# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Updated: 2021-07-02T07:06:20Z

## LDAP Password Policy "Password field must be filled"
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2346
Updated: 2021-07-02T07:06:20Z
Author: Dave Conroy

### Environment
LemonLDAP::NG version: 2.0.9
Operating system: Alpine Linux 3.12 (Docker)
Web server: Nginx 1.19.3
### Summary
Users unable to change password when expired via Ppolicy
### Logs
Returned error: 67 (PE_PASSWORDFORMEMPTY)
![image](/uploads/0ceee2a38cdb479d199a67f31add8b66/image.png)
### Backends used
LDAP Backend connecting to OpenLDAP 2.4.53
### Additional Details
This is very similar to #1910 and #2268, and potentially #1969.
We have a fairly basic LLNG implementation in terms of complexity:
Authentication Module: `LDAP`, Users Module: `LDAP`, Password Module: `LDAP`, Register Module: `LDAP`
LDAP Password Settings: all on, with the exception of IBM Tivoli DS Support. LDAP Password encoding `utf-8`, Reset Attribute `pwdReset`, Reset value `TRUE`
Macro: `_whatToTrace`: `$_auth eq 'SAML' ? "$_user\@$_idpConfKey" : $_auth eq 'OpenIDConnect' ? "$_user\@$_oidcConnectedRP" : "$_user"`
We have tried the fix listed in #1910 with no success.
Labels: FAQ
Assignee: Clément OUDOT

## Support `/` in Virtual Hosts
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2238
Updated: 2020-10-12T13:49:40Z
Author: Dave Conroy

### Summary
Support the usage of paths in Virtual Hosts
### Design proposition
We utilize a third party service to create applications, which outputs the URL as `domain.com/appname`. When we wish to add virtualhost restrictions (specifically, to allow it to appear in Portal with correct group membership) we are presented with a bad URL value. Allowing paths in the Virtual Host section would allow for this to occur.
Labels: FAQ

## SAML Send ProtocolBinding and AssertionConsumerURL in the AuthnRequest
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2176
Updated: 2021-01-06T22:12:04Z
Author: René Linder

### Summary
Some SAML IdPs didn't fall back to the metadata information and fail.
So it would be nice to configure it via the IdP settings (optional).
### Design proposition
Currently solved manually with a code addition for the problematic SAML IdP:
```
clement@ader-worteks:~/dev/lemonldap-ng$ git diff
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
index 1c55d1477..1fba06317 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
@@ -869,6 +869,10 @@ sub createAuthnRequest {
# Always allow NameID creation
$request->NameIDPolicy()->AllowCreate(1);
+ # Set AssertionConsumerServiceURL and ProtocolBinding
+ $request->ProtocolBinding(Lasso::Constants::HTTP_METHOD_POST);
+
$request->AssertionConsumerServiceURL("https://auth.example.com/saml/proxySingleSignOnPost");
+
# Force authentication
if ($forceAuthn) {
$self->logger->debug("Force authentication on IDP");
```
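Review bot: `$request->ProtocolBinding(Lasso::Constants::HTTP_METHOD_POST)` passes Lasso's HTTP-method enum (the reporter sees it serialised as `3`) where the SAML `ProtocolBinding` attribute must carry the binding URI `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`; use the binding URI (Lasso's SAML2 metadata binding constant, or the literal string) instead. The `AssertionConsumerServiceURL` is also hard-coded to `https://auth.example.com/saml/proxySingleSignOnPost` inside `SAML.pm`; it should be built from the portal's configured URL and its POST ACS path, as in the SP metadata, so every deployment does not advertise the same host, and that line lacks its leading `+`, so the hunk as pasted does not match the `+869,10` count and will not apply. Both values should be sent only when the IdP-level option proposed in the summary is enabled, rather than unconditionally for every IdP.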
`+ $request->ProtocolBinding(Lasso::Constants::HTTP_METHOD_POST);` In this line something is wrong (my Perl knowledge is too limited): it sets only the number 3, not the text that's needed ...
Thanks to @clement_oudot for the code :smile:
Labels: FAQ
Assignee: Clément OUDOT

## Lasso error code -427
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2079
Updated: 2020-02-06T15:11:04Z
Author: Le HUYNH

[error_log-2019-10-15_173400.xml](/uploads/78963d8cd577417bcbc6e941128961f7/error_log-2019-10-15_173400.xml)
Hello,
We use Axway WebDashBoarad as the client with SAML:2.0 and got the following error:
"[LLNG:5477] [debug] Lasso error code -427: When looking for an assertion we did not found it"
Axway claims that their structure of the Logout Request as well as assertion that was sent to LemonLDAP is well formed. However, since the debug log doesn't specify what's being checked and what is wrong, would you provide us with what exactly is being verified behind the scenes and why it fails please?
Thank you!
Le
Labels: FAQ
Assignee: Clément OUDOT

## Changing rule to include basic_auth in access rules of vhost triggers perl error.
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2075
Updated: 2020-01-30T09:54:22Z
Author: Julien Mary

I changed the access rule for manager to
> $uid eq "dwho" or $uid eq "admin" or basic("admin","admin")
I get the message:
> locationRules/manager.lemonproxy.XXXXXXXX.com/(?#Configuration)^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs/|$): Bad expression: Can't locate object method "getEncoding" via package "Encode" (perhaps you forgot to load "Encode"?) at /usr/lib/x86_64-linux-gnu/perl5/5.24/Encode.pm line 132, <FILE> line 2.
**OS : Debian 9**
**LemonLDAP-NG version : 2.0.7 installed via "deb https://lemonldap-ng.org/deb stable main"**
Labels: FAQ

## [SAML] Lasso Error Code -201
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2066
Updated: 2022-04-19T21:44:10Z
Author: Mehdi KHELIFA

### Concerned version
Version: %2.0.7
Platform: (Apache)
### Summary
Some SAML Service Providers are not working. I suppose it's related to some consistency issue with the Service Provider Metadata. But LL:NG should have shown an error when I registered the SP.
Even with the IdpInitiated option enabled, I'm still facing the same error page (An error occured during SAML single sign on) with SAMLRequest in the URL
### Logs
```
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Start routing saml
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing _forAuthUser
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Cleaning pdata
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing importHandlerData
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing controlUrl
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing code ref
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Launching ::Password::AD::_modifyPassword
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing code ref
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] URL /saml/singleSignOn?SAMLRequest=fZBPS8QwEEe/Ssm96R8r4rAtVHspWJXdxQUvEmpoA2kSMxOrfnrb7mW9eJ/3fo/ZoZi0gzrQaPbyI0ik6EV6VNaULOcpi9qmZMfPxrann/eQdvqtywj3eNJ38eQoXg4Qg2wNkjC0MGmexmkWZ1fH7AaKHIpbXmTXryxqFrcygjb1SOQQkkQswxzRcvLCKc17OyVrUoLKDFoe1GCeDIu+Jm0QttaSBW/AClQIRkwSgXo41N0DLLngvCXbW82q3XoNW5y/4P/HBaL0ayGr5nnmTgcvNKphpLVsl1w4zwMOHhdJ2zxbrfrvqNbazvdeCpIlIx8kS6oz9ffH1S8=&RelayState=Mm8KXJVTHxsXILwo5249LfEIUilR3K&SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256&Signature=jSikuUYKncp76e03j8BS+DFYcvwxzg0ZRvjYy/IDJCMQWP8Rm49bfJ6lZIAjCL4Kih2xGVKuDxrksodYdlDLTN4cFEdu8vXH/EX8LE2z4dFhgqBgaxRVo6Nu4Ac4GAGUbx++X72joTDoLfO5OOfg9bfU6sW6EnmwMNHp3DKU1v1ebi8vq+eMHZLW9Fwrg2IWyeJSLMqVtO0J/uKKzDorTcQlDSkKfCD5/NxNsPGQeR/FUb1nAczzKgVZpYpqrOS5/gn78vQUjlseVIvnJ5+rDcpP1PymI8S33Lv4LtsRdI/FnoFnZbrcQJbqL9OmYvWr26dsDEbydw7EogKajpvc8Q== detected as an SSO request URL
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] SAML method: HTTP-REDIRECT
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] HTTP-REDIRECT: SAML Request SAMLRequest=fZBPS8QwEEe%2FSsm96R8r4rAtVHspWJXdxQUvEmpoA2kSMxOrfnrb7mW9eJ%2F3fo%2FZoZi0gzrQaPbyI0ik6EV6VNaULOcpi9qmZMfPxrann%2FeQdvqtywj3eNJ38eQoXg4Qg2wNkjC0MGmexmkWZ1fH7AaKHIpbXmTXryxqFrcygjb1SOQQkkQswxzRcvLCKc17OyVrUoLKDFoe1GCeDIu%2BJm0QttaSBW%2FAClQIRkwSgXo41N0DLLngvCXbW82q3XoNW5y%2F4P%2FHBaL0ayGr5nnmTgcvNKphpLVsl1w4zwMOHhdJ2zxbrfrvqNbazvdeCpIlIx8kS6oz9ffH1S8%3D&RelayState=Mm8KXJVTHxsXILwo5249LfEIUilR3K&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=jSikuUYKncp76e03j8BS%2BDFYcvwxzg0ZRvjYy%2FIDJCMQWP8Rm49bfJ6lZIAjCL4Kih2xGVKuDxrksodYdlDLTN4cFEdu8vXH%2FEX8LE2z4dFhgqBgaxRVo6Nu4Ac4GAGUbx%2B%2BX72joTDoLfO5OOfg9bfU6sW6EnmwMNHp3DKU1v1ebi8vq%2BeMHZLW9Fwrg2IWyeJSLMqVtO0J%2FuKKzDorTcQlDSkKfCD5%2FNxNsPGQeR%2FFUb1nAczzKgVZpYpqrOS5%2Fgn78vQUjlseVIvnJ5%2BrDcpP1PymI8S33Lv4LtsRdI%2FFnoFnZbrcQJbqL9OmYvWr26dsDEbydw7EogKajpvc8Q%3D%3D
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Lasso Identity loaded
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Lasso error code -201: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [error] SSO: Fail to process authentication request
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Returned error: 51 (PE_SAML_SSO_ERROR)
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Skin returned: error
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Calling sendHtml with template error
```
### Backends used
Debian 9 / Apache 2.4 / PostgreSQL 9 for Configuration and Session Storage
### Possible fixes
Labels: FAQ
Assignee: Clément OUDOT

## Multiple SAML signatures in authentication response
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2062
Updated: 2020-04-24T09:29:19Z
Author: Clément OUDOT

After a migration to 2.0, I notice that our SAML authn responses now have 2 signatures, for example:
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_39AFA0A0E55174DB8DBE5F5E5FB82EDE"
InResponseTo="_WlAaKyUXroWlTtpL"
Version="2.0"
IssueInstant="2020-01-09T13:27:15Z"
Destination="xxxx"
>
<saml:Issuer>xxxx</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_39AFA0A0E55174DB8DBE5F5E5FB82EDE">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>jGKGtk/crirq2qgQLhaP7YUQoMw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XavE9YWAdC94nIaCF0tr5nXVt3yDPzdef/7SucI7sFE1NtSjKol/L7n0zvipCCZW[...]</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>
nvq7kJ8bFXdTvnSJcJ0ci08uz+UuAFb9CkZPrAbLFS/7k73usQjBx0g5fLZlVkvn
+CAiaJhl/NTLh1P9NknKOK8nXDSMmoxix0HslICW+3/rAtbZ50/ATCZ6owjyMNk1
4AyjzUUgPgtGO5yoF7Ev1GxZTVW4STtQRdyxoN96eZZDir9XASZdPxQ8gBavZ2ys
0C15qK/vseiIaMLYoz0Hsi33xP6zvP+Tpnl8ext9Ok7txribIRyjfed8/QLfVwNx
2n4Fqr3l05rojyXnJm2MliaMdvkKWadA7CKnGfC9xhcVd0UwbMyESoO8A5XwlMlt
eR1wKg0jD/jnt8ghd8yZUA03XxfQEjrvIABi+LYSTXJ2U3SKHW/qo+JG2YBg6Dni
Em/qSLv59SIeedOpY9Hbe6oMoSXwWIjr1sZSvXffxRki9kREy+38JhJ6qoAafT+m
SVPOjR1nxrcsxZifs1u5s9O6ZdLJtX7ijXktn9IywKhBTj/t2IpjJ6ypYxPt9bBT
9R0+8F4elILG5sCfMCfpOd7mYSIFswMbPKEtpFvyCfcSfKaFlMJLOtVoXARcDmBk
RwXkSzVVZojbGXGphRys8rUtWZ+eT4BwvRk4m3SI6YqMGCqAw9qtwElzF2Q5bzg9
nzWs8Vm+YlsZJH/xcRhP4ssiIeHdpuAts7pOLsDU5LE=
</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0"
ID="_747ABBF254269028B433C7B6E793C82E"
IssueInstant="2020-01-09T13:27:15Z"
>
<saml:Issuer>xxxx</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_747ABBF254269028B433C7B6E793C82E">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>aCaze1q5G200EDQUg9keMcF/EXs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NpLQIcvOCdInJTJAW0M+qOSfBJs+0mXoNewFxoF/7QJFhPnuMDAl/Q1Zo8Luhbmq
2COInhqWsHCi4QwYmf4+hi0SUw5FyTMTUgXdIuY9f7OZjJ0MJopQkvUhEb4UJ4kP
CNxuZSY0I8fXG4uqUYaKk59sHnusa/vHZhH9/how5Dakx5HNZd0rqeCXp/mvDcx8
djw83TAM8I9v6FcSugTWyH1nDKwp+bHMQjhUMaGixR/LJd3WPppoKLX0Brfw4D2m
miQZCkfN2SrMF3FU2RdE+ea9Vozed+t7oqlOw/d8Bx2Z1W4zYm8Si1mSvg/mBsPI
qipiT37ohK0UD3UnGRsOVxbaZhrR1QzySiCArR+O4c7pkH//9T3NjIub+2A31/W4
xUTtrjOrPXGSV/pIkbiNZYkiROAVlql0ATFeFYDACFDWArOUJLPIvCD/f09iiWDA
6vTlmk9uhrJtjkxAZNgPzvzbLStKmLrjRUnrirGmRO3t4JgWF7V/TJ4suAAZ7BwE
JFuifvpbSjk3Z+qD81AYNetuoOjgpoQWCJKBDCxcmcR5g27EDjvGk+46w6ynidBK
z2InaSfN9MP814oZp7xx20gU4QewMZC0Guyv71H+CAyhbx04VYLJkabCbYmW25Vx
oYlUl/yxQHCSeeJEwSpGIkATzPn5gX2mrR8OxuCP9dY=</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>[...]</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxx</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2020-01-10T09:27:15Z"
Recipient="xxxx"
InResponseTo="_WlAaKyUXroWlTtpL"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-01-09T13:26:15Z"
NotOnOrAfter="2020-01-10T13:28:15Z"
>
<saml:AudienceRestriction>
<saml:Audience>xxxx</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-01-09T13:26:16Z"
SessionIndex="4f317d845fdcac41078ba09e4ae79c799850fa546c18b1710ab90307df5219ac"
SessionNotOnOrAfter="2020-01-10T09:26:16Z"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
```
There is one signature at the "response" level and another at the "assertion" level. We also see the "Issuer" markup is duplicated. Before 2.0, the signature was only in the "assertion" part.
I have not checked yet, but I am pretty sure this is valid. Anyway, some SAML SPs do not like it; this is the case of ArcGis in my case.
I tried to disable the signature for tests, and I noticed that the signature was still present in the SAML message at "assertion" level, but no more at "response" level. This should not be the case as the signature is disabled...; there should be no signature at all.
I don't know if this behavior is linked to Lasso or to our code.
Labels: FAQ

## Using session info in Combination rules
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2043
Updated: 2019-12-17T14:55:59Z
Author: Clément OUDOT

In version 1.9, I had a rule in Multi that used a session attribute to enable/disable a module in the stack. The use case was to dismiss Kerberos for generic accounts, so users need to enter their personal login/password on the login form.
The Multi rule was something like this:
```
Kerberos $employeeType !~ /generic/; LDAP
```
So the Kerberos authentication was done, the user was found but before the final authentication step the rule was evaluated (with the Safe cage) and returned false (because at the end the $employeeType was filled), so the Kerberos authentication was refused and Multi was then using LDAP to authenticate user.
How could we reproduce the same behavior in Combination? In Combination, we only have access to $env.
Labels: FAQ

## Issue for new installation
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1982
Updated: 2020-01-14T12:49:31Z
Author: XIYI Zhu

Hello,
I am testing the installation of lemonldap 2.0.6 as a new installation on CentOS 7. I followed the instructions and it installed. However, apache doesn't start when I configure it to use RDBI by following this instruction:
https://lemonldap-ng.org/documentation/2.0/sqlconfbackend
The database is MariaDB 10.4.8 with the following configuration:
```
[mysql]
# CLIENT #
port = 3306
socket = /var/lib/mysql/mysql.sock
[mysqld]
# GENERAL #
user = mysql
default-storage-engine = InnoDB
socket = /var/lib/mysql/mysql.sock
pid-file = /var/lib/mysql/mysqld.pid
# MyISAM #
# key-buffer-size = 32M
# myisam-recover = FORCE,BACKUP
# SAFETY #
max-allowed-packet = 256M
max-connect-errors = 1000000
skip-name-resolve
sql-mode = NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER
sysdate-is-now = 1
innodb-strict-mode = 1
# DATA STORAGE #
datadir = /var/lib/mysql
# SERVER ID #
server-id = 1
# BINARY LOGGING #
log-bin
# CACHES AND LIMITS #
max-connections = 500
tmp-table-size = 32M
max-heap-table-size = 32M
query-cache-type = 0
query-cache-size = 0
thread-cache-size = 50
open-files-limit = 65535
table-definition-cache = 1024
table-open-cache = 2048
# INNODB #
innodb-flush-method = O_DIRECT
innodb-log-files-in-group = 2
innodb-log-file-size = 768M
innodb-flush-log-at-trx-commit = 1
innodb-file-per-table = 1
innodb-buffer-pool-size = 1536M
# LOGGING #
log-error = /var/lib/mysql/mysqld.log
slow-query-log = 1
slow-query-log-file = /var/lib/mysql/mysqld-slow.log
log-queries-not-using-indexes = OFF
long_query_time = 30
```
Since it doesn't allow a dash in the database name, I changed it to lemonldap_ng.
Here is what I set in the /etc/lemonldap-ng/lemonldap-ng.ini
```
[configuration]
; confTimeout: maximum time to get configuration (default 10)
;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set "type" to one of the followings :
;
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
;
; type = File ; or type = YAMLFile
type = File
dirName = /var/lib/lemonldap-ng/conf
;
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
; if needed. Example:
;
type = RDBI
; ;type = CDBI
dbiChain = DBI:MariaDB:database=lemonldap_ng;host=localhost
dbiUser = <username>
dbiPassword = <password>
dbiTable = lmConfig
```
The error is
```
[Tue Oct 22 16:34:31.605705 2019] [perl:error] [pid 3327] Lemonldap::NG::Handler::ApacheMP2::Main : unable to build configuration: Error: configStorage: type is not well formed.\nError: Unknown package Lemonldap::NG::Common::Conf::Backends::File\nRDBI\nFile.\nCompilation failed in require at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2.pm line 9.\nBEGIN failed--compilation aborted at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2.pm line 9.\nCompilation failed in require at (eval 2) line 2.\n
[Tue Oct 22 16:34:31.605768 2019] [perl:error] [pid 3327] Can't load Perl module Lemonldap::NG::Handler::ApacheMP2 for server <url>:0, exiting...
```
Did I miss to install something? I did yum install perl-DBD-MySQL
Thanks
Labels: FAQ

## Second Factor question
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1979
Updated: 2019-10-24T05:31:05Z
Author: XIYI Zhu

Hello,
For Second Factor, is it possible to only enable it when the request comes from an "External Network"? For example, if the request comes from within 192.168.1.0/24, no second factor is required. If the request comes from an IP address other than 192.168.1.0/24, present the second factor. Also, are Twilio SMS messages supported for second factor?
Thanks
Labels: FAQ

## Change some config need Apache Restart
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1973
Updated: 2019-11-20T15:52:16Z
Author: Francois-Xavier MIOT

### Concerned version
Version: %"2.0.7"
Platform: Debian 10 - Apache
### Summary
Some new configuration in the manager needs `Apache2ctl Restart` to take effect, for personalisation or for changing the URL for reset password in the portal page.
### Logs
```
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler::Main::Run
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Check session validity from Handler
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session timeout -> 72000
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session _utime -> 1570702452
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] now -> 1570702747
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session timeoutActivityInterval -> 60
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session TTL = 71705
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/?cfgNum=15
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [notice] Request for configuration reload
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Check configuration for Lemonldap::NG::Handler::Main
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Configuration 16 stored.
Get configuration 16.
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get configuration 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] Loading configuration 16 for process 3837
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls defaultValuesInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls jailInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls portalInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls locationRulesInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls sessionStorageInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls headersInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls postUrlInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls aliasInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Lemonldap::NG::Handler::Main: configuration is up to date
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [notice] User fxmiot has stored conf 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [notice] User fxmiot has stored conf 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Configuration 16 stored.
Get configuration 16.Get configuration from cache without verification.
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Thu Oct 10 12:19:07.744386 2019] [perl:notice] [pid 3778:tid 139962577643264] Request for configuration reload
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [notice] Apply configuration for localhost: ok
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "POST /manager.fcgi/confs/?cfgNum=15 HTTP/1.1" 200 5681 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
reload.domain.com:80 ::1 - - [10/Oct/2019:12:19:07 +0200] "GET /reload HTTP/1.1" 200 126 "-" "libwww-perl/6.36"
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler internal cache
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/latest
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgNum in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to latest
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgAuthor in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgDate in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgAuthorIP in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgLog in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgVersion in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] User fxmiot ask for configuration metadata (16)
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [info] User fxmiot ask for configuration metadata (16)
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "GET /manager.fcgi/confs/latest HTTP/1.1" 200 432 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler internal cache
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/16/portal
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] User fxmiot asks for key portal
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [info] User fxmiot asks for key portal
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for portal in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "GET /manager.fcgi/confs/16/portal HTTP/1.1" 200 368 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler internal cache
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/16/domain
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] User fxmiot asks for key domain
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [info] User fxmiot asks for key domain
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for domain in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "GET /manager.fcgi/confs/16/domain HTTP/1.1" 200 354 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
```
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes
Labels: FAQ
Assignee: Clément OUDOT

## Launching make test with LDAP
Issue: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1942
Updated: 2019-09-24T12:37:14Z
Author: Clément OUDOT

To be able to override LDAP parameters to launch the test suite, I need to patch the Makefile:
```
diff --git a/Makefile b/Makefile
index fa2538f07..357fee831 100644
--- a/Makefile
+++ b/Makefile
@@ -128,9 +128,9 @@ TESTUSESSL=0
E2E_TESTS='portal/*.js'
# LDAP backend test
-LLNGTESTLDAP_SLAPD_BIN=/usr/sbin/slapd
-LLNGTESTLDAP_SLAPADD_BIN=/usr/sbin/slapdadd
-LLNGTESTLDAP_SCHEMA_DIR=/etc/slapd/schema
+#LLNGTESTLDAP_SLAPD_BIN=/usr/sbin/slapd
+#LLNGTESTLDAP_SLAPADD_BIN=/usr/sbin/slapdadd
+#LLNGTESTLDAP_SCHEMA_DIR=/etc/slapd/schema
# Other
SRCCOMMONDIR=lemonldap-ng-common
```
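Review bot: commenting out the three LLNGTESTLDAP_* defaults drops them for every developer just so the environment can take over; because a plain `VAR=value` assignment in a Makefile takes precedence over the environment, the usual fix is conditional assignment, e.g. `LLNGTESTLDAP_SLAPD_BIN?=/usr/sbin/slapd`, which keeps the default and lets an environment variable (or `make test LLNGTESTLDAP_SLAPD_BIN=...` on the command line) override it without a local patch. Also, both the removed and the re-added `LLNGTESTLDAP_SLAPADD_BIN` lines point at `/usr/sbin/slapdadd`, while the OpenLDAP binary is `slapadd` (as in the manual `make test` invocation given after this patch), so that default path looks like a typo worth fixing in the same change.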
Then I am able to launch this command:
```
LLNGTESTLDAP=1 LLNGTESTLDAP_SLAPD_BIN=/usr/local/openldap/libexec/slapd LLNGTESTLDAP_SLAPADD_BIN=/usr/local/openldap/sbin/slapadd LLNGTESTLDAP_SCHEMA_DIR=/usr/local/openldap/etc/openldap/schema/ make test
```
Is there a better way to override Makefile vars?

Labels: FAQ

## Use session array values in access rules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1940
Date: 2019-11-20T16:07:44Z
Author: Heinz Mayer

I use LemonLdap with a Keycloak as OpenID Connect IDP (LemonLDAP version 2.0.5).
I pass groups as a claim from Keycloak to LemonLdap.
The groups are correctly stored in the LemonLDAP session:
```
[debug] UserInfo received: {"sub":"e3c33ab5-4410-4a82-ad78-cd6284e17078","email_verified":false,"groups":["vccadmin","vccconnect"],"preferred_username":"heinz.mayer@mic-cust.com"}
[debug] Store ARRAY(0x4f64c38) in session key groups
[debug] Dump: $VAR1 = ['vccadmin','vccconnect'];
```
When I create a virtual host with this default access rule, it doesn't work:
```
$groups =~ /\bvccconnect\b/
```

Labels: FAQ
Assignee: Clément OUDOT

## Remark related to LDAP backend
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1926
Date: 2019-09-11T07:04:41Z
Author: Mathieu Lecompte-melançon

We made some discoveries today, and I was surprised that the LDAP Perl module was working that way:
It happened that someone had added a new AD controller without doing the necessary firewall rules...
On LLNG, it happened to not work:
So, the context: our LDAP is provided by round-robin DNS, e.g. domain.ldap = 1.1.1.1, 1.1.1.2, 1.1.1.3
If we do some maintenance on 1.1.1.3, we expect that when LDAP does not reach 1.1.1.3, it tries the other IPs?
It's probably a configuration issue; when I read the docs related to LDAP, they ask to provide multiple hosts manually.
Do we have to do that in LLNG to avoid impact from scheduled maintenance or individual unplanned LDAP server downtime?
As we read the documentation:
https://lemonldap-ng.org/documentation/latest/authldap
It could be interesting to clarify that even if we provide the DNS domain name, it will not attempt the automatic fallback; we need to provide each LDAP server manually.
Providing the main LDAP DNS name (round robin) will crash LLNG if some IPs are not resolved in the round robin...

Labels: FAQ

## Slash before double quote in JSON data for REST back-end
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1917
Date: 2019-09-04T16:52:43Z
Author: Ainal Saidin

### Concerned version
Version: 2.0.5 with patch (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/fca831411bdca2179a20eb230ec843c195c97cdd)
Platform: Apache
### Summary
The REST back-end JSON data body (aka the JSON file sent to the REST Authentication URL) contains a slash before the quotes.
### Logs
The following output in JSON format was captured by Wiremock. The LLNG (192.168.1.40) REST Authentication URL was set to the Wiremock URL (http://192.168.1.134:8080/api/auth) for the data to be captured:
```json
{
"url" : "/api/auth",
"absoluteUrl" : "http://192.168.1.134:8080/api/auth",
"method" : "POST",
"clientIp" : "192.168.1.40",
"headers" : {
"Connection" : "TE, close",
"User-Agent" : "libwww-perl/6.05",
"TE" : "deflate,gzip;q=0.3",
"Host" : "192.168.1.134:8080",
"Content-Length" : "38",
"Content-Type" : "application/json"
},
"cookies" : { },
"browserProxyRequest" : false,
"loggedDate" : 1567140439293,
"bodyAsBase64" : "eyJwYXNzd29yZCI6InNlY3JldCIsInVzZXIiOiJqYWlsYW5pIn0=",
"body" : "{\"password\":\"secret\",\"user\":\"jailani\"}",
"scheme" : "http",
"host" : "192.168.1.134",
"port" : 8080,
"loggedDateString" : "2019-08-30T04:47:19Z",
"queryParams" : { }
}
```
Correspondingly, the JSON data sent using curl from the same host to the same Wiremock URL is as follows:
```
$ curl --header "Content-Type: application/json" --request POST --data '{“user”:jailani,“password”:secret}' http://192.168.1.134:8080/api/auth
```
What Wiremock captured was (in JSON):
```json
{
"url" : "/api/auth",
"absoluteUrl" : "http://192.168.1.134:8080/api/auth",
"method" : "POST",
"clientIp" : "192.168.1.40",
"headers" : {
"User-Agent" : "curl/7.29.0",
"Host" : "192.168.1.134:8080",
"Accept" : "*/*",
"Content-Length" : "42",
"Content-Type" : "application/json"
},
"cookies" : { },
"browserProxyRequest" : false,
"loggedDate" : 1566994915552,
"bodyAsBase64" : "e+KAnHVzZXLigJ06amFpbGFuaSzigJxwYXNzd29yZOKAnTpzZWNyZXR9",
"body" : "{“user”:jailani,“password”:secret}",
"scheme" : "http",
"host" : "192.168.1.134",
"port" : 8080,
"loggedDateString" : "2019-08-28T12:21:55Z",
"queryParams" : { }
}
```
### Backends used
REST backend
### Possible fixes
The code to add a slash before the double quotes was probably done to comply with the specifications set out in http://json.org/ and RFC 8259 (https://tools.ietf.org/html/rfc8259), to allow double quotation marks as part of a string value in the name:value pair.
Possible solutions:
1. fix the code that adds the slash before the double quotes;
2. code the API endpoints to ignore or strip the slash.

Labels: FAQ

## Debian package : documentation not properly set in virtual host configuration files
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1914
Date: 2019-09-04T05:55:02Z
Author: Adrien Lasserre

### Concerned version
Version: 2.0.2+ds-7+deb10u1
Platform: Debian 10 - Apache (Nginx may be concerned too)
Package : lemonldap-ng in relation to lemonldap-ng-doc
### Summary
On file : /etc/lemonldap-ng/manager-apache2.X.conf
Wrong line after : "# On-line documentation".
"Alias /doc/ /usr/share/doc/lemonldap-ng-doc/"
should be replaced by :
"Alias /doc/ /usr/share/doc/lemonldap-ng/"
(Indeed, documentation static files are installed in /usr/share/doc/lemonldap-ng/ and not /usr/share/doc/lemonldap-ng-doc/).

Labels: FAQ
Assignee: Yadd

## mysql and MariaDB DBI UserBackend UTF8 encoding
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1886
Date: 2022-05-02T15:12:54Z
Author: Andreas Deschka

### Concerned version
Version: %2.0.5
Platform: (Nginx)
### Summary
Variables read out of Maria DB database are not UTF8-encoded
In the database there is, for example, "Österreich". The Ö will appear as a question mark in the session variable.
Tables, columns in the database are encoded in utf8mb4.
I used dbi:mysql and dbi:MariaDB. Neither worked.
For dbi:mysql I added in the connect command the option to enable utf8mb4:
```perl
DBI->connect_cached(
    $conf->{dbiAuthChain}, $conf->{dbiAuthUser},
    # setting mysql_enable_utf8mb4 does not seem to help
    $conf->{dbiAuthPassword}, { RaiseError => 1, mysql_enable_utf8mb4 => 1 }
);
```
For dbi:MariaDB the change resulted in an error.
When I added the following line before `$req->{sessionInfo}->{$var} =$req->data->{entry2}->{$attr}` in NG/Portal/UserDB/DBI.pm, it worked correctly:
```
utf8::encode( $req->data->{entry}->{$attr} );
```
Maybe I am missing something with setting up the configuration. I use the coudot/lemonldap-ng:2.0.5 docker image.
### Backends used
Database is MariaDB version 10.3.15.

Labels: FAQ

## Unable to install on Debian if Apache2 is already installed
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1817
Date: 2019-06-25T14:12:06Z
Author: Clément OUDOT

When installing LL::NG packages on Debian, where apache2 is already installed, we have this error:
```
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
invoke-rc.d: initscript nginx, action "start" failed.
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2019-06-25 15:40:46 CEST; 9ms ago
Docs: man:nginx(8)
Process: 6662 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Process: 6660 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
juin 25 15:40:44 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:46 pts2019 nginx[6662]: nginx: [emerg] still could not bind()
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Control process exited, code=exited status=1
juin 25 15:40:46 pts2019 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Unit entered failed state.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Failed with result 'exit-code'.
dpkg: erreur de traitement du paquet nginx-extras (--configure) :
le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1
...
Paramétrage de lemonldap-ng-fastcgi-server (2.0.4-1) ...
Created symlink /etc/systemd/system/llng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lemonldap-ng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
...
Des erreurs ont été rencontrées pendant l'exécution :
nginx-extras
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
The nginx dependency should not be activated if apache2 is already installed.

Labels: FAQ

## [RPM] Update lemonldap-ng 2.0.1 to 2.0.4 delete vhosts file
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1757
Date: 2019-09-09T08:54:28Z
Author: Mame Dieynaba SENE

### Concerned version
Version: %"2.0.4"
Platform: (Apache/centos7)
### Vhosts files deleted
Updating lemonldap-ng from version 2.0.1 to 2.0.4 deletes the vhosts files in /etc/httpd/conf.d/ and creates z-lemonldap-ng.*.conf.rpmnew with the default configuration: [z-lemonldap-ng-portal.conf.rpmnew](/uploads/2b73e8a54f346504ed238a3a8d4cba21/z-lemonldap-ng-portal.conf.rpmnew)

Labels: FAQ

## Return Handler error as JSON
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1745
Date: 2019-05-28T10:02:22Z
Author: Clément OUDOT

We should return Handler errors (access forbidden, for example) as JSON for the API.
This can be useful for the OAuth2 Handler (see #1146).

Labels: FAQ
Assignee: Yadd