documentation:2.1:soapsessionbackend

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

documentation:2.1:soapsessionbackend [2019/04/04 20:34] (current)
Line 1: Line 1:
 +====== SOAP session backend ======
  
 +LL::NG portal provides SOAP end points for sessions management:
 +  * **sessions/**: read only access to sessions (enough for distant Handlers)
 +  * **adminSessions/**: read/write access to sessions (required for distant Portal, distant Manager or distant Handlers which modify sessions)
 +
 +This session backend can be used to share sessions stored in a non-network backend (like [[filesessionbackend|file session backend]]) or in a network backend protected with a firewall that only accepts HTTP flows.
 +
 +Most of the time, SOAP session backend is used by Handlers installed on external servers.
 +
 +To configure it, SOAP session backend will be set trough Manager in global configuration (used by all Hanlders), and the real session backend will be configured for local components in lemonldap-ng.ini.
 +
 +===== Setup =====
 +
 +==== Manager ====
 +
 +First, active SOAP in ''General parameters'' » ''Advanced parameters'' » ''SOAP''.
 +
 +Then, set ''Lemonldap::NG::Common::Apache::Session::SOAP'' in ''General parameters'' » ''Sessions'' » ''Session storage'' » ''Apache::Session module'' and add the following parameters (case sensitive):
 +
 +^  Required parameters  ^^^
 +^  Name  ^  Comment  ^  Example  ^
 +|  **proxy**  | URL of sessions SOAP end point | %%http://auth.example.com/index.fcgi/sessions%% |
 +
 +<note tip>Use /adminSessions if the Handler need to modify the session, for example if you configured an idle timeout.</note>
 +
 +By default, only few sessions keys are shared by SOAP (authenticationLevel, groups, ipAddr, _startTime, _utime, _lastSeen, _session_id), you need to define which other keys you want to share in ''General parameters'' » ''Plugins'' » ''Portal servers'' » ''SOAP/REST exported attributes''.
 +
 +You must start with ''+'' to keep default keys, else they will not be shared. For example:
 +<code>
 ++ uid cn mail
 +</code>
 +
 +To share only the listed attributes:
 +<code>
 +_utime _session_id uid cn mail
 +</code>
 +==== Apache ====
 +
 +Sessions SOAP end points access must be allowed in Apache portal configuration (for example, access by IP range):
 +
 +<file apache>
 +# SOAP functions for sessions management (disabled by default)
 +<Location /index.fcgi/adminSessions>
 +    Require 192.168.2.0/24
 +</Location>
 +
 +# SOAP functions for sessions access (disabled by default)
 +<Location /index.fcgi/sessions>
 +    Require 192.168.2.0/24
 +</Location>
 +</file>
 +
 +==== Real session backend ====
 +
 +Real session backend will be configured in ''lemonldap-ng.ini'', in ''portal'' section (the portal hosts the SOAP service for sessions, and will do the link between SOAP requests and real sessions).
 +
 +For example, if real sessions are stored in [[filesessionbackend|files]]:
 +
 +<file ini>
 +[portal]
 +globalStorage = Apache::Session::File
 +globalStorageOptions = { 'Directory' => '/var/lib/lemonldap-ng/sessions/', 'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/', }
 +</file>
 +
 +<note tip>If your sessions explorer is on the same server that the portal, either use the **adminSessions** end point in Manager configuration, or override the ''globalStorage'' and ''globalStorageOptions'' parameters in section all (and not portal) of ''lemonldap-ng.ini''. </note>