Official Backends | Authentication | Users | Password |
---|---|---|---|
Active Directory | ✔ | ✔ | ✔ |
Apache (Basic, NTLM, OTP, …) | ✔ | ||
CAS | ✔ | ![]() |
|
SQL Databases | ✔ | ✔ | ✔ |
Demonstration | ✔ | ✔ | ✔ |
✔ | ✔ | ||
GitHub ![]() |
✔ | ||
GPG ![]() |
✔ | ||
Kerberos ![]() |
✔ | ||
LDAP | ✔ | ✔ | ✔ |
✔ | |||
Null | ✔ | ✔ | ✔ |
OpenID Connect | ✔ | ✔ | |
PAM ![]() |
✔ | ||
Proxy LL::NG | ✔ | ✔ | |
Radius | ✔ | ||
REST ![]() |
✔ | ✔ | ✔ |
SAML 2.0 / Shibboleth | ✔ | ✔ | |
Slave | ✔ | ✔ | |
SSL | ✔ | ||
✔ | |||
WebID | ✔ | ✔ | |
Yubikey ![]() |
Replaced by Yubikey Second Factor | ||
Custom modules ![]() |
✔ | ✔ | ✔ |
Combo Backends | Authentication | Users | Password |
---|---|---|---|
Choice by users | ✔ | ✔ | ✔ |
Combination of auth schemes ![]() |
✔ | ✔ | ✔ (since 2.0.10) |
Multiple backends stack ![]() |
Replaced by Combination |
Obsolete Backends | Authentication | Users | Password |
---|---|---|---|
OpenID | ✔ | ✔ | |
Remote LL::NG | ✔ | ✔ |
Second factor (documentation) | Authentication |
---|---|
TOTP-or-U2F ![]() |
✔ |
U2F ![]() |
✔ |
TOTP (Google Authenticator,…) ![]() |
✔ |
E-mail Second Factor ![]() |
✔ |
External Second Factor (OTP, SMS,…) ![]() |
✔ |
Radius Second Factor ![]() |
✔ |
REST Second Factor ![]() |
✔ |
Yubikey ![]() |
✔ |
WebAuthn ![]() |
✔ |
Additional second factors ![]() |
✔ |
Auth addons | Authentication |
---|---|
Auto Signin ![]() |
✔ |
Tip
Protocol | Service Provider | Identity Provider |
---|---|---|
CAS 1.0 / 2.0 / 3.0 | ✔ | ✔ |
SAML 2.0 / Shibboleth | ✔ | ✔ |
OpenID 2.0 (obsolete) | ✔ | ✔ |
OpenID Connect | ✔ | ✔ |
Get parameters provider (for poor applications) | ✔ |
Tip
lemonldap-ng.ini
in section [portal]:[portal]
forceGlobalStorageIssuerOTT = 1
Tip
To learn or find out more about security, go to Security documentation
Attack | LLNG protection | System Integrator protection |
---|---|---|
Brute Force | ✔ | ✔ |
Page Content | ✔ | |
CSRF | ✔ | |
Deny of Service | ✔ | |
Invisible iFrame | ✔ | ✔ |
Man-in-the-Middle | ✔ | |
Software Exploit | ✔ | |
SSO by-passing | ✔ | |
XSS | ✔ |
Name | Description |
---|---|
Auto Signin ![]() |
Auto Signin Addon |
Brute Force protection ![]() |
User must wait to log in after some failed login attempts |
CDA | Cross Domain Authentication |
Check DevOps [5] ![]() |
Check DevOps handler file plugin |
Check state ![]() |
Check state plugin (test page) |
Check user [6] ![]() |
Check access rights, transmitted headers and session attibutes for a specific user and URL |
Configuration viewer ![]() |
Edit WebSSO configuration in Read Only mode |
Context switching [7]![]() |
Switch context other users |
CrowdSec [8]![]() |
CrowdSec bouncer |
Custom | Write a custom plugin |
Decrypt value [9]![]() |
Decrypt ciphered values |
Display login history | Display Success/Fails logins |
Force Authentication | Force authentication to access to Portal |
Global Logout [10] | Suggest to close all opened sessions at logout |
Grant Sessions | Rules to apply before allowing a user to open a session |
Impersonation [11]![]() |
Allow users to use another identity |
Find user [12]![]() |
Search for user account |
NewLocationWarning [13]![]() |
Send an email when user sign in from a new location |
Notifications system | Display a message during log in process |
Portal Status | Experimental portal status page |
Public pages | Enable public pages system |
Refresh session API [14] | Plugin that provides an API to refresh a user session |
Reset password by mail | Send a mail to reset its password |
Reset certificate by mail [15]![]() |
Allow users to reset their certificate |
REST services ![]() |
REST server for Proxy |
SOAP services ![]() |
SOAP server for Proxy |
Stay connected ![]() |
Enable persistent connection on same browser |
Upgrade session ![]() |
This plugin explains to an already authenticated user that a higher authentication level is required to access the URL instead of reject him |
Handlers are software control agents to be installed on your web servers (Nginx, Apache, PSGI like Plack based servers or Node.js).
Handler type | Apache | LLNG FastCGI/uWSGI server (Nginx, or SSOaaS) | Plack servers | Node.js ( express apps or SSOaaS) | Self protected apps | Comment |
---|---|---|---|---|---|---|
Main (default handler) | ✔ | ✔ | ✔ | Partial ** [16] ** | ✔ | |
AuthBasic | ✔ | ✔ | ✔ | ✔ | Designed for some server-to-server applications | |
CDA | ✔ | ✔ | ✔ | ✔ | For Cross Domain Authentication | |
DevOps (SSOaaS) ![]() |
✔ | ✔ | ✔ | ✔ | Allows application developers to define their own rules and headers inside their applications | |
DevOpsST (SSOaaS) ![]() |
✔ | ✔ | ✔ | ✔ | Enables both DevOps and Service Token | |
OAuth2 [17]![]() |
✔ | ✔ | ✔ | ✔ | Uses OpenID Connect/OAuth2 access token to check authentication and authorization, can be used to protect Web Services | |
Secure Token | ✔ | ✔ | ✔ | Designed to secure exchanges between a LLNG reverse-proxy and a remote app | ||
Service Token ![]() |
✔ | ✔ | ✔ | ✔ | ✔ | Designed to permit underlying requests (API-Based Infrastructure) |
Zimbra PreAuth | ✔ | ✔ | ✔ |
LL::NG needs a storage system to store its own configuration (managed by the manager). Choose one in the following list:
Backend | Shareable | Comment |
---|---|---|
File (JSON) | Not shareable between servers except if used in conjunction with REST or with a shared file system (NFS,…). Selected by default during installation. | |
YAML ![]() |
Same as File but in YAML format instead of JSON | |
SQL (CDBI/RDBI) | ✔ | Recommended for large-scale systems. Prefer CDBI. |
LDAP | ✔ | |
MongoDB | ✔ | |
SOAP ![]() |
✔ | Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers. |
REST ![]() |
✔ | Proxy backend to be used in conjunction with another configuration backend. Can be used to secure another backend for remote servers. |
Local ![]() |
Use only lemonldap-ng.ini parameters. |
Tip
You can not start with an empty configuration, so read how to change configuration backend to convert your existing configuration into another one.
Sessions are stored using Apache::Session modules family. All Apache::Session style modules are usable except for some features.
Attention
If you plan to use LLNG in a large-scale system, take a look at Performance Test to choose the right backend. A Browseable SQL backend is generally a good choice.
Backend | Shareable | Session explorer | Session restrictions | Session expiration | Comment |
---|---|---|---|---|---|
File | ✔ | ✔ | ✔ | Not shareable between servers except if used in conjunction with REST session backend or with a shared file system (NFS,…). Selected by default during installation. | |
PgJSON | ✔ | ✔ | ✔ | ✔ | Recommended backend for production installations |
Browseable MySQL | ✔ | ✔ | ✔ | ✔ | Recommended for those who prefer MySQL |
Browseable LDAP | ✔ | ✔ | ✔ | ✔ | |
Redis | ✔ | ✔ | ✔ | ✔ | The fastest. Must be secured by network access control. |
MongoDB | ✔ | ✔ | ✔ | ✔ | Must be secured by network access control. |
SQL | ✔ | ✔ | ✔ | ✔ | Unoptimized for session explorer and single session features. |
REST ![]() |
✔ | ✔ | ✔ | ✔ | Proxy backend to be used in conjunction with another session backend. |
SOAP ![]() |
✔ | ✔ | ✔ | ✔ | Proxy backend to be used in conjunction with another session backend. |
Tip
You can migrate from one session backend to another using the
session conversion script. (
since 2.0.7)
Note
Here is a list of well known applications that are compatible with LL::NG. A full list is available on vendor applications page.
See How to report a bug.
To contribute, see :
To develop an handler, see:
To develop a portal plugin, see manpages:
To add a new language:
If you don’t want to publish your translation (XX
must be replaced
by your language code):
lemonldap-ng-manager/site/htdocs/static/languages/en.json
in
lemonldap-ng-manager/site/htdocs/static/languages/XX.json
and
enable it in “lemonldap-ng.ini” filelemonldap-ng-portal/site/htdocs/static/languages/en.json
in
lemonldap-ng-portal/site/htdocs/static/languages/XX.json
and
enable it in “lemonldap-ng.ini” filelemonldap-ng-portal/site/templates/common/mail/en.json
in
lemonldap-ng-portal/site/templates/common/mail/XX.json
[1] | GitHub authentication is available with LLNG ≥ 2.0.8 |
[2] | GPG authentication is available with LLNG ≥ 2.0.2 |
[3] | Radius second factor is available with LLNG ≥ 2.0.6 |
[4] | Check DevOps file plugin are available with LLNG ≥ 2.0.12 |
[5] | Additional second factors are available with LLNG ≥ 2.0.6 |
[6] | Check user plugin is available with LLNG ≥ 2.0.3 |
[7] | Context switching plugin is available with LLNG ≥ 2.0.6 |
[8] | CrowdSec bouncer is available with LLNG ≥ 2.0.12 |
[9] | Decrypt value plugin is available with LLNG ≥ 2.0.7 |
[10] | Global Logout plugin is available with LLNG ≥ 2.0.7 |
[11] | Impersonation plugin is available with LLNG ≥ 2.0.3 |
[12] | Find user plugin is available with LLNG ≥ 2.0.11 |
[13] | NewLocationWarning is available with LLNG ≥ 2.0.14 |
[14] | Refresh session API plugin is available with LLNG ≥ 2.0.7 |
[15] | Reset certificate by mail plugin is available with LLNG ≥ 2.0.7 |
[16] | Node.js handler has not yet reached the same level of functionalities |
[17] | OAuth2 Handler is available with LLNG ≥ 2.0.4 |