LemonLDAP::NG is a modular WebSSO (Single Sign On) based on Apache::Session modules. It simplifies building a protected area with only a few changes to the application.
It manages both authentication and authorization and provides headers for accounting, so you can have full <acronym title="Authentication Authorization Accounting">AAA</acronym> protection for your web space as described below.
<li class="level1"><div class="li"><strong>Manager</strong>: used to manage the LemonLDAP::NG configuration and to explore sessions. Dedicated to administrators</div>
</li>
<li class="level1"><div class="li"><strong><a href="../documentation/1.0/portal.html" class="wikilink1" title="documentation:1.0:portal">Portal</a></strong>: used to authenticate users, display the applications list and provide identity provider services (<a href="http://en.wikipedia.org/wiki/SAML" class="urlextern" title="http://en.wikipedia.org/wiki/SAML" rel="nofollow">SAML</a>, <a href="http://en.wikipedia.org/wiki/OpenID" class="urlextern" title="http://en.wikipedia.org/wiki/OpenID" rel="nofollow">OpenID</a>, <a href="http://en.wikipedia.org/wiki/Central_Authentication_Service" class="urlextern" title="http://en.wikipedia.org/wiki/Central_Authentication_Service" rel="nofollow">CAS</a>). The Portal also provides many other features (see <a href="../documentation/1.0/portal.html" class="wikilink1" title="documentation:1.0:portal">portal</a> for more)</div>
</li>
<p><div class="noteclassic">We call “database” a backend where we can read or write data. This can be a file, an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> directory, …
</div></p>
<p>
We split databases in two categories:
</p>
<ul>
<li class="level1"><div class="li"><strong>External databases</strong>: not managed by LemonLDAP::NG, for example the user database</div>
</li>
<li class="level1"><div class="li"><strong>Internal databases</strong>: only used by LemonLDAP::NG</div>
</li>
Main <a href="../documentation/current/start.html#authentication_users_and_password_databases" class="wikilink1" title="documentation:latest:start">external databases</a> are:
<li class="level1"><div class="li"><strong><a href="../documentation/current/start.html#configuration_database" class="wikilink1" title="documentation:latest:start">Configuration</a></strong>: where the configuration is stored. This does not include the Apache configuration, which is not managed by LemonLDAP::NG</div>
</li>
<li class="level1"><div class="li"><strong><a href="../documentation/current/start.html#sessions_database" class="wikilink1" title="documentation:latest:start">Sessions</a></strong>: where sessions are stored.</div>
</li>
<li class="level1"><div class="li"> The <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> is not detected, so the Handler redirects the user to the Portal</div>
</li>
<li class="level1"><div class="li"> The Portal creates an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> with the session key as value</div>
</li>
The Handler will then check the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on each <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> request.
<li class="level1"><div class="li"> The Portal destroys the session and redirects the user to itself with an empty <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a></div>
</li>
<li class="level1"><div class="li"> The user is redirected to the Portal and his <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> is empty</div>
</li>
LemonLDAP::NG is also able to <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">catch logout requests</a> on protected applications, with different behaviors:
<li class="level1"><div class="li"><strong><acronym title="Single Sign On">SSO</acronym> logout</strong>: the request is not forwarded to the application, only the <acronym title="Single Sign On">SSO</acronym> session is closed</div>
</li>
<li class="level1"><div class="li"><strong>Application logout</strong>: the request is forwarded to the application but the <acronym title="Single Sign On">SSO</acronym> session is not closed</div>
</li>
<li class="level1"><div class="li"><strong><acronym title="Single Sign On">SSO</acronym> and Application logout</strong>: the request is forwarded to the application and the <acronym title="Single Sign On">SSO</acronym> session is closed</div>
</li>
<li class="level1"><div class="li"> Handlers have a session cache, with a default lifetime of 10 minutes. So for a Handler on a different physical server from the Portal, a user with an expired session can still be authorized until the cache expires.</div>
</li>
<li class="level1"><div class="li"> Sessions are deleted by a scheduled task. Don't forget to install the cron files!</div>
</li>
<p><div class="noteclassic">For security reasons, a cookie provided for a domain cannot be sent to another domain. To extend <acronym title="Single Sign On">SSO</acronym> over several domains, a cross-domain mechanism is implemented in LemonLDAP::NG.
</div></p>
<li class="level1"><div class="li"> The user owns an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on the main domain (see <span class="curid"><a href="../documentation/presentation.html#login" class="wikilink1" title="documentation:presentation">Login kinematics</a></span>)</div>
</li>
<li class="level1"><div class="li"> The Handler does not see the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> (because it is not in the main domain) and redirects the user to the Portal</div>
</li>
<li class="level1"><div class="li"> The Portal recognizes the user by his <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a>, and sees that he is coming from a different domain</div>
</li>
<li class="level1"><div class="li"> The Portal redirects the user to the protected application with his session ID as a <acronym title="Uniform Resource Locator">URL</acronym> parameter</div>
</li>
<li class="level1"><div class="li"> The Handler detects the <acronym title="Uniform Resource Locator">URL</acronym> parameter and creates an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on its domain, with the session ID as value</div>
</li>
<li class="level1"><div class="li"><strong>Check the requested <acronym title="Uniform Resource Locator">URL</acronym></strong>: prevents <acronym title="Cross Site Scripting">XSS</acronym> attacks and bad redirections</div>
</li>
<li class="level1"><div class="li"><strong>Extract form info</strong>: get login/password, certificate or environment variable (depending on the authentication module)</div>
</li>
LemonLDAP::NG <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a> are generated by <a href="http://search.cpan.org/perldoc?Apache::Session" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session" rel="nofollow">Apache::Session</a>; they are as secure as a 128-bit random cookie. You may use the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">securedCookie</a> option to avoid session hijacking.
<li class="level1"><div class="li"> A <acronym title="Uniform Resource Locator">URL</acronym> pattern (or <code>default</code> to match all other URLs)</div>
</li>
<p><div class="noteclassic">Authorizations are defined inside a virtual host and take effect only on it. There are no <em>global</em> authorizations except the right to open a session in the portal.
</div></p>
<li class="level1"><div class="li"> A <acronym title="Practical Extraction and Report Language">Perl</acronym> expression: a Perl code snippet that returns 0 or 1</div>
</li>
</ul>
<p>
Some examples:
</p>
<ul>
<li class="level1"><div class="li"> Accept all authenticated users:</div>
</li>
</ul>
<p><div class="notetip"><code>\b</code> means the start or end of a word in PCRE (<acronym title="Practical Extraction and Report Language">Perl</acronym> Compatible Regular Expressions)
</div></p>
See the <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">Writing rules and headers</a> chapter.
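<p>As an added example (not from the LemonLDAP::NG documentation or code base), the following Perl script shows how a virtual host's rules of this form (<acronym title="Uniform Resource Locator">URL</acronym> pattern plus <code>default</code>, each mapped to a Perl expression returning 0 or 1) and header definitions are evaluated against a session. The session attributes, rules, header names and URLs are constructed for the illustration, and <code>accept</code>/<code>deny</code> are treated as shorthand for always-true/always-false.</p>

```perl
# Added illustration, not LemonLDAP::NG code: mimics how a Handler applies one
# virtual host's rules (URL pattern => Perl expression, plus "default") and its
# exported headers to a session. Attribute names ($uid, $groups, $mail) and every
# session, rule and header value below are constructed; rule ordering is simplified.
use strict;
use warnings;

# Constructed session, as stored by the Portal (keyed by the SSO cookie value).
my %session = ( uid => 'dwho', groups => 'users; staff', mail => 'dwho@example.com' );
# Constructed rules: pattern => expression returning 0/1 ("accept"/"deny" are the
# usual shorthands); a URL matching no pattern falls back to "default".
my %rules = (
    '^/admin/' => '$groups =~ /\badmins\b/',   # \b: whole word only
    '^/staff/' => '$groups =~ /\bstaff\b/',
    '^/public' => 'accept',
    'default'  => '$uid eq "dwho" or $groups =~ /\bstaff\b/',
);
# Constructed header export: header name => expression on session attributes.
my %headers = ( 'Auth-User' => '$uid', 'Auth-Mail' => '$mail' );

# Rewrite each $name into a session lookup, then evaluate the snippet. Rules and
# headers are administrator-defined configuration (from the Manager), never
# request data, which is why a string eval is acceptable here.
sub eval_expr {
    my ( $expr, $session ) = @_;
    ( my $code = $expr ) =~ s/\$(\w+)/\$session->{'$1'}/g;
    my $res = eval $code;
    die "bad expression '$expr': $@" if $@;
    return $res;
}

sub is_authorized {
    my ( $rules, $session, $uri ) = @_;
    # First matching pattern wins (sorted here for determinism), else "default".
    my ($pat) = grep { $_ ne 'default' && $uri =~ /$_/ } sort keys %$rules;
    my $expr = defined $pat ? $rules->{$pat} : $rules->{default};
    return 0 unless defined $expr;    # no rule at all: deny
    return 1 if $expr eq 'accept';
    return 0 if $expr eq 'deny';
    return eval_expr( $expr, $session ) ? 1 : 0;
}

sub build_headers {
    my ( $headers, $session ) = @_;
    return { map { $_ => eval_expr( $headers->{$_}, $session ) } keys %$headers };
}
for my $uri ( '/admin/users', '/staff/planning', '/public/index.html', '/' ) {
    printf "%-22s %s\n", $uri, is_authorized( \%rules, \%session, $uri ) ? 'accept' : 'deny';
}
my $h = build_headers( \%headers, \%session );
print "$_: $h->{$_}\n" for sort keys %$h;
```

With the constructed session, <code>/admin/users</code> is denied because <code>staff</code> is not <code>admins</code>, while the other three URLs are accepted and the two headers carry the user's uid and mail.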
The Portal produces a <code>notice</code> message in the <a href="../documentation/current/logs.html" class="wikilink1" title="documentation:latest:logs">Apache logs or syslog</a> when a user authenticates (or fails to authenticate) and when he logs out.
LemonLDAP::NG can export <a href="../documentation/current/writingrulesand_headers.html#headers" class="wikilink1" title="documentation:latest:writingrulesand_headers">HTTP headers</a> either through a proxy or by protecting the application directly.
See <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">Writing rules and headers</a> for more.