lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2024-03-27T11:25:29Z

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3082
Debian packaging
2024-03-27T11:25:29Z
Christophe Maudoux <chrmdx@gmail.com>

### Summary
I am not sure I understand LL::NG packaging well...
What is the purpose and difference between these files?
```
lemonldap-ng/lemonldap-ng-handler/eg/llng-server.psgi
lemonldap-ng/lemonldap-ng-common/eg/llng-app.psgi
lemonldap-ng/fastcgi-server/psgi/llngapp.psgi
```
Furthermore, the hook to load customHandler, present in the files below:
```
lemonldap-ng/fastcgi-server/sbin/llng-fastcgi-server
lemonldap-ng/fastcgi-server/psgi/llngapp.psgi
```
is missing in the file below:
```
lemonldap-ng/lemonldap-ng-handler/eg/llng-server.psgi
```
just as the middleware to downgrade UTF-8 is missing in
```
lemonldap-ng/fastcgi-server/psgi/llngapp.psgi
```
Last question: in LL::NG code, we refer to 'llng-fastcgi-server'
```
fastcgi-server/systemd/llng-fastcgi-server.service
```
But in Debian packaging we refer to 'lemonldap-ng-fastcgi-server'
```
lemonldap-ng/debian/lemonldap-ng-fastcgi-server.service
```
### Design proposition
It could be interesting to harmonize all these files.

Milestone: 2.20.0
Assignee: Xavier Bachelot

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3039
Creating a new 2F plugin requires editing available2F / available2FSelfRegistration keys
2024-03-27T08:18:22Z
Clément OUDOT

I don't know if this is a real issue, but at least the technical documentation must be updated.
Currently I follow the instructions from:
```
perldoc Lemonldap::NG::Portal::Main::SecondFactor
```
The 2F module is not loaded at all because available2F must be modified. I don't find this very convenient, because the default value of this parameter will change when we add a new core 2FA module in LL::NG.

Milestone: 2.20.0
Assignee: Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2989
Bad parameter name: don't set oidcRPMetaDataOptionsRefreshToken when you want to use refresh_token
2023-08-25T12:37:47Z
Yadd

Here is the strange code:
```perl
elsif ( $self->rpOptions->{$rp}->{oidcRPMetaDataOptionsRefreshToken} ) {
    my $refreshTokenSession = $self->newRefreshToken(
        $rp,
        {
            redirect_uri    => $codeSession->data->{redirect_uri},
            scope           => $scope,
            client_id       => $client_id,
            user_session_id => $codeSession->data->{user_session_id},
            grant_type      => "authorizationcode",
        },
        0,
    );
```
The "0" disables the use of `oidcServiceOfflineSessionExpiration` _(or `oidcRPMetaDataOptionsOfflineSessionExpiration`)_, so the `refresh_token` timeout is set to `$conf->{timeout}`.
@maxbes, @clement_oudot: is it normal or a bug?

Milestone: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2947
Append an OAuth2ST handler wrapper
2024-03-27T10:05:35Z
Christophe Maudoux <chrmdx@gmail.com>

### Summary
Some web services can be requested by OIDC applications using an AccessToken and by web applications using a ServiceToken.
This leads to defining two routes, one protected by the ST handler and one protected by the OAuth2 handler.
### Design proposition
The idea is to provide a handler able to serve both AT and ST, like the DevOpsST wrapper.

Milestone: 2.20.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2916
TOTP: "Internal Server Error" after user enabled it
2023-04-29T08:51:46Z
Mathieu MD

### Concerned version
Version: 2.16.1
Platform: Nginx
### Summary
After a user has enabled TOTP in her account (flashed and confirmed the code), she cannot go back to `https://auth.example.com/2fregisters` without getting a mere "Internal Server Error".
### Logs
```
[error] Corrupted session (_2fDevices): malformed JSON string, neither tag, array, object, number, string or atom, at character offset 0 (before "**********") at /usr/share/perl5/JSON.pm line 190.
```
### Possible fixes
Everything else is working fine, even logging out and logging in again with TOTP. It's only accessing `/2fregisters` (via the sub-menu at the top right) that fails like that.

Milestone: Backlog
Assignee: Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2891
Mini HowTo OIDC with a single page application
2023-07-06T15:35:05Z
Black Sousnenu

Hi all,
We are trying to authenticate a single page application with OIDC; we did not find in the documentation how to do it.
Is it possible to create a mini how-to?
Thanks
Regards
BS

Milestone: In discussion

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2639
OIDC error when multiple email addresses
2022-02-04T12:09:43Z
Mathieu Valois

### Concerned version
Version: 2.0.13
Platform: Apache on Debian 11
### Summary
When LDAP users have multiple email addresses, the Gitlab OIDC client rejects the connection, complaining about a bad email address.
### Logs
Gitlab: Sign-in failed because Email is invalid.
### Possible fixes
Provide a way to map attributes on a single element of an array, like `mail => mail[0]`

Milestone: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2029
Create a specific subdomain on default installation to restrict visibility of SSO cookie
2019-11-25T11:17:09Z
Clément OUDOT

Until now, we use a wide domain (example.com) as the default value, which is not a good practice, as the SSO cookie is then visible to all applications on this domain.
We should instead configure a subdomain (sso.example.com) with the portal and manager inside it (auth.sso.example.com and manager.sso.example.com).

Milestone: 3.0.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1798
Document REST API with OpenAPI
2019-06-12T13:58:45Z
Clément OUDOT

The goal is to generate REST documentation, like https://rest.fusiondirectory.org/
Sample YAML file: https://gitlab.fusiondirectory.org/fusiondirectory/fd-plugins/blob/1.4-dev/webservice/html/openapi.yaml

Milestone: 3.0.0

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1124
Bad type for oidcRPMetaDataOptionsIDTokenSignAlg
2017-12-05T18:36:14Z
Yadd

oidcRPMetaDataOptionsIDTokenSignAlg is declared as "select" in Manager::Build::Attributes, but the documentation indicates a list of algorithms.

Milestone: In discussion

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1005
Choice module breaks OpenID Connect and other methods requesting URL params
2017-12-05T18:36:13Z
James Hook

When using the Choice module for authentication, a parameter for the URL is provided, allowing a different address to authenticate.
However, when using an OpenID Connect relay (and possibly other methods) which redirects to a page such as /oauth2/..., the URL given drops these params.
This means the first login of the day will fail to redirect correctly.
I fixed this by patching line 201 of /usr/share/perl5/Lemonldap/NG/Portal_Choice.pm to have the following:
```
--- ./_Choice.pm.hookbak 2016-05-04 17:40:01.000000000 +1200
+++ ./_Choice.pm 2016-05-04 17:39:38.000000000 +1200
@@ -198,6 +198,7 @@
# Default URL
$url ||= "#";
+ $url =~ s/\$REQUEST_URI/$ENV{"REQUEST_URI"} . $ENV{"QUERY_STRING"}/g;
# Options to store in the loop
my $optionsLoop =
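Review bot: the added substitution `$url =~ s/\$REQUEST_URI/$ENV{"REQUEST_URI"} . $ENV{"QUERY_STRING"}/g;` has no `/e` modifier, so the replacement is interpolated as a plain string and the ` . ` concatenation operator lands literally in `$url` between the two values; either add `/e` or build the value in a variable first. Under Apache the CGI `REQUEST_URI` variable already carries the query string, so appending `QUERY_STRING` duplicates it. Both values are client-controlled and end up as a link target on the choice page: restrict the substituted value to a relative path on the portal host and make sure the template escapes it before rendering, otherwise arbitrary request data flows unchecked into the generated HTML.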
```
This then allows the URL to contain $REQUEST_URI.
In our case we use Kerberos via Apache and LDAP as a fallback (based on http://lemonldap-ng.org/documentation/1.3/authapache ).
To allow this patch to work, the Choice module has LDAP and Kerberos. LDAP is the default setting; Kerberos has the URL now set to:
/krb.pl$REQUEST_URI
Apache configs:
```
# OpenID Connect Issuer
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^(/krb.pl)?/oauth2/.* /index.pl
RewriteRule ^/.well-known/openid-configuration$ /openid-configuration.pl
</IfModule>
```
And issuerDBOpenIDConnectPath inside the manager is now set to:
^(/krb.pl)?/oauth2/
This will only fix OpenID Connect.

Milestone: In discussion