Documentation for LemonLDAP::NG 2.0

LL::NG logo

Upgrading

Configuration

Configuring your Web server

Portal

image6

Authentication, users and password databases

image7

Official Backends

Authentication

Users

Password

Active Directory

Apache (Basic, NTLM, OTP, …)

CAS

new

SQL Databases

Demonstration

Facebook

GitHub new 1

GPG new 2

Kerberos new

LDAP

LinkedIn

Null

OpenID Connect

PAM new

Proxy LL::NG

Radius

REST new

SAML 2.0 / Shibboleth

Slave

SSL

Twitter

WebID

Yubico OTP deprecated

Replaced by Yubico OTP Second Factor

Custom modules new

Combo Backends

Authentication

Users

Password

Choice by users

Combination of auth schemes new

✔ (since 2.0.10)

Multiple backends stack deprecated

Replaced by Combination

Obsolete Backends

Authentication

Users

Password

OpenID

Remote LL::NG

Second factor (documentation)

Authentication

Self-registration

TOTP (Google Authenticator,…) new

WebAuthn new

E-mail Second Factor new

18

Yubico OTP new

External Second Factor (OTP, SMS,…) new

18

REST Second Factor new

18

Radius Second Factor new 3

Password as second factor new 4

TOTP-or-U2F deprecated

U2F deprecated

New in version 2.0.6: See Additional second factors for configuring several multiple REST, external or e-mail based second factors with different parameters

Auth addons

Authentication

Auto Signin new

Identity provider

Tip

image26

Protocol

Service Provider

Identity Provider

CAS 1.0 / 2.0 / 3.0

SAML 2.0 / Shibboleth

OpenID Connect

OpenID 2.0 (deprecated)

Get parameters provider (for poor applications)

Options

Issuers timeout: Delay for issuers for submitting their authentication requests

Tip

  • To avoid a bad/expired token and lose redirection to the SP protected application after authentication if IdP URLs are served by different load balancers, you can force Issuer tokens to be stored into Global Storage by editing lemonldap-ng.ini in section [portal]:

[portal]
forceGlobalStorageIssuerOTT = 1

Attacks and Protection

Tip

To learn or find out more about security, go to Security documentation

image27

Attack

LLNG protection

System Integrator protection

Brute Force

Page Content

CSRF

Deny of Service

Invisible iFrame

Man-in-the-Middle

Software Exploit

SSO by-passing

XSS

IP reputation

Plugins

image28

Name

Description

Adaptative authentication

Rules to modulate authentication level

Auto Signin

Sign-in automatically

Brute Force protection

User must wait to log in after some failed login attempts

CDA

Cross Domain Authentication

Check DevOps 5 new

Check DevOps handler file

Check HIBP 19 new

Check Have I Been Pwned

Check entropy 21 new

Check entropy of password

InitializePasswordReset 22 new

Initialize Password Reset by mail

Check state new

Check state plugin (test page)

Check user 6

Check access rights, transmitted headers and session attibutes for a specific user and URL

Configuration viewer

Edit WebSSO configuration in Read Only mode

Context switching 7

Switch context other users

CrowdSec 8new

CrowdSec bouncer

Custom

Write a custom plugin

Decrypt value 9

Decrypt ciphered values

Display login history

Display Success/Fails logins

Find user 12new

Search for user account

Force authentication

Force authentication to access to Portal

Global logout 10

Suggest to close all opened sessions at logout

Grant sessions

Rules to apply before allowing a user to open a session

Impersonation 11

Allow users to use another identity

NewLocationWarning 13new

Send an email when user sign in from a new location

Notifications system

Display a message during log in process

Portal status

Experimental portal status page

Public pages

Enable public pages system

Refresh session API 14

Plugin that provides an API to refresh a user session

Reset certificate by mail 15new

Allow users to reset their certificate

Reset password by mail

Send a mail to reset its password

Remember auth choice 20new

Remember user last authentication choice

REST services

REST server for Proxy

SOAP services deprecated

SOAP server for Proxy

Trusted browser

Remember previous authentications

Upgrade session

This plugin explains to an already authenticated user that a higher authentication level is required to access the URL instead of reject him

Handlers

image41

Handlers are software control agents to be installed on your web servers (Nginx, Traefik, Apache, PSGI like Plack based servers or Node.js).

Handler type

Apache

LLNG FastCGI/uWSGI server (Nginx, Traefik or SSOaaS)

Plack servers

Node.js ( express apps or SSOaaS)

Self protected apps

Comment

Main (default handler)

Partial ** 16 **

AuthBasic

Designed for some server-to-server applications

CDA

For Cross Domain Authentication

DevOps (SSOaaS) new

Allows application developers to define their own rules and headers inside their applications

DevOpsST (SSOaaS) new

Enables both DevOps and Service Token

DevOpsCDA (SSOaaS) new

Enables both DevOps and CDA

OAuth2 17new

Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services

Secure Token

Designed to secure exchanges between a LLNG reverse-proxy and a remote app

Service Token new (Server-to-Server)

Designed to permit underlying requests (API-Based Infrastructure)

Zimbra PreAuth

LLNG databases

Configuration database

image46

LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one in the following list:

Backend

Shareable

Comment

File (JSON)

Not shareable between servers except if used in conjunction with REST or with a shared file system (NFS,…). Selected by default during installation.

YAML new

Same as File but in YAML format instead of JSON

SQL (CDBI/RDBI)

Recommended for large-scale systems. Prefer CDBI.

Cassandra

Via SQL pseudo-driver

LDAP

MongoDB deprecated

SOAP deprecated

Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers.

REST new

Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers.

Local new

Use only lemonldap-ng.ini parameters.

Tip

You can not start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one.

Sessions database

image50

Sessions are stored using Apache::Session modules family. All Apache::Session style modules are usable except for some features.

Attention

If you plan to use LLNG in a large-scale system, take a look at Performance Test to choose the right backend. A Browseable SQL backend is generally a good choice.

Backend

Shareable

Session explorer

Session restrictions

Session expiration

Comment

File

Not shareable between servers except if used in conjunction with REST session backend or with a shared file system (NFS,…). Selected by default during installation.

PgJSON

Recommended backend for production installations

Browseable MySQL

Recommended for those who prefer MySQL

Browseable LDAP

Redis

The fastest. Must be secured by network access control.

MongoDB deprecated

Must be secured by network access control.

Cassandra

Another supported NoSQL DB

SQL

Unoptimized for session explorer and single session features.

REST new

Proxy backend to be used in conjunction with another session backend.

SOAP deprecated

Proxy backend to be used in conjunction with another session backend.

Tip

You can migrate from one session backend to another using the session conversion script. (new since 2.0.7)

Applications protection

image53

Well known compatible applications

Note

Here is a list of well known applications that are compatible with LL::NG. A full list is available on vendor applications page.

adfs alfresco awx bugzilla dokuwiki drupal fusiondirectory gitlab glpi liferay mediawiki nextcloud simplesamlphp wordpress xwiki zimbra

Bug report

See How to report a bug.

Developer corner

To contribute, see :

To develop an handler, see:

To develop a portal plugin, see manpages:

  • Lemonldap::NG::Portal

  • Lemonldap::NG::Portal::Auth

  • Lemonldap::NG::Portal::UserDB

  • Lemonldap::NG::Portal::Main::SecondFactor

  • Lemonldap::NG::Portal::Main::Issuer

  • Lemonldap::NG::Portal::Main::Plugin

  • Lemonldap::NG::Portal::Main::Request (the request object)

To add a new language:

If you don’t want to publish your translation (XX must be replaced by your language code):

  • Manager: translate lemonldap-ng-manager/site/htdocs/static/languages/en.json in lemonldap-ng-manager/site/htdocs/static/languages/XX.json and enable it in “lemonldap-ng.ini” file

  • Portal: translate lemonldap-ng-portal/site/htdocs/static/languages/en.json in lemonldap-ng-portal/site/htdocs/static/languages/XX.json and enable it in “lemonldap-ng.ini” file

  • Portal Mails: translate lemonldap-ng-portal/site/templates/common/mail/en.json in lemonldap-ng-portal/site/templates/common/mail/XX.json

1

GitHub authentication is available with LLNG ≥ 2.0.8

2

GPG authentication is available with LLNG ≥ 2.0.2

3

Radius second factor is available with LLNG ≥ 2.0.6

4

Password second factor is available with LLNG ≥ 2.0.16

5

Check DevOps file plugin is available with LLNG ≥ 2.0.12

6

Check user plugin is available with LLNG ≥ 2.0.3

7

Context switching plugin is available with LLNG ≥ 2.0.6

8

CrowdSec bouncer is available with LLNG ≥ 2.0.12

9

Decrypt value plugin is available with LLNG ≥ 2.0.7

10

Global Logout plugin is available with LLNG ≥ 2.0.7

11

Impersonation plugin is available with LLNG ≥ 2.0.3

12

Find user plugin is available with LLNG ≥ 2.0.11

13

NewLocationWarning is available with LLNG ≥ 2.0.14

14

Refresh session API plugin is available with LLNG ≥ 2.0.7

15

Reset certificate by mail plugin is available with LLNG ≥ 2.0.7

16

Node.js handler has not yet reached the same level of functionalities

17

OAuth2 Handler is available with LLNG ≥ 2.0.4

18(1,2,3)

When configured as an additional second factor, see Registration

19

Check HIBP plugin is available with LLNG ≥ 2.0.16

20

Remember AuthChoice plugin is available with LLNG ≥ 2.0.15

21

Check entropy plugin is available with LLNG ≥ 2.18.0

22

initializePasswordReset is available with LLNG ≥ 2.18.0