lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2018-05-15T20:31:11Z

Issue #1113: OIDC Provider to SAML SP does not work
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1113
Author: dcoutadeur dcoutadeur. Updated: 2018-05-15T20:31:11Z.

I have 3 machines:
- 1 is OIDC RP
- 1 is OIDC Provider + SAML SP
- 1 is SAML IdP
When trying to make a chain:
- Relying Party contacts OpenID Connect Provider
then
- OpenID Connect Provider (configured as SAML SP) contacts SAML IdP
the final return does not work, i.e. the SAML SP does not call its internal IdP.
I propose a basic patch which, in summary:
- happens before storing the relay state in the SAML SP (Portal/_SAML.pm)
- gets the called URL
- if the URL matches the current portal URL, stores it in the relay state.
The patch is working, but maybe these points should be validated:
- make sure it is generic, in particular make sure the other way is working: SAML IdP calling an OIDC RP
- security: make sure we won't redirect to insecure locations
- could the use of the CGI module be improved? (if the portal is to be made more generic and less tied to Apache)
Milestone: 2.0.0. Assignee: Yadd.

Issue #1085: CDA: use different cookies for each protected vhost instead of one for all
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1085
Author: Jaboeuf Quentin. Updated: 2018-05-19T19:41:40Z.

In a recent security audit of our LL::NG platform, the expert pointed out an issue with the fact that all the virtual hosts are protected with the same session id/cookie.
So, if someone steals the cookie, he could access all the applications the cookie-owner user can access.
He suggests dealing with secondary session ids/cookies to limit the impact of stealing a cookie.
Does this sound right to you? Is this achievable?

Milestone: 2.0.0. Assignee: Yadd.

Issue #1033: Translate mail subject - forgotten password
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1033
Author: Julian Layen. Updated: 2018-05-19T19:41:37Z.

Hello,
I need to translate the mails about "forgotten password" in the manager; unfortunately it is not possible to translate the mail subject into multiple languages. How can I change the subject for each language?
I modified the following file to change the subject but it does not work well:
/usr/share/perl5/Lemonldap/NG/Portal/MailReset.pm
line 310:
```perl
# TEST
# my $subject = $self->{mailConfirmSubject};
my $subject;
# Language code: first two letters of the Accept-Language header ('' when absent)
my $lang = substr( $ENV{HTTP_ACCEPT_LANGUAGE} // '', 0, 2 );
# Strings must be compared with 'eq': '==' compares numerically, so every
# branch would match and the last assignment would always win
if ( $lang eq "fr" ) {
    $subject = "Espace PRO Zodiac : Demande de re-initialisation de mot de passe";
}
if ( $lang eq "en" ) {
    $subject = "Zodiac Espace PRO : password modification request";
}
if ( $lang eq "it" ) {
    $subject = "Zodiac Area PRO: modifica della password richiesta";
}
if ( $lang eq "pt" ) {
    $subject = "Espaço PRO Zodiac : pedido de alteração da contra-senha";
}
if ( $lang eq "es" ) {
    $subject = "Zodiac Espacio PRO : solicitud de modificación de contraseña";
}
if ( $lang eq "nl" ) {
    $subject = "Zodiac Espace PRO : Boekingsverzoek reset van het wachtwoord";
}
if ( $lang eq "de" ) {
    $subject = "Zodiac Händlerbereich: Anfrage zur Passwortänderung";
}
# Append the language code to the subject (debug output)
$subject .= $lang;
# TEST
```
Milestone: 2.0.0. Assignee: Yadd.

Issue #1019: Evaluate custom template parameters
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1019
Author: Clément OUDOT. Updated: 2018-05-18T05:17:51Z.

We have the possibility to set custom template parameters: http://lemonldap-ng.org/documentation/latest/portalcustom#template_parameters
But this would be even more useful if this parameter were evaluated, so we can use %ENV and all session values. For example:
```
tpl_helloworld = "Hello world from ".$ipAddr
```

Milestone: 2.0.0. Assignee: Yadd.

Issue #1015: Two-Factor Authentication with OTP for portal user logins
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1015
Author: Pasi Karkkainen. Updated: 2018-05-18T05:17:51Z.

Currently LemonLDAP-NG (as of 1.9.2) does not support Two-Factor Authentication using a combination of username + password + One Time Password/PIN (OTP).
It'd be good if lemonldap-ng supported for example SMS-OTP (One Time Password/PIN delivered to a mobile phone using SMS) like this:
1) User goes to the lemonldap-ng login page and gets the usual prompt for username/password.
2) After successful user/pass authentication, the user gets another dialog/form on the login web page with an "OTP" prompt (challenge), to enter a valid one-time-password/pin.
3) If using SMS-OTP, the user will now also get an SMS message delivered to his mobile phone with the OTP in it.
4) User enters the OTP (response) from the SMS into the OTP form on the lemonldap-ng login page.
5) When the user has entered the correct OTP, login is successful and the lemonldap session is started.
This can be implemented in the following way:
1) Add Challenge-Response support to the lemonldap-ng AuthRadius plugin. Challenge-Response is a generic/standard method of implementing two-factor or multi-factor authentication with Radius. Challenge-Response also supports other types of OTP as well, not just SMS-OTP.
2) Add Two-Factor / Multi-Factor support to the lemonldap-ng login page, so it can display multi-part login forms, based on Challenge-Response results.
Basically, during the first phase of authentication (username/password entered) the radius server will verify the username/password; normally it would respond with "Access Accept" for successful authentication, but in the case of OTP it will reply with "Access Challenge" instead, which means LemonLDAP-NG should request additional information from the user. The Radius server also includes the actual text that should be shown to the user (for example "Enter SMS-OTP"). Also the radius server, or the configured radius backend, will generate the actual one-time-password/pin and send it to the user using SMS, or some other method.
In the second phase of the authentication LemonLDAP-NG will send the OTP to the radius server, and when the radius server verifies that the OTP is correct, the user authentication is successful.
There are multiple Radius servers/products with support for Two-Factor Authentication with One Time Passwords/PINs. Freeradius also supports this.
Milestone: 2.0.0. Assignee: Yadd.

Issue #970: REST API for Portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/970
Author: dcoutadeur dcoutadeur. Updated: 2018-05-18T05:17:48Z.

This is a proposition for making a REST API for the portal, as was done recently with the Manager.

Milestone: 2.0.0. Assignee: Yadd.

Issue #918: Env variables are searched in backends
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/918
Author: Clément OUDOT. Updated: 2018-05-15T20:31:11Z.

When declaring exported attributes which are env variables, they are also searched in backends.

Milestone: 2.0.0. Assignee: Yadd.

Issue #868: Replace XML format by JSON for notifications
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/868
Author: Yadd. Updated: 2018-05-18T05:17:44Z.

Using XML provides no benefit but consumes memory and CPU on the server side.

Milestone: 2.0.0. Assignee: Yadd.

Issue #863: get_url function builds wrong Portal URL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/863
Author: Cédric Liard. Updated: 2018-05-15T20:31:11Z.

The get_url function in Simple.pm builds the portal URL according to the portal-apache2.conf definition and not the portal URL defined in the LemonLDAP configuration.
The problem is that if the portal is behind a proxy (listening on https), the portal Apache vhost is listening on http and the portal URL (defined in the LemonLDAP configuration) is on https, this function returns the http URL.
Milestone: 2.0.0. Assignee: Yadd.

Issue #857: Adapt apache log level message on multi authentication scheme
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/857
Author: Philippe Baye. Updated: 2018-05-18T05:17:43Z.

When the Authentication module is set to "Multiple" (in my case "SSL;Slave;LDAP"), for all the first ones that fail, I get a "warn" message written to the Apache error file before the authentication process finishes.
In this case, it would be better to have these logs at a lower level ("info" or "debug"): first authentication failures are the "normal" case.
Example 1:
I have this log before the connection form is displayed:
```
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:22:50 2015] [warn] Lemonldap::NG : Client IP not accredited for Slave module (172.xxx.xxx.xxx)
```
Example 2:
If the IP is accredited for the Slave module (or slaveMasterIP is empty), then the message is at "error" level:
```
[Thu Oct 15 15:25:34 2015] [warn] Lemonldap::NG : No certificate found (172.xxx.xxx.xxx)
[Thu Oct 15 15:25:34 2015] [error] No header Slave-Auth-User found
```
Moreover, each time the connection form is submitted (for example with a wrong password), these first 2 lines are logged.

Milestone: 2.0.0. Assignee: Yadd.

Issue #856: LemonLDAP loses exportedVars conf randomly
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/856
Author: Frédéric Pégé. Updated: 2018-05-15T20:31:11Z.

Randomly (at least, for now), Lemonldap loses the "exportedVars" entry of its conf.
The consequence is that exportedVars are not set for this session.
To prove that, I've added the following line in Portal/Simple.pm (line 1972):
```
$self->lmLog( "[exportedVars] exportedVars : ".join(' ',keys %{ $self->{exportedVars} }) , 'warn' );
```
When everything is fine:
```
[Tue Oct 13 17:55:35 2015] [warn] [exportedVars] exportedVars : DATEFINVALIDITE UA SSL_CLIENT_CERT DATEDEBUTVALIDITE
```
When the bug occurs:
```
[Tue Oct 13 17:41:31 2015] [warn] [exportedVars] exportedVars :
```
This can be checked in the session explorer. LDAP vars are shown, and so on. ExportedVars are missing.
I've managed to reproduce the issue easily with SSL auth and LDAP users.
Can you look into that please?
Best regards,
Fred.

Milestone: 2.0.0. Assignee: Yadd.

Issue #852: Possibility to reload/refresh his session without logout and relogin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/852
Author: Clément OUDOT. Updated: 2018-05-18T05:17:43Z.

The goal is to be able to refresh the content of the session without forcing the user to log out and log in again. This is useful for example if the user was assigned to a new group and needs to access an application requiring this group.
Milestone: 2.0.0. Assignee: Yadd.

Issue #834: Auth Yubikey: second factor authentication module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/834
Author: Maxime De roucy. Updated: 2018-05-18T05:17:42Z.

Add a second factor authentication module for Yubikey.

Milestone: 2.0.0. Assignee: Yadd.

Issue #826: Tab in portal to manage OpenID Connect consent
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/826
Author: Clément OUDOT. Updated: 2018-05-18T05:17:42Z.

The goal is to be able to view all applications that have the consent of the user, and allow the user to revoke them.

Milestone: 2.0.0. Assignee: Yadd.

Issue #819: Support of FIDO Alliance (multi-factor authentication)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/819
Author: Clément OUDOT. Updated: 2018-06-26T13:59:27Z.

A good way to have multi-factor authentication in LL::NG is to implement the FIDO Alliance specification: https://fidoalliance.org/

Milestone: 2.0.0.

Issue #804: Incomplete logout in Issuer modules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/804
Author: Clément OUDOT. Updated: 2018-05-15T20:31:11Z.

We have a standard logout process in the portal:
* Delete local session
* Call issuerLogout on each used Issuer module
* Call authLogout
* Display iFrames for logout services
* Display "you are disconnected" at the end of the process
But this process is not used when a logout request comes from an Issuer module (CAS, OpenID or OpenID Connect). This seems to be OK for the SAML Issuer.

Milestone: 2.0.0. Assignee: Yadd.

Issue #803: AuthSSL: Ability to choose SSLvar or UserDB depending on the CA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/803
Author: Yadd. Updated: 2018-05-18T05:17:41Z.

When using AuthSSL with multiple CAs, it could be interesting to be able to choose the UserDB backend (or simply SSLvar) depending on the CA that signed the user certificate.

Milestone: 2.0.0. Assignee: Yadd.

Issue #789: Apache reloading breaks SAML authentication
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/789
Author: Updateme Lulandco. Updated: 2018-05-15T20:31:11Z.

Hi,
After reloading the Apache conf, SAML authentication is broken; the SP Metadata can't be retrieved from cache:
```
[Fri Feb 13 19:51:45.934452 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Reset SAML configuration cache
[Fri Feb 13 19:51:45.934468 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: SAML cache configuration: 46
[Fri Feb 13 19:51:45.934549 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Get Metadata for this service
[Fri Feb 13 19:51:45.938604 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error [ critical ]: 2015-02-13 19:51:45 (server.c/:699) Failed to load metadata from preloaded buffer
[Fri Feb 13 19:51:45.938754 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Lasso error code -501: An object type provided as parameter is invalid or object is NULL.
[Fri Feb 13 19:51:45.938777 2015] [perl:debug] [pid 11688] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/_SAML.pm 186:
[Fri Feb 13 19:51:45.938788 2015] [perl:error] [pid 11688] Unable to create Lasso server
[Fri Feb 13 19:51:45.939030 2015] [perl:debug] [pid 11688] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Display type standardform
```
I checked, all of Apache's modules are reloaded normally. Restarting Apache doesn't produce the issue.
LulAndCo

Milestone: 2.0.0. Assignee: Yadd.

Issue #778: Multi backend authentication with SAML + LDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/778
Author: Nicolas Dutertre. Updated: 2018-11-28T12:47:47Z.

With the multi backend using SAML / LDAP, the second authentication backend does not work, and no errors come back in the logs in debug.
And this is whatever the order of use of the backends (SAML / LDAP or LDAP / SAML).
SAML loops once before falling into error and looping on the LDAP authentication form.

Milestone: 2.0.0.

Issue #713: Request management to handle sessions
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/713
Author: FX Deltombe. Updated: 2018-05-18T05:17:37Z.

Creating a session causes four requests to the session backend (at least for the SQL session backend, but I guess it behaves the same with any backend), one insert request and three updates:
* the first one to add "_session_kind" => "SSO",
* the second one to add session data,
* the third one to add "updateTime" and "_issuerDB".
Until version 1.3, it was done with two requests, one insert and one update. And it could be done with one single request.
Likewise, logout causes three select requests to read the user session, whereas a single request is enough.

Milestone: 2.0.0. Assignee: Yadd.