LDAPCon 2011 - The LemonLDAP::NG Project
Presentation of LemonLDAP::NG, with a focus on LDAP support
  1. LemonLDAP::NG: The LemonLDAP::NG project. Clément OUDOT, LDAP Con, 11th October 2011. Web access under protect
     10/10/11 http://lemonldap-ng.org
  2. cn=Schedule,dc=lemonldap-ng,dc=org
     ● Speaker autobiography
     ● Single Sign On and friends
     ● The LemonLDAP::NG software
     ● Focus on LDAP support in LemonLDAP::NG
  3. uid=coudot,dc=lemonldap-ng,dc=org
  4. uid=coudot,dc=lemonldap-ng,dc=org
     ● LDAP engineer since 2003 at LINAGORA, with experience in SUN/Oracle to OpenLDAP migrations
     ● French LDAP documentation on http://www.linagora.org
     ● Leader of the LDAP Tool Box project: http://ltb-project.org
     ● Leader of the LemonLDAP::NG project: http://lemonldap-ng.org
     ● Weakness: prefers Perl over Java
  5. cn=SSO,dc=lemonldap-ng,dc=org
  6. cn=Why,dc=lemonldap-ng,dc=org
     ● More and more web applications/services require authentication
     ● Password strength ↘ as the number of passwords ↗ (human laziness)
     ● An LDAP directory can provide single credentials, but not single sign on
  7. cn=Definition,dc=lemonldap-ng,dc=org
     ● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
     ● Applications no longer manage passwords
     ● The identity of the user is forwarded to applications by the SSO software
  8. cn=Kinematics,dc=lemonldap-ng,dc=org (diagram: User, Web Application, WebSSO Portal, steps 1 to 3)
  9. cn=Delegation,dc=lemonldap-ng,dc=org
  10. gn=Reverse+sn=Proxy,dc=lemonldap-ng,dc=org
  11. cn=Friends,dc=lemonldap-ng,dc=org
     ● WebSSO often shares its spare time with:
       ● Access Management: RBAC, OrBAC, WYWBAC (What You Want Based Access Control)
       ● Self Service: password recovery, account creation
       ● Identity federation: share identity over defined protocols (OpenID, SAML, etc.)
  12. dc=lemonldap-ng,dc=org
  13. cn=History,dc=lemonldap-ng,dc=org
     ● LemonLDAP was founded in 2003 by Eric GERMAN (MINEFI) to replace the Novell WebSSO product (Novell → llevon → Lemon)
     ● Like Novell or SiteMinder, LemonLDAP uses HTTP headers to forward the user identity
     ● LemonLDAP::NG is a complete rewrite of LemonLDAP, founded by Xavier GUIMARD (Gendarmerie Nationale) in 2005
     ● Thomas CHEMINEAU and Clément OUDOT (LINAGORA) complete the core team
  14. cn=Components,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG main components:
       ● Portal: authentication process, user interaction, application menu, password change form
       ● Manager: configuration interface, sessions explorer
       ● Handler: Apache agent, manages access authorizations
     ● Perl, only Perl, just Perl
     ● Relies on Apache and mod_perl
  15. cn=Architecture,dc=lemonldap-ng,dc=org
  16. cn=Kinematics,dc=lemonldap-ng,dc=org
  17. cn=Kinematics,dc=lemonldap-ng,dc=org
     1. User tries to access a protected application; the request is caught by the Handler
     2. No SSO cookie is detected, so the Handler redirects the user to the Portal
     3. User authenticates on the Portal
     4. Portal checks authentication
     5. If authentication succeeds, Portal collects user data
     6. Portal creates a session to store user data
     7. Portal gets the session key
     8. Portal creates the SSO cookie with the session key as value
     9. User is redirected to the protected application with the new cookie
     10. Handler gets the session key from the cookie and fetches the session
     11. Handler stores user data in its cache
     12. Handler checks access rules and sends headers to the protected application
     13. Protected application sends its response to the Handler
     14. Handler sends the response to the user
  18. description=Application protection,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG uses the Apache virtual host as application identifier
     ● Each application owns:
       ● Access rules: each rule refers to a URL pattern; logout can be caught
       ● HTTP headers: each header contains a session value or an evaluated Perl expression
       ● POST data: only used for form replay
       ● Redirection options: protocol and port
  19. cn=Examples,dc=lemonldap-ng,dc=org
     ● Access rules:
       ● default → accept
       ● ^/admin → $groups =~ /admin/
       ● ^/logout.php → logout_sso
     ● HTTP headers:
       ● Auth-User → $uid
       ● Auth-Name → uc($sn).", ".ucfirst($gn)
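The Handler side of the kinematics (slide 17, steps 1-2 and 10-12) applied to the rules and headers of slide 19, as an added Python model that is not LemonLDAP::NG code: the in-memory session store, the rule ordering (specific patterns before "default") and the Python translations of the Perl expressions are assumptions, and the sessions are constructed.

```python
import re

# Constructed session store: what the Portal saved after authentication
# (slide 17, steps 5-8), keyed by the session id carried in the SSO cookie.
SESSIONS = {
    "a1b2c3": {"uid": "coudot", "sn": "OUDOT", "gn": "clement", "groups": "admin; ldap"},
    "d4e5f6": {"uid": "jdoe", "sn": "DOE", "gn": "john", "groups": "users"},
}

# Access rules of slide 19 as (URL pattern, decision). A decision is the
# keyword "logout_sso", the keyword "accept", or a predicate over the session;
# the Perl rule "$groups =~ /admin/" is translated to a Python regex search.
# Assumption: specific rules are tried in order and "default" applies last.
RULES = [
    (r"^/logout.php", "logout_sso"),
    (r"^/admin", lambda s: re.search(r"admin", s["groups"]) is not None),
]
DEFAULT_RULE = "accept"

# Header definitions of slide 19: Auth-User -> $uid,
# Auth-Name -> uc($sn).", ".ucfirst($gn) (Perl uc/ucfirst mapped to Python).
HEADERS = {
    "Auth-User": lambda s: s["uid"],
    "Auth-Name": lambda s: s["sn"].upper() + ", " + s["gn"].capitalize(),
}


def handle(path, cookie):
    """Decide what the Handler does with one request: redirect to the Portal
    (no valid session), end the SSO session, forbid, or forward with headers."""
    session = SESSIONS.get(cookie)
    if session is None:
        return ("redirect_portal", {})          # step 2: no usable SSO cookie
    decision = DEFAULT_RULE
    for pattern, rule in RULES:                 # step 12: first matching rule wins
        if re.search(pattern, path):
            decision = rule
            break
    if decision == "logout_sso":
        SESSIONS.pop(cookie)                    # logout caught by the Handler
        return ("logout", {})
    if decision == "accept" or decision(session):
        # step 12: headers are computed from session data, never from the request
        return ("forward", {name: f(session) for name, f in HEADERS.items()})
    return ("forbidden", {})
```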
  20. cn=Configuration,dc=lemonldap-ng,dc=org
     ● Configuration is shared between all components
     ● It can be stored in:
       ● Local files
       ● SQL database
       ● LDAP directory
     ● Configuration is also available through SOAP
  21. jpegPhoto=Configuration interface,dc=lemonldap-ng,dc=org
  22. cn=Cookies and sessions,dc=lemonldap-ng,dc=org
     ● Cookies and sessions have a lifetime
     ● Sessions can also have an idle timeout
     ● Sessions can be stored in files, LDAP, SQL, NoSQL (Memcached, Redis, Cassandra, …)
     ● Sessions are also available through SOAP
     ● Cookies can be flagged to travel only over secure connections
     ● Cross domain is managed
  23. cn=Authentication methods,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG supports a lot of authentication methods:
       ● LDAP
       ● Database
       ● SSL X509
       ● Apache built-in modules (Kerberos, OTP, ...)
       ● SAML 2.0
       ● OpenID
       ● Twitter
       ● CAS
       ● Yubikey
     ● Methods can be stacked or displayed together
  24. cn=Identity provider,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG is a federation product, allowing services to get the user identity through standard protocols:
       ● SAML 2.0
       ● OpenID 2.0
       ● CAS 1.0 and 2.0
  25. ou=LDAP,dc=lemonldap-ng,dc=org
  26. ou=LDAP,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG has been in love with LDAP since its birth:
       ● Authentication, user data mining and password change
       ● Group membership
       ● Password policy
       ● Configuration and sessions
  27. cn=Standard,ou=LDAP,dc=lemonldap-ng,dc=org
     ● Classical LDAP authentication process:
       ● Search the directory to get the DN from the user login
       ● Bind with the found DN and the user password
     ● User data:
       ● Get attributes and store them in session data
       ● Manage multi-valued attributes
     ● Many configuration options: version, timeout, binary attributes, search base, search filter, attributes...
  28. cn=Group Membership,ou=LDAP,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG can collect groups:
       ● Search on a group branch
       ● Keep groups where the user is a member
     ● Advanced feature, recursive groups:
       ● Keep the whole group hierarchy
     ● LDAP groups can be mixed with locally defined groups
     ● Many configuration options: search base, group objectClass and attributes, recursivity
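The group collection of slide 28, plain and recursive, as an added Python example (not LemonLDAP::NG code): the group branch is a constructed in-memory map of group DN to member DNs (standing in for the LDAP search), it deliberately contains a membership cycle to show why the recursive walk must remember visited groups, and the "; "-joined cn list that feeds $groups is an assumption about the session format.

```python
# Constructed group branch: group DN -> values of its member attribute.
# Groups may be members of other groups, which is what "recursive groups"
# resolves. staff -> admin -> ldap -> staff is a deliberate cycle.
GROUPS = {
    "cn=ldap,ou=groups,dc=lemonldap-ng,dc=org": [
        "uid=coudot,ou=users,dc=lemonldap-ng,dc=org",
        "cn=staff,ou=groups,dc=lemonldap-ng,dc=org",
    ],
    "cn=admin,ou=groups,dc=lemonldap-ng,dc=org": [
        "cn=ldap,ou=groups,dc=lemonldap-ng,dc=org",
    ],
    "cn=staff,ou=groups,dc=lemonldap-ng,dc=org": [
        "cn=admin,ou=groups,dc=lemonldap-ng,dc=org",
    ],
    "cn=users,ou=groups,dc=lemonldap-ng,dc=org": [
        "uid=jdoe,ou=users,dc=lemonldap-ng,dc=org",
    ],
}


def direct_groups(member_dn):
    """Plain collection: groups whose member attribute lists member_dn
    (in LDAP terms, a search on the group branch with a member=<dn> filter)."""
    return sorted(g for g, members in GROUPS.items() if member_dn in members)


def recursive_groups(user_dn):
    """Recursive collection: the whole hierarchy above the user. Each group
    is expanded once, so cyclic memberships terminate instead of looping."""
    found = set()
    todo = [user_dn]
    while todo:
        dn = todo.pop()
        for group in direct_groups(dn):
            if group not in found:
                found.add(group)
                todo.append(group)       # parents of this group are also wanted
    return sorted(found)


def groups_string(user_dn):
    """Assumed session format: cn values joined with '; ', as used by rules
    such as $groups =~ /admin/."""
    cns = [dn.split(",")[0][len("cn="):] for dn in recursive_groups(user_dn)]
    return "; ".join(cns)
```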
  29. cn=Password Policy,ou=LDAP,dc=lemonldap-ng,dc=org
     ● Uses the Password Policy defined in the Behera draft:
       ● Authentication:
         – Display that the account is locked or expired
         – Display seconds before expiration and grace logins used
       ● Password change:
         – Display constraint checks (quality, size, history, …)
         – Force password change if requested by the directory
     ● Can use the password policy with a standard modify operation, or with the password modify extended operation
  30. cn=Configuration+cn=Sessions,ou=LDAP,dc=lemonldap-ng,dc=org
     ● Configuration and sessions can be stored in an LDAP directory
     ● Uses the standard Apache::Session API
     ● Allows easy multi-master architecture deployment
  31. cn=The End,dc=lemonldap-ng,dc=org
  32. cn=Thanks,dc=lemonldap-ng,dc=org
     ● Thanks to:
       ● The LDAPCon organization for letting me speak in front of you
       ● LDAP Get Together France people for staying until the end of this conference
       ● The LDAP standard for being complicated enough to let me teach it to others who do not want to learn it alone
     ● Stay in touch:
       ● Identica: @coudot
       ● Twitter: @clementoudot
       ● IRC: KPTN on #lemonldap-ng@freenode
  33. cn=Questions,dc=lemonldap-ng,dc=org