lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-05-19T19:41:45Z

Issue #1206: TLS support for mails
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1206
Updated: 2018-05-19T19:41:45Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Add options in MIME::Lite to enable SSL or STARTTLS.

Issue #1204: Propose reauthentication if higher access level is requested
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1204
Updated: 2019-07-09T17:15:57Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Yadd

We need to be able to know which authentication level is requested (acr_values in OpenID Connect, requestedauthenticationcontext in SAML, a new parameter in the Handler). Then compare this level to the current level and force reauthentication if the level is not enough.
This also implies only proposing authentication backends that are up to the requested level in the combination module.

Issue #1201: IPv6 support
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1201
Updated: 2018-05-19T19:41:45Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Add some IPv6 support:
* in Safelib:
** `isInNet6($ipAddr, '2134::/16')`: return true if $ipAddr is in the 2134::/16 network
* for Session Explorer:
** `isIpv6($ipAddr)`: check if $ipAddr is an IPv6 address
** some features to display IPv6 addresses

Issue #1196: Auth::PAM module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1196
Updated: 2018-05-19T19:41:45Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Using Authen::PAM, it seems easy to write this.

Issue #1188: Custom auth/userDB/password/register modules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1188
Updated: 2018-05-19T19:41:45Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Insert "Custom" in the selects. customParams will contain the real class names.

Issue #1184: Remove old skins and keep only bootstrap
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1184
Updated: 2018-05-19T19:41:44Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Yadd

We will remove the pastel, dark and impact skins, which are old and hard to maintain.
While keeping the bootstrap skin, we could try to propose bootswatch themes: http://bootswatch.com/

Issue #1183: Rewrite CAS authentication module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1183
Updated: 2018-05-19T19:41:44Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Yadd

The Perl-CAS module does not provide enough features (it can't read attributes and uses a local file to manage proxy tickets), so we need to rewrite the CAS client code and create a CAS UserDB module.

Issue #1173: Performance: minimize Apache::Session access
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1173
Updated: 2018-05-19T19:41:44Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Lemonldap::NG::Common::Session always unties %data, so getApacheSession() + session->update($info) ties %data twice.
This issue will give the possibility to directly attach and update %data in getApacheSession().

Issue #1169: Be consistent in session "private" variable names
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1169
Updated: 2018-05-19T19:41:44Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Yadd

We have session data which are set by LL::NG and others which come from the UserDB backend.
Some of the variables set by LL::NG are prefixed with "_", but not all. We can maybe work on this for 2.0.
See also http://lemonldap-ng.org/documentation/latest/variables

Issue #1162: Capability to use Log4Perl (and other log backends)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1162
Updated: 2018-06-13T19:34:33Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Create Lemonldap::NG::Common::Logger::* classes to be able to choose the logging stack.

Issue #1161: Manage access rules for CAS, SAML and OpenID Connect clients
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1161
Updated: 2018-06-23T08:19:18Z | Author: Clément OUDOT | Milestone: 2.0.0 | Assignee: Clément OUDOT

As we are doing a lot of modifications for 2.0, I would like to rethink how we manage access rules and find a way to apply them to all LL::NG clients/applications, not only those protected by the Handler.
From my point of view, an application can be authenticated and protected with multiple methods:
* HTTP headers behind Handlers
* CAS
* SAML
* OpenID Connect

We already implemented a kind of access control for CAS clients, when the CAS service matches a registered virtual host, but this is a kind of hack that we can improve.
CAS code must be rewritten so we can declare CAS servers and CAS services, like we have SAML IDP/SP and OIDC OP/RP.
And for CAS, SAML and OIDC, we should have a new sub-branch for access rules, like we have in virtual hosts. Note that we already have the "exported attributes" for SAML and OIDC; we just need to add them for CAS.
With this, we could be, I think, the only SSO and Access Management solution to act on HTTP headers, CAS, SAML and OpenID Connect.

Issue #1157: Export SAML request parameters in %ENV
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1157
Updated: 2018-06-26T13:55:16Z | Author: Clément OUDOT | Milestone: 2.0.0

Same as #1156 but for SAML.

Issue #1151: Replace Multi by a Combination parser
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1151
Updated: 2018-05-19T19:41:43Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Multi will be replaced by a combination parser that can understand:
* [ LDAP ] or [ DBI ]
* [ LDAP ] and [ DBI ]
* [ SSL, LDAP ] or [ LDAP ]
* if ($env->{REMOTE_ADDR} =~ /^10\./) then [ SSL, LDAP ] else [ LDAP ]
* if ($env->{REMOTE_ADDR} =~ /^10\./) then [ SSL, LDAP ] else if ($env->{REMOTE_ADDR} =~ /^192/) then [ LDAP ] else [ DBI ]
* [ MyLDAP1 ] or [ MyLDAP2 ]
* [ LDAP, LDAP and DBI ]
* ...

Names given (LDAP, DBI, …) must be declared:
```perl
combModules => {
    MyLDAP1 => {
        type => 'LDAP',
        for  => 0,    # 1 = auth, 2 = userDB, 0 = both
        over => {
            ldapServer => 'ldaps://10.0.0.1',
        },
    },
}
```

Issue #1150: Can't get captcha to work with LDAP as backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1150
Updated: 2018-05-15T20:31:11Z | Author: Michael Goldfinger | Milestone: 2.0.0 | Assignee: Clément OUDOT

After getting the websites to work and getting LDAP to run as the configuration backend, I wanted to change the backend for the captcha from Apache::Session::File to Apache::Session::LDAP.
I configured the system as shown on the screenshots. The ldapBindDN and ldapBindPassword are used for the configuration backend too, so they are working. I even tried ldapBindPassword as {SSHA}xxx and in clear text, but I would prefer it if {SSHA} worked. However, the effect is that instead of the captcha I get the broken-image icon and nothing is written into LDAP.
The nginx error_log shows only the warnings about the demo accounts.

Issue #1148: U2F - Universal 2nd Factor Authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1148
Updated: 2018-06-12T15:56:55Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Insert a registration application and, for registered users, ask for U2F auth.
A U2F authentication flag will be inserted in the session for rules.

Issue #1140: Add CSRF protection to login and password change forms
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1140
Updated: 2018-05-18T05:17:09Z | Author: Mathieu Parent | Milestone: 2.0.0 | Assignee: Yadd

Please add a token-based CSRF protection to the login form and password change forms (and maybe others).
Best practices require that the token is linked to the form+session (and not usable on another form).

Issue #1138: Generate Content-Security-Policy headers and related
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1138
Updated: 2018-05-18T05:17:09Z | Author: Mathieu Parent | Milestone: 2.0.0 | Assignee: Yadd

(Once #1137 is fixed.)
Generate those headers:
```
Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'self'; connect-src 'self'; style-src 'self'; font-src 'self'; child-src 'none' $CHILD_SRC; form-action 'self' $FORM_ACTION; frame-ancestors 'none'; report-uri $REPORT_URI
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```
With:
- $CHILD_SRC empty, except with logout iframes
- $FORM_ACTION empty, except with SAML forms
- $REPORT_URI: configurable (default empty)

Issue #1137: Avoid using inline Javascript and CSS
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1137
Updated: 2018-05-18T05:17:09Z | Author: Mathieu Parent | Milestone: 2.0.0 | Assignee: Yadd

This is #1125, cont.
To further protect the manager, inline JS and CSS should be removed.

Issue #1133: Translation system for mails
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1133
Updated: 2018-05-19T19:41:42Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Issue #1131: Portal plugin to "Stay connected on this device"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1131
Updated: 2018-05-19T19:41:42Z | Author: Yadd | Milestone: 2.0.0 | Assignee: Yadd

Many websites provide a "Stay connected" feature based on a permanent cookie. I propose to add this feature but using Fingerprintjs2 (https://github.com/Valve/fingerprintjs2) to secure the cookie.
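The rule grammar sketched in issue #1151 above, worked through as an added example. This is illustrative Python written for this page, not LL::NG's Perl code and not the project's own Combination parser. It assumes the semantics the examples suggest (`[A] or [B]` tries A and falls back to B; `[A] and [B]` requires both; `[ auth, userDB ]` names the two roles and a bare name fills both; `X and Y` inside the brackets chains two modules for one role), supports only the `$env->{KEY} =~ /regex/` conditions shown, and checks every module name against a constructed `DECLARED` set standing in for the built-in modules plus the `combModules` entries.

```python
import re

KEYWORDS = {"if", "then", "else", "and", "or"}
TOKEN_RE = re.compile(r"\s*(?:([\[\],])|\(([^()]*)\)|(\w+))")
COND_RE = re.compile(r"^\$env->\{(\w+)\}\s*=~\s*/(.*)/$")

def tokenize(src):
    # Tokens: '[', ']', ',', keywords, NAME, and COND for the '(...)' after 'if'
    # (assumption: the Perl condition itself contains no parentheses).
    leftover = TOKEN_RE.sub("", src).strip()
    if leftover:
        raise SyntaxError(f"unexpected input in rule: {leftover!r}")
    tokens = []
    for punct, cond, word in TOKEN_RE.findall(src):
        if punct:
            tokens.append((punct, punct))
        elif word:
            tokens.append((word, word) if word in KEYWORDS else ("NAME", word))
        else:
            tokens.append(("COND", cond.strip()))
    return tokens + [("EOF", None)]

def parse_rule(rule, declared):
    """Recursive descent over the grammar assumed from the #1151 examples:
    expr := 'if' COND 'then' expr 'else' expr | conj ('or' conj)*
    conj := group ('and' group)*   group := '[' mods (',' mods)? ']'   mods := NAME ('and' NAME)*"""
    toks, pos = tokenize(rule), 0

    def take(kind):
        nonlocal pos
        got, value = toks[pos]
        if got != kind:
            raise SyntaxError(f"expected {kind}, found {got} at token {pos}")
        pos += 1
        return value

    def chain(keyword, sub):
        items = [sub()]
        while toks[pos][0] == keyword:
            take(keyword)
            items.append(sub())
        return items[0] if len(items) == 1 else (keyword, items)

    def mods():
        names = [take("NAME")]
        while toks[pos][0] == "and":
            take("and")
            names.append(take("NAME"))
        unknown = [n for n in names if n not in declared]
        if unknown:  # catch typos at configuration time, not at the first login
            raise ValueError(f"modules not declared in combModules: {unknown}")
        return tuple(names)

    def group():
        take("[")
        auth = userdb = mods()  # a single name serves as both auth and userDB
        if toks[pos][0] == ",":
            take(",")
            userdb = mods()
        take("]")
        return ("group", auth, userdb)

    def expr():
        if toks[pos][0] != "if":
            return chain("or", lambda: chain("and", group))
        take("if")
        cond = take("COND")
        take("then")
        then_branch = expr()
        take("else")
        return ("if", cond, then_branch, expr())

    node = expr()
    take("EOF")  # reject trailing input such as a dangling 'or'
    return node

def eval_condition(cond, env):
    # Only the Perl subset the issue uses: $env->{KEY} =~ /regex/
    m = COND_RE.match(cond)
    if not m:
        raise ValueError(f"unsupported condition: {cond}")
    key, pattern = m.groups()
    return re.search(pattern, str(env.get(key, ""))) is not None

def resolve(node, env):
    # Ordered alternatives; each is a list of (auth, userdb) groups that must all succeed.
    kind = node[0]
    if kind == "if":
        return resolve(node[2] if eval_condition(node[1], env) else node[3], env)
    if kind == "or":  # try the left operand first, fall back to the right
        return [alt for sub in node[1] for alt in resolve(sub, env)]
    if kind == "and":  # every group must succeed
        return [[sub[1:] for sub in node[1]]]
    return [[node[1:]]]

# Constructed for this example; a real portal would read the names from its configuration.
DECLARED = {"LDAP", "DBI", "SSL", "MyLDAP1", "MyLDAP2"}

def backends_for(rule, env, declared=DECLARED):
    return resolve(parse_rule(rule, declared), env)
```

Each alternative returned by `backends_for` is what the portal would try, in order, for that request; the `if`/`else` is resolved against the request environment first, so the per-request cost is a dictionary lookup and a regex, and the undeclared-name check in `mods` turns a typo such as `[ Ldap ]` into a configuration error instead of a login that fails for every user.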
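The binding issue #1140 asks for, a token usable only on the form and session it was issued for, as an added Python example (not the project's code): a stateless HMAC token whose MAC covers the session id, the form name, a fresh nonce and the issue time. It assumes the portal has some per-browser identifier to bind to before login (a pre-login session id or equivalent); `SERVER_SECRET` and `TOKEN_MAX_AGE` are constructed values for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a per-deployment key. A real portal would load
# it from its configuration and keep it out of the session store.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 600  # seconds a rendered form stays submittable

def _mac(secret, session_id, form_name, nonce, issued_at):
    # Session and form name both go into the MAC, so a token copied from the
    # login form is rejected on the password-change form and vice versa.
    msg = f"{session_id}\x00{form_name}\x00{nonce}\x00{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_token(session_id, form_name, secret=SERVER_SECRET, now=None):
    """Value for the form's hidden field: nonce.issued_at.mac (nothing stored server-side)."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return f"{nonce}.{issued_at}.{_mac(secret, session_id, form_name, nonce, issued_at)}"

def verify_token(token, session_id, form_name, secret=SERVER_SECRET, now=None, max_age=TOKEN_MAX_AGE):
    """True only for a token issued for this session and this form within max_age."""
    try:
        nonce, issued_at, mac = token.split(".")
        issued_at = int(issued_at)
    except (AttributeError, ValueError):
        return False
    age = (time.time() if now is None else now) - issued_at
    if not 0 <= age <= max_age:  # expired, or claims to come from the future
        return False
    expected = _mac(secret, session_id, form_name, nonce, issued_at)
    # Constant-time comparison: no early exit that leaks how many bytes matched.
    return hmac.compare_digest(expected.encode(), mac.encode())
```

Because the MAC covers the session id and the form name, one secret serves every form without server-side state; a token stays replayable on its own form until `max_age` runs out, and making tokens single-use would require recording the consumed nonce in the session.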
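Issue #1138's header list, turned into a generator plus a small policy checker, as an added Python example that is not LL::NG code. It assumes the portal can hand over the logout-iframe and SAML POST target URLs as absolute URLs; `NO_FALLBACK` and the exact-origin matching in `csp_allows` are a deliberate simplification of CSP3 source matching (no wildcards, scheme-only sources or paths).

```python
from urllib.parse import urlsplit

# Directives that do NOT fall back to default-src when absent (CSP3; the list is
# not exhaustive). Leaving one out means "unrestricted", which is why #1138 sets
# form-action and frame-ancestors explicitly instead of relying on default-src.
NO_FALLBACK = {"form-action", "frame-ancestors", "base-uri"}

def _origin(url):
    """Reduce an absolute http(s) URL to the scheme://host[:port] source expression."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc}"

def _sources(default, urls):
    """Source list for one directive. 'none' only means anything on its own
    (browsers ignore it next to other sources), so it is dropped as soon as a
    real origin is added; 'self' is kept alongside the origins."""
    origins = sorted({_origin(u) for u in urls})
    if not origins:
        return default
    return " ".join(([] if default == "'none'" else [default]) + origins)

def security_headers(logout_iframes=(), saml_form_targets=(), report_uri=None):
    """The header set from #1138 with $CHILD_SRC, $FORM_ACTION and $REPORT_URI filled in."""
    directives = [
        "default-src 'none'", "img-src 'self'", "script-src 'self'",
        "connect-src 'self'", "style-src 'self'", "font-src 'self'",
        "child-src " + _sources("'none'", logout_iframes),
        "form-action " + _sources("'self'", saml_form_targets),
        "frame-ancestors 'none'",
    ]
    if report_uri:
        directives.append("report-uri " + report_uri)
    return {
        "Content-Security-Policy": "; ".join(directives),
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "X-XSS-Protection": "1; mode=block",
    }

def parse_csp(policy):
    """Map each directive name to its list of source expressions."""
    result = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            result[parts[0]] = parts[1:]
    return result

def csp_allows(policy, directive, origin, self_origin):
    """Would a resource at `origin` pass `directive` under `policy`?
    Simplified: exact origin matching only."""
    dirs = parse_csp(policy)
    sources = dirs.get(directive)
    if sources is None:
        if directive in NO_FALLBACK:
            return True  # absent and no fallback: the directive is unrestricted
        sources = dirs.get("default-src", [])
    return origin in sources or ("'self'" in sources and origin == self_origin)
```

The checker exists to make one point visible: fetch directives such as child-src inherit `default-src 'none'` when omitted, but form-action and frame-ancestors do not, so leaving either out silently allows every target. The `'none'` handling in `_sources` matters for the same reason: `child-src 'none' https://app.example.com` is not a stricter list, it is the same as listing the origin alone, and browsers log a warning for it. X-XSS-Protection is emitted because the issue lists it; the browser XSS auditors it controlled have since been removed, so today it is inert and the CSP does the work.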