# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2023-06-15T10:10:58Z)

## Issue #2942: Logout shouldn't fail when an OIDC/SAML partner doesn't respond
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2942
Updated: 2023-06-15T10:10:58Z
Author: Yadd

### Affected version
Version: %2.x
Platform: any
### Summary
When using a back-channel logout system (SAML/SOAP or new OIDC Back-Channel), if the host is filtered, the logout is blocked and the user receives a "timeout" page and is never disconnected.
### Logs
```
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] User xguimard was granted to access to /?logout=1
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Start routing default route
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing importHandlerData
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing controlUrl
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing checkLogout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing code ref
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Launching ::Issuer::SAML::logout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] No SAML session found for session a7734274f64ed418e24dc663a5dfe00ec63ec2837e50c8e82e2feeb547da89a6
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] No SAML session available into this session
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing code ref
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Launching ::Issuer::OpenIDConnect::logout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Access Token signature algorithm: RS512
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Logout token content: {"events":{"http://schemas.openid.net/event/backchannel-logout":{}},"iss":"https://sso.linagora.com","sid":"ROW600DdvXMLirrSV4TI0laCC99teH3A+hLDYTxf2HY","sub":"xguimard","aud":["app-canary"],"iat":1686819416,"jti":"03V99AEL"}
[1 minute to wait...]
Jun 15 08:57:56 test-lemonldap docker/sso_auth_1[162903]: 2023/06/15 08:57:56 [error] 145#145: *12 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 46.255.204.128, server: sso.test.com, request: "GET /?logout=1 HTTP/1.1", upstream: "fastcgi://unix:/run/llng-fastcgi-server/llng-fastcgi.sock", host: "sso.test.com", referrer: "https://sso.linagora.com/"
Jun 15 08:57:56 test-lemonldap docker/sso_auth_1[162903]: 46.255.204.128 - - [15/Jun/2023:08:57:56 +0000] "GET /?logout=1 HTTP/1.1" 504 167 "https://sso.test.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0"
```
Milestone: 2.17.0

## Issue #2939: Unexpected token type: auth_token_krb when using SSL and Kerberos in a Combination
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2939
Updated: 2023-07-06T13:39:15Z
Author: Far Fade

### Affected version
Version: 2.16.1+ds-2 (debian 12)
Platform: Apache
### Summary
lemonldap-ng is no longer performing Kerberos auth.
This started with the upgrade from Debian 11 to 12.
### Logs
```
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing authkrb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Kerberos ticket received: (REMOVED_LONG_STRING)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/lemonldap.keytab
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get a new TOKEN session
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c created
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Apply following CORS policy:
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Origin
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Credentials
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] true
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Methods
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] POST,GET
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Expose-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Max-Age
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] 86400
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] VH auth.DOMAIN is HTTPS
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] No cookie found
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Build URL https://auth.DOMAIN/?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Redirect 192.168.2.11 to portal (url was /?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User not authenticated, Try in use, cancel redirection
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing default route
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing checkUnauthLogout
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing restoreArgs
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing controlUrl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Required URL (param: urldc | value: https://wiki.DOMAIN/ | alias: https://wiki.DOMAIN)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] No URL authentication level found...
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Get session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c from Portal::Main::Run
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
**[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Unexpected token type: auth_token_krb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Expected id: ssl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User: USER@DOMAIN**
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "muhSSL" returned 24, trying next
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/File.pm line 98.
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Bad (or expired) token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Could not fetch user token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "KRB" returned 24, trying next
```
I've added to the log program two lines advised by Maxime on the mailing list:
Lemonldap/NG/Portal/Auth/_Ajax.pm l.85:
```perl
# Original line
$self->logger->error( "Unexpected token type: " . $token->{type} );
# extra information
$self->logger->debug( "Expected id: " . $self->auth_id );
$self->logger->debug( "User: " . $token->{user} );
```
Thank you for your attention!
Milestone: 2.17.0
Assignee: Maxime Besson

## Issue #2936: this version of MariaDB doesn't yet support 'GET_LOCK in cluster (WSREP_ON=ON)
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2936
Updated: 2023-11-21T08:40:16Z
Author: Antoine Gallavardin

### Affected version
Version: %2.16.2 ( maybe previous)
Platform: Apache and galera cluster
### Summary
After upgrading our SSO stack as follows:
MariaDB-server.x86_64 0:10.5.18-1.el7.centos => MariaDB-server.x86_64 0:10.5.20-1.el7.centos (Galera cluster)
LL::NG 2.0.15 to LL:NG 2.16.2
We can still connect to our SSO, but writing the configuration isn't possible anymore.
### Logs
On the manager interface we get an error message:
```
Get remote configuration (localStorage unavailable). Get configuration 494. DBD::mysql::db selectrow_array failed: This version of MariaDB doesn't yet support 'GET_LOCK in cluster (WSREP_ON=ON)'
```
### Backends used
- Our storage backend is a Galera cluster 10.5.20 on centos with 5 nodes
- A limitation appears in MariaDB 10.5.20: GET_LOCK() / RELEASE_LOCK() are dropped in Galera cluster mode since 10.5.20
### Possible fixes
It could be possible to insert an exception in the code, see:
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/Backends/_DBI.pm#L82
in order to test whether MariaDB is in cluster mode or not.
It could be a query like `show status like 'wsrep_cluster_conf_id'`, which implies the use of a cluster.
### Additional resources
- https://mariadb.com/kb/en/mariadb-galera-cluster-known-limitations/
- https://github.com/matomo-org/matomo/issues/20752#issuecomment-1573401141
- https://mariadb.com/kb/en/mariadb-10-5-20-changelog/
Milestone: 2.18.0
Assignee: Maxime Besson

## Issue #2935: importMetadata causes encoding issues when saving conf
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2935
Updated: 2023-06-08T19:21:36Z
Author: Maxime Besson

### Affected version
Version: 2.16.2
### Summary
* Have an accent in config (such as a comment) in File storage
* import Edugain Metadata (https://metadata.federation.renater.fr/edugain/main/main-sps-edugain-metadata.xml)
* config gets double-encoded each time importMetadata is run, and ends up with a huge size
* "Wide character in print" message in stderr
#2748
Milestone: 2.17.0
Assignee: Maxime Besson

## Issue #2932: unreachable LDAP server blocks initialization for too long
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2932
Updated: 2023-07-19T19:18:55Z
Author: Maxime Besson

### Affected version
Version: 2.16.2
### Summary
* Configure a combination with [GoodLDAP] or [BadLDAP]
* point BadLDAP to a ldapServer that times out (ldap://1.2.3.4/)
* Try to display the portal
* There is a timeout as Auth::LDAP and UserDB::LDAP preemptively try to connect to BadLDAP
### Possible fixes
All Auth::LDAP and UserDB::LDAP methods validate the LDAP server before doing any work, so there is no need to try to connect in the init() method.
Milestone: 2.17.0
Assignee: dcoutadeur dcoutadeur

## Issue #2931: [Security:medium] open redirection due to incorrect escape handling in URI userinfo
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2931
Updated: 2023-09-22T14:13:30Z
Author: Maxime Besson

### Concerned version
Version: 2.16.2
### Summary
* Browse to http://auth.example.com/?url=aHR0cHM6Ly9oYWNrZXIuY29tXEBAdGVzdDEuZXhhbXBsZS5jb20v (https://hacker.com\@@test1.example.com/)
* LLNG detects it as test1.example.com, which is allowed, and sends redirect
* For some reason, browsers "correct" it to https://hacker.com/@@test1.example.com/
### Possible fixes
We should normalize the received URL before using it in redirects:
```perl
my $u = URI->new('https://hacker.com\@@test1.example.com/');
print $u; # https://hacker.com%5C@@test1.example.com
```
Milestone: 2.17.0
Assignee: Maxime Besson

## Issue #2926: "Federation not found on login" SAML error when NameID not specified in request
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2926
Updated: 2023-05-09T08:49:08Z
Author: Maxime Besson

### Concerned version
Version: 2.16.1
### Summary
* Configure a SAML provider with samlSPMetaDataOptionsNameIDFormat=persistent
* In metadata, "persistent" must be the first available NameID format:
```xml
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
```
* The SAMLRequest must not contain a NameIDFormat:
```
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_FDF33840F31FD21FE2C411BE524B3E94" Version="2.0" IssueInstant="2023-05-03T14:20:25Z" Destination="http://auth.idp.com/saml/singleSignOn" ForceAuthn="false" IsPassive="false">
<saml:Issuer>XXX</saml:Issuer>
</samlp:AuthnRequest>
```
### Logs
```
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Lasso error code 601: Federation not found on login
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Unable to validate SSO request message
```
### Possible fixes
When users set samlSPMetaDataOptionsNameIDFormat=persistent, we must assume that they also want AllowCreate=1. If the NameIDFormat is not present in the AuthnRequest, we must create it and set its AllowCreate to 1 to avoid a failure when Lasso checks whether federation is allowed.
Milestone: 2.16.2
Assignee: Maxime Besson

## Issue #2922: Remove | as separator for Choice configuration values
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2922
Updated: 2023-08-18T16:23:59Z
Author: Clément OUDOT

For now we accept both `;` and `|` as separators for Choice configuration values, but this leads to a bug when using `|` in a value, for example when overriding an LDAP filter.
We need to check that the `|` separator is not needed anymore, and remove it from the code that splits the choice value.
Milestone: 2.17.0
Assignee: Clément OUDOT

## Issue #2920: invalid entry in SAML IDP list after logout error
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2920
Updated: 2023-07-10T13:12:14Z
Author: Maxime Besson

### Concerned version
Version: 2.16.1
Platform: (Nginx/Apache/Node.js)
### Summary
### Summary
* Configure Auth::SAML with a single IDP
* Some code paths in Auth/SAML.pm may lead to the following situation
![image](/uploads/935beb5d515cabd222ec48e7e23da52a/image.png)
### Possible fixes
I was able to reproduce this issue by sending an invalid logout request:
```perl
# Process logout request
unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
    $self->userLogger->error("Fail to process logout request");
    $logout_error = 1;
}
[...]
my $idp = $logout->remote_providerID();
# IDP conf key
my $idpConfKey = $self->idpList->{$idp}->{confKey};
```
After this code, idpConfKey is not found but `$self->idpList->{$idp}` becomes defined.
That's because in Perl, reading a hash can modify it, yay!
We should probably return immediately if processLogoutRequestMsg fails.
Milestone: 2.17.0
Assignee: Maxime Besson

## Issue #2918: CAS issuer can't handle urn: URIs
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2918
Updated: 2023-05-09T09:26:37Z
Author: Maxime Besson

### Concerned version
Version: 2.16.1
Platform: (Nginx/Apache/Node.js)
### Summary
Some CAS apps (jnlp) use urn:my:app URLs, which currently don't work (PE_ERROR).
Milestone: In discussion
Assignee: Maxime Besson

## Issue #2915: jsRedirect does not preserve GET parameter order
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2915
Updated: 2023-04-17T16:21:17Z
Author: Maxime Besson

### Concerned version
Version: 2.16.1
### Summary
Using the CAS issuer when jsRedirect=1 leads to random failures because redirection to the CAS application tends to swap parameter order.
Milestone: 2.16.2
Assignee: Maxime Besson

## Issue #2912: Non reproducible error when redirect to another url (SAML,..)
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2912
Updated: 2023-08-30T15:10:53Z
Author: Walter Bender

### Concerned version
Version: %2.16.1-1 (Ubuntu)
Platform: Various
### Summary
We updated from 2.0.13 to 2.16.1 and got a non-reproducible error when redirecting to another URL (as used for SAML authentication). Some Perl processes worked without problems. With higher load, we get more and more processes with "Bad URL" errors. After a restart of the service the error vanished at first, but then grew to about 50% of redirections ending with an error message. We are not sure what caused the error and whether it's a security issue. Downgrading back to 2.0.13 solved the issue.
Hint: The same problem happened in version 2.0.16
### Logs
```
Apr 6 18:34:05 XHOSTX LLNG[44612]: [debug] Required Params URL: URI::https=SCALAR(0x563e0fd10f40)
Apr 6 18:34:05 XHOSTX LLNG[44612]: [debug] Set CSP form-action with Params URL: URI::https=SCALAR(0x563e0fd10f40)
Apr 6 18:34:14 XHOSTX LLNG[44591]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fdd1838)
Apr 6 18:34:26 XHOSTX LLNG[44593]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fdedbb8)
Apr 6 18:36:22 XHOSTX LLNG[44589]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0e9a2e38)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Required urldc: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Set CSP form-action with urldc: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Required Params URL: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:37:59 XHOSTX LLNG[44589]: [debug] Set CSP form-action with Params URL: URI::https=SCALAR(0x563e0de5de78)
Apr 6 18:38:26 XHOSTX LLNG[44603]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fd74fd0)
Apr 6 18:39:47 XHOSTX LLNG[44589]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0e8df388)
Apr 6 18:41:17 XHOSTX LLNG[44596]: [debug] [error] Bad URL URI::https=SCALAR(0x563e0fd9eb08)
Apr 6 18:44:16 XHOSTX LLNG[44611]: [debug] [error] Bad URL URI::https=SCALAR(0x55c915768d50)
```
### Backends used
We use redis as backend
### Possible fixes
Downgrade to former version
Milestone: 2.17.0
Assignee: Maxime Besson

## Issue #2909: Manager viewer uses the wrong endpoints to read conf
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909
Updated: 2023-05-09T08:55:38Z
Author: Maxime Besson

### Concerned version
Version: 2.16.1
### Summary
Configuring this:
```
[manager]
enabledModules = viewer, sessions, 2ndFA
defaultModule = viewer
```
does not work: the manager viewer uses GET /confs/xxx to read config values instead of GET /view/xxx
This is a regression in c330347f3c20dcfa7fb26ddf0bc701283c62478f
Replacing confPrefix with viewPrefix in viewer.coffee seems to fix the issue.
TODO:
* [x] Fix issue
* [x] Update viewer.rst doc to give a working example of vhost rules
Milestone: 2.16.2
Assignee: Maxime Besson

## Issue #2907: Manager customCSS not available with minified files
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2907
Updated: 2023-04-02T10:25:47Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Concerned version
Version: %2.X
Platform: All
### Summary
customCSS file is not included in manager/header.tlp
Milestone: 2.16.2
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## Issue #2905: No applications displayed in menu for all users when one of the users has no rights to see them
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2905
Updated: 2023-03-30T14:52:05Z
Author: Clément OUDOT

Steps to reproduce:
* Connect with a user that can see applications in menu: applications are displayed :white_check_mark:
* Connect with a user that cannot see applications in menu (because they have no access to any of them): no applications are displayed :white_check_mark:
* Connect with a user that can see applications in menu: no applications are displayed :no_entry:
This is a regression linked to issue #2833
The problem is in the code of Lemonldap::NG::Portal::Main::Menu
```perl
# Display noApp message
$res{NO_APP_ALLOWED} = $self->noApp;
```
Of course storing the state of application visibility in a class parameter is wrong, as this is linked to the request context.
Milestone: 2.16.2
Assignee: Clément OUDOT

## Issue #2899: When Portal language is configured to follow browser language, change in browser language requires clearing a cookie
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2899
Updated: 2023-04-07T09:31:19Z
Author: Aki Kemppainen

### Concerned version
Version: 2.0.16
Platform: Nginx
### Summary
Preconditions / test setup:
- LemonLDAP configured not to display language selection buttons in the Portal UI => Portal should follow the browser's language
- Firefox set to prefer English for web pages
Steps to reproduce:
- Open LemonLDAP portal page => Page is in English
- Change Firefox to prefer French for web pages
- Reload LemonLDAP portal page
Expected result:
- LemonLDAP should show the page in French
Actual result:
- The page is still shown in English (because LemonLDAP stores the language to a cookie named llnglanguage)
Workaround:
- Click the padlock icon next to the address in address bar and select "clear cookies and site data" and press "remove"
- Then reload the page and it is shown in French
Milestone: 2.16.2
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## Issue #2896: [Security][CVE-2023-28862] AuthBasic does not handle failure correctly
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
Updated: 2023-10-08T16:40:55Z
Author: Maxime Besson

### Concerned version
Version: 2.0.16
### Summary
The AuthBasic handler works like this:
* It computes a sessionid from login+password
* If sessionid already exists in the session DB, authenticate user
* Else, try to create the corresponding session by sending the login+pass to the portal RESTServer plugin
However, the only required step in the login flow is `store`: if anything happens after the `store` step, AuthBasic will still succeed because the fixed-id session has been successfully created, which means:
* Accounts that are supposed to be 2FA-protected are not 2FA protected when AuthBasic is used
* If a 2FA module returns an error, the *first* AuthBasic request will 401, but the *second* AuthBasic request will work correctly => *VERY CONFUSING*
* Any plugin that tries to deny session *after* the `store` step will not deny AuthBasic sessions
This is probably a security issue
### Possible fixes
If the AuthBasic login process fails (not PE_OK), we need to remove the session created by `store` and return an error
This will cause a regression: users who relied on AuthBasic working for 2FA protected account will now see failures
Possible solution: use an env variable in 2FA activation rules if desired:
```
has2f("TOTP") and not $env->{"AuthBasic"}
```
or something of that sort
Milestone: 2.16.1
Assignee: Maxime Besson

## Issue #2894: Captcha broken with latest Debian-Buster ImageMagick package (8:6.9.10.23+dfsg-2.1+deb10u)
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2894
Updated: 2023-03-19T08:43:57Z
Author: Clément OUDOT

With the latest ImageMagick package, Captcha is broken:
![image](/uploads/272684d0d12e84b3f3bf17de3d8ac1b4/image.png)
```
# dpkg -l | grep libimage-magick
ii libimage-magick-perl 8:6.9.10.23+dfsg-2.1+deb10u2 all Perl interface to the ImageMagick graphics routines
ii libimage-magick-q16-perl 8:6.9.10.23+dfsg-2.1+deb10u2 amd64 Perl interface to the ImageMagick graphics routines -- Q16 version
```
Downgrading the packages is the current workaround:
```
# apt install libimage-magick-perl=8:6.9.10.23+dfsg-2.1+deb10u1 imagemagick-6-common=8:6.9.10.23+dfsg-2.1+deb10u1
```
Milestone: FAQ

## Issue #2887: URL parameter for Register and CertificateResetByMail plugins are not taken into account
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2887
Updated: 2023-03-07T22:07:22Z
Author: Christophe Maudoux (chrmdx@gmail.com)

### Concerned version
Version: %2.X
Platform: (Nginx/Apache/Node.js)
### Summary
```perl
has registerUrl => (
    is      => 'rw',
    lazy    => 1,
    default => sub {
        my $p = $_[0]->conf->{portal};
        $p =~ s#/*$##;
        return "$p/register";
    }
);
```
`$self->conf->{registerUrl}` and `$self->conf->{certificateResetUrl}` are not used during the init step.
Milestone: 2.16.1
Assignee: Christophe Maudoux (chrmdx@gmail.com)

## Issue #2882: SAML signature validation fails in RHEL9 + Lasso 2.8.0
URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2882
Updated: 2023-02-27T09:45:15Z
Author: Maxime Besson

Possibly an upstream bug, but I'm opening it here for reference:
```
[debug] Lasso error [ critical ]: 2023-02-24 09:11:17 (tools.c/:1562) Error: failed to limit allowed sha1 signature transforms
[debug] Lasso error [ critical ]: 2023-02-24 09:11:17 (tools.c/:1562) Error: failed to limit allowed sha1 signature transforms
[error] Lasso error code -111: Failed to verify signature.
```
Reproduced on Alma9 and Rocky9
Related:
https://dev.entrouvert.org/issues/74121
https://github.com/latchset/mod_auth_mellon/issues/115
Milestone: 2.17.0
Assignee: Maxime Besson