lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Feed updated: 2017-11-08T16:02:07Z

Issue #5: Configure use of HTTPS and redirection port per virtual host
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/5
Clément OUDOT, updated 2017-11-08T16:02:07Z

Today, we can just configure https and port for all virtual hosts. We should provide options for vhosts to have custom values for these attributes (this will allow managing http and https applications with the same Handler).

Milestone: 1.0

Issue #6: Change 403 error into 302 error for ungranted access
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/6
Clément OUDOT, updated 2017-11-08T16:02:05Z

When a user is not granted access to an application, the Handler sends a 403 HTTP error code. This does not allow catching the referer. We should allow a configuration parameter to use a redirect (302) and display more information on the reject cause to the user (for example, the referer of the referer).

Milestone: 1.0

Issue #46: [logout] verify referer into logout process
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/46
Thomas Chemineau, updated 2017-11-08T15:56:39Z

When the handler intercepts the logout URL (which is written directly by hand in a web browser), the handler redirects it to the portal.
The URL has the form "http://auth.example.com/url=base64(url)".
There is no Referer header in the HTTP request when the user goes to the portal. An error is produced: "Bad URL".
Milestone: 1.0-rc2

Issue #1331: Manage UTF-8 values in HTTP headers
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1331
Clément OUDOT, updated 2019-09-06T08:36:11Z

Since 1.9, it seems we have an issue with UTF-8 values in HTTP headers:
As written by @guimard:
> From rfc7230#section-3.2.4:
>
> Historically, HTTP has allowed field content with text in the
> ISO-8859-1 charset [ISO-8859-1], supporting other charsets only
> through use of [RFC2047] encoding. In practice, most HTTP header
> field values use only a subset of the US-ASCII charset [USASCII].
> Newly defined header fields SHOULD limit their field values to
> US-ASCII octets. A recipient SHOULD treat other octets in field
> content (obs-text) as opaque data.
>
> so "downgrade" is required if you want to take the risk to send some
> non-ascii characters.
>
> Note that LLNG-1.4 wasn't really UTF8, that's why it has accidentally
> succeeded to send encoded headers.
Here is the proposed patch:
```diff
diff --git
a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/API/ApacheMP2.pm
b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/API/ApacheMP2.pm
index 1a0193e1b..2695c85b0 100644
--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/API/ApacheMP2.pm
+++ b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/API/ApacheMP2.pm
@@ -99,6 +99,8 @@ sub header_in {
sub set_header_in {
my ( $class, %headers ) = @_;
while ( my ( $h, $v ) = each %headers ) {
+ use utf8;
+ utf8::downgrade($v);
$request->headers_in->set( $h => $v );
}
}
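Review bot: `utf8::downgrade($v)` on the second added line dies when `$v` contains any character above U+00FF, so a session attribute that cannot be represented in Latin-1 (a name with a non-Latin-1 character, for instance) would abort the handler for that request instead of producing a header; call it as `utf8::downgrade($v, 1)` and handle the false return (log it and skip the header, or encode explicitly) so the failure stays contained. The `use utf8;` on the first added line only changes how string literals in this source file are decoded and has no effect on the runtime value of `$v`, so it can be dropped from the loop.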
```

Milestone: 1.9.14
Assignee: Clément OUDOT

Issue #1310: Form replay javascript generates error for fields with a dot
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1310
Clément OUDOT, updated 2017-11-16T14:51:59Z

When using Form Replay and configuring a field 'test.field', there is a JS error, because the generated code is:
```js
var form = jQuery('form');
form.attr('autocomplete', 'off');
form.find('input[name=test.field], select[name=test.field], textarea[name=test.field]').val('xxxxxxxxxxxxxxxx')
```
We indeed need to put the name value inside quotes to avoid such an error.

Milestone: 1.9.14

Issue #54: Handler parameters (https, port, etc.) are not taken into account if only defined in Manager, and not in ini file
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/54
Clément OUDOT, updated 2017-11-28T17:47:23Z

I think I had corrected this bug, but I reproduced it yesterday.

Milestone: 1.0-rc2

Issue #55: Distribute SympaAutoLogin Handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/55
Clément OUDOT, updated 2017-11-28T17:47:23Z

To configure SympaAutoLogin, we have to write a MyHandlerSympa.pm. It should be distributed with the other Handlers.

Milestone: 1.0-rc2

Issue #57: Local Handler macros
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/57
Yadd, updated 2017-11-28T17:47:23Z

Some macros are specific to one virtual host but stored in the session even if the user does not walk over this vhost. Proposition:
* remember the data key count before rules evaluation
* some rules (or headers) contain "$a ||= <complex rule>"
* if the key count has changed, store updates in the local cache
So the session will stay unchanged, but local complex rules will be calculated only once every 10 minutes at most.

Milestone: 1.0

Issue #99: Special UTF-8 characters cannot be sent in HTTP-BASIC
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/99
Clément OUDOT, updated 2017-11-28T17:47:35Z

When we send the HTTP-BASIC string, UTF-8 characters are not accepted.
See:
http://stackoverflow.com/questions/702629/utf-8-characters-mangled-in-http-basic-auth-username
http://code.google.com/p/chromium/issues/detail?id=25790
I will create a method in SafeLib to convert them to ISO.

Milestone: 1.0

Issue #103: String encoding in sessions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/103
Clément OUDOT, updated 2017-11-28T17:47:35Z

We should discuss how to manage string encoding in sessions. It seems for now we store them as UTF-8, but this can be a problem:
* HTTP-BASIC only wants ISO
* some protected applications are not UTF-8 compliant
We should be able to choose the encoding per vhost or per header.

Milestone: 1.0

Issue #112: Handler/AuthBasic does not use local cache
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/112
Yadd, updated 2017-11-28T17:47:36Z

AuthBasic uses "md5_base64(<Authorization-header>)" to find users in the local cache but stores them using the $res->{cookies}->{$cookieName} value, so the local cache (and thread cache) are never used.

Milestone: 1.0-rc2

Issue #117: Invalid use of Safe to access APR::Table module (LL::NG not working on RHEL5.5)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/117
Clément OUDOT, updated 2017-11-28T17:47:36Z

In RHEL 5.5 we have a bug in the Handler.
The RedHat people say:
> I read up a little more on the vulnerability fix and it looks like the
> LemonLdap program was using the bug to function correctly, due to which
> it is now broken. The problem is that the lmSetHeaders function in
> Simple.pm is restricted in a Safe jail and it tries to access APR::Table
> module contents without explicitly 'use'ing it. This needs to be fixed
> in LemonLdap, so please open a bug report with them for this.
> Unfortunately I will not be able to assist with this issue too much
> since we cannot support applications that we do not ship.
We should correct our code.

Milestone: 1.0

Issue #1334: Logout does not work in the CDA context with multiple servers
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1334
Guillaume VANEECLOO, updated 2017-12-21T11:16:42Z

Hello,
I have an architecture with multiple servers, one dedicated to the lemonldap-ng portal (SSO server) and another dedicated to my application (WAS server).
My application can be accessed by several URLs with different domains.
First, when I log in to my application by a URL in the same domain as the lemonldap-ng portal, the logout works well. However, I notice that the session is purged from the local cache on the SSO server but not on the WAS server, but the logout works because the cookie is cleared.
Then, when I log in to my application by a URL in a different domain than the lemonldap-ng portal (CDA context), the logout doesn't work although the session is purged from the local cache on the SSO server.
I had a look at the code and I think a
```perl
$session->remove;
```
is missing in package Lemonldap/NG/Handler/Main.pm in method localUnlog.
I did some tests and it seems to solve my problem.
I use lemonldap-ng 1.9.14.

Milestone: In discussion
Assignee: Clément OUDOT

Issue #59: RRD database for handlers (status)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/59
Yadd, updated 2017-12-05T18:36:04Z

The status process provides data that must be collected by another process (like mrtg). The idea here is to store that data into an RRD and display it with a little CGI (parameter: RRDstatus => /somewhere/db.rrd). It could be used with or without status=>1

Milestone: Backlog

Issue #60: Squid handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/60
Yadd, updated 2020-01-30T12:53:52Z

In some cases, using Squid can be more interesting than Apache for reverse proxies. Using the same interface as SquidGuard, it seems possible to build a handler.

Milestone: 3.0.0
Assignee: Yadd

Issue #94: Integration with OpenPERMIS
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/94
Clément OUDOT, updated 2019-10-14T16:08:54Z

Romain Guignard proposed an integration with OpenPERMIS: http://openpermis.info/
This means the Handler will send an XACML request to PERMIS to check the user's authorization rather than use the LL::NG rules.
I attach an implementation he made.

Milestone: FAQ

Issue #290: Dynamic output filters are not called on /
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/290
Clément OUDOT, updated 2017-12-05T18:36:05Z

We sometimes use an output filter, injected dynamically (with $r->add_output_filter), for example to manage logout or form replay. Recently I used this with the SecureToken Handler.
But it seems we have a little bug. The output filter is always called, except if the URI is '/'. It is maybe a side effect of DocumentIndex? I will try to send a mail to the mod_perl users mailing list to get more information.
This is not a critical bug, as our filters are often executed on URIs not equal to '/'.

Milestone: Backlog

Issue #321: Use references from URI regexp in rules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/321
Clément OUDOT, updated 2020-01-29T07:04:56Z

The idea is to catch a string in the URI to be used in the rule, like:
```
/groupe-(\d+) => $groups =~ /groupe$1/
```
This needs to be done in all modules that use the "grant" function. Seems not really easy, planning this for a later release.

Milestone: 3.0.0
Assignee: Yadd

Issue #480: Floating menu is not localized
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/480
Daniel B., updated 2018-08-08T21:21:14Z

The floating menu is great, but the texts Home and Logout are hardcoded. Would it be possible to localize this?

Milestone: Backlog

Issue #482: Rules for maintenance mode
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/482
Daniel B., updated 2019-11-21T17:36:36Z

The new maintenance mode is a great idea, but it would be better if it was possible to enable it with specific rules, for example, we could set:
```
$groups !~ /\badmins\b/
```
so users get the maintenance message, but members of the admins group can upgrade the app and check everything is OK before removing the maintenance mode.

Milestone: 3.0.0
Assignee: Yadd

Issue #502: vhost general access rule
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/502
FX Deltombe, updated 2019-05-31T07:41:12Z

Given a vhost, it would be nice to have an optional general access rule that would be checked before any other access rule.
For example, let a vhost test.example.com; instead of the access rules
```
/admin/ => $authLevel >= 5 && $groups =~ /\badmin\b/
/secret/ => $authLevel >= 5 && $groups =~ /\bsu\b/
default => $authLevel >= 5
```
it would be more legible (and easier to manage) to have
```
general => $authLevel >= 5
```
as the general access rule, and
```
/admin/ => $groups =~ /\badmin\b/
/secret/ => $groups =~ /\bsu\b/
default => accept
```
Of course, this general access rule would not be checked when skipping access control (with keyword 'skip'). But it would be with 'unprotect'.
About the manager, I think the general access rule should be defined in vhost options.

Milestone: FAQ

Issue #610: Sympa 6 Auto login
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/610
Florian Praden, updated 2017-12-05T18:36:13Z

Hi,
Since Sympa v6.0, sharing the Sympa auth is no longer possible via the cookie.
See: http://www.sympa.org/manual_6.0/authentication#sharing_wwsympa_s_authentication_with_other_applications
For now, I added a new handler to do it, which interacts directly with the Sympa database.
Sympa6AutoLogin.pm and SympaSession.pm (which is a copy (part of it) of the Sympa perl module)
SympaHandler is the handler to adapt to the config.
It's in alpha state.
Another possibility for a "near" future: https://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4056&group_id=23&atid=170
Best,
--
Florian

Milestone: Backlog

Issue #706: Forbid portal URL to be a perl expression
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/706
FX Deltombe, updated 2024-03-04T08:04:49Z

Since LL::NG 0.9.4, it is possible in handler and portal config to define the portal URL as a perl expression, for example "http://$vhost/auth" (then, $vhost will be replaced with the request hostname, e.g. test1.example.com).
I would like to remove this feature from the handler,
* since it is undocumented (well, to be honest it is mentioned on the old wiki)
* since it can be configured only in the handler's / portal's config (that is, in __PACKAGE__->init parameters, and maybe in lemonldap-ng.ini; but you can't set it in the manager: it raises an error)
* since it looks like a screwy feature (I have never had such a need)
* and since I can't keep it if I try to pass apacheRequest as function parameters instead of as a global var (needed for ##583); at least, I can't replace $vhost with the request hostname.
By the way, it would allow simplifying the code.
Clément, could you give me your opinion / agreement?

Milestone: In discussion

Issue #1146: Allow Handler to read OAuth2 access token instead of browser cookie
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1146
Clément OUDOT, updated 2019-05-10T20:32:15Z

I have a lot of questions on how to protect REST APIs (or any machine-to-machine requests) with LemonLDAP::NG.
Now that we have implemented OpenID Connect, we have an OAuth2 access token database (OIDC sessions) that we could use. The Handler could try to read the access token (sent in the Authorization header) instead of the cookie to get the access token session and find the corresponding SSO session.
The question is: do we allow the Handler to test both access token and cookie, or should we have separate Handlers for that? The difficulty of mixing both is to know how to answer a request without access token and cookie: HTTP unauthorized or redirection to the portal? It would require knowing if the request comes from a browser or from an application.
Any thoughts about this?

Milestone: 2.0.4
Assignee: Clément OUDOT

Issue #977: Problem with accents characters in SOAP Requests
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/977
Richard Phan, updated 2018-12-04T08:29:39Z

Hi,
I have a critical bug. I use SOAP for sessions, but when there are accents in session information, the handlers send increasingly large POST requests to /index.pl/adminSessions:
```
lemonldap [11/Mar/2016:14:52:16 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 146080 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:52:41 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 146080 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:53:41 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 277152 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:54:51 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 539296 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:56:01 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 1063584 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:57:02 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 2112160 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:57:16 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 4209312 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:58:07 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 4209312 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:59:32 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 8403616 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:14:59:37 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 8403616 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:01:48 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 16792224 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:01:54 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 16792224 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:02:51 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:02:46 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:03:35 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:03:28 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:02:40 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
lemonldap [11/Mar/2016:15:03:22 +0100] "POST /index.pl/adminSessions HTTP/1.1" 200 33569440 "-" "SOAP::Lite/Perl/1.1"
...
```
A SOAP request size may exceed 60 MB!
I dumped all my MySQL requests and here is a request extract which shows the problem: an accent is replaced by strange repeated characters:
```
UPDATE sessions SET a_session = '^E ^Y\0\0\0\0^_^D^Y\0\0\0\0^A^D^B\0\0\0^E^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1456741132^B\0\0\0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455876018^B\0\0\
0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455874416^B\0\0\0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455793697^B\0\0\0^F_utime^D^Y\0\0\0\0^B^W\rXXX.XX.XXX.XX^B\0\0\0^FipAddr^W\n1455712268^B\0\0\
0^F_utime^B\0\0\0^LsuccessLogin^B\0\0\0^LloginHistory^A\0\0^B^KJosÃ<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â
<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â
<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â
<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â
<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0083>Ã<U+0082>Â<U+0083>Ã<U+0083>Â<U+0082>Ã<U+0082>Â<U+0082>Ã<U+0083>Â
<U+0083>Ã<U+0082>Â<U+0082>Ã<U+0083>Â<U+0082>Ã<U+0082>...
```
As you see, the word José is replaced by JosÃ<U+0083>Â<U+0083>Ã<U+0082>...
Any idea?
Regards

Milestone: In discussion

Issue #982: CPAN Tests fails for Lemonldap-NG-Handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/982
Clément OUDOT, updated 2017-12-05T18:36:14Z

See for example http://www.cpantesters.org/cpan/report/3c076310-eeaf-11e5-a54c-72f12867457e
```
# Failed test 'use Lemonldap::NG::Handler::Reload;'
# at t/01-Lemonldap-NG-Handler-Main.t line 13.
# Tried to use 'Lemonldap::NG::Handler::Reload'.
# Error: Can't locate Crypt/Rijndael.pm in @INC (you may need to install the Crypt::Rijndael module) (@INC contains: /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/lib /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/arch /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/arch /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/lib /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/arch /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/lib /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/arch /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/lib /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/arch /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8 /home/smoker/perl5/lib/perl5/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8 /home/smoker/perl5/lib/perl5/x86_64-linux /home/smoker/perl5/lib/perl5 /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/arch /home/smoker/.cpan/build/Apache-Session-1.93-CgGkg9/blib/lib /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/arch /home/smoker/.cpan/build/SOAP-Lite-1.19-yOFk7q/blib/lib /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/arch /home/smoker/.cpan/build/HTML-Template-2.95-MzfoMr/blib/lib /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/arch /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib /home/smoker/perl5/lib/perl5/5.23.8/x86_64-linux /home/smoker/perl5/lib/perl5/5.23.8 /home/smoker/perl5/lib/perl5/x86_64-linux /home/smoker/perl5/lib/perl5 /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/site_perl/5.23.8/x86_64-linux /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/site_perl/5.23.8 /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/5.23.8/x86_64-linux /home/smoker/perl5/perlbrew/perls/perl-5.23.8/lib/5.23.8 
.) at /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib/Lemonldap/NG/Common/Crypto.pm line 12.
# BEGIN failed--compilation aborted at /home/smoker/.cpan/build/Lemonldap-NG-Common-1.9.0-m1TDwz/blib/lib/Lemonldap/NG/Common/Crypto.pm line 12.
# Compilation failed in require at /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/lib/Lemonldap/NG/Handler/Reload.pm line 12.
# BEGIN failed--compilation aborted at /home/smoker/.cpan/build/Lemonldap-NG-Handler-1.9.0-9WfX7U/blib/lib/Lemonldap/NG/Handler/Reload.pm line 12.
# Compilation failed in require at t/01-Lemonldap-NG-Handler-Main.t line 13.
# BEGIN failed--compilation aborted at t/01-Lemonldap-NG-Handler-Main.t line 13.
# Looks like you planned 10 tests but ran 2.
# Looks like you failed 1 test of 2 run.
# Looks like your test exited with 25 just after 2.
t/01-Lemonldap-NG-Handler-Main.t .........
Dubious, test returned 25 (wstat 6400, 0x1900)
Failed 9/10 subtests
t/02-Lemonldap-NG-Handler-Main-Portal.t .. ok
```
Dependency on Crypt::Rijndael seems missing.

Milestone: In discussion

Issue #1167: Manage multi tenancy (multi tenant) with Apache
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1167
Clément OUDOT, updated 2018-02-07T13:07:54Z

We already discussed this feature. The goal is to have one LL::NG installation that can be used for several tenants (clients/domains/etc.)
I think the work that is needed is:
* Be able to set the lemonldap-ng.ini file to use as an environment variable in Nginx/Apache virtual hosts
* Be able to separate caches between tenants, maybe by having the tenant ID as the primary cache level
With a different lemonldap-ng.ini per tenant, it is then really easy to isolate configuration/sessions for each tenant.

Milestone: Backlog

Issue #1240: Access rules redirection with nginx
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1240
Ismael Dupras, updated 2017-12-05T18:36:14Z

I try to use logout_sso with a URL to redirect to after logout and it doesn't work. Do you have any idea why?

Milestone: In discussion

Issue #1276: FailOver mode - For globalStorage (session)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1276
Mathieu Lecompte-melançon, updated 2017-12-05T18:36:15Z

In case of a disaster recovery plan, or simply maintenance.
We would like a failover mode in case the DBMS is not reachable during operation of the DBMS.
After X connection attempts or a manual switch from the manager, LLNG should be able to fail over session storage to a local file system.
Sometimes we want to update/check our DBMS and we could have to bring it down for some minutes/hours. We suggest that when this happens LLNG switches into failover mode, makes an announcement on the main login page (FailOver mode ON - Some features could be unavailable) and asks again for new sessions.
To switch back to normal mode, the main global storage should be available and be activated from the manager page by a config push to ensure every node of LLNG is in normal mode.

Milestone: In discussion

Issue #1281: purgeLocalCache should use conf from manager
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1281
Mathieu Parent, updated 2019-04-08T11:16:33Z

Here is my proposed fix, inspired by purgeCentralCache:
```diff
diff --git a/lemonldap-ng-handler/example/scripts/purgeLocalCache b/lemonldap-ng-handler/example/scripts/purgeLocalCache
index f945dc52b..7929c7187 100755
--- a/lemonldap-ng-handler/example/scripts/purgeLocalCache
+++ b/lemonldap-ng-handler/example/scripts/purgeLocalCache
@@ -19,9 +19,14 @@ my $debug = 0;
#=============================================================================
my $lmconf = Lemonldap::NG::Common::Conf->new()
or die $Lemonldap::NG::Common::Conf::msg;
-my $conf = $lmconf->getLocalConf(HANDLERSECTION)
+my $conf = $lmconf->getConf or die "Unable to get configuration ($!)";
+my $localconf = $lmconf->getLocalConf(HANDLERSECTION)
or die "Unable to get local configuration ($!)";
+if ($localconf) {
+ $conf->{$_} = $localconf->{$_} foreach ( keys %$localconf );
+}
+
print "Configuration loaded\n" if $debug;
# Handler cache
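Review bot: the `if ($localconf)` guard added right after `my $localconf = $lmconf->getLocalConf(HANDLERSECTION) or die ...` can never be false, because the `or die` already aborts the script when getLocalConf returns nothing; either drop the guard, or drop the `or die` so that a missing handler section is tolerated and the merge is simply skipped. The new `$lmconf->getConf or die "Unable to get configuration ($!)"` reports `$!`, which is the OS errno and carries nothing about a configuration-backend failure; the `new()` call two lines above already reports `$Lemonldap::NG::Common::Conf::msg`, so the same variable should be used here so the administrator sees the real reason. Finally, the `$conf->{$_} = $localconf->{$_} foreach ( keys %$localconf )` loop overwrites every global key with the local section unconditionally; a one-line comment stating that local lemonldap-ng.ini values intentionally take precedence over the manager's configuration would make that design choice explicit.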
```
1.9.15

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1284 FORM Replay - NGinx integration via LUA (2018-11-28T13:26:56Z, Mathieu Lecompte-melançon)

Related to #1192.
It was said in the ticket below that it was the static way of NGINX which did not allow the dynamic injection.
As you already use Lua integration to render headers dynamically,
you could exploit Lua for injecting code directly in the page.
https://github.com/openresty/lua-nginx-module#body_filter_by_lua
3.0.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1355 local session storage not being cleaned up (2018-01-17T10:09:26Z, Romain Gervais)

Hi,
It seems that the cache folder containing the sessions is not being cleaned up by the `purgeCentralCache` and `purgeLocalCache` scripts for the expired sessions. In our case this folder is growing up and up and up... We have to clean it up by hand with `rm -rf`. This temporary solution is not acceptable in the long term.
For example on my test server, right now I have 0 sessions in the backend (Redis) and I can list 8 sessions on the LemonLDAP file system.
On the __Redis__ server:
```
[root@111111bbbb ~]$ redis-cli -h localhost -p 6379
localhost:6379> keys *
(empty list or set)
```
On the __LemonLDAP__ server:
```
[root@111111aaaa ~]# /opt/lemonldap-ng/bin/purgeCentralCache
[root@111111aaaa ~]# /opt/lemonldap-ng/bin/purgeLocalCache
[root@111111aaaa ~]# cd /opt/lemonldap-ng/cache/lemonldap-ng-sessions/
[root@111111aaaa lemonldap-ng-sessions]# find . -regextype sed -regex ".*/[0-9a-z]\{40\}"
./e/2/c/e2cbfb544e11dff8082cdc9b0de1ab105e421d61
./4/d/0/4d049020c55bc656be5efc3573c0f8fe22a9a1dc
./4/8/b/48bf760cc604582205f5100981ee3ca9dd398e14
./5/4/b/54b24021cc9464be5dff9cf05b1d1d6f1ed034d2
./3/a/d/3ad03d3a5d709317508fc869a026ef1b5c479fe9
./2/b/3/2b3b8a5c242877b3ab29d034b3a0c43315fd9fcb
./0/3/d/03dcfe4d5c1965ea8cb7303a8f6504622f90ce02
./d/c/7/dc7a883fa5c76e8f3e429e66622f34951b1af1fb
```
Cron is configured as follows:
```sh
# lemonldap-ng-portal
# Regular cron jobs for LemonLDAP::NG
#
*/10 * * * * apache [ -x /opt/lemonldap-ng/bin/purgeCentralCache ] && /opt/lemonldap-ng/bin/purgeCentralCache
# lemonldap-ng-handler
# Regular cron jobs for LemonLDAP::NG
#
1 * * * * apache [ -x /opt/lemonldap-ng/bin/purgeLocalCache ] && /opt/lemonldap-ng/bin/purgeLocalCache
```
I will give you all parameters related to storage as I'm not sure which is used and when.
Our `lemonldap-ng.ini` file looks like this:
```ini
[all]
globalStorage = Apache::Session::Browseable::Redis
globalStorageOptions = { sentinels => ['192.168.50.10:26379', '192.168.50.11:26379', '192.168.50.12:26379'], service => 'mymaster', 'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256', }
```
Our `lmConf` file looks like this:
```js
"globalStorage":"Apache::Session::File",
"globalStorageOptions":{
"generateModule":"Lemonldap::NG::Common::Apache::Session::Generate::SHA256",
"Directory":"/opt/lemonldap-ng/lib/sessions",
"LockDirectory":"/opt/lemonldap-ng/lib/sessions/lock"
},
"localSessionStorage":"Cache::FileCache",
"localSessionStorageOptions":{
"cache_root":"/opt/lemonldap-ng/cache",
"cache_depth":3,
"directory_umask":"007",
"default_expires_in":600,
"namespace":"lemonldap-ng-sessions"
},
"persistentStorage":"Apache::Session::File",
"persistentStorageOptions":{
"Directory":"/opt/lemonldap-ng/lib/psessions",
"LockDirectory":"/opt/lemonldap-ng/lib/psessions/lock"
},
```
We use __LemonLDAP 1.9.6__, __Redis 3.0.7__ and __Redhat / Centos 7.2__. Please tell me if you need more info.
Could you investigate to see if you are able to reproduce this bug?
Best regards,
Romain.

1.9.15
Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1363 Bad equality operator in Handler::Main::Jail (2018-02-06T10:28:00Z, Clément OUDOT)

When using custom functions, we get these errors:
```
Argument "Custom::test...." isn't numeric in numeric eq (==) at /usr/share/perl5/Lemonldap/NG/Handler/Main/Jail.pm line 30.
```
1.9.16
Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1396 logout not working with Nginx on query parameters (2018-04-18T09:06:38Z, Clément OUDOT)

Trying to set a logout rule on index.php?signout=1, this is not intercepted by Nginx. This may be because Nginx Handler does not get the query parameters.
2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1397 Plack servers support (2018-03-15T19:55:09Z, Yadd)

### Summary
Plack provides a family of [powerful web servers](http://plackperl.org/#servers). We simply have to build a Plack::Middleware::Auth::LemonldapNG module to support them.
### Full example
```perl
#!/usr/bin/perl
use Data::Dumper;
use Plack::Builder;
# Test
my $testApp = sub {
    my ($env) = @_;
    return [
        200,
        [ 'Content-Type' => 'text/plain' ],
        [ "Hello world\n\n" . Dumper($env) ],
    ];
};
my $test = builder {
    enable "Auth::LemonldapNG";
    $testApp;
};
use Lemonldap::NG::Portal::Main;
my $portal = builder {
    enable "Plack::Middleware::Static",
        path => '^/static/',
        root => '/path/to/portal/htdocs/';
    Lemonldap::NG::Portal::Main->run( {} );
};
use Lemonldap::NG::Manager;
my $manager = builder {
    enable "Plack::Middleware::Static",
        path => '^/static/',
        root => '/path/to/manager/htdocs/';
    enable "Plack::Middleware::Static",
        path => '^/doc/',
        root => '/path/to/parent/of/doc/';
    enable "Plack::Middleware::Static",
        path => '^/lib/',
        root => '/path/to/doc/pages/documentation/current/';
    enable "Plack::Middleware::Static",
        path => '^/fr-doc/',
        root => '/path/to/parent/of/fr-doc/link/';
    Lemonldap::NG::Manager->run( {} );
};
builder {
    mount 'http://test1.example.com/'   => $test;
    mount 'http://auth.example.com/'    => $portal;
    mount 'http://manager.example.com/' => $manager;
};
```
2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1400 CLUSTER - Status page who check the working state of LLNG (2018-05-17T04:31:32Z, Mathieu Lecompte-melançon)

### Summary
The idea is to tell the Keepalived service that LLNG is not working fine.
(e.g. a memory issue, or a MongoDB issue that has generated an error 500) but nginx does not fail back even if there is something wrong...
The idea is to add an HTTP_GET healthcheck to tell the keepalived service to force a fail-over on the backup node. That is easy to do.
But to get it working on the LLNG side we need a status page which will try to authenticate a (defined) test user and return a result like "Everything seems to work!", or another message if not. It's more like a unit test page which is called on demand (every 30 seconds by the keepalived service).
### Design proposition
auth.exemple.com/check_state
returns a simple HTML page with the result.
Note: the result should not change between versions to avoid a failover when upgrading to a new version.
2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/998 encode_base64 can be undefined after a reload by URL (2018-05-15T20:31:11Z, Swaelens Jontathan)

Hello,
After a modification in the manager I have apache errors for my virtualhosts that use the function encode_base64:
Undefined subroutine &Lemonldap::NG::Handler::Main::Jail::encode_base64 called at (eval 638) line 1.\n
I must reload apache to fix it.
Cheers.
2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1061 Multiple segfault using ModPerl::Registry with Apache2.4 (2018-05-15T20:31:11Z, Jeremy Kespite)

I have recently started to use Apache2.4 with LL1.9.5. I previously used Apache2.2 and LL1.3.3
Since I upgraded, my error logs contain lots of:
```
child pid 46733 exit signal Segmentation fault (11)
Attempt to free unreferenced scalar: SV 0x7f3682a244a0, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 44.
Attempt to free unreferenced scalar: SV 0x7f363c019f70, Perl interpreter: 0x7f368321f550.
Out of memory!
Attempt to free unreferenced scalar: SV 0x7f363402c818, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 73.
```
I found lots of issues on the Internet about Apache2.4 reporting segfaults frequently but no good answer. My guess is that it is an Apache issue more than a LLNG issue.
I also use Nginx Handler and it works perfectly.
So my question is:
Is there anyone else having the same kind of problem with Apache2.4?
2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/157 Warning messages in make test (2018-05-18T05:17:10Z, Clément OUDOT)

We have some warning messages in make test:
{panel:title=Console output}
t/30-Lemonldap-NG-Handler-CGI.t ......... Subroutine Lemonldap::NG::Handler::CGI::lmLog redefined at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-handler/blib/lib/Lemonldap/NG/Handler/SharedConf.pm line 16
Subroutine lmLog redefined at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-handler/blib/lib/Lemonldap/NG/Handler/CGI.pm line 196.
t/10-Manager.t ....... Subroutine lmLog redefined at ../lemonldap-ng-handler/blib/lib//Lemonldap/NG/Handler/CGI.pm line 196.
{panel}
And other logging messages, that should be hidden:
{panel:title=Console output}
t/01-Lemonldap-NG-Portal-Simple.t ........ 1/10 Session 1 isn't yet available (127.0.0.1)
t/25-Lemonldap-NG-Portal-Multi.t ......... 1/13 Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
{panel}
1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/168 Delete local session when logout URL is cached (2018-05-18T05:17:10Z, Clément OUDOT)

When Handler catches a logout URL, it redirects the user to the portal logout page. We should first delete the local session, so that this session is no longer in the cache when the user returns to the disconnected application. With CDA, we can still have the cross-domain cookie (not deleted by portal) and a session in cache when going back to the cross-domain application.
1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/173 Token for cross domain authentication (2018-05-18T05:17:11Z, Clément OUDOT)

CDA works like this:
* Access to CDA handler
* No Cookie -> redirect on portal
* Portal sees we are from a CDA domain
* Portal redirects on CDA Handler with session_id in URL (as GET parameter)
We could just redirect the user with a token in the URL, and then the Handler would call the portal directly to get the real session ID. This avoids keeping the session_id in the user's history.
This will be a configuration option, because this requires a direct access between Handler and Portal, and maybe activation of SOAP services.
1.9.7

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/174 Configure auto POST in Manager (2018-05-18T05:17:11Z, Clément OUDOT)

We have a magic feature to auto POST protected applications forms. But this is not configurable through Manager yet.
1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/176 POST Handler feature does not work with mod_proxy (2018-05-18T05:17:11Z, Clément OUDOT)

It seems that PerlResponseHandler and mod_proxy are not a good mix:
http://www.gossamer-threads.com/lists/modperl/modperl/101955
We had a solution here, using a perl script on the Reverse Proxy to POST on the proxied application:
http://mail.ow2.org/wws/arc/lemonldap-ng-users/2009-09/msg00013.html
The problem with this:
* need to create another vhost and a dedicated script
* posted data is visible to the user
So we have to find how to manage POST and mod_proxy.
I do not put this for 1.0 as this is maybe not trivial.
1.9.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/188 Use autoloader to reduce handler size (2018-05-18T05:17:11Z, Yadd)

A lot of functions are never used (depending on configuration). Autoloader can reduce the memory size.
1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/189 Cleanup process slows down considerably the Apache server (2018-05-18T05:17:11Z, Yadd)

Cache::Cache::cleanup process must not be called at each request since keys are purged when read. It must be replaced by a cron file (for keys unused).
1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/198 Cross domain does not work anymore (2018-05-18T05:17:12Z, Clément OUDOT)

1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/204 abort() instead of die in handlers (2018-05-18T05:17:12Z, Yadd)

Instead of having the bad message "internal server error", I propose to replace die by the abort function pushed at svn 1716.
1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/206 Upgrade spec file to build RPMs for 1.00 (2018-05-18T05:17:12Z, Clément OUDOT)

1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/216 getLocalConf called without 2nd argument (2018-05-18T05:17:13Z, Yadd)

getLocalConf is called without $self->{confFile} in manager, handler and portal.
So confFile customization isn't applied for local args.
1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/220 Special function in handlers to redirect instead of forbidden (2018-05-18T05:17:13Z, Yadd)

The idea:
/regexp => 'redirectOnFail(<boolean expression>, <message>)'
redirect creates $datas->{_redirect}=<msg> and the portal displays it.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/236 SSO with public/auth Website (2018-05-18T05:17:14Z, ulkesh)

Hi,
1 - Needs
---------------
I have one Website with a user auth in the webpage. I want to have a websso for the Website and to keep the login/password in the webpage. I don't want to:
- be redirected on the portal to enter login/password
- have a directory or a new URL for protected content (I don't want to modify my stats system)
However, I can do some modifications:
- I can post login and password on the portal
- I can read HTTP Headers (of course, otherwise I don't use lemonldap-ng)
2 - How to do it?
---------------
For me, there is maybe a not very complex solution. It would be great to have a keyword like 'allownosession' (we have 'accept', ...) to configure a Handler. With the option 'allownosession', lemonldap-ng lets the user go through. 2 cases:
- A wrong lemoncookie or no lemoncookie: the handler deletes the HTTP Headers (in case the client wants to forge them, for security)
- A good cookie: the handler adds the HTTP Headers.
Best regards,
1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/254 Lemonldap::NG::Handler::CGI frees CGI object only when a new one is created (2018-05-18T05:17:15Z, Yadd)

Since Lemonldap::NG::Handler::CGI stores the CGI object in $Lemonldap::NG::Handler::_CGI::cgi, it is freed only when a new one is created. This can cause some problems with CGIs that have a DESTROY function: it could be called too late. We have to rewrite lmLog for Lemonldap::NG::Handler::CGI to solve this. It's not a problem for Lemonldap::NG CGIs.
1.9.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/258 Portal with $vhost in Handler does not work (2018-05-18T05:17:15Z, Clément OUDOT)

Reported by codebfu:
{quote}
I've added the following line in MyHandler.pm at line 40: portal =>
'$vhost."/auth-bpce"',
first I had this error during redirection to portal : Can't use string ("1") as
a subroutine ref while "strict refs" in use at (eval 122) line 1.\n
I've modified handler/simple.pm at line 589 from
my $portal = $class->conditionSub( $args->{portal} );
to
my ($portal, $unused) = $class->conditionSub( $args->{portal} );
in order to prevent $portal from holding the 1 from "return ( $sub, 1 );"
now the error is the following :
Can't call method "hostname" on an undefined value at (eval 121) line 1.\n
I've printed $cond in handler/simple.pm at line 536 (just before # Eval sub), I
get the following :
sub {return ($apacheRequest->hostname."/auth-bpce")}
If you have any idea on how to get it work fine ...
thank you.
ps: this works with lemonldap-ng 0.9.4
{quote}
1.0.1

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/266 logout_app in rules break the manager (2018-05-18T05:17:15Z, Daniel B.)

On some Linux system / perl version (at least on CentOS 5.5), using logout_app in rules breaks the manager.
How to reproduce:
- Create a rule like this on any virtualhost:
Comment: 01backup
Expression: ^/BackupPC
Rule: logout_app https://backup.domain.tld
- Save the config
- Try to access the manager, you get a blank page with an error message like this one:
Unable to get configuration
Not a CODE reference at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Handler/Simple.pm line 538
And here are the errors in the apache error log:
[Wed Dec 29 18:30:09 2010] [error] [client 192.168.7.50] Bareword found where operator expected at (eval 45) line 1, near "//backup"
[Wed Dec 29 18:30:09 2010] [error] [client 192.168.7.50] \t(Missing operator before backup?)
[Wed Dec 29 18:30:09 2010] [error] [client 192.168.7.50] Lemonldap::NG::Manager error: Unable to get configuration, Not a CODE reference at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Handler/Simple.pm line 538
[Wed Dec 29 18:30:09 2010] [error] [client 192.168.7.50]
1.0.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/268 logout_app and logout_app_sso does not work with Lemonldap::NG::Handler::Proxy (2018-05-18T05:17:15Z, Clément OUDOT)

When we use Lemonldap::NG::Handler::Proxy to replace mod_proxy, the logout_app and logout_app_sso rules do not work.
We have this message in Apache logs:
{panel:title=Apache error log}
:Apache2 IO flush: (302) Unknown error 302 at -e line 0
{panel}
All works fine with mod_proxy, or with logout and logout_sso rules.
1.0.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/270 Safe.pm 2.27 restrict the usage of custom functions (2018-05-18T05:17:15Z, Clément OUDOT)

For example:
{panel:title=SSOExtensions.pm}
package SSOExtensions;
use Net::LDAP;
sub function1 {
my $portal = shift;
my $ldap = Net::LDAP->new('localhost');
return $ldap;
}
1;
{panel}
This works well on Debian or Ubuntu (Safe 2.18) but not in CentOS (Safe 2.27):
{panel:title=Apache error log}
Can't locate object method "new" via package "Net::LDAP" (perhaps you forgot to load "Net::LDAP"?) at /root/SSOExtensions.pm
{panel}
1.0.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/274 Redirection URL is not good in Handler::CGI::_uri function (2018-05-18T05:17:16Z, Clément OUDOT)

We changed the $https option to manage per virtualhost options, and upgraded the buildURL method in Handler::Vhost but not in Handler::CGI.
The code to change is:
```
sub _uri {
    return
        'http'
      . ( $https ? 's' : '' ) . '://'
      . $ENV{SERVER_NAME}
      . $ENV{REQUEST_URI};
}
```
1.0.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/283 CPAN Testers report (2018-05-18T05:17:16Z, Clément OUDOT)

We have two failing reports:
* http://www.cpantesters.org/cpan/report/0fac3e7e-4394-11e0-b68e-b06b7ed6bd13
* http://www.cpantesters.org/cpan/report/1f454344-4344-11e0-982f-0b93332d9f4b
1.0.3

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/287 Implement HTTP Strict Transport Security (2018-05-18T05:17:16Z, Clément OUDOT)

See http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
1.9.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/288 Secure Token Handler (2018-05-18T05:17:16Z, Clément OUDOT)

For one of my customers, I have created a "Secure Token" specific Handler, that I will publish for the community.
The goal is to transfer to the protected application a token, that will be used by this application to do a call (web service, or other) to get the real user identity. This token is created at the request, and deleted when the response comes back.
A use case: the protected application is calling a third party web service, but for security reasons, cannot send the user identity to this web service. Instead, it sends the token to this web service, and the web service resolves the token to get user identity.
My first implementation uses a Memcached server, with these benefits:
* High read/write performances (remember that we create a token per request!)
* Built-in token expiration (no need to purge token manually)
This is a kind of proof of concept, but can maybe be useful to others.
1.1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/303 Form replay filter is not compatible with recent Safe module version (2018-05-18T05:17:17Z, Clément OUDOT)

With a recent upgrade of Perl, the form replay does not work anymore. Here is the log:
{panel:title=Apache error.log}
[Mon May 16 11:20:40 2011] [error] [client 127.0.0.1] Can't locate object method "new" via package "URI" (perhaps you forgot to load "URI"?) at (eval 152) line 6.\n, referer: http://test1.example.com/index.pl
[Mon May 16 11:20:40 2011] [error] Apache2::RequestIO::read: (120001) filter handler has failed at (eval 133) line 5
{panel}
This works with Safe jail disabled:
{panel:title=lemonldap-ng.ini}
[all]
useSafeJail = 0
{panel}
1.1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/319 Custom functions and SafeLib ignored if Safe jail is disabled (2018-05-18T05:17:17Z, Clément OUDOT)

If useSafeJail is set to 0, SafeLib functions and custom functions are not loaded.
1.1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/320 Unprotect rule does not delete headers (2018-05-18T05:17:18Z, Clément OUDOT)

Found by Quentin Garnier.
When we unprotect a zone, or a complete vhost, we can access it without authentication, but if we own an SSO session, the headers are sent, and they should not be: an unprotected zone can be an unsafe zone.
Seems linked to #236.
1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/338 Handler::Proxy raise error with POST request without content-length (2018-05-18T05:17:18Z, Clément OUDOT)

Bug found by Pascal PEJAC.
{panel:title=error.log}
The LENGTH argument can't be negative at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Handler/Proxy.pm line 90.
{panel}
We must test content-length before reading the socket. If no length, the read function should not be called.
1.1.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/342 Create a "maintenance" rule target to disallow an application (2018-05-18T05:17:19Z, Clément OUDOT)

We can add a new target (like accept/deny/unprotect/etc.) to deny access to an application for maintenance. The user will be redirected on the portal with a maintenance message. We can also remove the application from the menu.
The idea is from François PICHOUD.
1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/350 remote SOAP handlers errors on reload (2018-05-18T05:17:19Z, Daniel B.)

Since the upgrade to 1.1.0 on my main server, remote handlers (using SOAP) have random errors when the configuration reloads:
[Sat Jul 09 14:21:15 2011] [notice] My::Package: request for configuration reload
SOAP error : lastCfg is not an authorizated function at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/CGI/SOAPService.pm line 40.
[Sat Jul 09 14:21:15 2011] [error] My::Package: Unable to load configuration : Lemonldap::NG::Common::Conf::SOAP loaded.\nNo configuration available.\nNo configuration available.\nNo configuration available.\nNo configuration available.\n
Or:
SOAP error : lastCfg is not an authorizated function at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/CGI/SOAPService.pm line 40.
Sometimes the configuration is reloaded without error, but most of the time I get one of these error messages. Everything was working when the main server was running 1.0.6 (so for now, I've downgraded).
Regards, Daniel
1.1.1

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/357 CPAN tester report: missing dependency for SecureToken Handler (2018-05-18T05:17:19Z, Clément OUDOT)

See http://www.cpantesters.org/cpan/report/f58f1d04-cecb-11e0-85c1-834ae7bc264d
1.1.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/358 [SecureToken] Check if cached connection is alive before using it (2018-05-18T05:17:19Z, Clément OUDOT)

1.1.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/359 [SecureToken] Add an option to raise error if token could not be generated (2018-05-18T05:17:19Z, Clément OUDOT)

1.1.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/365 Log sent headers in debug mode (2018-05-18T05:17:20Z, Clément OUDOT)

It would be useful to see sent headers in debug mode.
1.1.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/386 use LL::NG::Handler instead of custom perl module in apache config (2018-05-18T05:17:21Z, FX Deltombe)

To protect apps with LL::NG, an administrator has to build his own perl package calling LL::NG::Handler::SharedConf, and executing __PACKAGE__->init($h), where $h is a parameters hashref. But $h is often empty, since now most parameters are in global conf and in lemonldap-ng.ini.
It would be meaningful to call __PACKAGE__->init({}) in LL::NG::Handler. Now, LL::NG::Handler is just an alias of LL::NG::Handler::SharedConf, so it is not really useful. Add init() in Handler.pm would make this package directly usable by an administrator, so a basic configuration LL::NG would be easier to set: no custom package anymore, just add "PerlHeaderParserHandler Lemonldap::NG::Handler" in apache config.1.4.0https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/395LL::NG::Handler::CGI ignores some config parameters2018-05-18T05:17:21ZFX DeltombeLL::NG::Handler::CGI ignores some config parametersLL::NG::Handler::CGI doesn't take care some config parameters as useRedirectOnForbidden (probably also useRedirectOnError) and access rule keywords "unprotect" and (I suppose) "logout_*"LL::NG::Handler::CGI doesn't take care some config parameters as useRedirectOnForbidden (probably also useRedirectOnError) and access rule keywords "unprotect" and (I suppose) "logout_*"1.9.0https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/417Apache Fitler to add application panel on protected pages2018-05-18T05:17:22ZClément OUDOTApache Fitler to add application panel on protected pagesThe idea is to add a little panel with a link on the portal, and why not a link on the other applications. This can be done with a filter, that will add a floating div in the DOM.The idea is to add a little panel with a link on the portal, and why not a link on the other applications. This can be done with a filter, that will add a floating div in the DOM.1.2.0https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/420Unable to access to http virtualhosts2018-05-18T05:17:22ZFX DeltombeUnable to access to http virtualhostsThe manager makes possible to have http and https virtualhosts on the same server : this was point of Lemonldap-5.
But in that case the access control doesn't work for http virtualhosts, since the handler looks for the secured cookie ins...The manager makes possible to have http and https virtualhosts on the same server : this was point of Lemonldap-5.
But in that case the access control doesn't work for http virtualhosts, since the handler looks for the secured cookie instead of the unsecure one.
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/421
Double cookie but single session
FX Deltombe, 2018-05-18T05:17:22Z
LL::NG can deliver two cookies, a secured/https one and an unsecure/http one. In that case, two sessions are written, one per cookie, and these sessions hardly differ.
It would be more interesting for the database to write just one session. For that, the http cookie's value can be obtained by ciphering the secured cookie's.
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/423
Free administrators from My::Package
FX Deltombe, 2018-05-18T05:17:22Z
It seems that originally, the perl module My::Package was done to override global conf parameters on a server. But now this can also be done in lemonldap-ng.ini.
On the other hand, "My::Package" doesn't sound very serious and explicit, especially if it is defined in a file called "MyHandler.pm". It also induces the administrator to write his own package - as it is recommended in the handler's pod - and that is not really intuitive, even with a guideline.
I think the perl directives in a standard handler apache config should look like
```
PerlModule Lemonldap::NG::Handler
PerlChildInitHandler Lemonldap::NG::Handler->init
PerlHeaderParserHandler Lemonldap::NG::Handler
```
or even skip the PerlChildInitHandler directive, by executing init() on loading the module. It would be easy to understand and to use, and at first sight it would be obvious that the module is a standard module.
What is your opinion about that?

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/424
keyword 'skip' in access rules, to skip access control
FX Deltombe, 2018-05-18T05:17:23Z
For better performance, you may want to protect only meaningful contents, and not dummy contents or static files such as images and css.
Configuring access control only on some specific urls may be done in apache config, with 'Location' and 'LocationMatch' directives, but it's not easy to use. For example, if you want to control access to all urls except /images/ and /static/css/, you must write
```
<LocationMatch "(?!\/(images|static\/css)\/)">
PerlHeaderParserHandler Lemonldap::NG::Handler
</LocationMatch>
```
Besides, lemonldap-ng cookies are not removed from the unprotected requests, so they may be caught by remote apps. Of course it can be done with 'Header delete Cookies', but then it removes all cookies.
I would like to add the possibility to tell the Lemonldap::NG Handler to skip access control, but just remove cookies, by adding a keyword 'skip' in access rules.
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/444
Reorganize files in SVN repository
Clément OUDOT, 2018-05-18T05:17:24Z
We need to reorganize files, now that contributions have been moved to github. The goal is to have the content of build/lemonldap-ng directly at the root.
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/454
Replace $ip with client IP in forging HTTP headers doesn't work
FX Deltombe, 2018-05-18T05:17:24Z
Let's assume we have a HTTP Header rule "client_ip" => $ip; it should be filled with the client IP, but it throws a perl error "Can't locate object method "remote_ip" via package "Apache2::Connection" at (eval 10544) line 1".
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/459
Translate cookie domain in internal proxy (lmProxy)
Clément OUDOT, 2018-05-18T05:17:24Z
The internal proxy can rewrite the Location header, but it is also useful to rewrite the cookie domain.
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/464
LL::NG::Handler::AuthBasic displays login / password in error log
FX Deltombe, 2018-05-18T05:17:24Z
When running LL::NG::Handler::AuthBasic, the base-64 encoded 'login:password' is written into error logs with loglevel notice (but mentioned as 'debug'). This is a security lack, it must be written as debug log.
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/470
Zimbra PreAuth Handler syntax error
Clément OUDOT, 2018-05-18T05:17:25Z
```
root@ader:~# perl -c /usr/local/share/perl/5.14.2/Lemonldap/NG/Handler/ZimbraPreAuth.pm
syntax error at /usr/local/share/perl/5.14.2/Lemonldap/NG/Handler/ZimbraPreAuth.pm line 79, near ");"
/usr/local/share/perl/5.14.2/Lemonldap/NG/Handler/ZimbraPreAuth.pm had compilation errors.
```
Milestone: 1.2.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/483
Remove all defined() on @array or %hash of LL::NG code
Sandro CAZZANIGA, 2018-05-18T05:17:25Z
Hi all around there,
I'd like to propose a code cleaning for 1.3.0! It concerns the defined() perl function. As explained in the perldoc, its use is deprecated on hashes and arrays (and may disappear in the future):
Use of defined on aggregates (hashes and arrays) is deprecated. It used to report whether memory for that aggregate had ever been allocated.
In fact, we also have warnings at test time.
So, for the 1.3.0 LL::NG release, I suggest that we fix that in ALL the LL::NG code. No more stuff like:
- if (defined(@stuff)) (will become if (@stuff))
- if (defined(%otherstuff)) (will become if (%otherstuff))
Milestone: 1.2.1

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/491
Don't import all functions of POSIX
Sandro CAZZANIGA, 2018-05-18T05:17:26Z
I've found several occurrences where we import all functions of POSIX instead of importing only the functions that we use.
As the POSIX export list is *HUGE*, this costs a lot in memory.
We can reduce the quantity of used memory by a lot, just by importing only the functions that we use.
Milestone: 1.2.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/492
Macro execution failed
Thomas Bétrancourt, 2018-05-18T05:17:26Z
I have a user user1 which is in the group "administrateurs".
From the session explorer, I confirm that LemonLDAP::NG sees this group for this user.
I've defined a macro "_isAdmin" with this rule: $uid eq "admin" or $groups =~ /\badministrateurs\b/
This rule is also defined as access rule to the manager.
The user can access the manager, but the result of the macro execution is false?!
I've attached my config file.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/497
CDA not working
Thomas Bétrancourt, 2018-05-18T05:17:26Z
I followed the documentation about CDA configuration.
My auth system is working with mydomain.net. I've some websites on the domain mydomain.com. I've defined the property cda in /etc/lemonldap-ng/lemonldap-ng.ini to '1'.
In the manager, I've enabled the parameter General Parameters > Cookies > Multiple domain.
I've defined a vhost for my application (configuration attached as target.conf).
When I try to go to the application, the URL is http://my_appli/?1&1&1&1&1...
I've also attached logs from LemonLDAP for this application (nagios_betrancourt_access.log; error is empty).
HTTPD logs for the target are empty.
Milestone: 1.2.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/499
purgeLocalCache does not work
FX Deltombe, 2018-05-18T05:17:26Z
Script purgeLocalCache does not work in a standard configuration, for two reasons:
- it tries to get local cache parameters in lemonldap-ng.ini's Handler section, but the standard lemonldap-ng.ini suggests to define it in the Configuration section - we must adapt lemonldap-ng.ini
- $cacheObject->Purge() does not work (I don't know why), but $cacheObject->purge() does.
Besides, this script loads remote configuration, but it is useless.
By the way, I tried to replace this purge with Cache::Cache's auto purge mechanism, but it does not work because of file rights (directory __AUTO_PURGE__ is created by root, so LL::NG can't update it).
Finally, there are plenty of odd things about cache, and mostly ambiguity between session cache and config cache. I am opening an improvement for that.
Milestone: 1.3.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/503
vhost aliases
FX Deltombe, 2018-05-18T05:17:26Z
It would be nice to be able to define several domain names for a single vhost.
Now, if you have an Apache vhost with a ServerName and one or several ServerAlias directives, you must set one vhost per domain name in LL::NG config.
It would be better to define the ServerAlias names as aliases, for legibility and to spare memory (since precompiled methods for access rules and headers would be shared).
By the way, it could also be used for twin apps (I mean, apps corresponding to different Apache vhosts, but with the same LL::NG parameters).
An improvement would be to be able to set a regexp instead of a list of aliases.
About the manager, I think the aliases should be defined in vhost options.
Milestone: 1.3.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/519
SOAP webservice getCookies() should work with Auth Multi
Daniel B., 2018-05-18T05:17:27Z
It's not possible to use Lemonldap::NG::Handler::AuthBasic when using AuthMulti. At least, when using AuthMulti with SSL; LDAP, the SOAP request getCookie to open the session will not check the password. In fact, it's the first auth module (SSL) which validates the basic auth, and any password is accepted.
You can find attached my apache error log in debug LogLevel (the forbidden access at the end is expected, as the user in this example is not allowed in the access rules, but he was able to open a session with a wrong password).
If I just switch to AuthLDAP (without changing anything else), then the password is checked, and I get a 550 Internal Server Failure when I enter a wrong password.
Milestone: 1.2.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/522
Cross-domain authentication and http cookies
FX Deltombe, 2018-05-18T05:17:27Z
When double cookie is enabled, CDA works only with the secured cookie.
Precisely, if the user comes from a cross-domain http URL, he is redirected to the portal, then the portal redirects him to that URL with lemonldaphttp=XXX in the query string (assume the cookie name is 'lemonldap'), but the handler expects lemonldap=XXX.
Milestone: 1.2.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/527
Error with CDA when redirecting to other domain with lemon cookie as a get parameter
Jaboeuf Quentin, 2018-05-18T05:17:27Z
There is a syntax error in /usr/share/perl5/Lemonldap/NG/Portal/Simple.pm on line 2505: missing parentheses around
```
$self->{securedCookie} < 2 or $ssl
```
so 'or' is prevailing on the '?:' operator and breaking it; so when the portal would have to redirect with the lemon cookie as a get parameter, instead it adds /?1 to the url.
I propose 2 patches: one with the missing parentheses added, another replacing the ?: operator with an if/then/else statement.
Milestone: 1.2.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/528
With CDA, even if service url is https, cookie secure flag is not set for the second domain
Jaboeuf Quentin, 2018-05-18T05:17:27Z
A mistake in handler/Simple.pm on line 960:
```
my $redirectHttps = ( $redirectUrl =~ m/^ĥttps/ );
```
Look at it closer: there is a ĥ !!! and not a h, so the correct line is:
```
my $redirectHttps = ( $redirectUrl =~ m/^https/ );
```
The bug induced by this syntax error is that the cookie generated for the second domain in a cross domain situation will never have the secure flag set, even if the service url is https.
Patch joined.
Milestone: 1.2.2

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/531
The "basic($uid,$_password)" extended function doesn't return the password
Updateme Hugo, 2018-05-18T05:17:28Z
Hello,
I do have an issue with LemonLDAP; as I followed the documentation I guess this is a bug (I hope I'm not wrong).
On the manager I added a HTTP header.
key auth is Authorisation, value is "Basic ".encode_base64("$uid:$_password")
StorePassword is set to 1 (enabled).
On the handler the $_password is empty:
```
Simple.pm(220): Send header Authorization with value Basic aHVnby5kZXByZXo6
```
If you decode it, the password is empty.
If you need more information feel free to ask.
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/532
SOAP not working with SSL
Updateme Hugo, 2018-05-18T05:17:28Z
Hello,
I am trying to use lemonldap with the portal protected by HTTPS.
My configuration is the following:
- Apache2 virtual host configured with HTTPS,
- I changed on the manager the URL for the portal,
- I changed the handler configuration: proxy using https URL.
Access to the portal is working.
Access to the application (using http) is not working.
Here are the apache2 logs:
```
[Wed Sep 19 16:47:07 2012] [debug] Simple.pm(220): Redirect 192.168.202.1 to portal (url was /)
[Wed Sep 19 16:47:07 2012] [debug] Simple.pm(220): Build URL http://application.mydomain.fr
[Wed Sep 19 16:47:07 2012] [debug] mod_deflate.c(615): [client 10.10.40.134] Zlib: Compressed 354 to 271 : URL /
[Wed Sep 19 16:47:07 2012] [debug] Simple.pm(219): /usr/share/perl5/Lemonldap/NG/Handler/Simple.pm 899:
[Wed Sep 19 16:47:07 2012] [info] Session 7cc35b22baf1af7ecd0b6b2a1c981684 can't be retrieved: 411 Length Required at /usr/share/perl5/Lemonldap/NG/Common/Apache/Session/SOAP.pm line 138\n
```
The cookie seems to be created, but the handler is unable to retrieve the session.
When I use the HTTP protocol I don't have any issue.
For information, I use self-signed certificates for the virtualhost.
Milestone: 1.2.5

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/533
Handler is not reading /etc/lemonldap-ng/lemonldap-ng.ini for SOAP parameters
Updateme Hugo, 2018-05-18T05:17:28Z
Hello,
when I just install the handler on the remote host and I configure the SOAP parameters in /etc/lemonldap-ng/lemonldap-ng.ini such as:
```
type = SOAP
proxy = http://auth.mydomain.fr/index.pl/config
proxyOptions = { timeout => 15 }
```
When I try to access a protected virtualhost I get the following error:
```
Session 526e3778200c79702488313d845a5014 can't be retrieved: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/File.pm line 93.\n
```
To solve this issue I have to modify the following file: /var/lib/lemonldap-ng/handler//MyHandler.pm
```
globalStorage => 'Lemonldap::NG::Common::Apache::Session::SOAP',
globalStorageOptions => {
    proxy => 'http://auth.mydomain.fr/index.pl/sessions',
    proxyOptions => {
        timeout => 15,
    },
},
```
It seems that the handler is not reading parameters in /etc/lemonldap-ng/lemonldap-ng.ini.
Let me know if I am wrong.
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/534
splice not necessary to parse @_ in subroutines
Peter Marschall, 2018-05-18T05:17:28Z
Hi,
I saw that you are using splice to parse @_ into individual variables in subroutines, e.g.
```
my ( $class, $uri ) = splice @_;
```
This is not necessary. For the individual variables the above code is equivalent to
```
my ( $class, $uri ) = @_;
```
The only difference is that using splice, @_ gets emptied (which costs time).
So leaving away splice has the following advantages:
* identical behaviour
* smaller code (1,5k in all ;-)
* maybe a bit of speed gain ;-)
* option to reuse @_ or parts of it for subroutines to be called, e.g.
```
sub routineA {
    # @_ may contain more than 2 elements
    my ($x,$y) = @_;
    my $z = routineB(@_); # all elements passed
    ...
}
```
I.e. no need to parse & copy all variables in routineA if they are used only in routineB.
Thanks for considering this optimization.
Milestone: 1.9.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/539
Add SOAP::Lite dependency for Handler CPAN module
Clément OUDOT, 2018-05-18T05:17:28Z
See http://www.cpantesters.org/cpan/report/0f5d9ce6-0afe-11e2-8755-e63c2a028b78
Milestone: 1.2.3

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/541
Handler SOAP errors : setAttributes is not an authorizated function
Updateme Hugo, 2018-05-18T05:17:28Z
Hello,
On the handler, from time to time I have the following error in the apache2 log file:
```
SOAP Error: setAttributes is not an authorizated function at /usr/share/perl5/Lemonldap/NG/Common/CGI/SOAPService.pm line 40
```
Maybe this is a configuration issue but I don't find anything wrong.
Regards
Hugo
Milestone: 1.2.3

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/543
LL::NG::Handler::AuthBasic fails to manage persistent connections
FX Deltombe, 2018-05-18T05:17:28Z
LL::NG::Handler::Simple and LL::NG::Handler::AuthBasic try to check if the current user is the same as the previous request's user - in that case, it is useless to retrieve the session in local cache or in the session backend, since it is still in memory.
But LL::NG::Handler::AuthBasic fails that check, since it compares $id and $datas->{_session_id}, but $id is computed from user:password, not from session_id.
To manage the check, we have to store that $id in session data in local cache.
Milestone: 1.2.3

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/545
"none" target does not work in Handler/CGI.pm
Yadd, 2018-05-18T05:17:29Z
Handler/CGI.pm does not look at the "protection" value before calling "authenticate", so the "none" target does not work.
Milestone: 1.2.3