# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2024-03-27T13:29:12Z

## #3127 Support SAML subject-id and pairwise-id natively
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3127
Updated: 2024-03-27T13:29:12Z | Author: Maxime Besson

subject-id and pairwise-id are replacements for SAML NameIDs, in use in Renater/Edugain federations:
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html
Currently, subject-id and pairwise-id can be enabled via a macro, but this is complex to configure, especially pairwise-id, which must be configured as a per-SP macro for all SPs.
Maybe we should natively implement subject-id and pairwise-id through simple options in SAML SP configs.

Milestone: 2.20.0 | Assignee: Maxime Besson

## #3126 Allow multiple TOTP devices to be registered
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3126
Updated: 2024-03-27T10:11:12Z | Author: Maxime Besson

### Summary
Currently it is possible to register multiple Webauthn devices, but not multiple TOTP.

Milestone: 2.20.0 | Assignee: Maxime Besson

## #3125 Add base class for "reset password by SMS"
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3125
Updated: 2024-03-27T10:22:31Z | Author: Yadd

SMS APIs are not standard, however we could easily have a base class to prepare for that.
### Design proposition
* Move part of [MailPasswordReset](lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm) into "Lib/PasswordReset.pm"
* Maybe create a "Lib/SMSBase.pm" that stores custom parameters somewhere and just needs a "sendSMS" method in subclasses
* Create a "Lib/SMS.pm" that requires a class that exposes a `sendSMS($phone, $text)`
* Create a "Plugins/SMSPasswordResetBase.pm" that inherits from "Lib/PasswordReset.pm" and uses "Lib/SMS.pm"

Milestone: 2.20.0 | Assignee: Yadd

## #3124 Allow users to configure WebAuthn relying party ID
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3124
Updated: 2024-03-20T13:29:26Z | Author: Maxime Besson

### Summary
Some users want to use an external system to register WebAuthn credentials.
This requires a given WebAuthn device to share credentials between the portal and the registration system.
### Design proposition
Allow the RP ID to be configured in 2F::WebAuthn.

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3123 JWKS timeout is not implemented
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3123
Updated: 2024-03-27T10:40:19Z | Author: Maxime Besson

### Affected version
Version: 2.18.2
### Summary
* Configure Auth::OpenIDConnect with a test OP
* Set oidcOPMetaDataOptionsJWKSTimeout = 30 (or any non-zero value)
* When restarting the portal, the JWKS is downloaded :white_check_mark:
* After 30 seconds, the JWKS is not refreshed :x:

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3122 Random DB errors when using llng-fastcgi-server in foreground mode
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3122
Updated: 2024-03-27T09:37:24Z | Author: Maxime Besson

### Affected version
Version: 2.18.2
Platform: FastCGI server with the coudot/lemonldap-ng docker image
### Summary
* I have customized the coudot/lemonldap-ng image to use CDBI with a mariadb server
* I encounter difficult-to-predict DB errors
* Errors can be easily triggered with high load and a disabled configuration cache
### Logs
Some of the errors that pop up:
```
DBD::mysql::db selectrow_array failed: Unknown or undefined error code
...
DBD::mysql::db selectrow_arrayref failed: fetch() without execute()
```
### Root cause
llng-fastcgi-server [instantiates a handler](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.18.2/fastcgi-server/sbin/llng-fastcgi-server?ref_type=tags#L121) during startup.
This is needed to have shared status (apparently). But this action causes DBI to cache a connection to the database.
This connection cache is preserved after the processes are forked by:
* Plack startup (only when --foreground is not set)
* The FastCGI process manager (NPROC worker processes)
During the Plack startup fork, the parent process exits, which runs DBI cleanup and closes the file descriptor, therefore invalidating the cache in the other processes.
When --foreground is set, the file descriptor remains open and is reused until:
* That shared connection is closed by the SQL server
* One of the processes terminates
### Possible fixes
Either:
* Revert 019f1e75e829ec9fdfc34d23e2874398a5cba8f0 and find another way to share the status server
* Find another way to have working docker logs without --foreground, and remove this option
* Fork llng-fastcgi-server one more time before handing control to Plack

Milestone: 2.20.0 | Assignee: Maxime Besson

## #3118 Minimal LDAP server load-balancing
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3118
Updated: 2024-03-08T14:10:26Z | Author: Yadd

[Net::LDAP](https://metacpan.org/pod/Net::LDAP) provides a way to have more than one LDAP server, which permits a fallback. However, it always tries the servers in the same order. This has some issues:
- only one server is used
- when the first server is down, all LDAP connections are slowed down, waiting for the first failure
### Design proposition
This should be pushed to [Lemonldap::NG::Portal::Lib::Net::LDAP](lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm) and [Apache::Session::Browseable](https://metacpan.org/pod/Apache::Session::Browseable).
```perl
use strict;
use warnings;
use Net::LDAP;

# Process-wide state, shared by every connection created in this process:
# servers known to be down, and the server list of each configuration,
# kept in rotation order
our %knownDown;
our %knownLdapServerStrings;

# Sort comparator: servers known to be down are moved to the end of the list
sub sortDead {
    return 1  if $knownDown{$a} and !$knownDown{$b};
    return -1 if $knownDown{$b} and !$knownDown{$a};
    return 0;
}

# ...
sub new {
    my ( $class, $conf ) = @_;
    my $self = bless {}, $class;
    # ...
    # ldapServer is a space-separated list of URIs; default to localhost
    my $serverString = $conf->{ldapServer} || 'localhost';
    $knownLdapServerStrings{$serverString} ||= [ split( /\s+/, $serverString ) ];

    # Simple round-robin if asked: rotate the list by one entry per connection
    if ( $conf->{ldapRoundRobbin} ) {
        my $head = shift @{ $knownLdapServerStrings{$serverString} };
        push @{ $knownLdapServerStrings{$serverString} }, $head;
    }

    # Push servers which have failed to the end of the list
    my @uris  = sort sortDead @{ $knownLdapServerStrings{$serverString} };
    my $first = $uris[0];

    # ... create LDAP object using \@uris (Net::LDAP tries them in order)
    $self->{ldap} = Net::LDAP->new( \@uris ) or return;
    # URI of the server Net::LDAP actually connected to
    $self->{net_ldap_uri} = $self->{ldap}->uri;

    # Update the knownDown list:
    # The server chosen by Net::LDAP is up
    delete $knownDown{ $self->{net_ldap_uri} };
    # If Net::LDAP picked another server, this means that the first one is down
    if ( $self->{net_ldap_uri} ne $first ) {
        $knownDown{$first} = 1;
    }
    # ...
    return $self;
}
```
@clement_oudot, @maxbes: what do you think?

Milestone: In discussion | Assignee: Yadd

## #3116 Restart authentication process when error is linked to token expiration
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3116
Updated: 2024-03-27T10:59:00Z | Author: Clément OUDOT

Currently, when the security token is expired (`Returned error: 82 (PE_TOKENEXPIRED)`), we end up on the error page and the user must return to the portal to restart the authentication process.
It could be better to display the error on the login form so the user can directly restart the authentication process.

Milestone: 2.20.0

## #3111 Hide Code2F secrets even from debug logs
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3111
Updated: 2024-03-27T10:25:25Z | Author: Maxime Besson

Currently, secrets such as OTP codes (Code2F.pm) are displayed in cleartext in debug logs.
This is useful for debugging.
Some users want to be able to hide the values even from error logs.
We should find a way to do this, maybe a special value in hiddenAttributes?

Milestone: 2.19.0 | Assignee: Clément OUDOT

## #3110 _2fDevices redaction corrupts session
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3110
Updated: 2024-03-27T10:45:57Z | Author: Daniel Berteaud

### Affected version
Version: 2.18.2
Platform: Alma Linux 9, custom Docker image (using the RPMS from https://lemonldap-ng.org/redhat/stable/)
### Summary
Active Directory grants an auth level of 2, and some apps require an auth level of 5. The Upgrade Session plugin handles the re-auth with a second factor (WebAuthn and TOTP are configured). While this is working, I sometimes have a corrupted session. The issue comes from the `_2fDevices` attribute, which looks like
```plaintext
"_2fDevices": "******"
```
As LL::NG is expecting a JSON array, this is breaking. The session can neither be displayed in the manager, nor can it be upgraded with 2FA. If I try to access an app which requires an authLevel of 5, I just get a white page with "Internal Server Error" instead of the 2FA upgrade page on the portal.
### Logs
```plaintext
[Wed Feb 28 10:04:12 2024] [LLNG:655] [warn] User rejected due to insufficient authentication level
[Wed Feb 28 10:04:12 2024] [LLNG:655] [warn] -> Session upgrade enabled
[Wed Feb 28 10:04:12 2024] [LLNG:655] [error] Corrupted session (_2fDevices): malformed JSON string, neither tag, array, object, number, string or atom, at character offset 0 (before "******") at /usr/share/perl5/vendor_perl/JSON.pm line 190.
[uwsgi-perl error] Can't use an undefined value as an ARRAY reference at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/2F/Engines/Default.pm line 305.
[Wed Feb 28 10:04:54 2024] [LLNG:41] [error] Corrupted session (_2fDevices): malformed JSON string, neither tag, array, object, number, string or atom, at character offset 0 (before "******") at /usr/share/perl5/vendor_perl/JSON.pm line 190.
[uwsgi-perl error] Can't use an undefined value as an ARRAY reference at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/2F/Engines/Default.pm line 305.
```
### Backends used
uwsgi and nginx for the portal and manager, Traefik and uwsgi for the Handler, postgres for configuration and sessions, Active Directory (samba4) for UserDB and PasswordDB. Handlers are using the REST API for config and session. I think the issue comes from here. `_2fDevices` is a hidden attribute (I don't know where this is configured yet). I've enabled "Export secrets attributes" on the REST server, but it doesn't look like it changes anything. As the handler gets a `"*******"` from the REST API for the session, when it updates the session, it corrupts it in the session database. Attribute redaction should honor the attribute type (e.g., set `_2fDevices` to `["*****"]` instead of `"*****"`) so at least the session wouldn't be corrupted. I also need to find how to remove `_2fDevices` from the hidden attribute list so it can be served to my handlers with the REST API, but this is probably just a matter of correct configuration.

Milestone: 2.20.0

## #3103 Add a plugin/issuer for Jitsi Meet JWT authentication
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3103
Updated: 2024-03-27T04:30:33Z | Author: Maxime Besson

The popular Jitsi Meet application does not use OIDC or SAML, but relies on a custom JWT format.
Some projects already bridge the gap between Jitsi and standard SSO protocols:
https://github.com/Renater/Jitsi-SAML2JWT
(and others)
But they require deploying yet another piece of software, usually from Docker.
We could include a plugin that does the same job, directly inside LLNG.

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3097 manager API: allow registration of 2FA
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3097
Updated: 2024-03-27T08:34:27Z | Author: Maxime Besson

For now the 2FA endpoints of the manager API do not support creating new 2F devices.
We should provide endpoints for writing to _2fDevices conveniently.
TODO: create new persistent session

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3096 No more logs "Session granted for *"
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3096
Updated: 2024-02-01T17:14:32Z | Author: dcoutadeur dcoutadeur

As stated by the documentation:
https://lemonldap-ng.org/documentation/2.0/logs.html#user-log-samples
we should have a log displaying the user logged in and his IP address:
```
[notice] Session granted for dwho by LDAP (81.20.13.21)
```
However, now the log is managed by the GrantSession plugin, which is not enabled by default, as in the configuration we have:
```
'grantSessionRules' => {}
```
and an empty hash is considered disabled.
This issue is just to discuss the desired behaviour:
- set a default value:
```
'grantSessionRules' => {
    'always allowed##default_rule' => 1
}
```
- fix the documentation to indicate that there is no log by default, except if the admin sets a grantSessionRule

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3092 Display an error message when issuer context is not restored
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3092
Updated: 2024-01-25T15:49:33Z | Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Configure LLNG as a SAML/OIDC or CAS issuer
* Initialize login from an SP
* Log in using 2FA, SAML or something else that takes longer than issuersTimeout to perform
* Login works, but you are redirected either to the portal (SAML/CAS) or to an error message (OIDC)
### Logs
```
[INFO] Bad (or expired) token 1706124567_32351
[ERROR] Unknown response type:
```
### Possible fixes
The user often gets confused about ending up on the portal; we should at least give them an error message that says they took too long, so that they can understand why the application isn't displayed.

Milestone: 2.19.0 | Assignee: Maxime Besson

## #3091 Send mail on password change doesn't work correctly
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3091
Updated: 2024-03-27T10:46:54Z | Author: Gabriele Licari

### Affected version
Version: 2.18.1
Good Morning,
The option "Send a mail when password is changed" is activated, but users receive confirmation of the password change only when they force the reset (forgotten password), not when they change it independently once logged in. What can I check to fix this?
This seems to be a bug.

Milestone: 2.19.0 | Assignee: Clément OUDOT

## #3089 Use Trusted Browser/Stayconnected with 2FA and SAML proxy/client
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3089
Updated: 2024-03-27T10:59:40Z | Author: Walter Bender

### Affected version
Version: 18.0.1
Platform: Nginx
### Summary
The new Trusted Browser plugin worked without problems and sets the corresponding cookie llngconnection when using standard authentication methods.
But we also use lemonldap as SAML proxy/client.
In our production system we directly redirect a SAML proxy to our main system. No Trusted Browser cookie is set on the proxy server (only on the main system).
On our test system with an authentication choice, we can manually check the corresponding "stayconnected/trusted browser" checkbox (which is imho not usable with a direct redirection to the productive main SAML server), but the cookie will also not be set. Therefore we cannot use the Trusted Browser plugin (with 2FA) when the plugin is (only) activated on the SAML proxy/client.
### Logs
```
2024-01-23T12:41:05.709145+01:00 XXX LLNG[8550]: [debug] Module Lemonldap::NG::Portal::Plugins::TrustedBrowser loaded
2024-01-23T12:41:05.709239+01:00 XXX LLNG[8550]: [debug] Declaring unauth route
2024-01-23T12:41:05.709294+01:00 XXX LLNG[8550]: [debug] Add POST route:
2024-01-23T12:41:05.709340+01:00 XXX LLNG[8550]: [debug] route registerbrowser added
2024-01-23T12:41:05.709396+01:00 XXX LLNG[8550]: [debug] Declaring auth route
2024-01-23T12:41:05.709436+01:00 XXX LLNG[8550]: [debug] Add POST route:
2024-01-23T12:41:05.709483+01:00 XXX LLNG[8550]: [debug] route registerbrowser added
2024-01-23T12:41:05.709555+01:00 XXX LLNG[8550]: [debug] Declaring unauth route
2024-01-23T12:41:05.709595+01:00 XXX LLNG[8550]: [debug] Add POST route:
2024-01-23T12:41:05.709682+01:00 XXX LLNG[8550]: [debug] route checkbrowser added
2024-01-23T12:41:05.709746+01:00 XXX LLNG[8550]: [debug] Declaring auth route
2024-01-23T12:41:05.709789+01:00 XXX LLNG[8550]: [debug] Add POST route:
2024-01-23T12:41:05.709842+01:00 XXX LLNG[8550]: [debug] route checkbrowser added
2024-01-23T12:41:05.710152+01:00 XXX LLNG[8550]: [debug] Found beforeLogout entry point:
2024-01-23T12:41:05.710229+01:00 XXX LLNG[8550]: [debug] -> logout
2024-01-23T12:41:05.710289+01:00 XXX LLNG[8550]: [debug] Plugin ::Plugins::TrustedBrowser initialized
```
### Backends used
- Trusted Browser plugin
- SAML as IDP and Service Provider
- 2FA
### Possible fixes

Milestone: 2.20.0

## #3086 Make systemd timers taken from debian directory available globally
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3086
Updated: 2024-03-27T10:01:48Z | Author: Xavier Bachelot

### Summary
Make systemd timers taken from the debian directory available globally.
### Design proposition
Also make sure variables set when calling make are properly replaced in the various provided systemd/cron/etc. files.
General housekeeping of the Makefile.
See !435.

Milestone: 2.19.0 | Assignee: Xavier Bachelot

## #3082 Debian packaging
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3082
Updated: 2024-03-27T11:25:29Z | Author: Christophe Maudoux (chrmdx@gmail.com)

### Summary
I am not sure I understand LL::NG packaging well...
What is the purpose of, and the difference between, these files?
```
lemonldap-ng/lemonldap-ng-handler/eg/llng-server.psgi
lemonldap-ng/lemonldap-ng-common/eg/llng-app.psgi
lemonldap-ng/fastcgi-server/psgi/llngapp.psgi
```
Furthermore, the hook to load customHandler, present in the files below:
```
lemonldap-ng/fastcgi-server/sbin/llng-fastcgi-server
lemonldap-ng/fastcgi-server/psgi/llngapp.psgi
```
is missing in the file below:
```
lemonldap-ng/lemonldap-ng-handler/eg/llng-server.psgi
```
just as the middleware to downgrade UTF8 is missing in
```
lemonldap-ng/fastcgi-server/psgi/llngapp.psgi
```
Last question: in the LL::NG code, we refer to 'llng-fastcgi-server'
```
fastcgi-server/systemd/llng-fastcgi-server.service
```
But in the Debian packaging we refer to 'lemonldap-ng-fastcgi-server'
```
lemonldap-ng/debian/lemonldap-ng-fastcgi-server.service
```
### Design proposition
It could be interesting to harmonize all these files.

Milestone: 2.20.0 | Assignee: Xavier Bachelot

## #3078 Allow transmission of extra attributes in Auth/UserDB/Password::REST
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3078
Updated: 2024-03-27T10:26:26Z | Author: Maxime Besson

Currently, it's possible to transmit extra attributes in 2F::REST but not in Auth::REST etc.

Milestone: Backlog | Assignee: Maxime Besson

## #3074 lemonldap-ng-cli restore support -force & -cfgNum
Link: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3074
Updated: 2023-12-26T03:14:29Z | Author: Hailong Wang

### Summary
Like lemonldap-ng-cli merge, set & addKey, lemonldap-ng-cli restore should support -force & -cfgNum, to force the configuration version not to increase. There is a need to delete some configurations that cannot be removed by the `del` & `delKey` commands when restarting the container.
### Design proposition
Add `force` & `cfgNum` logic in https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Cli.pm#L394