Nuxeo dm and lemon ldap

Has anyone ever made a nuxeo-dm instance work behind a lemonldap-ng SSO portal? I found documentation about the nuxeo-dm part, but don't know how to set up lemonldap-ng to go to nuxeo with the secret.

Can anyone help me?

1 votes

1 answers

1873 views

ANSWER



I did, and it works (and I could probably explain it in French if you prefer). Just not now, for I'm a little busy.

Short answer in the meantime: I don't use any shared secret between Lemon and Nuxeo. Nuxeo is proxied behind Lemon, and uses the REMOTE_USER env. variable sent by the latter.

Only thing I couldn't get to work (yet) is “non-browser” access (CMIS/DAV/…), which constantly fails because of a redirection that shouldn't happen in those cases. Latest version of Debian packages should have brought the fix by upgrading Tomcat, but I haven't looked into it yet.

0 votes



French or English are the same for me. Whatever suits you best ;) Do you have pointers about how you made it?
05/27/2013

Nothing specific, but it's been months since I first told myself I had to document that.

IIRC, I first configured my Nuxeo server to auth on the same LDAP server as my SSO. Then I set up the required bundle for "PROXY_AUTH", which I then explained to use the required env. var. as ssoHeaderName.

You'll also need to prevent direct (i.e. without Lemon's proxy) connections to your Nuxeo instance, for that may allow rather unsafe impersonation (read "wide open security issue").

05/27/2013

I'm stuck.

auth ldap works with nuxeo 5.6.0 & auth ldap works with lemon ldap

added /var/lib/nuxeo/server/nxserver/bundles/nuxeo-platform-login-portal-sso-5.6.0-HF17.jar

I told lemon ldap to send $uid as ssoHeaderName in the HTTP header, but each time I click on the link on the portal (which is a reverse proxy definition), I'm prompted for identification.

Any idea what I did wrong?

05/28/2013