lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2023-09-08T02:07:47Z

managerPassword is incorrectly decoded when using Conf::LDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3002
2023-09-08T02:07:47Z
Maxime Besson

### Affected version
Version: 2.17.0
Platform: (Nginx/Apache/Node.js)
### Summary
* Configure LDAP as a conf backend and an auth backend
* set managerPassword=é
Password is incorrectly encoded when sent to LDAP server
related to #2748
Maxime Besson

Bad parameter name : don't set oidcRPMetaDataOptionsRefreshToken when you want to use refresh_token
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2989
2023-08-25T12:37:47Z
Yadd

Here is the strange code:
```perl
elsif ( $self->rpOptions->{$rp}->{oidcRPMetaDataOptionsRefreshToken} ) {
    my $refreshTokenSession = $self->newRefreshToken(
        $rp,
        {
            redirect_uri    => $codeSession->data->{redirect_uri},
            scope           => $scope,
            client_id       => $client_id,
            user_session_id => $codeSession->data->{user_session_id},
            grant_type      => "authorizationcode",
        },
        0,
    );
```
The "0" disables the use of `oidcServiceOfflineSessionExpiration` _(or `oidcRPMetaDataOptionsOfflineSessionExpiration`)_ so `refresh_token` timeout is set to `$conf->{timeout}`.
@maxbes, @clement_oudot: is it normal or a bug ?
FAQ

Delete sessions of a user through Rest API
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2986
2023-08-18T09:01:59Z
Kanthanathan S

We need to understand if there is a way to terminate all the sessions of a given user through Rest API/SOAP API.
We have an ldap at the backend and we have a self service portal that allows users to change their passwords. As part of our compliance, once the password is changed/reset all user sessions need to be invalidated. We are trying to achieve this with API integration.
Please advise.

perl-lasso package
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2981
2023-08-17T00:26:27Z
Shane Treweek

Just wondering: I have installed lemonldap-ng on Nethserver (CentOS 7) running on Raspberry Pi. I only need the perl-lasso package. I had access to one in the past that was compiled for arm32, but I no longer have access to the repo for it. Could you suggest anything? (Basically I just had to reinstall everything and my backup HDD was corrupted.) If I had access to the .src.rpm I could compile it.
FAQ

lemonldap-ng-cli delKey locationRules failed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2977
2023-12-25T17:55:55Z
Yadd

From [GitHub #2](https://github.com/LemonLDAPNG/lemonldap-ng/issues/2)
> The `simpleHashKeys` rule does not contain `locationRules`.
>
> https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Cli.pm#L261
>
```
$ /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey locationRules manager.example.com
[Tue Jul 25 00:58:49 2023] [LLNG:320838] [info] Loading configuration 29 for process 320838
[Tue Jul 25 00:58:49 2023] [LLNG:320838] [info] CLI: Retrieve last conf.
[Tue Jul 25 00:58:49 2023] [LLNG:320838] [info] REST request to get configuration metadata (29)
locationRules is not a simple hash. Aborting at /usr/share/perl5/Lemonldap/NG/Manager/Cli.pm line 262.
```

migration u2f to webauthn => keys are no longer recognized
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2930
2023-05-19T07:42:10Z
Didier Testelin

Version: lemonldap 2.16.2
https://hub.docker.com/r/coudot/lemonldap-ng/
I migrated u2f keys to webauthn.
The keys are no longer recognized.
Tests carried out:
1st trial
- webauthn configuration and U2F deactivation
- deletion of all sessions
- registration with username/password + double authentication Webauthn
- identification with username/password + Webauthn double authentication
=> no problem. Webauth works.
2nd test
- webauthn configuration and U2F deactivation
- restoration of old sessions under U2F
- launch of `lemonldap-ng-sessions secondfactors migrateu2f --all`
- identification with username/password + Webauthn double authentication
=> error message stating that the key is not familiar. It is therefore not recognized.
Did I forget something for the migration?
THANKS.
FAQ

Redirection loop on portal with oidc
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2927
2023-05-17T07:04:59Z
J-B V

### Concerned version
Version: 2.16.2
Platform: (Nginx)
### Summary
I'm trying to upgrade from lemonldap 2.0.13-2 to lemonldap 2.16.2 with the same configuration.
Everything is working fine except one of our OIDC clients: after auth, the web browser is going into a redirect loop on the portal instead of going to the redirect uri. The web browser displays the "Redirection in progress" message and keeps reloading the page.
The other OIDC client or CAS client are ok.
jsRedirect is set to 0.
There is no error in the browser console and the issue is the same with firefox v102 or Chrome v113.
The OS is a debian 10.13 for lemon 2.0.13-2 and a debian 12.0 for lemon 2.16.2
The issue was the same with version 2.16.1 last week.
The log with version 2.16.2 (redirect loop) shows:
```
May 12 12:23:10 lemon2 LLNG[131]: [debug] Returned status: -2 (PE_REDIRECT)
May 12 12:23:10 lemon2 LLNG[131]: [debug] Skin returned: redirect
May 12 12:23:10 lemon2 LLNG[131]: [debug] Calling sendHtml with template redirect
```
With version 2.0.13-2 (ok, no loop) we have:
```
May 12 12:29:13 lemon LLNG[329]: [debug] Redirect user to https://biblio.toutapprendre.com/ws/authLyon.aspx?code=0291198
May 12 12:29:13 lemon LLNG[329]: [debug] Returned status: -2 (PE_REDIRECT)
May 12 12:29:13 lemon LLNG[329]: [debug] Calling autoredirect
```
Detailed logs of the two versions are below.
### Logs
#### Logs with version 2.16.2:
```
May 12 12:23:10 lemon2 LLNG[131]: [debug] OIDC request parameter client_id: mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF
May 12 12:23:10 lemon2 LLNG[131]: [debug] Store mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF in hidden key client_id
May 12 12:23:10 lemon2 LLNG[131]: [debug] OIDC request parameter state: b0da98665f354e8390831b792a29a492
May 12 12:23:10 lemon2 LLNG[131]: [debug] Store b0da98665f354e8390831b792a29a492 in hidden key state
May 12 12:23:10 lemon2 LLNG[131]: [debug] OIDC request parameter redirect_uri: https://biblio.toutapprendre.com/ws/auth>
May 12 12:23:10 lemon2 LLNG[131]: [debug] Store https://biblio.toutapprendre.com/ws/authLyon.aspx in hidden key redirec>
May 12 12:23:10 lemon2 LLNG[131]: [debug] OIDC request parameter response_mode: form_post
May 12 12:23:10 lemon2 LLNG[131]: [debug] Store form_post in hidden key response_mode
May 12 12:23:10 lemon2 LLNG[131]: [debug] Calling hook oidcGotRequest
May 12 12:23:10 lemon2 LLNG[131]: [debug] OIDC authorizationcode flow requested (response type: code)
May 12 12:23:10 lemon2 LLNG[131]: [debug] Request from client id mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF
May 12 12:23:10 lemon2 LLNG[131]: [debug] Client id mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF matches RP rp-toutapprendre
May 12 12:23:10 lemon2 LLNG[131]: [notice] User 27001000006666 (BML) is authorized to access to rp-toutapprendre
May 12 12:23:10 lemon2 LLNG[131]: [debug] [notice] User 27001000006666 (BML) is authorized to access to rp-toutapprendre
May 12 12:23:10 lemon2 LLNG[131]: [debug] Calling hook oidcResolveScope
May 12 12:23:10 lemon2 LLNG[131]: [debug] Resolved scopes: openid profile
May 12 12:23:10 lemon2 LLNG[131]: [debug] Consent is disabled for Relying Party rp-toutapprendre, user will not be prom>
May 12 12:23:10 lemon2 LLNG[131]: [debug] Calling hook oidcGenerateCode
May 12 12:23:10 lemon2 LLNG[131]: [debug] Generated code: 671c71aae51ec30a5e68c444e5d9e46d
May 12 12:23:10 lemon2 LLNG[131]: [debug] Delete all hidden values
May 12 12:23:10 lemon2 LLNG[131]: [debug] Processing autoPost
May 12 12:23:10 lemon2 LLNG[131]: [debug] Delete all hidden values
May 12 12:23:10 lemon2 LLNG[131]: [debug] Store ItjPm152IqLR7wz9/R3f9uXiFydygQZAQJKzxrPPTkw=.empOZk1lalI3Uys2eDkrbXFDK3>
May 12 12:23:10 lemon2 LLNG[131]: [debug] Store 671c71aae51ec30a5e68c444e5d9e46d in hidden key code
May 12 12:23:10 lemon2 LLNG[131]: [debug] Store b0da98665f354e8390831b792a29a492 in hidden key state
May 12 12:23:10 lemon2 LLNG[131]: [debug] Returned status: -2 (PE_REDIRECT)
May 12 12:23:10 lemon2 LLNG[131]: [debug] Skin returned: redirect
May 12 12:23:10 lemon2 LLNG[131]: [debug] Calling sendHtml with template redirect
```
#### Log with version 2.0.13-2:
```
May 12 12:29:13 lemon LLNG[329]: [debug] OIDC request parameter client_id: mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF
May 12 12:29:13 lemon LLNG[329]: [debug] Store mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF in hidden key client_id
May 12 12:29:13 lemon LLNG[329]: [debug] OIDC request parameter state: dae988ae12e049c3ba7768a876b99c6c
May 12 12:29:13 lemon LLNG[329]: [debug] Store dae988ae12e049c3ba7768a876b99c6c in hidden key state
May 12 12:29:13 lemon LLNG[329]: [debug] OIDC request parameter redirect_uri: https://biblio.toutapprendre.com/ws/authLy
May 12 12:29:13 lemon LLNG[329]: [debug] Store https://biblio.toutapprendre.com/ws/authLyon.aspx in hidden key redirect_
May 12 12:29:13 lemon LLNG[329]: [debug] OIDC request parameter response_mode: form_post
May 12 12:29:13 lemon LLNG[329]: [debug] Store form_post in hidden key response_mode
May 12 12:29:13 lemon LLNG[329]: [debug] Calling hook oidcGotRequest
May 12 12:29:13 lemon LLNG[329]: [debug] OIDC authorizationcode flow requested (response type: code)
May 12 12:29:13 lemon LLNG[329]: [debug] Request from client id mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF
May 12 12:29:13 lemon LLNG[329]: [debug] Client id mhsxpzzqkzvkCXNkvJThLgKHCMdjfRkF matches RP rp-toutapprendre
May 12 12:29:13 lemon LLNG[329]: [notice] User 27001000006666 (BML) is authorized to access to rp-toutapprendre
May 12 12:29:13 lemon LLNG[329]: [debug] [notice] User 27001000006666 (BML) is authorized to access to rp-toutapprendre
May 12 12:29:13 lemon LLNG[329]: [debug] Calling hook oidcResolveScope
May 12 12:29:13 lemon LLNG[329]: [debug] Consent is disabled for Relying Party rp-toutapprendre, user will not be prompt
May 12 12:29:13 lemon LLNG[329]: [debug] Calling hook oidcGenerateCode
May 12 12:29:13 lemon LLNG[329]: [debug] Generated code: 0291198f419f55353795de14235da1ee
May 12 12:29:13 lemon LLNG[329]: [debug] Delete all hidden values
May 12 12:29:13 lemon LLNG[329]: [debug] Redirect user to https://biblio.toutapprendre.com/ws/authLyon.aspx?code=0291198
May 12 12:29:13 lemon LLNG[329]: [debug] Returned status: -2 (PE_REDIRECT)
May 12 12:29:13 lemon LLNG[329]: [debug] Calling autoredirect
May 12 12:29:13 lemon LLNG[329]: [debug] Building redirection to https://biblio.toutapprendre.com/ws/authLyon.aspx?code=
```
FAQ
Clément OUDOT

Mini HowTo OIDC with a single page application
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2891
2023-07-06T15:35:05Z
Black Sousnenu

Hi all,
We try to authenticate a single page application with OIDC, we did not find in the documentation how to do it.
Is it possible to create a mini how-to ?
Thanks
Regards
BS
In discussion

SAML IdP-initiated Single Logout
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2888
2023-03-07T18:07:58Z
XIAOJUN TIAN

This is not an issue but more like a help ticket.
I am writing my own SAML sp and using LLNG as IdP to test. My own sp just supports IdP-initiated logout and I am looking for something similar with [SimpleSAMLphp IdP-initiated logout](https://webcache.googleusercontent.com/search?q=cache:U9D_G3YnUT0J:https://simplesamlphp.org/docs/1.16/simplesamlphp-idp-more.html&cd=1&hl=en&ct=clnk&gl=ca) at the page bottom.
I can tell after reading the official documentation and issues that LLNG should support SAML IdP-initiated logout but the information is in fragments. Can anyone give ideas on how to trigger the IdP-initiated logout? Many thanks!
For now, the IdP `<SingleLogoutService>` metadata looks like this, and I am using HTTP-Redirect for single logout (the single login has already worked out in my local environment):
```
<SingleLogoutService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="http://idp.example.com:8080/saml/singleLogoutSOAP" />
<SingleLogoutService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="http://idp.example.com:8080/saml/singleLogout"
    ResponseLocation="http://idp.example.com:8080/saml/singleLogoutReturn"
/>
<SingleLogoutService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://idp.example.com:8080/saml/singleLogout"
    ResponseLocation="http://idp.example.com:8080/saml/singleLogoutReturn"
/>
```

Possibility to check minimal special characters even if no special character list configured
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2856
2023-01-25T18:01:19Z
Clément OUDOT

For now, we can't allow minimal special characters if no special character list is defined.
If no special character list is configured, we should check minimal special characters with all special characters.
FAQ
Christophe Maudoux chrmdx@gmail.com

libclass-xsaccessor-perl dependency is missing with fresh install
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2813
2022-10-25T19:07:42Z
Christophe Maudoux chrmdx@gmail.com

### Concerned version
Version: %2.0.15
Platform: All
### Summary
apt install libclass-xsaccessor-perl
### Logs
```
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] route renewcaptcha added
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Plugin ::Captcha::SecurityImage initialized
Trace begun at (eval 13) line 1
main::__ANON__('Can\'t locate Class/XSAccessor.pm in @INC (you may need to install the Class::XSAccessor module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.32.1 /usr/local/share/perl/5.32.1 /usr/lib/x86_64-linux-gnu/perl5/5.32 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.32 /usr/share/perl/5.32 /usr/local/lib/site_perl) at /usr/share/perl5/Moo/_Utils.pm line 107, <DATA> line 960.^J') called at /usr/share/perl5/Moo/_Utils.pm line 107
eval {...} at /usr/share/perl5/Moo/_Utils.pm line 107
Moo::_Utils::_require('Class/XSAccessor.pm') called at /usr/share/perl5/Moo/_Utils.pm line 151
Moo::_Utils::_maybe_load_module('Class::XSAccessor') called at /usr/share/perl5/Method/Generate/Accessor.pm line 20
Method::Generate::Accessor::BEGIN at /usr/share/perl5/Method/Generate/Accessor.pm line 26
eval {...} at /usr/share/perl5/Method/Generate/Accessor.pm line 26
require Method/Generate/Accessor.pm at /usr/share/perl5/Moo/Role.pm line 59
Moo::Role::_accessor_maker_for('Moo::Role', 'Throwable') called at /usr/share/perl5/Moo/Role.pm line 86
Moo::Role::has('previous_exception', 'is', 'ro', 'default', 'CODE(0x55c9856fee30)') called at /usr/share/perl5/Throwable.pm line 42
require Throwable.pm at /usr/share/perl5/Moo/_Utils.pm line 107
eval {...} at /usr/share/perl5/Moo/_Utils.pm line 107
Moo::_Utils::_require('Throwable.pm') called at /usr/share/perl5/Moo/_Utils.pm line 125
Moo::_Utils::_load_module('Throwable') called at /usr/share/perl5/Moo/Role.pm line 303
Moo::Role::apply_roles_to_package('Moo::Role', 'Throwable::Error', 'Throwable', 'StackTrace::Auto') called at /usr/share/perl5/Moo.pm line 102
Moo::with('Throwable', 'StackTrace::Auto') called at /usr/share/perl5/Throwable/Error.pm line 5
require Throwable/Error.pm at /usr/share/perl5/Moo/_Utils.pm line 107
eval {...} at /usr/share/perl5/Moo/_Utils.pm line 107
Moo::_Utils::_require('Throwable/Error.pm') called at /usr/share/perl5/Moo/_Utils.pm line 125
Moo::_Utils::_load_module('Throwable::Error') called at /usr/share/perl5/Moo.pm line 146
Moo::_set_superclasses('Moo', 'Email::Sender::Failure', 'Throwable::Error') called at /usr/share/perl5/Moo.pm line 96
Moo::extends('Throwable::Error') called at /usr/share/perl5/Email/Sender/Failure.pm line 5
require Email/Sender/Failure.pm at /usr/share/perl5/Moo/_Utils.pm line 107
eval {...} at /usr/share/perl5/Moo/_Utils.pm line 107
Moo::_Utils::_require('Email/Sender/Failure.pm') called at /usr/share/perl5/Moo/_Utils.pm line 125
Moo::_Utils::_load_module('Email::Sender::Failure') called at /usr/share/perl5/Moo.pm line 146
Moo::_set_superclasses('Moo', 'Email::Sender::Failure::Temporary', 'Email::Sender::Failure') called at /usr/share/perl5/Moo.pm line 96
Moo::extends('Email::Sender::Failure') called at /usr/share/perl5/Email/Sender/Failure/Temporary.pm line 5
require Email/Sender/Failure/Temporary.pm at /usr/share/perl5/Email/Sender/Role/CommonSending.pm line 9
Email::Sender::Role::CommonSending::BEGIN at /usr/share/perl5/Method/Generate/Accessor.pm line 26
eval {...} at /usr/share/perl5/Method/Generate/Accessor.pm line 26
require Email/Sender/Role/CommonSending.pm at /usr/share/perl5/Moo/_Utils.pm line 107
eval {...} at /usr/share/perl5/Moo/_Utils.pm line 107
Moo::_Utils::_require('Email/Sender/Role/CommonSending.pm') called at /usr/share/perl5/Moo/_Utils.pm line 125
Moo::_Utils::_load_module('Email::Sender::Role::CommonSending') called at /usr/share/perl5/Moo/Role.pm line 303
Moo::Role::apply_roles_to_package('Moo::Role', 'Email::Sender::Transport', 'Email::Sender::Role::CommonSending') called at /usr/share/perl5/Moo/Role.pm line 106
Moo::Role::with('Email::Sender::Role::CommonSending') called at /usr/share/perl5/Email/Sender/Transport.pm line 30
require Email/Sender/Transport.pm at /usr/share/perl5/Email/Sender/Simple.pm line 23
Email::Sender::Simple::BEGIN at /usr/share/perl5/Method/Generate/Accessor.pm line 26
eval {...} at /usr/share/perl5/Method/Generate/Accessor.pm line 26
require Email/Sender/Simple.pm at /usr/share/perl5/Lemonldap/NG/Portal/Lib/SMTP.pm line 12
Lemonldap::NG::Portal::Lib::SMTP::BEGIN at /usr/share/perl5/Method/Generate/Accessor.pm line 26
eval {...} at /usr/share/perl5/Method/Generate/Accessor.pm line 26
require Lemonldap/NG/Portal/Lib/SMTP.pm at /usr/lib/x86_64-linux-gnu/perl5/5.32/Mouse/Util.pm line 295
eval {...} at /usr/lib/x86_64-linux-gnu/perl5/5.32/Mouse/Util.pm line 295
Mouse::Util::_try_load_one_class('Lemonldap::NG::Portal::Lib::SMTP') called at /usr/lib/x86_64-linux-gnu/perl5/5.32/Mouse/Util.pm line 303
Mouse::Util::load_class('Lemonldap::NG::Portal::Lib::SMTP') called at /usr/lib/x86_64-linux-gnu/perl5/5.32/Mouse/Meta/Class.pm line 58
Mouse::Meta::Class::superclasses('Mouse::Meta::Class=HASH(0x55c984e0bac0)', 'Lemonldap::NG::Portal::Lib::SMTP', 'Lemonldap::NG::Portal::Main::Plugin', 'Lemonldap::NG::Portal::Lib::_tokenRule') called at /usr/lib/x86_64-linux-gnu/perl5/5.32/Mouse.pm line 35
Mouse::extends('Lemonldap::NG::Portal::Lib::SMTP', 'Lemonldap::NG::Portal::Main::Plugin', 'Lemonldap::NG::Portal::Lib::_tokenRule') called at /usr/share/perl5/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm line 37
require Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm at (eval 119) line 1
eval 'require Lemonldap::NG::Portal::Plugins::MailPasswordReset' at /usr/share/perl5/Lemonldap/NG/Portal/Main/Init.pm line 583
Lemonldap::NG::Portal::Main::loadModule('Lemonldap::NG::Portal::Main=HASH(0x55c98424f8a0)', '::Plugins::MailPasswordReset') called at /usr/share/perl5/Lemonldap/NG/Portal/Main/Init.pm line 477
Lemonldap::NG::Portal::Main::loadPlugin('Lemonldap::NG::Portal::Main=HASH(0x55c98424f8a0)', '::Plugins::MailPasswordReset') called at /usr/share/perl5/Lemonldap/NG/Portal/Main/Init.pm line 373
Lemonldap::NG::Portal::Main::reloadConf('Lemonldap::NG::Portal::Main=HASH(0x55c98424f8a0)', 'HASH(0x55c9841f5a28)') called at /usr/share/perl5/Lemonldap/NG/Handler/Main/Reload.pm line 82
Lemonldap::NG::Handler::Main::checkConf('Lemonldap::NG::Handler::PSGI::Main', 'Lemonldap::NG::Portal::Main=HASH(0x55c98424f8a0)') called at /usr/share/perl5/Lemonldap/NG/Handler/Lib/PSGI.pm line 23
Lemonldap::NG::Handler::Lib::PSGI::init('Lemonldap::NG::Portal::Main=HASH(0x55c98424f8a0)', 'HASH(0x55c984271628)') called at /usr/share/perl5/Lemonldap/NG/Handler/PSGI/Router.pm line 14
Lemonldap::NG::Handler::PSGI::Router::init('Lemonldap::NG::Portal::Main=HASH(0x55c98424f8a0)', 'HASH(0x55c984271628)') called at /usr/share/perl5/Lemonldap/NG/Portal/Main/Init.pm line 140
Lemonldap::NG::Portal::Main::init('Lemonldap::NG::Portal::Main=HASH(0x55c98424f8a0)', 'HASH(0x55c98309a6d8)') called at /usr/share/perl5/Lemonldap/NG/Common/PSGI.pm line 343
Lemonldap::NG::Common::PSGI::run('Lemonldap::NG::Portal::Main', 'HASH(0x55c98309a6d8)') called at /usr/share/lemonldap-ng/portal/htdocs/index.psgi line 3
require /usr/share/lemonldap-ng/portal/htdocs/index.psgi at /usr/share/lemonldap-ng/llng-server/llng-server.psgi line 52
Plack::Sandbox::_2fusr_2fshare_2flemonldap_2dng_2fllng_2dserver_2fllng_2dserver_2epsgi::__ANON__('HASH(0x55c982de2650)') called at /usr/share/lemonldap-ng/llng-server/llng-server.psgi line 66
Plack::Sandbox::_2fusr_2fshare_2flemonldap_2dng_2fllng_2dserver_2fllng_2dserver_2epsgi::__ANON__('HASH(0x55c982de2650)') called at /usr/share/perl5/Method/Generate/Accessor.pm line 26
eval {...} at /usr/share/perl5/Method/Generate/Accessor.pm line 26
Trace begun at (eval 13) line 1
main::__ANON__('Can\'t locate object method "tid" via package "threads" at /usr/share/perl/5.32/XSLoader.pm line 111, <DATA> line 960.^J') called at /usr/share/perl/5.32/XSLoader.pm line 111
eval {...} at /usr/share/perl/5.32/XSLoader.pm line 111
XSLoader::load('Net::SSLeay', 1.88) called at /usr/lib/x86_64-linux-gnu/perl5/5.32/Net/SSLeay.pm line 444
eval {...} at /usr/lib/x86_64-linux-gnu/perl5/5.32/Net/SSLeay.pm line 446
require Net/SSLeay.pm at /usr/share/perl5/IO/Socket/SSL.pm line 19
IO::Socket::SSL::BEGIN at /usr/lib/x86_64-linux-gnu/perl5/5.32/Net/SSLeay.pm line 0
eval {...} at /usr/lib/x86_64-linux-gnu/perl5/5.32/Net/SSLeay.pm line 0
require IO/Socket/SSL.pm at /usr/share/perl/5.32/Net/SMTP.pm line 26
eval {...} at /usr/share/perl/5.3[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Module Lemonldap::NG::Portal::Plugins::MailPasswordReset loaded
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Declaring unauth route
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Add POST route:
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] route resetpwd added
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Add GET route:
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] route resetpwd added
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Plugin ::Plugins::MailPasswordReset initialized
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Module Lemonldap::NG::Portal::Plugins::Notifications loaded
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Declaring unauth route
[Fri Oct 21 17:12:56 2022] [LLNG:2723314] [debug] Add POST route:
```
FAQ

Session encoding corruption
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2800
2024-03-05T14:06:19Z
Benjamin Demarteau

### Concerned version
Version: 1.9.22-1.el7 and 2.0.15.1-1.el8
Platform: httpd (Apache)
### Summary
After a while, sessions containing UTF-8 characters get double encoded.
### Logs
I can't tell exactly when the corruption happens. If I delete the session from the manager, a new connection recreates the session correctly; after a while, accentuated characters become garbled again.
### Backends used
Auth mode is User/Pass, with LDAP user backend, session and appconfig are also stored in LDAP using globalStorage
```yaml
ini:
  all:
    globalStorage: Apache::Session::Browseable::LDAP
    globalStorageOptions: |-
      { \
        'type' => 'LDAP', \
        'ldapServer' => 'ldap+tls://{{ ldap_host }}', \
        'ldapConfBase' => 'ou=sessions,ou=lemonldap,ou=appconfig,dc=liege,dc=be', \
        'ldapBindDN' => 'cn=lemonldap-{{ inventory_hostname }},ou=technical,ou=people,dc=liege,dc=be', \
        'ldapBindPassword' => '{{ lemonldap_ldap_password }}', \
        'ldapObjectClass' => 'applicationProcess', \
        'ldapAttributeId' => 'cn', \
        'ldapAttributeContent' => 'description', \
        'ldapAttributeIndex' => 'ou', \
        'Index' => '_whatToTrace _session_kind _assert_id' \
      }
  configuration:
    type: LDAP
    ldapServer: ldap+tls://{{ ldap_host }}
    ldapConfBase: ou=config,ou=lemonldap,ou=appconfig,dc=liege,dc=be
    ldapBindDN: cn=lemonldap-{{ inventory_hostname }},ou=technical,ou=people,dc=liege,dc=be
    ldapBindPassword: "{{ lemonldap_ldap_password }}"
    ldapObjectClass: applicationProcess
    ldapAttributeId: cn
    ldapAttributeContent: description
    localStorageOptions: |-
      { \
        'namespace' => 'lemonldap-ng-config', \
        'default_expires_in' => 600, \
        'directory_umask' => '007', \
        'cache_root' => '/var/cache/lemonldap-ng', \
        'cache_depth' => 3, \
      }
```
### Possible fixes
We are writing a script that detects and removes sessions in the LDAP server. That's only a band aid though.

Link to change password on page with info about expired password
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2794
2022-09-13T00:41:39Z
Stanislav Shchetinkin

How to create a link to change password on page with info about expired password
I found that the template page with password expiration information is stored in .../portal/templates/bootstrap/info.tpl
But I don't understand how to generate a link to the "change password" page and then redirect from it to the user's working page. To get the following workflow:
1) user call "work.site.com/index"
2) lemonldap redirect to "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA=="
3) the user enters the current password
4) lemonldap redirected to a page that says the password will expire in 10 days
5) user use link or button to redirect on page with change password
6) user changes password
7) lemonldap redirect user on "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA==" so that he can log in again
When I make a link like "auth.site.com?tab=password&url=d29yay5zaXRlLmNvbS9pbmRleA==" lemonldap redirects me to "work.site.com/index" immediately without prompting me to change my password
FAQ

forAuthUser hook inconsistency according auth method
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2781
2023-01-12T10:10:57Z
Albert Rinceau

### Concerned version
Version: %2.0.14
### Summary
I have choice auth: LDAP or OIDC
I have a plugin with a function which is called at forAuthUser hook.
When authenticating with LDAP, after authentication function is called well.
When authenticating with OIDC, plugin is not.
Once authenticated, if I come back on portal, then plugin triggers well anyway the authentication method used.
Not sure what should be the expected behavior during authentication.
### Logs
```
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Launching ::Auth::Choice::_endAuth
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Processing code ref
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Launching ::Plugins::Notifications::checkNotifDuringAuth
Aug 4 05:32:03 ansible LLNG[8824]: [info] No notification found
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Processing code ref
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Removing _choice from pdata
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Removing keepPdata from pdata
Aug 4 05:32:03 ansible LLNG[8824]: [debug] [notice] alt.r7-etprxwl@exemple.com@superIDP connected
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Calling autoredirect
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Evaluate condition 1 for module Appslist
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Evaluate condition $_auth =~ /^(LDAP|DBI|Demo)$/ for module ChangePassword
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Evaluate condition 1 for module LoginHistory
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Evaluate condition $_oidcConsents && $_oidcConsents =~ /\w+/ for module OidcConsents
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Evaluate condition 1 for module Logout
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Check if Appslist has to be displayed
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Check if ChangePassword has to be displayed
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Check if LoginHistory has to be displayed
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Check if OidcConsents has to be displayed
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Check if Logout has to be displayed
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Searching for "alt.r7-etprxwl@exemple.com@superIDP" accepted notification(s)
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Skin returned: menu
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Calling sendHtml with template menu
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Use fr.json to override messages
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/mySkin/menu.tpl
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/mySkin/menu.tpl
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Apply following CORS policy :
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Access-Control-Allow-Origin
Aug 4 05:32:03 ansible LLNG[8824]: [debug] *
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Access-Control-Allow-Credentials
Aug 4 05:32:03 ansible LLNG[8824]: [debug] true
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Access-Control-Allow-Headers
Aug 4 05:32:03 ansible LLNG[8824]: [debug] *
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Access-Control-Allow-Methods
Aug 4 05:32:03 ansible LLNG[8824]: [debug] POST,GET
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Access-Control-Expose-Headers
Aug 4 05:32:03 ansible LLNG[8824]: [debug] *
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Access-Control-Max-Age
Aug 4 05:32:03 ansible LLNG[8824]: [debug] 86400
Aug 4 05:32:03 ansible LLNG[8824]: [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self' 'unsafe-inline';script-src 'self' 'unsafe-inline';form-action *;frame-ancestors 'none';
```
### Possible fixes
Workaround is to trigger plugin for "forAuthUser" and "endAuth" hook, but "forAuthUser" behavior remains inconsistent according to auth method.
FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2729
Skin rule not working properly
2022-03-16T16:14:16Z
BEZY Rémy
### Concerned version
Version: %2.0.14
Platform: Nginx
### Summary
Issue : Wrong skin is being used with a Skin Rule
Wrong URL seems to be stored in $_url during SAML REQUEST and redirection to Login Portal.
We have an application that is connected to LemonLDAP-NG with SAML.
The user is automatically redirected from my application to LemonLDAP-NG Login portal
It seems that the wrong skin is used.
- Default Skin = BootStrap
- Custom Skin = MySkin
Skin Rule :
* Key = $_url =~ m#^https://myapplication.example.com/.*#
* Value = MySkin
With this configuration, it's my Bootstrap skin which is being used and not my custom Skin "MySkin" when the user comes from "https://preprod-myapplication.example.com"
However if I set the following rule :
* Key = $_url =~ m#^https://preprod-auth.example.com/.*#
* Value = MySkin
(Portal URL is https://preprod-auth.example.com)
My custom Skin is used for both Application and Auth URL
It seems that the key $_url contains https://preprod-auth.example.com/ and not https://preprod-myapplication.example.com/
### Logs
```
REMOVED
```
### Backends used
N/A
### Possible fixes
FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2695
U2F does not work anymore with Brave 1.35.101 / Chromium 98.0.4758.87
2022-02-14T09:15:02Z
Benjamin MALYNOVYTCH
### Concerned version
Version: 2.0.13
Platform: nginx / perl-fcgi
### Summary
Using U2F/Fido USB token doesn't work anymore (key doesn't blink while page indicates it is waiting for it, browser doesn't even ask to authorize using the key, while it used to) with latest Brave version on MacOS.
Seems to still be working with older versions of Brave (successfully tested on Brave 1.33.106 / Chromium 96.0.4664.110)
### Logs
Browser JS log:
```
Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('chrome-extension://kmendfapggjehodndflmmgagdbamhnfd') does not match the recipient window's origin ('null').
(anonymous) @ u2f-api.min.js:2
load (async)
u2f.getIframePort_ @ u2f-api.min.js:2
(anonymous) @ u2f-api.min.js:2
```
Extension seems to refer to CryptoTokenExtension.
### Possible fixes
Workaround: use firefox.
### Extra information
Before this error, I was having another one related to CSP not allowing inline hash in style. I worked around it by changing the following config:
```
"cspStyle": "'self' 'unsafe-inline'"
```
Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2680
Proxy vhost's log does not get username/uid?
2021-12-23T11:55:37Z
Mathieu MD
### Concerned version
Version: %2.0.13
Platform: Nginx
### Summary
While the Portal does get the username/uid in the log (thanks to `log_format lm_app '$remote_addr - $upstream_http_lm_remote_user ...` configured), the Proxy does not.
```nginx
log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';
# Used in the access log settings:
# - Portal:
access_log /var/log/nginx/auth-test.example.com_access.log lm_app;
# - Proxy:
access_log /var/log/nginx/glpi-test.example.com_access.log lm_app;
```
Am I missing something, or is it a bug?
### Logs
```
# On the Portal
::ffff:10.1.2.3 - mathieu [22/Dec/2021:10:49:16 +0100] "GET /portal.css HTTP/2.0" 200 ...
^^^^^^^ Correct.
# On the Proxy (in the log of a vhosted app)
::ffff:10.1.2.3 - - [22/Dec/2021:10:50:15 +0100] "GET /front/central.php HTTP/2.0" 200 ...
^ Nothing here.
```

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2643
U2F does not work in uwsgi due to json library conflict
2022-09-14T09:32:32Z
Maxime Besson
### Concerned version
Version: 2.0.13
Platform: Debian >= 10, possibly CentOS
### Summary
* Configure LLNG to run in Apache or Nginx
* Try to register a U2F device in the device => OK
* Configure LLNG to run in UWSGI
* Try to register a U2F device => FAIL
### Logs
On UWSGI:
```
[debug] Prepare U2F verification
[debug] -> Send challenge:
```
(challenge is empty)
### Cause
After investigating this, I found that the challenge is correctly generated by libu2f-server, but there is an issue that prevents it from being generated as JSON correctly
output of `authenticationChallenge` function:
```
{ "keyHandle": null, "version": null, "challenge": null, "appId": null }
```
The code that serialized the challenge to JSON is here:
https://github.com/Yubico/libu2f-server/blob/master/u2f-server/core.c#L999
We see that it uses `json_object_get` to populate the JSON fields (keyHandle, challenge, etc)
But UWSGI is built against libjansson which also defines a `json_object_get` symbol that conflicts with the one used by libu2f-server!
```
37083: symbol=json_object_get; lookup in file=uwsgi [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libpthread.so.0 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libm.so.6 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libdl.so.2 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libz.so.1 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libpcre.so.3 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libcap.so.2 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libuuid.so.1 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libyaml-0.so.2 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libjansson.so.4 [0]
37083: binding file /lib/x86_64-linux-gnu/libu2f-server.so.0 [0] to /lib/x86_64-linux-gnu/libjansson.so.4 [0]: normal symbol `json_object_get' [JSONC_0.14]
```
Instead of libjson-c.so.5 (when using Apache):
```
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libdl.so.2 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libm.so.6 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libpthread.so.0 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libc.so.6 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libcrypt.so.1 [0]
37091: symbol=json_object_get; lookup in file=/lib64/ld-linux-x86-64.so.2 [0]
37091: symbol=json_object_get; lookup in file=/usr/lib/x86_64-linux-gnu/perl5/5.32/auto/Crypt/U2F/Server/Server.so [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libu2f-server.so.0 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libc.so.6 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libjson-c.so.5 [0]
37091: binding file /lib/x86_64-linux-gnu/libu2f-server.so.0 [0] to /lib/x86_64-linux-gnu/libjson-c.so.5 [0]: normal symbol `json_object_get' [JSONC_0.14]
```
This problem does not occur in old versions of libu2f-server because they did not use json_object_get
https://github.com/Yubico/libu2f-server/commit/eea59f260ba2fe71aee911e60068743acf00dc40
### Possible fixes
A workaround I found is to force priority to json-c bindings with LD_PRELOAD. But that probably means uwsgi cannot parse JSON configs anymore
A long term fix would be for Jansson and JSON-C to use symbol versioning. JSON-C does it in Bullseye (but not in Buster, nor CentOS7)
see https://github.com/json-c/json-c/issues/621
Building uwsgi against yajl could work as well, but I have not tested it.
This issue needs to be reported in the docs
@maudoux have you already encountered this issue? Do you use U2F in production on your uwsgi servers?
FAQ
Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2639
OIDC error when multiple email addresses
2022-02-04T12:09:43Z
Mathieu Valois
### Concerned version
Version: %2.0.13
Platform: Apache on debian 11
### Summary
When an LDAP user has multiple email addresses, Gitlab OIDC client rejects the connection, complaining about a bad email address.
### Logs
Gitlab: Sign-in failed because Email is invalid.
### Possible fixes
Provide a way to map attributes on a single element of an array, like `mail => mail[0]`
FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2624
Import unicode2iso and iso2unicode into Safe jail
2022-07-01T18:07:28Z
Christophe Maudoux chrmdx@gmail.com
### Summary
I planned to deploy two flavours of SSO as a service soon (full and hybrid). So, DevOps handler will be employed but Safe jail is required. We use uWSGI server and we are facing encoding issues. To bypass those I used unicode2iso and iso2unicode extended functions.
Problem is those functions are not compliant with Safe jail. I tried many solutions but without success...
Help would be appreciated 🙏
### Design proposition
Import unicode2iso and other into Safe jail.
2.0.15
Christophe Maudoux chrmdx@gmail.com