# lemonldap-ng issues

Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-06-23T06:36:23Z

## #1327: Facebook module not working due to API changes in Facebook

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1327
Updated: 2018-06-23T06:36:23Z. Author: Clément OUDOT.

There is an issue in Net::Facebook::Oauth2: https://github.com/mamod/Net-Facebook-Oauth2/issues/14
I think we can get rid of this module as we only need 2 or 3 GET requests, like it is done in the LinkedIn module.

Milestone: 2.0.0. Assignee: Clément OUDOT.

## #1253: Default values not saved by Manager (complex nodes)

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1253
Updated: 2018-03-15T13:19:38Z. Author: Clément OUDOT.

I created an OIDC RP in Manager and set some values. When clicking on "ID Token signature algorithm" I left the default value, which is "HS512". After saving the configuration, the value is not set in the conf file.
When setting another value, saving, then resetting the "HS512" value and saving again, it works.

Milestone: 1.9.16. Assignee: Yadd.

## #1314: Workaround for memory Leak in perl-fcgi with Perl < 5.18

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1314
Updated: 2020-04-24T09:20:03Z. Author: Mathieu Lecompte-melançon.

We added 3 new websites under nginx/llng and got some memory increase.
Restarting llng-fastcgi-server resolves the issue, but the memory usage keeps increasing.

Milestone: 2.0.8. Assignee: Yadd.

## #1368: Impossible to configure IssuerDB Get Parameters with RDBI backend

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1368
Updated: 2018-02-23T10:31:23Z. Author: Clément OUDOT.

When configuring parameters for IssuerDB Get, they are stored as JSON instead of a Perl hash, so we get this error in the Portal:
```
[Thu Feb 08 10:23:32.011583 2018] [perl:debug] [pid 7249] Lemonldap::NG::Portal::SharedConf: User coudot allowed to use IssuerDB Get
[Thu Feb 08 10:23:32.011749 2018] [perl:debug] [pid 7249] Lemonldap::NG::Portal::SharedConf: URL http://auth.example.com/get/login detected as an Get LOGIN URL
[Thu Feb 08 10:23:32.011858 2018] [:error] [pid 7249] Can't use string ("{"idm.example.com":{"uid":"uid"}}") as a HASH ref while "strict refs" in use at /usr/share/perl5/Lemonldap/NG/Portal/IssuerDBGet.pm line 172, <F> line 15.\n
```

Milestone: 1.9.16. Assignee: Yadd.

## #1371: incompatibility between 1.4 portal and 1.9/2.0 handler: _utime not defined

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1371
Updated: 2018-03-14T08:56:19Z. Author: dcoutadeur dcoutadeur.

Normally, no one should use different versions of handler and portal.
However, for now it is quite compatible.
In the newer 1.9/2.0 versions, there is an update which breaks the behaviour.
In 1.9 Handler/Main.pm or in 2.0 Handler/Main/Run.pm, in function retrieveSession, we do not check if _utime is defined when verifying if timeout activity is outdated.
For 2.0:
```perl
if (
    $now - $session->data->{_utime} > $class->tsv->{timeout}
    or (    $class->tsv->{timeoutActivity}
        and $session->data->{_lastSeen}
        and $now - $session->data->{_lastSeen} >
        $class->tsv->{timeoutActivity} )
  )
```
I propose to modify it by this code:
```perl
$class->logger->error("_utime is not defined. This should not happen. Verify sessions integrity and handler/portal version mismatch")
  unless $session->data->{_utime};
if (
    (       $session->data->{_utime}
        and $now - $session->data->{_utime} > $class->tsv->{timeout} )
    or (    $class->tsv->{timeoutActivity}
        and $session->data->{_lastSeen}
        and $now - $session->data->{_lastSeen} >
        $class->tsv->{timeoutActivity} )
  )
```
For 1.9:
```perl
if (
    $now - $datas->{_utime} > $tsv->{timeout}
    or (    $tsv->{timeoutActivity}
        and $datas->{_lastSeen}
        and $now - $datas->{_lastSeen} > $tsv->{timeoutActivity} )
  )
```
I propose to modify it by this code:
```perl
$class->logger->error("_utime is not defined. This should not happen. Verify sessions integrity and handler/portal version mismatch")
  unless $datas->{_utime};
if (
    (       $datas->{_utime}
        and $now - $datas->{_utime} > $tsv->{timeout} )
    or (    $tsv->{timeoutActivity}
        and $datas->{_lastSeen}
        and $now - $datas->{_lastSeen} > $tsv->{timeoutActivity} )
  )
```

Milestone: 1.9.16. Assignee: Clément OUDOT.

## #1372: Action "update-cache" in lemonldap-ng-cli does not work

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1372
Updated: 2018-03-14T15:19:02Z. Author: Clément OUDOT.

When trying to refresh the cache from the CLI, new settings are not set in the cache.
We have this call in Common::CLI:
```perl
my $conf = $self->confAccess->getConf( { noCache => 1, raw => 1 } );
```
But the noCache parameter is only valid for the $conf object inside lemonldap-ng-cli; it does not reset the cache for other modules.

Milestone: 1.9.16. Assignee: Yadd.

## #1389: Kerberos ticket revalidated in Multi mode

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1389
Updated: 2018-03-13T17:13:50Z. Author: Clément OUDOT.

Hello,
when using AuthKerberos mode in AuthMulti, and trying to search the authenticated user in several ADs (so using UserDBMulti), the Kerberos ticket is revalidated and it fails (seems Kerberos has a replay protection):
```
[Thu Mar 08 17:09:15.642852 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Multi (type 0): trying extractFormInfo for module Kerberos
[Thu Mar 08 17:09:15.642883 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Kerberos ticket received: YIIIQQYGKwYBBQUCoIIINTCCCDGgMDAuBgkqhkiC9x...
[Thu Mar 08 17:09:15.642996 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/auth.keytab
[Thu Mar 08 17:09:15.656337 2018] [perl:debug] [pid 15128] /usr/share/perl5/vendor_perl/Lemonldap/NG/Common/CGI.pm 305:
[Thu Mar 08 17:09:15.656369 2018] [perl:notice] [pid 15128] Lemonldap::NG : USER@EXAMPLE.COM authentified by Kerberos
...
[Thu Mar 08 17:09:15.693201 2018] [perl:debug] [pid 15128] /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/_Multi.pm 92:
[Thu Mar 08 17:09:15.693230 2018] [perl:info] [pid 15128] Retriving user with AD#1 failed, trying next
[Thu Mar 08 17:09:15.693254 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Replay all methods until sub getUser
[Thu Mar 08 17:09:15.693287 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: processing to sub authInit
[Thu Mar 08 17:09:15.693340 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluate expression: 1
[Thu Mar 08 17:09:15.693390 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluation result: 1
[Thu Mar 08 17:09:15.693411 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Multi (type 0): trying authInit for module Kerberos
[Thu Mar 08 17:09:15.693429 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: processing to sub extractFormInfo
[Thu Mar 08 17:09:15.693470 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluate expression: 1
[Thu Mar 08 17:09:15.693497 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Evaluation result: 1
[Thu Mar 08 17:09:15.693513 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Multi (type 0): trying extractFormInfo for module Kerberos
[Thu Mar 08 17:09:15.693544 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Kerberos ticket received: YIIIQQYGKwYBBQUCoIIINTCCCDGgMDAuB....
[Thu Mar 08 17:09:15.693582 2018] [perl:debug] [pid 15128] Lemonldap::NG::Portal::SharedConf: Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/auth.keytab
[Thu Mar 08 17:09:15.693961 2018] [perl:debug] [pid 15128] /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/AuthKerberos.pm 98:
[Thu Mar 08 17:09:15.693982 2018] [perl:error] [pid 15128] Unable to accept security context
```
I think we should check in extractFormInfo if the Kerberos user was already found, and in this case not try to revalidate the ticket.

Milestone: 1.9.16. Assignee: Clément OUDOT.

## #1416: Attribute encoding in CAS responses

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1416
Updated: 2018-06-09T09:31:10Z. Author: Clément OUDOT.

I create this issue to test all attribute sharing possibilities.
First with an OIDC test, I have this encoding bug in the UserInfo answer:
```perl
{
    'email' => 'clement@oodo.net',
    'family_name' => 'OUDOT',
    'name' => "Cl\x{c3}\x{a9}ment OUDOT",
    'sub' => 'coudot'
}
```

Milestone: 1.9.17. Assignee: Clément OUDOT.

## #1420: Answering to CAS proxy requests as CAS Provider

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1420
Updated: 2018-05-14T10:24:05Z. Author: Clément OUDOT.

There is an error when calling the /cas/proxy endpoint:
```
==> /var/log/apache2/error.log <==
[info] No cookie found
[debug] Build URL https://auth.openid.club/cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa
[debug] Redirect 192.168.100.1 to portal (url was /cas/proxy?targetService=http://webmail&pgt=PGT-a599b067f64773560dcca4fd0dd3ccfa)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing cas
Bad response 2 at /usr/share/perl5/Plack/Handler/FCGI.pm line 156.
[Fri May 11 21:49:25.545901 2018] [core:error] [pid 103079] [client 192.168.100.1:48558] End of script output before headers: index.fcgi
```

Milestone: 2.0.0. Assignee: Clément OUDOT.

## #757: "Attempt to free unreferenced scalar" in Lemonldap::NG::Common::Session

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/757
Updated: 2018-05-15T20:31:11Z. Author: Clément OUDOT.

The following errors are visible in the logs:
```
Attempt to free unreferenced scalar: SV 0x7f651397cd08, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 84.
Attempt to free unreferenced scalar: SV 0x7f6513b4b898, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 150.
Attempt to free unreferenced scalar: SV 0x7f6513b4c1b0, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 111.
Attempt to free unreferenced scalar: SV 0x7f6512e5c760, Perl interpreter: 0x7f64f12c0e70 at /usr/share/perl5/Lemonldap/NG/Common/Session.pm line 112.
```
Probably related to the Mouse version, which is quite old.

Milestone: 2.0.0. Assignee: Yadd.

## #789: Apache reloading breaks SAML authentication

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/789
Updated: 2018-05-15T20:31:11Z. Author: Updateme Lulandco.

Hi,
After reloading the apache conf, SAML authentication is broken, SP Metadata can't be retrieved from cache:
```
[Fri Feb 13 19:51:45.934452 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Reset SAML configuration cache
[Fri Feb 13 19:51:45.934468 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SAML cache configuration: 46
[Fri Feb 13 19:51:45.934549 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Get Metadata for this service
[Fri Feb 13 19:51:45.938604 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: 2015-02-13 19:51:45 (server.c/:699) Failed to load metadata from preloaded buffer
[Fri Feb 13 19:51:45.938754 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
[Fri Feb 13 19:51:45.938777 2015] [perl:debug] [pid 11688] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 186:
[Fri Feb 13 19:51:45.938788 2015] [perl:error] [pid 11688] Unable to create Lasso server
[Fri Feb 13 19:51:45.939030 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
```
I checked, all apache's modules are normally reloaded. Restarting apache doesn't produce the issue.
LulAndCo

Milestone: 2.0.0. Assignee: Yadd.

## #804: Uncomplete logout in Issuer modules

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/804
Updated: 2018-05-15T20:31:11Z. Author: Clément OUDOT.

We have a standard logout process in the portal:
* Delete local session
* Call issuerLogout on each used Issuer module
* Call authLogout
* Display iFrames for logout services
* Display "you are disconnected" at the end of the process

But this process is not used when a logout request comes from an Issuer module (CAS, OpenID or OpenID Connect). This seems to be OK for the SAML Issuer.

Milestone: 2.0.0. Assignee: Yadd.

## #856: LemonLDAP loses exportedVars conf randomly

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/856
Updated: 2018-05-15T20:31:11Z. Author: Frédéric Pégé.

Randomly (at least, for now), Lemonldap loses the entry "exportedVars" of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (line 1972):
```perl
$self->lmLog( "[exportedVars] exportedVars : " . join( ' ', keys %{ $self->{exportedVars} } ), 'warn' );
```
When everything is fine:
```
[Tue Oct 13 17:55:35 2015] [warn] [exportedVars] exportedVars : DATEFINVALIDITE UA SSL_CLIENT_CERT DATEDEBUTVALIDITE
```
When the bug occurs:
```
[Tue Oct 13 17:41:31 2015] [warn] [exportedVars] exportedVars :
```
This can be checked in the session explorer. LDAP vars are shown, and so on. ExportedVars are missing.
I've managed to reproduce the issue easily with SSL auth and LDAP users.
Can you look into that plz?
Best regards,
Fred.

Milestone: 2.0.0. Assignee: Yadd.

## #863: get_url function builds wrong Portal URL

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/863
Updated: 2018-05-15T20:31:11Z. Author: Cédric Liard.

The get_url function in Simple.pm builds the portal URL according to the portal-apache2.conf definition and not the Portal URL defined in the LemonLDAP configuration.
The problem is that if the portal is behind a proxy (listening on https), the Portal Apache vhost is listening on http and the Portal URL (defined in the LemonLDAP configuration) is on https, this function returns the http URL.

Milestone: 2.0.0. Assignee: Yadd.

## #918: Env variables are searched in backends

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/918
Updated: 2018-05-15T20:31:11Z. Author: Clément OUDOT.

When declaring exported attributes which are env variables, they are also searched in backends.

Milestone: 2.0.0. Assignee: Yadd.

## #998: encode_base64 can be undefined after a reload by URL

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/998
Updated: 2018-05-15T20:31:11Z. Author: Swaelens Jontathan.

Hello,
After a modification in the manager I have apache errors for my virtualhosts that use the function encode_base64.
```
Undefined subroutine &Lemonldap::NG::Handler::Main::Jail::encode_base64 called at (eval 638) line 1.\n
```
I must reload apache to fix it.
Cheers.

Milestone: 2.0.0. Assignee: Yadd.

## #1061: Multiple segfault using ModPerl::Registry with Apache2.4

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1061
Updated: 2018-05-15T20:31:11Z. Author: Jeremy Kespite.

I have recently started to use Apache2.4 with LL1.9.5. I previously used Apache2.2 and LL1.3.3.
Since I upgraded, my error logs contain lots of:
```
child pid 46733 exit signal Segmentation fault (11)
Attempt to free unreferenced scalar: SV 0x7f3682a244a0, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 44.
Attempt to free unreferenced scalar: SV 0x7f363c019f70, Perl interpreter: 0x7f368321f550.
Out of memory!
Attempt to free unreferenced scalar: SV 0x7f363402c818, Perl interpreter: 0x7f368321f550 at /usr/share/perl5/Lemonldap/NG/Handler/API.pm line 73.
```
I found lots of issues on the Internet about Apache2.4 reporting segfaults frequently but no good answer. My guess is that it is an Apache issue more than an LLNG issue.
I also use Nginx Handler and it works perfectly.
So my question is:
Is there anyone else having the same kind of problem with Apache2.4?
Milestone: 2.0.0. Assignee: Yadd.

## #1113: OIDC Provider to SAML SP does not work

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1113
Updated: 2018-05-15T20:31:11Z. Author: dcoutadeur dcoutadeur.

I have 3 machines:
- 1 is OIDC RP
- 1 is OIDC Provider + SAML SP
- 1 is SAML IdP

When trying to make a chain:
- Relying Party contacts OpenID Connect Provider
then
- OpenID Connect Provider (configured as SAML SP) contacts SAML IdP

the final return does not work: i.e. the SAML SP does not call its internal IdP.
I propose a basic patch, which, in summary:
- happens before storing the relay state in the SAML SP (Portal/_SAML.pm)
- gets the called URL
- if the URL matches the current portal URL, stores it in the relay state.

The patch is working, but maybe these points should be validated:
- make sure it is generic, in particular make sure the other way is working: SAML IdP calling an OIDC RP
- security: make sure we won't redirect to insecure locations
- using the CGI module may be improved? (if the portal is to be made more generic with less adherence to apache)

Milestone: 2.0.0. Assignee: Yadd.

## #1150: Can't get captcha to work with LDAP as backend

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Updated: 2018-05-15T20:31:11Z. Author: Michael Goldfinger.

After getting the websites to work and getting LDAP to run as the configuration backend, I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system like shown on the screenshots. The ldapBindDN and ldapBindPassword are used for the configuration backend too, so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer if the {SSHA} would work. However the effect is that instead of the captcha I get the broken image icon and nothing is written into the LDAP.
The nginx error_log shows only the warnings about the demo accounts.

Milestone: 2.0.0. Assignee: Clément OUDOT.

## #1171: Session explorer freezes when session number is high

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1171
Updated: 2018-05-15T20:31:11Z. Author: Jean-Charles Rogez.

When browsing thousands of sessions, the browser freezes (see the attached screenshot).
We think that browsing is not a good solution in this case.
A solution would be to replace the browsing tree by a search form (uid and ip for active sessions, uid for persistent sessions).

Milestone: 2.0.0. Assignee: Yadd.

## #1468: Enabling both Auth::SAML and Issuer::SAML breaks SLO

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1468
Updated: 2018-06-30T06:41:53Z. Author: Yadd.

### Version
Probably any version since 1.0.0
### Description
Just enabling issuerDBSAMLActivation on a SAML SP breaks SLO (related to #1449).

Milestone: 2.0.0. Assignee: Yadd.

## #1474: OAuth2 token_type is case insensitive

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1474
Updated: 2018-07-10T16:55:01Z. Author: Clément OUDOT.

Reading RFC 6749, the token_type value is case insensitive:
https://tools.ietf.org/html/rfc6749#section-5.1
> token_type
> REQUIRED. The type of the token issued as described in
> Section 7.1. Value is case insensitive.

Our implementation in OpenID Connect only accepts the "Bearer" value, case sensitive. It can break compatibility with some providers, like ORCID.
See also: https://github.com/ORCID/ORCID-Source/issues/4735

Milestone: 1.9.18. Assignee: Clément OUDOT.

## #1476: Unescaped left brace generates a warning with Perl-5.28

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1476
Updated: 2018-07-14T05:54:56Z. Author: Yadd.

### Concerned version
Version: %1.9.17
### Summary
From Debian Perl Group:
> While test rebuilding the archive against Perl 5.28 (currently in experimental), we noticed this warning in the build log of this package:
> `Unescaped left brace in regex is deprecated here (and will be fatal in Perl 5.32), passed through in regex; marked by <-- HERE in m/^\$data[0-9]*\s*=\s*({ <-- HERE ?\s*.+\s*}?)/ at ../lemonldap-ng-common/blib/lib/Lemonldap/NG/Common/Conf/SAML/Metadata.pm line 291.`

Milestone: 1.9.18. Assignee: Yadd.

## #1479: App Category order - Cannot save

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1479
Updated: 2018-11-16T14:36:14Z. Author: Raphaël HOAREAU.

### Concerned version
Version: %1.9.17
Platform: Apache
### Summary
Modifying application categories order (up or down) doesn't count as a change when saving configuration.
Result: "No change detected, saving aborted"
### Logs
Pop up says: No change detected, saving aborted
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes

Milestone: 1.9.18. Assignee: Yadd.

## #1509: InactivityTimeout for applications don't work

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1509
Updated: 2019-05-12T13:38:43Z. Author: Mame Dieynaba SENE.

### Concerned version
Version: %1.9.13
Platform: Apache
### Summary
In my case (timeoutActivityInterval=10mins):
when an authenticated user opens an application and then stays 15 minutes without doing anything, his session does not expire.
In 1.9.13 Handler/Main.pm, in function retrieveSession, I think I identified the source of the problem.
Part of code:
```perl
if ( $tsv->{timeoutActivity}
    and
    ( $now - $datas->{_lastSeen} > $tsv->{timeoutActivityInterval} ) )
{
    $session->update( { '_lastSeen' => $now } );
```
The problem here is if $now - $datas->{_lastSeen} > $tsv->{timeoutActivityInterval} the session must expire. So I did the following patch to resolve the problem.
I propose to modify it by this code:
```perl
if ( $tsv->{timeoutActivity}
    and
    ( $now - $datas->{_lastSeen} < $tsv->{timeoutActivityInterval} ) )
{
    $session->update( { '_lastSeen' => $now } );
```
And it works.
PS: I'm sorry for my English level and I hope you understand the problem

Milestone: 1.9.19. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## #1520: lemonldap-ng-cli adds a new item when deleting an item that does not exist.

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1520
Updated: 2019-05-12T13:37:24Z. Author: Frédéric MASSOT.

Hi,
With lemonldap-ng 1.9.18+ds-1 (Debian).
With the "lemonldap-ng-cli" command, when you delete an application that does not exist in a category that does not exist, the "lemonldap-ng-cli" command adds an empty element with the name of the category that did not exist.
```
$ sudo /usr/share/lemonldap-ng/bin/lemonldap-ng-cli get applicationList
VERY EXPERIMENTAL FEATURE, prefer web interface
applicationList has the following keys:
0001-cat
0004-cat
0008-cat
0011-cat
0018-cat
```
```
$ sudo /usr/share/lemonldap-ng/bin/lemonldap-ng-cli delKey applicationList/0019-cat toto
VERY EXPERIMENTAL FEATURE, prefer web interface
Saved under number 149
Warnings: [
{
'message' => 'Your manager seems to be unprotected'
}
];
Status : [
{
'reload.xxx.com' => 'OK',
}
];
```
```
$ sudo /usr/share/lemonldap-ng/bin/lemonldap-ng-cli get applicationList
VERY EXPERIMENTAL FEATURE, prefer web interface
applicationList has the following keys:
0001-cat
0004-cat
0008-cat
0011-cat
0018-cat
0019-cat
```
```
$ sudo /usr/share/lemonldap-ng/bin/lemonldap-ng-cli get applicationList/0019-cat
VERY EXPERIMENTAL FEATURE, prefer web interface
applicationList/0019-cat has the following keys:
```
Regards.

Milestone: 1.9.19. Assignee: Clément OUDOT.

## #1521: The manager renames the id of applications created by lemonldap-ng-cli

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1521
Updated: 2019-06-24T11:15:06Z. Author: Frédéric MASSOT.

Hi,
With lemonldap-ng 1.9.18+ds-1 (Debian).
I created two apps "w8dgli4syyyaahmxbi4aaaak" and "w8dgqy4syyyaahlqypuaaaan" with lemonldap-ng-cli:
```
$ sudo /usr/share/lemonldap-ng/bin/lemonldap-ng-cli get applicationList/0018-cat
VERY EXPERIMENTAL FEATURE, prefer web interface
applicationList/0018-cat has the following keys:
catname
type
w8dgli4syyyaahmxbi4aaaak
w8dgqy4syyyaahlqypuaaaan
```
I added a rule in the manager after reloading it to have both apps, and app ids changed :
```
$ sudo /usr/share/lemonldap-ng/bin/lemonldap-ng-cli get applicationList/0018-cat
VERY EXPERIMENTAL FEATURE, prefer web interface
applicationList/0018-cat has the following keys:
0019-app
0020-app
catname
type
```
Regards.

Milestone: 2.0.5. Assignee: Yadd.

## #1543: Redirection lost with CAS RP -> Choice -> SAML Discovery Protocol -> SAML IDP

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1543
Updated: 2019-03-13T09:55:39Z. Author: Clément OUDOT.

When testing LL::NG 2.0 as CAS IDP, with a Choice to redirect to a SAML IDP (through the Renater WAYF page), when redirected back from the SAML IDP, we lose the CAS protocol context, and we are not redirected back to the CAS RP.
Maybe the issue is linked to the WAYF redirection.

Milestone: 2.0.3. Assignee: Clément OUDOT.

## #1561: Configuration save generates bad warnings

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1561
Updated: 2018-12-01T21:44:18Z. Author: Clément OUDOT.

We have an annoying issue in the 2.0.0 version: when saving configuration in Manager or with lemonldap-ng-cli, we have a lot of warnings:
```
{
'message' => 'totp2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 166) line 1, <STDIN> line 1.'
},
{
'message' => 'issuerDBCASRule: __badExpression__: \'require\' trapped by operation mask at (eval 168) line 1, <STDIN> line 1.'
},
{
'message' => 'portalDisplayChangePassword: __badExpression__: \'require\' trapped by operation mask at (eval 170) line 1, <STDIN> line 1.'
},
{
'message' => 'portalSkinRules/1: __badExpression__: \'require\' trapped by operation mask at (eval 172) line 1, <STDIN> line 1.'
},
{
'message' => 'portalDisplayAppslist: __badExpression__: \'require\' trapped by operation mask at (eval 174) line 1, <STDIN> line 1.'
},
{
'message' => 'sfRequired: __badExpression__: \'require\' trapped by operation mask at (eval 176) line 1, <STDIN> line 1.'
},
{
'message' => 'utotp2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 178) line 1, <STDIN> line 1.'
},
{
'message' => 'portalDisplayLogout: __badExpression__: \'require\' trapped by operation mask at (eval 180) line 1, <STDIN> line 1.'
},
{
'message' => 'u2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 182) line 1, <STDIN> line 1.'
},
{
'message' => 'yubikey2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 184) line 1, <STDIN> line 1.'
},
{
'message' => 'totp2fSelfRegistration: __badExpression__: \'require\' trapped by operation mask at (eval 186) line 1, <STDIN> line 1.'
},
{
'message' => 'jsRedirect: __badExpression__: \'require\' trapped by operation mask at (eval 188) line 1, <STDIN> line 1.'
},
{
'message' => 'ext2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 190) line 1, <STDIN> line 1.'
},
{
'message' => 'rest2fActivation: __badExpression__: \'require\' trapped by operation mask at (eval 192) line 1, <STDIN> line 1.'
},
{
'message' => 'u2fSelfRegistration: __badExpression__: \'require\' trapped by operation mask at (eval 194) line 1, <STDIN> line 1.'
},
{
'message' => 'yubikey2fSelfRegistration: __badExpression__: \'require\' trapped by operation mask at (eval 196) line 1, <STDIN> line 1.'
},
{
'message' => 'issuerDBSAMLRule: __badExpression__: \'require\' trapped by operation mask at (eval 198) line 1, <STDIN> line 1.'
}
```
Should this be linked to a recent change in the code?

Milestone: 2.0.0 | Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1564
## Function authLogout is missing in package "Lemonldap::NG::Portal::Auth::SSL"
Updated: 2018-12-01T21:44:34Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0.0
### Summary
Hello.
Function authLogout is missing in package "Lemonldap::NG::Portal::Auth::SSL" (file /usr/share/perl5/Lemonldap/NG/Portal/Auth/SSL.pm on Debian) with LemonLDAP::NG 2.0.0. When you log out with SSL authentication, it raises a 500 error:
### Logs
```
2018/12/01 12:53:39 [error] 32328#32328: *1764 FastCGI sent in stderr: "Can't locate object method "authLogout" via package "Lemonldap::NG::Portal::Auth::SSL" at /usr/share/perl5/Lemonldap/NG/Common/Combination/Parser.pm line 138" while reading response header from upstream, client: 127.0.0.1, server: auth.example.com, request: "GET /?logout=1 HTTP/2.0", upstream: "fastcgi://unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock:", host: "auth.example.com", referrer: "https://auth.example.com/?logout=1"
```
### Possible fixes
Fixing is easy, just add three lines after the authenticate function (line 58):
```
sub authLogout {
    PE_OK;
}
```
Kind regards.
Damien Wertz

Milestone: 2.0.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1567
## [Security: low] Captcha session id is too weak
Updated: 2019-05-12T16:27:41Z | Author: Clément OUDOT

To build the captcha session id, we use the MD5 of the captcha code:
```
my $md5 = md5_hex($code);
```
But an attacker can brute force the MD5 to find the captcha code:
![image](/uploads/cd98ef0da775842a1e25393a7e1d9e36/image.png)
The recommendation is to have a captcha session id that has no link with the captcha code.
Seems the issue exists for the 1.9 and 2.0 versions.

Milestone: 1.9.19 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1572
## Error when saving in manager (mongoDB as ConfigurationBackend)
Updated: 2018-12-12T14:19:52Z | Author: Mathieu Lecompte-melançon

### Concerned version
Version: %2.0.0
Platform: (Nginx)
### Summary
When saving in manager we receive a Bad Request prompt.
The backend was MongoDB, and was working fine in 1.9.
The change, after the save, seems to be correctly set in data...
Configuration in ini for MongoDB Replicaset:
```
type = MongoDB
dbName = llng_db
collectionName = configuration
host = mongodb://lemonldap_1.bd.interne.urgences-sante.qc.ca:27017,lemonldap_2.bd.interne.urgences-sante.qc.ca:27017,lemonldap_3.bd.interne.urgences-sante.qc.ca:27017
; authentication parameters
db_name = llng_db
username = quoi
password = cestunsecret
connect_timeout_ms=3000
read_pref_mode = primaryPreferred
replica_set_name = rs0
w = 1
wtimeout = 3000
```
### Logs
```
Dec 5 08:32:10 srv-pr-nginxv2 LLNG[7234]: Apply configuration for reload2.interne.urgences-sante.qc.ca: ok
Dec 5 08:32:10 srv-pr-nginxv2 LLNG[7234]: Apply configuration for reload4.dmz.urgences-sante.qc.ca: ok
Dec 5 08:32:10 srv-pr-nginxv2 LLNG[7234]: Apply configuration for reload3.dmz.urgences-sante.qc.ca: ok
Dec 5 08:32:10 srv-pr-nginxv2 LLNG[7234]: Apply configuration for reload1.dmz.urgences-sante.qc.ca: ok
Dec 5 08:32:10 srv-pr-nginxv2 LLNG[7234]: Apply configuration for reload1.interne.urgences-sante.qc.ca: ok
Dec 5 08:32:10 srv-pr-nginxv2 LLNG[7234]: [anonymous] encountered object 'MongoDB::InsertOneResult=HASH(0x717fc98)', but neither allow_blessed nor convert_blessed settings are enabled at /usr/share/perl5/vendor_perl/Lemonldap/NG/Common/PSGI.pm line 119.
Dec 5 08:32:10 srv-pr-nginxv2 LLNG[7234]: Error 500: encountered object 'MongoDB::InsertOneResult=HASH(0x717fc98)', but neither allow_blessed nor convert_blessed settings are enabled at /usr/share/perl5/vendor_perl/Lemonldap/NG/Common/PSGI.pm line 119.
```
### Backends used
MongoDB
### Possible fixes

Milestone: 2.0.1 | Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1574
## "Manager is unprotected" message when whatToTrace value is not the default
Updated: 2019-01-16T10:09:58Z | Author: Clément OUDOT

Version %2.0.0
When we use the default Nginx configuration for Manager, we always have the warning "The manager is unprotected", even if it is well protected in lemonldap-ng.ini.
I think it is because REMOTE_USER is not set, but even when adding this line, the warning remains:
```
fastcgi_param REMOTE_USER $lmremote_user;
```
I don't see how to force this variable to avoid the warning.

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1576
## Browser doesn't select appropriate Portal language
Updated: 2018-12-14T22:12:20Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0
### Summary
When the lang cookie isn't defined, the browser doesn't select the right Portal language.
### Possible fixes
Issue due to multiple similar languages (fr, fr-FR, fr-CH, etc.)

Milestone: 2.0.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1577
## browser language does not seem to be loaded by portal
Updated: 2020-01-14T12:54:29Z | Author: dcoutadeur dcoutadeur

### Concerned version
Version: 2.0.0
Platform: Any
### Summary
browser language does not seem to be loaded by portal

Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1579
## SOAP Backend error for empty collection
Updated: 2018-12-12T14:12:54Z | Author: Mathieu Lecompte-melançon

### Concerned version
Version: %2.0.0
Platform: Nginx
### Summary
An error happens when trying to connect a second portal to the SOAP backend of the main portal.
Probably due to an empty collection value.
### Logs
```
Dec 11 16:00:11 srv-pr-nginxdmzv2 systemd: Starting FastCGI server for Lemonldap::NG websso system...
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: Logger Lemonldap::NG::Common::Logger::Syslog loaded
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: User logger Lemonldap::NG::Common::Logger::Syslog loaded
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: Check configuration for Lemonldap::NG::Handler::Server::Main
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: Lemonldap::NG::Common::Conf::Backends::SOAP loaded.#012Configuration unchanged, get configuration from cache.
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: Get configuration 455
Dec 11 16:00:11 srv-pr-nginxdmzv2 llng-fastcgi-server: Can't use string ("") as a HASH ref while "strict refs" in use at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/Main/Reload.pm line 216.
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: Loading configuration 455 for process 8139
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: Process 8139 calls defaultValuesInit
Dec 11 16:00:11 srv-pr-nginxdmzv2 LLNG[8139]: Options https for vhost go.interne.urgences-sante.qc.ca: 1
Dec 11 16:00:11 srv-pr-nginxdmzv2 systemd: llng-fastcgi-server.service: control process exited, code=exited status=255
Dec 11 16:00:11 srv-pr-nginxdmzv2 systemd: Failed to start FastCGI server for Lemonldap::NG websso system.
Dec 11 16:00:11 srv-pr-nginxdmzv2 systemd: Unit llng-fastcgi-server.service entered failed state.
Dec 11 16:00:11 srv-pr-nginxdmzv2 systemd: llng-fastcgi-server.service failed.
```
### Backends used
SOAP Config Backend
### Possible fixes
Overloading empty collections in the ini file:
```
groups = {}
grantSessionRules = {}
sessionDataToRemember = {}
trustedProxies = {}
samlIDPMetaDataXML = {}
oidcOPMetaDataJSON = {}
casSrvMetaDataOptions = {}
portalSkinRules = {}
oidcOPMetaDataOptions = {}
SMTPTLSOpts = {}
casSrvMetaDataExportedVars = {}
autoSigninRules = {}
logoutServices = {}
rest2fInitArgs = {}
casStorageOptions = {}
oidcStorageOptions = {}
lwpOpts = {}
casAttributes = {}
casAppMetaDataOptions = {}
rest2fVerifyArgs = {}
sessionDataToRemember = {}
samlIDPMetaDataOptions = {}
nginxCustomHandlers = {}
lwpSslOpts = {}
casAppMetaDataExportedVars = {}
samlStorageOptions = {}
demoExportedVars = {}
oidcOPMetaDataExportedVars = {}
oidcOPMetaDataJWKS = {}
```

Milestone: 2.0.1 | Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1580
## Error when saving in manager (mongoDB as ConfigurationBackend)
Updated: 2018-12-12T14:19:54Z | Author: Yadd

Duplication of #1572 for %1.9.19 changelog

Milestone: 1.9.19 | Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1582
## MongoDB Conf backend loses sub hash keys
Updated: 2018-12-17T20:38:04Z | Author: Mathieu Lecompte-melançon

### Concerned version
Version: %2.0.0
Platform: Nginx
### Summary
In Manager, setting up a combination in the Module list does not seem to keep the Use section.
### Logs
![image](/uploads/6a67b1a534fd70404157e609133659ec/image.png)
```
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6430]: Lemonldap::NG::Handler::Server::Main: configuration is up to date
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6431]: Apply configuration for reload2.interne.urgences-sante.qc.ca: ok
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6431]: Apply configuration for reload4.dmz.urgences-sante.qc.ca: ok
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6431]: Apply configuration for reload3.dmz.urgences-sante.qc.ca: ok
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6431]: Apply configuration for reload1.dmz.urgences-sante.qc.ca: ok
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6431]: Apply configuration for reload1.interne.urgences-sante.qc.ca: ok
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6431]: $VAR1 = {'cfgNum' => 463,'details' => {'__warnings__' => [{'message' => 'Your manager seems to be unprotected'}],'__applyResult__' => [{'message' => 'reload2.dmz.urgences-sante.qc.ca: OK'},{'message' => 'reload4.interne.urgences-sante.qc.ca: OK'},{'message' => 'reload3.interne.urgences-sante.qc.ca: OK'},{'message' => 'reload2.interne.urgences-sante.qc.ca: OK'},{'message' => 'reload4.dmz.urgences-sante.qc.ca: OK'},{'message' => 'reload3.dmz.urgences-sante.qc.ca: OK'},{'message' => 'reload1.dmz.urgences-sante.qc.ca: OK'},{'message' => 'reload1.interne.urgences-sante.qc.ca: OK'}]},'message' => '','result' => 1};
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Start routing confs
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Search for cfgNum in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Cfgnum set to latest
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Search for cfgAuthor in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Cfgnum set to 463
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Search for cfgDate in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Cfgnum set to 463
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Search for cfgAuthorIP in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Cfgnum set to 463
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Search for cfgLog in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Cfgnum set to 463
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Search for cfgVersion in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: Cfgnum set to 463
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: User anonymous ask for configuration metadata (463)
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6425]: $VAR1 = {'cfgVersion' => '2.0.0','cfgLog' => '','prev' => 462,'cfgNum' => 463,'cfgDate' => '1544712900','cfgAuthorIP' => '10.193.11.11','cfgAuthor' => 'anonymous'};
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6426]: Start routing confs
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6426]: User anonymous asks for key portal
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6426]: Search for portal in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6426]: Cfgnum set to 463
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6429]: Start routing confs
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6429]: User anonymous asks for key domain
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6429]: Search for domain in conf
Dec 13 09:55:01 srv-pr-nginxv2 LLNG[6429]: Cfgnum set to 463
```
### Backends used
MongoDB Backend
### Possible fixes

Milestone: 2.0.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1586
## Portal message override does not work on plugins and mail templates
Updated: 2018-12-20T09:48:59Z | Author: Clément OUDOT

When overriding messages in Portal (see https://lemonldap-ng.org/documentation/latest/portalcustom#messages), it works well on main pages (login, menu), but not on mailreset and register.

Milestone: 2.0.1 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1587
## Captcha is not displayed in Register form if mail already exists
Updated: 2018-12-18T10:18:02Z | Author: Clément OUDOT

When we have the error "mail already exists", the captcha is not displayed anymore.

Milestone: 2.0.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1588
## Captcha is validated with additional letters
Updated: 2018-12-20T09:49:41Z | Author: Clément OUDOT

If we add some letters to the captcha code, it is still accepted.
This is a minor issue, but we should not accept a code that is not exactly the same as the one displayed.

Milestone: 2.0.1 | Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1589
## Error in MailReset when asking to resend confirmation mail
Updated: 2018-12-21T14:03:24Z | Author: Clément OUDOT

If you already have a reset session and you ask for a new reset, we ask if you want to resend the confirmation mail.
When doing it we have the error "invalid authentication attempt":
```
Dec 17 11:00:55 llng-site LLNG[39934]: User not authenticated, Try in use, cancel redirection
Dec 17 11:00:55 llng-site LLNG[39934]: Start routing resetpwd
Dec 17 11:00:55 llng-site LLNG[39934]: Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
Dec 17 11:00:55 llng-site LLNG[39934]: Token 1545033775_164 created
Dec 17 11:00:55 llng-site LLNG[39934]: Prepare captcha
Dec 17 11:00:55 llng-site LLNG[39934]: Display called with code: 81
Dec 17 11:00:55 llng-site LLNG[39934]: Skin bootstrap selected from GET/POST parameter
Dec 17 11:00:55 llng-site LLNG[39934]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/mail.tpl
Dec 17 11:00:55 llng-site LLNG[39934]: Skin bootstrap selected from GET/POST parameter
Dec 17 11:00:55 llng-site LLNG[39934]: Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/mail.tpl
Dec 17 11:00:55 llng-site LLNG[39934]: Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action *;frame-ancestors 'none';
```

Milestone: 2.0.1 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1592
## Cannot select a menu tab with ?tab=<tab id> in URL
Updated: 2018-12-18T16:25:34Z | Author: Clément OUDOT

In 1.9, we could display a menu tab by passing the tab parameter in the URL. For example: https://auth.example.com/?tab=password
It does not work in 2.0.

Milestone: 2.0.1 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1594
## Cannot select oidcConsents tab in menu
Updated: 2018-12-17T14:16:13Z | Author: Clément OUDOT

Following #1592, we need to add the oidcConsents tab to the list of menu tabs to be able to select it.

Milestone: 2.0.1 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1603
## Warnings with confirmation required don't work
Updated: 2018-12-30T15:11:18Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: %2.0.1
Platform: all
### Summary
When saving configuration, if a warning with confirmation required is thrown, the warning message isn't displayed.
Documentation snippet:
Subroutines can return one of the following:
- (1) : everything is OK
- (1,message) : OK with a warning
- (0,message) : NOK
- (-1,message) : OK, but must be confirmed (ignored if confirm parameter is set) => doesn't work

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1604
## Manager unit tests randomly failed
Updated: 2018-12-30T15:55:55Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: %"2.1.0"
Platform: all
### Summary
It seems unit tests t/11-save-changed-conf-with-confirmation.t and t/12-save-changed-conf.t randomly fail.
The number of entries (key => applicationList) is not always the same in the response body sent by Portal:
![2](/uploads/41feaeee3deedc21ce59e71fe05566fa/2.png)
![1](/uploads/735cf4aec5c6f32384f6177432997a75/1.png)
![NOK](/uploads/1a66c829d499c6a82fe902d3cc1fd15e/NOK.png)
![OK](/uploads/87e279ba0525cd2c8fa2cd9842088b09/OK.png)

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1607
## Safe errors when saving configuration with lmConfigEditor
Updated: 2019-01-09T07:50:24Z | Author: Clément OUDOT

When saving configuration, I got this error:
```
root@xxx# /usr/share/lemonldap-ng/bin/lmConfigEditor
Running as uid 33 and gid 33 0
Can't locate object method "new" via package "Safe" (perhaps you forgot to load "Safe"?) at /usr/share/perl5/Lemonldap/NG/Manager/Attributes.pm line 32, <F1> line 10422.
```
Seems linked to some value in configuration, I'll try to reproduce.

Milestone: 2.0.2 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1610
## Unable to save empty value for cookie expiration time in Manager
Updated: 2019-01-11T22:31:31Z | Author: Clément OUDOT

When we want to change the value of cookie expiration time in Manager and set it to empty, the Manager detects no changes and we can't save.
If we put 0, the value is not accepted.
We need to be able to disable cookie expiration time.

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1613
## handler https redirection does not work
Updated: 2019-02-05T10:34:19Z | Author: dcoutadeur dcoutadeur

### Concerned version
Version: 2.0.1
Platform: Apache 2.4.6 (CentOS)
### Summary
When setting https for manager vhost, the handler redirects to: `http://manager.example.com:443/`, which obviously displays an error.
When setting https globally, the setting is working. (redirection to https://manager.example.com)
### Backends used
Default install with demo

Milestone: 2.0.2 | Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1614
## Accents not well displayed in Portal
Updated: 2019-01-23T18:35:54Z | Author: Paul Curie

### Concerned version
Version: 2.0.1
Platform: Nginx, config & sessions in files, Debian 9.
### Summary
Accents aren't properly shown in portal: when creating a new Menu category named "testé", it shows properly in the manager, but in portal it shows "test�"; when naming this category "testé" it displays correctly in portal as "testé".

Milestone: 2.0.2 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1618
## Version in server signature is wrong
Updated: 2019-02-01T10:25:19Z | Author: Clément OUDOT

In Handler we set the server signature in lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Init.pm, but it does not use the main $VERSION from lemonldap-ng-handler/lib/Lemonldap/NG/Handler.pm

Milestone: 2.0.2 | Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1623
## ADPwdExpireWarning and ADPwdMaxAge parameters are missing in Manager
Updated: 2019-01-23T12:14:05Z | Author: Christophe Maudoux <chrmdx@gmail.com>

Append ADPwdExpireWarning and ADPwdMaxAge to the Manager tree

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1627
## Display issue with GrantSession plugin
Updated: 2019-02-04T18:01:03Z | Author: Maxime Besson

### Concerned version
Version: 2.0.1+20190124205
Platform: Debian Stretch + Nginx
### Summary
When displaying a session opening rule in the manager, field names are inconsistent:
Compare:
![Screenshot-2019-1-29_LemonLDAP_NG_Manager_2_](/uploads/21891871f2a5b1be6c8a7e6cdd1a4800/Screenshot-2019-1-29_LemonLDAP_NG_Manager_2_.png)
With:
![Screenshot-2019-1-29_LemonLDAP_NG_Manager_3_](/uploads/481cfc8959b10fa49e3fd38bae0009ba/Screenshot-2019-1-29_LemonLDAP_NG_Manager_3_.png)
The "rule" and "message" fields are swapped.

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1628
## GrantSession plugin discloses its message to unlogged users
Updated: 2019-03-15T16:04:15Z | Author: Maxime Besson

### Concerned version
Version: 2.0.1+20190124205
Platform: Debian Stretch + Nginx
### Summary
The evaluation of a session opening condition is made regardless of whether the authentication succeeded or not.
Try the following steps in demo mode:
* Add a session opening condition that restricts login to dwho with `$uid eq "dwho"`
* Try to login as rtyler with a bad password
* The message from GrantSession is displayed.
I think most users are expecting to see an "incorrect password" message instead.
This feels to me like a security/privacy issue, letting an anonymous user know that some logins exist in the system (but cannot login). I'm sure it could be interesting information in some sensitive contexts. I'm flagging the issue as confidential for now.
### Logs
```
Processing authenticate
Prepare token
Token 1548712519_3983 created
-> authResult = 5
Processing setSessionInfo
Processing setMacros
Processing setPersistentSessionInfo
Persistent session found for rtyler
Restore persistent parameter _loginHistory
Processing storeHistory
Current login saved into failedLogin
Current login -> 5
Found 'whatToTrace' -> rtyler
Update rtyler persistent session
Processing code ref
Launching ::Plugins::GrantSession::run
Grant session condition -> $uid eq dwho
Message -> Message
User rtyler was not granted to open session (rule -> Message)
Returned error: 41
Display: info detected
Hidden values -> $VAR1 = undef;
Skin returned: info
Calling sendHtml with template info
Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/info.tpl
Skin bootstrap selected from GET/POST parameter
Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/info.tpl
Required urldc : http://auth.lemontest.lxc/
Set CSP form-action with urldc : http://auth.lemontest.lxc
Required Params URL : http://auth.lemontest.lxc/
Set CSP form-action with Params URL : http://auth.lemontest.lxc
Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self' http://auth.lemontest.lxc http://auth.lemontest.lxc;frame-ancestors 'none';
```
### Possible fixes
Maybe testing for $req->authResult before checking the rules?

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1630
## SSO cookie is sent to protected applications with Nginx-based ReverseProxy
Updated: 2019-02-12T20:39:21Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: %2.0.1
Platform: Nginx
### Summary
SSO cookie is not deleted
### Possible fixes
Bad RegExp

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1636
## SSL and Kerberos Auth Modules don't work with choice
Updated: 2019-02-07T19:28:37Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0.1
Platform: all
### Summary
SSL and Kerberos modules don't work with the Choice module.
Cross-origin resource sharing (CORS) and CSP prevent submitting the AuthSSL request if the Portal and SSL domains mismatch.
### Possible fixes
The 'Id lform' tag is missing but it is required by 'ssl.js'.
Need to adapt the auth choice loop and Choice.pm

Milestone: 2.0.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1639
## User must change password on AD is broken
Updated: 2019-02-16T10:29:17Z | Author: Daniel Berteaud

### Concerned version
Version: 2.0.1
Platform: Nginx
### Summary
I'm using AD (samba4) as auth module, and when I set an account to change its password on next login, it can't log into LL::NG. The usual "Wrong credentials" message is displayed. This was working fine in the 1.9.X days.
This is 100% reproducible, on 3 different installations (with mostly similar configuration). I'm happy to run more tests if you need me to.
### Logs
```
févr. 01 19:07:10 proxyin2 LLNG[7775]: User not authenticated, Try in use, cancel redirection
févr. 01 19:07:10 proxyin2 LLNG[7775]: Start routing default route
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing restoreArgs
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing controlUrl
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Cancel called, push authCancel calls
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Launching ::Issuer::CAS::storeEnvAndCheckGateway
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Launching ::Issuer::OpenIDConnect::exportRequestParameters
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:10 proxyin2 LLNG[7775]: Launching ::Plugins::AutoSignin::check
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing extractFormInfo
févr. 01 19:07:10 proxyin2 LLNG[7775]: Trying to load token 1548972544_5139
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing getUser
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing authenticate
févr. 01 19:07:10 proxyin2 LLNG[7775]: Call bind for CN=Test,OU=People,DC=lapiole,DC=org
févr. 01 19:07:10 proxyin2 LLNG[7775]: Bad password
févr. 01 19:07:10 proxyin2 llng-fastcgi-server[7773]: Use of uninitialized value $computed in bitwise and (&) at /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Auth/AD.pm line 77.
févr. 01 19:07:10 proxyin2 LLNG[7775]: -> authResult = 5
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing setSessionInfo
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing setMacros
févr. 01 19:07:10 proxyin2 LLNG[7775]: Processing setPersistentSessionInfo
févr. 01 19:07:11 proxyin2 LLNG[7775]: Persistent session found for test
févr. 01 19:07:11 proxyin2 LLNG[7775]: Restore persistent parameter loginHistory
févr. 01 19:07:11 proxyin2 LLNG[7775]: Restore persistent parameter _loginHistory
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing storeHistory
févr. 01 19:07:11 proxyin2 LLNG[7775]: Current login saved into failedLogin
févr. 01 19:07:11 proxyin2 LLNG[7775]: Current login -> 5
févr. 01 19:07:11 proxyin2 LLNG[7775]: Found 'whatToTrace' -> test
févr. 01 19:07:11 proxyin2 LLNG[7775]: Update test persistent session
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:11 proxyin2 LLNG[7775]: Launching ::Plugins::BruteForceProtection::run
févr. 01 19:07:11 proxyin2 LLNG[7775]: Number of failedLogin = 2
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:11 proxyin2 LLNG[7775]: Launching ::Plugins::GrantSession::run
févr. 01 19:07:11 proxyin2 LLNG[7775]: Processing code ref
févr. 01 19:07:11 proxyin2 LLNG[7775]: Returned error: 5
févr. 01 19:07:11 proxyin2 LLNG[7775]: Skin returned: error
févr. 01 19:07:11 proxyin2 LLNG[7775]: Calling sendHtml with template error
```
### Backends used
Using MySQL as storage backend for both config and session (Browsable::MySQL)

Milestone: 2.0.2
Assignee: Clément OUDOT

## Unable to select skin from URL

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1642
Updated: 2019-02-05T18:08:36Z
Author: Clément OUDOT

When using the skin GET parameter, the selected skin is not displayed. I think skin rules are also broken.
The log shows that templateDir is initialized before calling getSkin:
```
[debug] Calling sendHtml with template login
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
[debug] Skin myskin selected from GET/POST parameter
[debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
```
In Portal::Main::Init, we can't call getSkin as we don't have the request parameter. We should be able to select skin before calling sendHtml.
@guimard I need your help on this to find the best way to fix this regression.

Milestone: 2.0.2
Assignee: Yadd

## Portal CSS is sent with empty background when portalSkinBackground is not defined

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1643
Updated: 2019-02-05T17:47:49Z
Author: Clément OUDOT

When we want to disable portalSkinBackground, portal.css is sent with bogus code:
```css
html,body {
background:url("/static/common/backgrounds/") no-repeat center fixed;
background-size:cover;
}
```
This leads to errors in web server logs:
```
2019/02/05 17:22:14 [error] 90151#90151: *21 directory index of "/usr/share/lemonldap-ng/portal/htdocs/static/common/backgrounds/" is forbidden, client: 81.250.130.213, server: auth.openid.club, request: "GET /static/common/backgrounds/ HTTP/1.1", host: "auth.openid.club", referrer: "https://auth.openid.club/portal.css"
```

Milestone: 2.0.2
Assignee: Clément OUDOT

## Error while resetting password with ppolicy enabled

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1644
Updated: 2019-02-07T19:16:58Z
Author: dcoutadeur

### Concerned version
```
Apache/2.4.25 (Debian) (prefork)
Debian 9.7
libapache2-mod-perl2 2.0.10-2
libmouse-perl 2.4.7-1
```
Platform: (Apache -> Any ?)
### Summary
When enabling OpenLDAP ppolicy, the password change is sometimes incorrect.
```
Password policy control -> enabled
Extended password modify -> disabled
change as user -> enabled
```
Working kinematic:
- log in as non-privileged user
- change password (ask old one)
- password changed
Non-working kinematic:
- log in as non-privileged user
- change password (ask old one), entering a new password that does not match the ppolicy (for example too short password)
- ppolicy shows the correct message: password too short,
- change password (ask old one), entering a new password that matches the ppolicy
-> ERROR: Bad old password
Note that restarting Apache fixes the problem. The error occurs any time after a ppolicy error is returned.
After investigating, I found out that error occurs in file Net/LDAP.pm:
```perl
else {
    if ($oldpassword) {

        # Check old password with a bind
        $mesg = $self->bind(
            $dn,
            password => $oldpassword,
            control  => [$pp]
        );
        my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
        unless ( defined $bind_resp ) {
            if ( $mesg->code != 0 ) {
                $self->{portal}->logger->debug("Bad old password");
                return PE_BADOLDPASSWORD;
            }
        }
```
I noticed that the bind operation fails with a $mesg->code equal to 81, and the BIND operation is never sent to the LDAP server, as if there was a cache in the Net::LDAP library or Lemon code.
Variables $dn and $oldpassword are correctly set.
### Logs
```
[debug] Launching ::Password::LDAP::_modifyPassword
[debug] Get DN from request data: cn=user,ou=branch,dc=domain,dc=com
[debug] Call modify password for cn=user,ou=branch,dc=domain,dc=com
[debug] Call bind for cn=user,ou=branch,dc=domain,dc=com
[debug] Bad old password
[debug] Unbind and disconnect from ldaps://ldap.domain.com
[debug] Returned error: 39
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self';frame-ancestors 'none';
```
### Backends used

Milestone: 2.0.2
Assignee: Yadd

## ldapAuthnLevel and dbiAuthnLevel are ignored

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1648
Updated: 2019-02-11T10:56:13Z
Author: Clément OUDOT

The configuration attributes ldapAuthnLevel and dbiAuthnLevel are not used in portal code. We only have the WebForm authentication level.

Milestone: 2.0.2
Assignee: Clément OUDOT

## Error about Handler when saving configuration in lmConfigEditor

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1649
Updated: 2019-02-11T17:00:54Z
Author: Clément OUDOT

From the latest 2.0 code:
```
root@llng-site:~# /usr/share/lemonldap-ng/bin/lmConfigEditor
Running as uid 33 and gid 33 0
Test cookieNameChanged failed: Can't locate object method "tsv" via package "Lemonldap::NG::Handler::Main" (perhaps you forgot to load "Lemonldap::NG::Handler::Main"?) at /usr/share/perl5/Lemonldap/NG/Manager/Conf/Tests.pm line 241, <F1> line 1427.
Test testApacheSession failed: Can't locate object method "tsv" via package "Lemonldap::NG::Handler::Main" (perhaps you forgot to load "Lemonldap::NG::Handler::Main"?) at /usr/share/perl5/Lemonldap/NG/Manager/Conf/Tests.pm line 202, <F1> line 1427.
Configuration 404 saved
```
I will push a fix.

Milestone: 2.0.2
Assignee: Clément OUDOT

## Password must change on AD still not fully working

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1654
Updated: 2019-04-02T09:26:17Z
Author: Daniel Berteaud

### Concerned version
Version: 2.0.2
Platform: CentOS 7 + nginx 1.15.8 with lua module
### Summary
This is a follow-up of bug #1639.
Progress has been made, but the functionality to force a user to change its password on next login is still not perfectly working against AD (samba4 in my case).
Here's what happens:
* I create a user test, set a temp password and tick "User must change password on next login"
* I log this user on llng portal. I do get the "Password has been reset and now must be changed" information, and the form to reset the password (BTW, the "Password has been reset and now must be changed" msg is displayed in red, as if it was an error, while IMHO it should be displayed as an info, not an error). At this point, here are the logs:
```
févr. 16 11:24:13 proxyin2 LLNG[19922]: Launching ::Plugins::AutoSignin::check
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing extractFormInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Trying to load token 1550240758_-24306
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing getUser
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing authenticate
févr. 16 11:24:13 proxyin2 LLNG[19922]: Call bind for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:24:13 proxyin2 LLNG[19922]: Bad password
févr. 16 11:24:13 proxyin2 LLNG[19922]: [AD] Password has expired
févr. 16 11:24:13 proxyin2 LLNG[19922]: [AD] Password reset. User must change his password
févr. 16 11:24:13 proxyin2 LLNG[19922]: Prepare token
févr. 16 11:24:13 proxyin2 LLNG[19922]: Token 1550240773_-1658 created
févr. 16 11:24:13 proxyin2 LLNG[19922]: -> authResult = 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setSessionInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setMacros
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing setPersistentSessionInfo
févr. 16 11:24:13 proxyin2 LLNG[19922]: Persistent session found for test
févr. 16 11:24:13 proxyin2 LLNG[19922]: Restore persistent parameter _loginHistory
févr. 16 11:24:13 proxyin2 LLNG[19922]: Restore persistent parameter _updateTime
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing storeHistory
févr. 16 11:24:13 proxyin2 LLNG[19922]: Current login saved into failedLogin
févr. 16 11:24:13 proxyin2 LLNG[19922]: Current login -> 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Found 'whatToTrace' -> test
févr. 16 11:24:13 proxyin2 LLNG[19922]: Update test persistent session
févr. 16 11:24:13 proxyin2 LLNG[19922]: Processing code ref
févr. 16 11:24:13 proxyin2 LLNG[19922]: Launching ::Plugins::GrantSession::run
févr. 16 11:24:13 proxyin2 LLNG[19922]: Returned error: 5
févr. 16 11:24:13 proxyin2 LLNG[19922]: Returned error: 25
févr. 16 11:24:13 proxyin2 LLNG[19922]: Skin returned: login
févr. 16 11:24:13 proxyin2 LLNG[19922]: Calling sendHtml with template login
févr. 16 11:24:13 proxyin2 LLNG[19922]: Skin bootstrap selected from GET/POST parameter
févr. 16 11:24:13 proxyin2 LLNG[19922]: Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/login.tpl
```
* Now, I enter the old password, and the new one twice, and submit the form. I'd expect to be redirected on the portal. But I'm not. Instead, I just see again the form to change my password because it has expired. Here're the logs when I submit the reset password form
```
févr. 16 11:25:06 proxyin2 LLNG[19925]: Launching ::Plugins::AutoSignin::check
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing extractFormInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Trying to load token 1550240773_-1658
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing getUser
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing authenticate
févr. 16 11:25:06 proxyin2 LLNG[19925]: Call modify password for CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:25:06 proxyin2 LLNG[19925]: Active Directory mode enabled
févr. 16 11:25:06 proxyin2 LLNG[19925]: Modification return code: 0
févr. 16 11:25:06 proxyin2 LLNG[19925]: Password changed CN=Test User,OU=People,DC=lapiole,DC=org
févr. 16 11:25:06 proxyin2 LLNG[19925]: Update password in session for test
févr. 16 11:25:06 proxyin2 LLNG[19925]: [AD] Password has expired
févr. 16 11:25:06 proxyin2 LLNG[19925]: [AD] Password reset. User must change his password
févr. 16 11:25:06 proxyin2 LLNG[19925]: Prepare token
févr. 16 11:25:06 proxyin2 LLNG[19925]: Token 1550240826_-15384 created
févr. 16 11:25:06 proxyin2 LLNG[19925]: -> authResult = 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setSessionInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setMacros
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing setPersistentSessionInfo
févr. 16 11:25:06 proxyin2 LLNG[19925]: Persistent session found for test
févr. 16 11:25:06 proxyin2 LLNG[19925]: Restore persistent parameter _loginHistory
févr. 16 11:25:06 proxyin2 LLNG[19925]: Restore persistent parameter _updateTime
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing storeHistory
févr. 16 11:25:06 proxyin2 LLNG[19925]: Current login saved into failedLogin
févr. 16 11:25:06 proxyin2 LLNG[19925]: Current login -> 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Found 'whatToTrace' -> test
févr. 16 11:25:06 proxyin2 LLNG[19925]: Update test persistent session
févr. 16 11:25:06 proxyin2 LLNG[19925]: Processing code ref
févr. 16 11:25:06 proxyin2 LLNG[19925]: Launching ::Plugins::GrantSession::run
févr. 16 11:25:06 proxyin2 LLNG[19925]: Returned error: 5
févr. 16 11:25:06 proxyin2 LLNG[19925]: Returned error: 25
févr. 16 11:25:06 proxyin2 LLNG[19925]: Skin returned: login
févr. 16 11:25:06 proxyin2 LLNG[19925]: Calling sendHtml with template login
févr. 16 11:25:06 proxyin2 LLNG[19925]: Skin bootstrap selected from GET/POST parameter
```
* If I just open a new tab on the portal, I can login with the new password, and I don't get the password expired.
### Backends used
CentOS 7, nginx 1.15.8 with lua module, LL::NG 2.0.2. DBI (MySQL) used for both config and session

Milestone: 2.0.3
Assignee: Clément OUDOT

## Can't delete notifications from the manager

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1655
Updated: 2019-06-12T11:46:43Z
Author: Daniel Berteaud

### Concerned version
Version: %"2.0.3"
Platform: CentOS 7 + nginx 1.15.8 with lua module, DBI (Mysql) for config, sessions, notifications
### Summary
Follow-up of bug #1640. I now can create notifications, but am still not able to delete them from the manager. I get the "The notification hasn't been removed" message. The DELETE request gets a 400 answer.
### Logs
```
févr. 17 11:36:10 proxyin2 LLNG[29248]: Bad date 2019-02-17 00:00:00
févr. 17 11:36:10 proxyin2 LLNG[29248]: Notification 2019-02-17 00:00:00#dani#test1 not purged ()
févr. 17 11:36:10 proxyin2 LLNG[29248]: [dani] Notification 2019-02-17 00:00:00#dani#test1 not purged ()
févr. 17 11:36:10 proxyin2 LLNG[29248]: Error 400: Notification 2019-02-17 00:00:00#dani#test1 not purged ()
```
Looks like there's an issue with the regex supposed to recognize the date.
### Backends used
DBI (MySQL) for everything

Milestone: 2.0.5
Assignee: Yadd

## No IP shown in history logon

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1656
Updated: 2019-04-09T19:55:33Z
Author: Mathieu Lecompte-melançon

### Concerned version
Version: %2.0.2
Platform: Nginx
### Summary
There is no IP displayed in history logon. It is a regression from 1.9.
![image](/uploads/ae2817154c162b65485a51d61031bc9a/image.png)
After checking in persistent session, no IP is stored in _loginHistory.
### Logs
```
ND
```
### Backends used
MONGODB
### Possible fixes

Milestone: 2.0.3
Assignee: Clément OUDOT

## RESTProxy doesn't fully work as a UserDB module

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1659
Updated: 2020-05-09T18:19:33Z
Author: Maxime Besson

### Concerned version
Version: %"2.0.3"
Platform: Any
### Summary
The [REST Proxy module](https://lemonldap-ng.org/documentation/latest/authproxy) is advertised in documentation as supporting UserDB functionality, but doesn't seem to work that way.
In order to reproduce, set up a LemonLDAP::NG instance to proxy authentication to another server, then try either:
* An auto-signin rule
* A password reset
In both cases, the following appears in logs
### Logs
On the proxy LLNG server:
```
LLNG[126]: Processing getUser
LLNG[126]: Proxy push auth to http://auth.example-backend.com/
LLNG[126]: Unable to query authentication service: 401 Unauthorized
```
On the backend LLNG server:
```
LLNG[138]: Returned error: 2 (PE_FORMEMPTY)
```
because the backend receives an empty 'password' field
### Backends used
Demo backend
### Possible fixes
Maybe implement a proper userinfo REST endpoint?

Milestone: 2.0.9
Assignee: Maxime Besson

## id_token validity not correctly evaluated

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1662
Updated: 2019-03-03T08:23:08Z
Author: dcoutadeur

Hi,
id_token validity not correctly evaluated:
in `Portal/Lib/OpenIDConnect.pm`
before:
```perl
sub checkIDTokenValidity {
    [...]
    my $auth_time = $id_token->{auth_time};
    if ($max_age) {
        unless ($auth_time) {
            $self->logger->error("Auth time was not returned by OP $op");
            return 0;
        }
        if ( $auth_time + $max_age > time ) {
```
after:
```perl
sub checkIDTokenValidity {
    [...]
    my $auth_time = $id_token->{auth_time};
    if ($max_age) {
        unless ($auth_time) {
            $self->logger->error("Auth time was not returned by OP $op");
            return 0;
        }
        if ( time > $auth_time + $max_age ) {
```
Explanation: the current time should be before the max_time (max_time = $auth_time + $max_age)
The test above is the error case, so we should test the contrary.

Milestone: 1.9.19
Assignee: dcoutadeur

## [Security:medium] Option userControl is not applied anymore in standard login process

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1667
Updated: 2019-04-10T21:21:04Z
Author: Clément OUDOT

Looking at the code, the userControl parameter is only applied in password reset and register:
```
clement@ader-worteks:~/dev/lemonldap-ng$ grep -r userControl lemonldap-ng-portal/
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/MailPasswordReset.pm: unless ( $req->{user} =~ /$self->{conf}->{userControl}/o ) {
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Register.pm: m/$self->{conf}->{userControl}/o );
```
It should also be applied in standard login process.

Milestone: 2.0.3
Assignee: Christophe Maudoux

## Error in SP-initiated SAML logout with multiple SP

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1671
Updated: 2019-04-03T10:36:11Z
Author: Maxime Besson

### Concerned version
Version: 2.0
### Summary
A fatal error (500) is encountered when logging out from a SAML service provider if another SAML service session is active.
The following steps can be used to reproduce:
* Create and register two service providers (in my example, mod_auth_mellon)
* Login to both service providers
* Use a SP-Initiated logout on one service provider (/secret/saml/logout?ReturnTo=http://sp.example.com/ with Mellon)
* Get an error 500 from Lemon
### Logs
In nginx logs
```
FastCGI sent in stderr: "Can't locate object method "do" via package "Lemonldap::NG::Portal::Issuer::SAML" at /usr/share/perl5/Lemonldap/NG/Portal/Issuer/SAML.pm line 1619" while reading response header from upstream
```
### Possible fixes
The issue is simple enough to find in Issuer/SAML.pm
```perl
# If no waiting SP, return directly SLO response
(...)

# Else build SLO status relay URL and display info
else {
    $req->{urldc} =
      $self->conf->{portal} . '/saml/relaySingleLogoutTermination';
    $self->p->setHiddenFormValue( $req, 'relay', $relayID );
    return $self->do( $req, [] );
}
```
However, replacing `$self->do` with `$self->p->do` doesn't improve the situation much, because there is no route for /saml/relaySingleLogoutTermination.

Milestone: 2.0.3
Assignee: Clément OUDOT

## In SAML Issuer, environment variables to store current SP are not filled

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1672
Updated: 2019-03-13T09:55:16Z
Author: Clément OUDOT

The storeEnv method is called to fill `llng_saml_sp` and `llng_saml_spconfkey` env, but nothing is stored.
Fix is coming.

Milestone: 2.0.3
Assignee: Clément OUDOT

## Application list display and specific rules

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1673
Updated: 2019-03-25T18:35:07Z
Author: Carl R.

### Concerned version
Version: %2.0.2
Platform: (Nginx/Apache/Node.js)
### Summary
Application display does not always respect defined specific rule
### Logs
```
no logs
```
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes
I tried to identify the bug and found that it seems to come from what's called the "cache". Once I commented it out, every application is rightfully displayed or hidden, according to the defined special appdisplay rule:
in /usr/share/perl5/vendor_perl/Lemonldap/NG/Portal/Main/Menu.pm :
```perl
## @method private string _filterHash(hashref apphash)
# Remove unauthorized menu elements
# @param $apphash Menu elements
# @return filtered hash
sub _filterHash {
    my ( $self, $req, $apphash ) = @_;
    foreach my $key ( keys %$apphash ) {
        next if $key =~ /(type|options|catname)/;
        if ( $apphash->{$key}->{type}
            and $apphash->{$key}->{type} eq "category" )
        {
            # Filter the category
            $self->_filterHash( $req, $apphash->{$key} );
        }
        if ( $apphash->{$key}->{type}
            and $apphash->{$key}->{type} eq "application" )
        {
            # Find sub applications and filter them
            foreach my $appkey ( keys %{ $apphash->{$key} } ) {
                next if $appkey =~ /(type|options|catname)/;

                # We have sub elements, so we filter them
                $self->_filterHash( $req, $apphash->{$key} );
            }

            # Check rights
            my $appdisplay = $apphash->{$key}->{options}->{display}
              || "auto";
            my ( $vhost, $appuri ) =
              $apphash->{$key}->{options}->{uri} =~ m#^https?://([^/]*)(.*)#;
            $vhost =~ s/:\d+$//;
            $vhost = $self->p->HANDLER->resolveAlias($vhost);
            $appuri ||= '/';

            # Remove if display is "no" or "off"
            delete $apphash->{$key} and next if ( $appdisplay =~ /^(no|off)$/ );

            # Keep node if display is "yes" or "on"
            next if ( $appdisplay =~ /^(yes|on)$/ );
            my $cond = undef;

            # Handle partner rules (SAML, CAS or OIDC)
            if ( $appdisplay =~ /^sp:\s*(.*)$/ ) {
                $self->logger->warn("jepassedanssamlcasoidc");    #pouet
                my $p = $1;
                if ( my $sub = $self->p->spRules->{$p} ) {
                    eval {
                        delete $apphash->{$key}
                          unless ( $sub->( $req, $req->sessionInfo ) );
                    };
                    if ($@) {
                        $self->logger->error("Partner rule $p returns: $@");
                    }
                }
                next;
            }

            # If a specific rule exists, get it from cache or compile it
            if ( $appdisplay !~ /^auto$/i ) {

                # if ( $self->specific->{$appuri} ) {
                #     $cond = $self->specific->{$appuri};
                # }
                # else {
                $cond = $self->specific->{$appuri} =
                  $self->p->HANDLER->buildSub(
                    $self->p->HANDLER->substitute($appdisplay) );

                # }
            }

            # Check grant function if display is "auto" (this is the default)
            delete $apphash->{$key}
              unless (
                $self->p->HANDLER->grant(
                    $req, $req->sessionInfo, $appuri, $cond, $vhost
                )
              );
            next;
        }
    }
}
```

Milestone: 2.0.3
Assignee: Yadd

## [Security:minor] Using /logout instead of /?logout=1 does not work

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1675
Updated: 2019-04-10T21:22:53Z
Author: Clément OUDOT

In LL::NG 2.0, it seems that a specific route has been created for logout, but it is not working.
Here is the log when calling http://auth.example.com/logout:
```
auth.example.com:80 127.0.0.1 - - [21/Mar/2019:09:15:38 +0100] "GET /static/common/apps/network.png HTTP/1.1" 304 263
[debug] Get session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd from Handler internal cache
[debug] auth.example.com: Apply default rule
[debug] removing cookie
[debug] Cookies -> llnglanguage=fr; lemonldap=10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] CookieName -> lemonldap
[debug] newCookies -> llnglanguage=fr;
[debug] User dwho was granted to access to /logout
[debug] Start routing logout
[debug] Processing controlUrl
[debug] Processing authLogout
[debug] Cleaning pdata
[debug] Processing deleteSession
[debug] Returned error: 47
[debug] Calling autoredirect
[debug] Skin returned: login
[debug] Calling sendHtml with template login
```
And here with http://auth.example.com/?logout=1:
```
[debug] Get session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd from Handler::Main::Run
[debug] Check session validity from Handler
[debug] Session timeout -> 72000
[debug] Session _utime -> 1553156138
[debug] now -> 1553156173
[debug] Session timeoutActivityInterval -> 60
[debug] Session TTL = 71965
[debug] auth.example.com: Apply default rule
[debug] removing cookie
[debug] Cookies -> llnglanguage=fr; lemonldap=10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] CookieName -> lemonldap
[debug] newCookies -> llnglanguage=fr;
[debug] User dwho was granted to access to /?logout=1
[debug] Start routing default route
[debug] Processing importHandlerData
[debug] Processing controlUrl
[debug] Processing checkLogout
[debug] Processing authLogout
[debug] Cleaning pdata
[debug] Processing deleteSession
[debug] Try to get SSO session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] Get session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd from Portal::Main::Run
[debug] Return SSO session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd
[debug] Local handler logout
[notice] User dwho has been disconnected
[debug] Session 10380b49602162d0727a53e74796d00e50ea71c2b051b369ea09b743042ef7fd deleted from global storage
[debug] Returned error: 47
[debug] Calling autoredirect
[debug] Skin returned: login
[debug] Calling sendHtml with template login
```
In the first case the session is not deleted.

Milestone: 2.0.3
Assignee: Christophe Maudoux

## Active Directory connection information not saved

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1676
Updated: 2019-03-26T15:34:52Z
Author: Ainal Saidin

### Concerned version
Version: 2.0.2
Platform: Apache (installed using RPMs)
### Summary
Active Directory connection information is not saved. This happens when adding AD as backend or editing existing AD connection after upgrade from version 1.9 or earlier. LDAP information, on the other hand, is saved. That is, LDAP connection information is saved when configuring LDAP backend.
When I used the difference viewer it says General Parameters --> Authentication Parameters --> Choice parameters --> Allowed Modules --> AD : New value AD;AD;AD;;;{}
### Logs
The configuration difference viewer shows General Parameters --> Authentication Parameters --> Choice parameters --> Allowed Modules --> AD : New value AD;AD;AD;;;{}
### Backends used
Active Directory

Milestone: 2.0.3
Assignee: Clément OUDOT

## Default jQuery URL in form replay has changed

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1679
Updated: 2019-03-25T12:37:04Z
Author: Clément OUDOT

The default jQuery URL is using the old jQuery:
```perl
$jqueryUrl = &{ $class->tsv->{portal} } . "skins/common/js/jquery-1.10.2.js"
  if ( $jqueryUrl eq "default" );
```
We should now use the jquery in bwr/
Fix is coming.

Milestone: 2.0.3
Assignee: Clément OUDOT

## In form replay, POST data keys are not URL encoded

Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1680
Updated: 2019-03-25T13:24:01Z
Author: Clément OUDOT

In our code, we URI encode POST data values, but keys must be encoded too:
```perl
foreach ( keys %data ) {
    $data{$_} = uri_escape( $data{$_} );
}
```
Fix is coming.
Milestone: 2.0.3
Assignee: Clément OUDOT

## LinkedIn OAuth2 authentication is not available in combination modules list
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1682
Updated: 2019-03-26T06:01:32Z
Author: Julien Ledoux
### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
### Summary
LinkedIn OAuth2 authentication is not available in combination modules list
As discussed with Clément OUDOT, it seems like it's just an oversight. No big deal.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Changing configuration option cspScript has no effect
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1683
Updated: 2019-03-26T08:57:02Z
Author: Julien Ledoux
### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
### Summary
Changing configuration option cspScript has no effect
In the manager, under General Parameters > Advanced Parameters > Security > Content security policy, changing the 'script source' value has no effect since it's absent from the HTTP headers. I had to change 'default value' instead.
Here is the value I get in portal page response headers:
```
Content-Security-Policy: default-src 'self' 'unsafe-eval';img-src 'self' data:;style-src 'self' 'unsafe-inline';font-src 'self';connect-src 'self';form-action 'self';frame-ancestors 'none';
```
As you can see, 'script-src' is missing.
Milestone: 2.0.3
Assignee: Clément OUDOT

## UI manager: boolean values do not appear in configuration forms with Yaml config format
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1684
Updated: 2019-04-16T11:39:47Z
Author: Julien Ledoux
### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork) / Yaml config
### Summary
UI manager: boolean values do not appear in configuration forms with Yaml config format
Don't know if it's related to the Yaml config format, but in the UI manager all boolean field values are not displayed in forms, neither on startup with a fresh custom config, nor after changing their values within the UI; they still appear blank (I've attached a screenshot).
It's not related to a specific browser. I've tested with Chrome, Firefox and Safari.
![Capture_d_écran_2019-03-26_à_10.13.13](/uploads/41fd13428417bc4e486b6f191c36b5bf/Capture_d_écran_2019-03-26_à_10.13.13.png)
Milestone: 2.0.4
Assignee: Yadd

## SOAP Portal WSDL file is invalid
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1686
Updated: 2019-04-15T06:15:03Z
Author: Julien Ledoux
### Concerned version
Version: 2.0.2
Platform: Docker / CentOS 7 / Apache 2.4.6 (mpm prefork)
### Summary
SOAP Portal WSDL file is invalid
I know SOAP web services are deprecated, but the functionality is still available, so I tried it out, but I can't import the portal WSDL file into SoapUI. It says something is wrong with the file. I don't have this issue with 1.9.x.
![Capture_d_écran_2019-03-26_à_18.33.49](/uploads/2c9f5bfbee82e740040d0822bcbc4f69/Capture_d_écran_2019-03-26_à_18.33.49.png)
![Capture_d_écran_2019-03-26_à_18.33.30](/uploads/54ef81ca2a4dd54dcbe1ca6ca601050d/Capture_d_écran_2019-03-26_à_18.33.30.png)
Milestone: 2.0.3
Assignee: Yadd

## Password policy can't display messages
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1691
Updated: 2019-04-09T11:36:11Z
Author: Yadd
### Concerned version
Version: %2.0.0
Platform: Any
### Summary & logs
From lemonldap-ng-users@ow2.org:
> Our organization made the switch from the 1.9 branch to 2.0 (presently on 2.0.2) and we have been receiving dozens of reports from users that they are receiving an "Internal Server Error" (white background, plain text) when visiting the Portal or trying to log in. Our nginx logs are peppered with the following:
```
Can't locate object method "loadTemplate" via package "Lemonldap::NG::Portal::Lib::Net::LDAP" at /usr/local/share/perl5/site_perl/Lemonldap/NG/Portal/Lib/Net/LDAP.pm line 223" POST /?cancel=1 HTTP/1.1 and also POST /saml/singleSignOn?SAMLRequest=......
```
Milestone: 2.0.3
Assignee: Clément OUDOT

## Parameter base64 is ignored in setHiddenFormValue
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1692
Updated: 2019-04-03T15:55:12Z
Author: Clément OUDOT
The value is never encoded in base64, but when using getHiddenFormValue, the decoding is done.
If I just add the base64 encoding, it breaks the unit test; we need to update all the code using setHiddenFormValue.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Information is not displayed in logout process
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1693
Updated: 2019-04-01T15:19:01Z
Author: Clément OUDOT
This issue is a prerequisite to solve #1671
If `$req->info` is filled but the process ends with `PE_LOGOUT_OK`, the info is never displayed.
Milestone: 2.0.3
Assignee: Clément OUDOT

## Invalid pdata causes SAML login to fail after logout
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1698
Updated: 2019-04-05T21:29:50Z
Author: Maxime Besson
### Concerned version
Version: 2.0
### Summary
* Browse to an SP
* Portal shows login form and creates an issuerRequestSAML pdata
* Fill login form
* Be redirected to SP successfully
* Logout
* Browse to SP again
* Portal shows the login form but does not recreate an issuerRequestSAML, and uses the same token from the first time instead
* "An error occured during SAML authentication"
### Logs
First time:
```
LLNG[9822]: Store issuer request
LLNG[9822]: Token 1554223232_-28414 created
LLNG[9817]: Trying to load token 1554223232_-28414
LLNG[9817]: Restoring request from 1554223232_-28414
```
Second time:
```
LLNG[9816]: Trying to load token 1554223232_-28414
LLNG[9816]: Bad (or expired) token 1554223232_-28414
```
### Possible fixes
* Quick and dirty fix: restart your web browser after logout
* Real fix: clear the pdata after SAML login, or at least make sure a samlIssuerRequest is generated each time
Milestone: 2.0.3
Assignee: Maxime Besson

## lmerror page loops on url parameter
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1708
Updated: 2019-05-28T19:57:28Z
Author: Yadd
lmerror calls `controlUrl()`, which sets the url parameter in persistent data. Then the user loops on this page when clicking Portal links.
Milestone: 2.0.3
Assignee: Yadd

## ViewDiff template not displayed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1709
Updated: 2019-04-11T15:46:30Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: 2.0.3
Platform: all
### Summary
ViewDiff SPA not loaded
###
Typo
Milestone: 2.0.4
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Configuration keys not displayed in Viewer
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1710
Updated: 2019-04-12T21:38:36Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: 2.0.3
Platform: All
### Summary
Conf keys are not displayed in Viewer if viewerAllowBrowser option is not set.
### Possible fixes
Manage route in function
Milestone: 2.0.4
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## [Security:minor] Update jQuery
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1716
Updated: 2019-04-19T12:53:09Z
Author: Yadd
### Concerned version
Version: all
Platform: any that use our embedded jQuery.
### Summary
jQuery before 3.4.0 is vulnerable to prototype pollution. See [Debian security tracker](https://security-tracker.debian.org/tracker/TEMP-0927330-1DAA6F)
Milestone: 2.0.4
Assignee: Clément OUDOT

## Warnings "Devel::StackTrace" when using non-native Perl functions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1717
Updated: 2020-03-28T13:26:14Z
Author: Antoine Rosier
Encoding a header into base64 does not fail but displays a warning.
Reproduce:
- last build 2.0.3
- choose a header in a vhost
- as value, write: `encode_base64($value)`
Message appears when trying to save the manager conf:
```
Avertissements
exportedHeaders/<application>/<header>: Mauvaise expression: Can't locate object method "new" via package "Devel::StackTrace" (perhaps you forgot to load "Devel::StackTrace"?) at (eval 16) line 1.
```
Milestone: 2.0.5
Assignee: Yadd

## Duplicate session opening when using multiple Kerberos instances in Combination
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1720
Updated: 2020-06-04T13:59:30Z
Author: Maxime Besson
### Concerned version
Version: %2.0.3
### Summary
My LemonLDAP::NG instance authenticates users from multiple Windows domains. I have created a keytab containing several principals, as shown in the documentation.
My combination expression is:
```
[Kerberos, AD1] or [Kerberos, AD2]
```
And I of course set KrbByJS = 1
Because of that, the Kerberos AJAX query is run twice, and
And it works perfectly fine, users from AD1 and AD2 are recognized with Kerberos
However, the Kerberos JS is called twice on the login page:
However, some browsers (IE, old Firefox) run the Kerberos AJAX twice and open two sessions.
The only side effect is that the DB is polluted with useless sessions.
### Logs
Login page:
```
<script type="text/javascript" src="/static/bootstrap/js/skin.min.js"></script>
<script type="text/javascript" src="/static/common/js/portal.min.js"></script>
<script type="text/javascript" src="/static/bwr/bootstrap/dist/js/bootstrap.min.js"></script>
<script type="text/javascript" src="/static/common/js/kerberos.js"></script><script type="text/javascript" src="/static/common/js/kerberos.js"></script>
<!-- Custom <head> markups, like CSS, js, etc. -->
```
Logs:
```
[debug] Processing extractFormInfo
[debug] Append Kerberos init/script
[debug] Send init/script -> <script type="text/javascript" src="/static/common/js/kerberos.js"></script>
[debug] Store 0 in hidden key kerberos
[info] Scheme "Kerberos" returned 9, trying next
[debug] Processing extractFormInfo
[debug] Append Kerberos init/script
[debug] Send init/script -> <script type="text/javascript" src="/static/common/js/kerberos.js"></script><script type="text/javascript" src="/static/common/js/kerberos.js"></script>
[debug] Store 0 in hidden key kerberos
```
### Possible fixes
My temporary fix is adding a '$req->data' key in `Portal/Auth/Kerberos.pm` to remember that we already sent the JS code before.
```perl
# Call kerberos.js if Kerberos is the only Auth module
# kerberosChoice.js is used by Choice
$self->{AjaxInitScript} =~ s/kerberosChoice/kerberos/;
unless ( $req->data->{_krbJsAlreadySent} ) {
    $req->data->{customScript} .= $self->{AjaxInitScript};
    $self->logger->debug(
        "Send init/script -> " . $req->data->{customScript} );
    $req->data->{_krbJsAlreadySent} = 1;
}
```
Milestone: 2.0.4
Assignee: Maxime Besson

## CAS 1.0 /validate endpoint does not return username
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1724
Updated: 2019-04-28T17:34:47Z
Author: Maxime Besson
### Concerned version
Version: %2.0.3
### Summary
Calling `/cas/validate` returns yes/no, but does not return the username
### Code
In `Issuer::CAS::validate`
```perl
return $self->returnCasValidateSuccess($username);
```
In `Issuer::Lib::CAS`
```perl
# Return success for CAS VALIDATE request
sub returnCasValidateSuccess {
    my ( $self, $req, $username ) = @_;
    $self->logger->debug("Return CAS validate success with username $username");
    return $self->sendSoapResponse( $req, "yes\n$username\n" );
}
```
The arguments passed to `returnCasValidateSuccess` are incorrect; luckily, `sendSoapResponse` does not use `$req` at all, but the username is still missing from the response.
Also luckily, nobody uses CAS 1.0 in the wild ;)
Milestone: 2.0.4
Assignee: Maxime Besson

## Deb package: missing dependency IO::String
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1726
Updated: 2019-04-30T13:21:52Z
Author: Moritz Jordan
### Concerned version
Version: 2.0.x
Platform: deb package ([official](https://lemonldap-ng.org/deb/) and Ubuntu (bionic/disco), probably also Debian)
### Summary
When you install the `lemonldap-ng` deb package and the [SAML dependencies](https://lemonldap-ng.org/documentation/2.0/prereq#saml2) and then activate SAML (`issuerDBSAMLActivation`), you'll get the following error in the portal:
```
Unable to protect this server (Lemonldap::NG::Common::Conf::Backends::File loaded. Configuration unchanged, get configuration from cache.)
```
### Possible fixes
The logs reveal that the IO::String package is missing (`libio-string-perl`).
It is listed as a [core dependency](https://lemonldap-ng.org/documentation/2.0/prereq#core), so I think the deb packages should reflect that.
If it is not required by other parts of LL-NG, then it should be moved to the SAML dependencies.
Milestone: 2.0.4
Assignee: Clément OUDOT

## Invalid default crontab in RPM
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1733
Updated: 2019-05-24T08:45:20Z
Author: Maxime Besson
### Concerned version
Version: %2.0.3
Platform: CentOS (maybe RHEL)
### Summary
The purgeCentralCache crontab does not run on CentOS
### Logs
The crontab provided with the RPM specifies this:
```
10 1/12 * * * __APACHEUSER__ [ -x __BINDIR__/purgeCentralCache ] && __BINDIR__/purgeCentralCache
```
And it never gets launched by cronie, the default crond on CentOS, probably because it doesn't understand the `1/12` syntax. What is it supposed to mean? Twice a day should probably be `1,13` instead if that is what you meant.
The Debian crontab specifies `every 10 minutes`, and does run correctly.
Milestone: 2.0.4
Assignee: Yadd

## Configuration version in Manager is different from software version
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1736
Updated: 2019-05-13T09:46:14Z
Author: Clément OUDOT
When using Manager, we first see the configuration version (under configuration author, number, ...) and this version is not the software version. For an administrator, it is not clear if this configuration version should be the same as the software version. In this case, we should upgrade it; otherwise we may need to explain better what the configuration version is.
Milestone: 2.0.4
Assignee: Yadd

## Error not well caught with Ext2F
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1738
Updated: 2019-05-06T12:29:05Z
Author: Clément OUDOT
When using Ext2F, if the send command fails, we have an error rendering the template:
```
[debug] Launching "Send" external 2F command -> curl -s -G --data-urlencode "from=+412345678" --data-urlencode "username=user" --data-urlencode "'password=password" --data-urlencode "to=$mobile" --data-urlencode "$code" http://sms.example.com/sms
[error] External send command failed (code 1536)
[debug] Processing code ref
[debug] Returned error: 24
[debug] Skin returned: error
[debug] Calling sendHtml with template error
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/error.tpl
[debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';form-action 'self' *.openid.club *.facebook.com *.twitter.com *.renater.com;frame-ancestors 'none';
[debug] Returned error: ARRAY(0x55c1885d7380)
```
We should never have an ARRAY in return code.
Milestone: 2.0.4
Assignee: Clément OUDOT

## Deleted category is not detected as a change when saving conf.
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1741
Updated: 2019-05-11T10:05:27Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %"2.0.3"
### Summary
I deleted a category and I tried to save the new conf.
A warning is displayed -> "No change detected, saving aborted".
Same error occurs with a custom Category.
Create a new category -> save -> OK
Delete custom Category -> Save -> KO (no change detected...)
Deleted Apps are well detected.
```
1: {default: [{data: {catname: "Default category", type: "category"}, id: "applicationList/default",…}],…}
default: [{data: {catname: "Default category", type: "category"}, id: "applicationList/default",…}]
0: {data: {catname: "Default category", type: "category"}, id: "applicationList/default",…}
data: {catname: "Default category", type: "category"}
catname: "Default category"
type: "category"
id: "applicationList/default"
title: "default"
type: "catAndAppList"
help: "portalmenu.html#categories_and_applications"
id: "applicationList"
nodes: [{title: "Administration", id: "applicationList/0003-cat", nodes: [{title: "WebSSO Manager",…},…],…}]
0: {title: "Administration", id: "applicationList/0003-cat", nodes: [{title: "WebSSO Manager",…},…],…}
id: "applicationList/0003-cat"
nodes: [{title: "WebSSO Manager",…},…]
0: {title: "WebSSO Manager",…}
data: {description: "Configure LemonLDAP::NG WebSSO", uri: "https://manager.example.com:19876/manager.html",…}
id: "applicationList/0003-cat/0004-app"
title: "WebSSO Manager"
type: "menuApp"
1: {data: {display: "auto", uri: "https://manager.example.com:19876/notifications.html",…},…}
data: {display: "auto", uri: "https://manager.example.com:19876/notifications.html",…}
id: "applicationList/0003-cat/0005-app"
title: "Notifications explorer"
type: "menuApp"
2: {title: "Sessions explorer", data: {logo: "database.png", description: "Explore WebSSO sessions",…},…}
data: {logo: "database.png", description: "Explore WebSSO sessions",…}
id: "applicationList/0003-cat/0006-app"
title: "Sessions explorer"
type: "menuApp"
3: {data: {logo: "database.png", display: "auto", description: "Explore WebSSO 2FA sessions",…},…}
data: {logo: "database.png", display: "auto", description: "Explore WebSSO 2FA sessions",…}
id: "applicationList/0003-cat/0007-app"
title: "2FA Sessions explorer"
type: "menuApp"
title: "Administration"
type: "menuCat"
```
Seems Conf is well formatted and transmitted to Parser.pm, but no change is detected...
Milestone: 2.0.4
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## [Security: high, CVE-2019-12046] Setting tokenUseGlobalStorage allows unauthenticated users to access the portal (and applications without rules)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1742
Updated: 2019-05-13T20:24:06Z
Author: Maxime Besson
### References
* [CVE-2019-12046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12046)
* [Debian #928944](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944)
### Concerned version
Version: %2.0.3
### Summary
Any token stored in the "main" session database may be used as a valid session identifier to browse the portal and access applications with a bogus (all fields are empty), but nonetheless accepted, session.
This is an issue if tokens generated by OneTimeToken.pm are stored in the main session database, because these tokens are directly visible to unauthenticated users.
Proof of concept:
First, enable `tokenUseGlobalStorage`, in the manager, then
```
$ curl -s http://auth.example.com/ | grep token
<input type="hidden" name="token" value="5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862" />
$ curl -sb lemonldap=5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 http://auth.example.com/ | grep Connected
<span trspan="connectedAs">Connected as</span>
$ curl -sb lemonldap=5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 http://test1.lemonregister.lxd/ | grep title
<title>LemonLDAP::NG sample protected application</title>
```
We are logged onto the portal with an empty username, but that's enough to browse the application list, and accept applications that have no access rules (or rules that behave badly in the presence of an empty string!)
### Logs
```
LLNG[19019]: Get session 5e57a93005d3877cccafc6da806c2911fdb62ff2af60d9bb2b890b4253f2a862 from Handler::Main::Run
May 10 13:36:08 lemonregister LLNG[19019]: Check session validity from Handler
May 10 13:36:08 lemonregister LLNG[19019]: Session timeout -> 72000
```
In the global storage, tokens look like this:
```
{
"_session_kind" : "SSO",
"tokenSessionStartTimestamp" : 1557495341,
"_utime" : 1557423461,
"_type" : "token",
"tokenTimeoutTimestamp" : 1557495461,
"_session_id" : "9333f50d80fdbf77d584af01dba27a2dc72b94f841c44dd30d0b9ed42af589df"
}
```
That `"_session_kind" : "SSO",` is probably the root of the issue, as it doesn't appear when using tokens with the normal configuration (tokenUseGlobalStorage=0)
### Possible fixes
The handler and portal should probably check the _kind of the session they retrieve before accepting it.
Milestone: 2.0.4
Assignee: Yadd

## [Security: low] register_token used for account creation can be used as a valid session identifier
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1743
Updated: 2019-05-13T21:22:36Z
Author: Maxime Besson
### References
* [CVE-2019-12046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12046)
* [Debian #928944](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944)
### Concerned version
Version: %2.0.3
### Summary
The confirmation email contains a link that looks like this:
```
http://auth.example.com/register?register_token=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f&skin=bootstrap
```
The register_token may be used as a valid session, before the account is even created in the Register backend
```
curl -b lemonldap=9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f http://test1.example.com/
```
The session is of course empty:
```
<li>Connected user: <ul>
<li><tt>$ENV{HTTP_AUTH_USER}</tt>: </li>
<li><tt>$ENV{REMOTE_USER}</tt>: </li>
```
But I'm pretty sure this is undesired behavior.
### Logs
```
cat /var/lib/lemonldap-ng/sessions/9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f
{
"_utime" : 1557493764,
"tokenSessionStartTimestamp" : 1557493764,
"_type" : "register",
"ipAddr" : "10.128.239.1",
"firstname" : "Bob",
"_session_kind" : "SSO",
"mail" : "hackerman@gibson.com",
"lastname" : "Hackerman",
"_session_id" : "9918800f8e90181a3da20e2c41ac565fc1a4018534bf4f9c37dabd2d24eb711f",
"tokenTimeoutTimestamp" : 1557565764
}
```
### Possible fixes
The register session shouldn't be using _session_kind: SSO, or the handler should not accept _type: register? Not sure what's the correct way here.
Milestone: 2.0.4
Assignee: Yadd

## [Security: low] register_token used for account creation can be used as a valid session identifier
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1744
Updated: 2019-05-15T11:48:39Z
Author: Clément OUDOT
### References
* [CVE-2019-12046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12046)
* [Debian #928944](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928944)
### Resume
Duplicate of #1743 but for 1.9 branch
Milestone: 1.9.19
Assignee: Clément OUDOT

## Impersonation does not work with double cookies authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1746
Updated: 2019-05-19T11:52:50Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %2.X
Platform: All
### Summary
Impersonation + unsecuredCookie (HTTP) -> log into Portal OK
Impersonation + securedCookie (HTTPS) -> log into Portal OK
Impersonation + doubleCookie -> Impossible to authenticate
### Possible fixes
httpCookie is built by buildCookie with $req->{sessionInfo}->{_httpSession}
Milestone: 2.0.5
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Authentication with "Double Cookies for a single session" (securedCookie==3) does not work
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1749
Updated: 2019-06-05T10:06:47Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %2.X
Platform: All
### Summary
Set doubleCookie for a single session, logout, reload -> unable to log in
lemonldaphttp cookie value is empty
### Logs
No cookie found
![Capture_d_écran_2019-05-12_23-01-25](/uploads/b52d03da39d28fa75011d09ff6e916c9/Capture_d_écran_2019-05-12_23-01-25.png)
Milestone: 2.0.5
Assignee: Christophe Maudoux <chrmdx@gmail.com>