LINAGORA's plugins for Lemonldap::NG
Lemonldap::NG is the leading SSO in France and one of the best open-source SSO solutions in the world.
LINAGORA has been a member of the Lemonldap::NG team since 2007 and continues to contribute actively.
Several of these plugins power Open Bastion, an open-source SSH bastion that relies on LemonLDAP::NG for centralized authentication and authorization. In particular, the pam-access, ssh-ca, oidc-device-authorization, and oidc-device-organization plugins provide the PAM integration, SSH certificate signing, and server enrollment used by Open Bastion.
This repository contains:
See also the list of specifications (RFCs, OIDC, SAML, CAS…) implemented by LLNG core and by the plugins published here.
These plugins are packaged for lemonldap-ng-store (available since LLNG 2.23.0) and published as a store. They are also available as Debian packages.
```bash
# Register this store
sudo lemonldap-ng-store add-store https://linagora.github.io/lemonldap-ng-plugins/
# List available plugins
lemonldap-ng-store list
# Install a plugin
sudo lemonldap-ng-store install <plugin-name>
```

Most plugins in this store ship an autoload rule. Each rule is the JSON
equivalent of one `condition => module` pair of LLNG's static
`Portal::Main::Plugins::@pList`: both `condition` and `module` are
mandatory, and the plugin is loaded only when the condition is truthy
against the running configuration, exactly as the core plugin list does.
What happens at install time depends on whether the Autoloader plugin is loaded by your portal:
- With Autoloader loaded (default in LLNG >= 2.24.0, or when `::Plugins::Autoloader` is present in `customPlugins`; the `linagora-lemonldap-ng-store` backport deb adds it automatically for LLNG < 2.24.0): nothing else to do. `lemonldap-ng-store install <plugin>` drops the rule into `/etc/lemonldap-ng/autoload.d/`, and the portal loads the plugin on next reload as soon as the condition (typically an RP/OP option or a global config key) becomes truthy. `--activate` is a no-op and is ignored when the plugin ships an autoload rule.
- Without Autoloader: run `sudo lemonldap-ng-store install <plugin-name> --activate` (or edit `customPlugins` yourself); the installer appends the plugin module name to the LLNG `customPlugins` configuration key.
A few plugins in this store (e.g. reports, mail-autodiscover) do not
have a natural "on/off" configuration key, so they do not ship an
autoload rule — for these, --activate (or a manual customPlugins
edit) remains the only activation path. See each plugin's README for the
exact condition used.
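An added example (not part of the LLNG or LINAGORA code) that audits autoload rules as described above: it flags rules missing the mandatory `condition` or `module` and reports which modules a given configuration would load. Assumptions: one JSON object per rule file, a condition that is a single top-level configuration key, and Perl-style truthiness; every file, key and module name below is constructed.

```python
import json
import re

# Constructed sample input: rule file names, keys and module names are hypothetical.
SAMPLE_RULES = {
    "example-par.json": '{"condition": "exampleParActivation", "module": "::Plugins::ExamplePar"}',
    "example-ciba.json": '{"condition": "exampleCibaActivation", "module": "::Plugins::ExampleCiba"}',
    "broken.json": '{"module": "::Plugins::NoCondition"}',
}
SAMPLE_CONF = {"exampleParActivation": 1, "exampleCibaActivation": "0"}

def perl_truthy(value):
    """Perl-style truth (assumed for conditions): undef, '', 0 and '0' are false."""
    if value is None:
        return False
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value not in ("", "0")
    return True  # hashes and arrays are references in Perl, always true

def audit_rules(rule_files, conf):
    """Return (modules that would load, findings) for {file name: JSON text}."""
    loaded, findings = [], []
    for name, text in sorted(rule_files.items()):
        try:
            rule = json.loads(text)
        except json.JSONDecodeError as exc:
            findings.append(f"{name}: invalid JSON ({exc.msg})")
            continue
        if not isinstance(rule, dict):
            findings.append(f"{name}: rule is not a JSON object")
            continue
        missing = [k for k in ("condition", "module") if not rule.get(k)]
        if missing:
            findings.append(f"{name}: missing mandatory key(s): {', '.join(missing)}")
            continue
        cond = rule["condition"]
        if not (isinstance(cond, str) and re.fullmatch(r"\w+", cond)):
            findings.append(f"{name}: condition {cond!r} is not a plain key, review manually")
            continue
        if perl_truthy(conf.get(cond)):
            loaded.append(rule["module"])
    return loaded, findings

if __name__ == "__main__":
    modules, problems = audit_rules(SAMPLE_RULES, SAMPLE_CONF)
    print("would load:", modules)
    print("findings:", problems)
```

Note that the string `"0"` disables a rule while `"0.0"` or an empty hash enables it, which is where a naive non-Perl check of the configuration would disagree with the portal.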
The yadd/lemonldap-ng-* Docker
images (tags latest or >= 2.22.2) ship with linagora-lemonldap-ng-store
pre-installed, this store pre-registered, and ::Plugins::Autoloader
enabled by default. Installing any plugin is a one-liner, no
customPlugins edit needed:
```bash
docker run --rm -it -p 80:80 yadd/lemonldap-ng-full:latest
# then, inside the container:
lemonldap-ng-store list
lemonldap-ng-store install oidc-par
# …then toggle the feature in the Manager (e.g. enable PAR on an RP) and
# reload the portal — the plugin autoloads because its condition is now truthy.
```

Available images include lemonldap-ng-full, lemonldap-ng-portal,
lemonldap-ng-manager, etc. (see the docker-compose examples).
See the documentation of the desired plugin.
All plugins are also available as Debian packages. A Debian repository is published alongside the store.
```bash
# Import the GPG key
curl -fsSL https://linagora.github.io/lemonldap-ng-plugins/store-key.asc \
  | sudo gpg --dearmor -o /usr/share/keyrings/linagora-llng-plugins.gpg
# Add the repository
echo "deb [signed-by=/usr/share/keyrings/linagora-llng-plugins.gpg] https://linagora.github.io/lemonldap-ng-plugins/debian stable main" \
  | sudo tee /etc/apt/sources.list.d/linagora-llng-plugins.list
# Install plugins
sudo apt update
sudo apt install linagora-lemonldap-ng-plugin-json-file
```

The Manager rebuild is triggered only once via dpkg triggers, even when installing multiple plugins simultaneously.
LLNG < 2.24.0: the `linagora-lemonldap-ng-store` package is available in this repository and provides `lemonldap-ng-store` for older LemonLDAP::NG versions. It is pulled automatically when needed.

LLNG < 2.23.0: if you use plugins with manager-overrides, install the `linagora-llng-build-manager-files` package to get `llng-build-manager-files` with `--plugins-dir` support: `sudo apt install linagora-llng-build-manager-files`
| Plugin | Description | Status |
|---|---|---|
| matrix-token-exchange | Matrix federation token exchange for OIDC relying parties | stable |
| reports | Session and browser usage reports (CSV) | stable |
| mail-autodiscover | SMTP/IMAP autodiscover for Outlook and Thunderbird | stable |
| json-file | JSON file-based Auth/UserDB backend for dev/test | stable |
| pam-access | PAM access token generation and authorization for SSH/sudo | beta |
| ssh-ca | SSH Certificate Authority | beta |
| twake | Twake well-known endpoint and applicative accounts | beta |
| fixed-logout-redirection | Force redirect to a fixed URL after logout | beta |
| external-menu | Redirect authenticated users to an external menu URL | beta |
| Plugin | Description | Status |
|---|---|---|
| pacc | PACC — Provider Automatic Configuration for Clients | beta |
| oidc-jarm | JARM — JWT Secured Authorization Response Mode (RFC 9207) | beta |
| oidc-par | Pushed Authorization Requests (RFC 9126) | beta |
| oidc-jar | JWT-Secured Authorization Request (RFC 9101) | beta |
| oidc-ciba | Client-Initiated Backchannel Authentication (CIBA) | beta |
| oidc-device-authorization | Device Authorization Grant (RFC 8628) | beta |
| oidc-device-organization | Organization Device Ownership for Device Auth | beta |
| oidc-scope-applications | Portal application menu in OIDC userinfo | beta |
| oidc-federation | OpenID Connect Federation (server side) | beta |
| oidc-global-scopes | Global OIDC scopes and claim mapping for all RPs | beta |
Extra Debian-only packages published in the same APT repository, for use
outside the lemonldap-ng-store workflow:
| Package | Description |
|---|---|
| linagora-llng-crowdsec-filters | CrowdSec-compatible HTTP filters for `crowdsecFilters`: scanners, admin probes, CVE exploit signatures. Installs to `/var/lib/lemonldap-ng/crowdsec-filters/`. Requires LLNG ≥ 2.23.0. |
Here are the Lemonldap::NG "LTS" versions:
| Version | Community LTS | Debian LTS¹ | Limit² |
|---|---|---|---|
| 2.0.11 | ❌³ | ✅ | 2026 |
| 2.16.x | ✅ | ✅ | 2028 |
| 2.21.x | ✅ | ✅ | 2030 |
- LTS community files for 2.16.x and 2.21.x
- LINAGORA files for 2.0.11
Copyright: 2024-2026 LINAGORA
Following Lemonldap::NG License, all files here are released under GPL-2+ license, unless specified:
These files are free software; you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.
Footnotes
- Possible extension via LINAGORA's OSSA
- Supported here
