lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-11-29T08:52:07Z

Add system to overload parameters in *Choice (like "multi" key)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/259
Updated: 2018-11-29T08:52:07Z
Author: Yadd

UserDB modules use exportedVars parameter to load data. For example, if you use choice with LDAP and OpenID(sreg), exportedVars key must change. I think that it is not possible for now, isn't it?

Milestone: 2.0.0

Timer for automatic redirection in info.tpl
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/440
Updated: 2018-05-18T05:17:23Z
Author: FX Deltombe

Automatic redirection after a few seconds is quite troublesome for prompting info: you have just ten seconds to read the info or to find the button "wait".
I think the timer should be either removed from info.tpl, or be a manager option. Actually there is a hidden parameter "activeTimer" to disable timer, I would like to put it in manager.
(But I don't challenge automatic redirection in confirm.tpl)

Milestone: 2.0.0
Assignee: Yadd

Selecting language while connecting to LemonLDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/587
Updated: 2018-05-18T05:17:31Z
Author: Iheb Khemissi

Hi,
First of all, thank you for your hard work.
During our migration process to LemonLDAP (while creating a new skin) I have encountered a problem concerning the ability to select a language (instead of the browser's language sent in the HTTP header "Accept-Language").
Currently, during the connection process, my app's users can select which language to choose regardless of the browser's language (which is used by default if the user hasn't chosen a different one). Users can also specify a language in the query string (i.e. http://example.com?lang=fr).
So is there any way to do this with LemonLDAP's skins? Basically, what I want to do is to add some flags in the login page and if the user clicks the flag, I respond with the page translated in the selected language and I continue using the selected language.
I have thought of some solutions (but none of them is appealing enough) :
1) Updating the "Accept-Language" header by adding the value of the LANG param (extracted from the QUERY-STRING) using a lemonldap's custom function.
2) Updating the "Accept-Language" header or the environment variable "HTTP_ACCEPT_LANGUAGE" using a LL::NG Handler
3) Updating the "Accept-Language" header by prepending the value of the LANG param (extracted from the QUERY-STRING and transformed to correct format) using Apache's mods --> I don't know how to prepend the param's value to the header.
4) Creating a patch to the "extract_lang" method to accept other entries.
Should I use one of them or is there a better method ?
Thank you very much (and sorry for the lengthy mail),
Best regards,
Iheb

Milestone: 2.0.0
Assignee: Yadd

Portal powered by FastCGI (using Plack)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/595
Updated: 2018-12-21T10:26:30Z
Author: Yadd

For performances _(and many bugs with ModPerl::Registry / Apache-2.4)_, all CGI are replaced by FastCGI using [Plack](https://metacpan.org/pod/Plack) like Manager-1.9. This allows also a better Nginx integration.

Milestone: 2.0.0
Assignee: Yadd

Split conf/session/flags management from the Portal $self object
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/673
Updated: 2018-05-18T05:17:35Z
Author: Clément OUDOT

For now, the Portal $self object is very big and carries all data (configuration, sessions, etc.). We have to split it.

Milestone: 2.0.0
Assignee: Yadd

Request management to handle sessions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/713
Updated: 2018-05-18T05:17:37Z
Author: FX Deltombe

Creating a session causes four requests to session backend (at least for SQL session backend, but I guess it behaves the same with any backend), one insert request and three updates,
* the first one to add "_session_kind" => "SSO",
* the second one to add session data
* the third one to add "updateTime" and "_issuerDB"
Till version 1.3, it was done with two requests, one insert and one update. And it could be done with one single request.
As same, logout causes three select requests to read user session, whereas a single request is enough.

Milestone: 2.0.0
Assignee: Yadd

Multi backend authentication with SAML + LDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/778
Updated: 2018-11-28T12:47:47Z
Author: Nicolas Dutertre

With the multi backend using SAML / LDAP, the second authentication backend does not work and no errors in the logs back in debug.
And whatever the order of use of backend (SAML / LDAP or LDAP / SAML).
SAML loop once before falling into error and loop on the LDAP authentication form.

Milestone: 2.0.0

Apache reloading breaks SAML authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/789
Updated: 2018-05-15T20:31:11Z
Author: Updateme Lulandco

Hi,
After reloading apache conf, SAML authentication is broken, SP Metadata can't be retrieved from cache :
[Fri Feb 13 19:51:45.934452 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Reset SAML configuration cache
[Fri Feb 13 19:51:45.934468 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SAML cache configuration: 46
[Fri Feb 13 19:51:45.934549 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Get Metadata for this service
[Fri Feb 13 19:51:45.938604 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: 2015-02-13 19:51:45 (server.c/:699) Failed to load metadata from preloaded buffer
[Fri Feb 13 19:51:45.938754 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
[Fri Feb 13 19:51:45.938777 2015] [perl:debug] [pid 11688] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 186:
[Fri Feb 13 19:51:45.938788 2015] [perl:error] [pid 11688] Unable to create Lasso server
[Fri Feb 13 19:51:45.939030 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
I checked, all apache's modules are normally reloaded. Restarting apache doesn't produce the issue.
LulAndCo

Milestone: 2.0.0
Assignee: Yadd

AuthSSL : Ability to choose SSLvar or UserDB depending of the CA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/803
Updated: 2018-05-18T05:17:41Z
Author: Yadd

When using AuthSSL with multiple AC, it could be interesting to be able to choose UserDB backend (or simply SSLvar) depending on the CA that signed the user certificate.

Milestone: 2.0.0
Assignee: Yadd

Uncomplete logout in Issuer modules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/804
Updated: 2018-05-15T20:31:11Z
Author: Clément OUDOT

We have a standard logout process in the portal:
* Delete local session
* Call issuerLogout on each used Issuer module
* Call authLogout
* Display iFrames for logout services
* Display "you are disconnected" at the end of the process
But this process is not used when a logout request comes from an Issuer module (CAS, OpenID or OpenID Connect). This seems to be OK for the SAML Issuer.

Milestone: 2.0.0
Assignee: Yadd

Support of FIDO Alliance (multi-factor authentication)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/819
Updated: 2018-06-26T13:59:27Z
Author: Clément OUDOT

A good way to have multi-factor authentication in LL::NG is to implement the FIDO alliance specification: https://fidoalliance.org/

Milestone: 2.0.0

Tab in portal to manage OpenID Connect consent
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/826
Updated: 2018-05-18T05:17:42Z
Author: Clément OUDOT

The goal is to be able to view all applications that have the consent of the user, and allow user to revoke them.

Milestone: 2.0.0
Assignee: Yadd

Auth Yubikey : second factor authentication module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/834
Updated: 2018-05-18T05:17:42Z
Author: Maxime De roucy

Add a second factor authentication module for Yubikey.

Milestone: 2.0.0
Assignee: Yadd

Possibility to reload/refresh his session without logout and relogin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/852
Updated: 2018-05-18T05:17:43Z
Author: Clément OUDOT

The goal is to be able to refresh the content of the session without forcing the user to logout and login again. This is useful for example if user was affected to a new group, and needs to access an application requiring this group.

Milestone: 2.0.0
Assignee: Yadd

LemonLDAP loses exportedVars conf randomly
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/856
Updated: 2018-05-15T20:31:11Z
Author: Frédéric Pégé

Randomly, (at least, for now), Lemonldap loses the entry "exportedVars" of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (line 1972):
```
$self->lmLog( "[exportedVars] exportedVars : ".join(' ',keys %{ $self->{exportedVars} }) , 'warn' );
```
When everything is fine :
```
[Tue Oct 13 17:55:35 2015] [warn] [exportedVars] exportedVars : DATEFINVALIDITE UA SSL_CLIENT_CERT DATEDEBUTVALIDITE
```
When the bug occurs :
```
[Tue Oct 13 17:41:31 2015] [warn] [exportedVars] exportedVars :
```
This can be checked in the session explorer. LDAP Vars are shown, and so on. ExportedVars are missing.
I've managed to reproduce easily the issue with SSL auth and LDAP users.
Can you look into that plz ?
Best regards,
Fred.

Milestone: 2.0.0
Assignee: Yadd

Adapt apache log level message on multi authentication scheme
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/857
Updated: 2018-05-18T05:17:43Z
Author: Philippe Baye

When Authentication module is set with "Multiple" (in my case "SSL;Slave;LDAP"), for all first ones that fail, I have a "warn" message put in apache error file, before the authentication process finishes.
In this case, it will be better not have these logs at a low level ("info" or "debug") : first authentication fails are "normal" case.
Example 1:
I have this log, before the connection form is displayed
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : Client IP not accredited for Slave module (172.xxx.xxx.xxx)
Example 2:
If IP is accredited for Slave module (or slaveMasterIP empty), then the message is at "error" level :
[Thu Oct 15 15:25:34 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:25:34 2015] [error] No header Slave-Auth-User found
Moreover, each time connection form is submitted (for example wrong password), these 2 first lines are logged.

Milestone: 2.0.0
Assignee: Yadd

get_url function builds wrong Portal URL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/863
Updated: 2018-05-15T20:31:11Z
Author: Cédric Liard

The get_url function in Simple.pm builds the URL portal according to portal-apache2.conf definition and not the URL Portal defined in the LemonLDAP configuration.
The problem is if the portal is behind a proxy (listening on https), the Portal Apache vhost is listening on http and the URL Portal (defined in LemonLDAP configuration) is on https, this function returns the http URL.

Milestone: 2.0.0
Assignee: Yadd

Replace XML format by JSON for notifications
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/868
Updated: 2018-05-18T05:17:44Z
Author: Yadd

Using XML provides no benefit but consumes memory and cpu on the server side

Milestone: 2.0.0
Assignee: Yadd

Env variables are searched in backends
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/918
Updated: 2018-05-15T20:31:11Z
Author: Clément OUDOT

When declaring exported attributes which are env variables, they are also searched in backends

Milestone: 2.0.0
Assignee: Yadd

REST API for Portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/970
Updated: 2018-05-18T05:17:48Z
Author: dcoutadeur dcoutadeur

This is a proposition for making a REST-API for portal, as it was done recently with Manager.

Milestone: 2.0.0
Assignee: Yadd