Differences


docs:configuration:lemonldap [2010/03/08 12:00]
sylvaing
docs:configuration:lemonldap [2010/07/13 16:36] (current)
elegall
Line 1: Line 1:
-====== OBM Lemon LDAP ======+====== LemonLdap::ng and OBM ====== 
 +==== Introduction ==== 
 +[[http://wiki.lemonldap.ow2.org/xwiki/bin/view/NG/Presentation|LemonLDAP::NG]] can handle LDAP authentication and WebSSO. The OBM integration with LemonLdap::ng allows you to automatically create users form their first web connection. This means that you can handle all the user managment on yuor current directory without using the OBM administration interfaces.
-when you use Lemon Ldap you must deactivate password modification in OBM ([[http://www.obm.org/bugzilla/show_bug.cgi?id=889|889]]).+A good thing is that, Lemon LDAP and OBM can permit you to import metadata from you directory. For example you can import mail, quota, passwords and a lot of other things through timple HTTP headers. That permit you to totally control mail managment on your current main LDAP directory.
-In your file /etc/obm/obm_conf.inc add this line:+And the last but not the least: Lemonldap::ng offer a web user interface to change password as user. It applies changes directly on your LDAP direcoty.
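Review bot: the rewritten introduction drops the old version's instruction that password modification must be deactivated in OBM (the bugzilla 889 reference and the `$cgp_show['module']['password'] = '';` line for /etc/obm/obm_conf.inc) without saying what replaces it. With the password mastered in LDAP and pushed into OBM through the OBM_USERPASSWORD header at every login (auto_update_force_user is true further down), a password changed in OBM's own interface is silently overwritten at the next SSO login, so either keep the `$cgp_show` line or state that the portal's password change (USER_CAN_CHANGE_PASSWORD) is now the only supported path. The sentence about importing "passwords" through "simple HTTP headers" also deserves a one-line caveat: the cleartext password is carried on every request between the handler and OBM, so OBM must not be reachable by any path that bypasses the protected virtualhost. Minor: "form their first", "yuor", "timple", "direcoty", "managment" and "offer a web user interface ... as user" are typos or awkward wording in the new text.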
 +==== What you need ====
 +  * OBM 2.3 installation with a dedicated virtualhost.
 +  * An admin account (with write permissions) if you want to enable "users password managment" through LemonLdap::ng. Or simply an account to bind on LDAP directory.
 +  * A network connection to your Directory - port 389.
 +  * A new user in your LDAP Directory. This user is used as "OBM admin0". Optional: another account for the domain admin (often called admin1).
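Review bot: the second requirement, "an admin account (with write permissions)", is more privilege than the password feature needs; the bind account only has to write userPassword on user entries and read the attributes exported as headers, so recommend a dedicated service account with an ACL scoped to that rather than the directory administrator, because its credentials end up in the LemonLDAP::NG configuration that the web manager (and, as configured later on this page, the /config SOAP endpoint) can serve. The third requirement lists "port 389" only; over plain LDAP the bind password and, with password change enabled, every user password crosses the network in clear, so StartTLS or ldaps (636) should be listed as the expected transport.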
 +
 +==== Packages installation ====
 +
 +The stable version used in this how-to is 0.9.4.1 available for:\\
 +  * Debian: [[http://forge.ow2.org/project/download.php?group_id=274&file_id=13689|DEB]]
 +  * RedHat / CentOS: [[http://forge.ow2.org/project/download.php?group_id=274&file_id=13690|RPM]]
 +
 +Now, just follow further instruction to install on debian:
 +
 +<code> # tar zxf lemonldap*.tar.gz
 + # dpkg -i *.deb && aptitude install</code>
 +
 +On CentOS / RedHat:
 +
 +<code> # yum localinstall --nogpgcheck *.rpm </code>
 +Information for RedHat / CentOS: You will need [[http://fedoraproject.org/wiki/EPEL|EPEL]]).
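Review bot: `yum localinstall --nogpgcheck *.rpm` turns off package signature verification for files downloaded over plain http from the forge, so a tampered archive installs without complaint; import the project's signing key and drop `--nogpgcheck`, or at minimum publish a checksum for the tarball next to the two download links and tell the reader to verify it before `tar zxf`. On the Debian side, `dpkg -i *.deb && aptitude install` relies on a bare `aptitude install` to pick up the dependencies dpkg could not satisfy, which is easy to misread as a no-op; `apt-get -f install` or an explicit list of the dependency packages would be clearer.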
 +
 +
 +==== LemonLDAP::NG initial configuration ====
 +
 +All the configurations files are in ///etc/lemonldap-ng// and ///var/lib/lemonldap-ng/conf//.
 +The second one is used to configure the web manager and has to be "write-accessible" by apache / httpd user.
 +
 +Change ///var/lib/lemonldap-ng/handler/MyHandler.pm// to activate this:
<code> <code>
-$cgp_show['module']['password'] = '';+... 
 +    status => 1,  
 +... 
 +    https => 1, 
 +... 
 +</code> 
 + 
 +Then, change ///var/lib/lemonldap-ng/manager/index.pl// to obtain:  
 +<code> 
 +... 
 +    dhtmlXTreeImageLocation => "/sso/lm/manager/imgs/", 
 +... 
 +</code> 
 + 
 +Edit ///var/lib/lemonldap-ng/manager/sessions.pl// to obtain: 
 +<code> 
 +... 
 +    imagePath    => '/sso/lm/manager/images/'
 +... 
 +</code> 
 + 
 +If you don't want to allow users to change their password through LemonLdap::ng: 
 + 
 +Change ///var/lib/lemonldap-ng/portal/index.pl//:  
 +<code> 
 +    use constant USER_CAN_CHANGE_PASSWORD => 0; 
 +</code> 
 + 
 + 
 +The ///etc/lemonldap-ng/apps-list.xml// file is change to handle only OBM: 
 +<code> 
 +<?xml version="1.0" encoding="utf-8" standalone="no"?> 
 +<!DOCTYPE menu SYSTEM "apps-list.dtd"> 
 + 
 +<menu> 
 +        <category name="Applications"> 
 +        <application id="obm"> 
 +                <name>OBM</name> 
 +                <uri>https://obm.example.com</uri> 
 +                <description>Travail collaboratif</description> 
 +                <logo>obm.png</logo> 
 +                <display>auto</display> 
 +        </application> 
 +        </category> 
 +</menu> 
 + 
 +</code> 
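Review bot: the statement that /var/lib/lemonldap-ng/conf must be "write-accessible" by the apache/httpd user needs a security caveat: that directory holds the whole LemonLDAP::NG configuration, including the LDAP bind password entered through the web manager, and the Apache section below creates the Basic-auth file for the manager inside the same directory (`/var/lib/lemonldap-ng/conf/htpasswd`), so a compromised web process can rewrite both the SSO configuration and the credentials that protect the manager. Recommend keeping the htpasswd file outside any web-writable path, root-owned and group-readable by the web server only. The `status => 1` setting in MyHandler.pm enables the handler status page that the Apache section serves at /status; that is fine only because the Location is restricted to 127.0.0.0/8, and the two should be cross-referenced so one is not changed without the other. Minor: the apps-list.xml description "Travail collaboratif" is French ("Collaborative work") on an otherwise English page, and "The ... file is change to handle only OBM" should read "is changed".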
 + 
 +==== Apache Configuration ==== 
 +To access to LemonLdap web manager through mod_ldap: 
 + # htpassword -c /var/lib/lemonldap-ng/conf/htpasswd ldapadmin 
 + 
 +This is an example of obm.conf virtualhost file. 
 + 
 +<code> 
 +... 
 +#_LEMONLDAPNG_BEGIN_ 
 + 
 +# SSO protection 
 +PerlRequire /var/lib/lemonldap-ng/handler/MyHandler.pm 
 +PerlOptions +GlobalRequest 
 +PerlHeaderParserHandler My::Package 
 +# Configuration reload mechanism (only 1 per physical server is 
 +# needed): choose your URL to avoid restarting Apache when 
 +# configuration change 
 +<Location /reload> 
 +  Order deny,allow 
 +  Deny from all 
 +  Allow from 127.0.0.0/8 
 +  PerlHeaderParserHandler My::Package->refresh 
 +</Location> 
 +<Location /status> 
 +    Order deny,allow 
 +    Deny from all 
 +    Allow from 127.0.0.0/8 
 +    PerlHeaderParserHandler My::Package->status 
 +</Location> 
 + 
 +<Location /obm-sync> 
 +ProxyPass http://127.0.0.1:8080/obm-sync 
 +ProxyPassReverse http://127.0.0.1:8080/obm-sync 
 +PerlHeaderParserHandler My::Package->unprotect 
 +</Location> 
 + 
 +<Location /minig> 
 +ProxyPass ajp://127.0.0.1:8009/minig max=2 
 +ProxyPassReverse ajp://127.0.0.1:8009/minig 
 +PerlHeaderParserHandler My::Package->unprotect 
 +</Location> 
 + 
 +<Location /Microsoft-Server-ActiveSync> 
 +ProxyPass http://127.0.0.1:8082/Microsoft-Server-ActiveSync 
 +ProxyPassReverse http://127.0.0.1:8082/Microsoft-Server-ActiveSync 
 +PerlHeaderParserHandler My::Package->unprotect 
 +</Location> 
 + 
 +<Location /caldav> 
 +ProxyPass http://127.0.0.1:8083 
 +ProxyPassReverse http://127.0.0.1:8083 
 +PerlHeaderParserHandler My::Package->unprotect 
 +</Location> 
 + 
 + 
 +# Manager 
 +Alias /sso/lm/manager /var/lib/lemonldap-ng/manager 
 +<Directory /var/lib/lemonldap-ng/manager> 
 +    Order deny,allow 
 +    Deny from all 
 +    Allow from 172.31.0.0/16 
 +    Options +ExecCGI 
 +    PerlHeaderParserHandler My::Package->unprotect 
 +    AuthUserFile /var/lib/lemonldap-ng/.htpasswd 
 +    AuthName "LemonLDAP::NG Manager" 
 +    AuthType Basic 
 +    Require valid-user 
 +</Directory> 
 + 
 +# Auth 
 +Alias /sso/lm /var/lib/lemonldap-ng/portal 
 +<Directory /var/lib/lemonldap-ng/portal> 
 +    Order allow,deny 
 +    Allow from all 
 +    Options +ExecCGI 
 +    PerlHeaderParserHandler My::Package->unprotect 
 +</Directory> 
 + 
 +# Unprotect OBM SSO 
 +<Location /sso> 
 +    Order allow,deny 
 +    Allow from all 
 +    PerlHeaderParserHandler My::Package->unprotect 
 +</Location> 
 + 
 +# Portal must be interpreted by Perl 
 +<Files *.pl> 
 +    SetHandler perl-script 
 +    PerlResponseHandler ModPerl::Registry 
 +</Files> 
 + 
 +<IfModule mod_dir.c> 
 +    DirectoryIndex index.pl index.html 
 +</IfModule> 
 + 
 +# SOAP functions for sessions management (disabled by default) 
 +<Directory /var/lib/lemonldap-ng/portal/index.pl/adminSessions> 
 +    Order deny,allow 
 +    Deny from all 
 +</Directory> 
 + 
 +# SOAP functions for sessions access (disabled by default) 
 +<Directory /var/lib/lemonldap-ng/portal/index.pl/sessions> 
 +    Order deny,allow 
 +    Allow from all 
 +    AuthUserFile /var/lib/lemonldap-ng/.htpasswd 
 +    AuthName "LemonLDAP::NG Manager" 
 +    AuthType Basic 
 +    Require valid-user 
 +</Directory> 
 + 
 +# SOAP functions for configuration access (disabled by default) 
 +<Directory /var/lib/lemonldap-ng/portal/index.pl/config> 
 +    Order deny,allow 
 +    Allow from all 
 +    AuthUserFile /var/lib/lemonldap-ng/conf/htpasswd 
 +    AuthName "LemonLDAP::NG Manager" 
 +    AuthType Basic 
 +    Require valid-user 
 +</Directory> 
 + 
 +# SOAP functions for notification insertion (disabled by default) 
 +<Directory /var/lib/lemonldap-ng/portal/index.pl/notification> 
 +    Order deny,allow 
 +    Deny from all 
 +</Directory> 
 + 
 +#_LEMONLDAPNG_END_ 
 +</VirtualHost> 
 +... 
 +</code> 
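Review bot: the two SOAP blocks labelled "disabled by default" are not disabled: `/index.pl/sessions` and `/index.pl/config` use `Order deny,allow` with `Allow from all`, so they are reachable from anywhere by anyone holding a Basic-auth login, and the config endpoint serves the complete LemonLDAP::NG configuration (LDAP bind credentials included) while the sessions endpoint exposes session contents, which on this page carry the user's password because `$_password` is exported as a header. Either `Deny from all` them like /adminSessions and /notification, or restrict them to 127.0.0.0/8 and the 172.31.0.0/16 manager network on top of Basic auth. Second, the `AuthUserFile` paths disagree: the manager and sessions blocks point at `/var/lib/lemonldap-ng/.htpasswd` while the `htpasswd -c` command above and the config block use `/var/lib/lemonldap-ng/conf/htpasswd`; if the first file does not exist Apache fails every manager request, and if both exist there are two credential files to keep in sync. Pick one path, outside the web-writable conf directory, and use it in all four blocks. Third, the `->unprotect` Locations (/obm-sync, /minig, /Microsoft-Server-ActiveSync, /caldav) deliberately bypass the SSO, which means those services authenticate against the password OBM stores locally; that is the reason the OBM_USERPASSWORD sync exists and the text should say so. Minor: the command is `htpasswd`, not `htpassword`, and "through mod_ldap" is wrong, since the block configures Basic authentication against a file.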
 + 
 +==== LemonLDAP::NG configuation through web manager ==== 
 +Change this fields: 
 + 
 +  * portail: https://obm.example.com/sso/lm/ 
 +  * domain: example.com 
 +  * LDAP attributs to export: ''Enter further paramters (a lot are optionnals)'' 
 +  * LDAP parameters: ''Enter you LDAP directory informations'' 
 +  * Macros: (It's used to link admin0 LDAP account to the OBM admin0 one). 
 + 
 +^field ^value ^ 
 +| uidR | <nowiki>($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid  </nowiki>| 
 +| mailR  |<nowiki> ($uid =~ /^admin0/i)[0] ? "" : ($mail =~ /^([^@]+)/)[0] . "\@example.com" </nowiki>| 
 + 
 +  * VirtualHost: obm.example.com 
 +    * HTTP Header: 
 + 
 +^field ^valeur ^ 
 +|OBM_GIVENNAME|$givenName| 
 +|OBM_GROUPS|$groups| 
 +|OBM_UID|$uidR| 
 +|OBM_MAIL|$mailR| 
 +|OBM_USERPASSWORD|$_password| 
 + 
 +    * Rules: 
 + 
 +^field ^value ^ 
 +|<nowiki>^/logout</nowiki>|<nowiki>logout_sso https://obm.example.com/</nowiki>| 
 +|default|accept| 
 + 
 +You now have plug your LemonLdap::ng to your LDAP Directory. We will finish by connecting LemonLdap::ng to OBM. 
 + 
 + 
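Review bot: the uidR macro `($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid` matches any uid that merely begins with "admin0", case-insensitively, so a directory account named admin01 or Admin0-test would be logged into OBM as the global administrator; anchor the pattern (`/^admin0$/`) and drop `/i` unless uids are genuinely case-insensitive in the directory. The header table exports only OBM_GIVENNAME, OBM_GROUPS, OBM_UID, OBM_MAIL and OBM_USERPASSWORD, yet the OBM headers_map in the next section also reads HTTP_OBM_SN, HTTP_OBM_PERMS, HTTP_OBM_DATEBEGIN, HTTP_OBM_DESCRIPTION, HTTP_OBM_TELEPHONENUMBER, HTTP_OBM_FACSIMILETELEPHONENUMBER, HTTP_OBM_O, HTTP_OBM_OU, HTTP_OBM_POSTALADDRESS, HTTP_OBM_POSTALCODE, HTTP_OBM_L, HTTP_OBM_MAILQUOTA and HTTP_OBM_SERIALNUMBER. Nothing on this page strips client-supplied request headers, and a header the handler is not configured to set is not overwritten, so the value PHP reads from HTTP_OBM_PERMS can come straight from the browser (`OBM-Perms: admin`); every name in headers_map should either be defined in this table, so the handler always sets it, or be removed from the map, and OBM_PERMS in particular must never be left to the client. Finally, exporting `$_password` depends on the portal option that stores the password in the session, so the session store and the /sessions SOAP endpoint then hold cleartext passwords; that consequence belongs next to the table. Minor: "attributs", "optionnals", "paramters", "valeur" (French for "value") and "You now have plug" are typos.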
 +==== OBM configuration ==== 
 +You need to edit ///etc/obm/obm_conf.inc//. 
 + 
 +Values must match the LemonLdap::ng headers seen before. 
 +<code> 
 +// authentification : 'CAS' (SSO AliaSuite), 'ldap' (LDAP authentication) or 'standalone' (default) 
 +//$auth_kind = 'CAS'; 
 +//$cas_server = 'sso.aliacom.local'; 
 +//$cas_server_port = 8443; 
 +//$cas_server_uri = ''; 
 +//$auth_kind='ldap'; 
 + 
 +$auth_kind = 'LemonLDAP'; 
 +$lemonldap_config = Array( 
 +                "auto_update"          => true, 
 +                "auto_update_force_user" => true, 
 +                "auto_update_force_group" => false, 
 +                "url_logout"            => "https://obm.example.com/logout", 
 +                "server_ip_address"    => "localhost", 
 +                "server_ip_check"      => false, 
 +                "debug_level"          => "NONE", 
 +//                "debug_header_name"    => "HTTP_OBM_UID", 
 +//                "group_header_name"    => "HTTP_OBM_GROUPS", 
 +                "headers_map"          => Array( 
 +                        //"userobm_gid"                  => "HTTP_OBM_GID", 
 +                        //"userobm_domain_id"          => , 
 +                        "userobm_login"                => "HTTP_OBM_UID", 
 +                        "userobm_password"              => "HTTP_OBM_USERPASSWORD", 
 +                        //"userobm_password_type"      => , 
 +                        "userobm_perms"                => "HTTP_OBM_PERMS", 
 +                        //"userobm_kind"                => , 
 +                        "userobm_lastname"              => "HTTP_OBM_SN", 
 +                        "userobm_firstname"            => "HTTP_OBM_GIVENNAME", 
 +//                        "userobm_title"                => "HTTP_OBM_TITLE", 
 +                        "userobm_email"                => "HTTP_OBM_MAIL", 
 +                        "userobm_datebegin"            => "HTTP_OBM_DATEBEGIN", 
 +                        //"userobm_account_dateexp"    => , 
 +                        //"userobm_delegation_target"  => , 
 +                        //"userobm_delegation"          => , 
 +                        "userobm_description"          => "HTTP_OBM_DESCRIPTION", 
 +                        //"userobm_archive"            => , 
 +                        //"userobm_hidden"              => , 
 +                        //"userobm_status"              => , 
 +                        //"userobm_local"              => , 
 +                        //"userobm_photo_id"            => , 
 +                        "userobm_phone"                => "HTTP_OBM_TELEPHONENUMBER", 
 +                        //"userobom_phone2"            => , 
 +                        //"userobm_mobile"              => , 
 +                        "userobm_fax"                  => "HTTP_OBM_FACSIMILETELEPHONENUMBER", 
 +                        //"userobm_fax2"                => , 
 +                        "userobm_company"              => "HTTP_OBM_O", 
 +                        //"userobm_direction"          => , 
 +                        "userobm_service"              => "HTTP_OBM_OU", 
 +                        "userobm_address1"              => "HTTP_OBM_POSTALADDRESS", 
 +                        //"userobm_address2"            => , 
 +                        //"userobm_address3"            => , 
 +                        "userobm_zipcode"              => "HTTP_OBM_POSTALCODE", 
 +                        "userobm_town"                  => "HTTP_OBM_L", 
 +                        "userobm_zipcode"              => "HTTP_OBM_POSTALCODE", 
 +                        "userobm_town"                  => "HTTP_OBM_L", 
 +                        //"userobm_expresspostal"      => , 
 +                        //"userobm_host_id"            => , 
 +                        //"userobm_web_perms"          => , 
 +                        //"userobm_web_list"            => , 
 +                        //"userobm_web_all"            => , 
 +                        //"userobm_mail_perms"          => , 
 +                        //"userobm_mail_ext_perms"      => , 
 +                        //"userobm_mail_server_id"      => , 
 +                        //"userobm_mail_server_hostname" => , 
 +                        "userobm_mail_quota"            => "HTTP_OBM_MAILQUOTA", 
 +                        //"userobm_nomade_perms"        => , 
 +                        //"userobm_nomade_enable"      => , 
 +                        //"userobm_nomade_local_copy"  => , 
 +                        //"userobm_email_nomade"        => , 
 +                        //"userobm_vacation_enable"    => , 
 +                        //"userobm_vacation_datebegin"  => , 
 +                        //"userobm_vacation_dateend"    => , 
 +                        //"userobm_vacation_message"    => , 
 +                        //"userobm_samba_perms"        => , 
 +                        //"userobm_samba_home"          => , 
 +                        //"userobm_samba_home_drive"    => , 
 +                        //"userobm_samba_logon_script"  => , 
 +                        // ---- Unused values ? ---- 
 +                        "userobm_ext_id"                => "HTTP_OBM_SERIALNUMBER", 
 +                        //"userobm_system"              => , 
 +                        //"userobm_nomade_datebegin"    => , 
 +                        //"userobm_nomade_dateend"      => , 
 +                        //"userobm_location"            => , 
 +                        //"userobm_education"          => , 
 +                        ), 
 +        ); 
</code> </code>
 +Enjoy !
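Review bot: `"server_ip_check" => false` switches off the check that the OBM_* headers arrived from `server_ip_address` ("localhost"), which in this configuration appears to be the only verification OBM has that the headers were produced by the handler rather than supplied by a client; with the handler in the same Apache the check costs nothing, so set it to true (and point server_ip_address at the real proxy address if it differs) and only relax it for a documented reason. `auto_update_force_user => true` together with `userobm_password => HTTP_OBM_USERPASSWORD` means every login overwrites the OBM user record, password included, from the headers; that is the intended direction of synchronisation here and should be stated so nobody edits those fields in OBM and expects them to stick. Style: `userobm_zipcode` and `userobm_town` are each mapped twice (the second pair is a duplicate), the commented `//$cas_server = 'sso.aliacom.local';` lines refer to an unrelated CAS setup and can be removed, and the comment `//"userobom_phone2"` misspells the key name.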