
LDAPCon 2011 - The LemonLDAP::NG Project


Presentation of LemonLDAP::NG, with a focus on LDAP support



  1. LemonLDAP::NG – The LemonLDAP::NG project. Clément OUDOT, LDAP Con – 11th October 2011. Web access under protect
  2. cn=Schedule,dc=lemonldap-ng,dc=org
     ● Speaker autobiography
     ● Single Sign On and friends
     ● The LemonLDAP::NG software
     ● Focus on LDAP support in LemonLDAP::NG
     10/10/11 http://lemonldap-ng.org
  3. uid=coudot,dc=lemonldap-ng,dc=org
  4. uid=coudot,dc=lemonldap-ng,dc=org
     ● LDAP engineer since 2003 at LINAGORA, with experience in SUN/Oracle to OpenLDAP migrations
     ● French LDAP documentation on http://www.linagora.org
     ● Leader of the LDAP Tool Box project: http://ltb-project.org
     ● Leader of the LemonLDAP::NG project: http://lemonldap-ng.org
     ● Weakness: prefers Perl over Java
  5. cn=SSO,dc=lemonldap-ng,dc=org
  6. cn=Why,dc=lemonldap-ng,dc=org
     ● More and more web applications and services require authentication
     ● Password strength goes down as the number of passwords goes up (human laziness)
     ● An LDAP directory gives single credentials, but not single sign on
  7. cn=Definition,dc=lemonldap-ng,dc=org
     ● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
     ● Applications no longer manage passwords
     ● The identity of the user is forwarded to the applications by the SSO software
  8. cn=Kinematics,dc=lemonldap-ng,dc=org
     (diagram: User, Web Application and WebSSO Portal, with the exchanges numbered 1, 2 and 3)
  9. cn=Delegation,dc=lemonldap-ng,dc=org
  10. gn=Reverse+sn=Proxy,dc=lemonldap-ng,dc=org
  11. cn=Friends,dc=lemonldap-ng,dc=org
     ● A WebSSO often shares its spare time with:
       – Access Management: RBAC, OrBAC, WYWBAC (What You Want Based Access Control)
       – Self Service: password recovery, account creation
       – Identity federation: sharing identity over defined protocols (OpenID, SAML, etc.)
  12. dc=lemonldap-ng,dc=org
  13. cn=History,dc=lemonldap-ng,dc=org
     ● LemonLDAP was founded in 2003 by Eric GERMAN (MINEFI) to replace the Novell WebSSO product (Novell → llevon → Lemon)
     ● Like Novell or SiteMinder, LemonLDAP uses HTTP headers to forward the user identity
     ● LemonLDAP::NG is a complete rewrite of LemonLDAP, founded by Xavier GUIMARD (Gendarmerie Nationale) in 2005
     ● Thomas CHEMINEAU and Clément OUDOT (LINAGORA) complete the core team
  14. cn=Components,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG main components:
       – Portal: authentication process, user interaction, application menu, password change form
       – Manager: configuration interface, sessions explorer
       – Handler: Apache agent, manages access authorizations
     ● Perl, only Perl, just Perl
     ● Relies on Apache and mod_perl
  15. cn=Architecture,dc=lemonldap-ng,dc=org
  16. cn=Kinematics,dc=lemonldap-ng,dc=org
  17. cn=Kinematics,dc=lemonldap-ng,dc=org
     1. The user tries to access a protected application; the request is caught by the Handler
     2. No SSO cookie is detected, so the Handler redirects the user to the Portal
     3. The user authenticates on the Portal
     4. The Portal checks the authentication
     5. If authentication succeeds, the Portal collects the user data
     6. The Portal creates a session to store the user data
     7. The Portal gets the session key
     8. The Portal creates the SSO cookie with the session key as value
     9. The user is redirected to the protected application with the new cookie
     10. The Handler reads the session key from the cookie and fetches the session
     11. The Handler stores the user data in its cache
     12. The Handler checks the access rule and sends headers to the protected application
     13. The protected application sends its response to the Handler
     14. The Handler sends the response to the user
  18. description=Application protection,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG uses the Apache virtual host as application identifier
     ● Each application owns:
       – Access rules: each rule refers to a URL pattern; logout can be caught
       – HTTP headers: each header contains a session value, or an evaluated Perl expression
       – POST data: only used for form replay
       – Redirection options: protocol and port
  19. cn=Examples,dc=lemonldap-ng,dc=org
     ● Access rules:
       – default → accept
       – ^/admin → $groups =~ /admin/
       – ^/logout.php → logout_sso
     ● HTTP headers:
       – Auth-User → $uid
       – Auth-Name → uc($sn).", ".ucfirst($gn)
  20. cn=Configuration,dc=lemonldap-ng,dc=org
     ● Configuration is shared between all components
     ● It can be stored in:
       – Local files
       – SQL database
       – LDAP directory
     ● Configuration is also available through SOAP
  21. jpegPhoto=Configuration interface,dc=lemonldap-ng,dc=org
  22. cn=Cookies and sessions,dc=lemonldap-ng,dc=org
     ● Cookies and sessions have a lifetime
     ● Sessions can also have an idle timeout
     ● Sessions can be stored in files, LDAP, SQL, NoSQL (Memcached, Redis, Cassandra, …)
     ● Sessions are also available through SOAP
     ● Cookies can be flagged to travel only over secure connections
     ● Cross-domain is managed
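The following is an added example, not LemonLDAP::NG code: a toy Handler that walks the Kinematics steps (cookie lookup, session fetch, lifetime and idle-timeout checks, access rule evaluation, header forwarding) using the rules and headers from the Examples slide and the session lifetime and idle timeout from the Cookies and sessions slide. The cookie name, Portal URL, timeout values, rule syntax and session store are assumptions of this illustration; the slide's Perl expressions (`$groups =~ /admin/`, `uc($sn).", ".ucfirst($gn)`) are rendered as Python functions over the session data. It also shows a check a practitioner would want: since the application trusts the `Auth-*` headers, any such header the client sent is dropped before the Handler adds its own.

```python
import copy
import re
from dataclasses import dataclass, field

COOKIE_NAME = "lemonldap"                      # assumed SSO cookie name
PORTAL_URL = "https://auth.example.com/"        # assumed Portal address
SESSION_LIFETIME = 72 * 3600                    # seconds, assumed value
SESSION_IDLE_TIMEOUT = 30 * 60                  # seconds, assumed value

# Constructed session store (what the Portal wrote in steps 6-7): key -> user data,
# plus the creation and last-activity timestamps used for lifetime/idle checks.
SESSIONS = {
    "f3a9c1": {"uid": "coudot", "sn": "oudot", "gn": "clément",
               "groups": "ldap admin", "_start": 1000.0, "_last": 1000.0},
    "77bb02": {"uid": "jdoe", "sn": "doe", "gn": "john",
               "groups": "users", "_start": 1000.0, "_last": 1000.0},
}

def new_store():
    """Fresh copy of the constructed store, so repeated runs do not share state."""
    return copy.deepcopy(SESSIONS)

# Access rules of one virtual host, in evaluation order: the first URL pattern
# that matches wins, "default" is the fallback. The slide's Perl rule
# `$groups =~ /admin/` is written here as a Python function of the session.
RULES = [
    (r"^/logout\.php", "logout_sso"),
    (r"^/admin", lambda s: re.search(r"admin", s["groups"]) is not None),
    ("default", lambda s: True),
]

# Headers forwarded to the application: the slide's `$uid` and
# `uc($sn).", ".ucfirst($gn)` as Python expressions over the session.
HEADERS = {
    "Auth-User": lambda s: s["uid"],
    "Auth-Name": lambda s: s["sn"].upper() + ", " + s["gn"].capitalize(),
}

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)     # sent back to the browser
    forwarded: dict = field(default_factory=dict)   # sent on to the application

def session_alive(sess, now):
    """Step 10 check: a session is usable only within its lifetime and idle timeout."""
    return (now - sess["_start"] <= SESSION_LIFETIME
            and now - sess["_last"] <= SESSION_IDLE_TIMEOUT)

def handle(path, cookies, request_headers=None, now=0.0, store=None):
    """One Handler decision: 302 to the Portal, 403, or 200 with identity headers."""
    store = SESSIONS if store is None else store
    request_headers = request_headers or {}
    to_portal = Response(302, {"Location": PORTAL_URL + "?url=" + path})

    # Steps 1-2: no cookie, unknown session or expired session -> back to the Portal.
    sid = cookies.get(COOKIE_NAME)
    sess = store.get(sid) if sid else None
    if sess is None or not session_alive(sess, now):
        store.pop(sid, None)
        return to_portal
    sess["_last"] = now                         # activity refreshes the idle timer

    # Step 12: the first matching access rule decides.
    for pattern, rule in RULES:
        if pattern == "default" or re.search(pattern, path):
            if rule == "logout_sso":            # logout URL caught: destroy the session
                store.pop(sid, None)
                return Response(302, {"Location": PORTAL_URL + "?logout=1"})
            if not rule(sess):
                return Response(403)
            break

    # The application trusts Auth-* headers, so anything the client sent under
    # those names is dropped before the Handler adds its own values.
    forwarded = {k: v for k, v in request_headers.items()
                 if not k.lower().startswith("auth-")}
    forwarded.update({name: expr(sess) for name, expr in HEADERS.items()})
    return Response(200, forwarded=forwarded)
```

The same header-stripping has to happen in the real deployment: the protected application must only be reachable through the Handler (reverse proxy), otherwise a client can set `Auth-User` itself and bypass authentication entirely.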
  23. cn=Authentication methods,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG supports many authentication methods:
       – LDAP
       – Database
       – SSL X509
       – Apache built-in modules (Kerberos, OTP, ...)
       – SAML 2.0
       – OpenID
       – Twitter
       – CAS
       – Yubikey
     ● Methods can be stacked or displayed together
  24. cn=Identity provider,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG is a federation product, allowing services to get the user identity through standard protocols:
       – SAML 2.0
       – OpenID 2.0
       – CAS 1.0 and 2.0
  25. ou=LDAP,dc=lemonldap-ng,dc=org
  26. ou=LDAP,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG has been in love with LDAP since its birth:
       – Authentication, user data mining and password change
       – Group membership
       – Password policy
       – Configuration and sessions
  27. cn=Standard,ou=LDAP,dc=lemonldap-ng,dc=org
     ● Classical LDAP authentication process:
       – Search the directory to get the DN from the user login
       – Bind with the found DN and the user password
     ● User data:
       – Get attributes and store them in the session data
       – Manage multi-valued attributes
     ● Many configuration options: version, timeout, binary attributes, search base, search filter, attributes...
  28. cn=Group Membership,ou=LDAP,dc=lemonldap-ng,dc=org
     ● LemonLDAP::NG can collect groups:
       – Search in a group branch
       – Keep the groups where the user is a member
     ● Advanced feature: recursive groups:
       – Keep the whole group hierarchy
     ● LDAP groups can be mixed with locally defined groups
     ● Many configuration options: search base, group objectClass and attributes, recursivity
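An added example, not LemonLDAP::NG code, of the "search then bind" process from the Standard slide and the recursive group collection from the Group Membership slide. It runs against a small directory constructed in memory so it works offline; the DNs, the search bases, the single-filter search function and the groupOfNames/member group schema are assumptions of this illustration. One caveat the example enforces: a bind with an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which many servers answer with success as anonymous, so it must be refused before it reaches the server.

```python
import hmac

PEOPLE_BASE = "ou=people,dc=lemonldap-ng,dc=org"    # assumed search bases
GROUPS_BASE = "ou=groups,dc=lemonldap-ng,dc=org"

# Constructed directory: DN -> entry, every attribute kept multi-valued (a list).
DIRECTORY = {
    "uid=coudot," + PEOPLE_BASE: {
        "uid": ["coudot"], "sn": ["Oudot"], "givenName": ["Clément"],
        "mail": ["coudot@example.org", "clement.oudot@example.org"],
        "userPassword": ["secret"],
    },
    "uid=jdoe," + PEOPLE_BASE: {
        "uid": ["jdoe"], "sn": ["Doe"], "givenName": ["John"],
        "mail": ["jdoe@example.org"], "userPassword": ["hunter2"],
    },
    "cn=ldap," + GROUPS_BASE: {
        "objectClass": ["groupOfNames"], "cn": ["ldap"],
        "member": ["uid=coudot," + PEOPLE_BASE],
    },
    "cn=admin," + GROUPS_BASE: {            # nested: the ldap group is a member
        "objectClass": ["groupOfNames"], "cn": ["admin"],
        "member": ["cn=ldap," + GROUPS_BASE],
    },
    "cn=staff," + GROUPS_BASE: {            # one level deeper, plus a direct member
        "objectClass": ["groupOfNames"], "cn": ["staff"],
        "member": ["cn=admin," + GROUPS_BASE, "uid=jdoe," + PEOPLE_BASE],
    },
}

def search(base, attr, value):
    """Subtree search for the filter (attr=value); value matching is
    case-insensitive, like LDAP's caseIgnoreMatch and DN matching."""
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith("," + base.lower())
            and any(v.lower() == value.lower() for v in entry.get(attr, []))]

def bind(dn, password):
    """Simple bind with the found DN. An empty password would be an
    unauthenticated bind (RFC 4513 5.1.2) that many servers accept as
    anonymous, so it is refused here instead of being sent to the server."""
    if password == "":
        raise ValueError("refusing unauthenticated bind (empty password)")
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return any(hmac.compare_digest(p.encode(), password.encode())
               for p in entry.get("userPassword", []))

def authenticate(login, password, attrs=("uid", "sn", "givenName", "mail")):
    """Standard slide: search the DN from the login, bind with it, then collect
    attributes. Returns the session data dict, or None when authentication fails."""
    if password == "":
        return None
    dns = search(PEOPLE_BASE, "uid", login)
    if len(dns) != 1:               # no match, or ambiguous login: fail closed
        return None
    if not bind(dns[0], password):
        return None
    entry = DIRECTORY[dns[0]]
    data = {a: list(entry.get(a, [])) for a in attrs}   # multi-valued kept as lists
    data["dn"] = dns[0]
    return data

def groups_of(dn, recursive=True):
    """Group Membership slide: cn of every group whose member attribute lists
    dn; with recursive=True, groups containing those groups are added too. The
    visited set stops the walk on a membership cycle; each group is reported once."""
    found, seen, todo = [], set(), [dn.lower()]
    while todo:
        current = todo.pop()
        if current in seen:
            continue
        seen.add(current)
        for gdn in search(GROUPS_BASE, "member", current):
            cn = DIRECTORY[gdn]["cn"][0]
            if cn not in found:
                found.append(cn)
            if recursive:
                todo.append(gdn.lower())
    return sorted(found)
```

Two details matter in production: the login must be escaped before it is put into the search filter (here the search takes the value separately, so no filter injection is possible), and a search that returns more than one DN is treated as a failure rather than binding with the first hit.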
  29. cn=Password Policy,ou=LDAP,dc=lemonldap-ng,dc=org
     ● Uses the Password Policy defined in the Behera draft:
       – Authentication:
         – Display that the account is locked or expired
         – Display seconds before expiration and graces used
       – Password change:
         – Display constraint checks (quality, size, history, …)
         – Force password change if requested by the directory
     ● Can use the password policy with a standard modify operation, or with the password modify extended operation
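The messages on this slide come from the passwordPolicyResponse control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that a Behera-draft server attaches to a bind or modify result. As an added example, not LemonLDAP::NG code, the decoder below parses that control's BER value and turns it into the locked/expired, seconds-before-expiration and grace-logins messages described above. The control bytes are constructed for this example, not captured from a server; the ASN.1 layout follows the draft, with LDAP's implicit tagging (the CHOICE under `warning [0]` gets an explicit 0xA0 wrapper, the ENUMERATED under `error [1]` is tagged 0x81):

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER (0..maxInt),
          graceAuthNsRemaining [1] INTEGER (0..maxInt) } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }

```python
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # passwordPolicy request/response control

ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}

# Constructed control values (hex), not captured from a real server.
SAMPLES = {
    "expires_in_1h": "3006a00480020e10",   # warning timeBeforeExpiration = 3600
    "two_graces":    "3005a003810102",     # warning graceAuthNsRemaining = 2
    "locked":        "3003810101",         # error accountLocked
    "must_change":   "3003810102",         # error changeAfterReset
    "clean":         "3000",               # empty SEQUENCE: nothing to report
}

def _tlv(buf, pos):
    """Read one BER tag, length and value at pos; returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated control value")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:end], end

def _uint(raw):
    """Non-negative INTEGER/ENUMERATED content octets to int."""
    if not raw:
        raise ValueError("empty INTEGER")
    value = int.from_bytes(raw, "big", signed=True)
    if value < 0:
        raise ValueError("negative value not allowed here")
    return value

def decode_ppolicy(value):
    """Decode PasswordPolicyResponseValue into
    {'warning': ('timeBeforeExpiration'|'graceAuthNsRemaining', n) or None,
     'error': name or None}. Malformed input raises ValueError."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                      # warning [0]: explicit tag around a CHOICE
            wtag, wval, wend = _tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("trailing bytes in warning")
            kind = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}.get(wtag)
            if kind is None:
                raise ValueError("unknown warning choice 0x%02x" % wtag)
            out["warning"] = (kind, _uint(wval))
        elif tag == 0x81:                    # error [1]: implicitly tagged ENUMERATED
            code = _uint(inner)
            out["error"] = ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out

def user_message(decoded):
    """What the Portal would display, per the slide: locked/expired accounts,
    seconds before expiration, remaining grace logins, or constraint failures."""
    err, warning = decoded["error"], decoded["warning"]
    if err == "accountLocked":
        return "Account is locked"
    if err == "passwordExpired":
        return "Password has expired"
    if err == "changeAfterReset":
        return "Password must be changed before continuing"
    if err:
        return "Password policy violation: " + err
    if warning and warning[0] == "timeBeforeExpiration":
        return "Password expires in %d seconds" % warning[1]
    if warning and warning[0] == "graceAuthNsRemaining":
        return "Password expired, %d grace logins left" % warning[1]
    return "OK"

def from_controls(controls):
    """Pick the ppolicy control out of a list of (oid, value) response controls."""
    for oid, value in controls:
        if oid == PPOLICY_OID:
            return decode_ppolicy(value)
    return None
```

Note that the control is only returned when the client sent the matching request control on the bind or modify, and that a `changeAfterReset` error on a successful bind is what drives the "force password change" behaviour: the bind succeeded, but the portal must send the user to the password change form instead of the application.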
  30. cn=Configuration+cn=Sessions,ou=LDAP,dc=lemonldap-ng,dc=org
     ● Configuration and sessions can be stored in an LDAP directory
     ● Uses the standard Apache::Session API
     ● Allows easy multi-master architecture deployment
  31. cn=The End,dc=lemonldap-ng,dc=org
  32. cn=Thanks,dc=lemonldap-ng,dc=org
     ● Thanks to:
       – The LDAPCon organization for letting me speak in front of you
       – The LDAP Get Together France people for staying until the end of this conference
       – The LDAP standard for being complicated enough to let me teach it to others who do not want to learn it alone
     ● Stay in touch:
       – Identica: @coudot
       – Twitter: @clementoudot
       – IRC: KPTN on #lemonldap-ng@freenode
  33. cn=Questions,dc=lemonldap-ng,dc=org
