Manager protection¶
When installing LL::NG, the Manager can only be accessed with the demo
account dwho
. This How To explains how change this default behavior
to protect Manager with other rules.
Apache based protection¶
Tip
Apache based protection allow one to be independent from WebSSO, so Manager will always be reachable even if WebSSO configuration is corrupted.
The configuration can be changed in etc/manager-apache2.conf
, for
example to restrict the IP allowed to access the Manager:
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
Order deny,allow
Deny from all
Allow from 127.0.0.0/8 192.168.100.0/32
Options +ExecCGI
</Directory>
But you will rather prefer to use an Apache authentication module, like for example LDAP authentication module:
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
AuthzLDAPAuthoritative On
AuthName "LL::NG Manager"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "ou=websso,ou=applications,dc=example,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPURL ldap://localhost:389/ou=users,dc=example,dc=com???(objectClass=inetOrgPerson) TLS
Require ldap-user coudot xguimard tchemineau
Options +ExecCGI
</Directory>
Attention
You need to disable default Manager protection in lemonldap-ng.ini to rely only on Apache:
[manager]
;protection = manager
LL::NG based protection¶
Danger
Before enabling Manager protection by LL::NG, you must have configured how users authenticate on Portal, and test that you can log in without difficulties. Else, you will lock access to Manager and will never access it anymore.
By default, you will have a manager virtual host define in
configuration. If not Go on Manager, and declare Manager as a new
virtual host, for example
manager.example.com
. You can then set the access rule. No headers
are needed.
The default rule is:
$uid eq "dwho"
You have to change it to match your admin user (or use other conditions like group membership, or any other rule based on a session variable).
Save the configuration and exit the Manager.
Tip
The next time you will access Manager, it will be through LL::NG.
Enable protection on Manager, by editing lemonldap-ng.ini
:
[manager]
protection = manager
You can also adapt Apache access control:
<Directory /usr/local/lemonldap-ng/htdocs/manager/>
Order deny,allow
Allow from all
Options +ExecCGI
</Directory>
Restart Apache and try to log on Manager. You should be redirected to LL::NG Portal.
You can then add the Manager as an application in the menu.
Tip
If for an obscure reason, the WebSSO is not working and you
want to access the Manager, remove the protection in
lemonldap-ng.ini
. Add an Apache access control to avoid other
access.