lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-05-18T05:17:10Z

Issue #157: Warning messages in make test
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/157
Author: Clément OUDOT
Updated: 2018-05-18T05:17:10Z

We have some warning messages in make test:
{panel:title=Console output}
t/30-Lemonldap-NG-Handler-CGI.t ......... Subroutine Lemonldap::NG::Handler::CGI::lmLog redefined at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-handler/blib/lib/Lemonldap/NG/Handler/SharedConf.pm line 16
Subroutine lmLog redefined at /home/clement/svn/lemonldap/trunk/modules/lemonldap-ng-handler/blib/lib/Lemonldap/NG/Handler/CGI.pm line 196.
t/10-Manager.t ....... Subroutine lmLog redefined at ../lemonldap-ng-handler/blib/lib//Lemonldap/NG/Handler/CGI.pm line 196.
{panel}
And other logging messages, that should be hidden:
{panel:title=Console output}
t/01-Lemonldap-NG-Portal-Simple.t ........ 1/10 Session 1 isn't yet available (127.0.0.1)
t/25-Lemonldap-NG-Portal-Multi.t ......... 1/13 Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
Authentication with 1 failed, trying next
{panel}
Milestone: 1.0

Issue #160: Display lib for portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/160
Author: Yadd
Updated: 2018-05-18T05:17:10Z

Instead of having all display code in index.pl, it could be interesting to have a library that returns the template name and params:
    #index.pl
    use strict;
    use warnings;
    use Lemonldap::NG::Portal::SharedConf;
    use Lemonldap::NG::Portal::Display qw(display);    # Extends Portal/Simple.pm
    use HTML::Template;

    my $portal   = Lemonldap::NG::Portal::SharedConf->new();
    my $skin     = $portal->{portalSkin};
    my $skin_dir = $ENV{DOCUMENT_ROOT} . "/skins";

    # display() will call process() and return the template name and its params
    my ( $templateName, %templateParams ) = $portal->display();

    my $template = HTML::Template->new(
        filename          => "$skin_dir/$skin/$templateName",
        die_on_bad_params => 0,
        cache             => 0,
        global_vars       => 1,
        filter            => sub { $portal->translate_template(@_) },
    );
    while ( my ( $k, $v ) = each %templateParams ) {
        $template->param( $k, $v );
    }
    print $portal->header('text/html; charset=utf-8');
    print $template->output;

Milestone: 1.0

Issue #161: RelayState value given by SP is HTML reencoded
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/161
Author: Clément OUDOT
Updated: 2018-05-18T05:17:10Z

GoogleApps uses RelayState to set the back URL.
We receive for example:
{panel}
https%3A%2F%2Fwww.google.com%2Fa%2Flinid.org%2FServiceLogin%3Fservice%3Dcl%26passive%3Dtrue%26continue%3Dhttp%253A%252F%252Fwww.google.com%252Fcalendar%252Fhosted%252Flinid.org%252Frender%26followup%3Dhttp%253A%252F%252Fwww.google.com%252Fcalendar%252Fhosted%252Flinid.org%252Frender
{panel}
And we return:
{panel}
www.google.com%252Fa%252Flinid.org%252FServiceLogin%253Fservice%253Dcl%2526passive%253Dtrue%2526continue%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fcalendar%25252Fhosted%25252Flinid.org%25252Frender%2526followup%253Dhttp%25253A%25252F%25252Fwww.google.com%25252Fcalendar%25252Fhosted%25252Flinid.org%25252Frender
{panel}
Milestone: 1.0

Issue #164: Trusted domains for OpenID
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/164
Author: Yadd
Updated: 2018-05-18T05:17:10Z

Capability to restrict OpenID usage to a list of domains.
Milestone: 1.0

Issue #165: Manage extensions in is_trusted hook
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/165
Author: Yadd
Updated: 2018-05-18T05:17:10Z

I think that we have to prompt the user if some new SREG data are asked for.
Milestone: 1.0

Issue #166: Create a storage for agreements
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/166
Author: Yadd
Updated: 2018-05-18T05:17:10Z
Milestone: 1.0

Issue #167: Bug with trunk installed from scratch
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/167
Author: Clément OUDOT
Updated: 2018-05-18T05:17:10Z

I tried a fresh new install, and I have this error:
{panel:title=Apache error log}
Warning: key is not defined, set it in the manager !
[Thu Sep 23 11:48:38 2010] [error] Can't use an undefined value as a HASH reference at /usr/local/share/perl/5.10.1/Lemonldap/NG/Portal/SharedConf.pm line 43.
{panel}
Milestone: 1.0

Issue #169: IssuerDB CAS: ticket is added 2 times in URL with a service URL containing parameters
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/169
Author: Clément OUDOT
Updated: 2018-05-18T05:17:10Z

For example:
[Thu Sep 23 14:56:03 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: CAS service session 622b438c43abf357d6799a99cda862de created
[Thu Sep 23 14:56:03 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Redirect user to http://auth.vm1.lemonsaml.linagora.com/?lmAuth=3CAS&ticket=ST-622b438c43abf357d6799a99cda862de?ticket=ST-622b438c43abf357d6799a99cda862de
Milestone: 1.0

Issue #170: SAML: artifact resolution URL is not in authForce method
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/170
Author: Clément OUDOT
Updated: 2018-05-18T05:17:10Z

This does not allow an IDP to get the artifact response with AuthChoice on the SP.
Milestone: 1.0

Issue #172: Google Apps SSO not working with Lasso 2.3.2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/172
Author: Clément OUDOT
Updated: 2018-05-18T05:17:10Z

After the Lasso update (to stable version 2.3.2), I cannot log into Google Apps via SAML:
{panel:title=Apache error log}
[Mon Sep 27 09:32:26 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: URL https://auth.vm2.lemonsaml.linagora.com/saml/singleSignOn detected as an SSO request URL
[Mon Sep 27 09:32:26 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: SAML method: HTTP-REDIRECT
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Found entityID google.com in SAML message
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: google.com match GoogleApps SP in configuration
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Message signature will not be checked
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: SSO: authentication request is valid
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Found ForceAuthn flag with value 0
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: No ForceAuthn session found for session 4f6f53749f4433443af8dae49c8909d5
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: No Destination in SAML message
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Authentication context is urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Convert timestamp 1285572739 in SAML2 date: 2010-09-27T07:32:19Z
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Convert timestamp 1285644739 in SAML2 date: 2010-09-28T03:32:19Z
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: SSO: assertion is built
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Get NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from request
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: NameID Format is urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: NameID Content is lemonsaml@linid.org
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: SAML2 attribute uid is not mandatory
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Set sessionIndex ugCc3UEY0612JizCi2TvUKn4jydVxivky3RGw99hfhfkGq53XsikHc2WGP2ZOikj (encrypted from 4f6f53749f4433443af8dae49c8909d5)
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Convert timestamp 1285644739 in SAML2 date: 2010-09-28T03:32:19Z
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Set sessionNotOnOrAfter 2010-09-28T03:32:19Z
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: SSO response will be signed
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Lasso error [ warning ]: 2010-09-27 09:32:27 can't find assertion consumer service url (going for default)
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Lasso error [ debug ]: 2010-09-27 09:32:27 (profile.c/:1242) Unable to find Profile URL in metadata
[Mon Sep 27 09:32:27 2010] [debug] CGI.pm(92): Lemonldap::NG::Portal::SharedConf: Lasso error code -410: Unable to find Profile URL in metadata
[Mon Sep 27 09:32:27 2010] [error] Unable to build SSO response message
{panel}
Registered metadata:
{panel:title=Google Apps metadata}
<md:EntityDescriptor entityID="google.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.google.com/a/linid.org/acs" index="0" />
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</md:EntityDescriptor>
{panel}
Milestone: 1.0

Issue #173: Token for cross domain authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/173
Author: Clément OUDOT
Updated: 2018-05-18T05:17:11Z

CDA works like this:
* Access to CDA handler
* No Cookie -> redirect on portal
* Portal sees we are from a CDA domain
* Portal redirects on CDA Handler with session_id in URL (as GET parameter)

We could just redirect the user with a token in the URL, and then the Handler would call the portal directly to get the real session ID. This avoids keeping the session_id in the user's history.
This will be a configuration option, because it requires direct access between Handler and Portal, and maybe activation of SOAP services.
Milestone: 1.9.7

Issue #177: OpenID provider cache login/password information: cannot login after bad password
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/177
Author: Clément OUDOT
Updated: 2018-05-18T05:17:11Z

The OpenID issuer module uses lmHiddenFields to cache all fields on the login form. But this includes login/password. Consequence: if I submit a bad password, it is always resubmitted and auth always fails.
Milestone: 1.0

Issue #178: Use same Apache conf files for default and Debian install
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/178
Author: Yadd
Updated: 2018-05-18T05:17:11Z

For now, Debian uses the files in the "debian" dir. This has to be changed to use those in the "_example" dir.
Milestone: 1.0

Issue #179: OpenID provider does not honor SREG request if only optional attributes
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/179
Author: Clément OUDOT
Updated: 2018-05-18T05:17:11Z

This only works if some attributes are mandatory.
Found the bug in SREG.pm, will commit patch soon.
Milestone: 1.0

Issue #182: Pages displayed by confirm return a 500 error under cgi-script
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/182
Author: Yadd
Updated: 2018-05-18T05:17:11Z

Using HTTPfox, I've seen that confirm pages displayed by removeOther (perhaps other confirm pages too) generate the right page but with a 500 error under "SetHandler cgi-script". Nothing is displayed in error.log and all is good using "SetHandler perl-script".
Milestone: 1.0

Issue #183: OAuth 2.0 / OpenID Connect authentication module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/183
Author: Yadd
Updated: 2018-05-18T05:17:11Z

Add AuthOAuth protocol in the portal.
Milestone: 1.9.0

Issue #184: OAuth 2.0 / OpenID Connect provider module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/184
Author: Yadd
Updated: 2018-05-18T05:17:11Z

Add IssuerDBOAuth module in portal.
Milestone: 1.9.0

Issue #186: CAS Issuer parameters in Manager
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/186
Author: Clément OUDOT
Updated: 2018-05-18T05:17:11Z
Milestone: 1.0

Issue #190: Display must display the menu when process() returns an error but user is authenticated
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/190
Author: Yadd
Updated: 2018-05-18T05:17:11Z

When an issuerDB module (for example) returns an error, form authentication is prompted. Display.pm has to change that (when $self->{id} is set).
Milestone: 1.0

Issue #191: Use persistent storage for SAML persistent NameID
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/191
Author: Clément OUDOT
Updated: 2018-05-18T05:17:11Z

We now have a persistent storage (thanks to Xavier) that we can use to manage SAML persistent NameID. Sample code can be seen in the OpenID Issuer module.
Milestone: 1.0