lemonldap-ng issues (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues), feed updated 2020-12-02T08:48:01Z

## #2379 SameSite attribute for 1.9
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2379 (2020-12-02T08:48:01Z, Maxime Besson)
### Concerned version
Version: 1.9.21
### Summary
Some use cases are now broken when using 1.9 with Chromium-based browsers (which today means everything that is not firefox), see #2070.
Firefox will introduce the same change [eventually](https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/)
### Possible fixes
Adding SameSite to cookies is not as simple as it seems.
1.9 uses CGI::Cookie, and old versions of CGI::Cookie do not handle SameSite at all. Even recent versions of CGI::Cookie do not handle SameSite=None (only Lax and Strict).
I have a prototype patch that hacks around this limitation
Maybe this change deserves a 1.9.22 release @cleoud?
Milestone/label: 1.9.22; assignee: Maxime Besson

## #2378 Error in inGroup expansion
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2378 (2020-12-21T15:34:04Z, Maxime Besson)
### Concerned version
Version: 2.0.9
### Summary
inGroup adds a superfluous comma that can cause errors on expansion
### Logs
* `inGroup('timelords') ? "ALLOWED" : "DENIED"`
Gets expanded as:
```
listMatch($s->{'hGroups'},'timelords',1), ? "ALLOWED" : "DENIED"
```
Causes a syntax error because of `, ?`
### Possible fixes
I will fix the expansion of inGroup
Milestone/label: 2.0.10; assignee: Maxime Besson

## #2367 skip rule doesn't work with DevOps handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2367 (2020-11-02T11:32:38Z, Nicolas B.)
### Concerned version
Version: %2.0.8
Platform: Apache
### Summary
We have identified, as we were talking with @guimard on Friday (IRC), that the "skip" access rule doesn't work with the DevOps handler. It appears that rules.json has no effect.
Here's the configuration I used
```json
{
"rules": {
"^/dir/": "skip",
"default": "accept"
},
"headers": {
"Auth-User": "$uid"
}
}
```
with the following configuration on the VHOST:
```
PerlHeaderParserHandler Lemonldap::NG::Handler::ApacheMP2::FCGIClient
PerlSetVar LLNG_SERVER <auth.domain.ltd>:8080
PerlSetVar VHOSTTYPE DevOps
PerlSetVar RULES_URL https://vhost_domain.ltd/rules.json
```
Note: Maybe this is a known behaviour, but each time I'm modifying an access rule in the manager with the normal handler, I have to restart the llng-fastcgi-server service. Is it normal?
Milestone/label: 2.0.10; assignee: Yadd

## #2362 unprotect rule does not recognize existing sessions when using CDA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2362 (2020-10-30T17:33:31Z, Ghost User)
I am trying to set up a subdomain where an authenticated user would be authenticated to the app with an HTTP header.
For that I used the `unprotect` rule like so:
```json
"locationRules": {
"example.com": {
"default": "unprotect"
}
},
"vhostOptions": {
"example.com": {
"vhostType": "CDA"
}
}
```
But authenticated users are not detected.
I was expecting that LemonLDAP would make a redirection to the portal to check if a session exists and then come back and set a cookie to identify the user.
Am I wrong somewhere?
Milestone/label: FAQ

## #2354 Lemonldap::NG::Common::Conf::msg is never reset and grows indefinitely
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2354 (2020-11-16T20:26:13Z, Maxime Besson)
### Environment
LemonLDAP::NG version: 2.0.9
Operating system: Debian/Centos
Web server: Nginx+Fastcgi
### Summary
When using the handler, every $checkTime, Lemonldap::NG::Common::Conf::msg grows a little larger
### Logs
Hitting the handler immediately after restart:
```
Oct 15 15:20:14 lemontest LLNG[3399]: [debug] Check configuration for Lemonldap::NG::Handler::Server::Main
Oct 15 15:20:14 lemontest LLNG[3399]: [debug] Lemonldap::NG::Common::Conf::Backends::File loaded.
Configuration unchanged, get configuration from cache.Get configuration from cache without verification.
```
A few hits later:
```
Oct 15 15:20:49 lemontest LLNG[3399]: [debug] Lemonldap::NG::Common::Conf::Backends::File loaded.
Configuration unchanged, get configuration from cache.Get configuration from cache without verification.Get configuration from cache without verification.Get configuration from cache without verification.Get configuration from cache without verification.Get configuration from cache without verification.Get configuration from cache without verification.Get configuration from cache without verification.Get configuration from cache without verification.Get configuration from cache without verification.
```
Milestone/label: 2.0.10; assignee: Christophe Maudoux

## #2343 TOTP handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2343 (2020-12-22T14:18:22Z, Yadd)
### Summary
TOTP handler is a handler that accepts tokens that contains a TOTP value. This is a sort of **Human-less** ServiceToken handler.
### Design proposition
Client header contains `WWW-Authenticate: user:<TOTP value>`; the handler gets the secret from lemonldap-ng.ini _(or a distinct file? or an LLNG database?)_ and verifies the TOTP value, then calculates a temporary session _(like the AuthBasic handler, using a valid username or a pre-defined session?)_.
Comments are welcome
Milestone/label: In discussion; assignee: Yadd

## #2335 apache handler: allow users to override the port/scheme for redirections
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2335 (2020-11-09T13:51:21Z, Maxime Besson)
By default, LLNG tries to detect the port and scheme of the incoming request to build the url= parameter (see `_buildUrl`).
However, if we are behind a reverse proxy, the SERVER_PORT and HTTPS variables are incorrect. Imagine
```
USER --https://test1.example.com--> RP ---http://internal:999--> LLNG
```
The redirect URL will be http://test1.example.com:999
A solution can be to force Port and Https in the vhost config BUT this prevents having vhosts that can be accessed BOTH over HTTP and HTTPS.
This is easily solved in Nginx:
```
# HTTPS vhost
fastcgi_param HTTPS On;
fastcgi_param SERVER_PORT 443;
...
# HTTP vhost
fastcgi_param HTTPS off;
fastcgi_param SERVER_PORT 80;
```
But there is no such workaround for Apache yet.
### Possible fixes
Read an override from ENV in the Apache vhost before falling back to $r->get_server_port
I also need to fix the current code to read $req->scheme instead of $req->env->{HTTPS} in `_isHttps`.
Milestone/label: 2.0.10; assignee: Maxime Besson

## #2290 [security:high, CVE-2020-24660] Lack of URL normalization by Nginx may lead to authorization bypass when URL access rules are used
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 (2020-09-11T04:14:43Z, Maxime Besson)
### Environment
LemonLDAP::NG version: 2.0.8
Operating system: Debian Stretch, Debian Buster, probably RHEL
Web server: nginx/1.10.3, nginx/1.14.2
### Summary
When using Nginx, regexp-based access rules may not be correctly enforced by the handler.
I am doing a CVE request for this bug
### Logs
* Content of test vhost:
```
# cat /var/lib/lemonldap-ng/test/admin
SECRET ADMIN FILE
```
* Handler configuration:
![image](/uploads/eee374a6dffff959789dcf83331efb24/image.png)
* Proof of exploitation:
```
GET -S http://test1.example.com/admin/secretfile
GET http://test1.example.com/admin/secretfile
302 Moved Temporarily //AS EXPECTED
$ GET -S http://test1.example.com/%61dmin/secretfile
GET http://test1.example.com/%61dmin/secretfile
200 OK
SECRET ADMIN FILE //SHOULD BE PROTECTED
GET -S http://test1.example.com/x/../admin/secretfile
GET http://test1.example.com/x/../admin/secretfile
200 OK
SECRET ADMIN FILE //SHOULD BE PROTECTED
```
I have also successfully tested this in a reverse proxy configuration, which is a very common, if not the most common, use case. I have also tested this without the "skip" keyword; in such a case, a normal user may be granted access to admin-only resources.
### Cause
The problem comes from the fact that the handler tests regexp against the REQUEST_URI variable. Unlike Apache, Nginx does not [normalize](https://en.wikipedia.org/wiki/URI_normalization) REQUEST_URI. Because of this, it becomes extremely hard for an admin to write a regexp that correctly catches all of the possible URLs that can be used to target a protected resource (such as /admin).
### Solutions
#### URI::Normalize
Nginx transmits the original URL in a X_ORIGINAL_URL header. We could use this fact to trigger special processing in the handler:
```
$self->env->{REQUEST_URI} = $self->env->{X_ORIGINAL_URI}
if ( $self->env->{X_ORIGINAL_URI} );
```
would change to
```
$self->env->{REQUEST_URI} = normalize_url($self->env->{X_ORIGINAL_URI})
if ( $self->env->{X_ORIGINAL_URI} );
```
Using `normalize_url` from [URI::Normalize](https://metacpan.org/pod/URI::Normalize) which is not in distros but easily embeddable.
#### Nginx config
We could also make Nginx normalize the URL, with something like this:
```
location / {
...
# Save the normalized URI here
set $original_uri $uri$is_args$args;
...
}
location = /lmauth {
...
fastcgi_param X_ORIGINAL_URI $original_uri;
...
}
```
But that means each webserver we ever want to support will probably have its own, distinct solution.
Milestone/label: 2.0.9; assignee: Maxime Besson

## #2287 LL:NG-provided lua-header snippet -> "writing a global lua variable ('i') which may lead to race conditions between concurrent requests"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2287 (2020-08-25T22:03:05Z, pgnd)
my LL:NG 2.0.8 + nginx 1.19.2 instance has lua support enabled.
in protected app vhost, per
https://lemonldap-ng.org/documentation/latest/confignginx
the LL:NG-provided lua headers snippet,
```
cat /etc/nginx/nginx-lua-headers.conf
auth_request_set $headername1 $upstream_http_headername1;
...
auth_request_set $lmcookie $upstream_http_cookie;
access_by_lua '
i = 1
ngx.req.set_header("Cookie",ngx.var.lmcookie)
while true do
if ngx.var["headername"..i] ~= nil then
ngx.req.set_header(ngx.var["headername"..i],ngx.var["headervalue"..i])
else
break
end
i = i +1
end
';
```
is included.
on access, nginx logs report,
```
2020/08/23 14:47:56 [warn] 13669#13669: *1 [lua] _G write guard:12: __newindex(): writing a global lua variable ('i') which may lead to race conditions between concurrent requests, so prefer the use of 'local' variables
stack traceback:
access_by_lua(lemonldap-lua-headers.inc:43):2: in main chunk while sending to client, client: 10.0.1.20, server: example.com, request: "GET /app2 HTTP/2.0", host: "example.com", referrer: "https://auth.llng.example.com/"
```
reading @
https://github.com/openresty/lua-nginx-module/issues/1558
https://github.com/openresty/openresty/issues/510
editing
```
access_by_lua '
- i = 1
+ local i = 1
ngx.req.set_header("Cookie",ngx.var.lmcookie)
```
appears to remove the error.
I've not tested any _downstream_ effects. iiuc, there _should_ be none ...
Milestone/label: 2.0.9; assignee: Maxime Besson

## #2284 Improve serviceToken debug logs
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2284 (2020-08-19T21:21:34Z, Christophe Maudoux)
### Summary
More logs will be useful to help debug
Milestone/label: 2.0.9; assignee: Christophe Maudoux

## #2258 Error when using lougout_app_sso
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2258 (2020-07-17T15:22:44Z, Guillaume Debaisieux)
### Environment
LemonLDAP::NG version: 2.0.8-1
Operating system: Linux, debian 10
Web server: Apache
### Summary
We are facing an issue when trying to log out from our application.
When the user logs out, the following error appears in the logs:
```
[Fri Jul 17 13:55:28.014421 2020] [perl:error] [pid 23734:tid 140082212226816] [client 127.0.0.1:59102] Can't call method "data" on an undefined value at /usr/share/perl5/Lemonldap/NG/Handler/Main/Run.pm line 775.\n, referer: xxx (our referer)
```
After having modified the Run.pm file in order to show the value of $req in the method localunlog, we can see that $req is undefined:
```
Apache2.pm(14): $VAR1 = undef;\n
```
Is there anything we have done wrong here, or is it a bug?
### Logs
[error.log](/uploads/f5ff3bd874558e05d6df67da52da2c3b/error.log)
Milestone/label: 2.0.9; assignee: Clément OUDOT

## #2217 Error "Value must be BASE64 encoded" with some specific URL when Handler redirects on portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2217 (2020-05-22T15:35:46Z, Clément OUDOT)
I had a strange bug with Handler, occurring only with some URLs.
I found this was because Base64 encoding could generate `+` characters in the value, and with the new portal code using PSGI, URL decoding replaces `+` by space, and the portal returns a "Bad URL" error.
We can reproduce with: https://courriel.example.fr/service/home/~/
```
==> /var/log/httpd/error_log <==
[Fri May 22 16:01:52 2020] [LLNG:29701] [error] Value must be BASE64 encoded (param: url | value: aHR0cHM6Ly9jb3VycmllbC5leGFtcGxlLmZyL3NlcnZpY2UvaG9tZS9 Lw==)
==> /var/log/httpd/access_log <==
1.1.1.1 - - [22/May/2020:16:01:52 +0200] "GET /?url=aHR0cHM6Ly9jb3VycmllbC5leGFtcGxlLmZyL3NlcnZpY2UvaG9tZS9+Lw== HTTP/1.1" 200 1526 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
```
To fix it, Handler must URL encode the url value.
Milestone/label: 2.0.9; assignee: Clément OUDOT

## #2198 [CPAN RT n° 132508] Undeclared dependency Time::Fake
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2198 (2020-05-10T10:27:25Z, Clément OUDOT)
See https://rt.cpan.org/Ticket/Display.html?id=132508
Milestone/label: 2.0.9; assignee: Yadd

## #2192 [CPAN RT n° 132527] Lemonldap-NG-Handler: Decreasing versions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2192 (2020-05-10T10:27:49Z, Clément OUDOT)
See https://rt.cpan.org/Public/Bug/Display.html?id=132527
Milestone/label: 2.0.9; assignee: Clément OUDOT

## #2188 Declare vhost with wildcard and prefix/suffix
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2188 (2020-05-13T12:39:12Z, Grégory ROY)
### Summary
Hello,
Currently it is not possible to declare "vhosts" with a host name including a wildcard with a suffix or prefix, like:
* `*-dev.example.com`
* `*-sso.example.com`
* `test-*.example.com`
I think it would be an interesting operational possibility.
### Design proposition
After looking at the code, I don't know if it is possible with regard to the "RFC2396" used for the control of the value?
Maybe that would mean no longer relying on the latter for control, but just on regular expressions.
How can I help?
Milestone/label: 2.0.9; assignee: Yadd

## #2167 OAuth2 handler should return 401 when access token is missing or invalid
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2167 (2020-05-04T13:57:21Z, Maxime Besson)
See https://tools.ietf.org/html/rfc6750#section-3
The current behavior is to redirect to the portal.
Milestone/label: 2.0.8; assignee: Maxime Besson; due 2020-04-24

## #2143 Enable redirection on forbidden access with self protected Portal URLs leads to an endless loop
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2143 (2020-04-11T16:07:45Z, Christophe Maudoux)
### Concerned version
Version: %2.0.X
Platform: All
### Summary
Enable CheckUser or TOTP & Redirect on forbidden (Handler redirections)
Set rules like this:
```
auth.example.com/checkuser => $uid eq 'rtyler'
auth.example.com/2fregisters => $uid eq 'rtyler'
```
Reload conf and log in as 'dwho'.
Try to access /checkuser or /2fregisters, an infinite loop occurs
![redirect_loop](/uploads/8d6931ab2d52b03de33f62709d621feb/redirect_loop.png)
or session is killed:
### Logs
```
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Get session 0b49762ab2e252012e2d97e852241d6035a89c814c72a230e93c93fd37739311 from Handler internal cache
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] No URL authentication level found...
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Regexp "New rule" match
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [notice] User dwho was forbidden to access to auth.example.com/2fregisters
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] [notice] User dwho was forbidden to access to auth.example.com/2fregisters
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Use redirect for forbidden access
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Build URL http://auth.example.com:19876/2fregisters
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Redirect 127.0.0.1 to lmError (url was /2fregisters)
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] User not authenticated, Try in use, cancel redirection
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Start routing 2fregisters
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Processing controlUrl
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Processing code ref
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Processing code ref
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Launching ::Plugins::AutoSignin::check
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Processing extractFormInfo
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Prepare token
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Token 1586448138_64594 created
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Returned error: 1 (PE_SESSIONEXPIRED)
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Display type standardform
[Fri Apr 10 14:00:18 2020] [LLNG:21142] [debug] Skin returned: login
```
Milestone/label: 2.0.8; assignee: Christophe Maudoux

## #2127 Cache reload throws an error if status enabled
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2127 (2020-04-01T13:54:59Z, Christophe Maudoux)
### Concerned version
Version: %2.0.X
Platform: Demo
### Summary
At each reload, an error is thrown
### Logs
```
[Sat Mar 28 18:35:50 2020] [LLNG:15291] [debug] Add POST route:
[Sat Mar 28 18:35:50 2020] [LLNG:15291] [debug] route 2fregisters added
[Sat Mar 28 18:35:50 2020] [LLNG:15291] [debug] Plugin ::2F::Engines::Default initializated
Status: Unknown command line : RELOADCACHE Cache::FileCache5
[Sat Mar 28 18:35:51 2020] [LLNG:15291] [debug] Module Lemonldap::NG::Portal::Plugins::MailPasswordReset loaded
[Sat Mar 28 18:35:51 2020] [LLNG:15291] [debug] Declaring unauth route
[Sat Mar 28 18:35:51 2020] [LLNG:15291] [debug] Add POST route:
[Sat Mar 28 18:35:51 2020] [LLNG:15291] [debug] route resetpwd added
```
### Possible fixes
It seems that scalar context is used by the map directive (5 = number of cache module parameters, instead of the concatenated string).
lemonldap-ng/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm
```
# Local session storage
if ( $conf->{localSessionStorage} ) {
$class->tsv->{sessionCacheModule} = $conf->{localSessionStorage};
$class->tsv->{sessionCacheOptions} =
$conf->{localSessionStorageOptions};
$class->tsv->{sessionCacheOptions}->{default_expires_in} ||= 600;
if ( $conf->{status} ) {
my $params = "";
if ( $class->tsv->{sessionCacheModule} ) {
$params = ' ' . join(
',',
# the '.' operator puts map in scalar context: it yields the element count, not the joined options
$class->tsv->{sessionCacheModule} . map {
"$_ => "
. $class->tsv->{sessionCacheOptions}->{$_}
} keys %{ $class->tsv->{sessionCacheOptions} // {} }
);
}
$class->tsv->{statusPipe}->print("RELOADCACHE $params\n");
}
}
```
/home/maudoux/lemonldap-ng/lemonldap-ng-handler/blib/lib/Lemonldap/NG/Handler/Lib/Status.pm
```
elsif (/^RELOADCACHE(?:\s+(\S+?),(.+))?$/) {
if ( my ( $cacheModule, $cacheOptions ) = ( $1, $2 ) ) {
print STDERR "$cacheModule, $cacheOptions\n";
eval "use $cacheModule;"
. "\$cache = new $cacheModule($cacheOptions);";
print STDERR "$@\n" if ($@); # TODO: use logger instead
}
else {
$cache = undef;
}
}
```
Milestone/label: 2.0.8; assignee: Christophe Maudoux

## #2121 Prevent Portal to crash if Custom Functions module is not found
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2121 (2020-04-01T21:56:48Z, Christophe Maudoux)
### Summary
Portal crashes if Perl module is not found (typo or bad path).
Append an option to bypass 'die' directive
Milestone/label: 2.0.8; assignee: Christophe Maudoux

## #2112 Local session cache causing basic auth failures
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2112 (2022-12-13T13:44:07Z, Chris A)
### Concerned version
Version: %"2.0.7"
Platform: Nginx
### Summary
When using basic auth with a local session cache, basic auth will start to fail once a day for several minutes even though the backend authentication succeeds. It seems to be related to the local session cache keeping an expired session, and the local purge script cleans it up too late.
### Logs
```
Feb 20 20:03:08 janus LLNG[15821]: [notice] Good REST authentication for xxx
Feb 20 20:03:08 janus LLNG[15821]: [debug] [notice] Good REST authentication for xxx
Feb 20 20:03:08 janus LLNG[15821]: [debug] Get session b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf from Handler::Main::Run
Feb 20 20:03:08 janus LLNG[15821]: [debug] Check session validity from Handler
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeout -> 72000
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session _utime -> 1582156801
Feb 20 20:03:08 janus LLNG[15821]: [debug] now -> 1582228988
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session timeoutActivityInterval -> 60
Feb 20 20:03:08 janus LLNG[15821]: [debug] Session TTL = -187
Feb 20 20:03:08 janus LLNG[15821]: [info] Session b901f55522ea2b002d10ad57e2a1c2de8503b167ee84fa251906e14348e7a7cf expired
```
### Backends used
LDAP is used for the authentication backend, and Redis is used as the session storage. The session cache was the file backend.
### Possible fixes
If I manually delete the session from the file cache while the issue is happening, it is fixed. I have since disabled the session cache entirely which has also fixed the issue.
(just as a side note for anyone trying this, the manager interface did not allow an empty field, so I had to set an empty value in the config file manually)
I'm not sure what a proper fix would be, but it seems that the basic auth handler could fall back to the main session database if it sees an expired entry and somehow refresh the expired session in the cache.
Milestone/label: Backlog; assignee: Christophe Maudoux