# lemonldap-ng issues

Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2023-12-22T15:42:57Z

## Missing dependencies when updating Debian packages

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3064
Updated: 2023-12-22T15:42:57Z
Author: Clément OUDOT

When updating to 2.18, LL::NG was not starting because of missing dependencies linked to TrustedBrowser code:
* libconvert-base32-perl
* libdigest-hmac-perl
* libcrypt-jwt-perl

They should be mandatory to avoid problems.

Milestone: 2.18.1
Assignee: Yadd

## Error when verifying signature when OP uses more than one key and kid provided in ID Token

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3065
Updated: 2023-12-21T15:23:39Z
Author: Clément OUDOT

After updating to 2.18, JWT issued by Google are not valid anymore:
```
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] Verification of JWT signature: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.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.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [debug] JWT signature algorithm: RS256
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Unable to verify JWT: JWS: invalid signature at /usr/share/perl5/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm line 1524.
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] Jwt was: eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.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.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A
[Wed Dec 20 21:51:55 2023] [LLNG:2423922] [error] JWT signature verification failed
```
But the JWT is valid: https://oauth2.googleapis.com/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjliMDI4NWMzMWJmZDhiMDQwZTAzMTU3YjE5YzRlOTYwYmRjMTBjNmYiLCJ0eXAiOiJKV1QifQ.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.GOHTD7-J_zZXbqgB8bFDCX4wZ_fXChnCD4oneFrs-RBo7YK-PVd1tKdALblpBQRZ8HVV4WjrL9Q0jvfN6AKZGSDsBo2cLhZhKpN_bVS19uLmVq0EyN1YBJd_seFQpbQCeKLxPvlf3oIJQPHOKaw0Yfbpuv_Lmy1bx7QUq0VShm6gOAfUsWvYwhONfGA621UXbDl8eafn05EhrwIExGofHF37eQCBvO0_WS55F4zlxBg643f2Nbb9M5QZX4kBUiPoIY6I_qz7WRLyx9lGEK0UP9PkXWDGy87r7Sq9j4g01ybS3Q33pT26e3g68Mm_eEHk_M5qF3PlbyCmmd0lRKcP6A

So there should be a problem on LL::NG side but I don't see what.

Milestone: 2.18.1
Assignee: Yadd

## CheckUser: Do not compute setAuthSession step for unauthenticated user

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2945
Updated: 2023-12-20T10:27:43Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Concerned version
Version: all
Platform: all
### Summary
Enable checkUser.
Set checkuser access rule with 'skip'.

Milestone: 2.18.0
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## No LWP options or SSL options for REST configuration access (proxyOptions parameter not working)

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3060
Updated: 2023-12-15T16:58:01Z
Author: Clément OUDOT

When using the REST configuration backend, we can declare on client side the baseUrl and optionally user, password and realm: https://lemonldap-ng.org/documentation/latest/restconfbackend.html
But contrary to what is documented, `proxyOptions` is not available. This option is only for SOAP.
And LL::NG `lwpOpts` and `lwpSslOpts` can't be used as they are in configuration.
From my point of view, this is a bug, we need to implement proxyOptions in REST configuration backend.

Milestone: 2.18.0
Assignee: Maxime Besson

## Internal error while processing a "access forbidden" SAML assertion

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3055
Updated: 2023-12-15T14:21:55Z
Author: Yadd

### Affected version
Version: %2.17.2
Platform: any
### Summary
During SAML authentication, the ForgeRock server sends a SAML assertion that contains a new attribute with an "accès refusé" content. Lemon doesn't catch the XML error and displays an internal error.
### Logs
```
[Wed Dec 6 03:03:53 2023] [LLNG:164] [debug] Processing setAuthSessionInfo
2023/12/06 03:03:53 [error] 157#157: *25 FastCGI sent in stderr: ":1: namespace error : Namespaced Attribute type in 'http://www.w3.org/2001/XMLSchema-instance' redefined
://www.w3.org/2001/XMLSchema-instance" ns1:type="xs:string" xsi:type="xs:string"
^
XML::Simple called at /usr/share/perl5/Lemonldap/NG/Portal/Lib/SAML.pm line 1548" while reading response header from upstream, client: 1.2.3.4, server: auth.poc-mail-avocat.fr, request: "POST /saml/proxySingleSignOnPost HTTP/1.1", upstream: "fastcgi://unix:/run/llng-fastcgi-server/llng-fastcgi.sock:", host: "auth.poc-mail-avocat.fr", referrer: "https://preprod-sso.cnb-prive.net/"
1.2.3.4 - - [06/Dec/2023:03:03:53 +0000] "POST /saml/proxySingleSignOnPost HTTP/1.1" 500 21 "https://preprod-sso.cnb-prive.net/" "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0"
2023/12/06 03:03:55 [info] 157#157: *26 client closed connection while waiting for request, client: 54.36.52.8, server: 0.0.0.0:443
```

Milestone: 2.18.0
Assignee: Yadd

## Access rule of an OIDC RP not working to dynamically display application in portal menu

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3058
Updated: 2023-12-14T12:49:05Z
Author: Clément OUDOT

May be a regression linked to OIDC RP lazy loading.
Steps to reproduce:
* Declare an OIDC RP with an access rule
* Declare an application in menu with display rule (sp: rp-example)

Expected result:
* Application not displayed for users not matching the access rule

Current result:
* Application always displayed

Milestone: 2.18.0
Assignee: Maxime Besson

## timeoutActivity feature makes Offline sessions expire prematurely

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2962
Updated: 2023-12-07T09:59:23Z
Author: emmanuel decoux

### Affected version
Version: 2.16.2
Platform: Nginx
### Summary
When the oidc session duration activitytimeout occurs, the offline session is deleted too (but shouldn't).
### Backends used
LDAP for users / BrowsableMySQL for sessions

Milestone: 2.18.0
Assignee: Maxime Besson

## "Status: Unknown command line -> " log line for each SKIP and EXPIRED accesses

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2693
Updated: 2023-12-05T15:51:39Z
Author: Jérémie Pierson

### Concerned version
Version: %2.0.13
Platform: Nginx
### Summary
If the Status handler is enabled, for each user access through a handler, if the action was SKIP or EXPIRED, a line is logged to STDERR.
As an example, this morning on one of our production systems it amounts to 40,370 lines out of 43,294 total log lines of the LemonLDAP::NG handler service.
### Logs
Example log line:
```
Feb 03 18:04:15 llnghost1 llng-fastcgi-server[1234]: Status: Unknown command line -> 192.168.0.27 => webapp1.example.com/path/to/a/page SKIP
```
### Possible fixes
It seems that the Status handler has to know each and every possible handler action.
Every time an action is reached in `Lemonldap/NG/Handler/Main/Run.pm`, the code calls `$class->updateStatus($req, $action, ...)`, which appears to send a line of text to the Status handler via a pipe.
In the Status handler, this line is then handled according to its match against regular expressions. One of the regexps is `/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|\-?\d+)$/` (commented as "Activity collect"). It **does not** match status lines for SKIP or EXPIRED actions. Then the code falls into the catch-all case which logs unknown status lines to STDERR.
If I edit this regular expression to add the two missing actions, the spurious log lines disappear (and I see new entries in the status JSON :-) ).
Patch looks like this:
```diff
--- Lemonldap/NG/Handler/Lib/Status.pm.ori 2022-02-04 08:58:46.000000000 +0100
+++ Lemonldap/NG/Handler/Lib/Status.pm 2022-02-04 08:55:18.000000000 +0100
@@ -63,7 +63,7 @@
# Activity collect
if (
-/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|\-?\d+)$/
+/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|SKIP|EXPIRED|\-?\d+)$/
)
{
my ( $user, $uri, $code ) = ( $1, $2, $3 );
```
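Review bot: the widened alternation still hard-codes the set of handler actions, so the spurious "Unknown command line" log line described above will return for any action that is not in the list (the reporter already suspects there are more). Consider capturing the action as a generic `\S+` token and dispatching on its value, or sourcing the list from the constants that `Lemonldap/NG/Handler/Main/Run.pm` passes to `updateStatus`, so `Status.pm` cannot drift out of step with the handler again; the captured `$code` should then be checked downstream so that SKIP and EXPIRED are counted the way the reporter expects rather than treated as numeric codes. Also, the `---`/`+++` header timestamps show the `.ori` file (08:58:46) as newer than the patched file (08:55:18), so double-check the diff direction before applying it.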
There may be other actions which we do not see in our logs, but that are also missing from the regular expression...

Milestone: 2.0.14
Assignee: Yadd

## Language icons are truncated on mobile screens

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2555
Updated: 2023-11-29T07:37:17Z
Author: dcoutadeur dcoutadeur

### Concerned version
Version: %"2.0.11"
Platform: any
### Summary
11 language icons appear on a desktop screen.
When switching to a mobile screen, only a part of them are shown (see the screenshot, where only 3 of them appear on a Galaxy S9 screen).
See screenshot.
### Screenshot
![lemonldap-languages-truncated](/uploads/e05b2f4af7f05a0948edb1565093c479/lemonldap-languages-truncated.png)

Milestone: 2.18.0
Assignee: Clément OUDOT

## LemonLDAP::NG SAML IDP crash when saml attribute contains a special character in debug mode

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2771
Updated: 2023-11-24T11:00:12Z
Author: dcoutadeur dcoutadeur

### Concerned version
Version: %2.0.14
Platform: Nginx
### Summary
When a lemonldap portal configured as SAML IdP tries to send the attributes to its service provider, it crashes when displaying the logs to Syslog in debug mode.
The problem occurs in `Portal/Lib/SAML.pm`:
```perl
sub createAttributeValue {
    my ( $self, $value, $force_utf8 ) = @_;
    my $saml2value;
    $force_utf8 = 1 unless defined($force_utf8);
    # Value is required
    return unless defined $value;
    # Decode UTF-8
    $self->logger->debug("Decode UTF8 value $value") if $force_utf8;
```
For the record, the setup is:
- Nginx portal
- authentication = another SAML IDP
- sessions and SAML sessions = postgresql database
### Logs
```
SAML2 attribute Prenom will be set with Prenom session key (https://sp.domain.com/saml/metadata)
Decode UTF8 value Andr
```
The é of André is not displayed, there are no more logs after that, and the portal sends error 500.

Milestone: 2.18.0
Assignee: dcoutadeur dcoutadeur

## this version of MariaDB doesn't yet support 'GET_LOCK in cluster (WSREP_ON=ON)

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2936
Updated: 2023-11-21T08:40:16Z
Author: Antoine Gallavardin

### Affected version
Version: %2.16.2 (maybe previous)
Platform: Apache and galera cluster
### Summary
After upgrading our SSO stack with the following upgrades:
- MariaDB-server.x86_64 0:10.5.18-1.el7.centos => MariaDB-server.x86_64 0:10.5.20-1.el7.centos (Galera cluster)
- LL::NG 2.0.15 to LL::NG 2.16.2

We can still connect to our SSO, but writing configuration isn't possible anymore.
### Logs
On the manager interface we get an error message:
```
Get remote configuration (localStorage unavailable). Get configuration 494. DBD::mysql::db selectrow_array failed: This version of MariaDB doesn't yet support 'GET_LOCK in cluster (WSREP_ON=ON)'
```
### Backends used
- Our storage backend is a Galera cluster 10.5.20 on centos with 5 nodes
- A limitation appears in mariadb 10.5.20: GET_LOCK() / RELEASE_LOCK() are dropped in galera cluster mode since 10.5.20
### Possible fixes
It could be possible to insert an exception in the code, see:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/_DBI.pm#L82
in order to test if MariaDB is in cluster mode or not.
It could be a request like `show status like 'wsrep_cluster_conf_id'` which implies the use of a cluster.
### Additional resources
- https://mariadb.com/kb/en/mariadb-galera-cluster-known-limitations/
- https://github.com/matomo-org/matomo/issues/20752#issuecomment-1573401141
- https://mariadb.com/kb/en/mariadb-10-5-20-changelog/

Milestone: 2.18.0
Assignee: Maxime Besson

## Auth::SAML back channel logout doesn't work when 2FA is used

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2994
Updated: 2023-11-20T15:01:19Z
Author: Maxime Besson

### Affected version
Version: 2.16.2
### Summary
* Configure Auth::SAML + 2FA (mail2f)
* Login with LLNG as SP
* Configure SAML IDP to use SOAP logout (backchannel)
* Logout from SAML IDP
* Logout is not effective on LLNG
### Logs
```
[debug] No SAML session found for user test@example.com
[debug] SLO message to IDP idp-example signature according to metadata
[error] Authentication module succeed but has not set $req->user
```
### Possible fixes
This happens because when Auth::SAML extractFormInfo is called, it schedules authFinish to be run later, by modifying `$req->steps`.
But 2FA resets `$req->steps` to the default list.
My solution is to trigger authFinish in the afterData step instead.

Milestone: 2.18.0
Assignee: Maxime Besson

## Default value is not applied to ServiceTokenTTL

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3013
Updated: 2023-11-20T14:44:22Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Affected version
Version: %2.17.0
Platform: All
### Summary
ServiceTokenTTL can be defined for each VH by using Manager. Default value (30s) should be used if ServiceTokenTTL is set to '-1'.
But it seems that the used value is really '-1' instead of '30'.
![image](/uploads/163ed864e35800d89becc9b61c827c2f/image.png)
### Logs
```
2023-09-26T14:40:52+02:00 [info] New request Lemonldap::NG::Handler::Server::Nginx GET /rest/webservice/multifichiers
2023-09-26T14:40:52+02:00 [debug] Found token: kNW9Z7tPx5BGcedL48GqcwRkehsPxEp12mwG5mpBE+JWkCKDrx/lPQmCciSKwBwi0RMnTi1Pr4mY8Q3ud5WTMkthByb5qteYUOwfy2cZhVvX7itK8VjCNrPzXDIpMOsU75IucuR2hMU1OFA46tbSKQkCU+DJKojmH0WnIyyfrYuZASkJsnHC9IArYCtxZWyJis/7x6hBvqppWwMnBya4UA==
2023-09-26T14:40:52+02:00 [debug] Found epoch: 1695732026
2023-09-26T14:40:52+02:00 [debug] Found _session_id: 31ea82a21bad933a8a0ccf8db0b143413702043ed50ea748914e6f54b148756a
2023-09-26T14:40:52+02:00 [debug] Found VHost: fpr-test.dvsso.gendarmerie.fr
2023-09-26T14:40:52+02:00 [debug] fpr-test.dvsso.gendarmerie.fr found in VHosts list: fpr-test.dvsso.gendarmerie.fr
2023-09-26T14:40:52+02:00 [warn] Expired service token
2023-09-26T14:40:52+02:00 [debug] [warn] Expired service token
2023-09-26T14:40:52+02:00 [debug] VH: fpr-test.dvsso.gendarmerie.fr with ServiceTokenTTL: -1
2023-09-26T14:40:52+02:00 [debug] TokenTime: 1695732026 / Time: 1695732052
2023-09-26T14:40:52+02:00 [debug] No cookie found
```
### Possible fixes
SetDefault function is employed?

Milestone: 2.18.0

## OIDC response from userinfo endpoint is not consistent when retrieving user data

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3036
Updated: 2023-11-20T14:36:08Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Affected version
Version: %2.17.1
Platform: All
### Summary
Always Send Exported Attributes = OFF
Only Allow Declared Scopes = ON
Scope: test=codeUnite,employeeType,unite

1 - Auth to portal/oauth2 >> OK (to obtain a session ID)
2 - Retrieve from portal/oauth2/authorize >> OK (to obtain an authorization code)
3 - Obtain tokens from portal/oauth2/token >> OK (to obtain an access token)
4 - Retrieve user info from portal/oauth2/userinfo with the access token >> NOK

Sometimes:
```json
{
   "codeUnite" : "67658",
   "displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
   "email" : "adam.sores@gendarmerie.interieur.gouv.fr",
   "employeeType" : "APPRENTI TECH",
   "grade" : "APPR TECH",
   "nigend" : "480625",
   "nom" : "SORES",
   "postalCode" : "92130",
   "prenom" : "Adam",
   "responsabilite" : "E",
   "sub" : "adam.sores",
   "unite" : "SCT BCOF STSISI"
}
```
and sometimes:
```json
{
   "sub" : "adam.sores"
}
```
The portal response is not consistent.
### Logs
Client logs:
```
adam.sores@dgn092st014467:~$ for i in {1..1000} ; do curl -s -H 'Authorization: Bearer a896d64f0dc3f424384ea6c57827ea1441ab3858a05c356964e90b3f041d93ca' 'https://auth.dvsso.gendarmerie.fr/oauth2/userinfo' | json_pp ;sleep 1; done
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"sub" : "adam.sores"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"sub" : "adam.sores"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"sub" : "adam.sores"
}
{
"sub" : "adam.sores"
}
{
"sub" : "adam.sores"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
{
"sub" : "adam.sores"
}
{
"codeUnite" : "67658",
"displayname" : "SORES Adam APPR TECH (SCT BCOF STSISI)",
"email" : "adam.sores@gendarmerie.interieur.gouv.fr",
"employeeType" : "APPRENTI TECH",
"grade" : "APPR TECH",
"nigend" : "480625",
"nom" : "SORES",
"postalCode" : "92130",
"prenom" : "Adam",
"responsabilite" : "E",
"sub" : "adam.sores",
"unite" : "SCT BCOF STSISI"
}
```
Portal logs:
```
2023-11-02T12:09:19+01:00 [debug] Redirect ************* to portal (url was /oauth2/userinfo)
2023-11-02T12:09:19+01:00 [debug] User not authenticated, Try in use, cancel redirection
2023-11-02T12:09:19+01:00 [debug] Start routing oauth2
2023-11-02T12:09:19+01:00 [debug] URL detected as an OpenID Connect USERINFO URL
2023-11-02T12:09:19+01:00 [debug] Bearer access token
2023-11-02T12:09:19+01:00 [debug] Received Access Token a896d64f0dc3f424384ea6c57827ea1441ab3858a05c356964e90b3f041d93ca
2023-11-02T12:09:19+01:00 [debug] Try to get SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:19+01:00 [debug] Get session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370 from Portal::Main::Run
2023-11-02T12:09:19+01:00 [debug] Return SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:19+01:00 [debug] Found corresponding user: adam.sores
2023-11-02T12:09:19+01:00 [debug] Calling hook oidcGenerateUserInfoResponse
2023-11-02T12:09:19+01:00 [debug] Apply following CORS policy:
2023-11-02T12:09:19+01:00 [debug] Access-Control-Allow-Origin
2023-11-02T12:09:19+01:00 [debug] *
--
2023-11-02T12:09:20+01:00 [debug] Redirect ************ to portal (url was /oauth2/userinfo)
2023-11-02T12:09:20+01:00 [debug] User not authenticated, Try in use, cancel redirection
2023-11-02T12:09:20+01:00 [debug] Start routing oauth2
2023-11-02T12:09:20+01:00 [debug] URL detected as an OpenID Connect USERINFO URL
2023-11-02T12:09:20+01:00 [debug] Bearer access token
2023-11-02T12:09:20+01:00 [debug] Received Access Token a896d64f0dc3f424384ea6c57827ea1441ab3858a05c356964e90b3f041d93ca
2023-11-02T12:09:20+01:00 [debug] Try to get SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:20+01:00 [debug] Get session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370 from Portal::Main::Run
2023-11-02T12:09:20+01:00 [debug] Return SSO session b2609ec568fd9579a0f75dc7bc6778022c9c830f5f6dd691ba45b361e6649370
2023-11-02T12:09:20+01:00 [debug] Found corresponding user: adam.sores
2023-11-02T12:09:20+01:00 [debug] Calling hook oidcGenerateUserInfoResponse
2023-11-02T12:09:20+01:00 [debug] Apply following CORS policy:
2023-11-02T12:09:20+01:00 [debug] Access-Control-Allow-Origin
2023-11-02T12:09:20+01:00 [debug] *
--
```

Assignee: Christophe Maudoux (chrmdx@gmail.com)

## Logout error with message "[error] Unknown Relying Party xxxx" in logs

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3014
Updated: 2023-11-14T08:43:08Z
Author: Clément OUDOT

Use case:
* Log in to LL::NG with an OIDC RP
* Go to LL::NG portal and click on logout
* The logout does not work, the RP seems not found in configuration

This may be because `$self->rpOptions` is not filled in logout process (see https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm#L2320).
Anyway, we should not return an error here, which prevents the logout.

Milestone: 2.17.2
Assignee: Maxime Besson

## Userinfo sometimes does not return attributes

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3033
Updated: 2023-11-02T14:18:00Z
Author: Maxime Besson

A(nother) regression from #2867
Sometimes, calls to userinfo return no attributes because the RP hasn't been loaded yet.

Milestone: 2.17.2
Assignee: Maxime Besson

## StayConnected + Singlesession does not display deleted sessions

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2983
Updated: 2023-10-27T13:39:38Z
Author: Maxime Besson

### Affected version
Version: 2.16.2
### Summary
* Configure the following:
  * Sessions / Multiple sessions / One session per user
  * Sessions / Multiple sessions / Display deleted sessions
  * Plugins / Stay connected / Activation
* Login without "stay connected" in a private tab
* In a non-private tab, login with "stay connected"
* No session summary is shown, despite sessions being removed
### Possible fixes
This issue is caused by the fact that endSession hooks are run twice:
* before displaying the fingerprint page (duplicate session is removed then)
* after submitting the fingerprint page (no more duplicate sessions at this point)

I have tried moving the singleSession plugin later in the plugin list, but this breaks some unit tests.
Additionally, the fact that StayConnected::storeBrowser does not call importHandlerData may cause issues with other plugins.
I also tried storing `$req->info` in StayConnected and restoring it after storeBrowser: it works, but if the "otherSessions" option is set, it causes duplicate display.
It looks like there is no satisfying way to handle this in the current state of the authentication code, because there is no way to resume "endAuth" at a particular step.

Milestone: 2.18.0
Assignee: Maxime Besson

## Choice breaks OIDC Offline

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3018
Updated: 2023-10-11T05:59:41Z
Author: Yadd

Hi,
when using Choice and trying to get a new `access_token` using `refresh_token`, getUser is called without `_choice` in `$req->pdata` _(but in `$req->data`)_, and then returns `PE_FIRSTACCESS`.

Milestone: 2.18.0
Assignee: Yadd

## [Security][CVE-2023-28862] AuthBasic does not handle failure correctly

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
Updated: 2023-10-08T16:40:55Z
Author: Maxime Besson

### Concerned version
Version: 2.0.16
### Summary
The AuthBasic handler works like this:
* It computes a sessionid from login+password
* If sessionid already exists in the session DB, authenticate user
* Else, try to create the corresponding session by sending the login+pass to the portal RESTServer plugin

However, the only required step in the login flow is `store`; if anything happens after the `store` step, AuthBasic will succeed because the fixed-id session has been successfully created, which means:
* Accounts that are supposed to be 2FA-protected are not 2FA protected when AuthBasic is used
* If a 2FA module returns an error, the *first* AuthBasic request will 401, but the *second* AuthBasic request will work correctly => *VERY CONFUSING*
* Any plugin that tries to deny session *after* the `store` step will not deny AuthBasic sessions

This is probably a security issue.
### Possible fixes
If the AuthBasic login process fails (not PE_OK), we need to remove the session created by `store` and return an error.
This will cause a regression: users who relied on AuthBasic working for 2FA protected accounts will now see failures.
Possible solution: use an env variable in 2FA activation rules if desired:
```
has2f("TOTP") and not $env->{"AuthBasic"}
```
or something of that sort.

Milestone: 2.16.1
Assignee: Maxime Besson

## [CVE-2020-16093] Peer certificate not checked when using LDAPS

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250
Updated: 2023-10-08T16:40:55Z
Author: Maxime Besson

### Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian 10
### Summary
* Configure a `ldaps://` URL as `ldapServer`
* Setup a self signed certificate on the LDAP server
* It works
* (It should not work.)
### Possible fixes
Net::LDAP is insecure by default, at least on Debian Buster. We should explicitly pass `verify => require` when initializing it.
Fixing this is probably going to break a lot of installs. We need to create a new option for this and add a warning to release notes.

Milestone: 2.0.9
Assignee: Maxime Besson