lemonldap-ng issues (feed of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues, updated 2018-05-15T20:31:11Z)

Issue #1150: Can't get captcha to work with LDAP as backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Updated: 2018-05-15T20:31:11Z
Author: Michael Goldfinger
Milestone: 2.0.0
Assignee: Clément OUDOT

After getting the websites to work and getting LDAP to run as configuration backend, I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.

I configured the system like shown on the screenshots. The ldapBindDN and ldapBindPassword are also used for the configuration backend, so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer it if the {SSHA} form worked. However, the effect is that instead of the captcha I get the broken-image icon and nothing is written into LDAP.

The nginx error_log shows only the warnings about the demo accounts.
Issue #1161: Manage access rules for CAS, SAML and OpenID Connect clients
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1161
Updated: 2018-06-23T08:19:18Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

As we are doing a lot of modifications for 2.0, I would like to rethink how we manage access rules and find a way to apply them to all LL::NG clients/applications, not only those protected by Handler.

From my point of view, an application can be authenticated and protected with multiple methods:

* HTTP headers behind Handlers
* CAS
* SAML
* OpenID Connect

We already implemented a kind of access control for CAS clients, when the CAS service matches a registered virtual host, but this is a kind of hack that we can improve.

CAS code must be rewritten so we can declare CAS servers and CAS services, like we have SAML IDP/SP and OIDC OP/RP.

And for CAS, SAML and OIDC, we should have a new sub-branch for access rules, like we have in virtual hosts. Note that we already have the "exported attributes" for SAML and OIDC. We just need to add them for CAS.

With this, we could be, I think, the only SSO and Access Management product to act on HTTP headers, CAS, SAML and OpenID Connect.
Issue #1224: No proxy tickets received when proxiedServices configured
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1224
Updated: 2018-06-19T14:48:37Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

When configuring proxied services, the CAS auth module does not try to ask the CAS server for them. The serviceValidate service is called without the pgtUrl parameter.

```
[debug] Build URL http://auth.example.com:19876/?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Redirect 127.0.0.1 to portal (url was /?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing default route
[debug] Processing controlUrl
[debug] Processing extractFormInfo
[debug] CAS server example choosen
[debug] CAS: Service Ticket received: ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Get CAS serviceValidate response: HTTP/1.1 200 OK
Connection: close
Date: Tue, 25 Apr 2017 13:25:57 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: User-Agent
Content-Type: application/xml; charset=ISO-8859-1
Client-Date: Tue, 25 Apr 2017 13:25:57 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>dwho</cas:user>
<cas:attributes>
<cas:uid>dwho</cas:uid>
<cas:mail>dwho@badwolf.org</cas:mail>
<cas:cn>Doctor Who</cas:cn>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
```
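The serviceValidate exchange behind this report, as an added example (Python, not LemonLDAP::NG's Perl code): a CAS client only gets a proxy-granting ticket back if it sent pgtUrl, so the request builder adds that parameter only when proxied services are wanted (and insists on https, since the CAS server calls that URL back with the pgtIou/pgtId pair), and the response parser copes with the PGT being absent as well as with cas:authenticationFailure. The response body is the one quoted in the log above; the proxy and failure variants, the pgtCallback URL and the PGTIOU value are constructed for the example.

```python
"""CAS 2.0 serviceValidate helper: build the request with pgtUrl and parse the
cas:serviceResponse. Added example, not LemonLDAP::NG code."""
from urllib.parse import urlencode, urlsplit
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


def _q(tag):
    """Clark-notation name for a cas: element."""
    return f"{{{CAS_NS}}}{tag}"


def build_service_validate_url(cas_base, service, ticket, pgt_url=None):
    """Build the /serviceValidate URL.

    pgtUrl is only sent when the client wants proxy tickets (it has proxied
    services configured). The CAS protocol requires it to be https because the
    CAS server will POST/GET the pgtIou and pgtId to it."""
    params = {"service": service, "ticket": ticket}
    if pgt_url is not None:
        if urlsplit(pgt_url).scheme != "https":
            raise ValueError("pgtUrl must be an https URL")
        params["pgtUrl"] = pgt_url
    return f"{cas_base.rstrip('/')}/serviceValidate?{urlencode(params)}"


def parse_service_response(body):
    """Return {'ok': True, 'user', 'attributes', 'pgt_iou'} on success and
    {'ok': False, 'code', 'message'} on cas:authenticationFailure."""
    root = ET.fromstring(body)
    if root.tag != _q("serviceResponse"):
        raise ValueError("not a cas:serviceResponse document")
    failure = root.find(_q("authenticationFailure"))
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    success = root.find(_q("authenticationSuccess"))
    if success is None:
        raise ValueError("response has neither success nor failure element")
    attributes = {}
    attrs_el = success.find(_q("attributes"))
    if attrs_el is not None:
        for child in attrs_el:
            name = child.tag.split("}", 1)[-1]          # strip the namespace
            attributes.setdefault(name, []).append((child.text or "").strip())
    return {"ok": True,
            "user": (success.findtext(_q("user")) or "").strip(),
            "attributes": attributes,
            # Only present when pgtUrl was sent and the callback succeeded.
            "pgt_iou": success.findtext(_q("proxyGrantingTicket"))}


# Body of the serviceValidate response quoted in the issue (HTTP headers removed).
ISSUE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>dwho</cas:user>
<cas:attributes>
<cas:uid>dwho</cas:uid>
<cas:mail>dwho@badwolf.org</cas:mail>
<cas:cn>Doctor Who</cas:cn>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed: the same response once pgtUrl was sent and the CAS server
# managed to deliver the PGT to the callback.
PROXY_RESPONSE = ISSUE_RESPONSE.replace(
    "</cas:attributes>",
    "</cas:attributes>\n<cas:proxyGrantingTicket>PGTIOU-constructed-example"
    "</cas:proxyGrantingTicket>")

# Constructed failure response.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code="INVALID_TICKET">Ticket ST-xyz not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    # Hypothetical callback URL on the client portal.
    print(build_service_validate_url("http://auth.example.com:19876/cas",
                                     "http://auth.example.com:19876/", "ST-1",
                                     pgt_url="https://auth.example.com:19876/cas/pgtCallback"))
    print(parse_service_response(ISSUE_RESPONSE))   # pgt_iou is None: no pgtUrl was sent
    print(parse_service_response(PROXY_RESPONSE))   # pgt_iou carries the PGTIOU
```

Without pgtUrl in the request, the server has no reason to return cas:proxyGrantingTicket, which is exactly what the logged response shows; a client that expects to request proxy tickets should treat a missing pgt_iou as a configuration error rather than silently proceed.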
Issue #1227: Old password input not shown in password form in menu
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1227
Updated: 2018-05-19T19:41:47Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

In the password tab, the old password input is not shown, but it is required to change the password:

```
[debug] User dwho was granted to access to /
[debug] Start routing default route
[debug] Processing importHandlerDatas
[debug] Processing restoreArgs
[debug] Processing controlUrl
[debug] Processing checkLogout
[debug] Processing code ref
[warn] Portal require old password
[debug] Returned error: 27
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Starting HTML generation using /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/site/templates/bootstrap/error.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/site/templates/bootstrap/error.tpl
```

Another thing is that the error message should be displayed with the menu and the password tab activated, so we can directly retry to change the password. Here we get the generic error.tpl.
Issue #1235: Confirm buttons always return 1
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1235
Updated: 2018-05-19T19:41:47Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

When using the confirm.tpl template, it seems that the "accept" and "refuse" buttons both set the confirm parameter to 1.

Here is a log when the "refuse" button is clicked:

```
[debug] Processing controlUrl
[debug] Confirm parameter accepted 1
```
Issue #1239: Add an alt attribute and a cursor to flag icons
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1239
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

For flag icons, we should display an alternative text instead of a broken image (and this will also increase accessibility).

A pointer cursor would also make it clearer that the flags are buttons.
Issue #1247: Support RSA SHA256 signature in SAML
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1247
Updated: 2018-06-19T08:24:07Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

We use SHA1 signatures by default. We should use SHA256 instead, but this should be a configuration for each provider.

See this thread on the Lasso mailing list: http://listes.entrouvert.com/arc/lasso/2017-06/msg00000.html
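An added example (Python, not LL::NG or Lasso code) of the per-provider check this issue asks for: read the ds:SignatureMethod and ds:DigestMethod algorithm URIs out of a signed SAML message and refuse SHA-1 unless that particular peer has been explicitly allowed to keep using it. The SAML Response, its signature and digest values are constructed and are not cryptographically valid; the code reports algorithms only and does not verify the signature, which stays the job of the XML-DSig library.

```python
"""Audit the signature and digest algorithms of a signed SAML message.
Added example, not LemonLDAP::NG or Lasso code. It does not verify the
signature; it only reports which algorithms a peer is using."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm identifiers from XML-DSig and RFC 6931, with a local rating.
SIGNATURE_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": ("RSA-SHA1", "weak"),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": ("RSA-SHA256", "ok"),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": ("RSA-SHA384", "ok"),
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": ("RSA-SHA512", "ok"),
}
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": ("SHA1", "weak"),
    "http://www.w3.org/2001/04/xmlenc#sha256": ("SHA256", "ok"),
    "http://www.w3.org/2001/04/xmldsig-more#sha384": ("SHA384", "ok"),
    "http://www.w3.org/2001/04/xmlenc#sha512": ("SHA512", "ok"),
}
UNKNOWN = ("unknown", "unknown")


def audit_signature(xml_text):
    """Return one finding per ds:Signature element in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(f"{{{DS_NS}}}Signature"):
        method = sig.find(f"./{{{DS_NS}}}SignedInfo/{{{DS_NS}}}SignatureMethod")
        sig_uri = method.get("Algorithm") if method is not None else None
        digest_uris = [d.get("Algorithm") for d in sig.iter(f"{{{DS_NS}}}DigestMethod")]
        sig_name, sig_status = SIGNATURE_ALGS.get(sig_uri, UNKNOWN)
        # A single weak or unknown digest taints the whole signature.
        statuses = {DIGEST_ALGS.get(u, UNKNOWN)[1] for u in digest_uris} or {"unknown"}
        digest_status = ("ok" if statuses == {"ok"}
                         else "unknown" if "unknown" in statuses else "weak")
        findings.append({"signature_alg": sig_name, "signature_status": sig_status,
                         "digest_algs": [DIGEST_ALGS.get(u, UNKNOWN)[0] for u in digest_uris],
                         "digest_status": digest_status})
    return findings


def acceptable(findings, allow_sha1=False):
    """Per-provider policy: unsigned and unknown algorithms are always
    rejected; SHA-1 only passes if this peer was explicitly allowed to use it."""
    if not findings:
        return False
    for f in findings:
        for status in (f["signature_status"], f["digest_status"]):
            if status == "unknown" or (status == "weak" and not allow_sha1):
                return False
    return True


# Constructed SAML Response signed with RSA-SHA1/SHA1. The digest and signature
# values are placeholders, not real cryptographic output.
SHA1_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>Y29uc3RydWN0ZWQgZGlnZXN0</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQgc2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
</samlp:Response>"""

# The same message as a SHA-256 provider would sign it.
SHA256_SIGNED = (SHA1_SIGNED
    .replace("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
             "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
    .replace("http://www.w3.org/2000/09/xmldsig#sha1",
             "http://www.w3.org/2001/04/xmlenc#sha256"))

if __name__ == "__main__":
    for label, doc in (("sha1", SHA1_SIGNED), ("sha256", SHA256_SIGNED)):
        findings = audit_signature(doc)
        print(label, findings, "accepted:", acceptable(findings))
```

Run this against the metadata or a captured Response from each partner before flipping the default to SHA-256: the peers that still come back as RSA-SHA1 are the ones that need the per-provider exception (or an upgrade) first.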
Issue #1248: Invalid call to upgradesession in OpenID Connect authorization
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1248
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

When testing OIDC with prompt=consent, I have this error:

```
[debug] Client id lemonldap match RP rp-example
Use of uninitialized value $_lastAuthnUTime in addition (+) at /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 281.
Use of uninitialized value $_lastAuthnUTime in concatenation (.) or string at /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 282.
[debug] Reauthentication forced cause authentication time () is too old (>3600 s)
[debug] Returned error: 85
Status: Unknown command line : dwho => /oauth2/authorize?response_type=code&client_id=lemonldap&scope=openid profile address email phone&redirect_uri=http:/auth.example.com/oauth2.pl?openidconnectcallback=1&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent&ui_locales=fr-CA en-GB en fr-FR fr&login_hint=coudot&max_age=3600&id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJsZW1vbmxkYXAiLCJzdWIiOiJjb3Vkb3QiLCJpYXQiOjE0MjcyOTkyMzIsImF1dGhfdGltZSI6MTQyNzI5NjA1NCwiZXhwIjoiMzYwMCIsIm5vbmNlIjoiMTIzNDU2Nzg5MCIsImF1ZCI6WyJsZW1vbmxkYXAiXSwiYXRfaGFzaCI6InBkR0Fwb2VUTy01MzR6X1dDbDFxS1EiLCJhY3IiOiJsb2EtMiIsImlzcyI6Imh0dHA6Ly9hdXRoLmV4YW1wbGUuY29tLyJ9.QRU8KV0dDwUbfAYA3CbcNpYE3SGaqn2nHb6qT76i2-Y 85
[debug] Skin returned: upgradesession
[debug] Calling sendHtml with template upgradesession
```
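An added example (Python, not LL::NG code) of the decision an OIDC authorization endpoint has to make for the request logged above. The query string, including the id_token_hint, is taken from the log; the session contents and the clock are constructed. The warnings above show an undefined $_lastAuthnUTime flowing into the max_age arithmetic, where Perl treats it as 0 and every session looks too old; the check below instead handles a missing authentication time explicitly and fails closed with a reason. It also compares the hint's subject (coudot in the token) with the session user, which per OIDC Core section 3.1.2.3 yields login_required on mismatch. The JWT payload is decoded without signature verification, which is only acceptable because an OP verifies its own token before acting on it.

```python
"""Decide what an OIDC authorization request needs from the current session:
proceed, ask consent, force a fresh login, or return an error.
Added example, not LemonLDAP::NG code."""
import base64
import json
from urllib.parse import parse_qs, urlsplit

VALID_PROMPTS = {"none", "login", "consent", "select_account"}


def decode_jwt_payload_unverified(token):
    """Decode JWT claims WITHOUT checking the signature. Only acceptable for
    a hint the OP itself issued and has already verified with its own key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_authorize_request(url, session, now):
    """session: {'user': str, '_lastAuthnUTime': int or None}; now: epoch seconds.
    Returns {'action': 'proceed'|'consent'|'reauth'|'error', 'reason': str}."""
    q = {k: v[-1] for k, v in
         parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    prompt = set(q.get("prompt", "").split())
    if prompt - VALID_PROMPTS or ("none" in prompt and len(prompt) > 1):
        return {"action": "error", "reason": "invalid_request: bad prompt value"}

    # id_token_hint names the user the RP believes is logged in. A different
    # session user means "not logged in as that user": login_required.
    if "id_token_hint" in q:
        claims = decode_jwt_payload_unverified(q["id_token_hint"])
        if claims.get("sub") != session.get("user"):
            return {"action": "error",
                    "reason": "login_required: id_token_hint subject does not match session user"}

    # Freshness. A missing authentication time is neither "epoch 0" nor
    # "fresh": refuse to reason about it and require a new login.
    auth_time = session.get("_lastAuthnUTime")
    stale_reason = None
    if "login" in prompt:
        stale_reason = "prompt=login"
    elif auth_time is None:
        stale_reason = "no authentication time recorded in session"
    elif "max_age" in q:
        try:
            max_age = int(q["max_age"])
        except ValueError:
            return {"action": "error", "reason": "invalid_request: max_age is not an integer"}
        if now - auth_time > max_age:
            stale_reason = f"authenticated {now - auth_time}s ago, max_age={max_age}"
    if stale_reason:
        if "none" in prompt:      # prompt=none forbids any user interaction
            return {"action": "error", "reason": "login_required: " + stale_reason}
        return {"action": "reauth", "reason": stale_reason}

    if "consent" in prompt:
        return {"action": "consent", "reason": "prompt=consent"}
    return {"action": "proceed", "reason": "session fresh, no prompt"}


# Authorization request copied from the issue's log (query string as logged).
ISSUE_REQUEST = (
    "/oauth2/authorize?response_type=code&client_id=lemonldap"
    "&scope=openid profile address email phone"
    "&redirect_uri=http:/auth.example.com/oauth2.pl?openidconnectcallback=1"
    "&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent"
    "&ui_locales=fr-CA en-GB en fr-FR fr&login_hint=coudot&max_age=3600"
    "&id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhenAiOiJsZW1vbmxkYXAiLCJzdWIiOiJjb3Vkb3QiLCJpYXQiOjE0MjcyOTkyMzIsImF1dGhfdGltZSI6"
    "MTQyNzI5NjA1NCwiZXhwIjoiMzYwMCIsIm5vbmNlIjoiMTIzNDU2Nzg5MCIsImF1ZCI6WyJsZW1vbmxkYXAi"
    "XSwiYXRfaGFzaCI6InBkR0Fwb2VUTy01MzR6X1dDbDFxS1EiLCJhY3IiOiJsb2EtMiIsImlzcyI6Imh0dHA6"
    "Ly9hdXRoLmV4YW1wbGUuY29tLyJ9."
    "QRU8KV0dDwUbfAYA3CbcNpYE3SGaqn2nHb6qT76i2-Y")

if __name__ == "__main__":
    now = 1427299300                                   # constructed clock value
    print(decode_jwt_payload_unverified(ISSUE_REQUEST.split("id_token_hint=")[1]))
    # Session with no recorded authentication time: explicit reauth, no epoch-0 arithmetic.
    print(evaluate_authorize_request(ISSUE_REQUEST, {"user": "coudot", "_lastAuthnUTime": None}, now))
    # Fresh session for the hinted user: only the consent step remains.
    print(evaluate_authorize_request(ISSUE_REQUEST, {"user": "coudot", "_lastAuthnUTime": now - 100}, now))
```

The order of the checks matters: prompt validation first (so prompt=none cannot be combined with an interactive prompt), then identity (the hint), then freshness (max_age), and only then consent, so that a stale or mismatched session is never shown a consent screen for the wrong user.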
Issue #1250: No translation and no logo in OIDC consent page
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1250
Updated: 2018-05-19T19:41:48Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

When displaying the OIDC consent page, translated strings are not shown, see screenshot.

And we also have a CSP error if the logo is not hosted on the portal:

```
Content Security Policy: The page's settings blocked the loading of a resource at https://lemonldap-ng.org/_media/wiki/logo.png ("img-src http://auth.example.com:19876 data:")
```

But for this I think we just need to update the CSP parameter for the portal when using logos from outside. It should be said in the documentation.
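An added example (Python, not LL::NG code) of the CSP matching that produced the browser error above. The policy and the blocked URL are the ones in the error message, the page origin is the portal host it names, and the corrected policy adds the logo's origin as one more img-src source, which is the documentation point the issue asks for. The matcher implements the host-, scheme-, port- and 'self' rules needed here; it is not the full CSP3 algorithm (no nonces, hashes or path matching).

```python
"""Minimal CSP img-src matcher. Added example, not LemonLDAP::NG code; it
covers host sources, scheme sources, 'self' and wildcards, not the full
CSP3 matching algorithm."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """'img-src a b; default-src c' -> {'img-src': ['a', 'b'], 'default-src': ['c']}"""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(pattern_host, host):
    if pattern_host == "*":
        return True
    if pattern_host.startswith("*."):
        # *.example.com matches sub.example.com but not example.com itself.
        return host.endswith(pattern_host[1:]) and host != pattern_host[2:]
    return pattern_host == host


def _source_matches(source, url, page_origin):
    """source: one CSP source expression; url: the resource being fetched;
    page_origin: scheme://host[:port] of the protected page ('self')."""
    u = urlsplit(url)
    if source == "'self'":
        return _source_matches(page_origin, url, page_origin)
    if source == "'none'":
        return False
    if source.endswith(":"):                        # scheme source, e.g. data:
        return u.scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    # A source's scheme (or, if absent, the page's scheme) must match the URL;
    # CSP allows an http source to also match https, never the reverse.
    expected_scheme = src.scheme or urlsplit(page_origin).scheme
    if u.scheme != expected_scheme and not (expected_scheme == "http" and u.scheme == "https"):
        return False
    if not _host_matches(src.hostname or "", u.hostname or ""):
        return False
    url_port = u.port or DEFAULT_PORTS.get(u.scheme)
    if src.port is not None:
        return src.port == url_port
    return url_port == DEFAULT_PORTS.get(u.scheme)   # no port given: default port only


def img_allowed(header, url, page_origin):
    """True if the policy lets the page load url as an image."""
    policy = parse_csp(header)
    sources = policy.get("img-src", policy.get("default-src"))
    if sources is None:
        return True            # no applicable directive: CSP does not restrict it
    return any(_source_matches(s, url, page_origin) for s in sources)


# Values from the browser error quoted in the issue.
PAGE_ORIGIN = "http://auth.example.com:19876"
ISSUE_CSP = "img-src http://auth.example.com:19876 data:"
LOGO = "https://lemonldap-ng.org/_media/wiki/logo.png"
# Corrected policy: the logo's origin added as an extra img-src source.
FIXED_CSP = ISSUE_CSP + " https://lemonldap-ng.org"

if __name__ == "__main__":
    print("issue policy allows logo:", img_allowed(ISSUE_CSP, LOGO, PAGE_ORIGIN))   # False
    print("fixed policy allows logo:", img_allowed(FIXED_CSP, LOGO, PAGE_ORIGIN))   # True
```

Note that the fix is to add the specific origin, not "img-src *": a wildcard would let any page that can influence the logo URL load images from anywhere, which defeats the point of the directive.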
Issue #1260: RPM Update for SLES12, RHEL7+ and Fedora
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1260
Updated: 2018-05-19T19:41:49Z
Author: Chauvet Nicolas
Milestone: 2.0.0
Assignee: Clément OUDOT

Hello,

I need to build a SLES12 repository for the LemonLDAP::NG 1.9+ branch.
This build also has perl(Lasso) enabled (not by default in the lemonldap package because it's optional; one has to install it manually).
I've an old svn->git conversion checkout (from 1.4 days) on which I've made several improvements to the LM RPM spec file for both SLES12 and RHEL7 derivatives. Here is the changelog:

```
dcbef3b1 (HEAD -> master) Add missing requires on crontabs
e1917d93 Avoid a resay on summary and description
2bb91bd0 Owns sbin directory
e8fb8e2f own directories
ed024e9d fixup
4e8952d5 Use hardlink to avoid duplicate content
970d28de Since Boolean deps can be enabled, test to avoid errors in nginx case
f4da640c Improve suse post_installation
4a4ff05f Add boolean dependencies on httpd/nginx
623237ae Don't package /var/run/llng-fastcgi-server
f8946fac Move defattr in the appropriate palce
1ce04305 Add BR perl-GD
8d01857d Avoid any error in RPM snippets
a41d280a Update lm
d3a824d5 Install handler/manager/portal/test into respectives sub-packages
5a6c2207 Switch to posttrans
cd74c7bd Remove broken filter
5d0a4036 Use lm perl module only on the related host
ff4f7441 Resync with trunk
7e5c3a75 (rpm) Remove unused RPM Group field
0040ea4f Sort dependencies
b5c72c20 Add missing requires for conf in the related sub-packages
c5682101 Add runtime detection for suse to enable apache modules
e1b9cdb0 Remove updating editor on user's back
dd22872f Update to standard perl dependency notation
8c67bef4 Fixup license field
4a02dcc5 Update apache header for suse
```

Here is attached an svn diff against the current trunk (2.0.0).
Please note that I've only tested against 1.9.10.

From the documentation update perspective:
https://lemonldap-ng.org/documentation/1.9/installsles?s[]=sles
I don't see a need to enable the Leap repository. I don't have anything from that repository on my installation at runtime (and did not use anything from it at build time either).

Koji scratch build:
f26 https://koji.fedoraproject.org/koji/taskinfo?taskID=20340604

el7 is still missing a few dependencies, as reported in
https://bugzilla.redhat.com/show_bug.cgi?id=1436076
Issue #1264: Add dependency to documentation
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1264
Updated: 2018-05-19T19:41:49Z
Author: Mathieu Lecompte-melançon
Milestone: 2.0.0
Assignee: Clément OUDOT

Hi, there are missing yum dependencies on this page:
https://lemonldap-ng.org/documentation/2.0/prereq

```
yum install perl-Moose
yum install perl-Email-Simple
yum install perl-Email-Abstract
yum install perl-Email-Address
```

Those packages are mandatory to install:
http://people.parinux.org/~seyman/1436076/SRPMS/

Also add the requirement for the last one to the page.

Issue #1321: Choice/renew conflict
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1321
Updated: 2018-06-12T14:10:49Z
Author: Yadd
Milestone: 2.0.0
Assignee: Clément OUDOT
Issue #1322: Get user attributes in Auth module for external authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1322
Updated: 2018-06-23T06:33:23Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

When we use social login (Twitter/FB/LinkedIn/...), we need to get user attributes at the authentication phase, to be able to map one of them to the UserDB backend.

This is already done for LinkedIn and must be generalized to the other modules.
Issue #1327: Facebook module not working due to API changes in Facebook
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327
Updated: 2018-06-23T06:36:23Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14

I think we can get rid of this module, as we only need 2 or 3 GET requests, like it is done in the LinkedIn module.
Issue #1332: LDAP groups not correctly set in session
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1332
Updated: 2017-12-04T13:22:58Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

I tried to collect LDAP groups, but they are not stored correctly in the session. For a user belonging to the group "admin", I have this value in $groups:

```js
"groups" : "; admin|",
```

And I don't find the hGroups variable in the session.
Issue #1350: dependency problem installing lemonldap-ng 2.0 with centos 7
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1350
Updated: 2018-01-26T10:30:52Z
Author: Carl R.
Milestone: 2.0.0
Assignee: Clément OUDOT

Hello, I'm having a problem installing version 2.0 on CentOS 7 (trying to implement Kerberos, cf. issue 1344). I get the following message when installing with "yum install lemonldap-ng":

```
Error: Package: lemonldap-ng-handler-2.0.0~alpha2-1.el7.noarch (lemonldap-ng)
           Requires: perl(Lemonldap::NG::Handler::CGI)
Error: Package: perl-Lemonldap-NG-Common-2.0.0~alpha2-1.el7.noarch (lemonldap-ng)
           Requires: perl(Lemonldap::NG::Common::Conf::File)
```

My repo definition (/etc/yum.repos.d/lemonldap-ng.repo) seems OK:

```ini
[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/2.0/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
```

I've seen a similar message in https://jira.ow2.org/browse/LEMONLDAP-1260, but it's reported as fixed there; it appears it is not in my case.
Issue #1364: Centos - Issue with starting service llng-fastcgi-server
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1364
Updated: 2018-06-26T10:06:11Z
Author: Mathieu Lecompte-melançon
Milestone: 2.0.0
Assignee: Clément OUDOT

As we launch the service llng-fastcgi-server, we get this message:

```
/etc/init.d/llng-fastcgi-server : line 27 : /lib/init/vars.sh : No such file or directory
/etc/init.d/llng-fastcgi-server : line 28 : /lib/lsb/init-functions : No such file or directory
```

This happens on the 2.0 alpha release.
Issue #1383: Include 2nd factor register page in menu
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1383
Updated: 2018-05-09T04:51:33Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

I just tested the new TOTP feature and it works great!

I will try to add a menu button that will link to the register page if the feature is enabled.

We also need to let the user remove the 2nd factor if he wants to.
Issue #1404: Incorrect date when creating a new account
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1404
Updated: 2018-04-03T21:01:58Z
Author: Paul Curie
Milestone: 2.0.0
Assignee: Clément OUDOT

### Concerned version

Version: 2.0

### Summary

When creating an account on https://auth.openid.club, the account is successfully created, then this message with the wrong date appears:

"a confirmation link has been sent, this link is valid until 01/01/1970"!

[Selection_011](/uploads/77097fa615b31cac6d225ee92f9b9ea1/Selection_011.png)
Issue #1420: Answering to CAS proxy requests as CAS Provider
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1420
Updated: 2018-05-14T10:24:05Z
Author: Clément OUDOT
Milestone: 2.0.0
Assignee: Clément OUDOT

There is an error when calling the /cas/proxy endpoint:

```
==> /var/log/apache2/error.log <==
[info] No cookie found
[debug] Build URL https://auth.openid.club/cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa
[debug] Redirect 192.168.100.1 to portal (url was /cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing cas
Bad response 2 at /usr/share/perl5/Plack/Handler/FCGI.pm line 156.
[Fri May 11 21:49:25.545901 2018] [core:error] [pid 103079] [client 192.168.100.1:48558] End of script output before headers: index.fcgi
```