lemonldap-ng issues (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues), updated 2023-12-25T17:55:55Z

## lemonldap-ng-cli delKey locationRules failed
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2977 (2023-12-25T17:55:55Z, Yadd)

From [GitHub #2](https://github.com/LemonLDAPNG/lemonldap-ng/issues/2)
> The `simpleHashKeys` rule does not contain `locationRules`.
>
> https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Cli.pm#L261
>
```
$ /usr/share/lemonldap-ng/bin/lemonldap-ng-cli -yes 1 delKey locationRules manager.example.com
[Tue Jul 25 00:58:49 2023] [LLNG:320838] [info] Loading configuration 29 for process 320838
[Tue Jul 25 00:58:49 2023] [LLNG:320838] [info] CLI: Retrieve last conf.
[Tue Jul 25 00:58:49 2023] [LLNG:320838] [info] REST request to get configuration metadata (29)
locationRules is not a simple hash. Aborting at /usr/share/perl5/Lemonldap/NG/Manager/Cli.pm line 262.
```

## Bad parameter name : don't set oidcRPMetaDataOptionsRefreshToken when you want to use refresh_token
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2989 (2023-08-25T12:37:47Z, Yadd)

Here is the strange code:
```perl
elsif ( $self->rpOptions->{$rp}->{oidcRPMetaDataOptionsRefreshToken} ) {
    my $refreshTokenSession = $self->newRefreshToken(
        $rp,
        {
            redirect_uri    => $codeSession->data->{redirect_uri},
            scope           => $scope,
            client_id       => $client_id,
            user_session_id => $codeSession->data->{user_session_id},
            grant_type      => "authorizationcode",
        },
        0,
    );
```
The "0" disables the use of `oidcServiceOfflineSessionExpiration` _(or `oidcRPMetaDataOptionsOfflineSessionExpiration`)_, so the `refresh_token` timeout is set to `$conf->{timeout}`.
@maxbes, @clement_oudot: is it normal or a bug?

Labels: FAQ

## Mini HowTo OIDC with a single page application
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2891 (2023-07-06T15:35:05Z, Black Sousnenu)

Hi all,
We are trying to authenticate a single page application with OIDC, but we did not find in the documentation how to do it.
Is it possible to create a mini how-to?
Thanks
Regards
BS

Labels: In discussion

## Link to change password on page with info about expired password
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2794 (2022-09-13T00:41:39Z, Stanislav Shchetinkin)

How to create a link to change password on the page with info about the expired password?
I found that the template page with password expiration information is stored in .../portal/templates/bootstrap/info.tpl
But I don't understand how to generate a link to the "change password" page and then redirect from it to the user's working page, to get the following workflow:
1) user calls "work.site.com/index"
2) lemonldap redirects to "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA=="
3) the user enters the current password
4) lemonldap redirects to a page that says the password will expire in 10 days
5) user uses a link or button to be redirected to the change password page
6) user changes password
7) lemonldap redirects the user to "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA==" so that he can log in again
When I make a link like "auth.site.com?tab=password&url=d29yay5zaXRlLmNvbS9pbmRleA==", lemonldap redirects me to "work.site.com/index" immediately without prompting me to change my password.

Labels: FAQ

## OIDC error when multiple email addresses
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2639 (2022-02-04T12:09:43Z, Mathieu Valois)

### Concerned version
Version: %2.0.13
Platform: Apache on debian 11
### Summary
When an LDAP user has multiple email addresses, the Gitlab OIDC client rejects the connection, complaining about a bad email address.
### Logs
Gitlab: Sign-in failed because Email is invalid.
### Possible fixes
Provide a way to map attributes on a single element of an array, like `mail => mail[0]`.

Labels: FAQ

## Minimal Bullseye + Ansible + Apache2 static file won't be delivered
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2553 (2021-06-25T13:54:35Z, Clément J)

### Concerned version
Version: %2.0.11
Platform: Apache
OS: Debian 11 (Bullseye)
### Summary
Freshly installed on Bullseye via Ansible, lemonldap fails to deliver static content. Some URLs mention /javascript/angular directly and others don't resolve in the lemon DocumentRoot.
Some URLs are badly forged.
### Logs
See [lemon-debug.tar.gz](/uploads/30832bb37c11e9920396b3a06622ef41/lemon-debug.tar.gz). One file is HAR from Firefox, second is error.log from apache in debug mode.
### Backends used
File backend, actually with LDAP authentication. But with a fresh install without any tweaks, it has the same behavior.
### Possible fixes
Don't know.
Exactly the same install on Debian 10.10 gives a fully functional Lemon.

Labels: FAQ

## New installation of LemonLDAP
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2505 (2021-04-09T11:48:45Z, Benjamin AUBRY)

Hi Everybody,
I post this message because I fail to configure LemonLdap. This is my setup:
Ubuntu 20.04.02, lemonldap installed via package + Nginx. I followed this [notice](https://lemonldap-ng.org/documentation/latest/installdeb). I installed postgresql, created a database and migrated lemonldap to it; I followed this guide in order to configure the [link](https://www.worteks.com/2018/04/30/lemonldapng-installation-et-configuration-authentification-ad-et-kerberos/) with Active Directory and Kerberos. I configured Firefox for NTLM in one GPO. In the manager, I chose Kerberos as Authentication module and Active Directory for the others. I created two applications and two Vhosts: GLPI and Zimbra. I configured the zimbra vhost with preauth and put the key directly in lemonldap-ng.ini (like in this [article](https://lemonldap-ng.org/documentation/2.0/applications/zimbra.html)). For GLPI, I followed this [one](https://lemonldap-ng.org/documentation/2.0/applications/glpi.html). In Auth, I am connected automatically: my Windows id is shown. But when I click on GLPI on auth, I need to enter my ID, and when I click on Zimbra, I get this error:
```
???404Title???
???404Msg???
???errorTryAgainLater???
ERROR: 404
```
I'm sure that I missed something, but what? I tried to create a glpi-nginx.conf in sites-enabled, but my link with sites-available (ln -s) doesn't work.
Thanks in advance

Labels: FAQ

## Microsoft Edge kerberos authentification error
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2441 (2021-01-18T13:00:19Z, Mame Dieynaba SENE)

### Concerned version
Version: 2.0.8
Platform: (Edge 87/Apache 2.4)
### Summary
LL::NG is configured with a combination of Kerberos/LDAP modules. Kerberos authentication is ok in Firefox and Edge when the user has a valid ticket.
If the user is out of the Domain or has no valid ticket, everything works fine with Firefox but not Edge.
Here is how to reproduce the bug:
- user goes to Edge, opens a private window (no kerberos ticket) and types the portal url
- Edge shows a credential popup and then the user must click on "cancel" to be redirected to the LDAP login page.
There is no error in the logs.
What could I be missing?
Thanks guys

## [SAML] Upgrade 2.0.7 > 2.0.9 led some SAML SPs not working unless Check SSO message signature is disabled
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2363 (2021-01-08T17:12:06Z, Mehdi KHELIFA)

### Concerned version
Version: %2.0.9-1
Platform: Apache / Debian GNU/Linux 9 (stretch) /Linux 4.9.0-13-amd64 #1 SMP Debian 4.9.228-1 (2020-07-05) x86_64 GNU/Linux
### Summary
Since upgrading from 2.0.7 to 2.0.9, some SAML service providers can't be authenticated. The portal displays that an error occurred during SAML message signing (translation of the French message: "Erreur lors de la gestion de la signature du message SAML").
Other SAML SPs are working fine.
I also checked the validity of the public keys provided in the metadata (including my own, just to be sure). They are still valid.
### Logs
```
[LLNG:3781] [error] Lasso error code -1500: The provider has no known public key
[LLNG:3781] [error] Signature is not valid
[LLNG:3781] [debug] Returned error: 57 (PE_SAML_SIGNATURE_ERROR)
```
See the attached error.log file: [error.log](/uploads/814ca14fc1aa668ffe9e42178c700e6a/error.log)
You will find attached concerned service providers metadata files.
- [sp1-md.xml](/uploads/9e6b002745d87d61d770796d40421619/sp1-md.xml)
- [sp2-md.xml](/uploads/22e4fd17ad421776611f605c6175b16a/sp2-md.xml)
Here is an URL encoded request from the SP
```
fZBbT4QwEEb%2FCun7llvirhMgIbImxGvcFY1vFRtoUlrsTEX%2FvcC%2BrC%2B%2BzznfyWQoBj1C6ak3T%2FLTS6SgkQ6VNTlLeMSCusrZ3m9fa7OvX26qj0vePF%2FHQ%2FO181v1Ps0HiF7WBkkYmpkoiTZxtEmjY7yDNIUo5hdJ%2BsaCanYrI2hV90QjQhiKeZgjWk5OjErz1g7hkhSiMp2WB9WZB8OC70EbhLU1Z94ZsAIVghGDRKAWDuXdLcy5MDpLtrWaFdlyDWucO%2BP%2FxwWidEshK6Zp4qP2TmhUXU9LWRaeOU8DI9zPkrp6tFq1P0GptZ2unBQkc0bOSxYWJ%2Brvj4tf&RelayState=CquY9iUTrVrkoL3B3yZBph61zAjsqR&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=W8cRNc4N77VJShg9SToCIm1xXvA%2BnJ3ZFv4xqqcRph3TiylsYzARUVy%2Bu8FbuRzRvUhzMbftA%2FWHPs9HFrk2qulbdWMu6iT9JAIgB6tLflM66BZwkJtxTpTmj0iie8iZFodgbPPQjZHVqjmQ5m9nS%2Fm0IxhZRcfwMIxYu2nsSHWYWlcU%2BK5fl%2FzNiX0uHuxfkWMrQyviuX0Mu60w1U8O8Trw%2FfYlvc6Sid9sMi195HZWBXvxzji8R7mEq4Q60YGL2xMrUnuNl1AHQU9bfUwIvtNe7Cqd0NkfjQ3hMXOmNxAS52%2BfrfvU8BBWyUNhtqz708Bs40r9H6FA3FoybV54eQ%3D%3D
```
### Backends used
CONFIGURATION AND SESSIONS on PostgreSQL DB
AUTH BACKEND : Active Directory
### Possible fixes
The only workaround is to disable **Check SSO message signature** at the service provider level. Once disabled, applications are authenticated as expected. But over time it may not be secure!

## Issue for new installation
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1982 (2020-01-14T12:49:31Z, XIYI Zhu)

Hello,
I am testing lemonldap 2.0.6 as a new installation on CentOS 7. I followed the instructions and it installed. However, Apache doesn't start when I configure it to use RDBI by following this instruction:
https://lemonldap-ng.org/documentation/2.0/sqlconfbackend
The database is the Mariadb 10.4.8 with following configuration:
```
[mysql]
# CLIENT #
port = 3306
socket = /var/lib/mysql/mysql.sock
[mysqld]
# GENERAL #
user = mysql
default-storage-engine = InnoDB
socket = /var/lib/mysql/mysql.sock
pid-file = /var/lib/mysql/mysqld.pid
# MyISAM #
# key-buffer-size = 32M
# myisam-recover = FORCE,BACKUP
# SAFETY #
max-allowed-packet = 256M
max-connect-errors = 1000000
skip-name-resolve
sql-mode = NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER
sysdate-is-now = 1
innodb-strict-mode = 1
# DATA STORAGE #
datadir = /var/lib/mysql
# SERVER ID #
server-id = 1
# BINARY LOGGING #
log-bin
# CACHES AND LIMITS #
max-connections = 500
tmp-table-size = 32M
max-heap-table-size = 32M
query-cache-type = 0
query-cache-size = 0
thread-cache-size = 50
open-files-limit = 65535
table-definition-cache = 1024
table-open-cache = 2048
# INNODB #
innodb-flush-method = O_DIRECT
innodb-log-files-in-group = 2
innodb-log-file-size = 768M
innodb-flush-log-at-trx-commit = 1
innodb-file-per-table = 1
innodb-buffer-pool-size = 1536M
# LOGGING #
log-error = /var/lib/mysql/mysqld.log
slow-query-log = 1
slow-query-log-file = /var/lib/mysql/mysqld-slow.log
log-queries-not-using-indexes = OFF
long_query_time = 30
```
Since it doesn't allow a dash in the database name, I changed it to lemonldap-ng.
Here is what I set in /etc/lemonldap-ng/lemonldap-ng.ini:
```
[configuration]
; confTimeout: maximum time to get configuration (default 10)
;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set "type" to one of the followings :
;
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
;
; type = File ; or type = YAMLFile
type = File
dirName = /var/lib/lemonldap-ng/conf
;
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
; if needed. Example:
;
type = RDBI
; ;type = CDBI
dbiChain = DBI:MariaDB:database=lemonldap_ng;host=localhost
dbiUser = <username>
dbiPassword = <password>
dbiTable = lmConfig
```
The error is
```
[Tue Oct 22 16:34:31.605705 2019] [perl:error] [pid 3327] Lemonldap::NG::Handler::ApacheMP2::Main : unable to build configuration: Error: configStorage: type is not well formed.\nError: Unknown package Lemonldap::NG::Common::Conf::Backends::File\nRDBI\nFile.\nCompilation failed in require at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2.pm line 9.\nBEGIN failed--compilation aborted at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2.pm line 9.\nCompilation failed in require at (eval 2) line 2.\n
[Tue Oct 22 16:34:31.605768 2019] [perl:error] [pid 3327] Can't load Perl module Lemonldap::NG::Handler::ApacheMP2 for server <url>:0, exiting...
```
Did I miss installing something? I did `yum install perl-DBD-MySQL`.
Thanks

Labels: FAQ

## Use session array values in access rules
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1940 (2019-11-20T16:07:44Z, Heinz Mayer)

I use LemonLdap with a Keycloak as OpenID Connect IDP (LemonLDAP Version 2.0.5).
I pass groups as a claim from Keycloak to LemonLdap
The groups are correctly stored in the LemonLDAP session
```
[debug] UserInfo received: {"sub":"e3c33ab5-4410-4a82-ad78-cd6284e17078","email_verified":false,"groups":["vccadmin","vccconnect"],"preferred_username":"heinz.mayer@mic-cust.com"}
[debug] Store ARRAY(0x4f64c38) in session key groups
[debug] Dump: $VAR1 = ['vccadmin','vccconnect'];
```
When I create a virtual host with the following default access rule, it doesn't work:
```
$groups =~ /\bvccconnect\b/
```

Labels: FAQ
Assignee: Clément OUDOT

## Second Factor question
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1979 (2019-10-24T05:31:05Z, XIYI Zhu)

Hello,
For Second Factor, is it possible to only enable it when the request comes from an "External Network"? For example, if the request comes from within 192.168.1.0/24, no second factor is required; if the request comes from an IP address outside 192.168.1.0/24, present the second factor. Also, are Twilio SMS messages supported for the second factor?
Thanks

Labels: FAQ

## Unable to install on Debian if Apache2 is already installed
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1817 (2019-06-25T14:12:06Z, Clément OUDOT)

When installing LL::NG packages on Debian, where apache2 is already installed, we have this error:
```
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
invoke-rc.d: initscript nginx, action "start" failed.
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2019-06-25 15:40:46 CEST; 9ms ago
Docs: man:nginx(8)
Process: 6662 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Process: 6660 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
juin 25 15:40:44 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:46 pts2019 nginx[6662]: nginx: [emerg] still could not bind()
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Control process exited, code=exited status=1
juin 25 15:40:46 pts2019 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Unit entered failed state.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Failed with result 'exit-code'.
dpkg: erreur de traitement du paquet nginx-extras (--configure) :
le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1
...
Paramétrage de lemonldap-ng-fastcgi-server (2.0.4-1) ...
Created symlink /etc/systemd/system/llng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lemonldap-ng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
...
Des erreurs ont été rencontrées pendant l'exécution :
nginx-extras
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
The nginx dependency should not be activated if apache2 is already installed.

Labels: FAQ

## Documentation related to Proxy
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1581 (2018-12-21T05:34:02Z, Mathieu Lecompte-melançon)

Hi, the documentation related to Proxy seems incomplete:
https://lemonldap-ng.org/documentation/2.0/authproxy
First, in the manager, Proxy does not appear as a choice for auth and user as described in the docs.
And it would maybe be more usable to provide a sample of overloading in .ini with the right parameter names.
In 1.9 I have set for soap:
```
authentication = Proxy
userDB = Proxy
soapAuthService = https://auth.interne.urgences-sante.qc.ca/
```

Labels: FAQ
Assignee: Clément OUDOT