Configuration overview

Backends

LemonLDAP::NG configuration is stored in a backend that allows all modules to access it.

Note that all LL::NG components must have access:
  • to the configuration backend
  • to the sessions storage backend

Detailed configuration backends documentation is available here.

By default, configuration is stored in files, so access trough network is not possible. To allow this, use SOAP for configuration access, or use a network service like SQL database or LDAP directory.

Configuration backend can be set in the local configuration file, in configuration section.

For example, to configure the File configuration backend:

[configuration]
type=File
dirName = /usr/local/lemonldap-ng/data/conf
See How to change configuration backend to known how to change this.

Manager

Most of configuration can be done trough LemonLDAP::NG Manager (by default http://manager.example.com).

By default, Manager is protected to allow only the demonstration user “dwho”.

This user will not be available anymore if you configure a new authentication backend! Remember to change the access rule in Manager virtual host to allow new administrators.

If you can not access the Manager anymore, you can unprotect it by editing lemonldap-ng.ini and changing the protection parameter:

[manager]
 
# Manager protection: by default, the manager is protected by a demo account.
# You can protect it :
# * by Apache itself,
# * by the parameter 'protection' which can take one of the following
# values :
#   * authenticate : all authenticated users can access
#   * manager      : manager is protected like other virtual hosts: you
#                    have to set rules in the corresponding virtual host
#   * rule: <rule> : you can set here directly the rule to apply
#   * none         : no protection
See Manager protection documentation to know how to use Apache modules or LL::NG to manage access to Manager.

The Manager displays main branches:

  • General Parameters: Authentication modules, portal, etc.
  • Variables: User information, macros and groups used to fill SSO session
  • Virtual Hosts: Access rules, headers, etc.
  • SAML 2 Service: SAML metadata administration
  • SAML identity providers: Registered IDP
  • SAML service providers: Registered SP
  • OpenID Connect Service: OpenID Connect service configuration
  • OpenID Connect Providers: Registered OP
  • OpenID Connect Relying Parties: Registered RP

LemonLDAP::NG configuration is mainly a key/value structure, so Manager will present all keys into a structured tree. A click on a key will display the associated value.

When all modifications are done, click on Save to store configuration.

LemonLDAP::NG will do some checks on configuration and display errors and warnings if any. Configuration is not saved if errors occur.

Configuration text editor

LemonLDAP::NG provide a script that allows one to edit configuration without graphical interface, this script is called lmConfigEditor and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:

/usr/share/lemonldap-ng/bin/lmConfigEditor
This script must be run as root, it will then use the Apache user and group to access configuration.

The script uses the editor system command, that links to your favorite editor. To change it:

update-alternatives --config editor

The configuration is displayed as a big Perl Hash, that you can edit:

$VAR1 = {
          'ldapAuthnLevel' => '2',
          'notificationWildcard' => 'allusers',
          'loginHistoryEnabled' => '1',
          'key' => 'q`e)kJE%<&wm>uaA',
          'samlIDPSSODescriptorSingleSignOnServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
          'portalSkin' => 'pastel',
          'failedLoginNumber' => '5',
          ...
          };

If a modification is done, the configuration is saved with a new configuration number. Else, current configuration is kept.

Command Line Interface (CLI)

LemonLDAP::NG provide a script that allows one to edit configuration items in non interactive mode. This script is called lemonldap-ng-cli and is stored in the LemonLDAP::NG bin/ directory, for example /usr/share/lemonldap-ng/bin:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli
This script must be run as root, it will then use the Apache user and group to access configuration.

To see available actions, do:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli help

You can force an update of configuration cache with:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli update-cache

To get information about current configuration:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli info

To view a configuration parameter, for example portal URL:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli get portal

To set a parameter, for example domain:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli set domain example.org

You can use accessors (options) to change the behavior:

  • -sep: separator of hierarchical values (by default: /).
  • -iniFile: the lemonldap-ng.ini file to use if not default value.
  • -yes: do not prompt for confirmation before saving new configuration.
  • -cfgNum: the configuration number. If not set, it will use the latest configuration.
  • -force: set it to 1 to save a configuration earlier than latest.

Some examples:

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -cfgNum 10 get exportedHeaders/test1.example.com
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 set notification 1
/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -sep ',' get macros,_whatToTrace

Apache

LemonLDAP::NG does not manage Apache configuration

LemonLDAP::NG ships 3 Apache configuration files:

  • portal-apache2.conf: Portal virtual host, with SOAP/REST end points
  • manager-apache2.conf: Manager virtual host
  • handler-apache2.conf : Handler declaration, reload and sample virtual hosts

See how to deploy them.

Portal

In Portal virtual host, you will find several configuration parts:

  • Standard virtual host directives, to serve portal pages:
    ServerName auth.example.com
 
    # DocumentRoot
    DocumentRoot /usr/local/lemonldap-ng/htdocs/portal/
    <Directory /usr/local/lemonldap-ng/htdocs/portal/>
        Require all granted
        Options +ExecCGI +FollowSymLinks
    </Directory>
    # For performances, you can put static html files: simply put the HTML
    # result (example: /oauth2/checksession.html) as static file. Then
    # uncomment the following line.
    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:(?:static|javascript|favicon).*|.*\.fcgi)$"
    RewriteRule "^/(.+)$" "/index.fcgi/$1" [PT]
 
    # Note that Content-Security-Policy header is generated by portal itself
    <Files *.fcgi>
        SetHandler fcgid-script
        #CGIPassAuth on
        Options +ExecCGI
    </Files>
 
    # Static files
    Alias /static/ __PORTALSTATICDIR__/
    <Directory __PORTALSTATICDIR__>
        Require all granted
        Options +FollowSymLinks
    </Directory>
    <Location /static/>
        <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresDefault "access plus 1 month"
        </IfModule>
    </Location>
 
    <IfModule mod_dir.c>
        DirectoryIndex index.fcgi index.html
    </IfModule>
  • REST/SOAP end points (disabled by default):
    # REST/SOAP functions for sessions management (disabled by default)
    <Location /index.fcgi/adminSessions>
        Require all denied
    </Location>
 
    # REST/SOAP functions for sessions access (disabled by default)
    <Location /index.fcgi/sessions>
        Require all denied
    </Location>
 
    # REST/SOAP functions for configuration access (disabled by default)
    <Location /index.fcgi/config>
        Require all denied
    </Location>
 
    # REST/SOAP functions for notification insertion (disabled by default)
    <Location /index.fcgi/notification>
        Require all denied
    </Location>

Manager

Manager virtual host is used to serve configuration interface and local documentation. It is run as a FastCGI application:

    # FASTCGI CONFIGURATION
    # ---------------------
 
    # 1) URI management
    RewriteEngine on
 
    RewriteRule "^/$" "/psgi/manager-server.fcgi" [PT]
    # For performances, you can delete the previous RewriteRule line after
    # puttings html files: simply put the HTML results of different modules
    # (configuration, sessions, notifications) as manager.html, sessions.html,
    # notifications.html and uncomment the 2 following lines:
    # DirectoryIndex manager.html
    # RewriteCond "%{REQUEST_FILENAME}" "!\.html$"
 
    # REST URLs
    RewriteCond "%{REQUEST_FILENAME}" "!^/(?:static|doc|lib).*"
    RewriteRule "^/(.+)$" "/psgi/manager-server.fcgi/$1" [PT]
 
    Alias /psgi/ /var/lib/lemonldap-ng/manager/psgi/
 
    # 2) FastCGI engine
 
    # You can choose any FastCGI system. Here is an example using mod_fcgid
    # mod_fcgid configuration
    <Directory /var/lib/lemonldap-ng/manager/psgi/>
        SetHandler fcgid-script
        Options +ExecCGI
    </Directory>
 
    # If you want to use mod_fastcgi, replace lines below by:
    #FastCgiServer /var/lib/lemonldap-ng/manager/psgi/manager-server.fcgi
 
    # Or if you prefer to use CGI, use /psgi/manager-server.cgi instead of
    # /psgi/manager-server.fcgi and adapt the rewrite rules.

Configuration interface access is not protected by Apache but by LemonLDAP::NG itself (see lemonldap-ng.ini).

Handler

  • Load Handler in Apache memory:
PerlOptions +GlobalRequest
PerlModule Lemonldap::NG::Handler
  • Catch error pages:
ErrorDocument 403 http://auth.example.com/?lmError=403
ErrorDocument 404 http://auth.example.com/?lmError=404
ErrorDocument 500 http://auth.example.com/?lmError=500
ErrorDocument 502 http://auth.example.com/?lmError=502
ErrorDocument 503 http://auth.example.com/?lmError=503
  • Reload virtual host:
<VirtualHost *:80>
    ServerName reload.example.com
 
    # Configuration reload mechanism (only 1 per physical server is
    # needed): choose your URL to avoid restarting Apache when
    # configuration change
    <Location /reload>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/8
        SetHandler perl-script
        PerlResponseHandler Lemonldap::NG::Handler->reload
    </Location>
 
    # Uncomment this to activate status module
    #<Location /status>
    #    Order deny,allow
    #    Deny from all
    #    Allow from 127.0.0.0/8
    #    SetHandler perl-script
    #    PerlResponseHandler Lemonldap::NG::Handler->status
    #</Location>
 
</VirtualHost>

Then, to protect a standard virtual host, the only configuration line to add is:

PerlHeaderParserHandler Lemonldap::NG::Handler

Nginx

LemonLDAP::NG does not manage Nginx configuration

LemonLDAP::NG ships 3 Nginx configuration files:

  • portal-nginx.conf: Portal virtual host, with REST/SOAP end points
  • manager-nginx.conf: Manager virtual host
  • handler-nginx.conf : Handler reload virtual hosts

See how to deploy them.

LL::NG FastCGI server must be loaded separately.

Portal

In Portal virtual host, you will find several configuration parts:

  • Standard virtual host directives, to serve portal pages:
server {
  listen 80;
  server_name auth.example.com;
  root /var/lib/lemonldap-ng/portal/;
  if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
    rewrite ^/(.*)$ /index.psgi/$1 break;
  }
 
  location ~ \.psgi(?:$|/) {
    # Note that Content-Security-Policy header is generated by portal itself
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
    # Uncomment this if you use Auth SSL:
    #map $ssl_client_s_dn  $ssl_client_s_dn_cn {
    #  default           "";
    #  ~/CN=(?<CN>[^/]+) $CN;
    #}
    #fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn
  }
 
  index index.psgi;
  location / {
    try_files $uri $uri/ =404;
 
    # Uncomment this if you use https only
    #add_header Strict-Transport-Security "15768000";
  }
 
  location /static/ {
    alias __PORTALSTATICDIR__;
  }
}
  • REST/SOAP end points (inactivated by default):
  # REST/SOAP functions for sessions management (disabled by default)
  location /index.psgi/adminSessions {
    deny all;
  }
 
  # REST/SOAP functions for sessions access (disabled by default)
  location /index.psgi/sessions {
    deny all;
  }
 
  # REST/SOAP functions for configuration access (disabled by default)
  location /index.psgi/config {
    deny all;
  }
 
  # REST/SOAP functions for notification insertion (disabled by default)
  location /index.psgi/notification {
    deny all;
  }

Manager

Manager virtual host is used to serve configuration interface and local documentation.

server {
  listen 80;
  server_name manager.example.com;
  root /usr/share/lemonldap-ng/manager/;
 
  if ($uri !~ ^/(static|doc|lib|javascript)) {
    rewrite ^/(.*)$ /manager.psgi/$1 break;
  }
 
  location /manager.psgi {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_param LLTYPE manager;
    fastcgi_param SCRIPT_NAME /manager.psgi;
  }
 
  location / {
    index manager.psgi;
    try_files $uri $uri/ =404;
  }
}

By default, configuration interface access is not protected by Nginx but by LemonLDAP::NG itself (see lemonldap-ng.ini).

Handler

Nginx handler is provided by the LemonLDAP::NG FastCGI server.

  • Handle errors:
error_page 403 http://auth.example.com/?lmError=403;
error_page 404 http://auth.example.com/?lmError=404;
error_page 500 http://auth.example.com/?lmError=500;
error_page 502 http://auth.example.com/?lmError=502;
error_page 503 http://auth.example.com/?lmError=503;
  • Reload virtual host:
server {                                                               
  listen 80;                                                        
  server_name reload.example.com;                                      
  root /var/www/html;
 
  location = /reload {                                                 
    allow 127.0.0.1; 
    deny all;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_param LLTYPE reload;
  } 
 
  # Other requests                                                    
  location / {                                                         
    deny all;
  } 
 
  # Uncomment this if status is enabled                                
  #location = /status {                                              
  #  allow 127.0.0.1;
  #  deny all;
  #  include /etc/nginx/fastcgi_params;                                
  #  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
  #  fastcgi_param LLTYPE status;
  #}
}

Then, to protect a standard virtual host, you must insert this (or create an included file):

  # Insert $_user in logs
  include /etc/lemonldap-ng/nginx-lmlog.conf;
  access_log /var/log/nginx/access.log lm_combined;
 
  # Internal call to FastCGI server
  location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
    fastcgi_pass_request_body  off;
    fastcgi_param CONTENT_LENGTH "";
    fastcgi_param HOST $http_host;
    fastcgi_param X_ORIGINAL_URI  $request_uri;
  }
 
  # Client requests
  location / {
    auth_request /lmauth;
    auth_request_set $lmremote_user $upstream_http_lm_remote_user;
    auth_request_set $lmlocation $upstream_http_location;
    error_page 401 $lmlocation;
    try_files $uri $uri/ =404;
 
    # Set REMOTE_USER (for FastCGI apps only)
    #fastcgi_param REMOTE_USER $lmremote_user
 
    ##################################
    # PASSING HEADERS TO APPLICATION #
    ##################################
 
    # IF LUA IS SUPPORTED
    #include /path/to/nginx-lua-headers.conf
 
    # ELSE
    # Set manually your headers
    #auth_request_set $authuser $upstream_http_auth_user;
    #proxy_set_header Auth-User $authuser;
    # OR
    #fastcgi_param HTTP_AUTH_USER $authuser;
 
    # Then (if LUA not supported), change cookie header to hide LLNG cookie
    #auth_request_set $lmcookie $upstream_http_cookie;
    #proxy_set_header Cookie: $lmcookie;
    # OR
    #fastcgi_param HTTP_COOKIE $lmcookie;
 
    # Insert then your configuration (fastcgi_* or proxy_*)

Configuration reload

As Handlers keep configuration in cache, when configuration change, it should be updated in Handlers. An Apache restart will work, but LemonLDAP::NG offers the mean to reload them through an HTTP request. Configuration reload will then be effective in less than 10 minutes. If you want to change this timeout, set checkTime = 240 in your lemonldap-ng.ini file (values in seconds)

After configuration is saved by Manager, LemonLDAP::NG will try to reload configuration on distant Handlers by sending an HTTP request to the servers. The servers and URLs can be configured in Manager, General Parameters > reload configuration URLs: keys are server names or IP the requests will be sent to, and values are the requested URLs.

You also have a parameter to adjust the timeout used to request reload URLs, it is be default set to 5 seconds.

These parameters can be overwritten in LemonLDAP::NG ini file, in the section apply.

You only need a reload URL per physical servers, as Handlers share the same configuration cache on each physical server.

The reload target is managed in Apache or Nginx configuration, inside a virtual host protected by LemonLDAP::NG Handler (see below examples in Apache→handler or Nginx→Handler).

You must allow access to declared URLs to your Manager IP.
If you want to use reload mechanism on a portal only host, you must install a handler in Portal host to be able to refresh local cache. Include handler-nginx.conf or handler-apache2.conf for example

Practical use case: configure reload in a LL::NG cluster. In this case you will have two servers (with IP 1.1.1.1 and 1.1.1.2), but you can keep only one reload URL (reload.example.com):

/usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 addKey \
reloadUrls '1.1.1.1' 'http://reload.example.com/reload' \
reloadUrls '1.1.1.2' 'http://reload.example.com/reload'

You also need to adjust the protection of the reload vhost, for example:

    <Location /reload>
        Require ip 127 ::1 1.1.1.1 1.1.1.2
        SetHandler perl-script
        PerlResponseHandler Lemonldap::NG::Handler::ApacheMP2->reload
    </Location>

Local file

LemonLDAP::NG configuration can be managed in a local file with INI format. This file is called lemonldap-ng.ini and has the following sections:

  • configuration: where configuration is stored
  • apply: reload URL for distant Hanlders
  • all: parameters for all modules
  • portal: parameters only for Portal
  • manager: parameters only for Manager
  • handler: parameters only for Handler

When you set a parameter in lemonldap-ng.ini, it will override the parameter from the global configuration.

For example, to override configured skin for portal:

[portal]
portalSkin = dark
You need to know the technical name of configuration parameter to do this. You can refer to parameter list to find it.