lemonldap-ng issues
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
2017-12-05T18:36:14Z

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1246
Manager authentication problem + error 403 with LDAP authentication
2017-12-05T18:36:14Z
Damien Rocher

Dear,
I have a problem with my LDAP authentication. I followed the tutorial exactly. In fact, when I connect on the auth portal, I'm not recognized as the administrator account. I can't open my manager and I get a 403 error.
Does anyone have a solution for this? Or a recommendation?
(I'm new to this type of infrastructure)
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1335
[OIDC] Probable bug with scope
2017-12-15T07:54:13Z
Florian Thoni

Using the last stable version 1.9.14 (apache version), I am actively using the OpenID Connect service proposed.
I would like userinfo and the JWT to return more information than simply "sub".
I then tried to change the "scope" from openid to a standard or a custom scope (custom = one I created in the manager), and I see that with any scope other than openid, instead of getting the consent page or being redirected, it presents me the portal page.
Thank you
![image](/uploads/97de46dc3b0637debbe17f9aa531fd31/image.png)
![image](/uploads/fc53390a50941f57a4d416642297dba8/image.png)
Labels: FAQ
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1354
Lasso errors on Debian
2018-01-19T10:27:36Z
Clément OUDOT

We face some critical errors with Lasso on Debian systems, like:
```
GLib-GObject-WARNING **: cannot register existing type 'LassoNode' at
/usr/share/perl/5.20/XSLoader.pm line 117.
GLib-GObject-CRITICAL **: g_type_register_static: assertion
'parent_type > 0' failed at /usr/share/perl/5.20/XSLoader.pm line 117.
GLib-GObject-CRITICAL **: g_type_register_static: assertion
'parent_type > 0' failed at /usr/share/perl/5.20/XSLoader.pm line 117.
```
A mail has been sent to Lasso team: http://listes.entrouvert.com/wwsympa.fcgi/arc/lasso/2018-01/msg00000.html
There seems to be no issue with Lasso on RHEL 7: https://mail.ow2.org/wws/arc/lemonldap-ng-users/2018-01/msg00011.html
Labels: FAQ
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1495
Verify if bootstrap vulnerability can be exploited in LLNG
2019-01-04T14:58:48Z
Yadd

### Concerned version
Version: %"1.9.18", %"2.0.0"
### Summary
The following vulnerabilities were published for twitter-bootstrap3. If LLNG is vulnerable, update bootstrap at least to 4.1.2
[CVE-2018-14040](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14040): In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
[CVE-2018-14041](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14041): In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
[CVE-2018-14042](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14042): In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1541
Issue with multiple module
2018-11-17T16:48:21Z
Thomas Prost

Hello,
I have some issues using the multiple module of LemonLDAP (I'm using 1.9.17).
I'm trying to configure an access with an LDAP and an Active Directory (so, the same module).
I followed the steps found in the documentation, but can't make it work since I have a single LDAP tab to configure. It also seems like the #names I configured in lemonldap-ng.ini aren't recognized; in my case, I use **LDAP#ldap;LDAP#ad** in the multiple module.
Is there anything I'm doing wrong?
Thanks a lot and have a nice day.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1551
Segmentation fault on lng and apache 2.4
2018-11-22T19:08:26Z
Stéphane Liabat

### Concerned version
Version: %"1.9.19"
Platform:
- CentOS Linux release 7.4.1708 (Core)
- apache
- Server Version: Apache/2.4.35 (IUS) Lemonldap::NG/1.9.18 OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 mod_jk/1.2.42 mod_perl/2.0.10 Perl/v5.16.3
- Server MPM: event
- Server Built: Oct 16 2018 16:35:27
- This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
### Summary
Hello,
Historically, we had lng 1.9 and apache 2 on RHEL.
Since we moved to lng 1.9 and apache 2.4 on CentOS, we have been facing a big availability problem. Indeed the service is not delivered because we have requests that never complete. After some time investigating, we found the error by isolating many parts of our infrastructure.
Usually we sit behind an IP load balancer, then an AJP load balancer, with two reverse proxies using a common MySQL database; we isolated everything down to a single RP. So we rule out the complexity of our infrastructure.
Moreover, with our old apache 2, we did not have this error.
On apache 2.4, we went through three stages:
- stage 1: apache's default prefork mode.
- a disaster. After a few hours, apache had hundreds of unterminated threads and stopped responding, after first going through a phase of extreme slowness.
- stage 2: worker mode
- No more orphan thread problems or slowness, but many segmentation fault problems
- stage 3: event mode
- Far fewer segmentation fault problems, but they remain frequent and annoying.
This error shows up as the following line in the apache log:
```
[pid 1577:tid 140381358463168] AH00052: child pid 17763 exit signal Segmentation fault (11)
```
Thank you for your help.
### Logs
```
Wed Nov 21 00:32:09.047765 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlUrlOrigin
[Wed Nov 21 00:32:09.047966 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub checkNotifBack
[Wed Nov 21 00:32:09.048033 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: processing to sub controlExistingSession
[Wed Nov 21 00:32:09.048665 2018] [perl:debug] [pid 20144:tid 140380402022144] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Set custom template parameter ucanss_portal with http://dextranet.ucanss.fr/portail/auth/portal/default/PPerso
[Wed Nov 21 00:32:09.597609 2018] [core:notice] [pid 1577:tid 140381358463168] AH00052: child pid 17763 exit signal Segmentation fault (11)
[Wed Nov 21 00:33:07.781777 2018] [proxy:debug] [pid 20620:tid 140381358463168] proxy_util.c(1923): AH00925: initializing worker http://dnas01.ucanss.fr/ressources shared
[Wed Nov 21 00:33:07.781800 2018] [proxy:debug] [pid 20620:tid 140381358463168] proxy_util.c(1980): AH00927: initializing worker http://dnas01.ucanss.fr/ressources local
[Wed Nov 21 00:33:07.781820 2018] [proxy:debug] [pid 20620:tid 140381358463168] proxy_util.c(2015): AH00930: initialized pool in child 20620 for (
```
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes
Labels: FAQ
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1581
Documentation related to Proxy
2018-12-21T05:34:02Z
Mathieu Lecompte-melançon

Hi, the documentation related to Proxy seems incomplete:
https://lemonldap-ng.org/documentation/2.0/authproxy
First, in the manager, Proxy does not appear as a choice for auth and user as described in the docs.
And it might be more usable to provide a sample of overriding in .ini with the right parameter names.
In 1.9 I have set for soap:
```
authentication = Proxy
userDB = Proxy
soapAuthService = https://auth.interne.urgences-sante.qc.ca/
```
Labels: FAQ
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1678
SOAP Error: Can't locate Lemonldap::NG::Common::Apache::Session
2019-04-09T21:36:13Z
Greg B

### Concerned version
Version: %1.9.18
Platform: Apache
### Summary
PurgeCentralCache generates error "SOAP Error: Can't locate Lemonldap::NG::Common::Apache::Session in @INC..." although it is in the @INC path and
```
perl -e 'use Lemonldap::NG::Common::Apache::Session'
```
doesn't generate any error.
### Logs
```
# /usr/share/lemonldap-ng/bin/purgeCentralCache
SOAP Error: Can't locate Lemonldap::NG::Common::Apache::Session in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 /usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 /usr/local/lib/site_perl . /etc/apache2) at /usr/share/perl5/Lemonldap/NG/Portal/_SOAP.pm line 266.
```
### Backends used
It is installed on debian through the packages from https://lemonldap-ng.org/deb repo
### Possible fixes
Labels: FAQ
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1701
saml sessions not being purged by purgeCentralCache script
2019-04-08T12:08:03Z
Renaud R.

### Concerned version
Version: 1.9.7
Platform: Apache
### Summary
We have a ll::ng 1.9.7 acting as a SAMLv2 identity provider. In the portal, the session module for SAML and the SAML storage options are not configured (blank). The local config file (lemonldap-ng.ini) doesn't override these settings. By design the main session module is used to store SAML sessions (globalStorage: Apache::Session::Postgres), but the cron job 'purgeCentralCache' doesn't purge old SAML sessions in the dedicated table of the database. The 'purgeCentralCache' script doesn't detect the SAML module because `$conf->{samlStorage}` is not defined and `keys %{ $conf->{samlStorageOptions} }` returns 0.
### Logs
n/a
### Backends used
globalStorage : Apache::Session::Postgres
### Possible fixes
When using SAML, I think configuration of the session module for SAML is required in the portal, so 'samlStorage' gets defined and 'purgeCentralCache' adds the module to the managed backends
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/blob/v1.9.7/lemonldap-ng-portal/example/scripts/purgeCentralCache#L72
Thank you very much for your work on ll::ng!
Labels: FAQ
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1745
Return Handler error as JSON
2019-05-28T10:02:22Z
Clément OUDOT

We should return Handler errors (access forbidden, for example) as JSON for APIs.
This can be useful for the OAuth2 Handler (see #1146)
Labels: FAQ
Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1757
[RPM] Update lemonldap-ng 2.0.1 to 2.0.4 deletes vhosts file
2019-09-09T08:54:28Z
Mame Dieynaba SENE

### Concerned version
Version: %"2.0.4"
Platform: (Apache/centos7)
### Vhosts files deleted
Updating lemonldap-ng version 2.0.1 to 2.0.4 deletes the vhosts file in /etc/httpd/conf.d/ and creates z-lemonldap-ng.*.conf.rpmnew with the default configuration [z-lemonldap-ng-portal.conf.rpmnew](/uploads/2b73e8a54f346504ed238a3a8d4cba21/z-lemonldap-ng-portal.conf.rpmnew)
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1817
Unable to install on Debian if Apache2 is already installed
2019-06-25T14:12:06Z
Clément OUDOT

When installing LL::NG packages on Debian, where apache2 is already installed, we have this error:
```
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
invoke-rc.d: initscript nginx, action "start" failed.
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2019-06-25 15:40:46 CEST; 9ms ago
Docs: man:nginx(8)
Process: 6662 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Process: 6660 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
juin 25 15:40:44 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:45 pts2019 nginx[6662]: nginx: [emerg] listen() to [::]:80, backlog 511 failed (98: Address already in use)
juin 25 15:40:46 pts2019 nginx[6662]: nginx: [emerg] still could not bind()
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Control process exited, code=exited status=1
juin 25 15:40:46 pts2019 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Unit entered failed state.
juin 25 15:40:46 pts2019 systemd[1]: nginx.service: Failed with result 'exit-code'.
dpkg: erreur de traitement du paquet nginx-extras (--configure) :
le sous-processus script post-installation installé a retourné une erreur de sortie d'état 1
...
Paramétrage de lemonldap-ng-fastcgi-server (2.0.4-1) ...
Created symlink /etc/systemd/system/llng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
Created symlink /etc/systemd/system/multi-user.target.wants/lemonldap-ng-fastcgi-server.service → /lib/systemd/system/lemonldap-ng-fastcgi-server.service.
...
Des erreurs ont été rencontrées pendant l'exécution :
nginx-extras
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
The nginx dependency should not be activated if apache2 is already installed.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1886
mysql and MariaDB DBI UserBackend UTF8 encoding
2022-05-02T15:12:54Z
Andreas Deschka

### Concerned version
Version: %2.0.5
Platform: (Nginx)
### Summary
Variables read out of the MariaDB database are not UTF8-encoded.
In the database there is for example "Österreich". The Ö will appear as a question mark in the session variable.
Tables, columns in the database are encoded in utf8mb4.
I used dbi:mysql and dbi:MariaDB. Neither worked.
For dbi:mysql I added in the connect command the option to enable utf8mb4:
```perl
DBI->connect_cached(
    $conf->{dbiAuthChain}, $conf->{dbiAuthUser},
    # setting mysql_enable_utf8mb4 does not seem to help
    $conf->{dbiAuthPassword}, { RaiseError => 1, mysql_enable_utf8mb4 => 1 }
);
```
For dbi:MariaDB the change resulted in an error.
When I added the following line before `$req->{sessionInfo}->{$var} = $req->data->{entry2}->{$attr}` in NG/Portal/UserDB/DBI.pm, it worked correctly:
```
utf8::encode( $req->data->{entry}->{$attr} );
```
Maybe I am missing something with setting up the configuration. I use the coudot/lemonldap-ng:2.0.5 docker image.
### Backends used
Database is MariaDB version 10.3.15.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1914
Debian package: documentation not properly set in virtual host configuration files
2019-09-04T05:55:02Z
Adrien Lasserre

### Concerned version
Version: 2.0.2+ds-7+deb10u1
Platform: Debian 10 - Apache (Nginx may be concerned too)
Package : lemonldap-ng in relation to lemonldap-ng-doc
### Summary
On file : /etc/lemonldap-ng/manager-apache2.X.conf
Wrong line after : "# On-line documentation".
"Alias /doc/ /usr/share/doc/lemonldap-ng-doc/"
should be replaced by :
"Alias /doc/ /usr/share/doc/lemonldap-ng/"
(Indeed, documentation static files are installed in /usr/share/doc/lemonldap-ng/ and not /usr/share/doc/lemonldap-ng-doc/).
Labels: FAQ
Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1917
Slash before double quote in JSON data for REST back-end
2019-09-04T16:52:43Z
Ainal Saidin

### Concerned version
Version: 2.0.5 with patch (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/fca831411bdca2179a20eb230ec843c195c97cdd)
Platform: Apache
### Summary
The REST back-end JSON data body, aka the JSON file sent to the REST Authentication URL, contains a slash before the double quotes.
### Logs
The following output in JSON format was captured by Wiremock. The LLNG (192.168.1.40) REST Authentication URL was set to the Wiremock URL (http://192.168.1.134:8080/api/auth) for the data to be captured:
```json
{
"url" : "/api/auth",
"absoluteUrl" : "http://192.168.1.134:8080/api/auth",
"method" : "POST",
"clientIp" : "192.168.1.40",
"headers" : {
"Connection" : "TE, close",
"User-Agent" : "libwww-perl/6.05",
"TE" : "deflate,gzip;q=0.3",
"Host" : "192.168.1.134:8080",
"Content-Length" : "38",
"Content-Type" : "application/json"
},
"cookies" : { },
"browserProxyRequest" : false,
"loggedDate" : 1567140439293,
"bodyAsBase64" : "eyJwYXNzd29yZCI6InNlY3JldCIsInVzZXIiOiJqYWlsYW5pIn0=",
"body" : "{\"password\":\"secret\",\"user\":\"jailani\"}",
"scheme" : "http",
"host" : "192.168.1.134",
"port" : 8080,
"loggedDateString" : "2019-08-30T04:47:19Z",
"queryParams" : { }
}
```
Correspondingly, JSON data sent using curl from the same host to the same Wiremock URL is as follows:
```
$ curl --header "Content-Type: application/json" --request POST --data '{“user”:jailani,“password”:secret}' http://192.168.1.134:8080/api/auth
```
What Wiremock captured was (in JSON):
```json
{
"url" : "/api/auth",
"absoluteUrl" : "http://192.168.1.134:8080/api/auth",
"method" : "POST",
"clientIp" : "192.168.1.40",
"headers" : {
"User-Agent" : "curl/7.29.0",
"Host" : "192.168.1.134:8080",
"Accept" : "*/*",
"Content-Length" : "42",
"Content-Type" : "application/json"
},
"cookies" : { },
"browserProxyRequest" : false,
"loggedDate" : 1566994915552,
"bodyAsBase64" : "e+KAnHVzZXLigJ06amFpbGFuaSzigJxwYXNzd29yZOKAnTpzZWNyZXR9",
"body" : "{“user”:jailani,“password”:secret}",
"scheme" : "http",
"host" : "192.168.1.134",
"port" : 8080,
"loggedDateString" : "2019-08-28T12:21:55Z",
"queryParams" : { }
}
```
### Backends used
REST backend
### Possible fixes
The code that adds a slash before the double quotes was probably done to comply with the specifications set out in http://json.org/ and RFC 8259 (https://tools.ietf.org/html/rfc8259), to allow double quotation marks as part of a string value in the name:value pair.
Possible solutions:
1. fix the code that adds the slash before the double quotes.
2. code the API end points to ignore or strip the slash
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1926
Remark related to LDAP backend
2019-09-11T07:04:41Z
Mathieu Lecompte-melançon

We made some discoveries today, and I was surprised that the LDAP Perl was working that way:
It happened that someone added a new AD controller without doing the necessary firewall rules...
On LLNG it turned out not to work:
so the context: our LDAP is provided by round-robin DNS, e.g. domain.ldap = 1.1.1.1, 1.1.1.2, 1.1.1.3
If we do some maintenance on 1.1.1.3, we expect that when LDAP cannot reach 1.1.1.3 it tries the other IPs?
It's probably a configuration issue; when I read the docs related to LDAP, they ask to provide multiple hosts manually.
Do we have to do that in LLNG to avoid impact from scheduled maintenance or individual unplanned LDAP server downtime?
As we read the documentation:
https://lemonldap-ng.org/documentation/latest/authldap
It could be interesting to clarify that even if we provide the DNS domain name, it will not attempt the automatic fallback; we need to provide each LDAP server manually.
Providing the main LDAP DNS (round robin) will crash LLNG if some IPs are not resolved in the round robin...
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1940
Use session array values in access rules
2019-11-20T16:07:44Z
Heinz Mayer

I use LemonLDAP with Keycloak as OpenID Connect IdP (LemonLDAP version 2.0.5)
I pass groups as a claim from Keycloak to LemonLDAP.
The groups are correctly stored in the LemonLDAP session:
```
[debug] UserInfo received: {"sub":"e3c33ab5-4410-4a82-ad78-cd6284e17078","email_verified":false,"groups":["vccadmin","vccconnect"],"preferred_username":"heinz.mayer@mic-cust.com"}
[debug] Store ARRAY(0x4f64c38) in session key groups
[debug] Dump: $VAR1 = ['vccadmin','vccconnect'];
```
When I create a virtual host with a default access rule, it doesn't work:
```
$groups =~ /\bvccconnect\b/
```
Labels: FAQ
Assignee: Clément OUDOT

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1942
Launching make test with LDAP
2019-09-24T12:37:14Z
Clément OUDOT

To be able to override LDAP parameters to launch the test suite, I need to patch the Makefile:
```
diff --git a/Makefile b/Makefile
index fa2538f07..357fee831 100644
--- a/Makefile
+++ b/Makefile
@@ -128,9 +128,9 @@ TESTUSESSL=0
E2E_TESTS='portal/*.js'
# LDAP backend test
-LLNGTESTLDAP_SLAPD_BIN=/usr/sbin/slapd
-LLNGTESTLDAP_SLAPADD_BIN=/usr/sbin/slapdadd
-LLNGTESTLDAP_SCHEMA_DIR=/etc/slapd/schema
+#LLNGTESTLDAP_SLAPD_BIN=/usr/sbin/slapd
+#LLNGTESTLDAP_SLAPADD_BIN=/usr/sbin/slapdadd
+#LLNGTESTLDAP_SCHEMA_DIR=/etc/slapd/schema
# Other
SRCCOMMONDIR=lemonldap-ng-common
```
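Review bot: commenting out the three `LLNGTESTLDAP_*` defaults in this hunk only works because GNU make imports environment variables when the Makefile no longer assigns them, so every other developer loses the defaults; a conditional assignment keeps both behaviours, e.g. `LLNGTESTLDAP_SLAPD_BIN ?= /usr/sbin/slapd` (and likewise for `LLNGTESTLDAP_SLAPADD_BIN` and `LLNGTESTLDAP_SCHEMA_DIR`), which is skipped whenever the variable already comes from the environment, while a plain `make test LLNGTESTLDAP_SLAPD_BIN=...` on the command line overrides either form. Separately, the default `LLNGTESTLDAP_SLAPADD_BIN=/usr/sbin/slapdadd` in this hunk names a binary `slapdadd`, whereas the OpenLDAP tool (and the override used later in this issue) is `slapadd`; worth fixing in the same change.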
Then I am able to launch this command:
```
LLNGTESTLDAP=1 LLNGTESTLDAP_SLAPD_BIN=/usr/local/openldap/libexec/slapd LLNGTESTLDAP_SLAPADD_BIN=/usr/local/openldap/sbin/slapadd LLNGTESTLDAP_SCHEMA_DIR=/usr/local/openldap/etc/openldap/schema/ make test
```
Is there a better way to override Makefile vars?
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1973
Changing some config needs an Apache restart
2019-11-20T15:52:16Z
Francois-Xavier MIOT

### Concerned version
Version: %"2.0.7"
Platform: Debian 10 - Apache
### Summary
Some new configuration in the manager needs `apache2ctl restart` to take effect, for personalisation or for changing the reset-password URL in the portal page.
### Logs
```
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler::Main::Run
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Check session validity from Handler
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session timeout -> 72000
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session _utime -> 1570702452
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] now -> 1570702747
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session timeoutActivityInterval -> 60
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Session TTL = 71705
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/?cfgNum=15
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [notice] Request for configuration reload
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Check configuration for Lemonldap::NG::Handler::Main
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Configuration 16 stored.
Get configuration 16.
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get configuration 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] Loading configuration 16 for process 3837
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls defaultValuesInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls jailInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls portalInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls locationRulesInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls sessionStorageInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls headersInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls postUrlInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Process 3837 calls aliasInit
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Lemonldap::NG::Handler::Main: configuration is up to date
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [notice] User fxmiot has stored conf 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [notice] User fxmiot has stored conf 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Check configuration for Lemonldap::NG::Handler::PSGI::Main
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Configuration 16 stored.
Get configuration 16.Get configuration from cache without verification.
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Lemonldap::NG::Handler::PSGI::Main: configuration is up to date
[Thu Oct 10 12:19:07.744386 2019] [perl:notice] [pid 3778:tid 139962577643264] Request for configuration reload
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [notice] Apply configuration for localhost: ok
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "POST /manager.fcgi/confs/?cfgNum=15 HTTP/1.1" 200 5681 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
reload.domain.com:80 ::1 - - [10/Oct/2019:12:19:07 +0200] "GET /reload HTTP/1.1" 200 126 "-" "libwww-perl/6.36"
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler internal cache
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/latest
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgNum in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to latest
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgAuthor in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgDate in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgAuthorIP in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgLog in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for cfgVersion in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] User fxmiot ask for configuration metadata (16)
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [info] User fxmiot ask for configuration metadata (16)
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "GET /manager.fcgi/confs/latest HTTP/1.1" 200 432 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler internal cache
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/16/portal
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] User fxmiot asks for key portal
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [info] User fxmiot asks for key portal
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for portal in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "GET /manager.fcgi/confs/16/portal HTTP/1.1" 200 368 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
==> /var/log/apache2/error.log <==
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Get session 332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023 from Handler internal cache
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] manager.domain.com: Apply default rule
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] removing cookie
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cookies -> llnglanguage=fr; showhelp=false; lemonldap=332858ae9524d6327aa175cc03b2c6cc91d50ea79d1f6d9383d463db7ef47023
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] CookieName -> lemonldap
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] newCookies -> llnglanguage=fr; showhelp=false;
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User fxmiot was granted to access to /manager.fcgi/confs/16/domain
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] User authenticated, calling handler()
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Start routing confs
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [info] User fxmiot asks for key domain
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] [info] User fxmiot asks for key domain
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Search for domain in conf
[Thu Oct 10 12:19:07 2019] [LLNG:3837] [debug] Cfgnum set to 16
==> /var/log/apache2/other_vhosts_access.log <==
manager.domain.com:443 192.168.X.X - - [10/Oct/2019:12:19:07 +0200] "GET /manager.fcgi/confs/16/domain HTTP/1.1" 200 354 "https://manager.domain.com/manager.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36"
```
### Backends used
For any bug on configuration/sessions storage, give us details on backends
### Possible fixes

Labels: FAQ
Assignee: Clément OUDOT

## Issue #1979: Second Factor question
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1979
Updated: 2019-10-24T05:31:05Z
Author: XIYI Zhu

Hello,
For Second Factor, is it possible to only enable it when the request comes from an "External Network"? For example, if the request comes from within 192.168.1.0/24, no second factor is required. If the request comes from an IP address other than 192.168.1.0/24, present the second factor. Also, is Twilio SMS messaging supported for the second factor?
Thanks

Labels: FAQ

## Issue #1982: Issue for new installation
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/1982
Updated: 2020-01-14T12:49:31Z
Author: XIYI Zhu

Hello,
I am testing the installation of LemonLDAP 2.0.6 as a new installation on CentOS 7. I followed the instructions and it installed. However, Apache doesn't start when I configure it to use RDBI by following these instructions:
https://lemonldap-ng.org/documentation/2.0/sqlconfbackend
The database is MariaDB 10.4.8 with the following configuration:
```ini
[mysql]
# CLIENT #
port = 3306
socket = /var/lib/mysql/mysql.sock
[mysqld]
# GENERAL #
user = mysql
default-storage-engine = InnoDB
socket = /var/lib/mysql/mysql.sock
pid-file = /var/lib/mysql/mysqld.pid
# MyISAM #
# key-buffer-size = 32M
# myisam-recover = FORCE,BACKUP
# SAFETY #
max-allowed-packet = 256M
max-connect-errors = 1000000
skip-name-resolve
sql-mode = NO_ENGINE_SUBSTITUTION,NO_AUTO_CREATE_USER
sysdate-is-now = 1
innodb-strict-mode = 1
# DATA STORAGE #
datadir = /var/lib/mysql
# SERVER ID #
server-id = 1
# BINARY LOGGING #
log-bin
# CACHES AND LIMITS #
max-connections = 500
tmp-table-size = 32M
max-heap-table-size = 32M
query-cache-type = 0
query-cache-size = 0
thread-cache-size = 50
open-files-limit = 65535
table-definition-cache = 1024
table-open-cache = 2048
# INNODB #
innodb-flush-method = O_DIRECT
innodb-log-files-in-group = 2
innodb-log-file-size = 768M
innodb-flush-log-at-trx-commit = 1
innodb-file-per-table = 1
innodb-buffer-pool-size = 1536M
# LOGGING #
log-error = /var/lib/mysql/mysqld.log
slow-query-log = 1
slow-query-log-file = /var/lib/mysql/mysqld-slow.log
log-queries-not-using-indexes = OFF
long_query_time = 30
```
Since it doesn't allow a dash in the database name, I changed it to lemonldap-ng.
Here is what I set in /etc/lemonldap-ng/lemonldap-ng.ini:
```ini
[configuration]
; confTimeout: maximum time to get configuration (default 10)
;confTimeout = 5
; GLOBAL CONFIGURATION ACCESS TYPE
; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
; Set here the parameters needed to access to LemonLDAP::NG configuration.
; You have to set "type" to one of the followings :
;
; * File/YAMLFile: you have to set 'dirName' parameter. Example:
;
; type = File ; or type = YAMLFile
type = File
; NOTE: this section also sets 'type = RDBI' below, so 'type' is defined
; twice; the error further down reports the value read as "File\nRDBI\nFile".
dirName = /var/lib/lemonldap-ng/conf
;
; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
; if needed. Example:
;
type = RDBI
; ;type = CDBI
dbiChain = DBI:MariaDB:database=lemonldap_ng;host=localhost
dbiUser = <username>
dbiPassword = <password>
dbiTable = lmConfig
```
The error is:
```
[Tue Oct 22 16:34:31.605705 2019] [perl:error] [pid 3327] Lemonldap::NG::Handler::ApacheMP2::Main : unable to build configuration: Error: configStorage: type is not well formed.\nError: Unknown package Lemonldap::NG::Common::Conf::Backends::File\nRDBI\nFile.\nCompilation failed in require at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2.pm line 9.\nBEGIN failed--compilation aborted at /usr/share/perl5/vendor_perl/Lemonldap/NG/Handler/ApacheMP2.pm line 9.\nCompilation failed in require at (eval 2) line 2.\n
[Tue Oct 22 16:34:31.605768 2019] [perl:error] [pid 3327] Can't load Perl module Lemonldap::NG::Handler::ApacheMP2 for server <url>:0, exiting...
```
Did I miss installing something? I did `yum install perl-DBD-MySQL`.
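The Apache error above reports the configuration type as `File\nRDBI\nFile`, three newline-joined values, and the pasted `[configuration]` section indeed carries both an uncommented `type = File` and a `type = RDBI`. The script below is an added example written for this page, not LemonLDAP::NG code (LL::NG itself reads the file with Perl's Config::IniFiles; this is an independent pre-flight lint). It reads a constructed reduction of that section with Python's configparser, first in strict mode, which rejects a repeated option outright, then in a mode that keeps every value so the offending lines can be listed, and checks the resulting `type` against the backends named in the file's own comment. The corrected section beside it keeps only `type = RDBI`.

```python
"""Lint the [configuration] section of a lemonldap-ng.ini for a repeated
'type' key before restarting the web server.

Added example for this page, not LemonLDAP::NG code. POSTED_INI is a
constructed reduction of the section in the issue; FIXED_INI is the same
section with the stray 'type = File' commented out."""
import configparser

# Backends listed in the comment block of lemonldap-ng.ini itself.
KNOWN_TYPES = {"File", "YAMLFile", "REST", "SOAP", "RDBI", "CDBI", "LDAP"}

POSTED_INI = """[configuration]
; type = File ; or type = YAMLFile
type = File
dirName = /var/lib/lemonldap-ng/conf
type = RDBI
; ;type = CDBI
dbiChain = DBI:MariaDB:database=lemonldap_ng;host=localhost
dbiUser = llng
dbiPassword = secret
dbiTable = lmConfig
"""

# Corrected section: only the RDBI backend is selected.
FIXED_INI = POSTED_INI.replace("\ntype = File\n", "\n;type = File\n")


class _KeepAllValues(dict):
    """dict_type for ConfigParser that appends a repeated option's value
    instead of overwriting it (configparser stores raw values as lists
    while reading, then joins them with newlines)."""

    def __setitem__(self, key, value):
        if isinstance(value, list) and key in self:
            self[key].extend(value)
        else:
            super().__setitem__(key, value)


def strict_error(ini_text):
    """Return configparser's DuplicateOptionError message, or None if clean."""
    try:
        configparser.ConfigParser(strict=True, interpolation=None).read_string(ini_text)
    except configparser.DuplicateOptionError as exc:
        return str(exc)
    return None


def lint_configuration(ini_text):
    """Report every value given to 'type' and whether the section is usable."""
    parser = configparser.ConfigParser(
        dict_type=_KeepAllValues, strict=False, interpolation=None)
    parser.read_string(ini_text)
    # A repeated option comes back newline-joined, the same shape
    # ("File\nRDBI\nFile") that the error in the issue reports.
    raw = parser.get("configuration", "type", fallback="")
    values = [v for v in raw.split("\n") if v]
    return {
        "type_values": values,
        "duplicate": len(values) > 1,
        "type_known": len(values) == 1 and values[0] in KNOWN_TYPES,
        "strict_error": strict_error(ini_text),
    }


if __name__ == "__main__":
    for label, text in (("posted", POSTED_INI), ("fixed", FIXED_INI)):
        print(label, lint_configuration(text))
```

Run it against the real file with `lint_configuration(open("/etc/lemonldap-ng/lemonldap-ng.ini").read())`; a non-empty `strict_error` or `duplicate == True` means the handler will see a malformed `type` before Apache is even restarted.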
Thanks

Labels: FAQ

## Issue #2043: Using session info in Combination rules
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2043
Updated: 2019-12-17T14:55:59Z
Author: Clément OUDOT

In version 1.9, I had a rule in Multi that used a session attribute to enable/disable a module in the stack. The use case was to dismiss Kerberos for generic accounts, so users need to enter their personal login/password on the login form.
The Multi rule was something like this:
```
Kerberos $employeeType !~ /generic/; LDAP
```
So the Kerberos authentication was done and the user was found, but before the final authentication step the rule was evaluated (with the Safe cage) and returned false (because at that point $employeeType was filled), so the Kerberos authentication was refused and Multi then used LDAP to authenticate the user.
How could we reproduce the same behavior in Combination? In Combination, we only have access to $env.

Labels: FAQ

## Issue #2062: Multiple SAML signatures in authentication response
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2062
Updated: 2020-04-24T09:29:19Z
Author: Clément OUDOT

After a migration to 2.0, I notice that our SAML authn responses now have 2 signatures, for example:
```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_39AFA0A0E55174DB8DBE5F5E5FB82EDE"
InResponseTo="_WlAaKyUXroWlTtpL"
Version="2.0"
IssueInstant="2020-01-09T13:27:15Z"
Destination="xxxx"
>
<saml:Issuer>xxxx</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_39AFA0A0E55174DB8DBE5F5E5FB82EDE">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>jGKGtk/crirq2qgQLhaP7YUQoMw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XavE9YWAdC94nIaCF0tr5nXVt3yDPzdef/7SucI7sFE1NtSjKol/L7n0zvipCCZW
33GB/Zyd0sptgxIOpzka/4kkIulS6RkoGYgnff3wDnJcOAsitoAPaZU1CZ/7dXOI
doaQoRtdjJgfH8razX8vWxhqZdaMqOgcTnAME+Hc09GtCN+Cwh4JQFDybiAGajG0
80XatOaqouD0Xj9RC4LRqjcjubdd/MOerfpWhncw+DnnFE41VJUXIAfd0vhUH3Ot
HA5FB/uufHhSqEazzTm0pIgr3RkZkdvNYE5PO42TRgbcH4KRsSx2LIHILScJfLOl
YueWwBpO6tPPMePkV9TOhhJa2tK9uXTZTpkLeAJMQIRTTHQO556h+BqqKqh0MQny
rs1WxyLka6EifBu54fgmbKiEqvvw6GXi76/s2oNLhUv2ThopTO7IFxTfpPeayEyA
QmrbvL6Lwg6sokn/Q72/GWxNJCiPNfk95WFX9s8qcnGVgEO5VkwW0MO9Cci9pNNe
l9YImFLMTDBbKZPOiQTA4b2bq6IaYpfta7BDyBl912wLabYt1Olq8xp4EvuEfY/2
hONRLAXvaqkWwIHXAtZx4dT+mRcqbcvT49nzclDjcrWFJPCfOLF0Jvmdtmqt5nDp
XKm5uGazaFXbLO1FvH9pHkS+W3WrMYTcjacripUYiLA=</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>...</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion Version="2.0"
ID="_747ABBF254269028B433C7B6E793C82E"
IssueInstant="2020-01-09T13:27:15Z"
>
<saml:Issuer>xxxx</saml:Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_747ABBF254269028B433C7B6E793C82E">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>aCaze1q5G200EDQUg9keMcF/EXs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>NpLQIcvOCdInJTJAW0M+qOSfBJs+0mXoNewFxoF/7QJFhPnuMDAl/Q1Zo8Luhbmq...</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>...</Modulus>
<Exponent>
AQAB
</Exponent>
</RSAKeyValue>
</KeyValue>
</KeyInfo>
</Signature>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">xxxx</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2020-01-10T09:27:15Z"
Recipient="xxxx"
InResponseTo="_WlAaKyUXroWlTtpL"
/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2020-01-09T13:26:15Z"
NotOnOrAfter="2020-01-10T13:28:15Z"
>
<saml:AudienceRestriction>
<saml:Audience>xxxx</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2020-01-09T13:26:16Z"
SessionIndex="4f317d845fdcac41078ba09e4ae79c799850fa546c18b1710ab90307df5219ac"
SessionNotOnOrAfter="2020-01-10T09:26:16Z"
>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
```
There is one signature at the "response" level and another at the "assertion" level. We also see the "Issuer" markup is duplicated. Before 2.0, the signature was only in the "assertion" part.
I have not checked yet, but I am pretty sure this is valid. Anyway, some SAML SPs do not like it; this is the case with ArcGIS in my case.
I tried to disable the signature for tests, and I noticed that the signature was still present in the SAML message at the "assertion" level, but no longer at the "response" level. This should not be the case as the signature is disabled; there should be no signature at all.
I don't know if this behavior is linked to Lasso or to our code.

Labels: FAQ

## Issue #2066: [SAML] Lasso Error Code -201
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2066
Updated: 2022-04-19T21:44:10Z
Author: Mehdi KHELIFA

### Concerned version
Version: %2.0.7
Platform: (Apache)
### Summary
Some SAML Service Providers are not working. I suppose it's related to some consistency issue with the Service Provider metadata. But LL::NG should have shown an error when I registered the SP.
Even with the IdpInitiated option enabled, I'm still facing the same error page (An error occurred during SAML single sign on) with SAMLRequest in the URL.
### Logs
```
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Start routing saml
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing _forAuthUser
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Cleaning pdata
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing importHandlerData
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing controlUrl
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing code ref
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Launching ::Password::AD::_modifyPassword
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Processing code ref
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] URL /saml/singleSignOn?SAMLRequest=fZBPS8QwEEe/Ssm96R8r4rAtVHspWJXdxQUvEmpoA2kSMxOrfnrb7mW9eJ/3fo/ZoZi0gzrQaPbyI0ik6EV6VNaULOcpi9qmZMfPxrann/eQdvqtywj3eNJ38eQoXg4Qg2wNkjC0MGmexmkWZ1fH7AaKHIpbXmTXryxqFrcygjb1SOQQkkQswxzRcvLCKc17OyVrUoLKDFoe1GCeDIu+Jm0QttaSBW/AClQIRkwSgXo41N0DLLngvCXbW82q3XoNW5y/4P/HBaL0ayGr5nnmTgcvNKphpLVsl1w4zwMOHhdJ2zxbrfrvqNbazvdeCpIlIx8kS6oz9ffH1S8=&RelayState=Mm8KXJVTHxsXILwo5249LfEIUilR3K&SigAlg=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256&Signature=jSikuUYKncp76e03j8BS+DFYcvwxzg0ZRvjYy/IDJCMQWP8Rm49bfJ6lZIAjCL4Kih2xGVKuDxrksodYdlDLTN4cFEdu8vXH/EX8LE2z4dFhgqBgaxRVo6Nu4Ac4GAGUbx++X72joTDoLfO5OOfg9bfU6sW6EnmwMNHp3DKU1v1ebi8vq+eMHZLW9Fwrg2IWyeJSLMqVtO0J/uKKzDorTcQlDSkKfCD5/NxNsPGQeR/FUb1nAczzKgVZpYpqrOS5/gn78vQUjlseVIvnJ5+rDcpP1PymI8S33Lv4LtsRdI/FnoFnZbrcQJbqL9OmYvWr26dsDEbydw7EogKajpvc8Q== detected as an SSO request URL
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] SAML method: HTTP-REDIRECT
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] HTTP-REDIRECT: SAML Request SAMLRequest=fZBPS8QwEEe%2FSsm96R8r4rAtVHspWJXdxQUvEmpoA2kSMxOrfnrb7mW9eJ%2F3fo%2FZoZi0gzrQaPbyI0ik6EV6VNaULOcpi9qmZMfPxrann%2FeQdvqtywj3eNJ38eQoXg4Qg2wNkjC0MGmexmkWZ1fH7AaKHIpbXmTXryxqFrcygjb1SOQQkkQswxzRcvLCKc17OyVrUoLKDFoe1GCeDIu%2BJm0QttaSBW%2FAClQIRkwSgXo41N0DLLngvCXbW82q3XoNW5y%2F4P%2FHBaL0ayGr5nnmTgcvNKphpLVsl1w4zwMOHhdJ2zxbrfrvqNbazvdeCpIlIx8kS6oz9ffH1S8%3D&RelayState=Mm8KXJVTHxsXILwo5249LfEIUilR3K&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=jSikuUYKncp76e03j8BS%2BDFYcvwxzg0ZRvjYy%2FIDJCMQWP8Rm49bfJ6lZIAjCL4Kih2xGVKuDxrksodYdlDLTN4cFEdu8vXH%2FEX8LE2z4dFhgqBgaxRVo6Nu4Ac4GAGUbx%2B%2BX72joTDoLfO5OOfg9bfU6sW6EnmwMNHp3DKU1v1ebi8vq%2BeMHZLW9Fwrg2IWyeJSLMqVtO0J%2FuKKzDorTcQlDSkKfCD5%2FNxNsPGQeR%2FFUb1nAczzKgVZpYpqrOS5%2Fgn78vQUjlseVIvnJ5%2BrDcpP1PymI8S33Lv4LtsRdI%2FFnoFnZbrcQJbqL9OmYvWr26dsDEbydw7EogKajpvc8Q%3D%3D
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Lasso Identity loaded
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Lasso error code -201: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [error] SSO: Fail to process authentication request
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Returned error: 51 (PE_SAML_SSO_ERROR)
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Skin returned: error
[Mon Jan 13 18:42:46 2020] [LLNG:56892] [debug] Calling sendHtml with template error
```
### Backends used
Debian 9 / Apache 2.4 / PostgreSQL 9 for Configuration and Session Storage
### Possible fixes

Labels: FAQ
Assignee: Clément OUDOT

## Issue #2075: Changing rule to include basic_auth in access rules of vhost triggers perl error.
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2075
Updated: 2020-01-30T09:54:22Z
Author: Julien Mary

I changed the access rule for manager to
> $uid eq "dwho" or $uid eq "admin" or basic("admin","admin")
I get this message:
> locationRules/manager.lemonproxy.XXXXXXXX.com/(?#Configuration)^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs/|$): Bad expression: Can't locate object method "getEncoding" via package "Encode" (perhaps you forgot to load "Encode"?) at /usr/lib/x86_64-linux-gnu/perl5/5.24/Encode.pm line 132, <FILE> line 2.
**OS : Debian 9** <br>
**LemonLDAP-NG version : 2.0.7 installed via "deb https://lemonldap-ng.org/deb stable main"**

Labels: FAQ

## Issue #2079: Lasso error code -427
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2079
Updated: 2020-02-06T15:11:04Z
Author: Le HUYNH

[error_log-2019-10-15_173400.xml](/uploads/78963d8cd577417bcbc6e941128961f7/error_log-2019-10-15_173400.xml)
Hello,
We use Axway WebDashBoarad as the client with SAML 2.0 and got the following error:
"[LLNG:5477] [debug] Lasso error code -427: When looking for an assertion we did not found it"
Axway claims that the structure of the Logout Request, as well as the assertion that was sent to LemonLDAP, is well formed. However, since the debug log doesn't specify what is being checked and what is wrong, could you please tell us what exactly is being verified behind the scenes and why it fails?
Thank you!
Le

Labels: FAQ
Assignee: Clément OUDOT

## Issue #2176: SAML Send ProtocolBinding and AssertionConsumerURL in the AuthnRequest
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2176
Updated: 2021-01-06T22:12:04Z
Author: René Linder

### Summary
Some SAML IdPs don't fall back to the metadata information and fail.
So it would be nice to be able to configure it optionally via the IdP settings.
### Design proposition
Currently solved manually with a code addition for the problematic SAML IdP:
```diff
clement@ader-worteks:~/dev/lemonldap-ng$ git diff
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
index 1c55d1477..1fba06317 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/SAML.pm
@@ -869,6 +869,10 @@ sub createAuthnRequest {
# Always allow NameID creation
$request->NameIDPolicy()->AllowCreate(1);
+ # Set AssertionConsumerServiceURL and ProtocolBinding
+ $request->ProtocolBinding(Lasso::Constants::HTTP_METHOD_POST);
+
$request->AssertionConsumerServiceURL("https://auth.example.com/saml/proxySingleSignOnPost");
+
# Force authentication
if ($forceAuthn) {
$self->logger->debug("Force authentication on IDP");
```
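Review bot: `Lasso::Constants::HTTP_METHOD_POST` in the added `ProtocolBinding` call is Lasso's `LassoHttpMethod` enumeration value (an integer, which is why the reporter sees `3`), not the binding identifier the attribute must carry; `ProtocolBinding` has to be set to the URN `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST` (Lasso's `SAML2_METADATA_BINDING_POST` string constant), and the hard-coded `https://auth.example.com/saml/proxySingleSignOnPost` ACS URL should be taken from the portal's own SP metadata rather than a literal. Both calls also run unconditionally, whereas the issue asks for an optional per-IdP setting, so gate them on that option. Minor: the `$request->AssertionConsumerServiceURL(...)` line has lost its leading `+` in the pasted diff, so the hunk as shown would not apply.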
`+ $request->ProtocolBinding(Lasso::Constants::HTTP_METHOD_POST);` Something is wrong in this line (too little Perl knowledge): it sets only the number 3, not the text that is needed ...
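The `ProtocolBinding` and `AssertionConsumerServiceURL` that this patch sets, and the Issuer that Lasso could not match in issue #2066 above ("The identifier of a provider is unknown to #LassoServer"), are all attributes of the AuthnRequest and only become visible once the HTTP-Redirect payload is decoded (base64 of a raw DEFLATE stream). The script below is an added example written for this page, not LemonLDAP::NG or Lasso code: it builds a Redirect-binding URL from a constructed AuthnRequest (hypothetical entity IDs and URLs), decodes it back and compares the Issuer against an assumed list of registered SP entity IDs. It only reports whether `SigAlg`/`Signature` parameters are present; verifying them needs the SP's signing certificate from its metadata.

```python
"""Decode the SAMLRequest of a SAML 2.0 HTTP-Redirect URL and check the
AuthnRequest against the SPs an IdP has registered.

Added example for this page, not LemonLDAP::NG or Lasso code. The
AuthnRequest, every entity ID and URL in it, and REGISTERED_SPS are
constructed for the example."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumption: the entity IDs this IdP would load into its LassoServer.
REGISTERED_SPS = {"https://known-sp.example.com/saml/metadata"}

SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" '
    'Version="2.0" IssueInstant="2020-01-13T17:42:46Z" '
    'Destination="https://auth.example.com/saml/singleSignOn" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://unknown-sp.example.net/saml/acs">'
    '<saml:Issuer>https://unknown-sp.example.net/saml/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_request(xml_text):
    """Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_request(b64_text):
    """Inverse of encode_redirect_request."""
    return zlib.decompress(base64.b64decode(b64_text), -15).decode("utf-8")


def build_redirect_url(sso_url, xml_text, relay_state=None, sig_alg=None):
    """Build the URL an SP would redirect the browser to (left unsigned)."""
    params = {"SAMLRequest": encode_redirect_request(xml_text)}
    if relay_state:
        params["RelayState"] = relay_state
    if sig_alg:
        params["SigAlg"] = sig_alg
    return sso_url + "?" + urlencode(params)


def inspect_request_url(url, registered=REGISTERED_SPS):
    """Decode the request and report what an IdP needs in order to route it."""
    query = parse_qs(urlsplit(url).query)
    root = ET.fromstring(decode_redirect_request(query["SAMLRequest"][0]))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("SAMLRequest is not a samlp:AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    return {
        "issuer": issuer,
        # False here is the situation behind Lasso's -201 (provider unknown).
        "issuer_registered": issuer in registered,
        "protocol_binding": root.get("ProtocolBinding"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
        "sig_alg": query.get("SigAlg", [None])[0],
        # Presence only; verification needs the SP certificate from metadata.
        "has_signature_params": "SigAlg" in query and "Signature" in query,
    }


SAMPLE_URL = build_redirect_url(
    "https://auth.example.com/saml/singleSignOn", SAMPLE_AUTHN_REQUEST,
    relay_state="state-123",
    sig_alg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

if __name__ == "__main__":
    print(inspect_request_url(SAMPLE_URL))
```

Paste the real `SAMLRequest=...` URL from the portal's debug log into `inspect_request_url` and compare `issuer` with the entity IDs in the SP metadata you registered; a mismatch there (including a trailing slash or http/https difference) is enough for Lasso to reject the request.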
Thanks to @clement_oudot for the code :smile:

Labels: FAQ
Assignee: Clément OUDOT

## Issue #2238: Support `/` in Virtual Hosts
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2238
Updated: 2020-10-12T13:49:40Z
Author: Dave Conroy

### Summary
Support the usage of paths in Virtual Hosts
### Design proposition
We utilize a third party service to create applications, which outputs the URL as `domain.com/appname`. When we wish to add virtualhost restrictions (specifically, to allow it to appear in Portal with correct group membership) we are presented with a bad URL value. Allowing paths in the Virtual Host section would allow for this to occur.

Labels: FAQ

## Issue #2346: LDAP Password Policy "Password field must be filled"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2346
Updated: 2021-07-02T07:06:20Z
Author: Dave Conroy

### Environment
LemonLDAP::NG version: 2.0.9
Operating system: Alpine Linux 3.12 (Docker)
Web server: Nginx 1.19.3
### Summary
Users unable to change password when expired via Ppolicy
### Logs
Returned error: 67 (PE_PASSWORDFORMEMPTY)
![image](/uploads/0ceee2a38cdb479d199a67f31add8b66/image.png)
### Backends used
LDAP Backend connecting to OpenLDAP 2.4.53
### Additional Details
This is very similar to #1910, #2268 and potentially #1969.
We have a fairly basic LLNG implementation in terms of complexity:
Authentication Module: `LDAP`, Users Module: `LDAP`, Password Module: `LDAP`, Register Module: `LDAP`
LDAP Password Settings: all on, with the exception of IBM Tivoli DS support. LDAP password encoding `utf-8`, reset attribute `pwdReset`, reset value `TRUE`
Macro: `_whatToTrace`: `$_auth eq 'SAML' ? "$_user\@$_idpConfKey" : $_auth eq 'OpenIDConnect' ? "$_user\@$_oidcConnectedRP" : "$_user"`
We have tried the fix listed in #1910 with no success.

Labels: FAQ
Assignee: Clément OUDOT

## Issue #2362: unprotect rule does not recognize existing sessions when using CDA
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2362
Updated: 2020-10-30T17:33:31Z
Author: Ghost User

I am trying to set up a subdomain where an authenticated user would be authenticated to the app with an HTTP header.
For that I used the `unprotect` rule like so:
```json
"locationRules": {
"example.com": {
"default": "unprotect"
}
},
"vhostOptions": {
"example.com": {
"vhostType": "CDA"
}
}
```
But authenticated users are not detected.
I was expecting that LemonLDAP would make a redirection to the portal to check if a session exists, then come back and set a cookie to identify the user.
Am I wrong somewhere?

Labels: FAQ

## Issue #2400: Some trouble on first connexion with oidc module
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2400
Updated: 2020-11-29T15:14:34Z
Author: Franck neblai

Hello
I have some trouble on first connection with OIDC: it happens sometimes, with these logs:
```
[Fri Nov 27 09:02:13.130313 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenIDConnect
[Fri Nov 27 09:02:13.130365 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Found path ^/oauth2/
[Fri Nov 27 09:02:13.130461 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Path of current request is /
[Fri Nov 27 09:02:13.130534 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Path do not match, trying next
[Fri Nov 27 09:02:13.130592 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module Get
[Fri Nov 27 09:02:13.130644 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Fri Nov 27 09:02:13.130779 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::IssuerDBNull loaded
[Fri Nov 27 09:02:13.130846 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] IssuerDB module Null loaded
[Fri Nov 27 09:02:13.131089 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::_SOAP loaded
```
So IssuerDB found the path ^/oauth2/, but then the current request is wrong (Path of current request is /) and my module is not loaded, so the login template cannot load the right information (hidden input) to be sent to the server in POST, and I'm getting an ERROR.
I'm using version 1.9.10 of LemonLDAP.
(Excuse my English.)

Labels: FAQ

## Issue #2412: How can i use _authChoice to hide parts in Login.tpl please?
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2412
Updated: 2020-12-08T17:52:06Z
Author: jb Arnoux

LemonLdap 1.9
Hello,
I am trying to understand how Login.tpl is generated. I want to use the _authChoice value to hide some parts in login.tpl.
I made a MyModule.pm file with functions which return booleans.
I tried to use this in index.pl because I do not know how to use it in login.tpl properly:
```perl
$template->param( MaVar => MyModule::myFunc1($portal->{_authChoice}) );
```
In Login.tpl, when I use `<TMPL_IF NAME="MaVar"> hello</TMPL_IF>`, nothing is shown.
I tried these lines instead to find out how to get the _authChoice var:
```perl
$template->param( MaVar => $portal->{_authChoice} );
$template->param( MaVar => $portal->{sessionInfo}->{key} );
$template->param( MaVar => $portal->{sessionInfo}->{_authChoice} );
```
Nothing works.
I tried defining an exported variable in the LemonLDAP manager, same result.
I tried defining a custom function too, same result.
Please, could someone help me find some additional information to understand how I can use _authChoice in Login.tpl?
Thanks

Labels: FAQ

## Issue #2464: OpenId Connect access token expiration
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2464
Updated: 2021-06-24T13:46:18Z
Author: Heinz Mayer

Version: 2.0.9
We use LemonLDAP with Keycloak as Identity Provider (OpenID Connect)
LemonLDAP ignores the "Expiration time" in the OIDC access token
I would expect LemonLDAP to re-authenticate if the Keycloak session ended.

Labels: FAQ

## Issue #2504: [HELP REQUEST] Set special rule for "Required token for forms"
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2504
Updated: 2021-07-01T21:02:06Z
Author: Tuan LE CONG

Hello LemonLDAP team,
From my understanding, to send login requests from an external side, we need to configure LemonLDAP. For now, we have succeeded in doing auto-login by turning off the `Required token for forms` config.
However, at the end of the day, we need to keep security and this is what I see from LemonLDAP [documentation](https://lemonldap-ng.org/documentation/latest/security):
> Required token for forms: To prevent CSRF attack, a token is built for each form. To disable it, set this parameter to ‘Off’ or set a special rule
![image](/uploads/8f3661e2f073a5c9f59c42ef5d405430/image.png)
There is an example for special rule: `requireToken => $env->{REMOTE_ADDR} !~ /^127.0.[1-3].1$/`
But I don't find an explanation for this syntax. Do you have any documents for this or could you please explain to me the syntax?
Thanks in advance!

Labels: FAQ
Assignee: Clément OUDOT

## Issue #2505: New installation of LemonLDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2505
Updated: 2021-04-09T11:48:45Z
Author: Benjamin AUBRY

Hi Everybody,
I post this message because I failed to configure LemonLDAP. This is my setup:
Ubuntu 20.04.02, LemonLDAP installed via package + Nginx. I followed this [notice](https://lemonldap-ng.org/documentation/latest/installdeb). I installed PostgreSQL, created the database and migrated LemonLDAP to it; I followed this guide in order to configure the [link](https://www.worteks.com/2018/04/30/lemonldapng-installation-et-configuration-authentification-ad-et-kerberos/) with Active Directory and Kerberos. I configured Firefox for NTLM in one GPO. In the manager, I chose Kerberos as the authentication module and Active Directory for the others. I created two applications and two vhosts: GLPI and Zimbra. I configured the Zimbra vhost with preauth and put the key directly in lemonldap-ng.ini (like in this [article](https://lemonldap-ng.org/documentation/2.0/applications/zimbra.html)). For GLPI, I followed this [one](https://lemonldap-ng.org/documentation/2.0/applications/glpi.html). In Auth, I am connected automatically: my Windows ID is shown. But when I click on GLPI on auth, I need to enter my ID, and when I click on Zimbra, I get this error: ???404Title???
???404Msg???
???errorTryAgainLater???
ERROR: 404
I'm sure that I missed something, but what? I tried to create one glpi-nginx.conf in sites-enabled, but my link with sites-available (ln -s) doesn't work.
Thanks in advance
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2507
LLNG 2.0.7 as SAML IDP : OneTimeUse flag set twice in conditions (2022-02-04T12:14:34Z, Claude LOISEAU)
### Concerned version
Version: 2.0.7
### Summary
Setting "One time use" to On in the service provider configuration causes an
erroneous condition tag to be sent:
```xml
<saml:Conditions NotBefore="2021-04-07T09:47:06Z"
                 NotOnOrAfter="2021-04-08T05:49:06Z">
  <saml:AudienceRestriction>
    <saml:Audience>xxxxxx</saml:Audience>
  </saml:AudienceRestriction>
  <saml:OneTimeUse/>
  <saml:OneTimeUse/>
</saml:Conditions>
```
The tag OneTimeUse is set twice, so the SP rejects assertions.
With One time use set to Off, the assertion is correctly consumed.
Labels: FAQ
Assignee: Maxime Besson

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2523
Abnormal error from LDAP server during Password Reset (Bad Filter) (2021-04-30T05:34:52Z, Henry Clayton)
### Concerned version
Version: 2.0.11-1 (via apt on Ubuntu 20.04)
Platform: Nginx
### Summary
While trying to use the password reset by mail functionality ( https://lemonldap-ng.org/documentation/2.0/resetpassword.html ), inputting the e-mail address & Captcha, then submitting the form, results in the error message 'Abnormal error from LDAP server', & the following logs.
### Logs
```
Apr 29 22:00:16 skeletor LLNG[60514]: [debug] Good captcha response
Apr 29 22:00:16 skeletor LLNG[60514]: [debug] Captcha code verified
Apr 29 22:00:16 skeletor LLNG[60514]: [debug] Processing getUser
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=1 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=1 SRCH attr=supportedLDAPVersion
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=2 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=2 SRCH attr=supportedLDAPVersion
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 BIND anonymous mech=implicit ssf=0
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 BIND dn="cn=manager,ou=managers,dc=skeletor,dc=com" method=128
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 BIND dn="cn=manager,ou=managers,dc=skeletor,dc=com" mech=SIMPLE ssf=0
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 RESULT tag=97 err=0 text=
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] LDAP Search base: ou=people,dc=skeletor,dc=com
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] LDAP transformed filter: '(&(mail=".$req->{user}.")(objectClass=inetOrgPerson))'
Apr 29 22:00:17 skeletor LLNG[60514]: [error] LDAP Search error 89: Bad filter
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] Returned error: 7 (PE_LDAPERROR)
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] Display called with code: 7
```
In lemonldap-ng.ini, I have `mailLDAPFilter = '(&(mail=$mail)(objectClass=inetOrgPerson))'`.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2553
Minimal Bullseye + Ansible + Apache2 static file won't be delivered (2021-06-25T13:54:35Z, Clément J)
### Concerned version
Version: %2.0.11
Platform: Apache
OS: Debian 11 (Bullseye)
### Summary
Freshly installed on bullseye via Ansible, lemonldap fails to deliver static content. Some URLs mention /javascript/angular directly, and others don't resolve in the lemon DocumentRoot.
Some URLs are badly forged.
### Logs
See [lemon-debug.tar.gz](/uploads/30832bb37c11e9920396b3a06622ef41/lemon-debug.tar.gz). One file is the HAR from Firefox, the second is error.log from apache in debug mode.
### Backends used
File backend, actually with LDAP authentication. But with a fresh install without any tweaks, it has the same behavior.
### Possible fixes
Don't know.
Exactly the same install on Debian 10.10 gives a fully functional Lemon.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2590
Allow OIDC Oauth2 token response type (2021-09-08T14:33:45Z, Téo GODDET)
When trying to set up odoo oauth with lemon ldap I figured out that odoo is asking for a ‘token’ response type.
Lemon ldap doesn’t support it alone (see https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm#L2099)
Is it possible to add this response type to one of the flows ?
Google is supporting it :
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#oauth-2.0-endpoints
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2639
OIDC error when multiple email addresses (2022-02-04T12:09:43Z, Mathieu Valois)
### Concerned version
Version: %2.0.13
Platform: Apache on debian 11
### Summary
When an LDAP user has multiple email addresses, the Gitlab OIDC client rejects the connection, complaining about a bad email address.
### Logs
Gitlab: Sign-in failed because Email is invalid.
### Possible fixes
Provide a way to map attributes on a single element of an array, like `mail => mail[0]`
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2666
URL param in logout options from OIDC relying party fails to show (2022-02-04T12:06:58Z, Que Nenni)
### Concerned version
Version: %2.0.13
Platform: Debian Bullseye / Nginx
### Summary
Using the param URL in the logout process of an OIDC relying party adds a step in the logout process where an iframe is supposed to be shown (with the content of the URL param page), but I have a "Firefox Can't open this page" instead.
### Discussion I had about it:
1.
> I'm trying with Nextcloud.
>
> When I log out from NC, I'm redirected to a (portal) page where it asks me to confirm the logout.
> When I confirm the logout, I'm redirected to another page.
> On this page, I have a small iframe window under the "Information" category, window that is either a "Firefox Can’t Open This Page" window or the portal auth page (login + passwd form), and 2 buttons under to wait or go on with the process.
>
> I set an html page with some text I would like to have there and when the user confirmed the logout, he's redirected to the portal login page.
>
> But I can't find the correct configuration.
>
> My cloud: cloud.mydomain.tld
> Logout text msg: cloud.mydomain.tld/logout.html
> Portal: auth.mydomain.tld
>
>
> * I set in NC config:
> 'oidc_login_logout_url' => 'https://auth.mydomain.tld/',
> 'oidc_login_end_session_redirect' => true,
>
> In Oidc plugin doc:
> // Redirect to this page after logging out the user
> 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
>
> This config seems to be correct from what I want (-> the user to be back at the portal login page after logout).
>
> * In Lemon Manager:
> - OpenID Connect Relying Parties -> rp-nextcloud -> Options -> Logout:
> Allowed redirection addresses for logout: cloud.mydomain.tld/logout.html auth.mydomain.tld
> URL: cloud.mydomain.tld/logout.html
>
> With this set of params, I have the "Firefox can't open this page" and I see in my nginx log:
> "GET /logout.html?iss=https%3A%2F%2Fauth.mydomain.tld&sid=userX HTTP/2.0" 200 7 "https://auth.mydomain.tld/" "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "-" "cloud.mydomain.tld"
>
> The answer is 200, so the "Firefox can't open this page" must come from Lemon and not Nginx, but I couldn't find where it's managed.
>
> I tried several variants of these options, without success.
>
> Now, if I could bypass this step completely, the one with the iframe and the 2 buttons asking to wait or go on with the process, I'd be happy too.
> But I didn't find any option for this.
2.
> There seems to be two issues here:
>
> * LemonLDAP tries to call the logout URL of the application in an iframe,
> without having X-Frame-Options correctly set
>
> * LemonLDAP tries to iframe the logout URL of the application that has
> *initiated* the logout. It should instead filter out the initiating
> application and only call iframes for *other* applications.
>
> So, two LemonLDAP bugs for the price of one, you should open an issue about
> this, we'll take a shot at fixing it.
>
> In the meantime, if you do not specify any "URL" parameter in the Logout
> configuration of your RP, the iframe will not appear, and logout should
> work... but only for the application initiating the logout.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2702
Add support for fido-client-to-authenticator-protocol-v2.0 (2023-10-26T16:51:44Z, Yadd)
### Summary
FIDO published a new protocol that is going to be supported in browsers: [FIDO Client to Authenticator Protocol v2.0 _(CATP2)_](https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html). Successor of FIDO/U2F _(called FIDO/CATP1)_
### Design proposition
Maybe an `Authen::CATP2`
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2722
Postgres Session Storage (2022-09-27T10:17:27Z, Paul Bargewell)
### Concerned version
Version: %2.0.14
Platform: (Nginx/Apache/Node.js)
### Summary
When following the how-to cli documentation to move session storage into Postgres (https://lemonldap-ng.org/documentation/latest/cli_examples.html#configure-sessions-backend), the session storage fails because the column `user` is not quoted.
### Logs
```
LINE 1: ...T INTO sessions (id,a_session,ipAddr,_whatToTrace,user) VALU...
^ at /usr/share/perl5/Apache/Session/Browseable/Store/DBI.pm line 37
```
### Backends used
Postgres 12-alpine
### Possible fixes
This is from yadd on IRC. The change works as it correctly quotes the column names.
```diff
--- a/lib/Apache/Session/Browseable/Store/DBI.pm
+++ b/lib/Apache/Session/Browseable/Store/DBI.pm
@@ -19,9 +19,9 @@ sub insert {
if ( !defined $self->{insert_sth} ) {
$self->{insert_sth} =
- $self->{dbh}->prepare_cached( "INSERT INTO $self->{table_name} ("
- . join( ',', 'id', 'a_session', map { s/'/''/g; $_ } @$index )
- . ') VALUES ('
+ $self->{dbh}->prepare_cached( "INSERT INTO $self->{table_name} (\""
+ . join( '","', 'id', 'a_session', map { s/'/''/g; $_ } @$index )
+ . '") VALUES ('
. join( ',', ('?') x ( 2 + @$index ) )
. ')' );
}
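Review bot: the `map { s/'/''/g; $_ } @$index` kept in the new `+` lines still doubles single quotes, but the names it produces are now delimited by double quotes, so the character that would need doubling is `"` (`s/"/""/g`); simpler and portable across drivers would be `join( ',', map { $self->{dbh}->quote_identifier($_) } 'id', 'a_session', @$index )`, since DBI's `quote_identifier` emits the delimiter the backend expects (MySQL uses backticks by default, not `"`). Two caveats worth a comment next to the hunk: quoting makes PostgreSQL identifiers case-sensitive, so `"ipAddr"` and `"_whatToTrace"` only match if the sessions table was created with those exact mixed-case names, and `$self->{table_name}` is still interpolated unquoted while the columns are not.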
```
Labels: FAQ
Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2741
SAML Error -201 (2022-04-21T18:16:07Z, Dave Conroy)
(one of my junior engineers wrote this up and I offered to send it in - it seems this is happening more and more with our instance and I'm eager to understand if there is something that hasn't been discovered as a bug yet)
I am experiencing an issue with SAML. The issue arises only with some SPs and has been challenging to pin-point.
I am running a fairly standard implementation of LLNG (LDAP Authentication, SAML2 IDP and OIDC RP), version 2.0.14, with LaSSO v2.8.0. I also tested the error with different LaSSO versions. I have also tested with `2.6.1`, `2.6.1.3`, and `2.7.0`.
Note: in the following logs, I've fuzzed our domain and the SP name.
It looks like the service provider metadata is not being added correctly.
````
2022-04-12 07:16:50 | LLNG[21926]: [debug] Lasso error [ critical ]: 2022-04-12 07:16:50 (server.c/:76) Failed to add new provider.
2022-04-12 07:16:50 | LLNG[21926]: [error] Lasso error code -202: Failed to add new provider.
2022-04-12 07:16:50 | LLNG[21926]: [error] Fail to use SP organization.service.com Metadata
````
I've confirmed that the assertion/issuer matches the entityID from the SP metadata:
The decoded SAML
````
<AuthnRequest ID="samlrequest_64136f3769f542f6acdf64ddeb49ff7a" Version="2.0" IssueInstant="2022-04-12T17:56:04.3168995Z" AssertionConsumerServiceURL="https://organization.service.com/xxx/xx/auth/login/samlLogin.xxx" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin</Issuer>
</AuthnRequest>
````
The Request: `https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin`
The Metadata: `https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin`
In the LLNG logs, I find:
````
2022-04-12 10:56:15 | LLNG[21926]: [debug] HTTP-REDIRECT: SAML Request SAMLRequest=jZE9b4MwEIb3Sv0PyDvYgIHYgkhRu0RKl6Tt0KUycCZIxqY%2bU%2fXnlyRq1bHbfeiVnueu3i3hbI%2fwsQCGaP%2fYEFST8bf%2bveRpXuq8KoUueKZL1fW65H0PLRdaV4pEr%2bBxdLYhWcJItEdcYG8xKBvWEcuymPE4zZ7TShalZDzJ03IjRPFGoh0i%2bLBmH5zFZQJ%2fAv85dvByPDTkHMKMklIEo3vAcbCJs2a0YEB5O9qh7ZLOTbTPDDUzVasENW4YLb3gHy5Vsu5I9DUZiw1ZvJVO4YjSqglQhk6edk8HuVLL2bvgOmfI9v4uiuqrg%2f9PUP0YkO0PL2szVpWaxZwVPOYir2KxUUXMNqkQ0GcaoEgC2PU%2bmLR%2bHM4BZ9XBVeYXvaY3iBWopn8ftP0G
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1492) lasso_node_impl_init_from_xml<AuthnRequest>
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1461) Matching node Issuer vs snippet Issuer: SUCCESS namespace URIs match
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:2577) Processing node 'Issuer' with type 'LassoSaml2NameID'
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1492) lasso_node_impl_init_from_xml <Issuer>
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1901) lasso_node_impl_init_from_xml </Issuer> rc=0
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1901) lasso_node_impl_init_from_xml </AuthnRequest> rc=0
2022-04-12 10:56:15 | LLNG[21926]: [error] Lasso error code -201: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
2022-04-12 10:56:15 | LLNG[21926]: [error] SSO: Fail to process authentication request
2022-04-12 10:56:15 | LLNG[21926]: [debug] Returned error: 51 (PE_SAML_SSO_ERROR)
2022-04-12 10:56:15 | LLNG[21926]: [debug] Skin returned: error
2022-04-12 10:56:15 | LLNG[21926]: [debug] Calling sendHtml with template error
````
The LaSSO documentation for error -201 suggests that the provider identifier is not being added as expected.
In your open issues, I found https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2066. But our metadata does use the SPSSODescriptor rather than an IdP descriptor. Our SP is not using ADFS and WS-FED. So this is looking like a different, but perhaps related issue?
The error SSO: Fail to process authentication request appears here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2752
Trigger Choice URL when retrieving choice from pdata (2022-06-17T08:06:35Z, Clément OUDOT)
Use case:
* Configure choices with an URL option (for example ?idp=test to autoselect an IDP with SAML authentication)
* Click on the choice on the login screen -> you are redirected to the test IDP, the choice is kept in pdata
* Do not log in on the IDP, but return to the LL::NG portal
* The choice is retrieved from pdata, but we display all the SAML IDPs instead of selecting the one in the URL of the Choice
The best would be to find a solution to know if the user went back from the IDP without logging in, to cancel the choice, but we don't have this solution for now.
For the moment we could trigger the URL so the user will be redirected to the IDP, and not see the IDP list on the LL::NG portal.
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2794
Link to change password on page with info about expired password (2022-09-13T00:41:39Z, Stanislav Shchetinkin)
How to create a link to change password on the page with info about expired password
I found that the template page with password expiration information is stored in .../portal/templates/bootstrap/info.tpl
But I don't understand how to generate a link to the "change password" page and then redirect from it to the user's working page. To get the following workflow:
1) the user calls "work.site.com/index"
2) lemonldap redirects to "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA=="
3) the user enters the current password
4) lemonldap redirects to a page that says the password will expire in 10 days
5) the user uses a link or button to be redirected to the change password page
6) the user changes the password
7) lemonldap redirects the user to "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA==" so that he can log in again
When I make a link like "auth.site.com?tab=password&url=d29yay5zaXRlLmNvbS9pbmRleA==", lemonldap redirects me to "work.site.com/index" immediately without prompting me to change my password
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2843
Hash using bcrypt (2023-01-12T10:06:01Z, Wahyudi Nafii)
I already have a user database with passwords using bcrypt hash
reference to https://lemonldap-ng.org/documentation/latest/authdbi.html
```sql
CREATE OR REPLACE FUNCTION sha256(varchar) returns text AS $$
SELECT encode(digest(decode($1, 'hex'), 'sha256'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;
```
how to encode a plaintext password using bcrypt instead of a sha variant or md5 ?
Labels: FAQ

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2969
Allow OAuth2 tokens in Portal's REST server (2023-07-18T08:21:00Z, Yadd)
### Summary
For now, REST server accepts only LLNG cookie to allow authenticated APIs.
When using mobile applications, it could be interesting to allow authentication by OAuth2 token. Use case: `/myapplication` returns allowed applications. To build an app grid in a mobile application, I'd like to get /myapplication using an access_token.
Labels: FAQ
Assignee: Yadd

https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2989
Bad parameter name : don't set oidcRPMetaDataOptionsRefreshToken when you want to use refresh_token (2023-08-25T12:37:47Z, Yadd)
Here is the strange code:
```perl
elsif ( $self->rpOptions->{$rp}->{oidcRPMetaDataOptionsRefreshToken} ) {
    my $refreshTokenSession = $self->newRefreshToken(
        $rp,
        {
            redirect_uri    => $codeSession->data->{redirect_uri},
            scope           => $scope,
            client_id       => $client_id,
            user_session_id => $codeSession->data->{user_session_id},
            grant_type      => "authorizationcode",
        },
        0,
    );
```
The "0" disables the use of `oidcServiceOfflineSessionExpiration` _(or `oidcRPMetaDataOptionsOfflineSessionExpiration`)_ so the `refresh_token` timeout is set to `$conf->{timeout}`.
@maxbes, @clement_oudot: is it normal or a bug ?
Labels: FAQ