lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2020-04-12T15:13:13Z

## Auth Combination SSL/LDAP + VHOSTTYPE AuthBasic broken
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2141
Updated: 2020-04-12T15:13:13Z
Author: Erik Anders
### Concerned version
Version: %2.0.7
Platform: Nginx
### Summary
The following auth combination does not work, when using the AuthBasic handler:
```
[ad and ssl, ad] or [ad, ad]
```
### Logs
[lemonldap-auth-combination-failed.log](/uploads/a3ab2ae0d1d0f481a5e3198dc0cc54c3/lemonldap-auth-combination-failed.log)
### Backends used
- LemonLDAP-NG server with File Session Storage on sso.corp.example.com
- LemonLDAP-NG handler with REST Session Storage (pointing to sso.corp.example.com) on webmail-sso.intern.example.com
Nginx configuration on webmail-sso.intern.example.com:
```nginx
server {
    # ...
    location = /lmauth-basic {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
        # Drop POST data
        fastcgi_pass_request_body off;
        fastcgi_param CONTENT_LENGTH "";
        # Keep original hostname
        fastcgi_param HOST $http_host;
        # Keep original request (LLNG server will receive /lmauth-basic)
        fastcgi_param X_ORIGINAL_URI $request_uri;
        fastcgi_param VHOSTTYPE AuthBasic;
    }
    location ^~ /rpc.php/ {
        auth_request /lmauth-basic;
        auth_request_set $authuser $upstream_http_auth_user;
        fastcgi_param HTTP_LEMONLDAP_USER $authuser;
        auth_request_set $authpw $upstream_http_auth_pw;
        fastcgi_param HTTP_LEMONLDAP_PW $authpw;
        auth_request_set $lmauth_header $upstream_http_auth_header;
        fastcgi_param HTTP_AUTHORIZATION $lmauth_header;
        alias /var/www/horde-sso/rpc.php;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
```
### Possible fixes
The `$req->{user}` gets overwritten in `NG/Portal/Auth/SSL.pm` even if no certificate is present. `$req->{user}` is then empty when checking in `NG/Portal/Auth/LDAP.pm`.
A quick **not thoroughly tested** fix could be:
```patch
--- /usr/share/perl5/Lemonldap/NG/Portal/Auth/SSL.pm 2020-04-09 11:43:57.707126444 +0200
+++ /usr/share/perl5/Lemonldap/NG/Portal/Auth/SSL.pm 2020-04-09 11:44:25.318117340 +0200
@@ -39,7 +39,7 @@
$field = $tmp;
}
- if ( $req->user( $req->env->{$field} ) ) {
+ if ( $req->env->{$field} and $req->user( $req->env->{$field} ) ) {
$self->userLogger->notice( "GoodSSL authentication for " . $req->user );
return PE_OK;
}
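Review bot: the new guard on the `if` line tests `$req->env->{$field}` for Perl truthiness, so a value of `0` or an empty string is skipped exactly like an absent field; if only the empty case is meant to be excluded, `defined $req->env->{$field} and length $req->env->{$field}` is the more precise check. It would also help to emit a debug log when the field is absent, so that a combination that falls through from SSL to LDAP can be traced in the portal log; as written, the no-certificate path is silent.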
```
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## Append an option to define applications tooltip
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2140
Updated: 2022-11-21T17:25:12Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Summary
Applications tooltip (title tag) is the same as the app name
### Design proposition
Be able to define tooltip
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## logout forward doesn't work anymore
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2138
Updated: 2020-04-17T18:02:43Z
Author: dcoutadeur
### Concerned version
Version: at least %2.0.6 and %2.0.7
Platform: Apache
### Summary
In demo authentication or in choice authentication, logout forward is not called any more.
### Logs
```
[Wed Apr 8 17:56:12 2020] [LLNG:6468] [debug] [notice] User dwho has been disconnected from Demo (127.0.0.1)
[Wed Apr 8 17:56:12 2020] [LLNG:6468] [debug] Session d96f1ea16b3043c6002d108cfa20499eb15d170c6918d456828975ed1b1303ef deleted from global storage
[HERE]
[Wed Apr 8 17:56:12 2020] [LLNG:6468] [debug] Returned error: 47 (PE_LOGOUT_OK)
```
At the [HERE] mark, the logout transfer should appear.
I tried to debug a little further. It seems to happen in file:
`/usr/share/perl5/Lemonldap/NG/Portal/Main/Process.pm` line 192:
```
# TODO
# Collect logout services and build hidden iFrames
if ( $req->data->{logoutServices} and %{ $req->data->{logoutServices} } ) {
```
- in demo mode, `logoutServices` does not appear in any structure
- in choice mode, `logoutServices` appears in the `$req->data->enabledMods0` object
I don't really know how `logoutServices` is supposed to be provisioned into `$req->data`; does anybody have an idea?
### Backends used
- authentication: demo or choice(demo)
- userDB: Same
- Password: Demo
Milestone: 2.0.8. Assignee: dcoutadeur.

## Possibility to override language with a parameter in URL
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2136
Updated: 2020-07-24T16:14:50Z
Author: Clément OUDOT
The language of the portal is set with a cookie, or relies on the default browser settings if the cookie is not present.
We may need to force the display of the portal with a parameter in the URL, like `llnglanguage=fr` for example.
The difficulty is that the language choice is done in JavaScript on the client side.
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## Remove 'underscore' in notification reference
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2135
Updated: 2020-04-03T20:05:39Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Summary
We can create notifications with a reference including an 'underscore'.
But we can't remove them => 400 bad request (date/time value invalid)
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## Issues with removed second factors notification system
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2133
Updated: 2020-04-03T17:12:14Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %2.0.7
Platform: All
### Summary
Several issues:
- Error if notification system is not enabled => test loaded plugin
- Internal error if a 2nd notification has to be displayed => 2 notifications with the same reference
- Append manager test => display warning message
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## Make json does nothing if only a Portal constant is appended
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2131
Updated: 2020-04-02T19:57:44Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %2.0.X
### Summary
I appended a Portal constant and launched `make json`,
but no change was detected.
You have to edit Attributes.pm, launch "make json" and the new Portal constant is taken into account.
Milestone: 2.0.8. Assignee: Maxime Besson.

## Append password policy options to define and require special characters
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2130
Updated: 2020-04-03T08:47:20Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Summary
With %2.0.7 Password Policy we can set minUpper, minLower, minSize and MinDigit.
Setting minSpeChar and the allowed special characters is missing.
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## AuthenticationLevel based macros and groups should be updated with second factor
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2129
Updated: 2020-04-07T09:48:43Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %"2.0.X"
Platform: All
### Summary
I created a macro like this:
```
$_auth eq 'SSL' ? 'Card' : $authenticationLevel > 2 ? 'SFA' : 'LDAP'
```
$authenticationLevel is only 5 or 2.
Macros and groups are computed before second factor.
Only authenticationLevel is updated at the end of 2FA process.
Main/SecondFactor.pm
```perl
$self->userLogger->notice( $self->prefix
      . '2F verification for '
      . $req->sessionInfo->{ $self->conf->{whatToTrace} } );
if ( my $l = $self->conf->{ $self->prefix . '2fAuthnLevel' } ) {
    $self->p->updateSession( $req, { authenticationLevel => $l } );
}
```
### Possible fixes
Compute macros and groups again after a successful 2FA authentication
Any objections?
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## Prevent Portal to crash if a bad rule is used for enabling a plugin
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2126
Updated: 2020-04-01T13:54:59Z
Author: Christophe Maudoux <chrmdx@gmail.com>
### Concerned version
Version: %2.0.X
Platform: Nginx
### Summary
Enable ContextSwitching with a bad rule like this: `$uid ~= /dwho/`
### Logs
Black screen
### Possible fixes
Warn user, remove rule and disable plugin
Milestone: 2.0.8. Assignee: Christophe Maudoux <chrmdx@gmail.com>.

## Internal Server Error when REST backend does not return a JSON Object
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2125
Updated: 2020-04-16T13:47:25Z
Author: Maxime Besson
Currently, if a REST backend called by Auth::REST, 2F::REST, UserDB::REST (etc.) returns a string, the portal will show an error 500.
All current calls to `restCall` expect it to return an object; we should make sure that's the case in `restCall` itself.
Milestone: 2.0.8. Assignee: Maxime Besson.

## Rest2F does not transmit session attributes to Verify URL
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2123
Updated: 2020-04-14T15:21:48Z
Author: Maxime Besson
### Concerned version
Version: 2.0.7
### Summary
Rest2F successfully transmits the configured session attributes to the Init URL but not to the Verify URL.
`$req->sessionInfo` does not contain session data in the context of the `verify` sub.
Milestone: 2.0.8. Assignee: Maxime Besson.

## OIDC: hybrid flow does not issue ID token
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2120
Updated: 2020-03-18T20:06:44Z
Author: Maxime Besson
### Concerned version
Version: 2.0.7
### Summary
As per https://openid.net/specs/openid-connect-core-1_0.html#HybridAuthResponse
when using `response_type=code id_token token` an ID token must be returned in the response
In LLNG an ID token is generated but not returned.
Milestone: 2.0.8. Assignee: Maxime Besson.

## Rely on "isRequired" XML field in importMetadata script to mark SAML attributes as mandatory
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2119
Updated: 2020-03-17T15:48:31Z
Author: Clément OUDOT
Currently all attributes listed in `RequestedAttributes` are marked as mandatory when importing SP configuration in LL::NG with the importMetadata script. We should instead rely on the `isRequired` field.
Example:
```xml
<md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="eduPersonPrincipalNamePrior" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.12" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
</md:RequestedAttribute>
<md:RequestedAttribute FriendlyName="cn" Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
</md:RequestedAttribute>
```
Milestone: 2.0.8. Assignee: Clément OUDOT.

## Multivalued attributes received from CAS server stored as string "ARRAY" in session
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2118
Updated: 2020-05-12T13:56:50Z
Author: Clément OUDOT
When registering attributes from the CAS server, multivalued attributes are not correctly stored:
For example:
```xml
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>cleoud</cas:user>
    <cas:attributes>
      <cas:uid>cleoud</cas:uid>
      <cas:cn>Clément Oudot</cas:cn>
      <cas:allMails>cleoud@worteks.com</cas:allMails>
      <cas:allMails>clement.oudot@worteks.com</cas:allMails>
      <cas:mail>clement.oudot@worteks.com</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
```
Gives this in the logs:
```
[Thu Mar 19 19:45:00 2020] [LLNG:12816] [debug] Store ARRAY(0x4015698) in session key allMails
```
Milestone: 2.0.8. Assignee: Clément OUDOT.

## Remove warning messages "uninitialized value $encryption_mode"
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2117
Updated: 2020-03-12T16:02:32Z
Author: Clément OUDOT
We have some annoying warning messages when the encryption mode is not set for a SAML partner.
Milestone: 2.0.8. Assignee: Clément OUDOT.

## Missing goToPortal translation for mails
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2116
Updated: 2020-03-11T16:09:47Z
Author: Clément OUDOT
Following #1779, we still need to add the translated string in the templates/common/mail/ JSON files, else the translation does not work.
Milestone: 2.0.8. Assignee: Clément OUDOT.

## Possibility to select choice tab, as for menu tab
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2115
Updated: 2020-03-12T16:27:25Z
Author: Clément OUDOT
The goal is to use the same tip as the one coded for the menu: if we have a `tab` parameter in the URL, we use it to activate the corresponding tab.
Milestone: 2.0.8. Assignee: Clément OUDOT.

## Password policy warning before password expiration is badly displayed
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2113
Updated: 2020-03-10T10:31:52Z
Author: Clément OUDOT
When LDAP ppolicy is enabled and the user receives a warning before password expiration, the information message is wrong. It displays the remaining grace instead of the time before expiration. And the parameters given to `trspan` are not well formatted.
Milestone: 2.0.8. Assignee: Clément OUDOT.

## Bad translation tag for password policy remaining grace message
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2111
Updated: 2020-03-10T09:34:51Z
Author: Clément OUDOT
Using LDAP ppolicy authn graces leads to an info screen where the message is not translated. Instead we see the "PEppGrace" message.
Milestone: 2.0.8. Assignee: Clément OUDOT.