Documentation for LemonLDAP::NG 2.0

Presentation

Installation

Before installation

Installation

After installation

Configuration

First steps

Portal

Authentication, users and password databases

Official Backends Authentication Users Password
Active Directory
Apache (Basic, NTLM, OTP, ...)
CAS
SQL Databases
Demonstration
Facebook
GPG 1)
Kerberos
LDAP
LinkedIn
Null
OpenID Connect
PAM
Proxy LL::NG
Radius
REST
SAML 2.0 / Shibboleth
Slave
SSL
Twitter
WebID
Yubikey Deprecated, replaced by Yubikey second factor
Custom modules
Combo Backends Authentication Users Password
Choice by users
Combination of auth schemes
Multiple backends stack Deprecated, replaced by Combination
Obsolete Backends Authentication Users Password
OpenID
Remote LL::NG
Second factor (documentation) Authentication
TOTP-or-U2F
U2F
TOTP (Google Authenticator,...)
E-mail Second Factor
External Second Factor (OTP, SMS,...)
Radius Second Factor 2)
REST Second Factor
Yubikey
Additional second factors 3)
Auth addons Authentication
Auto Signin

Identity provider

Protocol Service Provider Identity Provider
CAS 1.0 / 2.0 / 3.0
SAML 2.0 / Shibboleth
OpenID 2.0 (obsolete)
OpenID Connect
Get parameters provider (for poor applications)

* Issuers timeout: delay allowed for issuers to submit their authentication requests (an issuer one-time token older than this is no longer accepted)

* If the IdP URLs are served by different load balancers (and therefore possibly by different portal nodes), an issuer token created on one node may be unknown on the node that receives the login form. The result is a bad/expired token error and the redirection to the SP-protected application is lost after authentication. To avoid this, force Issuer tokens to be stored in the Global Storage by editing lemonldap-ng.ini in section [portal]:

[portal]
forceGlobalStorageIssuerOTT = 1
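
The following simulation is an added illustration, not LemonLDAP::NG code: it models two portal nodes behind a load balancer, a one-time token (OTT) store that is either per-node or shared, and shows the lost-redirection failure the paragraph above describes, the single-use property of the token, and the role of the issuers timeout as the token's lifetime. The class names, the two-node model, the 120 second default and the sample SP request are assumptions chosen for the demonstration.

```python
# Added illustration (not LemonLDAP::NG code): why issuer one-time tokens
# must be in shared storage when several portal nodes serve the IdP URLs.
# The classes, the two-node model and the sample SP request are assumptions.
import secrets


class OneTimeTokenStore:
    """token -> (expiry, payload). consume() pops the entry, so a token is
    redeemable once at most: replaying a captured callback URL yields None."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds          # maps to the "Issuers timeout" setting
        self._entries = {}

    def issue(self, payload, now):
        token = secrets.token_urlsafe(32)       # unguessable, 256-bit
        self._entries[token] = (now + self.ttl, payload)
        return token

    def consume(self, token, now):
        entry = self._entries.pop(token, None)  # single use
        if entry is None:
            return None
        expiry, payload = entry
        return payload if now <= expiry else None


class PortalNode:
    """One portal instance behind the load balancer."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def begin(self, sp_request, now):
        # Unauthenticated SP request: park it behind a token, show the login form.
        return self.store.issue(sp_request, now)

    def resume(self, token, now):
        # Login form submitted: redeem the token to learn where to send the user.
        return self.store.consume(token, now)


# Constructed sample of what an issuer parks behind the token.
SP_REQUEST = {"sp": "https://sp.example.org/acs", "relay": "/private/doc"}


def issuer_roundtrip(shared_storage, callback_on_other_node, login_delay,
                     issuers_timeout=120):
    """Simulate SP -> IdP -> login -> SP across two portal nodes.
    Returns the recovered SP request, or None if the redirection is lost."""
    if shared_storage:                      # forceGlobalStorageIssuerOTT = 1
        common = OneTimeTokenStore(issuers_timeout)
        node_a, node_b = PortalNode("a", common), PortalNode("b", common)
    else:                                   # per-node local token cache
        node_a = PortalNode("a", OneTimeTokenStore(issuers_timeout))
        node_b = PortalNode("b", OneTimeTokenStore(issuers_timeout))
    token = node_a.begin(SP_REQUEST, now=0)
    target = node_b if callback_on_other_node else node_a
    return target.resume(token, now=login_delay)


def replay_is_rejected():
    """A token redeemed once must not be redeemable again."""
    store = OneTimeTokenStore(120)
    token = store.issue(SP_REQUEST, now=0)
    first = store.consume(token, now=1)
    second = store.consume(token, now=2)
    return first is not None and second is None


if __name__ == "__main__":
    print("local store, same node  :", issuer_roundtrip(False, False, 10))
    print("local store, other node :", issuer_roundtrip(False, True, 10))
    print("global store, other node:", issuer_roundtrip(True, True, 10))
    print("global store, too slow  :", issuer_roundtrip(True, True, 300))
    print("replay rejected         :", replay_is_rejected())
```

The shared store must still enforce single use and expiry: moving tokens to the Global Storage fixes the routing problem, it does not relax the one-time property, and the issuers timeout still bounds how long a parked request can be resumed.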

Attacks and Protection

To learn or find out more about security, go to Security documentation

Attack LLNG protection System Integrator protection
Brute Force
Page Content
CSRF
Denial of Service
Invisible iFrame
Man-in-the-Middle
Software Exploit
SSO by-passing
XSS

Plugins

Name Description
Auto Signin Auto Signin Addon
Brute Force protection User must wait to log in after 3 failed login attempts
CDA Cross Domain Authentication
Check state Check state plugin (test page)
Check user 4) Check access rights, transmitted headers and session attributes for a specific user and URL
Configuration viewer Edit WebSSO configuration in Read Only mode
Context switching 5) Switch context to other users
Custom Write a custom plugin
Decrypt value 6) Decrypt ciphered values
Display login history
Force Authentication Force authentication to access to Portal
Global Logout 7) Suggest to close all opened sessions at logout
Grant Sessions Rules to apply before allowing a user to open a session
Impersonation 8) Allow users to use another identity
Notifications system
Refresh session API 9) Plugin that provides an API to refresh a user session
Portal Status Experimental portal status page
Public pages Enable public pages system
Reset password by mail
REST services REST server for Proxy
SOAP services (deprecated) SOAP server for Proxy
Stay connected Enable persistent connection on same browser
Upgrade session Plugin that explains to the user that a more secure authentication is needed, instead of rejecting the request
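
As an added illustration of the rule stated for the Brute Force protection plugin (refuse logins for a while after 3 failed attempts), and not the plugin's own code, the following guard keeps a per-account failure history and returns the remaining wait. The parameter names, the 30 second lock, the 300 second window and the sample users are assumptions; what the example adds is the handling a practitioner needs in a clustered portal: the counter must live in a storage shared by all nodes, otherwise attempts spread across nodes never trip it.

```python
# Added illustration (not the LLNG plugin's code) of the lockout rule the
# table states: refuse logins for a while after 3 failed attempts.
# Parameter names, the lock duration and the sample users are assumptions.
from collections import deque


class BruteForceGuard:
    """Per-account failure history. Once `max_failures` failures fall inside
    `window` seconds, logins are refused until `lock_time` seconds have
    passed since the last failure. `store` maps user -> deque of timestamps;
    in a multi-node portal it must live in the shared session backend."""

    def __init__(self, max_failures=3, lock_time=30, window=300, store=None):
        self.max_failures = max_failures
        self.lock_time = lock_time
        self.window = window
        self.store = {} if store is None else store

    def _recent_failures(self, user, now):
        history = self.store.setdefault(user, deque())
        while history and now - history[0] > self.window:
            history.popleft()              # forget failures outside the window
        return history

    def wait_time(self, user, now):
        """Seconds the user must still wait; 0 if a login may be attempted."""
        history = self._recent_failures(user, now)
        if len(history) < self.max_failures:
            return 0
        return max(0, self.lock_time - (now - history[-1]))

    def record_failure(self, user, now):
        self._recent_failures(user, now).append(now)

    def record_success(self, user):
        self.store.pop(user, None)         # a good login clears the history


def attempt_login(guard, user, password, now, check_password=lambda u, p: False):
    """Returns ("locked", seconds) without touching the password backend
    while the lock holds, otherwise ("ok", 0) or ("failed", seconds_to_wait)."""
    wait = guard.wait_time(user, now)
    if wait > 0:
        return ("locked", wait)
    if check_password(user, password):
        guard.record_success(user)
        return ("ok", 0)
    guard.record_failure(user, now)
    return ("failed", guard.wait_time(user, now))


if __name__ == "__main__":
    guard = BruteForceGuard()
    for t in (0, 1, 2, 10):
        print(t, attempt_login(guard, "alice", "wrong", now=t))
    print(33, attempt_login(guard, "alice", "s3cret", now=33,
                            check_password=lambda u, p: p == "s3cret"))
```

Refusing the attempt before the password backend is queried is deliberate: it keeps a locked account from generating load on the LDAP or SQL password database, which also matters for the Denial of Service row of the attacks table.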

Handlers

Handlers are the software control agents installed on your web servers (Nginx, Apache, PSGI/Plack-based servers or Node.js) to check the user's session against the configured access rules and to pass the configured headers to the protected application.

Handler type Apache LLNG FastCGI/uWSGI server (Nginx, or SSOaaS) Plack* servers Node.js (express apps or SSOaaS) Self protected apps Comment
Main (default handler) Partial 10)
AuthBasic Designed for some server-to-server applications
CDA For Cross Domain Authentication
DevOps (SSOaaS) Allows application developers to define their own rules and headers inside their applications
DevOpsST (SSOaaS) Enables both DevOps and Service Token
OAuth2 11) Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services
Secure Token Designed to secure exchanges between a LLNG reverse-proxy and a remote app
Service Token (Server-to-Server) Designed to permit underlying requests (API-Based Infrastructure)
Zimbra PreAuth

LLNG databases

Configuration database

LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one in the following list:

Backend Shareable Comment
File (JSON) Not shareable between servers except if used in conjunction with REST or with a shared file system (NFS,...). Selected by default during installation.
YAML Same as File but in YAML format instead of JSON
SQL (RDBI/CDBI) Recommended for large-scale systems. Prefer CDBI.
LDAP
MongoDB
SOAP (deprecated) Proxy backend to be used in conjunction with another configuration backend.
Can be used to secure another backend for remote servers.
REST Proxy backend to be used in conjunction with another configuration backend.
Can be used to secure another backend for remote servers.
Local Use only lemonldap-ng.ini parameters.
You cannot start with an empty configuration, so read how to change configuration backend to convert your existing configuration to another backend.

Sessions database

Sessions are stored using the Apache::Session module family. Any Apache::Session-style module is usable, except for some features (see the columns below).

If you plan to use LLNG in a large-scale system, take a look at Performance Test to choose the right backend. A Browseable SQL backend is generally a good choice.
Backend Shareable Session explorer Session restrictions Session expiration Comment
File Not shareable between servers except if used in conjunction with REST session backend or with a shared file system (NFS,...). Selected by default during installation.
SQL Unoptimized for session explorer and single session features.
LDAP
Redis The fastest. Must be secured by network access control.
MongoDB Must be secured by network access control.
Browseable (SQL, Redis or LDAP) Optimized for session explorer and single session features.
REST Proxy backend to be used in conjunction with another session backend.
Can be used to secure another backend for remote servers.
SOAP (deprecated) Proxy backend to be used in conjunction with another session backend.
Can be used to secure another backend for remote servers.

Applications protection

Well known compatible applications

Here is a list of well known applications that are compatible with LL::NG. A full list is available on vendor applications page.

ADFS

Alfresco

Bugzilla

Dokuwiki

Drupal

FusionDirectory

Gitlab

GLPI

Liferay

Mediawiki

NextCloud

simpleSAMLphp

Wordpress

Xwiki

Zimbra

Advanced features

Mini howtos

Exploitation

Bug report

Developer corner

To contribute, see:

To develop a handler, see:

To develop a portal plugin, see manpages:

  • Lemonldap::NG::Portal
  • Lemonldap::NG::Portal::Auth
  • Lemonldap::NG::Portal::UserDB
  • Lemonldap::NG::Portal::Main::SecondFactor
  • Lemonldap::NG::Portal::Main::Issuer
  • Lemonldap::NG::Portal::Main::Plugin
  • Lemonldap::NG::Portal::Main::Request (the request object)

To add a new language:

If you don't want to publish your translation (XX must be replaced by your language code):

  • Manager: translate lemonldap-ng-manager/site/htdocs/static/languages/en.json into lemonldap-ng-manager/site/htdocs/static/languages/XX.json and enable it in the "lemonldap-ng.ini" file
  • Portal: translate lemonldap-ng-portal/site/htdocs/static/languages/en.json into lemonldap-ng-portal/site/htdocs/static/languages/XX.json and enable it in the "lemonldap-ng.ini" file
  • Portal Mails: translate lemonldap-ng-portal/site/templates/common/mail/en.json into lemonldap-ng-portal/site/templates/common/mail/XX.json
1) GPG is available with LLNG ≥ 2.0.2
2) Radius second factor is available with LLNG ≥ 2.0.6
3) Additional second factors is available with LLNG ≥ 2.0.6
4), 8) Check user and Impersonation are available with LLNG ≥ 2.0.3
5) Context switching is available with LLNG ≥ 2.0.6
6) Decrypt value is available with LLNG ≥ 2.0.7
7) Global Logout is available with LLNG ≥ 2.0.7
9) Refresh session plugin is available with LLNG ≥ 2.0.7
10) Node.js handler has not yet reached the same level of functionalities
11) OAuth2 Handler is available with LLNG ≥ 2.0.4