lemonldap-ng-1.0-0.3.rc1mdv2011.0.noarch.rpm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

  <title>Lemonldap::NG documentation: 4.1-Configuration-overview.html</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
  <style type="text/css">
/*<![CDATA[*/
    body{
      background: #ddd;
      font-family: sans-serif;
      font-size: 11pt;
      padding: 0 50px;
    }
    div.main-content{
      padding: 10px;
      background: #fff;
      border: 2px #ccc solid;
    }
    a{
      text-decoration: none;
    }
    p.footer{
      text-align: center;
      margin: 5px 0 0 0;
    }
    .heading-1{
      text-align: center;
      color: orange;
      font-variant: small-caps;
      font-size: 20pt;
    }
    .heading-1-1{
      color: orange;
      font-size: 14pt;
      border-bottom: 2px #ccc solid;
    }
    pre{
      background: #eee;
      border: 2px #ccc solid;
      padding: 5px;
      border-left: 10px #ccc solid;
    }
    ul.star li{
      list-style-type: square;
    }
  /*]]>*/
  </style>
</head>

<body>
  <div class="main-content">
    <h2 class="heading-1"><span id="HConfigurationoverview">Configuration
    overview</span></h2>

    <p class="paragraph"></p>

    <ul>
      <li><a href="#HGeneralparameters">General parameters</a></li>

      <li><a href="#HUsergroups">User groups</a></li>

      <li><a href="#HVirtualhosts">Virtual hosts</a></li>

      <li><a href="#HTogofurther">To go further</a></li>
    </ul>

    <p class="paragraph">Connect to the manager with your browser (for
    example <span class="nobr"><a href=
    "http://manager.example.com">http://manager.example.com</a></span>) to
    start configuring your WebSSO.</p>

    <p class="paragraph">You can now configure a default installation using
    an LDAP directory.</p>

    <h3 class="heading-1-1"><span id="HGeneralparameters">General
    parameters</span></h3>

    <ul class="star">
      <li>Authentication parameters:

        <ul class="star">
          <li>portal: the URL of the authentication portal.</li>

          <li>domain: the cookie domain. All protected virtual hosts have to
          be under it (or you have to use <span class="wikilink"><a href=
          "4.9-Cross-domain-authentication.html">Cross Domain
          Authentication</a></span>).</li>
        </ul>
      </li>

      <li>LDAP parameters:

        <ul class="star">
          <li>ldapServer: the LDAP server.</li>

          <li>managerDn and managerPassword: required only if the directory
          does not accept anonymous binds.</li>
        </ul>
      </li>
    </ul>

    <h3 class="heading-1-1"><span id="HUsergroups">User groups</span></h3>

    <p class="paragraph">Use the "New Group" button to add your first
    group. On the left, set the keyword that identifies the group (it is
    reused later in rules); on the right, set the corresponding rule: a Perl
    condition enclosed in {}. Any variable declared in "General parameters
    -&gt; exported attributes" can be used in the condition, prefixed with
    "$".</p>

    <p class="paragraph">For example:</p>

    <div class="code">
      <pre>
MyGroup =&gt; { $uid eq <span class=
"java-quote">"foo"</span> or $uid eq <span class="java-quote">"bar"</span> }
</pre>
    </div>

    <h3 class="heading-1-1"><span id="HVirtualhosts">Virtual
    hosts</span></h3>

    <p class="paragraph">You have to create a virtual host for each Apache
    host (virtual or real) protected by LemonLDAP::NG, even if only a
    sub-directory is protected. Otherwise, users who try to reach the
    protected area are rejected with a "500 Internal Server Error", and the
    Apache logs explain the problem.</p>

    <p class="paragraph">Each virtual host has two groups of parameters:</p>

    <ul class="star">
      <li>Headers: the headers added to the Apache request. Default: Auth-User
      =&gt; $uid.</li>

      <li>Rules: subdivided into two categories:

        <ul class="star">
          <li>default: the default rule, applied when no other rule
          matches</li>

          <li>custom rules: each associates a Perl regular expression (matched
          against the requested URI) with a condition.</li>
        </ul>
      </li>
    </ul>

    <p class="paragraph">For example:</p>

    <div class="code">
      <pre>
^/restricted.*$  =&gt;  $groups =~ /\bMyGroup\b/
</pre>
    </div><br />
    <br />
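    <p class="paragraph">The group rule and the virtual host rule above fit
    together as follows. This is an added illustration written for this page,
    not LemonLDAP::NG's own engine: it assumes a constructed session, an
    "accept" default rule, and a space as the separator inside $groups.</p>

```perl
# Added illustration, not LemonLDAP::NG's own engine: how the group rules,
# virtual host rules and headers described above are evaluated as Perl.
# Session values, rule order and the space separator in $groups are assumed.
use strict;
use warnings;

# Constructed session: the "exported attributes" available after login.
my %session = (uid => 'foo', mail => 'foo@example.com');
# Groups as entered in the manager: keyword => Perl condition in {}.
my %groupRules = (MyGroup => '{ $uid eq "foo" or $uid eq "bar" }');
# Virtual host: headers for the application, default rule, regex rules.
my %vhost = (headers => {'Auth-User' => '$uid'},
             default => 'accept',
             rules   => {'^/restricted.*$' => '$groups =~ /\bMyGroup\b/'});

# Compile a rule or header expression into a closure. Each key of %$vars
# (exported attributes plus groups) becomes a "my" variable holding its value.
sub compile_rule {
    my ($expr, $vars) = @_;
    $expr =~ s/^\s*\{(.*)\}\s*$/$1/s;                  # strip enclosing {}
    return sub { 1 } if $expr =~ /^\s*accept\s*$/;     # rule keywords
    return sub { 0 } if $expr =~ /^\s*deny\s*$/;
    my $decl = join '', map { "my \$$_ = \$_[0]{'$_'}; " } sort keys %$vars;
    my $code = eval "sub { no warnings 'uninitialized'; $decl $expr }";
    die "cannot compile rule '$expr': $@" unless $code;
    return $code;
}
# $groups lists every group whose condition holds for this session.
sub compute_groups {
    my ($sess) = @_;
    return join ' ', grep { compile_rule($groupRules{$_}, $sess)->($sess) }
                     sort keys %groupRules;
}

# First matching regex rule decides; otherwise the default rule applies.
sub authorize {
    my ($sess, $uri) = @_;
    my %vars = (%$sess, groups => compute_groups($sess));
    for my $re (sort keys %{$vhost{rules}}) {
        next unless $uri =~ /$re/;
        return compile_rule($vhost{rules}{$re}, \%vars)->(\%vars) ? 1 : 0;
    }
    return compile_rule($vhost{default}, \%vars)->(\%vars) ? 1 : 0;
}
# Demo: a member of MyGroup and a user who is not, against the restricted area.
for my $sess (\%session, {uid => 'guest', mail => 'guest@example.com'}) {
    my %v = (%$sess, groups => compute_groups($sess));
    printf "%-5s groups='%s' Auth-User=%s /restricted/secret => %s\n",
        $sess->{uid}, $v{groups}, compile_rule($vhost{headers}{'Auth-User'}, \%v)->(\%v),
        authorize($sess, '/restricted/secret') ? 'ALLOW' : 'DENY';
}
```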
    <p class="paragraph">The virtual host in LemonLDAP::NG must match a
    VirtualHost in the Apache configuration, like:</p>

    <div class="code">
      <pre>
# Application Test
&lt;VirtualHost *:80&gt;
    ServerName test1.example.com
    ServerAlias test2.example.com

    # SSO protection
    PerlHeaderParserHandler My::Package

    # DocumentRoot
    DocumentRoot /usr/local/lemonldap-ng/htdocs/test/
    &lt;Directory /usr/local/lemonldap-ng/htdocs/test/&gt;
        Order deny,allow
        Allow from all
        Options +ExecCGI
    &lt;/Directory&gt;

    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when the
    # configuration changes
    &lt;Location /reload&gt;
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        PerlHeaderParserHandler My::Package-&gt;refresh
    &lt;/Location&gt;

    # Uncomment this to activate the status module
    #&lt;Location /status&gt;
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.0/8
    #    PerlHeaderParserHandler My::Package-&gt;status
    #&lt;/Location&gt;
&lt;/VirtualHost&gt;
</pre>
    </div>

    <p class="paragraph"></p><strong class="strong">Remarks</strong>:

    <ul class="star">
      <li>You can use DocumentRoot to protect a local application, or use
      mod_proxy to make LemonLDAP::NG act as a reverse proxy (see below).</li>

      <li>Declare only one "reload" target per physical server, because only
      one Handler can be instantiated on a physical server.</li>

      <li>Of course, you must already have a virtual host for the portal and
      another for the manager; these hosts exist only in Apache, not in the
      LemonLDAP::NG configuration.</li>
    </ul>

    <p class="paragraph">To transform your VirtualHost into a reverse proxy,
    use for example:</p>

    <div class="code">
      <pre>
# Application Test
&lt;VirtualHost *:80&gt;
    ServerName test1.example.com
    ServerAlias test2.example.com

    # SSO protection
    PerlHeaderParserHandler My::Package

    ProxyPreserveHost on
    ProxyPass / http://APPLICATION_IP/
    ProxyPassReverse / http://APPLICATION_IP/
&lt;/VirtualHost&gt;
</pre>
    </div>

    <p class="paragraph"></p><strong class="strong">Remarks</strong>:

    <ul class="star">
      <li>The ProxyPreserveHost directive forwards the Host header to the
      protected application.</li>
    </ul>

    <p class="paragraph">In reverse proxy mode, the REMOTE_USER environment
    variable is not set on the application side: the Handler sets it only on
    the physical server where the Handler runs, not on other servers where
    the Handler is not installed. The following Apache configuration, on the
    server hosting the application, turns the Auth-User HTTP header into the
    REMOTE_USER environment variable. Since the application then trusts that
    header, make sure it accepts requests only through the LemonLDAP::NG
    reverse proxy:</p>

    <div class="code">
      <pre>
SetEnvIfNoCase Auth-User <span class="java-quote">"(.*)"</span> REMOTE_USER=$1
</pre>
    </div>

    <h3 class="heading-1-1"><span id="HTogofurther">To go
    further</span></h3>

    <p class="paragraph">See the <span class="wikilink"><a href=
    "4.1-Configuration-parameter-list.html">full parameters list</a></span>.</p>
  </div>

  <p class="footer"><a href="index.html">Index</a></p>
</body>
</html>