Before you install LemonLDAP::NG on a production environment, you need to make several choices regarding architecture.
Protecting applications is the reason why you are installing LemonLDAP::NG. Before starting with the installation, you need to inventory all the applications you want to protect and how you can protect them.
This is the simplest option: your application is natively compatible with an SSO protocol such as CAS, SAML or OpenID Connect:
Some older applications can only be protected by placing a reverse proxy in front of them. In this case, applications will receive user information through HTTP headers. LemonLDAP::NG provides a Handler component to perform this function.
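An added example, not from the LemonLDAP::NG documentation: a minimal WSGI application that consumes the identity headers a Handler injects when it acts as a reverse proxy. It assumes the Handler is configured to send `Auth-User` and `Auth-Groups` (the header names are a configuration choice, as is the `; ` separator for multi-valued attributes) and that the application is only reachable from the Handler hosts listed in `TRUSTED_PROXIES`, which is what makes the headers trustworthy.

```python
import ipaddress

# Constructed: networks the Handler (reverse proxy) hosts live in. Only
# requests arriving from these peers may carry trusted identity headers,
# because they are ordinary HTTP headers that any direct client could set.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# WSGI exposes the "Auth-User" header as HTTP_AUTH_USER in the environ.
# Assumed header names; they must match the Handler's exported headers.
USER_HEADER = "HTTP_AUTH_USER"
GROUPS_HEADER = "HTTP_AUTH_GROUPS"
MULTI_VALUE_SEP = "; "  # assumed multi-value separator configured on the Handler


def identity_from_environ(environ):
    """Return (user, groups) when the request came through a trusted Handler,
    otherwise None. The peer check is the important part: without it, the
    application would accept whatever identity a direct client claimed."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    user = environ.get(USER_HEADER, "")
    if not user:
        return None
    groups = [g for g in environ.get(GROUPS_HEADER, "").split(MULTI_VALUE_SEP) if g]
    return user, groups


def app(environ, start_response):
    """WSGI entry point: refuse anything that did not come via the Handler."""
    ident = identity_from_environ(environ)
    if ident is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"request did not come through the SSO handler\n"]
    user, groups = ident
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}, groups={groups}\n".encode()]
```

In a real deployment the same guarantee is usually enforced at the network level (firewall or listening only on an interface the Handler can reach); the in-application check is a second line of defence, not a replacement.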
The handler has always been the central feature of LemonLDAP::NG; however, it comes at a cost:
Note
You can use both protection modes at the same time on a single LemonLDAP::NG instance. On small deployments (hundreds of users) you can probably also run the handler and portal on the same server. On large deployments you can run as many handlers as you like.
LemonLDAP::NG is compatible with two common web servers, Apache and Nginx.
If you choose Apache and intend to use the LemonLDAP::NG Handler, you must use the Prefork MPM, since mod_perl is not compatible with other MPMs.
If you are an advanced user, and you only want to run the Portal and/or Manager components, you can use any PSGI compatible web server instead.
Nginx is the recommended choice for running a Handler. If you are not running a Handler, you can freely choose your favorite between Apache and Nginx.
You can find more information at the Platforms overview page.
If you are running a Handler, it is highly recommended to dedicate a DNS subdomain to SSO-protected apps, such as *.example.com.
In every case, you will need at least:
For production use, TLS is strongly recommended. You will need X.509 certificates for at least auth.example.com and manager.example.com.