lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2018-05-19T19:41:42Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1131
Portal plugin to "Stay connected on this device"
2018-05-19T19:41:42Z
Yadd
Many websites provide a "Stay connected" feature based on a permanent cookie. I propose to add this feature, but using [Fingerprintjs2|https://github.com/Valve/fingerprintjs2] to secure the cookie.
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1148
U2F - Universal 2nd Factor Authentication
2018-06-12T15:56:55Z
Yadd
Insert registration application and for registered users, ask for U2F auth.
U2F authentication flag will be inserted in session for rules.
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1151
Replace Multi by a Combination parser
2018-05-19T19:41:43Z
Yadd
Multi will be replaced by a combination parser that can understand :
* [ LDAP ] or [ DBI ]
* [ LDAP ] and [ DBI ]
* [ SSL, LDAP ] or [ LDAP ]
* if ($env->{REMOTE_ADDR} =~ /^10\./) then [ SSL, LDAP ] else [ LDAP ]
* if ($env->{REMOTE_ADDR} =~ /^10\./) then [ SSL, LDAP ] else if ($env->{REMOTE_ADDR} =~ /^192/) then [ LDAP ] else [ DBI ]
* [ MyLDAP1 ] or [ MyLDAP2 ]
* [ LDAP, LDAP and DBI ]
...
Names given _(LDAP, DBI,…)_ must be declared:
```
combModules => {
    MyLDAP1 => {
        type => 'LDAP',
        for  => 0,    # 1 = auth, 2 = userDB, 0 = both
        over => {
            ldapServer => 'ldaps://10.0.0.1',
        }
    }
}
```
2.0.0
Yadd
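An added example, not LL::NG's Combination module (which is Perl), showing what a parser for the syntax proposed above has to do: tokenize the rule, build the if/else ladder and the or/and chains, check every module name against `combModules` (including the `for` role from the comment in the snippet), pick a chain from the request environment and run it. The semantics are assumptions made for this demo: `[ A ]` uses A for both authentication and user data, `[ A, B ]` authenticates with A and reads user data from B (or `B and C`), `X or Y` tries Y only if X failed, `X and Y` requires both, and an `if` condition is restricted to `$env->{KEY} =~ /re/` (or `!~`). The backends, users, `combModules` entries and the rule string are constructed stand-ins.

```python
# Added example, not LL::NG code: a parser and evaluator for the combination syntax above.
# The or/and/if semantics and the "[ auth, userDB ]" reading of a group are assumptions made
# for this demo; an if-condition is limited to  $env->{KEY} =~ /re/  (or !~).
import re
TOKEN_RE = re.compile(r"\s*(?:(\[|\]|,|\([^()]*\)|if\b|then\b|else\b|or\b|and\b|[A-Za-z_]\w*)|(\S))")
COND_RE = re.compile(r"\(\s*\$env->\{(\w+)\}\s*(=~|!~)\s*/(.*)/\s*\)")
# AST: chain = [(op, (auth, [userdb, ...])), ...] with op "" on its first group; if-node = ("if", key, negate, regex, then_chain, else_node)

class Parser:
    def __init__(self, text):
        self.toks, self.i, self.groups = [], 0, []     # groups: every [ ... ] seen, for validation
        for m in TOKEN_RE.finditer(text.strip()):
            if m.group(2):
                raise SyntaxError(f"unexpected {m.group(2)!r} at offset {m.start(2)}")
            self.toks.append(m.group(1))
        self.ast = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"trailing input: {self.peek()!r}")
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'more input'}, got {tok!r}")
        self.i += 1
        return tok
    def expr(self):                  # expr := 'if' (cond) 'then' chain 'else' expr | chain
        if self.peek() != "if":
            return self.chain()
        self.take("if")
        m = COND_RE.fullmatch(self.take())
        if not m:
            raise SyntaxError("unsupported condition; only $env->{KEY} =~ /re/ is handled here")
        self.take("then")
        then = self.chain()
        self.take("else")
        return ("if", m.group(1), m.group(2) == "!~", m.group(3), then, self.expr())
    def chain(self):                 # chain := group (('or'|'and') group)*
        chain = [("", self.group())]
        while self.peek() in ("or", "and"):
            chain.append((self.take(), self.group()))
        return chain
    def group(self):                 # group := '[' NAME (',' NAME ('and' NAME)*)? ']'
        self.take("[")
        names, sep = [self.name()], ","
        while self.peek() == sep:    # one ',' separates auth from userDB, then 'and' merges userDBs
            self.take()
            names.append(self.name())
            sep = "and"
        self.take("]")
        self.groups.append((names[0], names[1:] or names))
        return self.groups[-1]
    def name(self):
        tok = self.take()
        if tok in ("if", "then", "else", "or", "and") or not re.fullmatch(r"[A-Za-z_]\w*", tok):
            raise SyntaxError(f"module name expected, got {tok!r}")
        return tok

def check_declared(groups, comb_modules):
    """Every name must be declared, with a 'for' that allows its role (1 = auth, 2 = userDB, 0 = both)."""
    problems = set()
    for auth, userdb in groups:
        for name, role, ok_for in [(auth, "auth", (0, 1))] + [(u, "userDB", (0, 2)) for u in userdb]:
            if name not in comb_modules:
                problems.add(f"{name} is not declared in combModules")
            elif comb_modules[name].get("for", 0) not in ok_for:
                problems.add(f"{name} cannot be used as {role}")
    return sorted(problems)

def select_chain(node, env):
    while isinstance(node, tuple):   # walk the if/else ladder using the request environment
        _, key, negate, regex, then, else_ = node
        node = then if (re.search(regex, str(env.get(key, ""))) is not None) != negate else else_
    return node

def authenticate(chain, modules, creds):
    ok, tried = False, []            # left to right with short-circuit; returns (ok, auth modules tried)
    for op, (auth, _userdb) in chain:
        if op == "" or (op == "or" and not ok) or (op == "and" and ok):
            tried.append(auth)
            ok = bool(modules[auth](creds))
    return ok, tried

# Constructed stand-ins for real backends and for the combModules declarations.
USERS = {"LDAP": {"alice": "ldap-secret"}, "DBI": {"bob": "dbi-secret"}}
def pw(store):
    return lambda c: "password" in c and USERS[store].get(c.get("user")) == c["password"]
MODULES = {"LDAP": pw("LDAP"), "DBI": pw("DBI"), "SSL": lambda c: c.get("client_cert_cn") is not None}
COMB_MODULES = {"SSL": {"type": "SSL", "for": 1},   # auth only: a client certificate carries no user data
                "LDAP": {"type": "LDAP", "for": 0, "over": {"ldapServer": "ldaps://10.0.0.1"}},
                "DBI": {"type": "DBI", "for": 0}}
RULE = (r"if ($env->{REMOTE_ADDR} =~ /^10\./) then [ SSL, LDAP ] "
        r"else if ($env->{REMOTE_ADDR} =~ /^192/) then [ LDAP ] else [ DBI ] or [ LDAP, LDAP and DBI ]")

def login(rule, env, creds, comb_modules=COMB_MODULES, modules=MODULES):
    p = Parser(rule)
    problems = check_declared(p.groups, comb_modules)
    if problems:                     # fail closed on a mistyped or misused module name
        raise ValueError("; ".join(problems))
    return authenticate(select_chain(p.ast, env), modules, creds)
```

`login()` refuses a rule that names an undeclared or misused module instead of skipping it, which is the safer failure for an authentication chain: a typo must not silently turn `[ LDAP ] and [ DBI ]` into a single-backend rule.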
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1161
Manage access rules for CAS, SAML and OpenID Connect clients
2018-06-23T08:19:18Z
Clément OUDOT
As we are doing a lot of modifications for 2.0, I would like to rethink how we manage access rules and find a way to apply them to all LL::NG clients/applications, not only those protected by Handler.
From my point of view, an application can be authenticated and protected with multiple methods:
* HTTP headers behind Handlers
* CAS
* SAML
* OpenID Connect
We already implemented a kind of access control for CAS clients, when the CAS service matches a registered virtual host, but this is a kind of hack that we can improve.
CAS code must be rewritten so we can declare CAS servers and CAS services, like we have SAML IDP/SP and OIDC OP/RP.
And for CAS, SAML and OIDC, we should have a new sub-branch for access rules, like we have in virtual hosts. Note that we already have the "exported attributes" for SAML and OIDC; we just need to add them for CAS.
With this, we could be, I think, the only SSO and Access Management solution to act on HTTP headers, CAS, SAML and OpenID Connect.
2.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1162
Capability to use Log4Perl (and other log backends)
2018-06-13T19:34:33Z
Yadd
Create Lemonldap::NG::Common::Logger::* classes to be able to choose logging stack.
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1188
Custom auth/userDB/password/register modules
2018-05-19T19:41:45Z
Yadd
Insert "Custom" in selects. customParams will contain real class names.
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1196
Auth::PAM module
2018-05-19T19:41:45Z
Yadd
Using Authen::PAM, it seems easy to write this.
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1204
Propose reauthentication if higher access level is requested
2019-07-09T17:15:57Z
Clément OUDOT
We need to be able to know which authentication level is requested (acr_values in OpenID Connect, requestedauthenticationcontext in SAML, a new parameter in Handler). Then compare this level to the current level and force reauthentication if the level is not enough.
This also implies only proposing authentication backends that are up to the requested level in the combination module.
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1206
TLS support for mails
2018-05-19T19:41:45Z
Yadd
Add options in MIME::Lite to enable SSL or STARTTLS
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1212
Propose SSL authentication by Ajax
2018-11-21T19:17:21Z
Yadd
To be able to chain SSL with Combination, we could use an Ajax URL like in Kerberos auth module
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1312
errors using saml post sso
2018-05-19T19:41:51Z
dcoutadeur dcoutadeur
Here is the use case:
- LemonLDAP 2.0 SAML IdP, authentication = combination (Kerberos, LDAP)
- LemonLDAP SAML SP
On the IdP, I get the following errors, which lead to a 500 internal error
```
Use of uninitialized value $encryption_mode in pattern match (m//) at /usr/local/share/perl5/Lemonldap/NG/Portal/Lib/SAML.pm line 2888.
Use of uninitialized value $encryption_mode in pattern match (m//) at /usr/local/share/perl5/Lemonldap/NG/Portal/Lib/SAML.pm line 2890.
Use of uninitialized value $encryption_mode in concatenation (.) or string at /usr/local/share/perl5/Lemonldap/NG/Portal/Lib/SAML.pm line 362.
[warn] No IDP found in configuration
Argument "Lasso::Constants::LOGIN_PROTOCOL_PROFILE_BRWS_ART" isn't numeric in numeric eq (==) at /usr/local/share/perl5/Lemonldap/NG/Portal/Issuer/SAML.pm line 726.
Argument "Lasso::Constants::LOGIN_PROTOCOL_PROFILE_BRWS_ART" isn't numeric in numeric eq (==) at /usr/local/share/perl5/Lemonldap/NG/Portal/Issuer/SAML.pm line 743.
mod_fcgid: stderr: Attribute (storageModule) does not pass the type constraint because: Validation failed for 'Str' with value undef at /usr/lib64/perl5/vendor_perl/Mouse/Util.pm line 383., referer: https://www.auth.example.com/
mod_fcgid: stderr: \tMouse::Util::throw_error('Mouse::Meta::Attribute=HASH(0x198c3e8)', 'Attribute (storageModule) does not pass the type constraint b...', 'data', undef, 'depth', -1) called at /usr/local/share/perl5/Lemonldap/NG/Portal/Lib/SAML.pm line 2778, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Portal::Lib::SAML::getSamlSession('Lemonldap::NG::Portal::Issuer::SAML=HASH(0x2, referer: https://www.auth.example.com/
mod_fcgid: stderr: 1a10a0)', undef, 'HASH(0x3ea8bd8)') called at /usr/local/share/perl5/Lemonldap/NG/Portal/Issuer/SAML.pm line 809, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Portal::Issuer::SAML::run('Lemonldap::NG::Portal::Issuer::SAML=HASH(0x21a10a0)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)', 'singleSignOn') called at /usr/local/share/perl5/Lemonldap/NG/Portal/Main/Issuer.pm line 123, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Portal::Main::Issuer::__ANON__('Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)') called at /usr/local/share/perl5/Lemonldap, referer: https://www.auth.example.com/
mod_fcgid: stderr: /NG/Portal/Main/Process.pm line 25, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Portal::Main::process('Lemonldap::NG::Portal::Main=HASH(0x1631c20)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)') called at /usr/local/share/perl5/Lemonldap/NG/Portal/Main/Run.pm line 162, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Portal::Main::do('Lemonldap::NG::Portal::Main=HASH(0x1631c20)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)', 'ARRAY(0x3ea2660)') called at /usr/local/share/perl5/Lemonldap/NG/Portal/Main/Issuer.pm line 125, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Porta, referer: https://www.auth.example.com/
mod_fcgid: stderr: l::Main::Issuer::_forAuthUser('Lemonldap::NG::Portal::Issuer::SAML=HASH(0x21a10a0)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)', 'singleSignOn') called at /usr/local/share/perl5/Lemonldap/NG/Portal/Main/Plugin.pm line 45, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Portal::Main::Plugin::__ANON__('Lemonldap::NG::Portal::Main=HASH(0x1631c20)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)', 'singleSignOn') called at /usr/local/share/perl5/Lemonldap/NG/Common/PSGI/Router.pm line 145, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Common::PSGI, referer: https://www.auth.example.com/
mod_fcgid: stderr: ::Router::followPath('Lemonldap::NG::Portal::Main=HASH(0x1631c20)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)', 'HASH(0x28b6900)', 'ARRAY(0x1908c18)') called at /usr/local/share/perl5/Lemonldap/NG/Common/PSGI/Router.pm line 141, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Common::PSGI::Router::followPath('Lemonldap::NG::Portal::Main=HASH(0x1631c20)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)', 'HASH(0xafa820)', 'ARRAY(0x1908c18)') called at /usr/local/share/perl5/Lemonldap/NG/Common/PSGI/Router.pm line 1, referer: https://www.auth.example.com/
mod_fcgid: stderr: 29, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Common::PSGI::Router::handler('Lemonldap::NG::Portal::Main=HASH(0x1631c20)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)') called at /usr/local/share/perl5/Lemonldap/NG/Portal/Main/Run.pm line 36, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Portal::Main::handler('Lemonldap::NG::Portal::Main=HASH(0x1631c20)', 'Lemonldap::NG::Portal::Main::Request=HASH(0x3e6db80)') called at /usr/local/share/perl5/Lemonldap/NG/Handler/PSGI/Try.pm line 71, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tLemonldap::NG::Handler::PSGI::Try::__ANON__('HASH(0x3e5faa0)') , referer: https://www.auth.example.com/
mod_fcgid: stderr: called at /usr/share/perl5/vendor_perl/Plack/Util.pm line 142, referer: https://www.auth.example.com/
mod_fcgid: stderr: \teval {...} called at /usr/share/perl5/vendor_perl/Plack/Util.pm line 142, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tPlack::Util::run_app('CODE(0x3e5d178)', 'HASH(0x3e5faa0)') called at /usr/share/perl5/vendor_perl/Plack/Handler/FCGI.pm line 134, referer: https://www.auth.example.com/
mod_fcgid: stderr: \tPlack::Handler::FCGI::run('Plack::Handler::FCGI=HASH(0xadfc48)', 'CODE(0x3e5d178)') called at /usr/local/lemonldap-ng/htdocs/portal/htdocs/index.fcgi line 8, referer: https://www.auth.example.com/
```
It seems some Lasso variables are not loaded. The other errors may be only consequences...
2.0.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1321
Choice/renew conflict
2018-06-12T14:10:49Z
Yadd
2.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1555
Do not remember choice in pdata when redirecting user for logout
2018-11-28T10:37:52Z
Clément OUDOT
For example in the CAS protocol, the user is redirected back to the CAS server when the logout has ended. When LL::NG is a CAS client configured with Choice, we are correctly redirected to the CAS server, but the CAS authentication is remembered, so when using the portal page we are always redirected back to the CAS server and cannot select another authentication Choice.
2.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1554
Parameter portalRequireOldPassword is not restored after mail reset
2018-11-24T11:04:36Z
Clément OUDOT
In the Mail Reset plugin, we modify portalRequireOldPassword so that the password change form does not require the old password, but we need to restore this parameter afterwards.
2.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1547
Confirmation password not verified in menu password change form
2018-11-19T18:58:11Z
Clément OUDOT
When putting different passwords in new password/confirm password, the password is changed to the first value; the second value is not verified.
2.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1540
Wrong LDAP DN encoding when modifying password
2018-11-15T09:41:53Z
Clément OUDOT
The LDAP DN is correctly stored in the session after authentication:
```
$ cat e2e-tests/conf/sessions/805a2f0620a1839d5d4d18a2b67cc94f9af58708a17c88f42b9fba8f3f40c3b7 | json_pp
```
```js
{
   "UA" : "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0",
   "_dn" : "cn=Clément OUDOT,ou=users,dc=example,dc=com",
   "_session_kind" : "SSO",
   "_loginHistory" : {
      "successLogin" : [
         {
            "_utime" : 1542126092,
            "ipAddr" : "127.0.0.1"
         }
      ]
   },
   "ipAddr" : "127.0.0.1",
   "_session_id" : "805a2f0620a1839d5d4d18a2b67cc94f9af58708a17c88f42b9fba8f3f40c3b7",
   "_auth" : "LDAP",
   "_lastAuthnUTime" : 1542126092,
   "_utime" : 1542126092,
   "authenticationLevel" : 1,
   "_userDB" : "LDAP",
   "uid" : "coudot2",
   "_user" : "coudot2",
   "_whatToTrace" : "coudot2",
   "_startTime" : "20181113172132",
   "mail" : "clement@oodo.net",
   "cn" : "Clément OUDOT",
   "_choice" : "2LDAP",
   "_updateTime" : "20181113172132"
}
```
But we have an error when modifying password:
```
Nov 13 17:22:06 ader-worteks slapd[1205]: conn=1020 op=1 BIND anonymous mech=implicit ssf=0
Nov 13 17:22:06 ader-worteks slapd[1205]: conn=1020 op=1 BIND dn="cn=Clément OUDOT,ou=users,dc=example,dc=com" method=128
Nov 13 17:22:06 ader-worteks slapd[1205]: conn=1020 op=1 RESULT tag=97 err=49 text=
Nov 13 17:22:06 ader-worteks slapd[1205]: conn=1020 op=2 UNBIND
Nov 13 17:22:06 ader-worteks slapd[1205]: conn=1020 fd=16 closed
```
2.0.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1536
Yubikey always valid if no internet connection
2018-11-06T21:07:22Z
Christophe Maudoux
chrmdx@gmail.com
### Concerned version
Version: 2.0
### Summary
I register second factors (totp, yubikey…), then at the first user connection, after the login/password prompt, a register prompt is asked (very good feature). Then after registering it and going back to the login page, any second factor value is accepted as correct.
Portal is displayed but session not granted
Of course, I've restarted services and checked from other computers to avoid cache source issues.
### Possible fixes
Send error tpl
2.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1534
Provide ipAddr in $req->env for rules
2018-11-09T11:05:49Z
Clément OUDOT
We had in 1.9 the $ipAddr that could be used in rules, we need the same in 2.0.
2.0.0
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1533
OIDC Consent always required
2018-10-30T22:26:54Z
Christophe Maudoux
chrmdx@gmail.com
### Concerned version
Version: 2.0
Platform: Apache2
### Summary
OIDC Consent always required even though the user has already given it
2.0.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1532
The source list for CSP directive 'form-action' contains an invalid source
2018-11-03T22:31:21Z
Christophe Maudoux
chrmdx@gmail.com
### Concerned version
Version: 2.0
Platform: Apache2
### Summary
The source list for Content Security Policy directive 'form-action' contains an invalid source: '/?cancel=1'. It will be ignored.
### Log
```
[debug] Display type logo for module Twitter
[debug] Authentication choice Twitter will be displayed
[debug] Displaying authentication choice 5_Facebook
[debug] Use URL /?cancel=1
[debug] Display type logo for module Facebook
[debug] Authentication choice Facebook will be displayed
[debug] Displaying authentication choice 6_SAML
[debug] Use URL /?cancel=1
[debug] Display type logo for module SAML
[debug] Authentication choice SAML will be displayed
[debug] Displaying authentication choice 7_OpenID_Connect
[debug] Use URL /?cancel=1
[debug] Display type logo for module OpenIDConnect
[debug] Authentication choice OpenID Connect will be displayed
[debug] Displaying authentication choice 8_CAS
[debug] Use URL /?cancel=1
[debug] Display type logo for module CAS
[debug] Authentication choice CAS will be displayed
[debug] Skin returned: login
[debug] Calling sendHtml with template login
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
[debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
[debug] Set CSP form-action with request URL: /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1
[debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self' * /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1;frame-ancestors 'none';
```
![Capture_d_écran_2018-10-29_21-40-00](/uploads/7f3416d84b44f2e753ebc2649bf9f911/Capture_d_écran_2018-10-29_21-40-00.png)
2.0.0
Christophe Maudoux
chrmdx@gmail.com
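As an added example, not LL::NG code: the log above shows why the browser warns. A CSP source expression is a keyword such as `'self'`, a scheme such as `data:`, or a host with optional scheme, port and path; a bare path like `/?cancel=1` is none of these, so the browser drops it. The logged directive also carries a bare `*`, which already lets the login form be posted to any host, so the per-choice URLs add nothing. The Python below is illustrative: a validator run over the logged policy (copied from the debug line above) that picks out the entries a browser will reject, and a builder that turns the URLs a login page may post to into a `form-action` directive, collapsing relative URLs to `'self'` and reducing external targets to `scheme://host/path` with query and fragment stripped. The URLs and portal origin in the usage are constructed.

```python
# Added example, not LL::NG code: flag CSP source expressions a browser will reject, and build
# a form-action directive from the URLs a login page may post to. The grammar covers what
# form-action accepts (keywords, scheme-sources, host-sources); nonce/hash/'unsafe-*' keywords
# of the script and style directives are not modeled.
import re
from urllib.parse import urlsplit

HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"               # optional scheme
    r"(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*"     # host, optionally with a leading wildcard label
    r"(?::(?:\d+|\*))?"                         # optional port
    r"(?:/[^\s;,?#]*)?$", re.I)                 # optional absolute path; no query or fragment
SCHEME_SOURCE = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)
KEYWORDS = {"'self'", "'none'", "*"}

# The policy from the debug log above, kept verbatim as sample input.
LOGGED_POLICY = ("default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';"
                 "connect-src 'self';form-action 'self' * /?cancel=1 /?cancel=1 /?cancel=1 "
                 "/?cancel=1 /?cancel=1 /?cancel=1 /?cancel=1;frame-ancestors 'none';")

def is_source_expression(src):
    return src in KEYWORDS or bool(SCHEME_SOURCE.match(src) or HOST_SOURCE.match(src))

def parse_csp(header):
    """{directive: [sources]} from a serialized policy."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def invalid_sources(header, directive="form-action"):
    """Entries the browser drops with the 'contains an invalid source' warning quoted above."""
    return [s for s in parse_csp(header).get(directive, []) if not is_source_expression(s)]

def form_action_sources(urls, portal_origin):
    """Relative URLs are already covered by 'self'; external targets become scheme://host/path,
    with query and fragment removed because a host-source may not carry them."""
    sources = ["'self'"]
    for url in urls:
        parts = urlsplit(url)
        if not parts.netloc:
            continue
        scheme = parts.scheme or urlsplit(portal_origin).scheme   # scheme-relative "//host/..."
        origin = f"{scheme}://{parts.netloc}"
        if origin.lower() == portal_origin.lower():
            continue
        source = origin + (parts.path if parts.path not in ("", "/") else "")
        if source not in sources:
            sources.append(source)
    return sources

def form_action_directive(urls, portal_origin):
    return "form-action " + " ".join(form_action_sources(urls, portal_origin))

if __name__ == "__main__":
    print(invalid_sources(LOGGED_POLICY))
    print(form_action_directive(["/?cancel=1", "https://idp.example.org/saml/sso?x=1"],
                                "https://auth.example.com"))
```

Keeping the path in an external source is a least-privilege choice: `https://idp.example.org/saml/sso` matches only that endpoint, whereas `https://idp.example.org` would let the form post anywhere on that host.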