Commit cc79680b authored by Xavier Guimard's avatar Xavier Guimard

Merge branch 'v2.0'

parents 9ec3ef8c e5fb911e
Pipeline #6601 failed with stages
in 20 minutes and 48 seconds
......@@ -124,7 +124,7 @@ foreach ( sort keys %$headers ) {
print "</tbody></table>\n";
print "</div><p></p>\n";
print
"<div class=\"alert alert-warning\">Note that LemonLDAP::NG cookie is hidden. So that application developpers can not spoof sessions.</div>\n";
"<div class=\"alert alert-warning\">Note that LemonLDAP::NG cookie is hidden. So that application developers can not spoof sessions.</div>\n";
print
"<div class=\"alert alert-info\">You can access to any information (IP address or LDAP attribute) by customizing exported headers with the <a href=\"$manager_url\">LemonLDAP::NG Management interface</a>.</div>\n";
print "</div>\n";
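Review bot: the replacement string still splits one sentence into two fragments ("... cookie is hidden. So that application developers ..."); since this line is being edited anyway, suggest `Note that the LemonLDAP::NG cookie is hidden so that application developers cannot spoof sessions.` The spelling fix itself is fine and no logic is touched.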
......
lemonldap-ng (2.0.6) stable; urgency=medium
* Bugs:
* #1834: Use base64 URL for JWT generation
* #1838: Return claims from scope values in ID token if no access token requested
* #1852: SAML request lost after notification
* #1853: Adding a second notification with same reference is not refused
* #1856: Unable to validate more than one notification (JSON format)
* #1857: Message "session is expired" if a notification is refused
* #1861: Persistent data and notification validation
* #1863: Duplicate Set-Cookie header when sending lemonldappdata and lemonldap cookies
* #1864: incorrect loading of SAML metadata when entityID containts html-encoded characters
* #1865: Dependencies missing in RPM
* #1866: Skin parameter is lost in second factor choice
* #1867: Bad error template with Combination and OTT timeout
* #1868: Yubikey enrolment failed on Internet Explorer
* #1869: [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
* #1874: OTT not regenerated after submitting TOTP form with an expired OTT
* #1875: Variables from Users module DBI is not used when Authentication module is LDAP (chain: [LDAP,DBI]
* #1876: $_ no longer works in macros, rules and headers since 2.0
* #1878: Pdata cookie not cleared after cross domain Auth request
* #1880: [Security:low] Restricted users can edit conf by using default route
* #1881: [Security:high] oidc authorization codes are not tied to their RP
* #1883: Infinite loop when displaying sessions by IP address
* #1889: No changes detected by Manager when removing CAS/OIDC attributes from a CAS application / OIDC RP or provider
* #1890: LinkedIn v1 API is not available anymore
* #1891: GET parameter "cancel" with Choice and CAS authentication
* #1897: Emails are sometimes sent in the wrong language
* #1898: Handler SecureToken is not working anymore
* #1901: Handler error if a header definition is empty
* #1903: Mail password reset and Combination with LDAP does not work
* #1906: Missing MAIN_LOGO variable in redirect.tpl
* #1910: Issue with "force password change on next login" feature with LDAP
* #1915: Skin selected by rule is lost in 2FA process
* #1922: Accentuated UTF-8 value of header is UTF-8 encoded again by handler
* #1925: AuthBasic handler does not work with AuthChoice
* #1933: [Security:low] nginx portal example file does not filter REST urls
* #1935: [Security:medium] AuthSlave does not check credential headers
* New features:
* #993: Define a local password policy
* #1783: ContextSwitching plugin
* #1843: OAuth2 introspection endpoint
* #1847: Radius 2F module
* #1860: Multiple instances of 2F modules
* Improvements:
* #1619: Support IBM Tivoli Directory Server (ITDS)
* #1702: Improve log generated by lemonldap
* #1825: Possibility to disable persistent sessions
* #1829: Redirection lost between SSL/Ajax and SAML
* #1831: Warning in lemonldap-ng-cli
* #1832: Add save/restore in CLI help message and control restore parameters
* #1833: Show cli errors on file access
* #1835: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
* #1842: Merge userLogger notice with logger debug
* #1844: CheckUser plugin does not compute real session attributes if Impersonation is enabled
* #1846: Adapt response_types_supported / grant_types_supported attributes in OpenID Connect metadata depending on configured flows
* #1849: CDA is not compatible with Handler::PSGI::Try
* #1850: No "Session granted" log if grantSession plugin not enabled
* #1851: Append notification REST services
* #1862: When displaying notifications, sort them by date and references
* #1870: REST Api endpoint "error"
* #1873: Labels for 2FA choices
* #1879: [security:low] Access token expiration time is not enforced on userinfo or OAuth handler
* #1882: Confusing default OIDC issuer setting
* #1884: Force Upgrade tokens to be stored into global storage if auth and authssl are served by different load balancers
* #1885: Append an option to log an extra parameter
* #1888: Javascript error on textContent method with .Net framework and WPF
* #1896: Add _session_kind to default SOAP/REST exported attributes
* #1899: Fix portal and manager display for Internet Explorer
* #1904: Append an option "don t compact conf" + debug log + compact CAS parameters if not enabled
* #1908: Complete blackout probably due to uncontroled SQL connexion timeout
* #1913: Append an option to allow / forbid browsers to store users password
* #1916: Issuer OTT timeout
* #1919: Customizable error message when a required SAML attribute is missing
* #1923: REST ression server is too intolerant of clock drift
* #1927: Implement CORS preflight request
* #1928: Option to hide password generation checkbox in mail password reset plugin
* #1929: Custom functions are not imported into Safe Jail
* #1930: Display password change form after a password policy error in mail reset password plugin
* #1931: Disable password input field until font is fully downloaded by browser
* #1932: REST session server should return both session and _httpSession id
* #1936: Append an option to display Slave logo
* #1938: CheckUser plugin : include search parameters
-- Clément <clem.oudot@gmail.com> Tue, 24 Sep 2019 11:13:39 +0200
lemonldap-ng (2.0.5) stable; urgency=medium
* Bugs:
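Review bot: several of the new 2.0.6 changelog entries carry typos that will ship in the release notes: #1864 "containts" (contains); #1875 is missing its closing parenthesis after "[LDAP,DBI]"; #1904 "don t" (don't); #1908 "uncontroled SQL connexion" (uncontrolled SQL connection); #1922 "Accentuated" (Accented); #1923 "REST ression server" (session server). Also, the security-tagged fixes (#1869, #1880, #1881 rated high, #1933, #1935) are interleaved with ordinary bugs; a separate "Security" block at the top of the entry would make them easier for packagers and operators to spot.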
......
lemonldap-ng (2.0.6-1) unstable; urgency=medium
* New release. See changes on our website:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
-- Clement OUDOT <clement@oodo.net> Tue, 24 Sep 2019 14:00:00 +0100
lemonldap-ng (2.0.5-1) unstable; urgency=medium
* New release. See changes on our website:
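Review bot: the timezone in the new debian/changelog trailer ("Tue, 24 Sep 2019 14:00:00 +0100") disagrees with the upstream changelog entry for the same day in this commit ("+0200"); check which one is right, since dpkg-parsechangelog reads this field. The "See changes on our website" line points at the GitLab repository URL rather than the website; either the wording or the URL should change.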
......
......@@ -5,53 +5,53 @@ Section: perl
Priority: optional
Build-Depends: debhelper (>= 10),
po-debconf
Build-Depends-Indep: libapache-session-perl,
libauthen-oath-perl,
libcache-cache-perl,
libclone-perl,
libconfig-inifiles-perl,
libconvert-base32-perl,
libconvert-pem-perl,
libcrypt-openssl-rsa-perl,
libcrypt-openssl-x509-perl,
libcrypt-urandom-perl,
libcrypt-rijndael-perl,
libdatetime-format-rfc3339-perl,
libdbd-sqlite3-perl,
libdbi-perl,
libdigest-hmac-perl,
libemail-sender-perl,
libgd-securityimage-perl,
libglib-perl,
libgssapi-perl,
libhtml-template-perl,
libimage-magick-perl,
libio-string-perl,
libipc-run-perl,
libjson-perl,
liblasso-perl,
libmime-tools-perl,
libmouse-perl,
libnet-cidr-lite-perl,
libnet-ldap-perl,
libnet-openid-consumer-perl,
libnet-openid-server-perl,
libplack-perl,
libregexp-assemble-perl,
libregexp-common-perl,
libsoap-lite-perl,
libstring-random-perl,
libtest-mockobject-perl,
libtest-pod-perl,
libtext-unidecode-perl,
libunicode-string-perl,
liburi-perl,
libwww-perl,
libxml-libxml-perl,
libxml-libxslt-perl,
libxml-simple-perl,
Build-Depends-Indep: libapache-session-perl <!nocheck>,
libauthen-oath-perl <!nocheck>,
libcache-cache-perl <!nocheck>,
libclone-perl <!nocheck>,
libconfig-inifiles-perl <!nocheck>,
libconvert-base32-perl <!nocheck>,
libconvert-pem-perl <!nocheck>,
libcrypt-openssl-rsa-perl <!nocheck>,
libcrypt-openssl-x509-perl <!nocheck>,
libcrypt-urandom-perl <!nocheck>,
libcrypt-rijndael-perl <!nocheck>,
libdatetime-format-rfc3339-perl <!nocheck>,
libdbd-sqlite3-perl <!nocheck>,
libdbi-perl <!nocheck>,
libdigest-hmac-perl <!nocheck>,
libemail-sender-perl <!nocheck>,
libgd-securityimage-perl <!nocheck>,
libglib-perl <!nocheck>,
libgssapi-perl <!nocheck>,
libhtml-template-perl <!nocheck>,
libimage-magick-perl <!nocheck>,
libio-string-perl <!nocheck>,
libipc-run-perl <!nocheck>,
libjson-perl <!nocheck>,
liblasso-perl <!nocheck>,
libmime-tools-perl <!nocheck>,
libmouse-perl <!nocheck>,
libnet-cidr-lite-perl <!nocheck>,
libnet-ldap-perl <!nocheck>,
libnet-openid-consumer-perl <!nocheck>,
libnet-openid-server-perl <!nocheck>,
libplack-perl <!nocheck>,
libregexp-assemble-perl <!nocheck>,
libregexp-common-perl <!nocheck>,
libsoap-lite-perl <!nocheck>,
libstring-random-perl <!nocheck>,
libtest-mockobject-perl <!nocheck>,
libtest-pod-perl <!nocheck>,
libtext-unidecode-perl <!nocheck>,
libunicode-string-perl <!nocheck>,
liburi-perl <!nocheck>,
libwww-perl <!nocheck>,
libxml-libxml-perl <!nocheck>,
libxml-libxslt-perl <!nocheck>,
libxml-simple-perl <!nocheck>,
perl
Standards-Version: 4.3.0
Standards-Version: 4.4.0
Vcs-Browser: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng
Vcs-Git: https://salsa.debian.org/perl-team/modules/packages/lemonldap-ng.git
Homepage: https://lemonldap-ng.org/
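Review bot: every Build-Depends-Indep entry gets the `<!nocheck>` build profile, so a build run with the nocheck profile will have none of these modules installed; confirm that nothing outside the test suite (documentation or manpage generation during the build, for instance) imports them, otherwise a nocheck build will fail. Leaving `perl` unrestricted is correct. The Standards-Version bump to 4.4.0 should be accompanied by a debian/changelog line stating that no further changes were required (or listing the ones applied).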
......@@ -101,6 +101,7 @@ Description: Lemonldap::NG Web-SSO system documentation
Package: lemonldap-ng-fastcgi-server
Architecture: all
Section: web
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends},
${perl:Depends},
lsb-base,
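Review bot: adding `Pre-Depends: ${misc:Pre-Depends}` to lemonldap-ng-fastcgi-server is the usual companion of debhelper's init-script and systemd unit handling (it is filled with the init-system-helpers dependency); fine as long as debhelper actually populates the substvar for this package, otherwise the field is emitted empty. Nothing else in the hunk.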
......@@ -280,7 +281,8 @@ Recommends: libcrypt-openssl-bignum-perl,
libmime-tools-perl,
libnet-ldap-perl,
libunicode-string-perl
Suggests: libcrypt-u2f-server-perl,
Suggests: gpg,
libcrypt-u2f-server-perl,
libdatetime-format-rfc3339-perl,
libdbi-perl,
libglib-perl,
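Review bot: `gpg` is added to Suggests without a changelog entry explaining which feature needs it; the 2.0.6 upstream changelog included in this commit lists no GPG-related change, so a short note in debian/changelog (or a comment in debian/control) would help future maintainers understand why it is suggested.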
......
......@@ -56,11 +56,11 @@
To use Active Directory as LDAP backend, you must change few things in the manager :
</p>
<ul>
<li class="level1"><div class="li"> Use “Active Directory” as authentication, userDB and passwordDBbackends,</div>
<li class="level1"><div class="li"> Use &quot;Active Directory&quot; as authentication, userDB and passwordDBbackends,</div>
</li>
<li class="level1"><div class="li"> Export sAMAccountName in a variable declared in <a href="exportedvars.html" class="wikilink1" title="documentation:2.0:exportedvars">exported variables</a></div>
</li>
<li class="level1"><div class="li"> Change the user attribute to store in Apache logs <em>(“General Parameters » Logs » REMOTE_USER”)</em>: use the variable declared above</div>
<li class="level1"><div class="li"> Change the user attribute to store in Apache logs <em>(&quot;General Parameters » Logs » REMOTE_USER&quot;)</em>: use the variable declared above</div>
</li>
</ul>
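Review bot: the change only swaps curly quotes for `&quot;`; while these lines are being touched, "passwordDBbackends" (missing space before "backends") and "you must change few things" (should be "a few things") in the surrounding context could be fixed in the same edit.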
......@@ -69,7 +69,7 @@ To use Active Directory as LDAP backend, you must change few things in the manag
<h2 class="sectionedit3" id="authentication_with_kerberos">Authentication with Kerberos</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> Choose “Apache” as authentication module <em>(“General Parameters » Authentication modules » Authentication module”)</em></div>
<li class="level1"><div class="li"> Choose &quot;Apache&quot; as authentication module <em>(&quot;General Parameters » Authentication modules » Authentication module&quot;)</em></div>
</li>
<li class="level1"><div class="li"> <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Configure the Apache server</a> that host the portal to use the Apache Kerberos authentication module</div>
</li>
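Review bot: same quote replacement as the previous hunk; the context line "Configure the Apache server that host the portal" should read "hosts".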
......
......@@ -67,7 +67,7 @@ In the context of an HTTP transaction, the basic access authentication is a meth
</p>
<p>
Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings “on the fly”.
Before transmission, the username and password are encoded as a sequence of base-64 characters. For example, the user name Aladdin and password open sesame would be combined as Aladdin:open sesame – which is equivalent to QWxhZGRpbjpvcGVuIHNlc2FtZQ== when encoded in Base64. Little effort is required to translate the encoded string back into the user name and password, and many popular security tools will decode the strings &quot;on the fly&quot;.
</blockquote>
</p>
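Review bot: the markup around the edited line is malformed: the paragraph opens with `<p>` and is then closed by `</blockquote>` followed by `</p>`, so the blockquote's opening tag and the paragraph's closing tag are mismatched. Since this section is being regenerated anyway, the export should emit `</p></blockquote>` (or drop the stray blockquote tag). The quote replacement itself is fine.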
......
......@@ -96,11 +96,11 @@ similar, using whatever attribute makes sense to you. For example:<pre class="c
</li>
<li class="level1"><div class="li"> Now go to *Variables -&gt; Macros*. Here set up variables which will be computed based on the attributes you exported above. You will need to emit strings in this format <code>arn:aws:iam::account-number:role/role-name1,arn:aws:iam::account-number:saml-provider/provider-name</code>. The parts you need to change are <code>account-number</code>, <code>role-name1</code> and <code>provier-name</code>. The last two will be the provider name and role names you just set up in AWS.</div>
</li>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -&gt; <code>$ou =~ sysadmin ? “arn:aws...” : “arn:...”</code></div>
<li class="level1"><div class="li"> Perl works in here, so something like this is valid: <code>aws_eu_role</code> -&gt; <code>$ou =~ sysadmin ? &quot;arn:aws...&quot; : &quot;arn:...&quot;</code></div>
</li>
<li class="level1"><div class="li"> If it easier, split multiple roles into different macros. Then tie all the variables you define together into one string concatenating them with whatever is in General Parameters -&gt; Advanced Parameters -&gt; Separator. Actually click into this field and move around with the arrow keys to see if there is a space, since spaces can be part of the separator.</div>
</li>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> -&gt; <code>join(“; ”, $role_name1, $role_name2, ...)</code></div>
<li class="level1"><div class="li"> Remember macros are defined alphanumerically, so you want one right at the end, like <code>z_aws_roles</code> -&gt; <code>join(&quot;; &quot;, $role_name1, $role_name2, ...)</code></div>
</li>
<li class="level1"><div class="li"> On the left again, click <code><abbr title="Security Assertion Markup Language">SAML</abbr> service providers</code>, then <code>Add <abbr title="Security Assertion Markup Language">SAML</abbr> SP</code>.</div>
</li>
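Review bot: the replaced macro example `$ou =~ sysadmin ? "arn:aws..." : "arn:..."` is not valid Perl: the right-hand side of `=~` needs a pattern, e.g. `$ou =~ /sysadmin/ ? "arn:aws..." : "arn:..."`. Since the line is already being edited for the quotes, fix the expression too. Also "provier-name" in the context line above should be "provider-name".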
......
......@@ -55,6 +55,12 @@
<li class="level2"><div class="li"><a href="#gitlab_configuration">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration">LL::NG configuration</a></div></li>
<li class="level2"><div class="li"><a href="#manage_groups">Manage groups</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#openid_connect">OpenID Connect</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#gitlab_configuration1">Gitlab configuration</a></div></li>
<li class="level2"><div class="li"><a href="#llng_configuration1">LL::NG configuration</a></div></li>
</ul></li>
</ul>
</div>
......@@ -191,6 +197,70 @@ And in <abbr title="LemonLDAP::NG">LL::NG</abbr>, export the groups attribute:
</ul>
</div>
<!-- EDIT6 SECTION "Manage groups" [2526-] --></div>
<!-- EDIT6 SECTION "Manage groups" [2526-2818] -->
<h2 class="sectionedit7" id="openid_connect">OpenID Connect</h2>
<div class="level2">
<p>
<strong>Alternatively</strong> to <abbr title="Security Assertion Markup Language">SAML</abbr>, you can choose to configure Gitlab to use OpenID Connect.
</p>
</div>
<!-- EDIT7 SECTION "OpenID Connect" [2819-2932] -->
<h3 class="sectionedit8" id="gitlab_configuration1">Gitlab configuration</h3>
<div class="level3">
<p>
In <code>/etc/gitlab/gitlab.rb</code>
</p>
<pre class="code file ruby">...
<span class="me1">gitlab_rails</span><span class="br0">&#91;</span><span class="st0">'omniauth_allow_single_sign_on'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span><span class="st0">'openid_connect'</span><span class="br0">&#93;</span>
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_block_auto_created_users'</span><span class="br0">&#93;</span> = <span class="kw2">false</span>
&nbsp;
gitlab_rails<span class="br0">&#91;</span><span class="st0">'omniauth_providers'</span><span class="br0">&#93;</span> = <span class="br0">&#91;</span>
<span class="br0">&#123;</span> <span class="st0">'name'</span> <span class="sy0">=&gt;</span> <span class="st0">'openid_connect'</span>,
<span class="st0">'label'</span> <span class="sy0">=&gt;</span> <span class="st0">'LemonLDAP::NG'</span>,
<span class="st0">'args'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st0">'name'</span> <span class="sy0">=&gt;</span> <span class="st0">'openid_connect'</span>,
<span class="st0">'issuer'</span> <span class="sy0">=&gt;</span> <span class="st0">'https://auth.example.com'</span>,
<span class="st0">'scope'</span> <span class="sy0">=&gt;</span> <span class="br0">&#91;</span><span class="st0">'openid'</span>, <span class="st0">'profile'</span>, <span class="st0">'email'</span><span class="br0">&#93;</span>,
<span class="st0">'response_type'</span> <span class="sy0">=&gt;</span> <span class="st0">'code'</span>,
<span class="st0">'client_auth_method'</span> <span class="sy0">=&gt;</span> <span class="st0">'client_secret_post'</span>,
<span class="st0">'discovery'</span> <span class="sy0">=&gt;</span> <span class="kw2">true</span>,
<span class="st0">'uid_field'</span> <span class="sy0">=&gt;</span> <span class="st0">'sub'</span>,
<span class="st0">'client_options'</span> <span class="sy0">=&gt;</span> <span class="br0">&#123;</span>
<span class="st0">'redirect_uri'</span> <span class="sy0">=&gt;</span> <span class="st0">'http://gitlab.example.com/users/auth/openid_connect/callback'</span>,
<span class="st0">'identifier'</span> <span class="sy0">=&gt;</span> <span class="st0">'LEMONLDAP_CLIENT_ID'</span>,
<span class="st0">'secret'</span> <span class="sy0">=&gt;</span> <span class="st0">'LEMONLDAP_CLIENT_SECRET'</span>,
<span class="br0">&#125;</span>
<span class="br0">&#125;</span>
<span class="br0">&#125;</span>
<span class="br0">&#93;</span>;
&nbsp;
...</pre>
</div>
<!-- EDIT8 SECTION "Gitlab configuration" [2933-3771] -->
<h3 class="sectionedit9" id="llng_configuration1">LL::NG configuration</h3>
<div class="level3">
<p>
Add an OpenID Connect RP to LemonLDAP::NG
</p>
<ul>
<li class="level1"><div class="li"> Chose a client ID and a client secret, and write the same values in the <code>gitlab.rb</code> file above</div>
</li>
<li class="level1"><div class="li"> You need to chose an asymetrical signature algorithm for the ID Token (RS256 or above)</div>
</li>
<li class="level1"><div class="li"> You also need to set a key identifier on your LemonLDAP::NG server in <code>OpenID Connect service</code> » <code>Security</code> » <code>Signing key ID</code> (use something like <code>default</code> as the value). </div>
</li>
<li class="level1"><div class="li"> Make sure the attribute containing the user email in the LemonLDAP::NG session is mapped to the <code>email</code> claim.</div>
</li>
</ul>
<div class="noteclassic">You need to set a key identifier, or you will get a <em>JSON::JWK::Set::KidNotFound</em> error on Gitlab
</div>
</div>
<!-- EDIT9 SECTION "LL::NG configuration" [3772-] --></div>
</body>
</html>
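Review bot: the new Gitlab OIDC example sets `'issuer' => 'https://auth.example.com'` but `'redirect_uri' => 'http://gitlab.example.com/users/auth/openid_connect/callback'`; with a plain-http callback the authorization code is returned over cleartext, and LemonLDAP::NG should only register an https redirect URI for a production RP. Suggest `https://gitlab.example.com/users/auth/openid_connect/callback`. Also, `omniauth_block_auto_created_users` set to `false` means every account at the OP becomes a Gitlab account on first login; the text should say so, or show the `true` setting (admin approval of new accounts) as the safer default. Minor: "Chose" should be "Choose" (twice) and "asymetrical" should be "asymmetric" in the LL::NG configuration list.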
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:applications:humhub</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="noindex,nofollow"/>
<meta name="keywords" content="documentation,2.0,applications,humhub"/>
<link rel="search" type="application/opensearchdescription+xml" href="../lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="humhub.html"/>
<link rel="contents" href="humhub.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="../lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications';var JSINFO = {"id":"documentation:2.0:applications:humhub","namespace":"documentation:2.0:applications"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="../lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Présentation</a></div></li>
<li class="level1"><div class="li"><a href="#openid_connect">OpenID Connect</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#configuring_humhub">Configuring HumHub</a></div></li>
<li class="level2"><div class="li"><a href="#configuring_lemonldap">Configuring LemonLDAP</a></div></li>
<li class="level2"><div class="li"><a href="#troubleshooting">Troubleshooting</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="humhub">HumHub</h1>
<div class="level1">
<p>
<img src="humhub_logo.png" class="mediacenter" alt="" />
</p>
</div>
<!-- EDIT1 SECTION "HumHub" [1-67] -->
<h2 class="sectionedit2" id="presentation">Présentation</h2>
<div class="level2">
<p>
<a href="https://humhub.org/" class="urlextern" title="https://humhub.org/" rel="nofollow">HumHub</a> is a free and open-source social network written on top of the <a href="https://www.yiiframework.com/" class="urlextern" title="https://www.yiiframework.com/" rel="nofollow">Yii2 PHP framework</a> that provides an easy to use toolkit for creating and launching your own social network.
</p>
<p>
Unauthenticated users may connect using a login form against HumHub local database or a LDAP directory, or choose which authentication service they want to use.
</p>
<p>
Administrator can configure one or several OAuth, OAuth2 or OIDC authentication services to be displayed as buttons on the login page.
</p>
<p>
With <a href="#openid_connect" title="documentation:2.0:applications:humhub ↵" class="wikilink1"> OpenID Connect </a> authentication service, users successfully authenticated by LemonLDAP::NG will be registered in HumHub upon their first login.
</p>
<div class="notewarning">HumHub retrieves a user from his username and the authentication service he came through. As a result, a former local or LDAP user will be rejected when trying to authenticate using another authentication service.
</div>
</div>
<!-- EDIT2 SECTION "Présentation" [68-1041] -->
<h2 class="sectionedit3" id="openid_connect">OpenID Connect</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "OpenID Connect" [1042-1069] -->
<h3 class="sectionedit4" id="configuring_humhub">Configuring HumHub</h3>
<div class="level3">
<p>
First disable LDAP (Administration &gt; Users section) and delete (or migrate source) any local users whose username or email are conflicting with the username or email of your OIDC users.
</p>
<p>
Then install and configure the <a href="https://github.com/Worteks/humhub-auth-oidc" class="urlextern" title="https://github.com/Worteks/humhub-auth-oidc" rel="nofollow"> OIDC connector for humhub </a> extension using composer :
</p>
<ul>
<li class="level1"><div class="li"> Install composer and php-tokenizer.</div>
</li>
</ul>
<ul>
<li class="level1"><div class="li"> Consider using prestissimo, to speed up composer update command (4x faster):</div>
</li>
</ul>
<pre class="code">composer global require hirak/prestissimo</pre>
<ul>
<li class="level1"><div class="li"> Go to {humhumb_home} folder (containing humhub&#039;s composer.json file) and execute</div>
</li>
</ul>
<pre class="code">composer require --no-update --update-no-dev worteks/humhub-auth-oidc
composer update worteks/humhub-auth-oidc --no-dev --prefer-dist -vvv</pre>
<ul>
<li class="level1"><div class="li"> Edit {humhumb_home}/protected/config/common.php with the client configuration :</div>
</li>
</ul>
<pre class="code">&#039;components&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [
&#039;authClientCollection&#039; =&gt; [
&#039;clients&#039; =&gt; [
// ...
&#039;lemonldapng&#039; =&gt; [
&#039;class&#039; =&gt; &#039;worteks\humhub\authclient\OIDC&#039;,
&#039;domain&#039; =&gt; &#039;https://auth.example.com&#039;,
&#039;clientId&#039; =&gt; &#039;myClientId&#039;, // Client ID for this RP in LemonLDAP
&#039;clientSecret&#039; =&gt; &#039;myClientSecret&#039;, // Client secret for this RP in LemonLDAP
&#039;defaultTitle&#039; =&gt; &#039;auth.example.com&#039;, // Text displayed in login button
],
],
],
// ...
]</pre>
</div>
<!-- EDIT4 SECTION "Configuring HumHub" [1070-2515] -->
<h3 class="sectionedit5" id="configuring_lemonldap">Configuring LemonLDAP</h3>
<div class="level3">
<p>
If not done yet, configure LemonLDAP::NG as an <a href="../openidconnectservice.html" class="wikilink1" title="documentation:2.0:openidconnectservice"> OpenID Connect service</a>.
</p>
<p>
Then, configure LemonLDAP::NG to recognize your HumHub instance as a valid <a href="../idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect"> new OpenID Connect relaying party </a> using the following parameters:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Client ID</strong>: the same you set in HumHub configuration</div>
</li>
<li class="level2"><div class="li"> <strong>Client Secret</strong>: the same you set in HumHub configuration</div>
</li>
<li class="level2"><div class="li"> Add the following <strong>exported attributes</strong></div>
<ul>
<li class="level4"><div class="li"> <strong>given_name</strong>: user&#039;s givenName attribute</div>
</li>
<li class="level4"><div class="li"> <strong>family_name</strong>: user&#039;s sn attribute</div>
</li>
<li class="level4"><div class="li"> <strong>email</strong>: user&#039;s mail attribute</div>
</li>
</ul>
</li>
<li class="level2"><div class="li"> <strong>Redirect URIs</strong> containing your Yii2 auth client ID.</div>
</li>
</ul>
<p>
Configuration sample using CLI:
</p>
<pre class="code"> $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
addKey \
oidcRPMetaDataExportedVars/humhub given_name givenName \
oidcRPMetaDataExportedVars/humhub family_name sn \
oidcRPMetaDataExportedVars/humhub email mail \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientID myClientId \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsClientSecret myClientSecret \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsRedirectUris &#039;https://humhub.example.com/user/auth/external?authclient=lemonldapng&#039; \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsPostLogoutRedirectUris &#039;https://humhub.example.com&#039; \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenSignAlg RS512 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsIDTokenExpiration 3600 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsAccessTokenExpiration 3600 \
oidcRPMetaDataOptions/humhub oidcRPMetaDataOptionsBypassConsent 1 &amp;&amp; \</pre>
</div>
<!-- EDIT5 SECTION "Configuring LemonLDAP" [2516-4258] -->
<h3 class="sectionedit6" id="troubleshooting">Troubleshooting</h3>
<div class="level3">
<p>
If LemonLDAP login page freezes because of a browser security blockage, adapt security&#039;s CSP Form Action to allow HumHub host :
</p>
<pre class="code"> $ /usr/libexec/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 \
set \
cspFormAction &quot;&#039;self&#039; https://*.example.com&quot;</pre>
</div>
<!-- EDIT6 SECTION "Troubleshooting" [4259-] --></div>
</body>
</html>
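Review bot: the PHP sample in the "Configuring HumHub" section nests `'authClientCollection'` twice (two consecutive identical keys), and the bracket count confirms it is a copy error: the three `],` lines close `lemonldapng`, `clients` and one `authClientCollection`, leaving the second unclosed before the final `]`. Drop one of the two lines. In the CLI sample, the command ends with `&& \` and nothing follows it, so a shell will wait for more input; remove the trailing `&& \`. The troubleshooting CSP value `'self' https://*.example.com` opens form-action to every host under example.com; naming the HumHub host (`https://humhub.example.com`) is tighter. Also: `{humhumb_home}` should be `{humhub_home}` (twice), "relaying party" should be "relying party", the list item levels jump from level1 to level2 after "Client ID", and the heading "Présentation" is left in French in an English page.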
......@@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0:applications:img"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/applications/img/icons.png"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/applications/img/icons.png"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications:img';var JSINFO = {"id":"documentation:2.0:applications:img:icons.png","namespace":"documentation:2.0:applications:img"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/icons.png?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1561840284" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aicons.png&amp;1569271147" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
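Review bot: this file is a DokuWiki "topic doesn't exist yet" placeholder rendered for an image path (`documentation/2.0/applications/img/icons.png`), and the hunks only refresh its `tseed`, `sectok` and indexer timestamp values; it looks like an unintended export artifact rather than documentation, and every regeneration will produce a new diff that also records a DokuWiki form token (`sectok`). Consider excluding the `img/` exports from the documentation build.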
......
......@@ -23,10 +23,10 @@
<link rel="alternate" type="application/rss+xml" title="Current namespace" href="/feed.php?mode=list&amp;ns=documentation:2.0:applications:img"/>
<link rel="alternate" type="text/html" title="Plain HTML" href="/_export/xhtml/documentation/2.0/applications/img/loader.gif"/>
<link rel="alternate" type="text/plain" title="Wiki Markup" href="/_export/raw/documentation/2.0/applications/img/loader.gif"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=666dbe073d7d2522373106d8d2d68438"/>
<link rel="stylesheet" type="text/css" href="/lib/exe/css.php?t=bootstrap3&amp;tseed=a3a28b97aa1359a6551738d33203e559"/>
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0:applications:img';var JSINFO = {"id":"documentation:2.0:applications:img:loader.gif","namespace":"documentation:2.0:applications:img"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=666dbe073d7d2522373106d8d2d68438&amp;template=bootstrap3"></script>
<script type="text/javascript" charset="utf-8" src="/lib/exe/js.php?tseed=a3a28b97aa1359a6551738d33203e559&amp;template=bootstrap3"></script>
<script type="text/javascript" src="/lib/tpl/bootstrap3/assets/bootstrap/js/bootstrap.min.js"></script>
<style type="text/css">
body { padding-top: 20px; }
......@@ -90,7 +90,7 @@
<form action="/start" accept-charset="utf-8" class="search" id="dw__search" method="get" role="search"><div class="no"><input type="hidden" name="do" value="search" /><input type="text" id="qsearch__in" accesskey="f" name="id" class="edit" title="[F]" /><input type="submit" value="Search" class="button" title="Search" /><div id="qsearch__out" class="ajax_qsearch JSpopup"></div></div></form>
<ul class="nav navbar-nav">
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=bed3833398ac80a8fabe34952ef1721d" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
<li><a href="/documentation/2.0/applications/img/loader.gif?do=login&amp;sectok=594f5b54f4cd53665bf9d5ac7a31ad7a" class="action login" rel="nofollow" title="Login"><i class="glyphicon glyphicon-log-in"></i> Login</a></li> </ul>
</div>
......@@ -133,7 +133,7 @@
<div class="level1">
<p>
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on “Create this page”.
You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissions allow, you may create it by clicking on &quot;Create this page&quot;.
</p>
</div>
......@@ -272,7 +272,7 @@ You&#039;ve followed a link to a topic that doesn&#039;t exist yet. If permissio
</div><!-- /site -->
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1561840284" width="2" height="1" alt="" /></div>
<div class="no"><img src="/lib/exe/indexer.php?id=documentation%3A2.0%3Aapplications%3Aimg%3Aloader.gif&amp;1569271147" width="2" height="1" alt="" /></div>
<div id="screen__mode" class="no">
<span class="visible-xs"></span>
<span class="visible-sm"></span>
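Review bot: same as for icons.png: this is the placeholder page rendered for `documentation/2.0/applications/img/loader.gif`, and only the `tseed`, `sectok` and indexer timestamp values change; it should be excluded from the export rather than committed.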
......