lemonldap-ng-1.0-0.3.rc1mdv2011.0.noarch.rpm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

  <title>Lemonldap::NG documentation: 2-FAQ.html</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
  <style type="text/css">
/*<![CDATA[*/
    body{
      background: #ddd;
      font-family: sans-serif;
      font-size: 11pt;
      padding: 0 50px;
    }
    div.main-content{
      padding: 10px;
      background: #fff;
      border: 2px #ccc solid;
    }
    a{
      text-decoration: none;
    }
    p.footer{
      text-align: center;
      margin: 5px 0 0 0;
    }
    .heading-1{
      text-align: center;
      color: orange;
      font-variant: small-caps;
      font-size: 20pt;
    }
    .heading-1-1{
      color: orange;
      font-size: 14pt;
      border-bottom: 2px #ccc solid;
    }
    pre{
      background: #eee;
      border: 2px #ccc solid;
      padding: 5px;
      border-left: 10px #ccc solid;
    }
    ul.star li{
      list-style-type: square;
    }
  /*]]>*/
  </style>
</head>

<body>
  <div class="main-content">
    <h2 class="heading-1"><span id=
    "HLemonLDAP3A3ANGFrequentlyAskedQuestions">LemonLDAP::NG Frequently Asked
    Questions</span></h2>


    <ul>
      <li>
        <a href="#HGeneralquestions">General questions</a>

        <ul>
          <li><a href="#HWhatisaWebSSO3F">What is a Web-SSO?</a></li>

          <li><a href=
          "#HWhatbringsLemonLDAP3A3ANGcomparedtotheotherWebSSO3F">What does
          LemonLDAP::NG bring compared to other Web-SSOs?</a></li>

          <li><a href="#HIsitreallyfree3F">Is it really free?</a></li>
        </ul>
      </li>

      <li>
        <a href="#HConfiguration">Configuration</a>

        <ul>
          <li><a href="#HWhereistheconfiguration3F">Where is the
          configuration?</a></li>

          <li><a href="#HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The
          provided example works with HTTP, but not with HTTPS.</a></li>

          <li><a href="#HWhatisanautoprotectedCGI3F">What is an auto-protected
          CGI?</a></li>

          <li><a href="#HHowtouseLemonLDAP3A3ANGwithActiveDirectory3F">How to
          use LemonLDAP::NG with Active Directory?</a></li>

          <li><a href="#HHowtouseLemonLDAP3A3ANGasreverseproxy3F">How to use
          LemonLDAP::NG as a reverse proxy?</a></li>
        </ul>
      </li>

      <li>
        <a href="#HOperation">Operation</a>

        <ul>
          <li><a href="#HWhatisHandlerlocalcache3F">What is the handler local
          cache?</a></li>

          <li><a href=
          "#HWhyhandlerslocalcachecannotbeconfiguredbytheManager3F">Why can't
          the handlers' local cache be configured by the Manager?</a></li>

          <li><a href=
          "#HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does
          <i class="italic">Cross Domain Authentication</i> (CDA)
          work?</a></li>

          <li><a href="#HWhatis22notificationsystem223F">What is the
          "notification system"?</a></li>
        </ul>
      </li>

      <li><a href="#HErroranddebugmessages">Error and debug messages</a></li>
    </ul>

    <h3 class="heading-1-1"><span id="HGeneralquestions">General
    questions</span></h3>

    <h4 class="heading-1-1-1"><span id="HWhatisaWebSSO3F">What is a
    Web-SSO?</span></h4>

    <p class="paragraph">An SSO <i class="italic">(Single Sign-On)</i> is a
    system used to share authentication between many applications. The user
    logs in only once and is never prompted again when he accesses another
    application. Kerberos (used in Active Directory), for example, is an SSO
    mechanism. The problem with these systems is that, in addition to their
    heaviness, they only apply to internal networks and to relatively
    homogeneous machines.</p>

    <p class="paragraph">A Web-SSO applies this principle to Web applications
    only. The user is authenticated at the first access to a protected Web
    application, and the authentication is propagated when he moves to
    another application. The big advantage is that the system is usable on the
    Internet without any prerequisite on the client workstations (they just
    have to accept session cookies). For example, once a user has logged into
    a Google mailbox, he is not prompted again when he reaches the groups
    management application or any other Google application.</p>

    <h4 class="heading-1-1-1"><span id=
    "HWhatbringsLemonLDAP3A3ANGcomparedtotheotherWebSSO3F">What does
    LemonLDAP::NG bring compared to other Web-SSOs?</span></h4>

    <ul class="star">
      <li>LemonLDAP::NG runs as Perl Apache modules and offers performance
      that makes the access control processing imperceptible.</li>

      <li>One of the other strong points of LemonLDAP::NG is its capacity to
      manage rights in a centralized way: standard SSO systems such as
      Kerberos or CAS allow authentication sharing but delegate the management
      of access authorizations to the applications. With LemonLDAP::NG, rights
      management can be centralized completely, partly or not at all for each
      application: LemonLDAP::NG provides an authorization system based on
      sorting URLs with regular expressions associated with rules. It also
      provides HTTP headers containing any of the user attributes to the
      remote application. The remote application can then manage access
      traceability and possibly authorization itself.</li>

      <li>LemonLDAP::NG can publish any user attribute or expressions computed
      from them, so applications can avoid querying the LDAP or database
      server.</li>

      <li>LemonLDAP::NG treats every hosted site (virtual or real)
      independently: each application can thus have its own personalized HTTP
      headers.</li>

      <li>LemonLDAP::NG provides a web-based administration interface that
      simply presents the configuration, the access policy and the per-site
      headers.</li>
    </ul>

    <h4 class="heading-1-1-1"><span id="HIsitreallyfree3F">Is it really
    free?</span></h4>

    <p class="paragraph">Yes, LemonLDAP::NG is released under the GPL license
    (see <span class="wikilink"><a href=
    "/xwiki/bin/view/Main/License">here</a></span>).</p>

    <h3 class="heading-1-1"><span id=
    "HConfiguration">Configuration</span></h3>

    <h4 class="heading-1-1-1"><span id="HWhereistheconfiguration3F">Where is
    the configuration?</span></h4>

    <p class="paragraph">LemonLDAP::NG stores its configuration in a global
    storage. The available backends are listed <span class="wikilink"><a href=
    "3-Table-of-contents.html">here</a></span>.</p>

    <p class="paragraph">You can also manage local parameters by editing the
    <strong class="strong">lemonldap-ng.ini</strong> file.</p>

    <h4 class="heading-1-1-1"><span id=
    "HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example
    works with HTTP, but not with HTTPS.</span></h4>

    <p class="paragraph">In the redirection mechanism to the portal and then
    back to the protected site, you have to tell the handler whether users
    reach it over HTTPS or HTTP. This is done with the <tt>https</tt>
    parameter. You can also set <tt>port</tt> to force the port used in
    redirections.</p>

    <h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is
    an auto-protected CGI?</span></h4>

    <p class="paragraph">When you have just one Perl CGI to protect in a
    VirtualHost, you can use an auto-protected CGI instead of a LemonLDAP::NG
    handler:</p>

    <div class="code">
      <pre>
#!/usr/bin/perl
use strict;
use warnings;
use Lemonldap::NG::Handler::CGI;

my $cgi = Lemonldap::NG::Handler::CGI-&gt;new( {
    # same parameters as a Lemonldap::NG::Handler::SharedConf handler
} );

# Redirects the user to the portal if he has no valid session
$cgi-&gt;authenticate;
</pre>
    </div>

    <p class="paragraph">In the example above, $cgi is a CGI(3) object. The
    only difference is that it has some additional methods:</p>

    <ul class="star">
      <li>authenticate: calls the LemonLDAP::NG authentication mechanism,</li>

      <li>authorize: use it if you want the Manager to manage the access
      policy,</li>

      <li>user: returns a hash table containing the user parameters,</li>

      <li>group: used to validate group membership.</li>
    </ul>

    <p class="paragraph">This type of CGI is very useful when rights cannot be
    distinguished by URL (for example when they depend on fields in POST
    requests). See the Lemonldap::NG::Handler::CGI(3) man page for more.</p>
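    <p class="paragraph">As an added example (not code from this page or from
    the LemonLDAP::NG project), a complete auto-protected CGI that
    authenticates the user and then uses the <tt>user</tt> and <tt>group</tt>
    methods listed above to decide whether a POST request may be processed,
    which is exactly the case where the decision cannot be made from the URL.
    The attribute names <tt>cn</tt> and <tt>uid</tt>, the group name
    <tt>admins</tt> and the request field <tt>action</tt> are assumed values;
    it is also assumed that <tt>user</tt> returns a hash reference of the
    exported attributes and that <tt>group</tt> takes a group name and returns
    true on membership.</p>

    <div class="code">
      <pre>
```perl
#!/usr/bin/perl
# Added example of an auto-protected CGI; not part of the LemonLDAP::NG
# documentation. Names marked ASSUMPTION are illustrative values.
use strict;
use warnings;
use Lemonldap::NG::Handler::CGI;

# Same parameters as a Lemonldap::NG::Handler::SharedConf handler; the
# configuration storage and local cache normally come from lemonldap-ng.ini.
my $cgi = Lemonldap::NG::Handler::CGI->new( { https => 0 } );

# Sends the user to the portal when there is no valid session; when the
# portal redirects him back, the session is known and the script continues.
$cgi->authenticate;

# ASSUMPTION: user() returns a hash reference of the exported attributes.
my $user = $cgi->user;
my $name = $user->{cn} || $user->{uid} || 'unknown user';

# Plain-text output keeps the example free of HTML escaping concerns.
print $cgi->header( -type => 'text/plain; charset=utf-8' );

# The right to run "delete" depends on a POST field, not on the URL, so the
# handler's URL-based rules cannot express it: the CGI decides itself.
my $action = $cgi->param('action') || '';
if ( $cgi->request_method eq 'POST' and $action eq 'delete' ) {
    # ASSUMPTION: group('admins') tests membership of that configured group.
    if ( $cgi->group('admins') ) {
        print "Delete request accepted for $name.\n";
    }
    else {
        # Refusals go to Apache's error.log so they can be audited.
        print STDERR "auto-protected CGI: user $name refused action=delete\n";
        print "Action not allowed.\n";
    }
}
else {
    print "Hello $name, choose an action.\n";
}
```
</pre>
    </div>

    <p class="paragraph">The decision is logged on refusal only, which is
    enough to spot repeated attempts by one user in error.log without flooding
    it on normal use; the session itself was already validated by
    <tt>authenticate</tt>, so the script never sees an anonymous request.</p>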

    <h4 class="heading-1-1-1"><span id=
    "HHowtouseLemonLDAP3A3ANGwithActiveDirectory3F">How to use LemonLDAP::NG
    with Active Directory?</span></h4>

    <p class="paragraph">Active Directory uses the <tt>sAMAccountName</tt>
    attribute instead of <tt>uid</tt> as the unique identifier.</p>

    <p class="paragraph">You therefore have to modify the LemonLDAP::NG
    configuration:</p>

    <ul class="star">
      <li>Modify the LDAP authentication filter (<span class="wikilink"><a href=
      "4.5-LDAP-authentication-backend.html">Auth LDAP</a></span>)</li>

      <li>Add <tt>sAMAccountName</tt> to the exported attributes</li>

      <li>Set the <tt>whatToTrace</tt> parameter to
      <tt>$sAMAccountName</tt>.</li>
    </ul>

    <h4 class="heading-1-1-1"><span id=
    "HHowtouseLemonLDAP3A3ANGasreverseproxy3F">How to use LemonLDAP::NG as a
    reverse proxy?</span></h4>

    <p class="paragraph">LemonLDAP::NG protects Apache VirtualHosts. To use it
    as a reverse proxy, you just have to configure Apache as a reverse
    proxy:</p>

    <div class="code">
      <pre>
# httpd.conf
&lt;VirtualHost *:80&gt;
  ServerName MyApplication.com
  # LemonLDAP::NG handler protecting this virtual host
  PerlRequire MyFile
  PerlHeaderParserHandler My::Package
  # Apache reverse proxy towards the real application server
  ProxyPass        / http://real-server/
  ProxyPassReverse / http://real-server/
&lt;/VirtualHost&gt;
</pre>
    </div>

    <p class="paragraph">If you prefer to use a Perl proxy, LemonLDAP::NG
    provides one (Lemonldap::NG::Handler::Proxy(3)).</p>

    <h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>

    <h4 class="heading-1-1-1"><span id="HWhatisHandlerlocalcache3F">What is
    the handler local cache?</span></h4>

    <p class="paragraph">The handler local cache is used for two things:</p>

    <ul class="star">
      <li>sharing the configuration between Apache processes: this avoids
      downloading the configuration for each new process. It is required by
      the reload mechanism, which avoids restarting Apache,</li>

      <li>sharing sessions between Apache processes and threads: this avoids
      querying the central session storage on each hit. For example with
      Apache::Session::MySQL, TCP requests are turned into file system
      requests, which improves performance.</li>
    </ul>

    <h4 class="heading-1-1-1"><span id=
    "HWhyhandlerslocalcachecannotbeconfiguredbytheManager3F">Why can't the
    handlers' local cache be configured by the Manager?</span></h4>

    <p class="paragraph">The local cache has to be chosen and configured on
    each server: for example with the <tt>Cache::FileCache</tt> module, the
    storage directory can differ from one server to another. Another point is
    that the local storage settings cannot be reloaded without restarting
    Apache, whereas all parameters managed by the Manager can.</p>
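    <p class="paragraph">As an added example (not code from this page or from
    the LemonLDAP::NG project), the handler package that the reverse-proxy
    VirtualHost above loads with <tt>PerlRequire MyFile</tt> and
    <tt>PerlHeaderParserHandler My::Package</tt>, showing where the per-server
    local cache of this and the previous question is declared next to the
    central configuration storage. The cache directory, namespace, expiry
    values and configuration path are assumed values; it is also assumed that
    the handler is set up with an <tt>init</tt> class method taking the
    <tt>localStorage</tt>, <tt>localStorageOptions</tt> and
    <tt>configStorage</tt> parameters.</p>

    <div class="code">
      <pre>
```perl
# Added example handler package; not part of the LemonLDAP::NG project.
# Saved as the file named by "PerlRequire MyFile" in httpd.conf and
# selected with "PerlHeaderParserHandler My::Package".
package My::Package;

use strict;
use warnings;
use Lemonldap::NG::Handler::SharedConf;
our @ISA = qw(Lemonldap::NG::Handler::SharedConf);

# ASSUMPTION: init() takes the same parameter hash as the handler's new().
__PACKAGE__->init( {

    # Local cache: chosen and configured per server. The directory below is
    # a machine-specific value, which is why the Manager cannot set it.
    localStorage        => 'Cache::FileCache',
    localStorageOptions => {
        namespace          => 'lemonldap-ng',            # ASSUMPTION
        default_expires_in => 600,      # seconds a cached session is reused
        cache_root         => '/var/cache/lemonldap-ng', # ASSUMPTION, per host
        cache_depth        => 3,
        directory_umask    => '007',    # cached sessions not world-readable
    },

    # Central configuration storage shared by every handler and the Manager;
    # everything stored here can be reloaded without restarting Apache.
    configStorage => {
        type    => 'File',
        dirName => '/var/lib/lemonldap-ng/conf',         # ASSUMPTION
    },

    # How users reach this VirtualHost (see the HTTP/HTTPS question above).
    https => 0,
    port  => 80,
} );

1;
```
</pre>
    </div>

    <p class="paragraph">Two things follow from this layout: a change to
    <tt>localStorageOptions</tt> only takes effect after an Apache restart on
    that one server, and the cache directory holds copies of user sessions, so
    its permissions (the umask above, and the ownership of
    <tt>cache_root</tt>) matter as much as those of the central session
    storage.</p>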

    <h4 class="heading-1-1-1"><span id=
    "HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does
    <i class="italic">Cross Domain Authentication</i> (CDA) work?</span></h4>

    <p class="paragraph">The LemonLDAP::NG session propagation system is based
    on cookies, but cookies are attached to a DNS domain. LemonLDAP::NG
    provides a system to bypass this restriction.</p>

    <p class="paragraph">The Lemonldap::NG portal detects whether the
    requested URL is in the same domain. If not, it adds a parameter to this
    request. When the user returns to the protected application, the
    Lemonldap::NG handler detects this parameter and generates a cookie in its
    own domain.</p>

    <ul class="star">
      <li><span class="wikilink"><a href=
      "4.9-Cross-domain-authentication.html">Documentation</a></span>
      (en)</li>
    </ul>

    <h4 class="heading-1-1-1"><span id="HWhatis22notificationsystem223F">What
    is the "notification system"?</span></h4>

    <p class="paragraph">It is a system used to send a message to a user
    through the portal. If the message contains checkboxes, they all have to
    be checked before the session is opened.</p>

    <ul class="star">
      <li><span class="wikilink"><a href=
      "4.9-Notification-system.html">Documentation</a></span> (en)</li>
    </ul>

    <h3 class="heading-1-1"><span id="HErroranddebugmessages">Error and debug
    messages</span></h3>

    <p class="paragraph">LemonLDAP::NG produces error and debug messages that
    are logged by Apache (in error.log by default). You can adapt the debug
    level by setting the LogLevel parameter in the Apache configuration
    file.</p>

    <p class="paragraph">Those messages are described <span class=
    "wikilink"><a href="6-Errors.html">here</a></span>.</p>
  </div>

  <p class="footer"><a href="index.html">Index</a></p>
</body>
</html>