# lemonldap-ng issues

Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2024-03-27T08:18:27Z

## #3056 Remove XML::Simple (again)

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3056
Updated: 2024-03-27T08:18:27Z
Author: Maxime Besson
Milestone: 2.20.0
Assignee: Maxime Besson

Same as #1491 but in 2.0 branch

## #3054 Cannot get the full otpauth URL when registering a new TOTP

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3054
Updated: 2024-03-27T09:19:28Z
Author: Soisik Froger
Milestone: 2.19.0
Assignee: Maxime Besson

As a user, I'd like to copy the content of the QR code when enrolling a new TOTP. This URL is useful if you use any device/software that does not rely on scanning an image.

Right now, the URL has to be built from scratch from the displayed secret (if put in lowercase and without spaces).

Some kind of way to retrieve this URL (in the HREF attribute of the image?) would make it easier to register TOTP without scans.

## #3051 Add messaging broker support to share instantaneously events like logout or configuration update

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051
Updated: 2024-03-27T10:53:38Z
Author: Yadd
Milestone: 2.20.0

We can propose here a plugin system like the logger interface. Proposed plugin list:

* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)

Such a system could also provide a backend for a better "status" system.

## #3046 Conf::Backends::LDAP permanently fails to connect after an error

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3046
Updated: 2023-12-20T10:29:30Z
Author: Maxime Besson
Milestone: 2.18.0
Assignee: Maxime Besson

In unstable network conditions, the LDAP connection may become invalid:

```
LDAP error 82: Broken pipe
```

There is no way to recover from this except restarting httpd. We need to add a healthcheck on connection reuse like in Apache::Session::LDAP.

## #3043 Return to 2FA manager after registration

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3043
Updated: 2023-11-21T08:52:56Z
Author: Maxime Besson
Milestone: 2.18.0
Assignee: Maxime Besson

Currently, after registering a TOTP (or any other 2FA), the user remains on the TOTP screen:

![image](/uploads/33886c54eba6ab62c72a986f1aedb83a/image.png)

![image](/uploads/df3b7d37cd8b47704cf061a7319ec5ee/image.png)

This is consistently reported by my users as confusing.

A better flow would be to take them back to the list of registered 2FA:

![image](/uploads/d0f8b7e1ae333be4afe8ce7f0740436c/image.png)

Similar to #2610 but for all 2FA types.

## #3040 Allow auto-detection of portal URL and domain

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3040
Updated: 2024-03-28T16:34:28Z
Author: Maxime Besson
Milestone: 2.19.0
Assignee: Maxime Besson

One of my LLNG instances needs to be reached by internal and external users but on a different URL.

The portal uses `$self->conf->{portal}` and `$self->conf->{domain}` to get its own URL and cookie domain. But it doesn't work in this particular use case, because in my use case the portal and domain depend on `$req`.

This is similar to #933, but I think the fix proposed there no longer works since the migration to PSGI.

In the handler: it's probably not too difficult to do because every access to the portal URL goes through `$class->tsv->portal`. We just need to pass `$req` to it.

In the portal: we need to replace all calls to `$self->conf->{portal}` and `$self->conf->{domain}` with methods such as `getPortalUrl($req)` and `getDomain($req)`. This will require a lot of refactoring, but I think it's a good idea because users will no longer have to define the `portal` and `domain` configuration variables in most cases.

This is also a requirement of #2285.

If I can find sponsorship for this feature I might implement it in 2.19.

## #3031 OIDC: implement client_secret_jwt and private_key_jwt authentication mechanisms for endpoints access

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3031
Updated: 2023-12-14T15:55:58Z
Author: Yadd
Milestone: 2.18.0
Assignee: Yadd

Ref: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Related to #3030

MR: !397

## #3029 Set a UserAgent for requests done by LemonLDAP::NG

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3029
Updated: 2023-12-14T14:51:55Z
Author: Clément OUDOT
Milestone: 2.18.0
Assignee: Clément OUDOT

We can easily set a UserAgent string in Common/UserAgent.pm to avoid using the default LWP::UserAgent string.

It is only cosmetic. My question is: would it add some security issue? Not sure of it because there are not so many SSO products using the Perl LWP module, so it won't really disclose information.

## #3025 Accept EC algorithms in OpenIDConnect

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3025
Updated: 2023-12-01T10:56:16Z
Author: Yadd
Milestone: 2.18.0
Assignee: Yadd

The `verifyJWTSignature()` returns 0 if the algorithm isn't HS* or RS*.

It could be easy to support any algorithm by replacing our internal algorithm with [Crypt::JWT](https://metacpan.org/pod/Crypt::JWT), which supports all algorithms and also JWE. The library is available in Debian and is the base of !389.

As usual, not available on rpm distributions.

## #3022 Add a log to give details if CAS SLO request returns an error

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3022
Updated: 2023-10-11T09:38:10Z
Author: Clément OUDOT
Milestone: 2.18.0
Assignee: Clément OUDOT

When using CAS SLO, we don't get any message in the log if the SLO request returns an error.

## #3019 Update fontawesome to v5 (LTS)

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3019
Updated: 2024-03-27T10:55:07Z
Author: Benjamin Demarteau
Milestone: 2.20.0

### Summary

Font Awesome 4, which was [added a few months ago](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/322), is great, but the next LTS has been available for a long time and has a lot more icons to choose from.

### Design proposition

Migrating from v4 to v5 should be mostly painless (cf https://fontawesome.com/v5/docs/web/setup/upgrade-from-v4). Not sure if there are attention points.

## #3015 Minimal skin to help developers

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3015
Updated: 2024-03-27T10:04:16Z
Author: Yadd
Milestone: 2.20.0
Assignee: Yadd

LLNG is distributed with a bootstrap skin. We decided some years ago to stop developing alternative skins because it requires too much work.

However, creating a custom skin is a lot of work if one wants to change for example bootstrap to something else.

Proposition:

* continue to distribute LLNG with one elaborated skin
* add a very minimal skin, "_ready-to-be-changed_":
  * no CSS
  * minimize `portal.js` dependencies (maybe `jQuery` isn't really needed) **or** build it using a modern way _(Typescript + rollup)_
  * no tabs and such CSS-based scripts...: Choice will simply provide `<ul><li>`
  * move dependencies from common/*tpl to bootstrap/*.tpl

NB: this skin could also be used to simplify HTML parsing inside Perl tests.

## #3006 OIDC shouldn't rotate keys when they are fixed in lemonldap-ng.ini

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3006
Updated: 2023-11-20T16:27:28Z
Author: Yadd
Milestone: In discussion

## #3000 Implement continuations in the portal login flow

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3000
Updated: 2023-10-10T13:31:15Z
Author: Maxime Besson
Assignee: Maxime Besson

### Summary

The LemonLDAP::NG portal is centered around the idea of running a list of methods (with `do`) in order (extractFormInfo, getUser, etc).

But this flow generally needs to be interrupted at some point for user interaction:

* Entering credentials
* Entering 2FA
* Showing notifications
* Showing info
* etc.

Each component of LemonLDAP::NG has its own way of doing that. Generally a OneTimeToken is used, but not always.

* Issuer saves the request environment
* 2FA saves sessionInfo + a couple other fields
* Notifications encrypt the session cookie but require `$req->data->{url}` to be persisted
* etc.

There are literally dozens of bugs, maybe more, caused by the fact that the current `$req` object needs to be serialized before the interaction and restored after, and this is done incorrectly.

There are many bugs caused by interactions that arise from the fact that some early part of the processing sets something in `$req->data` that is needed later, but not restored correctly.

There are also many bugs caused by the fact that some extra steps are stored in `$req->steps` but not restored after an interaction.

### Design proposition

We need to create a generic system for storing the request state during a user interaction, including `$req->steps`. This system should be used by every part of LemonLDAP::NG that needs to interrupt the current flow to display a page.

I will update this issue with a design proposal later, but it will take a lot of time to implement this correctly, and require many preliminary steps.

## #2999 Better Session API

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2999
Updated: 2024-03-27T09:45:47Z
Author: Maxime Besson
Milestone: 2.20.0
Assignee: Maxime Besson

The current session API is not very satisfying:

* We use the same method to create and update a session (getApacheSession), which leads to bugs when `$id` is unexpectedly `undef`, or when creation works but setting attributes fails
* Error reporting is difficult (we need to test `$session->error`) and incomplete (#2995)
* Locking is not supported in most backends, which may cause bugs on high load
* Implementation is difficult to debug (use of `tie` behind the scenes, etc)

We should work on a new session API with cleaner methods, maybe we could even replace Apache::Session completely since I'm pretty sure no one uses Apache::Session::Browseable except for us, and Browseable backends are the recommended way to deploy LemonLDAP::NG?

## #2982 Allow specifying a Radius failover server

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2982
Updated: 2023-10-10T15:15:47Z
Author: Maxime Besson
Milestone: 2.18.0
Assignee: Maxime Besson

### Summary

Currently, Auth::Radius and 2F::Radius can only point to one server. Authen::Radius allows a NodeList to be specified.

### Design proposition

Split radiusServer/radius2fServer on space and populate NodeList.

## #2975 Allow admin to choose key size during certificate generation

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2975
Updated: 2023-07-24T09:47:00Z
Author: Yadd
Milestone: 2.17.0
Assignee: Yadd

### Summary

The helper to generate new SAML certificates uses a fixed key size (2048).

### Design proposition

The idea here is to add a parameter in the manager UI to change this size.

## #2973 Implement pluggable password policies

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2973
Updated: 2023-12-07T13:33:16Z
Author: Maxime Besson
Milestone: 2.18.0
Assignee: Maxime Besson

Adding password policy checks is currently pretty hard to do (see #2971, #2652). It involves:

* Writing a plugin to implement the behavior
  * by definition
* Adding manager options
  * no way around this for now
* Adding translation labels
  * no way around this for now
* Adding frontend code to portal.coffee/portal.js
  * should not be needed
* Adding a bunch of template variables to Display.pm + some plugins (PasswordReset.pm)
  * should not be needed
* Modifying existing templates
  * maybe not needed?

This is much too complex, in the sense that it involves too many different components.

We need to make it simpler (fewer components involved) by providing hooks or portal methods that let plugins easily inject JS code, HTML templates, etc. into pages.

The new Captcha system (#2692) could be taken as inspiration.

## #2972 Better OIDC keys management

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2972
Updated: 2023-07-13T13:07:01Z
Author: Yadd
Milestone: 2.17.0
Assignee: Yadd

## #2970 Provide all applications information through REST service GET /myapplications

URL: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2970
Updated: 2023-10-02T14:26:58Z
Author: Clément OUDOT
Milestone: 2.17.0
Assignee: Clément OUDOT

We should add tooltip and icon/svg icon in the REST service which returns the application list.

Linked to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2853