ADVANCED
INSTALLATION
Warning: This
document is written for people who know Lemonldap::NG. For other people,
it is recommended to build the
example provided in the source and next to adapt
it to local installation.
PREREQ
Apache
To use Lemonldap::NG, you have to run a LDAP
server and of course an Apache server compiled with mod-perl (version 1.3
or 2.x). Generaly, the version of Apache proposed with your Linux
distribution match, but some distributions used an experimental version of
mod_perl with Apache2 (mod_perl-1.99) which does not work with
Lemonldap::NG. With such distributions (like Debian-3.1), you have to use
Apache-1.3 or to use a mod_perl backport (www.backports.org package for
Debian works fine).
For Apache2, you can use both mpm-worker and
mpm-prefork. Mpm-worker works faster and Lemonldap::NG use the thread
system for best performance. If you have to use mpm-prefork (for example
if you use PHP), Lemonldap::NG will work anyway.
You can use Lemonldap::NG in an heterogene world:
the authentication portal and the manager can work in any version of
Apache 1.3 or more even if mod_perl is not compiled, with
ModPerl::Registry or not… Only the handler (site protector) need
mod_perl. The different handlers can run on different servers with
different versions of Apache/mod_perl.
Perl prereq
Perl modules: Apache::Session, Net::LDAP,
MIME::Base64, CGI, LWP::UserAgent, Cache::Cache, DBI, XML::Simple
With Debian:
apt-get install libapache-session-perl libnet-ldap-perl libcache-cache-perl
libdbi-perl perl-modules libwww-perl libcache-cache-perl
libxml-simple-perl
Portal:
Apache::Session, Net::LDAP, MIME::Base64, CGI,
DBI
With Debian:
apt-get install libapache-session-perl libnet-ldap-perl libdbi-perl
perl-modules
Handler:
Apache::Session, LWP::UserAgent, Cache::Cache,
DBI
With Debian:
apt-get install libapache-session-perl libdbi-perl libwww-perl
libcache-cache-perl
Manager:
CGI, XML::Simple, DBI
With Debian:
apt-get install perl-modules libxml-simple-perl
SOFTWARE
INSTALLATION
If you just want to install a handler or a portal
or a manager:
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*/Lemonldap-NG-(Portal|Handler|Manager)
$ perl Makefile.PL && make && make test
$ sudo make install
else for a complete install:
$ tar xzf lemonldap-ng-*.tar.gz
$ cd lemonldap-ng-*
$ make && make test
$ sudo make install
See prereq in
LEMONLDAP
INSTALLATION
Database
configuration
If you use DBI or another system to share
Lemonldap::NG configuration, you have to initialize the database.
For example, create the database "lemonldapng" :
# mysqladmin create lemonldapng
Lemonldap::NG Configuration
database
To store configuration, use this table :
CREATE TABLE lmConfig (
cfgNum int not null primary key,
locationRules text,
exportedHeaders text,
globalStorage text,
globalStorageOptions text,
macros text,
groups text,
portal text,
domain text,
ldapServer text,
ldapPort int,
ldapBase text,
securedCookie int,
cookieName text,
authentication text,
exportedVars text,
managerDn text,
managerPassword text,
whatToTrace text
);
Apache::Session database
The choice of Apache::Session::* module is free.
See Apache::Session::Store::* or Apache::Session::* to know how to
configure the module. For example, if you want to use
Apache::Session::MySQL, you can create the database like this:
CREATE TABLE sessions (
id char(32),
a_session text
);
Manager
configuration
Copy example/manager.cgi and personalize it if
you want (see Lemonldap::NG::Manager). You have to set in particular
configStorage. For example with MySQL:
$my $manager = Lemonldap::NG::Manager->new ( {
dbiChain => "DBI:mysql:database=mybase;host=1.2.3.4",
dbiUser => "lemonldap-ng",
dbiPasword => "mypass",
} );
Securise Manager access with Apache: Lemonldap
does not securise the manager itself yet:
SSLEngine On
Order Deny, Allow
Deny from all
Allow from admin/network
AuthType Basic
...
Configuration
edition
Connect to the manager with your browser start
configure your Web-SSO. You have to set at least some parameters:
General
parameters
- Authentication parameters -> portal URL to access to the
authentication portal.
- Domain: the cookie domain. All protected VirtualHosts have to be
under it.
- LDAP parameters -> LDAP Server.
- LDAP parameters -> LDAP Accout and password: required only if
anonymous binds are not accepted.
- Session Storage -> Apache::Session module: how to store user
sessions. You can use all module that inherit from Apache::Session like
Apache::Session::MySQL.
- Session Storage -> Apache::Session Module parameters: see
Apache::Session::<Choosen module>.
User groups
Use the "New Group" button to add your first
group. On the left, set the keyword which will be used later and set on
the right the corresponding rule. You can use :
- an LDAP filter (it will be tested with the user uid)
or
- a Perl condition enclosed with {}. All variables declared in
"General parameters -> LDAP attributes" can be used with a "$". For
example: MyGroup / { $uid eq "foo" or $uid eq "bar" }
Virtual
hosts
You have to create a virtual host for each Apache
host (virtual or real) protected by Lemonldap::NG even if just a
sub-directory is protected. Else, user who want to access to the protected
area will be rejected with a "500 Internal Server Error" message and the
apache logs will explain the problem.
Each virtual host has 2 groups of parameters:
- Headers: the headers added to the apache request. Default: Auth-User
=> $uid.
- Rules: subdivised in 2 categories:
- default: the default rule
- personalized rules: association of a Perl regular expression and
a condition. For example: ^/restricted.*$ / $groups =~
/bMyGroupb/