lemonldap-ng (2.0.15.1) jammy; urgency=medium
* Bugs:
* #2796: "Internal Server Error" during MFA flow when using LDAP as UserDB in 2.0.15
-- Clément <clem.oudot@gmail.com> Thu, 15 Sep 2022 15:58:47 +0200
lemonldap-ng (2.0.15) jammy; urgency=medium
* Bugs:
* #2615: Redirection issue with Issue SAML + ForceAuthn=true + Kerberos authentication
* #2650: Empty SCRIPT_NAME breaks the portal
* #2690: Second factor logo/label not used on registration screen
* #2708: Auth::OpenIDConnect redirects in a loop when invalid JSON metadata is provided
* #2712: 2fSelfRegistration == 0 + 2fActivation == 1 leads to registrable second factor being presented every time
* #2714: Session upgrade link in 2FA manager not working
* #2716: 2FA registration does not auto-redirect to only available provider after deleting an existing 2FA
* #2724: one importMetadata Script default option isn't correct
* #2733: Allowing ALL special characters does not work with reset password form
* #2742: convertConfig no error but nothing converted
* #2758: [CVE-2022-37186] Session destroyed on portal but still valid on handlers while there is activity
* #2760: Userinfo does not show updated attributes when using Offline sessions
* #2769: missing handler logs with default Nginx + LemonLDAP
* #2772: translation overrides from skin json files are not used when sending emails
* #2773: translation override from skin bypasses llng.ini
* #2785: Invalid <Organization> in SAML metadata can crash portal startup
* #2787: Status: Unknown command line during OIDC flow
* #2789: $portal->templateDir causes skin mix-up
* #2791: After token timeout during 2FA flow, login form is left in broken state
* #2793: samlGotAuthnRequest cannot modify $login->request when signature validation is enabled
* New features:
* #2491: Use environment variables placeholder in lemonldap json configuration
* #2713: handle refresh tokens in Auth::OpenIDConnect
* #2737: remember previous authentication choice
* #2763: Install LL::NG on EL9
* Improvements:
* #2607: bypass OIDC logout confirmation
* #2674: Add HSTS as new security parameter in the Manager
* #2692: New API for CAPTCHA plugins
* #2719: importMetadata should handle conflicts between multiple federations
* #2720: importMetadata should be configurable
* #2723: Cannot specify custom urn:oasis:names:tc:SAML:2.0:assertion:AuthnContextClassRef values for LemonLDAP IdPs
* #2725: Add session data to oidcGenerateUserInfoResponse
* #2726: Add a session variable for used 2F module
* #2732: Add userLogger event when a specific 2FA is selected
* #2739: Provide a specific package to install LLNG FastCGI client
* #2745: portalEnablePasswordDisplay is not used in password change form
* #2746: SAML metadata without SingleLogoutService leads to error at logout
* #2753: Add IDP selection rules for CAS and OIDC
* #2755: OIDC : issue on token endpoint with method client_secret_basic
* #2756: Allow customization of portal JS code with jQuery events
* #2757: Allow admins to change the 2FA timeout
* #2759: Append a go-back-to-top button
* #2761: Append an option to customize Manager CSS
* #2762: Add re-send option to code-based OTPs
* #2768: Add new hooks on Access Token refresh
* #2775: Notification process can not be continued with JSON response
* #2780: New lemonldap-ng-cli subcommand: merge
* #2782: Notifications are not sorted by sessions explorer and epoch is not converted into local date
* #2784: Allow history fields to be translated in templates
* Templates:
* #2690: Second factor logo/label not used on registration screen
* #2714: Session upgrade link in 2FA manager not working
* #2737: remember previous authentication choice
* #2745: portalEnablePasswordDisplay is not used in password change form
* #2750: Option to define the favicon
* #2759: Append a go-back-to-top button
* #2761: Append an option to customize Manager CSS
-- Clément <clem.oudot@gmail.com> Fri, 09 Sep 2022 10:13:43 +0200
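The 2.0.15 entry above lists #2758 (CVE-2022-37186: a session destroyed on the portal stays valid on handlers while there is activity), and the 2.0.10 entry further down lists #2387 (logout does not clear handler cache). The changelog does not describe the actual root cause, so what follows is an added, constructed model of that failure class rather than LemonLDAP::NG handler code: a handler-side cache whose entries are renewed on every hit never re-reads the shared store, so a busy session outlives its logout, whereas a cache that re-validates at a fixed interval from the original fetch notices the logout within one TTL. The names SessionStore, HandlerCache and simulate, the 10 s TTL and the timings are assumptions made for the example.

```python
import time


class SessionStore:
    """Stand-in for the shared session backend the portal writes to (constructed)."""

    def __init__(self):
        self._sessions = {}

    def create(self, sid, data):
        self._sessions[sid] = dict(data)

    def destroy(self, sid):
        # Portal-side logout: the session disappears from the shared store.
        self._sessions.pop(sid, None)

    def fetch(self, sid):
        return self._sessions.get(sid)


class HandlerCache:
    """Local cache in front of the store, as a handler would keep.

    sliding=True renews the entry's lifetime on every hit, so a session that
    is used at least once per TTL is never re-read from the store and a
    portal-side logout is never noticed. sliding=False keeps the original
    fetch time, so every entry is re-validated against the store at most
    `ttl` seconds after it was cached, however busy the session is.
    """

    def __init__(self, store, ttl, sliding, clock=time.monotonic):
        self.store, self.ttl, self.sliding, self.clock = store, ttl, sliding, clock
        self._cache = {}  # sid -> (fetched_at, data)

    def get(self, sid):
        now = self.clock()
        entry = self._cache.get(sid)
        if entry is not None and now - entry[0] < self.ttl:
            if self.sliding:
                self._cache[sid] = (now, entry[1])  # the unsafe refresh
            return entry[1]
        data = self.store.fetch(sid)
        if data is None:
            self._cache.pop(sid, None)  # forget a session the store no longer has
            return None
        self._cache[sid] = (now, data)
        return data


def simulate(sliding, ttl=10.0, logout_at=5.0, step=2.0, horizon=60.0):
    """Drive one session: the handler serves a request every `step` seconds,
    the portal destroys the session at `logout_at`. Return how many seconds
    after logout the handler first rejects the session, or None if it never
    does within `horizon` seconds of continuous activity."""
    now = [0.0]
    store = SessionStore()
    store.create("s1", {"uid": "alice"})
    handler = HandlerCache(store, ttl, sliding, clock=lambda: now[0])
    logged_out = False
    while now[0] <= horizon:
        if not logged_out and now[0] >= logout_at:
            store.destroy("s1")
            logged_out = True
        data = handler.get("s1")
        if logged_out and data is None:
            return now[0] - logout_at
        now[0] += step
    return None


if __name__ == "__main__":
    print("sliding cache rejects after:", simulate(sliding=True))   # never
    print("fixed-interval cache rejects after:", simulate(sliding=False))  # one TTL
```

Even the fixed-interval variant leaves a window of up to one TTL; the complete fix is for logout to purge handler caches explicitly, which is the behaviour #2387 asks for.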
lemonldap-ng (2.0.14) focal; urgency=medium
* Bugs:
* #2519: first authentication returns 500 code after inactivity period
* #2566: No configuration available in fresh LemonLDAP 2.0.12
* #2594: Double slashes in _pdata->{_url} when LLNG is OIDC RP
* #2595: Portal does not run correctly with portalRequireOldPassword=0
* #2596: [security:low] open redirect in CAS gateway mode
* #2597: External password reset URL is called with skin= and url= parameters
* #2600: RESTProxy authentication does not work with AuthChoice-enabled internal Portal
* #2603: Saving configuration drops OIDC scope rules
* #2606: FindUser plugin: SpoofId field is not updated if a value has been already set before the Ajax request
* #2612: [Security: low, CVE-2021-40874] RESTServer pwdConfirm always returns true with Combination + Kerberos
* #2613: ProxyAuth cookie name can not be modified
* #2616: Login is not remembered when password is incorrect
* #2618: DevOps handler does not work if RULES_URL uWSGI/FastCGI parameter is set
* #2620: Net::LDAP::Control::PasswordPolicy is not always loaded
* #2622: Fail oauth2 grants when resulting scope is empty
* #2626: Portal fatal errors cause "Conflict detected between 2 extensions, aborting 1 route" message to appear in logs
* #2632: Handler::Server::Nginx does not use logger config from lemonldap-ng.ini
* #2637: Error with default locationRules
* #2645: importMetadata does not set NameIDFormat to "persistent" for new providers
* #2648: "Authentication module succeed but has not set $req->user" when using SAML Artifact mode with some, but not all IDPs
* #2655: 'afterData' plugins loaded after Impersonation will be never executed
* #2656: CAS: multiple proxies is not correctly implemented
* #2658: Macros based on '_XXX' and authenticationLevel attributes are not computed by refresh function
* #2660: Combination is not compatible with LDAP password policies
* #2663: Radius authentication fails when radius used as authentication module
* #2671: xss attack detected on a relayState parameter
* #2675: Auth::Custom calls module init twice
* #2676: UserDB::Custom and Password::Custom loads module twice and calls init three times
* #2677: *::Custom do not allow config overrides
* #2678: Auth::Custom getDisplayType is broken with choice
* #2682: Fails to create password-protected X509 certificates with OpenSSL 3.0
* #2689: REST server: 400 bad request with DELETE /session/my
* #2691: Error when using has2f in a manager rule
* #2693: "Status: Unknown command line -> " log line for each SKIP and EXPIRED accesses
* #2703: OIDC RP menu attributes name do not refresh live
* New features:
* #1411: Web Authentication API (webauthn)
* #2325: "Warn on new network location" plugin
* #2679: CheckDevOps: Append an option to check if used attributes are existing
* #2686: Web service for application list
* Improvements:
* #1714: Check logLevel value
* #2277: pdata cookie is not removed if SAML flow fails
* #2457: Do not translate OIDC RP exported attributes
* #2476: $groups is not initialized for at least LDAP authentication
* #2508: Look configuration timestamp to dismiss cache
* #2558: Add a new portal error code for Auth::OIDC issues
* #2565: Adding per-request information in logs
* #2570: RGAA: Adding a role attribute into messages
* #2577: RGAA: placeholder only should not be used as label
* #2591: stayconnected plugin: allow to disable browser fingerprint check and update documentation
* #2593: Contextual / Adaptive authentication / Risk-based authentication
* #2599: Certificate reset templates are not translated
* #2601: RESTProxy authentication does not support Impersonation
* #2602: Export OIDC grant type in rules
* #2604: Append an option to normalize HTTP headers with CheckDevOps plugin
* #2605: llnglanguage cookie will be rejected if sameSite attribute is not set
* #2609: Better history management for plugins
* #2614: display precise error while sending direct SOAP SAML message
* #2617: SafeJail must be enabled with CheckDevOps plugin
* #2619: Brazilian translation
* #2621: SAML: HTTP-Artifact mode should be discouraged
* #2625: Add an option to encrypt TOTP secrets
* #2627: Append an option in Manager to be able to set RULES_URL param
* #2638: Redirect to 2fregisters is missing a slash
* #2644: No error displayed in logs in DevOps Handler when rules file can't be downloaded
* #2646: bruteForceProtectionMaxAge and bruteForceProtectionMaxLockTime missing from manager
* #2647: Display logins history with CheckUser plugin
* #2649: Portal plugins should not require an "init" method
* #2651: Hebrew Translation
* #2654: CAS temporary tickets should have a short expiration time
* #2657: Hidden attributes, custom functions and plugins declarations are inconsistent
* #2662: CheckUser plugin: Append a rule to allow some users to display hidden attributes
* #2664: impossible to use getModule in the Password modules
* #2667: Add RP confkey to oidcGenerateUserInfoResponse plugin hook
* #2668: CheckDevOps: prevent portal crash/loop if a bad rules.json file is provided
* #2672: DBI password hash list is too restrictive
* #2673: Allow to configure multiple service URL per CAS application
* #2679: CheckDevOps: Append an option to check if used attributes are existing
* #2683: Possibility to set an activation rule for "remember me" option
* #2685: DevOps handler uses default HTTPS redirection if no VH is defined
* #2694: Chrome warns about compromised data when using form replay
* #2698: Avoid useless warning messages in log
* Templates:
* #2325: "Warn on new network location" plugin
* #2570: RGAA: Adding a role attribute into messages
* #2577: RGAA: placeholder only should not be used as label
* #2597: External password reset URL is called with skin= and url= parameters
-- Clément <clem.oudot@gmail.com> Sat, 19 Feb 2022 17:49:18 +0100
lemonldap-ng (2.0.13) focal; urgency=medium
* Bugs:
* #2428: Correctly report the number of purged sessions when using deleteIfLowerThan
* #2566: No configuration available in fresh LemonLDAP 2.0.12
* #2567: CORS headers not sent in userinfo endpoint error response
* #2568: SafeJail does not report errors correctly
* #2573: convertConfig does not work when target backend is empty
* #2589: FindUser plugin: minor improvements and several issues
* Improvements:
* #2558: Add a new portal error code for Auth::OIDC issues
* #2564: Missing options to use text emails for some features
* #2585: RGAA: to use autocomplete when possible
* #2589: FindUser plugin: minor improvements and several issues
* #2592: Bad error reporting during portal init
* Templates:
* #2585: RGAA: to use autocomplete when possible
* #2589: FindUser plugin: minor improvements and several issues
-- Clément <clem.oudot@gmail.com> Fri, 20 Aug 2021 18:30:23 +0200
lemonldap-ng (2.0.12) focal; urgency=medium
* Bugs:
* #2153: logout forward url pointing to a protected application cause infinite redirection (pdata)
* #2439: Unable to configure oidcOPMetaDataJSON and oidcOPMetaDataJWKS through lemonldap-ng-cli
* #2453: Manager API: missing doc and array handling of additional audiences
* #2455: llng-fastcgi-server exited with signal 13
* #2459: Debian packages: missing dependency to gsfonts may break Captcha
* #2460: "Underlying object can't load conf" in v2.0.11
* #2463: Portal plugin hooks triggered multiple times after reload
* #2469: mySessionAuthorizedRWKeys causes internal server error when removing OIDC consent
* #2474: OAuth2 endpoints should return an error when multiple client authentication methods are used
* #2475: OIDC: Invalid error code returned in badAuthRequest
* #2477: [security:low] Wildcard in virtualhost allows being redirected to untrusted domains
* #2480: Set an authLevel and disable ReAuthentication plugin leads to an endless loop
* #2481: missing _utime in OIDC Client Credential sessions
* #2482: unexpected persistent sessions appear since 2.0.10
* #2483: Second factor removal does not work when hiding session ids from manager
* #2487: Incorrect error reporting in convertSessions
* #2489: Do not grant the openid scope during Resource Owner Password Grant
* #2493: Unable to register a new configuration attribute with CLI when option force is enabled and backend is RDBI
* #2495: [security:medium] XSS on register form
* #2498: convertSessions does not filter sessionKind correctly
* #2503: REST/SOAP exported attributes are not sent by REST server
* #2509: Local password policy: Allowing ALL special characters does not work
* #2511: expires_in in token response has the wrong JSON type in some cases
* #2513: LLNG 2.0.11 : SAML SLO from IDP to SP with POST Binding blocked by browser
* #2518: SAML: persistent NameID is empty when using "unspecified" format on SP side
* #2520: Missing translations for DBI configuration
* #2525: Gracefully handle invalid perl expression in CAS/SAML/OIDC
* #2529: [bug] OIDC userinfo as jwt not readable
* #2531: calling to_json with hash containing file handle fails
* #2534: CDA does not work with wildcard vhosts
* #2535: [security:low] Incorrect regexp construction in isTrustedUrl lets attacker steal session on CDA application
* #2539: [security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
* #2541: Misleading TOTP options
* #2543: [security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
* #2547: Parameter oidcRPMetaDataOptionsUserInfoSignAlg is missing in Manager
* #2548: OpenID Connect ACR value can't be configured with something else than 'loa-...'
* #2549: [security:low, CVE-2021-35473] OAuth2 handler does not verify access token validity
* #2550: Token endpoint should only emit ID token when scope contains "openid"
* New features:
* #1976: FindUser plugin
* #2451: CrowdSec plugin to query Crowdsec server
* #2458: CheckDevOps plugin
* #2510: Hook on password change
* #2532: add oidcGenerateCode hook
* #2554: Remove OIDC checksession iframe from metadata
* Improvements:
* #2260: Missing elements in sphinx documentation (mongodb)
* #2419: Support JWT as OAuth 2.0 Bearer Access Tokens
* #2424: Feature: Scope Rules
* #2454: Append a Show/Hide password button into login form
* #2456: Prevent DevOps handler to send hidden session attributes
* #2462: Use timezone provided in input dates in extended function "checkDate"
* #2465: Force OIDC error messages to use JSON
* #2472: Loading metadata can be slow due to parsing of default certificate bundle
* #2484: Hook for populating client credential session
* #2488: Allow selection of AssertionConsumerServiceURL in IDP-Initiated SAML login
* #2496: Add new option to ignore undeclared OIDC scopes
* #2499: add key mapper for convertSession
* #2502: Resource Owner Password fails with PE_FIRSTACCESS when using Auth::Choice
* #2506: CAS: add an option to forbid host-based matching
* #2521: Avoid browsers parameter hide placeholder
* #2533: add hooks for CAS issuer
* #2536: optimize SingleSession to avoid unneeded session fetches
* #2544: Default 2FA register timeout is too low
* #2557: Avoid browsers to store new, old and confirmed password during update process
* #2562: Add --user/--group options to lmConfigEditor and lemonldap-ng-cli (user:group hardcoded to apache may not work correctly)
* Templates:
* #1976: FindUser plugin
* #2454: Append a Show/Hide password button into login form
* #2458: CheckDevOps plugin
* #2495: [security:medium] XSS on register form
* #2521: Avoid browsers parameter hide placeholder
* #2541: Misleading TOTP options
* #2557: Avoid browsers to store new, old and confirmed password during update process
-- Clément <clem.oudot@gmail.com> Thu, 22 Jul 2021 17:41:44 +0200
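Two security fixes in the 2.0.12 entry above concern trusted-redirect checks: #2477 (a wildcard in a virtual host name allows redirection to untrusted domains) and #2535 (incorrect regexp construction in isTrustedUrl lets an attacker steal a session on a CDA application). The changelog gives the class of bug but not the exact flawed expression, so the following is an added illustration, not LemonLDAP::NG's isTrustedUrl code: a trusted-host regexp built from a list that includes a wildcard virtual host, first the careless way (unescaped dots, "*" turned into ".*", no anchors, matched against the whole URL) and then the hardened way (escaped literals, a wildcard that expands only to DNS labels, anchored, compared against the parsed hostname and scheme). The TRUSTED list, the "*." wildcard notation and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed trusted-host list; "*." marks a wildcard virtual host.
TRUSTED = ["app.example.com", "*.intranet.example.com"]


def naive_trusted_regex(hosts):
    """Flawed builder: '*' becomes '.*', dots stay regex metacharacters and
    nothing is anchored, so the pattern matches far more than intended."""
    return re.compile("|".join(h.replace("*", ".*") for h in hosts))


def naive_is_trusted(url):
    # Applying the pattern to the whole URL means a trusted name anywhere in
    # the string (another host's subdomain, a query parameter, userinfo) passes.
    return bool(naive_trusted_regex(TRUSTED).search(url))


def hardened_trusted_regex(hosts):
    """Escape every literal, let '*.' stand for one or more DNS labels only,
    anchor both ends and ignore case (hostnames are case-insensitive)."""
    parts = []
    for host in hosts:
        if host.startswith("*."):
            parts.append(r"(?:[a-z0-9-]+\.)+" + re.escape(host[2:]))
        else:
            parts.append(re.escape(host))
    return re.compile(r"^(?:" + "|".join(parts) + r")$", re.IGNORECASE)


def hardened_is_trusted(url, allowed_schemes=("https",)):
    """Parse the URL and compare only its hostname against the anchored pattern."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in allowed_schemes or not parts.hostname:
        return False
    return bool(hardened_trusted_regex(TRUSTED).match(parts.hostname))


if __name__ == "__main__":
    probes = (
        "https://app.example.com/",
        "https://app.example.com.evil.net/",            # suffix padding
        "https://evil.net/?next=https://app.example.com/",  # trusted name in query
        "https://appXexampleYcom/",                     # unescaped dots
        "https://user@app.example.com@evil.net/",       # userinfo confusion
        "https://wiki.intranet.example.com/",           # legitimate wildcard match
    )
    for url in probes:
        print("%-50s naive=%-5s hardened=%s"
              % (url, naive_is_trusted(url), hardened_is_trusted(url)))
```

With this definition "*.intranet.example.com" covers subdomains only, not intranet.example.com itself; if the bare parent must be trusted too, list it explicitly rather than loosening the wildcard.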
lemonldap-ng (2.0.11) focal; urgency=medium
* Bugs:
* #2445: lmAuth param sent to protected application
* #2446: Incorrect MIME type on /psgi.js
* #2448: Adaptative Authentication rule triggered several times
* #2449: SAML SLO using Redirect/POST binding does not work with multiple SP
* New features:
* #1987: add grant_type=client_credentials in OIDC
* Improvements:
* #2397: OAuth2 handler should make client_id and scopes of the access token available to rules and headers
* #2436: CheckUser displays headers as they have been defined in conf instead of how they are sent
* #2444: set oidcServiceKeyIdSig by default
-- Clément <clem.oudot@gmail.com> Sat, 30 Jan 2021 18:33:37 +0100
lemonldap-ng (2.0.10) stable; urgency=medium
* Bugs:
* #1978: can't configure variables to post in virtual host's form replay with lemonldap-cli
* #2245: Manager API does not call reloadUrls
* #2262: SAML: SP-initiated logout does not propagate to external authentication modules
* #2267: LDAP timeout does not apply to search/bind/etc
* #2293: LL:NG 2.0.8 Manager test for external/working SMTP fails @ SSL handshake, terminates connections
* #2304: Error when using SMTP over SSL in CentOS 7
* #2310: Misspelled parameter in call to ldap->search()
* #2315: CheckUser plugin: option rules rely on checked user rather than connected user
* #2318: Manager API: translate JSON booleans to int
* #2332: [security:low] removal of registrable 2F does not test the current authn level
* #2340: lemonldap-ng-cli restore does not work if the config backend is empty
* #2342: Calling logout page for unauthenticated user forces login
* #2344: Enable keepalive on LDAP connections
* #2347: [Manager API] postLogoutRedirectUris should be an array
* #2348: [Manager API] Bad URL in documentation
* #2352: skipRenewConfirmation and skipUpgradeConfirmation options do not work
* #2354: Lemonldap::NG::Common::Conf::msg is never reset and grows indefinitely
* #2355: Password policy checker broken in password reset by mail template
* #2357: CDA query parameter not parsed when query params are reordered
* #2361: Cannot remove OIDC consent from session explorer
* #2364: llngconnexion cookie in the StayConnected-Plugin rejected
* #2365: Check my last logins option does not work with StayConnected plugin
* #2366: StayConnected plugin does not work with 2FA
* #2367: skip rule doesn't work with DevOps handler
* #2369: Memory leak in Issuer::_redirect
* #2373: Remove spaces from generated login when user register account
* #2374: Missing form-check-input class in form groups
* #2375: Refresh session plugin: refresh result is not checked before returning JSON answer
* #2377: Reset expired password process does not work without _whatToTrace macro or if old password is not required
* #2378: Error in inGroup expansion
* #2383: Vhost with wildcard with % sign, configuration not loaded in manager
* #2387: logout does not clear handler cache
* #2399: Local password policy check should be disabled when clicking on "generate password" checkbox
* #2401: Selinux policy blocks cache after restorecon
* #2403: Missing Ldap attribute in CAS ticket if equals 0
* #2410: LDAP connectivity issues on startup cause fatal initialization error when passwordDB=LDAP
* #2411: Javascript error when local password policy configured and password tab disabled in menu
* #2413: checkstate returns error 500 with user parameter
* #2417: Error in cookie name used by lemonldap regexp
* #2420: Auth::SAML should handle missing NameID
* #2425: "Configuration error: xxx SAML metadata has no EntityID" when updating SAML sp in manager API
* #2426: twitter auth fails when coming from oidc/saml/cas service
* #2429: SAML sessions fill up with logout sessions that do not expire
* #2430: Password not updated in session after password change
* #2440: OIDC api: redirect URI not handled at top level during get/update operations
* New features:
* #2336: Adaptative Authentication Plugin
* #2391: Add extended function to test for registered second factor
* #2408: Add Chinese (Taiwan) translation
* Improvements:
* #714: Make password change compatible with Combination
* #716: Make password reset work with Combination
* #2232: lmAttrOrMacro test in Manager is too restrictive
* #2266: local password policy conflicts with LDAP password policy
* #2301: password reset page(s) CSS issues
* #2309: Uninitialized $app in CAS Issuer during test
* #2314: CheckUser plugin: Append an option to display computed sessions data
* #2316: "New keys" in saml security configuration should generate a certificate
* #2317: Combination and fail2ban logs
* #2319: Allow the SAML signature alg to be set per-provider
* #2321: Can't save configuration with 2 CAS applications sharing the same hostname
* #2322: Support for SHA384 and SHA512 saml signatures
* #2329: Display a warning if password module is enabled without password backend
* #2330: Allow to configure OIDC claims type
* #2331: Warning in default Nginx configuration
* #2334: GlobalLogout plugin can sometimes found some non-SSO or corrupted sessions
* #2335: apache handler: allow users to override the port/scheme for redirections
* #2339: Plugins refactoring
* #2341: Make SHA256 the default signature method for SAML
* #2345: RGAA recommends alt tags to be empty for decoration images
* #2350: [security:low] Hiding session ids from the manager
* #2356: RGAA 5.4 requires arrays to have defined captions
* #2359: plugin engine for issuers
* #2360: Avoid assignment in expressions
* #2368: StayConnected-Plugin: when user-agent changes login is only possible after deleting cookies
* #2372: Add a domain whitelist to Auth::Kerberos
* #2380: CORS headers not sent by sendError
* #2381: Append a hook to be able to overwrite access log
* #2386: CheckUser does not resolve vhost aliases
* #2388: Allow custom SSL logos when using choice
* #2393: All messages printed in userLogger should use whatToTrace value to log user name
* #2398: CheckUser: Append an option to hide specific headers value depending on tested VHost
* #2404: Force deletion of corrupted sessions in DBI and LDAP backends
* #2406: Possibility to use a different mail for 2FA and password reset
* #2409: Update Spanish translation
* #2414: Manager evaluates macros with Safe Jail whereas useSafeJail has been disabled
* #2422: Missing alt attributes in mail HTML templates
* #2427: Make AssertionConsumerServiceURL available to SAML rules
* #2438: Add a confirmation when deleting second factor
* Templates:
* #2301: password reset page(s) CSS issues
* #2355: Password policy checker broken in password reset by mail template
* #2356: RGAA 5.4 requires arrays to have defined captions
* #2365: Check my last logins option does not work with StayConnected plugin
* #2366: StayConnected plugin does not work with 2FA
* #2374: Missing form-check-input class in form groups
* #2422: Missing alt attributes in mail HTML templates
* #2438: Add a confirmation when deleting second factor
* WebServer Confs:
* #2331: Warning in default Nginx configuration
* #2434: [security:medium] Headers are not deleted for unprotected or skip locations with nginx handler
-- Clément <clem.oudot@gmail.com> Sun, 17 Jan 2021 16:52:38 +0100
lemonldap-ng (2.0.9) stable; urgency=medium
* Bugs:
* #1659: RESTProxy doesn't fully work as a UserDB module
* #1980: Refresh my rights causes error 500 with OIDC provider
* #2190: 2.0.6 -> 2.0.8 sends "ARRAY (xxxx)" instead of Groups
* #2196: Unable do display integer field with other fields in Manager
* #2199: StayConnected plugin not working due to error in fingerprint javascript
* #2200: Bad default value for portalDisplayOidcConsents
* #2211: Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
* #2212: Captcha or OTT is not renewed if Impersonation process failed
* #2215: CheckUser idRule is checked only if session is computed
* #2217: Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
* #2221: Bad error message when conf backend fails to load
* #2222: Errors in lemonldap-ng.ini are not correctly reported
* #2223: Misleading error reporting when failing to save conf in lemonldap-ng-cli
* #2224: regression in redirection to SAML urls with query string after #2085
* #2229: Impersonation plugin: real_hGroup value is overwritten when specified groups are merged
* #2230: LLNG 2.0.8 - Error on portal.js with IE 11
* #2234: Prevent browser caching in sendJSONresponse
* #2237: SAML SP error with auth kerberos
* #2250: [CVE-2020-16093] Peer certificate not checked when using LDAPS
* #2253: clearing oidcRPMetaDataOptionsLogoutUrl leads to Bad URL error
* #2254: Local session cache and systemd PrivateTmp
* #2256: Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
* #2257: Missing country in OpenID Connect Address Claim
* #2258: Error when using lougout_app_sso
* #2261: Refresh my rights fails when Auth=SAML and UserDB=LDAP
* #2263: Incorrect SOAP Content-Type
* #2271: Labels are not working in auth form
* #2272: Secure flag missing on lemonldappdata cookie and during logout
* #2274: pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
* #2275: sgRequired option does not work when global storage is enabled for token
* #2287: LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
* #2288: LL:NG 2.0.8 manager missing doc-referenced "Login History" tab
* #2289: Special chars password policy is not displayed if password is expired
* #2290: [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
* #2296: skippedGlobalTests / skippedUnitTests have no effect (again)
* #2305: Error in call to _launch in Lemonldap::NG::Common::Conf delete() method
* #2306: ldapGroupDecodeSearchedValue does not apply to recursive group search
* #2307: Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication
* New features:
* #1646: integrate documentation into the codebase
* #2124: use 2FA only if and when needed
* #2205: Add a session command line (CLI) tool
* Improvements:
* #1598: Proxy Backend support for Password Module (passwordDB)
* #2188: Declare vhost with wildcard and prefix/suffix
* #2189: Make externally-provisioned yubikeys easier to configure
* #2193: Polish translation
* #2195: Manager - Configuration's Author IP address field should honor $ipAddr
* #2201: Avoid Portal to crash with bad GrantSession rule
* #2203: Retrieve GPG keys and SSH keys in GitHub authentication module
* #2207: Append an "Unrestricted users" rule to CheckUser, ContextSwitching and Impersonation plugins
* #2214: add option to make convertConfig easier in most cases
* #2225: REST session server is too intolerant of clock drift (2)
* #2233: Error/Warnings id not replaced with CLI
* #2239: Mail reset token should not be deleted at first page access
* #2240: Add tests for CAS service URL and OIDC client ID (presence/unicity) when configuration is saved
* #2241: Add CAS App management to the manager API
* #2242: Display new supported grant_types in OIDC discovery page
* #2244: Use configuration key in user log messages for all Issuer modules
* #2249: Check password policy on the client side when changing password
* #2251: Add a parameter for Syslog options
* #2252: No host in logs to use with Fail2ban
* #2265: increase log level for mail sending and password reset
* #2273: URL is not set to Portal URL after ContextSwitching
* #2276: Using bruteForceProtectionIncrementalTempo lock user at first attempt
* #2278: Display instance name when prompting a message
* #2280: User attribute based on local macro in Openid rp
* #2281: Manage SameSite default behavior
* #2283: Improve Notifications explorer to display done notifications content
* #2284: Improve serviceToken debug logs
* #2292: request "do not minify" json config option
* #2295: Erroneous use of NTLM should be explicitly reported to the user
* #2299: healthcheck endpoint for manager API
* #2302: correct usage of invalid vs unvalid in code & messaging
* #2303: Add del method to lemonldap-ng-cli
-- Clément <clem.oudot@gmail.com> Sun, 06 Sep 2020 19:59:22 +0200
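The most serious item in the 2.0.9 entry above is #2290 (CVE-2020-24660, security:high): lack of URL normalization by Nginx may lead to an authorization bypass when URL access rules are used. The changelog names the bug class but not the exact request that triggered it, so the following is an added, generic illustration rather than LemonLDAP::NG handler code: per-path access rules evaluated against the raw request URI can be sidestepped with dot segments, percent-encoding or doubled slashes, while the same rules applied to a canonicalised path give the intended answer. The RULES table, the group names and the function names are assumptions made for the example; the decoding policy (decode once, backslash as slash) is one defensible choice and should mirror what the protected application itself does.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed, hypothetical rule table in the spirit of per-URL access rules:
# the first regex that matches wins and names the group the user must hold.
RULES = [
    (re.compile(r"^/admin(/|$)"), "admins"),
    (re.compile(r"^/"), "authenticated"),
]


def normalize_path(raw_path):
    """Canonicalise a request path before matching it against RULES.

    Drop the query string, percent-decode once (decoding twice is its own
    bug class), treat backslashes as slashes, collapse repeated slashes and
    resolve '.' / '..' segments. posixpath.normpath never lets an absolute
    path climb above '/', but the final guard is cheap insurance.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)  # normpath would preserve a leading '//'
    path = posixpath.normpath(path)
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError("unsafe path after normalisation: %r" % raw_path)
    return path


def required_group(path):
    """Return the group demanded by the first matching rule, or None (deny)."""
    for pattern, group in RULES:
        if pattern.search(path):
            return group
    return None


def is_allowed(raw_path, groups, normalise=True):
    """normalise=False reproduces the unsafe behaviour of matching the raw URI."""
    path = normalize_path(raw_path) if normalise else raw_path
    group = required_group(path)
    return group is not None and group in groups


def audit(raw_path, groups):
    """Return (raw_decision, normalised_decision); a True/False pair is a bypass."""
    return is_allowed(raw_path, groups, normalise=False), is_allowed(raw_path, groups)


if __name__ == "__main__":
    user_groups = {"authenticated"}  # an ordinary, non-admin user
    for probe in ("/docs/index.html", "/public/../admin/users",
                  "/%61dmin/users", "//admin/users", "/admin/../public"):
        raw, norm = audit(probe, user_groups)
        print("%-26s raw=%-5s normalised=%s" % (probe, raw, norm))
```

A useful deployment check is to run audit() over the access log with a non-privileged group set: any request where the two decisions disagree is either a bypass attempt or a rule that depends on the unnormalised form, and both deserve a look.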
lemonldap-ng (2.0.8) stable; urgency=medium
* Bugs:
* #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18
* #1659: RESTProxy doesn't fully work as a UserDB module
* #1776: Manager breaks when moving a newly created category or application
* #1939: expired issuer context is not reset when starting new authentication
* #1990: [warn] Route xxx redefined when using the fastCGI server
* #1992: Memory leak issue on CentOS 7 / perl 5.16
* #2048: t/32-OIDC-Refresh-Token.t fails randomly
* #2049: Unable to display notifications marked as done (DBI)
* #2050: Wrong message displayed by CheckUser plugin
* #2051: SAML Service Provider Macros are incorrectly displayed/saved by the manager
* #2057: Log in request without captcha returns an internal server error
* #2058: Use of configuration cache can mix global and local configuration parameters
* #2059: Error in Manager / CLI / Editor when an attribute is not defined
* #2061: pdata not cleaned with Kerberos authentication
* #2063: Javascript error: window.datas is undefined
* #2072: Configuration comparator error on application menu "order"
* #2074: Portal menu : display condition with sp: does not work for SAML SP
* #2080: SAML POST to SP becomes GET when an info is displayed
* #2081: Parameter added to external redirect URL when info.tpl is used
* #2082: SSLVarIf cannot be set in manager
* #2085: OIDC provider doesn't work when info is displayed during the login process
* #2086: LDAP notifications backend does not work
* #2089: Old format notifications with file backend don't work
* #2090: Session creation mixup when supplying an existing _session_id
* #2097: Error after activating userLogger (Apache)
* #2099: Error 500 when SAML Session is expired
* #2101: Wildcard in virtualhost names : URL contains a non protected host
* #2104: Sessions are not well computed by CheckUser plugin
* #2105: Using RS* ID Token signature algorithm without a RSA key causes ID Token to be returned as "null"
* #2111: Bad translation tag for password policy remaining grace message
* #2113: Password policy warning before password expiration is badly displayed
* #2116: Missing goToPortal translation for mails
* #2118: Multivalued attributes received from CAS server stored as string "ARRAY" in session
* #2120: OIDC: hybrid flow does not issue ID token
* #2123: Rest2F does not transmit session attributes to Verify URL
* #2127: Cache reload throws an error if status is enabled
* #2128: Manager with CDA issue
* #2133: Issues with removed second factors notification system
* #2138: logout forward doesn't work anymore
* #2141: Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
* #2142: OIDC consent validation fails after second factor form or redirection from external IDP
* #2143: Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
* #2144: OTT is not sent if SSL authentication fails with Choice
* #2148: Bad request with Notification SPA
* #2151: Session upgrade does not work with multiple second factors
* #2152: Nginx configuration files do not work with IPv6
* #2159: Single session module configuration
* #2165: Server error with rule on Combination
* #2167: OAuth2 handler should return 401 when access token is missing or invalid
* #2168: LLNG is too strict on OIDC scope syntax
* #2169: duplicates in _oidcConsents when scope is updated
* #2171: Introspection endpoint does not recognize refreshed Access Tokens
* #2179: refresh my rights downgrades authentication level set by 2FA
* #2180: SingleSession plugin does not work if history is displayed
* New features:
* #2033: Manager API to reset 2FA
* #2034: Manager API to manage SAML and OIDC clients
* #2069: Manage Cookie SameSite value
* #2136: Possibility to override language with a parameter in URL
* #2154: Github authentication backend
* Improvements:
* #1598: Proxy Backend support for Password Module (passwordDB)
* #1877: Option to run setMacros after setGroups
* #1902: Configuration is saved even with errors with lemonldap-ng-cli
* #1957: Provide packages for CentOS 8
* #2046: compactConf is confusing
* #2064: Do not show action buttons on portal when displaying waiting message (Kerberos or SSL Ajax call)
* #2065: Improve diff.html templates to display Author, Date and Summary of both configurations
* #2068: Append an option to set CSP frame ancestors header
* #2070: LemonLDAP session cookie - SameSite attribute
* #2071: Allow users to see and display their accepted notifications
* #2073: Improve notifications SPA
* #2076: Possibility to configure a custom CSS file
* #2084: Make "error" the default log level for lasso
* #2088: BruteForce module: increase delay between each login attempt
* #2091: Better look for buttons in 2FA choice screen
* #2093: CheckUser - Remove persistent session attributes if required
* #2096: Improve introspection endpoint
* #2102: Bad Autologin rule leads to error 500 and crashes the portal
* #2103: Add a rollback option to lemonldap-ng-cli
* #2106: CheckUser: Append an option to hide empty headers
* #2108: "Underlying object can't load conf" is a bad error message
* #2109: Securing the new API endpoints for 2.0.8 release
* #2114: Improve adaptive display and show instance name
* #2115: Possibility to select choice tab, as for menu tab
* #2117: Remove warning messages "uninitialized value $encryption_mode"
* #2119: Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
* #2121: Prevent Portal from crashing if Custom Functions module is not found
* #2125: Internal Server Error when REST backend does not return a JSON Object
* #2126: Prevent Portal from crashing if a bad rule is used for enabling a plugin
* #2129: AuthenticationLevel based macros and groups should be updated with second factor
* #2130: Append password policy options to define and require special characters
* #2131: Make json does nothing if only a Portal constant is appended
* #2132: Application icons are displayed with real sizes by the Manager and it is not particularly convenient
* #2135: Remove 'underscore' in notification reference
* #2140: Append an option to define applications tooltip
* #2145: Display a custom param with GlobalLogout plugin
* #2149: Add an easy way to set level of additional second factors
* #2155: Implement Resource Owner Password Credentials Grant
* #2156: "Require 2FA" should be renamed
* #2161: DBI should test that "table" is set
* #2164: Make SingleSession options configurable by a rule
* #2166: Configuration parser does not check validity of SAML/OIDC/CAS/vhost options
* #2173: Make CheckUser options configurable by a rule
* #2175: Reorganize OIDC RP options in manager
* #2177: OIDC: Allow additional audiences for ID Token
* #2178: Make require old password option configurable by a rule
* #2182: Append a Show/Hide password button into change password form
* #2184: SAML logout request returns 400 error code if session is not found
* #2185: Append a rule to display sfaManager link
-- Clément <clem.oudot@gmail.com> Mon, 04 May 2020 22:43:29 +0200
lemonldap-ng (2.0.7) stable; urgency=medium
* Bugs:
* #1893: Issuer urldc is lost after error in 2F flow
* #1909: Reset password by email issue
* #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
* #1945: passwordpolicy.tpl contains wrong tag
* #1948: Translation menu does not work with Diff.html
* #1949: Don't Store Password shows password in cleartext
* #1952: "Attributes and macros" session keys should not be translated
* #1954: zimbra preauth not working
* #1955: Redirection lost after notification validation
* #1960: REST config service not working
* #1961: IDP selection rule regression in 2.0.0
* #1963: Server Error with OpenID Connect register endpoint
* #1964: Diff.html does not work with minified JS
* #1966: Configuration reload does not apply changes to location rules
* #1968: skippedUnitTests/skippedGlobalTests have no effect
* #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
* #1974: ServiceToken handler TTL value always set to default
* #1984: Reset expired password doesn't trigger when using Combination
* #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
* #2009: Display authentication error on login form with Combination Kerberos + LDAP
* #2010: Kerberos not working with session upgrade
* #2012: Several issues with notification system
* #2013: Handler, yum install
* #2018: After temporary ldap failure, ldap connections stop working forever
* #2038: Missing type attribute in 2FA HTML inputs
* #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name
* New features:
* #1605: certificate reset by mail
* #1956: DecryptValue plugin
* #1999: Possibility to view/close other sessions opened for the same user
* #2006: Create a web service for "refresh my rights"
* Improvements:
* #1590: Possibility to configure new plugins in Manager
* #1905: Append overScheme for persistent sessions
* #1941: After logging out from SP we are always redirected to IdP - Unable to go back to SP Portal
* #1947: Highlight active module with Diff.html
* #1967: allow different types of managerDN
* #1983: The script purgeCentralCache should be more fault tolerant
* #1988: Append a requiredAuthenticationLevel option for each uri
* #1989: Main logo and lang icons are missing with upgradesession template
* #1991: Some user logs not using whatToTrace for username
* #1993: Same issue as (#1884) occurs with Issuer redirection
* #1994: Append varInUri extended function
* #1995: Add an option to force claims in ID token
* #1996: REQUEST_URI env variable is not set by CheckUser plugin
* #1997: Enable checkTime option by default
* #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
* #2007: Password change prompt displayed even if initial auth fails
* #2008: Specific message and error code for 2F failure
* #2011: Create a function to test if a value belongs to a list
* #2012: Several issues with notification system
* #2014: New script to convert sessions between backends
* #2019: Renew Captcha button
* #2024: Change default value for cspFormAction
* #2042: Add per-service macros
-- Clément <clem.oudot@gmail.com> Sat, 21 Dec 2019 16:59:22 +0100
lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs:
* #1834: Use base64 URL for JWT generation
* #1838: Return claims from scope values in ID token if no access token requested
* #1852: SAML request lost after notification
* #1853: Adding a second notification with same reference is not refused
* #1856: Unable to validate more than one notification (JSON format)
* #1857: Message "session is expired" if a notification is refused
* #1861: Persistent data and notification validation
* #1863: Duplicate Set-Cookie header when sending lemonldappdata and lemonldap cookies
* #1864: incorrect loading of SAML metadata when entityID contains html-encoded characters
* #1865: Dependencies missing in RPM
* #1866: Skin parameter is lost in second factor choice
* #1867: Bad error template with Combination and OTT timeout
* #1868: Yubikey enrolment failed on Internet Explorer
* #1869: [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
* #1874: OTT not regenerated after submitting TOTP form with an expired OTT
* #1875: Variables from Users module DBI are not used when Authentication module is LDAP (chain: [LDAP,DBI])
* #1876: $_ no longer works in macros, rules and headers since 2.0
* #1878: Pdata cookie not cleared after cross domain Auth request
* #1880: [Security:low] Restricted users can edit conf by using default route
* #1881: [Security:high] oidc authorization codes are not tied to their RP
* #1883: Infinite loop when displaying sessions by IP address
* #1889: No changes detected by Manager when removing CAS/OIDC attributes from a CAS application / OIDC RP or provider
* #1890: LinkedIn v1 API is not available anymore
* #1891: GET parameter "cancel" with Choice and CAS authentication
* #1897: Emails are sometimes sent in the wrong language
* #1898: Handler SecureToken is not working anymore
* #1901: Handler error if a header definition is empty
* #1903: Mail password reset and Combination with LDAP does not work
* #1906: Missing MAIN_LOGO variable in redirect.tpl
* #1910: Issue with "force password change on next login" feature with LDAP
* #1915: Skin selected by rule is lost in 2FA process
* #1922: Accented UTF-8 value of header is UTF-8 encoded again by handler
* #1925: AuthBasic handler does not work with AuthChoice
* #1933: [Security:low] nginx portal example file does not filter REST urls
* #1935: [Security:medium] AuthSlave does not check credential headers
* New features:
* #993: Define a local password policy
* #1783: ContextSwitching plugin
* #1843: OAuth2 introspection endpoint
* #1847: Radius 2F module
* #1860: Multiple instances of 2F modules
* Improvements:
* #1619: Support IBM Tivoli Directory Server (ITDS)
* #1702: Improve log generated by lemonldap
* #1825: Possibility to disable persistent sessions
* #1829: Redirection lost between SSL/Ajax and SAML
* #1831: Warning in lemonldap-ng-cli
* #1832: Add save/restore in CLI help message and control restore parameters
* #1833: Show cli errors on file access
* #1835: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
* #1842: Merge userLogger notice with logger debug
* #1844: CheckUser plugin does not compute real session attributes if Impersonation is enabled
* #1846: Adapt response_types_supported / grant_types_supported attributes in OpenID Connect metadata depending on configured flows
* #1849: CDA is not compatible with Handler::PSGI::Try
* #1850: No "Session granted" log if grantSession plugin not enabled
* #1851: Append notification REST services
* #1862: When displaying notifications, sort them by date and references
* #1870: REST Api endpoint "error"
* #1873: Labels for 2FA choices
* #1879: [security:low] Access token expiration time is not enforced on userinfo or OAuth handler
* #1882: Confusing default OIDC issuer setting
* #1884: Force Upgrade tokens to be stored into global storage if auth and authssl are served by different load balancers
* #1885: Append an option to log an extra parameter
* #1888: Javascript error on textContent method with .Net framework and WPF
* #1896: Add _session_kind to default SOAP/REST exported attributes
* #1899: Fix portal and manager display for Internet Explorer
* #1904: Append an option "don't compact conf" + debug log + compact CAS parameters if not enabled
* #1908: Complete blackout probably due to uncontrolled SQL connection timeout
* #1913: Append an option to allow / forbid browsers to store users password
* #1916: Issuer OTT timeout
* #1919: Customizable error message when a required SAML attribute is missing
* #1923: REST session server is too intolerant of clock drift
* #1927: Implement CORS preflight request
* #1928: Option to hide password generation checkbox in mail password reset plugin
* #1929: Custom functions are not imported into Safe Jail
* #1930: Display password change form after a password policy error in mail reset password plugin
* #1931: Disable password input field until font is fully downloaded by browser
* #1932: REST session server should return both session and _httpSession id
* #1936: Append an option to display Slave logo
* #1938: CheckUser plugin : include search parameters
-- Clément <clem.oudot@gmail.com> Tue, 24 Sep 2019 11:13:39 +0200
lemonldap-ng (2.0.5) stable; urgency=medium
* Bugs:
* #1521: The manager renames the id of applications created by lemonldap-ng-cli
* #1655: Can't delete notifications from the manager
* #1717: Warnings "Devel::StackTrace" when using non-native Perl functions
* #1746: Impersonation does not work with double cookies authentication
* #1749: Authentication with "Double Cookies for a single session" (securedCookie==3) does not work
* #1753: Logout with CASv2 is not working (Bad URL)
* #1754: Configuration caching issue when overriding globalStorage in lemonldap-ng.ini
* #1755: CheckUser plugin fails if OTT globalStorage is enabled
* #1759: Server Error when OpenID Connect provider enabled without any RP
* #1762: CDA sessions are not removed when handler uses SOAP
* #1775: Authentication with double cookies fails when uniq session is enabled
* #1777: Server Error with SAML SLO and expired SSO session
* #1779: Go to portal message not translated in register confirmation mail
* #1795: [Security: low] CAS 3.0 Logout does not validate redirect URL
* #1800: Auth::Slave is unusable with Choice
* #1802: No error returned if no code provided on OpenID Connect token endpoint
* #1805: Auth::LDAP unusable in combination if UserDB::LDAP isn't called
* #1809: UserDB::DBI with Auth::LDAP seems to not work properly
* #1810: [Security: low] llng-fastcgi-server could fail to setgid
* #1811: Lua-headers file is missing
* #1813: searchOn* does not work when a portal uses REST session backend
* #1814: Local cache not fully purged
* #1818: [Security:low] XXE vulnerability in SOAP notification server
* #1819: Portal Notification server unusable with old XML format
* #1821: Pdata not cleared after session upgrade
* #1822: Session upgrade does not work with 2FA
* #1824: lmConfigEditor does not work anymore
* #1826: Race condition on SSL login form button
* New features:
* #1796: Display a message if an expired 2f device is removed
* Improvements:
* #1706: html not interpreted for translated messages
* #1723: Real authentication is masked when using proxy authentication module
* #1732: Sessions explorer and Browseable::Postgres
* #1734: RPM version uses JSON::PP instead of JSON::XS
* #1747: Logging out from portal causes an error with doubleCookie after refreshing rights
* #1750: Wrong version / author / IP / log in lemonldap-ng-cli
* #1758: Warnings in Viewer.pm when saving configuration
* #1763: Transmission of Authorization header should probably be on by default
* #1764: Set chosen language in user session
* #1765: Better CORS handling
* #1766: Warning in logs with SAML
* #1767: Append startTime overScheme to display sessions to avoid browser crash
* #1769: CSRF token is not automatically regenerated after a failed login with Auth::Choice
* #1770: Add save/restore commands in cli
* #1771: SSO sessions _updateTime value is not updated after a refresh request
* #1773: Append option to modify service Token handler TTL
* #1774: CheckUser plugin does not work with SAML
* #1782: Append an option to set 2FA TTL
* #1791: Append an option in Manager to merge only specified SSO groups with Impersonation
* #1797: Allow ServiceToken to send service headers
* #1799: StorePassword in session not working when using session REST server
* #1827: Using lemonldap-ng-cli info gives warning with default configuration
* #1828: 2F plugins and method loadTemplate are not using skin rules
* #1830: [Security:improvement] Improved use of cryptography
-- Clément <clem.oudot@gmail.com> Sat, 29 Jun 2019 22:25:02 +0200
* Bugs:
* #1684: UI manager: boolean values do not appear in configuration forms with Yaml config format
* #1709: ViewDiff template not displayed
* #1710: Configuration keys not displayed in Viewer
* #1716: [Security:minor] Update jQuery
* #1720: Duplicate session opening when using multiple Kerberos instances in Combination
* #1724: CAS 1.0 /validate endpoint does not return username
* #1726: Deb package: missing dependency IO::String
* #1733: Invalid default crontab in RPM
* #1736: Configuration version in Manager is different from software version
* #1738: Error not well caught with Ext2F
* #1741: Deleted category is not detected as a change when saving conf.
* #1742: [Security: high] Setting tokenUseGlobalStorage allows unauthenticated users to access the portal (and applications without rules)
* #1743: [Security: low] register_token used for account creation can be used as a valid session identifier
* #1746: Impersonation does not work with double cookies authentication
* New features:
* #1146: Allow Handler to read OAuth2 access token instead of browser cookie
* #1722: [Security: improvement] PKCE to secure OIDC Authorization Code flow
* Improvements:
* #1703: Fix faulty headers on a null value
* #1711: Return Session ID when authentication is done via REST
* #1712: Display idpChoice cancel button only if AuthChoice is enabled
* #1713: CAS : Allow per application CAS login override
* #1714: Check logLevel value
* #1725: Allow unauthenticated clients on OIDC token endpoint
* #1728: Improve redirect page
* #1729: Display error if SAML service is enabled without private and public keys signature
* #1730: Sort real and spoofed attributes in CheckUser and Session explorer
* #1735: Highlight valid SSO sessions in sessions explorer
* #1739: Improve log in Grant Session plugin
-- Clément <clem.oudot@gmail.com> Sun, 12 May 2019 16:17:01 +0200
* Bugs:
* #1543: Redirection lost with CAS RP -> Choice -> SAML Discovery Protocol -> SAML IDP
* #1654: Password must change on AD still not fully working
* #1656: No IP shown in history logon
* #1667: [Security:medium] Option userControl is not applied anymore in standard login process
* #1671: Error in SP-initiated saml logout with multiple SP
* #1672: In SAML Issuer, environment variables to store current SP are not filled
* #1673: Application list display and specific rules
* #1675: [Security:minor] Using /logout instead of /?logout=1 does not work
* #1676: Active Directory connection information not saved
* #1679: Default jQuery URL in form replay has changed
* #1680: In form replay, POST data keys are not URL encoded
* #1682: LinkedIn OAuth2 authentication is not available in combination modules list
* #1683: Changing configuration option cspScript has no effect
* #1684: UI manager: boolean values do not appear in configuration forms with Yaml config format
* #1686: SOAP Portal WSDL file is invalid
* #1691: Password policy can't display messages
* #1692: Parameter base64 is ignored in setHiddenFormValue
* #1693: Information is not displayed in logout process
* #1698: Invalid pdata causes SAML login to fail after logout
* #1703: Fix faulty headers on a null value
* #1708: lmerror page loops on url parameter
* New features:
* #1632: Optionally let Ext2F module handle code generation
* #1658: CheckUser plugin
* #1661: Configuration viewer module
* #1664: Impersonation plugin
* #1697: Command-line tool to delete session for specific user(s)
* Improvements:
* #1549: Option to override IDP entityID
* #1595: Possibility to override message with a custom JSON file in template
* #1651: Disable cache on portal page
* #1653: Allow fallback to default skin when a template is not found in custom theme
* #1660: Restore possibility to hide message in portal template
* #1666: Display errors on login form
* #1668: As IDP SAML, do not try to send SLO response if no SLO endpoint defined in SP metadata
* #1670: Display "authentication in progress" when using Ajax with Kerberos
* #1681: Change behavior with SAML mandatory/optional attributes in SAML Issuer
* #1687: Add granted log for user and connection information
* #1694: Disable CSRF token with AuthBasic
* #1696: Remove unnecessary antiframe protection in portal javascript
* #1699: Authentication level for REST and GPG authentication
* #1700: Update AuthBasic handler doc : REST server is required
* #1704: Append parameter to sort IDP, OP and CAS servers in Auth menu loop
-- Clément <clem.oudot@gmail.com> Thu, 11 Apr 2019 10:09:35 +0200
* Bugs:
* #1574: "Manager is unprotected" message when whatToTrace value is not the default
* #1603: Warnings with confirmation required don't work
* #1604: Manager unit tests randomly failed
* #1607: Safe errors when saving configuration with lmConfigEditor
* #1610: Unable to save empty value for cookie expiration time in Manager
* #1613: handler https redirection does not work
* #1614: Accents not well displayed in Portal
* #1618: Version in server signature is wrong
* #1623: ADPwdExpireWarning and ADPwdMaxAge parameters are missing in Manager
* #1627: Display issue with GrantSession plugin
* #1628: [Security:minor] GrantSession plugin discloses its message to unlogged users
* #1630: [Security:minor] SSO cookie is sent to protected applications with Nginx-based ReverseProxy
* #1636: SSL and Kerberos Auth Modules don't work with choice
* #1639: User must change password on AD is broken
* #1642: Unable to select skin from URL
* #1643: Portal CSS is sent with empty background when portalSkinBackground is not defined
* #1644: error while resetting password with ppolicy enabled
* #1648: ldapAuthnLevel and dbiAuthnLevel are ignored
* #1649: Error about Handler when saving configuration in lmConfigEditor
* New features:
* #1569: GPG authentication module
* #1629: Email-based two-factor module
* #1631: Allow to display "env" as template variables
* Improvements:
* #1486: Portal starts even if init() has failed
* #1600: Improve e2e tests
* #1601: Create LDAP option to decode DN value
* #1608: Date and comment not updated with lemonldap-ng-cli
* #1609: add autocomplete="off" to 2F form fields
* #1611: Improve apache configuration
* #1622: Display delete button in 2FAManager only if action is allowed
* #1625: "Use rule" option in issuer modules seem not to be used anymore
* #1633: Better random generation
* #1634: Improve management of template parameters
* #1635: SAML attribute default value is not set
* #1637: Add display options for SAML IDP like OIDC and CAS providers
-- Clément <clem.oudot@gmail.com> Tue, 12 Feb 2019 08:57:14 +0100
* Bugs:
* #1564: Function authLogout is missing in package "Lemonldap::NG::Portal::Auth::SSL"
* #1572: Error when saving in manager (mongoDB as ConfigurationBackend)
* #1576: Browser doesn't select Portal appropriate language
* #1579: SOAP Backend error for empty collection
* #1582: MongoDB Conf backend looses sub hash keys
* #1586: Portal message override do not work on plugins and mails templates
* #1587: Captcha is not displayed in Register form if mail already exists
* #1588: Captcha is validated with additional letters
* #1589: Error in MailReset when asking to resend confirmation mail
* #1592: Cannot select a menu tab with ?tab=<tab id> in URL
* #1594: Cannot select oidcConsents tab in menu
* Improvements:
* #1565: OpenId - Default CSP value causes breakdown in OpenId authentication form
* #1578: Fix fcgi/psgi extensions in documentation
* #1583: Append parameter to configure number of allowed failed logins before brute force protection activation
* #1584: Browser doesn't select Manager appropriate language
* #1585: Fix main logo and langs icons display & double slash in lmerror 403 error URL
* #1591: $req->user not available in plugins authenticated routes
* #1593: Bad userinfo response: Unauthorized
* #1596: Possibility to define new tabs in Menu
* #1599: Usage of OpenID Connect with bad scope value results in unlimited session growth
-- Clément <clem.oudot@gmail.com> Fri, 21 Dec 2018 15:12:13 +0100
* Bugs:
* #757: "Attempt to free unreferenced scalar" in Lemonldap::NG::Common::Session
* #789: Apache reloading breaks SAML authentication
* #804: Incomplete logout in Issuer modules
* #856: LemonLDAP loses exportedVars conf randomly
* #863: get_url function builds wrong Portal URL
* #918: Env variables are searched in backends
* #998: encode_base64 can be undefined after a reload by URL
* #1061: Multiple segfault using ModPerl::Registry with Apache2.4
* #1113: OIDC Provider to SAML SP does not work
* #1150: Can't get captcha to work with LDAP as backend
* #1171: Session explorer freezes when session number is high
* #1327: Facebook module not working due to API changes in Facebook
* #1420: Answering to CAS proxy requests as CAS Provider