lemonldap-ng issueshttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues2018-12-13T16:42:57Zhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1506Implement a brut force attack protection2018-12-13T16:42:57ZChristophe Maudouxchrmdx@gmail.comImplement a brut force attack protection### Summary
Create a mechanism to prevent brut force attack
### Design proposition
After a failed login user must wait between each login attempt.
timer = Failed logins X 10 seconds### Summary
Create a mechanism to prevent brut force attack
### Design proposition
After a failed login user must wait between each login attempt.
timer = Failed logins X 10 seconds2.0.0Christophe Maudouxchrmdx@gmail.comChristophe Maudouxchrmdx@gmail.comhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1505Check iframe protection2018-11-24T11:20:03ZChristophe Maudouxchrmdx@gmail.comCheck iframe protection### Summary
Test if iframe protection works fine
### Design proposition
Create an HTML page with a link to LLNG portal### Summary
Test if iframe protection works fine
### Design proposition
Create an HTML page with a link to LLNG portal2.0.0Christophe Maudouxchrmdx@gmail.comChristophe Maudouxchrmdx@gmail.comhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1137Avoid using inline Javascript and CSS2018-05-18T05:17:09ZMathieu ParentAvoid using inline Javascript and CSSThis is #1125, cont.
To further protect the manager, inline JS and CSS should be removed.This is #1125, cont.
To further protect the manager, inline JS and CSS should be removed.2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1138Generate Content-Security-Policy headers and related2018-05-18T05:17:09ZMathieu ParentGenerate Content-Security-Policy headers and related(Once #1137 is fixed).
Generate those headers:
```
Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self'; font-src 'self'; child-src 'none' $CHILD_SRC; form-action 'self' $...(Once #1137 is fixed).
Generate those headers:
```
Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self'; font-src 'self'; child-src 'none' $CHILD_SRC; form-action 'self' $FORM_ACTION; frame-ancestors 'none'; report-uri $REPORT_URI
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```
With:
- $CHILD_SRC empty, except with logout iframes
- $FORM_ACTION empty, except with SAML forms
- $REPORT_URI : configurable (default empty)2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1140Add CSRF protection to login and password change forms2018-05-18T05:17:09ZMathieu ParentAdd CSRF protection to login and password change formsPlease add a token based CSRF protection to login form and password change forms (and maybe others).
Best practices requires that the token is linked to the form+session (and not usable on another form).Please add a token based CSRF protection to login form and password change forms (and maybe others).
Best practices requires that the token is linked to the form+session (and not usable on another form).2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1468Enabling both Auth::SAML and Issuer::SAML breaks SLO2018-06-30T06:41:53ZYaddEnabling both Auth::SAML and Issuer::SAML breaks SLO# Version
Probably any version since 1.0.0
# Description
Just enable issuerDBSAMLActivation on SAML SP breaks SLO. (related to #1449)# Version
Probably any version since 1.0.0
# Description
Just enable issuerDBSAMLActivation on SAML SP breaks SLO. (related to #1449)2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/789Apache reloading breaks SAML authentication2018-05-15T20:31:11ZUpdateme LulandcoApache reloading breaks SAML authenticationHi,
After reloading apache conf, SAML authentication is broken, SP Metadata can't be retrieved from cache :
[Fri Feb 13 19:51:45.934452 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Reset SAML configura...Hi,
After reloading apache conf, SAML authentication is broken, SP Metadata can't be retrieved from cache :
[Fri Feb 13 19:51:45.934452 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Reset SAML configuration cache
[Fri Feb 13 19:51:45.934468 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SAML cache configuration: 46
[Fri Feb 13 19:51:45.934549 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Get Metadata for this service
[Fri Feb 13 19:51:45.938604 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: 2015-02-13 19:51:45 (server.c/:699) Failed to load metadata from preloaded buffer
[Fri Feb 13 19:51:45.938754 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
[Fri Feb 13 19:51:45.938777 2015] [perl:debug] [pid 11688] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 186:
[Fri Feb 13 19:51:45.938788 2015] [perl:error] [pid 11688] Unable to create Lasso server
[Fri Feb 13 19:51:45.939030 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
I checked, all apache's modules are normally reloaded. Restarting apache doesn't produce the issue.
LulAndCo2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/804Uncomplete logout in Issuer modules2018-05-15T20:31:11ZClément OUDOTUncomplete logout in Issuer modulesWe have a standard logout process in the portal:
* Delete local session
* Call issuerLogout on each used Issuer module
* Call authLogout
* Display iFrames for logout services
* Display "you are disconnected" at the end of the process
Bu...We have a standard logout process in the portal:
* Delete local session
* Call issuerLogout on each used Issuer module
* Call authLogout
* Display iFrames for logout services
* Display "you are disconnected" at the end of the process
But this process is not used when a logout request comes form an Issuer module (CAS, OpenID or OpenID Connect). This seems to be OK for the SAML Issuer.2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/856LemonLDAP loses exportedVars conf randomly2018-05-15T20:31:11ZFrédéric PégéLemonLDAP loses exportedVars conf randomlyRandomly, (at least, for now), Lemonldap loses the entry "exportedVars" of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (lin 1972) :
```...Randomly, (at least, for now), Lemonldap loses the entry "exportedVars" of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (lin 1972) :
```
$self->lmLog( "[exportedVars] exportedVars : ".join(' ',keys %{ $self->{exportedVars} }) , 'warn' );
{code}
When everything is fine :
{code}
[Tue Oct 13 17:55:35 2015] [warn] [exportedVars] exportedVars : DATEFINVALIDITE UA SSL_CLIENT_CERT DATEDEBUTVALIDITE
{code}
When the bug occurs :
{code}
[Tue Oct 13 17:41:31 2015] [warn] [exportedVars] exportedVars :
```
This can be checked in the session explorer. LDAP Vars are show, and so on. ExportedVars are missing.
I've managed to reproduce easily the issue with SSL auth and LDAP users.
Can you look into that plz ?
Best regards,
Fred.2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/863get_url function builds wrong Portal URL2018-05-15T20:31:11ZCédric Liardget_url function builds wrong Portal URLThe get_url function in Simple.pm builds the URL portal according to portal-apache2.conf definition and not the URL Portal defined in the LemonLDAP configuration.
The problem is if the portal is behind a proxy (listening on https), the ...The get_url function in Simple.pm builds the URL portal according to portal-apache2.conf definition and not the URL Portal defined in the LemonLDAP configuration.
The problem is if the portal is behind a proxy (listening on https), the Portal Apache vhost is listening on http and the URL Portal (defined in LemonLDAP configuration) is on https, this function returns the http URL.
2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/918Env variables are searched in backends2018-05-15T20:31:11ZClément OUDOTEnv variables are searched in backendsWhen declaring exported attributes which are env variables, they are also searched in backendsWhen declaring exported attributes which are env variables, they are also searched in backends2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1113OIDC Provider to SAML SP does not work2018-05-15T20:31:11Zdcoutadeur dcoutadeurOIDC Provider to SAML SP does not workI have 3 machines :
- 1 is ODIC RP
- 1 is OIDC Provider + SAML SP
- 1 is SAML IdP
When trying to make a chain :
- Relying Party contacts OpenID Connect Provider
then
- OpenID Connect Provider (configured as SAML SP) contacts SAML IdP
t...I have 3 machines :
- 1 is ODIC RP
- 1 is OIDC Provider + SAML SP
- 1 is SAML IdP
When trying to make a chain :
- Relying Party contacts OpenID Connect Provider
then
- OpenID Connect Provider (configured as SAML SP) contacts SAML IdP
the final return does not work : ie SAML SP not calling his internal IdP
I propose a basic patch, which, in summary :
- happens before soring relay state in SAML SP (Portal/_SAML.pm)
- gets called URL
- if URL match with current portal URL, store it in relay state.
The patch is working, but maybe these points should be validated :
- make sure it is generic, in particular make sure the other way is working: SAML IdP calling an OIDC RP
- security: make sure we won't redirect to unsecure locations
- using CGI module may be improved ? (if the portal is to be made more generic and less adherence to apache)
2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150Can't get captcha to work with LDAP as backend2018-05-15T20:31:11ZMichael GoldfingerCan't get captcha to work with LDAP as backendAfter getting the websites to work and get LDAP to run as configuration backend I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system like shown on the screenshots. ...After getting the websites to work and get LDAP to run as configuration backend I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system like shown on the screenshots. The ldapBindDN and ldapBindPassword are used for the configuration backend to so they are workling. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prever if the {SSHA} would work. However the effect is that instead of the captcha I get the image broken icon and nothing is written into the ldap.
The nginx error_log shows only the warnings about the demo accounts.2.0.0Clément OUDOTClément OUDOThttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327Facebook module not working due to API changes in Facebook2018-06-23T06:36:23ZClément OUDOTFacebook module not working due to API changes in FacebookThere is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in LinkedIn module.There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in LinkedIn module.2.0.0Clément OUDOTClément OUDOThttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1550Error when enables "SSL, Custom " Auth modules with Choice2018-11-29T20:19:44ZChristophe Maudouxchrmdx@gmail.comError when enables "SSL, Custom " Auth modules with Choice### Concerned version
Version: 2.0
### Summary
Append SSL / LDAP / LDAP / / /
### Logs
[Wed Nov 21 20:37:46.066332 2018] [fcgid:warn] [pid 104980] [client 77.136.14.47:38540] mod_fcgid: stderr: Can't call method "conf" on an undefi...### Concerned version
Version: 2.0
### Summary
Append SSL / LDAP / LDAP / / /
### Logs
[Wed Nov 21 20:37:46.066332 2018] [fcgid:warn] [pid 104980] [client 77.136.14.47:38540] mod_fcgid: stderr: Can't call method "conf" on an undefined value at /usr/share/perl5/Lemonldap/NG/Portal/Auth/SSL.pm line 66.
[Wed Nov 21 20:45:16.196593 2018] [fcgid:warn] [pid 105473] [client 77.136.14.47:38642] mod_fcgid: stderr: Can't use an undefined value as a subroutine reference at /usr/share/perl5/Lemonldap/NG/Portal/Lib/Choice.pm line 236.2.0.0Christophe Maudouxchrmdx@gmail.comChristophe Maudouxchrmdx@gmail.comhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1542Provide sessions attributes in template2018-11-15T10:54:39ZClément OUDOTProvide sessions attributes in templateFor customization, we need to be able to display some user informations in portal. So it would be great to load as template parameters all sessions attributes, with a prefix in key, for example : 'session_'
So to display 'cn', we can ca...For customization, we need to be able to display some user informations in portal. So it would be great to load as template parameters all sessions attributes, with a prefix in key, for example : 'session_'
So to display 'cn', we can call this in template:
```html
<TMPL_VAR NAME="session_cn">
```2.0.0Clément OUDOTClément OUDOThttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1522Notifications with checkbox does not work2018-10-16T20:09:22ZChristophe Maudouxchrmdx@gmail.comNotifications with checkbox does not work### Concerned version
Version: 2.0
Platform: Apache
### Summary
If I submit the form twice without ticking the checbox, session is always granted.
Notification is not deleted
### Backends used
Demo
TODO : Add a goToPortal button ...### Concerned version
Version: 2.0
Platform: Apache
### Summary
If I submit the form twice without ticking the checbox, session is always granted.
Notification is not deleted
### Backends used
Demo
TODO : Add a goToPortal button & Modify unit tests to replay issue2.0.0Christophe Maudouxchrmdx@gmail.comChristophe Maudouxchrmdx@gmail.comhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1515Possibility to configure main logo on portal page2018-11-03T22:01:36ZClément OUDOTPossibility to configure main logo on portal page### Summary
We have a parameter for portal background, we could also have a parameter for the main logo, so it would be easier to adapt the default bootstrap skin.### Summary
We have a parameter for portal background, we could also have a parameter for the main logo, so it would be easier to adapt the default bootstrap skin.2.0.0Christophe Maudouxchrmdx@gmail.comChristophe Maudouxchrmdx@gmail.comhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1504Upgrade to bootstrap 42018-11-24T11:22:33ZClément OUDOTUpgrade to bootstrap 4See http://upgrade-bootstrap.bootply.com/See http://upgrade-bootstrap.bootply.com/2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1501Improve Login history module2018-11-06T20:35:05ZChristophe Maudouxchrmdx@gmail.comImprove Login history module### Concerned version
Version: 2.0
Platform: Apache
### Summary
Minor fixes todo
### Concerned version
Version: 2.0
Platform: Apache
### Summary
Minor fixes todo
2.0.0Christophe Maudouxchrmdx@gmail.comChristophe Maudouxchrmdx@gmail.com