lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2020-04-03T09:08:16Z

#1359 TOTP plugin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1359
Updated: 2020-04-03T09:08:16Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Using [Auth::GoogleAuth](https://metacpan.org/pod/Auth::GoogleAuth), it seems easy to build a Google Authenticator plugin:
* a protected interface that can generate the base code for any user (used by admin)
* a second factor plugin that asks for a TOTP code

#1500 Possibility to override parameters in Choice modules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1500
Updated: 2019-10-01T12:50:31Z | Author: Anthony ROUSSEL | Milestone: 2.0.0 | Assignee: Yadd

### Concerned version
Version: 1.9.17
Platform: Apache2
### Summary
Hello
we want to try authentication choice with several LDAP servers:
1. Active Directory for our internal users
2. OpenLDAP for "partner's users"
In managerUi, when choosing Authmodule, usermodule, pwdmodule == Authentication Choice, I then specify "allowed modules":
- AuthAD / Active Directory / Active Directory / Active Directory / noUrl / noCondition
- AuthLDAP / LDAP / LDAP / LDAP / noUrl / noCondition
but I can only specify one LDAP configuration in "LDAP Parameters".
Am I doing it wrong or is this a "display bug"?
I guess the problem would be the same with multiple LDAP servers.
### Backends used
FileConf

#1204 Propose reauthentication if higher access level is requested
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1204
Updated: 2019-07-09T17:15:57Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Yadd

We need to be able to know which authentication level is requested (acr_values in OpenID Connect, requestedauthenticationcontext in SAML, a new parameter in Handler). Then compare this level to the current level and force reauthentication if the level is not enough.
This also implies only proposing authentication backends that are up to the requested level in the combination module.

#971 Server-to-Server Handler
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/971
Updated: 2019-04-23T06:00:21Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Modern applications can have underlying REST requests to some other servers. We could develop a Kerberos-like ticket system to provide to an application a ticket available to query other servers (the ticket will be available a few seconds):
* in manager, just set a header containing {{llngTicket()}};
* application must set this ticket in a header (may be simply a cookie? a GET parameter?);
* handler will use the ticket instead of the normal cookie to retrieve the session and verify that {{$ticketTime + $class->tsv->ticketTimeout > time()}}. Then normal process;
* ticket can simply be {{cryptWithLlngKey ( random() . '/' . $sessionId . '/' . time() )}}

#1212 Propose SSL authentication by Ajax
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1212
Updated: 2018-11-21T19:17:21Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

To be able to chain SSL with Combination, we could use an Ajax URL like in the Kerberos auth module.

#1478 SAML Discovery Protocol (WAYF)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1478
Updated: 2018-11-20T21:50:57Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Clément OUDOT

There is a discovery protocol in SAML different from the Common Domain Cookie specification: https://www.oasis-open.org/committees/download.php/28049/sstc-saml-idp-discovery-cs-01.pdf
This protocol is used for example by Renater WAYF: https://discovery.renater.fr/renater/WAYF
We need to support it in LemonLDAP::NG.

#1535 Append Portal parameter to modify Handler Internal Cache
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1535
Updated: 2018-11-10T19:32:25Z | Author: Christophe Maudoux (chrmdx@gmail.com) | Milestone: 2.0.0 | Assignee: Christophe Maudoux

### Summary
Be able to modify handler Internal Cache from ini file to customize unit tests

#1539 Option to enable / disable languages choice display
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1539
Updated: 2018-11-08T21:58:18Z | Author: Christophe Maudoux (chrmdx@gmail.com) | Milestone: 2.0.0 | Assignee: Christophe Maudoux

Manager boolean

#1503 RENATER metadata download script
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1503
Updated: 2018-11-08T14:48:33Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Clément OUDOT

When using SAML with RENATER (or eduGAIN), we need to download the metadata of all registered partners and configure them inside LL::NG. Without this, the WAYF (see #1478) does not work, as the selected partner is not registered.
Technical details for script implementation: https://services.renater.fr/federation/technique/metadata

#1512 Option to choose which SAML attribute will be used as "user" key
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1512
Updated: 2018-10-02T15:21:03Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Clément OUDOT

For the moment, we use the NameID value as "user" key, which can be a problem when using it as pivot on another userDB.
We need an option to choose which SAML attribute will be used as "user" key.

#819 Support of FIDO Alliance (multi-factor authentication)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/819
Updated: 2018-06-26T13:59:27Z | Author: Clément OUDOT | Milestone: 2.0.0

A good way to have multi-factor authentication in LL::NG is to implement the FIDO Alliance specification: https://fidoalliance.org/

#1161 Manage access rules for CAS, SAML and OpenID Connect clients
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1161
Updated: 2018-06-23T08:19:18Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Clément OUDOT

As we are doing a lot of modifications for 2.0, I would like to rethink how we manage access rules and find a way to apply them to all LL::NG clients/applications, not only those protected by Handler.
From my point of view, an application can be authenticated and protected with multiple methods:
* HTTP headers behind Handlers
* CAS
* SAML
* OpenID Connect
We already implemented a kind of access control for CAS clients, when the CAS service matches a registered virtual host, but this is a kind of hack that we can improve.
CAS code must be rewritten so we can declare CAS servers and CAS services, like we have SAML IDP/SP and OIDC OP/RP.
And for CAS, SAML and OIDC, we should have a new sub branch which is access rules, like we have in virtual hosts. Note that we already have the "exported attributes" for SAML and OIDC. We just need to add it for CAS.
With this, we could be, I think, the only SSO and Access Management solution to act on HTTP headers, CAS, SAML and OpenID Connect.

#1458 Local conf backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1458
Updated: 2018-06-19T19:06:59Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

### Summary
Some admins want to deploy configuration using lemonldap-ng.ini only. This backend just returns an empty configuration.
Advanced use only!

#1162 Capability to use Log4Perl (and other log backends)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1162
Updated: 2018-06-13T19:34:33Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Create Lemonldap::NG::Common::Logger::* classes to be able to choose the logging stack.

#1148 U2F - Universal 2nd Factor Authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1148
Updated: 2018-06-12T15:56:55Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Insert a registration application and, for registered users, ask for U2F auth.
A U2F authentication flag will be inserted in the session for rules.

#1091 Handler for DevOps (SSOaaS)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1091
Updated: 2018-06-07T17:53:23Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

To be able to provide a handler that can be included in a DevOps environment, we should have a handler that can calculate rules and headers dynamically.
Proposition: a "Handler::Dev" that downloads its rules/headers from the root of the website ({{/rules.json}} for example). Default to "accept".
This could be used to provide a sort of SSO-as-a-Service: the reverse proxies that host the "door" of a tenant could host a DevOps handler, so developers could define their own rules for their apps.

#1438 Build trunk debian repository (nightly build)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1438
Updated: 2018-06-04T19:53:49Z | Author: Clément OUDOT | Milestone: 2.0.0

By Christian Bayle:
```
I attached a gitlab-ci file that should allow to autobuild debian/ubuntu repository for lemonldap
on stretch/bionic
On your project group, under the "Settings > CI/CD Pipelines", create a
secret variable called GPG_PRIVATE_KEY and copy/paste the private key
to sign your package in the value field.
Create a second secret variable called SIGN_USER, whose value will be
the user_ID of your private key.
commit, push and wait ...
You should then get a gitlab page at
http://lemonldap-ng.ow2.io/lemonldap-ng
With a debian/ubuntu repository
Complete explanations are here :
https://gitlab.com/Orange-OpenSource/gitlab-buildpkg-tools
example result here :
https://orange-opensource.gitlab.io/gitlab-buildpkg-tools/
```
[gitlab-ci.yml](/uploads/3e59071b262802fd9c521bd26df815d0/gitlab-ci.yml)

#1427 Alternative FastCGI-Client handler for Apache2
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1427
Updated: 2018-05-22T16:44:40Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

### Summary
Propose an alternative handler to be used to query a LLNG FastCGI server. It will permit inserting an Apache in a [LLNG SSOaaS infrastructure](https://lemonldap-ng.org/documentation/2.0/ssoaas).

#1318 Auto-Signin based on $env rules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1318
Updated: 2018-05-19T19:41:51Z | Author: Mathieu Lecompte-melançon | Milestone: 2.0.0 | Assignee: Yadd

Due to some usage like displaying some webpage on a TV screen on a wall for an information process,
it would be good to have some auto-signin component based on IP for computers not driven by a user.
The idea is a page in manager to define and assign an IP to a user.
That way, if the IP which reaches LLNG is in the list, it will use the user defined in the list, retrieve the data/session relative to that user and auto-sign into the portal. That way, a simple restart of the wall computer, which auto-starts the browser and webpage, will automatically display the right content and not the login portal, and that without any human action.

#1208 YAML configuration backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1208
Updated: 2018-05-19T19:41:46Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Seems easier to parse than JSON for some tools.