LemonLDAP-NG With LDAP and SAML Google Apps
I wanted to try out a WebSSO program and I ran into LemonLDAP-NG
Install LemonLDAP::NG on CentOS
I had a VPS running CentOS which was perfect for the setup. Most of the install instructions for lemonldap-ng are laid out here.
Install the packages
There is a YUM repository available which holds all the lemonldap-ng packages. To set that up, add the following into the /etc/yum.repos.d/lemonldap-ng.repo file:
elatov@ccl:~$cat /etc/yum.repos.d/lemonldap-ng.repo [lemonldap-ng] name=LemonLDAP::NG packages baseurl=http://lemonldap-ng.org/rpm6/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
I also enabled the rpmforge repository to get a lot of other packages that are not available in the default CentOS repo. To enable the epel repository I ran the following:
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm sudo yum localinstall epel-release-6-8.noarch.rpm
and here is what I did to install the rpmforge repo:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm sudo yum localinstall rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
After enabling all the repositories, I updated my yum configuration:
sudo yum update
I then imported the lemonldap-ng GPG key:
wget http://lemonldap-ng.org/_media/rpm-gpg-key-ow2 sudo rpm --import rpm-gpg-key-ow2
After that was done, I then installed the packages:
sudo yum install lemonldap-ng --disablerepo=rpmforge
Unfortunately the liblasso package was not included in any of the above repositories, so I compiled it from source. First let’s get the source:
wget https://dev.entrouvert.org/lasso/lasso-2.3.6.tar.gz --no-check-certificate
Now let’s install some of the prerequisites. Here were the ones I was missing:
sudo yum install glib2-devel libxml2-devel xmlsec1-devel xmlsec1-openssl-devel libtool-ltdl-devel
Now let’s extract the source and configure the package:
tar xvzf lasso-2.3.6.tar.gz cd lasso-2.3.6 ./configure
To compile the software, run the following:
and then finally run the following to install it:
sudo make install
For some reason the ld-run-path wasn’t setting appropriately, and upon loading the Lasso perl module it would fail with the following message:
elatov@ccl:~$perl -MLasso Can't load '/usr/local/lib64/perl5/auto/Lasso/Lasso.so' for module Lasso: liblasso.so.3: cannot open shared object file: No such file or directory at /usr/lib64/perl5/XSLoader.pm line 70.
The file existed under /usr/local/lib:
elatov@ccl:~$locate liblasso.so.3 /usr/local/lib/liblasso.so.3 /usr/local/lib/liblasso.so.3.9.4
So I added that directory to the ldconfig configuration, to load it automatically. This is done by creating the /etc/ld.so.conf.d/lasso.conf file with the following contents:
elatov@ccl:~$cat /etc/ld.so.conf.d/lasso.conf /usr/local/lib
then running ldconfig to apply the settings:
elatov@ccl:~$sudo ldconfig -v | grep lasso liblasso.so.3 -> liblasso.so.3.9.4
After that, I was able to import the Lasso module without issues. BTW liblasso is only necessary if you are planning to use the SAML Capabilities within lemoldap-ng.
There are a couple of configuration steps to setup lemonldap-ng.
There will be 3 hostnames for my configuration. If you are planning to use the reverse proxy functionality you will need more.
First we need to have a DNS name for the manager (management portal) of lemonldap-ng. This is where all the configurations changes occur, sometimes referred to as the administration portal. I ended up using: man.dnsd.me.
Second we need a DNS Name for the application portal, this is where regular users go to access SSO enabled applications, this is sometimes referred to as the authentication portal. I ended using port.dnsd.me.
Lastly to be able to update configuration from the administration portal, we will need reload.dnsd.me. After that is in place we can start configuring lemonldap-ng. You can setup each of the components on different servers as shown here:
I actually ended up using the same server for all the components of the setup.
Modify LemonLDAP::NG Configuration Files
Now let’s fix the hostnames in the configuration files. Here is what I ran to fix all the setting files:
sed -i 's/auth\.example\.com/port.dnsd.me/g' /var/lib/lemonldap-ng/conf/lmConf-1 /etc/lemonldap-ng/* /var/lib/lemonldap-ng/test/index.pl sed -i 's/manager\.example\.com/man.dnsd.me/g' /var/lib/lemonldap-ng/conf/lmConf-1 /etc/lemonldap-ng/* /var/lib/lemonldap-ng/test/index.pl sed -i 's/reload\.example\.com/reload.dnsd.me/g' /var/lib/lemonldap-ng/conf/lmConf-1 /etc/lemonldap-ng/* /var/lib/lemonldap-ng/test/index.pl
Now let’s make sure the apache rules are good:
elatov@ccl:~$sudo apachectl configtest Syntax OK
Then enable apache on boot up and start the service:
sudo chkconfig httpd on sudo service httpd start
Don’t forget to open up the firewall for port 80, add the following into the /etc/sysconfig/iptables file:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
To apply the rules, run the following:
sudo service iptables restart
Lastly add the reload name in your /etc/hosts file to allow config updates:
echo "127.0.0.1 reload.dnsd.me" >> /etc/hosts
At this point you can visit the administration console (http://man.dnsd.me) and it will redirect you to the authentication portal:
By default you can login with:
username: dwho password: dwho
After you login, you should see the administration console:
If you visit the authentication portal (port.dnsd.me) and login with the same credentials, it will log you to the regular portal:
Install and Configure an LDAP Server for LemonLDAP::NG Authentication
I didn’t want to leave the demo account enabled (dwho), so I decided to use LDAP for authentication.
Install 389 Directory Server
The install is pretty simple, here are the steps I took:
sudo yum install 389-ds openldap-clients sudo setup-ds-admin.pl
The setup script has a couple of options. For a step by step guide for the Directory Server check out this this one.
After the install is finished we can now create users.
Use the 389 Admin Console to Create a User
You can’t access the admin console remotely, so we can use X-Forwarding to launch the application from the server it self. To enable SSH X-Forwarding, first make sure you have the following defined in your /etc/ssh/sshd_config file:
AddressFamily inet X11Forwarding yes X11UseLocalhost yes
and then install xauth:
sudo yum install xauth
and lastly restart the sshd service to apply all the settings:
sudo service sshd restart
Now for your local machine (Linux or Mac) run the following to launch the 389 Admin Console:
ssh -X email@example.com 389-console
After entering all the credentials, you should see the following:
Upon a successful login, you will see the following:
Then click on the User and Groups tab and then click Create -> User:
After you create the user it should look like this:
Notice the email address is firstname.lastname@example.org, this actually corresponds to the email address in my Google Apps account (this will come into play when using SAML to login into Google Apps).
Confirm LDAP User
I did an LDAP query against LDAP, binding to LDAP with the Directory Manager Account, and I saw the following:
elatov@ccl:~$ldapsearch -h localhost -b "dc=dnsd,dc=me" -D "cn=Directory Manager" -W "uid=elatov" -LLL Enter LDAP Password: dn: uid=elatov,ou=People,dc=dnsd,dc=me mail: email@example.com uid: elatov givenName: K objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: E cn: K E userPassword:: e1NTSEF9a
That looks good, I could actually bind with test user and do a query against him self as well:
elatov@ccl:~$ldapsearch -h localhost -b "dc=dnsd,dc=me" -D "uid=elatov,ou=People,dc=dnsd,dc=me" -W "uid=elatov" -LLL Enter LDAP Password: dn: uid=elatov,ou=People,dc=dnsd,dc=me mail: firstname.lastname@example.org uid: elatov givenName: K objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: E cn: K E
Notice this time around the password field is not shown, but obviously I had to type the user’s password to perform the bind operation.
Configure LemonLDAP::NG to Use LDAP For Authentication
Login to the administrative portal and go to General Parameters -> Authentication modules and set the following:
- Authentication Module
- Users Module
- Password Module
All to be LDAP:
Then go to General Parameters -> Authentication Modules -> LDAP parameters -> Connection and set the following settings:
- Server host => localhost
- Server port => 389
- Users search base => ou=People,dc=dnsd,dc=me
- Account => cn=Directory Manager
- Password => The directory Manager Password
Allow Access to LemonLDAP:NG Manager to Other Users
As you saw I created a user called elatov in LDAP. Also as mentioned, by default the dwho user is configured to access the manager console. Let’s change that to be the user elatov. To configure this go to Virtual Hosts -> man.dnsd.me -> Rules. And change the default rule to be
$uid eq "elatov":
Now you can configure lemonldap-ng with the elatov user.
SAML with LemonLDAP::NG
Now let’s setup lemonldap-ng to be a SAML IDP (Identity Provider) connecting to the Google Apps SP (Service Provider).
Configure LemonLDAP::NG to be a SAML IDP (Identity Provider)
First let’s enable SAML. From the managamentment console (man.dnsd.me), go to General Settings -> Issuer Module -> SAML -> Activation -> On:
Then ensure the Email NameID Format is configured to send the mail attribute from LDAP. This is done going to SAML 2 Service -> NameID Format -> Email -> mail:
Then generate a private SSL key which will be used for the signature of the SAML Assertions. Go to SAML2 Service -> Security parameters -> Signature -> Private key -> Generate:
After it’s generated, go ahead and download it and save it as lemondap-priv-key.pem (we will use this later to generate the public certificate to upload to Google Apps).
For completion, fill out your Organization information under SAML2 Service -> Organization -> Display Name / Name / URL:
Add Google Apps Service Provider in LemonLDAP::NG
First create a new Service Provider, this is done by going to SAML service provider -> New service provider.
After it’s created add Google Apps SAML Metadata. SAML service provider -> gapps -> Metadata and add the following into it:
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/moxz.mine.nu/acs" index="1" /> <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat> </SPSSODescriptor> </md:EntityDescriptor>
** Make sure you set the Location to your google domain.
Now let’s configure to use the Email Format for the NameID attribute. SAML service provider -> gapps > Options -> Authentication response -> Default NameID format -> Email:
Lastly let’s disable the advanced features in lemonldap-ng. This is done by going to SAML service provider -> gapps -> Options -> Signature. Then disable everything except “Sign SSO message”:
Enable SAML SSO in Google Apps
First let’s generate the signing certificate. Run the following two commands:
openssl req -new -key lemondap-priv-key.pem -out lemonldap.csr openssl x509 -req -days 3650 -in lemonldap.csr -signkey lemondap-priv-key.pem -out lemonldap.pem
Then login to the Google Apps Domain Admin Console: google.com/a/moxz.mine.nu (use your domain as necessary). After you login, go to Security -> Advanced -> Set up single sign-on (SSO):
Configure the following settings:
- Sign-in page URL => http://port.dnsd.me/saml/singleSignOn
- Sign-out page URL => http://port.dnsd.me/?logout=1
- Change password URL => http://port.dnsd.me
- Verification certificate => upload generated certificate (lemonldap.pem)
Here is how my configuration looked like:
Create An Application in LemonLDAP::NG for Google Apps
Since Google Apps uses an SP-Initiated SAML flow, we can just go to Google Apps and it will forward us to lemonldap-ng to get authenticated. If you wanted to start out at the lemonldap-ng portal, you could fake an IDP initiated flow like this. Go to General Parameters -> Portal -> Menu -> Categories and applications -> 1sample -> test1 and enter the following:
- Key => test1
- Display name => Google Apps
- Address => https://mail.google.com/a/moxz.mine.nu?hl=en
- Description => Google Apps
Test out the application
Go to the authentication portal (port.dnsd.me) and login as a user which has the same email address as the one set in google apps. After logging in, should see the Google Apps application:
I logged in with user elatov (from above I set his email to be email@example.com in LDAP… I of course had a user in Google Apps with that same email set). Then clicking on the Google Apps application logged me into Google Apps: