lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2018-05-15T20:31:11Z)

----------------------------------------------------------------------
Issue #856: LemonLDAP loses exportedVars conf randomly
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/856
Author: Frédéric Pégé. Updated: 2018-05-15T20:31:11Z. Milestone: 2.0.0. Assignee: Yadd.

Randomly (at least, for now), Lemonldap loses the entry "exportedVars" of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (line 1972):
```
$self->lmLog( "[exportedVars] exportedVars : ".join(' ',keys %{ $self->{exportedVars} }) , 'warn' );
```
When everything is fine:
```
[Tue Oct 13 17:55:35 2015] [warn] [exportedVars] exportedVars : DATEFINVALIDITE UA SSL_CLIENT_CERT DATEDEBUTVALIDITE
```
When the bug occurs:
```
[Tue Oct 13 17:41:31 2015] [warn] [exportedVars] exportedVars :
```
This can be checked in the session explorer: LDAP vars are shown, and so on, but exportedVars are missing.
I've managed to reproduce the issue easily with SSL auth and LDAP users.
Can you look into that, please?
Best regards,
Fred.

----------------------------------------------------------------------
Issue #857: Adapt apache log level message on multi authentication scheme
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/857
Author: Philippe Baye. Updated: 2018-05-18T05:17:43Z. Milestone: 2.0.0. Assignee: Yadd.

When the Authentication module is set to "Multiple" (in my case "SSL;Slave;LDAP"), for all the first ones that fail, I have a "warn" message put in the Apache error file before the authentication process finishes.
In this case, it would be better to have these logs at a low level ("info" or "debug"): first authentication failures are the "normal" case.
Example 1:
I have this log before the connection form is displayed:
```
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : Client IP not accredited for Slave module (172.xxx.xxx.xxx)
```
Example 2:
If the IP is accredited for the Slave module (or slaveMasterIP is empty), then the message is at "error" level:
```
[Thu Oct 15 15:25:34 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:25:34 2015] [error] No header Slave-Auth-User found
```
Moreover, each time the connection form is submitted (for example with a wrong password), these first 2 lines are logged.

----------------------------------------------------------------------
Issue #863: get_url function builds wrong Portal URL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/863
Author: Cédric Liard. Updated: 2018-05-15T20:31:11Z. Milestone: 2.0.0. Assignee: Yadd.

The get_url function in Simple.pm builds the portal URL according to the portal-apache2.conf definition and not the portal URL defined in the LemonLDAP configuration.
The problem is that if the portal is behind a proxy (listening on https), the portal Apache vhost is listening on http and the portal URL (defined in the LemonLDAP configuration) is on https, this function returns the http URL.
----------------------------------------------------------------------
Issue #868: Replace XML format by JSON for notifications
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/868
Author: Yadd. Updated: 2018-05-18T05:17:44Z. Milestone: 2.0.0. Assignee: Yadd.

Using XML provides no benefit but consumes memory and CPU on the server side.

----------------------------------------------------------------------
Issue #918: Env variables are searched in backends
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/918
Author: Clément OUDOT. Updated: 2018-05-15T20:31:11Z. Milestone: 2.0.0. Assignee: Yadd.

When declaring exported attributes which are env variables, they are also searched in backends.

----------------------------------------------------------------------
Issue #960: Simplify handler arch
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/960
Author: Yadd. Updated: 2018-05-18T05:17:47Z. Milestone: 2.0.0. Assignee: Yadd.

----------------------------------------------------------------------
Issue #967: Warnings on OpenID attributes when configuration is saved
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/967
Author: Clément OUDOT. Updated: 2018-05-18T05:17:47Z. Milestone: 2.0.0. Assignee: Yadd.

during the save that seems to work properly until I open the tab again, I get 4 warnings that used not to be here:
```
Warnings
openIdSreg_timezone: Unknown attribute or macro: _timezone
openIdSreg_nickname: Unknown attribute or macro: uid
openIdSreg_fullname: Unknown attribute or macro: cn
openIdSreg_email: Unknown attribute or macro: mail
```
I suspect those are benign and maybe leftovers of the 1.4 to 1.9 migration, since I tried using the OpenID provider.

----------------------------------------------------------------------
Issue #970: REST API for Portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/970
Author: dcoutadeur dcoutadeur. Updated: 2018-05-18T05:17:48Z. Milestone: 2.0.0. Assignee: Yadd.

This is a proposal for making a REST API for the portal, as was done recently with the Manager.

----------------------------------------------------------------------
Issue #971: Server-to-Server Handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/971
Author: Yadd. Updated: 2019-04-23T06:00:21Z. Milestone: 2.0.0. Assignee: Yadd.

Modern applications can have underlying REST requests to some other servers. We could develop a Kerberos-like ticket system to provide the application with a ticket that can be used to query other servers (the ticket will be valid for a few seconds):
* in the manager, just set a header containing `llngTicket()`;
* the application must set this ticket in a header (may be simply a cookie? a GET parameter?);
* the handler will use the ticket instead of the normal cookie to retrieve the session and verify that `$ticketTime + $class->tsv->ticketTimeout > time()`. Then the normal process;
* the ticket can simply be `cryptWithLlngKey ( random() . '/' . $sessionId . '/' . time() )`

----------------------------------------------------------------------
Issue #998: encode_base64 can be undefined after a reload by URL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/998
Author: Swaelens Jontathan. Updated: 2018-05-15T20:31:11Z. Milestone: 2.0.0. Assignee: Yadd.

Hello,
After a modification in the manager, I have Apache errors for my virtual hosts that use the function encode_base64:
```
Undefined subroutine &Lemonldap::NG::Handler::Main::Jail::encode_base64 called at (eval 638) line 1.
```
I must reload Apache to fix it.
Cheers.

----------------------------------------------------------------------
Issue #1015: Two-Factor Authentication with OTP for portal user logins
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1015
Author: Pasi Karkkainen. Updated: 2018-05-18T05:17:51Z. Milestone: 2.0.0. Assignee: Yadd.

Currently LemonLDAP-NG (as of 1.9.2) does not support Two-Factor Authentication using a combination of username + password + One Time Password/PIN (OTP).
It'd be good if lemonldap-ng supported, for example, SMS-OTP (One Time Password/PIN delivered to a mobile phone using SMS) like this:
1) The user goes to the lemonldap-ng login page and gets the usual prompt for username/password.
2) After successful user/pass authentication, the user gets another dialog/form on the login web page with an "OTP" prompt (challenge), to enter a valid one-time password/PIN.
3) If using SMS-OTP, the user will now also get an SMS message delivered with the OTP in it to his mobile phone.
4) The user enters the OTP (response) from the SMS into the OTP form on the lemonldap-ng login page.
5) When the user has entered the correct OTP, login is successful and the lemonldap session is started.
This can be implemented in the following way:
1) Add Challenge-Response support to the lemonldap-ng AuthRadius plugin. Challenge-Response is a generic/standard method of implementing two-factor or multi-factor authentication with RADIUS. Challenge-Response also supports other types of OTP as well, not just SMS-OTP.
2) Add Two-Factor / Multi-Factor support to the lemonldap-ng login page, so it can display multi-part login forms, based on Challenge-Response results.
Basically, during the first phase of authentication (username/password entered) the RADIUS server verifies the username/password; normally it would respond with "Access-Accept" for a successful authentication, but in the case of OTP it replies with "Access-Challenge" instead, which means LemonLDAP-NG should request additional information from the user. The RADIUS server also includes the actual text that should be shown to the user (for example "Enter SMS-OTP"). Also the RADIUS server, or the configured RADIUS backend, will generate the actual one-time password/PIN and send it to the user using SMS, or some other method.
In the second phase of the authentication LemonLDAP-NG will send the OTP to the RADIUS server, and when the RADIUS server verifies that the OTP is correct, the user authentication is successful.
There are multiple RADIUS servers/products with support for Two-Factor Authentication with One Time Passwords/PINs. FreeRADIUS also supports this.
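The two-phase exchange the report describes, as an added example (editor's code, not LemonLDAP::NG's AuthRadius plugin or any RADIUS server's implementation). Both sides are simulated in Python with dict packets instead of real UDP, the user table and the OTP delivery are constructed fixtures, and the State handling (opaque, bound to the user, single-use, expiring, limited attempts) is the part of the protocol the proposal leaves implicit.

```python
"""RADIUS Access-Challenge flow for a password + OTP login (added example).

Not code from LemonLDAP::NG or FreeRADIUS: server and portal are simulated in-process
with dict "packets" so the exchange runs offline; users and OTP delivery are fixtures."""
import hmac
import secrets
import time

# RADIUS packet codes from RFC 2865; only those this flow needs.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

USERS = {"alice": "correct horse"}   # constructed: user -> static password
OTP_TTL = 120                        # seconds a challenge stays answerable
MAX_OTP_ATTEMPTS = 3                 # challenge is dropped after this many wrong OTPs


def _same(a, b):
    """Constant-time string comparison (passwords and OTPs)."""
    return hmac.compare_digest(a.encode(), b.encode())


class RadiusServer:
    """Phase 1 checks the password and issues a challenge; phase 2 checks the OTP
    against the pending challenge identified by the State attribute."""

    def __init__(self, otp_sender, now=time.time):
        self.otp_sender = otp_sender   # callable(user, otp): out-of-band delivery (SMS)
        self.now = now
        self.pending = {}              # State -> {user, otp, expires, attempts}

    def handle(self, pkt):
        if pkt.get("code") != ACCESS_REQUEST:
            return {"code": ACCESS_REJECT}
        state = pkt.get("State")
        return self._phase_two(pkt, state) if state else self._phase_one(pkt)

    def _phase_one(self, pkt):
        user = pkt.get("User-Name", "")
        expected = USERS.get(user)
        if expected is None or not _same(pkt.get("User-Password", ""), expected):
            return {"code": ACCESS_REJECT}
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        state = secrets.token_hex(16)  # opaque, unguessable handle for this challenge
        self.pending[state] = {"user": user, "otp": otp,
                               "expires": self.now() + OTP_TTL, "attempts": 0}
        self.otp_sender(user, otp)
        return {"code": ACCESS_CHALLENGE, "State": state, "Reply-Message": "Enter SMS-OTP"}

    def _phase_two(self, pkt, state):
        rec = self.pending.get(state)
        # Unknown, expired or foreign State: reject; never fall back to password checking.
        if rec is None or self.now() > rec["expires"] or rec["user"] != pkt.get("User-Name"):
            self.pending.pop(state, None)
            return {"code": ACCESS_REJECT}
        rec["attempts"] += 1
        if _same(pkt.get("User-Password", ""), rec["otp"]):
            del self.pending[state]    # single use: replaying the same State is rejected
            return {"code": ACCESS_ACCEPT}
        if rec["attempts"] >= MAX_OTP_ATTEMPTS:
            del self.pending[state]
        return {"code": ACCESS_REJECT}


def portal_login(server, user, password, read_otp):
    """Portal side: the first Access-Request carries the password; on Access-Challenge
    the portal shows Reply-Message, collects the OTP and echoes State in the second."""
    resp = server.handle({"code": ACCESS_REQUEST, "User-Name": user, "User-Password": password})
    if resp["code"] == ACCESS_CHALLENGE:
        otp = read_otp(resp["Reply-Message"])     # the second form on the login page
        resp = server.handle({"code": ACCESS_REQUEST, "User-Name": user,
                              "User-Password": otp, "State": resp["State"]})
    return resp["code"] == ACCESS_ACCEPT


def demo():
    """Happy path, wrong OTP, wrong password, State replay and expiry; returns the outcomes."""
    clock = [1_700_000_000.0]
    inbox = {}                                        # stands in for the user's phone
    server = RadiusServer(lambda u, otp: inbox.__setitem__(u, otp), now=lambda: clock[0])
    pw = "correct horse"
    out = {"accepted": portal_login(server, "alice", pw, lambda _: inbox["alice"])}
    out["wrong_otp"] = portal_login(server, "alice", pw,
                                    lambda _: "000000" if inbox["alice"] != "000000" else "111111")
    out["bad_password"] = portal_login(server, "alice", "nope", lambda _: inbox["alice"])
    chal = server.handle({"code": ACCESS_REQUEST, "User-Name": "alice", "User-Password": pw})
    second = {"code": ACCESS_REQUEST, "User-Name": "alice",
              "User-Password": inbox["alice"], "State": chal["State"]}
    out["first_use"] = server.handle(second)["code"] == ACCESS_ACCEPT
    out["replay"] = server.handle(second)["code"] == ACCESS_ACCEPT
    chal = server.handle({"code": ACCESS_REQUEST, "User-Name": "alice", "User-Password": pw})
    clock[0] += OTP_TTL + 1                           # challenge outlives its TTL
    out["expired"] = server.handle({"code": ACCESS_REQUEST, "User-Name": "alice",
                                    "User-Password": inbox["alice"],
                                    "State": chal["State"]})["code"] == ACCESS_ACCEPT
    return out
```

The State attribute is what ties the second request to the first: the server must treat an unknown, expired or already-used State as a rejection rather than re-running the password check, otherwise the OTP step can be skipped by resubmitting phase one.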
----------------------------------------------------------------------
Issue #1019: Evaluate custom template parameters
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1019
Author: Clément OUDOT. Updated: 2018-05-18T05:17:51Z. Milestone: 2.0.0. Assignee: Yadd.

We have the possibility to set custom template parameters: http://lemonldap-ng.org/documentation/latest/portalcustom#template_parameters
But this would be even more useful if this parameter were evaluated, so we can use %ENV and all session values. For example:
```
tpl_helloworld = "Hello world from ".$ipAddr
```

----------------------------------------------------------------------
Issue #1033: Translate mail subject - forgotten password
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1033
Author: Julian Layen. Updated: 2018-05-19T19:41:37Z. Milestone: 2.0.0. Assignee: Yadd.

Hello,
I need to translate the mails about "forgotten password" in the manager; unfortunately it is not possible to translate the mail subject into multiple languages. How can I change the subject for each language?
I modified the following file to change the subject, but it does not work well:
/usr/share/perl5/Lemonldap/NG/Portal/MailReset.pm
line 310:
```
# TEST
# my $subject = $self->{mailConfirmSubject};
my $subject;
# First two characters of the browser's Accept-Language header, e.g. "fr" from "fr-FR,fr;q=0.9"
my $a = substr( $ENV{HTTP_ACCEPT_LANGUAGE}, 0, 2 );
# Strings must be compared with "eq": "==" compares numerically, so every
# branch matched and the last assignment always won.
if ( $a eq "fr" ) {
    $subject = "Espace PRO Zodiac : Demande de re-initialisation de mot de passe";
}
if ( $a eq "en" ) {
    $subject = "Zodiac Espace PRO : password modification request";
}
if ( $a eq "it" ) {
    $subject = "Zodiac Area PRO: modifica della password richiesta";
}
if ( $a eq "pt" ) {
    $subject = "Espaço PRO Zodiac : pedido de alteração da contra-senha";
}
if ( $a eq "es" ) {
    $subject = "Zodiac Espacio PRO : solicitud de modificación de contraseña";
}
if ( $a eq "nl" ) {
    $subject = "Zodiac Espace PRO : Boekingsverzoek reset van het wachtwoord";
}
if ( $a eq "de" ) {
    $subject = "Zodiac Händlerbereich: Anfrage zur Passwortänderung";
}
$subject .= $a;    # debugging: show which language code was detected
# TEST
```
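A way to choose the subject from the browser's language that does not break on headers such as `fr-CH,fr;q=0.9,en;q=0.8`, as an added Python example (editor's code, not the MailReset.pm patch above and not LemonLDAP::NG's own translation mechanism). It parses the Accept-Language q-values per RFC 7231, falls back from a regional tag to its primary subtag and then to a default; the subject strings and the set of supported languages are constructed.

```python
"""Localised mail subject chosen from Accept-Language (added example in Python).

Not the MailReset.pm patch above and not LemonLDAP::NG's own i18n: the header is parsed
per RFC 7231 (q-values, order) instead of taking its first two characters. Subjects are
constructed; the keys are the languages the portal supports."""

SUBJECTS = {
    "fr": "Demande de réinitialisation de mot de passe",
    "en": "Password reset request",
    "de": "Anfrage zur Passwortänderung",
}
DEFAULT_LANG = "en"


def parse_accept_language(header):
    """Return (tag, q) pairs, best first; header order breaks ties.
    Tags with q=0 (explicit refusal) or an unparsable q are dropped."""
    ranked = []
    for pos, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not tag:
            continue
        q = 1.0                                     # default weight per RFC 7231
        for param in parts[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if 0.0 < q <= 1.0:
            ranked.append((tag, q, pos))
    ranked.sort(key=lambda t: (-t[1], t[2]))
    return [(tag, q) for tag, q, _ in ranked]


def pick_language(header, supported, default):
    """Best supported language: exact tag first ("de"), then the primary subtag
    ("fr-CH" -> "fr"); "*" is skipped and the default is used when nothing matches."""
    for tag, _q in parse_accept_language(header or ""):
        if tag == "*":
            continue
        if tag in supported:
            return tag
        primary = tag.split("-", 1)[0]
        if primary in supported:
            return primary
    return default


def mail_subject(accept_language):
    """Subject line for the password-reset mail, given the request's Accept-Language."""
    return SUBJECTS[pick_language(accept_language, SUBJECTS, DEFAULT_LANG)]
```

Taking the first two characters of the header picks the wrong language whenever the user's first choice is unsupported (a Swiss-French user sending `fr-CH,fr;q=0.9` still gets French here, an Italian user sending `it, en;q=0.5` gets English instead of an empty subject).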
----------------------------------------------------------------------
Issue #1044: Adapt FastCGI server to be able to use an event Plack engine
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1044
Author: Yadd. Updated: 2018-05-19T19:41:37Z. Milestone: 2.0.0. Assignee: Yadd.

The only thing to do seems to be to replace the $_v handler variable by a $req property (to avoid confusing users), but it seems to be a little bit hard to do...

----------------------------------------------------------------------
Issue #1061: Multiple segfault using ModPerl::Registry with Apache2.4
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1061
Author: Jeremy Kespite. Updated: 2018-05-15T20:31:11Z. Milestone: 2.0.0. Assignee: Yadd.

I have recently started to use Apache 2.4 with LL 1.9.5. I previously used Apache 2.2 and LL 1.3.3.
Since I upgraded, my error logs contain lots of:
```
child pid 46733 exit signal Segmentation fault (11)
Attempt to free unreferenced scalar: SV 0x7f3682a244a0, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 44.
Attempt to free unreferenced scalar: SV 0x7f363c019f70, Perl interpreter: 0x7f368321f550.
Out of memory!
Attempt to free unreferenced scalar: SV 0x7f363402c818, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 73.
```
I found lots of issues on the Internet about Apache 2.4 reporting segfaults frequently, but no good answer. My guess is that it is an Apache issue more than a LLNG issue.
I also use Nginx Handler and it works perfectly.
So my question is:
Is there anyone else having the same kind of problem with Apache2.4?
----------------------------------------------------------------------
Issue #1065: Provide SSL options for AuthBasic
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1065
Author: Jeremy Kespite. Updated: 2018-05-19T19:41:39Z. Milestone: 2.0.0. Assignee: Yadd.

Recent versions of libwww-perl always verify the SSL certificate.
If the portal uses https, AuthBasic does not work unless you provide certificate information.
Previously, this was handled by
```
PerlSetEnv PERL_LWP_SSL_VERIFY_HOSTNAME 0
```
in a conf.d of Apache.
Now, this is not enough.
So could you provide a SOAP option in the Manager to specify whether the SSL certificate needs to be checked?
If not, the solution is to create a SOAP object with:
```
# Disables both hostname verification and chain validation on the handler's SOAP client.
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
my $soapClient = SOAP::Lite->proxy(
    $tsv->{portal}->(),
    default_headers => $soapHeaders,
    ssl_opts        => [ SSL_verify_mode => 0 ],
);
```
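The workaround above turns off both hostname verification and chain validation, which lets any on-path host impersonate the portal to the handler's SOAP client. The following is an added example in Python's ssl module (editor's code, not LemonLDAP::NG's SOAP::Lite client) showing that weak setting beside the configuration that keeps verification and trusts a private CA instead; the Perl option names in the comments are the ones quoted in the issue, and the CA PEM parameter is an assumption about how a deployment would supply its internal CA.

```python
"""Client TLS verification: the setting the workaround above disables, beside a
configuration that keeps verification and trusts a private CA instead.

Added example using Python's ssl module (not LemonLDAP::NG's SOAP::Lite client); the
Perl option names in comments are the ones quoted in the issue."""
import ssl


def insecure_context():
    """What PERL_LWP_SSL_VERIFY_HOSTNAME=0 plus SSL_verify_mode => 0 amounts to: no chain
    validation and no hostname check, so any on-path host can impersonate the portal and
    read or forge the session data the handler fetches over SOAP."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(private_ca_pem=None):
    """Keeps chain and hostname verification on. A portal certificate issued by an
    internal CA is handled by trusting that CA, not by turning verification off.
    private_ca_pem (assumed deployment input): the CA certificate as a PEM string."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system roots
    if private_ca_pem is not None:
        ctx.load_verify_locations(cadata=private_ca_pem)   # adds the CA to the trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summary a practitioner can assert on at startup or log when the client is built."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }
```

The Manager option the report asks for would be the equivalent of choosing between these two contexts; the safe value of such an option is the CA to trust, not a boolean that disables verification.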
----------------------------------------------------------------------
Issue #1085: CDA: use different cookies for each protected vhost instead of one for all
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1085
Author: Jaboeuf Quentin. Updated: 2018-05-19T19:41:40Z. Milestone: 2.0.0. Assignee: Yadd.

In a recent security audit of our LL::NG platform, the expert pointed out an issue with the fact that all the virtual hosts are protected with the same session id/cookie.
So, if someone steals the cookie, he could access all the applications the cookie's owner can access.
He suggests dealing with secondary session ids/cookies to limit the impact of stealing a cookie.
Does this sound reasonable to you? Is this achievable?
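One way to build the secondary credentials suggested here, as an added Python example (editor's code, not LemonLDAP::NG's CDA or handler implementation): a store that issues unguessable credentials bound to a master session and a scope. It covers both this issue (a cookie scoped to one vhost, so a stolen one opens nothing else) and the server-to-server ticket proposed in issue #971 above (the same credential scoped to a target service with a lifetime of seconds). The session id, vhost names, cookie naming and TTLs are constructed.

```python
"""Scoped secondary credentials derived from one master session (added example).

Editor's code in Python, not LemonLDAP::NG's CDA or handler implementation. The same
store serves two proposals on this page: a per-vhost cookie (issue #1085) is a credential
scoped to that vhost for the session's lifetime; a server-to-server ticket (issue #971) is
one scoped to a target service for a few seconds. Ids, hostnames and TTLs are constructed."""
import hashlib
import secrets
import time


class ScopedCredentialStore:
    def __init__(self, now=time.time):
        self.now = now
        self._records = {}        # sha256(credential) -> (session_id, scope, expires_at)

    @staticmethod
    def _key(credential):
        # Only a hash is stored: a leaked table yields no usable credential.
        return hashlib.sha256(credential.encode()).hexdigest()

    def issue(self, session_id, scope, ttl):
        """Mint an unguessable credential bound to (session, scope), valid for ttl seconds."""
        cred = secrets.token_urlsafe(32)
        self._records[self._key(cred)] = (session_id, scope, self.now() + ttl)
        return cred

    def resolve(self, credential, scope):
        """Handler side: map a presented credential to the master session id, but only
        if it was issued for exactly this scope and has not expired; None otherwise.
        The master session id itself never leaves the server."""
        key = self._key(credential)
        rec = self._records.get(key)
        if rec is None:
            return None
        session_id, issued_scope, expires_at = rec
        if self.now() > expires_at:
            del self._records[key]
            return None
        if issued_scope != scope:     # e.g. app1's cookie presented to app2's handler
            return None
        return session_id

    def revoke_session(self, session_id):
        """Logout: drop every credential derived from the master session at once."""
        self._records = {k: v for k, v in self._records.items() if v[0] != session_id}


def demo():
    """Issues per-vhost cookies and a short ticket, then shows what each resolves to."""
    clock = [1_700_000_000.0]
    store = ScopedCredentialStore(now=lambda: clock[0])
    master = "a1b2c3"                                    # constructed master session id
    # CDA: the portal hands each vhost its own cookie (e.g. named lemonldap_<vhost>).
    app1 = store.issue(master, "vhost:app1.example.com", ttl=3600)
    app2 = store.issue(master, "vhost:app2.example.com", ttl=3600)
    # Server-to-server: the handler sets a header with a ticket for one backend.
    ticket = store.issue(master, "svc:api.example.com", ttl=5)
    out = {
        "app1_cookie_on_app1": store.resolve(app1, "vhost:app1.example.com"),
        "app1_cookie_on_app2": store.resolve(app1, "vhost:app2.example.com"),  # stolen cookie
        "ticket_fresh": store.resolve(ticket, "svc:api.example.com"),
        "unknown": store.resolve("never-issued", "vhost:app1.example.com"),
    }
    clock[0] += 6                                        # past the ticket's 5-second TTL
    out["ticket_after_ttl"] = store.resolve(ticket, "svc:api.example.com")
    store.revoke_session(master)
    out["app2_after_logout"] = store.resolve(app2, "vhost:app2.example.com")
    return out
```

Keeping the mapping server-side means the client never holds the master session id and logout can revoke every derived credential at once. The stateless variant sketched in #971, `cryptWithLlngKey( random() . '/' . $sessionId . '/' . time() )`, needs an authenticated encryption mode: with an unauthenticated cipher there is no guarantee that the embedded timestamp or session id was not altered by whoever holds the ticket.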
----------------------------------------------------------------------
Issue #1090: Rename lmConf-1.js to lmConf-1.json
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1090
Author: Stéphane Liabat. Updated: 2018-05-19T19:41:40Z. Milestone: 2.0.0. Assignee: Yadd.

It would be more convenient, especially with editor software, to use .json instead of .js for the lmConf file.

----------------------------------------------------------------------
Issue #1091: Handler for DevOps (SSOaaS)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1091
Author: Yadd. Updated: 2018-06-07T17:53:23Z. Milestone: 2.0.0. Assignee: Yadd.

To be able to provide a handler that can be included in a DevOps environment, we should have a handler that can calculate rules and headers dynamically.
Proposal: a "Handler::Dev" that downloads its rules/headers from the root of the website (`/rules.json` for example). Default to "accept".
This could be used to provide a sort of SSO-as-a-Service: the reverse proxies that host the "door" of a tenant could host a DevOps handler, so developers could define their own rules for their apps.

----------------------------------------------------------------------
Issue #1113: OIDC Provider to SAML SP does not work
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1113
Author: dcoutadeur dcoutadeur. Updated: 2018-05-15T20:31:11Z. Milestone: 2.0.0. Assignee: Yadd.

I have 3 machines:
- 1 is OIDC RP
- 1 is OIDC Provider + SAML SP
- 1 is SAML IdP
When trying to make a chain:
- Relying Party contacts OpenID Connect Provider
then
- OpenID Connect Provider (configured as SAML SP) contacts SAML IdP
the final return does not work, i.e. the SAML SP does not call its internal IdP.
I propose a basic patch, which, in summary:
- happens before storing the relay state in the SAML SP (Portal/_SAML.pm)
- gets the called URL
- if the URL matches the current portal URL, stores it in the relay state.
The patch is working, but maybe these points should be validated:
- make sure it is generic, in particular make sure the other way works: SAML IdP calling an OIDC RP
- security: make sure we won't redirect to insecure locations
- using the CGI module may be improved? (if the portal is to be made more generic and less tied to Apache)
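A check for the second point (not redirecting to insecure locations), as an added Python example (editor's code, not the patch proposed in the issue): a return URL is stored only if its scheme, host and effective port equal the configured portal URL, which rejects relative and scheme-relative URLs, userinfo tricks, look-alike hosts, other ports and other schemes. The portal URL and the sample inputs are constructed.

```python
"""Same-portal check for a return URL before storing it in RelayState (added example).

Editor's Python, not the patch proposed in the issue. A URL is accepted only if its
scheme, host and effective port equal the configured portal URL; portal URL and inputs
are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, port) with the default port filled in; None when the URL is not an
    absolute http(s) URL or does not parse."""
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname                 # lower-cased; None for "//", relative, "mailto:"
        if scheme not in DEFAULT_PORTS or not host:
            return None
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]   # .port raises on junk
    except ValueError:
        return None
    return (scheme, host, port)


def is_portal_url(url, portal_url):
    """True only when url points at the portal itself. Relative paths, scheme-relative
    "//host", userinfo tricks ("https://portal@evil"), look-alike hosts, other ports and
    other schemes are rejected, so the stored RelayState cannot send the user elsewhere."""
    if not isinstance(url, str) or "\\" in url or any(c in url for c in " \t\r\n"):
        return False                          # browsers normalise these differently
    target, portal = _origin(url), _origin(portal_url)
    return target is not None and target == portal


def relay_state_for(requested_url, portal_url):
    """What to store: the requested URL if it is ours, otherwise the portal root."""
    return requested_url if is_portal_url(requested_url, portal_url) else portal_url
```

Comparing parsed origins rather than doing a string prefix match is what defeats `https://portal.example.com.evil.com` and `https://portal.example.com@evil.com`, both of which start with the portal URL as text.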