lemonldap-ng merge requests
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests
Feed updated: 2023-02-27T18:40:43Z

!330 OIDC RP Initiated Logout: ensure RP can not bypass confirmation
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/330
Updated: 2023-02-27T18:40:43Z
Author: Yadd
Milestone: 2.17.0

!344 Resolve "unreachable LDAP server blocks initialization for too long"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/344
Updated: 2023-06-08T12:01:09Z
Author: dcoutadeur
Milestone: 2.17.0
Related to #2932

!356 Add AppGrid API (#2955)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/356
Updated: 2023-07-06T14:47:35Z
Author: Yadd
Milestone: 2.17.0

!350 Append OAuth2ST wrapper (#2947)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/350
Updated: 2023-07-12T22:15:48Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.17.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>
Provide a handler able to handle AccessToken, ServiceToken and Cookie.

!371 Display captcha in password form (#2952)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/371
Updated: 2023-08-29T16:31:41Z
Author: Christophe Maudoux <chrmdx@gmail.com>
Milestone: 2.17.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>
Append captcha to lemonldap-ng-portal/site/templates/bootstrap/password.tpl

!400 Update German de.json regarding TOTP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/400
Updated: 2023-12-19T21:31:46Z
Author: Walter Bender
Assignee: Clément OUDOT
This is the German translation regarding TOTP as 2FA.

!426 No Authen::WebAuthn for EL7
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/426
Updated: 2024-01-08T11:30:53Z
Author: Xavier Bachelot
Fixes #3072

!144 Allow user to set their login when registering
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/144
Updated: 2024-01-14T20:34:24Z
Author: Ghost User
Milestone: 3.0.0
Assignee: Clément OUDOT
Hi,
I added the possibility for a registering user to set their login.
Changes:
+ Introduce `registerDisplayLoginInput` config variable to toggle the visibility of the login input.
+ Use `registerDisplayLoginInput` to create a template variable `DISPLAY_LOGIN_INPUT`
+ Create a login input in `register.tpl`
+ Add the login param to the `registerInfo` object in `Register.pm`
+ Use the provided login instead of calling `computeLogin`
+ Make the `isLoginUsed` method a public method in `SAML` and `AD`
+ Add an `isLoginUsed` method to `DEMO` to make it compliant with the new API requirement
+ Add default values for the variables in `Attributes.pm`
Extra changes:
+ Introduce `loginControl` config variables to validate the login and validate the login in the registration flow in `Register.pm`
+ Introduce `registerLdapObjectClasses` config variable to customize the `objectClass` in `userCreation` in `LDAP.pm` and `AD.pm`
+ Introduce `registerTransformNames` to prevent first and last name transformation in `userCreation`
Needed changes (I would need guidance):
+ Create a `PE_LOGINALREADYEXISTS` variable in `Register.pm` and a correct error message
+ Add inputs in manager
+ Write tests

!446 More checkXSS
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/446
Updated: 2024-02-06T16:40:31Z
Author: Yadd
Assignee: Clément OUDOT
Import XSS fix from v2.0

!452 fix diff of variables named with top-level configuration keys (#3107)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/452
Updated: 2024-02-23T13:24:32Z
Author: philippe lhardy <philha@worteks.com>
- check value is a HASH before getting its hash length
  (a leaf variable value is a string)
Related to #3107

!459 Add failedLogin code 110 PR_RETRY_2FA in history on failure retry (#3106)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/459
Updated: 2024-03-08T09:52:47Z
Author: philippe lhardy <philha@worteks.com>
- each 2FA retry failure is recorded as a failure within history
- _utime date of any history record is now the actual date and not the _utime of the session
- update test 77-2F-Retry for history length side effect
- create dedicated test case 77-2F-Retry-BruteForce

!472 Allow dynamic portal URL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/472
Updated: 2024-03-28T16:36:33Z
Author: Maxime Besson
Milestone: 2.19.0
Assignee: Maxime Besson
This MR fixes #3040 by restoring the ability to have a sub as the portal URL in the handler, and making the portal aware of this.
The main mechanism is storing the portal URL in the $req object.
It can be enabled like this:
```
# auto-set the cookie domain to the portal subdomain
domain => '#PORTALDOMAIN#',
# use auth.acme.com for all apps on *.acme.com, and auth.example.com in every other case (including CDA)
portal =>
'inDomain("acme.com") ? "http://auth.acme.com/" : "http://auth.example.com/"',
```
I have also ported some, but not all, features of LemonLDAP to be compatible with this new ability:
* OIDC Issuer
* WebAuthn/U2F
But not Auth::SSL (as of yet)
I have written some minimal unit tests, and will be conducting some in-situation testing with a user over the next months. This therefore should be considered a beta feature (which is why I haven't documented it yet)

!471 Split refresh session function (#3101)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/471
Updated: 2024-03-26T13:21:11Z
Author: Maxime Besson
Milestone: 2.19.0
Assignee: Maxime Besson
This lets other plugins, such as the OIDC issuer, reuse the "refresh" logic.
I have refactored Refresh Token user refresh to reuse this new method. It means that new Offline refresh sessions will keep more attributes from now on

!470 Draft: add common lib to reset password
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/470
Updated: 2024-03-27T10:21:30Z
Author: Yadd
Milestone: 2.20.0
Assignee: Yadd
Related to #3125

!469 New special values for "domain" parameter
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/469
Updated: 2024-03-19T07:56:39Z
Author: Maxime Besson
Milestone: 2.19.0
Assignee: Maxime Besson
This MR is preliminary work for #3040
It introduces new options for "domain":
* empty string: means cookies are only valid for the portal itself. This might be used in some extremely specific situations (SAML/OIDC/CAS only + no manager)
* #PORTAL#: use the same domain as the portal such as auth.example.com *including subdomains*
* #PORTALDOMAIN#: use the parent domain of the portal, such as example.com
Once #3040 is complete, this work will allow the cookie domain to be completely derived from `$req`
We could even already make `#PORTALDOMAIN#` the default in new installs? This way users will only have to change the "portal" variable in most situations.

!468 #1848: Showing Authentication Schema based on Auth Level
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/468
Updated: 2024-03-27T10:13:22Z
Author: Abhishek Pai
Milestone: 2.19.0
Related to #1848

!467 Fix configuration cache
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/467
Updated: 2024-03-19T07:58:26Z
Author: Maxime Besson
Milestone: 2.19.0
Assignee: Maxime Besson
This MR addresses #3112 by no longer storing ini overrides in the shared configuration cache, but instead reapplying overrides (and default values) after reading from cache.
This means default values are copied every time we call getConf, but thanks to checkTime, it happens at most 1 time per second

!466 Render session cache more resilient (#3121)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/466
Updated: 2024-03-27T09:08:26Z
Author: Yadd
Milestone: 2.19.0
Assignee: Yadd
Related to #3121
Two kinds of errors are managed here:

| Error | Previous behavior | New behavior | Change |
| --- | --- | --- | --- |
| Cache works but data was corrupted | Failure | Warn and call central cache | In [Common::Apache::Session::Store](lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm), try to unserialize data |
| Cache fails | Failure | Warn and call central cache | In [Common::Apache::Session::Store](lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm), `eval` all cache calls |

!465 #3102: Adding ordering to login history columns.
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/465
Updated: 2024-03-18T11:01:43Z
Author: Abhishek Pai
Milestone: 2.19.0
#3102

!464 Add a request correlation ID to $req
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/464
Updated: 2024-03-12T15:12:10Z
Author: Maxime Besson
Milestone: 2.19.0
Assignee: Maxime Besson
This MR attempts to help make logs more usable by providing a `request_id` field in `$req`.
This request ID is set by mod_unique_id (Apache), or by a new configuration directive in Nginx.
It allows correlating access logs and error logs.
This new feature is not enabled by default, but is easy to configure by changing the web server log format + enabling and configuring log4perl.
It will also be used in #2941
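The following script is an added illustration of the two related MRs above, !472 (a rule expression as the portal URL, evaluated per request) and !469 (the `''`, `#PORTAL#` and `#PORTALDOMAIN#` values of the `domain` setting). It is not LemonLDAP::NG code: the functions `resolve_portal` and `cookie_domain`, the `$REQ_HOST` variable, the label-boundary suffix check in `inDomain` and the "drop the leftmost label" parent-domain derivation are all assumptions made here; only the rule string is taken from the MR description.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: per-request portal resolution from a
# rule expression (!472) and cookie-domain derivation from the "domain"
# special values (!469). Helper names and the suffix logic are assumptions.
use strict;
use warnings;

our $REQ_HOST;    # host of the request currently being evaluated

# Helper visible to rule expressions: true when the request host is $dom or a
# subdomain of it. The match is on a label boundary, so "notacme.com" is not
# inside "acme.com" (a plain substring check would get this wrong).
sub inDomain {
    my ($dom) = @_;
    return $REQ_HOST eq $dom || $REQ_HOST =~ /\.\Q$dom\E\z/;
}

# Evaluate the configured portal rule for one request. The rule is a Perl
# expression that comes from the trusted configuration only, which is the sole
# reason eval STRING is acceptable; never let request data reach it.
sub resolve_portal {
    my ( $rule, $host ) = @_;
    local $REQ_HOST = $host;
    my $portal = eval $rule;
    die "portal rule failed: $@" if $@;
    die "portal rule did not return an http(s) URL\n"
        unless defined $portal && $portal =~ m{^https?://}i;
    return $portal;
}

# Map the "domain" setting to the Domain attribute of the session cookie.
# undef means "send no Domain attribute", i.e. a host-only cookie.
sub cookie_domain {
    my ( $setting, $portal ) = @_;
    my ($phost) = $portal =~ m{^https?://([^/:?#]+)}i
        or die "cannot extract host from portal URL $portal\n";
    return undef  if $setting eq '';            # valid for the portal host only
    return $phost if $setting eq '#PORTAL#';    # portal host; browsers also send it to subdomains
    if ( $setting eq '#PORTALDOMAIN#' ) {
        my @labels = split /\./, $phost;
        # Naive parent derivation (assumption): drop the leftmost label. A real
        # implementation should consult the public suffix list so that a portal
        # on e.g. auth.co.uk cannot end up setting cookies for "co.uk".
        die "portal host $phost has no usable parent domain\n" if @labels < 3;
        shift @labels;                           # auth.example.com -> example.com
        return join '.', @labels;
    }
    return $setting;                             # literal domain, unchanged behaviour
}

# Rule taken from the MR description: auth.acme.com for *.acme.com,
# auth.example.com in every other case.
my $rule = 'inDomain("acme.com") ? "http://auth.acme.com/" : "http://auth.example.com/"';

for my $host (qw(app.acme.com acme.com notacme.com intranet.example.org)) {
    my $portal = resolve_portal( $rule, $host );
    printf "%-22s portal=%-26s PORTALDOMAIN=%-12s PORTAL=%-16s empty=%s\n",
        $host, $portal,
        cookie_domain( '#PORTALDOMAIN#', $portal ),
        cookie_domain( '#PORTAL#',       $portal ),
        cookie_domain( '',               $portal ) // '(host-only)';
}
```

Run with `perl portal_domain.pl`: the two acme hosts resolve to `http://auth.acme.com/` with cookie domain `acme.com`, while `notacme.com` and `intranet.example.org` fall through to `http://auth.example.com/` and `example.com`. The two checks worth keeping in any real implementation are the label-boundary test in `inDomain` and the refusal to derive a parent domain that would be a public suffix, since a too-wide `Domain` attribute leaks the SSO cookie to every site under that suffix.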
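As an added example of the behaviour !466 describes (not the project's code, which lives in `Lemonldap::NG::Common::Apache::Session::Store` and is not reproduced here), the script below wraps every local-cache call in `eval` and checks that what the cache returns unserializes to a hash, warning and falling back to the central session store on either failure. `LocalCache`, `%CENTRAL`, `get_session` and the session contents are constructed stand-ins.

```perl
#!/usr/bin/perl
# Added example, not LemonLDAP::NG code: the two failure modes from !466
# (corrupted cache entry, failing cache backend) handled by warning and
# falling back to the central store. LocalCache and %CENTRAL are stand-ins.
use strict;
use warnings;
use Storable qw(freeze thaw);

# Minimal in-memory cache that can be told to fail, to simulate a broken or
# unreachable local cache backend.
package LocalCache {
    sub new { my ( $class, %opt ) = @_; return bless { %opt, data => {} }, $class }
    sub get {
        my ( $self, $key ) = @_;
        die "cache backend down\n" if $self->{broken};
        return $self->{data}{$key};
    }
    sub set {
        my ( $self, $key, $value ) = @_;
        die "cache backend down\n" if $self->{broken};
        $self->{data}{$key} = $value;
        return 1;
    }
}

package main;

# Constructed central store contents: session id -> session data.
my %CENTRAL = ( s1 => { _session_id => 's1', uid => 'dwho', _utime => 1711000000 } );

# Session lookup: every cache call is inside eval, and cached data must thaw
# to a hash before it is trusted. Any problem is logged and the central
# store answers instead; the cache entry is then rewritten (also non-fatal).
sub get_session {
    my ( $cache, $id ) = @_;

    my $data = eval {
        my $frozen = $cache->get($id);                       # may die
        my $obj = defined $frozen ? thaw($frozen) : undef;   # dies on a corrupted image
        die "cache entry for $id is not a serialized hash\n"
            if defined $frozen && ref $obj ne 'HASH';
        $obj;
    };
    if ($@) {
        warn "local session cache unusable for $id: $@";    # alert on this in production
        $data = undef;
    }
    return $data if $data;

    my $central = $CENTRAL{$id} or return undef;            # unknown session: real miss
    eval { $cache->set( $id, freeze($central) ) };
    warn "could not refresh local cache for $id: $@" if $@;
    return $central;
}

# 1. Cache works but holds garbage: warn, use central copy, repair the entry.
my $cache = LocalCache->new;
$cache->{data}{s1} = 'definitely not a Storable image';     # simulate corruption
my $s = get_session( $cache, 's1' );
print "corrupted entry -> uid=$s->{uid}\n";
print "entry repaired  -> ", ( ref( thaw( $cache->get('s1') ) ) eq 'HASH' ? 'yes' : 'no' ), "\n";

# 2. Cache backend dies on every call: warn, use central copy.
my $broken = LocalCache->new( broken => 1 );
$s = get_session( $broken, 's1' );
print "backend down    -> uid=$s->{uid}\n";

# 3. Session unknown everywhere: plain undef, no warning.
print "unknown session -> ", ( defined get_session( $cache, 'nope' ) ? 'found' : 'undef' ), "\n";
```

Both failure cases print the same `uid=dwho` after a warning on stderr, and the corrupted entry is overwritten with a valid image on the first lookup. The operational caveat is that a permanently broken local cache turns every request into a central-store read and a warning; the warning must be monitored rather than silenced, otherwise the fallback hides an outage that degrades the central store under load.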