lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-05-14T07:22:21Z

Parameter to ignore some tests during saving
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1403
Updated: 2018-05-14T07:22:21Z
Author: Antoine Rosier

### Summary
Add option to autoignore test
### Design proposition
Symptom: LL::NG 1.9.16 -> When using the overload process with lemonldap-ng.ini for configuration, saving a new configuration with the manager will raise a gateway timeout due to a fastcgi error, caused by the test module, when the database written in the manager is different from the overloaded database written in lemonldap-ng.ini and not reachable.
Solution by X. Guimard: add option auto-ignore in test module.
Milestone: 1.9.17
Assignee: Yadd

Remote MYSQL - mysql_enable_utf8 not applied?
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1407
Updated: 2018-06-20T09:13:08Z
Author: Anthony ROUSSEL

### Concerned version
Version: %1.9.15
### Summary
Can't connect to remote MySQL Server (backend) with LLNG.
* We are migrating mysql databases all around the IT into a secured cluster. As we chose MySQL as backend, LLNG is also concerned by this migration;
* Connection needs to be done with a client-charset = UTF8.
I can connect successfully to the cluster via mysql command:
> mysql -u [lemonUser] -p -h mysqlCluser
( default-charset fixed in my.cnf )
But it doesn't work via LLNG (from lemonldap-ng.ini):
> dbiChain = DBI:mysql:database=lemonLdapDb;host=mysqlCluster
I tried to force mysql_enable_utf8=1 & SET NAMES 'utf8'; but saw that it was already put in _DBI.pm.
### Logs
```
DBD::mysql::db do failed: Lost connection to MySQL server during query at /usr/share/perl5/Lemonldap/NG/Common/Conf/_DBI.pm
```
It fails on "set names utf8;"
It's like the utf8 encoding is not really "sent" and so the server doesn't accept transactions even though it accepted the connection...
Can you reproduce this issue? Dunno where else to search to make it work.
Anthony
Milestone: 1.9.17
Assignee: Yadd

Possibility to add conditions to display Choice tabs
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1413
Updated: 2018-05-14T07:22:53Z
Author: Clément OUDOT

### Summary
Like we have in Multi/Combination, we should be able to have conditions for each tab.
### Design proposition
We need to add a new field for each choice defining the condition
Milestone: 1.9.17
Assignee: Clément OUDOT

Improve test pages
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1415
Updated: 2018-06-09T09:31:33Z
Author: Clément OUDOT

Some things to do:
* Adapt portal URL directly from test host
* Provide CAS/OIDC tests scripts in test application
Milestone: 1.9.17
Assignee: Clément OUDOT

Attribute encoding in CAS responses
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1416
Updated: 2018-06-09T09:31:10Z
Author: Clément OUDOT

I create this issue to test all attribute sharing possibilities.
First with OIDC test, I have this encoding bug in UserInfo answer:
```js
{
'email' => 'clement@oodo.net',
'family_name' => 'OUDOT',
'name' => "Cl\x{c3}\x{a9}ment OUDOT",
'sub' => 'coudot'
}
```
Milestone: 1.9.17
Assignee: Clément OUDOT

"samlServicePrivateKeySig: Bad PEM encoding" on manager when saving config with some valid certificates
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1423
Updated: 2018-05-16T10:03:29Z
Author: Paul Curie

### Concerned version
Version: 1.9.16
### Summary
"samlServicePrivateKeySig: Bad PEM encoding" as a warning in the manager when saving a configuration.
The key is valid, saml works perfectly in this install, @clement_oudot has a copy of the "offending" key for further investigations.
### Logs
Nothing appears in apache error log with LogLevel perl:debug, just normal saml log.
### Backends used
Local files backend for conf/session, Multi (Kerberos;Yubikey;AD) & (AD)
### Possible fixes
Milestone: 1.9.17
Assignee: Clément OUDOT

Error with mod_auth_openidc when kid is set in JWKS
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1426
Updated: 2018-05-19T14:30:00Z
Author: Clément OUDOT

When kid is set, mod_auth_openidc also checks the kty, and it fails:
```
==> /var/log/apache2/error.log <==
[Sat May 19 15:47:10.388791 2018] [auth_openidc:debug] [pid 3516] src/util.c(670): [client 127.0.0.1:58352] oidc_util_http_call: HTTP response code=200, referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
[Sat May 19 15:47:10.388804 2018] [auth_openidc:debug] [pid 3516] src/util.c(675): [client 127.0.0.1:58352] oidc_util_http_call: response={\n "keys" : [\n {\n "e" : "AQAB",\n "use" : "sig",\n "kty" : "RSA",\n "n" : "44hKjc-9ghBJ9Ul3iSC4RTlmCzSLfVxytfRDTAInfA2FHhpPpMlqMkX3KG5BB0kfwQgXbAZ0SIOWiAvaPc79k39ynbXcAnRfn-iBBmKwULmqr-q4RAJDKa8_jOlDSAjjk5J3Yvi0mcnVQDbCeJbRw1eku8jkVZz7unEVwEmIavdF1rv7ulTQUxvgeLyUbuErhVGCXd5cq3oCCsHfptbQQznixv4p4pAUv3_vOrvO3tFAculszi5JFm1KFqG10Uid-6e0Na1PSKomoacHwf7PBHw0oMZXevlhLjEQDlqwgVK6RTki-ZzUgGBcC-7_XA_HlviyhtzWsVKrUl7ObSU4vw",\n "kid" : "secret"\n }\n ]\n}\n, referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
[Sat May 19 15:47:10.388917 2018] [auth_openidc:debug] [pid 3516] src/cache/shm.c(215): [client 127.0.0.1:58352] oidc_cache_shm_set: enter, section="jwks", key="http://auth.example.com/oauth2/jwks", value size=%lu, referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
[Sat May 19 15:47:10.388929 2018] [auth_openidc:debug] [pid 3516] src/proto.c(876): [client 127.0.0.1:58352] oidc_proto_get_key_from_jwks: search for kid "secret" or thumbprint x5t "(null)", referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
[Sat May 19 15:47:10.389016 2018] [auth_openidc:debug] [pid 3516] src/proto.c(901): [client 127.0.0.1:58352] oidc_proto_get_key_from_jwks: skipping non matching kty=1 for kid=secret because it doesn't match requested kty=3, kid=secret, referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
[Sat May 19 15:47:10.389024 2018] [auth_openidc:debug] [pid 3516] src/proto.c(1002): [client 127.0.0.1:58352] oidc_proto_get_keys_from_jwks_uri: returning 0 key(s) obtained from the (possibly cached) JWKs URI, referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
[Sat May 19 15:47:10.389032 2018] [auth_openidc:error] [pid 3516] [client 127.0.0.1:58352] oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:887: oidc_jwt_verify]: could not find key with kid: secret\n, referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
[Sat May 19 15:47:10.389053 2018] [auth_openidc:error] [pid 3516] [client 127.0.0.1:58352] oidc_proto_parse_idtoken: id_token signature could not be validated, aborting, referer: http://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=openidc&state=O8n91Fyu7qwtyGyuq0mUFhmgpBE&redirect_uri=http%3A%2F%2Fopenidc.example.com%2Fredirect_uri&nonce=OC3B2ihHYwMrqglt8-8eG903LdchKU0uy6tDFu9FJh8&prompt=login
```
Milestone: 1.9.17
Assignee: Clément OUDOT