CVE-2020-16093: LemonLDAP::NG - Web Single Sign On and Access Management Free Software
In LemonLDAP::NG (aka lemonldap-ng) through 2.0.8, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used.
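As an added example (not code from the LemonLDAP::NG project), the Net::LDAPS connection with the weak default shown beside the corrected `verify => 'require'` setting; the helper name, host, CA bundle path, bind DN and environment variable are placeholders.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): connect to an LDAP backend over
# LDAPS with server certificate verification turned on. Net::LDAPS defaults
# to verify => 'none', which is the weakness described by CVE-2020-16093.
use strict;
use warnings;
use Net::LDAPS;

# Hypothetical helper: returns a bound Net::LDAPS handle or dies. It refuses
# to run without a CA bundle so that verification cannot silently be skipped.
sub ldaps_connect {
    my (%arg) = @_;
    my $cafile = $arg{cafile} or die "cafile (trusted CA bundle) is required\n";
    -r $cafile or die "CA bundle '$cafile' is not readable\n";

    my $ldap = Net::LDAPS->new(
        $arg{host},
        port    => $arg{port} // 636,
        timeout => $arg{timeout} // 10,
        # Weak default, as used by LemonLDAP::NG through 2.0.8:
        #     verify => 'none'   (any certificate is accepted)
        # Corrected setting: reject any certificate that does not chain to
        # the trusted CA bundle.
        verify  => 'require',
        cafile  => $cafile,
    ) or die "LDAPS connection to $arg{host} failed: $@\n";

    my $mesg = $ldap->bind($arg{bind_dn}, password => $arg{bind_pw});
    die 'LDAP bind failed: ' . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

# Usage with constructed placeholder values; with a forged or self-signed
# certificate on the server the constructor fails before any bind
# credentials are sent.
my $ldap = ldaps_connect(
    host    => 'ldap.example.internal',               # placeholder host
    cafile  => '/etc/ssl/certs/ca-certificates.crt',  # placeholder path
    bind_dn => 'cn=sso,ou=services,dc=example,dc=internal',
    bind_pw => $ENV{LDAP_BIND_PW} // die("LDAP_BIND_PW not set\n"),
);
printf "Connected with cipher %s\n", $ldap->socket->get_cipher;
$ldap->unbind;
```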
Full AAA protection
LemonLDAP::NG provides authentication (LDAP, Active Directory, Kerberos, Database, SSL, Social Networks, CAS, SAML, OpenID Connect, …), authorization (access rules for applications based on attributes and groups) and accounting (user identity in logs).
- Authentication
- Authorization
- Accounting
Components
LemonLDAP::NG relies on backends (files, databases, NoSQL) to store configuration and sessions. The Portal is the visible part: it displays the authentication screen and the menu, and implements the standard protocols (CAS, SAML and OpenID Connect). The Manager is the administration interface. For applications that rely on HTTP headers for SSO, the Handler can be configured.
Identity Federation
LemonLDAP::NG implements the main SSO standards and can be used as a gateway between these protocols.
CAS
- CAS v1, v2 and v3
- Attributes sharing
- Access rules
SAML
- SSO, SLO and AA
- Metadata import and export
- Discovery Protocol (WAYF)
OpenID Connect
- Authorization Code, Implicit and Hybrid flows
- ID Token HS and RS signatures
- Extra claims definition
Certifications and awards