# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2019-02-16T10:29:17Z)

## #1639 User must change password on AD is broken
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1639
Updated: 2019-02-16T10:29:17Z
Author: Daniel Berteaud

### Concerned version
Version: 2.0.1
Platform: Nginx
### Summary
I'm using AD (samba4) as auth module, and when I set an account to change its password on next login, he can't log into LL::NG. There's the usual "Wrong credentials" displayed. This was working fine in the 1.9.X days.
This is 100% reproducible, on 3 different (but with mostly similar configuration) installations. I'm happy to run more tests if you need me to.
### Logs
```
févr. 01 19:07:10 proxyin2 LLNG[7775]: User not authenticated, Try in use, cancel redirection
févr. 01 19:07:10 proxyin2 LLNG[7775]: Start routing default route
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing restoreArgs
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing controlUrl
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Cancel called, push authCancel calls
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Launching ::Issuer::CAS::storeEnvAndCheckGateway
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Launching ::Issuer::OpenIDConnect::exportRequestParameters
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Launching ::Plugins::AutoSignin::check
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing extractFormInfo
févr. 01 19:07:10 proxyin2 LLNG[7775]: Trying to load token 1548972544_5139
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing getUser
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing authenticate
févr. 01 19:07:10 proxyin2 LLNG[7775]: Call bind for CN=Test,OU=People,DC=lapiole,DC=org
févr. 01 19:07:10 proxyin2 LLNG[7775]: Bad password
févr. 01 19:07:10 proxyin2 llng-fastcgi-server[7773]: Use of uninitialized value $computed in bitwise and (&) at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Auth/AD.pm line 77.
févr. 01 19:07:10 proxyin2 LLNG[7775]: -> authResult = 5
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing setSessionInfo
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing setMacros
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing setPersistentSessionInfo
févr. 01 19:07:11 proxyin2 LLNG[7775]: Persistent session found for test
févr. 01 19:07:11 proxyin2 LLNG[7775]: Restore persistent parameter loginHistory
févr. 01 19:07:11 proxyin2 LLNG[7775]: Restore persistent parameter _loginHistory
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing storeHistory
févr. 01 19:07:11 proxyin2 LLNG[7775]: Current login saved into failedLogin
févr. 01 19:07:11 proxyin2 LLNG[7775]: Current login -> 5
févr. 01 19:07:11 proxyin2 LLNG[7775]: Found 'whatToTrace' -> test
févr. 01 19:07:11 proxyin2 LLNG[7775]: Update test persistent session
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:11 proxyin2 LLNG[7775]: Launching ::Plugins::BruteForceProtection::run
févr. 01 19:07:11 proxyin2 LLNG[7775]: Number of failedLogin = 2
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:11 proxyin2 LLNG[7775]: Launching ::Plugins::GrantSession::run
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:11 proxyin2 LLNG[7775]: Returned error: 5
févr. 01 19:07:11 proxyin2 LLNG[7775]: Skin returned: error
févr. 01 19:07:11 proxyin2 LLNG[7775]: Calling sendHtml with template error
```
### Backends used
Using MySQL as storage backend for both config and session (Browsable::MySQL)
Milestone: 2.0.2
Assignee: Clément OUDOT

## #1636 SSL and Kerberos Auth Modules don't work with choice
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1636
Updated: 2019-02-07T19:28:37Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0.1
Platform: all
### Summary
SSL and Kerberos modules don't work with Choice module.
Cross-origin resource sharing (CORS) and CSP prevent submitting the AuthSSL request if Portal and SSL domains mismatch.
### Possible fixes
'Id lform' tag is missing but it is required by 'ssl.js'
Need to adapt auth choice loop and Choice.pm
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1630 SSO cookie is sent to protected applications with Nginx-based ReverseProxy
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1630
Updated: 2019-02-12T20:39:21Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0.1
Platform: Nginx
### Summary
SSO cookie is not deleted
### Possible fixes
Bad RegExp
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1628 GrantSession plugin discloses its message to unlogged users
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1628
Updated: 2019-03-15T16:04:15Z
Author: Maxime Besson

### Concerned version
Version: 2.0.1+20190124205
Platform: Debian Stretch + Nginx
### Summary
The evaluation of a session opening condition is made regardless of whether the authentication succeeded or not.
Try the following steps in demo mode:
* Add a session opening condition that restricts login to dwho with `$uid eq "dwho"`
* Try to login as rtyler with a bad password
* The message from GrantSession is displayed.
I think most users are expecting to see an "incorrect password" message instead.
This feels to me like a security/privacy issue, letting an anonymous user know that some logins exist in the system (but cannot login). I'm sure it could be interesting information in some sensitive contexts. I'm flagging the issue as confidential for now.
### Logs
```
Processing authenticate
Prepare token
Token 1548712519_3983 created
-> authResult = 5
Processing setSessionInfo
Processing setMacros
Processing setPersistentSessionInfo
Persistent session found for rtyler
Restore persistent parameter _loginHistory
Processing storeHistory
Current login saved into failedLogin
Current login -> 5
Found 'whatToTrace' -> rtyler
Update rtyler persistent session
Processing code ref
Launching ::Plugins::GrantSession::run
Grant session condition -> $uid eq dwho
Message -> Message
User rtyler was not granted to open session (rule -> Message)
Returned error: 41
Display: info detected
Hidden values -> $VAR1 = undef;
Skin returned: info
Calling sendHtml with template info
Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/info.tpl
Skin bootstrap selected from GET/POST parameter
Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/info.tpl
Required urldc : http://auth.lemontest.lxc/
Set CSP form-action with urldc : http://auth.lemontest.lxc
Required Params URL : http://auth.lemontest.lxc/
Set CSP form-action with Params URL : http://auth.lemontest.lxc
Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self' http://auth.lemontest.lxc http://auth.lemontest.lxc;frame-ancestors 'none';
```
### Possible fixes
Maybe testing for $req->authResult before checking the rules?
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1627 Display issue with GrantSession plugin
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1627
Updated: 2019-02-04T18:01:03Z
Author: Maxime Besson

### Concerned version
Version: 2.0.1+20190124205
Platform: Debian Stretch + Nginx
### Summary
When displaying a session opening rule in the manager, field names are inconsistent:
Compare:
![Screenshot-2019-1-29_LemonLDAP_NG_Manager_2_](/uploads/21891871f2a5b1be6c8a7e6cdd1a4800/Screenshot-2019-1-29_LemonLDAP_NG_Manager_2_.png)
With:
![Screenshot-2019-1-29_LemonLDAP_NG_Manager_3_](/uploads/481cfc8959b10fa49e3fd38bae0009ba/Screenshot-2019-1-29_LemonLDAP_NG_Manager_3_.png)
The "rule" and "message" fields are swapped.
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1623 ADPwdExpireWarning and ADPwdMaxAge parameters are missing in Manager
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1623
Updated: 2019-01-23T12:14:05Z
Author: Christophe Maudoux <chrmdx@gmail.com>

Append ADPwdExpireWarning and ADPwdMaxAge to Manager tree
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1618 Version in server signature is wrong
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1618
Updated: 2019-02-01T10:25:19Z
Author: Clément OUDOT

In Handler we set the server signature in lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Init.pm, but it does not use the main $VERSION from lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm
Milestone: 2.0.2
Assignee: Clément OUDOT

## #1614 Accents not well displayed in Portal
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1614
Updated: 2019-01-23T18:35:54Z
Author: Paul Curie

### Concerned version
Version: 2.0.1
Platform: Nginx, config & sessions in files, Debian 9.
### Summary
Accents aren't properly shown in portal: when creating a new Menu category named "testé", it shows properly in the manager, but in portal it shows "test�"; when naming this category "testé" it displays correctly in portal as "testé".
Milestone: 2.0.2
Assignee: Clément OUDOT

## #1613 handler https redirection does not work
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1613
Updated: 2019-02-05T10:34:19Z
Author: dcoutadeur dcoutadeur

### Concerned version
Version: 2.0.1
Platform: Apache 2.4.6 (CentOS)
### Summary
When setting https for manager vhost, the handler redirects to: `http://manager.example.com:443/`, which obviously displays an error.
When setting https globally, the setting is working. (redirection to https://manager.example.com)
### Backends used
Default install with demo
Milestone: 2.0.2
Assignee: Yadd

## #1610 Unable to save empty value for cookie expiration time in Manager
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1610
Updated: 2019-01-11T22:31:31Z
Author: Clément OUDOT

When we want to change the value of cookie expiration time in Manager and set it to empty, the Manager detects no changes and we can't save.
If we put 0, the value is not accepted.
We need to be able to disable cookie expiration time.
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1607 Safe errors when saving configuration with lmConfigEditor
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1607
Updated: 2019-01-09T07:50:24Z
Author: Clément OUDOT

When saving configuration, I got this error:
```
root@xxx# /usr/share/lemonldap-ng/bin/lmConfigEditor
Running as uid 33 and gid 33 0
Can't locate object method "new" via package "Safe" (perhaps you forgot to load "Safe"?) at /usr/share/perl5/Lemonldap/NG/Manager/Attributes.pm line 32, <F1> line 10422.
```
Seems linked to some value in configuration, I'll try to reproduce.
Milestone: 2.0.2
Assignee: Clément OUDOT

## #1604 Manager unit tests randomly failed
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1604
Updated: 2018-12-30T15:55:55Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.1.0
Platform: all
### Summary
Seems unit tests t/11-save-changed-conf-with-confirmation.t and t/12-save-changed-conf.t randomly fail.
Number of entries (key => applicationList) is not always the same in response body sent by Portal
![2](/uploads/41feaeee3deedc21ce59e71fe05566fa/2.png)
![1](/uploads/735cf4aec5c6f32384f6177432997a75/1.png)
![NOK](/uploads/1a66c829d499c6a82fe902d3cc1fd15e/NOK.png)
![OK](/uploads/87e279ba0525cd2c8fa2cd9842088b09/OK.png)
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1603 Warnings with confirmation required don't work
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1603
Updated: 2018-12-30T15:11:18Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0.1
Platform: all
### Summary
When saving configuration, if a warning with confirmation required is thrown, the warning message isn't displayed.
Documentation snippet:
Subroutines can return one of the following:
- (1) : everything is OK
- (1,message) : OK with a warning
- (0,message) : NOK
- (-1,message) : OK, but must be confirmed (ignored if confirm parameter is set) => doesn't work
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1574 "Manager is unprotected" message when whatToTrace value is not the default
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1574
Updated: 2019-01-16T10:09:58Z
Author: Clément OUDOT

Version 2.0.0
When we use the default Nginx configuration for Manager, we always have the warning "The manager is unprotected", even if it is well protected in lemonldap-ng.ini.
I think it is because the REMOTE_USER is not set, but even when adding this line, the warning remains:
```
fastcgi_param REMOTE_USER $lmremote_user;
```
I don't see how to force this variable to avoid the warning.
Milestone: 2.0.2
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## #1708 lmerror page loops on url parameter
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1708
Updated: 2019-05-28T19:57:28Z
Author: Yadd

lmerror calls `controlUrl()` which sets the url parameter in persistent data. Then the user loops on this page when clicking Portal links.
Milestone: 2.0.3
Assignee: Yadd

## #1698 Invalid pdata causes SAML login to fail after logout
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1698
Updated: 2019-04-05T21:29:50Z
Author: Maxime Besson

### Concerned version
Version: 2.0
### Summary
* Browse to a SP
* Portal shows login form and creates an issuerRequestSAML pdata
* Fill login form
* Be redirected to SP successfully
* Logout
* Browse to SP again
* Portal shows the login form but does not recreate an issuerRequestSAML, and uses the same token from the first time instead
* "An error occured during SAML authentication"
### Logs
First time:
```
LLNG[9822]: Store issuer request
LLNG[9822]: Token 1554223232_-28414 created
LLNG[9817]: Trying to load token 1554223232_-28414
LLNG[9817]: Restoring request from 1554223232_-28414
```
Second time:
```
LLNG[9816]: Trying to load token 1554223232_-28414
LLNG[9816]: Bad (or expired) token 1554223232_-28414
```
### Possible fixes
* Quick and dirty fix: restart your web browser after logout
* Real fix: clear the pdata after SAML login, or at least make sure a samlIssuerRequest is generated each time
Milestone: 2.0.3
Assignee: Maxime Besson

## #1693 Information is not displayed in logout process
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1693
Updated: 2019-04-01T15:19:01Z
Author: Clément OUDOT

This issue is a prerequisite to solve #1671
If `$req->info` is filled but process ends with `PE_LOGOUT_OK`, the info is never displayed.
Milestone: 2.0.3
Assignee: Clément OUDOT

## #1692 Parameter base64 is ignored in setHiddenFormValue
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1692
Updated: 2019-04-03T15:55:12Z
Author: Clément OUDOT

The value is never encoded in base64, but when using getHiddenFormValue, the decoding is done.
If I just add the base64 encoding, it breaks the unit test; we need to update all the code using setHiddenFormValue.
Milestone: 2.0.3
Assignee: Clément OUDOT

## #1691 Password policy can't display messages
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1691
Updated: 2019-04-09T11:36:11Z
Author: Yadd

### Concerned version
Version: 2.0.0
Platform: Any
### Summary & logs
From lemonldap-ng-users@ow2.org:
> Our organization made the switch from the 1.9 branch to 2.0 (Presently on 2.0.2) and we have been receiving dozens of reports from users that they are receiving an "Internal Server Error" (white background, plain text) when visiting the Portal, or trying to login. Our nginx logs are peppered with the following:
```
Can't locate object method "loadTemplate" via package "Lemonldap::NG::Portal::Lib::Net::LDAP" at /usr/local/share/perl5/site_perl/Lemonldap/NG/Portal/Lib/Net/LDAP.pm line 223" POST /?cancel=1 HTTP/1.1 and also POST /saml/singleSignOn?SAMLRequest=......
```
Milestone: 2.0.3
Assignee: Clément OUDOT

## #1686 SOAP Portal WSDL file is invalid
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1686
Updated: 2019-04-15T06:15:03Z
Author: Julien Ledoux

### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
### Summary
SOAP Portal WSDL file is invalid
I know SOAP web services are deprecated, but the functionality is still available, so I tried it out, but I can't import the portal WSDL file into SoapUI. It says something is wrong with the file. I don't have this issue with 1.9.x.
![Capture_d_écran_2019-03-26_à_18.33.49](/uploads/2c9f5bfbee82e740040d0822bcbc4f69/Capture_d_écran_2019-03-26_à_18.33.49.png)
![Capture_d_écran_2019-03-26_à_18.33.30](/uploads/54ef81ca2a4dd54dcbe1ca6ca601050d/Capture_d_écran_2019-03-26_à_18.33.30.png)
Milestone: 2.0.3
Assignee: Yadd