The LemonLDAP::NG Project
Transcript of "The LemonLDAP::NG Project"

  1. LemonLDAP::NG: The LemonLDAP::NG project. Clément OUDOT, FOSDEM – 5th February 2012. Web access under protect
  2. Schedule
     ● Speaker
     ● Single Sign On
     ● The LemonLDAP::NG software
     02/05/12 http://lemonldap-ng.org
  3. About me
  4. Clément OUDOT
     ● LDAP engineer since 2003 at LINAGORA, with experience in SUN/Oracle to OpenLDAP migrations
     ● LinID Dream Team Manager, http://linid.org
     ● Leader of the LDAP Tool Box project, http://ltb-project.org
     ● Leader of the LemonLDAP::NG project, http://lemonldap-ng.org
  5. Single Sign On
  6. Definition
     ● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
     ● Applications do not manage passwords anymore
     ● The user's identity is forwarded to applications by the SSO software
  7. SSO for the newbies (diagram: User, WebSSO Portal and Web Application, with the exchange numbered 1 to 3)
  8. LemonLDAP::NG
  9. Components
     ● LemonLDAP::NG main components:
       ● Portal: authentication process, user interaction, application menu, password change form
       ● Manager: configuration interface, sessions explorer
       ● Handler: Apache agent, manages access authorizations
     ● Perl, only Perl, just Perl
     ● Relies on Apache and mod_perl
  10. SSO for the L33T
  11. Application protection
     ● LemonLDAP::NG uses the Apache virtual host as the application identifier
     ● Each application owns:
       ● Access rules: each rule refers to a URL pattern; logout can be caught
       ● HTTP headers: each header contains a session value or an evaluated Perl expression
       ● POST data: only used for form replay
       ● Redirection options: protocol and port
  12. Examples
     ● Access rules:
       ● default → accept
       ● ^/admin → $groups =~ /admin/
       ● ^/logout.php → logout_sso
     ● HTTP headers:
       ● Auth-User → $uid
       ● Auth-Name → uc($sn).", ".ucfirst($gn)
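The rule and header evaluation described on slides 11 and 12, as an added example that is not part of the original deck or of the LemonLDAP::NG code base. It assumes first-match ordering with the default rule applied last, deny when no default rule exists, and a constructed session whose groups attribute is a single string.

```perl
# Added illustration, not LemonLDAP::NG's own code: evaluates access rules and
# header expressions like those on the slides against a constructed session.
# First-match order, 'default' applied last and 'deny' without a default rule
# are assumptions of this example, not documented project behaviour.
use strict;
use warnings;

# Constructed sessions; 'groups' is one string, hence the regexp test on it.
my %admin = (uid => 'coudot', sn => 'Oudot', gn => 'clement', groups => 'users; admin');
my %user  = (uid => 'jdoe',   sn => 'Doe',   gn => 'john',    groups => 'users');

# One protected application (one Apache virtual host): rules and headers.
my @rules = (
    [ '^/logout.php' => 'logout_sso' ],
    [ '^/admin'      => '$groups =~ /admin/' ],   # substring match: also true for 'sysadmin'
    [ 'default'      => 'accept' ],
);
my %headers = (
    'Auth-User' => '$uid',
    'Auth-Name' => 'uc($sn).", ".ucfirst($gn)',
);

# Evaluate a Perl expression with session attributes exposed as $uid, $sn, ...
sub eval_expr {
    my ($expr, $session) = @_;
    my $decls = join '', map { "my \$$_ = \$_[0]{$_}; " } sort keys %$session;
    my $code  = eval "sub { $decls return scalar($expr) }"
        or die "cannot compile '$expr': $@";
    return $code->($session);
}
# Decide for one URI: 'accept', 'deny', or 'logout' (session to be destroyed).
sub authorize {
    my ($uri, $session) = @_;
    my %by_pattern = map { @$_ } @rules;
    my $action = $by_pattern{default} // 'deny';
    for my $r (@rules) {
        next if $r->[0] eq 'default';
        if ($uri =~ /$r->[0]/) { $action = $r->[1]; last }   # first match wins
    }
    return 'logout' if $action eq 'logout_sso';
    return $action  if $action eq 'accept' || $action eq 'deny';
    return eval_expr($action, $session) ? 'accept' : 'deny';
}
for my $s (\%admin, \%user) {
    printf "%-7s %-12s -> %s\n", $s->{uid}, $_, authorize($_, $s)
        for '/index.html', '/admin/users', '/logout.php';
}
# Headers the Handler would forward to the application for the admin session.
printf "%s: %s\n", $_, eval_expr($headers{$_}, \%admin) for sort keys %headers;
```

The admin session is accepted on /admin/users and the plain user is denied there, while /logout.php is caught for both; the forwarded headers come out as Auth-User: coudot and Auth-Name: OUDOT, Clement.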
  13. Configuration interface
  14. Authentication methods
     ● LemonLDAP::NG supports many authentication methods:
       ● LDAP
       ● Database
       ● SSL X509
       ● Apache built-in modules (Kerberos, OTP, ...)
       ● SAML 2.0
       ● OpenID
       ● Twitter
       ● CAS
       ● Yubikey
     ● Methods can be stacked or displayed together
  15. Identity Provider
     ● LemonLDAP::NG is a federation product, allowing services to get the user's identity through standard protocols:
       ● SAML 2.0
       ● OpenID 2.0
       ● CAS 1.0 and 2.0
  16. Release 1.2, soon...
     ● New release planned soon (this month?):
       ● Radius authentication module
       ● Login history
       ● New skip rule
       ● Improved session cache management
       ● Custom session granting policies
       ● Better URL handling in CAS and SAML Issuer modules
  17. The end... almost
  18. Thanks
     ● Thanks to:
       ● FOSDEM and Perl DevRoom organizers
       ● LINAGORA company
       ● Perl (it is still alive!)
     ● Stay in touch:
       ● Identica: @coudot
       ● Twitter: @clementoudot
       ● IRC: KPTN on #lemonldap-ng@freenode
  19. Questions?