LemonLDAP-NG/fr

From SME Server
Jump to navigationJump to search



Mainteneur

Daniel B.
Firewall Services
mailto:daniel@firewall-services.com


Description

LemonLDAP::NG offre une protection AAA (Authentification Autorisation Historique - « Accounting ») complète :

  • Authentification : les informations d'identification sont nécessaires pour ouvrir la session SSO (cf. ci-dessous) ;
  • Autorisation : les règles d'accès sont vérifiées pour chaque requête HTTP ;
  • Historique : chaque connexion est enregistrée.

Le principal avantage de l'utilisation de LemonLDAP::NG est que les utilisateurs n'ont besoin de se connecter qu'une seule fois sur le portail LemonLDP::NG. Ensuite, toutes les applications configurées pour être protégées par LemonLDAP::NG reconnaîtront l'utilisateur. Cela s'appelle SSO (Single Sign On). LemonLDAP::NG est très flexible, vous pouvez utiliser différents arrière-plans pour la base de données des informations utilisateur, la vérification des mots de passe, etc.

Cette contribution utilise le serveur LDAP interne pour tout. Par défaut, tout sera pré-configuré, donc tous les utilisateurs pourront avoir un accès, avec leur mot de passe normal. L'appartenance à un groupe est également utilisable pour écrire des règles d'accès.

Cette page décrit uniquement le processus d'installation sur un serveur SME KOOZALI. Pour un guide complet sur la façon d'utiliser et de configurer LemonLDAP::NG, veuillez vous référer à la documentation officielle (en anglais).

Spécifications requises

LemonLDAP-NG a été développé et testé uniquement sur les versions 8 et 9 de KOOZALI SMEServeur, et ne sera pas adapté pour fonctionner sur SME 7.

Vous avez également besoin des dernières mises à jour du dépôt « smeupdates-testing ».

yum --enablerepo=smeupdates-testing update
signal-event post-upgrade
signal-event reboot

Installation 8.x and 9.x

Configure Firewall-Services's repository:

db yum_repositories set fws repository \
BaseURL http://repo.firewall-services.com/centos/\$releasever \
EnableGroups no GPGCheck yes \
Name "Firewall Services" \
GPGKey http://repo.firewall-services.com/RPM-GPG-KEY \
Visible yes status disabled
signal-event yum-modify

Configure the Epel and Dag repositories (choose the correct repository according to Your Sme version - 8 or 9).

  • install the rpms
yum --enablerepo=fws --enablerepo=epel --enablerepo=dag install smeserver-lemonldap-ng
  • Now, appply the needed configuration:
signal-event webapps-update
db configuration set UnsavedChanges no

Configuration

This contrib will automatically create two new domains:

  • sso-manager.domain.tld: this domain is used to access LemonLDAP management interface (configuration and session explorer)
  • auth.domain.tld: this domain is the authentication portal

Those domains will work out-of-the-box from the internal network if you use your SME Server as DNS, else, you'll need to add those two hostnames in your DNS Server. You also need to add those hostnames in your external DNS server if you want the portal to work from the outside.

Most of the configuration of LemonLDAP::NG is available from https://sso-manager.domain.tld/. You'll need to login using the admin credentials of your server to access this page.

Additional options

Some settings are available from the DB

  • ManagerAuth: If you want the manager interface (https://sso-manager.domain.tld) to be self protected (LemonLDAP protects it's own management interface), you can set the prop to self. You first need to be sure authentication on the portal is working.
  • Reload: A list of additionnal handler to call on configuration reloads. This setting is only usefull if you connect other handler on different phisical machines (using the Soap backend for example to access the configuration and session database). This needs to be a comma-separated list in the form:
db configuration setprop lemonldap Reload server1=https://server1.domain.tld/reload,server2=https://reload.domain.tld
  • SoapAllowFrom: A comma-separated list a IP addresses and/or networks which will be granted access to the SOAP ressources (/sessions, /config etc...). This is only needed if you configure remote handler to use the Soap backend to access sessions and configuration databases.
  • SoapPassword: All soap ressources are protected by IP restriction (see SoapAllowFrom), and username/password (basic auth). The username is lemonsaop, and the password is the value of this prop (the default password is randomly generated)


example:

db configuration setprop lemonldap Reload lamp.firewall-services.com=https://lamp.firewall-services.com/lm-reload SoapAllowFrom 10.11.12.13
signal-event webapps-update

Domain Name change

When you first install this contrib, the main domain name is used in the default LemonLDAP configuration. If you later change the main domain name, you'll need to adapt LemonLDAP configuration manually (using https://sso-manager.domain.tld/)

How-to protect applications

Here's quick guide on how to protect an web application with LemonLDAP::NG on SME Server:

  • First, you can install your application (for example in /opt/myapp)
  • Now, you need to create a custom template to make this application available from the web. LemonLDAP::NG uses VirtualHosts to protect different applications, so it's recommended to not create alias on the primary domain in your custom-template. A dedicated virtualhost will be created later to access the application. Here's a example of custom-template:
# MyApp configuration
<Directory /opt/myapp>
    AllowOverride None
    SSLRequireSSL on
    AddType application/x-httpd-php .php
    php_admin_value open_basedir /opt/myapp:/tmp
    order deny,allow
    deny from all
    allow from {"$localAccess $externalSSLAccess";}
    Satisfy all
</Directory>

Ok, now the application is ready to be served, but is not accessible yet (because there's no alias to make this application accessible).

  • Create a domain for this application
db domains set myapp.domain.tld domain Content Primary \
Description 'My App' DocumentRoot /opt/myapp Authentication LemonLDAP \
Nameservers internet TemplatePath WebAppVirtualHost
signal-event domain-create myapp.domain.tld


Important.png Note:
Instead of LemonLDAP you can also use LemonLDAPBasic as Authentication type. LemonLDAPBasic will still use LemonLDAP::NG to handle authentication and authorization, but will use a basic HTTP auth scheme, it's usefull in some situation, like being able to connect native mobile application for example (but of course, you won't have the benefit of the SSO with a basic auth)


It's important to set TemplatePath to WebAppVirtualHost. Those templates are provided by smeserver-webapps-common package (automatically installed, as it's need by LemonLDAP). Those templates make it easy to protect any virtualhost by LemonLDAP::NG

  • Ok, now your application is available from this addresse https://myapp.domain.tld/ but you'll get a access denied if you try to access it now. The last step is to declare myapp.domain.tld in LemonLDAP::NG. This is done using the configuration manager (https://sso-manager.domain.tld). You can then set the access rules you want. You can read the project documentation for this part, especially this page [1]

Troubleshoot

LemonLDAP logs are sent in apache error logs (/var/log/httpd/error_log)

Backup and Restore

You should backup the directory /var/lib/lemonldap/conf and /var/lib/lemonldap-ng/notifications/ which is where configuration and notifications are stored

Uninstall

If you want to remove the contrib, just run:

yum remove lemonldap-ng

Source

The source for this contrib can be found in Firewall-Services's repository.