# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2022-06-03T14:09:27Z)

## #2370 Memory leak in Lasso when dumping object
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2370
Author: Maxime Besson. Updated: 2022-06-03T14:09:27Z
### Concerned version
Version: 2.0.9
Platform: (Nginx/Apache/Node.js)
### Summary
* Set up LLNG as a SAML Issuer with one SP
* Open a session, and benchmark a simple SAML login flow
* Watch memory rising steadily
### Logs
The main culprit in this particular flow is this code
```perl
if ( $login->is_session_dirty ) {
    $self->logger->debug("Save Lasso session in session");
    $self->p->updateSession( $req,
        { $self->lsDump => $login->get_session->dump },
        $session_id );
}
```
Especially `$login->get_session->dump`: it seems that Lasso will not release memory when the Perl variable goes out of scope.
### Possible fixes
Needs further investigation
Labels/milestone: Backlog. Assignee: Maxime Besson

## #2363 [SAML] Upgrade 2.0.7 > 2.0.9 led to some SAML SPs not working unless Check SSO message signature is disabled
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2363
Author: Mehdi KHELIFA. Updated: 2021-01-08T17:12:06Z
### Concerned version
Version: %2.0.9-1
Platform: Apache / Debian GNU/Linux 9 (stretch) /Linux 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64 GNU/Linux
### Summary
Since upgrading from 2.0.7 to 2.0.9, some SAML service providers can't be authenticated. The portal displays that an error occurred during SAML message signing (translation of the French message: "Erreur lors de la gestion de la signature du message SAML").
Other SAML SPs are working fine.
I also checked the validity of the public keys provided in the metadata (including my own, just to be sure). They are still valid.
### Logs
```
[LLNG:3781] [error] Lasso error code -1500: The provider has no known public key
[LLNG:3781] [error] Signature is not valid
[LLNG:3781] [debug] Returned error: 57 (PE_SAML_SIGNATURE_ERROR)
```
See attached error.log file:
[error.log](/uploads/814ca14fc1aa668ffe9e42178c700e6a/error.log)
You will find attached concerned service providers metadata files.
- [sp1-md.xml](/uploads/9e6b002745d87d61d770796d40421619/sp1-md.xml)
- [sp2-md.xml](/uploads/22e4fd17ad421776611f605c6175b16a/sp2-md.xml)
Here is a URL-encoded request from the SP:
```
fZBbT4QwEEb%2FCun7llvirhMgIbImxGvcFY1vFRtoUlrsTEX%2FvcC%2BrC%2B%2BzznfyWQoBj1C6ak3T%2FLTS6SgkQ6VNTlLeMSCusrZ3m9fa7OvX26qj0vePF%2FHQ%2FO181v1Ps0HiF7WBkkYmpkoiTZxtEmjY7yDNIUo5hdJ%2BsaCanYrI2hV90QjQhiKeZgjWk5OjErz1g7hkhSiMp2WB9WZB8OC70EbhLU1Z94ZsAIVghGDRKAWDuXdLcy5MDpLtrWaFdlyDWucO%2BP%2FxwWidEshK6Zp4qP2TmhUXU9LWRaeOU8DI9zPkrp6tFq1P0GptZ2unBQkc0bOSxYWJ%2Brvj4tf&RelayState=CquY9iUTrVrkoL3B3yZBph61zAjsqR&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=W8cRNc4N77VJShg9SToCIm1xXvA%2BnJ3ZFv4xqqcRph3TiylsYzARUVy%2Bu8FbuRzRvUhzMbftA%2FWHPs9HFrk2qulbdWMu6iT9JAIgB6tLflM66BZwkJtxTpTmj0iie8iZFodgbPPQjZHVqjmQ5m9nS%2Fm0IxhZRcfwMIxYu2nsSHWYWlcU%2BK5fl%2FzNiX0uHuxfkWMrQyviuX0Mu60w1U8O8Trw%2FfYlvc6Sid9sMi195HZWBXvxzji8R7mEq4Q60YGL2xMrUnuNl1AHQU9bfUwIvtNe7Cqd0NkfjQ3hMXOmNxAS52%2BfrfvU8BBWyUNhtqz708Bs40r9H6FA3FoybV54eQ%3D%3D
```
### Backends used
CONFIGURATION AND SESSIONS on PostgreSQL DB
AUTH BACKEND: Active Directory
### Possible fixes
The only workaround is to disable **Check SSO message signature** at the service provider level. Once disabled, applications are authenticated as expected. But over time it may not be secure!

## #2362 unprotect rule does not recognize existing sessions when using CDA
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2362
Author: Ghost User. Updated: 2020-10-30T17:33:31Z
I am trying to set up a subdomain where an authenticated user would be authenticated to the app with an HTTP header.
For that I used the `unprotect` rule like so:
```json
"locationRules": {
    "example.com": {
        "default": "unprotect"
    }
},
"vhostOptions": {
    "example.com": {
        "vhostType": "CDA"
    }
}
```
But authenticated users are not detected.
I was expecting that LemonLDAP would redirect to the portal to check if a session exists, then come back and set a cookie to identify the user.
Am I wrong somewhere?
Labels/milestone: FAQ

## #2358 OIDC: oidcchecksession and session data encoding
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2358
Author: Michael Bailly. Updated: 2023-02-07T07:42:21Z
### Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian buster
Web server: NginX
### Summary
The oidcchecksession iframe always returns "changed" to the host web application.
### Possible fixes
The code to encode OIDC session state seems to differ between portal and oidcchecksession iframe.
Portal https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/master/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm#L1608 :
```perl
my $data = $client_id . " " . $session_id . " " . $salt;
my $hash = sha256_base64($data);
```
JavaScript https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/master/lemonldap-ng-portal/site/htdocs/static/common/js/oidcchecksession.js#L26-29 :
```javascript
client_id = decodeURIComponent(message.split(' ')[0]);
session_state = decodeURIComponent(message.split(' ')[1]);
salt = decodeURIComponent(session_state.split('.')[1]);
ss = btoa(client_id + ' ' + e.origin + ' ' + salt) + '.' + salt;
```
That has the effect of the JavaScript session state never matching the portal session state, and always returning **changed** to the host web application.
Labels/milestone: 3.0.0. Assignee: Yadd

## #2351 llngDeleteSession script is obsolete
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2351
Author: Clément OUDOT. Updated: 2020-12-21T20:36:49Z
Since we created the lemonldap-ng-sessions utility (https://lemonldap-ng.org/documentation/latest/cli_examples#sessions-management), we should remove llngDeleteSession (https://lemonldap-ng.org/documentation/latest/sessions.html#command-line-tools).
Labels/milestone: 3.0.0. Assignee: Maxime Besson

## #2349 More details in Lasso lib related log error messages
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2349
Author: Julien Ledoux. Updated: 2021-06-24T13:50:31Z
### Environment
LemonLDAP::NG version: 2.0.9
Operating system: CentOS 8 / Docker
Web server: Nginx
### Summary
Currently, with Lasso lib v2.6.1, we sometimes get error messages that are quite opaque, as they don't give much information about the cause of the error. Also, the surrounding [info] messages don't help either. The only thing we know is that it's related to SAML SP/IDP somehow.
For instance:
* Lasso error code -405: Invalid HTTP method
* Lasso error code -407: Invalid message
### Logs
```
[2020/10/07 14:00:32] INFO: User ******* has been disconnected from AD (*.*.*.*)
[2020/10/07 14:00:32] ERROR: Lasso error code -405: Invalid HTTP method
[2020/10/07 14:00:32] INFO: Session cannot be tied: Object does not exist in data store. at /usr/share/perl5/vendor_perl/Apache/Session/Browseable/Store/Redis.pm line 66.
```
Those messages could mean different things: user's session could not be properly unset, user could not be disconnected for one or many SAML services, one or many SAML services are not properly configured (some bindings might be missing from their metadata...)
```
[2020/10/05 09:40:42] ERROR: Lasso error code -407: Invalid message
[2020/10/05 09:40:42] ERROR: SSO: Fail to process authentication request
```
Those messages could mean: invalid user credentials (login or password), user does not exist or is not found in the backend, account is disabled / locked, multiple results found in backend identity databases, backend identity databases are currently unavailable, timeout...
### Backends used
Backend identity storage is Redis
### Possible fixes
Adding some detailed information in error log messages, such as:
* the action causing the error (single login, single logout)
* the user at the origin of this action
* the SAML service concerned
* the underlying error (missing bindings in metadata, misconfiguration, connection lost, request timeout, invalid response, remote service unavailable...)
Some messages about the SAML requests might be useful too.
Labels/milestone: 3.0.0

## #2346 LDAP Password Policy "Password field must be filled"
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2346
Author: Dave Conroy. Updated: 2021-07-02T07:06:20Z
### Environment
LemonLDAP::NG version: 2.0.9
Operating system: Alpine Linux 3.12 (Docker)
Web server: Nginx 1.19.3
### Summary
Users unable to change password when expired via Ppolicy
### Logs
Returned error: 67 (PE_PASSWORDFORMEMPTY)
![image](/uploads/0ceee2a38cdb479d199a67f31add8b66/image.png)
### Backends used
LDAP Backend connecting to OpenLDAP 2.4.53
### Additional Details
This is very similar to #1910 #2268 and potentially #1969
We have a fairly basic LLNG implementation in terms of complexity:
Authentication Module: `LDAP`, Users Module: `LDAP`, Password Module: `LDAP`, Register Module: `LDAP`
LDAP Password Settings: all on, with the exception of IBM Tivoli DS support. LDAP password encoding `utf-8`, Reset Attribute `pwdReset`, Reset value `TRUE`
Macro: `_whatToTrace`: `$_auth eq 'SAML' ? "$_user\@$_idpConfKey" : $_auth eq 'OpenIDConnect' ? "$_user\@$_oidcConnectedRP" : "$_user"`
We have tried the fix listed in #1910 with no success.
Labels/milestone: FAQ. Assignee: Clément OUDOT

## #2343 TOTP handler
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2343
Author: Yadd. Updated: 2020-12-22T14:18:22Z
### Summary
The TOTP handler is a handler that accepts tokens that contain a TOTP value. This is a sort of **human-less** ServiceToken handler.
### Design proposition
The client header contains `WWW-Authenticate: user:<TOTP value>`; the handler gets the secret from lemonldap-ng.ini _(or a distinct file? or an LLNG database?)_ and verifies the TOTP value, then calculates a temporary session _(like the AuthBasic handler using a valid username, or a pre-defined session?)_.
Comments are welcome.
Labels/milestone: In discussion. Assignee: Yadd

## #2327 display message for successful single-logout from relying parties
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2327
Author: Andreas Deschka. Updated: 2020-09-26T17:30:43Z
For security and usability reasons it would be good if the user gets a message which tells him when the logout process has successfully finished.
From my understanding, at present (2.0.9) it is only checked if the logout process is started correctly, but not if it has successfully finished.
Two improvements would be good:
1) Check if the logout process has successfully finished, by checking the responses from the other relying parties
2) Display the message as soon as possible, so that the user has to wait only as long as necessary and not for a constant time.
Labels/milestone: 3.0.0

## #2324 Manager overrides checkTime custom value
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2324
Author: Julien Ledoux. Updated: 2022-01-14T14:04:42Z
### Environment
LemonLDAP::NG version: 2.0.9
Operating system: Docker Engine 19.03 / Centos 8
Web server: Nginx
### Summary
I've set a custom value to `checkTime` parameter in `lemonldap-ng.ini` and in `lmConf-1.yaml` files.
On a fresh start of LLNG, when I make any kind of change in the config within the manager, totally unrelated to this parameter, the `checkTime` value seems to be reset to its default. At least it looks like it (cf. screenshot).
![Capture_d_écran_2020-09-23_à_16.51.59](/uploads/89493fb2800a8f11f8a1258e357b6928/Capture_d_écran_2020-09-23_à_16.51.59.png)
Labels/milestone: In discussion. Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #2297 SMTP mail fails on mailer template not-found, for symlinked skin dir
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2297
Author: pgnd _. Updated: 2020-08-26T17:18:57Z
in LL:NG 2.0.8, changing
/usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/UserDB/Demo.pm
to use/test SMTP @ a real/valid email
```
...
'dwho' => {
'uid' => 'dwho',
'cn' => 'Doctor Who',
- 'mail' => 'dwho@badwolf.org',
+ 'mail' => 'realuser@example.com',
},
```
@ login to portal as 'dwho', clicking to 'reset password', entering email + submit reports
```
A confirmation mail has been sent
A message has been sent to your mail address.
This message contains a link to reset your password, this link is valid until 26/08/2020.
```
but there is NO receipt of any email at my server.
checking, the FAIL is seen in LL:NG logs
```
...
2020/08/25 09:17:16 LLNG[44519] DEBUG: SMTP HTML flag on
2020/08/25 09:17:16 LLNG[44519] DEBUG: SMTP Reply-To noreply@example.com
2020/08/25 09:17:16 LLNG[44519] ERROR: Send message failed: MIME::Body::File->open /usr/share/lemonldap-ng/portal/templates/testskin/../../htdocs/static/: No such file or directory at /usr/share/perl5/vendor_perl/MIME/Body.pm line 435.
2020/08/25 09:17:16 LLNG[44519] DEBUG: Unable to send reset mail
2020/08/25 09:17:16 LLNG[44519] DEBUG: Display called with code: 72
...
```
I suspect this is due to a fail to follow symlinks, in
```
./lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm
...
sub loadMailTemplate {
    my ( $self, $req, $name, %prm ) = @_;

    # HTML::Template cache interferes with email translation (#1897)
    $prm{cache} = 0 unless defined $prm{cache};
    $prm{params}->{STATIC_PREFIX} = $self->p->staticPrefix;
    my %extra =
        $self->p->can('tplParams')
      ? $self->p->tplParams($req)
      : ();
    $prm{params}->{$_} = $extra{$_} for keys %extra;
    return $self->loadTemplate( $req, $name, %prm );
}
...
```
I define/maintain my custom skin
```
tree /etc/lemonldap-ng/portal
/etc/lemonldap-ng/portal
├── NOTES.txt
├── skins
│   └── testskin
│       ├── css
│       │   ├── styles.css
│       │   └── styles.min.css
│       ├── images
│       └── js
│           ├── skin.js
│           ├── skin.min.js
│           └── skin.min.js.map
└── templates
    └── testskin
        ├── customfooter.tpl
        ├── customheader.tpl
        ├── customhead.tpl
        ├── customLoginFooter.tpl
        └── customLoginHeader.tpl

7 directories, 11 files
```
where,
```
cd /usr/share/lemonldap-ng/portal
ls -al templates/
total 16K
drwxr-xr-x 4 root root 4.0K Aug 19 18:16 ./
drwxr-xr-x 4 root root 4.0K Aug 18 09:30 ../
drwxr-xr-x 3 root root 4.0K Aug 18 09:30 bootstrap/
drwxr-xr-x 3 root root 4.0K Aug 18 09:30 common/
lrwxrwxrwx 1 root root 42 Aug 19 18:16 testskin -> /etc/lemonldap-ng/portal/templates/testskin/
ls -al htdocs/static/
total 24K
drwxr-xr-x 6 root root 4.0K Aug 19 18:12 ./
drwxr-xr-x 3 root root 4.0K Aug 18 09:30 ../
drwxr-xr-x 4 root root 4.0K Aug 18 09:30 bootstrap/
drwxr-xr-x 9 root root 4.0K Aug 18 09:30 bwr/
drwxr-xr-x 9 root root 4.0K Aug 18 09:30 common/
drwxr-xr-x 2 root root 4.0K Aug 18 09:30 languages/
lrwxrwxrwx 1 root root 38 Aug 19 18:12 testskin -> /etc/lemonldap-ng/portal/skins/testskin/
```
symlinks _should_ be correctly followed; that^^ perl snippet will need to accommodate.
if not, then docs should address/clarify that symlinks will NOT be followed for mailer templates, even though _elsewhere_ the symlinked skin appears (mostly) OK ...
Labels/milestone: 3.0.0

## #2285 LLNG should not rely on virtual hosts so much
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2285
Author: Maxime Besson. Updated: 2023-11-13T13:34:01Z
The current model of LLNG is heavily based around "Virtual Hosts" and the notion of having a common domain for portal, manager, 'reload' and apps, but three (at least) different hostnames.
But we have many users who do not use the handler at all, and instead only use the SAML/OIDC issuers. For them, having to dedicate an entire subdomain to LemonLDAP makes little sense.
We have users who would like to deploy LLNG components in a sub-path: the manager in /manager, for example. Or even the portal in /portal, why not! And maybe apps in /test1 and /test2?
This would allow us to run an entire "demo instance" under a single URL, without even requiring apache or nginx, just plackup! No more DNS or /etc/hosts issues. Much easier for us devs, too, no more `make start_web_server`.
Good news: because the LLNG router uses `$req->path`, it wouldn't take a huge amount of work to achieve this. (but it will take a lot of testing). Mostly we would just have to write a new handler type that does not depend on the VHost name, but perhaps on a FastCGI environment variable set by the admin within a `location` block. The regexp in this new handler type would only be matched against `$req->path` instead of the entire URL. This handler could solve #2238 too.
Opening this low-priority ticket for discussion, and so I can have a reference to put in commits when I make little improvements towards this long-term goal.
Labels/milestone: 3.0.0. Assignee: Maxime Besson

## #2270 Configuration reload policy is inconsistent
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2270
Author: Maxime Besson. Updated: 2022-07-13T14:46:05Z
### Summary
see #2245
It turns out that running `lmConfigEditor` and `lemonldap-ng-cli restore` will also not reload all servers.
For some reason, `lemonldap-ng-cli set` will reload all servers, however.
This is inconsistent and confusing; we need to decide to either reload the configuration every time there is a config change somewhere, or leave the user entirely in charge of doing it.
Labels/milestone: 3.0.0

## #2264 regression in mail reset in 2.0: mail already sent does not work any more
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2264
Author: dcoutadeur. Updated: 2020-12-22T13:50:53Z
### Environment
LemonLDAP::NG version: 2.0.*
Operating system: Red-Hat 7.6
Web server: Apache 2.4.33
### Summary
regression in mail reset in 2.0 : mail already sent does not work any more
### Logs
Logs seem to be ok, mail already sent is correctly detected:
```
Reset mail already sent to ***
```
The error seems to be here:
```perl
# Return mail already sent only if it is allowed at previous step
if ( $self->conf->{portalErrorOnMailNotFound} ) {
    $self->setSecurity($req);
    return PE_MAILCONFIRMATION_ALREADY_SENT;
}
```
If I understand correctly, the logic should be reversed: if there is no "portalErrorOnMailNotFound", then we could send a "mail already sent" message to the user. Am I right?
Labels/milestone: 3.0.0. Assignee: Maxime Besson

## #2238 Support `/` in Virtual Hosts
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2238
Author: Dave Conroy. Updated: 2020-10-12T13:49:40Z
### Summary
Support the usage of paths in Virtual Hosts
### Design proposition
We utilize a third-party service to create applications, which outputs the URL as `domain.com/appname`. When we wish to add virtual host restrictions (specifically, to allow it to appear in the Portal with correct group membership) we are presented with a bad URL value. Allowing paths in the Virtual Host section would allow for this to occur.
Labels/milestone: FAQ

## #2236 Default CSP value for script-src does not allow to load portal inline script
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2236
Author: Clément OUDOT. Updated: 2020-06-16T08:08:32Z
In the portal we use an inline script:
```html
<script type="application/init">
{
  "displaytab":"<TMPL_VAR NAME="DISPLAY_TAB">",
  "choicetab":"<TMPL_VAR NAME="CHOICE_VALUE">",
  "login":"<TMPL_VAR NAME="LOGIN">",
  "newwindow":<TMPL_VAR NAME="NEWWINDOW" DEFAULT="0">,
  "appslistorder":"<TMPL_VAR NAME="APPSLIST_ORDER">",
  "scriptname":"<TMPL_VAR NAME="SCRIPT_NAME">",
  "activeTimer":<TMPL_VAR NAME="ACTIVE_TIMER" DEFAULT="0">,
  "pingInterval":<TMPL_VAR NAME="PING" DEFAULT="0">,
  "trOver":<TMPL_VAR NAME="TROVER" DEFAULT="[]">
}
</script>
```
But default CSP for script-src is `'self'` so this inline script can't be executed.
We should either add `'unsafe-inline'`, or we could maybe compute a nonce to add more security (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src).
Labels/milestone: In discussion

## #2235 Regression in redirection with query string after #2085
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2235
Author: Christophe Maudoux (chrmdx@gmail.com). Updated: 2020-12-22T14:43:03Z
### Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian 9
Web server: Nginx / uWsgi
### Summary
Query string parameters are escaped by the browser or PSGI, and it leads to an internal server error.
In this example, the redirect parameter is a base64-encoded URL.
As you can see, = is escaped as '%253D'.
![encodage](/uploads/6641fcbd5f30921a52ad006f74627fc3/encodage.png)
Labels/milestone: In discussion. Assignee: Christophe Maudoux (chrmdx@gmail.com)

## #2228 loop on portal connection
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2228
Author: Francois-Xavier MIOT. Updated: 2020-12-21T16:44:02Z
### Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian 10
Web server: Apache
### Summary
When I try to connect to the portal, about once a day I'm logged in and then wait a few seconds and get a server error.
### Logs
[log_llng.csv](/uploads/124328a5ed9a387e01999cd85ac8bd69/log_llng.csv)
I've already tried `sudo sysctl net.ipv4.tcp_keepalive_time=1800`
and setting `ldapTimeout` to a value like 10 sec (it's worse with this value).
Thanks a lot

## #2218 Manager can generate non-unique application id in menu
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2218
Author: Clément OUDOT. Updated: 2021-06-24T13:06:52Z
When creating a new application in the menu from the Manager, the application id is computed from the application name.
If this application has the same name as an application in another category, then it will get the same id, which is possible as applications are sorted by categories in the application hash. But if you change the display rule of the first application, the second application will also be impacted, as they have the same id, and this id is removed from applications shown in the portal.
I am not sure how to fix this...
Labels/milestone: 3.0.0. Assignee: Clément OUDOT

## #2202 Manager - LDAP auth backend - Option for retrieving groups from memberOf attributes
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2202
Author: Gilles Filippini. Updated: 2020-05-11T09:15:14Z
Hi,
This is a feature request for the Manager LDAP auth backend.
It would be convenient to have an option in the LDAP Groups configuration for retrieving the user's LDAP groups from the memberOf attributes and having them stored in the $hGroups internal variable, the same way they are when using the regular groups retrieval.
Then one could switch between regular and memberOf groups retrieval with no consequences on the inGroup() usage in their macros and access rules.
See discussion on the ML [1].
[1] https://mail.ow2.org/wws/arc/lemonldap-ng-users/2020-05/msg00057.html
Thanks,
Labels/milestone: Backlog