lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2024-01-25T16:37:30Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2990
LLNG mails flagged as spam by SpamAssassin
2024-01-25T16:37:30Z
Bruno MATEU
### Affected version
Version: 2.16.2
Platform: Nginx
### Summary
The mails sent by my instance of LemonLDAP are flagged as spam by SpamAssassin.
### Details and possible fixes
Here are the detailed scores:
```plaintext
Spam detection results: 3
ALL_TRUSTED -1 Passed through trusted hosts only via SMTP
HTML_IMAGE_ONLY_12 1.629 HTML: images with 800-1200 bytes of words
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_NONE 0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
MISSING_MID 0.14 Missing Message-Id: header
TO_NO_BRKTS_HTML_IMG 1.999 To: lacks brackets and HTML and one image
```
Most of this is irrelevant, because it is my internal MTA that is flagging the email, so it is not yet DMARC-ed and DKIM-ed, but these scores are self-cancelling with the ALL_TRUSTED rule.
The relevant rules are:
```plaintext
HTML_IMAGE_ONLY_12 1.629 HTML: images with 800-1200 bytes of words
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
TO_NO_BRKTS_HTML_IMG 1.999 To: lacks brackets and HTML and one image
```
- For the first one, I don't see an obvious fix; it would be dumb to add content to the email just for the sake of satisfying this rule.
- The second one is not really a huge problem, but it can be an easy fix: it just needs a text/plain part added to the email next to the HTML version.
- The last one is also an easy fix. It triggers (among other reasons) because the `To:` field of the email doesn't contain brackets `<>`. Currently, this contains `To: $mail`. I've fixed it temporarily by editing https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm#L145 to contain `To => '<' . $mail . '>'` and it passes the rule correctly. A prettier solution would be to use the `$cn` of the user to forge a nice To field in the email, something like `$cn . '<' . $mail . '>'`.
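The three fixes above, as an added Python example that is not LemonLDAP::NG's Perl SMTP.pm code: it builds the mail both as the report describes it (bare address in `To:`, HTML-only body, no Message-Id) and with the suggested changes, then re-checks the header and MIME conditions behind the three rules locally. The sender address, user and bodies are constructed sample values.

```python
"""Build the portal mail so that MIME_HTML_ONLY, TO_NO_BRKTS_HTML_IMG and
MISSING_MID no longer fire. Added illustration, not project code."""
from email.message import EmailMessage
from email.utils import formataddr, make_msgid

# Constructed sample content standing in for the portal's mail template.
SAMPLE_HTML = '<html><body><img src="cid:logo"><p>Your password was reset.</p></body></html>'
SAMPLE_TEXT = "Your password was reset."
SENDER = "noreply@auth.example.com"   # constructed sender address


def build_current(cn: str, mail: str) -> EmailMessage:
    """What the report describes: bare address in To:, HTML-only body, no Message-Id."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = mail                               # `To => $mail`, no angle brackets
    msg["Subject"] = "Password reset"
    msg.set_content(SAMPLE_HTML, subtype="html")   # single text/html part
    return msg


def build_fixed(cn: str, mail: str) -> EmailMessage:
    """Same mail with the three changes discussed in the report."""
    msg = EmailMessage()
    msg["From"] = SENDER
    # TO_NO_BRKTS_HTML_IMG: "Display Name <address>"; formataddr quotes the
    # display name when needed and RFC 2047-encodes it if it is not ASCII.
    msg["To"] = formataddr((cn, mail))
    msg["Subject"] = "Password reset"
    # MISSING_MID: set a Message-Id ourselves instead of hoping the MTA adds one.
    msg["Message-ID"] = make_msgid(domain="auth.example.com")
    # MIME_HTML_ONLY: text/plain first, then the HTML as a multipart/alternative.
    msg.set_content(SAMPLE_TEXT)
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg


def part_types(msg: EmailMessage) -> list:
    """Content types of the leaf parts, in order (single-part mails give one entry)."""
    parts = [p.get_content_type() for p in msg.iter_parts()]
    return parts or [msg.get_content_type()]


def lint(msg: EmailMessage) -> dict:
    """Local re-check of the three rules; True means the rule would still fire.
    Only the header/MIME-shape conditions are checked, not SpamAssassin's full logic."""
    to = str(msg["To"] or "")
    return {
        "MISSING_MID": msg["Message-ID"] is None,
        "MIME_HTML_ONLY": part_types(msg) == ["text/html"],
        "TO_NO_BRKTS_HTML_IMG": not ("<" in to and ">" in to),
    }


if __name__ == "__main__":
    for builder in (build_current, build_fixed):
        m = builder("Bruno Mateu", "bruno@example.com")
        print(builder.__name__, lint(m))
        print(m.as_string())
```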
2.18.0
Clément OUDOT
Clément OUDOT
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2987
Cannot use single quote in passwordPolicySpecialChar
2023-08-18T14:58:23Z
Maxime Besson
### Affected version
Version: 2.16.2
### Summary
* Try to add a `'` in passwordPolicySpecialChar
* Display the password change interface
* JS error
### Logs
```
Parsing error SyntaxError: Bad escaped character in JSON at position 5979
at JSON.parse (<anonymous>)
at HTMLScriptElement.<anonymous> (portal.js:105:20)
at Function.each (jquery.min.js:2:2976)
at S.fn.init.each (jquery.min.js:2:1454)
at n (portal.js:102:42)
at portal.js:277:13
at dispatch (jquery.min.js:2:43090)
at v.handle (jquery.min.js:2:41074)
```
### Possible fixes
`ESCAPE='js'` from HTML::Template does not correctly escape JSON strings. We need to do it before setting the template parameter.
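Why the JS escaping breaks `JSON.parse`, as an added Python illustration that is not project code: `js_escape` is an assumed approximation of HTML::Template's `ESCAPE='js'` (backslash, both quote kinds, CR and LF prefixed with a backslash), and `render_json_encoded` shows the value being JSON-encoded before it reaches the template.

```python
"""A JS-escaped string is not a JSON string: `\'` is not a JSON escape.
Added illustration, not LemonLDAP::NG code."""
import json


def js_escape(value: str) -> str:
    """Approximation of HTML::Template's ESCAPE='js' (assumption, see lead-in)."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\n", "\\n")
                 .replace("\r", "\\r"))


def render_js_escaped(special_chars: str) -> str:
    """The failing shape: the template drops the JS-escaped value between JSON
    double quotes, so a single quote in passwordPolicySpecialChar becomes \\'."""
    return '{"passwordPolicySpecialChar":"%s"}' % js_escape(special_chars)


def render_json_encoded(special_chars: str) -> str:
    """Encode the value as JSON first and insert it verbatim (no ESCAPE on the
    template side). '</' is written as '<\\/', which is valid JSON, so the value
    can never terminate the <script> element it is embedded in."""
    encoded = json.dumps(special_chars).replace("</", "<\\/")
    return '{"passwordPolicySpecialChar":%s}' % encoded


def parse_policy(blob: str) -> dict:
    """What portal.js does with the embedded blob: JSON.parse."""
    return json.loads(blob)


def blob_parses(blob: str) -> bool:
    """True when the browser-side parse would succeed."""
    try:
        parse_policy(blob)
        return True
    except ValueError:          # json.JSONDecodeError is a ValueError
        return False


if __name__ == "__main__":
    for render in (render_js_escaped, render_json_encoded):
        blob = render("!@#$'")
        print(render.__name__, blob, "->", "parses" if blob_parses(blob) else "JSON error")
```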
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2984
Test fails with Perl 5.38
2023-08-28T16:00:34Z
Yadd
From https://bugs.debian.org/1043239 :
> Source: lemonldap-ng
> Version: 2.16.1+ds-2
> Severity: important
> Tags: ftbfs trixie sid
> User: debian-perl@lists.debian.org
> Usertags: perl-5.38-transition
>
> This package fails to build from source with Perl 5.38 (currently in experimental.)
>
> http://perl.debian.net/rebuild-logs/perl-5.38-throwaway/lemonldap-ng_2.16.1+ds-2/lemonldap-ng_2.16.1+ds-2_amd64-2023-08-04T06:12:12Z.build
```
# Failed test 'Found correct error message'
# at t/12-Lemonldap-NG-Handler-Jail.t line 114.
# 'syntax error at (eval 52) line 1, at EOF
# Execution of (eval 52) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 22.
# Failed test 'Found correct error message'
# at t/13-Lemonldap-NG-Handler-Fake-Safe.t line 107.
# 'syntax error at (eval 47) line 1, at EOF
# Execution of (eval 47) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 16.
Test Summary Report
-------------------
t/12-Lemonldap-NG-Handler-Jail.t (Wstat: 256 (exited 1) Tests: 22 Failed: 1)
Failed test: 22
Non-zero exit status: 1
t/13-Lemonldap-NG-Handler-Fake-Safe.t (Wstat: 256 (exited 1) Tests: 16 Failed: 1)
Failed test: 16
Non-zero exit status: 1
Files=25, Tests=405, 7 wallclock secs ( 0.08 usr 0.03 sys + 4.03 cusr 0.70 csys = 4.84 CPU)
Result: FAIL
```
> This looks like just an issue of changed diagnostics, but please don't hesitate to file a bug against perl in case it turns out to have runtime effects that warrant a Breaks entry.
2.17.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2983
StayConnected + Singlesession does not display deleted sessions
2023-10-27T13:39:38Z
Maxime Besson
### Affected version
Version: 2.16.2
### Summary
* Configure the following:
  * Sessions / Multiple sessions / One session per user
  * Sessions / Multiple sessions / Display deleted sessions
  * Plugins / Stay connected / Activation
* Login without "stay connected" in a private tab
* In a non-private tab, login with "stay connected"
* No session summary is shown, despite sessions being removed
### Possible fixes
This issue is caused by the fact that endSession hooks are run twice
* before displaying the fingerprint page (duplicate session is removed then)
* after submitting the fingerprint page (no more duplicate sessions at this point)
I have tried moving the singleSession plugin later in the plugin list, but this breaks some unit tests.
Additionally, the fact that StayConnected::storeBrowser does not call importHandlerData may cause issues with other plugins.
I also tried storing $req->info in StayConnected and restoring it after storeBrowser: it works, but if the "otherSessions" option is set, it causes duplicate display.
It looks like there is no satisfying way to handle this in the current state of the authentication code, because there is no way to resume "endAuth" at a particular step.
2.18.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2979
forced saveConf does not correctly report success on MySQL/MariaDB
2023-08-01T14:17:14Z
Maxime Besson
### Affected version
Version: 2.16.2
### Summary
* Try to run convertConfig from Files to MySQL
```
Unable to store configuration 1: Lemonldap::NG::Common::Conf::Backends::CDBI loaded.
Get configuration 1.
Configuration 1 stored.
```
(the process stops with an exit code of 7 and no other sessions are converted, despite success)
Another way to reproduce the issue
```
lemonldap-ng-cli -force 1 -yes 1 set https 1
cfgNum forced with 1Could not save configuration:
```
### Possible fixes
In saveConf:
```
return ( $self->unlock() ? $tmp : UNKNOWN_ERROR );
```
In MySQL the unlock function returns false if the lock hasn't been acquired first, which is the case when "force" has been set.
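A small Python model of the failure (added here, not the project's Perl): `FakeNamedLocks` mimics the return values of MySQL's `GET_LOCK()`/`RELEASE_LOCK()` (1 when the caller held the lock, 0 when another session holds it, NULL when nobody does), `save_conf_buggy` follows the `return` shown above, and `save_conf_fixed` is one possible correction (only unlock what this call locked), not the fix the project applied. Constants and class names are constructed.

```python
"""Forced saveConf on a MySQL-style backend: the row is stored, but the result
is reported as UNKNOWN_ERROR because unlock() is false when nothing was locked.
Added model, not LemonLDAP::NG code; constants are constructed."""

UNKNOWN_ERROR = -1
CONFIG_LOCKED = -2
LOCK_NAME = "lmConfig"


class FakeNamedLocks:
    """Minimal stand-in for MySQL named locks (GET_LOCK / RELEASE_LOCK)."""

    def __init__(self):
        self.owner = {}   # lock name -> session id holding it

    def get_lock(self, name, session):
        if self.owner.get(name, session) != session:
            return 0          # held by another session
        self.owner[name] = session
        return 1

    def release_lock(self, name, session):
        if name not in self.owner:
            return None       # NULL: the lock is not held at all
        if self.owner[name] != session:
            return 0          # held by someone else, cannot release
        del self.owner[name]
        return 1


class CDBIBackend:
    """Minimal configuration store with lock()/unlock() over the named-lock service."""

    def __init__(self, locks, session="conn-1"):
        self.locks, self.session, self.rows = locks, session, {}

    def lock(self):
        return self.locks.get_lock(LOCK_NAME, self.session)

    def unlock(self):
        return self.locks.release_lock(LOCK_NAME, self.session)

    def store(self, cfg_num, data):
        self.rows[cfg_num] = data
        return cfg_num


def save_conf_buggy(backend, cfg_num, data, force=False):
    """Mirrors the snippet from the report: the stored number is only returned
    when unlock() is true, which never holds after a forced (unlocked) save."""
    if not force and not backend.lock():
        return CONFIG_LOCKED
    tmp = backend.store(cfg_num, data)
    return tmp if backend.unlock() else UNKNOWN_ERROR


def save_conf_fixed(backend, cfg_num, data, force=False):
    """Release the lock only if this call acquired it; the store result stands on its own."""
    locked = False
    if not force:
        if not backend.lock():
            return CONFIG_LOCKED
        locked = True
    tmp = backend.store(cfg_num, data)
    if locked and not backend.unlock():
        return UNKNOWN_ERROR
    return tmp


if __name__ == "__main__":
    backend = CDBIBackend(FakeNamedLocks())
    print("buggy, force=1:", save_conf_buggy(backend, 1, {"https": 1}, force=True))
    print("fixed, force=1:", save_conf_fixed(backend, 2, {"https": 1}, force=True))
    print("rows actually stored:", sorted(backend.rows))
```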
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2978
2024-03-27T09:48:50Z
Maxime Besson
Using the (unimplemented) claims= parameter in an OIDC authorize request triggers XSS detection with authentication=Choice
### Affected version
Version: 2.16.2
### Summary
* Configure Choice as auth module (one Demo choice)
* Enable OIDC issuer
* Send an OIDC request with a "claims" parameter:
https://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=testrp&state=5azlOvBCuQcmlu_TeCGL317RuSk&redirect_uri=http%3A%2F%2Frp.example.com%2Foauth2callback&nonce=DkqDQChJVDWiLtyDknOYkRyC4xEDhlRMq_wEGtB8twU&claims={%22mail%22:%20null})
* A scary log is generated, but no other side effect (unless a custom URL is set in the Choice module, maybe)
### Logs
```
[error] XSS attack detected (param: URI | value: /oauth2/authorize?response_type=code&scope=openid&client_id=testrp&state=5azlOvBCuQcmlu_TeCGL317RuSk&redirect_uri=http%3A%2F%2Frp.example.com%2Foauth2callback&nonce=DkqDQChJVDWiLtyDknOYkRyC4xEDhlRMq_wEGtB8twU&claims={%22mail%22:%20null})
```
### Possible fixes
Relevant code from Lib::Choice
```perl
# Default URL
$req->data->{cspFormAction} ||= {};
if (
    defined $url
    and not $self->checkXSSAttack( 'URI', $req->env->{'REQUEST_URI'} )
    and $url =~ q%^(https?://)?[^\s/.?#$].[^\s]+$%    # URL must be well formatted
  )
{
    my $csp_uri = $self->cspGetHost($url);
    $req->data->{cspFormAction}->{$csp_uri} = 1;
}
```
There is no point in checking REQUEST_URI for potential XSS because REQUEST_URI is not used in Choice anymore.
In fact, I'm the one who accidentally removed REQUEST_URI from form destinations (see cd97d3b9227f16f0edcdd30b43a7dfe80f1c56f6).
There haven't been any complaints because pdata already saves REQUEST_URI.
@guimard: I need some advice here on what to do
* Fix my mistake and introduce back the following line:
```perl
$url .= $req->env->{'REQUEST_URI'};
```
which will break OIDC requests that use the "claims" parameter?
* Or just remove the useless XSS check?
2.20.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2966
SAML federation plugin incorrectly skips entityIDs
2023-07-07T15:09:12Z
Maxime Besson
### Affected version
Version: 2.16.2
### Summary
* Only half of `main-sps-edugain-metadata.xml` providers are seen by SamlFederation.pm
* After XML file is prettified, all providers are seen
* Bug in LibXML?
### Possible fixes
use `nextElement` instead of `next`
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2962
timeoutActivity feature makes Offline sessions expire prematurely
2023-12-07T09:59:23Z
emmanuel decoux
### Affected version
Version: 2.16.2
Platform: Nginx
### Summary
When the OIDC session duration activity timeout occurs, the offline session is deleted too (but it shouldn't be)
### Backends used
LDAP for users / BrowsableMySQL for sessions
2.18.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2958
SAML module Lasso error code -501
2023-07-13T09:37:44Z
Léo Roques
### Affected version
Version: lemonldap-ng 2.16.1 (from official debian packages)
Platform: debian 12 / nginx 1.22.1 / perl 5.36.0 / liblasso 2.8.1
### Summary
Following the first steps for [SAML service configuration](https://lemonldap-ng.org/documentation/2.0/samlservice.html)
Activating the SAML module via General Parameters » Issuer modules » SAML » Activation: set to On
The authentication portal goes down, printing "Internal Server Error"
The manager interface is still working properly
### Logs
Each time the authentication page is reloaded, a new process is started and the sequence leads to the same Lasso error.
```
Jul 03 09:46:51 ************* LLNG[215]: [debug] Logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] User logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 03 09:46:51 ************* LLNG[215]: [debug] Lemonldap::NG::Common::Conf::Backends::File loaded.
Configuration unchanged, get configuration from cache.
Jul 03 09:46:51 ************* LLNG[215]: [debug] Get configuration 13 aged 1688135511
Jul 03 09:46:51 ************* LLNG[215]: [info] Loading configuration 13 for process 215
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls defaultValuesInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Options https for vhost auth.*********.com: 1
Jul 03 09:46:51 ************* LLNG[215]: [debug] Options https for vhost manager.*********.com: 1
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls jailInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls portalInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls locationRulesInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls sessionStorageInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls headersInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls postUrlInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls aliasInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls oauth2Init
Jul 03 09:46:51 ************* LLNG[215]: [debug] Launching Lemonldap::NG::Handler::FastCGI::Loader->loadCustomHandlers(conf)
Jul 03 09:46:51 ************* LLNG[215]: [debug] Launching Lemonldap::NG::Portal::Main->reloadConf(conf)
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route psgi.js added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route psgi.js added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route portal.css added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route portal.css added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route : added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route : added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route ping added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route ping added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route refresh added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add OPTIONS route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add OPTIONS route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route logout added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route logout added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Initialized CSP headers : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src
'self';script-src 'self';
Jul 03 09:46:51 ************* LLNG[215]: [debug] Initialized CORS headers : Access-Control-Allow-Origin;*;Access-Control-Allow-Credentials;true;Access-Control-
Allow-Headers;*;Access-Control-Allow-Methods;POST,GET;Access-Control-Expose-Headers;*;Access-Control-Max-Age;86400;
Jul 03 09:46:51 ************* LLNG[215]: [debug] Cookies will use SameSite=None
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Main::Menu loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::Main::Menu initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Auth::LDAP loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Try to build new LDAP connection with: ldap://******.*********.com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP Search base: dc=*********,dc=com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP transformed filter: (&(uid=".$req->{user}.")(objectClass=inetOrgPerson))
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::Auth::LDAP initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::UserDB::LDAP loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Try to build new LDAP connection with: ldap://******.*********.com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP Search base: dc=*********,dc=com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP transformed filter: (&(uid=".$req->{user}.")(objectClass=inetOrgPerson))
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::UserDB::LDAP initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::2F::Engines::Default loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking utotp2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking totp2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking u2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking rest2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking mail2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking ext2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking webauthn2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking yubikey2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking radius2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking password2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking password2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking totp2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking u2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking webauthn2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking yubikey2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Processing Extra 2F modules
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::2F::Engines::Default initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Captcha::SecurityImage loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route renewcaptcha added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::Captcha::SecurityImage initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] IssuerSAML enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Issuer::SAML loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] SAML rule -> 0
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Lasso thin-sessions flag set
Jul 03 09:46:51 ************* LLNG[215]: [debug] Certificate will be used in SAML responses
Jul 03 09:46:51 ************* LLNG[215]: [debug] Get Metadata for this service
Jul 03 09:46:51 ************* LLNG[215]: [error] Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
Jul 03 09:46:52 ************* LLNG[216]: [debug] Logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:52 ************* LLNG[216]: [debug] User logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:52 ************* LLNG[216]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 03 09:46:52 ************* LLNG[216]: [debug] Lemonldap::NG::Common::Conf::Backends::File loaded.
Configuration unchanged, get configuration from cache.
Jul 03 09:46:52 ************* LLNG[216]: [debug] Get configuration 13 aged 1688135511
Jul 03 09:46:52 ************* LLNG[216]: [info] Loading configuration 13 for process 216
```
In discussion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2952
2023-08-29T16:58:03Z
Christophe Maudoux
chrmdx@gmail.com
Unable to change password if LDAP returns PE_PP_CHANGE_AFTER_RESET and captcha is enabled
### Affected version
Version: All
Platform: All
### Summary
Enable captcha and LDAP password policy with pwdReset attribute.
Reset a userPassword -> pwdReset is set to TRUE
Login -> PE_25 thrown by LDAP server
Captcha input is not displayed => unable to change password
![Capture_d_écran_du_2023-07-03_22-39-17](/uploads/4c84ef3dc56a7b6488db5762040a60e3/Capture_d_écran_du_2023-07-03_22-39-17.png)
Captcha is not displayed!
![Capture_d_écran_du_2023-07-03_22-40-19](/uploads/4134988b8c6788a354bc322e592ffcea/Capture_d_écran_du_2023-07-03_22-40-19.png)
![Capture_d_écran_du_2023-07-03_22-40-46](/uploads/775f7471da8f8a9a40f17ae66f8fe0a2/Capture_d_écran_du_2023-07-03_22-40-46.png)
### Logs
```
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Get configuration from cache without verification.
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:37:44 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Return TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca created
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Returned error: 9 (PE_FIRSTACCESS)
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] true
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:37:55 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Get session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca from Portal::Main::Run
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Return TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Good captcha response
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Captcha code verified
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing getUser
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing authenticate
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Call bind for uid=173668,ou=personnes,dc=police,dc=interieur,dc=gouv,dc=fr
Jul 3 22:37:56 vm5704 LLNG[1252]: [error] Error when binding to LDAP server: Invalid credentials
Jul 3 22:37:56 vm5704 LLNG[1252]: [warn] Bad password for 173668 (10.100.160.1)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] [warn] Bad password for 173668 (10.100.160.1)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Return TOKEN session ef7091e69d87f73c364ea5d7e69346a73dfb0a572ef12c9f7c9c9575497caef8
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Token ef7091e69d87f73c364ea5d7e69346a73dfb0a572ef12c9f7c9c9575497caef8 created
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> authResult = 5
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setMacros
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setPersistentSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Persistent session found for 173668
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Restore persistent parameter _loginHistory
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Restore persistent parameter _updateTime
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Launching ::Plugins::BruteForceProtection::run afterSub setPersistentSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Failed login maxAge = 2205
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Number of failed login(s) to take into account = 4
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Delta = 65
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Waiting time = 30
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing storeHistory
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Current login saved into failedLogin
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Current login -> 5
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Found 'whatToTrace' -> 173668
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Update 173668 persistent session
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] true
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Get configuration from cache without verification.
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:38:49 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/DBI.pm line 93.
Jul 3 22:38:49 vm5704 LLNG[1252]: [notice] Bad (or expired) token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [warn] Captcha token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca isn't valid
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Return TOKEN session 09f322507d878a152dd54468ec3f5208d5b97b7e56441a508b682735ab49e2aa
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Token 09f322507d878a152dd54468ec3f5208d5b97b7e56441a508b682735ab49e2aa created
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [warn] Captcha failed
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] [warn] Captcha failed
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] true
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Get configuration from cache without verification.
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:38:53 vm5704 LLNG[41826]: [info] No cookie found
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Start routing default route
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing checkUnauthLogout
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing restoreArgs
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing controlUrl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Cancel called, push authCancel calls
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing extractFormInfo
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/DBI.pm line 93.
Jul 3 22:38:53 vm5704 LLNG[41826]: [notice] Bad (or expired) token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [warn] Captcha token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca isn't valid
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Try to get a new TOKEN session
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Check session validity -> 900s
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Return TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Token fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596 created
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Prepare captcha
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [warn] Captcha failed
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] [warn] Captcha failed
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Display type standardform
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin returned: login
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Calling sendHtml with template login
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Apply following CORS policy:
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Origin
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Credentials
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] true
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Headers
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Methods
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] POST,GET
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Expose-Headers
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Max-Age
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] 86400
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:39:31 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Trying to load token fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Get session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596 from Portal::Main::Run
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Good captcha response
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Captcha code verified
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing getUser
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing authenticate
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Call bind for uid=173668,ou=personnes,dc=police,dc=interieur,dc=gouv,dc=fr
Jul 3 22:39:31 vm5704 LLNG[1252]: [error] Password policy error 2 for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] [error] Password policy error 2 for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session 9c99d95aa4b3f790ba4d5526cbfec751cf4f858d83530ecf68335a0fcd2c17a0
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Token 9c99d95aa4b3f790ba4d5526cbfec751cf4f858d83530ecf68335a0fcd2c17a0 created
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session d5acf9ad3db0e334fd4328968aad025f31052a24a280e644bee52487386ebf89
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Token d5acf9ad3db0e334fd4328968aad025f31052a24a280e644bee52487386ebf89 created
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> authResult = 25
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setMacros
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setPersistentSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Persistent session found for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Restore persistent parameter _updateTime
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Restore persistent parameter _loginHistory
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Launching ::Plugins::BruteForceProtection::run afterSub setPersistentSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Failed login maxAge = 2205
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Number of failed login(s) to take into account = 5
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Delta = 95
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Waiting time = 60
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing storeHistory
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Current login saved into failedLogin
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Current login -> 25
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Found 'whatToTrace' -> 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Update 173668 persistent session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] true
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:40:01 vm5704 CRON[42207]: (root) CMD (/opt/rudder/bin/rudder agent check -q >> /var/log/rudder/agent-check/check.log 2>&1)
Jul 3 22:40:01 vm5704 CRON[42215]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Get configuration from cache without verification.
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:40:22 vm5704 LLNG[41826]: [info] No cookie found
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Start routing default route
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing checkUnauthLogout
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing restoreArgs
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing controlUrl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Cancel called, push authCancel calls
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing extractFormInfo
Jul 3 22:40:22 vm5704 LLNG[41826]: [warn] No response provided for Captcha::SecurityImage
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Try to get a new TOKEN session
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Check session validity -> 900s
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Return TOKEN session b5322520b9b8673206f3e24ffcb942848841aed2fef400cc5d38e7b1dc4c2775
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Token b5322520b9b8673206f3e24ffcb942848841aed2fef400cc5d38e7b1dc4c2775 created
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Prepare captcha
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [warn] Captcha failed
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] [warn] Captcha failed
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Display type standardform
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin returned: login
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Calling sendHtml with template login
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Apply following CORS policy:
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Origin
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Credentials
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] true
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Headers
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Methods
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] POST,GET
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Expose-Headers
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Max-Age
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] 86400
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
```
2.17.0
Christophe Maudoux
chrmdx@gmail.com
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2948
Manager should accept mobile-style URL in OIDC callbacks
2023-06-23T07:34:14Z
Yadd
### Affected version
Version: %2.16.x
### Summary
When using a custom mobile URL in authorized callbacks, Manager rejects the configuration. Example: teammail.mobile://oidc/callback
2.17.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946
userControl regexp is not applied by authSlave
2023-09-22T13:59:59Z
Christophe Maudoux
chrmdx@gmail.com
### Affected version
Version: All
Platform: All
Slave authentication module can submit an invalid login
2.17.0
Christophe Maudoux
chrmdx@gmail.com
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2945
CheckUser: Do not compute setAuthSession step for unauthenticated user
2023-12-20T10:27:43Z
Christophe Maudoux
chrmdx@gmail.com
### Concerned version
Version: all
Platform: all
### Summary
Enable checkUser.
Set checkuser access rule with 'skip'.
2.18.0
Christophe Maudoux
chrmdx@gmail.com
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2943
eduPersonTargetedID missing from Plugins::SamlFederation
2023-07-07T15:09:29Z
Maxime Besson
when converting importMetadata to SAMLFederation.pm, special processing for eduPersonTargetedID was forgotten
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2942
Logout shouldn't fail when a OIDC/SAML partner doesn't respond
2023-06-15T10:10:58Z
Yadd
### Affected version
Version: %2.x
Platform: any
### Summary
When using a back-channel logout system (SAML/SOAP or new OIDC Back-Channel), if host is filtered, the logout is blocked and the user receives a "timeout" page and is never disconnected
### Logs
```
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] User xguimard was granted to access to /?logout=1
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Start routing default route
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing importHandlerData
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing controlUrl
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing checkLogout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing code ref
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Launching ::Issuer::SAML::logout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] No SAML session found for session a7734274f64ed418e24dc663a5dfe00ec63ec2837e50c8e82e2feeb547da89a6
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] No SAML session available into this session
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing code ref
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Launching ::Issuer::OpenIDConnect::logout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Access Token signature algorithm: RS512
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Logout token content: {"events":{"http://schemas.openid.net/event/backchannel-logout":{}},"iss":"https://sso.linagora.com","sid":"ROW600DdvXMLirrSV4TI0laCC99teH3A+hLDYTxf2HY","sub":"xguimard","aud":["app-canary"],"iat":1686819416,"jti":"03V99AEL"}
[1 minute to wait...]
Jun 15 08:57:56 test-lemonldap docker/sso_auth_1[162903]: 2023/06/15 08:57:56 [error] 145#145: *12 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 46.255.204.128, server: sso.test.com, request: "GET /?logout=1 HTTP/1.1", upstream: "fastcgi://unix:/run/llng-fastcgi-server/llng-fastcgi.sock", host: "sso.test.com", referrer: "https://sso.linagora.com/"
Jun 15 08:57:56 test-lemonldap docker/sso_auth_1[162903]: 46.255.204.128 - - [15/Jun/2023:08:57:56 +0000] "GET /?logout=1 HTTP/1.1" 504 167 "https://sso.test.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0"
```
2.17.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2939
2023-07-06T13:39:15Z
Far Fade
Unexpected token type: auth_token_krb when using SSL and Kerberos in a Combination
### Affected version
Version: 2.16.1+ds-2 (debian 12)
Platform: Apache
### Summary
lemonldap-ng no longer performs Kerberos auth.
This started at the upgrade from Debian 11 to 12.
### Logs
```
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing authkrb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Kerberos ticket received: (REMOVED_LONG_STRING)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/lemonldap.keytab
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get a new TOKEN session
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c created
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Apply following CORS policy:
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Origin
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Credentials
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] true
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Methods
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] POST,GET
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Expose-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Max-Age
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] 86400
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] VH auth.DOMAIN is HTTPS
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] No cookie found
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Build URL https://auth.DOMAIN/?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Redirect 192.168.2.11 to portal (url was /?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User not authenticated, Try in use, cancel redirection
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing default route
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing checkUnauthLogout
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing restoreArgs
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing controlUrl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Required URL (param: urldc | value: https://wiki.DOMAIN/ | alias: https://wiki.DOMAIN)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] No URL authentication level found...
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Get session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c from Portal::Main::Run
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Unexpected token type: auth_token_krb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Expected id: ssl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User: USER@DOMAIN
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "muhSSL" returned 24, trying next
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/File.pm line 98.
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Bad (or expired) token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Could not fetch user token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "KRB" returned 24, trying next
```
I've added to the logging code the two lines advised by Maxime on the mailing list:
Lemonldap/NG/Portal/Auth/_Ajax.pm l.85:
```perl
# Original line
$self->logger->error( "Unexpected token type: " . $token->{type} );
# Extra information (added for debugging)
$self->logger->debug( "Expected id: " . $self->auth_id );
$self->logger->debug( "User: " . $token->{user} );
```
Thank you for your attention!
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2936
this version of MariaDB doesn't yet support 'GET_LOCK in cluster (WSREP_ON=ON)
2023-11-21T08:40:16Z
Antoine Gallavardin
### Affected version
Version: %2.16.2 ( maybe previous)
Platform: Apache and galera cluster
### Summary
After upgrading our SSO stack as follows:
MariaDB-server.x86_64 0:10.5.18-1.el7.centos => MariaDB-server.x86_64 0:10.5.20-1.el7.centos (Galera cluster)
LL::NG 2.0.15 to LL::NG 2.16.2
We can still connect to our SSO, but writing the configuration isn't possible anymore.
### Logs
On the manager interface we get an error message:
```
Get remote configuration (localStorage unavailable). Get configuration 494. DBD::mysql::db selectrow_array failed: This version of MariaDB doesn't yet support 'GET_LOCK in cluster (WSREP_ON=ON)'
```
### Backends used
- Our storage backend is a Galera cluster 10.5.20 on CentOS with 5 nodes
- A limitation appears in MariaDB 10.5.20: GET_LOCK() / RELEASE_LOCK() are dropped in Galera cluster mode since 10.5.20
### Possible fixes
It could be possible to insert an exception in the code, see:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/_DBI.pm#L82
in order to test whether MariaDB is in cluster mode or not.
It could be a request like `show status like 'wsrep_cluster_conf_id'`, which implies the use of a cluster.
### Additional resources
- https://mariadb.com/kb/en/mariadb-galera-cluster-known-limitations/
- https://github.com/matomo-org/matomo/issues/20752#issuecomment-1573401141
- https://mariadb.com/kb/en/mariadb-10-5-20-changelog/
2.18.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2935
importMetadata causes encoding issues when saving conf
2023-06-08T19:21:36Z
Maxime Besson
### Affected version
Version: 2.16.2
### Summary
* Have an accent in config (such as a comment) in File storage
* import Edugain Metadata (https://metadata.federation.renater.fr/edugain/main/main-sps-edugain-metadata.xml)
* config gets double-encoded each time importMetadata is run, and ends up with a huge size
* "Wide character in print" message in stderr
#2748
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2932
unreachable LDAP server blocks initialization for too long
2023-07-19T19:18:55Z
Maxime Besson
### Affected version
Version: 2.16.2
### Summary
* Configure a combination with [GoodLDAP] or [BadLDAP]
* point BadLDAP to an ldapServer that times out (ldap://1.2.3.4/)
* Try to display the portal
* There is a timeout as Auth::LDAP and UserDB::LDAP preemptively try to connect to BadLDAP
### Possible fixes
All Auth::LDAP and UserDB::LDAP methods validate the LDAP server before doing any work. So there is no need to try to connect in the init() method.
2.17.0
dcoutadeur dcoutadeur
dcoutadeur dcoutadeur
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2931
[Security:medium] open redirection due to incorrect escape handling in URI userinfo
2023-09-22T14:13:30Z
Maxime Besson
### Concerned version
Version: 2.16.2
### Summary
* Browse to http://auth.example.com/?url=aHR0cHM6Ly9oYWNrZXIuY29tXEBAdGVzdDEuZXhhbXBsZS5jb20v (https://hacker.com\@@test1.example.com/)
* LLNG detects it as test1.example.com, which is allowed, and sends redirect
* For some reason, browsers "correct" it to https://hacker.com/@@test1.example.com/
### Possible fixes
We should normalize the received URL before using it in redirects:
```perl
use URI;
# The backslash is not a legal URI character, so URI.pm percent-encodes it;
# the normalized form no longer gets reinterpreted by the browser.
my $u = URI->new('https://hacker.com\@@test1.example.com/');
print $u; # https://hacker.com%5C@@test1.example.com
```
2.17.0
Maxime Besson
Maxime Besson
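The host discrepancy behind the open-redirection issue above, as an added example that is not LemonLDAP::NG code: a naive "authority up to the first slash, host after the last @" parse sees the payload as pointing at test1.example.com, while WHATWG URL parsing (what browsers do, and what Node's global `URL` implements) resolves it to hacker.com, so a redirect check should use the browser's parser. The allow-list and helper names are assumptions for illustration.

```javascript
// Added example (not LemonLDAP::NG code): naive host extraction versus
// WHATWG URL parsing on the payload from the issue.

// Assumed allow-list of redirect targets; test1.example.com is the allowed host in the issue.
const ALLOWED_HOSTS = new Set(['test1.example.com', 'auth.example.com']);

// Naive extraction: authority runs up to the first "/", "?" or "#", and the host is
// whatever follows the last "@". A backslash does not end the authority here, which is
// the misinterpretation the issue describes.
function naiveHost(url) {
  const m = url.match(/^https?:\/\/([^\/?#]*)/i);
  if (!m) return null;
  return m[1].split('@').pop().toLowerCase();
}

// Browser-faithful extraction: for special schemes WHATWG URL treats "\" like "/",
// so the authority ends at the backslash and the host is where the browser will go.
function browserHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null; // unparsable input is never a valid redirect target
  }
}

// Accept a redirect only if the host the browser will actually resolve is allow-listed.
function isAllowedRedirect(url) {
  const host = browserHost(url);
  return host !== null && ALLOWED_HOSTS.has(host);
}

// Constructed sample: the decoded ?url= value from the issue.
const PAYLOAD = 'https://hacker.com\\@@test1.example.com/';

console.log('naive host  :', naiveHost(PAYLOAD));        // test1.example.com (looks allowed)
console.log('browser host:', browserHost(PAYLOAD));      // hacker.com
console.log('allowed?    :', isAllowedRedirect(PAYLOAD)); // false
```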