lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2019-10-09T16:36:59Z

## Not sure if this is a bug or just a thing my configuration missed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1855
2019-10-09T16:36:59Z
Michal Lis
### Concerned version
Version:
lemonldap-ng-manager-2.0.5-2.el7.noarch
lemonldap-ng-2.0.5-2.el7.noarch
lemonldap-ng-doc-2.0.5-2.el7.noarch
lemonldap-ng-test-2.0.5-2.el7.noarch
lemonldap-ng-conf-2.0.5-2.el7.noarch
lemonldap-ng-portal-2.0.5-2.el7.noarch
lemonldap-ng-handler-2.0.5-2.el7.noarch
Platform: Apache
### Logs
```
auth.my.domian:80 192.168.10.107 - - [14/Jul/2019:07:49:22 +0200] "GET /?url=aHR0cDovL21hbmFnZXIubWxpcy5vbmUucGwv HTTP/1.1" 500 706
```
Hi, I just want to share my experience with the installation procedure for CentOS/RHEL.
After going through this (with version 2.0 as recommended) I was stuck for a while with a 500 error on the manager site (redirected to auth).
I have got
"Unable to protect this server"
After commenting out lines 25:30 in Lemonldap/NG/Handler/Lib/PSGI.pm I got further, with errors.
I was getting a second error, which was pretty easy to resolve: `yum install perl-String-Random.noarch`
That was missed (but I think it should be added to the dependencies in the RPMs if it is required).
My question is: what is the reason and/or consequence of getting:
"Unable to protect this server"
I am testing this in an isolated VM environment so I am not scared ;)
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes
Milestone: In discussion

## Git configuration backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1854
2019-11-21T11:21:47Z
Yadd
### Summary
Configuration could be based on Git: this would be a wrapper around file which would use `git pull` and `git push` to download/upload the configuration. Then only the manager server repo will be configured using ssh and a key; others will use https _(native git security)_.
### Design proposition
JSON files will be beautified before upload to make differences easy to read.
This also needs a git hook to be able to find a commit by configuration number, and some methods to get a non-latest configuration (like `git archive`).
Milestone: Backlog
Assignee: Yadd

## Provide some dependencies in a Debian "extras" repository
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1845
2019-09-05T07:13:52Z
Clément OUDOT
We have an "extras" RPM repository for some dependencies (Lasso, Apache::Session::Browseable, ...).
We should have the same for Debian, as some dependencies are quite old in the official stable repository.
Milestone: In discussion
Assignee: Clément OUDOT

## Limit node size when displaying VH in Manager (like in sessions explorer)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1841
2019-11-21T11:23:05Z
Christophe Maudoux <chrmdx@gmail.com>
### Summary
When the manager has a lot of CH, opening the VH node takes a while.
### Design proposition
Like the sessions explorer, group the VH list by first letter to limit the number of sub-nodes to ~30.
Milestone: 3.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## One-file skins
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1840
2019-11-21T17:17:00Z
Yadd
### Summary
Today, custom skins are a little complex to do and require a lot of work on each upgrade. The goal of this issue is to be able to deploy a skin with only one file _(that can be downloaded by the manager?)_.
### Design proposition
* old-fashioned skin method stays available _(== duplicate `bootstrap` dir)_
* new fashion is named "standard-skin"
* our skin is modified to include more than changing only the background image _(may be a .zip containing images and only one general HTML template)_
* the standard-skin file is stored in the configuration DB in a specific place
* when the portal detects that it does not have the right file, it downloads it from the configuration DB and deploys it in a directory _(write authorized)_
* [LLNG website](https://lemonldap-ng.org) proposes some of these new standard skins
Milestone: Backlog

## Define a password policy for Auth::DBI
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1839
2019-11-21T17:18:08Z
Guillaume
### Summary
For some reason, we would like to have a better password policy for the Auth::UserDB function, like we can have in LDAP:
- Regexp (we can easily do it on the front end, but on the back end we need specific development)
- Automatic password expiration
- Block the account after too many attempts. Resetting the password unblocks the account (or delay to retry?)
### Design proposition
New configuration for the regexp, the validity of the password and the number of attempts allowed.
New column in DB (so configuration) for the expiration date and the number of attempts before resetting the password.
Milestone: 3.0.0

## [Security:improvement] Improved use of cryptography
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1823
2023-11-13T14:43:20Z
Raphael Geissert
Poking different parts of the code base, it would appear that the use of cryptography by LLNG needs to be reviewed, updated, and simplified. Some examples:
* `Lemonldap::NG::Common::Crypto` has code that uses md5 in what looks like a key-derivation function. PBKDF2 and similar HMAC-based algorithms exist to do that.
* data seems to be encrypted, again with the Crypto module, but not signed. Authenticated encryption should be critical if the encrypted data is ever sent to or received from an untrusted party.
* Use of non-crypto-safe RNGs like in #1803 and #1633
* Lastly, but worrisome, by using a low-level primitive like AES directly it appears that some basics were forgotten: the same key appears to be used to sign multiple messages without ever setting an initialization vector, meaning that the IV in use is always zero.
Libraries such as NaCl and libsodium were created to reduce the complexity of using cryptographic functions the right way. Perhaps using one of the Perl bindings to libsodium could be a way to address these problems.
E.g. for #1803 there's `randombytes_uniform`. For encryption? `crypto_secretbox_*`. Data authentication? `crypto_auth`.
Marking this issue as confidential given that the IV reuse could be pretty serious. I have not tried to assess the impact in the case of LLNG.
C.f. https://cwe.mitre.org/data/definitions/329.html
Milestone: 3.0.0
Assignee: Yadd

## Unable to install on Debian if Apache2 is already installed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1817
2019-06-25T14:12:06Z
Clément OUDOT
When installing LL::NG packages on Debian, where apache2 is already installed, we have this error:
```
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
invoke-rc.d: initscript nginx, action "start" failed.
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2019-06-25 15:40:46 CEST; 9ms ago
Docs: man:nginx(8)
Process: 6662 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Process: 6660 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
juin 25 15:40:44 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:46 pts2019 nginx[6662]: nginx: [emerg] still could not bind()
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Control process exited, code=exited status=1
juin 25 15:40:46 pts2019 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Unit entered failed state.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Failed with result 'exit-code'.
dpkg: erreur de traitement du paquet nginx-extras (--configure) :
le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1
...
Paramétrage de lemonldap-ng-fastcgi-server (2.0.4-1) ...
Created symlink /etc/systemd/system/llng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lemonldap-ng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
...
Des erreurs ont été rencontrées pendant l'exécution :
nginx-extras
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
The nginx dependency should not be activated if apache2 is already installed.
Milestone: FAQ

## Room for improvement in Apache::Session::Generate::SHA256
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1808
2021-10-16T06:04:16Z
Raphael Geissert
The `Lemonldap::NG::Common::Apache::Session::Generate::SHA256` module could use an update, it:
* imports some methods like sha256 but doesn't use them,
* reads 64 bytes of urandom, but only because that's the length of the output of sha256_hex,
* does a second round of hashing for no documented reason,
* hashes the output of: `time`, `{}`, and `$$`, but at best they do no harm and at worst they could leak information
Moreover, it doesn't handle the fact that `Crypt::URandom` could croak. Not sure if that's handled nicely by other parts of LLNG?
Milestone: 3.0.0

## Combination may authorize to use Choice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1801
2021-05-07T08:41:43Z
Yadd
### Summary
Today, the Combination menu doesn't propose "Choice". It may be useful in certain cases to try an auth before proposing a choice. Maybe the reverse can be authorized too.
Milestone: 3.0.0

## Document REST API with OpenAPI
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1798
2019-06-12T13:58:45Z
Clément OUDOT
The goal is to generate a REST documentation, like https://rest.fusiondirectory.org/
Sample YAML file: https://gitlab.fusiondirectory.org/fusiondirectory/fd-plugins/blob/1.4-dev/webservice/html/openapi.yaml
Milestone: 3.0.0

## Provide a status support for cachet
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1793
2019-11-21T17:23:06Z
Jean-François Vincent
### Summary
Provide cachet support to display the status of an instance.
### Design proposition
Cachet is a tool to display the status of components:
https://cachethq.io/
In the manager, add a page with the cachet URL to call.
Add a daemon to call cachet from the registered URL to push the current status if changed. Tool:
https://docs.cachethq.io/docs/component-statuses
Milestone: 3.0.0

## Add support for Piwik/Matomo
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1792
2019-11-21T17:24:57Z
Jean-François Vincent
### Summary
Add a page to allow registering a matomo server in the manager, and the supervision calls to matomo in the pages. It may allow supervising the user journey inside lemon, and getting data about where, when and who is using it.
### Design proposition
In the manager section, add a form with the matomo required fields:
- id
- url
to register the target matomo server.
Inside the web pages, add the calls to the configured matomo server.
Milestone: 3.0.0

## Share the banished hosts between instances
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1790
2019-06-07T15:10:53Z
Jean-François Vincent
### Summary
Share the banished host list as sessions between lemonldap instances. It will prevent issues if a reverse proxy behind the lemonldap instances is configured without session affinity.
### Design proposition
none
Milestone: Backlog

## Add a way to activate and display logs in the manager GUI
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1789
2019-11-21T17:32:02Z
Jean-François Vincent
### Summary
Add a way to change the log level of lemonldap and to display the log content in real time in the GUI.
### Design proposition
Somewhere in the manager GUI, add a section to manage logs with:
- a select widget to change the log level.
- a button to display another page with the content of the logs displayed in real time.
It's very frustrating to have to do it manually on distant hosts.
**Warning point:** it probably needs to be shared between instances in case of a multi-lemon architecture.
Milestone: Backlog

## Combination: merge Attributes from different UserDB-Sources
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1786
2019-11-21T11:28:33Z
Hermann Wehner
### Summary
When using "Combination" and chaining userdbs (e.g. [myDBI, myDBI and myLDAP]), attributes from myDBI are overwritten in LDAP's get_user function.
### Design proposition
Merging the sets of attributes should be a configurable option.
Milestone: 3.0.0
Assignee: Yadd

## Plugin to decrease authentication level after some time
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1784
2019-09-04T09:02:53Z
Yadd
### Summary
When enabled, this plugin will apply an authentication level policy. Example: after 30 min, SSL auth level (5) is decreased to login/password level (2).
### Design proposition
Add a plugin engine to purgeCentralCache
Milestone: In discussion
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Append a new plugin to display a custom message on portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1772
2024-03-27T10:38:36Z
Christophe Maudoux <chrmdx@gmail.com>
### Summary
A custom message could be displayed to authenticated or unauthenticated users.
Select background colour, set rules, set message to display, ...
Milestone: 2.20.0
Assignee: Maxime Besson

## Append option in Manager to enable/disable tabs with Choice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1768
2022-12-13T14:47:30Z
Christophe Maudoux <chrmdx@gmail.com>
### Summary
A choice with only two or three authentication modules could be displayed simultaneously rather than as 2 or 3 tabs.
Milestone: Backlog
Assignee: Clément OUDOT

## Add systemd scheduled tasks
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1760
2019-06-11T17:01:06Z
Yadd
### Summary
In some future distributions, cron/anacron will be replaced by systemd scheduled tasks.
Milestone: 3.0.0
Assignee: Yadd