Commit 344eae6f authored by Christophe Maudoux

Merge branch 'v2.0' into 2683

parents 0b5259ff 900a15c2
Pipeline #18800 passed with stage
in 9 minutes and 45 seconds
......@@ -71,6 +71,10 @@ Then go in ``CAS Service`` to define:
matching. By default, LemonLDAP::NG will try to find a declared CAS
Application matching the hostname of the requested application if it cannot
find a match using the full path. See :ref:`idpcas-url-matching` for details
- **Temporary ticket lifetime**: (since *2.0.14*): restricts how long Service
and Proxy tickets are valid after being generated. For compatibility, the
default value of ``0`` means they are valid for the entire session duration.
But the CAS spefications recommends ``300`` (5 minutes).
.. tip::
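Review bot: typo in the new bullet, "the CAS spefications recommends" should read "the CAS specification recommends". The bullet also never states the unit of the value; since it gives ``300`` as "5 minutes" the unit is seconds, and saying so next to the option name avoids operators entering minutes. Consider adding that ``0`` keeps the pre-2.0.14 behaviour (tickets live as long as the SSO session) and that new deployments should set ``300``, so the security trade-off of the compatibility default is explicit.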
......
......@@ -62,6 +62,7 @@ casSrvMetaDataOptions Root of CAS server optio
casStorage Apache::Session module to store CAS user data ✔
casStorageOptions Apache::Session module parameters ✔
casStrictMatching Disable host-based matching of CAS services ✔
casTicketExpiration CAS Service and Proxy tickets TTL ✔
cda Enable Cross Domain Authentication ✔ ✔
certificateResetByMailCeaAttribute ✔
certificateResetByMailCertificateAttribute ✔
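Review bot: the new ``casTicketExpiration`` row gives "CAS Service and Proxy tickets TTL" with no unit; the other documentation in this commit expresses the value in seconds, so "TTL (seconds)" would keep the reference table consistent with the CAS Service page.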
......
......@@ -4,12 +4,11 @@ REST session backend
Session <type> can be 'global' for SSO sessions or 'persistent' for
persistent sessions.
LL::NG portal provides REST end points for sessions management:
LL::NG Portal provides REST end points for sessions management:
- GET /sessions/<type>/<session-id> : get session datas
- GET /sessions/<type>/<session-id>/<key> : get a session key value
- GET /sessions/<type>/<session-id>/[k1,k2] : get some session key
value
- GET /sessions/<type>/<session-id>/[k1,k2] : get some keys value
- POST /sessions/<type> : create a session
- PUT /sessions/<type>/<session-id> : update some keys
- DELETE /sessions/<type>/<session-id> : delete a session
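Review bot: while touching this list, "get session datas" in the first bullet should be "get session data". The rewritten bullet "get some keys value" would read better as "get the value of several keys", matching the "update some keys" wording of the PUT entry.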
......@@ -20,17 +19,21 @@ Sessions for connected users (used by :doc:`LLNG Proxy<authproxy>`):
- GET /session/my/<type>/key : get session key
- DELETE /session/my : ask for logout
Authorizations for connected users (always enabled):
Services for connected users (always enabled):
- GET /mysession/?authorizationfor=<base64-encoded-url>: ask if url is
authorizated
- GET /mysession/?authorizationfor=<base64-encoded-url> : ask if an url
is authorized
- GET /mysession/?whoami : get "my" uid
- PUT /mysession/<type> : update some persistent data (restricted)
- DELETE /mysession/<type>/key : delete key in data (restricted)
- GET /myapplications : get "my" appplications list
This session backend can be used to share sessions stored in a
non-network backend (like
:doc:`file session backend<filesessionbackend>`) or in a network backend
protected with a firewall that only accepts HTTP flows.
Most of the time, REST session backend is used by Handlers installed on
Most of the time, REST session backend is used by Handlers deployed on
external servers.
To configure it, REST session backend will be set through Manager in
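Review bot: "ask if an url is authorized" should be "ask if a URL is authorized" (the earlier bullet already uses "URL" in upper case in ``<base64-encoded-url>``). The heading change from "Authorizations" to "Services" is appropriate since the list covers ``whoami`` and ``myapplications``, which are not authorization checks; "appplications" in the last bullet has an extra "p".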
......@@ -69,16 +72,16 @@ Name Comment Example
=================== ======================================== ==================================================
`user` and `password` parameters are only used if the entry point `index.fcgi/sessions/global`
is protected by a basic authentication. Thus, handlers will make requests to the portal
is protected by a basic authentication. Thus, handlers will make requests to the Portal
using these parameters.
.. attention::
By default, user password and other secret keys are
hidden by LLNG REST server. You can force REST server to export their
hidden by LL::NG REST server. You can force REST server to export their
real values by selecting "Export secret attributes in REST" in the
manager. This less secure option is disabled by default.
Manager. This less secure option is disabled by default.
Apache
~~~~~~
......
......@@ -29,6 +29,57 @@ None
2.0.14
------
Security
~~~~~~~~
* **CVE-2021-40874**: RESTServer pwdConfirm always returns true with Combination + Kerberos (see `issue 2612 <https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612>`__)
Weak encryption used for password-protected SAML keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Previous versions of LemonLDAP::NG used a weak encryption algorithm to protect
SAML keys when a password was set during certificate generation.
Run the following command to check if this is your case::
lemonldap-ng-cli get samlServicePrivateKeySig
lemonldap-ng-cli get samlServicePrivateKeyEnc
If the output of either command starts with ``BEGIN ENCRYPTED PRIVATE KEY``,
then it probably means you generated your keys using the vulnerable manager
code.
In this case, you can convert your existing keys to a stronger encryption using
the following command ::
# Extract your existing keys. If samlServicePrivateKeyEnc is empty, you can
# skip it entirely
lemonldap-ng-cli get samlServicePrivateKeySig | \
sed 's/samlServicePrivateKeySig = //' > saml-sig.pem
lemonldap-ng-cli get samlServicePrivateKeyEnc | \
sed 's/samlServicePrivateKeyEnc = //' > saml-enc.pem
# Re-encrypt the private key, using the same passphrase
openssl pkey -in saml-sig.pem -aes256 -out saml-sig-aes.pem
openssl pkey -in saml-enc.pem -aes256 -out saml-enc-aes.pem
#Or, if you are using OpenSSL 3+
openssl pkey -provider legacy -provider default -in saml-sig.pem \
-aes256 -out saml-sig-aes.pem
openssl pkey -provider legacy -provider default -in saml-enc.pem \
-aes256 -out saml-enc-aes.pem
Then, simply reimport your keys ::
lemonldap-ng-cli set samlServicePrivateKeySig "$(cat saml-sig-aes.pem)"
lemonldap-ng-cli set samlServicePrivateKeyEnc "$(cat saml-enc-aes.pem)"
If is recommended to keep the same password as before, if not, adjust the
``samlServicePrivateKeySigPwd`` and ``samlServicePrivateKeyEncPwd`` variables as well.
This operation is transparent and does not require any change to your existing
SAML configuration or SAML applications
LemonLDAP::NG version is returned by the CheckState plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
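Review bot: "If is recommended to keep the same password as before, if not, adjust ..." should read "It is recommended to keep the same password as before; if you change it, adjust ...", and the closing sentence lacks a full stop. More importantly for a security changelog, the section says the old algorithm was weak but never names it or the replacement, so an administrator cannot judge exposure; state both (the ``-aes256`` flag already tells the reader what the new one is). "Run the following command to check" introduces two commands, so "commands" or "either of the following commands". Finally, the procedure leaves ``saml-sig.pem``, ``saml-enc.pem`` and the ``*-aes.pem`` copies in the working directory after ``lemonldap-ng-cli set``; add a last step removing them, since they hold the IdP signing key even if passphrase-protected.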
......
......@@ -29,6 +29,7 @@ sub defaultValues {
'captcha_size' => 6,
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'casTicketExpiration' => 0,
'certificateResetByMailCeaAttribute' => 'description',
'certificateResetByMailCertificateAttribute' =>
'userCertificate;binary',
......
......@@ -815,6 +815,10 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => 0,
'type' => 'bool'
},
'casTicketExpiration' => {
'default' => 0,
'type' => 'int'
},
'cda' => {
'default' => 0,
'type' => 'bool'
......
......@@ -2489,6 +2489,11 @@ sub attributes {
type => 'bool',
documentation => 'Disable host-based matching of CAS services',
},
casTicketExpiration => {
default => 0,
type => 'int',
documentation => 'Expiration time of Service and Proxy tickets',
},
issuerDBCASActivation => {
default => 0,
type => 'bool',
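Review bot: the ``documentation`` string "Expiration time of Service and Proxy tickets" gives neither the unit nor the meaning of the ``0`` default; "Lifetime of Service and Proxy tickets in seconds (0: session lifetime)" would match what the doc hunk explains and is what the Manager shows as a tooltip.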
......
......@@ -1393,6 +1393,7 @@ sub tree {
'casStorageOptions',
'casAttributes',
'casStrictMatching',
'casTicketExpiration',
]
},
......
......@@ -212,7 +212,10 @@ sub _generateX509 {
my $strCert = Net::SSLeay::PEM_get_string_X509($cert);
my $strPrivate;
if ($password) {
$strPrivate = Net::SSLeay::PEM_get_string_PrivateKey( $key, $password );
my $alg = Net::SSLeay::EVP_get_cipherbyname("AES-256-CBC")
|| Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-CBC");
$strPrivate =
Net::SSLeay::PEM_get_string_PrivateKey( $key, $password, $alg );
}
else {
$strPrivate = Net::SSLeay::PEM_get_string_PrivateKey($key);
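Review bot: the fallback in ``my $alg = ... || Net::SSLeay::EVP_get_cipherbyname("DES-EDE3-CBC");`` silently downgrades the cipher, and if both lookups return undef ``$alg`` is undef and the call reverts to the library default this change is meant to replace. Fail loudly here: ``die`` (or at least log a warning) when AES-256-CBC is unavailable, and when the 3DES fallback is taken, so that an operator knows the generated key is not protected as the changelog states.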
......
......@@ -44,10 +44,14 @@ sub tests {
# Check if portal URL is well formated
portalURL => sub {
my $url = $conf->{portal};
# Append or remove trailing slashes
$conf->{portal} =~ s%/*$%/%;
return (
1,
(
( $conf->{portal} =~ m%/$% )
( $url =~ m%/$% )
? ''
: "Portal URL should end with a /"
)
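Review bot: the check now mutates ``$conf->{portal}`` (``s%/*$%/%``) inside a validation test, which is a side effect a reader of ``sub tests`` would not expect; add a comment saying the tests run on the configuration before it is saved, otherwise the normalization is lost and the warning keeps firing on every save. The warning text "Portal URL should end with a /" is also now misleading because the value has already been fixed; "Portal URL has been normalized to end with a /" would describe what happened. Minor: "well formated" in the comment should be "well formatted".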
......
......@@ -167,6 +167,7 @@
"casStorage":"اسم وحدة جلسات كاس",
"casStorageOptions":" خيارات وحدة جلسات كاس",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"اسم الفئة",
"cda":"نطاقات متعددة",
"certificateMailContent":"محتوى البريد",
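Review bot: the new ``"casTicketExpiration":"Temporary ticket lifetime"`` entry is left in English in this Arabic locale file while the surrounding keys (``casStorage``, ``categoryName``, ``cda``) are translated; either translate it or mark it for the translators so the Manager does not show a mixed-language form.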
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"خدمة أل يو أر ل",
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
"zeroConfExplanations":"لا يحتوي الخادم على إعدادات. استخدام قالب لحفظ الأول"
}
\ No newline at end of file
}
......@@ -167,6 +167,7 @@
"casStorage":"CAS sessions module name",
"casStorageOptions":"CAS sessions module options",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"Category name",
"cda":"Mehrere Domains",
"certificateMailContent":"Mail content",
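Review bot: same point as in the other locale files: ``"casTicketExpiration":"Temporary ticket lifetime"`` is English in the German file whose neighbour ``"cda":"Mehrere Domains"`` is translated; add the German label or flag the key as untranslated.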
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"Service URL",
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
"zeroConfExplanations":"Server has no configuration. Use template to save the first."
}
\ No newline at end of file
}
......@@ -167,6 +167,7 @@
"casStorage":"CAS sessions module name",
"casStorageOptions":"CAS sessions module options",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"Category name",
"cda":"Multiple domains",
"certificateMailContent":"Mail content",
......
......@@ -167,6 +167,7 @@
"casStorage":"CAS sessions module name",
"casStorageOptions":"CAS sessions module options",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"Nombre de categoría",
"cda":"Dominios múltiples",
"certificateMailContent":"Contenido de correo",
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"Service URL",
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
"zeroConfExplanations":"Server has no configuration. Use template to save the first."
}
\ No newline at end of file
}
......@@ -167,6 +167,7 @@
"casStorage":"Nom du module des sessions CAS",
"casStorageOptions":"Options du module des sessions CAS",
"casStrictMatching":"Filtrage strict des URL",
"casTicketExpiration":"Expiration des tickets temporaires",
"categoryName":"Nom de la catégorie",
"cda":"Domaines multiples",
"certificateMailContent":"Contenu du mail",
......
......@@ -167,6 +167,7 @@
"casStorage":"Nome del modulo sessioni CAS",
"casStorageOptions":"Opzioni del modulo sessioni CAS",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"Nome della categoria",
"cda":"Domini multipli",
"certificateMailContent":"Contenuto della mail",
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"URL del servizio",
"yubikey2fUserCanRemoveKey":"Autorizza l'utente a rimuovere la Yubikey",
"zeroConfExplanations":"Il server non ha alcuna configurazione. Utilizza il modello per salvare il primo."
}
\ No newline at end of file
}
......@@ -167,6 +167,7 @@
"casStorage":"Nazwa modułu sesji CAS",
"casStorageOptions":"Opcje modułu sesji CAS",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"Nazwa Kategorii",
"cda":"Wiele domen",
"certificateMailContent":"Treść wiadomości",
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"URL usługi",
"yubikey2fUserCanRemoveKey":"Pozwól użytkownikowi usunąć Yubikey",
"zeroConfExplanations":"Serwer nie ma konfiguracji. Użyj szablonu, aby zapisać pierwszy."
}
\ No newline at end of file
}
......@@ -167,6 +167,7 @@
"casStorage":"CAS oturumları modül adı",
"casStorageOptions":"CAS oturumları modül seçenekleri",
"casStrictMatching":"Katı URL eşleşmesi kullan",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"Kategori ismi",
"cda":"Çoklu alan adları",
"certificateMailContent":"E-posta içeriği",
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"Servis URL'si",
"yubikey2fUserCanRemoveKey":"Yubikey'i kaldırmak için kullanıcıya izin ver",
"zeroConfExplanations":"Sunucunun yapılandırması yok. Şimdi bir tane kaydetmek için şablonu kullanın."
}
\ No newline at end of file
}
......@@ -167,6 +167,7 @@
"casStorage":"Tên mô-đun phiên CAS",
"casStorageOptions":"Các tùy chọn mô-đun phiên CAS",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"Tên thể loại",
"cda":"Nhiều tên miền",
"certificateMailContent":"Nội dung thư",
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"Dịch vụ URL",
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
"zeroConfExplanations":"Máy chủ không có cấu hình. Sử dụng mẫu để lưu đầu tiên. "
}
\ No newline at end of file
}
......@@ -167,6 +167,7 @@
"casStorage":"CAS 会话模块名称",
"casStorageOptions":"CAS 会话模块选项",
"casStrictMatching":"Use strict URL matching",
"casTicketExpiration":"Temporary ticket lifetime",
"categoryName":"分类名称",
"cda":"Multiple domains",
"certificateMailContent":"Mail content",
......@@ -1230,4 +1231,4 @@
"yubikey2fUrl":"Service URL",
"yubikey2fUserCanRemoveKey":"Allow user to remove Yubikey",
"zeroConfExplanations":"Server has no configuration. Use template to save the first."
}
\ No newline at end of file
}