Official Backends | Authentication | Users | Password |
---|---|---|---|
Active Directory | ✔ | ✔ | ✔ |
Apache (Basic, NTLM, OTP, ...) | ✔ | ||
CAS | ✔ | ||
SQL Databases | ✔ | ✔ | ✔ |
Demonstration | ✔ | ✔ | ✔ |
✔ | ✔ | ||
GPG 1) | ✔ | ||
Kerberos | ✔ | ||
LDAP | ✔ | ✔ | ✔ |
✔ | |||
Null | ✔ | ✔ | ✔ |
OpenID Connect | ✔ | ✔ | |
PAM | ✔ | ||
Proxy LL::NG | ✔ | ✔ | |
Radius | ✔ | ||
REST | ✔ | ✔ | ✔ |
SAML 2.0 / Shibboleth | ✔ | ✔ | |
Slave | ✔ | ✔ | |
SSL | ✔ | ||
✔ | |||
WebID | ✔ | ✔ | |
| Deprecated, replaced by Yubikey second factor | ||
Custom modules | ✔ | ✔ | ✔ |
Combo Backends | Authentication | Users | Password |
Choice by users | ✔ | ✔ | ✔ |
Combination of auth schemes | ✔ | ✔ | |
| Deprecated, replaced by Combination | ||
Obsolete Backends | Authentication | Users | Password |
OpenID | ✔ | ✔ | |
Remote LL::NG | ✔ | ✔ | |
Second factor (documentation) | Authentication | ||
TOTP-or-U2F | ✔ | ||
U2F | ✔ | ||
TOTP (Google Authenticator,...) | ✔ | ||
E-mail Second Factor | ✔ | ||
External Second Factor (OTP, SMS,...) | ✔ | ||
Radius Second Factor 2) | ✔ | ||
REST Second Factor | ✔ | ||
Yubikey | ✔ | ||
Additional second factors 3) | ✔ | ||
Auth addons | Authentication | ||
Auto Signin | ✔ |
Protocol | Service Provider | Identity Provider |
---|---|---|
CAS 1.0 / 2.0 / 3.0 | ✔ | ✔ |
SAML 2.0 / Shibboleth | ✔ | ✔ |
OpenID 2.0 (obsolete) | ✔ | ✔ |
OpenID Connect | ✔ | ✔ |
Get parameters provider (for poor applications) | ✔ |
* To avoid a bad/expired token and lose redirection to the SP protected application after authentication if IdP URLs are served by different load balancers, you can force Issuer tokens to be stored into Global Storage by editing lemonldap-ng.ini
in section [portal]:
[portal] forceGlobalStorageIssuerOTT = 1
Attack | LLNG protection | System Integrator protection |
---|---|---|
Brute Force | ✔ | ✔ |
Page Content | ✔ | |
CSRF | ✔ | |
Deny of Service | ✔ | |
Invisible iFrame | ✔ | ✔ |
Man-in-the-Middle | ✔ | |
Software Exploit | ✔ | |
SSO by-passing | ✔ | |
XSS | ✔ |
Name | Description |
---|---|
Auto Signin | Auto Signin Addon |
Brute Force protection | User must wait to log in after 3 failed login attempts |
CDA | Cross Domain Authentication |
Check state | Check state plugin (test page) |
Check user 4) | Check access rights, transmitted headers and session attibutes for a specific user and URL |
Configuration viewer | Edit WebSSO configuration in Read Only mode |
Context switching 5) | Switch context other users |
Custom | Write a custom plugin |
Decrypt value 6) | Decrypt ciphered values |
Display login history | |
Force Authentication | Force authentication to access to Portal |
Global Logout 7) | Suggest to close all opened sessions at logout |
Grant Sessions | Rules to apply before allowing a user to open a session |
Impersonation 8) | Allow users to use another identity |
Notifications system | |
Refresh session API 9) | Plugin that provides an API to refresh a user session |
Portal Status | Experimental portal status page |
Public pages | Enable public pages system |
Reset password by mail | |
REST services | REST server for Proxy |
SOAP services (deprecated) | SOAP server for Proxy |
Stay connected | Enable persistent connection on same browser |
Upgrade session | Plugin that explain to user that a more secure authentication is needed instead of rejected it |
Handlers are software control agents to be installed on your web servers (Nginx, Apache, PSGI like Plack based servers or Node.js).
Handler type | Apache | LLNG FastCGI/uWSGI server (Nginx, or SSOaaS) | Plack* servers | Node.js (express apps or SSOaaS) | Self protected apps | Comment |
---|---|---|---|---|---|---|
Main (default handler) | ✔ | ✔ | ✔ | Partial 10) | ✔ | |
AuthBasic | ✔ | ✔ | ✔ | ✔ | Designed for some server-to-server applications | |
CDA | ✔ | ✔ | ✔ | ✔ | For Cross Domain Authentication | |
DevOps (SSOaaS) | ✔ | ✔ | ✔ | ✔ | Allows application developers to define their own rules and headers inside their applications | |
DevOpsST (SSOaaS) | ✔ | ✔ | ✔ | ✔ | Enables both DevOps and Service Token | |
OAuth2 11) | ✔ | ✔ | ✔ | ✔ | Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services | |
Secure Token | ✔ | ✔ | ✔ | Designed to secure exchanges between a LLNG reverse-proxy and a remote app | ||
Service Token (Server-to-Server) | ✔ | ✔ | ✔ | ✔ | ✔ | Designed to permit underlying requests (API-Based Infrastructure) |
Zimbra PreAuth | ✔ | ✔ | ✔ |
LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one in the following list:
Backend | Shareable | Comment |
---|---|---|
File (JSON) | Not shareable between servers except if used in conjunction with REST or with a shared file system (NFS,...). Selected by default during installation. | |
YAML | Same as File but in YAML format instead of JSON | |
SQL (RDBI/CDBI) | ✔ | Recommended for large-scale systems. Prefer CDBI. |
LDAP | ✔ | |
MongoDB | ✔ | |
SOAP (deprecated) | ✔ | Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers. |
REST | ✔ | Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers. |
Local | Use only lemonldap-ng.ini parameters. |
Sessions are stored using Apache::Session modules family. All Apache::Session style modules are usable except for some features.
Backend | Shareable | Session explorer | Session restrictions | Session expiration | Comment |
---|---|---|---|---|---|
File | ✔ | ✔ | ✔ | Not shareable between servers except if used in conjunction with REST session backend or with a shared file system (NFS,...). Selected by default during installation. | |
SQL | ✔ | ✔ | ✔ | ✔ | Unoptimized for session explorer and single session features. |
LDAP | ✔ | ✔ | ✔ | ✔ | |
Redis | ✔ | ✔ | ✔ | ✔ | The fastest. Must be secured by network access control. |
MongoDB | ✔ | ✔ | ✔ | ✔ | Must be secured by network access control. |
Browseable (SQL, Redis or LDAP) | ✔ | ✔ | ✔ | ✔ | Optimized for session explorer and single session features. |
REST | ✔ | ✔ | ✔ | ✔ | Proxy backend to be used in conjunction with another session backend. Can be used to secure another backend for remote servers. |
SOAP (deprecated) | ✔ | ✔ | ✔ | ✔ | Proxy backend to be used in conjunction with another session backend. Can be used to secure another backend for remote servers. |
See How to report a bug.
To contribute, see :
To develop an handler, see:
To develop a portal plugin, see manpages:
To add a new language:
If you don't want to publish your translation (XX
must be replaced by your language code):
lemonldap-ng-manager/site/htdocs/static/languages/en.json
in lemonldap-ng-manager/site/htdocs/static/languages/XX.json
and enable it in "lemonldap-ng.ini" filelemonldap-ng-portal/site/htdocs/static/languages/en.json
in lemonldap-ng-portal/site/htdocs/static/languages/XX.json
and enable it in "lemonldap-ng.ini" filelemonldap-ng-portal/site/templates/common/mail/en.json
in lemonldap-ng-portal/site/templates/common/mail/XX.json