The LemonLDAP::NG Project

LemonLDAP::NG The LemonLDAP::NG project Clément OUDOT FOSDEM – 5th February 2012 Web access under protect

Schedule● Speaker● Single Sign On● The LemonLDAP::NG software 02/05/122 http://lemonldap-ng.org

About me 02/05/123 http://lemonldap-ng.org

Clément OUDOT● LDAP engineer since 2003 in LINAGORA company, with experiences in SUN/Oracle to OpenLDAP migration● LinID Dream Team Manager http://linid.org● Leader of LDAP Tool Box project http://ltb-project.org● Leader of LemonLDAP::NG project http://lemonldap-ng.org 02/05/124 http://lemonldap-ng.org

Single Sign On 02/05/125 http://lemonldap-ng.org

Definition● Single Sign On authentication allow users to submit their credentials only once, and to access all trusted applications● Applications do not manage passwords anymore● Identity of the user is forwarded to applications by the SSO software 02/05/12 6 http://lemonldap-ng.org

SSO for the newbies 1 User 3 2 Web Application WebSSO Portal 02/05/127 http://lemonldap-ng.org

LemonLDAP::NG 02/05/128 http://lemonldap-ng.org

Components● LemonLDAP::NG main components: ● Portal: authentication process, user interaction, application menu, password change form ● Manager: configuration interface, sessions explorer ● Handler: Apache agent, manage access authorizations● Perl, only Perl, just Perl● Relies on Apache and mod_perl 02/05/129 http://lemonldap-ng.org

SSO for the L33T 02/05/1210 http://lemonldap-ng.org

Application protection ● LemonLDAP::NG uses Apache virtual host as application identifier ● Each application owns: ● Access rules: each rule refers to an URL pattern, logout can be caught ● HTTP headers: each header contains a session value, or an evaluated Perl expression ● POST data: only used for form replay ● Redirection options: protocol and port 02/05/1211 http://lemonldap-ng.org

Examples ● Access rules: ● default → accept ● ^/admin → $groups =~ /admin/ ● ^/logout.php → logout_sso ● HTTP headers: ● Auth-User → $uid ● Auth-Name → uc($sn).", ".ucfirst($gn) 02/05/1212 http://lemonldap-ng.org

Configuration interface 02/05/1213 http://lemonldap-ng.org

Authentication methods ● LemonLDAP::NG supports a lot of authentication methods: ● LDAP ● Database ● SSL X509 ● Apache built-in modules (Kerberos, OTP, ...) ● SAML 2.0 ● OpenID ● Twitter ● CAS ● Yubikey ● Methods can be stacked or displayed together 02/05/1214 http://lemonldap-ng.org

Identity Provider ● LemonLDAP::NG is a federation product, allowing services to get user identity trough standard protocols: ● SAML 2.0 ● OpenID 2.0 ● CAS 1.0 and 2.0 02/05/1215 http://lemonldap-ng.org

Release 1.2, soon... ● New release planned for soon (this month?): ● Radius authentication module ● Login history ● New skip rule ● Improve session cache management ● Custom session granting policies ● Better URL handling in CAS and SAML Issuer modules 02/05/1216 http://lemonldap-ng.org

The end... almost 02/05/1217 http://lemonldap-ng.org

Thanks ● Thanks to: ● FOSDEM and Perl DevRoom organizers ● LINAGORA company ● Perl (it is still alive!) ● Stay in touch: ● Identica: @coudot ● Twitter: @clementoudot ● IRC: KPTN #lemonldap-ng@freenode 02/05/1218 http://lemonldap-ng.org

Questions? 02/05/1219 http://lemonldap-ng.org

http://www.linagora.com	36
http://lanyrd.com	19
http://linagora.com	6
http://a0.twimg.com	4
http://us-w1.rockmelt.com	3

The LemonLDAP::NG Project

by OUDOT Clément on Feb 06, 2012

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 68

Statistics

The LemonLDAP::NG Project — Presentation Transcript