Koozali.org: home of the SME Server

LemondLDAP

guest22

LemondLDAP
« on: December 06, 2012, 06:24:13 PM »
@Daniel, Hi,

would it be possible to explain a bit more about how to secure a webapp with http://wiki.contribs.org/LemonLDAP-NG ?
I've looked at the sections of Tiny RSS, OpenUpload and example in the how-to, but they all are different.

Let's say I have installed LemonLDAP and installed dokuwiki in /opt/dokuwiki. Would you share how to do this please?

TIA

guest

Daniel B.
Firewall Services, network security
Re: LemondLDAP
« Reply #1 on: December 06, 2012, 06:57:34 PM »
Yep, each app needs to be configured specially so it can work with LemonLDAP. LemonLDAP will just ensure the user is authenticated and allowed to access the resource; then the app needs to be configured so it trusts your web server to know who is connected.

For dokuwiki, you can use the packaged version in our repo (if you have LemonLDAP up and running, you already have the fws repo configured):

Code: [Select]
yum --enablerepo=fws install smeserver-dokuwiki
db configuration setprop dokuwiki AliasOnPrimary disabled Authentication LemonLDAP
db domains set wiki.$(db configuration get DomainName) domain Content Primary Description "DokuWiki" \
DocumentRoot /usr/share/dokuwiki/ TemplatePath WebAppVirtualHost Authentication LemonLDAP
signal-event webapps-update

Then, you need to create the vhost wiki.domain.tld (adapt it to your own domain name) and create the access rules you want in LemonLDAP::NG manager (sso-manager.domain.tld)

The packaged dokuwiki contains a plugin I've written so dokuwiki can rely on LemonLDAP::NG for the authentication, and on LDAP to get user information (name, mail address, group membership).
« Last Edit: December 06, 2012, 06:59:29 PM by VIP-ire »
It's the end of the world!!! :lol:

guest22

Re: LemondLDAP
« Reply #2 on: December 06, 2012, 07:07:53 PM »
Hi Daniel,

thanks for getting back so quickly!

The problem I face is that your methods are all integrated with your packages and pretty much all of them come pre-configured to be used with other FWS packages :-)

How about if I install Dokuwiki from scratch on my own in /opt/dokuwiki? Or Zarafa or any other non-FWS pre-packaged webapp?

Thanks, please ;-)

TIA
guest

Daniel B.
Re: LemondLDAP
« Reply #3 on: December 06, 2012, 07:27:06 PM »

The problem I face is that your methods are all integrated with your packages and pretty much all of them come pre-configured to be used with other FWS packages :-)

Yep, I've tightly integrated a lot of webapps to work with LemonLDAP, and it may be difficult to install if you just want one app (that's why I haven't written any public doc about all the web apps I've packaged like jappix, dokuwiki etc...)

How about if I install Dokuwiki from scratch on my own in /opt/dokuwiki? Or Zarafa or any other non-FWS pre-packaged webapp?

You can of course, but it will be harder. If you already have dokuwiki installed, you need to:

- get the plugin for dokuwiki to integrate it with LemonLDAP. You can download it from here: https://wikit.firewall-services.com/doku.php?id=tuto:webapps:llng:dokuwiki#version_ldap
- copy this file to /opt/dokuwiki/inc/auth/httpldap.class.php
- configure dokuwiki to use httpldap as auth source, and configure access to the LDAP server; something like this should do the trick (in /opt/dokuwiki/conf/local.php)

Code: [Select]
$conf['authtype'] = 'httpldap';
$conf['auth']['ldap']['server'] = "ldap://localhost:389";
$conf['auth']['ldap']['version'] = '3';
$conf['auth']['ldap']['usertree'] = 'ou=Users,dc=domain,dc=tld';
$conf['auth']['ldap']['grouptree'] = 'ou=Groups,dc=domain,dc=tld';
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=mailboxRelatedObject)(memberUid=%{user}))';

- Create a virtualhost to point to your wiki:
Code: [Select]
db domains set wiki.$(db configuration get DomainName) domain Content Primary Description "DokuWiki" \
    DocumentRoot /usr/share/dokuwiki/ TemplatePath WebAppVirtualHost Authentication LemonLDAP
signal-event domain-create wiki.$(db configuration get DomainName)

- go to your LemonLDAP::NG manager (https://sso-manager.domain.tld) and create the same virtualhost, with the correct access rules (for example, you can use $groups =~ /\bshared\b/ if you want all your users to access it)

All these steps are already pre-configured in our packaged version of dokuwiki.

Regards, Daniel
« Last Edit: December 07, 2012, 08:38:48 AM by VIP-ire »

guest22

Re: LemondLDAP
« Reply #4 on: December 07, 2012, 11:17:24 AM »
Thanks for that Daniel, it got me almost where I wanted to be. But I do struggle with the virtual hosts rules in LemonLDAP config manager.

You say to use the rule '$groups =~ /\bshared\b/' to allow all SME users access, but I am not at all experienced in regular expressions. So I wanted to ask you if you can give some exact example below to be used in the rule dialog box, e.g.:

Allow access to all SME users
Expression:
Rule:

Allow only access to SME group 'office'
Expression:
Rule:

Allow only access to SME groups 'office' and 'sales'
Expression:
Rule:

Disallow access to only SME group 'office'
Expression:
Rule:

Allow access to only SME user 'jdoe'
Expression:
Rule:

That would help a lot, and should be enough to figure how to create other rules

TIA/Merci

Daniel B.
Re: LemondLDAP
« Reply #5 on: December 07, 2012, 11:26:08 AM »
You can get more information on LL::NG access rules here: http://lemonldap-ng.org/documentation/latest/writingrulesand_headers.

Expression is the URL you want to protect. If you want to protect the whole virtualhost, just use ^/ as expression. Here are some examples:

Allow access to all SME users
Expression: ^/
Rule: $groups =~ /\bshared\b/

Allow only access to SME group 'office'
Expression: ^/
Rule: $groups =~ /\boffice\b/

Allow only access to SME groups 'office' and 'sales'
Expression: ^/
Rule: $groups =~ /\boffice|sales\b/

Disallow access to only SME group 'office'
Expression: ^/
Rule: $groups !~ /\boffice\b/

Allow access to only SME user 'jdoe'
Expression: ^/
Rule: $uid eq 'jdoe'

You can use more variables. Anything available in LDAP can be exported as an LL::NG variable, and you can then use it in rule expressions. There are also some variables already configured like $ipAddr, $authenticationLevel etc.


Regards, Daniel
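As an added example (not Daniel's code and not anything shipped with LemonLDAP::NG), here is a small Perl script that evaluates the rules listed above, as the Perl expressions they are, against a few constructed sessions and prints who each rule admits. It assumes $groups is the "; "-joined list of group names the handler exports for the session and $uid is the login name (both constructed here, not taken from a real server). The grouped /\b(office|sales)\b/ variant is my addition, included to show how the word boundaries behave with and without parentheses.

```perl
#!/usr/bin/perl
# Added example, not from the thread or from LemonLDAP::NG itself.
# Evaluates LL::NG-style access rules (plain Perl expressions) against
# constructed session data so the effect of each rule can be checked
# before it is typed into the manager.
#
# Assumptions: $groups holds the "; "-separated group list the handler
# exports for the session, and $uid holds the login name.
use strict;
use warnings;

# Constructed sample sessions (not real accounts or groups).
my @sessions = (
    { uid => 'jdoe',   groups => 'shared; office'   },
    { uid => 'asmith', groups => 'shared; sales'    },
    { uid => 'bjones', groups => 'shared; officer'  },  # group "officer", not "office"
    { uid => 'ckim',   groups => 'shared; presales' },  # group "presales", not "sales"
    { uid => 'guest',  groups => ''                 },  # session with no groups
);

# Rules as they would be typed into the manager's Rule field.
# The "(grouped)" entry is an added variant: with parentheses the \b
# anchors apply to both alternatives, not just to the outer ends of the
# alternation.
my @rules = (
    [ 'all SME users'               => '$groups =~ /\bshared\b/'          ],
    [ 'group office only'           => '$groups =~ /\boffice\b/'          ],
    [ 'office or sales (as posted)' => '$groups =~ /\boffice|sales\b/'    ],
    [ 'office or sales (grouped)'   => '$groups =~ /\b(office|sales)\b/'  ],
    [ 'everyone except office'      => '$groups !~ /\boffice\b/'          ],
    [ 'user jdoe only'              => q{$uid eq 'jdoe'}                  ],
);

# Evaluate one rule string for one session; returns 1 (allow) or 0 (deny).
# The string eval sees the lexical $uid and $groups declared here, which
# mirrors how the handler exposes session variables to rule code.
sub evaluate_rule {
    my ($rule, $session) = @_;
    my ($uid, $groups) = ($session->{uid}, $session->{groups});
    my $allowed = eval $rule;
    die "cannot evaluate rule '$rule': $@" if $@;
    return $allowed ? 1 : 0;
}

# Print an allow/deny matrix: one row per rule, one column per user.
printf "%-30s", 'rule';
printf " %-7s", $_->{uid} for @sessions;
print "\n";
for my $r (@rules) {
    my ($name, $rule) = @$r;
    printf "%-30s", $name;
    for my $s (@sessions) {
        printf " %-7s", evaluate_rule($rule, $s) ? 'allow' : 'deny';
    }
    print "\n";
}
```

Run it with perl. Two rows are worth a look from an access-control point of view: the "(as posted)" row admits bjones and ckim as well, because the alternation splits the pattern into \boffice and sales\b, so a group called officer or presales also matches, while the grouped form admits only the exact group names; and the "everyone except office" row admits the session with no groups at all, since a !~ test is true on an empty string, which is why a positive membership test is the safer default for a rule that is meant to restrict access.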

guest22

Re: LemondLDAP
« Reply #6 on: December 07, 2012, 11:28:18 AM »
Perfect! Many thanks!

guest22

Re: LemondLDAP
« Reply #7 on: December 07, 2012, 12:48:36 PM »
Daniel, would you happen to know if you can add new 'fields' to the default SME OpenLDAP server?

Daniel B.
Re: LemondLDAP
« Reply #8 on: December 07, 2012, 01:39:29 PM »
It's possible, I've done that in some event scripts, but it's not that easy:

- if the attribute is already defined in one of the existing schemas, it can be added quite easily (using cpu or Net::LDAP)
- if you want a custom attribute, you need to define your own LDAP schema, load it in slapd and then you'll be able to add them.

guest22

Re: LemondLDAP
« Reply #9 on: December 08, 2012, 09:06:00 AM »
Daniel,

I have some trouble getting things working correctly. For starters I have followed the exact example you gave on the wiki. The example is an index.html in /opt/myapp (changed /opt/kplaylist into /opt/myapp in the custom template). Saved the custom template and expanded httpd.conf.

executed the db domains command as per the wiki.

declared the app in LemonLDAP with rules as per above and myapp shows up in the user menu. When clicking myapp the html document is shown, but when I logoff from LemonLDAP, the html file is still accessible.

On the other hand, I install owncloud in /opt/owncloud and followed the exact same procedure, but I get an access not allowed (err 403) from LemonLDAP.

Sorry to bother you with this, but I'm really confused, and have given it many many tries. Somewhere along the line I seem to miss something. So far, from the triple A of LemonLDAP, I only seem to pass the first A.

Can you assist please?

TIA
guest

Daniel B.
Re: LemondLDAP
« Reply #10 on: December 14, 2012, 07:02:45 PM »
Unfortunately, LemonLDAP::NG is a big piece of software; I cannot explain how to make it work in a few forum posts. You should really read the official doc here: http://lemonldap-ng.org/documentation/latest/start

Regards, Daniel