lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Feed updated: 2023-12-14T16:18:02Z

## #3062 tidy / simplify nginx test application
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3062
Updated: 2023-12-14T16:18:02Z
Author: dcoutadeur

### Affected version
Version: %"2.18.0"
Platform: Nginx
### Summary
`etc/test-nginx.conf` configuration is quite complicated and could be improved.
Especially after integration of the https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3044 feature, there is a Lua script which must be loaded, but you must also uncomment the `header_filter_by_lua` block in `etc/test-nginx.conf`.
Maybe we could find a way to tidy this configuration, and have a more coherent structure.

## #3061 lwpOpts and lwpSslOpts parameters not used in REST session module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3061
Updated: 2024-03-27T10:48:59Z
Author: Clément OUDOT

When trying to use lwpOpts and lwpSslOpts for the REST session backend, I noticed that these parameters are not used.
If we want to set them, we need to add them in the globalStorageOptions HASH; the values defined in the global configuration are always ignored.
I think this is a bug and that the global parameters should be used.
Milestone: 2.19.0 / Assignee: Clément OUDOT

## #3059 sp: display rule doesn't work with saml federation / lazy loading
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3059
Updated: 2024-03-27T08:18:32Z
Author: Maxime Besson

When using SAML federations, it is no longer possible to use sp:confKey as a display rule because at the time the rule is evaluated, the SP is not always loaded.
We need a new syntax such as entityID:xxx + client_id:xxx
Milestone: 2.20.0 / Assignee: Maxime Besson

## #3056 Remove XML::Simple (again)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3056
Updated: 2024-03-27T08:18:27Z
Author: Maxime Besson

Same as #1491 but in 2.0 branch
Milestone: 2.20.0 / Assignee: Maxime Besson

## #3053 Special OIDC scope to get app grid
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3053
Updated: 2024-03-27T10:23:56Z
Author: Yadd

### Summary
Currently the app grid is available using `/myapplications`, only for connected users.
### Problem
When using OIDC and the `offline_access` scope, the relying party isn't able to get the `/myapplications` result.
### Proposition
Build a special OIDC scope _(or macro value?)_ to store the JSON result of the app grid calculation, which will then be available as long as the offline session exists.
Problem: it won't be refreshed.
Milestone: 2.20.0

## #3052 Handle USR1 signal to launch configuration reload
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3052
Updated: 2024-03-28T07:43:21Z
Author: Yadd

See !413
Milestone: 2.20.0 / Assignee: Yadd

## #3051 Add messaging broker support to share instantaneously events like logout or configuration update
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051
Updated: 2024-03-27T10:53:38Z
Author: Yadd

We can propose here a plugin system like the logger interface. Proposed plugin list:
* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)
Such a system can also provide a backend for a better "status" system.
Milestone: 2.20.0

## #3050 MFA protection of the portal impossible
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3050
Updated: 2023-12-01T12:08:28Z
Author: kevin reverchon

### Affected version
Version: 2.17.1-1
Platform: Apache 2.4.37-56
OS: Red Hat 8
### Summary
MFA protection of the portal does not work. The level upgrade screen is not offered. We stay on the login page with the message
"Votre session a expiré, vous devez vous ré-authentifier" ("Your session has expired, you must re-authenticate").
To reproduce the bug:
In the Virtual Host -> FQDN (of the portal) -> Options -> Required authentication level section, set the value to 3, 4 or 5.
Note that there is no problem when the authentication level 3, 4 or 5 is set for the Manager virtual host, a CAS resource or a SAML SP: the upgrade screen asking for the TOTP code is shown.
This concerns only the portal itself.
### Logs
```
Nov 30 14:49:35 mfa23-t-3 LLNG[736026]: [378774] - client=XXXX user=[undef] sessionID=[undef] mail=[undef] action=New request Lemonldap::NG::Portal::Main GET /
Nov 30 14:49:42 mfa23-t-3 LLNG[736026]: [385250] - client=XXXX user=[undef] sessionID=[undef] mail=[undef] action=New request Lemonldap::NG::Portal::Main POST /
Nov 30 14:49:42 mfa23-t-3 LLNG[736026]: [385713] - clientXXXX= user=krevercho sessionID=[undef] mail=[undef] action=[LocationDetect] Could not resolve city for IP XXXXX: Can't locate object method "city" via package "GeoIP2::Model::Country" at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Plugins/LocationDetect.pm line 113.
Nov 30 14:49:42 mfa23-t-3 LLNGUSER[736026]: [385871] - client= user=krevercho sessionID=f0a3d30cca8fee42179b64e1b3cd89ce7283a634e2c1fa6e3841ed6f7404216f mail=kevin.reverchon@univ-lyon2.fr action=User krevercho successfully authenticated at level 2
Nov 30 14:49:42 mfa23-t-3 LLNG[736026]: [385871] - client=XXXX user=krevercho sessionID=f0a3d30cca8fee42179b64e1b3cd89ce7283a634e2c1fa6e3841ed6f7404216f mail=kevin.reverchon@univ-lyon2.fr action=No notification found
Nov 30 14:49:42 mfa23-t-3 LLNGUSER[736026]: [385872] - client=XXXX user=krevercho sessionID=f0a3d30cca8fee42179b64e1b3cd89ce7283a634e2c1fa6e3841ed6f7404216f mail=kevin.reverchon@univ-lyon2.fr action=krevercho connected
Nov 30 14:49:42 mfa23-t-3 LLNG[736026]: [385903] - client=XXXX user=[undef] sessionID=[undef] mail=[undef] action=New request Lemonldap::NG::Portal::Main GET /
Nov 30 14:49:42 mfa23-t-3 LLNG[736026]: [385909] - client=XXX user=[undef] sessionID=[undef] mail=[undef] action=User rejected due to insufficient authentication level
Nov 30 14:49:42 mfa23-t-3 LLNG[736026]: [385909] - client=XXX user=[undef] sessionID=[undef] mail=[undef] action= -> Session upgrade enabled
```
### Backends used
All sessions are stored in a PostgreSQL database.
The configuration is stored in a PostgreSQL database.
Authentication backend: LDAP
User backend: LDAP
Template left at default: bwr
### Possible fixes
Milestone: In discussion / Assignee: Clément OUDOT

## #3049 Reset password with 2FA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3049
Updated: 2024-03-27T10:56:07Z
Author: Clément OUDOT

Requested feature: if a user has lost their password and has a 2FA, they could use the 2FA to reset their password.
To be discussed as we clearly lose security here: an attacker having the 2FA will be able to force the password, so it's like having only 1FA.
Maybe the idea would be to add 2FA on top of the current reset feature (mail)?
Milestone: 2.20.0

## #3048 Error in Notification DBI backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3048
Updated: 2024-03-27T10:53:14Z
Author: Clément OUDOT

On a production environment, we encounter this error:
```
DBD::Pg::st execute failed: aucune connexion au serveur at /usr/share/perl5/Lemonldap/NG/Common/Notifications/DBI.pm line 283.
```
The DB is up and running, so I suspect bad connection management in the Notification DBI module.
Not easy to reproduce.
Milestone: 2.19.0 / Assignee: Clément OUDOT

## #3047 Headers are sent twice in Traefik handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3047
Updated: 2023-11-19T20:42:39Z
Author: Daniel Berteaud

### Affected version
Version: 2.17.2
Platform: Traefik 3.0beta4
### Summary
When using the Traefik handler, headers configured in LL::NG are sent twice to the backend app. E.g., if I set Auth-User = $uid in LL::NG, the backend app will receive
```
Auth-User: dani
Auth-User: dani
```
While it's not a problem for most apps (that's why I didn't notice it earlier), at least Django-based apps are problematic as they join all the values separated with a comma (e.g., if I try to get the user from the Auth-User header, the login will be seen as "dani,dani" instead of "dani").
### Logs
Nothing particular in logs. We can see only one ```Send header 'Auth-User' with value 'dani'``` line per request.
### Backends used
Lemonldap::NG handler for Traefik running under uWSGI on AlmaLinux 9. Config and session backend is MariaDB.
### Possible fixes
The problem seems to lie in Lemonldap/NG/Handler/Server/Traefik.pm, in the handler sub. The current version is
```perl
sub handler {
my ( $self, $req ) = @_;
my @convertedHdrs = (
@{ $req->{respHeaders} },
'Content-Length' => 0,
Cookie => ( $req->env->{HTTP_COOKIE} // '' )
);
return [ 200, \@convertedHdrs, [] ];
}
```
Changing it like this (taken from the Nginx handler) fixes the issue
```perl
sub handler {
my ( $self, $req ) = @_;
my @convertedHdrs =
( 'Content-Length' => 0, Cookie => ( $req->env->{HTTP_COOKIE} // '' ) );
while ( my ( $k, $v ) = splice( @{ $req->{respHeaders} }, 0, 2 ) ) {
push @convertedHdrs, $k, $v;
}
return [ 200, \@convertedHdrs, [] ];
}
```
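As an added example (not LemonLDAP::NG code and not part of this report), the following script contrasts the two `handler` variants above: one copies `$req->{respHeaders}` into the response and leaves the list populated, the other consumes it with `splice()` as the Nginx handler does. The `downstream_append` step, the plain-hash request object and the header values are assumptions made to model the duplication the report describes; `as_seen_by_app` reproduces the comma-joining that a Django-style consumer applies to repeated header names.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: why copying $req->{respHeaders}
# into the response can emit a header twice, while consuming the list with
# splice() (as the Nginx handler does) emits it once. The "downstream"
# layer below is an assumption about where the second copy comes from.
use strict;
use warnings;

# Constructed stand-in for the handler request object. The real object has
# accessors; a plain hash is enough to show the header handling.
sub fake_req {
    return {
        respHeaders => [ 'Auth-User' => 'dani', 'Auth-Mail' => 'dani@example.org' ],
        env         => { HTTP_COOKIE => 'lemonldap=abc' },
    };
}

# Variant reported in the issue: the list is copied, so respHeaders stays full.
sub handler_copy {
    my ($req) = @_;
    my @hdrs = (
        @{ $req->{respHeaders} },
        'Content-Length' => 0,
        Cookie           => ( $req->{env}{HTTP_COOKIE} // '' ),
    );
    return [ 200, \@hdrs, [] ];
}

# Variant proposed in the issue: splice() empties respHeaders as it copies.
sub handler_consume {
    my ($req) = @_;
    my @hdrs = ( 'Content-Length' => 0, Cookie => ( $req->{env}{HTTP_COOKIE} // '' ) );
    while ( my ( $k, $v ) = splice( @{ $req->{respHeaders} }, 0, 2 ) ) {
        push @hdrs, $k, $v;
    }
    return [ 200, \@hdrs, [] ];
}

# Assumed later step that appends whatever is still in respHeaders. It models
# the duplication the issue describes; it is not the real code path.
sub downstream_append {
    my ( $req, $res ) = @_;
    push @{ $res->[1] }, @{ $req->{respHeaders} };
    return $res;
}

# What a Django-style consumer sees: repeated header names joined by commas.
sub as_seen_by_app {
    my ($res) = @_;
    my ( %values, @order );
    my @flat = @{ $res->[1] };    # copy, so the response is left untouched
    while ( my ( $k, $v ) = splice( @flat, 0, 2 ) ) {
        push @order, $k unless exists $values{$k};
        push @{ $values{$k} }, $v;
    }
    my %joined = map { $_ => join( ',', @{ $values{$_} } ) } @order;
    return \%joined;
}

for my $variant ( [ copy => \&handler_copy ], [ consume => \&handler_consume ] ) {
    my ( $name, $handler ) = @$variant;
    my $req  = fake_req();
    my $seen = as_seen_by_app( downstream_append( $req, $handler->($req) ) );
    printf "%-8s Auth-User=%s Auth-Mail=%s\n", $name, $seen->{'Auth-User'}, $seen->{'Auth-Mail'};
}
```

The copy variant leaves `respHeaders` intact, so any later consumer of that list emits every header a second time; the consume variant leaves it empty. Whichever fix is adopted, the handler's behaviour on repeated names is worth pinning with a test, because a backend that takes the first value will silently mask the bug while one that joins values (as Django does) will reject logins.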
But I'm not sure if it's the best way to fix it.

## #3042 Create a theme compatible with DSFR
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3042
Updated: 2023-11-15T16:26:22Z
Author: dcoutadeur

### Summary
The French ministry has made a standard for its websites : https://www.systeme-de-design.gouv.fr/
Maybe we could develop a LemonLDAP::NG theme compatible with this design:
- either by modifying the existing bootstrap theme, to make it compatible with DSFR integration
- or by creating a new theme

## #3040 Allow auto-detection of portal URL and domain
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3040
Updated: 2024-03-28T10:35:05Z
Author: Maxime Besson

One of my LLNG instances needs to be reached by internal and external users but on a different URL.
The portal uses $self->conf->{portal} and $self->conf->{domain} to get its own URL and cookie domain. But it doesn't work in this particular use case, because the portal and domain depend on `$req`.
This is similar to #933, but I think the fix proposed there no longer works since the migration to PSGI.
In the handler: it's probably not too difficult to do because every access to the portal URL goes through $class->tsv->portal. We just need to pass `$req` to it.
In the portal: we need to replace all calls to `$self->conf->{portal}` and `$self->conf->{domain}` with methods such as `getPortalUrl($req)` and `getDomain($req)`. This will require a lot of refactoring, but I think it's a good idea because users will no longer have to define the `portal` and `domain` configuration variables in most cases.
This is also a requirement of #2285
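The security caveat a request-derived portal URL brings is Host header injection: whatever `getPortalUrl($req)` returns ends up in redirects, password-reset links and `Set-Cookie` domains. As an added example (not LemonLDAP::NG code and not part of this issue), the sketch below derives the URL and cookie domain from the request but only for hosts the administrator has listed; anything else falls back to the static `portal` setting. The `portalAllowedHosts` key, the PSGI-style environment hash and the host names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: derive the portal URL and cookie
# domain from the incoming request instead of the static "portal"/"domain"
# settings, but only for hosts the administrator has listed. An unlisted or
# missing Host header falls back to the configured portal, so a forged Host
# cannot be reflected into redirects, reset links or Set-Cookie.
use strict;
use warnings;

# Assumed configuration keys. "portalAllowedHosts" is hypothetical and stands
# for whatever per-instance list such a feature would use.
my %conf = (
    portal             => 'https://auth.example.org/',
    domain             => 'example.org',
    portalAllowedHosts => {
        'auth.example.org'   => 'example.org',      # external users
        'auth.corp.internal' => 'corp.internal',    # internal users
    },
);

# Minimal request model: a PSGI-like env hash. Real LLNG requests wrap this.
sub request_host {
    my ($env) = @_;
    # X-Forwarded-Host is only meaningful behind a trusted reverse proxy;
    # when several values are present, the first is the client-facing one.
    my $h = $env->{HTTP_X_FORWARDED_HOST} // $env->{HTTP_HOST} // '';
    $h =~ s/,.*//;              # keep the first entry of a comma-separated list
    $h =~ s/^\s+|\s+$//g;
    $h =~ s/:\d+$//;            # drop an explicit port before the lookup
    return lc $h;
}

# Returns a request-specific portal URL only for an allow-listed host.
sub getPortalUrl {
    my ( $conf, $env ) = @_;
    my $host = request_host($env);
    return $conf->{portal}
        unless length $host && exists $conf->{portalAllowedHosts}{$host};
    my $proto  = $env->{HTTP_X_FORWARDED_PROTO} // $env->{'psgi.url_scheme'} // 'https';
    my $scheme = $proto eq 'http' ? 'http' : 'https';
    return "$scheme://$host/";
}

# Cookie domain paired with the allow-listed host, or the static default.
sub getDomain {
    my ( $conf, $env ) = @_;
    my $host = request_host($env);
    return $conf->{portalAllowedHosts}{$host} // $conf->{domain};
}

# Constructed requests: two legitimate hosts, a forged Host, and a forged
# X-Forwarded-Host that tries to hide behind a legitimate second value.
my @cases = (
    { HTTP_HOST => 'auth.corp.internal',   'psgi.url_scheme' => 'https' },
    { HTTP_HOST => 'auth.example.org:443', 'psgi.url_scheme' => 'https' },
    { HTTP_HOST => 'evil.example.net',     'psgi.url_scheme' => 'https' },
    { HTTP_X_FORWARDED_HOST => 'evil.example.net, auth.example.org' },
);
for my $env (@cases) {
    printf "%-40s -> %s (cookie domain %s)\n",
        $env->{HTTP_HOST} // $env->{HTTP_X_FORWARDED_HOST},
        getPortalUrl( \%conf, $env ), getDomain( \%conf, $env );
}
```

The allow-list is the important part: without it, auto-detection turns every place the portal URL is used into a reflection point for an attacker-controlled host. The same check must also be applied before `X-Forwarded-*` headers are honoured at all, since a portal reachable directly (not only through the proxy) would otherwise accept them from any client.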
If I can find sponsorship for this feature I might implement it in 2.19.
Milestone: 2.19.0 / Assignee: Maxime Besson

## #3039 Creating a new 2F plugin requires editing available2F / available2FSelfRegistration keys
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3039
Updated: 2024-03-27T08:18:22Z
Author: Clément OUDOT

I don't know if this is a real issue but at least the technical documentation must be updated.
Currently I follow instructions from:
```
perldoc Lemonldap::NG::Portal::Main::SecondFactor
```
The 2F module is not loaded at all because available2F must be modified. I don't find it very convenient because the default value of this parameter will change when we add a new core 2FA module in LL::NG.
Milestone: 2.20.0 / Assignee: Maxime Besson

## #3038 OKTA 2FA module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3038
Updated: 2024-03-19T12:02:04Z
Author: Clément OUDOT

This feature request is about a new 2FA module which will use the OKTA API: https://developer.okta.com/docs/reference/api/factors/
The use case:
* An organization is using LL::NG as main authentication portal
* For some power users, it chose to buy some OKTA accounts, including MFA
* The user will register their MFA on OKTA (mail, SMS, mobile app, ...)
* The user will authenticate on LL::NG portal and use OKTA MFA as second factor
This of course requires that the user's OKTA login is known by LL::NG, to request the correct MFA account.
Milestone: 2.19.0 / Assignee: Clément OUDOT

## #3035 FIDO2 / WebAuthn Passwordless
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3035
Updated: 2024-03-27T08:17:28Z
Author: Clément OUDOT

FIDO2 / WebAuthn is implemented in LemonLDAP::NG for 2FA. Another use case is to use FIDO2 / WebAuthn as the main authentication factor, to replace the login/password form. This is called "Passwordless".
To have this feature, we need to decide how the registration of the 2FA will be done (do we need to keep login/password for registration or is there another way for a user to enroll their device?) and how the association between the 2FA device and the user account will be done.
Milestone: 2.20.0 / Assignee: Maxime Besson

## #3034 Deletion of a 2FA in the middle of an authentication flow is not taken into account
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3034
Updated: 2023-11-02T13:19:30Z
Author: Maxime Besson

### Affected version
Version: 2.17.1
### Summary
* As user, register a 2FA
* As user, go to portal, login with your 1st factor, and choose your 2FA
* You are prompted to enter a code or complete the webauthn challenge, and you have $sfTimeout seconds to do it (can be several minutes)
* As an admin, delete the 2FA for this user
* As a user, complete the 2FA challenge successfully :x:
### Possible fixes
This is caused by the fact that `_2fDevices` is copied into the user's session, and stored in a OneTimeToken during the 2FA flow. Despite the 2FA being removed by the admin, it still exists in the OneTimeToken.
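The stale copy described above is a time-of-check/time-of-use gap: the device list is frozen when the challenge starts and consulted again only when it ends. As an added example (not LemonLDAP::NG code and not part of this issue), the script below shows the re-check at challenge completion: the token snapshot is used only to identify which device was selected, and the decision is taken against a freshly loaded device list. The shape assumed for `_2fDevices` (a JSON array of hashes carrying `type`, `name` and `epoch`), the in-memory persistent store and the user name are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: before accepting a completed 2FA
# challenge, reload the user's current device list and confirm that the
# device chosen at the start of the flow still exists. The stale copy carried
# in the one-time token is never trusted on its own.
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Assumed shape of _2fDevices: a JSON array of hashes, each with at least
# "type", "name" and "epoch" (registration time, used here as the identity
# key). Real LLNG records carry more fields; only these are used below.

# Constructed persistent store. In production this would be a lookup in the
# persistent session backend for the user; here it is an in-memory hash.
my %persistent = (
    krevercho => '[{"type":"TOTP","name":"phone","epoch":1700000000},'
               . '{"type":"WebAuthn","name":"yubikey","epoch":1700000500}]',
);

sub load_current_devices {
    my ($uid) = @_;
    return decode_json( $persistent{$uid} // '[]' );
}

# Simulates the admin removing a device while the challenge is pending.
sub admin_delete_device {
    my ( $uid, $type, $epoch ) = @_;
    my @kept = grep { !( $_->{type} eq $type && $_->{epoch} == $epoch ) }
        @{ load_current_devices($uid) };
    $persistent{$uid} = JSON::PP->new->canonical->encode( \@kept );
    return scalar @kept;
}

# The decision point. $token is the snapshot stored with the one-time token
# at challenge start; it is consulted only to know WHICH device was selected.
# Returns 1 if that device is still registered, 0 otherwise.
sub device_still_registered {
    my ( $uid, $token ) = @_;
    my $sel = $token->{selected} or return 0;
    for my $d ( @{ load_current_devices($uid) } ) {
        return 1
            if $d->{type} eq $sel->{type}
            && $d->{epoch} == $sel->{epoch};
    }
    return 0;
}

# Flow from the issue: user picks TOTP, admin deletes it, user finishes.
my $token = {
    selected   => { type => 'TOTP', epoch => 1700000000 },
    _2fDevices => load_current_devices('krevercho'),    # stale copy, as in the issue
};
printf "before deletion: %s\n",
    device_still_registered( 'krevercho', $token ) ? 'accept' : 'reject';
admin_delete_device( 'krevercho', 'TOTP', 1700000000 );
printf "after deletion:  %s\n",
    device_still_registered( 'krevercho', $token ) ? 'accept' : 'reject';
# $token->{_2fDevices} still lists the TOTP device, but the check rejects it.
```

Matching on `type` plus `epoch` rather than on array index matters here: if the admin deletes one device and the user had selected another, index-based matching could accept a different device than the one the user proved possession of. Rejecting when the user has no devices left at all is also the right call, since the first factor alone does not reach the level the session was being upgraded to.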
I think we should update the `_2fDevices` array when the 2FA challenge is completed to make sure the selected device still exists.
Milestone: In discussion / Assignee: Maxime Besson

## #3030 Implement ANSSI recommendations for securing the implementation of the Openid-Connect protocol
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3030
Updated: 2024-03-16T11:40:53Z
Author: Yadd

Ref: [Recommendations for securing the implementation of the Openid-Connect protocol _(fr)_](https://cyber.gouv.fr/publications/recommandations-pour-la-securisation-de-la-mise-en-oeuvre-du-protocole-openid-connect)
> Most of the items are included in %2.18.0 except if mentioned below.
## Items related to LLNG
### [LLNG as OIDC Relying Party](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm):
* [X] Already implemented and enabled
  * [X] Always send `state` _(R10)_
  * [X] Randomly generate `state` and `nonce` _(R11, R15)_
  * [X] Verify `state` _(R22)_
  * [X] Verify `id_token` _(R26, R28)_
  * [X] Check that the `/userinfo` response and `id_token` have the same `sub`
  * [X] [Doc about items to check](!430)
  * [X] `oidcOPMetaDataOptionsUseNonce` required _(R14)_
  * [X] Disable `HS*` algorithms _(to work around the "distinct client_secret" R27 recommendation + R39)_
  * `/token` calls:
    * [x] [implement JWS authentication](#3031) _(level+)_
  * `code` requests:
    * [X] Implement optional [Passing Request Parameters as JWTs](#3073) during `code` request _(R8 and R8+)_ - release %2.19.0
### [LLNG as OIDC Provider](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm):
* [X] Already implemented and enabled
  * [X] randomly generate `code` _(R18)_
  * [X] randomly generate `access_token` _(R24)_
  * [X] associate `access_token` with RP _(R20)_
  * [X] disable `code` after `/token` call _(R30)_
  * [X] don't write `access_token` in logs _(R32)_
  * [X] limit `access_token` TTL _(R33)_
  * [X] Use session cookie
  * [X] [Doc about items to check](!430)
  * [X] hybrid and implicit flows must be disabled _(R1)_
  * [X] disable `HS*` algorithms _(to work around the "distinct client_secret" R27 recommendation + R39)_ _**[Restrict]**_
  * [X] disable automatic enrollment _(R49)_
  * [X] limit `access_token` validity in endpoints to a short time _(R19)_
  * [X] reject open redirections _(R17)_
  * `code` request:
    * [x] [support JWS authentication](!397) _(R8, R8+)_
    * [x] [accept only one mode per RP](!397) _(R9)_ _**[Restrict]**_
    * [X] accept JWT _(R8 and R8+)_
      * [X] [require it](!427) _**[Out]**_ - release %2.19.0
    * [X] [require `state` and `nonce`](!428) _(R12, R16)_ _**[Restrict]**_ - release %"2.19.0"
  * `/token` calls:
    * [x] [implement JWS authentication](#3031) _(level+)_
      * [X] [require it](!397) _**[Out]**_
  * `/userinfo` calls:
    * [X] [authentication using access_token only inside `Authorization: Bearer` header](!429) _(R31)_ _**[Restrict]**_ - release %2.19.0
* [ ] ToDo:
  * Auto-discover:
    * [ ] Disable `/.well-known/openid-configuration` _(R48, given by hand, but then give a way to download the document using the manager)_ _**[Out]**_
  * `code` requests:
    * [ ] [store `code` and `access_token` using hash](!462) _(R21, R25)_ - release %"2.19.0"
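Several of the provider-side items above concern the lifecycle of one artefact, the authorization `code`: it must be random (R18), bound to the RP that requested it (R20), stored only as a hash so a dumped session database does not yield usable codes (R21, the open ToDo), and destroyed on the first `/token` exchange (R30). As an added example (not LemonLDAP::NG code and not the project's implementation of these items), the script below is a minimal code store that satisfies all four at once. The in-memory `%store`, the client and user names and the 60-second lifetime are assumptions made for the example; reading `/dev/urandom` directly stands in for whatever CSPRNG the real code uses.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: an authorization-code store that
# keeps only a SHA-256 digest of each code (R21), generates codes randomly
# (R18), binds them to the requesting client and redirect_uri (R20) and
# destroys them on first use (R30). %store stands in for the session backend.
use strict;
use warnings;
use Digest::SHA  qw(sha256_hex);
use MIME::Base64 qw(encode_base64url);

my %store;    # digest => { client_id, redirect_uri, sub, nonce, expires }

sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read( $fh, my $buf, $n ) == $n or die 'short read';
    close $fh;
    return $buf;
}

# Issued at /authorize: the RP receives the plaintext code, the store only
# its digest, so a leaked store cannot be replayed against /token.
sub issue_code {
    my (%p) = @_;
    my $code = encode_base64url( random_bytes(32) );    # 256 bits of entropy
    $store{ sha256_hex($code) } = {
        client_id    => $p{client_id},
        redirect_uri => $p{redirect_uri},
        'sub'        => $p{'sub'},
        nonce        => $p{nonce},
        expires      => time + 60,    # codes are short-lived (R19 spirit)
    };
    return $code;
}

# Called from /token. Returns the bound claims on success, undef otherwise.
# The entry is deleted before any check, so a code presented once (by the
# right or the wrong client) can never be presented again.
sub redeem_code {
    my ( $code, $client_id, $redirect_uri ) = @_;
    my $entry = delete $store{ sha256_hex( $code // '' ) } or return undef;
    return undef if $entry->{expires} < time;
    return undef unless $entry->{client_id} eq $client_id;          # R20
    return undef unless $entry->{redirect_uri} eq $redirect_uri;    # same binding
    return { 'sub' => $entry->{'sub'}, nonce => $entry->{nonce} };
}

# Shows that the plaintext never appears as a key in the store.
sub store_has_plaintext {
    my ($code) = @_;
    return exists $store{$code} ? 1 : 0;
}

my $cb   = 'https://rp1.example.org/cb';
my $code = issue_code( client_id => 'rp1', redirect_uri => $cb,
                       'sub' => 'krevercho', nonce => 'n-0S6_WzA2Mj' );
printf "plaintext code in store: %d\n", store_has_plaintext($code);
printf "first exchange by rp1:   %s\n", redeem_code( $code, 'rp1', $cb ) ? 'accepted' : 'rejected';
printf "replay by rp1:           %s\n", redeem_code( $code, 'rp1', $cb ) ? 'accepted' : 'rejected';

my $code2 = issue_code( client_id => 'rp1', redirect_uri => $cb,
                        'sub' => 'krevercho', nonce => 'x' );
printf "exchange by rp2:         %s\n", redeem_code( $code2, 'rp2', $cb ) ? 'accepted' : 'rejected';
printf "rp1 after rp2's attempt: %s\n", redeem_code( $code2, 'rp1', $cb ) ? 'accepted' : 'rejected';
```

Deleting the entry before the client check is deliberate and slightly stricter than RFC 6749, which only requires denying a reused code: a code that was ever presented by the wrong client is treated as compromised and is not honoured for the legitimate one either. The same hash-at-rest pattern applies to `access_token` (R25): hash the bearer value on the way in and look up the digest, never the plaintext.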
----
Notes:
* _**[Restrict]**: Restrict the OpenID-Connect spec, may break some clients_
* _**[Out]**: out of OpenID-Connect spec, will break a lot of clients_
Milestone: 2.19.0 / Assignee: Yadd

## #3023 Allow mixed CAS protection mode
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3023
Updated: 2024-03-27T10:56:20Z
Author: Clément OUDOT

Currently we can either open the CAS issuer so any CAS client can use the LL::NG portal without being declared in configuration, or require that every CAS client is defined in configuration, and apply access rules and check authentication levels.
We could provide a mixed mode:
* Apply access rule for CAS applications defined in configuration
* Allow all other CAS applications if they are not in configuration
The goal is to enforce access control or a minimum authentication level on a few CAS applications, without being forced to register all existing CAS applications in the LL::NG configuration.
Milestone: 2.20.0

## #3021 Plugin Register does not work with Combination
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3021
Updated: 2023-10-03T14:09:38Z
Author: dcoutadeur

### Affected version
Version: %2.17.1
Platform: Any
### Summary
Multiple bugs are encountered while trying to use the Register plugin with Combination.
- Authentication: Combination
- UserDB : Same
- Register : LDAP
- Combination: [MySlave, MyLDAP] or [MyLDAP, MyLDAP]
### Logs
```
mod_fcgid: stderr: Can't use an undefined value as an ARRAY reference at /usr/share/perl5/Lemonldap/NG/Portal/Auth/Combination.pm line 216.
```
When fixing this bug, I encountered another one:
```
[notice] Combination (Lemonldap::NG::Portal::Lib::LDAP): user@domain.com was not found in LDAP directory (1.2.3.4)
[debug] [notice] Combination (Lemonldap::NG::Portal::Lib::LDAP): user@domain.com was not found in LDAP directory (1.2.3.4)
[debug] Can't locate object method "setSecurity" via package "Lemonldap::NG::Portal::Auth::Slave" at /usr/share/perl5/Lemonldap/NG/Common/Combination/Parser.pm line 144.
[info] Scheme "MyLDAP" returned 5, trying next
[error] Register: refuse mail user@domain.com because already exists in UserDB
[debug] [error] Register: refuse mail user@domain.com because already exists in UserDB
```
### Backends used
configuration : file
sessions : file
### Possible fixes
Lemonldap/NG/Portal/Auth/Combination.pm
```perl
sub getStack {
    ...
    # $req->steps can be undefined here; dereferencing it unconditionally
    # is what raises "Can't use an undefined value as an ARRAY reference".
    if ( $req->steps ) {
        @{ $req->data->{combinationSteps} } = ( @steps, @{ $req->steps } );
    }
    else {
        @{ $req->data->{combinationSteps} } = (@steps);
    }
```