LemonLDAP-NG for Debian
This page describes a proposal to use LemonLDAP-NG (LLNG) as a replacement to DebSSO, (obsolete) Alioth accounts, and Salsa accounts.
The following describes a development instance which aims to address Debian-specific challenges. A demonstration has also been set up.
Overview
Two authentication options are available:
- Debian Accounts -- Debian's LDAP (DebLDAP)
- Social Accounts -- LinkedIn / GitHub (in progress)
During "social" registration, users will authenticate with a social account and select a username.
- Username
LLNG will verify that a guest username does not exist in DebLDAP, both at registration and on every subsequent login. A "social" (guest) account is therefore disabled as soon as a DebLDAP account with the same username is created, which lets a guest keep the same username when moving from guest to member.
Note: DSA should be aware that creating a DebLDAP account supersedes any existing guest account with the same username. Because guest usernames are checked against DebLDAP at registration, this is normally a concern only when an existing account is renamed.
- DD vs. Guest
An attribute indicating account status (Debian Developer account vs. guest account) is released to applications.
Integration
LLNG can provide authentication using:
- OpenID Connect (OIDC)
- SAML/SAML2
- SSL Certificates
Migration
A minimal database exists to maintain guest accounts and their linked social accounts.
Guest import strips any "-guest" suffix and verifies that no matching account currently exists in DebLDAP.
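The username-collision rule above (checked at guest registration and on every later guest login) and the "-guest" suffix handling during import, written out as an added illustration. This is not LLNG's or Debian's code: DebLDAP is replaced by a constructed in-memory set of uids, and the function names and the released attribute name (`debian_account_type`) are assumptions. One caveat the prose does not spell out: LDAP `uid` matching is case-insensitive (`caseIgnoreMatch`), so the comparison must be as well, or `Alice-guest` would slip past an `alice` DebLDAP account.

```python
"""Guest-username enforcement for an LLNG-style "social" (guest) account flow.

Added example, not code from LLNG or the Debian deployment. DebLDAP is
simulated by an in-memory set of uids (constructed sample data); in a real
deployment this would be an LDAP search against DebLDAP for the uid attribute.
"""
from __future__ import annotations

GUEST_SUFFIX = "-guest"

# Constructed stand-in for DebLDAP: uids that currently exist (sample data).
DEBLDAP_UIDS = {"alice", "bob"}


def normalize_username(name: str) -> str:
    """Strip the legacy "-guest" suffix used by Alioth and lower-case the
    result, because LDAP uid comparisons are case-insensitive."""
    name = name.strip()
    if name.lower().endswith(GUEST_SUFFIX):
        name = name[: -len(GUEST_SUFFIX)]
    return name.lower()


def debldap_has_uid(uid: str, directory=DEBLDAP_UIDS) -> bool:
    """Simulated DebLDAP lookup. A real implementation would run an LDAP
    search for (uid=<filter-escaped uid>) under the people base DN."""
    return uid.lower() in {u.lower() for u in directory}


def guest_allowed(username: str, directory=DEBLDAP_UIDS) -> tuple[bool, str]:
    """Decision applied both at guest registration and on every later guest
    login: the guest account is refused (effectively disabled) as soon as a
    DebLDAP uid with the same name exists. Returns (allowed, reason)."""
    uid = normalize_username(username)
    if not uid:
        return False, "empty username after normalization"
    if debldap_has_uid(uid, directory):
        return False, f"uid {uid!r} exists in DebLDAP; guest account superseded"
    return True, "ok"


def import_legacy_guest(alioth_name: str, directory=DEBLDAP_UIDS) -> dict | None:
    """Migration helper: a legacy "<name>-guest" account is imported only if
    no DebLDAP account with the stripped name exists; otherwise None."""
    allowed, _reason = guest_allowed(alioth_name, directory)
    if not allowed:
        return None
    return {"uid": normalize_username(alioth_name), "account_type": "guest"}


def released_attributes(uid: str, from_debldap: bool) -> dict:
    """Attributes an application would receive (as an OIDC claim or SAML
    attribute). The attribute name is an assumption of this example."""
    return {"uid": uid, "debian_account_type": "dd" if from_debldap else "guest"}


def rename_scenario() -> tuple[bool, bool]:
    """The DSA note in the page: a guest 'carol' is fine until DSA creates or
    renames a DebLDAP account to 'carol'; the next guest login is refused."""
    directory = set(DEBLDAP_UIDS)
    before, _ = guest_allowed("carol", directory)   # registration: allowed
    directory.add("carol")                           # DSA creates/renames uid
    after, _ = guest_allowed("carol", directory)     # next login: refused
    return before, after


if __name__ == "__main__":
    print(guest_allowed("Alice-guest"))
    print(import_legacy_guest("dave-guest"))
    print(rename_scenario())
```

The same `guest_allowed` decision is deliberately reused for registration, login and import so the three code paths cannot drift apart; if the production check is an LDAP search, the uid must be filter-escaped before it is interpolated into `(uid=...)`.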
Applications that switch to OIDC should be able to use LLNG as a secondary provider.
Applications that use SSL certificates should continue to work and accept newly generated certificates, provided the existing ca.{crt,key} is obtained for a production deployment.
In-Progress Bits
- SSL Certificates
- Federated Users Plugin (guest users)
Evaluation
Pros:
- Active development / Clean source / Many unit tests
- Extremely helpful developers [1]
- Light resource utilization
- Easily scaled / Stable upgrades [2]
- Excellent development and user documentation
- Impressively useful log data
[1] This can't be overstated. They provided most of my guidance, built AuthGithub, began building SSL Auth, and are developing a User Federation module.
[2] LLNG was built to serve the Gendarmerie of France and has been extended into other sectors that have extremely strict policies about testing and releases. They made testing upgrades very easy. (Villeurbanne)