
LemonLDAP


guest22:
@Daniel, Hi,

would it be possible to explain a bit more about how to secure a webapp with http://wiki.contribs.org/LemonLDAP-NG ?
I've looked at the sections of Tiny RSS, OpenUpload and example in the how-to, but they all are different.

Let's say I have installed LemonLDAP and installed dokuwiki in /opt/dokuwiki. Would you share how to do this please?

TIA

guest

Daniel B.:
Yep, each app needs to be configured specially so it can work with LemonLDAP. LemonLDAP will just ensure the user is authenticated and allowed to access the resource; then, the app needs to be configured so it trusts your web server to know who is connected.

For dokuwiki, you can use the packaged version in our repo (if you have LemonLDAP up and running, you already have the fws repo configured):


--- Code: ---yum --enablerepo=fws install smeserver-dokuwiki
db configuration setprop dokuwiki AliasOnPrimary disabled Authentication LemonLDAP
db domains set wiki.$(db configuration get DomainName) domain Content Primary Description "DokuWiki" \
DocumentRoot /usr/share/dokuwiki/ TemplatePath WebAppVirtualHost Authentication LemonLDAP
signal-event webapps-update

--- End code ---

Then, you need to create the vhost wiki.domain.tld (adapt it to your own domain name) and create the access rules you want in LemonLDAP::NG manager (sso-manager.domain.tld)

The packaged dokuwiki contains a plugin I've written so dokuwiki can rely on LemonLDAP::NG for the authentication, and on LDAP to get user information (name, mail address, group membership).

guest22:
Hi Daniel,

thanks for getting back so quickly!

The problem I face is that your methods are all integrated with your packages, and pretty much all of them come pre-configured to be used with other FWS packages :-)

What if I install Dokuwiki from scratch on my own in /opt/dokuwiki? Or Zarafa, or any other non-FWS pre-packaged webapp?

Merci, je vous en prie ;-)

TIA
guest


Daniel B.:

--- Quote from: guest22 on December 06, 2012, 07:07:53 PM ---
The problem I face is that your methods are all integrated with your packages, and pretty much all of them come pre-configured to be used with other FWS packages :-)

--- End quote ---

Yep, I've tightly integrated a lot of webapps to work with LemonLDAP, and it may be difficult to install if you just want one app (that's why I haven't written any public doc about all the web apps I've packaged like jappix, dokuwiki etc...)


--- Quote from: guest22 on December 06, 2012, 07:07:53 PM ---What if I install Dokuwiki from scratch on my own in /opt/dokuwiki? Or Zarafa, or any other non-FWS pre-packaged webapp?

--- End quote ---

You can of course, but it will be harder. If you already have dokuwiki installed, you need to:

- get the plugin for dokuwiki to integrate it with LemonLDAP. You can download it from here: https://wikit.firewall-services.com/doku.php?id=tuto:webapps:llng:dokuwiki#version_ldap
- copy this file in /opt/dokuwiki/inc/auth/httpldap.class.php
- configure dokuwiki to use httpldap as auth source, and configure access to the LDAP server; something like this should do the trick (in /opt/dokuwiki/conf/local.php)


--- Code: ---<?php
// /opt/dokuwiki/conf/local.php
// Authenticate via the httpldap plugin: the web server (LemonLDAP::NG handler)
// identifies the user; LDAP supplies name, mail and group membership.
$conf['authtype'] = 'httpldap';
$conf['auth']['ldap']['server'] = "ldap://localhost:389";
$conf['auth']['ldap']['version'] = '3';
$conf['auth']['ldap']['usertree'] = 'ou=Users,dc=domain,dc=tld';
$conf['auth']['ldap']['grouptree'] = 'ou=Groups,dc=domain,dc=tld';
// %{user} is replaced by the login name passed on by the web server
$conf['auth']['ldap']['userfilter'] = '(&(uid=%{user})(objectClass=inetOrgPerson))';
$conf['auth']['ldap']['groupfilter'] = '(&(objectClass=mailboxRelatedObject)(memberUid=%{user}))';

--- End code ---

- Create a virtualhost to point to your wiki:

--- Code: ---db domains set wiki.$(db configuration get DomainName) domain Content Primary Description "DokuWiki" \
    DocumentRoot /usr/share/dokuwiki/ TemplatePath WebAppVirtualHost Authentication LemonLDAP
signal-event domain-create wiki.$(db configuration get DomainName)

--- End code ---

- go to your LemonLDAP::NG manager (https://sso-manager.domain.tld) and create the same virtualhost, with the correct access rules (for example, you can use $groups =~ /\bshared\b/ if you want all your users to access it)

All these steps are already pre-configured in our packaged version of dokuwiki.

Regards, Daniel
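An added worked example, not Daniel's code and not part of LemonLDAP::NG or the dokuwiki plugin: a small Python model of how the `$groups =~ /\bshared\b/` access rule quoted above is matched against a session's group list. It assumes, as LemonLDAP::NG does, that `$groups` is a single string with group names separated by "; ", and the sessions below are constructed sample data. The point it shows is that `\b` is a regex word boundary, not an "exact group name" test: a group called `shared-ro` also satisfies `\bshared\b`, so a rule that should match one specific group is safer written as an exact check on the list entries.

```python
import re

# Constructed sample sessions (not from the thread). $groups is assumed to be
# the "; "-separated group string that LemonLDAP::NG hands to access rules.
SESSIONS = {
    "alice": {"uid": "alice", "groups": "shared; office"},
    "bob":   {"uid": "bob",   "groups": "sales"},
    "carol": {"uid": "carol", "groups": "shared-ro"},   # hyphenated group name
}


def rule_word_boundary(groups: str, name: str) -> bool:
    """Python equivalent of the Perl rule  $groups =~ /\\bNAME\\b/  from the thread.

    \\b matches between a word character and a non-word character, so it also
    matches at the '-' in "shared-ro".
    """
    return re.search(r"\b" + re.escape(name) + r"\b", groups) is not None


def rule_exact_group(groups: str, name: str) -> bool:
    """Stricter check: NAME must be a whole entry of the '; '-separated list."""
    return name in [g.strip() for g in groups.split(";")]


def granted(rule, name: str) -> list:
    """Return the uids whose session would pass the given rule for group NAME."""
    return sorted(uid for uid, s in SESSIONS.items() if rule(s["groups"], name))


if __name__ == "__main__":
    for label, rule in (("\\bshared\\b", rule_word_boundary),
                        ("exact 'shared'", rule_exact_group)):
        print(f"{label:16} -> {granted(rule, 'shared')}")
```

Running it prints `['alice', 'carol']` for the word-boundary rule and `['alice']` for the exact check; whichever form you settle on, test it in the manager against a user who is *not* supposed to have access, since that is the case a too-loose regex gets wrong.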

guest22:
Thanks for that Daniel, it got me almost where I wanted to be. But I do struggle with the virtual hosts rules in LemonLDAP config manager.

You say to use the rule '$groups =~ /\bshared\b/' to allow all SME users access, but I am not at all experienced in regular expressions. So I wanted to ask you if you can give some exact example below to be used in the rule dialog box, e.g.:

Allow access to all SME users
Expression:
Rule:

Allow only access to SME group 'office'
Expression:
Rule:

Allow only access to SME groups 'office' and 'sales'
Expression:
Rule:

Disallow access to only SME group 'office'
Expression:
Rule:

Allow access to only SME user 'jdoe'
Expression:
Rule:

That would help a lot, and should be enough to figure out how to create other rules.

TIA/Merci




 
