 
......@@ -17,12 +17,17 @@ before_script:
- env | grep ^CI_
# Converting to native package...
- sed -i "1{s/-1) /$suffix) /}" debian/changelog
- sed -i "1{s/-2) /$suffix) /}" debian/changelog
- sed -i 's/3.0 (quilt)/3.0 (native)/' debian/source/format
build_stretch:
image: buildpkg/debian:stretch
<<: *job_build
build_buster:
image: buildpkg/debian:buster
<<: *job_build
#build_xenial:
# image: buildpkg/ubuntu:xenial
# <<: *job_build
......@@ -42,6 +47,7 @@ sign:
- ci-sign-pkg
dependencies:
- build_stretch
- build_buster
# - build_xenial
- build_bionic
artifacts:
......@@ -109,7 +109,7 @@ License: CC-BY-NC-ND-3.0 or GFDL-1.3
Comment: downloaded from https://commons.wikimedia.org
Files: lemonldap-ng-manager/site/htdocs/static/bwr/angular*
Copyright: 2010-2017, Google, Inc. https://angularjs.org
Copyright: 2010-2018, Google, Inc. https://angularjs.org
License: Expat
Files: lemonldap-ng-manager/site/htdocs/static/bwr/angular-bootstrap/*
......@@ -121,7 +121,7 @@ Copyright: 2014, unspecified
License: Expat
Files: lemonldap-ng-*/site/htdocs/static/bwr/bootstrap/*
Copyright: 2011-2016, Twitter Inc.
Copyright: 2011-2018, Twitter Inc.
License: Expat
Files: lemonldap-ng-portal/site/htdocs/static/bwr/crypto-js/*
......@@ -130,7 +130,7 @@ Copyright: 2009-2013 Jeff Mott
License: Expat
Files: lemonldap-ng-manager/site/htdocs/static/bwr/es5-shim/*
Copyright: 2009-2015, Kristopher Michael Kowal and contributors
Copyright: 2009-2015, contributors
License: Expat
Files: lemonldap-ng-manager/site/htdocs/static/bwr/file-saver.js/*
......@@ -111,6 +111,9 @@ UWSGIGROUP=$(APACHEGROUP)
# Apache version
APACHEVERSION=2.X
# Apache log dir
APACHELOGDIR=/var/log/apache2
# DNS Domain for cookie and virtual hosts
DNSDOMAIN=example.com
......@@ -120,6 +123,7 @@ VHOSTLISTEN="*:$(PORT)"
TESTWEBSERVER=apache
TESTWEBSERVERPORT=19876
TESTUSESSL=0
E2E_TESTS='portal/*.js'
# LDAP backend test
LLNGTESTLDAP_SLAPD_BIN=/usr/sbin/slapd
......@@ -379,12 +383,8 @@ autopkgtest: all
e2e_test: all prepare_test_server start_web_server launch_protractor stop_web_server
nox_full_test: test prepare_test_server start_web_server
X -noreset +extension GLX +extension RANDR +extension RENDER -logfile ./e2e-tests/conf/X.log -config ./e2e-tests/xorg.conf :11 & \
echo $$! > e2e-tests/conf/X.pid
-DISPLAY=:11 $(MAKE) launch_protractor
kill $$(cat e2e-tests/conf/X.pid)
$(MAKE) stop_web_server
nox_e2e_test:
xvfb-run -a -s "-screen 0 800x600x16" $(MAKE) e2e_test
prepare_test_server:
-@mkdir -p e2e-tests/conf/sessions/lock e2e-tests/conf/persistents/lock
......@@ -408,6 +408,7 @@ prepare_test_server:
#@cp -f e2e-tests/index.* e2e-tests/conf/
@cp -f $(SRCMANAGERDIR)/site/htdocs/manager* e2e-tests/conf/manager
@cp -f $(SRCPORTALDIR)/site/htdocs/index* e2e-tests/conf/portal
@cp e2e-tests/persistent/5efe8af397fc3577e05b483aca964f1b e2e-tests/conf/persistents
@cp e2e-tests/saml-sp.xml e2e-tests/conf/site/saml-sp.xml
@cp e2e-tests/rules.json e2e-tests/conf/site/test.json
@for f in $$(find e2e-tests/conf -name '*.fcgi'); do \
......@@ -548,7 +549,7 @@ launch_protractor:
# Start e2e tests
# NB: you must have protractor installed (using npm install -g protractor)
# and have run update-webdriver at least once and have a node.js > 4.0
@TESTWEBSERVERPORT=$(TESTWEBSERVERPORT) protractor e2e-tests/protractor-conf.js
@E2E_TESTS=$(E2E_TESTS) TESTWEBSERVERPORT=$(TESTWEBSERVERPORT) protractor e2e-tests/protractor-conf.js
stop_web_server:
# Stop web server
......@@ -568,7 +569,7 @@ plackup:
-F >e2e-tests/conf/fastcgi.log 2>&1 &
install_test:
@TESTWEBSERVERPORT=$(PORT) protractor e2e-tests/protractor-conf.js
@E2E_TESTS=$(E2E_TESTS) TESTWEBSERVERPORT=$(PORT) protractor e2e-tests/protractor-conf.js
# Install targets
# ---------------
......@@ -711,6 +712,7 @@ install_webserver_conf:
s#__MANAGERSITEDIR__#$(MANAGERSITEDIR)/#g; \
s#__MANAGERSTATICDIR__#$(MANAGERSTATICDIR)/#g; \
s#__TESTDIR__#$(TESTDIR)/#g; \
s#__APACHELOGDIR__#$(APACHELOGDIR)#g; \
s#__PORT__#$(PORT)#g; \
s#__CONFDIR__#$(CONFDIR)#g; \
s#__FASTCGISOCKDIR__#$(FASTCGISOCKDIR)#g; \
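Review bot: `E2E_TESTS='portal/*.js'` keeps the single quotes as part of the Make value (Make never strips quotes), so the protractor lines in launch_protractor and install_test only behave because those literal quotes happen to reach the recipe shell; any other use of the knob (echoing it, substituting it through sed like the other variables in this file) would carry the quotes along, and a command-line override such as `make E2E_TESTS=portal/*.js` is globbed by the invoking shell before Make sees it. The conventional form keeps the value bare and quotes at the use site: `E2E_TESTS=portal/*.js` in the variable block and `@E2E_TESTS="$(E2E_TESTS)" TESTWEBSERVERPORT=$(TESTWEBSERVERPORT) protractor e2e-tests/protractor-conf.js` in both recipes. In the prepare_test_server hunk the new `@cp e2e-tests/persistent/... e2e-tests/conf/persistents` is the only copy in that run without `-f`, so a re-run against a read-only leftover fails silently under `@`; `@cp -f` matches its neighbours. The recipe bodies of nox_full_test and prepare_test_server continue outside their hunks.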
......@@ -75,7 +75,7 @@
"description" : "Official LemonLDAP::NG Website",
"display" : "on",
"logo" : "network.png",
"name" : "Offical Website",
"name" : "Official Website",
"uri" : "http://lemonldap-ng.org/"
},
"type" : "application"
......@@ -86,7 +86,7 @@
"authentication" : "Demo",
"cfgAuthor" : "The LemonLDAP::NG team",
"cfgNum" : 1,
"cfgVersion" : "2.0.0",
"cfgVersion" : "2.0.1",
"cookieName" : "lemonldap",
"demoExportedVars" : {
"cn" : "cn",
......@@ -12,9 +12,6 @@
# IMPORTANT:
# To protect applications, see test-apache.conf template in example files
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost __VHOSTLISTEN__
# Load LemonLDAP::NG Handler
PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler::ApacheMP2
......@@ -2,9 +2,6 @@
# Apache configuration for LemonLDAP::NG Manager
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost __VHOSTLISTEN__
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O" llng
......@@ -14,8 +11,8 @@
ServerName manager.__DNSDOMAIN__
LogLevel notice
# See above to set LLNG user id in Apache logs
#CustomLog ${APACHE_LOG_DIR}/manager.log llng
#ErrorLog ${APACHE_LOG_DIR}/lm_err.log
#CustomLog __APACHELOGDIR__/manager.log llng
#ErrorLog __APACHELOGDIR__/lm_err.log
# FASTCGI CONFIGURATION
# ---------------------
......@@ -14,8 +14,8 @@
ServerName manager.__DNSDOMAIN__
LogLevel notice
# See above to set LLNG user id in Apache logs
#CustomLog ${APACHE_LOG_DIR}/manager.log llng
#ErrorLog ${APACHE_LOG_DIR}/lm_err.log
#CustomLog __APACHELOGDIR__/manager.log llng
#ErrorLog __APACHELOGDIR__/lm_err.log
# FASTCGI CONFIGURATION
# ---------------------
......@@ -14,8 +14,8 @@
ServerName manager.__DNSDOMAIN__
LogLevel notice
# See above to set LLNG user id in Apache logs
#CustomLog ${APACHE_LOG_DIR}/manager.log llng
#ErrorLog ${APACHE_LOG_DIR}/lm_err.log
#CustomLog __APACHELOGDIR__/manager.log llng
#ErrorLog __APACHELOGDIR__/lm_err.log
# FASTCGI CONFIGURATION
# ---------------------
......@@ -2,9 +2,6 @@
# Apache configuration for LemonLDAP::NG Portal
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost __VHOSTLISTEN__
# To insert LLNG user id in Apache logs, declare this format and use it in
# CustomLog directive
#LogFormat "%v:%p %h %l %{Lm-Remote-User}o %t \"%r\" %>s %O" llng
......@@ -13,7 +10,7 @@
<VirtualHost __VHOSTLISTEN__>
ServerName auth.__DNSDOMAIN__
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/portal.log llng
#CustomLog __APACHELOGDIR__/portal.log llng
# DocumentRoot (FCGI scripts)
DocumentRoot __PORTALSITEDIR__
......@@ -32,7 +29,12 @@
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
#CGIPassAuth on
# For Authorization header to be passed, please uncomment one of the following:
# for Apache >= 2.4.13
#CGIPassAuth On
# for Apache < 2.4.13
#RewriteCond %{HTTP:Authorization} ^(.*)
#RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
Options +ExecCGI
header unset Lm-Remote-User
</Files>
......@@ -41,7 +43,7 @@
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files
Alias /static/ __PORTALSTATICDIR__/
Alias /static/ __PORTALSTATICDIR__
<Directory __PORTALSTATICDIR__>
Require all granted
Options +FollowSymLinks
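Review bot: `Alias /static/ __PORTALSTATICDIR__` now has a url-path ending in `/` but a file-path that does not, and mod_alias substitutes the matched prefix literally, so `/static/x.css` would resolve to `...staticx.css` unless the build-time substitution of `__PORTALSTATICDIR__` itself ends in `/`; the Makefile hunk in this commit appends `/` for `__MANAGERSTATICDIR__`, so presumably the portal placeholder is treated the same way, but that coupling is invisible in this template and deserves a comment such as `# __PORTALSTATICDIR__ is substituted with a trailing slash at build time; do not add one here`. The mod_rewrite alternative for forwarding the Authorization header (`RewriteCond %{HTTP:Authorization} ^(.*)` / `RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]`) only takes effect when mod_rewrite is loaded and `RewriteEngine On` is set in this vhost, neither of which the template shows; the comment above it should say so, since an admin uncommenting only those two lines gets no error and no header. Whichever variant is enabled exposes the client's credentials to every script matched by `<Files *.fcgi>`, which is worth one line in the comment. The same two points apply to the other two portal templates further down the page (the sections with `Require all granted` and with `Order allow,deny`).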
......@@ -13,7 +13,7 @@
<VirtualHost __VHOSTLISTEN__>
ServerName auth.__DNSDOMAIN__
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/portal.log llng
#CustomLog __APACHELOGDIR__/portal.log llng
# DocumentRoot (FCGI scripts)
DocumentRoot __PORTALSITEDIR__
......@@ -38,7 +38,12 @@
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
#CGIPassAuth on
# For Authorization header to be passed, please uncomment one of the following:
# for Apache >= 2.4.13
#CGIPassAuth On
# for Apache < 2.4.13
#RewriteCond %{HTTP:Authorization} ^(.*)
#RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
Options +ExecCGI
header unset Lm-Remote-User
</Files>
......@@ -47,7 +52,7 @@
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files
Alias /static/ __PORTALSTATICDIR__/
Alias /static/ __PORTALSTATICDIR__
<Directory __PORTALSTATICDIR__>
Require all granted
Options +FollowSymLinks
......@@ -13,7 +13,7 @@
<VirtualHost __VHOSTLISTEN__>
ServerName auth.__DNSDOMAIN__
# See above to set LLNG user id in Apache logs
#CustomLog /var/log/apache2/portal.log llng
#CustomLog __APACHELOGDIR__/portal.log llng
# DocumentRoot (FCGI scripts)
DocumentRoot __PORTALSITEDIR__
......@@ -33,7 +33,12 @@
# Note that Content-Security-Policy header is generated by portal itself
<Files *.fcgi>
SetHandler fcgid-script
#CGIPassAuth on
# For Authorization header to be passed, please uncomment one of the following:
# for Apache >= 2.4.13
#CGIPassAuth On
# for Apache < 2.4.13
#RewriteCond %{HTTP:Authorization} ^(.*)
#RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
Options +ExecCGI
header unset Lm-Remote-User
</Files>
......@@ -42,7 +47,7 @@
#FcgidInitialEnv LLNGSTATUSHOST 127.0.0.1:64321
# Static files
Alias /static/ __PORTALSTATICDIR__/
Alias /static/ __PORTALSTATICDIR__
<Directory __PORTALSTATICDIR__>
Order allow,deny
Allow from all
......@@ -2,8 +2,6 @@
# Apache configuration for LemonLDAP::NG sample applications
#====================================================================
# Uncomment this if no previous NameVirtualHost declaration
#NameVirtualHost __VHOSTLISTEN__
PerlModule Lemonldap::NG::Handler::ApacheMP2::Menu
# Sample application
......@@ -61,10 +61,10 @@ server {
# Set manually your headers
#auth_request_set $authuser $upstream_http_auth_user;
#proxy_set_header Auth-User $authuser;
# OR in the correspondinc block
# OR in the corresponding block
#fastcgi_param HTTP_AUTH_USER $authuser;
# Then (if LUA not supported), change cookie header to hide LLNG cookie
# Then (if LUA is not supported), change cookie header to hide LLNG cookie
#auth_request_set $lmcookie $upstream_http_cookie;
#proxy_set_header Cookie: $lmcookie;
# OR in the corresponding block
lemonldap-ng (2.0.1) artful; urgency=medium
* Bugs:
* #1564: Function authLogout is missing in package "Lemonldap::NG::Portal::Auth::SSL"
* #1572: Error when saving in manager (mongoDB as ConfigurationBackend)
* #1576: Browser doesn t select Portal appropriate language
* #1579: SOAP Backend error for empty collection
* #1582: MongoDB Conf backend looses sub hash keys
* #1586: Portal message override do not work on plugins and mails templates
* #1587: Captcha is not displayed in Register form if mail already exists
* #1588: Captcha is validated with additional letters
* #1589: Error in MailReset when asking to resend confirmation mail
* #1592: Cannot select a menu tab with ?tab=<tab id> in URL
* #1594: Cannot select oidcConsents tab in menu
* Improvements:
* #1565: OpenId - Default CSP value cause breakdown in OpenId authentification form
* #1578: Fix fcgi/psgi extensions in documentation
* #1583: Append parameter to configure number of allowed failed logins before brute force protection activation
* #1584: Browser doesn t select Manager appropriate language
* #1585: Fix main logo and langs icons display & double slash in lmerror 403 error URL
* #1591: $req->user not available in plugins authenticated routes
* #1593: Bad userinfo response: Unauthorized
* #1596: Possibility to define new tabs in Menu
* #1599: Usage of OpenID Connect with bad scope value result in unlimited session grow
-- Clément <clem.oudot@gmail.com> Fri, 21 Dec 2018 15:12:13 +0100
lemonldap-ng (2.0.0) artful; urgency=medium
* Bugs:
lemonldap-ng (2.0.1-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Fri, 11 Dec 2018 12:00:00 +0100
lemonldap-ng (2.0.0-2) unstable; urgency=medium
* Fix warnings in Manager
-- Clement OUDOT <clement@oodo.net> Sat, 01 Dec 2018 12:00:00 +0100
lemonldap-ng (2.0.0-1) unstable; urgency=medium
* New release. See changes on our website:
......@@ -47,7 +47,7 @@ Build-Depends-Indep: libapache-session-perl,
libxml-libxslt-perl,
libxml-simple-perl,
perl
Standards-Version: 4.2.1
Standards-Version: 4.3.0
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
Homepage: https://lemonldap-ng.org/
......@@ -100,6 +100,7 @@ Section: web
Depends: ${misc:Depends},
${perl:Depends},
lsb-base,
libfcgi-perl,
libfcgi-procmanager-perl,
liblemonldap-ng-handler-perl (= ${binary:Version}),
libplack-perl
......@@ -271,11 +272,12 @@ Recommends: libcrypt-openssl-bignum-perl,
libnet-ldap-perl,
libstring-random-perl,
libunicode-string-perl
Suggests: libauthcas-perl,
libcrypt-u2f-server-perl,
Suggests: libcrypt-u2f-server-perl,
libdbi-perl,
libglib-perl,
libgssapi-perl,
libimage-magick-perl,
libipc-run-perl,
liblasso-perl,
libnet-facebook-oauth2-perl (>= 0.10),
libnet-openid-consumer-perl,
......@@ -109,7 +109,7 @@ License: CC-BY-NC-ND-3.0 or GFDL-1.3
Comment: downloaded from https://commons.wikimedia.org
Files: lemonldap-ng-manager/site/htdocs/static/bwr/angular*
Copyright: 2010-2017, Google, Inc. https://angularjs.org
Copyright: 2010-2018, Google, Inc. https://angularjs.org
License: Expat
Files: lemonldap-ng-manager/site/htdocs/static/bwr/angular-bootstrap/*
......@@ -121,7 +121,7 @@ Copyright: 2014, unspecified
License: Expat
Files: lemonldap-ng-*/site/htdocs/static/bwr/bootstrap/*
Copyright: 2011-2016, Twitter Inc.
Copyright: 2011-2018, Twitter Inc.
License: Expat
Files: lemonldap-ng-portal/site/htdocs/static/bwr/crypto-js/*
......@@ -130,7 +130,7 @@ Copyright: 2009-2013 Jeff Mott
License: Expat
Files: lemonldap-ng-manager/site/htdocs/static/bwr/es5-shim/*
Copyright: 2009-2015, Kristopher Michael Kowal and contributors
Copyright: 2009-2015, contributors
License: Expat
Files: lemonldap-ng-manager/site/htdocs/static/bwr/file-saver.js/*
#!/bin/bash
set -e
. /usr/share/debconf/confmodule
if [ "$1" == "configure" ]
then
find /var/lib/lemonldap-ng/manager/{static,manager.fcgi} -type l -xtype l -delete 2>/dev/null || true
fi
#DEBHELPER#
exit 0
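Review bot: The `find ... -type l -xtype l -delete` line in the configure branch removes dangling symlinks but carries no comment saying which earlier package layout leaves them behind, so a later maintainer cannot tell when the cleanup can be retired; suggest `# Remove dangling symlinks (static/, manager.fcgi) left behind by an earlier package layout — presumably pre-2.0, confirm before dropping`. `2>/dev/null || true` also hides every failure of find, not only the "no such file" case it is presumably there for; if that is the intent, say so in the comment. The `{static,manager.fcgi}` brace expansion is the only thing tying this script to `#!/bin/bash`; spelling the two paths out would let it run under the `/bin/sh` that Debian maintainer scripts normally use, though the bash shebang is consistent as written.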
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=df13de1d1df0e6da1b89ce87ded3ea23" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=d452aa8bbc7962a5bfc893503ed1a55d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -241,7 +241,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1543524687" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1545404374" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=df13de1d1df0e6da1b89ce87ded3ea23" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=d452aa8bbc7962a5bfc893503ed1a55d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -241,7 +241,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1543524687" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1545404374" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......@@ -89,6 +89,16 @@ They can then be forwarded to applications trough <a href="writingrulesand_heade
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose <abbr title="Central Authentication Service">CAS</abbr> for authentication.
</p>
<div class="notetip">You can then choose any other module for users and password.
</div><div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in :
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div>
<p>
Then, go in <code><abbr title="Central Authentication Service">CAS</abbr> parameters</code>:
......@@ -135,10 +135,12 @@ Each module that will be used in combination rule must be declared. You must set
</li>
</ul>
</li>
<li class="level1"><div class="li"> overwritten parameters: you can redefine any LLNG string parameter. For example, if you use 2 different LDAP, the first can use normal configuration and for the second, overwritten parameter can redefine ldapServer,…</div>
<li class="level1"><div class="li"> overloaded parameters: you can redefine any LLNG string parameters. For example, if you use 2 different LDAP, the first can use normal configuration and for the second, overwritten parameter can redefine ldapServer,…</div>
</li>
</ul>
<div class="noteclassic">To overload parameters, you must select a module, add a parameter and set its value.
</div>
<p>
For example:
</p>
......@@ -155,13 +157,13 @@ For example:
<td class="col0"> DB2 </td><td class="col1"> <abbr title="Database Interface">DBI</abbr> </td><td class="col2"> User DB only </td><td class="col3"> dbiAuthChain ⇒ “mysql:…” </td>
</tr>
</table></div>
<!-- EDIT6 TABLE [1034-1157] -->
<!-- EDIT6 TABLE [1133-1256] -->
<p>
Usually, you can&#039;t declare two modules of the same type if they don&#039;t have the same parameters. For example, usually you can&#039;t declare a MySQL <abbr title="Database Interface">DBI</abbr> and a PostgreSQL <abbr title="Database Interface">DBI</abbr>, because there is no extra field for PostgreSQL parameters. Now with Combination, you can declare some overloaded parameters. For example, if <abbr title="Database Interface">DBI</abbr> is configured to use PostgreSQL but DB2 is a MySQL DB, you can override the “dbiChain” parameter.
</p>
</div>
<!-- EDIT5 SECTION "Modules declaration" [516-1571] -->
<!-- EDIT5 SECTION "Modules declaration" [516-1670] -->
<h3 class="sectionedit7" id="rule_chain">Rule chain</h3>
<div class="level3">
......@@ -208,7 +210,7 @@ Remember that schemes in rules are the names declared above.
<td class="col0 leftalign"> <code>[mySSL and myLDAP, myLDAP ]</code> </td><td class="col1"> Use mySSL and myLDAP to authentify, myLDAP to get user </td>
</tr>
</table></div>
<!-- EDIT8 TABLE [2025-2456] --><div class="noteimportant">Note that “or” can&#039;t be used inside a scheme.
<!-- EDIT8 TABLE [2124-2555] --><div class="noteimportant">Note that “or” can&#039;t be used inside a scheme.
If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, myLDAP] or [myLDAP, myLDAP]</code>
</div><div class="table sectionedit9"><table class="inline table table-bordered table-striped">
......@@ -224,7 +226,7 @@ If you think to “[mySSL or myLDAP, myLDAP]”, you must write <code>[mySSL, my
<td class="col0"> <code>[myDBI1] and [myDBI2] or [myLDAP] and [myDBI2]</code> </td><td class="col1"> Try myDBI1 and myDBI2, if it fails, try myLDAP and myDBI2 </td>
</tr>
</table></div>
<!-- EDIT9 TABLE [2629-2873] --><div class="noteimportant">You can&#039;t use brackets in a boolean expression and “and” has precedence on “or”.
<!-- EDIT9 TABLE [2728-2972] --><div class="noteimportant">You can&#039;t use brackets in a boolean expression and “and” has precedence on “or”.
<p>
If you think to “( [myLDAP] or [myDBI1] ) and [myDBI2]”, you must write <code>[myLDAP] and [myDBI2] or [myDBI1] and [myDBI2]</code>
</p>
......@@ -251,7 +253,7 @@ Test can use only the <code>$env</code> variable. It contains the FastCGI enviro
<td class="col0"> <code>if($env→{REMOTE_ADDR} =~ /^10\./) then [myLDAP] else if($env→{REMOTE_ADDR} =~ /^192/) then [myDBI1] else [myDBI2]</code> </td><td class="col1"> Chain tests </td>
</tr>
</table></div>
<!-- EDIT10 TABLE [3209-3531] --><div class="noteimportant">Note that brackets can&#039;t be used except to enclose test.
<!-- EDIT10 TABLE [3308-3630] --><div class="noteimportant">Note that brackets can&#039;t be used except to enclose test.
<p>
If you wants to write <code>if(…) then if…</code>, you must write <code>if(not …) then … else if(…)…</code>
</p>
......@@ -271,7 +273,7 @@ The following rule is valid:
</p>
</div>
<!-- EDIT7 SECTION "Rule chain" [1572-3878] -->
<!-- EDIT7 SECTION "Rule chain" [1671-3977] -->
<h3 class="sectionedit11" id="combine_second_factor">Combine second factor</h3>
<div class="level3">
......@@ -296,7 +298,7 @@ Now if you want to authenticate users either by LDAP or LDAP+U2F <em>(to have 2
</ul>
</div>
<!-- EDIT11 SECTION "Combine second factor" [3879-4528] -->
<!-- EDIT11 SECTION "Combine second factor" [3978-4627] -->
<h3 class="sectionedit12" id="display_multiple_forms">Display multiple forms</h3>
<div class="level3">
......@@ -307,12 +309,12 @@ Combination module returns the form corresponding to the first authentication sc
<span class="re1">combinationForms</span> <span class="sy0">=</span><span class="re2"> standardform, openidform</span></pre>
</div>
<!-- EDIT12 SECTION "Display multiple forms" [4529-4857] -->
<!-- EDIT12 SECTION "Display multiple forms" [4628-4956] -->
<h2 class="sectionedit13" id="known_problems">Known problems</h2>
<div class="level2">
</div>
<!-- EDIT13 SECTION "Known problems" [4858-4885] -->
<!-- EDIT13 SECTION "Known problems" [4957-4984] -->
<h3 class="sectionedit14" id="federation_protocols">Federation protocols</h3>
<div class="level3">
......@@ -332,9 +334,9 @@ Combination module returns the form corresponding to the first authentication sc
<td class="col0"> <em><code>[<abbr title="Security Assertion Markup Language">SAML</abbr>] and [LDAP] or [LDAP]</code></em> </td><td class="col1"> <code>[<abbr title="Security Assertion Markup Language">SAML</abbr>, <abbr title="Security Assertion Markup Language">SAML</abbr> and LDAP] or [LDAP]</code> </td><td class="col2"> Authentication is done by <abbr title="Security Assertion Markup Language">SAML</abbr> or LDAP but user must match an LDAP entry </td>
</tr>
</table></div>
<!-- EDIT15 TABLE [5185-5517] -->
<!-- EDIT15 TABLE [5284-5616] -->
</div>
<!-- EDIT14 SECTION "Federation protocols" [4886-5518] -->
<!-- EDIT14 SECTION "Federation protocols" [4985-5617] -->
<h3 class="sectionedit16" id="authapache_authentication">Auth::Apache authentication</h3>
<div class="level3">
......@@ -352,7 +354,7 @@ To bypass this, follow the documentation of <a href="authapache.html" class="wik
</p>
</div>
<!-- EDIT16 SECTION "Auth::Apache authentication" [5519-6130] -->
<!-- EDIT16 SECTION "Auth::Apache authentication" [5618-6229] -->
<h3 class="sectionedit17" id="ssl_authentication">SSL authentication</h3>
<div class="level3">
......@@ -361,6 +363,6 @@ To chain SSL, you have to set “SSLRequire optional” in Apache configuration,
</p>
</div>
<!-- EDIT17 SECTION "SSL authentication" [6131-] --></div>
<!-- EDIT17 SECTION "SSL authentication" [6230-] --></div>
</body>
</html>
......@@ -115,6 +115,16 @@ If you use Facebook as user database, declare values in exported variables:
</li>
</ul>
<div class="noteimportant">Do not query user field in exported variables, as it is already registered by the authentication module in <code>$_user</code>.
</div><div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in :
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div><div class="notetip">You can use the same Facebook access token in your applications. It is stored in session datas under the name <code>$_facebookToken</code>
</div>
</div>
......@@ -97,6 +97,16 @@ Then, go in <code>LinkedIn parameters</code>:
</li>
</ul>
<div class="notetip">Collected fields are stored in session in <code>linkedIn_</code> keys
</div><div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in :
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [527-] --></div>
......@@ -141,7 +141,17 @@ To configure requested attributes, edit <strong>Exported variables</strong> and
<p>
See also <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables configuration</a>.
</p>
<div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in :
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div>
</div>
<!-- EDIT4 SECTION "Configuration" [948-] --></div>
</body>
......@@ -155,6 +155,16 @@ In <code>General Parameters</code> &gt; <code>Authentication modules</code>, set
</li>
</ul>
<div class="notetip">As passwords will not be managed by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you can disable <a href="portalmenu.html#menu_modules" class="wikilink1" title="documentation:2.0:portalmenu">menu password module</a>.
</div><div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in :
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div>
<p>
Then in <code>General Parameters</code> &gt; <code>Authentication modules</code> &gt; <code>OpenID Connect parameters</code>, you can set:
......@@ -169,7 +179,7 @@ Then in <code>General Parameters</code> &gt; <code>Authentication modules</code>
</ul>
</div>
<!-- EDIT7 SECTION "Authentication and UserDB" [1547-2338] -->
<!-- EDIT7 SECTION "Authentication and UserDB" [1547-2707] -->
<h3 class="sectionedit8" id="register_llng_to_an_openid_connect_provider">Register LL::NG to an OpenID Connect Provider</h3>
<div class="level3">
......@@ -195,7 +205,7 @@ After registration, the OP must give you a client ID and a client secret, that w
</p>
</div>
<!-- EDIT8 SECTION "Register LL::NG to an OpenID Connect Provider" [2339-3053] -->
<!-- EDIT8 SECTION "Register LL::NG to an OpenID Connect Provider" [2708-3422] -->
<h3 class="sectionedit9" id="declare_the_openid_connect_provider_in_llng">Declare the OpenID Connect Provider in LL::NG</h3>
<div class="level3">
......@@ -428,6 +438,6 @@ So you can define for example:
</ul>
</div>
<!-- EDIT9 SECTION "Declare the OpenID Connect Provider in LL::NG" [3054-] --></div>
<!-- EDIT9 SECTION "Declare the OpenID Connect Provider in LL::NG" [3423-] --></div>
</body>
</html>
......@@ -112,20 +112,20 @@ Then, go in <code>Proxy parameters</code>:
</li>
<li class="level1"><div class="li"> <strong>Authentication level</strong>: level given to this authentication</div>
</li>
<li class="level1"><div class="li"> <strong>Use SOAP instead of REST</strong>: use a SOAP server (deprecated) instead of a REST one (you must set it if internal portal version is &lt; 2.0). In this case, “Portal <abbr title="Uniform Resource Locator">URL</abbr>” parameter must contains SOAP endpoint (generally <a href="http://auth.example.com/index.pl/sessions" class="urlextern" title="http://auth.example.com/index.pl/sessions" rel="nofollow">http://auth.example.com/index.pl/sessions</a> for 1.9 and earlier, <a href="http://auth.example.com/sessions" class="urlextern" title="http://auth.example.com/sessions" rel="nofollow">http://auth.example.com/sessions</a> for 2.0)</div>
<li class="level1"><div class="li"> <strong>Use SOAP instead of REST</strong>: use a deprecated SOAP server instead of a REST one (you must set it if internal portal version is &lt; 2.0). In this case, “Portal <abbr title="Uniform Resource Locator">URL</abbr>” parameter must contains SOAP endpoint (generally <a href="http://auth.example.com/index.pl/sessions" class="urlextern" title="http://auth.example.com/index.pl/sessions" rel="nofollow">http://auth.example.com/index.pl/sessions</a> for 1.9 and earlier, <a href="http://auth.example.com/sessions" class="urlextern" title="http://auth.example.com/sessions" rel="nofollow">http://auth.example.com/sessions</a> for 2.0)</div>
</li>
</ul>
</div>
<!-- EDIT5 SECTION "External portal" [486-1341] -->
<!-- EDIT5 SECTION "External portal" [486-1339] -->
<h3 class="sectionedit6" id="internal_portal">Internal portal</h3>
<div class="level3">
<p>
The portal must be configured to accept REST or SOAP authentication requests if you&#039;ve choose to use SOAP. See: <a href="restserverplugin" class="wikilink2" title="documentation:2.0:restserverplugin" rel="nofollow">REST server plugin</a> or <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a>.
The portal must be configured to accept REST or SOAP authentication requests if you&#039;ve choose to use SOAP. See: <a href="restservices.html" class="wikilink1" title="documentation:2.0:restservices">REST server plugin</a> or <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a> <em>(deprecated)</em>.
</p>
</div>
<!-- EDIT6 SECTION "Internal portal" [1342-] --></div>
<!-- EDIT6 SECTION "Internal portal" [1340-] --></div>
</body>
</html>
......@@ -111,9 +111,19 @@ For each IDP, you can configure attributes that are collected. Some can be manda
<p>
See <a href="samlservice.html" class="wikilink1" title="documentation:2.0:samlservice">SAML service</a> configuration chapter.
</p>
<div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in :
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div>
<!-- EDIT5 SECTION "SAML Service" [721-801] -->
</div>
<!-- EDIT5 SECTION "SAML Service" [721-1170] -->
<h3 class="sectionedit6" id="authentication_and_userdb">Authentication and UserDB</h3>
<div class="level3">
......@@ -129,7 +139,7 @@ In <code>General Parameters</code> &gt; <code>Authentication modules</code>, set
<div class="notetip">As passwords will not be managed by <abbr title="LemonLDAP::NG">LL::NG</abbr>, you can disable <a href="portalmenu.html#menu_modules" class="wikilink1" title="documentation:2.0:portalmenu">menu password module</a>.
</div>
</div>
<!-- EDIT6 SECTION "Authentication and UserDB" [802-1085] -->
<!-- EDIT6 SECTION "Authentication and UserDB" [1171-1454] -->
<h3 class="sectionedit7" id="register_lemonldapng_on_partner_identity_provider">Register LemonLDAP::NG on partner Identity Provider</h3>
<div class="level3">
......@@ -142,7 +152,7 @@ They are available at the EntityID <abbr title="Uniform Resource Locator">URL</a
</p>
</div>
<!-- EDIT7 SECTION "Register LemonLDAP::NG on partner Identity Provider" [1086-1332] -->
<!-- EDIT7 SECTION "Register LemonLDAP::NG on partner Identity Provider" [1455-1701] -->
<h3 class="sectionedit8" id="register_partner_identity_provider_on_lemonldapng">Register partner Identity Provider on LemonLDAP::NG</h3>
<div class="level3">
......@@ -289,6 +299,6 @@ These options override service signature options (see <a href="samlservice.html#
</ul>
</div>
<!-- EDIT8 SECTION "Register partner Identity Provider on LemonLDAP::NG" [1333-] --></div>
<!-- EDIT8 SECTION "Register partner Identity Provider on LemonLDAP::NG" [1702-] --></div>
</body>
</html>
......@@ -83,6 +83,16 @@ You need to register a new application on Twitter to get <abbr title="Applicatio
In Manager, go in <code>General Parameters</code> &gt; <code>Authentication modules</code> and choose Twitter for authentication module.
</p>
<div class="notetip">You can then choose any other module for users and password.
</div><div class="noteimportant">Browser implementations of formAction directive are inconsistent (e.g. Firefox doesn&#039;t block the redirects whereas Chrome does).
Administrators may have to modify formAction value with wildcard likes *.
<p>
In Manager, go in :
</p>
<p>
<code>General Parameters</code> &gt; <code>Advanced Parameters</code> &gt; <code>Security</code> &gt; <code>Content Security Policy</code> &gt; <code>Form destination</code>
</p>
</div>
<p>
Then, go in <code>Twitter parameters</code>:
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:bruteforceprotection</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,bruteforceprotection"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="bruteforceprotection.html"/>
......@@ -52,7 +52,7 @@ bruteForceProtection plugin prevents brute force attack. Plugin DISABLED by defa
</p>
<p>
After three failed login attempts, user must wait (30 seconds by default) before try to log in again.
After some failed login attempts, user must wait (30 seconds by default) before try to log in again.
</p>
<p>
......@@ -60,7 +60,7 @@ The aim of a brute force attack is to gain access to user accounts by repeatedly
</p>
</div>
<!-- EDIT1 SECTION "Brute Force Protection Addon" [1-456] -->
<!-- EDIT1 SECTION "Brute Force Protection Addon" [1-455] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
......@@ -73,13 +73,14 @@ Go in Manager, <code>General Parameters</code> » <code>Advanced Parameters</cod
</p>
<p>
To modify waiting time (30 seconds by default) before reAuthentication and MaxAge between current and last stored failed login (300 seconds by default) edit <code>lemonldap-ng.ini</code> in section [portal]:
To modify waiting time (30 seconds by default) before reAuthentication, MaxAge between current and last stored failed login (300 seconds by default) or number of allowed failed login attempts (3 by default) edit <code>lemonldap-ng.ini</code> in section [portal]:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">bruteForceProtectionTempo</span> <span class="sy0">=</span><span class="re2"> 30</span>
<span class="re1">bruteForceProtectionMaxAge</span> <span class="sy0">=</span><span class="re2"> 300</span></pre>
<span class="re1">bruteForceProtectionMaxAge</span> <span class="sy0">=</span><span class="re2"> 300</span>
<span class="re1">bruteForceProtectionMaxFailed</span> <span class="sy0">=</span><span class="re2"> 3</span></pre>
</div>
<!-- EDIT2 SECTION "Configuration" [457-] --></div>
<!-- EDIT2 SECTION "Configuration" [456-] --></div>
</body>
</html>
......@@ -323,7 +323,12 @@ In Portal virtual host, you will find several configuration parts:
<span class="co1"># Note that Content-Security-Policy header is generated by portal itself</span>
&lt;<span class="kw3">Files</span> *.fcgi&gt;
<span class="kw1">SetHandler</span> fcgid-<span class="kw1">script</span>
<span class="co1">#CGIPassAuth on</span>
<span class="co1"># For Authorization header to be passed, please uncomment one of the following:</span>
<span class="co1"># for Apache &gt;= 2.4.13</span>
<span class="co1">#CGIPassAuth On</span>
<span class="co1"># for Apache &lt; 2.4.13</span>
<span class="co1">#RewriteCond %{HTTP:Authorization} ^(.*)</span>
<span class="co1">#RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]</span>
<span class="kw1">Options</span> +ExecCGI
&lt;/<span class="kw3">Files</span>&gt;
&nbsp;
......@@ -368,7 +373,7 @@ In Portal virtual host, you will find several configuration parts:
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT7 SECTION "Portal" [6660-8757] -->
<!-- EDIT7 SECTION "Portal" [6660-9007] -->
<h3 class="sectionedit8" id="manager1">Manager</h3>
<div class="level3">
......@@ -415,7 +420,7 @@ Configuration interface access is not protected by Apache but by LemonLDAP::NG i
</p>
</div>
<!-- EDIT8 SECTION "Manager" [8758-10301] -->
<!-- EDIT8 SECTION "Manager" [9008-10551] -->
<h3 class="sectionedit9" id="handler">Handler</h3>
<div class="level3">
<ul>
......@@ -423,16 +428,16 @@ Configuration interface access is not protected by Apache but by LemonLDAP::NG i
</li>
</ul>
<pre class="code file apache">PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler</pre>
PerlModule Lemonldap::NG::Handler::Apache2</pre>
<ul>
<li class="level1"><div class="li"> Catch error pages:</div>
</li>
</ul>
<pre class="code file apache"><span class="kw1">ErrorDocument</span> <span class="nu0">403</span> http://auth.example.com/?lmError=<span class="nu0">403</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">404</span> http://auth.example.com/?lmError=<span class="nu0">404</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">500</span> http://auth.example.com/?lmError=<span class="nu0">500</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">502</span> http://auth.example.com/?lmError=<span class="nu0">502</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">503</span> http://auth.example.com/?lmError=<span class="nu0">503</span></pre>
<pre class="code file apache"><span class="kw1">ErrorDocument</span> <span class="nu0">403</span> http://auth.example.com/lmerror/<span class="nu0">403</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">404</span> http://auth.example.com/lmerror/<span class="nu0">404</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">500</span> http://auth.example.com/lmerror/<span class="nu0">500</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">502</span> http://auth.example.com/lmerror/<span class="nu0">502</span>
<span class="kw1">ErrorDocument</span> <span class="nu0">503</span> http://auth.example.com/lmerror/<span class="nu0">503</span></pre>
<ul>
<li class="level1"><div class="li"> Reload virtual host:</div>
</li>
......@@ -448,7 +453,7 @@ PerlModule Lemonldap::NG::Handler</pre>
<span class="kw1">Deny</span> from <span class="kw2">all</span>
<span class="kw1">Allow</span> from 127.0.0.0/<span class="nu0">8</span>
<span class="kw1">SetHandler</span> perl-<span class="kw1">script</span>
PerlResponseHandler Lemonldap::NG::Handler-&gt;reload
PerlResponseHandler Lemonldap::NG::Handler::Apache2-&gt;reload
&lt;/<span class="kw3">Location</span>&gt;
&nbsp;
<span class="co1"># Uncomment this to activate status module</span>
......@@ -457,7 +462,7 @@ PerlModule Lemonldap::NG::Handler</pre>
<span class="co1"># Deny from all</span>
<span class="co1"># Allow from 127.0.0.0/8</span>
<span class="co1"># SetHandler perl-script</span>
<span class="co1"># PerlResponseHandler Lemonldap::NG::Handler-&gt;status</span>
<span class="co1"># PerlResponseHandler Lemonldap::NG::Handler::Apache2-&gt;status</span>
<span class="co1">#&lt;/Location&gt;</span>
&nbsp;
&lt;/<span class="kw3">VirtualHost</span>&gt;</pre>
......@@ -465,10 +470,10 @@ PerlModule Lemonldap::NG::Handler</pre>
<p>
Then, to protect a standard virtual host, the only configuration line to add is:
</p>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler</pre>
<pre class="code file apache">PerlHeaderParserHandler Lemonldap::NG::Handler::Apache2</pre>
</div>
<!-- EDIT9 SECTION "Handler" [10302-11660] -->
<!-- EDIT9 SECTION "Handler" [10552-11941] -->
<h2 class="sectionedit10" id="nginx">Nginx</h2>
<div class="level2">
<div class="noteimportant">LemonLDAP::NG does not manage Nginx configuration
......@@ -491,7 +496,7 @@ See <a href="confignginx.html" class="wikilink1" title="documentation:2.0:config
<div class="notewarning"><a href="fastcgiserver.html" class="wikilink1" title="documentation:2.0:fastcgiserver">LL::NG FastCGI</a> server must be loaded separately.
</div>
</div>
<!-- EDIT10 SECTION "Nginx" [11661-12114] -->
<!-- EDIT10 SECTION "Nginx" [11942-12395] -->
<h3 class="sectionedit11" id="portal1">Portal</h3>
<div class="level3">
......@@ -563,7 +568,7 @@ In Portal virtual host, you will find several configuration parts:
}</pre>
</div>
<!-- EDIT11 SECTION "Portal" [12115-13906] -->
<!-- EDIT11 SECTION "Portal" [12396-14187] -->
<h3 class="sectionedit12" id="manager2">Manager</h3>
<div class="level3">
......@@ -597,7 +602,7 @@ By default, configuration interface access is not protected by Nginx but by Lemo
</p>
</div>
<!-- EDIT12 SECTION "Manager" [13907-14652] -->
<!-- EDIT12 SECTION "Manager" [14188-14933] -->
<h3 class="sectionedit13" id="handler1">Handler</h3>
<div class="level3">
......@@ -608,11 +613,11 @@ Nginx handler is provided by the <a href="fastcgiserver.html" class="wikilink1"
<li class="level1"><div class="li"> Handle errors:</div>
</li>
</ul>
<pre class="code file nginx">error_page 403 http://auth.example.com/?lmError=403;
error_page 404 http://auth.example.com/?lmError=404;
error_page 500 http://auth.example.com/?lmError=500;
error_page 502 http://auth.example.com/?lmError=502;
error_page 503 http://auth.example.com/?lmError=503;</pre>
<pre class="code file nginx">error_page 403 http://auth.example.com/lmerror/403;
error_page 404 http://auth.example.com/lmerror/404;
error_page 500 http://auth.example.com/lmerror/500;
error_page 502 http://auth.example.com/lmerror/502;
error_page 503 http://auth.example.com/lmerror/503;</pre>
<ul>
<li class="level1"><div class="li"> Reload virtual host:</div>
</li>
......@@ -697,7 +702,7 @@ Then, to protect a standard virtual host, you must insert this (or create an inc
# Insert then your configuration (fastcgi_* or proxy_*)</pre>
</div>
<!-- EDIT13 SECTION "Handler" [14653-17739] -->
<!-- EDIT13 SECTION "Handler" [14934-18015] -->
<h2 class="sectionedit14" id="configuration_reload">Configuration reload</h2>
<div class="level2">
<div class="noteclassic">As Handlers keep configuration in cache, when configuration change, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers the mean to reload them through an HTTP request. Configuration reload will then be effective in less than 10 minutes. If you want to change this timeout, set <code>checkTime = 240</code> in your lemonldap-ng.ini file <em>(values in seconds)</em>
......@@ -738,7 +743,7 @@ You also need to adjust the protection of the reload vhost, for example:
&lt;/<span class="kw3">Location</span>&gt;</pre>
</div>
<!-- EDIT14 SECTION "Configuration reload" [17740-20023] -->
<!-- EDIT14 SECTION "Configuration reload" [18016-20299] -->
<h2 class="sectionedit15" id="local_file">Local file</h2>
<div class="level2">
......@@ -772,6 +777,6 @@ For example, to override configured skin for portal:
<div class="notetip">You need to know the technical name of configuration parameter to do this. You can refer to <a href="parameterlist.html" class="wikilink1" title="documentation:2.0:parameterlist">parameter list</a> to find it.
</div>
</div>
<!-- EDIT15 SECTION "Local file" [20024-] --></div>
<!-- EDIT15 SECTION "Local file" [20300-] --></div>
</body>
</html>
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:docker</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,docker"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="docker.html"/>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=df13de1d1df0e6da1b89ce87ded3ea23" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/dos?do=login&amp;sectok=d452aa8bbc7962a5bfc893503ed1a55d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -241,7 +241,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1543524736" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Ados&amp;1545404423" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=df13de1d1df0e6da1b89ce87ded3ea23" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/exploit?do=login&amp;sectok=d452aa8bbc7962a5bfc893503ed1a55d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -241,7 +241,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1543524736" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aexploit&amp;1545404423" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
......
......@@ -4,7 +4,7 @@
<meta charset="utf-8" />
<title>documentation:2.0:forcereauthn</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,forcereauthn"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="forcereauthn.html"/>
......
......@@ -43,20 +43,43 @@
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<h1 class="sectionedit1" id="cas_server">CAS server</h1>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#enabling_cas">Enabling CAS</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_the_cas_service">Configuring the CAS Service</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_cas_applications">Configuring CAS Applications</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#options">Options</a></div></li>
<li class="level3"><div class="li"><a href="#exported_attributes">Exported Attributes</a></div></li>
</ul></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<p>
AS server
</p>
<div class="level1">
</div>
<!-- EDIT1 SECTION "CAS server" [1-26] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<h2 class="sectionedit1" id="presentation">Presentation</h2>
<div class="level2">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can be used as a <abbr title="Central Authentication Service">CAS</abbr> server. It can allow one to federate <abbr title="LemonLDAP::NG">LL::NG</abbr> with:
</p>
<ul>
<li class="level1"><div class="li"> Another <a href="authcas.html" class="wikilink1" title="documentation:2.0:authcas">CAS authentication</a> <abbr title="LemonLDAP::NG">LL::NG</abbr> provider</div>
<li class="level1"><div class="li"> Another <a href="authcas.html" class="wikilink1" title="documentation:2.1:authcas">CAS authentication</a> <abbr title="LemonLDAP::NG">LL::NG</abbr> provider</div>
</li>
<li class="level1"><div class="li"> Any <abbr title="Central Authentication Service">CAS</abbr> consumer</div>
</li>
......@@ -67,36 +90,41 @@
</p>
</div>
<!-- EDIT2 SECTION "Presentation" [27-397] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<!-- EDIT1 SECTION "Presentation" [19-389] -->
<h2 class="sectionedit2" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT2 SECTION "Configuration" [390-416] -->
<h3 class="sectionedit3" id="enabling_cas">Enabling CAS</h3>
<div class="level3">
<p>
In the Manager, go in <code>General Parameters</code> » <code>Issuer modules</code> » <code><abbr title="Central Authentication Service">CAS</abbr></code> and configure:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: set to <code>On</code>.</div>
</li>
<li class="level1"><div class="li"> <strong>Path</strong>: keep <code>^/cas/</code> unless you have change <a href="configlocation.html#portal" class="wikilink1" title="documentation:2.0:configlocation">Apache portal configuration</a> file.</div>
</li>
<li class="level1"><div class="li"> <strong>Use rule</strong>: a rule to allow user to use this module, set to 1 to always allow.</div>
<li class="level1"><div class="li"> <strong>Path</strong>: it is recommended to keep the default value (<code>^/cas/</code>)</div>
</li>
</ul>
<div class="notetip">For example, to allow only users with a strong authentication level:
<pre class="code">$authenticationLevel &gt; 2</pre>
</div>
<!-- EDIT3 SECTION "Enabling CAS" [417-640] -->
<h3 class="sectionedit4" id="configuring_the_cas_service">Configuring the CAS Service</h3>
<div class="level3">
<p>
Then go in <code>Options</code> to define:
Then go in <code><abbr title="Central Authentication Service">CAS</abbr> Service</code> to define:
</p>
<ul>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> login</strong>: the session key used to fill user login (value will be transmitted to <abbr title="Central Authentication Service">CAS</abbr> clients).</div>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> login</strong>: the session key transmitted to <abbr title="Central Authentication Service">CAS</abbr> client as the main identifier (<abbr title="Central Authentication Service">CAS</abbr> Principal)</div>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> attributes</strong>: list of attributes that will be transmitted in validate response. Keys are the name of attribute in the <abbr title="Central Authentication Service">CAS</abbr> response, values are the name of session key.</div>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> attributes</strong>: list of attributes that will be transmitted by default in the validate response. Keys are the name of attribute in the <abbr title="Central Authentication Service">CAS</abbr> response, values are the name of session key. </div>
</li>
<li class="level1"><div class="li"> <strong>Access control policy</strong>: define if access control should be done on <abbr title="Central Authentication Service">CAS</abbr> service. Three options:</div>
<ul>
<li class="level2"><div class="li"> <strong>none</strong>: no access control, the server will answer without checking if the user is authorized for the service (this is the default)</div>
<li class="level2"><div class="li"> <strong>none</strong>: no access control. The <abbr title="Central Authentication Service">CAS</abbr> service will accept non-declared <abbr title="Central Authentication Service">CAS</abbr> applications and ignore access control rules. This is the default.</div>
</li>
<li class="level2"><div class="li"> <strong>error</strong>: if user has no access, an error is shown on the portal, the user is not redirected to <abbr title="Central Authentication Service">CAS</abbr> service</div>
</li>
......@@ -104,12 +132,54 @@ Then go in <code>Options</code> to define:
</li>
</ul>
</li>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> session module name and options</strong>: choose a specific module if you do not want to mix <abbr title="Central Authentication Service">CAS</abbr> sessions and normal sessions (see <a href="samlservice.html#saml_sessions_module_name_and_options" class="wikilink1" title="documentation:2.0:samlservice">why</a>).</div>
<li class="level1"><div class="li"> <strong><abbr title="Central Authentication Service">CAS</abbr> session module name and options</strong>: choose a specific module if you do not want to mix <abbr title="Central Authentication Service">CAS</abbr> sessions and normal sessions (see <a href="samlservice.html#saml_sessions_module_name_and_options" class="wikilink1" title="documentation:2.1:samlservice">why</a>).</div>
</li>
</ul>
<div class="notetip">If <code><abbr title="Central Authentication Service">CAS</abbr> login</code> is not set, it uses <code>General Parameters</code> » <code>Logs</code> » <code>REMOTE_USER</code> data, which is set to <code>uid</code> by default
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [398-] --></div>
<!-- EDIT4 SECTION "Configuring the CAS Service" [641-1923] -->
<h3 class="sectionedit5" id="configuring_cas_applications">Configuring CAS Applications</h3>
<div class="level3">
<p>
If an access control policy other than <code>none</code> is specified, applications that want to authenticate users through the <abbr title="Central Authentication Service">CAS</abbr> protocol have to be declared before LemonLDAP::NG accepts to issue service tickets for them.