# lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2021-01-08T17:21:51Z

## LLNG cli tools are not in PATH after package install
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2423
Updated: 2021-01-08T17:21:51Z
Author: Maxime Besson

lemonldap-ng-cli, lemonldap-ng-sessions, convertConfig, convertSessions, etc., are not in PATH after a package install. This hurts the discoverability of these tools, and makes using them more inconvenient in general.
We should decide on a consistent naming scheme (lemonldap-ng-convert-sessions for example) and install all these commands in /usr/sbin when using RPMs and DEBs.

Milestone: 3.0.0

## Update conf in all threads simultaneously
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1475
Updated: 2018-07-12T17:51:36Z
Author: Yadd

### Summary
Today, when conf is updated in local cache, each thread reads it between 0 to 10 minutes, so in the same server, during 10 minutes, configuration isn't consistent.
### Design proposition
We could add a communication channel between all threads (like "status"). If one thread discovers a new conf, it will indicate to all the others that they should reload it.

Milestone: Backlog
Assignee: Yadd

## Implement continuations in the portal login flow
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3000
Updated: 2023-10-10T13:31:15Z
Author: Maxime Besson

### Summary
The LemonLDAP::NG portal is centered around the idea of running a list of methods (with `do`) in order.
(extractFormInfo, getUser, etc)
But this flow generally needs to be interrupted at some point for user interaction:
* Entering credentials
* Entering 2FA
* Showing notifications
* Showing info
* etc.
Each component of LemonLDAP::NG has its own way of doing that. Generally a OneTimeToken is used, but not always.
* Issuer saves the request environment
* 2FA saves sessionInfo + a couple other fields
* Notifications encrypt the session cookie but require $req->data->{url} to be persisted
* etc.
There are literally dozens of bugs, maybe more, caused by the fact that the
current `$req` object needs to be serialized before the interaction and
restored after, and this is done incorrectly.
There are many bugs caused by interactions that arise for the fact that some
early part of the processing sets something in `$req->data` that is needed
later, but not restored correctly.
There are also many bugs caused by the fact that some extra steps are stored in
`$req->steps` but not restored after an interaction.
### Design proposition
We need to create a generic system for storing the request state during a user
interaction, including `$req->steps`. This system should be used by every part
of LemonLDAP::NG that needs to interrupt the current flow to display a page.
I will update this issue with a design proposal later, but it will take a lot
of time to implement this correctly, and require many preliminary steps.

Assignee: Maxime Besson

## improve Content-Security-Policy handling
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2514
Updated: 2022-05-01T09:37:03Z
Author: Maxime Besson

### Summary
The way CSP currently works could be improved. Currently all the work is done in sendHtml().
Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options.
We should instead let each module/LLNG feature handle its own CSP (see `$req->data->{cspFormAction}`).
### Design proposition
Example of a better API, in Choice.pm
<pre>
$req->setCSP("form-action", $url);
</pre>
or when embedding an iframe:
<pre>
$req->setCSP("frame-src", $url);
</pre>
( see also #2513 )

Milestone: 3.0.0
Assignee: Maxime Besson

## LLNG should not rely on virtual hosts so much
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2285
Updated: 2023-11-13T13:34:01Z
Author: Maxime Besson

The current model of LLNG is heavily based around "Virtual Hosts" and the notion of having a common domain for portal, manager, 'reload' and apps, but three (at least) different hostnames.
But we have many users who do not use the handler at all, and instead only use the SAML/OIDC issuers. For them, having to dedicate an entire subdomain to LemonLDAP makes little sense.
We have users who would like to deploy LLNG components in a sub-path: the manager in /manager, for example. Or even, the portal in /portal, why not! And maybe apps in /test1 and /test2?
This would allow us to run an entire "demo instance" under a single URL, without even requiring apache or nginx, just plackup! No more DNS or /etc/hosts issues. Much easier for us devs, too, no more `make start_web_server`.
Good news: because the LLNG router uses `$req->path`, it wouldn't take a huge amount of work to achieve this. (but it will take a lot of testing). Mostly we would just have to write a new handler type that does not depend on the VHost name, but perhaps on a FastCGI environment variable set by the admin within a `location` block. The regexp in this new handler type would only be matched against `$req->path` instead of the entire URL. This handler could solve #2238 too.
Opening this low-priority ticket for discussion, and so I can have a reference to put in commits when I do little improvements towards this long-term goal.

Milestone: 3.0.0
Assignee: Maxime Besson

## Validate XML SP metadata
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1434
Updated: 2018-10-08T13:35:52Z
Author: Pascal Pejac

### Summary
When you upload or copy metadata for a new SP in the SAML section, the metadata is not validated with an XML parser.
If you have a mistake in your XML (like not encoding a special character such as "&" in a URL, for example), no error is shown in the UI.
Moreover, SAML is not working for other SPs due to this error.
### Design proposition
When the form is submitted, run an XML parser validation before saving the metadata, and if an error occurs, display an error message.

Milestone: Backlog
Assignee: Clément OUDOT

## Support SAML subject-id and pairwise-id natively
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3127
Updated: 2024-03-27T13:29:12Z
Author: Maxime Besson

subject-id and pairwise-id are replacements for SAML NameIDs in use in Renater/Edugain federations:
https://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/cs01/saml-subject-id-attr-v1.0-cs01.html
Currently, subject-id and pairwise-id can be enabled via a macro, but this is complex to configure. Especially pairwise-id which must be configured as a per-SP macro for all SPs
Maybe we should natively implement subject-id and pairwise-id through simple options in SAML SP configs.

Milestone: 2.20.0
Assignee: Maxime Besson

## Allow multiple TOTP devices to be registered
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3126
Updated: 2024-03-27T10:11:12Z
Author: Maxime Besson

### Summary
Currently it is possible to register multiple Webauthn devices, but not multiple TOTP.

Milestone: 2.20.0
Assignee: Maxime Besson

## Allow users to configure WebAuthn relying party ID
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3124
Updated: 2024-03-20T13:29:26Z
Author: Maxime Besson

### Summary
Some users want to use an external system to register WebAuthn credentials
This requires a given WebAuthn device to share credentials between the portal and the registration system
### Design proposition
Allow the RP ID to be configured in 2F::WebAuthn.

Milestone: 2.19.0
Assignee: Maxime Besson

## Minimal LDAP server load-balancing
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3118
Updated: 2024-03-08T14:10:26Z
Author: Yadd

[Net::LDAP](https://metacpan.org/pod/Net::LDAP) provides a way to have more than one LDAP server, which permits having a fallback. However, it always tries servers in the same order. This has some issues:
- only one server is used
- when the first server is down, all LDAP connections are slowed down to wait for first failure
# Design proposition
This should be pushed to [Lemonldap::NG::Portal::Lib::Net::LDAP](lemonldap-ng-portal/blib/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm) and [Apache::Session::Browseable](https://metacpan.org/pod/Apache::Session::Browseable).
```perl
# Shared across all connections of this process
our %knownDown;               # URI => 1 when the server last failed
our %knownLdapServerStrings;  # ldapServer config string => arrayref of URIs

# Sort callback: servers known to be down go to the end of the list
sub sortDead {
    return 1  if $knownDown{$a} and !$knownDown{$b};
    return -1 if $knownDown{$b} and !$knownDown{$a};
    return 0;
}

# ...

sub new {
    my ( $class, $conf ) = @_;
    # ...

    # Split the server list once per distinct ldapServer string
    # (split in list context; fall back to localhost when unset)
    $knownLdapServerStrings{ $conf->{ldapServer} } ||=
      [ split( /\s+/, $conf->{ldapServer} || 'localhost' ) ];

    # Simple round-robin if asked: rotate the shared list by one
    if ( $conf->{ldapRoundRobbin} ) {
        my $head = shift @{ $knownLdapServerStrings{ $conf->{ldapServer} } };
        push @{ $knownLdapServerStrings{ $conf->{ldapServer} } }, $head;
    }

    # Push servers which have failed to the end of the list
    my @uris  = sort sortDead @{ $knownLdapServerStrings{ $conf->{ldapServer} } };
    my $first = $uris[0];

    # ... create the Net::LDAP object ($self) using \@uris

    # Update %knownDown:
    # the server chosen by Net::LDAP is up
    delete $knownDown{ $self->{net_ldap_uri} };

    # If Net::LDAP did not pick the first URI, the first LDAP server is down
    # (string comparison: URIs are strings, so "ne" rather than "!=")
    if ( $self->{net_ldap_uri} ne $first ) {
        $knownDown{$first} = 1;
    }
    # ...
}
```
@clement_oudot, @maxbes: what do you think?

Milestone: In discussion
Assignee: Yadd

## Restart authentication process when error is linked to token expiration
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3116
Updated: 2024-03-27T10:59:00Z
Author: Clément OUDOT

Currently, when the security token is expired (`Returned error: 82 (PE_TOKENEXPIRED)`), we end up on the error page and the user must return to the portal to restart the authentication process.
It could be better to display the error on the login form so the user can directly restart the authentication process.

Milestone: 2.20.0

## Display an error message when issuer context is not restored
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3092
Updated: 2024-01-25T15:49:33Z
Author: Maxime Besson

### Affected version
Version: 2.18.1
### Summary
* Configure LLNG as an SAML/OIDC or CAS issuer
* Initialize login from a SP
* Log in using 2FA, SAML or something else that takes longer than issuersTimeout to perform
* Login works, but you are redirected either to the portal (SAML/CAS) or an error message (OIDC)
### Logs
```
[INFO] Bad (or expired) token 1706124567_32351
[ERROR] Unknown response type:
```
### Possible fixes
The user often gets confused about ending up on the portal, we should at least give them an error message that says they took too long so that they can understand why the application isn't displayed.

Milestone: 2.19.0
Assignee: Maxime Besson

## Remove XML::Simple (again)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3056
Updated: 2024-03-27T08:18:27Z
Author: Maxime Besson

Same as #1491 but in 2.0 branch.

Milestone: 2.20.0
Assignee: Maxime Besson

## Add messaging broker support to share instantaneously events like logout or configuration update
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051
Updated: 2024-03-27T10:53:38Z
Author: Yadd

We can propose here a plugin system like the logger interface. Proposed plugin list:
* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)
Such a system can also provide a backend for a better "status" system.

Milestone: 2.20.0

## Allow auto-detection of portal URL and domain
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3040
Updated: 2024-03-28T10:35:05Z
Author: Maxime Besson

One of my LLNG instances needs to be reached by internal and external users but on a different URL.
The portal uses `$self->conf->{portal}` and `$self->conf->{domain}` to get its own URL and cookie domain. But it doesn't work in this particular use case, because in my use case the portal and domain depend on `$req`.
This is similar to #933, but I think the fix proposed there no longer works since the migration to PSGI.
In the handler: it's probably not too difficult to do because every access to the portal URL goes through $class->tsv->portal. We just need to pass `$req` to it.
In the portal: we need to replace all calls to `$self->conf->{portal}` and `$self->conf->{domain}` with methods such as `getPortalUrl($req)` and `getDomain($req)`. This will require a lot of refactoring, but I think it's a good idea because users will no longer have to define the `portal` and `domain` configuration variables in most cases.
This is also a requirement of #2285
If I can find sponsorship for this feature I might implement it in 2.19.

Milestone: 2.19.0
Assignee: Maxime Besson

## Update fontawesome to v5 (LTS)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3019
Updated: 2024-03-27T10:55:07Z
Author: Benjamin Demarteau

### Summary
Font awesome 4, which was [added a few months ago](https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/322), is great, but the next LTS has been available for a long time and has a lot more icons to choose from.
### Design proposition
Migrating from v4 to v5 should be mostly painless (cf https://fontawesome.com/v5/docs/web/setup/upgrade-from-v4). Not sure if there are attention points.

Milestone: 2.20.0

## Minimal skin to help developers
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3015
Updated: 2024-03-27T10:04:16Z
Author: Yadd

LLNG is distributed with a bootstrap skin. We decided some years ago to stop developing alternative skins because it requires too much work.
However, creating a custom skin is a huge amount of work if one wants to change, for example, bootstrap to something else.
Proposition:
* continue to distribute LLNG with one elaborated skin
* add a very minimal skin, "_ready-to-be-changed_":
* no CSS
* minimize `portal.js` dependencies (maybe `jQuery` isn't really needed) **or** build it using a modern way _(Typescript + rollup)_
* no tabs and such CSS-based scripts...: Choice will simply provide `<ul><li>`
* move dependencies from common/*tpl to bootstrap/*.tpl
NB: this skin could also be used to simplify HTML parsing inside Perl tests.

Milestone: 2.20.0
Assignee: Yadd

## OIDC shouldn't rotate keys when they are fixed in lemonldap-ng.ini
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3006
Updated: 2023-11-20T16:27:28Z
Author: Yadd

Milestone: In discussion

## Better Session API
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2999
Updated: 2024-03-27T09:45:47Z
Author: Maxime Besson

The current session API is not very satisfying:
* We use the same method to create and update a session (getApacheSession) which leads to bugs when $id is unexpectedly `undef`, or when creation works but setting attributes fail
* Error reporting is difficult (we need to test `$session->error`) and incomplete (#2995)
* Locking is not supported in most backends, which may cause bugs on high load
* Implementation is difficult to debug (use of `tie` behind the scenes, etc)
We should work on a new session API with cleaner methods, maybe we could even replace Apache::Session completely since I'm pretty sure no one uses Apache::Session::Browseable except for us, and Browseable backends are the recommended way to deploy LemonLDAP::NG?

Milestone: 2.20.0
Assignee: Maxime Besson

## SAML federation plugin should use Name instead of FriendlyName
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2967
Updated: 2024-03-27T10:04:42Z
Author: Maxime Besson

Currently, SAML federation defines *session attributes* => *SAML attributes* mapping based on the FriendlyName of the requested attribute:
```
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
```
Creates a "mail" > "urn:oid:0.9.2342.19200300.100.1.3" mapping
However, in the Edugain federation, some attributes have different FriendlyNames:
```
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="Email" isRequired="true"/>
```
which forces us to create macros to map "Email" => "$mail"
We must find a different way to handle SAML attributes in federation, perhaps ship a dictionary for standard attributes, and let the users do the mapping themselves?

Milestone: 2.20.0
Assignee: Maxime Besson