# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2018-03-26T08:15:53Z)

## Issue #1399: Yubikey as second factor
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1399
Updated: 2018-03-26T08:15:53Z | Author: Yadd

### Summary
Yubikey 2FA: Yubikey is proposed today as an authentication backend. Classic usage for these keys is more a 2FA.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1398: 2F Error after applying trunk
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1398
Updated: 2018-03-19T17:55:15Z | Author: Mathieu Lecompte-melançon

### Concerned version
Version: TRUNK
### Summary
After applying last trunk get an error page on login
### Logs
```
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Loading configuration 79 for process 1495
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Using demonstration mode, go to Manager to edit the configuration
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Using demonstration mode, go to Manager to edit the configuration
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: No cookie found
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Scheme "Demo" returned 9, trying next
Mar 19 08:20:02 srv-test-nginxv2 LLNG[1495]: Scheme "Rest" returned 9, trying next
Mar 19 08:20:02 srv-test-nginxv2 LLNG[1495]: All schemes failed
Mar 19 08:20:09 srv-test-nginxv2 LLNG[1490]: No cookie found
Mar 19 08:20:09 srv-test-nginxv2 LLNG[1490]: Second factor required for dwho
Mar 19 08:20:09 srv-test-nginxv2 LLNG[1490]: REST 2F error: hash- or arrayref expected (not a simple scalar, use allow_nonref to allow this) at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Lib/REST.pm line 22.
```
### Backends used
NGINX+ Last version
### Possible fixes

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1395: error - openid connect
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1395
Updated: 2018-03-13T14:10:39Z | Author: pit pit

Hi,
I have this error in the *error.log* on nginx, when I check openid connect authentication (*Lemonldap 2.0 is an OP*):
```
2018/03/11 15:35:21 [error] 53937#53937: *77 FastCGI sent in stderr: "Can't call method "data" on an undefined value at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 908" while reading response header from upstream, client: xx.xx.xx.xx server: auth.exemple.com, request: "POST /oauth2/token HTTP/1.1", upstream: "fastcgi://unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock:", host: "auth.exemple.com"
```

Milestone: 2.0.0

## Issue #1391: Mixed TOTP/U2F second factor plugin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1391
Updated: 2018-04-17T21:01:39Z | Author: Yadd

### Summary
Like GitLab, the idea is to have a 2F module that authorizes registering a U2F key only if a TOTP has been registered. The auth process proposes the 2 options.
### More
This cannot be done with the TOTP and U2F plugins:
* during auth, U2F will be enabled with the TOTP input; the user just has to touch their key or enter their code
* if TOTP is unregistered, U2F keys will also be removed

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1386: Multiple U2F keys
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1386
Updated: 2019-04-29T20:35:14Z | Author: Yadd

### Summary
#1148 permits the registration of 1 U2F key. This issue proposes registering more than one key _(inspired by GitLab)_.
### ToDo list
* Store more than one key in _u2f* entries *(comma separated)*
* Add a _u2f* entry to store a name for the key *(comma separated in the same order)*
* Modify self registration page to choose which key to remove
* Update manager U2F interface to choose which key to delete

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1385: POST data are URL encoded
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1385
Updated: 2018-03-14T06:04:34Z | Author: Clément OUDOT

When testing SAML with 2.0, I see that if the SAML Response is sent through POST, it is URL encoded, and it should not be.
With 1.9, the SAMLRequest in POST is like this:
```
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U…
```
With 2.0, for the exactly same SAML SP, the SAMLRequest in POST is like this:
```
…%2BPF…ybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ%2BPC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBGcmllbmRseU5hbWU9InVpZCI%2BPHNhbWw6QXR0cmlidXRlVmFsdWU%2BY291ZG90PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U%2B
```
And we have this error:
```
[Fri Mar 02 19:22:43.281515 2018] [auth_mellon:debug] [pid 5393] auth_mellon_handler.c(268): [client 127.0.0.1:60994] loaded IdP "https://auth.openid.club/saml/metadata" from "/etc/apache2/mellon/idp-metadata.xml".
[Fri Mar 02 19:22:43.281553 2018] [auth_mellon:error] [pid 5393] [client 127.0.0.1:60994] Error processing authn response. Lasso error: [-409] Unsupported protocol profile
```
This is because the value is URL encoded, and it should not be. This should only be the case with GET.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1384: Content Security Policy prevents SAML redirection
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1384
Updated: 2018-04-03T20:35:39Z | Author: Clément OUDOT

When trying SAML with POST, the autopost is not working because of CSP:
> Content Security Policy: The page's settings blocked the loading of a resource at http://mellon.example.com/mellon/postResponse ("form-action https://auth.openid.club https://mellon.example.com https://mellon.example.com").

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1383: Include 2nd factor register page in menu
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1383
Updated: 2018-05-09T04:51:33Z | Author: Clément OUDOT

I just tested the new TOTP feature and it works great!
I will try to add a menu button that will link to the register page if the feature is enabled.
We also need to let the user remove the 2nd factor if they want to.

Milestone: 2.0.0 | Assignee: Clément OUDOT

## Issue #1379: Feature: External Second Factor over REST API
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1379
Updated: 2018-02-27T16:47:25Z | Author: Mathieu Lecompte-melançon

It's possible to allow a direct call to a REST API for the second factor.
https://lemonldap-ng.org/documentation/2.0/external2f
Currently we are trying to make a bash file, which makes a curl request inside, to use with the External process feature.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1367: Remove old menu methods in Lemonldap::NG::Portal::Main::Menu
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1367
Updated: 2018-02-12T17:56:15Z | Author: Clément OUDOT

We still have old methods in Menu modules:
* _displayConfCategory
* _displayConfApplication
They should be removed (and associated templates too).

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1359: TOTP plugin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1359
Updated: 2020-04-03T09:08:16Z | Author: Yadd

Using [Auth::GoogleAuth](https://metacpan.org/pod/Auth::GoogleAuth), it seems easy to build a Google Authenticator plugin:
* a protected interface that can generate the base code for any user (used by admin)
* a second factor plugin that asks for the TOTP code

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1353: Mail not searched in LDAP directory in mail reset workflow
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1353
Updated: 2018-03-14T07:04:39Z | Author: Clément OUDOT

When testing mail reset, the mail is not searched in LDAP. Here is what we have in the logs:
```
Jan 10 15:31:03 llng-site LLNG[41308]: User not authenticated, Try in use, cancel redirection
Jan 10 15:31:03 llng-site LLNG[41308]: Start routing resetpwd
Jan 10 15:31:03 llng-site LLNG[41308]: Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
Jan 10 15:31:03 llng-site LLNG[41308]: Good captcha response
Jan 10 15:31:03 llng-site LLNG[41308]: Captcha code verified
Jan 10 15:31:03 llng-site LLNG[41308]: Processing getUser
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=1 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=1 SRCH attr=supportedLDAPVersion
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 BIND anonymous mech=implicit ssf=0
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 BIND dn="cn=lemonldapng,ou=dsa,dc=openid,dc=club" method=128
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 BIND dn="cn=lemonldapng,ou=dsa,dc=openid,dc=club" mech=SIMPLE ssf=0
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 RESULT tag=97 err=0 text=
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=3 SRCH base="ou=people,dc=openid,dc=club" scope=2 deref=2 filter="(&(?uid=)(objectClass=inetOrgPerson))"
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=3 SRCH attr=1.1 sn givenName uid mail cn
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 10 15:31:03 llng-site LLNG[41308]: Returned error: 5
Jan 10 15:31:03 llng-site LLNG[41308]: Display called with code: 72
Jan 10 15:31:03 llng-site LLNG[41308]: Display "confirm mail sent"
Jan 10 15:31:03 llng-site LLNG[41308]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/fusioniam/mail.tpl
Jan 10 15:31:03 llng-site LLNG[41308]: Sending /usr/share/lemonldap-ng/portal/templates/fusioniam/mail.tpl
```
First we should use a different filter (mail= and not uid=) and second, we don't pass the mail value to the filter.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1348: $_auth/$_userDB/... not available in session with Choice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1348
Updated: 2018-03-06T22:00:31Z | Author: Clément OUDOT

With Choice, we don't see in the session which backend was used.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1342: IDP selection in SAML IDP selection screen does not work
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1342
Updated: 2018-06-25T20:14:56Z | Author: Clément OUDOT

The javascript that selects the IDP was moved into confirm.js, but this javascript is only loaded when the timer is active, and in the IDP selection list the timer is not active.
We need to extract the IDP selection from confirm.js, or find a way to disable timer in the javascript.
Or we can keep the code from 1.9 which set the onclick event directly in HTML code:
```html
<button type="submit" class="btn btn-info" onclick="$('#idp').val('<TMPL_VAR NAME="VAL">')">
```

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1339: Refresh my rights does not work with Choice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1339
Updated: 2017-12-18T09:40:15Z | Author: Clément OUDOT

With Choice, we cannot use the "refresh my rights" feature.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1338: Bad encoding when values submitted from register form
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1338
Updated: 2017-12-21T14:41:34Z | Author: Clément OUDOT

I created a user using the register plugin. I use for example "Clément" as first name, and the value is badly encoded in sent mails and in the entry created in LDAP.
Note that I used Nginx for the test.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1333: Server internal error with Register module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1333
Updated: 2017-12-12T06:00:34Z | Author: Clément OUDOT

Tried to use the LDAP Register module and got this error:
```
Dec 4 16:26:31 llng-site LLNG[40694]: User not authenticated, Try in use, cancel redirection
Dec 4 16:26:31 llng-site LLNG[40694]: Start routing register
Dec 4 16:26:31 llng-site LLNG[40694]: Prepare captcha
Dec 4 16:26:31 llng-site LLNG[40694]: First access to register form
Dec 4 16:26:31 llng-site LLNG[40694]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/register.tpl
Dec 4 16:26:31 llng-site LLNG[40694]: Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/register.tpl
Dec 4 16:26:47 llng-site LLNG[40697]: User not authenticated, Try in use, cancel redirection
Dec 4 16:26:47 llng-site LLNG[40697]: Start routing register
Dec 4 16:26:47 llng-site LLNG[40697]: Good captcha response
Dec 4 16:26:47 llng-site LLNG[40697]: Captcha code verified
Dec 4 16:26:47 llng-site LLNG[40697]: No register_token
Dec 4 16:26:47 llng-site LLNG[40697]: Register session found: 1512332807_4879
Dec 4 16:26:47 llng-site LLNG[40697]: Try to get SSO session 1512332807_4879
Dec 4 16:26:47 llng-site LLNG[40697]: Session cannot be tied: Invalid session ID: 1512332807_4879 at /usr/share/perl5/Apache/Session/Generate/MD5.pm line 42, <F> line 4.
Dec 4 16:26:47 llng-site LLNG[40697]: Register expiration timestamp: 3600
Dec 4 16:26:47 llng-site LLNG[40697]: Register start timestamp: 1512401207
Dec 4 16:26:47 llng-site LLNG[40697]: Skin bootstrap selected from GET/POST parameter
```

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1332: LDAP groups not correctly set in session
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1332
Updated: 2017-12-04T13:22:58Z | Author: Clément OUDOT

I tried to collect LDAP groups but they are not well stored in the session. For a user belonging to group "admin", I have this value in $groups:
```js
"groups" : "; admin|",
```
And I don't find the hGroups variable in the session.

Milestone: 2.0.0 | Assignee: Clément OUDOT

## Issue #1330: Menu rules for applications using SAML/CAS/OIDC
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1330
Updated: 2018-03-14T10:28:03Z | Author: Yadd

Many applications use a federation protocol instead of a handler. This issue will provide the capability to manage application visibility using service-provider rules.

Milestone: 2.0.0 | Assignee: Yadd

## Issue #1327: Facebook module not working due to API changes in Facebook
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327
Updated: 2018-06-23T06:36:23Z | Author: Clément OUDOT

There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in the LinkedIn module.

Milestone: 2.0.0 | Assignee: Clément OUDOT
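Added example for issue #1385 above (POST data are URL encoded). This is Python written for this page, not LemonLDAP::NG's Perl code nor mod_auth_mellon's. It shows the difference between the two SAML bindings the issue contrasts: the HTTP-POST binding carries the SAMLResponse as a hidden form field, so the IdP emits plain base64 and the browser does the form-encoding; only the HTTP-Redirect binding (GET) deflates, base64-encodes and then URL-encodes, because there the value travels in the query string. `sp_receives_post` simulates the browser submitting the auto-post form and the SP decoding the field once, which is where a pre-URL-encoded value (the `%2B`/`%3D` visible in the issue) stops being valid base64. The sample response and the issuer `https://idp.example.org/saml/metadata` are constructed for the example.

```python
"""SAML 2.0 HTTP-POST vs HTTP-Redirect binding encoding (illustrates issue #1385)."""
import base64
import binascii
import zlib
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed sample: a minimal, unsigned response standing in for the real one in the issue.
SAMPLE_RESPONSE = (
    b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_x1" Version="2.0">'
    b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    b"https://idp.example.org/saml/metadata</saml:Issuer>"
    b"</samlp:Response>"
)


def encode_post_binding(xml: bytes) -> str:
    """HTTP-POST binding: base64 only. The value becomes a hidden form field and the
    browser form-encodes it on submit, so the IdP must not URL-encode it itself."""
    return base64.b64encode(xml).decode("ascii")


def urlencoded_post_field(xml: bytes) -> str:
    """The behaviour reported for 2.0: the form field URL-encoded before being emitted."""
    return quote(encode_post_binding(xml), safe="")


def encode_redirect_binding(xml: bytes) -> str:
    """HTTP-Redirect binding (GET): raw DEFLATE, base64, then URL-encode for the query string."""
    z = zlib.compressobj(wbits=-15)  # raw deflate, no zlib header/trailer
    deflated = z.compress(xml) + z.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(value: str) -> bytes:
    raw = base64.b64decode(unquote(value), validate=True)
    return zlib.decompress(raw, wbits=-15)


def sp_receives_post(form_value: str) -> bytes:
    """Simulate the browser posting the form and the SP decoding the field once.

    Raises binascii.Error when the field was URL-encoded before being put in the form:
    the browser encodes '%' as '%25', the SP's single decode gives back '%2B'/'%3D',
    and those are not base64 digits."""
    body = urlencode({"SAMLResponse": form_value})                   # what the browser sends
    field = parse_qs(body, strict_parsing=True)["SAMLResponse"][0]   # SP form-decodes once
    return base64.b64decode(field, validate=True)


def post_field_is_valid(form_value: str) -> bool:
    try:
        sp_receives_post(form_value)
        return True
    except binascii.Error:
        return False
```

The sample is 223 bytes long on purpose, so its base64 form ends in `==`; URL-encoding that field turns the padding into `%3D%3D`, which is exactly the kind of sequence seen in the issue's 2.0 output. The Redirect binding round-trips through `quote`/`unquote` because the query string is the only place where URL-encoding belongs.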
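Added example for issue #1384 above (Content Security Policy prevents SAML redirection). This is Python written for this page, not LemonLDAP::NG code. The browser message in the issue lists `form-action https://auth.openid.club https://mellon.example.com` while the auto-post form targets `http://mellon.example.com/mellon/postResponse`; the matcher below implements the CSP3 host-source rules for scheme, host, port and path in simplified form (no port wildcard, no keyword sources) and goes a little beyond the issue by showing the one scheme mismatch CSP does tolerate (an `http:` source allowing an `https:` target, never the reverse). `form_action_sources_for` is an assumed mitigation, not the project's implementation: derive the directive from the SP endpoints the IdP actually posts to, keeping each endpoint's scheme as configured.

```python
"""CSP form-action host-source matching (illustrates issue #1384)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _scheme_part_matches(expr_scheme: str, url_scheme: str) -> bool:
    # CSP3 "scheme-part matches": identical, or an http->https / ws->wss upgrade.
    # A downgrade (https: source, http: URL) never matches; that is the failure in the issue.
    return expr_scheme == url_scheme or (expr_scheme, url_scheme) in {("http", "https"), ("ws", "wss")}


def source_matches(expression: str, url: str) -> bool:
    """Does one host-source expression (scheme://host[:port][/path]) allow url?"""
    e, u = urlsplit(expression), urlsplit(url)
    if not e.scheme or not e.hostname:
        raise ValueError("expression must carry an explicit scheme and host")
    if not _scheme_part_matches(e.scheme.lower(), u.scheme.lower()):
        return False
    expr_host, url_host = e.hostname.lower(), (u.hostname or "").lower()
    if expr_host.startswith("*."):
        if not url_host.endswith(expr_host[1:]):
            return False
    elif expr_host != url_host:
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme.lower())
    if e.port is None:
        # No port in the source: the URL must use the default port of its own scheme.
        if url_port != DEFAULT_PORTS.get(u.scheme.lower()):
            return False
    elif e.port != url_port:
        return False
    if e.path and e.path != "/":
        # A path ending in '/' is a prefix; anything else must match exactly.
        return u.path.startswith(e.path) if e.path.endswith("/") else u.path == e.path
    return True


def form_action_allows(policy_sources, url: str) -> bool:
    """True if any source in the form-action directive allows submitting a form to url."""
    return any(source_matches(src, url) for src in policy_sources)


def form_action_sources_for(endpoints) -> list:
    """Assumed fix: build the form-action list from the real SP endpoints, scheme included."""
    sources = []
    for endpoint in endpoints:
        p = urlsplit(endpoint)
        src = f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")
        if src not in sources:
            sources.append(src)
    return sources


# Constructed from the policy and target quoted in the issue.
ISSUE_POLICY = ["https://auth.openid.club", "https://mellon.example.com"]
ISSUE_TARGET = "http://mellon.example.com/mellon/postResponse"
```

Running `form_action_allows(ISSUE_POLICY, ISSUE_TARGET)` gives `False` for the reason the browser reported: the SP was configured over plain `http` while the policy only whitelists it over `https`. Either the SP endpoint should be `https` (the better outcome for a SAML response) or the directive must list the scheme the SP really uses.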
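Added example for issue #1353 above (Mail not searched in LDAP directory in mail reset workflow). This is Python written for this page, not LemonLDAP::NG's Perl code. The slapd log shows the filter `(&(?uid=)(objectClass=inetOrgPerson))`: wrong attribute and an empty value. The function below expands a filter template with a `$mail` placeholder (the template form is an assumption for the example), escapes the value per RFC 4515 so a user-supplied address cannot inject filter syntax, and refuses a missing or empty value instead of sending a filter that matches nothing. `MAIL_RESET_FILTER` and the sample addresses are constructed.

```python
"""LDAP filter construction with RFC 4515 escaping (illustrates issue #1353)."""
import re

# RFC 4515 section 3: these must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_PLACEHOLDER = re.compile(r"\$(\w+)")

# Assumed template shape for the mail-reset lookup (not the project's actual parameter).
MAIL_RESET_FILTER = "(&(mail=$mail)(objectClass=inetOrgPerson))"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, **values: str) -> str:
    """Expand $name placeholders in template with escaped values.

    A missing or empty value raises ValueError rather than producing a filter that
    matches nothing (or, with a template such as (uid=$uid*), matches every entry)."""
    def expand(match):
        name = match.group(1)
        value = values.get(name)
        if not value:
            raise ValueError(f"no value supplied for ${name} in filter template")
        return ldap_filter_escape(value)

    return _PLACEHOLDER.sub(expand, template)


def filter_or_none(template: str, **values: str):
    """Convenience wrapper: the filter string, or None when it cannot be built safely."""
    try:
        return build_filter(template, **values)
    except ValueError:
        return None
```

With the address passed under the right name, `build_filter(MAIL_RESET_FILTER, mail="user@example.org")` yields `(&(mail=user@example.org)(objectClass=inetOrgPerson))`; passing it under `uid`, as the logged filter suggests happened, is rejected instead of silently searching for nothing. An injection attempt such as `*)(uid=*` comes out as `\2a\29\28uid=\2a`, an ordinary literal.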
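Added example for issue #1359 above (TOTP plugin). This is Python written for this page; it is neither the project's Perl code nor Auth::GoogleAuth. It covers the two halves the issue lists, generating the enrolment material (secret and `otpauth://` URI for the authenticator app) and verifying a submitted code, and adds the checks a second-factor verifier needs: constant-time comparison, a one-step window for clock drift, and refusal of any time step at or before the last accepted one so a captured code cannot be replayed. The RFC 6238 test secret `12345678901234567890` is used so the results can be checked against the RFC's vectors; the account and issuer names are constructed.

```python
"""TOTP (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1) enrolment and verification (illustrates issue #1359)."""
import base64
import hashlib
import hmac
import os
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the time-step counter the code was accepted for, or None.

    last_counter is the counter of the last code accepted for this user; any step at
    or before it is refused, so a code observed once cannot be replayed in the window."""
    code = str(code).strip()
    if not (code.isascii() and code.isdigit()) or len(code) != digits:
        return None
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh per-user secret; 20 bytes is the HMAC-SHA1 key size the RFC uses."""
    return os.urandom(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI (the QR code content) understood by Google Authenticator and similar apps."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret, not for real use
```

The verifier returns the accepted counter so the caller can persist it as `last_counter` for the next attempt; that stored value is what turns a one-step drift window from a replay opportunity into a harmless usability feature. Rate-limiting attempts per user is still needed on top, since a 6-digit code has only a million possibilities.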