lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2017-11-08T11:36:24Z

Issue #13: Check that authLogout is well managed in AuthMulti
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/13
Updated: 2017-11-08T11:36:24Z
Author: Clément OUDOT
Milestone: 1.0

The logout process calls the authLogout method from the authentication module. We should test how this works with AuthMulti.

Issue #16: Use parameterized statements in DBI to prevent SQL injection
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/16
Updated: 2017-11-08T16:02:10Z
Author: Clément OUDOT
Milestone: 1.0

More info here:
http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

Issue #18: [SAML] Common domain cookie support
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/18
Updated: 2017-11-08T16:02:05Z
Author: Clément OUDOT
Milestone: 1.0

This should be implemented for 1.0 because it is required for IDP Lite SAML2 conformance.

Issue #19: Select authentication module on authentication portal
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/19
Updated: 2017-11-08T16:02:00Z
Author: Clément OUDOT
Milestone: 1.0

We should be able to propose multiple authentication schemes so the user can choose how to log in.
For example, we should let the user choose to use OpenID, SAML or a local authentication.
We can try to map each authentication scheme to a URI:
* http://auth.example.com/openid
* http://auth.example.com/saml
* http://auth.example.com/ldap
Depending on the URI, the portal will choose its auth module. If there is no auth module in the URI, it will propose the known authentication methods.

Issue #25: Provide authorized applications through SOAP
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/25
Updated: 2017-11-08T16:02:05Z
Author: Clément OUDOT
Milestone: 1.0

I want to be able to request the portal by SOAP, in order to get all authorized applications. This SOAP call can then be run from a portlet, to be included in Liferay for example.

Issue #27: OpenID provider
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/27
Updated: 2017-11-08T11:36:31Z
Author: Clément OUDOT
Milestone: 1.0

Module IssuerDBOpenID.pm

Issue #28: Read user information from OpenID provider
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/28
Updated: 2017-11-08T16:02:00Z
Author: Clément OUDOT
Milestone: 1.0

This should be implemented in UserDBOpenID.pm

Issue #29: Improve application menu configuration
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/29
Updated: 2017-11-08T16:02:02Z
Author: Clément OUDOT
Milestone: 1.0

The application list in the menu is not very easy to configure (it's a big hash in lemonldap-ng.ini).
We have to discuss how to manage the application list in our next stable version. It seems it's maybe not a good practice to pass HTML code to templates. We should rather have methods that will return all authorized applications for a category.
We maybe have to simplify how the application list can be built. For example, maybe we should only accept 1 or 2 levels of category. Same idea: is it mandatory to have applications under applications? If we restrict this, it could then be easier to configure from a graphical point of view.

Issue #30: [SAML] Unit tests
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/30
Updated: 2017-11-08T11:36:31Z
Author: Clément OUDOT
Milestone: 1.0

We should provide unit tests (*.t) for SAML modules.

Issue #58: Catch ENV variables to fill session for all UserDB modules
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/58
Updated: 2017-11-28T17:47:23Z
Author: Clément OUDOT
Milestone: 1.0

We have a special trick in UserDBLDAP:

    # Special code to catch env var
    if ( my $tmp = $ENV{$_} ) {
        $tmp =~ s/[\r\n]/ /gs;
        $self->{sessionInfo}->{$_} = $tmp;
    }
    else {
        $self->{sessionInfo}->{$_} =
          $self->{ldap}
          ->getLdapValue( $self->{entry}, $self->{exportedVars}->{$_} )
          || "";
    }

This should be available for all UserDB modules. So I propose to put the code in Portal/Simple.pm in setSessionInfo. Then UserDBEnv will not be useful anymore, UserDBNull will be OK!

Issue #92: Cannot change password from menu
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/92
Updated: 2017-11-28T17:47:32Z
Author: Clément OUDOT
Milestone: 1.0

When changing password from the menu, we have this error:
{quote}
[Tue Jun 08 12:27:11 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub authenticate
[Tue Jun 08 12:27:11 2010] [debug] CGI.pm(91): Lemonldap::NG::Portal::SharedConf: processing to sub userError
[Tue Jun 08 12:27:11 2010] [warn] Lemonldap::NG : Bad password for coudot (127.0.0.1)
{quote}
We should not run the authenticate process step when changing password.

Issue #93: LDAP connection error on high load
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/93
Updated: 2017-11-28T17:47:32Z
Author: Clément OUDOT
Milestone: 1.0

When we have high load on LDAP, connections can be closed, but this is not well handled on our side:
{quote}
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] StartTLS failed
[Wed May 26 17:47:15 2010] [error] LDAP error: I/O Error Connection reset by peer
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "loadPP" without a package or object reference at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Portal/AuthLDAP.pm line 24.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33, <DATA> line 275.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
[Wed May 26 17:47:15 2010] [error] Can't call method "search" on an undefined value at /usr/lib/perl5/vendor_perl/5.8.8/Lemonldap/NG/Common/Conf/LDAP.pm line 33.\n
{quote}
We have to be sure that our $ldap object is defined before calling the search method.

Issue #97: Add configuration parameters for private keys passwords
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/97
Updated: 2017-11-10T06:04:24Z
Author: Clément OUDOT
Milestone: 1.0

We should be able to set the private key password in the SAML configuration.

Issue #101: CAS Provider (IssuerDBCAS)
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/101
Updated: 2017-11-28T17:47:35Z
Author: Clément OUDOT
Milestone: 1.0

We can deliver CAS tickets to authenticated users.

Issue #102: IssuerDB contextual selection
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/102
Updated: 2017-11-10T06:04:24Z
Author: Clément OUDOT
Milestone: 1.0

We have to modify the way we use IssuerDB: for now, only one IssuerDB can be active.
The idea would be to have a regexp on the URL that will activate the IssuerDB module. For example /saml/ for IssuerDBSAML.
In Manager, we can display all IssuerDB modules, with these options:
* activation
* URL regexp
* rule (to deny some users for example)
The only function to manage differently is issuerLogout, because all backends should be disconnected.

Issue #103: String encoding in sessions
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/103
Updated: 2017-11-28T17:47:35Z
Author: Clément OUDOT
Milestone: 1.0

We should discuss how to manage string encoding in sessions. It seems for now we store them as UTF-8, but this can be a problem:
* HTTP-BASIC only wants ISO
* some protected applications are not UTF-8 compliant
We should be able to choose the encoding per vhost or per header.

Issue #121: Fake SLO process for standard applications
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/121
Updated: 2017-11-28T17:47:39Z
Author: Clément OUDOT
Milestone: 1.0

We implemented SAML SLO with iframes and all the complex SAML SLO management (requests/responses, etc.).
We can maybe provide a fake SLO process for standard applications:
* We configure in Manager the full logout URLs (not a pattern)
* On portal logout, we build hidden iframes that will do a GET on these logout URLs

Issue #123: Store Lasso Identity Dump in UserDB
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/123
Updated: 2017-11-28T17:47:39Z
Author: Clément OUDOT
Milestone: 1.0

We should store the Lasso identity dump in UserDB so that we can be compliant with persistent NameID.

Issue #125: SAML request is lost in portal user interaction (remove other sessions for example)
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/125
Updated: 2017-11-28T17:47:39Z
Author: Clément OUDOT
Milestone: 1.0

Issue #128: LemonLDAP::NG not compatible with perl-LDAP 0.4001
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/128
Updated: 2017-11-28T17:47:39Z
Author: Clément OUDOT
Milestone: 1.0

When using perl-LDAP 0.4001, we have errors in make test:
{quote}
t/04-Lemonldap-NG-Portal-SOAP.t .......... 1/2 Lemonldap::NG::Portal::AuthLDAP load error: Modification of a read-only value attempted at /usr/local/share/perl/5.10.1/Net/LDAP/Constant.pm line 13.
Compilation failed in require at /usr/local/share/perl/5.10.1/Net/LDAP/Message.pm line 7.
BEGIN failed--compilation aborted at /usr/local/share/perl/5.10.1/Net/LDAP/Message.pm line 7.
Compilation failed in require at /usr/local/share/perl/5.10.1/Net/LDAP.pm line 13.
BEGIN failed--compilation aborted at /usr/local/share/perl/5.10.1/Net/LDAP.pm line 13.
Compilation failed in require at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/_LDAP.pm line 8.
BEGIN failed--compilation aborted at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/_LDAP.pm line 8.
Compilation failed in require at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/AuthLDAP.pm line 9.
BEGIN failed--compilation aborted at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/AuthLDAP.pm line 9.
Compilation failed in require at (eval 97) line 3.
Lemonldap::NG::Portal::Simple error: Configuration error, Unable to load Lemonldap::NG::Portal::AuthLDAP
# Looks like you planned 2 tests but ran 1.
{quote}
This causes problems for packaging on Debian and RHEL5.5:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577340