Commit f67374c2 authored by Clément OUDOT

Doc update

parent 2fedaba8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="http_basic_authentication" id="http_basic_authentication">HTTP Basic Authentication</a></h1>
<div class="level1">
<p>
<a href="/_detail/applications/http_logo.png?id=documentation%3A1.0%3Aapplications%3Aauthbasic" class="media" title="applications:http_logo.png"><img src="../../../../media/applications/http_logo.png" class="mediacenter" alt="" /></a>
</p>
</div>
<!-- SECTION "HTTP Basic Authentication" [1-77] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
Extract from the <a href="http://en.wikipedia.org/wiki/Basic_access_authentication" class="urlextern" title="http://en.wikipedia.org/wiki/Basic_access_authentication" rel="nofollow">Wikipedia article</a>:
</p>
<p>
<blockquote>
In the context of an <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request.
</p>
<p>
Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings “on the fly”.
</blockquote>
</p>
<p>
So <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> Basic Autentication is managed trough an <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> header (<code>Authorization</code>), that can be forged by <acronym title="LemonLDAP::NG">LL::NG</acronym>, with this precautions:
</p>
<ul>
<li class="level1"><div class="li"> Data should not contains accents or special characters, as <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> protocol only allow <acronym title="American Standard Code for Information Interchange">ASCII</acronym> values in header (but depending on the <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> server, you can use <acronym title="International Organization for Standardization">ISO</acronym> encoded values)</div>
</li>
<li class="level1"><div class="li"> You need to forward the password, which can be the user main password (if <a href="../../../documentation/1.0/passwordstore.html" class="wikilink1" title="documentation:1.0:passwordstore">password is stored in session</a>, or any user attribute (if you keep secondary passwords in users database).</div>
</li>
</ul>
</div>
<!-- SECTION "Presentation" [78-1452] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
<p>
The Basic Authentication relies on a specific <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> header, as described above. So you have just to declare this header for the virtual host in Manager.
</p>
<p>
For example, to forward login (<code>$uid</code>) and password (<code>$_password</code> if <a href="../../../documentation/1.0/passwordstore.html" class="wikilink1" title="documentation:1.0:passwordstore">password is stored in session</a>):
</p>
<pre class="code">
Authorization =&gt; &quot;Basic &quot;.encode_base64(&quot;$uid:$_password&quot;)
</pre>
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> provides a special function named <a href="../../../documentation/1.0/extendedfunctions.html#basic" class="wikilink1" title="documentation:1.0:extendedfunctions">basic</a> to build this header.
</p>
<p>
So the above example can also be written like this:
</p>
<pre class="code">
Authorization =&gt; basic($uid,$_password)
</pre>
<p>
<p><div class="notetip">The <code>basic</code> function will also force conversion from UTF-8 to <acronym title="International Organization for Standardization">ISO</acronym>-8859-1, which should be accepted by most of <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> servers.
</div></p>
</p>
</div>
<!-- SECTION "Configuration" [1453-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
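Review bot: In the Configuration example, `encode_base64("$uid:$_password")` is called without a second argument; MIME::Base64's `encode_base64` wraps its output at 76 characters and ends it with a newline by default, so the forged `Authorization` value can carry a line break. Suggest writing the example as `encode_base64("$uid:$_password", "")`, or showing only the `basic($uid,$_password)` form. In the Presentation list, the parenthesis opened at "(if password is stored in session" is never closed, and since the quoted text says the Base64 string is trivially decoded, a third precaution about protecting the link that carries this header would fit there. Wording: "Autentication", "trough", "this precautions", "should not contains".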
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="spring_security_acegi" id="spring_security_acegi">Spring Security (ACEGI)</a></h1>
<div class="level1">
<p>
<a href="/_detail/applications/spring_logo.png?id=documentation%3A1.0%3Aapplications%3Aspring" class="media" title="applications:spring_logo.png"><img src="../../../../media/applications/spring_logo.png" class="mediacenter" alt="" /></a>
</p>
</div>
<!-- SECTION "Spring Security (ACEGI)" [1-77] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
<a href="http://static.springsource.org/spring-security/site/" class="urlextern" title="http://static.springsource.org/spring-security/site/" rel="nofollow">Spring Security</a> is the new ACEGI name. This is a well known security framework for J2EE applications.
</p>
<p>
Spring Security provides a default <code>pre-authentication</code> mechanism that can be used to connect your J2EE application to <acronym title="LemonLDAP::NG">LL::NG</acronym>.
</p>
</div>
<!-- SECTION "Presentation" [78-394] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
<p>
You can find all suitable information here: <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html" class="urlextern" title="http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html" rel="nofollow">http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html</a>
</p>
<p>
To summarize, to get the user connected trough the <code>Auth-User</code> <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> Header, use this Sping Security configuration:
</p>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;bean</span> <span class="re0">id</span>=<span class="st0">&quot;LemonLDAPNGFilter&quot;</span> <span class="re0">class</span>=</span>
<span class="sc3"><span class="st0">&quot;org.springframework.security.web.authentication.preauth.header.RequestHeaderPreAuthenticatedProcessingFilter&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;security:custom-filter</span> <span class="re0">position</span>=<span class="st0">&quot;PRE_AUTH_FILTER&quot;</span> <span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;property</span> <span class="re0">name</span>=<span class="st0">&quot;principalRequestHeader&quot;</span> <span class="re0">value</span>=<span class="st0">&quot;Auth-User&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;property</span> <span class="re0">name</span>=<span class="st0">&quot;authenticationManager&quot;</span> <span class="re0">ref</span>=<span class="st0">&quot;authenticationManager&quot;</span> <span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;/bean<span class="re2">&gt;</span></span></span>
&nbsp;
<span class="sc3"><span class="re1">&lt;bean</span> <span class="re0">id</span>=<span class="st0">&quot;preauthAuthProvider&quot;</span> <span class="re0">class</span>=<span class="st0">&quot;org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;security:custom-authentication-provider</span> <span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;property</span> <span class="re0">name</span>=<span class="st0">&quot;preAuthenticatedUserDetailsService&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;bean</span> <span class="re0">id</span>=<span class="st0">&quot;userDetailsServiceWrapper&quot;</span> <span class="re0">class</span>=<span class="st0">&quot;org.springframework.security.userdetails.UserDetailsByNameServiceWrapper&quot;</span><span class="re2">&gt;</span></span>
<span class="sc3"><span class="re1">&lt;property</span> <span class="re0">name</span>=<span class="st0">&quot;userDetailsService&quot;</span> <span class="re0">ref</span>=<span class="st0">&quot;userDetailsService&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;/bean<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/property<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;/bean<span class="re2">&gt;</span></span></span>
&nbsp;
<span class="sc3"><span class="re1">&lt;security:authentication-manager</span> <span class="re0">alias</span>=<span class="st0">&quot;authenticationManager&quot;</span> <span class="re2">/&gt;</span></span></pre>
</div>
<!-- SECTION "Configuration" [395-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
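Review bot: The filter bean takes the principal from the `Auth-User` request header, but Configuration never says that the application must be reachable only through the LL::NG handler; without that, the header value is whatever the client sends. Suggest adding a note to that effect, as the Tomcat page does with its `allows` attribute. The class names also mix package layouts (`org.springframework.security.web.authentication.preauth...` next to `org.springframework.security.userdetails.UserDetailsByNameServiceWrapper`) while the link points at the 3.0.x reference, so state which Spring Security version the snippet was tested with. Wording: "trough", "Sping Security".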
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="apache_tomcat" id="apache_tomcat">Apache Tomcat</a></h1>
<div class="level1">
<p>
<a href="/_detail/applications/tomcat_logo.png?id=documentation%3A1.0%3Aapplications%3Atomcat" class="media" title="applications:tomcat_logo.png"><img src="../../../../media/applications/tomcat_logo.png" class="mediacenter" alt="" /></a>
</p>
<p>
<p><div class="noteimportant">The Tomcat Valve is only available for tomcat 5.5 or greater.
</div></p>
</p>
</div>
<!-- SECTION "Apache Tomcat" [1-154] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
<a href="http://tomcat.apache.org/" class="urlextern" title="http://tomcat.apache.org/" rel="nofollow">Apache Tomcat</a> is an open source software implementation of the Java Servlet and JavaServer Pages technologies.
</p>
<p>
As J2EE servlet container, Tomcat provides standard security feature, like authentication: the application deployed in Tomcat can delegate its authentication to Tomcat.
</p>
<p>
By default, Tomcat provides a file called <code>users.xml</code> to manage authentication:
</p>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;?xml</span> <span class="re0">version</span>=<span class="st0">'1.0'</span> <span class="re0">encoding</span>=<span class="st0">'utf-8'</span><span class="re2">?&gt;</span></span>
<span class="sc3"><span class="re1">&lt;tomcat-users<span class="re2">&gt;</span></span></span>
<span class="sc3"><span class="re1">&lt;role</span> <span class="re0">rolename</span>=<span class="st0">&quot;tomcat&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;role</span> <span class="re0">rolename</span>=<span class="st0">&quot;role1&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;user</span> <span class="re0">username</span>=<span class="st0">&quot;tomcat&quot;</span> <span class="re0">password</span>=<span class="st0">&quot;tomcat&quot;</span> <span class="re0">roles</span>=<span class="st0">&quot;tomcat&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;user</span> <span class="re0">username</span>=<span class="st0">&quot;role1&quot;</span> <span class="re0">password</span>=<span class="st0">&quot;tomcat&quot;</span> <span class="re0">roles</span>=<span class="st0">&quot;role1&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;user</span> <span class="re0">username</span>=<span class="st0">&quot;both&quot;</span> <span class="re0">password</span>=<span class="st0">&quot;tomcat&quot;</span> <span class="re0">roles</span>=<span class="st0">&quot;tomcat,role1&quot;</span><span class="re2">/&gt;</span></span>
<span class="sc3"><span class="re1">&lt;/tomcat-users<span class="re2">&gt;</span></span></span>
&nbsp;</pre>
<p>
<acronym title="LemonLDAP::NG">LL::NG</acronym> provides a valve, available on <a href="../../../download.html#contributions" class="wikilink1" title="download">download page</a>. This valve will check an <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> header to set the authenticated user on the J2EE container.
</p>
</div>
<!-- SECTION "Presentation" [155-1077] -->
<h2><a name="installation" id="installation">Installation</a></h2>
<div class="level2">
<p>
Copy <code>ValveLemonLDAPNG.jar</code> in <code>&lt;TOMCAT_HOME&gt;/server/lib</code>:
</p>
<pre class="code">
cp ValveLemonLDAPNG.jar server/lib/
</pre>
<p>
<p><div class="notetip">If needed, you can <a href="#compilation" title="documentation:1.0:applications:tomcat &crarr;" class="wikilink1">recompile the valve from the sources</a>.
</div></p>
</p>
</div>
<!-- SECTION "Installation" [1078-1310] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
<p>
Add on your <code>server.xml</code> file a new valve entry like this (in host section):
</p>
<pre class="code file xml"><span class="sc3"><span class="re1">&lt;Valve</span> <span class="re0">className</span>=<span class="st0">&quot;org.lemonLDAPNG.SSOValve&quot;</span> <span class="re0">userKey</span>=<span class="st0">&quot;AUTH-USER&quot;</span> <span class="re0">roleKey</span>=<span class="st0">&quot;AUTH-ROLE&quot;</span> <span class="re0">roleSeparator</span>=<span class="st0">&quot;,&quot;</span> <span class="re0">allows</span>=<span class="st0">&quot;127.0.0.1&quot;</span><span class="re2">/&gt;</span></span></pre>
<p>
Configure attributes:
</p>
<ul>
<li class="level1"><div class="li"> <strong>userKey</strong>: key in the <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> header containing user login.</div>
</li>
<li class="level1"><div class="li"> <strong>roleKey</strong>: key in the <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> header containing roles. If <acronym title="LemonLDAP::NG">LL::NG</acronym> send some roles split by some commas, configure <strong>roleSeparator</strong>.</div>
</li>
<li class="level1"><div class="li"> <strong>roleSeparator</strong> (optional): role values separator.</div>
</li>
<li class="level1"><div class="li"> <strong>allows</strong> (optional): Define allowed remote <acronym title="Internet Protocol">IP</acronym> (use ”,” separator for multiple <acronym title="Internet Protocol">IP</acronym>). Just set the <acronym title="LemonLDAP::NG">LL::NG</acronym> Handler <acronym title="Internet Protocol">IP</acronym> on this attribute in order to add more security. If this attribute is missed all hosts are allowed.</div>
</li>
<li class="level1"><div class="li"> <strong>passThrough</strong> (optional): Allow anonymous access or not. When it takes “false”, <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> headers have to be sent by <acronym title="LemonLDAP::NG">LL::NG</acronym> to make authentication. So, if the user is not recognized or <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> headers not present, a 403 error is sent.</div>
</li>
</ul>
<p>
<p><div class="notetip">For debugging, this valve can print some helpful information in debug level. See <a href="http://tomcat.apache.org/tomcat-5.5-doc/logging.html" class="urlextern" title="http://tomcat.apache.org/tomcat-5.5-doc/logging.html" rel="nofollow">how configure logging in Tomcat</a> .
</div></p>
</p>
</div>
<!-- SECTION "Configuration" [1311-2481] -->
<h2><a name="compilation" id="compilation">Compilation</a></h2>
<div class="level2">
<p>
The sources are available on <a href="../../../download.html#contributions" class="wikilink1" title="download">download page</a>.
</p>
<p>
Required :
</p>
<ul>
<li class="level1"><div class="li"> ant</div>
</li>
<li class="level1"><div class="li"> jre &gt; 1.4</div>
</li>
<li class="level1"><div class="li"> tomcat &gt;= 5.5</div>
</li>
</ul>
<p>
Configure your tomcat home in <code>build.properties</code> files.
</p>
<p>
<p><div class="noteimportant">
Be careful for Windows user, path must contains ”/”. Example:
</p>
<pre class="code">
c:/my hardisk/tomcat/
</pre>
<p>
</div></p>
</p>
<p>
Next run ant command:
</p>
<pre class="code">
ant
</pre>
<p>
<code>ValveLemonLDAPNG.jar</code> is created under <code>/dist</code> directory.
</p>
</div>
<!-- SECTION "Compilation" [2482-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
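Review bot: In the Valve attribute list, `allows` is optional and "If this attribute is missed all hosts are allowed", while `passThrough` is described only for "false" with no default given, so a reader who copies the sample entry cannot tell whether requests without the headers are refused. Suggest stating the default of `passThrough` and what "true" does, and recommending that `allows` always be set to the handler IP. Also: Tomcat's default user file is `tomcat-users.xml`, not `users.xml`, and the `server/lib` install path exists in Tomcat 5.5 but not in later versions, which conflicts with "5.5 or greater".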
......@@ -60,8 +60,13 @@
They can then be forwarded to applications trough <a href="../../documentation/1.0/writingrulesand_headers.html#headers" class="wikilink1" title="documentation:1.0:writingrulesand_headers">HTTP headers</a>.
</p>
<p>
<p><div class="notetip"><acronym title="Central Authentication Service">CAS</acronym> authentication will automatically add a <a href="../../documentation/1.0/logoutforward.html" class="wikilink1" title="documentation:1.0:logoutforward">logout forward rule</a> on <acronym title="Central Authentication Service">CAS</acronym> server logout <acronym title="Uniform Resource Locator">URL</acronym> in order to close <acronym title="Central Authentication Service">CAS</acronym> session on <acronym title="LemonLDAP::NG">LL::NG</acronym> logout.
</div></p>
</p>
</div>
<!-- SECTION "Presentation" [71-655] -->
<!-- SECTION "Presentation" [71-828] -->
<h2><a name="perl-cas_module_installation" id="perl-cas_module_installation">Perl-CAS module installation</a></h2>
<div class="level2">
......@@ -95,7 +100,7 @@ sudo make install
</pre>
</div>
<!-- SECTION "Perl-CAS module installation" [656-989] -->
<!-- SECTION "Perl-CAS module installation" [829-1162] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">
......@@ -158,4 +163,4 @@ touch /tmp/pgt.txt
</p>
</div>
<!-- SECTION "Configuration" [990-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
<!-- SECTION "Configuration" [1163-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
......@@ -219,4 +219,87 @@ And this as mail filter:
</ul>
</div>
<!-- SECTION "Password" [4089-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
<!-- SECTION "Password" [4089-4674] -->
<h2><a name="schema_extension" id="schema_extension">Schema extension</a></h2>
<div class="level2">
<p>
Standards attributes, like uid, cn or mail, are often enough to configure access rules and headers.
</p>
<p>
But sometimes other data are needed (in particular to use <a href="../../documentation/1.0/extendedfunctions.html" class="wikilink1" title="documentation:1.0:extendedfunctions">extended functions</a>):
</p>
<ul>
<li class="level1"><div class="li"> An application name (to allow access by applications and not by group of users)</div>
</li>
<li class="level1"><div class="li"> A start date and an end date (to open or close the service even the entry already exists)</div>
</li>
<li class="level1"><div class="li"> A time profile (allowed hours and day of the week)</div>
</li>
<li class="level1"><div class="li"> One or more roles (to send to the protected applications)</div>
</li>
</ul>
<p>
Of course, standard <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> attributes can be used to store these data, but <acronym title="LemonLDAP::NG">LL::NG</acronym> also provides an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> schema extension to manage them.
</p>
</div>
<!-- SECTION "Schema extension" [4675-5338] -->
<h3><a name="oid_prefix" id="oid_prefix">OID prefix</a></h3>
<div class="level3">
<p>
Extended attributes and object classes use this prefix: 1.3.6.1.4.1.10943.10.2.
</p>
<p>
The prefix 1.3.6.1.4.1.10943 is owned by <a href="http://www.linagora.com" class="urlextern" title="http://www.linagora.com" rel="nofollow">LINAGORA</a> (See <a href="http://www.iana.org/assignments/enterprise-numbers" class="urlextern" title="http://www.iana.org/assignments/enterprise-numbers" rel="nofollow">http://www.iana.org/assignments/enterprise-numbers</a>).
</p>
</div>
<!-- SECTION "OID prefix" [5339-5583] -->
<h3><a name="openldap_schema" id="openldap_schema">OpenLDAP schema</a></h3>
<div class="level3">
<p>
Just add this file to OpenLDAP schemas by including it in <code>slapd.conf</code>:
</p>
<pre class="file">
include /usr/share/lemonldap-ng/ressources/sso.schema
</pre>
<p>
This will provide the auxiliary object class <code>ssoUser</code> with attributes:
</p>
<ul>
<li class="level1"><div class="li"> ssoName</div>
</li>
<li class="level1"><div class="li"> ssoRoles</div>
</li>
<li class="level1"><div class="li"> ssoLogonHours</div>
</li>
<li class="level1"><div class="li"> ssoStartDate</div>
</li>
<li class="level1"><div class="li"> ssoEndDate</div>
</li>
</ul>
<p>
You can add this object class to any entry of your directory.
</p>
<p>
<p><div class="noteimportant">To get attributes values in session, declare them in <a href="../../documentation/1.0/exportedvars.html" class="wikilink1" title="documentation:1.0:exportedvars">exported variables</a>
</div></p>
</p>
</div>
<!-- SECTION "OpenLDAP schema" [5584-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
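Review bot: The list under "This will provide the auxiliary object class `ssoUser`" gives attribute names only; say what each one holds and in which format (for example whether `ssoLogonHours` is the value `checkLogonHours` expects, and the date syntax of `ssoStartDate` and `ssoEndDate`), otherwise the reader has to open `sso.schema` to use them. In "OID prefix", the sentence-ending period after `1.3.6.1.4.1.10943.10.2` reads as part of the OID; wrapping the OID in `<code>` avoids that. Wording: "Standards attributes", "even the entry already exists".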
......@@ -79,9 +79,37 @@
</div></p>
</p>
<pre class="file">Lemonldap::NG::Handler::SharedConf: No cookie found</pre>
<p>
→ User does not have Lemonldap::NG cookie, handler redirect it to the portal
</p>
<pre class="file">The cookie $id isn&#039;t yet available: Object does not exist in the data store</pre>
<p>
→ User session has expired or handler does not have access to the same Apache::Session database than the portal
</p>
<pre class="file">Firefox has detected that the server is redirecting the request for this address in a way that will never complete</pre>
<p>
→ Your browser loops between portal and handler, it is probably a cookie problem. Verify that:
</p>
<ul>
<li class="level1"><div class="li"> the portal is in the declared domain</div>
</li>
<li class="level1"><div class="li"> <acronym title="Cross Domain Authentication">CDA</acronym> is set if the handler is not in the same domain</div>
</li>
<li class="level1"><div class="li"> portal is in a https virtualhost if securedCookie is set</div>
</li>
<li class="level1"><div class="li"> you&#039;ve restart all Apache server after having change cookie name or domain</div>
</li>
</ul>
</div>
<!-- SECTION "Lemonldap::NG::Handler" [393-1397] -->
<!-- SECTION "Lemonldap::NG::Handler" [393-2209] -->
<h2><a name="lemonldapngmanager" id="lemonldapngmanager">Lemonldap::NG::Manager</a></h2>
<div class="level2">
<pre class="file">XXXX was not found in tree</pre>
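Review bot: In the added redirect-loop checklist, the last item "you've restart all Apache server after having change cookie name or domain" needs rewording, e.g. "you have restarted all Apache servers after changing the cookie name or domain", and "the same Apache::Session database than the portal" should use "as". The `$id` in "The cookie $id isn't yet available" is a placeholder, like `XXXX` in the Manager and Portal messages; use one convention so readers know which part of the line to search for in their logs.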
......@@ -92,7 +120,7 @@
</p>
</div>
<!-- SECTION "Lemonldap::NG::Manager" [1398-1523] -->
<!-- SECTION "Lemonldap::NG::Manager" [2210-2335] -->
<h2><a name="lemonldapngportal" id="lemonldapngportal">Lemonldap::NG::Portal</a></h2>
<div class="level2">
<pre class="file">User XXXX was not granted to open session</pre>
......@@ -127,4 +155,4 @@
</p>
</div>
<!-- SECTION "Lemonldap::NG::Portal" [1524-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
<!-- SECTION "Lemonldap::NG::Portal" [2336-] --></div><!-- closes <div class="dokuwiki export">-->
\ No newline at end of file
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="extended_functions" id="extended_functions">Extended functions</a></h1>
<div class="level1">
</div>
<!-- SECTION "Extended functions" [1-34] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<p>
When <a href="../../documentation/1.0/writingrulesand_headers.html" class="wikilink1" title="documentation:1.0:writingrulesand_headers">writing rules and headers</a>, you can use <acronym title="Practical Extraction and Report Language">Perl</acronym> expressions that will be evaluated in a jail, to prevent bad code execution.
</p>
<p>
This is also true for:
</p>
<ul>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/portalmenu.html#menu_modules" class="wikilink1" title="documentation:1.0:portalmenu">Menu modules activation rules</a></div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/formreplay.html" class="wikilink1" title="documentation:1.0:formreplay">Form replay data</a></div>
</li>
<li class="level1"><div class="li"> Macros</div>
</li>
<li class="level1"><div class="li"> Issuer databases use rules</div>
</li>
<li class="level1"><div class="li"> etc.</div>
</li>
</ul>
<p>
Inside this jail, you can access to:
</p>
<ul>
<li class="level1"><div class="li"> Core <acronym title="Practical Extraction and Report Language">Perl</acronym> subroutines (split, pop, map, etc.)</div>
</li>
<li class="level1"><div class="li"> <a href="../../documentation/1.0/customfunctions.html" class="wikilink1" title="documentation:1.0:customfunctions">Custom functions</a></div>
</li>
<li class="level1"><div class="li"> The <a href="http://perldoc.perl.org/MIME/Base64.html" class="urlextern" title="http://perldoc.perl.org/MIME/Base64.html" rel="nofollow">encode_base64</a> subroutine</div>
</li>
<li class="level1"><div class="li"> All environment variables (trough %ENV)</div>
</li>
<li class="level1"><div class="li"> <a href="#functions_list" title="documentation:1.0:extendedfunctions &crarr;" class="wikilink1">Extended functions</a></div>
</li>
</ul>
<p>
<p><div class="notetip">To know more about the jail, check <a href="http://perldoc.perl.org/Safe.html" class="urlextern" title="http://perldoc.perl.org/Safe.html" rel="nofollow">Safe module documentation</a>.
</div></p>
</p>
</div>
<!-- SECTION "Presentation" [35-800] -->
<h2><a name="functions_list" id="functions_list">Functions list</a></h2>
<div class="level2">
</div>
<!-- SECTION "Functions list" [801-828] -->
<h3><a name="checklogonhours" id="checklogonhours">checkLogonHours</a></h3>
<div class="level3">
<p>
This function will check the day and the hour of current request, and compare it to allowed days and hours. It returns 1 if this match, 0 else.
</p>
<p>
By default, the allowed days and hours is an hexadecimal value, representing each hour of the week. A day has 24 hours, and a week 7 days, so the value contains 168 bits, converted into 42 hexadecimal characters. Sunday is the first day.
</p>
<p>
For example, for a full access, excepted week-end:
</p>
<pre class="code">
000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000
</pre>
<p>
<p><div class="notetip">The <a href="../../documentation/1.0/authldap.html#schema_extension" class="wikilink1" title="documentation:1.0:authldap">LDAP schema extension</a> can be used to store this value. You can also use the binary value from the logonHours attribute of Active Directory
</div></p>
</p>
<p>
Functions parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>logon_hours</strong>: string representing allowed logon hours (GMT)</div>
</li>
<li class="level1"><div class="li"> <strong>syntax</strong> (optional): <code>hexadecimal</code> (default) or <code>octetstring</code></div>
</li>
<li class="level1"><div class="li"> <strong>time_correction</strong> (optional): hours to add or to subtract</div>
</li>