lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2022-12-13T14:55:06Z

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2586
RGAA: aria-label attribute needs to be translated
Updated: 2022-12-13T14:55:06Z
Author: Albert Rinceau

Rule 7.1
All aria-label attributes should be translated.
Ex: the burger navigation menu aria-label="Toggle navigation" should be in French: aria-label="Ouvrir le menu"

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2584
RGAA: drag & drop action should also be feasible with buttons
Updated: 2022-12-13T14:55:10Z
Author: Albert Rinceau

Rule 13.10
In the portal, we can drag & drop application groups to change their order.
This should also be feasible with buttons because it is considered a complex move.

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2583
RGAA: Password policy checks not usable with screen reader
Updated: 2022-12-13T14:55:13Z
Author: Albert Rinceau

Rule 7.1
The checks and rules policy (red/green cross icons) for password changes are not taken into account by accessibility tools (like screen readers)

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2582
RGAA: in portal, applications should be structured as list
Updated: 2022-12-13T14:55:16Z
Author: Albert Rinceau

Rule 9.3
Applications in the portal should be structured as a list, with a `<ul>` and as many `<li>` as the number of applications

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2581
RGAA: Titles should be hierarchically structured
Updated: 2022-12-13T14:55:18Z
Author: Albert Rinceau

Rule 9.1
Titles should be structured in a way that gives parent information > child information > grand-child information
In the portal for example, the main title should be `<h1>`, application group titles `<h2>`, application names `<h3>`, ...
`<hX>` tags cannot be used for graphical GUI purposes

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2580
RGAA: actions keyboard accessibility
Updated: 2022-12-13T14:55:33Z
Author: Albert Rinceau

Rule 7.3
All actions should be accessible with a keyboard.
- Refresh captcha action should use a `<button>` tag
- remove role="button" from the `<a>` tag "return to portal"
- in the portal menu, we use `<a>` tags instead of buttons (for ex: refresh my rights)
a bit like #2561

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2579
RGAA: main HTML areas should be marked WAI-ARIA
Updated: 2022-12-13T14:55:37Z
Author: Albert Rinceau

Rule 12.6
Header should have the WAI-ARIA unique attribute role="banner"
Main content should have the WAI-ARIA unique attribute role="main"
Footer should have the WAI-ARIA unique attribute role="contentinfo"

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2578
RGAA: mandatory field in forms should be tagged
Updated: 2022-12-13T14:55:39Z
Author: Albert Rinceau

Rule 11.10
In forms, mandatory fields should be tagged.
For example, by placing a "*" beside the label.
In this case a legend should explain that fields marked with "*" are mandatory.
Invalid fields should be marked with an attribute aria-invalid="true"

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2576
RGAA: header, main and footer should use tag <header>, <main> and <footer>
Updated: 2022-12-13T14:55:42Z
Author: Albert Rinceau

Rule 9.2
header, main and footer should be inside the tags `<header>`, `<main>` and `<footer>`
today we only use `<div id="footer/header">`

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2575
RGAA: Language code should be ISO639 conform
Updated: 2022-12-13T14:55:45Z
Author: Albert Rinceau

Rule 8.4
Language codes (especially in the page lang attribute) should conform to ISO639:
ex: lang="fr-FR"

Milestone: Backlog

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2569
backend timeout leads to server ERROR with no resilience
Updated: 2023-07-19T19:18:55Z
Author: Albert Rinceau

### Concerned version
Version: %2.0.11
Platform: Nginx with fastcgi-server
### Summary
One of my nginx workers got an LDAP timeout (I have no reason to explain it) and then entered an error loop with no way (except restarting the service) to get it out, even though the LDAP backend was reachable.
Something weird: the other worker pids looked to be working perfectly and kept serving requests (according to access.log). Only this one [4721] returned errors.
I noticed it by chance, getting a couple of black error pages (which did not come back after a simple refresh). After a while, I checked the logs and saw that I had had errors for a few days. Indeed, as explained, only one worker had this error; the others worked perfectly.
### Logs
```
/var/log/nginx/lemonldap.log-20210717.gz:142:Jul 16 16:26:04 websso LLNG[4721]: [error] Initialization failed: Unable to protect this server (Lemonldap::NG::Common::Conf::Backends::LDAP loaded.#012TIMEOUT#012Error: No configuration available in backend.#012Get remote configuration (localStorage unavailable).)
/var/log/nginx/lemonldap.log-20210717.gz:143:Jul 16 16:26:04 websso LLNG[4721]: [error] Initialization failed! Enable debug logs, reload your web server and catch main error...
/var/log/nginx/lemonldap.log-20210717.gz:144:Jul 16 16:26:04 websso LLNG[4721]: [warn] [anonymous] Initialization failed! Enable debug logs, reload your web server and catch main error...
/var/log/nginx/lemonldap.log-20210717.gz:145:Jul 16 16:26:04 websso LLNG[4721]: [error] Error 500: Initialization failed! Enable debug logs, reload your web server and catch main error...
/var/log/nginx/lemonldap.log-20210717.gz:146:Jul 16 16:29:25 websso LLNG[4721]: [warn] [anonymous] Initialization failed! Enable debug logs, reload your web server and catch main error...
/var/log/nginx/lemonldap.log-20210717.gz:147:Jul 16 16:29:25 websso LLNG[4721]: [error] Error 500: Initialization failed! Enable debug logs, reload your web server and catch main error...
/var/log/nginx/lemonldap.log-20210717.gz:148:Jul 16 16:44:16 websso LLNG[4721]: [warn] [anonymous] Initialization failed! Enable debug logs, reload your web server and catch main error...
[...]
```
### Backends used
Using LDAP backend for configuration, user and sessions
### Possible fixes
no idea.

Milestone: In discussion

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2556
Unable to use second factor with Kerberos authentication
Updated: 2021-07-01T21:32:27Z
Author: Clément OUDOT

When using Kerberos and a second factor, the Kerberos authentication fails and the screen to enter the OTP is not shown.
Some logs:
```
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Build URL https://xxxx/?kerberos=1
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Redirect xxxx to portal (url was /?kerberos=1)
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] User not authenticated, Try in use, cancel redirection
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Start routing default route
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing checkUnauthLogout
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing controlUrl
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Kerberos ticket received: xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/xxxx.KEYTAB
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing getUser
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing authenticate
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> authResult = 0
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setAuthSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setMacros
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setGroups
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Searching LDAP groups in ou=groups,xxxx for uid=xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Group search filter: (&(objectClass=groupOfNames)(|(member=uid=xxxx)))
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setPersistentSessionInfo
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Persistent session found for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Restore persistent parameter _loginHistory
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Restore persistent parameter _updateTime
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing setLocalGroups
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing store
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Store xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Try to get a new SSO session
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Return SSO session d138efbfce3c39d3848060724d1d5443979be09b422914a9887b0cee4a6530e8
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Looking if ext2F is available
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> OK
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Processing secondFactor
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Looking if ext2F is available
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] -> OK
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [info] Second factor required for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] [info] Second factor required for xxxx
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Token 1625083574_62763 created
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Generated ext2f code : 059908
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Launching "Send" external 2F command -> /usr/local/bin/send_sms.sh $mobile $code
[Thu Jul 1 18:04:14 2021] [LLNG:49880] [debug] Executing command: /usr/local/bin/send_sms.sh xxxx 059908
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/avem/ext2fcheck.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Sending /usr/share/lemonldap-ng/portal/templates/avem/ext2fcheck.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CORS policy :
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Origin
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Credentials
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] true
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Methods
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] POST,GET
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Expose-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Max-Age
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] 86400
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Prepare external 2F verification
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned status: -4 (PE_SENDRESPONSE)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [info] No cookie found
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Build URL https://xxxx/?cancel=1&skin=xxxx
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Redirect xxxx to portal (url was /?cancel=1&skin=xxxx)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] User not authenticated, Try in use, cancel redirection
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Start routing default route
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing checkUnauthLogout
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing restoreArgs
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing controlUrl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Cancel called, push authCancel calls
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing code ref
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Launching ::Issuer::SAML::storeEnv
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [notice] Combination (Lemonldap::NG::Portal::Auth::Kerberos): Kerberos authentication has failed, back to portal
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] [notice] Combination (Lemonldap::NG::Portal::Auth::Kerberos): Kerberos authentication has failed, back to portal
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Store 0 in hidden key kerberos
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [info] Scheme "Kerberos" returned 5, trying next
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Processing extractFormInfo
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Prepare token
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Token 1625083575_27425 created
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned error: 9 (PE_FIRSTACCESS)
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Returned userId: anonymous
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Display type standardform
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin returned: login
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Calling sendHtml with template login
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin avem selected from GET/POST parameter
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/avem/login.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Skin avem selected from GET/POST parameter
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Sending /usr/share/lemonldap-ng/portal/templates/avem/login.tpl
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Apply following CORS policy :
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Origin
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Credentials
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] true
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Allow-Methods
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] POST,GET
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Expose-Headers
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] *
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] Access-Control-Max-Age
[Thu Jul 1 18:04:15 2021] [LLNG:49880] [debug] 86400
```

Milestone: 3.0.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2553
Minimal Bullseye + Ansible + Apache2 static file won't be delivered
Updated: 2021-06-25T13:54:35Z
Author: Clément J

### Concerned version
Version: %2.0.11
Platform: Apache
OS: Debian 11 (Bullseye)
### Summary
Freshly installed on Bullseye via Ansible, lemonldap fails to deliver static content. Some URLs mention /javascript/angular directly, and others don't resolve in the lemon DocumentRoot.
Some URLs are badly forged.
### Logs
See [lemon-debug.tar.gz](/uploads/30832bb37c11e9920396b3a06622ef41/lemon-debug.tar.gz). One file is HAR from Firefox, second is error.log from apache in debug mode.
### Backends used
File backend, actually with LDAP authentication. But with a fresh install without any tweaks, it has the same behavior.
### Possible fixes
Don't know.
Exactly the same install on Debian 10.10 gives a fully functional Lemon.

Milestone: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2545
Consolidate login timeout settings
Updated: 2021-07-01T20:59:27Z
Author: Maxime Besson

### Summary
We have too many different timeouts for "waiting for the user to do something"
* formTimeout
* issuersTimeout
* mail2fTimeout
* mailTimeout
* registerTimeout
* oidcRPStateTimeout
* samlRelayStateTimeout
All these timeouts have different, sometimes inconsistent values (samlRelayStateTimeout vs issuersTimeout in SAML-to-SAML scenario) or values that are too short by default (formTimeout, #2544)
### Design proposition
We should consolidate all these timeouts into broader categories.
For example:
* "User action that should be done quickly" => validating an info message, etc, could be 2 minutes by default
* "User action that takes some time" => filling a complex form, installing an OTP app, remembering their password => could be 5 or even 10 minutes by default
* etc.
As an example, this is how Keycloak does it:
![image](/uploads/4ff574a514b5f6667214a537c80b7e6c/image.png)

Milestone: 3.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2540
XSS protection of CAS service parameter should be removed
Updated: 2024-01-18T08:25:29Z
Author: Maxime Besson

In #1795 we implemented an XSS check on the service= parameter of the CAS issuer (1a8948894d61e1f37dda5c95f2ea0a619545f5f6)
However this change breaks some applications, such as Ametys CMS, which generate login URLs that look like this:
```
https://cms.example.com/plugins/core/authenticate/0?contexts=%2Fsites%2Fintranet%2C%2Fsites%2Ftest-projet-b%2C%2Fsites%2Ftest-ametys%2C%2Fsites%2Fcatalogue
```
Note: `%2C` is a legitimate separator in this context.
According to discussions in #1795, this check is meant to protect against tampering with the Location: header.
However, checkXSSAttack does NOT prevent header injection (it is supposed to prevent XSS in HTML documents, a completely different issue). You can try with the following example:
http://auth.example.com/cas/login?service=http://cas.example.com/test%0D%0AX-Test:%20inject%0D%0A
This attack is caught by
```
unless ( $service =~ m#^(https?://[^/]+)(/.*)?$# ) {
    $self->logger->error("Bad service $service");
    return PE_ERROR;
}
```
<details><summary>(click here to see what happens if I disable this code)</summary>
I'm surprised Plack does not protect you from this:
![image](/uploads/0e01c2040cb7a6992625fa20ebe3ecb8/image.png)
</details>
but this attack is NOT caught by
```
$service = '' if ( $self->p->checkXSSAttack( 'service', $service ) );
```
which makes this check counter-productive in my opinion
## Conclusion
Checking for XSS attacks should be only done for values that are displayed in HTML pages. For values used in Location: headers, we should only check:
* If they are properly formatted URLs (!185)
* If they are in the list of allowed redirection targets (trustedDomains, declared vhost, etc.)

Milestone: 3.0.0
Assignee: Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2514
improve Content-Security-Policy handling
Updated: 2022-05-01T09:37:03Z
Author: Maxime Besson

### Summary
The way CSP currently works could be improved. Currently all the work is done in sendHtml()
Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options
We should instead let each module/LLNG feature handle its own CSP (see `$req->data->{cspFormAction}`).
### Design proposition
Example of a better API, in Choice.pm
<pre>
$req->setCSP("form-action", $url);
</pre>
or when embedding an iframe:
<pre>
$req->setCSP("frame-src", $url);
</pre>
( see also #2513 )

Milestone: 3.0.0
Assignee: Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2507
LLNG 2.0.7 as SAML IDP : OneTimeUse flag set twice in conditions
Updated: 2022-02-04T12:14:34Z
Author: Claude LOISEAU

### Concerned version
Version: 2.0.7
### Summary
Setting "One time use" to On in the service provider configuration causes an erroneous condition tag to be sent:
```
<saml:Conditions NotBefore="2021-04-07T09:47:06Z"
                 NotOnOrAfter="2021-04-08T05:49:06Z">
  <saml:AudienceRestriction>
    <saml:Audience>xxxxxx</saml:Audience>
  </saml:AudienceRestriction>
  <saml:OneTimeUse/>
  <saml:OneTimeUse/>
</saml:Conditions>
```
The tag OneTimeUse is set twice, so the SP rejects assertions.
Setting One time use to Off, the assertion is correctly consumed.

Milestone: FAQ
Assignee: Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2485
SAML : support eduPersonTargetedID attributes
Updated: 2023-06-19T13:58:10Z
Author: Antoine Gallavardin

### Summary
When LemonLDAP::NG acts as a SAML2 IDP, it should be able to deliver the eduPersonTargetedID attribute.
This attribute is widely used inside the Inter Research and Educational Federation
see :
- https://www.switch.ch/aai/support/documents/attributes/edupersontargetedid/
- https://services.renater.fr/documentation/supann/supann2020/recommandations2020/attributs/edupersontargetedid
This attribute is based on the
- SP entityId
- IDP entityID
- user ID
see example values on the French website.
### Design proposition
I've no idea of the implementation and complexity.
One solution is to allow lemonldap to get the entityID of both IDP and SP during the SAML session.
Based on those fetched values, we could use the macros system like:
```
$idpEntityID."!".$idpEntitySP."!".$userPrincipaleName
```
or
```
$idpEntityID."!".$idpEntitySP."!".encrypt($userPrincipaleName)
```

Assignee: Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2468
Add the possibility for a user to create ServiceToken in the portal
Updated: 2022-12-13T14:47:58Z
Author: Téo GODDET

### Summary
We could add an interface to the portal where users can create tokens for ServiceToken Handlers
We could also add a scope notion that people could set.
Token lifetime should be customizable too.
### Main issues/design points:
The ability to list and revoke tokens would need us to store the tokens somewhere.
Maybe like a persistent session (don't know how it works exactly); maybe we should do this in a second step.
We should also discuss authlevel
I have no idea how to handle it.
We should also take care of the docs because it would increase the risk of CSRF vulnerability on protected apps when an app is protected by cookie or token handler.
(Ensure the main+ServiceToken handler already exists, may need to create it)
What do you think of such a feature?

Milestone: Backlog
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2467
Expired password form does not show up on LDAP expired password
Updated: 2022-12-13T14:56:42Z
Author: Nicolas CANIVET

### Concerned version
Version: %2.0.11
Platform: CentOS 8 / Apache 2.4.37
LDAP Directory : FreeIPA v4.8.7
### Summary
When a user logs in with an expired LDAP password, the portal does not show the password renewal form.
The LDAP attribute used by FreeIPA for considering an account as expired is "krbPasswordExpiration".
![password_settings](/uploads/5b66a9ca2c1fff54728f6f43a82ffa68/password_settings.png)
### Logs
See attached log
[auth_with_expired_pass.log](/uploads/100e3b81bb0b33efb6779f37705194c7/auth_with_expired_pass.log)
### Possible fixes
Evaluate expired status from krbPasswordExpiration attribute
I read about issue #2377, I can't say if it's linked or not.
The "_whatToTrace" macro has the value
`$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)`

Milestone: Backlog