Lemonldap::NG manages applications by their hostname (Apache's virtual hosts). Rules are used to protect applications; headers are HTTP headers added to the request to pass data to the application (for logs, profiles, …).
Attention
Note that variables designated by $xx correspond to the names of the exported variables or macros, except for $ENV{<cgi-header>}, which corresponds to a CGI header ($ENV{REMOTE_ADDR} for example).
The %ENV table provides the CGI environment variables, including the request's HTTP headers (User-Agent becomes HTTP_USER_AGENT) and the variables set with fastcgi_param commands (with Nginx). See also extended functions.
A rule associates a regular expression with a Perl boolean expression or a keyword.
Examples:
Goal | Regular expression | Rule |
---|---|---|
Restrict /admin/ directory to user bart.simpson | ^/admin/ | $uid eq "bart.simpson" |
Restrict /js/ and /css/ directories to authenticated users | ^/(css|js)/ | accept |
Deny access to /config/ directory | ^/config/ | deny |
Do not restrict /public/ | ^/public/ | skip |
Do not restrict /skip/ and restrict others to authenticated users | ^/skip/ | $ENV{REQUEST_URI} =~ /skip/ ? skip : 1 |
Make authentication optional, but authenticated users are seen as such (that is, user data are sent to the app through HTTP headers) | ^/forum/ | unprotect |
Restrict access to the whole site to users that have the LDAP description field set to "LDAP administrator" (must be set in exported variables) | default | $description eq "LDAP administrator" |
The "default" access rule is used if no other access rule matches the current URL.
Tip
See the rules examples page for a few common use cases.
Tip
Rules can also be used to intercept logout URLs:
Goal | Regular expression | Rule |
---|---|---|
Log the user out of Lemonldap::NG and redirect them to http://intranet/ | ^/index.php?logout | logout_sso http://intranet/ |
Log the user out of the current application and redirect them to the menu (Apache only) | ^/index.php?logout | logout_app https://auth.example.com/ |
Log the user out of the current application and of Lemonldap::NG and redirect them to http://intranet/ (Apache only) | ^/index.php?logout | logout_app_sso http://intranet/ |
Danger
logout_app and logout_app_sso rules are not available on Nginx, only on Apache.
By default, the user is redirected to the portal if no URL is defined, or to the specified URL if one is given.
Attention
Only the current application is concerned by logout_app* targets. Be careful with applications that do not verify Lemonldap::NG headers after having created their own cookies. If so, you can redirect users to an HTML page that explains that it is safe to close the browser after disconnecting.
LLNG sets an "authentication level" during the authentication process. This level depends on the authentication backend used by the user. Default values are:
There are three ways to impose a higher authentication level on users:
$authenticationLevel > 3
Tip
Instead of returning a 403 code, "minimum level" sends the user to a form that explains that a higher level is required and proposes to reauthenticate.
Headers are associations between a header name and a Perl expression that returns a string. Headers are used to give user data to the application.
Examples:
Goal | Header name | Header value |
---|---|---|
Give the uid (for accounting) | Auth-User | $uid |
Give a static value | Some-Thing | "static-value" |
Give display name | Display-Name | $givenName." ".$surName |
Give non-ASCII data | Display-Name | |
As described in the performance chapter, you can use macros, local macros, …
Attention
If a header name contains underscores, note that Nginx ignores such request headers by default; enable them with the underscores_in_headers on; directive.
Tip
By default, the SSO cookie is hidden, so protected applications cannot retrieve the SSO session key. You can forward this key if absolutely needed:
Session-ID => $_session_id
In addition to macros and variable names, you can use some functions in rules and headers:
Since 2.0, a wildcard can be used in the virtualhost name (not in aliases!): *.example.com matches all hostnames that belong to the example.com domain. Version 2.0.9 improves this and allows finer wildcards such as test-*.example.com or test-%.example.com. The % wildcard doesn't match subdomains.
Even if a wildcard exists, if a virtualhost is explicitly declared, this rule is applied. Example with precedence order for test.sub.example.com:
(%.example.com does not match test.sub.example.com)
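The following is an added example, not Lemonldap::NG code: a small Python model of how the access rules in the tables above are matched against a request (first matching regex wins, then the default rule, with a false Perl expression meaning 403), and of the * and % virtualhost wildcards. Perl expressions are modelled as Python callables, rule order is assumed to be the list order, and the /secure/ rule is an added illustration of an $authenticationLevel rule.

```python
import re

# Added example (not Lemonldap::NG code): a model of how the access rules and
# wildcard virtual hosts described above are matched. A Perl boolean expression
# is modelled as a Python callable taking (session, env) and returning a bool.
ACCEPT, DENY, SKIP, UNPROTECT = "accept", "deny", "skip", "unprotect"

def evaluate_rules(rules, default, session, env):
    """First rule whose regex matches env['REQUEST_URI'] wins, else `default`.
    Assumption: rules are tried in list order, so a broad regex placed early
    shadows later, more specific ones. A false expression means HTTP 403."""
    for pattern, rule in rules:
        if re.search(pattern, env["REQUEST_URI"]):
            return _apply(rule, session, env)
    return _apply(default, session, env)

def _apply(rule, session, env):
    if isinstance(rule, str):      # keyword: accept / deny / skip / unprotect
        return rule
    return ACCEPT if rule(session, env) else DENY   # the "Perl expression"

# Rules taken from the tables above; the /secure/ entry is an added
# illustration of a $authenticationLevel rule (its path is an assumption).
RULES = [
    (r"^/admin/", lambda s, e: s.get("uid") == "bart.simpson"),
    (r"^/(css|js)/", ACCEPT),
    (r"^/config/", DENY),
    (r"^/public/", SKIP),
    (r"^/forum/", UNPROTECT),
    (r"^/secure/", lambda s, e: s.get("authenticationLevel", 0) > 3),
]
DEFAULT = lambda s, e: s.get("description") == "LDAP administrator"

def decide(uri, session):
    """Decision for a request URI with constructed session data (%ENV model)."""
    return evaluate_rules(RULES, DEFAULT, session, {"REQUEST_URI": uri})

def vhost_matches(pattern, host):
    """Wildcard virtual host names as described above: '*' also spans
    subdomains, '%' matches within a single label only."""
    regex = "".join(".+" if c == "*" else "[^.]+" if c == "%" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host) is not None

def select_vhost(configured, host):
    """An explicitly declared virtual host takes precedence over wildcards.
    Assumption: among several matching wildcards, the first configured wins."""
    if host in configured:
        return host
    return next((p for p in configured if vhost_matches(p, host)), None)
```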