol>
For the second point, you have to replace
<tt>
$uid
</tt>
by
<tt>
$cn
</tt>
in the field "General Parameters -
>
Attribute to use in
Apache's logs" (and to verify that this variable is an exported
attribute). The LDAP filter change needs to overload a subroutine in the
portail. This can be done so
:
<p
class=
"paragraph"
></p>
<pre>
#!/usr/bin/perl
use Lemonldap::NG::Portal::SharedConf;
my $portal = Lemonldap::NG::Portal::SharedConf-
>
new(
{
configStorage =
>
{
type =
>
'File',
dirName =
>
'/var/lib/lemonldap-ng/conf',
},
<strong
class=
"strong"
>
formateFilter =
>
sub {
</strong>
my $self = shift;
$self-
>
{filter} = "(
&
(cn=" . $self-
>
{user} . ")(objectClass=person))";
PE_OK;
} # end of overload
}
);
</pre>
<h4
class=
"heading-1-1-1"
><span
id=
"HHowtouseLemonldap3A3ANGasreverseproxy3F"
>
How to use Lemonldap::NG as
reverse-proxy ?
</span></h4>
<p
class=
"paragraph"
></p>
Lemonldap::NG protects Apache VirtualHosts. To
use it as reverse-proxy, you just have to configure Apache as
reverse-proxy
:
<p
class=
"paragraph"
></p>
<pre>
# httpd.conf
<
VirtualHost *
>
ServerName MyApplication.com
PerlRequire MyFile
PerlHeaderParserHandler My::Package
ProxyPass /
<span
class=
"nobr"
><a
href=
"http://real-server/"
>
http://real-server/
</a></span>
ProxyPassReverse /
<span
class=
"nobr"
><a
href=
"http://real-server/"
>
http://real-server/
</a></span>
# You can also use mod_rewrite instead of mod_proxy
# RewriteEngine On
# RewriteRule /(.*)$
<span
class=
"nobr"
><a
href=
"http://serveur-reel/$1"
>
http://serveur-reel/$1
</a></span>
[P]
<
/VirtualHost
>
</pre>
<p
class=
"paragraph"
></p>
If you prefer to use a Perl proxy, Lemonldap::NG
provides one (Lemonldap::NG::Handler::Proxy(3))
<h3
class=
"heading-1-1"
><span
id=
"HOperation"
>
Operation
</span></h3>
<h4
class=
"heading-1-1-1"
><span
id=
"HWithwhatservesthehandlerlocalcache3F"
>
With what serves the handler local
cache ?
</span></h4>
<p
class=
"paragraph"
></p>
The handler local cache is used for 2 things :
<ul
class=
"star"
>
<li>
share configuration between Apache process : this avoid downloading
configuration for each new process. This is required for the reload
mechanism system that avoid restarting Apache,
</li>
<li>
share sessions between Apache process and threads : this avoid
having to request the central sessions storage for each hit. For example
with Apache::Session::MySQL, we transform TCP requests in file system
requests. This increase performances.
</li>
</ul>
<h4
class=
"heading-1-1-1"
><span
id=
"HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F"
>
Why handlers
local cache can not be configured by the manager ?
</span></h4>
<p
class=
"paragraph"
></p>
The local cache has to be choosed nad configured
for each server: for example with the Cache::FileCache module, the storage
directory can be different. An other point is that the local storage can
not be reloaded without restarting Apache, but all parameters managed by
the manager can do it.
<h4
class=
"heading-1-1-1"
><span
id=
"HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F"
>
What is the
<i
class=
"italic"
>
Cross Domain Authentication
</i>
(CDA) ?
</span></h4>
<p
class=
"paragraph"
></p>
The Lemonldap::NG sessions propagation system is
based on cookies, but cookies are attached to a DNS domain. Lemonldap::NG
provides a system to bypass this restriction: you just have to use a
Lemonldap::NG::Portal::CDA portal and Lemonldap::NG::Handler::CDA handlers
in all protected sites outwards the portal DNS domain.
<h4
class=
"heading-1-1-1"
><span
id=
"HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F"
>
How works the
<i
class=
"italic"
>
Cross Domain Authentication
</i>
(CDA) ?
</span></h4>
<p
class=
"paragraph"
></p>
Lemonldap::NG::Portal::CDA portal detects if
required URL is in the same domain. If not, it adds a parameter to this
request. When the user returns to the protected application,
Lemonldap::NG::Handler::CDA agent detects this parameter et generate a
cookie in its domain.
<h3
class=
"heading-1-1"
><span
id=
"HAuthentication"
>
Authentication
</span></h3>
<h4
class=
"heading-1-1-1"
><span
id=
"HHowtochangeauthenticationscheme3F"
>
How to change authentication scheme
?
</span></h4>
<p
class=
"paragraph"
></p>
Lemonldap::NG provides several authentication
modes (to use in the "authentification" field of the administration
interface)
:
<ul
class=
"star"
>
<li><strong
class=
"strong"
>
ldap
</strong>
: this is the default mode :
portal tries to connect to the LDAP server with the user
credentials,
</li>
<li><strong
class=
"strong"
>
CAS
</strong>
: Lemonldap::NG portal becomes a
simple CAS proxy : if the user is not authenticated, it is redirected to
the CAS portal,
</li>
<li><strong
class=
"strong"
>
SSL
</strong>
: in this scheme, authentication
is done by Apache by SSL. This is usefull to replace complete SSL
protection: only one SSL negociation is used instead,
</li>
<li><strong
class=
"strong"
>
Apache
</strong>
: in this scheme,
authentication is done by Apache. For example with Kerberos, the Apache
Kerberos module protects only the portal. This increases performances
because only one Kerberos negociation has to be done for all protected
applications.
</li>
</ul>
</div>
</body>
</html>
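Review bot: the Active-Directory example under "How to use Lemonldap::NG with Active-Directory ?" builds the LDAP filter by string concatenation, `"(&(cn=" . $self->{user} . ")(objectClass=person))"`, from the login name exactly as typed in the form; the documented override should escape that value (RFC 4515 filter escaping, e.g. Net::LDAP::Util::escape_filter_value) before it goes into the filter, otherwise the FAQ teaches readers to write a portal that passes filter metacharacters from the login form straight to the directory. Smaller points: the document declares lang="fr" / xml:lang="fr" and a us-ascii charset (while the XML declaration says utf-8) although this is the English FAQ; the auto-protected CGI list has "autorize" (authorize?) and an untranslated fragment "permet de valider" in the group bullet; and the https example uses cache_root '/tmp' for the handler local cache, which the Operation section says holds session data, so the text should advise a directory owned by the Apache user rather than a world-writable /tmp.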
build/lemonldap-ng/scripts/doc.pl
@@ -6,6 +6,7 @@ use utf8;
my
$docs
=
{
'
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=fr
'
=>
'
faq-fr.html
',
'
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/FAQ?language=en
'
=>
'
faq.html
',
'
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=en
'
=>
'
overview.html
',
'
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/Presentation?language=fr
'
=>
'
overview-fr.html
',
'
http://wiki.lemonldap.objectweb.org/xwiki/bin/view/NG/DocInstallExample?language=en
'
=>
'
install.html
',
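Review bot: the new faq.html entry is fetched with ?language=en, yet the generated file in this same commit carries lang="fr" and xml:lang="fr" from the wiki export; doc.pl could set the lang attributes from the language parameter of each URL (and normalise the charset meta) when it writes the file, which would fix faq.html and every future English export at once.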
modules/lemonldap-ng-manager/Changes
Revision history for Perl extension Lemonldap::NG::Manager.
0.7 Tue jun 12 22:20:54 2007
- Changing storage format due to a bug in Storable module
0.66 Tue May 15 19:53:40 2007
- Little bug correction: '-' is authorized in domain names
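Review bot: "Tue jun 12" should be "Tue Jun 12" to match the "Tue May 15" entry below. The 0.7 entry should also say whether this version still reads configurations written by 0.66 (the base64/Storable format), because debian/changelog in this commit presents the same change as a storage format change and users need to know if an upgrade converts or breaks existing configurations.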
modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
@@ -16,7 +16,7 @@ use MIME::Base64;
our
@ISA
=
qw(Lemonldap::NG::Manager::Base)
;
our
$VERSION
=
'
0.
66
';
our
$VERSION
=
'
0.
7
';
sub
new
{
my
(
$class
,
$args
)
=
@_
;
modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Conf.pm
@@ -2,11 +2,12 @@ package Lemonldap::NG::Manager::Conf;
use
strict
;
no
strict
'
refs
';
use
Storable
qw(thaw freeze)
;
use
MIME::
Base64
;
use
Data::
Dumper
;
use
Lemonldap::NG::Manager::Conf::
Constants
;
our
$VERSION
=
0.45
;
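Review bot: `use Data::Dumper;` is added while `use Storable qw(thaw freeze);` and `use MIME::Base64;` are kept, so either the old base64/Storable format is still read for backward compatibility (say so in a comment and in Changes) or those imports are now dead. Two further points the visible lines raise: `our $VERSION = 0.45;` is unchanged although this module's on-disk format is what changed (Manager.pm was bumped to 0.7 in the same commit), and `no strict 'refs';` sits at the top of a module that presumably now evals the `$data1 = {...};` strings lmConf-1 stores; that eval should run under strict, check that the result is a hash reference, and the configuration store it reads from should be documented as trusted, write-restricted input.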