LemonLDAP-NG for Debian

This page describes a proposal to use LemonLDAP-NG (LLNG) as a replacement for DebSSO, the (obsolete) Alioth accounts, and Salsa accounts.

The following describes a development instance which aims to address Debian-specific challenges. A demonstration has also been set up.

Overview

Two authentication options are available:

During "social" registration, users will authenticate with a social account and select a username.

LLNG will verify that guest usernames do not exist in DebLDAP, both during registration and on every subsequent login. A "social" (guest) account is therefore disabled as soon as a DebLDAP account is created with the same username, which allows guest users to keep their username when they move from guest to member.

Note: DSA will need to be mindful that creating an account can supersede an existing guest account. Because guest account names are enforced against DebLDAP, this should only be a concern when accounts are renamed.

An attribute is provided to indicate account status.

Integration

LLNG can provide authentication using:

Migration

A minimal database exists to maintain guest accounts and their linked social accounts.

Guest import strips any "-guest" suffix and verifies that no matching account currently exists in DebLDAP.
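The guest-import rule above and the registration/login check described in the Overview, as an added example that is not code from the LLNG project or the proposal. The DebLDAP directory is a constructed in-memory set standing in for a real LDAP lookup, and the "conflict"/"active"/"disabled" status values are assumed names for the account-status attribute:

```python
from dataclasses import dataclass, field

# Constructed sample: uids that already exist in DebLDAP at check time.
DEBLDAP_UIDS = {"alice", "bob"}

GUEST_SUFFIX = "-guest"


def normalize_guest_username(alioth_name: str) -> str:
    """Import rule from the proposal: strip a trailing "-guest" suffix."""
    name = alioth_name.strip()
    if name.endswith(GUEST_SUFFIX):
        name = name[: -len(GUEST_SUFFIX)]
    return name


@dataclass
class GuestStore:
    """Minimal guest database: username -> account status attribute."""
    accounts: dict = field(default_factory=dict)

    def import_guest(self, alioth_name, debldap=DEBLDAP_UIDS):
        """Import a legacy guest; refuse if a DebLDAP member owns the uid."""
        username = normalize_guest_username(alioth_name)
        if username in debldap:
            return username, "conflict"
        self.accounts[username] = "active"
        return username, "active"

    def login(self, username, debldap=DEBLDAP_UIDS):
        """Re-check DebLDAP on every login: a new member account supersedes the guest."""
        if username not in self.accounts:
            return "unknown"
        if username in debldap:
            self.accounts[username] = "disabled"
        return self.accounts[username]


def demo():
    """Walk through import, login, and a later DSA-created member account."""
    store = GuestStore()
    debldap = set(DEBLDAP_UIDS)
    results = [
        store.import_guest("carol-guest", debldap),  # ("carol", "active")
        store.import_guest("alice-guest", debldap),  # ("alice", "conflict")
        store.login("carol", debldap),               # "active"
    ]
    debldap.add("carol")  # DSA later creates member account "carol"
    results.append(store.login("carol", debldap))    # "disabled"
    return results
```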

Applications that switch to OIDC should be able to use LLNG as a secondary provider.

Applications that use SSL certificates should continue to work and handle newly generated certificates, provided the existing ca.{crt,key} is obtained for a production deployment.

In-Progress Bits

Evaluation

Pros:

[1] This can't be over-stated. They provided most of my guidance, built AuthGithub, began building SSL Auth, and (in development) a User Federation module.

[2] LLNG was built to serve the Gendarmerie of France and has been extended into other sectors that have extremely strict policies about testing and releases. They made testing upgrades very easy. (Villeurbanne)