<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr"> <head> <meta name="generator" content= "HTML Tidy for Linux/x86 (vers 6 November 2007), see www.w3.org" /> <title>Lemonldap::NG documentation: faq.html</title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> </head> <body> <div class="main-content">
<h2 class="heading-1"><span id="HLemonldap3A3ANGFrequentlyAskedQuestions">Lemonldap::NG Frequently Asked Questions</span></h2>
<p class="paragraph"></p>
<ul>
<li> <a href="#HGeneralquestions">General questions</a>
<ul>
<li><a href="#HWhatisaWebSSO3F">What is a Web-SSO?</a></li>
<li><a href="#HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What does Lemonldap::NG bring compared to other Web-SSOs?</a></li>
</ul> </li>
<li> <a href="#HConfiguration">Configuration</a>
<ul>
<li><a href="#HWhattypeofconfigurationstoragehastobeused3F">What type of configuration storage has to be used?</a></li>
<li><a href="#HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example works with HTTP, but not with HTTPS.</a></li>
<li><a href="#HForwhatisusedthe22https22parameter3F">What is the "https" parameter used for?</a></li>
<li><a href="#HWhatisanautoprotectedCGI3F">What is an auto-protected CGI?</a></li>
<li><a href="#HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to use Lemonldap::NG with Active Directory?</a></li>
<li><a href="#HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use Lemonldap::NG as a reverse proxy?</a></li>
</ul> </li>
<li> <a href="#HOperation">Operation</a>
<ul>
<li><a href="#HWithwhatservesthehandlerlocalcache3F">What is the handler local cache used for?</a></li>
<li><a href="#HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why can't the handlers' local cache be configured by the manager?</a></li>
<li><a href=
"#HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the <i class="italic">Cross Domain Authentication</i> (CDA)?</a></li>
<li><a href="#HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does the <i class="italic">Cross Domain Authentication</i> (CDA) work?</a></li>
</ul> </li>
<li> <a href="#HAuthentication">Authentication</a>
<ul>
<li><a href="#HHowtochangeauthenticationscheme3F">How to change the authentication scheme?</a></li>
</ul> </li>
<li><a href="#HErroranddebugmessages">Error and debug messages</a></li>
</ul>
<h3 class="heading-1-1"><span id="HGeneralquestions">General questions</span></h3>
<h4 class="heading-1-1-1"><span id="HWhatisaWebSSO3F">What is a Web-SSO?</span></h4>
<p class="paragraph"></p>An SSO <i class="italic">(Single Sign On)</i> is a system used to share an authentication between many applications. Users authenticate only once and are never prompted again when they try to access another application. Kerberos (used in Active Directory), for example, is an SSO. The problem with these systems is that, besides their heaviness, they only apply to internal networks and to relatively homogeneous machines.
<p class="paragraph"></p>A Web-SSO carries this principle over to Web applications only. The user is authenticated on the first access to a protected Web application, and the authentication is propagated when they move to another application. The big advantage is that the system is usable over the Internet without any prerequisite on the client workstations (they just have to accept session cookies). For example, once a user has reached a Google mailbox, they are not prompted to authenticate again when they reach the groups management application or any other Google application.
<h4 class="heading-1-1-1"><span id="HWhatbringsLemonldap3A3ANGcomparedtotheotherWebSSO3F">What does Lemonldap::NG bring compared to other Web-SSOs?</span></h4>
<ul class="star">
<li>Lemonldap::NG, like Lemonldap, runs as Perl Apache modules and offers performance that makes the access-control processing imperceptible.</li>
<li>One of the other strong points of Lemonldap::NG is its capacity to manage rights in a centralized way: standard SSOs such as Kerberos or CAS allow the authentication to be shared but delegate the management of access authorizations to the applications. With Lemonldap::NG, rights management can be centralized completely, partly or not at all for each application: Lemonldap::NG provides an authorization system based on the sorting of URLs by regular expressions associated with rules. It also provides the remote application with HTTP headers containing any of the user's LDAP attributes. The remote application can then manage access traceability and possibly its own authorizations (see the <span class="wikiexternallink"><a href="http://wiki.lemonldap.objectweb.orgoverview.html#HAuthentication2CAuthorizationandAccountingmechanisms">AAA documentation</a></span>).</li>
<li>Lemonldap::NG can publish any LDAP attribute, or expressions calculated from them, so applications can avoid querying the LDAP server themselves.</li>
<li>Lemonldap::NG treats all hosted sites (virtual or real) independently: every application can thus have its own HTTP headers.</li>
<li>Lemonldap::NG provides a web-based administration interface that simply presents the configuration, the access policy and the per-site headers (see the <span class="wikiexternallink"><a href="http://lemonldap.objectweb.org/NG/ManagerDemo/fr/">demonstration</a></span>).
A restricted interface can also be used to show only some virtual hosts (for reading and/or writing): the administration interface can thus be partially delegated.</li>
</ul>
<h3 class="heading-1-1"><span id="HConfiguration">Configuration</span></h3>
<h4 class="heading-1-1-1"><span id="HWhattypeofconfigurationstoragehastobeused3F">What type of configuration storage has to be used?</span></h4>
<p class="paragraph"></p>Lemonldap::NG provides three configuration storage systems:
<ul class="star">
<li><strong class="strong">File</strong>: the simplest system; it can only be used if all your servers share a file system. It can be used, for example, if all virtual hosts are on the same server,</li>
<li><strong class="strong">DBI</strong>: <span class="wikiexternallink"><a href="http://www.linuxmanpages.com/man3/DBI.3pm.php">DBI(3)</a></span> is a database access module for the Perl programming language. Used with Lemonldap::NG, it allows the configuration to be shared between servers that can access the same database. This is the recommended scheme on a network of servers.</li>
<li><strong class="strong">SOAP</strong>: this is not a real storage system, but it allows a remote server to access the configuration through a single HTTP(S) connection. The SOAP server uses File or DBI to access the real configuration and acts as a proxy.</li>
</ul>
<h4 class="heading-1-1-1"><span id="HTheprovidedexampleworkswithHTTP2CbutnotwithHTTPS">The provided example works with HTTP, but not with HTTPS.</span></h4>
<p class="paragraph"></p>In the redirection mechanism to the portal and then back to the protected site, you have to tell the handler whether users access it through HTTPS or HTTP. This is done with the <tt>https</tt> parameter.
This parameter has to be configured directly in the handlers; it is not accessible from the manager interface:
<p class="paragraph"></p>
<pre>
__PACKAGE__->init ( {
    # local cache shared by the Apache processes of this server
    localStorage        => "Cache::FileCache",
    localStorageOptions => {
        'namespace'          => 'MyNamespace',
        'default_expires_in' => 600,
        'directory_umask'    => '007',
        # sessions are cached here: keep this directory private to the Apache user
        'cache_root'         => '/tmp',
        'cache_depth'        => 5,
    },
    # where the shared configuration is read from
    configStorage => {
        type    => 'File',
        dirName => '/var/lib/lemonldap-ng/conf',
    },
    # tell the portal to send the user back to this site over HTTPS
    <strong class="strong">https => 1</strong>,
} );
</pre>
<h4 class="heading-1-1-1"><span id="HForwhatisusedthe22https22parameter3F">What is the "https" parameter used for?</span></h4>
<p class="paragraph"></p>This parameter is only used in the redirections to the authentication portal. It simply tells the portal that, after authentication, the user must be redirected back to the application over https rather than http.
<h4 class="heading-1-1-1"><span id="HWhatisanautoprotectedCGI3F">What is an auto-protected CGI?</span></h4>
<p class="paragraph"></p>When you have just one Perl CGI to protect in a VirtualHost, you can use an auto-protected CGI instead of a Lemonldap::NG handler:
<p class="paragraph"></p>
<pre>
use Lemonldap::NG::Handler::CGI;

my $cgi = Lemonldap::NG::Handler::CGI->new ( {
    # same parameters as a Lemonldap::NG::Handler::SharedConf handler
    # (localStorage, localStorageOptions, configStorage, https, ...)
} );

# redirects the user to the portal if there is no valid session
$cgi->authenticate;
</pre>
<p class="paragraph"></p>In the example above, $cgi is a CGI(3) object. The only difference is that it has some additional methods:
<ul class="star">
<li>authenticate: calls the Lemonldap::NG authentication mechanism,</li>
<li>authorize: use it if you want the manager to manage the access policy,</li>
<li>user: returns a hash table containing the user parameters,</li>
<li>group: used to validate group membership.</li>
</ul>This type of CGI is very useful when rights can not be distinguished by URL (fields in POST requests, for example). See the Lemonldap::NG::Handler::CGI(3) man page for more.
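<p class="paragraph"></p>As an added example, not code from the Lemonldap::NG documentation or project: a complete auto-protected CGI that takes its authorization decision on a POST field, which no URL-based rule in the manager could see. The storage parameters are those of the handler example above; the <tt>action</tt> field, its values, the <tt>admins</tt> group and the cache directory are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Lemonldap::NG::Handler::CGI;

# Storage parameters copied from the handler example on this page;
# the cache_root path is an assumption (a directory private to Apache).
my $cgi = Lemonldap::NG::Handler::CGI->new( {
    localStorage        => "Cache::FileCache",
    localStorageOptions => {
        'namespace'          => 'MyNamespace',
        'default_expires_in' => 600,
        'directory_umask'    => '007',
        'cache_root'         => '/var/cache/lemonldap-ng',
        'cache_depth'        => 5,
    },
    configStorage => {
        type    => 'File',
        dirName => '/var/lib/lemonldap-ng/conf',
    },
    https => 1,
} );

# Step 1: authentication. Users without a valid Lemonldap::NG session are
# redirected to the portal and never reach the code below.
$cgi->authenticate;

# Step 2: authorization on a POST field. The "action" field, its values and
# the "admins" group are assumptions for this example; all actions share one
# URL, so a regular-expression rule in the manager could not tell them apart.
my %required_group = ( view => undef, delete => 'admins' );
my $action = $cgi->param('action') || 'view';
unless ( exists $required_group{$action} ) {
    print $cgi->header( -status => '400 Bad Request' ), "Unknown action\n";
    exit;
}

# group() is the Lemonldap::NG::Handler::CGI helper listed above
my $group = $required_group{$action};
if ( defined $group and not $cgi->group($group) ) {
    print $cgi->header( -status => '403 Forbidden' ),
        "This action requires membership of group '$group'\n";
    exit;
}

# user() returns the hash of attributes exported for this session
my $user = $cgi->user;
print $cgi->header( -type => 'text/plain' ),
    "User $user->{uid} is allowed to perform '$action'\n";
```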
<h4 class="heading-1-1-1"><span id="HHowtouseLemonldap3A3ANGwithActiveDirectory3F">How to use Lemonldap::NG with Active Directory?</span></h4>
<p class="paragraph"></p>Active Directory uses the <tt>cn</tt> field instead of <tt>uid</tt> as unique identifier. You therefore have to modify the Lemonldap::NG configuration in two places:
<ol>
<li>the field <tt>cn</tt> (or <tt>sAMAccountName</tt>) has to be used to find the user in the portal,</li>
<li>Apache has to use this field in its logs.</li>
</ol>For the second point, replace <tt>$uid</tt> with <tt>$cn</tt> in the field "General Parameters -> Attribute to use in Apache's logs" (and check that this variable is an exported attribute). Changing the LDAP filter requires overloading a subroutine in the portal. This can be done as follows; since <tt>$self->{user}</tt> comes straight from the login form, its value is escaped before being inserted into the filter:
<p class="paragraph"></p>
<pre>
#!/usr/bin/perl
use strict;
use warnings;
use Lemonldap::NG::Portal::SharedConf;
use Net::LDAP::Util qw(escape_filter_value);

my $portal = Lemonldap::NG::Portal::SharedConf->new( {
    configStorage => {
        type    => 'File',
        dirName => '/var/lib/lemonldap-ng/conf',
    },
    <strong class="strong">formateFilter => sub {</strong>
        my $self = shift;
        # escape the login typed by the user so that '(', ')', '*', '\' and NUL
        # cannot change the structure of the filter
        my $user = escape_filter_value( $self->{user} );
        $self->{filter} = "(&amp;(cn=" . $user . ")(objectClass=person))";
        PE_OK;
    }    # end of overload
} );
# the rest of the portal script (the call to $portal->process) is unchanged
</pre>
<h4 class="heading-1-1-1"><span id="HHowtouseLemonldap3A3ANGasreverseproxy3F">How to use Lemonldap::NG as a reverse proxy?</span></h4>
<p class="paragraph"></p>Lemonldap::NG protects Apache VirtualHosts.
To use it as a reverse proxy, you just have to configure Apache as a reverse proxy:
<p class="paragraph"></p>
<pre>
# httpd.conf
&lt;VirtualHost *&gt;
    ServerName MyApplication.com
    # load the Lemonldap::NG handler; it runs before the request is proxied
    PerlRequire MyFile
    PerlHeaderParserHandler My::Package
    ProxyPass        / <span class="nobr"><a href="http://real-server/">http://real-server/</a></span>
    ProxyPassReverse / <span class="nobr"><a href="http://real-server/">http://real-server/</a></span>
    # You can also use mod_rewrite instead of mod_proxy
    # RewriteEngine On
    # RewriteRule /(.*)$ <span class="nobr"><a href="http://serveur-reel/$1">http://serveur-reel/$1</a></span> [P]
&lt;/VirtualHost&gt;
</pre>
<p class="paragraph"></p>If you prefer to use a Perl proxy, Lemonldap::NG provides one (Lemonldap::NG::Handler::Proxy(3)).
<h3 class="heading-1-1"><span id="HOperation">Operation</span></h3>
<h4 class="heading-1-1-1"><span id="HWithwhatservesthehandlerlocalcache3F">What is the handler local cache used for?</span></h4>
<p class="paragraph"></p>The handler local cache is used for two things:
<ul class="star">
<li>sharing the configuration between Apache processes: this avoids downloading the configuration for each new process. It is required by the reload mechanism, which avoids restarting Apache,</li>
<li>sharing sessions between Apache processes and threads: this avoids querying the central session storage on each hit. For example with Apache::Session::MySQL, TCP requests are turned into file system requests, which increases performance.</li>
</ul>
<h4 class="heading-1-1-1"><span id="HWhyhandlerslocalcachecannotbeconfiguredbythemanager3F">Why can't the handlers' local cache be configured by the manager?</span></h4>
<p class="paragraph"></p>The local cache has to be chosen and configured for each server: for example with the Cache::FileCache module, the storage directory can differ from one server to another. Another point is that the local storage can not be reloaded without restarting Apache, whereas all parameters managed by the manager can be.
<h4 class="heading-1-1-1"><span id="HWhatisthe7E7ECrossDomainAuthentication7E7E28CDA293F">What is the <i class="italic">Cross Domain Authentication</i> (CDA)?</span></h4>
<p class="paragraph"></p>The Lemonldap::NG session propagation system is based on cookies, but cookies are attached to a DNS domain. Lemonldap::NG provides a system to bypass this restriction: you just have to use a Lemonldap::NG::Portal::CDA portal and Lemonldap::NG::Handler::CDA handlers on all protected sites outside the portal's DNS domain.
<h4 class="heading-1-1-1"><span id="HHowworksthe7E7ECrossDomainAuthentication7E7E28CDA293F">How does the <i class="italic">Cross Domain Authentication</i> (CDA) work?</span></h4>
<p class="paragraph"></p>The Lemonldap::NG::Portal::CDA portal detects whether the requested URL is in the same domain. If not, it adds a parameter to the request. When the user comes back to the protected application, the Lemonldap::NG::Handler::CDA agent detects this parameter and generates a cookie in its own domain.
<h3 class="heading-1-1"><span id="HAuthentication">Authentication</span></h3>
<h4 class="heading-1-1-1"><span id="HHowtochangeauthenticationscheme3F">How to change the authentication scheme?</span></h4>
<p class="paragraph"></p>Lemonldap::NG provides several authentication modes (to be used in the "authentification" field of the administration interface):
<ul class="star">
<li><strong class="strong">ldap</strong>: this is the default mode: the portal tries to connect (bind) to the LDAP server with the user's credentials,</li>
<li><strong class="strong">CAS</strong>: the Lemonldap::NG portal becomes a simple CAS proxy: if the user is not authenticated, they are redirected to the CAS portal,</li>
<li><strong class="strong">SSL</strong>: in this scheme, authentication is done by Apache through SSL. This is useful to replace complete SSL protection: only one SSL negotiation is used instead,</li>
<li><strong class="strong">Apache</strong>: in this scheme, authentication is done by Apache.
For example with Kerberos, the Apache Kerberos module only protects the portal. This increases performance because only one Kerberos negotiation has to be done for all protected applications.</li>
</ul>
<h3 class="heading-1-1"><span id="HErroranddebugmessages">Error and debug messages</span></h3>
<p class="paragraph"></p>Lemonldap::NG produces error and debug messages that are logged by Apache (in error.log by default). You can adjust the debug level by setting the LogLevel directive in the Apache configuration file.
<p class="paragraph"></p>Those messages are described <span class="wikilink"><a href="errors.html">here</a></span>.
</div> </body> </html>