# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2022-02-17T21:37:10Z)

## Issue #2703: OIDC RP menu attributes name do not refresh live
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2703 (updated 2022-02-17T21:37:10Z; author: Alexandre KARIM)
### Concerned version
Version: %2.0.13
Platform: Nginx
### Summary
OpenID Connect Relying Parties "Exported Attributes" menu items do not refresh live when editing, unlike in other attributes menus.
Attribute names are updated only after saving the configuration.
Expected behavior:
![1](/uploads/abd61443d4388e601c8b4a859075c33a/1.png)
What is actually happening:
![2](/uploads/b4e1f7c3d391df8599916c03cf0374a4/2.png)
Milestone: 2.0.14. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Issue #2693: "Status: Unknown command line -> " log line for each SKIP and EXPIRED accesses
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2693 (updated 2023-12-05T15:51:39Z; author: Jérémie Pierson)
### Concerned version
Version: %2.0.13
Platform: Nginx
### Summary
If the Status handler is enabled, then for each user access through a handler whose action was SKIP or EXPIRED, a line is logged to STDERR.
As an example, this morning on one of our production systems it amounted to 40,370 lines out of 43,294 total log lines of the LemonLDAP::NG handler service.
### Logs
Example log line:
```
Feb 03 18:04:15 llnghost1 llng-fastcgi-server[1234]: Status: Unknown command line -> 192.168.0.27 => webapp1.example.com/path/to/a/page SKIP
```
### Possible fixes
It seems that the Status handler has to know each and every possible handler action.
Every time an action is reached in `Lemonldap/NG/Handler/Main/Run.pm`, the code calls `$class->updateStatus($req, $action, ...)`, which appears to send a line of text to the Status handler via a pipe.
In the Status handler, this line is then handled according to its match against regular expressions. One of the regexp is `/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|\-?\d+)$/` (commented as "Activity collect"). It **does not** match status lines for SKIP or EXPIRED actions. Then the code falls into the catch-all case which logs unknown status lines to STDERR.
If I edit this regular expression to add the two missing actions, the spurious log lines disappear (and I see new entries in the status JSON :-) ).
Patch looks like this:
```diff
--- Lemonldap/NG/Handler/Lib/Status.pm.ori 2022-02-04 08:58:46.000000000 +0100
+++ Lemonldap/NG/Handler/Lib/Status.pm 2022-02-04 08:55:18.000000000 +0100
@@ -63,7 +63,7 @@
# Activity collect
if (
-/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|\-?\d+)$/
+/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|SKIP|EXPIRED|\-?\d+)$/
)
{
my ( $user, $uri, $code ) = ( $1, $2, $3 );
```
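Review bot: the `+/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|SKIP|EXPIRED|\-?\d+)$/` line keeps the list of handler actions hardcoded in Status.pm, so the next action that Run.pm passes to `updateStatus` will fall into the same catch-all and flood STDERR again, which the description itself anticipates ("There may be other actions ... also missing"). Either make both files read the alternatives from one shared list of handler actions, or accept a generic token such as `[A-Z]+` for the third capture group and let the counting code decide what to do with a code it does not know; either way a unit test that feeds a SKIP line and an EXPIRED line through the Status handler would pin the behaviour. Independently of which actions are recognised, a line that is emitted for every access should be logged at debug level rather than unconditionally to STDERR.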
There may be other actions which we do not see in our logs, but that are also missing from the regular expression...
Milestone: 2.0.14. Assignee: Yadd.
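The classification the report describes, as an added example that is not code from the lemonldap-ng project: the Perl "Activity collect" regular expression quoted above is re-implemented in Python, once as shipped and once with the patch applied, and run over a constructed set of status lines (shaped like the one in the log excerpt) to show which lines the catch-all would log to STDERR. The third pattern, which accepts any upper-case word as an action, is an assumption of this example (that every handler action is an upper-case word or an HTTP status code), not something the report proposes.

```python
"""Classify LemonLDAP::NG status-handler lines with and without the patch.

Added example, not code from the lemonldap-ng project: the Perl regular
expression quoted in the report is re-implemented in Python so the effect of
the missing SKIP/EXPIRED alternatives can be checked offline. The sample
lines are constructed to look like what updateStatus() writes to the pipe.
"""
import re
from collections import Counter

# "Activity collect" regexp as shipped in Lemonldap/NG/Handler/Lib/Status.pm
# (quoted in the report): SKIP and EXPIRED are not among the alternatives.
ACTIVITY_SHIPPED = re.compile(
    r"^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|-?\d+)$"
)

# Same regexp with the reporter's patch applied.
ACTIVITY_PATCHED = re.compile(
    r"^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|SKIP|EXPIRED|-?\d+)$"
)

# Assumption of this example (not in the report): every handler action is an
# upper-case word or an HTTP status code, so a generic token also survives
# actions added later.
ACTIVITY_GENERIC = re.compile(r"^(\S+)\s+=>\s+(\S+)\s+([A-Z]+|-?\d+)$")

# Constructed sample of status lines; the SKIP line mirrors the one in the
# report's log excerpt.
SAMPLE_LINES = [
    "dwho => webapp1.example.com/ OK",
    "192.168.0.27 => webapp1.example.com/path/to/a/page SKIP",
    "rtyler => webapp1.example.com/private REJECT",
    "dwho => webapp1.example.com/session EXPIRED",
    "192.168.0.27 => webapp1.example.com/logout LOGOUT",
    "dwho => webapp1.example.com/auth 302",
    "some unrelated text",
]


def collect_activity(lines, activity_re):
    """Mimic the Status handler's dispatch: matched lines are counted per
    code, anything else is what the catch-all logs as 'Unknown command line'."""
    per_code = Counter()
    unknown = []
    for line in lines:
        m = activity_re.match(line)
        if m:
            user, uri, code = m.groups()
            per_code[code] += 1
        else:
            unknown.append(line)
    return per_code, unknown


def unknown_ratio(lines, activity_re):
    """Fraction of lines that would be logged to STDERR by the catch-all."""
    _, unknown = collect_activity(lines, activity_re)
    return len(unknown) / len(lines)


if __name__ == "__main__":
    for name, rx in (("shipped", ACTIVITY_SHIPPED), ("patched", ACTIVITY_PATCHED),
                     ("generic", ACTIVITY_GENERIC)):
        counts, unknown = collect_activity(SAMPLE_LINES, rx)
        print(name, dict(counts), "unknown:", unknown)
```

With the shipped pattern the two SKIP/EXPIRED lines join the genuinely unrecognised line in the unknown bucket; with the patched or the generic pattern only the unrelated line remains there.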
## Issue #2691: Error when using has2f in a manager rule
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2691 (updated 2022-02-03T15:03:18Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
Platform: (Nginx/Apache/Node.js)
### Summary
Add a 2F triggering rule containing
```
has2f('TOTP')
```
as specified in doc
### Logs
When saving config:
```
totp2fActivation: Bad expression: Can't use string ("TOTP") as a HASH ref while "strict refs" in use at /usr/share/perl5/Lemonldap/NG/Common/Safelib.pm line 249, <FILE> line 2.
```
### Possible fixes
This comes from the perlExpr test failing to evaluate the rule because has2f exists in SafeLib with a different signature
Solution: rename the internal method, it's never used directly.
Milestone: 2.0.14. Assignee: Maxime Besson.

## Issue #2690: Second factor logo/label not used on registration screen
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2690 (updated 2022-07-07T12:16:51Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
### Summary
* Define a custom logo/label for your registrable 2FA
* It is correctly used on the login page
![image](/uploads/66c1ad3a54c721ccd1558ca961a03073/image.png)
* But it is not used on the registration page
![image](/uploads/bdf8f85e5931af22845f0a75c7cf6eb0/image.png)
### Possible fixes
This comes from the fact that 2F/Register/XXX.pm does not load xxx2fLogo / xxx2fLabel in init like 2F/XXX.pm does
Solution could be to create a 2F/Register/Base.pm class and add this behavior to it, and make all registrable 2Fs inherit from 2F::Register::Base instead of Portal::Plugin.
Milestone: 2.0.15. Assignee: Clément OUDOT.

## Issue #2689: REST server: 400 bad request with DELETE /session/my
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2689 (updated 2022-02-01T15:20:33Z; author: Christophe Maudoux (chrmdx@gmail.com))
### Concerned version
Version: %2.0.X
Platform: All
### Summary
Try to delete current session. '400 Bad request' is returned by Portal.
### Logs
```
(DevOps-redirection *=)$ curl -H "Accept: application/json" -d user=dwho -d password=dwho http://auth.example.com:19876
{"result":1,"id":"2ed46599ec9c351007c76404a5c292569146f58cbbc7eb4d20059ff77ee99ed6","error":"0"}
curl -H "Accept: application/json" -H "cookie: lemonldap=2ed46599ec9c351007c76404a5c292569146f58cbbc7eb4d20059ff77ee99ed6" http://auth.example.com:19876/session/my/global
{"_session_kind":"SSO","_utime":1643205886,"groups":"timelords; users","authenticationLevel":1,"_session_id":"2ed46599ec9c351007c76404a5c292569146f58cbbc7eb4d20059ff77ee99ed6","_startTime":"20220126150446","UA":"curl/7.68.0","_lastSeen":null,"ipAddr":"127.0.0.1","_whatToTrace":"dwho"}
curl -X DELETE -H "Accept: application/json" -H "cookie: lemonldap=2ed46599ec9c351007c76404a5c292569146f58cbbc7eb4d20059ff77ee99ed6" http://auth.example.com:19876/session/my
{"error":"Bad request"}
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Start routing session
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Request to get exported attributes -> Keys: groups, _utime, _session_kind, _session_id, _startTime, authenticationLevel, _lastSeen, UA, _whatToTrace, ipAddr
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Get session 2ed46599ec9c351007c76404a5c292569146f58cbbc7eb4d20059ff77ee99ed6 from Common::Session::REST
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Apply following CORS policy :
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Access-Control-Allow-Origin
Jan 26 15:05:19 localhost LLNG[12052]: [debug] *
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Access-Control-Allow-Credentials
Jan 26 15:05:19 localhost LLNG[12052]: [debug] true
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Access-Control-Allow-Headers
Jan 26 15:05:19 localhost LLNG[12052]: [debug] *
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Access-Control-Allow-Methods
Jan 26 15:05:19 localhost LLNG[12052]: [debug] POST,GET
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Access-Control-Expose-Headers
Jan 26 15:05:19 localhost LLNG[12052]: [debug] *
Jan 26 15:05:19 localhost LLNG[12052]: [debug] Access-Control-Max-Age
Jan 26 15:05:19 localhost LLNG[12052]: [debug] 86400
Jan 26 15:05:53 localhost LLNG[12053]: [debug] Start routing session
Jan 26 15:05:53 localhost LLNG[12053]: [debug] Returned userId: dwho
Jan 26 15:05:53 localhost LLNG[12053]: [debug] [warn] [dwho] Bad request
Jan 26 15:05:53 localhost LLNG[12053]: [notice] Error 400: Bad request
Jan 26 15:05:53 localhost LLNG[12053]: [debug] Apply following CORS policy :
Jan 26 15:05:53 localhost LLNG[12053]: [debug] Access-Control-Allow-Origin
Jan 26 15:05:53 localhost LLNG[12053]: [debug] *
```
### Backends used
Demo
Milestone: 2.0.14. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Issue #2682: Fails to create password-protected X509 certificates with OpenSSL 3.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2682 (updated 2022-01-14T15:58:24Z; author: Simon Chopin)
Hi,
In the course of transitioning to OpenSSL 3.0 in Ubuntu, we've noticed that the lemonldap-ng test suite fails on the rest-api-RSA testcase, more specifically when trying the `newCertificate` REST endpoint with a password.
I tracked down the issue to https://github.com/radiator-software/p5-net-ssleay/issues/272
The possible resolutions are thus either to use a supported cipher, or to explicitly load the legacy provider on application start (along with the default provider, as explicitly loading a provider removes the default one).
You can see an example of the new provider API used to solve this problem in this commit (in the test suite): https://github.com/radiator-software/p5-net-ssleay/commit/d0616e8d76d0328fd74af921eac2e586e06ab575
Milestone: 2.0.14. Assignee: Maxime Besson.

## Issue #2678: Auth::Custom getDisplayType is broken with choice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2678 (updated 2022-01-20T14:13:07Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
### Summary
* Configure a choice with Name = MyChoice, Auth=Null
* Create MyChoice.png logo in static/common/
* Logo is correctly displayed
* Edit MyChoice with Auth=Custom and customAuth=Null
* a form is displayed instead
### Logs
getDisplayType in Auth::Custom tries to detect the logo, I'm not sure why. It should delegate this to the underlying module (or Choice) instead.
```perl
sub getDisplayType {
    # Warning : $self passed here is the Portal itself
    my ($self) = @_;
    my $logo = ( $self->{conf}->{customAuth} =~ /::(\w+)$/ )[0];
    if ( -e $self->{conf}->{templateDir}
        . "/../htdocs/static/common/modules/"
        . $logo
        . ".png" )
    {
        $self->logger->debug("CustomAuth $logo.png found");
        return "logo";
    }
    return "standardform";
}
```
### Possible fixes
* Remove getDisplayType in Auth::Custom (why is it needed??)
* Rework Lib/Choice.pm:
```perl
my $displayType = eval {
    "Lemonldap::NG::Portal::Auth::${auth}"
      ->can('getDisplayType')->( $self, $req );
} || 'logo';
```
to call the loaded module instance's getDisplayType instead.
Milestone: 2.0.14. Assignee: Maxime Besson.

## Issue #2677: *::Custom do not allow config overrides
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2677 (updated 2022-01-20T14:13:06Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
### Summary
* Configure Auth Choice with
  * Choice 1: Custom Auth, Custom UserDB
  * Choice 2: Custom Auth, Custom UserDB, override nullAuthnLevel = 5
* set customAuth = customUserDB = Null
* set global nullAuthnLevel to 0
* Login with choice 2
* authenticationLevel is 0
### Possible fixes
Transmit the config from received $self to the concrete module constructor
Custom probably needs to be overhauled, see #2676 and #2675.
Milestone: 2.0.14. Assignee: Maxime Besson.

## Issue #2676: UserDB::Custom and Password::Custom loads module twice and calls init three times
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2676 (updated 2022-01-20T14:13:05Z; author: Maxime Besson)
Same issue as #2675 except that UserDB::Custom calls moduleLoad twice:
```perl
eval $self->{p}->loadModule( $self->{conf}->{customUserDB} );    # init called here
($@)
  ? return $self->{p}->loadModule( $self->{conf}->{customUserDB} )    # init called here
  : die 'Unable to load UserDB module ' . $self->{conf}->{customUserDB};
# init called after returning by outer loadModule
```
Also affects Password::Custom.
Milestone: 2.0.14. Assignee: Maxime Besson.

## Issue #2675: Auth::Custom calls module init twice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2675 (updated 2022-01-20T14:13:03Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
### Summary
* Set authentication to Custom
* Set customAuth to "::Auth::OpenIDConnect"
### Logs
```
[info] Loading configuration 29 for process 91818
[warn] Route "flogout" redefined
[warn] Route "flogout" redefined
[warn] Route "blogout" redefined
[warn] Route "blogout" redefined
[warn] Route "flogout" redefined
[warn] Route "flogout" redefined
[warn] Route "blogout" redefined
[warn] Route "blogout" redefined
[info] No cookie found
```
Reason is:
* loadModule(Auth::Custom) calls Auth::Custom->new during portal init
* Auth::Custom->new calls loadModule(Auth::OpenIDConnect)
* loadModule(Auth::OpenIDConnect) calls Auth::OpenIDConnect->new
* Auth::OpenIDConnect->new returns Auth::OpenIDConnect instance
* loadModule(Auth::OpenIDConnect) calls **init on Auth::OpenIDConnect instance**
* Auth::Custom->new returns a new Auth::OpenIDConnect instance
* loadModule(Auth::Custom) calls init on the received Auth::OpenIDConnect instance
* At this step, **Auth::OpenIDConnect->init is called for the second time.**
### Possible fixes
Perhaps Auth::Custom should not call loadModule, but manually load the Perl module and instantiate it?
I'm not sure what the implications are, any ideas @guimard?
Milestone: 2.0.14. Assignee: Maxime Besson.
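The loadModule/new/init sequence described in this issue and in #2676 above, as an added example that is not lemonldap-ng code: a small Python model of the Perl protocol the two reports describe, with a stub standing in for Auth::OpenIDConnect whose init() registers the routes named in the log, so that the number of init() calls and the resulting "Route ... redefined" warnings can be counted. The shape of the fix at the end is the one this report suggests (instantiate the wrapped module without going through loadModule); the class and function names are this example's own.

```python
"""Model of how Auth::Custom reaches init() twice (#2675) and how
UserDB::Custom / Password::Custom reach it three times (#2676).

Added example, not lemonldap-ng code: a Python model of the Perl
loadModule() -> new() -> init() sequence described in the two reports, with
a stub standing in for Auth::OpenIDConnect. Route names and warning text
follow the report's log; the fix shown is the one the report suggests.
"""


class Portal:
    """Stand-in for the portal object that owns loadModule()."""

    def __init__(self):
        self.init_total = 0   # every init() call on any module instance
        self.warnings = []    # what the route registration would log

    def load_module(self, new):
        # loadModule: call the module's new(), then init() on whatever
        # new() returned, even if that object was initialised already.
        obj = new(self)
        obj.init()
        return obj


class OpenIDConnect:
    """Stub for Auth::OpenIDConnect: init() registers routes, and
    registering a route twice is what yields 'Route ... redefined'."""

    def __init__(self, portal):
        self.p = portal
        self.routes = set()

    def init(self):
        self.p.init_total += 1
        for route in ("flogout", "blogout"):
            if route in self.routes:
                self.p.warnings.append('[warn] Route "%s" redefined' % route)
            self.routes.add(route)
        return True


def auth_custom_new(portal):
    """Auth::Custom->new as reported (#2675): delegates to loadModule (new +
    init) and hands the already-initialised inner instance back to the outer
    loadModule, which calls init() on it a second time."""
    return portal.load_module(OpenIDConnect)


def userdb_custom_new(portal):
    """UserDB::Custom->new as reported (#2676): loadModule runs once and its
    result is dropped, loadModule runs again, and the outer loadModule
    initialises the returned instance once more (three init() calls)."""
    portal.load_module(OpenIDConnect)          # init call 1, instance dropped
    return portal.load_module(OpenIDConnect)   # init call 2; call 3 is outer


def custom_new_fixed(portal):
    """Shape of the suggested fix: build the wrapped instance directly so the
    outer loadModule is the only caller of init()."""
    return OpenIDConnect(portal)


def boot(custom_new):
    """Simulate portal start-up: loadModule(Custom) with the given new()."""
    portal = Portal()
    module = portal.load_module(custom_new)
    return portal, module


if __name__ == "__main__":
    for new in (auth_custom_new, userdb_custom_new, custom_new_fixed):
        portal, _ = boot(new)
        print(new.__name__, "init calls:", portal.init_total, portal.warnings)
```

The model reproduces the two counts the reports give (two init() calls for Auth::Custom, three for UserDB::Custom) and shows that the duplicated warnings come from the second init() on the same instance; building the instance directly brings the count back to one.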
## Issue #2671: xss attack detected on a relayState parameter
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2671 (updated 2021-12-23T11:56:24Z; author: alexandre souppart)
### Concerned version
Version: 1.9.20
Platform: Apache
### Summary
When sending requests for SAML authentication, the response received by the service provider does not contain the relayState field. A warning "XSS attack" is in the logs.
If I turn off protection against XSS attacks, there is a relayState field in the response, but it doesn't contain the same value as in the request.
### Logs
The configuration 'XSS attack protection' is set to off.
```
[perl:warn] [pid 308] XSS attack detected (param: RelayState | value: {"d": "toto", "p": 1, "r": "https%3A%2F%2Furl-toto.de-destination.com%2Fweb"})
[perl:debug] [pid 308] Lemonldap::NG::Portal::SharedConf: Store {"d": "toto", "p": 1, "r": "https%3A%2F%2Furl-toto.de-destination.com%2Fweb"} in hidden key RelayState
```
Milestone: 2.0.14. Assignee: Maxime Besson.

## Issue #2663: Radius authentication fails when radius used as authentication module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2663 (updated 2022-01-03T07:58:02Z; author: Christophe Segui)
### Concerned version
Version: %X.X.X
Platform: Nginx
### Summary
Configuration setup:
* Authentication Module: Radius
* User Module: LDAP
* Password Module: LDAP
### Logs
```
2021/11/09 09:30:51 [error] 13192#0: *970 FastCGI sent in stderr: "Can't call method "setToken" on an undefined value at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Auth/_WebForm.pm line 181, <DATA> line 755" while reading response header from upstream, client: <ip_address>, server: <portal_name>, request: "GET /?url=aHR0cDovL21hbmFnZXIubWV0ZW8uZnIv HTTP/1.1", upstream: "fastcgi://unix:/run/llng-fastcgi-server/llng-fastcgi.sock:", host: "<portal_name>"
```
### Backends used
local storage
### Possible fixes
Modify the init method in Auth/Radius.pm:
```perl
sub init {
    my $self = shift;
    unless ( $self->initRadius ) {
        $self->error('Radius connect failed');
    }
    return $self->Lemonldap::NG::Portal::Auth::_WebForm::init;
}
```
Milestone: 2.0.14. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Issue #2660: Combination is not compatible with LDAP password policies
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2660 (updated 2022-02-03T10:50:24Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
### Summary
* Configure Combination (Kerberos+LDAP, or multiple LDAP, or even just [LDAP])
* Force a password reset through password policy
* Instead of displaying the password change on login, authentication fails
### Logs
```
[debug] Processing authenticate
[debug] Call bind for CN=testuser,XXX
[warn] Bad password for montest
[debug] Prepare token
[notice] Combination (Lemonldap::NG::Portal::Auth::AD): [AD] Password reset. User must change his password
[debug] Prepare token
[info] Scheme "AD1" returned 25, trying next
[debug] -> authResult = 0
[debug] Processing extractFormInfo
[debug] Processing getUser
[notice] Combination (Lemonldap::NG::Portal::Lib::LDAP): montest was not found in LDAP directory
[debug] Prepare token
[warn] All schemes failed for user montest
[debug] [warn] All schemes failed for user montest
[debug] Returned error: 5 (PE_BADCREDENTIALS)
[debug] Returned userId: anonymous
[debug] Display type standardform
[debug] Skin returned: login
```
Authentication flow is restarted because 25 (PE_PP_CHANGE_AFTER_RESET ) is considered as an error
### Possible fixes
This quick fix in Auth::Combination.pm seems to work somewhat fine:
```perl
# On error, restart authentication with next scheme
if (    $res > PE_OK
    and $res != PE_PP_CHANGE_AFTER_RESET
    and $res != PE_PP_PASSWORD_EXPIRED
    and $res != PE_PASSWORD_OK
    and $res != PE_PP_ACCOUNT_LOCKED )
{
```
Unit test: [21-Auth-LDAP-Policy-Combination.t](/uploads/44db2e11bebc7a2e811f57bf5ce22768/21-Auth-LDAP-Policy-Combination.t)
But it raises some questions: are there cases in which an account that is locked or expired in one directory is supposed to be successfully authenticated in another directory (locked in AD1, ok in AD2)?
This is a regression: the Multi backend in 1.9 used a "stop" method to decide which answers were authoritative (stop combination) or not (fallback to next backend).
@clement_oudot @guimard not sure what the right approach is.
Milestone: 2.0.14. Assignee: Yadd.

## Issue #2658: Macros based on '_XXX' and authenticationLevel attributes are not computed by refresh function
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2658 (updated 2022-01-10T21:10:17Z; author: Christophe Maudoux (chrmdx@gmail.com))
### Concerned version
Version: %2.0.X
Platform: All
### Summary
We got a macro like this: `$authMode => $_auth eq 'LDAP' ? 'Pwd' : $_auth eq 'SSL' ? 'Card' : $_auth eq 'SAML' ? 'By-federation' : $_auth`
During the authentication process, everything is computed correctly.
After a 'Refresh my rights' request, $authMode is empty...
### Possible fixes
Sub for restoring _XXX attributes should be done after 'setSessionInfo' step.
Milestone: 2.0.14. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Issue #2656: CAS: multiple proxies is not correctly implemented
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2656 (updated 2022-01-14T16:22:13Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
### Summary
* Login to CAS service http://casapp.com/
* Get a PGT for http://casapp.com/proxy
* Using this PGT get a proxy ticket for http://service.com/srv
* On service.com, using this PT, get a PGT for http://service.com/proxy
* Using this new PGT, get a proxy ticket for http://service2.com/srv
* Validate PT on http://service2.com/srv
### Logs
Expected result:
```
# <cas:proxies>
# <cas:proxy>http://service.com/proxy</cas:proxy>
# <cas:proxy>http://casapp.com/proxy</cas:proxy>
# </cas:proxies>
```
Actual result:
```
# <cas:proxies>
# <cas:proxy>http://casapp.com/proxy; http://service.com/proxy</cas:proxy>
# </cas:proxies>
```
Lucky for us, no one uses this feature :)
Milestone: 2.0.14. Assignee: Maxime Besson.
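The `<cas:proxies>` block from the expected and actual results above, as an added example that is not lemonldap-ng code: a proxyValidate success response is built in the per-element form the CAS protocol expects (one `<cas:proxy>` per proxy, most recent first) and in the joined form the report observed, then read back the way a CAS client would before comparing the chain against its list of allowed proxies. Hostnames are the report's placeholders; the user name and the client-side check are this example's own.

```python
"""Serialising a CAS proxy chain as the protocol expects (#2656).

Added example, not lemonldap-ng code. A CAS proxyValidate response lists
each proxy callback URL in its own <cas:proxy> element, most recent proxy
first. The response is built here both in the joined form the report
observed and in the per-element form it expects, then read back the way a
CAS client library would. Hostnames are the report's placeholders.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"
ET.register_namespace("cas", CAS_NS)


def q(local):
    """Clark notation ({namespace}local) used by ElementTree for tags."""
    return "{%s}%s" % (CAS_NS, local)


def proxy_validate_success(user, chain, per_element=True):
    """Build <cas:serviceResponse> for a successful proxyValidate.
    chain: proxy callback URLs, most recent first. With per_element=False
    the chain is flattened into one element, reproducing the reported output."""
    resp = ET.Element(q("serviceResponse"))
    ok = ET.SubElement(resp, q("authenticationSuccess"))
    ET.SubElement(ok, q("user")).text = user
    if chain:
        proxies = ET.SubElement(ok, q("proxies"))
        if per_element:
            for url in chain:
                ET.SubElement(proxies, q("proxy")).text = url
        else:
            # Output shown in the report: oldest proxy first, joined with "; "
            ET.SubElement(proxies, q("proxy")).text = "; ".join(reversed(chain))
    return ET.tostring(resp, encoding="unicode")


def read_proxy_chain(xml_text):
    """Client side: the proxies a CAS client would check against its
    allowed-proxy list, in document order (most recent first)."""
    root = ET.fromstring(xml_text)
    return [p.text for p in root.iter(q("proxy"))]


def chain_is_trusted(xml_text, allowed):
    """A client accepts the proxy ticket only if every proxy in the chain is
    in its allowed set; a joined string never equals a real callback URL."""
    chain = read_proxy_chain(xml_text)
    return all(url in allowed for url in chain)


if __name__ == "__main__":
    chain = ["http://service.com/proxy", "http://casapp.com/proxy"]
    print(proxy_validate_success("dwho", chain))
    print(proxy_validate_success("dwho", chain, per_element=False))
```

Read back through the client-side parser, the per-element form yields the two URLs in order, while the joined form yields a single string that no allow-list entry can match, which is how a client would reject an otherwise valid proxy ticket.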
## Issue #2655: 'afterData' plugins loaded after Impersonation will be never executed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2655 (updated 2021-11-11T08:54:31Z; author: Christophe Maudoux (chrmdx@gmail.com))
### Concerned version
Version: %2.0.4
Platform: All
### Summary
The Impersonation plugin overwrites $req->step and pops the afterData entry point to compute spoofed sessions.
So all plugins using the 'afterData' EP, especially Custom plugins loaded after Impersonation, will never be launched.
### Possible fixes
Impersonation must be the last loaded plugin.
Milestone: 2.0.14. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Issue #2650: Empty SCRIPT_NAME breaks the portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2650 (updated 2022-08-12T07:29:35Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
Platform: Apache + mod_proxy_uwsgi
### Summary
I'm trying to run the portal behind Apache + mod_proxy_uwsgi
With the following simple config:
```
ProxyPass /static !
ProxyPass / uwsgi://localhost:5000/
```
Apache sets SCRIPT_NAME to an empty value. The LLNG code (sendJs, sendHtml) tends to replace it with '.':
```perl
my $sc = $req->script_name;
$sc = '.' unless ($sc);
$sc =~ s#/*$#/#;
```
Which works in GET /, but not in GET /oauth2/authorize, GET /saml/singleSignOn, etc. In those cases ./psgi.js is loaded at /oauth2/psgi.js, /saml/psgi.js etc.
@guimard do you remember why you set `.` as the value when $req->script_name is empty?
According to the PSGI spec, SCRIPT_NAME "may be an empty string if the application corresponds to the server's root URI."
So in that case, we should load `/psgi.js` (absolute URL) and not `./psgi.js`, right? Was there another use case where `.` was needed?
Milestone: 2.0.15. Assignee: Maxime Besson.
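The path resolution this issue reasons about, as an added example that is not lemonldap-ng code: the three Perl lines quoted above are mirrored in Python, next to the variant that maps an empty SCRIPT_NAME to `/` as the issue proposes, and the resulting `src` is resolved against the portal pages named in the report the way a browser would. The hostname, the `/auth` mount point and the helper names are this example's own.

```python
"""Where "./psgi.js" ends up when SCRIPT_NAME is empty (#2650).

Added example, not lemonldap-ng code: the three Perl lines quoted in the
report are mirrored in Python and the resulting relative URL is resolved
against a few portal paths, next to the absolute form the report proposes.
Hostname and the /auth mount point are illustrative.
"""
import re
from urllib.parse import urljoin


def static_base_reported(script_name):
    """As in sendJs/sendHtml per the report: an empty SCRIPT_NAME becomes '.',
    then a single trailing '/' is enforced (Perl: s#/*$#/#, first match only)."""
    sc = script_name or "."
    return re.sub(r"/*$", "/", sc, count=1)


def static_base_proposed(script_name):
    """Empty SCRIPT_NAME means the application is mounted at the server root
    (PSGI allows the empty string there), so the base is '/'."""
    sc = script_name or "/"
    return re.sub(r"/*$", "/", sc, count=1)


def resolve_asset(page_url, base, asset="psgi.js"):
    """URL the browser fetches for <script src="base + asset"> on page_url."""
    return urljoin(page_url, base + asset)


PORTAL = "http://auth.example.com"
# Portal pages from the report: the root works, the others break.
PAGES = ["/", "/oauth2/authorize", "/saml/singleSignOn"]


def asset_urls(base_fn, script_name):
    """Resolved psgi.js URL for every page, for a given base computation."""
    return [resolve_asset(PORTAL + p, base_fn(script_name)) for p in PAGES]


if __name__ == "__main__":
    print("reported, SCRIPT_NAME empty:", asset_urls(static_base_reported, ""))
    print("proposed, SCRIPT_NAME empty:", asset_urls(static_base_proposed, ""))
    print("proposed, mounted at /auth: ", asset_urls(static_base_proposed, "/auth"))
```

With the reported logic and an empty SCRIPT_NAME the relative `./psgi.js` resolves to `/oauth2/psgi.js` and `/saml/psgi.js` on the two non-root pages; with `/` as the base every page fetches `/psgi.js`, and a non-empty SCRIPT_NAME such as `/auth` still yields `/auth/psgi.js` under both variants.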
## Issue #2648: "Authentication module succeed but has not set $req->user" when using SAML Artifact mode with some, but not all IDPs
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2648 (updated 2021-10-29T09:26:19Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
### Summary
* Configure samltest.id as an IDP
* Try to login => Error
### Logs
```
[debug] This module do not manage SSO request, see IssuerDBSAML
[error] Authentication module succeed but has not set $req->user
```
### Possible fixes
This is caused by the following code:
```perl
# Request or response ?
if ( $message =~ /samlp:response/i ) {
    $response = $message;
}
```
which only works if the XML document uses the expected namespace
We should find a more robust way to check the type of an artifact response. Or refactor checkMessage so that it won't try to detect the type, which should be known in advance from context.
Milestone: 2.0.14. Assignee: Maxime Besson.
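The prefix-dependent check this issue identifies, as an added example that is not lemonldap-ng code (the project does this in Perl on top of Lasso): the quoted `/samlp:response/i` test and a namespace-aware alternative are run over constructed SAML messages that carry the same Response under the conventional `samlp` prefix, under a default namespace and under another prefix, plus an ArtifactResponse wrapping a Response. Message IDs, the element-to-kind table and the unwrapping of the ArtifactResponse are this example's own.

```python
"""Detect a SAML message's type by namespace, not by prefix (#2648).

Added example, not lemonldap-ng code (the project does this in Perl with
Lasso). The check quoted in the report, `$message =~ /samlp:response/i`,
only recognises a Response when the sender used the conventional `samlp`
prefix. Below, that prefix check and a namespace-aware check are run over
constructed messages; IDs and the ArtifactResponse wrapper are illustrative.
"""
import re
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def q(local):
    """Clark notation ({namespace}local) used by ElementTree for tags."""
    return "{%s}%s" % (SAMLP_NS, local)


# Protocol root elements and the kind a checkMessage()-style caller needs.
KINDS = {
    "Response": "response",
    "LogoutResponse": "response",
    "AuthnRequest": "request",
    "LogoutRequest": "request",
}


def is_response_by_prefix(message):
    """The fragile check from the report: substring match on 'samlp:response'."""
    return re.search(r"samlp:response", message, re.IGNORECASE) is not None


def message_kind(message):
    """Return 'response', 'request' or 'unknown' from the qualified name of
    the protocol element, whatever prefix (or default namespace) was used.
    An ArtifactResponse is unwrapped to the protocol message it carries."""
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return "unknown"
    if root.tag == q("ArtifactResponse"):
        # Artifact binding: the real message is the protocol-namespace child
        # that is not the mandatory <Status> element.
        inner = [c for c in root
                 if c.tag.startswith("{%s}" % SAMLP_NS) and c.tag != q("Status")]
        if not inner:
            return "unknown"
        root = inner[0]
    if not root.tag.startswith("{%s}" % SAMLP_NS):
        return "unknown"
    return KINDS.get(root.tag.split("}", 1)[1], "unknown")


# Constructed messages: the same Response in three prefix styles, a request,
# and an artifact response wrapping a Response.
CONVENTIONAL = '<samlp:Response xmlns:samlp="%s" ID="_r1" Version="2.0"/>' % SAMLP_NS
DEFAULT_NS = '<Response xmlns="%s" ID="_r2" Version="2.0"/>' % SAMLP_NS
OTHER_PREFIX = '<saml2p:Response xmlns:saml2p="%s" ID="_r3" Version="2.0"/>' % SAMLP_NS
REQUEST = '<samlp:AuthnRequest xmlns:samlp="%s" ID="_q1" Version="2.0"/>' % SAMLP_NS
ARTIFACT = (
    '<samlp:ArtifactResponse xmlns:samlp="%s" ID="_a1" Version="2.0">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<samlp:Response ID="_r4" Version="2.0"/>'
    '</samlp:ArtifactResponse>' % SAMLP_NS
)

if __name__ == "__main__":
    for name, msg in (("conventional", CONVENTIONAL), ("default ns", DEFAULT_NS),
                      ("other prefix", OTHER_PREFIX), ("request", REQUEST),
                      ("artifact", ARTIFACT)):
        print(name, "prefix:", is_response_by_prefix(msg), "ns:", message_kind(msg))
```

The prefix check recognises only the first message as a response, which matches the report's observation that artifact mode works with some IdPs and not others; the namespace-aware check classifies all three Response variants alike and still distinguishes a request.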
## Issue #2645: importMetadata does not set NameIDFormat to "persistent" for new providers
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2645 (updated 2021-10-21T12:44:18Z; author: Maxime Besson)
### Concerned version
Version: 2.0.13
Platform: (Nginx/Apache/Node.js)
### Summary
* Import renater metadata into default config
```
/usr/share/lemonldap-ng/bin/importMetadata -m https://metadata.federation.renater.fr/renater/main/main-all-renater-metadata.xml -r -v -i 'idp-renater-' -s 'sp-renater-'
```
* services that use eduPersonTargetedID are not set with persistent NameIDFormat
* Update metadata with same command
* NameIDFormat is correctly set
Milestone: 2.0.14. Assignee: Maxime Besson.

## Issue #2641: Unable to remove value for casAppMetaDataOptionsAuthnLevel
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2641 (updated 2023-07-24T09:48:48Z; author: Clément OUDOT)
In Manager, no change is detected if we try to remove the value set in authentication level in a CAS application.
Maybe other parameters also have this issue.
Milestone: 2.17.0. Assignee: Yadd.