Commit a8cdb046 authored by Xavier Guimard

Update doc

parent af138325
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=b1ead7f504050dc6ea4ebced99caf5c1" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=5e53528a309f1afd578fccb6a5f04cf7" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
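Review bot: The only change in this hunk is the sectok value in the Login link, a session-bound DokuWiki security token captured by the export, on what the next hunk header shows to be the "topic that doesn't exist yet" stub for img/icons.png. This looks like crawl output, not documentation. Suggest dropping the stub pages (icons.png, loader.gif, restserverplugin) from the commit, or stripping the login link and the indexer.php beacon in the export step so a doc refresh does not produce this churn.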
......@@ -220,7 +220,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1526412059" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1526585770" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=b1ead7f504050dc6ea4ebced99caf5c1" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=5e53528a309f1afd578fccb6a5f04cf7" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -220,7 +220,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1526412059" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1526585770" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -66,25 +66,25 @@ Just enable it in the manager (section “plugins”). You <em class="u">must</e
<div class="level2">
<p>
When enabled, <code>/checkstate</code> <abbr title="Uniform Resource Locator">URL</abbr> path is handled by this plugin. It can be called only by an unauthenticated request. GET parameters:
When enabled, <code>/checkstate</code> <abbr title="Uniform Resource Locator">URL</abbr> path is handled by this plugin. GET parameters:
</p>
<div class="table sectionedit4"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Parameter </th><th class="col1 leftalign"> </th><th class="col2 centeralign"> Value </th>
<th class="col0 centeralign"> GET Parameter </th><th class="col1 centeralign"> Need </th><th class="col2 centeralign"> Value </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> secret </td><td class="col1 centeralign"> required </td><td class="col2"> Same value as the shared secret given to the manager </td>
<td class="col0 centeralign"> <code>secret</code> </td><td class="col1 centeralign"> required </td><td class="col2"> Same value as the shared secret given to the manager </td>
</tr>
<tr class="row2 roweven">
<td class="col0 centeralign"> user </td><td class="col1 centeralign"> optional </td><td class="col2"> If set (with password), a login/logout process will be tried </td>
<td class="col0 centeralign"> <code>user</code> </td><td class="col1 centeralign"> optional </td><td class="col2" rowspan="2"> If set (with password), a login/logout process will be tried </td>
</tr>
<tr class="row3 rowodd">
<td class="col0 centeralign"> password </td><td class="col1 centeralign"> optional </td><td class="col2 leftalign"> </td>
<td class="col0 centeralign"> <code>password</code> </td><td class="col1 centeralign"> optional </td>
</tr>
</table></div>
<!-- EDIT4 TABLE [466-693] -->
<!-- EDIT4 TABLE [413-667] -->
<p>
Example: <code><a href="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" class="urlextern" title="https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho" rel="nofollow">https://auth.example.com/checkstate?secret=qwerty&amp;user=dwho&amp;password=dwho</a></code>
</p>
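Review bot: Removing "It can be called only by an unauthenticated request." leaves the first paragraph silent on who may call /checkstate, while the example URL still passes secret, user and password in the query string. If the caller constraint still holds, keep it in the text. Also suggest one sentence noting that these GET values are recorded in web server and proxy access logs, so the endpoint should be reachable only from the monitoring host and the user should be a dedicated test account. The rowspan="2" merge of the user/password description is fine.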
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:cli_examples</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,cli_examples"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="cli_examples.html"/>
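Review bot: The robots meta goes from index,follow to noindex,nofollow here and in configapache, handlerarch, handlerauthbasic, psgi and redirections, while logs and parameterlist flip the opposite way in the same commit. That suggests the value reflects the state of the export and not an intended choice. Suggest pinning it in the export step so it is the same on every page and stops changing between refreshes.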
......@@ -298,7 +298,13 @@ In this example we have:
</li>
<li class="level1"><div class="li"> Client secret : testclientsecret</div>
</li>
<li class="level1"><div class="li"> Allowed redirection <abbr title="Uniform Resource Locator">URL</abbr>: <a href="https://testrp.e-serv.ch/?callback=1" class="urlextern" title="https://testrp.e-serv.ch/?callback=1" rel="nofollow">https://testrp.e-serv.ch/?callback=1</a></div>
<li class="level1"><div class="li"> Allowed redirection <abbr title="Uniform Resource Locator">URL</abbr>:</div>
<ul>
<li class="level2"><div class="li"> For login: <a href="https://testrp.example.com/?callback=1" class="urlextern" title="https://testrp.example.com/?callback=1" rel="nofollow">https://testrp.example.com/?callback=1</a></div>
</li>
<li class="level2"><div class="li"> For logout: <a href="https://testrp.example.com/" class="urlextern" title="https://testrp.example.com/" rel="nofollow">https://testrp.example.com/</a></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Exported attributes:</div>
<ul>
......@@ -325,12 +331,12 @@ In this example we have:
<li class="level1"><div class="li"> Redirection:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris &#039;https://testrp.e-serv.ch/?callback=1&#039;</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsRedirectUris &#039;https://testrp.example.com/?callback=1&#039; oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsPostLogoutRedirectUris &#039;https://testrp.example.com/&#039;</pre>
<ul>
<li class="level1"><div class="li"> Signature and token expiration:</div>
</li>
</ul>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/idm oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/idm oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/idm oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
<pre class="code">/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenSignAlg RS512 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsIDTokenExpiration 3600 oidcRPMetaDataOptions/testrp oidcRPMetaDataOptionsAccessTokenExpiration 3600</pre>
</div>
<!-- EDIT9 SECTION "Register an OpenID Connect Relying Party" [7670-] --></div>
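Review bot: In the Redirection command, a single addKey call now sets both oidcRPMetaDataOptionsRedirectUris and oidcRPMetaDataOptionsPostLogoutRedirectUris on one long line, but the bullet above it still says only "Redirection:", so it is not obvious that the second pair is the logout URI. Suggest relabelling the bullet to cover login and post-logout, or splitting it into two commands. The idm to testrp correction in the signature and expiration command is right; it now matches the testrp key used in the Redirection command.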
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:configapache</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,configapache"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="configapache.html"/>
......@@ -46,13 +46,13 @@
<h1 class="sectionedit1" id="deploy_apache_configuration">Deploy Apache configuration</h1>
<div class="level1">
<div class="noteclassic">This step should already have been if you installed <abbr title="LemonLDAP::NG">LL::NG</abbr> with packages.
<div class="noteclassic">This step should have been already done if you installed <abbr title="LemonLDAP::NG">LL::NG</abbr> with packages.
</div>
</div>
<!-- EDIT1 SECTION "Deploy Apache configuration" [1-131] -->
<!-- EDIT1 SECTION "Deploy Apache configuration" [1-136] -->
<h2 class="sectionedit2" id="files">Files</h2>
<div class="level2">
<div class="noteimportant">Apache-ModPerl is no longer usable since version 2.4 <em>(many segfaults,…)</em>. No problem for portal and manager since they are now handle by FastCGI.
<div class="noteimportant">Apache-ModPerl is no longer usable since 2.4 version <em>(many segfaults,…)</em>. No problem for portal and manager since they are now handled by FastCGI.
<p>
<strong>But for handlers, please use <a href="confignginx.html" class="wikilink1" title="documentation:2.0:confignginx">Nginx</a> !</strong>
</p>
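Review bot: In the noteimportant block, "since 2.4 version" reads worse than the "since version 2.4" it replaces, and neither wording says which product's 2.4 is meant. Suggest keeping the original word order, naming the product, and keeping the "handle" to "handled" fix. In the first note, "should have been already done" would read better as "should already have been done".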
......@@ -82,7 +82,7 @@ a2ensite test-apache2.conf</pre>
</div>
</div>
<!-- EDIT2 SECTION "Files" [132-1156] -->
<!-- EDIT2 SECTION "Files" [137-1162] -->
<h2 class="sectionedit3" id="modules">Modules</h2>
<div class="level2">
......@@ -104,6 +104,6 @@ You will also need to load some Apache modules:
</div>
</div>
<!-- EDIT3 SECTION "Modules" [1157-] --></div>
<!-- EDIT3 SECTION "Modules" [1163-] --></div>
</body>
</html>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:handlerarch</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,handlerarch"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="handlerarch.html"/>
......@@ -44,14 +44,14 @@
<body>
<div class="dokuwiki export container">
<h1 class="sectionedit1" id="handler_architecture">Handler architecture</h1>
<h1 class="sectionedit1" id="handler_libraries_architecture">Handler libraries architecture</h1>
<div class="level1">
<p>
Handlers are build on rows of modules:
</p>
<ul>
<li class="level1"><div class="li"> Applications or launchers that get the request and choose the good type <em>(Main, AuthBasic, ZimbraPreAuth,…)</em> and launch it <em>(may not inherits of other Handler::* modules)</em></div>
<li class="level1"><div class="li"> Applications or launchers that get the request and choose the right type <em>(Main, AuthBasic, ZimbraPreAuth,…)</em> and launch it <em>(may not inherits from other Handler::* modules)</em></div>
</li>
<li class="level1"><div class="li"> Wrappers that call “type” library and platform “Main” <em>(may all inherits from Platform::Main)</em></div>
</li>
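Review bot: Renaming the h1 id from handler_architecture to handler_libraries_architecture changes the fragment that any existing link to handlerarch.html#handler_architecture points at; check for inbound links before merging. The edited bullet still has "may not inherits from" (should be "may not inherit from"), and the unchanged lines around it keep "Handlers are build on" and "may all inherits from", which could be fixed in the same pass.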
......@@ -62,7 +62,7 @@ Handlers are build on rows of modules:
</ul>
</div>
<!-- EDIT1 SECTION "Handler architecture" [1-452] -->
<!-- EDIT1 SECTION "Handler libraries architecture" [1-465] -->
<h2 class="sectionedit2" id="overview_of_handler_packages">Overview of Handler packages</h2>
<div class="level2">
<div class="table sectionedit3"><table class="inline table table-bordered table-striped">
......@@ -84,7 +84,7 @@ Handlers are build on rows of modules:
<td class="col0 centeralign" colspan="2"> PSGI </td><td class="col2 centeralign"> PSGI::&lt;type&gt; </td>
</tr>
</table></div>
<!-- EDIT3 TABLE [495-753] -->
<!-- EDIT3 TABLE [508-766] -->
<p>
Types are:
</p>
......@@ -102,6 +102,6 @@ Types are:
</ul>
</div>
<!-- EDIT2 SECTION "Overview of Handler packages" [453-] --></div>
<!-- EDIT2 SECTION "Overview of Handler packages" [466-] --></div>
</body>
</html>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:handlerauthbasic</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,handlerauthbasic"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="handlerauthbasic.html"/>
......@@ -70,25 +70,25 @@
<div class="level2">
<p>
The AuthBasic Handler is a special Handler that will us AuthBasic to authenticate to a virtual host, and then play authorizations rules to allow access to the virtual
The AuthBasic Handler is a special Handler that will use AuthBasic to authenticate to a virtual host, and then run authorization rules to allow access to the virtual
host.
</p>
<p>
The Handler will send a WWW-Authenticate header to the client, to request user and password, and then check the credentials using REST web service (you must enable REST session service in the manager). When session is granted, the Handler will then check the authorizations like the standard Handler.
The Handler will send a WWW-Authenticate header to the client, to request user and password, and then check the credentials using REST web service (you must enable REST session service in the manager). Then, when session is granted, the Handler will check authorizations like the standard Handler.
</p>
<p>
This can be useful to allow an third party application to access a virtual host with users credentials by sending a Basic challenge to it.
This can be useful to allow a third party application to access a virtual host with users credentials by sending a Basic challenge to it.
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [34-677] -->
<!-- EDIT2 SECTION "Presentation" [34-672] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Configuration" [678-704] -->
<!-- EDIT3 SECTION "Configuration" [673-699] -->
<h3 class="sectionedit4" id="virtual_host">Virtual host</h3>
<div class="level3">
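Review bot: The reworded Presentation paragraphs say the Handler requests user and password with a WWW-Authenticate challenge and checks them through the REST session service, but nothing here says the virtual host should be served over HTTPS or that the REST session service should be reachable only by the handlers. Suggest one sentence for each, since Basic credentials travel with every request. Minor: "with users credentials" should be "with user credentials".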
......@@ -107,7 +107,7 @@ If you want to protect only a virtualHost part, keep type on “Main” and set
</ul>
</div>
<!-- EDIT4 SECTION "Virtual host" [705-1095] -->
<!-- EDIT4 SECTION "Virtual host" [700-1090] -->
<h3 class="sectionedit5" id="nginx">Nginx</h3>
<div class="level3">
......@@ -144,7 +144,7 @@ location / {
}</pre>
</div>
<!-- EDIT5 SECTION "Nginx" [1096-2119] -->
<!-- EDIT5 SECTION "Nginx" [1091-2114] -->
<h3 class="sectionedit6" id="handler_parameters">Handler parameters</h3>
<div class="level3">
......@@ -153,6 +153,6 @@ No parameters needed. But you have to allow sessions web services, see <a href="
</p>
</div>
<!-- EDIT6 SECTION "Handler parameters" [2120-] --></div>
<!-- EDIT6 SECTION "Handler parameters" [2115-] --></div>
</body>
</html>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:logs</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,logs"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="logs.html"/>
......
......@@ -88,7 +88,7 @@ Up-to-date documentation is available on GitHub.
</li>
<li class="level1"><div class="li"> Multi-lines are not supported in lemonldap-ng.ini</div>
</li>
<li class="level1"><div class="li"> Virtualhosts handled by node-lemonldap-ng-handler must be explicitly declared in you <code>lemonldap-ng.ini</code> file in <code>[node-handler]</code> section <em>(<strong>NB</strong>: section <code>[handler]</code> isn&#039;t used by node handler)</em>:</div>
<li class="level1"><div class="li"> Virtualhosts handled by node-lemonldap-ng-handler must be explicitly declared in your <code>lemonldap-ng.ini</code> file in <code>[node-handler]</code> section <em>(<strong>NB</strong>: section <code>[handler]</code> isn&#039;t used by node handler)</em>:</div>
</li>
</ul>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>node-handler<span class="br0">&#93;</span></span>
......@@ -96,7 +96,7 @@ Up-to-date documentation is available on GitHub.
<span class="re1">nodeVhosts</span> <span class="sy0">=</span><span class="re2"> test.example.com, test2.example.com</span></pre>
</div>
<!-- EDIT2 SECTION "Examples" [210-730] -->
<!-- EDIT2 SECTION "Examples" [210-731] -->
<h3 class="sectionedit3" id="use_it_as_fastcgi_server_application_protection_only">Use it as FastCGI server (application protection only)</h3>
<div class="level3">
......@@ -142,7 +142,7 @@ handler.<span class="me1">nginxServer</span><span class="br0">&#40;</span><span
# Keep original hostname
fastcgi_param HOST $http_host;
&nbsp;
# Keep original request (LLNG server will received /llauth)
# Keep original request (LLNG server will received /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
&nbsp;
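Review bot: The nginx comment now names /lmauth but still reads "LLNG server will received"; it should be "will receive". The same comment line is changed in the ssoaas hunk further down and needs the same fix.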
......@@ -158,7 +158,7 @@ handler.<span class="me1">nginxServer</span><span class="br0">&#40;</span><span
</dd></dl>
</div>
<!-- EDIT3 SECTION "Use it as FastCGI server (application protection only)" [731-1912] -->
<!-- EDIT3 SECTION "Use it as FastCGI server (application protection only)" [732-1913] -->
<h3 class="sectionedit4" id="use_it_to_protect_an_express_app">Use it to protect an express app</h3>
<div class="level3">
<dl class="file">
......@@ -188,6 +188,6 @@ app.<span class="me1">listen</span><span class="br0">&#40;</span><span class="nu
</dd></dl>
</div>
<!-- EDIT4 SECTION "Use it to protect an express app" [1913-] --></div>
<!-- EDIT4 SECTION "Use it to protect an express app" [1914-] --></div>
</body>
</html>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:parameterlist</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,parameterlist"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="parameterlist.html"/>
......
This diff is collapsed.
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:psgi</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,psgi"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="psgi.html"/>
......@@ -66,11 +66,11 @@ LLNG is build on <a href="http://plackperl.org/" class="urlextern" title="http:/
</ul>
<p>
uWSGI and <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js handler</a> may provide the highest performance.
uWSGI or <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:nodehandler">Node.js FastCGI server</a> may provide the highest performance.
</p>
</div>
<!-- EDIT1 SECTION "Advanced PSGI usage" [1-629] -->
<!-- EDIT1 SECTION "Advanced PSGI usage" [1-635] -->
<h2 class="sectionedit2" id="fastcgi_server_replacement">FastCGI server replacement</h2>
<div class="level2">
......@@ -78,9 +78,21 @@ uWSGI and <a href="nodehandler.html" class="wikilink1" title="documentation:2.0:
A <code>llng-server.psgi</code> is provided in example directory. It is designed to replace exactly FastCGI server. You can use it :
</p>
<ul>
<li class="level1"><div class="li"> with a FCGI Plack server, but you just have to change llng-fastcgi-server engine <em>(in /etc/default/llng-fastcgi-server)</em> to have the same result</div>
<li class="level1"><div class="li"> with a FCGI Plack server, but you just have to change llng-fastcgi-server engine <em>(in /etc/default/llng-fastcgi-server)</em> to have the same result. Available engines:</div>
<ul>
<li class="level2"><div class="li"> <a href="https://metacpan.org/pod/Plack::Handler::FCGI" class="urlextern" title="https://metacpan.org/pod/Plack::Handler::FCGI" rel="nofollow">FCGI</a> <strong>(default)</strong></div>
</li>
<li class="level2"><div class="li"> <a href="https://metacpan.org/pod/Plack::Handler::AnyEvent::FCGI" class="urlextern" title="https://metacpan.org/pod/Plack::Handler::AnyEvent::FCGI" rel="nofollow">AnyEvent::FCGI</a></div>
</li>
<li class="level2"><div class="li"> <a href="https://metacpan.org/pod/Plack::Handler::FCGI::EV" class="urlextern" title="https://metacpan.org/pod/Plack::Handler::FCGI::EV" rel="nofollow">FCGI::EV</a></div>
</li>
<li class="level2"><div class="li"> <a href="https://metacpan.org/pod/Plack::Handler::FCGI::Engine" class="urlextern" title="https://metacpan.org/pod/Plack::Handler::FCGI::Engine" rel="nofollow">FCGI::Engine</a></div>
</li>
<li class="level1"><div class="li"> with a HTTP Plack server, not yet tested</div>
<li class="level2"><div class="li"> <a href="https://metacpan.org/pod/Plack::Handler::FCGI::Engine::ProcManager" class="urlextern" title="https://metacpan.org/pod/Plack::Handler::FCGI::Engine::ProcManager" rel="nofollow">FCGI::Engine::ProcManager</a></div>
</li>
<li class="level2"><div class="li"> <a href="https://metacpan.org/pod/Plack::Handler::FCGI::Async" class="urlextern" title="https://metacpan.org/pod/Plack::Handler::FCGI::Async" rel="nofollow">FCGI::Async</a></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> with uWSGI <em><strong>(see below)</strong></em></div>
</li>
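Review bot: The bullet "with a HTTP Plack server, not yet tested" is removed in this hunk with no replacement, and the commit message "Update doc" does not say whether that mode is now unsupported or just undocumented. The new "Available engines:" list gives the Plack handler names but not the setting in /etc/default/llng-fastcgi-server that selects one; suggest naming it and showing one example value. The sentence "but you just have to change llng-fastcgi-server engine ... to have the same result" is also hard to parse and worth rewording while it is being touched.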
......@@ -100,7 +112,7 @@ See also <a href="highperfnginxhandler.html" class="wikilink1" title="documentat
</p>
</div>
<!-- EDIT2 SECTION "FastCGI server replacement" [630-1417] -->
<!-- EDIT2 SECTION "FastCGI server replacement" [636-1878] -->
<h3 class="sectionedit3" id="using_uwsgi">Using uWSGI</h3>
<div class="level3">
......@@ -114,6 +126,6 @@ You will find in LLNG Nginx configuration files some comments that explain how t
</p>
</div>
<!-- EDIT3 SECTION "Using uWSGI" [1418-] --></div>
<!-- EDIT3 SECTION "Using uWSGI" [1879-] --></div>
</body>
</html>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:redirections</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,redirections"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="redirections.html"/>
......@@ -43,15 +43,37 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<h1 class="sectionedit1" id="handler_redirections">Handler Redirections</h1>
<ul class="toc">
<li class="level1"><div class="li"><a href="#handler_redirections">Handler Redirections</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#protocol_and_port">Protocol and port</a></div></li>
<li class="level2"><div class="li"><a href="#forbidden_and_server_error">Forbidden and Server error</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#portal_redirections">Portal Redirections</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="redirections">Redirections</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Redirections" [1-28] -->
<h2 class="sectionedit2" id="handler_redirections">Handler Redirections</h2>
<div class="level2">
<div class="noteclassic">When a user access a Handler without a cookie, he is redirected on portal, and the target <abbr title="Uniform Resource Locator">URL</abbr> is encoded in redirection <abbr title="Uniform Resource Locator">URL</abbr> (to redirect user after authentication process).
</div>
</div>
<!-- EDIT1 SECTION "Handler Redirections" [1-223] -->
<h2 class="sectionedit2" id="protocol_and_port">Protocol and port</h2>
<div class="level2">
<!-- EDIT2 SECTION "Handler Redirections" [29-249] -->
<h3 class="sectionedit3" id="protocol_and_port">Protocol and port</h3>
<div class="level3">
<p>
To encode the redirection <abbr title="Uniform Resource Locator">URL</abbr>, the handler will use some Apache environment variables and also configuration settings:
......@@ -69,9 +91,9 @@ These parameters can be configured in Manager, in <code>General Parameters</code
<div class="notetip">These settings can be overridden per virtual host, see <a href="configvhost.html" class="wikilink1" title="documentation:2.0:configvhost">virtual host management</a>.
</div>
</div>
<!-- EDIT2 SECTION "Protocol and port" [224-732] -->
<h2 class="sectionedit3" id="forbidden_and_server_error">Forbidden and Server error</h2>
<div class="level2">
<!-- EDIT3 SECTION "Protocol and port" [250-756] -->
<h3 class="sectionedit4" id="forbidden_and_server_error">Forbidden and Server error</h3>
<div class="level3">
<p>
Handler use the default Apache error code for the following cases:
......@@ -116,18 +138,20 @@ These parameters can be configured in Manager, in <code>General Parameters</code
</ul>
</div>
<!-- EDIT3 SECTION "Forbidden and Server error" [733-2104] -->
<h1 class="sectionedit4" id="portal_redirections">Portal Redirections</h1>
<div class="level1">
<!-- EDIT4 SECTION "Forbidden and Server error" [757-2126] -->
<h2 class="sectionedit5" id="portal_redirections">Portal Redirections</h2>
<div class="level2">
<div class="noteclassic">If a user is redirected from handler to portal for authentication and once he is authenticated, portal redirects him to the redirection <abbr title="Uniform Resource Locator">URL</abbr>.
</div><ul>
<li class="level1"><div class="li"> <strong>Redirection message</strong>: The redirection from portal can be done either with code 303 (See Other), or with a JavaScript redirection. Often the redirection takes some time because it is user&#039;s first access to the protected app, so a new app session has to be created : JavaScript redirection improves user experience by informing that authentication is performed, and by preventing from clicking again on the button because it is too slow.</div>
</li>
<li class="level1"><div class="li"> <strong>Keep redirections for Ajax</strong>: By default, when an Ajax request is done on the portal for an unauthenticated user (after a redirection done by the handler), a 401 code will be sentwith a <code>WWW-Authenticate</code> header containing “<abbr title="Single Sign On">SSO</abbr> &lt;portal-<abbr title="Uniform Resource Locator">URL</abbr>&gt;”. Set this option to 1 to keep the old behavior (return of <abbr title="HyperText Markup Language">HTML</abbr> code).</div>
</li>
<li class="level1"><div class="li"> <strong>Skip re-auth confirmation</strong>: by default, when re-authentication is needed, a confirmation screen is displayed to let user accept the re-authentication. If you enable this option, user will be directly redirected to login page.</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Portal Redirections" [2105-] --></div>
<!-- EDIT5 SECTION "Portal Redirections" [2127-] --></div>
</body>
</html>
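Review bot: In the "Keep redirections for Ajax" item, "a 401 code will be sentwith" is missing a space. In the same list, "Skip re-auth confirmation: by default" starts its description in lower case while the other two items start with a capital; suggest making the three consistent.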
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/restserverplugin?do=login&amp;sectok=b1ead7f504050dc6ea4ebced99caf5c1" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/restserverplugin?do=login&amp;sectok=5e53528a309f1afd578fccb6a5f04cf7" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -220,7 +220,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Arestserverplugin&amp;1526412078" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Arestserverplugin&amp;1526585789" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -43,18 +43,60 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#our_concept_of_ssoaas">Our concept of SSOaaS</a></div></li>
<li class="level1"><div class="li"><a href="#using_front_reverse-proxies">Using front reverse-proxies</a></div></li>
<li class="level1"><div class="li"><a href="#using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="sso_as_a_service_ssoaas">SSO as a service (SSOaaS)</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1-41] -->
<h2 class="sectionedit2" id="our_concept_of_ssoaas">Our concept of SSOaaS</h2>
<div class="level2">
<p>
LLNG provides some features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service. Two possibility to do it:
Access management provides 3 services:
</p>
<ul>
<li class="level1"><div class="li"> Using front reverse-proxies</div>
<li class="level1"><div class="li"> Global authentication: Single-Sign-On</div>
</li>
<li class="level1"><div class="li"> Authorization check: authentication isn&#039;t enough, user rights mus be checked</div>
</li>
<li class="level1"><div class="li"> Accounting: <abbr title="Single Sign On">SSO</abbr> logs + application logs <em>(transactions and results)</em></div>
</li>
</ul>
<p>
LLNG provides all these services (except application logs of course, but headers are provided to permit this). Headers is another LLNG service: LLNG can provide any user attributes to the application <em>(see <a href="writingrulesand_headers.html" class="wikilink1" title="documentation:2.0:writingrulesand_headers">Rules and headers</a>)</em>
</p>
<p>
<code>*aaS</code> means that application can drive undelying layer (IaaS for infrastructure, PaaS for platform,…). So for us, <code>SSOaaS</code> must provide the ability for an app to manage authorizations and to get user attributes. Authentication can&#039;t be really “*aaS”: app must not drive it, only consumes it.
</p>
<p>
LLNG provides some features that can be used to provide <abbr title="Single Sign On">SSO</abbr> as a service: a web application can drive its rules and headers. Docker or VM images (Nginx only) includes LLNG Nginx configuration that points to a global <a href="platformsoverview.html#external_servers_for_nginx" class="wikilink1" title="documentation:2.0:platformsoverview">LLNG authorization server</a>. By default, all authenticated users can access and one header is set: <code>Auth-User</code>. If application gives a RULES_<abbr title="Uniform Resource Locator">URL</abbr> parameter that points to a JSON file, authorization server will read it and apply given rules and set asked headers <em>(see <a href="devopshandler.html" class="wikilink1" title="documentation:2.0:devopshandler">DevOps Handler</a>)</em>.
</p>
<p>
Two architectures to do it:
</p>
<ul>
<li class="level1"><div class="li"> Using a global FastCGI (or uWSGI) server</div>
</li>
<li class="level1"><div class="li"> Using front reverse-proxies <em>(some cloud installation use reverse-proxies in front of the cloud)</em></div>
</li>
</ul>
<p>
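Review bot: The RULES_URL paragraph says the authorization server will read the JSON file the application points to and apply its rules, but it does not say what applies when that file is missing or cannot be read, which matters because the stated default lets every authenticated user in. Add a sentence on that failure behaviour and on which URLs the authorization server accepts for RULES_URL. In the same hunk, fix "user rights mus be checked", "undelying layer", "only consumes it" and "Docker or VM images (Nginx only) includes".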
......@@ -62,8 +104,8 @@ In both case, Handler type must be set to <a href="devopshandler.html" class="wi
</p>
</div>
<!-- EDIT1 SECTION "SSO as a service (SSOaaS)" [1-288] -->
<h2 class="sectionedit2" id="using_front_reverse-proxies">Using front reverse-proxies</h2>
<!-- EDIT2 SECTION "Our concept of SSOaaS" [42-1689] -->
<h2 class="sectionedit3" id="using_front_reverse-proxies">Using front reverse-proxies</h2>
<div class="level2">
<p>
......@@ -94,7 +136,7 @@ This configuration handles <code>*.dev.sso.my.domain</code> services and forward
fastcgi_param CONTENT_LENGTH &quot;&quot;;
# Keep original hostname
fastcgi_param HOST $http_host;
# Keep original request (LLNG server will received /llauth)
# Keep original request (LLNG server will received /lmauth)
fastcgi_param X_ORIGINAL_URI $request_uri;
}
location /rules.json {
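Review bot: The corrected comment above `fastcgi_param X_ORIGINAL_URI $request_uri;` now names /lmauth but still reads "will received"; change it to "LLNG server will receive /lmauth". Since this line documents which URI the authorization server sees, it is also worth checking that /lmauth is the location name used in the rest of this sample configuration, which the hunk does not show.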
......@@ -114,8 +156,8 @@ This configuration handles <code>*.dev.sso.my.domain</code> services and forward
</dd></dl>
</div>
<!-- EDIT2 SECTION "Using front reverse-proxies" [289-1765] -->
<h2 class="sectionedit3" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h2>
<!-- EDIT3 SECTION "Using front reverse-proxies" [1690-3166] -->
<h2 class="sectionedit4" id="using_a_global_fastcgi_or_uwsgi_server">Using a global FastCGI (or uWSGI) server</h2>
<div class="level2">
<p>
......@@ -165,6 +207,6 @@ In this example, web server templates (Nginx only) are configured to ask authori
</dd></dl>
</div>
<!-- EDIT3 SECTION "Using a global FastCGI (or uWSGI) server" [1766-] --></div>
<!-- EDIT4 SECTION "Using a global FastCGI (or uWSGI) server" [3167-] --></div>
</body>
</html>
This diff is collapsed.
......@@ -14548,6 +14548,14 @@ Le nouveau rôle est-il un super-utilisateur ?</seg>
<seg>LemonLDAP::NG est hautement scalable, donc facile à insérer derière un répartisseur de charge :</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>LemonLDAP::NG offline documentation</seg>
</tuv>
<tuv lang="FR-FR" changeid="xavier" changedate="20180517T194110Z" creationid="xavier" creationdate="20180517T194110Z">
<seg>Documentation hors-ligne de LemonLDAP::NG</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>LemonLDAP::NG portal menu has 4 modules:</seg>
......@@ -15090,6 +15098,14 @@ Le nouveau rôle est-il un super-utilisateur ?</seg>
<seg>Système LL::NG principal</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>Main features</seg>
</tuv>
<tuv lang="FR-FR">
<seg>Fonctionnalités principales</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>Main parameters</seg>
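Review bot: The new "Main features" entry uses a bare `<tuv lang="FR-FR">` with no changeid, changedate, creationid or creationdate, while the "LemonLDAP::NG offline documentation" entry added earlier in this file carries all four. If the translation memory is used to track who translated what and when, add the same attributes here, and to the "Quick start tutorial" entry further down, which has the same gap.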
......@@ -16770,6 +16786,14 @@ Le nouveau rôle est-il un super-utilisateur ?</seg>
<seg>Placer vos propres fichiers au lieu de ow2.cert, ow2.key, ow2-ca.cert:</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>Quick start tutorial</seg>
</tuv>
<tuv lang="FR-FR">
<seg>Tutoriel rapide</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>RBAC model</seg>
......@@ -19092,14 +19116,6 @@ DataSource -&gt; dbi:mysql:sessions;host=...</seg>
<seg>La configuration Apache dépend du module choisi, se référer à sa documentation. Exemple :</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>The AuthBasic Handler is a special Handler that will us AuthBasic to authenticate to a virtual host, and then play authorizations rules to allow access to the virtual host.</seg>
</tuv>
<tuv lang="FR-FR" changeid="xavier" changedate="20121005T040839Z">
<seg>L'agent AuthBasic est un agent spécial qui utilise l'authentification web basique pour authentifier dans un hôte virtuel et qui utilise ensuite les règles d'autorisation pour valider les accès à l'hôte virtuel.</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>The AuthDemo and UserDBDemo will allow you to log in and get the standard attributes (uid, cn and mail).</seg>
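Review bot: The removed AuthBasic Handler segment takes its 2012 French translation with it, and the commit message ("Update doc") does not say whether the English sentence was deleted from the documentation or only reworded (the removed source text reads "will us AuthBasic"). If it was reworded, carry the French `<tuv>` over to the new source segment so the existing translation is not lost; the same question applies to the other AuthBasic segments dropped later in this file.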
......@@ -20350,14 +20366,6 @@ failregex = Lemonldap\:\:NG \: .* was not found in LDAP directory \(&lt;HOST&gt;
<seg>Ceci permet de protéger des applications nécessitant la variable d'environnement REMOTE_USER en mode reverse-proxy.</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>This can be useful to allow an third party application to access a virtual host with users credentials by sending a Basic challenge to it.</seg>
</tuv>
<tuv lang="FR-FR" changeid="xavier" changedate="20121005T041259Z">
<seg>Ce peut être pratique pour autoriser une application cliente à accéder à un hôte virtuel avec un authentifiant en envoyant un en-tête basique.</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>This concerns all parameters for the Attribute Authority metadata section</seg>
......@@ -20790,14 +20798,6 @@ failregex = Lemonldap\:\:NG \: .* was not found in LDAP directory \(&lt;HOST&gt;
<seg>Peut être défini par défaut.</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>This step should already have been if you installed LL::NG with packages.</seg>
</tuv>
<tuv lang="FR-FR" changeid="xavier" changedate="20160301T061046Z">
<seg>Cette étape est effectuée automatiquement lorsqu'on installe LL::NG avec les packages.</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>This user will not be available anymore if you configure a new authentication backend!</seg>
......@@ -22178,14 +22178,6 @@ Index -&gt; ipAddr uid</seg>
<seg>À la réception de la requête, le contexte d'authentification réel est traduit en un niveau d'authentification interne (voir comment configurer la translation), utilisable pour accorder ou non la création de session.</seg>
</tuv>
</tu>
<tu>
<tuv lang="EN-US">
<seg>When session is granted, the Handler will then check the authorizations like the standard Handler.</seg>
</tuv>
<tuv lang="FR-FR" changeid="xavier" changedate="20121005T041124Z">
<seg>Lorsque la session est validée, l'agent examine les autorisations comme un agent standard.</seg>
</tuv>
</tu>
<tu>