From SME Server
Revision of 11:07, 31 January 2011 (page created)
{{Languages}}


===Maintainer===
[[User:VIP-ire|Daniel B.]]<br/>
[http://www.firewall-services.com Firewall Services]<br>
mailto:daniel@firewall-services.com


=== Description ===

[http://lemonldap-ng.org LemonLDAP::NG] offers full AAA (Authentication, Authorization, Accounting) protection:

* '''Authentication''': credentials are needed to open an SSO session
* '''Authorization''': access rules are checked for every HTTP request
* '''Accounting''': each access is logged

The main benefit of using LemonLDAP::NG is that users only need to log in once, on the LemonLDAP::NG portal. All applications configured to be protected by LemonLDAP::NG will then recognize the user. This is called SSO (Single Sign On). LemonLDAP::NG is very flexible: you can use different backends for the user information database, password verification, etc.
This contrib uses the internal LDAP server for everything. By default, everything is pre-configured, so all users are available with their standard password. Group membership is also available for writing access rules.

This page only describes the installation process on a SME Server. For a complete guide on how to use and configure LemonLDAP::NG, please refer to the official [http://lemonldap-ng.org/documentation documentation].

=== Requirement ===

LemonLDAP-NG has been developed and tested only on SMEServer 8b6. It will probably not work with earlier releases, and will not be adapted to work on SME7.

=== Installation ===

Configure the Firewall Services repository:

 db yum_repositories set fws repository \
 BaseURL http://repo.firewall-services.com/centos/\$releasever \
 EnableGroups no GPGCheck yes \
 Name "Firewall Services" \
 GPGKey http://repo.firewall-services.com/RPM-GPG-KEY \
 Visible yes status disabled
 signal-event yum-modify

Configure the EPEL repository:

 db yum_repositories set epel repository \
 Name 'Extra Packages for Enterprise Linux 5' \
 MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=i386' \
 status disabled GPGCheck yes \
 GPGKey http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
 signal-event yum-modify

* Install the RPMs (both repositories stay disabled by default and are only enabled for this command):

 yum --enablerepo=fws --enablerepo=epel install smeserver-lemonldap-ng

* Now, apply the needed configuration:

 signal-event webapps-update
 db configuration set UnsavedChanges no


=== Configuration ===

This contrib will automatically create two new domains:

* sso-manager.domain.tld: this domain is used to access the LemonLDAP::NG management interface (configuration and session explorer)
* auth.domain.tld: this domain is the authentication portal

Those domains will work out of the box from the internal network if you use your SME Server as DNS; otherwise, you'll need to add those two hostnames to your DNS server. You also need to add those hostnames on your external DNS server if you want the portal to work from the outside.

Most of the configuration of LemonLDAP::NG is available from https://sso-manager.domain.tld/. You'll need to log in using the admin credentials of your server to access this page.

=== Additional options ===

Some settings are available from the configuration DB:
* '''ManagerAuth''': If you want the manager interface (https://sso-manager.domain.tld) to be self-protected (LemonLDAP protects its own management interface), you can set the prop to '''self'''. You first need to be sure that authentication on the portal is working.
* '''Reload''': A list of additional handlers to call on configuration reloads. This setting is only useful if you connect other handlers on different physical machines (using the SOAP backend, for example, to access the configuration and session databases). This needs to be a comma-separated list in the form:
 db configuration setprop lemonldap Reload server1=https://server1.domain.tld/reload,server2=https://reload.domain.tld
* '''SoapAllowFrom''': A comma-separated list of IP addresses and/or networks which will be granted access to the SOAP resources (/sessions, /config, etc.). This is only needed if you configure remote handlers to use the SOAP backend to access the session and configuration databases.
* '''SoapPassword''': All SOAP resources are protected by IP restriction (see SoapAllowFrom) and by username/password (basic auth). The username is lemonsaop, and the password is the value of this prop (the default password is randomly generated).


Example:
 db configuration setprop lemonldap Reload lamp.firewall-services.com=https://lamp.firewall-services.com/lm-reload SoapAllowFrom 10.11.12.13
 signal-event webapps-update
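As an added example (not part of the contrib or of this page), a small shell check to run over the Reload and SoapAllowFrom values before applying them with the commands above: the SOAP resources hand out the session and configuration databases, so an allow-list that is effectively "everyone" or a reload URL that is not https is worth catching first. The function names and the /8 floor are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the smeserver-lemonldap-ng contrib: validate the
# lemonldap Reload and SoapAllowFrom props before "db configuration setprop".

# Reload: comma-separated "name=https://host/path" entries. Every entry needs a
# name and an https:// URL. Returns 0 when the whole list is valid.
validate_reload_list() {
    [ -n "$1" ] || return 1
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$entry" in *=*) ;; *) return 1 ;; esac
        name=${entry%%=*}
        url=${entry#*=}
        [ -n "$name" ] || return 1
        case "$url" in https://?*) ;; *) return 1 ;; esac
    done
    return 0
}

# SoapAllowFrom: comma-separated IPv4 addresses or networks (a.b.c.d or
# a.b.c.d/n). The /8 floor is this example's own policy: anything broader
# (such as 0.0.0.0/0) is refused, since it would open /sessions and /config
# to every source address.
validate_soap_allow_from() {
    [ -n "$1" ] || return 1
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        ip=${entry%%/*}
        prefix=32
        case "$entry" in */*) prefix=${entry#*/} ;; esac
        printf '%s' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
        for octet in $(printf '%s' "$ip" | tr '.' ' '); do
            [ "$octet" -le 255 ] || return 1
        done
        printf '%s' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
        [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
    done
    return 0
}

# Print the db command for both props, or print nothing and fail on a bad value.
lemonldap_setprop_cmd() {
    validate_reload_list "$1" && validate_soap_allow_from "$2" || return 1
    printf 'db configuration setprop lemonldap Reload %s SoapAllowFrom %s\n' "$1" "$2"
}

# Constructed sample values; the second call is refused because of 0.0.0.0/0.
lemonldap_setprop_cmd 'lamp.firewall-services.com=https://lamp.firewall-services.com/lm-reload' '10.11.12.13'
lemonldap_setprop_cmd 'lamp.firewall-services.com=https://lamp.firewall-services.com/lm-reload' '0.0.0.0/0' || echo 'refused: SoapAllowFrom too broad' >&2
```

Run it, then paste the printed command and follow it with signal-event webapps-update as described above.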

=== Domain Name change ===
When you first install this contrib, the main domain name is used in the default LemonLDAP configuration. If you later change the main domain name, you'll need to adapt the LemonLDAP configuration manually (using https://sso-manager.domain.tld/).

=== Troubleshoot ===
LemonLDAP logs are sent to the Apache error log (/var/log/httpd/error_log).

=== Backup and Restore ===
You should back up the directory /var/lib/lemonldap, which is where the configuration and sessions are stored.

=== Uninstall ===
If you want to remove the contrib, just run:
 yum remove lemonldap-ng

=== Source ===
The source for this contrib can be found in the Firewall Services [http://repo.firewall-services.com/centos/5/SRPMS/ repository].

----
[[Category:Contrib]]
