
The LemonLDAP::NG Project



  1. LemonLDAP::NG: The LemonLDAP::NG project. Clément OUDOT, FOSDEM – 5th February 2012. Web access under protect
  2. Schedule
     ● Speaker
     ● Single Sign On
     ● The LemonLDAP::NG software
     02/05/12 http://lemonldap-ng.org
  3. About me
  4. Clément OUDOT
     ● LDAP engineer since 2003 at the LINAGORA company, with experience in SUN/Oracle to OpenLDAP migrations
     ● LinID Dream Team Manager http://linid.org
     ● Leader of the LDAP Tool Box project http://ltb-project.org
     ● Leader of the LemonLDAP::NG project http://lemonldap-ng.org
  5. Single Sign On
  6. Definition
     ● Single Sign On authentication allows users to submit their credentials only once, and then to access all trusted applications
     ● Applications do not manage passwords anymore
     ● The identity of the user is forwarded to applications by the SSO software
  7. SSO for the newbies
     [Diagram: User, WebSSO Portal and Web Application, with the exchange numbered 1 to 3]
  8. LemonLDAP::NG
  9. Components
     ● LemonLDAP::NG main components:
        ● Portal: authentication process, user interaction, application menu, password change form
        ● Manager: configuration interface, sessions explorer
        ● Handler: Apache agent, manages access authorizations
     ● Perl, only Perl, just Perl
     ● Relies on Apache and mod_perl
  10. SSO for the L33T
  11. Application protection
     ● LemonLDAP::NG uses the Apache virtual host as the application identifier
     ● Each application owns:
        ● Access rules: each rule refers to a URL pattern; logout can be caught
        ● HTTP headers: each header contains a session value, or an evaluated Perl expression
        ● POST data: only used for form replay
        ● Redirection options: protocol and port
  12. Examples
     ● Access rules:
        ● default → accept
        ● ^/admin → $groups =~ /admin/
        ● ^/logout.php → logout_sso
     ● HTTP headers:
        ● Auth-User → $uid
        ● Auth-Name → uc($sn).", ".ucfirst($gn)
  13. Configuration interface
  14. Authentication methods
     ● LemonLDAP::NG supports a lot of authentication methods:
        ● LDAP
        ● Database
        ● SSL X509
        ● Apache built-in modules (Kerberos, OTP, ...)
        ● SAML 2.0
        ● OpenID
        ● Twitter
        ● CAS
        ● Yubikey
     ● Methods can be stacked or displayed together
  15. Identity Provider
     ● LemonLDAP::NG is a federation product, allowing services to get the user identity through standard protocols:
        ● SAML 2.0
        ● OpenID 2.0
        ● CAS 1.0 and 2.0
  16. Release 1.2, soon...
     ● New release planned soon (this month?):
        ● Radius authentication module
        ● Login history
        ● New skip rule
        ● Improved session cache management
        ● Custom session granting policies
        ● Better URL handling in CAS and SAML Issuer modules
  17. The end... almost
  18. Thanks
     ● Thanks to:
        ● FOSDEM and Perl DevRoom organizers
        ● LINAGORA company
        ● Perl (it is still alive!)
     ● Stay in touch:
        ● Identica: @coudot
        ● Twitter: @clementoudot
        ● IRC: KPTN #lemonldap-ng@freenode
  19. Questions?
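A small model of the per-virtual-host authorization and header logic described on slides 11 and 12, added here as an example in Python rather than the project's Perl; it is not LemonLDAP::NG code, and the session attributes, rule table and header table are constructed for illustration:

```python
import re

# Constructed sample session: the attributes a WebSSO portal would have
# stored for the user after authentication (names and values are assumed).
SESSION = {"uid": "jdoe", "sn": "doe", "gn": "john", "groups": "users; admin"}

# Hypothetical virtual-host configuration modelled on slide 12. Each rule is
# (URL regex, policy); a policy is "accept", "deny", "logout_sso" or a
# function of the session standing in for the slide's Perl expression.
# Note that /admin/ is a substring match on $groups: a group named
# "sysadmin" satisfies it too. Anchor the pattern (e.g. \badmin\b) if the
# rule is meant to require exactly the "admin" group.
RULES = [
    (r"^/logout\.php", "logout_sso"),
    (r"^/admin", lambda s: re.search(r"admin", s["groups"]) is not None),
]
DEFAULT_POLICY = "accept"

# Header values are built from session attributes, like Auth-User -> $uid and
# Auth-Name -> uc($sn).", ".ucfirst($gn) on the slide (Perl's ucfirst only
# touches the first character, so the rest of the given name is left as-is).
HEADERS = {
    "Auth-User": lambda s: s["uid"],
    "Auth-Name": lambda s: s["sn"].upper() + ", " + s["gn"][:1].upper() + s["gn"][1:],
}


def authorize(path, session, rules=RULES, default=DEFAULT_POLICY):
    """Decide what the handler does with a request for `path`.

    The first rule whose pattern matches the path wins; if none matches, the
    default rule applies. Returns "accept", "deny" or "logout_sso".
    """
    for pattern, policy in rules:
        if re.search(pattern, path):
            if callable(policy):
                return "accept" if policy(session) else "deny"
            return policy
    return default


def build_headers(session, headers=HEADERS):
    """Compute the HTTP headers forwarded to the application for this session."""
    return {name: value_of(session) for name, value_of in headers.items()}


if __name__ == "__main__":
    for path in ("/index.html", "/admin/users", "/logout.php"):
        print(path, "->", authorize(path, SESSION))
    print(build_headers(SESSION))
```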
