# lemonldap-ng issues

Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-11-03T22:01:36Z

## Issue #1515: Possibility to configure main logo on portal page

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1515
Updated: 2018-11-03T22:01:36Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Summary
We have a parameter for the portal background; we could also have a parameter for the main logo, so it would be easier to adapt the default bootstrap skin.

## Issue #1513: SAML replay protection is not replaying authentication

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1513
Updated: 2018-10-28T12:27:08Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Yadd

As SAML SP, when we check replay protection, we should replay authentication if the check fails:
```perl
unless ( $self->replayProtection($assertion_responded) ) {
    # Assertion was already consumed or is expired
    # Force authentication replay
    $self->userLogger->error(
        "Message $assertion_responded already used or expired, replay authentication"
    );
    delete $req->{urldc};
    $req->mustRedirect(1);
    $req->steps( [] );
    return PE_OK;
}
```
But at this point we have not set $req->user, so we end up with this error in Portal/Main/Process.pm:
```perl
sub extractFormInfo {
    my ( $self, $req ) = @_;
    return PE_ERROR unless ( $self->_authentication );
    my $ret = $self->_authentication->extractFormInfo($req);
    if ( $ret == PE_OK and not( $req->user or $req->continue ) ) {
        $self->logger->error(
            'Authentication module succeed but has not set $req->user');
        return PE_ERROR;
    }
```
Should we not set "$req->continue" in our SAML code?

## Issue #1512: Option to choose which SAML attribute will be used as "user" key

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1512
Updated: 2018-10-02T15:21:03Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

For the moment, we use the NameID value as "user" key, which can be a problem when using it as a pivot on another userDB.
We need an option to choose which SAML attribute will be used as "user" key.

## Issue #1510: GrantSession module does not work

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1510
Updated: 2018-10-07T20:42:22Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0
### Summary
1. GrantSession.pm is not loaded when rules are set from Manager
2. Seems rules are not applied
### Logs
```
[debug] **Store dwho in session key uid**
[debug] Launching ::Plugins::GrantSession::run
[debug] **Grant session condition "$uid ne "dwho"##no"**
[debug] Processing storeHistory
[debug] Current login saved into successLogin
[debug] Found 'whatToTrace' -> dwho
```

## Issue #1508: Test all password reset by mail workflows

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1508
Updated: 2020-07-28T14:01:48Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

When testing password reset, submitting the same mail twice did not show a confirmation page to inform that a mail was already sent.
The log seems to show the opposite:
```
[debug] Build URL http://auth.example.com:19876/resetpwd?skin=bootstrap
[debug] Redirect 127.0.0.1 to portal (url was /resetpwd?skin=bootstrap)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing resetpwd
[debug] Trying to load token 1537653191_524
[debug] Good captcha response
[debug] Captcha code verified
[debug] Processing getUser
[debug] Processing setSessionInfo
[debug] Processing setMacros
[debug] Processing setGroups
[debug] Processing setPersistentSessionInfo
[debug] Persistent session found for dwho
[debug] Restore persistent parameter _loginHistory
[debug] Restore persistent parameter _updateTime
[debug] Processing setLocalGroups
[debug] Try to get SSO session be2b1fb4c2201bf63c2243073335d0262b9b399965a375c4acd137f7c8803456
[debug] Return SSO session be2b1fb4c2201bf63c2243073335d0262b9b399965a375c4acd137f7c8803456
[debug] Mail session found: be2b1fb4c2201bf63c2243073335d0262b9b399965a375c4acd137f7c8803456
[debug] Mail expiration timestamp: 1537796370
[debug] Mail start timestamp: 1537724370
[notice] Reset mail already sent to dwho
[debug] Display called with code: 72
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Display "confirm mail sent"
[debug] Starting HTML generation using /home/clement/dev/lemonldap-ng/lemonldap-ng-portal/site/templates/bootstrap/mail.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /home/clement/dev/lemonldap-ng/lemonldap-ng-portal/site/templates/bootstrap/mail.tpl
[debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self';frame-ancestors 'none';
auth.example.com:80 127.0.0.1 - - [23/Sep/2018:19:51:21 +0200] "POST /resetpwd?skin=bootstrap HTTP/1.1" 200 7597
auth.example.com:80 127.0.0.1 - - [23/Sep/2018:19:51:21 +0200] "GET /static/bwr/bootstrap/dist/css/bootstrap-theme.css HTTP/1.1" 302 543
```
Maybe an issue in the template.

## Issue #1507: Force authentication to access the Portal is no longer available

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1507
Updated: 2018-11-24T11:21:16Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Summary
On 2.0.0 the option is missing...
Force authentication: set to 'On' to force authentication when the user connects to the portal, even if he has a valid session
### Design proposition
Like in 1.9

## Issue #1506: Implement a brute force attack protection

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1506
Updated: 2018-12-13T16:42:57Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Summary
Create a mechanism to prevent brute force attacks
### Design proposition
After a failed login, the user must wait between login attempts.
timer = Failed logins X 10 seconds

## Issue #1505: Check iframe protection

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1505
Updated: 2018-11-24T11:20:03Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Summary
Test if iframe protection works fine
### Design proposition
Create an HTML page with a link to the LLNG portal

## Issue #1504: Upgrade to bootstrap 4

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1504
Updated: 2018-11-24T11:22:33Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Yadd

See http://upgrade-bootstrap.bootply.com/

## Issue #1502: Server error when SAML metadata parsing not possible

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1502
Updated: 2018-09-11T09:07:46Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

If we have some metadata that are not compliant with the Lasso parser, we return a server error (Error 500).
As SAML metadata parsing occurs at init, we can't display the portal anymore. I suggest we just set a warn log message and let the portal end its process.

## Issue #1501: Improve Login history module

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1501
Updated: 2018-11-06T20:35:05Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0
Platform: Apache
### Summary
Minor fixes todo

## Issue #1500: Possibility to override parameters in Choice modules

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1500
Updated: 2019-10-01T12:50:31Z
Author: Anthony ROUSSEL
Milestone: 2.0.0
Assignee: Yadd

### Concerned version
Version: 1.9.17
Platform: Apache2
### Summary
Hello
We want to try authentication choice with several LDAP servers:
1. Active Directory for our internal users
2. OpenLDAP for "partner's users"
In managerUi, when choosing Authmodule, usermodule, pwdmodule == Authentication Choice, I then specify "allowed modules":
- AuthAD / Active Directory / Active Directory / Active Directory / noUrl / noCondition
- AuthLDAP / LDAP / LDAP / LDAP / noUrl / noCondition
but I can only specify one LDAP configuration in "LDAP Parameters".
Am I doing it wrong or is this a "display bug"?
I guess the problem would be the same with multiple LDAP
### Backends used
FileConf

## Issue #1499: CSP prevents submitting the OIDC consents form

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1499
Updated: 2018-10-30T19:33:07Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0
Platform: Nginx
### Summary
CSP prevents OIDC consents from being accepted or refused
### Logs
```
Calling sendHtml with template confirm
Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/confirm.tpl
Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/confirm.tpl
Apply following CSP : default-src *;img-src *;style-src *;font-src *;connect-src *;form-action 'self';frame-ancestors 'none';
Start routing oauth2
```

## Issue #1497: Move "afterData" entry point before "buildCookie" and add "endAuth" entrypoint

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1497
Updated: 2018-09-05T13:43:59Z
Author: Yadd
Milestone: 2.0.0
Assignee: Yadd

Needs also to modify notifications

## Issue #1477: SAML Common Domain Cookie

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1477
Updated: 2018-09-04T09:50:03Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Yadd

The SAML CDC feature does not seem to work.
First, I tried to create the local CDC page (CDC writer URL), like this:
```
# vi /usr/share/lemonldap-ng/portal/htdocs/cdc.fcgi
```
```perl
#!/usr/bin/perl
use Plack::Handler::FCGI;
use Lemonldap::NG::Portal::CDC;
# Roll your own
my $server = Plack::Handler::FCGI->new();
$server->run( Lemonldap::NG::Portal::CDC->run( {} ) );
```
```
# chmod +x /usr/share/lemonldap-ng/portal/htdocs/cdc.fcgi
```
When accessing https://auth.openid.club/cdc.fcgi, we have this error:
```
==> /var/log/apache2/error.log <==
[Wed Jul 18 09:21:21.548027 2018] [fcgid:warn] [pid 94631] (104)Connection reset by peer: [client 92.184.102.58:40262] mod_fcgid: error reading data from FastCGI server
[Wed Jul 18 09:21:21.548173 2018] [core:error] [pid 94631] [client 92.184.102.58:40262] End of script output before headers: cdc.fcgi
==> /var/log/apache2/other_vhosts_access.log <==
auth.openid.club:443 92.184.102.58 - - [18/Jul/2018:09:21:21 +0200] "GET /cdc.fcgi HTTP/1.1" 302 725 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
```
Then, when calling the CDC code from the Auth::SAML module, we have another error:
```
==> /var/log/apache2/error.log <==
[debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[debug] Get configuration from cache without verification.
[debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[info] No cookie found
[debug] Build URL https://auth.openid.club/
[debug] Redirect 92.184.102.58 to portal (url was /)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing default route
[debug] Processing restoreArgs
[debug] Processing controlUrl
[debug] Processing code ref
[debug] Processing code ref
[debug] Launching ::Issuer::SAML::storeEnv
[debug] Processing code ref
[debug] Launching ::Issuer::CAS::storeEnvAndCheckGateway
[debug] Processing code ref
[debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
[debug] Processing code ref
[debug] Launching ::Plugins::AutoSignin::check
[debug] Processing extractFormInfo
[debug] Will try to use Common Domain Cookie for IDP resolution
[Wed Jul 18 09:22:33.016415 2018] [fcgid:warn] [pid 94498] [client 92.184.102.58:40270] mod_fcgid: stderr: Can't locate object method "self_url" via package "Lemonldap::NG::Portal::Auth::SAML" at /usr/share/perl5/Lemonldap/NG/Portal/Auth/SAML.pm line 1418., referer: https://auth.openid.club/
==> /var/log/apache2/other_vhosts_access.log <==
auth.openid.club:443 92.184.102.58 - - [18/Jul/2018:09:22:33 +0200] "POST / HTTP/1.1" 500 3929 "https://auth.openid.club/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
```

## Issue #1468: Enabling both Auth::SAML and Issuer::SAML breaks SLO

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1468
Updated: 2018-06-30T06:41:53Z
Author: Yadd
Milestone: 2.0.0
Assignee: Yadd

# Version
Probably any version since 1.0.0
# Description
Just enabling issuerDBSAMLActivation on a SAML SP breaks SLO. (related to #1449)

## Issue #1465: Enhance IDP selection

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1465
Updated: 2018-11-19T22:09:59Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

We need a dedicated template for IDP selection, to keep the confirm template for confirmation steps.
We should also have the same features for all protocols (CAS/SAML/OIDC):
* Automatic redirection when only one IDP is available
* No timer when redirecting to IDP (or make it configurable)
* IDP preselection rule
* Icon configuration

## Issue #1464: Modify oidcConsents keys storage structure

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1464
Updated: 2018-07-22T21:15:23Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Summary
Use an array of JSON to store oidcConsents in the persistent session.
Why not in SSO sessions too...
### Design proposition
Like _2fDevices

## Issue #1463: Login form JS errors

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1463
Updated: 2018-06-26T09:12:15Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0.0
Platform: (Nginx/Apache/Node.js)
### Summary
### Possible fixes
Modify HTML code
See screenshot
![login](/uploads/8ffee6c118835d8162f95f01b688fe44/login.png)

## Issue #1460: Warning in Main::Process

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1460
Updated: 2018-06-21T15:11:00Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Yadd

```
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/^Lemonldap::NG::Portal::Main=HASH(0x5611f4d93788)->conf->{ <-- HERE multiValuesSeparator}/ at /usr/share/perl5/Lemonldap/NG/Portal/Main/Process.pm line 401.
```