
LDAPCon 2011 - The LemonLDAP::NG Project


Presentation of LemonLDAP::NG, with a focus on LDAP support


Page 1

LemonLDAP::NG

Web access under protect

The LemonLDAP::NG project

Clément OUDOT
LDAPCon – 11th October 2011

Page 2

http://lemonldap-ng.org (10/10/11)

cn=Schedule,dc=lemonldap-ng,dc=org

● Speaker autobiography
● Single Sign On and friends
● The LemonLDAP::NG software
● Focus on LDAP support in LemonLDAP::NG

Page 3

uid=coudot,dc=lemonldap-ng,dc=org

Page 4

uid=coudot,dc=lemonldap-ng,dc=org

● LDAP engineer since 2003 at LINAGORA, with experience in SUN/Oracle to OpenLDAP migration

● French LDAP documentation on http://www.linagora.org

● Leader of LDAP Tool Box project http://ltb-project.org

● Leader of LemonLDAP::NG project http://lemonldap-ng.org

● Weakness: prefer Perl over Java

Page 5

cn=SSO,dc=lemonldap-ng,dc=org

Page 6

cn=Why,dc=lemonldap-ng,dc=org

● More and more web applications/services requiring authentication

● Password strength ↘ as the number of passwords ↗ (human laziness)

● An LDAP directory helps to have single credentials, but not single sign-on

Page 7

cn=Definition,dc=lemonldap-ng,dc=org

● Single Sign On authentication allows users to submit their credentials only once and to access all trusted applications

● Applications do not manage passwords anymore

● Identity of the user is forwarded to applications by the SSO software

Page 8

cn=Kinematics,dc=lemonldap-ng,dc=org

[Diagram: User, WebSSO Portal and Web Application, with the exchanges numbered 1, 2 and 3]

Page 9

cn=Delegation,dc=lemonldap-ng,dc=org

Page 10

gn=Reverse+sn=Proxy,dc=lemonldap-ng,dc=org

Page 11

cn=Friends,dc=lemonldap-ng,dc=org

● WebSSO often shares its spare time with:
  ● Access Management: RBAC, OrBAC, WYWBAC (What You Want Based Access Control)
  ● Self Service: password recovery, account creation
  ● Identity federation: share identity over defined protocols (OpenID, SAML, etc.)

Page 12

dc=lemonldap-ng,dc=org

Page 13

cn=History,dc=lemonldap-ng,dc=org

● LemonLDAP was founded in 2003 by Eric GERMAN (MINEFI) to replace Novell WebSSO product (Novell → llevon → Lemon)

● Like Novell or SiteMinder, LemonLDAP uses HTTP headers to forward user identity

● LemonLDAP::NG is a complete rewrite of LemonLDAP, founded by Xavier GUIMARD (Gendarmerie Nationale) in 2005

● Thomas CHEMINEAU and Clément OUDOT (LINAGORA) complete the core team.

Page 14

cn=Components,dc=lemonldap-ng,dc=org

● LemonLDAP::NG main components:
  ● Portal: authentication process, user interaction, application menu, password change form
  ● Manager: configuration interface, sessions explorer
  ● Handler: Apache agent, manages access authorizations

● Perl, only Perl, just Perl
● Relies on Apache and mod_perl

Page 15

cn=Architecture,dc=lemonldap-ng,dc=org

Page 16

cn=Kinematics,dc=lemonldap-ng,dc=org

Page 17

cn=Kinematics,dc=lemonldap-ng,dc=org

1. User tries to access a protected application; his request is caught by the Handler
2. SSO cookie is not detected, so the Handler redirects the user to the Portal
3. User authenticates on the Portal
4. Portal checks authentication
5. If authentication succeeds, Portal collects user data
6. Portal creates a session to store user data
7. Portal gets the session key
8. Portal creates the SSO cookie with the session key as value
9. User is redirected to the protected application with his new cookie
10. Handler gets the session key from the cookie and fetches the session
11. Handler stores user data in its cache
12. Handler checks access rules and sends headers to the protected application
13. Protected application sends its response to the Handler
14. Handler sends the response to the user

Page 18

description=Application protection, dc=lemonldap-ng,dc=org

● LemonLDAP::NG uses the Apache virtual host as application identifier
● Each application owns:
  ● Access rules: each rule refers to a URL pattern; logout can be caught
  ● HTTP headers: each header contains a session value, or an evaluated Perl expression
  ● POST data: only used for form replay
  ● Redirection options: protocol and port

Page 19

cn=Examples,dc=lemonldap-ng,dc=org

● Access rules:
  ● default → accept
  ● ^/admin → $groups =~ /admin/
  ● ^/logout.php → logout_sso

● HTTP headers:
  ● Auth-User → $uid
  ● Auth-Name → uc($sn).", ".ucfirst($gn)
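The Handler side of kinematics steps 10 to 12, evaluating the access rules and header expressions of this slide against a stored session, as an added Perl example that is not LemonLDAP::NG code; the session attribute names, the virtual host structure and the "; " separator in $groups are assumptions.

```perl
# Added example, not LemonLDAP::NG code: a toy Handler evaluating the access rules
# and HTTP headers from the "Examples" slide against a session (kinematics steps 10-12).
use strict;
use warnings;

# Constructed session data, as the Portal would have stored it (attribute names assumed)
my %session = ( uid => 'coudot', sn => 'oudot', gn => 'clement', groups => 'ldap; admin' );

# Assumed virtual host layout: ordered rules, a default rule, and headers. Expressions are
# trusted administrator configuration run as Perl: only the Manager may ever write them.
my %vhost = (
    rules   => [ [ qr{^/logout\.php} => 'logout_sso' ], [ qr{^/admin} => '$groups =~ /admin/' ] ],
    default => 'accept',
    headers => { 'Auth-User' => '$uid', 'Auth-Name' => 'uc($sn).", ".ucfirst($gn)' },
);

# Evaluate a rule or header expression with session attributes visible as $uid, $sn, ...
sub eval_with_session {
    my ( $expr, $session ) = @_;
    my $code = join '', map { sprintf "my \$%s = \$session->{'%s'}; ", $_, $_ } sort keys %$session;
    my $result = eval "$code $expr";
    die "cannot evaluate '$expr': $@" if $@;
    return $result;
}

# The first rule whose URL pattern matches wins; otherwise the default rule applies.
sub evaluate_rule {
    my ( $vhost, $path, $session ) = @_;
    for my $rule ( @{ $vhost->{rules} }, [ qr{.*} => $vhost->{default} ] ) {
        my ( $pattern, $expr ) = @$rule;
        next unless $path =~ $pattern;
        return 'logout' if $expr eq 'logout_sso';
        return $expr    if $expr eq 'accept' || $expr eq 'deny';
        return eval_with_session( $expr, $session ) ? 'accept' : 'deny';
    }
}

# Headers are computed, and sent upstream, only once access has been accepted.
sub build_headers {
    my ( $vhost, $session ) = @_;
    return { map { $_ => eval_with_session( $vhost->{headers}{$_}, $session ) } keys %{ $vhost->{headers} } };
}

for my $path ( '/', '/admin/users', '/logout.php' ) {
    my $decision = evaluate_rule( \%vhost, $path, \%session );
    print "$path => $decision\n";
    next unless $decision eq 'accept';
    my $h = build_headers( \%vhost, \%session );
    print "  $_: $h->{$_}\n" for sort keys %$h;
}
```

Because the application trusts Auth-User and Auth-Name, it must be reachable only through the Handler; a client that can reach it directly could supply those headers itself.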

Page 20

cn=Configuration,dc=lemonldap-ng,dc=org

● Configuration is shared between all components
● It can be stored in:
  ● Local files
  ● SQL database
  ● LDAP directory

● Configuration is also available through SOAP

Page 21

jpegPhoto=Configuration interface, dc=lemonldap-ng,dc=org

Page 22

cn=Cookies and sessions, dc=lemonldap-ng,dc=org

● Cookies and sessions have a lifetime
● Sessions can also have an idle timeout
● Sessions can be stored in File, LDAP, SQL, noSQL (Memcached, Redis, Cassandra, …)
● Sessions are also available through SOAP
● Cookies can be protected to travel only on secure connections
● Cross domain is managed

Page 23

cn=Authentication methods, dc=lemonldap-ng,dc=org

● LemonLDAP::NG supports a lot of authentication methods:
  ● LDAP
  ● Database
  ● SSL X509
  ● Apache built-in modules (Kerberos, OTP, ...)
  ● SAML 2.0
  ● OpenID
  ● Twitter
  ● CAS
  ● Yubikey

● Methods can be stacked or displayed together

Page 24

cn=Identity provider, dc=lemonldap-ng,dc=org

● LemonLDAP::NG is a federation product, allowing services to get user identity through standard protocols:
  ● SAML 2.0
  ● OpenID 2.0
  ● CAS 1.0 and 2.0

Page 25

ou=LDAP,dc=lemonldap-ng,dc=org

Page 26

ou=LDAP,dc=lemonldap-ng,dc=org

● LemonLDAP::NG is in love with LDAP since its birth:
  ● Authentication, user data mining and password change
  ● Group membership
  ● Password policy
  ● Configuration and sessions

Page 27

cn=Standard,ou=LDAP,dc=lemonldap-ng,dc=org

● Classical LDAP authentication process:
  ● Search directory to get DN from user login
  ● Bind with found DN and user password

● User data:
  ● Get attributes and store them in session data
  ● Manage multi-valued attributes

● Many configuration options: version, timeout, binary attributes, search base, search filter, attributes...

Page 28

cn=Group Membership,ou=LDAP, dc=lemonldap-ng,dc=org

● LemonLDAP::NG can collect groups:
  ● Search on a group branch
  ● Keep groups where user is member

● Advanced feature: recursive groups:
  ● Keep the whole group hierarchy

● LDAP groups can be mixed with locally defined groups

● Many configuration options: search base, group objectClass and attributes, recursivity

Page 29

cn=Password Policy,ou=LDAP, dc=lemonldap-ng,dc=org

● Uses the Password Policy defined in the Behera Draft:
  ● Authentication:
    – Display that account is locked or account is expired
    – Display seconds before expiration and used graces
  ● Password Change:
    – Display constraint check (quality, size, history, …)
    – Force password change if requested by the Directory

● Can use password policy with a standard modify operation, or with the password modify extended operation
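The search-then-bind process of the Standard slide together with the Behera password-policy feedback of this slide, as an added Perl example using Net::LDAP that is not LemonLDAP::NG's own code; the directory URI, the read-only search account, the base, filter and attribute list are assumed values.

```perl
# Added example, not LemonLDAP::NG code: "search then bind" LDAP authentication with the
# Behera password-policy control attached to the user bind. Assumes a directory at LDAP_URI
# (env) and a read-only search account; base, filter and attributes are constructed values.
use strict; use warnings;
use Net::LDAP; use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw( LDAP_CONTROL_PASSWORDPOLICY LDAP_SUCCESS );

my %cfg = (
    uri        => $ENV{LDAP_URI}    || 'ldaps://ldap.example.com',
    manager_dn => $ENV{LDAP_BINDDN} || 'cn=manager,dc=example,dc=com',
    manager_pw => $ENV{LDAP_BINDPW} || '',
    base       => 'ou=users,dc=example,dc=com',
    filter     => '(&(objectClass=inetOrgPerson)(uid=%s))',
    attrs      => [qw(uid sn givenName mail)],
);
# Error names in pp_error order, as enumerated by draft-behera-ldap-password-policy
my @PP_ERROR = qw( passwordExpired accountLocked changeAfterReset passwordModNotAllowed
    mustSupplyOldPassword insufficientPasswordQuality passwordTooShort passwordTooYoung passwordInHistory );

sub authenticate {
    my ( $login, $password ) = @_;
    # An empty password would turn the user bind into an anonymous bind: refuse it first.
    return { ok => 0, error => 'missing login or password' }
        unless defined $login && defined $password && length $password;
    my $ldap = Net::LDAP->new( $cfg{uri} ) or return { ok => 0, error => "connect: $@" };
    my $m = $ldap->bind( $cfg{manager_dn}, password => $cfg{manager_pw} );
    return { ok => 0, error => 'manager bind: ' . $m->error } if $m->code;
    # 1. Search: find the user's DN, escaping filter metacharacters in the login (RFC 4515)
    ( my $safe = $login ) =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    $m = $ldap->search( base => $cfg{base}, filter => sprintf( $cfg{filter}, $safe ), attrs => $cfg{attrs} );
    return { ok => 0, error => 'search: ' . $m->error } if $m->code;
    return { ok => 0, error => 'user not found or not unique' } unless $m->count == 1;
    my $entry = $m->entry(0);
    # 2. Bind as the found DN with the user's password, asking the server for ppolicy feedback
    my $pp = Net::LDAP::Control::PasswordPolicy->new;
    $m = $ldap->bind( $entry->dn, password => $password, control => [$pp] );
    my %res = ( ok => ( $m->code == LDAP_SUCCESS ? 1 : 0 ), dn => $entry->dn );
    if ( my ($resp) = $m->control(LDAP_CONTROL_PASSWORDPOLICY) ) {
        $res{error}      = $PP_ERROR[ $resp->pp_error ] if defined $resp->pp_error;
        $res{expires_in} = $resp->time_before_expiration;          # seconds, or undef
        $res{graces}     = $resp->grace_authentications_remaining;  # undef when no grace used
    }
    $res{error} ||= $m->error unless $res{ok};
    # 3. User data for the session: every attribute kept as a list, so multi-valued ones survive
    $res{data} = { map { $_ => [ $entry->get_value($_) ] } $entry->attributes } if $res{ok};
    $ldap->unbind;
    return \%res;
}
my $r = authenticate( @ARGV[ 0, 1 ] );
print $r->{ok} ? "authenticated $r->{dn}\n" : "refused: $r->{error}\n";
```

When the server does not return the control, only the bind result code is available; the portal then has nothing to display about expiration or graces.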

Page 30

cn=Configuration+cn=Sessions, ou=LDAP, dc=lemonldap-ng,dc=org

● Configuration and sessions can be stored in an LDAP Directory
● Uses the standard Apache::Session API
● Allows easy multi-master architecture deployment

Page 31

cn=The End,dc=lemonldap-ng,dc=org

Page 32

cn=Thanks,dc=lemonldap-ng,dc=org

● Thanks to:
  ● LDAPCon organization for letting me speak in front of you
  ● LDAP Get Together France people for staying until the end of this conference
  ● LDAP standard for being complicated enough to allow me to teach it to others who do not want to learn it alone

● Stay in touch:
  ● Identica: @coudot
  ● Twitter: @clementoudot
  ● IRC: KPTN #lemonldap-ng@freenode

Page 33

cn=Questions,dc=lemonldap-ng,dc=org