# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2023-10-08T16:40:55Z)

## Update AuthBasic handler doc : REST server is required
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1700 (2023-10-08T16:40:55Z, Chris A)
### Concerned version
Version: %"2.0.2"
Platform: Nginx
### Summary
Authentication via basic auth using LDAP seems to lose track of its sessions. It correctly authenticates to LDAP, but then denies the client. This creates many sessions in the database, one for each client connection, which can quickly overload the database.
### Logs
```
pr 02 21:52:51 janus2 LLNG[27146]: Session c8023fb986d5c2e0928ab64d83465516 can't be retrieved
Apr 02 21:52:51 janus2 LLNG[27146]: Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/File.pm line 98.
Apr 02 21:52:51 janus2 LLNG[27146]: Good REST authentication for systems.test
Apr 02 21:52:51 janus2 LLNG[27146]: Session c8023fb986d5c2e0928ab64d83465516 can't be retrieved
Apr 02 21:52:51 janus2 LLNG[27146]: Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/File.pm line 98.
Apr 02 21:52:54 janus2 LLNG[27148]: Session c8023fb986d5c2e0928ab64d83465516 can't be retrieved
Apr 02 21:52:54 janus2 LLNG[27148]: Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/File.pm line 98.
Apr 02 21:52:56 janus2 LLNG[27148]: Good REST authentication for systems.test
Apr 02 21:52:56 janus2 LLNG[27148]: Session c8023fb986d5c2e0928ab64d83465516 can't be retrieved
Apr 02 21:52:56 janus2 LLNG[27148]: Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/File.pm line 98.
Apr 02 21:52:57 janus2 LLNG[27152]: Session c8023fb986d5c2e0928ab64d83465516 can't be retrieved
Apr 02 21:52:57 janus2 LLNG[27152]: Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/File.pm line 98.
Apr 02 21:52:59 janus2 LLNG[27152]: Good REST authentication for systems.test
Apr 02 21:52:59 janus2 LLNG[27152]: Session c8023fb986d5c2e0928ab64d83465516 can't be retrieved
Apr 02 21:52:59 janus2 LLNG[27152]: Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/File.pm line 98.
```
### Backends used
Authentication/Users/Password = LDAP
localStorage=Cache::FileCache
Session storage = Apache::Session::File (was LDAP, but changed due to the number of sessions being written)
Milestone: 2.0.3. Assignee: Yadd.

## Authentication level for REST and GPG authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1699 (2019-04-21T19:52:25Z, Alexandre LINTE)
### Summary
Add authentication level for REST/GPG Authentication.
### Design proposition
Add in the configuration menu a default value for REST/GPG authentication (default 2/3) and the possibility to change it under REST/GPG parameters menu.
Milestone: 2.0.3. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Remove unnecessary antiframe protection in portal javascript
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1696 (2019-04-10T21:16:57Z, Clément OUDOT)
In 2.0, we use CSP to disable portal in a frame:
```
# Deny using portal in frame except if it is required
unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
push @{ $res->[1] }, 'X-Frame-Options' => 'DENY';
$csp .= "frame-ancestors 'none';";
}
```
But we still have a javascript in portal to disable frame. I think this one should be removed.
Milestone: 2.0.3. Assignee: Clément OUDOT.

## Disable CSRF token with AuthBasic
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1694 (2019-04-10T07:23:33Z, Christophe Maudoux, chrmdx@gmail.com)
### Summary
When using AuthBasic handler, CSRF token is required.
### Design proposition
Append a configuration option to set IP addresses to disable the token for those **specific IP addresses**.
Using an IP-based rule avoids the security issue.
Indeed, the AuthBasic handler is mostly used by servers, so an administrator can set IP addresses to bypass token checking.
Milestone: 2.0.3. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Add granted log for user and connexion informations
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1687 (2019-03-27T21:13:13Z, Antoine Rosier)
Logging user action :
Missing granted user action in logs, like in previous lemonldap versions.
Message: "Session granted for user...."
Missing user IP address.
Add authentication type (LDAP, SSL, SAML, etc.)
Milestone: 2.0.3. Assignee: Yadd.

## Change behavior with SAML mandatory/optional attributes in SAML Issuer
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1681 (2019-04-03T14:41:19Z, Clément OUDOT)
Currently, in our SAML IDP implementation, if an attribute is mandatory, an error is displayed if the user doesn't have this attribute in their session. And if an attribute is optional, it is never sent in the SAML response; it is only available in attribute request.
I propose to send the optional attribute in the SAML response if there are values in the user session.
Milestone: 2.0.3. Assignee: Clément OUDOT.

## Display "authentication in progress" when using Ajax with Kerberos
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1670 (2019-03-12T08:38:25Z, Clément OUDOT)
In 1.9, we had a small banner with "authentication in progress" when using Kerberos with Ajax. In 2.0, we just have the login form, which is annoying for the end user, who can try to log in instead of waiting for Kerberos authentication.
Milestone: 2.0.3. Assignee: Clément OUDOT.

## As IDP SAML, do not try to send SLO response if no SLO endpoint defined in SP metadata
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1668 (2019-04-03T09:23:05Z, Clément OUDOT)
When using LL::NG as SAML IDP with Shibboleth SP (in Renater), we discovered that the SP can send an SLO request to the IDP, but has no SLO endpoint to get the SLO response.
The SAML specification (saml-profiles-2.0-os) says the IDP *MUST* send an SLO response:
```
4.4.3.5 Identity Provider Issues <LogoutResponse> to Session Participant
After processing the original session participant's <LogoutRequest> as described in the previous steps
the identity provider MUST respond to the original request with a <LogoutResponse> containing an
appropriate status code to complete the SAML protocol exchange.
The response is sent to the original session participant, using a SAML binding consistent with the binding
used in the original request, the capability of the responder, and the availability of the user agent at the
identity provider. Assuming an asynchronous binding was used in step 1, then any binding supported by
both entities MAY be used.
```
But if we don't have the SLO endpoint in SP, the logout process ends with an error 500:
```
Mar 5 17:35:08 cchum-epcc-refid-llng1-dev LLNG[13043]: Lasso error [ critical ]: 2019-03-05 17:35:08 (profile.c/:1287) Unable to find Profile URL in metadata
Mar 5 17:35:08 cchum-epcc-refid-llng1-dev LLNG[13043]: Lasso error code -410: Unable to find Profile URL in metadata
Mar 5 17:35:08 cchum-epcc-refid-llng1-dev LLNG[13043]: Error 500: Unable to build SLO response
```
Even if this is not fully compliant with the SAML specification, I think we should not try to send the SLO response if the endpoint is not defined, or catch the error to display it in the logs, but end the process with a redirection to the IDP logout page to have clean behavior from the end user's side.
Milestone: 2.0.3. Assignee: Maxime Besson.

## Display errors on login form
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1666 (2019-03-27T13:07:51Z, Clément OUDOT)
Since 2.0, we have a behavior change in how errors are displayed. For example, when you enter the wrong password, we use the error template and we don't see the login form anymore. The side effect is that we lose the initial context, as the "go to portal" button is using the cancel parameter to clean pdata. This parameter is mandatory in some cases, so we can't remove it.
We should have the possibility to display some errors on the login form, or on the password form.
Milestone: 2.0.3. Assignee: Clément OUDOT.

## Restore possibility to hide message in portal template
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1660 (2019-04-10T21:15:25Z, Clément OUDOT)
In LL::NG 1.9, we had the possibility to override an error message to hide it in the template.
For example:
```
[portal]
error_9 = 0
```
This was working as the template parameter `AUTH_ERROR` was filled with the text message, so this test in template could hide the message box:
```
<TMPL_IF NAME="AUTH_ERROR">
<div class="message message-<TMPL_VAR NAME="AUTH_ERROR_TYPE"> alert">...
</TMPL_IF>
```
In 2.0, the `AUTH_ERROR` contains the message number, so this test is not accurate anymore.
But we should find a way to hide the message box if we need it to customize the skin.
Any idea is welcome.
Milestone: 2.0.3. Assignee: Clément OUDOT.

## Allow failback to default skin when a template is not found in custom theme
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1653 (2019-07-04T14:44:16Z, Clément OUDOT)
When upgrading to 2.0.2, people with custom templates have an error because new templates (gpgform, sslformChoice) are absent.
We should maybe change the way we load templates: first check the template in the current skin, and if not present, use the template from the bootstrap skin. This would allow putting in a custom skin only the templates that are different from the bootstrap skin.
Milestone: 2.0.3. Assignee: Clément OUDOT.

## Disable cache on portal page
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1651 (2020-06-10T19:40:01Z, Clément OUDOT)
With some browsers, the login page is cached and we get an error as the security token is invalid (it has not been regenerated).
We should update our response headers so that portal pages are not cached by browsers.
Milestone: 2.0.3. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Possibility to override message with a custom JSON file in template
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1595 (2019-03-26T13:16:50Z, Clément OUDOT)
Instead of editing the lemonldap-ng.ini file to override translations, we could try to read a JSON file in the template directory and use it to override messages.
Milestone: 2.0.3. Assignee: Clément OUDOT.

## Option to override IDP entityID
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1549 (2019-03-13T09:56:35Z, Clément OUDOT)
Some federation systems do not allow the SP and IDP modules to share the same entityID. This is the case in Renater.
We could add an option to override the entityID of the IDP and set this value in authn responses, like we do for Office 365 with the domain parameter.
Sadly we can't use the ?domain=test trick with Renater, as the special characters are not allowed in the URL. So we should have, for example, this entityID for the SP: https://auth.example.com/saml/metadata and this entityID for the IDP: https://auth.example.com/saml/idp-metadata
Milestone: 2.0.3. Assignee: Clément OUDOT.

## Improve log in Grant Session plugin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1739 (2019-05-06T17:11:00Z, Clément OUDOT)
The log is not accurate, as we output the message instead of the rule.
Milestone: 2.0.4. Assignee: Clément OUDOT.

## Highlight valid SSO sessions in sessions explorer
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1735 (2019-05-06T16:58:01Z, Christophe Maudoux, chrmdx@gmail.com)
### Summary
In the sessions explorer, all SSO sessions are displayed until expired sessions are purged by the cron job.
Milestone: 2.0.4. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Sort real and spoofed attributes in CheckUser and Session explorer
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1730 (2019-05-05T20:14:07Z, Christophe Maudoux, chrmdx@gmail.com)
### Summary
Sort user attributes in alphabetical order and by session type (Real or Spoofed) in the CheckUser plugin and Sessions explorer.
Milestone: 2.0.4. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Display error if SAML service is enabled without private and public keys signature
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1729 (2019-05-02T06:54:38Z, Christophe Maudoux, chrmdx@gmail.com)
### Concerned version
Version: %"2.0.4"
Platform: (Nginx/Apache/Node.js)
### Summary
Return error during conf saving to avoid a black screen with 500 internal server error
```
[error] SAML private and public key not found in configuration
[error]
[error] Underlying object can't load conf (Lemonldap::NG::Portal::Main->reloadConf)
Use of uninitialized value in string eq at /home/maudoux/lemonldap-ng/lemonldap-ng-handler/blib/lib/Lemonldap/NG/Handler/Lib/PSGI.pm line 23.
[error] Unable to protect this server (Lemonldap::NG::Common::Conf::Backends::File loaded.
Get remote configuration (localStorage unavailable).
Get configuration 2.)
[warn] [anonymous] Unable to protect this server (Lemonldap::NG::Common::Conf::Backends::File loaded.
Get remote configuration (localStorage unavailable).
Get configuration 2.)
[error] Error 500: Unable to protect this server (Lemonldap::NG::Common::Conf::Backends::File loaded.
Get remote configuration (localStorage unavailable).
Get configuration 2.)
auth.example.com:80 127.0.0.1 - - [01/May/2019:21:35:20 +0200] "GET /?cancel=1 HTTP/1.1" 500 2425
```
Milestone: 2.0.4. Assignee: Christophe Maudoux (chrmdx@gmail.com).

## Improve redirect page
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1728 (2019-05-11T15:36:13Z, Clément OUDOT)
Our current "redirection in progress" page is very simple. I think we should integrate it in the default template to keep at least the logo/background.
Milestone: 2.0.4. Assignee: Clément OUDOT.

## Allow unauthenticated clients on OIDC token endpoint
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1725 (2019-04-29T08:07:50Z, Clément OUDOT)
In our OIDC implementation, we always require an authentication on the token endpoint, but we need to also allow unauthenticated requests for public clients.
For such clients, we can then enable PKCE (see #1722).
Milestone: 2.0.4. Assignee: Clément OUDOT.