LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.


Description

LemonLDAP::NG is a FOSS WebSSO, access management and identity federation software developed since 2005. Its community is active and regularly proposes new versions. This software provides many functionalities:

* Multi-domain SSO
* Configuration and session management
* Form replay
* Protocol support: LDAP, CAS, OpenID, SAML, Radius
* Authentication methods chaining
* Applications portal
* Password management
* Notifications
* Connection history management
* Put an application in maintenance state
* Inserting a menu on protected applications

LemonLDAP::NG can be used as a gateway between many authentication protocols, for example:

* Provide identity through SAML after an LDAP authentication
* Provide identity through CAS after an OpenID authentication
* Provide identity through OpenID after a Twitter authentication

LemonLDAP::NG is an efficient means to link SaaS applications to internal applications, all relying on the authentication of the enterprise directory.

Transcript of LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.

Page 1: LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.

Twitter #ow2con www.ow2.org

LemonLDAP::NG 1.3

David Coutadeur

New features of LemonLDAP::NG 1.3

Page 2: About the speaker

Page 3: David Coutadeur

● LDAP engineer since 2010 in LINAGORA company, with experience in Sun/Oracle to OpenLDAP migration

● Integrator for LinID solutions http://linid.org

● Member of the LTB team http://ltb-project.org

● Member of the LSC team http://lsc-project.org

● Member of LemonLDAP::NG project core-team

http://lemonldap-ng.org

Page 4: LemonLDAP::NG

Page 5: Components

● LemonLDAP::NG main components:

– Portal: authentication process, user interaction, application menu, password change form

– Manager: configuration interface, sessions explorer

– Handler: Apache agent, manages access authorizations

● Perl, only Perl, just Perl

● Relies on Apache and mod_perl

Page 6: Follow the white request

Page 7: What's new?

● FastCGI Portal

● Authentication/user modules:

– Active Directory

– BrowserID

– WebID

– Google

– Facebook

● JSON file configuration backend

● Captcha

● Aliases for virtual hosts

● CLI LemonLDAP Manager

Page 8: FastCGI Portal

● CGI interfaces applications to web servers

● FastCGI reduces overhead thanks to persistent processes, reached through a socket or a TCP connection

● LemonLDAP::NG CGIs can now be easily extended to FastCGI:

– Manager (not so useful)

– Portal

● Improves response time

● Scalability not tested yet (CGI farm servers)

Page 9: Active Directory module

● Active Directory is a "special" LDAP directory

● AD module is nearly the same as LDAP

● Specific default values for filters to match AD schema

● Compatible password modification

● Reset password on next logon workflow
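An added example (not LemonLDAP::NG's own code) of the two AD-specific points above: a user search filter written for the AD schema, with the login name escaped so it cannot change the filter's structure, and the pwdLastSet / userAccountControl logic behind the "reset password on next logon" workflow and password expiry. The attribute names and flag values are Active Directory's documented ones; the 42-day maxPwdAge, the clock and the five users are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits (Microsoft-documented values)
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
NORMAL_ACCOUNT = 0x0200
# AD timestamps are FILETIME values: 100-ns intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name cannot alter the filter structure."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def ad_user_filter(login: str) -> str:
    """AD-schema search filter: objectClass=user and sAMAccountName, not uid."""
    return '(&(objectClass=user)(sAMAccountName=%s))' % escape_filter_value(login)

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def account_status(entry: dict, max_pwd_age: int, now: datetime) -> str:
    """Decide what the portal should do with an AD user entry (attributes as ints);
    max_pwd_age is the domain's maxPwdAge, a negative FILETIME interval."""
    if entry['userAccountControl'] & ACCOUNTDISABLE:
        return 'disabled'
    if entry['pwdLastSet'] == 0:  # admin ticked "user must change password at next logon"
        return 'must_change_password'
    if entry['userAccountControl'] & DONT_EXPIRE_PASSWORD:
        return 'ok'
    expires = filetime_to_datetime(entry['pwdLastSet'] - max_pwd_age)
    return 'password_expired' if now >= expires else 'ok'

# Constructed sample data, not taken from a real directory
NOW = datetime(2013, 11, 12, tzinfo=timezone.utc)
MAX_PWD_AGE = -(42 * 24 * 3600 * 10_000_000)  # 42 days as a negative FILETIME interval
def _set(days_ago): return datetime_to_filetime(NOW - timedelta(days=days_ago))
SAMPLE_USERS = {
    'alice': {'userAccountControl': NORMAL_ACCOUNT, 'pwdLastSet': 0},
    'bob':   {'userAccountControl': NORMAL_ACCOUNT | ACCOUNTDISABLE, 'pwdLastSet': _set(1)},
    'carol': {'userAccountControl': NORMAL_ACCOUNT, 'pwdLastSet': _set(50)},
    'dave':  {'userAccountControl': NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 'pwdLastSet': _set(50)},
    'erin':  {'userAccountControl': NORMAL_ACCOUNT, 'pwdLastSet': _set(10)},
}

def demo() -> dict:
    return {name: account_status(e, MAX_PWD_AGE, NOW) for name, e in SAMPLE_USERS.items()}
```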

Page 10: BrowserID module

● Authentication database only

● Mozilla Persona: implementation of a distributed login system based on BrowserID protocol

● Similar to OpenID

● BrowserID is based on an email address, OpenID on a complicated URL

● Cross-browser (if recent)

● Public key cryptography

● Involves users, Relying Parties, and Identity Providers

Page 11: WebID module

● Invented by a community group at W3C

● WebID = URI that refers to a person → uniquely identifies a user by his relation to a public key

e.g. https://mywebsite.net/#dco

● WebID protocol is based on these URIs and a client certificate

● You may already have one! By joining a social network site: Libre.fm, MyOpera, Twitter

● URI can be linked to other profiles, to create a linked web of trust

● FOAF sites store Friend-of-a-Friend data, which can provision the users module in LemonLDAP::NG

Page 12: Google module

● Authentication and users databases

● Users log in with Google authentication process

● LemonLDAP::NG uses the OpenID protocol to trust that authentication

● OpenID:

– Decentralized authentication system based on URLs, involving Providers, Relying Parties and users

– The user chooses what data he wants to make accessible to each RP

● Mail used as login name

● A few data available: country, email, firstname, language, lastname

Page 13: Facebook module

● More than 1.1 billion users in the world

● Authentication and users databases

● OAuth2 as authorization protocol (no authentication)

● OAuth2:

– Based on access and refresh tokens exchanged between client application and resource server

– Binding between LemonLDAP (client) and Facebook (resource server) is done by getting an application ID and a secret

Page 14: JSON file configuration backend

● "JavaScript Object Notation"

● Generic data format for representing structured information

● Configuration stored in a more readable way

● Can be shared by

– Any file sharing system (NFS, NAS, SAN, …)

– SOAP configuration backend proxy

Page 15: And much more...

● Captcha

● Can be used

– At user connection

– In mail reset component

● Extra control to ensure one is human

● Aliases for virtual hosts

● Allows creating numerous vhosts that share the same headers and the same protection rules

● CLI LemonLDAP Manager

● Tool to manage the LemonLDAP configuration from the command line

Page 16: What's next?

● Configuration and cache optimization

● Code refactoring with Moose/Mouse for better OO code

● Handler modularization

● Compatibility with Apache MPM-event or Nginx?

Page 17: The end... almost

Page 18: Thanks

● Thanks to:

– OW2 Con organizers

– LINAGORA company

– LemonLDAP::NG and Perl community

● Stay in touch:

– IRC: stryg #lemonldap-ng@freenode

Page 19: Questions?