File: variables.html

lemonldap-ng 1.9.7-3%2Bdeb9u2
<!DOCTYPE html>
<html lang="en" dir="ltr">
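<head>
  <meta charset="utf-8" />
  <title>documentation:1.9:variables</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,variables"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="variables.html"/>
<link rel="contents" href="variables.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- Bootstrap CSS. The alternatives below sit inside an HTML comment; as shipped only the
     final (else) branch is live markup. Presumably a packaging step picks one branch. -->
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:variables","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- jQuery. The external-library branch fetches the script over https so it cannot be altered
     in transit. NOTE(review): that branch carries no integrity attribute; add SRI and
     crossorigin if the external-library variant is ever the one that is served. -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="https://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- jQuery UI. Same layout as the jQuery block above; the external-library branch uses https. -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="https://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>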
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#modules">Modules</a></div></li>
<li class="level1"><div class="li"><a href="#connection">Connection</a></div></li>
<li class="level1"><div class="li"><a href="#authentication">Authentication</a></div></li>
<li class="level1"><div class="li"><a href="#dates">Dates</a></div></li>
<li class="level1"><div class="li"><a href="#saml">SAML</a></div></li>
<li class="level1"><div class="li"><a href="#notifications">Notifications</a></div></li>
<li class="level1"><div class="li"><a href="#login_history">Login history</a></div></li>
<li class="level1"><div class="li"><a href="#ldap">LDAP</a></div></li>
<li class="level1"><div class="li"><a href="#openid">OpenID</a></div></li>
<li class="level1"><div class="li"><a href="#openid_connect">OpenID Connect</a></div></li>
<li class="level1"><div class="li"><a href="#other">Other</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="variables">Variables</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "Variables" [1-25] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
Variables can be used in rules and headers. This applies to every kind of rule:
</p>
<ul>
<li class="level1"><div class="li"> Access rule in virtual host</div>
</li>
<li class="level1"><div class="li"> <abbr title="Security Assertion Markup Language">SAML</abbr> IDP preselection</div>
</li>
<li class="level1"><div class="li"> Session opening</div>
</li>
<li class="level1"><div class="li"> …</div>
</li>
</ul>

<p>
Variables are stored in the user session. We can distinguish several kinds of variables:
</p>
<ul>
<li class="level1"><div class="li"> internal variables, managed by LemonLDAP::NG</div>
</li>
<li class="level1"><div class="li"> <a href="exportedvars.html" class="wikilink1" title="documentation:1.9:exportedvars">exported variables</a> collected from UserDB backend</div>
</li>
<li class="level1"><div class="li"> <a href="performances.html#macros_and_groups" class="wikilink1" title="documentation:1.9:performances">macros and groups</a></div>
</li>
</ul>

<p>
When you know the key of a variable, you just have to prefix it with the dollar sign to use it, for example to test whether the <code>uid</code> variable equals <code>coudot</code>:
</p>
<pre class="code">$uid eq &quot;coudot&quot;</pre>
<div class="notetip">You can inspect a user session with the sessions explorer (in Manager)
</div>
<p>
The internal variables are documented below.
</p>

</div>
<!-- EDIT2 SECTION "Presentation" [26-794] -->
<h2 class="sectionedit3" id="modules">Modules</h2>
<div class="level2">

<p>
These variables record which module was used for authentication, user data, password, …
</p>
<div class="table sectionedit4"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 centeralign">  _auth  </td><td class="col1 leftalign"> Authentication module  </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0 centeralign">  _userDB  </td><td class="col1 leftalign"> User module  </td>
	</tr>
	<tr class="row3 rowodd">
		<td class="col0 centeralign">  _passwordDB  </td><td class="col1 leftalign"> Password module  </td>
	</tr>
	<tr class="row4 roweven">
		<td class="col0 centeralign">  _issuerDB  </td><td class="col1 leftalign"> Issuer module (can be multivalued)  </td>
	</tr>
	<tr class="row5 rowodd">
		<td class="col0 centeralign">  _authChoice  </td><td class="col1 leftalign"> User choice done if <a href="authchoice.html" class="wikilink1" title="documentation:1.9:authchoice">authentication choice</a> was used  </td>
	</tr>
	<tr class="row6 roweven">
		<td class="col0 centeralign">  _authMulti  </td><td class="col1 leftalign"> Full name of authentication module (with <code>#label</code>) used in Multi   </td>
	</tr>
	<tr class="row7 rowodd">
		<td class="col0 centeralign">  _userDBMulti  </td><td class="col1 leftalign"> Full name of user module (with <code>#label</code>) used in Multi   </td>
	</tr>
</table></div>
<!-- EDIT4 TABLE [891-1328] -->
</div>
<!-- EDIT3 SECTION "Modules" [795-1328] -->
<h2 class="sectionedit5" id="connection">Connection</h2>
<div class="level2">

<p>
Data concerning the first connection to the portal
</p>
<div class="table sectionedit6"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
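		<td class="col0 leftalign"> ipAddr  </td><td class="col1 leftalign"> <abbr title="Internet Protocol">IP</abbr> of the user (can be the X-Forwarded-For <abbr title="Internet Protocol">IP</abbr> if trusted proxies are configured). That header is set by whoever sends the request, so a rule based on <code>ipAddr</code> is only as reliable as the trusted proxy list.  </td>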
	</tr>
	<tr class="row2 roweven">
		<td class="col0 leftalign"> _timezone  </td><td class="col1"> Timezone of the user, set with JavaScript from the standard login form (will be empty if other authentication methods are used) </td>
	</tr>
	<tr class="row3 rowodd">
		<td class="col0 leftalign"> _url  </td><td class="col1 leftalign"> <abbr title="Uniform Resource Locator">URL</abbr> used before being redirected to the portal (empty if portal was used as entry point)  </td>
	</tr>
</table></div>
<!-- EDIT6 TABLE [1406-1770] -->
</div>
<!-- EDIT5 SECTION "Connection" [1329-1771] -->
<h2 class="sectionedit7" id="authentication">Authentication</h2>
<div class="level2">

<p>
Data about the authentication process.
</p>
<div class="table sectionedit8"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
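		<td class="col0 leftalign"> _session_id  </td><td class="col1 leftalign"> Session identifier (carried in cookie). Whoever holds this value can present it as the session cookie, so avoid exporting it in headers or writing it to logs.  </td>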
	</tr>
	<tr class="row2 roweven">
		<td class="col0 leftalign"> _user  </td><td class="col1 leftalign"> User found from login process  </td>
	</tr>
	<tr class="row3 rowodd">
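		<td class="col0 leftalign"> _password  </td><td class="col1 leftalign"> Password found from login process (only if <a href="passwordstore.html" class="wikilink1" title="documentation:1.9:passwordstore">password store in session</a> is configured). When enabled, the password is kept with the other session data, so restrict access to the session backend and to the sessions explorer.  </td>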
	</tr>
	<tr class="row4 roweven">
		<td class="col0 leftalign"> authenticationLevel  </td><td class="col1 leftalign"> Authentication level  </td>
	</tr>
</table></div>
<!-- EDIT8 TABLE [1842-2139] -->
</div>
<!-- EDIT7 SECTION "Authentication" [1772-2140] -->
<h2 class="sectionedit9" id="dates">Dates</h2>
<div class="level2">
<div class="table sectionedit10"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> _utime  </td><td class="col1 leftalign"> Timestamp of session creation  </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0 leftalign"> startTime  </td><td class="col1 leftalign"> Date of session creation  </td>
	</tr>
	<tr class="row3 rowodd">
		<td class="col0 leftalign"> updateTime  </td><td class="col1 leftalign"> Date of session last modification  </td>
	</tr>
	<tr class="row4 roweven">
		<td class="col0"> _lastAuthnUTime </td><td class="col1 leftalign"> Timestamp of last authentication time  </td>
	</tr>
</table></div>
<!-- EDIT10 TABLE [2160-2387] -->
</div>
<!-- EDIT9 SECTION "Dates" [2141-2388] -->
<h2 class="sectionedit11" id="saml">SAML</h2>
<div class="level2">

<p>
Data related to the <abbr title="Security Assertion Markup Language">SAML</abbr> protocol
</p>
<div class="table sectionedit12"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> _idp  </td><td class="col1 leftalign"> Name of IDP used for authentication  </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0 leftalign"> _idpConfKey  </td><td class="col1 leftalign"> Configuration key of IDP used for authentication  </td>
	</tr>
	<tr class="row3 rowodd">
		<td class="col0 leftalign"> _samlToken  </td><td class="col1 leftalign"> <abbr title="Security Assertion Markup Language">SAML</abbr> token  </td>
	</tr>
	<tr class="row4 roweven">
		<td class="col0 leftalign"> _lassoSessionDump  </td><td class="col1 leftalign"> Lasso session dump  </td>
	</tr>
	<tr class="row5 rowodd">
		<td class="col0 leftalign"> _lassoIdentityDump  </td><td class="col1 leftalign"> Lasso identity dump  </td>
	</tr>
</table></div>
<!-- EDIT12 TABLE [2439-2704] -->
</div>
<!-- EDIT11 SECTION "SAML" [2389-2705] -->
<h2 class="sectionedit13" id="notifications">Notifications</h2>
<div class="level2">
<div class="table sectionedit14"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> _notification_<em>id</em>  </td><td class="col1 leftalign"> Date of validation of the notification <em>id</em>  </td>
	</tr>
</table></div>
<!-- EDIT14 TABLE [2733-2833] -->
</div>
<!-- EDIT13 SECTION "Notifications" [2706-2834] -->
<h2 class="sectionedit15" id="login_history">Login history</h2>
<div class="level2">
<div class="table sectionedit16"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> loginHistory  </td><td class="col1 leftalign"> HASH of login success and failures  </td>
	</tr>
</table></div>
<!-- EDIT16 TABLE [2862-2943] -->
</div>
<!-- EDIT15 SECTION "Login history" [2835-2944] -->
<h2 class="sectionedit17" id="ldap">LDAP</h2>
<div class="level2">

<p>
Only with UserDB LDAP.
</p>
<div class="table sectionedit18"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> dn  </td><td class="col1"> Distinguished name </td>
	</tr>
</table></div>
<!-- EDIT18 TABLE [2987-3041] -->
</div>
<!-- EDIT17 SECTION "LDAP" [2945-3042] -->
<h2 class="sectionedit19" id="openid">OpenID</h2>
<div class="level2">
<div class="table sectionedit20"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> _openid_<em>id</em>  </td><td class="col1 leftalign"> Consent to share attribute <em>id</em> through OpenID  </td>
	</tr>
</table></div>
<!-- EDIT20 TABLE [3063-3159] -->
</div>
<!-- EDIT19 SECTION "OpenID" [3043-3160] -->
<h2 class="sectionedit21" id="openid_connect">OpenID Connect</h2>
<div class="level2">
<div class="table sectionedit22"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> OpenIDConnect_IDToken  </td><td class="col1 leftalign"> ID Token  </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0 leftalign"> OpenIDConnect_OP  </td><td class="col1 leftalign"> Configuration key of OP used for authentication  </td>
	</tr>
	<tr class="row3 rowodd">
		<td class="col0 leftalign"> OpenIDConnect_access_token  </td><td class="col1 leftalign"> OAuth2 Access Token used to get UserInfo data  </td>
	</tr>
	<tr class="row4 roweven">
		<td class="col0"> _oidc_consent_scope_<em>rp</em> </td><td class="col1 leftalign"> Scope for which consent was given for RP <em>rp</em>  </td>
	</tr>
	<tr class="row5 rowodd">
		<td class="col0"> _oidc_consent_time_<em>rp</em> </td><td class="col1 leftalign"> Time when consent was given for RP <em>rp</em>  </td>
	</tr>
</table></div>
<!-- EDIT22 TABLE [3189-3564] -->
</div>
<!-- EDIT21 SECTION "OpenID Connect" [3161-3565] -->
<h2 class="sectionedit23" id="other">Other</h2>
<div class="level2">
<div class="table sectionedit24"><table class="inline table table-bordered table-striped">
	<thead>
	<tr class="row0 roweven">
		<th class="col0 centeralign">  Key  </th><th class="col1 centeralign">  Description  </th>
	</tr>
	</thead>
	<tr class="row1 rowodd">
		<td class="col0 leftalign"> appsListOrder  </td><td class="col1 leftalign"> Order of categories in the menu  </td>
	</tr>
	<tr class="row2 roweven">
		<td class="col0 leftalign"> _session_kind  </td><td class="col1 leftalign"> Type of session (<abbr title="Single Sign On">SSO</abbr>, Persistent, …)  </td>
	</tr>
</table></div>
<!-- EDIT24 TABLE [3585-3725] -->
</div>
<!-- EDIT23 SECTION "Other" [3566-] --></div>
</body>
</html>