The LemonLDAP::NG Project

  1. LemonLDAP::NG
     The LemonLDAP::NG project
     Clément OUDOT
     FOSDEM – 5th February 2012
     Web access under protect
  2. Schedule
     ● Speaker
     ● Single Sign On
     ● The LemonLDAP::NG software
     02/05/12 http://lemonldap-ng.org
  3. About me
  4. Clément OUDOT
     ● LDAP engineer since 2003 at LINAGORA, with experience in SUN/Oracle to OpenLDAP migrations
     ● LinID Dream Team Manager http://linid.org
     ● Leader of the LDAP Tool Box project http://ltb-project.org
     ● Leader of the LemonLDAP::NG project http://lemonldap-ng.org
  5. Single Sign On
  6. Definition
     ● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
     ● Applications no longer manage passwords
     ● The identity of the user is forwarded to the applications by the SSO software
  7. SSO for the newbies
     (diagram: User, WebSSO Portal and Web Application, with numbered steps 1 to 3)
  8. LemonLDAP::NG
  9. Components
     ● LemonLDAP::NG main components:
       ● Portal: authentication process, user interaction, application menu, password change form
       ● Manager: configuration interface, sessions explorer
       ● Handler: Apache agent, manages access authorizations
     ● Perl, only Perl, just Perl
     ● Relies on Apache and mod_perl
  10. SSO for the L33T
  11. Application protection
     ● LemonLDAP::NG uses the Apache virtual host as the application identifier
     ● Each application owns:
       ● Access rules: each rule refers to a URL pattern; logout can be caught
       ● HTTP headers: each header contains a session value or an evaluated Perl expression
       ● POST data: only used for form replay
       ● Redirection options: protocol and port
  12. Examples
     ● Access rules:
       ● default → accept
       ● ^/admin → $groups =~ /admin/
       ● ^/logout.php → logout_sso
     ● HTTP headers:
       ● Auth-User → $uid
       ● Auth-Name → uc($sn).", ".ucfirst($gn)
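The rules and headers on slide 12 are Perl expressions that the Handler evaluates against the user's session before the request reaches the application. As an added example, not LemonLDAP::NG's own code, here is a minimal model of that evaluation: each expression is compiled once, the first matching rule decides, and the identity headers are only built after access has been granted. The function names, session values and virtual host layout are constructed for illustration; rule ordering and the catch-all "default" are simplifications.

```perl
# Added example, not LemonLDAP::NG code: a minimal model of how a Handler applies
# a virtual host's access rules and header expressions (slide 12) to the session
# the Portal created at login. Assumed: rules are tried in order, first match wins.
use strict;
use warnings;
my @keys = qw(uid sn gn groups);   # session attributes visible to rule authors
my %admin = ( uid => 'jdoe', sn => 'doe', gn => 'john', groups => 'users; admin' );
my %user  = ( uid => 'asmith', sn => 'smith', gn => 'ann', groups => 'users' );
# Virtual host configuration (constructed), using the expressions from slide 12.
my %vhost = (
    rules => [
        [ qr{^/logout\.php} => 'logout_sso' ],
        [ qr{^/admin}       => '$groups =~ /admin/' ],
        [ qr{.}             => 'accept' ],          # models the "default" rule
    ],
    headers => { 'Auth-User' => '$uid', 'Auth-Name' => 'uc($sn).", ".ucfirst($gn)' },
);
# Compile an expression once into a closure over a session hash; the session
# attributes become the Perl variables ($uid, $groups, ...) rule authors write.
sub compile_expr {
    my ($expr) = @_;
    return sub { 'logout' } if $expr eq 'logout_sso';
    return sub { 'accept' } if $expr eq 'accept';
    my $decl = join '', map { "my \$$_ = \$_[0]{$_}; " } @keys;
    my $sub  = eval "sub { $decl return scalar($expr); }";
    die "invalid expression '$expr': $@" if $@;
    return $sub;
}
$_->[1] = compile_expr($_->[1]) for @{ $vhost{rules} };
$vhost{headers}{$_} = compile_expr($vhost{headers}{$_}) for keys %{ $vhost{headers} };
# One request: ('accept', {headers}), ('deny', {}) or ('logout', {}); headers exist only on accept.
sub handle_request {
    my ($uri, $sess) = @_;
    for my $rule (@{ $vhost{rules} }) {
        my ($pattern, $code) = @$rule;
        next unless $uri =~ $pattern;
        my $result = $code->($sess);
        return ('logout', {}) if $result eq 'logout';
        return ('deny',   {}) unless $result;
        last;                                # accepted by the first matching rule
    }
    my %h = map { ($_ => $vhost{headers}{$_}->($sess)) } keys %{ $vhost{headers} };
    return ('accept', \%h);
}
for my $req ( ['/index.html', \%user], ['/admin/users', \%user],
              ['/admin/users', \%admin], ['/logout.php', \%admin] ) {
    my ($decision, $h) = handle_request(@$req);
    printf "%-7s %-13s -> %-6s %s\n", $req->[1]{uid}, $req->[0], $decision,
        join ' ', map { "$_=$h->{$_}" } sort keys %$h;
}
```

Because the headers are set by the Handler from server-side session data, the application behind it can trust Auth-User only as long as nothing can reach it without passing through that Handler.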
  13. Configuration interface
  14. Authentication methods
     ● LemonLDAP::NG supports many authentication methods:
       ● LDAP
       ● Database
       ● SSL X509
       ● Apache built-in modules (Kerberos, OTP, ...)
       ● SAML 2.0
       ● OpenID
       ● Twitter
       ● CAS
       ● Yubikey
     ● Methods can be stacked or displayed together
  15. Identity Provider
     ● LemonLDAP::NG is a federation product, allowing services to get the user identity through standard protocols:
       ● SAML 2.0
       ● OpenID 2.0
       ● CAS 1.0 and 2.0
  16. Release 1.2, soon...
     ● New release planned for soon (this month?):
       ● Radius authentication module
       ● Login history
       ● New skip rule
       ● Improved session cache management
       ● Custom session granting policies
       ● Better URL handling in CAS and SAML Issuer modules
  17. The end... almost
  18. Thanks
     ● Thanks to:
       ● FOSDEM and Perl DevRoom organizers
       ● LINAGORA company
       ● Perl (it is still alive!)
     ● Stay in touch:
       ● Identica: @coudot
       ● Twitter: @clementoudot
       ● IRC: KPTN on #lemonldap-ng@freenode
  19. Questions?
