lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2023-08-29T16:58:03Z
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2952
2023-08-29T16:58:03Z
Christophe Maudoux
chrmdx@gmail.com
Unable to change password if LDAP returns PE_PP_CHANGE_AFTER_RESET and captcha is enabled
### Affected version
Version: All
Platform: All
### Summary
Enable captcha and LDAP password policy with pwdReset attribute.
Reset a userPassword -> pwdReset is set to TRUE
Login -> PE_25 thrown by LDAP server
Captcha input is not displayed => unable to change password
![Capture_d_écran_du_2023-07-03_22-39-17](/uploads/4c84ef3dc56a7b6488db5762040a60e3/Capture_d_écran_du_2023-07-03_22-39-17.png)
Captcha is not displayed!
![Capture_d_écran_du_2023-07-03_22-40-19](/uploads/4134988b8c6788a354bc322e592ffcea/Capture_d_écran_du_2023-07-03_22-40-19.png)
![Capture_d_écran_du_2023-07-03_22-40-46](/uploads/775f7471da8f8a9a40f17ae66f8fe0a2/Capture_d_écran_du_2023-07-03_22-40-46.png)
### Logs
```
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Get configuration from cache without verification.
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:37:44 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Return TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca created
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Returned error: 9 (PE_FIRSTACCESS)
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] true
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:37:44 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:37:55 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Get session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca from Portal::Main::Run
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Return TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Good captcha response
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Captcha code verified
Jul 3 22:37:55 vm5704 LLNG[1252]: [debug] Processing getUser
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing authenticate
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Call bind for uid=173668,ou=personnes,dc=police,dc=interieur,dc=gouv,dc=fr
Jul 3 22:37:56 vm5704 LLNG[1252]: [error] Error when binding to LDAP server: Invalid credentials
Jul 3 22:37:56 vm5704 LLNG[1252]: [warn] Bad password for 173668 (10.100.160.1)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] [warn] Bad password for 173668 (10.100.160.1)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Return TOKEN session ef7091e69d87f73c364ea5d7e69346a73dfb0a572ef12c9f7c9c9575497caef8
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Token ef7091e69d87f73c364ea5d7e69346a73dfb0a572ef12c9f7c9c9575497caef8 created
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> authResult = 5
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setMacros
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing setPersistentSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Persistent session found for 173668
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Restore persistent parameter _loginHistory
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Restore persistent parameter _updateTime
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Launching ::Plugins::BruteForceProtection::run afterSub setPersistentSessionInfo
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Failed login maxAge = 2205
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Number of failed login(s) to take into account = 4
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Delta = 65
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] -> Waiting time = 30
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing storeHistory
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Current login saved into failedLogin
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Current login -> 5
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Found 'whatToTrace' -> 173668
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Update 173668 persistent session
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] true
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] *
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:37:56 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Get configuration from cache without verification.
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:38:49 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/DBI.pm line 93.
Jul 3 22:38:49 vm5704 LLNG[1252]: [notice] Bad (or expired) token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:49 vm5704 LLNG[1252]: [warn] Captcha token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca isn't valid
Jul 3 22:38:49 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Return TOKEN session 09f322507d878a152dd54468ec3f5208d5b97b7e56441a508b682735ab49e2aa
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Token 09f322507d878a152dd54468ec3f5208d5b97b7e56441a508b682735ab49e2aa created
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [warn] Captcha failed
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] [warn] Captcha failed
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Display type standardform
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] true
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] *
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:38:50 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Get configuration from cache without verification.
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:38:53 vm5704 LLNG[41826]: [info] No cookie found
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Start routing default route
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing checkUnauthLogout
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing restoreArgs
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing controlUrl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Cancel called, push authCancel calls
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Processing extractFormInfo
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Trying to load token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Try to get TOKEN session 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/DBI.pm line 93.
Jul 3 22:38:53 vm5704 LLNG[41826]: [notice] Bad (or expired) token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca
Jul 3 22:38:53 vm5704 LLNG[41826]: [warn] Captcha token 2d35939c38d7e39eca69bd6c8fe8e6701acee2872ff1c28d1e61ca234a1e5eca isn't valid
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Try to get a new TOKEN session
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Check session validity -> 900s
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Return TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Token fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596 created
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Prepare captcha
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [warn] Captcha failed
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] [warn] Captcha failed
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Display type standardform
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin returned: login
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Calling sendHtml with template login
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Apply following CORS policy:
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Origin
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Credentials
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] true
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Headers
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Methods
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] POST,GET
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Expose-Headers
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] *
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Access-Control-Max-Age
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] 86400
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:38:53 vm5704 LLNG[41826]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:39:31 vm5704 LLNG[1252]: [info] No cookie found
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Start routing default route
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing checkUnauthLogout
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing restoreArgs
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing controlUrl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Cancel called, push authCancel calls
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing extractFormInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Trying to load token fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Get session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596 from Portal::Main::Run
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session fd98d81668c40fd69ac011bdc4231e559039419ce42063b4fe0d54b3b0a78596
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Good captcha response
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Captcha code verified
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing getUser
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing authenticate
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Call bind for uid=173668,ou=personnes,dc=police,dc=interieur,dc=gouv,dc=fr
Jul 3 22:39:31 vm5704 LLNG[1252]: [error] Password policy error 2 for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] [error] Password policy error 2 for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session 9c99d95aa4b3f790ba4d5526cbfec751cf4f858d83530ecf68335a0fcd2c17a0
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Token 9c99d95aa4b3f790ba4d5526cbfec751cf4f858d83530ecf68335a0fcd2c17a0 created
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Try to get a new TOKEN session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Check session validity -> 900s
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Return TOKEN session d5acf9ad3db0e334fd4328968aad025f31052a24a280e644bee52487386ebf89
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Token d5acf9ad3db0e334fd4328968aad025f31052a24a280e644bee52487386ebf89 created
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Prepare captcha
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> authResult = 25
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setMacros
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing setPersistentSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Persistent session found for 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Restore persistent parameter _updateTime
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Restore persistent parameter _loginHistory
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Launching ::Plugins::BruteForceProtection::run afterSub setPersistentSessionInfo
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Failed login maxAge = 2205
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Number of failed login(s) to take into account = 5
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Delta = 95
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] -> Waiting time = 60
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing storeHistory
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Current login saved into failedLogin
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Current login -> 25
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Found 'whatToTrace' -> 173668
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Update 173668 persistent session
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Processing code ref
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Returned error: 5 (PE_BADCREDENTIALS)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Returned error: 25 (PE_PP_CHANGE_AFTER_RESET)
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin returned: login
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Calling sendHtml with template login
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Apply following CORS policy:
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Origin
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Credentials
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] true
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Headers
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Allow-Methods
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] POST,GET
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Expose-Headers
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] *
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Access-Control-Max-Age
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] 86400
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:39:31 vm5704 LLNG[1252]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
Jul 3 22:40:01 vm5704 CRON[42207]: (root) CMD (/opt/rudder/bin/rudder agent check -q >> /var/log/rudder/agent-check/check.log 2>&1)
Jul 3 22:40:01 vm5704 CRON[42215]: (root) CMD (if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Get configuration from cache without verification.
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] VH auth.pp.sso.police.interieur.gouv.fr is HTTPS
Jul 3 22:40:22 vm5704 LLNG[41826]: [info] No cookie found
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Build URL https://auth.pp.sso.police.interieur.gouv.fr:80/?cancel=1
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Redirect 10.100.160.1 to portal (url was /?cancel=1)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] User not authenticated, Try in use, cancel redirection
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Start routing default route
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing checkUnauthLogout
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing restoreArgs
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing controlUrl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Cancel called, push authCancel calls
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing code ref
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Launching ::Issuer::OpenIDConnect::exportRequestParameters
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Processing extractFormInfo
Jul 3 22:40:22 vm5704 LLNG[41826]: [warn] No response provided for Captcha::SecurityImage
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Try to get a new TOKEN session
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Check session validity -> 900s
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Return TOKEN session b5322520b9b8673206f3e24ffcb942848841aed2fef400cc5d38e7b1dc4c2775
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Token b5322520b9b8673206f3e24ffcb942848841aed2fef400cc5d38e7b1dc4c2775 created
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Prepare captcha
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [warn] Captcha failed
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] [warn] Captcha failed
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Returned error: 76 (PE_CAPTCHAERROR)
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Display type standardform
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin returned: login
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Calling sendHtml with template login
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Skin calypsso selected from GET/POST parameter
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Sending /usr/share/lemonldap-ng/portal/templates/calypsso/login.tpl
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Apply following CORS policy:
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Origin
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Credentials
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] true
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Headers
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Allow-Methods
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] POST,GET
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Expose-Headers
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] *
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Access-Control-Max-Age
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] 86400
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Set Strict-Transport-Security with: 15768000
Jul 3 22:40:22 vm5704 LLNG[41826]: [debug] Apply following CSP: default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action *;frame-ancestors 'none';
```
2.17.0
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2984
Test fails with Perl 5.38
2023-08-28T16:00:34Z
Yadd
From https://bugs.debian.org/1043239 :
> Source: lemonldap-ng
> Version: 2.16.1+ds-2
> Severity: important
> Tags: ftbfs trixie sid
> User: debian-perl@lists.debian.org
> Usertags: perl-5.38-transition
>
> This package fails to build from source with Perl 5.38 (currently in experimental.)
>
> http://perl.debian.net/rebuild-logs/perl-5.38-throwaway/lemonldap-ng_2.16.1+ds-2/lemonldap-ng_2.16.1+ds-2_amd64-2023-08-04T06:12:12Z.build
```
# Failed test 'Found correct error message'
# at t/12-Lemonldap-NG-Handler-Jail.t line 114.
# 'syntax error at (eval 52) line 1, at EOF
# Execution of (eval 52) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 22.
# Failed test 'Found correct error message'
# at t/13-Lemonldap-NG-Handler-Fake-Safe.t line 107.
# 'syntax error at (eval 47) line 1, at EOF
# Execution of (eval 47) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 16.
Test Summary Report
-------------------
t/12-Lemonldap-NG-Handler-Jail.t (Wstat: 256 (exited 1) Tests: 22 Failed: 1)
Failed test: 22
Non-zero exit status: 1
t/13-Lemonldap-NG-Handler-Fake-Safe.t (Wstat: 256 (exited 1) Tests: 16 Failed: 1)
Failed test: 16
Non-zero exit status: 1
Files=25, Tests=405, 7 wallclock secs ( 0.08 usr 0.03 sys + 4.03 cusr 0.70 csys = 4.84 CPU)
Result: FAIL
```
> This looks like just an issue of changed diagnostics, but please don't hesitate to file a bug against perl in case it turns out to have runtime effects that warrant a Breaks entry.
2.17.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2922
Remove | as separator for Choice configuration values
2023-08-18T16:23:59Z
Clément OUDOT
Remove | as separator for Choice configuration values
For now we accept both `;` and `|` as separator for choices configuration values, but this leads to a bug when using `|` in a value, for example when overriding an LDAP filter.
We need to check that the `|` separator is not needed anymore, and remove it from the code that splits the choice value.
2.17.0
Clément OUDOT
Clément OUDOT
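Added example, not LemonLDAP::NG code, illustrating the bug described in this issue: when both `;` and `|` are accepted as choice separators, a value that legitimately contains `|` (an LDAP OR filter) is cut into pieces, while splitting on `;` alone keeps it intact. The function names and the sample choice value are constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): shows why accepting '|' as a
# separator for Choice configuration values corrupts any value that itself
# contains '|', such as an overridden LDAP filter. Names are illustrative.
use strict;
use warnings;

# Constructed Choice value: two options separated by ';', the second one
# carrying an LDAP OR filter. The single quotes keep $user literal.
my $choice_value = 'ldap;(|(uid=$user)(mail=$user))';

# Behaviour reported in the issue: both ';' and '|' act as separators.
sub split_choice_legacy {
    my ($value) = @_;
    return split /[;|]/, $value;
}

# Proposed behaviour: only ';' separates choices, '|' is ordinary data.
sub split_choice_fixed {
    my ($value) = @_;
    return split /;/, $value;
}

my @legacy = split_choice_legacy($choice_value);
my @fixed  = split_choice_fixed($choice_value);

# The legacy split yields three fragments and a broken filter; the fixed
# split yields the two intended options.
print "legacy: ", scalar(@legacy), " parts -> ", join(' / ', @legacy), "\n";
print "fixed:  ", scalar(@fixed),  " parts -> ", join(' / ', @fixed),  "\n";
```

A configuration review after such a change should grep existing `Choice` values for `|` to confirm that no deployment still relies on it as a separator, since those values would silently become a single option.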
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2987
Cannot use single quote in passwordPolicySpecialChar
2023-08-18T14:58:23Z
Maxime Besson
Cannot use single quote in passwordPolicySpecialChar
### Affected version
Version: 2.16.2
### Summary
* Try to add a `'` in passwordPolicySpecialChar
* Display the password change interface
* JS error
### Logs
```
Parsing error SyntaxError: Bad escaped character in JSON at position 5979
at JSON.parse (<anonymous>)
at HTMLScriptElement.<anonymous> (portal.js:105:20)
at Function.each (jquery.min.js:2:2976)
at S.fn.init.each (jquery.min.js:2:1454)
at n (portal.js:102:42)
at portal.js:277:13
at dispatch (jquery.min.js:2:43090)
at v.handle (jquery.min.js:2:41074)
```
### Possible fixes
`ESCAPE='js'` from HTML::Template does not correctly escape JSON strings. We need to do it before setting the template parameter
2.17.0
Maxime Besson
Maxime Besson
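Added example, not LemonLDAP::NG code, showing the failure mode behind this issue: a JavaScript-style escape turns `'` into `\'`, which is not a legal escape sequence in JSON, whereas encoding the value with a JSON encoder before it reaches the template produces a document that parses. The `escape_js` helper is my approximation of what a JS escape filter does (an assumption, not HTML::Template's code), and the policy value is constructed.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): a JS-style escape of a
# password-policy special-character list is not valid inside JSON; encoding
# the value with a JSON encoder first avoids the client-side parse error.
use strict;
use warnings;
use JSON::PP qw(encode_json decode_json);

# Constructed policy value containing a single quote, as in the issue.
my $special_chars = q{!@#$%^&*()'"};

# Approximation (assumption) of a JS-style escape filter: backslash, both
# quote characters and newlines get a backslash prefix. The resulting \' is
# illegal in JSON, which only allows \" \\ \/ \b \f \n \r \t \uXXXX.
sub escape_js {
    my ($s) = @_;
    $s =~ s/\\/\\\\/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\r/\\r/g;
    return $s;
}

# Parses a JSON document and returns either the recovered value or the
# decoder's error message.
sub parse_policy {
    my ($json) = @_;
    my $data = eval { decode_json($json) };
    return $@ ? "parse error: $@" : "ok: $data->{passwordPolicySpecialChar}";
}

# What a template with a JS escape filter would emit.
my $js_escaped = '{"passwordPolicySpecialChar":"' . escape_js($special_chars) . '"}';

# What a JSON encoder emits: \" for the double quote, the single quote as-is.
my $json_encoded = encode_json({ passwordPolicySpecialChar => $special_chars });

print "JS-escaped:   $js_escaped\n  ", parse_policy($js_escaped),   "\n";
print "JSON-encoded: $json_encoded\n  ", parse_policy($json_encoded), "\n";
```

When the encoded document is then embedded inside an HTML `<script>` element, the encoder output still needs `<` protected (for instance as `\u003c`) so that a value containing `</script>` cannot terminate the element early; that is a separate concern from the JSON validity shown here.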
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2847
Configuration corruption due to accented characters
2023-08-02T12:58:53Z
Christophe Maudoux
chrmdx@gmail.com
Configuration corruption due to accented characters
### Concerned version
Version: all
Platform: Nginx + uWSGI
### Summary
LL::NG instance has crashed (out of memory) due to accented characters and a re-encoding issue that leads to conf. corruption.
Normal conf. size is near 600 KB and the corrupted conf. size is near 280 MB!
### Logs
![image](/uploads/d7ab46baa142647e315118ca4a1de162/image.png)
### Backends used
PGSQL
### Possible fixes
Append an option to remove all accented or non printable characters.
Append a warning in Manager if conf. size is out of customizable bounds
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2979
forced saveConf does not correctly report success on MySQL/MariaDB
2023-08-01T14:17:14Z
Maxime Besson
forced saveConf does not correctly report success on MySQL/MariaDB
### Affected version
Version: 2.16.2
### Summary
* Try to run convertConfig from Files to MySQL
```
Unable to store configuration 1: Lemonldap::NG::Common::Conf::Backends::CDBI loaded.
Get configuration 1.
Configuration 1 stored.
```
(the process stops with an exit code of 7 and no other sessions are converted, despite success)
Another way to reproduce the issue
```
lemonldap-ng-cli -force 1 -yes 1 set https 1
cfgNum forced with 1Could not save configuration:
```
### Possible fixes
In saveConf:
```
return ( $self->unlock() ? $tmp : UNKNOWN_ERROR );
```
In MySQL the unlock function returns false if the lock hasn't been acquired first, which is the case when "force" has been set
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2055
Vhosts options hash key is removed after a while
2023-08-01T13:11:11Z
Christophe Maudoux
chrmdx@gmail.com
Vhosts options hash key is removed after a while
### Concerned version
Version: %2.0.7
Platform: (Nginx/uWsgi/PG) with 4 portals and 4 rvprx served by HTTP and HTTPS VS.
Double cookies for a single session.
Cache::FileCache module
### Summary
This is an odd issue difficult to replay.
All works fine for a while, then HTTP vhosts switch to HTTPS.
I added some tracking debug logs and it seems the default VHostHttps option is applied when a new conf is saved, but this does not occur every time...
Base64 encoded URL is https.
Sometimes purging /tmp/lemonldap-ng-config/ and restarting the uwsgi service fixes the problem.
I disabled compactConf but it did not solve this issue.
2.17.0
Christophe Maudoux
chrmdx@gmail.com
Christophe Maudoux
chrmdx@gmail.com
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2641
Unable to remove value for casAppMetaDataOptionsAuthnLevel
2023-07-24T09:48:48Z
Clément OUDOT
Unable to remove value for casAppMetaDataOptionsAuthnLevel
In Manager, no change is detected if we try to remove the value set in authentication level in a CAS application.
Maybe other parameters also have this issue.
2.17.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2932
unreachable LDAP server blocks initialization for too long
2023-07-19T19:18:55Z
Maxime Besson
unreachable LDAP server blocks initialization for too long
### Affected version
Version: 2.16.2
### Summary
* Configure a combination with [GoodLDAP] or [BadLDAP]
* point BadLDAP to a ldapServer that times out (ldap://1.2.3.4/)
* Try to display the portal
* There is a timeout as Auth::LDAP and UserDB::LDAP preemptively try to connect to BadLDAP
### Possible fixes
All Auth::LDAP and UserDB::LDAP methods validate the LDAP server before doing any work. So there is no need to try to connect in the init() method.
2.17.0
dcoutadeur dcoutadeur
dcoutadeur dcoutadeur
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2920
invalid entry in SAML IDP list after logout error
2023-07-10T13:12:14Z
Maxime Besson
invalid entry in SAML IDP list after logout error
### Concerned version
Version: 2.16.1
Platform: (Nginx/Apache/Node.js)
### Summary
* Configure Auth::SAML with a single IDP
* Some code paths in Auth/SAML.pm may lead to the following situation
![image](/uploads/935beb5d515cabd222ec48e7e23da52a/image.png)
### Possible fixes
I was able to reproduce this issue by sending an invalid logout request:
```
# Process logout request
unless ( $self->processLogoutRequestMsg( $logout, $request ) ) {
$self->userLogger->error("Fail to process logout request");
$logout_error = 1;
}
[...]
my $idp = $logout->remote_providerID();
# IDP conf key
my $idpConfKey = $self->idpList->{$idp}->{confKey};
```
after this code, idpConfKey is not found but `$self->idpList->{$idp}` becomes defined.
That's because in Perl, reading a hash can modify it, yay!
We should probably return immediately if processLogoutRequestMsg fails
2.17.0
Maxime Besson
Maxime Besson
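Added example, not LemonLDAP::NG code, reproducing the Perl behaviour this issue runs into: reading `$list->{$idp}->{confKey}` for an unknown `$idp` autovivifies `$list->{$idp}` as an empty hash, so the IDP list gains a bogus entry. The guarded lookup returns early instead of dereferencing a missing entry, which is the equivalent of returning immediately when `processLogoutRequestMsg` fails. The IDP list and the unknown entityID are constructed.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): demonstrates hash autovivification
# on a nested read, and a guarded lookup that does not modify the hash.
use strict;
use warnings;

# Constructed IDP list: one configured IDP keyed by its entityID.
sub fresh_idp_list {
    return { 'https://idp.example.com/saml' => { confKey => 'idp-example' } };
}

# Mirrors the failing code path: the nested read creates $list->{$idp}
# (as an empty hash) when it does not exist, even though confKey is undef.
sub lookup_conf_key_unsafe {
    my ($list, $idp) = @_;
    return $list->{$idp}->{confKey};
}

# Guarded lookup: bail out before the nested dereference, so a lookup for an
# unknown or undefined provider leaves the list untouched.
sub lookup_conf_key_safe {
    my ($list, $idp) = @_;
    return undef unless defined $idp && exists $list->{$idp};
    return $list->{$idp}->{confKey};
}

# An entityID that is not configured, e.g. taken from an invalid logout
# request (constructed value).
my $unknown_idp = 'https://unknown.example.org/saml';

sub report {
    my ($label, $list) = @_;
    printf "%-14s %d entries, unknown entry present: %s\n", $label,
        scalar(keys %$list), exists $list->{$unknown_idp} ? 'yes' : 'no';
}

my $list = fresh_idp_list();
lookup_conf_key_unsafe($list, $unknown_idp);
report('unsafe read:', $list);   # the unknown entityID now exists

$list = fresh_idp_list();
lookup_conf_key_safe($list, $unknown_idp);
report('safe read:', $list);     # the list is unchanged
```

Beyond the early return, the CPAN pragma `no autovivification;` can be enabled in modules where a silent write during a read is never wanted; it turns these nested reads into plain undef lookups.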
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2943
eduPersonTargetedID missing from Plugins::SamlFederation
2023-07-07T15:09:29Z
Maxime Besson
eduPersonTargetedID missing from Plugins::SamlFederation
when converting importMetadata to SAMLFederation.pm, special processing for eduPersonTargetedID was forgotten
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2966
SAML federation plugin incorrectly skips entityIDs
2023-07-07T15:09:12Z
Maxime Besson
SAML federation plugin incorrectly skips entityIDs
### Affected version
Version: 2.16.2
### Summary
* Only half of `main-sps-edugain-metadata.xml` providers are seen by SamlFederation.pm
* After XML file is prettified, all providers are seen
* Bug in LibXML?
### Possible fixes
use `nextElement` instead of `next`
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2939
Unexpected token type: auth_token_krb when using SSL and Kerberos in a Combin...
2023-07-06T13:39:15Z
Far Fade
Unexpected token type: auth_token_krb when using SSL and Kerberos in a Combination
### Affected version
Version: 2.16.1+ds-2 (debian 12)
Platform: Apache
### Summary
lemonldap-ng is no longer performing Kerberos auth.
This started at the upgrade from Debian 11 to 12.
### Logs
```
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing authkrb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Kerberos ticket received: (REMOVED_LONG_STRING)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/lemonldap.keytab
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get a new TOKEN session
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c created
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Apply following CORS policy:
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Origin
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Credentials
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] true
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Methods
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] POST,GET
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Expose-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Max-Age
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] 86400
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] VH auth.DOMAIN is HTTPS
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] No cookie found
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Build URL https://auth.DOMAIN/?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Redirect 192.168.2.11 to portal (url was /?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User not authenticated, Try in use, cancel redirection
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing default route
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing checkUnauthLogout
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing restoreArgs
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing controlUrl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Required URL (param: urldc | value: https://wiki.DOMAIN/ | alias: https://wiki.DOMAIN)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] No URL authentication level found...
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Get session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c from Portal::Main::Run
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
**[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Unexpected token type: auth_token_krb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Expected id: ssl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User: USER@DOMAIN**
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "muhSSL" returned 24, trying next
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/File.pm line 98.
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Bad (or expired) token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Could not fetch user token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "KRB" returned 24, trying next
```
I've added to the log program two lines advised by Maxime on the mailing list:
Lemonldap/NG/Portal/Auth/_Ajax.pm l.85:
```
# Original line
$self->logger->error( "Unexpected token type: " . $token->{type} );
# extra information
$self->logger->debug( "Expected id: ". $self->auth_id );
$self->logger->debug( "User: " . $token->{user} );
```
Thank you for your attention !
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2938
POST to /oauth2/token responds error 400 "This endpoint is not supposed to be...
2023-06-23T08:35:39Z
Jérémie Lesage
POST to /oauth2/token responds error 400 "This endpoint is not supposed to be called by authenticated users"
### Affected version
Version: 2.16.2
### Summary
We are trying to connect to LLNG using the oauth2 API, from a vuejs application using [a keycloak-js library](https://www.npmjs.com/package/@dsb-norge/vue-keycloak-js).
With standard flow we receive a 302 from GET /oauth2/authorize, then the library tries to POST to /oauth2/token to retrieve the access_token but we receive 400 Bad Request
``` json
{"error_description":"This endpoint is not supposed to be called by authenticated users","error":"invalid_request"}
```
With hybrid flow, LLNG returns the access_token in the location header (`location: https://xx/portail/#access_token=xxxxxx`) so we can authenticate the application, but the library tries to POST to /oauth2/token to retrieve the refresh_token and we also receive the 400 Bad Request. So every 10 seconds the application is reloading.
```
POST /oauth2/token HTTP/2
Host: xxxxxxxxxxxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-type: application/x-www-form-urlencoded
Content-Length: 304
Origin: https://xxxxxxxxxxxx
Connection: keep-alive
Referer: https://xxxxxxxxxxxx/
Cookie: lemonldap=xxxxxxxxxxxxxxxxxxx
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-GPC: 1
Pragma: no-cache
Cache-Control: no-cache
TE: trailers
code=xxxx&grant_type=authorization_code&client_id=rp-pristyfront&redirect_uri=https%3A%2F%2Fxxxxxx%2Fportail%2F&code_verifier=xxxxxx
```
### Logs
We are not seeing specific error in logs.
2.17.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2948
Manager should accept mobile-style URL in OIDC callbacks
2023-06-23T07:34:14Z
Yadd
Manager should accept mobile-style URL in OIDC callbacks
### Affected version
Version: %2.16.x
### Summary
When using a custom mobile url in authorized callbacks, Manager rejects the configuration. Example: teammail.mobile://oidc/callback
2.17.0
Yadd
Yadd
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2942
Logout shouldn't fail when a OIDC/SAML partner doesn't respond
2023-06-15T10:10:58Z
Yadd
Logout shouldn't fail when a OIDC/SAML partner doesn't respond
### Affected version
Version: %2.x
Platform: any
### Summary
When using a back-channel logout system (SAML/SOAP or new OIDC Back-Channel), if host is filtered, the logout is blocked and the user receives a "timeout" page and is never disconnected
### Logs
```
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] User xguimard was granted to access to /?logout=1
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Start routing default route
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing importHandlerData
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing controlUrl
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing checkLogout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing code ref
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Launching ::Issuer::SAML::logout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] No SAML session found for session a7734274f64ed418e24dc663a5
dfe00ec63ec2837e50c8e82e2feeb547da89a6
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] No SAML session available into this session
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Processing code ref
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Launching ::Issuer::OpenIDConnect::logout
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Access Token signature algorithm: RS512
Jun 15 08:56:56 test-lemonldap docker/sso_auth_1[162903]: [Thu Jun 15 08:56:56 2023] [LLNG:154] [debug] Logout token content: {"events":{"http://schemas.openid.net/
event/backchannel-logout":{}},"iss":"https://sso.linagora.com","sid":"ROW600DdvXMLirrSV4TI0laCC99teH3A+hLDYTxf2HY","sub":"xguimard","aud":["app-canary"],"iat":1686819
416,"jti":"03V99AEL"}
[1 minute to wait...]
Jun 15 08:57:56 test-lemonldap docker/sso_auth_1[162903]: 2023/06/15 08:57:56 [error] 145#145: *12 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 46.255.204.128, server: sso.test.com, request: "GET /?logout=1 HTTP/1.1", upstream: "fastcgi://unix:/run/llng-fastcgi-server/llng-fastcgi.sock", host: "sso.test.com", referrer: "https://sso.linagora.com/"
Jun 15 08:57:56 test-lemonldap docker/sso_auth_1[162903]: 46.255.204.128 - - [15/Jun/2023:08:57:56 +0000] "GET /?logout=1 HTTP/1.1" 504 167 "https://sso.test.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0"
```
2.17.0
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2935
importMetadata causes encoding issues when saving conf
2023-06-08T19:21:36Z
Maxime Besson
importMetadata causes encoding issues when saving conf
### Affected version
Version: 2.16.2
### Summary
* Have an accent in config (such as a comment) in File storage
* import Edugain Metadata (https://metadata.federation.renater.fr/edugain/main/main-sps-edugain-metadata.xml)
* config gets double-encoded each time importMetadata is run, and ends up with a huge size
* "Wide character in print" message in stderr
#2748
2.17.0
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2875
[Security:Low] incorrect parsing of OP-provided acr
2023-05-12T17:56:15Z
Maxime Besson
[Security:Low] incorrect parsing of OP-provided acr
### Concerned version
Version: 2.0.16
### Summary
* Configure Auth::OIDC with an OP that always returns `acr: 1` in the ID token
* Set oidcOPMetaDataOptionsAcrValues to `loa-1`
* `ACR` value `1` is accepted despite not being part of the list `['loa-1']`
### Possible fixes
```
unless ( $acr_values =~ /\b$acr\b/i ) {
```
it is not a good way to test because `\b` matches too many things (in the example: it matches `-`)
2.16.2
Maxime Besson
Maxime Besson
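Added example, not LemonLDAP::NG code, showing why the `\b`-based check quoted in this issue accepts an `acr` of `1` against the configured list `loa-1`, next to a strict replacement that splits the configured list and requires an exact match. The function names are illustrative and the `acr` values are the ones from the issue plus a couple of constructed variants.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): the regex check accepts an acr
# that is only a fragment of an allowed value; the exact-match check does not.
use strict;
use warnings;

# Configured list (oidcOPMetaDataOptionsAcrValues in the issue).
my $acr_values = 'loa-1';

# Check as quoted in the issue. '-' is not a word character, so \b sits on
# both sides of the trailing "1" and "1" matches inside "loa-1". The OP-
# supplied $acr is also interpolated as a regex, not as a literal.
sub acr_allowed_by_regex {
    my ($acr_values, $acr) = @_;
    return ( $acr_values =~ /\b$acr\b/i ) ? 1 : 0;
}

# Strict check: acr_values is a whitespace-separated list, so split it into
# a set and require an exact, case-sensitive match on the whole value.
sub acr_allowed_exact {
    my ($acr_values, $acr) = @_;
    return 0 unless defined $acr && length $acr;
    my %allowed = map { $_ => 1 } grep { length } split /\s+/, $acr_values;
    return $allowed{$acr} ? 1 : 0;
}

# "1" and "loa" are fragments, "LOA-1" differs in case; only "loa-1" is
# the configured value.
for my $acr ( '1', 'loa', 'loa-1', 'LOA-1' ) {
    printf "acr=%-6s regex:%d exact:%d\n", $acr,
        acr_allowed_by_regex($acr_values, $acr),
        acr_allowed_exact($acr_values, $acr);
}
```

The exact check treats the comparison as case-sensitive on purpose: `acr` is an opaque identifier agreed between OP and RP, so a case-insensitive match widens what the RP accepts for no benefit, which is the same direction of error the `\b` check has.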
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909
Manager viewer uses the wrong endpoints to read conf
2023-05-09T08:55:38Z
Maxime Besson
Manager viewer uses the wrong endpoints to read conf
### Concerned version
Version: 2.16.1
### Summary
Configuring this:
```
[manager]
enabledModules = viewer, sessions, 2ndFA
defaultModule = viewer
```
does not work: the manager viewer uses GET /confs/xxx to read config values instead of GET /view/xxx
This is a regression in c330347f3c20dcfa7fb26ddf0bc701283c62478f
replacing confPrefix by viewPrefix in viewer.coffee seems to fix the issue
TODO:
* [x] Fix issue
* [x] Update viewer.rst doc to give a working example of vhost rules
2.16.2
Maxime Besson
Maxime Besson
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2926
"Federation not found on login" SAML error when NameID not specified in request
2023-05-09T08:49:08Z
Maxime Besson
"Federation not found on login" SAML error when NameID not specified in request
### Concerned version
Version: 2.16.1
### Summary
* Configure a SAML provider with samlSPMetaDataOptionsNameIDFormat=persistent
* In metadata, "persistent" must be the first available NameID format:
```
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
```
* The SAMLRequest must not contain a NameIDFormat:
```
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_FDF33840F31FD21FE2C411BE524B3E94" Version="2.0" IssueInstant="2023-05-03T14:20:25Z" Destination="http://auth.idp.com/saml/singleSignOn" ForceAuthn="false" IsPassive="false">
<saml:Issuer>XXX</saml:Issuer>
</samlp:AuthnRequest>
```
### Logs
```
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Lasso error code 601: Federation not found on login
[Wed May 3 16:21:03 2023] [LLNG:699228] [warn] Unable to validate SSO request message
```
### Possible fixes
When users set samlSPMetaDataOptionsNameIDFormat=persistent, we must assume that they also want AllowCreate=1. If the NameIDFormat is not present in the AuthnRequest, we must create it, and set its AllowCreate to 1 to avoid a failure when Lasso checks if federation is allowed
2.16.2
Maxime Besson
Maxime Besson