Presentation of LemonLDAP::NG, with a focus on LDAP support
LemonLDAP::NG
Web access under protection
The LemonLDAP::NG project
Clément OUDOT
LDAP Con – 11th October 2011
http://lemonldap-ng.org (10/10/11)
cn=Schedule,dc=lemonldap-ng,dc=org
● Speaker autobiography
● Single Sign On and friends
● The LemonLDAP::NG software
● Focus on LDAP support in LemonLDAP::NG
uid=coudot,dc=lemonldap-ng,dc=org
● LDAP engineer since 2003 in LINAGORA company, with experiences in SUN/Oracle to OpenLDAP migration
● French LDAP documentations on http://www.linagora.org
● Leader of LDAP Tool Box project http://ltb-project.org
● Leader of LemonLDAP::NG project http://lemonldap-ng.org
● Weakness: prefer Perl over Java
cn=SSO,dc=lemonldap-ng,dc=org
cn=Why,dc=lemonldap-ng,dc=org
● More and more web applications/services requiring authentication
● Password strength ↘ as the number of passwords ↗ (human laziness)
● LDAP directory can help to have single credentials but not single sign on
cn=Definition,dc=lemonldap-ng,dc=org
● Single Sign On authentication allows users to submit their credentials only once, and to access all trusted applications
● Applications do not manage passwords anymore
● Identity of the user is forwarded to applications by the SSO software
cn=Kinematics,dc=lemonldap-ng,dc=org
[Diagram: User, Web Application, WebSSO Portal, exchanges 1, 2, 3]
cn=Delegation,dc=lemonldap-ng,dc=org
gn=Reverse+sn=Proxy,dc=lemonldap-ng,dc=org
cn=Friends,dc=lemonldap-ng,dc=org
● WebSSO often shares its spare time with:
– Access Management: RBAC, OrBAC, WYWBAC (What You Want Based Access Control)
– Self Service: password recovery, account creation
– Identity federation: share identity over defined protocols (OpenID, SAML, etc.)
dc=lemonldap-ng,dc=org
cn=History,dc=lemonldap-ng,dc=org
● LemonLDAP was founded in 2003 by Eric GERMAN (MINEFI) to replace Novell WebSSO product (Novell → llevon → Lemon)
● Like Novell or SiteMinder, LemonLDAP uses HTTP headers to forward user identity
● LemonLDAP::NG is a complete rewrite of LemonLDAP, founded by Xavier GUIMARD (Gendarmerie Nationale) in 2005
● Thomas CHEMINEAU and Clément OUDOT (LINAGORA) complete the core team.
cn=Components,dc=lemonldap-ng,dc=org
● LemonLDAP::NG main components:
– Portal: authentication process, user interaction, application menu, password change form
– Manager: configuration interface, sessions explorer
– Handler: Apache agent, manages access authorizations
● Perl, only Perl, just Perl
● Relies on Apache and mod_perl
cn=Architecture,dc=lemonldap-ng,dc=org
cn=Kinematics,dc=lemonldap-ng,dc=org
1. User tries to access a protected application; his request is caught by the Handler
2. SSO cookie is not detected, so the Handler redirects the user to the Portal
3. User authenticates on the Portal
4. Portal checks authentication
5. If authentication succeeds, Portal collects user data
6. Portal creates a session to store user data
7. Portal gets the session key
8. Portal creates the SSO cookie with the session key as value
9. User is redirected to the protected application, with his new cookie
10. Handler gets the session key from the cookie and gets the session
11. Handler stores user data in its cache
12. Handler checks access rules and sends headers to the protected application
13. Protected application sends its response to the Handler
14. Handler sends the response to the user
description=Application protection, dc=lemonldap-ng,dc=org
● LemonLDAP::NG uses the Apache virtual host as application identifier
● Each application owns:
– Access rules: each rule refers to a URL pattern; logout can be caught
– HTTP headers: each header contains a session value, or an evaluated Perl expression
– POST data: only used for form replay
– Redirection options: protocol and port
cn=Examples,dc=lemonldap-ng,dc=org
● Access rules:
– default → accept
– ^/admin → $groups =~ /admin/
– ^/logout.php → logout_sso
● HTTP headers:
– Auth-User → $uid
– Auth-Name → uc($sn).", ".ucfirst($gn)
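As an added example (not code from the LemonLDAP::NG project), the following Perl script shows how a Handler-style agent turns rules and headers like the ones above into an access decision and a set of request headers. The virtual host, the sessions and the "first matching pattern wins" ordering are constructed for this example.

```perl
# Added example, not LemonLDAP::NG code: a Handler-style agent applying the
# slide's rules and headers to requests. Session data below is constructed.
use strict;
use warnings;

# Compile a configured Perl expression into a closure over the session data.
# Session keys become lexicals ($uid, $groups, ...) so an administrator can
# write "$groups =~ /admin/". Expressions are trusted configuration, never request input.
sub compile_expr {
    my ($expr, @keys) = @_;
    my $decl = join '', map { sprintf('my $%s = $s->{%s};', $_, $_) } @keys;
    my $code = eval "sub { my \$s = shift; $decl $expr }";
    die "cannot compile '$expr': $@" if $@;
    return $code;
}

# Virtual host configuration as on the slide; here the first matching URL pattern wins.
my @keys  = qw(uid sn gn groups);
my %vhost = (
    rules => [
        [ qr{^/logout\.php}, 'logout_sso' ],
        [ qr{^/admin},       compile_expr('$groups =~ /admin/', @keys) ],
    ],
    default => 'accept',
    headers => {
        'Auth-User' => compile_expr('$uid', @keys),
        'Auth-Name' => compile_expr('uc($sn).", ".ucfirst($gn)', @keys),
    },
);

# Returns (decision, \%headers); headers are only built when access is granted.
sub handle {
    my ($path, $session) = @_;
    my $rule = $vhost{default};
    for my $r (@{ $vhost{rules} }) {
        if ($path =~ $r->[0]) { $rule = $r->[1]; last }
    }
    return ('logout', {}) if !ref $rule && $rule eq 'logout_sso';
    my $ok = ref $rule ? $rule->($session) : $rule eq 'accept';
    return ('deny', {}) unless $ok;                    # Handler answers 403
    my %h = map { ($_ => $vhost{headers}{$_}->($session)) } keys %{ $vhost{headers} };
    return ('accept', \%h);
}

# Constructed sessions: $groups is the "; "-joined list of the user's groups.
for my $s ({ uid => 'coudot', sn => 'Oudot', gn => 'clement', groups => 'users; admin' },
           { uid => 'guest',  sn => 'Doe',   gn => 'john',    groups => 'users' }) {
    for my $p ('/index.html', '/admin/users', '/logout.php') {
        my ($d, $h) = handle($p, $s);
        print "$s->{uid} $p => $d ", join(' ', map { "$_=\"$h->{$_}\"" } sort keys %$h), "\n";
    }
}
```

The second session is denied on /admin/users because its $groups value does not match /admin/, while the first receives Auth-User "coudot" and Auth-Name "OUDOT, Clement".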
cn=Configuration,dc=lemonldap-ng,dc=org
● Configuration is shared between all components
● It can be stored in:
– Local files
– SQL database
– LDAP directory
● Configuration is also available through SOAP
jpegPhoto=Configuration interface, dc=lemonldap-ng,dc=org
cn=Cookies and sessions, dc=lemonldap-ng,dc=org
● Cookies and sessions have a lifetime
● Sessions can also have an idle timeout
● Sessions can be stored in File, LDAP, SQL, noSQL (Memcached, Redis, Cassandra, …)
● Sessions are also available through SOAP
● Cookies can be protected to travel only on secure connections
● Cross domain is managed
cn=Authentication methods, dc=lemonldap-ng,dc=org
● LemonLDAP::NG supports a lot of authentication methods:
– LDAP
– Database
– SSL X509
– Apache built-in modules (Kerberos, OTP, ...)
– SAML 2.0
– OpenID
– Twitter
– CAS
– Yubikey
● Methods can be stacked or displayed together
cn=Identity provider, dc=lemonldap-ng,dc=org
● LemonLDAP::NG is a federation product, allowing services to get the user identity through standard protocols:
– SAML 2.0
– OpenID 2.0
– CAS 1.0 and 2.0
ou=LDAP,dc=lemonldap-ng,dc=org
● LemonLDAP::NG has been in love with LDAP since its birth:
– Authentication, user data mining and password change
– Group membership
– Password policy
– Configuration and sessions
cn=Standard,ou=LDAP,dc=lemonldap-ng,dc=org
● Classical LDAP authentication process:
– Search the directory to get the DN from the user login
– Bind with the found DN and the user password
● User data:
– Get attributes and store them in session data
– Manage multi-valued attributes
● Many configuration options: version, timeout, binary attributes, search base, search filter, attributes...
cn=Group Membership,ou=LDAP, dc=lemonldap-ng,dc=org
● LemonLDAP::NG can collect groups:
– Search on a group branch
– Keep groups where the user is a member
● Advanced feature: recursive groups:
– Keep the whole group hierarchy
● LDAP groups can be mixed with locally defined groups
● Many configuration options: search base, groups objectClass and attributes, recursivity
cn=Password Policy,ou=LDAP, dc=lemonldap-ng,dc=org
● Uses the Password Policy defined in the Behera draft:
– Authentication:
  – Display that the account is locked or expired
  – Display seconds before expiration and used graces
– Password change:
  – Display constraint check results (quality, size, history, …)
  – Force password change if requested by the directory
● Can use password policy with a standard modify operation, or with the password modify extended operation
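An added example, not the project's own code, that carries the search-then-bind process from the Standard slide and the password policy control from this slide through in Perl with the CPAN Net::LDAP modules. Host, search base, filter and attribute list are assumptions; login and password are read from the command line, so it needs a reachable directory.

```perl
# Added example, not LemonLDAP::NG code: search-then-bind LDAP authentication
# with the Behera password policy control. Host, base DN and filter are assumed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Control::PasswordPolicy;
use Net::LDAP::Constant qw(LDAP_CONTROL_PASSWORDPOLICY LDAP_SUCCESS);

my $host  = 'ldap.example.com';            # assumed directory host
my $base  = 'ou=users,dc=example,dc=com';  # assumed search base
my @attrs = qw(uid cn mail memberOf);      # attributes copied into the session

# Returns the session data hashref, or dies with the message shown to the user.
sub authenticate {
    my ($login, $password) = @_;
    my $ldap = Net::LDAP->new($host, version => 3, timeout => 5)
        or die "LDAP connection failed: $@\n";
    # 1. Search to turn the login into a DN; escaping keeps a crafted login from rewriting the filter.
    my $filter = '(&(objectClass=inetOrgPerson)(uid=' . escape_filter_value($login) . '))';
    my $search = $ldap->search(base => $base, scope => 'sub', filter => $filter, attrs => \@attrs);
    die "LDAP search error: " . $search->error . "\n" if $search->code;
    # Same message as for a wrong password, so the portal does not confirm which logins exist.
    my $entry = $search->entry(0) or die "Bad credentials\n";
    # 2. Bind as the found DN with the password policy request control attached.
    my $pp   = Net::LDAP::Control::PasswordPolicy->new;
    my $bind = $ldap->bind($entry->dn, password => $password, control => [$pp]);
    my ($resp) = $bind->control(LDAP_CONTROL_PASSWORDPOLICY);
    my %ppolicy;
    if ($resp) {
        $ppolicy{error}  = $resp->pp_error;                  # 0 expired, 1 locked, 2 must change
        $ppolicy{expire} = $resp->time_before_expiration;    # seconds, when expiration is near
        $ppolicy{graces} = $resp->grace_authentications_remaining;
    }
    if ($bind->code != LDAP_SUCCESS) {
        die "Account is locked\n"    if defined $ppolicy{error} && $ppolicy{error} == 1;
        die "Password has expired\n" if defined $ppolicy{error} && $ppolicy{error} == 0;
        die "Bad credentials\n";
    }
    # 3. Collect user data; get_value in list context keeps every value of memberOf.
    my %session = map { ($_ => [ $entry->get_value($_) ]) } @attrs;
    $session{dn}         = $entry->dn;
    $session{ppolicy}    = \%ppolicy;
    $session{mustChange} = (defined $ppolicy{error} && $ppolicy{error} == 2) ? 1 : 0;   # changeAfterReset
    $ldap->unbind;
    return \%session;
}

my $data = authenticate(@ARGV);
printf "Authenticated %s (groups: %s)\n", $data->{dn}, join(', ', @{ $data->{memberOf} });
```

A portal would show the stored expire and graces values on success and redirect to the password change form when mustChange is set.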
cn=Configuration+cn=Sessions, ou=LDAP, dc=lemonldap-ng,dc=org
● Configuration and sessions can be stored in an LDAP directory
● Uses the standard Apache::Session API
● Allows easy multi-master architecture deployment
cn=The End,dc=lemonldap-ng,dc=org
cn=Thanks,dc=lemonldap-ng,dc=org
● Thanks to:
– LDAPCon organization for letting me speak in front of you
– LDAP Get Together France people for staying until the end of this conference
– LDAP standard for being complicated enough to allow me to teach it to others who do not want to learn it alone
● Stay in touch:
– Identica: @coudot
– Twitter: @clementoudot
– IRC: KPTN #lemonldap-ng@freenode
cn=Questions,dc=lemonldap-ng,dc=org