Writing rules and headers

Lemonldap::NG manage applications by their hostname (Apache's virtualHosts). Rules are used to protect applications, headers are HTTP headers added to the request to give datas to the application (for logs, profiles,…).

Note that variables designed by $xx correspond to the name of the exported variables or macro names except for $ENV{<cgi-header>} which correspond to CGI header ($ENV{REMOTE_ADDR} for example).

Available $ENV{} variables

The %ENV table provides:

  • all headers in CGI format (User-Agent becomes HTTP_USER_AGENT)
  • some CGI variables depending on the context:
    • For portal: all CGI standard variables (you can add custom headers using fastcgi_param with Nginx),
    • For Nginx handler: all variables given by fastcgi_param commands.
  • For portal:
    • $ENV{urldc} : Origin URL before Handler redirection, in cleartext
    • $ENV{_url} : Origin URL before Handler redirection, base64 encoded

See also extended functions.


A rule associates a regular expression to a Perl boolean expression or a keyword.


Goal Regular expression Rule
Restrict /admin/ directory to user bart.simpson ^/admin/ $uid eq "bart.simpson"
Restrict /js/ and /css/ directory to authenticated users ^/(css|js)/ accept
Deny access to /config/ directory ^/config/ deny
Do not restrict /public/ ^/public/ skip
Makes authentication optional, but authenticated users are seen as such (that is, user data are sent to the app through HTTP headers) ^/forum/ unprotect
Restrict access to the whole site to users that have the LDAP description field set to “LDAP administrator” (must be set in exported variables) default $description eq "LDAP administrator"

The “default” access rule is used if no other access rule match the current URL.

  • Comments can be used to order your rules: rules are applied in the alphabetical order of comment (or regexp in there is no comment). See security chapter to learn more about writing good rules.
  • See performances to know how to use macros and groups in rules.

Rules can also be used to intercept logout URL:

Goal Regular expression Rule
Logout user from Lemonldap::NG and redirect it to http://intranet/ ^/index.php\?logout logout_sso http://intranet/
Logout user from current application and redirect it to the menu (Apache only) ^/index.php\?logout logout_app https://auth.example.com/
Logout user from current application and from Lemonldap::NG and redirect it to http://intranet/ (Apache only) ^/index.php\?logout logout_app_sso http://intranet/
logout_app and logout_app_sso rules are not available on Nginx, only on Apache.

By default, user will be redirected on portal if no URL defined, or on the specified URL if any.

Only current application is concerned by logout_app* targets. Be careful with some applications which doesn't verify Lemonldap::NG headers after having created their own cookies. If so, you can redirect users to a HTML page that explain that it is safe to close browser after disconnect.

Rules on authentication level

LLNG set an “authentication level” during authentication process. This level is the value of the authentication backend used for this user. Default values are:

There are two way to impose users to have a high authentication level:

  • writing a rule based en authentication level: $authenticationLevel > 3
  • since 2.0, set a minimum level in virtual host options
Instead of returning a 403 code, “minimum level” returns user to a form that explain that a higher level is required and propose to user to reauthenticate itself.


Headers are associations between an header name and a perl expression that returns a string. Headers are used to give user datas to the application.


Goal Header name Header value
Give the uid (for accounting) Auth-User $uid
Give a static value Some-Thing “static-value”
Give display name Display-Name $givenName.“ ”.$surName
Give a non ascii data Display-Name encode_base64($givenName." ".$surName,"")

As described in performances chapter, you can use macros, local macros,…

  • Since many HTTP servers refuse non ascii headers, it is recommended to use encode_base64() function to transmit those headers
  • Don't forget to add an empty string as second argument to encode_base64 function to avoid a “newline” characters insertion in result
  • Header names must contain only letters and “-” character
By default, SSO cookie is hidden. So protected applications cannot retrieve SSO session key. But you can forward this key if absolutely needed:
Session-ID => $_session_id

Available functions

In addition to macros and name, you can use some functions in rules and headers:

Wildcards in hostnames

Since 2.0, a wildcard can be used in virtualhost name (not in aliases !): *.example.com matches all hostnames that belong to example.com domain.

Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied. Example with precedence order:

  1. test.sub.example.com
  2. *.sub.example.com
  3. test.example.com
  4. *.example.com