Events management¶
LemonLDAP::NG has two kinds of events to propagate between its nodes:
configuration updates
session logout
By default, events aren’t really propagated but a timer permits to refresh such data.
Starting from version 2.20.0, LLNG adds an optional PUB/SUB system (not enabled by default) to replace this timers. This isn’t useful in classic deployments but may help big ones.
Default events system¶
Session reload¶
The default LLNG cache system keeps in memory sessions during 10mn, sessions are automatically refreshed after this delay.
Configuration reload¶
After configuration is saved by Manager, LemonLDAP::NG will try to
reload configuration on distant Handlers by sending an HTTP request to
the servers. The servers and URLs can be configured in Manager,
General Parameters
> reload configuration URLs
: keys are server
names or IP the requests will be sent to, and values are the requested
URLs.
You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.
Attention
If “Compact configuration file” option is enabled, all useless parameters are removed to limit file size. Typically, if SAMLv2 service is disabled, all relative parameters will be erased. To avoid useless parameters to be purged, you can disable this option.
These parameters can be overwritten in LemonLDAP::NG ini file, in the
section apply
.
Tip
You only need a reload URL per physical servers, as Handlers share the same configuration cache on each physical server.
The reload
target is managed in Apache or Nginx configuration,
inside a virtual host protected by LemonLDAP::NG Handler (see below
examples in Apache->handler or Nginx->Handler).
Attention
You must allow access to declared URLs to your Manager IP.
Attention
If reload URL is served in HTTPS, to avoid “Error 500 (certificate verify failed)”, Go to :
General Parameters > Advanced Parameters > Security > SSL options for server requests
and set :
verify_hostname => 0
SSL_verify_mode => 0
Attention
If you want to use reload mechanism on a portal only
host, you must install a handler in Portal host to be able to refresh
local cache. Include handler-nginx.conf
or handler-apache2.conf
for example
Practical use case: configure reload in a LL::NG cluster. In this case you will have two servers (with IP 1.1.1.1 and 1.1.1.2), but you can keep only one reload URL (reload.example.com):
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
reloadUrls '1.1.1.1' 'http://reload.example.com/reload' \
reloadUrls '1.1.1.2' 'http://reload.example.com/reload'
You also need to adjust the protection of the reload vhost, for example:
<Location /reload>
Require ip 127 ::1 1.1.1.1 1.1.1.2
SetHandler perl-script
PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
</Location>
Using a Pub/Sub system¶
The message broker system replaces the previous system using an external Pub/Sub system.
When enabled, all LLNG process subscribe to llng_events
channel which
propagate “events”:
configution update (
newConf
)logouts (
unlog
)
Such messages are read every 5 seconds, then logout and configuration updates
are propagated in this delay. To modify this delay (10 seconds for example),
set checkMsg=10 inside lemonldap-ng.ini
, section [all]
.
To configure the event system, go into “General Parameters » Advanced parameters » Events Management” and set Pub/Sub system to Redis, PostgreSQL or MQTT.
Then set into “Pub/Sub system options” the needed options depending on the chosen system (see below).
Note
The corresponding parameter inside lemonldap-ng.ini
is messageBroker
which takes as value: ::Redis
or ::Pg
or ::MQTT
(which are abbreviations of Lemonldap::NG::Common::MessageBroker::<name>
).
Options take place into messageBrokerOptions
parameter.
PostgreSQL¶
The following parameters are needed:
* dbiChain
: see DBD::Pg to know the syntax
* dbiUser
: the username to use to connect
* dbiPassword
: the password to use to connect
Example:
dbiChain => "dbi:Pg:dbname=llng;host=localhost;port=54432",
dbiUser => "llng",
dbiPassword => "llng",
MQTT¶
The following parameter can be set:
server
(default: ``localhost:1883``)ssl
: set to 1 if SSL is available. Remember then to install IO::Socket::SSL (libio-socket-ssl-perl on Debian).
If ssl
is set then these parameters are allowed:
user
: usernane to use for loginpassword
: password to use for loginSSL_ca_file
: file with certificate authorities (PEM encoded)SSL_cert_file
: client certificateSSL_key_file
: client private key
If ssl
is set then these environment variables can be used also:
MQTT_SIMPLE_SSL_INSECURE
: Set to something other than 0 to disable SSL validationMQTT_SIMPLE_SSL_CA
: Path to the CA certificate or a directory of certificates. IO::Socket::SSL can find the CA path automatically on some systems.MQTT_SIMPLE_SSL_CERT
: Path to the client certificate file.MQTT_SIMPLE_SSL_KEY
: Path to the client private key file.