lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2018-12-01T21:44:18Z

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1561
Configuration save generates bad warnings
2018-12-01T21:44:18Z
Clément OUDOT

We have an annoying issue in the 2.0.0 version, when saving configuration in Manager or with lemonldap-ng-cli, we have a lot of warnings:
```
{
'message' => 'totp2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 166) line 1, <STDIN> line 1.'
},
{
'message' => 'issuerDBCASRule: __badExpression__: \'require\' trapped by operation mask at (eval 168) line 1, <STDIN> line 1.'
},
{
'message' => 'portalDisplayChangePassword: __badExpression__: \'require\' trapped by operation mask at (eval 170) line 1, <STDIN> line 1.'
},
{
'message' => 'portalSkinRules/1: __badExpression__: \'require\' trapped by operation mask at (eval 172) line 1, <STDIN> line 1.'
},
{
'message' => 'portalDisplayAppslist: __badExpression__: \'require\' trapped by operation mask at (eval 174) line 1, <STDIN> line 1.'
},
{
'message' => 'sfRequired: __badExpression__: \'require\' trapped by operation mask at (eval 176) line 1, <STDIN> line 1.'
},
{
'message' => 'utotp2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 178) line 1, <STDIN> line 1.'
},
{
'message' => 'portalDisplayLogout: __badExpression__: \'require\' trapped by operation mask at (eval 180) line 1, <STDIN> line 1.'
},
{
'message' => 'u2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 182) line 1, <STDIN> line 1.'
},
{
'message' => 'yubikey2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 184) line 1, <STDIN> line 1.'
},
{
'message' => 'totp2fSelfRegistration: __badExpression__: \'require\' trapped by operation mask at (eval 186) line 1, <STDIN> line 1.'
},
{
'message' => 'jsRedirect: __badExpression__: \'require\' trapped by operation mask at (eval 188) line 1, <STDIN> line 1.'
},
{
'message' => 'ext2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 190) line 1, <STDIN> line 1.'
},
{
'message' => 'rest2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 192) line 1, <STDIN> line 1.'
},
{
'message' => 'u2fSelfRegistration: __badExpression__: \'require\' trapped by operation mask at (eval 194) line 1, <STDIN> line 1.'
},
{
'message' => 'yubikey2fSelfRegistration: __badExpression__: \'require\' trapped by operation mask at (eval 196) line 1, <STDIN> line 1.'
},
{
'message' => 'issuerDBSAMLRule: __badExpression__: \'require\' trapped by operation mask at (eval 198) line 1, <STDIN> line 1.'
}
```
Should be linked to a recent change in the code?

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1468
Enabling both Auth::SAML and Issuer::SAML breaks SLO
2018-06-30T06:41:53Z
Yadd

# Version
Probably any version since 1.0.0
# Description
Just enabling issuerDBSAMLActivation on SAML SP breaks SLO. (related to #1449)

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1420
Answering to CAS proxy requests as CAS Provider
2018-05-14T10:24:05Z
Clément OUDOT

There is an error when calling the /cas/proxy endpoint:
```
==> /var/log/apache2/error.log <==
[info] No cookie found
[debug] Build URL https://auth.openid.club/cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa
[debug] Redirect 192.168.100.1 to portal (url was /cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing cas
Bad response 2 at /usr/share/perl5/Plack/Handler/FCGI.pm line 156.
[Fri May 11 21:49:25.545901 2018] [core:error] [pid 103079] [client 192.168.100.1:48558] End of script output before headers: index.fcgi
```

2.0.0
Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/757
"Attempt to free unreferenced scalar" in Lemonldap::NG::Common::Session
2018-05-15T20:31:11Z
Clément OUDOT

The following errors are visible in the logs:
```
Attempt to free unreferenced scalar: SV 0x7f651397cd08, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 84.
Attempt to free unreferenced scalar: SV 0x7f6513b4b898, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 150.
Attempt to free unreferenced scalar: SV 0x7f6513b4c1b0, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 111.
Attempt to free unreferenced scalar: SV 0x7f6512e5c760, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 112.
```
Certainly related to the version of Mouse, which is quite old.

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/789
Apache reloading breaks SAML authentication
2018-05-15T20:31:11Z
Updateme Lulandco

Hi,
After reloading apache conf, SAML authentication is broken, SP Metadata can't be retrieved from cache:
[Fri Feb 13 19:51:45.934452 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Reset SAML configuration cache
[Fri Feb 13 19:51:45.934468 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SAML cache configuration: 46
[Fri Feb 13 19:51:45.934549 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Get Metadata for this service
[Fri Feb 13 19:51:45.938604 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: 2015-02-13 19:51:45 (server.c/:699) Failed to load metadata from preloaded buffer
[Fri Feb 13 19:51:45.938754 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
[Fri Feb 13 19:51:45.938777 2015] [perl:debug] [pid 11688] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 186:
[Fri Feb 13 19:51:45.938788 2015] [perl:error] [pid 11688] Unable to create Lasso server
[Fri Feb 13 19:51:45.939030 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
I checked, all apache's modules are normally reloaded. Restarting apache doesn't produce the issue.
LulAndCo

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/804
Uncomplete logout in Issuer modules
2018-05-15T20:31:11Z
Clément OUDOT

We have a standard logout process in the portal:
* Delete local session
* Call issuerLogout on each used Issuer module
* Call authLogout
* Display iFrames for logout services
* Display "you are disconnected" at the end of the process
But this process is not used when a logout request comes from an Issuer module (CAS, OpenID or OpenID Connect). This seems to be OK for the SAML Issuer.

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/856
LemonLDAP loses exportedVars conf randomly
2018-05-15T20:31:11Z
Frédéric Pégé

Randomly, (at least, for now), Lemonldap loses the entry "exportedVars" of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (line 1972):
```
$self->lmLog( "[exportedVars] exportedVars : ".join(' ',keys %{ $self->{exportedVars} }) , 'warn' );
```
When everything is fine:
```
[Tue Oct 13 17:55:35 2015] [warn] [exportedVars] exportedVars : DATEFINVALIDITE UA SSL_CLIENT_CERT DATEDEBUTVALIDITE
```
When the bug occurs:
```
[Tue Oct 13 17:41:31 2015] [warn] [exportedVars] exportedVars :
```
This can be checked in the session explorer. LDAP Vars are shown, and so on. ExportedVars are missing.
I've managed to reproduce easily the issue with SSL auth and LDAP users.
Can you look into that plz ?
Best regards,
Fred.

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/863
get_url function builds wrong Portal URL
2018-05-15T20:31:11Z
Cédric Liard

The get_url function in Simple.pm builds the URL portal according to portal-apache2.conf definition and not the URL Portal defined in the LemonLDAP configuration.
The problem is if the portal is behind a proxy (listening on https), the Portal Apache vhost is listening on http and the URL Portal (defined in LemonLDAP configuration) is on https, this function returns the http URL.

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/918
Env variables are searched in backends
2018-05-15T20:31:11Z
Clément OUDOT

When declaring exported attributes which are env variables, they are also searched in backends

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/998
encode_base64 can be udefined after a reload by URL
2018-05-15T20:31:11Z
Swaelens Jontathan

Hello,
After a modification in the manager I have apache errors for my virtualhosts that use the function encode_base64.
Undefined subroutine &Lemonldap::NG::Handler::Main::Jail::encode_base64 called at (eval 638) line 1.\n
I must reload apache to fix it.
Cheers.

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1061
Multiple segfault using ModPerl::Registry with Apache2.4
2018-05-15T20:31:11Z
Jeremy Kespite

I have recently started to use Apache2.4 with LL1.9.5. I previously used Apache2.2 and LL1.3.3
Since I upgraded, my error logs contain lots of:
```
child pid 46733 exit signal Segmentation fault (11)
Attempt to free unreferenced scalar: SV 0x7f3682a244a0, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 44.
Attempt to free unreferenced scalar: SV 0x7f363c019f70, Perl interpreter: 0x7f368321f550.
Out of memory!
Attempt to free unreferenced scalar: SV 0x7f363402c818, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 73.
```
I found lots of issues on the Internet about Apache2.4 reporting segfault frequently but no good answer. My guess is that it is an Apache issue more than a LLNG issue.
I also use Nginx Handler and it works perfectly.
So my question is:
Is there anyone else having the same kind of problem with Apache2.4?

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1113
OIDC Provider to SAML SP does not work
2018-05-15T20:31:11Z
dcoutadeur dcoutadeur

I have 3 machines:
- 1 is OIDC RP
- 1 is OIDC Provider + SAML SP
- 1 is SAML IdP
When trying to make a chain :
- Relying Party contacts OpenID Connect Provider
then
- OpenID Connect Provider (configured as SAML SP) contacts SAML IdP
the final return does not work : ie SAML SP not calling his internal IdP
I propose a basic patch, which, in summary :
- happens before storing relay state in SAML SP (Portal/_SAML.pm)
- gets called URL
- if URL matches current portal URL, store it in relay state.
The patch is working, but maybe these points should be validated :
- make sure it is generic, in particular make sure the other way is working: SAML IdP calling an OIDC RP
- security: make sure we won't redirect to unsecure locations
- using CGI module may be improved ? (if the portal is to be made more generic and less adherence to apache)

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Can't get captcha to work with LDAP as backend
2018-05-15T20:31:11Z
Michael Goldfinger

After getting the websites to work and get LDAP to run as configuration backend I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system like shown on the screenshots. The ldapBindDN and ldapBindPassword are used for the configuration backend too so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer if the {SSHA} would work. However the effect is that instead of the captcha I get the image broken icon and nothing is written into the ldap.
The nginx error_log shows only the warnings about the demo accounts.

2.0.0
Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1171
Session explorer freezes when session number is high
2018-05-15T20:31:11Z
Jean-Charles Rogez

When browsing thousands of sessions, the browser freezes (see the attached screenshot).
We think that browsing is not a good solution in this case.
A solution should be to replace the browsing tree by a search formular (uid and ip for active sessions, uid for persistent sessions).

2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327
Facebook module not working due to API changes in Facebook
2018-06-23T06:36:23Z
Clément OUDOT

There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in LinkedIn module.

2.0.0
Clément OUDOT