Commit cf3ef55d authored by sympa-authors

New feature: extend the generic_sso feature; Sympa is now able to retrieve the user email address in an LDAP directory


git-svn-id: https://subversion.renater.fr/sympa/trunk@2586 05aa8bb8-cd2b-0410-b1d7-8918dfa770ce
parent 2807a477
......@@ -64,7 +64,7 @@ version 4.2b.4
Olivier Salaün,
Christophe Wolfhugel,
</STRONG></P>
<P ALIGN="CENTER"><STRONG>08 October 2004</STRONG></P>
<P ALIGN="CENTER"><STRONG>11 October 2004</STRONG></P>
<P>
......@@ -404,7 +404,7 @@ version 4.2b.4
<BR><HR>
<ADDRESS>
root
2004-10-08
2004-10-11
</ADDRESS>
</BODY>
</HTML>
......@@ -911,7 +911,7 @@ Contents</A>
<BR><HR>
<ADDRESS>
root
2004-10-08
2004-10-11
</ADDRESS>
</BODY>
</HTML>
......@@ -103,12 +103,12 @@ when using user+password it can validate these credentials against LDAP authenti
<P>
When contacted on the mail interface <I>Sympa</I> has 3 authentication levels. Lower level is to trust
the <A NAME="6071"></A><TT>From:</TT> SMTP header field. A higher level of authentication will require that the
the <A NAME="6103"></A><TT>From:</TT> SMTP header field. A higher level of authentication will require that the
user confirms his/her message. The strongest supported authentication method is S/MIME (note that <I>Sympa</I>
also deals with S/MIME encrypted messages).
<P>
On the <I>Sympa</I> web interface (<A NAME="6076"></A><I>WWSympa</I>) the user can authenticate in 4 different ways (if appropriate setup
On the <I>Sympa</I> web interface (<A NAME="6108"></A><I>WWSympa</I>) the user can authenticate in 4 different ways (if appropriate setup
has been done on <I>Sympa</I> serveur). Default authentication mean is via the user's email address and a password
managed by <I>Sympa</I> itself. If an LDAP authentication backend (or multiple) has been defined, then the user
can authentication with his/her LDAP uid and password. <I>Sympa</I> is also able to delegate the authentication
......@@ -123,7 +123,7 @@ same authorization scenarios are used for both mail and web accesss ; therefore
methods are considered as equivalent : mail confirmation (on the mail interface) is equivalent to
password authentication (on the web interface) ; S/MIME authentication is equivalent to HTTPS with
client certificate authentication. Each rule in authorization scenarios requires an authentication method
(<A NAME="6084"></A><TT>smtp</TT>,<A NAME="6087"></A><TT>md5</TT> or <A NAME="6090"></A><TT>smime</TT>) ; if the required authentication method was
(<A NAME="6116"></A><TT>smtp</TT>,<A NAME="6119"></A><TT>md5</TT> or <A NAME="6122"></A><TT>smime</TT>) ; if the required authentication method was
not used, a higher authentication mode can be requested.
<P>
......@@ -162,13 +162,13 @@ SSLVerifyDepth 10
</H1>
<P>
<I>Sympa</I> stores the data relative to the subscribers in a DataBase. Among these data: password, email exploited during the Web authentication. The module of <A NAME="6098"></A>LDAP authentication allows to use <I>Sympa</I> in an intranet without duplicating user passwords.
<I>Sympa</I> stores the data relative to the subscribers in a DataBase. Among these data: password, email exploited during the Web authentication. The module of <A NAME="6130"></A>LDAP authentication allows to use <I>Sympa</I> in an intranet without duplicating user passwords.
<P>
This way users can indifferently authenticate with their ldap_uid, their alternate_email or their canonic email stored in the <A NAME="6100"></A>LDAP directory.
This way users can indifferently authenticate with their ldap_uid, their alternate_email or their canonic email stored in the <A NAME="6132"></A>LDAP directory.
<P>
<I>Sympa</I> gets the canonic email in the <A NAME="6102"></A>LDAP directory with the ldap_uid or the alternate_email.
<I>Sympa</I> gets the canonic email in the <A NAME="6134"></A>LDAP directory with the ldap_uid or the alternate_email.
<I>Sympa</I> will first attempt an anonymous bind to the directory to get the user's DN, then <I>Sympa</I> will bind with the DN and the user's ldap_password in order to perform an efficient authentication. This last bind will work only if the good ldap_password is provided. Indeed the value returned by the bind(DN,ldap_password) is tested.
<P>
......@@ -217,7 +217,10 @@ The authentication method has first been introduced to allow interraction with <
</PRE>
<P>
The SSO is also expected to provide user attributes including the user email address as environment variables. To make the SSO appear in the login menu, a <B>generic_sso</B> paragraph describing the SSO service should be added to <A NAME="6107"></A><TT>auth.conf</TT>. The format of this paragraph is described in the following section.
<I>Sympa</I> will get user attributes via environment variables. In the most simple case the SSO will provide the user email address. If not, Sympa can be configured to look for the user email address in a LDAP directory (the search filter will make use of user information inherited from the SSO Apache module).
<P>
To plug a new SSO server in your Sympa server you should add a <B>generic_sso</B> paragraph (describing the SSO service) in your <A NAME="6140"></A><TT>auth.conf</TT> configuration file (See <A HREF="node10.html#generic-sso-format">9.5.3</A>, page&nbsp;<A HREF="node10.html#generic-sso-format"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>). Once this paragraph has been added, the SSO service name will be automatically added to the web login menu.
<P>
Apart from the user email address, the SSO can provide other user attributes that <I>Sympa</I> will store in the user_table DB table (for persistancy) and make them available in the [user_attributes] structure that you can use within authorization scenarios (see&nbsp;<A HREF="node11.html#rules">10.1</A>, page&nbsp;<A HREF="node11.html#rules"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>) or in web templates via the [% user.attributes %] structure.
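Review bot: the new sentence in this hunk ("the search filter will make use of user information inherited from the SSO Apache module") does not say which parameters drive that lookup or what is assumed about those variables. Suggest pointing to the ldap_get_email_by_uid_filter / ldap_email_attribute parameters of the generic_sso paragraph (9.5.3) and stating that the environment variables substituted into the filter must be set by the SSO module after it has authenticated the user and must not be derivable from client-supplied request headers, because whatever value they carry becomes the key that selects which account's email address Sympa adopts. Minor: "in a LDAP directory" should read "in an LDAP directory".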
......@@ -234,7 +237,7 @@ Apart from the user email address, the SSO can provide other user attributes tha
CAS is Yale university SSO software. Sympa can use CAS authentication service.
<P>
The listmaster should define at least one or more CAS servers (<B>cas</B> paragraph) in <A NAME="6111"></A><TT>auth.conf</TT>. If <B>non_blocking_redirection</B> parameter was set for a CAS server then Sympa will try a transparent login on this server
The listmaster should define at least one or more CAS servers (<B>cas</B> paragraph) in <A NAME="6144"></A><TT>auth.conf</TT>. If <B>non_blocking_redirection</B> parameter was set for a CAS server then Sympa will try a transparent login on this server
when the user accesses the web interface. If one CAS server redirect the user to Sympa with a valid ticket Sympa receives a user ID from the CAS server. It then connects to the related LDAP directory to get the user email address. If no CAS server returns a valid user ID, Sympa will let the user either select a CAS server to login or perform a Sympa login.
<P>
......@@ -246,20 +249,20 @@ when the user accesses the web interface. If one CAS server redirect the user to
</H1>
<P>
The <A NAME="6114"></A><TT>/home/sympa/etc/auth.conf</TT> configuration file contains numerous
The <A NAME="6147"></A><TT>/home/sympa/etc/auth.conf</TT> configuration file contains numerous
parameters which are read on start-up of <I>Sympa</I>. If you change this file, do not forget
that you will need to restart wwsympa.fcgi afterwards.
<P>
The <A NAME="6118"></A><TT>/home/sympa/etc/auth.conf</TT> is organised in paragraphs. Each paragraph describes an authentication
The <A NAME="6151"></A><TT>/home/sympa/etc/auth.conf</TT> is organised in paragraphs. Each paragraph describes an authentication
service with all required parameters to perform an authentication using this service. Current version of
<I>Sympa</I> can perform authentication through LDAP directories, using an external Single Sign-On Service (like CAS
or Shibboleth), or using internal user_table.
<P>
The login page contains 2 forms : the login form and the SSO. When users hit the login form, each ldap or user_table authentication
paragraph is applied unless email adress input from form match the <A NAME="6122"></A><TT>negative_regexp</TT> or do not match <A NAME="6125"></A><TT>regexp</TT>.
<A NAME="6128"></A><TT>negative_regexp</TT> and <A NAME="6131"></A><TT>regexp</TT> can be defined for earch ldap or user_table authentication service so
paragraph is applied unless email adress input from form match the <A NAME="6155"></A><TT>negative_regexp</TT> or do not match <A NAME="6158"></A><TT>regexp</TT>.
<A NAME="6161"></A><TT>negative_regexp</TT> and <A NAME="6164"></A><TT>regexp</TT> can be defined for earch ldap or user_table authentication service so
administrator can block some authentication methode for class of users.
<P>
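Review bot: the regenerated lines in this hunk still carry the typos "adress", "earch" and "methode" (and "segond" in the following hunk's header context); as this HTML is generated, fix them in the source document rather than in the output. The sentence is also hard to parse as written; suggest "each ldap or user_table paragraph is applied unless the email address entered in the form matches negative_regexp or fails to match regexp".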
......@@ -269,7 +272,7 @@ The segond form in login page contain the list of CAS server so user can choose
Each paragraph start with one of the keyword cas, ldap or user_table
<P>
The <A NAME="6134"></A><TT>/home/sympa/etc/auth.conf</TT> file contains directives in the following format:
The <A NAME="6167"></A><TT>/home/sympa/etc/auth.conf</TT> file contains directives in the following format:
<P>
<P>
......@@ -357,7 +360,7 @@ user_table
<P>
The user_table paragraph is related to sympa internal authentication by email and password. It is the simplest one the only parameters
are <A NAME="6137"></A><TT>regexp</TT> or <A NAME="6140"></A><TT>negative_regexp</TT> which are perl regular expressions applied on a provided email address to select or block this authentication method for a subset of email addresses.
are <A NAME="6170"></A><TT>regexp</TT> or <A NAME="6173"></A><TT>negative_regexp</TT> which are perl regular expressions applied on a provided email address to select or block this authentication method for a subset of email addresses.
<P>
......@@ -368,7 +371,7 @@ are <A NAME="6137"></A><TT>regexp</TT> or <A NAME="6140"></A><TT>negative_regexp
<P>
<UL>
<LI><A NAME="6143"></A><TT>regexp</TT> and <A NAME="6146"></A><TT>negative_regexp</TT>
<LI><A NAME="6176"></A><TT>regexp</TT> and <A NAME="6179"></A><TT>negative_regexp</TT>
Same as in user_table paragraph : if a provided email address (does not apply to an uid), then the
regular expression will be applied to find out if this LDAP directory can be used to authenticate a
subset of users.
......@@ -554,7 +557,7 @@ If set to <TT>1</TT>, connection to the LDAP server will use SSL (LDAPS).
<LI>ssl_version
<P>
This defines the version of the SSL/TLS protocol to use. Defaults of <A NAME="6152"></A>Net::LDAPS to <TT>sslv2/3</TT>,
This defines the version of the SSL/TLS protocol to use. Defaults of <A NAME="6185"></A>Net::LDAPS to <TT>sslv2/3</TT>,
other possible values are <TT>sslv2</TT>, <TT>sslv3</TT>, and <TT>tlsv1</TT>.
<P>
......@@ -563,7 +566,7 @@ This defines the version of the SSL/TLS protocol to use. Defaults of <A NAME="61
<P>
Specify which subset of cipher suites are permissible for this connection, using the standard
OpenSSL string format. The default value of <A NAME="6153"></A>Net::LDAPS for ciphers is <TT>ALL</TT>,
OpenSSL string format. The default value of <A NAME="6186"></A>Net::LDAPS for ciphers is <TT>ALL</TT>,
which permits all ciphers, even those that don't encrypt!
<P>
......@@ -572,8 +575,10 @@ Specify which subset of cipher suites are permissible for this connection, using
<P>
<H2><A NAME="SECTION001053000000000000000">
9.5.3 generic_sso paragraph</A>
<H2><A NAME="SECTION001053000000000000000"></A>
<A NAME="generic-sso-format"></A>
<BR>
9.5.3 generic_sso paragraph
</H2>
<P>
......@@ -608,6 +613,91 @@ This parameter defines the environment variable that will contain the authentica
</LI>
</UL>
<P>
The following parameters define how Sympa can retrieve the user email address ; <B>these are only useful if the email_http_header entry was not defined :</B>
<P>
<UL>
<LI>ldap_host
<BR>
The LDAP host Sympa will connect to fetch user email. The ldap_host include the
port number and it may be a comma separated list of redondant host.
<P>
</LI>
<LI>ldap_bind_dn
<BR>
The DN used to bind to this server. Anonymous bind is used if this parameter is not defined.
<P>
</LI>
<LI>ldap_bind_password
<BR>
The password used unless anonymous bind is used.
<P>
</LI>
<LI>ldap_suffix
<BR>
The LDAP suffix used when seraching user email
<P>
</LI>
<LI>ldap_scope
<BR>
The scope used when seraching user email, possible values are <TT>sub</TT>, <TT>base</TT>, and <TT>one</TT>.
<P>
</LI>
<LI>ldap_get_email_by_uid_filter
<BR>
The filter to perform the email search. It can refer to any environment variables inherited from the SSO module, as shown below.
Example :
<PRE>
ldap_get_email_by_uid_filter (mail=[SSL_CLIENT_S_DN_Email])
</PRE>
<P>
</LI>
<LI>ldap_email_attribute
<BR>
The attribut name to be used as user canonical email. In the current version of sympa only the first value returned by the LDAP server is used.
<P>
</LI>
<LI>ldap_timeout
<BR>
The time out for the search.
<P>
</LI>
<LI>ldap_use_ssl
<P>
If set to <TT>1</TT>, connection to the LDAP server will use SSL (LDAPS).
<P>
</LI>
<LI>ldap_ssl_version
<P>
This defines the version of the SSL/TLS protocol to use. Defaults of <A NAME="6187"></A>Net::LDAPS to <TT>sslv2/3</TT>,
other possible values are <TT>sslv2</TT>, <TT>sslv3</TT>, and <TT>tlsv1</TT>.
<P>
</LI>
<LI>ldap_ssl_ciphers
<P>
Specify which subset of cipher suites are permissible for this connection, using the
OpenSSL string format. The default value of <A NAME="6188"></A>Net::LDAPS for ciphers is <TT>ALL</TT>,
which permits all ciphers, even those that don't encrypt!
<P>
</LI>
</UL>
<P>
<H2><A NAME="SECTION001054000000000000000">
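Review bot: ldap_get_email_by_uid_filter substitutes environment variables such as [SSL_CLIENT_S_DN_Email] directly into an LDAP search filter, and the new text does not say whether the substituted value is escaped according to RFC 2254 (where "(", ")", "*", "\" and NUL are filter metacharacters) before the search is sent. Please document which it is; if the value is inserted verbatim, the listmaster needs to know that the filter is only as trustworthy as the SSO-supplied value. Two smaller points in the same block: ldap_ssl_ciphers warns that the Net::LDAPS default ALL "permits all ciphers, even those that don't encrypt!" but gives no recommended value, so the parameter description should show an explicit cipher list; and ldap_bind_password is kept in auth.conf, which deserves a reminder about file permissions next to the existing note about restarting wwsympa.fcgi. Typos in the new text: "redondant", "seraching" (twice), "attribut", "time out".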
......@@ -717,13 +807,13 @@ The password used unless anonymous bind is used.
</LI>
<LI>ldap_suffix
<BR>
The LDAP suffix use when seraching user email
The LDAP suffix used when seraching user email
<P>
</LI>
<LI>ldap_scope
<BR>
The scope use when seraching user email, possible values are <TT>sub</TT>, <TT>base</TT>, and <TT>one</TT>.
The scope used when seraching user email, possible values are <TT>sub</TT>, <TT>base</TT>, and <TT>one</TT>.
<P>
</LI>
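Review bot: the "use" to "used" fix in this hunk leaves "seraching" in both corrected sentences; fix that typo in the same pass.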
......@@ -755,7 +845,7 @@ If set to <TT>1</TT>, connection to the LDAP server will use SSL (LDAPS).
<LI>ldap_ssl_version
<P>
This defines the version of the SSL/TLS protocol to use. Defaults of <A NAME="6155"></A>Net::LDAPS to <TT>sslv2/3</TT>,
This defines the version of the SSL/TLS protocol to use. Defaults of <A NAME="6190"></A>Net::LDAPS to <TT>sslv2/3</TT>,
other possible values are <TT>sslv2</TT>, <TT>sslv3</TT>, and <TT>tlsv1</TT>.
<P>
......@@ -764,7 +854,7 @@ This defines the version of the SSL/TLS protocol to use. Defaults of <A NAME="61
<P>
Specify which subset of cipher suites are permissible for this connection, using the
OpenSSL string format. The default value of <A NAME="6156"></A>Net::LDAPS for ciphers is <TT>ALL</TT>,
OpenSSL string format. The default value of <A NAME="6191"></A>Net::LDAPS for ciphers is <TT>ALL</TT>,
which permits all ciphers, even those that don't encrypt!
<P>
......@@ -773,7 +863,7 @@ Specify which subset of cipher suites are permissible for this connection, using
<P>
<H1><A NAME="SECTION001060000000000000000"></A><A NAME="6157"></A>
<H1><A NAME="SECTION001060000000000000000"></A><A NAME="6192"></A>
<A NAME="sharing-auth"></A>
<BR>
9.6 Sharing <I>WWSympa</I> authentication with other applications
......@@ -789,22 +879,22 @@ work with <I>Sympa</I>, you have two possibilities :
<P>
<UL>
<LI>Delegating authentication operations to <A NAME="6163"></A><I>WWSympa</I>
<LI>Delegating authentication operations to <A NAME="6198"></A><I>WWSympa</I>
<BR>
If you want to avoid spending a lot of time programming a CGI to do Login, Logout
and Remindpassword, you can copy <A NAME="6166"></A><I>WWSympa</I>'s login page to your
and Remindpassword, you can copy <A NAME="6201"></A><I>WWSympa</I>'s login page to your
application, and then make use of the cookie information within your application.
The cookie format is :
<PRE>
sympauser=&lt;user_email&gt;:&lt;checksum&gt;
</PRE>
where <TT>&lt;</TT>user_email<TT>&gt;</TT> is the user's complete e-mail address, and
<TT>&lt;</TT>checksum<TT>&gt;</TT> are the 8 last bytes of the a MD5 checksum of the <TT>&lt;</TT>user_email<TT>&gt;</TT>+<I>Sympa</I> <A NAME="6170"></A><TT>cookie</TT>
<TT>&lt;</TT>checksum<TT>&gt;</TT> are the 8 last bytes of the a MD5 checksum of the <TT>&lt;</TT>user_email<TT>&gt;</TT>+<I>Sympa</I> <A NAME="6205"></A><TT>cookie</TT>
configuration parameter.
Your application needs to know what the <A NAME="6173"></A><TT>cookie</TT> parameter
Your application needs to know what the <A NAME="6208"></A><TT>cookie</TT> parameter
is, so it can check the HTTP cookie validity ; this is a secret shared
between <A NAME="6176"></A><I>WWSympa</I> and your application.
<A NAME="6179"></A><I>WWSympa</I>'s <I>loginrequest</I> page can be called to return to the
between <A NAME="6211"></A><I>WWSympa</I> and your application.
<A NAME="6214"></A><I>WWSympa</I>'s <I>loginrequest</I> page can be called to return to the
referer URL when an action is performed. Here is a sample HTML anchor :
<P>
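Review bot: "8 last bytes of the a MD5 checksum" (the checksum line, unchanged apart from the anchor number) is garbled and ambiguous: an application re-implementing the check needs to know whether this means the last 8 hexadecimal characters of the digest string or the last 8 raw bytes, and whether user_email and the cookie parameter are concatenated with no separator. Since the section invites other applications to trust this cookie on the strength of the shared secret, it should also state that the format sympauser=<user_email>:<checksum> carries no timestamp or expiry, so a cookie stays valid as long as the cookie parameter is unchanged.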
......@@ -813,18 +903,18 @@ referer URL when an action is performed. Here is a sample HTML anchor :
</PRE>
<P>
You can also have your own HTML page submitting data to <A NAME="6182"></A><TT>wwsympa.fcgi</TT> CGI. If you're
You can also have your own HTML page submitting data to <A NAME="6217"></A><TT>wwsympa.fcgi</TT> CGI. If you're
doing so, you can set the <TT>referer</TT> variable to another URI. You can also
set the <TT>failure_referer</TT> to make WWSympa redirect the client to a different
URI if login fails.
<P>
</LI>
<LI>Using <A NAME="6185"></A><I>WWSympa</I>'s HTTP cookie format within your auth module
<LI>Using <A NAME="6220"></A><I>WWSympa</I>'s HTTP cookie format within your auth module
<BR>
To cooperate with <A NAME="6188"></A><I>WWSympa</I>, you simply need to adopt its HTTP
To cooperate with <A NAME="6223"></A><I>WWSympa</I>, you simply need to adopt its HTTP
cookie format and share the secret it uses to generate MD5 checksums,
i.e. the <A NAME="6191"></A><TT>cookie</TT> configuration parameter. In this way, <A NAME="6194"></A><I>WWSympa</I>
i.e. the <A NAME="6226"></A><TT>cookie</TT> configuration parameter. In this way, <A NAME="6229"></A><I>WWSympa</I>
will accept users authenticated through your application without
further authentication.
......@@ -865,7 +955,7 @@ further authentication.
<!--End of Navigation Panel-->
<ADDRESS>
root
2004-10-08
2004-10-11
</ADDRESS>
</BODY>
</HTML>
......@@ -82,18 +82,18 @@ original version by: Nikos Drakos, CBLU, University of Leeds
<HR>
<H1><A NAME="SECTION001100000000000000000"></A>
<A NAME="scenarios"></A><A NAME="1568"></A>
<A NAME="scenarios"></A><A NAME="1600"></A>
<BR>
10. Authorization scenarios
</H1>
<P>
List parameters controlling the behavior of commands are linked to different authorization scenarios.
For example : the <A NAME="6197"></A><TT>send private</TT> parameter is related to the send.private scenario.
For example : the <A NAME="6232"></A><TT>send private</TT> parameter is related to the send.private scenario.
There are four possible locations for a authorization scenario. When <I>Sympa</I> seeks to apply an authorization scenario, it
looks first in the related list directory <A NAME="6213"></A><TT>/home/sympa/expl/<TT>&lt;</TT>list<TT>&gt;</TT>/scenari</TT>. If it
does not find the file there, it scans the current robot configuration directory <A NAME="6222"></A><TT>/home/sympa/etc/my.domain.org/scenari</TT>, then the site's configuration directory <A NAME="6225"></A><TT>/home/sympa/etc/scenari</TT>,
and finally <A NAME="6228"></A><TT>/home/sympa/bin/etc/scenari</TT>, which is the directory installed by the Makefile.
looks first in the related list directory <A NAME="6248"></A><TT>/home/sympa/expl/<TT>&lt;</TT>list<TT>&gt;</TT>/scenari</TT>. If it
does not find the file there, it scans the current robot configuration directory <A NAME="6257"></A><TT>/home/sympa/etc/my.domain.org/scenari</TT>, then the site's configuration directory <A NAME="6260"></A><TT>/home/sympa/etc/scenari</TT>,
and finally <A NAME="6263"></A><TT>/home/sympa/bin/etc/scenari</TT>, which is the directory installed by the Makefile.
<P>
An authorization scenario is a small configuration language to describe who
......@@ -120,11 +120,11 @@ Each authorization scenario rule contains :
SRC="img2.png"
ALT="$]$"> for the listname etc.
</LI>
<LI>an authentication method. The authentication method can be <A NAME="6232"></A><TT>smtp</TT>,
<A NAME="6235"></A><TT>md5</TT> or <A NAME="6238"></A><TT>smime</TT>. The rule is applied by <I>Sympa</I> if both condition
and authentication method match the runtime context. <A NAME="6242"></A><TT>smtp</TT> is used if
<I>Sympa</I> use the SMTP <A NAME="6246"></A><TT>from:</TT> header , <A NAME="6249"></A><TT>md5</TT> is used if a unique
md5 key as been returned by the requestor to validate her message, <A NAME="6252"></A><TT>smime</TT>
<LI>an authentication method. The authentication method can be <A NAME="6267"></A><TT>smtp</TT>,
<A NAME="6270"></A><TT>md5</TT> or <A NAME="6273"></A><TT>smime</TT>. The rule is applied by <I>Sympa</I> if both condition
and authentication method match the runtime context. <A NAME="6277"></A><TT>smtp</TT> is used if
<I>Sympa</I> use the SMTP <A NAME="6281"></A><TT>from:</TT> header , <A NAME="6284"></A><TT>md5</TT> is used if a unique
md5 key as been returned by the requestor to validate her message, <A NAME="6287"></A><TT>smime</TT>
is used for signed messages (see <A HREF="node21.html#smimeforsign">20.4.3</A>, page&nbsp;<A HREF="node21.html#smimeforsign"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>).
</LI>
<LI>a returned atomic action that will be executed by <I>Sympa</I> if the rule matches
......@@ -248,19 +248,19 @@ probably create authorization scenarios for your own need. In this case, don't f
and wwsympa because authorization scenarios are not reloaded dynamicaly.
<P>
These standard authorization scenarios are located in the <A NAME="6258"></A><TT>/home/sympa/bin/etc/scenari/</TT>
These standard authorization scenarios are located in the <A NAME="6293"></A><TT>/home/sympa/bin/etc/scenari/</TT>
directory. Default scenarios are named <TT>&lt;</TT>command<TT>&gt;</TT>.default.
<P>
You may also define and name your own authorization scenarios. Store them in the
<A NAME="6261"></A><TT>/home/sympa/etc/scenari</TT> directory. They will not be overwritten by Sympa release.
Scenarios can also be defined for a particular virtual robot (using directory <A NAME="6276"></A><TT>/home/sympa/etc/<TT>&lt;</TT>robot<TT>&gt;</TT>/scenari</TT>) or for a list ( <A NAME="6303"></A><TT>/home/sympa/expl/<TT>&lt;</TT>robot<TT>&gt;</TT>/<TT>&lt;</TT>list<TT>&gt;</TT>/scenari</TT> ).
<A NAME="6296"></A><TT>/home/sympa/etc/scenari</TT> directory. They will not be overwritten by Sympa release.
Scenarios can also be defined for a particular virtual robot (using directory <A NAME="6311"></A><TT>/home/sympa/etc/<TT>&lt;</TT>robot<TT>&gt;</TT>/scenari</TT>) or for a list ( <A NAME="6338"></A><TT>/home/sympa/expl/<TT>&lt;</TT>robot<TT>&gt;</TT>/<TT>&lt;</TT>list<TT>&gt;</TT>/scenari</TT> ).
<P>
Example:
<P>
Copy the previous scenario to <A NAME="6318"></A><TT>scenari/subscribe.rennes1</TT> :
Copy the previous scenario to <A NAME="6353"></A><TT>scenari/subscribe.rennes1</TT> :
<P><PRE>
equal([sender], 'userxxx@univ-rennes1.fr') smtp,smime -&gt; reject
......@@ -287,7 +287,7 @@ subscribe rennes1
At the moment Named Filters are only used in authorization scenarios. They enable to select a category of people who will be authorized or not to realise some actions.
<P>
As a consequence, you can grant privileges in a list to people belonging to an <A NAME="6321"></A>LDAP directory thanks to an authorization scenario.
As a consequence, you can grant privileges in a list to people belonging to an <A NAME="6356"></A>LDAP directory thanks to an authorization scenario.
<P>
......@@ -296,7 +296,7 @@ As a consequence, you can grant privileges in a list to people belonging to an <
</H2>
<P>
People are selected through an <A NAME="6322"></A>LDAP filter defined in a configuration file. This file must have the extension '.ldap'.It is stored in <A NAME="6323"></A><TT>/home/sympa/etc/search_filters/</TT>.
People are selected through an <A NAME="6357"></A>LDAP filter defined in a configuration file. This file must have the extension '.ldap'.It is stored in <A NAME="6358"></A><TT>/home/sympa/etc/search_filters/</TT>.
<P>
You must give several informations in order to create a Named Filter:
......@@ -479,7 +479,7 @@ at the my.domain.orgrobot level only.
<!--End of Navigation Panel-->
<ADDRESS>
root
2004-10-08
2004-10-11
</ADDRESS>
</BODY>
</HTML>
......@@ -111,7 +111,7 @@ Note that the main limitation of virtual robots in Sympa is that you cannot crea
</H1>
<P>
You don't need to install several Sympa servers. A single <A NAME="6330"></A><TT>sympa.pl</TT> daemon
You don't need to install several Sympa servers. A single <A NAME="6365"></A><TT>sympa.pl</TT> daemon
and one or more fastcgi servers can serve all virtual robot. Just configure the
server environment in order to accept the new domain definition.
......@@ -155,7 +155,7 @@ FastCgiServer /home/sympa/bin/wwsympa.fcgi -processes 3 -idle-timeout 120
<P>
</LI>
<LI>Create a <A NAME="6333"></A><TT>robot.conf</TT> for the virtual robot (current web interface does
<LI>Create a <A NAME="6368"></A><TT>robot.conf</TT> for the virtual robot (current web interface does
not provide Virtual robot creation yet).
<P>
......@@ -168,15 +168,15 @@ not provide Virtual robot creation yet).
11.2 robot.conf</A>
</H1>
A robot is named by its domain, let's say my.domain.organd defined by a directory
<A NAME="6336"></A><TT>/home/sympa/etc/my.domain.org</TT>. This directory must contain at least a
<A NAME="6339"></A><TT>robot.conf</TT> file. This files has the same format as <A NAME="6342"></A><TT>/etc/sympa.conf</TT>
<A NAME="6371"></A><TT>/home/sympa/etc/my.domain.org</TT>. This directory must contain at least a
<A NAME="6374"></A><TT>robot.conf</TT> file. This files has the same format as <A NAME="6377"></A><TT>/etc/sympa.conf</TT>
(have a look at robot.conf in the sample dir).
Only the following parameters can be redefined for a particular robot :
<P>
<UL>
<LI><A NAME="6345"></A><TT>http_host</TT>
<LI><A NAME="6380"></A><TT>http_host</TT>
<BR>
This hostname will be compared with 'SERVER_NAME' environment variable in wwsympa.fcgi
to determine the current Virtual Robot. You can a path at the end of this parameter if
......@@ -188,65 +188,65 @@ This hostname will be compared with 'SERVER_NAME' environment variable in wwsymp
<P>
</LI>
<LI><A NAME="6348"></A><TT>wwsympa_url</TT>
<LI><A NAME="6383"></A><TT>wwsympa_url</TT>
<BR>
The base URL of WWSympa
<P>
</LI>
<LI><A NAME="6351"></A><TT>soap_url</TT>
<LI><A NAME="6386"></A><TT>soap_url</TT>
<BR>
The base URL of Sympa's SOAP server (if it is running ; see&nbsp;<A HREF="node9.html#soap">8</A>, page&nbsp;<A HREF="node9.html#soap"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>)
<P>
</LI>
<LI><A NAME="6354"></A><TT>cookie_domain</TT>
<LI><A NAME="6389"></A><TT>cookie_domain</TT>
<P>
</LI>
<LI><A NAME="6357"></A><TT>email</TT>
<LI><A NAME="6392"></A><TT>email</TT>
<P>
</LI>
<LI><A NAME="6360"></A><TT>title</TT>
<LI><A NAME="6395"></A><TT>title</TT>
<P>
</LI>
<LI><A NAME="6363"></A><TT>default_home</TT>
<LI><A NAME="6398"></A><TT>default_home</TT>
<P>
</LI>
<LI><A NAME="6366"></A><TT>create_list</TT>
<LI><A NAME="6401"></A><TT>create_list</TT>
<P>
</LI>
<LI><A NAME="6369"></A><TT>lang</TT>
<LI><A NAME="6404"></A><TT>lang</TT>
<P>
</LI>
<LI><A NAME="6372"></A><TT>supported_lang</TT>
<LI><A NAME="6407"></A><TT>supported_lang</TT>
<P>
</LI>
<LI><A NAME="6375"></A><TT>log_smtp</TT>
<LI><A NAME="6410"></A><TT>log_smtp</TT>
<P>
</LI>
<LI><A NAME="6378"></A><TT>listmaster</TT>
<LI><A NAME="6413"></A><TT>listmaster</TT>
<P>
</LI>
<LI><A NAME="6381"></A><TT>max_size</TT>
<LI><A NAME="6416"></A><TT>max_size</TT>
<P>
</LI>
<LI><A NAME="6384"></A><TT>dark_color</TT>, <A NAME="6387"></A><TT>light_color</TT>, <A NAME="6390"></A><TT>text_color</TT>, <A NAME="6393"></A><TT>bg_color</TT>, <A NAME="6396"></A><TT>error_color</TT>, <A NAME="6399"></A><TT>selected_color</TT>, <A NAME="6402"></A><TT>shaded_color</TT>
<LI><A NAME="6419"></A><TT>dark_color</TT>, <A NAME="6422"></A><TT>light_color</TT>, <A NAME="6425"></A><TT>text_color</TT>, <A NAME="6428"></A><TT>bg_color</TT>, <A NAME="6431"></A><TT>error_color</TT>, <A NAME="6434"></A><TT>selected_color</TT>, <A NAME="6437"></A><TT>shaded_color</TT>
</LI>
</UL>
<P>
These settings overwrite the equivalent global parameter defined in <A NAME="6405"></A><TT>/etc/sympa.conf</TT>
for my.domain.orgrobot ; the main <A NAME="6408"></A><TT>listmaster</TT> still has privileges on Virtual
These settings overwrite the equivalent global parameter defined in <A NAME="6440"></A><TT>/etc/sympa.conf</TT>
for my.domain.orgrobot ; the main <A NAME="6443"></A><TT>listmaster</TT> still has privileges on Virtual
Robots though. The http_host parameter is compared by wwsympa with the SERVER_NAME
environment variable to recognize which robot is in used.
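Review bot: the regenerated line "for my.domain.orgrobot ; the main listmaster" still runs the domain name and the word "robot" together (the old line and the hunk header context "at the my.domain.orgrobot level" show the same defect), which looks like a missing space after a macro expansion in the source; fix it there so the regenerated HTML comes out right. Also "which robot is in used" should read "which robot is in use".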
......@@ -260,10 +260,10 @@ environment variable to recognize which robot is in used.
If needed, you can customize each virtual robot using its set of templates and authorization scenarios.
<P>
<A NAME="6411"></A><TT>/home/sympa/etc/my.domain.org/wws_templates/</TT>,
<A NAME="6414"></A><TT>/home/sympa/etc/my.domain.org/templates/</TT>,
<A NAME="6417"></A><TT>/home/sympa/etc/my.domain.org/scenari/</TT> directories are searched when
loading templates or scenari before searching into <A NAME="6420"></A><TT>/home/sympa/etc</TT> and <A NAME="6423"></A><TT>/home/sympa/bin/etc</TT>. This allows to define different privileges and a different GUI for a Virtual Robot.
<A NAME="6446"></A><TT>/home/sympa/etc/my.domain.org/wws_templates/</TT>,
<A NAME="6449"></A><TT>/home/sympa/etc/my.domain.org/templates/</TT>,
<A NAME="6452"></A><TT>/home/sympa/etc/my.domain.org/scenari/</TT> directories are searched when
loading templates or scenari before searching into <A NAME="6455"></A><TT>/home/sympa/etc</TT> and <A NAME="6458"></A><TT>/home/sympa/bin/etc</TT>. This allows to define different privileges and a different GUI for a Virtual Robot.
<P>
......@@ -273,14 +273,14 @@ loading templates or scenari before searching into <A NAME="6420"></A><TT>/home/
<P>
If you are managing more than 2 virtual robots, then you might cinsider moving all the mailing lists in the default
robot to a dedicated virtual robot located in the <A NAME="6426"></A><TT>/home/sympa/expl/my.domain.org/</TT> directory. The main benefit of
robot to a dedicated virtual robot located in the <A NAME="6461"></A><TT>/home/sympa/expl/my.domain.org/</TT> directory. The main benefit of
this organisation is the ability to define default configuration elements (templates or authorization scenarios)
for this robot without inheriting them within other virtual robots.
<P>
To create such a virtual robot, you need to create <A NAME="6429"></A><TT>/home/sympa/expl/my.domain.org/</TT> and <A NAME="6432"></A><TT>/home/sympa/etc/my.domain.org/</TT> directories ;
customize <A NAME="6435"></A><TT>host</TT>, <A NAME="6438"></A><TT>http_host</TT> and <A NAME="6441"></A><TT>wwsympa_url</TT> parameters in the <A NAME="6444"></A><TT>/home/sympa/etc/my.domain.org/robot.conf</TT>
with the same values as the default robot (as defined in <A NAME="6447"></A><TT>sympa.conf</TT> and <A NAME="6450"></A><TT>wwsympa.conf</TT> files).
To create such a virtual robot, you need to create <A NAME="6464"></A><TT>/home/sympa/expl/my.domain.org/</TT> and <A NAME="6467"></A><TT>/home/sympa/etc/my.domain.org/</TT> directories ;
customize <A NAME="6470"></A><TT>host</TT>, <A NAME="6473"></A><TT>http_host</TT> and <A NAME="6476"></A><TT>wwsympa_url</TT> parameters in the <A NAME="6479"></A><TT>/home/sympa/etc/my.domain.org/robot.conf</TT>
with the same values as the default robot (as defined in <A NAME="6482"></A><TT>sympa.conf</TT> and <A NAME="6485"></A><TT>wwsympa.conf</TT> files).
<P>
......@@ -315,7 +315,7 @@ with the same values as the default robot (as defined in <A NAME="6447"></A><TT>
<!--End of Navigation Panel-->
<ADDRESS>
root
2004-10-08
2004-10-11
</ADDRESS>
</BODY>
</HTML>
......@@ -115,7 +115,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds
<!--End of Table of Child-Links-->
<HR>
<H1><A NAME="SECTION001300000000000000000"></A><A NAME="6454"></A>
<H1><A NAME="SECTION001300000000000000000"></A><A NAME="6489"></A>
<A NAME="customization"></A>
<BR>
12. Customizing <I>Sympa</I>/<I>WWSympa</I>
......@@ -124,7 +124,7 @@ original version by: Nikos Drakos, CBLU, University of Leeds
<P>
<H1><A NAME="SECTION001310000000000000000"></A>