LemonLDAP::NG: More than just SSO

Introduction link

LemonLDAP::NG was created by Éric German for the French Ministry of Finance. Initially named LevonLDAP, in tribute to Novell, it was designed to be compatible with Novell’s single sign-on (SSO) authentication system. It is based on the book “Writing Apache Modules with Perl and C The Apache API and mod_perl” by Doug MacEachern and Lincoln Stein (O’Reilly).

It was later renamed LemonLDAP::NG. From 2004, the project was gradually taken over by the French National Gendarmerie to become LemonLDAP::NG in 2005. Both projects coexisted for some time before LemonLDAP support was definitively abandoned.

It’s an SSO system with a unique identifier/password pair. SSO does not handle access control.

SSO Modes link

• SSO by agent: installed on the client machine. No notion of security

¹

• SSO by delegation: The user only needs their web browser. The server application points to the authentication portal

²

• Reverse proxy: Authentication is handled through a reverse proxy

³

HTTP Requests link

Before diving into LemonLDAP, we need to understand how the HTTP protocol works. Let’s try to retrieve a website:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

> telnet www.deimos.fr 80
Trying 88.190.51.112...
Connected to shenzi.deimos.fr.
Escape character is '^]'.
GET /

HTTP/1.1 301 Moved Permanently
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Pingback: http://blog.deimos.fr/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.2.8
Location: http://localhost/
Content-Length: 0
Accept-Ranges: bytes
Date: Fri, 22 Feb 2013 18:40:10 GMT
X-Varnish: 1562646426
Age: 0
Via: 1.1 varnish
Connection: close

Connection closed by foreign host.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

> telnet www.deimos.fr 80
Trying 88.190.51.112...
Connected to shenzi.deimos.fr.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.deimos.fr 80

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
X-Pingback: http://blog.deimos.fr/xmlrpc.php
X-Powered-By: W3 Total Cache/0.9.2.8
Link: <http://wp.me/2Q0VB>; rel=shortlink
Date: Fri, 22 Feb 2013 18:40:02 GMT
X-Varnish: 1562646424 1562646423
Age: 8
Via: 1.1 varnish
Connection: close

<!DOCTYPE html>
<html lang="fr-FR">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">
<title>Deimosfr Blog | Parce que la mémoire humaine ne fait pas des Go</title>
<link rel="profile" href="http://gmpg.org/xfn/11" />
<link rel="stylesheet" type="text/css" media="screen" href="http://blog.deimos.fr/wp-content/themes/yoko/style.css" />
[...]
		</script>
</body>
</html>
<!-- Performance optimized by W3 Total Cache. Learn more: http://www.w3-edge.com/wordpress-plugins/

Page Caching using apc
Object Caching 8437/8588 objects using apc

 Served from: blog.deimos.fr @ 2013-02-22 19:39:54 by W3 Total Cache -->Connection closed by foreign host.

The return code is 200, everything is fine. You can check the list of HTTP return codes here: http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Cookies link

The HTTP protocol is stateless. To maintain a persistent connection, we need to use HTTP 1.1 protocol. We also use cookies to store sessions. On the server side, the user session ID is stored. A cookie can be up to 4096 bytes maximum.

There are several types of cookies:

• Session cookies: The cookie will remain active for a defined time or until the browser is closed
• Persistent cookies: They remain active permanently

A cookie exchange works like this:

1. A simple request
2. Server response with a “Set-cookie” header field
3. Client request with a “Cookie” header field

As a reminder, cookies are only valid on a single DNS domain.

LemonLDAP link

The Components link

LemonLDAP::NG uses 3 components:

• The portal: authentication interface, application menu, password change
• The Handler: Apache module that controls access to web applications
• The Manager: the graphical part for configuring LemonLDAP

Communication link

The advantage compared to CAS is that the client does not need to go back through LemonLDAP::NG with each web service change.

Authentication Phases link

⁴

1. When a user tries to access a protected application, their request is intercepted by the Handler
2. If the SSO cookies are not detected, the Handler redirects the user to the portal
3. The user authenticates on the portal
4. The portal verifies their authentication
5. If validated, the portal retrieves the user information
6. The portal creates a session where it stores the user information
7. The portal retrieves a session key
8. The portal creates SSO cookies with session key/value
9. The user is redirected to a protected application with their new cookie
10. The Handler retrieves the cookie and session
11. The Handler records user data in its cache
12. The Handler checks access rights and sends headers to protected applications
13. Protected applications send a response to the Handler
14. The Handler sends a response to the user

The Different Databases link

Several databases are used:

• Authentication: how to validate authentication data
• Users: user data
• Password: where to change the user password
• Provider: how to provide identity to an external service

For example, you can use Kerberos with LDAP.

Internal databases:

• Sessions: server-side session storage
• Configuration: configuration storage (versioned)
• Notifications

Authentication Methods link

• LDAP
• Database
• SSL X509
• Apache modules (Kerberos, OTP…)
• SAML 2.0
• OpenID
• Twitter
• CAS
• Yubikey
• Radius

Session Storage link

LemonLDAP::NG uses 3 levels of cache:

• Apache::Session::*: final storage of sessions
• Cache:Cache*: allows the Handler to share data between Apache threads and processes
• Internal variables to LemonLDAP::NG::Handler: if the same user uses the same thread or process again.

Installation link

Now for the practical part! You can either use the version available through the official repositories, or add the LemonLDAP::NG repository, which is what we’ll do here:

1
2
3

# LemonLDAP::NG repository
deb     http://lemonldap-ng.org/deb squeeze main
deb-src http://lemonldap-ng.org/deb squeeze main

Then update:

1

aptitude install lemonldap-ng

Let’s change the default configuration which is example.com:

1

sed -i 's/example\.com/deimos.fr/g' /etc/lemonldap-ng/* /var/lib/lemonldap-ng/conf/lmConf-1 /var/lib/lemonldap-ng/test/index.pl

After this, you should not modify these configuration files manually!

Let’s enable the sites and the Perl module for Apache:

1
2
3
4
5

a2ensite handler-apache2.conf
a2ensite portal-apache2.conf
a2ensite manager-apache2.conf
a2ensite test-apache2.conf
a2enmod perl

Then restart Apache:

1

apache2ctl restart

Configuration link

Manager link

For the manager to work:

1

echo "127.0.0.1 reload.example.com" >> /etc/hosts

DNS Configuration link

For DNS resolution to work correctly:

1

cat /etc/lemonldap-ng/for_etc_hosts >> /etc/hosts

Test Application link

There are test1.example.com and test2.example.com to test your sites with username and password ‘dwho’: http://test1.example.com

Other admin accounts that exist are:

• rtyler/rtyler
• msmith/msmith
• dwho/dwho

This page will allow you to see important information that will be exchanged with LemonLDAP::NG. It’s useful for debugging in addition to Apache logs.

Protection link

In the file /etc/lemonldap-ng/lemonldap-ng.ini we can configure who has access to the manager!

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

[...]
# Manager protection: by default, the manager is protected by a demo account.
# You can protect it :
# * by Apache itself,
# * by the parameter 'protection' which can take one of the following
# values :
#   * authenticate : all authenticated users can access
#   * manager      : manager is protected like other virtual hosts: you
#                    have to set rules in the corresponding virtual host
#   * rule: <rule> : you can set here directly the rule to apply
#   * none         : no protection
protection = manager
[...]

By default, the protection is set to Manager, which is good. Only authorized people can connect to it (VirtualHost). It’s possible to use rules to specify something specific (a uid for example).
Authenticate allows any user who connects to have access to the manager. And the last option, none, is strongly discouraged as it allows anyone to access it.

Macros link

Macros allow you to create variables in LemonLDAP. For example:

$fullname => $givenname . '' . $surname

You can then reuse $fullname.

Sessions link

By default, every 10 minutes (via cron) there is a check for sessions that need to be purged: /etc/cron.d/liblemonldap-ng-portal-perl.

HTTP Headers link

Script Parameters link

You can modify GET requests to POST, for example.

Notifications link

They allow information to be validated by users and are stored in persistent sessions.

For example, you can create a disclaimer.

CAS link

LemonLDAP::NG can handle CAS as either a client or server. CAS only performs URL redirections, with the possibility of proxy tickets.

Server link

When acting as a CAS server, you need to enable rewrite rules:

1
2

a2enmod rewrite
/etc/init.d/apache2 restart

Client link

1

aptitude install libauthcas-perl

SAML link

Here are some terms to understand:

• IDP: Identity Provider
• CoT: Circle of Trust
• InterCoT: Circle of Trust between IDPs
• AA: Attribute Authority
• Proxy IDP: proxy for IDP to transfer identity requests
• SP: Service Provider

To install LASSO (SAML), you need to install this:

1

aptitude install liblasso-perl

References link