lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2023-09-22T14:13:29Z

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539
[security:high, CVE-2021-35472] session cache corruption can lead to authorization bypass or spoofing
2023-09-22T14:13:29Z, Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %2.0.0 to %2.0.11
Platform: Nginx/uWSGI
### Summary
- Enable Impersonation plugin
- Enable REST Session server
- Disable CSRF tokens
- Start a terminal and execute :
for i in {1..1000}; do curl -X POST -H 'Accept:application/json' -d user=msmith --data-urlencode password='msmith' http://auth.example.com:19876;done
- make reload
- Login dwho/dwho/dwho and hit F5 to refresh Portal
- Alternately authenticated as 'dwho' or 'msmith'
### Backends used
PG
![vokoscreen-2021-06-08_22-12-00](/uploads/0f9e1505bbbf02384be054e46f27c941/vokoscreen-2021-06-08_22-12-00.mp4)
### Possible fixes
Seems the issue is linked to the handler's internal cache.
Login with 'dwho' / 'dwho'
Enable Impersonation plugin -> make reload_web_server
Start bash loop, hit F5 and session switches to 'msmith'
Stop bash loop and session is back to 'dwho' after 10/15 seconds.
Milestone: 2.0.12. Assignee: Yadd.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2543
[security:low] 2FA bypass with sfOnlyUpgrade and totp2fDisplayExistingSecret
2023-09-22T14:13:29Z, Maxime Besson
### Concerned version
Version: 2.0.11
### Summary
* Configure "Use 2FA for session upgrade"
* Configure TOTP with "Display existing secret" enabled
* Steal a user's password and login with it
* Go to 2FA manager, click TOTP
* Scan the user's existing TOTP to your own device, and profit.
on backends
### Possible fixes
Either
* Remove the ability to display existing 2FA secrets
Or
* Protect existing secret from being displayed when current authentication level is too low
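An added Python example, not code from the project or the reporter, in two parts: an RFC 6238 TOTP implementation showing that the displayed secret alone reproduces the user's codes (which is what makes showing it to a password-only session a second-factor bypass), and the gate the second fix describes, refusing to reveal the stored secret unless the session's authentication level already reflects the second factor. The level values, the `authenticationLevel` session field and the function names are assumptions, not the project's API.

```python
# Added example (not code from the LemonLDAP::NG project or the reporter).
# Part 1: RFC 6238 TOTP, to show that the stored secret alone reproduces the
# user's codes, which is why showing it to a password-only session is a 2FA
# bypass. Part 2: the gate from the second proposed fix, refusing to reveal
# the secret below a given authentication level. Level numbers, the session
# field name `authenticationLevel` and the function names are assumptions.
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    return hotp(key, at // step, digits)


def key_from_display(secret_b32: str) -> bytes:
    """Secrets shown as text/QR are base32; tolerate spacing, case, padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def code_from_disclosed_secret(secret_b32: str, at: int) -> str:
    """What an attacker who saw the secret can compute at time `at`."""
    return totp(key_from_display(secret_b32), at)


PASSWORD_ONLY_LEVEL = 2   # assumption: level of a password-only session
TOTP_LEVEL = 5            # assumption: level after a successful TOTP check


class SecretDisclosureRefused(PermissionError):
    pass


def reveal_existing_secret(session: dict, stored_secret_b32: str,
                           required_level: int = TOTP_LEVEL) -> str:
    """Gate for "display existing secret": only a session that already proved
    the second factor (level >= required_level) may see it. With
    sfOnlyUpgrade, a session that logged in with just the password sits
    below that level, so a stolen password no longer yields the TOTP seed."""
    level = int(session.get("authenticationLevel", 0))
    if level < required_level:
        raise SecretDisclosureRefused(
            f"authentication level {level} < {required_level}: "
            "re-authenticate with the second factor first"
        )
    return stored_secret_b32


def can_reveal(session: dict, required_level: int = TOTP_LEVEL) -> bool:
    """Boolean view of the gate, convenient for policy checks and tests."""
    try:
        reveal_existing_secret(session, "dummy", required_level)
        return True
    except SecretDisclosureRefused:
        return False
```

`totp()` reproduces the RFC 6238 test vectors (key `12345678901234567890`, T=59, eight digits gives `94287082`), so whoever reads the base32 secret off the 2FA manager page gets the same output as the user's authenticator. The gate makes the secret's visibility depend on the level the session actually reached, not on the fact that the user is logged in.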
Depending on #2541
Milestone: 2.0.12. Assignee: Maxime Besson.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2477
[security:low] Wildcard in virtualhost allows being redirected to untrusted domains
2023-09-22T14:13:29Z, Andreas Deschka
One of our users has reported to us the following security problem, which could be used for phishing.
In Lemonldap 2.0.10 when you create a virtual host with a wildcard, for example `*.subdomain.local.test`, an attacker can forward users to every domain by using specially designed urls.
Target url: `https://google.com#abc.subdomain.local.test/` (The slash at the end is important.)
Base64 encoded: `aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=`
Url which the user clicks on (looks like it is safe to use): `https://myportal.local.test/url=aHR0cHM6Ly9nb29nbGUuY29tI2FiYy5zdWJkb21haW4ubG9jYWwudGVzdC8=`
User will now get redirected to `https://google.com#abc.subdomain.local.test`
I checked if cda is also affected, but from what I saw, it seems to be not. (We anyway do not have it activated.) The following line always rejects correctly:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CDA.pm#L29
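An added Python example, not code from the project or the reporter, contrasting a naive wildcard-virtualhost check that looks at the raw URL string with a check on the parsed hostname, using the report's URL. The naive matcher is a hypothetical reconstruction of the kind of check that accepts the phishing URL (and it shows why the trailing slash matters for such a check); it is not the project's actual implementation.

```python
# Added example (not code from the LemonLDAP::NG project or the reporter).
# It contrasts a naive wildcard-virtualhost check on the raw URL string with
# one that matches the parsed host, using the report's URL. The naive matcher
# is a hypothetical reconstruction of the kind of check that fails; it is not
# the project's actual implementation.
import base64
import fnmatch
import re
from urllib.parse import urlsplit

# Wildcard virtual host from the report (the only rule in this example)
WILDCARD_VHOSTS = ["*.subdomain.local.test"]

# The reporter's target URL; the trailing slash is the part that matters
TARGET = "https://google.com#abc.subdomain.local.test/"


def decode_url_param(value: str) -> str:
    """The `url=` parameter carries the redirect target base64 encoded."""
    return base64.b64decode(value).decode()


# Hypothetical naive parser: "host" is whatever sits between `://` and the
# first `/`. Nothing stops `#` or `?` from being part of that capture, and a
# URL with no `/` after the authority is simply not matched at all.
NAIVE_HOST_RE = re.compile(r"^https?://([^/]+)/")


def naive_allows(url: str) -> bool:
    m = NAIVE_HOST_RE.match(url)
    if not m:
        return False
    fake_host = m.group(1)   # "google.com#abc.subdomain.local.test" for TARGET
    return any(fnmatch.fnmatchcase(fake_host, p) for p in WILDCARD_VHOSTS)


# Hostname label syntax: no `#`, `?`, `@` or `:` can survive this
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$"
)


def parsed_allows(url: str) -> bool:
    """Match the wildcard against the authority's hostname only.

    urlsplit() ends the authority at `/`, `?` or `#` and strips userinfo and
    port, so neither the fragment trick nor `trusted@evil` reaches the match.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    if not HOST_RE.match(host):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in WILDCARD_VHOSTS)


def classify(url: str) -> dict:
    """Both verdicts, plus the host a browser would actually connect to."""
    return {
        "naive": naive_allows(url),
        "parsed": parsed_allows(url),
        "browser_host": urlsplit(url).hostname,
    }
```

`classify(TARGET)` gives `naive=True`, `parsed=False` and `browser_host='google.com'`: the naive check is satisfied by text inside the fragment, while the browser only ever uses the authority. The same naive check rejects the URL without its trailing slash because its regex insists on a `/` after the "host", which is one plausible reading of the reporter's remark that the slash is important. A query-string variant (`https://google.com?x=abc.subdomain.local.test/`) fools it just the same.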
I have no problems, with publishing this issue, when you do not have anything against it.
I used chrome version 88.0.4324.192 for testing.
Milestone: 2.0.12. Assignee: Yadd.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2495
[security:medium] XSS on register form
2023-09-22T14:13:29Z, Clément OUDOT
In the register form, we do not check for XSS attacks before registering data into the session:
```perl
# Use submitted value
$req->data->{registerInfo}->{mail} = $req->param('mail');
$req->data->{registerInfo}->{firstname} = $req->param('firstname');
$req->data->{registerInfo}->{lastname} = $req->param('lastname');
$req->data->{registerInfo}->{ipAddr} = $req->address;
```
This allows injecting HTML code into the form that will be displayed in the mail sent to the end user, and can lead to malicious information (redirection to a hacker's site).
We should check for XSS before registering data, for example:
```perl
# Check input
if (   $self->p->checkXSSAttack( 'mail',      $req->param('mail') )
    or $self->p->checkXSSAttack( 'firstname', $req->param('firstname') )
    or $self->p->checkXSSAttack( 'lastname',  $req->param('lastname') ) )
{
    $self->logger->error("XSS on Register form");
    return PE_MALFORMEDUSER;
}
# Use submitted value
$req->data->{registerInfo}->{mail}      = $req->param('mail');
$req->data->{registerInfo}->{firstname} = $req->param('firstname');
$req->data->{registerInfo}->{lastname}  = $req->param('lastname');
$req->data->{registerInfo}->{ipAddr}    = $req->address;
```
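An added Python example, not code from the project or the reporter, modelling the register form: a mail template rendered from raw form values (the vulnerable path), an input check in the spirit of the `checkXSSAttack` call in the proposed fix (its exact rules are an assumption here), and output escaping as a second line of defence so that a value which slips past validation still cannot carry HTML into the mail.

```python
# Added example (not code from the LemonLDAP::NG project or the reporter).
# A Python model of the register form: the mail template rendered from raw
# form values (the vulnerable path), an input check in the spirit of the
# checkXSSAttack() call from the proposed fix (its exact rules are an
# assumption), and output escaping as a second line of defence.
import html
import re

# Template of the confirmation mail; `{url}` is the confirmation link
MAIL_TEMPLATE = (
    "<p>Hello {firstname} {lastname},</p>"
    '<p>Please confirm your registration: <a href="{url}">{url}</a></p>'
)

# Constructed payload: an injected link to an attacker-controlled site
PAYLOAD = '<a href="https://attacker.example/reset">Click here to activate</a>'

# Characters and tokens that have no business in a name or mail address
XSS_RE = re.compile(r"""[<>"'`]|&#|javascript:|data:""", re.IGNORECASE)
MAIL_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


class MalformedUser(ValueError):
    """Stands in for the PE_MALFORMEDUSER return of the proposed fix."""


def check_register_input(mail: str, firstname: str, lastname: str) -> dict:
    """Validate before anything is stored in the session."""
    fields = {"mail": mail, "firstname": firstname, "lastname": lastname}
    for name, value in fields.items():
        if not value or not value.strip():
            raise MalformedUser(f"{name} is empty")
        if XSS_RE.search(value):
            raise MalformedUser(f"XSS on Register form ({name})")
    if not MAIL_RE.match(mail):
        raise MalformedUser("mail is not an address")
    return {k: v.strip() for k, v in fields.items()}


def is_rejected(mail: str, firstname: str, lastname: str) -> bool:
    """True when the submission would be refused with PE_MALFORMEDUSER."""
    try:
        check_register_input(mail, firstname, lastname)
        return False
    except MalformedUser:
        return True


def render_mail_vulnerable(info: dict, url: str) -> str:
    """Raw substitution: whatever the user typed lands in the HTML mail."""
    return MAIL_TEMPLATE.format(url=url, **info)


def render_mail_safe(info: dict, url: str) -> str:
    """Escape every value at output time, even after input validation."""
    esc = {k: html.escape(v, quote=True) for k, v in info.items()}
    return MAIL_TEMPLATE.format(url=html.escape(url, quote=True), **esc)
```

The input check is what the proposed fix adds; the escaping in `render_mail_safe()` is independent of it and is what protects every other template that renders these session fields, which is the point of the review of all public forms the report asks for.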
A review of all public forms should be done to check that we have no other issues.
Milestone: 2.0.12. Assignee: Clément OUDOT.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946
userControl regexp is not applied by authSlave
2023-09-22T13:59:59Z, Christophe Maudoux <chrmdx@gmail.com>
### Affected version
Version: All
Platform: All
Slave authentication module can submit an invalid login
Milestone: 2.17.0. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3010
oidcServiceAllowOnlyDeclaredScopes option drops offline_access scope
2023-09-20T09:26:16Z, Yadd
Milestone: 2.17.1.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2711
Cannot override configuration in lemonldap-ng.ini when value is "0"
2023-09-20T09:03:18Z, Maxime Besson
### Concerned version
Version: 2.0.14
### Summary
* In config, set `portalDisplayRegister=1`
* In lemonldap-ng.ini, set `portalDisplayRegister=0`
* Expected: Register button is not displayed
* Actual: Register button is displayed
### Logs
In portal `reloadConf`:
* `$conf` is configuration from backend
```perl
%{ $self->{conf} } = %{ $self->localConfig };
...
# Load conf in portal object
foreach my $key ( keys %$conf ) {
$self->{conf}->{$key} ||= $conf->{$key};
}
```
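An added Python example, not code from the project or the reporter, that models the merge quoted above with Perl truthiness: `||=` replaces an ini value of "0" because "0" is false in Perl, while a `//=`-style merge only fills keys that are undefined. The configuration contents are constructed for the report's scenario and the function names are assumptions.

```python
# Added example (not code from the LemonLDAP::NG project or the reporter).
# Python model of the reloadConf merge quoted in the Logs: local
# (lemonldap-ng.ini) values are loaded first, then each backend key is
# assigned with `||=`. Perl's `||=` tests truthiness, and "0" is false in
# Perl, so an ini override of "0" is replaced by the backend's 1. The `//=`
# variant only fills keys whose local value is undefined.


def perl_false(value) -> bool:
    """Perl's false values: undef, "", "0" and numeric zero."""
    return value is None or value == "" or value == "0" or value == 0


def merge_or_assign(local: dict, backend: dict) -> dict:
    """Models `$self->{conf}->{$key} ||= $conf->{$key}` over all backend keys."""
    merged = dict(local)
    for key, value in backend.items():
        if perl_false(merged.get(key)):
            merged[key] = value
    return merged


def merge_defined_or_assign(local: dict, backend: dict) -> dict:
    """Models the proposed `//=`: assign only when the local value is undef."""
    merged = dict(local)
    for key, value in backend.items():
        if merged.get(key) is None:
            merged[key] = value
    return merged


def register_button_shown(conf: dict) -> bool:
    """The portal shows the button when portalDisplayRegister is Perl-true."""
    return not perl_false(conf.get("portalDisplayRegister"))


# Constructed configurations matching the report's scenario
BACKEND_CONF = {"portalDisplayRegister": 1, "portalDisplayResetPassword": 1}
LOCAL_CONF = {"portalDisplayRegister": "0"}   # ini values are read as strings
```

With these inputs `merge_or_assign()` ends up with `portalDisplayRegister` set to 1 and the button shown, `merge_defined_or_assign()` keeps the ini's "0". The `//=` form has a side effect of its own: an ini key set to the empty string now also overrides the backend, whereas `||=` silently ignored it.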
### Possible fixes
* `||=` should probably be `//=`
* Side effects ?
* Perhaps localConf should be loaded into `$self->{conf}` after `$conf`?
* Does this happen elsewhere?
Milestone: 2.17.0. Assignee: Maxime Besson.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2996
Invalid URL for application logo in myapplications web service
2023-09-15T13:46:19Z, Clément OUDOT
The logo URL returned by /myapplications is malformed: `http:/auth.example.com//static/common/apps/demo.png`. There is a missing `/` after `http:`.
The bug was introduced in commit 6fde3a06502c0fb13375830e5e9b0ebb21c6692b
The associated unit test is wrong, as it tests the malformed value:
```perl
ok(
$res->{myapplications}->[0]->{Applications}->[0]->{'Application Test 1'}
->{AppLogo} eq 'http:/auth.example.com//static/common/apps/demo.png',
' Logo app1 found'
);
```
Commenting out the last regexp on basePath is enough to fix the problem:
```diff
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
index f5b760e1c..cb8b88155 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm
@@ -788,7 +788,7 @@ sub myApplications {
my $basePath = $self->conf->{portal};
$basePath =~ s#/*$#/#;
$basePath .= $self->p->{staticPrefix} . '/common/apps/';
- $basePath =~ s#//+#/#;
+ #$basePath =~ s#//+#/#;
my @appslist = map {
my @apps = map {
{
```
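Review bot: commenting out `$basePath =~ s#//+#/#;` stops the scheme from being mangled, but it also removes the only normalisation of the path, so a `staticPrefix` beginning with `/` still produces `http://auth.example.com//static/common/apps/demo.png` (the `//static` already visible in the malformed value and in the quoted test expectation). The actual defect is that the substitution has no `/g` and its first match is the `//` of `http://`; keep the line but skip the scheme separator, e.g. `$basePath =~ s#(?<!:)//+#/#g;`, and change the unit test quoted above to expect `http://auth.example.com/static/common/apps/demo.png`.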
A better solution might be found.
Milestone: 2.17.1. Assignee: Clément OUDOT.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2491
Use environment variables placeholder in lemonldap json configuration
2023-09-13T16:01:41Z, andy tan
### Summary
I would like to be able to use ENV vars placeholder inside lemonldap json configuration.
### Design proposition
Ex:
```
1 / "managerPassword" : "$ENV{LDAP_MANAGER_PASSWORD}",
```
```
2 / "oidcRPMetaDataOptions" : {
"example" : {
"oidcRPMetaDataOptionsClientSecret" : "$ENV{OIDC_EXAMPLE_CLIENT_SECRET_PASSWORD}",
"oidcRPMetaDataOptionsClientID" : "example",
"oidcRPMetaDataOptionsPublic" : 1,
"oidcRPMetaDataOptionsRefreshToken" : 1,
"oidcRPMetaDataOptionsRequirePKCE" : 0
},
```
```
3 / "persistentStorageOptions" : {
"collection" : "persistent_sessions",
"connect_timeout" : "10000",
"db_name" : "db_example",
"host" : "mongodb://localhost:27017/?replicaSet=rs0&authSource=admin",
"password" : "$ENV{MONGO_PERSISTENT_STORAGE_PASSWORD}",
"ssl" : "0",
"username" : "james"
},
```
Milestone: 2.0.15. Assignee: Yadd.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2992
WAYF not triggered when using SAML federation plugin + one other provider
2023-09-08T13:24:45Z, Maxime Besson
### Affected version
Version: 2.16.2
### Summary
* Set Auth=SAML
* Configure samlFederationFiles
* Configure samlDiscoveryProtocolURL/samlDiscoveryProtocolActivation
* Add one IDP (samltest.id)
* Browse to portal
* You get redirected to the non-federated IDP instead of the federation
### Possible fixes
getIDP assumes that having one entityID in idpList means we need to use it. But WAYF may lazy load another IDP.
We should disable this heuristic when samlFederationFiles is set
Is there a better way?
Milestone: 2.17.1. Assignee: Maxime Besson.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2912
Non reproducible error when redirect to another url (SAML,..)
2023-08-30T15:10:53Z, Walter Bender
### Concerned version
Version: %2.16.1-1 (Ubuntu)
Platform: Various
### Summary
We updated from 2.0.13 to 2.16.1 and got a non-reproducible error when redirecting to another url (as used for SAML authentication). Some perl processes worked without problems. With higher load, we get more and more processes with "Bad URL" errors. After a restart of the service the error vanished at first, but then grows to about 50% of redirections ending with an error message. We are not sure what caused the error and if it's a security issue. Downgrading back to 2.0.13 solved the issue.
Hint: The same problem happened in version 2.0.16
### Logs
```
Apr 6 18:34:05 XHOSTX LLNG[44612]: [debug] Required Params URL: URI::https=SCALAR(0x563e0fd10f40)
Apr 6 18:34:05 XHOSTX LLNG[44612]: [debug] Set CSP form-action with Params URL: URI::https=SCALAR(0x563e0fd10f40)
Apr 6 18:34:14 XHOSTX LLNG[44591]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fdd1838)
Apr 6 18:34:26 XHOSTX LLNG[44593]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fdedbb8)
Apr 6 18:36:22 XHOSTX LLNG[44589]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0e9a2e38)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Required urldc: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Set CSP form-action with urldc: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Required Params URL: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Set CSP form-action with Params URL: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:38:26 XHOSTX LLNG[44603]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fd74fd0)
Apr 6 18:39:47 XHOSTX LLNG[44589]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0e8df388)
Apr 6 18:41:17 XHOSTX LLNG[44596]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fd9eb08)
Apr 6 18:44:16 XHOSTX LLNG[44611]: [debug] [error] Bad URL URI::https=SCALAR(0x55c915768d50)
```
### Backends used
We use redis as backend
### Possible fixes
Downgrade to former version
Milestone: 2.17.0. Assignee: Maxime Besson.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2952
Unable to change password if LDAP returns PE_PP_CHANGE_AFTER_RESET and captcha is enabled
2023-08-29T16:58:03Z, Christophe Maudoux <chrmdx@gmail.com>
### Affected version
Version: All
Platform: All
### Summary
Enable captcha and LDAP password policy with pwdReset attribute.
Reset a userPassword -> pwdReset is set to TRUE
Login -> PE_25 thrown by LDAP server
Captcha input is not displayed => unable to change password
![Capture_d_écran_du_2023-07-03_22-39-17](/uploads/4c84ef3dc56a7b6488db5762040a60e3/Capture_d_écran_du_2023-07-03_22-39-17.png)
Captcha is not displayed!
![Capture_d_écran_du_2023-07-03_22-40-19](/uploads/4134988b8c6788a354bc322e592ffcea/Capture_d_écran_du_2023-07-03_22-40-19.png)
![Capture_d_écran_du_2023-07-03_22-40-46](/uploads/775f7471da8f8a9a40f17ae66f8fe0a2/Capture_d_écran_du_2023-07-03_22-40-46.png)
### Logs
```
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Get configuration from cache without verification.
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:37:44 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Return TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca created
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Returned error: 9 (PE_FIRSTACCESS)
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] true
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:37:55 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Get session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca from Portal::Main::Run
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Return TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Good captcha response
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Captcha code verified
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing getUser
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing authenticate
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Call bind for uid=173668,ou=personnes,dc=police,dc=interieur,dc=gouv,dc=fr
Jul 3 22:37:56 vm5704 LLNG[1252]: [error] Error when binding to LDAP server: Invalid credentials
Jul 3 22:37:56 vm5704 LLNG[1252]: [warn] Bad password for 173668 (10.100.160.1)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] [warn] Bad password for 173668 (10.100.160.1)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Return TOKEN session ef7091e69d87f73c364ea5d7e69346a73dfb0a572ef12c9f7c9c9575497caef8
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Token ef7091e69d87f73c364ea5d7e69346a73dfb0a572ef12c9f7c9c9575497caef8 created
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> authResult = 5
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setMacros
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setPersistentSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Persistent session found for 173668
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Restore persistent parameter _loginHistory
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Restore persistent parameter _updateTime
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Launching ::Plugins::BruteForceProtection::run afterSub setPersistentSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Failed login maxAge = 2205
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Number of failed login(s) to take into account = 4
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Delta = 65
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Waiting time = 30
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing storeHistory
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Current login saved into failedLogin
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Current login -> 5
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Found 'whatToTrace' -> 173668
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Update 173668 persistent session
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] true
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Get configuration from cache without verification.
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:38:49 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/DBI.pm line 93.
Jul 3 22:38:49 vm5704 LLNG[1252]: [notice] Bad (or expired) token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [warn] Captcha token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca isn't valid
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Return TOKEN session 09f322507d878a152dd54468ec3f5208d5b97b7e56441a508b682735ab49e2aa
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Token 09f322507d878a152dd54468ec3f5208d5b97b7e56441a508b682735ab49e2aa created
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [warn] Captcha failed
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] [warn] Captcha failed
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] true
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Get configuration from cache without verification.
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:38:53 vm5704 LLNG[41826]: [info] No cookie found
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Start routing default route
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing checkUnauthLogout
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing restoreArgs
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing controlUrl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Cancel called, push authCancel calls
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing extractFormInfo
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/DBI.pm line 93.
Jul 3 22:38:53 vm5704 LLNG[41826]: [notice] Bad (or expired) token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [warn] Captcha token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca isn't valid
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Try to get a new TOKEN session
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Check session validity -> 900s
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Return TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Token fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596 created
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Prepare captcha
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [warn] Captcha failed
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] [warn] Captcha failed
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Display type standardform
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin returned: login
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Calling sendHtml with template login
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Apply following CORS policy:
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Origin
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Credentials
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] true
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Headers
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Methods
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] POST,GET
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Expose-Headers
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Max-Age
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] 86400
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:39:31 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Trying to load token fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Get session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596 from Portal::Main::Run
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Good captcha response
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Captcha code verified
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing getUser
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing authenticate
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Call bind for uid=173668,ou=personnes,dc=police,dc=interieur,dc=gouv,dc=fr
Jul 3 22:39:31 vm5704 LLNG[1252]: [error] Password policy error 2 for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] [error] Password policy error 2 for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session 9c99d95aa4b3f790ba4d5526cbfec751cf4f858d83530ecf68335a0fcd2c17a0
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Token 9c99d95aa4b3f790ba4d5526cbfec751cf4f858d83530ecf68335a0fcd2c17a0 created
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session d5acf9ad3db0e334fd4328968aad025f31052a24a280e644bee52487386ebf89
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Token d5acf9ad3db0e334fd4328968aad025f31052a24a280e644bee52487386ebf89 created
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> authResult = 25
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setMacros
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setPersistentSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Persistent session found for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Restore persistent parameter _updateTime
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Restore persistent parameter _loginHistory
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Launching ::Plugins::BruteForceProtection::run afterSub setPersistentSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Failed login maxAge = 2205
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Number of failed login(s) to take into account = 5
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Delta = 95
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Waiting time = 60
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing storeHistory
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Current login saved into failedLogin
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Current login -> 25
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Found 'whatToTrace' -> 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Update 173668 persistent session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] true
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:40:01 vm5704 CRON[42207]: (root) CMD (/opt/rudder/bin/rudder agent check -q >> /var/log/rudder/agent-check/check.log 2>&1)
Jul 3 22:40:01 vm5704 CRON[42215]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Get configuration from cache without verification.
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:40:22 vm5704 LLNG[41826]: [info] No cookie found
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Start routing default route
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing checkUnauthLogout
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing restoreArgs
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing controlUrl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Cancel called, push authCancel calls
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing extractFormInfo
Jul 3 22:40:22 vm5704 LLNG[41826]: [warn] No response provided for Captcha::SecurityImage
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Try to get a new TOKEN session
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Check session validity -> 900s
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Return TOKEN session b5322520b9b8673206f3e24ffcb942848841aed2fef400cc5d38e7b1dc4c2775
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Token b5322520b9b8673206f3e24ffcb942848841aed2fef400cc5d38e7b1dc4c2775 created
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Prepare captcha
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [warn] Captcha failed
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] [warn] Captcha failed
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Display type standardform
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin returned: login
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Calling sendHtml with template login
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Apply following CORS policy:
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Origin
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Credentials
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] true
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Headers
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Methods
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] POST,GET
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Expose-Headers
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Max-Age
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] 86400
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
```
Milestone: 2.17.0; Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2929
Set more than one class on LDAP group filter
2023-08-18T16:24:32Z Soisik Froger

We use two types of groups in our LDAP: groupOfNames, groupOfURLs. To be able to fetch them all, we have to set the class "top" in LDAP Parameters > Groups > Object Class, as this field is single-valued.
Making this field multi-valued would allow us to get different types of groups (static and dynamic) in a cleaner way than using the class "top".
Tks
Milestone: 2.17.0; Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2922
Remove | as separator for Choice configuration values
2023-08-18T16:23:59Z Clément OUDOT

For now we accept both `;` and `|` as separator for choices configuration values, but this leads to a bug when using `|` in a value, for example when overriding an LDAP filter.
We need to check that `|` separator is not needed anymore, and remove it from the code that splits the choice value.
Milestone: 2.17.0; Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2987
Cannot use single quote in passwordPolicySpecialChar
2023-08-18T14:58:23Z Maxime Besson

### Affected version
Version: 2.16.2
### Summary
* Try to add a `'` in passwordPolicySpecialChar
* Display the password change interface
* JS error
### Logs
```
Parsing error SyntaxError: Bad escaped character in JSON at position 5979
at JSON.parse (<anonymous>)
at HTMLScriptElement.<anonymous> (portal.js:105:20)
at Function.each (jquery.min.js:2:2976)
at S.fn.init.each (jquery.min.js:2:1454)
at n (portal.js:102:42)
at portal.js:277:13
at dispatch (jquery.min.js:2:43090)
at v.handle (jquery.min.js:2:41074)
```
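The "Bad escaped character in JSON" failure logged above can be reproduced without a browser. This is an added Python example, not LemonLDAP::NG or HTML::Template code: `js_escape` is an assumed model of a JavaScript-string escaper (backslash, both quote characters and line breaks get a backslash, which is what a JS-literal escaper such as the `ESCAPE='js'` filter blamed in the issue does), and the template fragment that interpolates `passwordPolicySpecialChar` is constructed for the demonstration. It shows why only a single quote triggers the bug (`\"` happens to be valid JSON, `\'` is not) and the encoding order the "Possible fixes" section asks for.

```python
import json
from typing import Optional

# Constructed value, as in the issue: a special-character list containing a single quote.
SPECIAL_CHARS = "!@#$%^&*()'"


def js_escape(s: str) -> str:
    """Assumed model of a JavaScript-string escaper (not HTML::Template's code):
    backslashes, both quote characters and line breaks are backslash-escaped.
    The result is a valid JS string literal body, but not always valid JSON."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\n", "\\n")
             .replace("\r", "\\r"))


def render_broken(value: str) -> str:
    """Broken order: the template interpolates a JS-escaped value into a JSON
    string literal, so the browser's JSON.parse sees sequences like \\'."""
    return '{"passwordPolicySpecialChar": "%s"}' % js_escape(value)


def render_fixed(value: str) -> str:
    """Fixed order: run the value through the JSON encoder first and interpolate
    the encoded text with no further escaping. The template parameter already
    holds JSON, so the template must not escape it again."""
    return '{"passwordPolicySpecialChar": %s}' % json.dumps(value)


def parsed_value(document: str) -> Optional[str]:
    """Stand-in for JSON.parse in portal.js: Python's decoder rejects \\' just as
    the browser's does. Returns the decoded value, or None on a parse error."""
    try:
        return json.loads(document)["passwordPolicySpecialChar"]
    except (json.JSONDecodeError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    for value in ("abc", 'a"b', "ab'c", SPECIAL_CHARS):
        print(repr(value), "broken ->", parsed_value(render_broken(value)),
              "| fixed ->", parsed_value(render_fixed(value)))
```

Note that `json.dumps` only solves the JSON layer: where the encoded text is then placed in the page still decides the escaping it needs (an HTML attribute needs HTML escaping; an inline `<script>` body must not contain `</script>`), so the JSON-encode step should happen once, in the code that sets the template parameter, and the template should emit that parameter verbatim.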
### Possible fixes
`ESCAPE='js'` from HTML::Template does not correctly escape JSON strings. We need to do it before setting the template parameter.
Milestone: 2.17.0; Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2593
Contextual / Adaptive authentication / Risk-based authentication
2023-08-02T13:15:46Z Maxime Besson

### Summary
We have growing demand for a set of inter-related features:
* Send an email when connecting from a new IP (#2325)
* Send an email when connecting from a new country (own customer use case)
* Send an email when connecting from a different browser (own customer use case)
* Skip 2FA when connecting from an internal network (Plugins::AdaptativeAuthenticationLevel)
* Skip authentication entirely when connecting from the same browser (Plugins::StayConnected)
* Remember 2FA and don't ask it again on the same browser (#2490)
And maybe, someday, someone will ask:
* Remember 2FA and don't ask it again on the same browser, except when the connection comes from a different country, in which case, send an email.
* Ask 2FA when IP is in Crowdsec blacklist
* etc.
All these plugins have the generic behavioral template in common:
1. Identify a specific condition in the authentication context:
* New geo location (country, city...) compared to history
* New user-agent configuration (different browser vendor, different locale, etc.) compared to history
* Remembered user-agent (stayconnected cookie)
* IP range, etc.
2. Implement an action based on this condition
* Skip 2FA
* Send an email
* Auto-login
* Deny attempt (BruteForceProtection, etc)
In order to allow complex configuration, a plugin should not implement both of these steps.
### Design proposition
I think we should ship a set of plugins to implement step 1. And a different set of plugins to implement step 2 (or modify existing plugins)
Example:
* Plugins::NewLocation (uses ip address, optionally GeoIP)
* Plugins::NewBrowser (uses UserAgent sniffing)
* Plugins::RememberBrowser (uses a cookie to remember a browser without using UA sniffing, see #2591)
* Plugins::AllowIpRange
* more as needed
These plugins might set a `$suspiciousActivityLevel` variable incrementally (integer). And populate a `$suspiciousActivityDetail` variable containing user-oriented detail
```
$suspiciousActivityDetail = {
'newLocation' => "France",
'newIp' => '1.2.3.4',
'unknownBrowser' => 1,
}
```
Starting from this common interface:
* You can add `$suspiciousActivityLevel > 0` to your 2FA rule, to only trigger 2FA on suspicious logins (as defined by the other currently enabled plugins)
* We can create a new AlertSuspicious plugin that sends an email, formatted from `$suspiciousActivityDetail`, to the user when a login is suspicious, whether it is because of a new IP, unregistered browser, etc.
* We could modify the Crowdsec plugin to only flag the auth attempt as suspicious, but not deny it.
* We can implement a detection algorithm that collects suspiciousActivityDetail from all existing plugins, performs Machine Learning on it (or deep learning, blockchain sorcery, buzzword-of-the-day-here), and sets the suspicion level accordingly, without having to reimplement "punitive actions" inside it.
* YOUR_USE_CASE_HERE
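The split between detectors (step 1) and actions (step 2) over the shared `suspiciousActivityLevel` / `suspiciousActivityDetail` variables, as an added Python sketch that is not LemonLDAP::NG code. The `AuthContext` record, the login history it compares against, the internal IP ranges, the user-agent sniffing and the e-mail wording are all constructed for the example; the detail keys (`newLocation`, `newIp`, `unknownBrowser`) follow the structure shown above.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class AuthContext:
    """Constructed stand-in for the authentication context a plugin sees."""
    user: str
    ip: str
    country: str                     # assumed to come from a GeoIP lookup
    user_agent: str
    history: Dict[str, set]          # constructed: countries/ips/browsers seen before
    suspiciousActivityLevel: int = 0
    suspiciousActivityDetail: Dict[str, object] = field(default_factory=dict)


def browser_family(user_agent: str) -> str:
    """Deliberately rough UA sniffing for the demo; a real plugin would parse properly.
    Chrome UAs also contain 'Safari', hence the order."""
    for token in ("Edg", "Chrome", "Firefox", "Safari"):
        if token in user_agent:
            return token
    return "unknown"


# Step 1: detectors. Each only raises the level and records user-oriented detail.
def new_location(ctx: AuthContext) -> None:
    if ctx.country not in ctx.history.get("countries", set()):
        ctx.suspiciousActivityLevel += 1
        ctx.suspiciousActivityDetail["newLocation"] = ctx.country


def new_ip(ctx: AuthContext) -> None:
    if ctx.ip not in ctx.history.get("ips", set()):
        ctx.suspiciousActivityLevel += 1
        ctx.suspiciousActivityDetail["newIp"] = ctx.ip


def new_browser(ctx: AuthContext) -> None:
    if browser_family(ctx.user_agent) not in ctx.history.get("browsers", set()):
        ctx.suspiciousActivityLevel += 1
        ctx.suspiciousActivityDetail["unknownBrowser"] = 1


INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),        # constructed
                   ipaddress.ip_network("192.168.0.0/16")]


def allow_ip_range(ctx: AuthContext) -> None:
    """Records the internal-network fact without changing the level; the 2FA rule decides."""
    addr = ipaddress.ip_address(ctx.ip)
    if any(addr in net for net in INTERNAL_RANGES):
        ctx.suspiciousActivityDetail["internalNetwork"] = 1


DETECTORS: List[Callable[[AuthContext], None]] = [new_location, new_ip, new_browser, allow_ip_range]


def run_detectors(ctx: AuthContext, detectors=DETECTORS) -> AuthContext:
    for detector in detectors:
        detector(ctx)
    return ctx


# Step 2: actions are rules over the shared variables, independent of which detector fired.
def needs_2fa(ctx: AuthContext) -> bool:
    """The equivalent of `$suspiciousActivityLevel > 0` in the 2FA rule, with an
    internal-network exemption."""
    return ctx.suspiciousActivityLevel > 0 and "internalNetwork" not in ctx.suspiciousActivityDetail


def alert_email(ctx: AuthContext) -> Optional[str]:
    """AlertSuspicious-style message formatted from suspiciousActivityDetail."""
    if ctx.suspiciousActivityLevel == 0:
        return None
    labels = {"newLocation": "from a new country: {}",
              "newIp": "from a new IP address: {}",
              "unknownBrowser": "from a browser we have not seen before"}
    lines = [f"New login for {ctx.user} (suspicion level {ctx.suspiciousActivityLevel}):"]
    lines += ["- " + labels[k].format(v) for k, v in ctx.suspiciousActivityDetail.items() if k in labels]
    return "\n".join(lines)


if __name__ == "__main__":
    history = {"countries": {"FR"}, "ips": {"1.2.3.4"}, "browsers": {"Firefox"}}
    ctx = run_detectors(AuthContext("dwho", "5.6.7.8", "DE", "Mozilla/5.0 Chrome/115.0", history))
    print(ctx.suspiciousActivityLevel, ctx.suspiciousActivityDetail, needs_2fa(ctx))
    print(alert_email(ctx))
```

Because the detectors never act, adding a new signal (a Crowdsec lookup, a trained model) means adding one more function to `DETECTORS`; the 2FA rule and the alert mail pick it up unchanged.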
@guimard @clement_oudot let me know what you think of this approach, and if you have a better/different approach to suggest to make all these plugins work together.
Milestone: 2.0.14; Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2959
Send Access-Request without password when preparing Radius 2FA validation
2023-08-01T12:12:20Z Maxime Besson

### Summary
Some radius solutions work in the following way:
* Send an Access-Request with only the login before the 2FA form is displayed
* After the user inputs the 2FA code, send an Access-Request with the login + code for validation
### Design proposition
Add an option to send an access request with no password attribute.
Milestone: 2.17.0; Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2932
unreachable LDAP server blocks initialization for too long
2023-07-19T19:18:55Z Maxime Besson

### Affected version
Version: 2.16.2
### Summary
* Configure a combination with [GoodLDAP] or [BadLDAP]
* point BadLDAP to a ldapServer that times out (ldap://1.2.3.4/)
* Try to display the portal
* There is a timeout as Auth::LDAP and UserDB::LDAP preemptively try to connect to BadLDAP
### Possible fixes
All Auth::LDAP and UserDB::LDAP methods validate the LDAP server before doing any work. So there is no need to try to connect in the init() method.
Milestone: 2.17.0; dcoutadeur

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2692
New API for CAPTCHA plugins
2023-07-18T18:53:56Z Maxime Besson

### Summary
The current CAPTCHA (GD::SecurityImage) works for simple cases. But some of our users need more advanced features, such as those offered by proprietary systems, such as CAPTCHAs that do not need any actual interaction in usual conditions.
Currently, users need to do this by:
* Disabling the internal captcha
* Modifying templates
* Creating an extractFormInfo plugin that validates the captcha response.
But this doesn't work in non-login scenarios (registration, mail reset..), and it's hard to do.
We need to provide a more pluggable system that lets users select which captcha they want, or easily write (and share) their own. We could include some commonly used ones (if license allows).
### Design proposition
Captcha plugins will need to hook at various points of processing:
* Before request is sent to the browser
* Captcha plugins need to generate a HTML block to be included in templates (replacing captcha.tpl)
* Captcha plugins may also need to add their own JS to the page being generated
* Captcha plugins may need to set Content-Security-Policy headers (see #2514)
* Captcha plugins may need to persist some state (by creating a token), but this is not always necessary
* After response is received
* Captcha plugins may need to extract POST fields from the HTTP response. The names of those fields are usually decided by the captcha vendor's external JS lib, and may be out of our control
* Captcha plugins will either need to validate the extracted post fields by an external HTTP request, or by restoring the state that was saved in the first step (this is what GD::SecurityImage does)
* Captcha plugins may need to declare their own routes, for example to generate new challenges dynamically
#### Compatibility
* [x] We need to preserve the existing API (Lib::Captcha / setCaptcha / validateCaptcha) in case some already existing plugins try to use it
* [x] We need to be compatible with existing templates (CAPTCHA_SRC etc) for users who use custom templates. It's fine if non-updated templates do not work with new plugins as long as they continue to work with GD::SecurityImage
Milestone: 2.0.15; Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2652
Integrate Pwned Passwords API from haveibeenpwned.com
2023-07-18T18:53:55Z Mathieu MD

### Summary
LLNG could enhance security while user is changing her password by checking if submitted password is known to be one of the 613,584,246 leaked passwords, according to [HIBP API](https://haveibeenpwned.com/API/v3#PwnedPasswords) database.
### Design proposition
- Before pushing the password change to the backend DB, LLNG could do a REST call to HIBP API.
- There is a way to do these checks offline (see Scott Helme's [When Pwned Passwords Bloom!](https://scotthelme.co.uk/when-pwned-passwords-bloom/)), but it's quite more work for maintenance (updating the DB and recreating local data set seems to take several hours), and requires more than 25GB of HDD available!
- If it takes longer than a defined timeout (because HIBP is down, Internet access down (in case of local network), or whatever), then it would be user-friendly to accept the password nonetheless (of course a parameter to allow or not would be best, but the risk to allow the weak password is not higher than current behaviour of not checking password against this API).
- If the API says it's a leaked password, a parameter could disallow (or allow anyway) the user to use this password.
- It would be a good idea to let the user know that this password is leaked according to HIBP, with a link to the breach on HIBP website. But the site being only English, a message translated to let the user understand should also be possible.
Milestone: 2.0.16; dcoutadeur
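The REST check described in this proposal, as an added Python example that is not LemonLDAP::NG code. It uses the real Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<first five hex chars of the SHA-1>`, which answers with `SUFFIX:COUNT` lines, so the full hash never leaves the portal) and implements the two parameters the proposal lists: reject-or-allow a leaked password, and accept-or-reject when the API does not answer within the timeout. `make_stub_fetch` and `outage_fetch` are constructed stand-ins so the example runs offline; the leak counts they return are made up.

```python
import hashlib
import socket
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

# Real endpoint of the Pwned Passwords k-anonymity range API.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

Fetcher = Callable[[str], str]


def http_range_fetch(prefix: str, timeout: float = 2.0) -> str:
    """Network fetcher: one GET per 5-hex-char prefix; raises OSError on timeout or outage.
    Add-Padding asks the API to mix in fake entries (count 0) so response size leaks nothing."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "llng-pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("ascii")


def pwned_count(password: str, fetch: Fetcher = http_range_fetch) -> int:
    """How often the password appears in the HIBP corpus (0 if never)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix == suffix:
            return int(count)
    return 0


@dataclass
class Decision:
    accept: bool
    reason: str
    count: int      # -1 when the API could not be consulted


def check_password_change(password: str, fetch: Fetcher = http_range_fetch,
                          reject_if_pwned: bool = True,
                          accept_on_error: bool = True) -> Decision:
    """Policy wrapper: the two switches correspond to the parameters the proposal asks for."""
    try:
        count = pwned_count(password, fetch)
    except OSError as exc:    # URLError and socket.timeout both derive from OSError
        return Decision(accept_on_error, "hibp-unavailable: " + type(exc).__name__, -1)
    if count > 0 and reject_if_pwned:
        return Decision(False, "pwned", count)
    return Decision(True, "pwned-but-allowed" if count else "ok", count)


# Constructed offline stand-ins for the API.
def make_stub_fetch(leaked: Dict[str, int]) -> Fetcher:
    """Answer like the range API for a made-up leak corpus {password: count}."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, n in leaked.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{n}")

    def fetch(prefix: str) -> str:
        lines = by_prefix.get(prefix, []) + ["0" * 35 + ":0"]   # one padding line, count 0
        return "\r\n".join(lines)
    return fetch


def outage_fetch(prefix: str) -> str:
    raise socket.timeout("constructed: HIBP did not answer in time")


if __name__ == "__main__":
    fetch = make_stub_fetch({"password": 3730471, "letmein": 12})   # constructed counts
    print(check_password_change("password", fetch))
    print(check_password_change("correct horse battery staple", fetch))
    print(check_password_change("anything", outage_fetch))
```

Two operational points follow from the code: the SHA-1 of the candidate password is computed locally and only its first five hex characters are sent, so this check is safe to run on the password-change path; and `accept_on_error` should be logged whenever it fires, so an outage that silently disables the check is visible in the portal's logs rather than discovered later.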