Documentation for LemonLDAP::NG 2.0

Upgrading

Configuration

Configuring your Web server

Portal

Authentication, users and password databases

Official Backends Authentication Users Password
Active Directory
Apache (Basic, NTLM, OTP, …)    
CAS new  
SQL Databases
Demonstration
Facebook  
GitHub new [1]    
GPG new [2]    
Kerberos new    
LDAP
LinkedIn    
Null
OpenID Connect  
PAM new    
Proxy LL::NG  
Radius    
REST new
SAML 2.0 / Shibboleth  
Slave  
SSL    
Twitter    
WebID  
Yubico OTP deprecated Replaced by Yubico OTP Second Factor    
Custom modules new
Combo Backends Authentication Users Password
Choice by users
Combination of auth schemes new ✔ (since 2.0.10)
Multiple backends stack deprecated Replaced by Combination    
Obsolete Backends Authentication Users Password
OpenID  
Remote LL::NG  
Second factor (documentation) Authentication Self-registration
TOTP (Google Authenticator,…) new
WebAuthn new
E-mail Second Factor new [18]
Yubico OTP new
External Second Factor (OTP, SMS,…) new [18]
REST Second Factor new [18]
Radius Second Factor new [3]  
Password as second factor new [4]
TOTP-or-U2F deprecated
U2F deprecated

New in version 2.0.6: See Additional second factors for configuring several REST, external or e-mail based second factors, each with different parameters

Auth addons Authentication
Auto Signin new

Identity provider

Protocol Service Provider Identity Provider
CAS 1.0 / 2.0 / 3.0
SAML 2.0 / Shibboleth
OpenID Connect
OpenID 2.0 (deprecated)
Get parameters provider (for poor applications)  
Jitsi Meet Tokens  

Options

Issuers timeout: delay allowed to issuers for submitting their authentication requests

Tip

  • To avoid a bad/expired token error and the loss of the redirection to the SP-protected application after authentication when the IdP URLs are served by different load balancers, you can force issuer tokens to be stored in the global storage by editing lemonldap-ng.ini in section [portal]:

    [portal]
    forceGlobalStorageIssuerOTT = 1

Attacks and Protection

Tip

To learn or find out more about security, go to Security documentation

Attack LLNG protection System Integrator protection
Brute Force
Page Content  
CSRF  
Denial of Service  
Invisible iFrame
Man-in-the-Middle  
Software Exploit  
SSO by-passing  
XSS  
IP reputation

Plugins

Name Description
Adaptative authentication Rules to modulate authentication level
Auto Signin Sign-in automatically
Brute Force protection User must wait to log in after some failed login attempts
CDA Cross Domain Authentication
Check DevOps [5] new Check DevOps handler file
Check HIBP [19] new Check Have I Been Pwned
Check entropy [21] new Check entropy of password
InitializePasswordReset [22] new Initialize Password Reset by mail
Check state new Check state plugin (test page)
Check user [6] Check access rights, transmitted headers and session attributes for a specific user and URL
Configuration viewer Edit WebSSO configuration in Read Only mode
Context switching [7] Switch context to other users
CrowdSec [8] new CrowdSec bouncer
Custom Write a custom plugin
Decrypt value [9] Decrypt ciphered values
Display login history Display Success/Fails logins
Find user [12] new Search for user account
Force authentication Force authentication to access to Portal
Global logout [10] Suggest to close all opened sessions at logout
Grant sessions Rules to apply before allowing a user to open a session
Impersonation [11] Allow users to use another identity
NewLocationWarning [13] new Send an e-mail when a user signs in from a new location
Notifications system Display a message during log in process
Portal status Experimental portal status page
Public pages Enable public pages system
Refresh session API [14] Plugin that provides an API to refresh a user session
Reset certificate by mail [15] new Allow users to reset their certificate
Reset password by mail Send a mail to the user to reset their password
Remember auth choice [20] new Remember the user's last authentication choice
REST services REST server for Proxy
SOAP services deprecated SOAP server for Proxy
Trusted browser Remember previous authentications
Upgrade session Instead of rejecting an already authenticated user, this plugin explains that a higher authentication level is required to access the URL

Handlers

Handlers are software control agents to be installed on your web servers (Nginx, Traefik, Apache, PSGI/Plack-based servers or Node.js).

Handler type Apache LLNG FastCGI/uWSGI server (Nginx, Traefik or SSOaaS) Plack servers Node.js (express apps or SSOaaS) Self protected apps Comment
Main (default handler) Partial [16]  
AuthBasic   Designed for some server-to-server applications
CDA   For Cross Domain Authentication
DevOps (SSOaaS) new   Allows application developers to define their own rules and headers inside their applications
DevOpsST (SSOaaS) new   Enables both DevOps and Service Token
DevOpsCDA (SSOaaS) new   Enables both DevOps and CDA
OAuth2 [17] new   Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services
Secure Token     Designed to secure exchanges between a LLNG reverse-proxy and a remote app
Service Token new (Server-to-Server) Designed to permit underlying requests (API-Based Infrastructure)
Zimbra PreAuth      

LLNG databases

Configuration database

LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one in the following list:

Backend Shareable Comment
File (JSON)   Not shareable between servers except if used in conjunction with REST or with a shared file system (NFS,…). Selected by default during installation.
YAML new   Same as File but in YAML format instead of JSON
SQL (CDBI/RDBI) Recommended for large-scale systems. Prefer CDBI.
Cassandra Via SQL pseudo-driver
LDAP  
MongoDB deprecated  
SOAP deprecated Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers.
REST new Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers.
Local new   Use only lemonldap-ng.ini parameters.
Overlay new Pseudo configuration backend that lets part of the configuration be stored in local files (for example, to keep secrets out of the central configuration)

Tip

You cannot start with an empty configuration, so read how to change the configuration backend to convert your existing configuration into another one.

Sessions database

Sessions are stored using the Apache::Session module family. All Apache::Session-style modules are usable, except for some features.

Attention

If you plan to use LLNG in a large-scale system, take a look at Performance Test to choose the right backend. A Browseable SQL backend is generally a good choice.

Backend Shareable Session explorer Session restrictions Session expiration Comment
File   Not shareable between servers except if used in conjunction with REST session backend or with a shared file system (NFS,…). Selected by default during installation.
PgJSON Recommended backend for production installations
Browseable MySQL Recommended for those who prefer MySQL
Browseable LDAP  
Redis The fastest. Must be secured by network access control.
MongoDB deprecated Must be secured by network access control.
Cassandra Another supported NoSQL DB
SQL Unoptimized for session explorer and single session features.
REST new Proxy backend to be used in conjunction with another session backend.
SOAP deprecated Proxy backend to be used in conjunction with another session backend.

Tip

You can migrate from one session backend to another using the session conversion script. (new since 2.0.7)

Applications protection

Well known compatible applications

Note

Here is a list of well known applications that are compatible with LL::NG. A full list is available on vendor applications page.

adfs alfresco awx bugzilla dokuwiki drupal fusiondirectory gitlab glpi liferay mediawiki nextcloud simplesamlphp wordpress xwiki zimbra

Bug report

See How to report a bug.

Developer corner

To contribute, see:

To develop a handler, see:

To develop a portal plugin, see the manpages:

  • Lemonldap::NG::Portal
  • Lemonldap::NG::Portal::Auth
  • Lemonldap::NG::Portal::UserDB
  • Lemonldap::NG::Portal::Main::SecondFactor
  • Lemonldap::NG::Portal::Main::Issuer
  • Lemonldap::NG::Portal::Main::Plugin
  • Lemonldap::NG::Portal::Main::Request (the request object)

To add a new language:

If you don’t want to publish your translation (XX must be replaced by your language code):

  • Manager: translate lemonldap-ng-manager/site/htdocs/static/languages/en.json into lemonldap-ng-manager/site/htdocs/static/languages/XX.json and enable it in the “lemonldap-ng.ini” file
  • Portal: translate lemonldap-ng-portal/site/htdocs/static/languages/en.json into lemonldap-ng-portal/site/htdocs/static/languages/XX.json and enable it in the “lemonldap-ng.ini” file
  • Portal Mails: translate lemonldap-ng-portal/site/templates/common/mail/en.json into lemonldap-ng-portal/site/templates/common/mail/XX.json
[1] GitHub authentication is available with LLNG ≥ 2.0.8
[2] GPG authentication is available with LLNG ≥ 2.0.2
[3] Radius second factor is available with LLNG ≥ 2.0.6
[4] Password second factor is available with LLNG ≥ 2.0.16
[5] Check DevOps file plugin is available with LLNG ≥ 2.0.12
[6] Check user plugin is available with LLNG ≥ 2.0.3
[7] Context switching plugin is available with LLNG ≥ 2.0.6
[8] CrowdSec bouncer is available with LLNG ≥ 2.0.12
[9] Decrypt value plugin is available with LLNG ≥ 2.0.7
[10] Global Logout plugin is available with LLNG ≥ 2.0.7
[11] Impersonation plugin is available with LLNG ≥ 2.0.3
[12] Find user plugin is available with LLNG ≥ 2.0.11
[13] NewLocationWarning is available with LLNG ≥ 2.0.14
[14] Refresh session API plugin is available with LLNG ≥ 2.0.7
[15] Reset certificate by mail plugin is available with LLNG ≥ 2.0.7
[16] Node.js handler has not yet reached the same level of functionality
[17] OAuth2 Handler is available with LLNG ≥ 2.0.4
[18] When configured as an additional second factor, see Registration
[19] Check HIBP plugin is available with LLNG ≥ 2.0.16
[20] Remember AuthChoice plugin is available with LLNG ≥ 2.0.15
[21] Check entropy plugin is available with LLNG ≥ 2.18.0
[22] initializePasswordReset is available with LLNG ≥ 2.18.0