Nuxeo dm and lemon ldap

Does anyone have ever made a nuxeo-dm instance work behind a lemonldap-ng sso portal ? i found documentation about the nuxeo-dm part, but dont know how to set up lemonldap-ng to go to nuxeo with the secret.

Can anyone help me ?

1 votes

1 answers

859 views

ANSWER



I did, and it works (and I could probably explain it in french if you prefer). Just not now, for I'm a little busy.

Short answer in the meantime : I don't use any shared secret between Lemon and Nuxeo. Nuxeo is proxyfied behind Lemon, and uses the REMOTE_USER env. variable sent by the latter.

Only thing I couldn't get to work (yet) is “non-browser” access (CMIS/DAV/…), which constantly fails because of a redirection that shouldn't happen in those case. Latest version of Debian packages should have brought the fix by upgrading Tomcat, but I haven't looked into it yet.

0 votes



french or english are the same for me. what suit you the best ;) do you have pointer about how you made it ?
05/27/2013

Nothing specific, but it's been months since I first told myself I had to document that.

IIRC, I first configured my Nuxeo server to auth on the same LDAP server as my SSO. Then I set up the required bundle for "PROXY_AUTH", which I then explained to use the required env. var. as ssoHeaderName.

You'll also need to prevent direct (i.e. without Lemon' proxy) connections to your Nuxeo instance, for that may allow rather unsafe impersonation (read "wide open security issue").

05/27/2013

i'm stuck.

auth ldap work with nuxeo 5.6.0 & auth ldap work with lemon ldap

added /var/lib/nuxeo/server/nxserver/bundles/nuxeo-platform-login-portal-sso-5.6.0-HF17.jar

told lemon ldap to send $uid as ssoHeaderName in the http header but each time i click on the link on the portal (who is a reverse proxy definition), i'm prompted for identification.

any idea about what i did wrong ?

05/28/2013