LemonLDAP::NG is an open-source Single Sign-On (SSO) and web access management solution designed to centralise user authentication, authorisation and accounting (AAA). It aims to simplify access management in complex environments (LDAP, Active Directory, databases, or integrations via standard protocols) while providing fine-grained access control and high interoperability. In this review we analyse its features, installation and use cases, compare it with alternatives, and evaluate its strengths and limitations.
Problems Solved
Why adopt a solution like LemonLDAP::NG
- In many organisations, commercial access-management solutions are expensive, rigid or proprietary, which makes identity federation and interoperability difficult.
- Diverse web applications (legacy, modern, internal or external) often use heterogeneous authentication mechanisms, making user management heavy and error-prone.
- Access policies need to be centralised, authentication made consistent, and the number of log-ins reduced for the end user.
- A reliable SSO is needed that follows open standards, simplifies maintenance, stays flexible and customisable, and fits an environment that favours mature open-source software.
With LemonLDAP::NG, an administrator can standardise authentication, federate identities and manage access centrally, meeting these needs in a free and transparent way.
Key Features and Capabilities
Authentication and Identity Federation
- Support for many standard SSO and federation protocols, notably SAML, CAS and OpenID Connect (OIDC).
- Ability to use various identity sources such as LDAP directories, Active Directory, SQL/NoSQL databases, Kerberos or client certificates.
- Capability to act as an Identity Provider (IdP), a Service Provider (SP) or a federation proxy, depending on the desired architecture.
Access Control and Session Management
- Fine-grained access control via regular-expression-based rules applied to application URLs, enabling granular protection of resources.
- Session-management UI: view open sessions by user, IP address or date; enforce limits (one session per user, per IP, etc.) and terminate sessions.
- Support for password reset/change, a self-service user portal, and an application menu filtered by the user's rights.
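The two mechanisms above (URL rules and session limits) are simple to state but easy to misconfigure. The following Python model is an added example, not code from the LemonLDAP::NG project: plain callables stand in for the product's Perl rule expressions, the rule list order stands in for the product's own rule ordering (which it derives from the regex text and `(?#nn ...)` comment prefixes), and the session-limit policy (evict the oldest sessions) is one of several the portal offers. The hosts, users and sessions are constructed for the example. It shows the ordering pitfall where a catch-all rule listed first silently shadows the admin rule, and how a per-user/per-IP limit decides which sessions to terminate.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A session is the flat attribute map the portal builds at login (uid, groups, ...).
Session = Dict[str, object]
# A rule is a predicate over that session. In LemonLDAP::NG rules are Perl
# expressions such as `$uid eq "dwho"` or `inGroup("admins")`; Python callables
# stand in for them in this example.
Rule = Callable[[Session], bool]


def ACCEPT(_: Session) -> bool:  # the special rule `accept`
    return True


def DENY(_: Session) -> bool:  # the special rule `deny`
    return False


def in_group(name: str) -> Rule:
    """Stand-in for the inGroup("name") helper: true if the session lists the group."""
    return lambda s: name in s.get("groups", [])


@dataclass
class VirtualHost:
    """Rules for one protected host: ordered (path regex, rule) pairs plus a default.

    The first matching regex wins, so order is significant. Simplification: the
    list order is the evaluation order (the product orders rules itself).
    """
    rules: List[Tuple[str, Rule]]
    default: Rule = DENY  # assumption for this example: deny what no rule matches

    def is_allowed(self, path: str, session: Optional[Session]) -> bool:
        if session is None:
            return False  # no SSO session: the handler would redirect to the portal
        for pattern, rule in self.rules:
            if re.search(pattern, path):
                return bool(rule(session))
        return bool(self.default(session))


# Constructed host: admin area for the "admins" group, HR area for the HR
# department, everything else for any authenticated user.
INTRANET = VirtualHost(
    rules=[
        (r"^/admin/", in_group("admins")),
        (r"^/hr/", lambda s: s.get("department") == "HR"),
        (r"^/logout$", ACCEPT),
    ],
    default=ACCEPT,
)

# The classic mistake: a catch-all placed before the specific rule shadows it,
# so /admin/ becomes reachable by every logged-in user.
SHADOWED = VirtualHost(rules=[(r"^/", ACCEPT), (r"^/admin/", in_group("admins"))])


@dataclass
class LiveSession:
    sid: str
    uid: str
    ip: str
    started: int  # epoch seconds; smaller means older


def sessions_to_terminate(existing: List[LiveSession], new: LiveSession,
                          max_per_user: int = 1,
                          max_per_ip: Optional[int] = None) -> List[str]:
    """Return the IDs of existing sessions to kill so that `new` fits the limits.

    Policy used here (one of several possible): keep the newest, evict the oldest.
    Per-user limit is applied first, then the optional per-IP limit.
    """
    kill = set()
    same_user = sorted((s for s in existing if s.uid == new.uid), key=lambda s: s.started)
    excess = len(same_user) + 1 - max_per_user
    kill.update(s.sid for s in same_user[:max(excess, 0)])
    if max_per_ip is not None:
        same_ip = sorted((s for s in existing if s.ip == new.ip and s.sid not in kill),
                         key=lambda s: s.started)
        excess = len(same_ip) + 1 - max_per_ip
        kill.update(s.sid for s in same_ip[:max(excess, 0)])
    return sorted(kill)


if __name__ == "__main__":
    dwho = {"uid": "dwho", "groups": ["staff"], "department": "IT"}
    print(INTRANET.is_allowed("/admin/users", dwho))  # False
    print(SHADOWED.is_allowed("/admin/users", dwho))  # True: the ordering bug
    live = [LiveSession("A", "alice", "10.0.0.1", 100),
            LiveSession("B", "alice", "10.0.0.2", 200),
            LiveSession("C", "bob", "10.0.0.1", 150)]
    print(sessions_to_terminate(live, LiveSession("D", "alice", "10.0.0.1", 300)))  # ['A', 'B']
```

When writing real rules, put the most specific regex first (or force its order with the comment prefix) and verify the result with a non-privileged test account rather than by reading the rule list: a shadowing bug produces no error, only a silently open admin area.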
Customisation and Integration
- Modular MVC architecture, easing customisation of the HTML/CSS front-end to meet specific organisational needs.
- Simplified integration with web applications via HTTP headers, allowing SSO deployment even for apps not originally designed for it.
- Protection of applications either natively (the handler runs in Apache or Nginx in front of the application) or in reverse-proxy mode for applications hosted on other web servers.
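Header-based integration has one trust boundary that the application must enforce itself: the handler overwrites the user headers on requests it forwards, but nothing stops a client that can reach the application directly from sending its own `Auth-User`. The following is an added example, not code from LemonLDAP::NG or any project it documents. It assumes a WSGI-style application behind the handler, that the handler exports `Auth-User` (the conventional name) and an assumed `Auth-Groups` header with `;`-separated values, and a hypothetical `X-Proxy-Secret` header that the proxy adds so the app can distinguish proxied traffic from direct hits. The request environments are constructed for the example.

```python
import hmac
from typing import Mapping, Optional, Set

# WSGI spelling of the headers the SSO handler is assumed to export.
# "Auth-User" is the conventional LemonLDAP::NG name; "Auth-Groups" and the
# proxy-secret header are assumptions made for this example.
USER_HEADER = "HTTP_AUTH_USER"
GROUPS_HEADER = "HTTP_AUTH_GROUPS"
PROXY_SECRET_HEADER = "HTTP_X_PROXY_SECRET"
MULTI_VALUE_SEP = ";"  # assumed separator for multi-valued attributes


class Untrusted(Exception):
    """The request cannot be shown to have passed through the SSO handler."""


def identify_naive(environ: Mapping[str, str]) -> Optional[str]:
    """What many header-integrated apps do: believe Auth-User unconditionally.

    Acceptable only if the app is unreachable except through the handler; if it
    is reachable directly, anyone can choose their identity.
    """
    return environ.get(USER_HEADER) or None


def identify(environ: Mapping[str, str], trusted_proxies: Set[str], secret: bytes) -> dict:
    """Return the identity asserted by the handler, or raise Untrusted.

    Two checks before any header is believed:
      1. the TCP peer (REMOTE_ADDR) is one of our own reverse proxies;
      2. the request carries the shared proxy secret (constant-time compare).
    Only then are the user/group headers read.
    """
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        raise Untrusted("request did not arrive through the SSO proxy")
    presented = environ.get(PROXY_SECRET_HEADER, "").encode()
    if not hmac.compare_digest(presented, secret):
        raise Untrusted("missing or wrong proxy secret")
    user = environ.get(USER_HEADER, "").strip()
    if not user:
        raise Untrusted("handler did not assert a user")
    groups = [g for g in environ.get(GROUPS_HEADER, "").split(MULTI_VALUE_SEP) if g]
    return {"uid": user, "groups": groups}


def identify_or_none(environ: Mapping[str, str], trusted_proxies: Set[str],
                     secret: bytes) -> Optional[dict]:
    """Convenience wrapper: None instead of an exception when the request is untrusted."""
    try:
        return identify(environ, trusted_proxies, secret)
    except Untrusted:
        return None


# Constructed requests: one forwarded by the proxy, one sent straight to the app
# by an attacker who guessed the header name.
PROXY_ADDR = "10.0.0.5"
SECRET = b"constructed-shared-secret"  # in practice: random, from the deployment's secret store
VIA_PROXY = {
    "REMOTE_ADDR": PROXY_ADDR,
    PROXY_SECRET_HEADER: SECRET.decode(),
    USER_HEADER: "dwho",
    GROUPS_HEADER: "staff;devs",
}
FORGED = {"REMOTE_ADDR": "203.0.113.7", USER_HEADER: "admin"}

if __name__ == "__main__":
    print(identify_naive(FORGED))                           # admin  (forgery accepted)
    print(identify(VIA_PROXY, {PROXY_ADDR}, SECRET))        # {'uid': 'dwho', 'groups': ['staff', 'devs']}
    print(identify_or_none(FORGED, {PROXY_ADDR}, SECRET))   # None   (forgery rejected)
```

The source-address check alone is weak when the app shares a host or network with other services that can spoof or relay requests, which is why the shared secret is checked as well; the stronger deployment choice is to bind the application only to a loopback or private interface that the handler's proxy alone can reach, and to keep the header checks as defence in depth.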
Security and Compliance
- Multi-factor (MFA) / two-factor (2FA) authentication, including WebAuthn (FIDO2), strengthening access security.
- Full AAA (Authentication, Authorisation, Accounting) handling with logging, enabling audit trails and compliance reporting.
Installation and Configuration
A simplified typical installation workflow:
- Download the latest release from the official website or project repository.
- Deploy on a web server (Apache or Nginx), or via a reverse proxy if you host applications on other servers.
- Configure back-ends: choose the identity source (LDAP, SQL, etc.) and set up the session/configuration database.
- Configure the desired authentication/federation protocols (CAS, SAML, OpenID Connect) according to your needs.
- Define access rules: protected URLs, permissions, session constraints (number of sessions, IP limits, etc.).
- (Optional) Enable MFA/2FA and set up the user portal (password reset, change, etc.) for complete self-service.
Use‑Cases
Concrete examples where LemonLDAP::NG shines:
- Public administration or large enterprise: centralise access to many internal applications (intranet, HR services, CRM, business tools) behind a single SSO while providing fine-grained rights management. Several French administrations already use it.
- Multi-directory / hybrid organisation: when some services rely on LDAP, others on SQL databases or external directories, LemonLDAP::NG federates them under a single authentication system.
- Migration of a heterogeneous application fleet: add an SSO layer without modifying each application, using simple HTTP-header integration.
- DevOps / micro-services environments: proxy mode plus OpenID Connect support secures diverse services, APIs and web apps while keeping central control.
Comparison with Alternatives
| Feature / criteria | LemonLDAP::NG | Keycloak | FreeIPA |
|---|---|---|---|
| Open source / free | ✅ | ✅ | ✅ |
| SSO protocols (SAML, CAS, OIDC) | ✅ | ✅ | No (LDAP/Kerberos-focused; pair with a separate IdP) |
| Multi-backend support (LDAP, SQL, …) | ✅ | ✅ | Yes, but directory/domain-oriented |
| Fine-grained URL access control | ✅ (regex rules in the handler) | Role/policy-based (authorization services), not URL rules | Less flexible for varied web apps |
| HTTP-header / proxy integration | ✅ (built-in handler) | Via a separate proxy component | No |
| Multi-factor authentication (MFA/2FA) | ✅ (WebAuthn, etc.) | Yes | OTP (TOTP/HOTP) |
Advantages and disadvantages
| Advantages | Disadvantages |
|---|---|
| ✅ Completely free and open source | ❌ Learning curve for initial configuration |
| ✅ Highly flexible and customisable (back‑ends, UI, access rules) | ❌ Fewer “out‑of‑the‑box” support options than commercial products |
| ✅ Works with a wide range of applications and SSO protocols | ❌ Documentation can be complex for advanced scenarios |
| ✅ Enables identity federation and consolidation of heterogeneous fleets | ❌ Requires technical expertise for administration and maintenance |
Conclusion
LemonLDAP::NG is particularly suited to organisations, companies, municipalities and administrations that seek a flexible, powerful open‑source solution for authentication, identity federation and access control in a heterogeneous environment.
If you have the technical skills to install and configure it, the platform offers an excellent trade-off between flexibility, cost and efficiency. It centralises SSO, homogenises access and secures services without dependence on a commercial vendor, on an open-source platform that promotes independence and transparency.
For a professional or large-scale project, LemonLDAP::NG is well worth a serious look.