# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2024-03-27T10:54:34Z)

## Conf test: should warn when auth is Choice and userDB isn't set to Choice or Same
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3109 | Updated: 2024-03-27T10:54:34Z | Author: Yadd

Not an error but often a mistake

Milestone: 2.19.0 | Assignee: Yadd

## Manager diff viewer doesn't work when adding new macro named "groups"
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3107 | Updated: 2024-03-27T09:44:46Z | Author: Maxime Besson

### Affected version
Version: 2.18.2
### Summary
* Edit configuration to add a new macro named "groups", any value
* Try to view configuration diff with previous version
* "Error: undefined"
It also happens on any configuration screen that lets you enter key/value maps (exported variables, etc)
It also happens if you use "macros" as the key, and possibly other keys that match top-level configuration keys
### Logs
```
FastCGI sent in stderr: "Can't use string (""somevalue"") as a HASH ref while "strict refs" in use at /usr/share/perl5/Lemonldap/NG/Manager/Conf/Diff.pm line 93
```

Milestone: 2.19.0 | Assignee: Maxime Besson

## manager API: allow registration of 2FA
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3097 | Updated: 2024-03-27T08:34:27Z | Author: Maxime Besson

For now the 2FA endpoints of the manager API do not support creating new 2F devices
We should provide endpoints for writing to _2fDevices conveniently
TODO: create new persistent session

Milestone: 2.19.0 | Assignee: Maxime Besson

## Lemonldap-NG-Manager: Test suite fails with bleadperl (perl 5.39.x)
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3085 | Updated: 2024-01-17T09:48:54Z | Author: Clément OUDOT

See RT https://rt.cpan.org/Public/Bug/Display.html?id=150959

Milestone: 2.18.2 | Assignee: Yadd

## Add messaging broker support to share instantaneously events like logout or configuration update
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051 | Updated: 2024-03-27T10:53:38Z | Author: Yadd

We can propose here a plugin system like logger interface. Proposed plugin list:
* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)
Such system can also provide a backend for a better "status" system

Milestone: 2.20.0

## [security:low] LLNG admins can disable Safe jail and run commands on the server
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2980 | Updated: 2023-12-20T13:06:32Z | Author: Maxime Besson

With the Safe jail turned off, it is possible to run commands on the servers by abusing Perl backticks:
![image](/uploads/5f38554fa55a87f6c42a4e066b0ef87a/image.png)
![image](/uploads/af977ce285da5633f5fdbc38883f0b0d/image.png)
Using this, an admin who only has access to the manager can gain shell access to the server (as the apache user, but still)
If the Safe Jail (which prevents this) is on, the rogue admin can disable it easily from the manager.
It would be nice to make this feature impossible to disable in the manager to make sure an SSO admin cannot exploit this vulnerability. A simple way to do that is to set useSafeJail=1 in lemonldap-ng.ini but it's not done by default
We should at least do that, and maybe remove the setting from the manager completely too?

Milestone: 2.18.0 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Allow admin to choose key size during certificate generation
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2975 | Updated: 2023-07-24T09:47:00Z | Author: Yadd

### Summary
The helper to generate new SAML certificates uses a fixed key size (2048)
### Design proposition
The idea here is to add a parameter in the manager UI to change this size

Milestone: 2.17.0 | Assignee: Yadd

## Append a conf test to check if password generation regexp matches LLNG password policy
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2951 | Updated: 2024-03-27T10:05:09Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Affected version
Version: All
Platform: All
### Summary
When saving conf, a test should warn if password generation RegExp does not match the LLNG password policy

Milestone: 2.20.0 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Manager should accept mobile-style URL in OIDC callbacks
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2948 | Updated: 2023-06-23T07:34:14Z | Author: Yadd

### Affected version
Version: %2.16.x
### Summary
When using a custom mobile url in authorized callbacks, Manager rejects the configuration. Example: teammail.mobile://oidc/callback

Milestone: 2.17.0 | Assignee: Yadd

## Possibility to generate partner SP metadata from entityID and ACS
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2937 | Updated: 2024-03-27T10:57:26Z | Author: Clément OUDOT

Nowadays a lot of applications are not providing their SP SAML metadata, but only entityID and ACS URL (and if lucky a certificate).
We are forced to write the metadata content with this information (or generate it from https://www.samltool.com/sp_metadata.php)
It could be nice to have a feature in Manager to do this.

Milestone: 2.20.0

## Manager warning when a config test needs confirmation is confusing
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2911 | Updated: 2023-04-13T07:51:00Z | Author: Maxime Besson

### Concerned version
Version: 2.16.1
### Summary
Here is the display when a configuration test requires confirmation:
![image](/uploads/62d2513c68a38de78aafe5c76bf25be1/image.png)
The warning about a new configuration being available has nothing to do with the actual error (a configuration test failed)
We need to clarify this
### Possible fixes
better wording when a new config has been published:
![image](/uploads/ea3e5645400b5b86498d0ffbe96c25ac/image.png)
when a config test failed:
![image](/uploads/6b196a3f8ae888a8ed32e2761643bb9d/image.png)

Milestone: 2.17.0 | Assignee: Maxime Besson

## Manager viewer uses the wrong endpoints to read conf
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909 | Updated: 2023-05-09T08:55:38Z | Author: Maxime Besson

### Concerned version
Version: 2.16.1
### Summary
Configuring this:
```
[manager]
enabledModules = viewer, sessions, 2ndFA
defaultModule = viewer
```
does not work: the manager viewer uses GET /confs/xxx to read config values instead of GET /view/xxx
This is a regression in c330347f3c20dcfa7fb26ddf0bc701283c62478f
replacing confPrefix by viewPrefix in viewer.coffee seems to fix the issue
TODO:
* [x] Fix issue
* [x] Update viewer.rst doc to give a working example of vhost rules

Milestone: 2.16.2 | Assignee: Maxime Besson

## Manager customCSS not available with minified files
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2907 | Updated: 2023-04-02T10:25:47Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: %2.X
Platform: All
### Summary
customCSS file is not included in manager/header.tlp

Milestone: 2.16.2 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Be more consistent with plugins sending an email
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2886 | Updated: 2023-03-28T14:34:26Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Summary
Password, CertificateReset and RegisterNewAccount management plugins options and doc are not consistent.
### Design proposition
Harmonize tree

Milestone: 2.16.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Manager API: add methods to get login history
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2884 | Updated: 2023-04-24T15:46:59Z | Author: Maxime Besson

### Summary
Currently, if we want to get a user's login history, we need to either:
* enable restSessionServer on portal (security risk), compute the persistent session ID ourself, and call restSessionServer, parse the output (make sense of failedLogin/successLogin), etc
* query the session backend directly (which is probably even worse)
### Design proposition
Add new high level methods in the manager api:
* /api/v1/history/uid : returns a JSON array of previous attempts, ordered by date (and not by success/failure)
* /api/v1/history/uid/lastsuccess : returns the last successful login
(we can add more methods later)

Milestone: 2.17.0 | Assignee: Maxime Besson

## Errors in Manager FR translations
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2876 | Updated: 2023-03-31T20:45:25Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: %2.0.16
Platform: All
### Summary
Bad FR options translation
![image](/uploads/5c5b20aac5e4d1a2d972c13e564db1aa/image.png)
Maybe duplicated entries

Milestone: 2.16.1 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Possible bug in manager related to adaptativeAuthenticationLevelRules
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2871 | Updated: 2023-02-25T10:57:20Z | Author: Davide Bozzelli

In 2.0.16, when in the manager I try to add an adaptive auth rule by inserting for example:
As key: $env->{REMOTE_ADDR} =~ /^192\.168\./
As value: +3
I receive the following error:
adaptativeAuthenticationLevelRules/$env->{REMOTE_ADDR} =~ /^192\.168\./: Bad regular expression
As this is simply the example reported in the inline help, I would imagine there is some bug in the parsing of the rule.
Thx

Milestone: 2.16.1 | Assignee: Maxime Besson

## Improve accountability of 2FA devices
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2858 | Updated: 2023-07-06T13:21:15Z | Author: Maxime Besson

Currently, there is not much consistency when it comes to accounting 2FA operations (device add, use, deletion).
* Some logs use type + name (TOTP add)
* Some logs use type only (TOTP delete, using 2F to log in)
* Some logs use type + epoch (WebAuthn add)
* Some operations are not logged at all (Webauthn delete, manager delete, API delete)
And the format differs every time
We should decide what to log exactly (name? epoch? both), use a common format (123456789@TOTP ? [TOTP]My_iphone ?) and log all the information every time a 2FA device is involved
What are your opinions on what to log @clement_oudot / @maudoux ? Is epoch (a technical ID) more interesting than name (a user-supplied string) ?

Milestone: 2.17.0 | Assignee: Maxime Besson

## Append an option to override manager drop-down menu links
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2855 | Updated: 2023-01-30T21:13:17Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Summary
We have got an internal LLNG instance with manager and portal (manager.sso.internal.com and auth.sso.internal.com) to protect our internal applications.
We also have got an external LLNG instance on the Internet (manager.sso.external.com and auth.sso.external.com). But, the manager is protected and accessible by using the internal instance only and portal can be reached from internal (admin access) and external network. From internal instance, external manager can be reached with external-manager.sso.internal.com URL and DMZ. But drop-down menu links in Manager refer to the conf external URL (auth.sso.external.com).
### Design proposition
Append an option in lemon.ini to override portal links

Milestone: 2.0.16 | Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Configuration corruption due to accented characters
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2847 | Updated: 2023-08-02T12:58:53Z | Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: all
Platform: Nginx + uWSGI
### Summary
LL::NG instance has crashed (out of memory) due to accented characters and a re-encoding issue that leads to a conf. corruption.
Normal conf. size near 600ko and corrupted conf. size near 280Mo!
### Logs
![image](/uploads/d7ab46baa142647e315118ca4a1de162/image.png)
### Backends used
PGSQL
### Possible fixes
Append an option to remove all accented or non printable characters.
Append a warning in Manager if conf. size is out of customizable bounds

Milestone: 2.17.0 | Assignee: Maxime Besson