lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-05-14T10:24:05Z

Issue #1420: Answering to CAS proxy requests as CAS Provider
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1420
Updated: 2018-05-14T10:24:05Z, author: Clément OUDOT

There is an error when calling the /cas/proxy endpoint:
```
==> /var/log/apache2/error.log <==
[info] No cookie found
[debug] Build URL https://auth.openid.club/cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa
[debug] Redirect 192.168.100.1 to portal (url was /cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing cas
Bad response 2 at /usr/share/perl5/Plack/Handler/FCGI.pm line 156.
[Fri May 11 21:49:25.545901 2018] [core:error] [pid 103079] [client 192.168.100.1:48558] End of script output before headers: index.fcgi
```

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1150: Can't get captcha to work with LDAP as backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Updated: 2018-05-15T20:31:11Z, author: Michael Goldfinger

After getting the websites to work and getting LDAP to run as configuration backend, I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system as shown on the screenshots. The ldapBindDN and ldapBindPassword are used for the configuration backend too, so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer it if the {SSHA} form would work. However, the effect is that instead of the captcha I get the broken image icon and nothing is written into the LDAP.
The nginx error_log shows only the warnings about the demo accounts.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1327: Facebook module not working due to API changes in Facebook
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327
Updated: 2018-06-23T06:36:23Z, author: Clément OUDOT

There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in the LinkedIn module.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1542: Provide sessions attributes in template
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1542
Updated: 2018-11-15T10:54:39Z, author: Clément OUDOT

For customization, we need to be able to display some user information in the portal. So it would be great to load all session attributes as template parameters, with a prefix in the key, for example 'session_'.
So to display 'cn', we can call this in template:
```html
<TMPL_VAR NAME="session_cn">
```

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1247: Support RSA SHA256 signature in SAML
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1247
Updated: 2018-06-19T08:24:07Z, author: Clément OUDOT

We use SHA1 signatures by default. We should use SHA256 instead, but this should be a configuration for each provider.
See this thread on the Lasso mailing list: http://listes.entrouvert.com/arc/lasso/2017-06/msg00000.html

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1322: Get user attributes in Auth module for external authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1322
Updated: 2018-06-23T06:33:23Z, author: Clément OUDOT

When we use social login (Twitter/FB/LinkedIn/...), we need to get user attributes at the authentication phase, to be able to map one of these to the UserDB backend.
This is already done for LinkedIn, and must be generalized to other modules.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1512: Option to choose which SAML attribute will be used as "user" key
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1512
Updated: 2018-10-02T15:21:03Z, author: Clément OUDOT

For the moment, we use the NameID value as "user" key, which can be a problem when using it as a pivot on another userDB.
We need an option to choose which SAML attribute will be used as "user" key.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1503: RENATER metadata download script
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1503
Updated: 2018-11-08T14:48:33Z, author: Clément OUDOT

When using SAML with RENATER (or eduGAIN), we need to download the metadata of all registered partners and configure them inside LL::NG. Without this, the WAYF (see #1478) is not working, as the selected partner is not registered.
Technical details for script implementation: https://services.renater.fr/federation/technique/metadata

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1478: SAML Discovery Protocol (WAYF)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1478
Updated: 2018-11-20T21:50:57Z, author: Clément OUDOT

There is a discovery protocol in SAML different from the Common Domain Cookie specification: https://www.oasis-open.org/committees/download.php/28049/sstc-saml-idp-discovery-cs-01.pdf
This protocol is used for example by Renater WAYF: https://discovery.renater.fr/renater/WAYF
We need to support it in LemonLDAP::NG.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1161: Manage access rules for CAS, SAML and OpenID Connect clients
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1161
Updated: 2018-06-23T08:19:18Z, author: Clément OUDOT

As we are doing a lot of modifications for 2.0, I would like to rethink how we manage access rules and find a way to apply them to all LL::NG clients/applications, not only those protected by Handler.
From my point of view, an application can be authenticated and protected with multiple methods:
* HTTP headers behind Handlers
* CAS
* SAML
* OpenID Connect
We already implemented a kind of access control for CAS clients, when the CAS service matches a registered virtual host, but this is a kind of hack that we can improve.
CAS code must be rewritten so we can declare CAS servers and CAS services, like we have SAML IDP/SP and OIDC OP/RP.
And for CAS, SAML and OIDC, we should have a new sub branch which is access rules, like we have in virtual hosts. Note that we already have the "exported attributes" for SAML and OIDC. We just need to add it for CAS.
With this, we could be, I think, the only SSO and Access Management solution to act on HTTP Headers, CAS, SAML and OpenID Connect.
Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1321: Choice/renew conflict
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1321
Updated: 2018-06-12T14:10:49Z, author: Yadd

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1560: Do not require to edit /etc/hosts to add reload vhost
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1560
Updated: 2018-11-29T17:58:01Z, author: Clément OUDOT

We don't need to edit /etc/hosts; we should instead set the reload URL key to localhost, so it works by default at first installation. We then have documentation to explain how to configure reload URLs for cluster or complex installations.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1555: Do not remember choice in pdata when redirecting user for logout
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1555
Updated: 2018-11-28T10:37:52Z, author: Clément OUDOT

For example in the CAS protocol, the user is redirected back to the CAS server when the logout has ended.
When LL::NG is a CAS client configured with Choice, we are correctly redirected to the CAS server, but the CAS authentication is remembered, so when using the portal page, we are always redirected back to the CAS server and cannot select another authentication Choice.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1554: Parameter portalRequireOldPassword is not restored after mail reset
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1554
Updated: 2018-11-24T11:04:36Z, author: Clément OUDOT

In the Mail Reset plugin, we modify portalRequireOldPassword so that the password change form does not require the old password, but we need to restore this parameter afterwards.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1553: Read timeout when configuration reload is too long
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1553
Updated: 2018-11-26T13:18:26Z, author: Clément OUDOT

When we have a big configuration (for example after loading all IDPs of Renater), the reload is a little longer.
In this case, after saving a configuration, we have:
```
[notice] Apply configuration for 134.158.39.71: ok
[error] Apply configuration for 134.158.39.70: error 500 (read timeout)
Status : [
{
'134.158.39.70' => 'Error 500 (read timeout)',
'134.158.39.71' => 'OK'
}
];
```
We should be able to adjust the timeout value for reload.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1544: Issue with CDA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1544
Updated: 2018-11-15T14:17:27Z, author: Clément OUDOT

The CDA does not seem to work:
```
[debug] CDA request
[debug] Try to get a new CDA session
[debug] Check session validity -> 700s
[debug] Return CDA session 9ebd303f7932ba327369cc887d02c33e
[debug] Update sessionInfo _utime with 1542288651
[debug] Update sessionInfo cookie_value with 2b36c148951a7ab6673a5deb044c7b35
[debug] Update sessionInfo cookie_name with lemonldap
[debug] Try to get SSO session 9ebd303f7932ba327369cc887d02c33e
[debug] Get session 9ebd303f7932ba327369cc887d02c33e from Portal::Main::Run
[debug] Check session validity -> 700s
[debug] Return SSO session 9ebd303f7932ba327369cc887d02c33e
[debug] CDA redirection to https://test1.openid.cda/?lemonldapcda=9ebd303f7932ba327369cc887d02c33e
[debug] Processing code ref
[debug] Launching ::Plugins::Notifications::checkNotifDuringAuth
[debug] Processing code ref
[debug] Launching ::Plugins::History::run
[debug] Processing code ref
[debug] Launching ::Password::Choice::_endAuth
[debug] Unable to find enabledMods2 in this context: endAuth
[debug] Processing code ref
[debug] Cleaning pdata
[debug] Calling autoredirect
[debug] Building redirection to https://test1.openid.cda/?lemonldapcda=9ebd303f7932ba327369cc887d02c33e
[Thu Nov 15 14:30:51.295452 2018] [perl:debug] [pid 102179] Check configuration for Lemonldap::NG::Handler::ApacheMP2::Main
[Thu Nov 15 14:30:51.296960 2018] [perl:debug] [pid 102179] Lemonldap::NG::Common::Conf::Backends::File loaded.\nGet configuration from cache without verification.
[Thu Nov 15 14:30:51.297064 2018] [perl:debug] [pid 102179] Get configuration 285
[Thu Nov 15 14:30:51.297186 2018] [perl:info] [pid 102179] Loading configuration 285 for process 102179
[Thu Nov 15 14:30:51.297271 2018] [perl:debug] [pid 102179] Process 102179 calls defaultValuesInit
[Thu Nov 15 14:30:51.297430 2018] [perl:debug] [pid 102179] Options maintenance for vhost test1.openid.cda: 0
[Thu Nov 15 14:30:51.297538 2018] [perl:debug] [pid 102179] Process 102179 calls jailInit
[Thu Nov 15 14:30:51.299478 2018] [perl:debug] [pid 102179] Process 102179 calls portalInit
[Thu Nov 15 14:30:51.299620 2018] [perl:debug] [pid 102179] Process 102179 calls locationRulesInit
[Thu Nov 15 14:30:51.300857 2018] [perl:debug] [pid 102179] Process 102179 calls sessionStorageInit
[Thu Nov 15 14:30:51.304438 2018] [perl:debug] [pid 102179] Process 102179 calls headersInit
[Thu Nov 15 14:30:51.305920 2018] [perl:debug] [pid 102179] Process 102179 calls postUrlInit
[Thu Nov 15 14:30:51.306030 2018] [perl:debug] [pid 102179] Process 102179 calls aliasInit
[Thu Nov 15 14:30:51.306153 2018] [perl:debug] [pid 102179] Lemonldap::NG::Handler::ApacheMP2::Main: configuration is up to date
[Thu Nov 15 14:30:51.307165 2018] [perl:debug] [pid 102179] CDA request with id 9ebd303f7932ba327369cc887d02c33e
[Thu Nov 15 14:30:51.308751 2018] [perl:debug] [pid 102179] Get CDA session 9ebd303f7932ba327369cc887d02c33e
[Thu Nov 15 14:30:51.309846 2018] [perl:debug] [pid 102179] Build URL https://test1.openid.cda/
[Thu Nov 15 14:30:51.310001 2018] [perl:error] [pid 102179] [client 92.184.112.17:43320] Undefined subroutine &Lemonldap::NG::Handler::Lib::CDA::expires called at /usr/share/perl5/Lemonldap/NG/Handler/Lib/CDA.pm line 44.\n, referer: https://auth.openid.club/
```

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1534: Provide ipAddr in $req->env for rules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1534
Updated: 2018-11-09T11:05:49Z, author: Clément OUDOT

We had in 1.9 the $ipAddr that could be used in rules; we need the same in 2.0.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1531: LDAP parameters are dropped if authentication backend is AD
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1531
Updated: 2018-10-29T16:04:52Z, author: Clément OUDOT

If we choose AD as authentication backend, all LDAP parameters are dropped.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1530: AD Password module is missing
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1530
Updated: 2018-10-29T17:35:44Z, author: Clément OUDOT

The Portal/Password/AD.pm module is missing.

Milestone: 2.0.0, assignee: Clément OUDOT

Issue #1528: Issuer CAS redirect on bad service URL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1528
Updated: 2018-11-15T09:38:22Z, author: Clément OUDOT

When the service is http://cas.example.com/test/, we are redirected to http://cas.example.com/ (test/ is removed).

Milestone: 2.0.0, assignee: Clément OUDOT