  • v2.0.9 protected   Publish release 2.0.9
    dc304d18 · Update Debian NEWS file
    Release v2.0.9
    • Bugs:

      • #1659: RESTProxy doesn't fully work as a UserDB module
      • #1980: Refresh my rights causes error 500 with OIDC provider
      • #2190: 2.0.6 -> 2.0.8 sends "ARRAY (xxxx)" instead of Groups
      • #2196: Unable to display integer field with other fields in Manager
      • #2199: StayConnected plugin not working due to error in fingerprint javascript
      • #2200: Bad default value for portalDisplayOidcConsents
      • #2211: Setting yubikey verification URL to an empty value does not fallback to Yubikey_Webclient URL
      • #2212: Captcha or OTT is not renewed if Impersonation process failed
      • #2215: CheckUser idRule is checked only if session is computed
      • #2217: Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
      • #2221: Bad error message when conf backend fails to load
      • #2222: Errors in lemonldap-ng.ini are not correctly reported
      • #2223: Misleading error reporting when failing to save conf in lemonldap-ng-cli
      • #2224: regression in redirection to SAML urls with query string after #2085
      • #2229: Impersonation plugin: real_hGroup value is overwritten when specified groups are merged
      • #2230: LLNG 2.0.8 - Error on portal.js with IE 11
      • #2234: Prevent browser caching in sendJSONresponse
      • #2237: SAML SP error with auth kerberos
      • #2250: [CVE-2020-16093] Peer certificate not checked when using LDAPS
      • #2253: clearing oidcRPMetaDataOptionsLogoutUrl leads to Bad URL error
      • #2254: Local session cache and systemd PrivateTmp
      • #2256: Multivalued attributes are not returned as array in OpenID Connect userinfo endpoint
      • #2257: Missing country in OpenID Connect Address Claim
      • #2258: Error when using lougout_app_sso
      • #2261: Refresh my rights fails when Auth=SAML and UserDB=LDAP
      • #2263: Incorrect SOAP Content-Type
      • #2271: Labels are not working in auth form
      • #2272: Secure flag missing on lemonldappdata cookie and during logout
      • #2274: pdata cookie with SameSite value not equal to NONE is not removed and logout request leads to an internal server error with federate flow on SP side
      • #2275: sgRequired option does not work when global storage is enabled for token
      • #2287: LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
      • #2288: LL:NG 2.0.8 manager missing doc-referenced "Login History" tab
      • #2289: Special chars password policy is not displayed if password is expired
      • #2290: [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
      • #2296: skippedGlobalTests / skippedUnitTests have no effect (again)
      • #2305: Error in call to _launch in Lemonldap::NG::Common::Conf delete() method
      • #2306: ldapGroupDecodeSearchedValue does not apply to recursive group search
      • #2307: Password form not displayed when "password change after reset" is returned by LDAP ppolicy and Combination used for authentication
    • New features:

      • #1646: integrate documentation into the codebase
      • #2124: use 2FA only if and when needed
      • #2205: Add a session command line (CLI) tool
    • Improvements:

      • #1598: Proxy Backend support for Password Module (passwordDB)
      • #2188: Declare vhost with wildcard and prefix/suffix
      • #2189: Make externally-provisioned yubikeys easier to configure
      • #2193: Polish translation
      • #2195: Manager - Configuration's Author IP address field should honor $ipAddr
      • #2201: Avoid Portal to crash with bad GrantSession rule
      • #2203: Retrieve GPG keys and SSH keys in GitHub authentication module
      • #2207: Append an "Unrestricted users" rule to CheckUser, ContextSwitching and Impersonation plugins
      • #2214: add option to make convertConfig easier in most cases
      • #2225: REST session server is too intolerant of clock drift (2)
      • #2233: Error/Warnings id not replaced with CLI
      • #2239: Mail reset token should not be deleted at first page access
      • #2240: Add tests for CAS service URL and OIDC client ID (presence/unicity) when configuration is saved
      • #2241: Add CAS App management to the manager API
      • #2242: Display new supported grant_types in OIDC discovery page
      • #2244: Use configuration key in user log messages for all Issuer modules
      • #2249: Check password policy on the client side when changing password
      • #2251: Add a parameter for Syslog options
      • #2252: No host in logs to use with Fail2ban
      • #2265: increase log level for mail sending and password reset
      • #2273: URL is not set to Portal URL after ContextSwitching
      • #2276: Using bruteForceProtectionIncrementalTempo locks user at first attempt
      • #2278: Display instance name when prompting a message
      • #2280: User attribute based on local macro in Openid rp
      • #2281: Manage SameSite default behavior
      • #2283: Improve Notifications explorer to display done notifications content
      • #2284: Improve serviceToken debug logs
      • #2292: request "do not minify" json config option
      • #2295: Erroneous use of NTLM should be explicitly reported to the user
      • #2299: healthcheck endpoint for manager API
      • #2302: correct usage of invalid vs unvalid in code & messaging
      • #2303: Add del method to lemonldap-ng-cli
  • v2.0.8 protected   Tag release 2.0.8
    Release v2.0.8
    • Bugs:

      • #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18
      • #1659: RESTProxy doesn't fully work as a UserDB module
      • #1776: Manager breaks when moving a newly created category or application
      • #1939: expired issuer context is not reset when starting new authentication
      • #1990: [warn] Route xxx redefined when using the fastCGI server
      • #1992: Memory leak issue on CentOS 7 / perl 5.16
      • #2048: t/32-OIDC-Refresh-Token.t fails randomly
      • #2049: Unable to display notifications marked as done (DBI)
      • #2050: Wrong message displayed by CheckUser plugin
      • #2051: SAML Service Provider Macros are incorrectly displayed/saved by the manager
      • #2057: Log in request without captcha returns an internal server error
      • #2058: Use of configuration cache can mix global and local configuration parameters
      • #2059: Error in Manager / CLI / Editor when an attribute is not defined
      • #2061: pdata not cleaned with Kerberos authentication
      • #2063: Javascript error: window.datas is undefined
      • #2072: Configuration comparator error on application menu "order"
      • #2074: Portal menu : display condition with sp: does not work for SAML SP
      • #2080: SAML POST to SP becomes GET when an info is displayed
      • #2081: Parameter added to external redirect URL when info.tpl is used
      • #2082: SSLVarIf cannot be set in manager
      • #2085: OIDC provider doesn't work when info is displayed during the login process
      • #2086: LDAP notifications backend does not work
      • #2089: Old format notifications with file backend don't work
      • #2090: Session creation mixup when supplying an existing _session_id
      • #2097: Error after activating userLogger (Apache)
      • #2099: Error 500 when SAML Session is expired
      • #2101: Wildcard in virtualhost names : URL contains a non protected host
      • #2104: Sessions are not well computed by CheckUser plugin
      • #2105: Using RS* ID Token signature algorithm without a RSA key causes ID Token to be returned as "null"
      • #2111: Bad translation tag for password policy remaining grace message
      • #2113: Password policy warning before password expiration is badly displayed
      • #2116: Missing goToPortal translation for mails
      • #2118: Multivalued attributes received from CAS server stored as string "ARRAY" in session
      • #2120: OIDC: hybrid flow does not issue ID token
      • #2123: Rest2F does not transmit session attributes to Verify URL
      • #2127: Cache reload throws an error if status enabled
      • #2128: Manager with CDA issue
      • #2133: Issues with removed second factors notification system
      • #2138: logout forward doesn't work anymore
      • #2141: Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
      • #2142: OIDC consent validation fails after second factor form or redirection from external IDP
      • #2143: Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
      • #2144: OTT is not sent if SSL authentication fails with Choice
      • #2148: Bad request with Notification SPA
      • #2151: Session upgrade does not work with multiple second factors
      • #2152: Nginx configuration files do not work with IPv6
      • #2159: Single session module configuration
      • #2165: Server error with rule on Combination
      • #2167: OAuth2 handler should return 401 when access token is missing or invalid
      • #2168: LLNG is too strict on OIDC scope syntax
      • #2169: duplicates in _oidcConsents when scope is updated
      • #2171: Introspection endpoint does not recognize refreshed Access Tokens
      • #2179: refresh my rights downgrades authentication level set by 2FA
      • #2180: SingleSession plugin does not work if history is displayed
    • New features:

      • #2033: Manager API to reset 2FA
      • #2034: Manager API to manage SAML and OIDC clients
      • #2069: Manage Cookie SameSite value
      • #2136: Possibility to override language with a parameter in URL
      • #2154: Github authentication backend
    • Improvements:

      • #1598: Proxy Backend support for Password Module (passwordDB)
      • #1877: Option to run setMacros after setGroups
      • #1902: Configuration is saved even with errors with lemonldap-ng-cli
      • #1957: Provide packages for CentOS 8
      • #2046: compactConf is confusing
      • #2064: Do not show action buttons on portal when displaying waiting message (Kerberos or SSL Ajax call)
      • #2065: Improve diff.html templates to display Author, Date and Summary of both configurations
      • #2068: Append an option to set CSP frame ancestors header
      • #2070: LemonLDAP session cookie - SameSite attribute
      • #2071: Allow users to see and display their accepted notifications
      • #2073: Improve notifications SPA
      • #2076: Possibility to configure a custom CSS file
      • #2084: Make "error" the default log level for lasso
      • #2088: BruteForce module: increase delay between each login attempt
      • #2091: Better look for buttons in 2FA choice screen
      • #2093: CheckUser - Remove persistent session attributes if required
      • #2096: Improve introspection endpoint
      • #2102: Bad Autologin rule leads to error 500 and crashes the portal
      • #2103: Add a rollback option to lemonldap-ng-cli
      • #2106: CheckUser: Append an option to hide empty headers
      • #2108: "Underlying object can't load conf" is a bad error message
      • #2109: Securing the new API endpoints for 2.0.8 release
      • #2114: Improve adaptive display and show instance name
      • #2115: Possibility to select choice tab, as for menu tab
      • #2117: Remove warning messages "uninitialized value $encryption_mode"
      • #2119: Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
      • #2121: Prevent Portal to crash if Custom Functions module is not found
      • #2125: Internal Server Error when REST backend does not return a JSON Object
      • #2126: Prevent Portal to crash if a bad rule is used for enabling a plugin
      • #2129: AuthenticationLevel based macros and groups should be updated with second factor
      • #2130: Append password policy options to define and require special characters
      • #2131: Make json does nothing if only a Portal constant is appended
      • #2132: Application icons are displayed with real sizes by the Manager and it is not particularly convenient
      • #2135: Remove 'underscore' in notification reference
      • #2140: Append an option to define applications tooltip
      • #2145: Display a custom param with GlobalLogout plugin
      • #2149: Add an easy way to set level of additional second factors
      • #2155: Implement Resource Owner Password Credentials Grant
      • #2156: "Require 2FA" should be renamed
      • #2161: DBI should test that "table" is set
      • #2164: Make SingleSession options configurable by a rule
      • #2166: Configuration parser does not check validity of SAML/OIDC/CAS/vhost options
      • #2173: Make CheckUser options configurable by a rule
      • #2175: Reorganize OIDC RP options in manager
      • #2177: OIDC: Allow additional audiences for ID Token
      • #2178: Make require old password option configurable by a rule
      • #2182: Append a Show/Hide password button into change password form
      • #2184: SAML logout request returns 400 error code if session is not found
      • #2185: Append a rule to display sfaManager link
  • v2.0.7 protected   Tag release 2.0.7
    Release v2.0.7
    • Bugs:

      • #1893: Issuer urldc is lost after error in 2F flow
      • #1909: Reset password by email issue
      • #1943: [Security: medium, CVE-2019-19791] Apache access rules and SOAP/REST endpoints
      • #1945: passwordpolicy.tpl contains wrong tag
      • #1948: Translation menu does not work with Diff.html
      • #1949: Don't Store Password shows password in cleartext
      • #1952: "Attributes and macros" session keys should not be translated
      • #1953: Outgoing emails are missing a Date: field
      • #1954: zimbra preauth not working
      • #1955: Redirection lost after notification validation
      • #1960: REST config service not working
      • #1961: IDP selection rule regression in 2.0.0
      • #1963: Server Error with OpenID Connect register endpoint
      • #1964: Diff.html does not work with minified JS
      • #1966: Configuration reload does not apply changes to location rules
      • #1968: skippedUnitTests/skippedGlobalTests have no effect
      • #1969: Force password reset with LDAP password policy does not work if macro _whatToTrace is not defined
      • #1974: ServiceToken handler TTL value always set to default
      • #1984: Reset expired password doesn't trigger when using Combination
      • #2005: Error in portal "refresh my rights" feature when whatToTrace value is not equal to login
      • #2009: Display authentication error on login form with Combination Kerberos + LDAP
      • #2010: Kerberos not working with session upgrade
      • #2012: Several issues with notification system
      • #2013: Handler, yum install
      • #2018: After temporary ldap failure, ldap connections stop working forever
      • #2038: Missing type attribute in 2FA HTML inputs
      • #2045: Authenticating with external OpenID Connect Provider fails because of special chars in user name
    • New features:

      • #813: Provide refresh tokens in OpenID Connect
      • #1605: certificate reset by mail
      • #1956: DecryptValue plugin
      • #1999: Possibility to view/close other sessions opened for the same user
      • #2006: Create a web service for "refresh my rights"
    • Improvements:

      • #1590: Possibility to configure new plugins in Manager
      • #1905: Append overScheme for persistent sessions
      • #1941: After logged out from SP we are always redirected to IdP - Unable to go back to SP Portal
      • #1947: Highlight active module with Diff.html
      • #1967: allow different types of managerDN
      • #1983: The script purgeCentralCache should be more fault tolerant
      • #1988: Append a requiredAuthenticationLevel option for each uri
      • #1989: Main logo and lang icons are missing with upgradesession template
      • #1991: Some user logs not using whatToTrace for username
      • #1993: Same issue like (#1884) occurs with Issuer redirection
      • #1994: Append varInUri extended function
      • #1995: Add an option to force claims in ID token
      • #1996: REQUEST_URI env variable is not set by CheckUser plugin
      • #1997: Enable checkTime option by default
      • #1998: Misleading token ID format
      • #2003: Possibility to set attributes and extra claims in OIDC registration endpoints
      • #2007: Password change prompt displayed even if initial auth fails
      • #2008: Specific message and error code for 2F failure
      • #2011: Create a function to test if a value belongs to a list
      • #2012: Several issues with notification system
      • #2014: New script to convert sessions between backends
      • #2019: Renew Captcha button
      • #2024: Change default value for cspFormAction
      • #2042: Add per-service macros
  • ubuntu/focal protected
  • v2.0.6 protected   Tag release 2.0.6
    Release v2.0.6
    • Bugs:

      • #1834: Use base64 URL for JWT generation
      • #1838: Return claims from scope values in ID token if no access token requested
      • #1852: SAML request lost after notification
      • #1853: Adding a second notification with same reference is not refused
      • #1856: Unable to validate more than one notification (JSON format)
      • #1857: Message "session is expired" if a notification is refused
      • #1861: Persistent data and notification validation
      • #1863: Duplicate Set-Cookie header when sending lemonldappdata and lemonldap cookies
      • #1864: incorrect loading of SAML metadata when entityID contains html-encoded characters
      • #1865: Dependencies missing in RPM
      • #1866: Skin parameter is lost in second factor choice
      • #1867: Bad error template with Combination and OTT timeout
      • #1868: Yubikey enrolment failed on Internet Explorer
      • #1869: [Security:low] psessions case sensitivity might impact security of 2FA when using case-insensitive auth backends
      • #1874: OTT not regenerated after submitting TOTP form with an expired OTT
      • #1875: Variables from Users module DBI are not used when Authentication module is LDAP (chain: [LDAP,DBI])
      • #1876: $_ no longer works in macros, rules and headers since 2.0
      • #1878: Pdata cookie not cleared after cross domain Auth request
      • #1880: [Security:low] Restricted users can edit conf by using default route
      • #1881: [Security:high] oidc authorization codes are not tied to their RP
      • #1883: Infinite loop when displaying sessions by IP address
      • #1889: No changes detected by Manager when removing CAS/OIDC attributes from a CAS application / OIDC RP or provider
      • #1890: LinkedIn v1 API is not available anymore
      • #1891: GET parameter "cancel" with Choice and CAS authentication
      • #1897: Emails are sometimes sent in the wrong language
      • #1898: Handler SecureToken is not working anymore
      • #1901: Handler error if a header definition is empty
      • #1903: Mail password reset and Combination with LDAP does not work
      • #1906: Missing MAIN_LOGO variable in redirect.tpl
      • #1910: Issue with "force password change on next login" feature with LDAP
      • #1915: Skin selected by rule is lost in 2FA process
      • #1922: Accentuated UTF-8 value of header is UTF-8 encoded again by handler
      • #1925: AuthBasic handler does not work with AuthChoice
      • #1933: [Security:low] nginx portal example file does not filter REST urls
      • #1935: [Security:medium] AuthSlave does not check credential headers
    • New features:

      • #993: Define a local password policy
      • #1783: ContextSwitching plugin
      • #1843: OAuth2 introspection endpoint
      • #1847: Radius 2F module
      • #1860: Multiple instances of 2F modules
    • Improvements:

      • #1619: Support IBM Tivoli Directory Server (ITDS)
      • #1702: Improve log generated by lemonldap
      • #1825: Possibility to disable persistent sessions
      • #1829: Redirection lost between SSL/Ajax and SAML
      • #1831: Warning in lemonldap-ng-cli
      • #1832: Add save/restore in CLI help message and control restore parameters
      • #1833: Show cli errors on file access
      • #1835: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
      • #1842: Merge userLogger notice with logger debug
      • #1844: CheckUser plugin does not compute real session attributes if Impersonation is enabled
      • #1846: Adapt response_types_supported / grant_types_supported attributes in OpenID Connect metadata depending on configured flows
      • #1849: CDA is not compatible with Handler::PSGI::Try
      • #1850: No "Session granted" log if grantSession plugin not enabled
      • #1851: Append notification REST services
      • #1862: When displaying notifications, sort them by date and references
      • #1870: REST Api endpoint "error"
      • #1873: Labels for 2FA choices
      • #1879: [security:low] Access token expiration time is not enforced on userinfo or OAuth handler
      • #1882: Confusing default OIDC issuer setting
      • #1884: Force Upgrade tokens to be stored into global storage if auth and authssl are served by different load balancers
      • #1885: Append an option to log an extra parameter
      • #1888: Javascript error on textContent method with .Net framework and WPF
      • #1896: Add _session_kind to default SOAP/REST exported attributes
      • #1899: Fix portal and manager display for Internet Explorer
      • #1904: Append an option "don't compact conf" + debug log + compact CAS parameters if not enabled
      • #1908: Complete blackout probably due to uncontrolled SQL connection timeout
      • #1913: Append an option to allow / forbid browsers to store users password
      • #1916: Issuer OTT timeout
      • #1919: Customizable error message when a required SAML attribute is missing
      • #1923: REST session server is too intolerant of clock drift
      • #1927: Implement CORS preflight request
      • #1928: Option to hide password generation checkbox in mail password reset plugin
      • #1929: Custom functions are not imported into Safe Jail
      • #1930: Display password change form after a password policy error in mail reset password plugin
      • #1931: Disable password input field until font is fully downloaded by browser
      • #1932: REST session server should return both session and _httpSession id
      • #1936: Append an option to display Slave logo
      • #1938: CheckUser plugin : include search parameters
  • v1.9.21 protected   Tag release 1.9.21
    e9211d73 · Update documentation
    Release v1.9.21
    • Bugs:

      • #1836: Use base64 URL for JWT generation
      • #1924: [security:low] oidc authorization codes are not tied to their RP
    • Improvements:

      • #1837: [Security:improvement] Do not accept a "none" signature in JWT if we enforce signature verification
      • #1892: $data->{_session_kind} uninitialized
  • v2.0.5 protected   Tag release 2.0.5
    7aa3d03c · Fix date in DEB
    Release v2.0.5
    • Bugs:

      • #1521: The manager renames the id of applications created by lemonldap-ng-cli
      • #1655: Can't delete notifications from the manager
      • #1717: Warnings "Devel::StackTrace" when using unnative Perl functions
      • #1746: Impersonation does not work with double cookies authentication
      • #1749: Authentication with "Double Cookies for a single session" (securedCookie==3) does not work
      • #1753: Logout with CASv2 is not working (Bad URL)
      • #1754: Configuration caching issue when overriding globalStorage in lemonldap-ng.ini
      • #1755: CheckUser plugin fails if OTT globalStorage is enabled
      • #1759: Server Error when OpenID Connect provider enabled without any RP
      • #1762: CDA sessions are not removed when handler uses SOAP
      • #1775: Authentication with double cookies fails when uniq session is enabled
      • #1777: Server Error with SAML SLO and expired SSO session
      • #1779: Go to portal message not translated in register confirmation mail
      • #1795: [Security: low] CAS 3.0 Logout does not validate redirect URL
      • #1800: Auth::Slave is unusable with Choice
      • #1802: No error returned if no code provided on OpenID Connect token endpoint
      • #1805: Auth::LDAP unusable in combination if UserDB::LDAP isn't called
      • #1809: UserDB::DBI with Auth::LDAP seems to not work properly
      • #1810: [Security: low] llng-fastcgi-server could fail to setgid
      • #1811: Lua-headers file is missing
      • #1813: searchOn* does not work when a portal uses REST session backend
      • #1814: Local cache not fully purged
      • #1818: [Security:low] XXE vulnerability in SOAP notification server
      • #1819: Portal Notification server unusable with old XML format
      • #1821: Pdata not cleared after session upgrade
      • #1822: Session upgrade does not work with 2FA
      • #1824: lmConfigEditor does not work anymore
      • #1826: Race condition on SSL login form button
    • New features:

      • #1796: Display a message if an expired 2f device is removed
    • Improvements:

      • #1706: html not interpreted for translated messages
      • #1723: Real authentication is masked when using proxy authentication module
      • #1732: Sessions explorer and Browseable::Postgres
      • #1734: RPM version uses JSON::PP instead of JSON::XS
      • #1747: Logging out from portal cause an error with doubleCookie after refreshing rights
      • #1750: Wrong version / author / IP / log in lemonldap-ng-cli
      • #1758: Warnings in Viewer.pm when saving configuration
      • #1763: Transmission of Authorization header should probably be on by default
      • #1764: Set chosen language in user session
      • #1765: Better CORS handling
      • #1766: Warning in logs with SAML
      • #1767: Append startTime overScheme to display sessions to avoid browser crash
      • #1769: CSRF token is not automatically regenerated after a failed login with Auth::Choice
      • #1770: Add save/restore commands in cli
      • #1771: SSO sessions _updateTime value is not updated after a refresh request
      • #1773: Append option to modify service Token handler TTL
      • #1774: CheckUser plugin does not work with SAML
      • #1782: Append an option to set 2FA TTL
      • #1791: Append an option in Manager to merge only specified SSO groups with Impersonation
      • #1797: Allow ServiceToken to send service headers
      • #1799: StorePassword in session not working when using session REST server
      • #1827: Using lemonldap-ng-cli info gives warning with default configuration
      • #1828: 2F plugins and method loadTemplate are not using skin rules
      • #1830: [Security:improvement] Improved use of cryptography
  • ubuntu/eoan protected   Version published in Ubuntu Eoan 18.10
    7aa3d03c · Fix date in DEB
  • v1.9.20 protected   Tag version 1.9.20
    d183cbcb · Update packaging files
    Release v1.9.20
    • Bugs:
      • #1756: Cross-domain auth not working
      • #1820: [Security:medium] XXE vulnerability in SOAP notification server
  • v2.0.4 protected   Tag release 2.0.4
    Release v2.0.4
    • Bugs:

      • #1684: UI manager: boolean values do not appear in configuration forms with Yaml config format
      • #1709: ViewDiff template not displayed
      • #1710: Configuration keys not displayed in Viewer
      • #1716: [Security:minor] Update jQuery
      • #1720: Duplicate session opening when using multiple Kerberos instances in Combination
      • #1724: CAS 1.0 /validate endpoint does not return username
      • #1726: Deb package: missing dependency IO::String
      • #1733: Invalid default crontab in RPM
      • #1736: Configuration version in Manager is different from software version
      • #1738: Error not well caught with Ext2F
      • #1741: Deleted category is not detected as a change when saving conf.
      • #1742: [Security: high] Setting tokenUseGlobalStorage allows unauthenticated users to access the portal (and applications without rules)
      • #1743: [Security: low] register_token used for account creation can be used as a valid session identifier
      • #1746: Impersonation does not work with double cookies authentication
    • New features:

      • #1146: Allow Handler to read OAuth2 access token instead of browser cookie
      • #1722: [Security: improvement] PKCE to secure OIDC Authorization Code flow
    • Improvements:

      • #1703: Fix faulty headers on a null value
      • #1711: Return Session ID when authentication is done via REST
      • #1712: Display idpChoice cancel button only if AuthChoice is enabled
      • #1713: CAS : Allow per application CAS login override
      • #1714: Check logLevel value
      • #1725: Allow unauthenticated clients on OIDC token endpoint
      • #1728: Improve redirect page
      • #1729: Display error if SAML service is enabled without private and public keys signature
      • #1730: Sort real and spoofed attributes in CheckUser and Session explorer
      • #1735: Highlight valid SSO sessions in sessions explorer
      • #1739: Improve log in Grant Session plugin
  • v1.9.19 protected   Create tag for 1.9.19 release
    b63ee346 · Update documentation
    Release v1.9.19
    • Bugs:

      • #1509: InactivityTimeout for applications doesn't work
      • #1520: lemonldap-ng-cli adds a new item when deleting an item that does not exist.
      • #1567: Captcha session id is too weak
      • #1580: Error when saving in manager (mongoDB as ConfigurationBackend)
      • #1662: id_token validity not correctly evaluated
      • #1744: [Security: low] register_token used for account creation can be used as a valid session identifier
    • Improvements:

      • #1516: All IDP conf not usable if only one IDP misconfigured
      • #1519: Cross domain authentication, ajax request and same origin policy
  • v2.0.3 protected   Tag 2.0.3
    Release v2.0.3
    • Bugs:

      • #1543: Redirection lost with CAS RP -> Choice -> SAML Discovery Protocol -> SAML IDP
      • #1654: Password must change on AD still not fully working
      • #1656: No IP shown in history logon
      • #1667: [Security:medium] Option userControl is not applied anymore in standard login process
      • #1671: Error in SP-initiated saml logout with multiple SP
      • #1672: In SAML Issuer, environment variables to store current SP are not filled
      • #1673: Application list display and specific rules
      • #1675: [Security:minor] Using /logout instead of /?logout=1 does not work
      • #1676: Active Directory connection information not saved
      • #1679: Default jQuery URL in form replay has changed
      • #1680: In form replay, POST data keys are not URL encoded
      • #1682: LinkedIn OAuth2 authentication is not available in combination modules list
      • #1683: Changing configuration option cspScript has no effect
      • #1684: UI manager: boolean values do not appear in configuration forms with Yaml config format
      • #1686: SOAP Portal WSDL file is invalid
      • #1691: Password policy can't display messages
      • #1692: Parameter base64 is ignored in setHiddenFormValue
      • #1693: Information is not displayed in logout process
      • #1698: Invalid pdata causes SAML login to fail after logout
      • #1703: Fix faulty headers on a null value
      • #1708: lmerror page loops on url parameter
    • New features:

      • #1632: Optionally let Ext2F module handle code generation
      • #1658: CheckUser plugin
      • #1661: Configuration viewer module
      • #1664: Impersonation plugin
      • #1697: Command-line tool to delete session for specific user(s)
    • Improvements:

      • #1549: Option to override IDP entityID
      • #1595: Possibility to override message with a custom JSON file in template
      • #1651: Disable cache on portal page
      • #1653: Allow failback to default skin when a template is not found in custom theme
      • #1660: Restore possibility to hide message in portal template
      • #1666: Display errors on login form
      • #1668: As IDP SAML, do not try to send SLO response if no SLO endpoint defined in SP metadata
      • #1670: Display "authentication in progress" when using Ajax with Kerberos
      • #1681: Change behavior with SAML mandatory/optional attributes in SAML Issuer
      • #1687: Add granted log for user and connexion informations
      • #1694: Disable CSRF token with AuthBasic
      • #1696: Remove unnecessary antiframe protection in portal javascript
      • #1699: Authentication level for REST and GPG authentication
      • #1700: Update AuthBasic handler doc : REST server is required
      • #1704: Append parameter to sort IDP, OP and CAS servers in Auth menu loop
  • v2.0.2 protected   Create tag for 2.0.2
    2f81f4b3 · Update documentation ·
    Release v2.0.2
    • Bugs:

      • #1574: "Manager is unprotected" message when whatToTrace value is not the default
      • #1603: Warnings with confirmation required don't work
      • #1604: Manager unit tests randomly failed
      • #1607: Safe errors when saving configuration with lmConfigEditor
      • #1610: Unable to save empty value for cookie expiration time in Manager
      • #1613: handler https redirection does not work
      • #1614: Accents not well displayed in Portal
      • #1618: Version in server signature is wrong
      • #1623: ADPwdExpireWarning and ADPwdMaxAge parameters are missing in Manager
      • #1627: Display issue with GrantSession plugin
      • #1628: GrantSession plugin discloses its message to unlogged users
      • #1630: SSO cookie is sent to protected applications with Nginx-based ReverseProxy
      • #1636: SSL and Kerberos Auth Modules don't work with choice
      • #1639: User must change password on AD is broken
      • #1642: Unable to select skin from URL
      • #1643: Portal CSS is sent with empty background when portalSkinBackground is not defined
      • #1644: error while resetting password with ppolicy enabled
      • #1648: ldapAuthnLevel and dbiAuthnLevel are ignored
      • #1649: Error about Handler when saving configuration in lmConfigEditor
    • New features:

      • #1569: GPG authentication module
      • #1629: Email-based two-factor module
      • #1631: Allow to display "env" as template variables
    • Improvements:

      • #1486: Portal starts even if init() has failed
      • #1600: Improve e2e tests
      • #1601: Create LDAP option to decode DN value
      • #1608: Date and comment not updated with lemonldap-ng-cli
      • #1609: add autocomplete="off" to 2F form fields
      • #1611: Improve apache configuration
      • #1622: Display delete button in 2FAManager only if action is allowed
      • #1625: "Use rule" option in issuer modules seem not to be used anymore
      • #1633: Better random generation
      • #1634: Improve management of template parameters
      • #1635: SAML attribute default value is not set
      • #1637: Add display options for SAML IDP like OIDC and CAS providers
  • ubuntu/disco protected   Create tag for 2.0.2
    2f81f4b3 · Update documentation ·
  • debian/buster protected   Version published in debian/buster
    2f81f4b3 · Update documentation ·
  • v2.0.1 protected   Tag 2.0.1
    2dfe4bdd · Update doc ·
    Release v2.0.1
    • Bugs:

      • #1564: Function authLogout is missing in package "Lemonldap::NG::Portal::Auth::SSL"
      • #1572: Error when saving in manager (mongoDB as ConfigurationBackend)
      • #1576: Browser doesn't select Portal appropriate language
      • #1579: SOAP Backend error for empty collection
      • #1582: MongoDB Conf backend loses sub hash keys
      • #1586: Portal message override do not work on plugins and mails templates
      • #1587: Captcha is not displayed in Register form if mail already exists
      • #1588: Captcha is validated with additional letters
      • #1589: Error in MailReset when asking to resend confirmation mail
      • #1592: Cannot select a menu tab with ?tab= in URL
      • #1594: Cannot select oidcConsents tab in menu
    • Improvements:

      • #1565: OpenId - Default CSP value cause breakdown in OpenId authentification form
      • #1578: Fix fcgi/psgi extensions in documentation
      • #1583: Append parameter to configure number of allowed failed logins before brute force protection activation
      • #1584: Browser doesn't select Manager appropriate language
      • #1585: Fix main logo and langs icons display & double slash in lmerror 403 error URL
      • #1591: $req->user not available in plugins authenticated routes
      • #1593: Bad userinfo response: Unauthorized
      • #1596: Possibility to define new tabs in Menu
      • #1599: Usage of OpenID Connect with bad scope value result in unlimited session grow
  • v2.0.0 protected   Recreate 2.0.0 tag
    ea90c3c7 · Try to fix CI pipeline ·
    Release v2.0.0

    This is a major version with a lot of changes. You need to apply all upgrade instructions listed here: https://lemonldap-ng.org/documentation/2.0/upgrade

    Changelog:

    • Bugs:

      • #757: "Attempt to free unreferenced scalar" in Lemonldap::NG::Common::Session
      • #789: Apache reloading breaks SAML authentication
      • #804: Uncomplete logout in Issuer modules
      • #856: LemonLDAP loses exportedVars conf randomly
      • #863: get_url function builds wrong Portal URL
      • #918: Env variables are searched in backends
      • #998: encode_base64 can be undefined after a reload by URL
      • #1061: Multiple segfault using ModPerl::Registry with Apache2.4
      • #1113: OIDC Provider to SAML SP does not work
      • #1150: Can't get captcha to work with LDAP as backend
      • #1171: Session explorer freezes when session number is high
      • #1327: Facebook module not working due to API changes in Facebook
      • #1420: Answering to CAS proxy requests as CAS Provider
      • #1468: Enabling both Auth::SAML and Issuer::SAML breaks SLO
    • New features:

      • #575: Display differences between 2 conf
      • #782: Node.js handler
      • #819: Support of FIDO Alliance (multi-factor authentication)
      • #826: Tab in portal to manage OpenID Connect consent
      • #852: Possibility to reload/refresh his session without logout and relogin
      • #970: REST API for Portal
      • #971: Server-to-Server Handler
      • #1015: Two-Factor Authentication with OTP for portal user logins
      • #1019: Evaluate custom template parameters
      • #1091: Handler for DevOps (SSOaaS)
      • #1131: Portal plugin to "Stay connected on this device"
      • #1138: Generate Content-Security-Policy headers and related
      • #1148: U2F - Universal 2nd Factor Authentication
      • #1151: Replace Multi by a Combination parser
      • #1161: Manage access rules for CAS, SAML and OpenID Connect clients
      • #1162: Capability to use Log4Perl (and other log backends)
      • #1174: Auth and UserDB REST (delegation by web-service)
      • #1188: Custom auth/userDB/password/register modules
      • #1196: Auth::PAM module
      • #1204: Propose reauthentication if higher access level is requested
      • #1206: TLS support for mails
      • #1208: YAML configuration backend
      • #1212: Propose SSL authentication by Ajax
      • #1318: Auto-Signin based on $env rules
      • #1330: Menu rules for applications using SAML/CAS/OIDC
      • #1359: TOTP plugin
      • #1379: Feature: External Second Factor over REST API
      • #1391: Mixed TOTP/U2F second factor plugin
      • #1397: Plack servers support
      • #1399: Yubikey as second factor
      • #1419: Dispatch logger
      • #1427: Alternative FastCGI-Client handler for Apache2
      • #1438: Build trunk debian repository (nightly build)
      • #1458: Local conf backend
      • #1478: SAML Discovery Protocol (WAYF)
      • #1500: Possibility to override parameters in Choice modules
      • #1503: RENATER metadata download script
      • #1512: Option to choose which SAML attribute will be used as "user" key
      • #1535: Append Portal parameter to modify Handler Internal Cache
      • #1539: Option to enable / disable languages choice display
    • Improvements:

      • #354: Session Explorer: possibility to order sessions by date
      • #587: Selecting language while connecting to LemonLDAP
      • #595: Portal powered by FastCGI (using Plack)
      • #651: Common::CGI::abort should return 500 as HTTP status code
      • #673: Split conf/session/flags management from the Portal $self object
      • #713: Request management to handle sessions
      • #803: AuthSSL : Ability to choose SSLvar or UserDB depending of the CA
      • #868: Replace XML format by JSON for notifications
      • #1033: Translate mail subject - forgotten password
      • #1044: Adapt FastCGI server to be able to use an event Plack engine
      • #1065: Provide SSL options for AuthBasic
      • #1118: Manage unicode in session and configuration backends
      • #1133: Translation system for mails
      • #1137: Avoid using inline Javascript and CSS
      • #1140: Add CSRF protection to login and password change forms
      • #1160: Reorganize handler architecture
      • #1173: Performance: minimize Apache::Session access
      • #1181: Make Debian packages autopkgtestable
      • #1183: Rewrite CAS authentication module
      • #1201: IPv6 support
      • #1220: Vietnamese translation
      • #1222: Arabic translation
      • #1232: Italian translation
      • #1247: Support RSA SHA256 signature in SAML
      • #1267: Allow custom regexp for vhost display
      • #1302: Move all HTML fragments into templates
      • #1317: Wildcard in virtualhost names
      • #1322: Get user attributes in Auth module for external authentication
      • #1388: Auto-generation of parameters list in doc
      • #1400: CLUSTER - Status page who check the working state of LLNG
      • #1418: Sentry Logger (experimental)
      • #1427: Alternative FastCGI-Client handler for Apache2
      • #1428: Provide better logs with Nginx
      • #1429: Use cached configuration when configuration database isn't available
      • #1442: Last logins not shown when second factors are enabled
      • #1443: Hide countdown block when stopped
      • #1445: Let's stop french manager doc translation
      • #1448: Full status for Nginx
      • #1461: Remember Choice and other context settings before redirecting user to an external service
      • #1473: Complex nodes not well displayed in manager
      • #1488: Be tolerant with whitespaces in ini file
      • #1490: Be able to use DBD::MariaDB
      • #1499: CSP prevents to submit OIDC consents form
      • #1501: Improve Login history module
      • #1504: Upgrade to bootstrap 4
      • #1515: Possibility to configure main logo on portal page
      • #1522: Notifications with checkbox does not work
      • #1526: Portal menu application and categorie logos not displayed
      • #1542: Provide sessions attributes in template
      • #1546: Configuration comparator does not work
      • #1550: Error when enables "SSL, Custom " Auth modules with Choice
  • v1.9.18 protected
    073266f3 · Update documentation ·
    Release v1.9.18

    This is a minor release for LemonLDAP::NG 1.9 with some bugfixes and enhancements:

    • #1479: App Category order - Cannot save
    • #1476: Unescaped left brace generates a warning with Perl-5.28
    • #1474: OAuth2 token_type is case insensitive
    • #1514: Aliases not respecting redirect settings
    • #1494: Manage applications with the lemonldap-ng-cli
    • #1470: Warning when using CLI to set value which does not exists before
    • #1469: SMTP timeout breaks Manager configuration save

    The full changelog can be seen here: %1.9.18

    Download: https://lemonldap-ng.org/download

    They made this release:

    • Community: Raphaël Hoareau, Chris A, Frédéric Massot
    • Organizations: Gendarmerie Nationale, Worteks
    • Core team: David Coutadeur, Xavier Guimard, Christophe Maudoux and Clément Oudot

    If you use LemonLDAP::NG and enjoy it, please let us know:

  • v1.9.17 protected
    b5a1f934 · Update version to 1.9.17 ·
    Release v1.9.17

    Changes:

    • #1416: Attribute encoding in CAS responses
    • #1426: Error with mod_auth_openidc when kid is set in JWKS
    • #1423: "samlServicePrivateKeySig: Bad PEM encoding" on manager when saving config with some valid certificates
    • #1415: Improve test pages
    • #1413: Possibility to add conditions to display Choice tabs
    • #1407: Remote MYSQL - mysql_enable_utf8 not applied?
    • #1403: Parameter to ignore some tests during saving

    Contributors:

    • Community: Paul Curie, Anthony Roussel, Antoine Roiser
    • Core team: David Coutadeur, Xavier Guimard, Christophe Maudoux, Clément Oudot
  • ubuntu/cosmic protected   Version published in ubuntu/cosmic
    b5a1f934 · Update version to 1.9.17 ·