lemonldap-ng/doc/pages/documentation/presentation.html
2012-02-28 22:48:20 +00:00


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../css/print.css" />
</head>
<body>
<div class="dokuwiki export">
<h1><a name="presentation" id="presentation">Presentation</a></h1>
<div class="level1">
<p>
LemonLDAP::NG is a modular WebSSO (Single Sign On) based on Apache::Session modules. It simplifies building a protected area with only a few changes to the application.
</p>
<p>
It manages both authentication and authorization and provides headers for accounting, so you can have full <acronym title="Authentication Authorization Accounting">AAA</acronym> protection for your web space, as described below.
</p>
</div>
<!-- SECTION "Presentation" [1-361] -->
<h2><a name="architecture" id="architecture">Architecture</a></h2>
<div class="level2">
<div style="width:600px">
<a href="/_detail/documentation/lemonldap-ng-architecture.png?id=documentation%3Apresentation" class="media" title="documentation:lemonldap-ng-architecture.png"><img src="../../media/documentation/lemonldap-ng-architecture.png" class="mediacenter" alt="" width="600" /></a>
</div>
</div>
<!-- SECTION "Architecture" [362-503] -->
<h3><a name="main_components" id="main_components">Main components</a></h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <strong>Manager</strong>: used to manage LemonLDAP::NG configuration and to explore sessions. Dedicated to administrators</div>
</li>
<li class="level1"><div class="li"> <strong><a href="../documentation/1.0/portal.html" class="wikilink1" title="documentation:1.0:portal">Portal</a></strong>: used to authenticate users, display the applications list and provide identity provider services (<a href="http://en.wikipedia.org/wiki/SAML" class="urlextern" title="http://en.wikipedia.org/wiki/SAML" rel="nofollow">SAML</a>, <a href="http://en.wikipedia.org/wiki/OpenID" class="urlextern" title="http://en.wikipedia.org/wiki/OpenID" rel="nofollow">OpenID</a>, <a href="http://en.wikipedia.org/wiki/Central_Authentication_Service" class="urlextern" title="http://en.wikipedia.org/wiki/Central_Authentication_Service" rel="nofollow">CAS</a>). The Portal also provides many other features (see <a href="../documentation/1.0/portal.html" class="wikilink1" title="documentation:1.0:portal">portal</a> for more)</div>
</li>
<li class="level1"><div class="li"> <strong>Handler</strong>: Apache modules used to protect applications</div>
</li>
</ul>
</div>
<!-- SECTION "Main components" [504-1098] -->
<h3><a name="databases" id="databases">Databases</a></h3>
<div class="level3">
<div class="noteclassic">We call a “database” any backend where data can be read or written. This can be a file, an <acronym title="Lightweight Directory Access Protocol">LDAP</acronym> directory, …
</div>
<p>
We split databases into two categories:
</p>
<ul>
<li class="level1"><div class="li"> <strong>External databases</strong>: not managed by LemonLDAP::NG, for example the user database</div>
</li>
<li class="level1"><div class="li"> <strong>Internal databases</strong>: only used by LemonLDAP::NG</div>
</li>
</ul>
<p>
Main <a href="../documentation/current/start.html#authentication_users_and_password_databases" class="wikilink1" title="documentation:latest:start">external databases</a> are:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Authentication</strong>: how users are authenticated</div>
</li>
<li class="level1"><div class="li"> <strong>User</strong>: where user data is collected</div>
</li>
<li class="level1"><div class="li"> <strong>Password</strong>: where the password is changed</div>
</li>
</ul>
<p>
Main internal databases are:
</p>
<ul>
<li class="level1"><div class="li"> <strong><a href="../documentation/current/start.html#configuration_database" class="wikilink1" title="documentation:latest:start">Configuration</a></strong>: where the configuration is stored. This does not include the Apache configuration, which is not managed by LemonLDAP::NG</div>
</li>
<li class="level1"><div class="li"> <strong><a href="../documentation/current/start.html#sessions_database" class="wikilink1" title="documentation:latest:start">Sessions</a></strong>: where sessions are stored.</div>
</li>
<li class="level1"><div class="li"> <strong><a href="../documentation/current/notifications.html" class="wikilink1" title="documentation:latest:notifications">Notifications</a></strong>: messages displayed to connected users</div>
</li>
<li class="level1"><div class="li"> <strong>Cache</strong>: cache for configuration and sessions</div>
</li>
</ul>
</div>
<!-- SECTION "Databases" [1099-2117] -->
<h2><a name="kinematics" id="kinematics">Kinematics</a></h2>
<div class="level2">
</div>
<!-- SECTION "Kinematics" [2118-2141] -->
<h3><a name="login" id="login">Login</a></h3>
<div class="level3">
<p>
<a href="/_detail/documentation/lemonldapng-sso.png?id=documentation%3Apresentation" class="media" title="documentation:lemonldapng-sso.png"><img src="../../media/documentation/lemonldapng-sso.png" class="mediacenter" alt="" width="800" /></a>
</p>
<ol>
<li class="level1"><div class="li"> User tries to access a protected application; the request is caught by the Handler</div>
</li>
<li class="level1"><div class="li"> No <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> is detected, so the Handler redirects the user to the Portal</div>
</li>
<li class="level1"><div class="li"> User authenticates on the Portal</div>
</li>
<li class="level1"><div class="li"> Portal checks authentication</div>
</li>
<li class="level1"><div class="li"> If authentication succeeds, Portal collects user data</div>
</li>
<li class="level1"><div class="li"> Portal creates a session to store user data</div>
</li>
<li class="level1"><div class="li"> Portal gets the session key</div>
</li>
<li class="level1"><div class="li"> Portal creates an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> with the session key as value</div>
</li>
<li class="level1"><div class="li"> User is redirected to the protected application with the new cookie</div>
</li>
<li class="level1"><div class="li"> Handler gets the session key from the cookie and fetches the session</div>
</li>
<li class="level1"><div class="li"> Handler stores user data in its cache</div>
</li>
<li class="level1"><div class="li"> Handler checks the access rule and sends headers to the protected application</div>
</li>
<li class="level1"><div class="li"> Protected application sends response to Handler</div>
</li>
<li class="level1"><div class="li"> Handler sends the response to user</div>
</li>
</ol>
<p>
Handler will then check <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a> for each <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> request.
</p>
</div>
<!-- SECTION "Login" [2142-3147] -->
<h3><a name="logout" id="logout">Logout</a></h3>
<div class="level3">
<p>
Default use case:
</p>
<ol>
<li class="level1"><div class="li"> User clicks on the logout link in Portal</div>
</li>
<li class="level1"><div class="li"> Portal destroys the session and redirects the user to itself with an empty <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a></div>
</li>
<li class="level1"><div class="li"> User is redirected to the portal and his <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> is empty</div>
</li>
</ol>
<p>
LemonLDAP::NG is also able to <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">catch logout requests</a> on protected applications, with different behaviors:
</p>
<ul>
<li class="level1"><div class="li"> <strong><acronym title="Single Sign On">SSO</acronym> logout</strong>: the request is not forwarded to application, only the <acronym title="Single Sign On">SSO</acronym> session is closed</div>
</li>
<li class="level1"><div class="li"> <strong>Application logout</strong>: the request is forwarded to application but <acronym title="Single Sign On">SSO</acronym> session is not closed</div>
</li>
<li class="level1"><div class="li"> <strong><acronym title="Single Sign On">SSO</acronym> and Application logout</strong>: the request is forwarded to application and <acronym title="Single Sign On">SSO</acronym> session is closed</div>
</li>
</ul>
<p>
After the logout process, the user is redirected to the portal, or to a configured <acronym title="Uniform Resource Locator">URL</acronym>.
</p>
</div>
<!-- SECTION "Logout" [3148-3996] -->
<h3><a name="session_expiration" id="session_expiration">Session expiration</a></h3>
<div class="level3">
<p>
The session expires after 2 hours by default.
</p>
<div class="noteimportant">
<ul>
<li class="level1"><div class="li"> Handlers have a session cache, with a default lifetime of 10 minutes. So for a Handler on a different physical server than the Portal, a user with an expired session can still be authorized until the cache expires.</div>
</li>
<li class="level1"><div class="li"> Sessions are deleted by a scheduled task. Don&#039;t forget to install the cron files!</div>
</li>
</ul>
</div>
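<p>
The login sequence and the cache caveat above, illustrated by an added example (this is not LemonLDAP::NG code): a toy Handler in Perl that redirects to the Portal when no SSO cookie is present, fetches the session from a central store, keeps it in a local cache for 10 minutes, and therefore keeps authorizing a user for up to 10 minutes after the scheduled task has deleted the session. The session store, the clock values, the session ID and every name (<code>%session_db</code>, <code>%cache</code>, <code>handle_request</code>, <code>purge_sessions</code>) are constructed for the example.
</p>

```perl
#!/usr/bin/perl
# Added illustration, not LemonLDAP::NG code: a toy Handler that walks through
# the login kinematics and reproduces the local session-cache caveat.
# The session database, the cache and the clock values are constructed here;
# all names (%session_db, %cache, handle_request, ...) are invented.
use strict;
use warnings;

my $SESSION_TIMEOUT = 2 * 3600;   # default session lifetime: 2 hours
my $CACHE_TTL       = 10 * 60;    # default Handler cache lifetime: 10 minutes

# Central session database (Apache::Session in the real product), keyed by the
# session ID carried in the SSO cookie. Constructed sample entry; _utime is
# the creation time in seconds.
my %session_db = (
    'a1b2c3d4e5f60718' => { _utime => 0, uid => 'dwho', groups => 'users' },
);

# Local Handler cache: session ID => { expires => epoch, data => attributes }
my %cache;

# The scheduled purge task (the cron job the note refers to): removes sessions
# older than the session timeout from the central database only.
sub purge_sessions {
    my ($now) = @_;
    for my $id ( keys %session_db ) {
        delete $session_db{$id}
          if $now - $session_db{$id}{_utime} > $SESSION_TIMEOUT;
    }
}

# One Handler decision for a request arriving at time $now with the SSO cookie
# value $cookie (undef when the browser sent none). Returns a short string
# describing what the Handler does.
sub handle_request {
    my ( $now, $cookie ) = @_;

    # Steps 1-2: no SSO cookie, so redirect the user to the Portal
    return 'redirect:portal' unless defined $cookie && length $cookie;

    # Steps 10-11: use the local cache while it is fresh, otherwise fetch the
    # session from the database and cache it for $CACHE_TTL seconds
    my $data;
    if ( my $entry = $cache{$cookie} ) {
        if ( $entry->{expires} > $now ) {
            $data = $entry->{data};
        }
        else {
            delete $cache{$cookie};
        }
    }
    if ( !$data && $session_db{$cookie} ) {
        $data = $session_db{$cookie};
        $cache{$cookie} = { expires => $now + $CACHE_TTL, data => $data };
    }

    # Unknown (or already purged) session and nothing cached: back to the Portal
    return 'redirect:portal' unless $data;

    # Step 12: with an "accept" rule the Handler forwards identity headers
    return "accept:Auth-User=$data->{uid}";
}

my $id = 'a1b2c3d4e5f60718';
print handle_request( 0,    undef ), "\n";   # browser sends no cookie at all
print handle_request( 7000, $id ),   "\n";   # session still valid, cache filled
purge_sessions(7300);                        # cron runs: session is older than 2h
print handle_request( 7400, $id ),   "\n";   # cache entry still fresh on this Handler
print handle_request( 7700, $id ),   "\n";   # cache expired and session gone
```

<p>
The third call is the caveat in practice: the central session was deleted at 7300 s, but this Handler answers from its own cache until 7600 s. Only the fourth call, after the 10-minute cache lifetime, falls back to the redirect. Lowering the cache lifetime shortens that window at the cost of more session-database traffic.
</p>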
</div>
<!-- SECTION "Session expiration" [3997-4397] -->
<h3><a name="cross_domain_authentication_cda" id="cross_domain_authentication_cda">Cross Domain Authentication (CDA)</a></h3>
<div class="level3">
<div class="noteclassic">For security reasons, a cookie provided for a domain cannot be sent to another domain. To extend <acronym title="Single Sign On">SSO</acronym> to several domains, a cross-domain mechanism is implemented in LemonLDAP::NG.
</div>
<ol>
<li class="level1"><div class="li"> User has an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on the main domain (see <span class="curid"><a href="../documentation/presentation.html#login" class="wikilink1" title="documentation:presentation">Login kinematics</a></span>)</div>
</li>
<li class="level1"><div class="li"> User tries to access a protected application in a different domain</div>
</li>
<li class="level1"><div class="li"> Handler does not see the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> (because the application is not in the main domain) and redirects the user to the Portal</div>
</li>
<li class="level1"><div class="li"> Portal recognizes the user by his <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a>, and sees that he is coming from a different domain</div>
</li>
<li class="level1"><div class="li"> Portal redirects the user to the protected application with his session ID as a <acronym title="Uniform Resource Locator">URL</acronym> parameter</div>
</li>
<li class="level1"><div class="li"> Handler detects the <acronym title="Uniform Resource Locator">URL</acronym> parameter and creates an <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookie</a> on its domain, with the session ID as value</div>
</li>
</ol>
</div>
<!-- SECTION "Cross Domain Authentication (CDA)" [4398-5367] -->
<h2><a name="authentication_authorization_and_accounting_aaa_mechanisms" id="authentication_authorization_and_accounting_aaa_mechanisms">Authentication, Authorization and Accounting (AAA) mechanisms</a></h2>
<div class="level2">
</div>
<!-- SECTION "Authentication, Authorization and Accounting (AAA) mechanisms" [5368-5442] -->
<h3><a name="authentication" id="authentication">Authentication</a></h3>
<div class="level3">
<p>
If a user is not authenticated and attempts to connect to an area protected by a LemonLDAP::NG compatible Handler, he is redirected to the Portal.
</p>
<p>
The main steps of the authentication process are:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Control the requested <acronym title="Uniform Resource Locator">URL</acronym></strong>: prevent <acronym title="Cross Site Scripting">XSS</acronym> attacks and bad redirections</div>
</li>
<li class="level1"><div class="li"> <strong>Control existing session</strong>: detect <acronym title="Single Sign On">SSO</acronym> session, apply configured constraints (1 session per user, 1 session per <acronym title="Internet Protocol">IP</acronym>, …)</div>
</li>
<li class="level1"><div class="li"> <strong>Extract form info</strong>: get login/password, certificate, environment variable (depending on authentication module)</div>
</li>
<li class="level1"><div class="li"> <strong>Get user info</strong>: contact user database to collect attributes</div>
</li>
<li class="level1"><div class="li"> <strong>Set macros</strong>: compute configured macros</div>
</li>
<li class="level1"><div class="li"> <strong>Set groups</strong>: request user database to find groups</div>
</li>
<li class="level1"><div class="li"> <strong>Set local groups</strong>: compute configured groups</div>
</li>
<li class="level1"><div class="li"> <strong>Authenticate</strong>: contact authentication database to check credentials</div>
</li>
<li class="level1"><div class="li"> <strong>Grant session</strong>: check rights to open <acronym title="Single Sign On">SSO</acronym> session</div>
</li>
<li class="level1"><div class="li"> <strong>Store</strong>: store user info in session database</div>
</li>
<li class="level1"><div class="li"> <strong>Build cookie</strong>: build <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a> with session ID</div>
</li>
<li class="level1"><div class="li"> <strong>Redirect</strong>: redirect user on protected application or on Portal (applications menu)</div>
</li>
</ul>
<p>
LemonLDAP::NG <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">SSO cookies</a> are generated by <a href="http://search.cpan.org/perldoc?Apache::Session" class="urlextern" title="http://search.cpan.org/perldoc?Apache::Session" rel="nofollow">Apache::Session</a>; they are as secure as a 128-bit random cookie. You may use the <a href="../documentation/current/ssocookie.html#sso_cookie" class="wikilink1" title="documentation:latest:ssocookie">securedCookie</a> option to avoid session hijacking.
</p>
</div>
<!-- SECTION "Authentication" [5443-6879] -->
<h3><a name="authorization" id="authorization">Authorization</a></h3>
<div class="level3">
<p>
Authorization is controlled only by Handlers. An authorization is defined by:
</p>
<ul>
<li class="level1"><div class="li"> A <acronym title="Uniform Resource Locator">URL</acronym> pattern (or <code>default</code> to match all other URLs)</div>
</li>
<li class="level1"><div class="li"> An access rule</div>
</li>
</ul>
<div class="noteclassic">Authorizations are defined inside a virtualhost and take effect only on it. There are no <em>global</em> authorizations except the right to open a session in the portal.
</div>
<p>
Access rules values can be:
</p>
<ul>
<li class="level1"><div class="li"> <code>accept</code>: all authenticated users can pass</div>
</li>
<li class="level1"><div class="li"> <code>deny</code>: nobody is welcome</div>
</li>
<li class="level1"><div class="li"> <code>skip</code>: all is open!</div>
</li>
<li class="level1"><div class="li"> <code>unprotect</code>: all is open, but authenticated users are seen as authenticated</div>
</li>
<li class="level1"><div class="li"> <code>logout_sso</code>, <code>logout_app</code>, <code>logout_app_sso</code>: catch logout request</div>
</li>
<li class="level1"><div class="li"> <acronym title="Practical Extraction and Report Language">Perl</acronym> expression: a Perl code snippet that returns 0 or 1</div>
</li>
</ul>
<p>
Some examples:
</p>
<ul>
<li class="level1"><div class="li"> Accept all authenticated users:</div>
<ul>
<li class="level2"><div class="li"> <acronym title="Uniform Resource Locator">URL</acronym> pattern: <code>default</code></div>
</li>
<li class="level2"><div class="li"> Access rule: <code>accept</code></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Restrict /admin to the administrators group:</div>
<ul>
<li class="level2"><div class="li"> <acronym title="Uniform Resource Locator">URL</acronym> pattern: <code>^/admin/</code></div>
</li>
<li class="level2"><div class="li"> Access rule: <code>$groups =~ /\badministrators\b/</code></div>
</li>
</ul>
</li>
</ul>
<div class="notetip"><code>\b</code> means start or end of a word in PCRE (<acronym title="Practical Extraction and Report Language">Perl</acronym> Compatible Regular Expressions)
</div>
<p>
See <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">Writing rules and headers</a> chapter.
</p>
</div>
<!-- SECTION "Authorization" [6880-8028] -->
<h3><a name="accounting" id="accounting">Accounting</a></h3>
<div class="level3">
</div>
<h4><a name="logging_portal_access" id="logging_portal_access">Logging portal access</a></h4>
<div class="level4">
<p>
The Portal produces a <code>notice</code> message in <a href="../documentation/current/logs.html" class="wikilink1" title="documentation:latest:logs">Apache logs or syslog</a> when a user authenticates (or fails to authenticate) or logs out.
</p>
</div>
<h4><a name="logging_application_access" id="logging_application_access">Logging application access</a></h4>
<div class="level4">
<p>
The Handler informs Apache of the connected user (parameter <code>whatToTrace</code>), so you can see the user login in Apache access logs.
</p>
<p>
The real accounting has to be done by the application itself, since <acronym title="Single Sign On">SSO</acronym> logs cannot understand transactions.
</p>
<p>
LemonLDAP::NG can export <a href="../documentation/current/writingrulesand_headers.html#headers" class="wikilink1" title="documentation:latest:writingrulesand_headers">HTTP headers</a> either through a proxy or by protecting the application directly.
</p>
<p>
An <acronym title="Hyper Text Transfer Protocol">HTTP</acronym> header is defined by:
</p>
<ul>
<li class="level1"><div class="li"> A name</div>
</li>
<li class="level1"><div class="li"> A value</div>
</li>
</ul>
<div class="noteclassic">Headers are defined inside a virtualhost and take effect only on it. There are no <em>global</em> headers.
</div>
<p>
The header value is a <acronym title="Practical Extraction and Report Language">Perl</acronym> expression, returning a string.
</p>
<p>
Some examples:
</p>
<ul>
<li class="level1"><div class="li"> Send login in Auth-User:</div>
<ul>
<li class="level2"><div class="li"> Name: <code>Auth-User</code></div>
</li>
<li class="level2"><div class="li"> Value: <code>$uid</code></div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> Send “Lastname, firstname” in Auth-Name:</div>
<ul>
<li class="level2"><div class="li"> Name: <code>Auth-Name</code></div>
</li>
<li class="level2"><div class="li"> Value: <code>$sn . ", " . $gn</code></div>
</li>
</ul>
</li>
</ul>
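<p>
The access rules of the Authorization section and the header definitions above, illustrated together by one added example (this is not LemonLDAP::NG code): a Perl script that selects the first matching URL pattern, applies the keyword rules (<code>accept</code>, <code>deny</code>, <code>skip</code>, <code>unprotect</code>, <code>logout_*</code>) or evaluates the rule as a Perl expression, and then builds the headers from their Perl expressions. The rule and header syntax is the page's; the data structures, the subroutine names (<code>evaluate</code>, <code>authorize</code>) and the two sample users are invented, and it assumes, as the rule example above does, that <code>$groups</code> is a string in which group names are separated by "; ". The second sample user belongs to a group named <code>superadministrators</code>, which shows why the <code>\b</code> word boundaries in the rule matter.
</p>

```perl
#!/usr/bin/perl
# Added illustration, not LemonLDAP::NG code: evaluates per-virtualhost access
# rules and HTTP header definitions the way a Handler would. Rule and header
# syntax follows the documentation; data structures, sub names and the sample
# users are invented. Assumption: $groups is a "; "-separated string.
use strict;
use warnings;

# Ordered rules for one virtualhost: [ URL pattern, access rule ].
# The first matching pattern wins; "default" catches everything else.
my @rules = (
    [ '^/admin/',  '$groups =~ /\badministrators\b/' ],
    [ '^/public/', 'skip' ],
    [ '^/logout$', 'logout_sso' ],
    [ 'default',   'accept' ],
);

# Header definitions for the same virtualhost: name => Perl expression.
my %headers = (
    'Auth-User' => '$uid',
    'Auth-Name' => '$sn . ", " . $gn',
);

# Evaluate a Perl expression with every session attribute visible as a
# variable of the same name ($uid, $groups, $sn, ...).
sub evaluate {
    my ( $expr, $session ) = @_;
    my $decl = join '',
      map { sprintf 'my $%s = $session->{%s};', $_, $_ } sort keys %$session;
    my $result = eval "$decl $expr";
    die "invalid expression '$expr': $@" if $@;
    return $result;
}

# Decide for one request: $uri is the requested path, $session the user's
# session attributes (undef when the browser has no valid SSO cookie).
# Returns a decision string and, when access is granted, the headers to send.
sub authorize {
    my ( $uri, $session ) = @_;

    my $rule = 'accept';
    for my $r (@rules) {
        my ( $pattern, $value ) = @$r;
        if ( $pattern eq 'default' || $uri =~ m{$pattern} ) {
            $rule = $value;
            last;
        }
    }

    return 'skip'            if $rule eq 'skip';      # nothing is checked at all
    return 'unprotect'       if $rule eq 'unprotect' && !$session;
    return 'redirect:portal' unless $session;         # anonymous user
    return $rule if $rule =~ /^logout_(?:sso|app|app_sso)$/;   # logout catch

    my $granted =
        ( $rule eq 'accept' || $rule eq 'unprotect' ) ? 1
      : ( $rule eq 'deny' )                           ? 0
      :   evaluate( $rule, $session );
    return 'deny' unless $granted;

    # Header values: a Perl expression returning a string (undef becomes "")
    my %out;
    $out{$_} = evaluate( $headers{$_}, $session ) // '' for keys %headers;
    return ( 'accept', \%out );
}

# Constructed sample sessions. "superadministrators" contains the characters
# "administrators" but is not that word: \b makes the rule reject it.
my $admin = { uid => 'rtyler', sn => 'Tyler', gn => 'Rose',
              groups => 'users; administrators' };
my $user  = { uid => 'dwho',   sn => 'Who',   gn => 'Doctor',
              groups => 'users; superadministrators' };

for my $case (
    [ '/admin/index.html', $admin ], [ '/admin/index.html', $user ],
    [ '/public/help.html', undef ],  [ '/app/',             undef ],
    [ '/app/',             $user ],
  )
{
    my ( $uri, $s ) = @$case;
    my ( $decision, $h ) = authorize( $uri, $s );
    printf "%-18s %-11s -> %s%s\n", $uri, $s ? $s->{uid} : '(anonymous)',
      $decision,
      $h ? ' ' . join( ' ', map { sprintf '%s="%s"', $_, $h->{$_} } sort keys %$h ) : '';
}
```

<p>
Two points this makes visible: rule order matters, because the first pattern that matches decides and <code>default</code> must stay last; and because rules and header values are real Perl, the evaluator runs them under <code>strict</code> and turns any error into a refusal rather than an implicit accept, which is the safe failure mode for an access check.
</p>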
<p>
See <a href="../documentation/current/writingrulesand_headers.html" class="wikilink1" title="documentation:latest:writingrulesand_headers">Writing rules and headers</a> for more.
</p>
</div>
<!-- SECTION "Accounting" [8029-] --></div><!-- closes <div class="dokuwiki export">-->