# lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2020-11-28T12:05:15Z

## OIDC consents not well stored in session / displayed in portal
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1431
Updated: 2020-11-28T12:05:15Z
Author: Clément OUDOT

See ![Screenshot-2018-5-24_Authentication_portal](/uploads/119ca37100f88745d5a5e198e9c599cc/Screenshot-2018-5-24_Authentication_portal.png)

Milestone: 2.0.0
Assignee: Clément OUDOT

## Test all password reset by mail workflows
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1508
Updated: 2020-07-28T14:01:48Z
Author: Clément OUDOT

When testing password reset, submitting twice the same mail did not show a confirmation page to inform that a mail was already sent.
The log seems to show the opposite:
```
[debug] Build URL http://auth.example.com:19876/resetpwd?skin=bootstrap
[debug] Redirect 127.0.0.1 to portal (url was /resetpwd?skin=bootstrap)
[debug] User not authenticated, Try in use, cancel redirection
[debug] Start routing resetpwd
[debug] Trying to load token 1537653191_524
[debug] Good captcha response
[debug] Captcha code verified
[debug] Processing getUser
[debug] Processing setSessionInfo
[debug] Processing setMacros
[debug] Processing setGroups
[debug] Processing setPersistentSessionInfo
[debug] Persistent session found for dwho
[debug] Restore persistent parameter _loginHistory
[debug] Restore persistent parameter _updateTime
[debug] Processing setLocalGroups
[debug] Try to get SSO session be2b1fb4c2201bf63c2243073335d0262b9b399965a375c4acd137f7c8803456
[debug] Return SSO session be2b1fb4c2201bf63c2243073335d0262b9b399965a375c4acd137f7c8803456
[debug] Mail session found: be2b1fb4c2201bf63c2243073335d0262b9b399965a375c4acd137f7c8803456
[debug] Mail expiration timestamp: 1537796370
[debug] Mail start timestamp: 1537724370
[notice] Reset mail already sent to dwho
[debug] Display called with code: 72
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Display "confirm mail sent"
[debug] Starting HTML generation using /home/clement/dev/lemonldap-ng/lemonldap-ng-portal/site/templates/bootstrap/mail.tpl
[debug] Skin bootstrap selected from GET/POST parameter
[debug] Sending /home/clement/dev/lemonldap-ng/lemonldap-ng-portal/site/templates/bootstrap/mail.tpl
[debug] Apply following CSP : default-src 'self';img-src 'self' data:;style-src 'self';font-src 'self';connect-src 'self';form-action 'self';frame-ancestors 'none';
auth.example.com:80 127.0.0.1 - - [23/Sep/2018:19:51:21 +0200] "POST /resetpwd?skin=bootstrap HTTP/1.1" 200 7597
auth.example.com:80 127.0.0.1 - - [23/Sep/2018:19:51:21 +0200] "GET /static/bwr/bootstrap/dist/css/bootstrap-theme.css HTTP/1.1" 302 543
```
Maybe an issue in the template.

Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Registering U2F 2FA doesn't work
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1455
Updated: 2020-04-05T10:22:53Z
Author: Paul Curie

### Concerned version
Version: 2.0.0~alpha3+20180614095215+2019+master+stretch+olab1
Platform: Apache
OS : Debian 9
### Summary
I activated U2F 2FA on llng manager and self registration, trying self registration, nothing happens if I click on register and verify. Also nothing in logs (apache mode debug, llng mode debug).
Also, on the 2FA registration page, "2ndFA Management" button redirects to https://auth.xps.local2fregisters/ instead of https://auth.xps.local/2fregisters/
Here's what I did :
- Install libu2f-server-dev from debian packages (1.0.1-3+b1)
- Install Crypt::U2F::Server::Simple 0.43 from sources (perl Makefile.pl, make, make install)
- Activation U2F on llng manager (Activation on, self registration on, U2F level 3, authorize to remove on)
- Try on chrome stable (67.0.3396.87-1) nothing happens
- Try on chromium-browser (66.0.3359.181-0ubuntu0.16.04.1) nothing happens
- Try on firefox (60.0.2) after setting security.webauth.u2f to true, nothing happens
I tried the old FIDO and new FIDO2 U2F security keys from yubikey (they both currently work with google/github)
I am using a self-signed certificate for SSL, will try with a letsencrypt one.
### Logs
Clicking on 2FA management in portal :
```
==> /var/log/apache2/manager.log <==
[Thu Jun 14 20:12:40.174313 2018] [ssl:info] [pid 1166] [client 192.168.56.1:51154] AH01964: Connection to child 3 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.174839 2018] [ssl:debug] [pid 1166] ssl_engine_kernel.c(2115): [client 192.168.56.1:51154] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.174944 2018] [core:debug] [pid 1166] protocol.c(2219): [client 192.168.56.1:51154] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.176196 2018] [ssl:debug] [pid 1166] ssl_engine_kernel.c(2042): [client 192.168.56.1:51154] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 14 20:12:40.176521 2018] [ssl:info] [pid 1166] (70014)End of file found: [client 192.168.56.1:51154] AH01991: SSL input filter read failed.
[Thu Jun 14 20:12:40.178213 2018] [ssl:info] [pid 1168] [client 192.168.56.1:51156] AH01964: Connection to child 5 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.178646 2018] [ssl:debug] [pid 1168] ssl_engine_kernel.c(2115): [client 192.168.56.1:51156] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.178707 2018] [core:debug] [pid 1168] protocol.c(2219): [client 192.168.56.1:51156] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.179382 2018] [ssl:debug] [pid 1168] ssl_engine_kernel.c(2042): [client 192.168.56.1:51156] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.176928 2018] [ssl:debug] [pid 1166] ssl_engine_io.c(1044): [client 192.168.56.1:51154] AH02001: Connection closed to child 3 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:40.179942 2018] [ssl:debug] [pid 1168] ssl_engine_kernel.c(366): [client 192.168.56.1:51156] AH02034: Initial (No.1) HTTPS request received for child 5 (server auth.xps.local:443), referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.180093 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.180107 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.180206 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.180217 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/
==> /var/log/apache2/error.log <==
[debug] Get session 9b2cd6ddbc456071ebfbe7e6886353bacc06be8f88ac5fdb1142c04c5b523f5f from Handler internal cache
[debug] removing cookie
[debug] User fd-admin was granted to access to /2fregisters
[debug] Start routing 2fregisters
[debug] Looking if u2F register is available
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.192924 2018] [ssl:debug] [pid 1168] ssl_engine_kernel.c(366): [client 192.168.56.1:51156] AH02034: Subsequent (No.2) HTTPS request received for child 5 (server auth.xps.local:443), referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.193360 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.193577 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.193951 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.194191 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/
==> /var/log/apache2/error.log <==
[debug] Get session 9b2cd6ddbc456071ebfbe7e6886353bacc06be8f88ac5fdb1142c04c5b523f5f from Handler internal cache
[debug] removing cookie
[debug] User fd-admin was granted to access to /2fregisters/u
[debug] Start routing 2fregisters
[debug] Starting HTML generation using /usr/share/lemonldap-ng/portal/templates/bootstrap/u2fregister.tpl
[debug] Sending /usr/share/lemonldap-ng/portal/templates/bootstrap/u2fregister.tpl
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.200004 2018] [deflate:debug] [pid 1168] mod_deflate.c(853): [client 192.168.56.1:51156] AH01384: Zlib: Compressed 4996 to 1700 : URL /index.fcgi/2fregisters/u, referer: https://auth.xps.local/
[Thu Jun 14 20:12:40.215299 2018] [ssl:debug] [pid 1168] ssl_engine_kernel.c(366): [client 192.168.56.1:51156] AH02034: Subsequent (No.3) HTTPS request received for child 5 (server auth.xps.local:443), referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.216650 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.217790 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/2fregisters/u
==> /var/log/apache2/manager.log <==
[Thu Jun 14 20:12:40.219187 2018] [ssl:info] [pid 1172] [client 192.168.56.1:51158] AH01964: Connection to child 8 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.219903 2018] [ssl:debug] [pid 1172] ssl_engine_kernel.c(2115): [client 192.168.56.1:51158] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.220208 2018] [ssl:info] [pid 1188] [client 192.168.56.1:51160] AH01964: Connection to child 14 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.220459 2018] [ssl:info] [pid 1182] [client 192.168.56.1:51162] AH01964: Connection to child 0 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.220660 2018] [ssl:info] [pid 1164] [client 192.168.56.1:51164] AH01964: Connection to child 1 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.221264 2018] [ssl:debug] [pid 1164] ssl_engine_kernel.c(2115): [client 192.168.56.1:51164] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.221908 2018] [ssl:debug] [pid 1182] ssl_engine_kernel.c(2115): [client 192.168.56.1:51162] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.222591 2018] [ssl:debug] [pid 1188] ssl_engine_kernel.c(2115): [client 192.168.56.1:51160] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.223815 2018] [core:debug] [pid 1182] protocol.c(2219): [client 192.168.56.1:51162] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.224368 2018] [core:debug] [pid 1164] protocol.c(2219): [client 192.168.56.1:51164] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.224904 2018] [core:debug] [pid 1172] protocol.c(2219): [client 192.168.56.1:51158] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.225205 2018] [core:debug] [pid 1188] protocol.c(2219): [client 192.168.56.1:51160] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.226953 2018] [ssl:info] [pid 1189] [client 192.168.56.1:51166] AH01964: Connection to child 15 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.227920 2018] [ssl:info] [pid 1170] [client 192.168.56.1:51168] AH01964: Connection to child 7 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.228788 2018] [ssl:info] [pid 1173] [client 192.168.56.1:51170] AH01964: Connection to child 9 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.229205 2018] [ssl:debug] [pid 1173] ssl_engine_kernel.c(2115): [client 192.168.56.1:51170] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.229586 2018] [core:debug] [pid 1173] protocol.c(2219): [client 192.168.56.1:51170] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.230343 2018] [ssl:debug] [pid 1173] ssl_engine_kernel.c(2042): [client 192.168.56.1:51170] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 14 20:12:40.230881 2018] [ssl:debug] [pid 1189] ssl_engine_kernel.c(2115): [client 192.168.56.1:51166] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.231200 2018] [ssl:debug] [pid 1170] ssl_engine_kernel.c(2115): [client 192.168.56.1:51168] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.231444 2018] [core:debug] [pid 1170] protocol.c(2219): [client 192.168.56.1:51168] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.231611 2018] [core:debug] [pid 1189] protocol.c(2219): [client 192.168.56.1:51166] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.232664 2018] [ssl:debug] [pid 1164] ssl_engine_kernel.c(2042): [client 192.168.56.1:51164] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 14 20:12:40.232907 2018] [ssl:debug] [pid 1188] ssl_engine_kernel.c(2042): [client 192.168.56.1:51160] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 14 20:12:40.233271 2018] [ssl:info] [pid 1188] (70014)End of file found: [client 192.168.56.1:51160] AH01991: SSL input filter read failed.
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.233552 2018] [ssl:debug] [pid 1173] ssl_engine_kernel.c(366): [client 192.168.56.1:51170] AH02034: Initial (No.1) HTTPS request received for child 9 (server auth.xps.local:443), referer: https://auth.xps.local/2fregisters/u
==> /var/log/apache2/manager.log <==
[Thu Jun 14 20:12:40.233964 2018] [ssl:debug] [pid 1189] ssl_engine_kernel.c(2042): [client 192.168.56.1:51166] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 14 20:12:40.234210 2018] [ssl:info] [pid 1164] (70014)End of file found: [client 192.168.56.1:51164] AH01991: SSL input filter read failed.
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.234591 2018] [authz_core:debug] [pid 1173] mod_authz_core.c(809): [client 192.168.56.1:51170] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.234852 2018] [ssl:debug] [pid 1189] ssl_engine_kernel.c(366): [client 192.168.56.1:51166] AH02034: Initial (No.1) HTTPS request received for child 15 (server auth.xps.local:443), referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.235275 2018] [ssl:debug] [pid 1164] ssl_engine_io.c(1044): [client 192.168.56.1:51164] AH02001: Connection closed to child 1 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:40.235993 2018] [ssl:debug] [pid 1188] ssl_engine_io.c(1044): [client 192.168.56.1:51160] AH02001: Connection closed to child 14 with standard shutdown (server auth.xps.local:443)
==> /var/log/apache2/manager.log <==
[Thu Jun 14 20:12:40.236721 2018] [ssl:info] [pid 1174] [client 192.168.56.1:51172] AH01964: Connection to child 10 established (server manager.xps.local:443)
[Thu Jun 14 20:12:40.237192 2018] [ssl:debug] [pid 1174] ssl_engine_kernel.c(2115): [client 192.168.56.1:51172] AH02043: SSL virtual host for servername auth.xps.local found
[Thu Jun 14 20:12:40.237446 2018] [core:debug] [pid 1174] protocol.c(2219): [client 192.168.56.1:51172] AH03155: select protocol from , choices=h2,http/1.1 for server auth.xps.local
[Thu Jun 14 20:12:40.237984 2018] [ssl:debug] [pid 1170] ssl_engine_kernel.c(2042): [client 192.168.56.1:51168] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 14 20:12:40.238398 2018] [ssl:debug] [pid 1174] ssl_engine_kernel.c(2042): [client 192.168.56.1:51172] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.238601 2018] [ssl:debug] [pid 1174] ssl_engine_kernel.c(366): [client 192.168.56.1:51172] AH02034: Initial (No.1) HTTPS request received for child 10 (server auth.xps.local:443), referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.238982 2018] [authz_core:debug] [pid 1174] mod_authz_core.c(809): [client 192.168.56.1:51172] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.239725 2018] [authz_core:debug] [pid 1174] mod_authz_core.c(809): [client 192.168.56.1:51172] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.241378 2018] [authz_core:debug] [pid 1189] mod_authz_core.c(809): [client 192.168.56.1:51166] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/2fregisters/u
==> /var/log/apache2/manager.log <==
[Thu Jun 14 20:12:40.241841 2018] [ssl:debug] [pid 1172] ssl_engine_kernel.c(2042): [client 192.168.56.1:51158] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.242380 2018] [authz_core:debug] [pid 1173] mod_authz_core.c(809): [client 192.168.56.1:51170] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.243227 2018] [authz_core:debug] [pid 1189] mod_authz_core.c(809): [client 192.168.56.1:51166] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/2fregisters/u
==> /var/log/apache2/manager.log <==
[Thu Jun 14 20:12:40.243664 2018] [ssl:debug] [pid 1182] ssl_engine_kernel.c(2042): [client 192.168.56.1:51162] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Thu Jun 14 20:12:40.243886 2018] [ssl:info] [pid 1172] (70014)End of file found: [client 192.168.56.1:51158] AH01991: SSL input filter read failed.
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.244314 2018] [ssl:debug] [pid 1170] ssl_engine_kernel.c(366): [client 192.168.56.1:51168] AH02034: Initial (No.1) HTTPS request received for child 7 (server auth.xps.local:443), referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.246244 2018] [ssl:debug] [pid 1172] ssl_engine_io.c(1044): [client 192.168.56.1:51158] AH02001: Connection closed to child 8 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:40.247672 2018] [deflate:debug] [pid 1173] mod_deflate.c(853): [client 192.168.56.1:51170] AH01384: Zlib: Compressed 1673 to 691 : URL /static/bootstrap/css/styles.min.css, referer: https://auth.xps.local/2fregisters/u
==> /var/log/apache2/manager.log <==
[Thu Jun 14 20:12:40.248321 2018] [ssl:info] [pid 1182] (70014)End of file found: [client 192.168.56.1:51162] AH01991: SSL input filter read failed.
==> /var/log/apache2/portal.log <==
[Thu Jun 14 20:12:40.249951 2018] [ssl:debug] [pid 1182] ssl_engine_io.c(1044): [client 192.168.56.1:51162] AH02001: Connection closed to child 0 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:40.250809 2018] [deflate:debug] [pid 1174] mod_deflate.c(853): [client 192.168.56.1:51172] AH01384: Zlib: Compressed 1899 to 710 : URL /static//common/js/u2fregistration.min.js, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.251439 2018] [authz_core:debug] [pid 1170] mod_authz_core.c(809): [client 192.168.56.1:51168] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.253355 2018] [authz_core:debug] [pid 1170] mod_authz_core.c(809): [client 192.168.56.1:51168] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.254126 2018] [deflate:debug] [pid 1170] mod_deflate.c(853): [client 192.168.56.1:51168] AH01384: Zlib: Compressed 9052 to 2302 : URL /static//common/js/u2f-api.min.js, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.254525 2018] [deflate:debug] [pid 1189] mod_deflate.c(853): [client 192.168.56.1:51166] AH01384: Zlib: Compressed 23409 to 2758 : URL /static/bwr/bootstrap/dist/css/bootstrap-theme.min.css, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.258695 2018] [deflate:debug] [pid 1168] mod_deflate.c(853): [client 192.168.56.1:51156] AH01384: Zlib: Compressed 121200 to 19726 : URL /static/bwr/bootstrap/dist/css/bootstrap.min.css, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.312857 2018] [ssl:debug] [pid 1168] ssl_engine_kernel.c(366): [client 192.168.56.1:51156] AH02034: Subsequent (No.4) HTTPS request received for child 5 (server auth.xps.local:443), referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.313215 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of Require all granted: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.313395 2018] [authz_core:debug] [pid 1168] mod_authz_core.c(809): [client 192.168.56.1:51156] AH01626: authorization result of <RequireAny>: granted, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:40.314158 2018] [deflate:debug] [pid 1168] mod_deflate.c(853): [client 192.168.56.1:51156] AH01384: Zlib: Compressed 10722 to 3845 : URL /static/languages/en.json, referer: https://auth.xps.local/2fregisters/u
[Thu Jun 14 20:12:45.257757 2018] [ssl:debug] [pid 1174] ssl_engine_io.c(1044): [client 192.168.56.1:51172] AH02001: Connection closed to child 10 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:45.259121 2018] [ssl:debug] [pid 1189] ssl_engine_io.c(1044): [client 192.168.56.1:51166] AH02001: Connection closed to child 15 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:45.259443 2018] [ssl:debug] [pid 1170] ssl_engine_io.c(1044): [client 192.168.56.1:51168] AH02001: Connection closed to child 7 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:45.259487 2018] [ssl:debug] [pid 1173] ssl_engine_io.c(1044): [client 192.168.56.1:51170] AH02001: Connection closed to child 9 with standard shutdown (server auth.xps.local:443)
[Thu Jun 14 20:12:45.320358 2018] [ssl:debug] [pid 1168] ssl_engine_io.c(1044): [client 192.168.56.1:51156] AH02001: Connection closed to child 5 with standard shutdown (server auth.xps.local:443)
```
Clicking on register or verify doesn't log anything
### Backends used
LDAP for auth/users/password
Files for sessions/config

Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## TOTP plugin
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1359
Updated: 2020-04-03T09:08:16Z
Author: Yadd

Using [Auth::GoogleAuth](https://metacpan.org/pod/Auth::GoogleAuth), it seems easy to build a Google Authenticator plugin:
* a protected interface that can generate the base code for any user (used by admin)
* a second factor plugin that asks for TOTP code

Milestone: 2.0.0
Assignee: Yadd

## Wildcard in virtualhost names
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1317
Updated: 2020-02-20T16:21:59Z
Author: Frédéric MASSOT

Hi,
The DNS zone and Apache with the vhost_alias module and the VirtualDocumentRoot directive handle addresses with a wildcard like: *.projects.domain.com
In Apache you can configure a virtual host with:
ServerAlias *.projects.domain.com
VirtualDocumentRoot "/var/www/projects/%1"
Unfortunately we can not protect these addresses with LemonLDAP, if we add an address with a wildcard in the manager we have the error:
exportedHeaders/*.projects.domain.com: Bad hostname
locationRules/*.projects.domain.com: Bad hostname
Can you add support for wildcard addresses in LemonLDAP, please?
Regards.

Milestone: 2.0.0
Assignee: Yadd

## Possibility to override parameters in Choice modules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1500
Updated: 2019-10-01T12:50:31Z
Author: Anthony ROUSSEL

### Concerned version
Version: 1.9.17
Platform: Apache2,
### Summary
Hello
We want to try authentication choice with several LDAP servers:
1. Active Directory for our internal users
2. OpenLDAP for "partner's users"
In managerUi, when choosing Authmodule,usermodule,pwdmodule == Authentication Choice, I then specify "allowed modules":
- AuthAD / Active Directory / Active Directory / Active Directory / noUrl / noCondition
- AuthLDAP / LDAP / LDAP / LDAP / noUrl / noCondition
but I can only specify One LDAP configuration in "LDAP Parameters".
Am I doing it wrong or is this a "display bug"?
I guess the problem would be the same with multiple LDAP
### Backends used
FileConf

Milestone: 2.0.0
Assignee: Yadd

## Propose reauthentication if higher access level is requested
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1204
Updated: 2019-07-09T17:15:57Z
Author: Clément OUDOT

We need to be able to know which authentication level is requested (acr_values in OpenID Connect, requestedauthenticationcontext in SAML, a new parameter in Handler). Then compare this level to current level and force reauthentication if the level is not enough.
This also implies to only propose authentication backends that are up to requested level in the combination module.

Milestone: 2.0.0
Assignee: Yadd

## Multiple U2F keys
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1386
Updated: 2019-04-29T20:35:14Z
Author: Yadd

### Summary
#1148 permits the registration of 1 U2F key. This issue proposes to register more than one key _(inspired by GitLab)_.
### ToDo list
* Store more than one key in _u2f* entries *(comma separated)*
* Add a _u2f* entry to store a name for the key *(comma separated in the same order)*
* Modify self registration page to choose which key to remove
* Update manager U2F interface to choose which key to delete

Milestone: 2.0.0
Assignee: Yadd

## Portal powered by FastCGI (using Plack)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/595
Updated: 2018-12-21T10:26:30Z
Author: Yadd

For performances _(and many bugs with ModPerl::Registry / Apache-2.4)_, all CGI are replaced by FastCGI using [Plack](https://metacpan.org/pod/Plack) like Manager-1.9. This allows also a better Nginx integration.

Milestone: 2.0.0
Assignee: Yadd

## Implement a brute force attack protection
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1506
Updated: 2018-12-13T16:42:57Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Summary
Create a mechanism to prevent brute force attack
### Design proposition
After a failed login user must wait between each login attempt.
timer = Failed logins X 10 seconds

Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Error when enables "SSL, Custom " Auth modules with Choice
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1550
Updated: 2018-11-29T20:19:44Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Concerned version
Version: 2.0
### Summary
Append SSL / LDAP / LDAP / / /
### Logs
```
[Wed Nov 21 20:37:46.066332 2018] [fcgid:warn] [pid 104980] [client 77.136.14.47:38540] mod_fcgid: stderr: Can't call method "conf" on an undefined value at /usr/share/perl5/Lemonldap/NG/Portal/Auth/SSL.pm line 66.
[Wed Nov 21 20:45:16.196593 2018] [fcgid:warn] [pid 105473] [client 77.136.14.47:38642] mod_fcgid: stderr: Can't use an undefined value as a subroutine reference at /usr/share/perl5/Lemonldap/NG/Portal/Lib/Choice.pm line 236.
```

Milestone: 2.0.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Add system to overload parameters in *Choice (like "multi" key)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/259
Updated: 2018-11-29T08:52:07Z
Author: Yadd

UserDB modules use exportedVars parameter to load data. For example, if you use choice with LDAP and OpenID(sreg), exportedVars key must change. I think that it is not possible for now, isn't it?

Milestone: 2.0.0

## Multi backend authentication with SAML + LDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/778
Updated: 2018-11-28T12:47:47Z
Author: Nicolas Dutertre

With the multi backend using SAML / LDAP, the second authentication backend does not work and no errors in the logs back in debug.
And whatever the order of use of backend (SAML / LDAP or LDAP / SAML).
SAML loop once before falling into error and loop on the LDAP authentication form.2.0.0https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1555Do not remember choice in pdata when redirecting user for logout2018-11-28T10:37:52ZClément OUDOTDo not remember choice in pdata when redirecting user for logoutFor example in CAS protocol, the user is redirected back to the CAS server when the logout has ended. When LL::NG is a CAS client configured with Choice, we get well redirected to CAS server, but the CAS authentication is remembered, so ...For example in CAS protocol, the user is redirected back to the CAS server when the logout has ended. When LL::NG is a CAS client configured with Choice, we get well redirected to CAS server, but the CAS authentication is remembered, so when using the portal page, we are always redirected back to CAS server, we can not select another authentication Choice.2.0.0Clément OUDOTClément OUDOThttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1504Upgrade to bootstrap 42018-11-24T11:22:33ZClément OUDOTUpgrade to bootstrap 4See http://upgrade-bootstrap.bootply.com/See http://upgrade-bootstrap.bootply.com/2.0.0YaddYaddhttps://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1507Force authentication to access to Portal is no more available2018-11-24T11:21:16ZChristophe Maudouxchrmdx@gmail.comForce authentication to access to Portal is no more available### Summary
On 2.0.0 Option is missing...
Force authentication: set to 'On' to force authentication when user connects to portal, even if he has a valid session
### Design proposition
Like in 1.9
2.0.0
Christophe Maudoux chrmdx@gmail.com

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1505
Check iframe protection
2018-11-24T11:20:03Z
Christophe Maudoux chrmdx@gmail.com
### Summary
Test if iframe protection works fine
### Design proposition
Create an HTML page with a link to LLNG portal
2.0.0
Christophe Maudoux chrmdx@gmail.com

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1554
Parameter portalRequireOldPassword is not restored after mail reset
2018-11-24T11:04:36Z
Clément OUDOT
In Mail Reset plugin, we modify portalRequireOldPassword so that the password change form does not require the old password, but we need to restore this parameter after.
2.0.0
Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1212
Propose SSL authentication by Ajax
2018-11-21T19:17:21Z
Yadd
To be able to chain SSL with Combination, we could use an Ajax URL like in Kerberos auth module
2.0.0
Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1465
Enhance IDP selection
2018-11-19T22:09:59Z
Clément OUDOT
We need a dedicated template for IDP selection, to keep confirm template for confirmation steps.
We should also have the same features for all protocols (CAS/SAML/OIDC):
* Automatic redirection when only one IDP available
* No timer when redirecting to IDP (or make it configurable)
* IDP preselection rule
* Icon configuration
2.0.0
Clément OUDOT