lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2022-11-24T14:56:52Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1740
2022-11-24T14:56:52Z
Maxime Besson
Applications disappear from the portal in rare cases after saving configuration in the manager
### Concerned version
Version: 2.0.2
### Summary
I have witnessed a strange case in which all applications disappear from the portal after editing a completely unrelated setting.
Making a minor edit (description) to one application makes them appear again.
### Logs
The faulty applications look like this in configuration:
```
"applicationList" : {
...
"0005-cat" : {
"0006-app" : {
"options" : {
"description" : "Configure LemonLDAP::NG WebSSO",
"display" : "on",
"logo" : "configure.png",
"name" : "WebSSO Manager",
"uri" : "https://manager.example.com/manager.html"
},
"type" : "menuApp"
},
...
```
They have `type: menuApp` instead of `type: application`, and after making any minor edit, the type is set to the correct value again and they all display correctly.
And this is a redacted diff between a working configuration and the faulty one:
```
--- /dev/fd/63 2019-05-07 17:49:13.393814123 +0200
+++ /dev/fd/62 2019-05-07 17:49:13.393814123 +0200
@@ -14,7 +14,7 @@
},
- "type" : "application"
+ "type" : "menuApp"
},
"0003-app" : {
"options" : {
@@ -24,7 +24,7 @@
- "type" : "application"
+ "type" : "menuApp"
},
"0004-app" : {
"options" : {
@@ -34,7 +34,7 @@
},
- "type" : "application"
+ "type" : "menuApp"
},
@@ -48,7 +48,7 @@
"name" : "WebSSO Manager",
},
- "type" : "application"
+ "type" : "menuApp"
},
"0007-app" : {
"options" : {
@@ -58,7 +58,7 @@
"name" : "Notifications explorer",
},
- "type" : "application"
+ "type" : "menuApp"
},
"0008-app" : {
"options" : {
@@ -68,7 +68,7 @@
"name" : "Sessions explorer",
},
- "type" : "application"
+ "type" : "menuApp"
},
"catname" : "Administration",
"type" : "category"
@@ -82,7 +82,7 @@
"name" : "Local documentation",
- "type" : "application"
+ "type" : "menuApp"
},
"0011-app" : {
"options" : {
@@ -92,7 +92,7 @@
"name" : "Official Website",
"uri" : "http://lemonldap-ng.org/"
},
- "type" : "application"
+ "type" : "menuApp"
},
"catname" : "Documentation",
"type" : "category"
@@ -113,9 +113,9 @@
"cda" : "0",
- "cfgDate" : 1557133222,
+ "cfgDate" : 1557135349,
"cfgLog" : "",
- "cfgNum" : 90,
+ "cfgNum" : 91,
"cfgVersion" : "2.0.2",
"checkXSS" : "1",
"combModules" : {
@@ -206,9 +206,10 @@
"uid" : "lc $_user"
},
"mail2fActivation" : "$_2fDevices !~ /\"type\"\\s*:\\s*\"(UBK|TOTP|U2F)\"/s",
- "mail2fAuthnLevel" : "3",
+ "mail2fAuthnLevel" : 3,
"mail2fCodeRegex" : "\\d{6}",
+ "mail2fTimeout" : 300,
"mailCharset" : "utf-8",
@@ -509,7 +510,7 @@
"totp2fUserCanRemoveKey" : "1",
"trustedDomains" : "'*'",
"u2fActivation" : "1",
- "u2fAuthnLevel" : "4",
+ "u2fAuthnLevel" : 4,
"u2fSelfRegistration" : "$authenticationLevel > 2",
"u2fUserCanRemoveKey" : "1",
"upgradeSession" : "1",
```
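Review bot: the only intentional change of this save is in the last three hunks (`cfgNum` 90 to 91, the new `mail2fTimeout` key, and `mail2fAuthnLevel` / `u2fAuthnLevel` rewritten from the strings `"3"` / `"4"` to bare integers), so the `"type" : "application"` to `"type" : "menuApp"` rewrites in every earlier hunk were not requested by the editor and are a side effect of the save itself; note that `u2fAuthnLevel` belongs to a plugin that was not edited either yet also changed JSON type in the same write, so both symptoms point at keys being normalized on the way through the parser rather than at the mail2f change specifically.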
As you can see, the corruption occurs when saving some setting in the mail2f plugin. It's probably a coincidence; I tried to reproduce the same change, but it did not break the menu this time.
There seems to be something wrong going on when parsing the JSON sent by the manager into an LLNG config, but I couldn't figure out what after looking at `Conf::Parser.pm`.
### Backends used
JSON file backend is used
### Possible fixes
Saving the configuration again is enough to "repair" the applicationList by replacing the keyword `menuApp` by `application`.
```
EDITOR="sed -i 's/menuApp/application/'" /usr/*/lemonldap-ng/bin/lmConfigEditor
```
In discussion
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1665
Bad configuration encoding with LDAP backend
2022-05-02T15:10:45Z
Clément OUDOT
Bad configuration encoding with LDAP backend
When storing the configuration in LDAP, the encoding is wrong.
Setting "é" from Manager inside the LDAP backend results in this value:
```
"description":"A simple application displaying authenticated user é"
```
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1641
Floating Menu breaks accents
2020-02-05T13:08:22Z
Paul Curie
Floating Menu breaks accents
### Concerned version
Version: 2.0.1
Platform: CentOS 7.6 / Apache 2.4.6
### Summary
When activating the floating menu on a PHP app (Self Service Password), accents break; removing the floating menu resolves this issue.
### Logs
```
Apache2::Filter::print: (32) Broken pipe at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2/Menu.pm line 72, referer: https://sspad.acme.fr/
```
I'm not sure if this error message is related but there is nothing else.
### Backends used
LDAP backend for config/sessions
### Possible fixes
3.0.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1374
LemonLDAP randomly turns in demonstration mode
2018-10-08T07:44:48Z
Mickael Bride
LemonLDAP randomly turns in demonstration mode
This occurred 2 times in our production environment.
After performing an action in the manager UI (adding a new SAML identity provider) and saving the new configuration, LemonLDAP suddenly switched into demonstration mode.
A restart of Apache was required to restore the normal behavior.
Here are the Apache logs during the issue when someone tries to authenticate:
```
[Mon Feb 12 15:00:02.700765 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Now using configuration: 110
[Mon Feb 12 15:00:02.700897 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Menu loaded
[Mon Feb 12 15:00:02.700956 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Display loaded
[Mon Feb 12 15:00:02.701021 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthDemo loaded
[Mon Feb 12 15:00:02.701347 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::UserDBMulti loaded
[Mon Feb 12 15:00:02.701410 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::PasswordDBLDAP loaded
[Mon Feb 12 15:00:02.701754 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::RegisterDBDemo loaded
[Mon Feb 12 15:00:02.702006 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module SAML
[Mon Feb 12 15:00:02.702018 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702025 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenID
[Mon Feb 12 15:00:02.702031 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702037 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module CAS
[Mon Feb 12 15:00:02.702043 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702049 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenIDConnect
[Mon Feb 12 15:00:02.702055 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702060 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module Get
[Mon Feb 12 15:00:02.702066 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:02.702156 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::IssuerDBNull loaded
[Mon Feb 12 15:00:02.702169 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] IssuerDB module Null loaded
[Mon Feb 12 15:00:02.702233 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::_SOAP loaded
[Mon Feb 12 15:00:02.702351 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlUrlOrigin
[Mon Feb 12 15:00:02.702417 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub checkNotifBack
[Mon Feb 12 15:00:02.702429 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlExistingSession
[Mon Feb 12 15:00:02.702474 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub issuerDBInit
[Mon Feb 12 15:00:02.702492 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub authInit
[Mon Feb 12 15:00:02.702536 2018] [perl:debug] [pid 30330] CGI.pm(114): /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/AuthDemo.pm 42:
[Mon Feb 12 15:00:02.702544 2018] [perl:warn] [pid 30330] Using demonstration mode, go in Manager to edit the configuration
[Mon Feb 12 15:00:02.702552 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub issuerForUnAuthUser
[Mon Feb 12 15:00:02.702568 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub extractFormInfo
[Mon Feb 12 15:00:02.702654 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Use customized message for error 9
[Mon Feb 12 15:00:02.702730 2018] [perl:debug] [pid 30330] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
```
Here are the Apache logs when it correctly works:
```
[Mon Feb 12 15:00:52.380004 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Now using configuration: 110
[Mon Feb 12 15:00:52.380112 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Menu loaded
[Mon Feb 12 15:00:52.380166 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::Display loaded
[Mon Feb 12 15:00:52.380231 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthMulti loaded
[Mon Feb 12 15:00:52.380284 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::UserDBMulti loaded
[Mon Feb 12 15:00:52.380335 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::PasswordDBLDAP loaded
[Mon Feb 12 15:00:52.380623 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::RegisterDBDemo loaded
[Mon Feb 12 15:00:52.380826 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module SAML
[Mon Feb 12 15:00:52.380837 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380843 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenID
[Mon Feb 12 15:00:52.380849 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380854 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module CAS
[Mon Feb 12 15:00:52.380868 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380874 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenIDConnect
[Mon Feb 12 15:00:52.380880 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380886 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module Get
[Mon Feb 12 15:00:52.380891 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Mon Feb 12 15:00:52.380968 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::IssuerDBNull loaded
[Mon Feb 12 15:00:52.380979 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] IssuerDB module Null loaded
[Mon Feb 12 15:00:52.381035 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::_SOAP loaded
[Mon Feb 12 15:00:52.381139 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlUrlOrigin
[Mon Feb 12 15:00:52.381196 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub checkNotifBack
[Mon Feb 12 15:00:52.381208 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlExistingSession
[Mon Feb 12 15:00:52.381251 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub issuerDBInit
[Mon Feb 12 15:00:52.381269 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub authInit
[Mon Feb 12 15:00:52.381377 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthSAML loaded
[Mon Feb 12 15:00:52.381458 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::AuthLDAP loaded
[Mon Feb 12 15:00:52.381567 2018] [perl:debug] [pid 24364] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::UserDBLDAP loaded
```
I notice in the first lines that "AuthDemo" is loaded instead of "AuthMulti".
Do you have any idea what could be the problem? The same action was done at other times without any problem. It only happened 2 times, but it was very critical as it avoids any new connection.
Do we need to make an Apache restart every time we make that kind of modification?
Thank you
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3127
Support SAML subject-id and pairwise-id natively
2024-03-27T13:29:12Z
Maxime Besson
Support SAML subject-id and pairwise-id natively
subject-id and pairwise-id are replacements for SAML NameIDs in use in Renater/Edugain federations:
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html
Currently, subject-id and pairwise-id can be enabled via a macro, but this is complex to configure, especially pairwise-id, which must be configured as a per-SP macro for all SPs.
Maybe we should natively implement subject-id and pairwise-id through simple options in SAML SP configs
2.20.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3126
Allow multiple TOTP devices to be registered
2024-03-27T10:11:12Z
Maxime Besson
Allow multiple TOTP devices to be registered
### Summary
Currently it is possible to register multiple Webauthn devices, but not multiple TOTP
2.20.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3118
Minimal LDAP server load-balancing
2024-03-08T14:10:26Z
Yadd
Minimal LDAP server load-balancing
[Net::LDAP](https://metacpan.org/pod/Net::LDAP) provides a way to configure more than one LDAP server, which permits a fallback. However, it always tries the servers in the same order. This has some issues:
- only one server is used
- when the first server is down, all LDAP connections are slowed down while waiting for the first failure
# Design proposition
This should be pushed to [Lemonldap::NG::Portal::Lib::Net::LDAP](lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm) and [Apache::Session::Browseable](https://metacpan.org/pod/Apache::Session::Browseable).
```perl
our %knownDown;
our %knownLdapServerStrings;

# Sort helper: servers known to be down go to the end of the list
sub sortDead {
    return 1  if $knownDown{$a} and !$knownDown{$b};
    return -1 if $knownDown{$b} and !$knownDown{$a};
    return 0;
}

# ...
sub new {
    # ...
    # Split the "ldapServer" setting once per distinct value
    $knownLdapServerStrings{ $conf->{ldapServer} } ||=
      [ split( /\s+/, $conf->{ldapServer} || 'localhost' ) ];
    my $servers = $knownLdapServerStrings{ $conf->{ldapServer} };

    # Simple round-robin if asked: rotate the list by one
    if ( $conf->{ldapRoundRobbin} ) {
        push @$servers, shift @$servers;
    }

    # Push servers which have failed to the end of the list
    my @uris  = sort sortDead @$servers;
    my $first = $uris[0];

    # ... create LDAP object using \@uris

    # Update %knownDown:
    # the server chosen by Net::LDAP is up
    delete $knownDown{ $self->{net_ldap_uri} };
    # if Net::LDAP chose another server, this means that the first LDAP is down
    if ( $self->{net_ldap_uri} ne $first ) {
        $knownDown{$first} = 1;
    }
    # ...
}
```
@clement_oudot, @maxbes: what do you think?
In discussion
Yadd
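As an added example (not LemonLDAP::NG's own code) of the ordering sketched in the design proposition above: one pool per `ldapServer` setting, optional round-robin rotation, known-down servers pushed to the end, and the down list updated from which server actually answered. The `try_connect` callback and `make_connector` are constructed stand-ins for Net::LDAP; the block generalizes the sketch by marking every server skipped before the answering one as down, not only the first.

```python
# Added example, not LemonLDAP::NG code: server ordering for multi-server
# ldapServer settings, with a caller-supplied connect function in place of
# Net::LDAP.


class LdapServerPool:
    """One pool per distinct ldapServer setting (the %knownLdapServerStrings
    and %knownDown globals of the Perl sketch become instance state here)."""

    def __init__(self, ldap_server, round_robin=False):
        # ldapServer is a whitespace-separated list of URIs, as in the sketch
        self.servers = ldap_server.split() or ["ldap://localhost"]
        self.round_robin = round_robin
        self.known_down = set()

    def ordered_uris(self):
        """Rotate the list by one if round-robin is enabled, then push the
        servers known to be down to the end. sorted() is stable, so live
        servers keep their relative order."""
        if self.round_robin:
            self.servers.append(self.servers.pop(0))
        return sorted(self.servers, key=lambda uri: uri in self.known_down)

    def connect(self, try_connect):
        """try_connect(uri) returns a connection or None. Tries the ordered
        URIs the way Net::LDAP does and returns (uri, connection). Every
        server skipped before the one that answered is marked down; the
        answering server is marked up again."""
        uris = self.ordered_uris()
        for position, uri in enumerate(uris):
            conn = try_connect(uri)
            if conn is not None:
                self.known_down.discard(uri)              # chosen server is up
                self.known_down.update(uris[:position])   # the ones before it are not
                return uri, conn
        self.known_down.update(uris)
        raise ConnectionError("no LDAP server reachable: " + " ".join(uris))


def make_connector(down):
    """Constructed stand-in for Net::LDAP->new: fails for every URI in `down`."""
    return lambda uri: None if uri in down else f"conn:{uri}"


if __name__ == "__main__":
    pool = LdapServerPool("ldap://a ldap://b ldap://c")
    print(pool.connect(make_connector({"ldap://a"})))  # ('ldap://b', 'conn:ldap://b')
    print(pool.ordered_uris())                         # ['ldap://b', 'ldap://c', 'ldap://a']
```

A server marked down is only retried once every server ahead of it fails, so a recovered server stays at the end of the list until then; a periodic re-probe would be needed to promote it earlier.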
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3116
Restart authentication process when error is linked to token expiration
2024-03-27T10:59:00Z
Clément OUDOT
Restart authentication process when error is linked to token expiration
Currently, when the security token is expired (`Returned error: 82 (PE_TOKENEXPIRED)`), we end up on the error page and the user must return to the portal to restart the authentication process.
It could be better to display the error on the login form so the user can directly restart the authentication process.
2.20.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3056
Remove XML::Simple (again)
2024-03-27T08:18:27Z
Maxime Besson
Remove XML::Simple (again)
Same as #1491 but in 2.0 branch
2.20.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051
Add messaging broker support to share instantaneously events like logout or c...
2024-03-27T10:53:38Z
Yadd
Add messaging broker support to share instantaneously events like logout or configuration update
We can propose here a plugin system like the logger interface. Proposed plugin list:
* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)
Such a system can also provide a backend for a better "status" system
2.20.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3019
Update fontawesome to v5 (LTS)
2024-03-27T10:55:07Z
Benjamin Demarteau
Update fontawesome to v5 (LTS)
### Summary
Font Awesome 4, which was [added a few months ago](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/322), is great, but the next LTS has been available for a long time and has a lot more icons to choose from.
### Design proposition
Migrating from v4 to v5 should be mostly painless (cf. https://fontawesome.com/v5/docs/web/setup/upgrade-from-v4). Not sure if there are attention points.
2.20.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3015
Minimal skin to help developers
2024-03-27T10:04:16Z
Yadd
Minimal skin to help developers
LLNG is distributed with a Bootstrap skin. We decided some years ago to stop developing alternative skins because it requires too much work.
However, creating a custom skin is a huge amount of work if one wants to change, for example, Bootstrap to something else.
Proposition:
* continue to distribute LLNG with one elaborate skin
* add a very minimal skin, "_ready-to-be-changed_":
  * no CSS
  * minimize `portal.js` dependencies (maybe `jQuery` isn't really needed) **or** build it using a modern way _(TypeScript + rollup)_
  * no tabs and such CSS-based scripts: Choice will simply provide `<ul><li>`
  * move dependencies from common/*tpl to bootstrap/*.tpl
NB: this skin could also be used to simplify HTML parsing inside Perl tests
2.20.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3006
OIDC shouldn't rotate keys when they are fixed in lemonldap-ng.ini
2023-11-20T16:27:28Z
Yadd
OIDC shouldn't rotate keys when they are fixed in lemonldap-ng.ini
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3000
Implement continuations in the portal login flow
2023-10-10T13:31:15Z
Maxime Besson
Implement continuations in the portal login flow
### Summary
The LemonLDAP::NG portal is centered around the idea of running a list of methods (with `do`) in order.
(extractFormInfo, getUser, etc)
But this flow generally needs to be interrupted at some point for user interaction:
* Entering credentials
* Entering 2FA
* Showing notifications
* Showing info
* etc.
Each component of LemonLDAP::NG has its own way of doing that. Generally a OneTimeToken is used, but not always.
* Issuer saves the request environment
* 2FA saves sessionInfo + a couple other fields
* Notifications encrypt the session cookie but require $req->data->{url} to be persisted
* etc.
There are literally dozens of bugs, maybe more, caused by the fact that the
current `$req` object needs to be serialized before the interaction and
restored after, and this is done incorrectly.
There are many bugs caused by interactions that arise from the fact that some
early part of the processing sets something in `$req->data` that is needed
later, but not restored correctly.
There are also many bugs caused by the fact that some extra steps are stored in
`$req->steps` but not restored after an interaction.
### Design proposition
We need to create a generic system for storing the request state during a user
interaction, including `$req->steps`. This system should be used by every part
of LemonLDAP::NG that needs to interrupt the current flow to display a page.
I will update this issue with a design proposal later, but it will take a lot
of time to implement this correctly, and require many preliminary steps.
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2999
Better Session API
2024-03-27T09:45:47Z
Maxime Besson
Better Session API
The current session API is not very satisfying:
* We use the same method to create and update a session (getApacheSession) which leads to bugs when $id is unexpectedly `undef`, or when creation works but setting attributes fail
* Error reporting is difficult (we need to test `$session->error`) and incomplete (#2995)
* Locking is not supported in most backends, which may cause bugs on high load
* Implementation is difficult to debug (use of `tie` behind the scenes, etc)
We should work on a new session API with cleaner methods. Maybe we could even replace Apache::Session completely, since I'm pretty sure no one uses Apache::Session::Browseable except us, and Browseable backends are the recommended way to deploy LemonLDAP::NG?
2.20.0
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2967
SAML federation plugin should use Name instead of FriendlyName
2024-03-27T10:04:42Z
Maxime Besson
SAML federation plugin should use Name instead of FriendlyName
Currently, SAML federation defines *session attributes* => *SAML attributes* mapping based on the FriendlyName of the requested attribute:
```
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
```
Creates a "mail" > "urn:oid:0.9.2342.19200300.100.1.3" mapping
However, in the Edugain federation, some attributes have different FriendlyNames:
```
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="Email" isRequired="true"/>
```
which forces us to create macros to map "Email" => "$mail"
We must find a different way to handle SAML attributes in federation, perhaps ship a dictionary for standard attributes, and let the users do the mapping themselves?
2.20.0
Maxime Besson
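As an added example (not LemonLDAP::NG's own code) of the Name-based mapping proposed above: a shipped OID dictionary plus admin overrides replaces the FriendlyName lookup, so an SP that publishes `FriendlyName="Email"` still receives the session's `mail`. The SP metadata, the session and the `urn:example:custom-attribute` Name are constructed; the mail OID is the one quoted in the issue and the other dictionary entries are well-known LDAP/eduPerson attribute OIDs.

```python
# Added example, not LemonLDAP::NG code: resolve md:RequestedAttribute by Name
# (OID) through a shipped dictionary instead of trusting the SP's FriendlyName.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # quoted in the issue

# Assumed "shipped dictionary": standard attribute OID -> session attribute name.
STANDARD_ATTRIBUTES = {
    MAIL_OID: "mail",
    "urn:oid:2.5.4.4": "sn",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
}

# Constructed SP metadata in the Edugain style: mail is published with
# FriendlyName="Email", plus a non-standard attribute with a made-up Name.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="{MAIL_OID}" FriendlyName="Email" isRequired="true"/>
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:oid:2.5.4.42" FriendlyName="GivenName" isRequired="false"/>
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="urn:example:custom-attribute" FriendlyName="customAttr" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed session, keyed by session attribute names as the portal would store them.
SESSION = {"mail": "dwho@example.org", "givenName": "Doctor", "sn": "Who"}


def parse_requested_attributes(metadata_xml):
    """Return [(Name, FriendlyName, isRequired)] for every md:RequestedAttribute."""
    root = ET.fromstring(metadata_xml)
    return [
        (el.get("Name"), el.get("FriendlyName"), el.get("isRequired") == "true")
        for el in root.iter(f"{{{MD_NS}}}RequestedAttribute")
    ]


def map_by_friendly_name(requested):
    """Current behaviour: the session attribute name is whatever the SP put in
    FriendlyName, so "Email" silently matches nothing in the session."""
    return {friendly: name for name, friendly, _ in requested if friendly}


def map_by_name(requested, dictionary=STANDARD_ATTRIBUTES, overrides=None):
    """Proposed behaviour: resolve Name through the shipped dictionary, then
    through admin overrides; unresolved Names are returned for manual mapping."""
    overrides = overrides or {}
    mapping, unresolved = {}, []
    for name, _friendly, required in requested:
        session_attr = overrides.get(name) or dictionary.get(name)
        if session_attr:
            mapping[session_attr] = name
        else:
            unresolved.append((name, required))
    return mapping, unresolved


def release_attributes(session, mapping):
    """{SAML Name: value} for every mapped attribute actually present in the session."""
    return {saml_name: session[attr] for attr, saml_name in mapping.items() if attr in session}


if __name__ == "__main__":
    requested = parse_requested_attributes(SP_METADATA)
    print("by FriendlyName:", release_attributes(SESSION, map_by_friendly_name(requested)))
    mapping, unresolved = map_by_name(requested)
    print("by Name:", release_attributes(SESSION, mapping), "unresolved:", unresolved)
```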
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2951
Append a conf test to check if password generation regexp matches LLNG passwo...
2024-03-27T10:05:09Z
Christophe Maudoux
chrmdx@gmail.com
Append a conf test to check if password generation regexp matches LLNG password policy
### Affected version
Version: All
Platform: All
### Summary
When saving conf, a test should warn if password generation RegExp does not match the LLNG password policy
2.20.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2947
Append an OAuth2ST handler wrapper
2024-03-27T10:05:35Z
Christophe Maudoux
chrmdx@gmail.com
Append an OAuth2ST handler wrapper
### Summary
Some WebServices can be requested by OIDC applications using AccessToken and Web applications using ServiceToken.
This leads to defining two routes, one protected by the ST handler and one protected by the OAuth2 handler.
### Design proposition
The idea is to provide a handler able to serve both AT and ST like DevOpsST wrapper.
2.20.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2890
Allow syslog to send logs to a remote host
2024-03-28T07:43:58Z
Yadd
Allow syslog to send logs to a remote host
### Summary
In a docker environment, it's annoying to have to instantiate a syslog to send logs to a remote server.
### Design proposition
[Sys::Syslog](https://metacpan.org/pod/Sys::Syslog#setlogsock()) provides a `setlogsock()` function that allows configuring syslog to use a remote syslog server (host, port, udp/tcp).
So we just have to add an option to call `setlogsock()` with custom parameters.
2.20.0
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2880
php-jwt requires "alg" parameter in JWKS
2024-03-27T10:08:14Z
Maxime Besson
php-jwt requires "alg" parameter in JWKS
Software that relies on php-jwt (such as GLPI) needs an "alg" subkey in JWKS.
The problem is that a single RSA key can be used by multiple JWE algs, and "alg" is single-valued, in addition to being non-mandatory.
A workaround in some competing solutions is to declare `"alg": "RS256"` even if it's technically false
Backlog
Maxime Besson