
Configuration overview

LemonLDAP::NG configuration is stored in a backend that allows all modules to access it.

Note that all LL::NG components must have access:
  • to the configuration backend
  • to the sessions storage backend

Detailed configuration backends documentation is available here.

By default, configuration is stored in files, so access through the network is not possible. To allow this, use SOAP for configuration access, or use a network service such as an SQL database or an LDAP directory.

The configuration backend can be set in the local configuration file (lemonldap-ng.ini), in the configuration section.

For example, to configure the File configuration backend:

[configuration]
type=File
dirName = /usr/local/lemonldap-ng/data/conf
See How to change configuration backend to know how to change this.

Most of the configuration can be done through LemonLDAP::NG Manager (by default http://manager.example.com).

By default, Manager is protected to allow only localhost. This can be changed in etc/manager-apache2.conf:

    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        Options +ExecCGI
    </Directory>
See Manager protection documentation to know how to use Apache modules or LL::NG to manage access to Manager.

The Manager displays main branches:

  • General Parameters: authentication modules, portal, etc.
  • Variables: user information, macros and groups used to fill SSO session
  • Virtual Hosts: access rules, headers, etc.
  • SAML 2 Service: SAML metadata administration
  • SAML identity providers: Registered IDP
  • SAML service providers: Registered SP

LemonLDAP::NG configuration is mainly a key/value structure, so Manager presents all keys in a structured tree. A click on a key displays the associated value.

When modifying a value, always click on the Apply button if available, to be sure the value is saved.

When all modifications are done, click on Save to store configuration.

LemonLDAP::NG will do some checks on configuration and display errors and warnings if any. Configuration is not saved if errors occur.

You can change the graphical aspect of the Manager, by clicking on the Menu style button. It will open a dialog to choose:

Menu style preferences are stored in cookies (1 year duration). You can fix default values by editing these values in lemonldap-ng.ini, section manager:
  • managerCss
  • managerCssTheme
LemonLDAP::NG does not manage Apache configuration

LemonLDAP::NG ships 3 Apache configuration files:

  • portal-apache2.conf: Portal virtual host, with SOAP and Issuer end points
  • manager-apache2.conf: Manager virtual host
  • handler-apache2.conf: Handler declaration, reload and sample virtual hosts

These files must be included in Apache configuration, either with Include directives in httpd.conf (see quick start example), or with symbolic links in Apache configuration directory (like /etc/httpd/conf.d).

mod_perl must be loaded before LemonLDAP::NG, so include the LemonLDAP::NG configuration files after the mod_perl LoadModule directive.

In Portal virtual host, you will find several configuration parts:

  • Standard virtual host directives, to serve portal pages:
    ServerName auth.example.com
 
    # DocumentRoot
    DocumentRoot /usr/local/lemonldap-ng/htdocs/portal/
    <Directory /usr/local/lemonldap-ng/htdocs/portal/>
        Order allow,deny
        Allow from all
        Options +ExecCGI
    </Directory>
 
    # Perl script
    <Files *.pl>
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
    </Files>
 
    # Directory index
    <IfModule mod_dir.c>
        DirectoryIndex index.pl index.html
    </IfModule>
  • SOAP end points (disabled by default):
    # SOAP functions for sessions management (disabled by default)
    <Location /index.pl/adminSessions>
        Order deny,allow
        Deny from all
    </Location>
 
    # SOAP functions for sessions access (disabled by default)
    <Location /index.pl/sessions>
        Order deny,allow
        Deny from all
    </Location>
 
    # SOAP functions for configuration access (disabled by default)
    <Location /index.pl/config>
        Order deny,allow
        Deny from all
    </Location>
 
    # SOAP functions for notification insertion (disabled by default)
    <Location /index.pl/notification>
        Order deny,allow
        Deny from all
    </Location>
  • Issuer rewrite rules (requires mod_rewrite):
    # SAML2 Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/saml/metadata /metadata.pl
        RewriteRule ^/saml/.* /index.pl
    </IfModule>
 
    # CAS Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/cas/.* /index.pl
    </IfModule>
 
    # OpenID Issuer
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/openidserver/.* /index.pl
    </IfModule>
  • Some Perl optimizations:
    # Best performance under ModPerl::Registry
    # Uncomment this to increase performance of Portal
    <Perl>
        require Lemonldap::NG::Portal::SharedConf;
        Lemonldap::NG::Portal::SharedConf->compile(
            qw(delete header cache read_from_client cookie redirect unescapeHTML));
        # Uncomment this line if you use Lemonldap::NG menu
        require Lemonldap::NG::Portal::Menu;
        # Uncomment this line if you use portal SOAP capabilities
        require SOAP::Lite;
    </Perl>

The Manager virtual host is used to serve the configuration interface and the local documentation.

  • Configuration interface access is protected:
    DocumentRoot /usr/local/lemonldap-ng/htdocs/manager/
    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        Options +ExecCGI
    </Directory>
  • Local documentation is open to all:
    Alias /doc/ /usr/local/lemonldap-ng/htdocs/doc/
    <Directory /usr/local/lemonldap-ng/htdocs/doc/>
        Order deny,allow
        Allow from all
    </Directory>
  • Load Handler in Apache memory:
    PerlOptions +GlobalRequest
    PerlRequire /usr/local/lemonldap-ng/handler/MyHandler.pm
    The Handler must be loaded before any protected virtual host.
  • Catch error pages:
    ErrorDocument 403 http://auth.example.com/?lmError=403
    ErrorDocument 500 http://auth.example.com/?lmError=500
  • Reload virtual host:
    <VirtualHost *:80>
        ServerName reload.example.com
 
        # Configuration reload mechanism (only 1 per physical server is
        # needed): choose your URL to avoid restarting Apache when
        # configuration change
        <Location /reload>
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/8
            PerlHeaderParserHandler My::Package->refresh
        </Location>
 
        # Uncomment this to activate status module
        #<Location /status>
        #    Order deny,allow
        #    Deny from all
        #    Allow from 127.0.0.0/8
        #    PerlHeaderParserHandler My::Package->status
        #</Location>
 
    </VirtualHost>

Then, to protect a standard virtual host, the only configuration line to add is:

PerlHeaderParserHandler My::Package
As Handlers keep the configuration in cache, Handlers must be updated when the configuration changes. An Apache restart works, but LemonLDAP::NG offers a way to reload them through an HTTP request. The configuration reload is then effective in less than 10 minutes.

After the configuration is saved by Manager, LemonLDAP::NG tries to reload the configuration on distant Handlers. This can be configured in the LemonLDAP::NG ini file, in the apply section:

[apply]
 
# URL used to reload configuration
reload.example.com=http://reload.example.com/reload
;reloaddist.example.com=http://reloaddist.example.com/reload
You only need one reload URL per physical server, as Handlers share the same configuration cache on each physical server.

The reload target is managed in the Apache configuration, inside a virtual host protected by the LemonLDAP::NG Handler, for example:

<VirtualHost *:80>
    ServerName reload.example.com
 
    <Location /reload>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        PerlHeaderParserHandler My::Package->refresh
    </Location>
 
</VirtualHost>
You must allow access from the Manager's IP address.
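The Manager Directory block, the SOAP Location blocks of the Portal virtual host and the /reload Location above all rely on the same Apache 2.2 Order/Deny/Allow rules, and a single stray "Allow from all" opens such an endpoint to everyone. The following Python script is an added example and not part of LemonLDAP::NG: it parses those blocks, works out who is effectively admitted under those rules, flags blocks open to the world, and checks that the Manager's IP address (192.0.2.10 here, a constructed value) is admitted to /reload. The sample configuration is constructed.

```python
import ipaddress
import re

# Constructed sample in the style of portal-apache2.conf and the reload virtual host;
# the /index.pl/config SOAP endpoint has been opened on purpose to show a finding.
SAMPLE_CONF = """
<Location /index.pl/config>
    Order deny,allow
    Deny from all
    Allow from all
</Location>
<Location /reload>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8
    Allow from 192.0.2.10
</Location>
"""
BLOCK_RE = re.compile(r"<(Directory|Location)\s+(\S+)>(.*?)</\1>", re.S)

def parse_blocks(conf):
    """Map each <Directory>/<Location> path to its lower-cased (directive, value) pairs."""
    return {path: [tuple(p.lower() for p in (l.split(None, 1) + [""])[:2])
                   for l in map(str.strip, body.splitlines()) if l and not l.startswith("#")]
            for _kind, path, body in BLOCK_RE.findall(conf)}

def effective_allow(pairs):
    """Who gets in under Apache 2.2 mod_access rules: {'all'} = everyone, set() = nobody."""
    order = dict(pairs).get("order", "deny,allow")
    allow = {v[5:].strip() for k, v in pairs if k == "allow" and v.startswith("from ")}
    deny = {v[5:].strip() for k, v in pairs if k == "deny" and v.startswith("from ")}
    if order == "deny,allow":  # Deny checked first, Allow overrides it, default is allow
        return allow if "all" in deny else {"all"}
    return set() if "all" in deny else allow - deny  # allow,deny: Deny overrides, default deny

def covers(source, ip):
    """True if an Allow source (address or CIDR) covers ip; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False

def audit(conf, manager_ip):
    """{path: finding}: flags blocks open to everyone and a /reload the Manager cannot reach."""
    report = {}
    for path, pairs in parse_blocks(conf).items():
        allowed = effective_allow(pairs)
        if "all" in allowed:
            report[path] = "OPEN to all"
        elif path == "/reload" and not any(covers(s, manager_ip) for s in allowed):
            report[path] = "reload not reachable from Manager at " + manager_ip
        else:
            report[path] = "restricted to " + (", ".join(sorted(allowed)) or "nobody")
    return report
```

Run it against the real manager-apache2.conf, portal-apache2.conf and handler-apache2.conf by reading those files into audit() instead of SAMPLE_CONF.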

LemonLDAP::NG configuration can be managed in a local file with INI format. This file is called lemonldap-ng.ini and has the following sections:

  • configuration: where configuration is stored
  • apply: reload URL for distant Handlers
  • all: parameters for all modules
  • portal: parameters only for Portal
  • manager: parameters only for Manager
  • handler: parameters only for Handler

When you set a parameter in lemonldap-ng.ini, it overrides the parameter from the global configuration.

For example, to override configured skin for portal:

[portal]
portalSkin = dark
You need to know the technical name of the configuration parameter to do this. You can refer to the parameter list to find it.

LemonLDAP::NG allows you to override any configuration parameter directly in a script file. However, editing such files is not advised, as they are part of the program and will be erased at the next upgrade.

You also need to know the technical name of the configuration parameter to do this. You can refer to the parameter list to find it.

For example, in portal/index.pl:

my $portal = Lemonldap::NG::Portal::SharedConf->new(
    {
        portalSkin => 'dark',
    }
);

For example, in handler/MyHandler.pm:

__PACKAGE__->init(
    {
        domain => 'acme.com',
    }
);