# lemonldap-ng issues

Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-03-14T10:28:03Z

## #1330 Menu rules for applications using SAML/CAS/OIDC

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1330
Updated: 2018-03-14T10:28:03Z
Reporter: Yadd

Many applications use a federation protocol instead of a handler. This issue will provide the capability to manage application visibility using service-provider rules.

Milestone: 2.0.0
Assignee: Yadd

## #1332 LDAP groups not correctly set in session

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1332
Updated: 2017-12-04T13:22:58Z
Reporter: Clément OUDOT
I tried to collect LDAP groups but they are not well stored in the session. For a user belonging to group "admin", I have this value in $groups:
```js
"groups" : "; admin|",
```
And I don't find the hGroups variable in the session.

Milestone: 2.0.0
Assignee: Clément OUDOT

## #1333 Server internal error with Register module

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1333
Updated: 2017-12-12T06:00:34Z
Reporter: Clément OUDOT
Tried to use the LDAP Register module and got this error:
```
Dec 4 16:26:31 llng-site LLNG[40694]: User not authenticated, Try in use, cancel redirection
Dec 4 16:26:31 llng-site LLNG[40694]: Start routing register
Dec 4 16:26:31 llng-site LLNG[40694]: Prepare captcha
Dec 4 16:26:31 llng-site LLNG[40694]: First access to register form
Dec 4 16:26:31 llng-site LLNG[40694]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/register.tpl
Dec 4 16:26:31 llng-site LLNG[40694]: Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/register.tpl
Dec 4 16:26:47 llng-site LLNG[40697]: User not authenticated, Try in use, cancel redirection
Dec 4 16:26:47 llng-site LLNG[40697]: Start routing register
Dec 4 16:26:47 llng-site LLNG[40697]: Good captcha response
Dec 4 16:26:47 llng-site LLNG[40697]: Captcha code verified
Dec 4 16:26:47 llng-site LLNG[40697]: No register_token
Dec 4 16:26:47 llng-site LLNG[40697]: Register session found: 1512332807_4879
Dec 4 16:26:47 llng-site LLNG[40697]: Try to get SSO session 1512332807_4879
Dec 4 16:26:47 llng-site LLNG[40697]: Session cannot be tied: Invalid session ID: 1512332807_4879 at /usr/share/perl5/Apache/Session/Generate/MD5.pm line 42, <F> line 4.
Dec 4 16:26:47 llng-site LLNG[40697]: Register expiration timestamp: 3600
Dec 4 16:26:47 llng-site LLNG[40697]: Register start timestamp: 1512401207
Dec 4 16:26:47 llng-site LLNG[40697]: Skin bootstrap selected from GET/POST parameter
```

Milestone: 2.0.0
Assignee: Yadd

## #8 Publish WSDL for SOAP services

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/8
Updated: 2018-09-27T04:09:56Z
Reporter: Clément OUDOT

WSDL should be published through HTTP, like http://auth.example.com/index.pl?wsdl

Milestone: 2.0.0
Assignee: Yadd

## #259 Add system to overload parameters in *Choice (like "multi" key)

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/259
Updated: 2018-11-29T08:52:07Z
Reporter: Yadd

UserDB modules use the exportedVars parameter to load data. For example, if you use Choice with LDAP and OpenID (sreg), the exportedVars key must change. I think that it is not possible for now, isn't it?

Milestone: 2.0.0

## #778 Multi backend authentication with SAML + LDAP

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/778
Updated: 2018-11-28T12:47:47Z
Reporter: Nicolas Dutertre
With the multi backend using SAML / LDAP, the second authentication backend does not work and there are no errors in the logs, even in debug.
This is the case whatever the order of the backends (SAML / LDAP or LDAP / SAML).
SAML loops once before falling into error and then loops on the LDAP authentication form.

Milestone: 2.0.0

## #819 Support of FIDO Alliance (multi-factor authentication)

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/819
Updated: 2018-06-26T13:59:27Z
Reporter: Clément OUDOT

A good way to have multi-factor authentication in LL::NG is to implement the FIDO Alliance specification: https://fidoalliance.org/

Milestone: 2.0.0

## #1161 Manage access rules for CAS, SAML and OpenID Connect clients

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1161
Updated: 2018-06-23T08:19:18Z
Reporter: Clément OUDOT
As we are doing a lot of modifications for 2.0, I would like to rethink how we manage access rules and find a way to apply them to all LL::NG clients/applications, not only those protected by the Handler.
From my point of view, an application can be authenticated and protected with multiple methods:
* HTTP headers behind Handlers
* CAS
* SAML
* OpenID Connect
We already implemented a kind of access control for the CAS client, when the CAS service matches a registered virtual host, but this is a kind of hack that we can improve.
CAS code must be rewritten so we can declare CAS servers and CAS services, like we have SAML IDP/SP and OIDC OP/RP.
And for CAS, SAML and OIDC, we should have a new sub-branch for access rules, like we have in virtual hosts. Note that we already have the "exported attributes" for SAML and OIDC; we just need to add them for CAS.
With this, I think we could be the only SSO and Access Management solution acting on HTTP headers, CAS, SAML and OpenID Connect.
Milestone: 2.0.0
Assignee: Clément OUDOT

## #1327 Facebook module not working due to API changes in Facebook

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327
Updated: 2018-06-23T06:36:23Z
Reporter: Clément OUDOT
There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in the LinkedIn module.

Milestone: 2.0.0
Assignee: Clément OUDOT

## #1224 No proxy tickets received when proxiedServices configured

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1224
Updated: 2018-06-19T14:48:37Z
Reporter: Clément OUDOT

When configuring proxied services, the CAS auth module does not try to ask the CAS server for them. The serviceValidate service is called without the pgtUrl parameter.
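Added example (editor's, not code from this issue or from LemonLDAP::NG): building the serviceValidate request with a pgtUrl callback when proxied services are configured, and parsing the cas:serviceResponse for the user, the attributes and the proxy-granting-ticket IOU that the server returns only when pgtUrl was sent. The CAS server base URL, the HTTPS callback URL, the ticket values, the function names and the sample responses are constructed here; the user and attributes mirror the log below.

```python
"""CAS serviceValidate with a pgtUrl callback, and parsing the answer.

Added example (editor's; not code from this issue or from
LemonLDAP::NG).  The CAS base URL, the HTTPS callback, the ticket values
and the sample responses are constructed; the user and attributes mirror
the log below.  Function names are ours.
"""
from typing import Optional
from urllib.parse import urlencode
import xml.etree.ElementTree as ET  # prefer defusedxml for an untrusted CAS server

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class CasValidationError(Exception):
    pass


def build_service_validate_url(cas_base: str, service: str, ticket: str,
                               pgt_url: Optional[str] = None, renew: bool = False) -> str:
    """Build the /serviceValidate URL.  pgtUrl is added only when proxying is
    wanted, and must be HTTPS: the CAS server only calls back a TLS endpoint,
    and without pgtUrl no proxy granting ticket is ever issued (the log below)."""
    params = {"service": service, "ticket": ticket}
    if pgt_url:
        if not pgt_url.startswith("https://"):
            raise ValueError("pgtUrl must be an https:// URL")
        params["pgtUrl"] = pgt_url
    if renew:
        params["renew"] = "true"
    return f"{cas_base.rstrip('/')}/serviceValidate?{urlencode(params)}"


def parse_service_response(body: str, expect_pgt: bool = False) -> dict:
    """Parse a CAS 2.0/3.0 serviceValidate response into user, attributes
    and PGT IOU.  Raises CasValidationError on <cas:authenticationFailure>,
    and, when expect_pgt is set because pgtUrl was sent, on a success
    response that carries no <cas:proxyGrantingTicket> IOU."""
    root = ET.fromstring(body)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise CasValidationError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise CasValidationError("neither authenticationSuccess nor authenticationFailure present")
    attributes = {}
    holder = success.find("cas:attributes", CAS_NS)
    if holder is not None:
        for child in holder:  # a multi-valued attribute repeats its element
            name = child.tag.rsplit("}", 1)[-1]
            attributes.setdefault(name, []).append((child.text or "").strip())
    pgt_iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    if expect_pgt and not pgt_iou:
        raise CasValidationError("pgtUrl was sent but no proxyGrantingTicket IOU was returned")
    return {"user": success.findtext("cas:user", namespaces=CAS_NS),
            "attributes": attributes, "pgt_iou": pgt_iou}


# Constructed sample responses.  The first is the log's response plus the IOU
# that a validation sent with pgtUrl would include.
RESPONSE_WITH_PGT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>dwho</cas:user>
<cas:attributes><cas:uid>dwho</cas:uid><cas:mail>dwho@badwolf.org</cas:mail><cas:cn>Doctor Who</cas:cn></cas:attributes>
<cas:proxyGrantingTicket>PGTIOU-example-iou</cas:proxyGrantingTicket>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

RESPONSE_WITHOUT_PGT = RESPONSE_WITH_PGT.replace(
    "<cas:proxyGrantingTicket>PGTIOU-example-iou</cas:proxyGrantingTicket>\n", "")

RESPONSE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-example not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(build_service_validate_url("https://cas.example.com/cas", "http://auth.example.com:19876/",
                                     "ST-example", pgt_url="https://auth.example.com/cas/proxyCallback"))
    print(parse_service_response(RESPONSE_WITH_PGT, expect_pgt=True))
```

The check in `parse_service_response` is the one the log below would have failed with `expect_pgt=True`: a success response without an IOU means the server never contacted the callback, so any later proxy-ticket request for the configured proxied services is bound to fail.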
```
[debug] Build URL http://auth.example.com:19876/?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Redirect 127.0.0.1 to portal (url was /?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing default route
[debug] Processing controlUrl
[debug] Processing extractFormInfo
[debug] CAS server example choosen
[debug] CAS: Service Ticket received: ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Get CAS serviceValidate response: HTTP/1.1 200 OK
Connection: close
Date: Tue, 25 Apr 2017 13:25:57 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: User-Agent
Content-Type: application/xml; charset=ISO-8859-1
Client-Date: Tue, 25 Apr 2017 13:25:57 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>dwho</cas:user>
<cas:attributes>
<cas:uid>dwho</cas:uid>
<cas:mail>dwho@badwolf.org</cas:mail>
<cas:cn>Doctor Who</cas:cn>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
```

Milestone: 2.0.0
Assignee: Clément OUDOT

## #1247 Support RSA SHA256 signature in SAML

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1247
Updated: 2018-06-19T08:24:07Z
Reporter: Clément OUDOT
We use SHA1 signatures by default. We should use SHA256 instead, but this should be a configuration for each provider.
See this thread on the Lasso mailing list: http://listes.entrouvert.com/arc/lasso/2017-06/msg00000.html

Milestone: 2.0.0
Assignee: Clément OUDOT

## #1321 Choice/renew conflict

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1321
Updated: 2018-06-12T14:10:49Z
Reporter: Yadd

Milestone: 2.0.0
Assignee: Clément OUDOT

## #1322 Get user attributes in Auth module for external authentication

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1322
Updated: 2018-06-23T06:33:23Z
Reporter: Clément OUDOT
When we use social login (Twitter/FB/LinkedIn/...), we need to get user attributes at the authentication phase, to be able to map one of them to the UserDB backend.
This is already done for LinkedIn, and must be generalized to other modules.

Milestone: 2.0.0
Assignee: Clément OUDOT

## #1338 Bad encoding when values submitted from register form

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1338
Updated: 2017-12-21T14:41:34Z
Reporter: Clément OUDOT
I created a user using the register plugin. I used for example "Clément" as first name, and the value is badly encoded in the sent mails and in the entry created in LDAP.
Note that I used Nginx for the test.

Milestone: 2.0.0
Assignee: Yadd

## #1339 Refresh my rights does not work with Choice

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1339
Updated: 2017-12-18T09:40:15Z
Reporter: Clément OUDOT

With Choice, we cannot use the "refresh my rights" feature.

Milestone: 2.0.0
Assignee: Yadd

## #1342 IDP selection in SAML IDP selection screen does not work

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1342
Updated: 2018-06-25T20:14:56Z
Reporter: Clément OUDOT
The javascript that selects the IDP was moved into confirm.js, but this javascript is only loaded when the timer is active, and in the IDP selection list the timer is not active.
We need to extract the IDP selection from confirm.js, or find a way to disable the timer in the javascript.
Or we can keep the code from 1.9 which sets the onclick event directly in the HTML code:
```html
<button type="submit" class="btn btn-info" onclick="$('#idp').val('<TMPL_VAR NAME="VAL">')">
```

Milestone: 2.0.0
Assignee: Yadd

## #1348 $_auth/$_userDB/... not available in session with Choice

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1348
Updated: 2018-03-06T22:00:31Z
Reporter: Clément OUDOT

With Choice, we don't see in the session which backend was used.

Milestone: 2.0.0
Assignee: Yadd

## #1353 Mail not searched in LDAP directory in mail reset workflow

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1353
Updated: 2018-03-14T07:04:39Z
Reporter: Clément OUDOT
When testing mail reset, the mail is not searched in LDAP. Here is what we have in the logs:
```
Jan 10 15:31:03 llng-site LLNG[41308]: User not authenticated, Try in use, cancel redirection
Jan 10 15:31:03 llng-site LLNG[41308]: Start routing resetpwd
Jan 10 15:31:03 llng-site LLNG[41308]: Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
Jan 10 15:31:03 llng-site LLNG[41308]: Good captcha response
Jan 10 15:31:03 llng-site LLNG[41308]: Captcha code verified
Jan 10 15:31:03 llng-site LLNG[41308]: Processing getUser
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=1 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=1 SRCH attr=supportedLDAPVersion
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 BIND anonymous mech=implicit ssf=0
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 BIND dn="cn=lemonldapng,ou=dsa,dc=openid,dc=club" method=128
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 BIND dn="cn=lemonldapng,ou=dsa,dc=openid,dc=club" mech=SIMPLE ssf=0
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=2 RESULT tag=97 err=0 text=
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=3 SRCH base="ou=people,dc=openid,dc=club" scope=2 deref=2 filter="(&(?uid=)(objectClass=inetOrgPerson))"
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=3 SRCH attr=1.1 sn givenName uid mail cn
Jan 10 15:31:03 llng-site slapd[35573]: conn=1478 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 10 15:31:03 llng-site LLNG[41308]: Returned error: 5
Jan 10 15:31:03 llng-site LLNG[41308]: Display called with code: 72
Jan 10 15:31:03 llng-site LLNG[41308]: Display "confirm mail sent"
Jan 10 15:31:03 llng-site LLNG[41308]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/fusioniam/mail.tpl
Jan 10 15:31:03 llng-site LLNG[41308]: Sending /usr/share/lemonldap-ng/portal/templates/fusioniam/mail.tpl
```
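Added example (editor's, not code from this issue or from LemonLDAP::NG) of how the reset workflow's search filter can be built so that the slapd line above, `(&(?uid=)(objectClass=inetOrgPerson))`, cannot be produced: the mail attribute is used, an empty value is refused outright, and the value is escaped per RFC 4515 so a user-supplied address cannot change the structure of the filter. Attribute and object class names are taken from the log; the function names and the base filter parameter are assumptions.

```python
"""Building the password-reset LDAP search filter safely.

Added example (editor's; not code from this issue or from
LemonLDAP::NG).  Attribute and object class names come from the slapd
log; function names and the base_filter parameter are ours.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_reset_filter(mail: str,
                       base_filter: str = "(objectClass=inetOrgPerson)") -> str:
    """Return the filter that looks up the account for a mail reset.

    Raises ValueError when the mail value is missing, instead of sending
    a filter with an empty assertion like the one in the log above.
    """
    mail = (mail or "").strip()
    if not mail:
        raise ValueError("mail value missing: refusing to build an unanchored filter")
    return f"(&(mail={escape_filter_value(mail)}){base_filter})"


def looks_unanchored(ldap_filter: str) -> bool:
    """Heuristic for a filter a reset workflow must never send: an assertion
    with an empty value (attr=) or a bare wildcard (attr=*)."""
    return re.search(r"\(\??[\w.;-]+=\*?\)", ldap_filter) is not None


if __name__ == "__main__":
    print(build_reset_filter("dwho@badwolf.org"))
    print(build_reset_filter("a*)(uid=*"))  # injection attempt, neutralised by escaping
    print(looks_unanchored("(&(?uid=)(objectClass=inetOrgPerson))"))
```

`looks_unanchored` is the kind of guard worth putting in front of every user-driven search (reset, register, self-service): a filter with an empty or wildcard assertion either matches nothing, as in the log above, or matches every account, which is the worse outcome.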
First we should use a different filter (mail= and not uid=) and second, we don't pass the mail value to the filter.

Milestone: 2.0.0
Assignee: Yadd

## #1359 TOTP plugin

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1359
Updated: 2020-04-03T09:08:16Z
Reporter: Yadd
Using [Auth::GoogleAuth](https://metacpan.org/pod/Auth::GoogleAuth), it seems easy to build a Google Authenticator plugin:
* a protected interface that can generate the base code for any user (used by admin)
* a second factor plugin that asks for the TOTP code

Milestone: 2.0.0
Assignee: Yadd

## #1367 Remove old menu methods in Lemonldap::NG::Portal::Main::Menu

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1367
Updated: 2018-02-12T17:56:15Z
Reporter: Clément OUDOT
We still have old methods in the Menu modules:
* _displayConfCategory
* _displayConfApplication
They should be removed (and associated templates too).

Milestone: 2.0.0
Assignee: Yadd

## #1379 Feature: External Second Factor over REST API

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1379
Updated: 2018-02-27T16:47:25Z
Reporter: Mathieu Lecompte-melançon
It's possible to allow a direct call to a REST API for the second factor.
https://lemonldap-ng.org/documentation/2.0/external2f
Currently we are trying to make a bash file, which makes a curl request inside, to use with the External process feature.

Milestone: 2.0.0
Assignee: Yadd

## #1383 Include 2nd factor register page in menu

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1383
Updated: 2018-05-09T04:51:33Z
Reporter: Clément OUDOT
I just tested the new TOTP feature and it works great!
I will try to add a menu button that will link to the register page if the feature is enabled.
We also need to let the user remove the 2nd factor if he wants to.

Milestone: 2.0.0
Assignee: Clément OUDOT

## #1384 Content Security Policy prevents SAML redirection

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1384
Updated: 2018-04-03T20:35:39Z
Reporter: Clément OUDOT
When trying SAML with POST, the autopost is not working because of CSP:
> Content Security Policy: The page's settings blocked the loading of a resource at http://mellon.example.com/mellon/postResponse ("form-action https://auth.openid.club https://mellon.example.com https://mellon.example.com").

Milestone: 2.0.0
Assignee: Yadd

## #1385 POST data are URL encoded

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1385
Updated: 2018-03-14T06:04:34Z
Reporter: Clément OUDOT
When testing SAML with 2.0, I see that if the SAML Response is sent through POST, it is URL encoded, and it should not be.
With 1.9, the SAMLRequest in POST is like this:
```
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U…
```
With 2.0, for exactly the same SAML SP, the SAMLRequest in POST is like this:
```
PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJfQTU3QTcwNEZCRTU2QzZFNDFDQUFERDA1OEE3OTAyNzIiIEluUmVzcG9uc2VUbz0iXzk3ODhEOUU0QjNBNEUwM0M1OTE5NUI0QzQ0M0QwQzg5IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxOC0wMy0wMlQxODoyMjo0MVoiIERlc3RpbmF0aW9uPSJodHRwOi8vbWVsbG9uLmV4YW1wbGUuY29tL21lbGxvbi9wb3N0UmVzcG9uc2UiPjxzYW1sOklzc3Vlcj5odHRwczovL2F1dGgub3BlbmlkLmNsdWIvc2FtbC9tZXRhZGF0YTwvc2FtbDpJc3N1ZXI%2BPF…ybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ%2BPC9zYW1sOkF1dGhuU3RhdGVtZW50PjxzYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGUgTmFtZT0idWlkIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIiBGcmllbmRseU5hbWU9InVpZCI%2BPHNhbWw6QXR0cmlidXRlVmFsdWU%2BY291ZG90PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU%2BPC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U%2B
```
And we have this error:
```
[Fri Mar 02 19:22:43.281515 2018] [auth_mellon:debug] [pid 5393] auth_mellon_handler.c(268): [client 127.0.0.1:60994] loaded IdP "https://auth.openid.club/saml/metadata" from "/etc/apache2/mellon/idp-metadata.xml".
[Fri Mar 02 19:22:43.281553 2018] [auth_mellon:error] [pid 5393] [client 127.0.0.1:60994] Error processing authn response. Lasso error: [-409] Unsupported protocol profile
```
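Added example (editor's, not code from these issues, from LemonLDAP::NG or from mod_auth_mellon) covering both #1384 and #1385: the HTTP-POST binding field is base64 only, the HTTP-Redirect binding is deflate + base64 + URL-encoding, a double-encoded POST value is recognised by the `%2B`/`%3D` escapes visible in the 2.0 value above, and a small CSP form-action matcher shows why `https://mellon.example.com` in the policy does not cover `http://mellon.example.com/mellon/postResponse`. The sample XML, the portal origin used for `'self'` and the function names are constructed.

```python
"""SAML 2.0 binding encodings and a CSP form-action check.

Added example (editor's; not code from these issues, from LemonLDAP::NG
or from mod_auth_mellon).  The sample XML and the portal origin used for
'self' are constructed.  Function names are ours.
"""
import base64
import re
import zlib
from urllib.parse import quote, unquote, urlsplit

# Constructed sample: 91 bytes long, so its base64 form ends in "==".
SAMPLE_XML = ('<samlp:Response Version="2.0" '
              'Destination="http://mellon.example.com/mellon/postResponse"/>')


def encode_post_binding(xml: str) -> str:
    """Form field value for HTTP-POST: base64 only, never URL-encoded.
    The browser form-encodes the field itself when it submits the form."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def double_encode(field_value: str) -> str:
    """What the 2.0 portal did above: URL-encode an already base64 value."""
    return quote(field_value, safe="")


def is_url_encoded(field_value: str) -> bool:
    """True when a base64 value carries percent-escapes of '+', '/' or '=',
    the %2B visible in the 2.0 SAMLResponse above."""
    return re.search(r"%(2B|2F|3D)", field_value, re.IGNORECASE) is not None


def decode_post_binding(field_value: str, tolerate_double_encoding: bool = True) -> str:
    """Decode a POST-binding field.  With tolerate_double_encoding=False this
    behaves like a strict SP (mod_auth_mellon above) and rejects the value;
    otherwise the extra encoding is undone so the mistake stays visible."""
    if tolerate_double_encoding and is_url_encoded(field_value):
        field_value = unquote(field_value)
    return base64.b64decode(field_value, validate=True).decode("utf-8")


def encode_redirect_binding(xml: str) -> str:
    """Query-string value for HTTP-Redirect: raw DEFLATE, base64, then
    URL-encode.  This is the only binding where URL-encoding belongs."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(query_value: str) -> str:
    return zlib.decompress(base64.b64decode(unquote(query_value)), -15).decode("utf-8")


def form_action_allows(sources: str, target_url: str,
                       page_origin: str = "https://auth.openid.club") -> bool:
    """Match a CSP form-action source list against a form's action URL.

    Handles 'self', scheme-sources ("https:") and host-sources with or
    without a scheme and with a leading "*." wildcard; ports are ignored.
    page_origin is the page carrying the autopost form (the portal above).
    A host-source given with https:// does not match an http:// action,
    which is exactly the block reported in #1384.
    """
    target, page = urlsplit(target_url), urlsplit(page_origin)
    t_host = (target.hostname or "").lower()
    for token in sources.replace(";", " ").split():
        source = token.strip("'").lower()
        if source == "form-action":
            continue
        if source == "self":
            if target.scheme == page.scheme and t_host == (page.hostname or "").lower():
                return True
            continue
        if source.endswith(":"):  # scheme-source
            if target.scheme == source[:-1]:
                return True
            continue
        if "://" in source:
            src = urlsplit(source)
            scheme_ok, s_host = target.scheme == src.scheme, (src.hostname or "")
        else:  # no scheme: the page's scheme, or https
            scheme_ok, s_host = target.scheme in (page.scheme, "https"), source.split(":")[0]
        host_ok = t_host.endswith(s_host[1:]) if s_host.startswith("*.") else t_host == s_host
        if scheme_ok and host_ok:
            return True
    return False


if __name__ == "__main__":
    field = encode_post_binding(SAMPLE_XML)
    print(field)
    print(is_url_encoded(double_encode(field)))
    print(form_action_allows("https://auth.openid.club https://mellon.example.com",
                             "http://mellon.example.com/mellon/postResponse"))
```

Two practical consequences: an IdP that URL-encodes the POST field will work against a lenient SP and fail against a strict one (the Lasso error above is the strict case), and a CSP form-action list has to carry the SP's assertion consumer URL with the scheme the SP actually uses, or the auto-submitting form never fires.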
This is because the value is URL encoded, and it should not be. This should only be the case with GET.

Milestone: 2.0.0
Assignee: Yadd

## #1386 Multiple U2F keys

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1386
Updated: 2019-04-29T20:35:14Z
Reporter: Yadd
### Summary
#1148 permits the registration of 1 U2F key. This issue proposes registering more than one key _(inspired by GitLab)_.
### ToDo list
* Store more than one key in _u2f* entries *(comma separated)*
* Add a _u2f* entry to store a name for the key *(comma separated in the same order)*
* Modify self registration page to choose which key to remove
* Update manager U2F interface to choose which key to delete

Milestone: 2.0.0
Assignee: Yadd

## #1391 Mixed TOTP/U2F second factor plugin

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1391
Updated: 2018-04-17T21:01:39Z
Reporter: Yadd
### Summary
Like GitLab, the idea is to have a 2F module that authorizes registering a U2F key only if a TOTP has been registered. The auth process proposes the 2 options.
### More
This cannot be done with TOTP and U2F plugins:
* during auth, U2F will be enabled with the TOTP input; the user just has to touch his key or enter his code
* If TOTP is unregistered, U2F keys will also be removed

Milestone: 2.0.0
Assignee: Yadd

## #1395 error - openid connect

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1395
Updated: 2018-03-13T14:10:39Z
Reporter: pit pit
Hi,
I have this error in the *error.log* on nginx, when I check openid connect authentication (*Lemonldap 2.0 is an OP*)
```
2018/03/11 15:35:21 [error] 53937#53937: *77 FastCGI sent in stderr: "Can't call method "data" on an undefined value at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 908" while reading response header from upstream, client: xx.xx.xx.xx server: auth.exemple.com, request: "POST /oauth2/token HTTP/1.1", upstream: "fastcgi://unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock:", host: "auth.exemple.com"
```

Milestone: 2.0.0

## #1398 2F Error after applying trunk

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1398
Updated: 2018-03-19T17:55:15Z
Reporter: Mathieu Lecompte-melançon
### Concerned version
Version: TRUNK
### Summary
After applying the last trunk, I get an error page on login
### Logs
```
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Loading configuration 79 for process 1495
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Using demonstration mode, go to Manager to edit the configuration
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Using demonstration mode, go to Manager to edit the configuration
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: No cookie found
Mar 19 08:20:01 srv-test-nginxv2 LLNG[1495]: Scheme "Demo" returned 9, trying next
Mar 19 08:20:02 srv-test-nginxv2 LLNG[1495]: Scheme "Rest" returned 9, trying next
Mar 19 08:20:02 srv-test-nginxv2 LLNG[1495]: All schemes failed
Mar 19 08:20:09 srv-test-nginxv2 LLNG[1490]: No cookie found
Mar 19 08:20:09 srv-test-nginxv2 LLNG[1490]: Second factor required for dwho
Mar 19 08:20:09 srv-test-nginxv2 LLNG[1490]: REST 2F error: hash- or arrayref expected (not a simple scalar, use allow_nonref to allow this) at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Lib/REST.pm line 22.
```
### Backends used
NGINX+ Last version
### Possible fixes

Milestone: 2.0.0
Assignee: Yadd

## #1399 Yubikey as second factor

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1399
Updated: 2018-03-26T08:15:53Z
Reporter: Yadd
### Summary
Yubikey 2FA: Yubikey is proposed today as an authentication backend. Classic usage for these keys is more a 2FA.

Milestone: 2.0.0
Assignee: Yadd

## #1400 CLUSTER - Status page that checks the working state of LLNG

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1400
Updated: 2018-05-17T04:31:32Z
Reporter: Mathieu Lecompte-melançon
### Summary
The idea is to tell the Keepalived service that LLNG is not working fine
(e.g. a memory issue or a MongoDB issue has generated an error 500), but nginx does not fail back even if there is something wrong...
The idea is to add an HTTP_GET healthcheck to tell the keepalived service to force a fail-over to the backup node. That's easy to do.
But to get it working on the LLNG side we need a status page that will try to authenticate a (defined) test user and return a result like "Everything seems to work!"; if not, another message. It's more like a unit test page that is called on demand (every 30 seconds by the keepalived service).
### Design proposition
auth.exemple.com/check_state
returns a simple HTML page with the result.
Note: the result should not change between versions, to avoid a failover when upgrading to a new version.

Milestone: 2.0.0
Assignee: Yadd

## #1401 History not well managed by 2F engine

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1401
Updated: 2018-03-21T19:48:37Z
Reporter: Yadd

Version: 2.0

Milestone: 2.0.0
Assignee: Yadd

## #1417 Better 2FA screen for end users

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1417
Updated: 2018-05-08T12:45:57Z
Reporter: Clément OUDOT
Trying to use the 2FA management skins, when key display is disabled we have a page with a big blank zone:
![Screenshot-2018-5-6_Authentication_portal](/uploads/50ca56be14b75a4a64694e758887ee02/Screenshot-2018-5-6_Authentication_portal.png)
Other issue: I don't see where we can remove the key (the option is enabled in the Manager, but no button is shown).

Milestone: 2.0.0
Assignee: Yadd

## #1422 CAS renew + Auth Choice leads to empty page

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1422
Updated: 2018-05-20T07:17:14Z
Reporter: Clément OUDOT
When testing the CAS renew parameter and Auth Choice, we end up on an empty page:
![Screenshot-2018-5-14_Authentication_portal](/uploads/ba05ec271386be58e6fa0e1f2efd1aac/Screenshot-2018-5-14_Authentication_portal.png)
We should instead be able to reauthenticate.

Milestone: 2.0.0
Assignee: Yadd

## #789 Apache reloading breaks SAML authentication

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/789
Updated: 2018-05-15T20:31:11Z
Reporter: Updateme Lulandco
Hi,
After reloading the apache conf, SAML authentication is broken; SP metadata can't be retrieved from the cache:
```
[Fri Feb 13 19:51:45.934452 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Reset SAML configuration cache
[Fri Feb 13 19:51:45.934468 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SAML cache configuration: 46
[Fri Feb 13 19:51:45.934549 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Get Metadata for this service
[Fri Feb 13 19:51:45.938604 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: 2015-02-13 19:51:45 (server.c/:699) Failed to load metadata from preloaded buffer
[Fri Feb 13 19:51:45.938754 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
[Fri Feb 13 19:51:45.938777 2015] [perl:debug] [pid 11688] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 186:
[Fri Feb 13 19:51:45.938788 2015] [perl:error] [pid 11688] Unable to create Lasso server
[Fri Feb 13 19:51:45.939030 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
```
I checked, all of apache's modules are reloaded normally. Restarting apache doesn't produce the issue.
LulAndCo

Milestone: 2.0.0
Assignee: Yadd

## #804 Incomplete logout in Issuer modules

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/804
Updated: 2018-05-15T20:31:11Z
Reporter: Clément OUDOT
We have a standard logout process in the portal:
* Delete local session
* Call issuerLogout on each used Issuer module
* Call authLogout
* Display iFrames for logout services
* Display "you are disconnected" at the end of the process
But this process is not used when a logout request comes from an Issuer module (CAS, OpenID or OpenID Connect). This seems to be OK for the SAML Issuer.

Milestone: 2.0.0
Assignee: Yadd

## #856 LemonLDAP loses exportedVars conf randomly

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/856
Updated: 2018-05-15T20:31:11Z
Reporter: Frédéric Pégé
Randomly (at least, for now), Lemonldap loses the entry "exportedVars" of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (line 1972):
```perl
$self->lmLog( "[exportedVars] exportedVars : ".join(' ',keys %{ $self->{exportedVars} }) , 'warn' );
```
When everything is fine:
```
[Tue Oct 13 17:55:35 2015] [warn] [exportedVars] exportedVars : DATEFINVALIDITE UA SSL_CLIENT_CERT DATEDEBUTVALIDITE
```
When the bug occurs:
```
[Tue Oct 13 17:41:31 2015] [warn] [exportedVars] exportedVars :
```
This can be checked in the session explorer. LDAP vars are shown, and so on. ExportedVars are missing.
I've managed to reproduce the issue easily with SSL auth and LDAP users.
Can you look into that please?
Best regards,
Fred.2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/863get_url function builds wrong Portal URL2018-05-15T20:31:11ZCédric Liardget_url function builds wrong Portal URLThe get_url function in Simple.pm builds the URL portal according to portal-apache2.conf definition and not the URL Portal defined in the LemonLDAP configuration.
The problem is if the portal is behind a proxy (listening on https), the ...The get_url function in Simple.pm builds the URL portal according to portal-apache2.conf definition and not the URL Portal defined in the LemonLDAP configuration.
The problem is if the portal is behind a proxy (listening on https), the Portal Apache vhost is listening on http and the URL Portal (defined in LemonLDAP configuration) is on https, this function returns the http URL.
2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/918Env variables are searched in backends2018-05-15T20:31:11ZClément OUDOTEnv variables are searched in backendsWhen declaring exported attributes which are env variables, they are also searched in backendsWhen declaring exported attributes which are env variables, they are also searched in backends2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1113OIDC Provider to SAML SP does not work2018-05-15T20:31:11Zdcoutadeur dcoutadeurOIDC Provider to SAML SP does not workI have 3 machines :
- 1 is OIDC RP
- 1 is OIDC Provider + SAML SP
- 1 is SAML IdP
When trying to make a chain:
- Relying Party contacts OpenID Connect Provider
then
- OpenID Connect Provider (configured as SAML SP) contacts SAML IdP
the final return does not work: i.e. the SAML SP is not calling its internal IdP.
I propose a basic patch, which, in summary:
- happens before storing the relay state in the SAML SP (Portal/_SAML.pm)
- gets the called URL
- if the URL matches the current portal URL, stores it in the relay state.
The patch is working, but maybe these points should be validated:
- make sure it is generic, in particular make sure the other way is working: SAML IdP calling an OIDC RP
- security: make sure we won't redirect to insecure locations
- using the CGI module may be improved? (if the portal is to be made more generic with less adherence to apache)
Milestone: 2.0.0 | Assignee: Yadd

Issue #1150: Can't get captcha to work with LDAP as backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Updated: 2018-05-15T20:31:11Z
Author: Michael Goldfinger

After getting the websites to work and getting LDAP to run as configuration backend, I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system like shown on the screenshots. The ldapBindDN and ldapBindPassword are used for the configuration backend too, so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer it if the {SSHA} form would work. However the effect is that instead of the captcha I get the broken image icon and nothing is written into the LDAP.
The nginx error_log shows only the warnings about the demo accounts.
Milestone: 2.0.0 | Assignee: Clément OUDOT

Issue #1137: Avoid using inline Javascript and CSS
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1137
Updated: 2018-05-18T05:17:09Z
Author: Mathieu Parent

This is #1125, cont.
To further protect the manager, inline JS and CSS should be removed.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1138: Generate Content-Security-Policy headers and related
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1138
Updated: 2018-05-18T05:17:09Z
Author: Mathieu Parent

(Once #1137 is fixed).
Generate those headers:
```
Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self'; font-src 'self'; child-src 'none' $CHILD_SRC; form-action 'self' $FORM_ACTION; frame-ancestors 'none'; report-uri $REPORT_URI
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```
With:
- $CHILD_SRC empty, except with logout iframes
- $FORM_ACTION empty, except with SAML forms
- $REPORT_URI: configurable (default empty)
Milestone: 2.0.0 | Assignee: Yadd

Issue #1140: Add CSRF protection to login and password change forms
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1140
Updated: 2018-05-18T05:17:09Z
Author: Mathieu Parent

Please add a token based CSRF protection to the login form and password change forms (and maybe others).
Best practices require that the token is linked to the form+session (and not usable on another form).
Milestone: 2.0.0 | Assignee: Yadd

Issue #440: Timer for automatic redirection in info.tpl
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/440
Updated: 2018-05-18T05:17:23Z
Author: FX Deltombe

Automatic redirection after a few seconds is quite troublesome for prompting info: you have just ten seconds to read the info or to find the "wait" button.
I think the timer should be either removed from info.tpl, or be a manager option. Actually there is a hidden parameter "activeTimer" to disable the timer; I would like to put it in the manager.
(But I don't challenge automatic redirection in confirm.tpl)
Milestone: 2.0.0 | Assignee: Yadd

Issue #587: Selecting language while connecting to LemonLDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/587
Updated: 2018-05-18T05:17:31Z
Author: Iheb Khemissi

Hi,
First of all, thank you for your hard work.
During our migration process to LemonLDAP (while creating a new skin) I have encountered a problem concerning the ability to select a language (instead of the browser's language sent in the HTTP header "Accept-Language").
Currently, during the connection process, my app's users can select which language to choose regardless of the browser's language (which is used by default if the user hasn't chosen a different one). Users can also specify a language in the query string (i.e. http://example.com?lang=fr).
So is there any way to do this with LemonLDAP's skins? Basically, what I want to do is to add some flags in the login page and if the user clicks a flag, I respond with the page translated in the selected language and I continue using the selected language.
I have thought of some solutions (but none of them is appealing enough):
1) Updating the "Accept-Language" header by adding the value of the LANG param (extracted from the QUERY-STRING) using a lemonldap custom function.
2) Updating the "Accept-Language" header or the environment variable "HTTP_ACCEPT_LANGUAGE" using a LL::NG Handler
3) Updating the "Accept-Language" header by prepending the value of the LANG param (extracted from the QUERY-STRING and transformed to the correct format) using Apache's mods --> I don't know how to prepend the param's value to the header.
4) Creating a patch to the "extract_lang" method to accept other entries.
Should I use one of them or is there a better method?
Thank you very much (and sorry for the lengthy mail),
Best regards,
Iheb
Milestone: 2.0.0 | Assignee: Yadd

Issue #595: Portal powered by FastCGI (using Plack)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/595
Updated: 2018-12-21T10:26:30Z
Author: Yadd

For performance _(and many bugs with ModPerl::Registry / Apache-2.4)_, all CGIs are replaced by FastCGI using [Plack|https://metacpan.org/pod/Plack] like Manager-1.9. This also allows a better Nginx integration.
Milestone: 2.0.0 | Assignee: Yadd

Issue #673: Split conf/session/flags management from the Portal $self object
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/673
Updated: 2018-05-18T05:17:35Z
Author: Clément OUDOT

For now, the Portal $self object is very big and carries all data (configuration, sessions, etc.). We have to split it.
Milestone: 2.0.0 | Assignee: Yadd

Issue #713: Request management to handle sessions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/713
Updated: 2018-05-18T05:17:37Z
Author: FX Deltombe

Creating a session causes four requests to the session backend (at least for the SQL session backend, but I guess it behaves the same with any backend), one insert request and three updates:
* the first one to add "_session_kind" => "SSO",
* the second one to add session data
* the third one to add "updateTime" and "_issuerDB"
Till version 1.3, it was done with two requests, one insert and one update. And it could be done with one single request.
Likewise, logout causes three select requests to read the user session, whereas a single request is enough.
Milestone: 2.0.0 | Assignee: Yadd

Issue #803: AuthSSL : Ability to choose SSLvar or UserDB depending of the CA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/803
Updated: 2018-05-18T05:17:41Z
Author: Yadd

When using AuthSSL with multiple CAs, it could be interesting to be able to choose the UserDB backend (or simply SSLvar) depending on the CA that signed the user certificate.
Milestone: 2.0.0 | Assignee: Yadd

Issue #826: Tab in portal to manage OpenID Connect consent
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/826
Updated: 2018-05-18T05:17:42Z
Author: Clément OUDOT

The goal is to be able to view all applications that have the consent of the user, and allow the user to revoke them.
Milestone: 2.0.0 | Assignee: Yadd

Issue #834: Auth Yubikey : second factor authentication module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/834
Updated: 2018-05-18T05:17:42Z
Author: Maxime De roucy

Add a second factor authentication module for Yubikey.
Milestone: 2.0.0 | Assignee: Yadd

Issue #852: Possibility to reload/refresh his session without logout and relogin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/852
Updated: 2018-05-18T05:17:43Z
Author: Clément OUDOT

The goal is to be able to refresh the content of the session without forcing the user to logout and login again. This is useful for example if a user was assigned to a new group, and needs to access an application requiring this group.
Milestone: 2.0.0 | Assignee: Yadd

Issue #857: Adapt apache log level message on multi authentication scheme
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/857
Updated: 2018-05-18T05:17:43Z
Author: Philippe Baye

When the Authentication module is set to "Multiple" (in my case "SSL;Slave;LDAP"), for all the first ones that fail, I have a "warn" message put in the apache error file, before the authentication process finishes.
In this case, it would be better to have these logs at a low level ("info" or "debug"): first authentication failures are a "normal" case.
Example 1:
I have this log, before the connection form is displayed
```
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : Client IP not accredited for Slave module (172.xxx.xxx.xxx)
```
Example 2:
If the IP is accredited for the Slave module (or slaveMasterIP is empty), then the message is at "error" level:
```
[Thu Oct 15 15:25:34 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:25:34 2015] [error] No header Slave-Auth-User found
```
Moreover, each time the connection form is submitted (for example with a wrong password), these first 2 lines are logged.
Milestone: 2.0.0 | Assignee: Yadd

Issue #868: Replace XML format by JSON for notifications
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/868
Updated: 2018-05-18T05:17:44Z
Author: Yadd

Using XML provides no benefit but consumes memory and CPU on the server side.
Milestone: 2.0.0 | Assignee: Yadd

Issue #970: REST API for Portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/970
Updated: 2018-05-18T05:17:48Z
Author: dcoutadeur dcoutadeur

This is a proposal for making a REST API for the portal, as was done recently with the Manager.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1015: Two-Factor Authentication with OTP for portal user logins
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1015
Updated: 2018-05-18T05:17:51Z
Author: Pasi Karkkainen

Currently LemonLDAP-NG (as of 1.9.2) does not support Two-Factor Authentication using a combination of username + password + One Time Password/PIN (OTP).
It'd be good if lemonldap-ng supported for example SMS-OTP (One Time Password/PIN delivered to a mobile phone using SMS) like this:
1) User goes to the lemonldap-ng login page and gets the usual prompt for username/password.
2) After successful user/pass authentication the user gets another dialog/form on the login web page with an "OTP" prompt (challenge), to enter a valid one-time-password/pin.
3) If using SMS-OTP, the user will now also get an SMS message delivered with the OTP in it on his mobile phone.
4) User enters the OTP (response) from the SMS into the OTP form on the lemonldap-ng login page.
5) When the user has entered the correct OTP, login is successful and the lemonldap session is started.
This can be implemented in the following way:
1) Add Challenge-Response support to the lemonldap-ng AuthRadius plugin. Challenge-Response is a generic/standard method of implementing two-factor or multi-factor authentication with Radius. Challenge-Response also supports other types of OTP as well, not just SMS-OTP.
2) Add Two-Factor / Multi-Factor support to the lemonldap-ng login page, so it can display multi-part login forms, based on Challenge-Response results.
Basically, during the first phase of authentication (username/password entered) the radius server will verify the username/password; normally it would respond with "Access Accept" for a successful authentication, but in the case of OTP it will reply with "Access Challenge" instead, which means LemonLDAP-NG should request additional information from the user. The radius server also includes the actual text that should be shown to the user (for example "Enter SMS-OTP"). Also the radius server, or the configured radius backend, will generate the actual one-time-password/pin and send it to the user using SMS, or some other method.
In the second phase of the authentication LemonLDAP-NG will send the OTP to the radius server, and when the radius server verifies that the OTP is correct, the user authentication is successful.
There are multiple Radius servers/products with support for Two-Factor Authentication with One Time Passwords/PINs. Freeradius also supports this.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1019: Evaluate custom template parameters
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1019
Updated: 2018-05-18T05:17:51Z
Author: Clément OUDOT

We have the possibility to set custom template parameters: http://lemonldap-ng.org/documentation/latest/portalcustom#template_parameters
But this would be even more useful if this parameter was evaluated, so we can use %ENV and all session values. For example:
```
tpl_helloworld = "Hello world from ".$ipAddr
```
Milestone: 2.0.0 | Assignee: Yadd

Issue #1425: CAS gateway mode
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1425
Updated: 2018-06-25T08:44:50Z
Author: Clément OUDOT

In the CAS protocol, if we use gateway=true and the user is not authenticated, we should not stop on the login form but redirect to the CAS service without a ticket.
This was working in 1.9 but not in 2.0.
Milestone: 2.0.0 | Assignee: Clément OUDOT

Issue #1033: Translate mail subject - forgotten password
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1033
Updated: 2018-05-19T19:41:37Z
Author: Julian Layen

Hello,
I need to translate the mails about "forgotten password" in the manager; unfortunately it is not possible to translate the mail subject in multiple languages. How can I change the subject for each language?
I modified the following file to change the subject but it does not work well:
/usr/share/perl5/Lemonldap/NG/Portal/MailReset.pm
line 310:
```perl
# TEST
# my $subject = $self->{mailConfirmSubject};
my $subject;
# First two letters of the browser's Accept-Language header (e.g. "fr")
my $a = substr( $ENV{HTTP_ACCEPT_LANGUAGE}, 0, 2 );
# Language codes are strings, so they are compared with 'eq' ('==' would compare them numerically)
if ( $a eq "fr" ) {
    $subject = "Espace PRO Zodiac : Demande de re-initialisation de mot de passe";
}
if ( $a eq "en" ) {
    $subject = "Zodiac Espace PRO : password modification request";
}
if ( $a eq "it" ) {
    $subject = "Zodiac Area PRO: modifica della password richiesta";
}
if ( $a eq "pt" ) {
    $subject = "Espaço PRO Zodiac : pedido de alteração da contra-senha";
}
if ( $a eq "es" ) {
    $subject = "Zodiac Espacio PRO : solicitud de modificación de contraseña";
}
if ( $a eq "nl" ) {
    $subject = "Zodiac Espace PRO : Boekingsverzoek reset van het wachtwoord";
}
if ( $a eq "de" ) {
    $subject = "Zodiac Händlerbereich: Anfrage zur Passwortänderung";
}
# Append the detected language code to the subject
$subject .= $a;
# TEST
```
Milestone: 2.0.0 | Assignee: Yadd

Issue #1085: CDA: use different cookies for each protected vhost instead of one for all
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1085
Updated: 2018-05-19T19:41:40Z
Author: Jaboeuf Quentin

In a recent security audit of our LL::NG platform, the expert pointed out an issue with the fact that all the virtual hosts are protected with the same session id/cookie.
So, if someone steals the cookie, he could access all the applications the cookie-owner user can access.
He suggests dealing with secondary session ids/cookies to limit the impact of stealing a cookie.
Does this sound reasonable to you? Is this achievable?
Milestone: 2.0.0 | Assignee: Yadd

Issue #1131: Portal plugin to "Stay connected on this device"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1131
Updated: 2018-05-19T19:41:42Z
Author: Yadd

Many websites provide a "Stay connected" feature based on a permanent cookie. I propose to add this feature but using [Fingerprintjs2|https://github.com/Valve/fingerprintjs2] to secure the cookie.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1133: Translation system for mails
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1133
Updated: 2018-05-19T19:41:42Z
Author: Yadd

Milestone: 2.0.0 | Assignee: Yadd

Issue #1148: U2F - Universal 2nd Factor Authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1148
Updated: 2018-06-12T15:56:55Z
Author: Yadd

Insert a registration application and, for registered users, ask for U2F auth.
A U2F authentication flag will be inserted in the session for rules.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1151: Replace Multi by a Combination parser
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1151
Updated: 2018-05-19T19:41:43Z
Author: Yadd

Multi will be replaced by a combination parser that can understand:
* [ LDAP ] or [ DBI ]
* [ LDAP ] and [ DBI ]
* [ SSL, LDAP ] or [ LDAP ]
* if ($env->{REMOTE_ADDR} =~ /^10\./) then [ SSL, LDAP ] else [ LDAP ]
* if ($env->{REMOTE_ADDR} =~ /^10\./) then [ SSL, LDAP ] else if ($env->{REMOTE_ADDR} =~ /^192/) then [ LDAP ] else [ DBI ]
* [ MyLDAP1 ] or [ MyLDAP2 ]
* [ LDAP, LDAP and DBI ]
...
Names given _(LDAP, DBI,…)_ must be declared:
```perl
combModules => {
    MyLDAP1 => {
        type => 'LDAP',
        for  => 0,    # 1 = auth, 2 = userDB, 0 = both
        over => {
            ldapServer => 'ldaps://10.0.0.1',
        },
    },
},
```
Milestone: 2.0.0 | Assignee: Yadd

Issue #1157: Export SAML request parameters in %ENV
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1157
Updated: 2018-06-26T13:55:16Z
Author: Clément OUDOT

Same as #1156 but for SAML.
Milestone: 2.0.0

Issue #1162: Capability to use Log4Perl (and other log backends)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1162
Updated: 2018-06-13T19:34:33Z
Author: Yadd

Create Lemonldap::NG::Common::Logger::* classes to be able to choose the logging stack.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1169: Be consistent in session "private" variable names
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1169
Updated: 2018-05-19T19:41:44Z
Author: Clément OUDOT

We have session data which are set by LL::NG and others which come from the UserDB backend.
Some of the variables set by LL::NG are prefixed with "_" but not all. We can maybe work on this for 2.0.
See also http://lemonldap-ng.org/documentation/latest/variables
Milestone: 2.0.0 | Assignee: Yadd

Issue #1173: Performance: minimize Apache::Session access
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1173
Updated: 2018-05-19T19:41:44Z
Author: Yadd

Lemonldap::NG::Common::Session always unties %data. So getApacheSession() + session->update($info) ties %data 2 times.
This issue will give the possibility to directly attach and update %data in getApacheSession().
Milestone: 2.0.0 | Assignee: Yadd

Issue #1183: Rewrite CAS authentication module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1183
Updated: 2018-05-19T19:41:44Z
Author: Clément OUDOT

The Perl-CAS module does not provide enough features (can't read attributes, uses a local file to manage proxy tickets); we need to rewrite the CAS client code and create a CAS UserDB module.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1184: Remove old skins and keep only bootsrap
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1184
Updated: 2018-05-19T19:41:44Z
Author: Clément OUDOT

We will remove the pastel, dark and impact skins, which are old and hard to maintain.
While keeping the bootstrap skin, we could try to propose bootswatch themes: http://bootswatch.com/
Milestone: 2.0.0 | Assignee: Yadd

Issue #1188: Custom auth/userDB/password/register modules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1188
Updated: 2018-05-19T19:41:45Z
Author: Yadd

Insert "Custom" in selects. customParams will contain the real class names.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1196: Auth::PAM module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1196
Updated: 2018-05-19T19:41:45Z
Author: Yadd

Using Authen::PAM, it seems easy to write this.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1201: IPv6 support
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1201
Updated: 2018-05-19T19:41:45Z
Author: Yadd

Add some IPv6 support:
* in Safelib:
  * `isInNet6($ipAddr, '2134::/16')`: return true if $ipAddr is in the 2134::/16 network
* for Session Explorer:
  * `isIpv6($ipAddr)`: check if $ipAddr is an IPv6 address
  * some features to display IPv6 addresses
Milestone: 2.0.0 | Assignee: Yadd

Issue #1204: Propose reauthentication if higher access level is requested
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1204
Updated: 2019-07-09T17:15:57Z
Author: Clément OUDOT

We need to be able to know which authentication level is requested (acr_values in OpenID Connect, requestedauthenticationcontext in SAML, a new parameter in Handler). Then compare this level to the current level and force reauthentication if the level is not enough.
This also implies only proposing authentication backends that are up to the requested level in the combination module.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1206: TLS support for mails
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1206
Updated: 2018-05-19T19:41:45Z
Author: Yadd

Add options in MIME::Lite to enable SSL or STARTTLS.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1212: Propose SSL authentication by Ajax
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1212
Updated: 2018-11-21T19:17:21Z
Author: Yadd

To be able to chain SSL with Combination, we could use an Ajax URL like in the Kerberos auth module.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1213: CDA error while loading plugin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1213
Updated: 2018-05-19T19:41:46Z
Author: Jeremy Kespite

If CDA is set to 1 in conf, I get:
```
[error] Lemonldap::NG::Portal::Plugins::CDA load error: Bareword "PE_APACHESESSIONERROR" not allowed while "strict subs" in use at /usr/share/perl5/Lemonldap/NG/Portal/Plugins/CDA.pm line 53.
Bareword "PE_OK" not allowed while "strict subs" in use at /usr/share/perl5/Lemonldap/NG/Portal/Plugins/CDA.pm line 56.
Compilation failed in require at (eval 2038) line 2.
```
Milestone: 2.0.0 | Assignee: Yadd

Issue #1215: Session not deleted in cache when removing session from Sessions Explorer
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1215
Updated: 2018-05-19T19:41:46Z
Author: Clément OUDOT

I tried to reproduce #1214 on 2.0 but when removing a session from the Sessions Explorer, it is not deleted in the cache:
```
[debug] Get session e0cb632bac14cc2b04e4fd99f13bb550586a438d97d99834d9de3024df088cba from Handler internal cache
[debug] removing cookie
[debug] User dwho was granted to access to /index.fcgi//psgi.js
[debug] Start routing psgi.js
```
This was working in 1.9.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1216: Missing PasswordDBNull
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1216
Updated: 2018-05-19T19:41:46Z
Author: Clément OUDOT

```
[error] Lemonldap::NG::Portal::Password::Null load error: Can't locate Lemonldap/NG/Portal/Password/Null.pm in @INC (you may need to install the Lemonldap::NG::Portal::Password::Null module) (@INC contains: /home/clement/dev/lemonldap/trunk/lemonldap-ng-manager/blib/lib /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib /home/clement/dev/lemonldap/trunk/lemonldap-ng-handler/blib/lib /home/clement/dev/lemonldap/trunk/lemonldap-ng-common/blib/lib /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.2 /usr/local/share/perl/5.22.2 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl-base .) at (eval 258) line 2, <FILE> line 2.
```
Milestone: 2.0.0 | Assignee: Yadd

Issue #1217: Choice are not displayed on portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1217
Updated: 2018-05-19T19:41:46Z
Author: Clément OUDOT

I tried to configure Choice and this does not seem to work. I get an empty form when displaying the portal, see screenshot.
Milestone: 2.0.0 | Assignee: Yadd

Issue #1220: Vietnamese translation
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1220
Updated: 2018-05-19T19:41:46Z
Author: Yadd

Vietnamese translation started on https://www.transifex.com/lemonldapng/lemonldapng/dashboard/
Milestone: 2.0.0 | Assignee: Yadd

Issue #1222: Arabic translation
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1222
Updated: 2018-05-19T19:41:47Z
Author: Yadd

Arabic translation started on https://www.transifex.com/lemonldapng/lemonldapng/dashboard/
Milestone: 2.0.0 | Assignee: Yadd

Issue #1227: Old password input not shown in password form in menu
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1227
Updated: 2018-05-19T19:41:47Z
Author: Clément OUDOT

In the password tab, the old password input is not shown, but it is required to change the password:
```
[debug] User dwho was granted to access to /
[debug] Start routing default route
[debug] Processing importHandlerDatas
[debug] Processing re...In password tab, old password input is not show, but it is required to change the password:
```
[debug] User dwho was granted to access to /
[debug] Start routing default route
[debug] Processing importHandlerDatas
[debug] Processing restoreArgs
[debug] Processing controlUrl
[debug] Processing checkLogout
[debug] Processing code ref
[warn] Portal require old password
[debug] Returned error: 27
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Starting HTML generation using /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/site/templates/bootstrap/error.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/site/templates/bootstrap/error.tpl
```
Another thing is that the error message should be displayed with the menu and password tab activated, so we can directly retry to change the password. Here we have the generic error.tpl.

Milestone: 2.0.0
Assignee: Clément OUDOT

#1228 Logo not displayed in Choices tab
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1228
Updated: 2018-05-19T19:41:47Z
Author: Clément OUDOT

When configuring Choices, with CAS for example, the CAS logo is not displayed:
```
<img src="/static/common/CAS.png" alt="CAS" class="img-thumbnail">
```
/static/common/CAS.png leads to a 404 error.

Milestone: 2.0.0
Assignee: Yadd

#1230 Redirector JS error
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1230
Updated: 2018-05-19T19:41:47Z
Author: Jeremy Kespite

When I authenticate, I'm glued on the redirector page and I get a JS error:
```
Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
```
about this line:
```
<body onload="document.location.href='https://auth.example.fr/'">
```
And the CSP generated by the portal is:
```
Content-Security-Policy:default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self' auth.example.fr auth.example.fr;frame-ancestors 'none';
```

Milestone: 2.0.0
Assignee: Yadd

#1232 Italian translation
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1232
Updated: 2018-05-19T19:41:47Z
Author: Yadd

Italian translation (by Paola Penati).

Milestone: 2.0.0
Assignee: Yadd

#1234 HTML entities not authorized in translation files
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1234
Updated: 2018-05-19T19:41:47Z
Author: Clément OUDOT

In the FR portal translation, we sometimes have HTML entities:
```
"logoutConfirm":"Souhaitez-vous vous déconnecter&nbsp;?",
```
This HTML entity is not converted by the browser, maybe because it is set by javascript (trspan). See screenshot.
I think we should just avoid HTML entities in our translation files.

Milestone: 2.0.0
Assignee: Yadd

#1235 Confirm buttons always return 1
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1235
Updated: 2018-05-19T19:41:47Z
Author: Clément OUDOT

When using the confirm.tpl template, it seems that the "accept" and "refuse" buttons both set the confirm parameter to 1.
Here is a log when "refuse" button is clicked:
```
[debug] Processing controlUrl
[debug] Confirm parameter accepted 1
```

Milestone: 2.0.0
Assignee: Clément OUDOT

#1236 No redirect is done after OpenID Connect logout
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1236
Updated: 2018-05-19T19:41:47Z
Author: Clément OUDOT

I updated the OpenID Connect code on 2.0 for #1233 and I found that post_logout_redirect_uri is not taken into account if the user chooses to close their session (after confirmation).
I notice that the logout process always returns an error, and I don't find why:
```
[debug] URL detected as an OpenID Connect END SESSION URL
[debug] OIDC request parameter post_logout_redirect_uri: http://auth.example.com/oauth2.pl
[debug] Store http://auth.example.com/oauth2.pl in hidden key post_logout_redirect_uri
[debug] OIDC request parameter state: ABCDEFGHIJKLMNOPQRSTUVW
[debug] Store ABCDEFGHIJKLMNOPQRSTUVW in hidden key state
[debug] Processing code ref
[debug] Processing authLogout
[debug] Processing deleteSession
[debug] Try to get SSO session 66cef3d689e22f16712e803e6304587c14578b0fd4967f0aee74154423a1b0ec
[debug] Return SSO session 66cef3d689e22f16712e803e6304587c14578b0fd4967f0aee74154423a1b0ec
[debug] Local handler logout
[notice] User dwho has been disconnected
[debug] Session 66cef3d689e22f16712e803e6304587c14578b0fd4967f0aee74154423a1b0ec deleted from global storage
[debug] Returned error: 47
[error] Logout process returns error code 47
[debug] Returned error: 24
```
Any idea?
Milestone: 2.0.0
Assignee: Yadd

#1239 Add an alt attribute and a cursor to flag icons
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1239
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT

When flag icon, we should display an alternative text instead of a broken image (and this will also increase accessibility).
And also a click cursor can be better to materialize that flags are buttons.

Milestone: 2.0.0
Assignee: Clément OUDOT

#1248 Invalid call to upgradesession in OpenID Connect authorization
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1248
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT

When testing OIDC with prompt=consent, I have this error:
```
[debug] Client id lemonldap match RP rp-example
Use of uninitialized value $_lastAuthnUTime in addition (+) at /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 281.
Use of uninitialized value $_lastAuthnUTime in concatenation (.) or string at /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 282.
[debug] Reauthentication forced cause authentication time () is too old (>3600 s)
[debug] Returned error: 85
Status: Unknown command line : dwho => /oauth2/authorize?response_type=code&client_id=lemonldap&scope=openid profile address email phone&redirect_uri=http:/auth.example.com/oauth2.pl?openidconnectcallback=1&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent&ui_locales=fr-CA en-GB en fr-FR fr&login_hint=coudot&max_age=3600&id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJsZW1vbmxkYXAiLCJzdWIiOiJjb3Vkb3QiLCJpYXQiOjE0MjcyOTkyMzIsImF1dGhfdGltZSI6MTQyNzI5NjA1NCwiZXhwIjoiMzYwMCIsIm5vbmNlIjoiMTIzNDU2Nzg5MCIsImF1ZCI6WyJsZW1vbmxkYXAiXSwiYXRfaGFzaCI6InBkR0Fwb2VUTy01MzR6X1dDbDFxS1EiLCJhY3IiOiJsb2EtMiIsImlzcyI6Imh0dHA6Ly9hdXRoLmV4YW1wbGUuY29tLyJ9.QRU8KV0dDwUbfAYA3CbcNpYE3SGaqn2nHb6qT76i2-Y 85
[debug] Skin returned: upgradesession
[debug] Calling sendHtml with template upgradesession
```

Milestone: 2.0.0
Assignee: Clément OUDOT

#1249 OIDC Consent is automatically accepted
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1249
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT

When using OIDC and requesting user consent for attribute sharing, the consent is automatically accepted after 30s even if the timer is not displayed.
The form should never be automatically submitted if the timer is not active.

Milestone: 2.0.0
Assignee: Yadd

#1250 No translation and no logo in OIDC consent page
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1250
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT

When displaying the OIDC consent file, translated strings are not shown, see screenshot.
And we also have a CSP error if the logo is not in the portal:
```
Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://lemonldap-ng.org/_media/wiki/logo.png (« img-src http://auth.example.com:19876 data: »)
```
But for this I think we just need to update the CSP parameter for the portal when using logos from outside. It should be said in the documentation.

Milestone: 2.0.0
Assignee: Clément OUDOT

#1251 Internal Server error if no OIDC session storage defined
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1251
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT

In a simple OIDC configuration, we may not need to define a specific session storage for OIDC technical sessions.
But in this case we have this error:
```
[Tue Jun 13 15:15:05.678223 2017] [fcgid:warn] [pid 21088:tid 139656070940416] [client 127.0.0.1:39570] mod_fcgid: stderr: Attribute (storageModule) does not pass the type constraint because: Validation failed for 'Str' with value undef at /usr/lib/x86_64-linux-gnu/perl5/5.22/Mouse/Util.pm line 386., referer: http://auth.example.com:19876/oauth2/authorize?response_type=code&client_id=lemonldap&scope=openid%20profile%20address%20email%20phone&redirect_uri=http%3A%2F%2Fauth.example.com%2Foauth2.pl%3Fopenidconnectcallback%3D1&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent&ui_locales=fr-CA%20en-GB%20en%20fr-FR%20fr
[Tue Jun 13 15:15:05.678261 2017] [fcgid:warn] [pid 21088:tid 139656070940416] [client 127.0.0.1:39570] mod_fcgid: stderr: \tMouse::Util::throw_error(Mouse::Meta::Attribute=HASH(0x559b3f4c8500), "Attribute (storageModule) does not pass the type constraint b"..., "data", undef, "depth", -1) called at /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm line 652, referer: http://auth.example.com:19876/oauth2/authorize?response_type=code&client_id=lemonldap&scope=openid%20profile%20address%20email%20phone&redirect_uri=http%3A%2F%2Fauth.example.com%2Foauth2.pl%3Fopenidconnectcallback%3D1&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent&ui_locales=fr-CA%20en-GB%20en%20fr-FR%20fr
```
All technical session storage should use the default one if not configured.
Milestone: 2.0.0
Assignee: Yadd

#1252 Bad URL in OIDC authentication flow when first authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1252
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT

When testing OIDC authentication from the RP without being authenticated on the OP, the flow ends with a "Bad URL" error after the login+consent screen:
```
[debug] Get session 8faa76011d8e811799d0c1af8c754e70a0448801040170684b2e219fe473892b
[debug] removing cookie
[debug] User dwho was granted to access to /oauth2/authorize?response_type=code&client_id=lemonldap&scope=openid%20profile%20address%20email%20phone&redirect_uri=http%3A%2F%2Fauth.example.com%2Foauth2.pl%3Fopenidconnectcallback%3D1&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent&ui_locales=fr-CA%20en-GB%20en%20fr-FR%20fr
[debug] Start routing oauth2
[debug] Processing _forAuthUser
[notice] Bad (or expired) token 1497288803_7661
[debug] Processing importHandlerDatas
[debug] Processing controlUrl
[debug] Confirm parameter accepted 1
[error] Value must be in BASE64 (param: url | value: http://auth.example.com:19876/oauth2/authorize?issuerRequestoauth2=1497288803_7661)
[debug] Returned error: 37
Status: Unknown command line : dwho => /oauth2/authorize?response_type=code&client_id=lemonldap&scope=openid profile address email phone&redirect_uri=http:/auth.example.com/oauth2.pl?openidconnectcallback=1&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent&ui_locales=fr-CA en-GB en fr-FR fr 37
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Starting HTML generation using /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/site/templates/bootstrap/error.tpl
```

Milestone: 2.0.0
Assignee: Yadd

#1258 no successful password notification message
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1258
Updated: 2018-05-19T19:41:49Z
Author: dcoutadeur dcoutadeur

When changing password on the portal, the user never gets a successful notification message.

Milestone: 2.0.0
Assignee: Yadd

#1267 Allow custom regexp for vhost display
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1267
Updated: 2018-05-19T19:41:49Z
Author: Mathieu Parent

Currently "Display application" has 3 possibilities: yes/no/auto (auto means use location rules).
We need a fourth possibility to have an application visible in the portal to a group while being accessible by a more broad group.
Proposal: accept an expression like in location rules.

Milestone: 2.0.0
Assignee: Yadd

#1271 Bad behaviour with static content
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1271
Updated: 2018-05-19T19:41:49Z
Author: Mathieu Lecompte-melançon

In the test page, there are some JS references to portal JS like:
http://auth.beta.urgences-sante.qc.ca/skins/bootstrap/js/bootstrap.js
But apparently when I load the link manually, I obtain the portal web page, not the JS.

Milestone: 2.0.0
Assignee: Yadd

#1273 Can't call method "logger" on an undefined value
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1273
Updated: 2018-05-19T19:41:49Z
Author: Mathieu Lecompte-melançon

With "COMBI" mode between LDAP and DEMO, I can't log in with my LDAP user to the LDAP backend:
```
2017/07/17 15:05:16 [error] 2340#2340: *1636 FastCGI sent in stderr: "Can't call method "logger" on an undefined value at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Lib/Net/LDAP.pm line 591" while reading response header from upstream, client: 10.193.11.11, server: auth.beta.urgences-sante.qc.ca, request: "POST / HTTP/1.1", upstream: "fastcgi://unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock:", host: "auth.beta.urgences-sante.qc.ca", referrer: "http://auth.beta.urgences-sante.qc.ca/"
```

Milestone: 2.0.0
Assignee: Yadd

#1290 Server error when REST/SOAP servers enabled
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1290
Updated: 2018-05-19T19:41:50Z
Author: Clément OUDOT

When enabling REST/SOAP servers and reloading the portal page, we have this error:
```
[info] Loading configuration 2 for process 30641
[debug] Process 30641 calls defaultValuesInit
[debug] Process 30641 calls jailInit
[debug] Custom function : My::hello
[debug] Custom function : My::get_additional_arg
[debug] Process 30641 calls portalInit
[debug] Process 30641 calls locationRulesInit
[info] Rules logout_app and logout_app_sso require Apache>=2
[info] Rules logout_app and logout_app_sso require Apache>=2
[debug] Process 30641 calls sessionStorageInit
[debug] Process 30641 calls headersInit
[debug] Process 30641 calls postUrlInit
[debug] Compiling POST data for /form.html
[debug] Process 30641 calls aliasInit
[debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[debug] Launching Lemonldap::NG::Portal::Main->reloadConf(conf)
[debug] Module Lemonldap::NG::Portal::Auth::Demo loaded
[warn] Using demonstration mode, go to Manager to edit the configuration
[debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[debug] Plugin ::Auth::Demo initializated
[debug] Module Lemonldap::NG::Portal::UserDB::Demo loaded
[debug] Plugin ::UserDB::Demo initializated
[debug] Vhost test1.example.com added in trusted domains
[debug] Vhost manager.example.com added in trusted domains
[debug] Vhost test2.example.com added in trusted domains
[debug] Module Lemonldap::NG::Portal::Main::Menu loaded
[debug] Plugin ::Main::Menu initializated
[debug] Module Lemonldap::NG::Portal::Plugins::History loaded
[debug] Found afterDatas entry point:
[debug] -> run
[debug] Plugin ::Plugins::History initializated
[debug] Module Lemonldap::NG::Portal::Plugins::Upgrade loaded
[debug] Declaring auth route
[debug] Add GET route:
[debug] route upgradesession added
[debug] Declaring auth route
[debug] Add POST route:
[debug] route upgradesession added
[debug] Plugin ::Plugins::Upgrade initializated
[debug] Module Lemonldap::NG::Portal::Plugins::SOAPServer loaded
[debug] Declaring unauth route
[debug] Add POST route:
[debug] route sessions added
[debug] Declaring unauth route
[debug] Add POST route:
[debug] route adminSessions added
[debug] Declaring auth route
[debug] Add POST route:
[debug] route sessions added
[debug] Declaring auth route
[debug] Add POST route:
[debug] route adminSessions added
[debug] Declaring unauth route
[debug] Add POST route:
[debug] route config added
[debug] Declaring auth route
[debug] Add POST route:
[debug] route config added
[debug] Plugin ::Plugins::SOAPServer initializated
[debug] Module Lemonldap::NG::Portal::Plugins::RESTServer loaded
[debug] Declaring unauth route
[debug] Add GET route:
[debug] route virtualHosts added
[debug] route samlIDPMetaDataNodes added
[debug] route samlSPMetaDataNodes added
[debug] route applicationList added
[debug] route oidcOPMetaDataNodes added
[debug] route oidcRPMetaDataNodes added
[debug] route authChoiceModules added
[debug] route grantSessionRules added
[debug] route : added
[debug] route confs added
[debug] Declaring unauth route
[debug] Add GET route:
[debug] route * added
[debug] route : added
[debug] route confs added
[debug] Declaring unauth route
[debug] Add GET route:
[debug] route : added
[debug] route sessions added
[debug] Declaring unauth route
[debug] Add POST route:
Not a HASH reference at /home/clement/dev/lemonldap/trunk/lemonldap-ng-common/blib/lib/Lemonldap/NG/Common/PSGI/Router.pm line 41, <FILE> line 1.
[Wed Aug 30 18:50:46.506860 2017] [fcgid:warn] [pid 30613:tid 140497117656832] (104)Connexion ré-initialisée par le correspondant: [client 127.0.0.1:45846] mod_fcgid: error reading data from FastCGI server, referer: http://manager.example.com:19876/manager.html
[Wed Aug 30 18:50:46.507060 2017] [core:error] [pid 30613:tid 140497117656832] [client 127.0.0.1:45846] End of script output before headers: index.fcgi, referer: http://manager.example.com:19876/manager.html
auth.example.com:80 127.0.0.1 - - [30/Aug/2017:18:50:46 +0200] "GET / HTTP/1.1" 302 506 "http://manager.example.com:19876/manager.html" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0"
```

Milestone: 2.0.0
Assignee: Yadd