Documentation for LemonLDAP::NG 2.0

Presentation
Upgrading
Installation
Configuration
Configuring your Web server
Deploy Nginx configuration (recommended configuration)
Basics
Portal
Authentication, users and password databases
Official Backends | Authentication | Users | Password |
---|---|---|---|
✔ | ✔ | ✔ | |
✔ | |||
✔ | |||
✔ | ✔ | ✔ | |
✔ | ✔ | ✔ | |
✔ | ✔ | ||
✔ | |||
✔ | |||
✔ | |||
✔ | ✔ | ✔ | |
✔ | |||
✔ | ✔ | ✔ | |
✔ | ✔ | ||
✔ | |||
✔ | ✔ | ||
✔ | |||
✔ | ✔ | ✔ | |
✔ | ✔ | ||
✔ | ✔ | ||
✔ | |||
✔ | |||
✔ | ✔ | ||
✔ | |||
Replaced by Yubico OTP Second Factor | |||
✔ | ✔ | ✔ |
Combo Backends | Authentication | Users | Password |
---|---|---|---|
✔ | ✔ | ✔ | |
✔ | ✔ | ✔ (since 2.0.10) | |
Replaced by Combination |
Obsolete Backends | Authentication | Users | Password |
---|---|---|---|
✔ | ✔ | ||
✔ | ✔ |
Second factor (documentation) | Authentication | Self-registration |
---|---|---|
TOTP(Google Authenticator,…) | ✔ | ✔ |
✔ | ✔ | |
✔ | ||
✔ | ✔ | |
External Second Factor(OTP, SMS,…) | ✔ | |
✔ | ||
✔ | ||
✔ | ✔ |
New in version 2.0.6: See Additional second factors for configuring several REST, external or e-mail based second factors with different parameters
Auth addons | Authentication |
---|---|
✔ |
Identity provider
Tip
All identity provider protocols can be used simultaneously
LemonLDAP::NG can be used as a proxy between those protocols
Protocol | Service Provider | Identity Provider |
---|---|---|
✔ | ✔ | |
✔ | ✔ | |
✔ | ✔ | |
OpenID 2.0(deprecated) | ✔ | ✔ |
Get parameters provider(for poor applications) | ✔ | |
✔ |
Options
Issuers timeout: Delay for issuers for submitting their authentication requests
Tip
To avoid a bad/expired token and losing the redirection to the SP protected application after authentication when IdP URLs are served by different load balancers, you can force Issuer tokens to be stored in Global Storage by editing lemonldap-ng.ini in section [portal]:

[portal]
forceGlobalStorageIssuerOTT=1
Attacks and Protection
Tip
To learn or find out more about security, go to Security documentation
Attack | LLNG protection | System Integrator protection |
---|---|---|
✔ | ✔ | |
✔ | ||
✔ | ||
Denial of Service | ✔ | |
✔ | ✔ | |
Man-in-the-Middle | ✔ | |
Software Exploit | ✔ | |
✔ | ||
✔ | ||
✔ | ✔ |
Plugins
Name | Description |
---|---|
Rules to modulate authentication level | |
Sign-in automatically | |
User must wait to log in after some failed login attempts | |
Cross Domain Authentication | |
Check DevOps handler file | |
Check Have I Been Pwned | |
Check entropy of password | |
Initialize Password Reset by mail | |
Check state plugin (test page) | |
Check access rights, transmitted headers and session attributes for a specific user and URL | |
Edit WebSSO configuration in Read Only mode | |
Switch context to other users | |
CrowdSec bouncer | |
Write a custom plugin | |
Decrypt ciphered values | |
Display Success/Fails logins | |
Search for user account | |
Force authentication to access the Portal | |
Suggest to close all opened sessions at logout | |
Rules to apply before allowing a user to open a session | |
Allow users to use another identity | |
Send an email when a user signs in from a new location | |
Display a message during log in process | |
Enable public pages system | |
Plugin that provides an API to refresh a user session | |
Allow users to reset their certificate | |
Send a mail to a user to reset their password | |
Remember user last authentication choice | |
REST server forProxy | |
SOAP server forProxy | |
Remember previous authentications | |
Upgrade session | This plugin explains to an already authenticated user that a higher authentication level is required to access the URL, instead of rejecting the request |
Handlers
Handlers are software control agents to be installed on your web servers (Nginx, Traefik, Apache, PSGI like Plack based servers or Node.js).
Handler type | Apache | LLNG FastCGI/uWSGI server (Nginx, Traefik or SSOaaS) | Node.js (express apps or SSOaaS) | Comment | ||
---|---|---|---|---|---|---|
Main (default handler) | ✔ | ✔ | ✔ | ✔ | ||
✔ | ✔ | ✔ | ✔ | Designed for some server-to-server applications | ||
✔ | ✔ | ✔ | ✔ | For Cross Domain Authentication | ||
✔ | ✔ | ✔ | ✔ | Allows application developers to define their own rules and headers inside their applications | ||
✔ | ✔ | ✔ | ✔ | Enables both DevOps and Service Token | ||
✔ | ✔ | ✔ | ✔ | |||
✔ | ✔ | ✔ | ✔ | Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services | ||
✔ | ✔ | ✔ | Designed to secure exchanges between a LLNG reverse-proxy and a remote app | |||
Service Token | ✔ | ✔ | ✔ | ✔ | ✔ | Designed to permit underlying requests (API-Based Infrastructure) |
✔ | ✔ | ✔ |
LLNG databases
Configuration database
LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one in the following list:
Backend | Shareable | Comment |
---|---|---|
Not shareable between servers except if used in conjunction with REST or with a shared file system (NFS,…). Selected by default during installation. | ||
Same as File but in YAML format instead of JSON | ||
✔ | Recommended for large-scale systems. Prefer CDBI. | |
✔ | Via SQL pseudo-driver | |
✔ | ||
✔ | ||
✔ | Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers. | |
✔ | Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers. | |
Use only lemonldap-ng.ini parameters. | ||
✔ | Pseudo configuration backend that permits one to store part of the configuration in local files (for example to avoid storing secrets in the central configuration) |
Tip
You cannot start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one.
Sessions database
Sessions are stored using the Apache::Session module family. All Apache::Session style modules are usable, except for some features.
Attention
If you plan to use LLNG in a large-scale system, take a look at Performance Test to choose the right backend. A Browseable SQL backend is generally a good choice.
Backend | Shareable | Session explorer | Session restrictions | Session expiration | Comment |
---|---|---|---|---|---|
✔ | ✔ | ✔ | Not shareable between servers except if used in conjunction with REST session backend or with a shared file system (NFS,…). Selected by default during installation. | ||
✔ | ✔ | ✔ | ✔ | Recommended backend for production installations | |
✔ | ✔ | ✔ | ✔ | Recommended for those who prefer MySQL | |
✔ | ✔ | ✔ | ✔ | ||
✔ | ✔ | ✔ | ✔ | The fastest. Must be secured by network access control. | |
✔ | ✔ | ✔ | ✔ | Must be secured by network access control. | |
✔ | ✔ | ✔ | ✔ | Another supported NoSQL DB | |
✔ | ✔ | ✔ | ✔ | Unoptimized for session explorer and single session features. | |
✔ | ✔ | ✔ | ✔ | Proxy backend to be used in conjunction with another session backend. | |
✔ | ✔ | ✔ | ✔ | Proxy backend to be used in conjunction with another session backend. |
Tip
You can migrate from one session backend to another using the session conversion script (since 2.0.7).
Applications protection
Well known compatible applications
Note
Here is a list of well known applications that are compatible with LL::NG. A full list is available on the vendor applications page.
Advanced features
SSO as a Service (SSOaaS)
Deploy LemonLDAP::NG on Plack servers family (Twiggy, Starman, Corona,…)
Mini howtos
Create a protocol proxy (SAML to OpenID, CAS to SAML,…)
Exploitation
Portal state check (health check for fail-over)
Bug report
Developer corner
To contribute, see :
To develop a handler, see:
To develop a portal plugin, see manpages:
Lemonldap::NG::Portal
Lemonldap::NG::Portal::Auth
Lemonldap::NG::Portal::UserDB
Lemonldap::NG::Portal::Main::SecondFactor
Lemonldap::NG::Portal::Main::Issuer
Lemonldap::NG::Portal::Main::Plugin
Lemonldap::NG::Portal::Main::Request (the request object)
To add a new language:
Join us on https://app.transifex.com/lemonldapng/lemonldapng/dashboard/
translate the 3 files
then we will append them in sources.
If you don’t want to publish your translation (XX must be replaced by your language code):
Manager: translate lemonldap-ng-manager/site/htdocs/static/languages/en.json into lemonldap-ng-manager/site/htdocs/static/languages/XX.json and enable it in the “lemonldap-ng.ini” file
Portal: translate lemonldap-ng-portal/site/htdocs/static/languages/en.json into lemonldap-ng-portal/site/htdocs/static/languages/XX.json and enable it in the “lemonldap-ng.ini” file
Portal Mails: translate lemonldap-ng-portal/site/templates/common/mail/en.json into lemonldap-ng-portal/site/templates/common/mail/XX.json
[1] GitHub authentication is available with LLNG ≥ 2.0.8
[2] GPG authentication is available with LLNG ≥ 2.0.2
[3] Radius second factor is available with LLNG ≥ 2.0.6
[4] Password second factor is available with LLNG ≥ 2.0.16
[5] Check DevOps file plugin is available with LLNG ≥ 2.0.12
[6] Check user plugin is available with LLNG ≥ 2.0.3
[7] Context switching plugin is available with LLNG ≥ 2.0.6
[8] CrowdSec bouncer is available with LLNG ≥ 2.0.12
[9] Decrypt value plugin is available with LLNG ≥ 2.0.7
[10] Global Logout plugin is available with LLNG ≥ 2.0.7
[11] Impersonation plugin is available with LLNG ≥ 2.0.3
[12] Find user plugin is available with LLNG ≥ 2.0.11
[13] NewLocationWarning is available with LLNG ≥ 2.0.14
[14] Refresh session API plugin is available with LLNG ≥ 2.0.7
[15] Reset certificate by mail plugin is available with LLNG ≥ 2.0.7
[16] Node.js handler has not yet reached the same level of functionalities
[17] OAuth2 Handler is available with LLNG ≥ 2.0.4
[18] (1,2,3) When configured as an additional second factor, see Registration
[19] Check HIBP plugin is available with LLNG ≥ 2.0.16
[20] Remember AuthChoice plugin is available with LLNG ≥ 2.0.15
[21] Check entropy plugin is available with LLNG ≥ 2.18.0
[22] initializePasswordReset is available with LLNG ≥ 2.18.0