lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-06-19T14:48:37Z

Issue #1224: No proxy tickets received when proxiedServices configured
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1224
Updated: 2018-06-19T14:48:37Z
Author: Clément OUDOT

When configuring proxied services, the CAS auth module does not try to ask the CAS server for them. The serviceValidate service is called without the pgtUrl parameter.
```
[debug] Build URL http://auth.example.com:19876/?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Redirect 127.0.0.1 to portal (url was /?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing default route
[debug] Processing controlUrl
[debug] Processing extractFormInfo
[debug] CAS server example choosen
[debug] CAS: Service Ticket received: ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Get CAS serviceValidate response: HTTP/1.1 200 OK
Connection: close
Date: Tue, 25 Apr 2017 13:25:57 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: User-Agent
Content-Type: application/xml; charset=ISO-8859-1
Client-Date: Tue, 25 Apr 2017 13:25:57 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>dwho</cas:user>
<cas:attributes>
<cas:uid>dwho</cas:uid>
<cas:mail>dwho@badwolf.org</cas:mail>
<cas:cn>Doctor Who</cas:cn>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
```
Milestone: 2.0.0
Assignee: Clément OUDOT

Issue #1161: Manage access rules for CAS, SAML and OpenID Connect clients
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1161
Updated: 2018-06-23T08:19:18Z
Author: Clément OUDOT

As we are doing a lot of modifications for 2.0, I would like to rethink how we manage access rules and find a way to apply them to all LL::NG clients/applications, not only those protected by Handler.
From my point of view, an application can be authenticated and protected with multiple methods:
* HTTP headers behind Handlers
* CAS
* SAML
* OpenID Connect
We already implemented a kind of access control for CAS clients, when the CAS service matches a registered virtual host, but this is a kind of hack that we can improve.
CAS code must be rewritten so we can declare CAS servers and CAS services, like we have for SAML IDP/SP and OIDC OP/RP.
And for CAS, SAML and OIDC, we should have a new sub branch which is access rules, like we have in virtual hosts. Note that we already have the "exported attributes" for SAML and OIDC. We just need to add it for CAS.
With this, we could be, I think, the only SSO and Access Management solution to act on HTTP headers, CAS, SAML and OpenID Connect.
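Added example for the two CAS-related issues above (#1224: serviceValidate called without pgtUrl; #1161: access rules attached to declared CAS services). This is illustration code written for this page, not LemonLDAP::NG code: the CasIssuer class, the rule predicates, the ticket strings and the pgtUrl callback are assumptions, while the request parameters (service, ticket, pgtUrl), the response elements (cas:authenticationSuccess, cas:proxyGrantingTicket) and the namespace are those of the CAS 2.0 protocol. It plays both sides of the exchange so the two points can be checked offline: a client that sends pgtUrl only when proxied services are configured and reads cas:proxyGrantingTicket out of the answer, and an issuer that evaluates the service's access rule before minting any ticket.

```python
"""CAS 2.0 serviceValidate exchange, client and server side.

Added illustration for issues #1224 and #1161; not LemonLDAP::NG code.
The CasIssuer class, rule predicates, ticket format and the pgtUrl
callback are constructed for this example.  Parameter names, response
elements and the namespace are those of the CAS protocol.
"""
import secrets
from urllib.parse import urlencode, parse_qs
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


# ---- client side: the role of the CAS auth module in issue #1224 ----

def build_service_validate_url(cas_server, service, ticket, proxied_services, pgt_url):
    """Build the serviceValidate URL.  pgtUrl must be sent whenever the client
    is configured to reach proxied services; without it the server never
    issues a proxy-granting ticket, which is the symptom reported in #1224."""
    params = {"service": service, "ticket": ticket}
    if proxied_services:
        params["pgtUrl"] = pgt_url
    return f"{cas_server}/serviceValidate?{urlencode(params)}"


def parse_service_validate(xml_text):
    """Return {"user", "attributes", "pgt_iou"}, or None on authenticationFailure.
    pgt_iou is None when no proxy-granting ticket was issued (the log in #1224)."""
    root = ET.fromstring(xml_text)
    ok = root.find(f"{{{CAS_NS}}}authenticationSuccess")
    if ok is None:
        return None
    attrs = {}
    attr_el = ok.find(f"{{{CAS_NS}}}attributes")
    if attr_el is not None:
        attrs = {child.tag.split("}", 1)[1]: child.text for child in attr_el}
    return {"user": ok.findtext(f"{{{CAS_NS}}}user"), "attributes": attrs,
            "pgt_iou": ok.findtext(f"{{{CAS_NS}}}proxyGrantingTicket")}


def handle_pgt_callback(query_string, pgt_store):
    """The server GETs pgtUrl?pgtIou=..&pgtId=.. before answering serviceValidate;
    the client keeps the IOU -> PGT mapping, so the PGT itself never rides in the XML."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    pgt_store[q["pgtIou"]] = q["pgtId"]
    return q["pgtIou"]


# ---- server side: the CAS issuer role discussed in issue #1161 ----

class CasIssuer:
    """Registered CAS services carry an access rule and an exported-attribute
    list, the same shape as a virtual host rule or a SAML SP / OIDC RP entry."""

    def __init__(self):
        self.services = []   # (url_prefix, rule(session) -> bool, exported attribute names)
        self.tickets = {}    # service ticket -> (service, session); single use
        self.pgts = {}       # proxy-granting ticket -> session

    def register_service(self, url_prefix, rule, exported):
        self.services.append((url_prefix, rule, exported))

    def _lookup(self, service):
        return next(((r, e) for p, r, e in self.services if service.startswith(p)), None)

    def issue_service_ticket(self, service, session):
        """The rule is evaluated before any ticket exists: an unregistered
        service or a denied user gets no ticket, not a ticket that fails later."""
        found = self._lookup(service)
        if found is None or not found[0](session):
            return None
        st = "ST-" + secrets.token_hex(16)
        self.tickets[st] = (service, session)
        return st

    def service_validate(self, query_string):
        """Return (xml, pgt_callback_query).  The callback query is what the server
        would GET against pgtUrl (only over https, to a callback it trusts for that
        service); it is None when pgtUrl was absent from the request."""
        q = {k: v[0] for k, v in parse_qs(query_string).items()}
        entry = self.tickets.pop(q.get("ticket", ""), None)      # single use, so replay fails
        if entry is None or entry[0] != q.get("service"):
            return (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'>"
                    "<cas:authenticationFailure code='INVALID_TICKET'>"
                    "ticket not recognized</cas:authenticationFailure>"
                    "</cas:serviceResponse>", None)
        service, session = entry
        _rule, exported = self._lookup(service)
        body = [f"<cas:user>{escape(session['uid'])}</cas:user>", "<cas:attributes>"]
        body += [f"<cas:{a}>{escape(str(session[a]))}</cas:{a}>" for a in exported if a in session]
        body.append("</cas:attributes>")
        callback = None
        if "pgtUrl" in q:   # only here does a proxy-granting ticket come into being
            pgt, iou = "TGT-PGT-" + secrets.token_hex(16), "PGTIOU-" + secrets.token_hex(16)
            self.pgts[pgt] = session
            callback = urlencode({"pgtIou": iou, "pgtId": pgt})
            body.append(f"<cas:proxyGrantingTicket>{iou}</cas:proxyGrantingTicket>")
        xml = (f"<cas:serviceResponse xmlns:cas='{CAS_NS}'><cas:authenticationSuccess>"
               + "".join(body) + "</cas:authenticationSuccess></cas:serviceResponse>")
        return xml, callback
```

With proxied services configured the answer carries a PGTIOU and the issuer contacts the callback first; without pgtUrl the same validation succeeds, but the client can never obtain a proxy ticket afterwards, which is the behaviour visible in the #1224 log. On the issuer side the only protocol-specific part is the ticket and the XML; the rule and exported-attribute entry is what #1161 proposes to share between CAS services, SAML SPs and OIDC RPs.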
Milestone: 2.0.0
Assignee: Clément OUDOT

Issue #1150: Can't get captcha to work with LDAP as backend
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Updated: 2018-05-15T20:31:11Z
Author: Michael Goldfinger

After getting the websites to work and getting LDAP to run as configuration backend, I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system like shown on the screenshots. The ldapBindDN and ldapBindPassword are also used for the configuration backend, so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer it if {SSHA} would work. However, the effect is that instead of the captcha I get the broken image icon and nothing is written into the LDAP.
The nginx error_log shows only the warnings about the demo accounts.
Milestone: 2.0.0
Assignee: Clément OUDOT