LemonLDAP::NG - the New Generation WebSSO !, David Coutadeur, Linagora.

LemonLDAP::NG is a FOSS for WebSSO, access management and identity federation, developed since 2005. Its community is active and regularly proposes new versions. This software provides many functionalities:
  • Multi-domain SSO
  • Configuration and session management
  • Form replay
  • Protocol support: LDAP, CAS, OpenID, SAML, Radius
  • Authentication methods chaining
  • Applications portal
  • Password management
  • Notifications
  • Connection history management
  • Putting an application in maintenance state
  • Inserting a menu on protected applications
LemonLDAP::NG can be used as a gateway between many authentication protocols, for example:
  • Provide identity through SAML after an LDAP authentication
  • Provide identity through CAS after an OpenID authentication
  • Provide identity through OpenID after a Twitter authentication
LemonLDAP::NG is an efficient means to link SaaS applications to internal applications, all relying on the authentication of the enterprise directory.

Published in: Technology

  1. LemonLDAP::NG 1.3 - New features of LemonLDAP::NG 1.3. David Coutadeur. www.ow2.org Twitter #ow2con
  2. About the speaker
  3. David Coutadeur
     ● LDAP engineer since 2010 in LINAGORA company, with experience in SUN/Oracle to OpenLDAP migration
     ● Integrator for LinID solutions http://linid.org
     ● Member of the LTB team http://ltb-project.org
     ● Member of the LSC team http://lsc-project.org
     ● Member of the LemonLDAP::NG project core team http://lemonldap-ng.org
  4. LemonLDAP::NG
  5. Components
     ● LemonLDAP::NG main components:
       – Portal: authentication process, user interaction, application menu, password change form
       – Manager: configuration interface, sessions explorer
       – Handler: Apache agent, manages access authorizations
     ● Perl, only Perl, just Perl
     ● Relies on Apache and mod_perl
  6. Follow the white request
  7. What's new?
     ● FastCGI Portal
     ● Authentication/user modules:
       – Active Directory
       – BrowserID
       – WebID
       – Google
       – Facebook
     ● JSON file configuration backend
     ● Captcha
     ● Aliases for virtual hosts
     ● CLI LemonLDAP Manager
  8. FastCGI Portal
     ● CGI interfaces applications to web servers
     ● FastCGI reduces overhead thanks to persistent processes, joined by a socket or a TCP connection
     ● LemonLDAP::NG CGIs can now be easily extended to FastCGI:
       – Manager (not so useful)
       – Portal
     ● Improves response time
     ● Scalability not tested yet (CGI farm servers)
  9. Active Directory module
     ● Active Directory is a "special" LDAP directory
     ● The AD module is nearly the same as LDAP
     ● Specific default values for filters to match the AD schema
     ● Compatible password modification
     ● Reset password on next logon workflow
  10. BrowserID module
     ● Authentication database only
     ● Mozilla Persona: implementation of a distributed login system based on the BrowserID protocol
     ● Similar to OpenID
     ● BrowserID based on an email address / OpenID based on a complicated URL
     ● Cross-browser (if recent)
     ● Public key cryptography
     ● Involves users, Relying Parties, and Identity Providers
  11. WebID module
     ● Invented by a community group at W3C
     ● WebID = URI that refers to a person → uniquely identifies a user by his relation to a public key, e.g. https://mywebsite.net/#dco
     ● The WebID protocol is based on these URIs and a client certificate
     ● You may already have one! By joining a social network site: Libre.fm, MyOpera, Twitter
     ● The URI can be linked to other profiles, to create a linked web of trust
     ● FOAF sites: store Friend Of A Friend data, can provision the users module in LemonLDAP::NG
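The slide states the core idea of WebID: the identity is a URI, and it is proven by the relation between that URI's profile and the public key in the client certificate. The following is an added example (not code from the slides or from LemonLDAP::NG, which is written in Perl) showing the check a relying side performs after the TLS handshake: take the URI from the certificate's subjectAltName, dereference the profile document (fragment stripped), and accept only if that profile lists the same RSA modulus and exponent. The profile store, the certificate dicts and the moduli are constructed stand-ins; a deployment would fetch the profile over HTTPS and parse RDF instead.

```python
"""WebID-TLS style check: does the profile behind the SAN URI vouch for the cert's key?

Constructed example, not LemonLDAP::NG code. The TLS layer is assumed to have
already verified the client's possession of the private key during the handshake;
this step only binds the key to the claimed URI.
"""
from urllib.parse import urldefrag

# Constructed stand-in for the web: document URL -> subject URI -> cert:key entries.
# cert:modulus is given as the hex literal RDF profiles usually carry; the values
# are short made-up numbers, not real RSA keys.
PROFILE_DOCUMENTS = {
    "https://mywebsite.net/": {
        "https://mywebsite.net/#dco": [
            {"modulus": "00 c2 1f 9a 7e", "exponent": 65537},
        ],
    },
}


def fetch_profile(document_url):
    """Stand-in for an HTTPS fetch + RDF parse; refuses plain-http profiles."""
    if not document_url.startswith("https://"):
        raise LookupError("profile must be served over https")
    try:
        return PROFILE_DOCUMENTS[document_url]
    except KeyError:
        raise LookupError("profile not found") from None


def _parse_modulus(literal):
    """Normalise a cert:modulus hex literal (whitespace, leading zeros) via int."""
    return int(literal.replace(" ", ""), 16)


def verify_webid(cert, fetch=fetch_profile):
    """Return the first SAN URI whose profile lists the certificate's key, else None.

    `cert` is a dict as a TLS front end might hand it over:
    {"subject_alt_name_uris": [...], "public_key": {"modulus": int, "exponent": int}}
    """
    key = cert["public_key"]
    for uri in cert.get("subject_alt_name_uris", []):
        document_url, _fragment = urldefrag(uri)   # https://host/#dco -> https://host/
        try:
            document = fetch(document_url)
        except LookupError:
            continue                                # unreachable profile: try next URI
        for listed in document.get(uri, []):        # keys attached to exactly this subject
            if (_parse_modulus(listed["modulus"]) == key["modulus"]
                    and listed["exponent"] == key["exponent"]):
                return uri
    return None


# Constructed certificates: matching key, foreign key, and no WebID claim at all.
GOOD_CERT = {"subject_alt_name_uris": ["https://mywebsite.net/#dco"],
             "public_key": {"modulus": 0xC21F9A7E, "exponent": 65537}}
WRONG_KEY_CERT = {"subject_alt_name_uris": ["https://mywebsite.net/#dco"],
                  "public_key": {"modulus": 0xDEADBEEF, "exponent": 65537}}
NO_SAN_CERT = {"subject_alt_name_uris": [],
               "public_key": {"modulus": 0xC21F9A7E, "exponent": 65537}}

if __name__ == "__main__":
    for name, cert in [("good", GOOD_CERT), ("wrong key", WRONG_KEY_CERT), ("no SAN", NO_SAN_CERT)]:
        print(name, "->", verify_webid(cert))
```

The URI returned by `verify_webid` is the identifier a users module would then be provisioned from; a certificate whose key is not listed in the profile, or which carries no WebID URI, yields no identity rather than a fallback.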
  12. Google module
     ● Authentication and users databases
     ● Users log in with the Google authentication process
     ● LemonLDAP uses the OpenID protocol to trust the latter
     ● OpenID:
       – decentralized authentication system based on a URL, involving Providers, Relying Parties and users
       – the user chooses what data he wants to be accessible for each RP
     ● Mail used as login name
     ● A few data available: country, email, firstname, language, lastname
  13. Facebook module
     ● More than 1.1 billion users in the world
     ● Authentication and users databases
     ● OAuth2 as authorization protocol (no authentication)
     ● OAuth2:
       – Based on access and refresh tokens exchanged between the client application and the resource server
       – Binding between LemonLDAP (client) and Facebook (resource server) is done by getting an application ID and a secret
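The Facebook slide names the three ingredients of OAuth2 as the module uses it: an application ID and secret that bind the client to the provider, an access token with a limited lifetime, and a refresh token to obtain a new one. The following is an added example (not code from the slides or from LemonLDAP::NG, which is Perl) that runs both sides of the authorization-code flow in one process: `AuthorizationServer` stands in for the provider (Facebook in the talk) and `SsoClient` for the relying application (the portal). All class and function names are the example's own, and it goes a little beyond the slide by also showing the checks a defender expects on that exchange: client-secret verification, single-use codes tied to the registered redirect URI, token expiry, refresh-token rotation, and a per-login `state` value so the callback can only complete a login the client itself started.

```python
"""Minimal OAuth2 authorization-code flow, both sides in-process (constructed example)."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uri: str


@dataclass
class Record:                      # an authorization code or an issued token
    client_id: str
    user: str
    expires_at: float
    redirect_uri: str = ""


class AuthorizationServer:
    """Stand-in for the provider / resource server (Facebook in the talk)."""
    CODE_TTL = 60        # codes are short-lived and single-use
    ACCESS_TTL = 3600    # access tokens expire; refresh tokens outlive them

    def __init__(self, now=time.time):
        self.now = now   # injectable clock so expiry can be exercised offline
        self.clients, self.codes = {}, {}
        self.access_tokens, self.refresh_tokens = {}, {}

    def register_client(self, redirect_uri):
        """The 'application ID and secret' step; also pins the client's redirect URI."""
        client_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = Client(client_id, secret, redirect_uri)
        return client_id, secret

    def authorize(self, client_id, redirect_uri, user):
        """After user consent: hand back a code bound to this client and redirect URI."""
        client = self.clients.get(client_id)
        if client is None or client.redirect_uri != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = Record(client_id, user, self.now() + self.CODE_TTL, redirect_uri)
        return code

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise PermissionError("client authentication failed")

    def _issue_tokens(self, user, client_id):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = Record(client_id, user, self.now() + self.ACCESS_TTL)
        self.refresh_tokens[refresh] = Record(client_id, user, float("inf"))
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.ACCESS_TTL}

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        self._authenticate_client(client_id, client_secret)
        grant = self.codes.pop(code, None)            # pop: a code can be redeemed once
        if (grant is None or grant.client_id != client_id
                or grant.redirect_uri != redirect_uri or grant.expires_at < self.now()):
            raise PermissionError("invalid, expired or foreign authorization code")
        return self._issue_tokens(grant.user, client_id)

    def refresh(self, client_id, client_secret, refresh_token):
        self._authenticate_client(client_id, client_secret)
        rec = self.refresh_tokens.pop(refresh_token, None)   # rotation: old token dies
        if rec is None or rec.client_id != client_id:
            raise PermissionError("invalid refresh token")
        return self._issue_tokens(rec.user, client_id)

    def userinfo(self, access_token):
        rec = self.access_tokens.get(access_token)
        if rec is None or rec.expires_at < self.now():
            raise PermissionError("access token invalid or expired")
        return {"user": rec.user}


class SsoClient:
    """Stand-in for the relying application (the LemonLDAP::NG portal in the talk)."""
    def __init__(self, server, redirect_uri):
        self.server, self.redirect_uri = server, redirect_uri
        self.client_id, self.client_secret = server.register_client(redirect_uri)
        self.pending_states = set()

    def start_login(self):
        """Per-login 'state' so the callback can be tied to a request we started."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def finish_login(self, state, code):
        if state not in self.pending_states:
            raise PermissionError("unexpected state: callback not initiated here")
        self.pending_states.discard(state)
        return self.server.exchange_code(self.client_id, self.client_secret, code, self.redirect_uri)


def _rejected(fn, *args):
    """True if the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def run_demo():
    """Walk the flow under a controllable clock; returns the outcomes of each check."""
    clock = [1_000.0]
    server = AuthorizationServer(now=lambda: clock[0])
    rp = SsoClient(server, "https://sso.example.test/oauth2/callback")   # constructed URI
    state = rp.start_login()
    code = server.authorize(rp.client_id, rp.redirect_uri, "alice")
    tokens = rp.finish_login(state, code)
    r = {"user": server.userinfo(tokens["access_token"])["user"]}
    r["code_single_use"] = _rejected(server.exchange_code, rp.client_id, rp.client_secret, code, rp.redirect_uri)
    r["wrong_secret"] = _rejected(server.refresh, rp.client_id, "not-the-secret", tokens["refresh_token"])
    r["unknown_state"] = _rejected(rp.finish_login, "forged-state", code)
    clock[0] += AuthorizationServer.ACCESS_TTL + 1
    r["expired_access"] = _rejected(server.userinfo, tokens["access_token"])
    fresh = server.refresh(rp.client_id, rp.client_secret, tokens["refresh_token"])
    r["refreshed_user"] = server.userinfo(fresh["access_token"])["user"]
    r["old_refresh_rotated"] = _rejected(server.refresh, rp.client_id, rp.client_secret, tokens["refresh_token"])
    return r


if __name__ == "__main__":
    print(run_demo())
```

As the slide says, OAuth2 here is an authorization protocol, not an authentication one: what the client ends up with is a token that lets it read the user's profile, and "authentication" only follows from the client then calling `userinfo` and trusting the provider's answer.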
  14. JSON file configuration backend
     ● "JavaScript Object Notation"
     ● Generic data format allowing structured information to be represented
     ● Configuration stored in a more readable way
     ● Can be shared by:
       – any file sharing system (NFS, NAS, SAN, …)
       – the SOAP configuration backend proxy
  15. And much more...
     ● Captcha
       – Can be used at user connection
       – In the mail reset component
       – Extra control to ensure one is human
     ● Aliases for virtual hosts
       – Allows the creation of numerous vhosts owning the same headers and the same protection rules
     ● CLI LemonLDAP Manager
       – Tool to manage the LemonLDAP configuration from the command line
  16. What's next?
     ● Configuration and cache optimization
     ● Code refactoring with Moose/Mouse for better OO code
     ● Handler modularization
     ● Compatibility with Apache MPM-event or Nginx?
  17. The end... almost
  18. Thanks
     ● Thanks to:
       – LINAGORA company
       – OW2 Con organizers
       – LemonLDAP::NG and Perl community
     ● Stay in touch:
       – IRC: stryg #lemonldap-ng@freenode
  19. Questions?