Manager protection

After installing LL::NG, the Manager can only be accessed from localhost, for security reasons. This how-to explains how to change this default behavior and protect the Manager with Apache or directly with LL::NG.

The configuration can be changed in etc/manager-apache2.conf.

By default, the protection rule is to only accept clients from localhost:

    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        Options +ExecCGI
    </Directory>

You can change this to allow other specific IP addresses, for example:

    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8 192.168.100.0/32
        Options +ExecCGI
    </Directory>

However, you will probably prefer to use an Apache authentication module, for example the LDAP authentication module:

    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
        AuthzLDAPAuthoritative On
        AuthName "LL::NG Manager"
        AuthType Basic
        AuthBasicProvider ldap
        AuthLDAPBindDN "ou=websso,ou=applications,dc=example,dc=com"
        AuthLDAPBindPassword "secret"
        AuthLDAPURL ldap://localhost:389/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS
        Require ldap-user coudot xguimard tchemineau
        Options +ExecCGI
    </Directory>

Before enabling Manager protection by LL::NG, you must have configured how users authenticate on the Portal and tested that you can log in without difficulty. Otherwise, you will lock yourself out of the Manager and will no longer be able to access it.

Go to the Manager and declare the Manager as a new virtual host, for example manager.example.com. You can then set the access rule. No headers are needed.

Save the configuration and exit the Manager.

The next time you access the Manager, it will be through LL::NG.

Enable protection on the Manager by editing lemonldap-ng.ini:

    [manager]
    protection = manager

Remove Apache access control:

    <Directory /usr/local/lemonldap-ng/htdocs/manager/>
        Order deny,allow
        Allow from all
        Options +ExecCGI
    </Directory>

Restart Apache and try to log in to the Manager. You should be redirected to the LL::NG Portal.

You can then add the Manager as an application in the menu.

If, for some obscure reason, the WebSSO is not working and you need to access the Manager, remove the protection in lemonldap-ng.ini and reconfigure the Apache access control.
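
The failure mode in this procedure is a state where Apache says `Allow from all` while lemonldap-ng.ini does not set `protection = manager`, which leaves the Manager with no access control at all. The check below is an added example, not part of the LL::NG documentation; the function names are hypothetical, the Apache test is a heuristic covering only the directives shown on this page, and the sample files are constructed.

```python
import configparser
import re

MANAGER_DIR = "/usr/local/lemonldap-ng/htdocs/manager/"  # path used on this page

def llng_protects(ini_text):
    """True when lemonldap-ng.ini sets protection = manager under [manager]."""
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    ini.read_string(ini_text)
    return ini.get("manager", "protection", fallback="").strip() == "manager"

def apache_restricts(conf_text, directory=MANAGER_DIR):
    """Heuristic: True when the Manager <Directory> block limits who may connect."""
    block = re.search(r'<Directory\s+"?%s"?\s*>(.*?)</Directory>' % re.escape(directory),
                      conf_text, re.S | re.I)
    if block is None:
        return False  # no block found: assume Apache adds no restriction
    lines = [" ".join(l.lower().split()) for l in block.group(1).splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    deny_all = "deny from all" in lines
    allow_all = "allow from all" in lines
    # Any Require other than "all granted" (e.g. Require ldap-user ...) restricts.
    require = any(l.startswith("require ") and l != "require all granted" for l in lines)
    return require or (deny_all and not allow_all)

def active_layers(ini_text, conf_text):
    """Access-control layers in front of the Manager; an empty list means exposed."""
    layers = []
    if apache_restricts(conf_text):
        layers.append("apache")
    if llng_protects(ini_text):
        layers.append("llng")
    return layers

# Constructed samples modelled on the snippets above.
OPEN_CONF = """<Directory /usr/local/lemonldap-ng/htdocs/manager/>
    Order deny,allow
    Allow from all
    Options +ExecCGI
</Directory>"""
LOCAL_CONF = OPEN_CONF.replace("Allow from all", "Deny from all\n    Allow from 127.0.0.0/8")
INI_ON = "[manager]\nprotection = manager\n"
INI_OFF = "[manager]\n; protection = manager\n"

if __name__ == "__main__":
    for ini, conf in [(INI_OFF, LOCAL_CONF), (INI_OFF, OPEN_CONF), (INI_ON, OPEN_CONF)]:
        print(active_layers(ini, conf) or "EXPOSED: no access control on the Manager")
```

Run it against the real files before restarting Apache; an empty result means the ini change has to go in before the Apache block is opened up.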