lemonldap-ng issues (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues), updated 2023-08-25T12:37:47Z

Issue 2989: Bad parameter name : don't set oidcRPMetaDataOptionsRefreshToken when you want to use refresh_token (Yadd, 2023-08-25T12:37:47Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2989

Here is the strange code:
```perl
elsif ( $self->rpOptions->{$rp}->{oidcRPMetaDataOptionsRefreshToken} ) {
    my $refreshTokenSession = $self->newRefreshToken(
        $rp,
        {
            redirect_uri    => $codeSession->data->{redirect_uri},
            scope           => $scope,
            client_id       => $client_id,
            user_session_id => $codeSession->data->{user_session_id},
            grant_type      => "authorizationcode",
        },
        0,
    );
```
The "0" disables the use of `oidcServiceOfflineSessionExpiration` _(or `oidcRPMetaDataOptionsOfflineSessionExpiration`)_, so the `refresh_token` timeout is set to `$conf->{timeout}`.
@maxbes, @clement_oudot: is it normal or a bug?

Label: FAQ

Issue 2969: Allow OAuth2 tokens in Portal's REST server (Yadd, 2023-07-18T08:21:00Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2969

### Summary
For now, the REST server accepts only the LLNG cookie to allow authenticated APIs.
When using mobile applications, it could be interesting to allow authentication by OAuth2 token. Use case: `/myapplication` returns allowed applications. To build an app grid in a mobile application, I'd like to get /myapplication using an access_token.

Label: FAQ
Assignee: Yadd

Issue 2843: Hash using bcrypt (Wahyudi Nafii, 2023-01-12T10:06:01Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2843

I already have a user database with passwords using bcrypt hash
reference to https://lemonldap-ng.org/documentation/latest/authdbi.html
```sql
CREATE OR REPLACE FUNCTION sha256(varchar) returns text AS $$
SELECT encode(digest(decode($1, 'hex'), 'sha256'), 'hex')
$$ LANGUAGE SQL STRICT IMMUTABLE;
```
How to encode a plaintext password using bcrypt instead of a sha variant or md5?

Label: FAQ

Issue 2794: Link to change password on page with info about expired password (Stanislav Shchetinkin, 2022-09-13T00:41:39Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2794

How to create a link to change password on the page with info about the expired password
I found that the template page with password expiration information is stored in .../portal/templates/bootstrap/info.tpl
But I don't understand how to generate a link to the "change password" page and then redirect from it to the user's working page, to get the following workflow:
1) user calls "work.site.com/index"
2) lemonldap redirects to "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA=="
3) the user enters the current password
4) lemonldap redirects to a page that says the password will expire in 10 days
5) user uses a link or button to be redirected to the change password page
6) user changes password
7) lemonldap redirects the user to "auth.site.com?url=d29yay5zaXRlLmNvbS9pbmRleA==" so that he can log in again
When I make a link like "auth.site.com?tab=password&url=d29yay5zaXRlLmNvbS9pbmRleA==" lemonldap redirects me to "work.site.com/index" immediately without prompting me to change my password

Label: FAQ

Issue 2752: Trigger Choice URL when retrieving choice from pdata (Clément OUDOT, 2022-06-17T08:06:35Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2752

Use case:
* Configure choices with an URL option (for example ?idp=test to autoselect an IDP with SAML authentication)
* Click on the choice on login screen -> you are redirected on test IDP, the choice is kept in pdata
* Do not login on IDP, but return on LL::NG portal
* The choice is retrieved from pdata, but we display all the SAML IDP instead of selecting the one in the URL of the Choice
The best would be to find a solution to know if the user went back from IDP without login to cancel the choice, but we don't have this solution for now.
For the moment we could trigger the URL so the user will be redirected to the IDP, and not see the IDP list on the LL::NG portal.

Label: FAQ

Issue 2741: SAML Error -201 (Dave Conroy, 2022-04-21T18:16:07Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2741

(one of my junior engineers wrote this up and I offered to send it in - it seems this is happening more and more with our instance and I'm eager to understand if there is something that hasn't been discovered as a bug yet)
I am experiencing an issue with SAML. The issue arises only with some SPs and has been challenging to pin-point.
I am running a fairly standard implementation of LLNG (LDAP Authentication, SAML2 IDP and OIDC RP), version 2.0.14, with LaSSO v2.8.0. I also tested the error with different LaSSO versions. I have also tested with `2.6.1`, `2.6.1.3`, and `2.7.0`.
Note: in the following logs, I've fuzzed our domain and the SP name.
It looks like the service provider metadata is not being added correctly.
````
2022-04-12 07:16:50 | LLNG[21926]: [debug] Lasso error [ critical ]: 2022-04-12 07:16:50 (server.c/:76) Failed to add new provider.
2022-04-12 07:16:50 | LLNG[21926]: [error] Lasso error code -202: Failed to add new provider.
2022-04-12 07:16:50 | LLNG[21926]: [error] Fail to use SP organization.service.com Metadata
````
I've confirmed that the assertion/issuer matches the entityID from the SP metadata:
The decoded SAML:
````xml
<AuthnRequest ID="samlrequest_64136f3769f542f6acdf64ddeb49ff7a" Version="2.0" IssueInstant="2022-04-12T17:56:04.3168995Z" AssertionConsumerServiceURL="https://organization.service.com/xxx/xx/auth/login/samlLogin.xxx" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin</Issuer>
</AuthnRequest>
````
Issuer in the Request: `https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin`
entityID in the Metadata: `https://0b2076f0-4054-4937-98a5-08199ed2fee5.tenants.service.com/samlLogin`
In the LLNG logs, I find:
````
2022-04-12 10:56:15 | LLNG[21926]: [debug] HTTP-REDIRECT: SAML Request SAMLRequest=jZE9b4MwEIb3Sv0PyDvYgIHYgkhRu0RKl6Tt0KUycCZIxqY%2bU%2fXnlyRq1bHbfeiVnueu3i3hbI%2fwsQCGaP%2fYEFST8bf%2bveRpXuq8KoUueKZL1fW65H0PLRdaV4pEr%2bBxdLYhWcJItEdcYG8xKBvWEcuymPE4zZ7TShalZDzJ03IjRPFGoh0i%2bLBmH5zFZQJ%2fAv85dvByPDTkHMKMklIEo3vAcbCJs2a0YEB5O9qh7ZLOTbTPDDUzVasENW4YLb3gHy5Vsu5I9DUZiw1ZvJVO4YjSqglQhk6edk8HuVLL2bvgOmfI9v4uiuqrg%2f9PUP0YkO0PL2szVpWaxZwVPOYir2KxUUXMNqkQ0GcaoEgC2PU%2bmLR%2bHM4BZ9XBVeYXvaY3iBWopn8ftP0G
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1492) lasso_node_impl_init_from_xml<AuthnRequest>
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1461) Matching node Issuer vs snippet Issuer: SUCCESS namespace URIs match
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:2577) Processing node 'Issuer' with type 'LassoSaml2NameID'
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1492) lasso_node_impl_init_from_xml <Issuer>
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1901) lasso_node_impl_init_from_xml </Issuer> rc=0
2022-04-12 10:56:15 | LLNG[21926]: [debug] Lasso error [ debug ]: 2022-04-12 10:56:15 (xml.c/:1901) lasso_node_impl_init_from_xml </AuthnRequest> rc=0
2022-04-12 10:56:15 | LLNG[21926]: [error] Lasso error code -201: The identifier of a provider is unknown to #LassoServer. To register a provider in a #LassoServer object, you must use the methods lasso_server_add_provider() or lasso_server_add_provider_from_buffer().
2022-04-12 10:56:15 | LLNG[21926]: [error] SSO: Fail to process authentication request
2022-04-12 10:56:15 | LLNG[21926]: [debug] Returned error: 51 (PE_SAML_SSO_ERROR)
2022-04-12 10:56:15 | LLNG[21926]: [debug] Skin returned: error
2022-04-12 10:56:15 | LLNG[21926]: [debug] Calling sendHtml with template error
````
The LaSSO documentation for error -201 suggests that the provider identifier is not being added as expected.
In your open issues, I found https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2066. But our metadata does use the SPSSODescriptor rather than an IdP descriptor. Our SP is not using ADFS and WS-FED. So this is looking like a different, but perhaps related issue?
The error `SSO: Fail to process authentication request` appears here: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/SAML.pm

Label: FAQ

Issue 2722: Postgres Session Storage (Paul Bargewell, 2022-09-27T10:17:27Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2722

### Concerned version
Version: %2.0.14
Platform: (Nginx/Apache/Node.js)
### Summary
When following the how-to CLI documentation to move session storage into Postgres (https://lemonldap-ng.org/documentation/latest/cli_examples.html#configure-sessions-backend), the session storage fails because the column `user` is not quoted.
### Logs
```
LINE 1: ...T INTO sessions (id,a_session,ipAddr,_whatToTrace,user) VALU...
^ at /usr/share/perl5/Apache/Session/Browseable/Store/DBI.pm line 37
```
### Backends used
Postgres 12-alpine
### Possible fixes
This is from yadd on IRC. The change works as it correctly quotes the column names.
```diff
--- a/lib/Apache/Session/Browseable/Store/DBI.pm
+++ b/lib/Apache/Session/Browseable/Store/DBI.pm
@@ -19,9 +19,9 @@ sub insert {
if ( !defined $self->{insert_sth} ) {
$self->{insert_sth} =
- $self->{dbh}->prepare_cached( "INSERT INTO $self->{table_name} ("
- . join( ',', 'id', 'a_session', map { s/'/''/g; $_ } @$index )
- . ') VALUES ('
+ $self->{dbh}->prepare_cached( "INSERT INTO $self->{table_name} (\""
+ . join( '","', 'id', 'a_session', map { s/'/''/g; $_ } @$index )
+ . '") VALUES ('
. join( ',', ('?') x ( 2 + @$index ) )
. ')' );
}
```

Label: FAQ
Assignee: Yadd

Issue 2702: Add support for fido-client-to-authenticator-protocol-v2.0 (Yadd, 2023-10-26T16:51:44Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2702

### Summary
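Review bot: in the `+` lines of the DBI.pm hunk the column list is now wrapped in double quotes, but `map { s/'/''/g; $_ } @$index` still escapes only single quotes; once identifiers are `"`-quoted the character that needs doubling is `"`, so either change it to `s/"/""/g` or build the list with `$self->{dbh}->quote_identifier(...)` and let DBI apply the backend's quoting rules. Quoting also makes the names case-sensitive on PostgreSQL: `"ipAddr"` and `"_whatToTrace"` (the columns in the failing INSERT from the log) only match a table whose columns were created with the same quoting, so this fix should be paired with a check of how the sessions table was created; and `$self->{table_name}` is still interpolated unquoted while the columns are not.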
FIDO published a new protocol that is going to be supported in browsers: [FIDO Client to Authenticator Protocol v2.0 _(CATP2)_](https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html). Successor of FIDO/U2F _(called FIDO/CATP1)_
### Design proposition
Maybe a `Authen::CATP2`

Label: FAQ

Issue 2666: URL param in logout options from OIDC relying party fails to show (Que Nenni, 2022-02-04T12:06:58Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2666

### Concerned version
Version: %2.0.13
Platform: Debian Bullseye / Nginx
### Summary
Using the param URL in the logout process of an OIDC relying party adds a step in the logout process where an iframe is supposed to be shown (with the content of the URL param page) but I have a "Firefox Can't open this page" instead.
### Discussion I had about it:
1.
> I'm trying with Nextcloud.
>
> When I log out from NC, I'm redirected to a (portal) page where it asks me to confirm the logout.
> When I confirm the logout, I'm redirected to another page.
> On this page, I have a small iframe window under the "Information" category, window that is either a "Firefox Can’t Open This Page" window or the portal auth page (login + passwd form), and 2 buttons under to wait or go on with the process.
>
> I set a html page with some text I would like to have there and when the user confirmed the logout, he's redirected to the portal login page.
>
> But I can't find the correct configuration.
>
> My cloud: cloud.mydomain.tld
> Logout text msg: cloud.mydomain.tld/logout.html
> Portal: auth.mydomain.tld
>
>
> * I set in NC config:
> 'oidc_login_logout_url' => 'https://auth.mydomain.tld/',
> 'oidc_login_end_session_redirect' => true,
>
> In Oidc plugin doc:
> // Redirect to this page after logging out the user
> 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
>
> This config seems to be correct from what I want (-> the user to be back at the portal login page after logout).
>
> * In Lemon Manager:
> - OpenID Connect Relying Parties -> rp-nextcloud -> Options -> Logout:
> Allowed redirection addresses for logout: cloud.mydomain.tld/logout.html auth.mydomain.tld
> URL: cloud.mydomain.tld/logout.html
>
> With this set of params, I have the "Firefox can't open this page" and I see in my nginx log:
> "GET /logout.html?iss=https%3A%2F%2Fauth.mydomain.tld&sid=userX HTTP/2.0" 200 7 "https://auth.mydomain.tld/" "Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0" "-" "cloud.mydomain.tld"
>
> The answer is 200, so the "Firefox can't open this page" must come from Lemon and not Nginx, but I couldn't find where it's managed.
>
> I tried several variants of these options, without success.
>
> Now, if I could bypass this step completely, the one with the iframe and the 2 buttons asking to wait or go on with the process, I'd be happy too.
> But I didn't find any option for this.
2.
> There seems to be two issues here:
>
> * LemonLDAP tries to call the logout URL of the application in an iframe,
> without having X-Frame-Options correctly set
>
> * LemonLDAP tries to iframe the logout URL of the application that has
> *initiated* the logout. It should instead filter out the initiating
> application and only called iframes for *other* applications.
>
> So, two LemonLDAP bugs for the price of one, you should open an issue about
> this, we'll take a shot at fixing it.
>
> In the meantime, if you do not specify any "URL" parameter in the Logout
> configuration of your RP, the iframe will not appear, and logout should
> work... but only for the application initiating the logout.

Label: FAQ

Issue 2639: OIDC error when multiple email addresses (Mathieu Valois, 2022-02-04T12:09:43Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2639

### Concerned version
Version: %2.0.13
Platform: Apache on debian 11
### Summary
When LDAP users have multiple email addresses, the Gitlab OIDC client rejects the connection, complaining about a bad email address.
### Logs
Gitlab: Sign-in failed because Email is invalid.
### Possible fixes
Provide a way to map attributes on a single element of an array, like `mail => mail[0]`

Label: FAQ

Issue 2590: Allow OIDC Oauth2 token response type (Téo GODDET, 2021-09-08T14:33:45Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2590

When trying to set up odoo oauth with lemon ldap I figured out that odoo is asking for a ‘token’ response type.
Lemon ldap doesn't support it alone (see https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/OpenIDConnect.pm#L2099)
Is it possible to add this response type to one of the flows?
Google is supporting it:
https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow#oauth-2.0-endpoints

Label: FAQ

Issue 2553: Minimal Bullseye + Ansible + Apache2 static file won't be delivered (Clément J, 2021-06-25T13:54:35Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2553

### Concerned version
Version: %2.0.11
Platform: Apache
OS: Debian 11 (Bullseye)
### Summary
Freshly installed on bullseye via Ansible, lemonldap fails to deliver static content. Some URLs mention /javascript/angular directly, and others don't resolve in the lemon DocumentRoot.
Some URLs are badly forged.
### Logs
See [lemon-debug.tar.gz](/uploads/30832bb37c11e9920396b3a06622ef41/lemon-debug.tar.gz). One file is HAR from Firefox, second is error.log from apache in debug mode.
### Backends used
File backend, actually with LDAP authentication. But with a fresh install without any tweaks, it has the same behavior.
### Possible fixes
Don't know.
Exactly the same install on Debian 10.10 gives a fully functional Lemon.

Label: FAQ

Issue 2523: Abnormal error from LDAP server during Password Reset (Bad Filter) (Henry Clayton, 2021-04-30T05:34:52Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2523

### Concerned version
Version: 2.0.11-1 (via apt on Ubuntu 20.04)
Platform: Nginx
### Summary
While trying to use the password reset by mail functionality ( https://lemonldap-ng.org/documentation/2.0/resetpassword.html ), inputting the e-mail address & Captcha, then submitting the form, results in the error message 'Abnormal error from LDAP server', & the following logs.
### Logs
```
Apr 29 22:00:16 skeletor LLNG[60514]: [debug] Good captcha response
Apr 29 22:00:16 skeletor LLNG[60514]: [debug] Captcha code verified
Apr 29 22:00:16 skeletor LLNG[60514]: [debug] Processing getUser
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=1 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=1 SRCH attr=supportedLDAPVersion
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=2 SRCH base="" scope=0 deref=2 filter="(objectClass=*)"
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=2 SRCH attr=supportedLDAPVersion
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 BIND anonymous mech=implicit ssf=0
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 BIND dn="cn=manager,ou=managers,dc=skeletor,dc=com" method=128
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 BIND dn="cn=manager,ou=managers,dc=skeletor,dc=com" mech=SIMPLE ssf=0
Apr 29 22:00:17 skeletor slapd[34800]: conn=1500 op=3 RESULT tag=97 err=0 text=
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] LDAP Search base: ou=people,dc=skeletor,dc=com
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] LDAP transformed filter: '(&(mail=".$req->{user}.")(objectClass=inetOrgPerson))'
Apr 29 22:00:17 skeletor LLNG[60514]: [error] LDAP Search error 89: Bad filter
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] Returned error: 7 (PE_LDAPERROR)
Apr 29 22:00:17 skeletor LLNG[60514]: [debug] Display called with code: 7
```
In lemonldap-ng.ini, I have `mailLDAPFilter = '(&(mail=$mail)(objectClass=inetOrgPerson))'`.

Label: FAQ

Issue 2507: LLNG 2.0.7 as SAML IDP : OneTimeUse flag set twice in conditions (Claude LOISEAU, 2022-02-04T12:14:34Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2507

### Concerned version
Version: 2.0.7
### Summary
Setting "One time use" to On in the service provider configuration causes an erroneous condition tag to be sent:
```xml
<saml:Conditions NotBefore="2021-04-07T09:47:06Z"
                 NotOnOrAfter="2021-04-08T05:49:06Z">
  <saml:AudienceRestriction>
    <saml:Audience>xxxxxx</saml:Audience>
  </saml:AudienceRestriction>
  <saml:OneTimeUse/>
  <saml:OneTimeUse/>
</saml:Conditions>
```
The tag OneTimeUse is set twice, so the SP rejects assertions.
Setting One time use to Off, the assertion is correctly consumed.

Label: FAQ
Assignee: Maxime Besson

Issue 2505: New installation of LemonLDAP (Benjamin AUBRY, 2021-04-09T11:48:45Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2505

Hi Everybody,
I post this message because I fail to configure LemonLdap. This is my setup:
ubuntu 20.04.02, lemonldap installed via package + Nginx. I followed this [notice](https://lemonldap-ng.org/documentation/latest/installdeb). I installed postgresql, created a database and migrated lemonldap to it; I followed this guide in order to configure the [link](https://www.worteks.com/2018/04/30/lemonldapng-installation-et-configuration-authentification-ad-et-kerberos/) with active directory and Kerberos. I configured Firefox for NTLM in one GPO. In the manager, I chose Kerberos in the Authentication module and Active Directory for the others. I created two applications and two Vhosts: GLPI and Zimbra. I configured the zimbra vhost with preauth and put the key directly in lemonldap-ng.ini (like in this [article](https://lemonldap-ng.org/documentation/2.0/applications/zimbra.html)). For GLPI, I followed this [one](https://lemonldap-ng.org/documentation/2.0/applications/glpi.html). In Auth, I am connected automatically: my Windows id is shown. But when I click on GLPI on auth, I need to put my ID, and when I click on Zimbra, I have this error: ???404Title???
???404Msg???
???errorTryAgainLater???
ERROR: 404
I'm sure that I missed something, but what? I tried to create one glpi-nginx.conf in sites-enabled, but my link with sites-available (ln -s) doesn't work.
Thanks in advance

Label: FAQ

Issue 2504: [HELP REQUEST] Set special rule for "Required token for forms" (Tuan LE CONG, 2021-07-01T21:02:06Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2504

Hello LemonLDAP team,
We are trying to implement auto-login when a user signs up. The solution is we use filled email and auto-generated password and call login endpoint to lemonldap. For example https://auth.example.com/?redirect_uri=https%3A%2F%2Fweb.qa.twake.app
From my understanding, to send login requests from an external side, we need to configure lemonldap. For now, we succeed to do auto login by turning off the `Required token for forms` config.
However, at the end of the day, we need to keep security and this is what I see from LemonLDAP [documentation](https://lemonldap-ng.org/documentation/latest/security):
> Required token for forms: To prevent CSRF attack, a token is built for each form. To disable it, set this parameter to ‘Off’ or set a special rule
![image](/uploads/8f3661e2f073a5c9f59c42ef5d405430/image.png)
There is an example for special rule: `requireToken => $env->{REMOTE_ADDR} !~ /^127.0.[1-3].1$/`
But I don't find an explanation for this syntax. Do you have any documents for this or could you please explain to me the syntax?
Thanks in advance!

Label: FAQ
Assignee: Clément OUDOT

Issue 2464: OpenId Connect access token expiration (Heinz Mayer, 2021-06-24T13:46:18Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2464

Version: 2.0.9
We use LemonLDAP with Keycloak as Identity Provider (OpenID Connect)
LemonLDAP ignores the "Expiration time" in the OIDC access token
I would expect that LemonLDAP reauthenticates if the keycloak session ended

Label: FAQ

Issue 2412: How can i use _authChoice to hide parts in Login.tpl please? (jb Arnoux, 2020-12-08T17:52:06Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2412

LemonLdap 1.9
Hello,
I try to understand how Login.tpl is generated. I want to use _authChoice value to hide some parts in login.tpl
I made a MyModule.pm file with functions which return booleans.
I tried to use this in index.pl because I do not know how to use it in login.tpl properly:
```perl
$template->param( MaVar => MyModule::myFunc1($portal->{_authChoice}) );
```
In Login.tpl, when I use `<TMPL_IF NAME="MaVar"> hello</TMPL_IF>`, nothing is shown.
I tried instead those lines to find out how to get the _authChoice var:
```perl
$template->param( MaVar => $portal->{_authChoice} );
$template->param( MaVar => $portal->{sessionInfo}->{key} );
$template->param( MaVar => $portal->{sessionInfo}->{_authChoice} );
```
Nothing works,
I tried defining Exported Var in LemonLdap manager, idem
I tried defining custom function too. idem
Please, could someone help me to know where i could find some additional informations to understand how i can use _authChoice in Login.tpl?
Thanks

Label: FAQ

Issue 2400: Some trouble on first connexion with oidc module (Franck neblai, 2020-11-29T15:14:34Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2400

Hello
I have some trouble on first connexion with OIDC: it happened sometimes with those logs :
```
[Fri Nov 27 09:02:13.130313 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module OpenIDConnect
[Fri Nov 27 09:02:13.130365 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Found path ^/oauth2/
[Fri Nov 27 09:02:13.130461 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Path of current request is /
[Fri Nov 27 09:02:13.130534 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Path do not match, trying next
[Fri Nov 27 09:02:13.130592 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Try issuerDB module Get
[Fri Nov 27 09:02:13.130644 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] Activation flag set to off, trying next
[Fri Nov 27 09:02:13.130779 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::IssuerDBNull loaded
[Fri Nov 27 09:02:13.130846 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: [IssuerDB activation] IssuerDB module Null loaded
[Fri Nov 27 09:02:13.131089 2020] [perl:debug] [pid 50590] CGI.pm(115): Lemonldap::NG::Portal::SharedConf: Module Lemonldap::NG::Portal::_SOAP loaded
```
So IssuerDB found the path ^/oauth2/ but then the current request path is wrong (Path of current request is /) and my module is not loaded, so the login template cannot load the right information (hidden input) to be sent to the server in POST, and I'm getting an ERROR.
I'm using version 1.9.10 of lemondldap
(excuse my english).

Label: FAQ

Issue 2362: unprotect rule does not recognize existing sessions when using CDA (Ghost User, 2020-10-30T17:33:31Z) https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2362

I am trying to set up a subdomain where an authenticated user would be authenticated to the app with an HTTP header.
For that I used the `unprotect` rule like so:
```json
"locationRules": {
    "example.com": {
        "default": "unprotect"
    }
},
"vhostOptions": {
    "example.com": {
        "vhostType": "CDA"
    }
}
```
But authenticated users are not detected.
I was expecting that lemonLDAP would make a redirection to the portal to check if a session exists and then come back and set a cookie to identify the user.
Am I wrong somewhere?

Label: FAQ