# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues (updated 2024-01-25T16:37:30Z)

## #2990 LLNG mails flagged as spam by SpamAssassin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2990
Author: Bruno MATEU | Updated: 2024-01-25T16:37:30Z

### Affected version
Version: 2.16.2
Platform: Nginx
### Summary
The mails sent by my instance of LemonLDAP are flagged as spam by SpamAssassin.
### Details and possible fixes
Here are the detailed scores:
```plaintext
Spam detection results: 3
ALL_TRUSTED -1 Passed through trusted hosts only via SMTP
HTML_IMAGE_ONLY_12 1.629 HTML: images with 800-1200 bytes of words
HTML_MESSAGE 0.001 HTML included in message
KAM_DMARC_NONE 0.25 DKIM has Failed or SPF has failed on the message and the domain has no DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
MISSING_MID 0.14 Missing Message-Id: header
TO_NO_BRKTS_HTML_IMG 1.999 To: lacks brackets and HTML and one image
```
Most of this is irrelevant, because it is my internal MTA that is flagging the email, so it is not yet DMARC-ed and DKIM-ed, but these scores are self-cancelling with the ALL_TRUSTED rule.
The relevant rules are:
```plaintext
HTML_IMAGE_ONLY_12 1.629 HTML: images with 800-1200 bytes of words
MIME_HTML_ONLY 0.1 Message only has text/html MIME parts
TO_NO_BRKTS_HTML_IMG 1.999 To: lacks brackets and HTML and one image
```
- For the first one, I don't see an obvious fix; it would be dumb to add content to the email just for the sake of satisfying this rule.
- The second one is not really a huge problem, but it can be an easy fix: it just needs to add a text/plain part to the email next to the HTML version.
- The last one is also an easy fix. It triggers (among other reasons) because the `To:` field of the email doesn't contain brackets `<>`. Currently, this contains `To: $mail`. I've fixed it temporarily by editing https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SMTP.pm#L145 to contain `To => '<' . $mail . '>'`, and it passes the rule correctly. A prettier solution would be to use the `$cn` of the user to forge a nice To field in the email, something like `$cn . '<' . $mail . '>'`.

Milestone/label: 2.18.0 | Assignee: Clément OUDOT

## #2988 Do not store password in clear text in session when password store option is enabled
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2988
Author: Clément OUDOT | Updated: 2023-12-16T14:21:41Z

We currently have an option to store the password in session (disabled by default), which could be used to replay the password with Auth Basic or Form replay.
Even if we strongly discourage the usage of this option, we could improve it by storing a ciphered value of the password in session, and decrypting it when needed.
So far, what needs to be done:
* Have a new option to cipher the password (should be true by default)
* Have a new option to set a key (if no key, the default key will be used)
* Add a decrypt extended function (the reverse of https://lemonldap-ng.org/documentation/latest/extendedfunctions.html#encrypt)

Milestone/label: 2.18.0 | Assignee: Clément OUDOT

## #2987 Cannot use single quote in passwordPolicySpecialChar
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2987
Author: Maxime Besson | Updated: 2023-08-18T14:58:23Z

### Affected version
Version: 2.16.2
### Summary
* Try to add a `'` in passwordPolicySpecialChar
* Display the password change interface
* JS error
### Logs
```
Parsing error SyntaxError: Bad escaped character in JSON at position 5979
at JSON.parse (<anonymous>)
at HTMLScriptElement.<anonymous> (portal.js:105:20)
at Function.each (jquery.min.js:2:2976)
at S.fn.init.each (jquery.min.js:2:1454)
at n (portal.js:102:42)
at portal.js:277:13
at dispatch (jquery.min.js:2:43090)
at v.handle (jquery.min.js:2:41074)
```
### Possible fixes
`ESCAPE='js'` from HTML::Template does not correctly escape JSON strings. We need to do it before setting the template parameter.

Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2983 StayConnected + Singlesession does not display deleted sessions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2983
Author: Maxime Besson | Updated: 2023-10-27T13:39:38Z

### Affected version
Version: 2.16.2
### Summary
* Configure the following:
  * Sessions / Multiple sessions / One session per user
  * Sessions / Multiple sessions / Display deleted sessions
  * Plugins / Stay connected / Activation
* Login without "stay connected" in a private tab
* In a non-private tab, login with "stay connected"
* No session summary is shown, despite sessions being removed
### Possible fixes
This issue is caused by the fact that endSession hooks are run twice:
* before displaying the fingerprint page (duplicate session is removed then)
* after submitting the fingerprint page (no more duplicate sessions at this point)
I have tried moving the singleSession plugin later in the plugin list, but this breaks some unit tests.
Additionally, the fact that StayConnected::storeBrowser does not call importHandlerData may cause issues with other plugins.
I also tried storing $req->info in StayConnected and restoring it after storeBrowser: it works, but if the "otherSessions" option is set, it causes duplicate display.
It looks like there is no satisfying way to handle this in the current state of the authentication code, because there is no way to resume "endAuth" at a particular step.

Milestone/label: 2.18.0 | Assignee: Maxime Besson

## #2982 Allow specifying a Radius failover server
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2982
Author: Maxime Besson | Updated: 2023-10-10T15:15:47Z

### Summary
Currently, Auth::Radius and 2F::Radius can only point to one server. Authen::Radius allows a NodeList to be specified.
### Design proposition
Split radiusServer/radius2fServer on space and populate NodeList.

Milestone/label: 2.18.0 | Assignee: Maxime Besson

## #2978 Using the (unimplemented) claims= parameter in an OIDC authorize request triggers XSS detection with authentication=Choice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2978
Author: Maxime Besson | Updated: 2024-03-27T09:48:50Z

### Affected version
Version: 2.16.2
### Summary
* Configure Choice as auth module (one Demo choice)
* Enable OIDC issuer
* Send an OIDC request with a "claims" parameter:
  https://auth.example.com/oauth2/authorize?response_type=code&scope=openid&client_id=testrp&state=5azlOvBCuQcmlu_TeCGL317RuSk&redirect_uri=http%3A%2F%2Frp.example.com%2Foauth2callback&nonce=DkqDQChJVDWiLtyDknOYkRyC4xEDhlRMq_wEGtB8twU&claims={%22mail%22:%20null})
* A scary log is generated, but no other side effect (unless a custom URL is set in Choice module, maybe)
### Logs
```
[error] XSS attack detected (param: URI | value: /oauth2/authorize?response_type=code&scope=openid&client_id=testrp&state=5azlOvBCuQcmlu_TeCGL317RuSk&redirect_uri=http%3A%2F%2Frp.example.com%2Foauth2callback&nonce=DkqDQChJVDWiLtyDknOYkRyC4xEDhlRMq_wEGtB8twU&claims={%22mail%22:%20null})
```
### Possible fixes
Relevant code from Lib::Choice:
```perl
# Default URL
$req->data->{cspFormAction} ||= {};
if (
    defined $url
    and not $self->checkXSSAttack( 'URI',
        $req->env->{'REQUEST_URI'} )
    and $url =~
    q%^(https?://)?[^\s/.?#$].[^\s]+$%    # URL must be well formatted
  )
{
    my $csp_uri = $self->cspGetHost($url);
    $req->data->{cspFormAction}->{$csp_uri} = 1;
}
```
There is no point in checking REQUEST_URI for potential XSS because REQUEST_URI is not used in Choice anymore.
In fact, I'm the one who accidentally removed REQUEST_URI from form destinations (see cd97d3b9227f16f0edcdd30b43a7dfe80f1c56f6).
There haven't been any complaints because pdata already saves REQUEST_URI.
@guimard: I need some advice here on what to do:
* Fix my mistake and introduce back the following line:
  ```perl
  $url .= $req->env->{'REQUEST_URI'};
  ```
  which will break OIDC requests that use the "claims" parameter?
* Or just remove the useless XSS check?

Milestone/label: 2.20.0 | Assignee: Maxime Besson

## #2973 Implement pluggable password policies
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2973
Author: Maxime Besson | Updated: 2023-12-07T13:33:16Z

Adding password policy checks is currently pretty hard to do (see #2971, #2652). It involves:
* Writing a plugin to implement the behavior
  * by definition
* Adding manager options
  * no way around this for now
* Adding translation labels
  * no way around this for now
* Adding frontend code to portal.coffee/portal.js
  * should not be needed
* Adding a bunch of template variables to Display.pm + some plugins (PasswordReset.pm)
  * should not be needed
* Modifying existing templates
  * maybe not needed?
This is much too complex, in the sense that it involves too many different components.
We need to make it simpler (less components involved) by providing hooks or portal methods that let plugins easily inject JS code, HTML template, etc into pages.
The new Captcha system (#2692) could be taken as inspiration.

Milestone/label: 2.18.0 | Assignee: Maxime Besson

## #2972 Better OIDC keys management
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2972
Author: Yadd | Updated: 2023-07-13T13:07:01Z

Milestone/label: 2.17.0 | Assignee: Yadd

## #2970 Provide all application information through REST service GET /myapplications
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2970
Author: Clément OUDOT | Updated: 2023-10-02T14:26:58Z

We should add tooltip and icon/svg icon in the REST services which return the application list.
Linked to https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2853

Milestone/label: 2.17.0 | Assignee: Clément OUDOT

## #2969 Allow OAuth2 tokens in Portal's REST server
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2969
Author: Yadd | Updated: 2023-07-18T08:21:00Z

### Summary
For now, the REST server accepts only the LLNG cookie to allow authenticated APIs.
When using mobile applications, it could be interesting to allow authentication by OAuth2 token. Use case: `/myapplication` returns allowed applications. To build an app grid in a mobile application, I'd like to get /myapplication using an access_token.

Milestone/label: FAQ | Assignee: Yadd

## #2967 SAML federation plugin should use Name instead of FriendlyName
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2967
Author: Maxime Besson | Updated: 2024-03-27T10:04:42Z

Currently, SAML federation defines the *session attributes* => *SAML attributes* mapping based on the FriendlyName of the requested attribute:
```xml
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
```
This creates a "mail" => "urn:oid:0.9.2342.19200300.100.1.3" mapping.
However, in the Edugain federation, some attributes have different FriendlyNames:
```xml
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="Email" isRequired="true"/>
```
which forces us to create macros to map "Email" => "$mail"
We must find a different way to handle SAML attributes in federation, perhaps ship a dictionary for standard attributes, and let the users do the mapping themselves?

Milestone/label: 2.20.0 | Assignee: Maxime Besson

## #2966 SAML federation plugin incorrectly skips entityIDs
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2966
Author: Maxime Besson | Updated: 2023-07-07T15:09:12Z

### Affected version
Version: 2.16.2
### Summary
* Only half of `main-sps-edugain-metadata.xml` providers are seen by SamlFederation.pm
* After XML file is prettified, all providers are seen
* Bug in LibXML?
### Possible fixes
Use `nextElement` instead of `next`.

Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2964 Allow customization of some error codes in templates
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2964
Author: Maxime Besson | Updated: 2023-07-13T14:50:34Z

### Summary
When doing a heavily customized deployment, an admin might want to display an error message that is much more complex than this:
![image](/uploads/8c045f92844aad9419a266adf3d6e0b4/image.png)
In this instance, maybe they want to display a big HTML block with a detailed step-by-step guide on how to register an RP/SP.
### Design proposition
We currently send `AUTH_ERROR => 108` to the template engine, but this doesn't allow us to do a `TMPL_IF` to handle a particular error code.
I propose setting `AUTH_ERROR_108 => 1` so that we can write:
```html
<TMPL_IF AUTH_ERROR_108>
<!-- custom HTML here -->
</TMPL_IF>
```
See #2885 for an even more advanced possibility.

Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2963 Improve Additional 2FA to support different registration rule and activation rule
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2963
Author: emmanuel decoux | Updated: 2023-12-05T15:52:20Z

### Summary
The user can't manage the "additional second factor" when he accesses the 2FA manager (2fregisters) without logging in with 2FA (only with his password on our secure network), but can manage both methods "TOTP" and "additional second factor" on 2fregisters when he logs in with 2FA.
Both methods are working, but the 2FA manager lists only TOTP when the user does not log in with 2FA (custom rule + self-registration).
General Parameters / Second factors / Display Manager link
- special rule: `$authenticationLevel >= 10 || $ipAddr =~ (our secure network)`

General Parameters / Second factors / Additional second factors / monMailPerso
- Registrable: ON
- Level: 10
- Rule: `$ipAddr !~ (our network)`

General Parameters / Second factors / TOTP
- Self Registration: ON
- Authentication level: 10
- Activation: `$_2fDevices =~ /"type":\s*"TOTP"/s && $ipAddr !~ (our network)`
Changing the "additional second factor" rule doesn't solve the issue.

Milestone/label: 2.18.0 | Assignee: Maxime Besson

## #2961 Make RS256 the default ID Token signature algorithm
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2961
Author: Maxime Besson | Updated: 2023-07-10T12:47:03Z

A lot of OIDC applications fail with HS512 ID tokens, and having to set RS256 for ID tokens is a very common error case when configuring OIDC RPs with LLNG.
Perhaps we should make RS256 the default for new RPs? It is the only required alg for OIDC OPs (see https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI).

Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2960 Add option to drop CSP headers from OIDC response
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2960
Author: Yadd | Updated: 2024-01-09T07:48:44Z

### Summary
Most mobile apps that use OIDC delegate authentication to the browser. Then the redirect list may contain "app.name://" URIs.
A bug in Safari doesn't allow such URIs in CSP headers. Then this feature allows one to drop CSP headers from OIDC responses (at least authorization responses).

Milestone/label: 2.17.0 | Assignee: Yadd

## #2959 Send Access-Request without password when preparing Radius 2FA validation
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2959
Author: Maxime Besson | Updated: 2023-08-01T12:12:20Z

### Summary
Some radius solutions work in the following way:
* Send an Access-Request with only the login before the 2FA form is displayed
* After the user inputs the 2FA code, send an Access-Request with the login + code for validation
### Design proposition
Add an option to send an Access-Request with no password attribute.

Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2958 SAML module Lasso error code -501
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2958
Author: Léo Roques | Updated: 2023-07-13T09:37:44Z

### Affected version
Version: lemonldap-ng 2.16.1 (from official debian packages)
Platform: debian 12 / nginx 1.22.1 / perl 5.36.0 / liblasso 2.8.1
### Summary
Following the first steps for [SAML service configuration](https://lemonldap-ng.org/documentation/2.0/samlservice.html):
Activating the SAML module via General Parameters » Issuer modules » SAML » Activation: set to On.
The authentication portal goes down, printing "Internal Server Error".
The manager interface is still working properly.
### Logs
Each time the authentication page is reloaded, a new process is started and the sequence leads to the same Lasso error.
```
Jul 03 09:46:51 ************* LLNG[215]: [debug] Logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] User logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 03 09:46:51 ************* LLNG[215]: [debug] Lemonldap::NG::Common::Conf::Backends::File loaded.
Configuration unchanged, get configuration from cache.
Jul 03 09:46:51 ************* LLNG[215]: [debug] Get configuration 13 aged 1688135511
Jul 03 09:46:51 ************* LLNG[215]: [info] Loading configuration 13 for process 215
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls defaultValuesInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Options https for vhost auth.*********.com: 1
Jul 03 09:46:51 ************* LLNG[215]: [debug] Options https for vhost manager.*********.com: 1
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls jailInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls portalInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls locationRulesInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls sessionStorageInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls headersInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls postUrlInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls aliasInit
Jul 03 09:46:51 ************* LLNG[215]: [debug] Process 215 calls oauth2Init
Jul 03 09:46:51 ************* LLNG[215]: [debug] Launching Lemonldap::NG::Handler::FastCGI::Loader->loadCustomHandlers(conf)
Jul 03 09:46:51 ************* LLNG[215]: [debug] Launching Lemonldap::NG::Portal::Main->reloadConf(conf)
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route psgi.js added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route psgi.js added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route portal.css added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route portal.css added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route : added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route : added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route ping added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route ping added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route refresh added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add OPTIONS route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add OPTIONS route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route logout added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route logout added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Initialized CSP headers : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';script-src 'self';
Jul 03 09:46:51 ************* LLNG[215]: [debug] Initialized CORS headers : Access-Control-Allow-Origin;*;Access-Control-Allow-Credentials;true;Access-Control-Allow-Headers;*;Access-Control-Allow-Methods;POST,GET;Access-Control-Expose-Headers;*;Access-Control-Max-Age;86400;
Jul 03 09:46:51 ************* LLNG[215]: [debug] Cookies will use SameSite=None
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Main::Menu loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::Main::Menu initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Auth::LDAP loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Try to build new LDAP connection with: ldap://******.*********.com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP Search base: dc=*********,dc=com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP transformed filter: (&(uid=".$req->{user}.")(objectClass=inetOrgPerson))
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::Auth::LDAP initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::UserDB::LDAP loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Try to build new LDAP connection with: ldap://******.*********.com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP Search base: dc=*********,dc=com
Jul 03 09:46:51 ************* LLNG[215]: [debug] LDAP transformed filter: (&(uid=".$req->{user}.")(objectClass=inetOrgPerson))
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::UserDB::LDAP initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::2F::Engines::Default loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking utotp2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking totp2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking u2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking rest2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking mail2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking ext2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking webauthn2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking yubikey2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking radius2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking password2fActivation
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking password2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking totp2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking u2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking webauthn2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Checking yubikey2fSelfRegistration
Jul 03 09:46:51 ************* LLNG[215]: [debug] -> not enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Processing Extra 2F modules
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::2F::Engines::Default initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Captcha::SecurityImage loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route renewcaptcha added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Plugin ::Captcha::SecurityImage initialized
Jul 03 09:46:51 ************* LLNG[215]: [debug] IssuerSAML enabled
Jul 03 09:46:51 ************* LLNG[215]: [debug] Module Lemonldap::NG::Portal::Issuer::SAML loaded
Jul 03 09:46:51 ************* LLNG[215]: [debug] SAML rule -> 0
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring unauth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Declaring auth route
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add GET route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Add POST route:
Jul 03 09:46:51 ************* LLNG[215]: [debug] route * added
Jul 03 09:46:51 ************* LLNG[215]: [debug] Lasso thin-sessions flag set
Jul 03 09:46:51 ************* LLNG[215]: [debug] Certificate will be used in SAML responses
Jul 03 09:46:51 ************* LLNG[215]: [debug] Get Metadata for this service
Jul 03 09:46:51 ************* LLNG[215]: [error] Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
Jul 03 09:46:52 ************* LLNG[216]: [debug] Logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:52 ************* LLNG[216]: [debug] User logger Lemonldap::NG::Common::Logger::Syslog loaded
Jul 03 09:46:52 ************* LLNG[216]: [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
Jul 03 09:46:52 ************* LLNG[216]: [debug] Lemonldap::NG::Common::Conf::Backends::File loaded.
Configuration unchanged, get configuration from cache.
Jul 03 09:46:52 ************* LLNG[216]: [debug] Get configuration 13 aged 1688135511
Jul 03 09:46:52 ************* LLNG[216]: [info] Loading configuration 13 for process 216
```

Milestone/label: In discussion

## #2957 Add new jQuery events for WebAuthn, SSL, Kerberos
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2957
Author: Maxime Besson | Updated: 2023-07-05T15:47:09Z

WebAuthn, SSL and Kerberos heavily rely on client-side JS.
We should add some more jQuery hooks so that integrators can plug in their own behavior, such as displaying a helpful pop-in when SSL or WebAuthn authentication fails, instead of a basic error message.

Milestone/label: 2.17.0 | Assignee: Maxime Besson

## #2956 Allow custom jQuery event handlers to block default processing
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2956
Author: Maxime Besson | Updated: 2023-07-05T12:42:20Z

### Summary
Currently, jQuery events sent by LLNG JavaScript code do not interfere with processing: the event is sent and forgotten about.
Deployers could want to replace the default action with their own.
### Design proposition
Test `.isDefaultPrevented()` on the event after the event was handled.

Milestone/label: 2.17.0 | Assignee: Maxime Besson