The LemonLDAP::NG Project
LemonLDAP::NG
Web access under protect
The LemonLDAP::NG project
Clément OUDOT, FOSDEM – 5th February 2012
http://lemonldap-ng.org – 02/05/12
Schedule
● Speaker
● Single Sign On
● The LemonLDAP::NG software
About me
Clément OUDOT
● LDAP engineer since 2003 at the LINAGORA company, with experience in SUN/Oracle to OpenLDAP migrations
● LinID Dream Team Manager: http://linid.org
● Leader of the LDAP Tool Box project: http://ltb-project.org
● Leader of the LemonLDAP::NG project: http://lemonldap-ng.org
Single Sign On
Definition
● Single Sign On authentication allows users to submit their credentials only once, and then to access all trusted applications
● Applications do not manage passwords anymore
● The identity of the user is forwarded to applications by the SSO software
SSO for the newbies
[Diagram: User, WebSSO Portal, Web Application; exchanges numbered 1, 2, 3]
LemonLDAP::NG
Components
● LemonLDAP::NG main components:
  ● Portal: authentication process, user interaction, application menu, password change form
  ● Manager: configuration interface, sessions explorer
  ● Handler: Apache agent, manages access authorizations
● Perl, only Perl, just Perl
● Relies on Apache and mod_perl
SSO for the L33T
Application protection
● LemonLDAP::NG uses the Apache virtual host as application identifier
● Each application owns:
  ● Access rules: each rule refers to a URL pattern; logout can be caught
  ● HTTP headers: each header contains a session value, or an evaluated Perl expression
  ● POST data: only used for form replay
  ● Redirection options: protocol and port
Examples
● Access rules:
  ● default → accept
  ● ^/admin → $groups =~ /admin/
  ● ^/logout.php → logout_sso
● HTTP headers:
  ● Auth-User → $uid
  ● Auth-Name → uc($sn).", ".ucfirst($gn)
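To show how the rules and headers on this slide behave once a request reaches the Handler, here is an added Perl example. It is not LemonLDAP::NG's own Handler code: it is a small stand-alone evaluator that mimics the behaviour described (the first URL pattern that matches wins, `default` applies otherwise, `logout_sso` is a keyword, and rule and header values are Perl expressions evaluated over session variables). The session contents (`jdoe`, `guest`, their groups) are constructed for the demonstration, and `decide`, `build_headers` and `eval_expr` are names chosen here, not project APIs.

```perl
#!/usr/bin/perl
# Illustrative evaluator for the access rules and HTTP headers shown on the
# slide. Added example, not LemonLDAP::NG code. Function and variable names
# are this example's own.
use strict;
use warnings;

# Constructed session data standing in for a real SSO session.
my %session = (
    uid    => 'jdoe',
    sn     => 'doe',
    gn     => 'john',
    groups => 'users; admin',
);

# Access rules in evaluation order; "default" is kept aside as the fallback.
# A value is either the keyword logout_sso, accept/deny, or a Perl expression.
my @rules = (
    [ '^/admin',      '$groups =~ /admin/' ],
    [ '^/logout.php', 'logout_sso'         ],
);
my $default_rule = 'accept';

# Header name => Perl expression over session variables.
my %headers = (
    'Auth-User' => '$uid',
    'Auth-Name' => 'uc($sn).", ".ucfirst($gn)',
);

# Evaluate one Perl expression with $uid, $sn, $gn and $groups bound from the
# session. Such expressions run with the handler's privileges, so only the
# SSO administrator (through the Manager) should ever be able to write them.
sub eval_expr {
    my ( $expr, $s ) = @_;
    my ( $uid, $sn, $gn, $groups ) = @{$s}{qw(uid sn gn groups)};
    my $result = eval $expr;    # string eval sees the lexicals above
    die "bad expression '$expr': $@" if $@;
    return $result;
}

# Decide what the handler does for a request URI: accept, deny or logout.
sub decide {
    my ( $uri, $s ) = @_;
    my $rule = $default_rule;
    for my $r (@rules) {
        my ( $pattern, $value ) = @$r;
        if ( $uri =~ /$pattern/ ) { $rule = $value; last; }
    }
    return 'logout' if $rule eq 'logout_sso';
    return 'accept' if $rule eq 'accept';
    return 'deny'   if $rule eq 'deny';
    return eval_expr( $rule, $s ) ? 'accept' : 'deny';
}

# Build the headers the handler would forward to the protected application.
sub build_headers {
    my ($s) = @_;
    my %out = map { ( $_ => eval_expr( $headers{$_}, $s ) ) } sort keys %headers;
    return \%out;
}

# Demonstration: an admin user, then a user without the admin group.
for my $uri ( '/index.html', '/admin/users', '/logout.php' ) {
    printf "%-14s -> %s\n", $uri, decide( $uri, \%session );
}
my $h = build_headers( \%session );
print "$_: $h->{$_}\n" for sort keys %$h;

my %guest = ( uid => 'guest', sn => 'smith', gn => 'ann', groups => 'users' );
printf "%-14s -> %s (guest)\n", '/admin/users', decide( '/admin/users', \%guest );
```

For `jdoe` the script accepts `/index.html` (default rule), accepts `/admin/users` (the `$groups` regex matches) and reports `logout` for `/logout.php`, and it forwards `Auth-User: jdoe` and `Auth-Name: DOE, John`; for `guest`, `/admin/users` is denied. The point worth keeping in mind from a security standpoint is that header and rule values are executed Perl, which is why they belong to the configuration written by the SSO administrator and never to anything a user can influence.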
Configuration interface
Authentication methods
● LemonLDAP::NG supports a lot of authentication methods:
  ● LDAP
  ● Database
  ● SSL X509
  ● Apache built-in modules (Kerberos, OTP, ...)
  ● SAML 2.0
  ● OpenID
  ● Twitter
  ● CAS
  ● Yubikey
● Methods can be stacked or displayed together
Identity Provider
● LemonLDAP::NG is a federation product, allowing services to get the user identity through standard protocols:
  ● SAML 2.0
  ● OpenID 2.0
  ● CAS 1.0 and 2.0
Release 1.2, soon...
● New release planned soon (this month?):
  ● Radius authentication module
  ● Login history
  ● New 'skip' rule
  ● Improved session cache management
  ● Custom session granting policies
  ● Better URL handling in CAS and SAML Issuer modules
The end... almost
Thanks
● Thanks to:
  ● FOSDEM and Perl DevRoom organizers
  ● LINAGORA company
  ● Perl (it is still alive!)
● Stay in touch:
  ● Identica: @coudot
  ● Twitter: @clementoudot
  ● IRC: KPTN #lemonldap-ng@freenode
Questions?