lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2017-12-04T13:22:58Z

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1332
LDAP groups not correctly set in session
2017-12-04T13:22:58Z, Clément OUDOT

I tried to collect LDAP groups but they are not well stored in session. For a user belonging to group "admin", I have this value in $groups:
```js
"groups" : "; admin|",
```
And I don't find the hGroups variable in session.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1350
dependency problem installing lemonldap-ng 2.0 with centos 7
2018-01-26T10:30:52Z, Carl R.

Hello, I'm having a problem installing version 2.0 on centos7 (trying to implement kerberos, cf issue 1344). I get the following message when installing with "yum install lemonldap-ng":
```
Erreur : Paquet : lemonldap-ng-handler-2.0.0~alpha2-1.el7.noarch (lemonldap-ng)
Requiert : perl(Lemonldap::NG::Handler::CGI)
Erreur : Paquet : perl-Lemonldap-NG-Common-2.0.0~alpha2-1.el7.noarch (lemonldap-ng)
Requiert : perl(Lemonldap::NG::Common::Conf::File)
```
My repo definition (/etc/yum.repos.d/lemonldap-ng.repo) seems OK:
```ini
[lemonldap-ng]
name=LemonLDAP::NG packages
baseurl=https://lemonldap-ng.org/redhat/2.0/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
[lemonldap-ng-extras]
name=LemonLDAP::NG extra packages
baseurl=https://lemonldap-ng.org/redhat/extras/$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OW2
```
I've seen a similar message in https://jira.ow2.org/browse/LEMONLDAP-1260 but it's reported as fixed; it appears it is not in my case.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1404
Incorrect date when creating a new account
2018-04-03T21:01:58Z, Paul Curie

### Concerned version
Version: 2.0
### Summary
When creating an account on https://auth.openid.club, the account is successfully created, then this message with the wrong date appears:
"a confirmation link has been sent, this link is valid until 01/01/1970"!
[Selection_011](/uploads/77097fa615b31cac6d225ee92f9b9ea1/Selection_011.png)
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1383
Include 2nd factor register page in menu
2018-05-09T04:51:33Z, Clément OUDOT

I just tested the new TOTP feature and it works great!
I will try to add a menu button that will link to the register page if the feature is enabled.
We also need to let the user remove the 2nd factor if he wants to.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1420
Answering to CAS proxy requests as CAS Provider
2018-05-14T10:24:05Z, Clément OUDOT

There is an error when calling the /cas/proxy endpoint:
```
==> /var/log/apache2/error.log <==
[info] No cookie found
[debug] Build URL https://auth.openid.club/cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa
[debug] Redirect 192.168.100.1 to portal (url was /cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing cas
Bad response 2 at /usr/share/perl5/Plack/Handler/FCGI.pm line 156.
[Fri May 11 21:49:25.545901 2018] [core:error] [pid 103079] [client 192.168.100.1:48558] End of script output before headers: index.fcgi
```
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Can't get captcha to work with LDAP as backend
2018-05-15T20:31:11Z, Michael Goldfinger

After getting the websites to work and getting LDAP to run as configuration backend, I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system as shown on the screenshots. The ldapBindDN and ldapBindPassword are used for the configuration backend too, so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer if the {SSHA} would work. However, the effect is that instead of the captcha I get the broken image icon and nothing is written into the LDAP.
The nginx error_log shows only the warnings about the demo accounts.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1227
Old password input not shown in password form in menu
2018-05-19T19:41:47Z, Clément OUDOT

In the password tab, the old password input is not shown, but it is required to change the password:
```
[debug] User dwho was granted to access to /
[debug] Start routing default route
[debug] Processing importHandlerDatas
[debug] Processing restoreArgs
[debug] Processing controlUrl
[debug] Processing checkLogout
[debug] Processing code ref
[warn] Portal require old password
[debug] Returned error: 27
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Starting HTML generation using /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/site/templates/bootstrap/error.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/site/templates/bootstrap/error.tpl
```
Another thing is that the error message should be displayed with the menu and password tab activated, so we can directly retry to change the password. Here we have the generic error.tpl.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1235
Confirm buttons always return 1
2018-05-19T19:41:47Z, Clément OUDOT

When using the confirm.tpl template, it seems that the "accept" and "refuse" buttons both set the confirm parameter to 1.
Here is a log when "refuse" button is clicked:
```
[debug] Processing controlUrl
[debug] Confirm parameter accepted 1
```
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1239
Add an alt attribute and a cursor to flag icons
2018-05-19T19:41:48Z, Clément OUDOT

For flag icons, we should display an alternative text instead of a broken image (and this will also increase accessibility).
Also, a click cursor would better show that flags are buttons.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1248
Invalid call to upgradesession in OpenID Connect authorization
2018-05-19T19:41:48Z, Clément OUDOT

When testing OIDC with prompt=consent, I have this error:
```
[debug] Client id lemonldap match RP rp-example
Use of uninitialized value $_lastAuthnUTime in addition (+) at /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 281.
Use of uninitialized value $_lastAuthnUTime in concatenation (.) or string at /home/clement/dev/lemonldap/trunk/lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm line 282.
[debug] Reauthentication forced cause authentication time () is too old (>3600 s)
[debug] Returned error: 85
Status: Unknown command line : dwho => /oauth2/authorize?response_type=code&client_id=lemonldap&scope=openid profile address email phone&redirect_uri=http:/auth.example.com/oauth2.pl?openidconnectcallback=1&state=ABCDEFGHIJKLMNOPQRSTUVWXXZ&nonce=1234567890&display=popup&prompt=consent&ui_locales=fr-CA en-GB en fr-FR fr&login_hint=coudot&max_age=3600&id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhenAiOiJsZW1vbmxkYXAiLCJzdWIiOiJjb3Vkb3QiLCJpYXQiOjE0MjcyOTkyMzIsImF1dGhfdGltZSI6MTQyNzI5NjA1NCwiZXhwIjoiMzYwMCIsIm5vbmNlIjoiMTIzNDU2Nzg5MCIsImF1ZCI6WyJsZW1vbmxkYXAiXSwiYXRfaGFzaCI6InBkR0Fwb2VUTy01MzR6X1dDbDFxS1EiLCJhY3IiOiJsb2EtMiIsImlzcyI6Imh0dHA6Ly9hdXRoLmV4YW1wbGUuY29tLyJ9.QRU8KV0dDwUbfAYA3CbcNpYE3SGaqn2nHb6qT76i2-Y 85
[debug] Skin returned: upgradesession
[debug] Calling sendHtml with template upgradesession
```
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1250
No translation and no logo in OIDC consent page
2018-05-19T19:41:48Z, Clément OUDOT

When displaying the OIDC consent file, translated strings are not shown, see screenshot.
And we also have a CSP error if the logo is not in the portal:
```
Content Security Policy: Les paramètres de la page ont empêché le chargement d’une ressource à https://lemonldap-ng.org/_media/wiki/logo.png (« img-src http://auth.example.com:19876 data: »)
```
But for this I think we just need to update the CSP parameter for the portal when using logos from outside. It should be said in the documentation.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1260
RPM Update for SLES12, RHEL7+ and Fedora
2018-05-19T19:41:49Z, Chauvet Nicolas

Hello,
I need to build a SLES12 repository for LemonLDAP::NG 1.9+ branch.
This build also has perl(Lasso) enabled (not by default in the lemonldap package because it's optional; one has to install it manually).
I have an old svn->git conversion checkout (from 1.4 days) on which I've made several improvements to the LM RPM spec file for both SLES12 and RHEL7 derivatives. Here is the changelog:
```
dcbef3b1 (HEAD -> master) Add missing requires on crontabs
e1917d93 Avoid a resay on summary and description
2bb91bd0 Owns sbin directory
e8fb8e2f own directories
ed024e9d fixup
4e8952d5 Use hardlink to avoid duplicate content
970d28de Since Boolean deps can be enabled, test to avoid errors in nginx case
f4da640c Improve suse post_installation
4a4ff05f Add boolean dependencies on httpd/nginx
623237ae Don't package /var/run/llng-fastcgi-server
f8946fac Move defattr in the appropriate palce
1ce04305 Add BR perl-GD
8d01857d Avoid any error in RPM snippets
a41d280a Update lm
d3a824d5 Install handler/manager/portal/test into respectives sub-packages
5a6c2207 Switch to posttrans
cd74c7bd Remove broken filter
5d0a4036 Use lm perl module only on the related host
ff4f7441 Resync with trunk
7e5c3a75 (rpm) Remove unused RPM Group field
0040ea4f Sort dependencies
b5c72c20 Add missing requires for conf in the related sub-packages
c5682101 Add runtime detection for suse to enable apache modules
e1b9cdb0 Remove updating editor on user's back
dd22872f Update to standard perl dependency notation
8c67bef4 Fixup license field
4a02dcc5 Update apache header for suse
```
Attached is an svn diff against the current trunk (2.0.0).
Please note that I've only tested against 1.9.10.
From the documentation update perspective (https://lemonldap-ng.org/documentation/1.9/installsles?s[]=sles), I don't see a need to enable the Leap repository. I don't have anything from that repository on my installation at runtime (I did not even use anything from it at build time).
Koji scratch build:
f26 https://koji.fedoraproject.org/koji/taskinfo?taskID=20340604
el7 is still missing a few dependencies, as reported in https://bugzilla.redhat.com/show_bug.cgi?id=1436076
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1264
Add dependency to documentation
2018-05-19T19:41:49Z, Mathieu Lecompte-melançon

Hi, there are missing dependencies for yum on this page:
https://lemonldap-ng.org/documentation/2.0/prereq
```
yum install perl-Moose
yum install perl-Email-Simple
yum install perl-Email-Abstract
yum install perl-Email-Address
```
Those packages are mandatory to install:
http://people.parinux.org/~seyman/1436076/SRPMS/
Also add the requirement for the last one in the page.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1321
Choice/renew conflict
2018-06-12T14:10:49Z, Yadd

Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1451
CAS service ticket not validated with Choice + CAS client
2018-06-13T10:25:19Z, Clément OUDOT

LL::NG configured with Choice and CAS client.
The initial service value when requesting the ST is https://auth.openid.club/?lmAuth=8CAS, but the service value when calling serviceValidate is https://auth.openid.club/?lmAuth=8CAS&&lmAuth=8CAS.
Logs on CAS server (LL::NG 1.9):
```
[Wed Jun 13 11:29:03.436694 2018] [perl:debug] [pid 2083:tid 140310743086848] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Get service validate request with ticket ST-a68d2469f888296f2e7a8dc0813d623294a98ab1fd39ad0088e976d9fdb8ec0b for service https://auth.openid.club/?lmAuth=8CAS&&lmAuth=8CAS
[Wed Jun 13 11:29:03.439241 2018] [perl:debug] [pid 2083:tid 140310743086848] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SERVICE ticket session a68d2469f888296f2e7a8dc0813d623294a98ab1fd39ad0088e976d9fdb8ec0b found
[Wed Jun 13 11:29:03.444351 2018] [perl:debug] [pid 2083:tid 140310743086848] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/IssuerDBCAS.pm 317:
[Wed Jun 13 11:29:03.444472 2018] [perl:error] [pid 2083:tid 140310743086848] Submitted service https://auth.openid.club/?lmAuth=8CAS&&lmAuth=8CAS does not match initial service https://auth.openid.club/?lmAuth=8CAS
[Wed Jun 13 11:29:03.465267 2018] [perl:debug] [pid 2083:tid 140310743086848] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: CAS session a68d2469f888296f2e7a8dc0813d623294a98ab1fd39ad0088e976d9fdb8ec0b deleted
[Wed Jun 13 11:29:03.465508 2018] [perl:debug] [pid 2083:tid 140310743086848] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Return CAS service validate error INVALID_SERVICE (Submitted service does not match initial service)
```
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1453
Error when displaying CAS servers list
2018-06-14T09:53:20Z, Clément OUDOT

Logs:
```
[debug] Processing extractFormInfo
[debug] Redirecting user to CAS server list
[debug] Returned error: 42
[debug] Display: confirm detected
[debug] Skin returned: confirm
[debug] Calling sendHtml with template confirm
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/confirm.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[warn] [anonymous] Unable to load template: HTML::Template::param() : attempt to set parameter 'list' with a scalar - parameter is not a TMPL_VAR! at /usr/share/perl5/Lemonldap/NG/Common/PSGI.pm line 268.
[error] Error 500: Unable to load template: HTML::Template::param() : attempt to set parameter 'list' with a scalar - parameter is not a TMPL_VAR! at /usr/share/perl5/Lemonldap/NG/Common/PSGI.pm line 268.
```
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1247
Support RSA SHA256 signature in SAML
2018-06-19T08:24:07Z, Clément OUDOT

We use SHA1 signatures by default. We should use SHA256 instead, but this should be a configuration for each provider.
See this thread on the Lasso mailing list: http://listes.entrouvert.com/arc/lasso/2017-06/msg00000.html
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1224
No proxy tickets received when proxiedServices configured
2018-06-19T14:48:37Z, Clément OUDOT

When configuring proxied services, the CAS auth module does not try to ask the CAS server for them. The serviceValidate service is called without the pgtUrl parameter.
```
[debug] Build URL http://auth.example.com:19876/?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Redirect 127.0.0.1 to portal (url was /?ticket=ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing default route
[debug] Processing controlUrl
[debug] Processing extractFormInfo
[debug] CAS server example choosen
[debug] CAS: Service Ticket received: ST-b54a939508843ac982d7187f26078e6c8cf876d7774048e23966886d65c52188
[debug] Get CAS serviceValidate response: HTTP/1.1 200 OK
Connection: close
Date: Tue, 25 Apr 2017 13:25:57 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: User-Agent
Content-Type: application/xml; charset=ISO-8859-1
Client-Date: Tue, 25 Apr 2017 13:25:57 GMT
Client-Peer: 127.0.0.1:80
Client-Response-Num: 1
Client-Transfer-Encoding: chunked
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>dwho</cas:user>
<cas:attributes>
<cas:uid>dwho</cas:uid>
<cas:mail>dwho@badwolf.org</cas:mail>
<cas:cn>Doctor Who</cas:cn>
</cas:attributes>
</cas:authenticationSuccess>
</cas:serviceResponse>
```
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1322
Get user attributes in Auth module for external authentication
2018-06-23T06:33:23Z, Clément OUDOT

When we use social login (Twitter/FB/LinkedIn/...), we need to get user attributes at the authentication phase, to be able to map one of these to the UserDB backend.
This is already done for LinkedIn, and must be generalized to other modules.
Milestone: 2.0.0, assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327
Facebook module not working due to API changes in Facebook
2018-06-23T06:36:23Z, Clément OUDOT

There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in the LinkedIn module.
Milestone: 2.0.0, assignee: Clément OUDOT