# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (last updated 2024-01-17T09:54:11Z)

## #3084 JWT shouldn't have a "kid" when using symmetric sign algorithm
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3084
Opened by Jérémie Pierson; updated 2024-01-17T09:54:11Z

### Affected version
Version: 2.18.1
Platform: Nginx
### Summary
When using HS256 (or 384 | 512) as ID Token signature algorithm in an OpenID Connect Relying Party, a "kid" property is added even though no asymmetric key will be used. This confuses Apache mod-auth-openidc (latest version in Debian), which fails to verify the signature and rejects the token.
Note: this manifests only because we do have RSA signing keys with a "kid" configured in the OpenID Connect Service.
### Possible fixes
I tried to remove the following three lines in Portal/Lib/OpenIDConnect.pm:
```
--- Portal/Lib/OpenIDConnect.pm.ori 2024-01-15 14:56:20.675925536 +0100
+++ Portal/Lib/OpenIDConnect.pm 2024-01-15 14:52:27.247075049 +0100
@@ -2267,9 +2267,6 @@
encode_jwt(
payload => to_json($payload),
alg => $alg,
- extra_headers => {
- kid => $self->conf->{oidcServiceKeyIdSig},
- },
@keyArg,
);
};
```
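Review bot: dropping `extra_headers => { kid => $self->conf->{oidcServiceKeyIdSig} }` for every algorithm reintroduces the regression tracked in #3066, where RS-signed ID tokens lost their kid and applications that require one rejected them; the removal should be conditional on `$alg`, keeping the kid when the token is signed with the RSA key (the key the kid actually names) and omitting it only for HS256/HS384/HS512, where no key in the published JWKS corresponds to it.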
and it does seem to fix this problem (tested only with HS256 and RS256).
May be related to commit 7a407da7d8cb642fd5b5ec24fa35d5c38aab5e24; seems like a previous issue #3066 was fixed two times in parallel :-)
Milestone: 2.18.2. Assignee: Maxime Besson.

## #3081 oidcDropCspHeaders shouldn't drop CORS headers
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3081
Opened by Yadd; updated 2024-01-17T09:51:29Z

When using this option, if the relying party is inside a web app, Chromium refuses to download the OIDC metadata because of the lack of CORS headers.
Fixed by !432
Milestone: 2.18.2. Assignee: Yadd.

## #3085 Lemonldap-NG-Manager: Test suite fails with bleadperl (perl 5.39.x)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3085
Opened by Clément OUDOT; updated 2024-01-17T09:48:54Z

See RT https://rt.cpan.org/Public/Bug/Display.html?id=150959
Milestone: 2.18.2. Assignee: Yadd.

## #3079 UserDB::OpenIDConnect doesn't handle arrays of values
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3079
Opened by Maxime Besson; updated 2024-01-17T08:26:28Z

### Affected version
Version: 2.18.1
### Summary
* Configure an OIDC OP to send multi-valued claims
* Configure that claim as an exported attribute in LLNG
* Exported attribute is stored as an arrayref
### Logs
```
[debug] Store ARRAY(0x6390dd0) in session key groups
```
Milestone: 2.19.0. Assignee: Maxime Besson.

## #3083 OIDC Special-scope hook system
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3083
Opened by Yadd; updated 2024-01-17T03:58:50Z

### Summary
The idea is to provide a plugin system to be able to add special scopes in the OIDC flow (scopes not related to the user's attributes).
### Design proposition
Special plugin keyword
Milestone: In discussion. Assignee: Yadd.

## #3066 "kid" missing from emitted JWT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3066
Opened by Maxime Besson; updated 2024-01-15T14:27:31Z

Following the migration to Crypt::JWT, ID tokens no longer contain a "kid".
Some applications require them, even if we expose only one key, so this has to be considered as a regression.
Milestone: 2.18.1. Assignee: Maxime Besson.

## #2960 Add option to drop CSP headers from OIDC response
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2960
Opened by Yadd; updated 2024-01-09T07:48:44Z

### Summary
Most mobile apps that use OIDC delegate authentication to the browser. Then the redirect list may contain "app.name://" URIs.
A bug in Safari doesn't allow such URIs in CSP headers. So this feature allows one to drop CSP headers from OIDC responses (at least authorization responses).
Milestone: 2.17.0. Assignee: Yadd.

## #3073 [OIDC] Implement optional "Passing Request Parameters as JWTs"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3073
Opened by Yadd; updated 2024-01-03T03:56:43Z

See [OIDC Core - JWTRequests](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests)
Already implemented on the OP side, missing in the RP.
Needed by #3030
Milestone: 2.19.0. Assignee: Yadd.

## #3072 Authen WebAuthn package not available on CentOS 7
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3072
Opened by Clément OUDOT; updated 2023-12-22T23:22:15Z

When installing 2.18 on CentOS 7:
```
Resolving Dependencies
--> Running transaction check
---> Package lemonldap-ng.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-conf.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-conf.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-doc.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-doc.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-fastcgi-server.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-fastcgi-server.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-handler.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-handler.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-manager.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-manager.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-nginx.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-nginx.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-portal.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-portal.noarch 0:2.18.0-1.el7 will be an update
--> Processing Dependency: perl(Authen::WebAuthn) for package: lemonldap-ng-portal-2.18.0-1.el7.noarch
---> Package lemonldap-ng-selinux.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-selinux.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-test.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-test.noarch 0:2.18.0-1.el7 will be an update
---> Package lemonldap-ng-uwsgi-app.noarch 0:2.17.2-1.el7 will be updated
---> Package lemonldap-ng-uwsgi-app.noarch 0:2.18.0-1.el7 will be an update
---> Package perl-Lemonldap-NG-Common.noarch 0:2.17.2-1.el7 will be updated
---> Package perl-Lemonldap-NG-Common.noarch 0:2.18.0-1.el7 will be an update
---> Package perl-Lemonldap-NG-Handler.noarch 0:2.17.2-1.el7 will be updated
---> Package perl-Lemonldap-NG-Handler.noarch 0:2.18.0-1.el7 will be an update
---> Package perl-Lemonldap-NG-Manager.noarch 0:2.17.2-1.el7 will be updated
---> Package perl-Lemonldap-NG-Manager.noarch 0:2.18.0-1.el7 will be an update
---> Package perl-Lemonldap-NG-Portal.noarch 0:2.17.2-1.el7 will be updated
---> Package perl-Lemonldap-NG-Portal.noarch 0:2.18.0-1.el7 will be an update
---> Package perl-Lemonldap-NG-SSOaaS-Apache-Client.noarch 0:2.17.2-1.el7 will be updated
---> Package perl-Lemonldap-NG-SSOaaS-Apache-Client.noarch 0:2.18.0-1.el7 will be an update
--> Finished Dependency Resolution
Error: Package: lemonldap-ng-portal-2.18.0-1.el7.noarch (lemonldap-ng)
           Requires: perl(Authen::WebAuthn)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest
```
We should remove Authen::WebAuthn from requires for EL7.
Milestone: 2.18.1.

## #3068 Regression in configuration reload
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3068
Opened by Maxime Besson; updated 2023-12-22T22:56:15Z

I am able to reproduce a rather strange regression caused by ec8b3e30e9f38900addf96c7033d4c7d99f0d9f7
* Only when one of my vhosts uses logout_app_sso
* A config change in the manager is not immediately applied on the portal (checkConf=1 in llng.ini)
* Config changes in the CLI are immediately applied
Low priority but annoying.
Milestone: 2.18.1. Assignee: Maxime Besson.

## #3069 portal debian package needs libdigest-hmac-perl
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3069
Opened by Christophe BOYANIQUE; updated 2023-12-22T15:43:11Z

### Affected version
Version: 2.18.0
Platform: (Apache)
### Summary
Upgraded LemonLDAP on several servers (Debian 10 and Debian 12); portal page loading fails.
### Logs
```
[Fri Dec 22 15:21:41.031631 2023] [fcgid:warn] [pid 31331] [client xx.xx.xx.xx:58113] mod_fcgid: stderr: Can't locate object method "token" via package "Lemonldap::NG::Common::PSGI::Request" at /usr/share/perl5/Lemonldap/NG/Portal/Main/Run.pm line 1263., referer: https://sso-portal.xx.fr/
Dec 22 15:31:50 xxxx LLNG[31975]: [error] Lemonldap::NG::Portal::Plugins::TrustedBrowser load error: Could not load class (Lemonldap::NG::Common::TOTP) because : Can't locate Digest/HMAC_SHA1.pm in @INC (you may need to install the Digest::HMAC_SHA1 module)
```
### Possible fixes
Resolved after installing libdigest-hmac-perl. Should it be added as a dependency?
Assignee: Clément OUDOT.

## #3064 Missing dependencies when updating Debian packages
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3064
Opened by Clément OUDOT; updated 2023-12-22T15:42:57Z

When updating to 2.18, LL::NG was not starting because of missing dependencies linked to TrustedBrowser code:
* libconvert-base32-perl
* libdigest-hmac-perl
* libcrypt-jwt-perl
They should be mandatory to avoid problems.
Milestone: 2.18.1. Assignee: Yadd.

## #3067 Error when verifying signature when OP uses more than one key and kid missing in ID Token
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3067
Opened by Maxime Besson; updated 2023-12-21T17:42:23Z

cf #3065
This is not permitted in OIDC but we might want to support it for some applications / older LLNG releases.
MR !423
Milestone: 2.18.1. Assignee: Yadd.

## #3065 Error when verifying signature when OP uses more than one key and kid provided in ID Token
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3065
Opened by Clément OUDOT; updated 2023-12-21T15:23:39Z

After updating to 2.18, JWTs issued by Google are not valid anymore:
```
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] Verification of JWT signature: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDcwNjUyMzUyNTQxNzY4MTM4NDMiLCJlbWFpbCI6ImNsZW0ub3Vkb3RAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJ4VFdOY0w1TXdUandZWjk0SGtWMmpnIiwibm9uY2UiOiJUUHNLUTBiWFFCUlVjRHZmS2h6WUlBIiwibmFtZSI6IkNsw6ltZW50IE9VRE9UIiwicGljdHVyZSI6Imh0dHBzOi8vbGgzLmdvb2dsZXVzZXJjb250ZW50LmNvbS9hL0FDZzhvY0o5bjVRdG00dFd5MUJaOWtMOTBFTmxaYkdMZlBnemJYanpnemZMdGxIRGNDUT1zOTYtYyIsImdpdmVuX25hbWUiOiJDbMOpbWVudCIsImZhbWlseV9uYW1lIjoiT1VET1QiLCJsb2NhbGUiOiJmciIsImlhdCI6MTcwMzEwOTExNSwiZXhwIjoxNzAzMTEyNzE1fQ.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] JWT signature algorithm: RS256
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Unable to verify JWT: JWS: invalid signature at /usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm line 1524.
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Jwt was: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDcwNjUyMzUyNTQxNzY4MTM4NDMiLCJlbWFpbCI6ImNsZW0ub3Vkb3RAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJ4VFdOY0w1TXdUandZWjk0SGtWMmpnIiwibm9uY2UiOiJUUHNLUTBiWFFCUlVjRHZmS2h6WUlBIiwibmFtZSI6IkNsw6ltZW50IE9VRE9UIiwicGljdHVyZSI6Imh0dHBzOi8vbGgzLmdvb2dsZXVzZXJjb250ZW50LmNvbS9hL0FDZzhvY0o5bjVRdG00dFd5MUJaOWtMOTBFTmxaYkdMZlBnemJYanpnemZMdGxIRGNDUT1zOTYtYyIsImdpdmVuX25hbWUiOiJDbMOpbWVudCIsImZhbWlseV9uYW1lIjoiT1VET1QiLCJsb2NhbGUiOiJmciIsImlhdCI6MTcwMzEwOTExNSwiZXhwIjoxNzAzMTEyNzE1fQ.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] JWT signature verification failed
```
But the JWT is valid: https://oauth2.googleapis.com/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiI3MzIwNzIwNzQ5MDAtZHZ1aDZiZ2s5bjhzNjUwYzN1bzY1ZmUwa3FyOTloMGMuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDcwNjUyMzUyNTQxNzY4MTM4NDMiLCJlbWFpbCI6ImNsZW0ub3Vkb3RAZ21haWwuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsImF0X2hhc2giOiJ4VFdOY0w1TXdUandZWjk0SGtWMmpnIiwibm9uY2UiOiJUUHNLUTBiWFFCUlVjRHZmS2h6WUlBIiwibmFtZSI6IkNsw6ltZW50IE9VRE9UIiwicGljdHVyZSI6Imh0dHBzOi8vbGgzLmdvb2dsZXVzZXJjb250ZW50LmNvbS9hL0FDZzhvY0o5bjVRdG00dFd5MUJaOWtMOTBFTmxaYkdMZlBnemJYanpnemZMdGxIRGNDUT1zOTYtYyIsImdpdmVuX25hbWUiOiJDbMOpbWVudCIsImZhbWlseV9uYW1lIjoiT1VET1QiLCJsb2NhbGUiOiJmciIsImlhdCI6MTcwMzEwOTExNSwiZXhwIjoxNzAzMTEyNzE1fQ.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
So there should be a problem on the LL::NG side but I don't see what.
Milestone: 2.18.1. Assignee: Yadd.
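The kid handling in #3084 and #3066 (issuing side) and in #3067 and #3065 (verifying side) comes down to one rule for the relying party: the algorithm decides the key type, and a kid only disambiguates among keys of that type. The Python below is an added example written for this page, not LemonLDAP::NG code (the project is Perl and uses Crypt::JWT). It signs and verifies HS* tokens with the standard library only; for RS*/ES* it performs just the key selection step, since RSA/EC verification needs a crypto library. The JWKS (placeholder moduli), the client secret and the kid values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed JWKS standing in for an OP's published keys (two RSA keys, as in
# the Google case of #3065). "n" values are placeholders; no RSA maths is done here.
JWKS = [
    {"kty": "RSA", "kid": "sig-2023", "alg": "RS256", "use": "sig", "n": "placeholder", "e": "AQAB"},
    {"kty": "RSA", "kid": "sig-2024", "alg": "RS256", "use": "sig", "n": "placeholder", "e": "AQAB"},
]

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
KTY_FOR_FAMILY = {"RS": "RSA", "PS": "RSA", "ES": "EC"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs_sign(payload: dict, client_secret: bytes, alg: str = "HS256", kid=None) -> str:
    """OP side. A kid is only written when the caller insists; writing one for an
    HS* token is what 2.18.1 did (#3084) and is kept here so the RP's reaction can be shown."""
    header = {"alg": alg, "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    mac = hmac.new(client_secret, signing_input.encode("ascii"), HS_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def select_key(header: dict, jwks: list, client_secret: bytes):
    """RP side: the key allowed to verify this header, or ValueError."""
    alg = header.get("alg", "")
    kid = header.get("kid")
    if alg in HS_ALGS:
        # Symmetric: the only valid key is the client secret, never a JWKS entry.
        # A kid naming a published asymmetric key is the mismatch that made
        # mod_auth_openidc reject the token in #3084: refuse rather than guess.
        if kid is not None and any(k.get("kid") == kid for k in jwks):
            raise ValueError(f"HS token carries kid {kid!r}, which names an asymmetric JWKS key")
        return client_secret
    kty = KTY_FOR_FAMILY.get(alg[:2])
    if kty is None:
        raise ValueError(f"unsupported or unsigned alg {alg!r}")  # also rejects "none"
    candidates = [k for k in jwks if k.get("kty") == kty]
    if kid is None:
        # OIDC Core 10.1: kid MUST be present when the JWKS holds several keys.
        # Accepting a kid-less token against a single key is the #3067 compatibility case.
        if len(candidates) != 1:
            raise ValueError(f"no kid in header and {len(candidates)} {kty} keys in JWKS")
        return candidates[0]
    matches = [k for k in candidates if k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError(f"kid {kid!r} does not name exactly one {kty} key")
    return matches[0]


def verify_hs(token: str, jwks: list, client_secret: bytes) -> dict:
    """End-to-end verification for HS* tokens; returns the payload or raises ValueError."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        raise ValueError("malformed compact JWS")
    key = select_key(header, jwks, client_secret)
    if header["alg"] not in HS_ALGS:
        raise ValueError(f"verify_hs only handles HS*; selected JWK was {key.get('kid')!r}")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), HS_ALGS[header["alg"]]).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("JWS: invalid signature")
    return payload


if __name__ == "__main__":
    secret = b"constructed-client-secret"
    print(verify_hs(hs_sign({"sub": "alice"}, secret), JWKS, secret))
    try:
        verify_hs(hs_sign({"sub": "alice"}, secret, kid="sig-2024"), JWKS, secret)
    except ValueError as err:
        print("rejected:", err)
```

`hs_sign(..., kid="sig-2024")` reproduces the 2.18.1 output from #3084 and `verify_hs` refuses it for the reason mod_auth_openidc did, while the same token without a kid verifies. A kid-less RS256 header against the two-key JWKS is the #3067 situation and is rejected because the kid is mandatory there; against a single candidate key it is accepted.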
## #2980 [security:low] LLNG admins can disable Safe jail and run commands on the server
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2980
Opened by Maxime Besson; updated 2023-12-20T13:06:32Z

With the Safe jail turned off, it is possible to run commands on the servers by abusing Perl backticks:
![image](/uploads/5f38554fa55a87f6c42a4e066b0ef87a/image.png)
![image](/uploads/af977ce285da5633f5fdbc38883f0b0d/image.png)
Using this, an admin who only has access to the manager can gain shell access to the server (as the apache user, but still).
If the Safe jail (which prevents this) is on, the rogue admin can disable it easily from the manager.
It would be nice to make this feature impossible to disable in the manager, to make sure an SSO admin cannot exploit this vulnerability. A simple way to do that is to set useSafeJail=1 in lemonldap-ng.ini, but it's not done by default.
We should at least do that, and maybe remove the setting from the manager completely too?
Milestone: 2.18.0. Assignee: Christophe Maudoux.
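To show why #2980 wants the jail switch out of the manager's reach, here is a Python sketch of the same class of protection, added for this page; LemonLDAP::NG evaluates rules in Perl with the Safe module, and none of this is project code. The unjailed evaluator hands the rule string to eval, so whoever writes the rule gets arbitrary code execution, the Python counterpart of the backticks in the screenshots. The jailed one parses the rule first and only accepts boolean logic, comparisons, literals and session variable names. The dispatcher reads useSafeJail from a dict standing in for lemonldap-ng.ini before the one standing in for the manager-edited configuration, modelling the override the issue relies on; the session contents are constructed and the dict names are assumptions.

```python
import ast

# Constructed session: the variables an access rule may look at
SESSION = {"uid": "alice", "groups": "admins; staff", "authenticationLevel": 2}

# Stand-ins (assumption) for lemonldap-ng.ini, which needs shell access to edit,
# and for the central configuration, which a manager admin can edit.
LOCAL_INI = {"useSafeJail": 1}
CENTRAL_CONF = {"useSafeJail": 0}   # what a rogue admin can set from the manager


def eval_rule_unjailed(rule: str, session: dict) -> bool:
    """The dangerous path: the rule is full Python, builtins included, so a rule
    like __import__('os').system(...) runs with the web server's privileges."""
    return bool(eval(rule, {}, dict(session)))


# Everything a rule legitimately needs: and/or/not, comparisons, membership,
# literals, and names resolved from the session. No Call, Attribute, Subscript...
ALLOWED = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn, ast.Name, ast.Load, ast.Constant,
)


def eval_rule_jailed(rule: str, session: dict) -> bool:
    """The jailed path: parse, refuse any node outside the whitelist, refuse names
    that are not session variables, then evaluate with an empty builtins table."""
    tree = ast.parse(rule, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError(f"rule rejected: {type(node).__name__} not allowed")
        if isinstance(node, ast.Name) and node.id not in session:
            raise ValueError(f"rule rejected: unknown session variable {node.id!r}")
    return bool(eval(compile(tree, "<rule>", "eval"), {"__builtins__": {}}, dict(session)))


def evaluate_rule(rule: str, session: dict, local_ini: dict, central_conf: dict) -> bool:
    """Dispatch as the issue recommends: the local ini value wins over the
    manager-editable one, so the jail cannot be switched off from the manager."""
    use_safe_jail = local_ini.get("useSafeJail", central_conf.get("useSafeJail", 1))
    if int(use_safe_jail):
        return eval_rule_jailed(rule, session)
    return eval_rule_unjailed(rule, session)


if __name__ == "__main__":
    print(evaluate_rule("'admins' in groups and authenticationLevel >= 2", SESSION, LOCAL_INI, CENTRAL_CONF))
    try:
        evaluate_rule("__import__('os').system('id') or True", SESSION, LOCAL_INI, CENTRAL_CONF)
    except ValueError as err:
        print(err)
```

With `LOCAL_INI` emptied, `CENTRAL_CONF` decides and the same call runs the command; that is the configuration state the issue describes as the default.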
## #2490 Possibility to remember second factor / 2FA on a device, to avoid entering it at each authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2490
Opened by Clément OUDOT; updated 2023-12-20T11:13:08Z

The goal is to remember that the user already connected with a 2FA on a device, which becomes a "trusted device", and 2FA is not requested anymore.
This could be a permanent/long-lifetime cookie with a ciphered value that will be checked by the portal to validate the second factor step. The portal should check that the cookie is valid for the connected user.
Code from the StayConnected plugin could be reused here.
This may imply a new portal menu to allow a user to revoke a trusted device.
Milestone: 2.18.0. Assignee: Maxime Besson.
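The cookie described in #2490, as an added example that is not the StayConnected or TrustedBrowser plugin code: a long-lived value the portal can check offline, bound to the user it was minted for, with an expiry and a device identifier that a revocation menu can list. The issue speaks of a ciphered value; this version uses an HMAC-protected value instead, since the user-binding, expiry and revocation checks only need integrity (encrypt as well if the device id must stay opaque to the browser). The server key, the TTL and the claim names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trusted_device(user: str, server_key: bytes, now: int, ttl_days: int = 30):
    """Mint the cookie value once the user has passed 2FA on this browser.
    Returns (cookie_value, device_id); device_id is what a revocation menu lists."""
    device_id = secrets.token_urlsafe(16)
    claims = {"u": user, "d": device_id, "iat": now, "exp": now + ttl_days * 86400}
    body = b64url_encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(server_key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64url_encode(mac), device_id


def check_trusted_device(cookie: str, current_user: str, server_key: bytes, now: int, revoked) -> bool:
    """May the 2FA step be skipped? Every condition must hold: intact MAC, claims
    issued for *this* user (the check #2490 insists on, so a cookie copied from
    another account buys nothing), not expired, not revoked from the menu."""
    try:
        body, sig = cookie.split(".")
        expected = hmac.new(server_key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False
        claims = json.loads(b64url_decode(body))
    except ValueError:          # wrong shape, bad base64, bad JSON
        return False
    if claims.get("u") != current_user:
        return False
    if now >= int(claims.get("exp", 0)):
        return False
    if claims.get("d") in revoked:
        return False
    return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # assumption: per-portal secret kept server-side
    cookie, device = issue_trusted_device("alice", key, 1_700_000_000)
    print(check_trusted_device(cookie, "alice", key, 1_700_000_060, set()))   # True
    print(check_trusted_device(cookie, "bob", key, 1_700_000_060, set()))     # False
```

The revocation set is keyed by device id; in a real portal it would live in the user's persistent session so that the menu the issue proposes can list and delete entries, and the check should also be skipped entirely when the current session was not authenticated with a first factor.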
## #3017 Handle acr_values in Issuer::OpenIDConnect
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3017
Opened by Maxime Besson; updated 2023-12-20T10:30:55Z

### Summary
* We should allow RPs to request a particular authentication level with the acr_values parameter
### Design proposition
* Parse acr_values and set targetAuthnLevel accordingly
* Allow targetAuthnLevel to be customized in a hook
Milestone: 2.18.0. Assignee: Maxime Besson.

## #3046 Conf::Backends::LDAP permanently fails to connect after an error
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3046
Opened by Maxime Besson; updated 2023-12-20T10:29:30Z

In unstable network conditions, the LDAP connection may become invalid:
```
LDAP error 82: Broken pipe
```
There is no way to recover from this except restarting httpd. We need to add a healthcheck on connection reuse like in Apache::Session::LDAP.
Milestone: 2.18.0. Assignee: Maxime Besson.

## #2945 CheckUser: Do not compute setAuthSession step for unauthenticated user
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2945
Opened by Christophe Maudoux; updated 2023-12-20T10:27:43Z

### Concerned version
Version: all
Platform: all
### Summary
Enable checkUser.
Set checkuser access rule with 'skip'.
Milestone: 2.18.0. Assignee: Christophe Maudoux.

## #3063 Set default logLevel to notice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3063
Opened by Clément OUDOT; updated 2023-12-19T21:49:13Z

For now the default logLevel is `warn`, which does not display messages like 'user xxx authenticated'.
It would be better to set the default value to `notice`.
Milestone: 2.18.0. Assignee: Clément OUDOT.