Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It makes it simple to build a protected area with only a few changes to the application.
It manages both authentication and authorization and provides headers for accounting, so you can have full AAA protection for your web space as described below.
The Apache module part works with both Apache 1.3.x and 2.x, i.e. mod_perl 1 and 2, but not with mod_perl 1.99.
Authentication, Authorization, Accounting
If a user isn't authenticated and attempts to connect to an area protected by a Lemonldap::NG compatible handler, he is redirected to a portal. The portal authenticates the user with an LDAP bind by default, but you can also use another authentication scheme, such as X.509 user certificates (see Lemonldap::NG::Portal::AuthSSL for more).
Lemonldap::NG uses session cookies generated by Apache::Session, so they are as secure as a 128-bit random cookie. You may use the securedCookie option of Lemonldap::NG::Portal to avoid session hijacking.
You have to manage the life of sessions by yourself, since Lemonldap::NG knows nothing about the Apache::Session module you've chosen, but it's very easy using a simple cron script because Lemonldap::NG::Portal stores the start time in the _utime field. By default, a session stays 10 minutes in the local storage, so in the worst case a user is still authorized 10 minutes after he has lost his rights.
Authorization is controlled only by handlers, because the portal knows nothing about the path the user will take. When configuring your Web-SSO, you have to:
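As an added example (not part of the Lemonldap::NG distribution), here is the kind of cron script the paragraph above refers to. It purges sessions whose _utime is older than a chosen lifetime. It assumes the Apache::Session::File backend, with one file per session id in a directory; the directory paths, the lifetime and the session id pattern are assumptions to adapt to your own Apache::Session module.

```perl
#!/usr/bin/perl
# Added example: expire Lemonldap::NG sessions by their _utime field.
# Assumes Apache::Session::File; adapt the tie() call for other backends.
use strict;
use warnings;
use Apache::Session::File;

my $dir      = '/var/lib/lemonldap-ng/sessions';      # assumed session directory
my $lock_dir = '/var/lib/lemonldap-ng/sessions/lock'; # assumed lock directory
my $max_age  = 3600;                                  # assumed lifetime: 1 hour

opendir( my $dh, $dir ) or die "Cannot open $dir: $!";
# Apache::Session ids are hex strings; anything else in the directory is not a session.
my @ids = grep { /^[0-9a-f]+$/i && -f "$dir/$_" } readdir $dh;
closedir $dh;

my $now = time;
for my $id (@ids) {
    my %session;
    eval {
        tie %session, 'Apache::Session::File', $id,
          { Directory => $dir, LockDirectory => $lock_dir };
    };
    if ($@) {
        warn "Skipping $id: $@";
        next;
    }

    # Only the portal writes _utime; leave other sessions alone.
    my $start = $session{_utime};
    if ( defined $start && $now - $start > $max_age ) {
        tied(%session)->delete;    # removes the session from the store
        print "Deleted expired session $id\n";
    }
    untie %session;
}
```

Run it from cron at an interval shorter than the lifetime you chose; the 10 minute local cache of the handlers still applies on top of it, as the paragraph above explains.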
* choose the LDAP attributes you want to use to manage accounting and authorization (see the exportedHeaders parameter in the Lemonldap::NG::Portal documentation).
* create Perl expressions to define user groups (using LDAP attributes)
* create an array for each virtual host associating URI regular expressions with Perl expressions used to grant access.
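The three steps above, worked through as an added example that is not Lemonldap::NG's own code. It uses a constructed sample of exported LDAP attributes, group expressions, per-virtual-host rules and exported headers, and a small evaluator that substitutes `$attribute` with the session value before evaluating the expression. The evaluator, the `accept`/`deny` keywords, the `default` rule and all names and hosts are assumptions made for the example; the real handler's substitution and configuration format are documented in Lemonldap::NG itself.

```perl
#!/usr/bin/perl
# Added example: evaluate Lemonldap::NG-style group and access rules.
use strict;
use warnings;

# Step 1: LDAP attributes exported into the session (constructed sample users).
my @users = (
    { uid => 'jdoe',   mail => 'jdoe@example.com',   ou => 'it'    },
    { uid => 'asmith', mail => 'asmith@example.com', ou => 'sales' },
    { uid => 'guest',  mail => 'guest@partner.org',  ou => 'ext'   },
);

# Headers for accounting, as Perl expressions over the same attributes.
my %exported_headers = ( 'Auth-User' => '$uid', 'Auth-Mail' => '$mail' );

# Step 2: groups defined by Perl expressions over the LDAP attributes.
my %groups = (
    admins => '$ou eq "it"',
    staff  => '$mail =~ /\@example\.com$/',
);

# Step 3: one rule list per virtual host (assumed host name):
# [ URI regexp => Perl expression ]; 'default' applies when no regexp matches.
my %rules = (
    'intranet.example.com' => [
        [ qr{^/admin}  => '$groups =~ /\badmins\b/' ],
        [ qr{^/public} => 'accept' ],
        [ 'default'    => '$groups =~ /\bstaff\b/' ],
    ],
);

# Replace $name with the session value, then evaluate the expression.
sub evaluate {
    my ( $expr, $data ) = @_;
    return 1 if $expr eq 'accept';
    return 0 if $expr eq 'deny';
    ( my $code = $expr ) =~ s/\$(\w+)/\$data->{$1}/g;
    my $result = eval $code;
    die "Bad expression '$expr': $@" if $@;
    return $result ? 1 : 0;
}

sub authorize {
    my ( $vhost, $uri, $data ) = @_;
    my $vrules = $rules{$vhost} or return 0;    # unknown host: deny
    my $default = 'deny';                       # deny if no rule and no default
    for my $pair (@$vrules) {
        my ( $re, $expr ) = @$pair;
        if ( !ref $re && $re eq 'default' ) { $default = $expr; next; }
        return evaluate( $expr, $data ) if $uri =~ $re;
    }
    return evaluate( $default, $data );
}

for my $session (@users) {
    # Groups are computed once per session and exposed as a space separated list.
    my @member_of = grep { evaluate( $groups{$_}, $session ) } sort keys %groups;
    my %data = ( %$session, groups => join( ' ', @member_of ) );

    print "$data{uid}: groups=[$data{groups}]\n";
    for my $h ( sort keys %exported_headers ) {
        ( my $code = $exported_headers{$h} ) =~ s/\$(\w+)/\$data{$1}/g;
        print "  header $h: ", eval($code), "\n";
    }
    for my $uri (qw(/admin/users /public/index.html /wiki/Home)) {
        printf "  %-20s %s\n", $uri,
          authorize( 'intranet.example.com', $uri, \%data ) ? 'GRANTED' : 'DENIED';
    }
}
```

With this sample, jdoe belongs to both groups and is granted everywhere, asmith is staff only and so is denied under /admin, and guest matches no group and only reaches /public. The rules are evaluated in the order given, so place the most specific URI regexps first and keep an explicit default for each virtual host.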