Lemonldap::NG is a modular Web-SSO based on Apache::Session modules. It simplifies building a protected area, requiring only a few changes in the application.
It manages both authentication and authorization and provides headers for accounting, so you can have full AAA protection for your web space, as described below.
The portal part inherits from CGI, so you can use it with both Apache 1 and 2 and use all CGI features.
Authentication, Authorization, Accounting
If a user isn't authenticated and attempts to connect to an area protected by a Lemonldap::NG compatible handler, he is redirected to a portal. The portal authenticates the user with an LDAP bind by default, but you can also use another authentication scheme, such as X.509 user certificates (see Lemonldap::NG::Portal::AuthSSL for more).
Lemonldap::NG uses session cookies generated by Apache::Session, so they are as secure as a 128-bit random cookie. You may use the securedCookie option of Lemonldap::NG::Portal to avoid session hijacking if all your protected sites use https.
You have to manage the lifetime of sessions yourself, since Lemonldap::NG knows nothing about the Apache::Session module you've chosen, but this is very easy with a simple cron script because Lemonldap::NG::Portal stores the session start time in the _utime field. The purgeCentralCache script provided in the example/ directory can help you do it. By default, a session stays 10 minutes in the handler's local storage, so in the worst case a user remains authorized for 10 minutes after he has lost his rights.
Authorization is controlled only by handlers, because the portal knows nothing about where the user will go. When configuring your Web-SSO, you have to:
* choose the LDAP attributes you want to use to manage accounting and authorization (see the exportedHeaders parameter in the Lemonldap::NG::Portal documentation),
* create Perl expressions to define user groups (using LDAP attributes): this is optional; the mechanism is available with the Lemonldap::NG::*::SharedConf modules,
* create an array for each virtual host associating URI regular expressions with the Perl expressions used to grant access.
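The three steps above, shown together as an added Perl illustration (not code from Lemonldap::NG itself): the configuration keys exportedHeaders, groups and locationRules are the project's, while the evaluator subs (eval_rule, compute_groups, is_granted), the space-separated $groups representation, the virtual host and the user values are assumptions made for this example.

```perl
use strict;
use warnings;

# Constructed configuration in the shape described above; key names are the
# Lemonldap::NG ones, the values are made up for this example.
my %config = (
    exportedHeaders => { 'Auth-User' => '$uid' },    # LDAP attribute sent as a header
    groups => {    # group name => Perl expression over LDAP attributes (optional step)
        admins => '$uid eq "alice" or $ou eq "it"',
        staff  => '$ou ne "external"',
    },
    locationRules => {    # per virtual host: URI regex => Perl expression granting access
        'intranet.example.com' => {
            '^/admin/'  => '$groups =~ /\badmins\b/',
            '^/public/' => 'accept',
            default     => '$groups =~ /\bstaff\b/',
        },
    },
);

# Evaluate one rule with the session attributes visible as scalars ($uid, $ou, $groups);
# 'accept'/'deny' are shortcuts, and a rule naming an absent attribute dies (fails closed).
sub eval_rule {
    my ($rule, $session) = @_;
    return 1 if $rule eq 'accept';
    return 0 if $rule eq 'deny';
    my $decl = join '', map { "my \$$_ = \$session->{'$_'};\n" } keys %$session;
    my $res  = eval "$decl$rule";
    die "cannot evaluate rule '$rule': $@" if $@;
    return $res ? 1 : 0;
}
# Build the space-separated $groups string the location rules refer to.
sub compute_groups {
    my ($cfg, $session) = @_;
    return join ' ', grep { eval_rule($cfg->{groups}{$_}, $session) } sort keys %{ $cfg->{groups} };
}
# First matching URI regex of the virtual host wins, else its default rule; unknown hosts are denied.
sub is_granted {
    my ($cfg, $vhost, $uri, $session) = @_;
    my $rules = $cfg->{locationRules}{$vhost} or return 0;
    for my $re (grep { $_ ne 'default' } sort keys %$rules) {
        return eval_rule($rules->{$re}, $session) if $uri =~ /$re/;
    }
    return eval_rule($rules->{default} // 'deny', $session);
}

my %session = (uid => 'bob', ou => 'sales');    # constructed session for user bob
$session{groups} = compute_groups(\%config, \%session);
for my $uri ('/public/index.html', '/admin/users', '/docs/') {
    my $ok = is_granted(\%config, 'intranet.example.com', $uri, \%session);
    printf "%s %s -> %s\n", $session{uid}, $uri, $ok ? 'granted' : 'denied';
}
```

Because the rules are evaluated with Perl's string eval, only trusted administrators should be able to edit the configuration.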